why-2.39/0000755000106100004300000000000013147234006011231 5ustar marchevalswhy-2.39/src/0000755000106100004300000000000013147234006012020 5ustar marchevalswhy-2.39/src/pvs.mli0000644000106100004300000000443113147234006013335 0ustar marchevals(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2017 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (**************************************************************************) val reset : unit -> unit val push_decl : Logic_decl.t -> unit val output_file : string -> unit why-2.39/src/typing.ml0000644000106100004300000007335513147234006013701 0ustar marchevals(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2017 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (**************************************************************************) (*s Typing. *) open Format open Options open Ident open Misc open Ltyping open Util open Logic open Types open Ptree open Error open Report open Ast open Env open Effect (*s Typing of terms (used to type pure expressions). *) let type_v_int = PureType PTint let type_v_bool = PureType PTbool let type_v_unit = PureType PTunit let type_v_real = PureType PTreal let typing_const = function | ConstInt _ -> type_v_int | ConstBool _ -> type_v_bool | ConstUnit -> type_v_unit | ConstFloat _ -> type_v_real (*s Utility functions for typing *) let expected_cmp loc = raise_located loc (ExpectedType (fun fmt -> fprintf fmt "unit, bool, int or real")) (* dead code let just_reads e = difference (get_reads e) (get_writes e) *) let rec unify_type_v v1 v2 = match (v1,v2) with | PureType c1, PureType c2 -> Ltyping.unify c1 c2 | Ref v1, Ref v2 -> Ltyping.unify v1 v2 | Arrow (bl1, k1), Arrow (bl2, k2) -> let rec unify_bl = function | [], [] -> unify_type_v k1.c_result_type k2.c_result_type | (_,t1)::bl1, (_,t2)::bl2 -> unify_type_v t1 t2 && unify_bl (bl1,bl2) | [], bl2 -> unify_type_v k1.c_result_type (Arrow (bl2, k2)) | bl1, [] -> unify_type_v (Arrow (bl1, k1)) k2.c_result_type in unify_bl (bl1,bl2) | _ -> false let type_v_sup loc t1 t2 = if not(unify_type_v t1 t2) then raise_located loc BranchesSameType; t1 let union3effects x y z = Effect.union x (Effect.union y z) let decomp_fun_type loc = function | Arrow ([x, v], k) -> x, v, k | Arrow ((x, v) :: bl, k) -> x, v, type_c_of_v (Arrow (bl, k)) | Arrow ([], _) -> assert false | ty -> Format.eprintf "decomp_fun_type=%a@." print_type_v ty; raise_located loc AppNonFunction let expected_type loc t et = if not (unify_type_v t et) then raise_located loc (ExpectedType2 ((fun fmt -> print_type_v fmt t), (fun fmt -> print_type_v fmt et))) let check_for_alias loc id v = if occur_type_v id v then raise_located loc (Alias id) let check_for_let_ref loc v = if not (is_pure v) then raise_located loc Error.LetRef let check_for_not_mutable loc v = if is_mutable v then raise_located loc CannotBeMutable let check_unbound_exn loc = let check (x,_) = if not (Env.is_exception x) then raise_located loc (UnboundException x) in List.iter check (*s Instantiation of polymorphic functions *) let type_prim idint idreal idbool idunit loc = function | PureType pt -> begin match normalize_pure_type pt with | PTint -> idint | PTbool -> idbool | PTreal -> idreal | PTunit -> idunit | _ -> expected_cmp loc end | _ -> expected_cmp loc let type_eq = type_prim t_eq_int_ t_eq_real_ t_eq_bool_ t_eq_unit_ let type_neq = type_prim t_neq_int_ t_neq_real_ t_neq_bool_ t_neq_unit_ let type_num idint idreal loc = function | PureType pt -> begin match normalize_pure_type pt with | PTint -> if idint == t_div_real_ then expected_real loc else idint | PTreal -> idreal | _ -> expected_num loc end | _ -> expected_num loc let type_lt = type_num t_lt_int_ t_lt_real_ let type_le = type_num t_le_int_ t_le_real_ let type_gt = type_num t_gt_int_ t_gt_real_ let type_ge = type_num t_ge_int_ t_ge_real_ let type_add = type_num t_add_int t_add_real let type_sub = type_num t_sub_int t_sub_real let type_mul = type_num t_mul_int t_mul_real let type_div = type_num t_div_real_ t_div_real_ let type_neg = type_num t_neg_int t_neg_real let type_poly id = if id == t_eq then type_eq else if id == t_neq then type_neq else if id == t_lt then type_lt else if id == t_le then type_le else if id == t_gt then type_gt else if id == t_ge then type_ge else if id == t_add then type_add else if id == t_sub then type_sub else if id == t_mul then type_mul else if id == t_div then type_div else if id == t_neg then type_neg else assert false (* dead code let type_un_poly id = if id == t_neg then type_neg else assert false *) (*s Making nodes *) let gmake_node loc env userlabel l ?(post=None) p rt e = { desc = p; info = { t_loc = loc; t_env = env; t_label = l; t_userlabel = userlabel; t_result_name = result; t_result_type = rt; t_effect = e; t_post = post } } let bool_constant b loc env = gmake_node loc env "" (label_name ()) (Expression (Tconst (ConstBool b))) type_v_bool Effect.bottom let make_arrow_type lab bl k = let k = let q = optpost_app (change_label lab "") k.c_post in { k with c_post = q } in make_arrow bl k let k_add_effects k e = { k with t_effect = Effect.union k.t_effect e } let type_c_of_typing_info pre ti = { c_result_name = ti.t_result_name; c_result_type = ti.t_result_type; c_effect = ti.t_effect; c_pre = a_values pre; c_post = optpost_app a_value ti.t_post } let typing_info_of_type_c loc env l k = { t_loc = loc; t_env = env; t_label = l; t_userlabel = ""; t_result_name = k.c_result_name; t_result_type = k.c_result_type; t_effect = k.c_effect; t_post = optpost_app (post_named loc) k.c_post } (* dead code let assume loc env ef p = let k = { c_result_name = result; c_result_type = type_v_unit; c_effect = ef; c_pre = []; c_post = Some (p,[]) } in gmake_node loc env "" (label_name ()) (Any k) type_v_unit ef let seq loc env e1 e2 = gmake_node loc env "" (label_name ()) (Seq (e1, e2)) (result_type e2) (Effect.union (effect e1) (effect e2)) *) (*s Typing variants. Return the effect i.e. variables appearing in the variant. *) let state_var loc lab env = function | None when termination = Total -> raise_located loc (AnyMessage "a variant is required here (since -total is set)") | None -> None, Effect.bottom | Some (pphi,r) -> let phi,tphi = Ltyping.term lab env pphi in let ids = term_refs env phi in (if termination = Partial then None else Some (pphi.pp_loc,phi,tphi,r)), Effect.add_reads ids Effect.bottom (*s Typing preconditions. Return the effect i.e. variables appearing in the precondition. Check existence of labels. *) let predicates_effect lab env loc pl = let state e p = let ids = predicate_vars p in Idset.fold (fun id e -> if is_reference env id then Effect.add_read id e else if is_at id then begin let uid,l = un_at id in if not (Label.mem l lab) then raise_located loc (UnboundLabel l); if is_reference env uid then Effect.add_read uid e else e end else e) ids e in List.fold_left state Effect.bottom pl let state_pre lab env loc pl = let pl = List.map (type_assert lab env) pl in predicates_effect lab env loc (List.map (fun x -> x.a_value) pl), pl (* dead code let state_assert lab env loc a = let a = type_assert lab env a in predicates_effect lab env loc [a.a_value], a *) let state_inv lab env loc = function | None -> Effect.bottom, None | Some i -> let i = type_assert lab env i in predicates_effect lab env loc [i.a_value], Some i (*s Typing postconditions. Return the effect i.e. variables appearing in the postcondition, together with the normalized postcondition (i.e. [x] replaced by [x@] whenever [x] is not modified by the program). Check existence of labels. *) let state_post lab env (id,v,ef) loc q = check_unbound_exn loc (snd q); let q = type_post lab env id v ef q in let ids = apost_vars q in let ef,q = Idset.fold (fun id (e,q) -> if is_reference env id then if is_write ef id then Effect.add_write id e, q else Effect.add_read id e, (let s = subst_in_predicate (subst_onev id (at_id id "")) in post_app (asst_app s) q) else if is_at id then begin let uid,l = un_at id in if l <> "" && not (Label.mem l lab) then raise_located loc (UnboundLabel l); if is_reference env uid then Effect.add_read uid e, q else raise_located loc (UnboundReference uid) end else e,q) ids (Effect.bottom, q) in ef, q (* dead code let state_post_option lab env res loc = function | None -> Effect.bottom, None | Some q -> let ef,q = state_post lab env res loc q in ef, Some q *) (*s Detection of pure functions. *) let rec is_pure_type_v = function | PureType _ -> true | Arrow (bl,c) -> List.for_all is_pure_arg bl && is_pure_type_c c | Ref _ -> false and is_pure_arg (_,v) = is_pure_type_v v and is_pure_type_c c = is_pure_type_v c.c_result_type && c.c_effect = Effect.bottom && c.c_pre = [] && c.c_post = None (*s Types of references and arrays *) let check_ref_type loc env id = try deref_type (type_in_env env id) with | Not_found -> raise_located loc (UnboundReference id) | Invalid_argument _ -> raise_located loc (NotAReference id) (* dead code let check_array_type loc env id = try PureType (dearray_type (type_in_env env id)) with | Not_found -> raise_located loc (UnboundArray id) | Invalid_argument _ -> raise_located loc (NotAnArray id) *) let is_pure_type = function | PureType _ -> true | _ -> false let pure_type loc = function | PureType pt -> pt | _ -> raise_located loc MustBePure let decompose_app e = let rec loop args e = match e.pdesc with | Sapp (e1, e2) -> loop (e2 :: args) e1 | _ -> e, args in loop [] e (* dead code let pdesc loc p = { pdesc = p; ploc = loc } *) let sapp loc e1 e2 = { pdesc = Sapp (e1, e2); ploc = loc } let svar loc v = { pdesc = Svar v; ploc = loc } (* dead code let sassume loc p = let a = { pa_name = Anonymous; pa_value = p; pa_loc = loc } in let k = { pc_result_name = result; pc_result_type = PVpure PPTunit; pc_effect = { pe_reads = []; pe_writes = []; pe_raises = [] }; pc_pre = []; pc_post = Some (a, []) } in { pdesc = Sany k; ploc = loc } let sletin loc v e1 e2 = { pdesc = Sletin (v, e1, e2); ploc = loc } let sseq loc e1 e2 = { pdesc = Sseq (e1, e2); ploc = loc } let ppinfix loc l1 i l2 = { pp_loc = loc; pp_desc = PPinfix (l1, i, l2) } let ppvar loc v = { pp_loc = loc; pp_desc = PPvar v } let ppconst loc c = { pp_loc = loc; pp_desc = PPconst c } *) (*s Saturation of postconditions: a postcondition must be set for any possibly raised exception *) let warning_no_post loc x = if not !c_file then begin wprintf loc "no postcondition for exception %a; false inserted@\n" Ident.print x; if werror then exit 1 end let saturation loc e (a,al) = let xs = Effect.get_exns e in let check (x,_) = if not (List.mem x xs) then raise_located loc (CannotBeRaised x); in List.iter check al; let set_post x = try x, List.assoc x al with Not_found -> warning_no_post loc x; x, anonymous Loc.dummy_position Pfalse (* default_post *) in (a, List.map set_post xs) let conj_assert ({a_value=pa} as a) ({a_value=pb} as b) = let loc = Loc.join a.a_loc b.a_loc in { a with a_value = pand ~is_wp:true pa pb; a_loc = loc } let conj q q' = match q, q' with | None, _ -> q' | _, None -> q | Some (q, ql), Some (q', ql') -> assert (List.length ql = List.length ql'); let conjx (x,a) (x',a') = assert (x = x'); x, if is_default_post a then a' else if is_default_post a' then a else conj_assert a a' in Some (conj_assert q q', List.map2 conjx ql ql') (*s The following flag indicates whether exceptions must be checked as possibly raised in try-with constructs; indeed, this must be disabled when computing the effects of a recursive function. *) let exn_check = ref true let without_exn_check f x = if !exn_check then begin exn_check := false; try let y = f x in exn_check := true; y with e -> exn_check := true; raise e end else f x (*s Pure expressions. Used in [Slazy_and] and [Slazy_or] to decide whether to use [strict_bool_and_] and [strict_bool_or_] or not. *) let has_no_effect e = let ef = effect e in get_writes ef = [] && get_exns ef = [] let rec is_pure_expr e = has_no_effect e && match e.desc with | Var _ | Expression _ -> true | If (e1, e2, e3) -> is_pure_expr e1 && is_pure_expr e2 && is_pure_expr e3 | LetIn (_, e1, e2) -> is_pure_expr e1 && is_pure_expr e2 | Label (_, e1) | Assertion (_, [], e1) -> is_pure_expr e1 | AppRef (e1, _, _) | AppTerm (e1, _, _) -> is_pure_expr e1 | Any _ | Rec _ | Lam _ | Try _ | Raise _ | Post _ | Assertion _ | LetRef _ | Loop _ | Seq _ | Absurd -> false (*s Typing programs. We infer here the type with effects. [lab] is the set of labels, [env] the environment and [expr] the program. [pre] indicates whether preconditions are true preconditions or obligations *) let rec typef ?(userlabel="") lab env expr = let toplabel = label_name () in let loc = expr.ploc in let make_node = gmake_node loc env userlabel in match expr.pdesc with | Sconst c -> make_node toplabel (Expression (Tconst c)) (typing_const c) Effect.bottom | Svar id -> let v = try type_in_env env id with Not_found -> raise_located loc (UnboundVariable id) in let ef = Effect.bottom in if not (is_local env id) && is_logic_function id && not (is_pure_type v) then raise_located loc (AnyMessage "a logic function cannot be partially applied"); if is_pure_type_v v && not (is_rec id env) then let t,v = try let lid = { pp_loc = loc; pp_desc = PPvar id } in let t,v = Ltyping.term lab env lid in t, PureType v with _ -> Tvar id, v in make_node toplabel (Expression t) v ef else make_node toplabel (Var id) v ef | Sderef id -> let v = check_ref_type loc env id in let ef = Effect.add_read id Effect.bottom in make_node toplabel (Expression (Tderef id)) (PureType v) ef | Sseq (e1, e2) -> let t_e1 = typef lab env e1 in expected_type e1.ploc (result_type t_e1) type_v_unit; let t_e2 = typef lab env e2 in let ef = Effect.union (effect t_e1) (effect t_e2) in make_node toplabel (Seq (t_e1, t_e2)) (result_type t_e2) ef | Sloop (invopt, var, e) -> let var,efphi = state_var loc lab env var in let t_e = typef lab env e in let efe = t_e.info.t_effect in let efinv,invopt = state_inv lab env loc invopt in let ef = Effect.union efe (Effect.union efinv efphi) in let v = type_v_unit in make_node toplabel (Loop (invopt,var,t_e)) v ef | Slam ([], _, _) -> assert false | Slam (bl, p, e) -> let bl',env' = binders loc lab env bl in let (ep,p') = state_pre lab env' loc p in let t_e = typef lab env' e in check_for_not_mutable e.ploc t_e.info.t_result_type; let info = k_add_effects t_e.info ep in let t_e = { t_e with info = info } in let k = type_c_of_typing_info p' info in let v = make_arrow_type t_e.info.t_label bl' k in let ef = Effect.bottom in make_node toplabel (Lam (bl',p',t_e)) v ef | Sapp _ -> let f,args = decompose_app expr in (* 1. if f is a polymorphic symbol, find its type using first arg. *) let f = match f.pdesc with | Svar x when is_poly x -> begin match args with | a :: _ -> let t_a = typef lab env a in let eq = type_poly x a.ploc (result_type t_a) in { f with pdesc = Svar eq } | [] -> assert false (* the parser ensures the presence of an argument *) end | _ -> f in (* 2. typing the function f *) let t_f, tyf = match f.pdesc with | Svar x when is_logic_function x && not (is_local env x) -> begin match find_global_logic x with | vars, Function (tl,tr) -> (* TODO: check number of args *) let v = type_v_of_logic tl tr in let i = instance x vars in make_node toplabel (Expression (Tapp (x, [], i))) v Effect.bottom, v | _, Predicate _ -> assert false end | _ -> let tf = typef lab env f in tf, result_type tf in (* 3. typing the arguments *) let rec loop_args t_f tyf = function | [] -> t_f | a :: ra -> let x,tx,kapp = decomp_fun_type loc tyf in begin match tx with (* the function expects a mutable; it must be a variable *) | Ref _ -> begin match a.pdesc with | Svar r -> let v = try type_in_env env r with Not_found -> raise_located a.ploc (UnboundVariable r) in expected_type a.ploc v tx; check_for_alias a.ploc r tyf; let kapp = type_c_subst (subst_onev x r) kapp in let (_,tapp),eapp,papp,_ = decomp_type_c kapp in let kapp = typing_info_of_type_c loc env toplabel kapp in let ef = Effect.union (effect t_f) eapp in let t_f = let make ?post n = make_node (label_name ()) ?post n tapp ef in make (Assertion (`PRE, List.map (pre_named loc) papp, make ~post:kapp.t_post (AppRef (t_f, r, kapp)))) in loop_args t_f (result_type t_f) ra | _ -> raise_located a.ploc ShouldBeVariable end (* otherwise (the argument is not a reference) *) | _ -> let t_a = typef lab env a in expected_type a.ploc (result_type t_a) tx; begin match t_a with (* argument is pure: it is substituted *) (*** | { desc = Expression ta } when post t_a = None -> let kapp = type_c_subst_oldify env x ta kapp in let _,_,papp,_ = decomp_type_c kapp in let kapp = typing_info_of_type_c loc env toplabel kapp in let (_,tapp),eapp,_ = decomp_kappa kapp in let ef = union3effects (effect t_a) (effect t_f) eapp in let t_f = match t_f with (* collapse: (term(tf) term(ta)) --> term(tf ta) *) | { desc = Expression tf } when post t_f = None -> let l = label_name () in make_node l (Expression (applist tf [ta])) tapp ef | _ -> let make ?post n = make_node (label_name ()) ?post n tapp ef in make (Assertion (`PRE, List.map (pre_named loc) papp, make ~post:kapp.t_post (AppTerm (t_f, ta, kapp)))) in loop_args t_f (result_type t_f) ra ***) (* otherwise we transform into [let v = arg in (f v)] *) | _ -> let _,eapp,_,_ = decomp_type_c kapp in let v = fresh_var () in let kapp = type_c_subst (subst_onev x v) kapp in let _,_,papp,_ = decomp_type_c kapp in let label_f_v = label_name () in let kapp = typing_info_of_type_c loc env label_f_v kapp in let env' = Env.add v tx env in let app_f_v = match t_f with | { desc = Expression tf } when post t_f = None -> Expression (applist tf [Tvar v]) | _ -> AppTerm (t_f, Tvar v, kapp) in let kfv = k_add_effects kapp (effect t_f) in let app_f_v = gmake_node loc env' userlabel label_f_v app_f_v ~post:kfv.t_post kfv.t_result_type kfv.t_effect in let app = loop_args app_f_v (result_type app_f_v) ra in let tapp = result_type app in if occur_type_v v tapp then raise_located a.ploc TooComplexArgument; let ef = union3effects (effect app) (effect t_f) eapp in let ef' = Effect.union ef (effect t_a) in let make n = make_node (label_name ()) n tapp ef' in make (LetIn (v, t_a, let make n = gmake_node loc env' userlabel (label_name ()) n tapp ef in make (Assertion (`PRE, List.map (pre_named loc) papp, app)))) end end in loop_args t_f tyf args | Sletref (x, e1, e2) -> if is_ref env x then raise_located loc (ClashRef x); let t_e1 = typef lab env e1 in let ef1 = t_e1.info.t_effect in let v1 = pure_type loc t_e1.info.t_result_type in let env' = add x (Ref v1) env in let t_e2 = typef lab env' e2 in let ef2 = t_e2.info.t_effect in let v2 = t_e2.info.t_result_type in check_for_let_ref loc v2; let ef = Effect.union ef1 (Effect.remove x ef2) in make_node toplabel (LetRef (x, t_e1, t_e2)) v2 ef | Sletin (x, e1, e2) -> let t_e1 = typef lab env e1 in let ef1 = t_e1.info.t_effect in let v1 = t_e1.info.t_result_type in check_for_not_mutable e1.ploc v1; let env' = add ~generalize:true x v1 env in let t_e2 = typef lab env' e2 in let ef2 = t_e2.info.t_effect in let v2 = t_e2.info.t_result_type in let ef = Effect.union ef1 ef2 in make_node toplabel (LetIn (x, t_e1, t_e2)) v2 ef | Sif (b, e1, e2) -> let t_b = typef lab env b in expected_type b.ploc (result_type t_b) type_v_bool; let t_e1 = typef lab env e1 and t_e2 = typef lab env e2 in let t1 = t_e1.info.t_result_type in let t2 = t_e2.info.t_result_type in let ef = union3effects (effect t_b) (effect t_e1) (effect t_e2) in let v = type_v_sup loc t1 t2 in make_node toplabel (If (t_b, t_e1, t_e2)) v ef | Slazy_and (e1, e2) -> let t_e1 = typef lab env e1 in expected_type e1.ploc (result_type t_e1) type_v_bool; let t_e2 = typef lab env e2 in expected_type e2.ploc (result_type t_e2) type_v_bool; if not split_bool_op && is_pure_expr t_e2 then (* we build strict_bool_and_(e1, e2) TODO: avoid typing e1 and e2 twice *) let d = sapp loc (sapp loc (svar loc strict_bool_and_) e1) e2 in (* we build let v = e1 in strict_bool_and_ v1 (assume v1=true; e2) let v = fresh_var () in let p = ppinfix loc (ppvar loc v) PPeq (ppconst loc (ConstBool true)) in let d = sletin loc v e1 (sapp loc (sapp loc (svar loc strict_bool_and_) (svar loc v)) (sseq loc (sassume loc p) e2)) in *) typef lab env d else let ef = union (effect t_e1) (effect t_e2) in let bool_false = bool_constant false loc env in make_node toplabel (If (t_e1, t_e2, bool_false)) type_v_bool ef | Slazy_or (e1, e2) -> let t_e1 = typef lab env e1 in expected_type e1.ploc (result_type t_e1) type_v_bool; let t_e2 = typef lab env e2 in expected_type e2.ploc (result_type t_e2) type_v_bool; if not split_bool_op && is_pure_expr t_e2 then (* we build strict_bool_or_(e1, e2) TODO: avoid typing e1 and e2 twice *) let d = sapp loc (sapp loc (svar loc strict_bool_or_) e1) e2 in typef lab env d else let ef = union (effect t_e1) (effect t_e2) in let bool_true = bool_constant true loc env in make_node toplabel (If (t_e1, bool_true, t_e2)) type_v_bool ef | Snot e1 -> let t_e1 = typef lab env e1 in expected_type e1.ploc (result_type t_e1) type_v_bool; if not split_bool_op then let d = sapp loc (svar loc bool_not_) e1 in typef lab env d else let bool_false = bool_constant false loc env in let bool_true = bool_constant true loc env in let d = If (t_e1, bool_false, bool_true) in make_node toplabel d type_v_bool (effect t_e1) | Srec (f,bl,v,var,p,e) -> let loc_e = e.ploc in let bl',env' = binders loc lab env bl in let (ep,p') = state_pre lab env' loc p in let v = type_v loc lab env' v in let var, efvar = state_var loc lab env' var in (* e --> let vphi0 = phi in e *) let varinfo,env' = match var with | None -> None, env' | Some (_loc,phi,tphi,r) -> let vphi0 = variant_name () in let tphi = PureType tphi in let env' = Env.add vphi0 tphi env' in let decphi = Papp (r, [phi; Tvar vphi0], []) in Some (vphi0,phi,tphi,decphi), env' in (* effects for a let/rec construct are computed as a fixpoint *) let type_body c = let c = match varinfo with | None -> c | Some (_,_,_,decphi) -> { c with c_pre = decphi :: c.c_pre } in let tf = make_arrow bl' c in let env'' = add_rec f (add f tf env') in typef lab env'' e in let fixpoint_reached c1 c2 = c1.c_effect = c2.c_effect && List.length c1.c_pre = List.length c2.c_pre && (match c1.c_post, c2.c_post with | None, None | Some _, Some _ -> true | _ -> false) in let rec fixpoint c = let t_e = type_body c in let info = k_add_effects t_e.info ep in let k_e = type_c_of_typing_info p' info in if fixpoint_reached k_e c then t_e else begin if_debug_3 eprintf " (rec => %a)@\n@?" print_typing_info t_e.info; fixpoint k_e end in let c0 = { c_result_name = result; c_result_type = v; c_effect = efvar; c_pre = []; c_post = None } in (* fixpoint, without check *) let t_e = without_exn_check fixpoint c0 in (* once again, with checks *) let info = k_add_effects t_e.info ep in let t_e = type_body (type_c_of_typing_info p' info) in let tf = make_arrow bl' (type_c_of_typing_info p' t_e.info) in let t_e = match varinfo with | Some (vphi0,phi,tphi,_) -> let mk_node_e = gmake_node loc_e env' "" in mk_node_e (label_name ()) (LetIn (vphi0, mk_node_e (label_name ()) (Expression phi) tphi efvar, t_e)) (result_type t_e) (Effect.union efvar (effect t_e)) | None -> t_e in make_node toplabel (Rec (f,bl',v,var,p',t_e)) tf Effect.bottom | Sraise (id, e, ct) -> if not (is_exception id) then raise_located loc (UnboundException id); let t_e, ef = match find_exception id , e with | None, Some _ -> raise_located loc (ExceptionArgument (id, false)) | Some _, None -> raise_located loc (ExceptionArgument (id, true)) | Some xt, Some e -> let t_e = typef lab env e in expected_type e.ploc (result_type t_e) (PureType xt); Some t_e, effect t_e | None, None -> None, Effect.bottom in let v = match ct with | None -> PureType (PTvar (new_type_var ())) | Some v -> type_v loc lab env v in make_node toplabel (Raise (id, t_e)) v (Effect.add_exn id ef) | Stry (e, hl) -> let te = typef lab env e in let v = result_type te in let ef = effect te in let xs = get_exns ef in let ef = List.fold_left (fun e ((x,_),_) -> remove_exn x e) ef hl in let type_handler ((x,a),h) = if not (is_exception x) then raise_located loc (UnboundException x); if not (List.mem x xs) && !exn_check then raise_located e.ploc (CannotBeRaised x); let env' = match a, find_exception x with | None, None -> env | Some v, Some tv -> Env.add v (PureType tv) env | None, Some _ -> raise_located loc (ExceptionArgument (x, true)) | Some _, None -> raise_located loc (ExceptionArgument (x, false)) in let th = typef lab env' h in expected_type h.ploc (result_type th) v; ((x,a), th) in let thl = List.map type_handler hl in let ef = List.fold_left (fun e (_,th) -> union e (effect th)) ef thl in make_node toplabel (Try (te, thl)) v ef | Sabsurd ct -> let v = match ct with | None -> PureType (PTvar (new_type_var ())) | Some v -> type_v loc lab env v in let absurd = make_node (label_name ()) Absurd v Effect.bottom in make_node toplabel (Assertion (`ABSURD,[anonymous loc Pfalse], absurd)) v Effect.bottom | Sany c -> let c = type_c loc lab env c in make_node toplabel (Any c) c.c_result_type c.c_effect | Spost (e, q, tr) -> let t_e = typef lab env e in let v = t_e.info.t_result_type in let e = t_e.info.t_effect in let (eq,q) = state_post lab env (result,v,e) loc q in let q = saturation loc e q in let e' = Effect.union e eq in let d = Post (t_e, q, tr) in gmake_node loc env userlabel toplabel d v e' ~post:(Some q) | Sassert (kind,p, e) -> let ep,p = state_pre lab env loc p in let t_e = typef lab env e in let ef = Effect.union (effect t_e) ep in make_node toplabel (Assertion ((kind :> Ast.assert_kind),p, t_e)) (result_type t_e) ef | Slabel (s, e) -> if (Label.mem s lab) then raise_located loc (ReboundLabel s); let lab' = Label.add s lab in let t_e = typef ~userlabel:s lab' env e in make_node toplabel (Label (s, t_e)) (result_type t_e) (effect t_e) let typef = typef ~userlabel:"" why-2.39/src/linenum.mll0000644000106100004300000000632013147234006014176 0ustar marchevals(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2017 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (**************************************************************************) (*i $Id: linenum.mll,v 1.9 2008-11-05 14:03:17 filliatr Exp $ i*) (* code from Ocaml sources *) { open Lexing let bol = ref 0 (* beginning of line, in chars *) let line = ref 1 (* current line number *) let file = ref "" } rule one_line = parse | '#' [' ' '\t']* (['0'-'9']+ as l) [' ' '\t']* ("\"" ([^ '\n' '\r' '"' (* '"' *) ]* as f) "\"")? [^ '\n' '\r']* ('\n' | '\r' | "\r\n") { line := int_of_string l; begin match f with Some f -> file := f | None -> () end; bol := lexeme_start lexbuf; lexeme_end lexbuf } | [^ '\n' '\r']* ('\n' | '\r' | "\r\n") { incr line; bol := lexeme_start lexbuf; lexeme_end lexbuf } | [^ '\n' '\r'] * eof { incr line; bol := lexeme_start lexbuf; raise End_of_file } { let from_char f c = let cin = open_in_bin f in let lb = from_channel cin in file := f; line := 1; bol := 0; begin try while one_line lb <= c do () done with End_of_file -> () end; close_in cin; (!file, !line - 1, c - !bol) } why-2.39/src/dispatcher.ml0000644000106100004300000002231513147234006014503 0ustar marchevals(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2017 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (**************************************************************************) open Options open Logic open Logic_decl (* dead code type elem = Logic_decl.t *) let stack = ref [] let add_elem e = stack := e :: !stack let oblig = Queue.create () let oblig_h = Hashtbl.create 97 let add_oblig ((_,_,_,id,_) as o) = let so = (List.rev !stack, o) in Queue.add so oblig ; Hashtbl.add oblig_h id so let rec f_of_seq ctx g = match ctx with | [] -> g | Cc.Svar (id, v) :: hyps -> Forall(false,id,id,v,[],f_of_seq hyps g) | Cc.Spred (_id, p) :: hyps -> Pimplies(false,p,f_of_seq hyps g) let push_decl d = match d with | Dgoal (loc, is_lemma, expl, id, s) -> add_oblig (loc, is_lemma, expl, id, s); if is_lemma then let (_l,(ctx,g)) = Env.specialize_sequent s in add_elem (Daxiom(loc,id,Env.generalize_predicate (f_of_seq ctx g))) | d -> add_elem d let iter f = Queue.iter (fun (_,o) -> f o) oblig (* calling prover *) open DpConfig let push_elem p e = if not pruning then assert (match e with Dgoal _ -> false | _ -> true); match p with | Simplify | Vampire -> Simplify.push_decl e | Harvey -> Harvey.push_decl e | Cvcl -> Cvcl.push_decl e | Zenon -> Zenon.push_decl e | Rvsat | Yices | Cvc3 | Z3 | VeriT -> Smtlib.push_decl e | Ergo | ErgoSelect | SimplifySelect | GappaSelect -> Pretty.push_decl ~ergo:true e | Coq -> Coq.push_decl e | PVS -> Pvs.push_decl e | Gappa -> Gappa.push_decl e let push_obligation p (loc, is_lemma, expl, id, s) = let g = Dgoal (loc, is_lemma, expl, id, s) in match p with | Simplify | Vampire -> Simplify.push_decl g | Harvey -> Harvey.push_decl g | Cvcl -> Cvcl.push_decl g | Zenon -> Zenon.push_decl g | Rvsat | Yices | Cvc3 | Z3 | VeriT -> Smtlib.push_decl g | Ergo | ErgoSelect | SimplifySelect | GappaSelect -> Pretty.push_decl g | Coq -> Coq.push_decl g | PVS -> Pvs.push_decl g | Gappa -> Gappa.push_decl g (* output_file is a CRITICAL SECTION *) (** @parama elems is the List that stores the theory @parama o is the proof obligation **) let get_project () = match !Options.gui_project with | Some p -> p | None -> failwith "For interactive provers, option --project must be set" let output_file ?encoding p (elems,o) = begin match encoding with Some e -> set_types_encoding e | None -> () end; begin match p with | Simplify | Vampire -> Simplify.reset () | Harvey -> Harvey.reset () | Cvcl -> Cvcl.prelude_done := false; Cvcl.reset () | Zenon -> Zenon.prelude_done := false; Zenon.reset () | Rvsat | Yices | Cvc3 | Z3 | VeriT -> Smtlib.reset () | Ergo | ErgoSelect | SimplifySelect | GappaSelect -> Pretty.reset () | Coq -> () (* Coq.reset () *) | PVS -> Pvs.reset() | Gappa -> Gappa.reset () end; if pruning then begin (**stores into the declarationQueue all the elements of the elems list and th obligation**) let declQ = Queue.create () in List.iter (fun p -> Queue.add p declQ) elems ; let (loc, is_lemma, expl, id, s) = o in let g = Dgoal (loc, is_lemma, expl, id, s) in Queue.add g declQ; if debug then Format.printf "Before the pruning dedicated to the PO: %d @." (Queue.length declQ); (** reduce the theory **) let q = Theory_filtering.reduce declQ in if debug then Format.printf "After the pruning dedicated to the PO: %d @." (Queue.length q); Queue.iter (push_elem p) q ; push_obligation p o end else begin List.iter (push_elem p) elems; push_obligation p o end; match p with | Simplify -> let f = Filename.temp_file "gwhy" "_why.sx" in Simplify.output_file ~allowedit:false f; f | Vampire -> let f = Filename.temp_file "gwhy" "_why.vp" in Simplify.output_file ~allowedit:false f; f | Harvey -> let f = Filename.temp_file "gwhy" "_why.rv" in Harvey.output_file f; f | Cvcl -> let f = Filename.temp_file "gwhy" "_why.cvc" in Cvcl.output_file ~allowedit:false f; f | Zenon -> let f = Filename.temp_file "gwhy" "_why.znn" in Zenon.output_file ~allowedit:false f; f | Rvsat | Yices | Cvc3 -> let f = Filename.temp_file "gwhy" "_why.smt" in Smtlib.output_file ~logic:"AUFLIRA" f; f | VeriT -> let f = Filename.temp_file "gwhy" "_why.smt" in Smtlib.output_file ~logic:"AUFLIRA" f; f | Z3 -> let f = Filename.temp_file "gwhy" "_why.smt" in Smtlib.output_file f; f | Ergo | ErgoSelect -> let f = Filename.temp_file "gwhy" "_why.why" in Pretty.output_file ~ergo:true f; f | SimplifySelect | GappaSelect -> let f = Filename.temp_file "gwhy" "_why.why" in Pretty.output_file ~ergo:false f; f | Gappa -> let f = Filename.temp_file "gwhy" "_why.gappa" in Gappa.output_one_file ~allowedit:false f; f | Coq -> let (_, _, _, f, _) = o in let _p = get_project () in (* if necessary, Pretty.output_project "name ?"; *) (* file should already be generated ?? *) (* Coq.output_file f; *) if debug then Format.printf "Reusing coq file %s_why.v@." f; f ^ "_why.v" | PVS -> assert false (* no PVS in Gwhy *) (* let f = Filename.temp_file "gwhy" "_why.pvs" in Pvs.output_file ~allowedit:false f; f *) open Format let prover_name p = try let (info,_) = List.assoc p DpConfig.prover_list in info.name with Not_found -> "(unnamed)" (* | Simplify -> "Simplify" | Harvey -> "haRVey" | Cvcl -> "CVC Lite" | Zenon -> "Zenon" | Rvsat -> "rv-sat" | Yices -> "Yices" | Ergo -> DpConfig.alt_ergo.DpConfig.name ^ " " ^ DpConfig.alt_ergo.DpConfig.version | Cvc3 -> "CVC3" | Graph -> "Graph" | Z3 -> "Z3" | Coq -> DpConfig.coq.DpConfig.name *) let call_prover ?(debug=false) ?timeout ?encoding ~obligation:o p = let so = try Hashtbl.find oblig_h o with Not_found -> assert false in let filename = output_file ?encoding p so in if debug then eprintf "calling %s on %s@." (prover_name p) filename; let r = match p with | Simplify -> Calldp.simplify ~debug ?timeout ~filename () | Vampire -> Calldp.vampire ~debug ?timeout ~filename () | Harvey -> Calldp.harvey ~debug ?timeout ~filename () | Cvcl -> Calldp.cvcl ~debug ?timeout ~filename () | Zenon -> Calldp.zenon ~debug ?timeout ~filename () | Rvsat -> Calldp.rvsat ~debug ?timeout ~filename () | Yices -> Calldp.yices ~debug ?timeout ~filename () | Ergo -> Calldp.ergo ~select_hypotheses:false ~debug ?timeout ~filename () | ErgoSelect -> Calldp.ergo ~select_hypotheses:true ~debug ?timeout ~filename () | Cvc3 -> Calldp.cvc3 ~debug ?timeout ~filename () | Z3 -> Calldp.z3 ~debug ?timeout ~filename () | VeriT -> Calldp.verit ~debug ?timeout ~filename () | SimplifySelect -> Calldp.generic_hypotheses_selection ~debug ?timeout ~filename DpConfig.Simplify () | Coq -> Calldp.coq ~debug ?timeout ~filename () | PVS -> Calldp.pvs ~debug ?timeout ~filename () | Gappa -> Calldp.gappa ~debug ?timeout ~filename () | GappaSelect -> Calldp.generic_hypotheses_selection ~debug ?timeout ~filename DpConfig.Gappa () in begin match p with | Coq -> () | _ -> Lib.remove_file ~debug filename end; r why-2.39/src/why3.ml0000644000106100004300000004203413147234006013247 0ustar marchevals(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2017 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (**************************************************************************) open Format open Pp open Ident open Misc open Logic open Logic_decl let reset = Encoding.reset let push_decl d = Encoding.push ~encode_preds:false ~encode_funs:false ~encode_inductive:false ~encode_algtype:false d let iter = Encoding.iter (* let capitalize s = let is_alpha n = ('a' <= n && n <= 'z') || ('A' <= n && n <= 'Z') in let s = if not (is_alpha s.[0]) then "Un"^s else s in String.capitalize s *) let ident fmt s = let s = Ident.string s in let s = if Why3_kw.is_why3_keyword s then s ^ "_why3" else s in let s = if 'A' <= s.[0] && s.[0] <= 'Z' then "_" ^ s else s in if Why3_kw.is_why3_keyword s then fprintf fmt "why3__%s" s else pp_print_string fmt s let string_capitalize fmt s = let s = if s.[0] = '_' then "U"^s else if 'a' <= s.[0] && s.[0] <= 'z' then String.capitalize s else s in pp_print_string fmt s let ident_capitalize fmt s = string_capitalize fmt (Ident.string s) let type_vars = Hashtbl.create 17 let type_var fmt n = try fprintf fmt "'a%d" (Hashtbl.find type_vars n) with Not_found -> assert false let specialize s = Hashtbl.clear type_vars; let n = ref 0 in Env.Vset.iter (fun tv -> incr n; Hashtbl.add type_vars tv.tag !n) s.Env.scheme_vars; s.Env.scheme_type let t_single = Ident.create "single" let t_double = Ident.create "double" let t_mode = Ident.create "mode" let print_builtin_type fmt = function | id when id == t_single -> Pp.string fmt "Single.single" | id when id == t_double -> Pp.string fmt "Double.double" | id when id == t_mode -> Pp.string fmt "Rounding.mode" | id -> ident fmt id let rec pure_type fmt = function | PTint -> fprintf fmt "int" | PTbool -> fprintf fmt "Bool.bool" | PTunit -> fprintf fmt "()" | PTreal -> fprintf fmt "real" | PTexternal ([],id) -> print_builtin_type fmt id | PTvar {tag=t; type_val=None} -> type_var fmt t | PTvar {tag=_t; type_val=Some pt} -> pure_type fmt pt | PTexternal (l,id) -> fprintf fmt "(%a %a)" ident id (print_list space pure_type) l let t_computer_div = Ident.create "computer_div" let t_computer_mod = Ident.create "computer_mod" let builtins_table = [ t_add_int , "Int.(+)"; t_sub_int , "Int.(-)"; t_mul_int , "Int.(*)"; t_computer_div , "ComputerDivision.div"; t_computer_mod , "ComputerDivision.mod"; t_neg_int , "Int.(-_)"; t_add_real , "Real.(+)"; t_sub_real , "Real.(-)"; t_mul_real , "Real.(*)"; t_div_real , "Real.(/)"; t_neg_real , "Real.(-_)"; t_lt_int , "Int.(<)" ; t_le_int , "Int.(<=)"; t_gt_int , "Int.(>)"; t_ge_int , "Int.(>=)"; t_lt_real , "Real.(<)" ; t_le_real , "Real.(<=)"; t_gt_real , "Real.(>)"; t_real_of_int, "FromInt.from_int"; t_abs_int , "AbsInt.abs"; t_abs_real , "AbsReal.abs"; t_sqrt_real, "SquareReal.sqrt"; t_cos, "Trigonometry.cos" ; t_sin, "Trigonometry.sin" ; t_tan, "Trigonometry.tan" ; t_atan, "Trigonometry.atan" ; Ident.create "nearest_even", "Rounding.NearestTiesToEven" ; Ident.create "to_zero", "Rounding.ToZero" ; Ident.create "up", "Rounding.Up" ; Ident.create "down", "Rounding.Down" ; Ident.create "nearest_away", "Rounding.NearTiesToAway" ; Ident.create "round_single", "Single.round" ; Ident.create "round_double", "Double.round" ; Ident.create "single_value", "Single.value"; Ident.create "double_value", "Double.value"; ] let constructor_table = Hashtbl.create 17 let print_builtin fmt id = try let s = List.assq id builtins_table in Pp.string fmt s with Not_found -> if Hashtbl.mem constructor_table id then ident_capitalize fmt id else ident fmt id let rec term fmt = function | Tconst (ConstInt n) -> fprintf fmt "%s" n | Tconst (ConstBool b) -> if b then fprintf fmt "Bool.True" else fprintf fmt "Bool.False" | Tconst ConstUnit -> fprintf fmt "()" | Tconst (ConstFloat c) -> Print_real.print fmt c | Tvar id | Tderef id -> ident fmt id | Tapp (id, tl, instance) -> let ret_type = let var_subst,logic = Env.find_global_logic id in Env.instantiate_specialized var_subst instance; match logic with | Predicate _ -> assert false | Function (_,ret_type) -> ret_type in begin match tl with (* | [] -> fprintf fmt "(%a : %a)" ident id pure_type ret_type *) | _ -> fprintf fmt "(%a %a : %a)" print_builtin id (print_list space term) tl pure_type ret_type end | Tnamed (User n, t) -> fprintf fmt "@[(%S@ %a)@]" n term t | Tnamed (_, t) -> term fmt t let rec predicate fmt = function | Pvar id | Papp (id, [], _) -> ident fmt id | Papp (id, [t1; t2], _) when is_eq id -> fprintf fmt "(%a = %a)" term t1 term t2 | Papp (id, [t1; t2], _) when is_neq id -> fprintf fmt "(%a <> %a)" term t1 term t2 | Papp (id, [a;b], _) when id == t_zwf_zero -> fprintf fmt "@[((Int.(<=) 0 %a) /\\@ (Int.(<) %a %a))@]" term b term a term b | Papp (id, [_t], _) when id == well_founded -> fprintf fmt "@[false (* was well_founded(...) *)@]" | Papp (id, l, _) -> fprintf fmt "(%a %a)" print_builtin id (print_list space term) l | Ptrue -> fprintf fmt "true" | Pfalse -> fprintf fmt "false" | Pimplies (_, a, b) -> fprintf fmt "(@[%a ->@ %a@])" predicate a predicate b | Piff (a, b) -> fprintf fmt "(@[%a <->@ %a@])" predicate a predicate b | Pif (a, b, c) -> fprintf fmt "(@[if %a = Bool.True then@ %a else@ %a@])" term a predicate b predicate c | Pand (_is_wp, is_sym, a, b) -> if is_sym then fprintf fmt "(@[%a /\\@ %a@])" predicate a predicate b else fprintf fmt "(@[%a &&@ %a@])" predicate a predicate b | Forallb (_, _ptrue, _pfalse) -> assert false (* TODO What is it? *) (* fprintf fmt "(@[forallb(%a,@ %a)@])" *) (* predicate ptrue predicate pfalse *) | Por (a, b) -> fprintf fmt "(@[%a \\/@ %a@])" predicate a predicate b | Pnot a -> fprintf fmt "(not %a)" predicate a | Forall (_,id,n,v,tl,p) -> let id = next_away id (predicate_vars p) in let s = subst_onev n id in let p = subst_in_predicate s p in let tl = List.map (List.map (subst_in_pattern s)) tl in fprintf fmt "@[(forall %a:%a%a.@ %a)@]" ident id pure_type v print_triggers tl predicate p | Exists (id,n,v,p) -> let id = next_away id (predicate_vars p) in let p = subst_in_predicate (subst_onev n id) p in fprintf fmt "@[(exists %a:%a.@ %a)@]" ident id pure_type v predicate p | Plet (id, n, _, t, p) -> if false then (* TODO: alt-ergo has no let support yet. *) let id = next_away id (predicate_vars p) in let p = subst_in_predicate (subst_onev n id) p in fprintf fmt "@[(let %a = %a in@ %a)@]" ident id term t predicate p else let p = tsubst_in_predicate (subst_one n t) p in fprintf fmt "@[%a@]" predicate p | Pnamed (User n, p) -> fprintf fmt "@[(%S@ %a)@]" n predicate p | Pnamed (_, p) -> predicate fmt p and print_pattern fmt = function | TPat t -> term fmt t | PPat p -> predicate fmt p and print_triggers fmt = function | [] -> () | tl -> fprintf fmt " [%a]" (print_list alt (print_list comma print_pattern)) tl let sequent fmt (ctx, p) = let context fmt = function | Cc.Svar (id, pt) -> fprintf fmt "forall %a:%a." ident id pure_type pt | Cc.Spred (_, p) -> fprintf fmt "@[%a ->@]" predicate p in print_list newline context fmt ctx; if ctx <> [] then fprintf fmt "@\n"; predicate fmt p let logic_binder fmt (id, pt) = fprintf fmt "(%a : %a)" ident id pure_type pt let logic_type fmt id = function | Predicate [] -> fprintf fmt "@[predicate %a@]" ident id | Function ([], pt) -> fprintf fmt "@[function %a : %a@]" ident id pure_type pt | Predicate ptl -> fprintf fmt "@[predicate %a %a@]" ident id (print_list space pure_type) ptl | Function (ptl, pt) -> fprintf fmt "@[function %a %a : %a@]" ident id (print_list space pure_type) ptl pure_type pt let type_parameters fmt l = let type_var fmt id = fprintf fmt "'%s" id in match l with | [] -> () | l -> fprintf fmt " %a" (print_list space type_var) l let alg_type_parameters fmt = function | [] -> () | l -> fprintf fmt "%a " (print_list space pure_type) l let alg_type_constructor fmt (c,pl) = Hashtbl.add constructor_table c (); match pl with | [] -> fprintf fmt "| %a" ident_capitalize c | _ -> fprintf fmt "| %a (@[%a@])" ident_capitalize c (print_list space (* or comma ? *) pure_type) pl let alg_type_single fmt (_, id, d) = let vs,cs = specialize d in fprintf fmt "@[%a %a@] =@\n @[%a@]" ident id alg_type_parameters vs (print_list newline alg_type_constructor) cs let explanation fmt e = fprintf fmt "\"fun:%s\"@ " e.lemma_or_fun_name; fprintf fmt "\"beh:%s\"@ " e.behavior; fprintf fmt "\"expl:%s\"@ " (Explain.msg_of_kind ~name:e.lemma_or_fun_name e.vc_kind); let (f,l,b,e) = e.vc_loc in fprintf fmt "#\"%s\" %d %d %d#" f l (max b 0) (max e 0) (* dead code let logic_kind fmt = function | Function _ -> fprintf fmt "function" | Predicate _ -> fprintf fmt "predicate" *) let decl fmt d = match d with | Dtype (_, id, pl) -> fprintf fmt "@[type %a%a@]" ident id type_parameters pl | Dalgtype ls -> let andsep fmt () = fprintf fmt "@\n" in fprintf fmt "@[type %a@]" (print_list andsep alg_type_single) ls | Dlogic (_, id, lt) -> let lt = specialize lt in logic_type fmt id lt | Dpredicate_def (_, id, def) -> let bl,p = specialize def in fprintf fmt "@[predicate %a %a =@ %a@]" ident id (print_list space logic_binder) bl predicate p | Dinductive_def (_, id, indcases) -> let bl,l = specialize indcases in begin match l with | [] -> fprintf fmt "@[inductive %a %a@]" ident id (print_list space pure_type) bl | _ -> fprintf fmt "@[inductive %a %a@] =@\n @[%a@]@\n@\n@]" ident id (print_list space pure_type) bl (print_list newline (fun fmt (id,p) -> fprintf fmt "@[| %a: %a@]" ident_capitalize id predicate p)) l end | Dfunction_def (_, id, def) -> let bl,pt,t = specialize def in fprintf fmt "@[function %a %a : %a =@ %a@]" ident id (print_list space logic_binder) bl pure_type pt term t | Daxiom (_, id, p) -> let p = specialize p in fprintf fmt "@[axiom %a:@ %a@]" string_capitalize id predicate p | Dgoal (_, is_lemma, expl, id, sq) -> let sq = specialize sq in fprintf fmt "@[%s %s %a:@\n%a@]" (if is_lemma then "lemma" else "goal") (String.capitalize id) explanation expl sequent sq let decl fmt d = fprintf fmt "@[%a@]@\n@\n" decl d (* let print_file fmt = fprintf fmt "@[theory Why2@\n"; fprintf fmt "use Tuple0@\n"; fprintf fmt "use int.Int@\n"; fprintf fmt "use int.Abs as AbsInt@\n"; fprintf fmt "use int.ComputerDivision@\n"; fprintf fmt "use real.Real@\n"; fprintf fmt "use real.Abs as AbsReal@\n"; fprintf fmt "use bool.Bool@\n"; iter (decl fmt); fprintf fmt "@]@\nend@?" let print_trace fmt id expl = fprintf fmt "[%s]@\n" id; Explain.print fmt expl; fprintf fmt "@\n" let print_traces fmt = iter (function | Dgoal (_loc, expl, id, _) -> print_trace fmt id ((*loc,*)expl) | _ -> ()) let output_file f = print_in_file print_file (Options.out_file (f ^ "_why3.why")) *) (* let output_files f = eprintf "Starting Multi-Why output with basename %s@." f; let po = ref 0 in print_in_file (fun ctxfmt -> iter (function | Dgoal (_loc,expl,id,_) as d -> incr po; let fpo = f ^ "_po" ^ string_of_int !po ^ ".why" in print_in_file (fun fmt -> decl fmt d) fpo; if explain_vc then let ftr = f ^ "_po" ^ string_of_int !po ^ ".xpl" in print_in_file (fun fmt -> print_trace fmt id ((*loc,*)expl)) ftr | d -> decl ctxfmt d)) (f ^ "_ctx.why"); eprintf "Multi-Why output done@." let push_or_output_decl = let po = ref 0 in function d -> match d with | Dgoal (_loc,expl,id,_) as d -> incr po; let fpo = Options.out_file (id ^ ".why") in print_in_file (fun fmt -> decl fmt d) fpo; if explain_vc then let ftr = Options.out_file (id ^ ".xpl") in print_in_file (fun fmt -> print_trace fmt id ((*loc,*)expl)) ftr | d -> push_decl d *) module SMap = Map.Make(String) let escape s = let s = String.copy s in for i = 0 to String.length s - 1 do match s.[i] with | ' ' | '\'' | '`' -> s.[i] <- '_' | _ -> () done; s let print_structured_file f fmt = fprintf fmt "@[theory %s_ctx@\n" f; fprintf fmt "use int.Int@\n"; fprintf fmt "use int.Abs as AbsInt@\n"; fprintf fmt "use int.ComputerDivision@\n"; fprintf fmt "use real.Real@\n"; fprintf fmt "use real.FromInt@\n"; fprintf fmt "use real.Abs as AbsReal@\n"; fprintf fmt "use real.Square as SquareReal@\n"; fprintf fmt "use real.Trigonometry@\n"; fprintf fmt "use bool.Bool@\n"; fprintf fmt "use floating_point.Rounding@\n"; fprintf fmt "use floating_point.Single@\n"; fprintf fmt "use floating_point.Double@\n"; let lemmas = ref [] in let functions = ref SMap.empty in iter (function | Dgoal (_,is_lemma, e,_id,_) as d -> begin if is_lemma then lemmas := d :: !lemmas else let fn = e.lemma_or_fun_name in let behs = try SMap.find fn !functions with Not_found -> SMap.empty in let vcs = try SMap.find e.behavior behs with Not_found -> [] in let behs = SMap.add e.behavior (d::vcs) behs in functions := SMap.add fn behs !functions; end | d -> decl fmt d); (* add any function which have no VC *) Hashtbl.iter (fun _key (fn,_beh,_loc) -> try let _ = SMap.find fn !functions in () with Not_found -> functions := SMap.add fn SMap.empty !functions) Util.program_locs ; (* outputs the lemmas and close the ctx theory*) List.iter (decl fmt) (List.rev !lemmas); fprintf fmt "@]@\nend@\n@."; (* outputs the VCs *) SMap.iter (fun fname behs -> (* let floc = try let (_,_,floc) = Hashtbl.find Util.program_locs fname in floc with Not_found -> Loc.dummy_floc in *) SMap.iter (fun beh vcs -> fprintf fmt "@[theory %a_%s@\n" string_capitalize (escape fname) (escape beh); fprintf fmt "use import %s_ctx@\n" f; List.iter (decl fmt) (List.rev vcs); fprintf fmt "@]@\nend@\n@.") behs) !functions let output_structured_file f = print_in_file (print_structured_file (String.capitalize (Filename.basename f))) (Options.out_file (f ^ "_why3.why")) let output_file = output_structured_file why-2.39/src/ocaml.mli0000644000106100004300000000457713147234006013633 0ustar marchevals(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2017 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (**************************************************************************) (*s Ocaml code output *) open Format open Types open Env val push_parameters : Ident.t list -> type_v -> unit val push_program : Ident.t -> typed_expr -> unit val output : formatter -> unit why-2.39/src/encoding_mono_inst.mli0000644000106100004300000000471213147234006016402 0ustar marchevals(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2017 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (**************************************************************************) (* make a monorphic output for provers not supporting polymorphism (e.g. PVS or CVC Lite) *) (* input... *) val push_decl : Logic_decl.t -> unit (* ...and output *) val iter : (Logic_decl.t -> unit) -> unit val reset : unit -> unit val create_ident_id : string why-2.39/src/typing.mli0000644000106100004300000000563213147234006014043 0ustar marchevals(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2017 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (**************************************************************************) (*s This module realizes type and effect inference *) open Types open Ptree open Ast open Env val typef : Label.t -> local_env -> parsed_program -> typed_expr val check_for_not_mutable : Loc.position -> type_v -> unit val is_pure_type : type_v -> bool val is_pure_type_v : type_v -> bool val type_c_of_typing_info : assertion list -> typing_info -> type_c val typing_info_of_type_c : Loc.position -> local_env -> label -> type_c -> typing_info (* val gmake_node : Loc.position -> local_env -> label -> (* userlabel *) label -> ?post:postcondition option -> typing_info t_desc -> type_v -> Effect.t -> typed_expr *) val conj : postcondition option -> postcondition option -> postcondition option why-2.39/src/encoding_strat.mli0000644000106100004300000000443513147234006015534 0ustar marchevals(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2017 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (**************************************************************************) val reset : unit -> unit val push : Logic_decl.t -> unit val iter : (Logic_decl.t -> unit) -> unit why-2.39/src/report.ml0000644000106100004300000002121713147234006013670 0ustar marchevals(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2017 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (**************************************************************************) open Format open Error exception Error of Error.t let report fmt = function | AnyMessage s -> fprintf fmt "Error: %s" s | UnboundVariable id -> fprintf fmt "Unbound variable %s" (Ident.string id) | UnboundReference id -> fprintf fmt "Unbound reference %s" (Ident.string id) | UnboundArray id -> fprintf fmt "Unbound array %s" (Ident.string id) | UnboundLabel s -> fprintf fmt "Unbound label '%s'" s | ReboundLabel s -> fprintf fmt "Rebound label '%s'" s | UnboundException id -> fprintf fmt "Unbound exception '%s'" (Ident.string id) | UnboundType id -> fprintf fmt "Unbound type '%a'" Ident.print id | Clash id -> fprintf fmt "Clash with previous constant %s" (Ident.string id) | ClashParam id -> fprintf fmt "Clash with previous parameter %s" (Ident.string id) | ClashExn id -> fprintf fmt "Clash with previous exception %s" (Ident.string id) | ClashRef id -> fprintf fmt "Clash with previous reference %s" (Ident.string id) | ClashType id -> fprintf fmt "Clash with previous type %s" (Ident.string id) | Undefined id -> fprintf fmt "The object %s is undefined" (Ident.string id) | NotAReference id -> fprintf fmt "%s is not a reference" (Ident.string id) | NotAnArray id -> fprintf fmt "%s is not an array" (Ident.string id) | NotAnIndex -> fprintf fmt "@[This expression is an index@ and should have type int@]" | HasSideEffects -> fprintf fmt "This expression should not have side effects" | ShouldBeBoolean -> fprintf fmt "This expression should have type bool" | ShouldBeAlgebraic -> fprintf fmt "This expression should have an algebraic type" | ShouldBeAnnotated -> fprintf fmt "This test should be annotated" | CannotBeMutable -> fprintf fmt "This expression cannot be a mutable" | MustBePure -> fprintf fmt "@[This expression must be pure@ "; fprintf fmt "(i.e. neither a mutable nor a function)@]" | BranchesSameType -> fprintf fmt "@[The two branches of an `if' expression@ "; fprintf fmt "should have the same type@ "; fprintf fmt "(or the `else' branch has been omitted in a non-unit `if')"; fprintf fmt "@]" | LetRef -> fprintf fmt "References can only be bound in pure terms" | VariantInformative -> fprintf fmt "A variant should be informative" | ShouldBeInformative -> fprintf fmt "This term should be informative" | AppNonFunction -> fprintf fmt "@[This term cannot be applied@ "; fprintf fmt "(either it is not a function@ "; fprintf fmt "or it is applied to non pure arguments)@]" | TooManyArguments -> fprintf fmt "@[Too many arguments@]" | TooComplexArgument -> fprintf fmt "@[This argument is too complex; application cannot be given a type@]" | Alias id -> fprintf fmt "@[Application to %a creates an alias@]" Ident.print id | PartialApp -> fprintf fmt "@[This function does not have@ "; fprintf fmt "the right number of arguments@]" | ExpectedType v -> fprintf fmt "@[This term is expected to have type@ "; v fmt; fprintf fmt "@]" | ExpectedType2 (v1, v2) -> fprintf fmt "@[This term has type %a but is expected to have type@ %a@]" (fun fmt () -> v1 fmt) () (fun fmt () -> v2 fmt) () | TermExpectedType (t,v) -> fprintf fmt "@[Term "; t fmt; fprintf fmt "@ is expected to have type@ "; v fmt; fprintf fmt "@]" | ExpectsAType id -> fprintf fmt "@[The argument %s@ " (Ident.string id); fprintf fmt "in this application is supposed to be a type@]" | ExpectsATerm id -> fprintf fmt "@[The argument %s@ " (Ident.string id); fprintf fmt "in this application is supposed to be a term@]" | ShouldBeVariable -> fprintf fmt "@[This argument should be a variable@]" | ShouldBeReference id -> fprintf fmt "@[The argument %a@ " Ident.print id; fprintf fmt "in this application should be a reference@]" | ShouldNotBeReference -> fprintf fmt "@[This argument should not be a reference@]" | IllTypedArgument f -> fprintf fmt "@[This argument should have type@ "; f fmt; fprintf fmt "@]" | NoVariableAtDate (id, d) -> fprintf fmt "Variable %a is unknown at date %s" Ident.print id d | MutableExternal -> fprintf fmt "@[An external value cannot be mutable;@ "; fprintf fmt "use parameter instead@]" | ExceptionArgument (id, true) -> fprintf fmt "Exception %a needs an argument" Ident.print id | ExceptionArgument (id, false) -> fprintf fmt "Exception %a has no argument" Ident.print id | CannotBeRaised id -> fprintf fmt "Exception %a cannot be raised" Ident.print id | MutableMutable -> fprintf fmt "A mutable type cannot contain another mutable type or a function" | PolymorphicGoal -> fprintf fmt "A goal cannot be polymorphic" | NonExhaustive id -> fprintf fmt "Non-exhausitive pattern matching, missing constructor %a" Ident.print id | PatternBadArity -> fprintf fmt "A pattern variable occurs several times" | TypeBadArity -> fprintf fmt "A type parameter occurs several times" | TypeArity (id, a, n) -> fprintf fmt "@[The type %a expects %d argument(s),@ " Ident.print id a; fprintf fmt "but is applied to %d argument(s)@]" n | GlobalWithEffects (id, e) -> fprintf fmt "@[Global %a has effects (@[%a@]).@\n" Ident.print id Effect.print e; fprintf fmt "A global declaration cannot have effects@]" | CannotGeneralize -> fprintf fmt "Cannot generalize" | IllformedPattern -> fprintf fmt "Ill-formed pattern found in trigger: predicates pattern should be atoms" | IllegalComparison f -> fprintf fmt "comparison on type "; f fmt; fprintf fmt " is not allowed" (* dead code let is_mutable = function Ref _ -> true | _ -> false let is_pure = function PureType _ -> true | _ -> false *) let raise_located loc e = raise (Loc.Located (loc, Error e)) let raise_unlocated e = raise (Error e) let raise_locop locop e = match locop with | None -> raise (Error e) | Some l -> raise (Loc.Located (l, Error e)) let rec explain_exception fmt = function (* | Lexer.Lexical_error s -> fprintf fmt "Lexical error: %s" s | Parsing.Parse_error -> fprintf fmt "Syntax error" *) | Stream.Error s -> fprintf fmt "Syntax error: %s" s | Loc.Located (loc, e) -> fprintf fmt "%a%a" Loc.report_position loc explain_exception e | Error e -> report fmt e | e -> fprintf fmt "Anomaly: %s" (Printexc.to_string e); raise e why-2.39/src/gappa.mli0000644000106100004300000000452213147234006013616 0ustar marchevals(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2017 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (**************************************************************************) val reset : unit -> unit val push_decl : Logic_decl.t -> unit val output_one_file : allowedit:bool -> string -> unit val output_file : string -> unit why-2.39/src/rc.mli0000644000106100004300000000523713147234006013136 0ustar marchevals(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2017 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (**************************************************************************) type rc_value = | RCint of int | RCbool of bool | RCfloat of float | RCstring of string | RCident of string val int : rc_value -> int (** raise Failure "Rc.int" if not a int value *) val bool : rc_value -> bool (** raise Failure "Rc.bool" if not a int value *) val string : rc_value -> string (** raise Failure "Rc.string" if not a string or an ident value *) val from_file : string -> (string * (string * rc_value) list) list val get_home_dir : unit -> string why-2.39/src/types.mli0000644000106100004300000000535313147234006013675 0ustar marchevals(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2017 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (**************************************************************************) (*s Types for programs. Types of values ([type_v]) and computations ([type_c]) *) open Logic type assertion = predicate type precondition = assertion type postcondition = assertion * (Ident.t * assertion) list type 'a binder = Ident.t * 'a type type_v = | PureType of pure_type | Ref of pure_type | Arrow of type_v binder list * type_c and type_c = { c_result_name : Ident.t; c_result_type : type_v; c_effect : Effect.t; c_pre : precondition list; c_post : postcondition option } type transp = Transparent | Opaque why-2.39/src/encoding_rec.ml0000644000106100004300000003706013147234006014777 0ustar marchevals(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2017 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (**************************************************************************) open Options open Cc open Logic open Logic_decl let loc = Loc.dummy_floc let prefix = "c_" let suffix = "_c" let var = "x" let tvar = "t" (* dead code let cpt = ref 0 *) let axiom c = c ^ "_to_" ^ (c^suffix) (* dead code let def c = "def_"^c *) (* The unique type for all terms *) let ut = PTexternal ([], Ident.create (prefix^"unique")) let unify ptl = List.map (fun _ -> ut) ptl let prelude = (Dtype (loc, Ident.create (prefix^"unique"), [])):: (* The unique sort *) (Dlogic (loc, Ident.create (prefix^"sort"), Env.empty_scheme (Function ([ut; ut], ut)))):: (* The "sort" symbol *) (Dlogic (loc, Ident.create (prefix^"int"), Env.empty_scheme (Function ([], ut)))):: (* One synbol for each prefedined type *) (Dlogic (loc, Ident.create (prefix^"bool"), Env.empty_scheme (Function ([], ut)))):: (Dlogic (loc, Ident.create (prefix^"real"), Env.empty_scheme (Function ([], ut)))):: (Dlogic (loc, Ident.create (prefix^"unit"), Env.empty_scheme (Function ([], ut)))):: (Dlogic (loc, Ident.create ("equal"^suffix), Env.empty_scheme (Predicate ([ut; ut])))):: (* One 'untyped' predicate of equality *) (* (Daxiom (loc, axiom "equal", *) (* let t = Ident.create "t" *) (* and x = Ident.create "x" *) (* and y = Ident.create "y" in *) (* Env.empty_scheme *) (* (Forall (false, t, t, ut, *) (* Forall (false, x, x, ut, *) (* Forall (false, y, y, ut, *) (* (Pimplies *) (* (false, *) (* (Papp (Ident.create ("equal"^suffix), *) (* [Tapp (Ident.create (prefix^"sort"), *) (* [Tvar t; Tvar x], []); *) (* Tapp (Ident.create (prefix^"sort"), *) (* [Tvar t; Tvar y], [])], [])), *) (* (Papp (Ident.t_eq, [Tvar x; Tvar y], [])))) *) (* )))))):: (\* and the corresponding axiom to link it with the built-in = predicate *\) *) [] (* A list of polymorphic constants *) let poly_consts = ref [] let type_vars t = let rec aux acc t = match t with | PTvar ({type_val = None} as var) -> var::acc | PTvar {type_val = Some pt} -> aux acc pt | PTexternal (ptl, _id) -> List.fold_left aux acc ptl | _ -> [] in aux [] t let is_poly_cons ptl rt = let largs = List.fold_left List.append [] (List.map type_vars ptl) and lres = type_vars rt in List.exists (fun t -> not (List.mem t largs)) lres let i_ex id = (* Big big HACK... *) match Ident.string id with "nil" -> Ident.create "list" | "null" -> Ident.create "pointer" | "pset_empty" -> Ident.create "pset" | _ -> Ident.create "unknown poly-const" (* Function that plunges a term under its type information. *) (* Uses an assoc. list of tags -> idents for type variables *) let plunge fv term pt = let rec leftt pt = match pt with PTint -> Tapp (Ident.create (prefix^"int"), [], []) | PTbool -> Tapp (Ident.create (prefix^"bool"), [], []) | PTreal -> Tapp (Ident.create (prefix^"real"), [], []) | PTunit -> Tapp (Ident.create (prefix^"unit"), [], []) | PTvar ({type_val = None} as var) -> let t = try (List.assoc var.tag fv) with _ -> let s = string_of_int var.tag in (if debug then print_endline ("unknown vartype : "^s); s) in Tvar (Ident.create t) | PTvar {type_val = Some pt} -> leftt pt | PTexternal (ptl, id) -> Tapp (id, List.map (fun pt -> leftt pt) ptl, []) in Tapp (Ident.create (prefix^"sort"), [leftt pt; term], []) (* The core *) let queue = Queue.create () let reset () = poly_consts := []; Queue.clear queue let push d = match d with (* Dans le cas type on déclare la fonction correspondante, *) (* d'arité correspondant à la taille du schéma de ce type *) | Dtype (loc, ident, vars) -> Queue.add (Dlogic (loc, ident, Env.empty_scheme (Function (unify vars, ut)))) queue | Dalgtype _ -> assert false (* failwith "encoding rec: algebraic types are not supported" *) (* Dans le cas logique, on redéfinit le prédicat/la fonction *) (* avec le type u, et on fait un prédicat/une fonction qui *) (* l'appelle avec les informations de type *) | Dlogic (loc, ident, arity) -> let cpt = ref 0 in let fv = Env.Vset.fold (fun tv acc -> cpt := !cpt + 1; (tv.tag, tvar^(string_of_int !cpt))::acc) (arity.Env.scheme_vars) [] in let name = Ident.string ident in (match arity.Env.scheme_type with | Predicate ptl -> let args = List.map (fun t -> Ident.create (let _ = cpt := !cpt + 1 in var^(string_of_int !cpt)), t) ptl in let terml = Papp (Ident.create (name^suffix), List.map (fun (id, t) -> plunge fv (Tvar id) t) args, []) and termr = Papp (ident, List.map (fun (t, _) -> Tvar t) args, []) in let rec lifted l p = match l with [] -> p | a::q -> lifted q (Forall(false, a, a, ut, [], p)) in let ax = Env.empty_scheme (lifted ((fst (List.split args))@(List.map (fun i -> Ident.create i) (snd (List.split fv)))) (Piff (terml, termr))) in (Queue.add (Dlogic (loc, Ident.create (name^suffix), Env.empty_scheme (Predicate (unify ptl)))) queue; Queue.add (Dlogic (loc, ident, Env.empty_scheme (Predicate (unify ptl)))) queue; Queue.add (Daxiom (loc, axiom name, ax)) queue) | Function (ptl, rt) -> let _ = if is_poly_cons ptl rt then (if debug then print_endline ("Constante polymorphe détectée : "^name); poly_consts := name :: !poly_consts) else () in let args = List.map (fun t -> Ident.create (let _ = cpt := !cpt + 1 in var^(string_of_int !cpt)), t) ptl in let terml = Tapp (Ident.create (name^suffix), List.map (fun (id, t) -> plunge fv (Tvar id) t) args, []) and termr = plunge fv (Tapp (ident, List.map (fun (t, _) -> Tvar t) args, [])) rt in let rec lifted l p = match l with [] -> p | a::q -> lifted q (Forall(false, a, a, ut, [], p)) in let ax = Env.empty_scheme (lifted ((fst (List.split args))@(List.map (fun i -> Ident.create i) (snd (List.split fv)))) (Papp (Ident.t_eq, [terml;termr], []))) in (Queue.add (Dlogic (loc, Ident.create (name^suffix), Env.empty_scheme (Function (unify ptl, ut)))) queue; Queue.add (Dlogic (loc, ident, Env.empty_scheme (Function (unify ptl, ut)))) queue; Queue.add (Daxiom (loc, axiom name, ax)) queue)) (* A predicate definition can be handled as a predicate logic definition + an axiom *) | Dpredicate_def (_loc, _ident, _pred_def_sch) -> assert false (* let p = pred_def_sch.Env.scheme_type in let rec lifted_t l p = match l with [] -> p | (a,t)::q -> lifted_t q (Forall(false, a, a, t, [], p)) in let name = Ident.string ident in push (Dlogic (loc, ident, (Env.generalize_logic_type (Predicate (snd (List.split (fst p))))))); push (Daxiom (loc, def name, (Env.generalize_predicate (lifted_t (fst p) (Piff ((Papp (ident, List.map (fun (i,_) -> Tvar i) (fst p), [])), (snd p))))))) *) | Dinductive_def _ -> assert false (* failwith "encoding rec: inductive def not yet supported" *) (* A function definition can be handled as a function logic definition + an axiom *) | Dfunction_def (_loc, _ident, _fun_def_sch) -> assert false (* let f = fun_def_sch.Env.scheme_type in let rec lifted_t l p = match l with | [] -> p | (a,t)::q -> lifted_t q (Forall(false, a, a, t, [], p)) in let (ptl, rt, t) = f in let name = Ident.string ident in push (Dlogic (loc, ident, (Env.generalize_logic_type (Function (snd (List.split ptl), rt))))); push (Daxiom (loc, def name, (Env.generalize_predicate (lifted_t ptl (Papp (Ident.t_eq, [(Tapp (ident, List.map (fun (i,_) -> Tvar i) ptl, [])); t], [])))))) *) | Daxiom (loc, name, pred_sch) -> let cpt = ref 0 in let fv = Env.Vset.fold (fun tv acc -> cpt := !cpt + 1; (tv.tag, tvar^(string_of_int !cpt))::acc) (pred_sch.Env.scheme_vars) [] in let rec translate_eq lv = function | Papp (id, tl, inst) when Ident.is_eq id -> Papp (id, List.map (translate_term lv) tl, inst) (* Papp (Ident.create (prefix^"equal"), List.map (translate_term lv) tl, inst) *) | Papp (id, tl, inst) -> Papp (Ident.create (Ident.string id^suffix), List.map (translate_term lv) tl, inst) | Pimplies (iswp, p1, p2) -> Pimplies (iswp, translate_eq lv p1, translate_eq lv p2) | Pif (t, p1, p2) -> Pif (translate_term lv t, translate_eq lv p1, translate_eq lv p2) | Pand (iswp, issym, p1, p2) -> Pand (iswp, issym, translate_eq lv p1, translate_eq lv p2) | Por (p1, p2) -> Por (translate_eq lv p1, translate_eq lv p2) | Piff (p1, p2) -> Piff (translate_eq lv p1, translate_eq lv p2) | Pnot p -> Pnot (translate_eq lv p) | Forall (iswp, id, n, pt, tl, p) -> let lv' = (n,pt)::lv in let tl' = List.map (List.map (translate_pattern lv')) tl in Forall (iswp, id, n, ut, tl', translate_eq lv' p) | Forallb (iswp, p1, p2) -> Forallb (iswp, translate_eq lv p1, translate_eq lv p2) | Exists (id, n, pt, p) -> Exists (id, n, ut, translate_eq ((n,pt)::lv) p) | Pnamed (s, p) -> Pnamed (s, translate_eq lv p) | _ as d -> d and translate_pattern lv = function | TPat t -> TPat (translate_term lv t) | PPat p -> PPat (translate_eq lv p) and translate_term lv = function | Tvar id -> plunge fv (Tvar id) (List.assoc id lv) | Tapp (id, tl, inst) when List.mem (Ident.string id) !poly_consts -> if inst = [] then (print_string "probleme probleme"; Tapp (Ident.create (Ident.string id ^suffix), List.map (translate_term lv) tl, inst)) else plunge fv (Tapp (id, List.map (translate_term lv) tl, inst)) (PTexternal (inst, i_ex id)) (* HACK !! *) | Tapp (id, tl, inst) -> Tapp (Ident.create (Ident.string id ^suffix), List.map (translate_term lv) tl, inst) | Tconst (ConstInt _) as t -> plunge fv t PTint | Tconst (ConstBool _) as t -> plunge fv t PTbool | Tconst (ConstUnit) as t -> plunge fv t PTunit | Tconst (ConstFloat _) as t -> plunge fv t PTreal | _ as t -> t in let rec lifted l p = match l with [] -> p | (_,a)::q -> lifted q (Forall(false, Ident.create a, Ident.create a, ut, [], p)) in Queue.add (Daxiom (loc, name, Env.empty_scheme (lifted fv (translate_eq [] pred_sch.Env.scheme_type)))) queue | Dgoal (loc, is_lemma, expl, name, s_sch) -> let cpt = ref 0 in let (cel, pred) = s_sch.Env.scheme_type in let fv = Env.Vset.fold (fun tv acc -> cpt := !cpt + 1; (tv.tag, tvar^(string_of_int !cpt))::acc) (s_sch.Env.scheme_vars) [] in let lookup id = let rec aux = function | [] -> raise Not_found | (Svar (i, pt))::_q when id = i -> pt | (Spred (_, _))::q | (Svar (_,_))::q -> aux q in aux cel in let rec translate_eq lv = function | Papp (id, tl, inst) when Ident.is_eq id -> Papp (id, List.map (translate_term lv) tl, inst) (* Papp (Ident.create (prefix^"equal"), List.map (translate_term lv) tl, inst) *) | Papp (id, tl, inst) -> Papp (Ident.create (Ident.string id^suffix), List.map (translate_term lv) tl, inst) | Pimplies (iswp, p1, p2) -> Pimplies (iswp, translate_eq lv p1, translate_eq lv p2) | Pif (t, p1, p2) -> Pif (translate_term lv t, translate_eq lv p1, translate_eq lv p2) | Pand (iswp, issym, p1, p2) -> Pand (iswp, issym, translate_eq lv p1, translate_eq lv p2) | Por (p1, p2) -> Por (translate_eq lv p1, translate_eq lv p2) | Piff (p1, p2) -> Piff (translate_eq lv p1, translate_eq lv p2) | Pnot p -> Pnot (translate_eq lv p) | Forall (iswp, id, n, pt, tl, p) -> let lv' = (n,pt)::lv in let tl' = List.map (List.map (translate_pattern lv')) tl in Forall (iswp, id, n, ut, tl', translate_eq lv' p) | Forallb (iswp, p1, p2) -> Forallb (iswp, translate_eq lv p1, translate_eq lv p2) | Exists (id, n, pt, p) -> Exists (id, n, ut, translate_eq ((n,pt)::lv) p) | Pnamed (s, p) -> Pnamed (s, translate_eq lv p) | _ as d -> d and translate_pattern lv = function | TPat t -> TPat (translate_term lv t) | PPat p -> PPat (translate_eq lv p) and translate_term lv = function | Tvar id -> (try (plunge fv (Tvar id) (List.assoc id lv)) with Not_found -> plunge fv (Tvar id) (lookup id)) | Tapp (id, tl, inst) when List.mem (Ident.string id) !poly_consts -> if inst = [] then (print_string "probleme probleme"; Tapp (Ident.create (Ident.string id ^suffix), List.map (translate_term lv) tl, inst)) else plunge fv (Tapp (id, List.map (translate_term lv) tl, inst)) (PTexternal (inst, i_ex id)) (* HACK !! *) | Tapp (id, tl, inst) -> Tapp (Ident.create (Ident.string id ^suffix), List.map (translate_term lv) tl, inst) | Tconst (ConstInt _) as t -> plunge fv t PTint | Tconst (ConstBool _) as t -> plunge fv t PTbool | Tconst (ConstUnit) as t -> plunge fv t PTunit | Tconst (ConstFloat _) as t -> plunge fv t PTreal | _ as t -> t in (* dead code let rec lifted l p = match l with [] -> p | (_,a)::q -> lifted q (Forall(false, Ident.create a, Ident.create a, ut, [], p)) in *) Queue.add (Dgoal (loc, is_lemma, expl, name, Env.empty_scheme (List.map (fun s -> match s with Spred (id, p) -> Spred (id, translate_eq [] p) | s -> s) cel, translate_eq [] pred))) queue let iter f = (* first the prelude *) List.iter f prelude; (* then the queue *) Queue.iter f queue why-2.39/src/project.mli0000644000106100004300000000711313147234006014173 0ustar marchevals(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2017 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (**************************************************************************) type goal = private { goal_expl : Logic_decl.vc_expl; goal_file : string; sub_goal : goal list; proof : (string*string*string*string*string) list; mutable goal_tags : (string*string) list; } type lemma = private { lemma_name : string; lemma_loc : Loc.floc; lemma_goal : goal; mutable lemma_tags : (string*string) list; } type behavior = { behavior_name : string; behavior_loc : Loc.floc; mutable behavior_goals : goal list; mutable behavior_tags : (string*string) list; } type funct = private { function_name : string; function_loc : Loc.floc; mutable function_behaviors : behavior list; mutable function_tags : (string*string) list; } type t = private { project_name : string; mutable project_context_file : string; mutable project_lemmas : lemma list; mutable project_functions : funct list; } (* creations *) val create : string -> t val set_project_context_file : t -> string -> unit val add_lemma : t -> string -> Logic_decl.vc_expl -> string -> lemma val add_function : t -> string -> Loc.floc -> funct val add_behavior : funct -> string -> Loc.floc -> behavior val add_goal : behavior -> Logic_decl.vc_expl -> string -> goal (* toggle visibility *) val toggle_lemma : lemma -> unit val toggle_function : funct -> unit val toggle_behavior : behavior -> unit val toggle_goal : goal -> unit (* save/load *) val save : t -> string -> unit val load : string -> t why-2.39/src/monad.ml0000644000106100004300000004161613147234006013460 0ustar marchevals(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2017 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (**************************************************************************) open Misc open Ident open Effect open Util open Logic open Types open Ast open Cc open Rename open Env open Typing (*s [product ren [y1,z1;...;yk,zk] q] constructs the (possibly dependent) tuple type $z1 \times ... \times zk$ if no postcondition or $\exists. y1:z1. ... yk:zk. (Q x1 ... xn)$ otherwise *) let make_bl = List.map (fun (id,t) -> (id, CC_var_binder t)) let product w q = match q, w with | None, [_, v] -> v | _ -> TTtuple (make_bl w, q) (*s [arrow_pred ren v pl] abstracts the term [v] over the pre-condition if any i.e. computes (P1 x1 ... xn) -> ... -> (Pk x1 ... xn) -> v where the [xi] are given by the renaming [ren]. *) let arrow_pred ren env v pl = List.fold_right (fun p t -> let p = apply_assert ren env p in TTarrow ((Ident.anonymous, CC_pred_binder p), t)) pl v let arrow_vars = List.fold_right (fun (id,v) t -> TTarrow ((id, CC_var_binder v), t)) let lambda_vars = List.fold_right (fun (id,v) t -> TTlambda ((id, CC_var_binder v), t)) (* type of the argument of an exception; unit if none *) let exn_arg_type x = TTpure (match find_exception x with None -> PTunit | Some pt -> pt) (* monadic type for exceptions: (EM E1 (EM E1 ... (EM Ek T))) *) let trad_exn_type = List.fold_right (fun id t -> TTapp (tt_var Ident.exn_type, [exn_arg_type id; t])) (*s Translation of effects types in CC types. [trad_type_v] and [trad_type_c] translate types with effects into CC types. *) let rec trad_type_c ren env k = let ((_,v),e,p,q) = decomp_type_c k in let i,o,x,_ = get_repr e in let before = label_name () in let ren' = next (push_date ren before) o in let lo = output ren' env (v,o,x) in let q = option_app (apply_post before ren' env) q in let ty = product lo (make_applied_post ren' env k q) in let ty = arrow_pred ren env ty p in let li = input ren env i in arrow_vars li ty and trad_type_v ren env = function | Ref _ -> assert false | Arrow (bl, c) -> let bl',ren',env' = List.fold_left (fun (bl,ren,env) b -> match b with | (id, (Ref _ as v)) -> let env' = Env.add id v env in let ren' = initial_renaming env' in (bl, ren', env') | (id, v) -> let tt = trad_type_v ren env v in let env' = Env.add id v env in let ren' = initial_renaming env' in (id,tt)::bl, ren', env') ([],ren,env) bl in arrow_vars (List.rev bl') (trad_type_c ren' env' c) | PureType c -> TTpure c and input ren env i = prod ren env i and output ren env (v,o,x) = let tv = trad_type_v ren env v in (prod ren env o) @ [result, trad_exn_type x tv] and prod ren env g = List.map (fun id -> (current_var ren id, trad_type_in_env ren env id)) g and trad_imp_type _ren _env = function | Ref v -> TTpure v | _ -> assert false and trad_type_in_env ren env id = let v = type_in_env env id in trad_imp_type ren env v (* builds (qcomb [r][Q1] (qcomb [r][Q2] (... (qcomb [r][Qn] [r]Q)))) *) and make_post ren env res k q = let q = post_app (subst_in_predicate (subst_onev result res)) q in let abs_pred v c = lambda_vars [res, trad_type_v ren env v] (TTpred c) in List.fold_right (fun x c -> let tx = match find_exception x with None -> PTunit | Some pt -> pt in let tx = PureType tx in let qx = post_exn x q in TTapp (tt_var exn_post, [abs_pred tx qx; c])) (get_exns k.c_effect) (abs_pred k.c_result_type (post_val q)) (* same, applied on [result] *) and make_applied_post ren env k = function | None -> None | Some (a, []) -> Some (TTpred a) | Some q -> let tt = make_post ren env result k q in Some (TTapp (tt, [tt_var result])) let a_make_post ren env r k q = make_post ren env r (type_c_of_typing_info [] k) (post_app a_value q) (* translation of type scheme *) let trad_scheme_v ren env s = let (l,v) = specialize_type_scheme s in Vmap.fold (fun _ v cc -> TTarrow((Ident.create ("A"^(string_of_int v.tag)), CC_var_binder TTSet),cc)) l (trad_type_v ren env v) (* builds [Val Ex] *) let make_valx x = CC_app (CC_term (Tvar Ident.exn_val), CC_type (exn_arg_type x)) (* builds [Val_e1 (Val_e2 ... (Val_en t))] *) let make_val t xs = List.fold_right (fun x cc -> CC_app (make_valx x, cc)) xs t (* builds [Val_e1 (Val_e2 ... (Exn_ei t))] *) let rec make_exn ty x v = function | [] -> assert false | y :: yl when x = y -> let v = match v with Some v -> v | None -> Tconst ConstUnit in CC_app (CC_app (CC_term (Tvar Ident.exn_exn), CC_type (trad_exn_type yl ty)), CC_term v) | y :: yl -> CC_app (make_valx y, make_exn ty x v yl) (*s The Monadic operators. They are operating on values of the following type [interp] (functions producing a [cc_term] when given a renaming data structure). *) type interp = Rename.t -> (Loc.position * predicate) cc_term type result = | Value of term | Exn of Ident.t * term option let apply_result ren env = function | Value t -> Value (apply_term ren env t) | Exn (x, Some t) -> Exn (x, Some (apply_term ren env t)) | Exn (_, None) as e -> e (*s [unit k t ren env] constructs the tuple (y1, ..., yn, t, ?::(q/ren y1 ... yn t)) where the [yi] are the values of the output of [k]. If there is no [yi] and no postcondition, it is simplified into [t] itself. *) let result_term ef v = function | Value t -> make_val (CC_term t) (Effect.get_exns ef) | Exn (x, t) -> make_exn v x t (Effect.get_exns ef) let unit info r ren = let env = info.t_env in let r = apply_result ren env r in let v = trad_type_v ren env info.t_result_type in let ef = info.t_effect in let t = result_term ef v r in let q = info.t_post in let ids = get_writes ef in if ids = [] && q = None then t else let hole, holet = match q with | None -> [], None | Some q -> (* proof obligation *) let h = let q = a_apply_post info.t_label ren env q in let a = match r with | Value _ -> post_val q | Exn (x,_) -> post_exn x q in match r with | Value t | Exn (_, Some t) -> a.a_loc, simplify (tsubst_in_predicate (subst_one result t) a.a_value) | Exn _ -> a.a_loc, a.a_value in (* type of the obligation: [y1]...[yn][res]Q *) let ht = let _,o,_xs,_ = get_repr ef in let ren' = Rename.next ren (result :: o) in let result' = current_var ren' result in let q = a_apply_post info.t_label ren' env q in let c = a_make_post ren' env result' info q in let bl = List.map (fun id -> (current_var ren' id, trad_type_in_env ren env id)) o in lambda_vars bl c in [ CC_hole h ], Some ht in CC_tuple ( (List.map (fun id -> let id' = current_var ren id in CC_var id') ids) @ t :: hole, holet) (*s \pagebreak Case patterns *) (* pattern for an exception: (Val (Val ... (Exn v))) *) let exn_pattern dep x res xs = let rec make = function | [] -> assert false | y :: _yl when x = y -> PPcons ((if dep then exn_qexn else exn_exn), res) | _y :: yl -> PPcons ((if dep then exn_qval else exn_val), [make yl]) in make xs (* pattern for a value: (Val (Val ... (Val v))) *) let val_pattern dep res xs = let t = if dep then [PPcons (exist, res)] else res in let id = if dep then exn_qval else exn_val in List.hd (List.fold_right (fun _x cc -> [PPcons (id, cc)]) xs t) (*s [compose k1 e1 e2 ren env] constructs the term [ let h1 = ?:P1 in ... let hn = ?:Pm in ] let y1,y2,...,yn, res1 [,q] = in where [ren' = next w1 ren] and [y1,...,yn = w1/ren] *) let binding_of_alist ren env = List.map (fun (id,id') -> (id', CC_var_binder (trad_type_in_env ren env id))) let make_pre env ren p = let p = a_apply_assert ren env p in p.a_name, (p.a_loc, p.a_value) let let_pre (id, h) cc = CC_letin (false, [id, CC_pred_binder (snd h)], CC_hole h, cc) (* dead code let let_many_pre = List.fold_right let_pre *) let decomp x b v = let var id = CC_term (Tvar id) in match b with | [] -> var v | (id,_) :: _ -> CC_app (var (decomp (List.length x)), var id) (* [isapp] signals an application. [handler x res : interp] is the handler for exception [x] with value [res]. *) let gen_compose isapp handler info1 e1 _info2 e2 ren = let env = info1.t_env in let (res1,v1),ef1,q1 = decomp_kappa info1 in let ren = push_date ren info1.t_label in let r1,w1,x1,_ = get_repr ef1 in let ren' = next ren w1 in let res1,ren' = fresh ren' res1 in let tv1 = trad_type_v ren env v1 in let tres1 = trad_exn_type x1 tv1 in let b = [res1, CC_var_binder tres1] in let b',dep = match q1 with | None -> [], false | Some q1 -> if x1 = [] then let (q,_) = a_apply_post info1.t_label ren' env q1 in let hyp = subst_in_predicate (subst_onev result res1) q.a_value in [q.a_name, CC_pred_binder hyp], true else let tt = TTapp (a_make_post ren' env res1 info1 q1, [tt_var res1]) in [post_name (), CC_var_binder tt], true in let vo = current_vars ren' w1 in let bl = (binding_of_alist ren env vo) @ b @ b' in let cc1 = if isapp then let input = List.map (fun (_,id') -> CC_var id') (current_vars ren r1) in cc_applist (e1 ren) input else e1 ren in let cc2 = if x1 = [] then (* e1 does not raise any exception *) e2 res1 ren' else (* e1 may raise an exception *) let q1 = option_app (a_apply_post info1.t_label ren' env) q1 in let q1 = optpost_app (subst_in_assertion (subst_onev result res1)) q1 in let pat_post a = PPvariable (a.a_name, CC_pred_binder a.a_value) in let exn_branch x = let px = (match find_exception x with | Some pt1 -> PPvariable (res1, CC_var_binder (TTpure pt1)) | None -> PPvariable (anonymous, CC_var_binder (TTpure PTunit))) :: (match q1 with | Some q1 -> let a = post_exn x q1 in [pat_post a] | None -> []) in exn_pattern dep x px x1, handler x res1 ren' in let pres1 = (PPvariable (res1, CC_var_binder tv1)) :: (match q1 with Some (q,_) -> [pat_post q] | None -> []) in CC_case (decomp x1 b' res1, (val_pattern dep pres1 x1, e2 res1 ren') :: (List.map exn_branch x1)) in CC_letin (dep, bl, cc1, cc2) (* [compose], [apply] and [handle] are instances of [gen_compose]. [compose] and [apply] use the default handler [reraise]. *) let reraise info x res = let xt = find_exception x in let r = Exn (x, option_app (fun _ -> Tvar res) xt) in unit info r let compose info1 e1 info2 e2 = gen_compose false (reraise info2) info1 e1 info2 e2 let apply info1 e1 info2 e2 = gen_compose true (reraise info2) info1 e1 info2 e2 (* dead code let lift x = fun _ -> CC_var x *) let handle info1 e1 info hl = let handler x res = let rec lookup = function | [] -> reraise info x res | ((y,_),h) :: _ when x = y -> h res | _ :: hl -> lookup hl in lookup hl in gen_compose false handler info1 e1 info (fun v -> unit info (Value (Tvar v))) (*s [exn] is the operator corresponding to [raise]. *) let exn info id t = unit info (Exn (id, t)) (*s [cross_label] is an operator to be used when a label is encountered *) let cross_label l e ren = e (push_date ren l) (*s Inserting assertions *) let insert_pre env p t ren = let_pre (make_pre env ren p) (t ren) let insert_many_pre env pl t = List.fold_left (fun t h -> insert_pre env h t) t pl (*s [abstraction env k e] abstracts a term [e] with respect to the list of read variables, to the preconditions/assertions, i.e. builds [x1]...[xk][h1:P1]...[hn:Pn]let h'1 = ?:P'1 in ... let H'm = ?:P'm in t *) let make_abs bl t = match bl with | [] -> t | _ -> cc_lam bl t let bind_pre ren env p = p.a_name, CC_pred_binder (a_apply_assert ren env p).a_value let abs_pre env pl t = List.fold_right (fun p t ren -> CC_lam (bind_pre ren env p, t ren)) pl t let abstraction info pl e ren = let env = info.t_env in let _,ef,_ = decomp_kappa info in let ids = get_reads ef in let al = current_vars ren ids in let bl = binding_of_alist ren env al in let c = abs_pre env pl e ren in make_abs bl c let fresh id e ren = let id',ren' = Rename.fresh ren id in e id' ren' (*s Well-founded recursion. \begin{verbatim} (well_founded_induction A R ?::(well_founded A R) [Phi:A] (bl) (x) Phi=phi(x) -> [Phi:A][w:(Phi0:A) Phi0 (bl) (x) Phi=phi(x) -> ] [bl][x][eq:Phi=phi(x)][h:
]

            )>

       phi(x) bl x ?::phi(x)=phi(x) ?::
)
    \end{verbatim}
*)

let wfrec_with_binders bl (_,phi,a,r) pre info f ren =
  let env = info.t_env in
  let vphi = variant_name () in
  let wr = get_writes info.t_effect in
  let info' = { info with t_effect = keep_writes info.t_effect } in
  let a = TTpure a in
  let w = wf_name () in
  let k = info' in
  let ren' = next ren (get_writes k.t_effect) in 
  let tphi = 
    tt_arrow bl (trad_type_c ren' env (type_c_of_typing_info pre k)) 
  in
  let vphi0 = variant_name () in
  let tphi0 = 
    let k0 = 
      type_c_subst (subst_onev vphi vphi0) (type_c_of_typing_info pre k) 
    in 
    tt_arrow bl (trad_type_c ren' env k0) 
  in
  let input ren =
    let args = List.map (fun (id,_) -> CC_var id) bl in
    let input = List.map (fun (_,id') -> CC_var id') (current_vars ren wr) in
    let pl = 
      (Misc.anonymous info.t_loc (equality phi phi)) :: pre
    in
    let holes = 
      List.map (fun p -> 
		  let p = a_apply_assert ren env p in
		  CC_hole (p.a_loc, p.a_value)) pl 
    in
    args @ input @ holes
  in
  let tw = 
    let r_phi0_phi = Papp (r, [Tvar vphi0; Tvar vphi], []) in
    TTarrow ((vphi0, CC_var_binder a),
	     TTarrow ((pre_name Anonymous, CC_pred_binder r_phi0_phi), tphi0))
  in
  let fw ren = 
    let tphi = apply_term ren env phi in
    let decphi = info.t_loc, Papp (r, [tphi; Tvar vphi], []) in
    cc_applist (CC_var w) ([CC_term tphi; CC_hole decphi] @ input ren) 
  in
  cc_applist (CC_var well_founded_induction)
    ([CC_type a; CC_term (Tvar r);
      CC_hole (info.t_loc, Papp (well_founded, [Tvar r], []));
      CC_type (TTlambda ((vphi, CC_var_binder a), tphi));
      cc_lam 
	([vphi, CC_var_binder a; w, CC_var_binder tw] @ bl)
	(abstraction info' pre (f fw) ren');
      CC_term (apply_term ren env phi)] @
     input ren)

let wfrec = wfrec_with_binders []


(*s Interpretations of recursive functions are stored in the following
    table. *)

let rec_table = Hashtbl.create 97

let is_rec = Hashtbl.mem rec_table
let find_rec = Hashtbl.find rec_table

let with_rec f tf e ren = 
  Hashtbl.add rec_table f tf; 
  let r = e ren in 
  Hashtbl.remove rec_table f; 
  r

why-2.39/src/main.ml0000644000106100004300000005661713147234006013315 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



open Options
open Ptree
open Ast
open Cc
open Types
open Env
open Typing
open Format
open Error
open Report
open Misc
open Util
open Logic
open Logic_decl


(*s Prover dependent functions. *)


let declarationQueue = Queue.create ()

let reset () =
  (*Queue.clear declarationQueue ;*)
  Vcg.logs := []; 
  match prover () with
    | Pvs -> Pvs.reset ()
    | Coq _ -> Coq.reset ()
    | HolLight -> Holl.reset ()
    | Mizar -> Mizar.reset ()
    | Isabelle -> Isabelle.reset ()
    | Hol4 -> Hol4.reset ()
    | SmtLib ->  ()
    | Harvey | Simplify | Zenon | Z3 | CVCLite  | Gappa | Vampire
    | Ergo | Why | MultiWhy | MultiAltergo | Why3 | Dispatcher 
    | WhyProject -> ()

let add_loc = function
  | Dtype (loc, s, _)
  | Dlogic (loc, s, _) -> Loc.add_ident (Ident.string s) loc
  | Dalgtype ls ->
      List.iter (fun (loc, s, _) -> Loc.add_ident (Ident.string s) loc) ls
  | Daxiom (loc, s, _) (* useful? *) -> Loc.add_ident s loc
  | Dpredicate_def (_loc, _s, _)
  | Dfunction_def (_loc, _s, _) 
  | Dinductive_def (_loc, _s , _) -> () (* TODO ? *)
  | Dgoal _ -> ()

let store_decl_into_a_queue d  = 
  Queue.push d declarationQueue


(** push the declarations  in the corresponding 
    prover and stores them (or their expansed version) into 
    declarationQueue **)
let push_decl _vloc d = 
  add_loc d;
  if (not pruning) && (Options.pruning_hyp_v = -1) then
    begin 
      let pushing = 
	match prover () with
	  | Pvs -> Pvs.push_decl
	  | Coq _ -> Coq.push_decl 
	  | HolLight -> Holl.push_decl 
	  | Mizar -> Mizar.push_decl
	  | Isabelle -> Isabelle.push_decl
	  | Hol4 -> Hol4.push_decl
	  | Gappa -> Gappa.push_decl 
	  | MultiWhy (* // Moy -> Marche NO destroy eclipse plugin
			-> Pretty.push_or_output_decl *)
	  | Why | WhyProject -> Pretty.push_decl ~ergo:false
          | Why3 -> Why3.push_decl
	  | Ergo | MultiAltergo -> Pretty.push_decl ~ergo:true
	  | Dispatcher -> 
(*
	      (fun d ->
		 (* push for Dispatcher, used by Gwhy *)
*)
	      Dispatcher.push_decl
(*
		 if prover ~ignore_gui:true () = WhyProject then
		   (* also push for project, used by GWhy/Coq column *)
		   Pretty.push_decl ~ergo:false d)
*)
	  | Harvey -> Harvey.push_decl
	  | Simplify | Vampire -> Simplify.push_decl
	  | Zenon -> Zenon.push_decl
	  | Z3 -> Z3.push_decl
	  | CVCLite -> Cvcl.push_decl
	  | SmtLib -> Smtlib.push_decl 
      in
      let decl =
	match defExpanding with
	  | NoExpanding -> d
	  | Options.Goal -> PredDefExpansor.push ~recursive_expand:false d 
	  | All -> PredDefExpansor.push ~recursive_expand:true d 
      in
      pushing decl ;
      store_decl_into_a_queue decl 
    end
  else
      let decl =
	match defExpanding with
	  | NoExpanding -> d
	  | Options.Goal -> PredDefExpansor.push ~recursive_expand:false d 
	  | All -> PredDefExpansor.push ~recursive_expand:true d 
      in
      store_decl_into_a_queue decl
	
	
let push_obligations vloc = 
  List.iter 
    (fun (loc,_is_lemma,expl,id,s) -> 
      let (loc,expl,id,s) = 
	if pruning_hyp_v != -1 then 
	  Hypotheses_filtering.reduce (loc, expl, id, s) declarationQueue
	else
	  (loc, expl, id, s)
      in
      push_decl vloc (Dgoal(loc, false, expl, id, generalize_sequent s))
    ) 



let prover_is_coq = match prover () with Coq _ -> true | _ -> false

let push_validation id tt v = 
  if valid && prover_is_coq then Coq.push_validation id tt v

let is_pure_type_scheme s = is_pure_type_v s.scheme_type

let push_parameter id _v tv = match prover () with
  | Coq _ -> 
      if valid then Coq.push_parameter id tv
  | Pvs | HolLight | Isabelle | Hol4 | Mizar
  | Harvey | Simplify | Vampire | Zenon | Z3 | SmtLib | Gappa 
  | CVCLite | Ergo | Why | MultiWhy | MultiAltergo
  | Dispatcher | WhyProject | Why3 ->
      ()

let output is_last fwe =
  if wol then begin
    let cout = Options.open_out_file (fwe ^ ".wol") in
    output_value cout !Vcg.logs;
    Options.close_out_file cout
  end else if ocaml then 
    Pp.print_in_file Ocaml.output (Options.out_file "out")
  else begin match prover () with
    | Pvs -> Pvs.output_file fwe
    | Coq _ -> Coq.output_file is_last fwe
    | HolLight -> Holl.output_file fwe
    | Mizar -> Mizar.output_file fwe    
    | Harvey -> Harvey.output_file fwe
    | Simplify -> Simplify.output_file ~allowedit:true (fwe ^ "_why.sx")
    | Vampire -> Simplify.output_file ~allowedit:true (fwe ^ "_why.vp")
    | CVCLite -> Cvcl.output_file ~allowedit:true (fwe ^ "_why.cvc")
    | Zenon -> Zenon.output_file ~allowedit:true (fwe ^ "_why.znn")
    | Z3 ->  Z3.output_file fwe
    | SmtLib ->  Smtlib.output_file (fwe ^ "_why.smt")
    | Isabelle -> Isabelle.output_file fwe
    | Hol4 -> Hol4.output_file fwe
    | Gappa -> Gappa.output_file (fwe ^ "_why.gappa")
    | Dispatcher -> ()
(*
	if prover (* ~ignore_gui:true*)  () = WhyProject then
	  (* output project, used by GWhy/Coq column *)
	  Options.gui_project := Some(Pretty.output_project fwe)
*)
    | Ergo -> Pretty.output_file ~ergo:true (fwe ^ "_why.why")  
    | Why -> Pretty.output_file ~ergo:false (fwe ^ "_why.why") 
    | Why3 -> Why3.output_file fwe
    | MultiWhy | MultiAltergo -> Pretty.output_files fwe
    | WhyProject -> ignore(Pretty.output_project fwe)
  end



(** This method aims at translating the theory  according to
    the selected encoding  
    @q is the queue of  theory that will be modified
**)
let encode q = 
  let callEncoding d =  match prover () with
    | Pvs -> Pvs.push_decl d
    | Coq _ -> Coq.push_decl d
    | HolLight -> Holl.push_decl d
    | Mizar -> Mizar.push_decl d
    | Isabelle -> Isabelle.push_decl d
    | Hol4 -> Hol4.push_decl d
    | Gappa -> Gappa.push_decl d  
    | Why | MultiWhy | WhyProject -> Pretty.push_decl d
    | Ergo | MultiAltergo -> Pretty.push_decl ~ergo:true d
    | Dispatcher -> Dispatcher.push_decl d      
    | Harvey -> Harvey.push_decl d
    | Simplify -> Simplify.push_decl d
    | Vampire -> Simplify.push_decl d
    | Zenon -> Zenon.push_decl d
    | Z3 -> Z3.push_decl d
    | CVCLite -> Cvcl.push_decl d
    | SmtLib -> Smtlib.push_decl d
    | Why3 -> Why3.push_decl d
  in
  Queue.iter callEncoding q 
 
(*s Processing of a single declaration [let id = p]. *)

let print_if_debug p x = if_debug_3 eprintf "  @[%a@]@." p x

let interp_program loc id p =
  reset_names ();
  let ploc = p.ploc in
  if_verbose_3 eprintf "*** interpreting program %a@." Ident.print id;

  if_debug eprintf "* typing with effects@.";
  let env = Env.empty_progs () in
  let p = Typing.typef Label.empty env p in
  if effect p <> Effect.bottom then
    raise_located ploc (GlobalWithEffects (id, effect p));
  let c = type_c_of_typing_info [] p.info in
  let c = 
    { c with c_post = optpost_app (change_label p.info.t_label "") c.c_post }
  in
  let v = c.c_result_type in
  check_for_not_mutable ploc v;
  Env.add_global id v None;
  print_if_debug print_type_c c;
  print_if_debug print_expr p;
  if type_only then raise Exit;

  if_debug eprintf "* weakest preconditions@.";
  let p,wp = 
    if fast_wp then
      let w = Fastwp.wp p in
      p, Some (wp_named p.info.t_loc w)
    else
      Wp.wp p 
  in
  print_if_debug print_wp wp;

  if wp_only then raise Exit;

  if ocaml then begin Ocaml.push_program id p; raise Exit end;

  (***
      if_debug eprintf "* functionalization@.";
      let ren = initial_renaming env in
      let cc = Mlize.trad p ren in
      if_debug_3 eprintf "  %a@\n  -----@." print_cc_term cc;
      let cc = Red.red cc in
      print_if_debug print_cc_term cc;
  ***)

  if_debug eprintf "* generating obligations@.";
  let ids = Ident.string id in

  let (name,beh,loc) as vloc =
    try 
      let (f,l,b,e,o) = 
	Hashtbl.find locs_table ids 
      in 
      let name = 
	match List.assoc "name" o with
	  | Rc.RCident s -> s
	  | Rc.RCstring s -> s
	  | _ -> raise Not_found		  
      in
      let beh = 
	match List.assoc "behavior" o with
	  | Rc.RCstring s -> s
	  | _ -> raise Not_found		  
      in
      (name,beh,(f,l,b,e))
    with Not_found -> ("function "^ids,"Correctness", Loc.extract loc)
      
  in
  Hashtbl.add program_locs ids vloc;

  (*let ol,v = Vcg.vcg ids cc in*)
  begin match wp with
    | None -> 
	if_debug eprintf "no WP => no obligation@."
    | Some wp -> 
	if_debug eprintf "VCs from WP...@?";
	let ol,pr = Vcg.vcg_from_wp loc ids name beh wp in
	if_debug eprintf "done@.";
	push_obligations vloc ol;
	push_validation (ids ^ "_wp") (TTpred wp.a_value) (CC_hole pr)
  end;

  if valid then
    let ren = initial_renaming env in
    let tt = Monad.trad_type_c ren env c in
    let ren = initial_renaming env in
    let _cc = Red.red (Mlize.trad p ren) in
      Coq.push_parameter (ids ^ "_valid") tt;
(*      Coq.push_program (ids ^ "_functional") tt cc; *)
    (*** TODO
	 push_validation ids tt v;
	 if_verbose_2 eprintf "%d proof obligation(s)@\n@." (List.length ol);
    ***)
    flush stderr

(*s Processing of a program. *)

let add_external loc v id =
  if Env.is_global id then raise_located loc (Clash id);
  Env.add_global_gen id v None

let add_parameter v tv id =
  push_parameter (Ident.string id) v tv

let rec is_a_type_var = function
  | PTvar { type_val = None } -> true
  | PTvar { type_val = Some t } -> is_a_type_var t
  | _ -> false

let rec polymorphic_pure_type = function
  | PTvar { type_val = None } -> true
  | PTexternal (l,_) -> List.exists polymorphic_pure_type l
  | PTint | PTbool | PTreal | PTunit | PTvar _ -> false

let cannot_be_generalized = function
  | Ref _ -> true
  | PureType pt -> is_a_type_var pt
  | Arrow _ -> false

let logic_type_is_var = function
  | Function ([], pt) -> is_a_type_var pt
  | Function _ | Predicate _ -> false

let check_duplicate_params l =
  let rec loop l acc =
    match l with
      | [] -> ()
      | (loc,x,_)::rem ->
	  if Ident.Idset.mem x acc then
	    raise_located loc (ClashParam x)
	  else loop rem (Ident.Idset.add x acc)
  in
  loop l Ident.Idset.empty

let check_duplicate_binders loc ty =
  let rec check acc = function
    | PVpure _ | PVref _ -> ()
    | PVarrow (l, ty) ->
	let rec loop l acc =
	  match l with
	    | [] -> acc
	    | (x,_)::rem when x = Ident.anonymous ->
		loop rem acc
	    | (x,_)::rem ->
		if Ident.Idset.mem x acc then
		  raise_located loc (ClashParam x)
		else loop rem (Ident.Idset.add x acc)
	in
	check (loop l acc) ty.pc_result_type
  in
  check Ident.Idset.empty ty


(** [check_clausal_form loc pi a] checks whether the assertion [a] 
    has a valid clausal form 
      \forall x_1,.., x_k. P1 -> ... -> P_n -> P
    where P is headed by pi and pi has only positive occurrences in P1 .. Pn
*)

let rec occurrences pi a =
  match a with
  | Ptrue | Pfalse -> (0,0)
  | Papp (id, _, _) -> ((if id == pi then 1 else 0),0)
  | Pimplies (_, p1, p2) -> 
      let (pos1,neg1) = occurrences pi p1 in
      let (pos2,neg2) = occurrences pi p2 in
      (neg1+pos2,pos1+neg2)
  | Pand (_, _, p1, p2) -> 
      let (pos1,neg1) = occurrences pi p1 in
      let (pos2,neg2) = occurrences pi p2 in
      (pos1+pos2,neg1+neg2)
  | Pnot p1 -> 
      let (pos1,neg1) = occurrences pi p1 in (neg1,pos1)
  | Forall (_is_wp, _id1, _id2, _typ, _triggers, _p) -> 
      assert false (* TODO *)
      (* occurrences pi p *)
  | Pnamed (_, _) -> assert false (* TODO *)
  | Exists (_, _, _, _)  -> assert false (* TODO *)
  | Forallb (_, _, _)  -> assert false (* TODO *)
  | Piff (_, _) -> assert false (* TODO *)
  | Por (_, _) -> assert false (* TODO *)
  | Pif (_, _, _) -> assert false (* TODO *)
  | Pvar _ -> assert false (* TODO *)
  | Plet _ -> assert false (* TODO *)

let rec check_unquantified_clausal_form loc id a =
  match a with
    | Pimplies (_, p1, p2) -> 
	check_unquantified_clausal_form loc id p2;
	let (_pos1,neg1) = occurrences id p1 in
	if neg1 > 0 then 
	  raise_located loc 
	    (AnyMessage 
               "inductive predicate has a negative occurrence in this case")
    | Papp(pi,_,_) -> 
	if pi != id then
	  raise_located loc 
	    (AnyMessage 
               "head of clause does not contain the inductive predicate")
    | _ -> 
	  raise_located loc 
	    (AnyMessage "this case is not in clausal form")
	

let rec check_clausal_form loc id a =
  match a with
    | Forall (_is_wp, _id1, _id2, _typ, _triggers, p) -> 
	check_clausal_form loc id p
    | _ -> check_unquantified_clausal_form loc id a

let loaded_files = Hashtbl.create 17

let rec interp_decl ?(_prelude=false) d = 
  let lab = Label.empty in
  match d with 
    | Include (loc,s) ->
	let file =
	  if Sys.file_exists s then s else lib_file s
	in
	begin
	  try
	    if Hashtbl.find loaded_files file then ()
	    else raise_located loc 
	      (AnyMessage "circular inclusion")
	  with Not_found ->
	    Hashtbl.add loaded_files file false;
	    load_file file;
	    Hashtbl.add loaded_files file true;	    
	  end
    | Program (loc,id, p) ->
	if Env.is_global id then raise_located p.ploc (Clash id);
	(try interp_program loc id p with Exit -> ())
    | Parameter (loc, ext, ids, v) ->
	let env = Env.empty_progs () in
	check_duplicate_binders loc v;
	let v = Ltyping.type_v loc lab env v in
	if ext && is_mutable v then raise_located loc MutableExternal;
	let gv = Env.generalize_type_v v in
	let v_spec = snd (specialize_type_scheme gv) in
	if not (Vset.is_empty gv.scheme_vars) && cannot_be_generalized v_spec 
	then
	  raise_located loc CannotGeneralize;
	List.iter (add_external loc gv) ids;
	if ext && ocaml_externals || ocaml then 
	  Ocaml.push_parameters ids v_spec;
	if valid && not ext && not (is_mutable v_spec) then begin
	  let tv = Monad.trad_scheme_v (initial_renaming env) env gv in
	  List.iter (add_parameter gv tv) ids
	end
    | Exception (loc, id, v) ->
	let env = Env.empty_progs () in
	if is_exception id then raise_located loc (ClashExn id);
	let v = option_app (Ltyping.pure_type env) v in
	begin match v with
	  | Some pt when polymorphic_pure_type pt ->
	      raise_located loc CannotGeneralize
	  | _ -> () 
	end;
	add_exception id v
    | Logic (loc, ext, ids, t) ->
	let add id =
	  if is_global_logic id then raise_located loc (Clash id);
	  let t = Ltyping.logic_type t in
	  if logic_type_is_var t then raise_located loc CannotGeneralize;
	  let t = generalize_logic_type t in
	  add_global_logic id t;
	  if ext then 
	    begin 
	      Monomorph.add_external id ;
	    end
	  else
	    begin
	      push_decl ("","",Loc.dummy_floc) 
                (Dlogic (Loc.extract loc, id, t));
	    end 
	in
	List.iter add ids
    | Predicate_def (loc, id, pl, p) ->
	let env = Env.empty_logic () in
	if is_global_logic id then raise_located loc (Clash id);
	check_duplicate_params pl;
	let pl = List.map (fun (_,x,t) -> (x, Ltyping.pure_type env t)) pl in
	let t = Predicate (List.map snd pl) in
	let env' = List.fold_right (fun (x,pt) -> add_logic x pt) pl env in
	let p = Ltyping.predicate lab env' p in
	add_global_logic id (generalize_logic_type t);
	let p = generalize_predicate_def (pl,p) in
	push_decl ("","",Loc.dummy_floc) (
	  Dpredicate_def (Loc.extract loc, id, p))
    | Inductive_def(loc,id,t,indcases) ->
	let env = Env.empty_logic () in
	if is_global_logic id then raise_located loc (Clash id);
	let pl = 
	  match Ltyping.logic_type t with
	    | Function _ -> raise_located loc 
                (AnyMessage "only predicates can be inductively defined")
	    | Predicate l -> l
	in
	(* add id first because indcases contain id, without generalization *)
	add_global_logic id (empty_scheme (Predicate pl));
	let l =
	  List.map (fun (loc,i,p) ->
		      let p = Ltyping.predicate lab env p in
		      if is_global_logic i then raise_located loc (Clash i);
		      check_clausal_form loc id p;
		      (i,p))
	    indcases
	in
	let d = generalize_inductive_def (pl,l) in
	push_decl ("","",Loc.dummy_floc) 
	  (Dinductive_def (Loc.extract loc, id, d))
    | Function_def (loc, id, pl, ty, e) ->
	let env = Env.empty_logic () in
	if is_global_logic id then raise_located loc (Clash id);
	check_duplicate_params pl;
	let pl = List.map (fun (_,x,t) -> (x, Ltyping.pure_type env t)) pl in
	let ty = Ltyping.pure_type env ty in
	let t = Function (List.map snd pl, ty) in
	let env' = List.fold_right (fun (x,pt) -> add_logic x pt) pl env in
	let e,ty' = Ltyping.term lab env' e in
	if not (Ltyping.unify ty ty') then 
	  Ltyping.expected_type loc (PureType ty);
	add_global_logic id (generalize_logic_type t);
	let f = generalize_function_def (pl,ty,e) in
	push_decl ("","",Loc.dummy_floc) 
	  (Dfunction_def (Loc.extract loc, id, f))
    | Goal(loc, KAxiom, id, p) ->
	let env = Env.empty_logic () in
	let p = Ltyping.predicate lab env p in
	let p = generalize_predicate p in
	push_decl ("","",Loc.dummy_floc) 
          (Daxiom (Loc.extract loc, Ident.string id, p))

    | Goal(loc, kind, id, p) ->
	let env = Env.empty_logic () in
	let p = Ltyping.predicate lab env p in
	let s = ([], p) in
	let l = 
	  try
	    Util.loc_of_label (Ident.string id)
	  with Not_found -> Loc.extract loc
	in
	let xpl =
	  { lemma_or_fun_name = Ident.string id;
	    behavior = "";
	    vc_loc = l;
	    vc_kind = if kind = KLemma then EKLemma else EKCheck;
            vc_label = None;
	  }
	in
	let (l,xpl,id,s) = 
	  if Options.pruning_hyp_v != -1 then
	    (Hypotheses_filtering.reduce (l, xpl, Ident.string id, s) 
               declarationQueue)
	  else	  
	    (l, xpl, Ident.string id, s) 
	in
	let s= generalize_sequent s in 
	let dg = 
	    Dgoal (l, kind = KLemma, xpl, id, s) 
	in
	let ids = id in
	let vloc =
	  try 
	    let (f,l,b,e,o) = Hashtbl.find locs_table ids in 
	    let name = 
	      match List.assoc "name" o with
		| Rc.RCident s -> s
		| Rc.RCstring s -> s
		| _ -> raise Not_found		  
	    in
	    (name,"Validity",(f,l,b,e))
	  with Not_found -> ("goal "^ids,"Validity", Loc.extract loc)
	in
	Hashtbl.add program_locs ids vloc;
	push_decl ("","",Loc.dummy_floc) dg

    | TypeDecl (loc, ext, vl, id) ->
	Env.add_type loc vl id;
	let vl = List.map Ident.string vl in
	if not ext then 
	  push_decl ("","",Loc.dummy_floc) (Dtype (Loc.extract loc, id, vl))

    | AlgType ls ->
      let ats (loc, vl, id, td) =
        let d = Env.generalize_alg_type (Ltyping.alg_type id vl td) in
        let vs,cs = d.Env.scheme_type in
        let th = PTexternal (vs, id) in
        let add_constructor (c, pl) =
          if is_global_logic c then raise_located loc (Clash c);
          let t = Env.generalize_logic_type (Function (pl,th)) in
          Env.add_global_logic c t;
          let r = ref 1 in
          let add_proj t =
            let pr = Ident.proj_id c !r in
            let pt = Env.generalize_logic_type (Function ([th],t)) in
            if is_global_logic pr then raise_located loc (Clash pr);
            Env.add_global_logic pr pt; incr r
          in
          List.iter add_proj pl;
          c
        in
        Env.set_constructors id (List.map add_constructor cs);
        let mt = Ident.match_id id in
        let nt = PTvar (Env.new_type_var()) in
        let ns = List.map (fun _ -> nt) cs in
        let tm = Env.generalize_logic_type (Function (th::ns,nt)) in
        if is_global_logic mt then raise_located loc (Clash mt);
        Env.add_global_logic mt tm;
        (Loc.extract loc, id, d)
      in
        List.iter (fun (loc, vl, id, _td) -> Env.add_type loc vl id) ls;
        push_decl ("","",Loc.dummy_floc) (Dalgtype (List.map ats ls))

(*s Prelude *)

and load_file ?(_prelude=false) f =
  let c = open_in f in
  let p = Lexer.parse_file (Lexing.from_channel c) in
  List.iter (interp_decl ~_prelude) p;
  close_in c

let load_prelude () =
  try
    List.iter (load_file ~_prelude:true) lib_files_to_load;
    begin match prover () with
      | Simplify | Vampire when no_simplify_prelude -> Simplify.reset ()
      | _ -> ()
    end
  with e ->
    eprintf "anomaly while reading prelude: %a@." Report.explain_exception e;
    exit 1

(*s Processing of a channel / a file. *)

let why_parser f c = 
  let lb = Lexing.from_channel c in
  lb.Lexing.lex_curr_p <- { lb.Lexing.lex_curr_p with Lexing.pos_fname = f };
  Lexer.parse_file lb
    
let deal_channel parsef cin =
  let p = parsef cin in
  if not parse_only then List.iter interp_decl p

let single_file () = match prover () with
  | Simplify | Vampire | Harvey | Zenon | Z3 | CVCLite | Gappa | Dispatcher 
  | SmtLib | Ergo | Why | MultiWhy | MultiAltergo | WhyProject | Why3 -> true
  | Coq _ | Pvs | Mizar | Hol4 | HolLight | Isabelle -> false

let deal_file is_last f =
  reset ();
  let cin = open_in f in 
  deal_channel (why_parser f) cin;
  close_in cin;
  if not type_only then
    let fwe = Filename.chop_extension f in
    if not (single_file ()) then output is_last fwe

let rec iter_with_last f = function
  | [] -> ()
  | [x] -> f true x
  | x::l -> f false x; iter_with_last f l

let delete_old_vcs files =
   let base_name = Filename.chop_extension (last files) in
   let cnt = ref 1 in
   try
      while true do
         let po_name = base_name ^ "_po" ^ string_of_int !cnt ^ ".why" in
         if Sys.file_exists po_name then Sys.remove po_name
         else raise Exit;
         incr cnt;
      done;
   with Exit -> ()


let main () =
  let t0 = Unix.times () in
  load_prelude ();
  if files = [] then 
    begin
      deal_channel (why_parser "standard input") stdin;
      output false "out"
    end 
  else 
    begin
      if Options.delete_old_vcs then delete_old_vcs files;
      iter_with_last deal_file files;
      if type_only then exit 0;
      if (pruning) || (Options.pruning_hyp_v != -1) then
	begin
	  let q =  declarationQueue in 
	  encode q 
	end;
      if single_file () then 
	let lf = Filename.chop_extension (last files) in
	output false lf
    end;
  if show_time then
    let t1 = Unix.times () in
    printf "Why execution time : %3.2f@." 
      (t1.Unix.tms_utime -. t0.Unix.tms_utime)
why-2.39/src/effect.mli0000644000106100004300000000617613147234006013771 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(*s The abstract type of effects. *)

type t

val bottom : t

val add_read  : Ident.t -> t -> t
val add_reads : Ident.set -> t -> t
val add_write : Ident.t -> t -> t
val add_writes : Ident.set -> t -> t
val add_exn : Ident.t -> t -> t
val add_exns : Ident.set -> t -> t
val add_nontermination : t -> t

val get_reads : t -> Ident.t list
val get_writes : t -> Ident.t list
val get_exns : t -> Ident.t list
val get_repr : t -> Ident.t list * Ident.t list * Ident.t list * bool

val is_read  : t -> Ident.t -> bool    (* read-only *)
val is_write : t -> Ident.t -> bool    (* read-write *)
val is_exn : t -> Ident.t -> bool
val is_nonterminating : t -> bool

val union : t -> t -> t

val remove : Ident.t -> t -> t
val remove_exn : Ident.t -> t -> t
val remove_nontermination : t -> t

val keep_writes : t -> t
val erase_exns : t -> t

val occur : Ident.t -> t -> bool

val subst : Logic.var_substitution -> t -> t

open Format

val print : formatter -> t -> unit

why-2.39/src/rename.mli0000644000106100004300000000701713147234006013777 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(* Abstract type for renamings 
 * 
 * Records the names of the mutables objets (ref, arrays) at the different
 * moments of the evaluation, called dates
 *)

type t

type date = string


val empty_ren : t
val update    : t -> date -> Ident.t list -> t
    (* assign new names for the given variables, associated to a new date *)
val next      : t -> Ident.t list -> t
    (* assign new names for the given variables, associated to a new
     * date which is generated from an internal counter *)
val push_date : t -> date -> t
    (* put a new date on top of the stack *)

val valid_date   : date -> t -> bool
val current_date : t -> date
val all_dates    : t -> date list

val current_var  : t -> Ident.t      -> Ident.t
val current_vars : t -> Ident.t list -> (Ident.t * Ident.t) list
    (* gives the current names of some variables *)

val avoid : t -> Ident.set -> t
val fresh : t -> Ident.t -> Ident.t * t
val fresh_many : t -> Ident.t list -> (Ident.t * Ident.t) list * t
    (* introduces new names to avoid and renames some given variables *)

val var_at_date  : t -> date -> Ident.t -> Ident.t
    (* gives the name of a variable at a given date *)
val vars_at_date : t -> date -> Ident.t list
                 -> (Ident.t * Ident.t) list
    (* idem for a list of variables *)  

(* pretty-printers *)

open Format

val print : formatter -> t -> unit
why-2.39/src/hol4.ml0000644000106100004300000002654313147234006013232 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(*s HOL 4 output (contributed by Seungkeol Choe, University of Utah) *)

open Ident
open Misc
open Logic
open Logic_decl
open Format
open Cc
open Pp

type elem = 
  | Obligation of obligation
  | Logic of string * logic_type Env.scheme
  | Axiom of string * predicate Env.scheme
  | Predicate of string * predicate_def Env.scheme

let elem_q = Queue.create ()

let reset () = Queue.clear elem_q

let push_decl = function
  | Dlogic (_, id, t) -> Queue.add (Logic (Ident.string id, t)) elem_q
  | Daxiom (_, id, p) -> Queue.add (Axiom (id, p)) elem_q
  | Dpredicate_def (_, id, p) -> Queue.add (Predicate (Ident.string id, p)) elem_q
  | Dinductive_def(_loc, _ident, _inddef) ->
      failwith "HOL4 output: inductive def not yet supported"
  | Dfunction_def _ -> assert false (*TODO*)
  | Dgoal (loc,is_lemma, expl,id,s) -> 
      Queue.add (Obligation (loc,is_lemma,expl,id,s.Env.scheme_type)) elem_q
  | Dtype _ -> () (* assert false *)
  | Dalgtype _ -> () (* assert false *)

(*s Pretty print *)

let rec print_pure_type fmt = function
  | PTint -> fprintf fmt "int"
  | PTbool -> fprintf fmt "bool"
  | PTunit -> fprintf fmt "one"
  | PTreal -> fprintf fmt "real"
  | PTexternal([v],id) when id==farray -> 
      fprintf fmt "%a warray" print_pure_type v
  | PTexternal([],id) -> Ident.print fmt id
  | PTvar { type_val = Some t} -> fprintf fmt "%a" print_pure_type t
  | PTexternal(_,_)
  | PTvar _ -> failwith "no polymorphism with HOL4 yet"

let prefix_id id =
  (* int cmp *)
  if id == t_lt_int then "int_lt" 
  else if id == t_le_int then "int_le"
  else if id == t_gt_int then "int_gt"
  else if id == t_ge_int then "int_ge"
  else if id == t_eq_int then assert false (* TODO *)
  else if id == t_neq_int then assert false (* TODO *)
  (* real cmp *)
  else if id == t_lt_real then "real_lt" 
  else if id == t_le_real then "real_le"
  else if id == t_gt_real then "real_gt"
  else if id == t_ge_real then "real_ge"
  else if id == t_eq_real then assert false (* TODO *)
  else if id == t_neq_real then assert false (* TODO *)
  (* bool cmp *)
  else if id == t_eq_bool then assert false (* TODO *)
  else if id == t_neq_bool then assert false (* TODO *)
  (* unit cmp *)
  else if id == t_eq_unit then assert false (* TODO *)
  else if id == t_neq_unit then assert false (* TODO *)
  (* int ops *)
  else if id == t_add_int then "int_add"
  else if id == t_sub_int then "int_sub"
  else if id == t_mul_int then "int_mul"
(*
  else if id == t_div_int then assert false (* TODO *)
  else if id == t_mod_int then assert false (* TODO *)
*)
  else if id == t_neg_int then "int_neg"
  (* real ops *)
  else if id == t_add_real then "real_add"
  else if id == t_sub_real then "real_sub"
  else if id == t_mul_real then "real_mul"
  else if id == t_div_real then "real_div"
  else if id == t_neg_real then "real_neg"
  else if id == t_sqrt_real then assert false (* TODO *)
  else if id == t_real_of_int then assert false (* TODO *)
  else assert false

let rec print_term fmt = function
  | Tvar id -> 
      Ident.print fmt id
  | Tconst (ConstInt n) -> 
      fprintf fmt "%s" n
  | Tconst (ConstBool true) -> 
      fprintf fmt "T" 
  | Tconst (ConstBool false) -> 
      fprintf fmt "F" 
  | Tconst ConstUnit -> 
      fprintf fmt "one" 
  | Tconst (ConstFloat c) ->
      Print_real.print_with_integers 
	"(real_of_num %s)" 
	"(real_of_num (%s * %s))"
	"(real_of_num %s / real_of_num %s)" 
	fmt c
  | Tderef _ -> 
      assert false
  (* arithmetic *)
  | Tapp (id, [a; b], _) when id == t_add_int || id == t_add_real ->
      fprintf fmt "(@[%a +@ %a@])" print_term a print_term b
  | Tapp (id, [a; b], _) when id == t_sub_int || id == t_sub_real ->
      fprintf fmt "(@[%a -@ %a@])" print_term a print_term b
  | Tapp (id, [a; b], _) when id == t_mul_int || id == t_mul_real ->
      fprintf fmt "(@[%a *@ %a@])" print_term a print_term b
  | Tapp (id, [a; b], _) when id == t_div_real ->
      fprintf fmt "(@[%a /@ %a@])" print_term a print_term b
  | Tapp (id, [a], _) when id == t_neg_int || id == t_neg_real ->
      fprintf fmt "(@[--%a@])" print_term a
  | Tapp (id, [a; b; c], _) when id == if_then_else -> 
      fprintf fmt "(@[if %a@ then %a@ else %a@])" 
	print_term a print_term b print_term c
  | Tapp (id, tl, _) when is_relation id || is_arith id -> 
      fprintf fmt "(@[%s %a@])" (prefix_id id) print_terms tl
  (* arrays *)
  | Tapp (id, [a; b], _) when id == access ->
      fprintf fmt "(@[access %a (num_of_int %a)@])" print_term a print_term b
  | Tapp (id, [a], _) when id == Ident.array_length ->
      fprintf fmt "(@[%a.length@])" print_term a
  (* any other application *)
  | Tapp (id, tl, _) ->
      fprintf fmt "@[(%a@ %a)@]"
	Ident.print id (print_list space print_term) tl
  | Tnamed (User n, t) ->
      fprintf fmt "@[(* %s: *) %a@]" n print_term t
  | Tnamed (_, t) -> print_term fmt t

and print_terms fmt tl = 
  print_list space print_term fmt tl

let rec print_predicate fmt = function
  | Ptrue ->
      fprintf fmt "T"
  | Pvar id when id == Ident.default_post ->
      fprintf fmt "T"
  | Pfalse ->
      fprintf fmt "F"
  | Pvar id -> 
      fprintf fmt "%a" Ident.print id
  | Papp (id, tl, _) when id == t_distinct ->
      fprintf fmt "@[(%a)@]" print_predicate (Util.distinct tl)
  | Papp (id, [a; b], _) when is_eq id ->
      fprintf fmt "@[(%a =@ %a)@]" print_term a print_term b
  | Papp (id, [a; b], _) when is_neq id ->
      fprintf fmt "@[~(%a =@ %a)@]" print_term a print_term b
  | Papp (id, [a; b], _) when id == t_lt_int || id == t_lt_real ->
      fprintf fmt "@[(%a <@ %a)@]" print_term a print_term b
  | Papp (id, [a; b], _) when id == t_le_int || id == t_le_real ->
      fprintf fmt "@[(%a <=@ %a)@]" print_term a print_term b
  | Papp (id, [a; b], _) when id == t_gt_int || id == t_gt_real ->
      fprintf fmt "@[(%a >@ %a)@]" print_term a print_term b
  | Papp (id, [a; b], _) when id == t_ge_int || id == t_ge_real ->
      fprintf fmt "@[(%a >=@ %a)@]" print_term a print_term b
  | Papp (id, [a; b], _) when id == t_zwf_zero ->
      fprintf fmt "@[((0 <= %a) /\\@ (%a < %a))@]" 
	print_term b print_term a print_term b
  | Papp (id, tl, _) when is_relation id || is_arith id ->
      fprintf fmt "@[(%s %a)@]" (prefix_id id) print_terms tl
  | Papp (id, tl, _) -> 
      fprintf fmt "@[(%a@ %a)@]" Ident.print id print_terms tl
  | Pimplies (_, a, b) ->
      fprintf fmt "(@[%a ==>@ %a@])" print_predicate a print_predicate b
  | Piff (a, b) ->
      fprintf fmt "(@[(@[%a ==>@ %a@]) /\\@ (@[%a ==>@ %a@])@])" 
	print_predicate a print_predicate b
	print_predicate b print_predicate a
  | Pif (a, b, c) ->
      fprintf fmt "(@[if %a@ then %a@ else %a@])" 
	print_term a print_predicate b print_predicate c
  | Pand (_, _, a, b) | Forallb (_, a, b) ->
      fprintf fmt "@[(%a /\\@ %a)@]" print_predicate a print_predicate b
  | Por (a, b) ->
      fprintf fmt "@[(%a \\/@ %a)@]" print_predicate a print_predicate b
  | Pnot a ->
      fprintf fmt "@[~(%a)@]" print_predicate a
  | Forall (_,id,n,t,_,p) -> 
      let id' = next_away id (predicate_vars p) in
      let p' = subst_in_predicate (subst_onev n id') p in
      fprintf fmt "(@[!%s:%a.@ %a@])" (Ident.string id')
	print_pure_type t print_predicate p'
  | Exists (id,n,t,p) -> 
      let id' = next_away id (predicate_vars p) in
      let p' = subst_in_predicate (subst_onev n id') p in
      fprintf fmt "(@[?%s:%a.@ %a@])" (Ident.string id')
	print_pure_type t print_predicate p'
  | Pnamed (User n, p) ->
      fprintf fmt "@[(* %s: *) %a@]" n print_predicate p
  | Pnamed (_, p) -> print_predicate fmt p
  | Plet (_, n, _, t, p) ->
      print_predicate fmt (subst_term_in_predicate n t p)

let print_sequent fmt (hyps,concl) =
  let rec print_seq fmt = function
    | [] ->
	print_predicate fmt concl
    | Svar (id, v) :: hyps -> 
	fprintf fmt "!%a:%a.@\n" Ident.print id print_pure_type v;
	print_seq fmt hyps
    | Spred (_, p) :: hyps -> 
	fprintf fmt "@[%a@] ==>@\n" print_predicate p;
	print_seq fmt hyps
  in
  fprintf fmt "@[%a@]@?" print_seq hyps

(* TODO *)
(* dead code
let print_parameter fmt id _v =
  fprintf fmt "(* parameter %s *);;" id
*)

(* TODO *)
let print_logic fmt id t =
  let _ = Env.specialize_logic_type t in
  fprintf fmt "(* logic %s *);;" id

(* TODO *)
let print_axiom fmt id _v =
  fprintf fmt "(* axiom %s *);;" id

let print_obligation fmt _loc _is_lemma id sq =
(*
  fprintf fmt "@[(* %a *)@]@\n" Loc.report_obligation_position loc;
*)
  fprintf fmt "val %s = Parse.Term `%a`;;@\n@\n" id print_sequent sq

let print_elem fmt = function
  | Obligation (loc, is_lemma, _expl, s, sq) -> 
      print_obligation fmt loc is_lemma s sq
  | Logic (id, t) -> print_logic fmt id t
  | Axiom (id, p) -> print_axiom fmt id p
  | Predicate _ -> assert false (*TODO*)

let print_obl_list fmt = 
  let comma = ref false in
  let print = function
    | Obligation (_,_,_,id,_) -> 
	if !comma then fprintf fmt "; "; fprintf fmt "%s" id; comma := true
    | Axiom _ | Logic _ | Predicate _ -> 
	()
  in
  fprintf fmt "val all = ["; 
  Queue.iter print elem_q;
  fprintf fmt "]@\n"

let output_file fwe =
  let sep = "(* DO NOT EDIT BELOW THIS LINE *)" in
  let file = fwe ^ "_why.ml" in
  do_not_edit_below ~file
    ~before:(fun _ -> ())
    ~sep 
    ~after:(fun fmt ->
	      fprintf fmt "load \"intLib\"; \n intLib.prefer_int();\n\n";
	      Queue.iter (print_elem fmt) elem_q;
	      print_obl_list fmt)
why-2.39/src/predDefExpansor.ml0000644000106100004300000002756413147234006015461 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

open Env
open Ident
open Misc
open Logic 
open Cc 
open Logic_decl

let pred_def = Hashtbl.create 97

let rec subst_in_pure_type st = function
  | PTvar ({ type_val = None } as v) as t ->
      (try Vmap.find v st with Not_found -> t)
  | PTvar { type_val = Some t } ->
      subst_in_pure_type st t
  | PTexternal(l, id) ->
      PTexternal(List.map (subst_in_pure_type st) l, id)
  | PTint | PTreal | PTbool | PTunit as t -> 
      t

let subst_in_instance st = List.map (subst_in_pure_type st)

let rec subst_in_term s st = function
  | Tvar x as t -> 
      (try Idmap.find x s with Not_found -> t)
  | Tapp (x,l,i) -> 
      Tapp (x, List.map (subst_in_term s st) l, subst_in_instance st i)
  | Tconst _ | Tderef _ as t -> 
      t
  | Tnamed(lab,t) -> Tnamed(lab,subst_in_term s st t)

let rec subst_in_predicate s st = function
  | Papp (id, l, i) -> 
      Papp (id, List.map (subst_in_term s st) l, subst_in_instance st i)
  | Pif (a, b ,c) -> 
      Pif (subst_in_term s st a, 
	   subst_in_predicate s st b, 
	   subst_in_predicate s st c)
  | Forall (w, id, b, v, tl, p) -> 
      Forall (w, id, b, subst_in_pure_type st v, 
	      List.map (List.map (subst_in_pattern s st)) tl,
	      subst_in_predicate s st p)
  | Exists (id, b, v, p) ->
      Exists (id, b, subst_in_pure_type st v, subst_in_predicate s st p)
  | p -> 
      map_predicate (subst_in_predicate s st) p

and subst_in_pattern s st = function
  | TPat t -> TPat (subst_in_term s st t)
  | PPat p -> PPat (subst_in_predicate s st p)

let rec expand = function
  | Papp (id, tl, i) as p ->
      begin 
	try
	  let tvars,argl,p = Hashtbl.find pred_def id in
(*
          Format.eprintf "predDefExpansor: expanding def of %s@." (Ident.string id);
*)
	  let st = subst_many argl tl in
	  let sty = List.fold_left2 (fun s v t -> Vmap.add v t s) Vmap.empty tvars i in
	  subst_in_predicate st sty p
	with Not_found ->
(*
          Format.eprintf "predDefExpansor: NOT expanding def of %s@." (Ident.string id);
*)
	  p
      end
  | p -> 
      map_predicate expand p

let expand_inductive_def (t,l) = (t,List.map (fun (id,p) -> (id,expand p)) l)

let expand_sequent ~recursive_expand (ctx,p) =
  let expand_hyp = function
    | Svar _ as h -> h
    | Spred (id, p) -> 
	Spred (id, if recursive_expand then expand p else p)  
  in
  (List.map expand_hyp ctx, expand p)


let push ~recursive_expand decl = 
  match decl with
  | Dpredicate_def (loc, ident, def) ->
      let argl,p = def.scheme_type in
      (*let rootexp = (Papp (Ident.create ident, List.map (fun (i,_) -> Tvar i) argl, [])) in*)
      let p = expand p  in
      let vars = Vset.fold (fun v l -> v :: l) def.scheme_vars [] in
      Hashtbl.add pred_def ident (vars, List.map fst argl, p);
      if recursive_expand then 
	Dlogic (loc, ident, Env.generalize_logic_type (Predicate (List.map snd argl)))
      else
	decl
  | Dinductive_def(loc, ident, def) when recursive_expand -> 
      Dinductive_def(loc,ident,
		     Env.generalize_inductive_def 
		       (expand_inductive_def def.scheme_type))		       
  | Daxiom (loc, ident, ps) when recursive_expand -> 
      Daxiom (loc, ident, Env.generalize_predicate(expand ps.scheme_type)) 
  | Dgoal (loc, is_lemma, expl, ident, ps) ->
      Dgoal (loc, is_lemma, expl, ident, 
	     Env.generalize_sequent (expand_sequent ~recursive_expand ps.scheme_type)) 
  | Dfunction_def _ 
  | Dinductive_def _ 
  | Daxiom _
  | Dtype _ 
  | Dalgtype _
  | Dlogic _ -> decl


(***************
 ad-hoc utilities
**************)

let ah_equal t l r = Papp (t_eq, [l;r], [t])

(* dead code
let ah_exists = List.fold_right (fun (y,t) f -> Util.exists y (Types.PureType t) f)
*)

let ah_forall yv tl f =
  let fall (y,t) (l,f) = ([], Util.forall y (Types.PureType t) ~triggers:l f) in
  snd (List.fold_right fall yv (tl,f))

(***************
 function and predicate definitions
**************)

let function_def loc id d =
  let (vars,(yv,tr,e)) = Env.specialize_function_def d in
  let zv = Ltyping.instance id vars in
  let ts = List.map (fun (_,t) -> t) yv in
  let yt = List.map (fun (y,_) -> Tvar y) yv in
  let lhs = Tapp (id,yt,zv) in
  let body = ah_equal tr lhs e in
  let axiom = ah_forall yv [[TPat lhs]] body in
  let t = Env.generalize_logic_type (Function (ts,tr)) in
  let name = Ident.string id in
  [ Dlogic (loc, id, t);
    Daxiom (loc, name ^ "_def", Env.generalize_predicate axiom) ]

let predicate_def loc id d =
  let (vars,(yv,e)) = Env.specialize_predicate_def d in
  let zv = Ltyping.instance id vars in
  let ts = List.map (fun (_,t) -> t) yv in
  let yt = List.map (fun (y,_) -> Tvar y) yv in
  let lhs = Papp (id,yt,zv) in
  let body = Piff (lhs, e) in
  let axiom = ah_forall yv [[PPat lhs]] body in
  let t = Env.generalize_logic_type (Predicate ts) in
  let name = Ident.string id in
  [ Dlogic (loc, id, t);
    Daxiom (loc, name ^ "_def", Env.generalize_predicate axiom) ]

(***************
 inductive definitions
**************)

(*

inductive id : t1 -> .. -> tn -> prop {

  c_1 : forall x_1,..,x_k : H1 -> .. Hi -> id(e_1,..,e_n)

| ...

| c_j

}

gives (j+1) axioms : j direct axioms

a_1 : forall x_1,..,x_k : H1 -> .. Hi -> id(e_1,..,e_n)
..
a_j : ...

and one inversion axiom :

forall y_1:t_1,..,y_n:t_n, id(y_1,..,y_n) ->

  exists x_1,..,x_k: H1 /\ ... /\ Hi /\ y_1 = e1 /\ .. /\ y_n = e_n

\/

  ...

*)

let inductive_inverse_body id yv cases =
  let eq_and (y,t) e = Misc.pand (ah_equal t (Tvar y) e) in
  let rec invert = function
    | Forall(_w,id,n,t,_trig,p) -> Exists(id,n,t,invert p)
    | Pimplies(_w,h,p) -> Misc.pand h (invert p)
    | Papp(f,l,_) when f == id -> List.fold_right2 eq_and yv l Ptrue
    | _ -> assert false (* ill-formed, should have been catch by typing *)
  in
  List.fold_right (fun (_,c) -> Misc.por (invert c)) cases Pfalse

let inversion_axiom id zv bl cases =
  let yv = List.map (fun t -> (fresh_var(),t)) bl in
  let yt = List.map (fun (y,_) -> Tvar y) yv in
  let lhs = Papp (id,yt,zv) in
  let body = inductive_inverse_body id yv cases in
  ah_forall yv [[PPat lhs]] (Pimplies (false, lhs, body))

let inductive_def loc id d =
  let (vars,(bl,cases)) = Env.specialize_inductive_def d in
  let zv = Ltyping.instance id vars in
  let t = Env.generalize_logic_type (Predicate bl) in
  let name = Ident.string id in
  Dlogic(loc,id,t)::
    (Daxiom(loc,name ^ "_inversion",
	    Env.generalize_predicate (inversion_axiom id zv bl cases)))::
    (List.map
       (fun (id,p) ->
	  let p = Env.generalize_predicate p in
	  Daxiom(loc,Ident.string id,p)) cases)

(***************
 algebraic types
**************)

let fresh_cons zv id pl =
  let yv = List.map (fun t -> (fresh_var (),t)) pl in
  let yt = List.map (fun (y,_) -> Tvar y) yv in
  (yv, Tapp (id,yt,zv))

let find_global_logic_gen id =
  let _,t = find_global_logic id in
  generalize_logic_type t

let alg_proj_fun loc zv (id,pl) =
  let r = ref 1 in
  let yv,ct = fresh_cons zv id pl in
  let proj (v,t) =
    let nm = Ident.proj_id id !r in
    let head = Tapp (nm, [ct], zv) in
    let body = ah_equal t head (Tvar v) in
    let body = ah_forall yv [[TPat ct]] body in
    let pred = Env.generalize_predicate body in
    let () = incr r in
    Dlogic (loc, nm, find_global_logic_gen nm) ::
      Daxiom (loc, Ident.string nm ^ "_def", pred) :: []
  in
  List.concat (List.map proj yv)

let alg_inversion_axiom loc id zv th cs =
  let x = fresh_var () in
  let inv_cons acc (id,pl) =
    let r = ref 1 in
    let targ _ =
      let nm = Ident.proj_id id !r in
      let () = incr r in
      Tapp (nm, [Tvar x], zv)
    in
    let ct = Tapp (id, List.map targ pl, zv) in
    Misc.por acc (ah_equal th (Tvar x) ct)
  in
  let body = List.fold_left inv_cons Pfalse cs in
  let body = Util.forall x (Types.PureType th) body in
  let pred = Env.generalize_predicate body in
  Daxiom (loc, Ident.string id ^ "_inversion", pred)

let alg_match_fun_axiom loc id zv cs =
  let nm = Ident.match_id id in
  let nt = PTvar (new_type_var ()) in
  let vs = List.map (fun _ -> (fresh_var (), nt)) cs in
  let ts = List.map (fun (v,_) -> Tvar v) vs in
  let axiom (id,pl) v =
    let yv,ct = fresh_cons zv id pl in
    let head = Tapp (nm, ct::ts, nt::zv) in
    let body = ah_equal nt head v in
    let body = ah_forall (vs @ yv) [[TPat head]] body in
    let pred = Env.generalize_predicate body in
    Daxiom (loc, Ident.string nm ^ "_" ^ Ident.string id, pred)
  in
  Dlogic (loc, nm, find_global_logic_gen nm) ::
    List.map2 axiom cs ts

let alg_to_int_fun_axiom loc id zv th cs =
  let cpt = ref 0 in
  let ty = Function ([th], PTint) in
  let nm = Ident.create (Ident.string id ^ "_to_int") in
  let axiom (id,pl) =
    let yv,ct = fresh_cons zv id pl in
    let lst = Tapp (nm, [ct], zv) in
    let rst = Tconst (ConstInt (string_of_int !cpt)) in
    let body = Papp (t_eq_int,[lst;rst],[]) in
    let body = ah_forall yv [[TPat ct]] body in
    let pred = Env.generalize_predicate body in
    incr cpt;
    Daxiom (loc, Ident.string nm ^ "_" ^ Ident.string id, pred)
  in
  Dlogic (loc, nm, Env.generalize_logic_type ty) ::
    List.map axiom cs

let algebraic_type_single (loc,id,d) =
  let vars,(vs,cs) = Env.specialize_alg_type d in
  let zv = Ltyping.instance id vars in
  let th = PTexternal (vs, id) in
  List.map (fun (c,_) ->
      Dlogic (loc, c, find_global_logic_gen c)) cs @
    alg_match_fun_axiom loc id zv cs @
    List.concat (List.map (alg_proj_fun loc zv) cs) @
    alg_inversion_axiom loc id zv th cs ::
    alg_to_int_fun_axiom loc id zv th cs
(*
    List.map (alg_cons_injective_axiom loc zv th)
      (List.filter (fun (_,pl) -> pl <> []) cs)
*)

let algebraic_type_decl (loc,id,d) =
  let string_of_var = function
    | PTvar v -> "a" ^ (string_of_int v.tag)
    | _ -> assert false
  in
  let vs, _ = d.Env.scheme_type in
  Dtype (loc, id, List.map string_of_var vs)

let algebraic_type ls =
  List.map algebraic_type_decl ls @
  List.concat (List.map algebraic_type_single ls)

why-2.39/src/util.mli0000644000106100004300000002047613147234006013511 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



open Cc
open Logic
open Types
open Ast
open Env

val erase_label : string -> predicate -> predicate
val change_label : string -> string -> predicate -> predicate
val put_label_term : local_env -> string -> term -> term
val put_label_predicate : local_env -> string -> predicate -> predicate

val traverse_binders : local_env -> (type_v binder) list -> local_env
val initial_renaming : local_env -> Rename.t

val apply_term : 
  Rename.t -> local_env -> term -> term
val apply_assert : 
  Rename.t -> local_env -> Types.assertion -> Types.assertion
val a_apply_assert : 
  Rename.t -> local_env -> assertion -> assertion
val apply_post : 
  label -> Rename.t -> local_env -> Types.postcondition -> Types.postcondition
val a_apply_post : 
  label -> Rename.t -> local_env -> postcondition -> postcondition

val oldify : local_env -> Effect.t -> term -> term
val type_c_subst_oldify : local_env -> Ident.t -> term -> type_c -> type_c

val is_reference : local_env -> Ident.t -> bool
val predicate_now_refs : local_env -> predicate -> Ident.set
val predicate_refs : local_env -> predicate -> Ident.set
val term_now_refs : local_env -> term -> Ident.set
val term_refs : local_env -> term -> Ident.set
val post_refs : local_env -> postcondition -> Ident.set

val deref_type : type_v -> pure_type
val dearray_type : type_v -> pure_type

val decomp_type_c : type_c -> 
  (Ident.t * type_v) * Effect.t * 
  Types.precondition list * Types.postcondition option
val decomp_kappa : typing_info -> 
  (Ident.t * type_v) * Effect.t * Ast.postcondition option

val equality : term -> term -> predicate
val tequality : type_v -> term -> term -> predicate

val distinct : term list -> predicate


val  split_one : Logic.predicate list ->
  int -> Logic.predicate -> Logic.predicate list
val  split : context_element list ->
  (unit -> Ident.t) -> context_element list -> context_element list
val  intros : context_element list ->
  predicate -> (unit -> Ident.t) -> bool -> context_element list * Logic.predicate
  
val decomp_boolean : postcondition -> predicate * predicate

val effect : typed_expr -> Effect.t
val post : typed_expr -> postcondition option
val result_type : typed_expr -> type_v
val result_name : typing_info -> Ident.t

val erase_exns : typing_info -> typing_info

val forall : 
  ?is_wp:is_wp -> Ident.t -> type_v -> ?triggers:triggers 
  -> predicate -> predicate
val foralls : ?is_wp:is_wp -> (Ident.t * type_v) list -> predicate -> predicate
val exists : Ident.t -> type_v -> predicate -> predicate

(* more efficient version when there are many variables *)
val foralls_many : 
  ?is_wp:is_wp -> (Ident.t * type_v) list -> predicate -> predicate

val plet : Ident.t -> pure_type -> term -> predicate -> predicate

(* versions performing simplifcations *)
val pforall : ?is_wp:is_wp -> Ident.t -> type_v -> predicate -> predicate
val pexists : Ident.t -> type_v -> predicate -> predicate

(* decomposing universal quantifiers, renaming variables on the fly *)

val decomp_forall : 
  ?ids:Ident.set -> predicate -> (Ident.t * pure_type) list * predicate

(*s Occurrences *)

val occur_term : Ident.t -> term -> bool
val occur_predicate : Ident.t -> predicate -> bool
val occur_assertion : Ident.t -> assertion -> bool
val occur_post : Ident.t -> postcondition option -> bool
val occur_type_v : Ident.t -> type_v -> bool
val occur_type_c : Ident.t -> type_c -> bool

(*s Functions to translate array operations *)

val array_info : 
  local_env -> Ident.t -> pure_type

val make_raw_access :
  local_env -> Ident.t * Ident.t -> term -> term

val make_raw_store :
  local_env -> Ident.t * Ident.t -> term -> term -> term

val make_pre_access :
  local_env -> Ident.t -> term -> predicate

(*s AST builders for program transformation *)

val make_lnode : 
  Loc.position -> typing_info Ast.t_desc ->
  local_env -> type_c -> typed_expr
val make_var : 
  Loc.position -> Ident.t -> type_v -> local_env -> typed_expr
val make_expression :
  Loc.position -> term -> type_v -> local_env -> typed_expr
val make_annot_bool :
  Loc.position -> bool -> local_env -> typed_expr
val make_void :
  Loc.position -> local_env -> typed_expr
val make_raise :
  Loc.position -> Ident.t -> type_v -> local_env -> typed_expr

val change_desc : 'a Ast.t -> 'a Ast.t_desc -> 'a Ast.t

val force_post :
  local_env -> postcondition option -> typed_expr -> typed_expr

val create_postval : predicate -> assertion option

val create_post : predicate -> (assertion * 'b list) option

(* explanations *)

val loc_of_label: string -> Loc.floc

val cook_explanation : 
    string option -> raw_vc_explain ->
       Logic_decl.expl_kind * Loc.floc * string option

val program_locs : (string,(string * string * Loc.floc)) Hashtbl.t

val explanation_table : (int,Cc.raw_vc_explain) Hashtbl.t

val reg_explanation : Cc.raw_vc_explain -> Logic.term_label

(*s Pretty printers. *)

open Format

val print_pred_binders : bool ref

val print_scheme : (formatter -> 'a -> unit) -> formatter -> 'a scheme -> unit

val print_type_var : formatter -> type_var -> unit
val print_pure_type : formatter -> pure_type -> unit
val print_instance : formatter -> instance -> unit
val print_logic_type : formatter -> logic_type -> unit

val print_term : formatter -> term -> unit
val print_predicate : formatter -> predicate -> unit
(*
val raw_loc : ?pref:string -> formatter -> Loc.floc -> unit
val print_explanation : formatter -> ((*Loc.floc * *) Logic_decl.vc_expl) -> unit
*)
val print_assertion : formatter -> assertion -> unit
val print_wp : formatter -> assertion option -> unit

val print_type_v : formatter -> type_v -> unit
val print_type_c : formatter -> type_c -> unit
val print_typing_info : formatter -> typing_info -> unit
val print_expr : formatter -> typed_expr -> unit

val print_cc_type : formatter -> Cc.cc_type -> unit
val print_cc_term : formatter -> ('a * predicate) Cc.cc_term -> unit
val print_cc_pattern : formatter -> Cc.cc_pattern -> unit

val print_subst : formatter -> substitution -> unit
val print_cc_subst : formatter -> ('a * predicate) Cc.cc_term Ident.map -> unit

val print_env : formatter -> local_env -> unit

val print_ptree : formatter -> Ptree.parsed_program -> unit
val print_pfile : formatter -> Ptree.decl list -> unit

val print_decl : formatter -> Logic_decl.t -> unit

why-2.39/src/coq.mli0000644000106100004300000000565313147234006013316 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



open Cc

val reset : unit -> unit
val push_decl : Logic_decl.t -> unit
val push_validation : string -> cc_type -> validation -> unit
val push_program : string -> cc_type -> cc_functional_program -> unit
val push_parameter : string -> cc_type -> unit
val output_file : bool -> string -> unit

(* exported for the GUI *)

val prefix_id : Ident.t -> string
val pprefix_id : Ident.t -> string
val infix_relation : Ident.t -> string


val print_predicate_v8 : Format.formatter -> Logic.predicate -> unit
val print_cc_type_v8 : Format.formatter -> Cc.cc_type -> unit
val print_binder_v8 : Format.formatter -> Cc.cc_binder -> unit
val print_binder_type_v8 : Format.formatter -> Cc.cc_binder -> unit
val print_term_v8 : Format.formatter -> Logic.term -> unit
why-2.39/src/pretty.ml0000644000106100004300000003464613147234006013716 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



open Format
open Pp
open Ident
open Options
open Misc
open Logic
open Logic_decl

let reset = Encoding.reset

let ergo = ref false

let push_decl ?(ergo=false) d =
  if ergo
  then Encoding.push ~encode_preds:false ~encode_funs:false d
  else Encoding.push ~encode_preds:false ~encode_funs:false
    ~encode_inductive:false ~encode_algtype:false d

let iter = Encoding.iter

let ident fmt id =
  let s = Ident.string id in
  let s = if s = "farray" then "why__farray" else s in (* Alt-ergo keyword *)
  pp_print_string fmt s

let type_vars = Hashtbl.create 17

let type_var fmt n =
  try
    fprintf fmt "'a%d" (Hashtbl.find type_vars n)
  with Not_found ->
    assert false

let specialize s =
  Hashtbl.clear type_vars;
  let n = ref 0 in
  Env.Vset.iter
    (fun tv -> incr n; Hashtbl.add type_vars tv.tag !n) s.Env.scheme_vars;
  s.Env.scheme_type

let rec pure_type fmt = function
  | PTint -> fprintf fmt "int"
  | PTbool -> fprintf fmt "bool"
  | PTunit -> fprintf fmt "unit"
  | PTreal -> fprintf fmt "real"
  | PTexternal ([],id) -> fprintf fmt "%a" ident id
  | PTvar {tag=t; type_val=None} -> type_var fmt t
  | PTvar {tag=_t; type_val=Some pt} -> pure_type fmt pt
  | PTexternal ([t],id) ->
      fprintf fmt "%a %a" pure_type t ident id
  | PTexternal (l,id) -> fprintf fmt "(%a) %a"
      (print_list comma pure_type) l ident id

let rec term fmt = function
  | Tconst (ConstInt n) ->
      fprintf fmt "%s" n
  | Tconst (ConstBool b) ->
      fprintf fmt "%b" b
  | Tconst ConstUnit ->
      fprintf fmt "void"
  | Tconst (ConstFloat c) ->
      Print_real.print fmt c
  | Tvar id | Tderef id | Tapp (id, [], _) ->
      ident fmt id
  | Tapp (id, [t1; t2], _) when id == t_add_int || id == t_add_real ->
      fprintf fmt "(%a + %a)" term t1 term t2
  | Tapp (id, [t1; t2], _) when id == t_sub_int || id == t_sub_real ->
      fprintf fmt "(%a - %a)" term t1 term t2
  | Tapp (id, [t1; t2], _) when id == t_mul_int || id == t_mul_real ->
      fprintf fmt "(%a * %a)" term t1 term t2
(*
  | Tapp (id, [t1; t2], _) when id == t_div_int ->
      if !ergo then
        fprintf fmt "computer_div(%a,%a)" term t1 term t2
      else
        fprintf fmt "(%a / %a)" term t1 term t2
*)
(*
  | Tapp (id, [t1; t2], _) when id == t_mod_int ->
      if !ergo then
        fprintf fmt "computer_mod(%a,%a)" term t1 term t2
      else
        fprintf fmt "(%a %% %a)" term t1 term t2
*)
  | Tapp (id, [t1], _) when id == t_neg_int || id == t_neg_real ->
      fprintf fmt "(-%a)" term t1
  | Tapp (id, tl, _) ->
      fprintf fmt "%a(%a)" ident id (print_list comma term) tl
  | Tnamed (User n, t) ->
      fprintf fmt "@[(%S:@ %a)@]" n term t
  | Tnamed (_, t) -> term fmt t

let int_relation_string id =
  if id == t_lt_int then "<"
  else if id == t_le_int then "<="
  else if id == t_gt_int then ">"
  else if id == t_ge_int then ">="
  else assert false

let real_relation_string id =
  if id == t_lt_real then "<"
  else if id == t_le_real then "<="
  else if id == t_gt_real then ">"
  else if id == t_ge_real then ">="
  else assert false

let rec predicate fmt = function
  | Pvar id | Papp (id, [], _) ->
      ident fmt id
  | Papp (id, [t1; t2], _) when is_eq id ->
      fprintf fmt "(%a = %a)" term t1 term t2
  | Papp (id, [t1; t2], _) when is_neq id ->
      fprintf fmt "(%a <> %a)" term t1 term t2
  | Papp (id, [t1; t2], _) when is_int_comparison id ->
      fprintf fmt "(%a %s %a)" term t1 (int_relation_string id) term t2
  | Papp (id, [t1; t2], _) when is_real_comparison id ->
      fprintf fmt "(%a %s %a)" term t1 (real_relation_string id) term t2
  | Papp (id, [a;b], _) when id == t_zwf_zero ->
      fprintf fmt "@[((0 <= %a) and@ (%a < %a))@]" term b term a term b
  | Papp (id, [_t], _) when id == well_founded ->
      fprintf fmt "@[false (* was well_founded(...) *)@]"
  | Papp (id, l, _) ->
      fprintf fmt "%s(%a)" (Ident.string id) (print_list comma term) l
  | Ptrue ->
      fprintf fmt "true"
  | Pfalse ->
      fprintf fmt "false"
  | Pimplies (_, a, b) ->
      fprintf fmt "(@[%a ->@ %a@])" predicate a predicate b
  | Piff (a, b) ->
      fprintf fmt "(@[%a <->@ %a@])" predicate a predicate b
  | Pif (a, b, c) ->
      fprintf fmt "(@[if %a then@ %a else@ %a@])"
	term a predicate b predicate c
  | Pand (_, _, a, b) ->
      fprintf fmt "(@[%a and@ %a@])" predicate a predicate b
  | Forallb (_, ptrue, pfalse) ->
      fprintf fmt "(@[forallb(%a,@ %a)@])"
	predicate ptrue predicate pfalse
  | Por (a, b) ->
      fprintf fmt "(@[%a or@ %a@])" predicate a predicate b
  | Pnot a ->
      fprintf fmt "(not %a)" predicate a
  | Forall (_,id,n,v,tl,p) ->
      let id = next_away id (predicate_vars p) in
      let s = subst_onev n id in
      let p = subst_in_predicate s p in
      let tl = List.map (List.map (subst_in_pattern s)) tl in
      fprintf fmt "@[(forall %a:%a%a.@ %a)@]"
	ident id pure_type v print_triggers tl predicate p
  | Exists (id,n,v,p) ->
      let id = next_away id (predicate_vars p) in
      let p = subst_in_predicate (subst_onev n id) p in
      fprintf fmt "@[(exists %a:%a.@ %a)@]"
	ident id pure_type v predicate p
  | Plet (id, n, _, t, p) ->
      if false then  (* TODO: alt-ergo has no let support yet. *)
        let id = next_away id (predicate_vars p) in
        let p = subst_in_predicate (subst_onev n id) p in
        fprintf fmt "@[(let %a = %a in@ %a)@]"
	  ident id term t predicate p
      else
        let p = tsubst_in_predicate (subst_one n t) p in
        fprintf fmt "@[%a@]" predicate p
  | Pnamed (User n, p) ->
      fprintf fmt "@[(%S:@ %a)@]" n predicate p
  | Pnamed (_, p) -> predicate fmt p

and print_pattern fmt = function
  | TPat t -> term fmt t
  | PPat p -> predicate fmt p

and print_triggers fmt l =
  let l =
    if !ergo then
      List.rev
        (List.fold_left 
           (fun acc pl ->
             let pl = List.fold_left 
               (fun acc p ->
                 match p with
                   | PPat(Papp (id, _, _)) when is_eq id -> acc
                   | _ -> p::acc)
               [] pl
             in
             match pl with [] -> acc | _ -> (List.rev pl)::acc)
           [] l)
    else l
  in
  match l with
  | [] -> ()
  | _ ->
      fprintf fmt " [%a]" (print_list alt (print_list comma print_pattern)) l

let sequent fmt (ctx, p) =
  let context fmt = function
    | Cc.Svar (id, pt) ->
	fprintf fmt "forall %a:%a." ident id pure_type pt
    | Cc.Spred (_, p) ->
	fprintf fmt "@[%a ->@]" predicate p
  in
  print_list newline context fmt ctx;
  if ctx <> [] then fprintf fmt "@\n";
  predicate fmt p

let logic_binder fmt (id, pt) =
  fprintf fmt "%a: %a" ident id pure_type pt

let logic_type fmt = function
  | Predicate [] ->
      fprintf fmt "prop"
  | Function ([], pt) ->
      fprintf fmt "%a" pure_type pt
  | Predicate ptl ->
      fprintf fmt "%a -> prop" (print_list comma pure_type) ptl
  | Function (ptl, pt) ->
      fprintf fmt "%a -> %a" (print_list comma pure_type) ptl pure_type pt

let type_parameters fmt l =
  let type_var fmt id = fprintf fmt "'%s" id in
  match l with
  | [] -> ()
  | [id] -> fprintf fmt "%a " type_var id
  | l -> fprintf fmt "(%a) " (print_list comma type_var) l

let alg_type_parameters fmt = function
  | [] -> ()
  | [id] -> fprintf fmt "%a " pure_type id
  | l -> fprintf fmt "(%a) " (print_list comma pure_type) l

let alg_type_constructor fmt (c,pl) =
  match pl with
  | [] -> fprintf fmt "| %a" ident c
  | _  -> fprintf fmt "| %a (@[%a@])" ident c
            (print_list comma pure_type) pl

let alg_type_single fmt (_, id, d) =
  let vs,cs = specialize d in
  fprintf fmt "@[%a%a@] =@\n  @[%a@]"
    alg_type_parameters vs ident id
    (print_list newline alg_type_constructor) cs

let decl fmt d =
  match d with
  | Dtype (_, id, pl) ->
      fprintf fmt "@[type %a%a@]" type_parameters pl ident id
  | Dalgtype ls ->
      let andsep fmt () = fprintf fmt "@\n and " in
      fprintf fmt "@[type %a@]" (print_list andsep alg_type_single) ls
  | Dlogic (_, id, lt) ->
      let lt = specialize lt in
      fprintf fmt "@[logic %a : %a@]" ident id logic_type lt
  | Dpredicate_def (_, id, def) ->
      let bl,p = specialize def in
      fprintf fmt "@[predicate %a(%a) =@ %a@]" ident id
	(print_list comma logic_binder) bl predicate p
  | Dinductive_def (_, id, indcases) ->
      let bl,l = specialize indcases in
      fprintf fmt
	"@[inductive %a: @[%a -> prop@] =@\n  @[%a@]@\n@\n@]"
	ident id
	(print_list comma pure_type) bl
	(print_list newline
	   (fun fmt (id,p) -> fprintf fmt "@[| %a: %a@]" ident id predicate p)) l
  | Dfunction_def (_, id, def) ->
      let bl,pt,t = specialize def in
      fprintf fmt "@[function %a(%a) : %a =@ %a@]" ident id
	(print_list comma logic_binder) bl pure_type pt term t
  | Daxiom (_, id, p) ->
      let p = specialize p in
      fprintf fmt "@[axiom %s:@ %a@]" id predicate p
  | Dgoal (_, is_lemma, _, id, sq) ->
      let sq = specialize sq in
      if !ergo then
	begin
	  fprintf fmt "@[goal %s:@\n%a@]" id sequent sq;
	  if is_lemma then
	    fprintf fmt "@\n@\n@[axiom %s_as_axiom:@\n%a@]" id sequent sq
	end
      else
	fprintf fmt "@[%s %s:@\n%a@]"
	  (if is_lemma then "lemma" else "goal")
	  id sequent sq

let decl fmt d = fprintf fmt "@[%a@]@\n@\n" decl d

let print_file ~ergo:b fmt =
  ergo := b;
  iter (decl fmt);
  ergo := false

let print_trace fmt id expl =
  fprintf fmt "[%s]@\n" id;
  Explain.print fmt expl;
  fprintf fmt "@\n"

(* dead code
let print_traces fmt =
  iter
    (function
       | Dgoal (_loc, _, expl, id, _) -> print_trace fmt id ((*loc,*)expl)
       | _ -> ())
*)

let output_file ~ergo f =
  print_in_file (print_file ~ergo) (Options.out_file f)
(* cannot work as is, pb with temp files
  if explain_vc && not ergo then
    print_in_file print_traces (Options.out_file (f ^ ".xpl"))
*)

let output_files f =
  eprintf "Starting Multi-Why output with basename %s@." f;
  let po = ref 0 in
  print_in_file
    (fun ctxfmt ->
       iter
	 (function
	    | Dgoal (_loc,_,expl,id,_) as d ->
		incr po;
		let fpo = f ^ "_po" ^ string_of_int !po ^ ".why" in
		print_in_file (fun fmt -> decl fmt d) fpo;
		if explain_vc then
		  let ftr = f ^ "_po" ^ string_of_int !po ^ ".xpl" in
		  print_in_file (fun fmt -> print_trace fmt id ((*loc,*)expl)) ftr
	    | d ->
		decl ctxfmt d))
    (f ^ "_ctx.why");
  eprintf "Multi-Why output done@."

let push_or_output_decl =
  let po = ref 0 in
  function d ->
    match d with
      | Dgoal (_loc,_is_lemma,expl,id,_) as d ->
	  incr po;
	  let fpo = Options.out_file (id ^ ".why") in
	  print_in_file (fun fmt -> decl fmt d) fpo;
	  if explain_vc then
	    let ftr = Options.out_file (id ^ ".xpl") in
	    print_in_file (fun fmt -> print_trace fmt id ((*loc,*)expl)) ftr
      | d -> push_decl d

module SMap = Map.Make(String)

let output_project f =
  let po = ref 0 in
  let lemmas = ref [] in
  let functions = ref SMap.empty in
  print_in_file
    (fun ctxfmt ->
       iter
	 (function
	    | Dgoal (_,_is_lemma,e,_id,_) as d ->
		incr po;
		let fpo = f ^ "_po" ^ string_of_int !po ^ ".why" in
		print_in_file (fun fmt -> decl fmt d) fpo;
		begin
		  match e.vc_kind with
		    | EKLemma ->
			lemmas := (e,fpo) :: !lemmas;
		    | _ ->
			let fn = e.lemma_or_fun_name in
			let behs =
			  try SMap.find fn !functions
			  with Not_found -> SMap.empty
			in
			let vcs =
			  try SMap.find e.behavior behs
			  with Not_found -> []
			in
			let behs =
			  SMap.add e.behavior ((e,fpo)::vcs) behs
			in
			functions := SMap.add fn behs !functions;
		end
	    | d ->
		decl ctxfmt d))
    (f ^ "_ctx.why");
  Hashtbl.iter
    (fun _key (fn,_beh,_loc) ->
       try
	 let _ = SMap.find fn !functions in ()
       with Not_found ->
	 functions := SMap.add fn SMap.empty !functions)
    Util.program_locs ;
  let p = Project.create (Filename.basename f) in
  Project.set_project_context_file p (f ^ "_ctx.why");
  List.iter
    (fun (expl,fpo) ->
       let n = expl.lemma_or_fun_name in
       let _ = Project.add_lemma p n expl fpo in ())
    !lemmas;
  SMap.iter
    (fun fname behs ->
       let floc =
	 try
	   let (_,_,floc) = Hashtbl.find Util.program_locs fname in
	   floc
	 with Not_found -> Loc.dummy_floc
       in
       let f = Project.add_function p fname floc in
       SMap.iter
	 (fun beh vcs ->
	    let be = Project.add_behavior f beh floc in
	    List.iter
	      (fun (expl,fpo) ->
		 let _ = Project.add_goal be expl fpo in ())
	      vcs)
	 behs)
    !functions;
  Project.save p f;
  p
why-2.39/src/coq.ml0000644000106100004300000012345013147234006013141 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



open Options
open Logic
open Logic_decl
open Vcg
open Ident
open Util
open Format
open Misc
open Cc
open Pp

(* common to V7 and V8 *)

let is_coq_keyword =
  let ht = Hashtbl.create 50  in
  List.iter (fun kw -> Hashtbl.add ht kw ())
    ["at"; "cofix"; "exists2"; "fix"; "IF"; "mod"; "Prop";
     "return"; "Set"; "Type"; "using"; "where"];
  Hashtbl.mem ht

let rename s = if is_coq_keyword s then "why__" ^ s else s
let idents fmt s = fprintf fmt "%s" (rename s)
let ident fmt id = fprintf fmt "%s" (rename (Ident.string id))

let rec print_pure_type fmt = function
  | PTint -> fprintf fmt "Z"
  | PTbool -> fprintf fmt "bool"
  | PTunit -> fprintf fmt "unit"
  | PTreal -> fprintf fmt "R"
  | PTexternal ([v], id) when id == farray ->
      fprintf fmt "(array %a)" print_pure_type v
  | PTexternal([],id) -> ident fmt id
  | PTexternal(l,id) ->
      fprintf fmt "(%a %a)"
      ident id (print_list space print_pure_type) l
  | PTvar { type_val = Some t} ->
      fprintf fmt "%a" print_pure_type t
  | PTvar v ->
      fprintf fmt "A%d" v.tag

let instance = print_list space print_pure_type

let prefix_id id =
  (* int cmp *)
  if id == t_lt_int then "Z_lt_ge_bool"
  else if id == t_le_int then "Z_le_gt_bool"
  else if id == t_gt_int then "Z_gt_le_bool"
  else if id == t_ge_int then "Z_ge_lt_bool"
  else if id == t_eq_int then "Z_eq_bool"
  else if id == t_neq_int then "Z_noteq_bool"
  (* real cmp *)
  else if id == t_lt_real then "R_lt_ge_bool"
  else if id == t_le_real then "R_le_gt_bool"
  else if id == t_gt_real then "R_gt_le_bool"
  else if id == t_ge_real then "R_ge_lt_bool"
  else if id == t_eq_real then "R_eq_bool"
  else if id == t_neq_real then "R_noteq_bool"
  (* bool cmp *)
  else if id == t_eq_bool then "B_eq_bool"
  else if id == t_neq_bool then "B_noteq_bool"
  (* unit cmp *)
  else if id == t_eq_unit then "U_eq_bool"
  else if id == t_neq_unit then "U_noteq_bool"
  (* int ops *)
  else if id == t_add_int then "Zplus"
  else if id == t_sub_int then "Zminus"
  else if id == t_mul_int then "Zmult"
(*
  else if id == t_div_int then "Zdiv"
  else if id == t_mod_int then "Zmod"
*)
  else if id == t_neg_int then "Zopp"
  (* real ops *)
  else if id == t_add_real then "Rplus"
  else if id == t_sub_real then "Rminus"
  else if id == t_mul_real then "Rmult"
  else if id == t_div_real then "Rdiv"
  else if id == t_neg_real then "Ropp"
  else if id == t_sqrt_real then "sqrt"
  else if id == t_real_of_int then "IZR"
  else if id == t_int_of_real then "int_of_real"
  else assert false

let infix_relation id =
       if id == t_lt_int then "<"
  else if id == t_le_int then "<="
  else if id == t_gt_int then ">"
  else if id == t_ge_int then ">="
  else if id == t_eq_int then "="
  else if id == t_neq_int then "<>"
  else assert false

let pprefix_id id =
  if id == t_lt_real then "Rlt"
  else if id == t_le_real then "Rle"
  else if id == t_gt_real then "Rgt"
  else if id == t_ge_real then "Rge"
  else assert false

let rec collect_app l = function
  | CC_app (e1, e2) -> collect_app (e2 :: l) e1
  | p -> p :: l

let print_binder_id fmt (id,_) = ident fmt id

let collect_lambdas x =
  let rec collect bl = function
    | CC_lam (b,c) -> collect (b :: bl) c
    | c -> List.rev bl, c
  in
  collect [] x

(* printers for Coq V7 *)

let inz = ref 0
let openz fmt = if !inz == 0 then fprintf fmt "`@["; incr inz
let closez fmt = decr inz; if !inz == 0 then fprintf fmt "@]`"

let print_term_v7 fmt t =
  let rec print0 fmt = function
    | Tapp (id, [a;b], _) when is_relation id ->
	fprintf fmt "(@[%s@ %a@ %a@])" (prefix_id id)
	print1 a print1 b
    | t ->
	print1 fmt t
  and print1 fmt = function
    | Tapp (id, [a;b], _) when id == t_add_int ->
	openz fmt; fprintf fmt "%a +@ %a" print1 a print2 b; closez fmt
    | Tapp (id, [a;b], _) when id == t_sub_int ->
	openz fmt; fprintf fmt "%a -@ %a" print1 a print2 b; closez fmt
    | t ->
	print2 fmt t
  and print2 fmt = function
    | Tapp (id, [a;b], _) when id == t_mul_int ->
	openz fmt; fprintf fmt "%a *@ %a" print2 a print3 b; closez fmt
(*
    | Tapp (id, [a;b], _) when id == t_div_int ->
	fprintf fmt "(@[Zdiv %a@ %a@])" print3 a print3 b
    | Tapp (id, [a;b], _) when id == t_mod_int ->
	fprintf fmt "(@[Zmod %a@ %a@])" print3 a print3 b
*)
    | t ->
	print3 fmt t
  and print3 fmt = function
    | Tconst (ConstInt n) ->
	openz fmt; fprintf fmt "%s" n; closez fmt
    | Tconst (ConstBool b) ->
	fprintf fmt "%b" b
    | Tconst ConstUnit ->
	fprintf fmt "tt"
    | Tconst (ConstFloat _) ->
	assert (!inz == 0); (* TODO: reals inside integer expressions *)
	failwith "real constants not supported with Coq V7"
    | Tvar id when id == implicit ->
	fprintf fmt "?"
    | Tvar id when id == t_zwf_zero ->
	fprintf fmt "(Zwf ZERO)"
    | Tvar id | Tapp (id, [], []) ->
	ident fmt id
    | Tapp (id, [], i) ->
	fprintf fmt "(@[@@%a %a@])" ident id instance i
    | Tderef _ ->
	assert false
    | Tapp (id, [t], _) when id == t_neg_int ->
	openz fmt; fprintf fmt "(-%a)" print3 t; closez fmt
    | Tapp (id, [_;_], _) as t when is_relation id || is_int_arith_binop id ->
	fprintf fmt "@[(%a)@]" print0 t
    | Tapp (id, [a; b; c], _) when id == if_then_else ->
	(* was print0 instead of print3, was wrong because printed
	     if_then_else (x < y) y-x x-y
	   missing parentheses
	*)
	fprintf fmt "(@[if_then_else %a@ %a@ %a@])" print3 a print3 b print3 c
    | Tapp (id, tl, _) when id == t_zwf_zero ->
	fprintf fmt "(@[Zwf 0 %a@])" print_terms tl
    | Tapp (id, tl, _) when is_relation id || is_arith id ->
	fprintf fmt "(@[%s@ %a@])" (prefix_id id) print_terms tl
    | Tapp (id, tl, _) ->
	fprintf fmt "(@[%a@ %a@])" ident id print_terms tl
    | Tnamed (User n, t) ->
	fprintf fmt "@[((* %s *)@ %a)@]" n print3 t
    | Tnamed (_, t) -> print3 fmt t
  and print_terms fmt tl =
    print_list space print0 fmt tl
  in
  print0 fmt t

let print_predicate_v7 fmt p =
  let rec print0 fmt = function
    | Pif (a, b, c) ->
	fprintf fmt "(@[if %a@ then %a@ else %a@])"
	  print_term_v7 a print0 b print0 c
    | Pimplies (_, a, b) ->
	fprintf fmt "(@[%a ->@ %a@])" print1 a print0 b
    | Piff (a, b) ->
	fprintf fmt "(@[%a <->@ %a@])" print1 a print0 b
    | p -> print1 fmt p
  and print1 fmt = function
    | Por (a, b) -> fprintf fmt "%a \\/@ %a" print2 a print1 b
    | p -> print2 fmt p
  and print2 fmt = function
    | Pand (_, _, a, b) | Forallb (_, a, b) ->
        fprintf fmt "%a /\\@ %a" print3 a print2 b
    | p -> print3 fmt p
  and print3 fmt = function
    | Ptrue ->
	fprintf fmt "True"
    | Pvar id when id == Ident.default_post ->
	fprintf fmt "True"
    | Pfalse ->
	fprintf fmt "False"
    | Pvar id ->
	ident fmt id
    | Papp (id, tl, _) when id == t_distinct ->
	fprintf fmt "@[(%a)@]" print0 (Util.distinct tl)
    | Papp (id, [t], _) when id == well_founded ->
	fprintf fmt "@[(well_founded %a)@]" print_term_v7 t
    | Papp (id, [a;b], _) when id == t_zwf_zero ->
	fprintf fmt "(Zwf `0` %a %a)" print_term_v7 a print_term_v7 b
    | Papp (id, [a;b], _) when is_int_comparison id ->
	openz fmt;
	fprintf fmt "%a %s@ %a"
	  print_term_v7 a (infix_relation id) print_term_v7 b;
	closez fmt
    | Papp (id, [a;b], _) when id == t_eq_real ->
	fprintf fmt "(@[eqT R %a %a@])" print_term_v7 a print_term_v7 b
    | Papp (id, [a;b], _) when id == t_neq_real ->
	fprintf fmt "~(@[eqT R %a %a@])" print_term_v7 a print_term_v7 b
    | Papp (id, [a;b], _) when is_eq id ->
	fprintf fmt "@[%a =@ %a@]" print_term_v7 a print_term_v7 b
    | Papp (id, [a;b], _) when is_neq id ->
	fprintf fmt "@[~(%a =@ %a)@]" print_term_v7 a print_term_v7 b
    | Papp (id, [a;b], _) when is_real_comparison id ->
	fprintf fmt "(@[%s %a %a@])"
	(pprefix_id id) print_term_v7 a print_term_v7 b
    | Papp (id, l, _) ->
	fprintf fmt "(@[%a %a@])" ident id
	  (print_list space print_term_v7) l
    | Pnot p ->
	fprintf fmt "~%a" print3 p
    | Forall (_,id,n,t,_,p) ->
	let id' = next_away id (predicate_vars p) in
	let p' = subst_in_predicate (subst_onev n id') p in
	fprintf fmt "(@[(%a:%a)@ %a@])" ident id'
	  print_pure_type t print0 p'
    | Exists (id,n,t,p) ->
	let id' = next_away id (predicate_vars p) in
	let p' = subst_in_predicate (subst_onev n id') p in
	fprintf fmt "(@[EX %a:%a |@ %a@])" ident id'
	  print_pure_type t print0 p'
    | Pnamed (User n, p) ->
	fprintf fmt "@[((* %s *)@ %a)@]" n print3 p
    | Pnamed (_, p) -> print3 fmt p
    | Plet (_, x, _, t, p) -> print3 fmt (subst_term_in_predicate x t p)
    | (Por _ | Piff _ | Pand _ | Pif _ | Pimplies _ | Forallb _) as p ->
	fprintf fmt "(%a)" print0 p
  in
  print0 fmt p

let rec print_cc_type_v7 fmt = function
  | TTpure pt ->
      print_pure_type fmt pt
  | TTarray v ->
      fprintf fmt "(@[array@ %a@])" print_cc_type_v7 v
  | TTlambda (b, t) ->
      fprintf fmt "[%a]@,%a" print_binder_v7 b print_cc_type_v7 t
(*i***
  | TTarrow ((id, CC_var_binder t1), t2) when not (occur_cc_type id t2) ->
      fprintf fmt "%a -> %a" print_cc_type t1 print_cc_type t2
***i*)
  | TTarrow (b, t) ->
      fprintf fmt "(%a)@,%a" print_binder_v7 b print_cc_type_v7 t
  | TTtuple ([_,CC_var_binder t], None) ->
      print_cc_type_v7 fmt t
  | TTtuple (bl, None) ->
      fprintf fmt "(@[tuple_%d@ %a@])" (List.length bl)
	(print_list space print_binder_type_v7) bl
  | TTtuple (bl, Some q) ->
      fprintf fmt "(@[sig_%d@ %a@ %a(%a)@])" (List.length bl)
	(print_list space print_binder_type_v7) bl
	(print_list nothing
	   (fun fmt b -> fprintf fmt "[%a]@," print_binder_v7 b)) bl
	print_cc_type_v7 q
  | TTpred p ->
      print_predicate_v7 fmt p
  | TTapp (tt, l) ->
      fprintf fmt "(@[%a@ %a@])" print_cc_type_v7 tt
	(print_list space print_cc_type_v7) l
  | TTterm t ->
      print_term_v7 fmt t
  | TTSet ->
      fprintf fmt "Set"

and print_binder_v7 fmt (id,b) =
  ident fmt id;
  match b with
    | CC_pred_binder p -> fprintf fmt ": %a" print_predicate_v7 p
    | CC_var_binder t -> fprintf fmt ": %a" print_cc_type_v7 t
    | CC_untyped_binder -> ()

and print_binder_type_v7 fmt = function
  | _, CC_var_binder t -> print_cc_type_v7 fmt t
  | _ -> assert false


let print_sequent_v7 fmt (hyps,concl) =
  let rec print_seq fmt = function
    | [] ->
	print_predicate_v7 fmt concl
    | Svar (id, v) :: hyps ->
	fprintf fmt "(%a: @[%a@])@\n" ident id print_pure_type v;
	print_seq fmt hyps
    | Spred (id, p) :: hyps ->
	fprintf fmt "(%a: @[%a@])@\n" ident id print_predicate_v7 p;
	print_seq fmt hyps
  in
  fprintf fmt "@[%a@]@?" print_seq hyps

let print_lambdas_v7 = print_list semi print_binder_v7

let rec print_gen_cc_term_v7 print_hole fmt t =
  let print_cc_term_v7 = print_gen_cc_term_v7 print_hole in
    match t with
      | CC_var id ->
 	  ident fmt id
      | CC_lam _ as t ->
	  let bl,c = collect_lambdas t in
	    fprintf fmt "@[[@[%a@]]@,%a@]"
	      print_lambdas_v7 bl print_cc_term_v7 c
      | CC_app (f,a) ->
	  let tl = collect_app [a] f in
	    fprintf fmt "@[(%a)@]" (print_list space print_cc_term_v7) tl
      | CC_tuple (cl, None) ->
	  fprintf fmt "(Build_tuple_%d %a)" (List.length cl)
	    (print_list space print_cc_term_v7) cl
      | CC_tuple (cl, Some q) ->
	  fprintf fmt "(exist_%d %a %a)" (List.length cl - 1)
	    print_cc_type_v7 q (print_list space print_cc_term_v7) cl
	    (* special treatment for the if-then-else *)
      | CC_letin (_, bl, e1,
		  CC_if (CC_var idb,
			 CC_lam ((idt, CC_pred_binder _), brt),
			 CC_lam ((idf, CC_pred_binder _), brf)))
	  when annotated_if idb bl ->
	  let qb, q = annotation_if bl in
	    fprintf fmt "@[@[let (%a) =@ %a in@]@\n@[Cases@ (@[btest@ @[[%a:bool]@,%a@] %a@ %a@]) of@]@\n| @[(left %a) =>@ %a@]@\n| @[(right %a) =>@ %a@] end@]"
	      (print_list comma print_binder_id) bl print_cc_term_v7 e1
	      ident idb print_predicate_v7 q ident idb ident qb
	      ident idt print_cc_term_v7 brt
	      ident idf print_cc_term_v7 brf
	      (* non-dependent boolean if-then-else (probably not of use) *)
      | CC_if (b,e1,e2) ->
	  fprintf fmt "@[if "; print_cc_term_v7 fmt b; fprintf fmt " then@\n  ";
	  hov 0 fmt (print_cc_term_v7 fmt) e1;
	  fprintf fmt "@\nelse@\n  ";
	  hov 0 fmt (print_cc_term_v7 fmt) e2;
	  fprintf fmt "@]"
      | CC_case (e, pl) ->
	  let print_case_v7 fmt (p,e) =
	    fprintf fmt "@[| %a =>@ %a@]"
	      print_cc_pattern p print_cc_term_v7 e
	  in
	    fprintf fmt "@[Cases %a of@\n%a@\nend@]" print_cc_term_v7 e
	      (print_list newline print_case_v7) pl
      | CC_letin (_,[id,_],c,c1) ->
	  fprintf fmt "@[@[let %a =@ %a in@]@\n%a@]"
	    ident id print_cc_term_v7 c print_cc_term_v7 c1
      | CC_letin (_,bl,c,c1) ->
	  fprintf fmt "@[@[let (%a) =@ %a in@]@\n%a@]"
	    (print_list comma print_binder_id) bl
	    print_cc_term_v7 c print_cc_term_v7 c1
      | CC_term c ->
	  fprintf fmt "@[%a@]" print_term_v7 c
       | CC_hole pr ->
 	  print_hole fmt pr
      | CC_type t ->
	  print_cc_type_v7 fmt t
      | CC_any _ ->
	  Report.raise_unlocated
	    (Error.AnyMessage "can't produce a validation for an incomplete program")

let rec print_proof_v7 fmt = function
  | Lemma (s, []) ->
      fprintf fmt "%s" s
  | Lemma (s, vl) ->
      fprintf fmt "@[(%s %a)@]" s (print_list space ident) vl
  | True ->
      fprintf fmt "I"
  | Reflexivity t ->
      fprintf fmt "@[(refl_equal ? %a)@]" print_term_v7 t
  | Assumption id ->
      ident fmt id
  | Proj1 id ->
      fprintf fmt "@[(proj1 ? ? %a)@]" ident id
  | Proj2 id ->
      fprintf fmt "@[(proj2 ? ? %a)@]" ident id
  | Conjunction (id1, id2) ->
      fprintf fmt "@[(conj ? ? %a %a)@]" ident id1 ident id2
  | WfZwf t ->
      fprintf fmt "(Zwf_well_founded %a)" print_term_v7 t
  | Loop_variant_1 (h, h') ->
      fprintf fmt "(loop_variant_1 %a %a)" ident h ident h'
  | Absurd h ->
      fprintf fmt "(False_ind ? %a)" ident h
  | ProofTerm t ->
      fprintf fmt "@[%a@]" print_cc_term_v7 t
  | ShouldBeAWp ->
      Report.raise_unlocated
	(Error.AnyMessage "can't produce a validation for an incomplete program")

and print_cc_term_v7 x = print_gen_cc_term_v7 print_proof_v7 x

let print_cc_functional_program_v7 =
  print_gen_cc_term_v7 (fun fmt (_loc, p) -> print_predicate_v7 fmt p)

(* printers for Coq V8 *)

let print_term_v8 fmt t =
  let rec print0 fmt = function
    | Tapp (id, [a;b], _) when is_relation id ->
	fprintf fmt "(@[%s@ %a@ %a@])" (prefix_id id)
	print3 a print3 b
    | t ->
	print1 fmt t
  and print1 fmt = function
    | Tapp (id, [a;b], _) when id == t_add_int ->
	fprintf fmt "%a +@ %a" print1 a print2 b
    | Tapp (id, [a;b], _) when id == t_sub_int ->
	fprintf fmt "%a -@ %a" print1 a print2 b
    | t ->
	print2 fmt t
  and print2 fmt = function
    | Tapp (id, [a;b], _) when id == t_mul_int ->
	fprintf fmt "%a *@ %a" print2 a print3 b
(*
    | Tapp (id, [a;b], _) when id == t_div_int ->
	fprintf fmt "(@[Zdiv %a@ %a@])" print3 a print3 b
    | Tapp (id, [a;b], _) when id == t_mod_int ->
	fprintf fmt "(@[Zmod %a@ %a@])" print3 a print3 b
*)
    | t ->
	print3 fmt t
  and print3 fmt = function
    | Tconst (ConstInt n) ->
	fprintf fmt "%s" n
    | Tconst (ConstBool b) ->
	fprintf fmt "%b" b
    | Tconst ConstUnit ->
	fprintf fmt "tt"
    | Tconst (ConstFloat c) ->
	Print_real.print_with_integers
	  "(%s)%%R" "(%s * %s)%%R" "(%s / %s)%%R" fmt c
    | Tvar id when id == implicit ->
	fprintf fmt "?"
    | Tvar id when id == t_zwf_zero ->
	fprintf fmt "(Zwf Z0)"
    | Tvar id | Tapp (id, [], []) ->
	ident fmt id
    | Tapp (id, [], i) ->
	fprintf fmt "(@[@@%a %a@])" ident id instance i
    | Tderef _ ->
	assert false
    | Tapp (id, [a; Tapp (id', [b], _)], _)
      when id == t_pow_real && id' == t_real_of_int ->
	fprintf fmt "(@[powerRZ@ %a@ %a@])" print3 a print3 b
    | Tapp (id, [a;b], _) when id == t_pow_real ->
	fprintf fmt "(@[Rpower@ %a@ %a@])" print3 a print3 b
    | Tapp (id, [a], _) when id == t_abs_real ->
	fprintf fmt "(@[Rabs@ %a@])" print3 a
    | Tapp (id, [t], _) when id == t_neg_int ->
	begin
	  (* special case for -constant to avoid extra "simpl" *)
	  match t with
	    | Tconst (ConstInt n) -> fprintf fmt "(-%s)" n
	    | _ -> fprintf fmt "(Zopp@ %a)" print3 t
	end
    | Tapp (id, [_;_], _) as t when is_relation id || is_int_arith_binop id ->
	fprintf fmt "@[(%a)@]" print0 t
    | Tapp (id, [a; b; c], _) when id == if_then_else ->
	fprintf fmt "(@[if_then_else %a@ %a@ %a@])" print0 a print0 b print0 c
    | Tapp (id, tl, _) when id == t_zwf_zero ->
	fprintf fmt "(@[Zwf 0 %a@])" print_terms tl
    | Tapp (id, tl, _) when is_relation id || is_arith id ->
	fprintf fmt "(@[%s@ %a@])" (prefix_id id) print_terms tl
    | Tapp (id, tl, _) ->
	fprintf fmt "(@[%a@ %a@])" ident id print_terms tl
    | Tnamed (User n, t) ->
	fprintf fmt "@[((* %s *)@ %a)@]" n print3 t
    | Tnamed (_, t) -> print3 fmt t
  and print_terms fmt tl =
    print_list space print3 fmt tl
  in
  print3 fmt t

let print_predicate_v8 fmt p =
  let rec print0 fmt = function
    | Pif (a, b, c) ->
	fprintf fmt "(@[if %a@ then %a@ else %a@])"
	  print_term_v8 a print0 b print0 c
    | Pimplies (_, a, b) ->
	fprintf fmt "(@[%a ->@ %a@])" print1 a print0 b
    | Piff (a, b) ->
	fprintf fmt "(@[%a <->@ %a@])" print1 a print0 b
    | p -> print1 fmt p
  and print1 fmt = function
    | Por (a, b) -> fprintf fmt "%a \\/@ %a" print2 a print1 b
    | p -> print2 fmt p
  and print2 fmt = function
    | Pand (_, _, a, b) | Forallb (_, a, b) ->
        fprintf fmt "%a /\\@ %a" print3 a print2 b
    | p -> print3 fmt p
  and print3 fmt = function
    | Ptrue ->
	fprintf fmt "True"
    | Pvar id when id == Ident.default_post ->
	fprintf fmt "True"
    | Pfalse ->
	fprintf fmt "False"
    | Pvar id ->
	ident fmt id
    | Papp (id, tl, _) when id == t_distinct ->
	fprintf fmt "@[(%a)@]" print0 (Util.distinct tl)
    | Papp (id, [t], _) when id == well_founded ->
	fprintf fmt "@[(well_founded %a)@]" print_term_v8 t
    | Papp (id, [a;b], _) when id == t_zwf_zero ->
	fprintf fmt "(Zwf 0 %a %a)" print_term_v8 a print_term_v8 b
    | Papp (id, [a;b], _) when is_int_comparison id ->
	fprintf fmt "%a %s@ %a"
	  print_term_v8 a (infix_relation id) print_term_v8 b
    | Papp (id, [a;b], _) when id == t_eq_real ->
	fprintf fmt "(@[eq %a %a@])" print_term_v8 a print_term_v8 b
    | Papp (id, [a;b], _) when id == t_neq_real ->
	fprintf fmt "~(@[eq %a %a@])" print_term_v8 a print_term_v8 b
    | Papp (id, [a;b], _) when is_eq id ->
	fprintf fmt "@[%a =@ %a@]" print_term_v8 a print_term_v8 b
    | Papp (id, [a;b], _) when is_neq id ->
	fprintf fmt "@[~(%a =@ %a)@]" print_term_v8 a print_term_v8 b
    | Papp (id, [a;b], _) when is_real_comparison id ->
	fprintf fmt "(@[%s@ %a@ %a@])"
	(pprefix_id id) print_term_v8 a print_term_v8 b
    | Papp (id, l, _) ->
	fprintf fmt "(@[%a@ %a@])" ident id
	  (print_list space print_term_v8) l
    | Pnot p ->
	fprintf fmt "~%a" print3 p
    | Forall (_,id,n,t,_,p) ->
	let id' = next_away id (predicate_vars p) in
	let p' = subst_in_predicate (subst_onev n id') p in
	fprintf fmt "(@[forall (%a:%a),@ %a@])" ident id'
	  print_pure_type t print0 p'
    | Exists (id,n,t,p) ->
	let id' = next_away id (predicate_vars p) in
	let p' = subst_in_predicate (subst_onev n id') p in
	fprintf fmt "(@[exists %a:%a,@ %a@])" ident id'
	  print_pure_type t print0 p'
    | Pnamed (User n, p) ->
	fprintf fmt "@[(* %s *)@ %a@]" n print3 p
    | Pnamed (_, p) -> print3 fmt p
    | Plet (id, n, _pt, t, p) ->
	let id' = next_away id (predicate_vars p) in
	let p' = subst_in_predicate (subst_onev n id') p in
	fprintf fmt "@[@[let %a :=@ %a in@]@\n%a@]"
	  ident id' print_term_v8 t print0 p'
    | (Por _ | Piff _ | Pand _ | Pif _ | Pimplies _ | Forallb _) as p -> 
	fprintf fmt "(%a)" print0 p
  in
  print0 fmt p

let rec print_cc_type_v8 fmt = function
  | TTpure pt -> 
      print_pure_type fmt pt
  | TTarray v -> 
      fprintf fmt "(@[array@ %a@])" print_cc_type_v8 v
  | TTlambda (b, t) ->
      fprintf fmt "(@[fun %a =>@ %a@])" print_binder_v8 b print_cc_type_v8 t
(*i***
  | TTarrow ((id, CC_var_binder t1), t2) when not (occur_cc_type id t2) -> 
      fprintf fmt "%a -> %a" print_cc_type t1 print_cc_type t2
***i*)
  | TTarrow (b, t) -> 
      fprintf fmt "forall %a,@ %a" print_binder_v8 b print_cc_type_v8 t
  | TTtuple ([_,CC_var_binder t], None) -> 
      print_cc_type_v8 fmt t
  | TTtuple (bl, None) ->
      fprintf fmt "(@[tuple_%d@ %a@])" (List.length bl) 
	(print_list space print_binder_type_v8) bl
  | TTtuple (bl, Some q) -> 
      fprintf fmt "(@[sig_%d@ %a@ (@[fun %a =>@ (%a)@])@])" (List.length bl)
	(print_list space print_binder_type_v8) bl 
	(print_list nothing 
	   (fun fmt b -> fprintf fmt "%a@ " print_binder_v8 b)) bl
	print_cc_type_v8 q
  | TTpred p ->
      print_predicate_v8 fmt p
  | TTapp (tt, l) ->
      fprintf fmt "(@[%a@ %a@])" print_cc_type_v8 tt
	(print_list space print_cc_type_v8) l
  | TTterm t ->
      print_term_v8 fmt t
  | TTSet ->
      fprintf fmt "Set"

and print_binder_v8 fmt (id,b) = match b with
  | CC_pred_binder p ->
      fprintf fmt "(%a: %a)" ident id print_predicate_v8 p
  | CC_var_binder t ->
      fprintf fmt "(%a: %a)" ident id print_cc_type_v8 t
  | CC_untyped_binder ->
      ident fmt id

and print_binder_type_v8 fmt = function
  | _, CC_var_binder t -> print_cc_type_v8 fmt t
  | _ -> assert false


let print_sequent_v8 fmt (hyps,concl) =
  let rec print_seq fmt = function
    | [] ->
	print_predicate_v8 fmt concl
    | Svar (id, v) :: hyps ->
	fprintf fmt "forall (%a: @[%a@]),@\n"
	ident id print_pure_type v;
	print_seq fmt hyps
    | Spred (id, p) :: hyps ->
	fprintf fmt "forall (%a: @[%a@]),@\n"
	ident id print_predicate_v8 p;
	print_seq fmt hyps
  in
  fprintf fmt "@[%a@]@?" print_seq hyps

let print_lambdas_v8 = print_list space print_binder_v8

let rec print_gen_cc_term_v8 print_hole fmt t =
  let print_cc_term_v8 = print_gen_cc_term_v8 print_hole in
    match t with
      | CC_var id ->
	  ident fmt id
      | CC_lam _ as t ->
	  let bl,c = collect_lambdas t in
	    fprintf fmt "(@[fun @[%a@] =>@ %a@])"
	      print_lambdas_v8 bl print_cc_term_v8 c
      | CC_app (f,a) ->
	  let tl = collect_app [a] f in
	    (match tl with
	       | [CC_term (Tapp (f, [t], _)); CC_lam (x, u)] when f = nt_bind ->
		   fprintf fmt "@[@[do %s <- @[(%a);@] @ @] @\n %a @]"
		     (Ident.string (fst x)) print_cc_term_v8
		     (CC_term t) print_cc_term_v8 u
	       | [CC_term (Tvar f); t; CC_lam (x, u) ]
	       | [CC_var f; t; CC_lam (x, u) ] when f = nt_bind ->
		   fprintf fmt "@[@[do %s <- @[(%a);@] @ @] @\n %a @]"
		     (Ident.string (fst x)) print_cc_term_v8
		     t print_cc_term_v8 u
	       | tl ->
		   fprintf fmt "@[(%a)@]"
		     (print_list_par space print_cc_term_v8) tl)
      | CC_tuple (cl, None) ->
	  fprintf fmt "(Build_tuple_%d %a)" (List.length cl)
	    (print_list_par space print_cc_term_v8) cl
      | CC_tuple (cl, Some q) ->
	  fprintf fmt "(exist_%d %a %a)" (List.length cl - 1)
	    print_cc_type_v8 q (print_list_par space print_cc_term_v8) cl
	    (* special treatment for the if-then-else *)
      | CC_letin (_, bl, e1,
		  CC_if (CC_var idb,
			 CC_lam ((idt, CC_pred_binder _), brt),
			 CC_lam ((idf, CC_pred_binder _), brf)))
	  when annotated_if idb bl ->
	  let qb, q = annotation_if bl in
	    fprintf fmt "@[@[let (%a) :=@ %a in@]@\n@[match@ (@[btest@ (@[fun (%a:bool) =>@ %a@]) %a@ %a@]) with@]@\n| @[(left %a) =>@ %a@]@\n| @[(right %a) =>@ %a@] end@]"
	      (print_list comma print_binder_id) bl print_cc_term_v8 e1
	      ident idb print_predicate_v8 q ident idb ident qb
	      ident idt print_cc_term_v8 brt
	      ident idf print_cc_term_v8 brf
	      (* non-dependent boolean if-then-else (probably not of use) *)
      | CC_if (b,e1,e2) ->
	  fprintf fmt "@[if "; print_cc_term_v8 fmt b; fprintf fmt " then@\n  ";
	  hov 0 fmt (print_cc_term_v8 fmt) e1;
	  fprintf fmt "@\nelse@\n  ";
	  hov 0 fmt (print_cc_term_v8 fmt) e2;
	  fprintf fmt "@]"
      | CC_case (e, pl) ->
	  let print_case_v8 fmt (p,e) =
	    fprintf fmt "@[| %a =>@ %a@]"
	      print_cc_pattern p print_cc_term_v8 e
	  in
	    fprintf fmt "@[match %a with@\n%a@\nend@]" print_cc_term_v8 e
	      (print_list newline print_case_v8) pl
      | CC_letin (_,[id,_],c,c1) ->
	  fprintf fmt "@[@[let %a :=@ %a in@]@\n%a@]"
	    ident id print_cc_term_v8 c print_cc_term_v8 c1
      | CC_letin (_,bl,c,c1) ->
	  fprintf fmt "@[@[let (%a) :=@ %a in@]@\n%a@]"
	    (print_list comma print_binder_id) bl
	    print_cc_term_v8 c print_cc_term_v8 c1
      | CC_term c ->
	  fprintf fmt "@[%a@]" print_term_v8 c
      | CC_hole pr ->
	  print_hole fmt pr
      | CC_type t ->
	  print_cc_type_v8 fmt t
      | CC_any _ ->
	  Report.raise_unlocated
	    (Error.AnyMessage "can't produce a validation for an incomplete program")

let rec print_proof_v8 fmt = function
  | Lemma (s, []) ->
      fprintf fmt "%s" s
  | Lemma (s, vl) ->
      fprintf fmt "@[(%s %a)@]" s (print_list space ident) vl
  | True ->
      fprintf fmt "I"
  | Reflexivity t ->
      fprintf fmt "@[(refl_equal %a)@]" print_term_v8 t
  | Assumption id ->
      ident fmt id
  | Proj1 id ->
      fprintf fmt "@[(proj1 %a)@]" ident id
  | Proj2 id ->
      fprintf fmt "@[(proj2 %a)@]" ident id
  | Conjunction (id1, id2) ->
      fprintf fmt "@[(conj %a %a)@]" ident id1 ident id2
  | WfZwf t ->
      fprintf fmt "(Zwf_well_founded %a)" print_term_v8 t
  | Loop_variant_1 (h, h') ->
      fprintf fmt "(loop_variant_1 %a %a)" ident h ident h'
  | Absurd h ->
      fprintf fmt "(False_ind _ %a)" ident h
  | ProofTerm t ->
      fprintf fmt "@[%a@]" print_cc_term_v8 t
  | ShouldBeAWp ->
      if debug then Report.raise_unlocated (Error.AnyMessage "should be a WP");
      Report.raise_unlocated
	(Error.AnyMessage "can't produce a validation for an incomplete program")

and print_cc_term_v8 x = print_gen_cc_term_v8 print_proof_v8 x

let print_cc_functional_program_v8 =
  print_gen_cc_term_v8 (fun fmt (_loc, p) -> print_predicate_v8 fmt p)

(* printers selection *)

let v8 = match prover () with Coq V8 | Coq V81 -> true | _ -> false

let v81 = match prover () with Coq V81 -> true | _ -> false

(* totally ugly. To improve if the hack of Dp_hint makes it in official why*)
(* workaround against the fact that coq seems to not export
   Dp_hints when a Require Export is made... *)
let is_last_file = ref false
let library_hints = ref []
let add_library_hints id = library_hints:= id :: !library_hints

let print_term = if v8 then print_term_v8 else print_term_v7
let print_predicate = if v8 then print_predicate_v8 else print_predicate_v7
let print_sequent = if v8 then print_sequent_v8 else print_sequent_v7
let print_cc_type = if v8 then print_cc_type_v8 else print_cc_type_v7
let print_cc_term = if v8 then print_cc_term_v8 else print_cc_term_v7
let print_cc_functional_program =
  if v8 then print_cc_functional_program_v8 else print_cc_functional_program_v7

(* while printing scheme, we rename type variables (for more stability
   of the Coq source); this is safe only because we throw away the types
   as soon as they are printed *)
let print_scheme fmt l =
  let r = ref 0 in
  Env.Vmap.iter
    (fun _ x ->
       incr r;
       x.type_val <- Some (PTvar { tag = !r; user = false; type_val = None });
       if v8 then fprintf fmt "forall (A%d:Set),@ " !r
       else fprintf fmt "(A%d:Set)@ " !r)
    l

let print_sequent fmt s =
  let (l,s) = Env.specialize_sequent s in
  print_scheme fmt l;
  print_sequent fmt s

(*let _ = Vcg.log_print_function := print_sequent*)

let reprint_obligation fmt loc _is_lemma _expl id s =
  fprintf fmt "@[(* %a *)@]@\n" (Loc.report_obligation_position  ~onlybasename:true) loc;
  fprintf fmt "@[(*Why goal*) Lemma %s : @\n%a.@]@\n" id print_sequent s
  (*;
  fprintf fmt "@[(* %a *)@]@\n" Util.print_explanation expl
  *)
 

let print_obligation fmt loc is_lemma expl id s =
  reprint_obligation fmt loc is_lemma expl id s;
  fprintf fmt "Proof.@\n";
  option_iter (fun t -> fprintf fmt "%s.@\n" t) coq_tactic;
  fprintf fmt "(* FILL PROOF HERE *)@\nSave.@\n";
  if is_lemma && v81 && coq_use_dp then 
    fprintf fmt "@[Dp_hint %s.@]@\n" id

let reprint_parameter fmt id c =
  let (l,c) = Env.specialize_cc_type c in
  fprintf fmt
    "@[(*Why*) Parameter %a :@ @[%a%a@].@]@\n" idents id
    print_scheme l print_cc_type c

let print_parameter = reprint_parameter

let print_logic_type fmt s =
  let (l,t) = Env.specialize_logic_type s in
  print_scheme fmt l;
  match t with
  | Function ([], t) ->
      print_pure_type fmt t
  | Function (pl, t) ->
      fprintf fmt "%a -> %a"
	(print_list arrow print_pure_type) pl print_pure_type t
  | Predicate [] ->
      fprintf fmt "Prop"
  | Predicate pl ->
      fprintf fmt "%a -> Prop" (print_list arrow print_pure_type) pl

let reprint_logic fmt id t =
  fprintf fmt
    "@[(*Why logic*) Definition %a :@ @[%a@].@]@\n"
    idents id print_logic_type t

let polymorphic t = not (Env.Vset.is_empty t.Env.scheme_vars)

let implicits_for_logic_type t = match t.Env.scheme_type with
  | Predicate [] -> false
  | Function _ | Predicate _ -> polymorphic t

let implicits_for_predicate t = 
  let (bl,_) = t.Env.scheme_type in bl <> [] && polymorphic t

let is_logic_constant t = match t.Env.scheme_type with
  | Function ([],_) -> true
  | Function _ | Predicate _ -> false

let print_logic fmt id t =
  reprint_logic fmt id t;
  fprintf fmt "Admitted.@\n";
  if implicits_for_logic_type t then
    begin
      let b = is_logic_constant t in
      if b then fprintf fmt "Set Contextual Implicit.@\n";
      fprintf fmt "Implicit Arguments %a.@\n" idents id;
      if b then fprintf fmt "Unset Contextual Implicit.@\n";
    end

let print_predicate_scheme fmt p =
  let (l,p) = Env.specialize_predicate p in
  print_scheme fmt l;
  print_predicate fmt p

let reprint_axiom fmt id p =
  fprintf fmt
    "@[(*Why axiom*) Lemma %a :@ @[%a@].@]@\n"
    idents id print_predicate_scheme p

let print_axiom fmt id p =
  reprint_axiom fmt id p;
  fprintf fmt "Admitted.@\n";
  if v81 && coq_use_dp then 
    fprintf fmt "@[Dp_hint %a.@]@\n" idents id;
  if not !is_last_file then add_library_hints id
  (* if is_polymorphic p then fprintf fmt "Implicit Arguments %s.@\n" id *)

let print_poly fmt x =
  if v8 then fprintf fmt "(A%d:Set)" x.tag else fprintf fmt "[A%d:Set]" x.tag

let reprint_predicate_def fmt id p =
  let (l,(bl,p)) = Env.specialize_predicate_def p in
  let l = Env.Vmap.fold (fun _ t acc -> t :: acc) l [] in
  let print_binder fmt (x,pt) =
    if v8 then
      fprintf fmt "(%a:%a)" ident x print_pure_type pt
    else
      fprintf fmt "[%a:%a]" ident x print_pure_type pt
  in
  fprintf fmt
     "@[(*Why predicate*) Definition %a %a %a@ := @[%a@].@]@\n"
    idents id
    (print_list space print_poly) l
    (print_list space print_binder) bl
    print_predicate p

let print_predicate_def fmt id p =
  reprint_predicate_def fmt id p;
  if implicits_for_predicate p then
    fprintf fmt "Implicit Arguments %a.@\n" idents id

let reprint_inductive fmt id d =
  let (l,(bl,cases)) = Env.specialize_inductive_def d in
  let l = Env.Vmap.fold (fun _ t acc -> t :: acc) l [] in
  fprintf fmt
     "@[(*Why inductive*) Inductive %s %a : %a -> Prop @ := @[%a@].@]@\n"
    id
    (print_list space print_poly) l
    (print_list arrow print_pure_type) bl
    (print_list newline
       (fun fmt (id,p) ->
	  fprintf fmt "| %a : %a@\n" ident id print_predicate p)) cases

let print_inductive fmt id d =
  reprint_inductive fmt id d
(*
  if implicits_for_predicate p then
    fprintf fmt "Implicit Arguments %a.@\n" idents id
*)

let reprint_alg_type_single fmt (id,d) =
  let cpt = ref 0 in
  let print_binder fmt = function
    | PTvar v ->
        incr cpt;
        let x = { tag = !cpt; user = false; type_val = None } in
        v.type_val <- Some (PTvar x);
        print_poly fmt x
    | _ -> assert false
  in
  let _,(vs,cs) = Env.specialize_alg_type d in
  let th = PTexternal (vs, Ident.create id) in
  let print_constructor fmt (c,pl) =
    fprintf fmt "| %a : @[%a@]" idents (Ident.string c)
      (print_list arrow print_pure_type) (pl@[th])
  in
  fprintf fmt "%a @[%a: Set@] :=@\n  @[%a@]"
    idents id (print_list nothing print_binder) vs
    (print_list newline print_constructor) cs

let reprint_alg_type fmt ls =
  let andsep fmt () = fprintf fmt "@\n with " in
  fprintf fmt "@[(*Why type*) Inductive %a.@]@\n"
    (print_list andsep reprint_alg_type_single) ls

let print_alg_type_single fmt (_id,d) =
  let print_implicit (c,pl) =
    match pl with
    | [] -> fprintf fmt "Set Contextual Implicit.@\n";
            fprintf fmt "Implicit Arguments %a.@\n" idents (Ident.string c);
            fprintf fmt "Unset Contextual Implicit.@\n"
    | _  -> fprintf fmt "Implicit Arguments %a.@\n" idents (Ident.string c)
  in
  let vs,cs = d.Env.scheme_type in
  match vs with
  | [] -> ()
  | _ -> List.iter print_implicit cs

let print_alg_type fmt ls =
  reprint_alg_type fmt ls;
  print_list nothing print_alg_type_single fmt ls

let reprint_type fmt id vl =
  fprintf fmt "@[(*Why type*) Definition %a: @[%aSet@].@]@\n"
    idents id (print_list space (fun fmt _ -> fprintf fmt "Set ->")) vl

let print_type fmt id vl =
  reprint_type fmt id vl;
  fprintf fmt "Admitted.@\n"

let reprint_function fmt id p =
  let (l,(bl,_t,e)) = Env.specialize_function_def p in
  let l = Env.Vmap.fold (fun _ t acc -> t :: acc) l [] in
  let print_poly fmt x =
    if v8 then fprintf fmt "(A%d:Set)" x.tag else fprintf fmt "[A%d:Set]" x.tag
  in
  let print_binder fmt (x,pt) =
    if v8 then
      fprintf fmt "(%a:%a)" ident x print_pure_type pt
    else
      fprintf fmt "[%a:%a]" ident x print_pure_type pt
  in
  fprintf fmt
     "@[(*Why function*) Definition %a %a %a@ := @[%a@].@]@\n"
    idents id
    (print_list space print_poly) l
    (print_list space print_binder) bl
    print_term e

let print_function fmt id p =
  reprint_function fmt id p;
  if polymorphic p then
    begin
      let b = let (bl,_,_) = p.Env.scheme_type in bl = [] in
      if b then fprintf fmt "Set Contextual Implicit.@\n";
      fprintf fmt "Implicit Arguments %a.@\n" idents id;
      if b then fprintf fmt "Unset Contextual Implicit.@\n";
    end

let print_lam_scheme fmt l =
  List.iter
    (fun v -> match v with
       | {type_val=Some (PTvar {type_val=None; tag=x})} ->
	   if v8 then fprintf fmt "fun (A%d:Set) =>@ " x
	   else fprintf fmt "[A%d:Set]@ " x
       | _ ->
	   assert false)
    l

let print_validation fmt (id, tt, v) =
  let (l,tt,v) = Env.specialize_validation tt v in
  let print_cc_type fmt t = print_scheme fmt l; print_cc_type fmt t in
  let l = Env.Vmap.fold (fun _ t acc -> t :: acc) l [] in
  let print_cc_term fmt c = print_lam_scheme fmt l; print_cc_term fmt c in
  fprintf fmt
    "@[Definition %a (* validation *)@\n  : @[%a@]@\n  := @[%a@].@]@\n@\n"
    idents id print_cc_type tt print_cc_term v

let print_cc_functional_program fmt (id, tt, v) =
  let (l,tt,v) = Env.specialize_cc_functional_program tt v in
  let print_cc_type fmt t = print_scheme fmt l; print_cc_type fmt t in
  let l = Env.Vmap.fold (fun _ t acc -> t :: acc) l [] in
  let print_cc_functional_program fmt c =
    print_lam_scheme fmt l; print_cc_functional_program fmt c
  in
  fprintf fmt
    "@[Definition %a (* validation *)@\n  : @[%a@]@\n  := @[%a@].@]@\n@\n"
    idents id print_cc_type tt print_cc_functional_program v

open Regen

module Gen = Regen.Make(
struct

  let print_element fmt e =
    begin match e with
      | Parameter (id, c) -> print_parameter fmt id c
      | Program (id, tt, v) -> print_cc_functional_program fmt (id, tt, v)
      | Obligation (loc, is_lemma, expl, id, s) -> 
	  print_obligation fmt loc is_lemma expl id s
      | Logic (id, t) -> print_logic fmt id t
      | Axiom (id, p) -> print_axiom fmt id p
      | Predicate (id, p) -> print_predicate_def fmt id p
      | Inductive(id,d) -> print_inductive fmt id d
      | Function (id, f) -> print_function fmt id f
      | AbstractType (id, vl) -> print_type fmt id vl
      | AlgebraicType ls -> print_alg_type fmt ls
    end;
    fprintf fmt "@\n"

  let reprint_element fmt = function
    | Parameter (id, c) -> reprint_parameter fmt id c
    | Program (id, tt, v) -> print_cc_functional_program fmt (id, tt, v)
    | Obligation (loc, is_lemma, expl, id, s) -> 
	reprint_obligation fmt loc is_lemma expl id s
    | Logic (id, t) -> reprint_logic fmt id t
    | Axiom (id, p) -> reprint_axiom fmt id p
    | Predicate (id, p) -> reprint_predicate_def fmt id p
    | Inductive(id, d) -> reprint_inductive fmt id d
    | Function (id, f) -> reprint_function fmt id f
    | AbstractType (id, vl) -> reprint_type fmt id vl
    | AlgebraicType ls -> reprint_alg_type fmt ls

  let re_oblig_loc = Str.regexp "(\\* Why obligation from .*\\*)"

  let first_time fmt =
    fprintf fmt "\
@\n(* This file was originally generated by why.\
@\n   It can be modified; only the generated parts will be overwritten. *)@\n";
    if floats then fprintf fmt "Require Export WhyFloats.@\n";
    fprintf fmt "%s@\n" coq_preamble;
    if !is_last_file && v81 then
      List.iter (fun x -> fprintf fmt "Dp_hint %a.@\n" idents x) !library_hints;
    fprintf fmt "@\n"

  let first_time_trailer _fmt = ()

  let not_end_of_element _ s =
    let n = String.length s in n = 0 || s.[n-1] <> '.'

end)

let reset = Gen.reset

let push_decl = function
  | Dgoal (loc,is_lemma,expl,l,s) ->
      Gen.add_elem (Oblig, l) (Obligation (loc,is_lemma,expl,l,s))
  | Dlogic (_, id, t) ->
      let id = Ident.string id in
      Gen.add_elem (Lg, rename id) (Logic (id, t))
  | Daxiom (_, id, p) ->
      Gen.add_elem (Ax, rename id) (Axiom (id, p))
  | Dpredicate_def (_,id,p) -> 
      let id = Ident.string id in
      Gen.add_elem (Pr, rename id) (Predicate (id, p))
  | Dinductive_def(_loc, id, d) ->
      let id = Ident.string id in
      Gen.add_elem (Ind, rename id) (Inductive(id, d))
  | Dfunction_def (_,id,f) -> 
      let id = Ident.string id in
      Gen.add_elem (Fun, rename id) (Function (id, f))
  | Dtype (_, id, vl) ->
      let id = Ident.string id in
      Gen.add_elem (Ty, rename id) (AbstractType (id, vl))
  | Dalgtype ls ->
      let id = match ls with (_,id,_)::_ -> id | _ -> assert false in
      let at = List.map (fun (_,id,d) -> (Ident.string id,d)) ls in
      Gen.add_elem (Ty, rename (Ident.string id)) (AlgebraicType at)

let push_parameter id v =
  Gen.add_elem (Param, id) (Parameter (id,v))

let push_program id tt v =
  Gen.add_elem (Prog, id) (Program (id, tt, v))

let _ =
  Gen.add_regexp
    "Lemma[ ]+\\(.*_po_[0-9]+\\)[ ]*:[ ]*" Oblig;
  Gen.add_regexp
    "(\\*Why goal\\*) Lemma[ ]+\\([^ ]*\\)[ ]*:[ ]*" Oblig;
  Gen.add_regexp
    "Definition[ ]+\\([^ ]*\\)[ ]*:=[ ]*(\\* validation \\*)[ ]*" Valid;
  Gen.add_regexp
    "Definition[ ]+\\([^ ]*\\)[ ]*(\\* validation \\*)[ ]*" Valid;
  Gen.add_regexp
    "(\\*Why\\*) Parameter[ ]+\\([^ ]*\\)[ ]*:[ ]*" Param;
  Gen.add_regexp
    "(\\*Why axiom\\*) Lemma[ ]+\\([^ ]*\\)[ ]*:[ ]*" Ax;
  Gen.add_regexp
    "(\\*Why logic\\*) Definition[ ]+\\([^ ]*\\)[ ]*:[ ]*" Lg;
  Gen.add_regexp
    "(\\*Why predicate\\*) Definition[ ]+\\([^ ]*\\) " Pr;
  Gen.add_regexp
    "(\\*Why inductive\\*) Inductive[ ]+\\([^ ]*\\) " Ind;
  Gen.add_regexp
    "(\\*Why function\\*) Definition[ ]+\\([^ ]*\\) " Fun;
  Gen.add_regexp
    "(\\*Why program\\*) Definition[ ]+\\([^ ]*\\) " Fun;
  Gen.add_regexp
    "(\\*Why type\\*) Parameter[ ]+\\([^ ]*\\):" Ty;
  Gen.add_regexp
    "(\\*Why type\\*) Inductive[ ]+\\([^ ]*\\) " Ty;
  Gen.add_regexp 
    "(\\*Why type\\*) Definition[ ]+\\([^ ]*\\):" Ty

(* validations *)

let valid_q = Queue.create ()

let deps_q = Queue.create ()
let add_dep f = Queue.add f deps_q

let push_validation id tt v = Queue.add (id,tt,v) valid_q

let print_validations fwe fmt =
  fprintf fmt "(* This file is generated by Why; do not edit *)@\n@\n";
  fprintf fmt "Require Import Why.@\n";
  Queue.iter (fun m -> fprintf fmt "Require Export %s_valid.@\n" m) deps_q;
  fprintf fmt "Require Export %s_why.@\n@\n" fwe;
  Queue.iter (print_validation fmt) valid_q;
  Queue.clear valid_q

let output_validations fwe =
  let f = fwe ^ "_valid.v" in
  let m = Filename.basename fwe in
  print_in_file (print_validations m) f;
  add_dep m

(* output file. *)

let output_file is_last fwe =
  let fwe = Options.out_file fwe 
    (* because not done anymore in main.ml *)
  in
  let f = fwe ^ "_why.v" in
  is_last_file:=is_last;
  Gen.output_file f;
  if valid then begin
    output_validations fwe
  end
why-2.39/src/logic_decl.mli0000644000106100004300000000667613147234006014626 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(*s Logical declarations. 
    This is what is sent to the various provers (see main.ml and the provers
    interfaces). *)

open Cc
open Logic

type loc = Loc.floc
type 'a scheme = 'a Env.scheme

type expl_kind = 
  | EKAbsurd
  | EKAssert
  | EKCheck
  | EKLoopInvInit of string
  | EKLoopInvPreserv of string
  | EKPost
  | EKPre of string
  | EKOther of string
  | EKVarDecr
  | EKWfRel 
  | EKLemma
      
type vc_expl =
    { lemma_or_fun_name : string;
      behavior : string;
      vc_loc : Loc.floc;
      vc_kind : expl_kind;
      vc_label : string option
    }

type obligation = Loc.floc * bool * vc_expl * string * sequent
    (* loc, is_lemma, explanation, id, sequent *) 

type t =
  | Dtype          of loc * Ident.t * string list
  | Dalgtype       of (loc * Ident.t * alg_type_def scheme) list
  | Dlogic         of loc * Ident.t * logic_type scheme
  | Dpredicate_def of loc * Ident.t * predicate_def scheme
  | Dinductive_def of loc * Ident.t * inductive_def scheme
  | Dfunction_def  of loc * Ident.t * function_def scheme
  | Daxiom         of loc * string * predicate scheme
  | Dgoal          of loc * bool * vc_expl * string * sequent scheme
      (* bool is true when goal is a lemma, that is it must be present
      in the context of the next goals *)
why-2.39/src/encoding.ml0000644000106100004300000000764213147234006014151 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



open Options

let queue = Queue.create ()

let reset () = match get_types_encoding () with
  | NoEncoding -> Queue.clear queue
  | Predicates -> Encoding_pred.reset ()
  | Stratified -> Encoding_strat.reset ()
  | SortedStratified -> Encoding_mono.reset ()
  | Recursive -> Encoding_rec.reset ()
  | Monomorph -> Monomorph.reset ()
  | MonoInst -> Encoding_mono_inst.reset ()

let push d = match get_types_encoding () with
  | NoEncoding -> Queue.add d queue
  | Predicates -> Encoding_pred.push d
  | SortedStratified -> Encoding_mono.push d
  | Stratified -> Encoding_strat.push d
  | Recursive -> Encoding_rec.push d
  | Monomorph -> Monomorph.push_decl d
  | MonoInst -> Encoding_mono_inst.push_decl d

let push ?(encode_inductive=true) ?(encode_algtype=true) 
    ?(encode_preds=true) ?(encode_funs=true) = function
  | Logic_decl.Dfunction_def (loc, id, d) when encode_funs ->
      List.iter push (PredDefExpansor.function_def loc id d)
  | Logic_decl.Dpredicate_def (loc, id, d) when encode_preds ->
      List.iter push (PredDefExpansor.predicate_def loc id d)
  | Logic_decl.Dinductive_def (loc, id, d) when encode_inductive ->
      List.iter push (PredDefExpansor.inductive_def loc id d)
  | Logic_decl.Dalgtype ls when encode_algtype ->
      List.iter push (PredDefExpansor.algebraic_type ls)
  | d -> push d

let iter f = match get_types_encoding () with
  | NoEncoding -> Queue.iter f queue
  | Predicates -> Encoding_pred.iter f
  | Stratified -> Encoding_strat.iter f
  | SortedStratified -> Encoding_mono.iter f
  | Recursive -> Encoding_rec.iter f
  | Monomorph -> Monomorph.iter f
  | MonoInst -> Encoding_mono_inst.iter f

let symbol ((id,_) as s) = match get_types_encoding () with
  | Monomorph -> Monomorph.symbol s
  | _ -> Ident.string id
why-2.39/src/pretty.mli0000644000106100004300000000574413147234006014064 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(* Why pretty-printer *)

val push_decl : ?ergo:bool -> Logic_decl.t -> unit

(* [push_or_output_decl d] either pushes the goal in a queue like [push_decl]
   for declarations other than goals, and produces a file for goal 
   declarations much as what [output_files] does. *)
val push_or_output_decl : Logic_decl.t -> unit

val reset : unit -> unit

val output_file : ergo:bool -> string -> unit

(* [output_files f] produces the context in file [f_ctx.why]
   and each goal in a seaparate file [f_po.why] for i=1,2,... *)
val output_files : string -> unit

(* [output_project f] produces a whole project description, in a file
[f.wpr], together with other needed files [f_ctx.why], [f_lemmas.why],
and each goal in a separate file [f_po.why] for i=1,2,... *)
val output_project : string -> Project.t
why-2.39/src/cvcl.mli0000644000106100004300000000450713147234006013460 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

val reset : unit -> unit
val push_decl : Logic_decl.t -> unit
val output_file : allowedit:bool -> string -> unit
val prelude_done : bool ref
why-2.39/src/util.ml0000644000106100004300000012302113147234006013326 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



open Logic
open Ident
open Misc
open Types
open Cc
open Logic_decl
open Ast
open Env
open Rename
open Options


(*s Pretty printers (for debugging purposes) *)

open Format
open Pp

let rec print_type_var fmt = function
  | ({user=true; type_val=None} as v) -> 
      fprintf fmt "'%s" (type_var_name v)
  | {user=true; type_val=Some _} -> assert false
  | {tag=t; type_val=None} -> fprintf fmt "'a%d" t
  | {tag=t; type_val=Some pt} -> 
      if debug then
	fprintf fmt "'a%d(=%a)" t print_pure_type pt
      else
	print_pure_type fmt pt

and print_pure_type fmt = function
  | PTint -> fprintf fmt "int"
  | PTbool -> fprintf fmt "bool"
  | PTunit -> fprintf fmt "unit"
  | PTreal -> fprintf fmt "real"
  | PTexternal([],id) -> fprintf fmt "%a" Ident.print id
  | PTvar var -> print_type_var fmt var
  | PTexternal([t],id) -> 
      fprintf fmt "%a %a" print_pure_type t Ident.print id
  | PTexternal(l,id) -> fprintf fmt "(%a) %a" 
      (print_list comma print_pure_type) l
      Ident.print id

let print_instance = Pp.print_list Pp.semi print_pure_type


let print_scheme pr fmt x =
  fprintf fmt "[%a]%a" (Pp.print_iter1 Vset.iter Pp.comma print_type_var) x.scheme_vars
    pr x.scheme_type

let print_logic_type fmt lt =
  let print_args = print_list comma print_pure_type in
  match lt with
    | Predicate l -> fprintf fmt "%a -> prop" print_args l
    | Function (l, pt) -> 
	fprintf fmt "%a -> %a" print_args l print_pure_type pt

let rec print_term fmt = function
  | Tconst (ConstInt n) -> 
      fprintf fmt "%s" n
  | Tconst (ConstBool b) -> 
      fprintf fmt "%b" b
  | Tconst ConstUnit -> 
      fprintf fmt "void" 
  | Tconst (ConstFloat c) -> 
      Print_real.print fmt c
  | Tvar id -> 
      (if debug then Ident.dbprint else Ident.print) fmt id
  | Tderef id ->
      fprintf fmt "!%a" Ident.lprint id
  | Tapp (id, tl, []) -> 
      fprintf fmt "%s(%a)" (Ident.string id) (print_list comma print_term) tl
  | Tapp (id, tl, i) -> 
      fprintf fmt "%s(%a)[%a]" 
	(Ident.string id) (print_list comma print_term) tl
	(print_list comma print_pure_type) i
  | Tnamed(User lab,t) ->
      fprintf fmt "(%s : %a)" lab print_term t
  | Tnamed(Internal n,t) ->
      fprintf fmt "((%d) : %a)" n print_term t

(* dead code
let relation_string id =
  if id == t_lt || id == t_lt_int || id == t_lt_real then "<" 
  else if id == t_le || id == t_le_int || id == t_le_real then "<="
  else if id == t_gt || id == t_gt_int || id == t_gt_real then ">"
  else if id == t_ge || id == t_ge_int || id == t_ge_real then ">="
  else if is_eq id then "="
  else if is_neq id then "<>"
  else assert false
*)

let rec print_pattern fmt = function
  | TPat t -> print_term fmt t
  | PPat p -> print_predicate fmt p

and print_triggers fmt = function
  | [] -> ()
  | tl -> fprintf fmt " [%a]" (print_list alt (print_list comma print_pattern))tl

and print_predicate fmt = function
  | Pvar id -> 
      (if debug then Ident.dbprint else Ident.print) fmt id
(*
  | Papp (id, [t1; t2]) when is_relation id ->
      fprintf fmt "%a %s %a" print_term t1 (relation_string id) print_term t2
*)
  | Papp (id, l, []) ->
      fprintf fmt "%s(%a)" (Ident.string id) (print_list comma print_term) l
  | Papp (id, l, i) ->
      fprintf fmt "%s(%a)[%a]" 
	(Ident.string id) (print_list comma print_term) l
	(print_list comma print_pure_type) i
  | Ptrue ->
      fprintf fmt "true"
  | Pfalse ->
      fprintf fmt "false"
  | Pimplies (_, a, b) -> 
      fprintf fmt "(@[%a ->@ %a@])" print_predicate a print_predicate b
  | Piff (a, b) -> 
      fprintf fmt "(@[%a <->@ %a@])" print_predicate a print_predicate b
  | Pif (a, b, c) -> 
      fprintf fmt "(@[if %a then@ %a else@ %a@])" 
	print_term a print_predicate b print_predicate c
  | Pand (_, _, a, b) ->
      fprintf fmt "(@[%a and@ %a@])" print_predicate a print_predicate b
  | Forallb (_, ptrue, pfalse) ->
      fprintf fmt "(@[forallb(%a,@ %a)@])" 
	print_predicate ptrue print_predicate pfalse
  | Por (a, b) ->
      fprintf fmt "(@[%a or@ %a@])" print_predicate a print_predicate b
  | Pnot a ->
      fprintf fmt "(not %a)" print_predicate a
  | Forall (_,_,b,v,tl,p) ->
      fprintf fmt "@[(forall %a:%a%a.@ %a)@]"
	(if debug then Ident.dbprint else Ident.print) b 
	print_pure_type v print_triggers tl print_predicate p
  | Exists (_,b,v,p) ->
      fprintf fmt "@[(exists %a:%a @ %a)@]" 
	(if debug then Ident.dbprint else Ident.print) b 
	print_pure_type v print_predicate p
  | Pnamed (User n, p) ->
      fprintf fmt "@[%s:@ %a@]" n print_predicate p
  | Pnamed (Internal n, p) ->
      fprintf fmt "@[(%d):@ %a@]" n print_predicate p
  | Plet (_, x, _, t, p) ->
      fprintf fmt "@[(let %a = %a in@ %a)@]" Ident.print x print_term t
	print_predicate p

(* dead code
let print_assertion fmt a = 
  fprintf fmt "%a: %a" Ident.print a.a_name print_predicate a.a_value
*)

let print_wp fmt = function
  | None -> fprintf fmt ""
  | Some {a_value=p} -> print_predicate fmt p

let print_pre print_assertion fmt l = 
  if l <> [] then begin
    fprintf fmt "@[ ";
    print_list semi print_assertion fmt l;
    fprintf fmt " @]"
  end

let print_assertion fmt a = print_predicate fmt a.a_value

let print_exn print_assertion fmt (x,c) = 
  fprintf fmt "| %a => @[%a@]@," Ident.print x print_assertion c

let print_post print_assertion fmt = function
  | None -> 
      ()
  | Some (c,[]) -> 
      fprintf fmt "@[ %a @]" print_assertion c
  | Some (c, l) -> 
      fprintf fmt "@[ %a@ %a @]" print_assertion c 
	(print_list space (print_exn print_assertion)) l

let rec print_type_v fmt = function
  | Arrow (b,c) ->
      fprintf fmt "@[%a ->@ %a@]" 
	(print_list arrow pp_binder) b print_type_c c
  | v -> 
      print_type_v2 fmt v

and pp_binder fmt = function
  | id, v when id == Ident.anonymous -> 
      print_type_v2 fmt v
  | id, v ->
      fprintf fmt "@[%a:%a@]" Ident.print id print_type_v v

and print_type_v2 fmt = function
  | Ref v -> 
      fprintf fmt "@[%a@ ref@]" print_pure_type v
  | PureType pt -> 
      print_pure_type fmt pt
  | Arrow _ as v ->
      fprintf fmt "(%a)" print_type_v v

and print_type_c fmt c =
  let id = c.c_result_name in
  let v = c.c_result_type in
  let p = c.c_pre in
  let q = c.c_post in
  let e = c.c_effect in
  if e = Effect.bottom && p = [] && q = None then
    print_type_v fmt v
  else
    fprintf fmt "@[{%a}@ returns %a: %a@ %a@,{%a}@]" 
      (print_pre print_predicate) p
      Ident.print id 
      print_type_v v 
      Effect.print e
      (print_post print_predicate) q

let print_typing_info fmt c =
  let id = c.t_result_name in
  let v = c.t_result_type in
  let q = c.t_post in
  let e = c.t_effect in
  if e = Effect.bottom && q = None then
    print_type_v fmt v
  else
    fprintf fmt "@[{}@ returns %a: %a@ %a@,{%a}@]" 
      Ident.print id 
      print_type_v v 
      Effect.print e
      (print_post print_assertion) q

(*s Pretty-print of typed programs *)

(* dead code
let rec print_prog fmt (pre,p) = 
  let i = p.info in
  fprintf fmt "@[%s:@,@[{%a}@]@ @[%a@]@ @[{%a}@]@]" 
    i.t_label (print_pre print_assertion) pre 
    print_desc p.desc (print_post print_assertion) i.t_post
*)

let rec print_expr fmt p =
  let i = p.info in
  if i.t_post = None then
    fprintf fmt "@[%s:@,%a@]" i.t_label print_desc p.desc
  else
    fprintf fmt "@[%s:@,{}@ @[%a@]@ @[{%a}@]@]" i.t_label
      print_desc p.desc (print_post print_assertion) i.t_post

and print_desc fmt = function
  | Var id -> 
      Ident.print fmt id
  | Seq (e1, e2) -> 
      fprintf fmt "@[%a@ %a@]" print_expr e1 print_expr e2
  | Loop (i, _var, e) ->
      fprintf fmt 
	"loop @\n { invariant @[%a@] variant _ }@\n  @[%a@]@\ndone" 
	(print_option print_assertion) i print_expr e
  | If (p1, p2, p3) ->
      fprintf fmt "@[if %a then@ %a else@ %a@]" 
	print_expr p1 print_expr p2 print_expr p3
  | Lam (_bl, p, e) -> 
      fprintf fmt "@[fun  ->@ @[%a@]@\n  %a@]" 
	(print_pre print_assertion) p print_expr e
  | AppRef (p, x, k) -> 
      fprintf fmt "(@[%a %a ::@ %a@])" 
	print_expr p Ident.print x print_typing_info k
  | AppTerm (p, t, k) -> 
      fprintf fmt "(@[%a %a ::@ %a@])" 
	print_expr p print_term t print_typing_info k
  | LetRef (id, p1, p2) ->
      fprintf fmt "@[@[let %a =@ ref %a@ in@]@ %a@]" 
	Ident.print id print_expr p1 print_expr p2
  | LetIn (id, p1, p2) ->
      fprintf fmt "@[@[let %a =@ %a in@]@ %a@]" 
	Ident.print id print_expr p1 print_expr p2
  | Rec (id, _bl, v, _var, p, e) ->
      fprintf fmt "rec %a :  %a { variant _ } =@ %a@\n%a" 
	Ident.print id print_type_v v 
	(print_pre print_assertion) p print_expr e
  | Raise (id, None) ->
      fprintf fmt "raise %a" Ident.print id
  | Raise (id, Some p) ->
      fprintf fmt "@[raise@ (@[%a@ %a@])@]" 
	Ident.print id print_expr p
  | Try (p, hl) ->
      fprintf fmt "@[try@ %a@ with %a@ end@]" print_expr p 
	(print_list alt print_handler) hl
  | Expression t -> 
      print_term fmt t
  | Absurd ->
      fprintf fmt "absurd"
  | Any k ->
      fprintf fmt "[%a]" print_type_c k
  | Assertion (_b, l, p) ->
      fprintf fmt "@[{%a}@ %a@]" 
	(print_pre print_assertion) l print_expr p
  | Post (e, q, Transparent) ->
      fprintf fmt "@[(%a@ { %a })@]" 
	print_expr e (print_post print_assertion) (Some q)
  | Post (e, q, Opaque) ->
      fprintf fmt "@[(%a@ {{ %a }})@]" 
	print_expr e (print_post print_assertion) (Some q)
  | Label (s, e) ->
      fprintf fmt "@[%s:@ %a@]" s print_expr e

and print_handler fmt ((id, a), e) = match a with
  | None -> 
      fprintf fmt "%a ->@ %a" Ident.print id print_expr e
  | Some a -> 
      fprintf fmt "%a %a ->@ %a" Ident.print id Ident.print a print_expr e

(* dead code
and print_cast fmt = function
  | None -> ()
  | Some v -> fprintf fmt ": %a" print_type_v v
*)

(*s Pretty-print of cc-terms (intermediate terms) *)

let print_pred_binders = ref true
let print_var_binders = ref false

let rec print_cc_type fmt = function
  | TTpure pt -> 
      print_pure_type fmt pt
  | TTarray t -> 
      fprintf fmt "(array %a)" print_cc_type t
  | TTlambda (b, t) ->
      fprintf fmt "[%a]%a" print_binder b print_cc_type t
  | TTarrow (b, t) -> 
      fprintf fmt "(%a)%a" print_binder b print_cc_type t
  | TTtuple (bl, None) -> 
      fprintf fmt "{%a}" print_tuple bl
  | TTtuple (bl, Some q) -> 
      fprintf fmt "{%a | %a}" print_tuple bl print_cc_type q
  | TTpred p ->
      print_predicate fmt p
  | TTapp (tt, l) ->
      fprintf fmt "(%a %a)" print_cc_type tt (print_list space print_cc_type) l
  | TTterm t ->
      print_term fmt t
  | TTSet -> 
      fprintf fmt "Set"

and print_tuple fmt = print_list comma print_binder fmt

and print_binder fmt (id,b) = 
  Ident.print fmt id;
  match b with
    | CC_pred_binder p -> 
	if !print_pred_binders then fprintf fmt ": %a" print_predicate p
    | CC_var_binder t -> 
	if !print_var_binders then fprintf fmt ": %a" print_cc_type t
    | CC_untyped_binder -> 
	()

let rec print_cc_pattern fmt = function
  | PPvariable (id, _) -> 
      Ident.print fmt id
  | PPcons (id, pl) -> 
      fprintf fmt "(%a %a)" 
	Ident.print id (print_list space print_cc_pattern) pl

(* dead code
let print_case_pred fmt (x,_) = Ident.print fmt x
*)

let rec print_cc_term fmt = function
  | CC_var id -> 
      fprintf fmt "%s" (Ident.string id)
  | CC_letin (_,bl,c,c1) ->
      fprintf fmt "@[@[let %a =@ %a in@]@\n%a@]"
      (print_list comma print_binder) bl
      print_cc_term c print_cc_term c1
  | CC_lam (b,c) ->
      fprintf fmt "@[[%a]@,%a@]" print_binder b print_cc_term c
  | CC_app (f,a) ->
      fprintf fmt "@[(%a@ %a)@]" print_cc_term f print_cc_term a
  | CC_tuple (cl,_) ->
      fprintf fmt "@[(%a)@]" (print_list comma print_cc_term) cl
  | CC_if (b,e1,e2) ->
      fprintf fmt "@[if "; print_cc_term fmt b; fprintf fmt " then@\n  ";
      hov 0 fmt (print_cc_term fmt) e1;
      fprintf fmt "@\nelse@\n  ";
      hov 0 fmt (print_cc_term fmt) e2;
      fprintf fmt "@]"
  | CC_case (e,pl) ->
      fprintf fmt "@[match %a with@\n  @[%a@]@\nend@]" 
	print_cc_term e (print_list newline print_case) pl
  | CC_term c ->
      fprintf fmt "@["; print_term fmt c; fprintf fmt "@]"
  | CC_hole (_, c) ->
      fprintf fmt "@[(?:@ "; print_predicate fmt c; fprintf fmt ")@]"
  | CC_type t ->
      print_cc_type fmt t
  | CC_any t ->
      fprintf fmt "@[(any(%a))@]" print_cc_type t

(* dead code
and print_binders fmt bl =
  print_list nothing (fun fmt b -> fprintf fmt "[%a]" print_binder b) fmt bl
*)

and print_case fmt (p,e) =
  fprintf fmt "@[| %a =>@ %a@]" print_cc_pattern p print_cc_term e

let print_subst fmt =
  Idmap.iter
    (fun id t -> fprintf fmt "%a -> %a@\n" Ident.print id print_term t)

let print_cc_subst fmt =
  Idmap.iter
    (fun id t -> fprintf fmt "%a -> %a@\n" Ident.print id print_cc_term t)


let print_env fmt e =
  fold_all (fun (id, v) () -> fprintf fmt "%a:%a, " Ident.dbprint id 
		print_type_v v) e ()



(*s References mentioned by a predicate *)

let is_reference env id =
  (is_in_env env id) && (is_mutable (type_in_env env id))

let predicate_now_refs env c =
  Idset.filter (is_reference env) (predicate_vars c)

let term_now_refs env c =
  Idset.filter (is_reference env) (term_vars c)


let labelled_reference env id =
  if is_reference env id then
    id
  else if is_at id then
    let uid,_ = Ident.un_at id in 
    if is_reference env uid then uid else failwith "caught"
  else
    failwith "caught"

let set_map_succeed f s = 
  Idset.fold 
    (fun x e -> try Idset.add (f x) e with Failure _ -> e) 
    s Idset.empty

let predicate_refs env c =
  set_map_succeed (labelled_reference env) (predicate_vars c)

let term_refs env c =
  set_map_succeed (labelled_reference env) (term_vars c)

let post_refs env q =
  set_map_succeed (labelled_reference env) (apost_vars q)

(*s Labels management *)

let gen_change_label f c =
  let ids = Idset.elements (predicate_vars c) in
  let s = 
    List.fold_left 
      (fun s id -> 
	 if is_at id then 
	   try Idmap.add id (f (un_at id)) s with Failure _ -> s
	 else s)
      Idmap.empty ids
  in
  subst_in_predicate s c

let erase_label l c =
  gen_change_label 
    (function (uid,l') when l = l' -> uid | _ -> failwith "caught") c

let change_label l1 l2 c =
  gen_change_label 
    (function (uid,l) when l = l1 -> at_id uid l2 | _ -> failwith "caught") c

let put_label_term env l t =
  let ids = term_refs env t in
  let s = 
    Idset.fold (fun id s -> Idmap.add id (at_id id l) s) ids Idmap.empty 
  in
  subst_in_term s t

let put_label_predicate env l p =
  let ids = predicate_refs env p in
  let s = 
    Idset.fold (fun id s -> Idmap.add id (at_id id l) s) ids Idmap.empty 
  in
  subst_in_predicate s p

let oldify env ef t =
  let ids = term_refs env t in
  let s =
    Idset.fold 
      (fun id s -> 
	 if Effect.is_write ef id then Idmap.add id (at_id id "") s else s)
      ids Idmap.empty
  in
  subst_in_term s t

let type_c_subst_oldify env x t k =
  let s = subst_one x t in 
  let s_old = subst_one x (oldify env k.c_effect t) in
  { c_result_name = k.c_result_name;
    c_result_type = type_v_rsubst s k.c_result_type;
    c_effect = k.c_effect;
    c_pre = List.map (tsubst_in_predicate s) k.c_pre;
    c_post = option_app (post_app (tsubst_in_predicate s_old)) k.c_post }

(*s shortcuts for typing information *)

let effect p = p.info.t_effect
let post p = p.info.t_post
let result_type p = p.info.t_result_type
let result_name p = p.t_result_name

let erase_exns ti = 
  { ti with t_effect = Effect.erase_exns ti.t_effect }

(*s [apply_pre] and [apply_post] instantiate pre- and post- conditions
    according to a given renaming of variables (and a date that means
    `before' in the case of the post-condition). *)

let make_subst before ren env ids =
  Idset.fold
    (fun id s ->
       if is_reference env id then
	 Idmap.add id (current_var ren id) s
       else if is_at id then
	 let uid,d = un_at id in
	 if is_reference env uid then begin
	   let d' = match d, before with
	     | "", None -> assert false
	     | "", Some l -> l
	     | _ -> d
	   in
	   Idmap.add id (var_at_date ren d' uid) s
	 end else
	   s
       else
	 s) 
    ids Idmap.empty

let apply_term ren env t =
  let ids = term_vars t in
  let s = make_subst None ren env ids in
  subst_in_term s t

let apply_assert ren env c =
  let ids = predicate_vars c in
  let s = make_subst None ren env ids in
  subst_in_predicate s c
 
let a_apply_assert ren env c =
  let ids = predicate_vars c.a_value in
  let s = make_subst None ren env ids in
  asst_app (subst_in_predicate s) c
 
let apply_post before ren env q =
  let ids = post_vars q in
  let s = make_subst (Some before) ren env ids in
  post_app (subst_in_predicate s) q
  
let a_apply_post before ren env q =
  let ids = apost_vars q in
  let s = make_subst (Some before) ren env ids in
  post_app (asst_app (subst_in_predicate s)) q
  
(*s [traverse_binder ren env bl] updates renaming [ren] and environment [env]
    as we cross the binders [bl]. *)

let rec traverse_binders env = function
  | [] -> 
      env
  | (id, v) :: rem ->
      traverse_binders (Env.add id v env) rem
	  
let initial_renaming env =
  let ids = Env.fold_all (fun (id,_) l -> id::l) env [] in
  update empty_ren "%init" ids


(*s Occurrences *)

let rec occur_term id = function
  | Tvar id' | Tderef id' -> id = id'
  | Tapp (_, l, _) -> List.exists (occur_term id) l
  | Tconst _ -> false
  | Tnamed(_,t) -> occur_term id t

let rec occur_pattern id = function
  | TPat t -> occur_term id t
  | PPat p -> occur_predicate id p

and occur_trigger id = List.exists (occur_pattern id)
and occur_triggers id = List.exists (occur_trigger id)

and occur_predicate id = function
  | Pvar _ | Ptrue | Pfalse -> false
  | Papp (_, l, _) -> List.exists (occur_term id) l
  | Pif (a, b, c) -> 
      occur_term id a || occur_predicate id b || occur_predicate id c
  | Forallb (_, a, b) 
  | Pimplies (_, a, b) 
  | Pand (_, _, a, b) 
  | Piff (a, b) 
  | Por (a, b) -> occur_predicate id a || occur_predicate id b
  | Pnot a -> occur_predicate id a
  | Forall (_,_,_,_,tl,a) -> occur_triggers id tl || occur_predicate id a
  | Exists (_,_,_,a) -> occur_predicate id a
  | Pnamed (_, a) -> occur_predicate id a
  | Plet (_, _, _, t, a) -> occur_term id t || occur_predicate id a

let occur_assertion id a = occur_predicate id a.a_value

let gen_occur_post occur_assertion id = function 
  | None -> 
      false 
  | Some (q,l) -> 
      occur_assertion id q || 
      List.exists (fun (_,a) -> occur_assertion id a) l

let occur_post = gen_occur_post occur_assertion

let rec occur_type_v id = function
  | PureType _ | Ref _ -> false
  | Arrow (bl, c) -> occur_arrow id bl c

and occur_type_c id c =
  occur_type_v id c.c_result_type ||
  List.exists (occur_predicate id) c.c_pre ||
  Effect.occur id c.c_effect ||
  gen_occur_post occur_predicate id c.c_post 

and occur_arrow id bl c = match bl with
  | [] -> 
      occur_type_c id c
  | (id', v) :: bl' -> 
      occur_type_v id v || (id <> id' && occur_arrow id bl' c)

let rec noPnamed = function
  | Pnamed(_, p) -> noPnamed p
  | p -> p

(* [quant_boolean_as_conj] checks whether p is either (if result ...)
   or (if result ... -> if result ...) i.e. if forall b. p(b) can be
   simplified into p(true) and p(false) *)
let quant_boolean_as_conj x p = 
  not fast_wp &&
  match noPnamed p with
    | Pif (Tvar id, _, _) -> id == x
    | Pimplies(_, p1, p2) ->
	begin
	  match noPnamed p1, noPnamed p2 with
	    | Pif (Tvar id1, _, _), Pif (Tvar id2, _, _) -> 
		id1 == x && id2 == x
	    | _ -> false
	end
    | _ -> false

(* [mk_bool_forall x p] simplifies (forall x. (if x then pt else pf) -> q)
   into q[x=true <- pt; x=false <- pf] when the only occurrences of x in p
   are x=true or x=false *)
let mk_bool_forall x p = match noPnamed p with
  | Pimplies (_, p1, q) -> begin match noPnamed p1 with
      | Pif (Tvar y, pt, pf) when y == x ->
	  let rec subst = function
	    | Papp (id, [Tvar y; c], _) as p when id == t_eq_bool && y == x ->
		begin match c with
		  | Tconst (ConstBool true) -> pt
		  | Tconst (ConstBool false) -> pf
		  | _ -> if occur_term x c then raise Exit; p
		end
	    | Papp (_, tl, _) as p ->
		if List.exists (occur_term x) tl then raise Exit; p
	    | Pif (t, _, _) when occur_term x t -> 
		raise Exit
	    | p ->
		map_predicate subst p
	  in
	  subst q
      | _ -> raise Exit 
    end
  | _ -> raise Exit

let mk_forall is_wp x v triggers p =
  let n = Ident.bound x in
  let s = subst_onev x n in
  let p = subst_in_predicate s p in
  let subst_in_pattern s = function
    | TPat t -> TPat (subst_in_term s t)
    | PPat p -> PPat (subst_in_predicate s p) in
  let triggers = List.map (List.map (subst_in_pattern s)) triggers in
  Forall (is_wp, x, n, mlize_type v, triggers, p)

let forall ?(is_wp=false) x v ?(triggers=[]) p = match v with
  (* particular case: $\forall b:bool. Q(b) = Q(true) and Q(false)$ *)
  | PureType PTbool when quant_boolean_as_conj x p ->
      let ptrue = tsubst_in_predicate (subst_one x ttrue) p in
      let pfalse = tsubst_in_predicate (subst_one x tfalse) p in
      Pand (true, true, simplify ptrue, simplify pfalse)
  | PureType PTbool ->
      (try mk_bool_forall x p with Exit -> mk_forall is_wp x v triggers p)
  | _ ->
      mk_forall is_wp x v triggers p

let pforall ?(is_wp=false) x v p =
  if p = Ptrue then Ptrue else forall ~is_wp x v p

let foralls ?(is_wp=false) =
  List.fold_right
    (fun (x,v) p -> if occur_predicate x p then forall ~is_wp x v p else p)

let foralls_many ?(is_wp=false) bl p =
  let l1,l2 = 
    List.fold_right 
      (fun ((x,_v) as xv) (l1,l2) ->
	if occur_predicate x p then 
	  let n = Ident.bound x in xv::l1, n::l2
	else
	  l1,l2)
      bl ([],[])
  in
  let s = subst_manyv (List.map fst l1) l2 in
  let p = subst_in_predicate s p in
  List.fold_right2 
    (fun (x,v) n p -> Forall (is_wp, x, n, mlize_type v, [], p))
    l1 l2 p

let exists x v p =
  let n = Ident.bound x in
  let p = subst_in_predicate (subst_onev x n) p in
  Exists (x, n, mlize_type v, p)

let pexists x v p = 
  if p = Ptrue then Ptrue else exists x v p

let plet x pt t p =
  let n = Ident.bound x in
  let s = subst_onev x n in
  (* warning: do not subst in t *)
  let p = subst_in_predicate s p in
  Plet (x, n, pt, t, p)

(* decomposing universal quantifiers, renaming variables on the fly *)

let decomp_forall ?(ids=Idset.empty) p = 
  let rec decomp bv = function
    | Forall (_,id,n,pt,_,p) ->
	decomp ((id,n,pt) :: bv) p
    | p ->
	let s,_,bv = 
	  List.fold_left 
	    (fun (s,ids,bv) (id,n,pt) -> 
	      let id' = next_away id ids in
	      let s = Idmap.add n id' s in
	      let ids = Idset.add id' ids in
	      s, ids, (id',pt) :: bv)
	    (Idmap.empty, Idset.union ids (predicate_vars p), []) bv
	in
	bv, subst_in_predicate s p
  in
  decomp [] p


(* misc. functions *)

let deref_type = function
  | Ref v -> v
  | _ -> invalid_arg "deref_type"

let dearray_type = function
  | PureType (PTexternal ([pt], id)) when id == Ident.farray -> pt
  | _ -> invalid_arg "dearray_type"

let decomp_type_c c = 
  ((c.c_result_name, c.c_result_type), c.c_effect, c.c_pre, c.c_post)

let decomp_kappa c = 
  ((c.t_result_name, c.t_result_type), c.t_effect, c.t_post)

(* dead code
let id_from_name = function Name id -> id | Anonymous -> (Ident.create "X")
*)

(* [decomp_boolean c] returns the specs R and S of a boolean expression *)

let equality t1 t2 = Papp (t_eq, [t1; t2], [])
let nequality t1 t2 = Papp (t_neq, [t1; t2], [])

let tequality v t1 t2 = match v with
  | PureType PTint -> Papp (t_eq_int, [t1; t2], [])
  | PureType PTbool -> Papp (t_eq_bool, [t1; t2], [])
  | PureType PTreal -> Papp (t_eq_real, [t1; t2], [])
  | PureType PTunit -> Papp (t_eq_unit, [t1; t2], [])
  | _ -> Papp (t_eq, [t1; t2], [])

let distinct tl = 
  let rec make acc = function
    | [] | [_] -> 
	acc
    | t :: tl -> 
	let p = List.fold_left (fun p t' -> pand (nequality t t') p) acc tl in
	make p tl
  in
  make Ptrue tl

let decomp_boolean ({ a_value = c }, _) =
  (* q -> if result then q(true) else q(false) *)
  let ctrue = tsubst_in_predicate (subst_one Ident.result ttrue) c in
  let cfalse = tsubst_in_predicate (subst_one Ident.result tfalse) c in
  simplify ctrue, simplify cfalse

(*s [make_access env id c] Access in array id.
    Constructs [t:(array s T)](access_g s T t c ?::(lt c s)). *)

(* dead code
let add_ctx_vars =
  List.fold_left 
    (fun acc -> function Svar (id,_) -> Idset.add id acc | _ -> acc)
*)












(**
   split : split predicate into a list of smaller predicates
   @param ctx : list of already split hypothesis (empty at first call)
   @param pol : polarity of the current predicate (1 at first call)
   @param matched : predicate to split
   @result l : l : list of split predicates 
**)
let rec split_one ctx pol = function
  | Pimplies (i, Por(h1,h2), c) when pol > 0-> (* split(h1 \/ h2 -> c) ~~~> split(h1->c) U split(h2->) *)
      let imp1=(split_one ctx pol (Pimplies (i, h1, c))) in 
      let imp2=(split_one imp1 pol (Pimplies (i, h2, c))) in 
      (*(List.append (List.append imp1 imp2) ctx)*)
      imp2
	
  | Pimplies (i, a, c) when pol > 0->          (* split( h -> c) ~~~> U_c':split(c) {h->c'}  *)
      let lc=split_one [] pol c in
      List.fold_left (fun ct c' -> Pimplies(i,a,c')::ct)  ctx lc
	
  | Pand (_,_, a, b) when pol > 0->            (* split(c1 /\ c2)  ~~~> split(c1) U split(c2)  *)
      let l1 = split_one ctx pol a in   
      (split_one l1 pol b)
	
  | Forall (a, id, n, t, b, c) when pol>0 ->   (* split(forall x.c)  ~~~>  U_c':split(c) {forall x.c'}   *)
      let lc'=split_one [] pol c in
      List.fold_left (fun ct c' -> Forall (a, id, n, t, b, c')::ct)  ctx lc'
	
  | Exists (a, b, t, c) when pol>0 ->          (* split(exists x.c)  ~~~> U_c':split-(c) {exists x.c'} *)
      let lc'=split_one [] (-pol) c in
      List.fold_left (fun ct c' -> Exists (a, b, t, c')::ct)  ctx lc'
	
  | Por (a, b) when pol < 0->                  (* split-(c1 \/ c2)  ~~~> split-(c1) U split-(c2)  *)
      let l1 = split_one ctx pol a in   
      (split_one l1 pol b)
	
  | c ->                                       (* split(c)  ~~~> {c}  *)
      c::ctx
	  

(**
   split : split each predicate of a list into a smaller predicates
   @param ctx : list of already split hypothesis
   @param pol : polarity of the current predicate
   @param matched : list of CC_context predicates to split
   @result l : l : list of split hypothesis 
**)
let rec split ctx my_fresh_hyp =
  function
    | [] -> ctx
    | Spred (_h,p):: l -> split (List.fold_left (fun lp p -> Spred(my_fresh_hyp (),p)::lp ) ctx (split_one [] 1 p)) my_fresh_hyp l
    | c :: l -> c :: (split (c::ctx) my_fresh_hyp l)



(**
   intro : split a predicate into a list of hypothesis and a goal
   @param ctx : empty list
   @param p : predicate to split
   @param my_fresh_hyp : function that provide a fresh name of variable
   @result (l,g) : l : list of hypothesis / g : goal
**)
let intros ctx p my_fresh_hyp split_res =   
  (**
     introb : split a predicate into a list of hypothesis and a goal
     @param ctx : list of already split hypothesis
     @param pol : polarity of the current predicate
     @param matched : predicate
     @result (l,g) : l : list of hypothesis / g : goal
  **)
  let rec introb ctx pol = function
    | Forall (_, id, n, t, _, p) when pol>0 ->
	let id' =  Ident.bound id  in
	let sp  =  Misc.subst_onev  n  id' in
	let pp  =  Misc.subst_in_predicate sp p in
	introb (Svar (id', t) :: ctx) pol pp
    | Pimplies (_, a, b) when pol > 0-> 
	let h = my_fresh_hyp () in
	let (l,p) = introb [] (-pol) a in 
	let l' =  Spred(h, p)::ctx in 
	introb (List.append l l') pol b
    | Pand (_,_, a, b) when pol < 0-> 
       let (l1,p1) = introb ctx pol a in
       let h1 = my_fresh_hyp () in
       let l' = Spred(h1, p1)::l1 in
       let (l2,p2) = introb l' pol b in
       l2, p2 
    | Pnamed (_, p) ->
	introb ctx pol p
    | c -> 
	 ctx, c 
  in 
  let l,g = introb ctx 1 p in 
  if split_res then
    (split [] my_fresh_hyp l ), g
  else
    List.rev l, g   



let array_info env id =
  let ty = type_in_env env id in
  let v = dearray_type ty in
  (*i let ty_elem = trad_ml_type_v ren env v in
  let ty_array = trad_imp_type ren env ty in i*)
  v

let make_raw_access env (id,id') c =
  let pt = array_info env id in
  Tapp (Ident.access, [Tvar id'; c], [pt])

let make_pre_access env id c =
  let pt = array_info env id in
  let c = unref_term c in
  Pand (false, true, 
	le_int (Tconst (ConstInt "0")) c, lt_int c (array_length id pt))
      
let make_raw_store env (id,id') c1 c2 =
  let pt = array_info env id in
  Tapp (Ident.store, [Tvar id'; c1; c2], [pt])

(*s to build AST *)

let make_lnode loc p env k = 
  { desc = p; 
    info = { t_loc = loc; t_env = env; t_label = label_name ();
	     t_userlabel = "";
	     t_result_name = k.c_result_name; t_result_type = k.c_result_type;
	     t_effect = k.c_effect; 
	     t_post = optpost_app (anonymous loc) k.c_post } }

let make_var loc x t env =
  make_lnode loc (Expression (Tvar x)) env (type_c_of_v t)

let make_expression loc e t env =
  make_lnode loc (Expression e) env (type_c_of_v t)
    
let make_annot_bool loc b env =
  let k = type_c_of_v (PureType PTbool) in
  let b = Tconst (ConstBool b) in
  let q = equality (Tvar result) b in
  make_lnode loc (Expression b) env { k with c_post = Some (q, []) }

let make_void loc env = 
  make_expression loc (Tconst ConstUnit) (PureType PTunit) env 

let make_raise loc x v env =
  let k = type_c_of_v v in
  let ef = Effect.add_exn exit_exn Effect.bottom in
  make_lnode loc (Raise (x, None)) env { k with c_effect = ef }

let change_desc p d = { p with desc = d }

let force_post env q e = match q with
  | None -> 
      e
  | Some c ->
      let c = force_post_loc e.info.t_loc c in
      let ids = post_refs env c in
      let ef = Effect.add_reads ids e.info.t_effect in
      let i = { e.info with t_post = Some c; t_effect = ef } in
      { e with info = i }

let post_named c = 
  { a_value = c; a_name = post_name (); 
    a_loc = Loc.dummy_position; a_proof = None }

let create_postval c = Some (post_named c)

let create_post c = Some (post_named c, [])

(*s For debugging purposes *)

open Ptree

let rec print_ptree fmt p = match p.pdesc with
  | Svar x -> Ident.print fmt x
  | Sderef x -> fprintf fmt "!%a" Ident.print x
  | Sseq (p1, p2) ->
      fprintf fmt "@[%a;@ %a@]" print_ptree p1 print_ptree p2
  | Sloop ( _, _, p2) ->
      fprintf fmt "loop@\n  @[%a@]@\ndone" print_ptree p2
  | Sif (p1, p2, p3) ->
      fprintf fmt "@[if %a then@ %a else@ %a@]" 
	print_ptree p1 print_ptree p2 print_ptree p3
  | Slazy_and (p1, p2) ->
      fprintf fmt "@[(%a &&@ %a)@]" print_ptree p1 print_ptree p2
  | Slazy_or (p1, p2) ->
      fprintf fmt "@[(%a ||@ %a)@]" print_ptree p1 print_ptree p2
  | Snot p1 ->
      fprintf fmt "@[(not %a)@]" print_ptree p1
  | Slam (_bl, _pre, p) ->
      fprintf fmt "@[fun <...> ->@ %a@]" print_ptree p
  | Sapp (p, a) ->
      fprintf fmt "(%a %a)" print_ptree p print_ptree a
  | Sletref (id, e1, e2) -> 
      fprintf fmt "@[let %a = ref %a in@ %a@]" 
	Ident.print id print_ptree e1 print_ptree e2
  | Sletin (id, e1, e2) ->
      fprintf fmt "@[let %a = %a in@ %a@]"
	Ident.print id print_ptree e1 print_ptree e2
  | Srec _ ->
      fprintf fmt ""
  | Sraise (x, None, _) -> 
      fprintf fmt "raise %a" Ident.print x
  | Sraise (x, Some e, _) -> 
      fprintf fmt "raise (%a %a)" Ident.print x print_ptree e
  | Stry (e, hl) ->
      fprintf fmt "@[try %a with@\n  @[%a@]@\nend@]" 
	print_ptree e (print_list newline print_phandler) hl
  | Sconst c -> print_term fmt (Tconst c)
  | Sabsurd _ -> fprintf fmt ""
  | Sany _ -> fprintf fmt ""
  | Spost (e,_q,Transparent) -> fprintf fmt "@[%a@ {...}@]" print_ptree e
  | Spost (e,_q,Opaque) -> fprintf fmt "@[%a@ {{...}}@]" print_ptree e
  | Sassert (`ASSERT,_p,e) -> fprintf fmt "@[{...}@ %a@]" print_ptree e
  | Sassert (`CHECK,_p,e) -> fprintf fmt "@[{{...}}@ %a@]" print_ptree e
  | Slabel (l,e) -> fprintf fmt "@[%s: %a@]" l print_ptree e

and print_phandler fmt = function
  | (x, None), e -> 
      fprintf fmt "| %a => %a" Ident.print x print_ptree e
  | (x, Some y), e -> 
      fprintf fmt "| %a %a => %a" Ident.print x Ident.print y print_ptree e

let print_external fmt b = if b then fprintf fmt "external "

let str_of_goal_kind = function
  | KAxiom -> "axiom"
  | KLemma -> "lemma"
  | KGoal -> "goal"

let print_decl fmt = function
  | Include (_,s) -> fprintf fmt "include \"%S\"" s 
  | Program (_,id, p) -> fprintf fmt "let %a = %a" Ident.print id print_ptree p
  | Parameter (_, e, _ids, _v) -> 
      fprintf fmt "%aparameter <...>" print_external e
  | Exception (_, id, _pto) -> fprintf fmt "exception %a <...>" Ident.print id
  | Logic (_, e, ids, _lt) -> 
      fprintf fmt "%alogic %a : <...>" print_external e 
	(print_list comma Ident.print) ids
  | Goal (_, k, id, _p) ->
      fprintf fmt "%s %a : <...>" (str_of_goal_kind k) Ident.print id
  | Predicate_def (_, id, _, _) ->
      fprintf fmt "predicate %a <...>" Ident.print id
  | Inductive_def (_, id, _, _) ->
      fprintf fmt "inductive %a <...>" Ident.print id
  | Function_def (_, id, _, _, _) ->
      fprintf fmt "function %a <...>" Ident.print id
  | TypeDecl (_, e, _, id) ->
      fprintf fmt "%atype %a" print_external e Ident.print id
  | AlgType ls ->
      List.iter (fun (_, _, id, _) ->
        fprintf fmt "type %a" Ident.print id) ls

let print_pfile = print_list newline print_decl


(*s explanation *)

let program_locs = Hashtbl.create 17

(* dead code
let read_in_file f l b e = 
  let ch = open_in f in
  for i = 2 to l do
    ignore (input_line ch)
  done;
  for i = 1 to b do
    ignore (input_char ch)
  done;
  let buf = Buffer.create 17 in
  for i = b to e-1 do
    Buffer.add_char buf (input_char ch)
  done;
  Buffer.contents buf
*) 

let loc_of_label n =
  let (f,l,b,e,_) = Hashtbl.find locs_table n in
  (f,l,b,e)
    
let reloc_xpl_term (loc,t) = 
  match t with
    | Tnamed(User n,_p) ->     
	begin
	  try loc_of_label n
	  with Not_found -> Loc.extract loc
	end
    | _ -> Loc.extract loc

let reloc_xpl (loc,p) = 
  match p with
    | Pnamed(User n,_p) -> 
	begin
	  try loc_of_label n
	  with Not_found -> Loc.extract loc
	end
    | _ -> Loc.extract loc

let dummy_reloc = Loc.dummy_floc

(* [cook_loop_invariant internal_lab userlab] checks whether the loop invariant
   labelled with [userlab] is associated to a formula in the locs file
   given on the command line. If yes, the formula is returned as a
   string, followed by the location in the source file where the loop
   is.
*)
let cook_loop_invariant _internal_lab (userlab : string option) p =
  match userlab with
    | None -> "", reloc_xpl p
    | Some lab ->
	try 
	  let (f,l,b,e,o) = Hashtbl.find locs_table lab in
	  try
	    let k = 
	      match List.assoc "formula" o with
		| Rc.RCident s | Rc.RCstring s -> s
		| _ -> raise Not_found		  
	    in
	    if debug then eprintf "Util: formula for '%s' is '%s'@." lab k;
	    k, (f,l,b,e)
	  with Not_found ->
	    if debug then eprintf "Util: cannot find a formula for '%s'@." lab;
	    "", (f,l,b,e)
	with Not_found -> 
	  if debug then eprintf "Util: cannot find a loc for '%s'@." lab;
	  "", reloc_xpl p

(* [cook_explanation userlab raw_exp] processes the raw explanation
   [raw_exp] for the formula labelled [userlab] generated by the WP
   calculus. 

   Location(s) of [raw_exp] refers to the Why file.  A better
   explanation is cooked, depending on the locs file given on the
   command line and the [userlab]: it is check
   whether this label is present in the locs file, and if it is the
   case, replaces the location in [raw_exp] by the location given
   there, and also if a precise kind of VC is given, produces a
   refined explanation.
*)
let cook_explanation (userlab : string option) e =
  let e,l, maylab =
    match e with
      | VCEexternal s -> EKOther s, dummy_reloc, None
      | VCEabsurd -> EKAbsurd, dummy_reloc, None
      | VCEassert (k,p) -> 
          (match k with 
            | `ASSERT -> EKAssert
            | `CHECK -> EKCheck), (reloc_xpl (List.hd p)), None
      | VCEpre(lab,loc,_p) -> 
	  begin
	    if debug then eprintf "Util.cook_explanation: label,loc for pre = %s,%a@." lab
	      Loc.gen_report_position loc;
	    try 
	      let (f,l,b,e,o) = Hashtbl.find locs_table lab in
	      try
		let k = 
		  match List.assoc "kind" o with
		    | Rc.RCident s | Rc.RCstring s -> s
		    | _ -> raise Not_found		  
		in
		if debug then eprintf "Util: kind for '%s' is '%s'@." lab k;
		EKPre k, (f,l,b,e), Some lab
	      with Not_found ->
		if debug then eprintf "Util: cannot find a kind for '%s'@." lab;
		EKPre "", (f,l,b,e), Some lab
	    with Not_found -> 
	      if debug then eprintf "Util: cannot find a loc for '%s'@." lab;
	      EKPre "", Loc.extract loc, Some lab
	  end

      | VCEpost p -> EKPost, (reloc_xpl p), None
      | VCEwfrel -> EKWfRel, dummy_reloc, None
      | VCEvardecr p -> EKVarDecr, (reloc_xpl_term p), None
      | VCEinvinit(internal_lab,p) -> 
	  let s,loc  = cook_loop_invariant internal_lab userlab p in
	  EKLoopInvInit s, loc, None
      | VCEinvpreserv(internal_lab,p) -> 
	  let s,loc  = cook_loop_invariant internal_lab userlab p in
	  EKLoopInvPreserv s, loc, None
  in
  let new_lab = if userlab = None then maylab else userlab in
  match e with
    | EKPre _ -> 
	(* for pre-conditions, we want to focus on the call, not an the formula to prove *)
	e,l, new_lab
    | _ -> e, 
	(match new_lab with
	  | None -> l
	  | Some lab -> 
	      try loc_of_label lab with Not_found -> 
		if debug then
		  eprintf "Warning: no loc found for user label %s@." lab;
		l),
         new_lab

    
let explanation_table = Hashtbl.create 97
let explanation_counter = ref 0

let reg_explanation e =
  incr explanation_counter;
  let id = !explanation_counter in
  if debug then Format.eprintf "registering internal explanation '%d'@." id;
  Hashtbl.add explanation_table id e;
  Internal id

(*
let print_loc_predicate fmt (loc,p) =
  match p with
    | Pnamed(User s,p) -> 
	begin
	  try 
	    let (f,l,b,e,o) = Hashtbl.find locs_table s in
	    let s = read_in_file f l b e in
	    fprintf fmt "(relocated from %a) %s"
	      Loc.gen_report_line (f,l,b,e) s 
	  with Not_found ->
	    fprintf fmt "(named %s) %a" s print_predicate p
	end
    | _ -> 
	fprintf fmt "(located %a) %a" 
	  Loc.gen_report_position loc print_predicate p
*)
  
let print_decl fmt = function
  | Dtype (_, s, _) ->
      fprintf fmt "type %s" (Ident.string s)
  | Dalgtype ls ->
      print_list newline (fun fmt (_, s, _) ->
        fprintf fmt "type %s" (Ident.string s)) fmt ls
  | Dlogic (_, _s, log_type_sch) -> 
      fprintf fmt "logic %a" print_logic_type log_type_sch.Env.scheme_type
  | Dpredicate_def (_, s, pred_def_sch) ->
      let (args, pred) = pred_def_sch.Env.scheme_type in
      fprintf fmt "defpred %s (%a) = %a" (Ident.string s)
	(print_list comma (fun fmt t -> print_pure_type fmt (snd t))) args
	print_predicate pred
  | Dinductive_def _ -> assert false (* TODO *)
  | Dfunction_def (_, s, fun_def_sch) ->
      let (args, rt, exp) = fun_def_sch.Env.scheme_type in
      fprintf fmt "deffun %s (%a) : %a = %a" (Ident.string s)
	(print_list comma (fun fmt t -> print_pure_type fmt (snd t))) args
	print_pure_type rt
	print_term exp
  | Daxiom (_, s, pred_sch) ->
      fprintf fmt "axiom %s : %a" s 
	print_predicate pred_sch.Env.scheme_type
  | Dgoal (_loc, is_lemma, expl, s, seq_sch) -> 
      let (cel, pred) = seq_sch.Env.scheme_type in
      fprintf fmt "%s %s (%a) : %a" 
	(if is_lemma then "lemma" else "goal") s
	(print_list comma 
	   (fun fmt t -> match t with 
	     Cc.Svar (id, pt) -> 
	       fprintf fmt "%a : %a" Ident.print id print_pure_type pt
	   | Cc.Spred (id, pred) -> 
	       fprintf fmt "%a <=> %a" Ident.print id print_predicate pred)) cel
	print_predicate pred;
      fprintf fmt "(* %a *)@\n" (fun fmt -> Explain.print fmt) ((*loc,*)expl)

(* debug *)

(**
let () = 
  Env.dump_type_var := 
    (fun v -> eprintf "@[type_var %d = %a@]@." v.tag print_pure_type (PTvar v))
**)
why-2.39/src/regen.mli0000644000106100004300000000755013147234006013632 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(* files partly edited and partly regenerated *)

open Format
open Cc
open Logic

type element_kind = 
  | Param
  | Oblig
  | Prog
  | Valid (* obsolete but helps porting from old versions *)
  | Lg
  | Ax
  | Pr
  | Ind
  | Fun
  | Ty

type element_id = element_kind * string

type element = 
  | Parameter of string * cc_type
  | Program of string * cc_type * cc_functional_program
  | Obligation of Loc.floc * bool * Logic_decl.vc_expl * string * sequent Env.scheme
  | Logic of string * logic_type Env.scheme
  | Axiom of string * predicate Env.scheme
  | Predicate of string * predicate_def Env.scheme
  | Inductive of string * inductive_def Env.scheme
  | Function of string * function_def Env.scheme
  | AbstractType of string * string list
  | AlgebraicType of (string * alg_type_def Env.scheme) list

module type S = sig
 
  (* how to print and reprint elements *)
  val print_element : formatter -> element -> unit
  val reprint_element : formatter -> element -> unit

  (* regexp to recognize obligations locations (as comments) *)
  val re_oblig_loc : Str.regexp

  (* what to print at the beginning of file when first created *)
  val first_time : formatter -> unit

  (* what to print at the end of file when first created *)
  val first_time_trailer : formatter -> unit

  (* how to recognize the end of an element to erase / overwrite *)
  val not_end_of_element : element_id -> string -> bool

end

module Make(X : S) : sig 

  val add_elem : element_id -> element -> unit

  val add_regexp : string -> element_kind -> unit

  val reset : unit -> unit

  val regen : string -> formatter -> unit

  val first_time : formatter -> unit

  val output_file : ?margin:int -> string -> unit

end

why-2.39/src/mizar.mli0000644000106100004300000000445613147234006013656 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

(*s Mizar output *)

val reset : unit -> unit
val push_decl : Logic_decl.t -> unit
val output_file : string -> unit
why-2.39/src/fastwp.ml0000644000106100004300000004500713147234006013664 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)





(* Fast weakest preconditions *)



open Ident
open Logic
open Types
open Effect
open Misc
open Util
open Ast
open Env

let idmap_union m1 m2 =
  Idmap.fold 
    (fun x2 v m1 -> 
      if Idmap.mem x2 m1 
      then begin assert (Idmap.find x2 m1 = v); m1 end
      else Idmap.add x2 v m1)
    m2 m1

module Subst = struct

  type t = { 
    current : Ident.t Idmap.t; (* current name for each variable *)
    sigma : Ident.t Idmap.t;   (* substitution for all variables *)
    types : pure_type Idmap.t; (* types, for quantifiers *)
    all_vars : Idset.t;        (* all names already used *)
  }

  let empty = 
    { current = Idmap.empty;
      sigma = Idmap.empty; 
      types = Idmap.empty; 
      all_vars = Idset.empty }

  let add x pt s = 
    { current = Idmap.add x x s.sigma;
      sigma = Idmap.add x x s.sigma;
      types = Idmap.add x pt s.types;
      all_vars = Idset.add x s.all_vars }

  let add_aux x pt s = 
    { s with
	types = Idmap.add x pt s.types;
	all_vars = Idset.add x s.all_vars }

  let frame env ef s =
    let r,w,_,_ = Effect.get_repr ef in
    List.fold_left 
      (fun s x -> 
	 try 
	   begin match Env.type_in_env env x with
	     | Ref pt -> add x pt s
	     | _ -> assert false end
	 with Not_found -> assert false) 
      s (r @ w)

  let find x s = Idmap.find x s.current

  let global_names = ref Idset.empty

  let next_away x s =
    let x' = next_away x (Idset.union !global_names s) in
    global_names := Idset.add x' !global_names;
    x'

  let fresh x s =
    assert (Idmap.mem x s.types);
    let x' = next_away x s.all_vars in
    x',
    { current = Idmap.add x x' s.current; 
      sigma = Idmap.add x x' s.sigma; 
      types = Idmap.add x' (Idmap.find x s.types) s.types;
      all_vars = Idset.add x' s.all_vars }

  let fresh_pure x pt s =
    let x' = next_away x s.all_vars in
    x',
    { current = Idmap.add x x' s.current; 
      sigma = Idmap.add x x' s.sigma;
      types = Idmap.add x' pt s.types;
      all_vars = Idset.add x' s.all_vars }

  let write x s = let _,s = fresh x s in s
  let writes = List.fold_right write

  let term s = Misc.subst_in_term s.sigma
  let predicate s = Misc.subst_in_predicate s.sigma

  (* we cross the label l => 
     the values at label l are mapped to the current values of references *)
  let label l s =
    { s with sigma =
	Idmap.fold 
	  (fun x x' m -> 
	     if not (is_at x) then Idmap.add (at_id x l) x' m else m)
	  s.current s.sigma }

(* dead code
  let add_vars s1 s2 =
    { s1 with 
	types = idmap_union s1.types s2.types;
	all_vars = Idset.union s1.all_vars s2.all_vars } 
*)

(* debug 

  open Format
  let print fmt s =
    let print_map fmt m = 
      Idmap.iter 
	(fun x x' -> fprintf fmt "(%a->%a)" Ident.lprint x Ident.lprint x') m
    in
    let print_keys fmt m =
      Idmap.iter 
	(fun x _ -> fprintf fmt "(%a)" Ident.lprint x) m
    in
    fprintf fmt "@[current=%a,@ sigma=%a,@ types=%a@]" 
      print_map s.current print_map s.sigma print_keys s.types
*)

end
open Subst

let all_quantifiers ((_,s),ee) =
  let s =
    List.fold_left (fun s (_,(_,sx)) -> idmap_union s sx.types) s.types ee 
  in
  let l = Idmap.fold (fun x pt acc -> (x, PureType pt) :: acc) s [] in
  List.rev l

let merge s1 s2 =
  (* d = { x | s1(x) <> s2(x) } *)
  let d = 
    Idmap.fold 
      (fun x x1 d ->
	 try 
	   let x2 = Subst.find x s2 in if x1 != x2 then Idset.add x d else d
	 with Not_found -> 
	   d)
      s1.current Idset.empty
  in
  let s12 = 
    { s1 with 
      types = idmap_union s1.types s2.types;
      all_vars = Idset.union s1.all_vars s2.all_vars } 
  in
  Idset.fold 
    (fun x (s',r1,r2) -> 
       let x',s' = Subst.fresh x s' in
       let ty = PureType (Idmap.find x s'.types) in
       s', 
       wpand r1 (tequality ty (Tvar x') (Tvar (Subst.find x s1))),
       wpand r2 (tequality ty (Tvar x') (Tvar (Subst.find x s2))))
    d (s12, Ptrue, Ptrue)

let wpforall = pforall ~is_wp:true
let wpforalls = foralls_many ~is_wp:true

let ssubst_in_predicate s p = simplify (tsubst_in_predicate s p)

(* dead code
let norm (p,_) = p
*)
let exn x pl s = try List.assoc x pl with Not_found -> Pfalse, s
let exns e ee = List.map (fun x -> x, ee x) (get_exns e.info.t_effect)

let with_exception_type e v f x = match find_exception e, v with
  | None, None -> x
  | Some pt, Some v -> f v pt x
  | _ -> assert false

(* INPUT
   - e : program
   - s : Subst.t
   OUTPUT
   - ok : predicate = correctness of e
   - (n,el) : predicate * (Ident.t * predicate) list, such that
     * if e terminates normally then n holds
     * if e raises exception E then List.assoc E el holds
   - s' : Subst.t
*)

let rec wp e s = 
  let _,(_,ee) as r = wp0 e.info e s in
  assert (List.length ee = List.length (get_exns e.info.t_effect));
  r

and wp0 info e s =
  (*Format.eprintf "@[wp avec %a@]@." Subst.print s;*)
  let v = result_type e in
  match e.desc with
  | Expression t ->
      (* OK: true
	 NE: result=t *)
      let t = Subst.term s (unref_term t) in
      let p = match e.info.t_result_type with
	| PureType PTunit -> Ptrue
	| _ -> tequality v tresult t
      in
      Ptrue, ((p, s), [])
  | If (e1, e2, e3) ->
      (* OK: ok(e1) /\ (ne(e1,true) => ok(e2)) /\ (ne(e1,false) => ok(e3))
	 NE: (ne(e1,true) /\ ne(e2,result)) \/ (ne(e1,false) /\ ne(e3,result)) 
      *)
      let ok1,((ne1,s1),ee1) = wp e1 s in
      let ok2,((ne2,s2),ee2) = wp e2 s1 in
      let ok3,((ne3,s3),ee3) = wp e3 s1 in
      let ne1true = ssubst_in_predicate (subst_one result ttrue) ne1 in
      let ne1false = ssubst_in_predicate (subst_one result tfalse) ne1 in
      let ok = wpands [ok1; wpimplies ne1true ok2; wpimplies ne1false ok3] in
      let ne = 
	let s',r2,r3 = merge s2 s3 in
	por (wpands [ne1true; ne2; r2]) (wpands [ne1false; ne3; r3]), s'
      in
      let ee x = 
	let ee2,s2 = exn x ee2 s1 and ee3,s3 = exn x ee3 s1 in
	let s23,r2,r3 = merge s2 s3 in
	let ee1,s1 = exn x ee1 s in
	let s',q1,q23 = merge s1 s23 in
	pors [wpand ee1 q1; 
	      wpands [ne1true;ee2;r2;q23]; 
	      wpands [ne1false;ee3;r3;q23]], s'
      in
      ok, (ne, exns e ee)
  | Seq (e1, e2) ->
      (* OK: ok(e1) /\ (ne(e1,void) => ok(e2))
	 NE: ne(e1,void) /\ ne(e2,result) *)
      let ok1,((ne1,s1),ee1) = wp e1 s in
      let ok2,((ne2,s2),ee2) = wp e2 s1 in
      let ne1void = tsubst_in_predicate (subst_one result tvoid) ne1 in
      let ok = wpand ok1 (wpimplies ne1void ok2) in
      let ne = wpand ne1void ne2 in
      let ee x = 
	let ee1,sx1 = exn x ee1 s and ee2,sx2 = exn x ee2 s1 in
	let s',r1,r2 = merge sx1 sx2 in
	por (wpand ee1 r1) (wpands [ne1void; ee2; r2]), s'
      in
      ok, ((ne, s2), exns e ee)
  | LetIn (x, e1, e2) ->
      let ok1,((ne1,s1),ee1) = wp e1 s in
      let x',s1 = match e1.info.t_result_type with
	| PureType pt -> Subst.fresh_pure x pt s1 
	| _ -> x, s1
      in
      let ok2,((ne2,s2),ee2) = wp e2 s1 in
      begin match e1.info.t_result_type with
	| PureType _pt ->
	    let ne1x = subst_in_predicate (subst_onev result x') ne1 in
	    let subst = subst_in_predicate (subst_onev x x') in
	    let ok = wpand ok1 (wpimplies ne1x (subst ok2)) in
	    let ne = wpand ne1x (subst ne2) in
	    let ee x =
	      let ee1,sx1 = exn x ee1 s and ee2,sx2 = exn x ee2 s1 in
	      let s',r1,r2 = merge sx1 sx2 in
	      por (wpand ee1 r1) (wpands [ne1x; ee2; r2]), s'
	    in
	    ok, ((ne, s2), exns e ee)
	| Arrow _ ->
	    assert (not (occur_predicate result ne1));
	    assert (not (occur_predicate x ne2));
	    let ok = wpand ok1 (wpimplies ne1 ok2) in (* ok1 /\ ok2 ? *)
	    let ne = wpand ne1 ne2 in
	    let ee x =
	      let ee1,sx1 = exn x ee1 s and ee2,sx2 = exn x ee2 s1 in
	      let s',r1,r2 = merge sx1 sx2 in
	      por (wpand ee1 r1) (wpands [ne1; ee2; r2]), s'
	    in
	    ok, ((ne, s2), exns e ee)
	| Ref _ -> 
	    assert false
      end
  | LetRef (x, e1, e2) ->
      begin match e1.info.t_result_type with
	| PureType pt ->
	    let ok1,((ne1,s1),ee1) = wp e1 s in
	    let s1 = Subst.add x pt s1 in
	    let ok2,((ne2,s2),ee2) = wp e2 s1 in
	    let ne1x = subst_in_predicate (subst_onev result x) ne1 in
	    let ok = wpand ok1 ((*wpforall x ty1*) (wpimplies ne1x ok2)) in
	    let ne = (*exists x ty1*) (wpand ne1x ne2) in
	    let ee x =
	      let ee1,sx1 = exn x ee1 s and ee2,sx2 = exn x ee2 s1 in
	      let s',r1,r2 = merge sx1 sx2 in
	      por (wpand ee1 r1) (wpands [ne1x; ee2; r2]), s'
	    in
	    let s2 = Subst.add_aux x pt s2 in
	    ok, ((ne, s2), exns e ee)
	| Arrow _ | Ref _ -> 
	    assert false
      end
  | Assertion (k, al, e1) ->
      (* OK: al /\ ok(e1)
	 NE: al /\ ne(e1, result) *)
      let ok, ((ne1, s'), ee1) = wp e1 s in
      let pl = List.map (fun a -> subst_in_predicate s.sigma a.a_value) al in
      let ee x = let ee, sx = exn x ee1 s in wpands (pl @ [ee]), sx in
      (* wpands (pl@[ok]), ((wpands (pl@[ne1]), s'), exns e ee) *)
      let expl =  
	match k with
	 | `ABSURD ->
	    Cc.VCEabsurd
	 | #Cc.assert_kind as k -> (* ASSERT and CHECK *)
	    Cc.VCEassert (k, List.map (fun a -> (a.a_loc, a.a_value)) al) 
	 | `PRE ->
	    let lab = info.t_userlabel in
	    let loc = info.t_loc in
	    Cc.VCEpre (lab, loc, List.map (fun a -> (a.a_loc, a.a_value)) al)
      in
      let id = reg_explanation expl in
      Pnamed (id, wpands (pl@[ok])), ((wpands (pl@[ne1]), s'), exns e ee)
  | Post (e1, q, _) ->
      (* TODO: what to do with the transparency here? *)
      let lab = e1.info.t_label in
      let s = Subst.label lab s in
      let ok, ((ne1, s'), ee1) = wp e1 s in
      let q, ql = post_app (asst_app (change_label "" lab)) q in
      let q = 
        let id = reg_explanation (Cc.VCEpost (q.a_loc, q.a_value)) in
        { q with a_value = Pnamed (id, q.a_value) } 
      in
      let ql = 
        List.map
          (fun (x, q) ->
	     let id = reg_explanation (Cc.VCEpost (q.a_loc, q.a_value)) in
             x, { q with a_value = Pnamed (id, q.a_value) })
	  ql
      in
      let subst p s = subst_in_predicate s.sigma p.a_value in
      let q = subst q s' in
      let ql = List.map2 (fun (_, (_,sx)) (x, qx) -> x, subst qx sx) ee1 ql in
      let post_exn (x, (ex, _)) (x', qx) =
	assert (x = x'); 
	let p = wpimplies ex qx in
	match find_exception x with
	  | Some pt -> wpforall result (PureType pt) p
	  | None -> p
      in
      let ok = 
	wpands 
	  (ok :: 
	     wpforall result e1.info.t_result_type (wpimplies ne1 q) ::
	     List.map2 post_exn ee1 ql)
      in
      let ne = wpand ne1 q, s' in
      let ee x = let ee, sx = exn x ee1 s in wpand ee (List.assoc x ql), sx in
      ok, (ne, exns e ee)
  | Label (l, e) ->
      wp e (Subst.label l s)
  | Var _ -> 
      (* this must be an impure function, thus OK = NE = true *)
      Ptrue, ((Ptrue, s), [])
  | Absurd -> 
      (* OK = NE = false *)
      Pfalse, ((Pfalse, s), [])
  | Loop (inv, var, e1) ->
      (* OK: I /\ forall w. (I => (ok(e1) /\ (ne(e1,void) => I /\ var 
             let lab = info.t_userlabel in
	     let id = reg_explanation (Cc.VCEinvinit (lab, (inv.a_loc, inv.a_value))) in
	     { inv with a_value = Pnamed (id, inv.a_value) })
          inv
      in
      let inv2 = 
        option_app
	  (fun inv -> 
             let lab = info.t_userlabel in
	     let id = reg_explanation (Cc.VCEinvpreserv (lab, (inv.a_loc, inv.a_value))) in
	     { inv with a_value = Pnamed (id, inv.a_value) })
          inv
      in
      let subst_inv inv s = match inv with
	| None -> Ptrue
	| Some { a_value = i } -> Subst.predicate s i
      in
      let i0 = subst_inv inv1 s0 in 
      let i1 = subst_inv inv2 s0 in 
      let decphi = match var with
	| None -> Ptrue
	| Some (loc, phi, _, r) -> 
	    let id = reg_explanation (Cc.VCEvardecr (loc, phi)) in
	    Pnamed (id, Papp (r, [Subst.term s1 phi; Subst.term s0 phi], []))
      in
      let ok = 
	wpands
	  [Wp.well_founded_rel var;
	   subst_inv inv1 s;
	   wpimplies i1 
	     (wpand ok1 (wpimplies ne1void (wpand (subst_inv inv2 s1) decphi)))]
      in
      let ee x =
	let ee,sx = exn x ee1 s0 in wpand i0 ee, sx
      in
      ok, ((Pfalse, s1), exns e ee)
  | Raise (id, None) -> 
      (* OK: true  
	 N : false  
	 E : true *)
      Ptrue, ((Pfalse, s), [id, (Ptrue, s)])
  | Raise (id, Some e1) -> 
      (* OK: ok(e1)
	 N : false
	 E : ne(e1) \/ E(e1) if E=id, E(e1) otherwise *)
      let ok1,((ne1,s1),ee1) = wp e1 s in
      let ee x = 
	if x == id then
	  try let ee1,sx = List.assoc x ee1 in por ne1 ee1, sx
	  with Not_found -> ne1, s1
	else
	  try List.assoc x ee1 with Not_found -> assert false
      in
      ok1, ((Pfalse, s1), exns e ee)
  | Try (e1, hl) ->
      let ok1,((ne1,s1),ee1) = wp e1 s in
      let hl = 
	List.map 
	  (fun ((x,v),ei) -> let _,sx = exn x ee1 s in ((x,v), wp ei sx))
	  hl 
      in
      let bind_result v p = match v with
	| None -> p
	| Some x -> subst_in_predicate (subst_onev result x) p
      in
      let handler_ok ((x,v), (oki,_)) = 
	let e1x,_ = exn x ee1 s in 
	let e1x = bind_result v e1x in
	let p = wpimplies e1x oki in
	with_exception_type x v (fun v pt -> wpforall v (PureType pt)) p
      in
      let ok = wpands (ok1 :: List.map handler_ok hl) in
      let ne =
	List.fold_left
	  (fun (ne,s) ((x,v), (_,((nei,si),_))) ->
	    let e1x,_ = exn x ee1 s in 
	    let e1x = bind_result v e1x in
	    let si = with_exception_type x v Subst.add_aux si in
	    let s',r1,r2 = merge s si in
	    por (wpand ne r1) (wpands [e1x; nei; r2]), s')
	  (ne1,s1) hl
      in
      let ee x = 
	let eex,sx =
	  if List.exists (fun ((xi,_),_) -> x == xi) hl then
 	    Pfalse, s
	  else
 	    exn x ee1 s
	in
	List.fold_left
	  (fun (nex,sx) ((xi,vi),(_,(_,eei))) ->
	    let e1xi,sxi = exn xi ee1 s in
	    let eeix,sxi = exn x eei sxi in
	    let eeix = bind_result vi eeix in
	    let sxi = with_exception_type xi vi Subst.add_aux sxi in
	    let sx,r1,r2 = merge sx sxi in
	    por (wpand nex r1) (wpands [e1xi; eeix; r2]), sx)
	  (eex, sx) hl
      in
      ok, (ne, exns e ee)
  | Lam (bl, pl, e) ->
      (* OK: forall bl. pl => ok(e)
	 NE: forall bl. pl /\ ne(e, result) *)
      let s = Subst.frame e.info.t_env e.info.t_effect s in
      let ok,r = wp e s in
      let qr = all_quantifiers r in
      let pl = List.map (fun a -> subst_in_predicate s.sigma a.a_value) pl in
      let q = List.filter (function (_,PureType _) -> true | _ -> false) bl in
      wpforalls (q @ qr) (wpimplies (wpands pl) ok),
      ((Ptrue, s), [])
  | Rec (_f, bl, _v, var, pl, e) ->
      (* OK: well_founded(R) /\ forall bl. pl => ok(e)
	 NE: forall bl. pl /\ ne(e, result) *)
      let wfr = Wp.well_founded_rel var in
      let s = Subst.frame e.info.t_env e.info.t_effect s in
      let ok,r = wp e s in
      let qr = all_quantifiers r in
      let pl = List.map (fun a -> subst_in_predicate s.sigma a.a_value) pl in
      let q = List.filter (function (_,PureType _) -> true | _ -> false) bl in
      pand wfr (wpforalls (q @ qr) (wpimplies (wpands pl) ok)),
      ((Ptrue, s), [])
  | AppRef (e1, _, k) 
  | AppTerm (e1, _, k) ->
      let lab = e1.info.t_label in
      let s = Subst.label lab s in
      let q = optpost_app (asst_app (change_label "" lab)) k.t_post in
      let ok,(((ne,s'),ee) as nee) = wp e1 s in
      assert (not (occur_predicate result ne));
      let wr s = Subst.writes (Effect.get_writes k.t_effect) s in
      let nee = match q with
	| Some (q', qe) -> 
	    (let s' = wr s' in
	     wpand ne (Subst.predicate s' q'.a_value), s'),
	    (let ee x = 
	       let q' = List.assoc x qe in
	       let ee,s' = exn x ee s in
	       let s' = wr s' in
	       por ee (wpand ne (Subst.predicate s' q'.a_value)), s'
	     in
	     exns e ee)
	| None -> 
	    nee
      in
      ok, nee
  | Any k ->
      let lab = e.info.t_label in
      let s = Subst.label lab s in
      let q = optpost_app (post_named e.info.t_loc) k.c_post in
      let q = optpost_app (asst_app (change_label "" lab)) q in
      let s' = Subst.writes (Effect.get_writes k.c_effect) s in
      let nee = match q with
	| Some (q', qe) -> 
	    (Subst.predicate s' q'.a_value, s'),
	    (let ee x = 
	       let q' = List.assoc x qe in
	       Subst.predicate s' q'.a_value, s'
	     in
	     exns e ee)
	| None -> 
	    let ee _x = Ptrue, s' in
	    (Ptrue, s'), exns e ee
      in
      Ptrue, nee

let wp e =
  let s = Subst.frame e.info.t_env e.info.t_effect Subst.empty in
  let ok, _ = wp e s in
  ok

(*
 Local Variables: 
 compile-command: "unset LANG; make -C .. byte"
 End: 
*)
why-2.39/src/wp.mli0000644000106100004300000000466113147234006013160 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(*s Weakest preconditions *)

open Env

val wp : typed_expr -> typed_expr * Ast.assertion option

(**
val wp : typed_expr -> Ast.assertion option * (Cc.proof_term -> typed_expr)
***)

val well_founded_rel : Ast.variant option -> Logic.predicate
why-2.39/src/why.ml0000644000106100004300000000452713147234006013171 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

open Format
open Main

let _ =
  try
    main ()
  with e ->
    Report.explain_exception err_formatter e;
    pp_print_newline err_formatter ();
    exit 1
why-2.39/src/monomorph.mli0000644000106100004300000000517713147234006014553 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(* make a monorphic output for provers not supporting polymorphism
   (e.g. PVS or CVC Lite) *)

(* input... *)

val push_decl : Logic_decl.t -> unit

val add_external : Ident.t -> unit

(* ...and output *)

val iter : (Logic_decl.t -> unit) -> unit

val reset : unit -> unit

(* [symbol id i] prints the instance [i] of symbol [id] using the same 
   conventions as in the monomorphization process *)

val symbol : Ident.t * Logic.instance -> string
why-2.39/src/ident.ml0000644000106100004300000002650513147234006013465 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



type t = { stamp : int; name : string; label : string option; fresh_from : (string * t list) option }

let hashcons = 
  let h = Hashtbl.create 97 in
  fun id -> try Hashtbl.find h id with Not_found -> Hashtbl.add h id id; id 

let create ?from s = hashcons { stamp = 0; name = s; label = None; fresh_from = from }
let string s = s.name
let fresh_from s = s.fresh_from

let completeString s = s.name^"_"^(string_of_int s.stamp)  

module I = struct type t_ = t type t = t_ let compare = compare end

module Idset = Set.Make(I)
type set = Idset.t

module Idmap = Map.Make(I)
type 'a map = 'a Idmap.t

let is_index s = 
  let n = String.length s in
  (n > 0) && (match s.[n-1] with '0'..'9' -> true | _ -> false)

let rec next id n s =
  let id' = create (id ^ string_of_int n) in
  if Idset.mem id' s then
    next id (succ n) s
  else
    id'

let next_away id s = 
  if id.name <> "_" && Idset.mem id s then 
    let id0 = id.name in
    let id0 = if is_index id0 then id0 ^ "_" else id0 in
    next id0 0 s 
  else 
    id

let print fmt s = Format.fprintf fmt "%s" s.name

let lprint fmt s = match s.label with
  | None -> Format.fprintf fmt "%s" s.name
  | Some l -> Format.fprintf fmt "%s@@%s" s.name l

let dbprint fmt s = Format.fprintf fmt "%a#%d" lprint s s.stamp

(*s Possibly anonymous names *)

type name = Anonymous | Name of t

let print_name fmt = function
  | Name id -> print fmt id
  | Anonymous -> Format.fprintf fmt "_"

(*s Labelled identifiers. *)

let at_id id d = hashcons { id with label = Some d }

let is_at id = id.label <> None

let un_at = function
  | { label = Some d } as id -> hashcons { id with label = None }, d
  | _ -> invalid_arg "Ident.un_at"

(*s Bound variables. *)

let bound =
  let n = ref 0 in
  fun s -> incr n; hashcons { s with stamp = !n }

(*s Exceptions names and constructors *)

let exn_type = create "EM"
let exn_val = create "Val"
let exn_exn = create "Exn"
let exn_post = create "qcomb"
let exn_qval = create "Qval"
let exn_qexn = create "Qexn"
let exist = create "exist"
let decomp n = create ("decomp" ^ string_of_int n)

let exit_exn = create "Exit"

(*s Non termination monad. *)

let non_termination_monad = create "nt_m"
let nt_unit : t = create "nt_unit"
let nt_bind : t = create "nt_bind"
let nt_fix : t = create "nt_fix"
let nt_lift : t = create "nt_lift"

(*s Identifiers for the functional validation. *)

let fun_id x = create (string x ^ "_fun")

(*s Identifiers for algebraic-typed term matching *)

let match_id x = create (string x ^ "_match")
let proj_id x i = create (string x ^ "_proj_" ^ string_of_int i)

(*s Pre-defined. *)

let t_bool_and = create "bool_and"
let t_bool_or = create "bool_or"
let t_bool_xor = create "bool_xor"
let t_bool_not = create "bool_not"

let anonymous = create "_"
let implicit = create "?"
let default_post = create "%default_post"

let t_add = create "%add"
let t_sub = create "%sub"
let t_mul = create "%mul"
let t_div = create "%div"
let t_neg = create "%neg"

let t_add_int = create "add_int"
let t_sub_int = create "sub_int"
let t_mul_int = create "mul_int"
(*
let t_div_int = create "div_int"
let t_mod_int = create "mod_int"
*)
let t_neg_int = create "neg_int"
let t_abs_int = create "abs_int"

let t_add_real = create "add_real"
let t_sub_real = create "sub_real"
let t_mul_real = create "mul_real"
let t_div_real = create "div_real"
let t_neg_real = create "neg_real"
let t_abs_real = create "abs_real"
let t_pow_real = create "pow_real"
let t_sqrt_real = create "sqrt_real"

let t_cos = create "cos"
let t_sin = create "sin"
let t_tan = create "tan"
let t_atan = create "atan"

let t_int_max = create "int_max"
let t_int_min = create "int_min"
let t_real_max = create "real_max"
let t_real_min = create "real_min"

let t_real_of_int = create "real_of_int"
let t_int_of_real = create "int_of_real"

let t_div_real_ = create "div_real_"
(*
let t_div_int_ = create "div_int_"
let t_mod_int_ = create "mod_int_"
*)
let t_sqrt_real_ = create "sqrt_real_"

let t_distinct = create "distinct"

let t_lt = create "%lt"
let t_le = create "%le"
let t_gt = create "%gt"
let t_ge = create "%ge"
let t_eq = create "%eq"
let t_neq = create "%neq"

let t_eq_int = create "eq_int"
let t_eq_bool = create "eq_bool"
let t_eq_real = create "eq_real"
let t_eq_unit = create "eq_unit"

let t_neq_int = create "neq_int"
let t_neq_bool = create "neq_bool"
let t_neq_real = create "neq_real"
let t_neq_unit = create "neq_unit"

let t_lt_int = create "lt_int"
let t_le_int = create "le_int"
let t_gt_int = create "gt_int"
let t_ge_int = create "ge_int"

let t_lt_real = create "lt_real"
let t_le_real = create "le_real"
let t_gt_real = create "gt_real"
let t_ge_real = create "ge_real"

let t_eq_int_ = create "eq_int_"
let t_eq_bool_ = create "eq_bool_"
let t_eq_real_ = create "eq_real_"
let t_eq_unit_ = create "eq_unit_"

let t_neq_int_ = create "neq_int_"
let t_neq_bool_ = create "neq_bool_"
let t_neq_real_ = create "neq_real_"
let t_neq_unit_ = create "neq_unit_"

let t_lt_int_ = create "lt_int_"
let t_le_int_ = create "le_int_"
let t_gt_int_ = create "gt_int_"
let t_ge_int_ = create "ge_int_"

let t_lt_int_bool = create "lt_int_bool"
let t_le_int_bool = create "le_int_bool"
let t_gt_int_bool = create "gt_int_bool"
let t_ge_int_bool = create "ge_int_bool"

let t_lt_real_ = create "lt_real_"
let t_le_real_ = create "le_real_"
let t_gt_real_ = create "gt_real_"
let t_ge_real_ = create "ge_real_"

let t_lt_real_bool = create "lt_real_bool"
let t_le_real_bool = create "le_real_bool"
let t_gt_real_bool = create "gt_real_bool"
let t_ge_real_bool = create "ge_real_bool"

let t_eq_int_bool = create "t_eq_int_bool"
let t_eq_real_bool = create "t_eq_real_bool"
let t_neq_int_bool = create "t_neq_int_bool"
let t_neq_real_bool = create "t_neq_real_bool"

let t_zwf_zero = create "zwf_zero"
let result = create "result"
let default = create "H"
let farray = create "farray"
let array_length = create "array_length"
let ref_set = create "ref_set"
let array_get = create "array_get"
let array_set = create "array_set"
let access = create "access"
let store = create "store"
let annot_bool = create "annot_bool"
let well_founded = create "well_founded"
let well_founded_induction = create "well_founded_induction"
let if_then_else = create "ite"
let false_rec = create "False_rec"
let wfix = create "wfix"

let any_int = create "why_any_int"
let any_unit = create "why_any_unit"
let any_real = create "why_any_real"

(*s tests *)

let is_wp id =
  String.length id.name >= 2 && id.name.[0] == 'W' && id.name.[1] == 'P'

let is_variant id =
  String.length id.name >= 7 && String.sub id.name 0 7 = "Variant"

let is_comparison id = 
  id == t_lt || id == t_le || id == t_gt || id == t_ge || 
  id == t_eq || id == t_neq 

let is_poly id =
  is_comparison id || 
  id == t_add || id == t_sub || id == t_mul || id == t_div || id == t_neg

let is_int_comparison id =
  id == t_eq_int || id == t_neq_int ||
  id == t_lt_int || id == t_le_int || id == t_gt_int || id == t_ge_int 

let is_int_comparison_ id =
  id == t_eq_int_ || id == t_neq_int_ ||
  id == t_lt_int_ || id == t_le_int_ || id == t_gt_int_ || id == t_ge_int_ 

let is_real_comparison id = 
  id == t_eq_real || id == t_neq_real ||
  id == t_lt_real || id == t_le_real || id == t_gt_real || id == t_ge_real 

let is_real_comparison_ id = 
  id == t_eq_real_ || id == t_neq_real_ ||
  id == t_lt_real_ || id == t_le_real_ || id == t_gt_real_ || id == t_ge_real_ 

let is_bool_comparison id = id == t_eq_bool || id == t_neq_bool
let is_bool_comparison_ id = id == t_eq_bool_ || id == t_neq_bool_

let is_unit_comparison id = id == t_eq_unit || id == t_neq_unit
let is_unit_comparison_ id = id == t_eq_unit_ || id == t_neq_unit_

let is_eq id = 
  id == t_eq || 
  id == t_eq_int || id == t_eq_real || id == t_eq_bool || id == t_eq_unit

let is_eq_ id = 
  id == t_eq_int_ || id == t_eq_real_ || id == t_eq_bool_ || id == t_eq_unit_

let is_neq id = 
  id == t_neq || id == t_neq_int || id == t_neq_real || 
  id == t_neq_bool || id == t_neq_unit

let is_neq_ id = 
  id == t_neq_int_ || id == t_neq_real_ || 
  id == t_neq_bool_ || id == t_neq_unit_

let is_relation id = 
  is_comparison id || is_int_comparison id || is_real_comparison id ||
  is_bool_comparison id || is_unit_comparison id

let is_relation_ id = 
  is_comparison id || is_int_comparison_ id || is_real_comparison_ id ||
  is_bool_comparison_ id || is_unit_comparison_ id

let is_int_arith_binop id =
  id == t_add_int || id == t_sub_int || id == t_mul_int 
(* disabled (confusion math_div / computer_div
  || id == t_div_int || id == t_mod_int
*)

let is_real_arith_binop id =
  id == t_add_real || id == t_sub_real || id == t_mul_real || 
  id == t_div_real 

let is_arith_binop id =
  is_int_arith_binop id || is_real_arith_binop id

let is_int_arith_unop id = 
  id == t_neg_int

let is_real_arith_unop id =
  id == t_neg_real || id == t_sqrt_real

let is_int_arith id = 
  is_int_arith_binop id || is_int_arith_unop id

let is_real_arith id =
  is_real_arith_binop id || is_real_arith_unop id

let is_arith id =
  is_int_arith id || is_real_arith id || id == t_real_of_int

let is_simplify_arith id =
  is_int_arith id || id == t_lt_int || id == t_le_int || id == t_gt_int || id == t_ge_int

let strict_bool_and_ = create "strict_bool_and_"
let strict_bool_or_ = create "strict_bool_or_"
let bool_not_ = create "bool_not_"

why-2.39/src/mlize.ml0000644000106100004300000002064413147234006013500 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(*s Translation of imperative programs into functional ones. *)

open Ident
open Logic
open Misc
open Types
open Ast
open Cc
open Util
open Rename
open Env

module Make (Monad : MonadSig.S) =
struct

  open Monad

  let new_label info = { info with t_label = label_name () }
    
  let make_info info k = 
    { info with t_label = label_name (); 
	t_post = k.t_post; t_effect = k.t_effect }

      (*s [ren] is the current renamings of variables,
	[e] is the imperative program to translate, annotated with type+effects.
	We return the translated program in type [predicate cc_term] *)

  let rec trad e =
    cross_label e.info.t_label (trad_desc e.info e.desc)

  and trad_desc info d ren = match d with
    | Expression t ->
	Monad.unit info (Value (unref_term t)) ren

    | Var id ->
	assert (not (is_reference info.t_env id));
	if is_rec id then
	  find_rec id ren 
	else
	  CC_var id

    | If (e1, e2, e3) ->
	trad_conditional info 
	  e1.info (trad e1) e2.info (trad e2) e3.info (trad e3) 
	  ren

    | LetIn (x, e1, e2) ->
	let info1 = { e1.info with t_result_name = x } in
	  Monad.compose info1 (trad e1) info
	    (fun v1 ren' ->
	       let te2 = 
		 Monad.compose e2.info (trad e2) info
		   (fun v2 -> Monad.unit info (Value (Tvar v2))) ren' 
	       in
		 if v1 <> x then
		   let ty1 = trad_type_v ren info.t_env (result_type e1) in
		     CC_letin (false, [x, CC_var_binder ty1], CC_var v1, te2)
		 else
		   te2)
	    ren

    | Seq (e1, e2) ->
	Monad.compose e1.info (trad e1) info
	  (fun _ ren' ->
	     Monad.compose e2.info (trad e2) info
	       (fun v2 -> Monad.unit info (Value (Tvar v2))) ren')
	  ren

    | LetRef (x, e1, e2) ->
	let info1 = { e1.info with t_result_name = x } in
	  Monad.compose info1 (trad e1) info
	    (fun v1 ren' ->
	       let t1 = trad_type_v ren info.t_env (result_type e1) in
	       let ren'' = next ren' [x] in
	       let x' = current_var ren'' x in
		 CC_letin (false, [x', CC_var_binder t1], CC_var v1, 
			   Monad.compose e2.info (trad e2) info
			     (fun v2 -> Monad.unit info (Value (Tvar v2))) ren''))
	    ren

    | AppTerm (e1, t, kapp) ->
	let infoapp = make_info info kapp in
	  Monad.compose e1.info (trad e1) info
	    (fun v1 -> 
	       Monad.apply 
		 infoapp (fun ren -> 
			    let t = apply_term ren info.t_env (unref_term t) in
			      CC_app (CC_var v1, CC_term t)) 
		 info (fun v -> Monad.unit info (Value (Tvar v))))
	    ren

    | AppRef (e1, _, kapp) ->
	let infoapp = make_info info kapp in
	  Monad.compose e1.info (trad e1) info
	    (fun v1 -> 
	       Monad.apply infoapp (fun _ -> CC_var v1) info
		 (fun v -> Monad.unit info (Value (Tvar v))))
	    ren

    | Lam (bl, p, e) ->
	let bl',env' = trad_binders ren info.t_env bl in
	let ren' = initial_renaming env' in
	let te = trans (p,e) ren' in
	  cc_lam bl' te

    | Loop (_, None, _) ->
	assert false

    | Loop (inv, Some var, e) ->
	let p = match inv with Some a -> [a] | None -> [] in
	let infoc = new_label info in
	  Monad.wfrec var p info
	    (fun w -> Monad.compose e.info (trad e) infoc (fun _ -> w))
	    ren

    | Rec (_, _, _, None, _, _) ->
	assert false

    | Rec (f, bl, _v, Some var, p, e) -> 
	let bl',env' = trad_binders ren info.t_env bl in
	let ren' = push_date (initial_renaming env') e.info.t_label in
	let recf w ren = cc_lam bl' (abstraction e.info p w ren) in
	  cc_lam bl' 
	    (abstraction e.info p
	       (Monad.wfrec_with_binders bl' var p e.info
		  (fun w -> with_rec f (recf w) (trad e)))
	       ren')

    | Raise (id, None) ->
	Monad.exn info id None ren

    | Raise (id, Some e) ->
	Monad.compose e.info (trad e) info
	  (fun v -> Monad.exn info id (Some (Tvar v))) 
	  ren

    | Try (e, hl) ->
	let handler ((x,a) as p, h) =
	  let hi = 
	    Monad.compose h.info (trad h) info 
	      (fun v -> Monad.unit info (Value (Tvar v)))
	  in
	    p, (fun res ren -> match a with
		  | None -> 
		      hi ren
		  | Some a ->
		      let ta = exn_arg_type x in
			CC_letin (false, [a, CC_var_binder ta], CC_var res, hi ren))
	in
	  Monad.handle e.info (trad e) info (List.map handler hl) ren

    | Assertion (_k, al, e) ->
	insert_many_pre info.t_env al (trad e) ren

    | Ast.Absurd ->
	let v = info.t_result_type in
	let ainfo = 
	  { info with 
	      t_label = label_name (); t_result_type = v; t_post = None }
	in
	let tv = trad_type_v ren info.t_env v in
	  Monad.compose ainfo 
	    (fun _ -> cc_applist (cc_var false_rec) 
	       [CC_type tv; CC_hole (info.t_loc, Pfalse)])
	    info (fun v -> Monad.unit info (Value (Tvar v)))
	    ren

	    (**
	       | Any c when info.obligations = [] && info.kappa = c ->
	       CC_any (Monad.trad_type_c ren info.env c)
	    **)

    | Any c ->
	let info_c = 
	  Typing.typing_info_of_type_c info.t_loc info.t_env info.t_label c 
	in
	  Monad.compose 
	    info_c (fun ren -> CC_any (Monad.trad_type_c ren info.t_env c)) 
	    info (fun v -> Monad.unit info (Value (Tvar v)))
	    ren

    | Label (s, e) ->
	cross_label s (trad e) ren

    | Post (e, _q, _) ->
	(* TODO *)
	trad e ren 

  and trad_binders ren env = function
    | [] -> 
	[], env
    | (id, (Ref _ as v)) :: bl ->
	trad_binders ren (Env.add id v env) bl
    | (id, v) :: bl ->
	let tt =  trad_type_v ren env v in
	let env' = Env.add id v env in
	let bl',env'' = trad_binders ren env' bl in
	  (id, CC_var_binder tt) :: bl', env''

	    (* to be used for both [if] and [while] *)
  and trad_conditional info info1 te1 info2 te2 info3 te3 =
    Monad.compose info1 te1 info
      (fun resb ren' -> 
	 let q1 = 
	   option_app (a_apply_post info1.t_label ren' info.t_env) info1.t_post
	 in
	 let branch infob eb tb = 
	   (***
	       let info = { info with loc = infob.loc;
	       kappa = force_type_c_loc infob.loc info.kappa } in
           ***)
	   let t = 
	     Monad.compose infob eb info
	       (fun r -> Monad.unit info (Value (Tvar r))) ren'
	   in
	     match q1 with
	       | Some (q,_) -> 
		   let n = if is_wp q.a_name then q.a_name else test_name () in
		   let q = tsubst_in_predicate (subst_one result tb) q.a_value in
		     CC_lam ((n, CC_pred_binder (simplify q)), t)
	       | None -> 
		   t
	 in
	   CC_if (CC_var resb,  
		  branch info2 te2 ttrue, branch info3 te3 tfalse))

  and trans (p,e) =
    cross_label e.info.t_label (abstraction e.info p (trad e))

end

module MLwithLogicTerms = Make (Monad)

let trad = MLwithLogicTerms.trad


why-2.39/src/isabelle.ml0000644000106100004300000005023413147234006014136 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

(*s Isabelle/HOL output *)

open Ident
open Misc
open Logic
open Logic_decl
open Format
open Cc
open Pp

let is_isabelle_keyword =
  let ht = Hashtbl.create 300  in
  List.iter (fun kw -> Hashtbl.add ht kw ()) 
    ["also"; "apply"; "apply_end"; "arities"; "assume"; "automaton";
    "ax_specification"; "axclass"; "axioms"; "back"; "by"; "cannot_undo";
    "case"; "cd"; "chapter"; "classes"; "classrel"; "clear_undos"; 
    "code_library"; "code_module"; "coinductive"; "commit"; "constdefs";
    "consts"; "consts_code"; "context"; "corollary"; "cpodef"; "datatype";
    "declare"; "def"; "defaultsort"; "defer"; "defer_recdef"; "defs"; 
     "disable_pr"; "display_drafts"; "domain"; "done"; "enable_pr"; 
    "end"; "exit"; "extract"; "extract_type"; "finalconsts"; "finally"; 
    "find_theorems"; "fix"; "fixpat"; "fixrec"; "from"; "full_prf";
    "global"; "have"; "header"; "hence"; "hide"; "inductive"; "inductive_cases";
    "init_toplevel"; "instance"; "interpret"; "interpretation"; "judgment"; 
    "kill"; "kill_thy"; "lemma"; "lemmas"; "let"; "local"; "locale"; 
    "method_setup"; "moreover"; "next"; "no_syntax"; "nonterminals"; "note";
    "obtain"; "oops"; "oracle"; "parse_ast_translation"; "parse_translation";
    "pcpodef"; "pr"; "prefer"; "presume"; "pretty_setmargin"; "prf"; "primrec";
    "print_antiquotations"; "print_ast_translation"; "print_attributes";
    "print_binds"; "print_cases"; "print_claset"; "print_commands"; 
    "print_context"; "print_drafts"; "print_facts"; "print_induct_rules";
    "print_interps"; "print_locale"; "print_locales"; "print_methods";
    "print_rules"; "print_simpset"; "print_syntax"; "print_theorems"; 
    "print_theory"; "print_trans_rules"; "print_translation"; "proof";
    "prop"; "pwd"; "qed"; "quickcheck"; "quickcheck_params"; "quit"; 
    "realizability"; "realizers"; "recdef"; "recdef_tc"; "record"; "redo";
    "refute"; "refute_params"; "remove_thy"; "rep_datatype"; "sect";
    "section"; "setup"; "show"; "sorry"; "specification"; "subsect";
    "subsection"; "subsubsect"; "subsubsection"; "syntax"; "term"; "text";
    "text_raw"; "then"; "theorem"; "theorems"; "theory"; "thm"; "thm_deps";
    "thus"; "token_translation"; "touch_all_thys"; "touch_child_thys";
    "touch_thy"; "translations"; "txt"; "txt_raw"; "typ"; 
    "typed_print_translation";  "typedecl"; "typedef"; "types"; "types_code";
    "ultimately"; "undo"; "undos_proof"; "update_thy"; "update_thy_only"; 
    "use"; "use_thy"; "use_thy_only"; "using"; "value"; "welcome"; "with";
    "actions"; "advanced"; "and"; "assumes"; "attach"; "begin"; "binder";
    "compose"; "concl"; "congs"; "constrains"; "contains"; "defines"; 
    "distinct"; "file"; "files"; "fixes"; "hide_action"; "hints"; 
    "imports"; "in"; "includes"; "induction"; "infix"; "infixl"; "infixr";
    "initially"; "inject"; "inputs"; "internals"; "intros"; "is"; "lazy";
    "monos"; "morphisms"; "notes"; "open"; "output"; "outputs"; "overloaded";
    "permissive"; "post"; "pre"; "rename"; "restrict"; "shows"; "signature";
    "states"; "structure"; "to"; "transitions"; "transrel"; "uses"; "where"];
  Hashtbl.mem ht

let rename s = if is_isabelle_keyword s then "why__" ^ s else s
let idents fmt s = fprintf fmt "%s" (rename s)
let ident fmt id = fprintf fmt "%s" (rename (Ident.string id))

(*s Pretty print *)

let rec print_pure_type fmt = function
  | PTint -> fprintf fmt "int"
  | PTbool -> fprintf fmt "bool"
  | PTunit -> fprintf fmt "unit"
  | PTreal -> fprintf fmt "real"
  | PTexternal ([v], id) when id == farray -> 
      fprintf fmt "(%a list)" print_pure_type v (* TODO *)
  | PTexternal([],id) -> ident fmt id
  | PTexternal([t],id) -> 
      fprintf fmt "(%a %a)"
      print_pure_type t
      ident id 
  | PTexternal(l,id) -> 
      fprintf fmt "((@[%a@]) %a)"
      (print_list comma print_pure_type) l
      ident id
  | PTvar { type_val = Some t} -> 
      fprintf fmt "%a" print_pure_type t      
  | PTvar v -> fprintf fmt "'a%d" v.tag

let prefix_id id =
  (* int cmp *)
  if id == t_lt_int then "(op <)" 
  else if id == t_le_int then "(op <=)"
  else if id == t_gt_int then "(%x y. y < x)"
  else if id == t_ge_int then "(%x y. y <= x)"
  else if id == t_eq_int then "(op =)"
  else if id == t_neq_int then "(%x y. x ~= y)"
  (* real cmp *)
  else if id == t_lt_real then "(op <)" 
  else if id == t_le_real then "(op <=)"
  else if id == t_gt_real then "(%x y. y < x)"
  else if id == t_ge_real then "(%x y. y <= x)"
  else if id == t_eq_real then "(op =)"
  else if id == t_neq_real then "(%x y. x ~= y)"
  (* bool cmp *)
  else if id == t_eq_bool then "(op =)"
  else if id == t_neq_bool then "(%x y. x ~= y)"
  (* unit cmp *)
  else if id == t_eq_unit then "(op =)"
  else if id == t_neq_unit then "(%x y. x ~= y)"
  (* int ops *)
  else if id == t_add_int then "(op +)"
  else if id == t_sub_int then "(op -)"
  else if id == t_mul_int then "(op *)"
(*
  else if id == t_div_int then "(op div)"
  else if id == t_mod_int then "(op mod)"
*)
  else if id == t_neg_int then "(%x. - x)"
  (* real ops *)
  else if id == t_add_real then "(op +)"
  else if id == t_sub_real then "(op -)"
  else if id == t_mul_real then "(op *)"
  else if id == t_div_real then "(op /)"
  else if id == t_neg_real then "(%x. - x)"
  else if id == t_sqrt_real then assert false (* TODO *)
  else if id == t_real_of_int then "real"
  else if id == t_int_of_real then assert false (* TODO *)
  else assert false

let rec print_term fmt = function
  | Tvar id -> 
      ident fmt id
  | Tconst (ConstInt n) -> 
      fprintf fmt "(%s::int)" n
  | Tconst (ConstBool true) -> 
      fprintf fmt "True" 
  | Tconst (ConstBool false) -> 
      fprintf fmt "False" 
  | Tconst ConstUnit -> 
      fprintf fmt "()" 
  | Tconst (ConstFloat c) ->
      Print_real.print_with_integers
	"(real (%s::int))" 
	"(real (%s::int * %s))"
	"(real (%s::int) / real (%s::int))" 
	fmt c
  | Tderef _ -> 
      assert false
  (* arithmetic *)
  | Tapp (id, [a; b], _) when id == t_add_int || id == t_add_real ->
      fprintf fmt "(@[%a +@ %a@])" print_term a print_term b
  | Tapp (id, [a; b], _ ) when id == t_sub_int || id == t_sub_real ->
      fprintf fmt "(@[%a -@ %a@])" print_term a print_term b
  | Tapp (id, [a; b], _) when id == t_mul_int || id == t_mul_real ->
      fprintf fmt "(@[%a *@ %a@])" print_term a print_term b
  | Tapp (id, [a; b], _) when id == t_div_real ->
      fprintf fmt "(@[%a /@ %a@])" print_term a print_term b
(*
  | Tapp (id, [a; b], _) when id == t_mod_int ->
      fprintf fmt "(@[%a mod@ %a@])" print_term a print_term b
  | Tapp (id, [a; b], _) when id == t_div_int ->
      fprintf fmt "(@[%a div@ %a@])" print_term a print_term b
*)
  | Tapp (id, [a], _) when id == t_neg_int || id == t_neg_real ->
      fprintf fmt "(@[-%a@])" print_term a
  | Tapp (id, [a; b; c], _) when id == if_then_else -> 
      fprintf fmt "(@[if %a@ then %a@ else %a@])" 
	print_term a print_term b print_term c
  | Tapp (id, tl, _) when is_relation id || is_arith id -> 
      fprintf fmt "(@[%s %a@])" (prefix_id id) print_terms tl
  (* arrays *)
  | Tapp (id, [a; b], _) when id == access ->
      fprintf fmt "(@[%a !(nat %a) @])" print_term a print_term b
  | Tapp (id, [a], _) when id == Ident.array_length ->
      fprintf fmt "(@[int (length %a)@])" print_term a
  (* any other application *)
  | Tapp (id, tl, _) ->
      fprintf fmt "@[(%a@ %a)@]" 
	ident id (print_list space print_term) tl
  | Tnamed (User n, t) ->
      fprintf fmt "@[(* %s: *)@ %a@]" (String.escaped n) print_term t
  | Tnamed (_, t) -> print_term fmt t

and print_terms fmt tl = 
  print_list space print_term fmt tl

let rec print_predicate fmt = function
  | Ptrue ->
      fprintf fmt "True"
  | Pvar id when id == Ident.default_post ->
      fprintf fmt "True"
  | Pfalse ->
      fprintf fmt "False"
  | Pvar id -> 
      fprintf fmt "%a" ident id
  | Papp (id, tl, _) when id == t_distinct ->
      fprintf fmt "@[(%a)@]" print_predicate (Util.distinct tl)
  | Papp (id, [a; b], _) when is_eq id ->
      fprintf fmt "(@[%a =@ %a@])" print_term a print_term b
  | Papp (id, [a; b], _) when is_neq id ->
      fprintf fmt "(@[%a ~=@ %a@])" print_term a print_term b
  | Papp (id, [a; b], _) when id == t_lt_int || id == t_lt_real ->
      fprintf fmt "(@[%a <@ %a@])" print_term a print_term b
  | Papp (id, [a; b], _) when id == t_le_int || id == t_le_real ->
      fprintf fmt "(@[%a <=@ %a@])" print_term a print_term b
  | Papp (id, [a; b], _) when id == t_gt_int || id == t_gt_real ->
      fprintf fmt "(@[%a <@ %a@])" print_term b print_term a
  | Papp (id, [a; b], _) when id == t_ge_int || id == t_ge_real ->
      fprintf fmt "(@[%a <=@ %a@])" print_term b print_term a
  | Papp (id, [a; b], _) when id == t_zwf_zero ->
      fprintf fmt "(@[(0 <= %a) &@ (%a < %a)@])" 
	print_term b print_term a print_term b
  | Papp (id, tl, _) when is_relation id || is_arith id ->
      fprintf fmt "(@[%s %a@])" (prefix_id id) print_terms tl
  | Papp (id, tl, _) -> 
      fprintf fmt "(@[%a@ %a@])" ident id print_terms tl
  | Pimplies (_, a, b) ->
      fprintf fmt "(@[%a -->@ %a@])" print_predicate a print_predicate b
  | Piff (a, b) ->
      fprintf fmt "(@[%a =@ %a@])" 
	print_predicate a print_predicate b
  | Pif (a, b, c) ->
      fprintf fmt "(@[if %a@ then %a@ else %a@])" 
	print_term a print_predicate b print_predicate c
  | Pand (_, _, a, b) | Forallb (_, a, b) ->
      fprintf fmt "(@[%a &@ %a@])" print_predicate a print_predicate b
  | Por (a, b) ->
      fprintf fmt "(@[%a |@ %a@])" print_predicate a print_predicate b
  | Pnot a ->
      fprintf fmt "~%a" print_predicate a
  | Forall (_,id,n,t,_,p) -> 
      let id' = next_away id (predicate_vars p) in
      let p' = subst_in_predicate (subst_onev n id') p in
      fprintf fmt "(@[!%a::%a.@ %a@])" ident id'
	print_pure_type t print_predicate p'
  | Exists (id,n,t,p) -> 
      let id' = next_away id (predicate_vars p) in
      let p' = subst_in_predicate (subst_onev n id') p in
      fprintf fmt "(@[? %a::%a.@ %a@])" ident id'
	print_pure_type t print_predicate p'
  | Pnamed (User n, p) ->
      fprintf fmt "@[(* %s: *)@ %a@]" (String.escaped n) print_predicate p
  | Pnamed (_, p) -> print_predicate fmt p
  | Plet (_, n, _, t, p) ->
      print_predicate fmt (subst_term_in_predicate n t p)
  
let print_sequent fmt (hyps,concl) =
  let rec print_seq fmt = function
    | [] ->
	fprintf fmt "shows \"@[%a@]\"@\n" print_predicate concl
    | Svar (id, v) :: hyps -> 
	fprintf fmt "fixes %a::\"%a\"@\n" ident id print_pure_type v;
	print_seq fmt hyps
    | Spred (id, p) :: hyps -> 
	fprintf fmt "assumes %a: \"@[%a@]\"@\n" ident id print_predicate p;
	print_seq fmt hyps
  in
  fprintf fmt "@[%a@]@?" print_seq hyps

let print_predicate_scheme fmt p =
  let (_l,p) = Env.specialize_predicate p in
  print_predicate fmt p

let print_logic_type fmt s = 
  let (_l,t) = Env.specialize_logic_type s in
  match t with
  | Logic.Function ([], t) ->
      print_pure_type fmt t
  | Logic.Function (pl, t) ->
      fprintf fmt "[@[%a@]] => %a" 
	(print_list comma print_pure_type) pl print_pure_type t
  | Logic.Predicate [] ->
      fprintf fmt "bool"
  | Logic.Predicate pl ->
      fprintf fmt "[@[%a@]] => bool" (print_list comma print_pure_type) pl

let reprint_logic fmt id t =
  fprintf fmt 
    "@[(*Why logic*) consts %a ::@ @[\"%a\"@]@];@\n" 
    idents id print_logic_type t

let print_logic fmt id t = reprint_logic fmt id t

let reprint_axiom fmt id p =
  fprintf fmt "@[(*Why axiom*) axioms %a:@ \"%a\";@]@\n" idents id print_predicate_scheme p

let print_axiom fmt id p = 
  reprint_axiom fmt id p

let reprint_obligation fmt loc _is_lemma _expl id s =
  fprintf fmt "@[(* %a *)@]@\n" (Loc.report_obligation_position ~onlybasename:true) loc;
  fprintf fmt "@[(*Why goal*) lemma %a:@\n%a;@]@\n" idents id print_sequent s
(*;
  fprintf fmt "@[(* %a *)@]@\n" Util.print_explanation expl
*)

let print_obligation fmt loc is_lemma expl id s = 
  reprint_obligation fmt loc is_lemma expl id s;
  fprintf fmt "(* FILL PROOF HERE *)@\n@\n"

let reprint_predicate fmt id p =
  let (_l,(bl,p)) = Env.specialize_predicate_def p in
  let print_binder_type fmt (_x,pt) = 
      fprintf fmt "%a" print_pure_type pt in
  let print_binder fmt (x,_pt) = 
      fprintf fmt "%a" ident x in
  fprintf fmt
     "@[(*Why predicate*) constdefs %a :: @[\"[@[%a@]] => bool\"@]@]@\n" 
    idents id 
    (print_list comma print_binder_type) bl;
  fprintf fmt
     "@[     \"%a == @[%%@[%a@]. @[%a@]@]\"@];@\n" 
    idents id 
    (print_list space print_binder) bl
    print_predicate p 

let print_predicate fmt id p = reprint_predicate fmt id p

let reprint_function fmt id p =
  let (_l,(bl,t,e)) = Env.specialize_function_def p in
  let print_binder_type fmt (_x,pt) = 
      fprintf fmt "%a" print_pure_type pt in
  let print_binder fmt (x,_pt) = 
      fprintf fmt "%a" ident x in
  fprintf fmt
     "@[(*Why function*) constdefs %a :: @[\"[%a] => %a\"@]@]@\n" 
    idents id 
    (print_list comma print_binder_type) bl print_pure_type t;
  fprintf fmt
     "@[    \"%a ==@ %%%a. @[%a@]\"@];@\n" 
    idents id 
    (print_list space print_binder) bl
    print_term e 

let print_function fmt id p = reprint_function fmt id p

let type_parameters fmt l = 
  let one fmt x = fprintf fmt "'%s " x in
  match l with
    | [] -> ()
    | [x] -> one fmt x
    | l -> fprintf fmt "(%a) " (print_list comma one) l

let reprint_type fmt id vl =
  fprintf fmt "@[(*Why type*) typedecl %a%a;@]@\n"
    type_parameters vl idents id

let print_type fmt id vl = reprint_type fmt id vl

let print_alg_type_parameters fmt = function
  | [] -> ()
  | [id] -> fprintf fmt "%a " print_pure_type id
  | l -> fprintf fmt "(%a) " (print_list comma print_pure_type) l

let print_alg_type_constructor fmt (c,pl) =
  match pl with
  | [] -> fprintf fmt "%a" idents (Ident.string c)
  | _  -> fprintf fmt "%a @[%a@]" idents (Ident.string c)
            (print_list space print_pure_type) pl

let reprint_alg_type_single fmt (id,d) =
  let _,(vs,cs) = Env.specialize_alg_type d in
  let newline fmt () = fprintf fmt "@\n| " in
  fprintf fmt "@[%a%a@] =@\n  @[  %a@]"
    print_alg_type_parameters vs idents id
    (print_list newline print_alg_type_constructor) cs

let reprint_alg_type fmt ls =
  let andsep fmt () = fprintf fmt "@\n and " in
  fprintf fmt "@[(*Why type*) datatype %a;@]@\n"
    (print_list andsep reprint_alg_type_single) ls

let print_alg_type fmt ls = reprint_alg_type fmt ls

let theory_name = ref ""

open Regen

module Gen = Regen.Make(
struct

  let print_element fmt e = 
    begin match e with
      | Parameter _-> assert false
      | Program _ -> assert false
      | Obligation (loc, is_lemma, expl, id, s) -> 
	  print_obligation fmt loc is_lemma expl id s.Env.scheme_type
      | Logic (id, t) -> print_logic fmt id t
      | Axiom (id, p) -> print_axiom fmt id p
      | Predicate (id, p) -> print_predicate fmt id p
      | Inductive(_id, _p) -> assert false
      | Function (id, f) -> print_function fmt id f
      | AbstractType (id, vl) -> print_type fmt id vl
      | AlgebraicType ls -> print_alg_type fmt ls
    end;
    fprintf fmt "@\n"
      
  let reprint_element fmt = function
    | Parameter _ -> assert false
    | Program _ -> assert false
    | Obligation (loc, is_lemma, expl, id, s) -> 
	reprint_obligation fmt loc is_lemma expl id s.Env.scheme_type
    | Logic (id, t) -> reprint_logic fmt id t
    | Axiom (id, p) -> reprint_axiom fmt id p
    | Predicate (id, p) -> reprint_predicate fmt id p
    | Inductive(_id, _p) -> assert false
    | Function (id, f) -> reprint_function fmt id f
    | AbstractType (id, vl) -> reprint_type fmt id vl
    | AlgebraicType ls -> reprint_alg_type fmt ls

  let re_oblig_loc = Str.regexp "(\\* Why obligation from .*\\*)"

  let first_time fmt =
    fprintf fmt "\
@\n(* This file was originally generated by why.\
@\n   It can be modified; only the generated parts will be overwritten. *)@\n\
@\ntheory %s@\nimports %s@\nbegin@\n@\n" (!theory_name) Options.isabelle_base_theory

  let first_time_trailer fmt = fprintf fmt "end@\n"

  let not_end_of_element _ s =
    let n = String.length s in n = 0 || s.[n-1] <> ';'

end)


let reset = Gen.reset

let push_decl = function
  | Dgoal (loc,is_lemma,expl,l,s) ->
      Gen.add_elem (Oblig, l) (Obligation (loc,is_lemma,expl,l,s))
  | Dlogic (_, id, t) ->
      let id = Ident.string id in
      Gen.add_elem (Lg, rename id) (Logic (id, t))
  | Daxiom (_, id, p) -> Gen.add_elem (Ax, rename id) (Axiom (id, p))
  | Dpredicate_def (_, id, p) -> 
      let id = Ident.string id in
      Gen.add_elem (Pr, rename id) (Predicate (id, p))
  | Dinductive_def(_loc, _ident, _inddef) ->
      failwith "Isabelle output: inductive def not yet supported"
  | Dfunction_def (_, id, p) -> 
      let id = Ident.string id in
      Gen.add_elem (Fun, rename id) (Function (id, p))
  | Dtype (_, id, vl) ->
      let id = Ident.string id in
      Gen.add_elem (Ty, rename id) (AbstractType (id, vl))
  | Dalgtype ls ->
      let id = match ls with (_,id,_)::_ -> id | _ -> assert false in
      let at = List.map (fun (_,id,d) -> (Ident.string id,d)) ls in
      Gen.add_elem (Ty, rename (Ident.string id)) (AlgebraicType at)

let _ = 
  Gen.add_regexp 
    "lemma[ ]+\\(.*_po_[0-9]+\\)[ ]*:[ ]*" Oblig;
  Gen.add_regexp 
    "(\\*Why goal\\*) lemma[ ]+\\([^ ]*\\)[ ]*:[ ]*" Oblig;
  Gen.add_regexp 
    "(\\*Why\\*) consts[ ]+\\([^ ]*\\)[ ]*::[ ]*" Param;
  Gen.add_regexp 
    "(\\*Why axiom\\*) axioms[ ]+\\([^ ]*\\):[ ]*" Ax;
  Gen.add_regexp 
    "(\\*Why logic\\*) consts[ ]+\\([^ ]*\\)[ ]*::[ ]*" Lg;
  Gen.add_regexp 
    "(\\*Why predicate\\*) constdefs[ ]+\\([^ ]*\\)[ ]*::[ ]*" Pr;
  Gen.add_regexp 
    "(\\*Why function\\*) constdefs[ ]+\\([^ ]*\\)[ ]*::[ ]*" Fun;
  Gen.add_regexp
    "(\\*Why type\\*) datatype[ ]+\\([^ ]*\\) =" Ty;
  Gen.add_regexp
    "(\\*Why type\\*) datatype[ ]+[^ ]*[ ]+\\([^ ]*\\) =" Ty;
  Gen.add_regexp
    "(\\*Why type\\*) datatype[ ]+(.*)[ ]+\\([^ ]*\\) =" Ty;
  Gen.add_regexp 
    "(\\*Why type\\*) typedecl[ ]+\\([^ ]*\\);" Ty;
  Gen.add_regexp 
    "(\\*Why type\\*) typedecl[ ]+[^ ]*[ ]+\\([^ ]*\\);" Ty;
  Gen.add_regexp 
    "(\\*Why type\\*) typedecl[ ]+(.*)[ ]+\\([^ ]*\\);" Ty

let output_file fwe =
  let f = fwe ^ "_why.thy" in
  theory_name := Filename.basename fwe ^ "_why";
  Gen.output_file f
why-2.39/src/loc.mli0000644000106100004300000000611213147234006013300 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



open Format

(*s Line number for an absolute position *)

val report_line : formatter -> Lexing.position -> unit

(* Lexing positions *)

type position = Lexing.position * Lexing.position

exception Located of position * exn

val string : position -> string
val parse : string -> position

val dummy_position : position

type floc = string * int * int * int

val dummy_floc : floc

val extract :  position -> floc
val gen_report_line : formatter -> floc -> unit
val gen_report_position : formatter -> position -> unit
val report_position : formatter -> position -> unit
val report_obligation_position : ?onlybasename:bool -> formatter -> floc -> unit


(* for both type [t] and [position] *)

val join : 'a * 'b -> 'a * 'b -> 'a * 'b

val current_offset : int ref
val reloc : Lexing.position -> Lexing.position

(* Identifiers localization *)

val add_ident : string -> floc -> unit
val ident : string -> floc
why-2.39/src/linenum.mli0000644000106100004300000000453413147234006014200 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(* [from_char f n] gives the actual source file, line number, position of the
   beginning of the line. *)

val from_char : string -> int -> string * int * int
why-2.39/src/env.mli0000644000106100004300000001724413147234006013323 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(*s Environment for imperative programs.
 
   Here we manage the global environment, which is imperative,
   and we provide a functional local environment. 
  
   The most important functions, [is_in_env], [type_in_env] and [fold_all]
   first look in the local environment then in the global one. *)

open Cc
open Logic
open Types
open Ast

module StringMap : Map.S with type key = string
module StringSet : Set.S with type elt = string

(*s type schemes *)

module Vset : Set.S with type elt = type_var
module Vmap : Map.S with type key = type_var

type 'a scheme = private { scheme_vars : Vset.t; scheme_type : 'a }
val empty_scheme : 'a -> 'a scheme

(*s AST for typed programs are decorated with local environments *)

type local_env

type typing_info = { 
  t_loc : Loc.position;
  t_env : local_env;
  t_label : label;
  mutable t_userlabel : label;
  t_result_name : Ident.t;
  t_result_type : type_v;
  t_effect : Effect.t;
  t_post : postcondition option 
}
  
type typed_expr = typing_info Ast.t

(*s global environment *)

val add_global : Ident.t -> type_v -> typed_expr option -> unit
val add_global_gen : Ident.t -> type_v scheme -> typed_expr option -> unit
val is_global : Ident.t -> bool
val iter_global : (Ident.t * Types.type_v scheme -> unit) -> unit
val lookup_global : Ident.t -> type_v

(*s types (only global) *)

val add_type : Loc.position -> Ident.t list -> Ident.t -> unit
val is_type : Ident.t -> bool
val type_arity : Ident.t -> int

val iter_type : (Ident.t -> int -> unit) -> unit
val fold_type : (Ident.t -> int -> 'a -> 'a) -> 'a -> 'a

(*s algebraic types (only global) *)

val set_constructors : Ident.t -> Ident.t list -> unit
val is_alg_type : Ident.t -> bool
val alg_type_constructors : Ident.t -> Ident.t list

(*s exceptions (only global) *)

val add_exception : Ident.t -> pure_type option -> unit
val is_exception : Ident.t -> bool
val find_exception : Ident.t -> pure_type option

(*s logical elements *)

type var_subst = type_var Vmap.t

val add_global_logic : Ident.t -> logic_type scheme -> unit
val find_global_logic : Ident.t -> var_subst * logic_type

val iter_global_logic : (Ident.t -> logic_type scheme -> unit) -> unit
val fold_global_logic : (Ident.t -> logic_type scheme -> 'a -> 'a) -> 'a -> 'a
val is_global_logic : Ident.t -> bool
val is_logic_function : Ident.t -> bool

(*s a table keeps the program (for extraction) *)

val find_pgm : Ident.t -> typed_expr option

(*s local environments *)

val empty_progs : unit -> local_env
val empty_logic : unit -> local_env

val add : ?generalize:bool -> Ident.t -> type_v -> local_env -> local_env
val is_local : local_env -> Ident.t -> bool

val find_type_var : Ident.t -> local_env -> type_var

(*s access in env (local then global) *)

val type_in_env : local_env -> Ident.t -> type_v
val is_in_env : local_env -> Ident.t -> bool
val is_ref : local_env -> Ident.t -> bool

val fold_all : (Ident.t * type_v -> 'a -> 'a) -> local_env -> 'a -> 'a

val add_rec : Ident.t -> local_env -> local_env
val is_rec : Ident.t -> local_env -> bool

(*s logical elements *)

val add_logic : Ident.t -> pure_type -> local_env -> local_env
val find_logic : Ident.t -> local_env -> pure_type

val type_v_of_logic : pure_type list -> pure_type -> type_v

(* type variables and generalization/specialization *)

val new_type_var : ?user:bool -> unit -> type_var

val type_var_name : type_var -> string (* for error messages only *)

val generalize_logic_type : logic_type -> logic_type scheme
val generalize_alg_type : alg_type_def -> alg_type_def scheme
val generalize_type_v : type_v -> type_v scheme
val generalize_predicate : predicate -> predicate scheme
val generalize_predicate_def : predicate_def -> predicate_def scheme
val generalize_inductive_def : inductive_def -> inductive_def scheme
val generalize_function_def : function_def -> function_def scheme
val generalize_sequent : sequent -> sequent scheme

val specialize_type_scheme : type_v scheme -> var_subst * type_v
val specialize_logic_type : logic_type scheme -> var_subst * logic_type
val specialize_alg_type : alg_type_def scheme -> var_subst * alg_type_def
val specialize_predicate : predicate scheme -> var_subst * predicate
val specialize_predicate_def : 
  predicate_def scheme -> var_subst * predicate_def
val specialize_inductive_def : 
  inductive_def scheme -> var_subst * inductive_def
val specialize_function_def : 
  function_def scheme -> var_subst * function_def
val specialize_sequent : sequent scheme -> var_subst * sequent

val subst_sequent : var_subst -> sequent -> sequent

val specialize_cc_type : Cc.cc_type -> var_subst * Cc.cc_type
val specialize_validation : 
  Cc.cc_type -> Cc.validation -> var_subst * Cc.cc_type * Cc.validation

val specialize_cc_functional_program : 
  Cc.cc_type -> Cc.cc_functional_program 
  -> var_subst * Cc.cc_type * Cc.cc_functional_program

val instantiate_specialized : var_subst -> instance -> unit

val instantiate_logic_type : logic_type scheme -> instance -> logic_type
val instantiate_predicate : predicate scheme -> instance -> predicate
val instantiate_predicate_def : 
  predicate_def scheme -> instance -> predicate_def
val instantiate_inductive_def : 
  inductive_def scheme -> instance -> inductive_def
val instantiate_function_def : 
  function_def scheme -> instance -> function_def
val instantiate_sequent : sequent scheme -> instance -> sequent

(*s Labels *)

module Label : sig 
  type t 
  val empty : t
  val add : string -> t -> t
  val mem : string -> t -> bool
end

(* debug *)

val dump_type_var : (type_var -> unit) ref

(* misc *)

val bad_arity : Ident.t list -> bool

why-2.39/src/z3.mli0000644000106100004300000000446313147234006013066 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

(* Z3 native syntax *)

val reset : unit -> unit
val push_decl : Logic_decl.t -> unit
val output_file : string -> unit


why-2.39/src/vcg.ml0000644000106100004300000007234613147234006013145 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

(*s Verification Conditions Generator. *)

open Format
open Ident
open Misc
open Util
open Options
open Logic
open Cc

(*s Log for the why-viewer *)

let logs = ref ([] : Log.t)

let log_print_function = 
  ref (fun fmt (_,p) -> fprintf fmt "@[%a@]@?" print_predicate p)

let log l sq lemma_name =
  let (_,l,_,_) = l in
  if wol then
    let s = 
      let buf = Buffer.create 1024 in
      let fmt = formatter_of_buffer buf in
      !log_print_function fmt sq;
      Buffer.contents buf
    in
    if_debug (fun () -> eprintf "at %d, %b, %s@\n" l (lemma_name = None) s) ();
    logs := (l, s, lemma_name) :: !logs

(*s We automatically prove the trivial obligations *)

let (===) = eq_predicate

let rec strip_name = function
  | Pnamed (_, p) -> strip_name p
  | p -> p

let eval_term t =
  match t with
    | Tconst (ConstInt a) ->
	Num.num_of_string a
    | Tapp(id,[Tconst (ConstInt a)], _ ) when id == t_neg_int ->
	Num.minus_num (Num.num_of_string a)
    | _ -> raise Exit
	     

let rec eval p = 
  match p with
    | Pnamed (_, p) -> eval p
    | Papp (id, [a; b], _) when is_int_comparison id -> 
	begin
	  try
	    let a = eval_term a in
	    let b = eval_term b in
	    if 
	      (id == t_eq_int && Num.eq_num a b) ||
		(id == t_neq_int && not (Num.eq_num a b)) ||
		(id == t_lt_int && Num.lt_num a b) ||
		(id == t_le_int && Num.le_num a b) ||
		(id == t_gt_int && Num.gt_num a b) ||
		(id == t_ge_int && Num.ge_num a b) 
	    then Ptrue else p
	  with Exit -> p
	end
    | Papp (_, _, _) 
    | Exists (_, _, _, _)
    | Forallb (_, _, _)
    | Forall (_, _, _, _, _, _)
    | Pnot _
    | Piff (_, _)
    | Por (_, _)
    | Pand (_, _, _, _)
    | Pif (_, _, _)
    | Pimplies (_, _, _)
    | Pvar _
    | Pfalse
    | Ptrue 
    | Plet _ -> p



(* ... |- true *)
let rec ptrue = function
  | Ptrue -> True
  | Pnamed(_,p) -> ptrue p
  | Pvar id when id == Ident.default_post -> True
  | _ -> raise Exit

(* ... |- a=a *)
let reflexivity = function
  | Papp (id, [a;b], _) when is_eq id && a = b -> Reflexivity a
  | _ -> raise Exit

(* ..., h:P, ...|- P  and ..., h:P and Q, ...|- P *)
let assumption concl = function
  | Spred (id, p) when p === concl -> Assumption id 
  | Spred (id, Pand (_, _, a, _)) when a === concl -> Proj1 id
  | Spred (id, Pand (_, _, _, b)) when b === concl -> Proj2 id
  | _ -> raise Exit

(* alpha-equivalence ? *)
let lookup_hyp a = 
  let test = function Spred (id, b) when a === b -> id | _ -> raise Exit in
  list_first test

(* ..., h:False, ... |- C *)
let absurd ctx =  Absurd (lookup_hyp Pfalse ctx)

(* ..., h:false=true, ... |- C *)
let discriminate_lemma = Ident.create "why_boolean_discriminate"
let discriminate ctx concl = 
  let false_eq_true = 
    equality (Tconst (ConstBool false)) (Tconst (ConstBool true))
  in
  let h = lookup_hyp false_eq_true ctx in
  ProofTerm 
    (cc_applist (CC_var discriminate_lemma) [CC_var h; CC_type (TTpred concl)])

let boolean_destruct_1 = Ident.create "why_boolean_destruct_1"
let boolean_destruct_2 = Ident.create "why_boolean_destruct_2"
let boolean_destruct ctx concl = 
  let test_1 = function
    | Spred (id, 
	     Pand (_, _,
		   Pimplies 
		     (_, Papp (eq1, [Tconst (ConstBool b1); t1], _), c1),
	           Pimplies
		     (_, Papp (eq2, [Tconst (ConstBool b2); t2], _), c2)))
      when eq_term t1 t2 && c1 === c2 && c1 === concl && is_eq eq1 
        && is_eq eq2 && b1 = not b2 ->
	id, t1, b1
    | _ ->
	raise Exit
  in
  let h,t,b = list_first test_1 ctx in
  ProofTerm 
    (cc_applist 
       (CC_var (if b then boolean_destruct_1 else boolean_destruct_2)) 
       [CC_term t; CC_type (TTpred concl); CC_var h])

(* ..., h:A, ..., h':B, ... |- A and B *)
let conjunction ctx = function
  | Pand (_, _, a, b) -> Conjunction (lookup_hyp a ctx, lookup_hyp b ctx)
  | _ -> raise Exit

(* ... |- (well_founded (Zwf 0)) *)
let wf_zwf = function
  | Papp (id, [Tvar id'], _) when id == well_founded && id' == t_zwf_zero ->
      WfZwf (Tconst (ConstInt "0"))
  | _ -> 
      raise Exit

(* ..., h:v=phi0, ..., h':I and (Zwf c phi1 phi0), ... |- (Zwf c phi1 v) *)
let loop_variant_1 hyps concl =
  let lookup_h v = function
    | Spred (h, Papp (id, [Tvar id';phi0], _)) when is_eq id && id' == v -> 
	h,phi0
    | _ -> 
	raise Exit
  in
  let lookup_h' phi1 phi0 = function
    | Spred (h', Pand (_, _, _, Papp (id, [t1; t0], _))) 
      when id == t_zwf_zero && eq_term t1 phi1 && eq_term t0 phi0 -> h'
    | _ -> raise Exit
  in
  match concl with
    | Papp (id, [phi1; Tvar v], _) when id == t_zwf_zero ->
	let h, phi0 = list_first (lookup_h v) hyps in 
	let h' = list_first (lookup_h' phi1 phi0) hyps in
	Loop_variant_1 (h, h')
    | _ -> 
	raise Exit

(* unification of terms *)
let rec unif_term u = function
  | Tconst c, Tconst c' when c = c' -> u
  | Tvar id, Tvar id' when id == id' -> u
  | Tderef _, _ | _, Tderef _ -> assert false
  | Tvar id, t' -> 
      (try (match Idmap.find id u with
	      | None -> Idmap.add id (Some t') u
	      | Some t'' -> if t' = t'' then u else raise Exit)
       with Not_found -> raise Exit)
  | Tapp (id, tl, _), Tapp (id', tl', _) when id == id' -> 
      unif_terms u (tl, tl')
  | _ -> raise Exit
and unif_terms u = function
  | [], [] -> u
  | t :: tl, t' :: tl' -> unif_terms (unif_term u (t, t')) (tl, tl')
  | _ -> raise Exit

(* unification of predicates *)
let rec unif_pred u = function
  | Pvar id, Pvar id' when id == id' -> 
      u
  | Papp (id, tl, _), Papp (id', tl', _) when id == id' -> 
      unif_terms u (tl, tl')
  | Ptrue, Ptrue 
  | Pfalse, Pfalse -> 
      u
  | Forallb (_, a, b), Forallb (_, a', b')
  | Pimplies (_, a, b), Pimplies (_, a', b') 
  | Pand (_, _, a, b), Pand (_, _, a', b')
  | Piff (a, b), Piff (a', b')
  | Por (a, b), Por (a', b') -> 
      unif_pred (unif_pred u (a, a')) (b, b')
  | Pif (a, b, c), Pif (a', b', c') ->
      unif_pred (unif_pred (unif_term u (a, a')) (b, b')) (c, c')
  | Pif (Tvar x, b, c), p' ->
      (try match Idmap.find x u with
	 | None -> 
	     (try unif_pred (Idmap.add x (Some ttrue) u) (b, p')
	      with Exit -> unif_pred (Idmap.add x (Some tfalse) u) (c, p'))
	 | Some (Tconst (ConstBool true)) -> unif_pred u (b, p')
	 | Some (Tconst (ConstBool false)) -> unif_pred u (c, p')
	 | _ -> raise Exit
       with Not_found ->
	 raise Exit)
  | Pnot a, Pnot a' -> 
      unif_pred u (a, a')
  | Forall (_, _, n, _, _, p), Forall (_, _, n', _, _, p') 
  | Exists (_, n, _, p), Exists (_, n', _, p') ->
      let p'n = subst_in_predicate (subst_onev n' n) p' in 
      unif_pred u (p, p'n)
  | Plet (_, n, _, t, p), Plet (_, n', _, t', p') ->
      let u = unif_term u (t, t') in
      let p'n = subst_in_predicate (subst_onev n' n) p' in 
      unif_pred u (p, p'n)
  | Pnamed (_, p), p'
  | p, Pnamed (_, p') ->
      unif_pred u (p, p')
  (* outside of the diagonal -> false *)
  | (Forall _ | Exists _ | Forallb _ | Pnot _ | Piff _ | Por _ |
     Pand _ | Pif _ | Pimplies _ | Papp _ | Pvar _ | Pfalse | Ptrue | Plet _),
    (Forall _ | Exists _ | Forallb _ | Pnot _ | Piff _ | Por _ |
     Pand _ | Pif _ | Pimplies _ | Papp _ | Pvar _ | Pfalse | Ptrue | Plet _) 
    ->
      raise Exit

(* [lookup_instance]. 
   [id] is a proof of [forall v1...vn . p => q] where [bvars = v1...vn].
   we look for an hypothesis matching [p], as an instance [p(a1...ak)],
   and we return [forall vi. q(a1...ak)] (together with a proof of it)
   where the [vi]s not in the [aj]s. *)

let first_hyp f = 
  list_first (function Svar _ -> raise Exit | Spred (h, p) -> f h p)

let lookup_instance id bvars p q hpx p' =
  let u0 = 
    List.fold_right (fun (_,n,_) -> Idmap.add n None) bvars Idmap.empty 
  in
  let u = unif_pred u0 (p, p') in
  let bvars',vars,s =
    List.fold_right 
      (fun ((x,n,_) as b) (bv,vl,s) -> match Idmap.find n u with
	 | None -> b :: bv, (Tvar x) :: vl, s
	 | Some x' -> bv, x' :: vl, Idmap.add n x' s) 
      bvars ([], [], Idmap.empty)
  in
  List.fold_right
    (fun (x, n, ty) p -> Forall (true, x, n, ty, [], p))
    bvars' (simplify (tsubst_in_predicate s q)),
  cc_lam 
    (List.map (fun (x, _, ty) -> x, CC_var_binder (TTpure ty)) bvars')
    (cc_applist id (List.map cc_term (vars @ [Tvar hpx])))

(* checks whether [p] is an instance of [c] and returns the instance *)
let unify bvars p c =
  let u0 = 
    List.fold_right (fun (_,n,_) -> Idmap.add n None) bvars Idmap.empty 
  in
  let u = unif_pred u0 (p, c) in
  List.map
    (fun (_,n,_) -> match Idmap.find n u with
       | None -> raise Exit (* does not instanciate all variables *)
       | Some x -> x) bvars

(* alpha-equivalence over predicates *)
let alpha_eq a b = 
  try let _ = unif_pred Idmap.empty (a, b) in true with Exit -> false

(* dead code
let lookup_boolean_instance a b =
  let rec lookup = function
    | Svar (x, PTbool) ::
      Spred (h, Pif (Tvar x1, c, d)) :: _ 
      when x == x1 && a === c && b === d -> 
	x, h
    | _ :: ctx ->
	lookup ctx
    | [] ->
	raise Exit
  in
  lookup

let boolean_wp_lemma = Ident.create "why_boolean_wp"
*)

(* [qe_forall (forall x1...forall xn. p) = [x1;...;xn],p] *)
let rec qe_forall = function
  | Forall (_, id, n, ty, _, p) -> 
      let vl, p = qe_forall p in (id, n, ty) :: vl, p
  | Forallb (_, ptrue, pfalse) -> 
      let id = fresh_var () in
      let n = Ident.bound id in
      let p = Pif (Tvar n, ptrue, pfalse) in
      [(id, n, PTbool)], p
  | p -> 
      [], p

let add_ctx_vars =
  List.fold_left 
    (fun acc -> function Svar (id,_) -> Idset.add id acc | _ -> acc)

(* introduction of universal quantifiers and implications;
   return the new goal (context-conclusion), together with a proof-term
   modifier to apply to the proof-term found for the new goal. *)
let rec intros ctx = function
(*
  | Forall (_, id, n, t, _, p) ->
      let id' = next_away id (add_ctx_vars (predicate_vars p) ctx) in
      let p' = subst_in_predicate (subst_onev n id') p in
      let ctx', concl', f = intros (Svar (id', t) :: ctx) p' in
      ctx', concl',
      (fun pr -> 
	 ProofTerm (cc_lam [id', CC_var_binder (TTpure t)] (CC_hole (f pr))))
*)
  | Forall _ as p ->
      let ids = add_ctx_vars Idset.empty ctx in
      let bv, p' = decomp_forall ~ids p in
      let ctx = 
	List.fold_left (fun ctx (id', t) -> Svar (id', t) :: ctx) ctx bv
      in
      let ctx', concl', f = intros ctx p' in
      ctx', concl',
      (fun pr -> 
	 let bvars = List.map (fun (x, t) -> x, CC_var_binder (TTpure t)) bv in
	 ProofTerm (cc_lam bvars (CC_hole (f pr))))
  | Pimplies (_, a, b) -> 
      let h = fresh_hyp () in 
      let ctx', concl', f = intros (Spred (h, a) :: ctx) b in
      ctx', concl', 
      (fun pr -> ProofTerm (cc_lam [h, CC_pred_binder a] (CC_hole (f pr))))
  | Pnamed (n, p) ->
      let ctx,p,v = intros ctx p in
      ctx, Pnamed (n, p), v
  | c -> 
      ctx, c, (fun pr -> pr)

let boolean_forall_lemma = Ident.create "why_boolean_forall"
let make_forall_proof id = function
  | Forall _ -> 
      CC_var id
  | Forallb (_, qtrue, qfalse) -> 
      let x = fresh_var () in
      let n = Ident.bound x in
      let q = Pif (Tvar n, qtrue, qfalse) in
      cc_applist (CC_var boolean_forall_lemma) 
	[cc_lam [n, CC_var_binder (TTpure PTbool)] (CC_type (TTpred q)); 
	 CC_var id]
  | _ -> 
      assert false

(* dead code
let should_be_a_wp ctx =
  if debug then raise Exit;
  first_hyp (fun id _ -> if not (is_wp id) then raise Exit) ctx; ShouldBeAWp
*)

(* Tautologies in linear minimal first-order logic.
   Context [ctx] is given in reverse order ([ctx = xk:tk, ..., x1:t1]). 

   First, we introduce universal quantifiers and implications with [intros].

   Then, we cut the context at the last [WP] and reverse it at the same
   time, with [cut_context].

   Then we apply the linear rules: assumption, and-elimination,
   forall-elimination and implication-elimination. Regarding 
   forall-elimination, there are two cases: (1) the hypothesis is
   [forall x. P] and the goal matches [P], and (2) the hypothesis
   is [forall x. P => Q] and there is another hypothesis matching [P]. *)

let linear ctx concl = 
  let ctx, concl, pr_intros = intros ctx concl in
  (* we cut the context at the last WP (and reverse it) *)
  let rec cut_context acc = function
    | [] -> raise Exit
    | Spred (id, _) as h :: _ when is_wp id -> h :: acc
    | h :: ctx -> cut_context (h :: acc) ctx
  in
  let ctx = cut_context [] ctx in
  let rec search = function
    | [] -> 
	raise Exit
    (* assumption *)
    | Spred (id, p) :: _ when alpha_eq p concl ->
	Assumption id
    (* and-elimination *)
    | Spred (id, Pand (true, _, a, b)) :: ctx ->
	begin try
	  search ctx
	with Exit ->
	  let h1 = fresh_hyp () in
	  let h2 = fresh_hyp () in
	  let ctx' = (Spred (h1, a)) :: (Spred (h2, b)) :: ctx in
	  ProofTerm (CC_letin (false,
			       [h1, CC_pred_binder a; h2, CC_pred_binder b],
			       CC_var id, CC_hole (search ctx')))
	end
    (* forall-elimination *)
    | Spred (id, (Forall (true,_,_,_,_,_) | Forallb (true,_,_) as a)) 
      :: ctx -> 
	let id = make_forall_proof id a in
	begin try
	  search ctx
	with Exit ->
	  let bvars,p = qe_forall a in
	  try
	    (* 1. try to unify [p] and [concl] *)
	    let vars = unify bvars p concl in
	    ProofTerm (cc_applist id (List.map cc_term vars))
	  with Exit -> match p with
	    | Pimplies (true, p, q) ->
  	    (* 2. we have [p => q]: try to unify [p] and an hypothesis *)
		first_hyp 
		  (fun h ph ->
		     let qx,pr_qx = lookup_instance id bvars p q h ph in
		     let h1 = fresh_hyp () in
		     let ctx' = Spred (h1, qx) :: ctx in
		     ProofTerm 
		       (CC_letin (false, [h1, CC_pred_binder qx], pr_qx,
				  CC_hole (search ctx'))))
		  ctx
	    | Pand (true, _, p1, p2) ->
            (* 3. we have [a and b]: split under the quantifiers *)
                let h1 = fresh_hyp () in
		let h2 = fresh_hyp () in
		let qpi pi =
		  List.fold_right
		    (fun (x, n, ty) p -> Forall (true, x, n, ty, [], p)) 
		    bvars pi
		in
		let qp1 = qpi p1 in
		let qp2 = qpi p2 in
		let ctx' = Spred (h1, qp1) :: Spred (h2, qp2) :: ctx in
		let pr = search ctx' in
		let pr_qpi hi = 
		  cc_lam 
		    (List.map (fun (x,_,ty) -> x, CC_var_binder (TTpure ty)) 
		       bvars)
		    (CC_letin (false, [h1, CC_pred_binder p1;
				       h2, CC_pred_binder p2], 
			       cc_applist id
				 (List.map (fun (_,x,_) -> CC_var x) bvars),
			       CC_var hi))
		in
		ProofTerm 
		  (CC_letin (false, [h1, CC_pred_binder qp1], pr_qpi h1,
   	           CC_letin (false, [h2, CC_pred_binder qp2], pr_qpi h2,
			     CC_hole pr)))
	    | _ ->
		raise Exit
	end
    (* implication-elimination *)
    | Spred (id, Pimplies (true, p, q)) :: ctx ->
	begin try
	  search ctx
	with Exit ->
	  let hp = lookup_hyp p ctx in (* alpha-equivalence ? *)
	  let hq = fresh_hyp () in
	  let ctx' = Spred (hq, q) :: ctx in
	  ProofTerm
	    (CC_letin (false, [hq, CC_pred_binder q],
		       CC_app (CC_var id, CC_var hp), CC_hole (search ctx')))
	end
    (* skip this hypothesis (or variable) *)
    | _ :: ctx ->
	search ctx
  in
  pr_intros (search ctx)

let rewrite_var_lemma = Ident.create "why_rewrite_var"
let rewrite_var_left_lemma = Ident.create "why_rewrite_var_left"
let rewrite_var ctx concl = match ctx, concl with
  (* ..., v=t, p(v) |- p(t) *)
  | Spred (h1, p1) ::
    Svar (_id'1, PTbool) ::
    Spred (h2, Papp (ide, [Tvar v; t], _)) ::
    Svar (v', ty) :: _,
    p
    when is_eq ide && v == v' -> 
      if not (tsubst_in_predicate (subst_one v t) p1 === p) then raise Exit;
      ProofTerm 
	(cc_applist (CC_var rewrite_var_lemma)
	   [CC_var h2;
	    CC_type (TTlambda ((v, CC_var_binder (TTpure ty)), TTpred p1));
	    CC_var h1])
  (* ..., v=t, p(t) |- p(v) *)
  | _ :: 
    Spred (h1, p1) ::
    Spred (h2, Papp (ide, [Tvar v; t], _)) ::
    Svar (v', ty) :: _,
    p
    when is_eq ide && v == v' -> 
      if not (tsubst_in_predicate (subst_one v t) p === p1) then raise Exit;
      ProofTerm 
	(cc_applist (CC_var rewrite_var_left_lemma)
	   [CC_var h2;
	    CC_type (TTlambda ((v, CC_var_binder (TTpure ty)), TTpred p));
	    CC_var h1])
  | _ -> 
      raise Exit

(* ..., x:bool, if x then a else b |- if x then c else d *)
let boolean_case_lemma = Ident.create "why_boolean_case"
let boolean_case ctx concl = match ctx, concl with
  | Spred (h1, Pif (Tvar x1, a, b)) ::
    Svar (x, PTbool) ::
    ctx,
    Pif (Tvar x2, c, d)
    when x1 == x && x2 == x ->
      let h2 = fresh_hyp () in
      let branch h p =
	let pr = linear (Spred (h2, h) :: ctx) p in
	CC_lam ((h2, CC_pred_binder h), CC_hole pr)
      in
      ProofTerm
	(cc_applist (CC_var boolean_case_lemma)
	   [CC_var h1; branch a c; branch b d])
  | _ ->
      raise Exit

(* we try the automatic proofs successively, starting with the simplest ones *)
let discharge_methods ctx concl =
  let ctx,concl,pr = intros ctx concl in 
  let concl = (if Options.eval_goals then eval else strip_name) concl in
  let ctx = 
    List.map (function 
		| Spred (h,p) -> Spred (h, strip_name p) 
		| Svar _ as v -> v) ctx
  in
  pr begin
  try ptrue concl with Exit ->
  try wf_zwf concl with Exit ->
  try reflexivity concl with Exit -> 
  try absurd ctx with Exit ->
  try list_first (assumption concl) ctx with Exit ->
  try conjunction ctx concl with Exit ->
  try loop_variant_1 ctx concl with Exit ->
  try rewrite_var ctx concl with Exit ->
  try discriminate ctx concl with Exit ->
  try boolean_destruct ctx concl with Exit ->
  try if fast_wp then raise Exit; linear ctx concl with Exit ->
  boolean_case ctx concl
  end

(* DEBUG 
open Pp

let print_sequent fmt (ctx, concl) =
  let print_hyp fmt = function
    | Svar (id, _) -> Ident.print fmt id
    | Spred (id, p) -> fprintf fmt "%a: %a" Ident.print id print_predicate p
  in
  fprintf fmt "@[[@\n%a@\n----@\n%a@\n]@]" (print_list newline print_hyp) ctx
    print_predicate concl
*)

let count = ref 0

let discharge loc ctx concl =
  let pr = (if all_vc then raise Exit else discharge_methods) ctx concl in
  log loc (ctx, concl) None;
  incr count;
  if_verbose_2 eprintf "one obligation trivially discharged [%d]@." !count;
  pr

(*s Cleaning the sequents *)

let occur_in_hyp id = function
  | Spred (_,p) -> occur_predicate id p
  | Svar _ -> false

(* dead code
let occur_as_var id = function
  | Svar (id',_) -> id = id'
  | Spred _ -> false
*)

let clean_sequent hyps concl =
  (* if a variable appears twice, we remove the first and its dependencies *)
(* dead code
  let rec filter_up_to x = function
    | [] -> []
    | Svar (y, _) :: _ as hl when x = y -> hl
    | Spred (_, p) :: hl when occur_predicate x p -> filter_up_to x hl
    | h :: hl -> h :: filter_up_to x hl
  in 
*)
  (* we remove variables not occuring at all in hypotheses or conclusion *)
  let rec clean = function
    | [] ->
	[]
    | Svar (x, _v) as h :: hl -> 
	if List.exists (occur_in_hyp x) hl || occur_predicate x concl then
	  h :: clean hl
	else
	  clean hl
    | Spred (_, p1) :: ((Spred (_, p2) :: _) as hl) when p1 = p2 ->
	clean hl
    | Spred (_, Ptrue) :: hl ->
	clean hl
    | Spred (id, _) :: hl when not debug && is_wp id ->
	clean hl
    | h :: hl ->
	h :: clean hl
  in
  clean hyps

let hyps_names = 
  let hyp_name = function Svar (id,_) | Spred (id,_) -> id in
  List.map hyp_name

(* dead code
let rec cut_last_binders = function
  | [] | [_] | [_; _] -> []
  | b :: bl -> b :: cut_last_binders bl
*)

let rec annotated_if id = function
  | [id', CC_var_binder (TTpure PTbool); _, CC_pred_binder _] -> id == id'
  | [] -> false
  | _ :: bl -> annotated_if id bl

let rec annotation_if = function
  | [qb, CC_pred_binder q] -> qb, q
  | _ :: bl -> annotation_if bl
  | [] -> assert false

(***
let simplify_sequent ctx p = 
  let simplify_hyp = function
    | Svar _ as h -> h
    | Spred (id, p) -> Spred (id, simplify p)
  in
  List.map simplify_hyp ctx, simplify p
***)

(*s Splitting verification conditions on WP connectives
    [split: sequent -> sequent list * (proof list -> proof)] *)

let rec split_list n1 l2 = 
  if n1 = 0 then 
    [], l2
  else match l2 with
    | [] -> assert false
    | x :: r2 -> let l1,r2 = split_list (n1 - 1) r2 in x :: l1, r2

let conj = match prover () with
  | Coq V7 -> Ident.create "conj ? ?"
  | _ -> Ident.create "conj"

let asym_conj = Ident.create "why_asym_conj"
let split_iff = Ident.create "why_split_iff"

let rec split lvl ctx = function
  | Pand (wp, true, p1, p2) 
      when (wp || Options.split_user_conj) ->
      let o1,pr1 = split lvl ctx p1 in
      let n1 = List.length o1 in
      let o2,pr2 = split lvl ctx p2 in
      o1 @ o2, 
      (fun pl -> 
	 let l1,l2 = split_list n1 pl in 
	 ProofTerm 
	   (cc_applist (cc_var conj) [CC_hole (pr1 l1); CC_hole (pr2 l2)]))
  (* asymetric conjunction *)
  | Pand (wp, false, p1, p2) 
      when (wp || Options.split_user_conj) ->
      let o1,pr1 = split lvl ctx p1 in
      let n1 = List.length o1 in
      let p2 = Pimplies (true, p1, p2) in
      let o2,pr2 = split lvl ctx p2 in
      o1 @ o2, 
      (fun pl -> 
	 let l1,l2 = split_list n1 pl in 
	 ProofTerm 
	   (cc_applist (cc_var asym_conj)
	      [CC_hole (pr1 l1); CC_hole (pr2 l2)]))
  (* splits Zwf if splitting user conjunctions required *)
  | Papp (id, [a;b], inst) when id == t_zwf_zero && Options.split_user_conj ->
      (* 0 <= b and a < b *)
      split lvl ctx 
	(Pand(true, true, 
	      Papp(t_le_int, [Tconst (ConstInt "0") ; b ], inst) ,
	      Papp(t_lt_int, [a ; b ], inst)))
  | Piff (p1, p2) when Options.split_user_conj ->
      let o1,pr1 = split lvl ctx (pimplies p1 p2) in
      let n1 = List.length o1 in
      let o2,pr2 = split lvl ctx (pimplies p2 p1) in
      o1 @ o2, 
      (fun pl -> 
	 let l1,l2 = split_list n1 pl in 
	 ProofTerm (cc_applist (cc_var split_iff) 
		      [CC_hole (pr1 l1); CC_hole (pr2 l2)]))
  | Pimplies (wp, _, _)
  | Forall (wp, _, _, _, _, _) as concl 
      when (wp || Options.split_user_conj) && lvl < lvlmax ->
      let ctx',concl',pr_intros = intros ctx concl in
      let ol,prl = split (succ lvl) ctx' concl' in
      ol, (fun pl -> pr_intros (prl pl))
  | Pnamed (n, p1) as _concl ->
      begin match split lvl ctx p1 with
(*
	| [_],_ -> 
            [ctx,Pnamed(n,concl)], 
            (function [pr] -> pr | _ -> assert false)
*)
	| gl,v -> 
	List.map (fun (ctx,c) -> ctx, Pnamed(n,c)) gl, v
      end
  | concl -> 
      [ctx,concl], (function [pr] -> pr | _ -> assert false)


(*s The VCG; it's trivial, we just traverse the CC term and push a 
    new obligation on each hole. *)

(***
let vcg base t =
  let po = ref [] in
  let cpt = ref 0 in
  let push_one loc ctx concl = 
    incr cpt;
    let id = base ^ "_po_" ^ string_of_int !cpt in
    let ctx' = clean_sequent (List.rev ctx) concl in
    let sq = (ctx', concl) in
    po := (loc, id, sq) :: !po;
    log (snd loc) sq (Some id);
    Lemma (id, hyps_names ctx')
  in
  let push loc ctx concl =
    if false(*Options.split*) then
      let ol,pr = split 0 ctx concl in
      pr (List.map (fun (ctx,c) -> push_one loc ctx c) ol)
    else
      push_one loc ctx concl
  in
  let rec traverse ctx = function
    | CC_var _ 
    | CC_term _ 
    | CC_type _ 
    | CC_any _ as cc -> 
	cc
    | CC_hole (loc, p) -> 
	CC_hole (try discharge loc ctx p with Exit -> push loc ctx p)
    (* special treatment for the if-then-else *)
    | CC_letin (dep, bl1, e1, 
		CC_if (CC_term (Tvar idb),
		       (CC_lam ((_, CC_pred_binder _), _) as br1),
		       (CC_lam ((_, CC_pred_binder _), _) as br2)))
      when annotated_if idb bl1 ->
	let e'1 = traverse ctx e1 in
	let ctx = traverse_binders ctx (cut_last_binders bl1) in
	let br'1 = traverse ctx br1 in
	let br'2 = traverse ctx br2 in
	CC_letin (dep, bl1, e'1, CC_if (CC_var idb, br'1, br'2))
    (* special treatment for the composition of exceptions *)
    | CC_letin (dep, bl, e1, CC_case (CC_term (Tvar _) as e2, br)) ->
	let e'1 = traverse ctx e1 in
	let ctx = traverse_binders ctx bl in
	let br' = List.map (traverse_case ctx) br in
	CC_letin (dep, bl, e'1, CC_case (e2, br'))
    | CC_letin (dep, bl, e1, CC_case (e2, br)) ->
	let e'1 = traverse ctx e1 in
	let ctx = traverse_binders ctx (cut_last_binders bl) in
	let e'2 = traverse ctx e2 in
	let br' = List.map (traverse_case ctx) br in
	CC_letin (dep, bl, e'1, CC_case (e'2, br'))
    | CC_letin (dep, bl, e1, e2) -> 
	let e'1 = traverse ctx e1 in
	let e'2 = traverse (traverse_binders ctx bl) e2 in
	CC_letin (dep, bl, e'1, e'2)
    | CC_lam (b, e) ->
	let e' = traverse (traverse_binders ctx [b]) e in
	CC_lam (b, e')
    | CC_app (f, a) ->
	let f' = traverse ctx f in
	let a' = traverse ctx a in
	CC_app (f', a')
    | CC_case (e, pl) ->
	let e' = traverse ctx e in
	let pl' = List.map (traverse_case ctx) pl in
	CC_case (e', pl')
    | CC_tuple (el,p) ->
	let el' = List.map (traverse ctx) el in
	CC_tuple (el',p)
    | CC_if (a, b, c) ->
	let a' = traverse ctx a in
	let b' = traverse ctx b in
	let c' = traverse ctx c in
	CC_if (a', b', c')
  and traverse_case ctx (p,e) =
    p, traverse (traverse_pattern ctx p) e
  and traverse_pattern ctx = function
    | PPvariable (id,b) -> traverse_binder ctx (id,b)
    | PPcons (_, pl) -> List.fold_left traverse_pattern ctx pl
  and traverse_binder ctx = function
    | id, CC_var_binder v -> (Svar (id,v)) :: ctx
    | id, CC_pred_binder p -> (Spred (id,p)) :: ctx
    | id, CC_untyped_binder -> assert false
  and traverse_binders ctx = 
    List.fold_left traverse_binder ctx
  in
  let cc' = traverse [] t in
  List.rev !po, cc'
***)

(*
let rec loc_for_pred = function
  | Pnamed (User s, _) -> begin try Loc.parse s with _ -> Loc.dummy_position end
  | Forall (_,_,_,_,_,p)
  | Pimplies (_,_,p)  -> loc_for_pred p
  | _ -> Loc.dummy_position
*)

let rec explain_for_pred internal user = function
  | Forall (_,_,_,_,_,p)
  | Pimplies (_,_,p)  -> explain_for_pred internal user p
  | Pnamed(Internal n,p) -> explain_for_pred (Some n) user p
  | Pnamed(User n,p) -> explain_for_pred internal (Some n) p
  | _p ->
      (if debug then
	 eprintf "User label for explanation: `%a'@." (Pp.print_option pp_print_string)user;
       user)
	,
      (match internal with
	| Some n ->
	    begin
	      if debug then 
		Format.eprintf "looking for internal explanation '%d'@." n;
	      try
		let e = Hashtbl.find Util.explanation_table n in
		if debug then Format.eprintf "found@.";
		e
	      with
		  Not_found ->
		    if debug then Format.eprintf "not found@.";
		    assert false
	    end
	| None -> 
	    fprintf str_formatter "unexplained assertion";
	    VCEexternal(flush_str_formatter())) 
	      
(* Proof obligations from the WP *)

let vcg_from_wp _loc ids name beh w =
  let po = ref [] in
  let cpt = ref 0 in
  let push_one (ctx, concl) = 
    let formula_userlab, raw_explain = explain_for_pred None None concl in	
    let kind,loc, lab =  Util.cook_explanation formula_userlab raw_explain in
(*
    if formula_userlab = None then
       Format.printf "formula_userlab unset: %s@." name;
*)
    let explain = (*Logic_decl.ExplVC*)
      { Logic_decl.lemma_or_fun_name = name ;
	Logic_decl.behavior = beh;
	Logic_decl.vc_loc = loc ;
        Logic_decl.vc_kind = kind ;
        Logic_decl.vc_label = lab;
      }
    in
    try
      discharge loc ctx concl
    with Exit -> begin
      incr cpt;
      let id = ids (* name ^ "_" ^ beh *) ^ "_po_" ^ string_of_int !cpt in
      let ctx' = clean_sequent (List.rev ctx) concl in
      let sq = (ctx', concl) in
      log loc sq (Some id);
      (*Format.eprintf "Vcg.push_one: %a@." Loc.report_position loc;*)
      po := (loc, false, explain, id, sq) :: !po;
      Lemma (id, hyps_names ctx')
    end
  in
  let w = w.Ast.a_value in
  let ol,pr = split 0 [] w in 
  let prl = List.map push_one ol in
  List.rev !po, pr prl

(*
Local Variables: 
compile-command: "make -C .. bin/why.byte"
End: 
*)
why-2.39/src/error.mli0000644000106100004300000000727013147234006013662 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(*s Errors. *)

open Format

type t = 
  | UnboundVariable of Ident.t
  | UnboundReference of Ident.t
  | UnboundArray of Ident.t
  | UnboundLabel of string
  | ReboundLabel of string
  | UnboundException of Ident.t
  | UnboundType of Ident.t
  | Clash of Ident.t
  | ClashParam of Ident.t
  | ClashExn of Ident.t
  | ClashRef of Ident.t
  | ClashType of Ident.t
  | Undefined of Ident.t
  | NotAReference of Ident.t
  | NotAnArray of Ident.t
  | NotAnIndex
  | HasSideEffects
  | ShouldBeBoolean
  | ShouldBeAlgebraic
  | ShouldBeAnnotated
  | CannotBeMutable
  | MustBePure
  | BranchesSameType
  | LetRef
  | VariantInformative
  | ShouldBeInformative
  | AppNonFunction
  | TooManyArguments
  | TooComplexArgument
  | Alias of Ident.t
  | PartialApp
  | TermExpectedType of (formatter -> unit) * (formatter -> unit)
  | ExpectedType of (formatter -> unit)
  | ExpectedType2 of (formatter -> unit) * (formatter -> unit)
  | ExpectsAType of Ident.t
  | ExpectsATerm of Ident.t
  | ShouldBeVariable
  | ShouldBeReference of Ident.t
  | ShouldNotBeReference
  | IllTypedArgument of (formatter -> unit)
  | NoVariableAtDate of Ident.t * string
  | MutableExternal
  | AnyMessage of string
  | ExceptionArgument of Ident.t * bool
  | CannotBeRaised of Ident.t
  | MutableMutable
  | PolymorphicGoal
  | NonExhaustive of Ident.t
  | PatternBadArity
  | TypeBadArity
  | TypeArity of Ident.t * int * int
  | GlobalWithEffects of Ident.t * Effect.t
  | IllformedPattern
  | CannotGeneralize
  | IllegalComparison of (formatter -> unit)

why-2.39/src/cc.mli0000644000106100004300000001104313147234006013107 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(*s Intermediate CC terms. *)

open Logic

type variable = Ident.t

type cc_type =
  | TTpure of pure_type
  | TTarray of cc_type
  | TTlambda of cc_binder * cc_type
  | TTarrow of cc_binder * cc_type
  | TTtuple of cc_binder list * cc_type option
  | TTpred of predicate
  | TTapp of cc_type * cc_type list
  | TTterm of term
  | TTSet

and cc_bind_type = 
  | CC_var_binder of cc_type
  | CC_pred_binder of predicate
  | CC_untyped_binder

and cc_binder = variable * cc_bind_type

type cc_pattern = 
  | PPvariable of cc_binder
  | PPcons of Ident.t * cc_pattern list

(* ['a] is the type of holes *)

type 'a cc_term =
  | CC_var of variable
  | CC_letin of bool * cc_binder list * 'a cc_term * 'a cc_term
  | CC_lam of cc_binder * 'a cc_term
  | CC_app of 'a cc_term * 'a cc_term
  | CC_tuple of 'a cc_term list * cc_type option
  | CC_if of 'a cc_term * 'a cc_term * 'a cc_term
  | CC_case of 'a cc_term * (cc_pattern * 'a cc_term) list
  | CC_term of term
  | CC_hole of 'a
  | CC_type of cc_type
  | CC_any of cc_type

(* Proofs *)

type proof = 
  | Lemma of string * Ident.t list
  | True
  | Reflexivity of term
  | Assumption of Ident.t
  | Proj1 of Ident.t
  | Proj2 of Ident.t
  | Conjunction of Ident.t * Ident.t
  | WfZwf of term
  | Loop_variant_1 of Ident.t * Ident.t
  | Absurd of Ident.t
  | ProofTerm of proof cc_term
  | ShouldBeAWp

type proof_term = proof cc_term

type validation = proof cc_term

(* Functional programs. *)

type cc_functional_program = (Loc.position * predicate) cc_term

(*s Sequents and obligations. *)

type context_element =
  | Svar of Ident.t * pure_type
  | Spred of Ident.t * predicate

type sequent = context_element list * predicate

type loc_term = Loc.position * term
type loc_predicate = Loc.position * predicate

type assert_kind = [`ASSERT | `CHECK]

type raw_vc_explain =
  | VCEexternal of string
  | VCEabsurd
  | VCEassert of assert_kind * loc_predicate list
  | VCEpre of string * Loc.position * loc_predicate list 
      (*r label and loc for the call, then preconditions *)
  | VCEpost of loc_predicate
  | VCEwfrel
  | VCEvardecr of loc_term
  | VCEinvinit of string * loc_predicate
      (*r label for the loop, then loop invariant *)
  | VCEinvpreserv of string * loc_predicate 
      (*r label for the loop, then loop invariant *)

(*
type obligation = Loc.floc * vc_explain * string * sequent
    (* loc, explanation, id, sequent *) 
*)

why-2.39/src/red.mli0000644000106100004300000000460113147234006013276 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



open Cc
open Logic 

(* reduction on intermediate programs 
 * get rid of redexes of the kind let (x1,...,xn) = e in (x1,...,xn) *)

val red : ('a * predicate) cc_term -> ('a * predicate) cc_term

why-2.39/src/smtlib.ml0000644000106100004300000003434713147234006013657 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



open Ident
open Options
open Misc
open Logic
open Logic_decl
open Env
open Cc
open Format
open Pp

(*s Pretty print *)

(* dead code
let int2U = "int2U"
let u2Int = "u2Int"
*)

let prefix id =
  if id == t_lt then assert false
  else if id == t_le then assert false
  else if id == t_gt then assert false
  else if id == t_ge then assert false
  (* int cmp *)
  else if id == t_lt_int then "<"
  else if id == t_le_int then "<="
  else if id == t_gt_int then ">"
  else if id == t_ge_int then ">="
  (* int ops *)
  else if id == t_add_int then "+"
  else if id == t_sub_int then "-"
  else if id == t_mul_int then "*"
(*
  else if id == t_div_int then "div_int"
  else if id == t_mod_int then
    if Options.modulo then "%" else "modulo"
*)
  else if id == t_neg_int then "-"
  (* real ops *)
  else if id == t_add_real then "+"
  else if id == t_sub_real then "-"
  else if id == t_mul_real then "*"
  else if id == t_neg_real then "-"
  else if id == t_lt_real then "<"
  else if id == t_le_real then "<="
  else if id == t_gt_real then ">"
  else if id == t_ge_real then ">="
  else if id == t_div_real
       || id == t_sqrt_real
       || id == t_real_of_int
  then
    Ident.string id
  else (eprintf "%a@." Ident.print id; assert false)

let is_smtlib_keyword =
  let ht = Hashtbl.create 50  in
  List.iter (fun kw -> Hashtbl.add ht kw ())
    ["and";" benchmark";" distinct";"exists";"false";"flet";"forall";
     "if then else";"iff";"implies";"ite";"let";"logic";"not";"or";
     "sat";"theory";"true";"unknown";"unsat";"xor";
     "assumption";"axioms";"defintion";"extensions";"formula";
     "funs";"extrafuns";"extrasorts";"extrapreds";"language";
     "notes";"preds";"sorts";"status";"theory";"Int";"Real";"Bool";
     "Array";"U";"select";"store"];
  Hashtbl.mem ht

let leading_underscore s = s <> "" && s.[0] = '_'

let removeChar =
  let lc = ('\'','p')::('_','u')::('-','t')::[] in
  function s ->
    for i=0 to (String.length s)-1 do
      let c = (String.get s i) in
      try
	let c' =  List.assoc c lc  in
	String.set  s i c'
      with Not_found -> ()
    done;
    s

let idents fmt s =
  (* Yices does not expect names to begin with an underscore. *)
  if is_smtlib_keyword s || leading_underscore s then
    fprintf fmt "smtlib__%s" s
  else
    fprintf fmt "%s" s

let ident fmt id = idents fmt (Ident.string id)

let print_bvar fmt id = fprintf fmt "?%a" ident id

let rec print_term fmt = function
  | Tvar id ->
      print_bvar fmt id
  | Tconst (ConstInt n) ->
      fprintf fmt "%s" n
  | Tconst (ConstBool b) ->
      fprintf fmt "c_Boolean_%b" b
  | Tconst ConstUnit ->
      fprintf fmt "tt"
  | Tconst (ConstFloat c) ->
      Print_real.print_no_exponent fmt ~prefix_div:true c
(*
	"(real_of_int %s)"
	"(real_of_int ( * %s %s))"
	"(div_real (real_of_int %s) (real_of_int %s))"
	fmt c
*)
  | Tderef _ ->
      assert false
  | Tapp (id, [a; b; c], _) when id == if_then_else ->
      if (Options.get_types_encoding() = SortedStratified) then
	fprintf fmt
	  "@[(smtlib__ite@ %a @ %a@ %a)@]"
	   print_term a print_term b print_term c
      else
	fprintf fmt "@[(ite@ (= %a c_Boolean_true) @ %a@ %a)@]"
	  print_term a print_term b print_term c
(*
  | Tapp (id, [a], _) when id = t_real_of_int ->
      print_term fmt a
*)
  | Tapp (id, tl, _) when is_relation id || is_arith id ->
      fprintf fmt "@[(%s %a)@]" (prefix id) print_terms tl
  | Tapp (id, [], i) ->
      fprintf fmt "%a" idents (Encoding.symbol (id, i))
  | Tapp (id, tl, i) ->
      fprintf fmt "@[(%a@ %a)@]"
	idents (Encoding.symbol (id, i)) (print_list space print_term) tl
  | Tnamed (_, t) -> (* TODO: print name *)
      print_term fmt t

and print_terms fmt tl =
  print_list space print_term fmt tl

let rec print_pure_type fmt = function
  | PTint -> fprintf fmt "Int"
  | PTbool -> fprintf fmt "c_Boolean"
  | PTreal -> fprintf fmt "Real"
  | PTunit -> fprintf fmt "Unit"
  | PTexternal(_,id) when id==farray -> fprintf fmt "Array"
  | PTvar {type_val=Some pt} -> print_pure_type fmt pt
  | PTvar v -> fprintf fmt "A%d" v.tag
  | PTexternal (i,id) -> idents fmt (Encoding.symbol (id, i))

(* dead code
and instance fmt = function
  | [] -> ()
  | ptl -> fprintf fmt "_%a" (print_list underscore print_pure_type) ptl
*)

let bound_variable =
  let count = ref 0 in
  function n ->
    count := !count+1 ;
    Ident.create ((removeChar (completeString n))^"_"^ (string_of_int !count))

let rec print_predicate fmt = function
  | Ptrue ->
      fprintf fmt "true"
  | Pvar id when id == Ident.default_post ->
      fprintf fmt "true"
  | Pfalse ->
      fprintf fmt "false"
  | Pvar id ->
      fprintf fmt "%a" ident id
  | Papp (id, [_t], _) when id == well_founded ->
      fprintf fmt "true;; was well founded @\n"
  | Papp (id, [a; b], _) when is_eq id ->
      fprintf fmt "@[(= %a@ %a)@]" print_term a print_term b
  | Papp (id, [a; b], _) when is_neq id ->
      fprintf fmt "@[(not (= %a@ %a))@]" print_term a print_term b
  | Papp (id, tl, _) when is_relation id || is_arith id ->
      fprintf fmt "@[(%s %a)@]" (prefix id) print_terms tl
  | Papp (id, [a;b], _) when id == t_zwf_zero ->
      (** TODO : DIRTY WAY TO translate such predicate;
	  may be previously dispatched into an inequality **)
      fprintf fmt "@[(and (<= 0 %a)@ (< %a %a))@]"
	print_term b print_term a print_term b
  | Papp (id, tl, _) when id == t_distinct ->
      fprintf fmt "@[(distinct@ %a)@]" print_terms tl
  | Papp (id, tl, i) ->
      fprintf fmt "@[(%a@ %a)@]"
	idents (Encoding.symbol (id, i)) print_terms tl
  | Pimplies (_, a, b) ->
      fprintf fmt "@[(implies@ %a@ %a)@]" print_predicate a print_predicate b
  | Pif (a, b, c) ->
      if (Options.get_types_encoding() = SortedStratified) then
      fprintf fmt "@[(if_then_else@ (= %a c_Boolean_true)@ %a@ %a)@]"
	print_term a print_predicate b print_predicate c
      else
	fprintf fmt "@[(if_then_else@ (= %a c_Boolean_true)@ %a@ %a)@]"
	  print_term a print_predicate b print_predicate c
  | Pand (_, _, a, b) | Forallb (_, a, b) ->
      fprintf fmt "@[(and@ %a@ %a)@]" print_predicate a print_predicate b
  | Por (a, b) ->
      fprintf fmt "@[(or@ %a@ %a)@]" print_predicate a print_predicate b
  | Piff (a, b) ->
      fprintf fmt "@[(iff@ %a@ %a)@]" print_predicate a print_predicate b
  | Pnot a ->
      fprintf fmt "@[(not@ %a)@]" print_predicate a
  | Forall (_,_id,n,t,_,p) ->
      (*Printf.printf "Forall : %s\n" (Ident.string id);  *)
      (*let id' = next_away id (predicate_vars p) in*)
      let id' = (bound_variable n) in
      (***Format.printf
	" Forall : %a , " Ident.dbprint n ;
      Format.printf
	" %a" Ident.dbprint id' ;**)
      let p' = subst_in_predicate (subst_onev n id') p in
      fprintf fmt "@[(forall (%a %a)@ %a)@]"
	print_bvar id' print_pure_type t print_predicate p'
  | Exists (_id,n,t,p) ->
      (*let id' = next_away id (predicate_vars p) in*)
      let id' = bound_variable n in
      let p' = subst_in_predicate (subst_onev n id') p in
      fprintf fmt "@[(exists (%a %a) %a)@]"
	print_bvar id' print_pure_type t print_predicate p'
  | Pnamed (_, p) -> (* TODO: print name *)
      print_predicate fmt p
  | Plet (_, n, _, t, p) ->
      let id' = bound_variable n in
      let s = subst_onev n id' in
      let t' = subst_in_term s t in
      let p' = subst_in_predicate s p in
      fprintf fmt "@[(let (%a %a)@ %a)@]" print_bvar id' print_term t'
	print_predicate p'

let print_axiom fmt id p =
  fprintf fmt "@[;; Why axiom %s@]@\n" id;
  fprintf fmt " @[:assumption@ %a@]" print_predicate p;
  fprintf fmt "@]@\n@\n"

(* dead code
let print_quantifiers =
  let print_quantifier fmt (x,t) =
    fprintf fmt "(%a %a)" print_bvar x print_pure_type t
  in
  print_list space print_quantifier
*)

let pure_type_list = print_list space print_pure_type

(* Function and predicate definitions are handled in Encoding *)
(*
let print_predicate_def fmt id (bl,p) =
  let tl = List.map snd bl in
  fprintf fmt "@[:extrapreds ((%a %a))@]@\n@\n" idents id pure_type_list tl;
  fprintf fmt "@[:assumption@ (forall %a@ (iff (%a %a)@ @[%a@]))@]@\n@\n"
    print_quantifiers bl
    idents id
    (print_list space (fun fmt (x,_) -> print_bvar fmt x)) bl
    print_predicate p

let print_function_def fmt id (bl,pt,e) =
  let tl = List.map snd bl in
  fprintf fmt "@[:extrafuns ((%a %a %a))@]@\n@\n" idents id pure_type_list tl
    print_pure_type pt;
  fprintf fmt "@[:assumption@ (forall %a@ (= (%a %a)@ @[%a@]))@]@\n@\n"
    print_quantifiers bl
    idents id
    (print_list space (fun fmt (x,_) -> print_bvar fmt x)) bl
    print_term e
*)

let output_sequent fmt (hyps,concl) =
  let rec print_seq fmt = function
    | [] ->
	print_predicate fmt concl
    | Svar (id, v) :: hyps ->
	fprintf fmt "@[(forall (%a %a)@ %a)@]"
	  print_bvar id print_pure_type v print_seq hyps
(* TODO : update this for renaming each variable *)
    | Spred (_,p) :: hyps ->
	fprintf fmt "@[(implies@ %a@ %a)@]" print_predicate p print_seq hyps
  in
  print_seq fmt hyps

let print_obligation fmt loc _is_lemma _o s =
  fprintf fmt "@[:formula@\n";
  fprintf fmt "  @[;; %a@]@\n" Loc.gen_report_line loc;
  fprintf fmt "  @[(not@ %a)@]" output_sequent s;
  fprintf fmt "@]@\n@\n"
(* 

   useless since goals are split
   (moreover, may trigger a bug with Z3: proves the lemma using the aussmption given after)

  if is_lemma then begin
    fprintf fmt "@[;; %s as axiom@]@\n" o;
    fprintf fmt " @[:assumption@ %a@]" output_sequent s;
    fprintf fmt "@]@\n@\n"
  end
*)

let push_decl d = Encoding.push d

let iter = Encoding.iter

let reset () = Encoding.reset ()

let declare_type fmt id =
  fprintf fmt ":extrasorts (%a)@\n" ident id

let print_logic fmt id t =
  fprintf fmt ";;;; Why logic %s@\n" id;
  match t with
    | Predicate tl ->
	fprintf fmt "@[:extrapreds ((%a %a))@]@\n@\n"
	  idents id pure_type_list tl
    | Function (tl, pt) ->
	fprintf fmt "@[:extrafuns ((%a %a %a))@]@\n@\n"
	  idents id pure_type_list tl print_pure_type pt

let output_elem fmt = function
  | Dtype (_loc, id, []) -> declare_type fmt id
  | Dtype (_, id, _) ->
      fprintf fmt ";; polymorphic type %s@\n@\n" (Ident.string id)
  | Dalgtype _ ->
      assert false
(*
      failwith "SMTLIB output: algebraic types are not supported"
*)
  | Dlogic (_, id, t)  when not (Ident.is_simplify_arith id)
      -> print_logic fmt (Ident.string id) t.scheme_type
  | Dlogic (_, _, _) -> fprintf fmt ""
  | Dpredicate_def (_loc, _id, _d) ->
      assert false
(*
      print_predicate_def fmt (Ident.string id) d.scheme_type
*)
  | Dinductive_def(_loc, _ident, _inddef) ->
      assert false
(*
      failwith "SMTLIB output: inductive def not yet supported"
*)
  | Dfunction_def (_loc, _id, _d) ->
      assert false
(*
      print_function_def fmt (Ident.string id) d.scheme_type
*)
  | Daxiom (_loc, id, p) -> print_axiom fmt id p.scheme_type
  | Dgoal (loc, is_lemma, _expl, id, s) -> 
      print_obligation fmt loc is_lemma id s.Env.scheme_type




let output_file ?logic fname =
  let cout = Options.open_out_file fname in
  let fmt = formatter_of_out_channel cout in
  fprintf fmt "(benchmark %a@\n" idents (removeChar (Filename.basename fname));
  fprintf fmt "  :status unknown@\n";
  begin
    match logic with
      | None -> ()
      | Some l ->
	  fprintf fmt "  :logic %s@\n" l;
  end;
(*   if (Options.get_types_encoding() != SortedStratified) then   *)
  begin
    fprintf fmt "  :extrasorts (c_Boolean)@\n";
    fprintf fmt "  :extrafuns ((c_Boolean_true c_Boolean))@\n";
    fprintf fmt "  :extrafuns ((c_Boolean_false c_Boolean))@\n";
    fprintf fmt "  :assumption\
@\n                   (forall (?bcd c_Boolean) (or (= ?bcd c_Boolean_true)\
@\n                                            (= ?bcd c_Boolean_false)))@\n";
    fprintf fmt "  :assumption\
@\n                   (not\
@\n                      (= c_Boolean_true  c_Boolean_false))@\n";
  end;
  fprintf fmt "  :extrasorts (Unit)@\n";
  fprintf fmt "  :extrafuns ((tt Unit))@\n";
(*
  fprintf fmt "  :extrafuns ((div_int Int Int Int))@\n";
  if not modulo then begin
    fprintf fmt "  :extrafuns ((modulo Int Int Int))@\n";
  end;
*)
  iter (output_elem fmt);

  (* end of smtlib file *)
  fprintf fmt "@\n)@\n";
  pp_print_flush fmt ();
  Options.close_out_file cout


(*
Local Variables:
compile-command: "unset LANG; nice make -j -C .. bin/why.byte"
End:
*)
why-2.39/src/monadSig.mli0000644000106100004300000001111413147234006014262 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

open Logic
open Types
open Ast
open Cc
open Env

module type S = 
sig 

  (*s Translation of types *)
  
  val trad_scheme_v : Rename.t -> local_env -> type_v scheme -> cc_type
  val trad_type_v : Rename.t -> local_env -> type_v -> cc_type
  val trad_type_c : Rename.t -> local_env -> type_c -> cc_type
  val trad_imp_type  : Rename.t -> local_env -> type_v -> cc_type
  val trad_type_in_env : Rename.t -> local_env -> Ident.t -> cc_type
    
  val exn_arg_type : Ident.t -> cc_type
    
    (*s Basic monadic operators. They operate over values of type [interp] i.e.
      functions building a [cc_term] given a renaming structure. *)
    
  type interp = Rename.t -> (Loc.position * predicate) cc_term
    
    (*s The [unit] operator encapsulates a term in a computation. *)
    
  type result = 
    | Value of term
    | Exn of Ident.t * term option
	
  val unit : typing_info -> result -> interp
    
    (*s [compose k1 e1 e2] evaluates computation [e1] of type [k1] and 
      passes its result (actually, a variable naming this result) to a
      second computation [e2]. [apply] is a variant of [compose] where
      [e2] is abstracted (typically, a function) and thus must be applied
      to its input. *)

  val compose : 
    typing_info -> interp -> typing_info -> (Ident.t -> interp) -> interp
  val apply   : 
    typing_info -> interp -> typing_info -> (Ident.t -> interp) -> interp

    (*s Monadic operator to raise and handle exceptions *)

  val exn : typing_info -> Ident.t -> term option -> interp

  val handle : 
    typing_info -> interp -> typing_info -> 
    (exn_pattern * (Ident.t -> interp)) list -> interp

    (*s Other monadic operators. *)

  val cross_label : string -> interp -> interp

  val insert_pre : local_env -> precondition -> interp -> interp

  val insert_many_pre : local_env -> precondition list -> interp -> interp

  val abstraction : typing_info -> precondition list -> interp -> interp

  val fresh : Ident.t -> (Ident.t -> interp) -> interp

    (*s Well-founded recursion. *)

  val wfrec : 
    variant -> precondition list -> typing_info -> (interp -> interp) -> interp

  val wfrec_with_binders : 
    cc_binder list -> 
    variant -> precondition list -> typing_info -> (interp -> interp) -> interp

    (*s Table for recursive functions' interpretation *)

  val is_rec : Ident.t -> bool
  val find_rec : Ident.t -> interp
  val with_rec : Ident.t -> interp -> ('a -> 'b) -> 'a -> 'b
end
why-2.39/src/regen.ml0000644000106100004300000001474013147234006013460 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(* files partly edited and partly regenerated *)

open Format
open Options
open Cc
open Logic

type element_kind = 
  | Param
  | Oblig
  | Prog
  | Valid (* obsolete but helps porting from old versions *)
  | Lg
  | Ax
  | Pr
  | Ind
  | Fun
  | Ty

type element_id = element_kind * string

type element = 
  | Parameter of string * cc_type
  | Program of string * cc_type * cc_functional_program
  | Obligation of Loc.floc * bool * Logic_decl.vc_expl * string * sequent Env.scheme
  | Logic of string * logic_type Env.scheme
  | Axiom of string * predicate Env.scheme
  | Predicate of string * predicate_def Env.scheme
  | Inductive of string * inductive_def Env.scheme
  | Function of string * function_def Env.scheme
  | AbstractType of string * string list
  | AlgebraicType of (string * alg_type_def Env.scheme) list

module type S = sig
 
  (* how to print and reprint elements *)
  val print_element : formatter -> element -> unit
  val reprint_element : formatter -> element -> unit

  (* regexp to recognize obligations locations (as comments) *)
  val re_oblig_loc : Str.regexp

  (* what to print at the beginning of file when first created *)
  val first_time : formatter -> unit

  (* what to print at the end of file when first created *)
  val first_time_trailer : formatter -> unit

  (* how to recognize the end of an element to erase / overwrite *)
  val not_end_of_element : element_id -> string -> bool

end

module Make(X : S) = struct

  let print_element_kind fmt = function
    | Param, s -> fprintf fmt "parameter %s" s
    | Prog, s -> fprintf fmt "program %s" s
    | Oblig, s -> fprintf fmt "obligation %s" s
    | Valid, s -> fprintf fmt "validation %s" s
    | Lg, s -> fprintf fmt "logic %s" s
    | Ax, s -> fprintf fmt "axiom %s" s
    | Pr, s -> fprintf fmt "predicate %s" s
    | Ind, s -> fprintf fmt "inductive %s" s
    | Fun, s -> fprintf fmt "function %s" s
    | Ty, s -> fprintf fmt "type %s" s

  let elem_t = Hashtbl.create 97 (* maps [element_id] to [element] *)
  let elem_q = Queue.create ()   (* queue of [element_id * element] *)
		 
  let add_elem ek e = Queue.add (ek,e) elem_q; Hashtbl.add elem_t ek e
    
  let reset () = Queue.clear elem_q; Hashtbl.clear elem_t

  let regexps = ref []
		  
  let add_regexp r k = regexps := (Str.regexp r, k) :: !regexps

  type line_kind =
    | Obligation_location
    | Element of (element_kind * string)
    | Other

  let check_line s =
    let rec test = function
      | [] -> 
	  Other
      | (r, k) :: l ->
	  if Str.string_match r s 0 then 
	    Element (k, Str.matched_group 1 s) 
	  else 
	    test l
    in
    if Str.string_match X.re_oblig_loc s 0 then 
      Obligation_location
    else
      test !regexps
	
  let regen oldf fmt =
    let cin = open_in oldf in
    let rec scan () =
      let s = input_line cin in
      match check_line s with
	| Other -> 
	    fprintf fmt "%s@\n" s;
	    scan ()
	| Obligation_location ->
	    scan ()
	| Element e ->
	    if Hashtbl.mem elem_t e then begin
	      if verbose then eprintf "overwriting %a@." print_element_kind e;
	      print_up_to e
	    end else
	      if verbose then eprintf "erasing %a@." print_element_kind e;
	    if X.not_end_of_element e s then skip_element e;
	    scan ()
    and skip_element e =
      let s = input_line cin in
      if X.not_end_of_element e s then skip_element e
    and tail () = 
      fprintf fmt "%c" (input_char cin); tail () 
    and print_up_to e =
      let (e',ee) = Queue.take elem_q in
      Hashtbl.remove elem_t e'; 
      if e = e' then 
	X.reprint_element fmt ee 
      else begin
	X.print_element fmt ee; print_up_to e
      end
    in
    begin
      try scan () with End_of_file -> 
      try tail () with End_of_file -> close_in cin
    end;
    Queue.iter (fun (_,e) -> X.print_element fmt e) elem_q

  let first_time fmt =
    X.first_time fmt;
    Queue.iter (fun (_,e) -> X.print_element fmt e) elem_q;
    X.first_time_trailer fmt

  let output_file ?(margin=78) f =
    if Sys.file_exists f then begin
      let fbak = f ^ ".bak" in
      if Sys.file_exists fbak then Sys.remove fbak;
      Sys.rename f fbak; 
      if_verbose_3 eprintf "*** re-generating file %s (backup in %s)@." f fbak;
      Pp.print_in_file ~margin (regen fbak) f
    end else begin
      if_verbose_2 eprintf "*** generating file %s@." f;
      Pp.print_in_file ~margin first_time f
    end

end
why-2.39/src/simplify.mli0000644000106100004300000000445313147234006014365 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

val reset : unit -> unit
val push_decl : Logic_decl.t -> unit
val output_file : allowedit:bool -> string -> unit
why-2.39/src/xml.mli0000644000106100004300000000453613147234006013333 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)


type element =
    { name : string;
      attributes : (string * Rc.rc_value) list;
      elements : element list;
    }

val from_file : string -> element list


why-2.39/src/theory_filtering.ml0000644000106100004300000002673413147234006015743 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(*s Harvey's output *)

open Ident
open Options
open Logic
open Logic_decl
open Env
open Cc

let threshold = 1

let axiomCounter = ref 0

let reducedQueue =  Queue.create()

module Int_map = Map.Make(struct type t=int let compare= compare end)

module Int_set = Set.Make(struct type t=int let compare= compare end)

module Theory_container = 
struct 

  let m = ref Int_map.empty 

  let uniqueNumberGenerator () = 
     incr axiomCounter; !axiomCounter
      
  (**
     @param f is the formula we want to store
     @return n is the index where the formula has been stored
  **)
  let add (logic,d) = 
    let n  = uniqueNumberGenerator () in 
    m := Int_map.add n (logic,Int_set.empty,d)  !m ;
    n
          

  let reset () = 
    m := Int_map.empty ;
    Queue.clear reducedQueue ;
    axiomCounter := 0


  let  depends_on n =
    try 
      let (_,_,d) =  Int_map.find n !m in 
      d
    with 
	Not_found -> 
	  Printf.printf "Number %d not found \n" n;
	  raise Exit
    
  let  produces n =
    try 
      let (_,p,_) =  Int_map.find n !m in 
      p
    with 
	Not_found -> 
	  Printf.printf "Number %d not found \n" n;
	  raise Exit

  let axiom n =
    try 
      let (l,_,_) =  Int_map.find n !m in 
      l
    with 
	Not_found -> 
	  Printf.printf "Number %d not found \n" n;
	  raise Exit

  let set_produce n s  = 
    let l = axiom n in 
    let d = depends_on n in
    m := Int_map.add n (l,s,d)  !m 

end 
  



module  Symbol_container = 
struct 
  module Id_map = Map.Make(struct type t=string let compare= compare end)

  let m = ref Id_map.empty

  let add logic n= 
    m := Id_map.add logic n !m 

  let reset () = 
    m := Id_map.empty
  
  let index_of logic =
    try 
       Id_map.find logic !m
    with 
	Not_found -> 
	  Printf.printf "Symbol %s not found \n" logic;
	  raise Exit
end



(**
   collects the functionnal  symbols
   of the term given in parameter 
   @paramater f : the formula we are parsing   
   @returns the StringSet that contains all the symbols 
   of the formula
**)	
let functional_symbols  f  = (*: Logic_decl.t -> StringSet*) 
  (** symbols the result **)
  let symbolsSet  = ref Int_set.empty  in 
  let rec collect formula  = 
    match formula with 
      | Tconst (ConstInt _n) -> ()
      | Tconst (ConstBool _) -> () 
      | Tconst ConstUnit -> ()
      | Tconst (ConstFloat _) -> ()
      | Tderef _ -> ()
      | Tapp (id, [a; b; c], _) when id == if_then_else -> 
	  collect a; 
	  collect b;
	  collect c  
      | Tapp (id, tl, _) when is_relation id || is_arith id ->
	  symbolsSet  := Int_set.add (Symbol_container.index_of (Ident.string id))  !symbolsSet ;
	  List.iter collect tl 
      | Tapp (id, [], _i) -> 
	  symbolsSet  := Int_set.add (Symbol_container.index_of (Ident.string id)) !symbolsSet
      | Tapp (id, tl, _i) ->
	  symbolsSet  := Int_set.add (Symbol_container.index_of (Ident.string id)) !symbolsSet;
	  List.iter collect tl 
      | _ -> ()
  in
  collect f ; 
  !symbolsSet


let symbols  f  =
  (** symbols the result **)
  let symbolsSet  = ref Int_set.empty  in 
  let rec collect formula  = 
(* dead code
    let rec collectIntoAList  l = match l with 
	[] -> () 
      |  p :: r -> 
	   collect p ;
	   collectIntoAList r in
*)
    match formula with 
      | Papp (id, [a; b], _) when is_eq id || is_neq id || id == t_zwf_zero->
	  symbolsSet  := Int_set.union (functional_symbols a) 
	    !symbolsSet ;
	  symbolsSet  := Int_set.union (functional_symbols b) 
	    !symbolsSet 
      | Pand (_, _, a, b) | Forallb (_, a, b)  | Por (a, b) | Piff (a, b) | 
	    Pimplies (_, a, b) ->
	  collect a;
	      collect b
      | Papp (id, tl, _i) -> 
	  let rec functional_symbolsFromList  l  =  
	    match l with 
		[] -> Int_set.empty
	      | t :: q ->  Int_set.union  (functional_symbols t)
		  (functional_symbolsFromList q) in
	  symbolsSet  := Int_set.union (functional_symbolsFromList tl) 
	    !symbolsSet ;   
	  symbolsSet  := Int_set.add  (Symbol_container.index_of (Ident.string id))  !symbolsSet 
      | Pif (a, b, c) ->
	  symbolsSet  := Int_set.union (functional_symbols a) 
	    !symbolsSet ;
	  collect b;
	  collect c
      | Pnot a ->
	  collect a;
      | Forall (_,_id,_n,_t,_,p) | Exists (_id,_n,_t,p) ->    
	  collect p
      | Pnamed (_, p) -> (* TODO: print name *)
	  collect p 
      |_ -> ()
  in
  collect f ; 
  !symbolsSet


let rec add_relevant_in elt s = 
  if Int_set.mem elt s then
    s
  else  
    Int_set.add elt (Int_set.fold add_relevant_in (Theory_container.depends_on elt) s)
      

let rank n s = 
  let s1 = Theory_container.produces n in 
  let r = 
    if Int_set.subset s1 s then 1 else 0 in 
  (*Printf.printf "rank %d \n" r ;*)
  r


let filter rs selectedAx notYetSelectedAx = 
  let irrelevant = ref notYetSelectedAx in
  let relevant = ref selectedAx in
  let new_rs = ref rs in 
  let f ax =
    let r = rank ax rs in 
    if r >= threshold then
      begin 
	relevant := add_relevant_in ax !relevant ;
	irrelevant := Int_set.remove ax !irrelevant;
	new_rs := Int_set.union rs (Theory_container.produces ax)
      end ; 
    if debug then begin 
	Printf.printf "ax (%d) has rank %d \n" ax r
      end    
  in
  Int_set.iter f notYetSelectedAx ;
  (!new_rs,!relevant,!irrelevant)


let display_symb_of set =
  Int_set.iter (fun s -> Printf.printf "%d " s) set 
 
let display (q,s) n = 
  let di = function 
    | Dtype (_, id, _) ->
        Printf.printf  "type %s (%d) : "  (Ident.string id)
    | Dalgtype _ ->
        failwith "Theory filtering: algebraic types are not supported"
    | Dlogic (_, id, _t) ->
        Printf.printf  "arit %s (%d) : " (Ident.string id)
    | Dpredicate_def (_, id, _d) -> 
	let id = Ident.string id in
	Printf.printf  "def_pred %s (%d): " id 
    | Dinductive_def(_loc, _ident, _inddef) ->
	failwith "Theory filtering: inductive def not yet supported"
    | Dfunction_def (_, id, _d) -> 
	let id = Ident.string id in
	Printf.printf  "def_func %s (%d): " id 
    | Daxiom (_, id, _p)          -> Printf.printf  "axiom %s (%d): "  id 
    | Dgoal (_, is_lemma,_expl, id, _s)   -> 
	Printf.printf  "%s %s (%d):" (if is_lemma then "lemma" else "goal") id 
  in 
  if debug then begin 
    (di q) n;
    display_symb_of s; Printf.printf "\n" 
  end

let managesGoal _id ax (hyps,concl) =   
  let rec symb_of_seq = function
    | [] -> symbols concl
    | Svar (_id, _v) :: q ->  symb_of_seq  q 
    | Spred (_,p) :: q -> 
	Int_set.union 
	  (symbols p) 
	  (symb_of_seq q)
  in
  let setOfSymbols =  ref (symb_of_seq hyps) in 
  let n = Theory_container.add  (ax,!setOfSymbols) in 
  display (ax,!setOfSymbols) n ;
  (*Theory_container.set_produce n setOfSymbols ; *)
  let allax = ref Int_set.empty  in 
  for i= 1 to n-1 do
    allax := Int_set.add i !allax 
  done;
  let rel = ref Int_set.empty in
  let irrel = allax in 
  for _i=1 to 2 do (* include predicates/functions and their properties *)
    let (rs,r,ir) = filter !setOfSymbols !rel  !irrel in
    rel := r ;
    setOfSymbols := rs ; 
    irrel :=  ir 
      (*Printf.printf "Relevant of %d : " n;
      Int_set.iter (fun t-> Printf.printf "%d " t) rel ;
      Printf.printf " \n " 
    *)
  done;
  Int_set.iter 
    (fun t-> Queue.add (Theory_container.axiom t) reducedQueue)
    !rel 
  
  

let declare_axiom _id ax p =
  let setOfSymbols = symbols p in 
  let n = Theory_container.add  (ax,setOfSymbols) in 
  Theory_container.set_produce n setOfSymbols ;
  display (ax,setOfSymbols) n


let declare_function id ax (_,_,e) = 
  let setOfSymbols =  functional_symbols e in 
  let n = Theory_container.add  (ax,setOfSymbols) in 
  Theory_container.set_produce n (Int_set.singleton n) ;
  Symbol_container.add id n;
  display (ax,setOfSymbols) n


let declare_predicate id ax (_,p) = 
  let setOfSymbols = symbols p in 
  let n = Theory_container.add  (ax,setOfSymbols) in 
  Theory_container.set_produce n (Int_set.singleton n) ;
  Symbol_container.add id n;
  display (ax,setOfSymbols) n

let declare_arity id ax = 
  let n = Theory_container.add (ax,Int_set.empty)  in 
  Symbol_container.add id n ;
  display (ax,Int_set.empty) n


let declare_type id ax = 
  let n = Theory_container.add (ax,Int_set.empty)   in
  Symbol_container.add id n ;
  display (ax,Int_set.empty) n

    
let launcher decl = match decl with   
  | Dtype (_, id, _) as ax -> (*Printf.printf  "Dtype %s \n"  id ;*)
      declare_type (Ident.string id) ax
  | Dalgtype _ ->
      failwith "Theory filtering: algebraic types are not supported"
  | Dlogic (_, id, _t) as ax -> (* Printf.printf  "Dlogic %s \n"  id ;*) 
      declare_arity (Ident.string id) ax
  | Dpredicate_def (_, id, d) as ax -> 
      (*Printf.printf  "Dpredicate_def %s \n"  *)
      let id = Ident.string id in
      declare_predicate id ax d.scheme_type 
  | Dinductive_def(_loc, _ident, _inddef) ->
      failwith "Theory filtering: inductive def not yet supported"
  | Dfunction_def (_, id, d)  as ax ->
      (*Printf.printf  "Dfunction_def %s \n"  id ;*)  
      let id = Ident.string id in
      declare_function id ax d.scheme_type 
  | Daxiom (_, id, p) as ax         -> (*Printf.printf  "Daxiom %s \n"  id ; *)
      declare_axiom  id ax p.scheme_type 
  | Dgoal (_, _is_lemma, _expl, id, s)  as ax -> 
      (*Printf.printf  "Dgoal %s \n"  id ; *)
      managesGoal id ax s.Env.scheme_type 




(**
   @param q is a logic_decl Queue 
   @returns the pruned theory 
**)

let reduce q = 
  Theory_container.reset();
  Symbol_container.reset();  
  Queue.iter launcher q ;
  reducedQueue
  

  
why-2.39/src/fastwp.mli0000644000106100004300000000442013147234006014027 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(*s Fast weakest preconditions *)

open Env

val wp : typed_expr -> Logic.predicate
why-2.39/src/vcg.mli0000644000106100004300000000543413147234006013310 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

(*s Verification Conditions Generator. *)

open Logic
open Cc

(***
val vcg : 
  string -> (Loc.position * predicate) cc_term -> obligation list * validation
***)

val logs : Log.t ref
val log_print_function : (Format.formatter -> sequent -> unit) ref

(* obligations from the WP *)

val vcg_from_wp : 
  (* fun loc, fun ids fun name, fun behavior, wp *)
  Loc.floc -> string -> string -> string -> Ast.assertion -> Logic_decl.obligation list * proof

(* functions to be reused in module [Coq] *)

val annotated_if : Ident.t -> cc_binder list -> bool
val annotation_if : cc_binder list -> Ident.t * predicate

why-2.39/src/pvs.ml0000644000106100004300000005101713147234006013166 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



open Logic
open Logic_decl
open Cc
open Misc
open Ident
open Env
open Format
open Pp


let infix_table = ref Idmap.empty

let () =
  List.iter (fun (id,s) -> infix_table := Idmap.add id s !infix_table)
    [ t_lt, "<" ;
      t_le, "<=";
      t_gt, ">";
      t_ge, ">=";
      t_eq, "=";
      t_neq, "/=";
      t_bool_and, "AND";
      t_bool_or, "OR";
      t_bool_xor, "/=" ;
      t_gt_int_bool, ">";
      t_gt_real_bool, ">";
      t_ge_int_bool, ">=";
      t_ge_real_bool, ">=";
      t_le_int_bool, "<=";
      t_le_real_bool, "<=";
      t_lt_int_bool, "<";
      t_lt_real_bool, "<";
      t_eq_int_bool, "=";
      t_eq_real_bool, "=";
      t_neq_int_bool, "/=";
      t_neq_real_bool, "/=";
      t_lt_int, "<" ;
      t_le_int, "<=";
      t_gt_int, ">";
      t_ge_int, ">=";
      t_eq_int, "=";
      t_neq_int, "/=";
      t_lt_real, "<" ;
      t_le_real, "<=";
      t_gt_real, ">";
      t_ge_real, ">=";
      t_eq_real, "=";
      t_neq_real, "/=";
    ]

let is_infix id = Idmap.mem id !infix_table
	
let infix id = 
  try
    Idmap.find id !infix_table
  with Not_found -> assert false



let prefix_table = ref Idmap.empty

let () =
  List.iter (fun (id,s) -> prefix_table := Idmap.add id s !prefix_table)
    [ t_abs_real, "abs";
      t_real_max, "max";
      t_real_min, "min";
      t_sqrt_real, "sqrt";
    ]

let is_prefix id = Idmap.mem id !prefix_table
	
let prefix id = 
  try
    Idmap.find id !prefix_table
  with Not_found -> assert false


let is_pvs_keyword =
  let ht = Hashtbl.create 50  in
  List.iter (fun kw -> Hashtbl.add ht kw ()) 
    [];
  Hashtbl.mem ht

let leading_underscore s = s <> "" && s.[0] = '_'

let idents fmt s = 
  (* PVS does not expect names to begin with an underscore. *)
  if is_pvs_keyword s || leading_underscore s then
    fprintf fmt "why__%s" s
  else 
    fprintf fmt "%s" s

let ident fmt id = idents fmt (Ident.string id)

let rec filter_phantom_type = function
  | PTexternal (_, id) ->
      not (Hashtbl.mem Options.phantom_types (Ident.string id))
  | PTvar { type_val = Some t} -> filter_phantom_type t   
  | _ -> true

let rec print_pure_type fmt = function
  | PTint -> fprintf fmt "int"
  | PTbool -> fprintf fmt "bool"
  | PTunit -> fprintf fmt "unit"
  | PTreal -> fprintf fmt "real"
  | PTexternal ([pt], id) when id == farray -> 
      fprintf fmt "warray[%a]" print_pure_type pt
  | PTvar { type_val = Some t} -> fprintf fmt "%a" print_pure_type t      
  | PTvar v -> fprintf fmt "A%d" v.tag
  | PTexternal (i, id) -> 
      fprintf fmt "%a%a" ident id print_instance i

and print_instance fmt l = 
  match List.filter filter_phantom_type l with
    | [] -> ()
    | i -> fprintf fmt "[%a]" (print_list comma print_pure_type) i

let print_real = Print_real.print_no_exponent 

let print_term fmt t = 
  let rec print0 fmt = function
    | Tapp (id, [a;b], _) when is_infix id ->
	fprintf fmt "@[(%a %s@ %a)@]" print1 a (infix id) print1 b
    | t -> 
	print1 fmt t
  and print1 fmt = function
    | Tapp (id, [a;b], _) when id == t_add_int || id == t_sub_int ->
	fprintf fmt "@[%a %s@ %a@]" 
	  print1 a (if id == t_add_int then "+" else "-") print2 b
    | Tapp (id, [a;b], _) when id == t_add_real || id == t_sub_real ->
	fprintf fmt "@[%a %s@ %a@]" 
	  print1 a (if id == t_add_real then "+" else "-") print2 b
    | t ->
	print2 fmt t
  and print2 fmt = function
    | Tapp (id, [a;b], _) when id == t_mul_int || id == t_mul_real ->
	fprintf fmt "@[%a *@ %a@]" print2 a print3 b
    | Tapp (id, [a;b], _) when id == t_div_real ->
	fprintf fmt "@[%a /@ %a@]" print2 a print3 b
(*
    | Tapp (id, [a;b], _) when id == t_div_int ->
	fprintf fmt "(@[div(%a,%a)@])" print0 a print0 b
    | Tapp (id, [a;b], _) when id == t_mod_int ->
	fprintf fmt "(@[mod(%a,%a)@])" print0 a print0 b
*)
    | t ->
	print3 fmt t
  and print3 fmt = function
    | Tconst (ConstInt n) -> 
	fprintf fmt "%s" n
    | Tconst (ConstBool b) -> 
	fprintf fmt "%b" b
    | Tconst ConstUnit -> 
	fprintf fmt "unit" 
    | Tconst (ConstFloat f) -> 
	print_real fmt ~prefix_div:false f
    | Tapp (id, [t], _) when id == t_real_of_int ->
	fprintf fmt "%a" print3 t
    | Tderef _ ->
	assert false
    | Tvar id when id == implicit ->
	assert false
    | Tvar id when id == t_zwf_zero ->
	fprintf fmt "zwf_zero"
    | Tvar id ->
	ident fmt id
    | Tapp (id, [a; Tapp (id', [b], _)], _) 
      when id == t_pow_real && id' == t_real_of_int ->
	fprintf fmt "(@[%a@ ^ %a@])" print3 a print3 b
    | Tapp (id, [a;b], _) when id == t_pow_real ->
	fprintf fmt "(@[%a@ ^ %a@])" print3 a print3 b
    | Tapp (id, tl, i) when is_prefix id -> 
	fprintf fmt "%s%a(@[%a@])" 
	  (prefix id) print_instance (List.rev i) (print_list comma print0) tl
    | Tapp (id, [t], _) when id == t_neg_int || id == t_neg_real ->
	fprintf fmt "-%a" print3 t
    | Tapp (id, [t], _) when id == t_bool_not ->
	fprintf fmt "(NOT(%a))" print3 t
    | Tapp (id, [a; b; c], _) when id == if_then_else -> 
	fprintf fmt "(@[IF %a@ THEN %a@ ELSE %a@ ENDIF@])" print0 a print0 b print0 c
    | Tapp (id, _l, _) as t when is_infix id ->
	fprintf fmt "@[%a@]" print0 t
    | Tapp (id, _l, _) as t when is_arith_binop id ->
	fprintf fmt "@[(%a)@]" print0 t
    | Tapp (id, [], i) -> 
	fprintf fmt "%a%a" ident id print_instance (List.rev i)
    | Tapp (id, tl, i) -> 
	fprintf fmt "%a%a(@[%a@])" 
	  ident id print_instance (List.rev i) (print_list comma print0) tl
    | Tnamed(_lab,t) -> print3 fmt t
  in
  print0 fmt t

let print_logic_binder fmt (id,pt) =
  fprintf fmt "%a:%a" ident id print_pure_type pt


let print_predicate fmt p =
  let rec print0 fmt = function
    | Pif (a, b, c) -> 
	fprintf fmt "@[IF "; print_term fmt a; fprintf fmt "@ THEN ";
	print0 fmt b; fprintf fmt "@ ELSE "; print0 fmt c; 
	fprintf fmt " ENDIF@]"
    | Pimplies (_, a, b) -> 
	fprintf fmt "@[("; print1 fmt a; fprintf fmt " IMPLIES@ "; 
	print0 fmt b; fprintf fmt ")@]"
    | Piff (a, b) -> 
	fprintf fmt "@[("; print1 fmt a; fprintf fmt " IFF@ "; 
	print0 fmt b; fprintf fmt ")@]"
    | p -> print1 fmt p
  and print1 fmt = function
    | Por (a, b) -> print1 fmt a; fprintf fmt " OR@ "; print2 fmt b
    | p -> print2 fmt p
  and print2 fmt = function
    | Pand (_, _, a, b) | Forallb (_, a, b) -> 
        print2 fmt a; fprintf fmt " AND@ "; print3 fmt b
    | p -> print3 fmt p
  and print3 fmt = function
    | Ptrue ->
	fprintf fmt "True"
    | Pvar id when id == default_post ->
	fprintf fmt "True"
    | Pfalse ->
	fprintf fmt "False"
    | Pvar id -> 
	ident fmt id
    | Papp (id, tl, _) when id == t_distinct ->
	fprintf fmt "@[(%a)@]" print0 (Util.distinct tl)
    | Papp (id, [t], _) when id == well_founded ->
	fprintf fmt "well_founded?(%a)" print_term t
    | Papp (id, [a;b], _) when id == t_zwf_zero ->
	fprintf fmt "zwf_zero(%a, %a)" print_term a print_term b
    | Papp (id, [a;b], _) when is_int_comparison id || is_real_comparison id ->
	fprintf fmt "@[%a %s@ %a@]" 
	  print_term a (infix id) print_term b
    | Papp (id, [a;b], _) when is_eq id ->
	fprintf fmt "@[%a =@ %a@]" print_term a print_term b
    | Papp (id, [a;b], _) when is_neq id ->
	fprintf fmt "%a /=@ %a" print_term a print_term b
    | Papp (id, l, i) -> 	
	fprintf fmt "%a%a(@[" ident id print_instance (List.rev i);
	print_list (fun fmt () -> fprintf fmt ",@ ") print_term fmt l;
	fprintf fmt "@])"
    | Pnot p -> 
	fprintf fmt "NOT "; print3 fmt p
    | Forall (_,id,n,t,_,p) -> 
	let id' = next_away id (predicate_vars p) in
	let p' = subst_in_predicate (subst_onev n id') p in
	fprintf fmt "@[(FORALL (%a: " ident id';
	print_pure_type fmt t; fprintf fmt "):@ ";
	print0 fmt p'; fprintf fmt ")@]"
    | Exists (id,n,t,p) -> 
	let id' = next_away id (predicate_vars p) in
	let p' = subst_in_predicate (subst_onev n id') p in
	fprintf fmt "(@[EXISTS (%a: " ident id';
	print_pure_type fmt t; fprintf fmt "):@ ";
	print0 fmt p'; fprintf fmt "@])"
    | Pnamed (_, p) -> (* TODO: print name *)
	print3 fmt p
    | Plet (_, n, _, t, p) ->
	print3 fmt (subst_term_in_predicate n t p)
    | (Por _ | Piff _ | Pand _ | Pif _ | Pimplies _ | Forallb _) as p -> 
	fprintf fmt "(%a)" print0 p
  in
  print0 fmt p

let print_sequent fmt (hyps,concl) =
  let rec print_seq = function
    | [] ->
	print_predicate fmt concl
    | Svar (id, v) :: hyps -> 
	fprintf fmt "FORALL (%a: %a) :@\n" ident id print_pure_type v;
	print_seq hyps
    | Spred (_,p) :: hyps -> 
	print_predicate fmt p; fprintf fmt " IMPLIES@\n";
	print_seq hyps
  in
  print_seq hyps

let last_theory = ref None

let import_last_theory fmt = match !last_theory with
  | None -> ()
  | Some t -> fprintf fmt "  IMPORTING %s@\n@\n" t

let begin_theory fmt th =
  fprintf fmt "%s: THEORY@\nBEGIN@\n@\n" th;
  fprintf fmt "  %s@\n" Options.pvs_preamble;
  import_last_theory fmt

let begin_sub_theory fmt n th =
  fprintf fmt "%s" th;
  if n > 0 then begin
    fprintf fmt "[";
    for i = 1 to n do fprintf fmt "A%d" i; if i < n then fprintf fmt "," done;
    fprintf fmt ": TYPE]"
  end;
  fprintf fmt ": THEORY@\nBEGIN@\n@\n";
  fprintf fmt "  %s@\n" Options.pvs_preamble;
  import_last_theory fmt
    
let end_theory fmt th =
  fprintf fmt "END %s@\n@\n" th

let print_logic_type fmt = function
  | Predicate [] ->
      fprintf fmt "bool"
  | Predicate pl -> 
      fprintf fmt "[%a -> bool]"
	(print_list comma print_pure_type) pl
  | Function ([], pt) ->
      print_pure_type fmt pt
  | Function (pl, t) -> 
      fprintf fmt "[%a -> %a]"
	(print_list comma print_pure_type) pl print_pure_type t

let declare_type fmt id = 
  fprintf fmt "  @[%a: TYPE+;@]@\n@\n" idents id

let declare_alg_type fmt id cs =
  let print_cargs c fmt pl =
    let cpt = ref 0 in
    let print_carg fmt t =
      incr cpt; fprintf fmt "%s_proj_%i : %a" c !cpt print_pure_type t
    in
    match pl with
    | [] -> ()
    | _  -> fprintf fmt "@[(%a)@]" (print_list comma print_carg) pl
  in
  let cons fmt (c,pl) =
    let c = Ident.string c in
    fprintf fmt "%s%a : %s?" c (print_cargs c) pl c
  in
  fprintf fmt "  @[%s: DATATYPE@\n@[BEGIN@\n%a@]@\nEND %s@]@\n@\n"
    id (print_list newline cons) cs id

let print_logic fmt id t = 
  fprintf fmt "  %%%% Why logic %s@\n" id;
  fprintf fmt "  %a: @[%a@]@\n@\n" idents id print_logic_type t
    
let print_axiom fmt id p =
  fprintf fmt "  @[%%%% Why axiom %s@]@\n" id;
  fprintf fmt "  @[%a: AXIOM@ @[%a@]@]@\n@\n" idents id print_predicate p
    
let print_predicate_def fmt id (bl,p) =
  fprintf fmt "  @[%a(@[%a@]) : bool =@ @[%a@]@]@\n@\n"
    ident id (print_list comma print_logic_binder) bl print_predicate p
    
let print_inductive_def fmt id inddef =
  let (_vars,(bl,cases)) = Env.specialize_inductive_def inddef in
  let newvars = List.map (fun t -> (fresh_var(),t)) bl in
  let body = PredDefExpansor.inductive_inverse_body id newvars cases in
  fprintf fmt "  @[INDUCTIVE %a(@[%a@]) : bool =@ @[%a@]@]@\n@\n"
    ident id (print_list comma print_logic_binder) newvars print_predicate body
    
let print_function_def fmt id (bl,t,e) =
  fprintf fmt "  @[%a(@[%a@]) : %a =@ @[%a@]@]@\n@\n"
    ident id (print_list comma print_logic_binder) bl 
    print_pure_type t print_term e
    
let print_obligation fmt (loc,_is_lemma,_expl,id,s) =
  fprintf fmt "  @[%% %a @]@\n" (Loc.report_obligation_position ~onlybasename:true) loc;
  fprintf fmt "  @[%a: LEMMA@\n" idents id;
  print_sequent fmt s;
  fprintf fmt "@]@\n@\n"
  (*;
  fprintf fmt "@[%% %a @]@\n@\n" Util.print_explanation expl
  *)

(* polymorphism *)

let print_scheme l =
  let r = ref 0 in
  Env.Vmap.iter
    (fun _ x -> 
       incr r;
       x.type_val <- Some (PTvar { tag = !r; user = false; type_val = None }))
    l

let tvar_so_far = ref 0

let print_goal fmt (loc, is_lemma, expl, id, s) =
  let n = Vset.cardinal s.scheme_vars in
  if n > !tvar_so_far then begin
    fprintf fmt "  ";
    for i = !tvar_so_far + 1 to n do
      fprintf fmt "A%d" i; if i < n then fprintf fmt ", "
    done;
    fprintf fmt ": TYPE+;@\n@\n";
    tvar_so_far := n
  end;
  let l,s = Env.specialize_sequent s in
  print_scheme l;
  print_obligation fmt (loc,is_lemma,expl,id,s)

let print_logic_scheme fmt id s =
  let l,t = Env.specialize_logic_type s in
  print_scheme l;
  print_logic fmt id t

let print_axiom_scheme fmt id s =
  let l,a = Env.specialize_predicate s in
  print_scheme l;
  print_axiom fmt id a

type def =
  | DefFunction of function_def scheme
  | DefPredicate of predicate_def scheme
  | DefInductive of inductive_def scheme

let print_def_scheme fmt id = function
  | DefFunction s -> 
      let l,d = Env.specialize_function_def s in
      print_scheme l;
      print_function_def fmt id d
  | DefPredicate s ->
      let l,d = Env.specialize_predicate_def s in
      print_scheme l;
      print_predicate_def fmt id d
  | DefInductive s ->
      let l,_d = Env.specialize_inductive_def s in
      print_scheme l;      
      print_inductive_def fmt id s

let queue = Queue.create ()

let push_decl d = Queue.add d queue

let iter f = Queue.iter f queue

let reset () = Queue.clear queue

let output_elem fmt = function
  | Dtype (_loc, id, []) -> declare_type fmt (Ident.string id)
  | Dtype _ -> assert false
  | Dalgtype [(_loc, id, {scheme_type=([],cs)})] ->
      declare_alg_type fmt (Ident.string id) cs
  | Dalgtype _ -> assert false
  | Dlogic (_loc, id, t) -> print_logic fmt (Ident.string id) t.scheme_type
  | Dpredicate_def (_loc, id, d) -> print_predicate_def fmt id d.scheme_type
  | Dinductive_def(_loc, ident, inddef) -> print_inductive_def fmt ident inddef
  | Dfunction_def (_loc, id, d) -> print_function_def fmt id d.scheme_type
  | Daxiom (_loc, id, p) -> print_axiom fmt id p.scheme_type
  | Dgoal (loc, is_lemma, expl, id, s) -> print_goal fmt (loc, is_lemma, expl, id, s)

module ArMap = struct

  module S = Set.Make(struct type t = int let compare = compare end)

  type 'a t = { mutable keys : S.t; vals : (int, 'a Queue.t) Hashtbl.t }

  let create () = { keys = S.empty; vals = Hashtbl.create 17 }

  let add n x m =
    try 
      Queue.add x (Hashtbl.find m.vals n)
    with Not_found -> 
      let q = Queue.create () in 
      Queue.add x q;
      Hashtbl.add m.vals n q; 
      m.keys <- S.add n m.keys

  let add_scheme s = add (Vset.cardinal s.scheme_vars)

  let importing fmt s m =
    let one fmt n = fprintf fmt "%s%d" s n in
    if not (S.is_empty m.keys) then
      fprintf fmt "  @[IMPORTING %a@]@\n@\n" 
	(print_list comma one) (S.elements m.keys)

(* dead code
  let iter f m = Hashtbl.iter f m.vals
*)

  let print_theories fmt prefix preamble f m =
    Hashtbl.iter
      (fun n q -> 
	let tn = prefix ^ string_of_int n in
	begin_sub_theory fmt n tn;
	preamble ();
	Queue.iter f q;
	end_theory fmt tn) 
      m.vals

end

type pvs_theories = {
  types : (string list * string * (Ident.t * pure_type list) list) ArMap.t;
  decls : (string * logic_type scheme) ArMap.t;
  defs : (string * def) Queue.t;
  axioms : (string * predicate scheme) ArMap.t;
  goals : (loc * bool * Logic_decl.vc_expl * string * sequent scheme) Queue.t;
  mutable poly : bool;
}

let sort_theory () =
  let th = 
    { types = ArMap.create ();
      decls = ArMap.create ();
      defs = Queue.create ();
      axioms = ArMap.create ();
      goals = Queue.create ();
      poly = false }
  in
  let poly s = if not (Vset.is_empty s.scheme_vars) then th.poly <- true in
  let sort = function
    | Dtype (_, id, l) ->
	let n = List.length l in
	if n > 0 then th.poly <- true;
        ArMap.add n (l, Ident.string id, []) th.types
    | Dalgtype [(_, id, { scheme_type = ([], cs) })] ->
        ArMap.add 0 ([], Ident.string id, cs) th.types
    | Dalgtype _ ->
        failwith "PVS: polymorphic algebraic datatypes are not supported"
    | Dlogic (_, id, s) -> 
	poly s; ArMap.add_scheme s (Ident.string id, s) th.decls
    | Dpredicate_def (_, id, s) -> 
	poly s; Queue.add (Ident.string id, DefPredicate s) th.defs
    | Dinductive_def(_loc, ident, inddef) ->
	poly inddef; Queue.add (Ident.string ident, DefInductive inddef) th.defs
    | Dfunction_def (_, id, s) -> 
	poly s; Queue.add (Ident.string id, DefFunction s) th.defs
    | Daxiom (_, id, s) -> 
	poly s; ArMap.add_scheme s (id,s) th.axioms
    | Dgoal (loc, is_lemma, expl, id, s) -> 
	Queue.add (loc,is_lemma,expl,id,s) th.goals
  in
  Queue.iter sort queue;
  th

let output_theory fmt th_name =
  tvar_so_far := 0;
  let th = sort_theory () in
  if th.poly then begin
    (* complex case: there are some polymorphic elements -> several theories *)
    let import_types () = ArMap.importing fmt (th_name ^ "_types") th.types in
    let import_decls () = ArMap.importing fmt (th_name ^ "_decls") th.decls in
    let importing l = 
      if l <> [] then 
	fprintf fmt "  @[IMPORTING %a@]@\n@\n" 
	  (print_list comma pp_print_string) l
    in
    let all_defs = 
      Queue.fold (fun l (id,_) -> (th_name ^ "_" ^ id) :: l) [] th.defs
    in
    let import_defs () = importing all_defs in
    let import_axioms () = ArMap.importing fmt (th_name^"_axioms") th.axioms in
    import_types ();
    import_decls ();
    import_defs ();
    import_axioms ();
    (* goals *)
    Queue.iter (print_goal fmt) th.goals;
    end_theory fmt th_name;
    (* axioms *)
    ArMap.print_theories fmt (th_name ^ "_axioms") 
      (fun () -> import_types (); import_decls (); import_defs ())
      (fun (id,a) -> print_axiom_scheme fmt id a) th.axioms;
    (* defs *)
    let defs_so_far = ref [] in
    Queue.iter 
      (fun (id,def) -> 
	let n = 
	  let vars = match def with 
	    | DefFunction s -> s.scheme_vars
	    | DefInductive s -> s.scheme_vars
	    | DefPredicate s -> s.scheme_vars
	  in
	  Vset.cardinal vars
	in
	let name = th_name ^ "_" ^ id in
	begin_sub_theory fmt n name;
	import_types ();
	import_decls ();
	importing !defs_so_far;
	print_def_scheme fmt (Ident.create id) def;
	end_theory fmt name;
        defs_so_far := name :: !defs_so_far)
      th.defs;
    (* decls *)
    ArMap.print_theories fmt (th_name ^ "_decls") 
      import_types
      (fun (id,t) -> print_logic_scheme fmt id t) th.decls;
    (* types *)
    ArMap.print_theories fmt (th_name ^ "_types") 
      (fun () -> ())
      (function
        | (_,id,[]) -> declare_type fmt id
        | (_,id,cs) -> declare_alg_type fmt id cs) th.types
  end else begin 
    (* simple case: no polymorphism at all -> a single theory *)
    iter (output_elem fmt);
    end_theory fmt th_name
  end

let output_file fwe =
  let sep = "  %% DO NOT EDIT BELOW THIS LINE" in
  let file = fwe ^ "_why.pvs" in
  let th_name = (Filename.basename fwe) ^ "_why" in
  do_not_edit_below ~file
    ~before:(fun fmt -> begin_theory fmt th_name)
    ~sep
    ~after:(fun fmt -> output_theory fmt th_name);
  last_theory := Some th_name
    

why-2.39/src/graphviz.ml0000644000106100004300000007246513147234006014222 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(** Interface with {i GraphViz}

    This module provides a basic interface with dot and neato,
    two programs of the GraphViz toolbox.
    These tools are available at the following URLs:
      http://www.graphviz.org/
      http://www.research.att.com/sw/tools/graphviz/

 *)

open Format



(***************************************************************************)
(** {2 Common stuff} *)

(** Because the neato and dot engines present a lot of common points -
    in particular in the graph description language, large parts of
    the code is shared.  First, the [!CommonAttributes] module defines
    attributes of graphs, nodes and edges that are understood by the
    two engines.  Second, given a module (of type [!ENGINE])
    describing an engine the [!MakeEngine] functor provides suitable
    interface function for it. *)

(*-------------------------------------------------------------------------*)
(** {3 Common attributes} *)

type color = int

let fprint_color ppf color =
  fprintf ppf "\"#%06X\"" color

let fprint_string ppf s = fprintf ppf "\"%s\"" s
(*  let s' = String.escaped s in
  if s' = s && s <> ""
  then fprintf ppf "%s" s
  else fprintf ppf "\"%s\"" s'*)

let fprint_string_user ppf s =
(*  let s = String.escaped s in*)
    fprintf ppf "\"%s\"" s

type arrow_style =
  [ `None | `Normal | `Inv | `Dot | `Odot | `Invdot | `Invodot ] 

let fprint_arrow_style ppf = function
    `None -> fprintf ppf "none"
  | `Normal -> fprintf ppf "normal"
  | `Inv -> fprintf ppf "inv"
  | `Dot -> fprintf ppf "dot"
  | `Odot -> fprintf ppf "odot"
  | `Invdot -> fprintf ppf "invdot"
  | `Invodot -> fprintf ppf "invodot"

let fprint_dir ppf = function
    `TopToBottom -> fprintf ppf "TB"
  | `LeftToRight -> fprintf ppf "LR"



(** The [CommonAttributes] module defines attributes for graphs, nodes and edges
    that are available in the two engines, dot and neato.
 *)
module CommonAttributes = struct

  (** Attributes of graphs.
   *)
  type graph =
    [ `Center of bool
        (** Centers the drawing on the page.  Default value is [false]. *)
    | `Fontcolor of color
        (** Sets the font color.  Default value is [black]. *)
    | `Fontname of string
        (** Sets the font family name.  Default value is ["Times-Roman"]. *)
    | `Fontsize of int
        (** Sets the type size (in points).  Default value is [14]. *)
    | `Label of string
        (** Caption for graph drawing. *)
    | `Orientation of [ `Portrait | `Landscape ]
        (** Sets the page orientation.  Default value is [`Portrait]. *)
    | `Page of float * float
        (** Sets the PostScript pagination unit, e.g [8.5, 11.0]. *)
    | `Pagedir of [ `TopToBottom | `LeftToRight ]
        (** Traversal order of pages.  Default value is [`TopToBottom]. *)
    | `Size of float * float
        (** Sets the bounding box of drawing (in inches). *)
    | `OrderingOut
        (** Constrains  order of out-edges in a subgraph according to
          their file sequence *)
    ] 

  (** Attributes of nodes. *)
  type vertex =
    [ `Color of color
        (** Sets the color of the border of the node. Default value is [black]
         *)
    | `Fontcolor of color
        (** Sets the label font color.  Default value is [black]. *)
    | `Fontname of string
        (** Sets the label font family name.  Default value is
            ["Times-Roman"]. *)
    | `Fontsize of int
        (** Sets the label type size (in points).  Default value is [14]. *)
    | `Height of float
        (** Sets the minimum height.  Default value is [0.5]. *)
    | `Label of string
        (** Sets the label printed in the node. The string may include escaped
            newlines [\n], [\l], or [\r] for center, left, and right justified
	    lines.
            Record labels may contain recursive box lists delimited by { | }. 
	*)
    | `Orientation of float
        (** Node rotation angle, in degrees.  Default value is [0.0]. *)
    | `Peripheries of int
        (** Sets  the  number  of periphery lines drawn around the polygon. *)
    | `Regular of bool
        (** If [true], then the polygon is made regular, i.e. symmetric about
	    the x and y axis, otherwise  the polygon   takes   on   the  aspect
	    ratio of the label.  Default value is [false]. *)
    | `Shape of
        [`Ellipse | `Box | `Circle | `Doublecircle | `Diamond
        | `Plaintext | `Record | `Polygon of int * float]
        (** Sets the shape of the node.  Default value is [`Ellipse].
            [`Polygon (i, f)] draws a polygon with [n] sides and a skewing
            of [f]. *)
    | `Style of [ `Filled | `Solid | `Dashed | `Dotted | `Bold | `Invis ]
        (** Sets the layout style of the node.  Several styles may be combined
            simultaneously. *)
    | `Width of float
        (** Sets the minimum width.  Default value is [0.75]. *)
    ]     

  (** Attributes of edges.
   *)
  type edge =
    [ `Color of color
        (** Sets the edge stroke color.  Default value is [black]. *)
    | `Decorate of bool
        (** If [true], draws a line connecting labels with their edges. *)
    | `Dir of [ `Forward | `Back | `Both | `None ] 
        (** Sets arrow direction.  Default value is [`Forward]. *)
    | `Fontcolor of color
        (** Sets the label font color.  Default value is [black]. *)
    | `Fontname of string
        (** Sets the label font family name.  Default value is
	    ["Times-Roman"]. *)
    | `Fontsize of int
        (** Sets the label type size (in points).  Default value is [14]. *)
    | `Label of string
        (** Sets the label to be attached to the edge.  The string may include
	    escaped newlines [\n], [\l], or [\r] for centered, left, or right
	    justified lines. *)
    | `Labelfontcolor of color
        (** Sets the font color for head and tail labels.  Default value is
            [black]. *)
    | `Labelfontname of string
        (** Sets the font family name for head and tail labels.  Default
            value is ["Times-Roman"]. *)
    | `Labelfontsize of int
        (** Sets the font size for head and tail labels (in points). 
            Default value is [14]. *)
    | `Style of [ `Solid | `Dashed | `Dotted | `Bold | `Invis ]
        (** Sets the layout style of the edge.  Several styles may be combined
            simultaneously. *)
    ]     



  (** Pretty-print. *)

  let fprint_orientation ppf = function
      `Portrait -> fprintf ppf "portrait"
    | `Landscape -> fprintf ppf "landscape"

  let fprint_graph ppf = function
      `Center b -> fprintf ppf "center=%i" (if b then 1 else 0)
    | `Fontcolor a -> fprintf ppf "fontcolor=%a" fprint_color a
    | `Fontname s -> fprintf ppf "fontname=%a" fprint_string s
    | `Fontsize i -> fprintf ppf "fontsize=%i" i
    | `Label s -> fprintf ppf "label=%a" fprint_string_user s
    | `Orientation a -> fprintf ppf "orientation=%a" fprint_orientation a
    | `Page (x, y) -> fprintf ppf "page=\"%f,%f\"" x y
    | `Pagedir a -> fprintf ppf "pagedir=%a" fprint_dir a
    | `Size (x, y) -> fprintf ppf "size=\"%f,%f\"" x y
    | `OrderingOut -> fprintf ppf "ordering=out"



  let fprint_shape ppf = function
    | `Ellipse -> fprintf ppf "ellipse"
    | `Box -> fprintf ppf "box"
    | `Circle -> fprintf ppf "circle"
    | `Doublecircle -> fprintf ppf "doublecircle"
    | `Diamond -> fprintf ppf "diamond"
    | `Plaintext -> fprintf ppf "plaintext"
    | `Record -> fprintf ppf "record"
    | `Polygon (i, f) -> fprintf ppf "polygon, sides=%i, skew=%f" i f

  let fprint_node_style ppf = function
      `Filled -> fprintf ppf "filled"
    | `Solid -> fprintf ppf "solid"
    | `Dashed -> fprintf ppf "dashed"
    | `Dotted -> fprintf ppf "dotted"
    | `Bold -> fprintf ppf "bold"
    | `Invis -> fprintf ppf "invis"

  let fprint_vertex ppf = function
      `Color a -> fprintf ppf "color=%a" fprint_color a
    | `Fontcolor a -> fprintf ppf "fontcolor=%a" fprint_color a
    | `Fontname s -> fprintf ppf "fontname=%a"  fprint_string s
    | `Fontsize i -> fprintf ppf "fontsize=%i" i
    | `Height f -> fprintf ppf "height=%f" f
    | `Label s -> fprintf ppf "label=%a" fprint_string_user s
    | `Orientation f -> fprintf ppf "orientation=%f" f
    | `Peripheries i -> fprintf ppf "peripheries=%i" i
    | `Regular b -> fprintf ppf "regular=%b" b
    | `Shape a -> fprintf ppf "shape=%a" fprint_shape a
    | `Style a -> fprintf ppf "style=%a" fprint_node_style a
    | `Width f -> fprintf ppf "width=%f" f
  


  let fprint_edge_style = 
    fprint_node_style

  let fprint_arrow_direction ppf = function
      `Forward -> fprintf ppf "forward"
    | `Back -> fprintf ppf "back"
    | `Both -> fprintf ppf "both"
    | `None -> fprintf ppf "none"

  let fprint_edge ppf = function
      `Color a -> fprintf ppf "color=%a" fprint_color a
    | `Decorate b -> fprintf ppf "decorate=%b" b
    | `Dir a -> fprintf ppf "dir=%a" fprint_arrow_direction a
    | `Fontcolor a -> fprintf ppf "fontcolor=%a" fprint_color a
    | `Fontname s -> fprintf ppf "fontname=%a" fprint_string s
    | `Fontsize i -> fprintf ppf "fontsize=%i" i
    | `Label s -> fprintf ppf "label=%a" fprint_string_user s
    | `Labelfontcolor a -> fprintf ppf "labelfontcolor=%a" fprint_color a
    | `Labelfontname s -> fprintf ppf "labelfontname=\"%s\"" s 
	(* (String.escaped s) *)
    | `Labelfontsize i -> fprintf ppf "labelfontsize=%i" i
    | `Style a -> fprintf ppf "style=%a" fprint_edge_style a

end



(*-------------------------------------------------------------------------*)
(** {3 The [MakeEngine] functor} *)

(** An engine is described by a module of the following signature.
 *)
module type ENGINE = sig

  module Attributes : sig
    (** Attributes of graphs provided by the engine. *)
    type graph

    (** Attributes of nodes provided by the engine. *)
    type vertex

    (** Attribute of edges provided by the engine. *)
    type edge

    type subgraph = {
      sg_name : string;
      sg_attributes : vertex list;
    }

    val fprint_graph:formatter -> graph -> unit
    val fprint_vertex: formatter -> vertex -> unit
    val fprint_edge: formatter -> edge -> unit

  end

  (** The litteral name of the engine. *)      
  val name: string

  (** The keyword for graphs ("digraph" for dot, "graph" for neato) *)
    val opening: string

  (** The litteral for edge arrows ("->" for dot, "--" for neato) *)
  val edge_arrow: string

end



module MakeEngine 
  (EN: ENGINE)
  (X : sig
     type t
     module V : sig type t end
     module E : sig type t val src : t -> V.t val dst : t -> V.t end
       
     val iter_vertex : (V.t -> unit) -> t -> unit
     val iter_edges_e : (E.t -> unit) -> t -> unit

     val graph_attributes: t -> EN.Attributes.graph list

     val default_vertex_attributes: t -> EN.Attributes.vertex list
     val vertex_name : V.t -> string
     val vertex_attributes: V.t -> EN.Attributes.vertex list

     val default_edge_attributes: t -> EN.Attributes.edge list
     val edge_attributes: E.t -> EN.Attributes.edge list

     val get_subgraph : V.t -> EN.Attributes.subgraph option

  end) = 
struct

  let command = ref EN.name
  let set_command cmd =
    command := cmd

  exception Error of string

  let handle_error f arg =
    try 
      f arg
    with 
	Error msg ->
	  Printf.eprintf "%s: %s failure\n   %s\n"
	  Sys.argv.(0) EN.name msg;
	  flush stderr;
	  exit 2



    (** [fprint_graph_attributes ppf list] pretty prints a list of 
        graph attributes on the formatter [ppf].  Attributes are separated
        by a ";". 
    *)
    let fprint_graph_attributes ppf list =
       List.iter (function att ->
	 fprintf ppf "%a;@ " EN.Attributes.fprint_graph att
       ) list

   (** [fprint_graph_attribute printer ppf list] pretty prints a list of 
       attributes on the formatter [ppf], using the printer [printer] for
       each attribute.  The list appears between brackets and attributes
       are speparated by ",".  If the list is empty, nothing is printed.
    *)
    let fprint_attributes fprint_attribute ppf = function
	[] -> ()
      | hd :: tl ->
	  let rec fprint_attributes_rec ppf = function
	      [] -> ()
	    | hd' :: tl' ->
		fprintf ppf ",@ %a%a" 
		  fprint_attribute hd'
		  fprint_attributes_rec tl'
	  in
	  fprintf ppf " [@[%a%a@]]"
	    fprint_attribute hd
	    fprint_attributes_rec tl

    (** [fprint_graph_attributes ppf list] pretty prints a list of 
        node attributes using the format of [fprint_attributes].
     *)
    let fprint_node_attributes ppf list = 
      fprint_attributes EN.Attributes.fprint_vertex ppf list
	 
    (** [fprint_graph_attributes ppf list] pretty prints a list of 
        edge attributes using the format of [fprint_attributes].
     *)
    let fprint_edge_attributes ppf list =
      fprint_attributes EN.Attributes.fprint_edge ppf list



    (** [fprint_graph ppf graph] pretty prints the graph [graph] in
        the CGL language on the formatter [ppf]. 
     *)
    let fprint_graph ppf graph =
      let subgraphs = Hashtbl.create 7 in 

      (* Printing nodes. *)

      let print_nodes ppf =

	let default_node_attributes = X.default_vertex_attributes graph in
	if default_node_attributes  <> [] then
	  fprintf ppf "node%a;@ " fprint_node_attributes default_node_attributes;

	X.iter_vertex 
          (function node ->
             begin match X.get_subgraph node with 
             | None -> ()
             | Some sg -> 
                 try 
                   let (sg,nodes) = Hashtbl.find subgraphs sg.EN.Attributes.sg_name in
                   Hashtbl.replace subgraphs sg.EN.Attributes.sg_name (sg,node::nodes)
                 with Not_found -> 
                   Hashtbl.add subgraphs sg.EN.Attributes.sg_name (sg,[node]) 
             end;
	     fprintf ppf "%s%a;@ " 
	       (X.vertex_name node)
	       fprint_node_attributes (X.vertex_attributes node)) 
          graph

      in

      (* Printing subgraphs *)

      let print_subgraphs ppf = 
        
        Hashtbl.iter
          (fun name (sg,nodes) -> 
             fprintf ppf "@[subgraph cluster_%s { %t%t };@]@\n"
               name
               
               (fun ppf -> 
                  (List.iter 
                     (fun n -> fprintf ppf "%a;@\n" EN.Attributes.fprint_vertex n)
                     sg.EN.Attributes.sg_attributes))
               (fun ppf -> 
                  (List.iter 
                     (fun n -> fprintf ppf "%s;" (X.vertex_name n))
                     nodes))
               
          )
          subgraphs 
        
      in

      (* Printing edges *)

      let print_edges ppf =
	
	let default_edge_attributes = X.default_edge_attributes graph in
	if default_edge_attributes <> [] then
	  fprintf ppf "edge%a;@ " fprint_edge_attributes default_edge_attributes;

	X.iter_edges_e (function edge ->
	                  fprintf ppf "%s %s %s%a;@ "
	                    (X.vertex_name (X.E.src edge))
	                    EN.edge_arrow
	                    (X.vertex_name (X.E.dst edge))
	                    fprint_edge_attributes (X.edge_attributes edge)
                       ) graph

      in

      fprintf ppf "@[%s G {@ @[  %a"
	EN.opening
	fprint_graph_attributes (X.graph_attributes graph);
      fprintf ppf "%t@ " print_nodes;
      fprintf ppf "%t@ " print_subgraphs;
      fprintf ppf "%t@ " print_edges;
      fprintf ppf "@]}@]"



    (** [output_graph oc graph] pretty prints the graph [graph] in the dot
	language on the channel [oc].
     *)
    let output_graph oc graph =

      let ppf = formatter_of_out_channel oc in
      fprint_graph ppf graph;
      pp_print_flush ppf ()

  end




(***************************************************************************)
(** {2 Interface with the dot engine} *)

(** The [DotAttributes] module defines attributes for graphs, nodes and edges
    that are available in the dot engine.
 *)
module DotAttributes = struct

  (** Attributes of graphs.  They include all common graph attributes and
      several specific ones.  All attributes described in the "dot User's
      Manual, February 4, 2002" are handled, excepted: clusterank, color,
      compound, labeljust, labelloc, ordering, rank, remincross, rotate,
      searchsize and style.
   *)
  type graph =
    [ CommonAttributes.graph
    | `Bgcolor of color
        (** Sets the background color and the inital fill color. *)
    | `Comment of string
        (** Comment string. *)
    | `Concentrate of bool
        (** If [true], enables edge concentrators.  Default value is [false]. *)
    | `Fontpath of string
        (** List of directories for fonts. *)
    | `Layers of string list
        (** List of layers. *)
    | `Margin of float
        (** Sets the page margin (included in the page size).  Default value is
            [0.5]. *)
    | `Mclimit of float
        (** Scale factor for mincross iterations.  Default value is [1.0]. *)
    | `Nodesep of float
        (** Sets the minimum separation between nodes, in inches.  Default
            value is [0.25]. *)
    | `Nslimit of int
        (** If set of [f], bounds network simplex iterations by [f *
            ] when ranking nodes. *)
    | `Nslimit1 of int
        (** If set of [f], bounds network simplex iterations by [f *
            ] when setting x-coordinates. *)
    | `Ranksep of float
        (** Sets the minimum separation between ranks. *)
    | `Quantum of float
        (** If not [0.0], node label dimensions will be rounded to integral
	    multiples of it.  Default value is [0.0]. *)
    | `Rankdir of [ `TopToBottom | `LeftToRight ]
        (** Direction of rank ordering.  Default value is [`TopToBottom]. *)
    | `Ratio of [ `Float of float | `Fill | `Compress| `Auto ]
        (** Sets the aspect ratio. *)
    | `Samplepoints of int
        (** Number of points used to represent ellipses and circles on output.
	    Default value is [8]. *)
    | `Url of string
        (** URL associated with graph (format-dependent). *)
    ] 

  (** Attributes of nodes.  They include all common node attributes and
      several specific ones.  All attributes described in the "dot User's
      Manual, February 4, 2002" are handled, excepted: bottomlabel, group,
      shapefile and toplabel.
   *)
  type vertex =
    [ CommonAttributes.vertex
    | `Comment of string
        (** Comment string. *)
    | `Distortion of float
        (* TEMPORARY *)
    | `Fillcolor of color
        (** Sets the fill color (used when `Style filled).  Default value
            is [lightgrey]. *)
    | `Fixedsize of bool
        (** If [true], forces the given dimensions to be the actual ones.
            Default value is [false]. *)
    | `Layer of string
        (** Overlay. *)
    | `Url of string
        (** The  default  url  for  image  map  files; in PostScript files,
            the base URL for all relative URLs, as recognized by Acrobat
	    Distiller 3.0 and up. *)
    | `Z of float
        (** z coordinate for VRML output. *)
    ] 

  (** Attributes of edges.  They include all common edge attributes and
      several specific ones.  All attributes described in the "dot User's
      Manual, February 4, 2002" are handled, excepted: lhead and ltail.
   *)
  type edge =
    [ CommonAttributes.edge
    | `Arrowhead of arrow_style
        (** Sets the style of the head arrow.  Default value is [`Normal]. *)
    | `Arrowsize of float
        (** Sets the scaling factor of arrowheads.  Default value is [1.0]. *)
    | `Arrowtail of arrow_style
        (** Sets the style of the tail arrow.  Default value is [`Normal]. *)
    | `Comment of string
        (** Comment string. *)
    | `Constraints of bool
        (** If [false], causes an edge to be ignored for rank assignment. 
            Default value is [true]. *)
    | `Headlabel of string
        (** Sets the label attached to the head arrow. *)
    | `Headport of [ `N | `NE | `E | `SE | `S | `SW | `W | `NW ]
        (* TEMPORARY *)
    | `Headurl of string
        (** Url attached to head label if output format is ismap. *)
    | `Labelangle of float
        (** Angle in degrees which head or tail label is rotated off edge. 
            Default value is [-25.0]. *)
    | `Labeldistance of float
        (** Scaling factor for distance of head or tail label from node. 
            Default value is [1.0]. *)
    | `Labelfloat of bool
        (** If [true], lessen constraints on edge label placement. 
            Default value is [false]. *)
    | `Layer of string
        (** Overlay. *)
    | `Minlen of int
        (** Minimum rank distance between head an tail.  Default value is [1]. *)
    | `Samehead of string
        (** Tag for head node; edge heads with the same tag are merged onto the
	    same port. *)
    | `Sametail of string
        (** Tag for tail node; edge tails with the same tag are merged onto the
	    same port. *)
    | `Taillabel of string
        (** Sets the label attached to the tail arrow. *)
    | `Tailport of [ `N | `NE | `E | `SE | `S | `SW | `W | `NW ]
        (* TEMPORARY *)
    | `Tailurl of string
        (** Url attached to tail label if output format is ismap. *)
    | `Weight of int
        (** Sets the integer cost of stretching the edge.  Default value is
            [1]. *)
    ] 



    type subgraph = {
      sg_name : string;
      sg_attributes : vertex list;
    }

  (** {4 Pretty-print of attributes} *)

  let rec fprint_string_list ppf = function
      [] -> ()
    | [hd] -> fprintf ppf "%s" hd
    | hd :: tl -> fprintf ppf "%s,%a" hd fprint_string_list tl

  let fprint_ratio ppf = function
      `Float f -> fprintf ppf "%f" f
    | `Fill -> fprintf ppf "fill"
    | `Compress -> fprintf ppf "compress"
    | `Auto -> fprintf ppf "auto"

  let fprint_graph ppf = function
      #CommonAttributes.graph as att -> CommonAttributes.fprint_graph ppf att
    | `Bgcolor a -> fprintf ppf "bgcolor=%a" fprint_color a
    | `Comment s -> fprintf ppf "comment=%a" fprint_string s
    | `Concentrate b -> fprintf ppf "concentrate=%b" b
    | `Fontpath s -> fprintf ppf "fontpath=%a" fprint_string s
    | `Layers s -> fprintf ppf "layers=%a" fprint_string_list s
    | `Margin f -> fprintf ppf "margin=%f" f
    | `Mclimit f -> fprintf ppf "mclimit=%f" f
    | `Nodesep f -> fprintf ppf "nodesep=%f" f
    | `Nslimit i -> fprintf ppf "nslimit=%i" i
    | `Nslimit1 i -> fprintf ppf "nslimit1=%i" i
    | `Ranksep f -> fprintf ppf "ranksep=%f" f
    | `Quantum f -> fprintf ppf "quantum=%f" f
    | `Rankdir a -> fprintf ppf "rankdir=%a" fprint_dir a
    | `Ratio a -> fprintf ppf "ratio=%a" fprint_ratio a
    | `Samplepoints i -> fprintf ppf "samplepoints=%i" i
    | `Url s -> fprintf ppf "URL=\"%s\"" s (*(String.escaped s)*)

  let fprint_vertex ppf = function
      #CommonAttributes.vertex as att -> CommonAttributes.fprint_vertex ppf att
    | `Comment s -> fprintf ppf "comment=%a" fprint_string s
    | `Distortion f -> fprintf ppf "distortion=%f" f
    | `Fillcolor a -> fprintf ppf "fillcolor=%a" fprint_color a
    | `Fixedsize b -> fprintf ppf "fixedsize=%b" b
    | `Layer s -> fprintf ppf "layer=%a" fprint_string s
    | `Url s -> fprintf ppf "URL=\"%s\"" s (*(String.escaped s)*)
    | `Z f -> fprintf ppf "z=%f" f



  let fprint_port ppf = function
      `N -> fprintf ppf "n"
    | `NE -> fprintf ppf "ne"
    | `E -> fprintf ppf "e"
    | `SE -> fprintf ppf "se"
    | `S -> fprintf ppf "s"
    | `SW -> fprintf ppf "sw"
    | `W -> fprintf ppf "w"
    | `NW -> fprintf ppf "nw"

  let fprint_edge ppf = function
      #CommonAttributes.edge as att -> CommonAttributes.fprint_edge ppf att
    | `Arrowhead a -> fprintf ppf "arrowhead=%a" fprint_arrow_style a
    | `Arrowsize f -> fprintf ppf "arrowsize=%f" f
    | `Arrowtail a -> fprintf ppf "arrowtail=%a" fprint_arrow_style a
    | `Comment s -> fprintf ppf "comment=%a" fprint_string s
    | `Constraints b -> fprintf ppf "constraints=%b" b
    | `Headlabel s -> fprintf ppf "headlabel=%a" fprint_string s
    | `Headport a -> fprintf ppf "headport=%a" fprint_port a
    | `Headurl s -> fprintf ppf "headURL=%a" fprint_string s
    | `Labelangle f -> fprintf ppf "labelangle=%f" f
    | `Labeldistance f -> fprintf ppf "labeldistance=%f" f
    | `Labelfloat b -> fprintf ppf "labelfloat=%b" b
    | `Layer s -> fprintf ppf "layer=%a" fprint_string s
    | `Minlen i -> fprintf ppf "minlen=%i" i
    | `Samehead s -> fprintf ppf "samehead=%a" fprint_string s
    | `Sametail s -> fprintf ppf "sametail=%a" fprint_string s
    | `Taillabel s -> fprintf ppf "taillabel=%a" fprint_string s
    | `Tailport a -> fprintf ppf "tailport=%a" fprint_port a
    | `Tailurl s -> fprintf ppf "tailURL=%a" fprint_string s
    | `Weight i -> fprintf ppf "weight=%i" i


end



module Dot = 
  MakeEngine (struct
		module Attributes = DotAttributes
		let name = "dot"
		let opening = "digraph"
		let edge_arrow = "->"
	      end)


(***************************************************************************)
(** {2 Interface with the neato engine} *)

(** The [NeatoAttributes] module defines attributes for graphs, nodes and edges
    that are available in the neato engine.
 *)
module NeatoAttributes = struct

  (** Attributes of graphs.  They include all common graph attributes and
      several specific ones.  All attributes described in the "Neato User's
      manual, April 10, 2002" are handled.
   *)
  type graph =
    [ CommonAttributes.graph
    | `Margin of float * float
        (** Sets the page margin (included in the page size).  Default value is
            [0.5, 0.5]. *)
    | `Start of int
        (** Seed for random number generator. *)
    | `Overlap of bool
	(** Default value is [true]. *)
    | `Spline of bool
	(** [true] makes edge splines if nodes don't overlap.
	    Default value is [false]. *)
    | `Sep of float
	(** Edge spline separation factor from nodes.  Default value 
	    is [0.0]. *)
    ] 

  (** Attributes of nodes.  They include all common node attributes and
      several specific ones.  All attributes described in the "Neato User's
      manual, April 10, 2002" are handled.
   *)
  type vertex =
    [ CommonAttributes.vertex
    | `Pos of float * float
        (** Initial coordinates of the node. *)
    ] 

  (** Attributes of edges.  They include all common edge attributes and
      several specific ones.  All attributes described in the "Neato User's
      manual, April 10, 2002" are handled.
   *)
  type edge =
    [ CommonAttributes.edge
    | `Id of string
        (** Optional value to distinguish multiple edges. *)
    | `Len of float
        (** Preferred length of edge.  Default value is [1.0]. *)
    | `Weight of float
        (** Strength of edge spring.  Default value is [1.0]. *)
    ] 



    type subgraph = {
      sg_name : string;
      sg_attributes : vertex list;
    }

  (** {4 Pretty-print of attributes} *)

  let fprint_graph ppf = function
      #CommonAttributes.graph as att -> CommonAttributes.fprint_graph ppf att
    | `Margin (f1, f2) -> fprintf ppf "margin=\"%f,%f\"" f1 f2
    | `Start i -> fprintf ppf "start=%i" i
    | `Overlap b -> fprintf ppf "overlap=%b" b
    | `Spline b -> fprintf ppf "spline=%b" b
    | `Sep f -> fprintf ppf "sep=%f" f

  let fprint_vertex ppf = function
      #CommonAttributes.vertex as att -> CommonAttributes.fprint_vertex ppf att
    | `Pos (f1, f2) -> fprintf ppf "pos=\"%f,%f\"" f1 f2

  let fprint_edge ppf = function
      #CommonAttributes.edge as att -> CommonAttributes.fprint_edge ppf att
    | `Id s -> fprintf ppf "id=%a" fprint_string s
    | `Len f -> fprintf ppf "len=%f" f
    | `Weight f -> fprintf ppf "weight=%f" f

end



module Neato = 
  MakeEngine (struct
		module Attributes = NeatoAttributes
		let name = "neato"
		let opening = "graph"
		let edge_arrow = "--"
	      end)
why-2.39/src/graphviz.mli0000644000106100004300000004234313147234006014363 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(** Interface with {i GraphViz}

    This module provides a basic interface with dot and neato,
    two programs of the GraphViz toolbox.
    These tools are available at the following URLs:

    {v http://www.graphviz.org/ v}

    {v http://www.research.att.com/sw/tools/graphviz/ v}

 *)

open Format



(***************************************************************************)
(** {2 Common stuff} *)

(** Because the neato and dot engines present a lot of common points -
    in particular in the graph description language, large parts of
    the code is shared.  The [CommonAttributes] module defines
    attributes of graphs, vertices and edges that are understood by the
    two engines.  Then module [DotAttributes] and [NeatoAttributes]
    define attributes specific to dot and neato respectively. *)

(*-------------------------------------------------------------------------*)
(** {3 Common attributes} *)

type color = int

type arrow_style =
  [ `None | `Normal | `Inv | `Dot | `Odot | `Invdot | `Invodot ] 



(** The [CommonAttributes] module defines attributes for graphs, 
    vertices and edges that are available in the two engines, dot and neato. *)
module CommonAttributes : sig

  (** Attributes of graphs. *)
  type graph =
    [ `Center of bool
        (** Centers the drawing on the page.  Default value is [false]. *)
    | `Fontcolor of color
        (** Sets the font color.  Default value is [black]. *)
    | `Fontname of string
        (** Sets the font family name.  Default value is ["Times-Roman"]. *)
    | `Fontsize of int
        (** Sets the type size (in points).  Default value is [14]. *)
    | `Label of string
        (** Caption for graph drawing. *)
    | `Orientation of [ `Portrait | `Landscape ]
        (** Sets the page orientation.  Default value is [`Portrait]. *)
    | `Page of float * float
        (** Sets the PostScript pagination unit, e.g [8.5, 11.0]. *)
    | `Pagedir of [ `TopToBottom | `LeftToRight ]
        (** Traversal order of pages.  Default value is [`TopToBottom]. *)
    | `Size of float * float
        (** Sets the bounding box of drawing (in inches). *)
    | `OrderingOut
        (** Constrains  order of out-edges in a subgraph according to
          their file sequence *)
    ] 

  (** Attributes of vertices.
   *)
  type vertex =
    [ `Color of color
        (** Sets the color of the border of the vertex. 
	  Default value is [black] *)
    | `Fontcolor of color
        (** Sets the label font color.  Default value is [black]. *)
    | `Fontname of string
        (** Sets the label font family name.  Default value is
            ["Times-Roman"]. *)
    | `Fontsize of int
        (** Sets the label type size (in points).  Default value is [14].
         *)
    | `Height of float
        (** Sets the minimum height.  Default value is [0.5]. *)
    | `Label of string
        (** Sets the label printed in the vertex. 
	    The string may include escaped
            newlines [\n], [\l], or [\r] for center, left, and right justified
	    lines.
            Record labels may contain recursive box lists delimited by { | }. 
	*)
    | `Orientation of float
        (** Vertex rotation angle, in degrees.  Default value is [0.0]. *)
    | `Peripheries of int
        (** Sets  the  number  of periphery lines drawn around the polygon. *)
    | `Regular of bool
        (** If [true], then the polygon is made regular, i.e. symmetric about
	    the x and y axis, otherwise  the polygon   takes   on   the  aspect
	    ratio of the label.  Default value is [false]. *)
    | `Shape of
        [`Ellipse | `Box | `Circle | `Doublecircle | `Diamond
        | `Plaintext | `Record | `Polygon of int * float]
        (** Sets the shape of the vertex.  Default value is [`Ellipse].
            [`Polygon (i, f)] draws a polygon with [n] sides and a skewing
            of [f]. *)
    | `Style of [ `Filled | `Solid | `Dashed | `Dotted | `Bold | `Invis ]
        (** Sets the layout style of the vertex.  
	    Several styles may be combined simultaneously. *)
    | `Width of float
        (** Sets the minimum width.  Default value is [0.75]. *)
    ]     

  (** Attributes of edges.
   *)
  type edge =
    [ `Color of color
        (** Sets the edge stroke color.  Default value is [black]. *)
    | `Decorate of bool
        (** If [true], draws a line connecting labels with their edges. *)
    | `Dir of [ `Forward | `Back | `Both | `None ] 
        (** Sets arrow direction.  Default value is [`Forward]. *)
    | `Fontcolor of color
        (** Sets the label font color.  Default value is [black]. *)
    | `Fontname of string
        (** Sets the label font family name.  Default value is
	    ["Times-Roman"]. *)
    | `Fontsize of int
        (** Sets the label type size (in points).  Default value is [14]. *)
    | `Label of string
        (** Sets the label to be attached to the edge.  The string may include
	    escaped newlines [\n], [\l], or [\r] for centered, left, or right
	    justified lines. *)
    | `Labelfontcolor of color
        (** Sets the font color for head and tail labels.  Default value is
            [black]. *)
    | `Labelfontname of string
        (** Sets the font family name for head and tail labels.  Default
            value is ["Times-Roman"]. *)
    | `Labelfontsize of int
        (** Sets the font size for head and tail labels (in points). 
            Default value is [14]. *)
    | `Style of [ `Solid | `Dashed | `Dotted | `Bold | `Invis ]
        (** Sets the layout style of the edge.  Several styles may be combined
            simultaneously. *)
    ]     

end



(***************************************************************************)
(** {2 Interface with the dot engine} *)

module DotAttributes : sig

  (** Attributes of graphs.  They include all common graph attributes and
      several specific ones.  All attributes described in the "dot User's
      Manual, February 4, 2002" are handled, excepted: clusterank, color,
      compound, labeljust, labelloc, ordering, rank, remincross, rotate,
      searchsize and style.
   *)
  type graph =
    [ CommonAttributes.graph
    | `Bgcolor of color
        (** Sets the background color and the inital fill color. *)
    | `Comment of string
        (** Comment string. *)
    | `Concentrate of bool
        (** If [true], enables edge concentrators.  Default value is [false]. *)
    | `Fontpath of string
        (** List of directories for fonts. *)
    | `Layers of string list
        (** List of layers. *)
    | `Margin of float
        (** Sets the page margin (included in the page size).  Default value is
            [0.5]. *)
    | `Mclimit of float
        (** Scale factor for mincross iterations.  Default value is [1.0]. *)
    | `Nodesep of float
        (** Sets the minimum separation between nodes, in inches.  Default
            value is [0.25]. *)
    | `Nslimit of int
        (** If set of [f], bounds network simplex iterations by [f *
            ] when ranking nodes. *)
    | `Nslimit1 of int
        (** If set of [f], bounds network simplex iterations by [f *
            ] when setting x-coordinates. *)
    | `Ranksep of float
        (** Sets the minimum separation between ranks. *)
    | `Quantum of float
        (** If not [0.0], node label dimensions will be rounded to integral
	    multiples of it.  Default value is [0.0]. *)
    | `Rankdir of [ `TopToBottom | `LeftToRight ]
        (** Direction of rank ordering.  Default value is [`TopToBottom]. *)
    | `Ratio of [ `Float of float | `Fill | `Compress| `Auto ]
        (** Sets the aspect ratio. *)
    | `Samplepoints of int
        (** Number of points used to represent ellipses and circles on output.
	    Default value is [8]. *)
    | `Url of string
        (** URL associated with graph (format-dependent). *)
    ] 

  (** Attributes of nodes.  They include all common node attributes and
      several specific ones.  All attributes described in the "dot User's
      Manual, February 4, 2002" are handled, excepted: bottomlabel, group,
      shapefile and toplabel.
   *)
  type vertex =
    [ CommonAttributes.vertex
    | `Comment of string
        (** Comment string. *)
    | `Distortion of float
        (* TEMPORARY *)
    | `Fillcolor of color
        (** Sets the fill color (used when `Style filled).  Default value
            is [lightgrey]. *)
    | `Fixedsize of bool
        (** If [true], forces the given dimensions to be the actual ones.
            Default value is [false]. *)
    | `Layer of string
        (** Overlay. *)
    | `Url of string
        (** The  default  url  for  image  map  files; in PostScript files,
            the base URL for all relative URLs, as recognized by Acrobat
	    Distiller 3.0 and up. *)
    | `Z of float
        (** z coordinate for VRML output. *)
    ] 

  (** Attributes of edges.  They include all common edge attributes and
      several specific ones.  All attributes described in the "dot User's
      Manual, February 4, 2002" are handled, excepted: lhead and ltail.
   *)
  type edge =
    [ CommonAttributes.edge
    | `Arrowhead of arrow_style
        (** Sets the style of the head arrow.  Default value is [`Normal]. *)
    | `Arrowsize of float
        (** Sets the scaling factor of arrowheads.  Default value is [1.0]. *)
    | `Arrowtail of arrow_style
        (** Sets the style of the tail arrow.  Default value is [`Normal]. *)
    | `Comment of string
        (** Comment string. *)
    | `Constraints of bool
        (** If [false], causes an edge to be ignored for rank assignment. 
            Default value is [true]. *)
    | `Headlabel of string
        (** Sets the label attached to the head arrow. *)
    | `Headport of [ `N | `NE | `E | `SE | `S | `SW | `W | `NW ]
        (* TEMPORARY *)
    | `Headurl of string
        (** Url attached to head label if output format is ismap. *)
    | `Labelangle of float
        (** Angle in degrees which head or tail label is rotated off edge. 
            Default value is [-25.0]. *)
    | `Labeldistance of float
        (** Scaling factor for distance of head or tail label from node. 
            Default value is [1.0]. *)
    | `Labelfloat of bool
        (** If [true], lessen constraints on edge label placement. 
            Default value is [false]. *)
    | `Layer of string
        (** Overlay. *)
    | `Minlen of int
        (** Minimum rank distance between head an tail.  Default value is [1]. *)
    | `Samehead of string
        (** Tag for head node; edge heads with the same tag are merged onto the
	    same port. *)
    | `Sametail of string
        (** Tag for tail node; edge tails with the same tag are merged onto the
	    same port. *)
    | `Taillabel of string
        (** Sets the label attached to the tail arrow. *)
    | `Tailport of [ `N | `NE | `E | `SE | `S | `SW | `W | `NW ]
        (* TEMPORARY *)
    | `Tailurl of string
        (** Url attached to tail label if output format is ismap. *)
    | `Weight of int
        (** Sets the integer cost of stretching the edge.  Default value is
            [1]. *)
    ] 

    type subgraph = {
      sg_name : string;
      sg_attributes : vertex list;
    }

end

module Dot
  (X : sig
     type t
     module V : sig type t end
     module E : sig type t val src : t -> V.t val dst : t -> V.t end
       
     val iter_vertex : (V.t -> unit) -> t -> unit
     val iter_edges_e : (E.t -> unit) -> t -> unit

     val graph_attributes: t -> DotAttributes.graph list

     val default_vertex_attributes: t -> DotAttributes.vertex list
     val vertex_name : V.t -> string
     val vertex_attributes: V.t -> DotAttributes.vertex list

     val default_edge_attributes: t -> DotAttributes.edge list
     val edge_attributes: E.t -> DotAttributes.edge list
     val get_subgraph : V.t -> DotAttributes.subgraph option
   end) : 
sig

  (** [fprint_graph ppf graph] pretty prints the graph [graph] in
    the CGL language on the formatter [ppf]. 
  *)
  val fprint_graph: formatter -> X.t -> unit

  (** [output_graph oc graph] pretty prints the graph [graph] in the dot
    language on the channel [oc].
  *)
  val output_graph: out_channel -> X.t -> unit

end


(***************************************************************************)
(** {2 The neato engine} *)


module NeatoAttributes : sig

  (** Attributes of graphs.  They include all common graph attributes and
      several specific ones.  All attributes described in the "Neato User's
      manual, April 10, 2002" are handled.
   *)
  type graph =
    [ CommonAttributes.graph
    | `Margin of float * float
        (** Sets the page margin (included in the page size).  Default value is
            [0.5, 0.5]. *)
    | `Start of int
        (** Seed for random number generator. *)
    | `Overlap of bool
	(** Default value is [true]. *)
    | `Spline of bool
	(** [true] makes edge splines if nodes don't overlap.
	    Default value is [false]. *)
    | `Sep of float
	(** Edge spline separation factor from nodes.  Default value 
	    is [0.0]. *)
    ] 

  (** Attributes of nodes.  They include all common node attributes and
      several specific ones.  All attributes described in the "Neato User's
      manual, April 10, 2002" are handled.
   *)
  type vertex =
    [ CommonAttributes.vertex
    | `Pos of float * float
        (** Initial coordinates of the vertex. *)
    ] 

  (** Attributes of edges.  They include all common edge attributes and
      several specific ones.  All attributes described in the "Neato User's
      manual, April 10, 2002" are handled.
   *)
  type edge =
    [ CommonAttributes.edge
    | `Id of string
        (** Optional value to distinguish multiple edges. *)
    | `Len of float
        (** Preferred length of edge.  Default value is [1.0]. *)
    | `Weight of float
        (** Strength of edge spring.  Default value is [1.0]. *)
    ] 

  type subgraph = {
    sg_name : string;
    sg_attributes : vertex list;
  }

end

module Neato 
  (X : sig
     type t
     module V : sig type t end
     module E : sig type t val src : t -> V.t val dst : t -> V.t end
       
     val iter_vertex : (V.t -> unit) -> t -> unit
     val iter_edges_e : (E.t -> unit) -> t -> unit

     val graph_attributes: t -> NeatoAttributes.graph list

     val default_vertex_attributes: t -> NeatoAttributes.vertex list
     val vertex_name : V.t -> string
     val vertex_attributes: V.t -> NeatoAttributes.vertex list

     val default_edge_attributes: t -> NeatoAttributes.edge list
     val edge_attributes: E.t -> NeatoAttributes.edge list

     val get_subgraph : V.t -> NeatoAttributes.subgraph option

   end) : 
sig

  (** Several functions provided by this module run the external program
      {i neato}.  By default, this command is supposed to be in the default
      path and is invoked by {i neato}.  The function
      [set_command] allows to set an alternative path at run time.
   *)
  val set_command: string -> unit

  exception Error of string
  val handle_error: ('a -> 'b) -> 'a -> 'b

  (** [fprint_graph ppf graph] pretty prints the graph [graph] in
    the CGL language on the formatter [ppf]. 
  *)
  val fprint_graph: formatter -> X.t -> unit

  (** [output_graph oc graph] pretty prints the graph [graph] in the dot
    language on the channel [oc].
  *)
  val output_graph: out_channel -> X.t -> unit

end
why-2.39/src/ocaml.ml0000644000106100004300000002342613147234006013454 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(*s Ocaml code output *)

open Format
open Options
open Ident
open Logic
open Misc
open Types
open Env
open Ast
open Pp

(*s pre- and postconditions *)

let pre print_assertion = 
  let print fmt p = fprintf fmt "(* @[%a@] *)" print_assertion p in
  print_list newline print

let post print_assertion fmt q = 
  let exn fmt (x,a) = fprintf fmt "%a => %a" Ident.print x print_assertion a in
  match q with
    | (a, []) -> 
	fprintf fmt "(* @[%a@] *)" print_assertion a 
    | (a, al) -> 
	fprintf fmt "(* @[%a@ | %a@] *)" 
	  print_assertion a (print_list alt exn) al

(*s types and constants *)

(* dead code
let identifiers = print_list comma Ident.print
*)

let print_predicate = Util.print_predicate
let print_assertion = Util.print_assertion

let rec typev fmt = function
  | PureType PTreal -> 
      fprintf fmt "float"
  | PureType pt -> 
      Util.print_pure_type fmt pt
  | Ref (PTexternal ([t], id)) when id == farray  -> 
      fprintf fmt "(%a array)" Util.print_pure_type t
  | Ref v -> 
      fprintf fmt "(%a ref)" Util.print_pure_type v
  | Arrow (bl, c) -> 
      fprintf fmt "%a ->@ %a" (print_list arrow binder_type) bl typec c

and typec fmt c = match c.c_pre, c.c_post with
  | [], None ->
      fprintf fmt "%a" typev c.c_result_type
  | [], Some q ->
      fprintf fmt "%a@ %a" typev c.c_result_type (post print_predicate) q
  | p, None ->
      fprintf fmt "%a@ %a" (pre print_predicate) p typev c.c_result_type
  | p, Some q ->
      fprintf fmt "%a@ %a@ %a" 
	(pre print_predicate) p typev c.c_result_type (post print_predicate) q

and binder_type fmt = function
  | id, v when id == Ident.anonymous -> typev fmt v
  | id, v -> fprintf fmt "(*%a:*)%a" Ident.print id typev v

let binder_id fmt (id, v) =
  fprintf fmt "%a (*:%a*)" Ident.print id typev v

let binder_ids = print_list space binder_id

let constant fmt = function
  | ConstInt n -> fprintf fmt "%s" n
  | ConstBool b -> fprintf fmt "%b" b
  | ConstUnit -> fprintf fmt "()"
  | ConstFloat (RConstDecimal (i,f,None)) -> fprintf fmt "%s.%s" i f
  | ConstFloat (RConstDecimal (i,f,Some e)) -> fprintf fmt "%s.%se%s" i f e
  | ConstFloat (RConstHexa (i,f,e)) -> 
      fprintf fmt "(float_of_string \"0x%s.%sp%s\")" i f e

(*s logical expressions *)

let caml_infix id = is_arith_binop id || is_relation_ id

let infix id = 
  if id == t_add_int then "+" 
  else if id == t_sub_int then "-" 
  else if id == t_mul_int then "*"
(*
  else if id == t_div_int then "/"
  else if id == t_mod_int then "mod"
*)
  else if id == t_add_real then "+." 
  else if id == t_sub_real then "-." 
  else if id == t_mul_real then "*."
  else if id == t_div_real then "/."
  else if is_eq id || is_eq_ id then "="
  else if is_neq id || is_neq_ id then "<>"
  else if id == t_lt_int_ || id == t_lt_real_ then "<"
  else if id == t_le_int_ || id == t_le_real_ then "<="
  else if id == t_gt_int_ || id == t_gt_real_ then ">"
  else if id == t_ge_int_ || id == t_ge_real_ then ">="
  else begin eprintf "infix id = %a@." Ident.print id; assert false end

let prefix fmt id = fprintf fmt "( %s )" (infix id)

let rec expression fmt = function
  | Tvar id -> 
      Ident.print fmt id
  | Tconst c -> 
      constant fmt c
  | Tderef id ->
      fprintf fmt "!%a" Ident.print id
  | Tapp (id, [Tderef t], _) when id == Ident.array_length ->
      fprintf fmt "(Array.length %a)" Ident.print t
  | Tapp (id, [t], _) when id == t_neg_int ->
      fprintf fmt "(-%a)" expression t
  | Tapp (id, [t], _) when id == t_neg_real ->
      fprintf fmt "(-. %a)" expression t
  | Tapp (id, [t], _) when id == t_sqrt_real ->
      fprintf fmt "(sqrt %a)" expression t
  | Tapp (id, [t], _) when id == t_real_of_int ->
      fprintf fmt "(real %a)" expression t
  | Tapp (id, [a; b], _) when id == access ->
      fprintf fmt "%a.(%a)" expression a expression b
  | Tapp (id, [a; b], _) when caml_infix id ->
      fprintf fmt "(%a %s %a)" expression a (infix id) expression b
  | Tapp (id, tl, _) -> 
      fprintf fmt "(%a %a)" Ident.print id (print_list space expression) tl
  | Tnamed (User n, t) ->
      fprintf fmt "@[(* %s: *)@ %a@]" (String.escaped n) expression t
  | Tnamed (_, t) -> expression fmt t

(*s program expressions *)

let rec expr fmt e = 
  let k = e.info in
  let q = k.t_post in
  if not ocaml_annot || q = None then
    fprintf fmt "@[%a@]" exprd e.desc
  else match q with
    | Some q -> 
	fprintf fmt "@[%a@ %a@]" exprd e.desc (post print_assertion) q
    | None ->
	fprintf fmt "@[%a@]" exprd e.desc

and exprd fmt = function
  | Var id when caml_infix id ->
      fprintf fmt "%a" prefix id
  | Var id ->
      Ident.print fmt id
  | Seq (e1, e2) ->
      fprintf fmt "@[begin@;<1 2>%a;@ %a end@]" expr e1 expr e2
  | Loop (_inv, _var, e2) ->
      fprintf fmt "@[while true do@;<1 2>%a@ done@]" expr e2
  | If (e1, e2, e3) ->
      fprintf fmt "(@[if %a then@;<1 2>%a@ else@;<1 2>%a@])" 
	expr e1 expr e2 expr e3
  | Lam (bl, p, e) ->
      fprintf fmt "@[(fun %a ->@ %a)@]" binder_ids bl expr_pre (p,e)
  | AppTerm ({desc=AppTerm ({desc=Var id}, t1, _)}, t2, _) 
    when is_poly id (* || id == t_mod_int *) ->
      fprintf fmt "@[(%a %s@ %a)@]" 
      expression t1 (infix id) expression t2
  | AppTerm (e, t, _) ->
      fprintf fmt "@[(%a@ %a)@]" expr e expression t
  | AppRef (e, a, _) ->
      fprintf fmt "@[(%a@ %a)@]" expr e Ident.print a
  | LetRef (id, e1, e2) ->
      fprintf fmt "@[(@[let %a =@ ref %a in@]@\n%a)@]" 
	Ident.print id expr e1 expr e2
  | LetIn (id, e1, e2) ->
      fprintf fmt "@[(@[let %a =@ %a in@]@\n%a)@]" 
	Ident.print id expr e1 expr e2
  | Rec (id, bl, _v, _var, p, e) ->
      fprintf fmt "@[(let rec %a %a =@ %a in@ %a)@]" 
	Ident.print id binder_ids bl expr_pre (p,e) Ident.print id
  | Raise (id, None) ->
      fprintf fmt "@[(raise %a)@]" Ident.print id
  | Raise (id, Some e) ->
      fprintf fmt "@[(raise@ (%a %a))@]" Ident.print id expr e
  | Try (e, hl) ->
      fprintf fmt "(@[try@;<1 2>%a@ with@ @[%a@]@])" 
	expr e (print_list newline handler) hl
  | Expression t -> 
      expression fmt t
  | Absurd ->
      fprintf fmt "@[assert false@]"
  | Any _ ->
      fprintf fmt "@[assert false (* code not given *)@]"
  | Assertion (_k, p,e) ->
      expr_pre fmt (p,e)
  | Post (e, q, _) ->
      let q = post_app a_value q in
      fprintf fmt "@[(%a@ %a)@]" expr e (post print_predicate) q
  | Label (l, e) -> 
      fprintf fmt "@[(* label %s *)@ %a@]" l expr e

and expr_pre fmt (p,e) =
  fprintf fmt "@[%a@ %a@]" (pre print_assertion) p expr e

and handler fmt = function
  | (id, None), e -> 
      fprintf fmt "| %a -> %a" Ident.print id expr e
  | (id, Some id'), e -> 
      fprintf fmt "| %a %a -> %a" Ident.print id Ident.print id' expr e

let decl fmt (id, e) =
  fprintf fmt "@[let %a =@ %a@]@\n@\n" Ident.print id expr e

(*s Parameters (collected to make a functor) *)

let params = Queue.create ()

let push_parameters ids v = List.iter (fun id -> Queue.add (id, v) params) ids

(*s We make a functor if some parameters are present *)

let parameter fmt (id, v) =
  fprintf fmt "@\n@[val %a : %a@]@\n" Ident.print id typev v 

let progs = Queue.create ()

let push_program id p = Queue.add (id, p) progs

let output fmt = 
  fprintf fmt "(* code generated by why --ocaml *)@\n@\n";
  let print_decls fmt () = Queue.iter (decl fmt) progs in
  if Queue.is_empty params then
    fprintf fmt "@[%a@]" print_decls ()
  else begin
    fprintf fmt "@[module type Parameters = sig@\n  @[";
    Queue.iter (parameter fmt) params;
    fprintf fmt "@]@\nend@\n@\n@]";
    fprintf fmt "@[module Make(P : Parameters) = struct@\n";
    fprintf fmt "  open P@\n@\n";
    fprintf fmt "  @[%a@]@\nend@\n@]" print_decls ()
  end



why-2.39/src/why3.mli0000644000106100004300000000506513147234006013423 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(* Why3 pretty-printer *)

val push_decl : Logic_decl.t -> unit

(* [push_or_output_decl d] either pushes the goal in a queue like [push_decl]
   for declarations other than goals, and produces a file for goal 
   declarations much as what [output_files] does. *)
(*
val push_or_output_decl : Logic_decl.t -> unit
*)

val reset : unit -> unit

val output_file : string -> unit
why-2.39/src/fpi.mli0000644000106100004300000000507713147234006013312 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

(* realing-point intervals *)

(* [split ol] extracts realing-point obligations (predicate `fpi') from a 
   list of obligations and return the remaining ones *)
val split : Cc.obligation list -> Cc.obligation list

(* [output f] outputs the current realing-point obligations in file [f] *)
val output : string -> unit 

(* clear the current set of obligations *)
val reset : unit -> unit
why-2.39/src/annot.mli0000644000106100004300000000572013147234006013646 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



open Env
open Types
open Logic
open Ast

(*s Maximum of two postconditions. [sup q q'] is made of postconditions
    from [q], when not the default postcondition, and from [q'] otherwise. *)

val sup : postcondition option -> postcondition option -> postcondition option

(*s automatic postcondition for a loop body, i.e. [I and var < var@L] *)

val while_post_block :
  local_env -> predicate asst option -> variant -> typed_program -> 
  postcondition

(*s [normalise p] inserts some automatic annotation on the outermost
    construct of [p] *)

val normalize : typed_program -> typed_program


(*s Useful functions to change the program tree or its annotations,
    to be reused in [Wp] *)




val purify : typed_program -> typed_program

val is_result_eq : predicate -> term option

why-2.39/src/encoding_pred.mli0000644000106100004300000000443513147234006015331 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

val reset : unit -> unit
val push : Logic_decl.t -> unit
val iter : (Logic_decl.t -> unit) -> unit
why-2.39/src/rename.ml0000644000106100004300000001240413147234006013622 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



open Ident
open Misc
open Report
open Error

(* Variables names management *)

type date = string

(* The following data structure keeps the successive names of the variables
 * as we traverse the program. A each step a ``date'' and a
 * collection of new names is (possibly) given, and updates the
 * previous renaming.
 * 
 * Then, we can ask for the name of a variable, at current date or
 * at a given date.
 *
 * It is easily represented by a list of date x assoc list, most recent coming 
 * first i.e. as follows:
 *
 *   [ date (= current), [ (x,xi); ... ];
 *     date            , [ (z,zk); ... ];
 *     ...
 *     date (= initial), [ (x,xj); (y,yi); ... ]
 *
 * We also keep a list of all names already introduced, in order to
 * quickly get fresh names.
 *)

type t =
  { levels : (date * (Ident.t * Ident.t) list) list;
    avoid  : Ident.set;
    cpt    : int }
    

let empty_ren = { levels = []; avoid = Idset.empty; cpt = 0 }

let update r d ids =
  let al,av = renaming_of_ids r.avoid ids in
  { levels = (d,al) :: r.levels; avoid = av; cpt = r.cpt }

let push_date r d = update r d []

let next r ids =
  let al,av = renaming_of_ids r.avoid ids in
  let n = succ r.cpt in
  let d = string_of_int n in
  { levels = (d,al) :: r.levels; avoid = av; cpt = n }


let find r x =
  let rec find_in_one = function
    | []           -> raise Not_found
    | (y,v) :: rem -> if y = x then v else find_in_one rem
  in
  let rec find_in_all = function
    | []           -> raise Not_found
    | (_,l) :: rem -> try find_in_one l with Not_found -> find_in_all rem
  in
  find_in_all r.levels


let current_var = find

let current_vars r ids = List.map (fun id -> id,current_var r id) ids


let avoid r ids = 
  { levels = r.levels; avoid = Idset.union r.avoid ids; cpt = r.cpt }

let fresh r id =
  match renaming_of_ids r.avoid [id] with
    | [_,id'], av -> id', { r with avoid = av }
    | _ -> assert false

let fresh_many r ids = 
  let ids',av = renaming_of_ids r.avoid ids in
  ids', { r with avoid = av }


let current_date r =
  match r.levels with
    | [] -> invalid_arg "Renamings.current_date"
    | (d,_) :: _ -> d

let all_dates r = List.map fst r.levels

let valid_date da r = 
  let rec valid = function
    | [] -> false
    | (d,_) :: rem -> (d = da) || (valid rem)
  in
  valid r.levels

(* [until d r] selects the part of the renaming [r] starting from date [d] *)
let until da r =
  let rec cut = function
    | [] -> failwith ("unknown label " ^ da)
    | (d,_) :: rem as r -> if d = da then r else cut rem
  in
  { avoid = r.avoid; levels = cut r.levels; cpt = r.cpt }

let var_at_date r d id =
  try
    find (until d r) id
  with Not_found ->
    raise_unlocated (NoVariableAtDate (id, d))

let vars_at_date r d ids =
  let r' = until d r in List.map (fun id -> id,find r' id) ids


(* pretty-printers *)

open Format
open Pp

let print fmt r = 
  fprintf fmt "@[";
  print_list pp_print_newline
    (fun fmt (d,l) -> 
       fprintf fmt "%s: " d;
       print_list pp_print_space 
	 (fun fmt (id,id') -> 
	    fprintf fmt "(%s,%s)" (Ident.string id) (Ident.string id'))
	 fmt l)
    fmt r.levels


 
why-2.39/src/ident.mli0000644000106100004300000001465313147234006013637 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(*s Identifiers. *)

module I : 
sig
  type t 
  val compare : t -> t -> int
end

type t = I.t

(* from :
       - string inform which creates the fresh ident
       - t list gives the arguments
*)
val create : ?from:(string * t list) -> string -> t

val string : t -> string

val completeString : t -> string 

val fresh_from : t -> (string * t list) option

module Idset : Set.S with type elt = t
type set = Idset.t

module Idmap : Map.S with type key = t
type 'a map = 'a Idmap.t

val next_away : t -> set -> t

val print : Format.formatter -> t -> unit
val lprint : Format.formatter -> t -> unit
val dbprint : Format.formatter -> t -> unit

(*s Possibly anonymous names *)

type name = Anonymous | Name of t

val print_name : Format.formatter -> name -> unit

(*s Qualified identifiers with labels. *)

val at_id : t -> string -> t
val un_at : t -> t * string
val is_at : t -> bool

(*s Bound variables. *)

val bound : t -> t

(*s Exceptions names and constructors *)

val exn_type : t
val exn_val : t
val exn_exn : t
val exn_post : t
val exn_qval : t
val exn_qexn : t
val exist : t
val decomp : int -> t

val exit_exn : t

val is_index : string -> bool

(*s Non termination monad. *)

val non_termination_monad : t
val nt_unit : t
val nt_bind : t
val nt_fix : t
val nt_lift : t

(*s Identifiers for the functional validation. *)

val fun_id : t -> t

(*s Identifiers for algebraic-typed term matching *)

val match_id : t -> t
val proj_id : t -> int -> t

(*s Some pre-defined identifiers. *)

val t_bool_and : t 
val t_bool_or : t
val t_bool_xor : t
val t_bool_not : t

val anonymous : t
val implicit : t
val default_post : t

val t_add : t
val t_sub : t
val t_mul : t
val t_div : t
val t_neg : t

val t_add_int : t
val t_sub_int : t
val t_mul_int : t
(* disabled (confusion math_div / computer_div)
val t_div_int : t
val t_mod_int : t
*)
val t_neg_int : t
val t_abs_int : t

val t_add_real : t
val t_sub_real : t
val t_mul_real : t
val t_div_real : t
val t_neg_real : t
val t_sqrt_real : t
val t_abs_real : t
val t_pow_real : t

val t_cos : t
val t_sin : t
val t_tan : t
val t_atan : t

val t_int_max : t
val t_int_min : t
val t_real_max : t
val t_real_min : t

val t_div_real_ : t
(* disabled (confusion math_div / computer_div)
val t_div_int_ : t
val t_mod_int_ : t
*)
val t_sqrt_real_ : t

val t_real_of_int : t
val t_int_of_real : t

val t_lt : t
val t_le : t
val t_gt : t
val t_ge : t
val t_eq : t
val t_neq : t

val t_eq_int : t
val t_eq_bool : t
val t_eq_real : t
val t_eq_unit : t

val t_neq_int : t
val t_neq_bool : t
val t_neq_real : t
val t_neq_unit : t

val t_lt_int : t
val t_le_int : t
val t_gt_int : t
val t_ge_int : t

val t_lt_real : t
val t_le_real : t
val t_gt_real : t
val t_ge_real : t

val t_lt_int_bool : t
val t_le_int_bool : t
val t_gt_int_bool : t
val t_ge_int_bool : t

val t_lt_real_bool : t
val t_le_real_bool : t
val t_gt_real_bool : t
val t_ge_real_bool : t

val t_eq_int_bool : t
val t_eq_real_bool : t
val t_neq_int_bool : t
val t_neq_real_bool : t

val t_eq_int_ : t
val t_eq_bool_ : t
val t_eq_real_ : t
val t_eq_unit_ : t

val t_neq_int_ : t
val t_neq_bool_ : t
val t_neq_real_ : t
val t_neq_unit_ : t

val t_lt_int_ : t
val t_le_int_ : t
val t_gt_int_ : t
val t_ge_int_ : t

val t_lt_real_ : t
val t_le_real_ : t
val t_gt_real_ : t
val t_ge_real_ : t

val t_distinct : t

val t_zwf_zero : t
val result : t
val default : t
val farray : t
val array_length : t
val if_then_else : t
val ref_set : t
val array_get : t
val array_set : t
val access : t
val store : t
val annot_bool : t
val well_founded : t
val well_founded_induction : t
val wfix : t
val false_rec : t

val any_int : t
val any_unit : t
val any_real : t

(*s Category tests *)

val is_wp : t -> bool
val is_variant : t -> bool

val is_poly : t -> bool

val is_comparison : t -> bool
val is_int_comparison : t -> bool
val is_real_comparison : t -> bool

val is_relation : t -> bool
val is_relation_ : t -> bool

val is_eq : t -> bool
val is_neq : t -> bool

val is_eq_ : t -> bool
val is_neq_ : t -> bool

val is_int_arith_binop : t -> bool
val is_int_arith_unop : t -> bool
val is_int_arith : t -> bool

val is_real_arith_binop : t -> bool
val is_real_arith : t -> bool

val is_arith_binop : t -> bool

val is_arith : t -> bool

val is_simplify_arith : t -> bool

val strict_bool_and_ : t
val strict_bool_or_ : t
val bool_not_ : t
why-2.39/src/options.mli0000644000106100004300000001407513147234006014225 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)


(*s General options *)

val verbose : bool

val if_verbose : ('a -> unit) -> 'a -> unit
val if_verbose_2 : ('a -> 'b -> unit) -> 'a -> 'b -> unit
val if_verbose_3 : ('a -> 'b -> 'c -> unit) -> 'a -> 'b -> 'c -> unit

val debug : bool

val if_debug : ('a -> unit) -> 'a -> unit
val if_debug_2 : ('a -> 'b -> unit) -> 'a -> 'b -> unit
val if_debug_3 : ('a -> 'b -> 'c -> unit) -> 'a -> 'b -> 'c -> unit

val ocaml : bool
val ocaml_annot : bool
val ocaml_externals : bool

val explain_vc : bool
val locs_table :
  (string, (string * int * int * int * (string * Rc.rc_value) list))
     Hashtbl.t

val wol : bool

val c_file : bool ref

val werror : bool

val parse_only : bool
val type_only : bool
val wp_only : bool

val fast_wp : bool
(*
val black : bool
val white : bool
val wbb : bool
*)
val split_user_conj : bool
val split_bool_op : bool
val lvlmax : int
val all_vc : bool
val eval_goals : bool
val pruning : bool
val pruning_hyp_v : int
val pruning_hyp_p : int
(* Heuristiques en test *)
val prune_coarse_pred_comp : bool
val pruning_hyp_CompInGraph : bool
val pruning_hyp_CompInFiltering : bool
val pruning_hyp_LinkVarsQuantif : bool
val pruning_hyp_keep_single_comparison_representation : bool
val pruning_hyp_comparison_eqOnly : bool
val pruning_hyp_suffixed_comparison : bool
val pruning_hyp_equalities_linked : bool
val pruning_hyp_arithmetic_tactic : bool
val pruning_hyp_var_tactic : int
val pruning_hyp_polarized_preds : bool
val prune_context : bool
val prune_get_depths : bool
val pruning_hyp_considere_arith_comparison_as_special_predicate : bool
(* FIN de Heuristiques en test *)
(*
val modulo : bool
*)

val phantom_types : (string,unit) Hashtbl.t

type expanding = All | Goal | NoExpanding
val defExpanding : expanding
val get_type_expanding : unit -> expanding

type encoding =
  | NoEncoding | Predicates | Stratified | Recursive | Monomorph
  | SortedStratified |MonoInst
val get_types_encoding : unit -> encoding
val set_types_encoding : encoding -> unit

type monoinstWorldGen =
  | MonoinstSorted
  | MonoinstBuiltin
  | MonoinstGoal
  | MonoinstPremises
val monoinstworldgen : monoinstWorldGen
val monoinstoutput_world : bool
val monoinstonlymem : bool
val monoinstnounit : bool
val monoinstonlyconst : bool

type termination = UseVariant | Partial | Total
val termination : termination

(*s Prover options *)

type coq_version = V7 | V8 | V81

type prover =
  | Coq of coq_version | Pvs | HolLight | Mizar | Harvey | Simplify | CVCLite
  | SmtLib | Isabelle | Hol4 | Gappa | Zenon | Z3 | Vampire
  | Ergo | Why | MultiWhy | MultiAltergo | Why3 | Dispatcher | WhyProject

val prover : (* ?ignore_gui:bool  -> *) unit -> prover

val valid : bool
val coq_tactic : string option
val coq_preamble : string
val coq_use_dp: bool

val pvs_preamble : string

val mizar_environ : string option

val isabelle_base_theory : string

val no_simplify_prelude : bool
val simplify_triggers : bool
val no_harvey_prelude : bool
val no_zenon_prelude : bool
val no_cvcl_prelude : bool
val delete_old_vcs : bool

val floats : bool
val show_time : bool

(*s [file f] appends [f] to the directory specified with [-dir], if any *)

val file : string -> string

(* [out_file f] returns the file specified with option -o, or [file f]
   otherwise. This function musn't be used if you want to be able to
   output on stdout *)

val out_file : string -> string

(* If you want to be able to print to stdout transparently you must
   use this function instead of the standard one. *)

val open_out_file : string -> out_channel
val close_out_file : out_channel -> unit
val out_file_exists :  string -> bool

(* [lib_file f] appends [f] to the lib directory *)

val lib_file : string -> string

val lib_dir : string

(*s Files given on the command line *)

val files : string list

(*s GUI? *)

val gui : bool ref
val gui_project : Project.t option ref
val lib_files_to_load : string list

(*
Local Variables:
compile-command: "unset LANG; make -j -C .. bin/why.byte"
End:
*)
why-2.39/src/effect.ml0000644000106100004300000001533413147234006013614 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(*s Effects. *)

open Ident

(*s An effect is composed of three sets of variables.

    The first one is the set of all variables (the input),
    the second one is the set of possibly modified variables (the output),
    and the third one the set of possibly raised exceptions.
 
    INVARIANTS: 
    1. there are no duplicate elements in each list 
    2. output is contained in input

    REMARK: for most operations, sets will be more relevant than lists,
    but order must not change when a substitution is applied and thus
    lists are preferred *)

type t = { 
  input : Ident.set;
  output : Ident.set;
  exns : Ident.set;
  nt : bool
}

(*s the empty effect *)

let bottom = { input = Idset.empty; output = Idset.empty; exns = Idset.empty; nt = false }

(*s basic operations *)

(* dead code
let list_add x l = if List.mem x l then l else x :: l

let list_remove x l = 
  let rec rem_rec = function
    | [] -> []
    | y :: l -> if x = y then l else y :: rem_rec l
  in
  if List.mem x l then rem_rec l else l

let mem x (r,w) = (List.mem x r) || (List.mem x w)

(* [list_union] is a merge sort *)
let list_union l1 l2 = 
  let rec basic_union = function
    | [], s2 -> s2
    | s1, [] -> s1
    | ((v1 :: l1) as s1), ((v2 :: l2) as s2) ->
	if v1 < v2 then
	  v1 :: basic_union (l1,s2)
	else if v1 > v2 then
	  v2 :: basic_union (s1,l2)
	else
	  v1 :: basic_union (l1,l2)
  in
  basic_union (List.sort compare l1, List.sort compare l2)
*)

(*s adds reads and writes variables *)

let add_read x e = { e with input = Idset.add x e.input }

let add_reads = Idset.fold add_read

let add_write x e = 
  { e with input = Idset.add x e.input; output = Idset.add x e.output }

let add_writes = Idset.fold add_write

let add_exn x e = { e with exns = Idset.add x e.exns }

let add_exns = Idset.fold add_exn

let add_nontermination e = { e with nt = true }

(*s access *)

let get_reads e = Idset.elements e.input
let get_writes e = Idset.elements e.output
let get_exns e = Idset.elements e.exns
let get_repr e = 
  Idset.elements e.input, Idset.elements e.output, Idset.elements e.exns, e.nt

(*s tests *)

let is_read  e id = Idset.mem id e.input
let is_write e id = Idset.mem id e.output
let is_exn e id = Idset.mem id e.exns
let is_nonterminating e = e.nt


let keep_writes e = { e with input = e.output }

(*s union and disjunction *)

let union e1 e2 =
  { input = Idset.union e1.input e2.input;
    output = Idset.union e1.output e2.output;
    exns = Idset.union e1.exns e2.exns;
    nt = e1.nt || e2.nt
  }

(*s comparison relation *)

(* dead code
let le _e1 _e2 = failwith "effects: le: not yet implemented"

let inf _e1 _e2 = failwith "effects: inf: not yet implemented"
*)

(*s remove *)

let remove x e = 
  { e with 
      input = Idset.remove x e.input;
      output = Idset.remove x e.output }

let remove_exn x e = { e with exns = Idset.remove x e.exns }

let remove_nontermination e = { e with nt = false }

let erase_exns e = { e with exns = Idset.empty }

(*s occurrence *)

let occur x e = Idset.mem x e.input || Idset.mem x e.output

(*s substitution *)

(***
let list_subst x x' l =
  let rec subst = function
    | [] -> []
    | y :: r -> if y = x then x' :: r else y :: subst r
  in
  if List.mem x l then subst l else l

let subst_one x x' e = 
  { e with input = list_subst x x' e.input; output = list_subst x x' e.output }

let subst = Idmap.fold subst_one
***)

let subst subst e =
  let subst_set s =
    Idset.fold (fun x acc -> 
		  let x' = try Idmap.find x subst with Not_found -> x in
		  Idset.add x' acc)
      s Idset.empty
  in
  { e with input = subst_set e.input; output = subst_set e.output }

(*s pretty-print *)

open Format

(* copied to avoid circularity Effect <-> Misc *)
let rec print_list sep print fmt = function
  | [] -> ()
  | [x] -> print fmt x
  | x :: r -> print fmt x; sep fmt (); print_list sep print fmt r

let print fmt { input = r; output = w; exns = e; nt = nt } =
  let r = Idset.elements r in
  let w = Idset.elements w in
  fprintf fmt "@[";
  if r <> [] then begin
    fprintf fmt "reads ";
    print_list (fun fmt () -> fprintf fmt ",@ ") Ident.print fmt r;
  end;
  if r <> [] && w <> [] then fprintf fmt "@ ";
  if w <> [] then begin
    fprintf fmt "writes ";
    print_list (fun fmt () -> fprintf fmt ",@ ") Ident.print fmt w;
  end;
  let e = Idset.elements e in
  if (r <> [] || w <> []) && e <> [] then fprintf fmt "@ ";
  if e <> [] then begin
    fprintf fmt "raises ";
    print_list (fun fmt () -> fprintf fmt ",@ ") Ident.print fmt e;
  end;
  if r <> [] || w <> [] || e <> [] then fprintf fmt "@ ";
  if nt then fprintf fmt ",@ nt";
  fprintf fmt "@]"

why-2.39/src/wserver.ml0000644000106100004300000003212513147234006014052 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)


(* Copyright (c) 1998-2005 INRIA *)

let sock_in = ref "wserver.sin"
let sock_out = ref "wserver.sou"
let noproc = ref false

let wserver_oc = set_binary_mode_out stdout true; ref stdout

let wprint fmt = Printf.fprintf !wserver_oc fmt
let wflush () = flush !wserver_oc

let hexa_digit x =
  if x >= 10 then Char.chr (Char.code 'A' + x - 10)
  else Char.chr (Char.code '0' + x)

let hexa_val conf =
  match conf with
    '0'..'9' -> Char.code conf - Char.code '0'
  | 'a'..'f' -> Char.code conf - Char.code 'a' + 10
  | 'A'..'F' -> Char.code conf - Char.code 'A' + 10
  | _ -> 0

let decode s =
  let rec need_decode i =
    if i < String.length s then
      match s.[i] with
        '%' | '+' -> true
      | _ -> need_decode (succ i)
    else false
  in
  let rec compute_len i i1 =
    if i < String.length s then
      let i =
        match s.[i] with
          '%' when i + 2 < String.length s -> i + 3
        | _ -> succ i
      in
      compute_len i (succ i1)
    else i1
  in
  let rec copy_decode_in s1 i i1 =
    if i < String.length s then
      let i =
        match s.[i] with
          '%' when i + 2 < String.length s ->
            let v = hexa_val s.[i + 1] * 16 + hexa_val s.[i + 2] in
            s1.[i1] <- Char.chr v; i + 3
        | '+' -> s1.[i1] <- ' '; succ i
        | x -> s1.[i1] <- x; succ i
      in
      copy_decode_in s1 i (succ i1)
    else s1
  in
  let rec strip_heading_and_trailing_spaces s =
    if String.length s > 0 then
      if s.[0] == ' ' then
        strip_heading_and_trailing_spaces
          (String.sub s 1 (String.length s - 1))
      else if s.[String.length s - 1] == ' ' then
        strip_heading_and_trailing_spaces
          (String.sub s 0 (String.length s - 1))
      else s
    else s
  in
  if need_decode 0 then
    let len = compute_len 0 0 in
    let s1 = String.create len in
    strip_heading_and_trailing_spaces (copy_decode_in s1 0 0)
  else s

let special =
  function
    '\000'..'\031' | '\127'..'\255' | '<' | '>' | '\"' | '#' | '%' | '{' |
    '}' | '|' | '\\' | '^' | '~' | '[' | ']' | '`' | ';' | '/' | '?' | ':' |
    '@' | '=' | '&' ->
      true
  | _ -> false

let encode s =
  let rec need_code i =
    if i < String.length s then
      match s.[i] with
        ' ' -> true
      | x -> if special x then true else need_code (succ i)
    else false
  in
  let rec compute_len i i1 =
    if i < String.length s then
      let i1 = if special s.[i] then i1 + 3 else succ i1 in
      compute_len (succ i) i1
    else i1
  in
  let rec copy_code_in s1 i i1 =
    if i < String.length s then
      let i1 =
        match s.[i] with
          ' ' -> s1.[i1] <- '+'; succ i1
        | c ->
            if special c then
              begin
                s1.[i1] <- '%';
                s1.[i1 + 1] <- hexa_digit (Char.code c / 16);
                s1.[i1 + 2] <- hexa_digit (Char.code c mod 16);
                i1 + 3
              end
            else begin s1.[i1] <- c; succ i1 end
      in
      copy_code_in s1 (succ i) i1
    else s1
  in
  if need_code 0 then
    let len = compute_len 0 0 in copy_code_in (String.create len) 0 0
  else s

let nl () = wprint "\013\010"

let http answer =
  let answer = if answer = "" then "200 OK" else answer in
  wprint "HTTP/1.0 %s" answer; nl ()

let print_exc exc =
  match exc with
    Unix.Unix_error (err, fun_name, arg) ->
      prerr_string "\"";
      prerr_string fun_name;
      prerr_string "\" failed";
      if String.length arg > 0 then
        begin prerr_string " on \""; prerr_string arg; prerr_string "\"" end;
      prerr_string ": ";
      prerr_endline (Unix.error_message err)
  | Out_of_memory -> prerr_string "Out of memory\n"
  | Match_failure (file, first_char, last_char) ->
      prerr_string "Pattern matching failed, file ";
      prerr_string file;
      prerr_string ", chars ";
      prerr_int first_char;
      prerr_char '-';
      prerr_int last_char;
      prerr_char '\n'
  | Assert_failure (file, first_char, last_char) ->
      prerr_string "Assertion failed, file ";
      prerr_string file;
      prerr_string ", chars ";
      prerr_int first_char;
      prerr_char '-';
      prerr_int last_char;
      prerr_char '\n'
  | x ->
      prerr_string "Uncaught exception: ";
      prerr_string (Obj.magic (Obj.field (Obj.field (Obj.repr x) 0) 0));
      if Obj.size (Obj.repr x) > 1 then
        begin
          prerr_char '(';
          for i = 1 to Obj.size (Obj.repr x) - 1 do
            if i > 1 then prerr_string ", ";
            let arg = Obj.field (Obj.repr x) i in
            if not (Obj.is_block arg) then prerr_int (Obj.magic arg : int)
            else if Obj.tag arg = 252 then
              begin
                prerr_char '\"';
                prerr_string (Obj.magic arg : string);
                prerr_char '\"'
              end
            else prerr_char '_'
          done;
          prerr_char ')'
        end;
      prerr_char '\n'

let print_err_exc exc = print_exc exc; flush stderr

let case_unsensitive_eq s1 s2 = String.lowercase s1 = String.lowercase s2

let rec extract_param name stop_char =
  function
    x :: l ->
      if String.length x >= String.length name &&
         case_unsensitive_eq (String.sub x 0 (String.length name)) name
      then
        let i =
          let rec loop i =
            if i = String.length x then i
            else if x.[i] = stop_char then i
            else loop (i + 1)
          in
          loop (String.length name)
        in
        String.sub x (String.length name) (i - String.length name)
      else extract_param name stop_char l
  | [] -> ""

let buff = ref (String.create 80)
let store len x =
  if len >= String.length !buff then
    buff := !buff ^ String.create (String.length !buff);
  !buff.[len] <- x;
  succ len
let get_buff len = String.sub !buff 0 len

let get_request strm =
  let rec loop len (strm__ : _ Stream.t) =
    match Stream.peek strm__ with
      Some '\010' ->
        Stream.junk strm__;
        let s = strm__ in
        if len == 0 then [] else let str = get_buff len in str :: loop 0 s
    | Some '\013' -> Stream.junk strm__; loop len strm__
    | Some c -> Stream.junk strm__; loop (store len c) strm__
    | _ -> if len == 0 then [] else [get_buff len]
  in
  loop 0 strm

let timeout tmout spid _ =
  Unix.kill spid Sys.sigkill;
  http "";
  wprint "Content-type: text/html; charset=iso-8859-1";
  nl ();
  nl ();
  wprint "Time out\n";
  wprint "
Time out
\n";
  wprint "Computation time > %d second(s)\n" tmout;
  wprint "\n";
  wflush ();
  exit 2

let get_request_and_content strm =
  let request = get_request strm in
  let content =
    match extract_param "content-length: " ' ' request with
      "" -> ""
    | x ->
        let str = String.create (int_of_string x) in
        for i = 0 to String.length str - 1 do
          str.[i] <-
            let (strm__ : _ Stream.t) = strm in
            match Stream.peek strm__ with
              Some x -> Stream.junk strm__; x
            | _ -> ' '
        done;
        str
  in
  request, content

let string_of_sockaddr =
  function
    Unix.ADDR_UNIX s -> s
  | Unix.ADDR_INET (a, _) -> Unix.string_of_inet_addr a
let sockaddr_of_string s = Unix.ADDR_UNIX s

let treat_connection tmout callback addr fd =
  ();
  let (request, script_name, contents__) =
    let (request, contents__) =
      let strm =
        let c = " " in
        Stream.from
          (fun _ -> if Unix.read fd c 0 1 = 1 then Some c.[0] else None)
      in
      get_request_and_content strm
    in
    let (script_name, contents__) =
      match extract_param "GET /" ' ' request with
        "" -> extract_param "POST /" ' ' request, contents__
      | str ->
          try
            let i = String.index str '?' in
            String.sub str 0 i,
            String.sub str (i + 1) (String.length str - i - 1)
          with
            Not_found -> str, ""
    in
    request, script_name, contents__
  in
  if script_name = "robots.txt" then
    begin
      http "";
      wprint "Content-type: text/plain";
      nl ();
      nl ();
      wprint "User-Agent: *";
      nl ();
      wprint "Disallow: /";
      nl ();
      wflush ();
      Printf.eprintf "Robot request\n";
      flush stderr
    end
  else
    begin
      begin try callback (addr, request) script_name contents__ with
        Unix.Unix_error (Unix.EPIPE, "write", _) -> ()
      | exc -> print_err_exc exc
      end;
      begin try wflush () with
        _ -> ()
      end;
      try flush stderr with
        _ -> ()
    end

let buff = String.create 1024

(* *)

let rec list_remove x =
  function
    [] -> failwith "list_remove"
  | y :: l -> if x = y then l else y :: list_remove x l

(* *)
(* *)
(* *)

(* *)

let wait_and_compact s =
  if Unix.select [s] [] [] 15.0 = ([], [], []) then
    begin
      Printf.eprintf "Compacting... ";
      flush stderr;
      Gc.compact ();
      Printf.eprintf "Ok\n";
      flush stderr
    end

let skip_possible_remaining_chars fd =
  let b = "..." in
  try
    let rec loop () =
      match Unix.select [fd] [] [] 5.0 with
        [_], [], [] ->
          let len = Unix.read fd b 0 (String.length b) in
          if len = String.length b then loop ()
      | _ -> ()
    in
    loop ()
  with
    Unix.Unix_error (Unix.ECONNRESET, _, _) -> ()

let accept_connection tmout max_clients callback s =
  wait_and_compact s;
  let (t, addr) = Unix.accept s in
  Unix.setsockopt t Unix.SO_KEEPALIVE true;
  let cleanup () =
    begin try Unix.shutdown t Unix.SHUTDOWN_SEND with
      _ -> ()
    end;
    begin try Unix.shutdown t Unix.SHUTDOWN_RECEIVE with
      _ -> ()
    end;
    try Unix.close t with
      _ -> ()
  in
  wserver_oc := Unix.out_channel_of_descr t;
  treat_connection tmout callback addr t;
  cleanup ()

let f addr_opt port tmout max_clients g =
  match None with
    Some s -> ()
  | None ->
      let addr =
        match addr_opt with
          Some addr ->
            begin try Unix.inet_addr_of_string addr with
              Failure _ -> (Unix.gethostbyname addr).Unix.h_addr_list.(0)
            end
        | None -> Unix.inet_addr_any
      in
      let s = Unix.socket Unix.PF_INET Unix.SOCK_STREAM 0 in
      Unix.setsockopt s Unix.SO_REUSEADDR true;
      Unix.bind s (Unix.ADDR_INET (addr, port));
      Unix.listen s 4;
      Sys.set_signal Sys.sigpipe Sys.Signal_ignore;
      let tm = Unix.localtime (Unix.time ()) in
      Printf.eprintf "Ready %4d-%02d-%02d %02d:%02d port"
        (1900 + tm.Unix.tm_year) (succ tm.Unix.tm_mon) tm.Unix.tm_mday
        tm.Unix.tm_hour tm.Unix.tm_min;
      Printf.eprintf " %d" port;
      Printf.eprintf "...\n";
      flush stderr;
      while true do
        begin try accept_connection tmout max_clients g s with
          Unix.Unix_error (Unix.ECONNRESET, "accept", _) -> ()
        | Unix.Unix_error ((Unix.EBADF | Unix.ENOTSOCK), "accept", _) as x ->
            raise x
        | exc -> print_err_exc exc
        end;
        begin try wflush () with
          Sys_error _ -> ()
        end;
        begin try flush stdout with
          Sys_error _ -> ()
        end;
        flush stderr
      done
why-2.39/src/option_misc.ml0000644000106100004300000000473613147234006014707 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



let map f = function None -> None | Some x -> Some (f x)

let map_default f d = function None -> d | Some x -> f x

let iter f = function None -> () | Some x -> f x

let fold f x c = match x with None -> c | Some x -> f x c 

let fold_left f c x = match x with None -> c | Some x -> f c x 
why-2.39/src/whyweb.ml0000644000106100004300000005513413147234006013667 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

open Format
open Project

(*prover*)
let provers = [Ergo ; Simplify ; Z3 ; Yices ; Cvc3]

(*color*)
let valid_color = "#00FF00"
let invalid_color = "#FF8093"
let failed_color = "#FF0000"
let unknown_color = "#FFFF80"
let cannotdecide_color = "#FF80FF"
let running_color = "#8080FF"
let timeout_color = "#FF8093"

(* toggle *)
let toggle_lemma l = l.lemma_tags <- 
  List.map (fun (key,value) ->  
	      if key = "ww_open" then 
		if value = "true" then (key,"false") 
		else (key,"true") 
	      else
		(key,value)) l.lemma_tags

let toggle_function f =  f.function_tags <- 
  List.map (fun (key,value) ->  
	      if key = "ww_open" then 
		if value = "true" then (key,"false") 
		else (key,"true") 
	      else
		assert false) f.function_tags

let toggle_behavior b = b.behavior_tags <- 
  List.map (fun (key,value) ->  
	      if key = "ww_open" then 
		if value = "true" then (key,"false") 
		else (key,"true") 
	      else
		(key,value))  b.behavior_tags

let toggle_goal g = g.goal_tags <- 
  List.map (fun (key,value) ->  
	      if key = "ww_open" then 
		if value = "true" then (key,"false") 
		else (key,"true") 
	      else
		(key,value))  g.goal_tags

let use_prover p =
  match p with 
    | Ergo -> ("--why",".why","",67) 
    | Simplify -> ("--simplify", ".sx","",66)
    | Z3 -> ("--smtlib",".smt","z3",67)
    | Yices -> ("--smtlib",".smt","",67)
    | Cvc3 -> ("--smtlib",".smt","cvc3",67)
    | Other -> assert false

open Wserver

let launch_goal  prover context g =  
  let (option,endoffile,opt,size) = use_prover prover in
  let (reademe,writeme) = Unix.pipe () in
  eprintf "why -no-prelude %s %s %s@." option context g.goal_file;
  let _ = Unix.create_process
    "why" [| "why"; "-no-prelude"; option; context; g.goal_file  |]
    Unix.stdin Unix.stdout Unix.stderr in
  let _ = Unix.wait() in
  eprintf "why-dp %s -timeout 10 %s@." opt ((String.sub g.goal_file 0 
	  (String.length g.goal_file  - 4))^"_why"^endoffile) ;
  let _ = 
    if opt = "" 
    then 
      Unix.create_process
	"why-dp" 
	[| "why-dp" ; "-timeout" ; "10" ; 
	   (String.sub g.goal_file 0 
	      (String.length g.goal_file  - 4))^"_why"^endoffile  |]
	Unix.stdin writeme Unix.stderr 
    else
      Unix.create_process
	"why-dp" 
	[| "why-dp" ; "-smt-solver" ; opt  ;"-timeout" ; "10" ; 
	   (String.sub g.goal_file 0 
	      (String.length g.goal_file  - 4))^"_why"^endoffile  |]
	Unix.stdin writeme Unix.stderr 
  in  
  let _ = Unix.wait() in
  let size = size+(String.length g.goal_file) in
  let buff = String.make size  '!' in
  let _ = Unix.read reademe buff 0 size in
  eprintf "%s@." buff;
  (*    let buff = String.make size '?' in
	let _ = Unix.read reademe buff 0 size in
    eprintf "%s@." buff;*)
  Unix.close writeme;
  Unix.close reademe;
  let proof = List.filter (fun (s,_) -> s!=prover) g.proof in
  (g.proof <-
     match String.get buff ((String.length buff)-1) with 
       | '.' -> (prover,("valid","10","",""))::proof
       | '*' -> (prover,("invalid","10","",""))::proof  
       | '?' -> (prover,("cannotdecide","10","",""))::proof  
       | '#' -> (prover,("timeout","10","",""))::proof  
       | '!' -> (prover,("failure","10","",""))::proof 
       | c -> Format.eprintf "erreur : %c@." c;
	   assert false)
     
let version () = 
  printf "This is WhyWeb version %s, compiled on %s
Copyright (c) 2008 - Claude Marché
This is free software with ABSOLUTELY NO WARRANTY (use option -warranty)
" Version.version Version.date;
  exit 0

let port = ref 2372
 
let spec =
 [ "-version", Arg.Unit version, 
   "  prints version and exit" ;
   "-port", Arg.Int ((:=) port), 
   "  set server port (default " ^ string_of_int !port ^ ")" ;
]

let file = ref None

let add_file f = 
  if not (Sys.file_exists f) then begin
    eprintf "whyweb: %s: no such file@." f;
    exit 1
  end;
  file := Some f

let usage = "whyweb [options]"

let () = Arg.parse spec add_file usage

let file = match !file with
  | None -> ()
  | Some f -> Arg.usage spec usage; exit 1

let proj = ref (Project.create "")

let proj_file = ref ""

let coms = Hashtbl.create 1023

let file = ref ""
let line = ref 0
let beginning = ref 0
let ending = ref 0
let current_line = ref 0
let current_page = ref ""


let launch_goal prover g =
  let proof = g.proof in
  g.proof <- (prover,("running","10","",""))::proof;
  launch_goal prover !proj.project_context_file g

let launch_lemmas prover lemmas =
  List.iter (fun l -> launch_goal prover l.lemma_goal) lemmas

let launch_behavior prover b =
  List.iter (launch_goal prover)  b.behavior_goals

let launch_function prover f =
  List.iter (launch_behavior prover) f.function_behaviors

let launch_functions prover functions =
  List.iter (launch_function prover) functions

let interp_com c =
  try
    let (c,loc) = Hashtbl.find coms c in
    begin
    match c with
      | `ToggleFunction f ->()
      | `ToggleLemma l -> ()
      | `ToggleBehavior b -> ()
      | `ToggleGoal g -> ()
      | `OpenFunction f -> toggle_function f
      | `OpenLemma l -> toggle_lemma l
      | `OpenBehavior b -> toggle_behavior b
      | `OpenGoal g -> toggle_goal g
      | `LaunchErgo g -> let _ =  Thread.create (launch_goal Ergo) g in ()
      | `LaunchErgoLemma -> let _ =  
	    Thread.create (launch_lemmas Ergo) !proj.project_lemmas in ()
      | `LaunchErgoFunctions -> let _ =  
	  Thread.create (launch_functions Ergo) !proj.project_functions in ()
      | `LaunchErgoBehavior b -> 
	  let _ =  Thread.create (launch_behavior Ergo)  b in ()
      | `LaunchErgoFunction f -> 
	  let _ =  Thread.create (launch_function Ergo) f  in ()
      | `LaunchSimplify g -> 
	  let _ = Thread.create (launch_goal Simplify) g in ()
      | `LaunchSimplifyLemma -> let _ =  
	    Thread.create (launch_lemmas Simplify) !proj.project_lemmas in ()
      | `LaunchSimplifyFunctions -> let _ =  
	  Thread.create (launch_functions Simplify) !proj.project_functions 
	in ()
      | `LaunchSimplifyBehavior b -> 
	  let _ =  Thread.create (launch_behavior Simplify)  b in ()
      | `LaunchSimplifyFunction f -> 
	  let _ =  Thread.create (launch_function Simplify) f  in ()
      | `LaunchZ3 g -> let _ =  Thread.create (launch_goal Z3) g in ()
      | `LaunchZ3Lemma -> let _ =  
	    Thread.create (launch_lemmas Z3) !proj.project_lemmas in ()
      | `LaunchZ3Functions -> let _ =  
	  Thread.create (launch_functions Z3) !proj.project_functions in ()
      | `LaunchZ3Behavior b -> 
	  let _ =  Thread.create (launch_behavior Z3)  b in ()
      | `LaunchZ3Function f -> 
	  let _ =  Thread.create (launch_function Z3) f  in ()
      | `LaunchYices g -> let _ =  Thread.create (launch_goal Yices) g in ()
      | `LaunchYicesLemma -> let _ =  
	    Thread.create (launch_lemmas Yices) !proj.project_lemmas in ()
      | `LaunchYicesFunctions -> let _ =  
	  Thread.create (launch_functions Yices) !proj.project_functions 
	in ()
      | `LaunchYicesBehavior b -> 
	  let _ =  Thread.create (launch_behavior Yices)  b in ()
      | `LaunchYicesFunction f -> 
	  let _ =  Thread.create (launch_function Yices) f  in ()
      | `LaunchCvc3 g -> let _ =  Thread.create (launch_goal Cvc3) g in ()
      | `LaunchCvc3Lemma -> let _ =  
	    Thread.create (launch_lemmas Cvc3) !proj.project_lemmas in ()
      | `LaunchCvc3Functions -> let _ =  
	  Thread.create (launch_functions Cvc3) !proj.project_functions in ()
      | `LaunchCvc3Behavior b -> 
	  let _ =  Thread.create (launch_behavior Cvc3)  b in ()
      | `LaunchCvc3Function f -> 
	  let _ =  Thread.create (launch_function Cvc3) f  in ()
      | `Save -> Project.save !proj !proj.project_name
    end;
    loc
  with Not_found -> ("",0,0,0)

let com_count = ref 0

let reg_com c =
  incr com_count;
  let loc = match c with     
    | `ToggleFunction f ->   
	let (_,lin,_,_) = f.function_loc in
	current_line := lin; 
	f.function_loc
    | `ToggleLemma l -> 
	let (_,lin,_,_) = l.lemma_loc in
	current_line := lin;
	l.lemma_loc
    | `ToggleBehavior b -> 
	let (_,lin,_,_) = b.behavior_loc in
	current_line := lin;
	b.behavior_loc
    | `ToggleGoal g -> 
	let (_,lin,_,_) = g.goal_expl.Logic_decl.vc_loc in
	current_line := lin;
	g.goal_expl.Logic_decl.vc_loc   
    | `OpenFunction _
    | `OpenLemma _
    | `OpenBehavior _
    | `OpenGoal _ -> (!file,!line,!beginning,!ending)
    | `LaunchErgo _ -> (!file,!line,!beginning,!ending) 
    | `LaunchErgoLemma -> (!file,!line,!beginning,!ending)
    | `LaunchErgoFunctions -> (!file,!line,!beginning,!ending)
    | `LaunchErgoBehavior  _ -> (!file,!line,!beginning,!ending)
    | `LaunchErgoFunction  _ -> (!file,!line,!beginning,!ending)
    | `LaunchSimplify _ -> (!file,!line,!beginning,!ending) 
    | `LaunchSimplifyLemma -> (!file,!line,!beginning,!ending)
    | `LaunchSimplifyFunctions -> (!file,!line,!beginning,!ending)
    | `LaunchSimplifyBehavior  _ -> (!file,!line,!beginning,!ending)
    | `LaunchSimplifyFunction  _ -> (!file,!line,!beginning,!ending)
    | `LaunchZ3 _ -> (!file,!line,!beginning,!ending) 
    | `LaunchZ3Lemma -> (!file,!line,!beginning,!ending)
    | `LaunchZ3Functions -> (!file,!line,!beginning,!ending)
    | `LaunchZ3Behavior  _ -> (!file,!line,!beginning,!ending)
    | `LaunchZ3Function  _ -> (!file,!line,!beginning,!ending)
    | `LaunchYices _ -> (!file,!line,!beginning,!ending) 
    | `LaunchYicesLemma -> (!file,!line,!beginning,!ending)
    | `LaunchYicesFunctions -> (!file,!line,!beginning,!ending)
    | `LaunchYicesBehavior  _ -> (!file,!line,!beginning,!ending)
    | `LaunchYicesFunction  _ -> (!file,!line,!beginning,!ending)
    | `LaunchCvc3 _ -> (!file,!line,!beginning,!ending) 
    | `LaunchCvc3Lemma -> (!file,!line,!beginning,!ending)
    | `LaunchCvc3Functions -> (!file,!line,!beginning,!ending)
    | `LaunchCvc3Behavior  _ -> (!file,!line,!beginning,!ending)
    | `LaunchCvc3Function  _ -> (!file,!line,!beginning,!ending)
    | `Save -> (!file,!line,!beginning,!ending)
  in
  let n = string_of_int !com_count in
  Hashtbl.add coms n (c,loc);
  !proj.project_name ^ "?" ^ n
  

(* main *)

open Wserver
open Format

let main_page msg =
  wprint "
Welcome to the World-Why-Web
";
  wprint "
List of current projects
";
  wprint "
    ";
  wprint "
  1.  test";
  wprint "
  2.  Gcd";
  wprint "
  3.  Lesson1";
  wprint "
";
  if msg <> "" then
    begin
      wprint "
%s" msg;
    end

let load_prj file =
  eprintf "Reading file %s@." file;
  try
    proj := Project.load file;
    proj_file := file;
  with
      Sys_error _ -> 
	let msg = "Cannot open file " ^ file in
	eprintf "%s@." msg;
	main_page msg;
	raise Exit
	
let toogletooltip b s =
  (if b then "close" else "open") ^ s
  
let rec find_prover l = 
  match  l with
    | (prover,(status,_,_,_))::l -> (prover,status)::(find_prover l)
    | [] -> []

let validity nl valid = 
  let(valid,color) =
    match valid with 
    | "valid" -> "Valid", valid_color
    | "timeout" -> "TimeOut", timeout_color
    | "cannotdecide" -> "Unknown", cannotdecide_color
    | "invalid" ->  "Invalid", invalid_color
    | "failure"-> "Failed", failed_color
    | "running" -> "Running", running_color
    | _ -> assert false 
  in
  wprint "%s" 
   color nl valid

let goal_validity_bool prover g = 
  let list_prover = find_prover g.proof in
  let valid =  try 
      List.assoc prover list_prover 
    with Not_found -> "invalid" 
  in 
  valid

let goal_validity prover g nl = validity nl (goal_validity_bool prover g)

let goal_is_valid prover g = 
  let (v,_,_,_) = try List.assoc prover g.proof  
    with Not_found -> ("invalid","","","")
  in
  v = "valid"

let behavior_validity prover b =
  List.for_all (goal_is_valid prover)  b.behavior_goals 

let function_validity prover f =
  List.for_all (behavior_validity prover) f.function_behaviors


let goal g indice indent =
  let s =fprintf str_formatter "%s" 
    (Explain.msg_of_kind g.goal_expl.Logic_decl.vc_kind);
    flush_str_formatter ()
  in
  let nt = reg_com (`ToggleGoal g) in 
  let no = reg_com (`OpenGoal g) in 
  let call_provers = 
    List.map (fun prover -> (prover,
			     match prover with 
			       | Ergo -> reg_com (`LaunchErgo g)
			       | Simplify -> reg_com (`LaunchSimplify g)
			       | Z3 -> reg_com (`LaunchZ3 g) 
			       | Yices -> reg_com (`LaunchYices g) 
			       | Cvc3 -> reg_com (`LaunchCvc3 g)
			       | _ -> assert false)) provers in
  let op = List.assoc "ww_open" g.goal_tags = "true" in
  if op 
  then wprint "    %s-" indent no !current_line
  else wprint "    %s+" indent no !current_line; 
  wprint "%d : %s
" indice nt !current_line s;
  if op 
  then
    begin
      try
	wprint "
";
	let fi = open_in g.goal_file in
	begin
	  try 
	    while true do  
	      wprint "%s
" (input_line fi);
	    done
	  with End_of_file -> close_in fi
	end;
	wprint "
";
      with Sys_error _ -> 
	wprint "File %s don't exist" g.goal_file;
    end;
  List.iter (fun (prover,launcher) -> goal_validity prover g launcher ) 
    call_provers;
  wprint "
"

let string_of_addr addr = 
  match addr with 
    | Unix.ADDR_UNIX s -> s
    | Unix.ADDR_INET (ie,i) -> 
	(Unix.string_of_inet_addr ie)^":"^string_of_int(i)

let () =
  Wserver.f None !port 60 None
    (fun (addr,req) script cont ->
       eprintf "add : %s@." (string_of_addr addr);
       eprintf "request: %a@." (Pp.print_list Pp.comma pp_print_string) req;
       eprintf "script: `%s'@." script;
       eprintf "cont: `%s'@." cont;
       http "";
       current_page := "http://localhost:2372/" ^ script;
       wprint "



 

 
WhyWeb


" !current_page;
       try
	 if script = "" then 
	   begin
	     if cont = "" then (main_page ""; raise Exit);
	     load_prj cont;
	   end
	 else 
	   if !proj.project_name <> script then
	     begin
	       eprintf "Previous project: `%s'@." !proj.project_name;
	       eprintf "TODO: save previous project@.";
	       main_page "Argument is not the currently opened project";
	       raise Exit
	     end;
	 let (loc_file,loc_line,loc_beginning,loc_ending) = interp_com cont in
	 file := loc_file;
	 line := loc_line;
	 beginning := loc_beginning;
	 ending := loc_ending;
	 Hashtbl.clear coms;
	 com_count := 0;
	 wprint "
 Project name: %s



" !proj.project_name;
     let ns = reg_com (`Save) in
wprint "
Save Project

" ns;
	 wprint "";
	 List.iter (fun prover -> 
		      wprint "" (Project.provers_name prover)) 
	   provers;
	 wprint "
";
	 wprint ""; 
	 let call_provers = 
	   List.map (fun prover -> 
		       (prover,
			match prover with 
			  | Ergo -> reg_com (`LaunchErgoLemma)
			  | Simplify -> reg_com (`LaunchSimplifyLemma)
			  | Z3 -> reg_com (`LaunchZ3Lemma) 
			  | Yices -> reg_com (`LaunchYicesLemma) 
			  | Cvc3 -> reg_com (`LaunchCvc3Lemma)
			  | Other -> assert false)) provers in
	 List.iter (fun (prover,launch) ->
		     if (List.for_all 
			   (fun l -> 
			      "valid" = 
			       (goal_validity_bool prover l.lemma_goal)) 
			   !proj.project_lemmas) 
		     then validity launch "valid"
		     else validity launch "invalid" ) call_provers;
	 wprint "
";
	 let indice = ref 1 in
 	 List.iter 
 	   (fun l ->  
 	      let nt = reg_com (`ToggleLemma l) in  
 	      let no = reg_com (`OpenLemma l) in  
	      let op = List.assoc "ww_open" l.lemma_tags = "true" in 
 	      if op  
 	      then 
		begin
		  wprint "" !indice nt  
 		!current_line l.lemma_name; 
 	      wprint " 
 "; 
 	      indice := !indice +1; 
 	      if op then  
 		begin  
 		  goal l.lemma_goal 1 "";  
 		end  
 	   ) 
 	   !proj.project_lemmas; 
 wprint "
";
	 wprint "
"; 
	 let call_provers = 
	   List.map (fun prover -> 
		       (prover,
			match prover with 
			  | Ergo -> reg_com(`LaunchErgoFunctions)
			  | Simplify -> reg_com(`LaunchSimplifyFunctions)
			  | Z3 -> reg_com(`LaunchZ3Functions) 
			  | Yices -> reg_com(`LaunchYicesFunctions) 
			  | Cvc3 -> reg_com(`LaunchCvc3Functions)
			  | Other -> assert false)) provers
	 in
	 List.iter (fun (prover,launch) ->
		      if (List.for_all (function_validity prover) 
			    !proj.project_functions) 
	 then validity launch "valid" 
	 else validity launch "invalid") call_provers;
	 wprint "
";
	 let indice = ref 1 in
	 List.iter
	   (fun f -> 
	      let nt = reg_com (`ToggleFunction f) in 
	      let no = reg_com (`OpenFunction f) in
	      let call_provers = 
		List.map (fun prover -> 
			    (prover,
			     match prover with 
			       | Ergo -> reg_com (`LaunchErgoFunction f)
			       | Simplify -> 
				   reg_com (`LaunchSimplifyFunction f)
			       | Z3 -> reg_com (`LaunchZ3Function f) 
			       | Yices -> reg_com (`LaunchYicesFunction f) 
			       | Cvc3 -> reg_com (`LaunchCvc3Function f)
			       | Other -> assert false)) 
		  provers in	 
	      let op = List.assoc "ww_open" f.function_tags = "true" in
	      if op
	      then wprint "" !indice nt !current_line f.function_name;
	      List.iter (fun (prover,launch) ->
			   if (function_validity prover f)
			   then validity launch "valid"
			   else validity launch "invalid") call_provers;
	      wprint "
";
	      indice := !indice +1;
	      if op then
		begin
		  let indice = ref 1 in
		  List.iter
		    (fun b ->
		       let nt = reg_com (`ToggleBehavior b) in 
		       let no = reg_com (`OpenBehavior b) in 
		       let call_provers = 
			 List.map (fun prover -> 
				     (prover,
				      match prover with 
					| Ergo -> 
					    reg_com (`LaunchErgoBehavior b)
					| Simplify -> 
					    reg_com (`LaunchSimplifyBehavior b)
					| Z3 -> 
					    reg_com (`LaunchZ3Behavior b) 
					| Yices -> 
					    reg_com (`LaunchYicesBehavior b) 
					| Cvc3 -> 
					    reg_com (`LaunchCvc3Behavior b)
					| Other -> assert false))
			   provers in
		       let op = 
			 List.assoc "ww_open" b.behavior_tags = "true" in
		       if op 
		       then 
			 wprint "" 
			 !indice nt !current_line b.behavior_name;
		       List.iter (fun (prover,launch) ->
				    if (behavior_validity prover b)
				    then validity launch "valid"
				    else validity launch "invalid") 
			 call_provers;
		       wprint "
";
		       indice := !indice +1;
		       if op then
			 begin
			   let indice = ref 0 in
			   List.iter(fun x ->   indice :=  !indice +1;goal x !indice "   ") b.behavior_goals;
			 end)
		    f.function_behaviors;
		end)
	   !proj.project_functions;
	 raise Exit
       with
	   Exit -> 
	     begin
	       wprint "

%s
Lemmas
-" no !current_line; 
		end
 	      else wprint "
+" no !current_line;
 	      wprint "%d : %s
Functions
-" no !current_line
	      else wprint "
+" no !current_line;
              wprint "%d : %s
   -" no
			   !current_line
		       else 
			 wprint "
   +" no
			   !current_line;
		       wprint "%d : %s







 
";
	       if !file = "" then ()
	       else 
		 let fi = open_in !file in
		 begin
		   try 
		     let l = ref 1 in
		     let c = ref 1 in
		     let in_select = ref false in
		     wprint "" !l;
		     while true do  
		       let char = input_char fi in
		       if char = '\n'
		       then
			 begin
			   l := !l+1;
			   if not !in_select then c := 0 else ();
			   wprint "" !l
			 end
		       else ();
		       if (!l = !line && !c = !beginning)
		       then
			 begin
			   wprint "";
			   in_select := true
			 end
		       else ();
		       wprint "%c" char;
		       if (!c = !ending) then wprint "" else ();
		       c := !c+1
		     done
		   with End_of_file -> close_in fi
		 end;
		 wprint "


"
	     end)
why-2.39/src/explain.ml0000644000106100004300000001236713147234006014023 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

(* explanations *)

(* dead code
let program_locs = Hashtbl.create 17

let read_in_file f l b e = 
  let ch = open_in f in
  for i = 2 to l do
    ignore (input_line ch)
  done;
  for i = 1 to b do
    ignore (input_char ch)
  done;
  let buf = Buffer.create 17 in
  for i = b to e-1 do
    Buffer.add_char buf (input_char ch)
  done;
  Buffer.contents buf
*)
 
open Format
open Logic_decl

  
let raw_loc ?(quote=false) ?(pref="") fmt (f,l,b,e) =
  if quote 
  then
    begin
      fprintf fmt "%sfile = \"%s\" " pref f;
      fprintf fmt "%sline = \"%d\" " pref l;
      fprintf fmt "%sbegin = \"%d\" " pref b;
      fprintf fmt "%send = \"%d\"" pref e
    end
  else
    begin
      fprintf fmt "%sfile = \"%s\"@\n" pref f;
      fprintf fmt "%sline = %d@\n" pref l;
      fprintf fmt "%sbegin = %d@\n" pref b;
      fprintf fmt "%send = %d@\n" pref e
    end
 
let print_formula fmt s =
  if String.length s > 0 then
    fprintf fmt "formula = \"%s\"@\n" s

let string_of_kind k =
  match k with
    | EKOther _ -> "Other"
    | EKAbsurd -> "Absurd"
    | EKAssert -> "Assert"
    | EKCheck -> "Check"
    | EKPre _ -> "Pre" 
    | EKPost -> "Post"
    | EKWfRel -> "WfRel"
    | EKVarDecr -> "VarDecr" 
    | EKLoopInvInit _ -> "LoopInvInit"
    | EKLoopInvPreserv _ -> "LoopInvPreserv"
    | EKLemma -> "Lemma"
	
let print_kind ?(quote=false) fmt (loc,k,lab) =
  (* 
     Option_misc.iter (fun lab ->  fprintf fmt "label = %s@\n" lab) labopt; 
  *)
  if not quote then
    begin
      raw_loc fmt loc;
      match lab with
	| None -> ()
	| Some s ->
            fprintf fmt "source_label = \"%s\"@\n" s
    end;
  match k with
    | EKOther s | EKPre s -> 
	fprintf fmt "kind = \"%s\"@\ntext = \"%s\"" (string_of_kind k) s
    | EKAbsurd | EKAssert | EKCheck | EKPost | EKWfRel | EKVarDecr 
    | EKLemma -> 
	fprintf fmt "kind = \"%s\"" (string_of_kind k)
    | EKLoopInvInit s | EKLoopInvPreserv s -> 
	fprintf fmt "kind = \"%s\"" (string_of_kind k);
	print_formula fmt s
 
let print ?(quote=false) fmt  e = 
  print_kind ~quote fmt (e.vc_loc,e.vc_kind,e.vc_label)

let msg_of_loopinv = function
  | "" -> "loop invariant"
  | s -> "generated loop inv. '" ^ s ^"'"

let msg_of_kind ?name = 
  function
    | EKPre "PointerDeref" -> "pointer dereferencing"
    | EKPre "IndexBounds" -> "check index bounds"
    | EKPre "ArithOverflow" -> "check arithmetic overflow"
    | EKPre "FPOverflow" -> "check FP overflow"
    | EKPre "DivByZero" -> "check division by zero"
    | EKPre "AllocSize" -> "check allocation size"
    | EKPre "UserCall" -> "precondition for user call"
    | EKPre "" -> "precondition"
    | EKPre s -> "unclassified precondition `" ^ s ^ "'"
    | EKOther s -> "unclassified obligation `" ^ s ^ "'"
    | EKAbsurd -> "code unreachable"
    | EKAssert -> "assertion"
    | EKCheck -> "check"
    | EKPost -> "postcondition"
    | EKWfRel -> "relation is well-founded"
    | EKVarDecr -> "variant decreases" 
    | EKLoopInvInit s -> msg_of_loopinv s ^ " initially holds"
    | EKLoopInvPreserv s -> msg_of_loopinv s ^ " preserved"
    | EKLemma -> "lemma" ^ (match name with None -> "" | Some s -> " " ^ s)
why-2.39/src/gappa.ml0000644000106100004300000005745113147234006013456 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(*s Gappa's output *)

open Ident
open Options
open Misc
open Logic
open Cc
open Format
open Pp

module HashedTerm = struct
  type t = term

  let rec equal t1 t2 =
    match t1, t2 with
      | Tconst c1, Tconst c2 -> c1 = c2
      | Tvar v1, Tvar v2 -> v1 == v2
      | Tderef d1, Tderef d2 -> d1 == d2
      | Tapp (a1, l1, _), Tapp (a2, l2, _) ->
          a1 == a2 &&
          (try List.for_all2 equal l1 l2 with _ -> false)
      | Tnamed (_, t1), Tnamed (_, t2) -> equal t1 t2
      | _ -> false

  let combine n acc = acc * 65599 + n

  let rec hash = function
    | Tconst c -> combine 1 (Hashtbl.hash c)
    | Tvar v -> combine 2 (Hashtbl.hash v)
    | Tderef d -> combine 3 (Hashtbl.hash d)
    | Tapp (a, l, _) ->
        combine (Hashtbl.hash a) (List.fold_left
          (fun acc i -> combine (hash i) acc) 4 l)
    | Tnamed (_, t) -> combine 5 (hash t)
end

module Termtbl = Hashtbl.Make(HashedTerm)

(* Gappa terms and formulas *)

(* fields of the float model *)
type float_field = Rounded | Exact | Model
(* formats of the float model *)
type float_fmt = Int | Single | Double (* | Binary80 *)
(* modes of the float model *)
type mode = RndNE | RndZR | RndUP | RndDN | RndNA

type gterm =
  | Gvar of string
  | Gfld of float_field * string
  | Grnd of float_fmt * mode * gterm
  | Gcst of string
  | Gsqrt of gterm
  | Gneg of gterm
  | Gadd of gterm * gterm
  | Gsub of gterm * gterm
  | Gmul of gterm * gterm
  | Gdiv of gterm * gterm
  | Gabs of gterm

type gpred =
  | Gle of gterm * string
  | Gge of gterm * string
  | Gin of gterm * string * string
  | Grel of gterm * gterm * string
  | Gimplies of gpred * gpred
  | Gand of gpred * gpred
  | Gor of gpred * gpred
  | Gnot of gpred

(* dead code
type gobligation = (string * gterm) list * gpred
*)

exception NotGappa

(* compilation to Gappa formulas *)

let real_of_int = Ident.create "real_of_int"
let truncate_real_to_int = Ident.create "truncate_real_to_int"

let rnd_ne = Ident.create "nearest_even"
let rnd_zr = Ident.create "to_zero"
let rnd_up = Ident.create "up"
let rnd_dn = Ident.create "down"
let rnd_na = Ident.create "nearest_away"

let single_type = Ident.create "single"
let double_type = Ident.create "double"

let max_single = Ident.create "max_single"
let max_double = Ident.create "max_double"
let round_single = Ident.create "round_single"
let round_double = Ident.create "round_double"
let single_round_error = Ident.create "single_round_error"
let double_round_error = Ident.create "double_round_error"
let round_single_logic = Ident.create "round_single_logic"
let round_double_logic = Ident.create "round_double_logic"
let single_to_double = Ident.create "single_to_double"
let double_to_single = Ident.create "double_to_single"

let single_value = Ident.create "single_value"
let double_value = Ident.create "double_value"
let single_exact = Ident.create "single_exact"
let double_exact = Ident.create "double_exact"
let single_model = Ident.create "single_model"
let double_model = Ident.create "double_model"

let is_int_constant = function
  | Tconst (ConstInt _) -> true
  | Tapp (id, [Tconst (ConstInt _)], _) when id == t_neg_int -> true
  | _ -> false

let eval_int_constant = function
  | Tconst (ConstInt n) -> n
  | Tapp (id, [Tconst (ConstInt n)], _) when id == t_neg_int -> "-"^n
  | _ -> assert false

let is_pos_constant = function
  | Tconst (ConstInt _) -> true
  | Tconst (ConstFloat _) -> true
  | Tapp (id, [Tconst (ConstInt _)], _) when id == real_of_int -> true
  | Tapp (id,_,_) when id == max_single -> true
  | Tapp (id,_,_) when id == max_double -> true
  | _ -> false

let is_constant = function
  | t when is_int_constant t -> true
  | t when is_pos_constant t -> true
  | Tapp (id, [t], _) when id == real_of_int && is_int_constant t -> true
  | Tapp (id, [t], _) when id == t_neg_real  && is_pos_constant t -> true
  | _ -> false

let eval_rconst = function
  | RConstDecimal (i, f, None)   -> Printf.sprintf "%s.%s"      i f
  | RConstDecimal (i, f, Some e) -> Printf.sprintf "%s.%se%s"   i f e
  | RConstHexa (i, f, e)         -> Printf.sprintf "0x%s.%sp%s" i f e

let eval_pos_constant = function
  | Tconst (ConstInt n) -> n
  | Tconst (ConstFloat f) -> eval_rconst f
  | Tapp (id, [Tconst (ConstInt n)], _) when id == real_of_int -> n
  | Tapp (id,_,_) when id == max_single -> "0x1.FFFFFEp127"
  | Tapp (id,_,_) when id == max_double -> "0x1.FFFFFFFFFFFFFp1023"
  | _ -> raise NotGappa

let eval_constant = function
  | t when is_int_constant t -> eval_int_constant t
  | t when is_pos_constant t -> eval_pos_constant t
  | Tapp (id, [t], _) when id == real_of_int && is_int_constant t
      -> eval_int_constant t
  | Tapp (id, [t], _) when id == t_neg_real  && is_pos_constant t
      -> "-" ^ (eval_pos_constant t)
  | _ -> raise NotGappa

let field_of_id s =
  if s == single_value || s == double_value then Rounded else
  if s == single_exact || s == double_exact then Exact else
  if s == single_model || s == double_model then Model else
  assert false

let mode_of_id s =
  if s == rnd_ne then RndNE else
  if s == rnd_zr then RndZR else
  if s == rnd_up then RndUP else
  if s == rnd_dn then RndDN else
  if s == rnd_na then RndNA else
  raise NotGappa

(* contains all the terms that have been generalized away,
   because they were not recognized *)
let gen_table = Termtbl.create 10

(* contains the terms associated to variables, especially gen_float variables *)
let var_table = Hashtbl.create 10

(* contains the roundings used *)
let rnd_table = Hashtbl.create 10

(* contains the names already defined,
   so new definitions should be as equalities *)
let def_table = Hashtbl.create 10

(* contains the reverted list of aliases from def_table *)
let def_list = ref []

(* contains the list of format-implied bounds on float variables *)
let bnd_list = ref []

let rec subst_var = function
  | Tvar id as t ->
    begin
      try
        Hashtbl.find var_table id
      with Not_found ->
        t
    end
  | Tnamed (_, t) -> subst_var t
  | Tapp (id, l1, l2) -> Tapp (id, List.map subst_var l1, l2)
  | t -> t

let rec create_var = function
  | Tvar v -> Ident.string v
  | Tnamed (_, t) -> create_var t
  | _ as t ->
      try
        Termtbl.find gen_table t
      with Not_found ->
        let n = Ident.string (fresh_var ()) in
(*
        Format.eprintf "creating var for %a {%i}@." Util.print_term t (HashedTerm.hash t);
*)
        Termtbl.replace gen_table t n;
        n

let rec term = function
  | t when is_constant t ->
      Gcst (eval_constant t)
  | Tconst _ ->
      raise NotGappa
  | Tvar id ->
      Gvar (Ident.string id)
  | Tderef id ->
      Gvar (Ident.string id)
  (* int and real ops *)
  | Tapp (id, [t], _) when id == t_neg_real || id = t_neg_int ->
      Gneg (term t)
  | Tapp (id, [t], _) when id == t_abs_real || id == t_abs_int ->
      Gabs (term t)
  | Tapp (id, [t], _) when id == t_sqrt_real ->
      Gsqrt (term t)
  | Tapp (id, [t1; t2], _) when id == t_add_real || id = t_add_int ->
      Gadd (term t1, term t2)
  | Tapp (id, [t1; t2], _) when id == t_sub_real || id = t_sub_int ->
      Gsub (term t1, term t2)
  | Tapp (id, [t1; t2], _) when id == t_mul_real || id = t_mul_int ->
      Gmul (term t1, term t2)
  | Tapp (id, [t1; t2], _) when id == t_div_real ->
      Gdiv (term t1, term t2)
  (* conversion int -> real *)
  | Tapp (id, [t], _) when id == real_of_int ->
      term t
  (* conversion real -> int by truncate, i.e. towards zero *)
  | Tapp (id, [t], _) when id == truncate_real_to_int ->
      let mode = RndZR in
      Hashtbl.replace rnd_table (Int, mode) ();
      Grnd (Int, mode, term t)

  (* [Jessie] rounding *)
  | Tapp (id, [Tapp (m, [], _); t], _)
      when id == round_single ->
      let mode = mode_of_id m in
      Hashtbl.replace rnd_table (Single, mode) ();
      Grnd (Single, mode, term t)
  | Tapp (id, [Tapp (m, [], _); t], _)
      when id == round_double ->
      let mode = mode_of_id m in
      Hashtbl.replace rnd_table (Double, mode) ();
      Grnd (Double, mode, term t)

  | Tapp (id1, [Tapp (id2, l1, l2)], _)
      when id1 == single_value && id2 == round_single_logic ->
      term (Tapp (round_single, l1, l2))
  | Tapp (id1, [Tapp (id2, l1, l2)], _)
      when id1 == double_value && id2 == round_double_logic ->
      term (Tapp (round_double, l1, l2))

  (* casts *)
  | Tapp (id1, [Tapp (id2,[Tapp (m, [], _); t] , l2)], _)  
      when id1 == single_value && id2 == double_to_single ->
      let mode = mode_of_id m in
      Hashtbl.replace rnd_table (Single, mode) ();
      Grnd (Single, mode, term (Tapp (double_value,[t],l2)))

  | Tapp (id1, [Tapp (id2,[Tapp (_m, [], _); t] , l2)], _)  
      when id1 == double_value && id2 == single_to_double ->
        term (Tapp (single_value,[t],l2))


  | Tapp (id, [t], _)
      when (id == single_value || id == double_value || id == single_exact 
         || id == double_exact || id == single_model || id == double_model) ->
      let v = create_var t in
      let f = field_of_id id in
      let add_def fmt =
        if not (Hashtbl.mem def_table (f, v)) then begin
          Hashtbl.add def_table (f, v) ();
          Hashtbl.replace rnd_table (fmt, RndNE) ();
          def_list := (f, v, Grnd (fmt, RndNE, Gvar ("dummy_float_" ^ v))) :: !def_list;
          let b =
            if fmt = Single then "0x1.FFFFFEp127" else
            if fmt = Double then "0x1.FFFFFFFFFFFFFp1023" else
            assert false in
          bnd_list := Gin (Gfld (f, v), "-"^b, b) :: !bnd_list
        end in
      if id == single_value then add_def Single else
      if id == double_value then add_def Double;
      Gfld (f, v)

  | Tapp (id, [t], _) 
    when id == single_round_error || id == double_round_error ->
    let v = create_var t in
    Gabs (Gsub (Gfld (Rounded, v), Gfld (Exact, v)))

  | Tnamed(_,t) -> term t

  (* anything else is generalized as a fresh variable *)
  | Tapp _ as t ->
      Gvar (create_var t)


let termo t = try Some (term (subst_var t)) with NotGappa -> None

(* recognition of a Gappa predicate *)

let rec is_float_type = function
  | PTexternal ([], id) when id == single_type || id == double_type 
      -> true
  | PTvar {type_val=Some t} -> is_float_type t
  | PTexternal _ 
  | PTvar _
  | PTunit
  | PTreal
  | PTbool
  | PTint -> false


let rec gpred def = function
  | Papp (id, [t1; t2], _) when id == t_le_real || id == t_le_int ->
      begin match termo t1, termo t2 with
	| Some (Gcst c1), Some t2 -> Some (Gge (t2, c1))
	| Some t1, Some (Gcst c2) -> Some (Gle (t1, c2))
        | Some t1, Some t2 ->
            begin match t1, t2 with
              | Gabs (Gsub (t1, t2)), Gmul (Gcst c, Gabs t3) when t2 = t3 ->
                  Some (Grel (t1, t2, c))
              | Gabs (Gsub (t2, t1)), Gmul (Gcst c, Gabs t3) when t2 = t3 ->
                  Some (Grel (t1, t2, c))
              | Gabs (Gsub (t1, t2)), Gmul (Gabs t3, Gcst c) when t2 = t3 ->
                  Some (Grel (t1, t2, c))
              | Gabs (Gsub (t2, t1)), Gmul (Gabs t3, Gcst c) when t2 = t3 ->
                  Some (Grel (t1, t2, c))
              | _ -> Some (Gle (Gsub (t1, t2), "0"))
            end
        | _ -> None
      end
  | Papp (id, [t1; t2], _) when id == t_ge_real || id == t_ge_int ->
      begin match termo t1, termo t2 with
	| Some (Gcst c1), Some t2 -> Some (Gle (t2, c1))
	| Some t1, Some (Gcst c2) -> Some (Gge (t1, c2))
        | Some t1, Some t2 -> Some (Gge (Gsub (t1, t2), "0"))
	| _ -> None
      end
  | Papp (id, [t1; t2], _) when id == t_lt_real || id == t_lt_int ->
      begin match termo t1, termo t2 with
        | Some (Gcst c1), Some t2 -> Some (Gnot (Gle (t2, c1)))
        | Some t1, Some (Gcst c2) -> Some (Gnot (Gge (t1, c2)))
        | Some t1, Some t2 -> Some (Gnot (Gge (Gsub (t1, t2), "0")))
        | _ -> None
      end
  | Papp (id, [t1; t2], _) when id == t_gt_real || id == t_gt_int ->
      begin match termo t1, termo t2 with
        | Some (Gcst c1), Some t2 -> Some (Gnot (Gge (t2, c1)))
        | Some t1, Some (Gcst c2) -> Some (Gnot (Gle (t1, c2)))
        | Some t1, Some t2 -> Some (Gnot (Gle (Gsub (t1, t2), "0")))
        | _ -> None
      end
  | Pand (_, _, Papp (id1, [f1; t1], _), Papp (id2, [t2; f2], _))
    when (id1 == t_le_real || id1 == t_le_int) && (id2 == t_le_real || id2 == t_le_int)
    && t1 = t2 && is_constant f1 && is_constant f2 ->
    begin 
      try Some (Gin (term t1, eval_constant f1, eval_constant f2))
      with NotGappa -> None
    end
  | Papp (id, [t1; t2], _) when (* is_eq id *) id == t_eq_int || id == t_eq_real  ->
      begin match termo t1, termo t2 with
        | Some (Gcst c1), Some t2 -> Some (Gin (t2, c1, c1))
        | Some t1, Some (Gcst c2) -> Some (Gin (t1, c2, c2))
        | Some t1, Some t2 -> Some (Gin (Gsub (t1, t2), "0", "0"))
        | _ -> None
      end
  | Papp (id, [t1; t2], [ty]) when id == t_eq && is_float_type ty ->
      begin
(*        try*)
          let v1 = create_var t1 in
          let v2 = create_var t2 in
          Some (Gin (Gsub (Gfld(Rounded,v1), (Gfld(Rounded,v2))), "0", "0"))
(*
          List.iter
            (fun f -> 
               if not (Hashtbl.mem def_table (f, vx)) then
                 begin
                   Hashtbl.add def_table (f, vx) ();
                   def_list := (f, vx, Gfld(f,v)) :: !def_list
                 end
               else raise Exit)
            [Rounded; Exact; Model];
          None
        with Exit -> 
          gpred true p
*)
      end

  | Papp (id, [t1; t2], _) when is_neq id ->
      begin match termo t1, termo t2 with
        | Some (Gcst c1), Some t2 -> Some (Gnot (Gin (t2, c1, c1)))
        | Some t1, Some (Gcst c2) -> Some (Gnot (Gin (t1, c2, c2)))
        | Some t1, Some t2 -> Some (Gnot (Gin (Gsub (t1, t2), "0", "0")))
        | _ -> None
      end
  | Pand (_, _, p1, p2) ->
      begin match gpred def p1, gpred def p2 with
        | Some p1, Some p2 -> Some (Gand (p1, p2))
        | (Some _ as p1), None when def = true -> p1
        | None, (Some _ as p2) when def = true -> p2
        | _-> None
      end
  | Por (p1, p2) ->
      begin match gpred def p1, gpred def p2 with
        | Some p1, Some p2 -> Some (Gor (p1, p2))
        | (Some _ as p1), None when def = false -> p1
        | None, (Some _ as p2) when def = false -> p2
        | _ -> None
      end
  | Pimplies (_, Papp (id, [Tconst (ConstBool true); Tconst (ConstBool true)], _), p)
      when id == t_eq_bool ->
      gpred def p
  | Pimplies (_, p1, p2) ->
      begin match gpred (not def) p1, gpred def p2 with
        | Some p1, Some p2 -> Some (Gimplies (p1, p2))
        | Some p1, None        when def = false -> Some (Gnot p1)
        | None, (Some _ as p2) when def = false -> p2
        | _ -> None
      end
  | Pnamed (_, p) ->
      gpred def p
  | Plet (_, n, _, t, p) ->
      gpred def (subst_term_in_predicate n t p)
  | Pnot p ->
      begin match gpred (not def) p with
        | Some p -> Some (Gnot p)
        | _ -> None
      end
  | Forall _ 
  | Papp _
  | Pif _
  | Piff _
  | Forallb _
  | Exists _
  | Ptrue | Pfalse | Pvar _ -> (* discarded *)
      None

(*
let gpred def p =
  Format.printf "gpred %a@." Util.print_predicate p;
  gpred def p
*)

(* extraction of a list of equalities and possibly a Gappa predicate *)

let ghyp = function
  | Papp (id, [Tvar x; t], _) when id == t_eq_int || id == t_eq_real ->
    begin
      Hashtbl.replace var_table x (subst_var t);
      None
    end
  | Papp (id, [t; Tapp (id', [Tvar x], _)], _) 
  | Papp (id, [Tapp (id', [Tvar x], _); t], _) as p
      when id == t_eq_real &&
       (id' == single_value || id' == double_value || id' == single_exact ||
        id' == double_exact || id' == single_model || id' == double_model) ->
    begin
      match termo t with
      | Some t ->
          let f = field_of_id id' in
          let vx = Ident.string x in
          if not (Hashtbl.mem def_table (f, vx)) then
           (Hashtbl.add def_table (f, vx) ();
            def_list := (f, vx, t) :: !def_list;
            None)
          else
            gpred true p
      | None ->
          gpred true p
    end
  | Papp (id, [Tvar x; t], [ty]) | Papp (id, [t; Tvar x], [ty]) as p 
        when id == t_eq && is_float_type ty ->
      begin
        try
          let v = create_var t in
          let vx = Ident.string x in
          List.iter
            (fun f -> 
               if not (Hashtbl.mem def_table (f, vx)) then
                 begin
                   Hashtbl.add def_table (f, vx) ();
                   def_list := (f, vx, Gfld(f,v)) :: !def_list
                 end
               else raise Exit)
            [Rounded; Exact; Model];
          None
        with Exit -> 
          gpred true p
      end
(*
  | Papp (id, [t1; t2], [ty]) when id == t_eq->
      eprintf "t1 = %a@." Util.print_term t1;
      eprintf "t2 = %a@." Util.print_term t2;
      eprintf "ty = %a@." Util.print_pure_type ty;
      eprintf "is_float_type(ty) = %b@." (is_float_type ty);
      assert false
*)
  | p ->
      gpred true p

(* Processing obligations.
   One Why obligation can be split into several Gappa obligations *)

let queue = Queue.create ()

let reset () =
  Queue.clear queue;
  Termtbl.clear gen_table;
  Hashtbl.clear var_table;
  Hashtbl.clear rnd_table;
  Hashtbl.clear def_table;
  def_list := [];
  bnd_list := []

let add_ctx_vars =
  List.fold_left 
    (fun acc -> function Svar (id,_) -> Idset.add id acc | _ -> acc)

(* takes a reverted context and returns an augmented reverted context *)
let rec intros ctx = function
  | Forall (_, id, n, t, _, p) ->
      let id' = next_away id (add_ctx_vars (predicate_vars p) ctx) in
      let p' = subst_in_predicate (subst_onev n id') p in
      intros (Svar (id', t) :: ctx) p'
  | Pimplies (_, a, b) -> 
      let h = fresh_hyp () in 
      intros (Spred (h, a) :: ctx) b
  | Pnamed (_, p) ->
      intros ctx p
  | c -> 
      ctx, c

let rec handle_hyp p acc =
  match p with
    | Pnamed (_, p) -> handle_hyp p acc
    | Pand (_, _, p1, p2) -> handle_hyp p2 (handle_hyp p1 acc)
    | _ ->
        match ghyp p with
          | Some p -> p :: acc
          | None -> acc

let process_obligation (ctx, concl) =
  let ctx, concl = intros (List.rev ctx) concl in
  let ctx = List.rev ctx in
  let pl =
    List.fold_left
      (fun pl h ->
        match h with
          | Svar _ -> pl
          | Spred (_, p) -> handle_hyp p pl)
      [] ctx
    in
  let gconcl =
    match gpred false concl with
      | None -> Gle (Gcst "1", "0")
      | Some p -> p
    in
  let gconcl = List.fold_left (fun acc p -> Gimplies (p, acc)) gconcl pl in
  let gconcl = List.fold_left (fun acc p -> Gimplies (p, acc)) gconcl !bnd_list in
  Queue.add (List.rev !def_list, gconcl) queue

let push_decl d =
  let decl = PredDefExpansor.push ~recursive_expand:true d in
  match decl with
  | Logic_decl.Dgoal (_,_,_,_,s) -> process_obligation s.Env.scheme_type
  | _ -> ()

let get_format = function
  | Single -> "ieee_32"
  | Double -> "ieee_64"
(*
  | Binary80 -> "x86_80"
*)
  | Int -> "int"

let get_mode = function
  | RndNE -> "ne"
  | RndZR -> "zr"
  | RndUP -> "up"
  | RndDN -> "dn"
  | RndNA -> "na"

let rec print_term fmt = function
  | Gvar x -> fprintf fmt "%s" x
  | Gfld (Rounded, x) -> fprintf fmt "float_%s" x
  | Gfld (Exact,   x) -> fprintf fmt "exact_%s" x
  | Gfld (Model,   x) -> fprintf fmt "model_%s" x
  | Grnd (f, m, t) -> 
      fprintf fmt "rnd_%s%s(%a)" (get_format f) (get_mode m) print_term t
  | Gcst c -> fprintf fmt "%s" c
  | Gneg t -> fprintf fmt "(-%a)" print_term t
  | Gadd (t1, t2) -> fprintf fmt "(%a + %a)" print_term t1 print_term t2
  | Gsub (t1, t2) -> fprintf fmt "(%a - %a)" print_term t1 print_term t2
  | Gmul (t1, t2) -> fprintf fmt "(%a * %a)" print_term t1 print_term t2
  | Gdiv (t1, t2) -> fprintf fmt "(%a / %a)" print_term t1 print_term t2
  | Gabs t -> fprintf fmt "|%a|" print_term t
  | Gsqrt t -> fprintf fmt "sqrt(%a)" print_term t

let rec print_pred_atom fmt = function
  | Gle (t, r1) ->
      fprintf fmt "%a <= %s" print_term t r1
  | Gge (t, r1) ->
      fprintf fmt "%a >= %s" print_term t r1
  | Gin (t, r1, r2) ->
      fprintf fmt "%a in [%s, %s]" print_term t r1 r2
  | Grel (t1, t2, r1) ->
      fprintf fmt "|%a -/ %a| <= %s" print_term t1 print_term t2 r1
  | Gnot p ->
      fprintf fmt "not %a" print_pred_atom p
  | _ as p ->
      fprintf fmt "(%a)" print_pred p
and print_pred_left fmt = function
  | Gand (p1, p2) ->
      fprintf fmt "@[%a /\\@ %a@]" print_pred_atom p1 print_pred_atom p2
  | Gor (p1, p2) ->
      fprintf fmt "@[%a \\/@ %a@]" print_pred_atom p1 print_pred_atom p2
  | _ as p ->
      print_pred_atom fmt p
and print_pred fmt = function
  | Gimplies (p1, p2) ->
      fprintf fmt "@[%a ->@ %a@]" print_pred_left p1 print_pred p2
  | _ as p ->
      print_pred_left fmt p

let print_equation fmt (e, x, t) =
  let e =
    match e with
    | Rounded -> "float_"
    | Exact -> "exact_"
    | Model -> "model_" in
  fprintf fmt "@[%s%s = %a;@]" e x print_term t

let print_obligation fmt (eq,p) =
  Hashtbl.iter 
    (fun (f, m) () ->
       let m = get_mode m in
       match f with 
         | Int ->
             fprintf fmt "@@rnd_int%s = int<%s>;@\n" m m 
         | _ ->
             let f = get_format f in
             fprintf fmt "@@rnd_%s%s = float<%s, %s>;@\n" f m f m) 
    rnd_table;
  fprintf fmt "@\n%a@\n@\n" (print_list newline print_equation) eq;
  fprintf fmt "{ @[%a@] }@." print_pred p

let print_file fmt = Queue.iter (print_obligation fmt) queue

let output_one_file ~allowedit file =
  if allowedit then
    begin
      let sep = "### DO NOT EDIT ABOVE THIS LINE" in
      do_not_edit_above ~file
	~before:print_file
	~sep
	~after:(fun _fmt -> ())
    end
  else
      print_in_file print_file file

let output_file fwe =
  let sep = "### DO NOT EDIT ABOVE THIS LINE" in
  let i = ref 0 in
  Queue.iter
    (fun o ->
       incr i;
       if debug then eprintf "gappa obligation %d@." !i;
       let file = fwe ^ "_why_po_" ^ string_of_int !i ^ ".gappa" in
       do_not_edit_above ~file
	 ~before:(fun fmt -> print_obligation fmt o)
	 ~sep
	 ~after:(fun _fmt -> ()))
    queue
why-2.39/src/zenon.mli0000644000106100004300000000451013147234006013654 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

val reset : unit -> unit
val push_decl : Logic_decl.t -> unit
val prelude_done : bool ref
val output_file : allowedit:bool -> string -> unit

why-2.39/src/lexer.mli0000644000106100004300000000475513147234006013655 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



exception Lexical_error of string

val token : Lexing.lexbuf -> Parser.token

val parse_file  : Lexing.lexbuf -> Ptree.file
val parse_lexpr : Lexing.lexbuf -> Ptree.lexpr

val lexpr_of_string : string -> Ptree.lexpr

(*
Local Variables: 
compile-command: "unset LANG; make -j -C .. bin/why.byte"
End: 
*)
why-2.39/src/encoding_mono2.ml0000644000106100004300000012166613147234006015266 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(** 
    Such encoding aims at simulating polymorphism in 
    multi-sorted logic. 
    There are basically three cases 
    1- For a term that is not of sort INT and 
    which is not used in a INT context, the translation 
    of the outermost symbol is the same as in strat
    2- For a term of sort INT and which is used in an INT 
    context, the outermost term is not modified 
    3- For a term of sort INT in a polymorphic context and 
    a term of an instantied sort which is used in an INT context 
    a special treatment is provided.    
*)






open Cc
open Logic
open Logic_decl
open Util 

let loc = Loc.dummy_floc

let prefix = "c_"
let suffix = "_c"
let var = "x"
let tvar = "t"
let cpt = ref 0
let axiomA c = (c^suffix)^ "_to_" ^ c
let axiomR c = (c^suffix)^ "_to_" ^ (c^suffix)
let def c = "def_"^c

let int2U = "int2U"
let ss2Int = "ss2Int"
let real2U = "real2U"
let ss2Real = "ss2Real" 
let bool2U = "bool2U"
let ss2Bool = "ss2Bool"
let unit2U = "unit2U"
let ss2Unit = "ss2Unit"
let arities = ref []




let prefixForTypeIdent ident = 
  "type_"^ident


let int = Tapp (Ident.create (prefix^"int"), [], []) 
let real = Tapp (Ident.create (prefix^"real"), [], [])
let bool = Tapp (Ident.create (prefix^"bool"), [], []) 
let unit = Tapp (Ident.create (prefix^"unit"), [], [])


(* Ground instanciation of an arity (to be plunged under) *)
let instantiate_arity id inst =
  let arity = 
    try List.assoc (Ident.string id) !arities
    with e -> (print_endline ("Encoding_mono2: unknown arity for "^(Ident.string id))); raise e in
  let (vs, log_type) = Env.specialize_logic_type arity in
  match log_type with 
      Function (ptl, rt) ->
	ignore (Env.Vmap.fold 
		  (fun _ v l ->
		     (match l with [] -> [] 
			| _ -> (v.type_val <- Some (List.hd l); (List.tl l))))
		  vs (List.rev inst));
	rt
    | _ -> assert false
	

(**
   @return the list containing the type of the function/predicate parameters.
   This fucntion is called when we want to reduce the encoding of the function/predicate 
   parameter according to the type of these ones.
   @param id is the function/predicate name for which we look for the parameters 
**)
let getParamTypeList id =
  let arity = 
    try List.assoc (Ident.string id) !arities
    with e -> (print_endline ("Encoding_mono2: unknown arity for "^(Ident.string id))); raise e in
  let (vs, log_type) = Env.specialize_logic_type arity in
  match log_type with 
      Function (ptl, _) -> ptl
    | Predicate ptl -> ptl


(**
   The unique type for all terms.
   this function is used everywhere we use a generic sort for the term
**) 
let ut = PTexternal ([], Ident.create (prefix^"unique"))


(**
   @param pt is the type we are going to translate.
   @return either the type if this one if a built in type (like int, float)
   or the type  ssorted
**)
let ssortedButBuiltIn  pt = match pt with 
    PTint as k -> k 
  | PTreal as k -> k
  | PTbool as k -> k
  | PTunit as k -> k
  | _ ->       PTexternal ([], Ident.create (prefix^"ssorted"))


(**
   @param pt is the type we are going to translate.
   @return either the type if this one if a built in type (like int, float)
   or the unique type define just above
**)
let utButBuiltIn  pt = match pt with 
    PTint as k -> k 
  | PTreal as k -> k
  | PTbool as k -> k
  | PTunit as k -> k
  | _ -> ut


(**
   @param pt is the type we are going to translate.
   @return either the type if this one if a built in type (like int, float)
   or the unique type define in the ut function. It is a shortcut since it allows 
   to create quickly a PureType. 
**)
let ssortedButBuiltInString  pt = match pt with 
    "PTint"  -> PTint 
  | "PTreal" -> PTreal
  | "PTbool" -> PTbool
  | "PTunit" -> PTunit
  | "type" -> PTexternal ([], Ident.create (prefix^"type"))
  | "ssorted" -> PTexternal ([], Ident.create (prefix^"ssorted"))
  | _ -> 
      (*Printf.printf " type : %s \n" pt ;  *)
      PTexternal ([], Ident.create (prefix^"type"))


(**
   @param ptl is the list of pure type 
   @return a list with the same size as ptl and whose only contains the 
   the type unique
**)
let unify ptl = List.map (fun _ -> ut) ptl

(**
   @param ptl is the list of pure type
   @return a list with the same size as ptl and whose only contains the 
   the type unique, but for built in type that are preserved
**)
let unifyPureType ptl = 
  List.map (fun pt -> ssortedButBuiltIn pt) ptl

(**
   @param ptl is the list of pure type, described as string  
   @return a list with the same size as ptl and whose only contains the 
   the type unique, but for built in type that are preserved
**)
let unifyString ptl = List.map (fun pt -> ssortedButBuiltInString pt) ptl

  

(**
   @return a forall predicate without trigger 
**)
let newForallTriggerFree is_wp x t p = 
  let n = Ident.bound x in 
  let s = Misc.subst_onev x n in
  let p = Misc.subst_in_predicate s p in
  Forall (is_wp, x, n, t, [], p) 


(**
   @return a forall predicate with triggers
   aiming at helping the prover
**)
let newForall is_wp x ty tr p = 
  let n = Ident.bound x  in
  let sp = Misc.subst_onev x n in
  let pp = Misc.subst_in_predicate sp p in
  let tt = Misc.subst_in_triggers sp tr in
  Forall (is_wp, x , n, ty, tt, pp) 


(**
   Axiomatizes the theory used in this encoding.
**) 
let prelude =
  (* The unique sort for not built-in types*)
  (Dtype (loc, [], prefix^"unique"))::
  (Dtype (loc, [], prefix^"ssorted"))::	
    (Dtype (loc, [], prefix^"type"))::
    (Dtype (loc, [], prefix^"Boolean"))::
    (Dtype (loc, [], prefix^"Unit"))::
    (Dlogic (loc, prefix^"sort", 
	     Env.empty_scheme (Function 
				 ([ssortedButBuiltInString "type" ; ut], 
				  ssortedButBuiltInString "ssorted")))):: 
    (Dlogic (loc, prefix^"Boolean_true",
	     Env.empty_scheme (Function ([], ssortedButBuiltIn PTbool)))):: 
    (Dlogic (loc, prefix^"Boolean_false",
	     Env.empty_scheme (Function ([], ssortedButBuiltIn PTbool)))):: 
    (** \forall b : bool b= true \lor b = false **)
    (Daxiom (loc, axiomR "either true_or_false",
	     let b = Ident.create "b" in 
	     let boolTrue =  Tapp (Ident.create (prefix^"Boolean_true"), [], []) in
	     let boolFalse = Tapp (Ident.create (prefix^"Boolean_false"), [], []) in 
	     let eqTrue  = Papp (Ident.t_eq, [boolTrue ; Tvar b], []) in 
	     let eqFalse  = Papp (Ident.t_eq, [boolFalse ; Tvar b], []) in 
	     let eq = Por (eqTrue, eqFalse) in 	     
	     Env.empty_scheme (newForallTriggerFree false  b  PTbool eq )))::
    (** true \neq false **)
    (Daxiom (loc, axiomR "true_neq_false",
	     let boolTrue =  Tapp (Ident.create (prefix^"Boolean_true"), [], []) in
	     let boolFalse = Tapp (Ident.create (prefix^"Boolean_false"), [], []) in 
    	     let neq = Papp (Ident.t_neq,[boolTrue;boolFalse], []) in 	     
	     Env.empty_scheme neq ))::
    
    (Dlogic (loc, int2U, 
	     Env.empty_scheme (Function ([ssortedButBuiltIn PTint], ut)))):: 
    (Dlogic (loc, ss2Int, 
	     Env.empty_scheme (Function ([ssortedButBuiltInString "ssorted"], 
					 ssortedButBuiltIn PTint))))::
    (Dlogic (loc, real2U, 
	     Env.empty_scheme (Function ([ssortedButBuiltIn PTreal], ut)))):: 
    (Dlogic (loc, ss2Real, 
	     Env.empty_scheme (Function ([ssortedButBuiltInString "ssorted"], 
					 ssortedButBuiltIn PTreal)))):: 
    (Dlogic (loc, bool2U, 
	     Env.empty_scheme (Function ([ssortedButBuiltIn PTbool], ut))))::
    (Dlogic (loc, ss2Bool, 
	     Env.empty_scheme (Function ([ssortedButBuiltInString "ssorted"], 
					 ssortedButBuiltIn PTbool)))):: 
    (Dlogic (loc, unit2U, 
	     Env.empty_scheme (Function ([ssortedButBuiltIn PTunit], ut))))::
    (Dlogic (loc, ss2Unit, 
	     Env.empty_scheme (Function ([ssortedButBuiltInString "ssorted"], 
					 ssortedButBuiltIn PTunit)))):: 
    (Dlogic (loc, prefix^"int",
	     Env.empty_scheme (Function ([], ssortedButBuiltInString "type")))):: 
    (Dlogic (loc, prefix^"bool", 
	     Env.empty_scheme (Function ([], ssortedButBuiltInString "type"))))::
    (Dlogic (loc, prefix^"real", 
	     Env.empty_scheme (Function ([], ssortedButBuiltInString "type"))))::
    (Dlogic (loc, prefix^"unit", 
	     Env.empty_scheme (Function ([], ssortedButBuiltInString "type"))))::
    (Dlogic (loc, prefix^"ref", 
	     Env.empty_scheme (Function ([ut], ut))))::
    (** \forall x,y: U, t : Typ .  sort(t,x) = sort(t,y) => x = y   **)
    (Daxiom (loc, axiomR prefix^"sort_is_injective",
	     let t = Ident.create "t" in 
 	     let x = Ident.create "x" in 
 	     let y = Ident.create "y" in 
	     let sort_t_x_ = Tapp (Ident.create (prefix^"sort"),
				  [Tvar t;Tvar x], []) in 
	     let sort_t_y_ = Tapp (Ident.create (prefix^"sort"),
				  [Tvar t;Tvar y], []) in 
	     let sort_t_x_Eq_sort_t_y = Papp (Ident.t_eq, [sort_t_x_; sort_t_y_], []) in
	     let x_Eq_y = Papp (Ident.t_eq, [Tvar x; Tvar y], []) in
	     let implication = Pimplies (false, sort_t_x_Eq_sort_t_y, x_Eq_y) in 
	     let innerForally =  newForallTriggerFree false  y  ut  implication in 
	     let innerForallx =  newForallTriggerFree false  x  ut  innerForally in 
	     let outerForall =  newForallTriggerFree false  t  (ssortedButBuiltInString "type") innerForallx in 
             Env.empty_scheme outerForall))::
    (** \forall x: Int .  ss2Int(sort(int, int2U(x))) = x  (a) **)
    (Daxiom (loc, axiomR "eq_"^ss2Int^"_"^int2U,
 	     let x = Ident.create "x" in 
	     let int2u_x_ = Tapp (Ident.create int2U,
				  [Tvar x], []) in 
	     let sort_int_int2U_x_ = Tapp (Ident.create (prefix^"sort"),
					   [int; int2u_x_], []) in 
	     let ss2Intsort_int_int2U_x_ = Tapp (Ident.create ss2Int,
						[sort_int_int2U_x_], []) in
	     let peq = Papp (Ident.t_eq,[ss2Intsort_int_int2U_x_;Tvar x], []) in 
             Env.empty_scheme (newForall false  x  PTint [[TPat sort_int_int2U_x_]]peq )))::
    (** \forall x,y: Int .  int2U(x) = int2U(y) => x = y   **)
    (Daxiom (loc, axiomR int2U^"_is_injective",
 	     let x = Ident.create "x" in 
	     let int2u_x_ = Tapp (Ident.create int2U,
				  [Tvar x], []) in 
 	     let y = Ident.create "y" in 
	     let int2u_y_ = Tapp (Ident.create int2U,
				  [Tvar y], []) in 
	     let int2u_x_Eq_int2u_y_ = Papp (Ident.t_eq, [int2u_x_; int2u_y_], []) in
	     let x_Eq_y = Papp (Ident.t_eq, [Tvar x; Tvar y], []) in
	     let implication = Pimplies (false,   int2u_x_Eq_int2u_y_, x_Eq_y) in 
	     let innerForall =  newForallTriggerFree false  y  PTint  implication in 
	     let outerForall =  newForallTriggerFree false  x  PTint  innerForall in 
             Env.empty_scheme outerForall))::
(** \forall x,y: Real .  real2U(x) = real2U(y) => x = y   **)
    (Daxiom (loc, axiomR real2U^"_is_injective",
 	     let x = Ident.create "x" in 
	     let real2u_x_ = Tapp (Ident.create real2U,
				  [Tvar x], []) in 
 	     let y = Ident.create "y" in 
	     let real2u_y_ = Tapp (Ident.create real2U,
				  [Tvar y], []) in 
	     let real2u_x_Eq_real2u_y_ = Papp (Ident.t_eq, [real2u_x_; real2u_y_], []) in
	     let x_Eq_y = Papp (Ident.t_eq, [Tvar x; Tvar y], []) in
	     let implication = Pimplies (false,   real2u_x_Eq_real2u_y_, x_Eq_y) in 
	     let innerForall =  newForallTriggerFree false  y  PTreal  implication in 
	     let outerForall =  newForallTriggerFree false  x  PTreal  innerForall in 
             Env.empty_scheme outerForall))::
    (** \forall x,y: Bool .  bool2U(x) = bool2U(y) => x = y   **)
    (Daxiom (loc, axiomR bool2U^"_is_injective",
 	     let x = Ident.create "x" in 
	     let bool2u_x_ = Tapp (Ident.create bool2U,
				  [Tvar x], []) in 
 	     let y = Ident.create "y" in 
	     let bool2u_y_ = Tapp (Ident.create bool2U,
				  [Tvar y], []) in 
	     let bool2u_x_Eq_bool2u_y_ = Papp (Ident.t_eq, [bool2u_x_; bool2u_y_], []) in
	     let x_Eq_y = Papp (Ident.t_eq, [Tvar x; Tvar y], []) in
	     let implication = Pimplies (false,   bool2u_x_Eq_bool2u_y_, x_Eq_y) in 
	     let innerForall =  newForallTriggerFree false  y  PTbool  implication in 
	     let outerForall =  newForallTriggerFree false  x  PTbool  innerForall in 
             Env.empty_scheme outerForall))::
    (** \forall x,y: ssorted .  ss2Int(x) = ss2Int(y) => x = y   **)
    (Daxiom (loc, axiomR ss2Int^"_is_injective",
 	     let x = Ident.create "x" in 
	     let ss2int_x_ = Tapp (Ident.create ss2Int,
				  [Tvar x], []) in 
 	     let y = Ident.create "y" in 
	     let ss2int_y_ = Tapp (Ident.create ss2Int,
				  [Tvar y], []) in 
	     let ss2int_x_Eq_ss2int_y_ = Papp (Ident.t_eq, [ss2int_x_; ss2int_y_], []) in
	     let x_Eq_y = Papp (Ident.t_eq, [Tvar x; Tvar y], []) in
	     let implication = Pimplies (false,   ss2int_x_Eq_ss2int_y_, x_Eq_y) in 
	     let innerForall =  newForallTriggerFree false  y  (ssortedButBuiltInString "ssorted")  implication in 
	     let outerForall =  newForallTriggerFree false  x  (ssortedButBuiltInString "ssorted")  innerForall in 
             Env.empty_scheme outerForall))::
    (** \forall x,y: U .  ss2Real(x) = ss2Real(y) => x = y   **)
    (Daxiom (loc, axiomR ss2Real^"_is_injective",
 	     let x = Ident.create "x" in 
	     let ss2real_x_ = Tapp (Ident.create ss2Real,
				  [Tvar x], []) in 
 	     let y = Ident.create "y" in 
	     let ss2real_y_ = Tapp (Ident.create ss2Real,
				  [Tvar y], []) in 
	     let ss2real_x_Eq_ss2real_y_ = Papp (Ident.t_eq, [ss2real_x_; ss2real_y_], []) in
	     let x_Eq_y = Papp (Ident.t_eq, [Tvar x; Tvar y], []) in
	     let implication = Pimplies (false,   ss2real_x_Eq_ss2real_y_, x_Eq_y) in 
	     let innerForall =  newForallTriggerFree false  y  (ssortedButBuiltInString "ssorted")  implication in 
	     let outerForall =  newForallTriggerFree false  x  (ssortedButBuiltInString "ssorted")  innerForall in 
             Env.empty_scheme outerForall))::
    (** \forall x,y: U .  ss2Bool(x) = ss2Bool(y) => x = y   **)
    (Daxiom (loc, axiomR ss2Bool^"_is_injective",
 	     let x = Ident.create "x" in 
	     let ss2bool_x_ = Tapp (Ident.create ss2Bool,
				  [Tvar x], []) in 
 	     let y = Ident.create "y" in 
	     let ss2bool_y_ = Tapp (Ident.create ss2Bool,
				  [Tvar y], []) in 
	     let ss2bool_x_Eq_ss2bool_y_ = Papp (Ident.t_eq, [ss2bool_x_; ss2bool_y_], []) in
	     let x_Eq_y = Papp (Ident.t_eq, [Tvar x; Tvar y], []) in
	     let implication = Pimplies (false,   ss2bool_x_Eq_ss2bool_y_, x_Eq_y) in 
	     let innerForall =  newForallTriggerFree false  y  (ssortedButBuiltInString "ssorted")  implication in 
	     let outerForall =  newForallTriggerFree false  x  (ssortedButBuiltInString "ssorted")  innerForall in 
             Env.empty_scheme outerForall))::
    (** \forall x,y: U .  ss2Unit(x) = ss2Unit(y) => x = y   **)
    (Daxiom (loc, axiomR ss2Unit^"_is_injective",
 	     let x = Ident.create "x" in 
	     let ss2unit_x_ = Tapp (Ident.create ss2Unit,
				  [Tvar x], []) in 
 	     let y = Ident.create "y" in 
	     let ss2unit_y_ = Tapp (Ident.create ss2Unit,
				  [Tvar y], []) in 
	     let ss2unit_x_Eq_ss2unit_y_ = Papp (Ident.t_eq, [ss2unit_x_; ss2unit_y_], []) in
	     let x_Eq_y = Papp (Ident.t_eq, [Tvar x; Tvar y], []) in
	     let implication = Pimplies (false,   ss2unit_x_Eq_ss2unit_y_, x_Eq_y) in 
	     let innerForall =  newForallTriggerFree false  y  (ssortedButBuiltInString "ssorted")  implication in 
	     let outerForall =  newForallTriggerFree false  x  (ssortedButBuiltInString "ssorted")  innerForall in 
             Env.empty_scheme outerForall))::
    (** \forall x:Real .  ss2Real(sort(real, real2U(x))) = x  (b) **)
    (Daxiom (loc, axiomR "eq_"^ss2Real^"_"^real2U,
	     let x = Ident.create "x" in 
	     let real2u_x_ = Tapp (Ident.create real2U,
				   [Tvar x], []) in 
	     let sort_real_real2U_x_ = Tapp (Ident.create (prefix^"sort"),
					     [real; real2u_x_], []) in 
	     let ss2Realsort_real_real2U_x_ = Tapp (Ident.create ss2Real,
						   [sort_real_real2U_x_], []) in
	     let peq = Papp (Ident.t_eq,[ss2Realsort_real_real2U_x_;Tvar x], []) in 
             Env.empty_scheme (newForall false  x  PTreal [[TPat sort_real_real2U_x_]]peq )))::
    (** \forall x:Bool .  ss2Bool(sort(bool, bool2U(x))) = x  **)
    (Daxiom (loc, axiomR "eq_"^ss2Bool^"_"^bool2U,
	     let x = Ident.create "x" in 
	     let bool2u_x_ = Tapp (Ident.create bool2U,
				   [Tvar x], []) in 
	     let sort_bool_bool2U_x_ = Tapp (Ident.create (prefix^"sort"),
					     [bool; bool2u_x_], []) in 
	     let ss2Boolsort_bool_bool2U_x_ = Tapp (Ident.create ss2Bool,
						   [sort_bool_bool2U_x_], []) in
	     let peq = Papp (Ident.t_eq,[ss2Boolsort_bool_bool2U_x_;Tvar x], []) in 
             Env.empty_scheme (newForall false  x  PTbool [[TPat sort_bool_bool2U_x_]]peq )))::
    (** \forall x:Unit .  ss2Unit(sort(unit, unit2U(x))) = x  **)
    (Daxiom (loc, axiomR "eq_"^ss2Unit^"_"^unit2U,
	     let x = Ident.create "x" in 
	     let unit2u_x_ = Tapp (Ident.create unit2U,
				   [Tvar x], []) in 
	     let sort_unit_unit2U_x_ = Tapp (Ident.create (prefix^"sort"),
					     [unit; unit2u_x_], []) in 
	     let ss2Unitsort_unit_unit2U_x_ = Tapp (Ident.create ss2Unit,
						   [sort_unit_unit2U_x_], []) in
	     let peq = Papp (Ident.t_eq,[ss2Unitsort_unit_unit2U_x_;Tvar x], []) in 
             Env.empty_scheme (newForall false  x  PTunit [[TPat sort_unit_unit2U_x_]]peq )))::
    (** \forall x. U  int2U(ss2Int(sort(int,x))) = x **)
    (Daxiom (loc, axiomR "eq_"^int2U^"_"^ss2Int,
	     let x = Ident.create "x" in 
	     let sort_int_x_ = Tapp (Ident.create (prefix^"sort"),
				     [int; Tvar x], []) in
	     let ss2Int_sort_int_x_ = Tapp (Ident.create ss2Int,
					   [sort_int_x_], []) in 
	     let int2U_ss2Int_sort_int_x_ = Tapp (Ident.create int2U,
						 [ss2Int_sort_int_x_], []) in
	     let peq = Papp (Ident.t_eq,
			     [int2U_ss2Int_sort_int_x_;Tvar x], [])
	     in
	     Env.empty_scheme (newForall false  x ut [[TPat ss2Int_sort_int_x_]]peq )))::
    (** \forall x. U  real2U(ss2Real(sort(real,x))) = x **)
    (Daxiom (loc, axiomR "eq_"^real2U^"_"^ss2Real,
	     let x = Ident.create "x" in 
	     let sort_real_x_ = Tapp (Ident.create (prefix^"sort"),
				      [real; Tvar x], []) in
	     let ss2Real_sort_real_x_ = Tapp (Ident.create ss2Real,
					     [sort_real_x_], []) in 
	     let real2U_ss2Real_sort_real_x_ = Tapp (Ident.create real2U,
						    [ss2Real_sort_real_x_], []) in
	     let peq = Papp (Ident.t_eq,
			     [real2U_ss2Real_sort_real_x_;Tvar x], [])
	     in
	     Env.empty_scheme (newForall false  x ut [[TPat ss2Real_sort_real_x_]]peq )))::
    (** \forall x. U  bool2U(ss2Bool(sort(bool,x))) = sort(bool,x) **)
    (Daxiom (loc, axiomR "eq_"^bool2U^"_"^ss2Bool,
	     let x = Ident.create "x" in 
	     let sort_bool_x_ = Tapp (Ident.create (prefix^"sort"),
				      [bool; Tvar x], []) in
	     let ss2Bool_sort_bool_x_ = Tapp (Ident.create ss2Bool,
					     [sort_bool_x_], []) in 
	     let bool2U_ss2Bool_sort_bool_x_ = Tapp (Ident.create bool2U,
						    [ss2Bool_sort_bool_x_], []) in
	     let peq = Papp (Ident.t_eq,
			     [bool2U_ss2Bool_sort_bool_x_;Tvar x], [])
	     in
	     Env.empty_scheme (newForall false  x ut [[TPat bool2U_ss2Bool_sort_bool_x_]]peq )))::
    (** \forall x. U  unit2U(ss2Unit(sort(unit,x))) = sort(unit,x) **)
    (Daxiom (loc, axiomR "eq_"^unit2U^"_"^ss2Unit,
	     let x = Ident.create "x" in 
	     let sort_unit_x_ = Tapp (Ident.create (prefix^"sort"),
				      [unit; Tvar x], []) in
	     let ss2Unit_sort_unit_x_ = Tapp (Ident.create ss2Unit,
					     [sort_unit_x_], []) in 
	     let unit2U_ss2Unit_sort_unit_x_ = Tapp (Ident.create unit2U,
						    [ss2Unit_sort_unit_x_], []) in
	     let peq = Papp (Ident.t_eq,
			     [unit2U_ss2Unit_sort_unit_x_;Tvar x], [])
	     in
	     Env.empty_scheme (newForall false  x ut [[TPat unit2U_ss2Unit_sort_unit_x_]]peq )))::
    []



(** internal function used in  plunge and typedPlunge.
    it recursively translates  the type given in parameter 
    if it is a built-in type, a constant corresponding to this type is generated
    if it is a type variable, a variable corresponding to this type is generated
    @pt is the type
    @fv is list of (tag,typeVar) of the problem
**)
let rec leftt pt fv=
  match pt with
      PTint -> Tapp (Ident.create (prefix^"int"), [], [])
    | PTbool -> Tapp (Ident.create (prefix^"bool"), [], [])
    | PTreal -> Tapp (Ident.create (prefix^"real"), [], [])
    | PTunit -> Tapp (Ident.create (prefix^"unit"), [], [])
    | PTvar ({type_val = None} as var) -> 
	(*let s = string_of_int var.tag in *)
	let t = try (List.assoc var.tag fv)
	with _ ->
	  let s = string_of_int var.tag in
	  (print_endline ("unknown vartype : "^s); Ident.create "dummy") in
	(*print_endline ("Vartype : "^s^" :"^(Ident.string t)); *)
	Tvar t
    | PTvar {type_val = Some pt} -> leftt pt fv 
    | PTexternal (ptl, id) -> Tapp ( Ident.create (prefixForTypeIdent (Ident.string id)), List.map (fun pt -> leftt pt fv) ptl, [])


(**@return a Tapp that encapsulates a term t with sort(..., t) 
   by calling to lefft
   @param fv is the list of type variable of the problem 
   @param term is the term we want to encapsulate
   @param pt is the type of the term
**)
let plunge fv term pt =
  Tapp (Ident.create (prefix^"sort"),
	[leftt pt fv; term],
	[])
    
(**@return a Tapp that encapsulates a term t with sort(...,f(t))
   where f is a casting function from built-in type to the unique sort
   sinc the second parameter of sort is of type unique.
   @param fv is the list of type variable of the problem 
   @param term is the term we want to encapsulate
   @param pt is the type of the term
**)
let typedPlunge fv term pt =
  (** internal function that accomplish the casting task **)
  let cast pt term = 
    match pt with
	PTint -> Tapp (Ident.create int2U,  [term], [])
      | PTbool -> Tapp (Ident.create bool2U, [term], [])
      | PTreal -> Tapp (Ident.create real2U, [term], [])
      | PTunit -> Tapp (Ident.create unit2U, [term], [])
      | _ -> term 
  in
  let l =  Tapp (Ident.create (prefix^"sort"),
	[leftt pt fv; cast pt term],
	[]) in 
  l

    



(**
   @return the type of a term given in parameter
   @param term is the term we want the type
   @param lv is the list of (var,type) of the problem 
**)
let rec getTermType term lv = 
  (*Format.eprintf 
    "getTermType  : %a \n List " 
    Util.print_term term ;
  List.iter (fun (id,ty) -> 
	       Format.eprintf 
		 "(%s ,%a) " 
    (Ident.string id)
		 Util.print_pure_type ty
    ) lv; *)
  match term with
    | Tvar id -> 
	(* let l = List.map (fun (id,x) -> Ident.string id,x) lv in
	let associatedType = 
	  (try List.assoc (Ident.string id) l
	   with e ->  
	     Format.eprintf 
	       "Exception 2 Caught In getTermType  : %s" 
	       (Ident.string id);   
	     raise e) in*)
	let associatedType = 
	(try List.assoc id lv 
	 with e ->  
	   Format.eprintf 
	     "Exception Caught In getTermType  : %s" 
	     (Ident.string id);   
	   raise e) in
      associatedType
  | Tapp (id, l, inst) when (Ident.is_int_arith id) ->
      PTint
  | Tapp (id, l, inst) when (Ident.is_real_arith id) ->
      PTreal
  | Tapp (id, l, inst)  ->  instantiate_arity id inst
  | Tconst (ConstInt _)  ->  PTint
  | Tconst (ConstBool _)  -> PTbool
  | Tconst (ConstUnit)  ->  PTunit
  | Tconst (ConstFloat f) ->  PTreal
  | Tderef _ -> assert false
  | Tnamed(_,t) ->  getTermType t lv 

let isBuiltInType t= match t with 
    PTint | PTreal | PTbool  | PTunit -> true
  | _ -> false




(** Translate  of a term 
    @param fv is the list of type variables of the problem 
    @param lv is the list of free  variables of the term
    @param term is the term we want to encapsulate
    @param pt is the type of the term
    
**)
let rec translate_term fv lv term doTheCast= 
  let rec translate fv lv term = match term with 
    | Tnamed(_,t) -> translate fv lv t
    | Tvar id as t -> 
        let t = typedPlunge fv  (Tvar id) (getTermType t lv) in 
	t
    | Tapp (id, tl, inst) when Ident.is_simplify_arith id ->
	(** This function yields a numeric parameter 
	    we have to cast the result into the u type **)
 	let outermostCast = if Ident.is_real_arith id then  real2U 
	else int2U in
	let inner = Tapp(Ident.create outermostCast, 
			 [Tapp(id, List.map 
				 (** each parameter of this function is a built-in
				     We cast it to respect this constraint **)
				 (fun t -> translateParam  fv lv t true) tl, [])], 
			 []) in 
	let innerCast = if ( outermostCast= real2U) then real else int in 
	Tapp(Ident.create (prefix^"sort"), [innerCast; inner],[])
    | Tapp (id, tl, inst) ->
	(** it is not a arithmetic function **)
	(** retrieves the  function signature **)
	let paramList = ref (getParamTypeList id) in
	(** translates the parameter wrt the function signature **)
	let translateParameter t  = match !paramList with 
	    pt::tl ->
	      paramList := tl ;
	      translateParam fv lv t (isBuiltInType pt) 
	  | [] -> assert false
	in
	(** eventually encapsulates the function **)
	let t = typedPlunge fv 
	  (Tapp (id, 
		 List.map 
		   (fun t -> translateParameter t) tl, 
		 []))
	  (instantiate_arity id inst) in 
	(*Format.printf "term: %a\n" Util.print_term ter ; *)
	t
    | Tconst (ConstInt _) as t -> typedPlunge fv  t PTint
    | Tconst (ConstBool _) as t -> typedPlunge fv t PTbool
    | Tconst (ConstUnit) as t -> typedPlunge [] t PTunit
    | Tconst (ConstFloat f) as t -> typedPlunge fv t PTreal
    | Tderef id as t -> print_endline ("id in Tderef : "^(Ident.string id)); t 
  in
  if doTheCast then   
    match (getTermType term lv) with 
	PTint  ->
 	  Tapp(Ident.create ss2Int, [translate fv lv term],[])
      | PTreal  ->
 	  Tapp(Ident.create ss2Real, [translate fv lv term],[])
      | PTbool -> 
	  Tapp(Ident.create ss2Bool, [translate fv lv term],[])
      | PTunit -> 
	  Tapp(Ident.create ss2Unit, [translate fv lv term],[])
      | _   ->
	  (** if the type is not pure, i.e. it is deduced syntactically **)
	  let term'= translate fv lv term  in 
	    match term' with 
		Tapp (id, [sortTerm;_], _) when 
		  Ident.string id = prefix^"sort" -> 
		    begin
		      match sortTerm with       
			  Tapp (k, [], [])  when 
			    Ident.string k = prefix^"int" ->  
			      Tapp(Ident.create ss2Int, [term'],[])
		      	| Tapp (k, [], [])  when 
			    Ident.string k = prefix^"real" -> 
			    Tapp(Ident.create ss2Real, [term'],[])
			| Tapp (k, [], [])  when 
			    Ident.string k = prefix^"bool"->  
			    Tapp(Ident.create ss2Bool, [term'],[])
			| _ (* Tapp (k, [], [])  when  
			    Ident.string k = prefix^"unit" *)->  
			    Tapp(Ident.create ss2Unit, [term'],[])
(* 			| _ as t -> *)
(* 			    Format.printf ("tt :  %a \n ") print_term t ;  *)
(* 			    assert false *)
		    end
	      | _ -> assert false
  else
    translate fv lv term 




(**
   @return a term generated by a classical translation  
   composed with a reduction that  directly applies the axioms 
   (a) and (b).
   @param fv is the list of type variables of the problem 
   @param lv is the list of variables of the term
   @param t is the term we have to translate
   @param isArith the a boolean flag used in the clasical translate_term 
   function 
**)
and translateParam fv lv t doTheCast =
  let tp = translate_term fv lv t doTheCast in
  match tp with 
      Tapp(id1, [ti],_) when 
	Ident.string id1 = ss2Int ->
	  begin 
	    match ti with       
		Tapp(id2, [_;tk],_) when 
		  Ident.string id2 = prefix^"sort" -> 
		    begin
		      match tk with       
			  Tapp(id3, [tl],_) when 
			    Ident.string id3 = int2U -> 
			      tl
			| _ -> tp
		    end
	      | _ -> tp 
	  end
    | Tapp(id1, [ti],_) when 
	Ident.string id1 = ss2Real ->
	begin 
	  match ti with       
	      Tapp(id2, [_;tk],_) when 
		Ident.string id2 = prefix^"sort" -> 
		  begin
		    match tk with       
			Tapp(id3, [tl],_) when 
			  Ident.string id3 = real2U -> 
			    tl
		      | _ -> tp
		  end
	    | _ -> tp 
	end
    | Tapp(id1, [ti],_) when 
	Ident.string id1 = ss2Bool ->
	begin 
	  match ti with       
	      Tapp(id2, [_;tk],_) when 
		Ident.string id2 = prefix^"sort" -> 
		  begin
		    match tk with       
			Tapp(id3, [tl],_) when 
			  Ident.string id3 = bool2U -> 
			    tl
		      | _ -> tp
		  end
	    | _ -> tp 
	end
    | _ -> tp


(**
   @param fv is the list of type variables of the problem 
   @param lv is the list of variables of the term
   @param t is the term we have to translate

**)
and literalParam fv lv t =
  let tp = translate_term fv lv t false in
  match tp with 
      Tapp(id, [_;tk],_) when 
	Ident.string id = prefix^"sort" ->  tk
    | _ -> tp 


let rec reduceEquality t1 t2 =
 match (t1,t2) with 
     (Tapp(id1, [tk1],_),Tapp(id2, [tk2],_)) when 
       (Ident.string id1 = Ident.string id2 &&
	   (id1 = Ident.create ("int2U") ||
	       id1 = Ident.create ("ss2Int") ||
	       id1 = Ident.create ("bool2U") ||
	       id1 = Ident.create ("ss2Bool") ||
	       id1 = Ident.create ("real2U") ||
	       id1 = Ident.create ("ss2Real") 
	   ))-> reduceEquality tk1 tk2
   | (Tapp(id1, [_;tk1],_),Tapp(id2, [_;tk2],_)) when 
       (id1 = Ident.create (prefix^"sort") && Ident.string id1 = Ident.string id2) 
       -> reduceEquality tk1 tk2
   | _-> t1::t2::[]


(**
   @return a predicate that is universally quantified 
   with the top most variable present in the list l. 
   These varaible are of sort type. 
   When it is the last variable into the list, it adds trigger
   When the type variable list is empty, it returns only the predicate  
   It is called when we build an axiom at the outermost position
   @param l is a list of type variables 
   @param p is the predicate we want to add quantifiers 
   @param t is the triggers 
**)
let rec lifted  l p t =  
  match l with [] -> p
    | (_, s)::[] ->
	newForall false s (ssortedButBuiltInString "type") t p
	  
    | (_, s)::q -> 
	newForallTriggerFree false s (ssortedButBuiltInString "type") (lifted q p t)
	  
(**
   @return a predicate that is universally quantified 
   with the top most variable present in the list l.
   When it is the last variable into the list, it adds trigger
   When the variable list is empty, it returns only the predicate  
   It is called when we build an axiom to quantify the free variables 
   @param l is a list of variables (a,t) where 
   a is the variable identifier and t is its type. 
   @param p is the predicate we want to add quantifiers 
   @param t is the triggers 
**)
let rec lifted_t l p tr =
  match l with [] -> p
    | (a,t)::[] -> 
	newForall false a t tr p    
    | (a,t)::q -> 
	newForallTriggerFree false  a t  (lifted_t q p tr)

let lifted_ctxt l cel =
  (List.map (fun (pt,s) -> Svar(s, PTexternal ([], Ident.create (prefix^"type")))) l)@cel






(** 
    @return true if all the element of tl are of sort Int or Real
    (and not sort (int,...) i.e. of sort u)
    @param tl is the list of terms we analyse
    @param lv is the list of free varaiables in the terms list
**)
let rec getEqualityType tl lv =
  let ret = ref PTbool in 
  (fun tl -> match tl with 
       [] -> !ret 
     | hd::l -> 
	 begin 
	   match hd with 
	       Tapp (id, _, _) when Ident.is_int_arith id -> 
		 ret:= PTint ; 
		 getEqualityType l lv 
	     | Tapp (id, _, _) when Ident.is_real_arith id -> 
		 ret:= PTint ; 
		 getEqualityType l lv 
	     | Tapp (id, _, inst) ->
		 begin
		   let pt = (instantiate_arity id inst) in
		   match pt  with 
		       PTint  ->
			 ret:= PTint ;
			 getEqualityType l lv 
		     | PTreal -> 
			 ret:= PTreal ; 
			 getEqualityType l lv 
		     | PTbool -> 
			 ret:= PTbool ; 
			 getEqualityType l lv
		     | PTunit ->
			 ret := PTunit ;
			 getEqualityType l lv
		     | _ ->  pt
		 end
	     | Tconst (ConstInt _) ->
		 ret:= PTint ; 
		 getEqualityType l lv 
             | Tconst (ConstFloat _) -> 
		 ret:= PTreal ; 
		 getEqualityType l lv 
	     | Tconst (ConstBool _) ->
		 ret:= PTbool ; 
		 getEqualityType l lv 
	     | Tconst ConstUnit ->
		 ret:= PTunit ; 
		 getEqualityType l lv
	     | Tvar id as t-> 
		 begin 
		   let pt = (try List.assoc id lv
			     with e ->  
			       Format.eprintf 
				 "Exception Caught In getEqualityType  : %a" 
				 Util.print_term t ; 
			       raise e) in 
		   match pt  with 
		       PTint  ->
			 ret:= PTint ; 
			 getEqualityType l lv 
		     | PTreal -> 
			 ret:= PTreal ; 
			 getEqualityType l lv 
		     | PTbool -> 
			 ret:= PTbool ; 
			 getEqualityType l lv 
		     | PTunit ->
			 ret:= PTunit ; 
			 getEqualityType l lv 
		     | _ ->  pt
			 
		 end
	     | _ -> assert false 
	 end) tl  
    

(** 
    @param fv is the list of type variables of the problem 
    @param p is the predicate we have to translate
    @param lv is the list of free variables in the predicate 
**)
let rec translate_pred fv lv p  = match p with
  | Papp (id, tl, inst) when  
      (Ident.is_eq id && ( Ident.is_int_comparison id ||
	  Ident.is_real_comparison id ))->
      let lt = List.map (fun t-> translateParam fv lv t true) tl in 
      begin
	match lt with 
	    [t1;t2] -> Papp (id, reduceEquality t1 t2, [])   
	  | _ -> 	  Papp (id,lt, [])   
      end
  | Papp (id, tl, inst) when  
      ( Ident.is_int_comparison id ||
	  Ident.is_real_comparison id )->
      Papp (id,List.map (fun t-> translateParam fv lv t true) tl, [])   
  | Papp (id, tl, inst) when  
      (Ident.is_eq id || Ident.is_neq id) ->
      let lt = List.map (fun t-> literalParam fv lv t) tl in 
      begin
	match lt with 
	    [t1;t2] -> Papp (id, reduceEquality t1 t2, [])   
	  | _ -> 	  Papp (id,lt, [])   
      end
  | Papp (id, [a;b], _) when id==Ident.t_zwf_zero ->  
       (* 0 <= a *)
      let aLeftBound = (Papp (Ident.t_le_int,
			      [Tconst(ConstInt("0"));
			       (translateParam fv lv a true)],[PTint;PTint])) in 
      (* a < b *)
      let aRightBound = Papp (Ident.t_lt_int,
			      [(translateParam fv lv a true);
			       (translateParam fv lv b true)],[PTint;PTint]) in  
      (* 0 <= a  &  a < b *)
      Pand(false, false, aLeftBound,aRightBound)
  | Papp (id, tl, inst) ->
      (** retrieves the predicate signature **) 
      let paramList = ref (getParamTypeList id) in
      let translateParameter t  = match !paramList with 
	  pType::tl  ->
	    paramList := tl ;
	    translateParam fv lv t (isBuiltInType pType) 
	| [] -> assert false
      in	
      Papp (id, 
	    List.map 
	      (fun t -> translateParameter t) tl, 
	    [])
  | Pimplies (iswp, p1, p2) ->
      Pimplies (iswp, translate_pred fv lv p1, translate_pred fv lv p2)
  | Pif (t, p1, p2) ->
      Pif (translate_term fv lv t true, translate_pred fv lv p1, translate_pred fv lv p2)
  | Pand (iswp, issym, p1, p2) ->
      Pand (iswp, issym, translate_pred fv lv p1, translate_pred fv lv p2)
  | Por (p1, p2) ->
      Por (translate_pred fv lv p1, translate_pred fv lv p2)
  | Piff (p1, p2) ->
      Piff (translate_pred fv lv p1, translate_pred fv lv p2)
  | Pnot p ->
      Pnot (translate_pred fv lv p)
  | Forall (iswp, id, n, pt, tl, p) ->
      let lv' = (n,pt)::lv in
      let tl' = List.map (List.map (translate_pattern fv lv')) tl in
      Forall (iswp, id, n, utButBuiltIn pt, tl', translate_pred fv lv' p)
  | Forallb (iswp, p1, p2) ->
      Forallb (iswp, translate_pred fv lv p1, translate_pred fv lv p2)
  | Exists (id, n, pt, p) ->
      Exists (id, n, utButBuiltIn pt, translate_pred fv ((n,pt)::lv) p)
  | Pnamed (s, p) ->
      Pnamed (s, translate_pred fv lv p)
  | _ as d -> d 

and translate_pattern fv lv = function
  | TPat t -> TPat (translate_term fv lv t false)
  | PPat p -> PPat (translate_pred fv lv p)


(* The core *)
let queue = Queue.create ()



let bound_variable =
  let count = ref 0 in
  function n ->  
    count := !count+1 ;
    Ident.create (n^"_"^ (string_of_int !count))


let rec push d = 
  try (match d with
	   (* A type declaration is translated as new logical function, the arity of *)
	   (* which depends on the number of type variables in the declaration *)
	 | Dtype (loc, vars, ident) ->
	     Queue.add (Dlogic (loc, (prefixForTypeIdent ident), 
				Env.empty_scheme (Function (unifyString vars, ssortedButBuiltInString "type")))) queue
	       (* For arithmetic symbols, another encoding is used (see encoding_rec.ml) *)
	 | Dlogic (loc, ident, arity) when Ident.is_simplify_arith (Ident.create ident) ->
	     arities := (ident, arity)::!arities;
	     (* with type u, and its complete arity is stored for the encoding *)
	 | Dlogic (loc, ident, arity) -> 
	     arities := (ident, arity)::!arities;
	     let newarity = match arity.Env.scheme_type with
		 Predicate ptl -> Predicate (unifyPureType ptl)
	       | Function (ptl, rt) -> Function (unifyPureType ptl, utButBuiltIn rt) in
	     
	     Queue.add (Dlogic (loc, ident,
				Env.empty_scheme newarity)) queue
	       (* A predicate definition can be handled as a predicate logic definition + an axiom *)
	 | Dpredicate_def (loc, ident, pred_def_sch) ->
	     let (argl, pred) = pred_def_sch.Env.scheme_type in
	     let rootexp = (Papp (Ident.create ident, List.map (fun (i,_) -> Tvar i) argl, [])) in
	     push (Dlogic (loc, ident, (Env.generalize_logic_type (Predicate (snd (List.split argl))))));
	     let pred_scheme = (lifted_t argl (Piff (rootexp, pred)) [[PPat rootexp]]) in
	     push (Daxiom (loc, def ident, 
			   (Env.generalize_predicate 
			      pred_scheme)))
	       (* A function definition can be handled as a function logic definition + an axiom *)
	 | Dfunction_def (loc, ident, fun_def_sch) ->
	     let _ = print_endline ident in
	     let (argl, rt, term) = fun_def_sch.Env.scheme_type in
	     let rootexp = (Tapp (Ident.create ident, List.map (fun (i,_) -> Tvar i) argl, [])) in
	     push (Dlogic (loc, ident, (Env.generalize_logic_type (Function (snd (List.split argl), rt)))));
	     let pred_scheme = (Env.generalize_predicate
				  (lifted_t argl 
				     (Papp (Ident.t_eq, [rootexp; term], [])) 
				     [[TPat rootexp]])) in 
	     push (Daxiom (loc, def ident,pred_scheme))
	       (* Axiom definitions *)
	 | Daxiom (loc, ident, pred_sch) ->
	     let fv = Env.Vset.fold
	       (fun tv acc -> 
		  (tv.tag, (bound_variable tvar) )::acc)
	       (pred_sch.Env.scheme_vars) [] in
	     let new_pred = (translate_pred fv [] pred_sch.Env.scheme_type) in 
	     let pred' = lifted fv new_pred [] in 
	     let new_axiom =
	       Env.empty_scheme (pred') in
	     Queue.add (Daxiom (loc, ident, new_axiom)) queue
	       (* A goal is a sequent : a context and a predicate and both have to be translated *)
	 | Dgoal (loc, expl, ident, s_sch) ->
	     let fv = Env.Vset.fold
	       (fun tv acc -> 
		  (tv.tag,  (bound_variable tvar))::acc)
	       (s_sch.Env.scheme_vars) [] in
	     (* function for the following fold_left *)
	     let f  (acc_c, acc_new_cel) s = match s with
		 Spred (id, p) -> (acc_c, 
				   (Spred (id, translate_pred fv acc_c p))::acc_new_cel)
	       | Svar (id, t)  -> 
		   ((id,t)::acc_c, (Svar (id, utButBuiltIn t))::acc_new_cel) in
	     (* list of hyps for the following fold_left *)
	     let l = fst s_sch.Env.scheme_type in
	     
	     let (context, new_cel) =  List.fold_left 	f ([], []) l in
	     let ctxt = lifted_ctxt fv (List.rev new_cel) in 
	     let pred' =  translate_pred fv context (snd (s_sch.Env.scheme_type)) in 
	     (*Format.printf "%a" Util.print_predicate pred' ; *)
	     let new_sequent =
	       Env.empty_scheme
		 (ctxt,pred'
		  ) in
	     let temp = Dgoal (loc, expl, ident, new_sequent) in
	     Queue.add temp queue 
      )
  with
      Not_found -> 
	Format.eprintf "Exception Caught In Push : %a\n" Util.print_decl d;
	raise Not_found

let iter f =
  (* first the prelude *)
  List.iter f prelude;
  (* then the queue *)
  Queue.iter f queue

let reset () = 
  arities := [];
  Queue.clear queue;
  (*List.iter push arith_kernel*)
  

why-2.39/src/encoding_strat.ml0000644000106100004300000004172413147234006015365 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



open Cc
open Logic
open Logic_decl

let loc = Loc.dummy_floc

let prefix = "c_"
let suffix = "_c"
let var = "x"
let tvar = "t"
(* dead code
let cpt = ref 0
*)
let axiom c = c ^ "_to_" ^ (c^suffix)
(* dead code
let def c = "def_"^c
*)

let arities = ref []

(* The unique type for all terms *)
let ut = PTexternal ([], Ident.create (prefix^"unique"))

let unify ptl = List.map (fun _ -> ut) ptl

let prelude =
  (Dtype (loc, Ident.create (prefix^"unique"), []))::	(* The unique sort *)
  (Dlogic (loc, Ident.create (prefix^"sort"),
	   Env.empty_scheme (Function ([ut; ut], ut)))):: (* The "sort" symbol *)
  (Dlogic (loc, Ident.create (prefix^"int"),
	   Env.empty_scheme (Function ([], ut)))):: (* One synbol for each prefedined type *)
  (Dlogic (loc, Ident.create (prefix^"bool"),
	   Env.empty_scheme (Function ([], ut))))::
  (Dlogic (loc, Ident.create (prefix^"real"),
	   Env.empty_scheme (Function ([], ut))))::
  (Dlogic (loc, Ident.create (prefix^"unit"),
	   Env.empty_scheme (Function ([], ut))))::
  (Dlogic (loc, Ident.create (prefix^"ref"),
	   Env.empty_scheme (Function ([ut], ut))))::
(*   (Dlogic (loc, "neq"^suffix, *)
(* 	   Env.empty_scheme (Predicate ([ut; ut])))):: *)
  (Daxiom (loc, axiom "eq",
	   let x = Ident.create "x"
	   and y = Ident.create "y"
	   and int = Tapp (Ident.create (prefix^"int"), [], []) in
	   Env.empty_scheme
             (Forall (false, x, x, ut, [],
	      Forall (false, y, y, ut, [],
	      (Piff
		 (Papp (Ident.t_eq,
			[Tapp (Ident.create (prefix^"sort"),
			       [int; Tvar x], []);
			 Tapp (Ident.create (prefix^"sort"),
			       [int; Tvar y], [])], []),
		  (Papp (Ident.t_eq, [Tvar x; Tvar y], []))))
		     )))))::
  []

(* Special axioms for arithmetic *)
let arith_kernel =
  (Dlogic (loc, Ident.t_add_int,
	   Env.empty_scheme (Function ([PTint; PTint], PTint))))::
  (Dlogic (loc, Ident.t_sub_int,
	   Env.empty_scheme (Function ([PTint; PTint], PTint))))::
  (Dlogic (loc, Ident.t_mul_int,
	   Env.empty_scheme (Function ([PTint; PTint], PTint))))::
(*
  (Dlogic (loc, Ident.t_div_int,
	   Env.empty_scheme (Function ([PTint; PTint], PTint))))::
  (Dlogic (loc, Ident.t_mod_int,
	   Env.empty_scheme (Function ([PTint; PTint], PTint))))::
*)
  (Dlogic (loc, Ident.t_neg_int,
	   Env.empty_scheme (Function ([PTint], PTint))))::
  (Dlogic (loc, Ident.t_lt_int,
	   Env.empty_scheme (Predicate ([PTint; PTint]))))::
  (Dlogic (loc, Ident.t_le_int,
	   Env.empty_scheme (Predicate ([PTint; PTint]))))::
  (Dlogic (loc, Ident.t_gt_int,
	   Env.empty_scheme (Predicate ([PTint; PTint]))))::
  (Dlogic (loc, Ident.t_ge_int,
	   Env.empty_scheme (Predicate ([PTint; PTint]))))::
  []

(* Function that plunges a term under its type information.  *)
(* Uses an assoc. list of tags -> idents for type variables *)
let plunge fv term pt =
  let rec leftt pt =
    match pt with
      PTint -> Tapp (Ident.create (prefix^"int"), [], [])
    | PTbool -> Tapp (Ident.create (prefix^"bool"), [], [])
    | PTreal -> Tapp (Ident.create (prefix^"real"), [], [])
    | PTunit -> Tapp (Ident.create (prefix^"unit"), [], [])
    | PTvar ({type_val = None} as var) ->
	let t =
	  try
	    List.assoc var.tag fv
	  with Not_found ->
	    let s = string_of_int var.tag in
	    (print_endline ("unknown vartype : "^s); s)
	in
	Tvar (Ident.create t)
    | PTvar {type_val = Some pt} -> leftt pt
    | PTexternal (ptl, id) -> Tapp (id, List.map (fun pt -> leftt pt) ptl, [])
  in
  Tapp (Ident.create (prefix^"sort"),
	[leftt pt; term],
	[])

(* Function that strips the top most sort application, for terms bound
   in let-ins *)
let strip_topmost t =
  match t with
    | Tapp (symb, [_encoded_ty; encoded_t], [])
	when symb = Ident.create (prefix^"sort") ->
	encoded_t
    | _ -> t

(* Ground instanciation of an arity (to be plunged under) *)
let instantiate_arity id inst =
  let arity =
    try List.assoc (Ident.string id) !arities
    with e ->
      (print_endline ("unknown arity for symbol "^(Ident.string id))); raise e in
  let (vs, log_type) = Env.specialize_logic_type arity in
  match log_type with
    Function (_ptl, rt) ->
      ignore (Env.Vmap.fold (fun _ v l ->
	(match l with [] -> []
	| _ -> (v.type_val <- Some (List.hd l); (List.tl l))))
		vs (List.rev inst));
      rt
  | _ -> assert false

(* Translation of a term *)
let rec translate_term fv lv = function
  | Tvar id ->
      plunge fv (Tvar id)
	(try List.assoc id lv
	with e -> (* (print_endline ("unknown variable :"^(pp id)); *)
(* 		   print_endline "=== in ==="; *)
(* 		   ignore (List.iter (fun (n, _) -> print_endline (pp n)) lv); *)
	  raise e)
  | Tapp (id, tl, _inst) when Ident.is_simplify_arith id ->
      Tapp(Ident.create (Ident.string id ^ suffix),
	   List.map (translate_term fv lv) tl, [])
  | Tapp (id, tl, inst) ->
      plunge fv (Tapp (id, List.map (translate_term fv lv) tl, []))
	(instantiate_arity id inst)
  | Tconst (ConstInt _) as t -> plunge [] t PTint
  | Tconst (ConstBool _) as t -> plunge [] t PTbool
  | Tconst (ConstUnit) as t -> plunge [] t PTunit
  | Tconst (ConstFloat _f) as t -> plunge [] t PTreal
  | Tderef id as t -> print_endline ("id in Tderef : "^(Ident.string id)); t
  | Tnamed(_,t) -> translate_term fv lv t

(* Generalizing a predicate scheme with foralls (can add a trigger) *)
let rec lifted  l p t =
  match l with [] -> p
  | (_, s)::[] ->
      Forall(false, Ident.create s, Ident.create s, ut, t, p)
  | (_, s)::q ->
      Forall(false, Ident.create s, Ident.create s, ut, [], lifted q p t)

(* dead code
let rec lifted_t l p tr =
  match l with [] -> p
  | (a,t)::[] -> (Forall(false, a, a, t, tr, p))
  | (a,t)::q ->  (Forall(false, a, a, t, [], lifted_t q p tr))
*)

let lifted_ctxt l cel =
  (List.map (fun (_,s) -> Svar(Ident.create s, ut)) l)@cel

(* Translation of a predicate *)
let rec translate_pred fv lv = function
  | Papp (id, tl, _inst) when Ident.is_simplify_arith id ->
      Papp (Ident.create ((Ident.string id)^suffix),
	    List.map (translate_term fv lv) tl, [])
(*   | Papp (id, [a; b], inst) when Ident.is_neq id -> *)
(*       Papp (Ident.create ("neq"^suffix), [translate_term fv lv a; translate_term fv lv b], []) *)
  | Papp (id, tl, _inst) ->
      Papp (id, List.map (translate_term fv lv) tl, [])
  | Plet (id, n, pt, t, p) ->
      let t' = strip_topmost (translate_term fv lv t) in
	Plet (id, n, ut, t', translate_pred fv ((n,pt)::lv) p)
  | Pimplies (iswp, p1, p2) ->
      Pimplies (iswp, translate_pred fv lv p1, translate_pred fv lv p2)
  | Pif (t, p1, p2) ->
      Pif (translate_term fv lv t, translate_pred fv lv p1, translate_pred fv lv p2)
  | Pand (iswp, issym, p1, p2) ->
      Pand (iswp, issym, translate_pred fv lv p1, translate_pred fv lv p2)
  | Por (p1, p2) ->
      Por (translate_pred fv lv p1, translate_pred fv lv p2)
  | Piff (p1, p2) ->
      Piff (translate_pred fv lv p1, translate_pred fv lv p2)
(*   | Pnot (Papp (id, [a; b], inst)) when Ident.is_eq id -> *)
(*       Papp (Ident.create ("neq"^suffix), [translate_term fv lv a; translate_term fv lv b], []) *)
  | Pnot p ->
      Pnot (translate_pred fv lv p)
  | Forall (iswp, id, n, pt, tl, p) ->
      let lv' = (n,pt)::lv in
(*       print_endline "----"; *)
(*       ignore (List.iter (fun (n, _) -> print_endline (Ident.string n)) lv'); *)
      let tl' = List.map (List.map (translate_pattern fv lv')) tl in
      Forall (iswp, id, n, ut, tl', translate_pred fv lv' p)
  | Forallb (iswp, p1, p2) ->
      Forallb (iswp, translate_pred fv lv p1, translate_pred fv lv p2)
  | Exists (id, n, pt, p) ->
      Exists (id, n, ut, translate_pred fv ((n,pt)::lv) p)
  | Pnamed (s, p) ->
      Pnamed (s, translate_pred fv lv p)
  | _ as d -> d

and translate_pattern fv lv = function
  | TPat t -> TPat (translate_term fv lv t)
  | PPat p -> PPat (translate_pred fv lv p)

(* Identity for now (Could translate built-in equality into customized equality) *)
let translate_eq = (fun d -> d) (* function *)
(*   | Papp (id, tl, inst) when Ident.is_eq id -> *)
(*       Papp (Ident.create ("equal"^suffix), tl, inst) *)
(*   | Papp (id, tl, inst) when Ident.is_neq id -> *)
(*       Pnot (Papp (Ident.create ("equal"^suffix), tl, inst)) *)
(*   | Pimplies (iswp, p1, p2) -> *)
(*       Pimplies (iswp, translate_eq p1, translate_eq p2) *)
(*   | Pif (t, p1, p2) -> *)
(*       Pif (t, translate_eq p1, translate_eq p2) *)
(*   | Pand (iswp, issym, p1, p2) -> *)
(*       Pand (iswp, issym, translate_eq p1, translate_eq p2) *)
(*   | Por (p1, p2) -> *)
(*       Por (translate_eq p1, translate_eq p2) *)
(*   | Piff (p1, p2) -> *)
(*       Piff (translate_eq p1, translate_eq p2) *)
(*   | Pnot p -> *)
(*       Pnot (translate_eq p) *)
(*   | Forall (iswp, id, n, pt, p) -> *)
(*       Forall (iswp, id, n, pt, translate_eq p) *)
(*   | Forallb (iswp, p1, p2) -> *)
(*       Forallb (iswp, translate_eq p1, translate_eq p2) *)
(*   | Exists (id, n, pt, p) -> *)
(*       Exists (id, n, pt, translate_eq p) *)
(*   | Pnamed (s, p) -> *)
(*       Pnamed (s, translate_eq p) *)
(*   | _ as d -> d  *)

(* The core *)
let queue = Queue.create ()

let push d =
  try (match d with
(* A type declaration is translated as new logical function, the arity of *)
(* which depends on the number of type variables in the declaration *)
  | Dtype (loc, ident, vars) ->
      Queue.add (Dlogic (loc, ident,
			 Env.empty_scheme (Function (unify vars, ut)))) queue
  | Dalgtype _ ->
      assert false
(*
      failwith "encoding rec: algebraic types are not supported"
*)
(* For arithmetic symbols, another encoding is used (see encoding_rec.ml) *)
  | Dlogic (loc, ident, arity) when Ident.is_simplify_arith ident ->
      let cpt = ref 0 in
      let fv = Env.Vset.fold
	  (fun tv acc -> cpt := !cpt + 1; (tv.tag, tvar^(string_of_int !cpt))::acc)
	  (arity.Env.scheme_vars) [] in
      let name = Ident.string ident in
      (match arity.Env.scheme_type with
      | Predicate ptl ->
	  let args =
	    List.map
	      (fun t -> Ident.create (let _ = cpt := !cpt + 1 in var^(string_of_int !cpt)), t)
	      ptl in
	  let terml =
	    Papp (Ident.create (name^suffix),
		  List.map (fun (id, t) -> plunge fv (Tvar id) t) args, [])
	  and termr =
	    Papp (ident, List.map (fun (t, _) -> Tvar t) args, []) in
	  let ax = Env.empty_scheme
	      (lifted ((List.map (fun (id,_) -> (0, Ident.string id)) args)@fv)
		 (Piff (terml, termr)) [[PPat terml]]) in
	  (Queue.add (Dlogic (loc, Ident.create (name^suffix),
			      Env.empty_scheme (Predicate (unify ptl)))) queue;
	   Queue.add (Dlogic (loc, ident,
			      Env.empty_scheme (Predicate (unify ptl)))) queue;
	   Queue.add (Daxiom (loc, axiom name, ax)) queue)
      | Function (ptl, rt) ->
	  let args =
	    List.map
	      (fun t ->
		Ident.create (let _ = cpt := !cpt + 1 in var^(string_of_int !cpt)), t)
	      ptl in
	  let terml =
	    Tapp (Ident.create (name^suffix),
		  List.map (fun (id, t) -> plunge fv (Tvar id) t) args, [])
	  and termr =
	    plunge fv
	      (Tapp (ident, List.map (fun (t, _) -> Tvar t) args, []))
	      rt in
	  let ax = Env.empty_scheme
	      (lifted
		 ((List.map (fun (id,_) -> (0,Ident.string id)) args)@fv)
		 (Papp (Ident.t_eq, [terml;termr], [])) [[TPat terml]]) in
	  (Queue.add (Dlogic (loc, Ident.create (name^suffix),
			      Env.empty_scheme (Function (unify ptl, ut)))) queue;
	   Queue.add (Dlogic (loc, ident,
			      Env.empty_scheme (Function (unify ptl, ut)))) queue;
	   Queue.add (Daxiom (loc, axiom name, ax)) queue))
(* In the case of a logic definition, we redefine the logic symbol  *)
(* with type u, and its complete arity is stored for the encoding *)
  | Dlogic (loc, ident, arity) ->
      arities := (Ident.string ident, arity)::!arities;
      let newarity = match arity.Env.scheme_type with
	Predicate ptl -> Predicate (unify ptl)
      | Function (ptl, _) -> Function (unify ptl, ut) in
      Queue.add (Dlogic (loc, ident,
			 Env.empty_scheme newarity)) queue
(* A predicate definition can be handled as a predicate logic definition + an axiom *)
  | Dpredicate_def (_loc, _ident, _pred_def_sch) ->
      assert false
(*
      let (argl, pred) = pred_def_sch.Env.scheme_type in
      let rootexp = (Papp (ident, List.map (fun (i,_) -> Tvar i) argl, [])) in
      let name = Ident.string ident in
      push (Dlogic (loc, ident, (Env.generalize_logic_type (Predicate (snd (List.split argl))))));
      push (Daxiom (loc, def name, (Env.generalize_predicate
				       (lifted_t argl (Piff (rootexp, pred)) [[PPat rootexp]]))))
*)
  | Dinductive_def(_loc, _ident, _inddef) ->
      assert false
(*
      failwith "encoding strat: inductive def not yet supported"
*)
(* A function definition can be handled as a function logic definition + an axiom *)
  | Dfunction_def (_loc, _ident, _fun_def_sch) ->
      assert false
(*
(* ?????
      let _ = print_endline ident in
*)
      let (argl, rt, term) = fun_def_sch.Env.scheme_type in
      let rootexp = (Tapp (ident, List.map (fun (i,_) -> Tvar i) argl, [])) in
      let name = Ident.string ident in
      push (Dlogic (loc, ident, (Env.generalize_logic_type (Function (snd (List.split argl), rt)))));
      push (Daxiom (loc, def name,
		    (Env.generalize_predicate
		       (lifted_t argl (Papp (Ident.t_eq, [rootexp; term], [])) [[TPat rootexp]]))))
*)
(* Axiom definitions *)
  | Daxiom (loc, name, pred_sch) ->
      let cpt = ref 0 in
      let fv = Env.Vset.fold
	  (fun tv acc -> cpt := !cpt + 1; (tv.tag, tvar^(string_of_int !cpt))::acc)
	  (pred_sch.Env.scheme_vars) [] in
      let new_axiom =
	Env.empty_scheme (lifted fv (translate_pred fv [] pred_sch.Env.scheme_type) []) in
      Queue.add (Daxiom (loc, name, new_axiom)) queue
(* A goal is a sequent : a context and a predicate and both have to be translated *)
  | Dgoal (loc, is_lemma, expl, name, s_sch) ->
      begin try
	let cpt = ref 0 in
	let fv = Env.Vset.fold
	  (fun tv acc -> cpt := !cpt + 1; (tv.tag, tvar^(string_of_int !cpt))::acc)
	  (s_sch.Env.scheme_vars) [] in
	let (context, new_cel) =
	  List.fold_left
	    (fun (acc_c, acc_new_cel) s -> match s with
		 Spred (id, p) -> (acc_c,
				   (Spred (id, translate_eq (translate_pred fv acc_c p)))::acc_new_cel)
	       | Svar (id, t) -> ((id,t)::acc_c, (Svar (id, ut))::acc_new_cel))
	    ([], [])
	    (fst (s_sch.Env.scheme_type)) in
	let new_sequent =
	  Env.empty_scheme
	    (lifted_ctxt fv (List.rev new_cel),
	     translate_eq (translate_pred fv context (snd (s_sch.Env.scheme_type)))) in
	Queue.add (Dgoal (loc, is_lemma, expl, name, new_sequent)) queue
      with Not_found ->
	Format.eprintf "Exception Not_found caught in : %a\n" Util.print_decl d;
	Queue.add (Dgoal (loc, is_lemma, expl, name, Env.empty_scheme([],Pfalse))) queue
      end)
  with
    Not_found ->
      Format.eprintf "Exception Not_found caught in : %a\n" Util.print_decl d;
      raise Not_found

let iter f =
  (* first the prelude *)
  List.iter f prelude;
  (* then the queue *)
  Queue.iter f queue

let reset () =
  arities := [];
  Queue.clear queue;
  List.iter push arith_kernel;
(*
  Env.iter_global_logic (fun id _ -> print_endline (Ident.string id));
  Env.iter_global_logic
    (fun id lts -> push (Dlogic (loc, Ident.string id, lts)))
*)
why-2.39/src/env.ml0000644000106100004300000005667013147234006013160 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



open Ident
open Misc
open Types
open Ast
open Logic
open Error
open Report
open Cc

module StringMap = Map.Make(String)
module StringSet = Set.Make(String)

(* generalization *)

module TypeVar = struct
  type t = type_var
  let compare v1 v2 = compare v1.tag v2.tag 
end
module Vset = Set.Make(TypeVar)
module Vmap = Map.Make(TypeVar)
type var_subst = type_var Vmap.t

type 'a scheme = { scheme_vars : Vset.t; scheme_type : 'a }

let empty_scheme t = { scheme_vars = Vset.empty ; scheme_type = t }

let rec find_pure_type_vars env t =
  match t with
    | PTvar ({ type_val = None } as v) -> 
	Vset.add v env
    | PTvar { type_val = Some t } ->
	find_pure_type_vars env t
    | PTexternal(l,_id) ->
	List.fold_left find_pure_type_vars env l
    | PTint | PTreal | PTbool | PTunit -> 
	env

let find_logic_type_vars t =
  match t with
    | Function(tl,tr) ->
	let env = find_pure_type_vars Vset.empty tr in
	List.fold_left find_pure_type_vars env tl
    | Predicate(tl) ->
	List.fold_left find_pure_type_vars Vset.empty tl

let rec find_type_v_vars acc t =
  match t with
    | Ref t | PureType t -> find_pure_type_vars acc t
    | Arrow(bl,c) ->
	let acc = find_type_c_vars acc c in
	List.fold_left find_binder_vars acc bl
and find_type_c_vars acc c = find_type_v_vars acc c.c_result_type
and find_binder_vars acc (_,t) = find_type_v_vars acc t


let generalize_logic_type t =
  let l = find_logic_type_vars t in
  { scheme_vars = l ; scheme_type = t }

let generalize_alg_type t =
  let vs,cs = t in
  let pls = List.map (fun (_,pl) -> pl) cs in
  let act = List.fold_left find_pure_type_vars in
  let l = List.fold_left act Vset.empty (vs::pls) in
  { scheme_vars = l ; scheme_type = t }

let rec find_term_vars acc = function
  | Tconst _
  | Tvar _
  | Tderef _ ->
      acc
  | Tapp (_, tl, i) ->
      List.fold_left find_term_vars 
	(List.fold_left find_pure_type_vars acc i) tl
  | Tnamed(_,t) -> find_term_vars acc t

let rec find_pattern_vars acc = function
  | TPat t -> find_term_vars acc t
  | PPat p -> find_predicate_vars acc p

and find_predicate_vars acc p =
  match p with
    | Pvar _
    | Ptrue
    | Pfalse -> 
	acc
    | Papp (_, tl, i) ->
	List.fold_left find_term_vars 
	  (List.fold_left find_pure_type_vars acc i) tl
    | Pimplies (_,p1,p2) 
    | Pif (_,p1,p2)
    | Pand (_,_,p1,p2)
    | Piff (p1,p2)
    | Por (p1,p2) ->
	find_predicate_vars (find_predicate_vars acc p1) p2
    | Pnot p -> find_predicate_vars acc p
    | Forall (_,_,_,t,tl,p) ->
	List.fold_left (List.fold_left find_pattern_vars)
	  (find_predicate_vars (find_pure_type_vars acc t) p) tl
    | Exists (_,_,t,p) ->
	find_predicate_vars (find_pure_type_vars acc t) p
    | Forallb (_,p1,p2) ->
	find_predicate_vars (find_predicate_vars acc p1) p2
    | Pnamed (_,p) ->
	find_predicate_vars acc p
    | Plet (_, _, _, _, p) ->
	find_predicate_vars acc p

let generalize_predicate p =
  let l = find_predicate_vars Vset.empty p in
  { scheme_vars = l ; scheme_type = p }

let generalize_predicate_def (bl,p) = 
  let l = 
    List.fold_left (fun acc (_,pt) -> find_pure_type_vars acc pt) Vset.empty bl
  in
  let l = find_predicate_vars l p in
  { scheme_vars = l; scheme_type = (bl,p) }

let generalize_inductive_def (bl,l) =
  let vars = List.fold_left find_pure_type_vars Vset.empty bl in
  let vars =
    List.fold_left (fun acc (_,p) -> find_predicate_vars acc p) vars l
  in
  { scheme_vars = vars ; scheme_type = (bl,l) }

let generalize_function_def (bl,t,e) = 
  let l = 
    List.fold_left (fun acc (_,pt) -> find_pure_type_vars acc pt) Vset.empty bl 
  in
  let l = find_pure_type_vars l t in
  { scheme_vars = l; scheme_type = (bl,t,e) }

(* specialization *)

let dump_type_var = ref (fun (_v:type_var) -> ())

let new_type_var =
  let c = ref 0 in
  fun ?(user=false) () -> 
    incr c; 
    let v = { tag = !c; user=user; type_val = None } in 
    v

let rec subst_pure_type s t =
  match t with
    | PTvar ({ type_val = None } as v) ->
	(try PTvar (Vmap.find v s) with Not_found -> t)
    | PTvar { type_val = Some t } ->
	subst_pure_type s t
    | PTexternal(l,id) ->
	PTexternal(List.map (subst_pure_type s) l,id)
    | PTint | PTreal | PTbool | PTunit -> t


let subst_logic_type s = function
  | Function (tl,tr) -> 
      Function (List.map (subst_pure_type s) tl, subst_pure_type s tr)
  | Predicate (tl) -> 
      Predicate (List.map (subst_pure_type s) tl)

let subst_alg_type s (vs,cs) =
  (List.map (subst_pure_type s) vs,
    List.map (fun (c,pl) -> (c, List.map (subst_pure_type s) pl)) cs)

let rec subst_term s = function
  | Tapp (id, tl, i) -> 
      Tapp (id, List.map (subst_term s) tl, List.map (subst_pure_type s) i)
  | Tconst _ | Tvar _ | Tderef _ as t -> 
      t
  | Tnamed (lab,t) -> Tnamed(lab,subst_term s t)

let rec subst_pattern s = function
  | TPat t -> TPat (subst_term s t)
  | PPat p -> PPat (subst_predicate s p)

and subst_trigger s = List.map (subst_pattern s)

and subst_triggers s = List.map (subst_trigger s)

and subst_predicate s p =
  let f = subst_predicate s in
  match p with
  | Pimplies (w, a, b) -> Pimplies (w, f a, f b)
  | Pif (a, b, c) -> Pif (subst_term s a, f b, f c)
  | Pand (w, s, a, b) -> Pand (w, s, f a, f b)
  | Por (a, b) -> Por (f a, f b)
  | Piff (a, b) -> Piff (f a, f b)
  | Pnot a -> Pnot (f a)
  | Forall (w, id, b, v, tl, p) -> 
      Forall (w, id, b, subst_pure_type s v, subst_triggers s tl, f p)
  | Exists (id, b, v, p) -> Exists (id, b, subst_pure_type s v, f p)
  | Forallb (w, a, b) -> Forallb (w, f a, f b)
  | Papp (id, tl, i) -> 
      Papp (id, List.map (subst_term s) tl, List.map (subst_pure_type s) i)
  | Pnamed (n, a) -> Pnamed (n, f a)
  | Plet (x, b, pt, t, p) -> Plet (x, b, pt, subst_term s t, f p)
  | Ptrue | Pfalse | Pvar _ as p -> p

let rec subst_type_v s = function
  | Ref t -> Ref (subst_pure_type s t)
  | PureType t -> PureType (subst_pure_type s t)
  | Arrow (bl,c) -> Arrow (List.map (subst_binder s) bl,subst_type_c s c)
and subst_binder s (id,t) = 
  (id, subst_type_v s t)
and subst_type_c s c =
  { c with 
    c_result_type = subst_type_v s c.c_result_type;
    c_pre = List.map (subst_predicate s) c.c_pre;
    c_post = option_app (post_app (subst_predicate s)) c.c_post }

let subst_predicate_def s (bl,p) =
  let bl = List.map (fun (x,pt) -> (x, subst_pure_type s pt)) bl in
  bl, subst_predicate s p


let specialize_scheme subst s =
  let env =
    Vset.fold
      (fun x s -> Vmap.add x (new_type_var()) s)
      s.scheme_vars Vmap.empty
  in 
  (env, subst env s.scheme_type)

let specialize_logic_type = specialize_scheme subst_logic_type

let specialize_alg_type = specialize_scheme subst_alg_type

let specialize_type_v = specialize_scheme subst_type_v

let specialize_predicate = specialize_scheme subst_predicate

let specialize_predicate_def = specialize_scheme subst_predicate_def

let subst_inductive_def s (bl,p) =
  let bl = List.map (subst_pure_type s) bl in
  bl, List.map (fun (id,p) -> (id,subst_predicate s p)) p

let specialize_inductive_def = specialize_scheme subst_inductive_def

let subst_function_def s (bl,t,e) =
  let bl = List.map (fun (x,pt) -> (x, subst_pure_type s pt)) bl in
  bl, subst_pure_type s t, subst_term s e

let specialize_function_def = specialize_scheme subst_function_def

let instantiate_specialized env inst =
  let r = Vmap.fold (fun _ v l -> 
		      (match l with 
                         | [] -> 
                            invalid_arg ("instantiate_specialized : too many var type to instantiate")
			 | a::q -> (v.type_val <- Some a; q)))
    env (List.rev inst) in (* Pourquoi List.rev? *)
  match r with
    | [] -> ()
    | _ -> invalid_arg ("instantiate_specialized : not enough var type to instantiate")

let instantiate_scheme subst s inst =
  let (env,x) = specialize_scheme subst s in
  instantiate_specialized env inst;
  x

let instantiate_logic_type = instantiate_scheme subst_logic_type

(* dead code
let instantiate_type_v = instantiate_scheme subst_type_v
*)

let instantiate_predicate = instantiate_scheme subst_predicate

let instantiate_predicate_def = instantiate_scheme subst_predicate_def

let instantiate_inductive_def = instantiate_scheme subst_inductive_def

let instantiate_function_def = instantiate_scheme subst_function_def

let rec find_cc_type_vars acc = function
  | TTpure pt -> find_pure_type_vars acc pt
  | TTarray cc -> find_cc_type_vars acc cc
  | TTlambda (b, cc) -> find_cc_binder_vars (find_cc_type_vars acc cc) b
  | TTarrow (b, cc) -> find_cc_binder_vars (find_cc_type_vars acc cc) b
  | TTtuple (bl, cco) -> 
      List.fold_left find_cc_binder_vars 
	(match cco with None -> acc | Some cc -> find_cc_type_vars acc cc) bl
  | TTpred p -> find_predicate_vars acc p
  | TTapp (cc, l) -> 
      find_cc_type_vars (List.fold_left find_cc_type_vars acc l) cc
  | TTterm _ 
  | TTSet -> acc

and find_cc_bind_type_vars acc = function
  | CC_var_binder cc -> find_cc_type_vars acc cc
  | CC_pred_binder p -> find_predicate_vars acc p
  | CC_untyped_binder -> acc

and find_cc_binder_vars acc (_, bt) = find_cc_bind_type_vars acc bt

let rec subst_cc_type s = function
  | TTpure pt -> TTpure (subst_pure_type s pt)
  | TTarray cc -> TTarray (subst_cc_type s cc)
  | TTlambda (b, cc) -> TTlambda (subst_cc_binder s b, subst_cc_type s cc)
  | TTarrow (b, cc) -> TTarrow (subst_cc_binder s b, subst_cc_type s cc)
  | TTtuple (bl, cco) -> 
      TTtuple (List.map (subst_cc_binder s) bl, 
	       option_app (subst_cc_type s) cco)
  | TTpred p -> TTpred (subst_predicate s p)
  | TTapp (cc, l) -> TTapp (subst_cc_type s cc, List.map (subst_cc_type s) l)
  | TTterm t -> TTterm (subst_term s t)
  | TTSet -> TTSet

and subst_cc_bind_type s = function
  | CC_var_binder cc -> CC_var_binder (subst_cc_type s cc)
  | CC_pred_binder p -> CC_pred_binder (subst_predicate s p)
  | CC_untyped_binder -> CC_untyped_binder

and subst_cc_binder s (id, bt) = (id, subst_cc_bind_type s bt)

let subst_sequent s (h, p) = 
  let subst_hyp = function
    | Svar (id, t) -> Svar (id, subst_pure_type s t)
    | Spred (id, p) -> Spred (id, subst_predicate s p)
  in
  (List.map subst_hyp h, subst_predicate s p)

let find_sequent_vars (h, p) =
  let find_hyp_vars acc = function
    | Svar (_, t) -> find_pure_type_vars acc t
    | Spred (_, p) -> find_predicate_vars acc p
  in
  let l = List.fold_left find_hyp_vars Vset.empty h in
  find_predicate_vars l p

let generalize_sequent s =
  let l = find_sequent_vars s in
  { scheme_vars = l; scheme_type = s }

let specialize_sequent = specialize_scheme subst_sequent
let instantiate_sequent = instantiate_scheme subst_sequent

let rec find_gen_cc_term_vars hole_fun acc t = 
  let find_cc_term_vars = find_gen_cc_term_vars hole_fun in
    match t with
      | CC_var _ ->
	  acc
      | CC_letin (_, bl, t1, t2) ->
	  List.fold_left find_cc_binder_vars
	    (find_cc_term_vars (find_cc_term_vars acc t1) t2) bl
      | CC_lam (b, t) ->
	  find_cc_binder_vars (find_cc_term_vars acc t) b
      | CC_app (t1, t2) ->
	  find_cc_term_vars (find_cc_term_vars acc t1) t2
      | CC_tuple (tl, top) ->
	  List.fold_left find_cc_term_vars
	    (match top with None -> acc | Some t -> find_cc_type_vars acc t) tl
      | CC_if (t1, t2, t3) ->
	  find_cc_term_vars (find_cc_term_vars (find_cc_term_vars acc t1) t2) t3
      | CC_case (t, pl) ->
	  let find_case_vars acc (p, t) =
	    find_cc_pattern_vars (find_cc_term_vars acc t) p
	  in
	    List.fold_left find_case_vars (find_cc_term_vars acc t) pl
      | CC_term t ->
	  find_term_vars acc t
      | CC_hole pr ->
	  hole_fun acc pr
      | CC_type cc
      | CC_any cc ->
	  find_cc_type_vars acc cc

and find_cc_pattern_vars acc = function
  | PPvariable b -> find_cc_binder_vars acc b
  | PPcons (_, pl) -> List.fold_left find_cc_pattern_vars acc pl

let rec find_proof_vars acc = function
  | Lemma _
  | True
  | Proj1 _
  | Proj2 _
  | Assumption _
  | Conjunction _
  | Loop_variant_1 _
  | Absurd _
  | ShouldBeAWp ->
      acc
  | Reflexivity t
  | WfZwf t ->
      find_term_vars acc t
  | ProofTerm cc ->
      find_cc_term_vars acc cc

and find_cc_term_vars x = find_gen_cc_term_vars find_proof_vars x

and find_cc_functional_program_vars = 
  find_gen_cc_term_vars (fun accu (_loc, pred) -> find_predicate_vars accu pred)

let rec subst_gen_cc_term subst_hole s t = 
  let subst_cc_term = subst_gen_cc_term subst_hole in
    match t with
      | CC_var _ as cc -> cc
      | CC_letin (b, bl, t1, t2) -> 
	  CC_letin (b, List.map (subst_cc_binder s) bl, 
		    subst_cc_term s t1, subst_cc_term s t2)
      | CC_lam (b, t) -> CC_lam (subst_cc_binder s b, subst_cc_term s t)
      | CC_app (t1, t2) -> CC_app (subst_cc_term s t1, subst_cc_term s t2)
      | CC_tuple (tl, top) -> CC_tuple (List.map (subst_cc_term s) tl,
					option_app (subst_cc_type s) top)
      | CC_if (t1, t2, t3) ->
	  CC_if (subst_cc_term s t1, subst_cc_term s t2, subst_cc_term s t3)
      | CC_case (t, cl) ->
	  let subst_case (p, t) = subst_cc_pattern s p, subst_cc_term s t in
	    CC_case (subst_cc_term s t, List.map subst_case cl)
      | CC_term t -> CC_term (subst_term s t)
      | CC_hole pr -> CC_hole (subst_hole s pr)
      | CC_type t -> CC_type (subst_cc_type s t)
      | CC_any t -> CC_any (subst_cc_type s t)

and subst_cc_pattern s = function
  | PPvariable b -> PPvariable (subst_cc_binder s b)
  | PPcons (id, pl) -> PPcons (id, List.map (subst_cc_pattern s) pl)

let rec subst_proof s = function
  | Lemma _
  | True
  | Proj1 _
  | Proj2 _
  | Assumption _
  | Conjunction _
  | Loop_variant_1 _
  | Absurd _
  | ShouldBeAWp as pr ->
      pr
  | Reflexivity t -> Reflexivity (subst_term s t)
  | WfZwf t -> WfZwf (subst_term s t)
  | ProofTerm cc -> ProofTerm (subst_cc_term s cc)

and subst_cc_term x = subst_gen_cc_term subst_proof x

let subst_cc_functional_program = 
  subst_gen_cc_term (fun s (loc, pred) -> (loc, subst_predicate s pred))

let specialize_cc_type tt = 
  let l = find_cc_type_vars Vset.empty tt in
  specialize_scheme subst_cc_type {scheme_vars=l; scheme_type=tt}

let specialize_validation tt cc =
  let l = find_cc_term_vars (find_cc_type_vars Vset.empty tt) cc in
  if Vset.is_empty l then
    Vmap.empty, tt, cc
  else
    let env = 
      Vset.fold (fun x l -> Vmap.add x (new_type_var()) l) l Vmap.empty 
    in 
    (env, subst_cc_type env tt, subst_cc_term env cc)

let specialize_cc_functional_program tt cc =
  let l = find_cc_functional_program_vars (find_cc_type_vars Vset.empty tt) cc in
  if Vset.is_empty l then
    Vmap.empty, tt, cc
  else
    let env = 
      Vset.fold (fun x l -> Vmap.add x (new_type_var()) l) l Vmap.empty 
    in 
    (env, subst_cc_type env tt, subst_cc_functional_program env cc)

let type_var_names = Hashtbl.create 97
let type_var_name v = Hashtbl.find type_var_names v.tag


(* Environments for imperative programs.
 *
 * An environment of programs is an association tables
 * from identifiers (Ident.t) to types of values with effects
 * (ProgAst.ml_type_v), together with a list of these associations, since
 * the order is relevant (we have dependent types e.g. [x:nat; t:(array x T)])
 *)

module Penv = struct
  type 'a t = {
    map : 'a Idmap.t;
    elements: (Ident.t * 'a) list;
    rec_funs : Idset.t;
    type_vars : (string, type_var) Hashtbl.t
  }
  let empty () = 
    { map = Idmap.empty; elements = []; rec_funs = Idset.empty;
      type_vars = Hashtbl.create 17 }
  let add id v e = 
    { e with map = Idmap.add id v e.map; elements = (id,v)::e.elements }
  let find id e = Idmap.find id e.map
  let mem id e = Idmap.mem id e.map
  let fold f e x0 = List.fold_right f e.elements x0
  let iter f e = List.iter f e.elements
  let add_rec x e = { e with rec_funs = Idset.add x e.rec_funs }
  let is_rec x e = Idset.mem x e.rec_funs
  let find_type_var id e =
    let s = Ident.string id in
    try
      Hashtbl.find e.type_vars s
    with Not_found ->
      let v = new_type_var ~user:true () in
      Hashtbl.add type_var_names v.tag s;
      Hashtbl.add e.type_vars s v;
      v
end

(* The global environment.
 *
 * We have a global typing environment env
 * We also keep a table of programs for extraction purposes
 * and a table of initializations (still for extraction)
 *)

let (env : type_v scheme Penv.t ref) = ref (Penv.empty ())
let (global_refs : pure_type Idmap.t ref) = ref Idmap.empty

(* Local environments *)

type local_env = {
  progs: type_v scheme Penv.t;
  logic: pure_type Idmap.t 
}

(* logical variables *)

(* dead code
let is_logic x env = Idmap.mem x env.logic
*)

let find_logic x env = Idmap.find x env.logic

let add_logic x pt env = 
  { env with logic = Idmap.add x pt env.logic }

(* empty local environment: contains the references as *)

let add_logic_ref id v env = match v with
  | Ref pt -> Idmap.add id pt env
  | PureType _ | Arrow _ -> env

let empty_progs () = 
  { progs = Penv.empty (); logic = !global_refs }

let empty_logic () =
  { progs = Penv.empty (); logic = Idmap.empty }

let add_logic_pure_or_ref id v env = match v with
  | Ref pt | PureType pt -> Idmap.add id pt env
  | Arrow _ -> env

let generalize_type_v t =
  let l = find_type_v_vars Vset.empty t in
  { scheme_vars = l ; scheme_type = t }

let add ?(generalize=false) id v env = 
  let v' = if generalize then generalize_type_v v else empty_scheme v in
  { progs = Penv.add id v' env.progs;
    logic = add_logic_pure_or_ref id v env.logic }

let find_type_var x env = Penv.find_type_var x env.progs

let specialize_type_scheme = specialize_type_v

let find id env =
  let s = Penv.find id env.progs in
  snd (specialize_type_scheme s)

let is_local env id = Penv.mem id env.progs


(* typed programs *)

type typing_info = { 
  t_loc : Loc.position;
  t_env : local_env;
  t_label : label;
  mutable t_userlabel : label;
  t_result_name : Ident.t;
  t_result_type : type_v;
  t_effect : Effect.t;
  t_post : postcondition option 
}
  
type typed_expr = typing_info Ast.t

let (pgm_table : (typed_expr option) Idmap.t ref) = ref Idmap.empty

(* Operations on the global environment. *)

let add_global_gen id v p =
  try
    let _ = Penv.find id !env in
    raise_unlocated (Clash id)
  with Not_found -> begin
    env := Penv.add id v !env; 
    global_refs := add_logic_ref id v.scheme_type !global_refs;
    pgm_table := Idmap.add id p !pgm_table
  end

let add_global id v p =
  let v = generalize_type_v v in
  add_global_gen id v p

let is_global id = Penv.mem id !env

let lookup_global id = 
  let s = Penv.find id !env in
  snd (specialize_type_scheme s)

let iter_global id =  Penv.iter id !env

let find_pgm id = Idmap.find id !pgm_table

(* exceptions *)

let exn_table = Hashtbl.create 97

let add_exception = Hashtbl.add exn_table
let is_exception = Hashtbl.mem exn_table
let find_exception = Hashtbl.find exn_table

(* predefined exception [Exit] *)
let _ = add_exception exit_exn None

(* Logic types with their arities *) 

let types = Hashtbl.create 97

let is_type = Hashtbl.mem types

let bad_arity =
  let rec check s = function
    | [] -> false
    | v :: l -> Idset.mem v s || check (Idset.add v s) l
  in
  check Idset.empty

let add_type loc v id = 
  if is_type id then raise_located loc (ClashType id);
  if bad_arity v then raise_located loc TypeBadArity;
  Hashtbl.add types id (List.length v)

let type_arity = Hashtbl.find types

let iter_type f = Hashtbl.iter f types
let fold_type f = Hashtbl.fold f types

(* Algebraic types with their constructors *)

let alg_types = Hashtbl.create 97

let is_alg_type = Hashtbl.mem alg_types

let alg_type_constructors = Hashtbl.find alg_types

let set_constructors = Hashtbl.add alg_types

(* access in env, local then global *)

let type_in_env env id =
  try find id env with Not_found -> lookup_global id

let is_in_env env id =
  (is_global id) || (is_local env id)

let is_ref env id =
  try is_mutable (type_in_env env id) with Not_found -> false

let fold_all f lenv x0 =
  let f (id,s) = f (id,s.scheme_type) in
  let x1 = Penv.fold f !env x0 in
  Penv.fold f lenv.progs x1

let add_rec x env = { env with progs = Penv.add_rec x env.progs }
let is_rec x env = Penv.is_rec x env.progs


let type_v_of_logic tl tr = match tl with
  | [] -> 
      PureType tr
  | _ ->
      let binder pt = Ident.anonymous, PureType pt in
      Arrow (List.map binder tl, type_c_of_v (PureType tr))

(* Logical environment *)

let logic_table = ref (Idmap.empty : logic_type scheme Idmap.t)

let add_global_logic x t = 
  logic_table := Idmap.add x t !logic_table;
  match t.scheme_type with
    | Function (tl, tr) ->
	let v = type_v_of_logic tl tr in
	let v = { scheme_vars = t.scheme_vars ; scheme_type = v } in
	add_global_gen x v None
    | Predicate _ ->
	()

(* dead code
let is_global_logic x = Idmap.mem x !logic_table
*)

let find_global_logic x =
  let t = Idmap.find x !logic_table in
  specialize_logic_type t

let is_global_logic x = Idmap.mem x !logic_table

let is_logic_function x =
  try 
    (match (Idmap.find x !logic_table).scheme_type with 
       | Function _ -> true 
       | _ -> false)
  with Not_found -> 
    false

let iter_global_logic f = Idmap.iter f !logic_table
let fold_global_logic f = Idmap.fold f !logic_table

let add_global_logic_gen x t =
  add_global_logic x (generalize_logic_type t)


let global_builtin = [(t_eq,
                      let v = PTvar (new_type_var()) in 
                      Predicate [v;v]);
                      (t_neq,
                      let v = PTvar (new_type_var()) in 
                      Predicate [v;v])]

let () = 
  List.iter (fun (id,t) -> add_global_logic_gen id t) global_builtin

(*s Labels *)

module Label = struct

  module LabelSet = Set.Make(struct type t = string let compare = compare end)

  type t = LabelSet.t

  let empty = LabelSet.empty

  let add = LabelSet.add

  let mem = LabelSet.mem

end
why-2.39/src/harvey.mli0000644000106100004300000000443213147234006014024 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

val reset : unit -> unit
val push_decl : Logic_decl.t -> unit
val output_file : string -> unit

why-2.39/src/encoding_mono_inst.ml0000644000106100004300000011413113147234006016226 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

open Cc
open Logic
open Logic_decl
open Format

(* dead code
let map_product (f: 'a -> 'a list) (l:'a list) : 'a list list =
  List.fold_left
    (fun prev_acc e ->
       let lr = f e in
       List.fold_left
         (fun acc l -> List.fold_left (fun acc e -> (e::l)::acc) acc lr)
         [] prev_acc) [[]] l
*)

(*let map_times (f: 'a -> 'b -> 'c) (l1:'a list) (l2:'b list) : 'c list =
  List.fold_left
    (fun
*)

let loc = Loc.dummy_floc
let debug = Options.debug
(* dead code
let f2s (s,l,b,e) = Printf.sprintf "File %s, line %d, characters %d-%d" s l b e
*)

let prefix = fun s -> "c_"^s
(* let suffix = "_c" *)
(* let var = "x" *)
let tvar = "_why_t"
(* let cpt = ref 0 *)
(* dead code
let injec c = c^"_injective"
*)
(* let axiom c = c ^ "_to_" ^ (c^suffix) *)
(* dead code
let def c = "def_"^Ident.string c
*)

(* The names for the new function symbols *)
let sort =  Ident.create (prefix "sort")

let is_const t = (* match Misc.normalize_pure_type t with *) match t with
  | PTint | PTbool | PTreal | PTunit -> true
  | _ -> false

(*let cname t =  match Misc.normalize_pure_type t with
  | PTint -> "int"
  | PTbool -> "bool"
  | PTreal -> "real"
  | PTunit -> "unit"
      (** TODO : better error handling here *)
  | _ -> failwith "this function should only be called on constant types"
let c2u t = (cname t)^"2u"
let s2c t = "s2"^(cname t)*)

(* This is the list of constant types which is handled as such *)
let htypes = [PTint; PTbool; PTreal]@(if Options.monoinstnounit then [] else [PTunit])

(* The monosorted stratified encoding introduces
   three new external types : a sort for syntactically
   unsorted terms, one for sorted terms and one for
   syntactic types *)
let utname = Ident.create (prefix "unsorted")
let stname = Ident.create (prefix "sorted")
let ttname = Ident.create (prefix "type")
let ut = PTexternal ([], utname)
let st = PTexternal ([], stname)
let tt = PTexternal ([], ttname)

(* one dumb type *)
let dtname = prefix "alpha"
let dtnameid = Ident.create dtname
let dt = PTexternal ([], dtnameid)

(* The prelude is a set of declarations that must be added
   to the context every time the encoding is used :*)
(* dead code
let eq_arity = (Ident.string Ident.t_eq, Env.empty_scheme (Predicate [st; st]))
let neq_arity = (Ident.string Ident.t_neq, Env.empty_scheme (Predicate [st; st]))
*)

let builtin_poly = [Ident.t_eq;Ident.t_neq(*;Ident.if_then_else*)]
let builtin_poly = List.fold_left (fun s x -> Ident.Idset.add x s) Ident.Idset.empty builtin_poly

(* dead code
let builtin = [] (*[Ident.t_sub_int;Ident.t_add_int;Ident.t_mul_int;Ident.t_div_int;
               Ident.t_mod_int;Ident.t_neg_int;Ident.t_abs_int;
               Ident.t_gt_int;Ident.t_ge_int;Ident.t_eq_int;Ident.t_lt_int;Ident.t_le_int;Ident.t_neq_int;
              ]*)
*)

(* dead code
let builtin = List.fold_left (fun s x -> Ident.Idset.add x s) builtin_poly builtin
*)

let create_ident_id = "ident_of_close_type"

let rec ident_of_close_type ?(from=false)t =
  (*let from = false && from in*)
  let rec aux fmt = function
    | PTint -> fprintf fmt "int"
    | PTbool -> fprintf fmt "bool"
    | PTunit -> fprintf fmt "unit"
    | PTreal -> fprintf fmt "real"
    | PTexternal ([],id) -> fprintf fmt "%a" Ident.print id
    | PTvar {tag=_t; type_val=None} -> assert false (* close type *)
    | PTvar {tag=_t; type_val=Some pt} -> aux fmt pt
    | PTexternal (l,id) -> fprintf fmt "%aI%a"
        (Pp.print_list (Pp.constant_string "I") aux) l Ident.print id in
  let b = Buffer.create 10 in
  Format.bprintf b "%a@?" aux t;
  let from = match from,t with
    | true,PTexternal (l,id) -> Some (create_ident_id,id::(List.map (ident_of_close_type ~from:false) l))
    | _ -> None in
  Ident.create ?from (Buffer.contents b)

module E = struct
  open Mapenv
  open Env

  module Idmap = Ident.Idmap
  module Idset = Ident.Idset

  type t = {
    (** assoc the name of a function and one instanciation
       with the name of the function coded *)
    instances : Ident.t Inst_Map.t;
    (** assoc the name of a function to its arities *)
    arities : logic_type scheme Idmap.t;
    (** assoc with each type to be monomorphised
        the name of the monomorphe type*)
    mono : Ident.t PT_Map.t;
    (** assoc with each type at the edge of the monomorph
        world the logic used in the encoding *)
    encode : Ident.t PT_Map.t;
    (** used for a .... *)
    def_logic : (Ident.t * Logic.logic_type Env.scheme) list Idmap.t;
    def_type : (Ident.t * int) list Idmap.t;
  }

  let print fmt env =
    Format.fprintf fmt "instances :%a@."
      (Pp.print_iter2 Inst_Map.iter Pp.semi Pp.comma
         (Pp.print_pair Ident.print
            (Pp.print_list Pp.comma Util.print_pure_type))
         Ident.print)
      env.instances;
    Format.fprintf fmt "arities :%a@."
      (Pp.print_iter2 Idmap.iter Pp.semi Pp.comma
         Ident.print
         (Util.print_scheme Util.print_logic_type))
      env.arities;
    Format.fprintf fmt "mono :%a@."
      (Pp.print_iter2 PT_Map.iter Pp.semi Pp.comma
         Util.print_pure_type
         Ident.print)
      env.mono;
    Format.fprintf fmt "encode :%a@."
      (Pp.print_iter2 PT_Map.iter Pp.semi Pp.comma
         Util.print_pure_type
         Ident.print)
      env.encode;
    Format.fprintf fmt "def_logic :%a@."
      (Pp.print_iter2 Idmap.iter Pp.semi Pp.comma
         Ident.print
         (Pp.print_list Pp.comma
            (Pp.print_pair
               Ident.print
               (Util.print_scheme Util.print_logic_type))))
      env.def_logic;
    Format.fprintf fmt "def_type :%a@."
      (Pp.print_iter2 Idmap.iter Pp.semi Pp.comma
         Ident.print
         (Pp.print_list Pp.comma
            (Pp.print_pair
               Ident.print
               Pp.int)))
      env.def_type


  (** create the environnement from a list of close type
      to monomorphise *)
  let create l =
    let s = add_subtype_list PT_Set.empty l in
    let m = PT_Set.fold
      (fun e m -> PT_Map.add e (ident_of_close_type ~from:true e) m) s PT_Map.empty in
    {instances = Inst_Map.empty;
     mono = m;
     encode = PT_Map.empty;
     arities = Idmap.empty;
     def_logic = Idmap.empty;
     def_type = Idmap.empty}

  type w =
    | Mono of pure_type
    | Enco of term

  let print_w fmt = function
    | Mono ty -> Format.fprintf fmt "Mono %a" Util.print_pure_type ty
    | Enco t -> Format.fprintf fmt "Enco %a" Util.print_term t


  (** The encoded type are represented by tt *)
  let reduce_to_type = function
    | Mono x -> x
    | Enco _t -> dt

 (** The encoded term are represented by u *)
  let reduce_to_type_neg = function
    | Mono x -> x
    | Enco _t -> st

(** The encoded term are represented by s *)
  let reduce_to_type_pos = function
    | Mono x -> x
    | Enco _t -> ut

  (** The instantiated types don't need encoding *)
  let reduce_to_term = function
    | Mono _x -> None
    | Enco t -> Some t

  (** Keep the builtin type for builtin type *)
  let name_of_mono v = function
    | PTint | PTbool | PTreal | PTunit as t -> t
    | _ -> PTexternal ([],v)

  let type_of_mono _v k = k
(* dead code
  let ident_of_mono v _k = v
*)

  let trad_type env fv_t t =
    (*if debug then Format.eprintf "trad_type : %a@." Util.print_pure_type t;*)
    let rec normalize_pure_type = function
        | PTint | PTbool | PTreal | PTunit as t -> t
        | PTvar {type_val=Some t} -> normalize_pure_type t
        | PTvar ({type_val=None} as v) as t ->
              (try
                 match Vmap.find v fv_t with
                   | Mono ty -> ty
                   | Enco _ -> t
               with Not_found -> assert false) (* term not closed *)
        | PTexternal (l,s) -> PTexternal (List.map normalize_pure_type l,s) in
    let rec aux t =
      try
        Mono (name_of_mono (PT_Map.find t env.mono) t)
      with Not_found ->
        match t with
          | PTint | PTbool | PTreal | PTunit ->
              (try
                 Enco (Tapp (PT_Map.find t env.encode,[],[]))
               with Not_found -> assert false
                 (* the builtin type must be in mono or encode *))
          | PTvar {type_val=Some t} -> aux t
          | PTvar ({type_val=None} as v) ->
              (try
                 Vmap.find v fv_t
               with Not_found -> assert false) (* term not closed *)
          | PTexternal ([],s) when s == dtnameid -> Enco (Tvar dtnameid) (*that case appear only when we instantiate a logic or type, dumb value *)
          | PTexternal (l,s) ->
              let l = List.map aux l in
              let l2 = List.map reduce_to_type l in
              try
                let s = PT_Map.find (PTexternal (l2,s)) env.encode in
                let l = List.rev (List.fold_left (fun l e ->
                                                    match e with
                                                      | Mono _ -> l
                                                      | Enco t -> t::l) [] l) in
                Enco (Tapp(s,l,[]))
              with Not_found ->
                if debug then
                  Format.eprintf "Notfound type = %a -> %a@." Util.print_pure_type t Util.print_pure_type (PTexternal (l2,s));
                  assert false
                  (* There is an instanciation for any instanciation *)
    in aux (normalize_pure_type t)

  let trad_to_type env fv_t x = reduce_to_type (trad_type env fv_t x)
  let trad_to_type_pos env fv_t x = reduce_to_type_pos (trad_type env fv_t x)
  let trad_to_type_neg env fv_t x = reduce_to_type_neg (trad_type env fv_t x)
(* dead code
  let trad_to_term env fv_t x = reduce_to_term (trad_type env fv_t x)
*)

  let rec all_possible which env acc l nargs = function
    | 0 ->  (l,nargs)::acc
    | n -> let acc = PT_Map.fold
        (fun k v acc -> all_possible which env acc ((which v k)::l) nargs (n-1)) env.mono acc in
      all_possible which env acc ((which dtnameid dt)::l) (nargs+1) (n-1)

  (** add a polymorphe (or not, but make_world ensures it (not anymore ;))) type to take into account. *)
  let add_type env tid nargs =
    let allp = all_possible (fun v k -> (v,k)) env [] [] 0 nargs in
    let encode,l = List.fold_left
      (fun (encode,ll) (vk,nargs) ->
         let l = PTexternal (List.map snd vk,tid) in
         let encodell =
           if PT_Map.mem l env.mono
           then encode,ll
           else begin
             let l = List.map (fun (v,k) -> name_of_mono v k) vk in
             let l = PTexternal (l,tid) in
             let lid = ident_of_close_type l in
             PT_Map.add l lid encode,(lid,nargs)::ll
           end in encodell)
      (env.encode,[]) allp in
    {env with encode = encode;
       def_type = Idmap.add tid l env.def_type}

  let get_type env t =
    Idmap.find t env.def_type

  let add_logic_aux env tid arities =
    let nargs = Vset.cardinal arities.Env.scheme_vars in
    let allp = all_possible type_of_mono env [] [] 0 nargs in
    let _,instances,l = List.fold_left
      (fun (lidset,instances,l) (inst,_) ->
         let arities = instantiate_logic_type arities inst in
         (*if debug then
           Format.eprintf "add_logic : arities : %a@." Util.print_logic_type arities;*)
         let l_ty,arities =
           match arities with
             | Function(args,ret) ->
                 let args,ret = List.map (trad_to_type_neg env Vmap.empty) args,
                   (trad_to_type_pos env Vmap.empty) ret in
                 ret::args,Function(args,ret)
             | Predicate(arg) ->
                 let arg = List.map (trad_to_type_neg env Vmap.empty) arg in
                 arg,Predicate(arg) in
         (*could we use builtin theory ? *)
         let from = List.for_all (fun e -> e<>st && e<>ut) l_ty in
         let l_ty = PTexternal (l_ty,tid) in
         (* If the identifier is polymorph then we keep its name *)
         let lid = if nargs = 0
         then tid
         else ident_of_close_type ~from l_ty in
         let inst = List.map (trad_to_type env Vmap.empty) inst in
         let instances = Inst_Map.add (tid,inst) lid instances in
         let lidset,l = if Idset.mem lid lidset
         then lidset,l
         else Idset.add lid lidset,(lid,Env.empty_scheme arities)::l in
         lidset,instances,l)
      (Idset.empty,env.instances,[]) allp in
    {env with instances = instances;
       def_logic = Idmap.add tid l env.def_logic;
       arities = Idmap.add tid arities env.arities}

  let add_logic_poly env tid arities =
    let nargs = Vset.cardinal arities.Env.scheme_vars in
    let allp = all_possible type_of_mono env [] [] 0 nargs in
    let instances = List.fold_left
      (fun instances (inst,_) ->
         let instances = Inst_Map.add (tid,inst) tid instances in
         instances) env.instances allp in
    {env with instances = instances;
       def_logic = Idmap.add tid [tid,arities] env.def_logic;
       arities = Idmap.add tid arities env.arities}

  let add_logic env tid arities =
    if Idset.mem tid builtin_poly
    then add_logic_poly env tid arities
    else add_logic_aux env tid arities

  let get_logic env id =
    Idmap.find id env.def_logic

  let give_inst env scheme =
    let nargs = Vset.cardinal scheme.Env.scheme_vars in
    let vargs = Vset.elements scheme.Env.scheme_vars in
    let allp = all_possible type_of_mono env [] [] 0 nargs in
    let allp = List.map
      (fun (inst,_) ->
         let cpt = ref 0 in
         List.fold_left2
           (fun m ty v ->
              let ty =
                if ty == dt
                then (incr cpt;Enco (Tvar (Ident.create (tvar^(string_of_int !cpt)))))
                else Mono ty in
              Vmap.add v ty m)
           Vmap.empty inst vargs) allp in
    allp,scheme.Env.scheme_type

  let instance_of env fv_t id inst =
    if Idset.mem id builtin_poly
    then id
    else
      let inst2 = List.map (trad_type env fv_t) inst in
      let inst3 = List.map reduce_to_type inst2 in
        try
          Inst_Map.find (id,inst3) env.instances
        with Not_found as e ->
          Format.eprintf "Not_found : instance_of : id=%a@.inst=%a@.inst2=%a@.inst3=%a@." Ident.print id Util.print_instance inst (Pp.print_list Pp.semi print_w) inst2 Util.print_instance inst3;
            raise e

  let type_of env id inst =
    try
      let ty = Idmap.find id env.arities in
      let ty = instantiate_logic_type ty inst in
      ty
    with Not_found as e ->
      Format.eprintf "type_of : unknown ident : %a" Ident.print id;
      raise e

  let get_fun env fv_t id inst =
    let id_inst = instance_of env fv_t id inst in
    let ty = type_of env id inst in
    match ty with
      | Function (arg,_ret) -> (id_inst,(List.map (fun x -> reduce_to_term (trad_type env fv_t x)) arg))
      | Predicate _ -> assert false

  let get_pred env fv_t id inst =
    let id_inst = instance_of env fv_t id inst in
    let ty = type_of env id inst in
    match ty with
      | Function _ -> assert false
      | Predicate arg -> (id_inst,(List.map (fun x -> reduce_to_term (trad_type env fv_t x)) arg))

end

let prelude env =
  (* first the three new types *)
  (Dtype (loc, utname, []))::
    (Dtype (loc, stname, []))::
    (Dtype (loc, ttname, []))::
    (Dlogic (loc, sort, Env.empty_scheme (Function ([tt; ut], st))))::
  (Mapenv.PT_Map.fold (fun k v acc ->
                         if is_const k then acc
                         else (Dtype (loc, v, []))::acc) env.E.mono [])
  (* the function symbols representing constant types *)
(*  @
 (List.map (fun t -> (Dlogic (loc, prefix (cname t),
			       Env.empty_scheme (Function ([], tt)))))
     htypes)
  (* the sorting and conversion functions *)
  @
  (List.map (fun t ->
	       (Dlogic (loc, c2u t,
			Env.empty_scheme (Function ([t], ut)))))
     htypes)
  @
  (List.map (fun t ->
	       (Dlogic (loc, s2c t,
			Env.empty_scheme (Function ([st], t)))))
     htypes)*)

(* Functions that replace polymorphic types by S,T,U and constants *)
(*let typify ptl = List.map (fun _ -> tt) ptl

let sortify env t pt =
  match pt with
    | PTint | PTbool | PTreal | PTunit -> pt
    | PTvar _ -> t
    | PTexternal (_,_) -> t

let monoify env = List.map (sortify st)
*)
let sort_of_c = function
  | ConstInt _ -> PTint
  | ConstBool _ -> PTbool
  | ConstUnit -> PTunit
  | ConstFloat _ -> PTreal

(* Function that plunges a term under its type information. *)
(* Uses an assoc. list of tags -> idents for type variables *)
(*let plunge fv term pt =
  let rec leftt pt =
    match pt with
      |	PTint | PTbool | PTreal | PTunit ->
	  Tapp (Ident.create (prefix (cname pt)), [], [])
      | PTvar ({type_val = None} as var) ->
	  let t =
	    try List.assoc var.tag fv
	    with Not_found ->
	      let s = string_of_int var.tag in
		(print_endline ("[plunge] unknown vartype : "^s);
		 Format.eprintf "term = %a@." Util.print_term term;
		 s)
	  in
	    Tvar (Ident.create t)
      | PTvar {type_val = Some pt} -> leftt pt
      | PTexternal (ptl, id) -> Tapp (id, List.map (fun pt -> leftt pt) ptl, [])
  in
    Tapp (Ident.create sort,[leftt pt; term],[])
*)
let plunge_if_needed term = function
  | None -> term
  | Some ty_term -> Tapp (sort,[ty_term; term],[])


(* Function that strips the top most sort application, for terms bound
   in let-ins *)
(*let strip_topmost t =
  match t with
    | Tapp (symb, [encoded_ty; encoded_t], []) when symb = sort ->
	encoded_t
    | _ -> t
*)
(*let get_arity id =
  let arity =
    try List.assoc (Ident.string id) !arities
    with e -> (print_endline ("Encoding_mono.get_arity: unknown arity for "^(Ident.string id))); raise e in
    match arity.Env.scheme_type with
	Function (ptl, rt) -> ptl, rt
      | Predicate ptl -> ptl, PTbool (* ce PTbool est arbitraire et inutilisé *)

(* Ground instanciation of an arity (to be plunged under) *)
let instantiate_arity id inst =
  let arity =
    try List.assoc (Ident.string id) !arities
    with e -> (print_endline ("Encoding_mono.instantiate_arity: unknown arity for "^(Ident.string id))); raise e in
  let (vs, log_type) = Env.specialize_logic_type arity in
    if debug then
      (print_string "\t{";
       Env.Vmap.iter (fun _ v -> Printf.printf "%d" v.tag) vs;
       print_endline "}");
    match log_type with
	Function (ptl, rt) ->
	  if debug then Printf.printf "Instantiate : %d vars - %d types\n"
	    (Env.Vmap.fold (fun _ _ n -> n + 1) vs 0) (List.length inst);
	  ignore
	    (Env.Vmap.fold (fun _ v l ->
			      (match l with [] -> []
				 | a::q -> (v.type_val <- Some a; q)))
	       vs (List.rev inst));
	  rt
      | Predicate ptl ->
	  ignore
	    (Env.Vmap.fold (fun _ v l ->
			      (match l with [] -> []
				 | a::q -> (v.type_val <- Some a; q)))
	       vs (List.rev inst));
	  PTbool
*)
(* Translation of a term *)
(* [fv] is a map for type variables, [lv] for term variables,
   and [rt] is the type of this term in the arity of its
   direct superterm. *)
let rec translate_term env fv_t = function
  | Tvar _ | Tconst _ as t -> t
  | Tapp (id, tl, inst) ->
      let id,arg = E.get_fun env fv_t id inst in
      let tl = List.map (translate_term env fv_t) tl in
      let tl = List.map2 plunge_if_needed tl arg in
      Tapp (id, tl, [])
  | Tderef id as t -> print_endline ("id in Tderef : "^(Ident.string id)); t
  | Tnamed(_,t) -> translate_term env fv_t t

(* Generalizing a predicate scheme with foralls (can add a trigger) *)
(* This function is used to explicitely quantify over syntactic type
   variables that were implicitely quantified at first. *)
let lifted l p t =
  let l = Env.Vmap.fold (fun _ e l ->
                           match e with
                             | E.Enco (Tvar e) -> e::l
                             | E.Enco _ -> assert false
                             | E.Mono _ -> l) l [] in
  let rec aux l =
    match l with [] -> p
      | s::[] ->
	  Forall(false, s, s, tt, t, p)
      | s::q ->
	  Forall(false, s, s, tt, [], aux q) in
  aux l

(* dead code
let rec lifted_t l p tr =
  match l with [] -> p
    | (a,t)::[] -> (Forall(false, a, a, t, tr, p))
    | (a,t)::q ->  (Forall(false, a, a, t, [], lifted_t q p tr))
*)
(*
let rec lifted_ctxt l cel =
  (List.map (fun (_,s) -> Svar(Ident.create s, tt)) l)@cel
*)
(* Translation of a predicate *)
let rec translate_pred env fv_t = function
(*   | Papp (id, [a; b], [t]) when Ident.is_eq id && is_const t -> *)
(*       Papp (id, [translate_term fv lv t a; translate_term fv lv t b], []) *)
  | Papp (id, tl, inst) ->
      let id,arg = E.get_pred env fv_t id inst in
      let tl = List.map (translate_term env fv_t) tl in
      let tl = List.map2 plunge_if_needed tl arg in
      Papp (id, tl, [])
  | Plet (id, n, pt, t, p) ->
      let t = translate_term env fv_t t in
      let pt = E.trad_to_type_pos env fv_t pt in
      let p = translate_pred env fv_t p in
	Plet (id, n, pt, t, p)
  | Pimplies (iswp, p1, p2) ->
      Pimplies (iswp, translate_pred env fv_t p1, translate_pred env fv_t p2)
  | Pif (t, p1, p2) ->
   (** Il faut que Bool soit dans l'ensemble S,
       sinon il faut redéfinir Pif dans une axiomatique *)
      Pif (translate_term env fv_t t,
           translate_pred env fv_t p1, translate_pred env fv_t p2)
  | Pand (iswp, issym, p1, p2) ->
      Pand (iswp, issym, translate_pred env fv_t p1, translate_pred env fv_t p2)
  | Por (p1, p2) ->
      Por (translate_pred env fv_t p1, translate_pred env fv_t p2)
  | Piff (p1, p2) ->
      Piff (translate_pred env fv_t p1, translate_pred env fv_t p2)
  | Pnot p ->
      Pnot (translate_pred env fv_t p)
  | Forall (iswp, id, n, pt, _tl, p) ->
      let pt = E.trad_to_type_pos env fv_t pt in
      let tl = (*translate_triggers env fv_t p tl*) [] in
      Forall (iswp, id, n, pt, tl, translate_pred env fv_t p)
  | Forallb (iswp, p1, p2) ->
      Forallb (iswp, translate_pred env fv_t p1, translate_pred env fv_t p2)
  | Exists (id, n, pt, p) ->
      let pt = E.trad_to_type_pos env fv_t pt in
      Exists (id, n, pt, translate_pred env fv_t p)
  | Pnamed (s, p) ->
      Pnamed (s, translate_pred env fv_t p)
  | _ as d -> d
(*
and translate_pattern env fv lv p = function
  | TPat t ->
      let rec lookfor_term fv lv acc rt = function
        | t2 when Misc.eq_term t t2 ->
            (translate_term fv lv rt t2)::acc
        | Tvar _ | Tconst _ | Tderef _ -> acc
        | Tapp (id, tl, inst) ->
            let ptl, pt = get_arity id in
            List.fold_left2 (lookfor_term fv lv) acc ptl tl
        | Tnamed(_,t2) -> lookfor_term fv lv acc rt t2 in
      let rec lookfor_term_in_predicate fv lv acc = function
        | Pif (t, p1, p2) ->
            let acc = lookfor_term fv lv acc PTbool t in
            let acc =  lookfor_term_in_predicate fv lv acc p1 in
            let acc =  lookfor_term_in_predicate fv lv acc p2 in
            acc
        | Papp (id, tl, inst) ->
            let arity,_ = get_arity id in
	    List.fold_left2 (lookfor_term fv lv) acc arity tl
        | Plet (_, n, pt, t, p) ->
            let acc = lookfor_term fv lv acc pt t in
	    lookfor_term_in_predicate fv ((n,pt)::lv) acc p
        | Forall (_, _, n, pt, _, p) | Exists (_, n, pt, p) ->
            lookfor_term_in_predicate fv ((n,pt)::lv) acc p
        | Pimplies (_, p1, p2) | Pand (_ , _, p1, p2) | Por (p1, p2)
        | Piff (p1, p2) | Forallb (_, p1, p2) ->
            lookfor_term_in_predicate fv lv (lookfor_term_in_predicate fv lv acc p2) p1
        | Pnot p | Pnamed (_, p) -> lookfor_term_in_predicate fv lv acc p
        | Pvar _|Pfalse|Ptrue -> acc in
      let r = (lookfor_term_in_predicate fv lv [] p) in
      Format.printf "%a : %a@." Util.print_term t (Pp.print_list Pp.comma Util.print_term) r;
      List.map (fun x -> TPat x) r
(*
  let rec translate_term_for_pattern fv lv = function
      (* mauvaise traduction des triggers mais ...
         Le type n'étant pas forcement le même
         les plunges internes peuvent ne pas être les
         même que dans le body de la quantification *)
      | Tvar _ as t -> t
      | Tapp (id, tl, inst) ->
      let ptl, pt = get_arity id in
      let trans_term = Tapp (id, List.map2 (translate_term fv lv) ptl tl, []) in
      let _ = instantiate_arity id inst in
      trans_term
      | Tconst (_) as t -> t
      | Tderef _ as t -> t
      | Tnamed(_,t) -> translate_term_for_pattern fv lv t in
      TPat (translate_term_for_pattern fv lv t)
*)
  | PPat p -> [PPat (translate_pred fv lv p)]

and translate_triggers fv lv p tl =
  List.fold_left (fun acc e -> List.rev_append (map_product (translate_pattern fv lv p) e) acc) [] tl
*)

(* The core *)
let queue = Queue.create ()

let make_list x =
  let rec aux acc = function
    | 0 -> acc
    | n -> aux (x::acc) (n-1) in
  aux []

let rec translate_assertion env iter_fun d =
  let ta env d = translate_assertion env iter_fun d in
  try (match d with
         | Dalgtype _ -> assert false
(* A type declaration is translated as new logical function, the arity of *)
(* which depends on the number of type variables in the declaration *)
  | Dtype (loc, ident, _vars) ->
      let terms = E.get_type env ident in
      List.iter
        (fun (ident,nargs) ->
           let ty = Env.empty_scheme (Function (make_list tt nargs, tt))  in
             iter_fun (Dlogic (loc, ident, ty))) terms;
      env
(* In the case of a logic definition, we redefine the logic symbol  *)
(* with types u and s, and its complete arity is stored for the encoding *)
  | Dlogic (loc, ident, _arity) ->
(*
      Format.eprintf "Encoding_mono: adding %s in arities@." ident;
*)
      let logics = E.get_logic env ident in
      List.iter
        (fun (ident,ty) ->
           iter_fun (Dlogic (loc,ident, ty))) logics;
      env
(* A predicate definition can be handled as a predicate logic definition + an axiom *)
  | Dpredicate_def (loc,id,d) ->
      List.fold_left ta env (PredDefExpansor.predicate_def loc id d)
(*      let (argl, pred) = pred_def_sch.Env.scheme_type in
      (* Et l'ordre pour l'instantiation? *)
      let typevar = List.map (fun x ->  PTvar x) (Env.Vset.elements pred_def_sch.Env.scheme_vars) in
      let rootexp = (Papp (ident, List.map (fun (i,_) -> Tvar i) argl, typevar)) in
      let env = ta env (Dlogic (loc, ident, (Env.generalize_logic_type (Predicate (snd (List.split argl)))))) in
      let env = ta env (Daxiom (loc, def ident, (Env.generalize_predicate
				      (lifted_t argl (Piff (rootexp, pred)) [[PPat rootexp]])))) in
      env*)
(* A function definition can be handled as a function logic definition + an axiom *)
  | Dinductive_def(_,id,d) ->
      List.fold_left ta env (PredDefExpansor.inductive_def loc id d)
  | Dfunction_def (loc, id, d) ->
(*       let _ = print_endline ident in *)
(*      let (argl, rt, term) = fun_def_sch.Env.scheme_type in
      let rootexp = (Tapp (ident, List.map (fun (i,_) -> Tvar i) argl, [])) in
      let env = ta env (Dlogic (loc, ident, (Env.generalize_logic_type (Function (snd (List.split argl), rt))))) in
      let env = ta env (Daxiom (loc, def ident,
		    (Env.generalize_predicate
		       (lifted_t argl (Papp (Ident.t_eq, [rootexp; term], [])) [[TPat rootexp]])))) in
      env*)
      List.fold_left ta env (PredDefExpansor.function_def loc id d)
(* Axiom definitions *)
  | Daxiom (loc, ident, pred_sch) ->
      let insts,p_inst = E.give_inst env pred_sch in
      if debug then
        Format.eprintf "axiom : insts : %a@."
          (Pp.print_list Pp.comma
             (Pp.print_iter2 Env.Vmap.iter Pp.semi Pp.comma
                Util.print_type_var
                E.print_w)) insts;
      List.iter (fun fv_t ->
                   let pred = translate_pred env fv_t p_inst in
                   let new_axiom = Env.empty_scheme (lifted fv_t pred []) in
                   iter_fun (Daxiom (loc, ident, new_axiom))) insts;
      env
(* A goal is a sequent : a context and a predicate and both have to be translated *)
  | Dgoal (loc, is_lemma, expl, ident, s_sch) ->
      begin try
	let new_cel =
	  List.map
	    (fun s ->
	       match s with
		   Spred (id, p) ->
		    Spred (id, translate_pred env Env.Vmap.empty p)
		 | Svar (id, t) ->
                     let t = E.trad_to_type_pos env Env.Vmap.empty t in
                     Svar (id, t))
	    (fst (s_sch.Env.scheme_type)) in
	let new_sequent =
	  Env.empty_scheme
	    (new_cel,
	     translate_pred env Env.Vmap.empty (snd (s_sch.Env.scheme_type))) in
	iter_fun (Dgoal (loc, is_lemma, expl, ident, new_sequent))
      with Not_found ->
	Format.eprintf "Exception caught in : %a\n" Util.print_decl d;
	iter_fun (Dgoal (loc, is_lemma, expl, ident, Env.empty_scheme([],Pfalse)));
      end;env)
  with Not_found ->
    Format.eprintf "Exception caught in : %a\n" Util.print_decl d;
    raise Not_found

(** We take the type monomorph
    and the type used in monomorph axioms :
    we want the traduction to be the identity
    on the monomorph fragment*)
module PT_Set = Mapenv.PT_Set

let _PT_Set_add = Mapenv._PT_Set_add_normalize

let rec make_logic_type world id tl inst =
  try
    let (v,logic) = Env.find_global_logic id in
    Env.instantiate_specialized v inst;
    let world = match logic with
      | Function (arg,rt) ->  List.fold_left (fun s x -> _PT_Set_add x s)  world (rt::arg)
      | Predicate arg -> List.fold_left (fun s x -> _PT_Set_add x s) world arg in
    List.fold_left make_world_term world tl
  with Not_found as e -> Format.eprintf "Notfound : make_logic_type : %a@." Ident.print id; raise e

and make_world_term world = function
  | Tvar _ | Tderef _  -> world
  | Tconst c -> _PT_Set_add (sort_of_c c) world
  | Tapp (id,tl,inst) ->  make_logic_type world id tl inst
  | Tnamed (_,t) -> make_world_term world t

let rec make_world_predicate world = function
  | Pvar _ | Ptrue | Pfalse -> world
  | Pnot p | Pnamed (_,p) -> make_world_predicate world p
  | Pimplies(_,p1,p2) | Pand(_,_,p1,p2) | Por(p1,p2) | Piff(p1,p2)
  | Forallb(_,p1,p2) -> make_world_predicate (make_world_predicate world p1) p2

  | Pif(t,p1,p2) ->
      let world = make_world_term world t in
      let world = make_world_predicate (make_world_predicate world p1) p2 in
      world
  | Plet (_,_,ty,t,p) ->
      let world = make_world_term world t in
      let world = make_world_predicate world p in
      _PT_Set_add ty world
  | Forall(_,_,_,ty,_,p) | Exists(_,_,ty,p) ->
      let world = make_world_predicate world p in
      _PT_Set_add ty world
  | Papp(id,tl,inst) -> make_logic_type world id tl inst


let make_world_context_element world = function
  | Svar (_,ty) -> _PT_Set_add ty world
  | Spred (_,p) -> make_world_predicate world p

let make_world_sorted ~monotype ~monosig ~monodef world  = function
  | Dalgtype _ -> assert false
  | Dtype(_,s,[]) -> if monotype
    then _PT_Set_add (PTexternal([],s)) world
    else world
  | Dlogic(_,_,sch) when Env.Vset.is_empty sch.Env.scheme_vars ->
      if monosig then
      (match sch.Env.scheme_type with
         | Function (arg,rt) ->  List.fold_left (fun s x -> _PT_Set_add x s)  world (rt::arg)
         | Predicate arg ->  List.fold_left (fun s x -> _PT_Set_add x s)  world arg)
      else world
  | Dpredicate_def(_,_,sch) when Env.Vset.is_empty sch.Env.scheme_vars ->
        let world =
          if monosig then
            List.fold_left (fun world (_,ty) -> _PT_Set_add ty world) world
              (fst sch.Env.scheme_type)
          else world in
        if monodef then
        make_world_predicate world (snd sch.Env.scheme_type)
        else world

  | Dinductive_def(_,_,sch) when Env.Vset.is_empty sch.Env.scheme_vars ->
      let world = if monosig then List.fold_left (fun s x -> _PT_Set_add x s)  world (fst sch.Env.scheme_type) else world in
      if monodef then
        List.fold_left (fun world (_,p) -> make_world_predicate world p) world
          (snd sch.Env.scheme_type)
      else world
  | Dfunction_def(_,_,{Env.scheme_vars =v;scheme_type=(tyl,tyr,t)})
      when Env.Vset.is_empty v ->
      let world = if monosig then List.fold_left (fun world (_,ty) -> _PT_Set_add ty world) world tyl else world in
      let world = if monosig then _PT_Set_add tyr world else world in
      if monodef then
        make_world_term world t
      else world
  | Daxiom(_,_,sch) when Env.Vset.is_empty sch.Env.scheme_vars ->
      make_world_predicate world sch.Env.scheme_type
  | Dgoal (_,_,_,_,{Env.scheme_vars =v;scheme_type=(con,p)})
      when Env.Vset.is_empty v ->
      let world = make_world_predicate world p in
      List.fold_left make_world_context_element world con
  | Dgoal _ -> assert false (* Dgoal must have been monomorphised *)
  | _ -> world (* Polymorph case *)

let make_world_just_goal world  = function
  | Dgoal (_,_,_,_,{Env.scheme_vars =v;scheme_type=(con,p)})
      when Env.Vset.is_empty v ->
      let world = make_world_predicate world p in
      List.fold_left make_world_context_element world con
  | Dgoal _ -> assert false (* Dgoal must have been monomorphised *)
  | _ -> world

let make_world_none world _ = world

let make_world = match Options.monoinstworldgen with
  | Options.MonoinstBuiltin -> make_world_none
  | Options.MonoinstSorted -> make_world_sorted ~monotype:true ~monodef:true ~monosig:true
  | Options.MonoinstGoal -> make_world_just_goal
  | Options.MonoinstPremises -> make_world_sorted ~monotype:false  ~monodef:true ~monosig:false

let monomorph_goal acc = function
  | Dgoal (loc,is_lemma,vc,id,sch) ->
      let cpt = ref 0 in
      let fv = Env.Vset.fold
	(fun _ acc ->
	   cpt := !cpt + 1;
	   (Ident.create (tvar^(string_of_int !cpt)))::acc)
	(sch.Env.scheme_vars) [] in
      let inst = List.map (fun x ->
                             Env.add_type Loc.dummy_position [] x;
                             PTexternal ([],x)) fv in
      let p = Env.instantiate_sequent sch inst in
      let acc = List.fold_left (fun acc x -> Dtype (loc,x,[])::acc) acc fv in
      Dgoal (loc,is_lemma,vc,id,Env.empty_scheme p)::acc
  | x -> x::acc

let push_decl a = Queue.add a queue

let output_world world env =
  let print_world fmt = PT_Set.iter (fprintf fmt "%a;@." Util.print_pure_type) in
  let print_map fmt = Mapenv.PT_Map.iter (fun k v -> fprintf fmt "%a \"%a\";@." Util.print_pure_type k Ident.print v) in
  Format.printf "{%t}{%a}{%a}{%a}@."
    (fun fmt -> Env.iter_type (fun id sch -> fprintf fmt "%a %i;@." Ident.print id sch))
    print_world world
    print_map env.E.mono
    print_map env.E.encode;
  exit 0

let memory_arg_kv = lazy (Env.is_logic_function (Ident.create "select"))
let pointer = Ident.create "pointer"

let filter_world world =
  let world = if Options.monoinstonlymem
  then let world = PT_Set.filter (function PTexternal (_,mem)
				      when Ident.string mem = "memory" -> true
				    | _ -> false) world in
  PT_Set.fold (fun pt acc ->
		 match (Lazy.force memory_arg_kv),pt with
		   | (true,PTexternal ([key;_],mem)) |
			 (false,PTexternal ([_;key],mem))
			   when Ident.string mem = "memory"  ->
		       PT_Set.add (PTexternal ([key],pointer)) acc
		   | _ -> acc) world world
  else world in
  let world = if Options.monoinstonlyconst
  then PT_Set.filter (function PTexternal ([],_) -> true
			| _ -> false) world
  else world in
  world


let iter f =
  (* monomorph the goal *)
  let decls = Queue.fold monomorph_goal [] queue in
  let decls = List.rev decls in
  if debug then Format.eprintf "Goal monomorphised@.";
  (* Find the type to monomorph *)
  let world = List.fold_left make_world PT_Set.empty decls in
  (* Filter if asked *)
  let world = filter_world world in
  let world = List.fold_left (fun s x -> _PT_Set_add x s) world htypes in
  if debug then
    Format.eprintf "world :%a@." (Pp.print_list Pp.comma Util.print_pure_type) (PT_Set.elements world);
  let env = E.create (PT_Set.elements world) in
  (* On ajoute toute les logics et type. Mais pas les types builtin *)
  let env = Env.fold_type (fun id sch env -> E.add_type env id sch) env in
  (* On ajoute unit in encode if asked *)
  let env = if Options.monoinstnounit
  then {env with E.encode = Mapenv.PT_Map.add PTunit (Ident.create "unit") env.E.encode}
  else env in
  if Options.monoinstoutput_world then output_world world env;
  let env = Env.fold_global_logic (fun id sch env ->
                                     try
                                       E.add_logic env id sch
                                     with e ->
                                  if debug then
                                    Format.eprintf "error in logic : %a,%a@." Ident.print id
                                      Util.print_logic_type sch.Env.scheme_type;
                                       raise e) env in
  if debug then Format.eprintf "env : %a" E.print env;
  (* first the prelude *)
  List.iter f (prelude env);
  (* then the queue *)
  ignore (List.fold_left (fun env x -> (translate_assertion env f x)) env decls);
  ()

let reset () = Queue.clear queue
why-2.39/src/simplify.ml0000644000106100004300000003557213147234006014222 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(*s Simplify's output *)

open Ident
open Options
open Misc
open Logic
open Logic_decl
open Cc
open Format
open Pp

type elem =
  | Oblig of Loc.floc * bool * Logic_decl.vc_expl * string * sequent Env.scheme
  | Axiom of string * predicate Env.scheme
  | Predicate of string * predicate_def Env.scheme
(*
  | FunctionDef of string * function_def Env.scheme
*)

let queue = Queue.create ()

let reset () =
  Queue.clear queue;
  Encoding.reset ()

let rec decl_to_elem = function
  | Dgoal (loc, is_lemma, expl, id, s) ->
      Queue.add (Oblig (loc, is_lemma, expl,id, s)) queue
  | Daxiom (_, id, p) ->
      Queue.add (Axiom (id, p)) queue
  | Dpredicate_def (_, id, p) ->
      Queue.add (Predicate (Ident.string id, p)) queue
  | Dfunction_def (_, _id, _p) ->
      assert false
(*
      Queue.add (FunctionDef (Ident.string id, p)) queue
*)
  | Dinductive_def (loc, id, d) ->
      List.iter decl_to_elem (PredDefExpansor.inductive_def loc id d)
  | Dlogic _ -> ()
  | Dtype _ -> ()
  | Dalgtype _ ->  assert false


let push_decl d = Encoding.push ~encode_preds:false d

let defpred = Hashtbl.create 97

(*s Pretty print *)

let prefix_table = ref Idmap.empty

let () =
  List.iter (fun (id,s) -> prefix_table := Idmap.add id s !prefix_table)
    [
      (* booleans ops *)
      t_bool_and, "bool_and";
      t_bool_or, "bool_or";
      t_bool_xor, "bool_xor";
      t_bool_not, "bool_not";
      (* poly comps *)
      t_lt, "<";
      t_le, "<=";
      t_gt, ">";
      t_ge, ">=";
      (* int cmp *)
      t_lt_int, "<";
      t_le_int, "<=";
      t_gt_int, ">";
      t_ge_int, ">=";
      (* int ops *)
      t_add_int, "+";
      t_sub_int, "-";
      t_mul_int, "*";
(*
      t_div_int, "int_div";
      t_mod_int, "int_mod";
*)
      (* real ops *)
      t_add_real, "real_add";
      t_sub_real, "real_sub";
      t_mul_real, "real_mul";
      t_div_real, "real_div";
      t_neg_real, "real_neg";
      t_sqrt_real, "real_sqrt";
      t_real_of_int, "real_of_int";
      t_int_of_real, "int_of_real";
      t_lt_real, "real_lt";
      t_le_real, "real_le";
      t_gt_real, "real_gt";
      t_ge_real, "real_ge";
      t_abs_real, "real_abs";
      t_real_max, "real_max";
      t_real_min, "real_min";
      t_sqrt_real, "real_sqrt";
    ]

let is_prefix id = Idmap.mem id !prefix_table

let prefix id =
  try
    Idmap.find id !prefix_table
  with Not_found -> assert false


let is_simplify_ident s =
  let is_simplify_char = function
    | 'a'..'z' | 'A'..'Z' | '0'..'9' | '_' -> true
    | _ -> false
  in
  try
    if String.length s >= 1 && s.[0] = '_' then raise Exit;
    String.iter (fun c -> if not (is_simplify_char c) then raise Exit) s; true
  with Exit ->
    false

let idents fmt s =
  if s = "store" then fprintf fmt "|why__store|" else
  if is_simplify_ident s then fprintf fmt "%s" s else fprintf fmt "|%s|" s

let ident fmt id = idents fmt (Ident.string id)

(* dead code
let sortp fmt id = idents fmt ("IS" ^ Ident.string id)
*)

let simplify_max_int = Int64.of_string "2147483646"

let pp_exp fmt e =
  if e="" then () else
    if e.[0] = '-' then
      fprintf fmt "minus%s" (String.sub e 1 (String.length e - 1))
    else
      fprintf fmt "%s" e

let print_real fmt = function
  | RConstDecimal (i, f, e) ->
      fprintf fmt "%s_%se%a" i f (Pp.print_option pp_exp) e
  | RConstHexa (i, f, e) ->
      fprintf fmt "0x%s_%sp%a" i f pp_exp e

let rec print_term fmt = function
  | Tvar id ->
      fprintf fmt "%a" ident id
  | Tconst (ConstInt n) ->
      begin try
	let n64 = Int64.of_string n in
	if n64 < 0L || n64 > simplify_max_int then raise Exit;
	fprintf fmt "%s" n
      with _ -> (* the constant is too large for Simplify *)
	fprintf fmt "constant_too_large_%s" n
      end
  | Tconst (ConstBool b) ->
      fprintf fmt "|@@%b|" b
  | Tconst ConstUnit ->
      fprintf fmt "tt" (* TODO: CORRECT? *)
  | Tconst (ConstFloat c) ->
      fprintf fmt "real_constant_%a" print_real c
(*
      Print_real.print_with_integers
	"(real_of_int %s)"
	"(real_of_int ( * %s %s))"
	"(div_real (real_of_int %s) (real_of_int %s))"
	fmt c
*)
  | Tderef _ ->
      assert false
(**
  | Tapp (id, [a; b], _) when id == access ->
      fprintf fmt "@[(select@ %a@ %a)@]" print_term a print_term b
  | Tapp (id, [a; b; c], _) when id == store ->
      fprintf fmt "@[(store@ %a@ %a@ %a)@]"
	print_term a print_term b print_term c
**)
  | Tapp (id, [t], _) when id == t_neg_int ->
      fprintf fmt "@[(- 0 %a)@]" print_term t
  | Tapp (id, tl, _) when is_prefix id ->
      fprintf fmt "@[(%s %a)@]" (prefix id) print_terms tl
  | Tapp (id, [], _) ->
      ident fmt id
  | Tapp (id, tl, _) ->
      fprintf fmt "@[(%a@ %a)@]"
	ident id (print_list space print_term) tl
  | Tnamed (_n, t) ->
      (*fprintf fmt "@[;;%s@\n%a@]" n pp p*)
      print_term fmt t

and print_terms fmt tl =
  print_list space print_term fmt tl

let rec print_pattern fmt = function
  | TPat t -> print_term fmt t
  | PPat (Papp (id, tl, inst)) -> print_term fmt (Tapp (id, tl, inst))
  | PPat _ -> Report.raise_unlocated Error.IllformedPattern
and print_patterns fmt pl =
  print_list space print_pattern fmt pl

let trigger fmt = function
  | [] -> ()
  | [TPat (Tvar _ as t)] -> fprintf fmt "(MPAT %a)" print_term t
  | [t] -> print_pattern fmt t
  | tl -> fprintf fmt "(MPAT %a)" print_patterns tl

let triggers fmt = function
  | [] -> ()
  | tl -> fprintf fmt "@ (PATS %a)" (print_list space trigger) tl

(* dead code
let external_type = function
  | PTexternal _ -> true
  | _ -> false

let has_type ty fmt id = match ty with
  | PTexternal([PTexternal (_,ty)], id) when id == farray ->
      fprintf fmt "(FORALL (k) (EQ (%a (select %a k)) |@@true|))"
	sortp ty ident id
  | PTexternal(_, ty) ->
      fprintf fmt "(EQ (%a %a) |@@true|)" sortp ty ident id
  | _ ->
      assert false
*)

let rec print_predicate pos fmt p =
  let pp = print_predicate pos in
  match p with
  | Ptrue ->
      fprintf fmt "TRUE"
  | Pvar id when id == Ident.default_post ->
      fprintf fmt "TRUE"
  | Pfalse ->
      fprintf fmt "FALSE"
  | Pvar id ->
      fprintf fmt "%a" ident id
  | Papp (id, [], _) ->
      ident fmt id
  | Papp (id, tl, _) when id == t_distinct ->
      fprintf fmt "@[(DISTINCT@ %a)@]" print_terms tl
  | Papp (id, [_t], _) when id == well_founded ->
      fprintf fmt "FALSE ; was well_founded(...)@\n"
  | Papp (id, [a; b], _) when is_eq id ->
      fprintf fmt "@[(EQ %a@ %a)@]" print_term a print_term b
  | Papp (id, [a; b], _) when is_neq id ->
      fprintf fmt "@[(NEQ %a@ %a)@]" print_term a print_term b
  | Papp (id, tl, _) when is_int_comparison id ->
      fprintf fmt "@[(%s %a)@]" (prefix id) print_terms tl
  | Papp (id, [a;b], _) when id == t_zwf_zero ->
      (match get_types_encoding () with
	Stratified ->
	  fprintf fmt "@[(AND (EQ (le_int_c (c_sort c_int 0) %a) |@@true|)@ (EQ (lt_int_c %a %a) |@@true|))@]"
	    print_term b print_term a print_term b
      | _ ->
	  fprintf fmt "@[(AND (<= 0 %a)@ (< %a %a))@]"
	    print_term b print_term a print_term b)
  | Papp (id, tl, _) when Hashtbl.mem defpred id ->
      fprintf fmt "@[(%a@ %a)@]" ident id print_terms tl
  | Papp (id, tl, _) ->
      fprintf fmt "@[(EQ (%a@ %a) |@@true|)@]" ident id print_terms tl
  | Pimplies (_, a, b) ->
      fprintf fmt "@[(IMPLIES@ %a@ %a)@]"
	(print_predicate (not pos)) a pp b
  | Piff (a, b) ->
      fprintf fmt "@[(IFF@ %a@ %a)@]" pp a pp b
  | Pif (a, b, c) ->
      fprintf fmt
     "@[(AND@ (IMPLIES (EQ %a |@@true|) %a)@ (IMPLIES (NEQ %a |@@true|) %a))@]"
      print_term a pp b print_term a pp c
  | Pand (_, _, a, b) | Forallb (_, a, b) ->
      fprintf fmt "@[(AND@ %a@ %a)@]" pp a pp b
  | Por (a, b) ->
      fprintf fmt "@[(OR@ %a@ %a)@]" pp a pp b
  | Pnot a ->
      fprintf fmt "@[(NOT@ %a)@]" pp a
  | Forall (_,id,n,_,tl,p)
      when simplify_triggers ||
	get_types_encoding () = Stratified ||
	get_types_encoding () = SortedStratified ->
      let id' = next_away id (predicate_vars p) in
      let s = subst_onev n id' in
      let p' = subst_in_predicate s p in
      let tl' = List.map (List.map (subst_in_pattern s)) tl in
      fprintf fmt "@[(FORALL (%a)%a@ %a)@]" ident id' triggers tl' pp p'
(*  | Forall (_,id,n,_,_,p) ->
      let id' = next_away id (predicate_vars p) in
      let p' = subst_in_predicate (subst_onev n id') p in
      fprintf fmt "@[(FORALL (%a)@ %a)@]" ident id' pp p'
*)
  | Forall _ as p ->
      let bv,p = Util.decomp_forall p in
      let var fmt (x,_) = ident fmt x in
      fprintf fmt "@[(FORALL (%a)@ %a)@]" (print_list space var) bv pp p
  | Exists (id,n,_t,p) ->
      let id' = next_away id (predicate_vars p) in
      let p' = subst_in_predicate (subst_onev n id') p in
      fprintf fmt "@[(EXISTS (%a)@ %a)@]" ident id' pp p'
  | Pnamed (_n, p) ->
      (*fprintf fmt "@[;;%s@\n%a@]" n pp p*)
      pp fmt p
  | Plet (_, n, _, t, p) ->
      pp fmt (subst_term_in_predicate n t p)
  (** BUG Simplify
  | Pnamed (n, p) when pos ->
      fprintf fmt "@[(LBLPOS@ |%s|@ %a)@]" n pp p
  | Pnamed (n, p) ->
      fprintf fmt "@[(LBLNEG@ |%s|@ %a)@]" n pp p
  **)

(* dead code
let cc_external_type = function
  | Cc.TTpure ty -> external_type ty
  | Cc.TTarray (Cc.TTpure (PTexternal _)) -> true
  | _ -> false

let cc_has_type ty fmt id = match ty with
  (*JFC :  where is it called ?*)
  | Cc.TTpure ty when external_type ty ->
      has_type ty fmt id
  | Cc.TTarray (Cc.TTpure (PTexternal(_,ty))) ->
      fprintf fmt "(FORALL (k) (EQ (%a (select %a k)) |@@true|))"
	sortp ty ident id
  | _ ->
      assert false
*)

let print_sequent fmt (hyps,concl) =
  let rec print_seq fmt = function
    | [] ->
	print_predicate false fmt concl
    | Svar (id, _v) :: hyps ->
	fprintf fmt "@[(FORALL (%a)@ %a)@]" ident id print_seq hyps
    | Spred (_,p) :: hyps ->
	fprintf fmt "@[(IMPLIES %a@ %a)@]"
	  (print_predicate true) p print_seq hyps
  in
  print_seq fmt hyps

let print_obligation fmt loc is_lemma _expl o s =
  fprintf fmt "@[;; %s, %a@]@\n" o Loc.gen_report_line loc;
  fprintf fmt "@[%a@]@\n@\n" print_sequent s.Env.scheme_type;
  if is_lemma then begin
    fprintf fmt "@[(BG_PUSH@\n ;; lemma %s as axiom@\n" o;
    fprintf fmt "@[%a@])@]@\n@\n" print_sequent s.Env.scheme_type;
  end

let push_foralls p =
  let change = ref false in
  let split vars p =
    let vars_p = predicate_vars p in
    List.fold_left
      (fun (in_p, out_p) ((_,_,b,_,_) as v) ->
	 if Idset.mem b vars_p then v :: in_p, out_p else in_p, v :: out_p)
      ([],[]) vars
  in
  let quantify =
    List.fold_right (fun (w,id,b,v,tl) p -> Forall (w,id,b,v,tl,p))
  in
  let rec push vars = function
    | Forall (w, id, b, v, tl, p) ->
	push ((w,id,b,v,tl) :: vars) p
    | Pimplies (w, p1, p2) ->
	let in_p1, out_p1 = split vars p1 in
	if out_p1 <> [] then change := true;
	quantify in_p1 (Pimplies (w, p1, push out_p1 p2))
    | p ->
	quantify vars p
  in
  push [] p, !change


 let print_axiom fmt id p =
  fprintf fmt "@[(BG_PUSH@\n ;; Why axiom %s@\n" id;
  let p = p.Env.scheme_type in
  fprintf fmt " @[%a@]" (print_predicate true) p;
  let p,c = push_foralls p in
  if c then fprintf fmt "@\n@\n @[%a@]" (print_predicate true) p;
  fprintf fmt ")@]@\n@\n"

let print_predicate fmt id p =
  let (bl,p) = p.Env.scheme_type in
  fprintf fmt "@[(DEFPRED @[(%a %a)@]@ @[%a@])@]@\n@\n" idents id
    (print_list space (fun fmt (x,_) -> ident fmt x)) bl
    (print_predicate false) p;
  Hashtbl.add defpred (Ident.create id) ()

(* dead code
let idents_plus_prefix fmt s  =
  match Ident.create s with
    id when id == t_neg_int -> (* hack *)
      fprintf fmt "@[- 0@]"
  | id when is_arith id || is_relation id ->
      fprintf fmt "%s" (prefix id)
  | _ when is_simplify_ident s ->
      fprintf fmt "%s" s
  | _ ->
      fprintf fmt "|%s|" s
*)

(* TODO: should be handled in Encoding *)
(* dead code
let print_function fmt id p =
  let (bl,_pt,e) = p.Env.scheme_type in
  match bl with
    [] ->
      fprintf fmt "@[(BG_PUSH@\n ;; Why function %s@\n" id;
      fprintf fmt "  @[(EQ %a %a)@])@]@\n@\n" idents id	print_term e
  |_ ->
      fprintf fmt "@[(BG_PUSH@\n ;; Why function %s@\n" id;
      fprintf fmt "  @[(FORALL (%a) (EQ (%a %a) %a))@])@]@\n@\n"
	(print_list space (fun fmt (x,_) -> ident fmt x)) bl
	idents_plus_prefix id
	(print_list space (fun fmt (x,_) -> ident fmt x)) bl
	print_term e
*)

let print_elem fmt = function
  | Oblig (loc, is_lemma, expl, id, s) ->
      print_obligation fmt loc is_lemma expl id s
  | Axiom (id, p) -> print_axiom fmt id p
  | Predicate (id, p) -> print_predicate fmt id p
(*
  | FunctionDef (id, f) -> print_function fmt id f
*)

let print_file fmt =
  Encoding.iter decl_to_elem;
  fprintf fmt "(BG_PUSH (NEQ |@@true| |@@false|))@\n@\n";
  Queue.iter (print_elem fmt) queue

let output_file ~allowedit file =
  if allowedit then
    let sep = ";; DO NOT EDIT BELOW THIS LINE" in
    do_not_edit_below ~file
      ~before:(fun _fmt -> ())
      ~sep
      ~after:print_file
  else
    print_in_file print_file file

why-2.39/src/logic.mli0000644000106100004300000001007413147234006013622 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(*s Logic. *)

type real_constant = 
  | RConstDecimal of string * string * string option (* int / frac / exp *)
  | RConstHexa of string * string * string

type constant =
  | ConstInt of string
  | ConstBool of bool
  | ConstUnit
  | ConstFloat of real_constant

(*s Pure types. *)

type pure_type =
  | PTint
  | PTbool
  | PTreal
  | PTunit
  | PTvar of type_var
  | PTexternal of pure_type list * Ident.t

and type_var =
  { tag : int; 
    user : bool;
    mutable type_val : pure_type option }

type instance = pure_type list

type term_label = User of string | Internal of int

type term =
  | Tconst of constant
  | Tvar of Ident.t
  | Tderef of Ident.t
  | Tapp of Ident.t * term list * instance
  | Tnamed of term_label * term

type substitution = term Ident.map
type var_substitution = Ident.t Ident.map

type is_wp = bool
type is_sym = bool

type predicate =
  | Pvar of Ident.t
  | Papp of Ident.t * term list * instance
  | Ptrue
  | Pfalse
  | Pimplies of is_wp * predicate * predicate
  | Pif of term * predicate * predicate
  | Pand of is_wp * is_sym * predicate * predicate
  | Por of predicate * predicate
  | Piff of predicate * predicate
  | Pnot of predicate
  | Forall of is_wp * Ident.t * Ident.t * pure_type * triggers * predicate
  | Forallb of is_wp * predicate * predicate
  | Exists of Ident.t * Ident.t * pure_type * predicate
  | Pnamed of term_label * predicate
  | Plet of Ident.t * Ident.t * pure_type * term * predicate

and pattern = TPat of term | PPat of predicate
and trigger = pattern list
and triggers = trigger list


type logic_type =
  | Predicate of pure_type list
  | Function of pure_type list * pure_type

type alg_type_def = pure_type list * (Ident.t * pure_type list) list

type predicate_def = (Ident.t * pure_type) list * predicate

type inductive_def = pure_type list * (Ident.t * predicate) list

type function_def = (Ident.t * pure_type) list * pure_type * term


why-2.39/src/cvcl.ml0000644000106100004300000003210413147234006013301 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(*s CVC Lite's output *)

open Ident
open Options
open Misc
open Logic
open Logic_decl
open Format
open Cc
open Pp
open Env

(*s Pretty print *)

let infix id =
  if id == t_lt then "<"
  else if id == t_le then "<="
  else if id == t_gt then ">"
  else if id == t_ge then ">="
  (* int cmp *)
  else if id == t_lt_int then "<"
  else if id == t_le_int then "<="
  else if id == t_gt_int then ">"
  else if id == t_ge_int then ">="
  (* int ops *)
  else if id == t_add_int then "+"
  else if id == t_sub_int then "-"
  else if id == t_mul_int then "*"
(*
  else if id == t_div_int then "/"
*)
  (* real ops *)
  else if id == t_add_real then "+"
  else if id == t_sub_real then "-"
  else if id == t_mul_real then "*"
  else if id == t_div_real then "/"
  else if id == t_lt_real then "<"
  else if id == t_le_real then "<="
  else if id == t_gt_real then ">"
  else if id == t_ge_real then ">="
  else assert false

(* dead code
let external_type = function
  | PTexternal _ -> true
  | _ -> false
*)

let rec print_pure_type fmt = function
  | PTint -> fprintf fmt "INT"
  | PTbool -> fprintf fmt "BOOL"
  | PTreal -> fprintf fmt "REAL"
  | PTunit -> fprintf fmt "UNIT"
  | PTexternal ([pt], id) when id == farray -> 
      fprintf fmt "(ARRAY INT OF %a)" print_pure_type pt
  | PTvar {type_val=Some pt} -> print_pure_type fmt pt
  | PTvar _ -> assert false
  | PTexternal (i ,id) -> fprintf fmt "%s" (Encoding.symbol (id, i))

let rec print_term fmt = function
  | Tvar id -> 
      fprintf fmt "%a" Ident.print id
  | Tconst (ConstInt n) -> 
      fprintf fmt "%s" n
  | Tconst (ConstBool true) -> 
      fprintf fmt "true"
  | Tconst (ConstBool false) -> 
      fprintf fmt "false"
  | Tconst ConstUnit -> 
      fprintf fmt "tt" (* TODO: CORRECT? *)
  | Tconst (ConstFloat c) ->
      Print_real.print_with_integers
	"%s" 
	"(%s * %s)"
	"(%s / %s)" fmt c
  | Tderef _ -> 
      assert false
(*
  | Tapp (id, ([_;_] as tl), _) when id == t_mod_int ->
      fprintf fmt "@[%a(%a)@]" Ident.print id print_terms tl
*)
  | Tapp (id, [a], _) when id == t_sqrt_real || id == t_int_of_real ->
      fprintf fmt "@[%a(%a)@]" Ident.print id print_term a
  | Tapp (id, [a], _) when id == t_real_of_int ->
      fprintf fmt "@[%a@]" print_term a
(**
  | Tapp (id, [a; b], _) when id == access ->
      fprintf fmt "@[%a[%a]@]" print_term a print_term b
  | Tapp (id, [a; b; c], _) when id == store ->
      fprintf fmt "@[(%a WITH@ [%a] := %a)@]" 
	print_term a print_term b print_term c
**)
  | Tapp (id, [t], _) when id == t_neg_int || id == t_neg_real ->
      fprintf fmt "@[(-%a)@]" print_term t
  | Tapp (id, [a;b], _) when is_relation id || is_arith id ->
      fprintf fmt "@[(%a %s %a)@]" print_term a (infix id) print_term b
  | Tapp (id, [], i) ->
      fprintf fmt "%s" (Encoding.symbol (id, i))
  | Tapp (id, tl, i) -> 
      (match Ident.fresh_from id with
        | Some (s,logic_id::_) when s == Encoding_mono_inst.create_ident_id
            && (Ident.string logic_id = "acc" || Ident.string logic_id = "upd" || Ident.string logic_id = "select" || Ident.string logic_id = "store" ) -> 
            (match tl,Ident.string logic_id with
              | [mem;key],("acc"|"select") -> fprintf fmt "@[(%a[%a])@]" print_term mem print_term key
              | [mem;key;value],("upd"|"store") -> fprintf fmt "@[(%a WITH [%a] := %a)@]" print_term mem
                  print_term key print_term value
              | _ -> assert false)
        | _ -> fprintf fmt "@[%s(%a)@]" (Encoding.symbol (id, i)) print_terms tl)
  | Tnamed (_, t) -> (* TODO: print name *)
      print_term fmt t

and print_terms fmt tl = 
  print_list comma print_term fmt tl

let rec print_predicate fmt = function
  | Ptrue ->
      fprintf fmt "TRUE"
  | Pvar id when id == Ident.default_post ->
      fprintf fmt "TRUE"
  | Pfalse ->
      fprintf fmt "FALSE"
  | Pvar id -> 
      fprintf fmt "%a" Ident.print id
  | Papp (id, tl, _) when id == t_distinct ->
      fprintf fmt "@[(%a)@]" print_predicate (Util.distinct tl)
  | Papp (id, [_t], _) when id == well_founded ->
      fprintf fmt "TRUE %% was well_founded@\n"
  | Papp (id, [a; b], _) when is_eq id ->
      fprintf fmt "@[(%a =@ %a)@]" print_term a print_term b
  | Papp (id, [a; b], _) when is_neq id ->
      fprintf fmt "@[(%a /=@ %a)@]" print_term a print_term b
  | Papp (id, [a;b], _) when is_int_comparison id || is_real_comparison id ->
      fprintf fmt "@[(%a %s %a)@]" print_term a (infix id) print_term b
  | Papp (id, [a;b], _) when id == t_zwf_zero ->
      fprintf fmt "@[((0 <= %a) AND@ (%a < %a))@]" 
	print_term b print_term a print_term b
  | Papp (id, tl, i) -> fprintf fmt "@[%s(%a)@]" (Encoding.symbol (id, i)) print_terms tl
  | Pimplies (_, a, b) ->
      fprintf fmt "@[(%a =>@ %a)@]" print_predicate a print_predicate b
  | Piff (a, b) ->
      fprintf fmt "@[(%a <=>@ %a)@]" print_predicate a print_predicate b
  | Pif (a, b, c) ->
      fprintf fmt 
     "@[((%a=true => %a) AND@ (%a=false => %a))@]"
      print_term a print_predicate b print_term a print_predicate c
  | Pand (_, _, a, b) | Forallb (_, a, b) ->
      fprintf fmt "@[(%a AND@ %a)@]" print_predicate a print_predicate b
  | Por (a, b) ->
      fprintf fmt "@[(%a OR@ %a)@]" print_predicate a print_predicate b
  | Pnot a ->
      fprintf fmt "@[(NOT@ %a)@]" print_predicate a
  | Forall (_,id,n,t,_,p) -> 
      let id' = next_away id (predicate_vars p) in
      let p' = subst_in_predicate (subst_onev n id') p in
      fprintf fmt "@[(FORALL (%a:%a):@ %a)@]" 
	Ident.print id' print_pure_type t print_predicate p'
  | Exists (id,n,t,p) -> 
      let id' = next_away id (predicate_vars p) in
      let p' = subst_in_predicate (subst_onev n id') p in
      fprintf fmt "@[(EXISTS (%a:%a):@ %a)@]" 
	Ident.print id' print_pure_type t print_predicate p'
  | Pnamed (_, p) -> (* TODO: print name *)
      print_predicate fmt p
  | Plet (_, n, _, t, p) ->
      print_predicate fmt (subst_term_in_predicate n t p)

let print_sequent fmt (hyps,concl) =
  let rec print_seq fmt = function
    | [] ->
	print_predicate fmt concl
    | Svar (id, v) :: hyps -> 
	fprintf fmt "@[(FORALL (%a:%a):@ %a)@]" 
	  Ident.print id print_pure_type v print_seq hyps
    | Spred (_,p) :: hyps -> 
	fprintf fmt "@[(%a =>@ %a)@]" print_predicate p print_seq hyps
  in
  print_seq fmt hyps

let print_logic_type fmt = function
  | Predicate [] ->
      fprintf fmt "BOOLEAN"
  | Predicate [pt] ->
      fprintf fmt "(%a -> BOOLEAN)" print_pure_type pt
  | Predicate pl ->
      fprintf fmt "((%a) -> BOOLEAN)" (print_list comma print_pure_type) pl
  | Function ([], pt) ->
      print_pure_type fmt pt
  | Function ([pt1], pt2) ->
      fprintf fmt "(%a -> %a)" print_pure_type pt1 print_pure_type pt2
  | Function (pl, pt) ->
      fprintf fmt "((%a) -> %a)" 
	(print_list comma print_pure_type) pl print_pure_type pt

(* we need to recognize array types after monomorphization *)

let is_array s = String.length s >= 6 && String.sub s 0 6 = "array_"

let memory_arg_kv = lazy (is_logic_function (Ident.create "select"))

let declare_type fmt id = 
  match (Lazy.force memory_arg_kv), Ident.fresh_from id with
    | (false,Some (s,[mem;value;key])|true,Some (s,[mem;key;value]))
        when s == Encoding_mono_inst.create_ident_id 
          && Ident.string mem = "memory" ->      
        fprintf fmt "@[%a: TYPE = ARRAY %aIpointer OF %s;@]@.@." 
          Ident.print id 
          Ident.print key 
          (let s = Ident.string value in if s = "int" then "INT" else s)
    | _ -> if not (is_array (Ident.string id)) then fprintf fmt "@[%a: TYPE;@]@\n@\n" Ident.print id
        

let print_logic fmt id t =
  match Ident.fresh_from id with
    | Some (s,logic_id::_) when s == Encoding_mono_inst.create_ident_id
        && (Ident.string logic_id = "acc" || Ident.string logic_id = "upd") -> ()
    | _ ->
        fprintf fmt "%%%% Why logic %a@\n" Ident.print id;
          fprintf fmt "@[%a: %a;@]@\n@\n" Ident.print id print_logic_type t

let print_predicate_def fmt id (bl,p) =
  fprintf fmt "@[%%%% Why predicate %s@]@\n" id;
  fprintf fmt "@[%s: %a =@ LAMBDA (%a):@ @[%a@];@]@\n@\n"
    id 
    print_logic_type (Predicate (List.map snd bl))
    (print_list comma 
       (fun fmt (x,pt) -> 
	  fprintf fmt "%a: %a" Ident.print x print_pure_type pt )) bl 
    print_predicate p
    
let print_function_def fmt id (bl,t,e) =
  fprintf fmt "@[%%%% Why function %s@]@\n" id;
  fprintf fmt "@[%s: %a =@ LAMBDA (%a):@ @[%a@];@]@\n@\n"
    id
    print_logic_type (Function (List.map snd bl, t))
    (print_list comma 
       (fun fmt (x,pt) -> 
	  fprintf fmt "%a: %a" Ident.print x print_pure_type pt )) bl 
    print_term e

let print_axiom fmt id p =
  match id,p with
    | ("acc_upd" |"acc_upd_neq"|"select_store_eq"|"select_store_neq"), 
      Forall (_,_,_,PTexternal (_,t),_,_) when   
        (match Ident.fresh_from t with
           | Some (s,[mem;_;_]) when s == Encoding_mono_inst.create_ident_id 
               && Ident.string mem = "memory" -> true
           | _ -> false) -> ()
    | _ ->
  fprintf fmt "@[%%%% Why axiom %s@]@\n" id;
  fprintf fmt "@[ASSERT %a;@]@\n@\n" print_predicate p

let print_obligation fmt loc is_lemma _expl o s = 
  fprintf fmt "@[%%%% %s, %a@]@\n" o Loc.gen_report_line loc;
  fprintf fmt "PUSH;@\n@[QUERY %a;@]@\nPOP;@\n@\n" print_sequent s;
(*;
  fprintf fmt "@[%%%% %a@]@\n" Util.print_explanation expl;
*)
  if is_lemma then begin
    fprintf fmt "@[%%%%  %s as axiom@]@\n" o;
    fprintf fmt "@[ASSERT %a;@]@\n@\n" print_sequent s;
  end

let push_decl d = Encoding.push ~encode_preds:false ~encode_funs:false d

let iter = Encoding.iter

let reset () = Encoding.reset ()

let output_elem fmt = function
  | Dtype (_loc, id, []) -> declare_type fmt id
  | Dtype _ -> assert false
  | Dalgtype _ ->
      assert false
(*
      failwith "CVC light: algebraic types are not supported"
*)
  | Dlogic (_loc, id, t) ->
      print_logic fmt id t.scheme_type
  | Dpredicate_def (_loc, id, d) -> 
      let id = Ident.string id in
      print_predicate_def fmt id d.scheme_type
  | Dinductive_def _ ->
      assert false
(*
      failwith "CVC light: inductive def not yet supported"
*)
  | Dfunction_def (_loc, id, d) -> 
      let id = Ident.string id in
      print_function_def fmt id d.scheme_type
  | Daxiom (_loc, id, p) ->
      print_axiom fmt id p.scheme_type
  | Dgoal (loc, is_lemma, expl, id, s) ->
      print_obligation fmt loc is_lemma expl id s.Env.scheme_type

let prelude_done = ref false
let prelude fmt = 
  if not !prelude_done && not no_cvcl_prelude then begin
    prelude_done := true;
    fprintf fmt "\
@\nUNIT: TYPE;\
@\ntt: UNIT;\
@\nBOOL: TYPE;\
@\ntrue: BOOL;\
@\nfalse: BOOL;\
@\nASSERT (FORALL (b:BOOL): (b=true OR b=false));\
@\nASSERT (true /= false);\
@\n"
  end

let print_file fmt =
  (*if not no_cvcl_prelude then predefined_symbols fmt;*)
  iter (output_elem fmt)

let output_file ~allowedit file =
  if allowedit then
    begin
      let sep = "%%%% DO NOT EDIT BELOW THIS LINE" in
      do_not_edit_below ~file
	~before:prelude
	~sep
	~after:print_file
    end
  else
    print_in_file print_file file

why-2.39/src/ltyping.mli0000644000106100004300000000743413147234006014221 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(*s Typing on the logical side *)

open Logic
open Types
open Ptree
open Ast
open Env

val unify : Logic.pure_type -> Logic.pure_type -> bool

val pure_type : local_env -> ppure_type -> pure_type

val type_v : 
  Loc.position -> Label.t -> local_env -> ptype_v -> type_v

val type_c :
  Loc.position -> Label.t -> local_env -> ptype_c -> type_c

val logic_type : plogic_type -> logic_type

val alg_type : Ident.t -> Ident.t list ->
  (Loc.position * Ident.t * ppure_type list) list ->
    alg_type_def

val predicate : Label.t -> local_env -> lexpr -> predicate

val term : Label.t -> local_env -> lexpr -> term * pure_type

val type_assert : 
  ?namer:(Ident.name -> Ident.t) ->
  Label.t -> local_env -> Ptree.assertion -> assertion

val type_post : 
  Label.t -> local_env -> Ident.t -> type_v -> Effect.t -> 
  Ptree.postcondition -> postcondition

val binders : 
  Loc.position -> Label.t -> local_env -> 
  ptype_v binder list -> 
  type_v binder list * local_env

val instance : Ident.t -> var_subst -> pure_type list

(* errors *)

val expected_real : Loc.position -> 'a

val expected_num : Loc.position -> 'a

val expected_type : Loc.position -> type_v -> 'a

(* instances: the following table contains all closed instances of logical
   symbols that have been used so far. 
   It is later used to generate all monomorphic
   instances of symbols/predicates/axioms in the CVC Lite output. *)
(*
module Instances : Set.S with type elt = pure_type list

val add_instance_if_closed : Ident.t -> pure_type list -> unit
val instances : Ident.t -> Instances.t

val iter_instances : (Ident.t -> pure_type list -> unit) -> unit
*)
why-2.39/src/ast.mli0000644000106100004300000000727213147234006013322 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(*s Abstract syntax of imperative programs. *)

open Logic
open Types

type variable = Ident.t

type label = string

type variant = Loc.position * term * pure_type * variable

type exn_pattern = Ptree.exn_pattern

type assertion = { 
  a_name : Ident.t;
  a_value : predicate;
  a_loc : Loc.position;
  mutable a_proof : Cc.proof option;
}

type precondition = assertion

type postcondition = assertion * (Ident.t * assertion) list

type assert_kind = [ `ABSURD | `ASSERT | `PRE | `CHECK ]

(* ['a] is the type of information associated to the nodes. 
   It will be defined later in module [Env] *)
type 'a t = 
  { desc : 'a t_desc;
    info : 'a }

and 'a t_desc =
  | Expression of term (* pure terms including !x *)
  | Var of variable (* only for impure functions *)
  | Seq of 'a t * 'a t
  | Loop of assertion option * variant option * 'a t (* infinite loop *)
  | If of 'a t * 'a t * 'a t
  | LetRef of variable * 'a t * 'a t
  | LetIn of variable * 'a t * 'a t
  | Absurd
  (* assertion *)
  | Label of label * 'a t
  | Assertion of assert_kind * assertion list * 'a t
  | Post of 'a t * postcondition * transp
  (* exceptions *)
  | Raise of variable * 'a t option
  | Try of 'a t * (exn_pattern * 'a t) list 
  (* functions and applications *)
  | Lam of type_v binder list * precondition list * 'a t
  | Rec of variable * type_v binder list * type_v * variant option * 
      precondition list * 'a t
  | AppRef of 'a t * variable * 'a
  | AppTerm of 'a t * term * 'a
  (* undeterministic expression *)
  | Any of type_c

why-2.39/src/version.ml0000644000106100004300000000044513147234006014042 0ustar  marchevalslet coqversion = "v8.1"
let version = "2.39"
let bindir = "/usr/local/bin"
let libdir = "/usr/local/lib/why"
let banner : ('a,'b,'c) format = "This is %s version %s@\nCopyright (c) 2006-2017 - Why dev team - CNRS & Inria & Univ Paris-Sud@\nThis is free software with ABSOLUTELY NO WARRANTY@."
why-2.39/src/encoding_rec.mli0000644000106100004300000000443513147234006015150 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

val reset : unit -> unit
val push : Logic_decl.t -> unit
val iter : (Logic_decl.t -> unit) -> unit
why-2.39/src/dispatcher.mli0000644000106100004300000000475313147234006014662 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



open Cc

val push_decl : Logic_decl.t -> unit

val iter : 
    (Loc.floc * bool * Logic_decl.vc_expl * string * sequent Env.scheme -> unit) 
    -> unit


val call_prover : 
  ?debug:bool -> ?timeout:int -> ?encoding:Options.encoding ->
  obligation:string -> DpConfig.prover_id -> Calldp.prover_result
why-2.39/src/purify.mli0000644000106100004300000000435513147234006014050 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



open Env

val purify : typed_expr -> typed_expr

why-2.39/src/pp.ml0000644000106100004300000001170313147234006012773 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(*s Pretty-print library *)

open Format

let print_option f fmt = function
  | None -> ()
  | Some x -> f fmt x

let print_option_or_default default f fmt = function
  | None -> fprintf fmt "%s" default
  | Some x -> f fmt x

let rec print_list sep print fmt = function
  | [] -> ()
  | [x] -> print fmt x
  | x :: r -> print fmt x; sep fmt (); print_list sep print fmt r

let print_list_or_default default sep print fmt = function
  | [] -> fprintf fmt "%s" default
  | l -> print_list sep print fmt l

let print_list_par sep pr fmt l =
  print_list sep (fun fmt x -> fprintf fmt "(%a)" pr x) fmt l

let print_iter1 iter sep print fmt l =
  let first = ref true in
  iter (fun x -> 
          if !first
          then first := false
          else sep fmt (); 
          print fmt x ) l

let print_iter2 iter sep1 sep2 print1 print2 fmt l =
  let first = ref true in
  iter (fun x y -> 
          if !first
          then first := false
          else sep1 fmt (); 
          print1 fmt x;sep2 fmt (); print2 fmt y) l


let print_list_delim start stop sep pr fmt = function
  | [] -> ()
  | l -> fprintf fmt "%a%a%a" start () (print_list sep pr) l stop ()

let print_pair_delim start sep stop pr1 pr2 fmt (a,b) =
  fprintf fmt "%a%a%a%a%a" start () pr1 a sep () pr2 b stop ()

let comma fmt () = fprintf fmt ",@ "
let simple_comma fmt () = fprintf fmt ", "
let underscore fmt () = fprintf fmt "_"
let semi fmt () = fprintf fmt ";@ "
let space fmt () = fprintf fmt " "
let alt fmt () = fprintf fmt "|@ "
let newline fmt () = fprintf fmt "@\n"
let arrow fmt () = fprintf fmt "@ -> "
let lbrace fmt () = fprintf fmt "{"
let rbrace fmt () = fprintf fmt "}"
let lsquare fmt () = fprintf fmt "["
let rsquare fmt () = fprintf fmt "]"
let lparen fmt () = fprintf fmt "("
let rparen fmt () = fprintf fmt ")"
let lchevron fmt () = fprintf fmt "<"
let rchevron fmt () = fprintf fmt ">"
let nothing _fmt _ = ()
let string fmt s = fprintf fmt "%s" s
let int fmt i = fprintf fmt "%d" i
let constant_string s fmt () = string fmt s

let print_pair pr1 = print_pair_delim lparen comma rparen pr1

let hov n fmt f x = pp_open_hovbox fmt n; f x; pp_close_box fmt ()

let open_formatter ?(margin=78) cout =
  let fmt = formatter_of_out_channel cout in
  pp_set_margin fmt margin;
  pp_open_box fmt 0; 
  fmt

let close_formatter fmt = 
  pp_close_box fmt ();
  pp_print_flush fmt ()

let open_file_and_formatter ?(margin=78) f =
  let cout = open_out f in
  let fmt = open_formatter ~margin cout in
  cout,fmt

let close_file_and_formatter (cout,fmt) =
  close_formatter fmt;
  close_out cout

let print_in_file_no_close ?(margin=78) p f =
  let cout,fmt = open_file_and_formatter ~margin f in
  p fmt;
  close_formatter fmt;
  cout

let print_in_file ?(margin=78) p f =
  let cout = print_in_file_no_close ~margin p f in
  close_out cout


why-2.39/src/fpi.ml0000644000106100004300000001001113147234006013121 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

open Format
open Pp
open Misc
open Logic
open Cc

let oblig = Queue.create ()


let split_one (loc,n,o) =
  (* normal oblig *)
  let cn = ref 0 in
  let l = ref [] in 
  let push_normal o = 
    incr cn; l := (loc,n ^ "_" ^ string_of_int !cn,o) :: !l 
  in
  (* fpi oblig *)
  let cf = ref 0 in
  let push_fpi o = incr cf; Queue.add (loc, n ^ "_" ^ string_of_int !cf, o) in
  let rec split_rec = function
    | _ -> assert false
  in
  split_rec o;
  List.rev !l

let split ol = List.flatten (List.map split_one ol)
  
let print_real fmt = function
  | (i,f,"") -> fprintf fmt "%s.%s" i f
  | (i,f,e) -> fprintf fmt "%s.%se%s" i f e

let rec print_term fmt = function
  | Tconst (ConstFloat f) -> print_real fmt f
  | Tconst _ -> assert false
  | Tvar id -> Ident.print fmt id
  | Tapp (id, tl, _) -> 
      fprintf fmt "(%s %a)" (Ident.string id) (print_list space print_term) tl
  | Tderef _ -> assert false

let rec print_pred fmt = function
  | Pfpi (t,f1,f2) -> 
      fprintf fmt "(fpi %a %a %a)" print_term t print_real f1 print_real f2
  | Papp (id, tl, _) -> 
      fprintf fmt "(%s %a)" (Ident.string id) (print_list space print_term) tl
  | _ -> assert false

let print_hyp fmt = function
  | Svar _ -> assert false
  | Spred (_, p) -> print_pred fmt p

let print_hyps = print_list space print_hyp

let print_obligation fmt (loc,s,o) =
  fprintf fmt "%% %s from %a@\n" s Loc.report_position loc;
  begin match o with
    | [], p -> 
	fprintf fmt "(@[%a@])" print_pred p
    | [h], p -> 
	fprintf fmt "(@[IMPLIES %a@ %a@])" print_hyp h print_pred p
    | hl, p -> 
	fprintf fmt "(@[IMPLIES (AND %a)@ %a@])" print_hyps hl print_pred p
  end;
  fprintf fmt "@.@."

let print_obligations fmt =
  Queue.iter (print_obligation fmt) oblig;
  fprintf fmt "@."

let output f =
  print_in_file ~margin:78 print_obligations (f ^ ".fpi")

let reset () = Queue.clear oblig
why-2.39/src/wserver.mli0000644000106100004300000001264313147234006014226 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)


(* Copyright (c) 1998-2005 INRIA *)

(* module [Wserver]: elementary web service *)

val f :
  string option -> int -> int -> int option ->
    (Unix.sockaddr * string list -> string -> string -> unit) -> unit
   (* [Wserver.f addr port tmout maxc g] starts an elementary
       httpd server at port [port] in the current machine. The variable
       [addr] is [Some the-address-to-use] or [None] for any of the
       available addresses of the present machine. The port number is
       any number greater than 1024 (to create a client < 1024, you must be
       root). At each connection, the function [g] is called:
       [g (addr, request) scr cont] where [addr] is the client identification
       socket, [request] the browser request, [scr] the script name (extracted
       from [request]) and [cont] the stdin contents . The function
       [g] has [tmout] seconds to answer some text on standard output.
       If [maxc] is [Some n], maximum [n] clients can be treated at the
       same time; [None] means no limit. See the example below. *)

val wprint : ('a, out_channel, unit) format -> 'a
    (* To be called to print page contents. *)

val wflush : unit -> unit
    (* To flush page contents print. *)

val http : string -> unit
    (* [Wserver.http answer] sends the http header where [answer]
       represents the answer status. If empty string, "200 OK" is assumed. *)

val encode : string -> string
    (* [Wserver.encode s] encodes the string [s] in another string
       where spaces and special characters are coded. This allows
       to put such strings in html links . This is
       the same encoding done by Web browsers in forms. *)

val decode : string -> string
    (* [Wserver.decode s] does the inverse job than [Wserver.code],
       restoring the initial string. *)

val extract_param : string -> char -> string list -> string
    (* [extract_param name stopc request] can be used to extract some
       parameter from a browser [request] (list of strings); [name]
       is a string which should match the beginning of a request line,
       [stopc] is a character ending the request line. For example, the
       string request has been obtained by: [extract_param "GET /" ' '].
       Answers the empty string if the parameter is not found. *)

val get_request_and_content : char Stream.t -> string list * string

val sock_in : string ref
val sock_out : string ref
val noproc : bool ref

val wserver_oc : out_channel ref

(* Example:

   - Source program "foo.ml":
        Wserver.f None 2371 60 None
           (fun _ s _ ->
              Wserver.html ""; Wserver.wprint "You said: %s...\n" s);;
   - Compilation:
        ocamlc -custom unix.cma -cclib -lunix wserver.cmo foo.ml
   - Run:
        ./a.out
   - Launch a Web browser and open the location:
        http://localhost:2368/hello   (but see the remark below)
   - You should see a new page displaying the text:
        You said: hello...

  Possible problem: if the browser says that it cannot connect to
      "localhost:2368",
  try:
      "localhost.domain:2368" (the domain where your machine is)
      "127.0.0.1:2368"
      "machine:2368"          (your machine name)
      "machine.domain:2368"   (your machine name)
      "addr:2368"             (your machine internet address)

*)
why-2.39/src/annot.ml0000644000106100004300000003321313147234006013473 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



open Options
open Ident
open Misc
open Logic
open Util
open Ast
open Env
open Types

(* Automatic annotations *)

let is_default_post a = match a.a_value with
  | Pvar id when id == Ident.default_post -> true
  | _ -> false

(* maximum *)

let sup q q' = match q, q' with
  | None, _ ->
      q'
  | _, None ->
      q
  | Some (q, ql), Some (_, ql') ->
      assert (List.length ql = List.length ql');
      let supx (x,a) (x',a') =
	assert (x = x');
	x, if is_default_post a then a' else a
      in
      Some (q, List.map2 supx ql ql') 

(* force a post-condition *)

let post_if_none env q p = match post p with
  | None -> force_post env q p 
  | _ -> p

(* post-condition of [while b do inv I done] i.e. [I and not B] *)

let default_exns_post e =
  let xs = Effect.get_exns e in
  List.map (fun x -> x, default_post) xs
 
let while_post loc info b inv = 
  let ql = default_exns_post info.kappa.c_effect in
  match post b, inv with
    | None, None -> 
	None
    | None, Some i ->
	Some ({ a_value = i.a_value; 
		a_name = Name (post_name_from i.a_name);
		a_loc = loc }, ql)
    | Some qb, inv ->
	let _,s = decomp_boolean qb in
	let s = change_label b.info.label info.label s in
	match inv with
	  | None -> Some (anonymous loc s, ql)
	  | Some i -> Some ({ a_value = pand i.a_value s; 
			      a_name = Name (post_name_from i.a_name);
			      a_loc = loc }, ql)

let while_post_block env inv (phi,_,r) e = 
  let lab = e.info.label in
  let decphi = Papp (r, [phi; put_label_term env lab phi], []) in
  let ql = default_exns_post (effect e) in
  match inv with
    | None -> 
	anonymous e.info.loc decphi, ql
    | Some i -> 
	{ a_value = pand ~is_wp:true i.a_value decphi; 
	  a_name = Name (post_name_from i.a_name);
	  a_loc = e.info.loc }, ql

let check_while_test b =
  if post b = None then begin
    wprintf b.info.loc 
      "couldn't give this test a postcondition (possible incompleteness)\n";
    if werror then exit 1
  end

(* misc. *)

let is_conditional p = match p.desc with If _ -> true | _ -> false

(* BUG: use is_eq and not t_eq
let is_equality = function
  | Some ({ a_value = Papp (id, [Tvar t1; t2]) }, []) -> 
      id == t_eq && t1 == result
  | _ -> false
*)

let get_equality_rhs = function
  | Some ({ a_value = Papp (id, [Tvar t1; t2], _) }, []) 
    when id == t_eq && t1 == result -> t2
  | _ -> assert false

(* [extract_pre p] erase the pre-condition of [p] and returns it *)

let extract_oblig pr =
  let k = pr.info.kappa in
  { pr with info = { pr.info with 
		       obligations = []; 
		       kappa = { k with c_pre = [] } } },
  pr.info.obligations @ k.c_pre

(* adds some pre-conditions *)

let add_oblig p1 pr =
  let o = pr.info.obligations in
  { pr with info = { pr.info with obligations = o @ p1 } }

  
(* change the statement *)

let is_bool = function
  | PureType PTbool -> true
  | _ -> false

let is_pure e = 
  let ef = effect e in 
  Effect.get_writes ef = [] && Effect.get_exns ef = []

(*s Normalization. In this first pass, we
    (2) annotate [x := E] with [{ x = E }]
    (3) give tests the right postconditions
    (4) lift obligations up in assignements *)

let rec normalize p =
  let env = p.info.env in
  let k = p.info.kappa in
  match p.desc with
    (***
    | Expression t ->
	let t = put_label_term env p.info.label (unref_term t) in
	change_desc p (Expression t)
    ***)
    | If (e1, e2, e3) ->
	change_desc p (If (normalize_boolean false env e1, e2, e3))
(****
    | While (b, invopt, var, e) ->
	let b' = normalize_boolean true env b in
	let p = match post b' with

           (* test is not annotated -> translation using an exception *)
	   | None ->
	       let effect_and_exit k = 
		 let ef = Effect.add_exn exit_exn k.c_effect in
		 let k' = type_c_of_v k.c_result_type in
		 { k' with c_effect = ef }
	       in
	       let bloc = b.info.loc in
	       let praise_exit = 
		 make_raise bloc exit_exn (PureType PTunit) env
	       in
	       let body = 
		 (* if b then e else raise Exit *)
		 make_lnode e.info.loc (If (b', e, praise_exit))
		   env [] (effect_and_exit k)
	       in
	       let d = 
		 Try 
		   (make_lnode p.info.loc
		      (While (make_annot_bool bloc true env, 
			      invopt, var, body))
		      env [] (effect_and_exit k),
		    [ (exit_exn, None), make_void p.info.loc env])
	       in
	       change_desc p d

	   (* test is annotated -> postcondition is [inv and not test] *)
	   | Some _ ->
	       (***
	       let p = change_desc p (While (b', invopt, var, e)) in
	       if post p = None then
		 let q = while_post p.info.loc p.info b' invopt in
		 force_post env q p
	       else
	       ***)
		 p
	in
	let q = optpost_app (change_label "" p.info.label) (post p) in
	force_post env q p
***)
    | LetRef (x, ({ desc = Expression t } as e1), e2) when post e1 = None ->
	let q = create_post (equality (Tvar Ident.result) (unref_term t)) in
	change_desc p (LetRef (x, post_if_none env q e1, e2))
    | LetIn (x, ({ desc = Expression t } as e1), e2) when post e1 = None ->
	let q = create_post (equality (Tvar Ident.result) (unref_term t)) in
	change_desc p (LetIn (x, post_if_none env q e1, e2))
    | Expression _ | Var _ 
    | Seq _ | Lam _ | LetIn _ | LetRef _ | Rec _ | App _ 
    | Raise _ | Try _ | Absurd | Any _ | Loop _ ->
	p

(* [normalize_boolean b] checks if the boolean expression [b] (of type
   [bool]) is annotated; if not, tries to give it an annotation. 
   [force] indicates whether annotating is mandatory. *)

and normalize_boolean force env b =
  let k = b.info.kappa in
  let give_post b q =
    let q = option_app (force_post_loc b.info.loc) q in
    { b with info = { b.info with kappa = { k with c_post = q } } }
  in
  let q = k.c_post in
  match q with
    | Some _ ->
	(* a postcondition; nothing to do *)
	give_post b (force_bool_name q)
    | None -> begin
	match b.desc with
	  | Expression c when force ->
	      (* expression E -> result=E *)
	      let c = equality (Tvar Ident.result) (unref_term c) in
	      give_post b (create_post c)
	  | If (e1, e2, e3) ->
	      let ne1 = normalize_boolean force env e1 in
	      let ne2 = normalize_boolean force env e2 in
	      let ne3 = normalize_boolean force env e3 in
	      if is_pure e1 && is_pure e2 && is_pure e3 then
		let q1 = post ne1 in
		let q2 = post ne2 in
		let q3 = post ne3 in
		match q1, (e2.desc, q2), (e3.desc, q3) with
		  (* [a && b] *)
		  | Some q1, (_,Some q2), 
		    (Expression (Tconst (ConstBool false)),_) ->
		      let q1t,q1f = decomp_boolean q1 in
		      let q2t,q2f = decomp_boolean q2 in
		      let c = 
			Pif (Tvar Ident.result,
			     pand q1t q2t,
			     por q1f (pand q1t q2f))
		      in
		      let b' = change_desc b (If (ne1,ne2,ne3)) in
		      give_post b' (create_post c)
		  (* [a || b] *)
		  | Some q1, (Expression (Tconst (ConstBool true)),_), 
		    (_,Some q3) ->
		      let q1t,q1f = decomp_boolean q1 in
		      let q3t,q3f = decomp_boolean q3 in
		      let c = 
			Pif (Tvar Ident.result,
			     por q1t (pand q1f q3t),
			     pand q1f q3f)
		      in
		      let b' = change_desc b (If (ne1,ne2,ne3)) in
		      give_post b' (create_post c)
                  (* generic case *)
		  | Some q1, (_,Some q2), (_,Some q3) -> 
		      let q1t,q1f = decomp_boolean q1 in
		      let q2t,q2f = decomp_boolean q2 in
		      let q3t,q3f = decomp_boolean q3 in
		      let c = 
			Pif (Tvar Ident.result,
			     por (pand q1t q2t) (pand q1f q3t),
			     por (pand q1t q2f) (pand q1f q3f)) 
		      in
		      let b' = change_desc b (If (ne1,ne2,ne3)) in
		      give_post b' (create_post c)
		  | _ ->
		      b
		else 
		  b
	  | _ -> 
	      b
      end

let map_desc f p =
  let d = match p.desc with
    | Var _ 
    | Expression _
    | Absurd
    | Any _ as d -> 
	d
    | Seq bl -> 
	let block_st = function
	  | Label _ | Assert _ as s -> s
	  | Statement e -> Statement (f e)
	in
	Seq (List.map block_st bl)
    | Loop (inv, var, e2) ->
	Loop (inv, var, f e2)
    | If (e1, e2, e3) ->
	If (f e1, f e2, f e3)
    | Lam (bl, e) ->
	Lam (bl, f e)
    | App (e1, Term e2, k) ->
	App (f e1, Term (f e2), k)
    | App (e1, a, k) ->
	App (f e1, a, k)
    | LetRef (x, e1, e2) ->
	LetRef (x, f e1, f e2)
    | LetIn (x, e1, e2) ->
	LetIn (x, f e1, f e2)
    | Rec (x, bl, v, var, e) ->
	Rec (x, bl, v, var, f e)
    | Raise (x, Some e) ->
	Raise (x, Some (f e))
    | Raise _ as d ->
	d
    | Try (e1, eql) ->
	Try (f e1, List.map (fun (p, e) -> (p, f e)) eql)
  in
  { p with desc = d }

type pure = 
  | PureTerm of term (* result = term *)
  | PurePred of postcondition (* q(result) *)

let q_true_false q =
  let ctrue = tsubst_in_predicate (subst_one Ident.result ttrue) q in
  let cfalse = tsubst_in_predicate (subst_one Ident.result tfalse) q in
  simplify ctrue, simplify cfalse

let is_result_eq = function
  | Papp (id, [Tvar id'; t], _) when is_eq id && id' == result -> Some t
  | _ -> None

let rec purify p =
  try
    if not (is_pure p) then raise Exit;
    (* [pure p] computes pre, obligations and post for [p] *)
    let rec pure p = match p.desc with
      | Expression t when post p = None -> 
	  a_values (pre p), 
	  a_values p.info.obligations,
	  tequality (result_type p) (Tvar Ident.result) (unref_term t)
      | LetIn (x, e1, e2) when post p = None -> 
	  let pre1,o1,post1 = pure e1 in
	  let pre2,o2,post2 = pure e2 in
	  begin match is_result_eq post1 with
	    | Some t1 -> (* optimized when [post1] is [result=t1] *)
		let s = tsubst_in_predicate (subst_one x t1) in
		a_values (pre p), pre1 @ o1 @ (List.map s (pre2 @ o2)), s post2
	    | None ->
		let tyx = result_type e1 in
		let post1_x = subst_in_predicate (subst_onev result x) post1 in
		a_values (pre p),
		(* pre1 and (forall x. post1(x) => pre2) *)
		(pre1 @ o1 @ [(*pimplies (pands pre1)*)
		   (pforall x tyx (pimplies post1_x (pands (pre2 @ o2))))]),
		(* exists x. post1(x) and post2 *)
		pexists x tyx (pand post1_x post2)
	  end
      | If (e1, e2, e3) when post p = None -> 
	  let p1,o1,q1 = pure e1 in
	  let p2,o2,q2 = pure e2 in
	  let p3,o3,q3 = pure e3 in
	  let q1t,q1f = q_true_false q1 in
	  begin match e2.desc, e3.desc with
	    | _, Expression (Tconst (ConstBool false)) (* e1 && e2 *) ->
		let q2t,q2f = q_true_false q2 in
		a_values (pre p),
		p1 @ o1 @ [pimplies q1t (pands (p2 @ o2))],
		Pif (Tvar Ident.result, pand q1t q2t, por q1f (pand q1t q2f))
	    | Expression (Tconst (ConstBool true)), _ (* e1 || e2 *) ->
		let q3t,q3f = q_true_false q3 in
		a_values (pre p),
		p1 @ o1 @ [pimplies q1f (pands (p3 @ o3))],
		Pif (Tvar Ident.result, por q1t (pand q1f q3t), pand q1f q3f)
	    | Expression (Tconst (ConstBool false)),
	      Expression (Tconst (ConstBool true)) (* not e1 *) ->
		a_values (pre p), p1 @ o1, Pif (Tvar Ident.result, q1f, q1t)
	    | _ -> 
		a_values (pre p),
		(* p1 and (q1(true) => p2) and (q1(false) => p3) *)
		p1 @ o1 @ [pimplies q1t (pands (p2 @ o2)); 
			   pimplies q1f (pands (p3 @ o3))],
		(* q1(true) and q2 or q1(false) and q3 *)
		por (pand q1t q2) (pand q1f q3)
	  end
      | App ({desc=Var x}, _, _) when is_rec x p.info.env ->
	  raise Exit
      | App (e1, Term e2, k) when post p = None || post p = k.c_post ->
	  begin match k.c_post with
	    | Some (q,_) -> 
		a_values (pre p),
		a_values (k.c_pre @ e1.info.obligations @ pre e1 @ 
			  e2.info.obligations @ pre e2), 
		q.a_value
	    | None -> 
		raise Exit
	  end
      | _ -> 
	  raise Exit (* we give up *)
    in
    let pre,o,post = pure p in
    let pre = List.map (anonymous p.info.loc) pre in
    let o = List.map (anonymous p.info.loc) o in
    let c = { p.info.kappa with c_pre = pre; c_post = create_post post } in
    { p with 
	desc = Any c; 
	info = { p.info with obligations = o; kappa = c } }
  with Exit -> 
    map_desc purify p
why-2.39/src/monomorph.ml0000644000106100004300000004340213147234006014373 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(* monomorphic output *)

open Ident
open Options
open Misc
open Logic
open Logic_decl
open Cc
open Env
open Format
open Pp

(* output queue *)
let queue = Queue.create ()

let push d = Queue.add d queue

let iter f = Queue.iter f queue

(* the name for a closed instance: name id [t1;...;tn] = id_t1_..._tn *)
let rec print_pure_type fmt = function
  | PTint -> fprintf fmt "int"
  | PTbool -> fprintf fmt "bool"
  | PTunit -> fprintf fmt "unit"
  | PTreal -> fprintf fmt "real"
  | PTexternal ([v], id) when id == farray -> 
      fprintf fmt "array_%a" print_pure_type v
  | PTexternal([], id) -> fprintf fmt "%a" Ident.print id
  | PTexternal(i, id) -> fprintf fmt "%a%a" Ident.print id print_instance i
  | PTvar { type_val = Some t} -> fprintf fmt "%a" print_pure_type t      
  | PTvar _ -> assert false

and print_instance fmt = function
  | [] -> ()
  | ptl -> fprintf fmt "_%a" (print_list underscore print_pure_type) ptl

let name id i =
  fprintf str_formatter "%s%a" id print_instance i;
  flush_str_formatter ()

let external_logic = Hashtbl.create 97
let add_external id = Hashtbl.add external_logic id ()


let symbol (id, i) =
  let n = Ident.string id in
  let nn =
  if Hashtbl.mem external_logic id then
    n
  else
    name n i
  in
(*
  if n="upd" then eprintf "Monomorph : i=%a, rename %s(%a) -> %s@." print_instance i n dbprint id nn;
*)
  nn

(* iteration over instances (function [f]) and types (function [g]) *)
module IterIT = struct

  let rec term f = function
    | Tapp (x, tl, i) -> f x i; List.iter (term f) tl
    | _ -> ()

  let rec predicate f g = function
    | Pand (_, _, a, b)
    | Por (a, b)
    | Piff (a, b)
    | Forallb (_, a, b)
    | Pimplies (_, a, b) -> predicate f g a; predicate f g b
    | Pif (a, b, c) -> term f a; predicate f g b; predicate f g c
    | Pnot a -> predicate f g a
    | Exists (_, _, v, p) -> g v; predicate f g p
    | Forall (_, _, _, v, tl, p) -> 
	g v; List.iter (List.iter (pattern f g)) tl; predicate f g p
    | Pnamed (_, a) -> predicate f g a
    | Ptrue | Pfalse | Pvar _ -> ()
    | Papp (id, tl, i) -> f id i; List.iter (term f) tl
    | Plet (_, _, _, t, p) -> term f t; predicate f g p

  and pattern f g = function
    | TPat t -> term f t
    | PPat p -> predicate f g p

  let predicate_def f g (bl,p) =
    List.iter (fun (_,pt) -> g pt) bl;
    predicate f g p

  let function_def f g (bl,t,e) =
    List.iter (fun (_,pt) -> g pt) bl;
    g t;
    term f e
	
  let logic_type g = function
    | Function (l, pt) -> List.iter g l; g pt
    | Predicate l -> List.iter g l

(* dead code
  let rec cc_type f g = function
    | TTpure pt -> g pt
    | TTarray cc -> cc_type f g cc
    | TTarrow (b, cc)
    | TTlambda (b, cc) -> cc_binder f g b; cc_type f g cc
    | TTtuple (bl, ccopt) -> 
	List.iter (cc_binder f g) bl; 
	option_iter (cc_type f g) ccopt
    | TTpred p ->
	predicate f g p
    | TTapp (cc, ccl) ->
	cc_type f g cc; List.iter (cc_type f g) ccl
    | TTterm t ->
	term f t
    | TTSet ->
	()

  and cc_binder f g = function
    | _, CC_var_binder cc -> cc_type f g cc
    | _, CC_pred_binder p -> predicate f g p
    | _, CC_untyped_binder -> ()
*)

  let sequent f g (ctx,p) =
    List.iter 
      (function 
	 | Svar (_,pt) -> g pt | Spred (_,p) -> predicate f g p)
      ctx;
    predicate f g p
	
end

module PureType = struct

  type t = pure_type

  let rec normalize = function
    | PTvar { type_val = Some t } -> normalize t
    | PTexternal (i, id) -> PTexternal (List.map normalize i, id)
    | PTvar _ | PTint | PTbool | PTunit | PTreal as t -> t

  let equal t1 t2 = normalize t1 = normalize t2

  let hash t = Hashtbl.hash (normalize t)

end	  

module Htypes = Hashtbl.Make(PureType)


(* generic substitution parameterized by a substitution over [pure_type] *)
module type Substitution = sig
  type t
  val pure_type : t -> pure_type -> pure_type
end

module GenSubst(S : Substitution) = struct

  include S

  let logic_type s = function
    | Function (tl, tr) -> 
	Function (List.map (pure_type s) tl, pure_type s tr)
    | Predicate tl -> 
	Predicate (List.map (pure_type s) tl)


(* dead code
  let binder s (id,pt) = (id, pure_type s pt)
  let binders s = List.map (binder s)
*)

  let rec term s = function
    | Tapp (x, tl, i) -> 
	Tapp (x, List.map (term s) tl, List.map (pure_type s) i)
    | t -> 
	t

  let rec predicate s = function
    | Papp (x, tl, i) ->
	Papp (x, List.map (term s) tl, List.map (pure_type s) i)
    | Pimplies (w, a, b) -> Pimplies (w, predicate s a, predicate s b)
    | Pif (a, b, c) -> Pif (a, predicate s b, predicate s c)
    | Pand (w, sym, a, b) -> Pand (w, sym, predicate s a, predicate s b)
    | Por (a, b) -> Por (predicate s a, predicate s b)
    | Piff (a, b) -> Piff (predicate s a, predicate s b)
    | Pnot a -> Pnot (predicate s a)
    | Forall (w, id, b, v, tl, p) -> 
	let tl' = List.map (List.map (pattern s)) tl in
	Forall (w, id, b, pure_type s v, tl', predicate s p)
    | Exists (id, b, v, p) -> 
	Exists (id, b, pure_type s v, predicate s p)
    | Forallb (w, a, b) -> Forallb (w, predicate s a, predicate s b)
    | Pnamed (n, a) -> Pnamed (n, predicate s a)
    | Plet (x, b, pt, t, p) -> Plet (x, b, pure_type s pt, term s t, predicate s p)
    | Ptrue | Pfalse | Pvar _ as p -> p

  and pattern s = function
    | TPat t -> TPat (term s t)
    | PPat p -> PPat (predicate s p)

  let predicate_def s (bl,p) = 
    List.map (fun (x,pt) -> (x, pure_type s pt)) bl, predicate s p

  let function_def s (bl,t,e) = 
    List.map (fun (x,pt) -> (x, pure_type s pt)) bl, 
    pure_type s t,
    term s e

end

(* substitution of type variables ([PTvarid]) by pure types *)
module SV = struct

  type t = pure_type Vmap.t

  let list_of s = 
    Vmap.fold (fun x pt acc -> (x, PureType.normalize pt)::acc) s []

  let equal s1 s2 = list_of s1 = list_of s2
      
  let hash s = Hashtbl.hash (list_of s)

  let rec pure_type s = function
    | PTvar ({type_val = None} as v) ->
	(try Vmap.find v s with Not_found -> assert false (*t?*))
    | PTvar {type_val = Some pt} ->
	pure_type s pt
    | PTexternal (l, id) ->
	PTexternal (List.map (pure_type s) l, id)
    | PTint | PTreal | PTbool | PTunit as t -> t

end
module SubstV = GenSubst(SV)

(* sets of symbols instances *)
module Instance = struct 
  type t = Ident.t * pure_type list 
  let normalize (id, i) = (id, List.map PureType.normalize i)
  let equal (id1, i1) (id2, i2) = id1=id2 && List.for_all2 PureType.equal i1 i2
  let hash i = Hashtbl.hash (normalize i)
  let compare (id1, i1) (id2, i2) = 
    let c = compare id1 id2 in
    if c <> 0 then 
      c 
    else 
      compare (List.map PureType.normalize i1) (List.map PureType.normalize i2)
end

module SymbolsI = Set.Make(Instance)

(* the following module collects instances (within [Tapp] and [Papp]) *)
module OpenInstances = struct

  module S = SymbolsI

  let add ((_,i) as e) s =
    let is_open pt = not (is_closed_pure_type pt) in
    if List.exists is_open i then S.add e s else s

  let rec term s = function
    | Tvar _ | Tderef _ | Tconst _ -> s
    | Tapp (id, l, i) -> List.fold_left term (add (id,i) s) l
    | Tnamed(_,t) -> term s t

  let rec pattern s = function
    | TPat t -> term s t
    | PPat p -> predicate s p

(*   and triggers = List.fold_left (List.fold_left pattern) *)
      
  and predicate s = function
    | Pvar _ | Ptrue | Pfalse -> s
    | Papp (id, l, i) -> List.fold_left term (add (id,i) s) l
    | Pimplies (_, a, b) | Pand (_, _, a, b) | Por (a, b) | Piff (a, b)
    | Forallb (_, a, b) -> predicate (predicate s a) b
    | Pif (a, b, c) -> predicate (predicate (term s a) b) c
    | Pnot a -> predicate s a
    | Forall (_, _, _, _, tl, p) -> 
	List.fold_left (List.fold_left pattern) (predicate s p) tl
    | Exists (_, _, _, p) -> predicate s p
    | Plet (_, _, _, t, p) -> predicate (term s t) p
    | Pnamed (_, p) -> predicate s p
	  
end

(* unification of an open instance [t1] with a closed instance [t2];
   raises [Exit] if unification fails *)
let rec unify s t1 t2 = match (t1,t2) with
  | (PTexternal(l1,i1), PTexternal(l2,i2)) ->
      if i1 <> i2 || List.length l1 <> List.length l2 then raise Exit;
      List.fold_left2 unify s l1 l2
  | (_, PTvar {type_val=None}) ->
      unify s t2 t1
  | (_, PTvar {type_val=Some v2}) ->
      unify s t1 v2
  | (PTvar {type_val=Some v1}, _) ->
      unify s v1 t2
  | (PTvar ({type_val=None} as v1), _) ->
      begin
	try
	  let t1 = Vmap.find v1 s in
	  if t1 <> t2 then raise Exit;
	  s
	with Not_found ->
	  Vmap.add v1 t2 s
      end
  | PTint, PTint
  | PTbool, PTbool
  | PTreal, PTreal
  | PTunit, PTunit -> s
  | _ -> raise Exit

let unify_i = List.fold_left2 unify



(* main algorithm *)

(* declaration of abstract types *)
let declared_types = Htypes.create 97
let declare_type loc = function
  | PTexternal (i,x) as pt 
      when is_closed_pure_type pt && not (Htypes.mem declared_types pt) ->
      Htypes.add declared_types pt ();
      push (Dtype (loc, Ident.create (name (Ident.string x) i), []))
  | _ -> 
      ()

let push_logic_instance loc id i t =
  IterIT.logic_type (declare_type loc) t;
  let id = Ident.create (name (Ident.string id) i) in
  push (Dlogic (loc, id, empty_scheme t))

(* logic symbols (functions and predicates) *)

type logic_symbol = 
  | Uninterp of logic_type scheme
  | PredicateDef of predicate_def scheme
  | FunctionDef of function_def scheme
      
let logic_symbols = Hashtbl.create 97
			
let push_logic loc id t = 
  if Vset.is_empty t.scheme_vars then
    push_logic_instance loc id [] t.scheme_type
  else
    (* nothing to do until we encounter closed instances of [id] *)
    (* we only remember the type of [id] *)
    Hashtbl.add logic_symbols id (Uninterp t)
	
module Hinstance = Hashtbl.Make(Instance)
let declared_logic = Hinstance.create 97

let vset_elements s = Vset.fold (fun x l -> x :: l) s []
  
let rec declare_logic loc id i =
  if not (Hashtbl.mem external_logic id) &&
     i <> [] && 
     not (Hinstance.mem declared_logic (id,i)) 
  then begin
    Hinstance.add declared_logic (id,i) ();
    if debug then eprintf "Monomorph.declare_logic %a@." Ident.print id;
    assert (Hashtbl.mem logic_symbols id);
    match Hashtbl.find logic_symbols id with
      | Uninterp t ->
	  assert (Vset.cardinal t.scheme_vars = List.length i);
	  let s = 
	    List.fold_right2 Vmap.add 
	      (vset_elements t.scheme_vars) i Vmap.empty
	  in
	  let t = SubstV.logic_type s t.scheme_type in
	  (*
	    eprintf "Monomorph.declare_logic i=[%a] t=%a@."
	    (Pp.print_list Pp.comma Util.print_pure_type) i
	    Util.print_logic_type t;
	  *)
	  push_logic_instance loc id i t
      | PredicateDef p ->
	  assert (Vset.cardinal p.scheme_vars = List.length i);
	  let s = 
	    List.fold_right2 Vmap.add 
	      (vset_elements p.scheme_vars) i Vmap.empty
	  in
	  let p = SubstV.predicate_def s p.scheme_type in
 	  push_predicate_def_instance loc (Ident.string id) i p
      | FunctionDef p ->
	  assert (Vset.cardinal p.scheme_vars = List.length i);
	  let s = 
	    List.fold_right2 Vmap.add 
	      (vset_elements p.scheme_vars) i Vmap.empty
	  in
	  let p = SubstV.function_def s p.scheme_type in
 	  push_function_def_instance loc (Ident.string id) i p
  end
    
(* predicates definitions *)

and push_predicate_def_instance loc id i ((_bl,_p) as d) =
  IterIT.predicate_def (declare_logic loc) (declare_type loc) d;
  push (Dpredicate_def (loc,Ident.create (name id i), empty_scheme d))

and push_function_def_instance loc id i ((_bl,_t,_e) as d) =
  IterIT.function_def (declare_logic loc) (declare_type loc) d;
  push (Dfunction_def (loc, Ident.create (name id i), empty_scheme d))
      
let push_predicate_def loc id p0 =
  let (bl,_) = p0.scheme_type in
  assert (bl <> []);
  if Vset.is_empty p0.scheme_vars then
    push_predicate_def_instance loc (Ident.string id) [] p0.scheme_type
  else 
    Hashtbl.add logic_symbols id (PredicateDef p0)

let push_function_def loc id p0 =
  let (bl,_,_) = p0.scheme_type in
  assert (bl <> []);
  if Vset.is_empty p0.scheme_vars then
    push_function_def_instance loc (Ident.string id) [] p0.scheme_type
  else 
    Hashtbl.add logic_symbols id (FunctionDef p0)

  (* axioms *)

let push_axiom_instance loc id i p =
  IterIT.predicate (declare_logic loc) (declare_type loc) p;
  push (Daxiom (loc, name id i, empty_scheme p))

module Hsubst = Hashtbl.Make(SV)
		    
type axiom = {
  ax_pred : predicate scheme;
  ax_symbols : Ident.set;
  ax_symbols_i : SymbolsI.elt list;
  mutable ax_symbols_instances : SymbolsI.t; (*already considered instances*)
  ax_instances : unit Hsubst.t;
}
		 
let axioms = Hashtbl.create 97
		 
let push_axiom loc id p =
  if Vset.is_empty p.scheme_vars then
    push_axiom_instance loc id [] p.scheme_type
  else
    let oi = OpenInstances.predicate SymbolsI.empty p.scheme_type in
    let os = SymbolsI.fold (fun (id,_) -> Idset.add id) oi Idset.empty in
    let a = 
      { ax_pred = p; ax_symbols_i = SymbolsI.elements oi; 
	ax_symbols = os; ax_symbols_instances = SymbolsI.empty;
	ax_instances = Hsubst.create 97 } 
    in
    Hashtbl.add axioms id a

(* instantiating axioms may generate new instances, so we have to repeat it
   again until the fixpint is reached *)
	
let fixpoint = ref false
		   
(* instantiate a polymorphic axiom according to new symbols instances *)
let instantiate_axiom loc id a =
  (* first pass: we look at all (closed) instances encountered so far
     appearing in axiom [a] *)
  let all_ci = 
    Hinstance.fold
      (fun ((id,_) as i) () s -> 
	 if Idset.mem id a.ax_symbols then SymbolsI.add i s else s)
      declared_logic SymbolsI.empty
  in
  (* second pass: 
     if this set has not been already considered we instantiate *)
  if not (SymbolsI.subset all_ci a.ax_symbols_instances) then begin
    a.ax_symbols_instances <- all_ci;
    fixpoint := false;
    let p = a.ax_pred in
    let rec iter s l = 
      match l with
      | [] ->
	  if Vset.for_all 
	    (fun x -> 
	       try is_closed_pure_type (Vmap.find x s) 
	       with Not_found -> false)
	    p.scheme_vars 
	  then
	    if not (Hsubst.mem a.ax_instances s) then begin
	      Hsubst.add a.ax_instances s ();
	      let ps = SubstV.predicate s p.scheme_type in
	      let i = Vmap.fold (fun _ t acc -> t :: acc) s [] in
	      push_axiom_instance loc id i ps
	    end
      | (x,oi) :: oil ->
	  SymbolsI.iter 
	    (fun (y,ci) -> 
	       if x = y then
		 try let s = unify_i s oi ci in iter s oil
		 with Exit -> ()) 
	    all_ci;
	  iter s oil
    in
    iter Vmap.empty a.ax_symbols_i;
  end

let instantiate_axioms loc = 
  fixpoint := false;
  while not !fixpoint do
    fixpoint := true;
    Hashtbl.iter (instantiate_axiom loc) axioms;
  done

(* Obligations *)
    
let new_type = let r = ref 0 in fun () -> incr r; "type_" ^ string_of_int !r

let push_obligation loc is_lemma expl o s = 
  let vs, s = specialize_sequent s in
  Vmap.iter
    (fun _ tv -> 
       let pt = Ident.create (new_type ()) in
       push (Dtype (loc, pt, []));
       tv.type_val <- Some (PTexternal ([], pt)))
      vs;
  IterIT.sequent (declare_logic loc) (declare_type loc) s;
  instantiate_axioms loc;
  push (Dgoal (loc, is_lemma, expl, o, empty_scheme s))

let push_decl = function
  | Dtype (loc, id, []) -> declare_type loc (PTexternal ([], id))
  | Dtype _ -> ()
  | Dalgtype _ ->
      failwith "encoding rec: algebraic types are not supported"
  | Dlogic (loc, x, t) -> push_logic loc x t
  | Dpredicate_def (loc, x, d) -> push_predicate_def loc x d
  | Dinductive_def(_loc, _ident, _inddef) ->
      failwith "monomorph: inductive def not supported"
  | Dfunction_def (loc, x, d) -> push_function_def loc x d
  | Daxiom (loc, x, p) -> push_axiom loc x p
  | Dgoal (loc, is_lemma, expl, x, s) -> push_obligation loc is_lemma expl x s

let reset () =
  Queue.clear queue;
  Htypes.clear declared_types;
  Hinstance.clear declared_logic;
  Hashtbl.clear logic_symbols;
  Hashtbl.clear axioms

why-2.39/src/explain.mli0000644000106100004300000000465613147234006014176 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

(* explanations *)

val raw_loc : ?quote:bool -> ?pref:string -> Format.formatter -> Loc.floc -> unit
val print:  ?quote:bool -> Format.formatter ->  Logic_decl.vc_expl -> unit

val msg_of_kind : ?name:string -> Logic_decl.expl_kind -> string

why-2.39/src/hol4.mli0000644000106100004300000000454213147234006013376 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

(*s HOL 4 output (contributed by Seungkeol Choe, University of Utah) *)

val reset : unit -> unit
val push_decl : Logic_decl.t -> unit
val output_file : string -> unit
why-2.39/src/ptree.mli0000644000106100004300000001306313147234006013645 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(*s Parse trees. *)

open Logic
open Types

type loc = Loc.position

(*s Logical expressions (for both terms and predicates) *)

type pp_infix = 
  PPand | PPor | PPimplies | PPiff |
  PPlt | PPle | PPgt | PPge | PPeq | PPneq |
  PPadd | PPsub | PPmul | PPdiv 

type pp_prefix = 
  PPneg | PPnot

type ppure_type =
  | PPTint
  | PPTbool
  | PPTreal
  | PPTunit
  | PPTvarid of Ident.t * Loc.position
  | PPTexternal of ppure_type list * Ident.t * Loc.position

type lexpr = 
  { pp_loc : loc; pp_desc : pp_desc }

and pp_desc =
  | PPvar of Ident.t
  | PPapp of Ident.t * lexpr list
  | PPtrue
  | PPfalse
  | PPconst of constant
  | PPinfix of lexpr * pp_infix * lexpr
  | PPprefix of pp_prefix * lexpr
  | PPif of lexpr * lexpr * lexpr
  | PPforall of Ident.t * ppure_type * lexpr list list * lexpr
  | PPexists of Ident.t * ppure_type * lexpr
  | PPnamed of string * lexpr
  | PPlet of Ident.t * lexpr * lexpr
  | PPmatch of lexpr * ((Ident.t * Ident.t list * loc) * lexpr) list

type assertion = { 
  pa_name : Ident.name; 
  pa_value : lexpr; 
  pa_loc : Loc.position;
}

type postcondition = assertion * (Ident.t * assertion) list

(*s Parsed types *)

type peffect = { 
  pe_reads : Ident.t list;
  pe_writes : Ident.t list;
  pe_raises : Ident.t list
}

type ptype_v =
  | PVpure  of ppure_type
  | PVref   of ppure_type
  | PVarrow of ptype_v binder list * ptype_c

and ptype_c =
  { pc_result_name : Ident.t;
    pc_result_type : ptype_v;
    pc_effect : peffect;
    pc_pre    : assertion list;
    pc_post   : postcondition option }

(*s Parsed program. *)

type variable = Ident.t

type label = string

type variant = lexpr * variable

type exn_pattern = variable * variable option

type assert_kind = [`ASSERT | `CHECK]

type t = 
  { pdesc : t_desc;
    ploc : loc }

and t_desc =
  | Svar of variable
  | Sderef of variable
  | Sloop of assertion option * variant option * t
  | Sif of t * t * t
  | Slazy_and of t * t
  | Slazy_or of t * t
  | Snot of t
  | Sapp of t * t
  | Sletref of variable * t * t
  | Sletin of variable * t * t
  | Sseq of t * t
  | Slam of ptype_v binder list * assertion list * t
  | Srec of 
      variable * ptype_v binder list * ptype_v * variant option * 
	assertion list * t
  | Sraise of variable * t option * ptype_v option
  | Stry of t * (exn_pattern * t) list
  | Sconst of constant
  | Sabsurd of ptype_v option
  | Sany of ptype_c
  | Slabel of label * t
  | Sassert of assert_kind * assertion list * t
  | Spost of t * postcondition * transp

type parsed_program = t

(*s Declarations. *)

type external_ = bool

type plogic_type =
  | PPredicate of ppure_type list
  | PFunction of ppure_type list * ppure_type

type goal_kind = KLemma | KAxiom | KGoal

type decl = 
  | Include of loc * string
  | Program of loc * Ident.t * parsed_program
  | Parameter of loc * external_ * Ident.t list * ptype_v
  | Exception of loc * Ident.t * ppure_type option
  | Logic of loc * external_ * Ident.t list * plogic_type
  | Predicate_def of loc * Ident.t * (loc * Ident.t * ppure_type) list * lexpr
  | Inductive_def of loc * Ident.t * plogic_type * (loc * Ident.t * lexpr) list
  | Function_def 
      of loc * Ident.t * (loc * Ident.t * ppure_type) list * ppure_type * lexpr
  | Goal of loc * goal_kind * Ident.t * lexpr
  | TypeDecl of loc * external_ * Ident.t list * Ident.t
  | AlgType of (loc * Ident.t list * Ident.t
      * (loc * Ident.t * ppure_type list) list) list

type file = decl list
why-2.39/src/zenon.ml0000644000106100004300000003227613147234006013515 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(*s Zenon output *)

open Pp
open Ident
open Options
open Misc
open Logic
open Logic_decl
open Format
open Cc
open Env

(*s Pretty print *)

let is_zenon_keyword =
  let ht = Hashtbl.create 17 in
  List.iter (fun kw -> Hashtbl.add ht kw ())
    ["True"; "False"];
  Hashtbl.mem ht

let is_zenon_ident s =
  let is_zenon_char = function
    | 'a'..'z' | 'A'..'Z' | '0'..'9' | '_' -> true
    | _ -> false
  in
  try
    String.iter (fun c -> if not (is_zenon_char c) then raise Exit) s; true
  with Exit ->
    false

let renamings = Hashtbl.create 17
let fresh_name =
  let r = ref 0 in fun () -> incr r; "zenon__" ^ string_of_int !r

let rename s =
  if is_zenon_keyword s then
    "zenon__" ^ s
  else if not (is_zenon_ident s) then begin
    try
      Hashtbl.find renamings s
    with Not_found ->
      let s' = fresh_name () in
      Hashtbl.add renamings s s';
      s'
  end else
    s

let ident fmt id = fprintf fmt "%s" (rename (string id))
let idents fmt s = fprintf fmt "%s" (rename s)

let symbol fmt (id,_i) = ident fmt id
  (* Monomorph.symbol fmt (id, i) *)

let infix id =
  if id == t_lt then "why__lt"
  else if id == t_le then "why__le"
  else if id == t_gt then "why__gt"
  else if id == t_ge then "why__ge"
  (* int cmp *)
  else if id == t_lt_int then "why__lt_int"
  else if id == t_le_int then "why__le_int"
  else if id == t_gt_int then "why__gt_int"
  else if id == t_ge_int then "why__ge_int"
  (* int ops *)
  else if id == t_add_int then "why__add_int"
  else if id == t_sub_int then "why__sub_int"
  else if id == t_mul_int then "why__mul_int"
(*
  else if id == t_div_int then "why__div_int"
*)
  (* real ops *)
  else if id == t_add_real then "why__add_real"
  else if id == t_sub_real then "why__sub_real"
  else if id == t_mul_real then "why__mul_real"
  else if id == t_div_real then "why__div_real"
  else if id == t_lt_real then "why__lt_real"
  else if id == t_le_real then "why__le_real"
  else if id == t_gt_real then "why__gt_real"
  else if id == t_ge_real then "why__ge_real"
  else assert false

(* dead code
let external_type = function
  | PTexternal _ -> true
  | _ -> false
*)

let rec print_pure_type fmt = function
  | PTint -> fprintf fmt "INT"
  | PTbool -> fprintf fmt "BOOLEAN"
  | PTreal -> fprintf fmt "REAL"
  | PTunit -> fprintf fmt "UNIT"
  | PTvar {type_val=Some pt} -> print_pure_type fmt pt
  | PTvar {type_val=None; tag=t} -> fprintf fmt "'a%d" t
  | PTexternal (i ,id) -> symbol fmt (id,i)

let rec print_term fmt = function
  | Tvar id ->
      fprintf fmt "%a" ident id
  | Tconst (ConstInt n) ->
      fprintf fmt "why__int_const_%s" n
  | Tconst (ConstBool true) ->
      fprintf fmt "true"
  | Tconst (ConstBool false) ->
      fprintf fmt "false"
  | Tconst ConstUnit ->
      fprintf fmt "tt" (* TODO: CORRECT? *)
  | Tconst (ConstFloat c) ->
      Print_real.print_with_integers
	"why__real_const_%s"
	"(why__mul_real why__real_const_%s why__real_const_%s)"
	"(why_div_real why__real_const_%s why__real_const_%s)"
	fmt c
  | Tderef _ ->
      assert false
(*
  | Tapp (id, ([_;_] as tl), _) when id == t_mod_int ->
      fprintf fmt "@[(%a %a)@]" ident id print_terms tl
*)
  | Tapp (id, [a], _) when id == t_sqrt_real || id == t_int_of_real ->
      fprintf fmt "@[(%a %a)@]" ident id print_term a
  | Tapp (id, [a], _) when id == t_real_of_int ->
      fprintf fmt "@[(%a %a)@]" ident id print_term a
(**
  | Tapp (id, [a; b], _) when id == access ->
      fprintf fmt "@[(access@ %a@ %a)@]" print_term a print_term b
  | Tapp (id, [a; b; c], _) when id == store ->
      fprintf fmt "@[(update@ %a@ %a@ %a)@]"
	print_term a print_term b print_term c
**)
  | Tapp (id, [t], _) when id == t_neg_int ->
      fprintf fmt "@[(why__sub_int why__int_const_0 %a)@]" print_term t
  | Tapp (id, [t], _) when id == t_neg_real ->
      fprintf fmt "@[(why__sub_real why__real_const_0 %a)@]" print_term t
  | Tapp (id, [a;b], _) when is_relation id || is_arith id ->
      fprintf fmt "@[(%s %a %a)@]" (infix id) print_term a print_term b
  | Tapp (id, [], i) ->
      symbol fmt (id,i)
  | Tapp (id, tl, i) ->
      fprintf fmt "@[(%a %a)@]" symbol (id,i) print_terms tl
  | Tnamed (_, t) -> (* TODO: print name *)
      print_term fmt t

and print_terms fmt tl =
  print_list space print_term fmt tl

let rec print_predicate fmt = function
  | Ptrue ->
      fprintf fmt "True"
  | Pvar id when id == Ident.default_post ->
      fprintf fmt "True"
  | Pfalse ->
      fprintf fmt "False"
  | Pvar id ->
      fprintf fmt "%a" ident id
  | Papp (id, tl, _) when id == t_distinct ->
      fprintf fmt "@[(%a)@]" print_predicate (Util.distinct tl)
  | Papp (id, [_t], _) when id == well_founded ->
      fprintf fmt "True ;; was well_founded@\n"
  | Papp (id, [a; b], _) when id == t_eq_bool ->
      fprintf fmt "@[(= %a@ %a)@]" print_term a print_term b
  | Papp (id, [a; b], _) when id == t_neq_bool ->
      fprintf fmt "@[(-. (= %a@ %a))@]" print_term a print_term b
  | Papp (id, [a; b], _) when is_eq id ->
      fprintf fmt "@[(= %a@ %a)@]" print_term a print_term b
  | Papp (id, [a; b], _) when is_neq id ->
      fprintf fmt "@[(-. (= %a@ %a))@]" print_term a print_term b
  | Papp (id, [a;b], _) when is_int_comparison id || is_real_comparison id ->
      fprintf fmt "@[(%s %a %a)@]" (infix id) print_term a print_term b
  | Papp (id, [a;b], _) when id == t_zwf_zero ->
      fprintf fmt
	"@[(/\\ (why__le_int why__int_const_0 %a)@ (why__lt_int %a %a))@]"
	print_term b print_term a print_term b
  | Papp (id, tl, i) ->
      fprintf fmt "@[(%a@ %a)@]" symbol (id, i) print_terms tl
  | Pimplies (_, a, b) ->
      fprintf fmt "@[(=> %a@ %a)@]" print_predicate a print_predicate b
  | Piff (a, b) ->
      fprintf fmt "@[(<=> %a@ %a)@]" print_predicate a print_predicate b
  | Pif (a, b, c) ->
      fprintf fmt
     "@[(/\\ (=> (= %a true) %a)@ (=> (= %a false) %a))@]"
      print_term a print_predicate b print_term a print_predicate c
  | Pand (_, _, a, b) | Forallb (_, a, b) ->
      fprintf fmt "@[(/\\ %a@ %a)@]" print_predicate a print_predicate b
  | Por (a, b) ->
      fprintf fmt "@[(\\/ %a@ %a)@]" print_predicate a print_predicate b
  | Pnot a ->
      fprintf fmt "@[(-.@ %a)@]" print_predicate a
  | Forall (_,id,n,t,_,p) ->
      let id' = next_away id (predicate_vars p) in
      let p' = subst_in_predicate (subst_onev n id') p in
      fprintf fmt "@[(A. ((%a \"%a\")@ %a))@]"
	ident id' print_pure_type t print_predicate p'
  | Exists (id,n,t,p) ->
      let id' = next_away id (predicate_vars p) in
      let p' = subst_in_predicate (subst_onev n id') p in
      fprintf fmt "@[(E. ((%a \"%a\")@ %a))@]"
	ident id' print_pure_type t print_predicate p'
  | Pnamed (_, p) -> (* TODO: print name *)
      print_predicate fmt p
  | Plet (_, n, _, t, p) ->
      print_predicate fmt (subst_term_in_predicate n t p)

(* dead code
let cc_external_type = function
  | Cc.TTpure ty -> external_type ty
  | Cc.TTarray (Cc.TTpure (PTexternal _)) -> true
  | _ -> false

let rec print_cc_type fmt = function
  | TTpure pt ->
      print_pure_type fmt pt
  | TTarray v ->
      fprintf fmt "(@[ARRAY_%a@])" print_cc_type v
  | _ ->
      assert false
*)

let print_sequent fmt (hyps,concl) =
  let rec print_seq fmt = function
    | [] ->
	print_predicate fmt concl
    | Svar (id, v) :: hyps ->
	fprintf fmt "@[(A. ((%a \"%a\")@ %a))@]"
	  ident id print_pure_type v print_seq hyps
    | Spred (_,p) :: hyps ->
	fprintf fmt "@[(=> %a@ %a)@]" print_predicate p print_seq hyps
  in
  print_seq fmt hyps

(* dead code
let print_logic_type fmt = function
  | Predicate [] ->
      fprintf fmt "prop"
  | Predicate pl ->
      fprintf fmt "%a -> prop" (print_list comma print_pure_type) pl
  | Function ([], pt) ->
      print_pure_type fmt pt
  | Function (pl, pt) ->
      fprintf fmt "%a -> %a"
	(print_list comma print_pure_type) pl print_pure_type pt
*)

let declare_type fmt id =
  fprintf fmt "@[;; type %s@]@\n@\n" id

(* dead code
let print_parameter fmt id c =
  fprintf fmt
    "@[;; Why parameter %a@]@\n" idents id;
  fprintf fmt
    "@[;;  %a: %a@]@\n@\n" idents id print_cc_type c
*)

let print_logic fmt id _t =
  fprintf fmt ";; Why logic %a@\n@\n" idents id
  (*
  fprintf fmt "@[;; %a%a: %a@]@\n@\n" idents id instance i print_logic_type t
  *)

(* Function and predicate definitions are handled in Encoding *)
(*
let print_predicate_def fmt id (bl,p) =
  fprintf fmt "@[;; Why predicate %a@]@\n" idents id;
  fprintf fmt "@[$hyp \"%a\" " idents id;
  List.iter (fun (x,_) -> fprintf fmt "(A. ((%a)@ " ident x) bl;
  fprintf fmt "(<=> (%a %a)@ %a)"
    idents id
    (print_list space (fun fmt (x,_) -> fprintf fmt "%a" ident x)) bl
    print_predicate p;
  List.iter (fun _ -> fprintf fmt "))") bl;
  fprintf fmt "@]@\n@\n"

let print_function_def fmt id (bl,t,e) =
  fprintf fmt "@[;; Why function %a@]@\n" idents id;
  fprintf fmt "@[$hyp \"%a\" " idents id;
  List.iter (fun (x,_) -> fprintf fmt "(A. ((%a)@ " ident x) bl;
  fprintf fmt "(= (%a %a)@ %a)"
    idents id
    (print_list space (fun fmt (x,_) -> fprintf fmt "%a" ident x)) bl
    print_term e;
  List.iter (fun _ -> fprintf fmt "))@]@\n") bl;
  fprintf fmt "@]@\n"
*)

let print_axiom fmt id p =
  fprintf fmt "@[;; Why axiom %s@]@\n" id;
  fprintf fmt "@[$hyp \"%s\" %a@]@\n@\n" id print_predicate p

let print_obligation fmt loc _is_lemma _expl o s =
  fprintf fmt "@[;; %s, %a@]@\n" o Loc.gen_report_line loc;
  fprintf fmt "@[$goal %a@]@\n\n" print_sequent s

let push_decl d = Encoding.push d

let iter = Encoding.iter (*Monomorph.iter*)

let reset () = Encoding.reset (*Monomorph.reset*) ()

let output_elem fmt = function
  | Dtype (_loc, id, _) -> declare_type fmt (Ident.string id)
  | Dalgtype _ ->
      assert false
(*
      failwith "Zenon output: alebraic types are not supported"
*)
  | Dlogic (_loc, id, t) ->
      print_logic fmt (Ident.string id) t.scheme_type
  | Dpredicate_def (_loc, _id, _d) ->
      assert false
(*
      let id = Ident.string id in
      print_predicate_def fmt id d.scheme_type
*)
  | Dinductive_def _ ->
      assert false
(*
      failwith "Zenon output: inductive def not yet supported"
*)
  | Dfunction_def (_loc, _id, _d) ->
      assert false
(*
      let id = Ident.string id in
      print_function_def fmt id d.scheme_type
*)
  | Daxiom (_loc, id, p) -> print_axiom fmt id p.scheme_type
  | Dgoal (loc, is_lemma, expl, id, s) ->
      print_obligation fmt loc is_lemma expl id s.Env.scheme_type

let prelude_done = ref false
let prelude fmt =
  if not !prelude_done && not no_zenon_prelude then begin
    prelude_done := true;
    fprintf fmt "\
@\n;; Zenon prelude\
@\n\
@\n$hyp \"why__prelude_1\" ; x+0=x\
@\n   (A. ((x \"INT\") (= (why__add_int x why__int_const_0) x)))\
@\n$hyp \"why__prelude_2\" ; 0+x=x\
@\n   (A. ((x \"INT\") (= (why__add_int why__int_const_0 x) x)))\
@\n$hyp \"why__prelude_3\" ; x+y=y+x\
@\n   (A. ((x \"INT\") (A. ((y \"INT\")\
@\n     (= (why__add_int x y) (why__add_int y x))))))\
@\n\
@\n"
  end

let print_file fmt = iter (output_elem fmt)

let output_file ~allowedit file =
  if allowedit then
    begin
      let sep = ";; DO NOT EDIT BELOW THIS LINE" in
      do_not_edit_below ~file
	~before:prelude
	~sep
	~after:print_file
    end
  else
    print_in_file print_file file

why-2.39/src/lib.ml0000644000106100004300000000772713147234006013135 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



module Sset = Set.Make(String)

(* small library common to Why and Caduceus *)

let mkdir_p dir =
  if Sys.file_exists dir then begin
    if (Unix.stat dir).Unix.st_kind <> Unix.S_DIR then
      failwith ("failed to create directory " ^ dir)
  end else
    Unix.mkdir dir 0o777

let file ~dir ~file = 
  mkdir_p dir;
  Filename.concat dir (Filename.basename file)

let file_subdir ~dir ~file = 
  let d = Filename.dirname file in
  let d = Filename.concat d dir in
  mkdir_p d;
  Filename.concat d (Filename.basename file)

let file_copy src dest =
  let cin = open_in src
  and cout = open_out dest
  and buff = String.make 1024 ' ' 
  and n = ref 0 
  in
  while n := input cin buff 0 1024; !n <> 0 do 
    output cout buff 0 !n
  done;
  close_in cin; close_out cout

let file_copy_if_different src dst =
  if not (Sys.file_exists dst) || Digest.file dst <> Digest.file src then
    file_copy src dst

let channel_contents_buf cin =
  let buf = Buffer.create 1024
  and buff = String.make 1024 ' ' in
  let n = ref 0 in
  while n := input cin buff 0 1024; !n <> 0 do 
    Buffer.add_substring buf buff 0 !n
  done;
  buf

let channel_contents cin = Buffer.contents (channel_contents_buf cin)

let file_contents f =
  try 
    let cin = open_in f in
    let s = channel_contents cin in
    close_in cin;
    s
  with _ -> 
    invalid_arg (Printf.sprintf "(cannot open %s)" f)

let file_contents_buf f =
  try 
    let cin = open_in f in
    let buf = channel_contents_buf cin in
    close_in cin;
    buf
  with _ -> 
    invalid_arg (Printf.sprintf "(cannot open %s)" f)
      

let remove_file ~debug f =
  if debug then 
    Format.eprintf "Debug: not removing temporary file '%s'@." f 
  else
    try 
      Sys.remove f;
    with _ -> 
      Format.eprintf "Warning: could not remove temporary file '%s'@." f


why-2.39/src/misc.mli0000644000106100004300000002471413147234006013466 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(* Some misc. functions *)

open Logic
open Types
open Ast
open Cc


val is_mutable : type_v -> bool
val is_pure : type_v -> bool
val is_closed_pure_type : pure_type -> bool
val normalize_pure_type : pure_type -> pure_type

val is_default_post : assertion -> bool

(* Substitution within assertions and pre/post-conditions *)
val asst_app : (predicate -> predicate) -> assertion -> assertion
val optasst_app : 
  (predicate -> predicate) -> assertion option -> assertion option
val post_app : ('a -> 'b) -> 'a * ('c * 'a) list -> 'b * ('c * 'b) list
val optpost_app :
  ('a -> 'b) -> ('a * ('c * 'a) list) option -> ('b * ('c * 'b) list) option
val optpost_fold :
  (predicate -> 'a -> 'a) ->
  (assertion * ('b * assertion) list) option -> 'a -> 'a
(***
val post_app : (predicate -> predicate) -> postcondition -> postcondition
val optpost_app : 
  (predicate -> predicate) -> postcondition option -> postcondition option
val optpost_fold : (predicate -> 'a -> 'a) -> postcondition option -> 'a -> 'a
***)

val asst_fold : (predicate -> 'a -> 'a) -> assertion -> 'a -> 'a

(* Substitution within some parts of postconditions (value or exns) *)
val val_app : (predicate -> predicate) -> postcondition -> postcondition
val exn_app : Ident.t -> 
              (predicate -> predicate) -> postcondition -> postcondition
val optval_app : 
  (predicate -> predicate) -> postcondition option -> postcondition option
val optexn_app : 
  Ident.t -> 
  (predicate -> predicate) -> postcondition option -> postcondition option

val a_value : assertion -> predicate
val a_values : assertion list -> predicate list

val anonymous : Loc.position -> predicate -> assertion
val pre_named  : Loc.position -> predicate -> assertion
val post_named  : Loc.position -> predicate -> assertion
val wp_named : Loc.position -> predicate -> assertion

(*s Default exceptional postcondition (inserted when not given) *)
val default_post : assertion

(***
val force_post_name : postcondition option -> postcondition option
val force_bool_name : postcondition option -> postcondition option
***)
val force_wp_name : assertion option -> assertion option

val force_loc : Loc.position -> assertion -> assertion
val force_post_loc : Loc.position -> postcondition -> postcondition
(***
val force_type_c_loc : Loc.position -> type_c -> type_c
***)

val post_val : 'a * 'b -> 'a
val post_exn : Ident.t -> 'a * (Ident.t * 'b) list -> 'b
val optpost_val : postcondition option -> assertion option
val optpost_exn : Ident.t -> postcondition option -> assertion option

val map_succeed : ('a -> 'b) -> 'a list -> 'b list

val option_app : ('a -> 'b) -> 'a option -> 'b option
val option_iter : ('a -> unit) -> 'a option -> unit
val option_fold : ('a -> 'b -> 'b) -> 'a option -> 'b -> 'b

val list_of_some : 'a option -> 'a list
val difference : 'a list -> 'a list -> 'a list
val last : 'a list -> 'a

val list_combine3 : 'a list -> 'b list -> 'c list -> ('a * 'b * 'c) list

val list_first : ('a -> 'b) -> 'a list -> 'b

val if_labelled : (Ident.t * string -> unit) -> Ident.t -> unit

type avoid = Ident.set
val renaming_of_ids : avoid -> Ident.t list -> (Ident.t * Ident.t) list * avoid

val pre_name    : Ident.name -> Ident.t
val post_name   : unit -> Ident.t
val inv_name    : Ident.name -> Ident.t
val test_name   : unit -> Ident.t
val wp_name     : unit -> Ident.t
val h_name      : Ident.name -> Ident.t

val bool_name   : unit -> Ident.t
val variant_name : unit -> Ident.t
val phi_name    : unit -> Ident.t
val for_name    : unit -> Ident.t
val label_name  : unit -> string
val wf_name     : unit -> Ident.t
val fresh_var   : unit -> Ident.t
val fresh_c_var : unit -> Ident.t
val fresh_hyp   : unit -> Ident.t
val fresh_axiom : unit -> Ident.t

val post_name_from : Ident.name -> Ident.t

val reset_names : unit -> unit

val id_of_name : Ident.name -> Ident.t

val rationalize : string -> string * string

(*s Functions over terms and predicates. *)

val applist : term -> term list -> term
val papplist : predicate -> term list -> predicate

val predicate_of_term : term -> predicate

val term_vars : term -> Ident.set
val predicate_vars : predicate -> Ident.set
val post_vars : Types.postcondition -> Ident.set
val apost_vars : postcondition -> Ident.set

val subst_in_term : var_substitution -> term -> term
val tsubst_in_term : substitution -> term -> term

val subst_in_assertion : var_substitution -> assertion -> assertion

val subst_in_predicate : var_substitution -> predicate -> predicate
val tsubst_in_predicate : substitution -> predicate -> predicate

val subst_in_pattern : var_substitution -> pattern -> pattern
val tsubst_in_pattern : substitution -> pattern -> pattern

val subst_in_triggers : var_substitution -> triggers -> triggers

val subst_one : Ident.t -> term -> substitution
val subst_onev : Ident.t -> Ident.t -> var_substitution
val subst_many : Ident.t list -> term list -> substitution
val subst_manyv : Ident.t list -> Ident.t list -> var_substitution

val subst_term_in_predicate : Ident.t -> term -> predicate -> predicate

val map_predicate : (predicate -> predicate) -> predicate -> predicate

val type_v_subst : var_substitution -> type_v -> type_v
val type_c_subst : var_substitution -> type_c -> type_c

val type_v_rsubst : substitution -> type_v -> type_v
val type_c_rsubst : substitution -> type_c -> type_c

val type_c_of_v : type_v -> type_c
val make_arrow : type_v binder list -> type_c -> type_v

val make_binders_type_v : type_v -> type_v
val make_binders_type_c : type_c -> type_c

val unref_term : term -> term

val equals_true : term -> term
val equals_false : term -> term

val mlize_type : type_v -> pure_type

(*s Smart constructors for terms and predicates. *)

val ttrue : term
val tfalse : term
val tresult : term
val tvoid : term

val relation : Ident.t -> term -> term -> predicate
val not_relation : Ident.t -> term -> term -> predicate
val make_int_relation : Ident.t -> Ident.t

val lt : term -> term -> predicate
val le : term -> term -> predicate
val lt_int : term -> term -> predicate
val le_int : term -> term -> predicate
val gt : term -> term -> predicate
val ge : term -> term -> predicate
val ge_real : term -> term -> predicate
val eq : term -> term -> predicate
val neq : term -> term -> predicate

val array_length : Ident.t -> pure_type -> term

val pif : term -> predicate -> predicate -> predicate
val pand : ?is_wp:is_wp -> ?is_sym:bool -> predicate -> predicate -> predicate
val pands : ?is_wp:is_wp -> ?is_sym:bool -> predicate list -> predicate
val por : predicate -> predicate -> predicate
val pors : predicate list -> predicate
val pnot : predicate -> predicate
val pimplies : ?is_wp:is_wp -> predicate -> predicate -> predicate

(* WP connectives *)
val wpand : ?is_sym:bool -> predicate -> predicate -> predicate
val wpands : ?is_sym:bool -> predicate list -> predicate
val wpimplies : predicate -> predicate -> predicate

val simplify : predicate -> predicate

(*s Equalities *)

val eq_pure_type : pure_type -> pure_type -> bool
val eq_term : term -> term -> bool
val eq_predicate : predicate -> predicate -> bool (* no alpha-equivalence *)

(*s Debug functions *)

module Size : sig
  val predicate : predicate -> int
  val term : term -> int
  val postcondition : postcondition -> int
  val postcondition_opt : postcondition option -> int
end 

(*s functions over CC terms *)

val cc_var : Ident.t -> 'a cc_term
val cc_term : term -> 'a cc_term
val cc_applist : 'a cc_term -> 'a cc_term list -> 'a cc_term
val cc_lam : cc_binder list -> 'a cc_term -> 'a cc_term

val tt_var : Ident.t -> cc_type
val tt_arrow : cc_binder list -> cc_type -> cc_type

(*s Pretty-print *)

open Format

val warning : string -> unit
val wprintf : Loc.position -> ('a, Format.formatter, unit) format -> 'a
val unlocated_wprintf : ('a, Format.formatter, unit) format -> 'a

(* [do_not_edit f before sep after] updates the part of file [f] following a
   line matching [sep] exactly (e.g. \verb!(* DO NOT EDIT BELOW THIS LINE *)!);
   a backup of the original file is done in [f.bak].
   when [f] does not exists, it is created by calling [before], inserting
   [sep] and then calling [after]. *)

val do_not_edit_below : 
  file:string -> 
  before:(formatter -> unit) -> 
  sep:string -> 
  after:(formatter -> unit) -> unit

val do_not_edit_above : 
  file:string -> 
  before:(formatter -> unit) -> 
  sep:string -> 
  after:(formatter -> unit) -> unit

val file_formatter : (Format.formatter -> unit) -> (out_channel -> unit)

why-2.39/src/hypotheses_filtering.ml0000644000106100004300000022256713147234006016626 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(**
   This module provides a quick way to filter hypotheses of 
   a goal. It is activated by the option 
   --prune-hyp vb pb 
   where vb an pb are integers that are positive or null. 
   vb is the bound of the max depth of the variable graph search 
   pb is the bound of the max depth of the predicate graph search 
   The number of selected hypotheses increases w.r.t. vb and pb. 
   
   The internal flow is:
   1) Hypotheses are expanded thanks to the intros tactic. 
   A short goal is then produced.
   2) Variables of hypothesis are stored into a graph where 
  - a variable is represented by a vertex
   - a predicate linking some variables is represented by 
   the complete graph with all the vertices 
   corresponding to the variables 
   3) A breadth-first search algorithm, bounded by the constant pb
   computes the set of relevant predicates P
   4) A breadth-first search algorithm, bounded by the constant k
   computes the set of relevant variables V
   5) An hypothesis is selected  by comparing its set of variables 
   with R and its set of predicates with P 
**)


open Ident
open Options
open Misc
open Logic
open Logic_decl
open Env
open Cc
open Util
open Graph.Path

(* Strategies with constants *)
type var_strat =
    AllVars
  | One
  | AllInABranch
  | SplitHyps
  | CNFHyps

let prune_context = Options.prune_context
let use_comparison_as_criteria_for_graph_construction =
  Options.pruning_hyp_CompInGraph
let use_comparison_as_criteria_for_hypothesis_filtering = 
	Options.pruning_hyp_CompInFiltering
let keep_quantification_link_beween_vars = 
	Options.pruning_hyp_LinkVarsQuantif
(* Setup of comparison management *)
let keep_single_comparison_representation = 
	Options.pruning_hyp_keep_single_comparison_representation
let considere_arith_comparison_as_special_predicate = 
	Options.pruning_hyp_considere_arith_comparison_as_special_predicate
let comparison_eqOnly = Options.pruning_hyp_comparison_eqOnly
let suffixed_comparison = Options.pruning_hyp_suffixed_comparison
let equalities_linked = Options.pruning_hyp_equalities_linked
let arith_tactic = Options.pruning_hyp_arithmetic_tactic
let var_filter_tactic = match Options.pruning_hyp_var_tactic with
  | 0 -> AllVars
  | 1 -> One
  | 2 -> AllInABranch
  | 3 -> SplitHyps
  | 4 -> CNFHyps
  | _ -> failwith "Heuristic failed."
let polarized_preds = Options.pruning_hyp_polarized_preds

let pb = ref Options.pruning_hyp_p
let vb = ref Options.pruning_hyp_v
let v_count = ref 0
let hyp_count = ref 0

let set_pb n =
  pb := n

let set_vb n =
  vb := n

let context = ref []
let predicateMaximumDepth = ref 0
let variablesMaximumDepth = ref 0


(**
***********************
VarStringSet module and miscenalous tools
***********************
**)

type var_string =
  | PureVar of string (*already present*)
  | FreshVar of string (*introduced by a flatening step*)

module VarStringSet = Set.Make(struct type t = var_string let compare = compare end)

let member_of str st =
  VarStringSet.mem (PureVar str) st || VarStringSet.mem (FreshVar str) st

let distinct_vars v1 v2 =
  match (v1, v2) with
    (PureVar (id1), PureVar (id2)) ->
      id1 <> id2
  | _ -> assert false

let string_of_var v =
  match v with
    PureVar(id) -> id
  | FreshVar(id) -> id

let display_var_set set =
  VarStringSet.iter
    (fun s ->
          Format.printf "%s " (string_of_var s)) set;
  Format.printf "@\n@."

(** returns the free variables of a term that are not outer quantified (in qvars) **)
let free_vars_of qvars t =
  let vars = ref VarStringSet.empty in
  let rec collect formula =
    match formula with
    | Tapp (_id, tl, _) ->
        List.iter collect tl
    | Tvar (id) ->
        if not (VarStringSet.mem (PureVar (Ident.string id)) qvars) then
          vars := VarStringSet.add (PureVar (Ident.string id)) !vars
    | _ -> () in
  collect t;
  !vars

(** returns the free variables of a predicate that are not inner quantified **)
let free_vars_of p =
  let vars = ref VarStringSet.empty in
  let rec collect qvars formula =
    match formula with
    | Papp (_, tl, _) ->
        List.iter
          (fun t ->
                let v' = free_vars_of qvars t in
                vars := VarStringSet.union v' !vars) tl
    | Pand (_, _, a, b) | Forallb (_, a, b) | Por (a, b) | Piff (a, b) 
    | Pimplies (_, a, b) ->
        collect qvars a;
        collect qvars b
    | Pif (a, b, c) ->
        let v' = free_vars_of qvars a in
        vars := VarStringSet.union v' !vars;
        collect qvars b;
        collect qvars c
    | Pnot a -> collect qvars a;
    | Forall (_, id, _, _, _, p) | Exists (id, _, _, p) ->
        collect (VarStringSet.add (PureVar (Ident.string id)) qvars) p
    | Plet (_, n, _, t, p)  ->
        collect qvars (subst_term_in_predicate n t p) (* FIXME? *)
    | Pnamed (_, p) -> collect qvars p
    | Pvar _ | Pfalse | Ptrue -> ()
  in
  collect VarStringSet.empty p;
  !vars

(** returns the nnf of a formula **)
let rec nnf fm =
  let boolTrue = Tconst (ConstBool true) in
  match fm with
  | Pand (p1, p2, p, q) -> Pand(p1, p2, nnf p, nnf q)
  | Forallb (p1, p, q) -> Pand(p1, false, nnf p, nnf q)
  | Por (p, q) -> Por(nnf p, nnf q)
  | Pimplies (_, p, q)
  -> Por (nnf (Pnot p), nnf q)
  | Piff (p, q) ->
      Pand(false, false, Por(nnf (Pnot p), nnf q), Por(nnf p, nnf(Pnot q)))
  | Pif (a, b, c) ->
      Pand (false, false,
        Por (Papp (t_neq_bool, [boolTrue; a], []),
          nnf b),
        Por (Papp (t_eq_bool, [boolTrue; a], []), nnf c))
  | Forall (t1, t2, p3, p4, p5, p) ->
      Forall(t1, t2, p3, p4, p5, nnf p)
  | Exists (t1, t2, pt, p) ->
      Exists (t1, t2, pt, nnf p)
  | Pnot (Pnot p) -> nnf p
  | Pnot (Pand (_, _, p, q)) -> Por(nnf (Pnot p), nnf(Pnot q))
  | Pnot (Por (p, q)) -> Pand(false, false, nnf (Pnot p), nnf (Pnot q))
  | Pnot (Pimplies (pwp, p, q)) -> Pand(pwp, false, nnf p, nnf (Pnot q))
  | Pnot (Piff (p, q)) -> Por( Pand(false, false, nnf p, nnf(Pnot q)),
        Pand(false, false, nnf (Pnot p), nnf q))
  | Pnot(Forall(_, t1, t2, ty, _, p)) ->
      Exists(t1, t2, ty, (nnf (Pnot p)))
  | Pnot(Forallb (_, p, q)) -> Por(nnf (Pnot p), nnf(Pnot q))
  | Pnot(Exists (t1, t2, pt, p)) ->
      Forall(false, t1, t2, pt,[], (nnf (Pnot p)))
  | Pnot(Pif (a, b, c)) ->
      Por (
        Pand (false, false, Papp (t_eq_bool, [boolTrue; a], []),
          nnf (Pnot b)),
        Pand (false, false, Papp (t_neq_bool, [boolTrue; a], []),
          nnf (Pnot c)))
  | _ -> fm

(** reduces as possible the scope of quantifier
@param pr is the concerned predicate **)
let miniscoping pr =
  let rec mq q fm =
    match q with
    | Forall (t1, t2, p3, p4, p5, _) ->
        begin
          if not (member_of
                (Ident.string t2)
                (free_vars_of fm)) then
            fm
          else
            begin
              match fm with
              | Pand (p1, p2, p, q) ->
                  if not (member_of
                        (Ident.string t2)
                        (free_vars_of p)) then
                    let q' = mq (Forall(t1, t2, p3, p4, p5, q)) q in
                    Pand (p1, p2, p, q')
                  else
                  if not (member_of
                        (Ident.string t2)
                        (free_vars_of q)) then
                    let p' = mq (Forall(t1, t2, p3, p4, p5, p)) p in
                    Pand (p1, p2, p', q)
                  else
                    Pand (p1, p2,
                      mq (Forall (t1, t2, p3, p4, p5, p)) p,
                      mq (Forall (t1, t2, p3, p4, p5, q)) q)
              | Por (p, q) ->
                  if not (member_of
                        (Ident.string t2)
                        (free_vars_of p)) then
                    let q' = mq (Forall(t1, t2, p3, p4, p5, q)) q in
                    Por (p, q')
                  else
                  if not (member_of
                        (Ident.string t2)
                        (free_vars_of q)) then
                    let p' = mq (Forall (t1, t2, p3, p4, p5, p)) p in
                    Por (p', q)
                  else
                    Forall (t1, t2, p3, p4, p5, fm)
              | _ -> Forall (t1, t2, p3, p4, p5, fm)
            end
        end
    | Exists (t1, t2, pt, _p) ->
        begin
          if not (member_of
                (Ident.string t1)
                (free_vars_of fm)) then
            fm
          else
            match fm with
            | Pand (p1, p2, p, q) ->
                if not (member_of
                      (Ident.string t1)
                      (free_vars_of p)) then
                  let q' = mq (Exists(t1, t2, pt, q)) q in
                  Pand (p1, p2, p, q')
                else
                if not (member_of
                      (Ident.string t1)
                      (free_vars_of q)) then
                  let p' = mq (Exists(t1, t2, pt, p)) p in
                  Pand (p1, p2, p', q)
                else
                  Exists(t1, t2, pt, fm)
            | Por (p, q) ->
                if not (member_of
                      (Ident.string t1)
                      (free_vars_of p)) then
                  let q' = mq (Exists(t1, t2, pt, q)) q in
                  Por (p, q')
                else
                if not (member_of
                      (Ident.string t1)
                      (free_vars_of q)) then
                  let p' = mq (Exists (t1, t2, pt, p)) p in
                  Por (p', q)
                else
                  Por(
                    mq (Exists (t1, t2, pt, p)) p,
                    mq (Exists (t1, t2, pt, q)) q)
            | _ -> Exists(t1, t2, pt, fm)
        end
    | _ -> assert false
  in
  (** rewrites Forallb into Forall and call mq to reduce scoping of quantifiers **)
  let rec minib fm =
    match fm with
    | Pand (p1, p2, p, q) -> Pand(p1, p2, minib p, minib q)
    | Forallb (p1, p, q) -> Pand(p1, false, minib p, minib q)
    | Por (p, q) -> Por(minib p, minib q)
    | Forall (_t1, _t2, _p3, _p4, _p5, p) as pi -> mq pi (minib p)
    | Exists (_t1, _t2, _pt, p) as pi -> mq pi (minib p)
    | _ -> fm
  in
  minib (nnf pr)

(** compute the cnf of a predicate **)
let cnf fm =
  let rec cnfp p = match p with
    | Pand (p1, p2, p, q) -> Pand(p1, p2, cnfp p, cnfp q)
    | Por (p1, p2) -> distr (cnfp p1, cnfp p2)
    | Forall (t1, t2, p3, p4, p5, p) -> Forall (t1, t2, p3, p4, p5, cnfp p)
    | Exists (t1, t2, pt, p) -> Exists (t1, t2, pt, cnfp p)
    | _ -> p
  and distr = function
    | (Exists (t1, t2, pt, p), y) -> Exists (t1, t2, pt, distr (p, y))
    | (y, Exists (t1, t2, pt, p)) -> Exists (t1, t2, pt, distr (y, p))
    | (Forall (t1, t2, p3, p4, p5, p), y) -> Forall (t1, t2, p3, p4, p5, distr(p, y))
    | (y, Forall (t1, t2, p3, p4, p5, p)) -> Forall (t1, t2, p3, p4, p5, distr(y, p))
    | (Pand (p1, p2, x2, x3), y) -> Pand (p1, p2, distr (x2, y), distr (x3, y))
    | (x, Pand (p1, p2, y2, y3)) -> Pand (p1, p2, distr (x, y2), distr (x, y3))
    | (x, y) -> Por(x, y)
  
  (* all hypothesis functions are defined without Pnamed case. It is then    *)
  (* removed before selection. It does not have any implication on produced  *)
  (* code.                                                                   *)
  and rm_pnamed par = match par with
    | Pnamed(_, p) -> rm_pnamed p
    | Exists (a, b, c, d) -> Exists (a, b, c, (rm_pnamed d))
    | Forallb (a, b, c) -> Forallb (a, (rm_pnamed b), (rm_pnamed c))
    | Forall (a, b, c, d, e, f) -> Forall (a, b, c, d, e, (rm_pnamed f))
    | Plet (id, x, pt, t, p) -> Plet (id, x, pt, t, rm_pnamed p)
    | Pnot a -> rm_pnamed a
    | Piff (a, b) -> Piff (rm_pnamed a, rm_pnamed b)
    | Por (c, d) -> Por (rm_pnamed c, rm_pnamed d)
    | Pand (a, b, c, d) -> Pand (a, b, rm_pnamed c, rm_pnamed d)
    | Pif (a, b, c) -> Pif (a, rm_pnamed b, rm_pnamed c)
    | Pimplies (a, b, c) -> Pimplies (a, rm_pnamed b, rm_pnamed c)
    | Papp (a, b, c) -> Papp (a, b, c)
    | Pvar a -> Pvar a
    | Pfalse -> Pfalse
    | Ptrue -> Ptrue
  in
  cnfp (miniscoping (rm_pnamed fm))

(** avoided vars **)
let avoided_vars = VarStringSet.singleton (PureVar "alloc")

(** a variable name will be associated to each hypothesis **)
let hash_hyp_vars : (predicate,'a) Hashtbl.t = Hashtbl.create 20

let display_str str set =
  Format.printf "%s : " str;
  display_var_set set;
  Format.printf "@\n@."

module SS_set = Set.Make(struct type t = VarStringSet.t let compare = compare end)

(* Provide a fresh variable identifier from an identifier *)
let bound_variable id =
  v_count := !v_count + 1;
  Ident.create ((Ident.string id)^"_"^ (string_of_int !v_count))

let my_fresh_hyp_str () =
  hyp_count := !hyp_count + 1;
  (string_of_int !hyp_count)

let my_fresh_hyp () =
  hyp_count := !hyp_count + 1;
  Ident.create (string_of_int !hyp_count)

let get_flaged_var v ac_fv_set =
  if not (member_of (Ident.string v) ac_fv_set)
  then
    (PureVar (Ident.string v))
  else
    (FreshVar (Ident.string v))

(**
@return vars which is a set of sets of variables
(either pure or fresh) contained in tl
@param qvars is a set of quantified variables
@tl is the list of terms
@param ac : accumulateur des variables fraiches de l'appelant
**)
let vars_of_list qvars tl ac =
  let vars = ref SS_set.empty in
  let rec collect l ac_fv_set =
    let lp = ref l in
    let inner_vars = ref VarStringSet.empty in
    let f t =
      match t with
      | Tapp (id, tl, _) when is_arith_binop id ->
          lp := !lp@tl
      | Tapp (id, tl, _) ->
          let id' = (bound_variable id) in
          let bv = (FreshVar (Ident.string id')) in
          inner_vars := VarStringSet.add bv !inner_vars;
          let l' = Tvar(id'):: tl in
          collect l' (VarStringSet.add bv ac_fv_set)
      | Tvar (id) ->
          if not (member_of (Ident.string id) qvars) then
            inner_vars := VarStringSet.add (get_flaged_var id (VarStringSet.union ac_fv_set ac)) !inner_vars
      (* if not (member_of (Ident.string id) ac_fv_set) then inner_vars :=       *)
      (* VarStringSet.add (PureVar (Ident.string id)) !inner_vars else           *)
      (* inner_vars := VarStringSet.add (FreshVar (Ident.string id)) !inner_vars *)
      | _ -> ()
    in
    List.iter f !lp;
    vars := SS_set.add (VarStringSet.diff !inner_vars avoided_vars) !vars
  in
  collect tl VarStringSet.empty;
  !vars

(**
@return vars which is a set of sets of variables
@param f the formula to be analyzed
**)
let sets_of_vars f =
  
  let rec local_subst_in_term id1 id2 = function
    | Tvar x as t ->
    (* if debug then begin Format.printf "\nTvar found : %s Tvar seeked : %s   *)
    (* to substitute with %s status = " (Ident.string x) (Ident.string id1)    *)
    (* (Ident.string id2); if id1==x then Format.printf "OK\n" else            *)
    (* Format.printf "KO\n" end;                                               *)
        if (Ident.string id1) == (Ident.string x) then (Tvar id2) else t
    | Tderef x as t ->
        if (Ident.string id1) == (Ident.string x) then (Tderef id2) else t
    | Tapp (x, l, i) ->
        Tapp (x, List.map (local_subst_in_term id1 id2) l, i)
    | Tconst _ as t ->
        t
    | Tnamed(lab, t) -> Tnamed(lab, local_subst_in_term id1 id2 t)
  
  in let rec local_subst_in_predicate id1 id2 = function
    | Papp (id, l, i) -> Papp (id, List.map (local_subst_in_term id1 id2) l, i)
    | Pif (a, b, c) -> Pif (local_subst_in_term id1 id2 a,
          local_subst_in_predicate id1 id2 b,
          local_subst_in_predicate id1 id2 c)
    | Forall (w, id, b, v, tl, p) ->
        Forall (w, id, b, v, List.map (List.map (
                  (fun id1 id2 -> function
                        | TPat t -> TPat (local_subst_in_term id1 id2 t)
                        | PPat p -> PPat (local_subst_in_predicate id1 id2 p) ) id1 id2)) tl,
          local_subst_in_predicate id1 id2 p)
    | p -> map_predicate (local_subst_in_predicate id1 id2) p
  in
  
  let vars = ref SS_set.empty in
  let ac_fv_set = ref VarStringSet.empty in
  let rec collect qvars formula =
    match formula with
    | Papp (id, [el1; el2], _) when is_eq id ->
        begin
          match (el1, el2) with
          |	(Tvar (v1), Tvar(_v2)) ->
              vars := SS_set.add
                ((VarStringSet.add (get_flaged_var v1 !ac_fv_set)) (* (PureVar (Ident.string v1))  *)
                    (VarStringSet.singleton (get_flaged_var v1 !ac_fv_set)))    (* (PureVar (Ident.string v2))) )*)
                !vars
          | (Tvar (v1), Tapp (_, tl, _)) ->
              let l' = Tvar(v1):: tl in
              let v = vars_of_list qvars l' !ac_fv_set in
              (** TODO modifier mettre pure var ? **)
              vars := SS_set.union v !vars
          | (Tapp (_, tl, _), Tvar(v1)) ->
              let l' = Tvar(v1):: tl in
              let v = vars_of_list qvars l' !ac_fv_set in
              vars := SS_set.union v !vars
          | (Tapp (id, tl, _), Tapp (_, tl', _)) ->
              let id' = bound_variable id in
              let tl = Tvar(id'):: tl in
              let tl' = Tvar(id'):: tl' in
              let v = vars_of_list qvars tl !ac_fv_set in
              let v' = vars_of_list qvars tl' !ac_fv_set in
              vars := SS_set.union v !vars;
              vars := SS_set.union v' !vars;
          | (Tapp (_, tl, _), _) ->
              let v = vars_of_list qvars tl !ac_fv_set in
              vars := SS_set.union v !vars;
          | (Tvar(v1), _) ->
              vars := SS_set.add
                (VarStringSet.singleton (get_flaged_var v1 !ac_fv_set) (*(PureVar (Ident.string v1))*) )
                !vars;
          | (_, Tapp (_, tl, _)) ->
              let v = vars_of_list qvars tl !ac_fv_set in
              vars := SS_set.union v !vars
          | (_, Tvar(v1)) ->
              vars := SS_set.add
                (VarStringSet.singleton (get_flaged_var v1 !ac_fv_set) (*(PureVar (Ident.string v1))*) )
                !vars
          | _ -> ()
        end
    | Papp (_, tl, _) ->
        let v = vars_of_list qvars tl !ac_fv_set in
        vars := SS_set.union v !vars
    | Pand (_, _, a, b) | Forallb (_, a, b) | Por (a, b) | Piff (a, b)
    | Pimplies (_, a, b) ->
        collect qvars a;
        collect qvars b
    | Pif (a, b, c) ->
        let l = a::[] in
        let v' = vars_of_list qvars l !ac_fv_set in
        vars := SS_set.union v' !vars;
        collect qvars b;
        collect qvars c
    | Pnot a ->
        collect qvars a;
    | Forall (_, id, _, _, _, p) | Exists (id, _, _, p) ->
        if (keep_quantification_link_beween_vars) then
          begin
            (* The quantified variable id is modified as a fresh one and is    *)
            (* substituted in P, before collecting                             *)
            let id' = (bound_variable id) in
            let bv = (FreshVar (Ident.string id')) in
            (* inner_vars := VarStringSet.add bv !inner_vars; let l' = Tvar(id')::tl   *)
            (* in                                                                      *)
            ac_fv_set:= (VarStringSet.add bv !ac_fv_set);  (* Fresh var. list update *)
            let p'= (local_subst_in_predicate id id' p) in   (*  substitutes id with id' in P *)
            (* let p'= (subst_in_predicate (subst_onev id id') p) in if debug    *)
            (* then begin Format.printf "\nVar : %s subst by %s\n" (Ident.string *)
            (* id) (Ident.string id'); Format.printf "Predicate : %a \n          *)
            (* Substituted in : %a \n\n" Util.print_predicate p                  *)
            (* Util.print_predicate p' end;                                      *)
            collect qvars p'
          end
        else
          collect (VarStringSet.add (PureVar (Ident.string id)) qvars) p
    | Pnamed (_, p) ->
        collect qvars p
    | Plet (_, n, _, t, p) ->
	collect qvars (subst_term_in_predicate n t p)
    | Pvar _ | Pfalse | Ptrue -> ()
  in
  collect VarStringSet.empty f;
  !vars

(** end of  VarStringSet module  **)

(**
***********************
basic strategy type
***********************
**)

(** Abstract clauses. 

An abstract clause only stores atome numbers,
the set of positive predicates symbols
and the set of negative symbols.
Each predicate is represented as a string.
The set of positive predicates is stored as a StringSet.t
**)
module StringSet = Set.Make(struct type t = string let compare = compare end)
(* A type for Ident pairs *)
type identPair = Pair of Ident.t * Ident.t
(* A type for sets of ident pairs *)
module IdentPairSet = Set.Make(struct type t = identPair let compare = compare end)
(* Type of an abstract clause *)	
type abstractClause = { 
	num : int; 
	pos : StringSet.t; 
	neg : StringSet.t;
	cmp : IdentPairSet.t }

let mk_empty_clause () = { num = 0 ; 
			   pos = StringSet.empty ; 
			   neg = StringSet.empty ; 
			   cmp = IdentPairSet.empty }


module AbstractClauseSet = Set.Make(
	struct type t = abstractClause let compare = compare end)

let display_cl cl =
  let display_set_pr =
    StringSet.fold
      (fun x1 a -> x1^" "^a);
  in
  Format.printf "[num: %d, pos: {%s}, neg :{%s}]"
    cl.num
    (display_set_pr cl.pos "")
    (display_set_pr cl.neg "")

let display_cl_set set =
  Format.printf "{ ";
  AbstractClauseSet.iter
    (fun c ->
          display_cl c) set;
  Format.printf "}\n"

(**
********************************
Graph of variables
********************************
**)
module Var_node =
struct
  type t = var_string
  let hash = Hashtbl.hash
  let compare n1 n2 = Pervasives.compare n1 n2
  let equal = (=)
end

module Var_graph = Graph.Imperative.Graph.Concrete(Var_node)
let vg = ref (Var_graph.create())

module DisplayVarGraph = struct
  let vertex_name v = string_of_var v
  let graph_attributes _ = []
  let default_vertex_attributes _ = []
  let vertex_attributes _ = []
  let default_edge_attributes _ = []
  let get_subgraph _ = None
  let edge_attributes _ = []
  include Var_graph
end

module DotVG = Graph.Graphviz.Dot(DisplayVarGraph)

(**
updates the graph_of_variables
**)
let update_v_g vars =
  (** computes the vertex **)
  VarStringSet.iter (fun n -> Var_graph.add_vertex !vg n) vars;
  let rec updateb n v =
    (** adds the edges n<->n2 for all n2 in v **)
    VarStringSet.iter (
        fun n2 -> Var_graph.add_edge !vg n n2) v;
    (** choose another variable and computes the other edges **)
    if not (VarStringSet.is_empty v) then
      let n' = VarStringSet.choose v in
      updateb n' (VarStringSet.remove n' v)
  in
  if not (VarStringSet.is_empty vars) then
    let n' = (VarStringSet.choose vars) in
    updateb
      n'
      (VarStringSet.remove n' vars)

(**
@param l list of variable declaration or predicates (hypotheses)
@param c is the conclusion
Update the hashtables
- symbs which associates to each hypothesis its symbols (as a triple)
and class_of_hyp
- class_of_hyp which associates to each hypothesis its representative
variable
**)
let build_var_graph (l, c) =
  
  (** retrieves the variables of the conclusion **)
  let v = (sets_of_vars c) in
  let _ = SS_set.fold (fun s t ->
        (** update the graph of variables **)
            update_v_g s;
            VarStringSet.union s t) v VarStringSet.empty in
  let rec mem = function
    | [] -> ()
    | Svar (_id, _v) :: q -> mem q
    | Spred (_, p) :: q ->
        let v = sets_of_vars p in
        (** for each set of variables, build the SCC
        of the set and computes the union of all the variables **)
        let v' =
          SS_set.fold (fun s t ->
                  update_v_g s;
                  VarStringSet.union s t) v VarStringSet.empty in
        (** v' is the union of all the variables **)
        let v' = VarStringSet.diff v' avoided_vars in
        (** associates v' to the hypothesis **)
        Hashtbl.add hash_hyp_vars p v';
        if debug then
          begin
          (* Format.printf " In hyps %a" Util.print_predicate p ; display_str "vars  *)
          (* " v';                                                                   *)
          end;
        mem q
  in
  mem l

(** **)
let removes_fresh_vars vs =
  VarStringSet.fold
    (fun el s ->
          match el with
            PureVar _ as x -> VarStringSet.add x s
          | FreshVar _ -> s)
    vs
    VarStringSet.empty

(** returns the set of all the successors of a node **)
let succs_of vs =
  VarStringSet.fold
    (fun el l ->
          let succ_set =
            try
              let succ_list = Var_graph.succ !vg el in
              List.fold_right
                (fun el s ->
                      VarStringSet.add el s) succ_list VarStringSet.empty
            with _ -> VarStringSet.empty in
          VarStringSet.union l succ_set
    )
    vs
    VarStringSet.empty








(**
   @param v the initial set of variables
   @param n the depth of the tree of variables
   @return the list of variables reachable in n steps
**)
let get_n_depth_vars v n =
  (**
     @param v the initial, or newly reached, set of variables
     @param n the depth of the tree of variables
     @param acc acumumulates the variables that have already been visited
     @return the list of variables reachable in n steps
  **)
  let rec get_vars_in_tree_b v n acc =
    let vret =
      if n > 0 then
	let succ_set = succs_of v in
	let newly_reached = VarStringSet.diff succ_set acc in
	(*VarStringSet.union v
          ( *)
	get_vars_in_tree_b 
          newly_reached
          (n - 1) 
          (VarStringSet.union v succ_set)
          (* ) *)
      else
	v 
    in
    (** Some variables have to not be consider in the graph **)
    VarStringSet.diff vret avoided_vars 


  in
  VarStringSet.diff (get_vars_in_tree_b v n VarStringSet.empty) v


(**
   @param v the initial set of variables
   @return the minimum depth needed to reach all reachable variables
**)
let get_depth_of_reachable_vars v =
  
  let rec get_depth nrvars depth acc =
    let succ_set = succs_of nrvars in
    let treated_vars = VarStringSet.union nrvars acc in
    let newly_reached = VarStringSet.diff succ_set treated_vars in

    if (VarStringSet.cardinal newly_reached) > 0 then
      get_depth
        newly_reached
        (depth + 1) 
        treated_vars
    else
      depth
	
  in
  get_depth v 0 VarStringSet.empty
    







(** End of graph of variables **)

(**
********************************
Graph of predicates
********************************
**)
type positivity = Pos | Neg

let oposite = function
    Pos -> Neg
  | Neg -> Pos

let string_value_of t =
  match t with
    Pos -> ""
  | Neg -> "_C"

type vertexLabel = { l: string; pol: positivity }

module Vrtx =
struct
  type t = vertexLabel
  let hash = Hashtbl.hash
  let compare n1 n2 = Pervasives.compare n1 n2
  let equal = (=)
end




module Edg =
struct
  type t = int
  let compare = Pervasives.compare
  let default = 1
end

module PdlGraph =
  Graph.Imperative.Digraph.ConcreteLabeled(Vrtx)(Edg)
let pdlg = ref (PdlGraph.create())

(**
**************
PdlSet
**************
**)
module PdlSet = Set.Make(struct type t = vertexLabel
    let compare = compare end)
let abstr_mem_of el pdl_set =
  PdlSet.mem { l = el.l; pol = Pos } pdl_set ||
  PdlSet.mem { l = el.l; pol = Neg } pdl_set

let is_positive el =
  el.pol == Pos
let is_negative el =
  el.pol == Neg

let mem_of el pdl_set =
  (PdlSet.mem { l = el.l; pol = el.pol } pdl_set )

let mem_of_or_pos el pdl_set =
  (PdlSet.mem { l = el.l; pol = el.pol } pdl_set ) || el.pol == Pos

let mem_of_or_neg el pdl_set =
  (PdlSet.mem { l = el.l; pol = el.pol } pdl_set ) || el.pol == Neg

let abstr_subset_of_pdl set1 set2 =
  if polarized_preds then
    let test_pos = PdlSet.exists(fun el -> is_positive el) set2 in
    let test_neg = PdlSet.exists(fun el -> is_negative el) set2 in
    begin
      if test_pos && test_neg then
        PdlSet.for_all (fun el -> mem_of el set2) set1
      else
        begin
          if test_pos then
            (PdlSet.for_all (fun el -> mem_of_or_neg el set2) set1)
          else
            PdlSet.for_all (fun el -> mem_of_or_pos el set2) set1
        end
    end
  else
    PdlSet.for_all
      (fun el -> abstr_mem_of el set2) set1



let display_symb_of_pdl_set set =
  PdlSet.iter
    (fun el ->
          Format.printf "(%s,%s)" el.l (string_value_of el.pol)) set;
  Format.printf "@\n@."

let vSet = ref PdlSet.empty 


(** end of PdlSet **)


(** Computes arcs from a pair of literals.
    Let l1 and l2 be two literals.
		l1 or l2 is memorized by the edges ~ l1 -> l2 and ~ l2 -> l1 
		with ~ ~ p = p for each predicate p.
		  
		Warning: different from Table 1 from [CGS08] where p is v with
		polarity lp and q is v' with polarity rp.
		 
    @param lp : positivity, left-hand-side polarity.
		@param rp : positivity, right-hand-side polarity.
		@param we : int, Weight to add.
		@param v : string, left-hand-side name.
		@param v' : string, right-hand-side name.
		assigns !pdlg. 
**)
let add_edge lp rp we v v'=
  (* reverse the left polarity since starts from a disjunction *)
  let lp = oposite lp in
	(* Construction of vertices: *)
	(*   type vertexLabel = { l: string; pol: positivity } *)
  let le = { l = v; pol = lp } in
  let re = { l = v'; pol = rp } in
  let lep = { l = v'; pol = oposite rp } in
  let rep = { l = v; pol = oposite lp } in

  try    
    let (_, w, _) = PdlGraph.find_edge !pdlg le re in
		(* edge already exists ... *)
    if w > we then
      begin
				(* ... and its weight is bigger. Its weight is reduced. *)
        PdlGraph.remove_edge !pdlg le re;
        PdlGraph.add_edge_e !pdlg (le, we, re);
        PdlGraph.remove_edge !pdlg lep rep;
        PdlGraph.add_edge_e !pdlg (lep, we, rep);
      end
  with Not_found -> 
		(* New edge. Two arcs. *)
    PdlGraph.add_edge_e !pdlg (le, we, re);
    PdlGraph.add_edge_e !pdlg (lep, we, rep);
    vSet := PdlSet.add 
	       rep 
	       (PdlSet.add 
		  lep
		  (PdlSet.add 
		     re
		     (PdlSet.add le !vSet)  
		  ) 
	       ) 
	       
      
    

module DisplayPdlGraph = struct
  let vertex_name v =
    let v' = PdlGraph.V.label v in
    v'.l^(string_value_of v'.pol)
  let graph_attributes _ = []
  let default_vertex_attributes _ = []
  let vertex_attributes _ = []
  let default_edge_attributes _ = []
  let get_subgraph _ = None
  let edge_attributes e =
    let l = string_of_int (PdlGraph.E.label e) in
    [`Label l]
  include PdlGraph
end

module DotPdlGraph = Graph.Graphviz.Dot(DisplayPdlGraph)

(**
updates the graph_of_predicates
**)
let update_pdlg acs =
  (** Updates the graph from a set of clauses.
      @param a_clause: Input abstract clauses set.
      assigns !pdlg. **)
  let update_pdlg_c a_clause =
    let nlab = a_clause.num - 1 in
    if (StringSet.cardinal (StringSet.union a_clause.pos a_clause.neg))
      <= 1 then ()
    else
      begin
	(* Implements Table 1 from [CGS08]. n is p and n' is q. *)
	let neg = ref a_clause.neg in
	StringSet.iter
	  (fun p ->
	     (* From (neg p or neg q) adds p -> neg q (or equivalently q -> *)
	     (* neg p).                                                     *)
	     neg := StringSet.remove p !neg;
	     StringSet.iter (fun q ->
			       if not(p = q) then
				 add_edge Neg Neg nlab p q
			    ) !neg;
	     (* From (neg p or q) adds p -> q (or equivalently neg q -> *)
	     (* neg p)                                                  *)
	     StringSet.iter (fun q ->
			       if not(p = q) then
				 add_edge Neg Pos nlab p q;
			    ) a_clause.pos
	  ) a_clause.neg;
	let pos = ref a_clause.pos in
	StringSet.iter
	  (fun p ->  (* p' is q in Table 1. *)
	     (* From (p or p') add neg p-> p' (or equivalently neg p'-> p) *)
	     pos := StringSet.remove p !pos;
	     StringSet.iter (fun p' ->
			       if not(p = p') then
				 add_edge Pos Pos nlab p p'
			    ) !pos
	  ) a_clause.pos;
      end;

    if ((IdentPairSet.cardinal a_clause.cmp)<=0 
	|| (StringSet.cardinal (StringSet.union a_clause.pos a_clause.neg))<= 0)
    then ()
    else
      begin
	let suffixes cmp id = (cmp^"_"^(Ident.string id)) in
	(* Addition of arcs memorizing comparison predicates: *)
	let cmps = ref a_clause.cmp in 
	IdentPairSet.iter
	  (fun ip ->  (* ip is a pair of functional symbols. *)
	     cmps := IdentPairSet.remove ip !cmps;
	     match ip with
	       | Pair(f1, f2) ->
		   begin
		     StringSet.iter
		       (fun p ->
			  add_edge Neg Pos nlab (suffixes p f1) (suffixes p f2);
		       ) a_clause.neg;
		     (* Idem for positive literals *)
		     StringSet.iter
		       (fun p ->
			  add_edge Pos Pos nlab (suffixes p f1) (suffixes p f2);
		       ) a_clause.pos;
		   end
	  ) a_clause.cmp
      end
  in
  AbstractClauseSet.iter update_pdlg_c acs;
  if debug then
    begin
      let oc = open_out "/tmp/gwhy_pdlg_graph.dot" in
      DotPdlGraph.output_graph oc !pdlg
    end
      
let rec remove_percents s =
  try
    let i = String.index s '%' in
    (String.set s i '_');
    (remove_percents s)
  with Not_found -> s

let remove_percent_from_stringset sts =
  let r = ref StringSet.empty in
  (StringSet.iter
      (fun st -> r:= StringSet.add (remove_percents st) !r)
      sts);
  !r

let remove_percent_from_abstractclauseset cls =
  let r = ref AbstractClauseSet.empty in
  (AbstractClauseSet.iter
      (fun cl -> r:= AbstractClauseSet.add { 
				num = cl.num; 
				neg = remove_percent_from_stringset cl.neg; 
				pos = remove_percent_from_stringset cl.pos;
				cmp = cl.cmp } !r)
      cls);
  !r 

(** To take comparison operators into account, we consider each operator 
    suffixed by each of its closed identifier **)
(** @params i1 : ident of the comparison **)
(** @params i2 : ident of the closed operator **)
(** @result : string i1 suffixed by i2 **)
(** assigns nothing; **)
let get_suffixed_ident i1 i2 =
  (* let s= *)
  if suffixed_comparison then
    ((Ident.string i1)^"_"^(Ident.string i2))
  else
    (Ident.string i1)
(* in (remove_percents s) *)

let is_comparison id =
    (is_int_comparison id || is_real_comparison id || is_comparison id)

let comparison_to_consider id =
  use_comparison_as_criteria_for_graph_construction && (
    ((not comparison_eqOnly) && (is_int_comparison id || is_real_comparison id))
    || (id == t_eq || id == t_neq || id == t_eq_int || id == t_neq_int || id == t_eq_real || id == t_neq_real )
  )

let is_negative_comparison id =
  (id == t_neq || id == t_neq_int || id == t_neq_real )
  || (id == t_gt || id == t_ge)
  || (id == t_gt_int || id == t_ge_int)
  || (id == t_gt_real || id == t_ge_real)

let inv_comparison id =
  if id == t_eq then t_neq
  else if id == t_neq then t_eq
  else if id == t_eq_int then t_neq_int
  else if id == t_neq_int then t_eq_int
  else if id == t_eq_real then t_neq_real
  else if id == t_neq_real then t_eq_real
  
  else if id == t_lt then t_ge
  else if id == t_le then t_gt
  else if id == t_gt then t_le
  else if id == t_ge then t_lt
  
  else if id == t_lt_int then t_ge_int
  else if id == t_le_int then t_gt_int
  else if id == t_gt_int then t_le_int
  else if id == t_ge_int then t_lt_int
  
  else if id == t_lt_real then t_ge_real
  else if id == t_le_real then t_gt_real
  else if id == t_gt_real then t_le_real
  else if id == t_ge_real then t_lt_real
  
  else assert false (* cases have to match with cases from comparison_to_consider *)

(** @param id a comparison identifier **)
(** @param ti a variable or function identifier **)
(** @return a string composed of id and ti **)
let get_positive_suffixed_ident id ti =
  if (is_negative_comparison id) && (keep_single_comparison_representation) then
    (get_suffixed_ident (inv_comparison id) ti)
  else
    (get_suffixed_ident id ti)

(** @param id a comparison identifier **)
(** @return a string composed with the positive version of id **)
let get_positive_ident id =
  if (is_negative_comparison id) && (keep_single_comparison_representation) then
    (Ident.string (inv_comparison id))
  else
    (Ident.string id)








    
    







(**
   Encodes the arithmetics transitivity throug 11 axioms. The resulting graphe is the following : 
   =_int  ~~1~~> <=_int
   =_int  ~~x~~> <_int
   <=_int ~~2~~> =_int
   <=_int ~~x~~> <_int
   <_int  ~~1~~> <=_int 
   <_int  ~~1~~> <>_int
   <>_int ~~2~~> <_int
   <=_int ~~x~~> <>_int

   =_int  ~~1~~> >=_int
   =_int  ~~x~~> >_int
   >=_int ~~2~~> =_int
   >=_int ~~x~~> >_int
   >_int  ~~1~~> >=_int 
   >_int  ~~1~~> <>_int
   <>_int ~~2~~> >_int
   >=_int ~~x~~> <>_int

   =_int  ~~x~~> <>_int
   <=_int ~~1~~> >=_int
   >=_int ~~1~~> <=_int
   <_int  ~~1~~> >_int
   >_int  ~~1~~> <_int
  
   Needed ? 
   <>_int ~~x~~> <=_int
   <>_int ~~x~~> >=_int
   <>_int ~~x~~> =_int
   <_int  ~~x~~> =_int
   >_int  ~~x~~> =_int


   where x=2 or more.
*)
let add_arith_transitivity oper suffix =
  if (considere_arith_comparison_as_special_predicate && use_comparison_as_criteria_for_graph_construction)
     
  then begin

    let one = 2 in
    let two = 3 in
    let x = 3 in
    let cls = ref AbstractClauseSet.empty in

    let add id1 n id2 =
      cls := AbstractClauseSet.add 
	{ num = n;
	  neg = id1;
	  pos = id2;
	  cmp = IdentPairSet.empty }
	!cls
    in

    let add_all eq neq ge gt le lt =
      (*    =_int  ~~1~~> <=_int *)
      add   eq      one   le;
      (*    =_int  ~~x~~> <_int *)
      add   eq       x    lt;
      (*    <=_int ~~2~~> =_int *)
      add   le      two   eq;
      (*    <=_int ~~x~~> <_int *)
      add   le       x    lt;
      (*    <_int  ~~1~~> <=_int  *)
      add   lt      one   le;
      (*    <_int  ~~1~~> <>_int *)
      add   lt      one   neq;
      (*    <>_int ~~2~~> <_int *)
      add   neq     two   lt;
      (*    <=_int ~~x~~> <>_int *)
      add   le       x    neq;
      
      (*    =_int  ~~1~~> >=_int *)
      add   eq      one   ge;
      (*    =_int  ~~x~~> >_int *)
      add   eq       x    gt;
      (*    >=_int ~~2~~> =_int *)
      add   ge      two   eq;
      (*    >=_int ~~x~~> >_int *)
      add   ge       x    gt;
      (*    >_int  ~~1~~> >=_int  *)
      add   gt      one   ge;
      (*    >_int  ~~1~~> <>_int *)
      add   gt      one   neq;
      (*    <>_int ~~2~~> >_int *)
      add   neq     two   gt;
      (*    >=_int ~~x~~> <>_int *)
      add   ge       x    neq;
      
      (*    =_int  ~~x~~> <>_int *)
      add   eq       x    neq;
      (*    <=_int ~~1~~> >=_int *)
      add   le      one   ge;
      (*    >=_int ~~1~~> <=_int *)
      add   ge      one   le;
      (*    <_int  ~~1~~> >_int *)
      add   lt      one   gt;
      (*    >_int  ~~1~~> <_int *)
      add   gt      one   lt;
      
      
      update_pdlg (remove_percent_from_abstractclauseset !cls)
    in

    let setIt id = match suffix with 
      | Some(s) -> StringSet.singleton (get_suffixed_ident id  s)
      | None -> StringSet.singleton (Ident.string id)
    in

    match oper with
      | Some(id) when is_int_comparison id -> 
	  add_all 
	    (setIt t_eq_int)
	    (setIt t_neq_int)
	    (setIt t_ge_int)
	    (setIt t_gt_int)
	    (setIt t_le_int)
	    (setIt t_lt_int)
	    
	    
      | Some(id) when is_real_comparison id -> 
	  add_all 
	    (setIt t_eq_real)
	    (setIt t_neq_real)
	    (setIt t_ge_real)
	    (setIt t_gt_real)
	    (setIt t_le_real)
	    (setIt t_lt_real)
	    
	    
      | _ -> 
	  add_all 
	    (setIt t_eq_int)
	    (setIt t_neq_int)
	    (setIt t_ge_int)
	    (setIt t_gt_int)
	    (setIt t_le_int)
	    (setIt t_lt_int);
	  
	  add_all 
	    (setIt t_eq_real)
	    (setIt t_neq_real)
	    (setIt t_ge_real)
	    (setIt t_gt_real)
	    (setIt t_le_real)
	    (setIt t_lt_real)
  end





let build_pred_graph decl =
  let eq_link = ref AbstractClauseSet.empty in
  let treated_suffixes = ref StringSet.empty in
  (* assigns eq_link. *)
  let add_suffixed_depends compId appId =
    if suffixed_comparison && not (StringSet.mem (Ident.string appId) !treated_suffixes) then
      begin (* CGS08. 1. *)
	if equalities_linked then
	  begin
	    (* Creation des liens =_f -> = et = -> =_f *)
	    eq_link:= AbstractClauseSet.add
	      ({ num = 1;
		 neg = StringSet.singleton (get_positive_suffixed_ident compId appId);
		 pos = StringSet.singleton (get_positive_ident compId);
		 cmp = IdentPairSet.empty })
	      (AbstractClauseSet.add
		 ({ num = 1;
		    neg = StringSet.singleton (get_positive_ident compId);
		    pos = StringSet.singleton
		      (get_positive_suffixed_ident compId appId);
		    cmp = IdentPairSet.empty })
		 !eq_link)
	  end;
	
	if arith_tactic then
	  begin
	    (* Creation du trio lt_f / le_f / =_f *)
	    let eq =
	      if is_int_comparison compId then (StringSet.singleton (get_suffixed_ident t_eq_int appId))
	      else if is_real_comparison compId then (StringSet.singleton (get_suffixed_ident t_eq_real appId))
	      else (StringSet.singleton (get_suffixed_ident t_eq appId)) in
	    let lt =
	      if is_int_comparison compId then (StringSet.singleton (get_suffixed_ident t_lt_int appId))
	      else if is_real_comparison compId then (StringSet.singleton (get_suffixed_ident t_lt_real appId))
	      else (StringSet.singleton (get_suffixed_ident t_lt appId)) in
	    let le =
	      if is_int_comparison compId then (StringSet.singleton (get_suffixed_ident t_le_int appId))
	      else if is_real_comparison compId then (StringSet.singleton (get_suffixed_ident t_le_real appId))
	      else (StringSet.singleton (get_suffixed_ident t_le appId)) in
	    
	    let trio = ref AbstractClauseSet.empty in
	    trio := AbstractClauseSet.add { num = 1; neg = eq; pos = le;
					    cmp = IdentPairSet.empty } !trio;
	    trio := AbstractClauseSet.add { num = 2; neg = le; pos = eq;
					    cmp = IdentPairSet.empty } !trio;
	    trio := AbstractClauseSet.add { num = 2; neg = le; pos = lt;
					    cmp = IdentPairSet.empty } !trio;
	    trio := AbstractClauseSet.add { num = 1; neg = lt; pos = le;
					    cmp = IdentPairSet.empty } !trio;
	    
	    eq_link:= AbstractClauseSet.union !trio !eq_link
	  end;
	

	add_arith_transitivity (Some(compId)) (Some(appId));

	treated_suffixes:= StringSet.add (Ident.string appId) !treated_suffixes
      end
  in
  
  (* Construction of the Preds dependence graph. Assumes that the clause   *)
  (* cl is in nnf.                                                         *)
  (** @param atome a predicate    **)
  (** @param cl a clause          **)
  (** @result : a set of clauses. **)
  let add_atom atome cl =  

    let oneCl cl = AbstractClauseSet.singleton cl in
    let twoCl cl1 cl2 =
      AbstractClauseSet.add cl1 (AbstractClauseSet.singleton cl2)
    in
    let add_neg ?(num=1) neg =
      { num = cl.num + num;
	neg = StringSet.add neg cl.neg;
	pos = cl.pos;
	cmp = cl.cmp }
    in
    let add_pos ?(num=1) pos =
      { num = cl.num + num;
	neg = cl.neg;
	pos = StringSet.add pos cl.pos;
	cmp = cl.cmp }
    in
    let add_cmp ?(num=1) id p1 p2 =
      { num = cl.num + num;
	neg = StringSet.add (Ident.string (inv_comparison id))cl.neg;
	pos = StringSet.add (Ident.string id) cl.pos;
	cmp = IdentPairSet.add (Pair (p1,p2)) cl.cmp }
    in
    let inc_oneCl () =
      oneCl
	{ num = cl.num +1;
	  neg = cl.neg;
	  pos = cl.pos;	
	  cmp = cl.cmp }
    in


    match atome with
      | Pnot (Papp (id, _, _)) 
      | Papp (id, _, _) 
	  when (is_comparison id) && not use_comparison_as_criteria_for_graph_construction ->
	  Format.printf "\n\nIgnore comparisons Pred : %a\n\n" Util.print_predicate atome ; 
	    inc_oneCl ()



	(* If it is not a comparison or 
	   it is a comparison, we considere comparison but we don't considere it as a special predicate *)
      | Pnot (Papp (id, _l, _i)) 
	  when ((not (is_comparison id))
		|| ((is_comparison id) && (comparison_to_consider id) && not considere_arith_comparison_as_special_predicate)) ->
(* 	  when not (considere_arith_comparison_as_special_predicate  *)
(* 		    && (comparison_to_consider id)) ->  *)
 	  oneCl (add_neg (Ident.string id)) 


	    
      | Papp (id, _l, _i) 
	  when ((not (is_comparison id))
		|| ((is_comparison id) && (comparison_to_consider id) && not considere_arith_comparison_as_special_predicate)) ->
(* 	  when not (considere_arith_comparison_as_special_predicate  *)
(* 		    && (comparison_to_consider id)) ->  *)
	  oneCl (add_pos (Ident.string id))


	    
      (* If it is a comparison, we considere comparison and considere it as a special predicate *)
      | Pnot (Papp (id, [el1; el2], _i)) 
	  when ((is_comparison id) && (comparison_to_consider id) && considere_arith_comparison_as_special_predicate) ->
	  begin 
	    match (el1, el2) with
	      | (Tapp(ti1, _, _), Tapp(ti2, _, _ )) when suffixed_comparison ->
		  (* Added for [CGS08] Sec. 4.3. *)
		  (add_suffixed_depends id ti1);
		  (add_suffixed_depends id ti2);

		  oneCl (add_cmp (inv_comparison id) ti1 ti2)
                  (* End of "Added for [CGS08] Sec. 4.3" *)


	      | (Tapp(ti, _, _), _ )
	      | ( _, Tapp(ti, _, _)) when suffixed_comparison ->
		  (add_suffixed_depends id ti);
		  if (keep_single_comparison_representation) then
		    twoCl
		      (add_neg (get_positive_suffixed_ident id ti))
		      (add_pos (get_positive_suffixed_ident id ti))
		  else
		    oneCl (add_neg (get_suffixed_ident id ti))


	      | ( _, _ ) when suffixed_comparison ->
		  (inc_oneCl ())
		      




	      | ( _, _ ) (* when not suffixed_comparison *) -> 
		  if (keep_single_comparison_representation) then
		    twoCl
		      (add_neg (get_positive_ident id))
		      (add_pos (get_positive_ident id)) 
		  else
		    oneCl (add_neg (Ident.string id))
		      

	  end
	    
      | Papp (id, [el1; el2], _i) 
	  when ((is_comparison id) && (comparison_to_consider id) && considere_arith_comparison_as_special_predicate) ->
	  begin
	    match (el1, el2) with
	      | (Tapp(ti1, _, _), Tapp(ti2, _, _ )) when suffixed_comparison ->
		  (* Added for [CGS08] Sec. 4.3 *)
		  (add_suffixed_depends id ti1);
		  (add_suffixed_depends id ti2);

		  oneCl (add_cmp id ti1 ti2)
                  (* End of "Added for [CGS08] Sec. 4.3" *)


	      | (Tapp(ti, _, _), _ )
	      | ( _, Tapp(ti, _, _)) when suffixed_comparison ->
		  (add_suffixed_depends id ti);
		  if keep_single_comparison_representation then
		    twoCl
		      (add_pos (get_positive_suffixed_ident id ti))
		      (add_neg (get_positive_suffixed_ident id ti))

		  else
		    oneCl (add_pos (get_suffixed_ident id ti))


	      | ( _, _ ) when suffixed_comparison ->  
		  (inc_oneCl ())




	      | ( _, _)  (* when not suffixed_comparison *) ->
		  if keep_single_comparison_representation then
		    twoCl
		      (add_pos (get_positive_ident id))
		      (add_neg (get_positive_ident id))
		      
		  else
		    oneCl (add_pos (Ident.string id))

	  end

      (* If it is a comparison and don't considere it *)
      | _ ->
(* 	  when ((is_comparison id) && not (comparison_to_consider id)) -> *)
	  inc_oneCl ()

  in 
  (** @param p a predicate 
      @return a set of abstract clauses associated to the given predicate
  *)
  let rec get_abstract_clauses p =
    let rec compute_clause p acs = 
    (*if (debug) then begin    
      Format.printf "@.Pred : %a@." Util.print_predicate p; 
      Format.printf "acs : "; display_cl_set acs;
      Format.printf "@."; 
    end;*)
      match p with
	| Forall (_, _, _, _, _, p) 
	| Exists (_, _, _, p) -> compute_clause p acs

	| Por (p1, p2) -> compute_clause p1 (compute_clause p2 acs)

	| _ as p ->
	    let r = ref AbstractClauseSet.empty in
	    (AbstractClauseSet.iter
	       (fun ac -> r:= AbstractClauseSet.union (add_atom p ac) !r)
	       acs);
	    !r
    in
    match p with
      | Forall (_, _, _, _, _, p) 
      | Exists (_, _, _, p) -> get_abstract_clauses p
      | Plet (_, n, _, t, p) ->
	  get_abstract_clauses (subst_term_in_predicate n t p)
      | Pand (_, _, p1, p2) ->
	  AbstractClauseSet.union
	    (get_abstract_clauses p1)
	    (get_abstract_clauses p2)

      | Por _ -> 
	  compute_clause p (AbstractClauseSet.singleton (mk_empty_clause ()))

      | Papp _ 
      | Pnot _  
      | Pfalse  
      | Ptrue  -> (add_atom p (mk_empty_clause ()))

      | Pnamed(_, _)
      | Forallb (_, _, _)
      | Piff (_, _)
      | Pif (_, _, _)
      | Pimplies (_, _, _)
      | Pvar _ -> assert false

  (* END of get_abstract_clauses *)
  in
  let compute_pred_graph = function 
    | Dpredicate_def (loc, ident, def) ->
	let bl, p = def.scheme_type in
	let rootexp = (Papp (
			 ident,
			 List.map (fun (i, _) -> Tvar i) bl, [])) in
	let piff = Piff (rootexp, p) in
	let pforall = List.fold_right
	  (fun (var, tvar) pred -> Forall(false, var, var, tvar,[], pred))
	  bl piff in
	let p' = cnf pforall in
	begin
	  (*if debug then
	    begin
	      Format.printf "p : %a@." Util.print_predicate p; 
	      Format.printf "p' : %a@." Util.print_predicate p';  
	    end;*)

	  context := (p', Dpredicate_def (loc, ident, def))::!context; 
	  let cls = get_abstract_clauses p' in
	  let cls = AbstractClauseSet.union cls !eq_link in
	  (*if debug then
	    begin
	      Format.printf "cls : "; display_cl_set cls
	    end;*)
	  update_pdlg (remove_percent_from_abstractclauseset cls )
	end 
    | Daxiom (loc, ident, ps) ->
	(* loc: , ident: , ps: *)
	let p = ps.scheme_type in
	let p' = cnf p in
	begin 
	  (*if debug then
	    begin
	      Format.printf "p : %a@." Util.print_predicate p; 
	      Format.printf "p' : %a@." Util.print_predicate p';  
	    end;*)

	  context := (p', Daxiom (loc, ident, ps))::!context; 
	  let cls = get_abstract_clauses p' in
	  (*if debug then
	    begin
	      Format.printf "cls : "; display_cl_set cls
	    end;*)
	   
	  let cls = AbstractClauseSet.union cls !eq_link in
	  (*if debug then
	    begin
	      Format.printf "cls + eq_link : %a" Util.print_predicate p; 
	      display_cl_set cls
	    end;*)
	  update_pdlg (remove_percent_from_abstractclauseset cls)
	end  
    | a -> 
	context := (Ptrue, a)::!context;
  in 
  if not suffixed_comparison then add_arith_transitivity None None; 
  Queue.iter compute_pred_graph decl
    
(** End of graph of predicates**)


let set_of_pred_p vs =
  PdlSet.fold
    (fun v s -> 
          let pred_set = 
            try 
              let pred_list = PdlGraph.pred !pdlg v in
              List.fold_right
                (fun el s ->
                      PdlSet.add el s) pred_list PdlSet.empty
            with
              _ -> PdlSet.empty in
          let s' = PdlSet.union s pred_set in
          let succ_set =
            try
              let succ_list = PdlGraph.succ !pdlg { l = v.l; pol = oposite v.pol } in
              List.fold_right
                (fun v s ->
                      PdlSet.add { l = v.l; pol = oposite v.pol } s)
                succ_list PdlSet.empty
            with
              _ -> PdlSet.empty in
          PdlSet.union s' succ_set
    )
    vs
    PdlSet.empty


(***************************************
*********
*******************)

module W = struct 
  type label = PdlGraph.E.label
  type t = int
  let weight x = x
  let zero = 0
  let add = (+)
  let compare = compare
end

  

module Dij = Dijkstra(PdlGraph)(W)

let compute_sequence_of_predicates concl_preds =
  (* compute the weight of the shortest path from the node elem and nodes of *)
  (* the conclusion                                                          *)
  let max = ref 0 in
  let dij elem =
    let dij_and_comp v2 acc =
      try
	(* Dijkstra from elem to node v2 of the conclusion *)
	let (_, d) = Dij.shortest_path !pdlg elem v2 in
	(* update max *)
	max := if d > !max then d else !max;
	(* memorizing the shortest path *)
	if (acc == (- 1)) || (d < acc) then
	  d
	else
	  acc
      with Not_found ->
	(- 1)
    in
    PdlSet.fold dij_and_comp concl_preds (- 1)
  in
  
  let hash_lits : (int,'a) Hashtbl.t = Hashtbl.create 10 in
  (* adds into L[dij] the node elem where dij is the dijkstra result. If dij *)
  (* is -1, then we set L[max+1]                                             *)
  PdlSet.iter
    (fun elem ->
       let w = dij elem in
       try
	 let l_i = Hashtbl.find hash_lits w in
	 if w != (- 1) then
	   Hashtbl.replace hash_lits w (PdlSet.add elem l_i)
	 else
	   Hashtbl.replace hash_lits (!max + 1) (PdlSet.add elem l_i)
       with Not_found ->
	 Hashtbl.add hash_lits w (PdlSet.singleton elem )
    ) !vSet;
  
  if debug then
    begin
      Format.printf "List of predicates \n";
      for i = 0 to 10 do
	Format.printf "L[%d] is " i;
	try
	  let l_i = Hashtbl.find hash_lits i in
	  display_symb_of_pdl_set l_i
	with _ ->
	  Format.printf " empty \n";
      done;
    end;
  predicateMaximumDepth:=!max;
  hash_lits
    




    
 
	   
	 
    
  





(* Use of the preds dependence graph to filter hypothesis *)
let get_preds_of p filter_comparison =
  let s = ref PdlSet.empty in
  
  (* @params i : ident of the comparison @params ref s : list of           *)
  (* predicates where i has to be added @params polarity : polarity to set *)
  (* up @aprams t : term to add as suffixe @result : s including i         *)
  (* suffixed with t                                                       *)
  let add_suffixed_comparison i polarity = function
    | Tapp (ti, _, _) ->
        if (is_negative_comparison i) && (keep_single_comparison_representation) then (* negative comparaisons are traducted as negative in the graph *)
        s:= (PdlSet.add { l = remove_percents (get_suffixed_ident (inv_comparison i) ti);
              pol = if polarity == 1 then Neg else Pos } !s)
        else
          s:= (PdlSet.add { l = remove_percents (get_suffixed_ident i ti);
                pol = if polarity == 1 then Pos else Neg } !s)
    
    | Tvar (_)
    | Tderef (_)
    | Tconst (_) ->
        () (* We do not consider cases with literal constants in the suffix *)
    | Tnamed (_, _) ->
        assert false (* Currently, no label is present close to a comparison predicate *)
  in
  let rec get polarity = function
    (* Treatment of each predicates cases, expect comparison predicates *)
    | Papp (id, _l, _i) when not (comparison_to_consider id) ->
        s := PdlSet.add { l = remove_percents (Ident.string id);
            pol = if polarity == 1 then Pos else Neg } !s
    
    (* | Papp (id, l, i) when use_arith_comp_as_direct_criteria -> s :=        *)
    (* PdlSet.add {l=Ident.string id ; pol= if polarity == 1 then Pos else     *)
    (* Neg} !s                                                                 *)
    
    (* Particular treatment for comparison predicates (only equality at    *)
    (* this time). Each of them is added twice (with a suffix corresonding *)
    (* to each of parameters)                                              *)
    | Papp (id, l, _i) when (comparison_to_consider id) && filter_comparison ->
        (List.iter (add_suffixed_comparison id polarity) l)
    
    | Forall (_(*w*), _id, _b, _v, _(*tl*), p) 
    | Exists (_id, _b, _v, p) ->
        get polarity p 


    | Pimplies (_, p1, p2) ->
        get (- 1 * polarity) p1;
        get polarity p2

    | Pand (_, _, p1, p2) 
    | Por (p1, p2) ->
        get polarity p1;
        get polarity p2

    | Piff (p1, p2) ->
	(* get polarity Pimplies (_,p1,p2) ; *)
        get (- 1 * polarity) p1;
        get polarity p2;
        (* get polarity Pimplies (_,p2,p1) *)
        get (- 1 * polarity) p2;
        get polarity p1

    | Pnot p1 ->
        get (- 1 * polarity) p1;

    | _ -> 
	()
  in
  get 1 p;
  !s

let get_predecessor_pred p n =
  (** av stands for the already visited preds
  nyt stands for not yet treated preds **)
  let rec get_preds_in_graph nyv av n =
    if n > 0 then
      let new_preds = set_of_pred_p nyv in
      let nyv = PdlSet.diff new_preds av in
      PdlSet.union new_preds
        (get_preds_in_graph
            nyv
            (PdlSet.union new_preds av)
            (n - 1)
        )
    else
      av in
  get_preds_in_graph p p n

let get_relevant_preds hl n =
  let avs = ref PdlSet.empty in
  for i = 0 to n do
    try 
      let l_i = Hashtbl.find hl i in
      avs := PdlSet.union !avs l_i
    with Not_found -> 
      () (* TODO remove this *)
  done; 
  !avs
 
















(** 
    @param p the set of initial predicates
    @return the minimum depth needed to reach all reachable predicates from p
**)
let get_depth_of_reachable_preds p =
  (** 
      @param nyt stands for not yet treated preds 
      @param av stands for the already visited preds
      @param depth stands for the current visited depth
      @return the minimum depth needed to reach all reachable predicates from p
  **)
  let rec get_depth nyt av depth =
    let new_preds = set_of_pred_p nyt in
    let all_treated = PdlSet.union nyt av in
    let newly_reached = PdlSet.diff new_preds all_treated in
    if (PdlSet.cardinal newly_reached) > 0 then 
      get_depth
	newly_reached
	all_treated
	(depth + 1)
    else
      depth
  in
  get_depth p PdlSet.empty 0

















 


(**
functions for the main function: reduce
@param l' : liste d'hypotheses
@param g' : predicat du but
**)
let reduce_subst (l', g') =
  let many_substs_in_predicate sl p =
    List.fold_left (fun p s -> tsubst_in_predicate s p) p sl
  in
  let many_substs_in_term sl t =
    List.fold_left (fun t s -> tsubst_in_term s t) t sl
  in
  let many_substs_in_context sl = function
    | Papp (id, l, i) ->
        Papp (id, List.map (many_substs_in_term sl ) l, i)
    | Pif (a, b, c) ->
        Pif (many_substs_in_term sl a,
          many_substs_in_predicate sl b,
          many_substs_in_predicate sl c)
    | Forall (w, id, b, v, tl, p) ->
        Forall (w, id, b, v, tl,
          many_substs_in_predicate sl p)
    | Exists (id, b, v, p) ->
        Exists (id, b, v, many_substs_in_predicate sl p)
    | p ->
        map_predicate (many_substs_in_predicate sl) p
  in
  
  let compute_subst (sl, fl) f =
    match f with
    | Svar (_id, _v) as var_def -> (sl, var_def:: fl)
    | Spred (id, p) ->
        begin
          match p with
            Papp (id, [el1; el2], _) when is_eq id ->
              begin
                match (el1, el2) with
                  (Tvar (v1), t2) | (t2, Tvar (v1)) ->
                    let subst = subst_one v1 t2 in
                    begin
                      if debug then
                        Format.printf "Removed  pred %a\n" Util.print_predicate p;
                    end;
                    (subst:: sl, fl)
                
                | _ ->
                    (sl, Spred(id, (many_substs_in_context sl p)):: fl)
              end
          | _ as p -> (sl, Spred(id, (many_substs_in_context sl p)):: fl)
          
        end in
  let (sl, fl) = List.fold_left compute_subst ([],[]) l' in
  let l' = List.rev fl in
  let g' = many_substs_in_predicate sl g' in
  (l', g')

(**
@param concl_rep the representative variable of the conclusion
@param l the list of hypothesis
@return a list where the hypotheses have been filtered.
An hypothese is selected if
- it is a variable declaration
- it is an hypothese which has the same representant than
the conclusion
**)
let filter_acc_variables l concl_rep selection_strategy pred_symb =
  (** UPDATE THIS ACCORDING TO THE ARRTICLE **)
  
  let rec all_vars_from_term vars qvars = function
    | Tvar v | Tderef v ->
        let r = (member_of (Ident.string v) vars) || (List.mem (Ident.string v) qvars) in
        if debug then
          if r then
            Format.printf "   ->  Tvar %s OK\n" (Ident.string v)
          else
            begin
              Format.printf "   ->  Tvar %s NON PRESENTE\n" (Ident.string v);
              Format.printf "       qvars :";
              List.iter(fun v -> Format.printf ", %s" v) qvars;
              Format.printf "\n";
              
            end;
        r
    | Tapp (_, lt, _) ->
        begin
          if debug then Format.printf "      -> Tapp -->\n"
        end;
        List.for_all (all_vars_from_term vars qvars) lt
    | Tconst _ ->
        true
    | Tnamed(_lab, t) ->
        all_vars_from_term vars qvars t
  in
  
  let rec all_vars_in_one_branch lp vars =
    let rec all_v pred qvars =
      match pred with
      | Forall (_, id, _, _, _, p)
      | Exists (id, _, _, p) ->
          begin
            if debug then Format.printf "   -> Quantif %s \n" (Ident.string id)
          end;
          all_v p ((Ident.string id):: qvars)
      | Plet (_, n, _, t, p) ->
	  all_v (subst_term_in_predicate n t p) qvars
      | Piff (p1, p2)
      | Pand (_, _, p1, p2)
      | Por (p1, p2)
      | Pimplies (_, p1, p2) ->
          begin
            if debug then Format.printf "   -> And / Or / Implies %a %a \n" Util.print_predicate p1 Util.print_predicate p2
          end;
          if all_v p1 qvars then (all_v p2 qvars) else false
      
      | Pnot (p) ->
          begin
            if debug then Format.printf "   ->  Pnot %a \n" Util.print_predicate p
          end;
          all_v p qvars
      
      | Papp (_, lt, _) ->
          begin
            if debug then Format.printf "   ->  Papp --> \n"
          end;
          List.for_all (all_vars_from_term vars qvars) lt
      
      | Pvar (v) ->
          begin
            let r = (member_of (Ident.string v) vars) || (List.mem (Ident.string v) qvars) in
            if debug then
              if r then
                Format.printf "   ->  Pvar %s OK\n" (Ident.string v)
              else
                Format.printf "   ->  Pvar %s NON PRESENTE\n" (Ident.string v);
            r
          end;
      
      | Pfalse
      | Ptrue -> true
      | Pnamed (_, _) ->
          failwith "Pnamed has to be not found there (nnf has to remove it)"
      | Forallb (_, _, _) ->
          failwith "Forallb has to be not found there (nnf has to remove it)"
      | Pif (_a, _b, _c) ->
          failwith "Pif has to be not found there (nnf has to remove it)"
    
    in
    match lp with
    | [] -> false
    | p:: l ->
        if all_v p [] then
          begin
            if debug then Format.printf " Branche retenue : %a \n" Util.print_predicate p;
            true
          end
        else
          begin
            if debug then Format.printf " Branche rejetee : %a \n" Util.print_predicate p;
            (all_vars_in_one_branch l vars)
          end
  
  in
  
  let rec filter = function
    | [] -> []
    | Svar (id, v) :: q ->
        Svar (id, v) :: filter q
    | Spred (t, p) :: q ->
        let vars =
          try Hashtbl.find hash_hyp_vars p
          with Not_found -> assert false
        in
        let v' = (removes_fresh_vars vars) in
        let condition = match selection_strategy with
          | AllVars
          | SplitHyps
          | CNFHyps ->
              VarStringSet.subset
                v'
                concl_rep
          (*** TODO UPDATE THIS ***)
          
          | One -> not (VarStringSet.is_empty
                    (VarStringSet.inter
                        v'
                        concl_rep))
          
          | AllInABranch ->
              all_vars_in_one_branch (Util.split_one [] 1 p) concl_rep
        
        in
        if debug then begin
          Format.printf "\nHyp :\n %a \n\n" Util.print_predicate p;
          display_str "vars" vars;
          display_str "concl_rep" concl_rep;
        end;
        if (!variablesMaximumDepth< !vb) || condition then
          begin
            if debug then
	      begin
 		if (!predicateMaximumDepth< !pb) then
 		  Format.printf "Kept #1 (Vars - No filter due to VariableMaximumDepth ()
        
        | (p_cnf, Dpredicate_def (loc, ident, def)) :: l ->
            let preds_of_p_cnf = get_preds_of p_cnf use_comparison_as_criteria_for_hypothesis_filtering in
	    if (!predicateMaximumDepth< !pb) || (abstr_subset_of_pdl preds_of_p_cnf relevantPreds) then
	      begin
                (* On garde tout le predicat *)
                if debug then
		  begin
		    if (!predicateMaximumDepth< !pb) then
		      Format.printf "Ctx Kept (No filter due to MaxReachableDepth
                          let i = my_fresh_hyp_str () in
                          (p, Daxiom (loc, "axiom_from_"^name^"_part_"^i, generalize_predicate p))
                    ) p_list in
                
                List.iter filter_one_axiom ax_list;
                filter l
              end
        
        | (p_cnf, Daxiom (loc, ident, ps)) :: l ->
            let preds_of_p_cnf = get_preds_of p_cnf use_comparison_as_criteria_for_hypothesis_filtering in
            if (!predicateMaximumDepth< !pb) || (abstr_subset_of_pdl preds_of_p_cnf relevantPreds) then
              begin
                (* On garde tout l'axiome en forme originale *)
                if debug then
		  begin
		    if (!predicateMaximumDepth< !pb) then
		      Format.printf "Ctx Kept (No filter due to MaxReachableDepth
                          let i = my_fresh_hyp_str () in
                          (p, Daxiom (loc, ident^"_part_"^i, generalize_predicate p))
                    ) p_list in
                
                List.iter filter_one_axiom ax_list;
                filter l
              end
        
        | (_p_cnf, c) :: l ->
            if debug then
              begin
                Format.printf "Ctx (Autre): \n";
                Format.printf "%a \n" print_decl c
              end;
            Queue.push c decl;
            filter l
      in
      filter (List.rev !context) 
    end
(* Fin pruning des axiomes du context *)

let managesGoal ax (hyps, concl) decl =

  let (loc, expl, id, _) = ax in
  (** retrieves the list of predicates in the conclusion **)
  let concl_preds = get_preds_of concl true in

  (* if weights are not consider (as [FTP07] implementation)*)
  let relevant_preds = 
      if prune_coarse_pred_comp then 
	get_predecessor_pred concl_preds !pb 
      else
	begin 
	  (* WARNING  !!!! 
	     This branch seems to be KO since the coarse option has been haded, when --prune-with-comp and --prune-context are both set
	  *)
	  let hl = compute_sequence_of_predicates concl_preds in 
	  get_relevant_preds hl !pb 
	end 
  in
  if prune_coarse_pred_comp then predicateMaximumDepth:=(get_depth_of_reachable_preds concl_preds);



  (** retrieves the list of variables in the conclusion **)
  let vars_of_concl = VarStringSet.diff (free_vars_of concl) avoided_vars in
  let reachable_vars = VarStringSet.diff
      (get_n_depth_vars vars_of_concl !vb)
      avoided_vars in
  let relevant_vars = VarStringSet.union reachable_vars vars_of_concl in 
  (* Traitement fait 2 fois pour l'optimisation *)
  (* Calcul de la profondeur max atteignable dans le graph de variables *)
  variablesMaximumDepth:=(get_depth_of_reachable_vars vars_of_concl);

  let l' = filter_acc_variables hyps relevant_vars var_filter_tactic 
    (*All  AllInABranch*) relevant_preds in
  
  if debug then
    begin
      display_str "Concl_vars : " vars_of_concl ;
      display_str "Relevant vars : " relevant_vars;
      display_str "Reachable vars : " reachable_vars;
      
      if VarStringSet.subset relevant_vars reachable_vars then Format.printf "Relevant <: Reachable\n" else Format.printf "Relevant /<: Reachable\n";
      if VarStringSet.subset reachable_vars relevant_vars then Format.printf "Reachable <: Relevant\n" else Format.printf "Reachable /<: Relevant\n";
      
      Format.printf "Concl preds ";
      display_symb_of_pdl_set concl_preds;
      Format.printf "Relevant preds ";
      display_symb_of_pdl_set relevant_preds;
      let oc = open_out "/tmp/gwhy_var_graph.dot" in
      DotVG.output_graph oc !vg
    end;
  
  if Options.prune_get_depths then
    begin
      Format.printf 
	"Max depth of predicates: %d\nMax depth of variables: %d\n" 
	!predicateMaximumDepth
	!variablesMaximumDepth
    end;

  managesContext relevant_preds decl;
  
  (loc, expl, id, (l', concl))

let hyps_to_cnf lh =
  let lh_cnf =
    List.fold_left (fun l h ->
            match h with
            | Svar (_id, _v) as var_def -> var_def:: l
            | Spred (id, p) ->
                let p'= cnf p in 
		(* p' est une CNF de P mais on veut 1 hypothese par clause 
		   alors on coupe selon les and. 
		   On fera appelle au  split a la fin du traitement 
		   de toutes les hypotheses*) 
                Spred(id, p'):: l
        
      ) [] lh
  in
  Util.split [] my_fresh_hyp lh_cnf

let reset () =
  vg := Var_graph.create();
  pdlg := PdlGraph.create();
  Hashtbl.clear hash_hyp_vars;
  v_count := 0;
  hyp_count := 0

(* Module entry point. *)
(* @param q *)
(* @param decl *)
(* assigns ??? *)
let reduce q decl =
  reset();
  
  (** memorize the theory as a graph of predicate symbols **)
  build_pred_graph decl;
  
  (** manage goal **)
  let q' = match q with
      (_loc, _expl, _id, s) as ax ->
        let (l, g) = s in (* l : liste d'hypotheses (contexte local) et g : le but*)
        let (l', g') = Util.intros [] g my_fresh_hyp (var_filter_tactic == SplitHyps) in
        let l' = if (var_filter_tactic == CNFHyps) then hyps_to_cnf l' else l' in
        let l' = List.append l l' in
        let (l', g') = reduce_subst (l', g') in
        

        (** memorize hypotheses as a graph of variables **)
        build_var_graph (l', g');

        
        (** focus on goal **)
        managesGoal ax (l', g') decl
  in
  q'



(*
Local Variables:
compile-command: "LC_ALL=C make -C .."
End:
*)
why-2.39/src/mlize.mli0000644000106100004300000000453313147234006013650 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(*s translation of imperative programs into intermediate functional programs *)

open Cc
open Env

val trad : typed_expr -> Rename.t -> cc_functional_program

why-2.39/src/lexer.mll0000644000106100004300000001657213147234006013660 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

(* $Id: lexer.mll,v 1.24 2009-11-26 16:07:54 andrei Exp $ *)

{
  open Lexing
  open Logic
  open Parser

  let keywords = Hashtbl.create 97
  let () = 
    List.iter 
      (fun (x,y) -> Hashtbl.add keywords x y)
      [ "absurd", ABSURD;
	"and", AND;
        "array", ARRAY;
	"as", AS;
	"assert", ASSERT;
	"axiom", AXIOM;
	"begin", BEGIN;
        "bool", BOOL;
        "check", CHECK;
	"do", DO;
	"done", DONE;
        "else", ELSE;
	"end", END;
	"exception", EXCEPTION; 
	"exists", EXISTS;
	"external", EXTERNAL;
        "false", FALSE;
	"for", FOR;
	"forall", FORALL;
	"fun", FUN;
	"function", FUNCTION;
	"goal", GOAL;
	"if", IF;
	"in", IN;
	"include", INCLUDE;
	"inductive", INDUCTIVE;
	"int", INT;
	"invariant", INVARIANT;
        "lemma", LEMMA;
	"let", LET;
	"logic", LOGIC;
	"match", MATCH;
	"not", NOT;
	"of", OF;
	"or", OR;
	"parameter", PARAMETER;
	"predicate", PREDICATE;
	"prop", PROP;
	"raise", RAISE;
	"raises", RAISES;
	"reads", READS;
	"real", REAL;
	"rec", REC;
	"ref", REF;
	"returns", RETURNS;
	"then", THEN;
	"true", TRUE;
	"try", TRY;
	"type", TYPE;
	"unit", UNIT;
	"variant", VARIANT;
	"void", VOID;
	"while", WHILE;
	"with", WITH;
        "writes", WRITES ]
	       
  let newline lexbuf =
    let pos = lexbuf.lex_curr_p in
    lexbuf.lex_curr_p <- 
      { pos with pos_lnum = pos.pos_lnum + 1; pos_bol = pos.pos_cnum }

  let string_buf = Buffer.create 1024

  exception Lexical_error of string

  let char_for_backslash = function
    | 'n' -> '\n'
    | 't' -> '\t'
    | c -> c

  let update_loc lexbuf file line chars =
    let pos = lexbuf.lex_curr_p in
    let new_file = match file with None -> pos.pos_fname | Some s -> s in
    lexbuf.lex_curr_p <- 
      { pos with
	  pos_fname = new_file;
	  pos_lnum = int_of_string line;
	  pos_bol = pos.pos_cnum - int_of_string chars;
      }

  let remove_leading_plus s =
    let n = String.length s in 
    if n > 0 && s.[0] = '+' then String.sub s 1 (n-1) else s

  let option_app f = function None -> None | Some x -> Some (f x)

}

let newline = '\n'
let space = [' ' '\t' '\r']
let alpha = ['a'-'z' 'A'-'Z']
let letter = alpha | '_'
let digit = ['0'-'9']
let ident = letter (letter | digit | '\'')*
let hexadigit = ['0'-'9' 'a'-'f' 'A'-'F']
(*
let hexafloat = '0' ['x' 'X'] (hexadigit* '.' hexadigit+ | hexadigit+ '.' hexadigit* ) ['p' 'P'] ['-' '+']? digit+
  *)

rule token = parse
  | "#" space* ("\"" ([^ '\010' '\013' '"' ]* as file) "\"")?
    space* (digit+ as line) space* (digit+ as char) space* "#"
      { update_loc lexbuf file line char; token lexbuf }
  | newline 
      { newline lexbuf; token lexbuf }
  | space+  
      { token lexbuf }
  | ident as id  
      { try Hashtbl.find keywords id with Not_found -> IDENT id }
  | digit+ as s
      { INTEGER s }
  | (digit+ as i) ("" as f) ['e' 'E'] (['-' '+']? digit+ as e)
  | (digit+ as i) '.' (digit* as f) (['e' 'E'] (['-' '+']? digit+ as e))?
  | (digit* as i) '.' (digit+ as f) (['e' 'E'] (['-' '+']? digit+ as e))?
      { FLOAT (RConstDecimal (i, f, option_app remove_leading_plus e)) }
  | '0' ['x' 'X'] ((hexadigit* as i) '.' (hexadigit+ as f) 
                  |(hexadigit+ as i) '.' (hexadigit* as f)
		  |(hexadigit+ as i) ("" as f))
    ['p' 'P'] (['-' '+']? digit+ as e)
      { FLOAT (RConstHexa (i, f, remove_leading_plus e)) }
  | "(*"
      { comment lexbuf; token lexbuf }
  | "'"
      { QUOTE }
  | ","
      { COMMA }
  | "("
      { LEFTPAR }
  | ")"
      { RIGHTPAR }
  | "!"
      { BANG }
  | ":"
      { COLON }
  | ";"
      { SEMICOLON }
  | ":="
      { COLONEQUAL }
  | "->"
      { ARROW }
  | "<->"
      { LRARROW }
  | "="
      { EQUAL }
  | "<"
      { LT }
  | "<="
      { LE }
  | ">"
      { GT }
  | ">="
      { GE }
  | "<>"
      { NOTEQ }
  | "+"
      { PLUS }
  | "-"
      { MINUS }
  | "*"
      { TIMES }
  | "/"
      { SLASH }
  | "@"
      { AT }
  | "."
      { DOT }
  | "["
      { LEFTSQ }
  | "]"
      { RIGHTSQ }
  | "{"
      { LEFTB }
  | "}"
      { RIGHTB }
  | "{{"
      { LEFTBLEFTB }
  | "}}"
      { RIGHTBRIGHTB }
  | "|"
      { BAR }
  | "||"
      { BARBAR }
  | "&&" 
      { AMPAMP }
  | "=>"
      { BIGARROW }
  | "\""
      { Buffer.clear string_buf; string lexbuf }
  | eof 
      { EOF }
  | _ as c
      { raise (Lexical_error ("illegal character: " ^ String.make 1 c)) }

and comment = parse
  | "*)" 
      { () }
  | "(*" 
      { comment lexbuf; comment lexbuf }
  | newline 
      { newline lexbuf; comment lexbuf }
  | eof
      { raise (Lexical_error "unterminated comment") }
  | _ 
      { comment lexbuf }

and string = parse
  | "\""
      { STRING (Buffer.contents string_buf) }
  | "\\" (_ as c)
      { Buffer.add_char string_buf (char_for_backslash c); string lexbuf }
  | newline 
      { newline lexbuf; Buffer.add_char string_buf '\n'; string lexbuf }
  | eof
      { raise (Lexical_error "unterminated string") }
  | _ as c
      { Buffer.add_char string_buf c; string lexbuf }



{

  let loc lb = (lexeme_start_p lb, lexeme_end_p lb)

  let with_location f lb =
    try f lb with e -> raise (Loc.Located (loc lb, e))

  let parse_lexpr = with_location (lexpr token)
  let parse_file = with_location (file token)

  let lexpr_of_string s = parse_lexpr (from_string s)
}

(*
Local Variables: 
compile-command: "unset LANG; make -j -C .. bin/why.byte"
End: 
*)

why-2.39/src/mapenv.ml0000644000106100004300000000774513147234006013655 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

open Logic

let rec compare_list cmp l1 l2 =
  match l1,l2 with
    | [],[] -> 0
    | [],_ -> -1
    | _,[] -> 1
    | a1::l1,a2::l2 -> let c = cmp a1 a2 in
      if c<>0 then c
      else compare_list cmp l1 l2

let compare_pair cmp1 cmp2 (id1,l1) (id2,l2) = 
      let c = cmp1 id1 id2 in
      if c<>0 then c
      else cmp2 l1 l2

module PT = 
  struct
    type t = pure_type
    let to_int = function 
      | PTint -> 1
      | PTbool -> 2
      | PTreal -> 3
      | PTunit -> 4
      | PTvar _ -> 5
      | PTexternal _ -> 6

    let rec compare x y =
      let c = Pervasives.compare (to_int x) (to_int y) in
      if c<>0 then c
      else 
        match x,y with
          | PTint, _ | PTbool, _ | PTreal, _ | PTunit, _ -> 0
          | PTvar {tag = t1}, PTvar {tag = t2} -> Pervasives.compare t1 t2
          | PTexternal (l1,id1),PTexternal (l2,id2) -> 
              let c = Ident.I.compare id1 id2 in
              if c<>0 then c
              else compare_list compare l1 l2
          | _ -> assert false
  end

module PT_Map = Map.Make(PT)
module PT_Set = Set.Make(PT)

let rec add_subtype_list s l = 
  List.fold_left (fun s e -> add_subtype s e) s l
and add_subtype s = function
  | PTint | PTbool | PTreal | PTunit | PTvar _ as t -> PT_Set.add t s
  | PTexternal (l,_id) as t -> add_subtype_list (PT_Set.add t s) l

let _PT_Set_add_normalize x s = PT_Set.add (Misc.normalize_pure_type x) s

(* pair string,instance *)
module Inst =
  struct
    type t = Ident.t * instance
    let compare = compare_pair Ident.I.compare (compare_list PT.compare)
  end
        
module Inst_Map = Map.Make(Inst)
        
let fold_map f acc l =
  let acc,l = List.fold_left (fun (acc,l) e -> 
                                let acc,e = (f acc e) in
                                acc,e::l) (acc,[]) l in
  acc,List.rev l
  
     

why-2.39/src/report.mli0000644000106100004300000000472713147234006014050 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



open Format

exception Error of Error.t

val report : formatter -> Error.t -> unit

val raise_located : Loc.position -> Error.t -> 'a 
val raise_unlocated : Error.t -> 'a
val raise_locop : Loc.position option -> Error.t -> 'a

val explain_exception : Format.formatter -> exn -> unit
why-2.39/src/mizar.ml0000644000106100004300000003513513147234006013503 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(*s Mizar output *)

open Options
open Ident
open Misc
open Logic
open Logic_decl
open Format
open Cc
open Pp

type elem = 
  | Obligation of obligation
  | Logic of string * logic_type Env.scheme
  | Axiom of string * predicate Env.scheme
  | Predicate of string * predicate_def Env.scheme

let elem_q = Queue.create ()

(* dead code
let reset () = Queue.clear elem_q
*)

let push_decl = function
  | Dgoal (loc, is_lemma, expl, id, s) -> 
      Queue.add (Obligation (loc, is_lemma, expl, id, s.Env.scheme_type)) elem_q
  | Dlogic (_, id, t) -> Queue.add (Logic (Ident.string id, t)) elem_q
  | Daxiom (_, id, p) -> Queue.add (Axiom (id, p)) elem_q
  | Dpredicate_def (_, id, p) -> 
      Queue.add (Predicate (Ident.string id, p)) elem_q
  | Dinductive_def(_loc, _ident, _inddef) ->
      failwith "Mizar output: inductive def not yet supported"
  | Dfunction_def _ -> () (*TODO*)
  | Dtype _ -> () (*TODO*)
  | Dalgtype _ -> () (*TODO*)

(*s Pretty print *)

let rec print_pure_type fmt = function
  | PTint -> fprintf fmt "Integer"
  | PTbool -> fprintf fmt "Element of BOOLEAN"
  | PTunit -> fprintf fmt "Element of {0}"
  | PTreal -> fprintf fmt "Real"
  | PTexternal([],id) -> Ident.print fmt id
  | PTexternal([v],id) when id == farray ->
      begin match v with
	| PTunit -> fprintf fmt "XFinSequence of {0}"
	| PTbool -> fprintf fmt "XFinSequence of BOOLEAN"
	| PTint -> fprintf fmt "XFinSequence of INT"
	| PTreal -> fprintf fmt "XFinSequence of REAL"
	| PTexternal _ as ty ->
	    fprintf fmt "XFinSequence of %a" print_pure_type ty
	| PTvar _ -> failwith "no polymorphism with Mizar yet"
      end
  | PTexternal _ | PTvar _ ->  failwith "no polymorphism with Mizar yet"

let prefix_id id =
  (* int cmp *)
  if id == t_lt_int then "int_lt" 
  else if id == t_le_int then "int_le"
  else if id == t_gt_int then "int_gt"
  else if id == t_ge_int then "int_ge"
  else if id == t_eq_int then assert false (* TODO *)
  else if id == t_neq_int then assert false (* TODO *)
  (* real cmp *)
  else if id == t_lt_real then "real_lt" 
  else if id == t_le_real then "real_le"
  else if id == t_gt_real then "real_gt"
  else if id == t_ge_real then "real_ge"
  else if id == t_eq_real then assert false (* TODO *)
  else if id == t_neq_real then assert false (* TODO *)
  (* bool cmp *)
  else if id == t_eq_bool then assert false (* TODO *)
  else if id == t_neq_bool then assert false (* TODO *)
  (* unit cmp *)
  else if id == t_eq_unit then assert false (* TODO *)
  else if id == t_neq_unit then assert false (* TODO *)
  (* int ops *)
  else if id == t_add_int then "int_add"
  else if id == t_sub_int then "int_sub"
  else if id == t_mul_int then "int_mul"
(*
  else if id == t_div_int then assert false (* TODO *)
  else if id == t_mod_int then assert false (* TODO *)
*)
  else if id == t_neg_int then "int_neg"
  (* real ops *)
  else if id == t_add_real then "real_add"
  else if id == t_sub_real then "real_sub"
  else if id == t_mul_real then "real_mul"
  else if id == t_div_real then "real_div"
  else if id == t_neg_real then "real_neg"
  else if id == t_sqrt_real then assert false (* TODO *)
  else if id == t_real_of_int then assert false (* TODO *)
  else assert false

let rec print_term fmt t = 
  let rec print0 fmt = function
    | Tapp (id, [a; b], _) when is_relation id -> 
	fprintf fmt "@[%s(@[%a,@ %a@])@]" 
	  (prefix_id id) print0 a print0 b
    | t ->
	print1 fmt t
  and print1 fmt = function
    | Tapp (id, [a; b], _) when id == t_add_int || id == t_add_real ->
	fprintf fmt "%a +@ %a" print1 a print2 b
    | Tapp (id, [a; b], _) when id == t_sub_int || id == t_sub_real ->
	fprintf fmt "%a -@ %a" print1 a print2 b
    | t ->
	print2 fmt t
  and print2 fmt = function
    | Tapp (id, [a; b], _) when id == t_mul_int || id == t_mul_real ->
	fprintf fmt "%a *@ %a" print2 a print3 b
    | Tapp (id, [a; b], _) when (* id == t_div_int || *) id == t_div_real ->
	fprintf fmt "%a /@ %a" print2 a print3 b
(*
    | Tapp (id, [a; b], _) when id == t_mod_int ->
	fprintf fmt "%a mod %a" print2 a print3 b
*)
    | t -> 
	print3 fmt t
  and print3 fmt = function
    | Tvar id -> 
	Ident.print fmt id
    | Tconst (ConstInt n) -> 
	fprintf fmt "%s" n
    | Tconst (ConstBool true) -> 
	fprintf fmt "TRUE" 
    | Tconst (ConstBool false) -> 
	fprintf fmt "FALSE" 
    | Tconst ConstUnit -> 
	fprintf fmt "(Extract 0)" 
    | Tconst (ConstFloat (RConstDecimal (i,f,None))) ->
	fprintf fmt "%s.%s" i f
    | Tconst (ConstFloat (RConstDecimal (i,f,Some e))) ->
	fprintf fmt "%s.%se%s" i f e
    | Tconst (ConstFloat (RConstHexa _)) ->
	failwith "hexadecimal real constants not supported in Mizar"
    | Tderef _ -> 
	assert false
    (* arithmetic *)
    | Tapp (id, [a], _) when id == t_neg_int || id == t_neg_real ->
	fprintf fmt "(@[-%a@])" print3 a
    | Tapp (id, [_;_], _) as t when is_relation id || is_int_arith_binop id ->
	fprintf fmt "(@[%a@])" print0 t
    (* arrays *)
    | Tapp (id, [a; b], _) when id == access ->
	fprintf fmt "(@[%a.%a@])" print0 a print0 b
    | Tapp (id, [a; b; c], _) when id == store ->
	fprintf fmt "(@[%a+*(%a,@ %a)@])" 
	print3 b print0 a print0 c
    | Tapp (id, [a], _) when id == Ident.array_length ->
	fprintf fmt "(@[len %a@])" print0 a
    (* any other application *)
    | Tapp (id, tl, _) when is_relation id || is_arith id -> 
	fprintf fmt "%s(@[%a@])" (prefix_id id) print_terms tl
    | Tapp (id, tl, _) ->
	fprintf fmt "%a(@[%a@])" Ident.print id print_terms tl
    | Tnamed (_, t) -> (* TODO: print name *)
	print3 fmt t
  in
  print0 fmt t

and print_terms fmt tl = 
  print_list comma print_term fmt tl

let infix_relation id =
       if id == t_lt_int || id == t_lt_real then "<" 
  else if id == t_le_int || id == t_le_real then "<="
  else if id == t_gt_int || id == t_gt_real then ">"
  else if id == t_ge_int || id == t_ge_real then ">="
  else if is_eq id then "="
  else if is_neq id then "<>"
  else assert false

let print_predicate fmt p = 
  let rec print0 fmt = function
    | Pimplies (_, a, b) ->
	fprintf fmt "(@[%a implies@ %a@])" print1 a print0 b
    | Piff ( a, b) ->
	fprintf fmt "(@[%a iff@ %a@])" print1 a print0 b
    | Pif (a, b, c) ->
	fprintf fmt "(@[(%a = TRUE implies %a) &@ (%a = FALSE implies %a)@])" 
	print_term a print0 b print_term a print0 c
    | p -> 
	print1 fmt p
  and print1 fmt = function
    | Por (a, b) ->
	fprintf fmt "@[%a or@ %a@]" print2 a print1 b
    | p ->
	print2 fmt p
  and print2 fmt = function
    | Pand (_, _, a, b) | Forallb (_, a, b) ->
	fprintf fmt "@[%a &@ %a@]" print3 a print2 b
    | p ->
	print3 fmt p
  and print3 fmt = function
    | Ptrue ->
	fprintf fmt "not contradiction"
    | Pvar id when id == Ident.default_post ->
	fprintf fmt "not contradiction"
    | Pfalse ->
	fprintf fmt "contradiction"
    | Pvar id -> 
	fprintf fmt "%a" Ident.print id
    | Papp (id, tl, _) when id == t_distinct ->
	fprintf fmt "@[(%a)@]" print0 (Util.distinct tl)
    | Papp (id, [a; b], _) when is_relation id ->
	fprintf fmt "@[%a %s@ %a@]" 
	print_term a (infix_relation id) print_term b
    | Papp (id, [a; b], _) when id == t_zwf_zero ->
	fprintf fmt "@[(0 <= %a &@ %a < %a)@]" 
	print_term b print_term a print_term b
    | Papp (id, tl, _) when is_relation id || is_arith id ->
	fprintf fmt "@[%s(%a)@]" (prefix_id id) print_terms tl
    | Papp (id, tl, _) -> 
	fprintf fmt "@[%a(%a)@]" Ident.print id print_terms tl
    | Pnot a ->
	fprintf fmt "@[not %a@]" print3 a
    | Forall (_,id,n,t,_,p) -> 
	let id' = next_away id (predicate_vars p) in
	let p' = subst_in_predicate (subst_onev n id') p in
	fprintf fmt "(@[for %s@ being %a holds@ %a@])" (Ident.string id')
	  print_pure_type t print0 p'
    | Exists (id,n,t,p) -> 
	let id' = next_away id (predicate_vars p) in
	let p' = subst_in_predicate (subst_onev n id') p in
	fprintf fmt "(@[ex %s being %a st@ %a@])" (Ident.string id')
	  print_pure_type t print0 p'
    | Pnamed (_, p) -> (* TODO: print name *)
	print3 fmt p
    | Plet (_, n, _, t, p) ->
	print3 fmt (subst_term_in_predicate n t p)
    | (Por _ | Piff _ | Pand _ | Pif _ | Pimplies _ | Forallb _) as p -> 
	fprintf fmt "(%a)" print0 p
  in
  print0 fmt p

let print_sequent fmt (hyps,concl) =
  let rec print_seq fmt = function
    | [] ->
	print_predicate fmt concl
    | Svar (id, v) :: hyps -> 
	fprintf fmt "@[for %a being @[%a@] holds@]@\n" 
	  Ident.print id print_pure_type v;
	print_seq fmt hyps
    | Spred (_, p) :: hyps -> 
	fprintf fmt "@[(@[%a@]) %s@]@\n" print_predicate p
	  (match hyps with Spred _ :: _ -> "&" | _ -> "implies");
	print_seq fmt hyps
  in
  let print_intro fmt = function
    | Svar (id, v) -> 
	fprintf fmt "let %a be @[%a@];@\n" Ident.print id print_pure_type v
    | Spred (id, p) -> 
	fprintf fmt "assume %a: @[%a@];@\n" Ident.print id print_predicate p
  in
  let print_intros fmt = List.iter (print_intro fmt) in
  fprintf fmt "@[ @[%a@]@\nproof@\n @[%a@]:: EDIT BELOW THIS LINE@]" 
    print_seq hyps print_intros hyps

let rec print_thesis fmt = function
  | Pand (_, _, t1, t2) -> fprintf fmt "%a@ %a" print_thesis t1 print_thesis t2
  | t -> fprintf fmt "@[thus %a@];" print_predicate t

let reprint_obligation fmt loc _is_lemma _expl id s =
  let s = s.Env.scheme_type in
  fprintf fmt "@[ :: %a @]@\n" (Loc.report_obligation_position ~onlybasename:true) loc;
  fprintf fmt "@[ (*Why goal*) theorem %s:@\n @[%a@]@]@\n" id print_sequent s
  (*;
  fprintf fmt "@[ :: %a @]@\n@\n" Util.print_explanation expl
  *)

let print_obligation fmt loc is_lemma expl id s =
  reprint_obligation fmt loc is_lemma expl id s;
  let t = snd s.Env.scheme_type in
  fprintf fmt "@[  :: FILL PROOF HERE@\n  @[%a@]@]@\n end;@\n" print_thesis t

let print_logic _fmt _id t = 
  let _ = Env.specialize_logic_type t in
  assert false (*TODO*)

let reprint_logic fmt id t = print_logic fmt id t

let reprint_axiom _fmt _id p =
  let _ = Env.specialize_predicate p in
  assert false (*TODO*)
  (*
  fprintf fmt "@[ :: Why Axiom @]@\n";
  fprintf fmt "@[ theorem %s:@\n @[%a@];@]@\n" id print_predicate p *)

let print_axiom = reprint_axiom

open Regen

module Gen = Regen.Make(
struct

  let print_element fmt e = 
    begin match e with
      | Parameter _ -> assert false
      | Program _ -> assert false
      | Obligation (loc, is_lemma, expl, id, s) -> 
	  print_obligation fmt loc is_lemma expl id s
      | Logic (id, t) -> print_logic fmt id t
      | Axiom (id, p) -> print_axiom fmt id p
      | Predicate _ -> assert false (*TODO*)
      | Inductive _ -> assert false (*TODO*)
      | Function _ -> assert false (*TODO*)
      | AbstractType _ -> assert false (*TODO*)
      | AlgebraicType _ -> assert false (*TODO*)
    end;
    fprintf fmt "@\n"
      
  let reprint_element fmt = function
    | Parameter _ -> assert false
    | Program _ -> assert false
    | Obligation (loc, is_lemma, expl, id, s) -> 
	reprint_obligation fmt loc is_lemma expl id s
    | Logic (id, t) -> reprint_logic fmt id t
    | Axiom (id, p) -> reprint_axiom fmt id p
    | Predicate _ -> assert false (*TODO*)
    | Inductive _ -> assert false (*TODO*)
    | Function _ -> assert false (*TODO*)
    | AbstractType _ -> assert false (*TODO*)
    | AlgebraicType _ -> assert false (*TODO*)

  let re_oblig_loc = Str.regexp " :: Why obligation from .*"

  let environ = " vocabularies INT_1, ARYTM_1, MARGREL1, ALGSTR_1, FUNCT_1, FUNCT_4, FINSEQ_1,\
@\n  AFINSQ_1, WHY;\
@\n notations TARSKI, SUBSET_1, ARYTM_0, XCMPLX_0, XREAL_0, REAL_1, INT_1,\
@\n  MARGREL1, ALGSTR_1, AFINSQ_1, WHY;\
@\n constructors NAT_1, ALGSTR_1, AFINSQ_1, WHY;\
@\n clusters XREAL_0, INT_1, WHY;\
@\n requirements BOOLE, SUBSET, ARITHM, REAL, NUMERALS;\
@\n theorems AXIOMS, XCMPLX_1, SQUARE_1, REAL_1, INT_1, WHY;"

  let first_time fmt =
    fprintf fmt "\
@\n:: This file was originally generated by why.\
@\n:: It can be modified; only the generated parts will be overwritten. \
@\n\
@\nenviron\
@\n%s\
@\n\
@\nbegin :: proof obligations start here\
@\n" (match mizar_environ with None -> environ | Some s -> s)

  let first_time_trailer _fmt = ()

  let edit_below = Str.regexp "[ ]*:: EDIT BELOW THIS LINE[ ]*"
  let not_end_of_element _ s = not (Str.string_match edit_below s 0)

end)

let reset = Gen.reset

(* dead code
let push_obligations = 
  List.iter (fun (loc,expl,l,s) -> Gen.add_elem (Oblig, l) 
	       (Obligation (loc,false,expl,l,s)))

let push_parameter id v =
  Gen.add_elem (Param, id) (Parameter (id,v))
*)

let _ = 
  Gen.add_regexp 
    " theorem[ ]+\\(.*_po_[0-9]+\\)[ ]*:[ ]*" Oblig;
  Gen.add_regexp 
    "(\\*Why goal\\*) theorem[ ]+\\([^ ]*\\)[ ]*:[ ]*" Oblig;
  Gen.add_regexp 
    "(\\*Why\\*) Parameter[ ]+\\([^ ]*\\)[ ]*:[ ]*" Param

let output_file fwe =
  let f = fwe ^ "_why.miz" in
  Gen.output_file ~margin:75 f
why-2.39/src/monad.mli0000644000106100004300000000447213147234006013630 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(*s Main part of the translation of imperative programs into functional ones
    (with module [Mlize]) *)

include MonadSig.S
why-2.39/src/wp.ml0000644000106100004300000004056713147234006013014 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(*s Weakest preconditions *)

open Ident
open Error
open Logic
open Misc
open Types
open Ast
open Util
open Env
open Effect
open Options

(*s to quantify over all the variables read/modified by [p] *)

let input_info info = 
  let w = Effect.get_reads info.t_effect in
  let env = info.t_env in
  List.map (fun id -> (id, type_in_env env id)) w

let input p = input_info p.info

let output_info info = 
  let w = Effect.get_writes info.t_effect in
  let env = info.t_env in
  List.map (fun id -> (id, type_in_env env id)) w

(* dead code
let output p = output_info p.info
*)

(* maximum *)

let sup q q' = match q, q' with
  | None, _ ->
      q'
  | _, None ->
      q
  | Some (q, ql), Some (_, ql') ->
      assert (List.length ql = List.length ql');
      let supx (x,a) (x',a') =
	assert (x = x');
	x, if is_default_post a then a' else a
      in
      Some (q, List.map2 supx ql ql') 

(*s [filter_post k q] removes exc. postconditions from [q] which do not
    appear in typing info [k] *)

let filter_post k =
  let ef = k.t_effect in
  let keep (x,_) = is_exn ef x in
  option_app (fun (q, ql) -> (q, List.filter keep ql))




(*s post-condition for a loop body *)

let default_exns_post e =
  let xs = Effect.get_exns e in
  List.map (fun x -> x, default_post) xs
 
let while_post_block env inv var e = 
  let lab = e.info.t_label in
  let decphi = match var with
    | None -> Ptrue
    | Some (loc,phi,_,r) -> 
	if debug then 
	  Format.eprintf "Loc for variant = %a@." Loc.gen_report_position loc;
	let id = Util.reg_explanation (Cc.VCEvardecr(loc,phi)) in
	Pnamed(id, Papp (r, [phi; put_label_term env lab phi], [])) 
  in
  let ql = default_exns_post (effect e) in
  match inv with
    | None -> 
	anonymous e.info.t_loc decphi, ql
    | Some i -> 
	if debug then 
	  Format.eprintf 
	    "Loc for invariant = %a@." Loc.gen_report_position i.a_loc;
	let id = reg_explanation (Cc.VCEinvpreserv("",(i.a_loc,i.a_value))) in
	(* Claude: pand -> wpand to split the conjunct *)
	{ a_value = wpand (Pnamed(id,i.a_value)) decphi; 
	  a_name = post_name_from (Name i.a_name);
	  a_loc = e.info.t_loc;
	  a_proof = None }, ql

let well_founded_rel = function
  | None -> Ptrue
  | Some (_,_,_,r) -> Papp (well_founded, [Tvar r], [])

(*s [saturate_post k a q] makes a postcondition for a program of type [k]
    out of a normal postcondition [a] and the exc. postconditions from [q] *)

let saturate_post k a q = 
  let ql = match q with Some (_,l) -> l | None -> [] in
  let set_post x = x, try List.assoc x ql with Not_found -> default_post in
  let xs = get_exns k.t_effect in
  let saturate a = (a, List.map set_post xs) in
  option_app saturate a

(*s Misc. test functions *)

(* dead code
let need_a_post p = 
  match p.desc with Lam _ | Rec _ -> false | _ -> true

let is_while p = 
  match p.desc with Loop _ -> true | _ -> false

*)

(*s Weakest precondition of an annotated program:
    \begin{verbatim}
    wp(e{Q'}, Q) = forall y,v. Q' => Q
    \end{verbatim}
    When [e] may raise exceptions:
    \begin{verbatim}
    wp(e{Q'|Q'1|...Q'k}, Q|Q1|...Qk) =
    (forall y,v. Q' => Q) and ... and (forall y,x. Q'k => Qk)
    \end{verbatim} *)


let abstract_wp _loc (q',ql') (q,ql) res out =
  assert (List.length ql' = List.length ql);
  let quantify a' a res =
    let vars = match res with Some b -> b :: out | None -> out in
    let a' = (*loc_name loc*) a'.a_value in
    foralls ~is_wp:true vars (Pimplies (true, a', a.a_value)) 
  in
  let quantify_h (x',a') (x,a) =
    assert (x' = x);
    let pt = find_exception x in
    quantify a' a (option_app (fun t -> (result, PureType t)) pt)
  in
  wpands (quantify q' q (Some res) :: List.map2 quantify_h ql' ql)

(* simple version when [q'] is absent *)
let abstract_wp_0 (q,ql) res out =
  let quantify a res =
    let vars = match res with Some b -> b :: out | None -> out in
    foralls ~is_wp:true vars a.a_value
  in
  let quantify_h (x,a) =
    let pt = find_exception x in
    quantify a (option_app (fun t -> (result, PureType t)) pt)
  in
  wpands (quantify q (Some res) :: List.map quantify_h ql)

let opaque_wp q' q info = match q', q with
  | Some q', Some q ->
      let res = (result, info.t_result_type) in
      let p = abstract_wp info.t_loc q' q res (output_info info) in
      let p = erase_label info.t_label (erase_label "" p) in
      Some (wp_named info.t_loc p)
  | None, Some q ->
      let res = (result, info.t_result_type) in
      let p = abstract_wp_0 q res (output_info info) in
      let p = erase_label info.t_label (erase_label "" p) in
      Some (wp_named info.t_loc p)
  | _ ->
      None

let pand_wp info w1 w2 = match w1, w2 with
  | Some w1, Some w2 -> 
      Some (wp_named info.t_loc (wpand w1.a_value w2.a_value))
  | Some _, None -> w1
  | None, Some _ -> w2
  | None, None -> None

(* explanations *)

let explain_assertion e a = 
  let id = reg_explanation e in 
  { a with a_value = Pnamed(id, a.a_value) }

(* dead code
let explain_wp e = Option_misc.map (explain_assertion e)
*)

(* subtyping: a VC expressing that a specification is stronger than another *)

(*** EN COURS NE PAS EFFACER SVP
let rec subtyping env v1 v2 = match v1, v2 with
  | PureType _, PureType _
  | Ref _, Ref _ -> 
      Ptrue
  | Arrow ((x1,t1) :: bl1, k1), Arrow ((x2,t2) :: bl2, k2) ->
      let p = subtyping env (Arrow (bl1,k1)) (Arrow (bl2,k2)) in
      let p = subst_in_predicate (subst_onev x2 x1) p in
      if Typing.is_pure_type t1 then pforall ~is_wp:true x1 t1 p else p
  | Arrow ([], k1), Arrow ([], k2) ->
      subtyping_k env k1 k2
  | Arrow _, Arrow ([], k2) ->
      subtyping_k env (type_c_of_v v1) k2
  | Arrow ([], k1), Arrow _ ->
      subtyping_k env k1 (type_c_of_v v2)
  | _ ->
      assert false

and subtyping_k env k1 k2 =
  let p = wpimplies (wpands k2.c_pre) (wpands k1.c_pre) in
  let res = k1.c_result_name, k1.c_result_type in
  let out = 
    List.map (fun id -> (id, type_in_env env id)) (get_writes k1.c_effect)
  in
  let q = match k1.c_post, k2.c_post with
    | _, None -> Ptrue
    | None, Some q2 -> abstract_wp_0 q2 res out 
    | Some q1, Some q2 -> abstract_wp Loc.dummy q1 q2 res out
  in
  pforall (input k1.c_effect) (wpand p q)
***)

(*s function binders *)

let abstract_binders =
  List.fold_right
    (fun (x,v) p -> match v with
       | PureType _ -> forall ~is_wp:true x v p
       | _ -> p)

(*s Adding precondition and obligations to the wp *)

let add_to_wp ?(is_sym=false) loc explain_id al w =
  let al = List.map (fun p -> (*loc_name loc*) p.a_value) al in
  if al = [] then
    w
  else match w with
    | Some w -> 
	Some (asst_app 
		(fun w -> 
		   Pnamed(explain_id,
			  List.fold_right (wpand ~is_sym) al w))
		w)
    | None -> 
	Some (wp_named loc (Pnamed(explain_id,wpands ~is_sym al)))

(*s WP. [wp p q] computes the weakest precondition [wp(p,q)]
    and gives postcondition [q] to [p] if necessary.

    [wp: typed_program -> postcondition option -> assertion option] *)

let rec wp p q =
  (* Format.eprintf "wp with size(q) = %d@." (Size.postcondition_opt q); *)
  let q = option_app (force_post_loc p.info.t_loc) q in
  let lab = p.info.t_label in
  let q0_ = optpost_app (asst_app (change_label "" lab)) q in
  let d,w = wp_desc p.info p.desc q0_ in
  let p = change_desc p d in
  let w = option_app (asst_app (erase_label lab)) w in
  p, w

and wp_desc info d q = 
  let result = info.t_result_name in
  match d with
    (* TODO: check if likely *)
    | Var x ->
	let w = optpost_val q in
	d, optasst_app (tsubst_in_predicate (subst_one result (Tvar x))) w
    (* $wp(E,q) = q[result \leftarrow E]$ *)
    | Expression t ->
	let w = optpost_val q in
	let t = unref_term t in
	let s = subst_one result t in
	d, optasst_app (fun p -> simplify (tsubst_in_predicate s p)) w
    | If (p1, p2, p3) ->
	let p'2,w2 = wp p2 (filter_post p2.info q) in
	let p'3,w3 = wp p3 (filter_post p3.info q) in
	let q1 = match w2, w3 with
	  | None, None ->
	      None
	  | _ -> 
	      let p_or_true = function Some {a_value=q} -> q | None -> Ptrue in
	      let q2 = p_or_true w2 in
	      let q3 = p_or_true w3 in
	      (* $wp(if p1 then p2 else p3, q) =$ *)
	      (* $wp(p1, if result then wp(p2, q) else wp(p3, q))$ *)
	      let result1 = p1.info.t_result_name in
	      let q1 = create_postval (Pif (Tvar result1, q2, q3)) in
	      let q1 = force_wp_name q1 in
	      saturate_post p1.info q1 q
	in
	let p'1,w1 = wp p1 q1 in
	If (p'1, p'2, p'3), w1
    | AppTerm (p1, t, k) ->
	let p'1,w1 = wp p1 None in
	let wapp = opaque_wp k.t_post q k in
	let w = pand_wp info w1 wapp in
	AppTerm (p'1, t, k), w
    | AppRef (p1, x, k) ->
	let p'1,w1 = wp p1 None in
	let wapp = opaque_wp k.t_post q k in
	let w = pand_wp info w1 wapp in
	AppRef (p'1, x, k), w
    | Lam (bl, p, e) ->
	let e',w = wp_prog (p, e) None in
	let wf = optasst_app (abstract_binders bl) w in
	Lam (bl, p, e'), pand_wp info (optpost_val q) wf
    | LetIn (x, _, _) | LetRef (x, _, _) when occur_post x q ->
        Report.raise_located info.t_loc
	  (AnyMessage ("cannot compute wp due to capture variable;\n" ^
                       "please rename variable " ^ Ident.string x))
    | LetIn (x, e1, e2) ->
	let e'2, w2 = wp e2 (filter_post e2.info q) in
	let q1 = optasst_app (subst_in_predicate (subst_onev x result)) w2 in
	let q1 = saturate_post e1.info q1 q in
	let e'1,w = wp e1 q1 in
	LetIn (x, e'1, e'2), w
    | Seq (e1, e2) -> 
	let e'2, w2 = wp e2 (filter_post e2.info q) in
	let q1 = saturate_post e1.info w2 q in
	let e'1,w = wp e1 q1 in
	Seq (e'1, e'2), w
    | LetRef (x, e1, e2) ->
	(* same as LetIn: correct? *)
	let e'2, w2 = wp e2 (filter_post e2.info q) in
	let q1 = optasst_app (subst_in_predicate (subst_onev x result)) w2 in
	let q1 = saturate_post e1.info q1 q in
	let e'1,w = wp e1 q1 in
	LetRef (x, e'1, e'2), w
    | Rec (f, bl, v, var, p, e) ->
	(* wp = well_founded(R) /\ forall bl. wp(e, True) *)
	let wfr = well_founded_rel var in
	let e',we = wp_prog (p, e) None in
	let w = match we with
	  | None -> wfr
	  | Some {a_value=we} -> wpand wfr (abstract_binders bl we)
	in
	let w = Some (wp_named info.t_loc w) in
	Rec (f, bl, v, var, p, e'), pand_wp info (optpost_val q) w
    | Loop (inv, var, e) ->
        (* wp = well_founded(R) /\ I /\ forall w. I => wp(e, I/\var
	      wfr
	  | Some i, None ->
	      let id = reg_explanation (Cc.VCEinvinit(lab,(i.a_loc,i.a_value)))
	      in wpand wfr (Pnamed(id,i.a_value))
	  | None, Some {a_value=we} ->
	      let vars = output_info info in
	      wpand wfr (foralls ~is_wp:true vars we)
	  | Some i, Some {a_value=we} ->
	      let vars = output_info info in
	      let id = reg_explanation (Cc.VCEinvinit(lab,(i.a_loc,i.a_value))) 
	      in wpand wfr
		(wpand ~is_sym:true
		   (Pnamed(id,i.a_value))
		   (foralls ~is_wp:true vars (Pimplies (true, i.a_value, we))))
	in
	let w = Some (wp_named info.t_loc w) in
	Loop (inv, var, e'), w
    | Raise (id, None) ->
	(* $wp(raise E, _, R) = R$ *)
	d, option_app (fun (_,ql) -> List.assoc id ql) q
    | Raise (id, Some e) ->
        (* $wp(raise (E e), _, R) = wp(e, R, R)$ *)
	let make_post (_,ql) = let r = List.assoc id ql in (r, ql) in
	let qe = filter_post e.info (option_app make_post q) in
	let e',w = wp e qe in
	Raise (id, Some e'), w

    | Try (e, hl) ->
        (* $wp(try e1 with E -> e2, Q, R) = wp(e1, Q, wp(e2, Q, R))$ *)
	let subst w = function
	  | None -> w
	  | Some x -> optasst_app (subst_in_predicate (subst_onev x result)) w
	in
	let hl' = 
	  List.map (fun ((x,v) as p, h) -> 
		      let h',w = wp h (filter_post h.info q) in
		      (p,h'), (x, subst w v)) hl 
	in
	let hl',hwl = List.split hl' in
	let make_post (q,ql) = 
	  let hpost (x,r) =
	    x, 
	    try (match List.assoc x hwl with None -> r | Some w -> w)
	    with Not_found -> r
	  in
	  (q, List.map hpost ql)
	in
	let q = saturate_post e.info (option_app fst q) q in
	let qe = filter_post e.info (option_app make_post q) in
	let e',w = wp e qe in
	Try (e', hl'), w
    | Assertion (k, l, e) ->
	let e',w = wp e q in
	let expl =  
	  match k with
	    | `ABSURD ->
		Cc.VCEabsurd
	    | #Cc.assert_kind as k -> (*ASSERT et CHECK*)
		Cc.VCEassert (k,List.map (fun a -> (a.a_loc,a.a_value)) l) 
	    | `PRE ->
		let lab = info.t_userlabel in
		let loc = info.t_loc in
		if debug then 
		  Format.eprintf 
		    "wp: `PRE explanation: lab=`%s', loc=%a@." lab
		    Loc.gen_report_position loc;
		Cc.VCEpre (lab,loc,List.map (fun a -> (a.a_loc,a.a_value)) l) 
	in
	let id = reg_explanation expl in
        let is_sym = match k with
          | `CHECK -> true
          | `ASSERT | `PRE | `ABSURD -> false in
	Assertion (k, l, e'), add_to_wp ~is_sym info.t_loc id l w
    | Absurd ->
	Absurd, Some (anonymous info.t_loc Pfalse)
    | Any k as d ->
	let q' = optpost_app (post_named info.t_loc) k.c_post in
	let w = opaque_wp q' q info in
	(* BUG! k.c_pre should already contain, as pre and post, Ast.assertion and not Types.assertion *)
	(* we thus add a approximate location for them, as the loc for the whole Any *)
	(* but this breaks the localization of VCs ... *)
	let pre = List.map (pre_named info.t_loc) k.c_pre in
	let l = List.map (fun a -> (a.a_loc,a.a_value)) pre in
	let lab = info.t_userlabel in
	let loc = info.t_loc in
	let id = reg_explanation (Cc.VCEpre(lab,loc,l)) in
	let w = add_to_wp info.t_loc id pre w in
	d, w
    | Post (e, qe, Transparent) ->
	let lab = e.info.t_label in
	let qe' = Typing.conj (Some qe) q in
	let qe' = 
	  optpost_app (fun a -> 
			 explain_assertion
			   (Cc.VCEpost(a.a_loc,a.a_value))
			   (asst_app (change_label "" lab) a))
	    qe' 
	in
	let e',w = wp e qe' in
	Post (e', qe, Transparent), w
    | Post (e, qe, Opaque) ->
	let lab = e.info.t_label in
	let qe' = Some (post_app (asst_app (change_label "" lab)) qe) in
	let e',we = wp e qe' in
	let w' = opaque_wp qe' q e.info in
	let w = pand_wp e.info we w' in
	Post (e', qe, Opaque), w
    | Label (l, e) ->
	let e,w = wp e q in
	Label (l, e), optasst_app (erase_label l) w

and wp_prog (l,e) q =
  let loc = e.info.t_loc in
  let e,w = wp e q in
  let abstract {a_value=w} =
    let w = 
      List.fold_left (fun w p -> pimplies ~is_wp:true p.a_value w) w l 
    in
    wp_named loc (foralls ~is_wp:true (input e) w)
  in
  e, option_app abstract w

let wp p = wp p None
why-2.39/src/wserver.ml40000644000106100004300000005275613147234006014152 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

(* $Id: wserver.ml4,v 1.3 2008-11-05 14:03:18 filliatr Exp $ *)
(* Copyright (c) 1998-2005 INRIA *)

value sock_in = ref "wserver.sin";
value sock_out = ref "wserver.sou";
value noproc = ref False;

value wserver_oc =
  do { set_binary_mode_out stdout True; ref stdout }
;

value wprint fmt = Printf.fprintf wserver_oc.val fmt;
value wflush () = flush wserver_oc.val;

value hexa_digit x =
  if x >= 10 then Char.chr (Char.code 'A' + x - 10)
  else Char.chr (Char.code '0' + x)
;

value hexa_val conf =
  match conf with
  [ '0'..'9' -> Char.code conf - Char.code '0'
  | 'a'..'f' -> Char.code conf - Char.code 'a' + 10
  | 'A'..'F' -> Char.code conf - Char.code 'A' + 10
  | _ -> 0 ]
;

value decode s =
  let rec need_decode i =
    if i < String.length s then
      match s.[i] with
      [ '%' | '+' -> True
      | _ -> need_decode (succ i) ]
    else False
  in
  let rec compute_len i i1 =
    if i < String.length s then
      let i =
        match s.[i] with
        [ '%' when i + 2 < String.length s -> i + 3
        | _ -> succ i ]
      in
      compute_len i (succ i1)
    else i1
  in
  let rec copy_decode_in s1 i i1 =
    if i < String.length s then
      let i =
        match s.[i] with
        [ '%' when i + 2 < String.length s ->
            let v = hexa_val s.[i + 1] * 16 + hexa_val s.[i + 2] in
            do { s1.[i1] := Char.chr v; i + 3 }
        | '+' -> do { s1.[i1] := ' '; succ i }
        | x -> do { s1.[i1] := x; succ i } ]
      in
      copy_decode_in s1 i (succ i1)
    else s1
  in
  let rec strip_heading_and_trailing_spaces s =
    if String.length s > 0 then
      if s.[0] == ' ' then
        strip_heading_and_trailing_spaces
          (String.sub s 1 (String.length s - 1))
      else if s.[String.length s - 1] == ' ' then
        strip_heading_and_trailing_spaces
          (String.sub s 0 (String.length s - 1))
      else s
    else s
  in
  if need_decode 0 then
    let len = compute_len 0 0 in
    let s1 = String.create len in
    strip_heading_and_trailing_spaces (copy_decode_in s1 0 0)
  else s
;

value special =
  fun
  [ '\000'..'\031' | '\127'..'\255' | '<' | '>' | '"' | '#' | '%' |
    '{' | '}' | '|' | '\\' | '^' | '~' | '[' | ']' | '`' | ';' | '/' | '?' |
    ':' | '@' | '=' | '&' ->
      True
  | _ -> False ]
;

value encode s =
  let rec need_code i =
    if i < String.length s then
      match s.[i] with
      [ ' ' -> True
      | x -> if special x then True else need_code (succ i) ]
    else False
  in
  let rec compute_len i i1 =
    if i < String.length s then
      let i1 = if special s.[i] then i1 + 3 else succ i1 in
      compute_len (succ i) i1
    else i1
  in
  let rec copy_code_in s1 i i1 =
    if i < String.length s then
      let i1 =
        match s.[i] with
        [ ' ' -> do { s1.[i1] := '+'; succ i1 }
        | c ->
            if special c then do {
              s1.[i1] := '%';
              s1.[i1 + 1] := hexa_digit (Char.code c / 16);
              s1.[i1 + 2] := hexa_digit (Char.code c mod 16);
              i1 + 3
            }
            else do { s1.[i1] := c; succ i1 } ]
      in
      copy_code_in s1 (succ i) i1
    else s1
  in
  if need_code 0 then
    let len = compute_len 0 0 in copy_code_in (String.create len) 0 0
  else s
;

value nl () = wprint "\013\010";

value http answer =
  let answer = if answer = "" then "200 OK" else answer in
  do {
    wprint "HTTP/1.0 %s" answer; nl ();
  }
;

value print_exc exc =
  match exc with
  [ Unix.Unix_error err fun_name arg ->
      do {
        prerr_string "\"";
        prerr_string fun_name;
        prerr_string "\" failed";
        if String.length arg > 0 then do {
          prerr_string " on \""; prerr_string arg; prerr_string "\"";
        }
        else ();
        prerr_string ": ";
        prerr_endline (Unix.error_message err);
      }
  | Out_of_memory -> prerr_string "Out of memory\n"
  | Match_failure (file, first_char, last_char) ->
      do {
        prerr_string "Pattern matching failed, file ";
        prerr_string file;
        prerr_string ", chars ";
        prerr_int first_char;
        prerr_char '-';
        prerr_int last_char;
        prerr_char '\n';
      }
  | Assert_failure (file, first_char, last_char) ->
      do {
        prerr_string "Assertion failed, file ";
        prerr_string file;
        prerr_string ", chars ";
        prerr_int first_char;
        prerr_char '-';
        prerr_int last_char;
        prerr_char '\n';
      }
  | x ->
      do {
        prerr_string "Uncaught exception: ";
        prerr_string (Obj.magic (Obj.field (Obj.field (Obj.repr x) 0) 0));
        if Obj.size (Obj.repr x) > 1 then do {
          prerr_char '(';
          for i = 1 to Obj.size (Obj.repr x) - 1 do {
            if i > 1 then prerr_string ", " else ();
            let arg = Obj.field (Obj.repr x) i in
            if not (Obj.is_block arg) then
              prerr_int (Obj.magic arg : int)
            else if Obj.tag arg = 252 then do {
              prerr_char '"'; prerr_string (Obj.magic arg : string);
              prerr_char '"'
            }
            else prerr_char '_';
          };
          prerr_char ')';
        }
        else ();
        prerr_char '\n';
      } ]
;

value print_err_exc exc =
  do { print_exc exc; flush stderr; }
;

value case_unsensitive_eq s1 s2 =
  String.lowercase s1 = String.lowercase s2
;

value rec extract_param name stop_char =
  fun
  [ [x :: l] ->
      if String.length x >= String.length name
      && case_unsensitive_eq (String.sub x 0 (String.length name)) name then
        let i =
          loop (String.length name) where rec loop i =
            if i = String.length x then i
            else if x.[i] = stop_char then i
            else loop (i + 1)
        in
        String.sub x (String.length name) (i - String.length name)
      else extract_param name stop_char l
  | [] -> "" ]
;

value buff = ref (String.create 80);
value store len x =
  do {
    if len >= String.length buff.val then
      buff.val := buff.val ^ String.create (String.length buff.val)
    else ();
    buff.val.[len] := x;
    succ len
  }
;
value get_buff len = String.sub buff.val 0 len;

value get_request strm =
  let rec loop len =
    parser
    [ [: `'\010'; s :] ->
        if len == 0 then []
        else let str = get_buff len in [str :: loop 0 s]
    | [: `'\013'; s :] -> loop len s
    | [: `c; s :] -> loop (store len c) s
    | [: :] -> if len == 0 then [] else [get_buff len] ]
  in
  loop 0 strm
;

ifdef UNIX then
value timeout tmout spid _ =
  do {
    Unix.kill spid Sys.sigkill;
    http "";
    wprint "Content-type: text/html; charset=iso-8859-1"; nl (); nl ();
    wprint "Time out\n";
    wprint "
Time out
\n";
    wprint "Computation time > %d second(s)\n" tmout;
    wprint "\n";
    wflush ();
    exit 2
  }
;

value get_request_and_content strm =
  let request = get_request strm in
  let content =
    match extract_param "content-length: " ' ' request with
    [ "" -> ""
    | x ->
        let str = String.create (int_of_string x) in
        do {
          for i = 0 to String.length str - 1 do {
            str.[i] :=
              match strm with parser
              [ [: `x :] -> x
              | [: :] -> ' ' ];
          };
          str
        } ]
  in
  (request, content)
;

value string_of_sockaddr =
  fun
  [ Unix.ADDR_UNIX s -> s
  | Unix.ADDR_INET a _ -> Unix.string_of_inet_addr a ]
;
value sockaddr_of_string s = Unix.ADDR_UNIX s;

value treat_connection tmout callback addr fd =
  do {
    ifdef NOFORK then ()
    else ifdef UNIX then
      if tmout > 0 then
        let spid = Unix.fork () in
        if spid > 0 then do {
          let _ (* : Sys.signal_behavior *) =
             Sys.signal Sys.sigalrm
               (Sys.Signal_handle (timeout tmout spid))
          in ();
          let _ = Unix.alarm tmout in ();
          let _ = Unix.waitpid [] spid in ();
          let _ (* : Sys.signal_behavior *) =
            Sys.signal Sys.sigalrm Sys.Signal_default
          in ();
          exit 0;
        }
        else ()
      else ()
    else ();
    let (request, script_name, contents) =
      let (request, contents) =
        let strm =
          let c = " " in
          Stream.from
            (fun _ -> if Unix.read fd c 0 1 = 1 then Some c.[0] else None)
        in
        get_request_and_content strm
      in
      let (script_name, contents) =
        match extract_param "GET /" ' ' request with
        [ "" -> (extract_param "POST /" ' ' request, contents)
        | str ->
            try
              let i = String.index str '?' in
              (String.sub str 0 i,
               String.sub str (i + 1) (String.length str - i - 1))
            with
            [ Not_found -> (str, "") ] ]
      in
      (request, script_name, contents)
    in
    if script_name = "robots.txt" then do {
      http "";
      wprint "Content-type: text/plain"; nl (); nl ();
      wprint "User-Agent: *"; nl ();
      wprint "Disallow: /"; nl ();
      wflush ();
      Printf.eprintf "Robot request\n";
      flush stderr;
    }
    else do {
      try callback (addr, request) script_name contents with
      [ Unix.Unix_error Unix.EPIPE "write" _ -> ()
      | exc -> print_err_exc exc ];
      try wflush () with _ -> ();
      try flush stderr with _ -> ();
    };
  }
;

value buff = String.create 1024;

ifdef WIN95 then
value copy_what_necessary t oc =
  let strm =
    let len = ref 0 in
    let i = ref 0 in
    Stream.from
      (fun _ ->
	 do {
           if i.val >= len.val then do {
             len.val := Unix.read t buff 0 (String.length buff);
	     i.val := 0;
	     if len.val > 0 then output oc buff 0 len.val else ();
           }
	   else ();
           if len.val == 0 then None
	   else do { incr i; Some buff.[i.val - 1] }
         })
  in
  let _ = get_request_and_content strm in
  ()
;

value rec list_remove x =
  fun
  [ [] -> failwith "list_remove"
  | [y :: l] -> if x = y then l else [y :: list_remove x l] ]
;

ifdef NOFORK then declare end else
value pids = ref [];
ifdef NOFORK then declare end else
value cleanup_verbose = ref True;
ifdef NOFORK then declare end else
value cleanup_sons () =
  List.iter
    (fun p ->
       let pid =
         try fst (Unix.waitpid [Unix.WNOHANG] p) with
         [ Unix.Unix_error _ _ _ as exc ->
             do {
               if cleanup_verbose.val then do {
                 Printf.eprintf "*** Why error on waitpid %d?\n" p;
                 flush stderr;
                 print_exc exc;
                 Printf.eprintf "[";
                 List.iter (fun p -> Printf.eprintf " %d" p) pids.val;
                 Printf.eprintf "]\n";
                 flush stderr;
                 cleanup_verbose.val := False;
               }
               else ();
               p
             } ]
       in
       if pid = 0 then ()
       else pids.val := list_remove pid pids.val)
     pids.val
;

ifdef NOFORK then declare end else
value wait_available max_clients s =
  match max_clients with
  [ Some m ->
      do {
        if List.length pids.val >= m then
(*
let tm = Unix.localtime (Unix.time ()) in
let _ = do { Printf.eprintf "*** %02d/%02d/%4d %02d:%02d:%02d " tm.Unix.tm_mday (succ tm.Unix.tm_mon) (1900 + tm.Unix.tm_year) tm.Unix.tm_hour tm.Unix.tm_min tm.Unix.tm_sec; Printf.eprintf "%d clients running; waiting...\n" m; flush stderr; } in
*)
          let (pid, _) = Unix.wait () in
(*
let tm = Unix.localtime (Unix.time ()) in
let _ = do { Printf.eprintf "*** %02d/%02d/%4d %02d:%02d:%02d " tm.Unix.tm_mday (succ tm.Unix.tm_mon) (1900 + tm.Unix.tm_year) tm.Unix.tm_hour tm.Unix.tm_min tm.Unix.tm_sec; Printf.eprintf "ok: place for another client\n"; flush stderr; } in
*)
          pids.val := list_remove pid pids.val
        else ();
        if pids.val <> [] then cleanup_sons () else ();
        let stop_verbose = ref False in
        while pids.val <> [] && Unix.select [s] [] [] 15.0 = ([], [], []) do {
          cleanup_sons ();
          if pids.val <> [] && not stop_verbose.val then do {
            stop_verbose.val := True;
            let tm = Unix.localtime (Unix.time ()) in
Printf.eprintf "*** %02d/%02d/%4d %02d:%02d:%02d %d process(es) remaining after cleanup (%d)\n" tm.Unix.tm_mday (succ tm.Unix.tm_mon) (1900 + tm.Unix.tm_year) tm.Unix.tm_hour tm.Unix.tm_min tm.Unix.tm_sec (List.length pids.val) (List.hd pids.val); flush stderr; ()
          }
          else ();
        };
      }
  | None -> () ]
;

value wait_and_compact s =
  if Unix.select [s] [] [] 15.0 = ([], [], []) then do {
    Printf.eprintf "Compacting... "; flush stderr;
    Gc.compact ();
    Printf.eprintf "Ok\n"; flush stderr;
  }
  else ()
;

value skip_possible_remaining_chars fd =
  do {
    let b = "..." in
    try
      loop () where rec loop () =
        match Unix.select [fd] [] [] 5.0 with
        [ ([_], [], []) ->
            let len = Unix.read fd b 0 (String.length b) in
            if len = String.length b then loop () else ()
        | _ -> () ]
    with
    [ Unix.Unix_error Unix.ECONNRESET _ _ -> () ]
  }
;

value accept_connection tmout max_clients callback s =
  do {
    ifdef NOFORK then wait_and_compact s
    else if noproc.val then wait_and_compact s
    else wait_available max_clients s;
    let (t, addr) = Unix.accept s in
    Unix.setsockopt t Unix.SO_KEEPALIVE True;
    ifdef NOFORK then
      let cleanup () =
        do {
          try Unix.shutdown t Unix.SHUTDOWN_SEND with _ -> ();
          try Unix.shutdown t Unix.SHUTDOWN_RECEIVE with _ -> ();
          try Unix.close t with _ -> ();
        }
      in
      do {
        wserver_oc.val := Unix.out_channel_of_descr t;
        treat_connection tmout callback addr t;
        cleanup ();
      }
    else ifdef UNIX then
      match try Some (Unix.fork ()) with _ -> None with
      [ Some 0 ->
          do {
            try do {
              if max_clients = None && Unix.fork () <> 0 then exit 0 else ();
              Unix.close s;
              Unix.dup2 t Unix.stdout;
              Unix.dup2 t Unix.stdin;
(*  
   j'ai l'impression que cette fermeture fait parfois bloquer le serveur...
              try Unix.close t with _ -> ();
*)
              treat_connection tmout callback addr t;
            }
            with
            [ Unix.Unix_error Unix.ECONNRESET "read" _ -> ()
            | exc ->
                try do { print_err_exc exc; flush stderr; }
                with _ -> () ];
            try Unix.shutdown t Unix.SHUTDOWN_SEND with _ -> ();
            try Unix.shutdown Unix.stdout Unix.SHUTDOWN_SEND with _ -> ();
            skip_possible_remaining_chars t;
            try Unix.shutdown t Unix.SHUTDOWN_RECEIVE with _ -> ();
            try Unix.shutdown Unix.stdin Unix.SHUTDOWN_RECEIVE with _ -> ();
            exit 0
          }
      | Some id ->
          do {
            Unix.close t;
            if max_clients = None then let _ = Unix.waitpid [] id in ()
            else pids.val := [id :: pids.val];
          }
      | None ->
          do { Unix.close t; Printf.eprintf "Fork failed\n"; flush stderr } ]
    else do {
      let oc = open_out_bin sock_in.val in
      let cleanup () = try close_out oc with _ -> () in
      try copy_what_necessary t oc with
      [ Unix.Unix_error _ _ _ -> ()
      | exc -> do { cleanup (); raise exc } ];
      cleanup ();
      ifdef SYS_COMMAND then
        let comm =
          let stringify_if_spaces s =
            try let _ = String.index s ' ' in "\"" ^ s ^ "\"" with
            [ Not_found -> s ]
          in
          List.fold_left (fun s a -> s ^ stringify_if_spaces a ^ " ") ""
            (Array.to_list Sys.argv) ^
          "-wserver " ^ string_of_sockaddr addr
        in
        let _ = Sys.command comm in ()
      else if noproc.val then do {
        let fd = Unix.openfile sock_in.val [Unix.O_RDONLY] 0 in
        let oc = open_out_bin sock_out.val in
        wserver_oc.val := oc;
        treat_connection tmout callback addr fd;
        flush oc;
        close_out oc;
        Unix.close fd;
      }
      else
        let pid =
          let env =
            Array.append (Unix.environment ())
              [| "WSERVER=" ^ string_of_sockaddr addr |]
          in
(*
          let args = Array.map (fun x -> "\"" ^ x ^ "\"") Sys.argv in
*)
let args = Sys.argv in
(**)
          Unix.create_process_env Sys.argv.(0) args env Unix.stdin
            Unix.stdout Unix.stderr
        in
        let _ = Unix.waitpid [] pid in
        let ic = open_in_bin sock_in.val in
        let request = get_request (Stream.of_channel ic) in
        close_in ic
      ;
      let cleanup () =
        do {
          try Unix.shutdown t Unix.SHUTDOWN_SEND with _ -> ();
          skip_possible_remaining_chars t;
          try Unix.shutdown t Unix.SHUTDOWN_RECEIVE with _ -> ();
          try Unix.close t with _ -> ();
        }
      in
      try
        let ic = open_in_bin sock_out.val in
        let cleanup () = try close_in ic with _ -> () in
        do {
          try
            loop () where rec loop () =
              let len = input ic buff 0 (String.length buff) in
              if len == 0 then ()
              else do {
                loop_write 0 where rec loop_write i =
                  let olen = Unix.write t buff i (len - i) in
                  if i + olen < len then loop_write (i + olen) else ();
                loop ()
              }
          with
          [ Unix.Unix_error _ _ _ -> ()
          | exc -> do { cleanup (); raise exc } ];
          cleanup ();
        }
      with
      [ Unix.Unix_error _ _ _ -> ()
      | exc -> do { cleanup (); raise exc } ];
      cleanup ();
    }
  }
;

value f addr_opt port tmout max_clients g =
  match
    ifdef NOFORK then None
    else ifdef WIN95 then
      ifdef SYS_COMMAND then
        let len = Array.length Sys.argv in
        if len > 2 && Sys.argv.(len - 2) = "-wserver" then
          Some Sys.argv.(len - 1)
        else None
      else
        try Some (Sys.getenv "WSERVER") with [ Not_found -> None ]
    else None
  with
  [ Some s ->
      ifdef NOFORK then ()
      else ifdef WIN95 then do {
        let addr = sockaddr_of_string s in
        let fd = Unix.openfile sock_in.val [Unix.O_RDONLY] 0 in
        let oc = open_out_bin sock_out.val in
        wserver_oc.val := oc;
        ignore (treat_connection tmout g addr fd);
        exit 0
      }
      else ()
  | None ->
      let addr =
        match addr_opt with
        [ Some addr ->
            try Unix.inet_addr_of_string addr with
            [ Failure _ -> (Unix.gethostbyname addr).Unix.h_addr_list.(0) ]
        | None -> Unix.inet_addr_any ]
      in
      let s = Unix.socket Unix.PF_INET Unix.SOCK_STREAM 0 in
      do {
        Unix.setsockopt s Unix.SO_REUSEADDR True;
        Unix.bind s (Unix.ADDR_INET addr port);
        Unix.listen s 4;
        ifdef NOFORK then Sys.set_signal Sys.sigpipe Sys.Signal_ignore
        else ifdef UNIX then let _ = Unix.nice 1 in ()
        else ();
        let tm = Unix.localtime (Unix.time ()) in
        Printf.eprintf "Ready %4d-%02d-%02d %02d:%02d port"
          (1900 + tm.Unix.tm_year) (succ tm.Unix.tm_mon) tm.Unix.tm_mday
          tm.Unix.tm_hour tm.Unix.tm_min;
        Printf.eprintf " %d" port;
        Printf.eprintf "...\n";
        flush stderr;
        while True do {
          try accept_connection tmout max_clients g s with
          [ Unix.Unix_error Unix.ECONNRESET "accept" _ -> ()
          | Unix.Unix_error (Unix.EBADF | Unix.ENOTSOCK) "accept" _ as x ->
              (* oops! *) raise x
          | exc -> print_err_exc exc ];
          try wflush () with [ Sys_error _ -> () ];
          try flush stdout with [ Sys_error _ -> () ];
          flush stderr;
        };
      } ]
;
why-2.39/src/encoding.mli0000644000106100004300000000466113147234006014320 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



val reset : unit -> unit

val push : ?encode_inductive:bool -> ?encode_algtype:bool -> 
  ?encode_preds:bool -> ?encode_funs:bool -> Logic_decl.t -> unit
val iter : (Logic_decl.t -> unit) -> unit

val symbol : Ident.t * Logic.instance -> string
why-2.39/src/rc.mll0000644000106100004300000001216113147234006013133 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

{

  open Lexing

  let get_home_dir () =
    try Sys.getenv "HOME"
    with Not_found -> 
      (* try windows env var *)
      try Sys.getenv "USERPROFILE"
      with Not_found -> ""

type rc_value =
  | RCint of int
  | RCbool of bool
  | RCfloat of float
  | RCstring of string
  | RCident of string

let int = function
  | RCint n -> n
  | _ -> failwith "Rc.int"

let bool = function
  | RCbool b -> b
  | _ -> failwith "Rc.bool"

let string = function
  | RCident s | RCstring s -> s
  | _ -> failwith "Rc.string"

let buf = Buffer.create 17

let current_rec = ref ""
let current_list = ref []
let current = ref []

let push_field key value =
  current_list := (key,value) :: !current_list

let push_record () =
  if !current_list <> [] then
    current := (!current_rec,List.rev !current_list) :: !current;
  current_rec := "";
  current_list := []

}

let space = [' ' '\t' '\r' '\n']+
let digit = ['0'-'9']
let letter = ['a'-'z' 'A'-'Z']
let ident = (letter | '_') (letter | digit | '_' | '-' | '(' | ')') * 
let sign = '-' | '+' 
let integer = sign? digit+
let mantissa = ['e''E'] sign? digit+
let real = sign? digit* '.' digit* mantissa?
let escape = ['\\''"''n''t''r']

rule record = parse
  | space 
      { record lexbuf }
  | '[' (ident as key) ']'  
      { push_record();
	current_rec := key;
	record lexbuf 
      }
  | eof 
      { push_record () }
  | (ident as key) space* '=' space* 
      { value key lexbuf }
  | _ as c
      { failwith ("Rc: invalid keyval pair starting with " ^ String.make 1 c) }

and value key = parse
  | integer as i
      { push_field key (RCint (int_of_string i));
        record lexbuf }
  | real as r
      { push_field key (RCfloat (float_of_string r));
        record lexbuf }
  | '"' 
      { Buffer.clear buf;
	string_val key lexbuf } 
  | "true"
      { push_field key (RCbool true);
        record lexbuf }
  | "false"
      { push_field key (RCbool false);
        record lexbuf }
  | ident as id
      { push_field key (RCident (*kind_of_ident*) id);
        record lexbuf }
  | _ as c
      { failwith ("Rc: invalid value starting with " ^ String.make 1 c) }
  | eof
      { failwith "Rc: unterminated keyval pair" }

and string_val key = parse 
  | '"' 
      { push_field key (RCstring (Buffer.contents buf));
	record lexbuf
      }
  | [^ '\\' '"'] as c
      { Buffer.add_char buf c;
        string_val key lexbuf }
  | '\\' (['\\''\"'] as c)   
      { Buffer.add_char buf c;
        string_val key lexbuf }
  | '\\' 'n'
      { Buffer.add_char buf '\n';
        string_val key lexbuf }
  | '\\' (_ as c)
      { Buffer.add_char buf '\\';
        Buffer.add_char buf c;
        string_val key lexbuf }
  | eof
      { failwith "Rc: unterminated string" }


{

  let from_file f =
      let c = 
	try open_in f 
	with Sys_error _ -> raise Not_found
(*
	  Format.eprintf "Cannot open file %s@." f;
	  exit 1
*)
      in
      current := [];
      let lb = from_channel c in
      record lb;
      close_in c;
      List.rev !current

}
why-2.39/src/pp.mli0000644000106100004300000001177013147234006013150 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



open Format

val print_option : (formatter -> 'a -> unit) -> formatter -> 'a option -> unit
val print_option_or_default :
  string -> (formatter -> 'a -> unit) -> formatter -> 'a option -> unit
val print_list : 
  (formatter -> unit -> unit) -> 
  (formatter -> 'a -> unit) -> formatter -> 'a list -> unit
val print_list_or_default :
  string -> (formatter -> unit -> unit) -> 
  (formatter -> 'a -> unit) -> formatter -> 'a list -> unit
val print_list_par :
  (Format.formatter -> unit -> 'a) ->
  (Format.formatter -> 'b -> unit) -> Format.formatter -> 'b list -> unit
val print_list_delim :
  (Format.formatter -> unit -> unit) ->
  (Format.formatter -> unit -> unit) ->
  (Format.formatter -> unit -> unit) ->
  (Format.formatter -> 'b -> unit) -> Format.formatter -> 'b list -> unit

val print_iter1 : 
  (('a -> unit) -> 'b -> unit) ->
  (Format.formatter -> unit -> unit) -> 
  (Format.formatter -> 'a -> unit) -> 
  Format.formatter -> 'b -> unit

val print_iter2: 
  (('a -> 'b -> unit) -> 'c -> unit) ->
  (Format.formatter -> unit -> unit) ->
  (Format.formatter -> unit -> unit) ->
  (Format.formatter -> 'a -> unit) -> 
  (Format.formatter -> 'b -> unit) -> 
  Format.formatter -> 'c -> unit

val print_pair_delim :
  (Format.formatter -> unit -> unit) ->
  (Format.formatter -> unit -> unit) ->
  (Format.formatter -> unit -> unit) ->
  (Format.formatter -> 'a -> unit) -> 
  (Format.formatter -> 'b -> unit) -> Format.formatter -> 'a * 'b -> unit

val print_pair :
  (Format.formatter -> 'a -> unit) -> 
  (Format.formatter -> 'b -> unit) -> Format.formatter -> 'a * 'b -> unit

val space : formatter -> unit -> unit
val alt : formatter -> unit -> unit
val newline : formatter -> unit -> unit
val comma : formatter -> unit -> unit
val simple_comma : formatter -> unit -> unit
val semi : formatter -> unit -> unit
val underscore : formatter -> unit -> unit
val arrow : formatter -> unit -> unit
val lbrace : formatter -> unit -> unit
val rbrace : formatter -> unit -> unit
val lsquare : formatter -> unit -> unit
val rsquare : formatter -> unit -> unit
val lparen : formatter -> unit -> unit
val rparen : formatter -> unit -> unit
val lchevron : formatter -> unit -> unit
val rchevron : formatter -> unit -> unit
val nothing : formatter -> 'a -> unit
val string : formatter -> string -> unit
val int : formatter -> int -> unit
val constant_string : string -> formatter -> unit -> unit
val hov : int -> formatter -> ('a -> unit) -> 'a -> unit

val open_formatter : ?margin:int -> out_channel -> formatter
val close_formatter : formatter -> unit
val open_file_and_formatter : ?margin:int -> string -> out_channel * formatter
val close_file_and_formatter : out_channel * formatter -> unit
val print_in_file_no_close : ?margin:int -> (Format.formatter -> unit) -> string -> out_channel
val print_in_file : ?margin:int -> (Format.formatter -> unit) -> string -> unit
why-2.39/src/harvey.ml0000644000106100004300000002540113147234006013652 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(*s Harvey's output *)

open Ident
open Misc
open Logic
open Logic_decl
open Cc
open Format
open Pp

type elem = 
  | Axiom of string * predicate Env.scheme
  | Predicate of string * predicate_def Env.scheme
  | FunctionDef of string * function_def Env.scheme

let theory = Queue.create ()
let oblig = Queue.create ()

let reset () = Queue.clear theory; Queue.clear oblig


let push_decl d = Encoding.push ~encode_preds:false ~encode_funs:false d


(*let push_decl = function
  | Dgoal (loc,id,s) -> Queue.add (loc,id,s.Env.scheme_type) oblig
  | Daxiom (_, id, p) -> Queue.add (Axiom (id, p)) theory
  | Dpredicate_def (_, id, p) -> Queue.add (Predicate (id, p)) theory
  | Dfunction_def (_, id, p) -> Queue.add (FunctionDef (id, p)) theory
  | Dtype _ -> ()
  | Dlogic _ -> ()
*)
(*s Pretty print *)

let prefix id =
  if id == t_lt then assert false
  else if id == t_le then assert false
  else if id == t_gt then assert false
  else if id == t_ge then assert false
  (* int cmp *)
  else if id == t_lt_int then "<"
  else if id == t_le_int then "<="
  else if id == t_gt_int then ">"
  else if id == t_ge_int then ">="
  (* int ops *)
  else if id == t_add_int then "+"
  else if id == t_sub_int then "-"
  else if id == t_mul_int then "*"
(*
  else if id == t_div_int then "int_div"
  else if id == t_mod_int then "int_mod"
*)
  else if id == t_neg_int then assert false
  (* real ops *)
  else if id == t_add_real then "add_real"
  else if id == t_sub_real then "sub_real"
  else if id == t_mul_real then "mul_real"
  else if id == t_div_real then "div_real"
  else if id == t_neg_real then "neg_real"
  else if id == t_sqrt_real then "sqrt_real"
  else if id == t_real_of_int then "real_of_int"
  else if id == t_int_of_real then "int_of_real"
  else if id == t_lt_real then "lt_real"
  else if id == t_le_real then "le_real"
  else if id == t_gt_real then "gt_real"
  else if id == t_ge_real then "ge_real"
  else (print_endline (Ident.string id); assert false)

(* we need to rename a few identifiers *)

let is_harvey_keyword =
  let ht = Hashtbl.create 17 in
  List.iter (fun kw -> Hashtbl.add ht kw ()) 
    ["true"; "false"; "le"; "lt"];
  Hashtbl.mem ht

let is_harvey_ident s =
  let is_harvey_char = function
    | 'a'..'z' | 'A'..'Z' | '0'..'9' | '_' -> true 
    | _ -> false
  in
  let is_harvey_first_char = function
    | 'a'..'z' | 'A'..'Z' | '0'..'9' -> true 
    | _ -> false
  in
  String.length s > 0 && is_harvey_first_char s.[0] &&
  (try 
     String.iter (fun c -> if not (is_harvey_char c) then raise Exit) s; true
   with Exit ->
     false)

let renamings = Hashtbl.create 17
let fresh_name = 
  let r = ref 0 in fun () -> incr r; "harvey__" ^ string_of_int !r

let ident fmt id =
  let s = Ident.string id in
  if is_harvey_keyword s then
    fprintf fmt "harvey__%s" s
  else if not (is_harvey_ident s) then 
    let s' = 
      try
	Hashtbl.find renamings s
      with Not_found ->
	let s' = fresh_name () in
	Hashtbl.add renamings s s';
	s'
    in
    fprintf fmt "%s" s'
  else
    Ident.print fmt id

let rec print_term fmt = function
  | Tvar id | Tapp (id, [], _) -> 
      fprintf fmt "%a" ident id
  | Tconst (ConstInt n) -> 
      fprintf fmt "%s" n
  | Tconst (ConstBool b) -> 
      fprintf fmt "harvey__%b" b
  | Tconst ConstUnit -> 
      fprintf fmt "tt" 
  | Tconst (ConstFloat c) ->
      Print_real.print_with_integers 
	"(real_of_int %s)"
	"(real_of_int (* %s %s))"
	"(div_real (real_of_int %s) (real_of_int %s))" 
	fmt c
  | Tderef _ -> 
      assert false
  | Tapp (id, [a; b; c], _) when id == if_then_else -> 
      fprintf fmt "@[(why__ite@ %a@ %a@ %a)@]" print_term a print_term b
	print_term c
  | Tapp (id, [a], _) when id == t_neg_int ->
      fprintf fmt "@[(- 0 %a)@]" print_term a
  | Tapp (id, tl, _) when is_relation id || is_arith id ->
      fprintf fmt "@[(%s %a)@]" (prefix id) print_terms tl
  | Tapp (id, tl, _) ->
      fprintf fmt "@[(%a@ %a)@]" 
	ident id (print_list space print_term) tl
  | Tnamed (_, t) -> (* TODO: print name *)
      print_term fmt t

and print_terms fmt tl = 
  print_list space print_term fmt tl

let rec print_predicate fmt = function
  | Ptrue ->
      fprintf fmt "true"
  | Pvar id when id == Ident.default_post ->
      fprintf fmt "true"
  | Pfalse ->
      fprintf fmt "false"
  | Pvar id -> 
      fprintf fmt "%a" ident id
  | Papp (id, tl, _) when id == t_distinct ->
      fprintf fmt "@[(%a)@]" print_predicate (Util.distinct tl)
  | Papp (id, [a; b], _) when is_eq id ->
      fprintf fmt "@[(= %a@ %a)@]" print_term a print_term b
  | Papp (id, [a; b], _) when is_neq id ->
      fprintf fmt "@[(not (= %a@ %a))@]" print_term a print_term b
  | Papp (id, tl, _) when is_relation id || is_arith id ->
      fprintf fmt "@[(%s %a)@]" (prefix id) print_terms tl
  | Papp (id, [a;b], _) when id == t_zwf_zero ->
      fprintf fmt "@[(and (<= 0 %a)@ (< %a %a))@]" 
	print_term b print_term a print_term b
  | Papp (id, tl, _) -> 
      fprintf fmt "@[(%a@ %a)@]" ident id print_terms tl
  | Pimplies (_, a, b) ->
      fprintf fmt "@[(->@ %a@ %a)@]" print_predicate a print_predicate b
  | Pif (a, b, c) ->
      fprintf fmt "@[(ite@ %a@ %a@ %a)@]" print_term a print_predicate b
	print_predicate c
  | Pand (_, _, a, b) | Forallb (_, a, b) ->
      fprintf fmt "@[(and@ %a@ %a)@]" print_predicate a print_predicate b
  | Por (a, b) ->
      fprintf fmt "@[(or@ %a@ %a)@]" print_predicate a print_predicate b
  | Piff (a, b) ->
      fprintf fmt "@[(<->@ %a@ %a)@]" print_predicate a print_predicate b
  | Pnot a ->
      fprintf fmt "@[(not@ %a)@]" print_predicate a
  | Forall (_,id,n,_,_,p) -> 
      let id' = next_away id (predicate_vars p) in
      let p' = subst_in_predicate (subst_onev n id') p in
      fprintf fmt "@[(forall %a@ %a)@]" ident id' print_predicate p'
  | Exists (id,n,_t,p) -> 
      let id' = next_away id (predicate_vars p) in
      let p' = subst_in_predicate (subst_onev n id') p in
      fprintf fmt "@[(exists %a@ %a)@]" ident id' print_predicate p'
  | Pnamed (_, p) -> (* TODO: print name *)
      print_predicate fmt p
  | Plet (_, n, _, t, p) ->
      print_predicate fmt (subst_term_in_predicate n t p)

let print_axiom fmt id p =
  fprintf fmt "@[;; Why axiom %s@]@\n" id;
  let p = p.Env.scheme_type in
  fprintf fmt " @[%a@]" print_predicate p;
  fprintf fmt "@]@\n@\n" 

let print_predicate_def fmt id p =
  let (bl,p) = p.Env.scheme_type in
  fprintf fmt "@[;; Why predicate %s@\n" id;
  fprintf fmt "@[(forall %a@ @[(<-> (%s %a)@ @[%a@])@])@]@]@\n@\n" 
    (print_list space (fun fmt (x,_) -> ident fmt x)) bl id
    (print_list space (fun fmt (x,_) -> ident fmt x)) bl 
    print_predicate p

let print_function_def fmt id p =
  let (bl,_,e) = p.Env.scheme_type in
  fprintf fmt "@[;; Why function %s@\n" id;
  fprintf fmt "@[(forall %a@ @[(= (%s %a)@ @[%a@])@])@]@]@\n@\n" 
    (print_list space (fun fmt (x,_) -> ident fmt x)) bl id
    (print_list space (fun fmt (x,_) -> ident fmt x)) bl 
    print_term e

let print_elem fmt = function
  | Axiom (id, p) -> print_axiom fmt id p
  | Predicate (id, p) -> print_predicate_def fmt id p
  | FunctionDef (id, f) -> print_function_def fmt id f

let output_theory fmt f =
  fprintf fmt "(@\n@[";
  fprintf fmt "(theory %s_why@\n(extends)@\n(axioms@\n" f;
  Queue.iter (print_elem fmt) theory;
  fprintf fmt "))@\n";
  fprintf fmt "@]@\n) ;; END THEORY@\n"

let output_sequent fmt (ctx, concl) = 
  let rec print_seq fmt = function
    | [] -> 
	fprintf fmt "@[%a@]" print_predicate concl
    | Svar (id, _ty) :: ctx -> 
	fprintf fmt "@[(forall %a@ %a)@]"
	  Ident.print id print_seq ctx
    | Spred (_, p) :: ctx -> 
	fprintf fmt "@[(->@ @[%a@]@ %a)@]" 
	  print_predicate p print_seq ctx
  in
  print_seq fmt ctx

let output_obligation fmt (loc, _is_lemma, _expl, _o, s) = 
  fprintf fmt "@\n@[;; %a@]@\n" Loc.gen_report_line loc;
  fprintf fmt "@[%a@]@\n" output_sequent s

let decl_to_elem = function
  | Dgoal (loc,is_lemma,expl,id,s) -> Queue.add (loc,is_lemma,expl,id,s.Env.scheme_type) oblig
  | Daxiom (_, id, p) -> Queue.add (Axiom (id, p)) theory
  | Dpredicate_def (_, id, p) -> 
      Queue.add (Predicate (Ident.string id, p)) theory
  | Dfunction_def (_, id, p) -> 
      Queue.add (FunctionDef (Ident.string id, p)) theory
  | Dinductive_def (_, _, _) ->
      failwith "Harvey output: inductive def not yet supported"
  | Dlogic _ -> ()
  | Dtype _ -> ()
  | Dalgtype _ -> ()



let output_file fname = 
  let cout = Options.open_out_file fname in
  let fmt = formatter_of_out_channel cout in
  Encoding.iter decl_to_elem ;
  if Options.no_harvey_prelude then 
    fprintf fmt "()@\n" 
  else 
    output_theory fmt (Filename.basename fname);
  Queue.iter (output_obligation fmt) oblig;
  pp_print_flush fmt ();
  Options.close_out_file cout

why-2.39/src/project.ml0000644000106100004300000002666313147234006014035 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)


type goal = {
  goal_expl : Logic_decl.vc_expl;
  goal_file : string;
  sub_goal : goal list;
  proof : (string*string*string*string*string) list ;
  mutable goal_tags : (string*string) list; 
}

type lemma = {
  lemma_name : string;
  lemma_loc : Loc.floc;
  lemma_goal : goal;
  mutable lemma_tags : (string*string) list; 
}

type behavior = {
  behavior_name : string;
  behavior_loc : Loc.floc;
  mutable behavior_goals : goal list;
  mutable behavior_tags : (string*string) list;
}

type funct = {
  function_name : string;
  function_loc : Loc.floc;
  mutable function_behaviors : behavior list;
  mutable function_tags : (string*string) list;
}
  

type t = {
  project_name : string;
  mutable project_context_file : string;
  mutable project_lemmas : lemma list;
  mutable project_functions : funct list;
}

let create n =
  {
    project_name = n;
    project_context_file = "";
    project_lemmas = [];
    project_functions = [];
  }

let set_project_context_file p f =
  p.project_context_file <- f

let add_lemma p n e f =
  let g = {
    goal_expl = e; 
    goal_file = f;
    sub_goal = [];
    proof = [];
    goal_tags = [];
  }
  in
  let l = {
    lemma_name = n;
    lemma_loc = Loc.dummy_floc;
    lemma_goal = g;
    lemma_tags = [];
  }
  in p.project_lemmas <- l :: p.project_lemmas;
  l

let add_goal b e f =
  let g = {
    goal_expl = e; 
    goal_file = f;
    sub_goal = [];
    proof = [];
    goal_tags = [];
  }
  in
  b.behavior_goals <- g :: b.behavior_goals;
  g

let add_behavior f be floc =
  let b = {
    behavior_name = be;
    behavior_loc = floc;
    behavior_goals = [];
    behavior_tags = [];
  }
  in
  f.function_behaviors <- b :: f.function_behaviors;
  b

let add_function p fname floc =
  let f = {
    function_name = fname;
    function_loc = floc;
    function_behaviors = [];
    function_tags = [];
  }
  in
  p.project_functions <- f :: p.project_functions;
  f


(* toggle *)

let toggle_lemma l = l.lemma_tags <- 
  List.map (fun (key,value) ->  
	      if key = "ww_open" then 
		if value = "true" then (key,"false") 
		else (key,"true") 
	      else
		(key,value)) l.lemma_tags

let toggle_function f = f.function_tags <- 
  List.map (fun (key,value) ->  
	      if key = "ww_open" then 
		if value = "true" then (key,"false") 
		else (key,"true") 
	      else
		(key,value)) f.function_tags

let toggle_behavior b = b.behavior_tags <- 
  List.map (fun (key,value) ->  
	      if key = "ww_open" then 
		if value = "true" then (key,"false") 
		else (key,"true") 
	      else
		(key,value))  b.behavior_tags

let toggle_goal g = g.goal_tags <- 
  List.map (fun (key,value) ->  
	      if key = "ww_open" then 
		if value = "true" then (key,"false") 
		else (key,"true") 
	      else
		(key,value))  g.goal_tags

(* saving *)

open Format
open Logic_decl

let pr_goal fmt g =
  fprintf fmt "    @." g.goal_file;
  fprintf fmt "      @."
    (fun fmt -> Explain.raw_loc ~quote:true fmt) (g.goal_expl.vc_loc);
  fprintf fmt "      @."
    (fun fmt -> Explain.print ~quote:true fmt) (g.goal_expl);
  fprintf fmt "    @."

let save p file =
  let ch = open_out (file ^ ".wpr") in
  let fpr = formatter_of_out_channel ch in
  fprintf fpr "@." 
    p.project_name p.project_context_file;
  List.iter
    (fun l -> (* name (floc,loc,expl,fpo) -> *)
       fprintf fpr "  @." l.lemma_name;
       fprintf fpr "    @." 
	 (fun fmt -> Explain.raw_loc ~quote:true fmt) l.lemma_loc;
       pr_goal fpr l.lemma_goal;
    fprintf fpr "  @.")
    p.project_lemmas;
  List.iter
    (fun f -> (* name (floc,behs) -> *)
       fprintf fpr "  @."  f.function_name;
       fprintf fpr "    @." 
	 (fun fmt -> Explain.raw_loc ~quote:true fmt) f.function_loc;
       List.iter
	 (fun b -> (*vcs -> *)
	  fprintf fpr "    @." b.behavior_name;
	    List.iter (pr_goal fpr) b.behavior_goals;
	      fprintf fpr "    @." )
	 f.function_behaviors;
    fprintf fpr "  @.")
    p.project_functions;
  fprintf fpr "@.";
  close_out ch
      
(* loading *)

let get_string_attr a e =
  try
    match List.assoc a e.Xml.attributes with
      | Rc.RCstring s -> s
      | Rc.RCident n -> n
      | _ -> raise Not_found
  with Not_found -> 
    eprintf "Warning: attribute `%s' not found@." a;
    ""
  

let get_name_attr = get_string_attr "name"

let get_int_attr a e =
  match List.assoc a e.Xml.attributes with
    | Rc.RCstring s -> int_of_string s
    | Rc.RCint n -> n
    | _ -> raise Not_found

(* dead code
let get_bool_attr a e =
  try
    match List.assoc a e.Xml.attributes with
      | Rc.RCstring "true" -> true
      | Rc.RCstring "false" -> false
      | Rc.RCint n -> n <> 0
      | Rc.RCbool b -> b
      | _ -> false
  with Not_found -> false
*)

let get_tags l = 
  let ww_open = ref false in
  let rec get_tag tags l =
    match l with 
      | e::l when e.Xml.name = "tag" -> 
	  let key = get_string_attr "key" e in
	  let value = get_string_attr "value" e in
	  if key = "ww_open" then ww_open := true else ();
	  get_tag ((key,value)::tags) l
      | _ -> tags,l
  in
  let (tags,l) = get_tag [] l in
  if !ww_open then  tags,l else (("ww_open","false")::tags,l)

let get_loc e =
  let file = get_string_attr "file" e in
  let line = get_int_attr "line" e in
  let be = get_int_attr "begin" e in
  let en = get_int_attr "end" e in
  (file,line,be,en)

let get_kind e =
  let k = get_string_attr "kind" e in
  match k with
    | "Lemma" -> Logic_decl.EKLemma
    | "Other" -> Logic_decl.EKOther (get_string_attr "text" e)
    | "Absurd" -> Logic_decl.EKAbsurd 
    | "Assert" -> Logic_decl.EKAssert 
    | "Check" -> Logic_decl.EKCheck 
    | "Pre" -> Logic_decl.EKPre (get_string_attr "text" e)
    | "Post" -> Logic_decl.EKPost 
    | "WfRel" -> Logic_decl.EKWfRel
    | "VarDecr" -> Logic_decl.EKVarDecr 
    | "LoopInvInit" -> 
	let f =
	  try get_string_attr "formula" e
	  with Not_found -> ""
	in
	Logic_decl.EKLoopInvInit f
    | "LoopInvPreserv" -> 
	let f =
	  try get_string_attr "formula" e
	  with Not_found -> ""
	in
	Logic_decl.EKLoopInvPreserv f
    | _ -> Logic_decl.EKOther ("Project: unrecognized kind " ^ k)


let get_proof elements =
  let rec get_proofs proofs l =
    match l with 
      | e::l when e.Xml.name = "proof" -> 
	  let prover = get_string_attr "prover" e in
	  let status = get_string_attr "status" e in
	  let timelimit = 
	    try get_string_attr "timelimit" e with Not_found -> "no timeout"
	  in
	  let date =  
	    try get_string_attr "date" e  with Not_found -> "no date" 
	  in
	  let scriptfile = 
	    try get_string_attr "scriptfile" e with Not_found -> "no script" 
	  in
	  get_proofs ((prover,status,timelimit,date,scriptfile)::proofs) l
      | _ -> proofs,l
  in
  (get_proofs [] elements)

let rec get_goal lf beh e =
  match e.Xml.name with
    | "goal" ->
	let (tags, elements) = get_tags e.Xml.elements in
	let loc = List.hd elements in
	let elements = List.tl elements in
	let loc = get_loc loc in
	let k = get_kind (List.hd elements) in 
	let expl =
	  {
	    Logic_decl.lemma_or_fun_name = lf;
	    Logic_decl.behavior = beh;
	    Logic_decl.vc_loc = loc;
	    Logic_decl.vc_kind = k;
            Logic_decl.vc_label = None;
	  }
	in
	let (proofs,elements) = get_proof (List.tl elements) in
	let sub_goals =  List.map (get_goal lf beh) elements in
	{ goal_expl = expl;
	  goal_file = get_string_attr "why_file" e;
	  sub_goal = sub_goals;
	  proof = proofs;
	  goal_tags = tags;
	}
    | _ -> assert false
	
let get_behavior lf loc e  =
  match e.Xml.name with
    | "behavior" ->
	let n = get_name_attr e in
	let (tags,elements) = get_tags e.Xml.elements in
	{ behavior_name = n;
	  behavior_loc = loc;
	  behavior_goals = List.map (get_goal lf n) elements;
	  behavior_tags = tags;
	}
    | _ -> assert false
	
let lemmas = ref []

let functions = ref []

let get_lemma_or_function e =
  match e.Xml.name with
    | "lemma" ->
	let n = get_name_attr e in
	let (tags,elements) = get_tags e.Xml.elements in	
	let loc = get_loc (List.hd elements) in
	let g = List.map (get_goal n "")  (List.tl elements) in
	begin
	  match g with
	    |	[g] ->
		  let l = 
		    { lemma_name = n;
		      lemma_loc = loc;
		      lemma_goal = g;
		      lemma_tags = tags;
		    }
		  in
		  lemmas := l :: !lemmas
	    | _ -> failwith "lemma should have exactly one goal element"
	end
    | "function" ->
	let n = get_name_attr e in
	let (tags,elements) = get_tags e.Xml.elements in
	let loc = get_loc (List.hd elements) in
	let behs = List.map (get_behavior n loc)  (List.tl elements) in
	let f =
	  { function_name = n;
	    function_loc = loc;
	    function_behaviors = behs;
	    function_tags = tags;
	  }
	in
	functions := f :: !functions
    | "tags" -> ()
    | _ -> assert false

(* read XML file *)
let load f =
  let xml = Xml.from_file f in
  match xml with
    | [p] when p.Xml.name = "project" ->
	let name = get_name_attr p in 
(*
	if name <> f then
	  eprintf "Warning! project name `%s' does match file name `%s'@." 
	    !project_name f;
*)
	lemmas := [];
	functions := [];
	List.iter get_lemma_or_function p.Xml.elements;
	{ project_name = name;
	  project_context_file = get_string_attr "context" p; 
	  project_lemmas = !lemmas;
	  project_functions = !functions;
	}
	
    | _ -> failwith "unique  element expected"


why-2.39/src/isabelle.mli0000644000106100004300000000446513147234006014314 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

(*s Isabelle/HOL output *)

val reset : unit -> unit
val push_decl : Logic_decl.t -> unit
val output_file : string -> unit
why-2.39/src/options.ml0000644000106100004300000007617513147234006014065 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



open Format


(*s Local refs to set the options *)

let verbose_ = ref false
let debug_ = ref false
let parse_only_ = ref false
let type_only_ = ref false
let wp_only_ = ref false
let valid_ = ref false
let coq_tactic_ = ref None
let coq_preamble_ = ref None
let coq_use_dp = ref true
let pvs_preamble_ = ref None
let mizar_environ_ = ref None
let isabelle_base_theory_ = ref "Main"
let no_simplify_prelude_ = ref false
let simplify_triggers_ = ref false
let no_cvcl_prelude_ = ref false
let no_harvey_prelude_ = ref false
let no_zenon_prelude_ = ref false
let werror_ = ref false
let dir_ = ref ""
let fast_wp_ = ref false
let white_ = ref false
let black_ = ref true
let wbb_ = ref false
let split_user_conj_ = ref false
let split_bool_op_ = ref false
let lvlmax_ = ref max_int
let all_vc_ = ref false
let eval_goals_ = ref false
let pruning_ = ref false
let pruning_hyp_v_ = {contents = -1}
let pruning_hyp_p_ = {contents = -1}
(* Heuristiques en test *)
let pruning_hyp_CompInGraph_ = ref false
let pruning_hyp_CompInFiltering_ = ref false
let pruning_hyp_LinkVarsQuantif_ = ref false
let pruning_hyp_keep_single_comparison_representation_ = ref false
let pruning_hyp_comparison_eqOnly_ = ref false
let pruning_hyp_suffixed_comparison_ = ref false
let pruning_hyp_equalities_linked_ = ref false
let pruning_hyp_arithmetic_tactic_ = ref false
let pruning_hyp_var_tactic_ = ref 0
let pruning_hyp_polarized_preds_ = ref false
let prune_context_ = ref false
let prune_coarse_pred_comp_ = ref false
let prune_get_depths_ = ref false
let pruning_hyp_considere_arith_comparison_as_special_predicate_ = ref true
(* FIN de Heuristiques en test *)
(*
let modulo_ = ref false
*)

let phantom_types = Hashtbl.create 17

let lib_files_to_load_ = ref []
let no_pervasives = ref false
let files_to_load_ = ref []
let show_time_ = ref false
let locs_files = ref []
let default_locs = ref false
let delete_old_vcs = ref false
let explain_vc = ref false
let locs_table = Hashtbl.create 97

type encoding =
  | NoEncoding | Predicates | Stratified | Recursive | Monomorph
  | SortedStratified | MonoInst

type expanding = All | Goal | NoExpanding


let types_encoding_ = ref NoEncoding (* ne pas changer svp! *)
(* let types_encoding_ = ref Stratified *)

type monoinstWorldGen =
  | MonoinstSorted
  | MonoinstBuiltin
  | MonoinstGoal
  | MonoinstPremises

let monoinstworldgen = ref MonoinstGoal
let monoinstoutput_world = ref false
let monoinstonlymem = ref false
let monoinstnounit = ref false
let monoinstonlyconst = ref false

let defExpanding_ = ref NoExpanding

type termination = UseVariant | Partial | Total
let termination_ = ref UseVariant

let ocaml_ = ref false
let ocaml_annot_ = ref false
let ocaml_externals_ = ref false
let output_ = ref None
let wol_ = ref false

let c_file = ref false

type coq_version = V7 | V8 | V81
let coq_version =
  match Version.coqversion with "v8" -> V8 | "v8.1" -> V81 | _ -> V7

type prover =
  | Coq of coq_version | Pvs | HolLight | Mizar | Harvey | Simplify | CVCLite
  | SmtLib | Isabelle | Hol4 | Gappa | Zenon | Z3 | Vampire
  | Ergo | Why | MultiWhy | MultiAltergo | Why3 | Dispatcher | WhyProject

let prover_ = ref (Coq coq_version)

(*s extracting the Mizar environ from a file *)

let environ_re = Str.regexp "[ ]*environ\\([ \t]\\|$\\)"
let begin_re = Str.regexp "[ ]*begin[ \n]"
let mizar_environ_from f =
  let buf = Buffer.create 1024 in
  let c = open_in f in
  let rec look_for_environ () =
    let s = input_line c in
    if Str.string_match environ_re s 0 then
      read_environ ()
    else
      look_for_environ ()
  and read_environ () =
    let s = input_line c in
    if Str.string_match begin_re s 0 then raise Exit;
    Buffer.add_string buf s;
    Buffer.add_char buf '\n';
    read_environ ()
  in
  try
    look_for_environ ()
  with End_of_file | Exit ->
    close_in c;
    Buffer.contents buf

(*s GUI settings *)

(* Are we the GUI? (set in intf/stat.ml) *)
let gui = ref false

(* GUI project (set in src/main.ml) *)
let gui_project = ref None


(*s Parsing the command-line *)

let copying () =
  eprintf "\
@\nThis program is free software; you can redistribute it and/or modify\
@\nit under the terms of the GNU General Public License version 2, as\
@\npublished by the Free Software Foundation.\
@\n\
@\nThis program is distributed in the hope that it will be useful,\
@\nbut WITHOUT ANY WARRANTY; without even the implied warranty of\
@\nMERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.\
@\n\
@\nSee the GNU General Public License version 2 for more details\
@\n(enclosed in the file GPL).\
@\n";
  flush stderr

let banner () =
  eprintf "\
@\nThis is why version %s, compiled on %s\
@\nCopyright (c) 2002-2014 Why development team - CNRS & INRIA & Univ. Paris-Sud\
@\nThis is free software with ABSOLUTELY NO WARRANTY (use option -warranty)\
@\n" Version.version Version.date;
  flush stderr

let usage () =
  eprintf "\
@\nUsage: why [options] [files...]\
@\n\
@\nIf no file is given, the source is read on standard input and\
@\noutput is written in file `out...'\
@\n\
@\nGeneric Options:\
@\n  -h, --help     prints this message\
@\n  -V, --verbose  verbose mode\
@\n  -q, --quiet    quiet mode (default)\
@\n  -d, --debug    debugging mode (implies verbose mode)\
@\n  --werror       treat warnings as errors\
@\n  -v, --version  prints version and exits\
@\n  --warranty     prints license and exits\
@\n  --where        prints library path and exits\
@\n  --show-time    prints execution time\
@\n\
@\nTyping/Annotations/VCG options:\
@\n  -p,  --parse-only  exits after parsing\
@\n  -tc, --type-only   exits after type-checking\
@\n  -wp, --wp-only     exits after annotation\
@\n  --fast-wp          use WP quadratic algorithm\
@\n  --white            white boxes: WP calculus enters pure expressions\
@\n  --black            black boxes: WP calculus does not enter pure expressions\
@\n  --wbb              while loops as black boxes (careful: incomplete WP)\
@\n  --split-user-conj  splits also user conjunctions in goals\
@\n  --split-bool-op    splits VCs for boolean operations &&, || and not\
@\n  --split n          splits conditions into several pieces up to n levels\
@\n  --partial          partial correctness\
@\n  --total            total correctness\
@\n  --explain          outputs explanations for VCs in file.xpl\
@\n  --locs f           reads source locations from file f\
@\n  --default-locs     reads source locations from file basename.loc\
@\n  --delete-old-vcs   delete files that originate from a previous call to Why on\
@\n                     the same file; active only when option --multi-why or\
@\n                     --multi-altergo is given\
@\n  --phantom    declare  as a phantom type\
@\n\
@\nVC transformation options:\
@\n  --all-vc           outputs all verification conditions (no auto discharge)\
@\n  --eval-goals       evaluate constant expressions in goals\
@\n  --prune-theory     prunes the theory\
@\n  --prune-hyp P V    prunes the hypotheses according to the depths P and V\
@\n  --exp all          expands the predicate definitions in both theory and goal\
@\n  --exp goal         expands the predicate definitions only in goal\
@\n\
@\nHeuristics UNDER TEST of pruning (needs --prun-hyp to be used) :\
@\n  --prune-with-comp            uses comparisons as predicates\
@\n  --prune-without-arith        does not consider as particular predicates\
@\n  --prune-with-comp-filter     as previous and uses also comparisons as filters\
@\n  --prune-keep-local-links     insert quantified variables in variables graph\
@\n  --prune-comp-single-encoding do not inverse negative comparisons\
@\n  --prune-eq-only              consider only equality comparison as a predicate\
@\n  --prune-suffixed-comp        suffixes comparison predicates\
@\n  --prune-link-eqs             link each suffixed equalitie to the unsuffixed\
@\n  --prune-arith-tactic         statically link arithmetic operators (=, < & <=)\
@\n  --prune-vars-filter T        T in {All, One-var, One-branch, Split-hyps, CNF}\
@\n  --prune-polarized-preds      Consider polarity on predicates\
@\n  --prune-context              Filter axioms with Pred depth\
@\n  --prune-coarse-pred-comp     abstract weights in predicate predecessors\
@\n  --prune-get-depths           get minimum depths to reach reachable vars/preds\
@\n\
@\nPrelude files:\
@\n  --lib-file f   load file f from the library\
@\n\
@\nEncoding for types in untyped logic:\
@\n  --encoding none    does not encode types into terms for untyped provers\
@\n  --encoding pred    encodes types with predicates\
@\n  --encoding strat   encodes types into terms\
@\n  --encoding rec     encodes types with typing axioms\
@\n  --encoding mono    encodes types using monomorphisation\
@\n  --encoding sstrat  encodes types using some types  + strat\
@\n  --encoding monoinst  encodes types using some types  + monomorphisation\
@\n\
@\nProver selection:\
@\n  --alt-ergo  selects Alt-Ergo prover\
@\n  --coq       selects COQ prover (default)\
@\n  --cvcl      selects CVC Lite prover\
@\n  --gappa     selects the Gappa prover\
@\n  --harvey    selects haRVey prover\
@\n  --hol-light selects HOL Light prover\
@\n  --hol4      selects HOL4 prover\
@\n  --isabelle  selects Isabelle prover\
@\n  --mizar     selects Mizar prover\
@\n  --pvs       selects PVS prover\
@\n  --simplify  selects Simplify prover\
@\n  --smtlib    selects the SMT-LIB format\
@\n  --z3        selects the Z3 prover (native syntax)\
@\n  --zenon     selects the Zenon prover\
@\n or generic Why outputs formats:\
@\n  --why       selects the Why pretty-printer\
@\n  --why3       selects the Why3 pretty-printer\
@\n  --multi-why selects the Why pretty-printer, with one file per goal\
@\n  --multi-altergo selects the Alt-Ergo pretty-printer, with one file per goal\
@\n  --project   selects the Why project format, with one file per goal\
@\n\
@\nCoq-specific options:\
@\n  --valid,\
@\n  --no-valid  set/unset the functional validation (default is no)\
@\n  --coq-tactic \
@\n              gives a default tactic for new proof obligations\
@\n  --coq-preamble \
@\n              gives some Coq preamble to be substituted to \"Require Why\"\
@\n  --coq-fp-model \
@\n              sets the Coq model for floating-point arithmetic\
@\n  --coq-use-dp\
@\n  --no-coq-use-dp\
@\n              tells Coq to generate or not Dp_hint annotations to use external\
@\n              provers. Doesn't have any effect for Coq version < 8.1 (no\
@\n              external provers support). Default is yes.\
@\n\
@\nMonoinst-specific options\
@\n  --monoinstworldgen \
@\n\
@\nPVS-specific options:\
@\n  --pvs-preamble \
@\n              gives some PVS preamble to be substituted to \"importing why@@why\"\
@\n\
@\nSimplify-specific options:\
@\n  --no-simplify-prelude\
@\n              suppress the Simplify prelude (BG_PUSHs for Why's symbols)\
@\n  --simplify-triggers\
@\n	      pass user-defined triggers when writing Simplify output\
@\n\
@\nZenon-specific options:\
@\n  --no-zenon-prelude\
@\n              suppress the Zenon prelude\
@\n\
@\nMizar-specific options:\
@\n  --mizar-environ \
@\n              sets the Mizar `environ'\
@\n  --mizar-environ-from \
@\n              gets Mizar `environ' from \
@\n\
@\nIsabelle/HOL-specific options:\
@\n  --isabelle-base-theory \
@\n              sets the Isabelle/HOL base theory\
@\n\
@\nGappa options:\
@\n  --gappa-rnd \
@\n              sets the Gappa rounding mode (e.g. float)\
@\n\
@\nMisc options:\
@\n  --ocaml        Ocaml code output\
@\n  --ocaml-annot  Show all annotations in ocaml code\
@\n  --ocaml-ext    Consider \"external\"s as parameters in ocaml code\
@\n  --output f     Redirect output to file f ( - for stdout)\
@\n  --dir d        Output files in directory d\
@\n  --int-is-ident\
@\n                 Consider `int' as a normal identifier, and use\
@\n                 built-in name `integer' instead for integers\
@\n";
  flush stderr

(*

SMT-lib-specific options:
  --modulo           uses %% in SMT-lib output (instead of uninterpreted symb)
*)


let files =
  let filesq = ref [] in
  let rec parse = function
    | [] -> List.rev !filesq
    | ("-h" | "-help" | "--help") :: _ -> usage (); exit 0
    | ("-alt-ergo" | "--alt-ergo") :: args -> prover_ := Ergo; parse args
    | ("-pvs" | "--pvs") :: args -> prover_ := Pvs; parse args
    | ("-coq-v7" | "--coq-v7") :: args -> prover_ := Coq V7; parse args
    | ("-coq-v8" | "--coq-v8") :: args -> prover_ := Coq V8; parse args
    | ("-coq-v81" | "--coq-v81" | "--coq-v8.1") :: args -> prover_ := Coq V81; parse args
    | ("-coq" | "--coq") :: args -> prover_ := Coq coq_version; parse args
    | ("-hol-light" | "--hol-light") :: args -> prover_ := HolLight; parse args
    | ("-mizar" | "--mizar") :: args -> prover_ := Mizar; parse args
    | ("-harvey" | "--harvey") :: args -> prover_ := Harvey; parse args
    | ("-simplify" | "--simplify") :: args -> prover_ := Simplify; parse args
    | ("-vampire" | "--vampire") :: args -> prover_ := Vampire; parse args
    | ("-isabelle" | "--isabelle") :: args -> prover_ := Isabelle; parse args
    | ("-hol4" | "--hol4") :: args -> prover_ := Hol4; parse args
    | ("-cvcl" | "--cvcl") :: args -> prover_ := CVCLite; parse args
    | ("-smtlib" | "--smtlib") :: args -> prover_ := SmtLib; parse args
    | ("-z3" | "--z3") :: args -> prover_ := Z3; parse args
    | ("-zenon" | "--zenon") :: args -> prover_ := Zenon; parse args
    | ("-why" | "--why") :: args -> prover_ := Why; parse args
    | ("-why3" | "--why3") :: args -> prover_ := Why3; parse args
    | ("-multi-why" | "--multi-why") :: args -> prover_ := MultiWhy; parse args
    | ("-multi-altergo" | "--multi-altergo") :: args ->
          prover_ := MultiAltergo; parse args
    | ("-project" | "--project") :: args -> prover_ := WhyProject; parse args
    | ("-gappa" | "--gappa") :: args -> prover_ := Gappa; parse args
    | ("-show-time" | "--show-time") :: args -> show_time_ := true; parse args
    | ("-no-prelude" | "--no-prelude" | "-no-arrays" | "--no-arrays"
      | "-fp" | "--fp" as o) :: _ ->
	Printf.eprintf "%s: deprecated\n" o; exit 1
    | "--no-pervasives" :: args ->
	no_pervasives := true; parse args
    | ("-lib-file" | "--lib-file") :: f :: args ->
	lib_files_to_load_ := f :: !lib_files_to_load_; parse args
    | ("-lib-file" | "--lib-file") :: [] -> usage (); exit 1
    | ("-load-file" | "--load-file") :: f :: args ->
	files_to_load_ := f :: !files_to_load_; parse args
    | ("-load-file" | "--load-file") :: [] -> usage (); exit 1
    | ("-d"|"--debug") :: args -> verbose_ := true; debug_ := true; parse args
    | ("-p" | "--parse-only") :: args -> parse_only_ := true; parse args
    | ("-tc" | "--type-only") :: args -> type_only_ := true; parse args
    | ("-wp" | "--wp-only") :: args -> wp_only_ := true; parse args
    | ("-q" | "--quiet") :: args -> verbose_ := false; parse args
    | ("-v" | "-version" | "--version") :: _ -> banner (); exit 0
    | ("-warranty" | "--warranty") :: _ -> copying (); exit 0
    | ("-where" | "--where") :: _ -> printf "%s\n" Version.libdir; exit 0
    | ("-V" | "--verbose") :: args -> verbose_ := true; parse args
    | ("-valid" | "--valid") :: args -> valid_ := true; parse args
    | ("-novalid" | "--no-valid") :: args -> valid_ := false; parse args
    | ("-coqtactic" | "--coqtactic" | "-coq-tactic" | "--coq-tactic")
      :: s :: args -> coq_tactic_ := Some s; parse args
    | ("-coq-use-dp" | "--coq-use-dp") :: args -> coq_use_dp := true; parse args
    | ("-no-coq-use-dp" | "--no-coq-use-dp") :: args -> 
      coq_use_dp := false; parse args
    | ("-coqtactic" | "--coqtactic" | "-coq-tactic" | "--coq-tactic") :: [] ->
	usage (); exit 1
    | ("-coqpreamble" | "--coqpreamble" | "-coq-preamble" | "--coq-preamble")
      :: s :: args -> coq_preamble_ := Some s; parse args
    | ("-coqpreamble"|"--coqpreamble"|"-coq-preamble"|"--coq-preamble")::[] ->
	usage (); exit 1
    | ("-pvspreamble" | "--pvspreamble" | "-pvs-preamble" | "--pvs-preamble")
      :: s :: args -> pvs_preamble_ := Some s; parse args
    | ("-pvspreamble"|"--pvspreamble"|"-pvs-preamble"|"--pvs-preamble")::[] ->
	usage (); exit 1
    | ("-mizarenviron" | "--mizarenviron" |
       "-mizar-environ" | "--mizar-environ")
      :: s :: args -> mizar_environ_ := Some s; parse args
    | ("-mizarenviron" | "--mizarenviron" |
       "-mizar-environ"|"--mizar-environ") :: [] ->
	usage (); exit 1
    | ("-mizarenvironfrom" | "--mizarenvironfrom" |
       "-mizar-environ-from" | "--mizar-environ-from")
      :: f :: args -> mizar_environ_ := Some (mizar_environ_from f); parse args
    | ("-mizarenvironfrom" | "--mizarenvironfrom" |
       "-mizar-environ-from"|"--mizar-environ-from") :: [] ->
	usage (); exit 1
    | ("-isabelle-base-theory" | "--isabelle-base-theory")
      :: s :: args -> isabelle_base_theory_ := s; parse args
    | ("-isabelle-base-theory" | "--isabelle-base-theory")::[] ->
	usage (); exit 1
    | ("--no-simplify-prelude" | "-no-simplify-prelude") :: args ->
	no_simplify_prelude_ := true; parse args
    | ("--simplify-triggers" | "-simplify-triggers") :: args ->
	simplify_triggers_ := true; parse args
    | ("--no-cvcl-prelude" | "-no-cvcl-prelude") :: args ->
	no_cvcl_prelude_ := true; parse args
    | ("--no-harvey-prelude" | "-no-harvey-prelude") :: args ->
	no_harvey_prelude_ := true; parse args
    | ("--no-zenon-prelude" | "-no-zenon-prelude") :: args ->
	no_zenon_prelude_ := true; parse args
    | ("--ocaml" | "-ocaml") :: args -> ocaml_ := true; parse args
    | ("--ocaml-annot" | "-ocaml-annot") :: args ->
	ocaml_annot_ := true; parse args
    | ("--ocaml-ext" | "-ocaml-ext") :: args ->
	ocaml_externals_ := true; parse args
    | ("-o" | "-output" | "--output") :: f :: args ->
	output_ := Some f; parse args
    | ("-o" | "-output" | "--output") :: [] ->
	usage (); exit 1
    | ("--wol") :: args ->
	wol_ := true; parse args
    | ("-werror" | "--werror") :: args ->
	werror_ := true; parse args
    | ("-dir" | "--dir") :: d :: args ->
	dir_ := d; parse args
    | ("-dir" | "--dir") :: [] ->
	usage (); exit 1
    | ("-fast-wp" | "--fast-wp") :: args ->
	fast_wp_ := true; parse args
    | ("-white" | "--white") :: args ->
	white_ := true; black_ := false; parse args
    | ("-black" | "--black") :: args ->
	black_ := true; white_ := false; parse args
    | ("-wbb" | "--wbb") :: args ->
        wbb_ := true; parse args
    | ("-split-user-conj" | "--split-user-conj") :: args ->
	split_user_conj_ := true; parse args
    | ("-split-bool-op" | "--split-bool-op") :: args ->
	split_bool_op_ := true; parse args
    | ("-split" | "--split") :: n :: args ->
	begin try lvlmax_ := int_of_string n with _ -> usage (); exit 1 end;
	parse args
    | ("-split" | "--split") :: [] ->
	usage (); exit 1
    | ("-all-vc" | "--all-vc" | "--allvc") :: args ->
	all_vc_ := true; parse args
    | ("-partial" | "--partial") :: args ->
	termination_ := Partial; parse args
    | ("-total" | "--total") :: args ->
	termination_ := Total; parse args
    | ("--eval-goals" | "-eval-goals") :: args ->
	 eval_goals_ := true ; parse args
    | ("--prune-theory" | "-prune-theory") :: args ->
	 pruning_ := true ; parse args
    | ("--prune-hyp" | "-prune-hyp"):: tp :: tv :: args ->
	pruning_hyp_p_ := int_of_string tp ;
	pruning_hyp_v_ := int_of_string tv ;
	parse args
(* Heuristiques en test *)
    | ("--prune-with-comp" | "-prune-with-comp"):: args ->
	pruning_hyp_CompInGraph_ := true ;
	parse args
    | ("--prune-with-comp-filter" | "-prune-with-comp-filter"):: args ->
	pruning_hyp_CompInGraph_ := true ;
	pruning_hyp_CompInFiltering_ := true ;
	parse args
    | ("--prune-keep-local-links" | "-prune-keep-local-links"):: args ->
	pruning_hyp_LinkVarsQuantif_ := true ;
	parse args
    | ("--prune-comp-single-encoding" | "-prune-comp-single-encoding"):: args ->
	pruning_hyp_keep_single_comparison_representation_ := true ;
	parse args
    | ("--prune-eq-only" | "-prune-eq-only"):: args ->
	pruning_hyp_CompInGraph_ := true ;
	pruning_hyp_comparison_eqOnly_ := true ;
	parse args
    | ("--prune-suffixed-comp" | "-prune-suffixed-comp"):: args ->
	pruning_hyp_CompInGraph_ := true ;
	pruning_hyp_suffixed_comparison_ := true ;
	parse args
    | ("--prune-link-eqs" | "-prune-link-eqs"):: args ->
	pruning_hyp_CompInGraph_ := true ;
	pruning_hyp_suffixed_comparison_ := true ;
	pruning_hyp_equalities_linked_ := true ;
	parse args
    | ("--prune-arith-tactic" | "-prune-arith-tactic"):: args ->
	pruning_hyp_CompInGraph_ := true ;
	pruning_hyp_arithmetic_tactic_ := true ;
	parse args

    | ("--prune-vars-filter" | "-prune-vars-filter"):: t :: args ->
	(match t with
	  "All" -> pruning_hyp_var_tactic_:=0; parse args
	| "One-var" -> pruning_hyp_var_tactic_:=1; parse args
	| "One-branch" -> pruning_hyp_var_tactic_:=2; parse args
	| "Split-hyps" -> pruning_hyp_var_tactic_:=3; parse args
	| "CNF" ->  pruning_hyp_var_tactic_:=4; parse args
	| _ -> usage (); exit 1);

    | ("--prune-polarized-preds" | "-prune-polarized-preds"):: args ->
	pruning_hyp_polarized_preds_ := true ; parse args

    | ("--prune-context" | "-prune-context") :: args ->
	prune_context_ := true ; parse args
    | ("--prune-coarse-pred-comp" | "-prune-coarse-pred-comp") :: args ->
	prune_coarse_pred_comp_ := true ; parse args

    | ("--prune-get-depths" | "-prune-get-depths") :: args ->
	prune_get_depths_ := true ; parse args

    | ("--prune-without-arith" | "-prune-without-arith") :: args ->
	pruning_hyp_considere_arith_comparison_as_special_predicate_ := false ; parse args
(* FIN de Heuristiques en test *)

(*
    | ("-modulo" | "--modulo") :: args ->
	 modulo_ := true ; parse args
*)
    | ("-exp" | "--exp") :: s :: args ->
	(match s with
	     "goal" -> defExpanding_ := Goal
	   | "all"  -> defExpanding_:= All
	   | _ -> usage (); exit 1);
	parse args
    | ("-encoding" | "--encoding") :: s :: args ->
	(match s with
	  "none" -> types_encoding_ := NoEncoding
	| "pred" -> types_encoding_ := Predicates
	| "strat" -> types_encoding_ := Stratified
	| "rec" -> types_encoding_ := Recursive
	| "mono" -> types_encoding_ := Monomorph
	| "sstrat" -> types_encoding_ := SortedStratified
	| "monoinst" -> types_encoding_ := MonoInst
	| _ -> usage (); exit 1);
	parse args
    | ("-monoinstworldgen" | "--monoinstworldgen") :: s :: args ->
	(match s with
	  "sorted" -> monoinstworldgen := MonoinstSorted
	| "builtin" -> monoinstworldgen := MonoinstBuiltin
	| "goal" -> monoinstworldgen := MonoinstGoal
        | "premises" -> monoinstworldgen := MonoinstPremises
	| _ -> usage (); exit 1);
        types_encoding_ := MonoInst;
	parse args
    | ("-monoinstoutput_world" | "--monoinstoutput_world")::args ->
        monoinstoutput_world := true;
        types_encoding_ := MonoInst;
        parse args
    | ("-monoinstonlymem" | "--monoinstonlymem")::args ->
        monoinstonlymem := true;
        monoinstonlyconst := false;
        parse args
    | ("-monoinstnounit" | "--monoinstnounit")::args ->
        (*monoinstnounit := true;*)
        parse args
    | ("-monoinstonlyconst" | "--monoinstonlyconst")::args ->
        monoinstonlyconst := true;
        monoinstonlymem := false;
        parse args
    | ("-explain" | "--explain") :: args ->
	explain_vc := true; parse args
    | ("-locs" | "--locs") :: s :: args ->
	locs_files := s :: !locs_files;
	parse args
    | ("-default-locs" | "--default-locs" ) :: args ->
          default_locs := true;
          parse args
    | ("-delete-old-vcs" | "--delete-old-vcs" ) :: args ->
          delete_old_vcs := true;
          parse args
    | ("-phantom" | "--phantom") :: s :: args ->
	Hashtbl.add phantom_types s ();
	parse args
    | f :: args ->
	filesq := f :: !filesq; parse args
  in
  parse (List.tl (Array.to_list Sys.argv))

(*s Finally, we dereference all the refs *)

let verbose = !verbose_
let debug = !debug_
let parse_only = !parse_only_
let type_only = !type_only_
let wp_only = !wp_only_
let prover (* ?(ignore_gui=false) *) () =
  if (* not ignore_gui &&*) !gui then Dispatcher else !prover_
let delete_old_vcs =
   !delete_old_vcs && (let p = prover () in p = MultiWhy || p = MultiAltergo)
let valid = !valid_
let coq_tactic = !coq_tactic_
let coq_preamble = match !coq_preamble_ with
  | None when prover () = Coq V7 -> "Require Why."
  | None -> "Require Export Why."
  | Some s -> s
let coq_use_dp = !coq_use_dp

let pvs_preamble = match !pvs_preamble_ with
  | None -> "IMPORTING why@why"
  | Some s -> s

let mizar_environ = !mizar_environ_
let isabelle_base_theory = !isabelle_base_theory_
let no_simplify_prelude = !no_simplify_prelude_
let simplify_triggers = !simplify_triggers_
let no_cvcl_prelude = !no_cvcl_prelude_
let no_harvey_prelude = !no_harvey_prelude_
let no_zenon_prelude = !no_zenon_prelude_
let wol = !wol_
let werror = !werror_
let dir = !dir_
let fast_wp = !fast_wp_
let white = !white_
let black = !black_
(* dead code
let wbb = !wbb_
*)
let split_user_conj = !split_user_conj_
let split_bool_op = !split_bool_op_
let lvlmax = !lvlmax_
let all_vc = !all_vc_
let termination = !termination_
let eval_goals = !eval_goals_
let pruning = !pruning_
let pruning_hyp_p = !pruning_hyp_p_
let pruning_hyp_v = !pruning_hyp_v_
(* Heuristiques en test *)
let pruning_hyp_CompInGraph = !pruning_hyp_CompInGraph_
let pruning_hyp_CompInFiltering = !pruning_hyp_CompInFiltering_
let pruning_hyp_LinkVarsQuantif = !pruning_hyp_LinkVarsQuantif_
let pruning_hyp_keep_single_comparison_representation = !pruning_hyp_keep_single_comparison_representation_
let pruning_hyp_comparison_eqOnly = !pruning_hyp_comparison_eqOnly_
let pruning_hyp_suffixed_comparison = !pruning_hyp_suffixed_comparison_
let pruning_hyp_equalities_linked = !pruning_hyp_equalities_linked_
let pruning_hyp_arithmetic_tactic = !pruning_hyp_arithmetic_tactic_
let pruning_hyp_var_tactic = !pruning_hyp_var_tactic_
let pruning_hyp_polarized_preds = !pruning_hyp_polarized_preds_
let prune_context = !prune_context_
let prune_coarse_pred_comp = !prune_coarse_pred_comp_
let prune_get_depths = !prune_get_depths_
let pruning_hyp_considere_arith_comparison_as_special_predicate= !pruning_hyp_considere_arith_comparison_as_special_predicate_
(* FIN de Heuristiques en test *)
(*
let modulo = !modulo_
*)

let defExpanding = !defExpanding_
let explain_vc = !explain_vc

(* encoding checks *)
let () =
  if (prover () = SmtLib || prover () = CVCLite || prover () = Z3) &&
     !types_encoding_ = NoEncoding
  then
    types_encoding_ := SortedStratified

let get_types_encoding () = !types_encoding_
let set_types_encoding ec = types_encoding_ := ec

let monoinstworldgen = !monoinstworldgen
let monoinstoutput_world = !monoinstoutput_world
let monoinstonlymem = !monoinstonlymem
let monoinstnounit = !monoinstnounit
let monoinstonlyconst = !monoinstonlyconst

let get_type_expanding () = !defExpanding_

let show_time = !show_time_

let file f =
  (*Format.printf "Options.file: dir = %s, f = %s@." dir f;*)
  if dir = "" then f else Lib.file ~dir ~file:f

let ocaml = !ocaml_
let ocaml_annot = !ocaml_annot_
let ocaml_externals = !ocaml_externals_

let out_file f = match !output_ with
  | None -> file f
  | Some "-" -> invalid_arg "I can't use stdout for that output";
  | Some f -> f

let open_out_file f = match !output_ with
  | Some "-" -> stdout
  | _ -> open_out (out_file f)
let close_out_file cout = match !output_ with
  | Some "-" -> ()
  | _ -> close_out cout
let out_file_exists f =
  match !output_ with
    | Some "-" -> false
    | _ -> Sys.file_exists (out_file f)

let if_verbose f x = if verbose then f x
let if_verbose_2 f x y = if verbose then f x y
let if_verbose_3 f x y z = if verbose then f x y z

let if_debug f x = if debug then f x
let if_debug_2 f x y = if debug then f x y
let if_debug_3 f x y z = if debug then f x y z

let () =
  if !default_locs then
    locs_files :=
       (List.map (fun s ->
          Filename.chop_extension s ^ ".loc" ) files) @ !locs_files;

  List.iter
    (fun f ->
       let l = Rc.from_file f in
       List.iter
	 (fun (id,fs) ->
	    let (f,l,b,e,o) =
	      List.fold_left
		(fun (f,l,b,e,o) v ->
		   match v with
		     | "file", Rc.RCstring f -> (f,l,b,e,o)
		     | "line", Rc.RCint l -> (f,l,b,e,o)
		     | "begin", Rc.RCint b -> (f,l,b,e,o)
		     | "end", Rc.RCint e -> (f,l,b,e,o)
		     | _ -> (f,l,b,e,v::o))
		("",0,0,0,[]) fs
	    in
	    Hashtbl.add locs_table id (f,l,b,e,o))
	 l)
    !locs_files

(* compatibility checks *)
let () = if prover () = Gappa && valid then begin
  Printf.eprintf "options -gappa and -valid are not compatible\n";
  exit 1
end
let () = if white && black then begin
  Printf.eprintf "options -white and -black are not compatible\n";
  exit 1
end

(* prelude *)

let lib_dir =
  try Sys.getenv "WHYLIB"
  with Not_found -> Version.libdir

let lib_file f = Filename.concat lib_dir (Filename.concat "why" f)

let prelude_file = lib_file "prelude.why"

let lib_files_to_load =
  (if !no_pervasives then [] else [prelude_file]) @
  List.rev_map lib_file !lib_files_to_load_ @
  List.rev !files_to_load_

let floats = List.mem "floats.why" !lib_files_to_load_

let () =
  if not (Sys.file_exists prelude_file) then begin
    Printf.eprintf "cannot find prelude file %s\n" prelude_file;
    begin
      try
	let s = Sys.getenv "WHYLIB" in
	Printf.eprintf "(WHYLIB is set to %s)\n" s
      with Not_found ->
	Printf.eprintf "(WHYLIB is not set, libdir is %s)\n" Version.libdir
    end;
    exit 1
  end

(*
Local Variables:
compile-command: "unset LANG; make -j -C .. bin/why.byte"
End:
*)
why-2.39/src/ltyping.ml0000644000106100004300000004660313147234006014051 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(*s Typing on the logical side *)

open Format
open Options
open Ident
open Logic
open Types
open Ptree
open Ast
open Misc
open Util
open Env
open Error
open Report

let expected_real loc =
  raise_located loc (ExpectedType (fun fmt -> fprintf fmt "real"))

let expected_num loc =
  raise_located loc (ExpectedType (fun fmt -> fprintf fmt "int or real"))

let expected_type loc et =
  raise_located loc (ExpectedType (fun fmt -> print_type_v fmt et))

let rec pure_type env = function
  | PPTint -> PTint
  | PPTbool -> PTbool
  | PPTreal -> PTreal
  | PPTunit -> PTunit
  | PPTvarid (x, _) -> PTvar (find_type_var x env)
  | PPTexternal (p, id, loc) ->
      if not (is_type id) then raise_located loc (UnboundType id);
      let np = List.length p in
      let a = type_arity id in
      if np <> a then raise_located loc (TypeArity (id, a, np));
      PTexternal (List.map (pure_type env) p, id)

(*s Typing predicates *)

let int_cmp = function
  | PPlt -> t_lt_int
  | PPle -> t_le_int
  | PPgt -> t_gt_int
  | PPge -> t_ge_int
  | PPeq -> t_eq_int
  | PPneq -> t_neq_int
  | _ -> assert false

let real_cmp = function
  | PPlt -> t_lt_real
  | PPle -> t_le_real
  | PPgt -> t_gt_real
  | PPge -> t_ge_real
  | PPeq -> t_eq_real
  | PPneq -> t_neq_real
  | _ -> assert false

let other_cmp = function
  | PTbool, PPeq -> t_eq_bool
  | PTbool, PPneq -> t_neq_bool
  | PTunit, PPeq -> t_eq_unit
  | PTunit, PPneq -> t_neq_unit
  | _, PPeq -> t_eq
  | _, PPneq -> t_neq
  | _ -> assert false

let rec occurs v = function
  | PTvar { type_val = Some t } -> occurs v t
  | PTvar { tag = t; type_val = None } -> v.tag = t
  | PTexternal (l, _) -> List.exists (occurs v) l
  | PTint | PTbool | PTunit | PTreal -> false

(* destructive type unification *)
let rec unify t1 t2 = match (t1,t2) with
  | PTvar { type_val = Some t1 }, _ ->
      unify t1 t2
  | _, PTvar { type_val = Some t2 } ->
      unify t1 t2
  | PTvar v1, PTvar v2 when v1.tag = v2.tag ->
      true
  (* instantiable variables *)
  | (PTvar ({user=false} as v), t)
  | (t, PTvar ({user=false} as v)) ->
      not (occurs v t) && (v.type_val <- Some t; true)
  (* recursive types *)
  | (PTexternal(l1,i1), PTexternal(l2,i2)) ->
      i1 = i2 && List.length l1 = List.length l2 &&
      List.for_all2 unify l1 l2
  | (PTexternal _), _
  | _, (PTexternal _) ->
      false
  (* other cases *)
  | (PTunit | PTreal | PTbool | PTint | PTvar {user=true}),
    (PTunit | PTreal | PTbool | PTint | PTvar {user=true}) ->
      t1 = t2

let make_comparison loc (a,ta) r (b,tb) =
  if not (unify ta tb) then
    raise_located loc
      (ExpectedType2
	 ((fun f -> Util.print_pure_type f (normalize_pure_type ta)),
	  (fun f -> Util.print_pure_type f (normalize_pure_type tb))));
  match normalize_pure_type ta, r, normalize_pure_type tb with
  | PTint, (PPlt|PPle|PPgt|PPge|PPeq|PPneq), PTint ->
      Papp (int_cmp r, [a; b], [])
  | PTreal, (PPlt|PPle|PPgt|PPge|PPeq|PPneq), PTreal ->
      Papp (real_cmp r, [a; b], [])
  | (PTbool | PTunit as ta), (PPeq|PPneq), (PTbool | PTunit) ->
      Papp (other_cmp (ta,r), [a; b], [])
  | ta, (PPeq|PPneq), tb ->
      begin match ta, tb with
	| PTint, PTint -> Papp (int_cmp r, [a;b], [])
	| PTreal, PTreal -> Papp (real_cmp r, [a;b], [])
	| _ -> Papp (other_cmp (ta,r), [a; b], [ta])
      end
  | ta, _, _ ->
      raise_located loc (IllegalComparison (fun fmt -> print_pure_type fmt ta))

let int_arith = function
  | PPadd -> t_add_int
  | PPsub -> t_sub_int
  | PPmul -> t_mul_int
  | _ -> assert false

let real_arith = function
  | PPadd -> t_add_real
  | PPsub -> t_sub_real
  | PPmul -> t_mul_real
  | PPdiv -> t_div_real
  | _ -> assert false

let make_arith loc = function
  | (a,t1), (PPadd|PPsub|PPmul as r), (b,t2)
    when unify t1 PTint && unify t2 PTint ->
      Tapp (int_arith r, [a; b], []), PTint
  | (a,t1), (PPadd|PPsub|PPmul|PPdiv as r), (b,t2)
    when unify t1 PTreal && unify t2 PTreal ->
      Tapp (real_arith r, [a; b], []), PTreal
  | _,PPdiv,_ ->
      expected_real loc
  | (_,_t1),_op,(_,_t2) ->
      expected_num loc

let predicate_expected loc =
  raise_located loc (AnyMessage "syntax error: predicate expected")

let term_expected loc =
  raise_located loc (AnyMessage "syntax error: term expected")

let instance _x i =
  let l =
    Vmap.fold
      (fun _ v l ->
	 (match v.type_val with
	    | None -> PTvar v
	    | Some pt -> normalize_pure_type pt) :: l)
      i []
  in
  (*
    eprintf "instance %a[@[%a@]]@."
    Ident.print x (Pp.print_list Pp.comma print_pure_type) l;
  *)
  l

(* match expression handling *)

let match_branches prop gloc loc x ty l =
  let id = match ty with
    | PTexternal (_,id) when Env.is_alg_type id -> id
    | _ -> raise_located loc ShouldBeAlgebraic
  in
  let cs = Env.alg_type_constructors id in
  let check cm ((c,vs,loc),r) =
    if not (List.mem c cs) then raise_located loc
      (ExpectedType (fun f -> print_pure_type f ty));
    if Idmap.mem c cm then raise_located loc (ClashParam c);
    let () = match find_global_logic c with
      | _, Function (pl,_)
        when List.length pl = List.length vs -> ()
      | _, _ -> raise_located loc PartialApp
    in
    if bad_arity vs then raise_located loc PatternBadArity;
    let expr ex = { pp_loc = loc; pp_desc = ex } in
    let r = if not prop then r else
      let al = List.map (fun v -> expr (PPvar v)) vs in
      let hd = PPinfix (x, PPeq, expr (PPapp (c,al))) in
      expr (PPinfix (expr hd, PPand, r))
    in
    let i = ref 1 in
    let proj acc v =
      let pt = PPapp (proj_id c !i, [x]) in
      incr i ; expr (PPlet (v, expr pt, acc))
    in
    Idmap.add c (List.fold_left proj r vs) cm
  in
  let cm = List.fold_left check Idmap.empty l in
  let pick c = try Idmap.find c cm with
    | Not_found -> raise_located gloc (NonExhaustive c)
  in
  let bs = List.map pick cs in
  if not prop then
    { pp_loc = gloc; pp_desc = PPapp (match_id id, x::bs) }
  else
    let rec join = function
      | [b] -> b
      | b::bs -> { pp_loc = gloc; pp_desc = PPinfix (b, PPor, join bs) }
      | _ -> assert false
    in
    join bs

(* typing predicates *)

let rec predicate lab env p =
  desc_predicate p.pp_loc lab env p.pp_desc

and desc_predicate loc lab env = function
  | PPvar x ->
      type_pvar loc env x
  | PPapp (x, pl) when x == t_distinct ->
      let ty = PTvar (Env.new_type_var ()) in
      let each_term a =
	let t,tt = term lab env a in
	if not (unify tt ty) then expected_type a.pp_loc (PureType ty);
	t,tt
      in
      let tl = List.map each_term pl in
      Papp (x, List.map fst tl, [ty])
  | PPapp (x, pl) ->
      type_papp loc env x (List.map (term lab env) pl)
  | PPtrue ->
      Ptrue
  | PPfalse ->
      Pfalse
  | PPconst _ ->
      predicate_expected loc
  | PPinfix (a, PPand, b) ->
      Pand (false, true, predicate lab env a, predicate lab env b)
  | PPinfix (a, PPiff, b) ->
      Piff (predicate lab env a, predicate lab env b)
  | PPinfix (a, PPor, b) ->
      Por (predicate lab env a, predicate lab env b)
  | PPinfix (a, PPimplies, b) ->
      Pimplies (false, predicate lab env a, predicate lab env b)
  | PPinfix
      ({pp_desc = PPinfix (_, (PPlt|PPle|PPgt|PPge|PPeq|PPneq), a)} as p,
       (PPlt | PPle | PPgt | PPge | PPeq | PPneq as r), b) ->
      let q = { pp_desc = PPinfix (a, r, b); pp_loc = loc } in
      Pand (false, true, predicate lab env p, predicate lab env q)
  | PPinfix (a, (PPlt | PPle | PPgt | PPge | PPeq | PPneq as r), b) ->
      make_comparison a.pp_loc (term lab env a) r (term lab env b)
  | PPinfix (_, (PPadd | PPsub | PPmul | PPdiv), _) ->
      predicate_expected loc
  | PPprefix (PPneg, _) ->
      predicate_expected loc
  | PPprefix (PPnot, a) ->
      Pnot (predicate lab env a)
  | PPif (a, b, c) ->
      let ta,tya = term lab env a in
      (match normalize_pure_type tya with
	 | PTbool ->
	     Pif (ta, predicate lab env b, predicate lab env c)
	 | _ ->
	     raise_located a.pp_loc ShouldBeBoolean)
  | PPforall (id, pt, tl, a) ->
      let v = pure_type env pt in
      let env' = Env.add_logic id v env in
      let tl' = triggers lab env' tl in
      let p' = predicate lab env' a in
      forall id (PureType v) ~triggers:tl' p'
  | PPexists (id, pt, a) ->
      let v = pure_type env pt in
      let p = predicate lab (Env.add_logic id v env) a in
      exists id (PureType v) p
  | PPnamed (n, a) ->
      Pnamed (User n, predicate lab env a)
  | PPlet (x, e1, e2) ->
      let t1, ty = term lab env e1 in
      let env = Env.add_logic x ty env in
      plet x ty t1 (predicate lab env e2)
  | PPmatch (e, l) ->
      let t, ty = term lab env e in
      let x = fresh_var () in
      let v = { pp_loc = loc ; pp_desc = PPvar x } in
      let f = match_branches true loc e.pp_loc v ty l in
      let env = Env.add_logic x ty env in
      plet x ty t (predicate lab env f)

and type_pvar loc _env x =
  if is_at x then
    raise_located loc (AnyMessage "predicates cannot be labelled");
  try match snd (find_global_logic x) with
    | Predicate [] -> Pvar x
    | Function _ -> predicate_expected loc
    | _ -> raise_located loc PartialApp
  with Not_found ->
    raise_located loc (UnboundVariable x)

and type_papp loc _env x tl =
  try match find_global_logic x with
    | vars, Predicate at ->
	check_type_args loc at tl;
	Papp (x, List.map fst tl, instance x vars)
    | _ ->
	predicate_expected loc
  with Not_found ->
    raise_located loc (UnboundVariable x)


and term lab env t =
    desc_term t.pp_loc lab env t.pp_desc

and desc_term loc lab env = function
  | PPvar x | PPapp (x, []) ->
      type_tvar loc lab env x
  | PPif (a, b, c) ->
      term lab env { pp_loc = loc; pp_desc = PPapp (if_then_else, [a;b;c]) }
  | PPapp (x, tl) ->
      let tl = List.map (term lab env) tl in
      let ty, i = type_tapp loc env x tl in
      Tapp (x, List.map fst tl, i), ty
  | PPtrue ->
      ttrue, PTbool
  | PPfalse ->
      tfalse, PTbool
  | PPconst c ->
      Tconst c, type_const c
  | PPinfix (a, (PPadd|PPsub|PPmul|PPdiv as r), b) ->
	make_arith loc (term lab env a, r, term lab env b)
  | PPinfix (_, (PPand|PPor|PPiff|PPimplies
		|PPlt|PPle|PPgt|PPge|PPeq|PPneq), _) ->
      term_expected loc
  | PPprefix (PPneg, a) ->
      (match term lab env a with
	 | ta, ty when unify ty PTint -> Tapp (t_neg_int, [ta], []), PTint
	 | ta, ty when unify ty PTreal -> Tapp (t_neg_real, [ta], []), PTreal
	 | _ -> expected_num loc)
  | PPnamed(n, t) ->
      let tt,ty = term lab env t in Tnamed(User n, tt), ty
  | PPlet (x, e1, e2) ->
      let t1, ty1 = term lab env e1 in
      let env = Env.add_logic x ty1 env in
      let t2, ty2 = term lab env e2 in
      tsubst_in_term (subst_one x t1) t2, ty2
  | PPmatch (e, l) ->
      let t, ty = term lab env e in
      let x = fresh_var () in
      let v = { pp_loc = e.pp_loc; pp_desc = PPvar x } in
      let f = match_branches false loc e.pp_loc v ty l in
      let env = Env.add_logic x ty env in
      let f, ty = term lab env f in
      tsubst_in_term (subst_one x t) f, ty
  | PPprefix (PPnot, _) | PPforall _ | PPexists _ ->
      term_expected loc

(* (* dead code *)
and type_if lab env a b c =
  match term lab env a, term lab env b, term lab env c with
    | (ta, PTbool), (tb, tyb), (tc, tyc) ->
	if tyb <> tyc then
	  raise_located c.pp_loc
	    (ExpectedType (fun f -> print_pure_type f tyb));
	Tapp (if_then_else, [ta; tb; tc], []), tyb
    | _ -> raise_located a.pp_loc ShouldBeBoolean
*)

and type_tvar loc lab env x =
  let x,xu =
    if is_at x then begin
      let xu,l = un_at x in
      if not (Label.mem l lab) then raise_located loc (UnboundLabel l);
      if not (is_reference env xu) then
	xu,xu
      else
	x,xu
    end else
      x,x
  in
  try
    let t = find_logic xu env in Tvar x, t
    (*
    let vars,t = find_logic xu env in
    if Vmap.is_empty vars then Tvar x, t else Tapp (x, [], instance x vars), t
    *)
  with Not_found -> try
    match find_global_logic xu with
      | vars, Function ([], t) -> Tapp (x, [], instance x vars), t
      | _ -> raise_located loc MustBePure
  with Not_found ->
    raise_located loc (UnboundVariable xu)


and type_tapp loc _env x tl =
  try match find_global_logic x with
    | vars, Function (at, t) ->
	check_type_args loc at tl; normalize_pure_type t, instance x vars
    | _ ->
	raise_located loc AppNonFunction
  with Not_found ->
    raise_located loc (UnboundVariable x)

and check_type_args loc at tl =
  let rec check_arg = function
    | [], [] ->
	()
    | a :: al, (tb,b) :: bl ->
	if unify a b then
	  check_arg (al, bl)
	else
	  raise_located loc (TermExpectedType ((fun f -> print_term f tb),
					       fun f -> print_pure_type f a))
    | [], _ ->
	raise_located loc TooManyArguments
    | _, [] ->
	raise_located loc PartialApp
  in
  check_arg (at, tl)

and type_const = function
  | ConstInt _ -> PTint
  | ConstBool _ -> PTbool
  | ConstUnit -> PTunit
  | ConstFloat _ -> PTreal

and pattern lab env t =
  match t.pp_desc with
  | PPapp (x, _) ->
      (try match find_global_logic x with
      | _, Function (_, _) ->
	  TPat (fst (term lab env t))
      | _ ->
	  PPat (predicate lab env t)
      with Not_found ->
	raise_located t.pp_loc (UnboundVariable x))
  | PPvar _ | PPinfix (_, (PPadd|PPsub|PPmul|PPdiv), _) ->
      TPat (fst (term lab env t))
  | _ ->
      Report.raise_located t.pp_loc Error.IllformedPattern

and triggers lab env = List.map (List.map (pattern lab env))

(*s Checking types *)

let add_logic_if_pure x v env =  match v with
  | PureType pt | Ref pt -> Env.add_logic x pt env
  | Arrow _ -> env

let type_assert ?(namer=h_name) lab env a =
  { a_value = predicate lab env a.pa_value;
    a_name = namer a.pa_name;
    a_loc = a.pa_loc;
    a_proof = None }

let type_post lab env id v ef (a,al) =
  let lab' = Label.add "" lab in
  let a' =
    let env' = add_logic_if_pure id v env in type_assert lab' env' a
  in
  let xs = Effect.get_exns ef in
  let check_exn (x,a) =
    let loc = a.pa_value.pp_loc in
    if not (is_exception x) then raise_located loc (UnboundException x);
    if not (List.mem x xs) then raise_located loc (CannotBeRaised x)
  in
  List.iter check_exn al;
  let loc = a.pa_value.pp_loc in
  let type_exn_post x =
    try
      let a = List.assoc x al in
      let env' = match find_exception x with
	| None -> env
	| Some pt -> Env.add_logic result pt env
      in
      (x, type_assert lab' env' a)
    with Not_found ->
      wprintf loc "no postcondition for exception %a; false inserted@\n"
	Ident.print x;
      (x, anonymous loc Pfalse)
  in
  (a', List.map type_exn_post xs)

let check_effect loc env e =
  let check_ref id =
    if not (Env.is_ref env id) then raise_located loc (UnboundReference id)
  in
  let check_exn id =
    if not (Env.is_exception id) then raise_located loc (UnboundException id)
  in
  let r,w,x,_ = Effect.get_repr e in
  List.iter check_ref r;
  List.iter check_ref w;
  List.iter check_exn x


(* warns if a ref occuring in a predicate is not mentioned in the effect,
   and adds it as read to the effect *)
let warn_refs loc env p =
  Idset.fold
    (fun id ef ->
       if not (Effect.is_read ef id) then begin
	 wprintf loc "mutable %a is not declared in effect; added as read\n"
	   Ident.print id;
	 if werror then exit 1;
	 Effect.add_read id ef
       end else
	 ef)
    (predicate_refs env p)

let effect e =
  let ef =
    List.fold_left (fun e x -> Effect.add_write x e) Effect.bottom e.pe_writes
  in
  let ef = List.fold_left (fun e x -> Effect.add_read x e ) ef e.pe_reads in
  List.fold_left (fun e x -> Effect.add_exn x e) ef e.pe_raises


let rec type_v loc lab env = function
  | PVpure pt ->
      PureType (pure_type env pt)
  | PVref v ->
      Ref (pure_type env v)
  | PVarrow (bl, c) ->
      let bl',env' = binders loc lab env bl in
      Arrow (bl', type_c loc lab env' c)

and type_c loc lab env c =
  let ef = effect c.pc_effect in
  check_effect loc env ef;
  let v = type_v loc lab env c.pc_result_type in
  let id = c.pc_result_name in
  let p = List.map (type_assert lab env) c.pc_pre in
  let q = option_app (type_post lab env id v ef) c.pc_post in
  let ef = List.fold_right (asst_fold (warn_refs loc env)) p ef in
  let ef = optpost_fold (warn_refs loc env) q ef in
  let s = subst_onev id Ident.result in
  let p = List.map (fun a -> a.a_value) p in
  let q = optpost_app (fun a -> subst_in_predicate s a.a_value) q in
  { c_result_name = c.pc_result_name; c_effect = ef;
    c_result_type = v; c_pre = p; c_post = q }

and binders loc lab env = function
  | [] ->
      [], env
  | (id, v) :: bl ->
      let v = type_v loc lab env v in
      let bl',env' =
	binders loc lab
	  (Env.add id v (add_logic_if_pure id v env)) bl
      in
      (id, v) :: bl', env'

let type_v loc lab env v = make_binders_type_v (type_v loc lab env v)

let type_c loc lab env c = make_binders_type_c (type_c loc lab env c)

let logic_type lt =
  let env = Env.empty_logic () in
  match lt with
  | PPredicate pl ->
      Predicate (List.map (pure_type env) pl)
  | PFunction (pl, t) ->
      Function (List.map (pure_type env) pl, pure_type env t)

let alg_type _id vl td =
  let vls = List.rev_map Ident.string vl in
  let bound x = List.mem (Ident.string x) vls in
  let rec check = function
    | PPTvarid (x, loc) -> if bound x then ()
        else raise_located loc (UnboundType x)
    | PPTexternal (p,_,_) -> List.iter check p
    | _ -> ()
  in
  let () = List.iter (fun (_,_,pl) -> List.iter check pl) td in
  let env = Env.empty_logic () in
  let vs = List.map (fun v -> PTvar (find_type_var v env)) vl in
  let cons (_,c,pl) = (c, List.map (pure_type env) pl) in
  (vs, List.map cons td)

why-2.39/src/parser.mly0000644000106100004300000004743413147234006014053 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/


%{

  open Ident
  open Types
  open Logic
  open Ptree
  open Parsing

  let loc () = (symbol_start_pos (), symbol_end_pos ())
  let loc_i i = (rhs_start_pos i, rhs_end_pos i)
(* dead code
  let loc_ij i j = (rhs_start_pos i, rhs_end_pos j)
*)

  let mk_ppl loc d = { pp_loc = loc; pp_desc = d }
  let mk_pp d = mk_ppl (loc ()) d
  let mk_pp_i i d = mk_ppl (loc_i i) d
		    
  let infix_ppl loc a i b = mk_ppl loc (PPinfix (a, i, b))
  let infix_pp a i b = infix_ppl (loc ()) a i b

  let prefix_ppl loc p a = mk_ppl loc (PPprefix (p, a))
  let prefix_pp p a = prefix_ppl (loc ()) p a

  let with_loc loc d = { pdesc = d; ploc = loc }
  let locate d = with_loc (loc ()) d
  let locate_i i d = with_loc (loc_i i) d

  let rec_name = function Srec (x,_,_,_,_,_) -> x | _ -> assert false

  let join (b,_) (_,e) = (b,e)

  let rec app f = function
    | [] -> 
	assert false
    | [a] -> 
	Sapp (f, a)
    | a :: l -> 
	let loc = join f.ploc a.ploc in 
	app (with_loc loc (Sapp (f, a))) l

  let bin_op (loc_op,op) e1 e2 =
    let f = with_loc loc_op (Svar op) in
    let f_e1 = with_loc (join e1.ploc loc_op) (Sapp (f, e1)) in
    locate (Sapp (f_e1, e2))
      
  let un_op (loc_op,op) e =
    locate (app (with_loc loc_op (Svar op)) [e])

  let ptype_c_of_v v =
    { pc_result_name = Ident.result;
      pc_result_type = v;
      pc_effect = { pe_reads = []; pe_writes = []; pe_raises = [] };
      pc_pre = []; 
      pc_post = None }

  let list_of_some = function None -> [] | Some x -> [x]

  (*s ensures a postcondition for a function body *)

  let force_function_post ?(warn=false) e = match e.pdesc with
    | Spost _ -> 
	e
    | _ -> 
       if warn then 
	 Format.eprintf 
	   "%ano postcondition for this function; true inserted@\n"
	   Loc.report_position e.ploc; 
       let q = 
	 { pa_name = Anonymous; pa_value = mk_pp PPtrue; pa_loc = loc () }
       in
       { e with pdesc = Spost (e, (q, []), Transparent) }

%}

/* Tokens */ 

%token  IDENT
%token  INTEGER
%token  FLOAT
%token  STRING
%token ABSURD AMPAMP AND ARRAY ARROW AS ASSERT AT AXIOM 
%token BANG BAR BARBAR BEGIN 
%token BIGARROW BOOL CHECK COLON COLONEQUAL COMMA DO DONE DOT ELSE END EOF EQUAL
%token EXCEPTION EXISTS EXTERNAL FALSE FOR FORALL FPI FUN FUNCTION GE GOAL GT
%token IF IN INCLUDE INDUCTIVE INT INVARIANT
%token LE LEMMA LEFTB LEFTBLEFTB LEFTPAR LEFTSQ LET LOGIC LRARROW LT MATCH MINUS
%token NOT NOTEQ OF OR PARAMETER PERCENT PLUS PREDICATE PROP 
%token QUOTE RAISE RAISES READS REAL REC REF RETURNS RIGHTB RIGHTBRIGHTB
%token RIGHTPAR RIGHTSQ 
%token SEMICOLON SLASH 
%token THEN TIMES TRUE TRY TYPE UNIT VARIANT VOID WHILE WITH WRITES

/* Precedences */

%nonassoc prec_recfun
%nonassoc prec_fun
%left LEFTB LEFTBLEFTB
%left prec_simple

%left COLON 

%left prec_letrec
%left IN

%right SEMICOLON

%left prec_no_else
%left ELSE

%right prec_named
%left COLONEQUAL
%right prec_forall prec_exists
%right ARROW LRARROW
%right OR BARBAR
%right AND AMPAMP
%right NOT
%right prec_if
%left prec_relation EQUAL NOTEQ LT LE GT GE
%left PLUS MINUS
%left TIMES SLASH 
%right uminus
%left prec_app
%left prec_ident
%left LEFTSQ

/* Entry points */

%type  lexpr
%start lexpr
%type  file
%start file
%%

file:
| list1_decl EOF 
   { $1 }
| EOF 
   { [] }
;

list1_decl:
| decl 
   { [$1] }
| decl list1_decl 
   { $1 :: $2 }
;

decl:
| INCLUDE STRING
   { Include (loc_i 2,$2) }
| LET ident EQUAL expr
   { Program (loc_i 2,$2, $4) }
| LET ident binders EQUAL list0_bracket_assertion expr
   { Program (loc_i 2,$2, locate (Slam ($3, $5, force_function_post $6))) }
| LET REC recfun
   { let (loc,p) = $3 in Program (loc,rec_name p, locate p) }
| EXCEPTION ident
   { Exception (loc (), $2, None) }
| EXCEPTION ident OF primitive_type
   { Exception (loc (), $2, Some $4) }
| external_ PARAMETER list1_ident_sep_comma COLON type_v
   { Parameter (loc_i 3, $1, $3, $5) }
| external_ LOGIC list1_ident_sep_comma COLON logic_type
   { Logic (loc_i 3, $1, $3, $5) }
| PREDICATE ident LEFTPAR list0_logic_binder_sep_comma RIGHTPAR EQUAL lexpr
   { Predicate_def (loc (), $2, $4, $7) }
| INDUCTIVE ident COLON logic_type inddefn
   { Inductive_def (loc (), $2, $4, $5) }
| FUNCTION ident LEFTPAR list0_logic_binder_sep_comma RIGHTPAR COLON 
  primitive_type EQUAL lexpr
   { Function_def (loc (), $2, $4, $7, $9) }
| GOAL ident COLON lexpr
   { Goal (loc (), KGoal, $2, $4) }
| AXIOM ident COLON lexpr
   { Goal (loc (), KAxiom, $2, $4) }
| LEMMA ident COLON lexpr
   { Goal (loc (), KLemma, $2, $4) }
| EXTERNAL TYPE typedecl
   { let loc, vl, id = $3 in TypeDecl (loc, true, vl, id) }
| TYPE typedecl typedefn
   { let loc, vl, id = $2 in $3 loc vl id }
;

typedecl:
| ident
    { (loc_i 1, [], $1) }
| type_var ident
    { (loc_i 2, [$1], $2) }
| LEFTPAR type_var COMMA list1_type_var_sep_comma RIGHTPAR ident
    { (loc_i 6, $2 :: $4, $6) }
;

typedefn:
| /* epsilon */
    { fun loc vl id -> TypeDecl (loc, false, vl, id) }
| EQUAL bar_ typecases typecont
    { fun loc vl id -> AlgType ((loc, vl, id, $3) :: $4) }
;

typecont:
| /* epsilon */
    { [] }
| AND typedecl EQUAL bar_ typecases typecont
    { let loc, vl, id = $2 in (loc, vl, id, $5) :: $6 }
;

typecases:
| typecase                { [$1] }
| typecase BAR typecases  { $1::$3 }
;

typecase:
| ident
    { (loc_i 1,$1,[]) }
| ident LEFTPAR list1_primitive_type_sep_comma RIGHTPAR
    { (loc_i 1,$1,$3) }
;

inddefn:
| /* epsilon */       { [] }
| EQUAL bar_ indcases { $3 }
;

indcases:
| indcase               { [$1] }
| indcase BAR indcases  { $1::$3 }
;

indcase:
| ident COLON lexpr { (loc_i 1,$1,$3) }
;

type_v:
| simple_type_v ARROW type_c
   { PVarrow ([Ident.anonymous, $1], $3) }
| ident COLON simple_type_v ARROW type_c
   { PVarrow ([($1, $3)], $5) }
| simple_type_v
   { $1 }
;

simple_type_v:
| primitive_type ARRAY    { PVref (PPTexternal ([$1], Ident.farray, loc_i 2)) }
| primitive_type REF      { PVref $1 }
| primitive_type          { PVpure $1 }
| LEFTPAR type_v RIGHTPAR { $2 }
;

primitive_type:
| INT 
   { PPTint }
| BOOL 
   { PPTbool }
| REAL 
   { PPTreal }
| UNIT 
   { PPTunit }
| type_var 
   { PPTvarid ($1, loc ()) }
| ident 
   { PPTexternal ([], $1, loc ()) }
| primitive_type ident
   { PPTexternal ([$1], $2, loc_i 2) }
| LEFTPAR primitive_type COMMA list1_primitive_type_sep_comma RIGHTPAR ident
   { PPTexternal ($2 :: $4, $6, loc_i 6) }
/*
| LEFTPAR list1_primitive_type_sep_comma RIGHTPAR
   { match $2 with [p] -> p | _ -> raise Parse_error }
*/
;

type_c:
| LEFTB opt_assertion RIGHTB result effects LEFTB opt_post_condition RIGHTB
   { let id,v = $4 in
     { pc_result_name = id; pc_result_type = v;
       pc_effect = $5; pc_pre = list_of_some $2; pc_post = $7 } }
| type_v
   { ptype_c_of_v $1 }
;

result:
| RETURNS ident COLON type_v { $2, $4 }
| type_v                     { Ident.result, $1 }
;

effects:
| opt_reads opt_writes opt_raises
    { { pe_reads = $1; pe_writes = $2; pe_raises = $3 } }
;

opt_reads:
| /* epsilon */               { [] }
| READS list0_ident_sep_comma { $2 }
;

opt_writes:
| /* epsilon */                { [] }
| WRITES list0_ident_sep_comma { $2 }
;

opt_raises:
| /* epsilon */                { [] }
| RAISES list0_ident_sep_comma { $2 }
;

opt_assertion:
| /* epsilon */  { None }
| assertion      { Some $1 }
;

assertion:
| lexpr          
    { { pa_name = Anonymous; pa_value = $1; pa_loc = loc () } }
| lexpr AS ident 
    { { pa_name = Name $3; pa_value = $1; pa_loc = loc () } }
;

opt_post_condition:
| /* epsilon */  { None }
| post_condition { Some $1 }
;

post_condition:
| assertion 
   { $1, [] }
| assertion BAR list1_exn_condition_sep_bar
   { $1, $3 }
| BAR list1_exn_condition_sep_bar
   { Format.eprintf "%awarning: no postcondition; false inserted@\n" 
       Loc.report_position (loc ());
     (* if Options.werror then exit 1; *)
     ({ pa_name = Anonymous; pa_value = mk_pp PPfalse; pa_loc = loc () }, $2) }
;

bracket_assertion:
| LEFTB assertion RIGHTB { $2 }
;

list1_bracket_assertion:
| bracket_assertion                         { [$1] }
| bracket_assertion list1_bracket_assertion { $1 :: $2 }
;

list0_bracket_assertion:
| /* epsilon */           { [] }
| LEFTB RIGHTB            { [] }
| list1_bracket_assertion { $1 }
;

list1_exn_condition_sep_bar:
| exn_condition                                 { [$1] }
| exn_condition BAR list1_exn_condition_sep_bar { $1 :: $3 }
;

exn_condition:
| ident BIGARROW assertion { $1,$3 }
;

logic_type:
| list0_primitive_type_sep_comma ARROW PROP
   { PPredicate $1 }
| PROP
   { PPredicate [] }
| list0_primitive_type_sep_comma ARROW primitive_type
   { PFunction ($1, $3) }
| primitive_type
   { PFunction ([], $1) }
;

list0_primitive_type_sep_comma:
| /* epsilon */                  { [] }
| list1_primitive_type_sep_comma { $1 }
;

list1_primitive_type_sep_comma:
| primitive_type                                      { [$1] }
| primitive_type COMMA list1_primitive_type_sep_comma { $1 :: $3 }
;

list0_logic_binder_sep_comma:
| /* epsilon */                { [] }
| list1_logic_binder_sep_comma { $1 }
;

list1_logic_binder_sep_comma:
| logic_binder                                    { [$1] }
| logic_binder COMMA list1_logic_binder_sep_comma { $1 :: $3 }
;

logic_binder:
| ident COLON primitive_type       
    { (loc_i 1, $1, $3) }
| ident COLON primitive_type ARRAY 
    { (loc_i 1, $1, PPTexternal ([$3], Ident.farray, loc_i 3)) }
;

external_:
| /* epsilon */ { false }
| EXTERNAL      { true  }
;

lexpr:
| lexpr ARROW lexpr 
   { infix_pp $1 PPimplies $3 }
| lexpr LRARROW lexpr 
   { infix_pp $1 PPiff $3 }
| lexpr OR lexpr 
   { infix_pp $1 PPor $3 }
| lexpr AND lexpr 
   { infix_pp $1 PPand $3 }
| NOT lexpr 
   { prefix_pp PPnot $2 }
| lexpr relation lexpr %prec prec_relation
   { infix_pp $1 $2 $3 }
| lexpr PLUS lexpr
   { infix_pp $1 PPadd $3 }
| lexpr MINUS lexpr
   { infix_pp $1 PPsub $3 }
| lexpr TIMES lexpr
   { infix_pp $1 PPmul $3 }
| lexpr SLASH lexpr
   { infix_pp $1 PPdiv $3 }
| MINUS lexpr %prec uminus
   { prefix_pp PPneg $2 }
| qualid_ident
   { mk_pp (PPvar $1) }
| qualid_ident LEFTPAR list1_lexpr_sep_comma RIGHTPAR
   { mk_pp (PPapp ($1, $3)) }
| qualid_ident LEFTSQ lexpr RIGHTSQ
   { mk_pp (PPapp (Ident.access, [mk_pp_i 1 (PPvar $1); $3])) }
| IF lexpr THEN lexpr ELSE lexpr %prec prec_if 
   { mk_pp (PPif ($2, $4, $6)) }
| FORALL list1_ident_sep_comma COLON primitive_type triggers 
  DOT lexpr %prec prec_forall
   { let rec mk = function
       | [] -> assert false
       | [id] -> mk_pp (PPforall (id, $4, $5, $7))
       | id :: l -> mk_pp (PPforall (id, $4, [], mk l))
     in
     mk $2 }
| EXISTS ident COLON primitive_type DOT lexpr %prec prec_exists
   { mk_pp (PPexists ($2, $4, $6)) }
| INTEGER
   { mk_pp (PPconst (ConstInt $1)) }
| FLOAT
   { mk_pp (PPconst (ConstFloat $1)) }
| TRUE
   { mk_pp PPtrue }
| FALSE
   { mk_pp PPfalse }    
| VOID
   { mk_pp (PPconst ConstUnit) }
| LEFTPAR lexpr RIGHTPAR
   { $2 }
| ident_or_string COLON lexpr %prec prec_named
   { mk_pp (PPnamed ($1, $3)) }
| LET ident EQUAL lexpr IN lexpr 
   { mk_pp (PPlet ($2, $4, $6)) }
| MATCH lexpr WITH bar_ match_cases END
   { mk_pp (PPmatch ($2, $5)) }
;

match_cases:
| match_case                  { [$1] }
| match_case BAR match_cases  { $1::$3 }
;

match_case:
| pattern ARROW lexpr { ($1,$3) }
;

pattern:
| ident                                         { ($1, [], loc ()) }
| ident LEFTPAR list1_ident_sep_comma RIGHTPAR  { ($1, $3, loc ()) }
;

triggers:
| /* epsilon */                         { [] }
| LEFTSQ list1_trigger_sep_bar RIGHTSQ  { $2 }
;

list1_trigger_sep_bar:
| trigger                           { [$1] }
| trigger BAR list1_trigger_sep_bar { $1 :: $3 }
;

trigger:
  list1_lexpr_sep_comma { $1 }
;

list1_lexpr_sep_comma:
| lexpr                             { [$1] }
| lexpr COMMA list1_lexpr_sep_comma { $1 :: $3 }
;

relation:
| LT { PPlt }
| LE { PPle }
| GT { PPgt }
| GE { PPge }
| EQUAL { PPeq }
| NOTEQ { PPneq }
;

type_var:
| QUOTE ident { $2 }
;

list1_type_var_sep_comma:
| type_var                                { [$1] }
| type_var COMMA list1_type_var_sep_comma { $1 :: $3 }
;

expr:
| simple_expr %prec prec_simple 
   { $1 }
| ident COLONEQUAL expr
   { locate 
       (Sapp (locate (Sapp (locate (Svar Ident.ref_set), 
			    locate_i 1 (Svar $1))),
	      $3)) }
| ident LEFTSQ expr RIGHTSQ COLONEQUAL expr
   { locate 
       (Sapp (locate 
		(Sapp (locate 
			 (Sapp (locate (Svar Ident.array_set), 
				locate_i 1 (Svar $1))),
			 $3)),
		$6)) }
| IF expr THEN expr ELSE expr
   { locate (Sif ($2, $4, $6)) }
| IF expr THEN expr %prec prec_no_else
   { locate (Sif ($2, $4, locate (Sconst ConstUnit))) }
| WHILE expr DO invariant_variant expr DONE
   { (* syntactic suget for
        try loop { invariant variant } if b then e else raise Exit
        with Exit -> void end *)
     let inv,var = $4 in
     locate 
       (Stry
	  (locate 
	     (Sloop (inv, var, 
		     locate 
		       (Sif ($2, $5,
			     locate (Sraise (exit_exn, None, None)))))),
	     [((exit_exn, None), locate (Sconst ConstUnit))])) }
| IDENT COLON expr
   { locate (Slabel ($1, $3)) }
| LET ident EQUAL expr IN expr
   { locate (Sletin ($2, $4, $6)) }
| LET ident EQUAL REF expr IN expr
   { locate (Sletref ($2, $5, $7)) }
| FUN binders ARROW list0_bracket_assertion expr %prec prec_fun
   { locate (Slam ($2, $4, force_function_post $5)) }
| LET ident binders EQUAL list0_bracket_assertion expr IN expr
   { let b =  force_function_post ~warn:true $6 in
     locate (Sletin ($2, locate (Slam ($3, $5, b)), $8)) }
| LET REC recfun %prec prec_letrec
   { let _loc,p = $3 in locate p }
| LET REC recfun IN expr
   { let _loc,p = $3 in locate (Sletin (rec_name p, locate p, $5)) }
| RAISE ident opt_cast
   { locate (Sraise ($2, None, $3)) }
| RAISE LEFTPAR ident expr RIGHTPAR opt_cast
   { locate (Sraise ($3, Some $4 , $6)) }
| TRY expr WITH bar_ list1_handler_sep_bar END
   { locate (Stry ($2, $5)) }
| ABSURD opt_cast
   { locate (Sabsurd $2) }
| simple_expr list1_simple_expr %prec prec_app
   { locate (app $1 $2) }
| expr BARBAR expr
   { locate (Slazy_or ($1, $3))
     (* let ptrue = locate (Sconst (ConstBool true)) in
     locate (Sif ($1, ptrue, $3)) *) }
| expr AMPAMP expr
   { locate (Slazy_and ($1, $3))
     (* let pf = locate (Sconst (ConstBool false)) in
     locate (Sif ($1, $3, pf)) *) }
| NOT expr
   { locate (Snot $2)
     (* let pf = locate (Sconst (ConstBool false)) in
     let pt = locate (Sconst (ConstBool true)) in
     locate (Sif ($2, pf, pt)) *) }
| expr relation_id expr %prec prec_relation
   { bin_op $2 $1 $3 }
| expr PLUS expr
   { bin_op (loc_i 2, Ident.t_add) $1 $3 }
| expr MINUS expr
   { bin_op (loc_i 2, Ident.t_sub) $1 $3 }
| expr TIMES expr
   { bin_op (loc_i 2, Ident.t_mul) $1 $3 }
| expr SLASH expr
   { bin_op (loc_i 2, Ident.t_div) $1 $3 }
/* disabled (confusion math_div / computer_div
| expr PERCENT expr
   { bin_op (loc_i 2, Ident.t_mod_int) $1 $3 }
*/
| MINUS expr %prec uminus
   { un_op (loc_i 1, Ident.t_neg) $2 }
| expr SEMICOLON expr
   { locate (Sseq ($1, $3)) }
| ASSERT list1_bracket_assertion SEMICOLON expr 
   { locate (Sassert (`ASSERT,$2, $4)) }
| CHECK list1_bracket_assertion SEMICOLON expr 
   { locate (Sassert (`CHECK,$2, $4)) }
| expr LEFTB post_condition RIGHTB
   { locate (Spost ($1, $3, Transparent)) }
| expr LEFTBLEFTB post_condition RIGHTBRIGHTB
   { locate (Spost ($1, $3, Opaque)) }
;

simple_expr:
| ident %prec prec_ident
   { locate (Svar $1) }
| INTEGER
   { locate (Sconst (ConstInt $1)) }
| FLOAT
   { let f = $1 in locate (Sconst (ConstFloat f)) }
| VOID
   { locate (Sconst ConstUnit) }
| TRUE
   { locate (Sconst (ConstBool true)) }
| FALSE
   { locate (Sconst (ConstBool false)) }
| BANG ident
   { locate (Sderef $2) }
| ident LEFTSQ expr RIGHTSQ
   { locate 
       (Sapp (locate (Sapp (locate (Svar Ident.array_get), 
			    locate_i 1 (Svar $1))),
	      $3)) }
| LEFTSQ type_c RIGHTSQ
   { locate (Sany $2) }
| LEFTPAR expr RIGHTPAR
   { $2 }
| BEGIN expr END
   { $2 }
;

list1_simple_expr:
| simple_expr %prec prec_simple { [$1] }
| simple_expr list1_simple_expr { $1 :: $2 }
;

list1_handler_sep_bar:
| handler                           { [$1] }
| handler BAR list1_handler_sep_bar { $1 :: $3 }
;

handler:
| ident ARROW expr       { (($1, None), $3) }
| ident ident ARROW expr { (($1, Some $2), $4) }
;

opt_cast:
| /* epsilon */ { None }
| COLON type_v  { Some $2 }
;

invariant_variant:
| /* epsilon */ { None, None }
| LEFTB opt_invariant RIGHTB { $2, None }
| LEFTB opt_invariant VARIANT variant RIGHTB { $2, Some $4 }
;

opt_invariant:
| /* epsilon */       { None }
| INVARIANT assertion { Some $2 }
;

recfun:
| ident binders COLON type_v opt_variant EQUAL 
  list0_bracket_assertion expr %prec prec_recfun
   { (loc_i 1),Srec ($1, $2, $4, $5, $7, force_function_post $8) }
;

opt_variant:
| LEFTB VARIANT variant RIGHTB { Some $3 } 
| /* epsilon */                { None }
;

variant:
| lexpr FOR ident { ($1, $3) }
| lexpr           { ($1, Ident.t_zwf_zero) }
;

binders:
| list1_binder { List.flatten $1 }
;

list1_binder:
| binder              { [$1] }
| binder list1_binder { $1 :: $2 }
;

binder:
| LEFTPAR RIGHTPAR
   { [Ident.anonymous, PVpure PPTunit] }
| LEFTPAR list1_ident_sep_comma COLON type_v RIGHTPAR 
   { List.map (fun s -> (s, $4)) $2 }
;

relation_id:
| LT    { loc (), Ident.t_lt }
| LE    { loc (), Ident.t_le }
| GT    { loc (), Ident.t_gt }
| GE    { loc (), Ident.t_ge }
| EQUAL { loc (), Ident.t_eq }
| NOTEQ { loc (), Ident.t_neq }
;

ident:
| IDENT { Ident.create $1 }
;

qualid_ident:
| IDENT          { Ident.create $1 }
| IDENT AT       { Ident.at_id (Ident.create $1) "" }
| IDENT AT IDENT { Ident.at_id (Ident.create $1) $3 }
;

list0_ident_sep_comma:
| /* epsilon */         { [] }
| list1_ident_sep_comma { $1 }
;

list1_ident_sep_comma:
| ident                             { [$1] }
| ident COMMA list1_ident_sep_comma { $1 :: $3 }
;

ident_or_string:
| IDENT  { $1 }
| STRING { $1 }
;

bar_:
| /* epsilon */ { () }
| BAR           { () }
;

why-2.39/src/xml.mll0000644000106100004300000001366113147234006013335 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

{

  open Lexing

  open Rc

  type element =
    { name : string;
      attributes : (string * rc_value) list;
      elements : element list;
    }

  let buf = Buffer.create 17

  let rec pop_all group_stack element_stack =
    match group_stack with
      | [] -> element_stack
      | (elem,att,elems)::g ->
	  let e = {
	    name = elem;
	    attributes = att;
	    elements = List.rev element_stack;
	  }
	  in pop_all g (e::elems)
}

let space = [' ' '\t' '\r' '\n']
let digit = ['0'-'9']
let letter = ['a'-'z' 'A'-'Z']
let ident = (letter | digit | '_') + 
let sign = '-' | '+' 
let integer = sign? digit+
let mantissa = ['e''E'] sign? digit+
let real = sign? digit* '.' digit* mantissa?
let escape = ['\\''"''n''t''r'] 

rule elements group_stack element_stack = parse
  | space+ 
      { elements group_stack element_stack lexbuf }
  | '<' (ident as elem)   
      { attributes group_stack element_stack elem [] lexbuf }
  | "'
      { match group_stack with
         | [] -> 
             Format.eprintf "Xml: warning unexpected closing Xml element `%s'@." celem;
             elements group_stack element_stack lexbuf
         | (elem,att,stack)::g ->
             if celem <> elem then
               Format.eprintf "Xml: warning Xml element `%s' closed by `%s'@." elem celem;
	     let e = {
	        name = elem;
	        attributes = att;
	        elements = List.rev element_stack;
	     }
             in elements g (e::stack) lexbuf            
       }
  | '<'
      { Format.eprintf "Xml: warning unexpected '<'@.";
        elements group_stack element_stack lexbuf }      
  | eof 
      { match group_stack with
         | [] -> element_stack
         | (elem,_,_)::_ ->
             Format.eprintf "Xml: warning unclosed Xml element `%s'@." elem;
             pop_all group_stack element_stack
      }
  | _ as c
      { failwith ("Xml: invalid element starting with " ^ String.make 1 c) }

and attributes groupe_stack element_stack elem acc = parse
  | space+
      { attributes groupe_stack element_stack elem acc lexbuf }
  | (ident as key) space* '=' 
      { let v = value lexbuf in
        attributes groupe_stack element_stack elem ((key,v)::acc) lexbuf }
  | '>' 
      { elements ((elem,acc,element_stack)::groupe_stack) [] lexbuf }
  | "/>"
      { let e = { name = elem ; 
                  attributes = acc;
                  elements = [] }
        in
        elements groupe_stack (e::element_stack) lexbuf }
  | _ as c
      { failwith ("Xml: `>' expected, got " ^ String.make 1 c) }
  | eof
      { failwith ("Xml: unclosed element, `>' expected") }

and value = parse
  | space+ 
      { value lexbuf }
  | integer as i
      { RCint (int_of_string i) }
  | real as r
      { RCfloat (float_of_string r) }
  | '"' 
      { Buffer.clear buf;
	string_val lexbuf } 
  | "true"
      { RCbool true }
  | "false"
      { RCbool false }
  | ident as id
      { RCident id }
  | _ as c
      { failwith ("Xml: invalid value starting with " ^ String.make 1 c) }
  | eof
      { failwith "Xml: unterminated keyval pair" }

and string_val = parse 
  | '"' 
      { RCstring (Buffer.contents buf) }
  | [^ '\\' '"'] as c
      { Buffer.add_char buf c;
        string_val lexbuf }
  | '\\' (['\\''\"'] as c)   
      { Buffer.add_char buf c;
        string_val lexbuf }
  | '\\' 'n'
      { Buffer.add_char buf '\n';
        string_val lexbuf }
  | '\\' (_ as c)
      { Buffer.add_char buf '\\';
        Buffer.add_char buf c;
        string_val lexbuf }
  | eof
      { failwith "Xml: unterminated string" }


{

  let from_file f =
      let c = 
(*
	try 
*)
	open_in f 
(*
	with Sys_error _ -> 
	  Format.eprintf "Cannot open file %s@." f;
	  exit 1
*)
      in
      let lb = from_channel c in
      let l = elements [] [] lb in
      close_in c;
      List.rev l

}
why-2.39/src/holl.mli0000644000106100004300000000446213147234006013467 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

(*s HOL Light output *)

val reset : unit -> unit
val push_decl : Logic_decl.t -> unit
val output_file : string -> unit
why-2.39/src/misc.ml0000644000106100004300000005616513147234006013322 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



open Options
open Ident
open Logic
open Types
open Ast
open Cc


(*s Utility functions. *)

let map_succeed f =
  let rec map_f = function
    | [] -> []
    | h :: t -> try let x = f h in x :: map_f t with Failure _ -> map_f t
  in
  map_f

let option_app = Option_misc.map

let option_iter = Option_misc.iter

let option_fold = Option_misc.fold

let a_value a = a.a_value
let a_values = List.map a_value

let list_of_some = function None -> [] | Some x -> [x]

let if_labelled f id = if is_at id then f (un_at id)

let difference l1 l2 =
  let rec diff = function
    | [] -> []
    | a::rem -> if List.mem a l2 then diff rem else a::(diff rem)
  in
  diff l1

let rec last = function
  | [] -> invalid_arg "last"
  | [x] -> x
  | _ :: l -> last l

let rec list_combine3 a b c = match a, b, c with
  | [], [], [] -> []
  | xa::ra, xb::rb, xc::rc -> (xa, xb, xc) :: list_combine3 ra rb rc
  | _ -> invalid_arg "list_combine3"

let rec list_first f = function
  | [] -> raise Exit
  | x :: l -> try f x with Exit -> list_first f l

let is_default_post a = match a.a_value with
  | Pvar id when id == Ident.default_post -> true
  | _ -> false

(*s Functions on names *)

type avoid = Ident.set

let renaming_of_ids avoid ids =
  let rec rename avoid = function
    | [] ->
	[], avoid
    | x :: rem ->
	let al,avoid = rename avoid rem in
	let x' = Ident.next_away x avoid in
	(x,x')::al, Idset.add x' avoid
  in
  rename avoid ids

(*s hypotheses names *)

let next s r = function
  | Anonymous -> incr r; Ident.create (s ^ string_of_int !r)
  | Name id -> id

let reset_names_table = ref []
let reset_names () = List.iter (fun f -> f ()) !reset_names_table

let gen_sym_name s =
  let r = ref 0 in
  reset_names_table := (fun () -> r := 0) :: !reset_names_table;
  next s r

let gen_sym s = let g = gen_sym_name s in fun () -> g Anonymous

let pre_name = gen_sym_name "Pre"
let post_name = gen_sym "Post"
let inv_name = gen_sym_name "Inv"
let test_name = gen_sym "Test"
let wp_name = gen_sym "WP"
let h_name = gen_sym_name "H_"
let bool_name = gen_sym "Bool"
let variant_name = gen_sym "variant"
let phi_name = gen_sym "rphi"
let for_name = gen_sym "for"
let label_name = let f = gen_sym "_label_" in fun () -> Ident.string (f ())
let fresh_hyp = gen_sym "HW_"
let fresh_axiom = gen_sym "AXIOM_"
let fresh_var = gen_sym "aux_"
let fresh_c_var = gen_sym "c_aux_"
let wf_name = gen_sym "wf"

let id_of_name = function Name id -> id | Anonymous -> default

let is_post id =
  let s = Ident.string id in
  String.length s >= 4 && String.sub s 0 4 = "Post"

let post_name_from =
  let avoid = ref Idset.empty in
  reset_names_table := (fun () -> avoid := Idset.empty) :: !reset_names_table;
  function
    | Anonymous ->
	post_name ()
    | Name id when is_post id ->
	post_name ()
    | Name id ->
	let id' = Ident.next_away id !avoid in
	avoid := Idset.add id' !avoid;
	id'

let warning s = Format.eprintf "warning: %s@\n" s
let wprintf loc f =
  Format.eprintf "%awarning: " Loc.report_position loc; Format.eprintf f
let unlocated_wprintf f =
  Format.eprintf "warning: "; Format.eprintf f

(*s Various utility functions. *)

let rec is_closed_pure_type = function
  | PTint | PTbool | PTreal | PTunit -> true
  | PTvar {type_val=None} -> false
  | PTvar {type_val=Some t} -> is_closed_pure_type t
  | PTexternal (ptl,_) -> List.for_all is_closed_pure_type ptl

let rec normalize_pure_type = function
  | PTvar { type_val = Some t } -> normalize_pure_type t
  | PTexternal (i, id) -> PTexternal (List.map normalize_pure_type i, id)
  | PTvar _ | PTint | PTbool | PTunit | PTreal as t -> t

let rationalize s =
  let n = String.length s in
  let i = String.index s '.' in
  let d = n - i - 1 in
  String.sub s 0 i ^ String.sub s (succ i) d, "1" ^ String.make d '0'

let is_mutable = function Ref _ -> true | _ -> false
let is_pure = function PureType _ -> true | _ -> false

let asst_app f x = { x with a_value = (f x.a_value); a_proof = None }

let post_app f (q,l) = (f q, List.map (fun (x,a) -> (x, f a)) l)

let optpost_app f = option_app (post_app f)

let asst_fold f x v = f x.a_value v
let post_fold f (q,l) v =
  List.fold_right (fun (_,p) -> asst_fold f p) l (asst_fold f q v)
let optpost_fold f = option_fold (post_fold f)

(* dead code
let panonymous loc x =
  { pa_name = Anonymous; pa_value = x; pa_loc = loc }
*)
let anonymous loc x =
  { a_name = Ident.anonymous; a_value = x; a_loc = loc; a_proof = None }
let wp_named loc x =
  { a_name = wp_name (); a_value = x; a_loc = loc; a_proof = None }
let pre_named loc x =
  { a_name = pre_name Anonymous; a_value = x; a_loc = loc; a_proof = None }
let post_named loc x =
  { a_name = post_name (); a_value = x; a_loc = loc; a_proof = None }

let force_wp_name = option_app (fun a -> { a with a_name = wp_name () })

(* dead code
let force_name f a = { a with a_name = f a.a_name }
*)

(***
    let force_post_name = option_app (fun (q,l) -> (force_name post_name q, l))

    let force_bool_name =
    let f = function Name id -> id | Anonymous -> bool_name() in
    option_app (fun (q,l) -> (force_name f q, l))
***)

let force_loc l a = { a with a_loc = l }

let force_post_loc l (q,ql) =
  (force_loc l q, List.map (fun (x,a) -> (x, force_loc l a)) ql)

(***
    let rec force_type_c_loc l c =
    { c with
    c_result_type = force_type_v_loc l c.c_result_type;
    c_pre = List.map (force_loc l) c.c_pre;
    c_post = option_app (force_post_loc l) c.c_post }

    and force_type_v_loc l = function
    | Arrow (bl, c) -> Arrow (bl, force_type_c_loc l c)
    | (PureType _ | Ref _) as v -> v
***)

let default_post = anonymous Loc.dummy_position (Pvar Ident.default_post)

(* selection of postcondition's parts *)
let post_val = fst
let post_exn x (_,l) = List.assoc x l

let optpost_val = option_app post_val
let optpost_exn x = option_app (post_exn x)

(* substititution within some parts of postconditions *)
let val_app f (x,xl) = (asst_app f x, xl)
let exn_app _x f (x,xl) = (x, List.map (fun (x,a) -> x, asst_app f a) xl)

let optval_app f = option_app (val_app f)
let optexn_app x f = option_app (exn_app x f)

let optasst_app f = option_app (asst_app f)

(*s Functions on terms and predicates. *)

let rec applist f l = match (f,l) with
  | f, [] -> f
  | Tvar id, l -> Tapp (id, l, [])
  | Tapp (id, l, il), l' -> Tapp (id, l @ l', il)
  | (Tconst _ | Tderef _), _ -> assert false
  | Tnamed(lab,t),l -> Tnamed(lab,applist t l)

let papplist f l = match (f,l) with
  | f, [] -> f
  | Pvar id, l -> Papp (id, l, [])
  | Papp (id, l, il), l' -> assert (il = []); Papp (id, l @ l', [])
  | _ -> assert false

let predicate_of_term = function
  | Tvar x -> Pvar x
  | Tapp (id, l, i) -> Papp (id, l, i)
  | _ -> assert false

let rec collect_term s = function
  | Tvar id | Tderef id -> Idset.add id s
  | Tapp (_, l, _) -> List.fold_left collect_term s l
  | Tconst _ -> s
  | Tnamed(_,t) -> collect_term s t

let rec collect_pred s = function
  | Pvar _ | Ptrue | Pfalse -> s
  | Papp (_, l, _) -> List.fold_left collect_term s l
  | Pimplies (_, a, b) | Pand (_, _, a, b) | Por (a, b) | Piff (a, b)
  | Forallb (_, a, b) ->
      collect_pred (collect_pred s a) b
  | Pif (a, b, c) -> collect_pred (collect_pred (collect_term s a) b) c
  | Pnot a -> collect_pred s a
  | Forall (_, _, _, _, _, p) -> collect_pred s p
  | Exists (_, _, _, p) -> collect_pred s p
  | Pnamed (_, p) -> collect_pred s p
  | Plet (_, _, _, t, p) -> collect_pred (collect_term s t) p

let term_vars = collect_term Idset.empty
let predicate_vars = collect_pred Idset.empty
let assertion_vars a = predicate_vars a.a_value

let gen_post_vars assertion_vars (q,al) =
  List.fold_left
    (fun s (_,a) -> Idset.union s (assertion_vars a))
    (assertion_vars q)
    al

let post_vars = gen_post_vars predicate_vars
let apost_vars = gen_post_vars assertion_vars

let map_predicate f = function
  | Pimplies (w, a, b) -> Pimplies (w, f a, f b)
  | Pif (a, b, c) -> Pif (a, f b, f c)
  | Pand (w, s, a, b) -> Pand (w, s, f a, f b)
  | Por (a, b) -> Por (f a, f b)
  | Piff (a, b) -> Piff (f a, f b)
  | Pnot a -> Pnot (f a)
  | Forall (w, id, b, v, tl, p) -> Forall (w, id, b, v, tl, f p)
  | Exists (id, b, v, p) -> Exists (id, b, v, f p)
  | Forallb (w, a, b) -> Forallb (w, f a, f b)
  | Pnamed (n, a) -> Pnamed (n, f a)
  | Plet (id, b, pt, t, p) -> Plet (id, b, pt, t, f p)
  | Ptrue | Pfalse | Pvar _ | Papp _ as p -> p

let rec tsubst_in_term s = function
  | Tvar x | Tderef x as t ->
      (try Idmap.find x s with Not_found -> t)
  | Tapp (x,l,i) ->
      Tapp (x, List.map (tsubst_in_term s) l, i)
  | Tconst _ as t ->
      t
  | Tnamed(lab,t) -> Tnamed(lab,tsubst_in_term s t)

let rec tsubst_in_predicate s = function
  | Papp (id, l, i) -> Papp (id, List.map (tsubst_in_term s) l, i)
  | Pif (a, b ,c) -> Pif (tsubst_in_term s a,
			  tsubst_in_predicate s b,
			  tsubst_in_predicate s c)
  | Forall (w, id, b, v, tl, p) ->
      Forall (w, id, b, v, List.map (List.map (tsubst_in_pattern s)) tl,
	      tsubst_in_predicate s p)
  | Plet (id, n, pt, t, p) ->
      Plet (id, n, pt, tsubst_in_term s t, tsubst_in_predicate s p)
  | p ->
      map_predicate (tsubst_in_predicate s) p

and tsubst_in_pattern s = function
  | TPat t -> TPat (tsubst_in_term s t)
  | PPat p -> PPat (tsubst_in_predicate s p)

(***
    let subst_in_term s =
    tsubst_in_term (Idmap.map (fun id -> Tvar id) s)
***)
let rec subst_in_term s = function
  | Tvar x | Tderef x as t ->
      (try Tvar (Idmap.find x s) with Not_found -> t)
  | Tapp (x,l,i) ->
      Tapp (x, List.map (subst_in_term s) l, i)
  | Tconst _ as t ->
      t
  | Tnamed(lab,t) -> Tnamed(lab,subst_in_term s t)


(***
    let subst_in_predicate s =
    tsubst_in_predicate (Idmap.map (fun id -> Tvar id) s)
    let subst_in_pattern s =
    tsubst_in_pattern (Idmap.map (fun id -> Tvar id) s)
***)

let rec subst_in_predicate s = function
  | Papp (id, l, i) -> Papp (id, List.map (subst_in_term s) l, i)
  | Pif (a, b ,c) -> Pif (subst_in_term s a,
			  subst_in_predicate s b,
			  subst_in_predicate s c)
  | Forall (w, id, b, v, tl, p) ->
      Forall (w, id, b, v, List.map (List.map (subst_in_pattern s)) tl,
	      subst_in_predicate s p)
  | Plet (id, n, pt, t, p) ->
      Plet (id, n, pt, subst_in_term s t, subst_in_predicate s p)
  | p ->
      map_predicate (subst_in_predicate s) p

and subst_in_pattern s = function
  | TPat t -> TPat (subst_in_term s t)
  | PPat p -> PPat (subst_in_predicate s p)

let subst_in_triggers s =
  List.map (List.map (subst_in_pattern s))

let subst_in_assertion s = asst_app (subst_in_predicate s)

let subst_one x t = Idmap.add x t Idmap.empty

let subst_onev = subst_one

let rec subst_many vl1 vl2 = match vl1, vl2 with
  | [], [] -> Idmap.empty
  | x1 :: l1, x2 :: l2 -> Idmap.add x1 x2 (subst_many l1 l2)
  | _ -> invalid_arg "subst_many"

let rec subst_manyv  vl1 vl2 = match vl1, vl2 with
  | [], [] -> Idmap.empty
  | x1 :: l1, x2 :: l2 -> Idmap.add x1 x2 (subst_manyv l1 l2)
  | _ -> invalid_arg "subst_manyv"

let subst_term_in_predicate x t p =
  tsubst_in_predicate (subst_one x t) p

let rec unref_term = function
  | Tderef id -> Tvar id
  | Tapp (id, tl, i) -> Tapp (id, List.map unref_term tl, i)
  | Tvar _ | Tconst _ as t -> t
  | Tnamed(lab,t) -> Tnamed(lab,unref_term t)

let equals_true = function
  | Tapp (id, _, _) as t when is_relation id -> t
  | t -> Tapp (t_eq, [t; Tconst (ConstBool true)], [])

let negate id =
  if id == t_lt then t_ge
  else if id == t_le then t_gt
  else if id == t_gt then t_le
  else if id == t_ge then t_lt
  else if id == t_eq then t_neq
  else if id == t_neq then t_eq
  else if id == t_lt_int then t_ge_int
  else if id == t_le_int then t_gt_int
  else if id == t_gt_int then t_le_int
  else if id == t_ge_int then t_lt_int
  else if id == t_eq_int then t_neq_int
  else if id == t_neq_int then t_eq_int
  else if id == t_lt_real then t_ge_real
  else if id == t_le_real then t_gt_real
  else if id == t_gt_real then t_le_real
  else if id == t_ge_real then t_lt_real
  else if id == t_eq_real then t_neq_real
  else if id == t_neq_real then t_eq_real
  else if id == t_eq_bool then t_neq_bool
  else if id == t_neq_bool then t_eq_bool
  else if id == t_eq_unit then t_neq_unit
  else if id == t_neq_unit then t_eq_unit
  else assert false

let make_int_relation id =
  if id == t_lt then t_lt_int
  else if id == t_le then t_le_int
  else if id == t_gt then t_gt_int
  else if id == t_ge then t_ge_int
  else id

let equals_false = function
  | Tapp (id, l, i) when is_relation id -> Tapp (negate id, l, i)
  | t -> Tapp (t_eq, [t; Tconst (ConstBool false)], [])

let mlize_type = function
  | PureType pt | Ref pt -> pt
  | Arrow _ -> assert false

(*s Substitutions *)

let rec type_c_subst s c =
  let {c_result_name=id; c_result_type=t; c_effect=e; c_pre=p; c_post=q} = c in
  let s' = Idmap.fold (fun x x' -> Idmap.add (at_id x "") (at_id x' "")) s s in
  { c_result_name = id;
    c_result_type = type_v_subst s t;
    c_effect = Effect.subst s e;
    c_pre = List.map (subst_in_predicate s) p;
    c_post = option_app (post_app (subst_in_predicate s')) q }

and type_v_subst s = function
  | Ref _ | PureType _ as v -> v
  | Arrow (bl,c) -> Arrow (List.map (binder_subst s) bl, type_c_subst s c)

and binder_subst s (n,v) = (n, type_v_subst s v)

(*s substitution of term for variables *)

let rec type_c_rsubst s c =
  { c_result_name = c.c_result_name;
    c_result_type = type_v_rsubst s c.c_result_type;
    c_effect = c.c_effect;
    c_pre = List.map (tsubst_in_predicate s) c.c_pre;
    c_post = option_app (post_app (tsubst_in_predicate s)) c.c_post }

and type_v_rsubst s = function
  | Ref _ | PureType _ as v -> v
  | Arrow (bl,c) -> Arrow(List.map (binder_rsubst s) bl, type_c_rsubst s c)

and binder_rsubst s (n,v) = (n, type_v_rsubst s v)

let type_c_of_v v =
  { c_result_name = Ident.result;
    c_result_type = v;
    c_effect = Effect.bottom; c_pre = []; c_post = None }

(* make_arrow bl c = (x1:V1)...(xn:Vn)c *)

let make_arrow bl c = match bl with
  | [] ->
      invalid_arg "make_arrow: no binder"
  | _ ->
      let rename (id,v) (bl,s) =
	let id' = Ident.bound id in
	(id',v) :: bl,
	Idmap.add id id' (Idmap.add (at_id id "") (at_id id' "") s)
      in
      let bl',s = List.fold_right rename bl ([], Idmap.empty) in
      Arrow (bl', type_c_subst s c)

let rec make_binders_type_c s c =
  let {c_result_name=id; c_result_type=t; c_effect=e; c_pre=p; c_post=q} = c in
  { c_result_name = id;
    c_result_type = make_binders_type_v s t;
    c_effect = Effect.subst s e;
    c_pre = List.map (subst_in_predicate s) p;
    c_post = option_app (post_app (subst_in_predicate s)) q }

and make_binders_type_v s = function
  | Ref _ | PureType _ as v -> v
  | Arrow (bl,c) ->
      let rename (id,v) (bl,s) =
	let id' = Ident.bound id in
	(id',v) :: bl,
	Idmap.add id id' (Idmap.add (at_id id "") (at_id id' "") s)
      in
      let bl',s = List.fold_right rename bl ([], s) in
      Arrow (bl', make_binders_type_c s c)

let make_binders_type_v = make_binders_type_v Idmap.empty
let make_binders_type_c = make_binders_type_c Idmap.empty

(*s Smart constructors. *)

let ttrue = Tconst (ConstBool true)
let tfalse = Tconst (ConstBool false)
let tresult = Tvar Ident.result
let tvoid = Tconst ConstUnit

let relation op t1 t2 = Papp (op, [t1; t2], [])
let not_relation op = relation (negate op)
let lt = relation t_lt
let le = relation t_le
let gt = relation t_gt
let ge = relation t_ge
let ge_real = relation t_ge_real
let eq = relation t_eq
let neq = relation t_neq

let array_length id i = Tapp (array_length, [Tderef id], [i])

let lt_int = relation t_lt_int
let le_int = relation t_le_int

let pif a b c =
  if a = ttrue then b else if a = tfalse then c else Pif (a, b ,c)

let pand ?(is_wp=false) ?(is_sym=true) a b =
  if a = Ptrue then b else if b = Ptrue then a else
    if a = Pfalse || b = Pfalse then Pfalse else
      Pand (is_wp, is_sym, a, b)

let wpand = pand ~is_wp:true

let pands ?(is_wp=false) ?(is_sym=true) =
  List.fold_left (pand ~is_wp ~is_sym) Ptrue

let wpands = pands ~is_wp:true

let por a b =
  if a = Ptrue || b = Ptrue then Ptrue else
    if a = Pfalse then b else if b = Pfalse then a else
      Por (a, b)

let pors = List.fold_left por Pfalse

let pnot a =
  if a = Ptrue then Pfalse else if a = Pfalse then Ptrue else Pnot a

let pimplies ?(is_wp=false) p1 p2 =
  if p2 = Ptrue then Ptrue
  else if p1 = Ptrue then p2
  else Pimplies (is_wp, p1, p2)

let wpimplies = pimplies ~is_wp:true

(*s [simplify] only performs simplications which are Coq reductions.
  Currently: only [if true] and [if false] *)

let rec simplify = function
  | Pif (Tconst (ConstBool true), a, _) -> simplify a
  | Pif (Tconst (ConstBool false), _, b) -> simplify b
  | p -> map_predicate simplify p

(*s Equalities *)

let rec eq_pure_type t1 t2 = match t1, t2 with
  | PTvar { type_val = Some t1 }, _ ->
      eq_pure_type t1 t2
  | _, PTvar { type_val = Some t2 } ->
      eq_pure_type t1 t2
  | PTexternal (l1, id1), PTexternal (l2, id2) ->
      id1 == id2 && List.for_all2 eq_pure_type l1 l2
  | _ ->
      t1 = t2

let rec eq_term t1 t2 = match t1, t2 with
  | Tapp (id1, tl1, _i1), Tapp (id2, tl2, _i2) ->
      id1 == id2 && List.for_all2 eq_term tl1 tl2
	(* && List.for_all2 eq_pure_type i1 i2 ??? *)
  | _ ->
      t1 = t2

let rec eq_predicate p1 p2 = match p1, p2 with
  | Papp (id1, tl1, _i1), Papp (id2, tl2, _i2) ->
      id1 == id2 && List.for_all2 eq_term tl1 tl2
	(* && List.for_all2 eq_pure_type i1 i2 ??? *)
  | Pvar id1, Pvar id2 ->
      id1 == id2
  | Ptrue, Ptrue
  | Pfalse, Pfalse ->
      true
  | Pand (_, _, a1, b1), Pand (_, _, a2, b2)
  | Por (a1, b1), Por (a2, b2)
  | Piff (a1, b1), Piff (a2, b2)
  | Forallb (_, a1, b1), Forallb (_, a2, b2)
  | Pimplies (_, a1, b1), Pimplies (_, a2, b2) ->
      eq_predicate a1 a2 && eq_predicate b1 b2
  | Pnot a1, Pnot a2 ->
      eq_predicate a1 a2
  | Pif (t1, a1, b1), Pif (t2, a2, b2) ->
      eq_term t1 t2 && eq_predicate a1 a2 && eq_predicate b1 b2
  | (Forall _ | Exists _ | Plet _), _
  | _, (Forall _ | Exists _ | Plet _) ->
      false
	(* equality up to names *)
  | Pnamed (_, p1), _ ->
      eq_predicate p1 p2
  | _, Pnamed (_, p2) ->
      eq_predicate p1 p2
	(* outside of the diagonal -> false *)
  | (Forallb _ | Pnot _ | Piff _ | Por _ |
	 Pand _ | Pif _ | Pimplies _ | Papp _ | Pvar _ | Pfalse | Ptrue),
      (Forallb _ | Pnot _ | Piff _ | Por _ |
	   Pand _ | Pif _ | Pimplies _ | Papp _ | Pvar _ | Pfalse | Ptrue) ->
      false

(*s Debug functions *)

module Size = struct

  let rec term = function
    | Tconst _ | Tvar _ | Tderef _ -> 1
    | Tapp (_, tl, _) -> List.fold_left (fun s t -> s + term t) 1 tl
    | Tnamed(_,t) -> term t

  let rec predicate = function
    | Pvar _ | Ptrue | Pfalse -> 1
    | Papp (_, tl, _) -> List.fold_left (fun s t -> s + term t) 1 tl
    | Pand (_, _, p1, p2)
    | Por (p1, p2)
    | Piff (p1, p2)
    | Pimplies (_, p1, p2) -> 1 + predicate p1 + predicate p2
    | Pif (t, p1, p2) -> 1 + term t + predicate p1 + predicate p2
    | Pnot p -> 1 + predicate p
    | Forall (_,_,_,_,_,p) -> 1 + predicate p
    | Exists (_,_,_,p) -> 1 + predicate p
    | Forallb (_,p1,p2) -> 1+ predicate p1 + predicate p2
    | Plet (_, _, _, t, p) -> 1 + term t + predicate p
    | Pnamed (_,p) -> predicate p

  let assertion a = predicate a.a_value

  let postcondition (q,ql) =
    assertion q + List.fold_left (fun s (_,q) -> s + assertion q) 0 ql

  let postcondition_opt = function None -> 0 | Some q -> postcondition q

end

(*s functions over CC terms *)

let cc_var x = CC_var x

let cc_term t = CC_term t

let rec cc_applist f l = match (f, l) with
  | f, [] -> f
  | f, x :: l -> cc_applist (CC_app (f, x)) l

let cc_lam bl = List.fold_right (fun b c -> CC_lam (b, c)) bl

let tt_var x = TTterm (Tvar x)

let tt_arrow = List.fold_right (fun b t -> TTarrow (b, t))

open Format

let file_formatter f cout =
  let fmt = formatter_of_out_channel cout in
  f fmt;
  pp_print_flush fmt ()

let do_not_edit_below ~file ~before ~sep ~after =
  let cout =
    if not (out_file_exists file) then begin
      let cout = open_out_file file in
      file_formatter before cout;
      output_string cout ("\n" ^ sep ^ "\n\n");
      cout
    end
    else
      begin
	let file = out_file file in
	let file_bak = file ^ ".bak" in
	Sys.rename file file_bak;
	let cin = open_in file_bak in
	let cout = open_out file in
	begin try
	  while true do
	    let s = input_line cin in
	    output_string cout (s ^ "\n");
	    if s = sep then raise Exit
	  done
	with
	  | End_of_file -> output_string cout (sep ^ "\n\n")
	  | Exit -> output_string cout "\n"
	end;
	cout
      end
  in
  file_formatter after cout;
  close_out_file cout

let do_not_edit_above ~file ~before ~sep ~after =
  if not (out_file_exists file) then begin
    let cout = open_out_file file in
    file_formatter before cout;
    output_string cout ("\n" ^ sep ^ "\n\n");
    file_formatter after cout;
    close_out_file cout
  end else begin
    let file = out_file file in
    let file_bak = file ^ ".bak" in
    Sys.rename file file_bak;
    let cout = open_out file in
    file_formatter before cout;
    output_string cout ("\n" ^ sep ^ "\n\n");
    let cin = open_in file_bak in
    begin try
      while input_line cin <> sep do () done;
      while true do
	let s = input_line cin in output_string cout (s ^ "\n")
      done
    with End_of_file ->
      ()
    end;
    close_out_file cout
  end

why-2.39/src/why3_kw.ml0000644000106100004300000000644613147234006013757 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

let is_why3_keyword =
  let ht = Hashtbl.create 43 in
  List.iter (fun kw -> Hashtbl.add ht kw ())
    [
        "as";
        "axiom";
        "clone";
        "else";
        "end";
        "epsilon";
        "exists";
        "export";
        "false";
        "forall";
        "function";
        "goal";
        "if";
        "import";
        "in";
        "inductive";
        "lemma";
        "let";
        "match";
        "meta";
        "namespace";
        "not";
        "predicate";
        "prop";
        "then";
        "theory";
        "true";
        "type";
        "use";
        "with";
        "abstract";
        "absurd";
        "any";
        "assert";
        "assume";
        "begin";
        "check";
        "do";
        "done";
        "downto";
        "exception";
        "for";
        "fun";
        "invariant";
        "label";
        "loop";
        "model";
        "module";
        "mutable";
        "raise";
        "raises";
        "reads";
        "rec";
        "to";
        "try";
        "val";
        "variant";
        "while";
        "writes";
    ];
  Hashtbl.mem ht

why-2.39/src/why3_kw.mli0000644000106100004300000000434013147234006014117 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

val is_why3_keyword : string -> bool

why-2.39/src/encoding_pred.ml0000644000106100004300000002526113147234006015160 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



open Cc
open Logic
open Logic_decl

let loc = Loc.dummy_floc

let prefix = "c_"
let suffix = "_c"
let var = "x"
let tvar = "t"
(* dead code
let cpt = ref 0
*)
let axiom c = c ^ "_to_" ^ (c^suffix)
(* dead code
let def c = "def_"^c
*)

(* The unique type for all terms *)
let ut = PTexternal ([], Ident.create (prefix^"unique"))

let unify ptl = List.map (fun _ -> ut) ptl

let prelude =
  (Dtype (loc, Ident.create (prefix^"unique"), []))::	(* The unique sort *)
  (Dlogic (loc, Ident.create (prefix^"sort"),
	   Env.empty_scheme (Predicate ([ut; ut]))))::	(* The "sort" predicate*)
  (Dlogic (loc, Ident.create (prefix^"int"),
	   Env.empty_scheme (Function ([], ut)))):: (* One synbol for each prefedined type *)
  (Dlogic (loc, Ident.create (prefix^"bool"),
	   Env.empty_scheme (Function ([], ut))))::
  (Dlogic (loc, Ident.create (prefix^"real"),
	   Env.empty_scheme (Function ([], ut))))::
  (Dlogic (loc, Ident.create (prefix^"unit"),
	   Env.empty_scheme (Function ([], ut))))::
  []

(* Function that creates the predicate sort(pt,term) *)
(* Uses an assoc. list of tags -> idents for type variables *)
let plunge fv term pt =
  let rec leftt pt =
    match pt with
      PTint -> Tapp (Ident.create (prefix^"int"), [], [])
    | PTbool -> Tapp (Ident.create (prefix^"bool"), [], [])
    | PTreal -> Tapp (Ident.create (prefix^"real"), [], [])
    | PTunit -> Tapp (Ident.create (prefix^"unit"), [], [])
    | PTvar ({type_val = None} as var) ->
	let t = try (List.assoc var.tag fv)
	with _ ->
	  let s = string_of_int var.tag in
	  (print_endline ("unknown vartype : "^s); s)
	in
	Tvar (Ident.create t)
    | PTvar {type_val = Some pt} -> leftt pt
    | PTexternal (ptl, id) -> Tapp (id, List.map (fun pt -> leftt pt) ptl, [])
  in
  Papp (Ident.create (prefix^"sort"), [leftt pt; term], [])

(* Generalizing a predicate scheme with foralls (can add a trigger) *)
let rec lifted  l p t =
  match l with [] -> p
  | a::[] -> Forall(false, a, a, ut, t, p)
  | a::q -> Forall(false, a, a, ut, [], lifted q p t)

(* The core *)

let queue = Queue.create ()

let reset () =
  Queue.clear queue

let push d =
  match d with
(* A type declaration is translated as new logical function, the arity of *)
(* which depends on the number of type variables in the declaration *)
  | Dtype (loc, ident, vars) ->
      Queue.add (Dlogic (loc, ident,
			 Env.empty_scheme (Function (unify vars, ut)))) queue
  | Dalgtype _ ->
      assert false
(*
      failwith "encoding rec: algebraic types are not supported"
*)
(* In the case of a declaration of a function or predicate symbol, the symbol *)
(* is redefined with 'unified' arity, and in the case of a function, an axiom *)
(* is added to type the result w.r.t the arguments *)
  | Dlogic (loc, ident, arity) ->
      let cpt = ref 0 in
      let fv = Env.Vset.fold
	  (fun tv acc -> cpt := !cpt + 1; (tv.tag, tvar^(string_of_int !cpt))::acc)
	  (arity.Env.scheme_vars) [] in
      let name = Ident.string ident in
      (match arity.Env.scheme_type with
      | Predicate ptl ->
	  Queue.add (Dlogic (loc, ident,
			     Env.empty_scheme (Predicate (unify ptl)))) queue
      | Function (ptl, rt) ->
	  let args =
	    List.map
	      (fun t ->
		Ident.create (let _ = cpt := !cpt + 1 in var^(string_of_int !cpt)), t)
	      ptl in
	  let rec mult_conjunct l p =
	    match l with [] -> p
	    | a::q -> mult_conjunct q (Pand(false, false, a, p)) in
	  let prem =
	    mult_conjunct (List.map (fun (id,t) -> plunge fv (Tvar id) t) args) Ptrue in
	  let pattern = (Tapp (ident, List.map (fun (t, _) -> Tvar t) args, [])) in
	  let ccl = plunge fv pattern rt in
	  let ax = Env.empty_scheme
	      (lifted
		 ((fst (List.split args))@(List.map (fun i -> Ident.create i) (snd (List.split fv))))
		 (Pimplies (false, prem, ccl)) []) in
	  (Queue.add (Dlogic (loc, ident,
			      Env.empty_scheme (Function (unify ptl, ut)))) queue;
	   Queue.add (Daxiom (loc, axiom name, ax)) queue))
(* A predicate definition can be handled as a predicate logic definition + an axiom *)
  | Dpredicate_def (_loc, _ident, _pred_def_sch) ->
      assert false
(*
      let p = pred_def_sch.Env.scheme_type in
      let rec lifted_t l p =
	match l with
	  | [] -> p
	  | (a,t)::q -> lifted_t q (Forall(false, a, a, t, [], p))
      in
      let name = Ident.string ident in
      push (Dlogic (loc, ident,
		    (Env.generalize_logic_type
		       (Predicate (snd (List.split (fst p)))))));
      push (Daxiom (loc, def name,
		    (Env.generalize_predicate
		       (lifted_t (fst p)
			  (Piff ((Papp (ident,
					List.map (fun (i,_) -> Tvar i) (fst p),
					[])),
			         (snd p)))))))
*)
  | Dinductive_def(_loc, _ident, _inddef) ->
      assert false
(*
      failwith "encoding rec: inductive def not yet supported"
*)
(* A function definition can be handled as a function logic definition + an axiom *)
  | Dfunction_def (_loc, _ident, _fun_def_sch) ->
      assert false
(*
      let f = fun_def_sch.Env.scheme_type in
      let rec lifted_t l p =
	match l with
	  | [] -> p
	  | (a,t)::q -> lifted_t q (Forall(false, a, a, t, [], p))
      in
      let (ptl, rt, t) = f in
      let name = Ident.string ident in
      push (Dlogic (loc, ident,
		    (Env.generalize_logic_type
		       (Function (snd (List.split ptl), rt)))));
      push (Daxiom (loc, def name,
		    (Env.generalize_predicate
		       (lifted_t ptl
			  (Papp (Ident.t_eq,
				 [(Tapp (ident,
					 List.map (fun (i,_) -> Tvar i) ptl,
					 []));
				  t], []))))))
*)
(* Goals and axioms are just translated straightworfardly *)
  | Daxiom (loc, name, pred_sch) ->
      let cpt = ref 0 in
      let fv = Env.Vset.fold
	  (fun tv acc -> cpt := !cpt + 1; (tv.tag, tvar^(string_of_int !cpt))::acc)
	  (pred_sch.Env.scheme_vars) [] in
      let rec translate_eq = function
	| Pimplies (iswp, p1, p2) ->
	    Pimplies (iswp, translate_eq p1, translate_eq p2)
	| Pif (t, p1, p2) ->
	    Pif (t, translate_eq p1, translate_eq p2)
	| Pand (iswp, issym, p1, p2) ->
	    Pand (iswp, issym, translate_eq p1, translate_eq p2)
	| Por (p1, p2) ->
	    Por (translate_eq p1, translate_eq p2)
	| Piff (p1, p2) ->
	    Piff (translate_eq p1, translate_eq p2)
	| Pnot p ->
	    Pnot (translate_eq p)
	| Forall (iswp, id, n, pt, tl, p) ->
	    Forall (iswp, id, n, ut, tl,
		    Pimplies(false, plunge fv (Tvar n) pt, translate_eq p))
	| Plet (id, n, pt, t, p) ->
	    Plet (id, n, pt, t,
		  Pimplies(false, plunge fv (Tvar n) pt, translate_eq p))
	| Forallb (iswp, p1, p2) ->
	    Forallb (iswp, translate_eq p1, translate_eq p2)
	| Exists (id, n, pt, p) ->
	    Exists (id, n, ut, Pand (false, false, plunge fv (Tvar n) pt, translate_eq p))
	| Pnamed (s, p) ->
	    Pnamed (s, translate_eq p)
	| p -> p in
      let rec lifted  l p =
	match l with [] -> p
	| (_,a)::q ->
	    lifted q (Forall(false, Ident.create a, Ident.create a, ut, [], p))
      in
      Queue.add (Daxiom (loc, name,
			 Env.empty_scheme
 			   (lifted fv (translate_eq pred_sch.Env.scheme_type)))) queue
  | Dgoal (loc, is_lemma, expl, name, s_sch) ->
      let cpt = ref 0 in
      let (cel, pred) = s_sch.Env.scheme_type in
      let fv = Env.Vset.fold
	  (fun tv acc -> cpt := !cpt + 1; (tv.tag, tvar^(string_of_int !cpt))::acc)
	  (s_sch.Env.scheme_vars) [] in
      let rec translate_eq = function
	| Pimplies (iswp, p1, p2) ->
	    Pimplies (iswp, translate_eq p1, translate_eq p2)
	| Pif (t, p1, p2) ->
	    Pif (t, translate_eq p1, translate_eq p2)
	| Pand (iswp, issym, p1, p2) ->
	    Pand (iswp, issym, translate_eq p1, translate_eq p2)
	| Por (p1, p2) ->
	    Por (translate_eq p1, translate_eq p2)
	| Piff (p1, p2) ->
	    Piff (translate_eq p1, translate_eq p2)
	| Pnot p ->
	    Pnot (translate_eq p)
	| Forall (iswp, id, n, pt, tl, p) ->
	    Forall (iswp, id, n, ut, tl,
		    Pimplies(false, plunge fv (Tvar n) pt, translate_eq p))
	| Plet (id, n, pt, t, p) ->
	    Plet (id, n, pt, t,
		  Pimplies(false, plunge fv (Tvar n) pt, translate_eq p))
	| Forallb (iswp, p1, p2) ->
	    Forallb (iswp, translate_eq p1, translate_eq p2)
	| Exists (id, n, pt, p) ->
	    Exists (id, n, ut, Pand (false, false, plunge fv (Tvar n) pt, translate_eq p))
	| Pnamed (s, p) ->
	    Pnamed (s, translate_eq p)
	| p -> p in
(* dead code
      let rec lifted  l p =
	match l with [] -> p
	| (_,a)::q ->
	    lifted q (Forall(false, Ident.create a, Ident.create a, ut, [], p))
      in
*)
      Queue.add (Dgoal
		   (loc, is_lemma, expl, name,
		    Env.empty_scheme
		      (List.map
			 (fun s -> match s with
			   Spred (id, p) -> Spred (id, translate_eq p)
			 | s -> s) cel,
		       translate_eq pred))) queue

let iter f =
  (* first the prelude *)
  List.iter f prelude;
  (* then the queue *)
  Queue.iter f queue
why-2.39/src/predDefExpansor.mli0000644000106100004300000000561513147234006015623 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)


val inductive_inverse_body : 
    Ident.t ->  (* predicate name *)
    (Ident.t * Logic.pure_type) list -> (* binders *)
    (Ident.t * Logic.predicate) list -> (* inductive cases *) 
      Logic.predicate (* predicate body *)

val function_def :
  Logic_decl.loc -> Ident.t -> Logic.function_def Env.scheme
  -> Logic_decl.t list

val predicate_def :
  Logic_decl.loc -> Ident.t -> Logic.predicate_def Env.scheme
  -> Logic_decl.t list

val inductive_def : 
  Logic_decl.loc -> Ident.t -> Logic.inductive_def Env.scheme 
  -> Logic_decl.t list

val algebraic_type :
  (Logic_decl.loc * Ident.t * Logic.alg_type_def Env.scheme) list
  -> Logic_decl.t list

val push: recursive_expand:bool -> Logic_decl.t -> Logic_decl.t

why-2.39/src/print_real.ml0000644000106100004300000001415713147234006014521 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

open Format
open Big_int
open Logic

let print_decimal_no_exponent fmt ~prefix_div = function
  | "","0",_ | "0","",_ | "0","0",_ -> 
      fprintf fmt "0.0"
  | "",f, None -> 
      fprintf fmt "0.%s" f
  | i,"", None -> 
      fprintf fmt "%s.0" i
  | i,f, None ->
      fprintf fmt "%s.%s" i f      
  | i,f, Some e ->
      let e = (int_of_string e) - String.length f in
      if e = 0 then
	fprintf fmt "%s%s" i f
      else 
        let op,s =
          if e > 0 then "*",(String.make e '0')
          else "/",(String.make (-e) '0')
        in
        if prefix_div then
	  fprintf fmt "(%s %s%s.0 1%s.0)" op i f s
        else
	  fprintf fmt "(%s%s %s.0 1%s.0)" i f op s


let num0 = Num.Int 0
let num10 = Num.Int 10
let num16 = Num.Int 16

let decnumber s =
  let r = ref num0 in
  for i=0 to String.length s - 1 do
    r := Num.add_num (Num.mult_num num10 !r) 
      (Num.num_of_int (Char.code s.[i] - Char.code '0'))
  done;
  !r
    
let hexnumber s =
  let r = ref num0 in
  for i=0 to String.length s - 1 do
    let c = s.[i] in
    let v = 
      match c with
	| '0'..'9' -> Char.code c - Char.code '0'
	| 'a'..'f' -> Char.code c - Char.code 'a' + 10
	| 'A'..'F' -> Char.code c - Char.code 'A' + 10
	| _ -> assert false
    in
    r := Num.add_num (Num.mult_num num16 !r) (Num.num_of_int v)
  done;
  !r
    
let print_hexa fmt i f e =
  let mant = hexnumber (i^f) in
  let v =
    if e=""
    then mant
    else
      if String.get e 0 = '-' then
	Num.div_num mant 
	  (Num.power_num (Num.Int 2) 
	     (decnumber (String.sub e 1 (String.length e - 1))))
      else
	
	Num.mult_num mant 
	  (Num.power_num (Num.Int 2) (decnumber e))
  in
  let v = 
    Num.div_num v 
      (Num.power_num (Num.Int 16) (Num.num_of_int (String.length f))) 
  in
  let i = Num.floor_num v in
  let f = ref (Num.sub_num v i) in
  if Num.eq_num !f num0 then
    fprintf fmt "%s.0" (Num.string_of_num i)
  else
    begin
      fprintf fmt "%s." (Num.string_of_num i);
      while not (Num.eq_num !f num0) do
	f := Num.mult_num !f num10;
	let i =  Num.floor_num !f in
	fprintf fmt "%s" (Num.string_of_num i);
	f := Num.sub_num !f i
      done
    end
(*
  Format.fprintf fmt ";;;; %s@\n" (Num.string_of_num v)
*)

let print_no_exponent fmt ~prefix_div = function
  | RConstDecimal (i, f, e) -> print_decimal_no_exponent fmt ~prefix_div (i,f,e)
  | RConstHexa (i, f, e) -> print_hexa fmt i f e 

let hexa_to_decimal s =
  let n = String.length s in
  let rec compute acc i =
    if i = n then 
      acc 
    else 
      compute (add_int_big_int 
		  (match s.[i] with 
		    | '0'..'9' as c -> Char.code c - Char.code '0'
		    | 'A'..'F' as c -> 10 + Char.code c - Char.code 'A'
		    | 'a'..'f' as c -> 10 + Char.code c - Char.code 'a'
		    | _ -> assert false)
		  (mult_int_big_int 16 acc)) (i+1)
  in
  string_of_big_int (compute zero_big_int 0)

let power2 n =
  string_of_big_int (power_int_positive_int 2 n)

let print_with_integers exp0_fmt exp_pos_fmt exp_neg_fmt fmt = function
  | RConstDecimal (i, f, e) -> 
      let f = if f = "0" then "" else f in
      let e = 
	(match e with None -> 0 | Some e -> int_of_string e) - 
	String.length f 
      in
      if e = 0 then
	fprintf fmt exp0_fmt (i ^ f)
      else if e > 0 then
	fprintf fmt exp_pos_fmt (i ^ f) ("1" ^ String.make e '0')
      else
	fprintf fmt exp_neg_fmt (i ^ f) ("1" ^ String.make (-e) '0')
  | RConstHexa (i, f, e) -> 
      let f = if f = "0" then "" else f in
      let dec = hexa_to_decimal (i ^ f) in
      let e = int_of_string e - 4 * String.length f in
      if e = 0 then
	fprintf fmt exp0_fmt dec
      else if e > 0 then
	fprintf fmt exp_pos_fmt dec (power2 e)
      else
	fprintf fmt exp_neg_fmt dec (power2 (-e))
      

let print fmt = function
  | RConstDecimal (i, f,None) -> 
      fprintf fmt "%s.%s" i f 
  | RConstDecimal (i, f, Some e) -> 
      fprintf fmt "%s.%se%s" i f e
  | RConstHexa (i, f, e) -> 
      fprintf fmt "0x%s.%sp%s" i f e

(*
Local Variables: 
compile-command: "unset LANG; nice make -j -C .. byte"
End: 
*)
why-2.39/src/loc.ml0000644000106100004300000001072313147234006013132 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



let join (b,_) (_,e) = (b,e)

(*s Error locations. *)

(* dead code
let finally ff f x =
  let y = try f x with e -> ff (); raise e in ff (); y
*)

(***
let linenum f b =
  let cin = open_in f in
  let rec lookup n l cl =
    if n = b then 
      (l,cl)
    else 
      let c = input_char cin in
      lookup (succ n) (if c == '\n' then succ l else l) 
	(if c == '\n' then 0 else succ cl)
  in
  try let r = lookup 0 1 0 in close_in cin; r with e -> close_in cin; raise e

let safe_linenum f b = try linenum f b with _ -> (1,1)
***)

open Format
open Lexing

(*s Line number *)

let report_line fmt l = fprintf fmt "%s:%d:" l.pos_fname l.pos_lnum

(* Lexing positions *)

type position = Lexing.position * Lexing.position

exception Located of position * exn

let dummy_position = Lexing.dummy_pos, Lexing.dummy_pos

let gen_report_line fmt (f,l,b,e) = 
  fprintf fmt "File \"%s\", " f;
  fprintf fmt "line %d, characters %d-%d" l b e

type floc = string * int * int * int

let dummy_floc = ("",0,0,0)

let extract (b,e) = 
  let f = b.pos_fname in
  let l = b.pos_lnum in
  let fc = b.pos_cnum - b.pos_bol in
  let lc = e.pos_cnum - b.pos_bol in
  (f,l,fc,lc)

let gen_report_position fmt loc = 
  gen_report_line fmt (extract loc)

let report_position fmt pos = 
  fprintf fmt "%a:@\n" gen_report_position pos

let string =
  let buf = Buffer.create 1024 in
  fun loc ->
    let fmt = Format.formatter_of_buffer buf in
    Format.fprintf fmt "%a@?" gen_report_position loc;
    let s = Buffer.contents buf in
    Buffer.reset buf;
    s

let parse s =
  Scanf.sscanf s "File %S, line %d, characters %d-%d"
    (fun f l c1 c2 -> 
       (*Format.eprintf "Loc.parse %S %d %d %d@." f l c1 c2;*)
       let p = 
	 { Lexing.dummy_pos with pos_fname = f; pos_lnum = l; pos_bol = 0 }
       in
       { p with pos_cnum = c1 }, { p with pos_cnum = c2 })

let report_obligation_position ?(onlybasename=false) fmt loc =
  let (f,l,b,e) = loc in
  let f = if onlybasename then Filename.basename f else f in
  fprintf fmt "Why obligation from file \"%s\", " f;
  fprintf fmt "line %d, characters %d-%d:" l b e

let current_offset = ref 0
let reloc p = { p with pos_cnum = p.pos_cnum + !current_offset }

(* Identifiers localization *)

let ident_t = Hashtbl.create 97
let add_ident = Hashtbl.add ident_t
let ident = Hashtbl.find ident_t
why-2.39/src/theoryreducer.ml0000644000106100004300000004104613147234006015243 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(*s Harvey's output *)

open Ident
open Logic
open Logic_decl
open Env
open Cc



module FormulaContainer = 
struct 
  (**
     sContainer is the unique hash table that 
     memorizes all the elements of the theory and the goal **)  
  let fContainer :(int, 'a) Hashtbl.t = Hashtbl.create 20

  (**
     @returns a unique integer that is used to index the 
     fContainerainer hash table
  **)    
  let uniqueNumberGenerator = 
    let x = ref 1 in
    fun () -> incr x; !x
      
  (**
     @param f is the formula we want to store
     @return n is the index where the formula has been stored
  **)
  let add f = 
    let n  = uniqueNumberGenerator () in 
    Hashtbl.add fContainer n f ;
    n
  let reset ()=
    Hashtbl.clear fContainer

end 
  
module  SymbolContainer = 
struct 

  (**
     sContainer is the unique hash table that stores 
     all the symbol (predicative or functional) of the 
     theory and the goal **)  
  let sContainer :(string, int) Hashtbl.t = Hashtbl.create 20
    
  let outputSymbolList  e =
    Printf.printf "%s \t \n" e ; 
    let myPrint k _v = 
      (Printf.printf "%s \t \n" k)
    in
    (Hashtbl.iter myPrint sContainer)


  (**
     @param e the element which we are looking for the number 
     @param n the default number that is returned if the element 
     does not belongs to the table
     @return either the number  corresponding to s or the number n otherwise
  **)
  let getClassNumberOfSymbol e n   = 
    try 
      Hashtbl.find sContainer e
    with Not_found -> n

  (**
     @param e the element we want to add 
     @param n the number that is associated to the element
     The function adds into the hashtable the (e,n) tuple 
  **)
  let addSymbol e n= 
    Hashtbl.add sContainer e n


  let reset ()=
    Hashtbl.clear sContainer


  module StringSet = Set.Make(struct type t=string let compare= compare end)


  (**
     collects the functionnal  symbols
     of the term given in parameter 
     @paramater f : the formula we are parsing   
     @returns the StringSet that contains all the symbols 
     of the formula
  **)	
  let functionalSymbolsCollect  f  = (*: Logic_decl.t -> StringSet*) 
    (** symbols the result **)
    let symbolsSet  = ref StringSet.empty  in 
    let rec collect formula  = 
      let rec collectIntoAList  l = match l with 
	  [] -> () 
	|  p :: r -> 
	     collect p ;
	     collectIntoAList r in 
      match formula with 
	| Tconst (ConstInt n) -> 
	    symbolsSet  := StringSet.add n !symbolsSet 
	| Tconst (ConstBool _b) -> () 
	| Tconst ConstUnit -> ()
	| Tconst (ConstFloat (RConstDecimal (i,f,None))) ->
	    symbolsSet  :=  StringSet.add  (i^"."^f) !symbolsSet
	| Tconst (ConstFloat (RConstDecimal (i,f, Some e))) ->
	    symbolsSet  :=  StringSet.add  (i^"."^f^"E"^e) !symbolsSet
	| Tconst (ConstFloat (RConstHexa (i,f,e))) ->
	    symbolsSet  :=  StringSet.add  (i^"."^f^"P"^e) !symbolsSet
	| Tderef _ -> ()
	| Tapp (id, [a; b; c], _) when id == if_then_else -> 
	    collect a; 
	    collect b;
	    collect c  
	| Tapp (id, tl, _) when is_relation id || is_arith id ->
	    symbolsSet  := StringSet.add (Ident.string id)  !symbolsSet ;
	    collectIntoAList tl 
	| Tapp (id, [], _i) -> 
	    symbolsSet  := StringSet.add (Ident.string id) !symbolsSet
	| Tapp (id, tl, _i) ->
	    symbolsSet  := StringSet.add (Ident.string id) !symbolsSet;
	    collectIntoAList tl 
	| _ -> ()
    in
    collect f ; 
    !symbolsSet

  (**
     collects the functionnal and predicative 
     symbols of the formula given in parameter 
     @paramater f : the formula we are parsing   
     @returns the String set that contains all the symbols 
     of the formula
  **)	
  let rec functionalSymbolsCollectFromList  l  =  
    match l with 
	[] -> StringSet.empty
      | t :: q ->  StringSet.union  (functionalSymbolsCollect t)
	  (functionalSymbolsCollectFromList q)
	    

  (**
     collects the functionnal and predicative 
     symbols of the formula given in parameter 
     @paramater f : the formula we are parsing   
     @returns the String set that contains all the symbols 
     of the formula
  **)	
  let getAllSymbols  f  =
    (** symbols the result **)
    let symbolsSet  = ref StringSet.empty  in 
    let rec collect formula  = 
(* dead code
      let rec collectIntoAList  l = match l with 
	  [] -> () 
	|  p :: r -> 
	     collect p ;
	     collectIntoAList r in 
*)
      match formula with 
	| Papp (id, [a; b], _) when is_eq id || is_neq id || id == t_zwf_zero->
	    symbolsSet  := StringSet.union (functionalSymbolsCollect a) 
	      !symbolsSet ;
	    symbolsSet  := StringSet.union (functionalSymbolsCollect b) 
	      !symbolsSet 
	| Pand (_, _, a, b) | Forallb (_, a, b)  | Por (a, b) | Piff (a, b) | 
	      Pimplies (_, a, b) ->
	    collect a;
		collect b
(*	| Papp (id, tl, _) when is_relation id || is_arith id ->
	    symbolsSet  := StringSet.union (functionalSymbolsCollectFromList tl)
	      !symbolsSet  *) 
	| Papp (id, tl, _i) -> 
	    symbolsSet  := StringSet.union (functionalSymbolsCollectFromList tl) 
	      !symbolsSet ;   
	    symbolsSet  := StringSet.add  (Ident.string id)  !symbolsSet 
	| Pif (a, b, c) ->
	    symbolsSet  := StringSet.union (functionalSymbolsCollect a) 
	      !symbolsSet ;
	    collect b;
	    collect c
	| Pnot a ->
	    collect a;
	| Forall (_,_id,_n,_t,_,p) | Exists (_id,_n,_t,p) ->    
	    collect p
	| Pnamed (_, p) -> (* TODO: print name *)
	    collect p 
	|_ -> ()
    in
    collect f ; 
    !symbolsSet
      
 

end






module  EquivClass = 
struct 
  
  module IntSet = Set.Make(struct type t=int let compare= compare end)
  let firstGoalNumber = ref 0 
  let firstTypeDefinitionNumber = ref 0

    
  
  (** the union find module for using classes **)
  module UnionFindInt = Unionfind.Make (struct 
					  type t = int let 
					      hash = Hashtbl.hash 
						       let compare = compare 
						       let equal = (=) 
					end)


  (** the data structure that stores the equivalence classes 
      for the axioms number **)
  let partition : UnionFindInt.t ref =  ref (UnionFindInt.init ())

  let reinit p =
    p := UnionFindInt.init ()

  let reset () =
    reinit partition
    

(** 
    @param m, n : class number that are equivalent.    
**)
  let merge (m:int)  (n:int) = 
    UnionFindInt.union m n !partition 
    (*Printf.printf  " merge %d ,  %d \n" m n *)

      (**
	 @param n is the number of the goal
	If there are many goal in the same file, 
	such goals has to be equivalent. To do so, we store 
	the number of the first formula and each time we 
	add a goal, we say it is equivalent to this one. **) 
  let addFormula n =
    let mergeFormulaNumber num =  
      if !firstGoalNumber = 0 then
	firstGoalNumber := num 
      else merge !firstGoalNumber num in
    mergeFormulaNumber n
	
  
  let addTypeDefinition n =
    let mergeTypeDefinitionNumber num =  
      if !firstTypeDefinitionNumber = 0 then
	begin
	  firstTypeDefinitionNumber := num ;
	end
      else 
	begin 
	  merge !firstTypeDefinitionNumber num ;
	end
    in 
    mergeTypeDefinitionNumber n
  

  let getReducedTheory _t=
    let localSet = ref IntSet.empty in 
    if !firstGoalNumber = 0  then 
      Queue.create () 
    else
      begin
      (**the type declarations, if they exist, 
	 are pushed into the formula classe **)
	if !firstTypeDefinitionNumber <> 0  then
	  merge !firstTypeDefinitionNumber !firstGoalNumber ;
	
      (** computes the declarations corresponding to the formula classe**)
	let goalClassNumber = UnionFindInt.find !firstGoalNumber !partition in 
	let addToSet k _v = 
	  if ((UnionFindInt.find k !partition) = goalClassNumber) then
	    localSet := IntSet.add k !localSet
	in
	Hashtbl.iter addToSet FormulaContainer.fContainer ;


	(** computes the ordered queue of elements **)
	let axiomQueue = Queue.create() in 
	let rec addToQueue l = match l with  
	    [] -> ()
	  | q :: t -> 
	      Queue.push (Hashtbl.find  FormulaContainer.fContainer q)  axiomQueue ;
	      addToQueue t
	in 
	addToQueue  (IntSet.elements !localSet) ;
	
	axiomQueue
	
      end
	
end
  



(**given a list of symbols associated 
   to a number n, this recursive function updates the 
   SymbolContainer and the EquivClass according to 
   the presence of this symbols in other classes
   @param symbolsList : the symbolist associated to n
   @param n : the class number (that is the number of the formula)
   @returns Unit
**)
let manageSymbols symbolsList n = 
  let rec manageS  l = match l  with 
      []     -> ()
    | s ::l  -> 
	(**Check wether s is already  present in the table **)
	let m = SymbolContainer.getClassNumberOfSymbol s n in 
	begin 
	  if m = n then 
	    (** m is not yet present in the table of symbols 
		associate n to s and add it into the symbol container **)
	    SymbolContainer.addSymbol s n 
	      
	  else
	    (** m already exists in the symbole table; we have to merge 
		the class identified by m with 
		the class identified by n **)
	    EquivClass.merge m n 
	end ;
	(** recursive call over the reduced lsit **) 
	manageS l in
  manageS symbolsList 
  
	  

let managesGoal _id ax (hyps,concl) = 
  let n = FormulaContainer.add  ax in
  (* Retrieve the list symbolList of symbols in hyps *)
  let rec managesHypotheses = function
    | [] -> SymbolContainer.getAllSymbols  concl
    | Svar (_id, _v) :: q ->  managesHypotheses  q 
    | Spred (_,p) :: q -> 
	SymbolContainer.StringSet.union 
	  (SymbolContainer.getAllSymbols p) 
	  (managesHypotheses q)
  in
  let symbolList =  SymbolContainer.StringSet.elements 
    (managesHypotheses hyps) in 
  (*Printf.printf "Formula %s :" id ;
  List.iter (fun x-> Printf.printf "%s " x) symbolList; *)
  manageSymbols symbolList n ;
  (** add the formula number into the list of known goal **)
  EquivClass.addFormula n 
    
    







(** manages the  axioms
    @ax ax is the typing predicate
    @p is is the predicative part of the definition of 
    the predicate
**) 
let managesAxiom _id ax p =
  let n = FormulaContainer.add  ax in 
  (* Retrieve the list symbolList of symbols in such predicate
     and we add into it the symbol id *)
  let symbolList =  SymbolContainer.StringSet.elements 
    (SymbolContainer.getAllSymbols p) in 
  (*Printf.printf "Axiom %s :" id ;
  List.iter (fun x-> Printf.printf "%s " x) symbolList; *)
  manageSymbols symbolList n
    





(** manages the  definitions of prediactes
    @param id is the symbol name
    @ax ax is the typing predicate
    @(_,_,p) is is the predicative part of the definition of 
    the predicate
**) 
let managesPredicate id ax (_,p) = 
  let n = FormulaContainer.add  ax in 
  (* Retrieve the list symbolList of symbols in such predicate
     and we add into it the symbol id *)
  let symbolList =  SymbolContainer.StringSet.elements 
    (SymbolContainer.StringSet.add id (SymbolContainer.getAllSymbols p)) in 
(*  Printf.printf "Predicate %s :" id ;
    List.iter (fun x-> Printf.printf "%s " x) symbolList; 
  Printf.printf "\n"; *)
  manageSymbols symbolList n




(** manages the definitions of  function 
    @param id is the symbol name
    @ax ax is the typing predicate
    @(_,_,e) is is the predicative part of the definition of 
    the function
**) 
let managesFunction id ax (_,_,e) = 
  let n = FormulaContainer.add  ax in 
  (* Retrieve the list symbolList of symbols in such function
     and we add into it the symbol id *)
  let symbolList =  SymbolContainer.StringSet.elements 
    (SymbolContainer.StringSet.add id (SymbolContainer.functionalSymbolsCollect e)) in 
(*  Printf.printf "Function %s :" id ;
  List.iter (fun x-> Printf.printf "%s " x) symbolList; 
  Printf.printf "\n"  ; *)
  manageSymbols symbolList n


(**
   such function treats the special case of typing  definition for
   new axioms or new function. The sol itroduced symbol is 
   the predicate name  or the function name 
   @param id it the symbol name 
   @ax is the complete node**)
    
let typingPredicate id ax = 
  let n = FormulaContainer.add  ax in 
  (*Printf.printf  " %s : %d \n" id n ;*)
  (*Retrieve the list l of symbols in such predicate *)
  let symbolList =  SymbolContainer.StringSet.elements 
    (SymbolContainer.StringSet.add 
       id 
       SymbolContainer.StringSet.empty) in   
  manageSymbols symbolList n  
  
    
(**
   such function treats the  definition of  new types
   @param id it the type name 
   @param ax is the complete node**)
let declareType _id ax = 
  let n = FormulaContainer.add ax in 
    EquivClass.addTypeDefinition n 
  

    
    
let launcher decl = match decl with   
  | Dtype (_, id, _) as ax ->
      (*Printf.printf  "Dtype %s \n"  id ;*) 
      declareType (Ident.string id) ax
  | Dalgtype _ ->
      failwith "Theory reducer: algebraic types are not supported"
  | Dlogic (_, id, _t) as ax -> 
      (* Printf.printf  "Dlogic %s \n"  id ;*) 
      typingPredicate (Ident.string id) ax
  | Dpredicate_def (_, id, d) as ax -> 
      (*Printf.printf  "Dpredicate_def %s \n"  id ; *)
      let id = Ident.string id in
      managesPredicate id ax d.scheme_type
  | Dinductive_def(_loc, _ident, _inddef) ->
      failwith "Theory reducer: inductive def not yet supported"
  | Dfunction_def (_, id, d)  as ax -> 
      (*Printf.printf  "Dfunction_def %s \n"  id ; *)
      let id = Ident.string id in
      managesFunction  id ax d.scheme_type
  | Daxiom (_, id, p) as ax -> 
      (*Printf.printf  "Daxiom %s \n"  id ; *)
      managesAxiom  id ax p.scheme_type
  | Dgoal (_, _is_lemma, _expl, id, s)  as ax -> 
      (*Printf.printf  "Dgoal %s \n"  id ; *)
      managesGoal id ax s.Env.scheme_type 



let display q = 
  let displayMatch e  = match e with   
  | Dtype (_, id, _) -> Printf.printf  "%s \n" (Ident.string id)
  | Dalgtype _ ->
      failwith "Theory reducer: algebraic types are not supported"
  | Dlogic (_, id, _t) -> Printf.printf  "%s \n" (Ident.string id)
  | Dpredicate_def (_, id, _d) -> 
      let id = Ident.string id in
      Printf.printf  "%s \n" id
  | Dinductive_def(_loc, _ident, _inddef) ->
      failwith "Theory reducer: inductive def not yet supported"
  | Dfunction_def (_, id, _d) -> 
      let id = Ident.string id in
      Printf.printf  "%s \n" id
  | Daxiom (_, id, _p)          -> Printf.printf  "%s \n"  id
  | Dgoal (_, _is_lemma,_expl, id, _s)   -> Printf.printf  "%s \n"  id
  in
  Queue.iter displayMatch q 


(**
   @param q is a logic_decl Queue 
   @returns the pruned theory 
**)
let reduce q     = 
  (*Printf.printf " PENDANT \n"; 
  display q ;*)
  FormulaContainer.reset ();
  SymbolContainer.reset();
  EquivClass.reset();
  
  Queue.iter launcher q ;
  let q = EquivClass.getReducedTheory "" in
  (*display q ;*)
  q 
    

    

why-2.39/src/option_misc.mli0000644000106100004300000000467413147234006015061 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

val map : ('a -> 'b) -> 'a option -> 'b option
val map_default : ('a -> 'b) -> 'b -> 'a option -> 'b
val iter : ('a -> unit) -> 'a option -> unit
val fold : ('a -> 'b -> 'b) -> 'a option -> 'b -> 'b
val fold_left : ('b -> 'a -> 'b) -> 'b -> 'a option -> 'b 
why-2.39/src/holl.ml0000644000106100004300000002664513147234006013325 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(*s HOL Light output *)

open Ident
open Misc
open Logic
open Logic_decl
open Format
open Cc
open Pp

type elem = 
  | Obligation of obligation
  | Logic of string * logic_type Env.scheme
  | Axiom of string * predicate Env.scheme
  | Predicate of string * predicate_def Env.scheme

let elem_q = Queue.create ()

let reset () = Queue.clear elem_q

let push_decl = function
  | Dlogic (_, id, t) -> Queue.add (Logic (Ident.string id, t)) elem_q
  | Daxiom (_, id, p) -> Queue.add (Axiom (id, p)) elem_q
  | Dpredicate_def (_, id, p) -> Queue.add (Predicate (Ident.string id, p)) elem_q
  | Dinductive_def(_loc, _ident, _inddef) ->
      failwith "HOL light output: inductive def not yet supported"
  | Dgoal (loc,is_lemma,expl,id,s) -> 
      Queue.add (Obligation (loc,is_lemma,expl,id,s.Env.scheme_type)) elem_q
  | Dfunction_def _ -> () (*TODO*)
  | Dtype _ -> () (*TODO*)
  | Dalgtype _ -> () (*TODO*)

(*s Pretty print *)

let rec print_pure_type fmt = function
  | PTint -> fprintf fmt "int"
  | PTbool -> fprintf fmt "bool"
  | PTunit -> fprintf fmt "one"
  | PTreal -> fprintf fmt "real"
  | PTexternal ([v], id) when id == farray -> 
      fprintf fmt "list(%a)" print_pure_type v (* TODO *)
  | PTexternal([],id) -> Ident.print fmt id
  | PTvar { type_val = Some t} -> fprintf fmt "%a" print_pure_type t
  | PTexternal _
  | PTvar _ -> failwith "no polymorphism with HOL-light yet"

let prefix_id id =
  (* int cmp *)
  if id == t_lt_int then "int_lt" 
  else if id == t_le_int then "int_le"
  else if id == t_gt_int then "int_gt"
  else if id == t_ge_int then "int_ge"
  else if id == t_eq_int then assert false
  else if id == t_neq_int then assert false
  (* real cmp *)
  else if id == t_lt_real then "real_lt" 
  else if id == t_le_real then "real_le"
  else if id == t_gt_real then "real_gt"
  else if id == t_ge_real then "real_ge"
  else if id == t_eq_real then assert false
  else if id == t_neq_real then assert false
  (* bool cmp *)
  else if id == t_eq_bool then assert false
  else if id == t_neq_bool then assert false
  (* unit cmp *)
  else if id == t_eq_unit then assert false
  else if id == t_neq_unit then assert false
  (* int ops *)
  else if id == t_add_int then "int_add"
  else if id == t_sub_int then "int_sub"
  else if id == t_mul_int then "int_mul"
(*
  else if id == t_div_int then assert false (* TODO *)
  else if id == t_mod_int then assert false (* TODO *)
*)
  else if id == t_neg_int then "int_neg"
  (* real ops *)
  else if id == t_add_real then "real_add"
  else if id == t_sub_real then "real_sub"
  else if id == t_mul_real then "real_mul"
  else if id == t_div_real then "real_div"
  else if id == t_neg_real then "real_neg"
  else if id == t_sqrt_real then "root(2)"
  else if id == t_real_of_int then assert false (* TODO *)
  else assert false

let rec print_term fmt = function
  | Tvar id -> 
      Ident.print fmt id
  | Tconst (ConstInt n) -> 
      fprintf fmt "&%s" n
  | Tconst (ConstBool true) -> 
      fprintf fmt "T" 
  | Tconst (ConstBool false) -> 
      fprintf fmt "F" 
  | Tconst ConstUnit -> 
      fprintf fmt "one" 
  | Tconst (ConstFloat c) ->
      Print_real.print_with_integers 
	"(real_of_num %s)" 
	"(real_of_num (%s * %s))"
	"(real_of_num %s / real_of_num %s)" 
	fmt c
  | Tderef _ -> 
      assert false
  (* arithmetic *)
  | Tapp (id, [a; b], _) when id == t_add_int || id == t_add_real ->
      fprintf fmt "(@[%a +@ %a@])" print_term a print_term b
  | Tapp (id, [a; b], _) when id == t_sub_int || id == t_sub_real ->
      fprintf fmt "(@[%a -@ %a@])" print_term a print_term b
  | Tapp (id, [a; b], _) when id == t_mul_int || id == t_mul_real ->
      fprintf fmt "(@[%a *@ %a@])" print_term a print_term b
  | Tapp (id, [a; b], _) when id == t_div_real ->
      fprintf fmt "(@[%a /@ %a@])" print_term a print_term b
  | Tapp (id, [a], _) when id == t_neg_int || id == t_neg_real ->
      fprintf fmt "(@[--%a@])" print_term a
  | Tapp (id, [a; b; c], _) when id == if_then_else -> 
      fprintf fmt "(@[if %a@ then %a@ else %a@])" 
	print_term a print_term b print_term c
  | Tapp (id, tl, _) when is_relation id || is_arith id -> 
      fprintf fmt "(@[%s %a@])" (prefix_id id) print_terms tl
  (* arrays *)
  | Tapp (id, [a; b], _) when id == access ->
      fprintf fmt "(@[EL (num_of_int %a) %a@])" print_term b print_term a
  | Tapp (id, [a], _) when id == Ident.array_length ->
      fprintf fmt "&(@[LENGTH %a@])" print_term a
  (* any other application *)
  | Tapp (id, tl, _) ->
      fprintf fmt "@[(%a@ %a)@]" 
	Ident.print id (print_list space print_term) tl
  | Tnamed (User n, t) ->
      fprintf fmt "@[(* %s: *) %a@]" n print_term t
  | Tnamed (_, t) -> print_term fmt t

and print_terms fmt tl = 
  print_list space print_term fmt tl

let rec print_predicate fmt = function
  | Ptrue ->
      fprintf fmt "T"
  | Pvar id when id == Ident.default_post ->
      fprintf fmt "T"
  | Pfalse ->
      fprintf fmt "F"
  | Pvar id -> 
      fprintf fmt "%a" Ident.print id
  | Papp (id, tl, _) when id == t_distinct ->
      fprintf fmt "@[(%a)@]" print_predicate (Util.distinct tl)
  | Papp (id, [a; b], _) when is_eq id ->
      fprintf fmt "@[(%a =@ %a)@]" print_term a print_term b
  | Papp (id, [a; b], _) when is_neq id ->
      fprintf fmt "@[~(%a =@ %a)@]" print_term a print_term b
  | Papp (id, [a; b], _) when id == t_lt_int || id == t_lt_real ->
      fprintf fmt "@[(%a <@ %a)@]" print_term a print_term b
  | Papp (id, [a; b], _) when id == t_le_int || id == t_le_real ->
      fprintf fmt "@[(%a <=@ %a)@]" print_term a print_term b
  | Papp (id, [a; b], _) when id == t_gt_int || id == t_gt_real ->
      fprintf fmt "@[(%a >@ %a)@]" print_term a print_term b
  | Papp (id, [a; b], _) when id == t_ge_int || id == t_ge_real ->
      fprintf fmt "@[(%a >=@ %a)@]" print_term a print_term b
  | Papp (id, [a; b], _) when id == t_zwf_zero ->
      fprintf fmt "@[((&0 <= %a) /\\@ (%a < %a))@]" 
	print_term b print_term a print_term b
  | Papp (id, tl, _) when is_relation id || is_arith id ->
      fprintf fmt "@[(%s %a)@]" (prefix_id id) print_terms tl
  | Papp (id, tl, _) -> 
      fprintf fmt "@[(%a@ %a)@]" Ident.print id print_terms tl
  | Pimplies (_, a, b) ->
      fprintf fmt "(@[%a ==>@ %a@])" print_predicate a print_predicate b
  | Piff (a, b) ->
      fprintf fmt "(@[(@[%a ==>@ %a@]) /\\@ (@[%a ==>@ %a@])@])" 
	print_predicate a print_predicate b
	print_predicate b print_predicate a
  | Pif (a, b, c) ->
      fprintf fmt "(@[if %a@ then %a@ else %a@])" 
	print_term a print_predicate b print_predicate c
  | Pand (_, _, a, b) | Forallb (_, a, b) ->
      fprintf fmt "@[(%a /\\@ %a)@]" print_predicate a print_predicate b
  | Por (a, b) ->
      fprintf fmt "@[(%a \\/@ %a)@]" print_predicate a print_predicate b
  | Pnot a ->
      fprintf fmt "@[~(%a)@]" print_predicate a
  | Forall (_,id,n,t,_,p) -> 
      let id' = next_away id (predicate_vars p) in
      let p' = subst_in_predicate (subst_onev n id') p in
      fprintf fmt "(@[!%s:%a.@ %a@])" (Ident.string id')
	print_pure_type t print_predicate p'
  | Exists (id,n,t,p) -> 
      let id' = next_away id (predicate_vars p) in
      let p' = subst_in_predicate (subst_onev n id') p in
      fprintf fmt "(@[?%s:%a.@ %a@])" (Ident.string id')
	print_pure_type t print_predicate p'
  | Pnamed (User n, p) ->
      fprintf fmt "@[(* %s: *) %a@]" n print_predicate p
  | Pnamed (_, p) -> print_predicate fmt p
  | Plet (_, n, _, t, p) ->
      print_predicate fmt (subst_term_in_predicate n t p)

let print_sequent fmt (hyps,concl) =
  let rec print_seq fmt = function
    | [] ->
	print_predicate fmt concl
    | Svar (id, v) :: hyps -> 
	fprintf fmt "!%a:%a.@\n" Ident.print id print_pure_type v;
	print_seq fmt hyps
    | Spred (_, p) :: hyps -> 
	fprintf fmt "@[%a@] ==>@\n" print_predicate p;
	print_seq fmt hyps
  in
  fprintf fmt "@[%a@]@?" print_seq hyps

(* TODO *)
let print_logic fmt id _t =
  fprintf fmt "@[(* logic %s *);;@\n@\n@]" id

let print_axiom fmt id p =
  let (_l,p) = Env.specialize_predicate p in
  fprintf fmt "@[let %s = new_axiom@ `%a`;;@\n@\n@]" 
    id print_predicate p

let print_predicate fmt id p =
  let (_l,(bl,p)) = Env.specialize_predicate_def p in
  fprintf fmt "@[let %s = new_definition@ `%s %a = %a`;;@\n@\n@]" 
    id id (print_list space Ident.print) (List.map fst bl) print_predicate p

let print_obligation fmt _loc _is_lemma id sq =
(*
  fprintf fmt "@[(* %a *)@]@\n" Loc.report_obligation_position loc;
*)
  fprintf fmt "@[let %s =@ `%a`;;@\n@\n@]" id print_sequent sq

let print_elem fmt = function
  | Obligation (loc, is_lemma, _expl, s, sq) -> print_obligation fmt loc is_lemma s sq
  | Logic (id, t) -> print_logic fmt id t
  | Axiom (id, p) -> print_axiom fmt id p
  | Predicate (id, p) -> print_predicate fmt id p

let print_obl_list fmt = 
  let comma = ref false in
  let print = function
    | Obligation (_,_,_,id,_) -> 
	if !comma then fprintf fmt "; "; fprintf fmt "%s" id; comma := true
    | Axiom _ | Logic _ | Predicate _ -> 
	()
  in
  fprintf fmt "let all = ["; 
  Queue.iter print elem_q;
  fprintf fmt "]@\n"

let output_file fwe =
  let sep = "(* DO NOT EDIT BELOW THIS LINE *)" in
  let file = fwe ^ "_why.ml" in
  do_not_edit_below ~file 
    ~before:(fun _ -> ())
    ~sep 
    ~after:(fun fmt ->
	      fprintf fmt "@[";
	      fprintf fmt "prioritize_int();;@\n@\n";
	      Queue.iter (print_elem fmt) elem_q;
	      print_obl_list fmt;
	      fprintf fmt "@]@.")
why-2.39/src/red.ml0000644000106100004300000002344013147234006013127 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



open Logic
open Ident
open Misc
open Cc

(*s Reductions of interpretations. *)

(*s We proceed in two phases (simpler without de Bruijn indices).
    (1) first we rename bound variables, so that successive binders have 
        different names;
    (2) then we reduce, performing substitutions without possible captures *)

(*s Phase 1: Renaming of bound variables. Argument [fv] is the set of 
    already traversed binders (a set of identifiers) *)

let rec uniq_list f fv s = function
  | [] -> 
      [], fv, s
  | x :: l -> 
      let x',fv',s' = f fv s x in 
      let l',fv'',s'' = uniq_list f fv' s' l in
      x' :: l', fv'', s''

let rec uniq_tt fv s = function
  | TTarray tt -> 
      TTarray (uniq_tt fv s tt)
  | TTlambda (b, tt) ->
      let b',fv',s' = uniq_binder fv s b in TTlambda (b', uniq_tt fv' s' tt)
  | TTarrow (b, tt) -> 
      let b',fv',s' = uniq_binder fv s b in TTarrow (b', uniq_tt fv' s' tt)
  | TTtuple (bl, p) -> 
      let bl',fv',s' = uniq_binders fv s bl in
      TTtuple (bl', option_app (uniq_tt fv' s') p)
  | TTpred p ->
      TTpred (tsubst_in_predicate s p)
  | TTpure _ | TTSet as t -> 
      t
  | TTapp (tt, l) ->
      TTapp (uniq_tt fv s tt, List.map (uniq_tt fv s) l)
  | TTterm t ->
      TTterm (tsubst_in_term s t)

and uniq_binder fv s (id,b) =
  let b' = match b with 
    | CC_var_binder c -> CC_var_binder (uniq_tt fv s c)
    | CC_pred_binder c -> CC_pred_binder (tsubst_in_predicate s c)
    | CC_untyped_binder -> CC_untyped_binder
  in
  let id' = next_away id fv in
  if id' <> id then 
    (id',b'), Idset.add id' fv, Idmap.add id (Tvar id') s 
  else 
    (id,b'), Idset.add id fv, s

and uniq_binders fv s bl = uniq_list uniq_binder fv s bl

and uniq_pattern fv s = function
  | PPvariable b -> 
      let b',fv',s' = uniq_binder fv s b in PPvariable b',fv',s'
  | PPcons (id, pl) -> 
      let pl',fv',s' = uniq_list uniq_pattern fv s pl in PPcons (id,pl'),fv',s'

let rec uniq_cc fv s = function
  | CC_var x | CC_term (Tvar x) ->
      CC_term (try Idmap.find x s with Not_found -> Tvar x)
  | CC_letin (dep, bl, e1, e2) ->
      let bl',fv',s' = uniq_binders fv s bl in
      CC_letin (dep, bl', uniq_cc fv s e1, uniq_cc fv' s' e2)
  | CC_lam (b, e) ->
      let b',fv',s' = uniq_binder fv s b in
      CC_lam (b', uniq_cc fv' s' e)
  | CC_app (f, a) ->
      CC_app (uniq_cc fv s f, uniq_cc fv s a)
  | CC_if (a,b,c) ->
      CC_if (uniq_cc fv s a, uniq_cc fv s b, uniq_cc fv s c)
  | CC_tuple (al, po) ->
      CC_tuple (List.map (uniq_cc fv s) al, option_app (uniq_tt fv s) po)
  | CC_case (e, pl) ->
      let uniq_branch (p,e) = 
	let p',fv',s' = uniq_pattern fv s p in (p', uniq_cc fv' s' e)
      in
      CC_case (uniq_cc fv s e, List.map uniq_branch pl)
  | CC_term c ->
      CC_term (tsubst_in_term s c)
  | CC_hole (x, ty) ->
      CC_hole (x, tsubst_in_predicate s ty)
  | CC_type t ->
      CC_type (uniq_tt fv s t)
  | CC_any t ->
      CC_any (uniq_tt fv s t)

(*s Phase 2: we reduce. *)

(*s Occurrence in the range of a substitution *)

(* dead code
let in_rng id s =
  try
    Idmap.iter (fun _ t -> if occur_term id t then raise Exit) s; false
  with Exit ->
    true
*)

(*s Traversing binders and substitution within CC types *)

let rec cc_subst_list f s = function
  | [] -> 
      [], s
  | x :: l -> 
      let x',s' = f s x in 
      let l',s'' = cc_subst_list f s' l in
      x' :: l', s''

let rec cc_subst_binder_type s = function
  | CC_var_binder c -> CC_var_binder (cc_type_subst s c)
  | CC_pred_binder c -> CC_pred_binder (tsubst_in_predicate s c)
  | CC_untyped_binder -> CC_untyped_binder

and cc_subst_binder s (id,b) = 
  (id, cc_subst_binder_type s b), Idmap.remove id s

and cc_subst_binders s = cc_subst_list cc_subst_binder s

and cc_type_subst s = function
  | TTarray tt -> 
      TTarray (cc_type_subst s tt)
  | TTlambda (b, tt) ->
      let b',s' = cc_subst_binder s b in TTlambda (b', cc_type_subst s' tt)
  | TTarrow (b, tt) -> 
      let b',s' = cc_subst_binder s b in TTarrow (b', cc_type_subst s' tt)
  | TTtuple (bl, p) -> 
      let bl',s' = cc_subst_binders s bl in
      TTtuple (bl', option_app (cc_type_subst s') p)
  | TTpred p ->
      TTpred (tsubst_in_predicate s p)
  | TTpure _ | TTSet as t -> 
      t
  | TTapp (tt, l) ->
      TTapp (cc_type_subst s tt, List.map (cc_type_subst s) l)
  | TTterm t ->
      TTterm (tsubst_in_term s t)

let rec cc_subst_pat s = function
  | PPvariable b -> 
      let b',s' = cc_subst_binder s b in PPvariable b', s'
  | PPcons (id, pl) -> 
      let pl', s' = cc_subst_list cc_subst_pat s pl in PPcons (id, pl'), s'

(*s copy of term [c] under binders [bl], with the necessary renamings *)

let copy_under_binders bl c =
  let vars = List.map fst bl in
  let fv = List.fold_right Idset.add vars Idset.empty in
  uniq_cc fv Idmap.empty c       

(*s Eta and iota redexes. *)

let is_eta_redex bl al =
  try
    List.for_all2
      (fun (id,_) t -> match t with CC_var id' -> id = id' | _ -> false)
      bl al
  with Invalid_argument "List.for_all2" -> 
    false

let is_term = function CC_term _ -> true | CC_var _ -> true | _ -> false

let is_iota_redex l1 l2 = 
  (List.length l1 = List.length l2) && List.for_all is_term l2

let rec iota_subst s = function
  | [], [] -> s
  | (id,_) :: l1, CC_term t :: l2 -> iota_subst (Idmap.add id t s) (l1, l2)
  | _ -> assert false

(*s Reduction. Substitution is done at the same time for greater efficiency *)

let rm_binders sp = List.fold_left (fun sp (id,_) -> Idmap.remove id sp) sp

let rec rm_pat_binders sp = function
  | PPvariable (id, _) -> Idmap.remove id sp
  | PPcons (_, pl) -> List.fold_left rm_pat_binders sp pl

let rec red sp s cct = 
  match cct with
  | CC_var x | CC_term (Tvar x) ->
      (try Idmap.find x sp 
       with Not_found -> CC_term (try Idmap.find x s with Not_found -> Tvar x))
  | CC_letin (dep, bl, e1, e2) ->
      (match red sp s e1 with
	 (* [let x = t1 in e2] *)
	 | CC_term t1 when List.length bl = 1 ->
	     red sp (Idmap.add (fst (List.hd bl)) t1 s) e2
         (* [let x = [_]_ in e2] *)
	 | CC_lam _ as re1 when List.length bl = 1 ->
	     red (Idmap.add (fst (List.hd bl)) re1 sp) s e2
	 (* [let (x1,...,xn) = (t1,...,tn) in e2] *)
	 | CC_tuple (al,_) when is_iota_redex bl al ->
	     red sp (iota_subst s (bl, al)) e2
	 | re1 ->
	     let bl',s' = cc_subst_binders s bl in
	     let sp' = rm_binders sp bl in
	     (match red sp' s' e2 with
		(* [let (x1,...,xn) = e1 in (x1,...,xn)] *)
		| CC_tuple (al,_) when is_eta_redex bl al ->
		    red sp s e1
		| re2 ->
		    CC_letin (dep, bl', re1, copy_under_binders bl' re2)))
  | CC_lam (b, e) ->
      let b',s' = cc_subst_binder s b in
      let sp' = rm_binders sp [b] in
      let e' = red sp' s' e in
      CC_lam (b', copy_under_binders [b'] e')
  | CC_app (f, a) ->
      (match red sp s f, red sp s a with
	 (* two terms *)
	 | CC_term tf, CC_term ta ->
	     CC_term (applist tf [ta])
	 (* beta-redex *)
	 | CC_lam ((x,_),e), CC_term ta ->
	     red sp (Idmap.add x ta s) e
	 | CC_lam ((x,_),e), ra ->
	     red (Idmap.add x ra sp) s e
	 | rf, ra -> 
	     CC_app (rf, ra))
  | CC_if (a, b, c) ->
      CC_if (red sp s a, red sp s b, red sp s c)
  | CC_case (e, pl) ->
      let red_branch (p,e) = 
	let p',s' = cc_subst_pat s p in 
	let sp' = rm_pat_binders sp p in
	p', red sp' s' e 
      in
      CC_case (red sp s e, List.map red_branch pl)
  | CC_tuple (al, po) ->
      CC_tuple (List.map (red sp s) al,	option_app (cc_type_subst s) po)
  | CC_term c ->
      CC_term (tsubst_in_term s c)
  | CC_hole (x, ty) ->
      CC_hole (x, tsubst_in_predicate s ty)
  | CC_type t ->
      CC_type (cc_type_subst s t)
  | CC_any t ->
      CC_any (cc_type_subst s t)

let red c = 
  let c' = uniq_cc Idset.empty Idmap.empty c in
  red Idmap.empty Idmap.empty c'

why-2.39/src/unionfind.ml0000644000106100004300000001125313147234006014345 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

(*
 * Graph: generic graph library
 * Copyright (C) 2004
 * Sylvain Conchon, Jean-Christophe Filliatre and Julien Signoles
 * 
 * This software is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Library General Public
 * License version 2, as published by the Free Software Foundation.
 * 
 * This software is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 * 
 * See the GNU Library General Public License version 2 for more details
 * (enclosed in the file LGPL).
 *)


module type HashedOrderedType = sig
  type t
  val equal : t -> t -> bool
  val hash : t -> int 
  val compare : t -> t -> int 
end

module type S = sig
  type elt
  type t
    
  val init : unit -> t
  val find : elt -> t -> elt
  val union : elt -> elt -> t -> unit
end

module Make(X:HashedOrderedType) = struct

  type elt = X.t

  module H = Hashtbl.Make(X)
  
  type cell = {
    mutable c : int;
    data : elt;
    mutable father : cell
  }
  
  type t = cell H.t (* a forest *)

  let cell h x =
    try
      H.find h x
    with Not_found ->
      let rec cell = { c = 0; data = x; father = cell } in 
      H.add h x cell;
      cell

  let init () = H.create 997

  let rec find_aux cell = 
    if cell.father == cell then 
      cell
    else 
      let r = find_aux cell.father in 
      cell.father <- r; 
      r

  let find x h = (find_aux (cell h x)).data

  let union x y h = 
    let rx = find_aux (cell h x) in
    let ry = find_aux (cell h y) in
    if rx != ry then begin
      if rx.c > ry.c then
        ry.father <- rx
      else if rx.c < ry.c then
        rx.father <- ry
      else begin
        rx.c <- rx.c + 1;
        ry.father <- rx
      end
    end
end

(*** test ***)
(***

module M = Make (struct 
        type t = int let 
        hash = Hashtbl.hash 
        let compare = compare 
        let equal = (=) 
    end)

open Printf

let saisir s  = 
        printf "%s = " s; flush stdout;
        let x = read_int () in
        x

let h = M.init [0;1;2;3;4;5;6;7;8;9] 
let () = if not !Sys.interactive then 
    while true do 
        printf "1) find\n2) union\n";
        match read_int () with
            1 -> begin
                let x = saisir "x" in
                printf "%d\n" (M.find x h) 
            end
          | 2 -> begin
                let x, y = saisir "x", saisir "y" in
                M.union x y h
            end
          | _ -> ()
    done

***)
why-2.39/src/log.mli0000644000106100004300000000450613147234006013311 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

(* Exported type for the why-viewer:
   (position, predicate, is automatically dicharged)
*)

type t = (int * string * string option) list

why-2.39/src/lib.mli0000644000106100004300000000637113147234006013300 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



module Sset : Set.S with type elt = string

val mkdir_p : string -> unit

(* [file dir file] returns "dir/basename" if [file] is "dirname/basename", 
   creating [dir] if necessary. *)
val file : dir:string -> file:string -> string

(* [file_subdir dir file] returns "dirname/dir/basename" if [file] is "dirname/basename", 
   creating [dir] if necessary. *)
val file_subdir : dir:string -> file:string -> string

(* [file_copy f1 f2] copies [f1] into name [f2] *)
val file_copy : string -> string -> unit

(* [file_copy_if_different f1 f2] copies [f1] into name [f2], unless
   [f2] already exists and is identical to [f1] (thus keeping the same
   modification date) *)
val file_copy_if_different : string -> string -> unit

(* return the content of an in-channel *)
val channel_contents : in_channel -> string

(* return the content of a file *)
val file_contents : string -> string

(* return the content of a file *)
val file_contents_buf : string -> Buffer.t

(* remove file if debug not set, or display appropriate info message *)
val remove_file : debug:bool -> string -> unit
why-2.39/src/z3.ml0000644000106100004300000004003013147234006012703 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



open Ident
open Options
open Misc
open Logic
open Logic_decl
open Env
open Cc
open Format
open Pp

(*s Pretty print *)

(* dead code
let int2U = "int2U"
let u2Int = "u2Int" 
*)

let prefix id =
  if id == t_lt then assert false
  else if id == t_le then assert false
  else if id == t_gt then assert false
  else if id == t_ge then assert false
  (* int cmp *)
  else if id == t_lt_int then "<"
  else if id == t_le_int then "<="
  else if id == t_gt_int then ">"
  else if id == t_ge_int then ">="
  (* int ops *)
  else if id == t_add_int then "+"
  else if id == t_sub_int then "-"
  else if id == t_mul_int then "*"
(*
  else if id == t_div_int then "div"
  else if id == t_mod_int then 
    if Options.modulo then "%" else "modulo" 
*)
  else if id == t_neg_int then "-"
  (* real ops *)
  else if id == t_add_real then "+" 
  else if id == t_sub_real then "-" 
  else if id == t_mul_real then "*"
  else if id == t_neg_real then "-" 
  else if id == t_lt_real then "<"
  else if id == t_le_real then "<="
  else if id == t_gt_real then ">"
  else if id == t_ge_real then ">="
  else if id == t_div_real 
       || id == t_sqrt_real 
       || id == t_real_of_int 
  then
    Ident.string id
  else (eprintf "%a@." Ident.print id; assert false)

let is_smtlib_keyword =
  let ht = Hashtbl.create 50  in
  List.iter (fun kw -> Hashtbl.add ht kw ()) 
    ["and";" benchmark";" distinct";"exists";"false";"flet";"forall";
     "if_then_else";"iff";"implies";"ite";"let";"logic";"not";"or";
     "sat";"theory";"true";"unknown";"unsat";"xor";
     "assumption";"axioms";"definition";"extensions";"formula";
     "funs";"extrafuns";"extrasorts";"extrapreds";"language";
     "notes";"preds";"sorts";"status";"theory";"Int";"Real";"Bool";
     "Array";"U";"select";"store";"define_sorts";"datatypes";"const";
     "map";"default";"div"];
  Hashtbl.mem ht

let leading_underscore s = s <> "" && s.[0] = '_'

let removeChar =
  let lc = ('\'','p')::('_','u')::[] in 
  function s ->
    for i=0 to (String.length s)-1 do
      let c = (String.get s i) in 
      try 
	let c' =  List.assoc c lc  in 
	String.set  s i c'
      with Not_found -> ()  
    done;
    s
	
let idents fmt s = 
  (* Yices does not expect names to begin with an underscore if
     Yices understand Z3 smtlib extended we can keep that. *)
  if is_smtlib_keyword s  || leading_underscore s then
    fprintf fmt "smtlib__%s" s
  else
    fprintf fmt "%s" s

let ident fmt id = idents fmt (Ident.string id)

let print_bvar fmt id = fprintf fmt "?%a" ident id

let rec print_term fmt = function
  | Tvar id -> 
      print_bvar fmt id
  | Tconst (ConstInt n) -> 
      fprintf fmt "%s" n
  | Tconst (ConstBool b) -> 
      fprintf fmt "c_Boolean_%b" b
  | Tconst ConstUnit -> 
      fprintf fmt "tt" 
  | Tconst (ConstFloat c) ->
      Print_real.print_no_exponent fmt ~prefix_div:true c
(*
	"(real_of_int %s)"
	"(real_of_int ( * %s %s))"
	"(div_real (real_of_int %s) (real_of_int %s))" 
	fmt c
*)
  | Tderef _ -> 
      assert false
  | Tapp (id, [a; b; c], _) when id == if_then_else -> 
      if (Options.get_types_encoding() = SortedStratified) then
	fprintf fmt 
	  "@[(smtlib__ite@ %a @ %a@ %a)@]" 
	   print_term a print_term b print_term c 
      else
	fprintf fmt "@[(ite@ (= %a c_Boolean_true) @ %a@ %a)@]" 
	  print_term a print_term b print_term c
(*
  | Tapp (id, [a], _) when id = t_real_of_int ->
      print_term fmt a
*)
  | Tapp (id, tl, _) when is_relation id || is_arith id ->
      fprintf fmt "@[(%s %a)@]" (prefix id) print_terms tl
  | Tapp (id, [], i) -> 
      fprintf fmt "%a" idents (Encoding.symbol (id, i))
  | Tapp (id, tl, i) ->
      (match Ident.fresh_from id with
        | Some (s,logic_id::_) when s == Encoding_mono_inst.create_ident_id
            && (Ident.string logic_id = "acc" || Ident.string logic_id = "upd" || Ident.string logic_id = "select" || Ident.string logic_id = "store") -> 
            (match tl,Ident.string logic_id with
              | [mem;key],("acc"|"select") -> fprintf fmt "@[(select %a %a)@]" print_term mem print_term key
              | [mem;key;value],("upd" |"store")-> fprintf fmt "@[(store %a %a %a)@]" print_term mem
                  print_term key print_term value
              | _ -> assert false)
        | _ -> fprintf fmt "@[(%a@ %a)@]" 
	idents (Encoding.symbol (id, i)) (print_list space print_term) tl)
  | Tnamed (_, t) -> (* TODO: print name *)
      print_term fmt t

and print_terms fmt tl = 
  print_list space print_term fmt tl

let rec print_pure_type fmt = function
  | PTint -> fprintf fmt "Int"
  | PTbool -> fprintf fmt "c_Boolean"
  | PTreal -> fprintf fmt "Real"
  | PTunit -> fprintf fmt "Unit"
  | PTexternal(_,id) when id==farray -> fprintf fmt "Array" 
  | PTvar {type_val=Some pt} -> print_pure_type fmt pt
  | PTvar _v -> assert false (*  fprintf fmt "A%d" v.tag *)
  | PTexternal (i,id) -> idents fmt (Encoding.symbol (id, i))

(* dead code
and instance fmt = function
  | [] -> ()
  | ptl -> fprintf fmt "_%a" (print_list underscore print_pure_type) ptl
*)

let bound_variable =
  let count = ref 0 in
  function n ->  
    count := !count+1 ;
    Ident.create ((removeChar (completeString n))^"_"^ (string_of_int !count)) 

let rec print_pattern fmt = function
  | TPat t -> fprintf fmt "(%a)" print_term t
  | PPat p -> fprintf fmt "(%a)" print_predicate p

and print_trigger fmt =
  print_list_delim (constant_string ":pat{") rbrace space print_pattern fmt

and print_triggers fmt =
  print_list space print_trigger fmt
    
    
and print_predicate fmt = function
  | Ptrue ->
      fprintf fmt "true"
  | Pvar id when id == Ident.default_post ->
      fprintf fmt "true"
  | Pfalse ->
      fprintf fmt "false"
  | Pvar id -> 
      fprintf fmt "%a" ident id
  | Papp (id, [_t], _) when id == well_founded ->
      fprintf fmt "true;; was well founded @\n" 
  | Papp (id, [a; b], _) when is_eq id ->
      fprintf fmt "@[(= %a@ %a)@]" print_term a print_term b
  | Papp (id, [a; b], _) when is_neq id ->
      fprintf fmt "@[(not (= %a@ %a))@]" print_term a print_term b
  | Papp (id, tl, _) when is_relation id || is_arith id ->
      fprintf fmt "@[(%s %a)@]" (prefix id) print_terms tl
  | Papp (id, [a;b], _) when id == t_zwf_zero ->
      (** TODO : DIRTY WAY TO translate such predicate;
	  may be previously dispatched into an inequality **)
      fprintf fmt "@[(and (<= 0 %a)@ (< %a %a))@]" 
	print_term b print_term a print_term b
  | Papp (id, tl, _) when id == t_distinct ->
      fprintf fmt "@[(distinct@ %a)@]" print_terms tl
  | Papp (id, tl, i) -> 
      fprintf fmt "@[(%a@ %a)@]" 
	idents (Encoding.symbol (id, i)) print_terms tl
  | Pimplies (_, a, b) ->
      fprintf fmt "@[(implies@ %a@ %a)@]" print_predicate a print_predicate b
  | Pif (a, b, c) ->
      if (Options.get_types_encoding() = SortedStratified) then
      fprintf fmt "@[(if_then_else@ (= %a c_Boolean_true)@ %a@ %a)@]" 
	print_term a print_predicate b print_predicate c
      else
	fprintf fmt "@[(if_then_else@ (= %a c_Boolean_true)@ %a@ %a)@]" 
	  print_term a print_predicate b print_predicate c
  | Pand (_, _, a, b) | Forallb (_, a, b) ->
      fprintf fmt "@[(and@ %a@ %a)@]" print_predicate a print_predicate b
  | Por (a, b) ->
      fprintf fmt "@[(or@ %a@ %a)@]" print_predicate a print_predicate b
  | Piff (a, b) ->
      fprintf fmt "@[(iff@ %a@ %a)@]" print_predicate a print_predicate b
  | Pnot a ->
      fprintf fmt "@[(not@ %a)@]" print_predicate a
  | Forall (_,_id,n,t,trigs,p) -> 
      (*Printf.printf "Forall : %s\n" (Ident.string id);  *)
      (*let id' = next_away id (predicate_vars p) in*)
      let id' = (bound_variable n) in
      (***Format.printf 
	" Forall : %a , " Ident.dbprint n ;
      Format.printf 
	" %a" Ident.dbprint id' ;**)
      let p' = subst_in_predicate (subst_onev n id') p in
      let trigs = subst_in_triggers (subst_onev n id') trigs in
      fprintf fmt "@[(forall (%a %a)@ %a%a)@]" 
	print_bvar id' print_pure_type t print_predicate p' print_triggers trigs
  | Exists (_id,n,t,p) -> 
      (*let id' = next_away id (predicate_vars p) in*)
      let id' = bound_variable n in
      let p' = subst_in_predicate (subst_onev n id') p in
      fprintf fmt "@[(exists (%a %a) %a)@]" 
	print_bvar id' print_pure_type t print_predicate p'
  | Pnamed (_, p) -> (* TODO: print name *)
      print_predicate fmt p
  | Plet (_, n, _, t, p) ->
      let id' = bound_variable n in
      let s = subst_onev n id' in
      let t' = subst_in_term s t in
      let p' = subst_in_predicate s p in
      fprintf fmt "@[(let (%a %a)@ %a)@]" print_bvar id' print_term t'
	print_predicate p'

let print_axiom fmt id p =
  match id,p with
    | ("acc_upd" |"acc_upd_neq"|"select_store_eq"|"select_store_neq"),
      Forall (_,_,_,PTexternal (_,t),_,_) when   
        (match Ident.fresh_from t with
           | Some (s,[mem;_;_]) when s == Encoding_mono_inst.create_ident_id 
               && Ident.string mem = "memory" -> true
           | _ -> false) -> ()
    | _ ->
  fprintf fmt "@[;; Why axiom %s@]@\n" id;
  fprintf fmt " @[:assumption@ %a@]" print_predicate p;
  fprintf fmt "@]@\n@\n" 

(* dead code
let print_quantifiers =
  let print_quantifier fmt (x,t) = 
    fprintf fmt "(%a %a)" print_bvar x print_pure_type t
  in
  print_list space print_quantifier 
*)

let pure_type_list = print_list space print_pure_type

(* Function and predicate definitions are handled in Encoding *)
(*
let print_predicate_def fmt id (bl,p) =
  let tl = List.map snd bl in
  fprintf fmt "@[:extrapreds ((%a %a))@]@\n@\n" idents id pure_type_list tl;
  fprintf fmt "@[:assumption@ (forall %a@ (iff (%a %a)@ @[%a@]))@]@\n@\n" 
    print_quantifiers bl 
    idents id
    (print_list space (fun fmt (x,_) -> print_bvar fmt x)) bl 
    print_predicate p

let print_function_def fmt id (bl,pt,e) =
  let tl = List.map snd bl in
  fprintf fmt "@[:extrafuns ((%a %a %a))@]@\n@\n" idents id pure_type_list tl
    print_pure_type pt;
  fprintf fmt "@[:assumption@ (forall %a@ (= (%a %a)@ @[%a@]))@]@\n@\n" 
    print_quantifiers bl 
    idents id
    (print_list space (fun fmt (x,_) -> print_bvar fmt x)) bl 
    print_term e
*)

let output_sequent fmt (hyps,concl) =
  let rec print_seq fmt = function
    | [] ->
	print_predicate fmt concl
    | Svar (id, v) :: hyps -> 
	fprintf fmt "@[(forall (%a %a)@ %a)@]" 
	  print_bvar id print_pure_type v print_seq hyps
(* TODO : update this for renaming each variable *) 
    | Spred (_,p) :: hyps -> 
	fprintf fmt "@[(implies@ %a@ %a)@]" print_predicate p print_seq hyps
  in
  print_seq fmt hyps

let print_obligation fmt loc is_lemma o s = 
  fprintf fmt "@[:formula@\n"; 
  fprintf fmt "  @[;; %a@]@\n" Loc.gen_report_line loc;
  fprintf fmt "  @[(not@ %a)@]" output_sequent s;
  fprintf fmt "@]@\n@\n" ;
  if is_lemma then begin
    fprintf fmt "@[;; %s as axiom@]@\n" o;
    fprintf fmt " @[:assumption@ %a@]" output_sequent s;
    fprintf fmt "@]@\n@\n" 
  end
(* Inductive predicates are handled in Encoding *)
(*
let rec push_decl d = 
  match d with
    | Dinductive_def (loc, id, d) ->
	List.iter push_decl (PredDefExpansor.inductive_def loc id d)
    | _ -> Encoding.push d
*)

let push_decl d = Encoding.push d

let iter = Encoding.iter

let reset () = Encoding.reset ()

let memory_arg_kv = lazy (is_logic_function (Ident.create "select"))

let declare_type fmt id = 
  match (Lazy.force memory_arg_kv), Ident.fresh_from id with
    | (false,Some (s,[mem;value;key])|true,Some (s,[mem;key;value])) when s == Encoding_mono_inst.create_ident_id 
        && Ident.string mem = "memory" ->      
        fprintf fmt ":define_sorts ((%a  (array %aIpointer %s)))@."
          ident id 
          ident key 
          (let s = Ident.string value in if s = "int" then "Int" else s)
    | _ -> fprintf fmt ":extrasorts (%a)@\n" ident id


(*let declare_type fmt id =
  fprintf fmt ":extrasorts (%a)@\n" ident id
*)
let print_logic fmt id t =
  fprintf fmt ";;;; Why logic %a@\n" ident id;
  match t with
    | Predicate tl ->
	fprintf fmt "@[:extrapreds ((%a %a))@]@\n@\n" 
	  ident id pure_type_list tl
    | Function (tl, pt) ->
        match Ident.fresh_from id with
          | Some (s,logic_id::_) when s == Encoding_mono_inst.create_ident_id
              && (Ident.string logic_id = "acc" || Ident.string logic_id = "upd") -> ()
          | _ -> fprintf fmt "@[:extrafuns ((%a %a %a))@]@\n@\n" 
	      ident id pure_type_list tl print_pure_type pt
	
let output_elem fmt = function
  | Dtype (_loc, id, []) -> declare_type fmt id
  | Dtype (_, id, _) ->
      fprintf fmt ";; polymorphic type %s@\n@\n" (Ident.string id)
  | Dalgtype _ ->
      assert false
(*
      failwith "SMTLIB output: algebraic types are not supported"
*)
  | Dlogic (_, id, t)  when not (Ident.is_simplify_arith id)
      -> print_logic fmt id t.scheme_type
  | Dlogic (_, _, _) -> fprintf fmt "" 
  | Dpredicate_def (_loc, _id, _d) -> 
      assert false
(*
      print_predicate_def fmt (Ident.string id) d.scheme_type
*)
  | Dinductive_def(_loc, _ident, _inddef) ->
      assert false
(*
      failwith "SMTLIB output: inductive def not yet supported"
*)
  | Dfunction_def (_loc, _id, _d) -> 
      assert false
(*
      print_function_def fmt (Ident.string id) d.scheme_type
*)
  | Daxiom (_loc, id, p) -> print_axiom fmt id p.scheme_type 
  | Dgoal (loc, is_lemma, _expl, id, s) -> 
      print_obligation fmt loc is_lemma id s.Env.scheme_type


   

let output_file f = 
  let fname = f ^ "_why.z3.smt" in
  let cout = Options.open_out_file fname in
  let fmt = formatter_of_out_channel cout in
  fprintf fmt "(benchmark %a@\n" idents (Filename.basename f);
  fprintf fmt "  :status unknown@\n";
  fprintf fmt "  :datatypes ((c_Boolean c_Boolean_true c_Boolean_false))@.";
  (*fprintf fmt "  :datatypes ((Unit tt))@.";*)
  fprintf fmt "  :extrasorts (Unit)@\n";
  fprintf fmt "  :extrafuns ((tt  Unit))@\n";
(*
  if not modulo then begin 
    fprintf fmt "  :extrafuns ((modulo Int Int Int))@\n";
  end;
*)
  iter (output_elem fmt);
  
  (* end of smtlib file *)
  fprintf fmt "@\n)@\n";
  pp_print_flush fmt ();
  Options.close_out_file cout


(*
Local Variables: 
compile-command: "unset LANG; nice make -j -C .. bin/why.byte"
End: 
*)
why-2.39/src/encoding_mono.ml0000644000106100004300000004676513147234006015212 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

open Cc
open Logic
open Logic_decl

let map_product (f: 'a -> 'a list) (l:'a list) : 'a list list =
  List.fold_left 
    (fun prev_acc e ->
       let lr = f e in
       List.fold_left 
         (fun acc l -> List.fold_left (fun acc e -> (e::l)::acc) acc lr)
         [] prev_acc) [[]] l

let loc = Loc.dummy_floc
let debug = false
let f2s (s,l,b,e) = Printf.sprintf "File %s, line %d, characters %d-%d" s l b e

let prefix = fun s -> "c_"^s
(* let suffix = "_c" *)
(* let var = "x" *)
let tvar = "t"
(* let cpt = ref 0 *)
let injec c = c^"_injective"
(* let axiom c = c ^ "_to_" ^ (c^suffix) *)
let def c = "def_"^c

(* The names for the new function symbols *)
let sort =  prefix "sort"

let cname t =  match Misc.normalize_pure_type t with
  | PTint -> "int"
  | PTbool -> "bool"
  | PTreal -> "real"
  | PTunit -> "unit"
      (** TODO : better error handling here *)
  | _ -> failwith "this function should only be called on constant types"
let c2u t = (cname t)^"2u"
let s2c t = "s2"^(cname t)

(* This is the list of constant types which is handled as such *)
let htypes = [PTint; PTbool; PTreal; PTunit]

(* The monosorted stratified encoding introduces
   three new external types : a sort for syntactically 
   unsorted terms, one for sorted terms and one for 
   syntactic types *)
let utname = prefix "unsorted"
let stname = prefix "sorted"
let ttname = prefix "type"
let ut = PTexternal ([], Ident.create utname)
let st = PTexternal ([], Ident.create stname)
let tt = PTexternal ([], Ident.create ttname)

(* The prelude is a set of declarations that must be added
   to the context every time the encoding is used :*)
let eq_arity = (Ident.string Ident.t_eq, Env.empty_scheme (Predicate [st; st]))
let neq_arity = (Ident.string Ident.t_neq, Env.empty_scheme (Predicate [st; st]))
let arities = ref [eq_arity; neq_arity]

let prelude = [
  (* first the three new types *)
  (Dtype (loc, Ident.create utname, []));
  (Dtype (loc, Ident.create stname, []));
  (Dtype (loc, Ident.create ttname, []))]
  (* the function symbols representing constant types *)
  @
 (List.map (fun t -> (Dlogic (loc, Ident.create (prefix (cname t)),
			       Env.empty_scheme (Function ([], tt)))))
     htypes)
  (* the sorting and conversion functions *)
  @
  [(Dlogic (loc, Ident.create sort, Env.empty_scheme (Function ([tt; ut], st))))]
  @
  (List.map (fun t ->
	       (Dlogic (loc, Ident.create (c2u t),
			Env.empty_scheme (Function ([t], ut)))))
     htypes)
  @
  (List.map (fun t ->
	       (Dlogic (loc, Ident.create (s2c t),
			Env.empty_scheme (Function ([st], t)))))
     htypes)
  (* and the conversion axioms *)
  @
  (** \forall x: T .  s2T(sort(T, T2u(x))) = x  **)
  (List.map (fun t -> 
	       (Daxiom (loc, (s2c t)^"_inv_"^(c2u t),
	let x = Ident.create "x" in 
	let t_term = Tapp (Ident.create (prefix (cname t)), [], []) in
	let t2u_x = Tapp (Ident.create (c2u t), [Tvar x], []) in 
	let sort_t_t2u_x = Tapp (Ident.create sort, [t_term; t2u_x], []) in
	let lhs = Tapp (Ident.create (s2c t), [sort_t_t2u_x], []) in
	let peq = Papp (Ident.t_eq,[lhs;Tvar x], []) in
	let pat = [[TPat sort_t_t2u_x]] in
          Env.empty_scheme (Forall (false, x, x, t, pat, peq)))))
     htypes)
  @
  (** \forall x: U .  T2u(s2T(sort(T, x))) = x from CADE'08 paper
      but contradiction with one finite type and one infinite type protected.
      So use \forall x: U .  sort(T,T2u(s2T(sort(T, x)))) = sort(T,x)
      (see perhaps FROCOS'11)
  **)
  (List.map (fun t -> 
	       (Daxiom (loc, (c2u t)^"_inv_"^(s2c t),
	let x = Ident.create "x" in 
	let t_term = Tapp (Ident.create (prefix (cname t)), [], []) in
	let sort_t_x = Tapp (Ident.create sort, [t_term; Tvar x], []) in
	let s2t_sort_t_x = Tapp (Ident.create (s2c t), [sort_t_x], []) in 
	let lhs = Tapp (Ident.create (c2u t), [s2t_sort_t_x], []) in
	let lhs' = Tapp (Ident.create sort, [t_term; lhs], []) in
	let rhs = Tapp (Ident.create sort, [t_term; Tvar x], []) in
	let peq = Papp (Ident.t_eq,[lhs';rhs], []) in
          Env.empty_scheme (Forall (false, x, x, ut, [[TPat lhs]], peq)))))
     htypes)

(* Functions that replace polymorphic types by S,T,U and constants *)
let typify ptl = List.map (fun _ -> tt) ptl

let sortify t pt = 
  match pt with
    | PTint | PTbool | PTreal | PTunit -> pt
    | PTvar _ -> t
    | PTexternal (_,_) -> t

let monoify = List.map (sortify st)

let sort_of_c = function
  | ConstInt _ -> PTint
  | ConstBool _ -> PTbool
  | ConstUnit -> PTunit
  | ConstFloat _ -> PTreal

let is_const t = (* match Misc.normalize_pure_type t with *) match t with
  | PTint | PTbool | PTreal | PTunit -> true
  | _ -> false

(* Function that plunges a term under its type information. *)
(* Uses an assoc. list of tags -> idents for type variables *)
let plunge fv term pt =
  let rec leftt pt =
    match pt with
	PTint | PTbool | PTreal | PTunit ->
	  Tapp (Ident.create (prefix (cname pt)), [], [])
      | PTvar ({type_val = None} as var) -> 
	  let t = 
	    try List.assoc var.tag fv
	    with Not_found ->
	      let s = string_of_int var.tag in
		(print_endline ("[plunge] unknown vartype : "^s); 
		 Format.eprintf "term = %a@." Util.print_term term;
		 s)
	  in
	    Tvar (Ident.create t)
      | PTvar {type_val = Some pt} -> leftt pt
      | PTexternal (ptl, id) -> Tapp (id, List.map (fun pt -> leftt pt) ptl, [])
  in
    Tapp (Ident.create sort,[leftt pt; term],[])

(* Function that strips the top most sort application, for terms bound
   in let-ins *)
let strip_topmost t =
  match t with
    | Tapp (symb, [_encoded_ty; encoded_t], []) when symb = Ident.create sort ->
	encoded_t
    | _ -> t

let get_arity id =
  let arity =
    try List.assoc (Ident.string id) !arities
    with e -> (print_endline ("Encoding_mono.get_arity: unknown arity for "^(Ident.string id))); raise e in
    match arity.Env.scheme_type with
	Function (ptl, rt) -> ptl, rt
      | Predicate ptl -> ptl, PTbool (* ce PTbool est arbitraire et inutilisé *)

(* Ground instanciation of an arity (to be plunged under) *)
let instantiate_arity id inst =
  let arity =
    try List.assoc (Ident.string id) !arities
    with e -> (print_endline ("Encoding_mono.instantiate_arity: unknown arity for "^(Ident.string id))); raise e in
  let (vs, log_type) = Env.specialize_logic_type arity in
    if debug then 
      (print_string "\t{";
       Env.Vmap.iter (fun _ v -> Printf.printf "%d" v.tag) vs;
       print_endline "}");
    match log_type with
	Function (_ptl, rt) ->
	  if debug then Printf.printf "Instantiate : %d vars - %d types\n"
	    (Env.Vmap.fold (fun _ _ n -> n + 1) vs 0) (List.length inst);
	  ignore 
	    (Env.Vmap.fold (fun _ v l -> 
			      (match l with [] -> []
				 | a::q -> (v.type_val <- Some a; q)))
	       vs (List.rev inst));
	  rt
      | Predicate _ptl ->
	  ignore 
	    (Env.Vmap.fold (fun _ v l -> 
			      (match l with [] -> []
				 | a::q -> (v.type_val <- Some a; q)))
	       vs (List.rev inst));
	  PTbool

(* Translation of a term *)
(* [fv] is a map for type variables, [lv] for term variables,
   and [rt] is the type of this term in the arity of its
   direct superterm. *)
let rec translate_term fv lv rt = function
  | Tvar id as t ->
      let pt = try List.assoc id lv with e -> 
	(Printf.eprintf "variable %s\n" (Ident.string id); raise e) in
	(match is_const rt, is_const pt with
	     true, true -> t
	   | true, false -> Tapp (Ident.create (s2c rt), [plunge fv t pt], [])
	   | false, true -> plunge [] (Tapp (Ident.create (c2u pt), [t], [])) pt
	   | false, false -> plunge fv t pt
	)
  | Tapp (id, tl, inst) ->
      let ptl, pt = get_arity id in
      let trans_term = Tapp (id, List.map2 (translate_term fv lv) ptl tl, []) in
      let ground_type = instantiate_arity id inst in
	(match is_const rt, is_const pt with
	     true, true -> trans_term
	   | true, false -> Tapp (Ident.create (s2c rt), 
				  [plunge fv trans_term rt], [])
	   | false, true -> plunge [] 
	       (Tapp (Ident.create (c2u pt), [trans_term], [])) pt
	   | false, false -> plunge fv trans_term ground_type
	)
  | Tconst (_) as t when is_const rt -> t
  | Tconst (c) as t -> 
      let pt = sort_of_c c in
	plunge fv (Tapp (Ident.create (c2u pt), [t], [])) (sort_of_c c)
  | Tderef id as t -> print_endline ("id in Tderef : "^(Ident.string id)); t
  | Tnamed(_,t) -> translate_term fv lv rt t

(* Generalizing a predicate scheme with foralls (can add a trigger) *)
(* This function is used to explicitely quantify over syntactic type 
   variables that were implicitely quantified at first. *)
let rec lifted l p t =
  match l with [] -> p
    | (_, s)::[] ->
	Forall(false, Ident.create s, Ident.create s, tt, t, p)
    | (_, s)::q ->
	Forall(false, Ident.create s, Ident.create s, tt, [], lifted q p t)
	
let rec lifted_t l p tr =
  match l with [] -> p
    | (a,t)::[] -> (Forall(false, a, a, t, tr, p))
    | (a,t)::q ->  (Forall(false, a, a, t, [], lifted_t q p tr))

let lifted_ctxt l cel =
  (List.map (fun (_,s) -> Svar(Ident.create s, tt)) l)@cel

(* Translation of a predicate *)
let rec translate_pred fv lv = function
(*   | Papp (id, [a; b], [t]) when Ident.is_eq id && is_const t -> *)
(*       Papp (id, [translate_term fv lv t a; translate_term fv lv t b], []) *)
  | Papp (id, tl, inst) ->
      let _ = instantiate_arity id inst in
      let arity,_ = get_arity id in
	Papp (id, List.map2 (translate_term fv lv) arity tl, [])
  | Plet (id, n, pt, t, p) -> 
      let t' = strip_topmost (translate_term fv lv pt t) in
	Plet (id, n, sortify ut pt, t', translate_pred fv ((n,pt)::lv) p)
  | Pimplies (iswp, p1, p2) ->
      Pimplies (iswp, translate_pred fv lv p1, translate_pred fv lv p2)
  | Pif (t, p1, p2) ->
      Pif (translate_term fv lv PTbool t,
	   translate_pred fv lv p1, translate_pred fv lv p2)
  | Pand (iswp, issym, p1, p2) ->
      Pand (iswp, issym, translate_pred fv lv p1, translate_pred fv lv p2)
  | Por (p1, p2) ->
      Por (translate_pred fv lv p1, translate_pred fv lv p2)
  | Piff (p1, p2) ->
      Piff (translate_pred fv lv p1, translate_pred fv lv p2)
  | Pnot p ->
      Pnot (translate_pred fv lv p)
  | Forall (iswp, id, n, pt, _(*tl*), p) ->
      let lv' = (n,pt)::lv in
       let tl' = (*translate_triggers fv lv' p tl*) [] in
	Forall (iswp, id, n, sortify ut pt, tl', translate_pred fv lv' p)
  | Forallb (iswp, p1, p2) ->
      Forallb (iswp, translate_pred fv lv p1, translate_pred fv lv p2)
  | Exists (id, n, pt, p) ->
      Exists (id, n, sortify ut pt, translate_pred fv ((n,pt)::lv) p)
  | Pnamed (s, p) ->
      Pnamed (s, translate_pred fv lv p)
  | _ as d -> d

and translate_pattern fv lv p = function
  | TPat t -> 
      let rec lookfor_term fv lv acc rt = function
        | t2 when ((*Format.printf "%a = %a? %b@." Util.print_term t Util.print_term t2 (Misc.eq_term t t2);*) Misc.eq_term t t2) -> 
            (translate_term fv lv rt t2)::acc
        | Tvar _ | Tconst _ | Tderef _ -> acc
        | Tapp (id, tl, _inst) ->
            let ptl, _pt = get_arity id in
            List.fold_left2 (lookfor_term fv lv) acc ptl tl
        | Tnamed(_,t2) -> lookfor_term fv lv acc rt t2 in
      let rec lookfor_term_in_predicate fv lv acc = function
        | Pif (t, p1, p2) ->
            let acc = lookfor_term fv lv acc PTbool t in
            let acc =  lookfor_term_in_predicate fv lv acc p1 in
            let acc =  lookfor_term_in_predicate fv lv acc p2 in
            acc
        | Papp (id, tl, _inst) ->
            let arity,_ = get_arity id in
	    List.fold_left2 (lookfor_term fv lv) acc arity tl
        | Plet (_, n, pt, t, p) -> 
            let acc = lookfor_term fv lv acc pt t in
	    lookfor_term_in_predicate fv ((n,pt)::lv) acc p
        | Forall (_, _, n, pt, _, p) | Exists (_, n, pt, p) ->
            lookfor_term_in_predicate fv ((n,pt)::lv) acc p
        | Pimplies (_, p1, p2) | Pand (_ , _, p1, p2) | Por (p1, p2) 
        | Piff (p1, p2) | Forallb (_, p1, p2) ->
            lookfor_term_in_predicate fv lv (lookfor_term_in_predicate fv lv acc p2) p1
        | Pnot p | Pnamed (_, p) -> lookfor_term_in_predicate fv lv acc p 
        | Pvar _|Pfalse|Ptrue -> acc in
      let r = (lookfor_term_in_predicate fv lv [] p) in
      (*Format.printf "%a : %a@." Util.print_term t (Pp.print_list Pp.comma Util.print_term) r;*)
      List.map (fun x -> TPat x) r
(*
  let rec translate_term_for_pattern fv lv = function
      (* mauvaise traduction des triggers mais ...
         Le type n'étant pas forcement le même 
         les plunges internes peuvent ne pas être les 
         même que dans le body de la quantification *)
      | Tvar _ as t -> t
      | Tapp (id, tl, inst) ->
      let ptl, pt = get_arity id in
      let trans_term = Tapp (id, List.map2 (translate_term fv lv) ptl tl, []) in
      let _ = instantiate_arity id inst in
      trans_term
      | Tconst (_) as t -> t
      | Tderef _ as t -> t
      | Tnamed(_,t) -> translate_term_for_pattern fv lv t in
      TPat (translate_term_for_pattern fv lv t)
*)
  | PPat p -> [PPat (translate_pred fv lv p)]

and translate_triggers fv lv p tl =
  List.fold_left (fun acc e -> List.rev_append (map_product (translate_pattern fv lv p) e) acc) [] tl


(* The core *)
let queue = Queue.create ()

let rec push d = 
  try (match d with
(* A type declaration is translated as new logical function, the arity of *)
(* which depends on the number of type variables in the declaration *)
  | Dtype (loc, ident, vars) ->
      Queue.add (Dlogic (loc, ident,
			 Env.empty_scheme (Function (typify vars, tt)))) queue
  | Dalgtype _ ->
      assert false
(*
      failwith "encoding rec: algebraic types are not supported"
*)
(* In the case of a logic definition, we redefine the logic symbol  *)
(* with types u and s, and its complete arity is stored for the encoding *)
  | Dlogic (loc, ident, arity) -> 
(*
      Format.eprintf "Encoding_mono: adding %s in arities@." ident;
*)
      arities := (Ident.string ident, arity)::!arities;
      let newarity = match arity.Env.scheme_type with
	  Predicate ptl -> Predicate (monoify ptl)
	| Function (ptl, pt) -> Function (monoify ptl, sortify ut pt) in
	Queue.add (Dlogic (loc, ident, Env.empty_scheme newarity)) queue
(* A predicate definition can be handled as a predicate logic definition + an axiom *)
  | Dpredicate_def (loc,id,d) ->
      List.iter push (PredDefExpansor.predicate_def loc id d)
(*
      let (argl, pred) = pred_def_sch.Env.scheme_type in
      let rootexp = (Papp (ident, List.map (fun (i,_) -> Tvar i) argl, [])) in
      let name = Ident.string ident in
      push (Dlogic (loc, ident, (Env.generalize_logic_type (Predicate (snd (List.split argl))))));
      push (Daxiom (loc, def name, (Env.generalize_predicate
				      (lifted_t argl (Piff (rootexp, pred)) [[PPat rootexp]]))))
*)
  | Dinductive_def(_loc, _ident, _inddef) ->
      assert false
(*
      failwith "encoding mono: inductive def not yet supported"
*)
(* A function definition can be handled as a function logic definition + an axiom *)
  | Dfunction_def (_loc, _ident, _fun_def_sch) ->
      assert false
(*
(*       let _ = print_endline ident in *)
      let (argl, rt, term) = fun_def_sch.Env.scheme_type in
      let rootexp = (Tapp (ident, List.map (fun (i,_) -> Tvar i) argl, [])) in
      let name = Ident.string ident in
      push (Dlogic (loc, ident, (Env.generalize_logic_type (Function (snd (List.split argl), rt)))));
      push (Daxiom (loc, def name,
		    (Env.generalize_predicate
		       (lifted_t argl (Papp (Ident.t_eq, [rootexp; term], [])) [[TPat rootexp]]))))
*)
(* Axiom definitions *)
  | Daxiom (loc, name, pred_sch) ->
      let cpt = ref 0 in
      let fv = Env.Vset.fold
	(fun tv acc -> cpt := !cpt + 1; (tv.tag, tvar^(string_of_int !cpt))::acc)
	(pred_sch.Env.scheme_vars) [] in
      let new_axiom = Env.empty_scheme
	(lifted fv (translate_pred fv [] pred_sch.Env.scheme_type) []) in
	Queue.add (Daxiom (loc, name, new_axiom)) queue
(* A goal is a sequent : a context and a predicate and both have to be translated *)
  | Dgoal (loc, is_lemma, expl, name, s_sch) ->
      begin try
	if debug then Printf.printf "Encoding goal %s, %s...\n" name (f2s loc);
	let cpt = ref 0 in
	let fv = Env.Vset.fold
	  (fun tv acc -> 
	     cpt := !cpt + 1; 
	     (tv.tag, tvar^(string_of_int !cpt))::acc)
	  (s_sch.Env.scheme_vars) [] in
	if debug then
	  (Printf.printf "Goal environment :\n";
	   List.iter (fun (n,id) -> Printf.printf "\tIn env : %s tagged %d\n" id n) fv;
	   Printf.printf "=========\n");
	let (context, new_cel) =
	  List.fold_left
	    (fun (acc_c, acc_new_cel) s -> 
	       match s with
		   Spred (id, p) -> 
		     (acc_c, (Spred (id, translate_pred fv acc_c p))::acc_new_cel)
		 | Svar (id, t) -> ((id,t)::acc_c, (Svar (id, sortify ut t))::acc_new_cel))
	    ([], [])
	    (fst (s_sch.Env.scheme_type)) in
	if debug then
	  (Printf.printf "Goal context :\n";
	   List.iter (fun ce -> match ce with 
			| Svar (id, _pt) -> Printf.printf "\tvar %s : ??\n" (Ident.string id)
			| Spred(id, _) -> Printf.printf "\thyp %s : ...\n" (Ident.string id)
		     ) new_cel;
	   Printf.printf "=========\n");
	let new_sequent =
	  Env.empty_scheme
	    (lifted_ctxt fv (List.rev new_cel),
	     translate_pred fv context (snd (s_sch.Env.scheme_type))) in
	Queue.add (Dgoal (loc, is_lemma, expl, name, new_sequent)) queue
      with Not_found -> 
	Format.eprintf "Exception caught in : %a\n" Util.print_decl d;
	Queue.add (Dgoal (loc, is_lemma, expl, name, Env.empty_scheme([],Pfalse))) queue
      end)
  with Not_found -> 
    Format.eprintf "Exception caught in : %a\n" Util.print_decl d;
    raise Not_found

let iter f =
  (* first the prelude *)
  List.iter f prelude;
  (* then the queue *)
  Queue.iter f queue

let reset () = 
  arities := [eq_arity; neq_arity];
  Queue.clear queue
why-2.39/src/smtlib.mli0000644000106100004300000000445413147234006014024 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

val reset : unit -> unit
val push_decl : Logic_decl.t -> unit
val output_file : ?logic:string -> string -> unit


why-2.39/jc/0000755000106100004300000000000013147234006011625 5ustar  marchevalswhy-2.39/jc/jc_poutput.ml0000644000106100004300000004062513147234006014362 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



open Format
open Jc_ast
open Jc_output_misc
open Pp


let is_not_true (p : Jc_ast.pexpr) =
  match p#node with
    | JCPEconst (JCCboolean true) -> false
    | _ -> true

let bin_op = function
  | `Blt -> "<"
  | `Bgt -> ">"
  | `Ble -> "<="
  | `Bge -> ">="
  | `Beq -> "=="
  | `Bneq -> "!="
  | `Badd -> "+"
  | `Bsub -> "-"
  | `Bmul -> "*"
  | `Bdiv -> "/"
  | `Bmod -> "%"
  | `Bland -> "&&"
  | `Blor -> "||"
  | `Bimplies -> "==>"
  | `Biff -> "<==>"
  | `Bbw_and -> "&"
  | `Bbw_or -> "|"
  | `Bbw_xor -> "^"
  | `Blogical_shift_right -> ">>"
  | `Barith_shift_right -> ">>>"
  | `Bshift_left -> "<<"
  | `Bconcat -> "@"

let unary_op = function
  | `Uplus -> "+"
  | `Uminus -> "-"
  | `Unot -> "!"
  | `Upostfix_inc | `Uprefix_inc -> "++"
  | `Upostfix_dec | `Uprefix_dec -> "--"
  | `Ubw_not -> "~"

let rec ppattern fmt p =
  match p#node with
    | JCPPstruct(st, lbls) ->
	fprintf fmt "@[%s{@ " st#name;
	List.iter
	  (fun (lbl, pat) ->
	     fprintf fmt "%s = %a;@ " lbl#name ppattern pat)
          lbls;
	fprintf fmt "}@]"
    | JCPPvar vi ->
	fprintf fmt "%s" vi#name
    | JCPPor(p1, p2) ->
	fprintf fmt "(%a)@ | (%a)" ppattern p1 ppattern p2
    | JCPPas(pat, vi) ->
	fprintf fmt "(%a as %s)" ppattern pat vi#name
    | JCPPany ->
	fprintf fmt "_"
    | JCPPconst c ->
	fprintf fmt "%a" const c

let quantifier fmt = function
  | Forall -> fprintf fmt "forall"
  | Exists -> fprintf fmt "exists"

let identifier fmt id =
  fprintf fmt "%s" id#name

let rec pexpr fmt e =
  match e#node with
    | JCPElabel(lab,e) ->
	assert (lab <> "");
	fprintf fmt "@[(%s : %a)@]" lab pexpr e
    | JCPEconst c -> const fmt c
    | JCPEvar vi ->
	fprintf fmt "%s" vi
    | JCPEbinary (e1, op, e2) ->
	fprintf fmt "@[(%a %s@ %a)@]" pexpr e1 (bin_op op) pexpr e2
    | JCPEunary((`Upostfix_dec | `Upostfix_inc) as op,e1) ->
	fprintf fmt "@[(%a %s)@]" pexpr e1 (unary_op op)
    | JCPEunary(op,e1) ->
	fprintf fmt "@[(%s %a)@]" (unary_op op) pexpr e1
    | JCPEif (e1,e2,e3) ->
	fprintf fmt "@[(if %a then %a else %a)@]" pexpr e1 pexpr e2 pexpr e3
    | JCPElet(Some ty,vi,Some e1,e2) ->
	fprintf fmt "@[(let %a %s =@ %a@ in %a)@]"
          ptype ty vi pexpr e1 pexpr e2
    | JCPElet(None,vi,Some e1,e2) ->
	fprintf fmt "@[(let %s =@ %a@ in %a)@]"
          vi pexpr e1 pexpr e2
    | JCPElet(_ty,_vi,None,_e2) -> assert false
    | JCPEassign (v, e) ->
	fprintf fmt "(%a = %a)" pexpr v pexpr e
    | JCPEassign_op (v, op, e) ->
	fprintf fmt "%a %s= %a" pexpr v (bin_op op) pexpr e
    | JCPEcast (e, si) ->
	fprintf fmt "(%a :> %a)" pexpr e ptype si
    | JCPEalloc (e, si) ->
	fprintf fmt "(new %s[%a])" si pexpr e
    | JCPEfree (e) ->
	fprintf fmt "(free(%a))" pexpr e
    | JCPEoffset(k,e) ->
	fprintf fmt "\\offset_m%a(%a)" offset_kind k pexpr e
    | JCPEaddress(absolute,e) ->
	fprintf fmt "\\%aaddress(%a)" address_kind absolute pexpr e
    | JCPEbase_block(e) ->
	fprintf fmt "\\base_block(%a)" pexpr e
    | JCPEfresh(e) ->
	fprintf fmt "\\fresh(%a)" pexpr e
    | JCPEinstanceof (e, si) ->
	fprintf fmt "(%a <: %s)" pexpr e si
    | JCPEderef (e, fi) ->
	fprintf fmt "%a.%s" pexpr e fi
    | JCPEmatch (e, pel) ->
	fprintf fmt "@[match %a with@ " pexpr e;
	List.iter
	  (fun (p, e) -> fprintf fmt "  @[%a ->@ %a;@]@ "
	     ppattern p pexpr e) pel;
	fprintf fmt "end@]"
    | JCPEold t -> fprintf fmt "@[\\old(%a)@]" pexpr t
    | JCPEat(t,lab) -> fprintf fmt "@[\\at(%a,%a)@]" pexpr t label lab
    | JCPEapp(f,labs,args) ->
	fprintf fmt "%s%a(@[%a@])" f
	  (fun fmt labs -> if List.length labs = 0 then () else
	    fprintf fmt "%a" (print_list_delim lbrace rbrace comma label) labs) labs
	  (print_list comma pexpr) args
    | JCPErange(t1,t2) ->
	fprintf fmt "@[[%a..%a]@]" (print_option pexpr) t1 (print_option pexpr) t2
    | JCPEquantifier (q,ty,vil,trigs, a)->
	fprintf fmt "@[(\\%a %a %a%a;@\n%a)@]"
	  quantifier q
	  ptype ty
	  (print_list comma identifier) vil
	  triggers trigs pexpr a
    | JCPEmutable _ ->
        fprintf fmt "\\mutable(TODO)"
    | JCPEeqtype(tag1,tag2) ->
	fprintf fmt "\\typeeq(%a,%a)" ptag tag1 ptag tag2
    | JCPEsubtype(tag1,tag2) ->
	fprintf fmt "(%a <: %a)" ptag tag1 ptag tag2
    | JCPEreturn (e) ->
	fprintf fmt "@\n(return %a)" pexpr e
    | JCPEunpack _ ->
        fprintf fmt "unpack(TODO)"
    | JCPEpack _ ->
        fprintf fmt "pack(TODO)"
    | JCPEthrow (ei, eo) ->
	fprintf fmt "@\n(throw %s %a)"
	  ei#name
	  pexpr eo
    | JCPEtry (s, hl, fs) ->
	fprintf fmt
	  "@\n@[try %a@]%a@\n@[finally%a@ end@]"
	  pexpr s
	  (print_list nothing handler) hl
	  pexpr fs
    | JCPEgoto lab ->
	fprintf fmt "@\n(goto %s)" lab
    | JCPEcontinue lab ->
	fprintf fmt "@\n(continue %s)" lab
    | JCPEbreak lab ->
	fprintf fmt "@\n(break %s)" lab
    | JCPEwhile (e, behaviors, variant, s)->
	fprintf fmt "@\n@[loop %a%a@\nwhile (%a)%a@]"
	  (print_list nothing loop_behavior) behaviors
	  (print_option
             (fun fmt (t,r) ->
                match r with
                  | None ->
                      fprintf fmt "@\nvariant %a;" pexpr t
                  | Some r ->
                      fprintf fmt "@\nvariant %a for %a;" pexpr t identifier r
             ))
	  variant
	  pexpr e block [s]
    | JCPEfor (inits, cond, updates, behaviors, variant, body)->
	fprintf fmt "@\n@[loop %a@\n%a@\nfor (%a ; %a ; %a)%a@]"
	  (print_list nothing loop_behavior) behaviors
	  (print_option
             (fun fmt (t,r) ->
                match r with
                  | None ->
                      fprintf fmt "@\nvariant %a;" pexpr t
                  | Some r ->
                      fprintf fmt "@\nvariant %a for %a;" pexpr t identifier r
             ))
	  variant
	  (print_list comma pexpr) inits
	  pexpr cond (print_list comma pexpr) updates
	  block [body]
    | JCPEdecl (ty,vi, None)->
	fprintf fmt "@\n(var %a %s)" ptype ty vi
    | JCPEdecl (ty,vi, Some e)->
	fprintf fmt "@\n(var %a %s = %a)"
	  ptype ty vi pexpr e
    | JCPEassert(behav,asrt,a)->
	fprintf fmt "@\n(%a %a%a)"
	  asrt_kind asrt
	  (print_list_delim
	     (constant_string "for ") (constant_string ": ")
	     comma identifier)
	  behav
	  pexpr a
    | JCPEcontract(req,dec,behs,e) ->
	fprintf fmt "@\n@[( ";
	Option_misc.iter
	  (fun e -> if is_not_true e then
	     fprintf fmt "requires %a;@\n" pexpr e) req;
	Option_misc.iter
	  (fun (t,r) -> match r with
	     | None -> fprintf fmt "decreases %a;@\n" pexpr t
	     | Some r -> fprintf fmt "decreases %a for %a;@\n"
		 pexpr t identifier r)
	  dec;
	List.iter (behavior fmt) behs;
	fprintf fmt "@\n{ %a@ })@]" pexpr e
    | JCPEblock l -> block fmt l
    | JCPEswitch (e, csl) ->
	fprintf fmt "@\n@[switch (%a) {%a@]@\n}"
	  pexpr e (print_list nothing case) csl

and triggers fmt trigs =
  print_list_delim lsquare rsquare alt (print_list comma pexpr) fmt trigs

and ptag fmt tag =
  match tag#node with
    | JCPTtag id -> string fmt id#name
    | JCPTbottom -> string fmt "\\bottom"
    | JCPTtypeof e -> fprintf fmt "\\typeof(%a)" pexpr e

and handler fmt (ei,vio,s) =
  fprintf fmt "@\n@[catch %s %s %a@]"
    ei#name vio
    pexpr s

and pexprs fmt l = print_list semi pexpr fmt l

and block fmt b =
  match b with
    | [] -> fprintf fmt "{()}"
    | _::_ ->
        fprintf fmt "@\n@[{@[  ";
        pexprs fmt b;
        fprintf fmt "@]@\n}@]"

and case fmt (c,sl) =
  let onecase fmt = function
    | Some c ->
	fprintf fmt "@\ncase %a:" pexpr c
    | None ->
	fprintf fmt "@\ndefault:"
  in
  fprintf fmt "%a%a" (print_list nothing onecase) c pexpr sl

and behavior fmt (_loc,id,throws,assumes,requires,assigns,allocates,ensures) =
  fprintf fmt "@\n@[behavior %s:" id;
  Option_misc.iter
    (fun a ->
(*       Format.eprintf "Jc_poutput: assumes %a@." pexpr a;*)
       if is_not_true a then
         fprintf fmt "@\nassumes %a;" pexpr a) assumes;
  Option_misc.iter (fprintf fmt "@\nrequires %a;" pexpr) requires;
  Option_misc.iter
    (fun id -> fprintf fmt "@\nthrows %s;" id#name) throws;
  Option_misc.iter
    (fun (_,locs) -> fprintf fmt "@\nassigns %a;"
       (print_list_or_default "\\nothing" comma pexpr) locs)
    assigns;
  Option_misc.iter
    (fun (_,locs) -> fprintf fmt "@\nallocates %a;"
       (print_list_or_default "\\nothing" comma pexpr) locs)
    allocates;
  fprintf fmt "@\nensures %a;@]" pexpr ensures

and loop_behavior fmt (ids,inv,ass) =
  fprintf fmt "@\n@[behavior %a:@\n"
    (print_list comma (fun fmt id -> fprintf fmt "%s" id#name)) ids;
  Option_misc.iter
    (fun i -> fprintf fmt "invariant %a;" pexpr i) inv;
  Option_misc.iter
    (fun (_,locs) -> fprintf fmt "@\nassigns %a;"
       (print_list_or_default "\\nothing" comma pexpr) locs)
    ass;
  fprintf fmt "@]"



let pclause fmt = function
  | JCCrequires e ->
      if is_not_true e then
	fprintf fmt "@\n@[  requires @[%a@];@]" pexpr e
  | JCCdecreases(e,None) ->
      fprintf fmt "@\n@[  decreases @[%a@];@]" pexpr e
  | JCCdecreases(e,Some r) ->
      fprintf fmt "@\n@[  decreases @[%a@] for %a;@]"
	pexpr e identifier r
  | JCCbehavior b -> behavior fmt b

let param fmt (ty,vi) =
  fprintf fmt "%a %s" ptype ty vi

let fun_param fmt (valid,ty,vi) =
  fprintf fmt "%s%a %s" (if valid then "" else "! ") ptype ty vi

let field fmt (modifier,ty,fi,bitsize) =
  let (rep,abstract) = modifier in
  fprintf fmt "@\n";
  if abstract then
    fprintf fmt "abstract "
  else
    if rep then
      fprintf fmt "rep ";
  fprintf fmt "%a %s"
    ptype ty fi;
  match bitsize with
    | Some bitsize ->
	fprintf fmt ": %d;" bitsize
    | None ->
	fprintf fmt ";"

let invariant fmt (id, vi, a) =
  fprintf fmt "@\n@[invariant %s(%s) =@ %a;@]"
    id#name vi pexpr a

let reads_or_expr fmt = function
  | JCnone -> ()
  | JCreads [] ->
      fprintf fmt "@ reads \\nothing;"
  | JCreads el ->
      fprintf fmt "@ reads %a;" (print_list comma pexpr) el
  | JCexpr e ->
      fprintf fmt " =@\n%a" pexpr e
  | JCinductive l ->
      fprintf fmt " {@\n@[%a@]@\n}"
	(print_list newline
	   (fun fmt (id,labels,e) ->
	      fprintf fmt "case %s@[%a@]: %a;@\n" id#name
		(print_list_delim lbrace rbrace comma label) labels
		pexpr e)) l

let type_params_decl fmt l = print_list_delim lchevron rchevron comma Pp.string fmt l

let type_params fmt = function
  | [] -> ()
  | l -> fprintf fmt "<%a>" (print_list comma ptype) l

let super_option fmt = function
  | None -> ()
  | Some(s, p) -> fprintf fmt "%s%a with " s type_params p

let rec pdecl fmt d =
  match d#node with
    | JCDfun(ty,id,params,clauses,body) ->
	fprintf fmt "@\n@[%a %s(@[%a@])%a%a@]@\n" ptype ty id#name
	  (print_list comma fun_param) params
	  (print_list nothing pclause) clauses
	  (print_option_or_default "\n;" pexpr) body
    | JCDenum_type(id,min,max) ->
	fprintf fmt "@\n@[type %s = %s..%s@]@\n"
	  id (Num.string_of_num min) (Num.string_of_num max)
    | JCDvariant_type(id, tags) ->
	fprintf fmt "@\n@[type %s = [" id;
	print_list
	  (fun fmt () -> fprintf fmt " | ")
	  (fun fmt tag -> fprintf fmt "%s" tag#name)
	  fmt tags;
	fprintf fmt "]@]@\n"
    | JCDunion_type(id,discriminated,tags) ->
	fprintf fmt "@\n@[type %s = [" id;
	print_list
	  (fun fmt () -> fprintf fmt " %c "
	     (if discriminated then '^' else '&'))
	  (fun fmt tag -> fprintf fmt "%s" tag#name)
	  fmt tags;
	fprintf fmt "]@]@\n"
    | JCDtag(id, params, super, fields, invs) ->
	fprintf fmt "@\n@[tag %s%a = %a{%a%a@]@\n}@\n"
          id
          type_params_decl params
          super_option super
          (print_list space field) fields
	  (print_list space invariant) invs
    | JCDvar(ty,id,init) ->
	fprintf fmt "@\n@[%a %s%a;@]@\n" ptype ty id
	  (print_option (fun fmt e -> fprintf fmt " = %a" pexpr e)) init
    | JCDlemma(id,is_axiom,poly_args,lab,a) ->
	fprintf fmt "@\n@[%s %s@[%a@]@[%a@] :@\n%a@]@\n"
          (if is_axiom then "axiom" else "lemma") id
	  (print_list_delim lchevron rchevron comma string) poly_args
	  (print_list_delim lbrace rbrace comma label) lab
	  pexpr a
    | JCDglobal_inv(id,a) ->
	fprintf fmt "@\n@[invariant %s :@\n%a@]@\n" id pexpr a
    | JCDexception(id,tyopt) ->
	fprintf fmt "@\n@[exception %s of %a@]@\n" id
	  (print_option ptype) tyopt
    | JCDlogic_var (ty, id, body) ->
	fprintf fmt "@\n@[logic %a %s %a@]@\n"
	  ptype ty id
	  (print_option (fun fmt e -> fprintf fmt "=@\n%a" pexpr e)) body
    | JCDlogic (None, id, poly_args, labels, params, body) ->
	fprintf fmt "@\n@[predicate %s@[%a@]@[%a@](@[%a@])%a@]@\n"
	  id
          (print_list_delim lchevron rchevron comma string) poly_args
          (print_list_delim lbrace rbrace comma label) labels
	  (print_list comma param) params
	  reads_or_expr body
    | JCDlogic (Some ty, id, poly_args, labels, params, body) ->
	fprintf fmt "@\n@[logic %a %s@[%a@]@[%a@](@[%a@])%a@]@\n"
	  ptype ty id
          (print_list_delim lchevron rchevron comma string) poly_args
          (print_list_delim lbrace rbrace comma label) labels
	  (print_list comma param) params
	  reads_or_expr body
    | JCDlogic_type (id,args) ->
	fprintf fmt "@\n@[logic type %s%a@]@\n" id (print_list_delim lchevron rchevron comma string) args
    | JCDinvariant_policy p ->
        fprintf fmt "# InvariantPolicy = %s@\n" (string_of_invariant_policy p)
    | JCDseparation_policy p ->
        fprintf fmt "# SeparationPolicy = %s@\n" (string_of_separation_policy p)
    | JCDtermination_policy p ->
        fprintf fmt "# TerminationPolicy = %s@\n" (string_of_termination_policy p)
    | JCDannotation_policy p ->
        fprintf fmt "# AnnotationPolicy = %s@\n" (string_of_annotation_policy p)
    | JCDabstract_domain p ->
        fprintf fmt "# AbstractDomain = %s@\n" (string_of_abstract_domain p)
    | JCDint_model p ->
        fprintf fmt "# IntModel = %s@\n" (string_of_int_model p)
    | JCDpragma_gen_sep (kind,s,l) ->
        let print_ptype_r =
          print_pair ptype (print_list semi string) in
        fprintf fmt "# Gen_Separation %s %s(%a)\n" kind s
          (print_list comma print_ptype_r) l
    | JCDpragma_gen_frame (name,logic) ->
      fprintf fmt "# Gen_Frame %s %s" name logic
    | JCDpragma_gen_sub (name,logic) ->
      fprintf fmt "# Gen_Sub %s %s" name logic
    | JCDpragma_gen_same (name,logic) ->
      fprintf fmt "# Gen_Same_Footprint %s %s" name logic
    | JCDaxiomatic(id,l) ->
	fprintf fmt "@\n@[axiomatic %s {@\n@[%a@]@\n}@]@\n" id
	  (print_list space pdecl) l

and pdecls fmt (l : pexpr decl list) =
  match l with
    | [] -> ()
    | d::r -> pdecl fmt d; pdecls fmt r

(*
Local Variables:
compile-command: "LC_ALL=C make -j -C .. byte"
End:
*)
why-2.39/jc/jc_name.ml0000644000106100004300000001704713147234006013564 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



open Jc_env
open Jc_region
open Jc_pervasives
open Output

let alloc_table_type_name = "alloc_table"
let tag_table_type_name = "tag_table"
let pointer_type_name = "pointer"
let pset_type_name = "pset"
let memory_type_name = "memory"
let tag_id_type_name = "tag_id"
let bitvector_type_name = "bitvector"

let simple_logic_type s =
  { logic_type_name = s; logic_type_args = [] }

let root_type_name vi = vi.jc_root_info_name

let struct_type_name st = root_type_name (struct_root st)

let pointer_class_type_name = function
  | JCtag(st, _) -> struct_type_name st
  | JCroot vi -> root_type_name vi

let alloc_class_name = function
  | JCalloc_root vi -> root_type_name vi
  | JCalloc_bitvector -> bitvector_type_name

let memory_class_name = function
  | JCmem_field fi -> fi.jc_field_info_final_name
  | JCmem_plain_union vi -> root_type_name vi
  | JCmem_bitvector -> bitvector_type_name

let variant_alloc_table_name vi = vi.jc_root_info_name ^ "_alloc_table"

let variant_tag_table_name vi = vi.jc_root_info_name ^ "_tag_table"

let variant_axiom_on_tags_name vi = vi.jc_root_info_name ^ "_tags"

let axiom_int_of_tag_name st = st.jc_struct_info_name ^ "_int"

let tag_name st = st.jc_struct_info_name ^ "_tag"

let of_pointer_address_name vi = 
  vi.jc_root_info_name ^ "_of_pointer_address"

let generic_tag_table_name vi =
  (root_type_name vi) ^ "_tag_table"

let tag_table_name (vi,r) =
  if !Jc_common_options.separation_sem = SepRegions && not (is_dummy_region r) 
  then 
    (root_type_name vi) ^ "_" ^ (Region.name r) ^ "_tag_table"
  else
    (root_type_name vi) ^ "_tag_table"

let generic_alloc_table_name ac =
  (alloc_class_name ac) ^ "_alloc_table"

let alloc_table_name (ac,r) = 
  if !Jc_common_options.separation_sem = SepRegions && not (is_dummy_region r) 
  then 
    (alloc_class_name ac) ^ "_" ^ (Region.name r) ^ "_alloc_table"
  else
    (alloc_class_name ac) ^ "_alloc_table"

let field_memory_name fi = 
  let rt = struct_root fi.jc_field_info_struct in
  if root_is_plain_union rt then
    rt.jc_root_info_name ^ "_fields"
  else
    fi.jc_field_info_final_name

let field_region_memory_name (fi,r) = 
  if !Jc_common_options.separation_sem = SepRegions && not (is_dummy_region r) 
  then 
    (field_memory_name fi) ^ "_" ^ (Region.name r)
  else field_memory_name fi

let union_memory_name vi =
  vi.jc_root_info_name ^ "_fields"

let union_region_memory_name (vi,r) = 
  if !Jc_common_options.separation_sem = SepRegions && not (is_dummy_region r) 
  then 
    (union_memory_name vi) ^ "_" ^ (Region.name r)
  else union_memory_name vi

let bitvector_region_memory_name r = 
  if !Jc_common_options.separation_sem = SepRegions && not (is_dummy_region r) 
  then 
    bitvector_type_name ^ "_" ^ (Region.name r)
  else bitvector_type_name

let union_memory_type_name vi = 
  vi.jc_root_info_name ^ "_union"

let generic_memory_name mc =
  memory_class_name mc

let memory_name (mc,r) =
  match mc with
    | JCmem_field fi -> field_region_memory_name (fi,r)
    | JCmem_plain_union vi -> union_region_memory_name (vi,r)
    | JCmem_bitvector -> bitvector_region_memory_name r

let pointer_class_name = function
  | JCtag(st, _) -> 
      if struct_of_union st then
	"root_" ^ (struct_root st).jc_root_info_name
      else
	"struct_" ^ st.jc_struct_info_name
  | JCroot vi -> "root_" ^ vi.jc_root_info_name

let valid_pred_name ~equal ~left ~right ac pc = 
  let prefix = match ac with
    | JCalloc_root _ -> 
	if equal then "strict_valid" else 
	  begin match left, right with
	    | false, false -> assert false
	    | false, true -> "right_valid"
	    | true, false -> "left_valid"
	    | true, true -> "valid"
	  end
    | JCalloc_bitvector -> "valid_bitvector" (* TODO ? *)
  in
  prefix ^ "_" ^ (pointer_class_name pc)

let alloc_param_name ~check_size ac pc = 
  let prefix = match ac with
    | JCalloc_root _ -> "alloc"
    | JCalloc_bitvector -> "alloc_bitvector"
  in
  let n = prefix ^ "_" ^ (pointer_class_name pc) in
  if check_size then n ^ "_requires" else n

let alloc_bitvector_logic_name pc =
  (pointer_class_name pc) ^ "_alloc_bitvector"

let mem_bitvector_logic_name pc =
  (pointer_class_name pc) ^ "_mem_bitvector"

let alloc_of_bitvector_param_name pc = 
  (pointer_class_name pc) ^ "_alloc_of_bitvector"

let mem_of_bitvector_param_name pc = 
  (pointer_class_name pc) ^ "_mem_of_bitvector"

let alloc_to_bitvector_param_name pc = 
  (pointer_class_name pc) ^ "_alloc_to_bitvector"

let mem_to_bitvector_param_name pc = 
  (pointer_class_name pc) ^ "_mem_to_bitvector"

let jessie_return_variable = "return"
let jessie_return_exception = "Return"

let exception_name ei =
  ei.jc_exception_info_name ^ "_exc"

let mutable_name pc =
  "mutable_"^(pointer_class_type_name pc)

let committed_name pc =
  "committed_"^(pointer_class_type_name pc)

(* dead code
let fully_packed_name st =
  "fully_packed_"^(root_name st)
*)

let hierarchy_invariant_name st =
  "global_invariant_"^(root_name st)

let pack_name st =
  "pack_"^(root_name st)

let unpack_name st =
  "unpack_"^(root_name st)

let fully_packed_name = "fully_packed"

let unique_name =
  let unique_names = Hashtbl.create 127 in
  function s ->
    try
      let s = if s = "" then "unnamed" else s in
      let count = Hashtbl.find unique_names s in
      incr count;
      s ^ "_" ^ (string_of_int !count)
    with Not_found ->
      Hashtbl.add unique_names s (ref 0); s


(*
Local Variables: 
compile-command: "LC_ALL=C make -j -C .. bin/jessie.byte"
End: 
*)
why-2.39/jc/jc_options.mli0000644000106100004300000000774013147234006014507 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



open Jc_stdlib
open Jc_env

(*s environment variables *)

val has_floats : bool ref
val libdir : string
val get_libfiles : unit -> string list
val add_to_libfiles : string -> unit

(*s command-line options *)

val parse_only : bool
val type_only : bool
val print_graph : bool
val gen_only : bool
val debug : bool
val verbose : bool
val werror : bool
val why3_backend : bool
val why3_cmd : string

val verify_all_offsets : bool
val verify_invariants_only : bool
val verify : string list
val behavior : string list

val interprocedural : bool
val main : string

val files : unit -> string list
val usage : unit -> unit

val inv_sem: Jc_env.inv_sem ref
val separation_sem : Jc_env.separation_sem ref
val annotation_sem : Jc_env.annotation_sem ref
val termination_policy : Jc_env.termination_policy ref
val ai_domain : Jc_env.abstract_domain ref
val int_model : Jc_env.int_model ref
val float_model : Jc_env.float_model ref
val float_instruction_set : Jc_env.float_instruction_set ref
val trust_ai : bool
val fast_ai : bool

val gen_frame_rule_with_ft : bool

val current_rounding_mode : Jc_env.float_rounding_mode ref

val verify_behavior: string -> bool

val set_int_model: int_model -> unit

val set_float_model: float_model -> unit

(*s The log file *)

val log : Format.formatter
val lprintf : ('a, Format.formatter, unit) format -> 'a
val close_log : unit -> unit

(*s error handling *)

exception Jc_error of Loc.position * string

val jc_error : Loc.position -> ('a, unit, string, 'b) format4 -> 'a

val parsing_error : Loc.position -> ('a, unit, string, 'b) format4 -> 'a

val pos_table :
  (string, (string * int * int * int * Output.kind option * (string * Rc.rc_value) list))
     Hashtbl.t

val position_of_label: string -> Loc.position option

(*
Local Variables:
compile-command: "make -C .. bin/jessie.byte"
End:
*)
why-2.39/jc/jc_pervasives.mli0000644000106100004300000001651013147234006015176 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

open Jc_stdlib
open Jc_env
open Jc_envset
open Jc_ast
open Jc_fenv

val ( $ ): ('b -> 'c) -> ('a -> 'b) -> 'a -> 'c

(*
exception Error of Loc.position * string

val error: Loc.position -> ('a, Format.formatter, unit, 'b) format4 -> 'a
*)

(*
val zero: Num.num
*)
val one: Num.num
val two: Num.num
val eight: Num.num
val is_power_of_two: Num.num -> bool
val log2: Num.num -> Num.num

(* labels *)

val new_label_name: unit -> string

(* types *)

val operator_of_native: native_type -> [> native_operator_type] 
val operator_of_type: jc_type -> [> operator_type] 
val eq_operator_of_type: jc_type -> [> operator_type] 

val integer_type : Jc_env.jc_type
val boolean_type : Jc_env.jc_type
val real_type : Jc_env.jc_type
val double_type : Jc_env.jc_type
val float_type : Jc_env.jc_type
val unit_type : Jc_env.jc_type
val null_type : Jc_env.jc_type
val string_type : Jc_env.jc_type
val any_type: jc_type

val string_of_native: Jc_env.native_type -> string
val print_type : Format.formatter -> Jc_env.jc_type -> unit
val print_type_var : Format.formatter -> Jc_env.type_var_info -> unit

val struct_of_union: Jc_env.struct_info -> bool
val struct_of_plain_union : Jc_env.struct_info -> bool
val struct_of_discr_union : Jc_env.struct_info -> bool
val union_of_field: Jc_env.field_info -> Jc_env.root_info
val integral_union: Jc_env.root_info -> bool
val root_is_plain_union : Jc_env.root_info -> bool
val root_is_discr_union : Jc_env.root_info -> bool
val root_is_union : Jc_env.root_info -> bool

val struct_has_bytesize: Jc_env.struct_info -> bool
val struct_bitsize: Jc_env.struct_info -> int
val struct_bytesize: Jc_env.struct_info -> int
val possible_struct_bytesize: Jc_env.struct_info -> int option

(* constants *)

val zero: Num.num
val num_of_constant : 'a -> const -> Num.num

(* environment infos *)

val var : ?unique:bool -> ?static:bool -> ?formal:bool -> 
  Jc_env.jc_type -> string -> Jc_env.var_info
val copyvar : Jc_env.var_info -> Jc_env.var_info

val tmp_var_name : unit -> string
val newvar : Jc_env.jc_type -> Jc_env.var_info
val newrefvar : Jc_env.jc_type -> Jc_env.var_info

val exception_info :  
  Jc_env.jc_type option -> string -> Jc_env.exception_info

val make_fun_info : string -> Jc_env.jc_type -> Jc_fenv.fun_info

val make_pred : string -> Jc_fenv.logic_info

val make_logic_fun : string -> Jc_env.jc_type -> Jc_fenv.logic_info

val location_set_region : location_set -> Jc_env.region
(*
val direct_embedded_struct_fields : Jc_env.struct_info -> Jc_env.field_info list
val embedded_struct_fields : Jc_env.struct_info -> Jc_env.field_info list
*)
val field_sinfo : Jc_env.field_info -> Jc_env.struct_info
val field_bounds : Jc_env.field_info -> Num.num * Num.num
(* destruct a pointer type. *)
val pointer_struct: jc_type -> struct_info
val pointer_class: jc_type -> pointer_class
(*val embedded_struct_roots : Jc_env.struct_info -> string list*)

val root_name : Jc_env.struct_info -> string
val field_root_name : Jc_env.field_info -> string
val struct_root : Jc_env.struct_info -> Jc_env.root_info
val pointer_class_root : pointer_class -> Jc_env.root_info

(* predefined functions *)

val any_string : Jc_fenv.logic_info
(*
val real_of_integer : Jc_fenv.logic_info
val real_of_integer_ : Jc_fenv.fun_info
*)
val full_separated : Jc_fenv.logic_info

val default_behavior : behavior

val empty_fun_effect : Jc_fenv.fun_effect
val empty_effects : Jc_fenv.effect

(* assertions *)

val skip_term_shifts :  term -> term
val skip_shifts : expr -> expr
val skip_tloc_range : location_set -> location_set

val select_option : 'a option -> 'a -> 'a
val is_constant_assertion : assertion -> bool

(* fun specs *)

val contains_normal_behavior : fun_spec -> bool
val contains_exceptional_behavior : fun_spec -> bool
val is_purely_exceptional_fun : fun_spec -> bool

(* patterns *)

(** The set of variables bound by a pattern. *)
val pattern_vars : Jc_env.var_info Jc_envset.StringMap.t -> pattern ->
  Jc_env.var_info Jc_envset.StringMap.t

(* operators *)

val string_of_op: [< bin_op | unary_op] -> string
val string_of_op_type: [< operator_type] -> string

(* builtin_logic_symbols *)

val builtin_logic_symbols :
  (Jc_env.jc_type option * string * string * Jc_env.jc_type list) list

val builtin_function_symbols :
  (Jc_env.jc_type * string * string * Jc_env.jc_type list * Jc_fenv.builtin_treatment) list

module TermOrd : OrderedHashedType with type t = term

module TermSet : Set.S with type elt = term

module TermMap : Map.S with type key = term

module TermTable : Hashtbl.S with type key = term

module AssertionOrd : OrderedType with type t = assertion

module StringHashtblIter:
sig
  type 'a t
  val create: int -> 'a t
  val add: 'a t -> string -> 'a -> unit
  val replace: 'a t -> string -> 'a -> unit
  val find: 'a t -> string -> 'a 
  val fold: (string -> 'a -> 'b -> 'b) -> 'a t -> 'b -> 'b
  val iter: (string -> 'a -> unit) -> 'a t -> unit
end

module IntHashtblIter:
sig
  type 'a t
  val create: int -> 'a t
  val add: 'a t -> int -> 'a -> unit
  val replace: 'a t -> int -> 'a -> unit
  val find: 'a t -> int -> 'a 
  val fold: (int -> 'a -> 'b -> 'b) -> 'a t -> 'b -> 'b
  val iter: (int -> 'a -> unit) -> 'a t -> unit
end

(*
Local Variables: 
compile-command: "LC_ALL=C make -j -C .. bin/jessie.byte"
End: 
*)
why-2.39/jc/jc_lexer.mll0000644000106100004300000003616413147234006014140 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)


(*i $Id: jc_lexer.mll,v 1.95 2010-02-19 15:51:08 marche Exp $ i*)

{
  open Jc_ast
  open Jc_parser
  open Lexing

  type location = Lexing.position * Lexing.position

  let loc lexbuf : location = (lexeme_start_p lexbuf, lexeme_end_p lexbuf)

  exception Lexical_error of location * string
(*
  exception Syntax_error of location
*)

  let lex_error lexbuf s =
    raise (Lexical_error(loc lexbuf,s))

  let buf = Buffer.create 1024

  let newline lexbuf =
    let pos = lexbuf.lex_curr_p in
    lexbuf.lex_curr_p <- 
      { pos with pos_lnum = pos.pos_lnum + 1; pos_bol = pos.pos_cnum }

  (* Update the current location with file name and line number. *)

(*
  let update_loc lexbuf file line absolute chars =
    let pos = lexbuf.lex_curr_p in
    let new_file = match file with
      | None -> pos.pos_fname
      | Some s -> s
    in
    lexbuf.lex_curr_p <- 
      { pos with
	  pos_fname = new_file;
	  pos_lnum = if absolute then line else pos.pos_lnum + line;
	  pos_bol = pos.pos_cnum - chars;
      }
*)

  let builtins_table =
    let table = Hashtbl.create 17 in
    List.iter
      (fun (_ty,id,_whyid,_params) -> Hashtbl.add table id ())
      Jc_pervasives.builtin_logic_symbols;
    List.iter
      (fun (_ty,id,_whyid,_params,_) -> Hashtbl.add table id ())
      Jc_pervasives.builtin_function_symbols;
    table

  let special_id lexbuf s =
    try
      let () = Hashtbl.find builtins_table s in
      IDENTIFIER s
    with
	Not_found ->
	  lex_error lexbuf ("unknown special symbol "^s)

  exception Dotdot of string

  let pragma lexbuf id v =
    match id with
      | "InvariantPolicy" ->
	  begin
	    Jc_options.inv_sem :=
	      match v with	  
		| "None" -> Jc_env.InvNone
		| "Arguments" -> Jc_env.InvArguments
		| "Ownership" -> Jc_env.InvOwnership
		| _ -> lex_error lexbuf ("unknown invariant policy " ^ v)
	  end  
      | "SeparationPolicy" ->
	  begin
	    Jc_options.separation_sem :=
	      match v with
		| "None" -> Jc_env.SepNone
		| "Regions" -> Jc_env.SepRegions
		| _ -> lex_error lexbuf ("unknown separation policy " ^ v)
	  end  
      | "AnnotationPolicy" ->
	  begin
	    Jc_options.annotation_sem :=
	      match v with
		| "None" -> Jc_env.AnnotNone
		| "Invariants" -> Jc_env.AnnotInvariants
		| "ElimPre" -> Jc_env.AnnotElimPre
		| "StrongPre" -> Jc_env.AnnotStrongPre
		| "WeakPre" -> Jc_env.AnnotWeakPre
		| _ -> lex_error lexbuf ("unknown annotation policy " ^ v)
	  end  
      | "AbstractDomain" ->
	  begin
	    Jc_options.ai_domain :=
	      match v with
		| "None" -> Jc_env.AbsNone 
		| "Box" -> Jc_env.AbsBox 
		| "Oct" -> Jc_env.AbsOct 
		| "Pol" -> Jc_env.AbsPol 
		| _ -> lex_error lexbuf ("unknown abstract domain " ^ v)
	  end  
      | "IntModel" ->
	  begin
	    Jc_options.set_int_model
	      (match v with
		 | "bounded" -> Jc_env.IMbounded
		 | "modulo" -> Jc_env.IMmodulo 
		 | _ -> lex_error lexbuf ("unknown int model " ^ v))
	  end  
      | "FloatModel" ->
	  begin
	    Jc_options.float_model := 
	      (match v with
	         | "math" -> Jc_env.FMmath
		 | "defensive" -> Jc_env.FMdefensive
		 | "full" -> Jc_env.FMfull
		 | "multirounding" -> Jc_env.FMmultirounding
		 | _ -> lex_error lexbuf ("unknown float model " ^ v))
	  end  
      | "FloatRoundingMode" ->
	  begin
	    Jc_options.current_rounding_mode :=
	      (match v with
		 | "nearestEven" -> Jc_env.FRMNearestEven
		 | "down" -> Jc_env.FRMDown
		 | "up" -> Jc_env.FRMUp
		 | "toZero" -> Jc_env.FRMToZero
		 | "nearestAway" -> Jc_env.FRMNearestAway 
		 | _ -> lex_error lexbuf ("unknown float rounding mode " ^ v))
	  end 
      | "FloatInstructionSet" ->
	  begin
	    Jc_options.float_instruction_set :=
	      (match v with
		 | "x87" -> Jc_env.FISx87
		 | "ieee754" -> Jc_env.FISstrictIEEE754
		 | _ -> lex_error lexbuf ("unknown float instruction set " ^ v))
	  end 
      | "TerminationPolicy" ->
	  begin
	    Jc_options.termination_policy :=
	      (match v with
		 | "always" -> Jc_env.TPalways
		 | "never" -> Jc_env.TPnever
		 | "user" -> Jc_env.TPuser
		 | _ -> lex_error lexbuf ("unknown termination policy " ^ v))
	  end 
      | _ -> lex_error lexbuf ("unknown pragma " ^ id)

(*
 let float_suffix = function
    | None -> `Real
    | Some('f' | 'F') -> `Single
    | Some('d' | 'D') -> `Double
    | _ -> assert false
*)

}

let space = [' ' '\t' '\012' '\r']
let backslash_escapes =
  ['\\' '"' '\'' 'n' 't' 'b' 'r' 'f' ]
let rD = ['0'-'9']
let rL = ['a'-'z' 'A'-'Z' '_']
let rH = ['a'-'f' 'A'-'F' '0'-'9']
let rE = ['E''e']['+''-']? rD+
let rP = ['P''p']['+''-']? rD+
(*
 let rFS	= ('f'|'F'|'l'|'L')
*)
let rIS = ('u'|'U'|'l'|'L')*

rule token = parse
  | [' ' '\t' '\012' '\r']+ { token lexbuf }
  | '\n'                    { newline lexbuf; token lexbuf }
  | "/*@" | "//@"           { lex_error lexbuf "annotations should not be in @ comments" }
  | "/*"                    { comment lexbuf; token lexbuf }
  | "//" [^ '\n']* '\n'     { newline lexbuf; token lexbuf }
  | "abstract"              { ABSTRACT }
  | "allocates"             { ALLOCATES }
  | "and"                   { AND }
  | "as"                    { AS }
  | "assert"                { ASSERT }
  | "assigns"               { ASSIGNS }
  | "assumes"               { ASSUMES }
  | "axiom"                 { AXIOM }
  | "axiomatic"             { AXIOMATIC }
  | "behavior"              { BEHAVIOR }
  | "boolean"               { BOOLEAN }
  | "break"                 { BREAK }
  | "case"                  { CASE }
  | "catch"                 { CATCH }
  | "check"                 { CHECK }
  | "continue"              { CONTINUE }
  | "decreases"             { DECREASES }
  | "default"               { DEFAULT }
  | "do"                    { DO }
  | "double"                { Jc_options.has_floats := true; DOUBLE }
  | "else"                  { ELSE }
  | "end"                   { END }
  | "ensures"               { ENSURES }
  | "exception"             { EXCEPTION }
  | "false"                 { CONSTANT (JCCboolean false) }
  | "finally"               { FINALLY }
  | "float"                 { Jc_options.has_floats := true; FLOAT }
  | "for"                   { FOR }
  | "free"                  { FREE }
  | "goto"                  { GOTO }
  | "hint"                  { HINT }
  | "if"                    { IF }
  | "in"                    { IN }
  | "integer"               { INTEGER }
  | "invariant"             { INVARIANT }
  | "lemma"                 { LEMMA }
  | "let"                   { LET }
  | "logic"                 { LOGIC }
  | "loop"                  { LOOP }
  | "match"                 { MATCH }
  | "new"                   { NEW }
  | "null"                  { NULL }
  | "of"                    { OF }
  | "pack"                  { PACK }
  | "predicate"             { PREDICATE }
  | "reads"                 { READS }
  | "real"                  { REAL}
  | "rep"                   { REP }
  | "requires"              { REQUIRES }
  | "return"                { RETURN }
  | "switch"                { SWITCH }
  | "tag"                   { TAG }
  | "then"                  { THEN }
  | "throw"                 { THROW }
  | "throws"                { THROWS }
  | "true"                  { CONSTANT (JCCboolean true) }
  | "try"                   { TRY }
  | "type"                  { TYPE }
  | "unit"                  { UNIT }
  | "unpack"                { UNPACK }
  | "var"                   { VAR }
  | "variant"               { VARIANT }
  | "while"                 { WHILE }
  | "with"                  { WITH }
  | "\\absolute_address"    { BSABSOLUTE_ADDRESS }
  | "\\address"             { BSADDRESS }
  | "\\at"                  { BSAT }
  | "\\base_block"          { BSBASE_BLOCK }
  | "\\bottom"              { BSBOTTOM }
  | "\\exists"              { BSEXISTS }
  | "\\forall"              { BSFORALL }
  | "\\fresh"               { BSFRESH }
  | "\\mutable"             { BSMUTABLE }
  | "\\nothing"             { BSNOTHING }
  | "\\offset_max"          { BSOFFSET_MAX }
  | "\\offset_min"          { BSOFFSET_MIN }
  | "\\old"                 { BSOLD }
  | "\\result"              { BSRESULT }
  | "\\typeeq"              { BSTYPEEQ }
  | "\\typeof"              { BSTYPEOF }
  | "\\" rL (rL | rD)* as s { special_id lexbuf s }
(*
  | "#" [' ' '\t']* (['0'-'9']+ as num) [' ' '\t']*
        ("\"" ([^ '\010' '\013' '"' ] * as name) "\"")?
        [^ '\010' '\013'] * '\n'
      { update_loc lexbuf name (int_of_string num) true 0;
        token lexbuf }
  | '#' [^'\n']* '\n'       { newline lexbuf; token lexbuf }
*)
  | '#' space* ((rL | rD)+ as id) space* "=" 
        space* ((rL | rD)+ as v) space* '\n'
      { pragma lexbuf id v; newline lexbuf; token lexbuf } 
  | '#' ' '* "Gen_Separation" { PRAGMA_GEN_SEP }
  | '#' ' '* "Gen_Frame" { PRAGMA_GEN_FRAME }
  | '#' ' '* "Gen_Sub" { PRAGMA_GEN_SUB }
  | '#' ' '* "Gen_Same_Footprint" { PRAGMA_GEN_SAME }
  | rL (rL | rD)*           { match lexeme lexbuf with
				| "_" -> UNDERSCORE
				| s -> IDENTIFIER s }

  | '0'['x''X'] rH+ rIS?    { CONSTANT (JCCinteger (lexeme lexbuf)) }
  | '0' rD+ rIS?            { CONSTANT (JCCinteger (lexeme lexbuf)) }
  | rD+ rIS?                { CONSTANT (JCCinteger (lexeme lexbuf)) }
  | 'L'? "'" [^ '\n' '\'']+ "'"     { CONSTANT (JCCinteger (lexeme lexbuf)) }

  | ('0'['x''X'] rH+ '.' rH* rP) as pre
  | ('0'['x''X'] rH* '.' rH+ rP) as pre
  | ('0'['x''X'] rH+ rP) as pre
  | (rD+ rE) as pre  
  | (rD* "." rD+ (rE)?) as pre  
  | (rD+ "." rD* (rE)?) as pre   
      { CONSTANT (JCCreal pre) }

      (* trick to deal with intervals like 0..10 *)

  | (rD+ as n) ".."         { raise (Dotdot n) }

      (* character constants *)

  | '"'                     { Buffer.clear buf; STRING_LITERAL(string lexbuf) }

(*
  | ">>="                   { RIGHT_ASSIGN }
  | "<<="                   { LEFT_ASSIGN }
*)
  | "+="                    { PLUSEQ }
  | "-="                    { MINUSEQ }
  | "*="                    { STAREQ }
  | "/="                    { SLASHEQ }
  | "%="                    { PERCENTEQ }
  | "&="                    { AMPEQ }
  | "^="                    { CARETEQ }
  | "|="                    { BAREQ }
  | ">>>"                   { ARSHIFT }
  | ">>"                    { LRSHIFT }
  | "<<"                    { LSHIFT }
  | "++"                    { PLUSPLUS }
  | "--"                    { MINUSMINUS }
  | "&&"                    { AMPAMP }
  | "||"                    { BARBAR }
  | "==>"                   { EQEQGT }
  | "<==>"                  { LTEQEQGT }
  | "<="                    { LTEQ }
  | ">="                    { GTEQ }
  | "=="                    { EQEQ }
  | "!="                    { BANGEQ }
  | ";"                     { SEMICOLON }
  | ";;"                    { SEMISEMI }
  | "{"                     { LBRACE }
  | "}"                     { RBRACE }
  | ","                     { COMMA }
  | ":"                     { COLON }
  | "="                     { EQ }
  | "()"                    { LPARRPAR }
  | "("                     { LPAR }
  | ")"                     { RPAR }
  | "["                     { LSQUARE }
  | "]"                     { RSQUARE }
  | "."                     { DOT }
  | ".."                    { DOTDOT }
  | "..."                   { DOTDOTDOT }
  | "<:"                    { LTCOLON } 
  | ":>"                    { COLONGT } 
  | "&"                     { AMP }
  | "!"                     { EXCLAM }
  | "~"                     { TILDE }
  | "-"                     { MINUS }
  | "+"                     { PLUS }
  | "*"                     { STAR }
  | "/"                     { SLASH }
  | "%"                     { PERCENT }
  | "<"                     { LT }
  | ">"                     { GT }
  | "^"                     { HAT }
  | "|"                     { PIPE }
  | "?"                     { QUESTION }
  | "@"                     { AT }
  | "->"                    { MINUSGT }
  | eof { EOF }
  | '"' { lex_error lexbuf "unterminated string" }
  | _   { lex_error lexbuf ("illegal character " ^ lexeme lexbuf) }

and comment = parse
  | "*/" { () }
  | "/*" { comment lexbuf ; comment lexbuf }
  | eof  { lex_error lexbuf "unterminated comment" }
  | '\n' { newline lexbuf; comment lexbuf }
  | _    { comment lexbuf }

and string = parse
  | '"'
      { Buffer.contents buf }
  | '\\' backslash_escapes
      { Buffer.add_string buf (lexeme lexbuf);
	string lexbuf }
  | '\\' _ 
      { lex_error lexbuf "unknown escape sequence in string" }
  | ['\n' '\r']
      { (* no \n anymore in strings since java 1.4 *)
	lex_error lexbuf "string not terminated"; }
  | [^ '\n' '\\' '"']+ 
      { Buffer.add_string buf (lexeme lexbuf); string lexbuf }
  | eof
      { lex_error lexbuf "string not terminated" }

      
{

let dotdot_mem = ref false
 
let next_token lexbuf =
  if !dotdot_mem then
    begin
      dotdot_mem := false;
      DOTDOT
    end
  else
    begin
      try
	token lexbuf
      with
	Dotdot(n) ->
	  dotdot_mem := true;
	  CONSTANT(JCCinteger n)
    end

  let parse f c =
    let lb = from_channel c in
    lb.lex_curr_p <- { lb.lex_curr_p with pos_fname = f };
    try
      Jc_parser.file next_token lb
    with Parsing.Parse_error ->
      Jc_options.parsing_error (loc lb) ""
	
}


(*
Local Variables: 
compile-command: "make -C .. bin/jessie.byte"
End: 
*)

why-2.39/jc/jc_envset.mli0000644000106100004300000001014113147234006014305 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



module type OrderedType =
sig
  type t
  val equal : t -> t -> bool
  val compare : t -> t -> int
end

module type OrderedHashedType =
sig
  type t
  val equal : t -> t -> bool
  val compare : t -> t -> int
  val hash : t -> int
end

open Jc_env
open Jc_stdlib

module StringSet : Set.S with type elt = string

module StringMap : Map.S with type key = string 

val get_unique_name : ?local_names:StringSet.t -> string -> string

val is_pointer_type : Jc_env.jc_type -> bool
val is_nonnull_pointer_type : Jc_env.jc_type -> bool
val is_integral_type: jc_type -> bool

val is_embedded_field : Jc_env.field_info -> bool

module VarOrd : OrderedHashedType with type t = var_info

module VarSet : Set.S with type elt = var_info

module VarMap : Map.S with type key = var_info

module StructSet : Set.S with type elt = struct_info

module StructMap : Map.S with type key = struct_info

module VariantSet : Set.S with type elt = root_info

module VariantMap : Map.S with type key = root_info

module ExceptionSet : Set.S with type elt = exception_info

module ExceptionMap : Map.S with type key = exception_info

module StructOrd : OrderedHashedType with type t = struct_info

module VariantOrd : OrderedHashedType with type t = root_info

module FieldOrd : OrderedHashedType with type t = field_info

module FieldSet : Set.S with type elt = field_info

module FieldMap : Map.S with type key = field_info

module FieldTable : Hashtbl.S with type key = field_info

module MemClass : OrderedHashedType with type t = mem_class

module MemClassSet : Set.S with type elt = mem_class

module AllocClass : OrderedHashedType with type t = alloc_class

module PointerClass : OrderedHashedType with type t = pointer_class

module LogicLabelSet : Set.S with type elt = label

module TypeVarOrd : OrderedHashedType with type t = type_var_info
module TypeVarMap : Map.S with type key = type_var_info

(*
Local Variables: 
compile-command: "make -C .. bin/jessie.byte"
End: 
*)

why-2.39/jc/jc_constructors.ml0000644000106100004300000005316713147234006015417 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



open Jc_env
open Jc_region
open Jc_ast 
open Jc_fenv

class positioned ~pos =
object
  method pos: Loc.position = 
    match pos with None -> Loc.dummy_position | Some pos -> pos 
end

class typed ~typ =
object
  method typ: jc_type = typ
end

class labeled ~label =
object
  val mutable llab: label option = label
  method label = llab
  method set_label lab = llab <- lab
end

class marked ~mark =
object
  method mark: string = mark
end

class regioned ~region =
object
  val mutable r: region = region
  method region = r
  method set_region x = r <- x
end

class identifier ?pos name = 
object
  inherit positioned pos
  method name: string = name
end

class ['a] node_positioned ?pos node = 
object
  inherit positioned pos
  method node: 'a = node
end

class ptype ?(pos = Loc.dummy_position) node = 
object
  inherit [ptype_node] node_positioned ~pos node
end

class pexpr ?(pos = Loc.dummy_position) node =
object
  inherit [pexpr_node] node_positioned ~pos node
end

class pexpr_with ?pos ?node e =
  let pos = match pos with None -> e#pos | Some pos -> pos in
  let node = match node with None -> e#node | Some node -> node in
  pexpr ~pos node

class nexpr ?(pos = Loc.dummy_position) ?label node =
object
  inherit labeled label
  inherit [nexpr_node] node_positioned ~pos node
end

(* dead code
class nexpr_with ?pos ?node e =
  let pos = match pos with None -> e#pos | Some pos -> pos in
  let node = match node with None -> e#node | Some node -> node in
  let llab = e#label in
  nexpr ~pos ~label:llab node
*)

class pattern ?(pos = Loc.dummy_position) ~typ node =
object
  inherit typed typ
  inherit [pattern_node] node_positioned ~pos node
end

(* dead code
class pattern_with ?pos ?node ?typ p =
  let pos = match pos with None -> p#pos | Some pos -> pos in
  let node = match node with None -> p#node | Some node -> node in
  let typ = match typ with None -> p#typ | Some typ -> typ in
  pattern ~pos ~typ node
*)

class term ?(pos = Loc.dummy_position) ~typ ?(mark="") ?label ?region node =
  let region = 
    match region with None -> dummy_region | Some region -> region 
  in
object
  inherit typed typ
  inherit regioned region
  inherit marked mark
  inherit labeled label
  inherit [term_node] node_positioned ~pos node
end

class term_with ?pos ?typ ?mark ?region ?node t =
  let pos = match pos with None -> t#pos | Some pos -> pos in
  let typ = match typ with None -> t#typ | Some typ -> typ in
  let mark = 
    match mark with None -> t#mark | Some mark -> mark 
  in
  let llab = t#label in
  let region = match region with None -> t#region | Some region -> region in
  let node = match node with None -> t#node | Some node -> node in
  term ~pos ~typ ~mark ?label:llab ~region node

class term_var ?(pos = Loc.dummy_position) ?(mark="") v =
  term ~pos ~typ:v.jc_var_info_type ~mark ~region:v.jc_var_info_region
    (JCTvar v)

class location ?(pos = Loc.dummy_position) ~typ ?label ?region node =
  let region = 
    match region with None -> dummy_region | Some region -> region 
  in
object
  inherit typed typ
  inherit regioned region
  inherit labeled label
  inherit [location_node] node_positioned ~pos node
end

(* ignore argument's label *)
class location_with ?pos ~typ ?label ?region ~node t =
  let pos = match pos with None -> t#pos | Some pos -> pos in
  let region = match region with None -> t#region | Some region -> region in
  location ~pos ~typ ?label ~region node

class location_set ?(pos = Loc.dummy_position) ~typ ?label ?region node =
  let region = 
    match region with None -> dummy_region | Some region -> region 
  in
object
  inherit typed typ
  inherit regioned region
  inherit labeled label
  inherit [location_set_node] node_positioned ~pos node
end

(* ignore argument's label *)
class location_set_with ?pos ~typ ?label ?region ~node t =
  let pos = match pos with None -> t#pos | Some pos -> pos in
  let region = match region with None -> t#region | Some region -> region in
  location_set ~pos ~typ ?label ~region node

class expr ?(pos = Loc.dummy_position) ~typ ?(mark="") ?region
  ?original_type node =
  let region = 
    match region with None -> dummy_region | Some region -> region 
  in
object
  inherit typed typ
  inherit regioned region
  inherit marked mark
  inherit [expr_node] node_positioned ~pos node
  method original_type = 
    match original_type with None -> typ | Some original_type -> original_type
end

class expr_with ?pos ?typ ?mark ?region ?node ?original_type e =
  let pos = match pos with None -> e#pos | Some pos -> pos in
  let typ = match typ with None -> e#typ | Some typ -> typ in
  let mark = 
    match mark with None -> e#mark | Some mark -> mark 
  in
  let region = match region with None -> e#region | Some region -> region in
  let node = match node with None -> e#node | Some node -> node in
  let original_type = match original_type with
    | None -> e#original_type
    | Some original_type -> original_type
  in
  expr ~pos ~typ ~mark ~region ~original_type node

class assertion ?(mark="") ?label ?(pos = Loc.dummy_position) node =
object
  inherit marked mark
  inherit labeled label
  inherit [assertion_node] node_positioned ~pos node
end

class assertion_with ?pos ?mark ?node a =
  let pos = match pos with None -> a#pos | Some pos -> pos in
  let mark = 
    match mark with None -> a#mark | Some mark -> mark 
  in
  let llab = a#label in
  let node = match node with None -> a#node | Some node -> node in
  assertion ~pos ~mark ?label:llab node

class ['expr] ptag ?(pos = Loc.dummy_position) node =
object
  inherit ['expr ptag_node] node_positioned ~pos node
end

class ['expr] ptag_with ?pos ?node t =
  let pos = match pos with None -> t#pos | Some pos -> pos in
  let node = match node with None -> t#node | Some node -> node in
  ['expr] ptag ~pos node

class tag ?(pos = Loc.dummy_position) node =
object
  inherit [tag_node] node_positioned ~pos node
end

class tag_with ?pos ?node t =
  let pos = match pos with None -> t#pos | Some pos -> pos in
  let node = match node with None -> t#node | Some node -> node in
  tag ~pos node

class ['expr] decl ?(pos = Loc.dummy_position) node =
object
  inherit ['expr decl_node] node_positioned ~pos node
end

(* dead code
class ['expr] decl_with ?pos ?node t =
  let pos = match pos with None -> t#pos | Some pos -> pos in
  let node = match node with None -> t#node | Some node -> node in
  ['expr] decl ~pos node
*)

(*******************************************************************************)
(*                             constant constructors                           *)
(*******************************************************************************)

(* These functions also exist in the other constructor modules such as PExpr. *)
module Const = struct
  let mkvoid = JCCvoid
  let mknull = JCCnull
  let mkboolean value = JCCboolean value
  let mkint ?value ?valuestr () =
    match value, valuestr with
      | Some value, None -> JCCinteger (string_of_int value)
      | None, Some valuestr -> JCCinteger valuestr
      | _ -> failwith "Jc_constructors.Const.mkint: use with ~value OR \
~valuestr only"
(*
  let mkreal ?value ?valuestr () =
    match value, valuestr with
      | Some value, None -> JCCreal (string_of_float value)
      | None, Some valuestr -> JCCreal(valuestr)
      | _ -> failwith "Jc_constructors.Const.mkint: use with ~value OR \
~valuestr only"
*)
end

(*******************************************************************************)
(*                               pexpr constructors                            *)
(*******************************************************************************)

(*
let oo a b = match a with
  | None -> b
  | Some a -> a
*)

module PExpr = struct
  let mk ?pos ~node () = new pexpr ?pos node

  let mkconst ~const = mk ~node:(JCPEconst const)
  let mkvoid = mkconst ~const:Const.mkvoid
  let mknull = mkconst ~const:Const.mknull
  let mkboolean ~value = mkconst ~const:(Const.mkboolean value)
  let mkint ?value ?valuestr = mkconst ~const:(Const.mkint ?value ?valuestr ())
(* dead code
  let mkreal ?value ?valuestr = mkconst ~const:(Const.mkreal ?value ?valuestr ())
*)

  let mkbinary ~expr1 ~op ~expr2 = mk ~node:(JCPEbinary(expr1, op, expr2))
  let mkbinary_list ~default ~op ?expr1 ?expr2 ?list ?pos
      () =
    match expr1, expr2, list with
      | None, None, Some el ->
	  begin
	    match el with
	      | [] -> default
	      | e::el ->
            List.fold_left
              (fun expr2 expr1 -> mkbinary ?pos ~expr1 ~expr2 ~op ())
              e el
	  end
      | Some expr1, Some expr2, None -> mkbinary ~expr1 ~op ~expr2 ?pos ()
      | _ -> failwith "Jc_constructors.PExpr.mkbinary_list should be used \
either with (~expr1 AND ~expr2) OR ~list only."
  let mkand = mkbinary_list ~default:(mkboolean ~value:true ()) ~op:`Bland
  let mkor = mkbinary_list ~default:(mkboolean ~value:false ()) ~op:`Blor
  let mkadd = mkbinary_list ~default:(mkint ~value:0 ()) ~op:`Badd

  let mklabel ~label ~expr = mk ~node:(JCPElabel(label, expr))
  let mkvar ~name = mk ~node:(JCPEvar name)
  let mkderef ~expr ~field = mk ~node:(JCPEderef(expr, field))
  let mkunary ~expr ~op = mk ~node:(JCPEunary(op, expr))
  let mkapp ~fun_name ?(labels = []) ?(args = []) =
    mk ~node:(JCPEapp(fun_name, labels, args))
  let mkassign ~location ~value ?field ?op =
    let location = match field with
      | None -> location
      | Some field -> mkderef ~expr:location ~field:field ()
    in
    match op with
      | None -> mk ~node:(JCPEassign(location, value))
      | Some op -> mk ~node:(JCPEassign_op(location, op, value))
  let mkinstanceof ~expr ~typ = mk ~node:(JCPEinstanceof(expr, typ))
  let mkcast ~expr ~typ = mk ~node:(JCPEcast(expr, typ))
  let mkquantifier ~quantifier ~typ ~vars ?(triggers=[]) ~body =
    mk ~node:(JCPEquantifier(quantifier, typ, vars, triggers, body))
  let mkforall = mkquantifier ~quantifier:Forall
(* dead code
  let mkexists = mkquantifier ~quantifier:Exists
  let mkold ~expr = mk ~node:(JCPEold expr)
*)
  let mkat ~expr ~label = mk ~node:(JCPEat(expr, label))
  let mkfresh ~expr = mk ~node:(JCPEfresh(expr))
  let mkoffset ~kind ~expr = mk ~node:(JCPEoffset(kind, expr))
(*
  let mkoffset_min = mkoffset ~kind:Offset_min
*)
  let mkoffset_max = mkoffset ~kind:Offset_max
  let mkif ~condition ~expr_then ?(expr_else = mkvoid ()) =
    mk ~node:(JCPEif(condition, expr_then, expr_else))
  let mkblock ~exprs = mk ~node:(JCPEblock exprs)
  let mkdecl ~typ ~var ?init = mk ~node:(JCPEdecl(typ, var, init))
  let mklet ?typ ~var ?init ~body ?pos () =
    match typ with
      | None -> mk ~node:(JCPElet(typ, var, init, body)) ?pos ()
      | Some typ ->
	  mkblock ~exprs:[
	    mkdecl ~typ ~var ?init ?pos ();
	    body
	  ] ?pos ()
  let mklet_nodecl ?typ ~var ?init ~body =
    mk ~node:(JCPElet(typ, var, init, body))
  let mkrange ?left ?right ?locations ?pos () =
    let r = mk ~node:(JCPErange(left, right)) ?pos () in
    match locations with
      | None -> r
      | Some l -> mkadd ~expr1:l ~expr2:r ?pos ()
  let mkalloc ?(count = mkint ~value:1 ()) ~typ =
    mk ~node:(JCPEalloc(count, typ))
(*
  let mkfree ~expr = mk ~node:(JCPEfree expr)
  let mkmutable ~expr ~tag = mk ~node:(JCPEmutable(expr, tag))
  let mktag_equality ~tag1 ~tag2 = mk ~node:(JCPEeqtype(tag1, tag2))
  let mkmatch ~expr ~cases = mk ~node:(JCPEmatch(expr, cases))
*)
  let mkassert ?(behs=[]) ~expr = 
    mk ~node:(JCPEassert (behs,Aassert,expr))
  let mkwhile ?(condition = mkboolean ~value:true ())
      ?(behaviors = []) ?variant ~body =
    mk ~node:(JCPEwhile(condition, behaviors, variant, body))
  let mkfor ?(inits = []) ?(condition = mkboolean ~value:true ())
      ?(updates = []) ?(behaviors = []) ?variant ~body =
    mk ~node:(JCPEfor(inits, condition, updates, behaviors, variant, body))
  let mkreturn ?(expr = mkvoid ()) = mk ~node:(JCPEreturn expr)
  let mkbreak ?(label = "") = mk ~node:(JCPEbreak label)
  let mkcontinue ?(label = "") = mk ~node:(JCPEcontinue label)
(*
  let mkgoto ~label = mk ~node:(JCPEgoto label)
*)
  let mktry ~expr ?(catches = []) ?(finally = mkvoid ()) =
    mk ~node:(JCPEtry(expr, catches, finally))
  let mkthrow ~exn ?(argument = mkvoid ()) = mk ~node:(JCPEthrow(exn, argument))
(*
  let mkpack ~expr ?tag = mk ~node:(JCPEpack(expr, tag))
  let mkunpack ~expr ?tag = mk ~node:(JCPEunpack(expr, tag))
*)
  let mkswitch ~expr ?(cases = []) = mk ~node:(JCPEswitch(expr, cases))

  let mkcatch ~exn ?(name = "") ?body ?pos () =
    exn, name, (match body with None -> mkvoid ?pos () | Some body -> body)

  let mkshift ~expr ~offset = mkadd ~expr1:expr ~expr2:offset
  let mknot = mkunary ~op:`Unot
  let mkeq = mkbinary ~op:`Beq
  let mkimplies = mkbinary ~op:`Bimplies
  let mkiff = mkbinary ~op:`Biff
  let mkincr_heap ~expr ~field ?(op = `Upostfix_inc) =
    mkunary ~op ~expr:(mkderef ~expr ~field ())

  let mkcontract ~requires ~decreases ~behaviors ~expr =
    mk ~node:(JCPEcontract(requires, decreases, behaviors, expr))
end

module PDecl = struct
  open PExpr

  let mk ?pos ~node () =
    new node_positioned ?pos node
  let mkfun_def ?(result_type = new ptype (JCPTnative Tunit)) ~name
      ?(params = []) ?(clauses = []) ?body =
    mk ~node:(JCDfun(result_type, name, params, clauses, body))
  let mklemma_def ~name ?(axiom = false) ?(poly_args=[]) ?(labels = []) ~body =
    mk ~node:(JCDlemma(name, axiom, poly_args, labels, body))
  let mklogic_var_def ~typ ~name ?body =
    mk ~node:(JCDlogic_var(typ, name, body))
  let mklogic_def ?typ ~name ?(poly_args = []) ?(labels = []) ?(params = []) 
      ?reads ?body ?inductive = 
    let roe = match reads, body, inductive with
      | None, None, None -> JCnone
      | Some r, None, None -> JCreads r
      | None, Some b, None -> JCexpr b
      | None, None, Some l -> JCinductive l 
      | _ ->
          raise
            (Invalid_argument "mklogic_def: cannot use both ~reads and ~body and ~inductive")
    in
    mk ~node:(JCDlogic(typ, name, poly_args, labels, params, roe))
      
  let mkaxiomatic ~name ~decls =
    mk ~node:(JCDaxiomatic(name,decls))
  let mklogic_type ?(args = []) ~name =
    mk ~node:(JCDlogic_type(name,args))
  let mkvar_def ~typ ~name ?init =
    mk ~node:(JCDvar(typ, name, init))
  let mkglobal_inv_def ~name ~body =
    mk ~node:(JCDglobal_inv(name, body))
  let mktag_def ~name ?(params = []) ?super ?(fields = []) ?(invariants = []) =
    mk ~node:(JCDtag(name, params, super, fields, invariants))
  let mkenum_type_def ~name ~left ~right =
    mk ~node:(JCDenum_type(name, left, right))
  let mkexception_def ~name ?arg_type =
    mk ~node:(JCDexception(name, arg_type))
  let mkvariant_type_def ~name ?(tags = []) =
    mk ~node:(JCDvariant_type(name, tags))

  let mkinvariant_policy_def ~value = mk ~node:(JCDinvariant_policy value)
  let mkseparation_policy_def ~value = mk ~node:(JCDseparation_policy value)
  let mktermination_policy_def ~value = mk ~node:(JCDtermination_policy value)
  let mkannotation_policy_def ~value = mk ~node:(JCDannotation_policy value)
  let mkabstract_domain_def ~value = mk ~node:(JCDabstract_domain value)
(*
  let mkint_model_def ~value = mk ~node:(JCDint_model value)
*)

  let mkbehavior ?(pos = Loc.dummy_position) ~name ?throws ?assumes ?requires
      ?assigns ?allocates ?(ensures = mkboolean ~value:true ()) () =
    (pos, name, throws, assumes, requires, assigns, allocates, ensures)

  let mkrequires_clause expr = JCCrequires expr

  let mkdecreases_clause ?measure expr = JCCdecreases(expr,measure)

  let mkbehavior_clause ?(pos = Loc.dummy_position) ~name ?throws ?assumes ?requires
      ?assigns ?allocates ?(ensures = mkboolean ~value:true ()) () =
      JCCbehavior (mkbehavior ~pos ~name ?throws ?assumes ?requires ?assigns ?allocates ~ensures ())

(*
  let mkbehavior_clause_with ?pos ?name ?throws ?assumes ?requires ?assigns ?allocates ?ensures =
    function
      | JCCbehavior(pos', name', throws', assumes', requires', assigns',
                    allocates', ensures') ->
          JCCbehavior(
            oo pos pos',
            oo name name',
            oo throws throws',
            oo assumes assumes',
            oo requires requires',
            oo assigns assigns',
            oo allocates allocates',
            oo ensures ensures'
          )
      | _ -> raise (Invalid_argument "mkbehavior_with")
*)
  let mkassigns ?(pos = Loc.dummy_position) ?(locations = []) () =
    pos, locations

(*
  let mktag_invariant ~name ~var ~body = name, var, body
  let behavior_ensures = function
    | JCCbehavior(_, _, _, _, _, _, _, e) -> e
    | _ -> raise (Invalid_argument "behavior_ensures")
*)
end


(******************************************************************************)
(*                              nexpr constructors                            *)
(******************************************************************************)

module NExpr = struct
  let mk ?pos ~node () = new nexpr ?pos node

  let mkcast ~expr ~typ = mk ~node:(JCNEcast(expr, typ))
end


(*******************************************************************************)
(*                               expr constructors                             *)
(*******************************************************************************)

module Expr = struct
  let mk ?pos ~typ ?mark ?region ?original_type ~node () =
    new expr ?pos ~typ ?mark ?region ?original_type node

  let mkconst ~const = mk ~typ:(JCTnative Tinteger) ~node:(JCEconst const)
  let mkint ?value ?valuestr = mkconst ~const:(Const.mkint ?value ?valuestr ())
  let mkbinary ~expr1 ~op ~expr2 = mk ~node:(JCEbinary(expr1, op, expr2))

  let mklet ~var ?init ~body =
    mk ~typ:var.jc_var_info_type ~node:(JCElet(var, init, body))
  let mkvar ~var = 
    mk ~typ:var.jc_var_info_type ~node:(JCEvar var)

  let is_app e = match e#node with JCEapp _ -> true | _ -> false
end

(*******************************************************************************)
(*                               term constructors                             *)
(*******************************************************************************)

module Term = struct
  let mk ?pos ~typ ?mark ?region ~node () =
    new term ?pos ~typ ?mark ?region node

  let mkconst ~const = mk ~typ:(JCTnative Tinteger) ~node:(JCTconst const)
  let mkint ?value ?valuestr = mkconst ~const:(Const.mkint ?value ?valuestr ())
  let mkbinary ~term1 ~op ~term2 = mk ~node:(JCTbinary(term1, op, term2))

  let mkvar ~var = 
    mk ~typ:var.jc_var_info_type ~node:(JCTvar var)
end

(*******************************************************************************)
(*                           assertion constructors                            *)
(*******************************************************************************)

module Assertion = struct
  let mk ?pos ?mark ~node () =
    new assertion ?pos ?mark node

  let fake ?pos:_ ?mark:_ ~value () = 
    value

  let is_true a = 
    match a#node with 
      | JCAtrue -> true
      | JCAbool_term t when t#node = JCTconst(JCCboolean true) -> true
      | _ -> false
    
  let is_false a =
    match a#node with 
      | JCAfalse -> true
      | JCAbool_term t when t#node = JCTconst(JCCboolean false) -> true
      | _ -> false

  let mktrue = mk ~node:JCAtrue
  let mkfalse = mk ~node:JCAfalse

  let mkand ~conjuncts =
    (* optimization *)
    let conjuncts = List.filter (fun a -> not (is_true a)) conjuncts in
    match conjuncts with
      | [] -> mktrue
      | [a] -> fake ~value:a
      | alist -> mk ~node:(JCAand alist)

  let mkor ~disjuncts = 
    (* optimization *)
    let disjuncts = List.filter (fun a -> not (is_false a)) disjuncts in
    match disjuncts with
      | [] -> mkfalse
      | [a] -> fake ~value:a
      | alist -> mk ~node:(JCAor alist)

  let mknot ~asrt:a = mk ~node:(JCAnot a)
end

(*
Local Variables: 
compile-command: "LC_ALL=C nice make -j -C .. byte"
End: 
*)
why-2.39/jc/jc_norm.mli0000644000106100004300000000455513147234006013770 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



open Jc_ast

val decls : pexpr decl list -> nexpr decl list

val return_label : identifier

(*
Local Variables: 
compile-command: "LC_ALL=C make -C .. bin/jessie.byte"
End: 
*)
why-2.39/jc/jc_interp.ml0000644000106100004300000045444113147234006014150 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(*
open Jc_stdlib
*)
open Jc_env
open Jc_envset
open Jc_region
open Jc_ast
open Jc_fenv

open Jc_name
open Jc_constructors
open Jc_pervasives
open Jc_struct_tools
open Jc_effect
open Jc_interp_misc
open Jc_invariants
open Jc_pattern

open Output
open Format
open Num

let unsupported = Jc_typing.typing_error

(******************************************************************************)
(*                            source positioning                              *)
(******************************************************************************)

let abs_fname f =
  if Filename.is_relative f then
    Filename.concat (Unix.getcwd ()) f
  else f

type source_ref =
    {
      in_mark: string;
      pos: Loc.position
    }

type gui_elem =
    {
      out_mark: string;
      kind: kind option;
      name: string option;
      beh: string option
    }

let reg_pos sce gui =
  if gui.out_mark <> "" && false (* Jc_stdlib.StdHashtbl.mem Output.my_pos_table gui.out_mark *) then 
    begin
      (* If GUI element already refered to in output table, do not
       * reference it twice. This is the case in particular for generated
       * annotations. *)
      gui.out_mark
    end
  else
    (* Generate a new mark if not fixed in GUI element *)
    let mark =
      if gui.out_mark = "" then
	Jc_pervasives.new_label_name()
      else gui.out_mark
    in
    let (n,f,l,b,e,k) =
      if sce.in_mark <> "" && Jc_stdlib.Hashtbl.mem Jc_options.pos_table sce.in_mark then
	(* If source location present in input table, copy information to
	 * output table. *)
	let (f,l,b,e,k,o) = Jc_stdlib.Hashtbl.find Jc_options.pos_table sce.in_mark in
	let n =
	  try match List.assoc "name" o with
            | Rc.RCident s | Rc.RCstring s -> Some s
            | _ -> raise Not_found
	  with Not_found -> gui.name
	in
	(n,f,l,b,e,k)
      else
        begin
	  (* By default, refer to the Jessie source file *)
	  let b,e = sce.pos in
	  let f = abs_fname b.Lexing.pos_fname in
	  let l = b.Lexing.pos_lnum in
	  let fc = b.Lexing.pos_cnum - b.Lexing.pos_bol in
	  let lc = e.Lexing.pos_cnum - b.Lexing.pos_bol in
	  (gui.name,f,l,fc,lc,None)
        end
    in
    (* If present, always prefer new kind *)
    let k = match gui.kind with None -> k | Some k -> Some k in
    my_add_pos mark (k,n,gui.beh,f,l,b,e);
    mark

let reg_check ?mark ?kind pos =
  let sce =
    { in_mark = Option_misc.map_default (fun x -> x) "" mark; pos = pos; }
  in
  let gui = { out_mark = ""; kind = kind; name = None; beh = None; } in
  reg_pos sce gui

let reg_decl ~in_mark ~out_mark ~name ~beh pos =
  let sce = { in_mark = in_mark; pos = pos; } in
  let gui =
    { out_mark = out_mark; kind = None; name = Some name; beh = Some beh; }
  in
  ignore (reg_pos sce gui)

let make_check ?mark ?kind pos e' =
  let mark = reg_check ?mark ?kind pos in
(*
  eprintf "Jc_interp.make_check: adding label %s@." mark;
*)
  make_label mark e'

let make_guarded_app ~mark kind pos f args =
  make_check ~mark ~kind pos (make_app f args)

(*
let print_locs fmt =
  Hashtbl.iter
    (fun id (kind,name,beh,(f,l,b,e)) ->
(*
       let f = b.Lexing.pos_fname in
       let l = b.Lexing.pos_lnum in
       let fc = b.Lexing.pos_cnum - b.Lexing.pos_bol in
       let lc = e.Lexing.pos_cnum - b.Lexing.pos_bol in
*)
       fprintf fmt "[%s]@\n" id;
       Option_misc.iter
         (fun k -> fprintf fmt "kind = %a@\n" print_kind k) kind;
       Option_misc.iter
         (fun n -> fprintf fmt "name = \"%s\"@\n" n) name;
       Option_misc.iter
	 (fun b -> fprintf fmt "behavior = \"%s\"@\n" b) beh;
       fprintf fmt "file = \"%s\"@\n" (String.escaped f);
       fprintf fmt "line = %d@\n" l;
       fprintf fmt "begin = %d@\n" b;
       fprintf fmt "end = %d@\n@\n" e)
    Output.pos_table
  *)

(******************************************************************************)
(*                                 Operators                                  *)
(******************************************************************************)

let native_operator_type op = match snd op with
  | `Unit -> Jc_pervasives.unit_type
  | `Boolean -> Jc_pervasives.boolean_type
  | `Integer -> Jc_pervasives.integer_type
  | `Real -> Jc_pervasives.real_type
  | `Double -> Jc_pervasives.double_type
  | `Float -> Jc_pervasives.float_type
  | `Binary80 -> JCTnative (Tgenfloat `Binary80)

let unary_op: expr_unary_op -> string = function
  | `Uminus, `Integer -> "neg_int"
  | `Uminus, `Real -> "neg_real"
  | `Unot, `Boolean -> "not"
  | `Ubw_not, `Integer -> "bw_compl"
  | _ -> assert false (* not proper type *)

let term_unary_op: expr_unary_op -> string = function
  | `Uminus, `Integer -> "neg_int"
  | `Uminus, `Real -> "neg_real"
  | `Unot, `Boolean -> "bool_not"
  | `Ubw_not, `Integer -> "bw_compl"
  | _ -> assert false (* not proper type *)

let float_model_has_safe_functions () =
  match !Jc_options.float_model with
    | FMdefensive | FMmultirounding -> true
    | FMmath | FMfull -> false


let float_format f =
  match f with
    | `Double -> "double"
    | `Float -> "single"
    | `Binary80 -> "binary80"

let float_operator f t =
  let s =
    match f with
      | `Badd -> "add_"
      | `Bsub -> "sub_"
      | `Bmul -> "mul_"
      | `Bdiv -> "div_"
      | `Uminus -> "neg_"
      | `Bmod -> assert false
  in
  if float_model_has_safe_functions() && (not (safety_checking()))
  then s ^ (float_format t) ^"_safe" else s^ (float_format t)



let logic_current_rounding_mode () =
  match !Jc_options.current_rounding_mode with
    | FRMNearestEven -> LVar "nearest_even"
    | FRMDown -> LVar "down"
    | FRMUp -> LVar "up"
    | FRMToZero -> LVar "to_zero"
    | FRMNearestAway -> LVar "nearest_away"

let current_rounding_mode () =
  match !Jc_options.current_rounding_mode with
    | FRMNearestEven -> mk_var "nearest_even"
    | FRMDown -> mk_var "down"
    | FRMUp -> mk_var "up"
    | FRMToZero -> mk_var "to_zero"
    | FRMNearestAway -> mk_var "nearest_away"

let bin_op: expr_bin_op -> string = function
    (* integer *)
  | `Bgt, `Integer -> "gt_int_"
  | `Blt, `Integer -> "lt_int_"
  | `Bge, `Integer -> "ge_int_"
  | `Ble, `Integer -> "le_int_"
  | `Beq, `Integer -> "eq_int_"
  | `Bneq, `Integer -> "neq_int_"
  | `Badd, `Integer -> "add_int"
  | `Bsub, `Integer -> "sub_int"
  | `Bmul, `Integer -> "mul_int"
  | `Bdiv, `Integer ->
      if safety_checking () then "computer_div_" else "computer_div"
  | `Bmod, `Integer ->
      if safety_checking () then "computer_mod_" else "computer_mod"
      (* pointer *)
  | `Beq, `Pointer ->
      if safety_checking () then "eq_pointer" else "safe_eq_pointer"
  | `Bneq, `Pointer ->
      if safety_checking () then "neq_pointer" else "safe_neq_pointer"
  | `Bsub, `Pointer ->
      if safety_checking () then "sub_pointer_" else "safe_sub_pointer_"
      (* real *)
  | `Bgt, `Real -> "gt_real_"
  | `Blt, `Real -> "lt_real_"
  | `Bge, `Real -> "ge_real_"
  | `Ble, `Real -> "le_real_"
  | `Beq, `Real -> "eq_real_"
  | `Bneq, `Real -> "neq_real_"
  | `Bgt, `Float -> "gt_single_"
  | `Blt, `Float -> "lt_single_"
  | `Bge, `Float -> "ge_single_"
  | `Ble, `Float -> "le_single_"
  | `Beq, `Float -> "eq_single_"
  | `Bneq,`Float -> "ne_single_"
  | `Bgt, `Double -> "gt_double_"
  | `Blt, `Double -> "lt_double_"
  | `Bge, `Double -> "ge_double_"
  | `Ble, `Double -> "le_double_"
  | `Beq, `Double -> "eq_double_"
  | `Bneq, `Double -> "ne_double_"
  | `Badd, `Real -> "add_real"
  | `Bsub, `Real -> "sub_real"
  | `Bmul, `Real -> "mul_real"
  | `Bdiv, `Real ->
      if safety_checking () then "div_real_" else "div_real"
      (* bool *)
  | `Beq, `Boolean -> "eq_bool_"
  | `Bneq, `Boolean -> "neq_bool_"
      (* bitwise *)
  | `Bbw_and, `Integer -> "bw_and"
  | `Bbw_or, `Integer -> "bw_or"
  | `Bbw_xor, `Integer -> "bw_xor"
  | `Bbw_and, `Boolean -> "bool_and"
  | `Bbw_or, `Boolean -> "bool_or"
  | `Bbw_xor, `Boolean -> "bool_xor"
      (* shift *)
  | `Bshift_left, `Integer -> "lsl"
  | `Blogical_shift_right, `Integer -> "lsr"
  | `Barith_shift_right, `Integer -> "asr"
  | `Bland, _ -> assert false
  | `Blor, _ -> assert false
  | `Bconcat, _ -> "string_concat"
  | op, opty ->
      Jc_typing.typing_error Loc.dummy_position
        "Can't use operator %s with type %s in expressions"
        (string_of_op op) (string_of_op_type opty)

let term_bin_op: term_bin_op -> string = function
    (* integer *)
  | `Bgt, `Integer -> "gt_int_bool"
  | `Blt, `Integer -> "lt_int_bool"
  | `Bge, `Integer -> "ge_int_bool"
  | `Ble, `Integer -> "le_int_bool"
  | `Beq, `Integer -> "eq_int_bool"
  | `Bneq, `Integer -> "neq_int_bool"
  | `Badd, `Integer -> "add_int"
  | `Bsub, `Integer -> "sub_int"
  | `Bmul, `Integer -> "mul_int"
  | `Bdiv, `Integer -> "computer_div"
  | `Bmod, `Integer -> "computer_mod"
      (* pointer *)
  | `Beq, `Pointer -> "eq_pointer_bool"
  | `Bneq, `Pointer -> "neq_pointer_bool"
  | `Bsub, `Pointer -> "sub_pointer"
      (* logic *)
  | `Beq, `Logic -> "eq"
  | `Bneq, `Logic -> "neq"
      (* real *)
  | `Bgt, `Real -> "gt_real_bool"
  | `Blt, `Real -> "lt_real_bool"
  | `Bge, `Real -> "ge_real_bool"
  | `Ble, `Real -> "le_real_bool"
  | `Beq, `Real -> "eq_real_bool"
  | `Bneq, `Real -> "neq_real_bool"
  | `Badd, `Real -> "add_real"
  | `Bsub, `Real -> "sub_real"
  | `Bmul, `Real -> "mul_real"
  | `Bdiv, `Real -> "div_real"
      (* bool *)
(*  | `Beq_bool, `Boolean -> "eq_bool"
  | `Bneq_bool, `Boolean -> "neq_bool"*)
      (* bitwise *)
  | `Bbw_and, `Integer -> "bw_and"
  | `Bbw_or, `Integer -> "bw_or"
  | `Bbw_xor, `Integer -> "bw_xor"
  | `Bshift_left, `Integer -> "lsl"
  | `Blogical_shift_right, `Integer -> "lsr"
  | `Barith_shift_right, `Integer -> "asr"
      (* logical *)
  | `Blor, `Boolean -> "bool_or"
  | `Bland, `Boolean ->  "bool_and"
  | `Biff, _ | `Bimplies, _ ->
      assert false (* TODO *)
  | op, opty ->
      Jc_typing.typing_error Loc.dummy_position
        "Can't use operator %s with type %s in terms"
        (string_of_op op) (string_of_op_type opty)

let pred_bin_op: pred_bin_op -> string = function
    (* integer *)
  | `Bgt, `Integer -> "gt_int"
  | `Blt, `Integer -> "lt_int"
  | `Bge, `Integer -> "ge_int"
  | `Ble, `Integer -> "le_int"
  | `Beq, `Integer -> "eq"
  | `Bneq, `Integer -> "neq"
      (* pointer *)
  | `Beq, (`Pointer | `Logic) -> "eq"
  | `Bneq, (`Pointer | `Logic) -> "neq"
      (* real *)
  | `Beq, `Real -> "eq"
  | `Bneq, `Real -> "neq"
  | `Bgt, `Real -> "gt_real"
  | `Blt, `Real -> "lt_real"
  | `Bge, `Real -> "ge_real"
  | `Ble, `Real -> "le_real"
      (* logical *)
  | `Blor, `Boolean -> "bor"
  | `Bland, `Boolean -> "band"
  | `Biff, `Boolean
  | `Bimplies, `Boolean -> assert false (* TODO *)
      (* boolean *)
  | `Beq, `Boolean -> "eq"
  | `Bneq, `Boolean -> "neq"
  | op, opty ->
      Jc_typing.typing_error Loc.dummy_position
        "Can't use operator %s with type %s in assertions"
        (string_of_op op) (string_of_op_type opty)


(******************************************************************************)
(*                                   types                                    *)
(******************************************************************************)

(*
let has_equality_op = function
  | JCTnative Tunit -> false
  | JCTnative Tboolean -> true
  | JCTnative Tinteger -> true
  | JCTnative Treal -> true
  | JCTnative (Tgenfloat _) -> true
  | JCTnative Tstring -> true
  | JCTlogic _s -> (* TODO *) false
  | JCTenum _ei -> true
  | JCTpointer _
  | JCTnull ->  true
  | JCTany -> false
  | JCTtype_var _ -> false (* TODO ? *)
*)

let equality_op_for_type = function
  | JCTnative Tunit -> assert false
  | JCTnative Tboolean -> "eq_bool"
  | JCTnative Tinteger -> "eq_int"
  | JCTnative Treal -> "eq_real"
  | JCTnative (Tgenfloat f) -> ("eq_"^(float_format f))
  | JCTnative Tstring -> "eq"
  | JCTlogic _s -> (* TODO *) assert false
  | JCTenum ei -> eq_of_enum ei
  | JCTpointer _
  | JCTnull ->  "eq"
  | JCTany -> assert false
  | JCTtype_var _ -> assert false (* TODO ? *)


(******************************************************************************)
(*                                 Structures                                 *)
(******************************************************************************)

let tr_struct st acc =
  let tagid_type = tag_id_type (struct_root st) in
    (* Declarations of field memories. *)
  let acc =
    if !Jc_options.separation_sem = SepRegions then acc else
      if struct_of_plain_union st then acc else
        List.fold_left
          (fun acc fi ->
             let mem = memory_type (JCmem_field fi) in
             Param(
               false,
               id_no_loc (field_memory_name fi),
               Ref_type(Base_type mem))::acc)
          acc st.jc_struct_info_fields
  in
  (* Declarations of translation functions for union *)
(*
  let vi = struct_root st in
  let acc =
    if not (root_is_union vi) then acc else
      if integral_union vi then acc else
        let uty = bitvector_type in
        List.fold_left
          (fun acc fi ->
	     if has_equality_op fi.jc_field_info_type then
               Logic(false,id_no_loc (logic_field_of_union fi),
                     [("",uty)],tr_base_type fi.jc_field_info_type)
               :: Logic(false,id_no_loc (logic_union_of_field fi),
			[("",tr_base_type fi.jc_field_info_type)],uty)
               :: Goal(KAxiom,id_no_loc ((logic_field_of_union fi)^"_of_"^(logic_union_of_field fi)),
			LForall("x",tr_base_type fi.jc_field_info_type, [],
				LPred(equality_op_for_type fi.jc_field_info_type,
                                      [LApp(logic_field_of_union fi,
                                            [LApp(logic_union_of_field fi,
                                                  [LVar "x"])]);
                                       LVar "x"])))
               :: acc
	     else acc)
          acc st.jc_struct_info_fields
  in
*)
  (* declaration of the tag_id *)
  let acc =
    Logic(false,id_no_loc (tag_name st),[],tagid_type)::acc
  in

  let acc =
    if struct_of_union st then acc
    else
      let pc = JCtag(st,[]) in
      let ac = alloc_class_of_pointer_class pc in
      let in_param = false in
	(* Validity parameters *)
	make_valid_pred ~in_param ~equal:true ac pc
	:: make_valid_pred ~in_param ~equal:false ac pc
	:: make_valid_pred ~in_param ~equal:false ~right:false ac pc
	:: make_valid_pred ~in_param ~equal:false ~left:false ac pc
(*
	:: make_valid_pred ~in_param ~equal:true (* TODO ? *) JCalloc_bitvector pc
*)
	  (* Allocation parameters *)
	:: make_alloc_param ~check_size:true ac pc
	:: make_alloc_param ~check_size:false ac pc
(*
	:: make_alloc_param ~check_size:true JCalloc_bitvector pc
	:: make_alloc_param ~check_size:false JCalloc_bitvector pc
*)
	:: (if Region.exists_bitwise () then make_conversion_params pc else [])
        @ acc
  in

  match st.jc_struct_info_parent with
    | None ->
        (* axiom for parenttag *)
        let name = st.jc_struct_info_name ^ "_parenttag_bottom" in
        let p = LPred("parenttag", [ LVar (tag_name st); LVar "bottom_tag" ]) in
        Goal(KAxiom,id_no_loc name, p)::acc
    | Some(p, _) ->
        (* axiom for parenttag *)
        let name =
          st.jc_struct_info_name ^ "_parenttag_" ^ p.jc_struct_info_name
        in
        let p =
          LPred("parenttag", [ LVar (tag_name st); LVar (tag_name p) ])
        in
        Goal(KAxiom,id_no_loc name, p)::acc


(******************************************************************************)
(*                                 Coercions                                  *)
(******************************************************************************)

let float_of_real f x =
  (* TODO: Mpfr.settofr etc *)
  if Str.string_match (Str.regexp "\\([0-9]+\\)\\.0*$") x 0 then
    let s = Str.matched_group 1 x in
    match f with
      | `Float ->
          if String.length s <= 7 (* x < 10^7 < 2^24 *) then x
          else
            (*
              Format.eprintf"real constant: %s@." x;
            *)
            raise Not_found
     | `Double ->
          if String.length s <= 15 (* x < 10^15 < 2^53 *) then x
          else
            (*
              Format.eprintf"real constant: %s@." x;
            *)
            raise Not_found
     | `Binary80 -> raise Not_found
  else
    match f,x with
      | _ , "0.5" -> x
      | `Float, "0.1" -> "0x1.99999ap-4"
      | `Double, "0.1" -> "0x1.999999999999ap-4"
      | _ -> raise Not_found

let rec term_coerce ~type_safe ~global_assertion lab ?(cast=false) pos
    ty_dst ty_src e e' =
  let rec aux a b =
    match a,b with
      | JCTlogic (t,tl), JCTlogic (u,ul) when t = u -> List.for_all2 aux tl ul
      | JCTtype_var _, JCTtype_var _ -> true (*jc_typing take care of that*)
      | (JCTtype_var _, _) | (_,JCTtype_var _) -> true
      | JCTpointer (JCroot rt1,_,_), JCTpointer (JCroot rt2,_,_) -> rt1 == rt2
      | _ -> false
  in
  match ty_dst, ty_src with
      (* identity *)
    | JCTnative t, JCTnative u when t = u -> e'
    | (JCTlogic _|JCTtype_var _), (JCTlogic _|JCTtype_var _)
      when aux ty_dst ty_src -> e'
    | (JCTtype_var _, JCTpointer _) -> e'
    | JCTpointer _, JCTpointer _ when aux ty_dst ty_src -> e'
    | JCTany, JCTany -> e'
      (* between integer/enum and real *)
    | JCTnative Treal, JCTnative Tinteger ->
	begin match e' with
	  | LConst(Prim_int n) ->
	      LConst(Prim_real(n ^ ".0"))
	  | _ ->
	      LApp("real_of_int",[ e' ])
	end
    | JCTnative Treal, JCTenum ri ->
	begin match e' with
	  | LConst(Prim_int n) ->
	      LConst(Prim_real(n ^ ".0"))
	  | _ ->
	      let e' = LApp(logic_int_of_enum ri,[ e' ]) in
	      LApp("real_of_int",[ e' ])
	end
    | JCTnative Treal, JCTnative (Tgenfloat f) ->
	begin
	  match e' with
	    | LApp (f,[LConst (Prim_real _) as c])
		when f = "single_of_real_exact" || f = "single_of_real_exact" ->
		c
	    | _ -> LApp((float_format f)^"_value",[ e' ])
	end
    | JCTnative (Tgenfloat f), JCTnative Treal ->
	begin
          try
	    match e' with
	      | LConst (Prim_real x) ->
		  LApp ((float_format f)^"_of_real_exact",
		        [LConst (Prim_real (float_of_real f x))])
	      | _ -> raise Not_found
          with Not_found ->
	    LApp ("round_"^(float_format f)^"_logic",
		  [ logic_current_rounding_mode () ; e' ])
	end
    | JCTnative (Tgenfloat _f), (JCTnative Tinteger | JCTenum _) ->
        term_coerce ~type_safe ~global_assertion lab pos ty_dst (JCTnative Treal) e
          (term_coerce ~type_safe ~global_assertion lab pos (JCTnative Treal) ty_src e e')
    | JCTnative Tinteger, JCTnative Treal ->
	assert false (* LApp("int_of_real",[ e' ]) *)
      (* between enums and integer *)
    | JCTenum ri1, JCTenum ri2
	when ri1.jc_enum_info_name = ri2.jc_enum_info_name -> e'
    | JCTenum ri1, JCTenum ri2 ->
        assert cast; (* Typing should have inserted an explicit cast *)
        let e' = LApp(logic_int_of_enum ri2,[ e' ]) in
        LApp(logic_enum_of_int ri1,[ e' ])
    | JCTnative Tinteger, JCTenum ri ->
        LApp(logic_int_of_enum ri,[ e' ])
    | JCTenum ri, JCTnative Tinteger ->
        LApp(logic_enum_of_int ri,[ e' ])
      (* between pointers and null *)
    | JCTpointer _ , JCTnull -> e'
    | JCTpointer(pc1,_,_), JCTpointer(JCtag(st2,_),_,_)
        when Jc_typing.substruct st2 pc1 -> e'
    | JCTpointer(JCtag(st1,_),_,_), JCTpointer _ ->
	let tag =
	  ttag_table_var ~label_in_name:global_assertion lab
	    (struct_root st1,e#region)
	in
        LApp("downcast", [ tag; e'; LVar (tag_name st1) ])
    |  _ ->
         Jc_typing.typing_error pos
           "can't (term_)coerce type %a to type %a"
           print_type ty_src print_type ty_dst

let eval_integral_const e =
  let rec eval e =
    match e#node with
      | JCEconst(JCCinteger s) -> Numconst.integer s
      | JCErange_cast(e,_ri2) -> eval e
      | JCEunary(op,e) ->
          let v = eval e in
          begin match op with
            | `Uminus, `Integer -> minus_num v
            | `Uminus, (`Real | `Binary80 | `Double | `Float | `Boolean | `Unit)
            | `Unot, _
            | `Ubw_not, _ -> raise Exit
          end
      | JCEbinary(e1,op,e2) ->
          let v1 = eval e1 in
          let v2 = eval e2 in
          begin match op with
            | `Badd, `Integer -> v1 +/ v2
            | `Bsub, `Integer -> v1 -/ v2
            | `Bmul, `Integer -> v1 */ v2
            | `Bdiv, `Integer ->
                if eq_num (mod_num v1 v2) Numconst.zero then quo_num v1 v2 else raise Exit
            | `Bmod, `Integer ->
                mod_num v1 v2
            | (`Badd | `Barith_shift_right | `Bbw_and | `Bbw_or | `Bbw_xor
              | `Bdiv | `Beq | `Bge | `Bgt | `Ble | `Blogical_shift_right
              | `Blt | `Bmod | `Bmul | `Bneq | `Bshift_left | `Bsub), _ ->
		raise Exit
	    | `Bconcat, _ -> raise Exit
	    | `Bland, _ -> raise Exit
	    | `Blor, _ -> raise Exit
          end
      | JCEif(_e1,_e2,_e3) ->
          (* TODO: write [eval_boolean_const] *)
          raise Exit
      | JCEconst _ | JCEvar _ | JCEshift _ | JCEderef _
      | JCEinstanceof _ | JCEcast _ | JCEbitwise_cast _ | JCEreal_cast _
      | JCEoffset _ | JCEbase_block _
      | JCEaddress _
      | JCEalloc _ | JCEfree _ | JCEmatch _ |JCEunpack _ |JCEpack _
      | JCEthrow _ | JCEtry _ | JCEreturn _ | JCEloop _ | JCEblock _
      | JCEcontract _ | JCEassert _ | JCEfresh _ 
      | JCElet _ | JCEassign_heap _ | JCEassign_var _ | JCEapp _
      | JCEreturn_void -> raise Exit

  in
  try Some(eval e) with Exit | Division_by_zero -> None

let fits_in_enum ri e =
  match eval_integral_const e with
    | Some c -> ri.jc_enum_info_min <=/ c && c <=/ ri.jc_enum_info_max
    | None -> false

let rec coerce ~check_int_overflow mark pos ty_dst ty_src e e' =
  match ty_dst, ty_src with
      (* identity *)
    | JCTnative t, JCTnative u when t = u -> e'
    | JCTlogic t, JCTlogic u when t = u -> e'
    | JCTany, JCTany -> e'
      (* between integer/enum and real *)
    | JCTnative Treal, JCTnative Tinteger ->
	begin match e'.expr_node with
	  | Cte(Prim_int n) ->
	      { e' with expr_node = Cte(Prim_real(n ^ ".0")) }
	  | _ ->
	      make_app "real_of_int" [ e' ]
	end
    | JCTnative Treal, JCTenum ri ->
	begin match e'.expr_node with
	  | Cte(Prim_int n) ->
	      { e' with expr_node = Cte(Prim_real(n ^ ".0")) }
	  | _ ->
	      make_app "real_of_int" [ make_app (logic_int_of_enum ri) [ e' ] ]
	end
    | JCTnative Tinteger, JCTnative Treal ->
	assert false (* make_app "int_of_real" [ e' ] *)
    | JCTnative (Tgenfloat _), (JCTnative Tinteger | JCTenum _) ->
        coerce ~check_int_overflow mark pos ty_dst (JCTnative Treal) e
          (coerce ~check_int_overflow mark pos (JCTnative Treal) ty_src e e')
    | JCTnative (Tgenfloat f1), JCTnative (Tgenfloat f2) ->
        let enlarge =
          match f2, f1 with
          | `Float, _ -> true
          | _, `Float -> false
          | `Double, _ -> true
          | _, _ -> false in
        let name = (float_format f1)^"_of_"^(float_format f2) in
        if enlarge then
          make_app name [ e' ]
        else if check_int_overflow then
          make_guarded_app ~mark FPoverflow pos name
            [ current_rounding_mode () ; e' ]
        else
          make_app (name^"_safe") [ current_rounding_mode () ; e' ]
    | JCTnative (Tgenfloat f), JCTnative Treal ->
	begin
          try
	    match e'.expr_node with
	      | Cte (Prim_real x) ->
		  let s = float_of_real f x in
		  make_app ((float_format f)^"_of_real_exact")
		  [ { e' with expr_node = Cte (Prim_real s) } ]
	      | _ -> raise Not_found
          with Not_found ->
	    if check_int_overflow then
	      make_guarded_app ~mark FPoverflow pos
	        ((float_format f)^"_of_real")
	        [ current_rounding_mode () ; e' ]
	    else
	      make_app ((float_format f)^"_of_real_safe")
	        [ current_rounding_mode () ; e' ]
	end
    | JCTnative Treal, JCTnative (Tgenfloat f) ->
	make_app ((float_format f)^"_value") [ e' ]
      (* between enums and integer *)
    | JCTenum ri1, JCTenum ri2
	when ri1.jc_enum_info_name = ri2.jc_enum_info_name -> e'
    | JCTenum ri1, JCTenum ri2 ->
        let e' = make_app (logic_int_of_enum ri2) [ e' ] in
        if not check_int_overflow || fits_in_enum ri1 e then
          make_app (safe_fun_enum_of_int ri1) [ e' ]
        else
          make_guarded_app ~mark ArithOverflow pos (fun_enum_of_int ri1) [ e' ]
    | JCTnative Tinteger, JCTenum ri ->
        make_app (logic_int_of_enum ri) [ e' ]
    | JCTenum ri, JCTnative Tinteger ->
        if not check_int_overflow || fits_in_enum ri e then
          make_app (safe_fun_enum_of_int ri) [ e' ]
        else
          make_guarded_app ~mark ArithOverflow pos (fun_enum_of_int ri) [ e' ]
      (* between pointers and null *)
    | JCTpointer _ , JCTnull -> e'
    | JCTpointer(pc1,_,_), JCTpointer(JCtag(st2,_),_,_)
        when Jc_typing.substruct st2 pc1 -> e'
    | JCTpointer(JCtag(st1,_),_,_), JCTpointer _  ->
	let downcast_fun =
	  if safety_checking () then "downcast_" else "safe_downcast_"
	in
	let tag = tag_table_var(struct_root st1,e#region) in
        make_guarded_app ~mark DownCast pos downcast_fun
          [ tag; e'; mk_var(tag_name st1) ]
    | _ ->
        Jc_typing.typing_error pos
          "can't coerce type %a to type %a"
          print_type ty_src print_type ty_dst


(******************************************************************************)
(*                                   terms                                    *)
(******************************************************************************)

(* [pattern_lets] is a list of (id, value), which should be binded
 * at the assertion level. *)
let pattern_lets = ref []
let concat_pattern_lets lets = pattern_lets := lets @ !pattern_lets
let bind_pattern_lets body =
  let binds =
    List.fold_left
      (fun body bind ->
	 match bind with
	   | JCforall(id, ty) -> LForall(id, ty, [], body)
	   | JClet(id, value) -> LLet(id, value, body))
      body (List.rev !pattern_lets)
  in
  pattern_lets := [];
  binds

let is_base_block t = match t#node with
  | JCTbase_block _ -> true
  | _ -> false

let rec term ?(subst=VarMap.empty) ~type_safe ~global_assertion ~relocate lab oldlab t =
  let ft = term ~subst ~type_safe ~global_assertion ~relocate lab oldlab in
  let term_coerce = term_coerce ~type_safe ~global_assertion lab in
  let t' = match t#node with
    | JCTconst JCCnull -> LVar "null"
    | JCTvar v ->
        begin
          try VarMap.find v subst
          with Not_found -> tvar ~label_in_name:global_assertion lab v
        end
    | JCTconst c -> LConst(const c)
    | JCTunary(op,t1) ->
        let t1'= ft t1 in
        LApp(term_unary_op op,
	     [ term_coerce t#pos (native_operator_type op) t1#typ t1 t1' ])
(*     | JCTbinary(t1,(`Bsub,`Pointer),t2) -> *)
(*         let t1' = LApp("address",[ ft t1 ]) in *)
(*         let t2' = LApp("address",[ ft t2 ]) in *)
(* 	let st = pointer_struct t1#typ in *)
(* 	let s = string_of_int (struct_size_in_bytes st) in *)
(*         LApp( *)
(* 	  term_bin_op (`Bdiv,`Integer), *)
(* 	  [ LApp(term_bin_op (`Bsub,`Integer), [ t1'; t2' ]); *)
(* 	    LConst(Prim_int s) ]) *)
    | JCTbinary(t1,(_,(`Pointer | `Logic) as op),t2) ->
        let t1' = ft t1 in
        let t2' = ft t2 in
        LApp(term_bin_op op, [ t1'; t2' ])
    | JCTbinary(t1,(_, #native_operator_type as op),t2) ->
        let t1' = ft t1 in
        let t2' = ft t2 in
        let ty = native_operator_type op in
        LApp(term_bin_op op,
             [ term_coerce t1#pos ty t1#typ t1 t1';
               term_coerce t2#pos ty t2#typ t2 t2' ])
    | JCTshift(t1,t2) ->
        let t1' = ft t1 in
        let t2' = ft t2 in
        LApp("shift",[ t1'; term_coerce t2#pos integer_type t2#typ t2 t2' ])
    | JCTif(t1,t2,t3) ->
        let t1' = ft t1 in
        let t2' = ft t2 in
        let t3' = ft t3 in
        TIf(t1',
            (** type of t2 and t3 are equal or one is the subtype of
                the other *)
            term_coerce t2#pos t#typ t2#typ t2 t2',
            term_coerce t3#pos t#typ t3#typ t3 t3')
    | JCTlet(vi,t1,t2) ->
        let t1' = ft t1 in
        let t2' = ft t2 in
        TLet(vi.jc_var_info_final_name, t1', t2')
    | JCToffset(k,t1,st) ->
	let ac = tderef_alloc_class ~type_safe t1 in
        let _,alloc =
	  talloc_table_var ~label_in_name:global_assertion lab (ac,t1#region)
	in
	begin match ac with
	  | JCalloc_root _ ->
              let f = match k with
		| Offset_min -> "offset_min"
		| Offset_max -> "offset_max"
              in
              let t1' = ft t1 in
              LApp(f,[alloc; t1' ])
	  | JCalloc_bitvector ->
              let f = match k with
		| Offset_min -> "offset_min_bytes"
		| Offset_max -> "offset_max_bytes"
              in
              let t1' = ft t1 in
	      let s = string_of_int (struct_size_in_bytes st) in
              LApp(f,[ alloc; t1'; LConst(Prim_int s) ])
	end
    | JCTaddress(Addr_absolute,t1) ->
        LApp("absolute_address",[ ft t1 ])
    | JCTaddress(Addr_pointer,t1) ->
        LApp("address",[ ft t1 ])
    | JCTbase_block(t1) ->
        LApp("base_block",[ ft t1 ])
    | JCTinstanceof(t1,lab',st) ->
      let lab = if relocate && lab' = LabelHere then lab else lab' in
        let t1' = ft t1 in
	let tag =
	  ttag_table_var ~label_in_name:global_assertion lab
	    (struct_root st,t1#region)
	in
        LApp("instanceof_bool",[ tag; t1'; LVar (tag_name st) ])
    | JCTcast(t1,lab',st) ->
      let lab = if relocate && lab' = LabelHere then lab else lab' in
        if struct_of_union st then
	  ft t1
	else
          let t1' = ft t1 in
	  let tag =
	    ttag_table_var ~label_in_name:global_assertion lab
	      (struct_root st,t1#region)
	  in
          LApp("downcast",[ tag; t1'; LVar (tag_name st) ])
    | JCTbitwise_cast(t1,_lab,_st) ->
	ft t1
    | JCTrange_cast(t1,ri) ->
(*         eprintf "range_cast in term: from %a to %a@."  *)
(*           print_type t1#typ print_type (JCTenum ri); *)
        let t1' = ft t1 in
        term_coerce ~cast:true t1#pos (JCTenum ri) t1#typ t1 t1'
    | JCTreal_cast(t1,rc) ->
        let t1' = ft t1 in
        begin match rc with
          | Integer_to_real ->
              term_coerce t1#pos real_type t1#typ t1 t1'
          | Double_to_real ->
              term_coerce t1#pos real_type t1#typ t1 t1'
	  | Float_to_real ->
	      term_coerce t1#pos real_type t1#typ t1 t1'
(*
          | Real_to_integer ->
              term_coerce t1#pos integer_type t1#typ t1 t1'
*)
	  | Round(f,_rm) ->
              term_coerce t1#pos (JCTnative (Tgenfloat f)) t1#typ t1 t1'
	end
    | JCTderef(t1,lab',fi) ->
	let lab = if relocate && lab' = LabelHere then lab else lab' in
	let mc,_ufi_opt = tderef_mem_class ~type_safe t1 fi in
	begin match mc with
	  | JCmem_field fi' ->
	      assert (fi.jc_field_info_tag = fi'.jc_field_info_tag);
              let t1' = ft t1 in
              let mem =
		tmemory_var ~label_in_name:global_assertion lab
		  (JCmem_field fi,t1#region)
	      in
              LApp("select",[ mem; t1' ])
	  | JCmem_plain_union vi ->
	      let t1,off = tdestruct_union_access t1 (Some fi) in
	      (* Retrieve bitvector *)
              let t1' = ft t1 in
              let mem =
		tmemory_var ~label_in_name:global_assertion lab
		  (JCmem_plain_union vi,t1#region)
	      in
              let e' = LApp("select",[ mem; t1' ]) in
	      (* Retrieve subpart of bitvector for specific subfield *)
	      let off = match off with
		| Int_offset s -> s
		| _ -> assert false (* TODO *)
	      in
	      let size =
		match fi.jc_field_info_bitsize with
		  | Some x -> x / 8
		  | None -> assert false
	      in
	      let off = string_of_int off and size = string_of_int size in
	      let e' =
		LApp("extract_bytes",
		     [ e'; LConst(Prim_int off); LConst(Prim_int size) ])
	      in
	      (* Convert bitvector into appropriate type *)
	      begin match fi.jc_field_info_type with
		| JCTenum ri -> LApp(logic_enum_of_bitvector ri,[e'])
		| JCTnative Tinteger -> LApp(logic_integer_of_bitvector,[e'])
                | JCTnative _ -> assert false (* TODO ? *)
                | JCTtype_var _ -> assert false (* TODO ? *)
                | JCTpointer (_, _, _) -> assert false (* TODO ? *)
                | JCTlogic _ -> assert false (* TODO ? *)
                | JCTany -> assert false (* TODO ? *)
                | JCTnull -> assert false (* TODO ? *)
	      end
	  | JCmem_bitvector ->
	      (* Retrieve bitvector *)
              let t1' = ft t1 in
	      let mem =
		tmemory_var ~label_in_name:global_assertion lab
		  (JCmem_bitvector,t1#region)
	      in
	      let off =
		match field_offset_in_bytes fi with
		  | Some x -> x
		  | None -> assert false
	      in
	      let size =
		match fi.jc_field_info_bitsize with
		  | Some x -> x / 8
		  | None -> assert false
	      in
	      let off = string_of_int off and size = string_of_int size in
	      let e' =
		LApp("select_bytes",
		     [ mem; t1'; LConst(Prim_int off); LConst(Prim_int size) ])
	      in
	      (* Convert bitvector into appropriate type *)
	      begin match fi.jc_field_info_type with
		| JCTenum ri -> LApp(logic_enum_of_bitvector ri,[e'])
		| _ty -> assert false (* TODO *)
	      end
	end
    | JCTapp app ->
        let f = app.jc_app_fun in
        let args =
	  List.fold_right (fun arg acc -> (ft arg) :: acc) app.jc_app_args []
        in
        let args =
          try List.map2 (fun e e' -> (e,e')) app.jc_app_args args
          with Invalid_argument _ -> assert false
        in
        let args =
          try
            List.map2
              (fun v (t,t') -> term_coerce t#pos v.jc_var_info_type t#typ t t')
              f.jc_logic_info_parameters args
          with Invalid_argument _ ->
            eprintf "fun = %s, len pars = %d, len args' = %d@."
              f.jc_logic_info_name
              (List.length f.jc_logic_info_parameters)
              (List.length args);
            assert false
        in
	let relab (lab1,lab2) =
	  (lab1, if lab2 = LabelHere then lab else lab2)
	in
	let label_assoc =
	  if relocate then
	    (LabelHere,lab) :: List.map relab app.jc_app_label_assoc
	  else app.jc_app_label_assoc
	in
        make_logic_fun_call ~label_in_name:global_assertion
	  ~region_assoc:app.jc_app_region_assoc
	  ~label_assoc:label_assoc
	  f args
    | JCTold t1 ->
	let lab = if relocate && oldlab = LabelHere then lab else oldlab in
	term ~type_safe ~global_assertion ~relocate lab oldlab t1
    | JCTat(t1,lab') ->
	let lab = if relocate && lab' = LabelHere then lab else lab' in
	term ~type_safe ~global_assertion ~relocate lab oldlab t1
    | JCTrange(_t1,_t2) -> Jc_typing.typing_error t#pos "Unsupported range in term, sorry" (* TODO ? *)
    | JCTmatch(t, ptl) ->
        let t' = ft t in
        (* TODO: use a temporary variable for t' *)
        (* if the pattern-matching is incomplete, default value is true *)
        let ptl',lets =
          pattern_list_term ft t' t#typ ptl (LConst(Prim_bool true)) in
	concat_pattern_lets lets;
        ptl'
  in
  (if t#mark <> "" then
     Tnamed(reg_check ~mark:t#mark t#pos,t')
   else
     t')

let () = ref_term := term

let named_term ~type_safe ~global_assertion ~relocate lab oldlab t =
  let t' = term ~type_safe ~global_assertion ~relocate lab oldlab t in
  match t' with
    | Tnamed _ -> t'
    | _ ->
        let n = reg_check ~mark:t#mark t#pos in
        Tnamed(n,t')


(******************************************************************************)
(*                                assertions                                  *)
(******************************************************************************)

let tag ~type_safe ~global_assertion ~relocate lab oldlab tag=
  match tag#node with
    | JCTtag st -> LVar (tag_name st)
    | JCTbottom -> LVar "bottom_tag"
    | JCTtypeof(t,st) ->
	let t' = term ~type_safe ~global_assertion ~relocate lab oldlab t in
	make_typeof st t#region t'

let rec assertion ~type_safe ~global_assertion ~relocate lab oldlab a =
  let fa = assertion ~type_safe ~global_assertion ~relocate lab oldlab in
  let ft = term ~type_safe ~global_assertion ~relocate lab oldlab in
  let ftag = tag ~type_safe ~global_assertion ~relocate lab oldlab in
  let term_coerce = term_coerce ~type_safe ~global_assertion lab in
  let a' = match a#node with
    | JCAtrue -> LTrue
    | JCAfalse -> LFalse
    | JCAif(t1,a2,a3) ->
        let t1' = ft t1 in
	let a2' = fa a2 in
	let a3' = fa a3 in
        LIf(t1',a2',a3')
    | JCAand al -> make_and_list (List.map fa al)
    | JCAor al -> make_or_list (List.map fa al)
    | JCAimplies(a1,a2) ->
	let a1' = fa a1 in
	let a2' = fa a2 in
	make_impl a1' a2'
    | JCAiff(a1,a2) ->
	let a1' = fa a1 in
	let a2' = fa a2 in
	make_equiv a1' a2'
    | JCAnot a1 ->
	let a1' = fa a1 in
	LNot a1'
    | JCArelation(t1,((`Beq | `Bneq as op),_),t2)
	when is_base_block t1 && is_base_block t2 ->
	let t1 =
	  match t1#node with JCTbase_block t1' -> t1' | _ -> assert false
	in
	let t2 =
	  match t2#node with JCTbase_block t2' -> t2' | _ -> assert false
	in
        let t1' = ft t1 in
        let t2' = ft t2 in
        let p = LPred("same_block", [ t1'; t2' ]) in
	begin match op with
	  | `Beq -> p
	  | `Bneq -> LNot p
	  | _ -> assert false
	end
    | JCArelation(t1,(_,(`Pointer | `Logic) as op),t2) ->
        let t1' = ft t1 in
        let t2' = ft t2 in
        LPred (pred_bin_op (op :> pred_bin_op),[ t1'; t2' ])
(* disabled because cause other problems

  o [Jessie] removed some superfluous conversion on enums which
    prevented some proofs by rewriting

    | JCArelation(t1, (((`Beq | `Bneq), _)as op),t2) ->

(* 	if Jc_options.debug then printf "%a@." Jc_output.assertion a; *)
        let t1' = ft t1 in
        let t2' = ft t2 in
        LPred(pred_bin_op (op), [ t1'; t2' ])
*)
    | JCArelation(t1,(_, #native_operator_type as op),t2) ->
(* 	if Jc_options.debug then printf "%a@." Jc_output.assertion a; *)
        let t1' = ft t1 in
        let t2' = ft t2 in
        let ty = native_operator_type op in
        LPred(pred_bin_op (op :> pred_bin_op),
              [ term_coerce t1#pos ty t1#typ t1 t1';
                term_coerce t2#pos ty t2#typ t2 t2' ])
    | JCAapp app ->
        let f = app.jc_app_fun in
        let args =
	  List.fold_right (fun arg acc -> (ft arg) :: acc) app.jc_app_args []
        in
        let args =
          try List.map2 (fun e e' -> (e,e')) app.jc_app_args args
          with Invalid_argument _ -> assert false
        in
        let args =
          try
            List.map2
              (fun v (t,t') -> term_coerce t#pos v.jc_var_info_type t#typ t t')
              f.jc_logic_info_parameters args
          with Invalid_argument _ ->
            eprintf "fun = %s, len pars = %d, len args' = %d@."
              f.jc_logic_info_name
              (List.length f.jc_logic_info_parameters)
              (List.length args);
            assert false
        in
	let label_assoc =
	  if relocate then
	    let relab (lab1,lab2) =
	      (lab1, if lab2 = LabelHere then lab else lab2)
	    in
	    (LabelHere,lab) :: List.map relab app.jc_app_label_assoc
	  else app.jc_app_label_assoc
	in
        make_logic_pred_call
	  ~label_in_name:global_assertion
	  ~region_assoc:app.jc_app_region_assoc
	  ~label_assoc:label_assoc
	  f args
    | JCAquantifier(Forall,v,trigs,a1) ->
        LForall(v.jc_var_info_final_name,
                tr_var_base_type v,
                triggers fa ft trigs,
                fa a1)
    | JCAquantifier(Exists,v,trigs, a1) ->
        LExists(v.jc_var_info_final_name,
                tr_var_base_type v,
                triggers fa ft trigs,
                fa a1)
    | JCAold a1 ->
	let lab = if relocate && oldlab = LabelHere then lab else oldlab in
	assertion ~type_safe ~global_assertion ~relocate lab oldlab a1
    | JCAat(a1,lab') ->
	let lab = if relocate && lab' = LabelHere then lab else lab' in
	assertion ~type_safe ~global_assertion ~relocate lab oldlab a1
    | JCAfresh t1 ->
	let ac = tderef_alloc_class ~type_safe t1 in
	let lab = if relocate && oldlab = LabelHere then lab else oldlab in
	let _,alloc =
	  talloc_table_var ~label_in_name:global_assertion lab (ac,t1#region)
	in
        let valid =
	  begin match ac with
	    | JCalloc_root _ ->
              let f = "valid" in
              let t1' = ft t1 in
              LPred(f,[alloc; t1' ])
	    | JCalloc_bitvector ->
              let f = "valid_bytes" in
              let t1' = ft t1 in
              LPred(f,[ alloc; t1'])
	  end
        in
        LNot valid
    | JCAbool_term t1 ->
        let t1' = ft t1 in
        LPred("eq",[ t1'; LConst(Prim_bool true) ])
    | JCAinstanceof(t1,lab',st) ->
	let lab = if relocate && lab' = LabelHere then lab else lab' in
        let t1' = ft t1 in
	let tag =
	  ttag_table_var ~label_in_name:global_assertion lab
	    (struct_root st,t1#region)
	in
        LPred("instanceof",[ tag; t1'; LVar (tag_name st) ])
    | JCAmutable(te, st, ta) ->
        let te' = ft te in
        let tag = ftag ta in
        let mutable_field = LVar (mutable_name (JCtag(st, []))) in
        LPred("eq", [ LApp("select", [ mutable_field; te' ]); tag ])
    | JCAeqtype(tag1,tag2,_st_opt) ->
        let tag1' = ftag tag1 in
        let tag2' = ftag tag2 in
        LPred("eq", [ tag1'; tag2' ])
    | JCAsubtype(tag1,tag2,_st_opt) ->
        let tag1' = ftag tag1 in
        let tag2' = ftag tag2 in
        LPred("subtag", [ tag1'; tag2' ])
    | JCAlet(vi,t,p) ->
	LLet(vi.jc_var_info_final_name,ft t, fa p)
    | JCAmatch(arg, pal) ->
        let arg' = ft arg in
        (* TODO: use a temporary variable for arg' *)
        let pal', _ = pattern_list_assertion fa arg' arg#typ
          pal LTrue in
        pal'
  in
  let a' = bind_pattern_lets a' in
  if a#mark = "" then a' else LNamed(reg_check ~mark:a#mark a#pos, a')

and triggers fa ft trigs =
  let pat = function
    | JCAPatT t -> LPatT (ft t)
    | JCAPatP a -> LPatP (fa a) in
  List.map (List.map pat) trigs

let mark_assertion pos a' =
  match a' with
    | LNamed _ -> a'
    | _ -> LNamed(reg_check pos, a')

let named_assertion ~type_safe ~global_assertion ~relocate lab oldlab a =
  let a' =
    assertion ~type_safe ~global_assertion ~relocate lab oldlab a
  in
  mark_assertion a#pos a'


(******************************************************************************)
(*                                  Locations                                 *)
(******************************************************************************)

let rec pset ~type_safe ~global_assertion before loc =
  let fpset = pset ~type_safe ~global_assertion before in
  let ft = term ~type_safe ~global_assertion ~relocate:false before before in
  let term_coerce = term_coerce ~type_safe ~global_assertion before in
  match loc#node with
    | JCLSderef(locs,lab,fi,_r) ->
        let m = tmemory_var ~label_in_name:global_assertion lab
	  (JCmem_field fi,locs#region) in
        (*begin
          match locs#node with
              (* reduce the pset_deref of a singleton *)
            | JCLSvar vi ->
                let v = tvar ~label_in_name:global_assertion before vi in
                LApp("pset_singleton",[LApp("select", [m;v])])
            | _ ->*) LApp("pset_deref", [m;fpset locs])
        (*end*)
    | JCLSvar vi ->
        let m = tvar ~label_in_name:global_assertion before vi in
        LApp("pset_singleton", [m])
    | JCLSrange(ls,None,None) ->
        let ls = fpset ls in
        LApp("pset_all", [ls])
    | JCLSrange(ls,None,Some b) ->
        let ls = fpset ls in
        let b' = ft b in
        LApp("pset_range_left",
             [ls;
              term_coerce b#pos integer_type b#typ b b'])
    | JCLSrange(ls,Some a,None) ->
        let ls = fpset ls in
        let a' = ft a in
        LApp("pset_range_right",
             [ls;
              term_coerce a#pos integer_type a#typ a a'])
    | JCLSrange(ls,Some a,Some b) ->
        let ls = fpset ls in
        let a' = ft a in
        let b' = ft b in
        LApp("pset_range",
             [ls;
              term_coerce a#pos integer_type a#typ a a';
              term_coerce b#pos integer_type b#typ b b'])
    | JCLSrange_term(ls,None,None) ->
        let ls = LApp("pset_singleton",[ ft ls ]) in
        LApp("pset_all", [ls])
    | JCLSrange_term(ls,None,Some b) ->
        let ls = LApp("pset_singleton",[ ft ls ]) in
        let b' = ft b in
        LApp("pset_range_left",
             [ls;
              term_coerce b#pos integer_type b#typ b b'])
    | JCLSrange_term(ls,Some a,None) ->
        let ls = LApp("pset_singleton",[ ft ls ]) in
        let a' = ft a in
        LApp("pset_range_right",
             [ls;
              term_coerce a#pos integer_type a#typ a a'])
    | JCLSrange_term(ls,Some a,Some b) ->
        let ls = LApp("pset_singleton",[ ft ls ]) in
        let a' = ft a in
        let b' = ft b in
        LApp("pset_range",
             [ls;
              term_coerce a#pos integer_type a#typ a a';
              term_coerce b#pos integer_type b#typ b b'])
    | JCLSat(locs,_) -> fpset locs

let rec collect_locations ~type_safe ~global_assertion before (refs,mems) loc =
(*
  let ft = term ~type_safe ~global_assertion ~relocate:false before before in
*)
  match loc#node with
    | JCLderef(e,lab,fi,_fr) ->
        let iloc = pset ~type_safe ~global_assertion lab e in
        let mc =
(*           if field_of_union fi then FVvariant (union_of_field fi) else *)
	  JCmem_field fi
        in
        let l =
          try
            let l = MemoryMap.find (mc,location_set_region e) mems in
            iloc::l
          with Not_found -> [iloc]
        in
        (refs, MemoryMap.add (mc,location_set_region e) l mems)
    | JCLderef_term(_t1,_fi) ->
	assert false
(*
        let iloc = LApp("pset_singleton",[ ft t1 ]) in
        let mc = JCmem_field fi in
        let l =
          try
            let l = MemoryMap.find (mc,t1#region) mems in
            iloc::l
          with Not_found -> [iloc]
        in
        (refs, MemoryMap.add (mc,t1#region) l mems)
*)
    | JCLvar vi ->
        let var = vi.jc_var_info_final_name in
        (StringMap.add var true refs,mems)
    | JCLat(loc,_lab) ->
        collect_locations ~type_safe ~global_assertion before (refs,mems) loc

let rec collect_pset_locations ~type_safe ~global_assertion loc =
  let ft = term ~type_safe ~global_assertion ~relocate:false in
  match loc#node with
    | JCLderef(e,lab,_fi,_fr) ->
        pset ~type_safe ~global_assertion lab e
    | JCLderef_term(t1,_fi) ->
	let lab = match t1#label with Some l -> l | None -> assert false in
	LApp("pset_singleton",[ ft lab lab t1 ])
    | JCLvar _vi ->
	LVar "pset_empty"
    | JCLat(loc,_lab) ->
        collect_pset_locations ~type_safe ~global_assertion loc

let assigns ~type_safe ?region_list before ef locs loc =
  match locs with
    | None -> LTrue
    | Some locs ->
  let refs =
    (* HeapVarSet.fold
            (fun v m ->
               if Ceffect.is_alloc v then m
               else StringMap.add (heap_var_name v) (Reference false) m)
            assigns.Ceffect.assigns_var
    *)
    VarMap.fold
      (fun v _labs m -> StringMap.add v.jc_var_info_final_name false m)
      ef.jc_writes.jc_effect_globals StringMap.empty
  in
  let mems =
    MemoryMap.fold
      (fun (fi,r) _labs acc ->
	 if (* TODO: bug some assigns \nothing clauses are not translated e.g. in Purse.java (perhaps when no region is used). The first test resolve the problem but may hide another bug : What must be region_list when --no-region is used? *)
	   !Jc_options.separation_sem = SepNone || Option_misc.map_default (RegionList.mem r) true region_list then
	   begin
(*
	     eprintf "ASSIGNS FOR FIELD %s@."
	       (match fi with JCmem_field f -> f.jc_field_info_name
		  | _ -> "??");
*)
             MemoryMap.add (fi,r) [] acc
	   end
	 else
	   begin
(*
	     eprintf "IGNORING ASSIGNS FOR FIELD %s@."
	       (match fi with JCmem_field f -> f.jc_field_info_name
		  | _ -> "??");
*)
             MemoryMap.add (fi,r) [] acc
	   end
      ) ef.jc_writes.jc_effect_memories MemoryMap.empty
  in
  let refs,mems =
    List.fold_left (collect_locations ~type_safe ~global_assertion:false before) (refs,mems) locs
  in
  let a =
    StringMap.fold
      (fun v p acc ->
        if p then acc else
          make_and acc (LPred("eq", [LVar v; lvar ~constant:false (* <<- CHANGE THIS *) ~label_in_name:false before v])))
      refs LTrue
  in
  MemoryMap.fold
    (fun (mc,r) p acc ->
       let v = memory_name(mc,r) in
       let ac = alloc_class_of_mem_class mc in
       let _,alloc = talloc_table_var ~label_in_name:false before (ac,r) in

       make_and acc
	 (let a = LPred("not_assigns",
                [alloc;
                 lvar ~constant:false (* <<- CHANGE THIS *)
                   ~label_in_name:false before v;
                 LDeref v; location_list' p]) in
	  LNamed(reg_check loc,a))
    ) mems a

let reads ~type_safe ~global_assertion locs (mc,r) =
  let refs = StringMap.empty
  in
  let mems = MemoryMap.empty
  in
  let _refs,mems =
    List.fold_left (collect_locations ~type_safe ~global_assertion LabelOld) (refs,mems) locs
  in
  let p = try MemoryMap.find (mc,r) mems with Not_found -> [] in
  location_list' p


(******************************************************************************)
(*                                Expressions                                 *)
(******************************************************************************)

let bounded lb rb s =
  let n = Num.num_of_int s in Num.le_num lb n && Num.le_num n rb

let lbounded lb s =
  let n = Num.num_of_int s in Num.le_num lb n

let rbounded rb s =
  let n = Num.num_of_int s in Num.le_num n rb

let rec const_int_term t =
  match t # node with
    | JCTconst (JCCinteger s) -> Some (Numconst.integer s)
    | JCTvar vi ->
	begin
	  try
	    let _, init =
	      Jc_stdlib.Hashtbl.find
		Jc_typing.logic_constants_table
		vi.jc_var_info_tag
	    in
	      const_int_term init
	  with Not_found -> None
	end
    | JCTapp app ->
	begin
	  try
	    let _, init =
	      Jc_stdlib.Hashtbl.find
		Jc_typing.logic_constants_table
		app.jc_app_fun.jc_logic_info_tag
	    in
	      const_int_term init
	  with Not_found -> None
	end
    | JCTunary (uop, t) ->
	let no = const_int_term t in
	  Option_misc.fold
	    (fun n _ -> match uop with
	       | `Uminus, `Integer -> Some (Num.minus_num n)
	       | _ -> None)
	    no None
    | JCTbinary (t1, bop, t2) ->
	let no1 = const_int_term t1 in
	let no2 = const_int_term t2 in
	  begin match no1, no2 with
	    | Some n1, Some n2 ->
		begin match bop with
		  | `Badd, `Integer -> Some (n1 +/ n2)
		  | `Bsub, `Integer -> Some (n1 -/ n2)
		  | `Bmul, `Integer -> Some (n1 */ n2)
		  | `Bdiv, `Integer ->
		      let n = n1 // n2 in
			if Num.is_integer_num n then
			  Some n
			else
			  None
		  | `Bmod, `Integer -> Some (Num.mod_num n1 n2)
		  | _ -> None
		end
	    | _ -> None
	  end
    | JCTrange_cast (t, _) -> const_int_term t
    | JCTconst _ | JCTshift _ | JCTderef _
    | JCTold _ | JCTat _
    | JCToffset _ | JCTaddress _ | JCTinstanceof _ | JCTbase_block _
    | JCTreal_cast _ | JCTif _ | JCTrange _
    | JCTcast _ | JCTmatch _ | JCTlet _ | JCTbitwise_cast _ ->
	assert false

let rec const_int_expr e =
  match e # node with
    | JCEconst (JCCinteger s) -> Some (Numconst.integer s)
    | JCEvar vi ->
	begin
	  try
	    let _, init =
	      Jc_stdlib.Hashtbl.find
		Jc_typing.logic_constants_table
		vi.jc_var_info_tag
	    in
	      const_int_term init
	  with Not_found -> None
	end
    | JCEapp call ->
	begin match call.jc_call_fun with
	  | JClogic_fun li ->
	      begin
		try
		  let _, init =
		    Jc_stdlib.Hashtbl.find
		      Jc_typing.logic_constants_table
		      li.jc_logic_info_tag
		  in
		    const_int_term init
		with Not_found -> None
	      end
	  | JCfun _ -> None
	end
    | JCErange_cast (e, _) -> const_int_expr e
    | JCEunary (uop, e) ->
	let no = const_int_expr e in
	  Option_misc.fold
	    (fun n _ -> match uop with
	       | `Uminus, `Integer -> Some (Num.minus_num n)
	       | _ -> None)
	    no None
    | JCEbinary (e1, bop, e2) ->
	let no1 = const_int_expr e1 in
	let no2 = const_int_expr e2 in
	  begin match no1, no2 with
	    | Some n1, Some n2 ->
		begin match bop with
		  | `Badd, `Integer -> Some (n1 +/ n2)
		  | `Bsub, `Integer -> Some (n1 -/ n2)
		  | `Bmul, `Integer -> Some (n1 */ n2)
		  | `Bdiv, `Integer ->
		      let n = n1 // n2 in
			if Num.is_integer_num n then
			  Some n
			else
			  None
		  | `Bmod, `Integer -> Some (Num.mod_num n1 n2)
		  | _ -> None
		end
	    | _ -> None
	  end
    | JCEderef _ | JCEoffset _ | JCEbase_block _
    | JCEaddress _ | JCElet _ | JCEassign_var _
    | JCEassign_heap _ ->
	None
    | JCEif _ ->
	None (* TODO *)
    | JCEconst _ | JCEinstanceof _ | JCEreal_cast _
    | JCEalloc _ | JCEfree _ | JCEassert _
    | JCEcontract _ | JCEblock _ | JCEloop _
    | JCEreturn_void | JCEreturn _ | JCEtry _
    | JCEthrow _ | JCEpack _ | JCEunpack _
    | JCEcast _ | JCEmatch _ | JCEshift _
    | JCEbitwise_cast _ | JCEfresh _ ->
	assert false

let destruct_pointer e =
  let ptre, off = match e # node with
    | JCEshift (e1, e2) ->
	e1,
	(match const_int_expr e2 with
	   | Some n -> Int_offset (Num.int_of_num n)
           | None -> Expr_offset e2)
    | _ -> e, Int_offset 0
  in
    match ptre # typ with
      | JCTpointer (_, lb, rb) -> ptre, off, lb, rb
      | _ -> assert false

let rec make_lets l e =
  match l with
    | [] -> e
    | (tmp,a)::l -> mk_expr (Let(tmp,a,make_lets l e))

let old_to_pre = function
  | LabelOld -> LabelPre
  | lab -> lab

let old_to_pre_term =
  Jc_iterators.map_term
    (fun t -> match t#node with
       | JCTold t'
       | JCTat(t',LabelOld) ->
	   new term_with
	     ~node:(JCTat(t',LabelPre)) t
       | JCTderef(t',LabelOld,fi) ->
	   new term_with
	     ~node:(JCTderef(t',LabelPre,fi)) t
       | _ -> t)

let rec old_to_pre_lset lset =
  match lset#node with
    | JCLSvar _ -> lset
    | JCLSderef(lset,lab,fi,_region) ->
	new location_set_with
          ~typ:lset#typ
	  ~node:(JCLSderef(old_to_pre_lset lset, old_to_pre lab, fi, lset#region))
	  lset
    | JCLSrange(lset,t1,t2) ->
	new location_set_with
          ~typ:lset#typ
	  ~node:(JCLSrange(old_to_pre_lset lset,
			   Option_misc.map old_to_pre_term t1,
			   Option_misc.map old_to_pre_term t2))
	  lset
    | JCLSrange_term(lset,t1,t2) ->
	new location_set_with
          ~typ:lset#typ
	  ~node:(JCLSrange_term(old_to_pre_term lset,
				Option_misc.map old_to_pre_term t1,
				Option_misc.map old_to_pre_term t2))
	  lset
    | JCLSat(lset,lab) ->
	new location_set_with
          ~typ:lset#typ
	  ~node:(JCLSat(old_to_pre_lset lset,old_to_pre lab))
	  lset

let rec old_to_pre_loc loc =
  match loc#node with
    | JCLvar _ -> loc
    | JCLat(l,lab) ->
	new location_with
          ~typ:loc#typ
	  ~node:(JCLat(old_to_pre_loc l, old_to_pre lab))
	  loc
    | JCLderef(lset,lab,fi,_region) ->
	new location_with
          ~typ:loc#typ
	  ~node:(JCLderef(old_to_pre_lset lset,old_to_pre lab, fi, lset#region))
	  loc
    | JCLderef_term(t1,fi) ->
	new location_with
          ~typ:loc#typ
	  ~node:(JCLderef_term(old_to_pre_term t1,fi))
	  loc

let assumption al a' =
  let ef = List.fold_left Jc_effect.assertion empty_effects al in
  let read_effects =
    local_read_effects ~callee_reads:ef ~callee_writes:empty_effects
  in
  mk_expr (BlackBox(Annot_type(LTrue, unit_type, read_effects, [], a', [])))

(*
let check al a' =
  let ef = List.fold_left Jc_effect.assertion empty_effects al in
  let read_effects =
    local_read_effects ~callee_reads:ef ~callee_writes:empty_effects
  in
  mk_expr (BlackBox(Annot_type(a', unit_type, read_effects, [], LTrue, [])))
*)

(* decreases clauses: stored in global table for later use at each call sites *)

let decreases_clause_table = Hashtbl.create 17

let term_zero = new term ~typ:integer_type (JCTconst(JCCinteger "0"))

let dummy_measure = (term_zero, None)

let get_measure_for f =
  match !Jc_options.termination_policy with
    | TPalways ->
        (try
          Hashtbl.find decreases_clause_table (f.jc_fun_info_tag)
        with Not_found ->
          Hashtbl.add decreases_clause_table (f.jc_fun_info_tag) dummy_measure;
          eprintf
            "Warning: generating dummy decrease variant for recursive \
             function %s. Please provide a real variant or set \
             termination policy to user or never\n%!" f.jc_fun_info_name;
          dummy_measure)
    | TPuser ->
        (try
          Hashtbl.find decreases_clause_table (f.jc_fun_info_tag)
         with Not_found -> raise Exit)
    | TPnever -> raise Exit




(* Translate the heap update `e1.fi = tmp2'

   essentially we want

   let tmp1 = [e1] in
   fi := upd(fi,tmp1,tmp2)

   special cases are considered to avoid statically known safety properties:
   if e1 has the form p + i then we build

   let tmpp = p in
   let tmpi = i in
   let tmp1 = shift(tmpp, tmpi) in
    // depending on type of p and value of i
   ...
*)
(*
let rec make_upd_simple mark pos e1 fi tmp2 =
  (* Temporary variables to avoid duplicating code *)
  let tmpp = tmp_var_name () in
  let tmpi = tmp_var_name () in
  let tmp1 = tmp_var_name () in
  (* Define memory and allocation table *)
  let mc,_ufi_opt = deref_mem_class ~type_safe:false e1 fi in
  let mem = plain_memory_var (mc,e1#region) in
  let ac = alloc_class_of_mem_class mc in
  let alloc = alloc_table_var (ac,e1#region) in
  let lets, e' =
    if safety_checking () then
      let p,off,lb,rb = destruct_pointer e1 in
      let p' = expr p in
      let i' = offset off in
      let letspi =
	[ (tmpp,p') ; (tmpi,i') ;
	  (tmp1,make_app "shift" [Var tmpp; Var tmpi])]
      in
      match off, lb, rb with
	| Int_offset s, Some lb, Some rb when bounded lb rb s ->
            let e1' = expr e1 in
	    [ (tmp1, e1') ],
            make_app "safe_upd_" [ mem; Var tmp1; Var tmp2 ]
	| Int_offset s, Some lb, _ when lbounded lb s ->
	    letspi,
            make_guarded_app ~mark IndexBounds pos "lsafe_lbound_upd_"
              [ alloc; mem; Var tmpp; Var tmpi; Var tmp2 ]
	| Int_offset s, _, Some rb when rbounded rb s ->
	    letspi,
            make_guarded_app ~mark IndexBounds pos "rsafe_rbound_upd_"
              [ alloc; mem; Var tmpp; Var tmpi; Var tmp2 ]
	| Int_offset s, None, None when s = 0 ->
	    [ (tmp1, p') ],
            make_guarded_app ~mark PointerDeref pos "upd_"
              [ alloc; mem ; Var tmp1; Var tmp2 ]
	| _ ->
	    letspi,
            make_guarded_app ~mark PointerDeref pos "offset_upd_"
              [ alloc; mem ; Var tmpp; Var tmpi; Var tmp2 ]
    else
      let e1' = expr e1 in
      [ (tmp1,e1') ],
      make_app "safe_upd_" [ mem; Var tmp1; Var tmp2 ]
  in
  tmp1, lets, e'
*)



let rec make_upd_simple mark pos e1 fi tmp2 =
  (* Temporary variables to avoid duplicating code *)
  let tmpp = tmp_var_name () in
(*
  eprintf "make_upd_simple: tmp_var_name for tmpp is %s@." tmpp;
*)
  let tmpi = tmp_var_name () in
(*
  eprintf "make_upd_simple: tmp_var_name for tmpi is %s@." tmpi;
*)
  let tmp1 = tmp_var_name () in
(*
  eprintf "make_upd_simple: tmp_var_name for tmp1 is %s@." tmp1;
*)
  (* Define memory and allocation table *)
  let mc,_ufi_opt = deref_mem_class ~type_safe:false e1 fi in
  let mem = match (plain_memory_var (mc,e1#region)).expr_node with
    | Var v -> v
    | _ -> assert false
  in
  let ac = alloc_class_of_mem_class mc in
(*
  let alloc_var = alloc_table_name (ac,e1#region) in
*)
  let alloc = alloc_table_var (ac,e1#region) in
  let is_ref,talloc = talloc_table_var ~label_in_name:true LabelHere (ac,e1#region) in
  let p,off,lb,rb = destruct_pointer e1 in
  let p' = expr p in
  let i' = offset off in
  let letspi =
    [ (tmpp,p') ; (tmpi,i') ;
      (tmp1,make_app "shift" [mk_var tmpp; mk_var tmpi])]
  in
  try
    let s,b1,b2 =
      match off, lb, rb with
        | Int_offset s, Some lb, Some rb when bounded lb rb s ->
            (*
              make_app "safe_upd_" [ mem; mk_var tmp1; mk_var tmp2 ]
            *)
            s,true,true
        | Int_offset s, Some lb, _ when lbounded lb s ->
	    (*
              make_guarded_app ~mark IndexBounds pos "lsafe_lbound_upd_"
              [ alloc; mem; mk_var tmpp; mk_var tmpi; mk_var tmp2 ]
            *)
            s, true, false
        | Int_offset s, _, Some rb when rbounded rb s ->
	    (*
              make_guarded_app ~mark IndexBounds pos "rsafe_rbound_upd_"
              [ alloc; mem; mk_var tmpp; mk_var tmpi; mk_var tmp2 ]
            *)
            s, false, true
              (*
	        | Int_offset s, None, None when int_of_string s = 0 ->
	        [ (tmp1, p') ],
              (*
                make_guarded_app ~mark PointerDeref pos "upd_"
                [ alloc; mem ; mk_var tmp1; mk_var tmp2 ]
              *)
                Upd(alloc, mem , mk_var tmp1, mk_var tmp2)
              *)
        | Int_offset s, None, None ->
	    (*
              make_guarded_app ~mark PointerDeref pos "upd_"
              [ alloc; mem ; mk_var tmp1; mk_var tmp2 ]
            *)
            s, false, false
        | _ ->
            raise Exit
    in
(*    Format.eprintf "found constant update let %s = %a in (%s + %d).%s = ...@." tmpp Output.fprintf_expr p' tmpp s mem;
*)
    let letspi = if s = 0 then [ (tmpp,p') ] else letspi in
    tmp1, [],
    mk_expr (MultiAssign(mark,pos,letspi, is_ref, talloc, alloc, tmpp, p', mem, [s, b1, b2, tmp2]))
 with Exit ->
   tmp1,letspi,
   if (safety_checking()) then
     make_guarded_app ~mark PointerDeref pos "offset_upd_"
	       [ alloc; mk_var mem ; mk_var tmpp; mk_var tmpi; mk_var tmp2 ]
   else
     make_app "safe_upd_" [ mk_var mem; mk_var tmp1; mk_var tmp2 ]


and make_upd_union mark pos off e1 fi tmp2 =
  let e1' = expr e1 in
  (* Convert value assigned into bitvector *)
  let e2' = match fi.jc_field_info_type with
    | JCTenum ri -> make_app (logic_bitvector_of_enum ri) [mk_var tmp2]
    | JCTnative Tinteger -> make_app logic_bitvector_of_integer [mk_var tmp2]
    | JCTnative _ -> assert false (* TODO ? *)
    | JCTtype_var _ -> assert false (* TODO ? *)
    | JCTpointer (_, _, _) -> assert false (* TODO ? *)
    | JCTlogic _ -> assert false (* TODO ? *)
    | JCTany -> assert false (* TODO ? *)
    | JCTnull -> assert false (* TODO ? *)
  in
  (* Temporary variables to avoid duplicating code *)
  let tmp1 = tmp_var_name () in
  let tmp2 = tmp_var_name () in
  let v1 = Jc_pervasives.var e1#typ tmp1 in
  let e1 = new expr_with ~node:(JCEvar v1) e1 in
  let size =
    match fi.jc_field_info_bitsize with
      | Some x -> x / 8
      | None -> assert false
  in
  let union_size =
    (union_type e1#typ).jc_root_info_union_size_in_bytes
  in
  let e2' =
    if size = union_size then
      (* TODO: deal with offset which should be null *)
      e2'
    else
      (* Retrieve bitvector for access to union *)
      let deref = make_deref_simple mark pos e1 fi in
      (* Replace subpart of bitvector for specific subfield *)
      let off = match off with
	| Int_offset s -> s
	| _ -> assert false (* TODO *)
      in
      let off = string_of_int off and size = string_of_int size in
      make_app "replace_bytes"
	[ deref; mk_expr (Cte(Prim_int off)); mk_expr (Cte(Prim_int size)); e2' ]
  in
  let lets = [ (tmp1,e1'); (tmp2,e2') ] in
  let tmp1, lets', e' = make_upd_simple mark pos e1 fi tmp2 in
  tmp1, lets @ lets', e'

and make_upd_bytes mark pos e1 fi tmp2 =
  let e1' = expr e1 in
  (* Convert value assigned into bitvector *)
  let e2' = match fi.jc_field_info_type with
    | JCTenum ri -> make_app (logic_bitvector_of_enum ri) [mk_var tmp2]
    | _ty -> assert false (* TODO *)
  in
  (* Temporary variables to avoid duplicating code *)
  let tmp1 = tmp_var_name () in
  let v1 = Jc_pervasives.var e1#typ tmp1 in
  let e1 = new expr_with ~node:(JCEvar v1) e1 in
  (* Define memory and allocation table *)
  let mem = plain_memory_var (JCmem_bitvector,e1#region) in
  let alloc = alloc_table_var (JCalloc_bitvector,e1#region) in
  (* Store bitvector *)
  let off =
    match field_offset_in_bytes fi with
      | Some x -> x
      | None -> assert false
  in
  let size =
    match fi.jc_field_info_bitsize with
      | Some x ->  x / 8
      | None -> assert false
  in
  let off = string_of_int off and size = string_of_int size in
  let e' =
    if safety_checking () then
      make_guarded_app ~mark PointerDeref pos "upd_bytes_"
        [ alloc; mem; mk_var tmp1;
          mk_expr (Cte(Prim_int off)); mk_expr (Cte(Prim_int size));
	  mk_var tmp2 ]
    else
      make_app "safe_upd_bytes_"
	[ mem; mk_var tmp1; mk_expr (Cte(Prim_int off));
          mk_expr (Cte(Prim_int size)); mk_var tmp2 ]
  in
  let lets = [ (tmp1,e1'); (tmp2,e2') ] in
  tmp1, lets, e'

and make_upd mark pos e1 fi e2 =
  (* Value assigned stored in temporary at that point *)
  let v2 = match e2#node with JCEvar v2 -> v2 | _ -> assert false in
  let tmp2 = v2.jc_var_info_name in
  (* Dispatch depending on kind of memory *)
  let mc,ufi_opt = deref_mem_class ~type_safe:false e1 fi in
  match mc,ufi_opt with
    | JCmem_field fi', None ->
	assert (fi.jc_field_info_tag = fi'.jc_field_info_tag);
	make_upd_simple mark pos e1 fi tmp2
    | JCmem_field fi', Some ufi ->
	assert (fi.jc_field_info_tag = fi'.jc_field_info_tag);
        let tmp1, lets, e1' = make_upd_simple mark pos e1 fi tmp2 in
	let mems = overlapping_union_memories ufi in
	let ef =
	  List.fold_left
	    (fun ef mc -> add_memory_effect LabelHere ef (mc,e1#region))
	    empty_effects mems
	in
	let write_effects =
	  local_write_effects ~callee_reads:empty_effects ~callee_writes:ef
	in
	let e2' =
	  mk_expr(BlackBox(Annot_type(LTrue, unit_type, [], write_effects, LTrue, [])) )
	in
	tmp1, lets, append e1' e2'
    | JCmem_plain_union _vi, _ ->
	let e1,off = destruct_union_access e1 (Some fi) in
	make_upd_union mark pos off e1 fi tmp2
    | JCmem_bitvector, _ ->
	make_upd_bytes mark pos e1 fi tmp2

(* Translate the heap access `e.fi'

   special cases are considered to avoid statically known safety properties:
   if e1 has the form p + i then we build an access that depends on the
   type of p and the value of i
*)
and make_deref_simple mark pos e fi =
  (* Define memory and allocation table *)
  let mc,_ufi_opt = deref_mem_class ~type_safe:false e fi in
  let mem = memory_var (mc,e#region) in
  let ac = alloc_class_of_mem_class mc in
  let alloc = alloc_table_var (ac,e#region) in
  let e' =
    if safety_checking() then
      match destruct_pointer e with
	| _, Int_offset s, Some lb, Some rb when bounded lb rb s ->
            make_app "safe_acc_"
              [ mem ; expr e ]
	| p, (Int_offset s as off), Some lb, _ when lbounded lb s ->
            make_guarded_app ~mark IndexBounds pos "lsafe_lbound_acc_"
              [ alloc; mem; expr p; offset off ]
	| p, (Int_offset s as off), _, Some rb when rbounded rb s ->
            make_guarded_app ~mark IndexBounds pos "rsafe_rbound_acc_"
              [ alloc; mem; expr p; offset off ]
	| p, Int_offset s, None, None when s = 0 ->
            make_guarded_app ~mark PointerDeref pos "acc_"
              [ alloc; mem ; expr p ]
	| p, off, _, _ ->
            make_guarded_app ~mark PointerDeref pos "offset_acc_"
              [ alloc; mem ; expr p; offset off ]
    else
      make_app "safe_acc_" [ mem; expr e ]
  in e'

and make_deref_union mark pos off e fi =
  (* Retrieve bitvector *)
  let e' = make_deref_simple mark pos e fi in
  (* Retrieve subpart of bitvector for specific subfield *)
  let off = match off with
    | Int_offset s -> s
    | _ -> assert false (* TODO *)
  in
  let size =
    match fi.jc_field_info_bitsize with
      | Some x -> x / 8
      | None -> assert false
  in
  let off = string_of_int off and size = string_of_int size in
  let e' =
    make_app "extract_bytes" [ e'; mk_expr (Cte(Prim_int off)); mk_expr(Cte(Prim_int size)) ]
  in
  (* Convert bitvector into appropriate type *)
  match fi.jc_field_info_type with
    | JCTenum ri -> make_app (logic_enum_of_bitvector ri) [e']
    | _ty -> assert false (* TODO *)

and make_deref_bytes mark pos e fi =
  (* Define memory and allocation table *)
  let mem = memory_var (JCmem_bitvector,e#region) in
  let alloc = alloc_table_var (JCalloc_bitvector,e#region) in
  (* Retrieve bitvector *)
  let off =
    match field_offset_in_bytes fi with
      | Some x -> x
      | None -> assert false
  in
  let size =
    match fi.jc_field_info_bitsize with
      | Some x ->  x / 8
      | None -> assert false
  in
  let off = string_of_int off and size = string_of_int size in
  let e' =
    if safety_checking () then
      make_guarded_app ~mark PointerDeref pos "acc_bytes_"
        [ alloc; mem; expr e; mk_expr (Cte(Prim_int off));
          mk_expr (Cte(Prim_int size)) ]
    else
      make_app "safe_acc_bytes_"
	[ mem; expr e; mk_expr (Cte(Prim_int off));
          mk_expr (Cte(Prim_int size)) ]
  in
  (* Convert bitvector into appropriate type *)
  match fi.jc_field_info_type with
    | JCTenum ri -> make_app (logic_enum_of_bitvector ri) [e']
    | JCTnative t ->
	begin
	  match t with
	    | Treal  ->
		unsupported pos "bit-dependent cast over real numbers"
	    | Tgenfloat _ ->
		unsupported pos "bit-dependent cast over floating-point values"
	    | Tstring ->
		unsupported pos "bit-dependent cast over strings"
	    | Tinteger ->
		unsupported pos "bit-dependent cast over integers"
	    | Tboolean ->
		unsupported pos "bit-dependent cast over booleans"
	    | Tunit  ->
		unsupported pos "bit-dependent cast over type unit"
	end
    | JCTtype_var _ -> assert false (* TODO *)
    | JCTpointer (_, _, _) -> assert false (* TODO *)
    | JCTlogic _ -> assert false (* TODO *)
    | JCTany -> assert false (* TODO *)
    | JCTnull -> assert false (* TODO *)

(*
    | ty ->
	Format.eprintf "%a@." print_type ty;
	assert false (* TODO *)
*)

and make_deref mark pos e1 fi =
  (* Dispatch depending on kind of memory *)
  let mc,_uif_opt = deref_mem_class ~type_safe:false e1 fi in
  match mc with
    | JCmem_field _ ->
	make_deref_simple mark pos e1 fi
    | JCmem_plain_union _vi ->
	let e1,off = destruct_union_access e1 (Some fi) in
	make_deref_union mark pos off e1 fi
    | JCmem_bitvector ->
	make_deref_bytes mark pos e1 fi

and offset = function
  | Int_offset s -> mk_expr (Cte (Prim_int (string_of_int s)))
  | Expr_offset e ->
      coerce ~check_int_overflow:(safety_checking())
        e#mark e#pos integer_type e#typ e
        (expr e)
  | Term_offset _ -> assert false

and type_assert tmp ty e =
  let offset k e1 ty tmp =
    let ac = deref_alloc_class ~type_safe:false e1 in
    let _,alloc =
      talloc_table_var ~label_in_name:false LabelHere (ac,e1#region)
    in
    match ac with
      | JCalloc_root _ ->
          let f = match k with
	    | Offset_min -> "offset_min"
	    | Offset_max -> "offset_max"
          in
	  LApp(f,[alloc; LVar tmp])
      | JCalloc_bitvector ->
	  let st = pointer_struct ty in
          let f = match k with
	    | Offset_min -> "offset_min_bytes"
	    | Offset_max -> "offset_max_bytes"
          in
	  let s = string_of_int (struct_size_in_bytes st) in
	  LApp(f,[alloc; LVar tmp; LConst(Prim_int s)])
  in
  let a = match ty with
    | JCTpointer(_pc,n1o,n2o) ->
	let offset_mina n =
	  LPred ("le_int",
		 [offset Offset_min e ty tmp;
		  LConst (Prim_int (Num.string_of_num n))])
	in
	let offset_maxa n =
	  LPred ("ge_int",
		 [offset Offset_max e ty tmp;
		  LConst (Prim_int (Num.string_of_num n))])
	in
	begin match e#typ with
	  | JCTpointer (_si', n1o', n2o') ->
	      begin match n1o, n2o with
		| None, None -> LTrue
		| Some n, None ->
		    begin match n1o' with
		      | Some n' when Num.le_num n' n
                          && not Jc_options.verify_all_offsets
                          -> LTrue
		      | _ -> offset_mina n
		    end
		| None, Some n ->
		    begin match n2o' with
		      | Some n' when Num.ge_num n' n
                          && not Jc_options.verify_all_offsets
                          -> LTrue
		      | _ -> offset_maxa n
		    end
		| Some n1, Some n2 ->
		    begin match n1o', n2o' with
		      | None, None -> make_and (offset_mina n1) (offset_maxa n2)
		      | Some n1', None ->
			  if Num.le_num n1' n1 && not Jc_options.verify_all_offsets then
			    offset_maxa n2
			  else
			    make_and (offset_mina n1) (offset_maxa n2)
		      | None, Some n2' ->
			  if Num.ge_num n2' n2 && not Jc_options.verify_all_offsets then
			    offset_mina n1
			  else
			    make_and (offset_mina n1) (offset_maxa n2)
		      | Some n1', Some n2' ->
			  if Jc_options.verify_all_offsets then
			    make_and (offset_mina n1) (offset_maxa n2)
			  else
			    if Num.le_num n1' n1 then
			      if Num.ge_num n2' n2 then LTrue
                              else
				offset_maxa n2
			    else
			      if Num.ge_num n2' n2 then
				offset_mina n1
                              else
				make_and (offset_mina n1) (offset_maxa n2)
		    end
	      end
	  | JCTnull ->
	      begin match n1o, n2o with
		| None, None -> LTrue
		| Some n, None -> offset_mina n
		| None, Some n -> offset_maxa n
		| Some n1, Some n2 -> make_and (offset_mina n1) (offset_maxa n2)
	      end
	  | _ -> LTrue
	end
    | _ -> LTrue
  in
  (coerce ~check_int_overflow:(safety_checking())
    e#mark e#pos ty
    e#typ e (expr e),
   a)

and list_type_assert vi e (lets, params) =
  let ty = vi.jc_var_info_type in
  let tmp = tmp_var_name() (* vi.jc_var_info_name *) in
  let e,a = type_assert tmp ty e in
  (tmp, e, a) :: lets , (mk_var tmp) :: params

and value_assigned mark pos ty e =
    let tmp = tmp_var_name () in
    let e,a = type_assert tmp ty e in
    if a <> LTrue && safety_checking() then
      mk_expr (Let(tmp,e,make_check ~mark ~kind:IndexBounds pos
            (mk_expr (Assert(`ASSERT,a,mk_var tmp)))))
    else e

and expr e =
  let infunction = get_current_function () in
  let e' = match e#node with
    | JCEconst JCCnull -> mk_var "null"
    | JCEconst c -> mk_expr (Cte(const c))
    | JCEvar v -> var v
    | JCEunary((`Uminus,(`Double|`Float as format)),e2) ->
        let e2' = expr e2 in
        if !Jc_options.float_model <> FMmultirounding then
          make_guarded_app
            ~mark:e#mark FPoverflow e#pos
            ("neg_" ^ float_format format)
            [ e2' ]
        else
          make_guarded_app
            ~mark:e#mark FPoverflow e#pos
 	    (float_operator `Uminus format)
 	    [current_rounding_mode () ; e2' ]

    | JCEunary(op,e1) ->
        let e1' = expr e1 in
        make_app (unary_op op)
          [ coerce ~check_int_overflow:(safety_checking())
              e#mark e#pos (native_operator_type op) e1#typ e1 e1' ]
(*     | JCEbinary(e1,(`Bsub,`Pointer),e2) -> *)
(*         let e1' = make_app "address" [ expr e1 ] in *)
(*         let e2' = make_app "address" [ expr e2 ] in *)
(* 	let st = pointer_struct e1#typ in *)
(* 	let s = string_of_int (struct_size_in_bytes st) in *)
(*         make_app *)
(* 	  (bin_op (`Bdiv,`Integer)) *)
(* 	  [ make_app (bin_op (`Bsub,`Integer)) [ e1'; e2' ]; *)
(* 	    Cte(Prim_int s) ] *)
    | JCEbinary(e1,(_,(`Pointer | `Logic) as op),e2) ->
        let e1' = expr e1 in
        let e2' = expr e2 in
        make_app (bin_op op) [e1'; e2']
    | JCEbinary(e1,(`Bland,_),e2) ->
        let e1' = expr e1 in
        let e2' = expr e2 in
        (* lazy conjunction *)
        mk_expr (And(e1',e2'))
    | JCEbinary(e1,(`Blor,_),e2) ->
        let e1' = expr e1 in
        let e2' = expr e2 in
        (* lazy disjunction *)
        mk_expr (Or(e1',e2'))
    | JCEbinary(e1,(#arithmetic_op as op,(`Double|`Float|`Binary80 as format)),e2) ->
	let e1' = expr e1 in
        let e2' = expr e2 in
        make_guarded_app
	  ~mark:e#mark FPoverflow e#pos
	  (float_operator op format)
	  [current_rounding_mode () ; e1' ; e2' ]
    | JCEbinary(e1,(_,#native_operator_type as op),e2) ->
        let e1' = expr e1 in
        let e2' = expr e2 in
        let ty = native_operator_type op in
        let mk = match fst op with
          | `Bdiv | `Bmod -> make_guarded_app ~mark:e#mark DivByZero e#pos
          | _ -> make_app ?ty:None
	in
        mk (bin_op op)
          [coerce ~check_int_overflow:(safety_checking())
             e1#mark e1#pos ty e1#typ e1 e1';
           coerce ~check_int_overflow:(safety_checking())
             e2#mark e2#pos ty e2#typ e2 e2']
    | JCEshift(e1,e2) ->
	(* TODO: bitwise !!!!!!!!!!!!!!!!!!!!! *)
        let e1' = expr e1 in
        let e2' = expr e2 in
        make_app "shift"
          [e1';
	   coerce ~check_int_overflow:(safety_checking())
             e2#mark e2#pos integer_type e2#typ e2 e2']
    | JCEif(e1,e2,e3) ->
        let e1' = expr e1 in
        let e2' = expr e2 in
        let e3' = expr e3 in
        mk_expr (If(e1',e2',e3'))
    | JCEoffset(k,e1,st) ->
	let ac = deref_alloc_class ~type_safe:false e1 in
        let alloc = alloc_table_var (ac,e1#region) in
	begin match ac with
	  | JCalloc_root _ ->
              let f = match k with
		| Offset_min -> "offset_min"
		| Offset_max -> "offset_max"
              in
	      make_app f [alloc; expr e1]
	  | JCalloc_bitvector ->
              let f = match k with
		| Offset_min -> "offset_min_bytes"
		| Offset_max -> "offset_max_bytes"
              in
	      let s = string_of_int (struct_size_in_bytes st) in
	      make_app f [alloc; expr e1; mk_expr (Cte(Prim_int s))]
	end
    | JCEaddress(Addr_absolute,e1) ->
        make_app "absolute_address" [ expr e1 ]
    | JCEaddress(Addr_pointer,e1) ->
        make_app "address" [ expr e1 ]
    | JCEbase_block(e1) ->
        make_app "base_block" [ expr e1 ]
    | JCEfresh _ -> assert false
    | JCEinstanceof(e1,st) ->
        let e1' = expr e1 in
        let tag = tag_table_var (struct_root st,e1#region) in
        (* always safe *)
        make_app "instanceof_" [ tag; e1'; mk_var(tag_name st) ]
    | JCEcast(e1,st) ->
        if struct_of_union st then
	  expr e1
	else
          let e1' = expr e1 in
          let tmp = tmp_var_name () in
(*
          eprintf "JCEcast: tmp_var_name for tmp is %s@." tmp;
*)
          let tag = tag_table_var (struct_root st,e1#region) in
	  let downcast_fun =
	    if safety_checking () then "downcast_" else "safe_downcast_"
	  in
          let call =
            make_guarded_app e#mark DownCast e#pos downcast_fun
	      [ tag; mk_var tmp; mk_var(tag_name st) ]
          in
          mk_expr (Let(tmp,e1',call)) (* Yannick: why a temporary here? *)
    | JCEbitwise_cast(e1,_st) ->
	expr e1
    | JCErange_cast(e1,ri) ->
        let e1' = expr e1 in
        coerce ~check_int_overflow:(safety_checking())
          e#mark e#pos (JCTenum ri) e1#typ e1 e1'
    | JCEreal_cast(e1,rc) ->
        let e1' = expr e1 in
        begin match rc with
          | Integer_to_real ->
              coerce ~check_int_overflow:(safety_checking())
                e#mark e#pos real_type e1#typ e1 e1'
          | Double_to_real ->
              coerce ~check_int_overflow:(safety_checking())
                e#mark e#pos real_type e1#typ e1 e1'
	  | Float_to_real ->
              coerce ~check_int_overflow:(safety_checking())
                e#mark e#pos real_type e1#typ e1 e1'
          | Round(f,_rm) ->
              coerce ~check_int_overflow:(safety_checking()
					    (* no safe version in the full model*)
	      || not (float_model_has_safe_functions ()))
                e#mark e#pos (JCTnative (Tgenfloat f)) e1#typ e1 e1'
        end
    | JCEderef(e1,fi) ->
  	make_deref e#mark e#pos e1 fi
    | JCEalloc(e1,st) ->
	let e1' = expr e1 in
	let ac = deref_alloc_class ~type_safe:false e in
        let alloc = plain_alloc_table_var (ac,e#region) in
	let pc = JCtag(st,[]) in
	let args = alloc_arguments (ac,e#region) pc in
        if !Jc_options.inv_sem = InvOwnership then
          let tag = plain_tag_table_var (struct_root st,e#region) in
          let mut = mutable_name pc in
          let com = committed_name pc in
          make_app "alloc_parameter_ownership"
            [alloc; mk_var mut; mk_var com; tag; mk_var (tag_name st);
             coerce ~check_int_overflow:(safety_checking())
	       e1#mark e1#pos integer_type
	       e1#typ e1 e1']
	else
          make_guarded_app e#mark
            AllocSize e#pos
            (alloc_param_name ~check_size:(safety_checking()) ac pc)
            (coerce ~check_int_overflow:(safety_checking())
	       e1#mark e1#pos integer_type
	       e1#typ e1 e1'
             :: args)
    | JCEfree e1 ->
	let e1' = expr e1 in
	let ac = deref_alloc_class ~type_safe:false e1 in
        let alloc = plain_alloc_table_var (ac,e1#region) in
        if !Jc_options.inv_sem = InvOwnership then
	  let pc = pointer_class e1#typ in
	  let com = committed_name pc in
	  make_app "free_parameter_ownership"
	    [alloc; mk_var com; e1']
        else
	  let free_fun =
	    if safety_checking () then "free_parameter"
	    else "safe_free_parameter"
	  in
	  make_app free_fun [alloc; e1']


    | JCEapp call ->
	begin match call.jc_call_fun with
          | JClogic_fun f ->
              let arg_types_asserts, args =
		try match f.jc_logic_info_parameters with
		  | [] -> [], []
		  | params ->
(*
		      let param_types =
			List.map (fun v -> v.jc_var_info_type) params
		      in
*)
		      List.fold_right2 list_type_assert
			params call.jc_call_args ([],[])
		with Invalid_argument _ -> assert false
              in
	      let param_assoc =
		List.map2 (fun param arg -> param,arg)
		  f.jc_logic_info_parameters call.jc_call_args
	      in
	      let with_body =
		try
                  let _f,body =
		    IntHashtblIter.find 
                      Jc_typing.logic_functions_table
		      f.jc_logic_info_tag
		  in
		  match body with
		    | JCTerm _ -> true
		    | JCNone | JCReads _ -> false
		    | JCAssertion _ | JCInductive _ -> assert false
                with Not_found -> false
	      in
	      let pre, fname, locals, prolog, epilog, args =
		make_arguments
                  ~callee_reads: f.jc_logic_info_effects
                  ~callee_writes: empty_effects
                  ~region_assoc: call.jc_call_region_assoc
		  ~param_assoc ~with_globals:true ~with_body
		  f.jc_logic_info_final_name args
	      in
	      assert (pre = LTrue);
	      assert (fname = f.jc_logic_info_final_name);
              let call = make_logic_app fname args in
              let new_arg_types_assert =
		List.fold_right
		  (fun opt acc ->
		     match opt with
                       | (_tmp,_e,a) -> make_and a acc)
		  arg_types_asserts LTrue
              in
              let call =
		if new_arg_types_assert = LTrue || not (safety_checking()) then
		  call
		else
		  mk_expr (Assert(`ASSERT,new_arg_types_assert,call))
              in
              let call =
		List.fold_right
		  (fun opt c ->
		     match opt with
                       | (tmp,e,_ass) -> mk_expr (Let(tmp,e,c)))
		  arg_types_asserts call
              in
	      let call = append prolog call in
	      let call =
		if epilog.expr_node = Void then call else
		  let tmp = tmp_var_name () in
		  mk_expr (Let(tmp,call,append epilog (mk_var tmp)))
	      in
              define_locals ~writes:locals call

          | JCfun f ->

              let arg_types_asserts, args =
		try match f.jc_fun_info_parameters with
		  | [] -> [], []
		  | params ->
		      let params =
			List.map (fun (_,v) -> v) params
		      in
		      List.fold_right2 list_type_assert
			params call.jc_call_args ([],[])
		with Invalid_argument _ -> assert false
              in
	      let args =
		List.fold_right2
		  (fun e e' acc ->
		     let e' =
		       if is_pointer_type e#typ && Region.bitwise e#region then
			 let st = pointer_struct e#typ in
			 let vi = struct_root st in
			 make_app (of_pointer_address_name vi) [ e' ]
		       else e'
		     in
		     e' :: acc
		  ) call.jc_call_args args []
	      in
	      let param_assoc =
		List.map2 (fun (_,param) arg -> param,arg)
		  f.jc_fun_info_parameters call.jc_call_args
	      in
	      let fname =
		if safety_checking () then
		  f.jc_fun_info_final_name ^ "_requires"
		else f.jc_fun_info_final_name
	      in
	      let with_body =
		try
		  let _f,_loc,_s,body =
                    IntHashtblIter.find 
                      Jc_typing.functions_table f.jc_fun_info_tag
		  in
		  body <> None
                with Not_found ->
                  (*
                    eprintf "Fatal error: tag for %s not found@." f.jc_fun_info_name;
                    assert false
                  *)
                  false
	      in
	      let args =
		match f.jc_fun_info_builtin_treatment with
		  | TreatNothing -> args
		  | TreatGenFloat format ->
		      (mk_var (float_format format))::(current_rounding_mode ())::args
	      in
	      let pre, fname, locals, prolog, epilog, new_args =
		make_arguments
                  ~callee_reads: f.jc_fun_info_effects.jc_reads
                  ~callee_writes: f.jc_fun_info_effects.jc_writes
                  ~region_assoc: call.jc_call_region_assoc
		  ~param_assoc ~with_globals:false ~with_body
		  fname args
	      in
	      let call = make_guarded_app e#mark UserCall e#pos fname new_args in
	      let call =
		if is_pointer_type e#typ && Region.bitwise e#region then
		  make_app "pointer_address" [ call ]
		else call
	      in
	      (* decreases *)

	      let this_comp = f.jc_fun_info_component in
	      let current_comp = (get_current_function()).jc_fun_info_component in
	      let call =
		if safety_checking() && this_comp = current_comp then
                  try
		  let cur_measure,cur_r = get_measure_for (get_current_function()) in
                  let cur_measure_why =
                    term ~type_safe:true ~global_assertion:true
                      ~relocate:false LabelPre LabelPre cur_measure
                  in
		  let this_measure,this_r = get_measure_for f in
                  let subst =
                    List.fold_left2
                      (fun acc (_,vi) (tmp,_,_) ->
(*
                         Format.eprintf "subst: %s -> %s@."
                           vi.jc_var_info_name tmp;
*)
                         VarMap.add vi (LVar tmp) acc)
                      VarMap.empty f.jc_fun_info_parameters arg_types_asserts
                  in
                  let this_measure_why =
                    term ~subst ~type_safe:true ~global_assertion:true
                      ~relocate:false LabelHere LabelHere this_measure
                  in
		  let r,ty =
		    assert (this_r = cur_r);
		    match this_r with
		      | None -> "zwf_zero", integer_type
		      | Some li ->
                          match li.jc_logic_info_parameters with
                              v1::_ -> li.jc_logic_info_name,v1.jc_var_info_type
                            | _ -> assert false
		  in
                  let this_measure_why =
                    term_coerce
                      ~type_safe:false ~global_assertion:false
                      LabelHere this_measure#pos ty this_measure#typ this_measure this_measure_why
                  in
                  let cur_measure_why =
                    term_coerce
                      ~type_safe:false ~global_assertion:false
                      LabelHere cur_measure#pos ty cur_measure#typ cur_measure cur_measure_why
                  in
		  let pre =
		    LPred(r,[this_measure_why;cur_measure_why])
		  in
		  make_check ~mark:e#mark ~kind:VarDecr e#pos
                    (* Francois mardi 29 juin 2010 : `ASSERT -> `CHECK
                       if this_measure_why = 0 and cur_measure_why = 0 then this assert is not
                       false (0>0) so all the remaining goal are trivial. *)
                    (mk_expr (Assert(`CHECK,pre,call)))
                  with Exit -> call
		else call
	      in
	      (* separation assertions *)
	      let call =
		if pre = LTrue || not (safety_checking()) then
		  call
		else
		  make_check ~mark:e#mark (* ~kind:Separation *) e#pos
		    (mk_expr (Assert(`ASSERT,pre,call)))
	      in
              let arg_types_assert =
		List.fold_right
		  (fun opt acc ->
		     match opt with
                       | (_tmp,_e,a) -> make_and a acc)
		  arg_types_asserts LTrue
              in
              let call =
		if arg_types_assert = LTrue || not (safety_checking()) then
		  call
		else
		  make_check ~mark:e#mark ~kind:IndexBounds e#pos
		    (mk_expr (Assert(`ASSERT,arg_types_assert,call)))
              in
              let call =
		List.fold_right
		  (fun opt c ->
		     match opt with
                       | (tmp,e,_ass) -> mk_expr (Let(tmp,e,c)))
		  arg_types_asserts call
              in
	      let call = append prolog call in
	      let call =
		if epilog.expr_node = Void then call else
		  let tmp = tmp_var_name () in
		  mk_expr (Let(tmp,call,append epilog (mk_var tmp)))
	      in
              define_locals ~writes:locals call
	end
    | JCEassign_var(v,e1) ->
(*
        begin
          match e#mark with
            | "" -> ()
            | l -> Format.eprintf "met assign_var with label %s@." l
        end;
*)
	let e1' = value_assigned e#mark e#pos v.jc_var_info_type e1 in
	let e' = mk_expr (Assign(v.jc_var_info_final_name,e1')) in
	if e#typ = Jc_pervasives.unit_type then
          begin
(*
            eprintf "JCEassign(%s,..) : has type unit@." v.jc_var_info_name;
*)
            e'
          end
        else
          begin
(*
            eprintf "JCEassign(%s,..) : DOES NOT have type unit@." v.jc_var_info_name;
*)
            append e' (var v)
          end
    | JCEassign_heap(e1,fi,e2) ->
	let e2' = value_assigned e#mark e#pos fi.jc_field_info_type e2 in
	(* Define temporary variable for value assigned *)
	let tmp2 = tmp_var_name () in
(*
        eprintf "JCEassign_heap: tmp_var_name for tmp2 is %s@." tmp2;
*)
	let v2 = Jc_pervasives.var fi.jc_field_info_type tmp2 in
	let e2 =
	  new expr_with ~typ:fi.jc_field_info_type ~node:(JCEvar v2) e2
	in
	(* Translate assignment *)
        let tmp1, lets, e' = make_upd e#mark e#pos e1 fi e2 in
        let e' =
	  if (safety_checking()) && !Jc_options.inv_sem = InvOwnership then
            append (assert_mutable (LVar tmp1) fi) e'
	  else e'
	in
	let lets = (tmp2,e2') :: lets in
        let e' =
          if e#typ = Jc_pervasives.unit_type then
	    match e'.expr_node with
              | MultiAssign(m,p,lets',isrefa,ta,a,tmpe,e,f,l) ->
(*
                eprintf "multiassign for a unit type !@.";
                eprintf "length lets = %d, length lets' = %d@."
                  (List.length lets) (List.length lets');
*)
                  { e' with expr_node =
                      MultiAssign(m,p,lets@lets',isrefa,ta,a,tmpe,e,f,l)}
              | _ ->
                  make_lets lets e'
          else
            begin
(*
              eprintf "multiassign but not a unit type !@.";
*)
              make_lets lets (append e' (mk_var tmp2))
            end
        in
        if !Jc_options.inv_sem = InvOwnership then
          append e' (assume_field_invariants fi)
        else e'

    | JCEblock el ->
        List.fold_right append (List.map expr el) void
    | JCElet(v,e1,e2) ->
        let e1' = match e1 with
          | None ->
              any_value v.jc_var_info_region v.jc_var_info_type
          | Some e1 ->
	      value_assigned e#mark e#pos v.jc_var_info_type e1
	in
	let e2' = expr e2 in
        if v.jc_var_info_assigned then
	  mk_expr (Let_ref(v.jc_var_info_final_name,e1',e2'))
        else
	  mk_expr (Let(v.jc_var_info_final_name,e1',e2'))
    | JCEreturn_void -> mk_expr (Raise(jessie_return_exception,None))
    | JCEreturn(ty,e1) ->
	let e1' = value_assigned e#mark e#pos ty e1 in
	let e' = mk_expr (Assign(jessie_return_variable,e1')) in
	append e' (mk_expr (Raise(jessie_return_exception,None)))
    | JCEunpack(st,e1,as_st) ->
        let e1' = expr e1 in
        make_guarded_app e#mark Unpack e#pos
          (unpack_name st) [ e1'; mk_var (tag_name as_st) ]
    | JCEpack(st,e1,from_st) ->
        let e1' = expr e1 in
        make_guarded_app e#mark Pack e#pos
          (pack_name st) [ e1'; mk_var (tag_name from_st) ]
    | JCEassert(b,asrt,a) ->
(*
        Format.eprintf "assertion meet, kind %a for behaviors: %a@."
          Jc_output_misc.asrt_kind asrt
          (print_list comma Jc_output.identifier) b;
*)
	let a' =
	  named_assertion
	    ~type_safe:false ~global_assertion:false ~relocate:false
	    LabelHere LabelPre a
	in
(*
        Format.eprintf "assertion to check ?@.";
*)
	begin match asrt with
	  | Aassert | Ahint ->
	      if in_current_behavior b then
		mk_expr (Assert(`ASSERT,a',void))
	      else if in_default_behavior b then
		assumption [ a ] a'
              else
                void
	  | Aassume ->
	      if in_current_behavior b || in_default_behavior b then
		assumption [ a ] a'
	      else void
          | Acheck ->
(*
              (match b with
                 | [] -> Format.eprintf "check for no behavior@."
                 | b::_ -> Format.eprintf "check for behavior %s,...@." b#name);
*)
              if in_current_behavior b then
		mk_expr (Assert(`CHECK,a',void))
	      else void
	end
    | JCEloop(la,e1) ->
	let inv,assume_from_inv =
	  List.fold_left
	    (fun ((invariants,assumes) as acc) (names,inv,_) ->
	       match inv with
		 | Some i ->
		     if in_current_behavior names
		     then (i::invariants,assumes)
		     else
		       if List.exists
			 (fun behav -> behav#name = "default")
			 names
		       then
			 (invariants,i::assumes)
		       else
			 (invariants,assumes)
		 | None -> acc)
	    ([],[])
	    la.jc_loop_behaviors
	in
        let inv' =
	  make_and_list
	    (List.map
	       (named_assertion
		  ~type_safe:false ~global_assertion:false ~relocate:false
		  LabelHere LabelPre) inv)
	in
        let assume_from_inv' =
	  make_and_list
	    (List.map
	       (named_assertion
		  ~type_safe:false ~global_assertion:false ~relocate:false
		  LabelHere LabelPre) assume_from_inv)
	in
	(* free invariant: trusted or not *)
	let free_inv = la.jc_free_loop_invariant in
        let free_inv' =
	  named_assertion
	    ~type_safe:false ~global_assertion:false ~relocate:false
	    LabelHere LabelPre free_inv
        in
        let inv' =
	  if Jc_options.trust_ai then inv' else make_and inv' free_inv'
	in
	(* loop assigns

	   By default, the assigns clause for the function should be
	   taken

	   Yannick: wrong, as function's assigns clause does not deal
	   with newly allocated memory, nor local variables, which may
	   be assigned in the loop.

	   Claude: it is not wrong if we take care: the implicit loop
	   assigns generated from the function's assigns should relate
	   the state Pre (for the function) and current state. Whereas an
	   explicit loop assigns relates the state before entering the
	   loop and the current state. example:


	   int t[10];
	   //@ assigns t[0..9]
	   f() { int i;
	   int u[] = new int [10];
	   //@ loop assigns t[0..i], u[0..i]
	   for (i=0; i < 10; i++) {
	   t[i] = ...; u[i] = ...
	   }

	   the Why code should be

	   f() { let i = ref any_int() in
	   let u = alloc_array(10) // writes alloc
	   in
	   loop_init:
	   i := 0;
	   while (!i < 10) do
	     invariant
	        // from loop assigns
	        assigns(alloc@loop_init,intP@loop_init,intP,
	                    t[0..i] union u[0..i])
	        and
	        // from function's assigns
	        assigns(alloc@,intP@,intP, t[0..9])
	     intP := store(intP,t+!i,...);
	     intP := store(intP,u+!i,...);
	     i := !i + 1;
	   done;

	*)


	(* loop assigns from function's loop assigns *)

	let loop_assigns_from_function =
	  let s = get_current_spec () in
	  List.fold_left
	    (fun acc (_pos,id,b) ->
	       if is_current_behavior id then
		 match b.jc_behavior_assigns with
		   | None -> acc
		   | Some(_pos,loclist) ->
		       let loclist = List.map old_to_pre_loc loclist in
		       match acc with
			 | None -> Some loclist
			 | Some loclist' -> Some (loclist @ loclist')
	       else acc
	    ) None (s.jc_fun_default_behavior::s.jc_fun_behavior)
	in

	(* This is the code producing the Why invariant from the user's loop assigns

   a loop assigns for behavior b should be

   - taken as an invariant if current behavior is b

   - taken as an assumption at loop entrance if current behavior is not b
     and b is "default"

     WARNING: this is UNSOUND if the defautl behavior has an assumes clause!!!
       -> temporarily disabled

   - otherwise ignored

*)


	let loop_assigns =
	  List.fold_left
	    (fun acc (names,_inv,ass) ->
	       match ass with
		 | Some i ->
		     if in_current_behavior names
		     then
		       match acc with
			 | None -> Some i
			 | Some l -> Some (i@l)
		     else
		       (*
			 if List.exists
			 (fun behav -> behav#name = "default")
			 names
			 then
			 (invariants,i::assumes)
		       else
			 (invariants,assumes)
		       *)
		       acc
		 | None -> acc)
	    None
	    la.jc_loop_behaviors
	in

	let loop_label = fresh_loop_label() in

	let ass =
	  assigns ~type_safe:false
	    (LabelName loop_label) infunction.jc_fun_info_effects loop_assigns
	    e#pos
	in

	let ass_from_fun =
	  assigns ~type_safe:false
	    LabelPre infunction.jc_fun_info_effects loop_assigns_from_function
	    e#pos
	in

        let inv' =
	  make_and inv' (make_and (mark_assertion e#pos ass)
			   (mark_assertion e#pos ass_from_fun))
	in
	(* loop body *)
        let body = expr e1 in
	let add_assume s =
          let s = append (assumption assume_from_inv assume_from_inv') s in
          if Jc_options.trust_ai then
            append (assumption [ free_inv ] free_inv') s
          else s
        in
	let body = [ add_assume body ] in
	(* loop variant *)
	let loop_variant =
          match la.jc_loop_variant with
            | Some (t,r) when variant_checking () &&
                !Jc_options.termination_policy <> TPnever ->
		let variant =
		  named_term
		    ~type_safe:false ~global_assertion:false ~relocate:false
		    LabelHere LabelPre t
	        in
                let variant,r = match r with
                  | None ->
		      term_coerce
                        ~type_safe:false ~global_assertion:false
                        LabelHere t#pos integer_type t#typ t variant, None
                  | Some id -> variant, Some id.jc_logic_info_name
                in
                Some (variant,r)
            | None when variant_checking () &&
                !Jc_options.termination_policy = TPalways ->
                eprintf
                  "Warning, generating a dummy variant for loop. \
                   Please provide a real variant or set termination policy \
                   to user or never\n%!";
                Some (LConst(Prim_int "0"),None)
            | _ -> None
        in
(*
        eprintf "Jc_interp.expr: adding loop label %s@." loop_label.label_info_final_name;
*)
        make_label loop_label.label_info_final_name
	  (mk_expr (While((mk_expr (Cte(Prim_bool true)),
                           inv', loop_variant, body))))

    | JCEcontract(req,dec,vi_result,behs,e) ->
	let r =
          match req with
            | Some a ->
                assertion
	          ~type_safe:false ~global_assertion:false ~relocate:false
	          LabelHere LabelPre a
            | _ -> LTrue
        in
        assert (dec = None);
        let ef = Jc_effect.expr Jc_pervasives.empty_fun_effect e in
	begin match behs with
	  | [_pos,id,b] ->
	      assert (b.jc_behavior_throws = None);
	      assert (b.jc_behavior_assumes = None);
	      let a =
		assertion
		  ~type_safe:false ~global_assertion:false ~relocate:false
		  LabelHere LabelPre b.jc_behavior_ensures
	      in
              let post = match b.jc_behavior_assigns with
                | None -> a
                | Some(_,locs) ->
                    make_and a
	              (assigns ~type_safe:false
	                 LabelPre
                         ef (* infunction.jc_fun_info_effects*) (Some locs)
	                 e#pos)
              in
              if safety_checking () then
                begin
                  let tmp = tmp_var_name () in
                  mk_expr (Let(tmp,
                               mk_expr (Triple(true,r,expr e,LTrue,[])),
                               append
                                 (mk_expr
                                    (BlackBox(Annot_type(LTrue,unit_type,[],[],post,[]))))
                                 (mk_expr (Var tmp))))
                end
              else if is_current_behavior id then
                if r = LTrue
                then
                  mk_expr (Triple(true,LTrue,expr e,post,[]))
                else
                  append
                    (mk_expr (BlackBox(Annot_type(LTrue,unit_type,[],[],r,[]))))
                    (mk_expr (Triple(true,LTrue,expr e,post,[])))
              else
(*
                let reads = read_effects
                  ~callee_reads:ef.jc_reads
                  ~callee_writes:ef.jc_writes ~params:[] ~region_list:[]
                in
                let _writes = write_effects
                  ~callee_reads:ef.jc_reads
                  ~callee_writes:ef.jc_writes ~params:[] ~region_list:[]
                in
*)
                append
                  (mk_expr (BlackBox(Annot_type(LTrue,unit_type,[],[],r,[]))))
                  (*
                  (mk_expr (BlackBox(Annot_type(LTrue, tr_var_type vi_result,reads, writes, post, []))))
                  *)
                  (let tmp = tmp_var_name () in
                   mk_expr (Let(tmp,
                                (mk_expr (Triple(true,LTrue,expr e,LTrue,[]))),
                                (mk_expr (BlackBox(Annot_type(LTrue, tr_var_type vi_result,[], [], post, [])))))))
	  | _ -> assert false
	end
    | JCEthrow(exc,Some e1) ->
        let e1' = expr e1 in
        mk_expr (Raise(exception_name exc,Some e1'))
    | JCEthrow(exc, None) ->
        mk_expr (Raise(exception_name exc,None))
    | JCEtry (s, catches, _finally) ->
(*      assert (finally.jc_statement_node = JCEblock []); (\* TODO *\) *)
        let catch (s,excs) (ei,v_opt,st) =
          if ExceptionSet.mem ei excs then
            (mk_expr (Try(s,
                 exception_name ei,
                 Option_misc.map (fun v -> v.jc_var_info_final_name) v_opt,
                 expr st)),
             ExceptionSet.remove ei excs)
          else
            begin
(* YMo: too many questions about warning due to generated Jessie *)
(*               eprintf "Warning: exception %s cannot be thrown@." *)
(*                 ei.jc_exception_info_name; *)
              (s,excs)
            end
        in
        let ef = Jc_effect.expr empty_fun_effect s in
        let (s,_) =
          List.fold_left catch (expr s,ef.jc_raises) catches
        in s
    | JCEmatch (e, psl) ->
        let tmp = tmp_var_name () in
        let body = pattern_list_expr expr (LVar tmp) e#region
          e#typ psl in
        mk_expr (Let(tmp, expr e, body))
  in
  let e' =
    (* Ideally, only labels used in logical annotations should be kept *)
    let lab = e#mark in
    if lab = "" then e' else
      begin
        match e' with
            (*
              | MultiAssign _ -> assert false
            *)
          | _ ->
(*
              if lab = "L2" then eprintf "Jc_interp.expr: adding label %s to expr %a@." lab Output.fprintf_expr e';
*)
              make_label e#mark e'
      end
  in
  let e' =
    if e#typ = Jc_pervasives.unit_type then
      if match e#original_type with
        | JCTany | JCTnative Tunit -> false
        | _ -> true
      then
        match e'.expr_node with
          | MultiAssign _ -> e'
          | _ ->
	      (* Create dummy temporary *)
	      let tmp = tmp_var_name () in
	      mk_expr (Let(tmp,e',void))
      else e'
    else
      match e'.expr_node with
        | MultiAssign _ -> assert false
        | _ -> e'
  in
(*
  begin
    match e' with
      | MultiAssign _ -> eprintf "Jc_interp.expr produces MultiAssign@.";
      | _ -> ()
  end;
*)
  e'



(*****

finalization: removing MultiAssign expressions

***)

let make_old_style_update ~mark ~pos alloc tmpp tmpshift mem i b1 b2 tmp2 =
  if safety_checking() then
    match b1,b2 with
      | true,true ->
          make_app "safe_upd_" [ mk_var mem; mk_var tmpshift; mk_var tmp2 ]
      | true,false ->
          make_guarded_app ~mark IndexBounds pos "lsafe_lbound_upd_"
            [ alloc; mk_var mem; mk_var tmpp; mk_expr (Cte i); mk_var tmp2 ]
      | false,true ->
          make_guarded_app ~mark IndexBounds pos "rsafe_rbound_upd_"
            [ alloc; mk_var mem; mk_var tmpp; mk_expr (Cte i); mk_var tmp2 ]
      | false,false ->
          make_guarded_app ~mark PointerDeref pos "upd_"
            [ alloc; mk_var mem ; mk_var tmpshift; mk_var tmp2 ]
  else
    make_app "safe_upd_" [ mk_var mem; mk_var tmpshift; mk_var tmp2 ]

let make_old_style_update_no_shift ~mark ~pos alloc tmpp mem b1 b2 tmp2 =
  if safety_checking() then
    match b1,b2 with
      | true,true ->
          make_app "safe_upd_" [ mk_var mem; mk_var tmpp; mk_var tmp2 ]
      | true,false ->
          make_guarded_app ~mark IndexBounds pos "lsafe_lbound_upd_"
            [ alloc; mk_var mem; mk_var tmpp; mk_expr (Cte (Prim_int "0")); mk_var tmp2 ]
      | false,true ->
          make_guarded_app ~mark IndexBounds pos "rsafe_rbound_upd_"
            [ alloc; mk_var mem; mk_var tmpp; mk_expr (Cte (Prim_int "0")); mk_var tmp2 ]
      | false,false ->
          make_guarded_app ~mark PointerDeref pos "upd_"
            [ alloc; mk_var mem ; mk_var tmpp; mk_var tmp2 ]
  else
    make_app "safe_upd_" [ mk_var mem; mk_var tmpp; mk_var tmp2 ]

let make_not_assigns talloc mem t l =
  let l = List.map (fun (i,_,_,_) -> i) l in
  let l = List.sort Pervasives.compare l in
  let rec merge l acc =
    match l,acc with
      | [],_ -> acc
      | i::r, [] -> merge r [(i,i)]
      | i::r, (a,b)::acc' ->
          if i=b+1 then merge r ((a,i)::acc')
          else merge r ((i,i)::acc)
  in
  let i,l = match merge l []
  with [] -> assert false
    | i::l -> i,l
  in
  let pset_of_interval (a,b) =
    if a=b then LApp("pset_singleton",[
                       LApp("shift",[LVar t;
                                     LConst (Prim_int (string_of_int a))])])
    else LApp("pset_range",[
                LApp("pset_singleton", [LVar t]);
                LConst(Prim_int (string_of_int a));
                LConst(Prim_int (string_of_int b))])
  in
  let pset = List.fold_left
    (fun acc i ->
       LApp("pset_union",[pset_of_interval i; acc]))
    (pset_of_interval i)
    l
  in
  LPred("not_assigns",[talloc;LDerefAtLabel(mem,"") ; LDeref mem ; pset])





let rec finalize e =
  match e.expr_node with
    | Absurd | Void | Cte _ | Var _ | BlackBox _ | Assert _ | Deref _
    | Raise(_, None) -> e
    | Triple(opaque,pre,e1,post,posts) ->
      { e with expr_node = Triple(opaque,pre,finalize e1,post,posts) }
    | Loc (l, e1) -> {e with expr_node = Loc(l,finalize e1) }
(*
    | Label (l, e) -> Label(l,finalize e)
*)
    | Fun (_, _, _, _, _) -> assert false
    | Try (e1, exc, arg, e2) ->
        {e with expr_node = Try(finalize e1, exc, arg, finalize e2)}
    | Raise (id, Some e1) ->
        {e with expr_node = Raise(id, Some(finalize e1))}
    | App (e1, e2, ty) ->
        {e with expr_node = App(finalize e1, finalize e2, ty)}
    | Let_ref (x, e1, e2) ->
        {e with expr_node = Let_ref(x, finalize e1, finalize e2)}
    | Let (x, e1, e2) ->
        {e with expr_node = Let(x, finalize e1, finalize e2)}
    | Assign (x, e1) ->
        {e with expr_node = Assign(x, finalize e1) }
    | Block(l) ->
        {e with expr_node = Block(List.map finalize l) }
    | While (e1, inv, var, l) ->
        {e with expr_node = While(finalize e1, inv, var, List.map finalize l)}
    | If (e1, e2, e3) ->
        {e with expr_node = If(finalize e1, finalize e2, finalize e3)}
    | Not e1 ->
        {e with expr_node = Not(finalize e1)}
    | Or (e1, e2) ->
        {e with expr_node = Or(finalize e1, finalize e2) }
    | And (e1, e2) ->
        {e with expr_node = And(finalize e1, finalize e2) }
    | MultiAssign(mark,pos,lets,isrefalloc,talloc,alloc,tmpe,_e,mem,l) ->
(*
        eprintf "finalizing a MultiAssign@.";
*)
        match l with
          | [] -> assert false
          | [(i,b1,b2,e')] ->
(*
            eprintf "MultiAssign is only for one update@.";
*)
              if i=0 then
                 make_lets lets
                   (make_old_style_update_no_shift ~mark ~pos alloc tmpe mem b1 b2 e')
              else
                let tmpshift = tmp_var_name () in
(*
                eprintf "Jc_interp.finalize: tmp_var_name for tmpshift is %s@." tmpshift;
*)
                let i = Prim_int (string_of_int i) in
                make_lets lets
                  (make_lets [tmpshift,make_app "shift" [mk_var tmpe; mk_expr (Cte i)]]
                     (make_old_style_update ~mark ~pos alloc tmpe tmpshift mem i b1 b2 e'))
         | _ ->
(*
            eprintf "MultiAssign is for several updates !@.";
*)
              let pre =
                if safety_checking() then
                  make_and_list
                    (List.fold_left
                       (fun acc (i,b1,b2,_) ->
                          (* valid e+i *)
                          let i = LConst (Prim_int (string_of_int i)) in
                          (if b1 then LTrue else
                             (* offset_min(alloc,e) <= i *)
	                     LPred ("le_int",
		                    [LApp("offset_min",
                                          [talloc; LVar tmpe]);
                                     i])) ::
                            (if b2 then LTrue else
                               (* i <= offset_max(alloc,e) *)
	                       LPred ("le_int",
		                      [i ;
                                       LApp("offset_max",
                                            [talloc; LVar tmpe])]))
                          ::acc
                       )
                       []
                       l)
                else LTrue
              in
              let post =
                make_and_list
                  (make_not_assigns talloc mem tmpe l ::
                     List.map
                     (fun (i,_,_,e') ->
                        (* (e+i).f == e' *)
                        LPred("eq",
                              [ LApp("select",
                                     [ LDeref mem;
                                       LApp("shift",
                                            [ LVar tmpe ; LConst (Prim_int (string_of_int i))] )]);
                                LVar e'])) l)
              in
              let reads = if isrefalloc then
                match talloc with
                  | LVar v -> [v;mem]
                  | LDeref v -> [v;mem]
                  | _ -> assert false
              else
                [mem]
              in
              make_lets lets
                (mk_expr (BlackBox (Annot_type(pre,unit_type,reads,[mem],post,[]))))


let expr e = finalize (expr e)


(*****************************)
(* axioms, lemmas, goals   *)
(**************************)

let tr_axiom loc id ~is_axiom labels a acc =

  if Jc_options.debug then
    Format.printf "[interp] axiom %s@." id;

  let lab = match labels with [lab] -> lab | _ -> LabelHere in
  let ef = Jc_effect.assertion empty_effects a in
  let a' =
    assertion ~type_safe:false ~global_assertion:true ~relocate:false lab lab a
  in
  let params = tmodel_parameters ~label_in_name:true ef in
  let new_id = get_unique_name id in
  reg_decl
    ~out_mark:new_id
    ~in_mark:id
    ~name:id
    ~beh:(if is_axiom then "axiom" else "lemma")
    loc;
  let a' =
    List.fold_right (fun (n,_v,ty') a' -> LForall(n,ty',[],a')) params a'
  in
  Goal((if is_axiom then KAxiom else KLemma),
       {Output.name = new_id; loc = Loc.extract loc},a') :: acc




(***********************************)
(*             axiomatic decls     *)
(***********************************)


let tr_axiomatic_decl acc d =
  match d with
    | Jc_typing.ABaxiom(loc,id,labels,p) ->
	tr_axiom loc ~is_axiom:true id labels p acc

(******************************************************************************)
(*                                 Functions                                  *)
(******************************************************************************)

let excep_posts_for_others exc_opt excep_behaviors =
  ExceptionMap.fold
    (fun exc _bl acc ->
       match exc_opt with
         | Some exc' ->
	     if exc.jc_exception_info_tag = exc'.jc_exception_info_tag then
	       acc
	     else
	       (exception_name exc, LTrue) :: acc
         | None -> (exception_name exc, LTrue) :: acc
    ) excep_behaviors []

let fun_parameters ~type_safe params write_params read_params =
  let write_params =
    List.map (fun (n,ty') -> (n,Ref_type(Base_type ty'))) write_params
  in
  let read_params =
    List.map (fun (n,ty') -> (n,Base_type ty')) read_params
  in
  let params =
    List.map (fun v ->
		let n,ty' = param ~type_safe v in
		(n, Base_type ty')
	     ) params
  in
  let params = params @ write_params @ read_params in
  match params with
    | [] -> [ ("tt", unit_type) ]
    | _ -> params

let annot_fun_parameters params write_params read_params annot_type =
  let params = fun_parameters ~type_safe:true params write_params read_params in
  List.fold_right (fun (n,ty') acc -> Prod_type(n, ty', acc))
    params annot_type

let function_body _f spec behavior_name body =
  set_current_behavior behavior_name;
  set_current_spec spec;
  let e' = expr body in
  reset_current_behavior ();
  reset_current_spec ();
  e'

(* Only used for internal function, hence type-safe parameter set to false *)
let assume_in_precondition b pre =
  match b.jc_behavior_assumes with
    | None -> pre
    | Some a ->
	let a' =
	  assertion ~type_safe:false ~global_assertion:false ~relocate:false
	    LabelHere LabelHere a
	in
	make_and a' pre

(* Only used for external prototype, hence type-safe parameter set to true *)
let assume_in_postcondition b post =
  match b.jc_behavior_assumes with
    | None -> post
    | Some a ->
	let a' =
	  assertion ~type_safe:true ~global_assertion:false ~relocate:true
	    LabelOld LabelOld a
	in
	make_impl a' post

let function_prototypes = Hashtbl.create 7

let get_valid_pred_app ~in_param vi =
  match vi.jc_var_info_type with
    | JCTpointer (pc, n1o, n2o) ->
	(* TODO: what about bitwise? *)
	let v' =
          term ~type_safe:false ~global_assertion:false ~relocate:false
	    LabelHere LabelHere (new term_var vi)
	in
	  begin match n1o, n2o with
            | None, None -> LTrue
	    | Some n, None ->
		let ac = alloc_class_of_pointer_class pc in
                let a' =
		  make_valid_pred_app ~in_param ~equal:false
		    (ac, vi.jc_var_info_region) pc
                    v' (Some (const_of_num n)) None
                in
		  bind_pattern_lets a'
	    | None, Some n ->
		let ac = alloc_class_of_pointer_class pc in
                let a' =
		  make_valid_pred_app ~in_param ~equal:false
		    (ac, vi.jc_var_info_region) pc
                    v' None (Some (const_of_num n))
                in
		  bind_pattern_lets a'
            | Some n1, Some n2 ->
		let ac = alloc_class_of_pointer_class pc in
                let a' =
		  make_valid_pred_app  ~in_param ~equal:false (ac, vi.jc_var_info_region) pc
                    v' (Some (const_of_num n1)) (Some (const_of_num n2))
                in
		  bind_pattern_lets a'
	  end
    | JCTnative _ | JCTlogic _ | JCTenum _ | JCTnull | JCTany
    | JCTtype_var _ -> LTrue


let pre_tr_fun f _funpos spec _body acc =
  begin
    match spec.jc_fun_decreases with
      | None -> ()
      | Some(t,r) ->
	  Hashtbl.add decreases_clause_table f.jc_fun_info_tag (t,r)
  end;
  acc


let tr_fun f funpos spec body acc =

  if Jc_options.debug then
    Format.printf "[interp] function %s@." f.jc_fun_info_name;
  Jc_options.lprintf "Jc_interp: function %s@." f.jc_fun_info_name;

  (* handle parameters that are assigned in the body *)

  let assigned_params =
    List.fold_left
      (fun acc (_,v) ->
         if v.jc_var_info_assigned then
           begin
             v.jc_var_info_assigned <- false;
             v :: acc
           end
         else
           acc)
      [] f.jc_fun_info_parameters
  in

  (* global variables valid predicates *)
  let variables_valid_pred_apps = LTrue
(* Yannick: commented out because not taken into account in effects
    Hashtbl.fold
      (fun _ (vi, _) acc ->
         let req = get_valid_pred_app vi in
	   make_and req acc)
      Jc_typing.variables_table LTrue
*)
  in

  (* precondition for calling the function and extra one for analyzing it *)

  let external_requires =
    named_assertion ~type_safe:true ~global_assertion:false ~relocate:false
      LabelHere LabelHere spec.jc_fun_requires
  in
  let external_requires =
    if Jc_options.trust_ai then
      external_requires
    else
      let free_requires =
	named_assertion ~type_safe:true ~global_assertion:false ~relocate:false
	  LabelHere LabelHere spec.jc_fun_free_requires
      in
	make_and external_requires free_requires
  in

  let internal_requires =
    named_assertion ~type_safe:false ~global_assertion:false ~relocate:false
      LabelHere LabelHere spec.jc_fun_requires
  in
  let free_requires =
    named_assertion ~type_safe:false ~global_assertion:false ~relocate:false
      LabelHere LabelHere spec.jc_fun_free_requires
  in
  let free_requires = make_and variables_valid_pred_apps free_requires in
  let internal_requires = make_and internal_requires free_requires in
  let internal_requires =
    List.fold_left
      (fun acc (_,v) ->
         let req = get_valid_pred_app  ~in_param:true v in
	   make_and req acc)
      internal_requires f.jc_fun_info_parameters
  in


  (* partition behaviors as follows:
     - (optional) 'safety' behavior (if Arguments Invariant Policy is selected)
     - (optional) 'inferred' behaviors (computed by analysis)
     - user defined behaviors *)

  let behaviors = spec.jc_fun_default_behavior :: spec.jc_fun_behavior in
  let (safety_behavior,
       normal_behaviors_inferred, normal_behaviors,
       excep_behaviors_inferred, excep_behaviors) =
    List.fold_left
      (fun (safety,normal_inferred,normal,excep_inferred,excep) (pos,id,b) ->
	 let make_post ~type_safe ~internal =
	   let post =
	     if internal && Jc_options.trust_ai then
	       b.jc_behavior_ensures
	     else
	       Assertion.mkand [ b.jc_behavior_ensures;
				 b.jc_behavior_free_ensures ] ()
	   in
	   let post =
	     named_assertion
	       ~type_safe ~global_assertion:false ~relocate:false
	       LabelPost LabelOld post
	   in
           let post = match b.jc_behavior_assigns with
             | None ->
		 Jc_options.lprintf
		   "Jc_interp: behavior '%s' has no assigns@." id;
		 post
             | Some(assigns_pos,loclist) ->
		 Jc_options.lprintf
		   "Jc_interp: behavior '%s' has assigns clause with %d elements@."
		   id (List.length loclist);
		 let assigns_post =
                   mark_assertion assigns_pos
                     (assigns ~type_safe
			~region_list:f.jc_fun_info_param_regions
			LabelOld f.jc_fun_info_effects (Some loclist) funpos)
		 in
		 mark_assertion pos (make_and post assigns_post)
	   in post
	 in
	 let internal_post = make_post ~type_safe:false ~internal:true in
	 let external_post = make_post ~type_safe:true ~internal:false in
	 let behav = (id,b,internal_post,external_post) in
         match b.jc_behavior_throws with
           | None ->
               begin match id with
                 | "safety" ->
		     assert (b.jc_behavior_assumes = None);
		     let internal_post =
		       make_and variables_valid_pred_apps internal_post
		     in
		     let external_post =
		       make_and variables_valid_pred_apps external_post
		     in
                     (id, b, internal_post, external_post) :: safety,
                     normal_inferred, normal, excep_inferred, excep
                 | "inferred" ->
		     assert (b.jc_behavior_assumes = None);
                     safety, behav :: normal_inferred,
                     (if Jc_options.trust_ai then normal else behav :: normal),
                     excep_inferred, excep
                 | _ ->
                     safety, normal_inferred, behav :: normal,
                     excep_inferred, excep
               end
           | Some exc ->
               if id = "inferred" then
		 begin
		   assert (b.jc_behavior_assumes = None);
                   safety, normal_inferred, normal,
		   ExceptionMap.add_merge
		     List.append exc [behav] excep_inferred,
		   if Jc_options.trust_ai then excep else
                     ExceptionMap.add_merge List.append exc [behav] excep
		 end
               else
                 safety, normal_inferred, normal, excep_inferred,
                 ExceptionMap.add_merge List.append exc [behav] excep)
      ([], [], [], ExceptionMap.empty, ExceptionMap.empty)
      behaviors
  in
  let user_excep_behaviors = excep_behaviors in
  let excep_behaviors =
    ExceptionSet.fold
      (fun exc acc ->
         if ExceptionMap.mem exc acc then acc else
           let b =
             { default_behavior with
                 jc_behavior_throws = Some exc;
		 jc_behavior_ensures = (new assertion JCAtrue); }
           in
           ExceptionMap.add
	     exc [exc.jc_exception_info_name ^ "_b", b, LTrue, LTrue] acc)
      f.jc_fun_info_effects.jc_raises
      excep_behaviors
  in

  (* Effects, parameters and locals *)

  let params = List.map snd f.jc_fun_info_parameters in

  let external_write_effects =
    write_effects
      ~callee_reads:f.jc_fun_info_effects.jc_reads
      ~callee_writes:f.jc_fun_info_effects.jc_writes
      ~region_list:f.jc_fun_info_param_regions
      ~params
  in
  let external_read_effects =
    read_effects
      ~callee_reads:f.jc_fun_info_effects.jc_reads
      ~callee_writes:f.jc_fun_info_effects.jc_writes
      ~region_list:f.jc_fun_info_param_regions
      ~params
  in
  let external_write_params =
    write_parameters
      ~type_safe:true
      ~callee_reads:f.jc_fun_info_effects.jc_reads
      ~callee_writes:f.jc_fun_info_effects.jc_writes
      ~region_list:f.jc_fun_info_param_regions
      ~params
  in
  let internal_write_params =
    write_parameters
      ~type_safe:false
      ~callee_reads:f.jc_fun_info_effects.jc_reads
      ~callee_writes:f.jc_fun_info_effects.jc_writes
      ~region_list:f.jc_fun_info_param_regions
      ~params
  in
  let external_read_params =
    read_parameters
      ~type_safe:true
      ~callee_reads:f.jc_fun_info_effects.jc_reads
      ~callee_writes:f.jc_fun_info_effects.jc_writes
      ~region_list:f.jc_fun_info_param_regions
      ~params
      ~already_used:(List.map fst external_write_params)
  in
  let internal_read_params =
    read_parameters
      ~type_safe:false
      ~callee_reads:f.jc_fun_info_effects.jc_reads
      ~callee_writes:f.jc_fun_info_effects.jc_writes
      ~region_list:f.jc_fun_info_param_regions
      ~params
      ~already_used:(List.map fst internal_write_params)
  in
  let internal_write_locals =
    write_locals
      ~callee_reads:f.jc_fun_info_effects.jc_reads
      ~callee_writes:f.jc_fun_info_effects.jc_writes
      ~region_list:f.jc_fun_info_param_regions
      ~params
  in
  let internal_read_locals =
    read_locals
      ~callee_reads:f.jc_fun_info_effects.jc_reads
      ~callee_writes:f.jc_fun_info_effects.jc_writes
      ~region_list:f.jc_fun_info_param_regions
      ~params
  in
  let define_locals e' =
    define_locals ~reads:internal_read_locals ~writes:internal_write_locals e'
  in

  (* Postcondition *)

  let add_modif_postcondition
      ~internal f (_id,b,internal_post,external_post) acc =
    let post = if internal then internal_post else external_post in
    make_and (f b post) acc
  in
  let add_postcondition ~internal =
    add_modif_postcondition ~internal (fun _b post -> post)
  in
  let internal_safety_post =
    List.fold_right (add_postcondition ~internal:true) safety_behavior LTrue
  in
  let external_safety_post =
    List.fold_right (add_postcondition ~internal:false) safety_behavior LTrue
  in
  let normal_post =
    List.fold_right
      (add_modif_postcondition ~internal:false assume_in_postcondition)
      normal_behaviors LTrue
  in
  let normal_post_inferred =
    List.fold_right (add_postcondition ~internal:false)
      normal_behaviors_inferred LTrue
  in
  let excep_posts =
    ExceptionMap.fold
      (fun exc bl acc ->
         let a' =
	   List.fold_right (add_postcondition ~internal:false) bl LTrue
	 in
         (exception_name exc, a') :: acc
      ) excep_behaviors []
  in
  let excep_posts_inferred =
    ExceptionMap.fold
      (fun exc bl acc ->
         let a' =
           List.fold_right
	     (add_modif_postcondition ~internal:false assume_in_postcondition)
	     bl LTrue
         in
	 (exception_name exc, a') :: acc
      ) excep_behaviors_inferred []
  in

  (* Function type *)

  let ret_type = tr_var_type f.jc_fun_info_result in
  let fparams = List.map snd f.jc_fun_info_parameters in
  let param_normal_post =
    if is_purely_exceptional_fun spec then LFalse else
      make_and_list [external_safety_post; normal_post; normal_post_inferred]
  in
  let param_excep_posts = excep_posts @ excep_posts_inferred in
  let acc =
    let annot_type = (* function declaration with precondition *)
      Annot_type(external_requires, ret_type,
                 external_read_effects, external_write_effects,
		 param_normal_post, param_excep_posts)
    in
    let fun_type =
      annot_fun_parameters fparams
	external_write_params external_read_params annot_type
    in
    let newid = f.jc_fun_info_final_name ^ "_requires" in
    Hashtbl.add function_prototypes newid fun_type;
    Param(false, id_no_loc newid, fun_type) :: acc
  in
  let acc = (* function declaration without precondition *)
    let annot_type =
      Annot_type(LTrue, ret_type,
                 external_read_effects, external_write_effects,
		 param_normal_post, param_excep_posts)
    in
    let fun_type =
      annot_fun_parameters fparams
	external_write_params external_read_params annot_type
    in
    let newid = f.jc_fun_info_final_name in
    Hashtbl.add function_prototypes newid fun_type;
    Param(false, id_no_loc newid, fun_type) :: acc
  in


  (* restore assigned status for parameters assigned in the body *)

  List.iter
    (fun v -> v.jc_var_info_assigned <- true)
    assigned_params;

  (* Function body *)

  match body with
    | None -> acc (* function was only declared *)
    | Some body ->
        if Jc_options.verify <> [] &&
          not (List.mem f.jc_fun_info_name Jc_options.verify)
        then
          acc (* function is not in the list of functions to verify *)
        else
          let () =
	    printf "Generating Why function %s@." f.jc_fun_info_final_name
	  in

	  (* parameters *)
	  let params =
	    fun_parameters ~type_safe:false fparams
	      internal_write_params internal_read_params
	  in

	  let wrap_body f spec bname body =
	    (* rename formals after parameters are computed and before body
	       is treated *)
	    let list_of_refs =
	      List.fold_right
		(fun id bl ->
		   if id.jc_var_info_assigned
		   then
		     let n = id.jc_var_info_final_name in
		     let newn = "mutable_" ^ n in
		     id.jc_var_info_final_name <- newn;
		     (newn, n) :: bl
		   else bl)
		fparams []
	    in
            let body = function_body f spec bname body in
	    let body =
	      if !Jc_options.inv_sem = InvOwnership then
		append (assume_all_invariants fparams) body
	      else body
	    in
	    let body = define_locals body in
	    let body = match f.jc_fun_info_result.jc_var_info_type with
	      | JCTnative Tunit ->
		  mk_expr (Try(append body (mk_expr (Raise(jessie_return_exception,None))),
		               jessie_return_exception, None, void))
	      | _ ->
                  let result = f.jc_fun_info_result in
		  let e' = any_value
                    result.jc_var_info_region result.jc_var_info_type in
		  mk_expr (Let_ref(jessie_return_variable, e',
			           mk_expr (Try(append body (mk_expr Absurd),
			                        jessie_return_exception, None,
			                        mk_expr (Deref jessie_return_variable)))))
	    in
	    let body = make_label "init" body in
	    let body =
	      List.fold_right
		(fun (mut_id,id) e' ->
                   mk_expr (Let_ref(mut_id, plain_var id, e')))
		list_of_refs body
	    in
	    (* FS#393: restore parameter real names *)
	    List.iter
	      (fun v ->
		 let n = v.jc_var_info_final_name in
		 if List.mem_assoc n list_of_refs then
		   v.jc_var_info_final_name <- List.assoc n list_of_refs
	      ) fparams;
	    body
	  in

          (* safety behavior *)
	  let acc =
	    if Jc_options.verify_behavior "safety" ||
               Jc_options.verify_behavior "variant" then
              let behav = if Jc_options.verify_behavior "safety"
                then "safety" else "variant" in
              let safety_body = wrap_body f spec behav body in
              let newid = f.jc_fun_info_name ^ "_safety" in
              reg_decl
		~out_mark:newid
		~in_mark:f.jc_fun_info_name
		~name:("function " ^ f.jc_fun_info_name)
		~beh:"Safety"
		funpos;
              if is_purely_exceptional_fun spec then acc else
		if Jc_options.verify_invariants_only then acc else
                  Def(
                    id_no_loc newid,
                    !Jc_options.termination_policy <> TPalways,
                    (* false = we require termination proofs *)
                    mk_expr (Fun(
                      params,
                      internal_requires,
                      safety_body,
                      internal_safety_post,
                      excep_posts_for_others None excep_behaviors)))
		  :: acc
	    else acc
	  in

          (* normal behaviors *)
          let acc =
            List.fold_right
              (fun (id,b,internal_post,_) acc ->
		 if Jc_options.verify_behavior id then
                   let normal_body = wrap_body f spec id body in
                   let newid = f.jc_fun_info_name ^ "_ensures_" ^ id in
                   let beh =
                     if id="default" then "default behavior" else
		       "Behavior `"^id^"'"
                   in
                   reg_decl
                     ~out_mark:newid
                     ~in_mark:f.jc_fun_info_name
                     ~name:("function " ^ f.jc_fun_info_name)
                     ~beh
                     funpos;
                   Def(
                     id_no_loc newid,
                     true, (* we do not require termination *)
                     mk_expr (Fun(
		       params,
		       assume_in_precondition b internal_requires,
		       normal_body,
		       internal_post,
		       excep_posts_for_others None excep_behaviors)))
		   :: acc
		 else acc
              ) normal_behaviors acc
          in

          (* exceptional behaviors *)
          let acc =
            ExceptionMap.fold
              (fun exc bl acc ->
                 List.fold_right
                   (fun (id,b,internal_post,_) acc ->
		      if Jc_options.verify_behavior id then
			let except_body = wrap_body f spec id body in
                        let newid = f.jc_fun_info_name ^ "_exsures_" ^ id in
                        reg_decl
                          ~out_mark:newid
                          ~in_mark:f.jc_fun_info_name
                          ~name:("function " ^ f.jc_fun_info_name)
                          ~beh:("Behavior `" ^ id ^ "'")
                          funpos;
                        Def(id_no_loc newid,
                            true, (* we do not require termination *)
                            mk_expr (Fun(
			      params,
			      assume_in_precondition b internal_requires,
			      except_body,
			      LTrue,
			      (exception_name exc, internal_post) ::
                                excep_posts_for_others (Some exc)
				excep_behaviors)))
                        :: acc
		      else acc
		   ) bl acc
	      ) user_excep_behaviors acc
          in
          acc

let tr_fun f funpos spec body acc =
  set_current_function f;
  let acc = tr_fun f funpos spec body acc in
  reset_current_function ();
  acc

let tr_specialized_fun n fname param_name_assoc acc =

  let rec modif_why_type = function
    | Prod_type(n,t1,t2) ->
	if StringMap.mem n param_name_assoc then
	  modif_why_type t2
	else Prod_type(n,t1,modif_why_type t2)
    | Base_type b -> Base_type b
    | Ref_type(t) -> Ref_type (modif_why_type t)
    | Annot_type (pre,t,reads,writes,post,signals) ->
	Annot_type (modif_assertion pre, modif_why_type t,
		    modif_namelist reads,
		    modif_namelist writes,
		    modif_assertion post,
		    List.map (fun (x,a) -> (x,modif_assertion a)) signals)

  and modif_assertion a =
    match a with
      | LTrue
      | LFalse -> a
      | LAnd(a1,a2) -> LAnd(modif_assertion a1,modif_assertion a2)
      | LOr(a1,a2) -> LOr(modif_assertion a1,modif_assertion a2)
      | LIff(a1,a2) -> LIff(modif_assertion a1,modif_assertion a2)
      | LNot(a1) -> LNot(modif_assertion a1)
      | LImpl(a1,a2) -> LImpl(modif_assertion a1,modif_assertion a2)
      | LIf(t,a1,a2) -> LIf(modif_term t,modif_assertion a1,modif_assertion a2)
      | LLet(id,t,a) -> LLet(id,modif_term t,modif_assertion a)
      | LForall(id,t,trigs,a) -> LForall(id,t,triggers trigs,modif_assertion a)
      | LExists(id,t,trigs,a) -> LExists(id,t,triggers trigs,modif_assertion a)
      | LPred(id,l) -> LPred(id,List.map modif_term l)
      | LNamed (n, a) -> LNamed (n, modif_assertion a)

  and triggers trigs =
    let pat = function
      | LPatT t -> LPatT (modif_term t)
      | LPatP a -> LPatP (modif_assertion a) in
    List.map (List.map pat) trigs

  and modif_term t =
    match t with
      | LConst(_c) -> t
      | LApp(id,l) -> LApp(id,List.map modif_term l)
      | LVar(id) ->
	  let id = StringMap.find_or_default id id param_name_assoc in
	  LVar id
      | LDeref(id) ->
	  let id = StringMap.find_or_default id id param_name_assoc in
	  LDeref id
      | LDerefAtLabel(id,l) ->
	  let id = StringMap.find_or_default id id param_name_assoc in
	  LDerefAtLabel(id,l)
      | Tnamed(n,t) -> Tnamed(n,modif_term t)
      | TIf(t1,t2,t3) ->
	  TIf(modif_term t1,modif_term t2,modif_term t3)
      | TLet(id,t1,t2) ->
	  let id = StringMap.find_or_default id id param_name_assoc in
	  TLet(id,modif_term t1,modif_term t2)

  and modif_namelist names =
    fst (List.fold_right
	   (fun id (acc,set) ->
	      let id = StringMap.find_or_default id id param_name_assoc in
	      id :: acc, StringSet.add id set
	   ) names ([],StringSet.empty))
  in

  let fun_type = Hashtbl.find function_prototypes fname in
  let new_fun_type = modif_why_type fun_type in
  Param(false, id_no_loc n, new_fun_type) :: acc


(******************************************************************************)
(*                               Logic entities                               *)
(******************************************************************************)

let tr_logic_type (id,l) acc = Type(id_no_loc id,List.map Jc_type_var.name l) :: acc


let tr_exception ei acc =
  Jc_options.lprintf "producing exception '%s'@." ei.jc_exception_info_name;
  let typ = match ei.jc_exception_info_type with
    | Some tei -> Some (tr_base_type tei)
    | None -> None
  in
  Exception(id_no_loc (exception_name ei), typ) :: acc

(* let tr_native_type nty acc = *)
(*   let lt = tr_base_type (JCTnative nty) in *)
(*   Logic(false,logic_bitvector_of_native nty,["",lt],bitvector_type) *)
(*   :: Logic(false,logic_native_of_bitvector nty,["",bitvector_type],lt) *)
(*   :: Axiom((logic_native_of_bitvector nty)^"_of_"^(logic_bitvector_of_native nty), *)
(* 	   LForall("x",lt, *)
(* 		   LPred(equality_op_for_type (JCTnative nty), *)
(*                          [LApp(logic_native_of_bitvector nty, *)
(*                                [LApp(logic_bitvector_of_native nty,  *)
(*                                      [LVar "x"])]); *)
(*                           LVar "x"]))) *)
(*   :: Axiom((logic_bitvector_of_native nty)^"_of_"^(logic_native_of_bitvector nty), *)
(* 	   LForall("x",bitvector_type, *)
(* 		   LPred("eq", (\* TODO: equality for bitvectors ? *\) *)
(*                          [LApp(logic_bitvector_of_native nty, *)
(*                                [LApp(logic_native_of_bitvector nty,  *)
(*                                      [LVar "x"])]); *)
(*                           LVar "x"]))) *)
(*   :: acc *)

let range_of_enum ri =
  Num.add_num (Num.sub_num ri.jc_enum_info_max ri.jc_enum_info_min) (Num.Int 1)

let tr_enum_type ri (* to_int of_int *) acc =
  let name = ri.jc_enum_info_name in
  let min = Num.string_of_num ri.jc_enum_info_min in
  let max = Num.string_of_num ri.jc_enum_info_max in
  let width = Num.string_of_num (range_of_enum ri) in
  let lt = simple_logic_type name in
  let in_bounds x =
    LAnd(LPred("le_int",[LConst(Prim_int min); x]),
         LPred("le_int",[x; LConst(Prim_int max)]))
  in
  let safe_of_int_type =
    let post =
      LPred("eq_int",
            [LApp(logic_int_of_enum ri,[LVar "result"]);
             if !Jc_options.int_model = IMbounded then LVar "x"
             else LApp(mod_of_enum ri,[LVar "x"])])
    in
    Prod_type("x", Base_type(why_integer_type),
              Annot_type(LTrue,
                         Base_type lt,
                         [],[],post,[]))
  in
  let of_int_type =
    let pre =
      if !Jc_options.int_model = IMbounded then in_bounds (LVar "x") else LTrue
    in
    let post =
      LPred("eq_int",
            [LApp(logic_int_of_enum ri,[LVar "result"]);
             if !Jc_options.int_model = IMbounded then LVar "x"
             else LApp(mod_of_enum ri,[LVar "x"])])
    in
    Prod_type("x", Base_type(why_integer_type),
              Annot_type(pre,Base_type lt,[],[],post,[]))
  in
  let any_type =
    Prod_type("", Base_type(simple_logic_type "unit"),
              Annot_type(LTrue,Base_type lt,[],[],LTrue,[]))
  in
  let bv_conv =
    if !Region.some_bitwise_region then
      [Logic(false,id_no_loc (logic_bitvector_of_enum ri),
	     ["",lt],bitvector_type) ;
       Logic(false,id_no_loc (logic_enum_of_bitvector ri),
	     ["",bitvector_type],lt) ;
       Goal(KAxiom,id_no_loc ((logic_enum_of_bitvector ri)^"_of_"^
				(logic_bitvector_of_enum ri)),
	    LForall("x",lt, [],
		    LPred(equality_op_for_type (JCTenum ri),
                         [LApp(logic_enum_of_bitvector ri,
                               [LApp(logic_bitvector_of_enum ri,
                                     [LVar "x"])]);
                          LVar "x"])));
       Goal(KAxiom,id_no_loc ((logic_bitvector_of_enum ri)^"_of_"^
				(logic_enum_of_bitvector ri)),
	   LForall("x",bitvector_type, [],
		   LPred("eq", (* TODO: equality for bitvectors ? *)
                         [LApp(logic_bitvector_of_enum ri,
                               [LApp(logic_enum_of_bitvector ri,
                                     [LVar "x"])]);
                          LVar "x"]))) ]
    else []
  in
  Type(id_no_loc name,[])
  :: Logic(false,id_no_loc (logic_int_of_enum ri),
           [("",lt)],why_integer_type)
  :: Logic(false,id_no_loc (logic_enum_of_int ri),
           [("",why_integer_type)],lt)
  :: Predicate(false,id_no_loc (eq_of_enum ri),[("x",lt);("y",lt)],
               LPred("eq_int",[LApp(logic_int_of_enum ri,[LVar "x"]);
                               LApp(logic_int_of_enum ri,[LVar "y"])]))
  :: (if !Jc_options.int_model = IMmodulo then
        let width = LConst (Prim_int width) in
        let fmod t = LApp (mod_of_enum ri, [t]) in
        [Logic (false, id_no_loc (mod_of_enum ri),
                ["x", simple_logic_type "int"], simple_logic_type "int");
         Goal(KAxiom,id_no_loc (name ^ "_mod_def"),
                LForall ("x", simple_logic_type "int", [],
                         LPred ("eq_int", [LApp (mod_of_enum ri, [LVar "x"]);
                                           LApp (logic_int_of_enum ri,
                                                 [LApp (logic_enum_of_int ri,
                                                        [LVar "x"])])])));
         Goal(KAxiom,id_no_loc (name ^ "_mod_lb"),
                LForall ("x", simple_logic_type "int", [],
                         LPred ("ge_int", [LApp (mod_of_enum ri, [LVar "x"]);
                                           LConst (Prim_int min)])));
         Goal(KAxiom,id_no_loc (name ^ "_mod_gb"),
                LForall ("x", simple_logic_type "int", [],
                         LPred ("le_int", [LApp (mod_of_enum ri, [LVar "x"]);
                                           LConst (Prim_int max)])));
         Goal(KAxiom,id_no_loc (name ^ "_mod_id"),
                LForall ("x", simple_logic_type "int", [],
                         LImpl (in_bounds (LVar "x"),
                                LPred ("eq_int", [LApp (mod_of_enum ri,
                                                        [LVar "x"]);
                                                  LVar "x"]))));
         Goal(KAxiom,id_no_loc (name ^ "_mod_lt"),
                LForall ("x", simple_logic_type "int", [],
                         LImpl (LPred ("lt_int", [LVar "x";
                                                  LConst (Prim_int min)]),
                                LPred ("eq_int", [fmod (LVar "x");
                                                  fmod (LApp ("add_int",
                                                              [LVar "x";
                                                               width]))]))));
         Goal(KAxiom,id_no_loc (name ^ "_mod_gt"),
                LForall ("x", simple_logic_type "int", [],
                         LImpl (LPred ("gt_int", [LVar "x";
                                                  LConst (Prim_int max)]),
                                LPred ("eq_int", [fmod (LVar "x");
                                                  fmod (LApp ("sub_int",
                                                              [LVar "x";
                                                               width]))]))));
        ]
      else [])
  @ Param(false,id_no_loc (fun_enum_of_int ri),of_int_type)
  :: Param(false,id_no_loc (safe_fun_enum_of_int ri),safe_of_int_type)
  :: Param(false,id_no_loc (fun_any_enum ri),any_type)
  :: Goal(KAxiom,id_no_loc (name^"_range"),
           LForall("x",lt, [],in_bounds
                     (LApp(logic_int_of_enum ri,[LVar "x"]))))
  :: Goal(KAxiom,id_no_loc (name^"_coerce"),
           LForall("x",why_integer_type, [],
                   LImpl(in_bounds (LVar "x"),
                         LPred("eq_int",
                               [LApp(logic_int_of_enum ri,
                                     [LApp(logic_enum_of_int ri,
                                           [LVar "x"])]) ;
                                LVar "x"]))))
(*
  :: Goal(KAxiom,id_no_loc (name^"_extensionality"),
           LForall("x",lt, [],
           LForall("y",lt, [ (* [LPatP(LPred(eq_of_enum ri,
                                         [LVar "x"; LVar "y"]))] *) ],
                   LImpl(LPred(eq_of_enum ri,[LVar "x"; LVar "y"]),
                         LPred("eq",[LVar "x"; LVar "y"])
                         ))))
*)
  :: Goal(KAxiom,id_no_loc (name^"_extensionality"),
           LForall("x",lt, [],
           LForall("y",lt, [ [LPatP(LPred("eq_int",
                               [LApp(logic_int_of_enum ri, [LVar "x"]);
                                LApp(logic_int_of_enum ri, [LVar "y"])]))] ],
                   LImpl(LPred("eq_int",
                               [LApp(logic_int_of_enum ri, [LVar "x"]);
                                LApp(logic_int_of_enum ri, [LVar "y"])]),
                         LPred("eq",[LVar "x"; LVar "y"])
                         ))))
  :: bv_conv
  @ acc

let tr_enum_type_pair ri1 ri2 acc =
  (* Information from first enum *)
  let name1 = ri1.jc_enum_info_name in
  let min1 = ri1.jc_enum_info_min in
  let max1 = ri1.jc_enum_info_max in
  (* Information from second enum *)
  let name2 = ri2.jc_enum_info_name in
  let min2 = ri2.jc_enum_info_min in
  let max2 = ri2.jc_enum_info_max in
  if not (!Jc_options.int_model = IMmodulo) then acc else
    if max1 
       let axiom =
         Goal(KAxiom,
           id_no_loc (axiom_int_of_tag_name st),
           make_eq
             (make_int_of_tag st)
             (LConst(Prim_int(string_of_int index)))
         )
       in axiom::acc, index+1)
    (acc, 1)
    rt.jc_root_info_hroots
  in
  let acc =
    type_def::alloc_table::tag_table::axiom_variant_has_tag
    :: of_ptr_addr :: addr_axiom :: rev_addr_axiom
    :: conv @ acc
  in
  acc

(*
  Local Variables:
  compile-command: "unset LANG; make -j -C .. bin/jessie.byte"
  End:
*)
why-2.39/jc/jc_constructors.mli0000644000106100004300000005222313147234006015560 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

open Jc_env
open Jc_ast
open Jc_fenv

(*
class positioned :
  pos:Loc.position option -> object method pos : Loc.position end
class typed : typ:Jc_env.jc_type -> object method typ : Jc_env.jc_type end
class labeled :
  label:Jc_env.label option ->
  object
    val mutable llab : Jc_env.label option
    method label : Jc_env.label option
    method set_label : Jc_env.label option -> unit
  end
class marked :
  mark:string -> object method mark : string end
class regioned :
  region:Jc_env.region ->
  object
    val mutable r : Jc_env.region
    method region : Jc_env.region
    method set_region : Jc_env.region -> unit
  end
*)


class identifier :
  ?pos:Loc.position ->
  string -> object method pos : Loc.position method name : string end

class ['a] node_positioned :
  ?pos:Loc.position ->
  'a -> object method pos : Loc.position method node : 'a end

class ptype :
  ?pos:Loc.position ->
  ptype_node ->
  object method pos : Loc.position method node : ptype_node end

class pexpr :
  ?pos:Loc.position ->
  pexpr_node ->
  object method pos : Loc.position method node : pexpr_node end

class pexpr_with :
  ?pos:Loc.position ->
  ?node:pexpr_node ->
  < pos : Loc.position; node : pexpr_node; .. > -> pexpr

class nexpr :
  ?pos:Loc.position ->
  ?label:label ->
  nexpr_node ->
  object
    val mutable llab : label option
    method pos : Loc.position
    method label : label option
    method node : nexpr_node
    method set_label : label option -> unit
  end

(*
class nexpr_with :
  ?pos:Loc.position ->
  ?node:nexpr_node ->
  < pos : Loc.position; label : label;
    node : nexpr_node; .. > ->
  nexpr
*)

class pattern :
  ?pos:Loc.position ->
  typ:jc_type ->
  pattern_node ->
  object
    method pos : Loc.position
    method node : pattern_node
    method typ : jc_type
  end

(*
class pattern_with :
  ?pos:Loc.position ->
  ?node:pattern_node ->
  ?typ:jc_type ->
  < pos : Loc.position; node : pattern_node; typ : jc_type;
    .. > ->
  pattern
*)


class term :
  ?pos:Loc.position ->
  typ:jc_type ->
  ?mark:string ->
  ?label:label ->
  ?region:region ->
  term_node ->
  object
    val mutable r : region
    method pos : Loc.position
    method mark : string
    method node : term_node
    method region : region
    method set_region : region -> unit
    method label : label option
    method set_label : label option -> unit
    method typ : jc_type
  end

class term_with :
  ?pos:Loc.position ->
  ?typ:jc_type ->
  ?mark:string ->
  ?region:region ->
  ?node:term_node ->
  < pos : Loc.position; mark : string; node : term_node;
    label: label option; 
    region : region; typ : jc_type; .. > ->
  term

class term_var :
  ?pos:Loc.position -> ?mark:string -> var_info -> term

class location :
  ?pos:Loc.position ->
  typ:jc_type ->
  ?label:label ->
  ?region:region ->
  location_node ->
  object
    val mutable r : region
    method pos : Loc.position
    method typ : jc_type
    method node : location_node
    method region : region
    method set_region : region -> unit
    method label : label option
    method set_label : label option -> unit
  end

class location_with :
  ?pos:Loc.position ->
  typ:jc_type ->
  ?label:label ->
  ?region:region ->
  node:location_node ->
  < pos : Loc.position; region : region; .. > ->
  location

class location_set :
  ?pos:Loc.position ->
  typ:jc_type ->
  ?label:label ->
  ?region:region ->
  location_set_node ->
  object
    val mutable r : region
    method pos : Loc.position
    method typ : jc_type
    method node : location_set_node
    method region : region
    method set_region : region -> unit
    method label : label option
    method set_label : label option -> unit
  end

class location_set_with :
  ?pos:Loc.position ->
  typ:jc_type ->
  ?label:label ->
  ?region:region ->
  node:location_set_node ->
  < pos : Loc.position; region : region; .. > ->
  location_set

class expr :
  ?pos:Loc.position ->
  typ:jc_type ->
  ?mark:string ->
  ?region:region ->
  ?original_type:jc_type ->
  expr_node ->
  object
    val mutable r : region
    method pos : Loc.position
    method mark : string
    method node : expr_node
    method original_type : jc_type
    method region : region
    method set_region : region -> unit
    method typ : jc_type
  end
class expr_with :
  ?pos:Loc.position ->
  ?typ:jc_type ->
  ?mark:string ->
  ?region:region ->
  ?node:expr_node ->
  ?original_type:jc_type ->
  < pos : Loc.position; mark : string; node : expr_node;
    original_type : jc_type; region : region;
    typ : jc_type; .. > ->
  expr


class assertion :
  ?mark:string ->
  ?label:label ->
  ?pos:Loc.position ->
  assertion_node ->
  object
    method pos : Loc.position
    method mark : string
    method label : label option
    method set_label : label option -> unit
    method node : assertion_node
  end


class assertion_with :
  ?pos:Loc.position ->
  ?mark:string ->
  ?node:assertion_node ->
  < pos : Loc.position; mark : string; node : assertion_node;
    label: label option;
    .. > ->
  assertion

class ['a] ptag :
  ?pos:Loc.position ->
  'a ptag_node ->
  object method pos : Loc.position method node : 'a ptag_node end

class ['a] ptag_with :
  ?pos:Loc.position ->
  ?node:'a ptag_node ->
  < pos : Loc.position; node : 'a ptag_node; .. > -> ['a] ptag

class tag :
  ?pos:Loc.position ->
  tag_node ->
  object method pos : Loc.position method node : tag_node end

class tag_with :
  ?pos:Loc.position ->
  ?node:tag_node ->
  < pos : Loc.position; node : tag_node; .. > -> tag

class ['a] decl :
  ?pos:Loc.position ->
  'a decl_node ->
  object method pos : Loc.position method node : 'a decl_node end

(*

class ['a] decl_with :
  ?pos:Loc.position ->
  ?node:'a decl_node ->
  < pos : Loc.position; node : 'a decl_node; .. > -> ['a] decl
module Const :
  sig
    val mkvoid : const
    val mknull : const
    val mkboolean : bool -> const
    val mkint : ?value:int -> ?valuestr:string -> unit -> const
    val mkreal : ?value:float -> ?valuestr:string -> unit -> const
  end
val oo : 'a option -> 'a -> 'a
*)

module PExpr :
  sig
(*
    val mk : ?pos:Loc.position -> node:pexpr_node -> unit -> pexpr
*)
    val mkconst : const:const -> ?pos:Loc.position -> unit -> pexpr

    val mkvoid : ?pos:Loc.position -> unit -> pexpr

    val mknull : ?pos:Loc.position -> unit -> pexpr

    val mkboolean : value:bool -> ?pos:Loc.position -> unit -> pexpr

    val mkint :
      ?value:int -> ?valuestr:string -> ?pos:Loc.position -> unit -> pexpr

(*
    val mkreal :
      ?value:float -> ?valuestr:string -> ?pos:Loc.position -> unit -> pexpr
*)
    val mkbinary :
      expr1:pexpr ->
      op:bin_op ->
      expr2:pexpr -> ?pos:Loc.position -> unit -> pexpr
(*
    val mkbinary_list :
      default:pexpr ->
      op:bin_op ->
      ?expr1:pexpr ->
      ?expr2:pexpr ->
      ?list:pexpr list -> ?pos:Loc.position -> unit -> pexpr
*)
    val mkand :
      ?expr1:pexpr ->
      ?expr2:pexpr ->
      ?list:pexpr list -> ?pos:Loc.position -> unit -> pexpr

    val mkor :
      ?expr1:pexpr ->
      ?expr2:pexpr ->
      ?list:pexpr list -> ?pos:Loc.position -> unit -> pexpr

    val mkadd :
      ?expr1:pexpr ->
      ?expr2:pexpr ->
      ?list:pexpr list -> ?pos:Loc.position -> unit -> pexpr

    val mklabel :
      label:string -> expr:pexpr -> ?pos:Loc.position -> unit -> pexpr

    val mkvar : name:string -> ?pos:Loc.position -> unit -> pexpr

    val mkderef :
      expr:pexpr -> field:string -> ?pos:Loc.position -> unit -> pexpr

    val mkunary :
      expr:pexpr ->
      op:pexpr_unary_op -> ?pos:Loc.position -> unit -> pexpr

    val mkapp :
      fun_name:string ->
      ?labels:label list ->
      ?args:pexpr list -> ?pos:Loc.position -> unit -> pexpr

    val mkassign :
      location:pexpr ->
      value:pexpr ->
      ?field:string ->
      ?op:bin_op -> ?pos:Loc.position -> unit -> pexpr

    val mkinstanceof :
      expr:pexpr -> typ:string -> ?pos:Loc.position -> unit -> pexpr

    val mkcast :
      expr:pexpr -> typ:ptype -> ?pos:Loc.position -> unit -> pexpr

    val mkquantifier :
      quantifier:quantifier ->
      typ:ptype ->
      vars:identifier list ->
      ?triggers:pexpr list list ->
      body:pexpr -> ?pos:Loc.position -> unit -> pexpr

    val mkforall :
      typ:ptype ->
      vars:identifier list ->
      ?triggers:pexpr list list ->
      body:pexpr -> ?pos:Loc.position -> unit -> pexpr

(*
    val mkexists :
      typ:ptype ->
      vars:string list ->
      body:pexpr -> ?pos:Loc.position -> unit -> pexpr
    val mkold : expr:pexpr -> ?pos:Loc.position -> unit -> pexpr
*)

    val mkat :
      expr:pexpr ->
      label:label -> ?pos:Loc.position -> unit -> pexpr

(*
    val mkoffset :
      kind:offset_kind ->
      expr:pexpr -> ?pos:Loc.position -> unit -> pexpr
    val mkoffset_min :
      expr:pexpr -> ?pos:Loc.position -> unit -> pexpr
*)

    val mkoffset_max :
      expr:pexpr -> ?pos:Loc.position -> unit -> pexpr

    val mkfresh :
      expr:pexpr -> ?pos:Loc.position -> unit -> pexpr

    val mkif :
      condition:pexpr ->
      expr_then:pexpr ->
      ?expr_else:pexpr -> ?pos:Loc.position -> unit -> pexpr

    val mkblock :
      exprs:pexpr list -> ?pos:Loc.position -> unit -> pexpr

(*
    val mkdecl :
      typ:ptype ->
      var:string -> ?init:pexpr -> ?pos:Loc.position -> unit -> pexpr
*)
    val mklet :
      ?typ:ptype ->
      var:string ->
      ?init:pexpr ->
      body:pexpr -> ?pos:Loc.position -> unit -> pexpr

    val mklet_nodecl :
      ?typ:ptype ->
      var:string ->
      ?init:pexpr ->
      body:pexpr -> ?pos:Loc.position -> unit -> pexpr

    val mkrange :
      ?left:pexpr ->
      ?right:pexpr ->
      ?locations:pexpr -> ?pos:Loc.position -> unit -> pexpr

    val mkalloc :
      ?count:pexpr -> typ:string -> ?pos:Loc.position -> unit -> pexpr

(*
    val mkfree : expr:pexpr -> ?pos:Loc.position -> unit -> pexpr
    val mkmutable :
      expr:pexpr ->
      tag:pexpr ptag -> ?pos:Loc.position -> unit -> pexpr
    val mktag_equality :
      tag1:pexpr ptag ->
      tag2:pexpr ptag -> ?pos:Loc.position -> unit -> pexpr
    val mkmatch :
      expr:pexpr ->
      cases:(ppattern * pexpr) list ->
      ?pos:Loc.position -> unit -> pexpr
*)

    val mkassert : ?behs:identifier list -> expr:pexpr -> ?pos:Loc.position -> unit -> pexpr

    val mkwhile :
      ?condition:pexpr ->
      ?behaviors:pexpr loopbehavior list ->
      ?variant:(pexpr * identifier option) ->
      body:pexpr -> ?pos:Loc.position -> unit -> pexpr

    val mkfor :
      ?inits:pexpr list ->
      ?condition:pexpr ->
      ?updates:pexpr list ->
      ?behaviors:pexpr loopbehavior list ->
      ?variant:(pexpr * identifier option) ->
      body:pexpr -> ?pos:Loc.position -> unit -> pexpr

    val mkreturn : ?expr:pexpr -> ?pos:Loc.position -> unit -> pexpr

    val mkbreak : ?label:string -> ?pos:Loc.position -> unit -> pexpr

    val mkcontinue : ?label:string -> ?pos:Loc.position -> unit -> pexpr

(*
    val mkgoto : label:string -> ?pos:Loc.position -> unit -> pexpr

*)

    val mktry :
      expr:pexpr ->
      ?catches:(identifier * string * pexpr) list ->
      ?finally:pexpr -> ?pos:Loc.position -> unit -> pexpr

    val mkthrow :
      exn:identifier ->
      ?argument:pexpr -> ?pos:Loc.position -> unit -> pexpr

(*
    val mkpack :
      expr:pexpr ->
      ?tag:identifier -> ?pos:Loc.position -> unit -> pexpr
    val mkunpack :
      expr:pexpr ->
      ?tag:identifier -> ?pos:Loc.position -> unit -> pexpr
*)

    val mkswitch :
      expr:pexpr ->
      ?cases:(pexpr option list * pexpr) list ->
      ?pos:Loc.position -> unit -> pexpr

    val mkcatch :
      exn:'a ->
      ?name:string ->
      ?body:pexpr -> ?pos:Loc.position -> unit -> 'a * string * pexpr

    val mkshift :
      expr:pexpr ->
      offset:pexpr ->
      ?list:pexpr list -> ?pos:Loc.position -> unit -> pexpr

    val mknot : expr:pexpr -> ?pos:Loc.position -> unit -> pexpr

    val mkeq :
      expr1:pexpr ->
      expr2:pexpr -> ?pos:Loc.position -> unit -> pexpr

    val mkimplies :
      expr1:pexpr ->
      expr2:pexpr -> ?pos:Loc.position -> unit -> pexpr

    val mkiff :
      expr1:pexpr ->
      expr2:pexpr -> ?pos:Loc.position -> unit -> pexpr

    val mkincr_heap :
      expr:pexpr ->
      field:string ->
      ?op:pexpr_unary_op -> ?pos:Loc.position -> unit -> pexpr

    val mkcontract : 
      requires:pexpr option ->
      decreases:(pexpr * Jc_ast.identifier option) option ->
      behaviors:pexpr pbehavior list ->
      expr:pexpr -> ?pos:Loc.position -> unit -> pexpr

  end

module NExpr :
  sig
    val mkcast :
      expr:nexpr -> typ:ptype -> ?pos:Loc.position -> unit -> nexpr
  end

module PDecl :
  sig
(*
    val mk : ?pos:Loc.position -> node:'a -> unit -> 'a node_positioned
*)
    val mkfun_def :
      ?result_type:ptype ->
      name:identifier ->
      ?params:(bool * ptype * string) list ->
      ?clauses:'a clause list ->
      ?body:'a ->
      ?pos:Loc.position -> unit -> 'a decl_node node_positioned

    val mklemma_def :
      name:string ->
      ?axiom:bool ->
      ?poly_args:string list ->
      ?labels:label list ->
      body:'a ->
      ?pos:Loc.position -> unit -> 'a decl_node node_positioned

    val mklogic_var_def :
      typ:ptype ->
      name:string ->
      ?body:'a ->
      ?pos:Loc.position -> unit -> 'a decl_node node_positioned

    val mklogic_def :
      ?typ:ptype ->
      name:string ->
      ?poly_args:string list ->
      ?labels:label list ->
      ?params:(ptype * string) list ->
      ?reads:'a list ->
      ?body:'a ->
      ?inductive:(identifier * label list * 'a) list ->
      ?pos:Loc.position -> unit -> 'a decl_node node_positioned

    val mkaxiomatic :
      name:string ->
      decls:'a Jc_ast.decl list -> 
      ?pos:Loc.position -> 
      unit -> 'a decl_node node_positioned

    val mklogic_type :
      ?args:string list ->
      name:string ->
      ?pos:Loc.position -> unit -> 'a decl_node node_positioned

    val mkvar_def :
      typ:ptype ->
      name:string ->
      ?init:'a ->
      ?pos:Loc.position -> unit -> 'a decl_node node_positioned

    val mkglobal_inv_def :
      name:string ->
      body:'a ->
      ?pos:Loc.position -> unit -> 'a decl_node node_positioned

    val mktag_def :
      name:string ->
      ?params:string list ->
      ?super:string * ptype list ->
      ?fields:(field_modifiers * ptype * string * int option) list ->
      ?invariants:(identifier * string * 'a) list ->
      ?pos:Loc.position -> unit -> 'a decl_node node_positioned

    val mkenum_type_def :
      name:string ->
      left:Num.num ->
      right:Num.num ->
      ?pos:Loc.position -> unit -> 'a decl_node node_positioned

    val mkexception_def :
      name:string ->
      ?arg_type:ptype ->
      ?pos:Loc.position -> unit -> 'a decl_node node_positioned

    val mkvariant_type_def :
      name:string ->
      ?tags:identifier list ->
      ?pos:Loc.position -> unit -> 'a decl_node node_positioned

    val mkinvariant_policy_def :
      value:inv_sem ->
      ?pos:Loc.position -> unit -> 'a decl_node node_positioned

    val mktermination_policy_def :
      value:termination_policy ->
      ?pos:Loc.position -> unit -> 'a decl_node node_positioned

    val mkseparation_policy_def :
      value:separation_sem ->
      ?pos:Loc.position -> unit -> 'a decl_node node_positioned

    val mkannotation_policy_def :
      value:annotation_sem ->
      ?pos:Loc.position -> unit -> 'a decl_node node_positioned

    val mkabstract_domain_def :
      value:abstract_domain ->
      ?pos:Loc.position -> unit -> 'a decl_node node_positioned

(*

    val mkint_model_def :
      value:int_model ->
      ?pos:Loc.position -> unit -> 'a decl_node node_positioned

*)

    val mkbehavior :
      ?pos:Loc.position ->
      name:string ->
      ?throws:identifier ->
      ?assumes:pexpr ->
      ?requires:pexpr ->
      ?assigns:Loc.position * pexpr list ->
      ?allocates:Loc.position * pexpr list ->
      ?ensures:pexpr -> unit -> pexpr pbehavior

    val mkrequires_clause : 'a -> 'a clause

    val mkdecreases_clause : ?measure:identifier -> 'a -> 'a clause

    val mkbehavior_clause :
      ?pos:Loc.position ->
      name:string ->
      ?throws:identifier ->
      ?assumes:pexpr ->
      ?requires:pexpr ->
      ?assigns:Loc.position * pexpr list ->
      ?allocates:Loc.position * pexpr list ->
      ?ensures:pexpr -> unit -> pexpr clause

(*
    val mkbehavior_with :
      ?pos:Loc.position ->
      ?name:string ->
      ?throws:identifier option ->
      ?assumes:'a option ->
      ?requires:'a option ->
      ?assigns:(Loc.position * 'a list) option ->
      ?ensures:'a -> 'a clause -> 'a clause
*)

    val mkassigns :
      ?pos:Loc.position ->
      ?locations:'a list -> unit -> Loc.position * 'a list

(*
    val mktag_invariant : name:'a -> var:'b -> body:'c -> 'a * 'b * 'c
    val behavior_ensures : 'a clause -> 'a
*)
  end


module Expr :
  sig
    val mk :
      ?pos:Loc.position ->
      typ:jc_type ->
      ?mark:string ->
      ?region:region ->
      ?original_type:jc_type -> node:expr_node -> unit -> expr
    val mkint :
      ?value: int ->
      ?valuestr:string ->
      ?pos:Loc.position ->
      ?mark:string ->
      ?region:region ->
      ?original_type:jc_type -> unit -> expr
    val mkbinary :
      expr1:expr ->
      op:expr_bin_op ->
      expr2:expr -> 
      ?pos:Loc.position ->
      typ:jc_type ->
      ?mark:string ->
      ?region:region ->
      ?original_type:jc_type -> unit -> expr
    val mklet :
      var:var_info ->
      ?init:expr ->
      body:expr ->
      ?pos:Loc.position ->
      ?mark:string ->
      ?region:region -> ?original_type:jc_type -> unit -> expr
    val mkvar :
      var:var_info ->
      ?pos:Loc.position ->
      ?mark:string ->
      ?region:region -> ?original_type:jc_type -> unit -> expr
    val is_app : < node : expr_node; .. > -> bool
  end



module Term :
  sig
(*
    val mk :
      ?pos:Loc.position ->
      typ:jc_type ->
      ?mark:string ->
      ?region:region -> node:term_node -> unit -> term
*)

    val mkint :
      ?value: int ->
      ?valuestr:string ->
      ?pos:Loc.position ->
      ?mark:string ->
      ?region:region -> unit -> term
    val mkbinary :
      term1:term ->
      op:term_bin_op ->
      term2:term -> 
      ?pos:Loc.position ->
      typ:jc_type ->
      ?mark:string ->
      ?region:region -> unit -> term
    val mkvar :
      var:var_info ->
      ?pos:Loc.position ->
      ?mark:string -> ?region:region -> unit -> term
  end

module Assertion :
  sig
(*
    val mk :
      ?pos:Loc.position ->
      ?mark:string -> node:assertion_node -> unit -> assertion
    val fake : ?pos:'a -> ?mark:'b -> value:'c -> unit -> 'c
*)

    val is_true : assertion -> bool
    val is_false : assertion -> bool

    val mktrue : ?pos:Loc.position -> ?mark:string -> unit -> assertion

    val mkfalse :
      ?pos:Loc.position -> ?mark:string -> unit -> assertion

    val mkand :
      conjuncts:assertion list ->
      ?pos:Loc.position -> ?mark:string -> unit -> assertion

    val mkor :
      disjuncts:assertion list ->
      ?pos:Loc.position -> ?mark:string -> unit -> assertion

    val mknot :
      asrt:assertion ->
      ?pos:Loc.position -> ?mark:string -> unit -> assertion

  end

(*
Local Variables: 
compile-command: "LC_ALL=C nice make -j -C .. byte"
End: 
*)
why-2.39/jc/output.mli0000644000106100004300000002231513147234006013673 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



type constant =
  | Prim_void
  | Prim_int of string
  | Prim_real of string
  | Prim_bool of bool
(*
  | Prim_string of string
*)

type logic_type =
    { logic_type_name : string;
      logic_type_args : logic_type list;
    }

val logic_type_var : string -> logic_type

val fprintf_logic_type : Format.formatter -> logic_type -> unit


type term =
  | LConst of constant
  | LApp of string * term list
  | LVar of string                  (*r immutable logic var *)
  | LDeref of string                     (*r !r *) 
  | LDerefAtLabel of string * string     (*r x@L *)
  | Tnamed of string * term
  | TIf of term * term * term
  | TLet of string * term * term

val match_term : (string * term) list -> term -> term -> (string * term) list

val fprintf_term : Format.formatter -> term -> unit

type assertion =
  | LTrue | LFalse
  | LAnd of assertion * assertion
  | LOr of assertion * assertion
  | LIff of assertion * assertion
  | LNot of assertion
  | LImpl of assertion * assertion
  | LIf of term * assertion * assertion
  | LLet of string * term * assertion
  | LForall of string * logic_type * trigger list list * assertion
      (*r forall x:t.a *)
  | LExists of string * logic_type * trigger list list * assertion
      (*r exists x:t.a *)
  | LPred of string * term list
  | LNamed of string * assertion

and trigger =
  | LPatP of assertion
  | LPatT of term

val make_var : string -> term


val make_or : assertion -> assertion -> assertion
val make_and : assertion -> assertion -> assertion
val make_or_list : assertion list -> assertion
val make_and_list : assertion list -> assertion
val make_forall_list : (string * logic_type) list -> trigger list list
  -> assertion -> assertion
val make_impl : assertion -> assertion -> assertion
val make_impl_list : assertion -> assertion list -> assertion
val make_equiv : assertion -> assertion -> assertion

val fprintf_assertion : Format.formatter -> assertion -> unit

type why_type =
  | Prod_type of string * why_type * why_type (*r (x:t1)->t2 *)
  | Base_type of logic_type
  | Ref_type of why_type
  | Annot_type of
      assertion * why_type *
      string list * string list * assertion * ((string * assertion) list)
	(*r { P } t reads r writes w raises E { Q | E => R } *)
;;

val int_type : why_type
val bool_type : why_type
val unit_type : why_type
val base_type : string -> why_type

type variant = term * string option

type opaque = bool

type assert_kind = [`ASSERT | `CHECK]

type expr_node =
  | Cte of constant
  | Var of string
  | And of expr * expr
  | Or of expr * expr
  | Not of expr
  | Void
  | Deref of string
  | If of expr * expr * expr
  | While of
      expr (* loop condition *)
      * assertion (* invariant *)
      * variant option (* variant *)
      * expr list (* loop body *)
  | Block of expr list
  | Assign of string * expr
  | MultiAssign of string * Loc.position * (string * expr) list *
      bool * term * expr * string * expr * string *
      (int * bool * bool * string) list
      (*

         this construction is not in Why, but a temporary construction
         used by jessie to denote "parallel updates"

         [MultiAssign(mark,pos,lets,talloc,alloc,tmpe,e,f,l)] where [l]
         is a list of pair (i,b1,b2,e') for distincts i, denotes the
         parallel updates (lets) let tmpe = e in (tmpe+i).f = e'

         booleans [b1] and [b2] indicates whether it is safe to ignore
         bound checking on the left resp on the right

         [alloc] is the allocation table for safety conditions
         [lets] is a sequence of local bindings for expressions e'
      *)
  | Let of string * expr * expr
  | Let_ref of string * expr * expr
  | App of expr * expr * why_type option
  | Raise of string * expr option
  | Try of expr * string * string option * expr
  | Fun of (string * why_type) list *
      assertion * expr * assertion * ((string * assertion) list)
  | Triple of opaque *
      assertion * expr * assertion * ((string * assertion) list)
  | Assert of assert_kind * assertion * expr
(*
  | Label of string * expr
*)
  | BlackBox of why_type
  | Absurd
  | Loc of Lexing.position * expr

and expr = 
    { expr_labels : string list;
      expr_loc_labels : string list;
      expr_node : expr_node;
    }

;;

val mk_expr : expr_node -> expr
val mk_var : string -> expr
val void : expr

(*
val make_block : string list -> string list -> expr list -> expr
*)

val fprintf_expr : Format.formatter -> expr -> unit

val make_or_expr : expr -> expr -> expr
val make_and_expr : expr -> expr -> expr


(*

  [make_app id [e1;..;en])] builds
  App(...(App(Var(id),e1),...,en)

*)

val make_app : ?ty:why_type -> string -> expr list -> expr
val make_logic_app : ?ty:why_type -> string -> expr list -> expr
val make_app_e : ?ty:why_type -> expr -> expr list -> expr

(*

  [make_label l e] adds label l to e

  In the case of a block, add it to the first instruction of the block, if there
  is one.
*)

val make_label : string -> expr -> expr;;

(*

  [make_while cond inv dec e] builds

  while cond do { invariant inv variant dec } e

  applying simplifications if possible

*)
val make_while : expr -> assertion -> variant option -> expr -> expr;;

val make_pre : assertion -> expr -> expr;;

val append : expr -> expr -> expr

type why_id = { name : string ; loc : Loc.floc }

val id_no_loc : string -> why_id

type goal_kind = KAxiom | KLemma | KGoal

type why_decl =
  | Param of bool * why_id * why_type         (*r parameter in why *)
  | Def of why_id * bool *     (* "diverges" flag *)
            expr               (*r global let in why *)
  | Logic of bool * why_id * (string * logic_type) list * logic_type    (*r logic decl in why *)
  | Predicate of bool * why_id * (string * logic_type) list * assertion
  | Inductive of bool * why_id * (string * logic_type) list *
      (string * assertion) list (*r inductive definition *)
  | Goal of goal_kind * why_id * assertion         (*r Goal *)
  | Function of bool * why_id * (string * logic_type) list * logic_type * term
  | Type of why_id * string list
  | Exception of why_id * logic_type option

val fprintf_why_decl : Format.formatter -> why_decl -> unit;;

val fprintf_why_decls : ?why3:bool -> ?use_floats:bool -> 
  float_model:Jc_env.float_model -> Format.formatter -> why_decl list -> unit

type kind =
  | VarDecr
  | ArithOverflow
  | DownCast
  | IndexBounds
  | PointerDeref
  | UserCall
  | DivByZero
  | AllocSize
  | Pack
  | Unpack
  | FPoverflow

val print_kind : Format.formatter -> kind -> unit

(*
val pos_table :
    (string, (kind option * string option * string option *
                string * int * int * int))
    Hashtbl.t
*)

(*
val my_pos_table :
    (string, (kind option * string option * string option *
                string * int * int * int))
    Hashtbl.t
*)

val my_add_pos :
  string -> (kind option * string option * string option *
               string * int * int * int) -> unit

val my_print_locs : Format.formatter -> unit

(* backward compatibility for Krakatoa and Jessie plugin *)

val old_reg_pos : string -> ?id:string -> ?kind:kind -> ?name:string
  -> ?formula:string -> Loc.floc -> string

val old_print_pos : Format.formatter -> unit


why-2.39/jc/jc_typing.ml0000644000106100004300000037317313147234006014163 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



open Jc_stdlib
open Jc_env
open Jc_envset
open Jc_region
open Jc_ast
open Jc_fenv

open Jc_constructors
open Jc_pervasives
(*
open Jc_iterators
*)
open Jc_struct_tools

open Format

exception Typing_error of Loc.position * string

let typing_error l =
  Format.kfprintf
    (fun _fmt -> raise (Typing_error(l, flush_str_formatter())))
    str_formatter

let uenv = Jc_type_var.create {Jc_type_var.f = typing_error}

let reset_uenv () = Jc_type_var.reset uenv
(*
let print_uenv () = Format.printf "%a" Jc_type_var.print uenv
*)
let add_poly_args poly_args = List.map (fun e -> Jc_type_var.add_type_var uenv e) poly_args

let logic_type_table = StringHashtblIter.create 97

let exceptions_table = StringHashtblIter.create 97

let enum_types_table = StringHashtblIter.create 97

let structs_table = StringHashtblIter.create 97

let roots_table = StringHashtblIter.create 97

let mutable_fields_table = Hashtbl.create 97 (* structure name (string) -> field info *)
let committed_fields_table = Hashtbl.create 97 (* structure name (string) -> field info *)

let logic_functions_table = IntHashtblIter.create 97
let logic_functions_env = Hashtbl.create 97
let logic_constants_table = Hashtbl.create 97
(*
let logic_constants_env = Hashtbl.create 97
*)
let functions_table = IntHashtblIter.create 97
let functions_env = Hashtbl.create 97
let variables_table = IntHashtblIter.create 97
let variables_env = Hashtbl.create 97

(* Store the generated user predicates *)
let pragma_gen_sep = Hashtbl.create 10
let pragma_gen_frame = Hashtbl.create 10
let pragma_gen_same = Hashtbl.create 10

(* Keep the pragma which are defined
   before one of its argument *)
let pragma_before_def = Hashtbl.create 10

let () =
  List.iter
    (fun (ty,x,whyid,pl) ->
       let pi = match ty with
	 | None -> make_pred x
	 | Some ty -> make_logic_fun x ty
       in
       let pl = List.map
	 (fun ty -> var ~formal:true ty "_") pl
       in
       pi.jc_logic_info_parameters <- pl;
       pi.jc_logic_info_final_name <- whyid;
       Hashtbl.add logic_functions_env x pi)
    Jc_pervasives.builtin_logic_symbols;
  List.iter
    (fun (ty,x,whyid,pl,treat) ->
       let pi = make_fun_info x ty in
       let pl = List.map
	 (fun ty -> (true,var ~formal:true ty "_")) pl
       in
       pi.jc_fun_info_parameters <- pl;
       pi.jc_fun_info_final_name <- whyid;
       pi.jc_fun_info_builtin_treatment <- treat;
       Hashtbl.add functions_env x pi)
    Jc_pervasives.builtin_function_symbols

let real_of_integer =
  let fi =
    Hashtbl.find logic_functions_env "\\real_of_integer"
  in
(*
  eprintf "\\real_of_integer.jc_logic_fun_info_tag = %d@." fi.jc_logic_info_tag;
*)
  fi



type axiomatic_decl =
  | ABaxiom of Loc.position * string * Jc_env.label list * Jc_constructors.assertion

type axiomatic_data =
    {
      mutable axiomatics_defined_ids : logic_info list;
      mutable axiomatics_decls : axiomatic_decl list;
    }

let axiomatics_table = StringHashtblIter.create 17

let field_tag_counter = ref 0

let create_mutable_field st =
  incr field_tag_counter;
  let name = "committed_"^st.jc_struct_info_name in
  let fi = {
    jc_field_info_tag = !field_tag_counter;
    jc_field_info_name = name;
    jc_field_info_final_name = Jc_envset.get_unique_name name;
    jc_field_info_type = boolean_type;
    jc_field_info_hroot = st.jc_struct_info_hroot;
    jc_field_info_struct = st;
    jc_field_info_rep = false;
    jc_field_info_abstract = false;
    jc_field_info_bitsize = None;
  } in
  Hashtbl.add committed_fields_table st.jc_struct_info_name fi

let find_struct_info loc id =
  try
    let st,_ = StringHashtblIter.find structs_table id in st
  with Not_found ->
    typing_error loc "undeclared structure %s" id

let find_struct_root st =
  match st.jc_struct_info_hroot.jc_struct_info_root with
    | None -> raise Not_found
    | Some vi -> vi

let is_type_var = function
    | JCTtype_var _ -> true
    | _ -> false

let cast_needed pos ty =
  typing_error pos "At this point we need to know exactly the type, can you add a cast?( I have %a)" print_type ty

let not_the_good_type pos ty s =
  if is_type_var ty then
    cast_needed pos ty
  else
    typing_error pos s

let must_be_subtypable pos ty =
  if is_type_var ty then
    cast_needed pos ty


let is_real t =
  match t with
    | JCTnative Treal -> true
    | _ -> false

let is_double t =
  match t with
    | JCTnative (Tgenfloat `Double) -> true
    | _ -> false

let is_float t =
  match t with
    | JCTnative (Tgenfloat `Float) -> true
    | _ -> false

let is_gen_float t =
  match t with
    | JCTnative (Tgenfloat _) -> true
    | _ -> false


let is_boolean t =
  match t with
    | JCTnative Tboolean -> true
    | _ -> false

let is_numeric t =
  match t with
    | JCTnative (Tinteger | Treal) -> true
    | JCTenum _ -> true
    | _ -> false

let is_integer t =
  match t with
    | JCTnative Tinteger -> true
    | JCTenum _ -> true
    | _ -> false

let is_root_struct st =
  match st.jc_struct_info_parent with None -> true | Some _ -> false

let lub_numeric_types t1 t2 =
  match t1,t2 with
    | JCTnative (Tgenfloat _), JCTnative (Tgenfloat _) when
	!Jc_options.float_instruction_set = FISx87 ->
	Tgenfloat `Binary80
    | JCTnative (Tgenfloat `Float), JCTnative (Tgenfloat `Float) -> (Tgenfloat `Float)
    | JCTnative (Tgenfloat _), JCTnative (Tgenfloat _) -> Tgenfloat `Double
	(* note: there is an invariant that when not in FISx87, `Binary80 never occurs *)
    | JCTnative Treal,_ | _,JCTnative Treal -> Treal
    | _ -> Tinteger

let rec substruct st = function
  | (JCtag(st', _)) as pc ->
      if st == st' then true else
        let vi = struct_root st and vi' = struct_root st' in
        (vi == vi' && (root_is_union vi))
        ||
        begin match st.jc_struct_info_parent with
          | None -> false
          | Some(p, []) -> substruct p pc
          | Some(_p, _) -> assert false (* TODO *)
        end
  | JCroot vi ->
      struct_root st == vi

let superstruct st = function
  | JCtag(st', _) ->
      let vi' = struct_root st' in
      not (root_is_union vi') && substruct st' (JCtag(st,[]))
  | JCroot _vi ->
      false

let same_hierarchy st1 st2 =
  let vi1 = pointer_class_root st1 in
  let vi2 = pointer_class_root st2 in
  vi1 == vi2

let subtype ?(allow_implicit_cast=true) t1 t2 =
  match t1,t2 with
    | JCTnative t1, JCTnative t2 ->
        t1=t2 ||
         (* integer is subtype of real *)
        (match t1,t2 with
           | Tinteger, Treal -> true
	   | _ -> false)
    | JCTenum ri1, JCTenum ri2 ->
        allow_implicit_cast ||
          (Num.ge_num ri1.jc_enum_info_min ri2.jc_enum_info_min &&
             Num.le_num ri1.jc_enum_info_max ri2.jc_enum_info_max)
    | JCTenum _, JCTnative Tinteger ->
        true
    | JCTnative Tinteger, JCTenum _ ->
        allow_implicit_cast
    | JCTlogic s1, JCTlogic s2 ->
        s1=s2
    | JCTpointer(JCtag(s1, []), _, _), JCTpointer(pc, _, _) ->
        substruct s1 pc
    | JCTpointer(JCroot v1, _, _), JCTpointer(JCroot v2, _, _) ->
        v1 == v2
    | JCTnull, (JCTnull | JCTpointer _) ->
        true
    | _ ->
        false

let subtype_strict = subtype ~allow_implicit_cast:false

let mintype loc t1 t2 =
  try match t1,t2 with
    | JCTnative Tinteger, JCTnative Treal
    | JCTnative Treal, JCTnative Tinteger ->
        JCTnative Treal
    | JCTnative n1, JCTnative n2 ->
        if n1=n2 then t1 else raise Not_found
          (* TODO: integer is subtype of real *)
    | JCTenum e1, JCTenum e2 ->
        if e1=e2 then t1 else  Jc_pervasives.integer_type
    | (JCTenum _ | JCTnative Tinteger), (JCTenum _| JCTnative Tinteger) ->
        Jc_pervasives.integer_type
    | JCTlogic s1, JCTlogic s2 ->
        if s1=s2 then t1 else raise Not_found
    | JCTpointer(JCtag(s1, []), _, _), JCTpointer(pc, _, _)
        when substruct s1 pc ->
        t2
    | JCTpointer(pc, _, _), JCTpointer(JCtag(s1, []), _, _)
        when substruct s1 pc ->
        t1
    | JCTpointer(JCroot v1, _, _), JCTpointer(JCroot v2, _, _) ->
        if v1 == v2 then t1 else raise Not_found
    | JCTnull, JCTnull -> JCTnull
    | JCTnull, JCTpointer _ -> t2
    | JCTpointer _, JCTnull -> t1
    | JCTany, t | t, JCTany -> t
    | JCTpointer(JCtag(_, _::_), _, _), JCTpointer _
    | JCTpointer _, JCTpointer(JCtag(_, _::_), _, _) -> assert false
        (* TODO: parameterized type *)
    | _ -> raise Not_found
  with Not_found ->
    typing_error loc "incompatible types: %a and %a"
      print_type t1 print_type t2

let unit_expr e =
  if e#typ = unit_type then e else
    new expr_with ~typ:unit_type ~region:dummy_region ~original_type:e#typ e

let rec same_type_no_coercion t1 t2 =
  match t1,t2 with
    | JCTnative t1, JCTnative t2 -> t1=t2
    | JCTenum ei1, JCTenum ei2 ->
      ei1.jc_enum_info_name = ei2.jc_enum_info_name
    | JCTlogic (name1, args1), JCTlogic (name2, args2) ->
      name1=name2 && List.for_all2 same_type_no_coercion args1 args2
    | JCTpointer(pc1,_,_), JCTpointer(pc2,_,_) ->
        pointer_class_root pc1 == pointer_class_root pc2
    | JCTnull, JCTnull -> true
    | JCTnull, JCTpointer _
    | JCTpointer _, JCTnull -> true
    | _ -> false

let comparable_types t1 t2 =
  match t1,t2 with
    | JCTnative Tinteger, JCTnative Treal -> true
    | JCTnative Treal, JCTnative Tinteger -> true
    | JCTnative t1, JCTnative t2 -> t1=t2
    | JCTenum _, JCTenum _ -> true
    | JCTenum _, JCTnative Tinteger -> true
    | JCTnative Tinteger, JCTenum _ -> true
    | JCTlogic s1, JCTlogic s2 -> s1=s2
    | JCTpointer(pc1,_,_), JCTpointer(pc2,_,_) ->
        pointer_class_root pc1 == pointer_class_root pc2
    | JCTnull, JCTnull -> true
    | JCTnull, JCTpointer _
    | JCTpointer _, JCTnull -> true
    | _ -> false


let rec list_assoc_name f id l =
  match l with
    | [] -> raise Not_found
    | fi::r ->
        if (f fi) = id then fi
        else list_assoc_name f id r


let rec find_field_struct loc st allow_mutable = function
  | ("mutable" | "committed") as x ->
      if allow_mutable && !Jc_common_options.inv_sem = InvOwnership then
        let table =
          if x = "mutable" then mutable_fields_table
          else committed_fields_table
        in
        Hashtbl.find table (root_name st)
      else typing_error loc "field %s cannot be used here" x
  | f ->
      try
        list_assoc_name
          (fun f -> f.jc_field_info_name) f st.jc_struct_info_fields
      with Not_found ->
        match st.jc_struct_info_parent with
          | None ->
              raise Not_found
(*              typing_error loc "no field %s in structure %s"
                f st.jc_struct_info_name*)
          | Some(st, _) -> find_field_struct loc st allow_mutable f
let find_field_struct loc st allow_mutable f =
  try find_field_struct loc st allow_mutable f
  with Not_found ->
    typing_error loc "no field %s in structure %s" f st.jc_struct_info_name

let find_field loc ty f allow_mutable =
  match ty with
    | JCTpointer(JCtag(st, _), _, _) -> find_field_struct loc st allow_mutable f
    | JCTpointer(JCroot _, _, _)
    | JCTnative _
    | JCTenum _
    | JCTlogic _
    | JCTnull
    | JCTany -> typing_error loc "not a structure type"
    | JCTtype_var _ -> cast_needed loc ty

let find_fun_info id = Hashtbl.find functions_env id

let find_logic_info id = Hashtbl.find logic_functions_env id

(* types *)

let rec type_type t =
  match t#node with
    | JCPTnative n -> JCTnative n
    | JCPTpointer (id, _, a, b) ->
        (* first we try the most precise type (the tag) *)
        begin try
          let st, _ = StringHashtblIter.find structs_table id in
          JCTpointer(JCtag(st, []), a, b)
        with Not_found ->
          try
            let vi = StringHashtblIter.find roots_table id in
            JCTpointer(JCroot vi, a, b)
          with Not_found ->
            typing_error t#pos "unknown type or tag: %s" id
        end
    | JCPTidentifier (id,l) ->
        try
          JCTtype_var (Jc_type_var.find_type_var uenv id)
        with Not_found ->
          try
            let l = List.map type_type l in
            let _,lp = StringHashtblIter.find logic_type_table id in
            let len_l = List.length l in
            let len_lp = List.length lp in
            if not (len_l = len_lp) then
              typing_error t#pos "Here the type %s is used with %i arguments instead of %i " id len_l len_lp;
            JCTlogic (id,l)
          with Not_found ->
            try
              let ri = StringHashtblIter.find enum_types_table id in
              JCTenum ri
            with Not_found ->
              typing_error t#pos "unknown type %s" id

let unary_op (t: [< operator_type]) (op: [< unary_op]) = op, t

let bin_op (t: [< operator_type]) (op: [< bin_op]) = op, t

(******************************************************************************)
(*                                  Patterns                                  *)
(******************************************************************************)

(* constants *)

let const c =
  match c with
    | JCCvoid -> unit_type,dummy_region,c
    | JCCinteger _ -> integer_type,dummy_region,c
    | JCCreal _ -> real_type,dummy_region,c
    | JCCboolean _ -> boolean_type, dummy_region, c
    | JCCnull -> null_type,Region.make_var JCTnull "null",c
    | JCCstring _ -> string_type,dummy_region,c


let valid_pointer_type st =
  JCTpointer(st, Some (Num.num_of_int 0), Some (Num.num_of_int 0))

(* ety = expected type *)
(* env: the variables already bound *)
(* vars: the var_info to use if encountering a given variable *)
(* Return: (vars, pat) where:
     vars is the environment of the binders of the pattern
     pat is the typed pattern. *)
let rec pattern env vars pat ety =
  let get_var ety id =
    let id = id#name in
    if List.mem_assoc id env then
      typing_error pat#pos
        "the variable %s appears twice in the pattern" id;
    try
      StringMap.find id vars
    with Not_found ->
      let vi = var ety id in
      vi.jc_var_info_assigned <- true;
      vi
  in
  let tpn, ty, newenv = match pat#node with
    | JCPPstruct(id, lpl) ->
        let pc = match ety with
          | JCTpointer(pc, _, _) -> pc
          | JCTnative _ | JCTenum _ | JCTlogic _ | JCTnull | JCTany
          | JCTtype_var _ ->
              not_the_good_type pat#pos ety
                "this pattern doesn't match a structure nor a variant"
        in
        (* tag *)
        let st = find_struct_info id#pos id#name in
        if not (substruct st pc) then
          typing_error id#pos
            "tag %s is not a subtag of %s"
            st.jc_struct_info_name (Jc_output_misc.pointer_class pc);
        (* fields *)
        let env, tlpl = List.fold_left
          (fun (env, acc) (l, p) ->
             let fi = find_field_struct l#pos st false l#name in
             let env, tp = pattern env vars p fi.jc_field_info_type in
             env, (fi, tp)::acc)
          (env, []) lpl
        in
        JCPstruct(st, List.rev tlpl), valid_pointer_type (JCtag(st, [])), env
    | JCPPvar id ->
        let vi = get_var ety id in
        JCPvar vi, ety, (id#name, vi)::env
    | JCPPor(p1, p2) ->
        let _, tp1 = pattern env vars p1 ety in
        let vars = pattern_vars vars tp1 in
        let env, tp2 = pattern env vars p2 ety in
        JCPor(tp1, tp2), ety, env
    | JCPPas(p, id) ->
        let env, tp = pattern env vars p ety in
        let vi = get_var (tp#typ) id in
        JCPas(tp, vi), ety, (id#name, vi)::env
    | JCPPany ->
        JCPany, ety, env
    | JCPPconst c ->
        let ty, _, c = const c in
        Jc_type_var.add uenv pat#pos ty ety;
        JCPconst c, ety, env
  in newenv, new pattern ~typ:ty ~pos:pat#pos tpn
let pattern = pattern [] StringMap.empty

(******************************************************************************)
(*                                   Terms                                    *)
(******************************************************************************)

(*
let num_op (op: [< `Badd | `Bsub | `Bmul | `Bdiv | `Bmod]) = op, Tinteger
*)

let num_un_op t (op: [< `Uminus | `Ubw_not | `Unot]) e =
  match op with
    | `Unot
    | `Uminus
    | `Ubw_not -> JCTunary((unary_op t op :> unary_op * 'a),e)

let make_logic_unary_op loc (op : Jc_ast.unary_op) e2 =
  let t2 = e2#typ in
  match op with
    | `Unot ->
        Jc_type_var.add uenv loc (JCTnative Tboolean) t2;
	  t2, dummy_region, num_un_op (operator_of_native Tboolean) op  e2
    | ((`Uminus | `Ubw_not) as x) ->
        must_be_subtypable loc t2;
        if is_numeric t2 then
          let t = lub_numeric_types t2 t2 in
          JCTnative t,dummy_region,num_un_op (operator_of_native t) x e2
        else
          typing_error loc "numeric type expected"
(*    | `Upostfix_dec | `Upostfix_inc | `Uprefix_dec | `Uprefix_inc ->
        typing_error loc "pre/post incr/decr not allowed as logical term"*)

(* [term_coerce t1 t2 e] applies coercion to expr e of type t1 to t2 *)
let term_coerce t1 t2 e =
  let tn1 =
    match t1 with
      | JCTenum _ri -> Tinteger
      | JCTnative t -> t
      | _ -> assert false
  in
  match tn1,t2 with
    | Tinteger, Treal ->
	begin
	  match e#node with
	    | JCTconst (JCCinteger n) ->
		new term
		  ~typ:real_type
		  ~region:e#region
		  ~mark:e#mark
		  ~pos:e#pos
		  (JCTconst(JCCreal (n^".0")))
	    | _ ->
		let app = {
		  jc_app_fun = real_of_integer;
		  jc_app_args = [e];
		  jc_app_region_assoc = [];
		  jc_app_label_assoc = [];
		} in
		new term
		  ~typ:real_type
		  ~region:e#region
		  ~mark:e#mark
		  ~pos:e#pos
		  (JCTapp app)
	end
    | _ -> e

let logic_bin_op (t : [< operator_type ]) (op : [< bin_op]) : term_bin_op =
  bin_op t op
(*
  match t,op with
    | _, BPgt -> gt_int
    | _, BPlt -> lt_int
    | _, BPge -> ge_int
    | _, BPle -> le_int
    | _, BPeq -> eq
    | _, BPneq -> neq
    | Tinteger, BPadd -> add_int
    | Treal, BPadd -> add_real
    | _, BPsub -> sub_int
    | _, BPmul -> mul_int
    | _, BPdiv -> div_int
    | _, BPmod -> mod_int
    | Tboolean, BPland -> band
    | Tboolean, BPlor -> bor
        (* not allowed as expression op *)
    | _,BPimplies -> assert false
    | Tunit,_ -> assert false
    | _ -> assert false
*)

let make_logic_bin_op loc (op: bin_op) e1 e2 =
  let t1 = e1#typ and t2 = e2#typ in
  (** Test only if t1 t2 are not a type variable,
      thus they can contain type variable*)
  must_be_subtypable loc t1;
  must_be_subtypable loc t2;
  match op with
    | `Bgt | `Blt | `Bge | `Ble ->
        if is_numeric t1 && is_numeric t2 then
          let t = lub_numeric_types t1 t2 in
          boolean_type,dummy_region,
          JCTbinary(term_coerce t1 t e1, logic_bin_op (operator_of_native t) op,
                    term_coerce t2 t e2)
        else
          typing_error loc "numeric types expected for >, <, >= and <="
    | `Beq | `Bneq ->
        if is_numeric t1 && is_numeric t2 then
          let t = lub_numeric_types t1 t2 in
          boolean_type,dummy_region,
          JCTbinary(term_coerce t1 t e1, logic_bin_op (operator_of_native t) op,
                     term_coerce t2 t e2)
        else if is_pointer_type t1 && is_pointer_type t2
	  && (comparable_types t1 t2)
	then
          boolean_type,dummy_region,
          JCTbinary(e1,logic_bin_op `Pointer op,e2)
        else
          typing_error loc "numeric or pointer types expected for == and !="
    | `Badd ->
        if is_pointer_type t1 && is_integer t2 then
          t1, e1#region, JCTshift(e1, term_coerce t2 Tinteger e2)
        else if is_numeric t1 && is_numeric t2 then
          let t = lub_numeric_types t1 t2 in
          (JCTnative t,dummy_region,
           JCTbinary(term_coerce t1 t e1,
                     logic_bin_op (operator_of_native t) op,
                     term_coerce t2 t e2))
        else
          typing_error loc "unexpected types for +"
    | `Bsub ->
        if is_pointer_type t1 && is_integer t2 then
          let _, _, te = make_logic_unary_op loc `Uminus e2 in
          let e2 = new term_with ~node:te e2 in
          t1,e1#region,JCTshift(e1, term_coerce t2 Tinteger e2)
        else if
          is_pointer_type t1 && is_pointer_type t2
          && comparable_types t1 t2
        then
          (integer_type,dummy_region,
           JCTbinary(e1, bin_op `Pointer `Bsub, e2))
        else if is_numeric t1 && is_numeric t2 then
          let t = lub_numeric_types t1 t2 in
          (JCTnative t,
           dummy_region,
           JCTbinary(term_coerce t1 t e1,
                     logic_bin_op (operator_of_native t) op,
                     term_coerce t2 t e2))
        else
          typing_error loc "unexpected types for -"
    | `Bmul | `Bdiv | `Bmod | `Bbw_and | `Bbw_or | `Bbw_xor
    | `Blogical_shift_right | `Barith_shift_right | `Bshift_left ->
        if is_numeric t1 && is_numeric t2 then
          let t = lub_numeric_types t1 t2 in
          (JCTnative t,dummy_region,
           JCTbinary(term_coerce t1 t e1,
                     logic_bin_op (operator_of_native t) op,
                     term_coerce t2 t e2))
        else typing_error loc "numeric types expected for *, / and %%"
    | `Bland | `Blor ->
        let t=
          match (t1,t2) with
            | JCTnative t1, JCTnative t2 ->
                begin
                  match (t1,t2) with
                    | Tboolean,Tboolean -> Tboolean
                    | _ -> assert false (* TODO *)
                end
            | _ ->
                typing_error loc "booleans expected"
        in
        JCTnative t,
        dummy_region,
        JCTbinary(e1, logic_bin_op (operator_of_native t) op, e2)

        (* not allowed as term op *)
    | `Bimplies | `Biff -> assert false
    | `Bconcat -> assert false (* TODO *)


(** Check that used logic labels appear in the environment,
and add the current [label] to the node in [jc_nexpr_label].
[env] is the list of valid labels.
[result_label] is the expected label for [\result].
However, [label] might be changed by the "\at" construction. *)
let rec type_labels env ~result_label label e =
  let check e x =
    if not (List.mem x env) then
      typing_error e#pos "label `%a' not found" Jc_output_misc.label x
  in
  let iter_subs ?(env=env) label =
    List.iter
      (fun e -> ignore (type_labels env ~result_label label e))
      (Jc_iterators.INExpr.subs e)
  in
  e#set_label label;
(*
  (match label with
    | None -> assert false
    | Some l ->
	eprintf "setting label %a to expr %a@." Jc_output_misc.label l Jc_noutput.expr e);
*)
  match e#node with
    | JCNEconst _ | JCNEderef _ | JCNEbinary _
    | JCNEunary _ | JCNEassign _ | JCNEinstanceof _ | JCNEcast _
    | JCNEif _ | JCNEoffset _ | JCNEaddress _ | JCNEbase_block _ | JCNEfresh _
    | JCNEalloc _ | JCNEfree _ | JCNElet _
    | JCNEassert _ | JCNEloop _ | JCNEreturn _ | JCNEtry _
    | JCNEthrow _ | JCNEpack _ | JCNEunpack _ | JCNEmatch _ | JCNEquantifier _
    | JCNEmutable _ | JCNEeqtype _ | JCNEsubtype _ | JCNErange _ ->
        iter_subs label;
        env
    | JCNEvar id ->
	if id = "\\result" then
	  begin match label,result_label with
	    | Some lab1, Some lab2 ->
		if lab1 <> lab2 then
		  typing_error e#pos "\\result not allowed here (lab1 = %a, lab2= %a)" Jc_output_misc.label lab1 Jc_output_misc.label lab2
	    | None, _
	    | _, None -> typing_error e#pos "\\result not allowed here"
	  end;
	env
    | JCNEcontract(req,dec,behs,e) ->
	ignore (type_labels_opt env ~result_label:None (Some LabelHere) req);
	Option_misc.iter
	  (fun (dec,_) ->
	     ignore (type_labels env ~result_label:None (Some LabelHere) dec)) dec;
	List.iter (behavior_labels env) behs;
	type_labels env ~result_label None e
    | JCNEapp(_, l, _) ->
        List.iter (check e) l;
        iter_subs label;
        env
    | JCNEold _ ->
        check e LabelOld;
        iter_subs (Some LabelOld);
        env
    | JCNEat(_, l) ->
        check e l;
        iter_subs (Some l);
        env
    | JCNEblock el ->
        List.fold_left
          (fun env e -> type_labels env ~result_label label e)
          env el
    | JCNElabel(lab, _) ->
        let lab = {
          label_info_name = lab;
          label_info_final_name = lab;
          times_used = 0;
        } in
        let env = (LabelName lab)::env in
        iter_subs ~env label;
        env

and type_labels_opt env ~result_label label e =
  match e with
    | None -> env
    | Some e -> type_labels env ~result_label label e

and behavior_labels env
    (_loc,_id,_throws,assumes,requires,assigns,allocates,ensures) =
  let here = Some LabelHere in
  let _ = type_labels_opt env ~result_label:None here assumes in
  let _ = type_labels_opt env ~result_label:None here requires in
  let env = LabelOld :: LabelPost :: env in
  Option_misc.iter
    (fun (_,a) ->
       List.iter
	 (fun e ->
	    ignore(type_labels env
		     ~result_label:(Some LabelPost) (Some LabelOld) e)) a)
    assigns;
  Option_misc.iter
    (fun (_,a) ->
       List.iter
	 (fun e ->
	    ignore(type_labels env
		     ~result_label:(Some LabelHere) (Some LabelHere) e)) a)
    allocates;
  let _ = type_labels env ~result_label:here here ensures in
  ()

let type_labels env ~result_label label e =
  ignore (type_labels env ~result_label label e)

let get_label e =
  match e#label with
    | None -> typing_error e#pos "a memory state is needed here (\\at missing?)"
    | Some l -> l

let label_assoc loc id cur_label fun_labels effective_labels =
  match cur_label, fun_labels, effective_labels with
    | Some l, [lf], [] -> [lf,l]
    | _ ->
	try
	  List.map2
	    (fun l1 l2 -> (l1,l2))
	    fun_labels effective_labels
	with Invalid_argument _ ->
	  typing_error loc
	    "wrong number of labels for %s (expected %d, got %d)" id (List.length fun_labels) (List.length effective_labels)

let rec term env e =
  let ft = term env in
  let lab = ref "" in
  let label () = get_label e in
  let t, tr, te = match e#node with
    | JCNEconst c ->
        let t, tr, c = const c in t, tr, JCTconst c
    | JCNElabel(l, e1) ->
        let te1 = ft e1 in
        lab := l;
        te1#typ, te1#region, te1#node
    | JCNEvar id ->
	begin try
          let vi =
            try List.assoc id env
	    with Not_found -> Hashtbl.find variables_env id
          in
          vi.jc_var_info_type, vi.jc_var_info_region, JCTvar vi
	with Not_found ->
          (* François : Où teste-t-on que pi n'a pas d'argument? *)
	  let pi =
            try Hashtbl.find logic_functions_env id with Not_found ->
              typing_error e#pos "unbound term identifier %s" id
	  in
          let app = {
            jc_app_fun = pi;
            jc_app_args = [];
            jc_app_region_assoc = [];
            jc_app_label_assoc = [];
          } in
	  let ty =
	    match pi.jc_logic_info_result_type with
	      | Some t -> t
	      | None -> assert false (* check it is a function *)
	  in
          let ty = (Jc_type_var.instance pi.jc_logic_info_poly_args) ty in
	  ty, Region.make_var ty pi.jc_logic_info_name, JCTapp app
	end
    | JCNEderef(e1, f) ->
        let te1 = ft e1 in
        let fi = find_field e#pos te1#typ f true in
        fi.jc_field_info_type,
        Region.make_field te1#region fi,
        JCTderef(te1, label (), fi)
    | JCNEbinary(e1, op, e2) ->
        make_logic_bin_op e#pos op (ft e1) (ft e2)
    | JCNEunary(op, e1) ->
        make_logic_unary_op e#pos op (ft e1)
    | JCNEapp(id, labs, args) ->
        begin try
(* Yannick: no need for different rule for const logic *)
(*           if List.length args = 0 then *)
(*             let vi = Hashtbl.find logic_constants_env id in *)
(*             vi.jc_var_info_type, vi.jc_var_info_region, JCTvar vi *)
(*           else *)
	    begin
            let pi = find_logic_info id in
            let subst = Jc_type_var.instance pi.jc_logic_info_poly_args in
            let tl =
              try
                List.map2
                  (fun vi e ->
                     let ty = subst vi.jc_var_info_type in
                     let te = ft e in
                     Jc_type_var.add uenv te#pos te#typ ty;
                     te)
                   pi.jc_logic_info_parameters args
              with  Invalid_argument _ ->
                typing_error e#pos
                  "wrong number of arguments for %s" id
            in
            let ty = match pi.jc_logic_info_result_type with
              | None ->
                  typing_error e#pos
                    "the logic info %s is a predicate; it should be \
used as an assertion, not as a term" pi.jc_logic_info_name
              | Some ty -> ty
	    in
            let ty = Jc_type_var.subst uenv (subst ty) in
            let label_assoc =
	      label_assoc e#pos id e#label pi.jc_logic_info_labels labs
	    in
            let app = {
              jc_app_fun = pi;
              jc_app_args = tl;
              jc_app_region_assoc = [];
              jc_app_label_assoc = label_assoc;
            } in
            ty, Region.make_var ty pi.jc_logic_info_name, JCTapp app
          end
        with Not_found ->
          typing_error e#pos "unbound logic function identifier %s" id
        end
    | JCNEinstanceof(e1, t) ->
        boolean_type,
        dummy_region,
        JCTinstanceof(ft e1, label (), find_struct_info e#pos t)
    | JCNEcast(e1, t) ->
        let te1 = ft e1 in
	let ty = type_type t in
	begin match ty with
	  | JCTnative Tinteger ->
	      (*if is_real te1#typ then
		integer_type, te1#region, JCTreal_cast(te1,Real_to_integer)
	      else*) if is_integer te1#typ then
		integer_type, te1#region, te1#node
	      else
                not_the_good_type e#pos ty "bad cast to integer"
		  (*typing_error e#pos "bad cast to integer"*)
	  | JCTnative Treal ->
	      if is_integer te1#typ then
		real_type, te1#region, JCTreal_cast(te1,Integer_to_real)
	      else if is_real te1#typ then
		real_type, te1#region, te1#node
	      else if is_double te1#typ then
		real_type, te1#region, JCTreal_cast(te1,Double_to_real)
	      else if is_float te1#typ then
		real_type, te1#region, JCTreal_cast(te1,Float_to_real)
	      else
		 not_the_good_type e#pos te1#typ "bad cast to real"
		  (*typing_error e#pos "bad cast to real"*)
	  | JCTnative (Tgenfloat f) ->
	       if is_real te1#typ || is_integer te1#typ then
                JCTnative (Tgenfloat f), te1#region, JCTreal_cast(te1, Round (f,Round_nearest_even))
	       else
		 begin
		   match te1#typ with
		     | JCTnative (Tgenfloat f1) ->
			 let e =
			   match (f1,f) with
			     | `Binary80,`Binary80 -> te1#node
			     | `Double,`Double -> te1#node
			     | `Float,`Float -> te1#node
			     | _ ->
				 JCTreal_cast(te1, Round(f,Round_nearest_even))
			 in
			   JCTnative (Tgenfloat f), te1#region, e
		     | _ -> not_the_good_type e#pos te1#typ "bad cast to floating-point number"
		  (*typing_error e#pos "bad cast to floating-point number"*)
		 end

(*
	  | JCTnative (Tgenfloat `Double) ->
              if is_real te1#typ || is_integer te1#typ then
                double_type, te1#region, JCTreal_cast(te1, Round_double Round_nearest_even)
	      else if is_double te1#typ then
		double_type, te1#region, te1#node
	      else if is_float te1#typ then
		double_type, te1#region, te1#node
	      else
		typing_error e#pos "bad cast to double"
	  | JCTnative Tfloat ->
              if is_real te1#typ || is_double te1#typ || is_integer te1#typ then
                float_type, te1#region, JCTreal_cast(te1, Round_float Round_nearest_even)
	      else if is_float te1#typ then
		float_type, te1#region, te1#node
	      else
		typing_error e#pos "bad cast to float"
*)
	  | JCTnative _ -> assert false (* TODO *)
	  | JCTenum ri ->
	      if is_integer te1#typ then
		JCTenum ri, dummy_region, JCTrange_cast(te1, ri)
	      else
		(* CM je ne comprends pas ce cast de real vers enum
		   if is_real te1#typ then
		let cast = NExpr.mkcast ~expr:e1 ~typ:integer_type () in
		let t = ft cast in
		  JCTenum ri, te1#region, JCTrange_cast(t, ri)
	      else
		*)
		not_the_good_type e#pos te1#typ "integer type expected"
		  (*typing_error e#pos "integer type expected"*)
	  | JCTpointer(JCtag(st,_),_,_) ->
	      begin match te1#typ with
		| JCTpointer(st1, a, b) ->
		    if superstruct st st1 then
		      (te1#typ,
		       te1#region,
		       te1#node)
		    else if substruct st st1 then
		      (JCTpointer(JCtag(st, []), a, b),
		       te1#region,
		       JCTcast(te1, label (), st))
		    else if same_hierarchy (JCtag(st, [])) st1 then
		      typing_error e#pos "invalid cast"
		    else
		      (* bitwise cast *)
		      (Region.make_bitwise te1#region;
		       JCTpointer(JCtag(st, []), a, b),
		       te1#region,
		       JCTbitwise_cast(te1, label(), st))
		| JCTnull ->
		    (* bitwise cast *)
		    (Region.make_bitwise te1#region;
		     JCTpointer(JCtag(st,[]),None,None),
		     te1#region,
		     JCTbitwise_cast(te1, label(), st))
		| JCTnative _ | JCTlogic _ | JCTenum _ | JCTany
		| JCTtype_var _ -> not_the_good_type e#pos te1#typ "only structures can be cast"

	      end
	  | JCTpointer (JCroot _, _, _)  -> assert false (* TODO *)
	  | JCTtype_var _|JCTlogic _|JCTany|JCTnull -> assert false (* TODO *)
	end
    | JCNEif(e1, e2, e3) ->
        let te1 = ft e1 and te2 = ft e2 and te3 = ft e3 in
        Jc_type_var.add uenv e#pos (JCTnative Tboolean) te1#typ;
        let t =
          let t2 = te2#typ and t3 = te3#typ in
          if subtype_strict t2 t3 then t3 else
            if subtype_strict t3 t2 then t2 else
              (Jc_type_var.add uenv e#pos t2 t3;
               Jc_type_var.subst uenv t2)
		(* typing_error e#pos "incompatible result types"*)
              in
        t, te1#region, JCTif(te1, te2, te3)
    | JCNEoffset(k, e1) ->
        let te1 = ft e1 in
        begin match te1#typ with
          | JCTpointer(JCtag(st, _), _, _) ->
              integer_type, dummy_region, JCToffset(k, te1, st)
          | JCTpointer(JCroot _, _, _) ->
              assert false (* TODO *)
          | JCTnative _ | JCTlogic _ | JCTenum _ | JCTnull | JCTany -> typing_error e#pos "pointer expected"
          | JCTtype_var _ -> cast_needed te1#pos te1#typ

        end
    | JCNEaddress(Addr_absolute,e1) ->
        let te1 = ft e1 in
        if is_integer te1#typ then
	  JCTnull, dummy_region, JCTaddress(Addr_absolute,te1)
	else
          not_the_good_type te1#pos te1#typ "integer expected"
    | JCNEaddress(Addr_pointer,e1) ->
        let te1 = ft e1 in
        begin match te1#typ with
          | JCTpointer(JCtag(_st, _), _, _) ->
              integer_type, dummy_region, JCTaddress(Addr_pointer,te1)
          | JCTpointer(JCroot _, _, _) ->
              assert false (* TODO *)
          | JCTnative _ | JCTlogic _ | JCTenum _ | JCTnull | JCTany -> typing_error e#pos "pointer expected"
          | JCTtype_var _ -> cast_needed te1#pos te1#typ

        end
    | JCNEbase_block(e1) ->
        let te1 = ft e1 in
        if is_pointer_type te1#typ then
	  JCTnull, dummy_region, JCTbase_block(te1)
	else
          not_the_good_type te1#pos te1#typ "pointer expected"
          (*typing_error e#pos "pointer expected"*)
    | JCNElet(pty, id, Some e1, e2) ->
        let te1 = ft e1 in
        let ty = match pty with
          | None -> te1#typ
          | Some pty ->
              let ty = type_type pty in
              Jc_type_var.add uenv e1#pos te1#typ ty;
              Jc_type_var.subst uenv ty
        in
        let vi = var ty id in
        let te2 = term ((id, vi)::env) e2 in
        te2#typ, te2#region, JCTlet(vi,te1,te2)
    | JCNElet(_ (* Some pty *), _id, None, _e2) ->
        typing_error e#pos "let without initial value"
(*
        let vi = var (type_type pty) id in
        let te2 = term ((id, vi)::env) e2 in
        te2#typ, te2#region, JCTlet(vi,None,te2)
    | JCNElet(None, _, None, _) ->
        typing_error e#pos "let with no initial value must have a type"
*)
    | JCNEmatch(arg, pel) ->
        let targ = ft arg in
        let rty, tpel = match pel with
          | [] -> assert false (* should not be allowed by the parser *)
          | (p1, e1)::rem ->
              (* type the first item *)
              let penv, tp1 = pattern p1 targ#typ in
              let te1 = term (penv @ env) e1 in
              (* type the remaining items *)
              List.fold_left
                (fun (accrty, acctpel) (p, e2) ->
                   let penv, tp = pattern p targ#typ in
                   let te2 = term (penv @ env) e2 in
                   mintype e#pos accrty te2#typ,
                   (tp, te2)::acctpel)
                (te1#typ, [tp1, te1])
                (List.rev rem)
        in
        rty, targ#region, JCTmatch(targ, List.rev tpel)
    | JCNEold e1 ->
        let te1 = ft e1 in
        te1#typ, te1#region, JCTold te1
    | JCNEat(e1, lab) ->
        let te1 = ft e1 in
        te1#typ, te1#region, JCTat(te1, lab)
    | JCNEmutable(_e, _t) -> assert false (* TODO *)
    | JCNErange(Some e1, Some e2) ->
        let e1 = ft e1 and e2 = ft e2 in
        let t1 = e1#typ and t2 = e2#typ in
        assert (is_numeric t1 && is_numeric t2);
        let t = lub_numeric_types t1 t2 in
        JCTnative t, dummy_region,
        JCTrange(Some (term_coerce t1 t e1),Some (term_coerce t2 t e2))
    | JCNErange(Some e, None) ->
        let e = ft e in
        let t = e#typ in
        assert (is_numeric t);
        t, dummy_region,JCTrange(Some e,None)
    | JCNErange(None, Some e) ->
        let e = ft e in
        let t = e#typ in
        assert (is_numeric t);
        t,dummy_region, JCTrange(None,Some e)
    | JCNErange(None, None) ->
        integer_type, dummy_region,JCTrange(None,None)
    (* Not terms: *)
    | JCNEassign _ | JCNEalloc _ | JCNEfree _ | JCNEblock _ | JCNEassert _ | JCNEfresh _
    | JCNEloop _ | JCNEreturn _ | JCNEtry _ | JCNEthrow _ | JCNEpack _
    | JCNEunpack _ | JCNEquantifier _ | JCNEcontract _
    | JCNEeqtype _ | JCNEsubtype _ ->
	typing_error e#pos "construction %a not allowed in logic terms"
	  Jc_noutput.expr e
  in
  new term
    ~typ: t
    ~region: tr
    ~mark: !lab
    ?label: e#label
    ~pos: e#pos
    te

(******************************************************************************)
(*                                 Assertions                                 *)
(******************************************************************************)

(*
let term label_env label env e =
  type_labels label_env label e;
  term env e
*)

(*
let rel_unary_op loc op t =
  match op with
    | `Unot | `Ubw_not -> assert false
    | `Uminus | `Uplus ->
        typing_error loc "not a proposition"
    | `Upostfix_dec | `Upostfix_inc | `Uprefix_dec | `Uprefix_inc ->
        typing_error loc "pre/post incr/decr not allowed as logical term"
*)

let rel_bin_op t (op: [< comparison_op]) =
  (bin_op t op :> pred_rel_op)
(*
  match t,op with
    | Tinteger,BPgt -> gt_int
    | Tinteger,BPlt -> lt_int
    | Tinteger,BPge -> ge_int
    | Tinteger,BPle -> le_int
    | _,BPeq -> eq
    | _,BPneq -> neq
    | _,(BPadd | BPsub | BPmul | BPdiv | BPmod) -> assert false
    | _,(BPland | BPlor | BPimplies | BPiff) -> assert false
    | _ -> assert false  (* TODO *)
*)

let make_and a1 a2 =
  match (a1#node, a2#node) with
    | (JCAtrue,_) -> a2
    | (_,JCAtrue) -> a1
(*
    | (LFalse,_) -> LFalse
    | (_,LFalse) -> LFalse
*)
    | (JCAand l1 , JCAand l2) -> new assertion(JCAand(l1@l2))
    | (JCAand l1 , _ ) -> new assertion(JCAand(l1@[a2]))
    | (_ , JCAand l2) -> new assertion(JCAand(a1::l2))
    | _ -> new assertion(JCAand [a1;a2])

let rec make_and_list l =
  match l with
    | [] -> assert false
    | [a] -> a
    | f::r -> make_and f (make_and_list r)

let make_or a1 a2 =
  match (a1#node, a2#node) with
    | (JCAfalse,_) -> a2
    | (_,JCAfalse) -> a1
(*
    | (LFalse,_) -> LFalse
    | (_,LFalse) -> LFalse
*)
    | (JCAor l1 , JCAor l2) -> new assertion(JCAor(l1@l2))
    | (JCAor l1 , _ ) -> new assertion(JCAor(l1@[a2]))
    | (_ , JCAor l2) -> new assertion(JCAor(a1::l2))
    | _ -> new assertion(JCAor [a1;a2])

let make_rel_bin_op loc (op: [< comparison_op]) e1 e2 =
  let t1 = e1#typ and t2 = e2#typ in
  must_be_subtypable e1#pos t1;
  must_be_subtypable e2#pos t2;
  match op with
    | `Bgt | `Blt | `Bge | `Ble ->
        if is_numeric t1 && is_numeric t2 then
          let t = lub_numeric_types t1 t2 in
          JCArelation(term_coerce t1 t e1,
                      rel_bin_op (operator_of_native t) op,
                      term_coerce t2 t e2)
        else
          typing_error loc "numeric types expected for >, <, >= and <="
    | `Beq | `Bneq ->
(**)
        if is_numeric t1 && is_numeric t2 then
          let t = lub_numeric_types t1 t2 in
          JCArelation(term_coerce t1 t e1,
                      rel_bin_op (operator_of_native t) op,
                      term_coerce t2 t e2)
        else
(**)
          let t = eq_operator_of_type (mintype loc t1 t2) in
          if comparable_types t1 t2 then
            JCArelation(e1, rel_bin_op t op, e2)
          else
            typing_error loc "terms should have the same type for == and !="

let tag env hierarchy t =
  let check_hierarchy loc st =
    if hierarchy <> "" &&
      root_name st != hierarchy then
        typing_error loc
          "this is in the hierarchy of %s, while it should be in the hierarchy \
of %s"
          (root_name st) hierarchy
  in
  let tt = match t#node with
    | JCPTtag id ->
        let st = find_struct_info id#pos id#name in
        check_hierarchy id#pos st;
        JCTtag st
    | JCPTbottom -> JCTbottom
    | JCPTtypeof tof ->
        let ttof = term env tof in
        match ttof#typ with
          | JCTpointer(JCtag(st, _), _, _) ->
              check_hierarchy tof#pos st;
              JCTtypeof (ttof, st)
          | _ -> not_the_good_type tof#pos ttof#typ "tag pointer expression expected"
  in
  new tag ~pos:t#pos tt

let rec assertion env e =
  let fa = assertion env in
  let ft = term env in
  let lab = ref "" in
  let label () = get_label e in
  let struct_for_tags ttag1 ttag2 =
    match ttag1#node, ttag2#node with
      | JCTbottom, JCTbottom -> None
      | JCTbottom, JCTtag st
      | JCTtag st, JCTbottom
      | JCTbottom, JCTtypeof(_, st)
      | JCTtypeof(_, st), JCTbottom -> Some st
      | JCTtag st1, JCTtag st2
      | JCTtypeof(_, st1), JCTtag st2
      | JCTtag st1, JCTtypeof(_, st2)
      | JCTtypeof(_, st1), JCTtypeof(_, st2) ->
          if st1.jc_struct_info_hroot != st2.jc_struct_info_hroot then
            typing_error e#pos "the hierarchy %s and %s are different"
              (root_name st1)
              (root_name st2)
          else
            Some st1.jc_struct_info_hroot
  in
  let ta = match e#node with
    | JCNElabel(l, e) ->
        let te = fa e in
        lab := l;
        te#node
    | JCNEbinary(e1, (`Bland | `Blor | `Bimplies | `Biff as op), e2) ->
        let a1 = fa e1 and a2 = fa e2 in
        begin match op with
          | `Bland -> (make_and a1 a2)#node
          | `Blor -> (make_or a1 a2)#node
          | `Bimplies -> JCAimplies(a1, a2)
          | `Biff -> JCAiff(a1, a2)
        end
    | JCNEbinary(e1, (#comparison_op as op), e2) ->
        make_rel_bin_op e#pos op (ft e1) (ft e2)
    | JCNEunary(`Unot, e1) ->
        JCAnot(fa e1)
    | JCNEapp (id, labs, args) ->
        begin try
          let pi = find_logic_info id in
          let subst = Jc_type_var.instance pi.jc_logic_info_poly_args in
          let tl = try
            List.map2
              (fun vi e ->
                 let ty = subst vi.jc_var_info_type in
                 let te = ft e in
                 Jc_type_var.add uenv te#pos te#typ ty;
                 te)
              pi.jc_logic_info_parameters args
          with Invalid_argument _ ->
            typing_error e#pos "wrong number of arguments for %s" id
          in
	  let label_assoc =
		label_assoc e#pos id e#label pi.jc_logic_info_labels labs
	      in
          let app = {
            jc_app_fun = pi;
            jc_app_args = tl;
            jc_app_region_assoc = [];
            jc_app_label_assoc = label_assoc;
          } in
          JCAapp app
        with Not_found ->
          typing_error e#pos "unbound predicate identifier %s" id
        end
    | JCNEinstanceof(e1, t) ->
        JCAinstanceof(ft e1, label (), find_struct_info e#pos t)
    | JCNEcast _ -> assert false (* TODO *)
    | JCNEif(e1,e2,e3) ->
        let te1 = ft e1 and te2 = fa e2 and te3 = fa e3 in
        Jc_type_var.add uenv e1#pos te1#typ (JCTnative Tboolean);
        JCAif(te1,te2,te3)
    | JCNElet(ty,id,Some e1,e2) ->
	let te1 = ft e1 in
	let ty1 =
	  match ty with
	    | None -> te1#typ
	    | Some ty ->
		let ty = type_type ty in
		if comparable_types ty te1#typ then ty
		else not_the_good_type e1#pos te1#typ
		  "type not compatible with declared type"
	in
        let vi = var ty1 id in
        let env = (id, vi) :: env in
	let te2 = assertion env e2 in
	JCAlet(vi,te1,te2)
    | JCNElet(_ty,_id,None,_e2) ->
	assert false (* TODO *)
    | JCNEmatch(arg, pel) ->
        let targ = ft arg in
        let tpal = List.map
          (fun (pat, body) ->
             let vars, tpat = pattern pat targ#typ in
             let tbody = assertion (vars @ env) body in
             tpat, tbody)
          pel
        in
        JCAmatch(targ, tpal)
    | JCNEquantifier(q, ty, idl, trigs, e1) ->
        let ty = type_type ty in
        (make_quantifier q e#pos ty idl env trigs e1)#node
    | JCNEold e1 ->
        JCAold(fa e1)
    | JCNEat(e1, lab) ->
        JCAat(fa e1, lab)
    | JCNEmutable(e, t) ->
        let te = ft e in
        let te_st = match te#typ with
          | JCTpointer(JCtag(st, _), _, _) -> st
          | _ -> not_the_good_type e#pos te#typ "tag pointer expression expected"
        in
        let tt = tag env (root_name te_st) t in
        JCAmutable(te, te_st, tt)
    | JCNEeqtype(tag1, tag2) ->
        let ttag1 = tag env "" tag1 in
        let ttag2 = tag env "" tag2 in
	let st = struct_for_tags ttag1 ttag2 in
        JCAeqtype(ttag1, ttag2, st)
    | JCNEsubtype(tag1, tag2) ->
        let ttag1 = tag env "" tag1 in
        let ttag2 = tag env "" tag2 in
	let st = struct_for_tags ttag1 ttag2 in
        JCAsubtype(ttag1, ttag2, st)
    (* Boolean terms: *)
    | JCNEconst _ | JCNEvar _ | JCNEderef _ ->
        let t = ft e in
        begin match t#typ with
          | JCTnative Tboolean -> JCAbool_term t
          | _ -> typing_error e#pos "non boolean expression"
        end
    | JCNEfresh e1 -> 
        let te1 = ft e1 in
        if is_pointer_type te1#typ then JCAfresh(te1)
	else
          not_the_good_type te1#pos te1#typ "pointer expected"
    (* Not assertions: *)
    | JCNEoffset _ | JCNEaddress _ | JCNEbase_block _
    | JCNErange _ | JCNEassign _ | JCNEalloc _ | JCNEfree _
    | JCNEassert _ | JCNEblock _ | JCNEloop _ | JCNEreturn _ | JCNEtry _
    | JCNEthrow _ | JCNEpack _ | JCNEunpack _ | JCNEbinary _ | JCNEunary _
    | JCNEcontract _ ->
        typing_error e#pos "construction not allowed in logic assertions"
  in
  new assertion
    ~mark: !lab
    ?label: e#label
    ~pos: e#pos
    ta

and make_quantifier q loc ty idl env trigs e : assertion =
  match idl with
    | [] -> assertion env e (*Here the triggers disappear if idl start empty*)
    | id :: r ->
        let vi = var ty id#name in
        let env = ((id#name, vi) :: env) in
        let trigs_id,trigs_r =
          match r with
            | [] -> (*id is the last variable,
                      the trigger should stay here*)
                triggers env trigs,[]
            | _ -> [],trigs in
        let f =
          JCAquantifier (q, vi, trigs_id, make_quantifier q loc ty r env trigs_r e)
        in
        new assertion ~pos:loc f

and triggers env l =
  let pat e =
    match e#node with
    | JCNEapp (id,_,_) ->
        let pi = find_logic_info id in
        (match pi.jc_logic_info_result_type with
          | None ->   JCAPatP (assertion env e)
          | Some _ -> JCAPatT (term env e))
    | _ ->  typing_error e#pos "IllformedPattern" in
  List.map (List.map pat) l

(******************************************************************************)
(*                                Expressions                                 *)
(******************************************************************************)

let loop_annot =
  let cnt = ref 0 in
  fun ~behaviors ~free_invariant ~variant ->
    incr cnt;
    {
      jc_loop_tag = !cnt;
      jc_loop_behaviors = behaviors;
      jc_free_loop_invariant = free_invariant;
      jc_loop_variant = variant;
    }

let rec location_set env e =
  let ty,r,locs_node = match e#node with
    | JCNElabel(_l,_e) ->
        assert false (* TODO *)
    | JCNEvar id ->
        let vi =
          try List.assoc id env with Not_found ->
            try Hashtbl.find variables_env id with Not_found ->
              typing_error e#pos "unbound identifier %s" id
        in
        begin match vi.jc_var_info_type with
          | JCTpointer _ ->
              vi.jc_var_info_type, vi.jc_var_info_region, JCLSvar vi
          | _ -> assert false
        end
    | JCNEbinary(e, `Badd, i) ->
	begin try
          let ty,tr,te = location_set env e in
	  let ti = term env i in
          begin match ty, ti#typ with
            | JCTpointer(_st,_,_), t2 when is_integer t2 ->
                begin match ti#node with
                  | JCTrange(t1,t2) -> ty,tr,JCLSrange(te,t1,t2)
                  | _ -> ty,tr,JCLSrange(te,Some ti,Some ti)
		      (* TODO ?
			 | _ -> ty,tr,JCLSshift(te,ti)
		      *)
                end
            | JCTpointer _, _ ->
                typing_error i#pos "integer expected, %a found"
                  print_type ti#typ
            | _ ->
                typing_error e#pos "pointer expected"
          end
	with Typing_error _ ->
          let t1 = term env e in
          let ty, tr, te = t1#typ, t1#region, t1 in
	  let ti = term env i in
          begin match ty, ti#typ with
            | JCTpointer(_st,_,_), t2 when is_integer t2 ->
                begin match ti#node with
                  | JCTrange(t1,t2) -> ty,tr,JCLSrange_term(te,t1,t2)
                  | _ -> ty,tr,JCLSrange_term(te,Some ti,Some ti)
		      (* TODO ?
			 | _ -> ty,tr,JCLSshift(te,ti)
		      *)
                end
            | JCTpointer _, _ ->
                typing_error i#pos "integer expected, %a found"
                  print_type ti#typ
            | _ ->
                typing_error e#pos "pointer expected"
          end
	end
    | JCNEbinary _ ->
        assert false
    | JCNEderef(ls, f) ->
        let t,tr,tls = location_set env ls in
        let fi = find_field e#pos t f false in
        let fr = Region.make_field tr fi in
        fi.jc_field_info_type, fr, JCLSderef(tls, get_label e, fi, fr)
    | JCNEat(ls, lab) ->
	let t,tr,tls = location_set env ls in
	t,tr,JCLSat(tls,lab)
    | JCNEfresh _ 
    | JCNErange _ | JCNEeqtype _ | JCNEmutable _ | JCNEold _
    | JCNEquantifier _ | JCNEmatch _ | JCNEunpack _ | JCNEpack _ | JCNEthrow _
    | JCNEtry _ |JCNEreturn _ | JCNEloop _ |JCNEblock _ | JCNEassert _
    | JCNElet _ |JCNEfree _ | JCNEalloc _ | JCNEoffset _ | JCNEaddress _
    | JCNEif _ | JCNEcast _ | JCNEbase_block _
    | JCNEinstanceof _ | JCNEassign _ | JCNEapp _ | JCNEunary _
    | JCNEconst _ | JCNEcontract _ | JCNEsubtype _ ->
        typing_error e#pos "invalid memory location"
  in
  let locs =
    new location_set
      ~pos: e#pos
      ~typ:ty
      ~region:r
      ?label: e#label
      locs_node
  in ty,r,locs

let rec location env e =
  let ty,r,loc_node = match e#node with
    | JCNElabel(_l, _e) ->
        assert false (* TODO *)
    | JCNEvar id ->
        let vi =
          try List.assoc id env with Not_found ->
            try Hashtbl.find variables_env id with Not_found ->
              typing_error e#pos "unbound identifier %s" id
        in
        vi.jc_var_info_type, vi.jc_var_info_region, JCLvar vi
    | JCNEderef(ls, f) ->
(*
	begin try
*)
          let t, tr, tls = location_set env ls in
          let fi = find_field e#pos t f false in
          let fr = Region.make_field tr fi in
          fi.jc_field_info_type, fr, JCLderef(tls, get_label e, fi, fr)
(*
	with Typing_error _ ->
          let t1 = term env ls in
          let fi = find_field e#pos t1#typ f false in
          let fr = Region.make_field t1#region fi in
          fi.jc_field_info_type, fr, JCLderef_term(t1, fi)
	end
*)
    | JCNEat(e, lab) ->
        let t, tr, tl = location env e in
        t, tr, JCLat(tl, lab)
    | JCNErange _ | JCNEeqtype _ | JCNEmutable _ | JCNEold _
    | JCNEquantifier _ | JCNEmatch _ | JCNEunpack _ | JCNEpack _ | JCNEthrow _
    | JCNEtry _ | JCNEreturn _ | JCNEloop _ | JCNEblock _ | JCNEassert _
    | JCNElet _ | JCNEfree _ | JCNEalloc _ | JCNEoffset _ | JCNEaddress _
    | JCNEif _ | JCNEcast _ | JCNEbase_block _
    | JCNEinstanceof _ | JCNEassign _ | JCNEapp _ | JCNEunary _ | JCNEbinary _
    | JCNEconst _ | JCNEcontract _ | JCNEsubtype _ | JCNEfresh _ ->
        typing_error e#pos "invalid memory location"
  in
  let loc =
    new location
      ~pos: e#pos
      ~typ:ty
      ~region:r
      ?label: e#label
      loc_node
  in ty,r,loc

let behavior env vi_result (loc, id, throws, assumes, _requires, assigns, allocates, ensures) =
  let throws,env_result =
    match throws with
      | None -> None, (vi_result.jc_var_info_name,vi_result)::env
      | Some id ->
          try
            let ei =
              StringHashtblIter.find exceptions_table id#name
            in
            let tei = match ei.jc_exception_info_type with
              | Some tei -> tei
              | None -> typing_error id#pos
                  "exception without value"
            in
            let vi = var tei "\\result" in
            vi.jc_var_info_final_name <- "result";
            Some ei, (vi.jc_var_info_name,vi)::env
          with Not_found ->
            typing_error id#pos
              "undeclared exception %s" id#name
  in
  let assumes = Option_misc.map (assertion env) assumes in
  (*
    let requires = Option_misc.map (assertion (Some "Here") env) requires in
  *)
  let assigns =
    Option_misc.map
      (fun (loc, l) ->
         (loc, List.map
            (fun a -> let _,_,tl = location env_result a in
             (match tl#node with
                | JCLvar vi -> vi.jc_var_info_assigned <- true
                | _ -> ());
             tl)
            l))
      assigns
  in
  let allocates =
    Option_misc.map
      (fun (loc, l) ->
         (loc, List.map
            (fun a -> let _,_,tl = location env_result a in
             (match tl#node with
                | JCLvar vi -> vi.jc_var_info_assigned <- true
                | _ -> ());
             tl)
            l))
      allocates
  in
  let b = {
    jc_behavior_throws = throws;
    jc_behavior_assumes = assumes;
    (*
      jc_behavior_requires = requires;
    *)
    jc_behavior_assigns = assigns;
    jc_behavior_allocates = allocates;
    jc_behavior_ensures = assertion env_result ensures;
    jc_behavior_free_ensures = Assertion.mktrue () }
  in
  (*
    eprintf "lab,loc for ensures: \"%s\", %a@."
    b.jc_behavior_ensures.jc_assertion_label
    Loc.gen_report_position b.jc_behavior_ensures.jc_assertion_loc;
  *)
  (loc,id,b)


let loopbehavior env (names,inv,ass) =
  (names,Option_misc.map (assertion env) inv,
     Option_misc.map
       (fun (_p,locs) ->
	  List.map
	    (fun l ->
	       let _,_,tl = location env l in tl) locs) ass)

let make_unary_op loc (op : Jc_ast.unary_op) e2 =
  let t2 = e2#typ in
  match op with
(*    | `Uprefix_inc | `Upostfix_inc | `Uprefix_dec | `Upostfix_dec (*as op*) ->
        begin
          let t = if is_pointer_type t2 then t2 else
            JCTnative (lub_numeric_types t2 t2) in
          match e2#node with
            | JCEvar v ->
                v.jc_var_info_assigned <- true;
                t, v.jc_var_info_region,
                assert false (* JCEincr_local(incr_op op, v) *)
            | JCEderef(e,f) ->
                t, e2#region,
                assert false (* JCEincr_heap(incr_op op, e, f) *)
            | _ -> typing_error e2#pos "not an lvalue"
        end*)
    | `Unot as op ->
        let t=
          match t2 with
            | JCTnative t2 ->
                begin
                  match t2 with
                    | Tboolean -> Tboolean
                    | _ -> assert false (* TODO *)
                end
            | _ ->
                typing_error loc "boolean expected"
        in (JCTnative t,dummy_region,
            JCEunary(unary_op (operator_of_native t) op, e2))
    | `Uminus ->
        if is_numeric t2 || is_gen_float t2 then
          let t = lub_numeric_types t2 t2 in
          (JCTnative t,dummy_region,
           JCEunary(unary_op (operator_of_native t) op, e2))
        else
          typing_error loc "numeric type expected"
    | `Ubw_not ->
        if is_numeric t2 then
          let t = lub_numeric_types t2 t2 in
          (JCTnative t,dummy_region,
           JCEunary(unary_op (operator_of_native t) op, e2))
        else
          typing_error loc "numeric type expected"

let coerce t1 t2 e =
  let tn1 =
    match t1 with
      | JCTenum _ri -> Tinteger
      | JCTnative t -> t
      | _ -> assert false
  in
  match tn1, t2 with
    | Tinteger,Treal ->
	begin
	  match e#node with
	    | JCEconst (JCCinteger n) ->
		new expr
		  ~typ:real_type
		  ~region:e#region
		  ~pos:e#pos
		  (JCEconst(JCCreal (n^".0")))
	    | _ ->
		new expr
		  ~typ: real_type
		  ~pos: e#pos
		  (JCEapp{
		     jc_call_fun = JClogic_fun real_of_integer;
		     jc_call_args = [e];
		     jc_call_region_assoc = [];
		     jc_call_label_assoc = [];
		   })
	end
    | _ -> e

let make_bin_op loc (op: operational_op) e1 e2 =
  let t1 = e1#typ and t2 = e2#typ in
  match op with
    | `Bgt | `Blt | `Bge | `Ble ->
        if is_numeric t1 && is_numeric t2
	  || is_gen_float t1 && is_gen_float t2
	then
          let t = lub_numeric_types t1 t2 in
          (boolean_type, dummy_region,
           JCEbinary(coerce t1 t e1,
                     bin_op (operator_of_native t) op,
                     coerce t2 t e2))
        else
          typing_error loc "numeric types expected for <, >, <= and >="
    | `Beq | `Bneq as op ->
        if is_numeric t1 && is_numeric t2
	  || is_gen_float t1 && is_gen_float t2
	then
          let t = lub_numeric_types t1 t2 in
          (boolean_type, dummy_region,
           JCEbinary(coerce t1 t e1,
                     bin_op (operator_of_native t) op,
                     coerce t2 t e2))
        else
          if t1 = boolean_type && t2 = boolean_type then
            (boolean_type, dummy_region, JCEbinary (e1, bin_op `Boolean op, e2))
          else
            if is_pointer_type t1 && is_pointer_type t2 &&
              comparable_types t1 t2 then
                (boolean_type, dummy_region,
                 JCEbinary(e1, bin_op `Pointer op, e2))
            else
              typing_error loc
                "numeric, boolean or pointer types expected for == and !="
    | `Badd as op  ->
        if is_pointer_type t1 && is_integer t2 then
          t1, e1#region, JCEshift(e1, coerce t2 Tinteger e2)
        else if is_numeric t1 && is_numeric t2
	  || is_gen_float t1 && is_gen_float t2
	then
          let t = lub_numeric_types t1 t2 in
          (JCTnative t,
           dummy_region,
           JCEbinary(coerce t1 t e1,
                     bin_op (operator_of_native t) op,
                     coerce t2 t e2))
        else
          typing_error loc "unexpected types for +"
    | `Bsub as op  ->
        if is_pointer_type t1 && is_integer t2 then
          let _,_,te = make_unary_op loc `Uminus e2 in
          let e2 = new expr_with ~node:te e2 in
          t1, e1#region, JCEshift(e1, coerce t2 Tinteger e2)
        else if
          is_pointer_type t1 && is_pointer_type t2
          && comparable_types t1 t2
        then
          (integer_type, dummy_region,
           JCEbinary(e1, bin_op `Pointer `Bsub, e2))
        else if is_numeric t1 && is_numeric t2
	  || is_gen_float t1 && is_gen_float t2
	then
          let t = lub_numeric_types t1 t2 in
          (JCTnative t, dummy_region,
           JCEbinary(coerce t1 t e1,
                     bin_op (operator_of_native t) op,
                     coerce t2 t e2))
	else
          typing_error loc "unexpected types for -"
    | `Bmul | `Bdiv | `Bmod ->
        if is_numeric t1 && is_numeric t2
	  || is_gen_float t1 && is_gen_float t2
	then
          let t = lub_numeric_types t1 t2 in
          (JCTnative t,dummy_region,
           JCEbinary(coerce t1 t e1,
                     bin_op (operator_of_native t) op,
                     coerce t2 t e2))
        else
	  typing_error loc "numeric types expected for multiplicative operators"
    | `Bbw_and | `Bbw_or | `Bbw_xor ->
        if is_numeric t1 && is_numeric t2 then
          let t = lub_numeric_types t1 t2 in
          (JCTnative t,dummy_region,
           JCEbinary(coerce t1 t e1,
                     bin_op (operator_of_native t) op,
                     coerce t2 t e2))
        else if is_boolean t1 && is_boolean t2 then
          (boolean_type, dummy_region,
           JCEbinary(e1,
                     bin_op (operator_of_native Tboolean) op,
                     e2))
        else
	  typing_error loc "numeric types expected for bitwise operators"
    | `Blogical_shift_right | `Barith_shift_right | `Bshift_left as op  ->
        if is_numeric t1 && is_numeric t2 then
          let t = lub_numeric_types t1 t2 in
          (JCTnative t,dummy_region,
           JCEbinary(coerce t1 t e1,
                     bin_op (operator_of_native t) op,
                     coerce t2 t e2))
        else
	  typing_error loc "numeric types expected for shift operators"
    | `Bland | `Blor as op ->
        let t = match (t1, t2) with
          | JCTnative t1, JCTnative t2 ->
              begin match (t1, t2) with
                | Tboolean, Tboolean -> Tboolean
                | _ -> assert false (* TODO *)
              end
          | _ -> typing_error loc "booleans expected"
        in
        (JCTnative t,
         dummy_region,
         JCEbinary(e1, bin_op (operator_of_native t) op, e2))
    | `Bconcat -> assert false (* TODO *)


let reset_return_label, set_return_label, get_return_label =
  let has_label = ref false in
  (fun () -> has_label := false),
  (fun () -> has_label := true),
  (fun () -> !has_label)

let rec expr env e =
  let fe = expr env in
  let ft = term env in
  let lab = ref "" in
  let ty, region, typed_e = match e#node with
    (* old expressions *)
    | JCNEconst c ->
        let t, tr, tc = const c in t, tr, JCEconst tc
    | JCNElabel(l, e1) ->
        let te1 = fe e1 in
        lab := l;
        te1#typ, te1#region, te1#node
    | JCNEvar id ->
	begin try
          let vi =
            try List.assoc id env
	    with Not_found -> Hashtbl.find variables_env id
          in vi.jc_var_info_type, vi.jc_var_info_region, JCEvar vi
	with Not_found ->
          let pi =
	    try Hashtbl.find logic_functions_env id with Not_found ->
              typing_error e#pos "unbound identifier %s" id
	  in
          let app = {
            jc_call_fun = JClogic_fun pi;
            jc_call_args = [];
            jc_call_region_assoc = [];
            jc_call_label_assoc = [];
          } in
	  let ty =
	    match pi.jc_logic_info_result_type with
	      | Some r -> r
	      | None -> assert false (* check it is a function *)
	  in
	  ty, Region.make_var ty pi.jc_logic_info_name, JCEapp app
	end

    | JCNEderef(e1, f) ->
        let te1 = fe e1 in
        let fi = find_field e#pos te1#typ f false in
        fi.jc_field_info_type,
        Region.make_field te1#region fi,
        JCEderef(te1, fi)
    | JCNEbinary(e1, (#logical_op as op), e2) ->
        let te1 = fe e1 and te2 = fe e2 in
	(* boolean_type, dummy_region,  *)
	  begin match op with
	  | `Bland ->
	      (*
              JCEif(
                te1,
                te2,
                new expr ~typ:boolean_type (JCEconst(JCCboolean false))
              )
	      *)
	      make_bin_op e#pos `Bland te1 te2
          | `Blor ->
              (*
		JCEif(
                te1,
                new expr ~typ:boolean_type (JCEconst(JCCboolean true)),
                te2
              )
	      *)
	      make_bin_op e#pos `Blor te1 te2
	  | `Bimplies | `Biff ->
	      typing_error e#pos "unexpected operator in expression"
	end
    | JCNEbinary(e1, (#operational_op as op), e2) ->
        make_bin_op e#pos op (fe e1) (fe e2)
    | JCNEunary(op, e1) ->
        make_unary_op e#pos op (fe e1)
    | JCNEapp(id, labs, args) ->
        begin try
          let fi = find_fun_info id in
          assert (labs = []);
          let tl = try
            List.map2
              (fun (_valid,vi) e ->
                 let ty = vi.jc_var_info_type in
                 let te = fe e in
                 if subtype te#typ ty then te
                 else
                   typing_error e#pos "type %a expected instead of %a"
                     print_type ty print_type te#typ)
              fi.jc_fun_info_parameters args
          with Invalid_argument _ ->
            typing_error e#pos "wrong number of arguments for %s" id
          in
          let ty = fi.jc_fun_info_result.jc_var_info_type in
          ty,
          Region.make_var ty fi.jc_fun_info_name,
          JCEapp {
            jc_call_fun = JCfun fi;
            jc_call_args = tl;
            jc_call_region_assoc = [];
            jc_call_label_assoc = [];
          }
        with Not_found -> try
(* Yannick: no need for different rule for const logic *)
(*           if List.length args = 0 then *)
(*             let vi = Hashtbl.find logic_constants_env id in *)
(*             vi.jc_var_info_type, vi.jc_var_info_region, JCEvar vi *)
(*           else *)
	  begin
            let pi = find_logic_info id in
            let tl =
              try
                List.map2
                  (fun vi e ->
                     let ty = vi.jc_var_info_type in
                     let te = fe e in
                     if subtype_strict te#typ ty then te
                     else
                       typing_error e#pos
                         "type %a expected instead of %a"
                         print_type ty print_type te#typ)
                  pi.jc_logic_info_parameters args
              with  Invalid_argument _ ->
                typing_error e#pos
                  "wrong number of arguments for %s" id
            in
            let ty = match pi.jc_logic_info_result_type with
              | None ->
                  typing_error e#pos
                    "the logic info %s is a predicate; it should be \
used as an assertion, not as a term" pi.jc_logic_info_name
              | Some ty -> ty
            in
            let label_assoc =
              match e#label, pi.jc_logic_info_labels, labs with
                | Some l, [lf], [] -> [lf,l]
                | _ ->
                    try
                      List.map2
                        (fun l1 l2 -> (l1,l2))
                        pi.jc_logic_info_labels labs
                    with Invalid_argument _ ->
                      typing_error e#pos
                        "wrong number of labels for %s" id
            in
            let app = {
              jc_call_fun = JClogic_fun pi;
              jc_call_args = tl;
              jc_call_region_assoc = [];
              jc_call_label_assoc = label_assoc;
            } in
            ty, Region.make_var ty pi.jc_logic_info_name, JCEapp app
          end
        with Not_found ->
          typing_error e#pos "unbound function or logic function identifier %s" id
        end
    | JCNEassign(e1, e2) ->
        let te1 = fe e1 and te2 = fe e2 in
        let t1 = te1#typ and t2 = te2#typ in
	let te2 =
          if subtype t2 t1 then
	    match t2 with
	      | JCTnull -> new expr_with ~typ:t1 te2
	      | _ -> te2
	  else
	    (* particular case for floats: implicit cast *)
	    begin
	      match (t1,t2) with
		| JCTnative (Tgenfloat f1), JCTnative (Tgenfloat f2) ->
		    begin
		      match (f2,f1) with
			| `Binary80,`Binary80 -> te2
			| `Double,`Double -> te2
			| `Float,`Float -> te2
			| _ ->
			    new expr ~typ:t1 ~pos:te2#pos
			      (JCEreal_cast(te2, Round(f1,Round_nearest_even)))
		    end
		| _ ->
		    typing_error e2#pos
		      "type '%a' expected in assignment instead of '%a'"
		      print_type t1 print_type t2
	    end
	in
          begin
	    match te1#node with
              | JCEvar v ->
                  v.jc_var_info_assigned <- true;
                  t1, te2#region, JCEassign_var(v, te2)
              | JCEderef(e, f) ->
                  t1, te2#region, JCEassign_heap(e, f, te2)
              | _ -> typing_error e1#pos "not an lvalue"
	  end
    | JCNEinstanceof(e1, t) ->
        let te1 = fe e1 in
        let st = find_struct_info e#pos t in
        boolean_type, dummy_region, JCEinstanceof(te1, st)
    | JCNEcast(e1, t) ->
       let te1 = fe e1 in
	let ty = type_type t in
	begin match ty with
	  | JCTnative Tinteger ->
	      (* if is_real te1#typ then
		integer_type, te1#region, JCEreal_cast(te1,Real_to_integer)
	      else*) if is_integer te1#typ then
		integer_type, te1#region, te1#node
	      else
		typing_error e#pos "bad cast to integer"
	  | JCTnative Treal ->
	      if is_integer te1#typ then
		real_type, te1#region, JCEreal_cast(te1,Integer_to_real)
	      else if is_real te1#typ then
		real_type, te1#region, te1#node
	      else if is_double te1#typ then
		real_type, te1#region, JCEreal_cast(te1,Double_to_real)
	      else if is_float te1#typ then
		real_type, te1#region, JCEreal_cast(te1,Float_to_real)
	      else
		typing_error e#pos "bad cast to real"
	  | JCTnative (Tgenfloat f) ->
	       if is_real te1#typ || is_integer te1#typ then
                JCTnative (Tgenfloat f), te1#region, JCEreal_cast(te1, Round (f,Round_nearest_even))
	       else
		 begin
		   match te1#typ with
		     | JCTnative (Tgenfloat f1) ->
			 let e =
			   match (f1,f) with
			     | `Binary80,`Binary80 -> te1#node
			     | `Double,`Double -> te1#node
			     | `Float,`Float -> te1#node
			     | _ ->
				 JCEreal_cast(te1, Round(f,Round_nearest_even))
			 in
			   JCTnative (Tgenfloat f), te1#region, e
		     | _ -> typing_error e#pos "bad cast to floating-point number"
		 end
(*
	  | JCTnative Tdouble ->
              if is_real te1#typ || is_integer te1#typ then
                double_type, te1#region, JCEreal_cast(te1,Round_double Round_nearest_even)
              else if is_float te1#typ then
                double_type, te1#region, te1#node
	      else
		typing_error e#pos "bad cast to double"
	  | JCTnative Tfloat ->
              if is_real te1#typ || is_double te1#typ || is_integer te1#typ then
                float_type, te1#region, JCEreal_cast(te1,Round_float Round_nearest_even)
	      else
		typing_error e#pos "bad cast to float"
*)
	  | JCTnative _ -> assert false (* TODO *)
	  | JCTenum ri ->
	      if is_integer te1#typ then
		JCTenum ri, dummy_region, JCErange_cast(te1, ri)
	      else
		(* CM je ne comprends pas ce cast de real vers enum
		   if is_real te1#typ then
		let cast = NExpr.mkcast ~expr:e1 ~typ:integer_type () in
		let t = ft cast in
		  JCTenum ri, te1#region, JCErange_cast(t, ri)
	      else
		*)
		typing_error e#pos "integer type expected"
	  | JCTpointer(JCtag(st,_),_,_) ->
	      begin match te1#typ with
		| JCTpointer(st1, a, b) ->
		    if superstruct st st1 then
		      (te1#typ,
		       te1#region,
		       te1#node)
		    else if substruct st st1 then
		      (JCTpointer(JCtag(st, []), a, b),
		       te1#region,
		       JCEcast(te1, st))
		    else if same_hierarchy (JCtag(st, [])) st1 then
		      typing_error e#pos "invalid cast"
		    else
		      (* bitwise cast *)
		      (Region.make_bitwise te1#region;
		       JCTpointer(JCtag(st, []), a, b),
		       te1#region,
		       JCEbitwise_cast(te1, st))
		| JCTnull ->
		    (* bitwise cast *)
		    (Region.make_bitwise te1#region;
		     JCTpointer(JCtag(st,[]),None,None),
		     te1#region,
		     JCEbitwise_cast(te1, st))
		| JCTnative _ | JCTlogic _ | JCTenum _ | JCTany
		| JCTtype_var _ ->
		    typing_error e#pos "only structures can be cast"
	      end
	  | JCTpointer (JCroot _, _, _)  -> assert false (* TODO *)
	  | JCTtype_var _|JCTlogic _|JCTany|JCTnull -> assert false (* TODO *)
	end
    | JCNEif(e1,e2,e3) ->
        let te1 = fe e1 and te2 = fe e2 and te3 = fe e3 in
        begin match te1#typ with
          | JCTnative Tboolean ->
	      let te2,te3 =
		if same_type_no_coercion te2#typ te3#typ then
		  te2,te3
		else
		  unit_expr te2, unit_expr te3
	      in
              let t = mintype e#pos
                te2#typ
                te3#typ
              in
              t, te2#region, JCEif(te1, te2, te3)
          | _ -> typing_error e1#pos "boolean expression expected"
        end
    | JCNEoffset(k, e1) ->
        let te1 = fe e1 in
        begin match te1#typ with
          | JCTpointer(JCtag(st, _), _, _) ->
              integer_type, dummy_region, JCEoffset(k, te1, st)
          | JCTpointer(JCroot _, _, _) ->
              assert false (* TODO *)
          | _ -> typing_error e#pos "pointer expected"
        end
    | JCNEaddress(Addr_absolute,e1) ->
        let te1 = fe e1 in
	if is_integer  te1#typ then
          JCTnull, dummy_region, JCEaddress(Addr_absolute,te1)
	else
	  typing_error e#pos "integer expected"
    | JCNEaddress(Addr_pointer,e1) ->
        let te1 = fe e1 in
        begin match te1#typ with
          | JCTpointer(JCtag(_st, _), _, _) ->
              integer_type, dummy_region, JCEaddress(Addr_pointer,te1)
          | JCTpointer(JCroot _, _, _) ->
              assert false (* TODO *)
          | _ -> typing_error e#pos "pointer expected"
        end
    | JCNEbase_block(e1) ->
        let te1 = fe e1 in
	if is_pointer_type te1#typ then
          JCTnull, dummy_region, JCEbase_block(te1)
	else
	  typing_error e#pos "pointer expected"
    | JCNEalloc(e1, t) ->
        let st = find_struct_info e#pos t in
        let ty = JCTpointer(JCtag(st, []), Some zero, None) in
        ty, Region.make_var ty "alloc", JCEalloc (fe e1, st)
    | JCNEfree e1 ->
        unit_type, dummy_region, JCEfree (fe e1)
    | JCNElet(tyo, id, e1o, e2) ->
        let ty, te1o = match tyo, e1o with
          | None, None ->
              typing_error e#pos "let with no initial value must have a type"
          | Some ty, None ->
              type_type ty, None
          | None, Some e1 ->
              let te1 = fe e1 in
              te1#typ, Some te1
          | Some ty, Some e1 ->
              let te1 = fe e1 in
              let tty = type_type ty in
              if subtype te1#typ tty then
                tty, Some te1
              else
                typing_error e#pos
                  "inferred type is not a subtype of declared type"
        in
        let vi = var ty id in
        let te2 = expr ((id, vi)::env) e2 in
        te2#typ,
        te2#region,
        JCElet(vi, te1o, te2)
    (* old statements *)
    | JCNEassert(behav,asrt,e1) ->
        unit_type, dummy_region, JCEassert(behav,asrt,assertion env e1)
    | JCNEcontract(req,dec,behs,e) ->
	let requires = Option_misc.map (assertion env) req in
	let decreases = Option_misc.map (fun (t,rel) -> term env t,rel) dec in
	let e = expr env e in
	let vi_result = var (e#typ) "\\result" in
	let behs = List.map (behavior env vi_result) behs in
	e#typ,e#region,JCEcontract(requires,decreases,vi_result,behs,e)
    | JCNEblock el ->
        (* No warning when a value is ignored. *)
        let tel = List.map fe el in
        begin match List.rev tel with
          | [] ->
              unit_type, dummy_region, JCEconst JCCvoid
          | last::but_last ->
	      let but_last = List.map unit_expr but_last in
              last#typ, last#region, JCEblock(List.rev(last::but_last))
        end
    | JCNEloop(behs, vo, body) ->
        let behaviors = List.map (loopbehavior env) behs in
        let variant =
          Option_misc.map
            (fun (v,r) ->
               let r = Option_misc.map
                 (fun id -> find_logic_info id#name) r
               in
               (ft v,r))
            vo
        in
        (unit_type,
         dummy_region,
         JCEloop(
          loop_annot ~behaviors
            ~free_invariant:(Assertion.mktrue ())
            ~variant,
           fe body))
    | JCNEreturn None ->
        unit_type, dummy_region, JCEreturn_void
    | JCNEreturn(Some e1) ->
        let te1 = fe e1 in
        let vi = List.assoc "\\result" env in
        if subtype te1#typ vi.jc_var_info_type then
          (unit_type,
           te1#region,
           JCEreturn(vi.jc_var_info_type, te1))
        else
          typing_error e#pos "type `%a' expected in return instead of `%a'"
            print_type vi.jc_var_info_type print_type te1#typ
    | JCNEtry(body, catches, finally) ->
        let tbody = unit_expr (fe body) in
        let tfinally = unit_expr (fe finally) in
        let tcatches = List.map begin function (id, v, cbody) ->
	  if id#name = Jc_norm.return_label#name then set_return_label ();
          let ei = try
            StringHashtblIter.find exceptions_table id#name
          with Not_found ->
            typing_error id#pos "undeclared exception: %s" id#name
          in
          match ei.jc_exception_info_type with
            | Some tei ->
		let vi = var tei v in
		ei, Some vi, unit_expr (expr ((v, vi) :: env) cbody)
            | None -> ei, None, unit_expr (fe cbody)
        end catches in
          tbody#typ,
        tbody#region,
        JCEtry(tbody, tcatches, tfinally)
    | JCNEthrow(id, e1o) ->
        let ei = try
          StringHashtblIter.find exceptions_table id#name
        with Not_found ->
          typing_error id#pos "undeclared exception %s" id#name
        in
        let region, te1o = match e1o with
          | None -> dummy_region, None
          | Some e1 ->
              let te1 = fe e1 in
              let tei = match ei.jc_exception_info_type with
                | Some tei -> tei
                | None -> typing_error e#pos "this exception has no argument"
              in
              if subtype te1#typ tei then
                te1#region, Some te1
              else
                typing_error e#pos "type `%a' expected instead of `%a'"
                  print_type tei print_type te1#typ
        in
        Jc_pervasives.any_type, region, JCEthrow(ei, te1o)
    | JCNEpack(e1, t) ->
        let te1 = fe e1 in
        begin match te1#typ with
          | JCTpointer(JCtag(st, _), _, _) ->
              let as_t = match t with
                | Some t -> find_struct_info t#pos t#name
                | None -> st
              in
              unit_type, te1#region, JCEpack(st, te1, as_t)
          | _ -> typing_error e#pos "only structures can be packed"
        end
    | JCNEunpack(e1, t) ->
        let te1 = fe e1 in
        begin match te1#typ with
          | JCTpointer(JCtag(st, []), _, _) ->
              let from_t = match t with
                | Some t -> find_struct_info t#pos t#name
                | None ->
                    let rec res = {
                      jc_struct_info_params = [];
                      jc_struct_info_name = "bottom";
                      jc_struct_info_parent = None;
                      jc_struct_info_hroot = res;
                      jc_struct_info_fields = [];
                      jc_struct_info_root = None;
                    }
                    in res
              in
              unit_type, te1#region, JCEunpack(st, te1, from_t)
          | _ -> typing_error e#pos "only structures can be unpacked"
        end
    | JCNEmatch(arg, pel) ->
        let targ = fe arg in
        let rty, tpel = match pel with
          | [] -> assert false (* should not be allowed by the parser *)
          | (p1, e1)::rem ->
              (* type the first item *)
              let penv, tp1 = pattern p1 targ#typ in
              let te1 = expr (penv @ env) e1 in
              (* type the remaining items *)
              List.fold_left
                (fun (accrty, acctpel) (p, e2) ->
                   let penv, tp = pattern p targ#typ in
                   let te2 = expr (penv @ env) e2 in
                   mintype e#pos accrty te2#typ,
                   (tp, te2)::acctpel)
                (te1#typ, [tp1, te1])
                rem
        in
        rty, targ#region, JCEmatch(targ, List.rev tpel)
    (* logic only *)
    | JCNEquantifier _ | JCNEold _ | JCNEat _ | JCNEmutable _
    | JCNEeqtype _ | JCNErange _ | JCNEsubtype _ | JCNEfresh _ ->
        typing_error e#pos "construction not allowed in expressions"
  in
(*
  if !lab = "L2" then
    Format.eprintf "Jc_typing.expr: adding label L2@.";
*)
  new expr
    ~pos: e#pos
    ~typ: ty
    ~region: region
    ~mark: !lab
    typed_e

(*******************************************************************************)
(*                                  Declarations                               *)
(*******************************************************************************)



let default_label l =
  match l with
    | [l] -> Some l
    | _ -> None

(** Apply [type_labels] in all expressions of a normalized clause,
with the correct label environment. *)
let type_labels_in_clause = function
  | JCCrequires e | JCCdecreases(e,_) ->
      type_labels [LabelHere] ~result_label:None (Some LabelHere) e
  | JCCbehavior(_, _, _, assumes, requires, assigns, allocates, ensures) ->
      Option_misc.iter
	(type_labels [LabelHere] ~result_label:None (Some LabelHere)) assumes;
      Option_misc.iter
	(type_labels [LabelHere] ~result_label:None (Some LabelHere)) requires;
      Option_misc.iter
        (fun (_, x) ->
           List.iter
             (type_labels [LabelOld; LabelPre; LabelPost]
		~result_label:(Some LabelPost) (Some LabelOld)) x)
        assigns;
      Option_misc.iter
        (fun (_, x) ->
           List.iter
             (type_labels [LabelOld; LabelPre; LabelPost]
(* warning: allocates L: L evaluated in the post-state *)
		~result_label:(Some LabelHere) (Some LabelHere)) x)
        allocates;
      type_labels [LabelOld; LabelPre; LabelHere]
	~result_label:(Some LabelHere) (Some LabelHere) ensures

(** Apply [type_labels] in all expressions of a normalized declaration,
with the correct label environment. *)
let rec type_labels_in_decl d = match d#node with
  | JCDvar(_, _, init) ->
      Option_misc.iter (type_labels [] ~result_label:None None) init
  | JCDfun(_, _, _, clauses, body) ->
      Option_misc.iter
        (type_labels [LabelHere; LabelPre] ~result_label:None (Some LabelHere))
        body;
      List.iter type_labels_in_clause clauses
  | JCDtag(_, _, _, _, invs) ->
      List.iter
        (fun (_, _, e) ->
	   type_labels [LabelHere] ~result_label:None (Some LabelHere) e) invs
  | JCDlemma(_, _, _, labels, body) ->
(*
      let labels = match labels with [] -> [ LabelHere ] | _ -> labels in
*)
      type_labels labels ~result_label:None (default_label labels) body
  | JCDlogic(_, _, _, _labels, _, JCnone) -> ()
  | JCDlogic(_, _, _, labels, _, JCreads el) ->
(*
      let labels = match labels with [] -> [ LabelHere ] | _ -> labels in
*)
      List.iter
	(type_labels labels
	   ~result_label:(Some LabelPost) (default_label labels)) el
  | JCDlogic(_, _, _, labels, _, JCexpr e) ->
(*
      let labels = match labels with [] -> [ LabelHere ] | _ -> labels in
*)
      type_labels labels  ~result_label:None (default_label labels) e
  | JCDlogic(_, _, _, _labels, _, JCinductive l) ->
(*
      let _labels = match labels with [] -> [ LabelHere ] | _ -> labels in
*)
      List.iter (fun (_,labels,e) ->
		   type_labels labels
		     ~result_label:None (default_label labels) e) l
  | JCDglobal_inv(_, body) ->
      type_labels [LabelHere] ~result_label:None (Some LabelHere) body
  | JCDvariant_type _ | JCDunion_type _ | JCDenum_type _ | JCDlogic_type _
  | JCDexception _ | JCDinvariant_policy _ | JCDseparation_policy _
  | JCDannotation_policy _ | JCDabstract_domain _ | JCDint_model _
  | JCDtermination_policy _ | JCDlogic_var _ ->
      ()
  | JCDaxiomatic(_id,l) -> List.iter type_labels_in_decl l
  | JCDpragma_gen_sep _ | JCDpragma_gen_frame _ | JCDpragma_gen_sub _
  | JCDpragma_gen_same _ -> ()


(* <====== A partir d'ici, c'est pas encore fait *)



let clause env vi_result c acc =
  match c with
    | JCCrequires e ->
        { acc with
          jc_fun_requires =
            make_and (assertion env e) acc.jc_fun_requires; }
    | JCCdecreases(e,r) ->
	assert (acc.jc_fun_decreases = None);
	let pi = Option_misc.map
	  (fun id ->
             let pi =
	       try Hashtbl.find logic_functions_env id#name
	       with Not_found ->
		 typing_error e#pos "unbound ordering relation %s" id#name
	     in pi)
	  r
	in
        { acc with jc_fun_decreases = Some(term env e,pi) }

    | JCCbehavior b ->
	let (loc,id,b) = behavior env vi_result b in
	if id = "default" then
	  { acc with jc_fun_default_behavior = loc,id,b }
	else
          { acc with jc_fun_behavior = (loc,id,b)::acc.jc_fun_behavior }

let param (t,id) =
  let ty = type_type t in
  let vi = var ~formal:true ty id in
  (id,vi)

let fun_param (v,t,id) =
  let ty = type_type t in
  let vi = var ~formal:true ty id in
  (v,id,vi)

let assertion_true = new assertion JCAtrue

let field st root ((rep,abs), t, id, bitsize) =
  let ty = type_type t in
  incr field_tag_counter;
  let name = st.jc_struct_info_name ^ "_" ^ id in
  let fi = {
    jc_field_info_tag = !field_tag_counter;
    jc_field_info_name = id ;
    jc_field_info_final_name = Jc_envset.get_unique_name name;
    jc_field_info_type = ty;
    jc_field_info_hroot = root;
    jc_field_info_struct = st;
    jc_field_info_rep = rep || (not (is_pointer_type ty));
    jc_field_info_abstract = abs;
    jc_field_info_bitsize = bitsize;
  } in
  fi

let lemmas_table = StringHashtblIter.create 17
let global_invariants_table = IntHashtblIter.create 17

(*let add_typedecl d (id, parent) =
  let root,par =
    match parent with
      | None ->
          (None, None)
      | Some p ->
          let st = find_struct_info d.jc_pdecl_loc p in
          (Some st.jc_struct_info_hroot, Some st)
  in
  let struct_info, root =
    try
      let struct_info,_ = Hashtbl.find structs_table id in
      let root = match root with
        | Some x -> x
        | None -> struct_info
      in
      struct_info.jc_struct_info_hroot <- root;
      struct_info.jc_struct_info_parent <- par;
      struct_info, root
    with Not_found ->
      assert false (* cannot happen, thanks to the function decl_declare *)
(*      let rec struct_info =
        { jc_struct_info_name = id;
          jc_struct_info_fields = [];
          jc_struct_info_parent = par;
          jc_struct_info_hroot = struct_info;
          jc_struct_info_root = None;
        }
      in
      (* adding structure name in global environment before typing
         the fields, because of possible recursive definition *)
      Hashtbl.replace structs_table id (struct_info,[]);
      struct_info, struct_info*)
  in
  root, struct_info*)

let add_vardecl (ty,id) =
  let ty = type_type ty in
  let vi = var ~static:true ty id in
  Hashtbl.add variables_env id vi

let get_vardecl id =
  Hashtbl.find variables_env id

let get_fundecl id =
  let fi = Hashtbl.find functions_env id in
  let param_env =
    List.map
      (fun (_valid,v) -> (v.jc_var_info_name, v))
      fi.jc_fun_info_parameters
  in
  param_env, fi

let add_fundecl (ty,_loc,id,pl) =
  try
    let param_env,fi = get_fundecl id in
    Format.eprintf
      "FIXME: Warning: ignoring second declaration of function %s@." id;
    param_env, fi
  with Not_found ->
    let params = List.map fun_param pl in
    let param_env = List.map (fun (_,t,x) -> (t,x)) params in
    let ty = type_type ty in
    let fi = make_fun_info id ty in
    fi.jc_fun_info_parameters <- List.map (fun (v,_,x) -> (v,x)) params;
    Hashtbl.replace functions_env id fi;
    param_env, fi

let add_logic_fundecl (ty,id,poly_args,labels,pl) =
  try
    let pi = Hashtbl.find logic_functions_env id in
    let ty = pi.jc_logic_info_result_type in
    let param_env =
      List.map (fun v -> v.jc_var_info_name, v) pi.jc_logic_info_parameters
    in
    param_env, ty, pi
  with Not_found ->
    let poly_args = add_poly_args poly_args in
    let param_env = List.map param pl in
    let ty = Option_misc.map type_type ty in
    let pi = match ty with
      | None -> make_pred id
      | Some ty -> make_logic_fun id ty
    in
    pi.jc_logic_info_parameters <- List.map snd param_env;
    pi.jc_logic_info_poly_args <- poly_args;
    pi.jc_logic_info_labels <- labels;
    Hashtbl.replace logic_functions_env id pi;
    param_env, ty, pi


(* let add_logic_constdecl (ty, id) = *)
(*   try *)
(*     let vi = Hashtbl.find logic_constants_env id in *)
(*       vi.jc_var_info_type, vi  *)
(*   with Not_found -> *)
(*     let ty = type_type ty in *)
(*     let vi = var ~static:true ty id in *)
(*       Hashtbl.add logic_constants_env id vi; *)
(*       ty, vi *)

let type_range_of_term ty t =
  match ty with
    | JCTenum ri ->
        let mint =
          new term ~pos:t#pos ~typ:integer_type
            (JCTconst(JCCinteger (Num.string_of_num ri.jc_enum_info_min)))
        in
        let mina = new assertion (JCArelation(mint,(`Ble,`Integer),t)) in
        let maxt =
          new term ~pos:t#pos ~typ:integer_type
            (JCTconst(JCCinteger (Num.string_of_num ri.jc_enum_info_max)))
        in
        let maxa = new assertion (JCArelation(t,(`Ble,`Integer),maxt)) in
	new assertion (JCAand [ mina; maxa ])
    | JCTpointer (JCtag(st, _), _n1opt, n2opt) ->
(*      let instanceofcstr = new assertion (JCAinstanceof (t, st)) in *)
(*      let mincstr = match n1opt with
          | None -> true_assertion
          | Some n1 ->
              let mint =
                term_no_loc (JCToffset (Offset_min, t, st)) integer_type in
              let n1t =
                term_no_loc (JCTconst (JCCinteger (Num.string_of_num n1)))
                  integer_type
              in
              new assertion (JCArelation (mint, Beq_int, n1t))
        in *)
        let maxcstr = match n2opt with
          | None -> Assertion.mktrue ()
          | Some n2 ->
              let maxt =
                new term
                  ~pos: t#pos
                  ~typ: integer_type
                  (JCToffset (Offset_max, t, st))
              in
              let n2t =
                new term
                  ~pos: t#pos
                  ~typ: integer_type
                  (JCTconst (JCCinteger (Num.string_of_num n2)))
              in
              new assertion (JCArelation (maxt, (`Beq, `Integer), n2t))
        in
          maxcstr
(*        if is_root_struct st then *)
(*        Jc_pervasives.make_and [mincstr; maxcstr] *)
(*        else
          Jc_pervasives.make_and [instanceofcstr; mincstr; maxcstr] *)
    | JCTpointer (JCroot _vi, _, _) ->
        assert false (* TODO, but need to change JCToffset before *)
    | _ -> Assertion.mktrue ()

(* First pass: declare everything with no typing
 * (use dummy values that will be replaced by "decl")
 * (declare identifiers so that previous definitions can (possibly recursively)
 * use them) *)
(*let rec decl_declare d =
  match d.jc_pdecl_node with
    | JCPDtag(id, parent, fields, inv) ->
        (* declare structure name *)
        let rec struct_info = {
          jc_struct_info_name = id;
          jc_struct_info_fields = [];
          jc_struct_info_parent = None;
          jc_struct_info_hroot = struct_info;
          jc_struct_info_root = None;
        } in
        Hashtbl.add structs_table id (struct_info, []);
        (* declare mutable field (if needed) *)
        if parent = None && !Jc_common_options.inv_sem = InvOwnership then
          create_mutable_field struct_info;
        (* TODO: declare fields *)
        (* TODO: declare invariants *)
        Hashtbl.replace structs_table id (struct_info, [])
    | JCPDvarianttype(id, _) ->
        Hashtbl.replace variants_table id {
          jc_root_info_name = id;
          jc_root_info_roots = [];
        }
    | JCPDvar _
    | JCPDfun _
    | JCPDrecfuns _
    | JCPDenumtype _
    | JCPDlogictype _
    | JCPDaxiom _
    | JCPDexception _
    | JCPDlogic _
    | JCPDglobinv _ ->
        () (* TODO *)
*)

(** [check_positivity pi a] checks whether the assertion [a] as exactly one positive occurrence of pi in a *)

let rec signed_occurrences pi a =
match a#node with
  | JCArelation _ | JCAtrue | JCAfalse -> (0,0)
  | JCAapp app -> ((if app.jc_app_fun == pi then 1 else 0),0)
  | JCAquantifier (Forall, _vi, _, p) -> signed_occurrences pi p
  | JCAquantifier (Exists, _vi, _, _p) -> assert false (* TODO *)
  | JCAimplies (p1, p2) ->
      let (pos1,neg1) = signed_occurrences pi p1 in
      let (pos2,neg2) = signed_occurrences pi p2 in
      (neg1+pos2,pos1+neg2)
  | JCAand l ->
      List.fold_left
	(fun (p,n) a ->
	   let (pos1,neg1) = signed_occurrences pi a in
	   (p+pos1,n+neg1)) (0,0) l
  | JCAor _ -> assert false (* TODO *)
  | JCAat (p, _) | JCAold p -> signed_occurrences pi p
  | JCAnot p ->
      let (pos,neg) = signed_occurrences pi p in
      (neg,pos)
  | JCAiff (_, _) -> assert false (* TODO *)
  | JCAsubtype (_, _, _) -> assert false (* TODO *)
  | JCAeqtype (_, _, _) -> assert false (* TODO *)
  | JCAmutable (_, _, _) -> assert false (* TODO *)
  | JCAif (_, _, _) -> assert false (* TODO *)
  | JCAbool_term _ -> assert false (* TODO *)
  | JCAinstanceof (_, _, _) -> assert false (* TODO *)
  | JCAlet (_, _,_) -> assert false (* TODO *)
  | JCAmatch (_, _) -> assert false (* TODO *)
  | JCAfresh _ -> assert false (* TODO *)

let check_positivity loc pi a =
  let (pos,_neg) = signed_occurrences pi a in
  if pos = 0 then
    typing_error loc "predicate has no positive occurrence in this case";
  if pos > 1 then
    typing_error loc "predicate has too many positive occurrences in this case"



(** [check_consistency id data] attempt to detect trivial inconsistency cases in axiomatics

    pis = data.axiomatics_defined_ids is the set of logic ids defined in this axiomatic

    check 1:
      for each lemma: check that at least one pi of pis occurs

    check 2:
      for each lemma with labels l1,..,lk: for each li, there should be at least one occurrence
      of some pi of pis applied to label li.

*)

let rec term_occurrences table t =
  match t#node with
    | JCTconst _
    | JCTvar _ -> ()
    | JCTrange_cast (t, _)
    | JCTat (t, _)
    | JCTunary (_, t)
    | JCToffset (_, t, _)
    | JCTderef (t, _, _) -> term_occurrences table t
    | JCTbinary (t1, _, t2)
    | JCTshift (t1, t2) ->
	term_occurrences table t1; term_occurrences table t2
    | JCTapp app ->
      begin
        List.iter (term_occurrences table) app.jc_app_args;
	try
	  let l = Hashtbl.find table app.jc_app_fun.jc_logic_info_tag in
	  Hashtbl.replace table app.jc_app_fun.jc_logic_info_tag (app.jc_app_label_assoc::l)
	with Not_found -> ()
      end
    | JCTlet (_, _, _) -> assert false (* TODO *)
    | JCTmatch (_, _) -> assert false (* TODO *)
    | JCTrange (_, _) -> assert false (* TODO *)
    | JCTif (_, _, _) -> assert false (* TODO *)
    | JCTreal_cast (t, _) -> term_occurrences table t
    | JCTbitwise_cast (_, _, _) -> assert false (* TODO *)
    | JCTcast (_, _, _) -> assert false (* TODO *)
    | JCTinstanceof (_, _, _) -> assert false (* TODO *)
    | JCTbase_block t -> term_occurrences table t
    | JCTaddress (_, _) -> assert false (* TODO *)
    | JCTold _ -> assert false (* TODO *)

let rec occurrences table a =
  match a#node with
  | JCAtrue | JCAfalse -> ()
  | JCAapp app ->
      begin
        List.iter (term_occurrences table) app.jc_app_args;
	try
	  let l = Hashtbl.find table app.jc_app_fun.jc_logic_info_tag in
	  Hashtbl.replace table app.jc_app_fun.jc_logic_info_tag (app.jc_app_label_assoc::l)
	with Not_found -> ()
      end
  | JCAnot p
  | JCAquantifier (_, _, _, p) -> occurrences table p
  | JCAiff (p1, p2)
  | JCAimplies (p1, p2) ->
      occurrences table p1; occurrences table p2
  | JCAand l | JCAor l ->
      List.iter (occurrences table) l
  | JCArelation(t1,_op,t2) ->
      term_occurrences table t1; term_occurrences table t2
  | JCAsubtype (_, _, _) -> assert false (* TODO *)
  | JCAeqtype (_, _, _) -> assert false (* TODO *)
  | JCAmutable (_, _, _) -> assert false (* TODO *)
  | JCAif (_, _, _) -> assert false (* TODO *)
  | JCAbool_term _ -> assert false (* TODO *)
  | JCAinstanceof (_, _, _) -> assert false (* TODO *)
  | JCAold p
  | JCAat (p, _) -> occurrences table p
  | JCAlet (_, _, _) -> assert false (* TODO *)
  | JCAmatch (_, _) -> assert false (* TODO *)
  | JCAfresh _ -> assert false (* TODO *)

let rec list_assoc_data lab l =
  match l with
    | [] -> false
    | (_,d):: r ->
	d=lab || list_assoc_data lab r

let check_consistency id data =
  let pis = data.axiomatics_defined_ids in
  List.iter
    (fun (ABaxiom(loc,axid,labels,a)) ->
       let h = Hashtbl.create 17 in
       List.iter
	 (fun pi -> Hashtbl.add h pi.jc_logic_info_tag [])
	 pis;
       occurrences h a;
       Jc_options.lprintf "@[occurrences table for axiom %s in axiomatic %s:@\n" axid id;
       Hashtbl.iter
	 (fun pi l ->
	    Jc_options.lprintf "%d: @[" pi;
	    List.iter
	      (fun label_assoc ->
		 Jc_options.lprintf "%a ;"
		   (Pp.print_list Pp.comma (fun fmt (_l1,l2) -> Jc_output_misc.label fmt l2)) label_assoc)
	      l;
	    Jc_options.lprintf "@]@\n")
	 h;
       Jc_options.lprintf "@]@.";
       if Hashtbl.fold (fun _pi l acc -> acc && l=[]) h true then
	 typing_error loc
	   "axiom %s should contain at least one occurrence of a symbol declared in axiomatic %s" axid id;
       List.iter
	 (fun lab ->
	    if not (Hashtbl.fold (fun _pi l acc -> acc || List.exists (list_assoc_data lab) l) h false) then
	      typing_error loc
		"there should be at least one declared symbol depending on label %a in this axiom" Jc_output_misc.label lab)
	 labels
    )
    data.axiomatics_decls

let update_axiomatic axiomatic pi =
  match axiomatic with
    | Some(id,data) ->
	pi.jc_logic_info_axiomatic <- Some id;
	data.axiomatics_defined_ids <- pi :: data.axiomatics_defined_ids
    | None -> ()

exception Identifier_Not_found of string

let create_pragma_gen_frame_sub frame_or_sub loc id logic =
  let info = 
    try 
      find_logic_info logic
    with Not_found -> typing_error loc "logic unknown %s" logic in
  let params1 = info.jc_logic_info_parameters in
  let params2 = List.map (fun v -> var ~unique:true v.jc_var_info_type 
    (v.jc_var_info_name^"_dest"))
    info.jc_logic_info_parameters in
  let pi = make_pred id in
  pi.jc_logic_info_parameters <- params1@params2;
  let label1 = LabelName { 
    label_info_name = "L1";
    label_info_final_name = "L1";
    times_used = 0;
  } in
  let label2 = LabelName { 
    label_info_name = "L2";
    label_info_final_name = "L2";
    times_used = 0;
  } in
  pi.jc_logic_info_labels <- [label1;label2];
  Hashtbl.replace logic_functions_env id pi;
  let def = 
    let params param = List.map 
      (fun x -> new term ~pos:loc ~typ:x.jc_var_info_type (JCTvar x))
      param in
    begin
      match info.jc_logic_info_result_type with
        | None ->
          let app label param = new assertion (JCAapp {jc_app_fun = info;
                             jc_app_args = params param;
                             jc_app_region_assoc = [];
                             jc_app_label_assoc = 
              label_assoc loc "bug in the generation" 
                (Some label) info.jc_logic_info_labels []
                 }) in
          make_and (app label1 params1) (app label2 params2)
        | Some ty -> 
          let term label param = new term ~pos:loc ~typ:ty
            (JCTapp {jc_app_fun = info;
                     jc_app_args = params param;
                     jc_app_region_assoc = [];
                     jc_app_label_assoc = 
                label_assoc loc "bug in the generation" 
                  (Some label) info.jc_logic_info_labels []}) in
          new assertion (make_rel_bin_op loc `Beq
                           (term label1 params1) (term label2 params2))
    end in
  let def = JCAssertion def in
  IntHashtblIter.add logic_functions_table pi.jc_logic_info_tag (pi, def);
  Hashtbl.add pragma_gen_frame pi.jc_logic_info_tag
    (pi,info,params1,params2,frame_or_sub)


let create_pragma_gen_sep_logic_aux loc kind id li =
  let translate_param (p,restr) =
    match p#node,restr with
      | JCPTnative _,_ ->
          typing_error loc "A Separation pragma can't reference \"pure\" type"
      | JCPTidentifier (s,[]),_ -> (* Should be the identifier of a logic *)
          let info =
            try
              find_logic_info s
            with Not_found -> raise (Identifier_Not_found s)
          in `Logic (info,restr)
      | JCPTidentifier (_s,_l),_ ->
          typing_error loc "A Separation pragma can't reference a logic type"
      | JCPTpointer (_,[],None,None),[] ->
          let ty = type_type p in
          `Pointer (newvar ty)
      | JCPTpointer _, _::_ ->
          typing_error loc
            "In a separation pragma pointer can't\
             be at that time restreint to some field"
      | JCPTpointer _,_ ->
          failwith "TODO : sorry I'm lazy. But what have you done?" in
  let change_var_name = function
    |`Logic (info,restr) ->
       let params = info.jc_logic_info_parameters in
       let new_params = List.map copyvar params in
       `Logic (info,restr,new_params)
    |`Pointer _ as e -> e in
  let to_param = function
    | `Logic (_,_,new_params) -> new_params
    | `Pointer var -> [var]
  in
  let params = List.map translate_param li in
  let params = List.map change_var_name params in
  let param_env = List.concat (List.map to_param params) in
  let pi = make_pred id in
  pi.jc_logic_info_parameters <- param_env;
  let cur_label = LabelName {
    label_info_name = "L";
    label_info_final_name = "L";
    times_used = 0;
  } in
  pi.jc_logic_info_labels <- [cur_label];
  Hashtbl.replace logic_functions_env id pi;
  (* create a dumb definition with the correct effect
     which will be replace by the correcte one at the end *)
  let to_def = function
    | `Logic (info,_,params) ->
        let param = List.map
          (fun x -> new term ~pos:loc ~typ:x.jc_var_info_type (JCTvar x))
          params in
        new assertion begin
          match info.jc_logic_info_result_type with
            | None ->
                JCAapp {jc_app_fun = info;
                        jc_app_args = param;
                        jc_app_region_assoc = [];
                        jc_app_label_assoc =
                    label_assoc loc "bug in the generation"
                      (Some cur_label) info.jc_logic_info_labels []
                       }
            | Some ty ->
                let term = new term ~pos:loc
                  ~typ:ty
                  (JCTapp {jc_app_fun = info;
                           jc_app_args = param;
                           jc_app_region_assoc = [];
                           jc_app_label_assoc = []}) in
                make_rel_bin_op loc `Beq term term
        end
    | `Pointer var ->
        let t = new term ~pos:loc ~typ:var.jc_var_info_type (JCTvar var) in
        new assertion (make_rel_bin_op loc `Beq t t) in
  let def = JCAssertion (make_and_list (List.map to_def params)) in
  IntHashtblIter.add logic_functions_table pi.jc_logic_info_tag (pi, def);
  Hashtbl.add pragma_gen_sep pi.jc_logic_info_tag
    (kind,params)


let create_pragma_gen_sep_logic loc kind id li =
  try
    create_pragma_gen_sep_logic_aux loc kind id li
  with Identifier_Not_found ident ->
    Hashtbl.add pragma_before_def ident (loc,kind,id,li)

let create_if_pragma_before ident =
  List.iter (fun (loc,kind,id,li) ->
               create_pragma_gen_sep_logic loc kind id li)
    (Hashtbl.find_all pragma_before_def ident);
    (Hashtbl.remove_all pragma_before_def ident)

let test_if_pragma_notdefined () =
  if not (Hashtbl.is_empty pragma_before_def) then
    Hashtbl.iter (fun ident (loc,_kind,id,_li) ->
    typing_error loc "The pragma %s has not been defined because\
%s appeared nowhere" id ident) pragma_before_def


(*let test_*)


let rec decl_aux ~only_types ~axiomatic acc d =
  reset_uenv ();
  let loc = d#pos in
  let in_axiomatic = axiomatic <> None in
  match d#node with
    | JCDvar (_ty, id, init) ->
	if not only_types then
	  begin
	    if in_axiomatic then
	      typing_error loc "not allowed inside axiomatic specification";
            let e = Option_misc.map (expr []) init in
            let vi = get_vardecl id in
            IntHashtblIter.add variables_table vi.jc_var_info_tag (vi, e);
	    acc
	  end
	else
	  acc
    | JCDfun (_ty, id, _pl, specs, body) ->
	if not only_types then
	  begin
	    if in_axiomatic then
	      typing_error loc "not allowed inside axiomatic specification";
            let loc = match Jc_options.position_of_label id#name with
	      | Some loc -> loc
	      | None -> id#pos
	    in
            let param_env, fi = get_fundecl id#name in
            let vi = fi.jc_fun_info_result in
            let s = List.fold_right
              (clause param_env vi) specs
              { jc_fun_requires = assertion_true;
                jc_fun_free_requires = assertion_true;
		jc_fun_decreases = None;
                jc_fun_default_behavior =
		  Loc.dummy_position ,"default", default_behavior;
                jc_fun_behavior = [] }
            in
	    reset_return_label ();
            let b = Option_misc.map
	      (unit_expr $ expr (("\\result",vi)::param_env)) body
	    in
	    fi.jc_fun_info_has_return_label <- get_return_label ();
            IntHashtblIter.add functions_table fi.jc_fun_info_tag (fi,loc,s,b);
	    acc
	  end
	else
	  acc
    | JCDenum_type(id,min,max) ->
	if only_types then
	  begin
	    if in_axiomatic then
	      typing_error loc "not allowed inside axiomatic specification";
	    begin
	      try
	        let _ = StringHashtblIter.find enum_types_table id in
	        typing_error d#pos "duplicate range type `%s'" id
	      with Not_found ->
                let ri =
                  { jc_enum_info_name = id;
		    jc_enum_info_min = min;
		    jc_enum_info_max = max;
                  }
                in
                StringHashtblIter.add enum_types_table id ri;
	        acc
	    end
	  end
	else
	  acc
    | JCDtag(id, _, _parent, _fields, inv) ->
	if not only_types then
	  begin
	    Jc_options.lprintf "Typing tag %s@." id;
	    if in_axiomatic then
	      typing_error loc "not allowed inside axiomatic specification";
            let struct_info, _ = StringHashtblIter.find structs_table id in
            (* declare invariants as logical functions *)
            let invariants =
              List.fold_left
                (fun acc (id, x, e) ->
                   if !Jc_common_options.inv_sem = InvNone then
                     typing_error id#pos
                       "use of structure invariants requires declaration \
of an invariant policy";
                   let vi =
                     var (JCTpointer (JCtag(struct_info, []), Some zero,
                                      Some zero)) x in
                   let p = assertion [(x, vi)] e in
                   let pi = make_pred id#name in
                   pi.jc_logic_info_parameters <- [vi];
                   pi.jc_logic_info_labels <- [LabelHere];
                   eprintf "generating logic fun %s with one default label@."
                     pi.jc_logic_info_name;
                   IntHashtblIter.replace logic_functions_table
                     pi.jc_logic_info_tag (pi, JCAssertion p);
                   Hashtbl.replace logic_functions_env id#name pi;
                   (pi, p) :: acc)
                []
                inv
            in
            StringHashtblIter.replace
              structs_table id (struct_info, invariants);
	    acc
	  end
	else
	  acc

    | JCDvariant_type(_id, _tags) -> acc
    | JCDunion_type(_id,_discr,_tags) -> acc

    (*    | JCDrectypes(pdecls) ->
    (* first pass: adding structure names *)
          List.iter (fun d -> match d.jc_pdecl_node with
          | JCDstructtype(id,_,_,_) ->
    (* parent type may not be declared yet *)
          ignore (add_typedecl d (id,None))
          | _ -> assert false
          ) pdecls;
    (* second pass: adding structure fields *)
          List.iter (fun d -> match d.jc_pdecl_node with
          | JCDstructtype(id,parent,fields,_) ->
          let root,struct_info = add_typedecl d (id,parent) in
          let env = List.map (field struct_info root) fields in
          struct_info.jc_struct_info_fields <- env;
          Hashtbl.replace structs_table id (struct_info,[])
          | _ -> assert false
          ) pdecls;
    (* third pass: typing invariants *)
          List.iter decl pdecls*)

    | JCDlogic_type(id,l) ->
	if only_types then
	  begin
	    Jc_options.lprintf "Typing logic type declaration %s@." id;
            begin
              try
                let _ = StringHashtblIter.find logic_type_table id in
                typing_error d#pos "duplicate logic type `%s'" id
              with Not_found ->
                let l = List.map Jc_type_var.type_var_from_string l in
                StringHashtblIter.add logic_type_table id (id,l);
	        acc
            end
	  end
	else
	  acc
    | JCDlemma(id,is_axiom,poly_args,labels,e) ->
	if not only_types then
	  begin
	    Jc_options.lprintf "Typing lemma/axiom %s@." id;
	    if is_axiom && not in_axiomatic then
	      typing_error loc "allowed only inside axiomatic specification";
            (*
	      let labels = match labels with [] -> [ LabelHere ] | _ -> labels in
            *)
            let poly_args = add_poly_args poly_args in
            let te = assertion [] e in
            let te = Jc_type_var.subst_type_in_assertion uenv te in
            if in_axiomatic && is_axiom then
	      (ABaxiom(d#pos,id,labels,te))::acc
	    else
	      begin
	        StringHashtblIter.add
                  lemmas_table id (d#pos,is_axiom,poly_args,labels,te);
	        acc
	      end
	  end
	else
	  acc
    | JCDglobal_inv(id, e) ->
	if not only_types then
	  begin
	    if in_axiomatic then
	      typing_error loc "not allowed inside axiomatic specification";
            let a = assertion [] e in
            let li = make_pred id in
            let idx = li.jc_logic_info_tag in
            if !Jc_common_options.inv_sem = InvArguments then
              IntHashtblIter.replace logic_functions_table
                idx (li, JCAssertion a);
            IntHashtblIter.add global_invariants_table idx (li, a);
	    acc
	  end
	else
	  acc
    | JCDexception(id,tyopt) ->
	if not only_types then
	  begin
	    if in_axiomatic then
	      typing_error loc "not allowed inside axiomatic specification";
            let tt = Option_misc.map type_type tyopt in
            StringHashtblIter.add exceptions_table id (exception_info tt id);
	    acc
	  end
	else
	  acc
    | JCDlogic_var (_ty, _id, _body) -> assert false
        (*         let ty, vi = add_logic_constdecl (ty, id) in *)
        (*         let t = Option_misc.map  *)
        (* 	  (function body -> *)
        (* 	     let t = term [] body in *)
        (*              if not (subtype t#typ ty) then *)
        (*                typing_error d#pos *)
        (*                  "inferred type differs from declared type" *)
        (*              else (t,mintype t#pos t#typ ty) *)
        (* 	  ) body *)
        (*         in *)
        (*         Hashtbl.add logic_constants_table vi.jc_var_info_tag (vi, t) *)
    | JCDlogic (None, id, poly_args, labels, pl, body) ->
	if not only_types then
	  begin
            (*
	      let labels = match labels with [] -> [ LabelHere ] | _ -> labels in
            *)
            let param_env,_ty,pi = add_logic_fundecl (None,id,poly_args,labels,pl) in
            create_if_pragma_before id;
            let p = match body with
              | JCnone ->
	          if not in_axiomatic then
		    typing_error loc "allowed only inside axiomatic specification";
                  JCNone
              | JCreads reads ->
	          if not in_axiomatic then
		    typing_error loc "allowed only inside axiomatic specification";
                  JCReads (
                    (List.map
                       (fun a ->
                          let _,_,tl =
                            location param_env a
                          in tl)) reads)
              | JCexpr body ->
                  JCAssertion(assertion param_env body)
		    (*
		      | JCaxiomatic l ->
		      JCAxiomatic(List.map (fun (id,e) -> (id,assertion param_env e)) l)
		    *)
	      | JCinductive l ->
	          JCInductive(List.map
			        (fun (id,labels,e) ->
                                   (*
			             let labels = match labels with
				     [] -> [ LabelHere ]
				     | _ -> labels
			             in
                                   *)
			           let a = assertion param_env e in
				   check_positivity a#pos pi a;
			           (id,labels,a))
			        l)
            in
	    update_axiomatic axiomatic pi;
            IntHashtblIter.add
              logic_functions_table pi.jc_logic_info_tag (pi, p);
	    acc
	  end
	else
	  acc
    | JCDlogic (Some ty, id, poly_args, labels, pl, body) ->
	if not only_types then
	  begin
            (*
	      let labels = match labels with [] -> [ LabelHere ] | _ -> labels in
            *)
            let param_env, ty, pi = add_logic_fundecl (Some ty,id,poly_args,labels,pl) in
            create_if_pragma_before id;
            let ty = match ty with Some ty -> ty | None -> assert false in
            let t = match body with
              | JCnone -> JCNone
              | JCreads reads ->
		  if not in_axiomatic then
		    typing_error loc "allowed only inside axiomatic specification";
		  JCReads (
                    (List.map
                       (fun a ->
			  let _,_,tl = location param_env a
			  in tl)) reads)
              | JCexpr body ->
		  let t = term param_env body in
		  if pl = [] && not (subtype t#typ ty)
		    || pl <> [] && not (subtype_strict t#typ ty) then
		      typing_error d#pos
			"inferred type differs from declared type"
		  else
		    begin
		      if pl = [] then
			(* constant *)
			Hashtbl.add logic_constants_table pi.jc_logic_info_tag (pi, t);
		      JCTerm t
		    end
		      (*
			| JCaxiomatic l ->
			JCAxiomatic(List.map (fun (id,e) -> (id,assertion param(_env e)) l)
		      *)
	      | JCinductive _ ->
		  typing_error d#pos
                    "only predicates can be inductively defined"
            in
	    update_axiomatic axiomatic pi;
            IntHashtblIter.add
              logic_functions_table pi.jc_logic_info_tag (pi, t);
	    acc
	  end
	else
	  acc
    | JCDint_model _|JCDabstract_domain _|JCDannotation_policy _
    | JCDseparation_policy _
    | JCDtermination_policy _
    | JCDinvariant_policy _ -> assert false
    | JCDpragma_gen_sep (kind,id,li) ->
        if Jc_options.gen_frame_rule_with_ft && not only_types then
	  begin
            let kind = match kind,li with
              | "",_ -> `Sep
              | "inc", [_;_] -> `Inc
              | "cni", [_;_] -> `Cni

              | ("inc"|"cni"), _ ->
                  typing_error loc
                    "A Gen_separation inc or cni pragma should \
                     have 2 arguments (%i given)" (List.length li)
              | _ -> typing_error loc
                  "I don't know that kind of Gen_separation pragma : %s" 
                kind in
            create_pragma_gen_sep_logic loc kind id li
          end;
	acc
    | JCDpragma_gen_frame(name,logic) -> 
        if Jc_options.gen_frame_rule_with_ft && not only_types then
	  begin
            create_pragma_gen_frame_sub `Frame loc name logic
          end;
      acc
    | JCDpragma_gen_sub(name,logic) -> 
        if Jc_options.gen_frame_rule_with_ft && not only_types then
	  begin
            create_pragma_gen_frame_sub `Sub loc name logic
          end;
      acc
    | JCDpragma_gen_same(name,logic) -> 
        if Jc_options.gen_frame_rule_with_ft && not only_types then
	  begin
            let logic_info =
              try
                find_logic_info name
              with Not_found -> raise (Identifier_Not_found name) in
            let pred_info =
              try
                find_logic_info logic
              with Not_found -> raise (Identifier_Not_found logic) in
            (** TODO test that the arguments are the same *)
            Hashtbl.add pragma_gen_same
              logic_info.jc_logic_info_tag pred_info
          end;
      acc
    | JCDaxiomatic(id,l) ->
	Jc_options.lprintf "Typing axiomatic %s@." id;
	let data =
	  {
	    axiomatics_defined_ids = [];
	    axiomatics_decls = [];
	  }
	in
	data.axiomatics_decls <- List.fold_left
          (decl_aux ~only_types ~axiomatic:(Some (id,data))) [] l;
	if not only_types then
	  begin
	    check_consistency id data;
	    StringHashtblIter.add axiomatics_table id data
	  end;
	acc

let decl ~only_types d =
  ignore (decl_aux ~only_types ~axiomatic:None [] d)

let declare_struct_info d = match d#node with
  | JCDtag(id, _, parent, _, _) ->
      let rec si = {
        jc_struct_info_params = [];
        jc_struct_info_name = id;
        jc_struct_info_fields = [];
        jc_struct_info_parent = None;
        jc_struct_info_hroot = si;
        jc_struct_info_root = None;
      } in
      StringHashtblIter.add structs_table id (si, []);
      (* declare the "mutable" field (if needed) *)
      if parent = None && !Jc_common_options.inv_sem = InvOwnership then
        create_mutable_field si
  | _ -> ()

let rec declare_function d =
  reset_uenv ();
  match d#node with
  | JCDfun(ty,id,pl,_specs,_body) ->
      ignore
        (add_fundecl (ty,id#pos,id#name,pl))
(*   | JCDlogic(Some ty,id,labels,[],_body) -> *)
(*       ignore  *)
(* 	(add_logic_constdecl (ty,id)) *)
  | JCDlogic(ty,id,poly_args,labels,pl,_body) ->
(*
      let labels = match labels with [] -> [ LabelHere ] | _ -> labels in
*)
      ignore (add_logic_fundecl (ty,id,poly_args,labels,pl))
  | JCDaxiomatic(_id,l) ->
      List.iter declare_function l
  | _ -> ()

let declare_variable d = match d#node with
  | JCDvar(ty,id,_init) ->
      add_vardecl (ty,id)
  | _ -> ()

let compute_struct_info_parent d = match d#node with
  | JCDtag(id, _, Some(parent, _), _, _) ->
      let si, _ = StringHashtblIter.find structs_table id in
      let psi = find_struct_info d#pos parent in
      si.jc_struct_info_parent <- Some(psi, [])
  | _ -> ()

let fixpoint_struct_info_roots () =
  let modified = ref false in
  StringHashtblIter.iter
    (fun _ (si, _) ->
       match si.jc_struct_info_parent with
         | Some(psi, _) ->
             if si.jc_struct_info_hroot != psi.jc_struct_info_hroot then begin
               si.jc_struct_info_hroot <- psi.jc_struct_info_hroot;
               modified := true
             end
         | None -> ())
    structs_table;
  !modified

let type_variant d = match d#node with
  | JCDvariant_type(id, tags) | JCDunion_type(id,_,tags) ->
      (* declare the variant *)
      let vi = {
        jc_root_info_name = id;
        jc_root_info_hroots = [];
        jc_root_info_kind =
	  (match d#node with
             | JCDvariant_type _ -> Rvariant
	     | JCDunion_type(_,true,_) ->
                 Region.some_bitwise_region := true;
                 RdiscrUnion
	     | JCDunion_type(_,false,_) ->
                 Region.some_bitwise_region := true;
                 RplainUnion
	     | _ -> assert false
	  );
	jc_root_info_union_size_in_bytes = 0;
      } in
      StringHashtblIter.add roots_table id vi;
      (* tags *)
      let roots = List.map
        (fun tag ->
           (* find the structure *)
           let st, _ = try
             StringHashtblIter.find structs_table tag#name
           with Not_found ->
             typing_error tag#pos
               "undefined tag: %s" tag#name
           in
           (* the structure must be root *)
           if st.jc_struct_info_parent <> None then
             typing_error tag#pos
               "the tag %s is not root" tag#name;
           (* the structure must not be used by another variant *)
           match st.jc_struct_info_root with
             | None ->
                 (* update the structure variant and return the root *)
                 st.jc_struct_info_root <- Some vi;
                 st
             | Some prev -> typing_error tag#pos
                 "tag %s is already used by type %s" tag#name
                   prev.jc_root_info_name)
        tags
      in
      if root_is_union vi then
	let size =
	  List.fold_left
	    (fun size st -> max size (struct_size_in_bytes st)) 0 roots
	in
	vi.jc_root_info_union_size_in_bytes <- size
      else ();
      (* update the variant *)
      vi.jc_root_info_hroots <- roots
  | _ -> ()

let declare_tag_fields d = match d#node with
  | JCDtag(id, _, _, fields, _inv) ->
      let struct_info, _ = StringHashtblIter.find structs_table id in
      let root = struct_info.jc_struct_info_hroot in
      let fields = List.map (field struct_info root) fields in
      struct_info.jc_struct_info_fields <- fields;
      StringHashtblIter.replace structs_table id (struct_info, [])
  | _ -> ()

let check_struct d = match d#node with
  | JCDtag(id, _, _, _, _) ->
      let loc = d#pos in
      let st = find_struct_info loc id in
      if st.jc_struct_info_hroot.jc_struct_info_root = None then
        typing_error loc "the tag %s is not used by any type"
          st.jc_struct_info_name
  | _ -> ()

(* type declarations in the right order *)
let type_file ast =
(*
  (* 1. logic types *)
  let is_logic_type d =
    match d#node with JCDlogic_type _ -> true | _ -> false
  in
  let logic_types,ast = List.partition is_logic_type ast in
  List.iter decl logic_types;
  (* 2. enumerations *)
  let is_enum d =
    match d#node with JCDenum_type _ -> true | _ -> false
  in
  let enums,ast = List.partition is_enum ast in
  List.iter decl enums;
*)
  List.iter (decl ~only_types:true) ast;
  (* 3. records and variants *)
  List.iter declare_struct_info ast;
  List.iter compute_struct_info_parent ast;
  while fixpoint_struct_info_roots () do () done;
  List.iter type_variant ast;
  List.iter declare_tag_fields ast;
  List.iter check_struct ast;
  (* 4. declaring global variables *)
  List.iter declare_variable ast;
  (* 5. declaring coding and logic functions *)
  List.iter declare_function ast;
  (* 6. remaining declarations *)
  List.iter (decl ~only_types:false) ast;
  (* 7. test if all the pragma have been defined *)
  test_if_pragma_notdefined ()

let print_file fmt () =
  let functions =
    IntHashtblIter.fold
      (fun _ (finfo,_,fspec,slist) f ->
         Jc_output.JCfun_def
           (finfo.jc_fun_info_result.jc_var_info_type,finfo.jc_fun_info_name,
            finfo.jc_fun_info_parameters,fspec,slist)
         :: f
      ) functions_table []
  in
  let logic_functions =
    IntHashtblIter.fold
      (fun _ (linfo,tora) f ->
         Jc_output.JClogic_fun_def
           (linfo.jc_logic_info_result_type,linfo.jc_logic_info_name,
            linfo.jc_logic_info_poly_args,
            linfo.jc_logic_info_labels,
            linfo.jc_logic_info_parameters, tora)
         :: f
      ) logic_functions_table []
  in
(*  let logic_constants =
    Hashtbl.fold
      (fun _ (vi,t) f ->
         Jc_output.JClogic_const_def
           (vi.jc_var_info_type, vi.jc_var_info_name, Option_misc.map fst t)
        :: f
      ) logic_constants_table []
  in *)
  let logic_types =
    StringHashtblIter.fold
      (fun _ (s,l) f -> Jc_output.JClogic_type_def (s,l) :: f)
      logic_type_table
      []
  in
  let variables =
    IntHashtblIter.fold
      (fun _ (vinfo,vinit) f ->
         Jc_output.JCvar_def
           (vinfo.jc_var_info_type,vinfo.jc_var_info_name,vinit)
         :: f
      ) variables_table []
  in
  let structs =
    StringHashtblIter.fold
      (fun name (sinfo,_) f ->
         let super = match sinfo.jc_struct_info_parent with
           | None -> None
           | Some(st, _) -> Some st.jc_struct_info_name
         in
         Jc_output.JCstruct_def
           (name,super,sinfo.jc_struct_info_fields,[])
         :: f
      ) structs_table []
  in
  let variants =
    StringHashtblIter.fold
      (fun name vinfo f ->
        let tags =
          List.map (fun sinfo -> sinfo.jc_struct_info_name)
            vinfo.jc_root_info_hroots
        in
        Jc_output.JCvariant_type_def (name,tags)
        :: f
      ) roots_table []
  in
  let enums =
    StringHashtblIter.fold
      (fun name rinfo f ->
         Jc_output.JCenum_type_def
           (name,rinfo.jc_enum_info_min,rinfo.jc_enum_info_max)
         :: f
      ) enum_types_table []
  in
  let axioms =
    StringHashtblIter.fold
      (fun name (_loc,is_axiom,poly_args,labels, a) f ->
         Jc_output.JClemma_def (name,is_axiom, poly_args, labels,a)
         :: f
      ) lemmas_table []
  in
  let global_invariants =
    IntHashtblIter.fold
      (fun _ (li, a) f ->
         Jc_output.JCglobinv_def (li.jc_logic_info_name,a) :: f)
      global_invariants_table
      []
  in
  let exceptions =
    StringHashtblIter.fold
      (fun name ei f ->
         Jc_output.JCexception_def (name,ei)
         :: f
      ) exceptions_table []
  in
  (* make all structured types mutually recursive.
     make all functions mutually recursive.
     make all logic functions and constants mutually recursive.
  *)
  let tfile =
    (List.rev enums)
    @ (List.rev structs)
    @ (List.rev variants)
    @ (List.rev exceptions)
    @ (List.rev variables)
    @ (List.rev logic_types)
    @ (Jc_output.JCrec_fun_defs
      (* (List.rev logic_constants @*) (List.rev logic_functions))
    :: (List.rev axioms)
    @ (List.rev global_invariants)
    @ [Jc_output.JCrec_fun_defs (List.rev functions)]
  in
  Jc_output.print_decls fmt tfile;

(*
Local Variables:
compile-command: "LC_ALL=C make -j -C .. bin/jessie.byte"
End:
*)
why-2.39/jc/jc_typing.mli0000644000106100004300000001123713147234006014322 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

open Jc_stdlib
open Jc_env
open Jc_ast
open Jc_fenv
open Jc_pervasives

val default_label : label list -> label option
 
val typing_error : 
    Loc.position -> ('a, Format.formatter, unit, 'b) format4 -> 'a

val is_root_struct : struct_info -> bool

val substruct : struct_info -> pointer_class -> bool

val logic_type_table : (string * type_var_info list) StringHashtblIter.t

val logic_constants_table : 
  (int, logic_info * Jc_fenv.logic_info Jc_ast.term) Hashtbl.t

val logic_functions_table:
  (logic_info * term_or_assertion) IntHashtblIter.t

val functions_table : 
  (fun_info * Loc.position * fun_spec * expr option) IntHashtblIter.t

val variables_table : (var_info * expr option) IntHashtblIter.t

val structs_table:
  (struct_info * (logic_info * assertion) list) StringHashtblIter.t

val roots_table: (root_info) StringHashtblIter.t

val enum_types_table: enum_info StringHashtblIter.t

(*
val enum_conversion_functions_table : (fun_info, string) Hashtbl.t
val enum_conversion_logic_functions_table : (logic_info, string) Hashtbl.t
*)

val lemmas_table : 
  (Loc.position * bool * type_var_info list * label list * assertion)
  StringHashtblIter.t

type axiomatic_decl =
  | ABaxiom of Loc.position * string * Jc_env.label list * Jc_constructors.assertion

type axiomatic_data = private
    {
      mutable axiomatics_defined_ids : logic_info list;
      mutable axiomatics_decls : axiomatic_decl list;
    }

val axiomatics_table : axiomatic_data StringHashtblIter.t

val global_invariants_table : 
  (logic_info * assertion) IntHashtblIter.t

val exceptions_table: exception_info StringHashtblIter.t

exception Typing_error of Loc.position * string

val coerce : jc_type -> native_type -> expr -> expr

val type_range_of_term : jc_type -> term -> assertion

val find_struct_root : Jc_env.struct_info -> Jc_env.root_info

val type_file : nexpr decl list -> unit

val print_file : Format.formatter -> unit -> unit

val type_labels_in_decl : nexpr decl -> unit

val pragma_gen_sep :  (int,
   [ `Sep | `Inc | `Cni] *
   [ `Logic of Jc_fenv.logic_info * string list * Jc_env.var_info list
   | `Pointer of Jc_env.var_info ] list) Jc_stdlib.Hashtbl.t

val pragma_gen_frame : 
  (int, Jc_fenv.logic_info * Jc_fenv.logic_info 
    * Jc_env.var_info list * Jc_env.var_info list *
      [ `Frame | `Sub ]) Jc_stdlib.Hashtbl.t

val pragma_gen_same :
  (int, Jc_fenv.logic_info) Jc_stdlib.Hashtbl.t

val comparable_types : jc_type -> jc_type -> bool

(*
Local Variables: 
compile-command: "make -C .. bin/jessie.byte"
End: 
*)
why-2.39/jc/jc_common_options.ml0000644000106100004300000000470613147234006015705 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(*s command-line options *)

open Jc_env

let debug = ref false
let verbose = ref false
let werror = ref false

let inv_sem = ref InvNone
let separation_sem = ref SepNone

(*
  Local Variables: 
  compile-command: "unset LANG; make -C .. bin/jessie.byte"
  End: 
*)
why-2.39/jc/jc_ast.mli0000644000106100004300000005020213147234006013572 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



open Jc_env

class type positioned =
object
  method pos: Loc.position
end

class type typed =
object
  method typ: jc_type
end

class type labeled =
object
  method label: label option
  method set_label: label option -> unit
end

class type marked =
object
  method mark: string
end

class type regioned =
object
  method region: region
  method set_region: region -> unit
end

type const =
  | JCCvoid
  | JCCnull
  | JCCboolean of bool
  | JCCinteger of string
  | JCCreal of string
  | JCCstring of string

class type identifier =
object
  inherit positioned
  method name: string
end

class type ['a] node_positioned =
object
  inherit positioned
  method node: 'a
end

(***************)
(* parse trees *)
(***************)

type ptype_node =
  | JCPTnative of native_type
  | JCPTidentifier of string * ptype list
  | JCPTpointer of string * ptype list * Num.num option * Num.num option

and ptype = ptype_node node_positioned

type comparison_op = [ `Blt | `Bgt | `Ble | `Bge | `Beq | `Bneq ]
type arithmetic_op = [ `Badd | `Bsub | `Bmul | `Bdiv | `Bmod ]
type logical_op = [ `Bland | `Blor | `Bimplies | `Biff ]
type bitwise_op =
    [ `Bbw_and | `Bbw_or | `Bbw_xor
    | `Bshift_left | `Blogical_shift_right | `Barith_shift_right ]

type basic_op = [ comparison_op | arithmetic_op ]
type operational_op = [ basic_op | bitwise_op | `Bconcat | `Bland | `Blor ]
type bin_op = [ operational_op | logical_op ]

type pre_unary_op = [ `Uprefix_inc | `Uprefix_dec ]
type post_unary_op = [ `Upostfix_inc | `Upostfix_dec ]
type pm_unary_op = [ pre_unary_op | post_unary_op | `Uplus ]
type unary_op = [ `Uminus | `Unot | `Ubw_not ]

type pexpr_unary_op = [ pm_unary_op | unary_op ]

type native_operator_type = [ `Unit | `Boolean | `Integer | `Real | float_format ]
type operator_type = [ native_operator_type | `Pointer | `Logic ]

type pred_bin_op = [comparison_op | logical_op] * operator_type
type expr_unary_op = unary_op * native_operator_type
type term_unary_op = expr_unary_op
type expr_bin_op = operational_op * operator_type
type term_bin_op = bin_op * operator_type
type pred_rel_op = comparison_op * operator_type

type offset_kind = Offset_max | Offset_min

type address_kind = Addr_absolute | Addr_pointer

type quantifier = Forall | Exists

type asrt_kind =
  | Aassert (* Assertion to prove *)
  | Ahint   (* Assertion to help in proofs,
	       can be either discarded or both used and proved *)
  | Aassume (* Assertion that can be relied on without proof *)
  | Acheck  (* Assertion to prove but which is not used after *)

type rounding_mode =
  | Round_nearest_even | Round_to_zero | Round_up | Round_down
  | Round_nearest_away

type real_conversion =
  | Integer_to_real
  | Double_to_real
  | Float_to_real
  | Round of float_format * rounding_mode

type ppattern_node =
  | JCPPstruct of identifier * (identifier * ppattern) list
  | JCPPvar of identifier
  | JCPPor of ppattern * ppattern
  | JCPPas of ppattern * identifier
  | JCPPany
  | JCPPconst of const

and ppattern = ppattern_node node_positioned

type 'expr pbehavior =
    Loc.position * string * identifier option * 'expr option
    * 'expr option * (Loc.position * 'expr list) option * 
    (Loc.position * 'expr list) option * 'expr
      (*r loc, name, throws, assumes,requires,assigns,allocates, ensures *)

and 'expr loopbehavior =
    identifier list
    * 'expr option * (Loc.position * 'expr list) option
      (*r idents, invariant, assigns *)

and pexpr_node =
  | JCPEconst of const
  | JCPElabel of string * pexpr
  | JCPEvar of string
  | JCPEderef of pexpr * string
  | JCPEbinary of pexpr * bin_op * pexpr
  | JCPEunary of pexpr_unary_op * pexpr
  | JCPEapp of string * label list * pexpr list
  | JCPEassign of pexpr * pexpr
  | JCPEassign_op of pexpr * bin_op * pexpr
  | JCPEinstanceof of pexpr * string
  | JCPEcast of pexpr * ptype
  | JCPEquantifier of quantifier * ptype * identifier list * pexpr list list * pexpr
  | JCPEfresh of pexpr
  | JCPEold of pexpr
  | JCPEat of pexpr * label
  | JCPEoffset of offset_kind * pexpr
  | JCPEaddress of address_kind * pexpr
      (* expression is of integer type for an absolute address, and of
	 pointer type for a pointer address *)
  | JCPEbase_block of pexpr
  | JCPEif of pexpr * pexpr * pexpr
  | JCPElet of ptype option * string * pexpr option * pexpr
  | JCPEdecl of ptype * string * pexpr option
  | JCPErange of pexpr option * pexpr option
  | JCPEalloc of pexpr * string
  | JCPEfree of pexpr
  | JCPEmutable of pexpr * pexpr ptag
  | JCPEeqtype of pexpr ptag * pexpr ptag
  | JCPEsubtype of pexpr ptag * pexpr ptag
  | JCPEmatch of pexpr * (ppattern * pexpr) list
  | JCPEblock of pexpr list
  | JCPEassert of identifier list * asrt_kind * pexpr
  | JCPEcontract of
      pexpr option * (pexpr * identifier option) option *
	pexpr pbehavior list * pexpr
	(* requires, decreases, behaviors, expression *)
  | JCPEwhile of
      pexpr * pexpr loopbehavior list *
	(pexpr * identifier option) option * pexpr
	(*r condition, behaviors, variant, body *)
  | JCPEfor of
      pexpr list * pexpr * pexpr list * pexpr loopbehavior list
      * (pexpr * identifier option) option * pexpr
	(*r inits, condition, updates, behaviors, variant, body *)
  | JCPEreturn of pexpr
  | JCPEbreak of string
  | JCPEcontinue of string
  | JCPEgoto of string
  | JCPEtry of pexpr * (identifier * string * pexpr) list * pexpr
  | JCPEthrow of identifier * pexpr
  | JCPEpack of pexpr * identifier option
  | JCPEunpack of pexpr * identifier option
  | JCPEswitch of pexpr * (pexpr option list * pexpr) list

and pexpr = pexpr_node node_positioned

and 'a ptag_node =
  | JCPTtag of identifier
  | JCPTbottom
  | JCPTtypeof of 'a

and 'a ptag = 'a ptag_node node_positioned

type 'expr clause =
  | JCCrequires of 'expr
  | JCCdecreases of 'expr * identifier option
  | JCCbehavior of 'expr pbehavior

type 'expr reads_or_expr =
  | JCnone
  | JCreads of 'expr list
  | JCexpr of 'expr
  | JCinductive of (identifier * label list * 'expr) list

type field_modifiers = bool * bool

type 'expr decl_node =
  | JCDvar of ptype * string * 'expr option
  | JCDfun of ptype * identifier * (bool * ptype * string) list * 'expr clause list
      * 'expr option
  | JCDtag of
      string (* name of the tag *)
      * string list (* type parameters *)
      * (string * ptype list) option (* parent tag, applied type parameters *)
      * (field_modifiers * ptype * string * int option) list (* fields *)
      * (identifier * string * 'expr) list (* invariants *)
  | JCDvariant_type of string * identifier list
  | JCDunion_type of string * bool * identifier list
    (* name, discriminated, structure names *)
  | JCDenum_type of string * Num.num * Num.num
  | JCDlogic_type of string * string list
  | JCDlemma of string * bool * string list * label list * 'expr
    (* 2nd arg is true if it is an axiom *)
  | JCDexception of string * ptype option
    (* logic functions and predicates (return type: None if predicate) *)
  | JCDlogic of ptype option * string * string list * label list * (ptype * string) list
      * 'expr reads_or_expr
  | JCDlogic_var of ptype * string * 'expr option
  (* global invariant *)
  | JCDglobal_inv of string * 'expr
  (* "pragma" options and policies *)
  | JCDinvariant_policy of Jc_env.inv_sem
  | JCDseparation_policy of Jc_env.separation_sem
  | JCDtermination_policy of Jc_env.termination_policy
  | JCDannotation_policy of Jc_env.annotation_sem
  | JCDabstract_domain of Jc_env.abstract_domain
  | JCDint_model of Jc_env.int_model
  | JCDpragma_gen_sep of string * string * (ptype * string list) list
  | JCDpragma_gen_frame of string * string
  | JCDpragma_gen_sub of string * string
  | JCDpragma_gen_same of string * string
  | JCDaxiomatic of string * 'expr decl list


and 'expr decl = 'expr decl_node node_positioned

type pdecl = pexpr decl

class type ['expr_node] c_nexpr =
object
  inherit labeled
  inherit ['expr_node] node_positioned
end

(** Normalized expressions. Not typed yet, but without gotos. *)
type nexpr_node =
  | JCNEconst of const
  | JCNElabel of string * nexpr
  | JCNEvar of string
  | JCNEderef of nexpr * string
  | JCNEbinary of nexpr * bin_op * nexpr
  | JCNEunary of unary_op * nexpr
  | JCNEapp of string * label list * nexpr list
  | JCNEassign of nexpr * nexpr
  | JCNEinstanceof of nexpr * string
  | JCNEcast of nexpr * ptype
  | JCNEif of nexpr * nexpr * nexpr
  | JCNEoffset of offset_kind * nexpr
  | JCNEaddress of address_kind * nexpr
  | JCNEfresh of nexpr
  | JCNEbase_block of nexpr
  | JCNEalloc of nexpr * string
  | JCNEfree of nexpr
  | JCNElet of ptype option * string * nexpr option * nexpr
  | JCNEassert of identifier list * asrt_kind * nexpr
  | JCNEcontract of
      nexpr option * (nexpr * identifier option) option *
	nexpr pbehavior list * nexpr
	(* requires, decreases, behaviors, expression *)
  | JCNEblock of nexpr list
  | JCNEloop of nexpr loopbehavior list *
      (nexpr * identifier option) option * nexpr
      (*r behaviors, variant, body *)
  | JCNEreturn of nexpr option
  | JCNEtry of nexpr * (identifier * string * nexpr) list * nexpr
  | JCNEthrow of identifier * nexpr option
  | JCNEpack of nexpr * identifier option
  | JCNEunpack of nexpr * identifier option
  | JCNEmatch of nexpr * (ppattern * nexpr) list
  (* Assertions only *)
  | JCNEquantifier of quantifier * ptype * identifier list * nexpr list list * nexpr
  | JCNEold of nexpr
  | JCNEat of nexpr * label
  | JCNEmutable of nexpr * nexpr ptag
  | JCNEeqtype of nexpr ptag * nexpr ptag
  | JCNEsubtype of nexpr ptag * nexpr ptag
  (* Locations only *)
  | JCNErange of nexpr option * nexpr option

and nexpr = nexpr_node c_nexpr


(*************)
(* typed ast *)
(*************)

class type ['pattern_node] c_pattern =
object
  inherit typed
  inherit ['pattern_node] node_positioned
end

type pattern_node =
  | JCPstruct of struct_info * (field_info * pattern) list
  | JCPvar of var_info
  | JCPor of pattern * pattern
  | JCPas of pattern * var_info
  | JCPany
  | JCPconst of const

and pattern = pattern_node c_pattern

class type ['node] c_term =
object
  inherit typed
  inherit regioned
  inherit marked
  inherit labeled
  inherit ['node] node_positioned
end

type 'li app =
    {
      jc_app_fun : 'li;
      jc_app_args : 'li term list;
      mutable jc_app_region_assoc : (region * region) list;
      jc_app_label_assoc : (label * label) list;
    }

and 'li term_node =
  | JCTconst of const
  | JCTvar of var_info
  | JCTshift of 'li term * 'li term
  | JCTderef of 'li term * label * field_info
  | JCTbinary of 'li term * term_bin_op * 'li term
  | JCTunary of term_unary_op * 'li term
  | JCTapp of 'li app
  | JCTold of 'li term
  | JCTat of 'li term * label
  | JCToffset of offset_kind * 'li term * struct_info
  | JCTaddress of address_kind * 'li term
  | JCTbase_block of 'li term
  | JCTinstanceof of 'li term * label * struct_info
  | JCTcast of 'li term * label * struct_info
  | JCTbitwise_cast of 'li term * label * struct_info
  | JCTrange_cast of 'li term * enum_info
  | JCTreal_cast of 'li term * real_conversion
  | JCTif of 'li term * 'li term * 'li term
  | JCTrange of 'li term option * 'li term option
  | JCTlet of var_info * 'li term * 'li term
  | JCTmatch of 'li term * (pattern * 'li term) list

and 'li term = 'li term_node c_term

type 'li tag = 'li tag_node node_positioned

and 'li tag_node =
  | JCTtag of struct_info
  | JCTbottom
  | JCTtypeof of 'li term * struct_info

class type ['node] c_location =
object
  inherit typed
  inherit regioned
  inherit labeled
  inherit ['node] node_positioned
end

type 'li location_set_node =
  | JCLSvar of var_info
  | JCLSderef of 'li location_set * label * field_info * region
(* TODO ?
  | JCLSshift of location_set * term
*)
  | JCLSrange of 'li location_set * 'li term option * 'li term option
  | JCLSrange_term of 'li term * 'li term option * 'li term option
  | JCLSat of 'li location_set * label

and 'li location_node =
  | JCLvar of var_info
  | JCLderef of 'li location_set * label * field_info * region
  | JCLderef_term of 'li term * field_info
  | JCLat of 'li location * label

and 'li location_set = 'li location_set_node c_location

and 'li location = 'li location_node c_location

class type ['assertion_node] c_assertion =
object
  inherit marked
  inherit labeled
  inherit ['assertion_node] node_positioned
end

type 'li assertion_node =
  | JCAtrue
  | JCAfalse
  | JCArelation of 'li term * pred_rel_op * 'li term
  | JCAand of 'li assertion list
  | JCAor of 'li assertion list
  | JCAimplies of 'li assertion * 'li assertion
  | JCAiff of 'li assertion * 'li assertion
  | JCAnot of 'li assertion
  | JCAapp of 'li app
  | JCAquantifier of quantifier * var_info * 'li trigger list * 'li assertion
  | JCAold of 'li assertion
  | JCAat of 'li assertion * label
  | JCAinstanceof of 'li term * label * struct_info
  | JCAbool_term of 'li term
  | JCAfresh of 'li term
  | JCAif of 'li term * 'li assertion * 'li assertion
  | JCAmutable of 'li term * struct_info * 'li tag
  | JCAeqtype of 'li tag * 'li tag * struct_info option
  | JCAsubtype of 'li tag * 'li tag * struct_info option
  | JCAlet of var_info * 'li term * 'li assertion
  | JCAmatch of 'li term * (pattern * 'li assertion) list

and 'li assertion = 'li assertion_node c_assertion

and 'li tpattern = JCAPatT of 'li term | JCAPatP of 'li assertion
and 'li trigger = 'li tpattern list

type 'li term_or_assertion =
  | JCAssertion of 'li assertion
  | JCTerm of 'li term
  | JCNone
  | JCReads of 'li location list
  | JCInductive of (identifier * label list * 'li assertion) list

type 'li loop_annot =
    {
      jc_loop_tag : int;
      mutable jc_loop_behaviors :
	(identifier list *
	   'li assertion option *
	   'li location list option) list;
      mutable jc_free_loop_invariant : 'li assertion;
      jc_loop_variant : ('li term * 'li option) option;
    }


type 'li behavior =
    {
      jc_behavior_throws : exception_info option ;
      jc_behavior_assumes : 'li assertion option ;
      jc_behavior_assigns : (Loc.position * 'li location list) option ;
      jc_behavior_allocates : (Loc.position * 'li location list) option ;
      mutable jc_behavior_ensures : 'li assertion;
      (* "free" postcondition, proved by static analysis. It can be used
	 as the postcondition of a call without being checked in the function
	 body, if static analysis is trusted (option [-trust-ai]) *)
      mutable jc_behavior_free_ensures : 'li assertion;
    }

type 'li fun_spec =
    {
      mutable jc_fun_requires : 'li assertion;
      (* "free" precondition, proved by static analysis. It can be used
	 to prove the function correctness without being checked at
	 calls, if static analysis is trusted (option [-trust-ai]) *)
      mutable jc_fun_free_requires : 'li assertion;
      mutable jc_fun_decreases : ('li term * 'li option) option;
      (* special behavior without [assumes] clause, on which all annotations
	 not specifically attached to a behavior are checked *)
      mutable jc_fun_default_behavior : Loc.position * string * 'li behavior;
      mutable jc_fun_behavior : (Loc.position * string * 'li behavior) list;
    }


(******************)
(*    typed ast   *)
(******************)

class type ['node] c_expr =
object
  inherit typed
  inherit regioned
  inherit marked
  inherit ['node] node_positioned
  method original_type: jc_type
end

(* application, increment and assignment are statements.
   special assignment with operation disappears.
 *)
type ('li,'fi) expr_node =
  | JCEconst of const
  | JCEvar of var_info
  | JCEderef of ('li,'fi) expr * field_info
  | JCEbinary of ('li,'fi) expr * expr_bin_op * ('li,'fi) expr
  | JCEunary of expr_unary_op * ('li,'fi) expr
  | JCEapp of ('li,'fi) call
  | JCEassign_var of var_info * ('li,'fi) expr
  | JCEassign_heap of ('li,'fi) expr * field_info * ('li,'fi) expr
  | JCEinstanceof of ('li,'fi) expr * struct_info
  | JCEcast of ('li,'fi) expr * struct_info
  | JCEbitwise_cast of ('li,'fi) expr * struct_info
  | JCErange_cast of ('li,'fi) expr * enum_info
  | JCEreal_cast of ('li,'fi) expr * real_conversion
  | JCEif of ('li,'fi) expr * ('li,'fi) expr * ('li,'fi) expr
  | JCEoffset of offset_kind * ('li,'fi) expr * struct_info
  | JCEaddress of address_kind * ('li,'fi) expr
  | JCEbase_block of ('li,'fi) expr
  | JCEalloc of ('li,'fi) expr * struct_info
  | JCEfree of ('li,'fi) expr
  | JCEfresh of ('li,'fi) expr
  | JCElet of var_info * ('li,'fi) expr option * ('li,'fi) expr
  | JCEassert of identifier list * asrt_kind * 'li assertion
  | JCEcontract of 'li assertion option *
      ('li term * identifier option) option * var_info *
      (Loc.position * string * 'li behavior) list * ('li,'fi) expr
      (* requires, decreases, vi of \result, behaviors, expression *)
  | JCEblock of ('li,'fi) expr list
  | JCEloop of 'li loop_annot * ('li,'fi) expr
  | JCEreturn_void
  | JCEreturn of jc_type * ('li,'fi) expr (*r expected return type *)
  | JCEtry of ('li,'fi) expr
      * (exception_info * var_info option * ('li,'fi) expr) list * ('li,'fi) expr
  | JCEthrow of exception_info * ('li,'fi) expr option
  | JCEpack of struct_info * ('li,'fi) expr * struct_info
  | JCEunpack of struct_info * ('li,'fi) expr * struct_info
  | JCEmatch of ('li,'fi) expr * (pattern * ('li,'fi) expr) list
  | JCEshift of ('li,'fi) expr * ('li,'fi) expr

and ('li,'fi) expr = ('li,'fi) expr_node c_expr

and ('li,'fi) callee =
    JClogic_fun of 'li | JCfun of 'fi

and ('li,'fi) call =
    {
      jc_call_fun : ('li,'fi) callee;
      jc_call_args : ('li,'fi) expr list;
      mutable jc_call_region_assoc : (region * region) list;
      jc_call_label_assoc : (label * label) list;
    }


(*type incr_op = Stat_inc | Stat_dec*)

(* application, increment and assignment are exprs.
   expressions (without any of the above) are not exprs anymore.
   break, continue, goto are translated with exceptions.
*)


(*
type behavior =
    {
      jc_behavior_throws : exception_info option ;
      jc_behavior_assumes : assertion option ;
(*
      jc_behavior_requires : assertion option ;
*)
      jc_behavior_assigns : location list option ;
      jc_behavior_ensures : assertion;
    }
*)

(*
type fun_spec =
    {
      jc_fun_requires : assertion;
      jc_fun_behavior : (string * behavior) list;
    }
*)



(*
Local Variables:
compile-command: "LC_ALL=C make -j -C .. bin/jessie.byte"
End:
*)
why-2.39/jc/jc_output_misc.ml0000644000106100004300000001313713147234006015213 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

open Jc_pervasives
open Jc_env
open Jc_ast
open Format
open Pp

let string_of_termination_policy p =
  match p with
    | Jc_env.TPalways -> "always"
    | Jc_env.TPuser -> "user"
    | Jc_env.TPnever -> "never"

let string_of_invariant_policy p =
  match p with
    | InvNone -> "None"
    | InvArguments -> "Arguments"
    | InvOwnership -> "Ownership"

let string_of_separation_policy p =
  match p with
    | SepNone -> "None"
    | SepRegions -> "Regions"

let string_of_annotation_policy p =
  match p with
    | AnnotNone -> "None"
    | AnnotInvariants -> "Invariants"
    | AnnotElimPre -> "ElimPre"
    | AnnotStrongPre -> "StrongPre"
    | AnnotWeakPre -> "WeakPre"
 
let string_of_abstract_domain p =
  match p with
    | AbsNone -> "None"
    | AbsBox -> "Box"
    | AbsOct -> "Oct"
    | AbsPol -> "Pol"

let string_of_int_model p =
  match p with
    | IMbounded -> "bounded"
    | IMmodulo -> "modulo"

let float_suffix fmt = function
  | `Single -> fprintf fmt "f"
  | `Double -> fprintf fmt "d"
  | `Real -> fprintf fmt ""

let const fmt c =
  match c with
    | JCCinteger s -> fprintf fmt "%s" s
    | JCCreal s -> fprintf fmt "%s" s 
    | JCCboolean b -> fprintf fmt "%B" b
    | JCCnull -> fprintf fmt "null"
    | JCCvoid -> fprintf fmt "()"
    | JCCstring s -> fprintf fmt "\"%s\"" s

let label fmt l =
  match l with
    | LabelName s -> fprintf fmt "%s" s.label_info_name
    | LabelHere -> fprintf fmt "Here" 
    | LabelPre -> fprintf fmt "Pre" 
    | LabelOld -> fprintf fmt "Old" 
    | LabelPost -> fprintf fmt "Post" 

let rec ptype fmt t =
  match t#node with
    | JCPTnative n -> fprintf fmt "%s" (string_of_native n)
    | JCPTidentifier (s,args) -> fprintf fmt "%s%a" s (print_list_delim lchevron rchevron comma ptype) args
    | JCPTpointer (name,params,ao, bo) ->
	begin match ao, bo with
	  | None, None ->
	      fprintf fmt "%s%a[..]" name ptype_params params
	  | Some a, None ->
	      fprintf fmt "%s%a[%s..]" name ptype_params params
                (Num.string_of_num a)
	  | None, Some b ->
	      fprintf fmt "%s%a[..%s]" name ptype_params params
                (Num.string_of_num b)
	  | Some a, Some b ->
	      if Num.eq_num a b then
		fprintf fmt "%s%a[%s]" name ptype_params params
                  (Num.string_of_num a)
	      else
		fprintf fmt "%s%a[%s..%s]" name ptype_params params
		  (Num.string_of_num a) (Num.string_of_num b)
	end

and ptype_params fmt l = print_list_delim lchevron rchevron comma ptype fmt l

let offset_kind fmt k =
  match k with
    | Offset_max -> fprintf fmt "ax"
    | Offset_min -> fprintf fmt "in"

and asrt_kind fmt = function
  | Aassert -> fprintf fmt "assert"
  | Ahint -> fprintf fmt "hint"
  | Aassume -> fprintf fmt "assume"
  | Acheck -> fprintf fmt "check"

and address_kind fmt = function
  | Addr_absolute -> fprintf fmt "absolute_"
  | Addr_pointer -> fprintf fmt ""

let alloc_class fmt = function
  | JCalloc_root vi -> fprintf fmt "alloc-root(%s)" vi.jc_root_info_name
  | JCalloc_bitvector -> fprintf fmt "alloc-bitvector"

let memory_class fmt = function
  | JCmem_field fi -> fprintf fmt "mem-field(%s)" fi.jc_field_info_name
  | JCmem_plain_union vi -> 
      fprintf fmt "mem-plain-union(%s)" vi.jc_root_info_name
  | JCmem_bitvector -> fprintf fmt "mem-bitvector"

let pointer_class = function
  | JCtag(st, _) -> "tag "^st.jc_struct_info_name
  | JCroot vi -> "root "^vi.jc_root_info_name

(*
Local Variables: 
compile-command: "LC_ALL=C make -j -C .. bin/jessie.byte"
End: 
*)
why-2.39/jc/jc_norm.ml0000644000106100004300000006106713147234006013620 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



open Jc_env
open Jc_envset
open Jc_pervasives
open Jc_constructors
open Jc_ast
open Jc_constructors.PExpr


(** Normalization: transforms the parsed AST in order to reduce the number of
    constructs. As it works on untyped expressions, the transformations are
    all syntax-oriented:
    - transform switch into sequence of ifs with exceptions
    - transform while and for into loop with gotos
    - transform op-assign into normal assign and op
    - transform gotos into exceptions *)


(**************************************************************************)
(* Globals to add to the list of declarations                             *)
(**************************************************************************)

let name_for_loop_exit = Jc_envset.get_unique_name "Loop_exit"
let name_for_loop_continue = Jc_envset.get_unique_name "Loop_continue"
let name_for_return_label = get_unique_name "Return_label"

let loop_exit = new identifier name_for_loop_exit
let loop_continue = new identifier name_for_loop_continue
let return_label = new identifier name_for_return_label

let label_to_exception = Hashtbl.create 17

let goto_exception_for_label lab =
  (* CIL defines a label "return_label" to go to before returning.
     It is recognized here so that static analysis recognizes these returns
     and avoids merging all returns together. *)
  if lab = "return_label" then return_label else
    try
      Hashtbl.find label_to_exception lab
    with Not_found ->
      let excname = Jc_envset.get_unique_name ("Goto_" ^ lab) in
      let exc = new identifier excname in
      Hashtbl.add label_to_exception lab exc;
      exc


(**************************************************************************)
(* Transformations                                                        *)
(**************************************************************************)

(** Transform switch *)
let normalize_switch pos e caselist =
  (* Give a temporary name to the switch expression, so that modifying
   * a variable on which this expression depends does not interfere
   * with the control-flow, when its value is tested.
   *)
  let epos = e#pos in
  let tmpname = tmp_var_name () in
  let tmpvar = mkvar ~pos:epos ~name:tmpname () in
  let has_default c = List.exists (fun c -> c = None) c in
  (* Test for case considered *)
  let test_one_case ~(neg:bool) c =
    let op = if neg then `Bneq else `Beq in
    mkbinary ~pos:epos ~expr1:tmpvar ~op ~expr2:c ()
  in
  (* Collect negative tests for [default] case *)
  let all_neg_cases () =
    let collect_neg_case c =
      List.fold_right (fun c l -> match c with
			 | Some c -> test_one_case ~neg:true c :: l
			 | None -> l) c []
    in
    fst (List.fold_left (fun (l,after_default) (c,_)  ->
			   if after_default then
			     collect_neg_case c @ l,after_default
			   else
			     l,has_default c
			) ([],false) caselist)
  in
  let test_one_case_or_default = function
    | Some c -> test_one_case ~neg:false c
    | None -> mkand ~pos:epos ~list:(all_neg_cases ()) ()
  in
  let test_case_or_default c =
    mkor ~pos:epos ~list:(List.map test_one_case_or_default c) ()
  in
  let rec cannot_fall_trough e =
    match e#node with
      | JCPEblock [] ->
	  false
      | JCPEblock elist ->
	  cannot_fall_trough (List.hd (List.rev elist))
      | JCPEthrow _ | JCPEreturn _ | JCPEwhile _ | JCPEfor _ ->
	  true
      | JCPEif(_,te,fe) ->
	  cannot_fall_trough te && cannot_fall_trough fe
      | _ -> false
  in
  let rec fold_case (previous_c,acc) =
    function [] -> List.rev acc | (c,e) :: next_cases ->
      (* No need to test on previous values if default present *)
      let current_c = if has_default c then c else previous_c @ c in
      let teste = test_case_or_default current_c in
      (* Case translated into if-statement *)
      if cannot_fall_trough e then
	let nexte = start_fold_case next_cases in
	let ife =
          mkif ~pos:epos ~condition:teste ~expr_then:e ~expr_else:nexte () in
	List.rev (ife :: acc)
      else
	let ife = mkif ~pos:epos ~condition:teste ~expr_then:e () in
	fold_case (current_c, ife :: acc) next_cases
  and start_fold_case caselist =
    let iflist = fold_case ([],[]) caselist in
    mkblock ~pos ~exprs:iflist ()
  in
  let iflist = fold_case ([],[]) caselist in
  let switche = mkblock ~pos ~exprs:iflist () in
  let catche = [mkcatch ~pos ~name:(tmp_var_name()) ~exn:loop_exit ()] in
  let trye = mktry ~pos ~expr:switche ~catches:catche () in
  mklet_nodecl ~var:tmpname ~init:e ~body:trye ()

(** Transform while-loop *)
let normalize_while pos test behs var body =
  let body = match test#node with
    | JCPEconst(JCCboolean true) -> body
	(* Special case of an infinite loop [while(true)].
	 * Then, no condition needs to be tested. This form is expected
	 * for some assertions to be recognized as loop invariants
	 * later on, in annotation inference. *)
    | _ ->
	let exit_ = mkthrow ~pos ~exn:loop_exit () in
	mkif ~pos ~condition:test ~expr_then:body ~expr_else:exit_ ()
  in
  mktry ~pos
    ~expr:
    (mkwhile ~pos ~behaviors:behs ?variant:var
       ~body:
       (mktry ~pos
          ~expr:
          (mkblock ~pos ~exprs:[body; mkthrow ~pos ~exn:loop_continue ()] ())
	  ~catches: [mkcatch ~pos ~name:(tmp_var_name()) ~exn:loop_continue ()]
          ())
       ())
    ~catches:
    [mkcatch ~pos ~name:(tmp_var_name()) ~exn:loop_exit ()]
    ()

(** Transform for-loop *)
let normalize_for pos inits test updates behs var body =
  mkblock ~pos
    ~exprs:(inits
	    @ [mktry ~pos
                 ~expr:
		 (mkwhile ~pos ~behaviors:behs ?variant:var
                    ~body:
		    (mktry ~pos
                       ~expr:
		       (mkblock ~pos ~exprs:[
			  mkif ~pos ~condition:test ~expr_then:body
                            ~expr_else:(mkthrow ~pos ~exn:loop_exit ()) ();
			  mkthrow ~pos ~exn:loop_continue ()] ())
                       ~catches:
		       [mkcatch ~pos ~name:(tmp_var_name()) ~exn:loop_continue
                          ~body:(mkblock ~pos ~exprs:updates ()) ()] ())
                    ())
                 ~catches:
		 [mkcatch ~pos ~name:(tmp_var_name()) ~exn:loop_exit ()]
                 ()
	      ])
    ()

let duplicable =
  Jc_iterators.IPExpr.fold_left
    (fun acc e -> acc && match e#node with
       | JCPEconst _ | JCPEvar _ | JCPErange _ | JCPEderef _ | JCPEfresh _
       | JCPEunary _ | JCPEoffset _ | JCPEaddress _ | JCPEold _ | JCPEat _
       | JCPEbinary _ | JCPEcast _ | JCPEsubtype _ | JCPEbase_block _ ->
	   true
       | JCPEassert _ | JCPEthrow _ | JCPEreturn _ | JCPEeqtype _
       | JCPEbreak _ | JCPEcontinue _  | JCPEgoto _  | JCPEdecl _
       | JCPElabel _ | JCPEinstanceof _ | JCPEalloc _
       | JCPEfree _ | JCPElet _ | JCPEpack _ | JCPEunpack _
       | JCPEquantifier _ | JCPEmutable _ | JCPEassign _
       | JCPEassign_op _ | JCPEif _ | JCPEwhile _ | JCPEblock _
       | JCPEapp _ | JCPEtry _ | JCPEmatch _ | JCPEfor _
       | JCPEswitch _ | JCPEcontract _ ->
	   false
    ) true

(** Transform assign-op *)
let normalize_assign_op pos e1 op e2 =
  if duplicable e1 then
    mkassign
      ~pos
      ~location:e1
      ~value:(mkbinary ~pos ~expr1:e1 ~op ~expr2:e2 ())
      ()
  else
    match e1#node with
      | JCPEderef(e3,f) ->
	  let tmpname = tmp_var_name () in
	  let tmpvar = mkvar ~pos ~name:tmpname () in
	  let e4 = mkderef ~pos ~expr:tmpvar ~field:f () in
	  mklet_nodecl
            ~var:tmpname
            ~init:e3
	    ~body:
            (mkassign
               ~pos
               ~location:e4
               ~value:(mkbinary ~pos ~expr1:e4 ~op ~expr2:e2 ())
               ())
            ()
      | _ -> Jc_options.jc_error pos "Not an lvalue in assignment"

(** Transform unary increment and decrement *)
let normalize_pmunary pos op e =
  let op_of_incdec = function
    | `Uprefix_inc | `Upostfix_inc -> `Badd
    | `Uprefix_dec | `Upostfix_dec -> `Bsub
    | `Uplus -> assert false
  in
  let on_duplicable e =
    match op with
      | `Uprefix_inc | `Uprefix_dec ->
	  (* e = e +/- 1 } *)
	  mkassign
            ~pos
            ~location: e
            ~value:
            (mkbinary
               ~pos
               ~expr1: e
               ~op: (op_of_incdec op)
               ~expr2: (mkint ~pos ~value:1 ())
               ())
            ()
      | `Upostfix_inc | `Upostfix_dec ->
	  let tmpname = tmp_var_name () in
	  let tmpvar = mkvar ~pos ~name:tmpname () in
	  (* let tmp = e in { e = tmp +/- 1; tmp } *)
	  mklet_nodecl
            ~var: tmpname
            ~init: e
            ~body:
	    (mkblock ~pos ~exprs:[
	       mkassign ~pos ~location:e
		 ~value:
                 (mkbinary
                    ~pos
                    ~expr1:tmpvar
                    ~op:(op_of_incdec op)
                    ~expr2:(mkint ~pos ~value:1 ())
                    ())
                 ();
	       tmpvar
	     ] ())
            ()
      | `Uplus -> assert false
  in
  match op with `Uplus -> e | _ ->
    if duplicable e then on_duplicable e else
      match e#node with
	| JCPEderef(e1,f) ->
	    let tmpname = tmp_var_name () in
	    let tmpvar = mkvar ~pos ~name:tmpname () in
	    let e2 = mkderef ~pos ~expr:tmpvar ~field:f () in
	    mklet_nodecl ~var:tmpname ~init:e1 ~body:(on_duplicable e2) ()
	| _ -> Jc_options.jc_error pos "Not an lvalue in assignment"

(** Transform local variable declarations *)
let normalize_locvardecl pos elist =
  mkblock ~pos
    ~exprs:
    (List.fold_right
       (fun e acc ->
	  match e#node with
	    | JCPEdecl(ty,name,initopt) ->
		[mklet_nodecl ~pos:e#pos ~typ:ty ~var:name ?init:initopt
                   ~body:(mkblock ~pos ~exprs:acc ()) ()]
	    | JCPElabel(lab, e1) ->
		(* the scope of lab is indeed extended to the end of that block, so that e.g.
		   { (L: e1); ... ; assert ... \at(x,L) ... }

		   is valid
		*)
		[mklabel
                  ~pos:e#pos
                  ~label:lab
		  (* CAUTION ! shouldn't we recurse normalize on e1 ??? *)
                  ~expr:(mkblock ~pos ~exprs:(e1::acc) ())
		  ()]
		(*
                begin match e1#node with
                  | JCPEdecl(ty,name,initopt) ->
                      [mklabel
                         ~pos:e#pos
                         ~label:lab (*(mkskip e#pos);*)
                         ~expr:
                         (mklet_nodecl
                            ~pos: e#pos
                            ~typ: ty
                            ~var: name
                            ?init: initopt
                            ~body: (mkblock ~pos ~exprs:acc ())
                            ())
                         ()]
                  | _ -> e::acc
                end
		*)
	    | _ -> e::acc
       ) elist []
    )
    ()

let normalize_postaction pos elist =
  let pre_of_post = function
    | `Upostfix_inc -> `Uprefix_inc
    | `Upostfix_dec -> `Uprefix_dec
  in
  mkblock ~pos
    ~exprs:
    (match List.rev elist with [] -> elist | last::elist' ->
       (* Only transform into pre increment/decrement those post increment/
	* decrement whose value is discarded, like all expressions in a block
	* but the last one.
	*)
       (List.fold_left (fun acc e -> match e#node with
			  | JCPEunary(#post_unary_op as op,e') ->
			      new pexpr_with
				~node:(JCPEunary(pre_of_post op,e')) e
			      :: acc
			  | _ -> e :: acc
		       ) [last] elist'
       ))
    ()

(** Apply normalizations recursively *)
let normalize =
  Jc_iterators.map_pexpr
    ~before:(fun e -> match e#node with
	       | JCPEblock elist ->
		   normalize_postaction e#pos elist
	       | _ -> e
	    )
    ~after:(fun e -> match e#node with
	      | JCPEassign_op(e1,op,e2) ->
		  normalize_assign_op e#pos e1 op e2
	      | JCPEunary(#pm_unary_op as op,e') ->
		  normalize_pmunary e#pos op e'
	      | JCPEswitch(e',caselist) ->
		  normalize_switch e#pos e' caselist
	      | JCPEwhile(test,inv,var,body) ->
		  normalize_while e#pos test inv var body
	      | JCPEfor(inits,test,updates,behs,var,body) ->
		  normalize_for e#pos inits test updates behs var body
	      | JCPEbreak lab ->
		  assert (lab = ""); (* TODO for Java *)
		  mkthrow ~pos:e#pos ~exn:loop_exit ()
	      | JCPEcontinue lab ->
		  assert (lab = ""); (* TODO for Java *)
		  mkthrow ~pos:e#pos ~exn:loop_continue ()
	      | JCPEblock elist ->
		  normalize_locvardecl e#pos elist
	      | _ -> e
	   )

(** Transform gotos *)
(* Build the structure of labels in a function body, using Huet's
   zipper, so as to identify 'structured' gotos, i.e., those gotos that
   go forward and do not enter scopes.
*)

let label_used = Hashtbl.create 17

type label_tree =
  | LabelItem of string
  | LabelBlock of label_tree list

(*
let rec printf_label_tree fmt lt =
  match lt with
    | LabelItem s -> fprintf fmt "%s" s
    | LabelBlock l ->
	fprintf fmt "{ %a }" (Pp.print_list Pp.space printf_label_tree ) l

let rec in_label_tree lab = function
  | LabelItem l -> l=lab
  | LabelBlock l -> in_label_tree_list lab l

and in_label_tree_list lab = function
  | [] -> false
  | h::r ->
      in_label_tree lab h || in_label_tree_list lab r
*)

let rec in_label_upper_tree_list lab = function
  | [] -> false
  | LabelItem l :: _ when l=lab -> true
  | _ :: r -> in_label_upper_tree_list lab r

let build_label_tree e : label_tree list =
  (* [acc] is the tree of labels for the list of statements that follow
     the current one, in the same block.
     [fwdacc] is the tree of labels for all the statements that follow
     the current one to the end of the function. It is used to identify
     unused labels.
  *)
  let rec build_bwd e (acc,fwdacc) =
    match e#node with
      | JCPEgoto lab ->
	  (* Count number of forward gotos. Labels with 0 count will
	     not be considered in generated try-catch. *)
	  if in_label_upper_tree_list lab fwdacc then
	    Hashtbl.add label_used lab ()
	  else
	    Jc_options.jc_error e#pos "unsupported goto (backward or to some inner block)";
	  acc,fwdacc
      | JCPElabel (lab, e) ->
	  let l,fwdl = build_bwd e ([],fwdacc) in
	  (LabelItem lab) :: (LabelBlock l) :: acc, (LabelItem lab) :: fwdl
      | JCPEblock sl ->
	  let l,fwdl = List.fold_right build_bwd sl ([],fwdacc) in
	  (LabelBlock l) :: acc, fwdl
      | _ ->
	  let elist = Jc_iterators.IPExpr.subs e in
	  LabelBlock
	    (List.map (fun e -> LabelBlock(fst (build_bwd e ([],fwdacc)))) elist)
	  :: acc, fwdacc
  in
  fst (build_bwd e ([],[]))

let goto_block pos el =
  let rec label_block el =
    match el with [] -> [],[] | e1::r ->
      let elr,labelr = label_block r in
      match e1#node with
	| JCPElabel(lab,e2) when Hashtbl.mem label_used lab ->
	    let e3 = mkblock ~pos ~exprs:(e2::elr) () in
	    let e4 = mklabel ~pos ~label:lab ~expr:e3 () in
	    [],(lab,[e4])::labelr
	| _ -> e1::elr,labelr
  in
  let el,labels = label_block el in
  let el = List.fold_left (fun acc (lab,el) ->
		    let id = goto_exception_for_label lab in
		    (* Throw expression in case of fall-through *)
		    let throw = mkthrow ~pos ~exn:id () in
		    [mktry ~pos
                       ~expr:(mkblock ~pos ~exprs:(acc@[throw]) ())
		       ~catches:
                       [mkcatch ~pos ~name:(tmp_var_name()) ~exn:id
			  ~body:(mkblock ~pos ~exprs:el ()) ()]
                       ()
		    ]
		 ) el labels
  in
  mkblock ~pos ~exprs:el ()

let rec goto e lz =
  let pos = e#pos in
  let enode,lz2 = match e#node with
    | JCPEgoto lab ->
	let id = goto_exception_for_label lab in
	JCPEthrow(id, mkvoid ()), lz
    | JCPElabel (lab,e1) ->
	let lz1 = match lz with
	  | LabelItem lab'::LabelBlock b1::after ->
	      assert (lab=lab');
	      b1@after
	  | _ -> assert false
	in
	let e2, lz2 = goto e1 lz1 in
	JCPElabel(lab,e2), lz2
    | JCPEblock el ->
	let lz1,lz2 = match lz with
	  | LabelBlock b1::after ->
	      b1@after,after
	  | _ -> assert false
	in
	let el,_ =
	  List.fold_left (fun (acc,lz1) e1 ->
			    let e2,lz2 = goto e1 lz1 in e2::acc,lz2
			 ) ([],lz1) el
	in
	let el = List.rev el in
	(goto_block pos el)#node, lz2
    | _ ->
	let elist = Jc_iterators.IPExpr.subs e in
	let lz1list,lz2 = match lz with
	  | LabelBlock b1::after ->
	      List.map
		(function LabelBlock b -> b@after | _ -> assert false) b1,
	      after
	  | _ -> assert false
	in
	let elist,_ = List.split (List.map2 goto elist lz1list) in
	(Jc_iterators.replace_sub_pexpr e elist)#node, lz2
  in new pexpr_with ~node:enode e, lz2


(**************************************************************************)
(* Translation                                                            *)
(**************************************************************************)

(** From parsed expression to normalized expression *)
let rec expr e =
  let enode = match e#node with
    | JCPEconst c -> JCNEconst c
    | JCPElabel(id,e) -> JCNElabel(id,expr e)
    | JCPEvar id -> JCNEvar id
    | JCPEderef(e,id) -> JCNEderef(expr e,id)
    | JCPEbinary(e1,op,e2) -> JCNEbinary(expr e1,op,expr e2)
    | JCPEunary(#unary_op as op,e) -> JCNEunary(op,expr e)
    | JCPEunary _ -> assert false
    | JCPEapp(id,lablist,elist) -> JCNEapp(id,lablist,List.map expr elist)
    | JCPEassign(e1,e2) -> JCNEassign(expr e1,expr e2)
    | JCPEassign_op _ -> assert false
    | JCPEinstanceof(e,id) -> JCNEinstanceof(expr e,id)
    | JCPEcast(e,id) -> JCNEcast(expr e,id)
    | JCPEquantifier(q,ty,idlist,trigs,e) ->
        JCNEquantifier(q,ty,idlist,List.map (List.map expr) trigs,expr e)
    | JCPEold e -> JCNEold(expr e)
    | JCPEat(e,lab) -> JCNEat(expr e,lab)
    | JCPEoffset(off,e) -> JCNEoffset(off,expr e)
    | JCPEfresh e -> JCNEfresh(expr e)
    | JCPEaddress(absolute,e) -> JCNEaddress(absolute,expr e)
    | JCPEbase_block(e) -> JCNEbase_block(expr e)
    | JCPEif(e1,e2,e3) -> JCNEif(expr e1,expr e2,expr e3)
    | JCPElet(tyopt,id,e1,e2) ->
	JCNElet(tyopt,id,Option_misc.map expr e1,expr e2)
    | JCPEdecl _ ->
	assert false
	(* (ty,name,initopt) ->  *)
(* 	JCNElet(Some ty,name,Option_misc.map expr initopt,expr (mkvoid())) *)
    | JCPErange(e1opt,e2opt) ->
	JCNErange(Option_misc.map expr e1opt,Option_misc.map expr e2opt)
    | JCPEalloc(e,id) -> JCNEalloc(expr e,id)
    | JCPEfree e -> JCNEfree(expr e)
    | JCPEmutable(e,tag) -> JCNEmutable(expr e,tag_ tag)
    | JCPEeqtype(tag1,tag2) -> JCNEeqtype(tag_ tag1,tag_ tag2)
    | JCPEsubtype(tag1,tag2) -> JCNEsubtype(tag_ tag1,tag_ tag2)
    | JCPEmatch(e,pelist) ->
	JCNEmatch(expr e,List.map (fun (pat,e) -> (pat,expr e)) pelist)
    | JCPEblock elist -> JCNEblock(List.map expr elist)
    | JCPEassert(behav,asrt,e) -> JCNEassert(behav,asrt,expr e)
    | JCPEcontract(req,dec,behs,e) ->
	JCNEcontract(Option_misc.map expr req,
		     Option_misc.map
		       (fun (t,r) -> (expr t,r)) dec,
		     List.map behavior behs,
		     expr e)
    | JCPEwhile(_,behs,vareopt,e) ->
	let behs = List.map loopbehavior behs in
	JCNEloop(behs,Option_misc.map (fun (v,r) -> (expr v,r)) vareopt,expr e)
    | JCPEfor _ -> assert false
    | JCPEreturn e ->
        begin match e#node with
          | JCPEconst JCCvoid -> JCNEreturn None
          | _ -> JCNEreturn(Some(expr e))
        end
    | JCPEbreak _ -> assert false
    | JCPEcontinue _ -> assert false
    | JCPEgoto _ -> assert false
    | JCPEtry(e,hlist,fe) ->
	let hlist = List.map (fun (id1,id2,e) -> (id1,id2,expr e)) hlist in
	JCNEtry(expr e,hlist,expr fe)
    | JCPEthrow(id, e) ->
	JCNEthrow(id, Some(expr e))
    | JCPEpack(e,idopt) -> JCNEpack(expr e,idopt)
    | JCPEunpack(e,idopt) -> JCNEunpack(expr e,idopt)
    | JCPEswitch _ -> assert false
  in
  new nexpr ~pos:e#pos enode

and tag_ tag =
  let tagnode = match tag#node with
    | JCPTtypeof e -> JCPTtypeof (expr e)
    | JCPTtag _ | JCPTbottom as tagnode -> tagnode
  in
  new ptag ~pos:tag#pos tagnode

and behavior (pos,id,idopt,e1opt,e2opt,asslist,alloclist,e3) =
  (pos,id,idopt,
   Option_misc.map expr e1opt,
   Option_misc.map expr e2opt,
   Option_misc.map (fun (pos,elist) -> pos,List.map expr elist) asslist,
   Option_misc.map (fun (pos,elist) -> pos,List.map expr elist) alloclist,
   expr e3)

and loopbehavior (ids,inv,asslist) =
  (ids,Option_misc.map expr inv,
   Option_misc.map (fun (pos,elist) -> pos,List.map expr elist) asslist)

let expr e =
  let e,_ = goto e (build_label_tree e) in
  let e = expr (normalize e) in
  (*
    let fmt = Format.std_formatter in
    Format.fprintf fmt "Normalized expression:@\n%a@\n@."
    Jc_noutput.expr e;
  *)
  e

(** From parsed clause to normalized clause *)
let clause = function
  | JCCrequires e -> JCCrequires(expr e)
  | JCCdecreases(e,r) -> JCCdecreases(expr e,r)
  | JCCbehavior b -> JCCbehavior(behavior b)


(** From parsed reads-or-expr to normalized reads-or-expr *)
let reads_or_expr = function
  | JCnone -> JCnone
  | JCreads elist -> JCreads(List.map expr elist)
  | JCexpr e -> JCexpr(expr e)
(*
  | JCaxiomatic l -> JCaxiomatic(List.map (fun (id,e) -> (id, expr e)) l)
*)
  | JCinductive l -> JCinductive(List.map (fun (id,labels,e) -> (id, labels, expr e)) l)

(** From parsed declaration to normalized declaration *)
let rec decl d =
  let dnode = match d#node with
    | JCDfun(ty,id,params,clauses,body) ->
	JCDfun(ty,id,params,List.map clause clauses,Option_misc.map expr body)
    | JCDenum_type(id,min,max) ->
	JCDenum_type(id,min,max)
    | JCDvariant_type(id, tags) ->
	JCDvariant_type(id, tags)
    | JCDunion_type(id,discr,tags) ->
	JCDunion_type(id,discr,tags)
    | JCDtag (id, params, extends, fields, invs) ->
	JCDtag (id, params, extends, fields,
		List.map (fun (id,name,e) -> id,name,expr e) invs)
    | JCDvar(ty,id,init) ->
	JCDvar(ty,id,Option_misc.map expr init)
    | JCDlemma(id,is_axiom,poly_args,lab,a) ->
	JCDlemma(id,is_axiom,poly_args,lab,expr a)
    | JCDglobal_inv(id,a) ->
	JCDglobal_inv(id,expr a)
    | JCDexception(id,ty) ->
	JCDexception(id,ty)
    | JCDlogic_var (ty, id, body) ->
	JCDlogic_var (ty, id, Option_misc.map expr body)
    | JCDlogic (ty, id, poly_args, labels, params, body) ->
	JCDlogic (ty, id, poly_args, labels, params, reads_or_expr body)
    | JCDaxiomatic(id,l) -> JCDaxiomatic(id,List.map decl l)
    | JCDlogic_type _
    | JCDint_model _
    | JCDabstract_domain _
    | JCDtermination_policy _
    | JCDannotation_policy _
    | JCDseparation_policy _
    | JCDinvariant_policy _
    | JCDpragma_gen_sep _
    | JCDpragma_gen_frame _
    | JCDpragma_gen_sub _
    | JCDpragma_gen_same _ as e -> e


  in new decl ~pos:d#pos dnode

let decls dlist =
  let unit_type = new ptype (JCPTnative Tunit) in
  [
    new decl (JCDexception(name_for_loop_exit,Some unit_type));
    new decl (JCDexception(name_for_loop_continue,Some unit_type));
    new decl (JCDexception(name_for_return_label,Some unit_type));
  ]
  @ Hashtbl.fold (fun _ exc acc ->
		    new decl (JCDexception(exc#name,Some unit_type))
		    :: acc
		 ) label_to_exception []
  @ List.map decl dlist

(*
  Local Variables:
  compile-command: "LC_ALL=C make -C .. bin/jessie.byte"
  End:
*)
why-2.39/jc/jc_env.mli0000644000106100004300000001416613147234006013604 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)


type termination_policy = TPalways | TPnever | TPuser

type float_format = [ `Double | `Float | `Binary80 ]

type native_type = 
    Tunit | Tboolean | Tinteger | Treal | Tgenfloat of float_format | Tstring

type inv_sem = InvNone | InvOwnership | InvArguments

type separation_sem = SepNone | SepRegions

type annotation_sem = 
    AnnotNone | AnnotInvariants | AnnotElimPre | AnnotStrongPre | AnnotWeakPre

type abstract_domain = AbsNone | AbsBox | AbsOct | AbsPol

type int_model = IMbounded | IMmodulo

type float_model = FMmath | FMdefensive | FMfull | FMmultirounding

type float_rounding_mode = 
    FRMDown | FRMNearestEven | FRMUp | FRMToZero | FRMNearestAway

type float_instruction_set = FISstrictIEEE754 | FISx87

type root_kind = Rvariant | RplainUnion | RdiscrUnion

type jc_type =
  | JCTnative of native_type
  | JCTlogic of (string * jc_type list)
  | JCTenum of enum_info
  | JCTpointer of pointer_class * Num.num option * Num.num option
  | JCTnull
  | JCTany (* used when typing (if ... then raise E else ...): 
              raise E is any *)
  | JCTtype_var of type_var_info

and type_var_info =  { jc_type_var_info_name : string;
                       jc_type_var_info_tag : int;
                       jc_type_var_info_univ : bool} 
(* The variable is universally quantified *)

and pointer_class =
  | JCtag of struct_info * jc_type list (* struct_info, type parameters *)
  | JCroot of root_info

and enum_info =
    { 
      jc_enum_info_name : string;
      jc_enum_info_min : Num.num;
      jc_enum_info_max : Num.num;
    }

and struct_info =
    { 
              jc_struct_info_params : type_var_info list;
              jc_struct_info_name : string;
      mutable jc_struct_info_parent : (struct_info * jc_type list) option;
      mutable jc_struct_info_hroot : struct_info;
      mutable jc_struct_info_fields : field_info list;
      mutable jc_struct_info_root : root_info option;
        (* only valid for root structures *)
    }

and root_info =
    {
      jc_root_info_name : string;
(*      mutable jc_root_info_tags : struct_info list;*)
      mutable jc_root_info_hroots : struct_info list;
(*      jc_root_info_open : bool;*)
      jc_root_info_kind : root_kind;
      mutable jc_root_info_union_size_in_bytes: int;
    }

and field_info =
    {
      jc_field_info_tag : int;
      jc_field_info_name : string;
      jc_field_info_final_name : string;
      jc_field_info_type : jc_type;
      jc_field_info_struct: struct_info;
        (* The structure in which the field is defined *)
      jc_field_info_hroot : struct_info;
        (* The root of the structure in which the field is defined *)
      jc_field_info_rep : bool; (* "rep" flag *)
      jc_field_info_abstract : bool; (* "abstract" flag *)
      jc_field_info_bitsize : int option;
        (* Size of the field in bits, optional *)
    }

type region = 
    {
      mutable jc_reg_variable : bool;
      mutable jc_reg_bitwise : bool;
      jc_reg_id : int;
      jc_reg_name : string;
      jc_reg_final_name : string;
      jc_reg_type : jc_type;
    }

type var_info = {
    jc_var_info_tag : int;
    jc_var_info_name : string;
    mutable jc_var_info_final_name : string;
    mutable jc_var_info_type : jc_type;
    mutable jc_var_info_region : region;
    mutable jc_var_info_formal : bool;
    mutable jc_var_info_assigned : bool;
    jc_var_info_static : bool;
  }

type exception_info =
    {
      jc_exception_info_tag : int;
      jc_exception_info_name : string;
      jc_exception_info_type : jc_type option;
    }

type label_info =
    { 
      label_info_name : string;
      label_info_final_name : string;
      mutable times_used : int;
    }

type label = 
  | LabelName of label_info
  | LabelHere
  | LabelPost
  | LabelPre
  | LabelOld

type alloc_class =
  | JCalloc_root of root_info
  | JCalloc_bitvector

type mem_class =
  | JCmem_field of field_info 
  | JCmem_plain_union of root_info
  | JCmem_bitvector

(*
Local Variables: 
compile-command: "unset LANG ; make -C .. byte"
End: 
*)
why-2.39/jc/jc_pattern.ml0000644000106100004300000001633713147234006014322 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

open Jc_pervasives
open Jc_name
open Jc_ast
open Jc_env
open Jc_interp_misc
open Output

module type TAssertionMaker = sig
  type t
  val make_subtag: term -> struct_info -> t
  val make_or: t -> t -> t
  val make_and: t -> t -> t
  val make_not: t -> t
  val make_false: t
  val make_true: t
  val make_eq: jc_type -> term -> term -> t
end

module Pattern(AM: TAssertionMaker) = struct
  (** [pattern arg ty pat] translates the pattern [pat] applied to the term
    [arg] which have a [jc_type] of [ty].
    Returns [notcond, cond, vars] where:
    [notcond] is an assertion equivalent to "the pattern cannot be applied";
    [cond] is an assertion equivalent to "the pattern can be applied" and giving
      the values of each binded variable;
    [vars] is a list of [name, user_name, ty] where [user_name] is a variable
      binded by the pattern, [name] its unique name used in [cond], and
      [ty] its [jc_type]. *)
  let rec pattern arg ty pat = match pat#node with
    | JCPstruct(st, fpl) ->
	let subtag = AM.make_subtag arg st in
	List.fold_left
	  (fun (accnotcond, acccond, accvars) (fi, pat) ->
	     let arg = make_select_fi fi arg in
	     let ty = fi.jc_field_info_type in
	     let notcond, cond, vars = pattern arg ty pat in
	     AM.make_or accnotcond notcond,
	     AM.make_and acccond cond,
	     accvars @ vars)
	  (AM.make_not subtag, subtag, [])
	  fpl
    | JCPvar vi ->
	AM.make_false,
	AM.make_eq ty (LVar vi.jc_var_info_final_name) arg,
	[vi.jc_var_info_final_name, ty]
    | JCPor(p1, p2) ->
      (* typing ensures that both patterns bind the same variables *)
	let notcond1, cond1, vars = pattern arg ty p1 in
	let notcond2, cond2, _ = pattern arg ty p2 in
	AM.make_and notcond1 notcond2,
	AM.make_or cond1 cond2,
	vars
    | JCPas(p, vi) ->
	let notcond, cond, vars = pattern arg ty p in
	notcond,
	AM.make_and
	  cond
	  (AM.make_eq ty (LVar vi.jc_var_info_final_name) arg),
	(vi.jc_var_info_final_name, ty)::vars
    | JCPany | JCPconst JCCvoid ->
	AM.make_false,
	AM.make_true,
	[]
    | JCPconst c ->
	let eq = AM.make_eq ty arg (LConst (const c)) in
	AM.make_not eq,
	eq,
	[]
end

module MakeAssertion = struct
  type t = Output.assertion

  let make_subtag x st =
    let r = Jc_region.dummy_region in
    make_subtag (make_typeof st r x) (LVar (tag_name st))
  let make_or a b = LOr(a, b)
  let make_and a b = LAnd(a, b)
  let make_not a = LNot a
  let make_false = LFalse
  let make_true = LTrue
  let make_eq _ = make_eq
end
module PatternAssertion = Pattern(MakeAssertion)

module MakeTerm = struct
  type t = Output.term

  let make_subtag x st =
    let r = Jc_region.dummy_region in
    make_subtag_bool (make_typeof st r x) (LVar (tag_name st))
  let make_or = make_or_term
  let make_and = make_and_term
  let make_not = make_not_term
  let make_false = LConst(Prim_bool false)
  let make_true = LConst(Prim_bool false)
  let make_eq = make_eq_term
end
module PatternTerm = Pattern(MakeTerm)

let make_blackbox_annot pre ty reads writes post exn_posts =
  mk_expr(BlackBox(Annot_type(pre, ty, reads, writes, post, exn_posts)))

let pattern_list_expr translate_body arg region ty pbl =
  List.fold_left
    (fun accbody (pat, body) ->
       let notcond, cond, vars = PatternAssertion.pattern arg ty pat in
       let body = translate_body body in
       let reads =
	 let ef = Jc_effect.pattern empty_effects (*LabelHere region*) pat in
	 all_effects ef
       in
       let writes = List.map fst vars in
       let post = LIf(LVar "result", cond, notcond) in
       let bbox = make_blackbox_annot LTrue bool_type reads writes post [] in
       let branch = List.fold_left
	 (fun acc (name, ty) ->
           mk_expr (Let_ref(name, any_value region ty, acc)))
         (mk_expr (If(bbox, body, accbody)))
	 vars
       in
       branch)
    (mk_expr Absurd)
    (List.rev pbl)

let pattern_list_term translate_body arg ty pbl default =
  (* Right now, all binders are put at the predicate level, so there might
     be problems (though variables are renamed so it should be ok).
     Will be better when (if) Why has Let binders at the term level. *)
  List.fold_left
    (fun (accbody, _acclets) (pat, body) ->
       let _, cond, vars = PatternTerm.pattern arg ty pat in
       let body = translate_body body in
       let body = make_if_term cond body accbody in
       let lets = List.map
	 (fun (n, ty) -> JCforall(n, tr_base_type ty))
	 vars
       in
       body, lets)
    (default, [])
    (List.rev pbl)

let pattern_list_assertion translate_body arg ty pbl default =
  List.fold_left
    (fun (accbody, accnotcond) (pat, body) ->
       (* not previous case => (forall vars, arg matches pattern => body) *)
       let notcond, cond, vars = PatternAssertion.pattern arg ty pat in
       let body = translate_body body in
       let case =
	 List.fold_left
	   (fun acc (n, ty) -> LForall(n, tr_base_type ty, [], acc))
	   (LImpl(cond, body))
	   vars
       in
       let full_case = LImpl(accnotcond, case) in
       LAnd(accbody, full_case), LAnd(accnotcond, notcond))
    (default, LTrue)
    pbl

(*
  Local Variables: 
  compile-command: "unset LANG; make -j -C .. bin/jessie.byte"
  End:
*)
why-2.39/jc/jc_iterators.mli0000644000106100004300000001547413147234006015033 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

(* {1 substitution in logic} *)

type term_subst = Jc_fenv.term Jc_envset.VarMap.t

val subst_term : term_subst -> Jc_fenv.term -> Jc_fenv.term

(* {2 miscellaneous} *)

(* spec ? *)
(*
val fold_term :
 ('a -> 'b Jc_ast.term -> 'a) -> 'a -> 'b Jc_ast.term -> 'a
*)

(* spec ? *)
val fold_term_in_assertion :
  ('a -> 'b Jc_ast.term -> 'a) -> 'a -> 'b Jc_ast.assertion -> 'a

(* spec ? *)
val iter_term : ('a Jc_ast.term -> unit) -> 'a Jc_ast.term -> unit

(* spec ? *)
val iter_term_and_assertion : 
  ('a Jc_ast.term -> unit) ->  ('a Jc_ast.assertion -> unit) 
  -> 'a Jc_ast.assertion -> unit

(* spec ? *)
val iter_location : 
  ('a Jc_ast.term -> unit) ->
  ('a Jc_ast.location -> unit) ->
  ('a Jc_ast.location_set -> unit) -> 'a Jc_ast.location -> unit

(* spec ? *)
val iter_expr_and_term_and_assertion :
  ('a Jc_ast.term -> unit) ->
  ('a Jc_ast.assertion -> unit) ->
  ('a Jc_ast.location -> unit) ->
  ('a Jc_ast.location_set -> unit) ->
  (('a, 'b) Jc_ast.expr -> unit) -> ('a, 'b) Jc_ast.expr -> unit
  

(* used only once in Jc_separation *)
val iter_funspec : 
  ('a Jc_ast.term -> unit) ->
  ('a Jc_ast.assertion -> unit) ->
  ('a Jc_ast.location -> unit) ->
  ('a Jc_ast.location_set -> unit) -> 'a Jc_ast.fun_spec -> unit

(* spec ? *)
val iter_pattern: (Jc_ast.pattern -> 'a) -> Jc_ast.pattern -> unit

(* spec ? *)
val map_term :
  (Jc_constructors.term_with -> Jc_fenv.logic_info Jc_ast.term) ->
  Jc_fenv.logic_info Jc_ast.term -> Jc_fenv.logic_info Jc_ast.term

(* spec ? *)
val map_term_in_assertion :
  (Jc_constructors.term_with -> Jc_fenv.logic_info Jc_ast.term) ->
  Jc_fenv.logic_info Jc_ast.assertion ->
  Jc_fenv.logic_info Jc_ast.assertion

(* spec ? *)
val fold_term : 
  ('a -> 'b Jc_ast.term -> 'a) -> 'a -> 'b Jc_ast.term -> 'a

(* spec ? *)
val fold_term_and_assertion :
  ('a -> 'b Jc_ast.term -> 'a) ->
  ('a -> 'b Jc_ast.assertion -> 'a) -> 'a -> 'b Jc_ast.assertion -> 'a

(* spec ? *)
val fold_rec_term : 
  ('a -> 'b Jc_ast.term -> bool * 'a) -> 'a -> 'b Jc_ast.term -> 'a

(* spec ? *)
val fold_rec_term_and_assertion :
  ('a -> 'b Jc_ast.term -> bool * 'a) ->
  ('a -> 'b Jc_ast.assertion -> bool * 'a) ->
  'a -> 'b Jc_ast.assertion -> 'a

(* spec ? *)
val fold_rec_location : 
  ('a -> 'b Jc_ast.term -> bool * 'a) ->
  ('a -> 'b Jc_ast.location -> bool * 'a) ->
  ('a -> 'b Jc_ast.location_set -> bool * 'a) ->
  'a -> 'b Jc_ast.location -> 'a

val fold_rec_expr_and_term_and_assertion : 
  ('a -> 'b Jc_ast.term -> bool * 'a) ->
  ('a -> 'b Jc_ast.assertion -> bool * 'a) ->
  ('a -> 'b Jc_ast.location -> bool * 'a) ->
  ('a -> 'b Jc_ast.location_set -> bool * 'a) ->
  ('a -> ('b, 'c) Jc_ast.expr -> bool * 'a) ->
  'a -> ('b, 'c) Jc_ast.expr -> 'a

(*
val fold_rec_behavior: 
  ('a -> 'b Jc_ast.term -> bool * 'a) ->
  ('a -> 'b Jc_ast.assertion -> bool * 'a) ->
  ('a -> 'b Jc_ast.location -> bool * 'a) ->
  ('a -> 'b Jc_ast.location_set -> bool * 'a) ->
  'a -> 'b Jc_ast.behavior -> 'a
*)

module IPExpr : sig

  (* spec ?
     This function is used only once, in Jc_norm 
     -> should be erased
  *)
  val fold_left : ('a -> Jc_ast.pexpr -> 'a) -> 'a -> Jc_ast.pexpr -> 'a

  (* Used twice in Jc_norm. spec ? *) 
  val subs : Jc_ast.pexpr -> Jc_ast.pexpr list

end

(* spec ? *)
val replace_sub_pexpr : 
    < node : Jc_ast.pexpr_node; pos : Loc.position; .. > ->
    Jc_ast.pexpr list -> Jc_constructors.pexpr_with

(* spec ?
   This function is used only once, in Jc_norm 
   -> should be erased
*)
val map_pexpr : 
  ?before:(Jc_ast.pexpr -> Jc_ast.pexpr) ->
  ?after:(Jc_constructors.pexpr_with -> Jc_constructors.pexpr_with) ->
  Jc_ast.pexpr -> Jc_ast.pexpr


(* spec ?
   This function is used only once, in Jc_annot_inference
   -> should be erased
*)
val map_expr :
  ?before:((Jc_fenv.logic_info, Jc_fenv.fun_info) Jc_ast.expr ->
             (Jc_fenv.logic_info, Jc_fenv.fun_info) Jc_ast.expr) ->
  ?after:(Jc_constructors.expr_with -> Jc_constructors.expr_with) ->
  (Jc_fenv.logic_info, Jc_fenv.fun_info) Jc_ast.expr ->
  (Jc_fenv.logic_info, Jc_fenv.fun_info) Jc_ast.expr

val replace_sub_expr :
  < mark : string; node : Jc_fenv.expr_node;
  original_type : Jc_env.jc_type; pos : Loc.position;
  region : Jc_env.region; typ : Jc_env.jc_type; .. > ->
    (Jc_fenv.logic_info, Jc_fenv.fun_info) Jc_ast.expr list ->
    Jc_constructors.expr_with


module ITerm : sig
  type t = Jc_constructors.term
  val iter : (t -> unit) -> t -> unit
end

module INExpr : sig

  (* spec ? *)
  val subs: Jc_ast.nexpr -> Jc_ast.nexpr list
end

module IExpr : sig

  type t = Jc_constructors.expr

  (* spec ? *)
  val fold_left : ('a -> t -> 'a) -> 'a -> t -> 'a

  val subs : t -> t list 

end


(*
Local Variables: 
compile-command: "LC_ALL=C make -C .. bin/jessie.byte"
End: 
*)
why-2.39/jc/jc_options.ml0000644000106100004300000002315613147234006014335 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



open Jc_stdlib
open Format
open Jc_env
open Jc_common_options

(*s The log file *)

let c = ref stdout

let log =
  c := open_out "jessie.log";
  Format.formatter_of_out_channel !c

let lprintf s = Format.fprintf log s

let close_log () =
  lprintf "End of log.@.";
  close_out !c;
  c := stdout

(*s environment variables *)

let libdir =
  try
    let v = Sys.getenv "WHYLIB" in
    lprintf "WHYLIB is set to %s@." v;
    v
  with Not_found ->
    let p = Version.libdir in
    lprintf "WHYLIB is not set, using %s as default@." p;
    p

let has_floats = ref false

let float_model : float_model ref = ref FMdefensive

let float_instruction_set : float_instruction_set ref = ref FISstrictIEEE754

let libfiles = ref []

let add_to_libfiles s = libfiles := s :: !libfiles
let get_libfiles () = List.rev !libfiles

(*s command-line options *)

let parse_only = ref false
let type_only = ref false
let user_annot_only = ref false
let print_graph = ref false
let gen_only = ref false
let why3_cmd = ref ""

let verify_all_offsets = ref false
let verify_invariants_only = ref false
let verify = ref []
let behavior = ref []

let add_why3_cmd s =
  if !why3_cmd = "" then why3_cmd := s else
    raise (Arg.Bad "option -why3cmd cannot be given twice")

let annotation_sem = ref AnnotNone
let ai_domain = ref AbsNone

let current_rounding_mode = ref FRMNearestEven

let termination_policy = ref Jc_env.TPalways

let int_model = ref IMbounded
let interprocedural = ref false
let main = ref ""
let trust_ai = ref false
let fast_ai = ref false

let gen_frame_rule_with_ft = ref false

let files_ = ref []
let add_file f = files_ := f :: !files_
let files () = List.rev !files_

let pos_files = ref []
let pos_table = Hashtbl.create 97

let version () =
  Format.printf Version.banner "Jessie" Version.version;
  exit 0

let usage = "jessie [options] files"

let _ =
  Arg.parse
      [ "-parse-only", Arg.Set parse_only,
	  "  stops after parsing";
        "-type-only", Arg.Set type_only,
	  "  stops after typing";
        "-user-annot-only", Arg.Set user_annot_only,
	  "  check only user-defined annotations (i.e. safety is assumed)";
        "-print-call-graph", Arg.Set print_graph,
	  "  stops after call graph and print call graph";
        "-gen-only", Arg.Set gen_only,
	  "  stops after generating intermediate Why3 code";
        "-d", Arg.Set debug,
          "  debugging mode";
	"-locs", Arg.String (fun f -> pos_files := f :: !pos_files),
	  "   reads source locations from file f" ;
        "-behavior", Arg.String (fun s -> behavior := s::!behavior),
	  "  verify only specified behavior (safety, variant, default or user-defined behavior)";
        "-why3cmd", Arg.String add_why3_cmd,
	  "    (default: ide)";
	"-v", Arg.Set verbose,
          "  verbose mode";
	"-q", Arg.Clear verbose,
          "  quiet mode (default)";
(* 	"-ai", Arg.Tuple [ *)
(* 	  Arg.String (fun s -> ai_domain := s);  *)
(* 	  Arg.Set annot_infer], *)
(*           "   performs annotation inference" *)
(*           ^ " with abstract interpretation using the Box, Octagon" *)
(*           ^ " or Polyhedron domain, or with weakest preconditions or with both"; *)
	"-main", Arg.Tuple [Arg.Set interprocedural; Arg.Set_string main],
	  "  main function for interprocedural abstract interpretation (needs -ai )";
	"-fast-ai", Arg.Set fast_ai,
	  "  fast ai (needs -ai  and -main )";
	"-trust-ai", Arg.Set trust_ai,
	  "  verify inferred annotations (needs -ai )";
	"-separation", Arg.Unit (fun () -> separation_sem := SepRegions),
	  "  apply region-based separation on pointers";
	"--werror", Arg.Set werror,
          "  treats warnings as errors";
	"--version", Arg.Unit version,
          "  prints version and exit";
(*
	"-inv-sem", Arg.String
	  (function
	     | "none" -> inv_sem := InvNone
	     | "ownership" -> inv_sem := InvOwnership
	     | "arguments" -> inv_sem := InvArguments
	     | s -> raise (Arg.Bad ("Unknown mode: "^s))),
	  "    sets the semantics of invariants (available modes: none, ownership, arguments)";
*)
	"-all-offsets", Arg.Set verify_all_offsets,
	  "  generate vcs for all pointer offsets";
	"-invariants-only", Arg.Set verify_invariants_only,
	  "  verify invariants only (Arguments policy)";
	"-verify", Arg.String (function s -> verify := s::!verify),
	  "  verify only these functions";
        "-gen_frame_rule_with_ft", Arg.Set gen_frame_rule_with_ft,
        "Experimental : Generate frame rule for predicates and logic functions using only their definitions";
      ]
      add_file usage

let () =
  if !trust_ai && !int_model = IMmodulo then
    (Format.eprintf "cannot trust abstract interpretation \
in modulo integer model";
     assert false)

let usage () =
  eprintf "usage: %s@." usage;
  exit 2

let parse_only = !parse_only
let type_only = !type_only
(* dead code
let user_annot_only = !user_annot_only
*)
let print_graph = !print_graph
let gen_only = !gen_only
let debug = !debug
let verbose = !verbose
let werror = !werror
let why3_backend = true
let why3_cmd = if !why3_cmd = "" then "ide" else !why3_cmd
let inv_sem = inv_sem
let separation_sem = separation_sem
let trust_ai = !trust_ai
let fast_ai = !fast_ai

let verify_all_offsets = !verify_all_offsets
let verify_invariants_only = !verify_invariants_only
let verify = !verify
let interprocedural = !interprocedural
let main = !main
let behavior = !behavior

let gen_frame_rule_with_ft = !gen_frame_rule_with_ft
let () = if gen_frame_rule_with_ft then libfiles := "mybag.why"::!libfiles

let verify_behavior s =
  behavior = [] || List.mem s behavior

let set_int_model im =
  if im = IMmodulo && trust_ai then
    (Format.eprintf "cannot trust abstract interpretation \
in modulo integer model";
     assert false)
  else
    int_model := im

let set_float_model fm = float_model := fm


(*s error handling *)

exception Jc_error of Loc.position * string

let jc_error l f =
  Format.ksprintf
    (fun s -> raise (Jc_error(l, s))) f

let parsing_error l f =
  Format.ksprintf
    (fun s ->
       let s = if s="" then s else " ("^s^")" in
       raise (Jc_error(l, "syntax error" ^ s))) f

(*s pos table *)

let kind_of_ident = function
  | "ArithOverflow" -> Output.ArithOverflow
  | "DownCast" -> Output.DownCast
  | "IndexBounds" -> Output.IndexBounds
  | "PointerDeref" -> Output.PointerDeref
  | "UserCall" -> Output.UserCall
  | "DivByZero" -> Output.DivByZero
  | "AllocSize" -> Output.AllocSize
  | "Pack" ->  Output.Pack
  | "Unpack" -> Output.Unpack
  | _ -> raise Not_found

let () =
  List.iter
    (fun f ->
       let l = Rc.from_file f in
       List.iter
	 (fun (id,fs) ->
	    let (f,l,b,e,k,o) =
	      List.fold_left
		(fun (f,l,b,e,k,o) v ->
		   match v with
		     | "file", Rc.RCstring f -> (f,l,b,e,k,o)
		     | "line", Rc.RCint l -> (f,l,b,e,k,o)
		     | "begin", Rc.RCint b -> (f,l,b,e,k,o)
		     | "end", Rc.RCint e -> (f,l,b,e,k,o)
		     | "kind", Rc.RCident s ->
			 let k =
			   try
			     Some (kind_of_ident s)
			   with Not_found -> None
			 in
			 (f,l,b,e,k,o)
		     | _ -> (f,l,b,e,k,v::o))
		("",0,0,0,None,[]) fs
	    in
	    Hashtbl.add pos_table id (f,l,b,e,k,o))
	 l)
    !pos_files

let position_of_label name =
  let position f l c = {
    Lexing.pos_fname = f;
    Lexing.pos_lnum = l;
    Lexing.pos_bol = 0;
    Lexing.pos_cnum = c;
  } in
  try
    let (f,l,b,e,_k,_o) = Hashtbl.find pos_table name in
    Some (position f l b, position f l e)
  with Not_found -> None


(*
Local Variables:
compile-command: "unset LANG; make -C .. bin/jessie.byte"
End:
*)
why-2.39/jc/jc_lexer.mli0000644000106100004300000000461513147234006014131 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



open Jc_ast

exception Lexical_error of Loc.position * string

(*
exception Syntax_error of Loc.position
*)

val token : Lexing.lexbuf -> Jc_parser.token

val parse  : string -> in_channel -> pexpr decl list

why-2.39/jc/jc_type_var.mli0000644000106100004300000001027713147234006014644 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



open Jc_env

(** Type variables: unification, generalization, ... *)

(** The type of type variables. *)
type t = type_var_info

(** Obtain a fresh type variable. *)
val type_var_from_string: ?univ:bool -> string -> t
(** Univ set if the variable is universally quantified (prenex)
    The argument is the name of the variable.
It can be anything, it shall only be used for pretty-printing purposes. *)

(** Unique ID of a variable, different for each variable, even if it is
quantified. *)
val uid: t -> int

(** The name of a variable, which should only be used for
pretty-printing purposes. *)
val name: t -> string

(** The unique name of a variable, which is composed of its name and its UID. *)
val uname: t -> string

(** The environnement of unification *)
type env

(** The type of function used in case of unification error *)
type typing_error = {f : 'a. Loc.position -> ('a, Format.formatter, unit, unit) format4 -> 'a}

val create : typing_error -> env
val reset : env -> unit

(** Add a universally quantified type var to substitute with the string
    invalid_argument is raised if the string is yet bind *)
val add_type_var : env -> string -> t

(** Try to get a universally quantified var from a string 
    Not_found is raised if there is no binding*)
val find_type_var : env -> string -> t

(** Add an equality for unification of logic type variable*)
val add : ?subtype:bool -> env ->  Loc.position -> jc_type -> jc_type -> unit

val subst : env -> jc_type -> jc_type

(** Get instances of a list of type variables, 
    return a substitution function *)
val instance : t list -> (jc_type -> jc_type)

(** Print the set of universally quantified type variables,
    and the set of equalities *)
val print : Format.formatter -> env -> unit

(** Substitute in an assertion the type variable which are in
    the environnement env *)
val subst_type_in_assertion : 
  env -> 
  Jc_fenv.logic_info Jc_ast.assertion -> 
  Jc_fenv.logic_info Jc_ast.assertion

(*
Local Variables: 
compile-command: "unset LANG ; make -C .. byte"
End: 
*)
why-2.39/jc/jc_envset.ml0000644000106100004300000002147313147234006014146 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



open Jc_stdlib
open Jc_env

module type OrderedType =
sig
  type t
  val equal : t -> t -> bool
  val compare : t -> t -> int
end

module type OrderedHashedType =
sig
  type t
  val equal : t -> t -> bool
  val compare : t -> t -> int
  val hash : t -> int
end

(* dead code
module ChoiceOrd(A : OrderedHashedType)(B : OrderedHashedType) =
struct
  type t = A of A.t | B of B.t
  let equal = function
    | A a1,A a2 -> A.equal a1 a2
    | B b1,B b2 -> B.equal b1 b2
    | _ -> false
  let compare = function
    | A a1,A a2 -> A.compare a1 a2
    | B b1,B b2 -> B.compare b1 b2
    | A _,_ -> 1
    | B _,_ -> -1
  let hash = function
    | A a -> A.hash a
    | B b -> B.hash b
end
*)

module StringSet = Set.Make(String)

module StringMap = Map.Make(String)

(* used names (in order to rename identifiers when necessary) *)
let used_names = Hashtbl.create 97

let mark_as_used x = 
  Hashtbl.add used_names x ()

let () = 
  List.iter mark_as_used 
    [ (* Why keywords *)
      "absurd"; "and"; "array"; "as"; "assert"; "axiom"; "begin";
      "bool"; "do"; "done"; "else"; "end"; "exception"; "exists";
      "external"; "false"; "for"; "forall"; "fun"; "function"; "goal";
      "if"; "in"; "int"; "invariant"; "label"; "let"; "logic"; "not";
      "of"; "or"; "parameter"; "predicate"; "prop"; "raise"; "raises";
      "reads"; "real"; "rec"; "ref"; "result"; "returns"; "then"; "true"; "try";
      "type"; "unit"; "variant"; "void"; "while"; "with"; "writes"; "init";
      (* Why prelude *)
      "exp" ; "log" ; "sin" ; "cos" ; "tan" ; "sqr_real" ; "atan" ; 
      (* jessie generated names *)
      "shift"
      (* "global" ; "alloc"  *)
    ]

let is_used_name n = Hashtbl.mem used_names n

let use_name ?local_names n = 
  if is_used_name n then raise Exit; 
  begin match local_names with 
    | Some h -> if StringSet.mem n h then raise Exit 
    | None -> () 
  end;
  mark_as_used n;
  n

let rec next_name ?local_names n i = 
  let n_i = n ^ "_" ^ string_of_int i in
  try use_name ?local_names n_i 
  with Exit -> next_name ?local_names n (succ i)

let get_unique_name ?local_names n = 
  try use_name ?local_names n 
  with Exit -> next_name ?local_names n 0

let is_pointer_type t =
  match t with
    | JCTnull -> true
    | JCTpointer _ -> true
    | _ -> false

let is_nonnull_pointer_type t =
  match t with
    | JCTpointer _ -> true
    | _ -> false

let is_integral_type = function
  | JCTnative Tinteger -> true
  | JCTenum _ -> true 
  | JCTnative _ | JCTlogic _ | JCTpointer _ | JCTnull | JCTany
  | JCTtype_var _ -> false

let is_embedded_field fi =
  match fi.jc_field_info_type with
    | JCTpointer(_,Some _,Some _) -> true
    | _ -> false

module type Tag =
  sig
    type t
    val tag_of_val : t -> int
  end

module OrderedHashedTypeOfTag (X:Tag) : OrderedHashedType with type t = X.t =
struct
  type t = X.t
  let compare v1 v2 = Pervasives.compare (X.tag_of_val v1) (X.tag_of_val v2)
  let equal v1 v2 = (X.tag_of_val v1) = (X.tag_of_val v2)
  let hash v = Hashtbl.hash (X.tag_of_val v)
end

module VarOrd = OrderedHashedTypeOfTag 
  (struct type t = var_info
          let tag_of_val x = x.jc_var_info_tag
   end)

module VarSet = Set.Make(VarOrd)

module VarMap = Map.Make(VarOrd)

module StructOrd =
  struct type t = struct_info
	 let compare st1 st2 = 
	   Pervasives.compare 
	     st1.jc_struct_info_name st2.jc_struct_info_name
	 let equal st1 st2 =
	   st1.jc_struct_info_name = st2.jc_struct_info_name
	 let hash st =
	   Hashtbl.hash st.jc_struct_info_name 
  end

module StructSet = Set.Make(StructOrd)

module StructMap = Map.Make(StructOrd)

module VariantOrd = struct
  type t = root_info
  let compare v1 v2 = 
    Pervasives.compare v1.jc_root_info_name v2.jc_root_info_name
  let equal v1 v2 =
    v1.jc_root_info_name = v2.jc_root_info_name
  let hash v =
    Hashtbl.hash v.jc_root_info_name 
end

module VariantSet = Set.Make(VariantOrd)

module VariantMap = Map.Make(VariantOrd)

module FieldOrd =  OrderedHashedTypeOfTag 
  (struct type t = field_info
          let tag_of_val x = x.jc_field_info_tag
   end)

module FieldSet = Set.Make(FieldOrd)

module FieldMap = Map.Make(FieldOrd)
module FieldTable = Hashtbl.Make(FieldOrd)

module MemClass = 
struct
  type t = mem_class
  let equal fv1 fv2 = match fv1,fv2 with
    | JCmem_field a1,JCmem_field a2 -> FieldOrd.equal a1 a2
    | JCmem_plain_union b1,JCmem_plain_union b2 -> VariantOrd.equal b1 b2
    | JCmem_bitvector,JCmem_bitvector -> true
    | _ -> false
  let compare fv1 fv2 = match fv1,fv2 with
    | JCmem_field a1,JCmem_field a2 -> FieldOrd.compare a1 a2
    | JCmem_plain_union b1,JCmem_plain_union b2 -> VariantOrd.compare b1 b2
    | JCmem_bitvector,JCmem_bitvector -> 0
    | JCmem_field _,_ -> 1
    | _,JCmem_field _ -> -1
    | JCmem_plain_union _,_ -> 1
    | _,JCmem_plain_union _ -> -1
  let hash = function
    | JCmem_field a -> FieldOrd.hash a
    | JCmem_plain_union b -> VariantOrd.hash b
    | JCmem_bitvector -> 0
end

module MemClassSet = Set.Make(MemClass)

module AllocClass = 
struct
  type t = alloc_class
  let equal fv1 fv2 = match fv1,fv2 with
    | JCalloc_root st1,JCalloc_root st2 -> VariantOrd.equal st1 st2
    | JCalloc_bitvector,JCalloc_bitvector -> true
    | _ -> false
  let compare fv1 fv2 = match fv1,fv2 with
    | JCalloc_root a1,JCalloc_root a2 -> VariantOrd.compare a1 a2
    | JCalloc_bitvector,JCalloc_bitvector -> 0
    | JCalloc_root _,_ -> 1
    | _,JCalloc_root _ -> -1
  let hash = function
    | JCalloc_root a -> VariantOrd.hash a
    | JCalloc_bitvector -> 0
end

(* TODO: take into account type parameters *)
module PointerClass = 
struct
  type t = pointer_class
  let equal fv1 fv2 = match fv1,fv2 with
    | JCtag(st1,_),JCtag(st2,_) -> StructOrd.equal st1 st2
    | JCroot vi1,JCroot vi2 -> VariantOrd.equal vi1 vi2
    | _ -> false
  let compare fv1 fv2 = match fv1,fv2 with
    | JCtag(a1,_),JCtag(a2,_) -> StructOrd.compare a1 a2
    | JCroot b1,JCroot b2 -> VariantOrd.compare b1 b2
    | JCtag _,_ -> 1
    | _,JCtag _ -> -1
  let hash = function
    | JCtag(a,_) -> StructOrd.hash a
    | JCroot b -> VariantOrd.hash b
end

module ExceptionOrd =  OrderedHashedTypeOfTag 
  (struct type t = exception_info
          let tag_of_val x = x.jc_exception_info_tag
   end)  

module ExceptionSet = Set.Make(ExceptionOrd)

module ExceptionMap = Map.Make(ExceptionOrd)

module LogicLabelOrd =
  struct type t = label
	 let compare = (Pervasives.compare : label -> label -> int)
  end

module LogicLabelSet = Set.Make(LogicLabelOrd)

module TypeVarOrd = OrderedHashedTypeOfTag 
  (struct type t = type_var_info
          let tag_of_val x = x.jc_type_var_info_tag
   end)

module TypeVarMap = Map.Make(TypeVarOrd)

(*
Local Variables: 
compile-command: "LC_ALL=C make -C .. bin/jessie.byte"
End: 
*)
why-2.39/jc/jc_interp_misc.ml0000644000106100004300000024470413147234006015162 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

open Jc_stdlib
open Jc_env
open Jc_envset
open Jc_region
open Jc_ast
open Jc_fenv

open Jc_name
open Jc_constructors
open Jc_pervasives
open Jc_struct_tools
open Jc_effect

open Output
open Format

(* The following functions should be eliminated eventually, but before,
 * effect.ml must be redone.
 * They are here, and not in Jc_name, so that Krakatoa do not depends on
 * Jc_typing. *)

let find_struct a =
(*
  Format.printf "[find_struct] %s@." a;
*)
  fst (StringHashtblIter.find Jc_typing.structs_table a)

(*
let find_variant a =
  StringHashtblIter.find Jc_typing.roots_table a
*)

(*
let find_pointer_class a =
  try
    JCtag (find_struct a, []) (* TODO: fill parameters ? *)
  with Not_found ->
    JCroot (find_variant a)
*)

let mutable_name2 a =
  mutable_name (JCtag (find_struct a, []))

let committed_name2 a =
  committed_name (JCtag (find_struct a, []))

let logic_enum_of_int ri = ri.jc_enum_info_name ^ "_of_integer"
let safe_fun_enum_of_int ri = "safe_" ^ ri.jc_enum_info_name ^ "_of_integer_"
(* Yannick: why have both logic_enum_of_int and safe_fun_enum_of_int? *)
let fun_enum_of_int ri = ri.jc_enum_info_name ^ "_of_integer_"
let logic_int_of_enum ri = "integer_of_" ^ ri.jc_enum_info_name
let mod_of_enum ri = "mod_" ^ ri.jc_enum_info_name ^ "_of_integer"
let fun_any_enum ri = "any_" ^ ri.jc_enum_info_name
let eq_of_enum ri = "eq_" ^ ri.jc_enum_info_name


let logic_bitvector_of_enum ri = "bitvector_of_" ^ ri.jc_enum_info_name
let logic_enum_of_bitvector ri = ri.jc_enum_info_name  ^ "_of_bitvector"

let logic_integer_of_bitvector = "integer_of_bitvector"
let logic_bitvector_of_integer = "bitvector_of_integer"
let logic_real_of_bitvector = "real_of_bitvector"

let native_name = function
  | Tunit -> "unit"
  | Tboolean -> "boolean"
  | Tinteger -> "integer"
  | Treal -> "real"
  | Tgenfloat `Double -> "double"
  | Tgenfloat `Float -> "single"
  | Tgenfloat `Binary80 -> "binary80"
  | Tstring -> "string"

(* let logic_bitvector_of_native nty = "bitvector_of_" ^ (native_name nty) *)
(* let logic_native_of_bitvector nty = (native_name nty) ^ "_of_bitvector" *)

let logic_bitvector_of_variant vi = "bitvector_of_" ^ vi.jc_root_info_name
let logic_variant_of_bitvector vi = vi.jc_root_info_name ^ "_of_bitvector"

let logic_union_of_field fi = "bitvector_of_" ^ fi.jc_field_info_name
let logic_field_of_union fi = fi.jc_field_info_name ^ "_of_bitvector"


(*
let why_name_of_format = function
  | `Float -> "Single"
  | `Double -> "Double"
  | `Binary80 -> "Binary80"
*)

(* functions to make Why expressions *)

let make_if_term cond a b =
  LApp("ite", [ cond; a; b ])

let make_eq_term ty a b =
  let eq = match ty with
    | JCTpointer _ | JCTnull -> "eq_pointer_bool"
    | JCTenum _ | JCTlogic _ | JCTany -> assert false
    | JCTnative Tunit -> "eq_unit_bool"
    | JCTnative Tboolean -> "eq_bool_bool"
    | JCTnative Tinteger -> "eq_int_bool"
    | JCTnative Treal -> "eq_real_bool"
    | JCTnative (Tgenfloat f) -> ("eq_"^(native_name (Tgenfloat f)))
    | JCTnative Tstring -> "eq_string_bool"
    | JCTtype_var _ -> assert false (* TODO: need environment *)
  in
  LApp(eq, [a; b])

let make_eq_pred ty a b =
  let eq = match ty with
    | JCTpointer _ | JCTnull -> "eq"
    | JCTenum ri -> eq_of_enum ri
    | JCTlogic _ | JCTany -> assert false
    | JCTnative Tunit -> "eq_unit"
    | JCTnative Tboolean -> "eq_bool"
    | JCTnative Tinteger -> "eq_int"
    | JCTnative Treal -> "eq_real"
    | JCTnative (Tgenfloat f) -> ("eq_"^(native_name (Tgenfloat f)))
    | JCTnative Tstring -> "eq_string"
    | JCTtype_var _ -> assert false (* TODO: need environment *)
  in
  LPred(eq, [a; b])

let make_and_term a b =
  make_if_term a b (LConst(Prim_bool false))

let make_or_term a b =
  make_if_term a (LConst(Prim_bool true)) b

let make_not_term a =
  make_if_term a (LConst(Prim_bool false)) (LConst(Prim_bool true))

let make_eq a b =
  LPred("eq", [ a; b ])

let make_le a b =
  LPred("le", [ a; b ])

let make_ge a b =
  LPred("ge", [ a; b ])

let make_select f this =
  LApp("select", [ f; this ])

let make_select_fi fi =
  make_select (LVar (field_memory_name fi))

let make_select_committed pc =
  make_select (LVar (committed_name pc))

let make_typeof_vi (vi,r) x =
  LApp("typeof", [ LVar (tag_table_name (vi,r)); x ])

let make_typeof st r x =
  make_typeof_vi (struct_root st,r) x

let make_subtag t u =
  LPred("subtag", [ t; u ])

let make_subtag_bool t u =
  LApp("subtag_bool", [ t; u ])

let make_instanceof tt p st =
  LPred("instanceof", [ tt; p; LVar (tag_name st) ])

let make_offset_min ac p =
  LApp("offset_min", [LVar(generic_alloc_table_name ac); p])

let make_offset_max ac p =
  LApp("offset_max", [LVar(generic_alloc_table_name ac); p])

let make_int_of_tag st =
  LApp("int_of_tag", [LVar(tag_name st)])



(*
let pc_of_name name = JCtag (find_struct name, []) (* TODO: parameters *)
*)


let const c =
  match c with
    | JCCvoid -> Prim_void
    | JCCnull -> assert false
    | JCCreal s -> Prim_real s
    | JCCinteger s -> Prim_int (Num.string_of_num (Numconst.integer s))
    | JCCboolean b -> Prim_bool b
    | JCCstring _s -> assert false (* TODO *)

type forall_or_let =
  | JCforall of string * Output.logic_type
  | JClet of string * Output.term


(******************************************************************************)
(*                              environment                                   *)
(******************************************************************************)

let current_behavior : string option ref = ref None
let set_current_behavior behav = current_behavior := Some behav
let reset_current_behavior () = current_behavior := None
let get_current_behavior () =
  match !current_behavior with None -> assert false | Some behav -> behav
let safety_checking () = get_current_behavior () = "safety"
let variant_checking () =
  let behv = get_current_behavior () in
  behv = "safety" || behv = "variant"

let is_current_behavior id = id = get_current_behavior ()

let in_behavior b lb =
  match lb with
    | [] -> b = "default"
    | _ -> List.exists (fun behav -> behav#name = b) lb

let in_current_behavior b = in_behavior (get_current_behavior ()) b

let in_default_behavior b = in_behavior "default" b



let current_spec : fun_spec option ref = ref None
let set_current_spec s = current_spec := Some s
let reset_current_spec () = current_spec := None
let get_current_spec () =
  match !current_spec with None -> assert false | Some s -> s

(*
let current_fun : fun_info option ref = ref None
let set_current_fun s = current_fun := Some s
let reset_current_fun () = current_fun := None
let get_current_fun () =
  match !current_fun with None -> assert false | Some s -> s
*)

let fresh_loop_label =
  let c = ref 0 in
  fun () -> incr c;
    let n = "loop_" ^ string_of_int !c in
    { label_info_name = n;
      label_info_final_name = n;
      times_used = 1 }

(******************************************************************************)
(*                                   types                                    *)
(******************************************************************************)

(* basic model types *)

let why_integer_type = simple_logic_type "int"
let why_unit_type = simple_logic_type "unit"

let root_model_type vi =
  simple_logic_type (root_type_name vi)

(*
let struct_model_type st =
  root_model_type (struct_root st)
*)

let pointer_class_model_type pc =
  root_model_type (pointer_class_root pc)

let bitvector_type = simple_logic_type bitvector_type_name

let alloc_class_type = function
  | JCalloc_root vi -> root_model_type vi
  | JCalloc_bitvector -> why_unit_type

let memory_class_type mc =
  alloc_class_type (alloc_class_of_mem_class mc)

(* raw types *)

let raw_pointer_type ty' =
  { logic_type_name = pointer_type_name;
    logic_type_args = [ty']; }

let raw_pset_type ty' =
  { logic_type_name = pset_type_name;
    logic_type_args = [ty']; }

let raw_alloc_table_type ty' =
  { logic_type_name = alloc_table_type_name;
    logic_type_args = [ty']; }

let raw_tag_table_type ty' =
  { logic_type_name = tag_table_type_name;
    logic_type_args = [ty']; }

let raw_tag_id_type ty' =
  { logic_type_name = tag_id_type_name;
    logic_type_args = [ty']; }

let raw_memory_type ty1' ty2' =
  { logic_type_name = memory_type_name;
    logic_type_args = [ty1';ty2'] }

(* pointer model types *)

let pointer_type ac pc =
  match ac with
    | JCalloc_root _ ->
	raw_pointer_type (pointer_class_model_type pc)
    | JCalloc_bitvector ->
	raw_pointer_type why_unit_type

(* translation *)

let tr_native_type = function
  | Tunit -> "unit"
  | Tboolean -> "bool"
  | Tinteger -> "int"
  | Treal -> "real"
  | Tgenfloat `Double -> "double"
  | Tgenfloat `Float -> "single"
  | Tgenfloat `Binary80 -> "binary80"
  | Tstring -> "string"

let rec tr_base_type ?region = function
  | JCTnative ty ->
      simple_logic_type (tr_native_type ty)
  | JCTlogic (s,l) ->
      { logic_type_name = s;
        logic_type_args = List.map (tr_base_type ?region)  l;
      }
  | JCTenum ri ->
      simple_logic_type ri.jc_enum_info_name
  | JCTpointer(pc, _, _) ->
      let ac = match region with
	| None ->
	    alloc_class_of_pointer_class pc
	| Some r ->
	    if Region.bitwise r then JCalloc_bitvector
	    else alloc_class_of_pointer_class pc
      in
      pointer_type ac pc
  | JCTnull | JCTany -> assert false
  | JCTtype_var t -> logic_type_var (Jc_type_var.uname t)

let tr_type ~region ty = Base_type (tr_base_type ~region ty)

let tr_var_base_type v =
  tr_base_type ~region:v.jc_var_info_region v.jc_var_info_type

let tr_var_type v =
  tr_type ~region:v.jc_var_info_region v.jc_var_info_type

let any_value region t =
  match t with
    | JCTnative ty ->
        begin match ty with
	  | Tunit -> void
	  | Tboolean -> make_app "any_bool" [void]
	  | Tinteger -> make_app "any_int" [void]
	  | Treal -> make_app "any_real" [void]
	  | Tgenfloat _ -> make_app ("any_"^(native_name ty)) [void]
	  | Tstring -> make_app "any_string" [void]
        end
    | JCTnull
    | JCTpointer _ -> make_app ~ty:(tr_type ~region t) "any_pointer" [void]
    | JCTenum ri -> make_app (fun_any_enum ri) [void]
    | JCTlogic _ as ty ->
        let t =
          Annot_type(LTrue, Base_type (tr_base_type ty), [], [], LTrue, [])
        in mk_expr (BlackBox t)
    | JCTany -> assert false
    | JCTtype_var _ -> assert false (* TODO: need environment *)

(* model types *)

(*
let pset_type ac = raw_pset_type (alloc_class_type ac)
*)

let alloc_table_type ac = raw_alloc_table_type (alloc_class_type ac)

let tag_table_type vi = raw_tag_table_type (root_model_type vi)

let tag_id_type vi = raw_tag_id_type (root_model_type vi)

let memory_type mc =
  let value_type = match mc with
    | JCmem_field fi -> tr_base_type fi.jc_field_info_type
    | JCmem_plain_union _
    | JCmem_bitvector -> bitvector_type
  in
  raw_memory_type (memory_class_type mc) value_type

(* query model types *)

let is_alloc_table_type ty' = ty'.logic_type_name = alloc_table_type_name

let is_tag_table_type ty' = ty'.logic_type_name = tag_table_type_name

let is_memory_type ty' = ty'.logic_type_name = memory_type_name

let deconstruct_memory_type_args ty =
  match ty.logic_type_args with [t;v] -> t,v | _ -> assert false

let any_value' ty' =
  let anyfun =
    if is_alloc_table_type ty' then "any_alloc_table"
    else if is_tag_table_type ty' then "any_tag_table"
    else if is_memory_type ty' then "any_memory"
    else assert false
  in
  make_app ~ty:(Base_type ty') anyfun [void]


(******************************************************************************)
(*                                 variables                                  *)
(******************************************************************************)

let transpose_label ~label_assoc lab =
  match label_assoc with
    | None -> lab
    | Some l ->  try List.assoc lab l with Not_found -> lab

let lvar_name ~label_in_name ?label_assoc lab n =
  let lab = transpose_label ~label_assoc lab in
  if label_in_name then
    match lab with
      | LabelHere -> n
      | LabelOld -> assert false
      | LabelPre -> n ^ "_at_Pre"
      | LabelPost -> n ^ "_at_Post"
      | LabelName lab -> n ^ "_at_" ^ lab.label_info_final_name
  else n

let lvar ~constant ~label_in_name lab n =
  let n = lvar_name ~label_in_name lab n in
  if constant then
    LVar n
  else if label_in_name then
    LDeref n
  else match lab with
    | LabelHere -> LDeref n
    | LabelOld -> LDerefAtLabel(n,"")
    | LabelPre -> LDerefAtLabel(n,"init")
    | LabelPost -> LDeref n
    | LabelName lab -> LDerefAtLabel(n,lab.label_info_final_name)

(* simple variables *)

let plain_var n = mk_var n
let deref_var n = mk_expr (Deref n)

let var_name' e = match e.expr_node with
  | Var n | Deref n -> n
  | _ -> assert false

let var v =
  if v.jc_var_info_assigned
  then deref_var v.jc_var_info_final_name
  else plain_var v.jc_var_info_final_name

let param ~type_safe v =
  v.jc_var_info_final_name,
  if type_safe then
    tr_base_type v.jc_var_info_type
  else
    tr_base_type ~region:v.jc_var_info_region v.jc_var_info_type

let tvar_name ~label_in_name lab v =
  let constant = not v.jc_var_info_assigned in
  lvar_name ~label_in_name:(label_in_name && not constant)
    lab v.jc_var_info_final_name


let tvar ~label_in_name lab v =
  let constant = not v.jc_var_info_assigned in
  lvar ~constant ~label_in_name:(label_in_name && not constant)
    lab v.jc_var_info_final_name

let tparam ~label_in_name lab v =
  tvar_name ~label_in_name lab v,
  tvar ~label_in_name lab v,
  tr_base_type v.jc_var_info_type

let local_of_parameter (v',ty') = (var_name' v',ty')
let effect_of_parameter (v',_ty') = var_name' v'
let wparam_of_parameter (v',ty') = (v',Ref_type(Base_type ty'))
let rparam_of_parameter (v',ty') = (v',Base_type ty')

(* model variables *)

let mutable_memory infunction (mc,r) =
  if Region.polymorphic r then
    if Region.bitwise r then
      MemoryMap.exists (fun (_mc',r') _labs -> Region.equal r r')
	infunction.jc_fun_info_effects.jc_writes.jc_effect_memories
    else
      MemoryMap.mem (mc,r)
	infunction.jc_fun_info_effects.jc_writes.jc_effect_memories
  else true

let mutable_alloc_table infunction (ac,r) =
  if Region.polymorphic r then
    if Region.bitwise r then
      AllocMap.exists (fun (_ac',r') _labs -> Region.equal r r')
	infunction.jc_fun_info_effects.jc_writes.jc_effect_alloc_tables
    else
      AllocMap.mem (ac,r)
	infunction.jc_fun_info_effects.jc_writes.jc_effect_alloc_tables
  else true

let mutable_tag_table infunction (vi,r) =
  if Region.polymorphic r then
    if Region.bitwise r then
      TagMap.exists (fun (_vi',r') _labs -> Region.equal r r')
	infunction.jc_fun_info_effects.jc_writes.jc_effect_tag_tables
    else
      TagMap.mem (vi,r)
	infunction.jc_fun_info_effects.jc_writes.jc_effect_tag_tables
  else true

let plain_memory_var (mc,r) = mk_var (memory_name (mc,r))
let deref_memory_var (mc,r) = mk_expr (Deref (memory_name (mc,r)))

let memory_var ?(test_current_function=false) (mc,r) =
  if test_current_function && !current_function = None then
    plain_memory_var (mc,r)
  else if mutable_memory (get_current_function ()) (mc,r) then
    deref_memory_var (mc,r)
  else plain_memory_var (mc,r)

let tmemory_var ~label_in_name lab (mc,r) =
  let mem = memory_name (mc,r) in
  let constant = match !current_function with
    | None -> true
    | Some infunction -> not (mutable_memory infunction (mc,r))
  in
  lvar ~constant ~label_in_name lab mem

let tmemory_param ~label_in_name lab (mc,r) =
  let mem = memory_name (mc,r) in
  let constant = match !current_function with
    | None -> true
    | Some infunction -> not (mutable_memory infunction (mc,r))
  in
  let n = lvar_name (* ~constant *) ~label_in_name lab mem in
  let v = lvar ~constant ~label_in_name lab mem in
  let ty' = memory_type mc in
  n, v, ty'

let plain_alloc_table_var (ac,r) = mk_var (alloc_table_name (ac,r))
let deref_alloc_table_var (ac,r) = mk_expr (Deref (alloc_table_name (ac,r)))

let alloc_table_var ?(test_current_function=false) (ac,r) =
  if test_current_function && !current_function = None then
    plain_alloc_table_var (ac,r)
  else if mutable_alloc_table (get_current_function ()) (ac,r) then
    deref_alloc_table_var (ac,r)
  else plain_alloc_table_var (ac,r)

let talloc_table_var ~label_in_name lab (ac,r) =
  let alloc = alloc_table_name (ac,r) in
  let constant = match !current_function with
    | None -> true
    | Some infunction -> not (mutable_alloc_table infunction (ac,r))
  in
  not constant,lvar ~constant ~label_in_name lab alloc


let talloc_table_param ~label_in_name lab (ac,r) =
  let alloc = alloc_table_name (ac,r) in
  let constant = match !current_function with
    | None -> true
    | Some infunction -> not (mutable_alloc_table infunction (ac,r))
  in
  let n = lvar_name (* ~constant *) ~label_in_name lab alloc in
  let v = lvar ~constant ~label_in_name lab alloc in
  let ty' = alloc_table_type ac in
  n, v, ty'

let plain_tag_table_var (vi,r) = mk_var (tag_table_name (vi,r))
let deref_tag_table_var (vi,r) = mk_expr (Deref (tag_table_name (vi,r)))

let tag_table_var (vi,r) =
  if mutable_tag_table (get_current_function ()) (vi,r) then
    deref_tag_table_var (vi,r)
  else plain_tag_table_var (vi,r)

let ttag_table_var ~label_in_name lab (vi,r) =
  let tag = tag_table_name (vi,r) in
  let constant = match !current_function with
    | None -> true
    | Some infunction -> not (mutable_tag_table infunction (vi,r))
  in
  lvar ~constant ~label_in_name lab tag

let ttag_table_param ~label_in_name lab (vi,r) =
  let tag = tag_table_name (vi,r) in
  let constant = match !current_function with
    | None -> true
    | Some infunction -> not (mutable_tag_table infunction (vi,r))
  in
  let n = lvar_name (* ~constant *) ~label_in_name lab tag in
  let v = lvar ~constant ~label_in_name lab tag in
  let ty' = tag_table_type vi in
  n, v, ty'


(******************************************************************************)
(*                           locations and separation                         *)
(******************************************************************************)

let ref_term : (?subst:(Output.term Jc_envset.VarMap.t) ->
                 type_safe:bool -> global_assertion:bool -> relocate:bool
		 -> label -> label -> Jc_fenv.term -> Output.term) ref
    = ref (fun ?(subst=VarMap.empty) ~type_safe:_ ~global_assertion:_
             ~relocate:_ _ _ _ ->
               assert (VarMap.is_empty subst);
               assert false)

let rec location ~type_safe ~global_assertion lab loc =
  let flocs = location_set ~type_safe ~global_assertion lab in
  let ft = !ref_term ~type_safe ~global_assertion ~relocate:false lab lab in
  match loc#node with
    | JCLvar _v ->
	LVar "pset_empty"
    | JCLderef(locs,_lab,_fi,_r) ->
	flocs locs
    | JCLderef_term(t1,_fi) ->
	LApp("pset_singleton",[ ft t1 ])
    | _ -> assert false (* TODO *)

and location_set ~type_safe ~global_assertion lab locs =
  let flocs = location_set ~type_safe ~global_assertion lab in
  let ft = !ref_term ~type_safe ~global_assertion ~relocate:false lab lab in
  match locs#node with
    | JCLSvar v ->
	LApp("pset_singleton",[ tvar ~label_in_name:global_assertion lab v ])
    | JCLSderef(locs,lab,fi,_r) ->
	let mc,_fi_opt = lderef_mem_class ~type_safe locs fi in
        let mem =
	  tmemory_var ~label_in_name:global_assertion lab (mc,locs#region)
	in
	LApp("pset_deref",[ mem; flocs locs ])
    | JCLSrange(locs,Some t1,Some t2) ->
	LApp("pset_range",[ flocs locs; ft t1; ft t2 ])
    | JCLSrange(locs,None,Some t2) ->
	LApp("pset_range_left",[ flocs locs; ft t2 ])
    | JCLSrange(locs,Some t1,None) ->
	LApp("pset_range_right",[ flocs locs; ft t1 ])
    | JCLSrange(locs,None,None) ->
	LApp("pset_all",[ flocs locs ])
    | JCLSrange_term(locs,Some t1,Some t2) ->
	LApp("pset_range",[ LApp("pset_singleton", [ ft locs ]); ft t1; ft t2 ])
    | JCLSrange_term(locs,None,Some t2) ->
	LApp("pset_range_left",[ LApp("pset_singleton", [ ft locs ]); ft t2 ])
    | JCLSrange_term(locs,Some t1,None) ->
	LApp("pset_range_right",[ LApp("pset_singleton", [ ft locs ]); ft t1 ])
    | JCLSrange_term(locs,None,None) ->
	LApp("pset_all",[ LApp("pset_singleton", [ ft locs ]) ])
    | JCLSat(locs,_lab) -> flocs locs


let rec location_list' = function
  | [] -> LVar "pset_empty"
  | [e'] -> e'
  | e' :: el' -> LApp("pset_union",[ e'; location_list' el' ])

let separation_condition loclist loclist' =
  let floc = location ~type_safe:false ~global_assertion:false LabelHere in
  let pset = location_list' (List.map floc loclist) in
  let pset' = location_list' (List.map floc loclist') in
  LPred("pset_disjoint",[ pset; pset' ])

type memory_effect = RawMemory of Memory.t | PreciseMemory of Location.t

exception NoRegion

let rec transpose_location ~region_assoc ~param_assoc (loc,(mc,rdist)) =
  match transpose_region ~region_assoc rdist with
    | None -> None
    | Some rloc ->
	try
	  let rec mk_node loc = match loc#node with
	    | JCLvar v ->
		if v.jc_var_info_static then
		  JCLvar v
		else
		  begin match List.mem_assoc_eq VarOrd.equal v param_assoc with
		    | None -> (* Local variable *)
			raise NoRegion
		    | Some e ->
			match location_of_expr e with
			  | None -> raise NoRegion
			  | Some loc' -> loc'#node
		  end
	    | JCLderef(locs,lab,fi,r) ->
		let locs =
		  transpose_location_set ~region_assoc ~param_assoc locs
		in
		JCLderef(locs,lab,fi,r) (* TODO: remove useless lab & r *)
            | JCLat(loc,lab) ->
                let node = mk_node loc in
                JCLat(new location_with ~typ:loc#typ ~region:rloc ~node loc,lab)
	    | _ -> assert false (* TODO *)
	  in
          let node = mk_node loc in
	  let loc = new location_with ~typ:loc#typ ~region:rloc ~node loc in
	  Some(PreciseMemory(loc,(mc,rloc)))
	with NoRegion ->
	  Some(RawMemory(mc,rloc))

and transpose_location_set ~region_assoc ~param_assoc locs =
  match transpose_region ~region_assoc locs#region with
    | None -> raise NoRegion
    | Some rloc ->
	let node = match locs#node with
	  | JCLSvar v ->
	      if v.jc_var_info_static then
		JCLSvar v
	      else
		begin match List.mem_assoc_eq VarOrd.equal v param_assoc with
		  | None -> (* Local variable *)
		      raise NoRegion
		  | Some e ->
		      match location_set_of_expr e with
			| None -> raise NoRegion
			| Some locs' -> locs'#node
	      end
	  | JCLSderef(locs',lab,fi,r) ->
	      let locs' =
		transpose_location_set ~region_assoc ~param_assoc locs'
	      in
	      JCLSderef(locs',lab,fi,r) (* TODO: remove useless lab & r *)
          | JCLSat(locs',lab) ->
              let locs' =
                transpose_location_set ~region_assoc ~param_assoc locs'
              in JCLSat(locs',lab)
	  | _ -> assert false (* TODO *)
	in
	new location_set_with ~typ:locs#typ  ~region:rloc ~node locs

(*
let transpose_location_set ~region_assoc ~param_assoc locs _w =
  try Some(transpose_location_set ~region_assoc ~param_assoc locs)
  with NoRegion -> None
*)

let transpose_location_list
    ~region_assoc ~param_assoc rw_raw_mems rw_precise_mems (mc,distr) =
  if MemorySet.mem (mc,distr) rw_raw_mems then
    begin
(*
	Format.eprintf "** Jc_interp_misc.transpose_location_list: TODO: parameters **@.";
	Format.eprintf "memory %a@\nin memory set %a@."
	  print_memory (mc,distr)
	  (print_list comma print_memory) (MemorySet.elements rw_raw_mems);
	assert false
*)
        []
(*
        MemorySet.fold
          (fun (mc,r) acc ->
             if Region.equal r distr then
               let r' =
	         match
                   transpose_region ~region_assoc r
                 with
                   | None -> None
                   | Some rloc -> Some(RawMemory(mc,rloc))
               in
                 failwith "what to do ?"
             else acc) rw_raw_mems []
*)
     end

    else
      LocationSet.fold
	(fun ((_,(_,r)) as x) acc ->
           if Region.equal r distr then
	     match
               transpose_location ~region_assoc ~param_assoc x
             with
	       | None -> acc
	       | Some(RawMemory _) -> assert false
	       | Some(PreciseMemory(loc,(_mc,_rloc))) -> loc :: acc
           else acc) rw_precise_mems []

let write_read_separation_condition
    ~callee_reads ~callee_writes ~region_assoc ~param_assoc
    inter_names writes reads =
  List.fold_left
    (fun acc ((mc,distr),(v,_ty')) ->
       let n = var_name' v in
       if StringSet.mem n inter_names then
	 (* There is a read/write interference on this memory *)
	 List.fold_left
	   (fun acc ((mc',distr'),(v',_ty')) ->
	      let n' = var_name' v' in
	      if n = n' then
		let rw_raw_mems =
		  MemorySet.of_list
		    (MemoryMap.keys callee_reads.jc_effect_raw_memories
		     @ MemoryMap.keys callee_writes.jc_effect_raw_memories)
		in
		let rw_precise_mems =
		  LocationSet.of_list
		    (LocationMap.keys callee_reads.jc_effect_precise_memories
		     @
		     LocationMap.keys callee_writes.jc_effect_precise_memories)
		in
		let loclist =
		  transpose_location_list ~region_assoc ~param_assoc
		    rw_raw_mems rw_precise_mems (mc,distr)
		in
		let loclist' =
		  transpose_location_list ~region_assoc ~param_assoc
		    rw_raw_mems rw_precise_mems (mc',distr')
		in
		if loclist <> [] && loclist' <> [] then
		  let pre = separation_condition loclist loclist' in
		  make_and pre acc
                else acc
	      else acc
	   ) acc writes
       else acc
    ) LTrue reads

let write_write_separation_condition
    ~callee_reads ~callee_writes ~region_assoc ~param_assoc
    ww_inter_names writes _reads =
  let writes =
    List.filter
      (fun ((_mc,_distr),(v,_ty)) ->
	 let n = var_name' v in
	 StringSet.mem n ww_inter_names
      ) writes
  in
  let write_pairs = List.all_pairs writes in
  List.fold_left
    (fun acc (((mc,distr),(v,_ty)), ((mc',distr'),(v',_ty'))) ->
       let n = var_name' v in
       let n' = var_name' v' in
       if n = n' then
	 (* There is a write/write interference on this memory *)
	 let rw_raw_mems =
	   MemorySet.of_list
	     (MemoryMap.keys callee_reads.jc_effect_raw_memories
	      @ MemoryMap.keys callee_writes.jc_effect_raw_memories)
	 in
	 let rw_precise_mems =
	   LocationSet.of_list
	     (LocationMap.keys callee_reads.jc_effect_precise_memories
	      @
	      LocationMap.keys callee_writes.jc_effect_precise_memories)
	 in
	 let loclist =
	   transpose_location_list ~region_assoc ~param_assoc
	     rw_raw_mems rw_precise_mems (mc,distr)
	 in
	 let loclist' =
	   transpose_location_list ~region_assoc ~param_assoc
	     rw_raw_mems rw_precise_mems (mc',distr')
	 in
	 if loclist <> [] && loclist' <> [] then
	   let pre = separation_condition loclist loclist' in
	   make_and pre acc
         else acc
       else acc
    ) LTrue write_pairs


(******************************************************************************)
(*                                  effects                                   *)
(******************************************************************************)

let rec all_possible_memory_effects acc r ty =
  match ty with
    | JCTpointer(pc,_,_) ->
	begin match pc with
	  | JCroot _ -> acc (* TODO *)
	  | JCtag(st,_) ->
	      List.fold_left
		(fun acc fi ->
		   let mc = JCmem_field fi in
		   let mem = mc,r in
		   if MemorySet.mem mem acc then
		     acc
		   else
		     all_possible_memory_effects
		       (MemorySet.add mem acc) r fi.jc_field_info_type
		) acc st.jc_struct_info_fields
	end
    | JCTnative _
    | JCTnull
    | JCTenum _
    | JCTlogic _
    | JCTany -> acc
    | JCTtype_var _ -> assert false (* TODO: need environment *)


let rewrite_effects ~type_safe ~params ef =
  let all_mems =
    List.fold_left
      (fun acc v ->
	 all_possible_memory_effects acc v.jc_var_info_region v.jc_var_info_type
      ) MemorySet.empty params
  in
  if not type_safe then ef else
    { ef with
	jc_effect_memories =
	MemoryMap.fold
	  (fun (mc,r) labs acc ->
	     match mc with
	       | JCmem_field _ | JCmem_plain_union _ ->
		   MemoryMap.add (mc,r) labs acc
	       | JCmem_bitvector ->
		   MemorySet.fold
		     (fun (mc',r') acc ->
			if Region.equal r r' then
			  MemoryMap.add (mc',r') labs acc
			else acc
		     ) all_mems acc
	  ) ef.jc_effect_memories MemoryMap.empty
    }


(******************************************************************************)
(*                                 Structures                                 *)
(******************************************************************************)

let const_of_num n = LConst(Prim_int(Num.string_of_num n))

let define_locals ?(reads=[]) ?(writes=[]) e' =
  let e' =
    List.fold_left
      (fun acc (n,ty') -> mk_expr (Let(n,any_value' ty',acc)))
      e' reads
  in
  let e' =
    List.fold_left
      (fun acc (n,ty') -> mk_expr (Let_ref(n,any_value' ty',acc)))
      e' writes
  in
  e'

(* Validity *)

let make_valid_pred_app ~in_param ~equal (ac, r) pc p ao bo =
  assert (in_param = in_param);
  let all_allocs = match ac with
    | JCalloc_bitvector -> [ ac ]
    | JCalloc_root rt ->
	match rt.jc_root_info_kind with
	  | Rvariant
	  | RdiscrUnion -> all_allocs ~select:fully_allocated pc
	  | RplainUnion -> [ ac ]
  in
  let allocs =
    List.map (fun ac ->
                (*
                  let v = alloc_table_name(ac,r) in
                  if in_param then LDeref v else LVar v
                *)
                let is_not_cte,v =
                  talloc_table_var ~label_in_name:false LabelHere (ac,r)
                in
                match v with
                  | LDeref x ->
                      assert is_not_cte;
                      assert in_param;
                      if is_not_cte then v else LVar x
                  | LVar x ->
                      assert (not is_not_cte);
                     (*  assert (not in_param); *)
                      (* if in_param then *) LDeref x (* else v *)
                  | _ -> assert false
             ) all_allocs
  in
  let all_mems = match ac with
    | JCalloc_bitvector -> []
    | JCalloc_root rt ->
	match rt.jc_root_info_kind with
	  | Rvariant
	  | RdiscrUnion -> all_memories ~select:fully_allocated pc
	  | RplainUnion -> []
  in
  let mems =
    List.map (fun mc ->
                tmemory_var ~label_in_name:false LabelHere (mc,r))
      all_mems
  in
  let params = allocs @ mems in
  let f x acc = x :: acc in
  let params = Option_misc.fold f bo params in
  let params = Option_misc.fold f ao params in
  LPred (valid_pred_name ~equal ~left:(ao <> None) ~right:(bo <> None) ac pc, p :: params)

(*
If T is a structure:
   valid_T(p, a, b, allocs ...) =
     if T is root:
       offset_min(alloc_i, p) == a &&
       offset_max(alloc_i, p) == b
     else if S is the direct superclass of T:
       valid_S(p, a, b, allocs ...)
     and for all field (T'[a'..b'] f) of p,
       valid_T'(p.f, a', b', allocs ...)
If T is a variant, then we only have the condition on offset_min and max.
*)
let make_valid_pred ~in_param ~equal ?(left=true) ?(right=true) ac pc =
  let p = "p" in
  let a = "a" in
  let b = "b" in
  let params =
    let all_allocs = match ac with
      | JCalloc_bitvector -> [ ac ]
      | JCalloc_root rt ->
	  match rt.jc_root_info_kind with
	    | Rvariant
	    | RdiscrUnion -> all_allocs ~select:fully_allocated pc
	    | RplainUnion -> [ ac ]
    in
    let allocs =
      List.map (fun ac -> generic_alloc_table_name ac,alloc_table_type ac)
	all_allocs
    in
    let all_mems = match ac with
      | JCalloc_bitvector -> []
      | JCalloc_root rt ->
	  match rt.jc_root_info_kind with
	    | Rvariant
	    | RdiscrUnion -> all_memories ~select:fully_allocated pc
	    | RplainUnion -> []
    in
    let mems =
      List.map (fun mc -> generic_memory_name mc,memory_type mc) all_mems
    in
    let p = p, pointer_type ac pc in
    let a = a, why_integer_type in
    let b = b, why_integer_type in
    let params = allocs @ mems in
    let params = if right then b :: params else params in
    let params = if left then a :: params else params in
      p :: params
  in
  let validity =
    let omin, omax, super_valid = match pc with
      | JCtag ({ jc_struct_info_parent = Some(st, pp) }, _) ->
          LTrue,
          LTrue,
          make_valid_pred_app ~in_param ~equal
	    (ac,dummy_region) (JCtag(st, pp)) (LVar p)
	    (if left then Some (LVar a) else None)
	    (if right then Some (LVar b) else None)
      | JCtag ({ jc_struct_info_parent = None }, _)
      | JCroot _ ->
          (if equal then make_eq else make_le) (make_offset_min ac (LVar p)) (LVar a),
          (if equal then make_eq else make_ge) (make_offset_max ac (LVar p)) (LVar b),
          LTrue
    in
    let fields_valid = match ac with
      | JCalloc_bitvector -> [ LTrue ]
      | JCalloc_root rt ->
	  match rt.jc_root_info_kind with
	    | Rvariant ->
		begin match pc with
		  | JCtag(st,_) ->
		      List.map
			(function
			   | { jc_field_info_type =
				 JCTpointer(fpc, Some fa, Some fb) } as fi ->
			       make_valid_pred_app ~in_param ~equal (ac,dummy_region) fpc
				 (make_select_fi fi (LVar p))
				 (if left then Some (const_of_num fa) else None)
				 (if right then Some (const_of_num fb) else None)
			   | _ ->
			       LTrue)
			st.jc_struct_info_fields
		  | JCroot _ -> [ LTrue ]
		end
	    | RdiscrUnion
	    | RplainUnion -> [ LTrue ]
    in
    let validity = super_valid :: fields_valid in
    let validity = if right then omax :: validity else validity in
    let validity = if left then omin :: validity else validity in
      make_and_list validity
  in
  Predicate(false, id_no_loc (valid_pred_name ~equal ~left ~right ac pc),
	    params, validity)

(* Allocation *)

let alloc_write_parameters (ac,r) pc =
  let all_allocs = match ac with
    | JCalloc_bitvector -> [ ac ]
    | JCalloc_root rt ->
	match rt.jc_root_info_kind with
	  | Rvariant
	  | RdiscrUnion -> all_allocs ~select:fully_allocated pc
	  | RplainUnion -> [ ac ]
  in
  let allocs =
    List.map (fun ac -> plain_alloc_table_var (ac,r), alloc_table_type ac)
      all_allocs
  in
  let all_tags = match ac with
    | JCalloc_bitvector -> []
    | JCalloc_root rt ->
	match rt.jc_root_info_kind with
	  | Rvariant
	  | RdiscrUnion -> [ rt ]
	  | RplainUnion -> []
  in
  let tags =
    List.map (fun vi -> plain_tag_table_var (vi,r), tag_table_type vi)
      all_tags
  in
  allocs @ tags

let alloc_read_parameters (ac,r) pc =
  let all_mems = match ac with
    | JCalloc_bitvector -> []
    | JCalloc_root rt ->
	match rt.jc_root_info_kind with
	  | Rvariant
	  | RdiscrUnion -> all_memories ~select:fully_allocated pc
	  | RplainUnion -> []
  in
  let mems =
    List.map
      (fun mc ->
	 memory_var ~test_current_function:true (mc,r), memory_type mc)
      all_mems
  in
  mems

let alloc_arguments (ac,r) pc =
  let writes = alloc_write_parameters (ac,r) pc in
  let reads = alloc_read_parameters (ac,r) pc in
  List.map fst writes @ List.map fst reads

let make_alloc_param ~check_size ac pc =
  let n = "n" in
  let alloc = generic_alloc_table_name ac in
  (* parameters and effects *)
  let writes = alloc_write_parameters (ac,dummy_region) pc in
  let write_effects =
    List.map (function ({ expr_node = Var n},_ty') -> n | _ -> assert false) writes
  in
  let write_params =
    List.map (fun (n,ty') -> (n,Ref_type(Base_type ty'))) writes
  in
  let reads = alloc_read_parameters (ac,dummy_region) pc in
  let read_params =
    List.map (fun (n,ty') -> (n,Base_type ty')) reads
  in
  let params = [ (mk_var n,Base_type why_integer_type) ] in
  let params = params @ write_params @ read_params in
  let params =
    List.map (function ({expr_node = Var n},ty') -> (n,ty') | _ -> assert false) params
  in
  (* precondition *)
  let pre =
    if check_size then LPred("ge_int",[LVar n;LConst(Prim_int "0")])
    else LTrue
  in
  (* postcondition *)
  let instanceof_post = match ac with
    | JCalloc_bitvector -> []
    | JCalloc_root rt ->
	match rt.jc_root_info_kind with
	  | Rvariant ->
	      begin match pc with
		| JCtag(st,_) ->
		    let tag = generic_tag_table_name (struct_root st) in
		    (* [instanceof(tagtab,result,tag_st)] *)
		    [ LPred("instanceof",
			    [LDeref tag;LVar "result";LVar(tag_name st)]) ]
		| JCroot _ -> []
	      end
	  | RdiscrUnion
	  | RplainUnion -> []
  in
  let alloc_type =
    Annot_type(
      (* [n >= 0] *)
      pre,
      (* argument pointer type *)
      Base_type(pointer_type ac pc),
      (* reads and writes *)
      [], write_effects,
      (* normal post *)
      make_and_list (
	[
          (* [valid_st(result,0,n-1,alloc...)] *)
          make_valid_pred_app ~in_param:true ~equal:true (ac,dummy_region) pc
            (LVar "result")
            (Some (LConst(Prim_int "0")))
            (Some (LApp("sub_int",[LVar n; LConst(Prim_int "1")])));
          (* [alloc_extends(old(alloc),alloc)] *)
          LPred("alloc_extends",[LDerefAtLabel(alloc,"");LDeref alloc]);
          (* [alloc_fresh(old(alloc),result,n)] *)
          LPred("alloc_fresh",[LDerefAtLabel(alloc,"");LVar "result";LVar n])
	]
	@ instanceof_post ),
      (* no exceptional post *)
      [])
  in
  let alloc_type =
    List.fold_right (fun (n,ty') acc -> Prod_type(n, ty', acc))
      params alloc_type
  in
  let name = alloc_param_name ~check_size ac pc in
  Param(false,id_no_loc name,alloc_type)

(* Conversion to and from bitvector *)

let make_param ~name ~writes ~reads ~pre ~post ~return_type =
  (* parameters and effects *)
  let write_effects = List.map effect_of_parameter writes in
  let write_params = List.map wparam_of_parameter writes in
  let read_params = List.map rparam_of_parameter reads in
  let params = write_params @ read_params in
  let params = List.map local_of_parameter params in
  (* type *)
  let annot_type =
    Annot_type(
      pre,
      Base_type return_type,
      (* reads and writes *)
      [], write_effects,
      (* normal post *)
      post,
      (* no exceptional post *)
      [])
  in
  let annot_type =
    List.fold_right (fun (n,ty') acc -> Prod_type(n, ty', acc))
      params annot_type
  in
  Param(false,id_no_loc name,annot_type)

let conv_bw_alloc_parameters ~deref r _pc =
  let ac = JCalloc_bitvector in
  let allocv =
    if deref then
      alloc_table_var ~test_current_function:true (ac,r)
    else
      plain_alloc_table_var (ac,r)
  in
  let alloc = (allocv, alloc_table_type ac) in
  [ alloc ]

let conv_bw_mem_parameters ~deref r _pc =
  let mc = JCmem_bitvector in
  let memv =
    if deref then
      memory_var ~test_current_function:true (mc,r)
    else
      plain_memory_var (mc,r)
  in
  let mem = (memv, memory_type mc) in
  [ mem ]

(* let conv_bw_mem_tparameters r pc = *)
(*   let mc = JCmem_bitvector in *)
(*   let memv = tmemory_var ~label_in_name:global_assertion lab (mc,locs#region)  *)
(* tmemory_var ~test_current_function:true (mc,r) *)
(*     else  *)
(*       plain_memory_var (mc,r) *)
(*   in *)
(*   let mem = (memv, memory_type mc) in *)
(*   [ mem ] *)

let conv_typ_alloc_parameters r pc =
  match pc with
    | JCtag _ ->
	let ac = alloc_class_of_pointer_class pc in
	let alloc = (plain_alloc_table_var (ac,r), alloc_table_type ac) in
	[ alloc ]
    | JCroot vi ->
	let ac = JCalloc_root vi in
	let alloc = (plain_alloc_table_var (ac,r), alloc_table_type ac) in
	[ alloc ]

let conv_typ_mem_parameters ~deref r pc =
  let memvar = if deref then deref_memory_var else plain_memory_var in
  match pc with
    | JCtag _ ->
	let all_mems = all_memories pc in
	let mems =
	  List.map
	    (fun mc -> memvar (mc,r), memory_type mc) all_mems
	in
	mems
    | JCroot rt ->
	match rt.jc_root_info_kind with
	  | Rvariant -> []
	  | RdiscrUnion -> assert false (* TODO *)
	  | RplainUnion ->
	      let mc = JCmem_plain_union rt in
	      let mem = (memvar (mc,r), memory_type mc) in
	      [ mem ]

let make_ofbit_alloc_param_app r pc =
  let writes = conv_typ_alloc_parameters r pc in
  let reads = conv_bw_alloc_parameters ~deref:true r pc in
  let args = List.map fst writes @ List.map fst reads in
  let app = match pc with
    | JCtag _ ->
	make_app (alloc_of_bitvector_param_name pc) args
    | JCroot rt ->
	match rt.jc_root_info_kind with
	  | Rvariant -> void
	  | RdiscrUnion -> assert false (* TODO *)
	  | RplainUnion -> assert false (* TODO *)
  in
  let locals = List.map local_of_parameter writes in
  locals, app

let make_ofbit_mem_param_app r pc =
  let writes = conv_typ_mem_parameters ~deref:false r pc in
  let reads = conv_bw_mem_parameters ~deref:true r pc in
  let args = List.map fst writes @ List.map fst reads in
  let app = match pc with
    | JCtag _ ->
	make_app (mem_of_bitvector_param_name pc) args
    | JCroot rt ->
	match rt.jc_root_info_kind with
	  | Rvariant -> void
	  | RdiscrUnion -> assert false (* TODO *)
	  | RplainUnion -> assert false (* TODO *)
  in
  let locals = List.map local_of_parameter writes in
  locals, app

let make_tobit_alloc_param_app r pc =
  let writes = conv_bw_alloc_parameters ~deref:false r pc in
  let reads = conv_typ_alloc_parameters r pc in
  let args = List.map fst writes @ List.map fst reads in
  let app = match pc with
    | JCtag _ ->
	make_app (alloc_to_bitvector_param_name pc) args
    | JCroot rt ->
	match rt.jc_root_info_kind with
	  | Rvariant -> void
	  | RdiscrUnion -> assert false (* TODO *)
	  | RplainUnion -> assert false (* TODO *)
  in
  app

let make_tobit_mem_param_app r pc =
  let writes = conv_bw_mem_parameters ~deref:false r pc in
  let reads = conv_typ_mem_parameters ~deref:true r pc in
  let args = List.map fst writes @ List.map fst reads in
  let app = match pc with
    | JCtag _ ->
	make_app (mem_to_bitvector_param_name pc) args
    | JCroot rt ->
	match rt.jc_root_info_kind with
	  | Rvariant -> void
	  | RdiscrUnion -> assert false (* TODO *)
	  | RplainUnion -> assert false (* TODO *)
  in
  app

let make_of_bitvector_app fi e' =
  (* Convert bitvector into appropriate type *)
  match fi.jc_field_info_type with
    | JCTenum ri -> LApp(logic_enum_of_bitvector ri,[e'])
(*     | JCTnative nty -> LApp(logic_native_of_bitvector nty,[e']) *)
    | JCTpointer(pc,_,_) ->
	LApp(logic_variant_of_bitvector (pointer_class_root pc),[e'])
    | _ty -> assert false (* TODO *)

let make_conversion_params pc =
  let p = "p" in
  let bv_mem = generic_memory_name JCmem_bitvector in
  let bv_alloc = generic_alloc_table_name JCalloc_bitvector in

  (* postcondition *)
  let post_alloc = match pc with
    | JCtag(st,_) ->
	if struct_has_size st then
	  let post_alloc =
	    let ac = alloc_class_of_pointer_class pc in
	    let alloc = generic_alloc_table_name ac in
	    let s = string_of_int (struct_size_in_bytes st) in
	    let post_min =
	      make_eq_pred integer_type
		(LApp("offset_min",[ LVar alloc; LVar p ]))
		(LApp("offset_min_bytes",[ LVar bv_alloc;
					   LApp("pointer_address",[ LVar p ]);
					   LConst(Prim_int s)]))
	    in
	    let post_max =
	      make_eq_pred integer_type
		(LApp("offset_max",[ LVar alloc; LVar p ]))
		(LApp("offset_max_bytes",[ LVar bv_alloc;
					   LApp("pointer_address",[ LVar p ]);
					   LConst(Prim_int s)]))
	    in
	    let ty' = pointer_type ac pc in
	    let post = make_and post_min post_max in
	    LForall(p,ty',[],post)
	  in
	  post_alloc
	else LTrue
    | JCroot _ -> assert false (* TODO *)
  in
  let post_mem = match pc with
    | JCtag(st,_) ->
	if struct_has_size st then
	  let fields = all_fields pc in
	  let post_mem,_ =
	    List.fold_left
	      (fun (acc,i) fi ->
		 if field_type_has_bitvector_representation fi then
		   let pi = p ^ (string_of_int i) in
		   let mc = JCmem_field fi in
		   let ac = alloc_class_of_mem_class mc in
		   let mem =
		     tmemory_var ~label_in_name:true LabelHere
		       (mc,dummy_region)
		   in
		   let off =
		     match field_offset_in_bytes fi with
		       | Some x -> x
		       | None ->  assert false
		   in
		   let size =
		     match fi.jc_field_info_bitsize with
		       | Some x -> x / 8
		       | None -> assert false
		   in
		   let off = string_of_int off and size = string_of_int size in
		   let posti =
		     make_eq_pred fi.jc_field_info_type
		       (LApp("select",[ mem; LVar pi ]))
		       (make_of_bitvector_app fi
			  (LApp("select_bytes",
				[ LVar bv_mem;
				  LApp("pointer_address",[ LVar pi ]);
				  LConst(Prim_int off); LConst(Prim_int size) ])))
		   in
		   let ty' = pointer_type ac pc in (* Correct pc *)
		   let posti = LForall(pi,ty',[],posti) in
		   make_and acc posti, i+1
		 else acc, i
	      ) (LTrue,0) fields
	  in
	  post_mem
	else LTrue
    | JCroot _ -> assert false (* TODO *)
  in

  (* Invariant linking typed and byte views *)

(*   let mem_logic = *)
(*     Logic(false, mem_bitvector_logic_name pc, params, result_ty')  *)
(*   in *)

  (* Conversion from bitvector *)
  let writes = conv_typ_alloc_parameters dummy_region pc in
  let reads = conv_bw_alloc_parameters ~deref:true dummy_region pc in
  let name = alloc_of_bitvector_param_name pc in
  let alloc_ofbit_param =
    make_param ~name ~writes ~reads ~pre:LTrue ~post:post_alloc
      ~return_type:why_unit_type
  in

  let writes = conv_typ_mem_parameters ~deref:false dummy_region pc in
  let reads = conv_bw_mem_parameters ~deref:true dummy_region pc in
  let name = mem_of_bitvector_param_name pc in
  let mem_ofbit_param =
    make_param ~name ~writes ~reads ~pre:LTrue ~post:post_mem
      ~return_type:why_unit_type
  in

  (* Conversion to bitvector *)
  let writes = conv_bw_alloc_parameters ~deref:false dummy_region pc in
  let reads = conv_typ_alloc_parameters dummy_region pc in
  let name = alloc_to_bitvector_param_name pc in
  let alloc_tobit_param =
    make_param ~name ~writes ~reads ~pre:LTrue ~post:post_alloc
      ~return_type:why_unit_type
  in

  let writes = conv_bw_mem_parameters ~deref:false dummy_region pc in
  let reads = conv_typ_mem_parameters ~deref:true dummy_region pc in
  let name = mem_to_bitvector_param_name pc in
  let mem_tobit_param =
    make_param ~name ~writes ~reads ~pre:LTrue ~post:post_mem
      ~return_type:why_unit_type
  in

  [ alloc_ofbit_param; mem_ofbit_param; alloc_tobit_param; mem_tobit_param ]


(******************************************************************************)
(*                               call arguments                               *)
(******************************************************************************)

type param_mode = [ `MAppParam | `MFunParam ]
type effect_mode = [ `MEffect | `MLocalEffect ]
type param_or_effect_mode = [ param_mode | effect_mode ]
type param_or_local_mode = [ param_mode | `MLocal ]
(*
type param_or_effect_or_local_mode = [ param_or_effect_mode | `MLocal ]
*)

let remove_duplicates ~already_used entries =
  fst (List.fold_left
	 (fun (acc,already_used) entry ->
	    (* Accumulate entry only if not already present *)
	    let n = var_name' (fst (snd entry)) in
	    if StringSet.mem n already_used then
	      acc, already_used
	    else
	      entry :: acc, StringSet.add n already_used
	 ) ([],already_used) entries)

(*
let check_no_duplicates ~already_used entries =
  ignore (List.fold_left
	    (fun already_used entry ->
	       (* Check entry not already present *)
	       let n = var_name' (fst (snd entry)) in
	       assert (not (StringSet.mem n already_used));
	       StringSet.add n already_used
	    ) already_used entries)
*)

let add_alloc_table_argument
    ~mode ~type_safe ~no_deref (ac,distr as alloc) ?region_assoc acc =
  let allocvar =
    if no_deref then plain_alloc_table_var
    else alloc_table_var ~test_current_function:false
  in
  let ty' = alloc_table_type ac in
  if Region.polymorphic distr then
    try
      (* Polymorphic allocation table. Both passed in argument by the caller,
	 and counted as effect. *)
      let locr =
	Option_misc.map_default (RegionList.assoc distr) distr region_assoc
      in
      match mode with
	| `MAppParam ->
	    if Region.bitwise locr && not no_deref then
	      (* Anticipate generation of local ref from bitwise *)
	      ((alloc,locr), (deref_alloc_table_var (ac,locr), ty')) :: acc
	    else
	      ((alloc,locr), (allocvar (ac,locr), ty')) :: acc
	| `MFunParam | #effect_mode ->
	    if Region.bitwise locr && not type_safe then
	      (* Bitwise allocation table in the caller.
		 Translate the allocation class. *)
	      let ac = JCalloc_bitvector in
	      let ty' = alloc_table_type ac in
	      ((alloc,locr), (allocvar (ac,locr), ty')) :: acc
	    else
	      ((alloc,locr), (allocvar (ac,locr), ty')) :: acc
	| `MLocal -> acc
    with Not_found ->
      (* MLocal allocation table. Neither passed in argument by the caller,
	 nor counted as effect. *)
      match mode with
	| #param_or_effect_mode -> acc
	| `MLocal ->
	    if Region.bitwise distr && not type_safe then
	      (* Bitwise allocation table. Translate the allocation class. *)
	      let ac = JCalloc_bitvector in
	      let ty' = alloc_table_type ac in
	      ((alloc,distr), (allocvar (ac,distr), ty')) :: acc
	    else
	      ((alloc,distr), (allocvar (ac,distr), ty')) :: acc
  else
    (* Constant allocation table. Not passed in argument by the caller,
       but counted as effect. *)
    match mode with
      | #param_or_local_mode -> acc
      | #effect_mode -> ((alloc,distr), (allocvar (ac,distr), ty')) :: acc

let translate_alloc_table_effects ~region_mem_assoc alloc_effect =
  AllocMap.fold
    (fun (ac,r) labs acc ->
       let allocs = transpose_alloc_table ~region_mem_assoc (ac,r) in
       AllocSet.fold
	 (fun (ac,_r) acc -> AllocMap.add (ac,r) labs acc) allocs acc
    ) alloc_effect AllocMap.empty

(* let translate_external_alloc_tables ~no_deref ~region_mem_assoc ~already_used *)
(*     allocs = *)
(*   let already_used = StringSet.of_list already_used in *)
(*   let allocvar =  *)
(*     if no_deref then plain_alloc_table_var  *)
(*     else alloc_table_var ~test_current_function:false *)
(*   in *)
(*   let allocs = *)
(*     List.fold_left *)
(*       (fun acc ((alloc,locr),(v',ty') as entry) -> *)
(* 	 if Region.bitwise locr then *)
(* 	   (\* Translate bitwise allocation table into typed ones *\) *)
(* 	   try *)
(* 	     let mems = MemorySet.find_region locr region_mem_assoc in *)
(* 	     let allocs =  *)
(* 	       List.map *)
(* 		 (fun (mc,_r) -> *)
(* 		    let ac = alloc_class_of_mem_class mc in *)
(* 		    let ty' = alloc_table_type ac in *)
(* 		    ((alloc,locr), (allocvar (ac,locr), ty')) *)
(* 		 ) (MemorySet.elements mems) *)
(* 	     in allocs @ acc *)
(* 	   with Not_found -> *)
(* 	     (\* No possible effect on caller types *\) *)
(* 	     acc *)
(* 	 else entry :: acc *)
(*       ) [] allocs *)
(*   in *)
(*   remove_duplicates ~already_used allocs *)

let alloc_table_detailed_writes ~mode ~type_safe ~callee_writes ?region_assoc
    ~region_mem_assoc =
  let write_effects = callee_writes.jc_effect_alloc_tables in
  let write_effects =
    if type_safe then
      match mode with
	| #param_mode | `MEffect ->
	    translate_alloc_table_effects ~region_mem_assoc write_effects
      | `MLocalEffect | `MLocal -> write_effects
    else write_effects
  in
  let writes =
    AllocMap.fold
      (fun (ac,distr) _labs acc ->
	 add_alloc_table_argument
	   ~mode ~type_safe ~no_deref:true (ac,distr) ?region_assoc acc
      ) write_effects []
  in
  if type_safe then
    writes
  else
    remove_duplicates ~already_used:StringSet.empty writes

let alloc_table_writes ~mode ~type_safe ~callee_writes ?region_assoc
    ~region_mem_assoc =
  List.map snd
    (alloc_table_detailed_writes ~mode ~type_safe ~callee_writes ?region_assoc
       ~region_mem_assoc)

let alloc_table_detailed_reads ~mode ~type_safe ~callee_writes ~callee_reads
    ?region_assoc ~region_mem_assoc ~already_used =
  let read_effects = callee_reads.jc_effect_alloc_tables in
  let read_effects =
    if type_safe then
      match mode with
	| #param_mode | `MEffect ->
	    translate_alloc_table_effects ~region_mem_assoc read_effects
	| `MLocalEffect | `MLocal -> read_effects
    else read_effects
  in
  let reads =
    AllocMap.fold
      (fun (ac,distr) _labs acc ->
	 if has_alloc_table (ac,distr) callee_writes.jc_effect_alloc_tables then
	   (* Allocation table is written, thus it is already taken care of
	      as a parameter. *)
	   match mode with
	     | #param_or_local_mode -> acc
	     | #effect_mode ->
		 add_alloc_table_argument
		   ~mode ~type_safe ~no_deref:false (ac,distr) ?region_assoc acc
	 else if mutable_alloc_table (get_current_function ()) (ac,distr) then
	   add_alloc_table_argument
	     ~mode ~type_safe ~no_deref:false (ac,distr) ?region_assoc acc
	 else
	   (* Allocation table is immutable, thus it is not passed by
	      reference. As such, it cannot be counted in effects. *)
	   match mode with
	     | #param_or_local_mode ->
		 add_alloc_table_argument
		   ~mode ~type_safe ~no_deref:false (ac,distr) ?region_assoc acc
	     | #effect_mode -> acc
      ) read_effects []
  in
  if type_safe then
    reads
  else
    let already_used = StringSet.of_list already_used in
    remove_duplicates ~already_used reads

let alloc_table_reads ~mode ~type_safe ~callee_writes ~callee_reads
    ?region_assoc ~region_mem_assoc ~already_used =
  List.map snd
    (alloc_table_detailed_reads ~mode ~type_safe ~callee_writes ~callee_reads
       ?region_assoc ~region_mem_assoc ~already_used)

let add_tag_table_argument ~mode ~no_deref (vi,distr) ?region_assoc acc =
  let tagvar = if no_deref then plain_tag_table_var else tag_table_var in
  let ty' = tag_table_type vi in
  if Region.polymorphic distr then
    try
      (* Polymorphic tag table. Both passed in argument by the caller,
	 and counted as effect. *)
      let locr =
	Option_misc.map_default (RegionList.assoc distr) distr region_assoc
      in
      match mode with
	| #param_or_effect_mode -> (tagvar (vi,locr), ty') :: acc
	| `MLocal -> acc
    with Not_found ->
      (* MLocal tag table. Neither passed in argument by the caller,
	 nor counted as effect. *)
      match mode with
	| #param_or_effect_mode -> acc
	| `MLocal -> (tagvar (vi,distr), ty') :: acc
  else
    (* Constant tag table. Not passed in argument by the caller,
       but counted as effect. *)
    match mode with
      | #param_or_local_mode -> acc
      | #effect_mode -> (tagvar (vi,distr), ty') :: acc

let tag_table_writes ~mode ~callee_writes ?region_assoc () =
  TagMap.fold
    (fun (vi,distr) _labs acc ->
       add_tag_table_argument
	 ~mode ~no_deref:true (vi,distr) ?region_assoc acc
    ) callee_writes.jc_effect_tag_tables []

let tag_table_reads ~mode ~callee_writes ~callee_reads ?region_assoc () =
  TagMap.fold
    (fun (vi,distr) _labs acc ->
       if TagMap.mem (vi,distr) callee_writes.jc_effect_tag_tables then
	 (* Tag table is written, thus it is already taken care of
	    as a parameter. *)
	 match mode with
	   | #param_or_local_mode -> acc
	   | #effect_mode ->
	       add_tag_table_argument
		 ~mode ~no_deref:false (vi,distr) ?region_assoc acc
       else if mutable_tag_table (get_current_function ()) (vi,distr) then
	 add_tag_table_argument
	   ~mode ~no_deref:false (vi,distr) ?region_assoc acc
       else
	 (* Tag table is immutable, thus it is not passed by
	    reference. As such, it cannot be counted in effects. *)
	 match mode with
	   | #param_or_local_mode ->
	       add_tag_table_argument
		 ~mode ~no_deref:false (vi,distr) ?region_assoc acc
	   | #effect_mode -> acc
    ) callee_reads.jc_effect_tag_tables []

let add_memory_argument
    ~mode ~type_safe ~no_deref (mc,distr as mem) ?region_assoc acc =
  let memvar =
    if no_deref then plain_memory_var
    else memory_var ~test_current_function:false
  in
  let ty' = memory_type mc in
  if Region.polymorphic distr then
    try
      (* Polymorphic memory. Both passed in argument by the caller,
	 and counted as effect. *)
      let locr =
	Option_misc.map_default (RegionList.assoc distr) distr region_assoc
      in
      match mode with
	| `MAppParam ->
	    if Region.bitwise locr && not no_deref then
	      (* Anticipate generation of local ref from bitwise *)
	      ((mem,locr), (deref_memory_var (mc,locr), ty')) :: acc
	    else
	      ((mem,locr), (memvar (mc,locr), ty')) :: acc
	| `MFunParam | #effect_mode ->
	    if Region.bitwise locr && not type_safe then
	      (* Bitwise memory in the caller.
		 Translate the memory class. *)
	      let mc = JCmem_bitvector in
	      let ty' = memory_type mc in
	      ((mem,locr), (memvar (mc,locr), ty')) :: acc
	    else
	      ((mem,locr), (memvar (mc,locr), ty')) :: acc
	| `MLocal -> acc
    with Not_found ->
      (* MLocal memory. Neither passed in argument by the caller,
	 nor counted as effect. *)
      match mode with
	| #param_or_effect_mode -> acc
	| `MLocal ->
	    if Region.bitwise distr && not type_safe then
	      (* Bitwise memory. Translate the memory class. *)
	      let mc = JCmem_bitvector in
	      let ty' = memory_type mc in
	      ((mem,distr), (memvar (mc,distr), ty')) :: acc
	    else
	      ((mem,distr), (memvar (mc,distr), ty')) :: acc
  else
    (* Constant memory. Not passed in argument by the caller,
       but counted as effect. *)
    match mode with
      | #param_or_local_mode -> acc
      | #effect_mode -> ((mem,distr), (memvar (mc,distr), ty')) :: acc

(* let translate_external_memories ~no_deref ~region_mem_assoc ~already_used mems = *)
(*   let already_used = StringSet.of_list already_used in *)
(*   let memvar =  *)
(*     if no_deref then plain_memory_var  *)
(*     else memory_var ~test_current_function:false *)
(*   in *)
(*   let mems = *)
(*     List.fold_left *)
(*       (fun acc ((mem,locr),(v',ty') as entry) -> *)
(* 	 if Region.bitwise locr then *)
(* 	   try *)
(* 	     (\* Translate bitwise memories into typed ones *\) *)
(* 	     let mems = MemorySet.find_region locr region_mem_assoc in *)
(* 	     let mems =  *)
(* 	       List.map *)
(* 		 (fun (mc,_r) -> *)
(* 		    let ty' = memory_type mc in *)
(* 		    ((mem,locr), (memvar (mc,locr), ty')) *)
(* 		 ) (MemorySet.elements mems) *)
(* 	     in mems @ acc *)
(* 	   with Not_found -> *)
(* 	     (\* No possible effect on caller types *\) *)
(* 	     acc *)
(* 	 else entry :: acc *)
(*       ) [] mems *)
(*   in *)
(*   remove_duplicates ~already_used mems *)

let translate_memory_effects ~region_mem_assoc mem_effect =
  MemoryMap.fold
    (fun (mc,r) labs acc ->
       let mems = transpose_memory ~region_mem_assoc (mc,r) in
       MemorySet.fold
	 (fun (mc,_r) acc -> MemoryMap.add (mc,r) labs acc) mems acc
    ) mem_effect MemoryMap.empty

let memory_detailed_writes
    ~mode ~type_safe ~callee_writes ?region_assoc ~region_mem_assoc =
  let write_effects = callee_writes.jc_effect_memories in
  let write_effects =
    if type_safe then
      match mode with
	| #param_mode | `MEffect ->
	    translate_memory_effects ~region_mem_assoc write_effects
	| `MLocalEffect | `MLocal -> write_effects
    else write_effects
  in
  let writes =
    MemoryMap.fold
      (fun (mc,distr) _labs acc ->
	 add_memory_argument
	   ~mode ~type_safe ~no_deref:true (mc,distr) ?region_assoc acc
      ) write_effects []
  in
  if type_safe then
    (* non-interference precondition added later on *)
(*     let () = check_no_duplicates ~already_used:StringSet.empty writes in *)
    writes
  else
    remove_duplicates ~already_used:StringSet.empty writes

let memory_writes
    ~mode ~type_safe ~callee_writes ?region_assoc ~region_mem_assoc =
  List.map snd
    (memory_detailed_writes ~mode ~type_safe ~callee_writes
       ?region_assoc ~region_mem_assoc)

let memory_detailed_reads ~mode ~type_safe ~callee_writes ~callee_reads
    ?region_assoc ~region_mem_assoc ~already_used =
  let read_effects = callee_reads.jc_effect_memories in
  let read_effects =
    if type_safe then
      match mode with
	| #param_mode | `MEffect ->
	    translate_memory_effects ~region_mem_assoc read_effects
	| `MLocalEffect | `MLocal -> read_effects
    else read_effects
  in
  let write_effects = callee_writes.jc_effect_memories in
  let write_effects =
    if type_safe then
      match mode with
	| #param_mode | `MEffect ->
	    translate_memory_effects ~region_mem_assoc write_effects
	| `MLocalEffect | `MLocal -> write_effects
    else write_effects
  in
  let reads =
    MemoryMap.fold
      (fun (mc,distr) _labs acc ->
	 if has_memory (mc,distr) write_effects then
	   (* Memory is written, thus it is already taken care of
	      as a parameter. *)
	   match mode with
	     | #param_or_local_mode -> acc
	     | #effect_mode ->
		 add_memory_argument
		   ~mode ~type_safe ~no_deref:false (mc,distr) ?region_assoc acc
	 else if mutable_memory (get_current_function ()) (mc,distr) then
	   add_memory_argument
	     ~mode ~type_safe ~no_deref:false (mc,distr) ?region_assoc acc
	 else
	   (* Memory is immutable, thus it is not passed by
	      reference. As such, it cannot be counted in effects. *)
	   match mode with
	     | #param_or_local_mode ->
		 add_memory_argument
		   ~mode ~type_safe ~no_deref:false (mc,distr) ?region_assoc acc
	     | #effect_mode -> acc
      ) read_effects []
  in
  let already_used = StringSet.of_list already_used in
  if type_safe then
    (* non-interference precondition added later on *)
(*     let () = check_no_duplicates ~already_used reads in *)
    reads
  else
    remove_duplicates ~already_used reads

let memory_reads ~mode ~type_safe ~callee_writes ~callee_reads
    ?region_assoc ~region_mem_assoc ~already_used =
  List.map snd
    (memory_detailed_reads ~mode ~type_safe ~callee_writes ~callee_reads
       ?region_assoc ~region_mem_assoc ~already_used)

let global_writes ~callee_writes =
  VarMap.fold
    (fun v _labs acc ->
       let n,ty' = param ~type_safe:false v in
       (plain_var n,ty') :: acc
    ) callee_writes.jc_effect_globals []

let global_reads ~callee_reads =
  VarMap.fold
    (fun v _labs acc ->
       let n,ty' = param ~type_safe:false v in
       (plain_var n,ty') :: acc
    ) callee_reads.jc_effect_globals []

let local_reads ~callee_reads =
  VarMap.fold
    (fun v _labs acc ->
       let n,ty' = param ~type_safe:false v in
       (plain_var n,ty') :: acc
    ) callee_reads.jc_effect_locals []

(* Yannick: change this to avoid recovering the real type from its name
   in mutable and committed effects *)

(*
let write_mutable callee_writes =
  StringSet.fold
    (fun v acc -> (mutable_name2 v)::acc) callee_writes.jc_effect_mutable []

let read_mutable callee_reads =
  StringSet.fold
    (fun v acc -> (mutable_name2 v)::acc) callee_reads.jc_effect_mutable []

let write_committed callee_writes =
  StringSet.fold
    (fun v acc -> (committed_name2 v)::acc) callee_writes.jc_effect_committed []

let read_committed callee_reads =
  StringSet.fold
    (fun v acc -> (committed_name2 v)::acc) callee_reads.jc_effect_committed []
*)

let make_region_assoc region_list =
  List.map (fun r -> (r,r)) region_list

let write_model_parameters
    ~type_safe ~mode ~callee_reads ~callee_writes ?region_list ~params () =
  assert (Jc_effect.same_effects callee_reads callee_reads);
  let region_assoc = Option_misc.map make_region_assoc region_list in
  let region_mem_assoc = make_region_mem_assoc ~params in
  let callee_writes = rewrite_effects ~type_safe ~params callee_writes in
  let write_allocs =
    alloc_table_writes ~mode ~type_safe ~callee_writes
      ?region_assoc ~region_mem_assoc
  in
  let write_tags =
    tag_table_writes ~mode ~callee_writes ?region_assoc ()
  in
  let write_mems =
    memory_writes ~mode ~type_safe ~callee_writes
      ?region_assoc ~region_mem_assoc
  in
  let write_globs = match mode with
    | #param_or_local_mode -> []
    | #effect_mode -> global_writes ~callee_writes
  in
  (* TODO: add mutable and committed effects *)
  write_allocs @ write_tags @ write_mems @ write_globs

let write_parameters
    ~type_safe ~region_list ~callee_reads ~callee_writes ~params =
  let vars' =
    write_model_parameters ~type_safe ~mode:`MFunParam
      ~callee_reads ~callee_writes ~region_list ~params ()
  in
  List.map (function ({expr_node = Var n},ty') -> (n,ty') | _ -> assert false) vars'

let write_locals ~region_list ~callee_reads ~callee_writes ~params =
  let vars' =
    write_model_parameters ~type_safe:false ~mode:`MLocal
      ~callee_reads ~callee_writes ~region_list ~params ()
  in
  List.map (function ({expr_node = Var n},ty') -> (n,ty') | _ -> assert false) vars'

let write_effects ~callee_reads ~callee_writes ~region_list ~params =
  let vars' =
    write_model_parameters ~type_safe:true ~mode:`MEffect
      ~callee_reads ~callee_writes ~region_list ~params ()
  in
  List.map (function ({expr_node = Var n},_ty') -> n | _ -> assert false) vars'

let local_write_effects ~callee_reads ~callee_writes =
  let vars' =
    write_model_parameters ~type_safe:false ~mode:`MLocalEffect
      ~callee_reads ~callee_writes ~params:[] ()
  in
  List.map (var_name' $ fst) vars'

let read_model_parameters ~type_safe ~mode ~callee_reads ~callee_writes
    ?region_list ~params ~already_used () =
  let region_assoc = Option_misc.map make_region_assoc region_list in
  let region_mem_assoc = make_region_mem_assoc ~params in
  let callee_reads = rewrite_effects ~type_safe ~params callee_reads in
  let callee_writes = rewrite_effects ~type_safe ~params callee_writes in
  let read_allocs =
    alloc_table_reads ~mode ~type_safe ~callee_reads ~callee_writes
      ?region_assoc ~region_mem_assoc ~already_used
  in
  let read_tags =
    tag_table_reads ~mode ~callee_reads ~callee_writes ?region_assoc ()
  in
  let read_mems =
    memory_reads ~mode ~type_safe ~callee_reads ~callee_writes
      ?region_assoc ~region_mem_assoc ~already_used
  in
  let read_globs = match mode with
    | #param_or_local_mode -> []
    | #effect_mode -> global_reads ~callee_reads
  in
  let read_locs = match mode with
    | #param_or_local_mode | `MEffect -> []
    | `MLocalEffect -> local_reads ~callee_reads
  in
  (* TODO: add mutable and committed effects *)
  read_allocs @ read_tags @ read_mems @ read_globs @ read_locs

let read_parameters
    ~type_safe ~region_list ~callee_reads ~callee_writes ~params ~already_used =
  let vars' =
    read_model_parameters ~type_safe ~mode:`MFunParam
      ~callee_reads ~callee_writes ~region_list ~params ~already_used ()
  in
  List.map (function ({expr_node = Var n},ty') -> (n,ty') | _ -> assert false) vars'

let read_locals ~region_list ~callee_reads ~callee_writes ~params =
  let vars' =
    read_model_parameters ~type_safe:false ~mode:`MLocal
      ~callee_reads ~callee_writes ~region_list ~params ~already_used:[] ()
  in
  List.map (function ({expr_node = Var n},ty') -> (n,ty')
              | ({expr_node = Deref n},ty') ->
	          printf "Deref %s with type %a@." n Output.fprintf_logic_type ty';
	          assert false
	      | _ -> assert false
	   ) vars'

let read_effects ~callee_reads ~callee_writes ~region_list ~params =
  let vars' =
    read_model_parameters ~type_safe:true ~mode:`MEffect
      ~callee_reads ~callee_writes ~region_list ~params ~already_used:[] ()
  in
  List.map (var_name' $ fst) vars'

let local_read_effects ~callee_reads ~callee_writes =
  let vars' =
    read_model_parameters ~type_safe:false ~mode:`MLocalEffect
      ~callee_reads ~callee_writes ~params:[] ~already_used:[] ()
  in
  List.map (var_name' $ fst) vars'

let alloc_table_arguments ~callee_reads ~callee_writes ~region_assoc
    ~region_mem_assoc =
  let writes =
    alloc_table_detailed_writes
      ~mode:`MAppParam ~type_safe:true ~callee_writes
      ~region_assoc ~region_mem_assoc
  in
  let reads =
    alloc_table_detailed_reads
      ~mode:`MAppParam ~type_safe:true ~callee_reads ~callee_writes
      ~region_assoc ~region_mem_assoc ~already_used:[]
  in
  let pointer_of_parameter = function
      (((ac,_distr),locr),(_v',_ty')) ->
	let pc = match ac with
	  | JCalloc_root vi -> JCroot vi
	  | JCalloc_bitvector -> assert false
	in
	(pc,locr)
  in
  let wpointers = List.map pointer_of_parameter writes in
  let rpointers = List.map pointer_of_parameter reads in
  let write_arguments = List.map (fst $ snd) writes in
  let read_arguments = List.map (fst $ snd) reads in
  wpointers, rpointers, write_arguments, read_arguments

let tag_table_arguments ~callee_reads ~callee_writes ~region_assoc =
  let writes =
    tag_table_writes ~mode:`MAppParam ~callee_writes ~region_assoc ()
  in
  let reads =
    tag_table_reads
      ~mode:`MAppParam ~callee_reads ~callee_writes ~region_assoc ()
  in
  (List.map fst writes), (List.map fst reads)

let specialized_functions = StringHashtblIter.create 0

let memory_arguments ~callee_reads ~callee_writes ~region_assoc
    ~region_mem_assoc ~param_assoc ~with_body fname =
  let writes =
    memory_detailed_writes
      ~mode:`MAppParam ~type_safe:true ~callee_writes
      ~region_assoc ~region_mem_assoc
  in
  let reads =
    memory_detailed_reads
      ~mode:`MAppParam ~type_safe:true ~callee_reads ~callee_writes
      ~region_assoc ~region_mem_assoc ~already_used:[]
  in
  let pointer_of_parameter = function
      (((mc,_distr),locr),(_v',_ty')) ->
	let pc = match mc with
	  | JCmem_field fi -> JCtag(fi.jc_field_info_struct,[])
	  | JCmem_plain_union vi -> JCroot vi
	  | JCmem_bitvector -> assert false
	in
	(pc,locr)
  in
  let wpointers = List.map pointer_of_parameter writes in
  let rpointers = List.map pointer_of_parameter reads in
  let remove_local effects =
    List.map (fun ((mem,_locr),(v',ty')) -> (mem,(v',ty'))) effects
  in
  let writes' = remove_local writes and reads' = remove_local reads in
  (* Check if there are duplicates between reads and writes *)
  let write_names = List.map (var_name' $ fst $ snd) writes in
  let read_names = List.map (var_name' $ fst $ snd) reads in
  let rw_inter_names =
    StringSet.inter
      (StringSet.of_list write_names) (StringSet.of_list read_names)
  in
  let rw_pre =
    if StringSet.is_empty rw_inter_names then
      LTrue (* no read/write interference *)
    else if not with_body then
      LTrue (* no body in which region assumptions must be verified *)
    else
      write_read_separation_condition
	~callee_reads ~callee_writes ~region_assoc ~param_assoc
	rw_inter_names writes' reads'
  in
  (* TODO: rewrite postcondition to assert it after the call, when
     there is an interference. see, e.g., example [separation.c] in Jessie
     tests.
  *)
  (* Check if there are duplicates between writes *)
  let ww_inter_names =
    snd (List.fold_left
	   (fun (first_occur,next_occur) n ->
	      if StringSet.mem n first_occur then
		first_occur, StringSet.add n next_occur
	      else StringSet.add n first_occur, next_occur
	   ) (StringSet.empty,StringSet.empty) write_names)
  in
  let ww_pre =
    if StringSet.is_empty ww_inter_names then
      LTrue (* no write/write interference *)
    else if not with_body then
      LTrue (* no body in which region assumptions must be verified *)
    else
      write_write_separation_condition
	~callee_reads ~callee_writes ~region_assoc ~param_assoc
	ww_inter_names writes' reads'
  in
  let pre = make_and rw_pre ww_pre in
  if pre = LTrue then
    let writes = List.map (fst $ snd) writes in
    let reads = List.map (fst $ snd) reads in
    LTrue, fname, wpointers, rpointers, writes, reads
  else
    (* Presence of interferences. Function must be specialized. *)
    let new_fname = unique_name (fname ^ "_specialized") in
    let writes, name_assoc, already_used_names =
      List.fold_right
	(fun ((mc,distr),(v,_ty)) (acc,name_assoc,already_used_names) ->
	   let n = var_name' v in
	   if StringMap.mem n already_used_names then
	     let ndest = StringMap.find n already_used_names in
	     let nsrc = memory_name (mc,distr) in
	     acc, StringMap.add nsrc ndest name_assoc, already_used_names
	   else
	     let ndest = memory_name (mc,distr) in
	     v :: acc, name_assoc, StringMap.add n ndest already_used_names
	) writes' ([], StringMap.empty, StringMap.empty)
    in
    let reads, name_assoc, _ =
      List.fold_right
	(fun ((mc,distr),(v,_ty)) (acc,name_assoc,already_used_names) ->
	   let n = var_name' v in
	   if StringMap.mem n already_used_names then
	     let ndest = StringMap.find n already_used_names in
	     let nsrc = memory_name (mc,distr) in
	     acc, StringMap.add nsrc ndest name_assoc, already_used_names
	   else
	     let ndest = memory_name (mc,distr) in
	     v :: acc, name_assoc, StringMap.add n ndest already_used_names
	) reads' ([], name_assoc, already_used_names)
    in
    StringHashtblIter.add specialized_functions new_fname (fname,name_assoc);
    pre, new_fname, wpointers, rpointers, writes, reads

let global_arguments ~callee_reads ~callee_writes ~region_assoc:_ =
  let writes = global_writes ~callee_writes in
  let reads = global_reads ~callee_reads in
  (List.map fst writes), (List.map fst reads)

(* Identify bitwise arguments and generate appropriate typed ones *)
let make_bitwise_arguments alloc_wpointers alloc_rpointers
    mem_wpointers mem_rpointers =
  let bw_pointers pointers =
    PointerSet.of_list (List.filter (Region.bitwise $ snd) pointers)
  in
  let bw_alloc_wpointers = bw_pointers alloc_wpointers in
  let bw_alloc_rpointers = bw_pointers alloc_rpointers in
  let bw_alloc_pointers =
    PointerSet.union bw_alloc_wpointers bw_alloc_rpointers
  in
  let bw_mem_wpointers = bw_pointers mem_wpointers in
  let bw_mem_rpointers = bw_pointers mem_rpointers in
  let bw_mem_pointers =
    PointerSet.union bw_mem_wpointers bw_mem_rpointers
  in
  let bw_pointers =
    PointerSet.union bw_alloc_pointers bw_mem_pointers
  in

  let locals,prolog,epilog =
    List.fold_left
      (fun (acc,pro,epi) (pc,r as pointer) ->
	 let alloc_locals,alloc_ofapp =
	   if PointerSet.mem_region r bw_alloc_pointers then
	     make_ofbit_alloc_param_app r pc
	   else [], void
	 in
	 let mem_locals,mem_ofapp =
	   if PointerSet.mem pointer bw_mem_pointers then
	     make_ofbit_mem_param_app r pc
	   else [], void
	 in
	 let alloc_toapp =
	   if PointerSet.mem_region r bw_alloc_wpointers then
	     make_tobit_alloc_param_app r pc
	   else void
	 in
	 let mem_toapp =
	   if PointerSet.mem pointer bw_mem_wpointers then
	     make_tobit_mem_param_app r pc
	   else void
	 in
	 let locals = alloc_locals @ mem_locals in
	 let ofapp = append alloc_ofapp mem_ofapp in
	 let toapp = append alloc_toapp mem_toapp in
	 locals @ acc, append ofapp pro, append toapp epi
      ) ([],void,void) (PointerSet.to_list bw_pointers)
  in
  let locals =
    fst (List.fold_left
	   (fun (acc,already_used) entry ->
	      (* Accumulate entry only if not already present *)
	      let n = fst entry in
	      if StringSet.mem n already_used then
		acc, already_used
	      else
		entry :: acc, StringSet.add n already_used
	   ) ([],StringSet.empty) locals)
  in
  locals,prolog,epilog

let make_arguments
    ~callee_reads ~callee_writes ~region_assoc ~param_assoc
    ~with_globals ~with_body fname args =
  let params = List.map fst param_assoc in
  let region_mem_assoc = make_region_mem_assoc ~params in
  let alloc_wpointers, alloc_rpointers, write_allocs, read_allocs =
    alloc_table_arguments ~callee_reads ~callee_writes ~region_assoc
      ~region_mem_assoc
  in
  let write_tags, read_tags =
    tag_table_arguments ~callee_reads ~callee_writes ~region_assoc
  in
  let pre_mems, fname, mem_wpointers, mem_rpointers, write_mems, read_mems =
    memory_arguments ~callee_reads ~callee_writes ~region_assoc
      ~region_mem_assoc ~param_assoc ~with_body fname
  in
  let write_globs, read_globs =
    if with_globals then
      global_arguments ~callee_reads ~callee_writes ~region_assoc
    else
      [], []
  in
  let locals, prolog, epilog =
    make_bitwise_arguments alloc_wpointers alloc_rpointers
      mem_wpointers mem_rpointers
  in
  (* Return complete list of arguments *)
  (* TODO: add mutable and committed effects *)
  let args =
    args
    @ write_allocs @ write_tags @ write_mems @ write_globs
    @ read_allocs @ read_tags @ read_mems @ read_globs
  in
  pre_mems, fname, locals, prolog, epilog, args

let tmemory_detailed_params ~label_in_name ?region_assoc ?label_assoc reads =
  MemoryMap.fold
    (fun (mc,distr) labs acc ->
       let locr = match region_assoc with
	 | None -> distr
	 | Some region_assoc ->
	     match transpose_region ~region_assoc distr with
	       | Some r -> r
	       | None -> failwith "Unexpected internal region in logic"
       in
       LogicLabelSet.fold
	 (fun lab acc ->
	    let lab = transpose_label ~label_assoc lab in
	    let param = tmemory_param ~label_in_name lab (mc,locr) in
	    ((mc,locr), param) :: acc
	 ) labs acc
    ) reads.jc_effect_memories []

let tmemory_params ~label_in_name ?region_assoc ?label_assoc reads =
  List.map snd
    (tmemory_detailed_params ~label_in_name ?region_assoc ?label_assoc reads)

let talloc_table_detailed_params
    ~label_in_name ?region_assoc ?label_assoc reads =
  AllocMap.fold
    (fun (ac,distr) labs acc ->
       let locr = match region_assoc with
	 | None -> distr
	 | Some region_assoc ->
	     match transpose_region ~region_assoc distr with
	       | Some r -> r
	       | None -> failwith "Unexpected internal region in logic"
       in
       LogicLabelSet.fold
	 (fun lab acc ->
	    let lab = transpose_label ~label_assoc lab in
	    let param = talloc_table_param ~label_in_name lab (ac,locr) in
	    ((ac,locr), param) :: acc
	 ) labs acc
    ) reads.jc_effect_alloc_tables []

let talloc_table_params ~label_in_name ?region_assoc ?label_assoc reads =
  List.map snd
    (talloc_table_detailed_params
       ~label_in_name ?region_assoc ?label_assoc reads)

let ttag_table_detailed_params ~label_in_name ?region_assoc ?label_assoc reads =
  TagMap.fold
    (fun (vi,distr) labs acc ->
       let locr = match region_assoc with
	 | None -> distr
	 | Some region_assoc ->
	     match transpose_region ~region_assoc distr with
	       | Some r -> r
	       | None -> failwith "Unexpected internal region in logic"
       in
       LogicLabelSet.fold
	 (fun lab acc ->
	    let lab = transpose_label ~label_assoc lab in
	    let param = ttag_table_param ~label_in_name lab (vi,locr) in
	    ((vi,locr), param) :: acc
	 ) labs acc
    ) reads.jc_effect_tag_tables []

let ttag_table_params ~label_in_name ?region_assoc ?label_assoc reads =
  List.map snd
    (ttag_table_detailed_params
       ~label_in_name ?region_assoc ?label_assoc reads)

let tglob_detailed_params ~label_in_name ?region_assoc:_ ?label_assoc reads =
  VarMap.fold
    (fun v labs acc ->
       LogicLabelSet.fold
	 (fun lab acc ->
	    let lab = transpose_label ~label_assoc lab in
	    let param = tparam ~label_in_name lab v in
	    (v, param) :: acc
	 ) labs acc
    ) reads.jc_effect_globals []

let tglob_params ~label_in_name ?region_assoc ?label_assoc reads =
  List.map snd
    (tglob_detailed_params ~label_in_name ?region_assoc ?label_assoc reads)

let tmodel_parameters ~label_in_name ?region_assoc ?label_assoc reads =
  let allocs =
    talloc_table_params ~label_in_name ?region_assoc ?label_assoc reads
  in
  let tags =
    ttag_table_params ~label_in_name ?region_assoc ?label_assoc reads
  in
  let mems =
    tmemory_params ~label_in_name ?region_assoc ?label_assoc reads
  in
  let globs =
    tglob_params ~label_in_name ?region_assoc ?label_assoc reads
  in
  allocs @ tags @ mems @ globs

let make_logic_arguments ~label_in_name ~region_assoc ~label_assoc f args =
  let model_params =
    tmodel_parameters ~label_in_name ~region_assoc ~label_assoc
      f.jc_logic_info_effects
  in
  let model_args = List.map (fun (_n,v,_ty') -> v) model_params in
  args @ model_args

let make_logic_fun_call ~label_in_name ~region_assoc ~label_assoc f args =
  if Jc_options.debug then printf "logic call to %s@." f.jc_logic_info_name;
  let args =
    make_logic_arguments ~label_in_name ~region_assoc ~label_assoc f args
  in
  LApp(f.jc_logic_info_final_name, args)

let make_logic_pred_call ~label_in_name ~region_assoc ~label_assoc f args =
  if Jc_options.debug then printf "logic pred call to %s@." f.jc_logic_info_name;
  let args =
    make_logic_arguments ~label_in_name ~region_assoc ~label_assoc f args
  in
  LPred(f.jc_logic_info_final_name, args)


(* *)
let logic_info_reads acc li =
  let acc =
    MemoryMap.fold
      (fun (mc,r) _ acc ->
	 StringSet.add (memory_name(mc,r)) acc)
      li.jc_logic_info_effects.jc_effect_memories
      acc
  in
  let acc =
    AllocMap.fold
      (fun (ac,r) _labs acc ->
	 StringSet.add (alloc_table_name (ac, r)) acc)
      li.jc_logic_info_effects.jc_effect_alloc_tables
      acc
  in
  TagMap.fold
    (fun v _ acc -> StringSet.add (tag_table_name v) acc)
    li.jc_logic_info_effects.jc_effect_tag_tables
    acc


(* fold all effects into a list *)
let all_effects ef =
  let res =
    MemoryMap.fold
      (fun (mc,r) _labels acc ->
	let mem = memory_name(mc,r) in
	if Region.polymorphic r then
(*	  if RegionList.mem r f.jc_fun_info_param_regions then
	    if FieldRegionMap.mem (fi,r)
	      f.jc_fun_info_effects.jc_writes.jc_effect_memories
	    then mem::acc
	    else acc
	  else acc*)
	  assert false (* TODO *)
	else mem::acc)
      ef.jc_effect_memories
      []
  in
  let res =
    VarMap.fold
      (fun v _labs acc -> v.jc_var_info_final_name::acc)
      ef.jc_effect_globals
      res
  in
  let res =
    AllocMap.fold
      (fun (a,r) _labs acc ->
	let alloc = alloc_table_name(a,r) in
	if Region.polymorphic r then
(*	  if RegionList.mem r f.jc_fun_info_param_regions then
	    if AllocSet.mem (a,r)
	      f.jc_fun_info_effects.jc_writes.jc_effect_alloc_tables
	    then alloc::acc
	    else acc
	  else acc*)
	  assert false (* TODO *)
	else alloc::acc)
      ef.jc_effect_alloc_tables
      res
  in
  let res =
    TagMap.fold
      (fun v _ acc -> (tag_table_name v)::acc)
      ef.jc_effect_tag_tables
      res
  in
  let res =
    StringSet.fold
      (fun v acc -> (mutable_name2 v)::acc)
      ef.jc_effect_mutable
      res
  in
  let res =
    StringSet.fold
      (fun v acc -> (committed_name2 v)::acc)
      ef.jc_effect_committed
      res
  in
  res


(*
Local Variables:
compile-command: "LC_ALL=C make -j -C .. bin/jessie.byte"
End:
*)
why-2.39/jc/numconst.mll0000644000106100004300000001556413147234006014214 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

(*i $Id: numconst.mll,v 1.7 2008-11-05 14:03:16 filliatr Exp $ i*)

(* evaluation of integer literals *)

{

  open Lexing
  open Num

  let zero = num_of_int 0
  let eight = num_of_int 8
  let ten = num_of_int 10
  let sixteen = num_of_int 16

  let val_char = function
    | '0' -> 0
    | '1' -> 1
    | '2' -> 2
    | '3' -> 3
    | '4' -> 4
    | '5' -> 5
    | '6' -> 6
    | '7' -> 7
    | '8' -> 8
    | '9' -> 9
    | 'a' | 'A' -> 10
    | 'b' | 'B' -> 11
    | 'c' | 'C' -> 12
    | 'd' | 'D' -> 13
    | 'e' | 'E' -> 14
    | 'f' | 'F' -> 15
    | _ -> assert false

  let val_char c = num_of_int (val_char c)

(*
  let check_bounds loc hexa accu suffix =
    match String.lowercase suffix with
      | "" ->
	  if accu > 0x7FFFFFFFL then 
	     if hexa then warning loc "Constant too large for a int"
                     else raise Constant_too_large
          else
	    if accu > 0x7FFFL then 
	      warning loc
		"this constant overflows if sizeof(int)<=16";
	  accu 
      | "u" ->
	  if accu > 0xFFFFFFFFL then raise Constant_too_large;
	  if accu > 0xFFFFL then 
	    warning loc
	      "this constant overflows if sizeof(int)<=16";
	  accu 
      | "l" ->
	  if accu > 0x7FFFFFFFL then raise Constant_too_large else accu 
      | "ul" | "lu" ->
	  if accu > 0xFFFFFFFFL then raise Constant_too_large else accu 
      | "ll" ->
	  if accu > 0x7FFFFFFFFFFFFFFFL then raise Constant_too_large else accu
      | "ull" | "llu" -> accu 
      | _ ->
	  raise (Invalid ("suffix '" ^ suffix ^ "' on integer constant")) 
*)

}

let rD =	['0'-'9']
let rL = ['a'-'z' 'A'-'Z' '_']
let rH = ['a'-'f' 'A'-'F' '0'-'9']
(*
let rE = ['E''e']['+''-']? rD+
let rFS	= ('f'|'F'|'l'|'L')
*)
let rIS = ('u'|'U'|'l'|'L')

(*
  | '0'['x''X'] rH+ rIS?    { CONSTANT (IntConstant (lexeme lexbuf)) }
  | '0' rD+ rIS?            { CONSTANT (IntConstant (lexeme lexbuf)) }
  | rD+ rIS?                { CONSTANT (IntConstant (lexeme lexbuf)) }
  | 'L'? "'" [^ '\n' '\'']+ "'"     { CONSTANT (IntConstant (lexeme lexbuf)) }
*)

rule eval_int = parse

  | '0'['x''X']  { eval_hexa zero lexbuf }
  | "'" { eval_char lexbuf }
  | '0' { eval_octa zero lexbuf}
  | ['1'-'9'] as d { eval_deci (val_char d) lexbuf}
  | "-" { minus_num(eval_int lexbuf) }
  | 'L' { invalid_arg "extended characters not yet implemented" } 
  | eof { invalid_arg "empty literal" }
  | _   { invalid_arg ("Illegal character " ^ lexeme lexbuf) }

and eval_hexa accu = parse
  | rH as d { (* if accu >= 0x10000000L then raise Constant_too_large; *)
	  let accu = add_num (mult_num sixteen accu) (val_char d) in 
	  eval_hexa accu lexbuf }
  | eof { (* check_bounds loc true *) accu (*""*) }
  | rIS+ as _s { (*check_bounds loc true *) accu (* s *) }
  | _ { invalid_arg ("digit '" ^ (lexeme lexbuf) ^ 
		       "' in hexadecimal constant") }

and eval_deci accu = parse
  | rD as c 
      { (* if accu >= 0x10000000L then raise Constant_too_large; *)
	let accu = add_num (mult_num ten accu) (val_char c) in 
	eval_deci accu lexbuf }
  | eof 
      { (* check_bounds loc false *) accu (* "" *) }
  | rIS+ as _s
      { (* check_bounds loc false *) accu (* s *) }
  | _ 
      { invalid_arg ("digit '" ^ (lexeme lexbuf) ^ 
			"' in decimal constant") }

and eval_octa accu = parse
  | ['0'-'7'] as d
      { (* if accu >= 0x10000000L then raise Constant_too_large; *)
	let accu = add_num (mult_num eight accu) (val_char d) in 
	eval_octa accu lexbuf }
  | eof { (* check_bounds loc false *) accu (* "" *) }
  | rIS+ as _s { (* check_bounds loc false *) accu (* s *) }
  | _ { invalid_arg ("digit '" ^ (lexeme lexbuf) ^ 
			"' in octal constant") }

and eval_char = parse
  | "\\n'" { num_of_int (Char.code '\n') }
  | "\\t'" { num_of_int (Char.code '\t') }
  | "\\v'" { num_of_int 11 }
  | "\\a'" { num_of_int 7 }
  | "\\b'" { num_of_int (Char.code '\b') }
  | "\\r'" { num_of_int (Char.code '\r') }
  | "\\f'" { num_of_int 12 }
  | "\\\\'" { num_of_int (Char.code '\\') }
  | "\\?'" { num_of_int (Char.code '?') }
  | "\\''" { num_of_int (Char.code '\'') }
  | "\\\"'" { num_of_int (Char.code '"') }
  | "\\" (['0'-'7'] ['0'-'7']? ['0'-'7']? as s) "'" 
      { num_of_int (int_of_string ("0o" ^ s)) }
  | "\\" (['0'-'9'] ['0'-'9']? ['0'-'9']? as s) "'" 
      { invalid_arg ("digits '" ^ s ^ "' in octal constant") }
  | "\\x" (rH rH? as s) "'" { num_of_int (int_of_string ("0x" ^ s)) }
  | "\\u" (rH rH rH rH as s) "'" { num_of_int (int_of_string ("0x" ^ s)) }
  | (_ as c) "'" { num_of_int (Char.code c) }
  | [^'\'']* as s "'"  
      { invalid_arg ("cannot evaluate char constant '" ^ s ^"'") }

{

  let integer s =
(*
    try
*)
      let lb = Lexing.from_string s in
      eval_int lb
(*
    with
      | Constant_too_large -> error loc "constant too large"
      | Invalid msg -> error loc "invalid constant: %s" msg
*)

    
}
why-2.39/jc/jc_struct_tools.mli0000644000106100004300000001031213147234006015545 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

open Jc_env

(** Convert class or memory to class of allocation. *)
val alloc_class_of_mem_class: mem_class -> alloc_class

(** Convert class or pointer to class of allocation. *)
val alloc_class_of_pointer_class: pointer_class -> alloc_class

(** Convert a class of allocation into the corresponding variant. *)
val variant_of_alloc_class: alloc_class -> root_info

val variant_of_mem_class: mem_class -> root_info

(** Return whether a field is embedded or not. *)
val embedded_field: field_info -> bool

(** Return the bit offset of a field. *)
val field_offset: field_info -> int

(** Return the byte offset of a field, if any. *)
val field_offset_in_bytes: field_info -> int option

val field_type_has_bitvector_representation: field_info -> bool

(** Return the size in bytes of a structure. *)
val struct_size_in_bytes: struct_info -> int

(** Return whether the structure has a size. *)
val struct_has_size: struct_info -> bool

(** Return all the fields of a structure or a variant.
A variant has no field.
A structure has its fields and the fields of its ancestors. *)
val all_fields: pointer_class -> field_info list

(** Selects fully allocated fields. *)
val fully_allocated: field_info -> bool

(** Return all the memories used by a structure, i.e.: its fields,
the fields of its ancestors, and recursively the fields of its fields.
The "select" argument can be used to ignore specific fields. *)
val all_memories: 
  ?select:(field_info -> bool) -> pointer_class -> mem_class list

(** Return all the variants used by a structure, i.e.: the type of all
pointers returned by all_memories. *)
val all_types: ?select:(field_info -> bool) -> pointer_class ->
  root_info list

(** Return all the classes of allocation used by a structure *)
val all_allocs: 
  ?select:(field_info -> bool) -> pointer_class -> alloc_class list

(** Return all the variant info used by a structure *)
val all_tags: 
  ?select:(field_info -> bool) -> pointer_class -> root_info list


(*
Local Variables: 
compile-command: "LC_ALL=C make -j -C .. bin/jessie.byte"
End: 
*)
why-2.39/jc/jc_stdlib_lt312.ml0000644000106100004300000001713213147234006015045 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



module List = struct
  include List

  let cons e l = e::l

  let as_singleton = function
    | [e] -> e
    | _ -> failwith "as_singleton"

  let mem_assoc_eq f k l =
    fold_left (fun v_opt (k',v') -> 
		 match v_opt with
		   | None ->
		       if f k k' then Some v' else None
		   | Some v -> Some v
	      ) None l

  let all_pairs l =
    let rec aux acc = function
      | e :: l ->
	  let acc = fold_left (fun acc e' -> (e,e') :: acc) acc l in
	  aux acc l
      | [] -> acc
    in
    aux [] l

  let map_fold f acc l =
    let (rev,acc) = List.fold_left 
      (fun (rev,acc) e -> let (e,acc) = (f acc e) in (e::rev,acc)) 
      ([],acc) l in
    (List.rev rev,acc)

  let fold_all_part f acc =
    let rec aux acc part = function
    | [] -> f acc part
    | a::l -> aux (aux acc (a::part) l) part l in
    aux acc []

end

module Set = struct

  module type OrderedType = Set.OrderedType

  module type S = sig
    include Set.S
    val of_list: elt list -> t
    val to_list: t -> elt list
  end

  module Make(Ord : OrderedType) : S with type elt = Ord.t = struct
    include Set.Make(Ord)

    let of_list ls =
      List.fold_left (fun s e -> add e s) empty ls

    let to_list s =
      fold (fun e acc -> e :: acc) s []

  end
end

module Map = struct

  module type OrderedType = Map.OrderedType

  module type S = sig
    include Map.S
    val elements: 'a t -> (key * 'a) list
    val keys: 'a t -> key list
    val values: 'a t -> 'a list
    val to_list: 'a t -> (key * 'a) list
    val exists: (key -> 'a -> bool) -> 'a t -> bool
    val filter: (key -> 'a -> bool) -> 'a t -> 'a t
    val find_or_default: key -> 'a -> 'a t -> 'a
    val find_or_none: key -> 'a t -> 'a option
    val merge: ('a -> 'a -> 'a) -> 'a t -> 'a t -> 'a t
    val add_merge: ('a -> 'a -> 'a) -> key -> 'a -> 'a t -> 'a t
    val diff_merge: ('a -> 'a -> 'a) -> ('a -> bool) -> 'a t -> 'a t -> 'a t
    val inter_merge: ('a -> 'a -> 'a) -> ('a -> bool) -> 'a t -> 'a t -> 'a t
    val inter_merge_option: ('a -> 'b -> 'c option) -> 'a t -> 'b t -> 'c t
  end

  module Make(Ord : OrderedType) : S with type key = Ord.t = struct
    include Map.Make(Ord)

    let elements m =
      fold (fun k v acc -> (k,v) :: acc) m []

    let keys m = 
      fold (fun k _v acc -> k :: acc) m []

    let values m = 
      fold (fun _k v acc -> v :: acc) m []

    let to_list m =
      fold (fun k v acc -> (k,v) :: acc) m []

    let exists f m =
      fold (fun k v b -> b || f k v) m false

    let filter f m =
      fold (fun k v m ->
	      if f k v then add k v m else m
	   ) m empty

    let find_or_default k v m =
      try find k m with Not_found -> v

    let find_or_none k m =
      try Some(find k m) with Not_found -> None

    let merge f m1 m2 =
      fold (fun k v1 m ->
	      try
		let v2 = find k m2 in
		add k (f v1 v2) m
	      with Not_found ->
		add k v1 m
	   ) m1 m2

    let add_merge f k v m =
      let v = 
	try f v (find k m)
	with Not_found -> v
      in 
      add k v m

    let diff_merge f g m1 m2 =
      fold (fun k v1 m ->
	      try
		let v2 = find k m2 in
		let v = f v1 v2 in
		if g v then m else add k v m
	      with Not_found ->
		add k v1 m
	   ) m1 empty

    let inter_merge f g m1 m2 =
      fold (fun k v1 m ->
	      try
		let v2 = find k m2 in
		let v = f v1 v2 in
		if g v then m else add k v m
	      with Not_found -> m
	   ) m1 empty

    let inter_merge_option f m1 m2 =
      fold (fun k v1 m ->
	      try
		let v2 = find k m2 in
		match f v1 v2 with
                  | Some v -> add k v m
                  | None -> m
	      with Not_found -> m
	   ) m1 empty
	
  end
end

module StdHashtbl = Hashtbl

module Hashtbl = struct

  module type HashedType = Hashtbl.HashedType

  module type S = sig 
    include Hashtbl.S
    val keys: 'a t -> key list
    val values: 'a t -> 'a list
    val choose: 'a t -> (key * 'a) option
    val remove_all : 'a t -> key -> unit
    val is_empty : 'a t -> bool
  end

  module type Std = sig
    type ('a, 'b) t
    val create : int -> ('a, 'b) t
    val clear : ('a, 'b) t -> unit
    val add : ('a, 'b) t -> 'a -> 'b -> unit
    val copy : ('a, 'b) t -> ('a, 'b) t
    val find : ('a, 'b) t -> 'a -> 'b
    val find_all : ('a, 'b) t -> 'a -> 'b list
    val mem : ('a, 'b) t -> 'a -> bool
    val remove : ('a, 'b) t -> 'a -> unit
    val replace : ('a, 'b) t -> 'a -> 'b -> unit
    val iter : ('a -> 'b -> unit) -> ('a, 'b) t -> unit
    val fold : ('a -> 'b -> 'c -> 'c) -> ('a, 'b) t -> 'c -> 'c
    val length : ('a, 'b) t -> int
    val hash : 'a -> int
    val hash_param : int -> int -> 'a -> int
  end

  include (Hashtbl : Std)

  module Make(H : HashedType) : S with type key = H.t = struct
    include Hashtbl.Make(H)

    let keys t = 
      fold (fun k _v acc -> k :: acc) t []

    let values t = 
      fold (fun _k v acc -> v :: acc) t []

    let choose t =
      let p = ref None in
      begin try
	iter (fun k v -> p := Some(k,v); failwith "Hashtbl.choose") t
      with Failure "Hashtbl.choose" -> () end;
      !p

    let remove_all t p =
      List.iter (fun _ -> remove t p) (find_all t p)

    let is_empty t =
      try
        iter (fun _ _ ->  raise Not_found) t;
        true
      with Not_found -> false          
  end

  let remove_all t p =
    List.iter (fun _ -> remove t p) (find_all t p)
      
  let is_empty t =
    try
      iter (fun _ _ ->  raise Not_found) t;
      true
    with Not_found -> false

end

(*
Local Variables: 
compile-command: "LC_ALL=C make -j -C .. bin/jessie.byte"
End: 
*)
why-2.39/jc/jc_effect.ml0000644000106100004300000015660513147234006014104 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)




open Jc_stdlib
open Jc_env
open Jc_envset
open Jc_region
open Jc_ast
open Jc_fenv

open Jc_name
open Jc_constructors
open Jc_pervasives
(*
open Jc_iterators
*)
open Jc_struct_tools

open Format
open Pp

type precision_mode = MApprox | MPrecise
let current_mode = ref MApprox

(* Constant memories *)
let constant_memories = StringHashtblIter.create 17

(* Constant allocation tables *)
let constant_alloc_tables = StringHashtblIter.create 17

(* Constant allocation tables *)
let constant_tag_tables = StringHashtblIter.create 17

let add_constant_memory (mc,r) =
  StringHashtblIter.add constant_memories (memory_name (mc,r)) (mc,r)

let add_constant_alloc_table (ac,r) =
  StringHashtblIter.add constant_alloc_tables (alloc_table_name (ac,r)) (ac,r)

let add_constant_tag_table (vi,r) =
  StringHashtblIter.add constant_tag_tables (tag_table_name (vi,r)) (vi,r)

(* Transposition for calls *)

let transpose_labels ~label_assoc labs =
  match label_assoc with
    | None -> labs
    | Some assoc ->
	LogicLabelSet.fold
	  (fun lab acc ->
	     let lab = try List.assoc lab assoc with Not_found -> lab in
	     LogicLabelSet.add lab acc)
	  labs LogicLabelSet.empty

let transpose_region ~region_assoc r =
  if Region.polymorphic r then
    try Some (RegionList.assoc r region_assoc)
    with Not_found -> None (* Local region *)
  else Some r

(* TODO: complete for recursive *)
let make_region_mem_assoc ~params =
  let aux acc r ty =
    if Region.bitwise r then
      match ty with
	| JCTpointer(pc,_,_) ->
	    let all_mems = all_memories pc in
	    List.fold_left (fun acc mc -> MemorySet.add (mc,r) acc) acc all_mems
	| JCTnative _ | JCTlogic _ | JCTenum _ | JCTnull | JCTany -> acc
	| JCTtype_var _ -> assert false
    else acc
  in
  List.fold_left
    (fun acc v -> aux acc v.jc_var_info_region v.jc_var_info_type)
    MemorySet.empty params

let transpose_alloc_table ~region_mem_assoc (ac,r) =
  if Region.bitwise r then
    try
      (* Translate bitwise allocation table into typed ones *)
      let mems = MemorySet.find_region r region_mem_assoc in
      MemorySet.fold (fun (mc,r) acc ->
		       let ac = alloc_class_of_mem_class mc in
		       AllocSet.add (ac,r) acc
		    ) mems AllocSet.empty
    with Not_found ->
      (* No possible effect on caller types *)
      AllocSet.empty
  else AllocSet.singleton (ac,r)

let transpose_tag_table ~region_mem_assoc (vi,r) =
  if Region.bitwise r then
    try
      (* Translate bitwise tag table into typed ones *)
      let mems = MemorySet.find_region r region_mem_assoc in
      MemorySet.fold (fun (mc,r) acc ->
		       let vi = variant_of_mem_class mc in
		       TagSet.add (vi,r) acc
		     ) mems TagSet.empty
    with Not_found ->
      (* No possible effect on caller types *)
      TagSet.empty
  else TagSet.singleton (vi,r)

let transpose_memory ~region_mem_assoc (mc,r) =
  if Region.bitwise r then
    try
      (* Translate bitwise memories into typed ones *)
      MemorySet.find_region r region_mem_assoc
    with Not_found ->
      (* No possible effect on caller types *)
      MemorySet.empty
  else MemorySet.singleton (mc,r)

let has_alloc_table (ac,r) alloc_effect =
  let allocs = AllocSet.of_list (AllocMap.keys alloc_effect) in
  if Region.bitwise r then AllocSet.mem_region r allocs
  else AllocSet.mem (ac,r) allocs

let has_memory (mc,r) mem_effect =
  let mems = MemorySet.of_list (MemoryMap.keys mem_effect) in
  if Region.bitwise r then MemorySet.mem_region r mems
  else MemorySet.mem (mc,r) mems

(* Printing effects *)

let print_list_assoc_label pr fmt ls =
  fprintf fmt "%a"
    (print_list comma
       (fun fmt (k,labs) ->
	  fprintf fmt "%a (%a)"
	    pr k
	    (print_list comma Jc_output_misc.label)
	    (LogicLabelSet.elements labs))
    ) ls

let print_alloc_table fmt (ac,r) =
  fprintf fmt "(%a,%a)" Jc_output_misc.alloc_class ac Region.print r

let print_tag_table fmt (vi,r) =
  fprintf fmt "(%s,%a)" vi.jc_root_info_name Region.print r

let print_memory fmt (mc,r) =
  fprintf fmt "(%a,%a)" Jc_output_misc.memory_class mc Region.print r

let print_location fmt (loc,(mc,r)) =
  fprintf fmt "(%a,%a)" Jc_output.location loc print_memory (mc,r)

let print_variable fmt v =
  fprintf fmt "%s" v.jc_var_info_name

let print_exception fmt exc =
  fprintf fmt "%s" exc.jc_exception_info_name

let print_effect fmt ef =
  fprintf fmt
"@[@[ alloc_table: @[%a@]@]@\n\
@[ tag_table: @[%a@]@]@\n\
@[ memories: @[%a@]@]@\n\
@[ raw memories: @[%a@]@]@\n\
@[ precise memories: @[%a@]@]@\n\
@[ globals: @[%a@]@]@\n\
@[ locals: @[%a@]@]@]@."
    (print_list_assoc_label print_alloc_table)
    (AllocMap.elements ef.jc_effect_alloc_tables)
    (print_list_assoc_label print_tag_table)
    (TagMap.elements ef.jc_effect_tag_tables)
    (print_list_assoc_label print_memory)
    (MemoryMap.elements ef.jc_effect_memories)
    (print_list_assoc_label print_memory)
    (MemoryMap.elements ef.jc_effect_raw_memories)
    (print_list_assoc_label print_location)
    (LocationMap.elements ef.jc_effect_precise_memories)
    (print_list_assoc_label print_variable)
    (VarMap.elements ef.jc_effect_globals)
    (print_list_assoc_label print_variable)
    (VarMap.elements ef.jc_effect_locals)

(* Operations on effects *)

let ef_union ef1 ef2 =
  {
    jc_effect_alloc_tables =
      AllocMap.merge LogicLabelSet.union
	ef1.jc_effect_alloc_tables ef2.jc_effect_alloc_tables;
    jc_effect_tag_tables =
      TagMap.merge LogicLabelSet.union
	ef1.jc_effect_tag_tables ef2.jc_effect_tag_tables;
    jc_effect_raw_memories =
      MemoryMap.merge LogicLabelSet.union
	ef1.jc_effect_raw_memories ef2.jc_effect_raw_memories;
    jc_effect_precise_memories =
      LocationMap.merge LogicLabelSet.union
	ef1.jc_effect_precise_memories ef2.jc_effect_precise_memories;
    jc_effect_memories =
      MemoryMap.merge LogicLabelSet.union
	ef1.jc_effect_memories ef2.jc_effect_memories;
    jc_effect_globals =
      VarMap.merge LogicLabelSet.union
	ef1.jc_effect_globals ef2.jc_effect_globals;
    jc_effect_locals =
      VarMap.merge LogicLabelSet.union
	ef1.jc_effect_locals ef2.jc_effect_locals;
    jc_effect_mutable =
      StringSet.union
	ef1.jc_effect_mutable ef2.jc_effect_mutable;
    jc_effect_committed =
      StringSet.union
	ef1.jc_effect_committed ef2.jc_effect_committed;
  }

let ef_filter_labels ~label_assoc ef =
  let filter_labels labs =
    List.fold_left
      (fun acc (l1,l2) ->
	 if LogicLabelSet.mem l2 labs then LogicLabelSet.add l1 acc else acc)
      LogicLabelSet.empty label_assoc
  in
  { ef with
      jc_effect_memories =
        MemoryMap.fold
	  (fun m labs acc ->
	     MemoryMap.add m (filter_labels labs) acc
	  ) ef.jc_effect_memories MemoryMap.empty;
  }

let ef_assoc ?label_assoc ~region_assoc ~region_mem_assoc ef =
  { ef with
      jc_effect_alloc_tables =
        AllocMap.fold
	  (fun (ac,distr) labs acc ->
	     let labs = transpose_labels ~label_assoc labs in
	     match transpose_region ~region_assoc distr with
	       | None -> acc
	       | Some locr ->
		   let allocs =
		     transpose_alloc_table ~region_mem_assoc (ac,distr)
		   in
		   AllocSet.fold
		     (fun (ac,_r) acc ->
			if not (Region.polymorphic locr) then
			  add_constant_alloc_table (ac,locr);
			AllocMap.add (ac,locr) labs acc
		     ) allocs acc
	  ) ef.jc_effect_alloc_tables AllocMap.empty;
      jc_effect_tag_tables =
        TagMap.fold
	  (fun (vi,distr) labs acc ->
	     let labs = transpose_labels ~label_assoc labs in
	     match transpose_region ~region_assoc distr with
	       | None -> acc
	       | Some locr ->
		   let tags =
		     transpose_tag_table ~region_mem_assoc (vi,distr)
		   in
		   TagSet.fold
		     (fun (vi,_r) acc ->
			if not (Region.polymorphic locr) then
			  add_constant_tag_table (vi,locr);
			TagMap.add (vi,locr) labs acc
		     ) tags acc
	  ) ef.jc_effect_tag_tables TagMap.empty;
      jc_effect_raw_memories =
        MemoryMap.fold
	  (fun (mc,distr) labs acc ->
	     let labs = transpose_labels ~label_assoc labs in
	     match transpose_region ~region_assoc distr with
	       | None -> acc
	       | Some locr ->
		   let mems =
		     transpose_memory ~region_mem_assoc (mc,distr)
		   in
		   MemorySet.fold
		     (fun (mc,_r) acc ->
			if not (Region.polymorphic locr) then
			  add_constant_memory (mc,locr);
			MemoryMap.add (mc,locr) labs acc
		     ) mems acc
	  ) ef.jc_effect_raw_memories MemoryMap.empty;
      jc_effect_memories =
        MemoryMap.fold
	  (fun (mc,distr) labs acc ->
	     let labs = transpose_labels ~label_assoc labs in
	     match transpose_region ~region_assoc distr with
	       | None -> acc
	       | Some locr ->
		   let mems =
		     transpose_memory ~region_mem_assoc (mc,distr)
		   in
		   MemorySet.fold
		     (fun (mc,_r) acc ->
			if not (Region.polymorphic locr) then
			  add_constant_memory (mc,locr);
			MemoryMap.add (mc,locr) labs acc
		     ) mems acc
	  ) ef.jc_effect_memories MemoryMap.empty;
      jc_effect_globals =
        VarMap.fold
	  (fun v labs acc ->
	     VarMap.add v (transpose_labels ~label_assoc labs) acc
	  ) ef.jc_effect_globals VarMap.empty;
      jc_effect_locals = VarMap.empty;
  }

let same_effects ef1 ef2 =
  let eq = LogicLabelSet.equal in
  AllocMap.equal eq ef1.jc_effect_alloc_tables ef2.jc_effect_alloc_tables
  && TagMap.equal eq ef1.jc_effect_tag_tables ef2.jc_effect_tag_tables
  && MemoryMap.equal eq ef1.jc_effect_raw_memories ef2.jc_effect_raw_memories
  && LocationMap.equal eq
    ef1.jc_effect_precise_memories ef2.jc_effect_precise_memories
  && MemoryMap.equal eq ef1.jc_effect_memories ef2.jc_effect_memories
  && VarMap.equal eq ef1.jc_effect_globals ef2.jc_effect_globals
  && VarMap.equal eq ef1.jc_effect_locals ef2.jc_effect_locals
  && StringSet.equal ef1.jc_effect_mutable ef2.jc_effect_mutable
  && StringSet.equal ef1.jc_effect_committed ef2.jc_effect_committed

(* Operations on function effects *)

let fef_reads ef =
  {
    jc_reads = ef;
    jc_writes = empty_effects;
    jc_raises = ExceptionSet.empty;
  }

let fef_union fef1 fef2 =
  {
    jc_reads = ef_union fef1.jc_reads fef2.jc_reads;
    jc_writes = ef_union fef1.jc_writes fef2.jc_writes;
    jc_raises = ExceptionSet.union fef1.jc_raises fef2.jc_raises;
  }

let fef_assoc ~region_assoc ~region_mem_assoc fef =
  {
    jc_reads = ef_assoc ~region_assoc ~region_mem_assoc fef.jc_reads;
    jc_writes = ef_assoc ~region_assoc ~region_mem_assoc fef.jc_writes;
    jc_raises = fef.jc_raises;
  }

let same_feffects fef1 fef2 =
  same_effects fef1.jc_reads fef2.jc_reads
  && same_effects fef1.jc_writes fef2.jc_writes
  && ExceptionSet.equal fef1.jc_raises fef2.jc_raises

(* Query of a single effect *)

let has_memory_effect ef (mc,r) =
  try
    ignore (MemoryMap.find (mc,r) ef.jc_effect_memories);
    true
  with Not_found ->
    try
      ignore (MemoryMap.find (mc,r) ef.jc_effect_raw_memories);
      true
    with Not_found ->
      let locs =
	LocationMap.filter
	  (fun (_loc,mem) _ -> Memory.equal mem (mc,r))
	  ef.jc_effect_precise_memories
      in
      not (LocationMap.is_empty locs)

(* Addition of a single effect *)

let add_alloc_effect lab ef (ac, r) =
  if not (Region.polymorphic r) then add_constant_alloc_table (ac,r);
  let labs = LogicLabelSet.singleton lab in
  { ef with jc_effect_alloc_tables =
      AllocMap.add_merge LogicLabelSet.union
	(ac,r) labs ef.jc_effect_alloc_tables }

let add_tag_effect lab ef (vi,r) =
  if not (Region.polymorphic r) then add_constant_tag_table (vi,r);
  let labs = LogicLabelSet.singleton lab in
  { ef with jc_effect_tag_tables =
      TagMap.add_merge LogicLabelSet.union
	(vi,r) labs ef.jc_effect_tag_tables }

let add_memory_effect lab ef (mc,r) =
  if not (Region.polymorphic r) then add_constant_memory (mc,r);
  let labs = LogicLabelSet.singleton lab in
  match !current_mode with
    | MApprox ->
	{ ef with jc_effect_memories =
	    MemoryMap.add_merge LogicLabelSet.union
	      (mc,r) labs ef.jc_effect_memories }
    | MPrecise ->
	{ ef with jc_effect_raw_memories =
	    MemoryMap.add_merge LogicLabelSet.union
	      (mc,r) labs ef.jc_effect_raw_memories }

let add_precise_memory_effect lab ef (loc,(mc,r)) =
  let labs = LogicLabelSet.singleton lab in
  { ef with jc_effect_precise_memories =
      LocationMap.add_merge LogicLabelSet.union
	(loc,(mc,r)) labs ef.jc_effect_precise_memories }

let add_global_effect lab ef v =
  let labs = LogicLabelSet.singleton lab in
  { ef with jc_effect_globals =
      VarMap.add_merge LogicLabelSet.union v labs ef.jc_effect_globals }

let add_local_effect lab ef v =
  let labs = LogicLabelSet.singleton lab in
  { ef with jc_effect_locals =
      VarMap.add_merge LogicLabelSet.union v labs ef.jc_effect_locals }

let add_mutable_effect ef pc =
  { ef with jc_effect_mutable = StringSet.add
      (pointer_class_type_name pc) ef.jc_effect_mutable }

let add_committed_effect ef pc =
  { ef with jc_effect_committed = StringSet.add
      (pointer_class_type_name pc) ef.jc_effect_committed }

(* Addition of a single read *)

let add_alloc_reads lab fef (ac,r) =
  { fef with jc_reads = add_alloc_effect lab fef.jc_reads (ac,r) }

let add_tag_reads lab fef (vi,r) =
  { fef with jc_reads = add_tag_effect lab fef.jc_reads (vi,r) }

let add_memory_reads lab fef (mc,r) =
  { fef with jc_reads = add_memory_effect lab fef.jc_reads (mc,r) }

let add_precise_memory_reads lab fef (loc,(mc,r)) =
  { fef with jc_reads =
      add_precise_memory_effect lab fef.jc_reads (loc,(mc,r)) }

let add_global_reads lab fef v =
  { fef with jc_reads = add_global_effect lab fef.jc_reads v }

let add_local_reads lab fef v =
  { fef with jc_reads = add_local_effect lab fef.jc_reads v }

let add_mutable_reads fef pc =
  { fef with jc_reads = add_mutable_effect fef.jc_reads pc }

let add_committed_reads fef pc =
  { fef with jc_reads = add_committed_effect fef.jc_reads pc }

(* Addition of a single write *)

let add_alloc_writes lab fef (ac,r) =
  { fef with jc_writes = add_alloc_effect lab fef.jc_writes (ac,r) }

let add_tag_writes lab fef (vi,r) =
  { fef with jc_writes = add_tag_effect lab fef.jc_writes (vi,r) }

let add_memory_writes lab fef (mc,r) =
  { fef with jc_writes = add_memory_effect lab fef.jc_writes (mc,r) }

let add_precise_memory_writes lab fef (loc,(mc,r)) =
  { fef with jc_writes =
      add_precise_memory_effect lab fef.jc_writes (loc,(mc,r)) }

let add_global_writes lab fef vi =
  { fef with jc_writes = add_global_effect lab fef.jc_writes vi }

let add_local_writes lab fef vi =
  { fef with jc_writes = add_local_effect lab fef.jc_writes vi }

let add_mutable_writes fef pc =
  { fef with jc_writes = add_mutable_effect fef.jc_writes pc }

let add_committed_writes fef pc =
  { fef with jc_writes = add_committed_effect fef.jc_writes pc }

(* Addition of a single exception *)

let add_exception_effect fef exc =
  { fef with jc_raises = ExceptionSet.add exc fef.jc_raises }


(*****************************************************************************)
(*                                  Unions                                   *)
(*****************************************************************************)

type shift_offset =
  | Int_offset of int
  | Expr_offset of Jc_fenv.expr
  | Term_offset of Jc_fenv.term

let offset_of_expr e =
  match e#node with
    | JCEconst (JCCinteger s) -> 
        (try
           Int_offset (int_of_string s)
         with Failure _ -> Expr_offset e)
    | _ -> Expr_offset e

let offset_of_term t =
  match t#node with
    | JCTconst (JCCinteger s) -> 
        (try
           Int_offset (int_of_string s)
         with Failure _ -> Term_offset t)
    | _ -> Term_offset t

let offset_of_field fi =
  match field_offset_in_bytes fi with
    | None ->
        Format.eprintf "Jc_effect.offset_of_field: fi=%s@."
          fi.jc_field_info_name;
        assert false
    | Some off -> Int_offset off

let mult_offset i off =
  match off with
    | Int_offset j -> Int_offset (i * j)
    | Expr_offset e ->
	let ie = Expr.mkint ~value:i ()  in
	let mule =
	  Expr.mkbinary
	    ~expr1:ie ~op:(`Bmul,`Integer) ~expr2:e ~typ:integer_type ()
	in
	Expr_offset mule
    | Term_offset t ->
	let it = Term.mkint ~value:i ()  in
	let mult =
	  Term.mkbinary
	    ~term1:it ~op:(`Bmul,`Integer) ~term2:t ~typ:integer_type ()
	in
	Term_offset mult

let add_offset off1 off2 =
  match off1,off2 with
    | Int_offset i, Int_offset j ->
	let k = i + j in
	Int_offset k
    | Expr_offset e1, Expr_offset e2 ->
	let adde =
	  Expr.mkbinary
	    ~expr1:e1 ~op:(`Badd,`Integer) ~expr2:e2 ~typ:integer_type ()
	in
	Expr_offset adde
    | Expr_offset e, Int_offset i
    | Int_offset i, Expr_offset e ->
	let ie = Expr.mkint ~value:i ()  in
	let adde =
	  Expr.mkbinary
	    ~expr1:ie ~op:(`Badd,`Integer) ~expr2:e ~typ:integer_type ()
	in
	Expr_offset adde
    | Term_offset t1, Term_offset t2 ->
	let addt =
	  Term.mkbinary
	    ~term1:t1 ~op:(`Badd,`Integer) ~term2:t2 ~typ:integer_type ()
	in
	Term_offset addt
    | Term_offset t, Int_offset i
    | Int_offset i, Term_offset t ->
	let it = Term.mkint ~value:i ()  in
	let addt =
	  Term.mkbinary
	    ~term1:it ~op:(`Badd,`Integer) ~term2:t ~typ:integer_type ()
	in
	Term_offset addt
    | Expr_offset _, Term_offset _
    | Term_offset _, Expr_offset _ -> assert false

let possible_union_type = function
  | JCTpointer(pc,_,_) ->
      let rt = pointer_class_root pc in
      if root_is_union rt then Some rt else None
  | _ -> None

let union_type ty =
  match possible_union_type ty with Some rt -> rt | None -> assert false

let type_is_union ty =
  match possible_union_type ty with Some _rt -> true | None -> false

let overlapping_union_memories fi =
  let st = fi.jc_field_info_struct in
  let rt = struct_root st in
  let stlist =
    List.filter
      (fun st' -> not (st.jc_struct_info_name = st'.jc_struct_info_name))
      rt.jc_root_info_hroots
  in
  let mems =
    List.flatten
      (List.map
	 (fun st -> all_memories ~select:fully_allocated (JCtag(st,[])))
	 stlist)
  in
  MemClassSet.to_list (MemClassSet.of_list mems)

let possible_union_access e fi_opt =
  let fieldoffbytes fi =
    match field_offset_in_bytes fi with
      | None -> assert false
      | Some off -> Int_offset off
  in
  (* Count offset in bytes before last field access in union *)
  let rec access e =
    match e#node with
      | JCEderef(e,fi) when embedded_field fi ->
	  begin match access e with
	    | Some(e,off) ->
		Some (e, add_offset off (fieldoffbytes fi))
	    | None ->
		if type_is_union e#typ then
		  Some (e, fieldoffbytes fi)
		else None
	  end
      | JCEshift(e1,e2) ->
	  begin match access e1 with
	    | Some(e,off1) ->
		let off2 = offset_of_expr e2 in
		let siz = struct_size_in_bytes (pointer_struct e1#typ) in
		let off2 = mult_offset siz off2 in
		Some (e, add_offset off1 off2)
	    | None -> None
	  end
      | JCEalloc(_e1,st) ->
	  if struct_of_union st then
	    Some(e,Int_offset 0)
	  else None
      | _ ->
	  if type_is_union e#typ then
	    Some (e,Int_offset 0)
	  else None
  in
  match fi_opt with
    | None -> access e
    | Some fi ->
	match access e with
	  | Some(e,off) -> Some (e, add_offset off (fieldoffbytes fi))
	  | None ->
	      if type_is_union e#typ then Some (e, fieldoffbytes fi) else None

(* Optionally returns a triple of
   1) a prefix [ue] of type union
   2) the field of the union [ue] accessed
   3) the offset from the address of [ue] to the final field
*)
let possible_union_deref e fi =
  let rec access e fi =
    match e#node with
      | JCEderef(e1,fi1) when embedded_field fi1 ->
	  begin match access e1 fi1 with
	    | Some(e2,fi2,off) ->
		Some(e2,fi2,add_offset off (offset_of_field fi))
	    | None ->
		if type_is_union e1#typ then
		  Some(e1,fi,offset_of_field fi)
		else None
	  end
      | JCEshift(e1,_e2) ->
	  begin match access e1 fi with
	    | Some(e2,fi2,off1) ->
		let off2 = offset_of_expr e2 in
		let siz = struct_size_in_bytes (pointer_struct e1#typ) in
		let off2 = mult_offset siz off2 in
		Some(e2,fi2,add_offset off1 off2)
	    | None -> None
	  end
      | _ -> None
  in
  match access e fi with
    | Some(e1,fi1,off) -> Some(e1,fi1,add_offset off (offset_of_field fi))
    | None ->
	if type_is_union e#typ then Some(e,fi,offset_of_field fi) else None

let destruct_union_access e fi_opt =
  match possible_union_access e fi_opt with
    | Some x -> x
    | None -> assert false

let tpossible_union_access t fi_opt =
  let fieldoffbytes fi =
    match field_offset_in_bytes fi with
      | None -> assert false
      | Some off -> Int_offset off
  in
  (* Count offset in bytes before last field access in union *)
  let rec access t =
    match t#node with
      | JCTderef(t,_lab,fi) when embedded_field fi ->
	  begin match access t with
	    | Some(t,off) ->
		Some (t, add_offset off (fieldoffbytes fi))
	    | None ->
		if type_is_union t#typ then
		  Some (t, fieldoffbytes fi)
		else None
	  end
      | JCTshift(t1,t2) ->
	  begin match access t1 with
	    | Some(t3,off1) ->
		let off2 = offset_of_term t2 in
		let siz = struct_size_in_bytes (pointer_struct t1#typ) in
		let off2 = mult_offset siz off2 in
		Some (t3, add_offset off1 off2)
	    | None -> None
	  end
      | _ ->
	  if type_is_union t#typ then
	    Some (t,Int_offset 0)
	  else None
  in

  match fi_opt with
    | None ->
	access t
    | Some fi ->
(* 	let fieldoff fi = Int_offset (string_of_int (field_offset fi)) in *)
	match access t with
	  | Some(t,off) ->
	      Some (t, add_offset off (fieldoffbytes fi))
	  | None ->
	      if type_is_union t#typ then
		Some (t, fieldoffbytes fi)
	      else None

let tpossible_union_deref t fi =
  let rec access t fi =
    match t#node with
      | JCTderef(t1,_lab,fi1) when embedded_field fi1 ->
	  begin match access t1 fi1 with
	    | Some(t2,fi2,off) ->
		Some(t2,fi2,add_offset off (offset_of_field fi))
	    | None ->
		if type_is_union t1#typ then
		  Some(t1,fi,offset_of_field fi)
		else None
	  end
      | JCTshift(t1,_t2) ->
	  begin match access t1 fi with
	    | Some(t2,fi2,off1) ->
		let off2 = offset_of_term t2 in
		let siz = struct_size_in_bytes (pointer_struct t1#typ) in
		let off2 = mult_offset siz off2 in
		Some(t2,fi2,add_offset off1 off2)
	    | None -> None
	  end
      | _ -> None
  in
  match access t fi with
    | Some(t1,fi1,off) -> Some(t1,fi1,add_offset off (offset_of_field fi))
    | None ->
	if type_is_union t#typ then Some(t,fi,offset_of_field fi) else None

let tdestruct_union_access t fi_opt =
  match tpossible_union_access t fi_opt with
    | Some x -> x
    | None -> assert false

let lpossible_union_access _t _fi = None (* TODO *)

let lpossible_union_deref _t _fi = None (* TODO *)

let ldestruct_union_access loc fi_opt =
  match lpossible_union_access loc fi_opt with
    | Some x -> x
    | None -> assert false

let foreign_union _e = [] (* TODO: subterms of union that are not in union *)
let tforeign_union _t = []

let common_deref_alloc_class ~type_safe union_access e =
  if not type_safe && Region.bitwise e#region then
    JCalloc_bitvector
  else match union_access e None with
    | None -> JCalloc_root (struct_root (pointer_struct e#typ))
    | Some(e,_off) -> JCalloc_root (union_type e#typ)

let deref_alloc_class ~type_safe e =
  common_deref_alloc_class ~type_safe possible_union_access e

let tderef_alloc_class ~type_safe t =
  common_deref_alloc_class ~type_safe tpossible_union_access t

let lderef_alloc_class ~type_safe locs =
  common_deref_alloc_class ~type_safe lpossible_union_access locs

let common_deref_mem_class ~type_safe union_deref e fi =
  if not type_safe && Region.bitwise e#region then
    JCmem_bitvector, None
  else match union_deref e fi with
    | None ->
	assert (not (root_is_union (struct_root fi.jc_field_info_struct)));
	JCmem_field fi, None
    | Some(e1,fi1,_off) ->
	let rt = union_type e1#typ in
	if root_is_plain_union rt then JCmem_plain_union rt, Some fi1
	else JCmem_field fi, Some fi1

let deref_mem_class ~type_safe e fi =
  common_deref_mem_class ~type_safe possible_union_deref e fi

let tderef_mem_class ~type_safe t fi =
  common_deref_mem_class ~type_safe tpossible_union_deref t fi

let lderef_mem_class ~type_safe locs fi =
  common_deref_mem_class ~type_safe lpossible_union_deref locs fi


(******************************************************************************)
(*                                  patterns                                  *)
(******************************************************************************)

(* TODO: check the use of "label" and "r" *)
let rec pattern ef (*label r*) p =
  let r = dummy_region in
  match p#node with
    | JCPstruct(st, fpl) ->
	let ef = add_tag_effect (*label*)LabelHere ef (struct_root st,r) in
	List.fold_left
	  (fun ef (fi, pat) ->
	     let mc = JCmem_field fi in
	     let ef = add_memory_effect (*label*)LabelHere ef (mc,r) in
	     pattern ef (*label r*) pat)
	  ef fpl
    | JCPor(p1, p2) ->
	pattern (pattern ef (*label r*) p1) (*label r*) p2
    | JCPas(p, _) ->
	pattern ef (*label r*) p
    | JCPvar _
    | JCPany
    | JCPconst _ ->
	ef


(******************************************************************************)
(*                              environment                                   *)
(******************************************************************************)

let current_function = ref None
let set_current_function f = current_function := Some f
let reset_current_function () = current_function := None
let get_current_function () =
  match !current_function with None -> assert false | Some f -> f

(******************************************************************************)
(*                             immutable locations                            *)
(******************************************************************************)

let term_of_expr e =
  let rec term e =
    let tnode = match e#node with
      | JCEconst c -> JCTconst c
      | JCEvar vi -> JCTvar vi
      | JCEbinary (e1, (bop,opty), e2) ->
	  JCTbinary (term e1, ((bop :> bin_op),opty), term e2)
      | JCEunary (uop, e1) -> JCTunary (uop, term e1)
      | JCEshift (e1, e2) -> JCTshift (term e1, term e2)
      | JCEderef (e1, fi) -> JCTderef (term e1, LabelHere, fi)
      | JCEinstanceof (e1, st) -> JCTinstanceof (term e1, LabelHere, st)
      | JCEcast (e1, st) -> JCTcast (term e1, LabelHere, st)
      | JCErange_cast(e1,_) | JCEreal_cast(e1,_) ->
	  (* range does not modify term value *)
	  (term e1)#node
      | JCEif (e1, e2, e3) -> JCTif (term e1, term e2, term e3)
      | JCEoffset (off, e1, st) -> JCToffset (off, term e1, st)
      | JCEalloc (e, _) -> (* Note: \offset_max(t) = length(t) - 1 *)
	  JCTbinary (term e, (`Bsub,`Integer), new term ~typ:integer_type (JCTconst (JCCinteger "1")) )
      | JCEfree _ -> failwith "Not a term"
      | _ -> failwith "Not a term"
(*       | JCEmatch (e, pel) -> *)
(* 	  let ptl = List.map (fun (p, e) -> (p, term_of_expr e)) pel in *)
(* 	    JCTmatch (term_of_expr e, ptl) *)
    in
      new term ~typ:e#typ ~region:e#region tnode
  in
    try Some (term e) with Failure _ -> None

let rec location_of_expr e =
  try
    let loc_node = match e#node with
      | JCEvar v ->
	  JCLvar v
      | JCEderef(e1,fi) ->
	  JCLderef(location_set_of_expr e1, LabelHere, fi, e#region)
      | _ -> failwith "No location for expr"
    in
    Some(new location_with ~typ:e#typ ~node:loc_node e)
  with Failure "No location for expr" -> None

and location_set_of_expr e =
  let locs_node = match e#node with
    | JCEvar v ->
	JCLSvar v
    | JCEderef(e1,fi) ->
	JCLSderef(location_set_of_expr e1, LabelHere, fi, e#region)
    | JCEshift(e1,e2) ->
	let t2_opt = term_of_expr e2 in
	JCLSrange(location_set_of_expr e1, t2_opt, t2_opt)
    | _ -> failwith "No location for expr"
  in
  new location_set_with ~typ:e#typ ~node:locs_node e

let location_set_of_expr e =
  try Some(location_set_of_expr e) with Failure "No location for expr" -> None

let rec location_of_term t =
  try
    let node = match t#node with
      | JCTvar v ->
	  JCLvar v
      | JCTderef(t1,_lab,fi) ->
	  JCLderef(location_set_of_term t1, LabelHere, fi, t#region)
      | JCTat(t1,lab) ->
          (match location_of_term t1 with
               None -> failwith "No location for term"
             | Some l1 -> JCLat(l1,lab))
      | _ -> failwith "No location for term"
    in
    Some(new location_with ~typ:t#typ ~node t)
  with Failure "No location for term" -> None

and location_set_of_term t =
  let locs_node = match t#node with
    | JCTvar v ->
	JCLSvar v
    | JCTderef(t1,_lab,fi) ->
	JCLSderef(location_set_of_term t1, LabelHere, fi, t#region)
    | JCTat (t1,lab) -> JCLSat(location_set_of_term t1,lab)
    | _ -> failwith "No location for term"
  in
  new location_set_with ~typ:t#typ ~node:locs_node t


(* last location can be mutated *)
let rec immutable_location fef loc =
  match loc#node with
    | JCLvar _v -> true
    | JCLderef(locs,_lab,_fi,_r) ->
	immutable_location_set fef locs
    | JCLat(l1,_lab) -> immutable_location fef l1
    | _ -> false

and immutable_location_set fef locs =
  match locs#node with
    | JCLSvar v -> not v.jc_var_info_assigned
    | JCLSderef(locs,_lab,fi,_r) ->
	let mc,_fi_opt = lderef_mem_class ~type_safe:true locs fi in
	immutable_location_set fef locs
	&& not (MemoryMap.mem (mc,locs#region) fef.jc_writes.jc_effect_memories)
    | JCLSat(l1,_lab) -> immutable_location_set fef l1
    | _ -> false

let expr_immutable_location e =
  match !current_mode with
    | MApprox -> None
    | MPrecise ->
	match !current_function with
	  | None -> None
	  | Some f ->
	      let fef = f.jc_fun_info_effects in
	      match location_of_expr e with
		| None -> None
		| Some loc ->
		    if immutable_location fef loc then
		      Some loc
		    else None

let term_immutable_location t =
  match !current_mode with
    | MApprox -> None
    | MPrecise ->
	match !current_function with
	  | None -> None
	  | Some f ->
	      let fef = f.jc_fun_info_effects in
	      match location_of_term t with
		| None -> None
		| Some loc ->
		    if immutable_location fef loc then
		      Some loc
		    else None

(* let immutable_heap_location fef ~full_expr e1 fi = *)
(*   match !current_mode with *)
(*     | MApprox -> None *)
(*     | MPrecise -> *)
(* 	match e1#node with *)
(* 	  | JCEvar v -> *)
(* 	      if v.jc_var_info_assigned then  *)
(* 		None *)
(* 	      else *)
(* 		Some(new location_with ~node:(JCLvar v) full_expr) *)
(* 	  | _ -> None *)

(* let timmutable_heap_location ef ~full_term t1 fi = (\* TODO: fef *\) *)
(*   match !current_mode with *)
(*     | MApprox -> None *)
(*     | MPrecise -> *)
(* 	match t1#node with *)
(* 	  | JCTvar v -> *)
(* 	      if v.jc_var_info_assigned then  *)
(* 		None *)
(* 	      else *)
(* 		Some(new location_with ~node:(JCLvar v) full_term) *)
(* 	  | _ -> None *)


(******************************************************************************)
(*                             terms and assertions                           *)
(******************************************************************************)

let rec single_term ef t =
  let lab =
    match t#label with None -> LabelHere | Some lab -> lab
  in
  match t#node with
    | JCTvar vi ->
	true,
	if vi.jc_var_info_assigned then
	  if vi.jc_var_info_static then
	    add_global_effect lab ef vi
	  else
	    add_local_effect lab ef vi
	else ef
    | JCToffset(_k,t,_st) ->
        let ac = tderef_alloc_class ~type_safe:true t in
	true,
	add_alloc_effect lab ef (ac,t#region)
    | JCTapp app ->
	let region_mem_assoc =
	  make_region_mem_assoc app.jc_app_fun.jc_logic_info_parameters
	in
	let ef_app =
	  ef_assoc
	    ~label_assoc:app.jc_app_label_assoc
	    ~region_assoc:app.jc_app_region_assoc
	    ~region_mem_assoc
	    app.jc_app_fun.jc_logic_info_effects
	in
	(if app.jc_app_fun.jc_logic_info_name = "content" then
	   Format.eprintf "**Effects for logic application content(): %a@."
	   print_effect ef_app);
	true,
	ef_union ef_app ef
    | JCTderef(t1,lab,fi) ->
	let mc,ufi_opt = tderef_mem_class ~type_safe:true t1 fi in
	let mem = mc, t1#region in
	begin match term_immutable_location t with
	  | Some loc ->
	      let ef = add_precise_memory_effect lab ef (loc,mem) in
	      (* TODO: treat union *)
	      true, ef
	  | None ->
	      let ef = add_memory_effect lab ef mem in
	      begin match mc,ufi_opt with
		| JCmem_plain_union _vi, _ ->
		    false, (* do not call on sub-terms of union *)
		    List.fold_left term ef (tforeign_union t1)
		| JCmem_field _, _
		| JCmem_bitvector, _ ->
		    true, ef
	      end
	end
    | JCTcast(t,lab,st)
    | JCTinstanceof(t,lab,st) ->
	true,
	add_tag_effect lab ef (struct_root st,t#region)
    | JCTmatch(_t,ptl) ->
	true,
	List.fold_left pattern ef (List.map fst ptl)
    | JCTconst _ | JCTrange _ | JCTbinary _ | JCTunary _
    | JCTshift _ | JCTold _ | JCTat _ | JCTaddress _ | JCTbase_block _
    | JCTbitwise_cast _ | JCTrange_cast _ | JCTreal_cast _ | JCTif _ | JCTlet _ ->
	true, ef

and term ef t =
  Jc_iterators.fold_rec_term single_term ef t

let tag ef lab _t vi_opt r =
  match vi_opt with
    | None -> ef
    | Some vi -> add_tag_effect lab ef (vi,r)

let single_assertion ef a =
  let lab =
    match a#label with None -> LabelHere | Some lab -> lab
  in
  match a#node with
    | JCAfresh(t) ->
        let ac = tderef_alloc_class ~type_safe:true t in
	true,
	add_alloc_effect lab ef (ac,t#region)
    | JCAinstanceof(t,lab,st) ->
	true,
	add_tag_effect lab ef (struct_root st,t#region)
    | JCAapp app ->
	let region_mem_assoc =
	  make_region_mem_assoc app.jc_app_fun.jc_logic_info_parameters
	in
	let ef_app =
	  ef_assoc
	    ~label_assoc:app.jc_app_label_assoc
	    ~region_assoc:app.jc_app_region_assoc
	    ~region_mem_assoc
	    app.jc_app_fun.jc_logic_info_effects
	in
	true,
	ef_union ef_app ef
    | JCAmutable(t,st,ta) ->
	true,
	add_mutable_effect
	  (tag ef lab ta (* Yannick: really effect on tag here? *)
	     (Some (struct_root st)) t#region)
	  (JCtag(st, []))
    | JCAlet(_vi,_t,_p) ->
	true,ef
    | JCAmatch(_t,pal) ->
	true,
	List.fold_left pattern ef (List.map fst pal)
    | JCAtrue | JCAfalse | JCAif _ | JCAbool_term _ | JCAnot _
    | JCAold _ | JCAat _ | JCAquantifier _ | JCArelation _
    | JCAand _ | JCAor _ | JCAiff _ | JCAimplies _
    | JCAeqtype _ | JCAsubtype _ ->
	true, ef

let assertion ef a =
  Jc_iterators.fold_rec_term_and_assertion single_term single_assertion ef a


(******************************************************************************)
(*                                locations                                   *)
(******************************************************************************)

let single_term fef t =
  let cont,ef = single_term fef.jc_reads t in
  cont,{ fef with jc_reads = ef }

let single_assertion fef a =
  let cont,ef = single_assertion fef.jc_reads a in
  cont,{ fef with jc_reads = ef }

type assign_alloc_clause = Assigns | Allocates | Reads

let rec single_location ~in_clause fef 
    (loc : Jc_fenv.logic_info Jc_ast.location) =
  let lab =
    match loc#label with None -> LabelHere | Some lab -> lab
  in
  let fef = match loc#node with
    | JCLvar v ->
        let fef =
	  if v.jc_var_info_assigned then
	    if v.jc_var_info_static then
              begin
	        match in_clause with
                  | Assigns -> add_global_writes lab fef v
                  | Allocates -> 
                      let ac = lderef_alloc_class ~type_safe:true loc in
	              add_alloc_writes lab fef (ac,loc#region)
	          | Reads -> add_global_reads lab fef v
              end
	    else fef
	  else fef
        in
        fef
        
    | JCLderef(locs,lab,fi,_r) ->
	let add_mem ~only_writes fef mc =
	  match in_clause with
            | Assigns ->
	      let fef = add_memory_writes lab fef (mc,locs#region) in
	      if only_writes then fef else
	      (* Add effect on allocation table for [not_assigns] predicate *)
	        let ac = alloc_class_of_mem_class mc in
	        add_alloc_reads lab fef (ac,locs#region)
            | Allocates ->
                (* wrong !
                  let fef =
                  if only_writes then fef else
	            let ac = alloc_class_of_mem_class mc in
	            add_alloc_writes lab fef (ac,locs#region)
                in
                *)
                fef
            | Reads ->
	        if only_writes then fef else
	          add_memory_reads lab fef (mc,locs#region)
	in
	let mc,ufi_opt = lderef_mem_class ~type_safe:true locs fi in
	let fef = add_mem ~only_writes:false fef mc in
	let fef =
          begin match mc,ufi_opt with
	    | JCmem_field _fi, Some ufi ->
	        let mems = overlapping_union_memories ufi in
	        List.fold_left (add_mem ~only_writes:true) fef mems
	    | JCmem_field _, None
	    | JCmem_plain_union _, _
	    | JCmem_bitvector, _ -> fef
	  end
        in
        fef
    | JCLderef_term(t1,fi) ->
	let add_mem ~only_writes fef mc =
	  match in_clause with
            | Assigns ->
	      let fef = add_memory_writes lab fef (mc,t1#region) in
	      if only_writes then fef else
	      (* Add effect on allocation table for [not_assigns] predicate *)
	        let ac = alloc_class_of_mem_class mc in
	        add_alloc_reads lab fef (ac,t1#region)
            | Allocates -> 
(* wrong !
	      if only_writes then fef else
	        let ac = alloc_class_of_mem_class mc in
	        add_alloc_writes lab fef (ac,t1#region)
*)
                fef
	    | Reads ->
	        if only_writes then fef else
	          add_memory_reads lab fef (mc,t1#region)
	in
	let mc,ufi_opt = tderef_mem_class ~type_safe:true t1 fi in
	let fef = add_mem ~only_writes:false fef mc in
	begin match mc,ufi_opt with
	  | JCmem_field _fi, Some ufi ->
	      let mems = overlapping_union_memories ufi in
	      List.fold_left (add_mem ~only_writes:true) fef mems
	  | JCmem_field _, None
	  | JCmem_plain_union _, _
	  | JCmem_bitvector, _ -> fef
	end
    | JCLat(loc,lab) -> 
      assert (loc#label = Some lab);
      snd (single_location ~in_clause fef loc)
  in true, fef

let rec single_location_set fef locs =
  let lab =
    match locs#label with None -> LabelHere | Some lab -> lab
  in
  let fef = match locs#node with
    | JCLSvar v ->
	if v.jc_var_info_assigned then
	  if v.jc_var_info_static then
	    add_global_reads lab fef v
	  else fef
	else fef
    | JCLSderef(locs,lab,fi,_r) ->
	let mc,_ufi_opt = lderef_mem_class ~type_safe:true locs fi in
	add_memory_reads lab fef (mc,locs#region)
    | JCLSrange(_,_,_)
    | JCLSrange_term(_,_,_) ->
	fef
    | JCLSat(locs,_) -> snd (single_location_set fef locs)
  in true, fef

let location ~in_clause fef loc =
  let fef =
    Jc_iterators.fold_rec_location single_term
      (single_location ~in_clause) single_location_set fef loc
  in
  fef


(******************************************************************************)
(*                                expressions                                 *)
(******************************************************************************)

let rec expr fef e =
  Jc_iterators.fold_rec_expr_and_term_and_assertion
    single_term single_assertion
    (single_location ~in_clause:Assigns) single_location_set
    (fun (fef : fun_effect) e -> match e#node with
       | JCEvar v ->
	   true,
	   if v.jc_var_info_assigned then
	     if v.jc_var_info_static then
	       add_global_reads LabelHere fef v
	     else
	       add_local_reads LabelHere fef v
	   else fef
       | JCEassign_var(v,_e) ->
	   true,
	   if v.jc_var_info_assigned then
	     if v.jc_var_info_static then
	       add_global_writes LabelHere fef v
	     else
	       add_local_writes LabelHere fef v
	   else fef
       | JCEoffset(_k,e,_st) ->
	   let ac = deref_alloc_class ~type_safe:true e in
	   true,
	   add_alloc_reads LabelHere fef (ac,e#region)
       | JCEapp app ->
	   let fef_call = match app.jc_call_fun with
	     | JClogic_fun f ->
		 let region_mem_assoc =
		   make_region_mem_assoc f.jc_logic_info_parameters
		 in
		 fef_reads
		   (ef_assoc
		      ~label_assoc:app.jc_call_label_assoc
		      ~region_assoc:app.jc_call_region_assoc
		      ~region_mem_assoc
		      f.jc_logic_info_effects)
	     | JCfun f ->
		 let region_mem_assoc =
		   make_region_mem_assoc (List.map snd f.jc_fun_info_parameters)
		 in
		 fef_assoc
		   ~region_assoc:app.jc_call_region_assoc f.jc_fun_info_effects
		   ~region_mem_assoc
	   in
	   true,
	   fef_union fef_call fef
       | JCEderef(e1,fi) ->
	   let mc,ufi_opt = deref_mem_class ~type_safe:true e1 fi in
	   let ac = alloc_class_of_mem_class mc in
	   let mem = mc, e1#region in
	   begin match expr_immutable_location e with
	     | Some loc ->
		 let fef =
		   add_precise_memory_reads LabelHere fef (loc,mem)
		 in
		 let fef = add_alloc_reads LabelHere fef (ac,e1#region) in
		 (* TODO: treat union *)
		 true, fef
	     | None ->
		 let fef = add_memory_reads LabelHere fef mem in
		 let fef = add_alloc_reads LabelHere fef (ac,e1#region) in
		 begin match mc,ufi_opt with
		   | JCmem_plain_union _vi, _ ->
		       false, (* do not call on sub-expressions of union *)
		       List.fold_left expr fef (foreign_union e1)
		   | JCmem_field _, _
		   | JCmem_bitvector, _ ->
		       true, fef
		 end
	   end
       | JCEassign_heap(e1,fi,_e2) ->
	   let mc,ufi_opt = deref_mem_class ~type_safe:true e1 fi in
	   let ac = alloc_class_of_mem_class mc in
	   let deref = new expr_with ~node:(JCEderef(e1,fi)) e in
	   let mem = mc, e1#region in
	   begin match expr_immutable_location deref with
	     | Some loc ->
		 let fef =
		   add_precise_memory_writes LabelHere fef (loc,mem)
		 in
		 (* allocation table is read *)
		 let fef = add_alloc_reads LabelHere fef (ac,e1#region) in
		 (* TODO: treat union *)
		 true, fef
	     | None ->
		 let fef = add_memory_writes LabelHere fef mem in
		 (* allocation table is read *)
		 let fef = add_alloc_reads LabelHere fef (ac,e1#region) in
		 begin match mc,ufi_opt with
		   | JCmem_plain_union _vi, _ ->
		       false, (* do not call on sub-expressions of union *)
		       List.fold_left expr fef (foreign_union e1)
		   | JCmem_field _fi, Some ufi ->
		       let mems = overlapping_union_memories ufi in
		       true,
		       List.fold_left
			 (fun fef mc ->
			    add_memory_writes LabelHere fef (mc,e1#region))
			 fef mems
		   | JCmem_field _, None | JCmem_bitvector, _ ->
		       true, fef
		 end
	   end
       | JCEcast(e,st)
       | JCEinstanceof(e,st) ->
	   true,
	   add_tag_reads LabelHere fef (struct_root st,e#region)
       | JCEalloc(_e1,st) ->
	   let pc = JCtag(st,[]) in
	   let ac = deref_alloc_class ~type_safe:true e in
	   let all_allocs = match ac with
	     | JCalloc_bitvector -> [ ac ]
	     | JCalloc_root rt ->
		 match rt.jc_root_info_kind with
		   | Rvariant -> all_allocs ~select:fully_allocated pc
		   | RdiscrUnion -> 
                       Jc_typing.typing_error e#pos "Unsupported discriminated union, sorry" (* TODO *)
		   | RplainUnion -> [ ac ]
	   in
	   let all_mems = match ac with
	     | JCalloc_bitvector -> []
	     | JCalloc_root rt ->
		 match rt.jc_root_info_kind with
		   | Rvariant -> all_memories ~select:fully_allocated pc
		   | RdiscrUnion -> assert false (* TODO *)
		   | RplainUnion -> []
	   in
	   let all_tags = match ac with
	     | JCalloc_bitvector -> [ struct_root st ]
	     | JCalloc_root rt ->
		 match rt.jc_root_info_kind with
		   | Rvariant -> all_tags ~select:fully_allocated pc
		   | RdiscrUnion -> assert false (* TODO *)
		   | RplainUnion -> [ struct_root st ]
	   in
	   let fef =
	     List.fold_left
	       (fun fef mc ->
		  add_memory_writes LabelHere fef (mc,e#region)
	       ) fef all_mems
	   in
(**)
	   let fef =
	     List.fold_left
	       (fun fef ac -> add_alloc_writes LabelHere fef (ac,e#region))
	       fef all_allocs
	   in
(**)
	   true,
	   List.fold_left
	     (fun fef vi -> add_tag_writes LabelHere fef (vi,e#region))
	     fef all_tags
       | JCEfree e ->
	   let pc = pointer_class e#typ in
	   let ac = alloc_class_of_pointer_class pc in
	   true,
	   add_alloc_writes LabelHere fef (ac,e#region)
       | JCEpack(st,e,_st) ->
	   (* Assert the invariants of the structure
	      => need the reads of the invariants *)
	   let (_, invs) =
	     StringHashtblIter.find
               Jc_typing.structs_table st.jc_struct_info_name
	   in
	   let fef =
	     List.fold_left
	       (fun fef (li, _) ->
		  { fef with jc_reads =
		      ef_union fef.jc_reads li.jc_logic_info_effects })
	       fef
	       invs
	   in
	   (* Fields *)
	   let fef = List.fold_left
	     (fun fef fi ->
		match fi.jc_field_info_type with
		  | JCTpointer(pc, _, _) ->
	              (* Assert fields fully mutable
			 => need mutable and tag_table (of field) as reads *)
		      let fef = add_mutable_reads fef pc in
		      let fef =
			add_tag_reads LabelHere fef
			  (pointer_class_root pc,e#region)
		      in
	              (* Modify field's "committed" field
			 => need committed (of field) as reads and writes *)
		      let fef = add_committed_reads fef pc in
		      let fef = add_committed_writes fef pc in
		      (* ...and field as reads *)
		      add_memory_reads LabelHere fef (JCmem_field fi,e#region)
		  | _ -> fef)
	     fef
	     st.jc_struct_info_fields in
	   (* Change structure mutable => need mutable as reads and writes *)
	   let fef = add_mutable_reads fef (JCtag(st, [])) in
	   let fef = add_mutable_writes fef (JCtag(st, [])) in
           (* And that's all *)
	   true, fef
       | JCEunpack(st,e,_st) ->
	   (* Change structure mutable => need mutable as reads and writes *)
	   let fef = add_mutable_reads fef (JCtag(st, [])) in
	   let fef = add_mutable_writes fef (JCtag(st, [])) in
	   (* Fields *)
	   let fef = List.fold_left
	     (fun fef fi ->
		match fi.jc_field_info_type with
		  | JCTpointer(st, _, _) ->
	              (* Modify field's "committed" field
			 => need committed (of field) as reads and writes *)
		      let fef = add_committed_reads fef st in
		      let fef = add_committed_writes fef st in
		      (* ...and field as reads *)
		      add_memory_reads LabelHere fef (JCmem_field fi,e#region)
		  | _ -> fef)
	     fef
	     st.jc_struct_info_fields in
	   (* And that's all *)
	   true, fef
       | JCEthrow(exc,_e_opt) ->
	   true,
	   add_exception_effect fef exc
       | JCEtry(s,catches,finally) ->
	   let fef = expr fef s in
	   let fef =
	     List.fold_left
	       (fun fef (exc,_vi_opt,_s) ->
		  { fef with
		      jc_raises = ExceptionSet.remove exc fef.jc_raises }
	       ) fef catches
	   in
	   let fef =
	     List.fold_left
	       (fun fef (_exc,_vi_opt,s) -> expr fef s) fef catches
	   in
	   false, (* do not recurse on try-block due to catches *)
	   expr fef finally
       | JCEmatch(_e, psl) ->
	   let pef = List.fold_left pattern empty_effects (List.map fst psl) in
	   true,
	   { fef with jc_reads = ef_union fef.jc_reads pef }
       | JCEloop _ | JCElet _ | JCEassert _ | JCEcontract _ | JCEblock _
       | JCEconst _  | JCEshift _ | JCEif _ | JCErange_cast _
       | JCEreal_cast _ | JCEunary _ | JCEaddress _ | JCEbinary _
       | JCEreturn_void  | JCEreturn _ | JCEbitwise_cast _ | JCEbase_block _ | JCEfresh _ ->
	   true, fef
    ) fef e

let behavior fef (_pos,_id,b) =
  let ita = 
    Jc_iterators.fold_rec_term_and_assertion single_term single_assertion 
  in
  let itl = 
    Jc_iterators.fold_rec_location single_term
      (single_location ~in_clause:Assigns) single_location_set
  in
  let itl_alloc = 
    Jc_iterators.fold_rec_location single_term
      (single_location ~in_clause:Allocates) single_location_set
  in
  let fef = Option_misc.fold_left ita fef b.jc_behavior_assumes in
  let fef =
    Option_misc.fold_left
      (fun fef (_,locs) -> List.fold_left itl fef locs)
      fef b.jc_behavior_assigns
  in
  let fef =
    Option_misc.fold_left
      (fun fef (_,locs) -> 
        List.fold_left itl_alloc fef locs)
      fef b.jc_behavior_allocates
  in
  let fef = ita fef b.jc_behavior_ensures in
  let fef = ita fef b.jc_behavior_free_ensures in
  Option_misc.fold_left add_exception_effect fef b.jc_behavior_throws




let spec fef s =
  let fef =
    List.fold_left behavior fef
      (s.jc_fun_default_behavior :: s.jc_fun_behavior)
  in
  let fef = { fef with jc_reads = assertion fef.jc_reads s.jc_fun_requires } in
  { fef with jc_reads = assertion fef.jc_reads s.jc_fun_free_requires }




(* Type invariant added to precondition for pointer parameters with bounds.
   Therefore, add allocation table to reads. *)
let parameter fef v =
  match v.jc_var_info_type with
    | JCTpointer(pc,Some _i,Some _j) ->
	let ac = alloc_class_of_pointer_class pc in
	add_alloc_reads LabelOld fef (ac,v.jc_var_info_region)
    | _ -> fef


(******************************************************************************)
(*                                 fix-point                                  *)
(******************************************************************************)

let fixpoint_reached = ref false

let axiomatic_decl_effect ef d =
  match d with
    | Jc_typing.ABaxiom(_,_,_,a) -> assertion ef a

let effects_from_app fi ax_effects acc app =
  Jc_options.lprintf "@[Jc_effect.effects_from_app, fi = %s, app = %s@]@."
    fi.jc_logic_info_name
    app.jc_app_fun.jc_logic_info_name;
  Jc_options.lprintf "fi == app.jc_app_fun ? %b@." (fi == app.jc_app_fun);
  if fi == app.jc_app_fun then
    begin
      Jc_options.lprintf
	"@[fi labels = @[{%a}@] ; app label_assoc = @[{%a}@]@]@."
	(print_list comma Jc_output_misc.label)
	fi.jc_logic_info_labels
	(print_list comma
	   (fun fmt (l1,l2) ->
	      Format.fprintf fmt "%a -> %a"
		Jc_output_misc.label l1
		Jc_output_misc.label l2))
	app.jc_app_label_assoc;
      ef_union
	(ef_filter_labels app.jc_app_label_assoc ax_effects)
	acc
    end
  else
    acc

let effects_from_term_app fi ax_effects acc t =
  match t#node with
    | JCTapp app -> effects_from_app fi ax_effects acc app
    | _ -> acc

let effects_from_pred_app fi ax_effects acc a =
  match a#node with
    | JCAapp app -> effects_from_app fi ax_effects acc app
    | _ -> acc

let effects_from_assertion fi ax_effects acc a =
  Jc_iterators.fold_term_and_assertion
    (effects_from_term_app fi ax_effects)
    (effects_from_pred_app fi ax_effects) acc a

let effects_from_decl fi ax_effects acc d =
  match d with
    | Jc_typing.ABaxiom(_,_,_,a) -> effects_from_assertion fi ax_effects acc a

let effects_from_axiomatic fi ax acc =
  try
    let l = StringHashtblIter.find Jc_typing.axiomatics_table ax in
    let ef = List.fold_left axiomatic_decl_effect empty_effects l.Jc_typing.axiomatics_decls in
    List.fold_left (effects_from_decl fi ef) acc l.Jc_typing.axiomatics_decls
  with Not_found -> assert false

let logic_fun_effects f =
  let f,ta =
    IntHashtblIter.find Jc_typing.logic_functions_table f.jc_logic_info_tag
  in
  let ef = f.jc_logic_info_effects in
  let ef = match ta with
    | JCTerm t -> term ef t
    | JCAssertion a -> assertion ef a
    | JCInductive l ->
	let ax_effects =
	  List.fold_left
	    (fun ef (_id,_labels,a) -> assertion ef a) empty_effects l
	in
	List.fold_left (fun acc (_id,_labels,a) ->
			  effects_from_assertion f ax_effects acc a) ef l
    | JCNone ->
	begin match f.jc_logic_info_axiomatic with
	  | Some a ->
	      (* axiomatic def in a *)
	      effects_from_axiomatic f a ef
	  | None -> assert false
	      (* not allowed outside axiomatics *)
	end
    | JCReads loclist ->
	List.fold_left
	  (fun ef loc ->
	     let fef = location ~in_clause:Reads empty_fun_effect loc in
	     ef_union ef fef.jc_reads
	  ) ef loclist
  in
  if same_effects ef f.jc_logic_info_effects then () else
    (fixpoint_reached := false;
     f.jc_logic_info_effects <- ef)

let fun_effects f =
  let (f,_pos,s,e_opt) =
    IntHashtblIter.find Jc_typing.functions_table f.jc_fun_info_tag
  in
  let fef = f.jc_fun_info_effects in
  let fef = spec fef s in
  let fef = Option_misc.fold_left expr fef e_opt in
  let fef =
    List.fold_left parameter fef (List.map snd f.jc_fun_info_parameters)
  in
  if same_feffects fef f.jc_fun_info_effects then () else
    (fixpoint_reached := false;
     f.jc_fun_info_effects <- fef)

let fun_effects f =
  set_current_function f;
  fun_effects f;
  reset_current_function ()

let logic_effects funs =

  List.iter (fun f -> f.jc_logic_info_effects <- empty_effects) funs;

  fixpoint_reached := false;
  while not !fixpoint_reached do
    fixpoint_reached := true;
    Jc_options.lprintf "Effects: doing one iteration...@.";
    List.iter logic_fun_effects funs
  done;
  Jc_options.lprintf "Effects: fixpoint reached@.";
  List.iter
    (fun f ->
       Jc_options.lprintf "Effects for logic function %s:@\n%a@."
	 f.jc_logic_info_name print_effect f.jc_logic_info_effects
    ) funs

let function_effects funs =

  List.iter (fun f -> f.jc_fun_info_effects <- empty_fun_effect) funs;

  let iterate () =
    fixpoint_reached := false;
    while not !fixpoint_reached do
      fixpoint_reached := true;
      Jc_options.lprintf "Effects: doing one iteration...@.";
      List.iter fun_effects funs
    done
  in

  (* Compute raw effects to bootstrap *)
  current_mode := MApprox;
  iterate ();
  (* Compute precise effects *)
  current_mode := MPrecise;
  iterate ();
  (* Reset mode to raw effects for individual calls *)
  current_mode := MApprox;

  Jc_options.lprintf "Effects: fixpoint reached@.";

  (* Global variables that are only read are translated into logic
     functions in Why, and thus they should not appear in effects. *)
  Jc_options.lprintf "Effects: removing global reads w/o writes@.";
  List.iter
    (fun f ->
       let fef = f.jc_fun_info_effects in
       let efr = fef.jc_reads.jc_effect_globals in
       let efw = fef.jc_writes.jc_effect_globals in
       let ef =
	 VarMap.filter
	   (fun v _labs -> VarMap.mem v efw || v.jc_var_info_assigned) efr
       in
       let ef = { fef.jc_reads with jc_effect_globals = ef } in
       f.jc_fun_info_effects <- { fef with jc_reads = ef }
    ) funs;

  List.iter
    (fun f ->
       Jc_options.lprintf
	 "Effects for function %s:@\n\
@[ reads: %a@]@\n\
@[ writes: %a@]@\n\
@[ raises: %a@]@."
	 f.jc_fun_info_name
	 print_effect f.jc_fun_info_effects.jc_reads
	 print_effect f.jc_fun_info_effects.jc_writes
	 (print_list comma print_exception)
	 (ExceptionSet.elements f.jc_fun_info_effects.jc_raises)
    ) funs


(*
Local Variables:
compile-command: "LC_ALL=C make -j -C .. bin/jessie.byte"
End:
*)
why-2.39/jc/jc_frame.mli0000644000106100004300000000475313147234006014107 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)


(** {1 Frame ??} *)

val compute_needed_predicates: unit -> unit

val tr_logic_fun :
  Jc_fenv.logic_info ->
  Jc_fenv.logic_info Jc_ast.term_or_assertion ->
  Output.why_decl list -> Output.why_decl list


(*
  Local Variables: 
  compile-command: "unset LANG; make -j -C .. bin/jessie.byte"
  End: 
*)
why-2.39/jc/jc_noutput.ml0000644000106100004300000001541313147234006014355 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

(** Ouput the normalized AST. Useful for debugging. Not parsable. *)

open Jc_pervasives
open Jc_output_misc
open Jc_ast
open Format
open Pp


let identifier fmt id =
  fprintf fmt "%s" id#name

let rec expr fmt e =
  let out x = fprintf fmt x in
  match e#node with
    | JCNEconst c ->
        const fmt c
    | JCNElabel(id, e1) ->
        out "(@[%s:@ %a@])" id expr e1
    | JCNEvar id ->
        out "%s" id
    | JCNEderef(e1, id) ->
        out "%a.%s" expr e1 id
    | JCNEbinary(e1, op, e2) ->
        out "(@[%a %s@ %a@])" expr e1 (string_of_op op) expr e2
    | JCNEunary(op, e1) ->
        out "(%s %a)" (string_of_op op) expr e1
    | JCNEapp(id, labs, el) ->
        out "@[%s@,{%a}@,(%a)@]" id (print_list comma label)
          labs (print_list comma expr) el
    | JCNEassign(e1, e2) ->
        out "(@[%a =@ %a@])" expr e1 expr e2
    | JCNEinstanceof(_e1, _id) ->
        out "(TODO instanceof)"
    | JCNEcast(_e1, _id) ->
        out "(TODO cast)"
    | JCNEif(_e1, _e2, _e3) ->
        out "(TODO if)"
    | JCNEoffset(k, e1) ->
        out "(\\offset_m%a(%a))" offset_kind k expr e1
    | JCNEaddress(absolute,e1) ->
        out "(\\%aaddress(%a))" address_kind absolute expr e1
    | JCNEbase_block(e1) ->
        out "(\\base_block(%a))" expr e1
    | JCNEfresh(e1) ->
        out "(\\fresh(%a))" expr e1
    | JCNEalloc(_e1, _id) ->
        out "(TODO alloc)"
    | JCNEfree _e1 ->
        out "(TODO free)"
    | JCNElet(Some pty, id, Some e1, e2) ->
        out "(@[let %a %s = %a in@ %a@])" ptype pty id expr e1 expr e2
    | JCNElet(Some pty, id, None, e1) ->
        out "(@[let %a %s in@ %a@])" ptype pty id expr e1
    | JCNElet(None, id, Some e1, e2) ->
        out "(@[let %s = %a in@ %a@])" id expr e1 expr e2
    | JCNElet(None, id, None, e1) ->
        out "(@[let %s in@ %a@])" id expr e1
    | JCNEassert (behav,asrt,e1) ->
        out "(%a %a%a)" 
	  asrt_kind asrt
	  (print_list_delim 
	     (constant_string "for ") (constant_string ": ") 
	     comma identifier)
	  behav
	  expr e1
    | JCNEcontract _ -> assert false (* TODO *)
    | JCNEblock el ->
        out "{@ @[%a@]@ }" (print_list semi expr) el
    | JCNEloop(_inv, Some _e2, _e3) ->
	out "(some loop)" (* TODO *)
	  (*
        out "@[%a@ variant %a;@ %a done@]" 
	  (print_list nothing 
	     (fun fmt (behav,inv) -> out "@\ninvariant %a%a;"
		(print_list_delim 
		   (constant_string "for ") (constant_string ": ") 
		   comma string)
		behav
		expr inv))
	  inv
	  expr e2
          expr e3
	  *)
    | JCNEloop(_inv, None, _e2) ->
        out "(some loop)" (* TODO *)
	  (*
	    out "@[%a@ %a done@]" 
	  (print_list nothing 
	     (fun fmt (behav,inv) -> out "@\ninvariant %a%a;"
		(print_list_delim 
		   (constant_string "for ") (constant_string ": ") 
		   comma string)
		behav
		expr inv))
	  inv
	  expr e2
	  *)
    | JCNEreturn(Some e1) ->
        out "(return %a)" expr e1
    | JCNEreturn None ->
        out "(return)"
    | JCNEtry(e1, l, e2) ->
        out "(@[try %a with@ %a@ | default -> %a@])" expr e1
          (print_list space
             (fun fmt (id, s, e3) ->
                fprintf fmt "| %s %s -> %a" id#name s expr e3))
          l expr e2
    | JCNEthrow(id, Some e1) ->
        out "(throw %s %a)" id#name expr e1
    | JCNEthrow(id, None) ->
        out "(throw %s)" id#name
    | JCNEpack(_e1, _ido) ->
        out "(TODO pack)"
    | JCNEunpack(_e1, _ido) ->
        out "(TODO unpack)"
    | JCNEmatch(_e1, _pel) ->
        out "(TODO match)"
    | JCNEquantifier(Forall, pty, idl, trigs, e1) ->
        out "(@[\\forall %a %a %a,@ %a@])" ptype pty
          (print_list space identifier) idl
          triggers trigs expr e1
    | JCNEquantifier(Exists, pty, idl, trigs, e1) ->
        out "(@[\\exists %a %a%a,@ %a@])" ptype pty
          (print_list space identifier) idl 
           triggers trigs expr e1
    | JCNEold _e1 ->
        out "(TODO old)"
    | JCNEat(e1, lab) ->
        out "\\at(%a,@ %a)" expr e1 label lab
    | JCNEmutable(_e1, _tag) ->
        out "(TODO mutable)"
    | JCNEeqtype(_tag1, _tag2) ->
        out "(TODO eqtype)"
    | JCNEsubtype(_tag1, _tag2) ->
        out "(TODO subtype)"
    | JCNErange(Some e1, Some e2) ->
        out "(%a .. %a)" expr e1 expr e2
    | JCNErange(Some e1, None) ->
        out "(%a ..)" expr e1
    | JCNErange(None, Some e1) ->
        out "(.. %a)" expr e1
    | JCNErange(None, None) ->
        out "(..)"

and triggers fmt trigs = 
  print_list_delim lsquare rsquare alt (print_list comma expr) fmt trigs

(*
Local Variables: 
compile-command: "LC_ALL=C make -j -C .. bin/jessie.byte"
End: 
*)
why-2.39/jc/jc_fenv.ml0000644000106100004300000001731513147234006013600 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



open Jc_stdlib
open Jc_env
open Jc_envset
open Jc_region
open Jc_ast

module rec LocationOrd
  : Map.OrderedType with type t = Effect.logic_info location =
struct
  type t = Effect.logic_info location
  let compare loc1 loc2 = 
    match loc1#node,loc2#node with
      | JCLvar v1, JCLvar v2 -> VarOrd.compare v1 v2
      | JCLvar _v, _ -> 1
      | _, JCLvar _v -> -1
      | _,_ -> 0
	  (* TODO: complete def of Location *)
end

and Location
  : Map.OrderedType with type t = Effect.logic_info location * Memory.t =
  PairOrd(LocationOrd)(Memory)

and LocationSet : Set.S with type elt = Location.t = Set.Make(Location)

and LocationMap : Map.S with type key = Location.t = Map.Make(Location)

and Effect : 
sig 
  type effect =
      {
	jc_effect_alloc_tables: LogicLabelSet.t AllocMap.t;
	jc_effect_tag_tables: LogicLabelSet.t TagMap.t;
	jc_effect_raw_memories: LogicLabelSet.t MemoryMap.t;
	jc_effect_precise_memories: LogicLabelSet.t LocationMap.t;
	jc_effect_memories: LogicLabelSet.t MemoryMap.t;
	jc_effect_globals: LogicLabelSet.t VarMap.t;
	jc_effect_locals: LogicLabelSet.t VarMap.t;
	jc_effect_mutable: StringSet.t;
	jc_effect_committed: StringSet.t;
      }

  type fun_effect =
      {
	jc_reads : effect;
	jc_writes : effect;
	jc_raises : ExceptionSet.t;
      }

  type logic_info =
      {
	jc_logic_info_tag : int;
	jc_logic_info_name : string;
	mutable jc_logic_info_final_name : string;
	mutable jc_logic_info_result_type : jc_type option;
	mutable jc_logic_info_result_region : region;
        mutable jc_logic_info_poly_args : type_var_info list;
	mutable jc_logic_info_parameters : var_info list;
	mutable jc_logic_info_param_regions : region list;
	mutable jc_logic_info_effects : effect;
	mutable jc_logic_info_calls : logic_info list;
	mutable jc_logic_info_axiomatic : string option;
	mutable jc_logic_info_labels : label list;
      }

  type builtin_treatment =
    | TreatNothing
    | TreatGenFloat of float_format

  type fun_info = 
      {
	jc_fun_info_tag : int;
	jc_fun_info_name : string;
	mutable jc_fun_info_final_name : string;
	mutable jc_fun_info_builtin_treatment : builtin_treatment; 
	jc_fun_info_result : var_info;
	jc_fun_info_return_region : region;
	(* If function has a label "return_label", this is a label denoting
	   the return statement of the function, to be used by static 
	   analysis to avoid merging contexts *)
	mutable jc_fun_info_has_return_label : bool;
	mutable jc_fun_info_parameters : (bool * var_info) list;
	mutable jc_fun_info_param_regions : region list;
	mutable jc_fun_info_calls : fun_info list;
	mutable jc_fun_info_component : int;
	mutable jc_fun_info_logic_apps : logic_info list;
	mutable jc_fun_info_effects : fun_effect;
      }
  end =
struct
  type effect =
      {
	jc_effect_alloc_tables: LogicLabelSet.t AllocMap.t;
	jc_effect_tag_tables: LogicLabelSet.t TagMap.t;
	jc_effect_raw_memories: LogicLabelSet.t MemoryMap.t;
	jc_effect_precise_memories: LogicLabelSet.t LocationMap.t;
	jc_effect_memories: LogicLabelSet.t MemoryMap.t;
	jc_effect_globals: LogicLabelSet.t VarMap.t;
	jc_effect_locals: LogicLabelSet.t VarMap.t;
	jc_effect_mutable: StringSet.t;
	jc_effect_committed: StringSet.t;
      }

  type fun_effect =
      {
	jc_reads : effect;
	jc_writes : effect;
	jc_raises : ExceptionSet.t;
      }

  type logic_info =
      {
	jc_logic_info_tag : int;
	jc_logic_info_name : string;
	mutable jc_logic_info_final_name : string;
	mutable jc_logic_info_result_type : jc_type option;
        (*r None for predicates *)
	mutable jc_logic_info_result_region : region;
        mutable jc_logic_info_poly_args : type_var_info list;
	mutable jc_logic_info_parameters : var_info list;
	mutable jc_logic_info_param_regions : region list;
	mutable jc_logic_info_effects : effect;
	mutable jc_logic_info_calls : logic_info list;
(* obsolete
	mutable jc_logic_info_is_recursive : bool;
*)
	mutable jc_logic_info_axiomatic : string option;
	mutable jc_logic_info_labels : label list;
      }

  type builtin_treatment =
    | TreatNothing
    | TreatGenFloat of float_format

  type fun_info = 
      {
	jc_fun_info_tag : int;
	jc_fun_info_name : string;
	mutable jc_fun_info_final_name : string;
	mutable jc_fun_info_builtin_treatment : builtin_treatment; 
	jc_fun_info_result : var_info;
	jc_fun_info_return_region : region;
	mutable jc_fun_info_has_return_label : bool;
	mutable jc_fun_info_parameters : (bool * var_info) list;
	mutable jc_fun_info_param_regions : region list;
	mutable jc_fun_info_calls : fun_info list;
	mutable jc_fun_info_component : int;
	mutable jc_fun_info_logic_apps : logic_info list;
	mutable jc_fun_info_effects : fun_effect;
      }
end

include Effect

type app = logic_info Jc_ast.app
type term_node = logic_info Jc_ast.term_node
type term = logic_info Jc_ast.term
type tag_node = logic_info Jc_ast.tag_node
type tag = logic_info Jc_ast.tag
type location_set_node = logic_info Jc_ast.location_set_node
type location_set = logic_info Jc_ast.location_set
type location_node = logic_info Jc_ast.location_node
type location = logic_info Jc_ast.location
type assertion = logic_info Jc_ast.assertion
type assertion_node = logic_info Jc_ast.assertion_node
type term_or_assertion = logic_info Jc_ast.term_or_assertion
type loop_annot = logic_info Jc_ast.loop_annot
type behavior = logic_info Jc_ast.behavior
type fun_spec = logic_info Jc_ast.fun_spec

type expr_node = (logic_info,fun_info) Jc_ast.expr_node
type expr = (logic_info,fun_info) Jc_ast.expr
type callee = (logic_info,fun_info) Jc_ast.callee
type call = (logic_info,fun_info) Jc_ast.call

(*
  Local Variables: 
  compile-command: "LC_ALL=C make -j -C .. bin/jessie.byte"
  End: 
*)
why-2.39/jc/jc_invariants.ml0000644000106100004300000013521613147234006015021 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



open Jc_stdlib
open Jc_env
open Jc_envset
open Jc_region
open Jc_ast
open Jc_fenv

open Jc_name
open Jc_constructors
open Jc_pervasives
(*
open Jc_iterators
*)
open Jc_interp_misc
open Jc_struct_tools

open Output

(* other modifications for this extension can be found in:
     ast, typing, norm, interp: about pack / unpack, and mutable
     jc_main.ml
       phase 3.5
       production phase 5
     jc_interp.ml
       function tr_fun: 2 calls to "assume_all_invariants"
       function statement
         JCSassign_heap: call to "assume_field_invariants"
     jc_typing.ml
       hashtbl mutable_fields_table
       hashtbl committed_fields_table
       function create_mutable_field
       function find_field_struct: "mutable" and "committed" cases (and the parameter allow_mutable)
       function decl: JCPDstructtype: call to create_mutable_field
       function statement: call to "assert_mutable"

TODOs:
     Maybe generate assocs (or global invariant) when doing unpack or pack, as it modifies
mutable and committed.
     Arrays and global invariant.
*)

let prop_type = simple_logic_type "prop"


(* returns (inv, reads) where i is the assertion of the invariants of the structure
and r is a StringSet of the "reads" needed by these invariants *)
let invariant_for_struct this st =
  let (_, invs) =
    StringHashtblIter.find Jc_typing.structs_table st.jc_struct_info_name
  in
  let inv =
    make_and_list
      (List.map 
	 (fun (li, _) -> 
	    make_logic_pred_call ~label_in_name:false ~region_assoc:[] ~label_assoc:[] li [this]) invs)
  in
  let reads =
    List.fold_left
      (fun acc (li, _) -> logic_info_reads acc li)
      StringSet.empty
      invs
  in
  (inv, reads)

let make_assume reads assume =
  mk_expr (BlackBox (Annot_type (LTrue, unit_type, reads, [], assume, [])))

let fully_packed pc e =
  LPred(
    fully_packed_name,
    [ LVar (generic_tag_table_name (pointer_class_root pc));
      LVar (mutable_name pc);
      e ])
(*
let type_structure = function
  | JCTpointer(JCtag st, _, _) -> st
  | _ -> failwith "type_structure"
*)

let type_pc = function
  | JCTpointer(pc, _, _) -> pc
  | _ -> raise (Invalid_argument "type_pc")

let range_min = function
  | JCTpointer(_, x, _) -> x
  | _ -> raise (Invalid_argument "range_min")

let range_max = function
  | JCTpointer(_, _, x) -> x
  | _ -> raise (Invalid_argument "range_max")

(*let mutable_instance_of_name root_structure_name =
  (mutable_name root_structure_name)^"_instance_of"*)

let omin_omax alloc basep min max =
  let omin = match min with
    | None -> LApp("offset_min", [ alloc; basep ])
    | Some n -> LConst(Prim_int(Num.string_of_num n))
  in
  let omax = match max with
    | None -> LApp("offset_max", [ alloc; basep ])
    | Some n -> LConst(Prim_int(Num.string_of_num n))
  in
  omin, omax

let make_range index omin omax =
  if omin = omax then
    LPred("eq", [ index; omin ])
  else
    make_and
      (LPred("ge_int", [ index; omin ]))
      (LPred("le_int", [ index; omax ]))

let pset_singleton p =
  LApp("pset_singleton", [ p ])

let pset_union a b =
  LApp("pset_union", [ a; b ])

let pset_union_list = function
  | [] -> LVar "pset_empty"
  | hd::tl -> List.fold_left pset_union hd tl

let pset_range s a b =
  LApp("pset_range", [ s; a; b ])

let make_shift p i =
  LApp("shift", [ p; i ])

let make_not_assigns alloc old_mem new_mem pset =
  LPred("not_assigns", [ alloc; old_mem; new_mem; pset ])

let make_bool b = LConst(Prim_bool b)

(************************************)
(* Checking an invariant definition *)
(************************************)

(* Typing imposes non pointer fields to have the flag "rep" *)
let field this pos fi =
  if not fi.jc_field_info_rep then
    Jc_typing.typing_error pos "this term is not a rep field of %s"
      this.jc_var_info_name

(*let rec check_rep ?(must_deref=false) this pos t =
  match t.jc_term_node with
    | JCTvar vi when vi == this && not must_deref -> ()
    | JCTderef (t, lab, fi) ->
	field fi this pos;
	check_rep ~must_deref:false this pos t
    | JCTcast (t, _, _) -> assert false (* TODO *)
    | JCTshift (t, _) ->
	(* t must not be this, but might be a field of this if it is a table *)
	(* (? TODO) *)
	check_rep ~must_deref:true this pos t
    | _ ->
	Jc_typing.typing_error pos "this term is not a rep field of %s"
	  this.jc_var_info_name*)

(* A pattern may hide some dereferencing. *)
let pattern this p =
  Jc_iterators.iter_pattern
    (fun p -> match p#node with
       | JCPstruct(_, fipl) ->
	   List.iter (field this p#pos) (List.map fst fipl)
       | _ -> ())
    p

(* When typing the body of the invariant, the only pointer in the environment
is the argument of the pointer. Thus, it is sufficient to check that all
dereferencing is done on a rep field AND that all applications do not read
any memory (else one could hide dereferencing in logic functions). *)
let term this t =
  Jc_iterators.ITerm.iter
    (fun t -> match t#node with
       | JCTapp app ->
	   let id = app.jc_app_fun in
	   if not (MemoryMap.is_empty
		     id.jc_logic_info_effects.jc_effect_memories) then
	     Jc_typing.typing_error t#pos
	       "this call is not allowed in structure invariant"
       | JCTderef(_, _, fi) ->
	   field this t#pos fi
       | JCTmatch(_, ptl) ->
	   List.iter (pattern this) (List.map fst ptl)
       | _ -> ())
    t

(*let term this t =
  iter_term
    (fun t -> match t.jc_term_node with
       | JCTconst _
       | JCTvar _
       | JCTrange(None, None) -> ()
       | JCTbinary(t1, _, t2)
       | JCTrange(Some t1, Some t2) ->
	   term this t1;
	   term this t2
       | JCTunary(_, t)
       | JCTold t
       | JCTat(t, _)
       | JCToffset(_, t, _)
       | JCTinstanceof(t, _, _)
       | JCTcast(t, _, _)
       | JCTrange(Some t, None)
       | JCTrange(None, Some t) ->
	   term this t
       | JCTif(t1, t2, t3) ->
	   term this t1
	   term this t2
	   term this t3
       | JCTmatch of term * (pattern * term) list
       | JCTshift(t1, t2) ->
       | JCTsub_pointer(t1, t2) ->
       | JCTderef(t, _, fi) ->
       | JCTapp app ->
	   let id = app.jc_app_fun in
	   if not (FieldRegionMap.is_empty
		     id.jc_logic_info_effects.jc_effect_memories) then
	     Jc_typing.typing_error t.jc_term_loc
	       "this call is not allowed in structure invariant"
       | JCTderef _ ->
	   check_rep this t.jc_term_loc t
       | _ -> ()
    ) t*)

let tag this t =
  match t#node with
    | JCTtag _
    | JCTbottom -> ()
    | JCTtypeof(t, _) -> term this t

let rec assertion this p =
  match p#node with
    | JCAtrue | JCAfalse -> ()
    | JCAif (_, _, _) -> assert false (* TODO *)
    | JCAinstanceof(t,_,_)
    | JCAfresh t 
    | JCAbool_term t -> term this t
    | JCAold p -> assertion this p
    | JCAat(p,_) -> assertion this p
    | JCAquantifier(_,_id, _, p) -> assertion this p
    | JCAapp app ->
	let id = app.jc_app_fun in
	if MemoryMap.is_empty id.jc_logic_info_effects.jc_effect_memories
	then List.iter (term this) app.jc_app_args
	else
	  Jc_typing.typing_error p#pos
	    "this call is not allowed in structure invariant"
    | JCAnot p -> assertion this p
    | JCAiff (p1, p2)
    | JCAimplies (p1, p2) -> assertion this p1; assertion this p2
    | JCArelation (t1,_, t2) -> term this t1; term this t2
    | JCAand l | JCAor l -> List.iter (assertion this) l
    | JCAmutable _ ->
	Jc_typing.typing_error p#pos
	  "\\mutable is not allowed in structure invariant"
    | JCAeqtype(t1, t2, _) | JCAsubtype(t1, t2, _) ->
	tag this t1;
	tag this t2
    | JCAlet(_vi,t, p) ->
	term this t;
	assertion this p
    | JCAmatch(t, pal) ->
	term this t;
	List.iter (fun (_, a) -> assertion this a) pal

let check invs =
  List.iter
    (fun (li,p) -> 
       Jc_options.lprintf
	 "    Checking invariant: %s@." li.jc_logic_info_name;
       match li.jc_logic_info_parameters with
	 | [this] -> assertion this p
	 | _ -> assert false)
    invs

(***********************************)
(* Tools for structure definitions *)
(***********************************)

let term_memories aux t = 
  Jc_iterators.fold_term 
    (fun aux t -> match t#node with
    | JCTderef(_t, _lab, fi) ->
	let m = fi.jc_field_info_final_name in
	StringSet.add m aux
    | _ -> aux
    ) aux t

let tag_memories aux t = match t#node with
  | JCTtag _ | JCTbottom -> aux
  | JCTtypeof(t, _) -> term_memories aux t

let rec assertion_memories aux a = match a#node with
  | JCAtrue
  | JCAfalse -> aux
  | JCAand l
  | JCAor l -> List.fold_left assertion_memories aux l
  | JCAimplies(a1, a2)
  | JCAiff(a1, a2) -> assertion_memories (assertion_memories aux a1) a2
  | JCArelation(t1,_,t2) -> term_memories (term_memories aux t1) t2
  | JCAnot a
  | JCAold a
  | JCAat(a,_)
  | JCAquantifier(_,_, _, a) -> assertion_memories aux a
  | JCAapp app -> List.fold_left term_memories aux app.jc_app_args
  | JCAinstanceof(t, _, _ )
  | JCAfresh t
  | JCAbool_term t -> term_memories aux t
  | JCAif(t, a1, a2) -> assertion_memories (assertion_memories (term_memories aux t) a1) a2
  | JCAmutable(t, _, _) -> term_memories aux t
  | JCAeqtype(t1, t2, _) | JCAsubtype(t1, t2, _) -> 
      tag_memories (tag_memories aux t2) t1
  | JCAlet(_vi,t,p) ->
      term_memories (assertion_memories aux p) t
  | JCAmatch(t, pal) ->
      term_memories (List.fold_left assertion_memories aux (List.map snd pal)) t

(* Returns (as a StringSet.t) every structure name that can be reached from st.
Assumes the structures whose name is in acc have already been visited
and won't be visited again. *)
let rec all_structures st acc =
  if StringSet.mem st.jc_struct_info_name acc then acc else
    List.fold_left
      (fun acc fi ->
	 match fi.jc_field_info_type with
	   | JCTpointer(JCtag(st, _), _, _) -> all_structures st acc
	   | _ -> acc)
      (StringSet.add st.jc_struct_info_name acc)
      st.jc_struct_info_fields   

(* Returns all memories used by the structure invariants. *)
let struct_inv_memories acc st =
  let _, invs = StringHashtblIter.find Jc_typing.structs_table st in
  List.fold_left
    (fun acc (_, a) -> assertion_memories acc a)
    acc
    invs

(* Returns the parameters needed by an invariant, "this" not included *)
(* TODO: factorize using Jc_interp_misc.logic_params *)
let invariant_params acc li =
  let acc =
    MemoryMap.fold
      (fun (mc,r) _labels acc -> 
	 (memory_name(mc,r), memory_type mc)::acc)
      li.jc_logic_info_effects.jc_effect_memories
      acc
  in
  let acc =
    AllocMap.fold
      (fun (ac,r) _labs acc -> 
	 (alloc_table_name (ac, r),
	  alloc_table_type (ac))::acc)
      li.jc_logic_info_effects.jc_effect_alloc_tables
      acc
  in
  let acc =
    TagMap.fold
      (fun (v,r) _labels acc -> 
	 let t = { logic_type_args = [root_model_type v];
		   logic_type_name = "tag_table" }
	 in
	 (tag_table_name (v,r), t)::acc)
      li.jc_logic_info_effects.jc_effect_tag_tables
      acc
  in
    acc

(* Returns the parameters needed by the invariants of a structure, "this" not included *)
let invariants_params acc st =
  let (_, invs) =
    StringHashtblIter.find Jc_typing.structs_table st.jc_struct_info_name
  in
  List.fold_left (fun acc (li, _) -> invariant_params acc li) acc invs

(* Returns the structure and its parents, up to its root *)
let rec parents acc st =
  match st.jc_struct_info_parent with
    | None -> acc
    | Some(p, _) -> parents (st::acc) p
let parents = parents []

(* Returns every structure (name) that can be used by a function,
given its parameters *)
let function_structures params =
  let structures = List.fold_left
    (fun acc vi ->
       match vi.jc_var_info_type with
	 | JCTpointer(JCtag(st, _), _, _) ->
	     all_structures st acc
	 | JCTpointer(JCroot vi, _, _) ->
	     List.fold_right all_structures vi.jc_root_info_hroots acc
	 | _ -> acc)
    StringSet.empty
    params
  in
  StringSet.elements structures

let hierarchy_structures h =
  StringHashtblIter.fold
    (fun _ (st, _) acc ->
       (* don't use equality directly on st and h, as it might not terminate *)
       (* we could use == instead though *)
       if root_name st = root_name h then st::acc else acc)
    Jc_typing.structs_table
    []
  
let hierarchies () =
  let h =
    StringHashtblIter.fold
      (fun _ (st, _) acc ->
         StringMap.add (root_name st) st.jc_struct_info_hroot acc)
      Jc_typing.structs_table
      StringMap.empty
  in
  StringMap.fold
    (fun _ st acc -> st::acc)
    h
    []

let is_pointer = function
  | JCTpointer _ -> true
  | _ -> false

(* Returns every rep pointer fields of a structure *)
let rep_fields st =
  List.filter
    (fun fi -> fi.jc_field_info_rep && is_pointer fi.jc_field_info_type)
    st.jc_struct_info_fields

(* Returns every rep fields of a hierarchy *)
let hierarchy_rep_fields root =
  List.flatten (List.map rep_fields (hierarchy_structures root))

(*********)
(* assoc *)
(*********)

(*let program_point_type = simple_logic_type "int"

let fresh_program_point =
  let c = ref 0 in fun () ->
  c := !c + 1; string_of_int !c

let assoc_declaration =
  (* logic assoc: int, ('a, 'b) memory -> prop *)
  Logic(
    false,
    "assoc",
    [ "", program_point_type;
      "", memory_type "'a" (simple_logic_type "'b") ],
    prop_type)

let make_assoc pp m =
  LPred("assoc", [LConst(Prim_int pp); LVar m])

let make_assoc_list pp mems =
  make_and_list (List.map (make_assoc pp) mems)

let make_assume_assocs pp mems =
  let assocs = make_assoc_list pp mems in
  make_assume mems assocs

(* List of each memory m that appears in an invariant
which can be broken by the modification of the field fi *)
let field_assocs fi =
  let _, invs = Hashtbl.find Jc_typing.structs_table fi.jc_field_info_root in
  let mems = List.fold_left
    (fun aux (_, a) ->
       let amems = assertion_memories StringSet.empty a in
       if StringSet.mem fi.jc_field_info_final_name amems then
         StringSet.union amems aux
       else
	 aux
    ) (StringSet.singleton (mutable_name fi.jc_field_info_root)) invs in
  StringSet.elements mems

(* Assume all assocs needed after a field has been modified *)
let make_assume_field_assocs pp fi =
  make_assume_assocs pp (field_assocs fi)

(* Returns a list of all memories which need an "assoc"
(calculated from a function parameter list) *)
let all_assocs pp params =
  let structures = function_structures params in
  (* memories used by these structures' invariants *)
  let memories = List.fold_left
    struct_inv_memories
    StringSet.empty
    structures
  in
  (* mutable fields *)
  let mutable_fields = List.map (fun s -> mutable_name s) structures in
  StringSet.elements memories@mutable_fields

(* Assume all assocs needed at the start of a fonction *)
let make_assume_all_assocs pp params =
  make_assume_assocs pp (all_assocs pp params)*)

(***********)
(* mutable *)
(***********)

let mutable_memory_type pc =
  raw_memory_type (pointer_class_model_type pc)
    (tag_id_type (pointer_class_root pc))

let committed_memory_type pc =
  raw_memory_type (pointer_class_model_type pc) (simple_logic_type "bool")

let mutable_declaration st acc =
  if st.jc_struct_info_parent = None then
    let st = JCtag(st, []) in
    (* mutable_T: T tag_id *)
    Param(
      false,
      id_no_loc (mutable_name st),
      Ref_type(Base_type (mutable_memory_type st)))
    (* committed_T: bool *)
    ::Param(
      false,
      id_no_loc (committed_name st),
      Ref_type(Base_type (committed_memory_type st)))
    ::acc
  else
    acc

(* Assert the condition under which a field update statement can be executed.
The object must be "sufficiently unpacked", that is: its "mutable" field is
a strict superclass of the class in which the field is defined.
  And the object must not be committed. *)
(* assert ((st.jc_struct_info_parent <: e.mutable || e.mutable = bottom_tag) && e.committed = false) *)
(* Actually, the "not committed" part is meta-implied by the
condition on mutable. *)
let assert_mutable e fi =
  if fi.jc_field_info_rep then
    begin
      let st = fi.jc_field_info_struct in
      let mutable_name = mutable_name (JCtag(st, [])) in
      (*let committed_name = committed_name st.jc_struct_info_hroot in*)
      let e_mutable = LApp("select", [LVar mutable_name; e]) in
      (*let e_committed = LApp("select", [LVar committed_name; e]) in*)
      let parent_tag = match st.jc_struct_info_parent with
	| None -> LVar "bottom_tag"
	| Some(parent, _) -> LVar (tag_name parent)
      in
      let sub = make_subtag parent_tag e_mutable in
      (*let not_committed =
	LPred(
	  "eq",
	  [ e_committed;
	    LConst (Prim_bool false) ])
      in
      Assert(`ASSERT,make_and sub not_committed, Void)*)
      mk_expr (Assert(`ASSERT,sub, void))
    end
  else
    void

(********************)
(* Invariant axioms *)
(********************)

(*let invariant_axiom st acc (li, a) =
  let params = invariant_params [] li in
  
  (* this *)
  let this = "this" in
  let this_ty =
    { logic_type_name = "pointer";
      logic_type_args = [simple_logic_type st.jc_struct_info_hroot] } in

  (* program point *)
  let pp = "program_point" in
  let pp_ty = simple_logic_type "int" in

  (* assoc memories with program point => not this.mutable => this.invariant *)
  let mutable_ty = mutable_memory_type st.jc_struct_info_hroot in
  let mutable_is_false =
    LPred(
      "eq",
      [ LConst(Prim_bool false);
	LApp("select", [LVar "mutable"; LVar this]) ]) in
  let assoc_memories = StringSet.fold
    (fun mem acc ->
       LPred("assoc", [LVar pp; LVar mem])::acc)
    (assertion_memories
       (StringSet.singleton "mutable")
       a)
    [] in
  let invariant = make_logic_pred_call li [LVar this] in
  let axiom_impl = List.fold_left (fun acc assoc -> LImpl(assoc, acc))
    (LImpl(mutable_is_false, invariant))
    assoc_memories in

  (* quantifiers *)
  let quantified_vars = params in
  let quantified_vars = ("mutable", mutable_ty)::quantified_vars in
  let quantified_vars = (pp, pp_ty)::quantified_vars in
  let quantified_vars = (this, this_ty)::quantified_vars in
  let axiom =
    List.fold_left (fun acc (id, ty) -> LForall(id, ty, acc))
      axiom_impl quantified_vars in
  Axiom("axiom_"^li.jc_logic_info_name, axiom)::acc

let invariants_axioms st acc =
  let _, invs = Hashtbl.find Jc_typing.structs_table st.jc_struct_info_name in
  List.fold_left (invariant_axiom st) acc invs*)

(******************************************)
(* Invariant assumes (axioms pre-applied) *)
(******************************************)

(* hierarchy root (string) -> hierarchy invariant parameters ((string * logic_type) list) *)
let hierarchy_invariants = Hashtbl.create 97

(* List of each invariant that can be broken by modifying a given field *)
let field_invariants fi =
  if not fi.jc_field_info_rep then [] else (* small optimisation, it is not needed *)
    (* List of all structure * invariant *)
    let invs =
      StringHashtblIter.fold
        (fun _ (st, invs) acc -> (List.map (fun inv -> st, inv) invs)@acc)
        Jc_typing.structs_table
        []
    in
    (* Only keep the invariants which uses the field *)
    List.fold_left
      (fun aux ((_, (_, a)) as x) ->
	 let amems = assertion_memories StringSet.empty a in
	 if StringSet.mem fi.jc_field_info_final_name amems then
           x::aux
	 else
	 aux)
      []
      invs

(* this.mutable <: st => invariant *)
(* (the invariant li must be declared in st) *)
let not_mutable_implies_invariant this st (li, _) =
  let params = invariant_params [] li in
  
  (* this.mutable <: st *)
  let mutable_name = mutable_name (JCtag(st, [])) in
  let mutable_io = make_subtag
    (LApp("select", [ LVar mutable_name; LVar this ]))
    (LVar (tag_name st))
  in

  (* invariant *)
  let invariant = 
    make_logic_pred_call ~label_in_name:false ~region_assoc:[] ~label_assoc:[] li [LVar this]
  in

  (* implies *)
  let impl = LImpl(mutable_io, invariant) in

  (* params *)
  let params = (mutable_name, mutable_memory_type (JCtag(st, [])))::params in
  let params = (generic_tag_table_name (struct_root st),
                tag_table_type (struct_root st))::params in

  params, impl

(* this.mutable <: st => this.fields.committed *)
let not_mutable_implies_fields_committed this st =
  let fields = rep_fields st in

  (* this.mutable <: st *)
  let mutable_name = mutable_name (JCtag(st, [])) in
  let mutable_io = make_subtag
    (LApp("select", [ LVar mutable_name; LVar this ]))
    (LVar (tag_name st))
  in

  (* fields committed *)
  let fields_pc = List.fold_left
    (fun acc fi ->
       match fi.jc_field_info_type with
	 | JCTpointer(fi_pc, min, max) ->
	     let n = fi.jc_field_info_final_name in
	     let index = "jc_index" in
	     let committed_name = committed_name fi_pc in
	     let fi_ac = alloc_class_of_pointer_class fi_pc in
	     let alloc = generic_alloc_table_name fi_ac in
	     let params =
	       [ n, memory_type (JCmem_field fi);
		 committed_name, committed_memory_type fi_pc;
		 alloc, alloc_table_type fi_ac; ]
	     in
	     let this_fi = make_select (LVar n) (LVar this) in
	     let f = make_shift this_fi (LVar index) in
	     let eq = make_eq (make_select_committed fi_pc f)
	       (make_bool true)
	     in
	     let omin, omax = omin_omax (LVar alloc) this_fi min max in
	     let range = make_range (LVar index) omin omax in
	     let pred =
	       LForall(
		 index, simple_logic_type "int", [],
		 LImpl(range, eq))
	     in
	     (params, pred)::acc
	 | _ -> acc)
    [] fields
  in
  let params, coms = List.flatten (List.map fst fields_pc),
    make_and_list (List.map snd fields_pc) in

  (* additional params *)
  let params = (mutable_name, mutable_memory_type (JCtag(st, [])))::params in
  let params = (generic_tag_table_name (struct_root st),
                tag_table_type (struct_root st))::params in

  (* implies *)
  let impl = LImpl(mutable_io, coms) in

  params, impl

(* this.committed => fully_packed(this) *)
let committed_implies_fully_packed this root =
  let committed_name = committed_name root in
  let committed_type = committed_memory_type root in
  let mutable_name = mutable_name root in
  let mutable_type = mutable_memory_type root in
  let tag_table = generic_tag_table_name (pointer_class_root root) in
  let tag_table_type = tag_table_type (pointer_class_root root) in

  (* this.committed = true *)
  let com = LPred(
    "eq",
    [ LApp(
	"select",
	[ LVar committed_name;
	  LVar this ]);
      LConst(Prim_bool true) ])
  in

  (* fully_packed(this) *)
  let packed = LPred(
    fully_packed_name,
    [ LVar tag_table;
      LVar mutable_name;
      LVar this ])
  in

  (* implies *)
  let impl = LImpl(com, packed) in

  (* params *)
  let params = [
    tag_table, tag_table_type;
    committed_name, committed_type;
    mutable_name, mutable_type;
  ] in

  params, impl

let lex2 (a1, b1) (a2, b2) =
  let c = compare a1 a2 in
  if c = 0 then compare b1 b2 else c

(* forall x, ((meta) forall rep field f),
   this.f = x.f /\ this.f.committed -> this = y *)
let owner_unicity this root =
  let reps = hierarchy_rep_fields root in

  (* x name and type *)
  let x_name = this^"_2" in
  let pc = JCtag(root, []) in
  let ac = alloc_class_of_pointer_class pc in
  let x_type = pointer_type ac pc in

  (* shift indexes *)
  let index1 = "jc_index" in
  let index2 = "jc_index_2" in

  (* big "or" on all rep fields *)
  let eq_and_com_list = List.map
    (fun fi ->
       try
	 let name = fi.jc_field_info_final_name in
	 Printf.printf "***** FIELD %s *****\n%!" name;
	 let fi_pc = type_pc fi.jc_field_info_type in
	 let committed_name = committed_name fi_pc in
	 let this_dot_f = make_select (LVar name) (LVar this) in
	 let x_dot_f = make_select (LVar name) (LVar x_name) in

	 (* indexes, ranges *)
	 let fi_ac = alloc_class_of_pointer_class fi_pc in
	 let alloc = generic_alloc_table_name fi_ac in
	 let omin1, omax1 = omin_omax (LVar alloc) this_dot_f
	   (range_min fi.jc_field_info_type)
	   (range_max fi.jc_field_info_type)
	 in
	 let omin2, omax2 = omin_omax (LVar alloc) x_dot_f
	   (range_min fi.jc_field_info_type)
	   (range_max fi.jc_field_info_type)
	 in
	 let range1 = make_range (LVar index1) omin1 omax1 in
	 let range2 = make_range (LVar index2) omin2 omax2 in
	 let shift1 = make_shift this_dot_f (LVar index1) in
	 let shift2 = make_shift this_dot_f (LVar index2) in

	 let eq = make_eq shift1 shift2 in

	 let com = make_eq
	   (make_select (LVar committed_name) shift1)
	   (make_bool true)
	 in

	 make_and_list [ range1; range2; eq; com ]
       with Failure "type_structure" ->
	 LFalse)
    reps
  in
  let big_or = make_or_list eq_and_com_list in

  let impl = LImpl(big_or, make_eq (LVar this) (LVar x_name)) in

  let forall =
    LForall(
      index1, simple_logic_type "int", [],
      LForall(
	index2, simple_logic_type "int", [],
	LForall(x_name, x_type, [], impl)))
  in

  (* params *)
  let params = List.map
    (fun fi ->
       let ac = JCalloc_root (struct_root fi.jc_field_info_struct) in
       [ fi.jc_field_info_final_name, memory_type (JCmem_field fi);
	 committed_name (JCtag(fi.jc_field_info_hroot, [])),
	 committed_memory_type (JCtag(fi.jc_field_info_hroot, []));
	 generic_alloc_table_name ac,
	 alloc_table_type ac ])
    reps
  in
  let params = List.flatten params in

  params, forall

let make_hierarchy_global_invariant acc root =
  (* this *)
  let this = "this" in
  let pc = JCtag(root, []) in
  let ac = alloc_class_of_pointer_class pc in
  let this_ty = pointer_type ac pc in

  (* not mutable => invariant, and their parameters *)
  let structs = hierarchy_structures root in
  let mut_inv = List.map
    (fun st ->
       let _, invs =
	 StringHashtblIter.find
           Jc_typing.structs_table st.jc_struct_info_name
       in
       List.map (fun inv -> not_mutable_implies_invariant this st inv) invs)
    structs
  in
  let mut_inv = List.flatten mut_inv in
  let params, mut_inv = List.map fst mut_inv, List.map snd mut_inv in
  let mut_inv = make_and_list mut_inv in

  (* not mutable for T => fields defined in T committed *)
  let params, mut_com = List.fold_left
    (fun (params, coms) st ->
       let p, c = not_mutable_implies_fields_committed this st in
       p@params, make_and c coms)
    (List.flatten params, LTrue)
    structs
  in

  (* committed => fully packed *)
  let params_cfp, com_fp = committed_implies_fully_packed this
    (JCtag(root, [])) in
  let params = params_cfp@params in

  (* unicity of the owner: x.f == y.f && x.f.committed ==> x == y *)
  let params_ou, owner_unicity = owner_unicity this root in
  let params = params_ou@params in

  (* predicate body, quantified on "this" *)
  let body = LForall(this, this_ty, [], make_and_list [ mut_inv; mut_com; com_fp; owner_unicity ]) in

  (* sort the parameters and only keep one of each *)
  let params = List.fold_left
    (fun acc (n, t) -> StringMap.add n t acc)
    StringMap.empty
    params
  in
  let params = StringMap.fold (fun n t acc -> (n, t)::acc) params [] in
  let params = List.sort lex2 params in

  (* fill hash table *)
  Hashtbl.add hierarchy_invariants root.jc_struct_info_name params;

  (* return the predicate *)
  match params with
    | [] -> acc (* Not supposed to happen though *)
    | _ -> Predicate(false, id_no_loc (hierarchy_invariant_name root),
		     params, body)::acc

let make_global_invariants acc =
  let h = hierarchies () in
  List.fold_left make_hierarchy_global_invariant acc h

let assume_global_invariant st =
  let params =
    try
      Hashtbl.find hierarchy_invariants (root_name st)
    with Not_found ->
      failwith
	("Jc_invariants.assume_global_invariant: "^
	   (root_name st)^" not found")
  in
  match params with
    | [] -> void
    | _ ->
	let reads = List.map fst params in
	let params = List.map (fun (n, _) -> LVar n) params in
	let inv = LPred(hierarchy_invariant_name st, params) in
	make_assume reads inv

let assume_global_invariants hl =
  List.fold_left append void (List.map assume_global_invariant hl)

(* Given a field that has just been modified, assume all potentially
useful invariant for all objects that is not mutable *)
let assume_field_invariants fi =
  let invs = field_invariants fi in
  (* keep hierarchies only once *)
  let hl = List.fold_left
    (fun acc (st, _) ->
       StringMap.add (root_name st) st.jc_struct_info_hroot acc)
    StringMap.empty
    invs
  in
  assume_global_invariants (StringMap.values hl)

(* Given the parameters of a function, assume all potentially useful
forall this: st, not this.mutable => invariant *)
let assume_all_invariants params =
  let structures = function_structures params in
  (* keep hierarchies only once *)
  let hl = List.fold_left
    (fun acc st ->
       StringSet.add (root_name (find_struct st)) acc)
    StringSet.empty
    structures
  in
  let roots = List.map find_struct (StringSet.elements hl) in
  assume_global_invariants roots

(*(* Given a field that has just been modified, assume all potentially
useful invariant for all objects that is not mutable *)
let assume_field_invariants fi =
  (* structure in which the field is defined *)
  let st, _ = Hashtbl.find Jc_typing.structs_table fi.jc_field_info_struct in
  let assumes = List.map (fun inv -> forall_mutable_invariant st inv) (field_invariants fi) in (* FAUX (st n'est pas forcément la bonne structure !) *)
  let assumes = List.map (fun (params, inv) -> make_assume (List.map fst params) inv) assumes in
  List.fold_left append Void assumes

let rec flatten_snd = function
  | [] -> []
  | (a, l)::tl -> (List.map (fun b -> a, b) l)@(flatten_snd tl)

(* Given the parameters of a function, assume all potentially useful
forall this: st, not this.mutable => invariant *)
let assume_all_invariants params =
  let structures = function_structures params in
  let st_invs =
    List.map
      (fun id -> Hashtbl.find Jc_typing.structs_table id)
      structures
  in
  let st_invs = flatten_snd st_invs in
  let assumes = List.map (fun (st, inv) -> forall_mutable_invariant st inv) st_invs in
  let assumes = List.map (fun (params, inv) -> make_assume (List.map fst params) inv) assumes in
  List.fold_left append Void assumes*)

(*****************)
(* pack / unpack *)
(*****************)

(* return fields that are both pointers and rep fields *)
let components st =
  List.fold_left
    (fun acc fi ->
       if fi.jc_field_info_rep then
	 match fi.jc_field_info_type with
	   | JCTpointer(pc, _, _) -> (fi, pc)::acc
	   | _ -> acc
       else acc)
    []
    st.jc_struct_info_fields

let components_by_type st =
  let compare_pcs s t =
    compare (pointer_class_type_name s) (pointer_class_type_name t) in
  let comps = components st in
  let comps =
    List.sort
      (fun (_, s) (_, t) -> compare_pcs s t)
      comps
  in
  let rec part prev acc = function
    | [] -> [prev, acc]
    | (fi, si)::tl ->
	if compare_pcs si prev = 0 then
	  part prev (fi::acc) tl
	else
	  (prev, acc)::(part si [fi] tl)
  in
  let part = function
    | [] -> []
    | (fi, si)::tl -> part si [fi] tl
  in
  part comps

(* return a post-condition stating that the committed
field of each component of "this" (in "fields") of the
hierarchy "root" has been set to "value", and only them *)
let hierarchy_committed_postcond this root fields value =
  let com = committed_name root in
  let ac = alloc_class_of_pointer_class root in
  let alloc = generic_alloc_table_name ac in
  (* fields information and range *)
  let fields = List.map
    (fun fi ->
       let this_fi = make_select_fi fi this in
       let omin, omax = omin_omax (LVar alloc) this_fi
	 (range_min fi.jc_field_info_type)
	 (range_max fi.jc_field_info_type)
       in
       fi, this_fi, omin, omax)
    fields
  in
  (* pset of pointers that have been modified *)
  let pset_list = List.map
    (fun (_fi, this_fi, omin, omax) ->
       (pset_range (pset_singleton this_fi) omin omax))
    fields
  in
  let pset = pset_union_list pset_list in
  (* "not_assigns" saying that only the pointers of pset
     have been modified *)
  let not_assigns = make_not_assigns (LDeref alloc)
    (LDerefAtLabel(com, ""))
    (LDeref com)
    pset
  in
  (* new values for the fields in their ranges *)
  let com_values = List.map
    (fun (fi, this_fi, omin, omax) ->
       let fi_pc = type_pc fi.jc_field_info_type in
       let index = "jc_index" in
       let range = make_range (LVar index) omin omax in
       let new_value = make_eq
	 (make_select_committed fi_pc
	    (make_shift this_fi (LVar index)))
	 (LConst(Prim_bool value))
       in
       LForall(index, simple_logic_type "int", [], LImpl(range, new_value)))
    fields
  in
  (* result *)
  make_and_list (not_assigns::com_values)

(* all components have "committed" = committed *)
let make_components_postcond this st reads writes committed =
  let comps = components_by_type st in
  let writes =
    List.fold_left
      (fun acc (pc, _) -> StringSet.add (committed_name pc) acc)
      writes
      comps
  in
  let reads =
    List.fold_left
      (fun acc (_, fields) ->
	 List.fold_left
	   (fun acc fi -> StringSet.add fi.jc_field_info_final_name acc)
	   acc
	   fields)
      reads
      comps
  in
  let reads = StringSet.union reads writes in
  let reads = List.fold_left
    (fun acc (pc, _fields) -> StringSet.add
       (generic_alloc_table_name (alloc_class_of_pointer_class pc)) acc)
    reads comps
  in
  let postcond =
    make_and_list
      (* for each hierarchy... *)
      (List.map
	 (fun (pc, fields) -> hierarchy_committed_postcond
	    this pc fields committed)
	 comps)
  in
  postcond, reads, writes  

(* all components must have mutable = committed = false (for pack) *)
let make_components_precond this st reads =
  let comps = components st in
  let reads =
    List.fold_left
      (fun acc (fi, _) -> StringSet.add fi.jc_field_info_final_name acc)
      reads
      comps
  in
  let l, reads = List.fold_left
    (fun (l, reads) (fi, si) ->
       let index_name = "jc_index" in
       let mutable_name = mutable_name si in
       let committed_name = committed_name si in
       (* x.f *)
       let base_field =
	 LApp("select", [LVar fi.jc_field_info_final_name; this])
       in
       (* x.f+i *)
       let this_field =
	 LApp("shift", [ base_field; LVar index_name ])
       in
       let fi_pc = type_pc fi.jc_field_info_type in
       let fi_ac = alloc_class_of_pointer_class fi_pc in
       let alloc = generic_alloc_table_name fi_ac in
       let reads = StringSet.add (generic_tag_table_name (pointer_class_root fi_pc)) reads in
       let reads = StringSet.add alloc reads in
       let reads = StringSet.add mutable_name reads in
       (* pre-condition: forall i, valid(x.f+i) => fp(x.f+i) /\ not committed(x.f+i) *)
       let body = make_and
	 (fully_packed fi_pc this_field)
	 (LPred(
	    "eq",
	    [ LApp("select", [LVar committed_name; this_field]);
	      LConst(Prim_bool false) ]))
       in
       let omin, omax = omin_omax (LVar alloc) base_field
	 (range_min fi.jc_field_info_type)
	 (range_max fi.jc_field_info_type)
       in
       let range = make_range (LVar index_name) omin omax in
       let valid_impl = LImpl(range, body) in
       let forall = LForall(index_name, simple_logic_type "int", [], valid_impl) in
       forall::l, reads)
    ([], reads)
    (components st)
  in
  make_and_list l, reads

let pack_declaration st acc =
  let this = "this" in
  let pc = JCtag(st, []) in
  let ac = alloc_class_of_pointer_class pc in
  let this_type = pointer_type ac pc in
  let tag = "tag" in
  let tag_type = tag_id_type (struct_root st) in
  let mutable_name = mutable_name (JCtag(st, [])) in
  let inv, reads = invariant_for_struct (LVar this) st in
  let writes = StringSet.empty in
  let components_post, reads, writes = make_components_postcond (LVar this) st reads writes true in
  let components_pre, reads = make_components_precond (LVar this) st reads in
  let reads = StringSet.add mutable_name reads in
  let writes = StringSet.add mutable_name writes in
  let requires =
    make_and_list [
      (LPred(
	 "parenttag",
	 [ LVar tag;
	   LApp("select", [LVar mutable_name; LVar this]) ]));
      inv;
      components_pre
    ]
  in
  let ensures =
    make_and
      (LPred(
	 "eq",
	 [ LVar mutable_name;
	   LApp(
	     "store",
	     [ LDerefAtLabel(mutable_name, "");
	       LVar this;
	       LVar tag ])]))
      components_post
  in
  let annot_type =
    Annot_type(
      requires,
      Base_type (simple_logic_type "unit"),
      StringSet.elements reads,
      StringSet.elements writes,
      ensures,
      []
    )
  in
  if st.jc_struct_info_parent = None then
    Param(
      false,
      id_no_loc (pack_name st),
      Prod_type(
	this,
	Base_type this_type,
	Prod_type(
	  tag,
	  Base_type tag_type,
	  annot_type
	)
      )
    )::acc
  else
    acc

(* Unlike Boogie, Jessie has "unpack to S" instead of "unpack from T" *)
let unpack_declaration st acc =
  let this = "this" in
  let pc = JCtag(st, []) in
  let ac = alloc_class_of_pointer_class pc in
  let this_type = pointer_type ac pc in
  let tag = "tag" in
  let tag_type = tag_id_type (struct_root st) in
  let mutable_name = mutable_name (JCtag(st, [])) in
  let committed_name = committed_name (JCtag(st, [])) in
  let reads = StringSet.singleton mutable_name in
  let writes = StringSet.singleton mutable_name in
  let reads = StringSet.add committed_name reads in
  let components_post, reads, writes = make_components_postcond (LVar this) st reads writes false in
  let requires =
    (* unpack this as tag: requires parenttag(this.mutable, tag) and not this.committed *)
    make_and
      (LPred(
	 "parenttag",
	 [ LApp("select", [LVar mutable_name; LVar this]);
	   LVar tag ]))
      (LPred(
	 "eq",
	 [ LConst(Prim_bool false);
	   LApp("select", [LVar committed_name; LVar this]) ]))
  in
  let ensures =
    make_and
      (LPred(
	 "eq",
	 [ LDeref mutable_name;
	   LApp(
	     "store",
	     [ LDerefAtLabel(mutable_name, "");
	       LVar this;
	       LVar tag ])]))
      components_post
  in
  let annot_type =
    Annot_type(
      requires,
      Base_type (simple_logic_type "unit"),
      StringSet.elements reads,
      StringSet.elements writes,
      ensures,
      []
    )
  in
  if st.jc_struct_info_parent = None then
    Param(
      false,
      id_no_loc ("unpack_"^(root_name st)),
      Prod_type(
	this,
	Base_type this_type,
	Prod_type(
	  tag,
	  Base_type tag_type,
	  annot_type
	)
      )
    )::acc
  else
    acc

(*********************************************************************)
(*               Using a recursively-defined predicate               *)
(*********************************************************************)
(*let valid_inv_name st = st.jc_struct_info_name ^ "_inv"

let valid_inv_axiom_name st = st.jc_struct_info_name ^ "_inv_sem"

let rec struct_depends st acc mem =
  let name = st.jc_struct_info_name in
  if StringSet.mem name mem then acc, mem else
  let acc, mem = List.fold_left (fun (acc, mem) (_, fi) -> match fi.jc_field_info_type with
      | JCTpointer(st, _, _) -> struct_depends st acc mem
      | JCTnull -> assert false
      | JCTnative _ | JCTlogic _ | JCTrange _ -> acc, mem)
    (st::acc, StringSet.add name mem) st.jc_struct_info_fields
  in
  match st.jc_struct_info_parent with
    None -> acc, mem
  | Some pst -> struct_depends pst acc mem

let struct_depends =
  let table = Hashtbl.create 97 in fun st ->
  let name = st.jc_struct_info_name in
  try Hashtbl.find table name with Not_found ->
  let result = fst (struct_depends st [] StringSet.empty) in
  Hashtbl.add table name result;
  result

(* "this" is not returned in the list of parameters of valid_inv_params *)
let valid_inv_params st =
  let deps = struct_depends st in
  let memories = List.fold_left (fun acc st ->
    List.fold_left (fun acc (_, fi) ->
      (fi.jc_field_info_final_name, memory_field fi)::acc) acc st.jc_struct_info_fields)
    [] deps in
  let params = List.fold_left invariants_params memories deps in
  let params = List.sort (fun (name1, _) (name2, _) ->
    compare name2 name1) params in
  let rec only_one prev acc = function
    [] -> acc
  | ((name, _) as x)::tl ->
      if name = prev then only_one prev acc tl
      else only_one name (x::acc) tl in
  let params = only_one "" [] params in
    params

(* generate valid_inv predicate and its axiom *)
let tr_valid_inv st acc =
  let params = valid_inv_params st in

  (**** valid_inv predicate declaration ****)
  let valid_inv_type = simple_logic_type "prop" in
  let vi_this = "???",
    { logic_type_name = "pointer" ;
      logic_type_args = [simple_logic_type st.jc_struct_info_hroot] } in
  let logic = Logic(false, valid_inv_name st, vi_this::params,
    valid_inv_type) in
  let acc = logic::acc in

  (**** valid_inv_sem axiom ****)
  let this = "inv_this" in
  let this_var = LVar this in
  let this_ty =
    { logic_type_name = "pointer";
      logic_type_args = [simple_logic_type st.jc_struct_info_hroot] } in
  let fields_valid_inv = List.map (fun (_, fi) ->
    match fi.jc_field_info_type with
    | JCTpointer(st, _, _) ->
        let params = valid_inv_params st in
        let params_var = List.map (fun (name, _) -> LVar name) params in
        LPred(valid_inv_name st,
          LApp("select", [LVar fi.jc_field_info_final_name; this_var])::params_var)
    | JCTnull -> assert false
    | JCTnative _
    | JCTlogic _
    | JCTrange _ -> LTrue) st.jc_struct_info_fields in
  let params_var = List.map (fun (name, _) -> LVar name) params in
  let sem = LIff(LPred(valid_inv_name st, this_var::params_var),
    LImpl(LPred("neq", [LVar this; LVar "null"]),
      make_and (make_and_list fields_valid_inv) (invariant_for_struct this_var st))) in
  (* parent invariant *)
  let sem = match st.jc_struct_info_parent with
    None -> sem
  | Some pst ->
      let parent_params = valid_inv_params pst in
      let parent_params_var = List.map (fun (name, _) -> LVar name) parent_params in
      make_and sem (LPred(valid_inv_name pst, this_var::parent_params_var))
  in
  (* quantifiers *)
  let sem = List.fold_left (fun acc (id, ty) ->
    LForall(id, ty, acc)) sem ((this, this_ty)::params) in
  Axiom(valid_inv_axiom_name st, sem)::acc*)

let rec invariant_for_struct ?pos this si =
  let _, invs = 
    StringHashtblIter.find Jc_typing.structs_table si.jc_struct_info_name 
  in
  let invs = Assertion.mkand ?pos
    ~conjuncts:(List.map 
		  (fun (li, _) -> 
		     let a = { jc_app_fun = li;
			       jc_app_args = [this];
			       jc_app_label_assoc = [];
			       jc_app_region_assoc = [] }
		     in
		       new assertion ?pos (JCAapp a)) invs) 
    ()
  in
    match si.jc_struct_info_parent with
      | None -> invs
      | Some(si, _) -> (* add invariants from the type hierarchy *)
	  let this =
	    match this#typ with
	      | JCTpointer (_, a, b) ->
		  new term_with ~typ:(JCTpointer (JCtag(si, []), a, b)) this
	      | _ -> assert false (* never happen *)
	  in
	    Assertion.mkand ?pos
	      ~conjuncts:[invs; (invariant_for_struct ?pos this si)]
	      ()
	      
let code_function (fi, pos, fs, _sl) vil =
  begin
    match !Jc_common_options.inv_sem with
      | InvArguments ->  (* apply arguments invariant policy *)
	  (* Calculate global invariants. *)
	  let _vitl = 
	    List.map 
	      (fun vi -> Term.mkvar ~var:vi ()) vil 
	  in
	  let global_invariants =
	    IntHashtblIter.fold
	      (fun _ (li, _) acc -> 
		 (* li.jc_logic_info_parameters <- vil; *)
		 let a = { jc_app_fun = li;
			   jc_app_args = (* vitl *)[];
			   jc_app_label_assoc = [];
			   jc_app_region_assoc = [] }
		 in
		 (new assertion ~mark:(Jc_pervasives.new_label_name ())
		    ~pos (JCAapp a)) :: acc)
	      Jc_typing.global_invariants_table []
	  in
	  let global_invariants = 
	    Assertion.mkand ~pos ~conjuncts:global_invariants ()
	  in
	  (* Calculate invariants for each parameter. *)
	  let pre_invariants,post_invariants =
	    List.fold_left
	      (fun (acc1,acc2) (valid,vi) ->
		 match vi.jc_var_info_type with
		   | JCTpointer (JCtag (st, []), _, _) ->
		       let inv = 
			 invariant_for_struct ~pos
			   (Term.mkvar ~var:vi ()) st
		       in
		       ((if valid then
			   Assertion.mkand ~pos
			     ~conjuncts: [acc1; inv] ()
			 else acc1),
			Assertion.mkand ~pos
			  ~conjuncts: [acc2; inv] ())
		   | _ -> (acc1,acc2))
	      (global_invariants,global_invariants)
	      fi.jc_fun_info_parameters
	  in
	  (* add invariants to the function precondition *)
	  fs.jc_fun_requires <- 
	    Assertion.mkand ~pos 
	    ~conjuncts:[fs.jc_fun_requires; pre_invariants] ();
	  (* add invariants to the function postcondition *)
	  if is_purely_exceptional_fun fs then () else
	    let safety_exists = ref false in
	    let post = post_invariants in
	    List.iter
	      (fun (_, s, b) ->
		 if s = "safety" then safety_exists := true;
		 b.jc_behavior_ensures <- 
		   Assertion.mkand ~pos ~conjuncts:[b.jc_behavior_ensures; post] ())
	      fs.jc_fun_behavior;
	    (* add the 'safety' spec if it does not exist 
	       (it could exist e.g. from Krakatoa) *)
	    if not !safety_exists then
	      if Jc_options.verify_invariants_only then
		let invariants_b = { default_behavior with jc_behavior_ensures = post } in
		fs.jc_fun_behavior <- 
		  (Loc.dummy_position, "invariants", invariants_b) :: fs.jc_fun_behavior;
	      else
		let safety_b = { default_behavior with jc_behavior_ensures = post } in
		fs.jc_fun_behavior <- 
		  (Loc.dummy_position, "safety", safety_b) :: fs.jc_fun_behavior;
      | _ -> ()
  end;


(*
Local Variables: 
compile-command: "unset LANG; make -C .. bin/jessie.byte"
End: 
*)
why-2.39/jc/jc_control_flow.ml0000644000106100004300000001070713147234006015347 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)


(* control-flow graph *)

open Jc_ast

type node_info =
    | Statement of expr
    | FunctionExit

type node =
    {
      node_label : int;
      node_statement : node_info;
    }


module NodeComp =
struct
  type t = node
  let compare n1 n2 = Pervasives.compare n1.node_label n2.node_label 
  let hash n = n.node_label
  let equal n1 n2 = n1.node_label = n2.node_label
end

module EdgeOrd =
struct
  type t = Forward | BackEdge
  let compare = Pervasives.compare
  let default = Forward
end

module G = 
  Graph.Imperative.Digraph.ConcreteLabeled(NodeComp)(EdgeOrd)

let node_counter = ref 0

let new_node_gen s =
  incr node_counter;
  { node_label = !node_counter; 
    node_statement = s }

let new_node s = new_node_gen (Statement s)

let rec statement g fun_exit_node s =
  match s.jc_statement_node with
    | JCSreturn_void
    | JCSreturn _ -> 
	let n = new_node s in
	G.add_vertex g n;
	G.add_edge g n fun_exit_node;
	n,[]
    | JCSif (e, s1, s2) ->
	let n = new_node s in
	G.add_vertex g n;
	let entry1,exits1 = statement g fun_exit_node s1 in
	let entry2,exits2 = statement g fun_exit_node s2 in
	G.add_edge g n entry1;
	G.add_edge g n entry2;
	n,exits1@exits2
    | JCSloop (inv, s1) ->
	let n = new_node s in
	G.add_vertex g n;
	let entry1,exits1 = statement g fun_exit_node s1 in
	List.iter (fun v -> G.add_edge g v n) exits1;
	n,[n]	
    | JCSmatch(e, psl) ->
	assert false (* TODO *)
    | JCSassign_heap (_, _, _)
    | JCSassign_var (_, _)
    | JCScall (_, _, _)
    | JCSunpack (_, _, _)
    | JCSpack (_, _, _)
    | JCSthrow (_, _)
    | JCSlabel _
    | JCStry (_, _, _)
    | JCSdecl (_, _, _)
    | JCSassert _
    | JCSblock _ -> assert false

and statement_list g fun_exit_node l =
  match l with
    | [] -> assert false
    | [s] -> statement g fun_exit_node s 
    | s::r ->
	let entry,exits = statement g fun_exit_node s in
	let entry',exits' = statement_list g fun_exit_node r in
	List.iter (fun v -> G.add_edge g v entry') exits;
	entry,exits'
	  
	
let make l =
  let g = G.create () in
  let fun_exit_node = new_node_gen FunctionExit in 
  let entry_node,exits = statement_list g fun_exit_node l in
  List.iter (fun v -> G.add_edge g v fun_exit_node) exits;
  g,entry_node,fun_exit_node


  
(*
Local Variables: 
compile-command: "LC_ALL=C make -C .. bin/jessie.byte"
End: 
*)
why-2.39/jc/jc_stdlib_ge312.ml0000644000106100004300000001645713147234006015032 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



module List = struct
  include List

  let cons e l = e::l

  let as_singleton = function
    | [e] -> e
    | _ -> failwith "as_singleton"

  let mem_assoc_eq f k l =
    fold_left (fun v_opt (k',v') ->
		 match v_opt with
		   | None ->
		       if f k k' then Some v' else None
		   | Some v -> Some v
	      ) None l

  let all_pairs l =
    let rec aux acc = function
      | e :: l ->
	  let acc = fold_left (fun acc e' -> (e,e') :: acc) acc l in
	  aux acc l
      | [] -> acc
    in
    aux [] l

  let map_fold f acc l =
    let (rev,acc) = List.fold_left
      (fun (rev,acc) e -> let (e,acc) = (f acc e) in (e::rev,acc))
      ([],acc) l in
    (List.rev rev,acc)

  let fold_all_part f acc =
    let rec aux acc part = function
    | [] -> f acc part
    | a::l -> aux (aux acc (a::part) l) part l in
    aux acc []

end

module Set = struct

  module type OrderedType = Set.OrderedType

  module type S = sig
    include Set.S
    val of_list: elt list -> t
    val to_list: t -> elt list
  end

  module Make(Ord : OrderedType) : S with type elt = Ord.t = struct
    include Set.Make(Ord)

    let of_list ls =
      List.fold_left (fun s e -> add e s) empty ls

    let to_list s =
      fold (fun e acc -> e :: acc) s []

  end
end

module Map = struct

  module type OrderedType = Map.OrderedType

  module type S = sig
    include Map.S
    val elements: 'a t -> (key * 'a) list
    val keys: 'a t -> key list
    val values: 'a t -> 'a list
    val to_list: 'a t -> (key * 'a) list
    val find_or_default: key -> 'a -> 'a t -> 'a
    val find_or_none: key -> 'a t -> 'a option
    val merge: ('a -> 'a -> 'a) -> 'a t -> 'a t -> 'a t
    val add_merge: ('a -> 'a -> 'a) -> key -> 'a -> 'a t -> 'a t
    val diff_merge: ('a -> 'a -> 'a) -> ('a -> bool) -> 'a t -> 'a t -> 'a t
    val inter_merge: ('a -> 'a -> 'a) -> ('a -> bool) -> 'a t -> 'a t -> 'a t
    val inter_merge_option: ('a -> 'b -> 'c option) -> 'a t -> 'b t -> 'c t
  end

  module Make(Ord : OrderedType) : S with type key = Ord.t = struct
    include Map.Make(Ord)

    let elements m =
      fold (fun k v acc -> (k,v) :: acc) m []

    let keys m =
      fold (fun k _v acc -> k :: acc) m []

    let values m =
      fold (fun _k v acc -> v :: acc) m []

    let to_list m =
      fold (fun k v acc -> (k,v) :: acc) m []

    let find_or_default k v m =
      try find k m with Not_found -> v

    let find_or_none k m =
      try Some(find k m) with Not_found -> None

    let merge f m1 m2 =
      fold (fun k v1 m ->
	      try
		let v2 = find k m2 in
		add k (f v1 v2) m
	      with Not_found ->
		add k v1 m
	   ) m1 m2

    let add_merge f k v m =
      let v =
	try f v (find k m)
	with Not_found -> v
      in
      add k v m

    let diff_merge f g m1 m2 =
      fold (fun k v1 m ->
	      try
		let v2 = find k m2 in
		let v = f v1 v2 in
		if g v then m else add k v m
	      with Not_found ->
		add k v1 m
	   ) m1 empty

    let inter_merge f g m1 m2 =
      fold (fun k v1 m ->
	      try
		let v2 = find k m2 in
		let v = f v1 v2 in
		if g v then m else add k v m
	      with Not_found -> m
	   ) m1 empty

    let inter_merge_option f m1 m2 =
      fold (fun k v1 m ->
	      try
		let v2 = find k m2 in
		match f v1 v2 with
                  | Some v -> add k v m
                  | None -> m
	      with Not_found -> m
	   ) m1 empty

  end
end

module StdHashtbl = Hashtbl

module Hashtbl = struct

  module type HashedType = Hashtbl.HashedType

  module type S = sig
    include Hashtbl.S
    val keys: 'a t -> key list
    val values: 'a t -> 'a list
    val choose: 'a t -> (key * 'a) option
    val remove_all : 'a t -> key -> unit
    val is_empty : 'a t -> bool
  end

  module type Std = sig
    type ('a, 'b) t
    val create : int -> ('a, 'b) t
    val clear : ('a, 'b) t -> unit
    val add : ('a, 'b) t -> 'a -> 'b -> unit
    val copy : ('a, 'b) t -> ('a, 'b) t
    val find : ('a, 'b) t -> 'a -> 'b
    val find_all : ('a, 'b) t -> 'a -> 'b list
    val mem : ('a, 'b) t -> 'a -> bool
    val remove : ('a, 'b) t -> 'a -> unit
    val replace : ('a, 'b) t -> 'a -> 'b -> unit
    val iter : ('a -> 'b -> unit) -> ('a, 'b) t -> unit
    val fold : ('a -> 'b -> 'c -> 'c) -> ('a, 'b) t -> 'c -> 'c
    val length : ('a, 'b) t -> int
    val hash : 'a -> int
    val hash_param : int -> int -> 'a -> int
  end

  include (Hashtbl : Std)

  module Make(H : HashedType) : S with type key = H.t = struct
    include Hashtbl.Make(H)

    let keys t =
      fold (fun k _v acc -> k :: acc) t []

    let values t =
      fold (fun _k v acc -> v :: acc) t []

    let choose t =
      let p = ref None in
      begin try
	iter (fun k v -> p := Some(k,v); failwith "Hashtbl.choose") t
      with Failure "Hashtbl.choose" -> () end;
      !p

    let remove_all t p =
      List.iter (fun _ -> remove t p) (find_all t p)

    let is_empty t =
      try
        iter (fun _ _ ->  raise Not_found) t;
        true
      with Not_found -> false
  end

  let remove_all t p =
    List.iter (fun _ -> remove t p) (find_all t p)

  let is_empty t =
    try
      iter (fun _ _ ->  raise Not_found) t;
      true
    with Not_found -> false

end

(*
Local Variables:
compile-command: "LC_ALL=C make -j -C .. bin/jessie.byte"
End:
*)
why-2.39/jc/jc_callgraph.mli0000644000106100004300000000572313147234006014750 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

val compute_logic_calls : 
  Jc_fenv.logic_info -> Jc_fenv.term_or_assertion -> unit
(** (compute_logic_calls f t) adds to the set of known calls of logic function 
    f the logic calls that occur in t
*)

val compute_calls : 
  Jc_fenv.fun_info -> Jc_fenv.fun_spec -> Jc_constructors.expr -> unit
(** (compute_calls f spec body) adds to the set of known calls of
     program f the logic calls that occur in spec and the program
     calls that occur in body
*)

val compute_logic_components :   
  (Jc_fenv.logic_info * Jc_fenv.term_or_assertion)
  Jc_pervasives.IntHashtblIter.t 
  -> Jc_fenv.logic_info list array

val compute_components :   
  (Jc_fenv.fun_info * Loc.position * Jc_fenv.fun_spec * Jc_fenv.expr option) 
  Jc_pervasives.IntHashtblIter.t 
  -> Jc_fenv.fun_info list array
why-2.39/jc/jc_annot_fail.ml0000644000106100004300000000454213147234006014752 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

let fail _ = failwith "Not compiled with --enable-apron."

let normalize_expr = fail

let code_function = fail

let main_function = fail

(*
let is_recursive = fail
*)
why-2.39/jc/jc_common_options.mli0000644000106100004300000000466713147234006016064 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(*s command-line options *)

open Jc_env

val debug : bool ref
val verbose : bool ref
val werror : bool ref

val inv_sem: inv_sem ref
val separation_sem : separation_sem ref

(*
Local Variables: 
compile-command: "make -C .. bin/jessie.byte"
End: 
*)
why-2.39/jc/jc_separation.ml0000644000106100004300000003353213147234006015006 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



open Jc_stdlib
open Jc_env
open Jc_envset
open Jc_region
open Jc_ast
open Jc_fenv

open Jc_constructors
open Jc_pervasives
(*
open Jc_iterators
*)

open Pp

let current_logic_component = ref None
let set_current_logic_component comp = current_logic_component := Some comp
let reset_current_logic_component () = current_logic_component := None
let in_current_logic_component f1 =
  match !current_logic_component with
    | None -> false
    | Some comp ->
	List.exists
	  (fun f2 -> f1.jc_logic_info_tag == f2.jc_logic_info_tag) comp

let current_component = ref None
let set_current_component comp = current_component := Some comp
let reset_current_component () = current_component := None
let in_current_component f1 =
  match !current_component with
    | None -> false
    | Some comp ->
	List.exists
	  (fun f2 -> f1.jc_fun_info_tag == f2.jc_fun_info_tag) comp

let single_term rresult t =
  match t#node with
       | JCTvar vi ->
	   if vi.jc_var_info_name = "\\result" then
	     Region.unify rresult vi.jc_var_info_region
       | JCTbinary(t1,(_,`Pointer),t2) | JCTif(_,t1,t2) ->
	   Region.unify t1#region t2#region
       | JCTmatch(_, (_, t1)::rem) ->
	   List.iter
	     (fun (_, t2) -> Region.unify t1#region t2#region)
	     rem
       | JCTmatch(_, []) ->
	   ()
       | JCTlet _ -> ()
       | JCTapp app ->
	   let li = app.jc_app_fun in
	   let param_regions,result_region =
	     if in_current_logic_component li then
	       (* No generalization here, plain unification *)
	       List.map (fun vi -> vi.jc_var_info_region)
		 li.jc_logic_info_parameters,
	     li.jc_logic_info_result_region
	     else
	       (* Apply generalization before unification *)
	       let regions = li.jc_logic_info_param_regions in
	       let assoc = RegionList.duplicate regions in
	       app.jc_app_region_assoc <- assoc;
	       let param_regions =
		 List.map
                   (fun vi ->
		      if is_dummy_region vi.jc_var_info_region then dummy_region else
			try RegionList.assoc vi.jc_var_info_region assoc
			with Not_found ->
                   	  Jc_options.jc_error t#pos "Unable to complete region analysis, aborting. Consider using #pragma SeparationPolicy(none)";
)
		   li.jc_logic_info_parameters
	       in
	       let result_region =
		 try RegionList.assoc li.jc_logic_info_result_region assoc
		 with Not_found -> assert false
	       in
	       param_regions,result_region
	   in
	   let arg_regions =
	     List.map (fun t -> t#region) app.jc_app_args
	   in
	   Jc_options.lprintf "param:%a@." (print_list comma Region.print) param_regions;
	   Jc_options.lprintf "arg:%a@." (print_list comma Region.print) arg_regions;
	   List.iter2 Region.unify param_regions arg_regions;
	   Jc_options.lprintf "param:%a@." Region.print result_region;
	   Jc_options.lprintf "arg:%a@." Region.print t#region;
	   Region.unify result_region t#region
       | JCTconst _ | JCTrange(None,None) | JCTbinary _ | JCTshift _
       | JCTrange _ | JCTunary _ | JCTderef _ | JCTold _ | JCTat _
       | JCToffset _ | JCTbase_block _
       | JCTaddress _ | JCTinstanceof _ | JCTcast _ | JCTbitwise_cast _
       | JCTrange_cast _ | JCTreal_cast _ ->
	   ()

let term rresult t = Jc_iterators.iter_term (single_term rresult) t

let single_assertion _rresult a =
  match a#node with
    | JCArelation(t1,(_,`Pointer),t2) ->
	Region.unify t1#region t2#region
    | JCArelation _ -> ()
    | JCAapp app ->
	let li = app.jc_app_fun in
	let param_regions =
	  if in_current_logic_component li then
	    (* No generalization here, plain unification *)
	    List.map (fun vi -> vi.jc_var_info_region)
	      li.jc_logic_info_parameters
	  else
	    (* Apply generalization before unification *)
	    let regions = li.jc_logic_info_param_regions in
	    let assoc = RegionList.duplicate regions in
	    app.jc_app_region_assoc <- assoc;
	    List.map (fun vi ->
			if is_dummy_region vi.jc_var_info_region then dummy_region else
			  try RegionList.assoc vi.jc_var_info_region assoc
			  with Not_found -> assert false)
	      li.jc_logic_info_parameters
	in
	let arg_regions =
	  List.map (fun t -> t#region) app.jc_app_args
	in
	Jc_options.lprintf "param:%a@." (print_list comma Region.print) param_regions;
	Jc_options.lprintf "arg:%a@." (print_list comma Region.print) arg_regions;
	List.iter2 Region.unify param_regions arg_regions
    | JCAtrue | JCAfalse | JCAeqtype _
    | JCAinstanceof _ | JCAbool_term _ | JCAmutable _ | JCAfresh _
    | JCAand _ | JCAor _ | JCAimplies _ | JCAiff _ | JCAif _
    | JCAlet _ | JCAmatch _
    | JCAnot _ | JCAquantifier _ | JCAold _ | JCAat _ | JCAsubtype _ ->
	()

let assertion rresult a =
  Jc_iterators.iter_term_and_assertion
    (single_term rresult) (single_assertion rresult) a

let single_location = ignore

let single_location_set = ignore

let location rresult loc =
  Jc_iterators.iter_location
    (single_term rresult) single_location single_location_set loc

let single_expr rresult e =
  match e#node with
       | JCEbinary(e1,_,e2) | JCEif(_,e1,e2) ->
	   Region.unify e1#region e2#region
       | JCEmatch(_, (_, e1)::rem) ->
	   List.iter
	     (fun (_, e2) -> Region.unify e1#region e2#region)
	     rem
       | JCEmatch(_, []) ->
	   ()
       | JCEconst _ | JCEvar _ | JCEshift _ | JCEunary _
       | JCEderef _ | JCEoffset _ | JCEaddress _ | JCEinstanceof _ | JCEcast _
       | JCEbitwise_cast _ | JCEbase_block _ | JCEfresh _
       | JCErange_cast _ | JCEreal_cast _ | JCEalloc _ | JCEfree _
       | JCElet(_,None,_) ->
	   ()
       | JCElet(vi,Some e,_) | JCEassign_var(vi,e) ->
	   Region.unify vi.jc_var_info_region e#region
    | JCEassign_heap(e1,fi,e2) ->
	let fr = Region.make_field e1#region fi in
	Region.unify fr e2#region
    | JCEthrow(ei,_) ->
	begin match ei.jc_exception_info_type with None -> () | Some ty ->
	  assert(not(is_pointer_type ty)) (* TODO *)
	end
    | JCEapp call ->
(*	let f = call.jc_call_fun in*)
	let in_current_comp = match call.jc_call_fun with
	  | JClogic_fun _f -> false
	  | JCfun f -> in_current_component f
	in
	let params = match call.jc_call_fun with
	  | JClogic_fun f -> f.jc_logic_info_parameters
	  | JCfun f -> List.map snd f.jc_fun_info_parameters
	in
	let rregion = match call.jc_call_fun with
	  | JClogic_fun f -> f.jc_logic_info_result_region
	  | JCfun f -> f.jc_fun_info_return_region
	in
	let param_regions,result_region =
	  if in_current_comp then
	    (* No generalization here, plain unification *)
	    List.map (fun vi -> vi.jc_var_info_region) params,
	    rregion
	  else
	    (* Apply generalization before unification *)
	    let regions = match call.jc_call_fun with
	      | JClogic_fun f -> f.jc_logic_info_param_regions
	      | JCfun f -> f.jc_fun_info_param_regions
	    in
	    let assoc = RegionList.duplicate regions in
	    call.jc_call_region_assoc <- assoc;
	    let param_regions =
	      List.map (fun vi ->
			  if is_dummy_region vi.jc_var_info_region then dummy_region else
			    try RegionList.assoc vi.jc_var_info_region assoc
			    with Not_found -> assert false)
		params
	    in
	    let result_region =
	      if is_dummy_region rregion then dummy_region
	      else
		try RegionList.assoc rregion assoc
		with Not_found -> assert false
	    in
	    param_regions,result_region
	in
	let arg_regions =
	  List.map (fun e -> e#region) call.jc_call_args
	in
	Jc_options.lprintf "param:%a@." (print_list comma Region.print) param_regions;
	Jc_options.lprintf "arg:%a@." (print_list comma Region.print) arg_regions;
	List.iter2 Region.unify param_regions arg_regions;
	Jc_options.lprintf "param:%a@." Region.print result_region;
	Jc_options.lprintf "arg:%a@." Region.print e#region;
	if e#typ = unit_type then
	  () (* Result of call discarded *)
	else Region.unify result_region e#region
    | JCEreturn(_ty,e) ->
	Region.unify rresult e#region
    | JCEassert(_behav,_asrt,a) ->
	assertion rresult a
    | JCEcontract(req,dec,_vi_result,_behs,_e) ->
        (* TODO: decreases, behaviors, etc. *)
        assert (dec = None);
	Option_misc.iter (assertion rresult) req

    | JCEloop(_la,_) -> ()
    | JCEblock _ | JCEtry _
    | JCEreturn_void | JCEpack _ | JCEunpack _ ->
	()

let expr rresult e =
  Jc_iterators.iter_expr_and_term_and_assertion
    (single_term rresult)
    (single_assertion rresult) single_location single_location_set
    (single_expr rresult) e

(* let location rresult loc = *)
(*   fold_location  *)
(*     (fold_unit (term rresult)) (fold_unit ignore) (fold_unit ignore) () loc *)

let axiomatic_decl d =
  match d with
    | Jc_typing.ABaxiom(_,_,_,a) -> assertion dummy_region a

let axiomatic a =
  try
    let l = StringHashtblIter.find Jc_typing.axiomatics_table a in
    List.iter axiomatic_decl l.Jc_typing.axiomatics_decls
  with Not_found -> assert false

let logic_function f =
  let (f, ta) =
    IntHashtblIter.find Jc_typing.logic_functions_table f.jc_logic_info_tag
  in
  let rresult = f.jc_logic_info_result_region in
  begin match ta with
    | JCNone -> ()
    | JCTerm t ->
	begin
	  term rresult t;
	  Region.unify rresult t#region
	end
    | JCAssertion a -> assertion rresult a
    | JCReads r -> List.iter (location rresult) r
    | JCInductive l ->
	List.iter (fun (_,_,a) -> assertion rresult a) l
  end;
  Option_misc.iter axiomatic f.jc_logic_info_axiomatic

let generalize_logic_function f =
  let param_regions =
    List.map (fun vi -> vi.jc_var_info_region) f.jc_logic_info_parameters in
  let fun_regions = f.jc_logic_info_result_region :: param_regions in
  f.jc_logic_info_param_regions <- RegionList.reachable fun_regions

let logic_component fls =
  (* Perform plain unification on component *)
  set_current_logic_component fls;
  List.iter logic_function fls;
  reset_current_logic_component ();
  (* Generalize regions accessed *)
  List.iter generalize_logic_function fls;
  (* Fill in association table at each call site *)
  List.iter logic_function fls

let funspec rresult spec =
  Jc_iterators.iter_funspec
    (single_term rresult) (single_assertion rresult) single_location
    single_location_set spec

let code_function f =
  let (f, _, spec, body) =
    IntHashtblIter.find Jc_typing.functions_table f.jc_fun_info_tag
  in
  Jc_options.lprintf "Separation: treating function %s@." f.jc_fun_info_name;
  let rresult = f.jc_fun_info_return_region in
  funspec rresult spec;
  Option_misc.iter (expr rresult) body

let generalize_code_function f =
  let param_regions =
    List.map (fun (_,vi) -> vi.jc_var_info_region) f.jc_fun_info_parameters in
  let fun_regions = f.jc_fun_info_return_region :: param_regions in
  f.jc_fun_info_param_regions <- RegionList.reachable fun_regions

let code_component fls =
  (* Perform plain unification on component *)
  set_current_component fls;
  List.iter code_function fls;
  reset_current_component ();
  (* Generalize regions accessed *)
  List.iter generalize_code_function fls;
  (* Fill in association table at each call site *)
  List.iter code_function fls

let axiom _id (_loc,_is_axiom,_,_labels,a) = assertion (* labels *) dummy_region a

let regionalize_assertion a assoc =
  Jc_iterators.map_term_in_assertion (fun t ->
    let t = match t#node with
      | JCTapp app ->
	  let app_assoc =
	    List.map (fun (rdist,rloc) ->
	      try (rdist,RegionList.assoc rloc assoc) with Not_found -> (rdist,rloc)
	    ) app.jc_app_region_assoc
	  in
	  let tnode = JCTapp { app with jc_app_region_assoc = app_assoc; } in
	  new term_with ~node:tnode t
      | JCTconst _ | JCTvar _ | JCTshift _
      | JCTderef _ | JCTbinary _ | JCTunary _ | JCTold _ | JCTat _ | JCToffset _
      | JCTaddress _ | JCTbase_block _
      | JCTinstanceof _ | JCTcast _ | JCTbitwise_cast _ | JCTrange_cast _ | JCTreal_cast _ | JCTif _ | JCTmatch _ | JCTrange _ | JCTlet _ -> t

    in
    try new term_with ~region:(RegionList.assoc t#region assoc) t
    with Not_found -> t
  ) a

(*
Local Variables:
compile-command: "LC_ALL=C make -j -C .. bin/jessie.byte"
End:
*)
why-2.39/jc/jc_interp_misc.mli0000644000106100004300000003370413147234006015327 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(** {1 Preliminaries} *)

val find_struct : string -> Jc_env.struct_info


type forall_or_let = 
  | JCforall of string * Output.logic_type
  | JClet of string * Output.term

val logic_int_of_enum : Jc_env.enum_info -> string
val logic_enum_of_int : Jc_env.enum_info -> string
val safe_fun_enum_of_int : Jc_env.enum_info -> string
val fun_enum_of_int : Jc_env.enum_info -> string

val logic_enum_of_bitvector : Jc_env.enum_info -> string
val logic_bitvector_of_enum : Jc_env.enum_info -> string

val mod_of_enum : Jc_env.enum_info -> string

val fun_any_enum : Jc_env.enum_info -> string

val logic_real_of_bitvector : string
val logic_integer_of_bitvector : string
val logic_bitvector_of_integer : string

val logic_bitvector_of_variant : Jc_env.root_info -> string
val logic_variant_of_bitvector : Jc_env.root_info -> string





(** {1 Environment} *)

val safety_checking : unit -> bool

val variant_checking : unit -> bool

val in_current_behavior : < name : string; .. > list -> bool

val in_default_behavior : < name : string; .. > list -> bool

val is_current_behavior : string -> bool

val set_current_behavior : string -> unit

val reset_current_behavior : unit -> unit

val get_current_spec : unit -> Jc_fenv.fun_spec

val set_current_spec : Jc_fenv.fun_spec -> unit

val reset_current_spec : unit -> unit

(*
val get_current_fun : unit -> Jc_fenv.fun_info

val set_current_fun : Jc_fenv.fun_info -> unit

val reset_current_fun : unit -> unit
  *)
val fresh_loop_label : unit -> Jc_env.label_info




(** {1 helpers for Output module} *)

val make_subtag : Output.term -> Output.term -> Output.assertion

val make_eq : Output.term -> Output.term -> Output.assertion
(** builds eq(t1,t2) *)

val make_select: Output.term -> Output.term -> Output.term
(** builds select(t1,t2) *)

val make_or_term : Output.term -> Output.term -> Output.term

val make_and_term : Output.term -> Output.term -> Output.term

val make_not_term : Output.term -> Output.term

val make_eq_term : Jc_env.jc_type -> Output.term -> Output.term -> Output.term

val make_eq_pred : Jc_env.jc_type -> Output.term -> Output.term -> Output.assertion


val make_if_term : Output.term -> Output.term -> Output.term -> Output.term



(** {1 Types} *)

val why_unit_type : Output.logic_type
val why_integer_type : Output.logic_type

val tr_base_type : ?region:Jc_region.RegionTable.key ->
           Jc_env.jc_type -> Output.logic_type

val tr_var_base_type : Jc_env.var_info -> Output.logic_type

val tr_var_type : Jc_env.var_info -> Output.why_type

val raw_pset_type : Output.logic_type -> Output.logic_type

val raw_memory_type : 
  Output.logic_type -> Output.logic_type -> Output.logic_type

val memory_type : Jc_env.mem_class -> Output.logic_type

val is_memory_type : Output.logic_type -> bool

val tmemory_param : label_in_name:bool ->
           Jc_env.label ->
           Jc_envset.MemClass.t * Jc_region.RegionTable.key ->
           string * Output.term * Output.logic_type

val deconstruct_memory_type_args : Output.logic_type -> Output.logic_type * Output.logic_type

val pointer_class_model_type : Jc_env.pointer_class -> Output.logic_type

val tag_id_type : Jc_env.root_info -> Output.logic_type

val tag_table_type : Jc_env.root_info -> Output.logic_type

val raw_alloc_table_type : Output.logic_type -> Output.logic_type

val alloc_table_type : Jc_env.alloc_class -> Output.logic_type

val is_alloc_table_type : Output.logic_type -> bool




(**  {1 Variables} *)





(** {1 others} *)

(* horror... *)
val ref_term : 
  (?subst:(Output.term Jc_envset.VarMap.t) -> 
    type_safe:bool ->
    global_assertion:bool ->
    relocate:bool ->
    Jc_env.label -> Jc_env.label -> Jc_fenv.term -> Output.term)
  ref

val any_value : Jc_env.region -> Jc_env.jc_type -> Output.expr

val eq_of_enum : Jc_env.enum_info -> string

val make_valid_pred : in_param:bool -> equal:bool ->
           ?left:bool ->
           ?right:bool ->
           Jc_env.alloc_class -> Jc_env.pointer_class -> Output.why_decl

val make_valid_pred_app : in_param:bool -> equal:bool ->
           Jc_env.alloc_class * Jc_region.RegionTable.key ->
           Jc_env.pointer_class ->
           Output.term ->
           Output.term option -> Output.term option -> Output.assertion

val make_alloc_param : check_size:bool ->
           Jc_env.alloc_class -> Jc_env.pointer_class -> Output.why_decl

val make_conversion_params : Jc_env.pointer_class -> Output.why_decl list

val param : type_safe:bool -> Jc_env.var_info -> string * Output.logic_type

val tparam : label_in_name:bool ->
           Jc_env.label ->
           Jc_env.var_info -> string * Output.term * Output.logic_type

val tmodel_parameters : label_in_name:bool ->
           ?region_assoc:(Jc_region.RegionTable.key *
                          Jc_region.RegionTable.key)
                         list ->
           ?label_assoc:(Jc_envset.LogicLabelSet.elt *
                         Jc_envset.LogicLabelSet.elt)
                        list ->
           Jc_fenv.effect -> (string * Output.term * Output.logic_type) list

val tmemory_detailed_params : label_in_name:bool ->
           ?region_assoc:(Jc_region.RegionTable.key *
                          Jc_region.RegionTable.key)
                         list ->
           ?label_assoc:(Jc_envset.LogicLabelSet.elt *
                         Jc_envset.LogicLabelSet.elt)
                        list ->
           Jc_fenv.effect ->
           ((Jc_envset.MemClass.t * Jc_region.InternalRegion.t) *
            (string * Output.term * Output.logic_type))
           list

val tag_table_var : Jc_envset.VariantOrd.t * Jc_region.RegionTable.key -> Output.expr

val tvar : label_in_name:bool ->
           Jc_env.label -> Jc_env.var_info -> Output.term

val var: Jc_env.var_info -> Output.expr

val plain_var : string -> Output.expr

val ttag_table_var : label_in_name:bool ->
           Jc_env.label ->
           Jc_envset.VariantOrd.t * Jc_region.RegionTable.key -> Output.term

val talloc_table_var : label_in_name:bool ->
  Jc_env.label ->
  Jc_envset.AllocClass.t * Jc_region.RegionTable.key -> 
  bool * Output.term

val tmemory_var : label_in_name:bool ->
           Jc_env.label ->
           Jc_envset.MemClass.t * Jc_region.RegionTable.key -> Output.term

val lvar : constant:bool ->
           label_in_name:bool -> Jc_env.label -> string -> Output.term

val plain_memory_var : Jc_env.mem_class * Jc_region.RegionTable.key -> Output.expr

val memory_var : ?test_current_function:bool ->
           Jc_envset.MemClass.t * Jc_region.RegionTable.key -> Output.expr

val alloc_table_var : ?test_current_function:bool ->
           Jc_envset.AllocClass.t * Jc_region.RegionTable.key -> Output.expr

val plain_alloc_table_var : Jc_env.alloc_class * Jc_region.RegionTable.key -> Output.expr

val alloc_arguments : Jc_env.alloc_class * Jc_region.RegionTable.key ->
           Jc_env.pointer_class -> Output.expr list

val plain_tag_table_var : Jc_env.root_info * Jc_region.RegionTable.key -> Output.expr

val make_arguments : callee_reads:Jc_fenv.effect ->
           callee_writes:Jc_fenv.effect ->
           region_assoc:(Jc_region.RegionTable.key *
                         Jc_region.RegionTable.key)
                        list ->
           param_assoc:(Jc_envset.VarOrd.t * ('a, 'b) Jc_ast.expr) list ->
           with_globals:bool ->
           with_body:bool ->
           string ->
           Output.expr list ->
           Output.assertion * string *
           (Jc_envset.StringSet.elt * Output.logic_type) list * Output.expr *
           Output.expr * Output.expr list

val define_locals : ?reads:(string * Output.logic_type) list ->
           ?writes:(string * Output.logic_type) list ->
           Output.expr -> Output.expr




val talloc_table_params : label_in_name:bool ->
           ?region_assoc:(Jc_region.RegionTable.key *
                          Jc_region.RegionTable.key)
                         list ->
           ?label_assoc:(Jc_envset.LogicLabelSet.elt *
                         Jc_envset.LogicLabelSet.elt)
                        list ->
           Jc_fenv.effect -> (string * Output.term * Output.logic_type) list

val root_model_type : Jc_env.root_info -> Output.logic_type

val pointer_type : 
  Jc_env.alloc_class -> Jc_env.pointer_class -> Output.logic_type

val raw_pointer_type : Output.logic_type -> Output.logic_type

val bitvector_type : Output.logic_type

val logic_field_of_union : Jc_env.field_info -> string

val logic_union_of_field : Jc_env.field_info -> string

(** {2 building output terms} *)

val const_of_num :  Num.num -> Output.term
val const : Jc_ast.const -> Output.constant
(** constant *)


val make_select_fi : Jc_env.field_info -> Output.term -> Output.term
(** dereferencing, builds select(f.name,t) *)

val make_select_committed : Jc_env.pointer_class -> Output.term -> Output.term
(** builds select("committed",t) *)

val make_subtag_bool : Output.term -> Output.term -> Output.term

val make_logic_pred_call : 
  label_in_name:bool ->
  region_assoc:(Jc_region.RegionTable.key *
                  Jc_region.RegionTable.key) list ->
  label_assoc:(Jc_envset.LogicLabelSet.elt *
                 Jc_envset.LogicLabelSet.elt) list ->
  Jc_fenv.logic_info -> 
  Output.term list -> Output.assertion
(** call logic predicate, handling regions and labels *)

val make_logic_fun_call : label_in_name:bool ->
           region_assoc:(Jc_region.RegionTable.key *
                         Jc_region.RegionTable.key)
                        list ->
           label_assoc:(Jc_envset.LogicLabelSet.elt *
                        Jc_envset.LogicLabelSet.elt)
                       list ->
           Jc_fenv.logic_info -> Output.term list -> Output.term

val make_int_of_tag : Jc_env.struct_info -> Output.term

val make_typeof : Jc_env.struct_info ->
           Jc_region.RegionTable.key -> Output.term -> Output.term
(** typeof expression in logic *)

val make_instanceof : Output.term ->
  Output.term -> Jc_env.struct_info -> Output.assertion



(** {2 helpers for effects information} *)

val logic_info_reads : Jc_envset.StringSet.t ->
           Jc_fenv.logic_info -> Jc_envset.StringSet.t
(** effects of a predicate of logic function *)

val all_effects : Jc_fenv.effect -> string list


val location_list' : Output.term list -> Output.term

val local_read_effects : callee_reads:Jc_fenv.effect ->
           callee_writes:Jc_fenv.effect -> string list

val local_write_effects : callee_reads:Jc_fenv.effect ->
           callee_writes:Jc_fenv.effect -> string list

val write_effects : 
  callee_reads:Jc_fenv.effect ->
  callee_writes:Jc_fenv.effect ->
  region_list:Jc_region.RegionTable.key list ->
  params:Jc_env.var_info list -> string list
  
val read_effects : 
  callee_reads:Jc_fenv.effect ->
  callee_writes:Jc_fenv.effect ->
  region_list:Jc_region.RegionTable.key list ->
  params:Jc_env.var_info list -> string list

val write_parameters :  type_safe:bool ->
           region_list:Jc_region.RegionTable.key list ->
           callee_reads:Jc_fenv.effect ->
           callee_writes:Jc_fenv.effect ->
           params:Jc_env.var_info list -> (string * Output.logic_type) list

val read_parameters : type_safe:bool ->
           region_list:Jc_region.RegionTable.key list ->
           callee_reads:Jc_fenv.effect ->
           callee_writes:Jc_fenv.effect ->
           params:Jc_env.var_info list ->
           already_used:Jc_envset.StringSet.elt list ->
           (string * Output.logic_type) list

val write_locals : region_list:Jc_region.RegionTable.key list ->
           callee_reads:Jc_fenv.effect ->
           callee_writes:Jc_fenv.effect ->
           params:Jc_env.var_info list -> (string * Output.logic_type) list

val read_locals : region_list:Jc_region.RegionTable.key list ->
           callee_reads:Jc_fenv.effect ->
           callee_writes:Jc_fenv.effect ->
           params:Jc_env.var_info list -> (string * Output.logic_type) list



(** {1 Misc} *)

val specialized_functions: 
  (string * string Jc_envset.StringMap.t) Jc_pervasives.StringHashtblIter.t
why-2.39/jc/jc_stdlib_ge400.ml0000644000106100004300000001653113147234006015021 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



module List = struct
  include List

  let cons e l = e::l

  let as_singleton = function
    | [e] -> e
    | _ -> failwith "as_singleton"

  let mem_assoc_eq f k l =
    fold_left (fun v_opt (k',v') ->
		 match v_opt with
		   | None ->
		       if f k k' then Some v' else None
		   | Some v -> Some v
	      ) None l

  let all_pairs l =
    let rec aux acc = function
      | e :: l ->
	  let acc = fold_left (fun acc e' -> (e,e') :: acc) acc l in
	  aux acc l
      | [] -> acc
    in
    aux [] l

  let map_fold f acc l =
    let (rev,acc) = List.fold_left
      (fun (rev,acc) e -> let (e,acc) = (f acc e) in (e::rev,acc))
      ([],acc) l in
    (List.rev rev,acc)

  let fold_all_part f acc =
    let rec aux acc part = function
    | [] -> f acc part
    | a::l -> aux (aux acc (a::part) l) part l in
    aux acc []

end

module Set = struct

  module type OrderedType = Set.OrderedType

  module type S = sig
    include Set.S
    val of_list: elt list -> t
    val to_list: t -> elt list
  end

  module Make(Ord : OrderedType) : S with type elt = Ord.t = struct
    include Set.Make(Ord)

    let of_list ls =
      List.fold_left (fun s e -> add e s) empty ls

    let to_list s =
      fold (fun e acc -> e :: acc) s []

  end
end

module Map = struct

  module type OrderedType = Map.OrderedType

  module type S = sig
    include Map.S
    val elements: 'a t -> (key * 'a) list
    val keys: 'a t -> key list
    val values: 'a t -> 'a list
    val to_list: 'a t -> (key * 'a) list
    val find_or_default: key -> 'a -> 'a t -> 'a
    val find_or_none: key -> 'a t -> 'a option
    val merge: ('a -> 'a -> 'a) -> 'a t -> 'a t -> 'a t
    val add_merge: ('a -> 'a -> 'a) -> key -> 'a -> 'a t -> 'a t
    val diff_merge: ('a -> 'a -> 'a) -> ('a -> bool) -> 'a t -> 'a t -> 'a t
    val inter_merge: ('a -> 'a -> 'a) -> ('a -> bool) -> 'a t -> 'a t -> 'a t
    val inter_merge_option: ('a -> 'b -> 'c option) -> 'a t -> 'b t -> 'c t
  end

  module Make(Ord : OrderedType) : S with type key = Ord.t = struct
    include Map.Make(Ord)

    let elements m =
      fold (fun k v acc -> (k,v) :: acc) m []

    let keys m =
      fold (fun k _v acc -> k :: acc) m []

    let values m =
      fold (fun _k v acc -> v :: acc) m []

    let to_list m =
      fold (fun k v acc -> (k,v) :: acc) m []

    let find_or_default k v m =
      try find k m with Not_found -> v

    let find_or_none k m =
      try Some(find k m) with Not_found -> None

    let merge f m1 m2 =
      fold (fun k v1 m ->
	      try
		let v2 = find k m2 in
		add k (f v1 v2) m
	      with Not_found ->
		add k v1 m
	   ) m1 m2

    let add_merge f k v m =
      let v =
	try f v (find k m)
	with Not_found -> v
      in
      add k v m

    let diff_merge f g m1 m2 =
      fold (fun k v1 m ->
	      try
		let v2 = find k m2 in
		let v = f v1 v2 in
		if g v then m else add k v m
	      with Not_found ->
		add k v1 m
	   ) m1 empty

    let inter_merge f g m1 m2 =
      fold (fun k v1 m ->
	      try
		let v2 = find k m2 in
		let v = f v1 v2 in
		if g v then m else add k v m
	      with Not_found -> m
	   ) m1 empty

    let inter_merge_option f m1 m2 =
      fold (fun k v1 m ->
	      try
		let v2 = find k m2 in
		match f v1 v2 with
                  | Some v -> add k v m
                  | None -> m
	      with Not_found -> m
	   ) m1 empty

  end
end

module StdHashtbl = Hashtbl

module Hashtbl = struct

  module type HashedType = Hashtbl.HashedType

  module type S = sig
    include Hashtbl.S
    val keys: 'a t -> key list
    val values: 'a t -> 'a list
    val choose: 'a t -> (key * 'a) option
    val remove_all : 'a t -> key -> unit
    val is_empty : 'a t -> bool
  end

  module type Std = sig
    type ('a, 'b) t
    val create : int -> ('a, 'b) t
    val clear : ('a, 'b) t -> unit
    val add : ('a, 'b) t -> 'a -> 'b -> unit
    val copy : ('a, 'b) t -> ('a, 'b) t
    val find : ('a, 'b) t -> 'a -> 'b
    val find_all : ('a, 'b) t -> 'a -> 'b list
    val mem : ('a, 'b) t -> 'a -> bool
    val remove : ('a, 'b) t -> 'a -> unit
    val replace : ('a, 'b) t -> 'a -> 'b -> unit
    val iter : ('a -> 'b -> unit) -> ('a, 'b) t -> unit
    val fold : ('a -> 'b -> 'c -> 'c) -> ('a, 'b) t -> 'c -> 'c
    val length : ('a, 'b) t -> int
    val hash : 'a -> int
    val hash_param : int -> int -> 'a -> int
  end

  include (struct include Hashtbl let create x = create x end: Std)

  module Make(H : HashedType) : S with type key = H.t = struct
    include Hashtbl.Make(H)

    let keys t =
      fold (fun k _v acc -> k :: acc) t []

    let values t =
      fold (fun _k v acc -> v :: acc) t []

    let choose t =
      let p = ref None in
      begin try
	iter (fun k v -> p := Some(k,v); failwith "Hashtbl.choose") t
      with Failure "Hashtbl.choose" -> () end;
      !p

    let remove_all t p =
      List.iter (fun _ -> remove t p) (find_all t p)

    let is_empty t =
      try
        iter (fun _ _ ->  raise Not_found) t;
        true
      with Not_found -> false
  end

  let remove_all t p =
    List.iter (fun _ -> remove t p) (find_all t p)

  let is_empty t =
    try
      iter (fun _ _ ->  raise Not_found) t;
      true
    with Not_found -> false

end

(*
Local Variables:
compile-command: "LC_ALL=C make -j -C .. bin/jessie.byte"
End:
*)
why-2.39/jc/jc_callgraph.ml0000644000106100004300000001771513147234006014603 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

open Jc_stdlib
open Jc_ast
open Jc_fenv

open Jc_pervasives

let term acc t =
  Jc_iterators.fold_term 
    (fun acc t -> match t#node with
    | JCTapp app -> app.jc_app_fun::acc
    | _ -> acc
    ) acc t

let tag acc t = match t#node with
  | JCTtag _ | JCTbottom -> acc
  | JCTtypeof(t, _) -> term acc t

let rec assertion acc p =
  match p#node with
  | JCAtrue 
  | JCAfalse -> acc
  | JCArelation(t1,_op,t2) ->
      term (term acc t1) t2
  | JCAapp app -> app.jc_app_fun :: (List.fold_left term acc app.jc_app_args)
  | JCAand(pl) | JCAor(pl) -> List.fold_left assertion acc pl
  | JCAimplies (p1,p2) | JCAiff(p1,p2) -> 
      assertion (assertion acc p1) p2
  | JCAif(t1,p2,p3) -> 
      assertion (assertion (term acc t1) p2) p3
  | JCAnot p | JCAold p | JCAat(p,_) ->
      assertion acc p
  | JCAquantifier (_,_,trigs,p) -> triggers (assertion acc p) trigs
  | JCAinstanceof(t,_,_)
  | JCAfresh(t)
  | JCAmutable(t,_,_)
  | JCAbool_term t -> term acc t
  | JCAeqtype(t1, t2, _) | JCAsubtype(t1, t2, _) ->
      tag (tag acc t1) t2
  | JCAlet(_,t, p) ->
      assertion (term acc t) p
  | JCAmatch(t, pal) ->
      term (List.fold_left (fun acc (_, a) -> assertion acc a) acc pal) t

and triggers acc trigs =
  List.fold_left (List.fold_left 
    (fun acc pat -> match pat with
       | JCAPatT t -> term acc t
       | JCAPatP p -> assertion acc p)) acc trigs

(*
let spec s = 
  begin
  match s.requires with
    | None -> []
    | Some p -> 
	predicate p
  end @
  begin
  match s.assigns with
    | None -> []
    | Some l -> List.fold_left (fun acc t -> (term t) @acc)  [] l
  end @
  begin
    match s.ensures with
      | None -> []
      | Some p -> predicate p
  end @
  begin
    match s.decreases with
      | None -> []
      | Some (t,_) -> term t
  end
*)

let loop_annot acc la = 
  let acc = 
    List.fold_left 
      (fun acc (_id,inv,_assigns) -> 
	 (* TODO : traverse assigns clause *)
	 Option_misc.fold_left assertion acc inv)
      acc la.jc_loop_behaviors 
  in
  match la.jc_loop_variant with
  | None -> acc
  | Some (t,None) -> term acc t
  | Some (t,Some ri) -> term (ri::acc) t

let expr = 
  Jc_iterators.IExpr.fold_left 
    (fun acc e -> match e#node with  
       | JCEapp call ->
	   let f = call.jc_call_fun in
	   let (a,b)=acc in
	   begin match f with
	     | JCfun f -> (a,f::b)
	     | JClogic_fun f -> (f::a,b)
	   end
       | JCEloop(spec,_s) ->
	   let (a,b) = acc in (loop_annot a spec,b)
       | _ -> acc
    )

let axiomatic_calls_table = Hashtbl.create 17

let compute_axiomatic_decl_call acc d =
  match d with
    | Jc_typing.ABaxiom(_,_,_,a) -> assertion acc a

let compute_axiomatic_calls a =
  try
    Hashtbl.find axiomatic_calls_table a
  with Not_found ->
    try
      let l = StringHashtblIter.find Jc_typing.axiomatics_table a in
      let c = List.fold_left compute_axiomatic_decl_call [] l.Jc_typing.axiomatics_decls in
      Hashtbl.add axiomatic_calls_table a c;
      c
    with
	Not_found -> assert false

let compute_logic_calls f t = 
  let calls =
    match t with
      | JCNone -> []
      | JCTerm t -> term [] t 
      | JCAssertion a -> assertion [] a 
      | JCReads _r -> 
	  begin
	    match f.jc_logic_info_axiomatic with
	      | None -> []
	      | Some a -> compute_axiomatic_calls a 
	  end
      | JCInductive l -> 
	  List.fold_left (fun acc (_,_,a) -> assertion acc a) [] l
  in
  f.jc_logic_info_calls <- calls

let compute_calls f _s b = 
  let (_a,b) = expr ([],[]) b in
  f.jc_fun_info_calls <- b
      
module LogicCallGraph = struct 
  type t = (Jc_fenv.logic_info * Jc_fenv.term_or_assertion) IntHashtblIter.t 
  module V = struct
    type t = logic_info
    let compare f1 f2 = Pervasives.compare f1.jc_logic_info_tag f2.jc_logic_info_tag
    let hash f = f.jc_logic_info_tag
    let equal f1 f2 = f1 == f2
  end
  let iter_vertex iter =
    IntHashtblIter.iter (fun _ (f,_a) -> iter f) 
  let iter_succ iter _ f =
    List.iter iter f.jc_logic_info_calls 
  end

module LogicCallComponents = Graph.Components.Make(LogicCallGraph)

module CallGraph = struct 
  type t = (fun_info * Loc.position * fun_spec * expr option) IntHashtblIter.t
  module V = struct
    type t = fun_info
    let compare f1 f2 = Pervasives.compare f1.jc_fun_info_tag f2.jc_fun_info_tag
    let hash f = f.jc_fun_info_tag
    let equal f1 f2 = f1 == f2
  end
  let iter_vertex iter =
    IntHashtblIter.iter (fun _ (f,_loc,_spec,_b) -> iter f) 
  let iter_succ iter _ f =
    List.iter iter f.jc_fun_info_calls 
  end

module CallComponents = Graph.Components.Make(CallGraph)

open Format
open Pp

let compute_logic_components ltable =
  let tab_comp = LogicCallComponents.scc_array ltable in
  Jc_options.lprintf "***********************************\n";
  Jc_options.lprintf "Logic call graph: has %d components\n" 
    (Array.length tab_comp);
  Jc_options.lprintf "***********************************\n";
  Array.iteri 
    (fun i l -> 
       Jc_options.lprintf "Component %d:\n%a@." i
	 (print_list newline 
	    (fun fmt f -> fprintf fmt " %s calls: %a\n" f.jc_logic_info_name
		 (print_list comma 
		    (fun fmt f -> fprintf fmt "%s" f.jc_logic_info_name))
		 f.jc_logic_info_calls))
	 l)
    tab_comp;
  tab_comp


let compute_components table = 
  (* see above *)
  let tab_comp = CallComponents.scc_array table in
  Jc_options.lprintf "******************************\n";
  Jc_options.lprintf "Call graph: has %d components\n" (Array.length tab_comp);
  Jc_options.lprintf "******************************\n";
  Array.iteri 
    (fun i l -> 
      Jc_options.lprintf "Component %d:\n%a@." i
	(print_list newline 
	   (fun fmt f -> fprintf fmt " %s calls: %a\n" f.jc_fun_info_name
	       (print_list comma 
		  (fun fmt f -> fprintf fmt "%s" f.jc_fun_info_name))
	       f.jc_fun_info_calls))
	l)
    tab_comp;
  tab_comp
    
    


(*
Local Variables: 
compile-command: "LC_ALL=C make -C .. bin/jessie.byte"
End: 
*)
why-2.39/jc/jc_region.ml0000644000106100004300000003554013147234006014125 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



open Jc_stdlib
open Jc_env
open Jc_envset

open Format
open Pp

let string_explode s =
  let rec next acc i =
    if i >= 0 then next (s.[i] :: acc) (i-1) else acc
  in
  next [] (String.length s - 1)

let string_implode ls =
  let s = String.create (List.length ls) in
  ignore (List.fold_left (fun i c -> String.set s i c; i + 1) 0 ls);
  s

let filter_alphanumeric s =
  let alphanum c =
    String.contains "abcdefghijklmnopqrstuvwxyz" c
    || String.contains "ABCDEFGHIJKLMNOPQRSTUVWXYZ" c
    || String.contains "0123456789" c
    || c = '_'
  in
  string_implode (List.filter alphanum (string_explode s))

let dummy_region =
  {
    jc_reg_variable = false;
    jc_reg_bitwise = false;
    jc_reg_id = 0;
    jc_reg_name = "dummy_region";
    jc_reg_final_name = "dummy_region";
    jc_reg_type = JCTnull; (* Type does not matter. *)
  }

let is_dummy_region r = r.jc_reg_id = 0

module InternalRegion = struct

  type t = region

  let equal r1 r2 = r1.jc_reg_id = r2.jc_reg_id

  let compare r1 r2 = Pervasives.compare r1.jc_reg_id r2.jc_reg_id

  let hash r = r.jc_reg_id

  let prefer r1 r2 =
    if r1.jc_reg_variable && not r2.jc_reg_variable then 1
    else if r2.jc_reg_variable && not r1.jc_reg_variable then -1
    else r1.jc_reg_id - r2.jc_reg_id

end

(* By default, elements should become representant only if they are
 * "preferred" according to function [prefer]. Otherwise, decided by ranking.
 *)
module UnionFind
  (Elem :
    sig type t
	val equal : t -> t -> bool
	val prefer : t -> t -> int
    end)
  (ElemTable : Hashtbl.S with type key = Elem.t) =
struct

  let table = ElemTable.create 73
  let ranks = ElemTable.create 73

  let rec repr e =
    try
      let r = repr(ElemTable.find table e) in
      ElemTable.replace table e r;
      r
    with Not_found -> e

  let rank e =
    try ElemTable.find ranks e with Not_found -> 0

  let unify e1 e2 =
    let r1 = repr e1 and r2 = repr e2 in
    if Elem.equal r1 r2 then ()
    else
      (* Start with preference as defined by function [prefer]. *)
      let pref = Elem.prefer r1 r2 in
      let k1 = rank r1 and k2 = rank r2 in
      if pref < 0 then
	begin
	  ElemTable.replace table r2 r1;
	  if k1 <= k2 then ElemTable.replace ranks r1 (k2 + 1)
	end
      else if pref > 0 then
	begin
	  ElemTable.replace table r1 r2;
	  if k2 <= k1 then ElemTable.replace ranks r2 (k1 + 1)
	end
      else
	(* If no definite preference, resolve to classical ranking. *)
	if k1 < k2 then
	  ElemTable.replace table r1 r2
	else if k2 < k1 then
	  ElemTable.replace table r2 r1
	else
	  begin
	    ElemTable.replace table r1 r2;
	    ElemTable.replace ranks r2 (k2 + 1)
	  end

end

module RegionTable = Hashtbl.Make(InternalRegion)

module PairOrd(A : Set.OrderedType)(B : Set.OrderedType) =
struct
  type t = A.t * B.t
  let compare (a1,b1) (a2,b2) =
    let res1 = A.compare a1 a2 in
    if res1 <> 0 then res1 else B.compare b1 b2
  let equal (a1,b1) (a2,b2) =
    compare (a1,b1) (a2,b2) = 0
end

module RegionUF = UnionFind(InternalRegion)(RegionTable)

module RegionSet = struct
  module S = Set.Make(InternalRegion)
  let empty = S.empty
  let mem r s = S.mem (RegionUF.repr r) s
  let add r s = S.add (RegionUF.repr r) s
  let of_list ls =
    List.fold_left (fun s e -> add e s) empty ls
  let to_list s =
    S.fold (fun e acc -> e :: acc) s []
  let singleton = S.singleton
end

(* Sets should be computed after unification takes place, so that operations
 * can maintain easily the invariant that only representative regions are used.
 *)
module PairRegionSet
  (T : sig type t end)(P : Set.OrderedType with type t = T.t * region) =
struct
  module S = Set.Make(P)
  let empty = S.empty
  let mem (fi,r) s = S.mem (fi,RegionUF.repr r) s
  let add (fi,r) s = S.add (fi,RegionUF.repr r) s
  let singleton (fi,r) = S.singleton (fi,RegionUF.repr r)
  let remove (fi,r) s = S.remove (fi,RegionUF.repr r) s
  let split (fi,r) s = S.split (fi,RegionUF.repr r) s
  let elements = S.elements
  let exists = S.exists
  let union = S.fold add
    (* Added w.r.t. standard Set. *)
  let of_list ls =
    List.fold_left (fun s e -> add e s) empty ls
  let to_list s =
    S.fold (fun e acc -> e :: acc) s []
  let fold = S.fold
  let filter = S.filter
  let map_repr s =
    S.fold (fun (fi,r) acc -> S.add (fi,RegionUF.repr r) acc) s S.empty
  let find_region r s =
    S.filter (fun (_fi,r') ->
		InternalRegion.equal (RegionUF.repr r) (RegionUF.repr r')) s
  let mem_region r s =
    S.exists (fun (_fi,r') ->
		InternalRegion.equal (RegionUF.repr r) (RegionUF.repr r')) s
end

(* Maps should be computed after unification takes place, so that operations
 * can maintain easily the invariant that only representative regions are used.
 *)
module PairRegionMap
  (T : sig type t end)(P : Set.OrderedType with type t = T.t * region) =
struct
  module M = Map.Make(P)
  include M
  let add (fi,r) s = M.add (fi,RegionUF.repr r) s
  let find (fi,r) s = M.find (fi,RegionUF.repr r) s
  let remove (fi,r) s = M.remove (fi,RegionUF.repr r) s
  let mem (fi,r) s = M.mem (fi,RegionUF.repr r) s
  let add_merge f (k,r) v m = add_merge f (k,RegionUF.repr r) v m
end

let global_region_table : (InternalRegion.t FieldTable.t) RegionTable.t
    = RegionTable.create 73


module Region =
struct

  include InternalRegion

  let name r = (RegionUF.repr r).jc_reg_final_name

  let representative = RegionUF.repr

  let polymorphic r =
    let r = RegionUF.repr r in r.jc_reg_variable

  let count = ref 1
  let next_count () = let tmp = !count in incr count; tmp

  let make_const ty name =
    let name = filter_alphanumeric name in
    if !Jc_common_options.separation_sem = SepNone then dummy_region
    else if not(is_pointer_type ty) then dummy_region else
      let id = next_count () in
      {
	jc_reg_variable = false;
	jc_reg_bitwise = false;
	jc_reg_id = id;
	jc_reg_name = name;
	jc_reg_final_name = name ^ "_" ^ (string_of_int id);
	jc_reg_type = ty;
      }

  let make_var ty name =
    let name = filter_alphanumeric name in
    if !Jc_common_options.separation_sem = SepNone then dummy_region
    else if not(is_pointer_type ty) then dummy_region else
      let id = next_count () in
      {
	jc_reg_variable = true;
	jc_reg_bitwise = false;
	jc_reg_id = id;
	jc_reg_name = name;
	jc_reg_final_name = name ^ "_" ^ (string_of_int id);
	jc_reg_type = ty;
      }

  let print fmt r =
    fprintf fmt "%s" r.jc_reg_final_name

  let print_assoc fmt assocl =
    fprintf fmt "%a" (print_list comma
      (fun fmt (r1,r2) -> fprintf fmt "%a->%a" print r1 print r2)) assocl

  let bitwise r = (RegionUF.repr r).jc_reg_bitwise

  let equal r1 r2 =
    InternalRegion.equal (RegionUF.repr r1) (RegionUF.repr r2)

  let some_bitwise_region = ref false

  let exists_bitwise () = !some_bitwise_region

  let rec make_bitwise r =
    some_bitwise_region := true;
    if bitwise r then () else
      let rep = RegionUF.repr r in
      if !Jc_common_options.separation_sem = SepNone then
	(* Potentially all pointers may be aliased *)
	(assert (is_dummy_region rep);
	 rep.jc_reg_bitwise <- true)
      else
	rep.jc_reg_bitwise <- true;
      try
	let t = RegionTable.find global_region_table rep in
	begin match FieldTable.choose t with
	  | Some(_,r1) ->
	      make_bitwise r1;
	      FieldTable.iter (fun _fi ri -> unify r1 ri) t
	  | None -> ()
	end
      with Not_found -> ()

  and unify ?(poly=true) r1 r2 =
    if is_dummy_region r1 && is_dummy_region r2 then ()
    else if is_dummy_region r1 || is_dummy_region r2 then
      let r,dr = if is_dummy_region r1 then r2, r1 else r1, r2 in
      Format.printf "unifying a dummy region %a with a non dummy region %a@."
	print dr print r;
      assert false
    else if equal r1 r2 then () else
      let rep1 = RegionUF.repr r1 and rep2 = RegionUF.repr r2 in
      RegionUF.unify r1 r2;
      let t1 =
	try RegionTable.find global_region_table rep1
	with Not_found -> FieldTable.create 0
      in
      let t2 =
	try RegionTable.find global_region_table rep2
	with Not_found -> FieldTable.create 0
      in
      (* If polymorphic argument is false, then current unification is
	 a field unification coming from parents being unified, with one
	 parent being a constant region. Then its field region must be
	 constant too.
      *)
      assert (poly || not (polymorphic r1 && polymorphic r2));
      let poly =
	poly && polymorphic r1 && polymorphic r2
      in
      (* Recursively make field regions constant if top region is constant *)
      let rec mkconst r =
	let rep = RegionUF.repr r in
	if polymorphic rep then
	  begin
	    rep.jc_reg_variable <- false;
	    try
	      let t = RegionTable.find global_region_table rep in
	      FieldTable.iter (fun _fi ri -> mkconst ri) t
	    with Not_found -> ()
	  end
      in
      FieldTable.iter
	(fun fi r1 ->
	  try
	    begin
	      let r2 = FieldTable.find t2 fi in
	      unify ~poly r1 r2
	    end
	  with Not_found ->
	    if not poly then mkconst r1;
	    FieldTable.add t2 fi r1
	) t1;
      FieldTable.iter
	(fun fi r2 ->
	  try ignore(FieldTable.find t1 fi)
	  with Not_found ->
	    if not poly then mkconst r2
	) t2;
      (* Recursively make region bitwise if necessary *)
      let rep = RegionUF.repr r1 in
      if rep1.jc_reg_bitwise || rep2.jc_reg_bitwise then
	make_bitwise rep;
      (* Update with correct field table *)
      RegionTable.replace global_region_table rep t2

  let make_field r fi =
    let r = RegionUF.repr r in
(*     assert (not r.jc_reg_bitwise); *)
    if !Jc_common_options.separation_sem = SepNone then dummy_region
    else if not(is_pointer_type fi.jc_field_info_type) then dummy_region else
      try
	let t = RegionTable.find global_region_table r in
	try FieldTable.find t fi
	with Not_found ->
	  let fr =
	    if is_embedded_field fi then
	      r
	    else if r.jc_reg_variable then
	      make_var fi.jc_field_info_type fi.jc_field_info_name
	    else
	      make_const fi.jc_field_info_type (* fi.jc_field_info_name *)
		r.jc_reg_name
	  in
	  FieldTable.replace t fi fr;
	  fr
      with Not_found ->
	let fr =
	  if is_embedded_field fi then
	    r
	  else if r.jc_reg_variable then
	    make_var fi.jc_field_info_type fi.jc_field_info_name
	  else
	    make_const fi.jc_field_info_type (* fi.jc_field_info_name *)
	      r.jc_reg_name
	in
	let t = FieldTable.create 5 in
	FieldTable.replace t fi fr;
	RegionTable.replace global_region_table r t;
	fr

end

module RegionList =
struct

  let rec assoc r assocl =
    if is_dummy_region r then dummy_region else
      match assocl with
	| [] -> raise Not_found
	| (r1,r2)::ls ->
	    if Region.equal r r1 then RegionUF.repr r2 else assoc r ls

  let rec assoc' r assocl =
    match assocl with
      | [] -> raise Not_found
      | (r1,v)::ls ->
	  if Region.equal r r1 then v else assoc' r ls

  let rec mem r = function
    | [] -> false
    | r1::ls -> Region.equal r r1 || mem r ls

  (* Do not duplicate the bitwise field of regions *)
  let duplicate rls =
    let assocl =
      List.fold_left (fun acc r ->
	if is_dummy_region r then acc
	else (r,Region.make_var r.jc_reg_type r.jc_reg_name) :: acc
      ) [] rls
    in
    List.iter (fun (r1,r2) ->
      try
	let r1 = RegionUF.repr r1 in
	let t = FieldTable.copy(RegionTable.find global_region_table r1) in
	FieldTable.iter (fun fi r ->
	  try
	    FieldTable.replace t fi (assoc r assocl)
	  with Not_found -> ()
	) t;
	RegionTable.replace global_region_table r2 t
      with Not_found -> ()
    ) assocl;
    assocl

  let reachable rls =
    let rec collect acc r =
      if is_dummy_region r then acc else
	let r = RegionUF.repr r in
	if mem r acc then acc else
	  let acc = r :: acc in
	  try
	    let t = RegionTable.find global_region_table r in
	    FieldTable.fold (fun _fi fr acc -> collect acc fr) t acc
	  with Not_found -> acc
    in
    List.fold_left collect [] rls

end

module Alloc = PairOrd(AllocClass)(InternalRegion)

module AllocSet = PairRegionSet(AllocClass)(Alloc)

module AllocMap = PairRegionMap(AllocClass)(Alloc)

module AllocList =
struct

  let rec mem (a,r) = function
    | [] -> false
    | (a',r')::rest ->
	a = a' && Region.equal r r' || mem (a,r) rest

end

module Tag = PairOrd(VariantOrd)(InternalRegion)

module TagSet = PairRegionSet(VariantOrd)(Tag)

module TagMap = PairRegionMap(VariantOrd)(Tag)

module TagList =
struct

  let rec mem (a,r) = function
    | [] -> false
    | (a',r')::rest ->
	a = a' && Region.equal r r' || mem (a,r) rest

end

module Memory = PairOrd(MemClass)(InternalRegion)

module MemorySet =
  PairRegionSet(MemClass)(Memory)

module MemoryMap =
  PairRegionMap(MemClass)(Memory)

module MemoryList =
struct

  let rec mem (fi,r) = function
    | [] -> false
    | (fi',r')::rest ->
	MemClass.equal fi fi' && Region.equal r r' || mem (fi,r) rest

end

module Pointer = PairOrd(PointerClass)(InternalRegion)

module PointerSet = PairRegionSet(PointerClass)(Pointer)



(*
Local Variables:
compile-command: "LC_ALL=C make -j -C .. bin/jessie.byte"
End:
*)
why-2.39/jc/jc_ai.mli0000644000106100004300000000510713147234006013400 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)


open Jc_fenv

val normalize_expr: expr -> expr

(* intraprocedural analysis *)
val code_function : fun_info * Loc.position * fun_spec * expr option -> unit


(* interprocedural analysis *)
val main_function : fun_info * Loc.position * fun_spec * expr option -> unit


(*
val is_recursive : fun_info -> bool
*)

(*
Local Variables: 
compile-command: "LC_ALL=C make -C .. bin/jessie.byte"
End: 
*)
why-2.39/jc/jc_interp.mli0000644000106100004300000001225013147234006014305 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)


(** {1 Main translation functions} *)


(** {2 effects} *)
val reads :
  type_safe:bool ->
  global_assertion:bool ->
  Jc_fenv.logic_info Jc_ast.location list ->
  Jc_env.mem_class * Jc_env.region -> Output.term

val collect_pset_locations :
  type_safe:bool ->
  global_assertion:bool ->
  Jc_fenv.logic_info Jc_ast.location -> Output.term

(** {2 types} *)

val tr_logic_type :
  string * Jc_type_var.t list ->
  Output.why_decl list -> Output.why_decl list

val tr_struct :
  Jc_env.struct_info -> Output.why_decl list -> Output.why_decl list

val tr_root :
  Jc_env.root_info -> Output.why_decl list -> Output.why_decl list

val tr_enum_type :
  Jc_env.enum_info -> Output.why_decl list -> Output.why_decl list

val tr_enum_type_pair :
  Jc_env.enum_info ->
  Jc_env.enum_info -> Output.why_decl list -> Output.why_decl list

(** {2 variables and heap} *)

val tr_variable :
  Jc_env.var_info ->
  'a -> Output.why_decl list -> Output.why_decl list

val tr_region :
  Jc_env.region -> Output.why_decl list -> Output.why_decl list

val tr_memory :
  Jc_env.mem_class * Jc_env.region ->
  Output.why_decl list -> Output.why_decl list

val tr_alloc_table :
  Jc_env.alloc_class * Jc_env.region ->
  Output.why_decl list -> Output.why_decl list

val tr_tag_table :
  Jc_env.root_info * Jc_env.region ->
  Output.why_decl list -> Output.why_decl list

(** {2 exceptions} *)


val tr_exception :
  Jc_env.exception_info ->
  Output.why_decl list -> Output.why_decl list

  
(** {2 terms and propositions} *)

val term_coerce :
  type_safe:'a ->
  global_assertion:bool ->
  Jc_env.label ->
  ?cast:bool ->
  Loc.position ->
  Jc_env.jc_type ->
  Jc_env.jc_type ->
  < region : Jc_region.RegionTable.key; .. > -> 
    Output.term -> Output.term

val term :
  ?subst:Output.term Jc_envset.VarMap.t ->
  type_safe:bool ->
  global_assertion:bool ->
  relocate:bool ->
  Jc_env.label ->
  Jc_env.label ->
  Jc_fenv.logic_info Jc_ast.term -> Output.term

val assertion :
  type_safe:bool ->
  global_assertion:bool ->
  relocate:bool ->
  Jc_env.label ->
  Jc_env.label ->
  Jc_fenv.logic_info Jc_ast.assertion -> Output.assertion


(** {2 theories} *)

val tr_axiom :
  Loc.position ->
  string ->
  is_axiom:bool ->
  Jc_env.label list ->
  Jc_fenv.logic_info Jc_ast.assertion ->
  Output.why_decl list -> Output.why_decl list

val tr_axiomatic_decl :
  Output.why_decl list ->
  Jc_typing.axiomatic_decl -> Output.why_decl list

(** {2 functions} *)

val pre_tr_fun :
  Jc_fenv.fun_info ->
  'a -> Jc_fenv.logic_info Jc_ast.fun_spec -> 'b -> 'c -> 'c

val tr_fun :
  Jc_fenv.fun_info ->
  Loc.position ->
  Jc_fenv.fun_spec ->
  (Jc_fenv.logic_info, Jc_fenv.fun_info) Jc_ast.expr option ->
  Output.why_decl list -> Output.why_decl list

val tr_specialized_fun :
  string ->
  string ->
  string Jc_envset.StringMap.t ->
  Output.why_decl list -> Output.why_decl list

(** {2 locations and explanations} *)

(*
val print_locs : Format.formatter -> unit
  *)

(*
  Local Variables: 
  compile-command: "unset LANG; make -j -C .. bin/jessie.byte"
  End: 
*)
why-2.39/jc/jc_struct_tools.ml0000644000106100004300000002243613147234006015406 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

open Jc_name
open Jc_pervasives
open Jc_env
open Jc_envset

let alloc_class_of_mem_class = function
  | JCmem_field fi -> JCalloc_root (struct_root fi.jc_field_info_struct)
  | JCmem_plain_union vi -> JCalloc_root vi
  | JCmem_bitvector -> JCalloc_bitvector

let alloc_class_of_pointer_class = function
  | JCtag(st,_) -> JCalloc_root (struct_root st)
  | JCroot vi -> JCalloc_root vi

let variant_of_alloc_class = function
  | JCalloc_root vi -> vi
  | JCalloc_bitvector -> assert false (* no variant *)

let variant_of_mem_class = variant_of_alloc_class $ alloc_class_of_mem_class

(* keep the pointers only and return their pointer_class *)
let fields_pointer_class = List.flatten $
  (List.map
     (fun fi -> match fi.jc_field_info_type with
	| JCTpointer(pc, _, _) -> [pc]
	| _ -> []))

let embedded_field fi = 
  match fi.jc_field_info_type with
    | JCTpointer(_fpc, Some _fa, Some _fb) -> true
    | _ -> false

(* TODO !!!!!!!!!!!!!
   add fields of parent 
*)

let field_offset fi =
  let st = fi.jc_field_info_struct in
  let off,counting = 
    List.fold_left (fun (off,counting) fi' ->
		      if counting then
			if fi.jc_field_info_tag = fi'.jc_field_info_tag then
			  off,false
			else
			  off + (match fi'.jc_field_info_bitsize 
				 with Some v -> v
				   | None -> assert false)
				   , counting
		      else
			off,counting
		   ) (0,true) st.jc_struct_info_fields
  in 
  assert (not counting);
  off

let field_offset_in_bytes fi =
  let off = field_offset fi in
  if off mod 8 = 0 then Some(off/8) else None

let field_type_has_bitvector_representation fi =
  match fi.jc_field_info_type with
    | JCTenum _ 
    | JCTpointer _ -> true
    | JCTnative _
    | JCTlogic _
    | JCTnull
    | JCTany
    | JCTtype_var _ -> false

let struct_fields st =
  let rec aux acc st =
    let acc = st.jc_struct_info_fields @ acc in
    match st.jc_struct_info_parent with
      | None -> acc
      | Some(st',_) -> aux acc st'
  in
  aux [] st

let struct_has_size st =
  not (List.exists 
	 (fun fi -> fi.jc_field_info_bitsize = None) 
	 (struct_fields st))

let struct_size st =
  match List.rev st.jc_struct_info_fields with
    | [] -> 0
    | last_fi::_ -> 
	match last_fi.jc_field_info_bitsize with
	  | None -> assert false
	  | Some fi_siz -> field_offset last_fi + fi_siz

let struct_size_in_bytes st =
  let s = struct_size st in
  assert (s mod 8 = 0);
  s/8

let rec all_fields acc = function
  | JCroot _vi -> acc
  | JCtag ({ jc_struct_info_parent = Some(p, pp) } as st, _) ->
      all_fields (st.jc_struct_info_fields @ acc) (JCtag(p, pp))
  | JCtag ({ jc_struct_info_parent = None } as st, _) ->
      st.jc_struct_info_fields @ acc

let all_fields = all_fields []

let rec all_memories select forbidden acc pc =
  match pc with
    | JCtag(st,_) as pc ->
	if StringSet.mem st.jc_struct_info_name forbidden then
	  acc
	else
	  let fields = List.filter select (all_fields pc) in
	  let mems = List.map (fun fi -> JCmem_field fi) fields in
	  (* add the fields to our list *)
	  let acc = 
	    List.fold_left
	      (fun acc mc -> StringMap.add (memory_class_name mc) mc acc)
	      acc mems
	  in
	  (* continue recursively on the fields *)
	  let forbidden = StringSet.add st.jc_struct_info_name forbidden in
	  List.fold_left
	    (all_memories select forbidden) acc (fields_pointer_class fields)
    | JCroot rt ->
	match rt.jc_root_info_kind with
	  | Rvariant -> acc
	  | RdiscrUnion ->
	      List.fold_left
		(all_memories select forbidden) acc
		(List.map (fun st -> JCtag(st,[])) rt.jc_root_info_hroots)
	  | RplainUnion ->
	      let mc = JCmem_plain_union rt in
	      StringMap.add (memory_class_name mc) mc acc

let all_memories ?(select = fun _ -> true) pc =
  Jc_options.lprintf "all_memories(%s):@." (Jc_output_misc.pointer_class pc);
  let map = all_memories select StringSet.empty StringMap.empty pc in
  let list = List.rev (StringMap.fold (fun _ ty acc -> ty::acc) map []) in
  Jc_options.lprintf "  Found %n memories.@." (List.length list);
  list

let rec all_types select forbidden acc pc =
  Jc_options.lprintf "  all_types(%s)@." (Jc_output_misc.pointer_class pc);
  match pc with
    | JCtag(st, _) as pc ->
	if StringSet.mem st.jc_struct_info_name forbidden then
	  acc
	else
	  let vi = struct_root st in
	  let forbidden = StringSet.add st.jc_struct_info_name forbidden in
	  List.fold_left
	    (all_types select forbidden)
	    (StringMap.add vi.jc_root_info_name vi acc)
	    (fields_pointer_class (List.filter select (all_fields pc)))
    | JCroot vi ->
	StringMap.add vi.jc_root_info_name vi acc

let all_types ?(select = fun _ -> true) pc =
  Jc_options.lprintf "all_types(%s):@." (Jc_output_misc.pointer_class pc);
  let map = all_types select StringSet.empty StringMap.empty pc in
  let list = List.rev (StringMap.fold (fun _ ty acc -> ty::acc) map []) in
  Jc_options.lprintf "  Found %n types.@." (List.length list);
  list

let fully_allocated fi =
  match fi.jc_field_info_type with
    | JCTpointer(_, Some _, Some _) -> true
    | JCTpointer(_, None, Some _)
    | JCTpointer(_, Some _, None)
    | JCTpointer(_, None, None)
    | JCTnull
    | JCTenum _
    | JCTlogic _
    | JCTnative _
    | JCTany -> false
    | JCTtype_var _ -> assert false (* TODO: need environment *)

let rec all_allocs select forbidden acc pc =
  match pc with
    | JCtag(st,_) as pc ->
	if StringSet.mem st.jc_struct_info_name forbidden then
	  acc
	else
	  let ac = JCalloc_root (struct_root st) in
	  let forbidden = StringSet.add st.jc_struct_info_name forbidden in
	  List.fold_left
	    (all_allocs select forbidden)
	    (StringMap.add (alloc_class_name ac) ac acc)
	    (fields_pointer_class (List.filter select (all_fields pc)))
    | JCroot rt ->
	let ac = JCalloc_root rt in
	let acc = StringMap.add (alloc_class_name ac) ac acc in
	match rt.jc_root_info_kind with
	  | Rvariant 
	  | RplainUnion -> acc
	  | RdiscrUnion -> 
	      List.fold_left
		(all_allocs select forbidden) acc
		(List.map (fun st -> JCtag(st,[])) rt.jc_root_info_hroots)

let all_allocs ?(select = fun _ -> true) pc =
  Jc_options.lprintf "all_allocs(%s):@." (Jc_output_misc.pointer_class pc);
  let map = 
    all_allocs select StringSet.empty StringMap.empty pc
  in
  let list = List.rev (StringMap.fold (fun _ ty acc -> ty::acc) map []) in
  Jc_options.lprintf "  Found %n allocs.@." (List.length list);
  list

let rec all_tags select forbidden acc pc =
  match pc with
    | JCtag(st,_) as pc ->
	if StringSet.mem st.jc_struct_info_name forbidden then
	  acc
	else
	  let vi = struct_root st in
	  let forbidden = StringSet.add st.jc_struct_info_name forbidden in
	  List.fold_left
	    (all_tags select forbidden)
	    (StringMap.add vi.jc_root_info_name vi acc)
	    (fields_pointer_class (List.filter select (all_fields pc)))
    | JCroot vi ->
	StringMap.add vi.jc_root_info_name vi acc

let all_tags ?(select = fun _ -> true) pc =
  Jc_options.lprintf "all_tags(%s):@." (Jc_output_misc.pointer_class pc);
  let map = 
    all_tags select StringSet.empty StringMap.empty pc
  in
  let list = List.rev (StringMap.fold (fun _ ty acc -> ty::acc) map []) in
  Jc_options.lprintf "  Found %n tags.@." (List.length list);
  list


(*
Local Variables: 
compile-command: "LC_ALL=C make -j -C .. bin/jessie.byte"
End: 
*)

why-2.39/jc/jc_frame_notin.ml0000644000106100004300000002261713147234006015144 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

open Jc_stdlib
open Jc_env
open Jc_region
open Jc_ast
open Jc_fenv

open Jc_name
open Jc_constructors
open Jc_pervasives
open Jc_struct_tools
open Jc_interp_misc

open Output
open Format

let prop_type = "prop"
(*let ft_suffix = "_ft"
let notin_suffix = "_notin"*)
let in_pred = "in_mybag"
let in_suffix = "_in"
let disj_pred = "disj_mybag"
let sub_pred = "sub_mybag"
let mybag_suffix = "mybag"
let tmp_suffix = "_tmp_name"

let jc_axiom = "_jc_axiom_"

let id_uniq = let c = ref 0 in fun () -> incr c; string_of_int !c

let remove_double compare l =
  match List.fast_sort compare l with
    | [] -> []
    | ele::l ->
        let rec aux ele = function
          | [] -> []
          | a::l when compare ele a = 0 -> aux ele l
          | a::l -> a::(aux a l) in
        ele::(aux ele l)

(** Petits Modules bien utiles *)
module MyBag =
struct
  let add_suffix s = s^"_"^mybag_suffix

  let nin = in_pred
  let ndisj = disj_pred
  let nrem = add_suffix "rem"
  let ninter = add_suffix "inter"

  let nempty = add_suffix "empty"
  let nall = add_suffix "all"

  let make_in elt set =
    LPred (nin,[elt;set])

  let empty = LVar nempty
  let all = LVar nall

  let make_rem elt set =
    if set == empty
    then empty
    else LApp(nrem,[elt;set])


  let make_inter set1 set2 =
    match set1 == all, set1, set2 == all, set2 with
      | true , _ , _ , set | _ , set, true, _ -> set
      | _ ->  LApp(ninter,[set1;set2])

  let jc_ty ty = JCTlogic (mybag_suffix,[ty])


  let ty ty = { logic_type_name = mybag_suffix;
                logic_type_args = [ty]
              }

  let ty_elt = function
    | {logic_type_args = [ty]} -> ty
    | _ -> assert false

  let iin =
    let pid = make_pred nin in
    let tvar = Jc_type_var.type_var_from_string ~univ:true "a_in" in
    pid.jc_logic_info_poly_args <- [tvar];
    let tvar = JCTtype_var tvar in
    pid.jc_logic_info_parameters <- [Jc_pervasives.var tvar "x";
                                     Jc_pervasives.var (jc_ty tvar) "s"];
    pid

  let make_jc_in l =
    new assertion (JCAapp
                     {
                       jc_app_fun = iin;
                       jc_app_args = l;
                       jc_app_region_assoc = [];
                       jc_app_label_assoc = []
                     })

  let idisj =
    let pid = make_pred ndisj in
    let tvar = Jc_type_var.type_var_from_string ~univ:true "a" in
    pid.jc_logic_info_poly_args <- [tvar];
    let tvar = JCTtype_var tvar in
    pid.jc_logic_info_parameters <- [Jc_pervasives.var (jc_ty tvar) "s1";
                                     Jc_pervasives.var (jc_ty tvar) "s2"];
    pid

  let make_jc_disj l =
    new assertion (JCAapp
                     {
                       jc_app_fun = idisj;
                       jc_app_args = l;
                       jc_app_region_assoc = [];
                       jc_app_label_assoc = []
                     })


  let isub =
    let pid = make_pred sub_pred in
    let tvar = Jc_type_var.type_var_from_string ~univ:true "a" in
    pid.jc_logic_info_poly_args <- [tvar];
    let tvar = JCTtype_var tvar in
    pid.jc_logic_info_parameters <- [Jc_pervasives.var (jc_ty tvar) "s1";
                                     Jc_pervasives.var (jc_ty tvar) "s2"];
    pid

  let make_jc_sub l =
    new assertion (JCAapp
                     {
                       jc_app_fun = isub;
                       jc_app_args = l;
                       jc_app_region_assoc = [];
                       jc_app_label_assoc = []
                     })




  type elt_set =
      [ `Empty | `All | `MyBag of term
      | `Elt of term]

  (* this order is important *)
  let num = function
    | `Empty -> 1
    | `All -> 2
    | `Elt _ -> 3
    | `MyBag _ -> 4

  let compare e1 e2 =
    let c = compare (num e1) (num e2) in
    if c <> 0 then c else compare e1 e2

  let print fmt : elt_set -> unit = function
    | `Empty -> fprintf fmt "empty"
    | `All -> fprintf fmt "all"
    | `MyBag s -> fprintf fmt "mybag(%a)" Output.fprintf_term s
    | `Elt s -> fprintf fmt "elt(%a)" Output.fprintf_term s

 (* let make_inter_rem_list (l:elt_set list) =
    let rec aux  = function
    | [] -> all
    | `Empty::_ -> empty
    | `All::l -> aux l
    | `MyBag s::l -> make_inter s (aux l)
    | `Elt e::l -> make_rem e (aux l) in
    let l_s = remove_double compare l in
    Jc_options.lprintf "make_inter_rem : %a" (print_list comma print) l_s;
    aux l_s
 *)
end



module NotIn =
struct
  type t = {
    for_one : bool; (*true if its not a bag but one element (a singleton) *)
    mem : Memory.t;
    label : label;
    mem_name : string;
    name : string;
    ty_mem : logic_type;
  }

  let compare t1 t2 = Memory.compare t1.mem t2.mem

  let from_memory for_one (((mc,_distr) as m),label) =
    let (s,_,_) = tmemory_param ~label_in_name:true label m
      (*memory_name (mc,distr)*) in
    if for_one
    then
      {for_one = true;
       mem = m;
       label = label;
       mem_name = s;
       name = s^in_suffix^"_elt";
       ty_mem = memory_type mc}
    else
      {for_one = false;
       mem = m;
       label = label;
       mem_name = s;
       name = s^in_suffix;
       ty_mem = memory_type mc}

  let is_memory t m =
    (*Jc_options.lprintf "is_memory : %s = %s@." m t.mem_name;*)
    m = t.mem_name
  let is_memory_var t = function
    | LVar m -> is_memory t m
    | _ -> false

  let notin_args t = LVar (t.name)

  let for_one t = t.for_one
  let name t = t.name
  let var t = LVar t.name
  let ty_elt t = raw_pointer_type (fst (deconstruct_memory_type_args t.ty_mem))
  let ty_elt_val t = snd (deconstruct_memory_type_args t.ty_mem)

  let jc_ty_elt t =
    let root = match alloc_class_of_mem_class (fst t.mem) with
      | JCalloc_root r -> r
      | JCalloc_bitvector -> assert false in
    JCTpointer(JCroot root,None,None)

  let jc_ty t = MyBag.jc_ty (jc_ty_elt t)

  let ty t =
    let ty = ty_elt t in
    if t.for_one
    then ty
    else MyBag.ty ty

  let mem_name t = t.mem_name
  let mem_name2 t =
    let mem_name = memory_name t.mem in
    if t.for_one
    then mem_name^"_elt"
    else mem_name
end

module NotInSet = Set.Make(NotIn)
module NotInMap = Map.Make(NotIn)


let in_name notin s = s^(NotIn.mem_name2 notin)^in_suffix

let get_in_logic =
  let memo = Hashtbl.create 10 in
  fun f notin ->
    try
      Hashtbl.find memo (f.jc_logic_info_tag,notin)
    with Not_found ->
      let fin = make_logic_fun (in_name notin f.jc_logic_info_name)
        (NotIn.jc_ty notin) in
      fin.jc_logic_info_result_region <- f.jc_logic_info_result_region;
      fin.jc_logic_info_poly_args <- f.jc_logic_info_poly_args;
      fin.jc_logic_info_parameters <- f.jc_logic_info_parameters;
      fin.jc_logic_info_param_regions <- f.jc_logic_info_param_regions;
      fin.jc_logic_info_effects <- f.jc_logic_info_effects;
      fin.jc_logic_info_labels <- f.jc_logic_info_labels;
      IntHashtblIter.add Jc_typing.logic_functions_table fin.jc_logic_info_tag
        (fin,JCNone);
      Hashtbl.add memo (f.jc_logic_info_tag,notin) fin;
      fin

let app_in_logic f fparams label notin =
  let fin = get_in_logic f notin in
  let app = {jc_app_fun = fin;
             jc_app_args = fparams;
             jc_app_region_assoc = [];
             jc_app_label_assoc =
      List.map (fun e -> (e,label)) fin.jc_logic_info_labels} in
  new term (NotIn.jc_ty notin) (JCTapp app)
why-2.39/jc/jc_output.ml0000644000106100004300000006176213147234006014207 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



open Format
open Jc_env
open Jc_ast
open Jc_fenv
open Jc_pervasives
open Jc_constructors
open Jc_output_misc
open Pp

type jc_decl =
  | JCfun_def of jc_type * string * (bool * var_info) list *
      fun_spec * expr option
  | JCenum_type_def of string * Num.num * Num.num
  | JCvariant_type_def of string * string list
  | JCunion_type_def of string * string list
  | JCstruct_def of string * string option * field_info list *
      (string * var_info * assertion) list
  | JCrec_struct_defs of jc_decl list
      (* deprecated, all tag definitions of a file are mutually recursive *)
  | JCrec_fun_defs of jc_decl list
  | JCvar_def of jc_type * string * expr option
  | JClemma_def of string * bool * type_var_info list * label list * assertion
  | JClogic_fun_def of jc_type option * string * type_var_info list * label list 
      * var_info list * term_or_assertion      
  | JCexception_def of string * exception_info
  | JCglobinv_def of string * assertion
  | JClogic_const_def of jc_type * string * type_var_info list * term option
  | JClogic_type_def of string * type_var_info list
  | JCinvariant_policy of Jc_env.inv_sem
  | JCseparation_policy of Jc_env.separation_sem
  | JCannotation_policy of Jc_env.annotation_sem
  | JCabstract_domain of Jc_env.abstract_domain 
  | JCint_model of Jc_env.int_model      
  | JCfloat_rounding_mode of Jc_env.float_rounding_mode      
  | JCfloat_model of Jc_env.float_model 
  | JCfloat_instruction_set of string
  | JCtermination_policy of Jc_env.termination_policy

(*
let lbin_op op =
  if op == Jc_pervasives.ge_int then ">=" else
  if op == Jc_pervasives.le_int then "<=" else
  if op == Jc_pervasives.gt_int then ">" else
  if op == Jc_pervasives.lt_int then "<" else
  if op == Jc_pervasives.eq then "==" else
  if op == Jc_pervasives.neq then "!=" else
  if op == Jc_pervasives.add_int then "+" else
  if op == Jc_pervasives.sub_int then "-" else
  if op == Jc_pervasives.mul_int then "*" else
  if op == Jc_pervasives.div_int then "/" else
  if op == Jc_pervasives.mod_int then "%" else
  if op == Jc_pervasives.shift then "+" else
  raise Not_found
*)

let identifier fmt id =
  fprintf fmt "%s" id#name

let type_var_info fmt x = fprintf fmt "%s" (Jc_type_var.uname x)

let bin_op (op, _) = match op with
  | `Blt -> "<"
  | `Bgt -> ">"
  | `Ble -> "<="
  | `Bge -> ">="
  | `Beq -> "=="
  | `Bneq -> "!="
  | `Badd -> "+"
  | `Bsub -> "-"
  | `Bmul -> "*"
  | `Bdiv -> "/"
  | `Bmod -> "%"
  | `Bland -> "&&"
  | `Blor -> "||"
  | `Bimplies -> "==>"
  | `Biff -> "<==>"
  | `Bbw_and -> "&"
  | `Bbw_or -> "|"
  | `Bbw_xor -> "^"
  | `Blogical_shift_right -> ">>"
  | `Barith_shift_right -> ">>>"
  | `Bshift_left -> "<<"
  | `Bconcat -> "@"

let unary_op (op, _) = match op with
  | `Uminus -> "-"
  | `Unot -> "!"
  | `Ubw_not -> "~"

let real_conversion fmt rc =
  match rc with
    | Integer_to_real -> fprintf fmt "real"
    | Double_to_real -> fprintf fmt "double_value"
    | Float_to_real -> fprintf fmt "single_value"
    | Round(_f,_m) -> (* fprintf fmt "r_to_s" ou "r_to_" *)
         (* TODO ? parameter rounding mode *)
	assert false

let rec pattern fmt p =
  match p#node with
    | JCPstruct(st, lbls) ->
	fprintf fmt "@[%s{@ " st.jc_struct_info_name;
	List.iter
	  (fun (lbl, pat) ->
	     fprintf fmt "%s = %a;@ " lbl.jc_field_info_name pattern pat)
	  lbls;
	fprintf fmt "}@]"
    | JCPvar vi ->
	fprintf fmt "%s" vi.jc_var_info_name
    | JCPor(p1, p2) ->
	fprintf fmt "(%a)@ | (%a)" pattern p1 pattern p2
    | JCPas(pat, vi) ->
	fprintf fmt "(%a as %s)" pattern pat vi.jc_var_info_name
    | JCPany ->
	fprintf fmt "_"
    | JCPconst c ->
	fprintf fmt "%a" const c

let rec term fmt t =
  if t#mark <> "" then
    fprintf fmt "@[(%s : %a)@]" 
      t#mark term (new term_with ~mark:"" t)
  else
  match t#node with
    | JCTvar vi -> fprintf fmt "%s" vi.jc_var_info_name
    | JCTbinary(t1,op,t2) ->
	fprintf fmt "@[(%a %s %a)@]" term t1 (bin_op op) term t2
    | JCTunary(op,t1) ->
	fprintf fmt "@[(%s %a)@]" (unary_op op) term t1
    | JCTif (t1,t2,t3) -> 
	fprintf fmt "@[(%a ? %a : %a)@]" term t1 term t2 term t3
    | JCTlet (vi,t1,t2) -> 
	fprintf fmt "@[(let %s = %a in %a)@]" 
          vi.jc_var_info_name term t1 term t2 
    | JCTcast (t, _, si)
    | JCTbitwise_cast (t, _, si) ->
	fprintf fmt "(%a :> %s)" term t si.jc_struct_info_name
    | JCTrange_cast (t, ei) ->
	fprintf fmt "(%a :> %s)" term t ei.jc_enum_info_name
    | JCTreal_cast (t, rc) ->
	fprintf fmt "(%a :> %a)" term t real_conversion rc
    | JCTinstanceof (t, _, si) ->
	fprintf fmt "(%a <: %s)" term t si.jc_struct_info_name
    | JCToffset (k,t,_)->
	fprintf fmt "@[\\offset_m%a(%a)@]" offset_kind k term t
    | JCTaddress(absolute,t) ->
	fprintf fmt "@[\\%aaddress(%a)@]" address_kind absolute term t
    | JCTbase_block (t)->
	fprintf fmt "@[\\base_block(%a)@]" term t
    | JCTold t -> fprintf fmt "@[\\old(%a)@]" term t
    | JCTat(t,lab) -> fprintf fmt "@[\\at(%a,%a)@]" term t label lab
(*
    | JCTapp app when List.length app.jc_app_args = 1 ->
	let op = app.jc_app_fun in
	let t1 = List.hd app.jc_app_args in
	begin try 
	  ignore 
	    (Hashtbl.find Jc_typing.enum_conversion_logic_functions_table op);
	  (* conversion due to enumeration. Ignore it. *)
	  term fmt t1
	with Not_found ->
	  fprintf fmt "%s(@[%a@])" op.jc_logic_info_name term t1
	end
    | JCTapp app when List.length app.jc_app_args = 2 ->
	let op = app.jc_app_fun in
	let l = app.jc_app_args in
	  begin try
	  let s = lbin_op op in
	  fprintf fmt "@[(%a %s %a)@]" term t1 s term t2
	with Not_found ->
	  fprintf fmt "@[%s(%a)@]" op.jc_logic_info_name
	    (print_list comma term) l 
	end
*)
    | JCTapp app ->
	let op = app.jc_app_fun and l = app.jc_app_args in
	fprintf fmt "%s(@[%a@])" op.jc_logic_info_name
	  (print_list comma term) l 
    | JCTderef (t, _label, fi)-> 
	fprintf fmt "@[%a.%s@]" term t fi.jc_field_info_name	
    | JCTshift (t1, t2) -> 
	fprintf fmt "@[(%a + %a)@]" term t1 term t2
    | JCTconst c -> const fmt c
    | JCTrange (t1,t2) -> 
	fprintf fmt "@[[%a..%a]@]" (print_option term) t1 (print_option term) t2
    | JCTmatch (t, ptl) ->
	fprintf fmt "@[match %a with@ " term t;
	List.iter
	  (fun (p, t) -> fprintf fmt "  @[%a ->@ %a;@]@ "
	     pattern p term t) ptl;
	fprintf fmt "end@]"

let quantifier = Jc_poutput.quantifier

let rec assertion fmt a =
  if a#mark <> "" then
    fprintf fmt "@[(%s : %a)@]" 
      (a#mark) assertion
      (new assertion_with ~mark:"" a)
  else
  match a#node with
    | JCAtrue -> fprintf fmt "true"
    | JCAif (t, a1, a2) ->
	fprintf fmt "@[(%a ? %a : %a)@]" term t assertion a1 assertion a2
    | JCAbool_term t -> term fmt t
    | JCAinstanceof (t, _lab, st) ->
	fprintf fmt "(%a <: %s)" term t st.jc_struct_info_name
    | JCAfresh t -> fprintf fmt "\\fresh(%a)" term t
    | JCAold a -> fprintf fmt "\\old(%a)" assertion a
    | JCAat(a,lab) -> fprintf fmt "\\at(%a,%a)" assertion a label lab
    | JCAquantifier (q,vi, trigs, a)-> 
	fprintf fmt "@[(\\%a %a %s%a;@\n%a)@]"
	  quantifier q
	  print_type vi.jc_var_info_type
	  vi.jc_var_info_name
          triggers trigs
	  assertion a
    | JCArelation (t1, op, t2) ->
	fprintf fmt "@[(%a %s %a)@]" term t1 (bin_op op) term t2
    | JCAapp app ->
	 fprintf fmt "@[%s(%a)@]" app.jc_app_fun.jc_logic_info_name
	      (print_list comma term) app.jc_app_args 
    | JCAnot a1 ->
	fprintf fmt "@[(!@ %a)@]" assertion a1
    | JCAiff (a1, a2)-> 
	fprintf fmt "@[(%a <==>@ %a)@]" assertion a1 assertion a2
    | JCAimplies (a1, a2)-> 
	fprintf fmt "@[(%a ==>@ %a)@]" assertion a1 assertion a2
    | JCAor [] -> assert false
    | JCAor (a::l) -> 
	fprintf fmt "@[(%a" assertion a;
	List.iter
	  (fun a -> fprintf fmt " ||@ %a" assertion a)
	  l;
	fprintf fmt ")@]"
    | JCAand [] -> assert false
    | JCAand (a::l) -> 
	fprintf fmt "@[(%a" assertion a;
	List.iter
	  (fun a -> fprintf fmt " &&@ %a" assertion a)
	  l;
	fprintf fmt ")@]"
    | JCAfalse -> fprintf fmt "false"
    | JCAmutable _ -> 
        fprintf fmt "mutable(TODO)"
    | JCAeqtype _ -> assert false (* TODO *)
    | JCAsubtype _ -> assert false (* TODO *)
    | JCAlet (vi, t, p) ->
	fprintf fmt "@[let %s =@ %a in@ %a@]" vi.jc_var_info_name
          term t
	  assertion p
    | JCAmatch (t, pal) ->
	fprintf fmt "@[match %a with@ " term t;
	List.iter
	  (fun (p, a) -> fprintf fmt "  @[%a ->@ %a;@]@ "
	     pattern p assertion a) pal;
	fprintf fmt "end@]"

and triggers fmt trigs = 
  let pat fmt = function
  | JCAPatT t -> term fmt t
  | JCAPatP p -> assertion fmt p in
  print_list_delim lsquare rsquare alt (print_list comma pat) fmt trigs	


let rec location_set fmt locs = 
  match locs#node with
    | JCLSvar vi-> 
	fprintf fmt "%s" vi.jc_var_info_name
    | JCLSderef (locs, _, fi, _) ->
	fprintf fmt "%a.%s" location_set locs fi.jc_field_info_name
    | JCLSrange (locset, t1, t2) ->
	fprintf fmt "(%a + [%a..%a])" location_set locset 
	  (print_option term) t1 (print_option term) t2
    | JCLSrange_term (locset, t1, t2) ->
	fprintf fmt "(%a + [%a..%a])" term locset 
	  (print_option term) t1 (print_option term) t2
    | JCLSat(locset,lab) ->
	fprintf fmt "\\at(%a, %a)" location_set locset label lab

let rec location fmt loc = 
  match loc#node with
    | JCLvar vi -> 
	fprintf fmt "%s" vi.jc_var_info_name
    | JCLderef (locs, _, fi,_) ->
	fprintf fmt "%a.%s" location_set locs fi.jc_field_info_name
    | JCLderef_term (t1, fi) ->
	fprintf fmt "%a.%s" term t1 fi.jc_field_info_name
    | JCLat (loc, lab) ->
	fprintf fmt "\\at(%a,%a)" location loc label lab

let behavior fmt (_loc,id,b) =
  fprintf fmt "@\n@[behavior %s:" id;
  Option_misc.iter
    (fun a -> fprintf fmt "@\nassumes %a;" assertion a) 
    b.jc_behavior_assumes;
  Option_misc.iter
  (fun a -> fprintf fmt "@\nthrows %s;" a.jc_exception_info_name) 
    b.jc_behavior_throws;    
  Option_misc.iter 
    (fun (_,locs) -> fprintf fmt "@\nassigns %a;" 
       (print_list_or_default "\\nothing" comma location) locs)
    b.jc_behavior_assigns;
  fprintf fmt "@\nensures %a;@]" assertion b.jc_behavior_ensures
  
let print_spec fmt s =
  fprintf fmt "@\n@[  requires @[%a@];" assertion s.jc_fun_requires;
  Option_misc.iter 
    (fun (t,r) -> match r with
       | None -> fprintf fmt "@\n@[  decreases @[%a@];" term t
       | Some li -> fprintf fmt "@\n@[  decreases @[%a@] for %s;" 
	   term t li.jc_logic_info_name) 
    s.jc_fun_decreases;
  List.iter (behavior fmt) (s.jc_fun_default_behavior :: s.jc_fun_behavior);
  fprintf fmt "@]"

let call_bin_op _op =
(*
  if op == Jc_pervasives.shift_ then "+" else
*)
  raise Not_found

let rec expr fmt e =
  if e#mark <> "" then
    fprintf fmt "@[(%s : %a)@]" 
      e#mark expr (new expr_with ~mark:"" e)
  else
    match e#node with
      | JCEconst c -> const fmt c
      | JCEvar vi -> 
	  fprintf fmt "%s" vi.jc_var_info_name
      | JCEderef(e, fi) -> 
	  fprintf fmt "%a.%s" expr e fi.jc_field_info_name 
      | JCEbinary(e1, op, e2) ->
	  fprintf fmt "@[(%a %s %a)@]" expr e1 (bin_op op) expr e2
      | JCEunary(op,e1) ->
	  fprintf fmt "@[(%s %a)@]" (unary_op op) expr e1
      | JCEassign_var(v, e) -> 
	  fprintf fmt "(%s = %a)" v.jc_var_info_name expr e
      | JCEassign_heap(e1, fi, e2) -> 
	  fprintf fmt "%a.%s = %a" expr e1 fi.jc_field_info_name expr e2
      | JCEinstanceof(e, si) ->
	  fprintf fmt "(%a <: %s)" expr e si.jc_struct_info_name
      | JCEcast(e, si)
      | JCEbitwise_cast(e, si) ->
	  fprintf fmt "(%a :> %s)" expr e si.jc_struct_info_name
      | JCErange_cast(e, ri) ->
	  fprintf fmt "(%a :> %s)" expr e ri.jc_enum_info_name
      | JCEreal_cast(e, rc) ->
	  fprintf fmt "(%a :> %a)" expr e real_conversion rc
      | JCEif(e1,e2,e3) -> 
	  fprintf fmt "@[(%a ? %a : %a)@]" expr e1 expr e2 expr e3
      | JCEoffset(k,e, _) ->
	  fprintf fmt "\\offset_m%a(%a)" offset_kind k expr e
      | JCEaddress(absolute,e) ->
	  fprintf fmt "\\%aaddress(%a)" address_kind absolute expr e
      | JCEbase_block(e) ->
	  fprintf fmt "\\base_block(%a)" expr e
      | JCEfresh(e) ->
	  fprintf fmt "\\fresh(%a)" expr e
      | JCEalloc(e, si) ->
	  fprintf fmt "(new %s[%a])" si.jc_struct_info_name expr e
      | JCEfree e ->
	  fprintf fmt "(free(%a))" expr e
      | JCElet(vi,Some e1,e2) -> 
	  fprintf fmt "@[(let %s =@ %a@ in %a)@]" 
	    vi.jc_var_info_name expr e1 expr e2
      | JCElet(vi,None,e2) -> 
	  fprintf fmt "@[%a %s; %a@]"  
	    print_type vi.jc_var_info_type vi.jc_var_info_name expr e2
      | JCEassert(behav,asrt,a) -> 
	  fprintf fmt "@\n%a %a%a;" 
	    asrt_kind asrt
	    (print_list_delim 
	       (constant_string "for ") (constant_string ": ") 
	       comma identifier)
	    behav
	    assertion a
      | JCEcontract(_req,_dec,_vi_result,_behs,_e) ->
	  assert false (* TODO *)
      | JCEblock l ->
          block fmt l
      | JCEreturn_void ->
	  fprintf fmt "@\nreturn;"
      | JCEreturn(_, e) ->
	  fprintf fmt "@\nreturn %a;" expr e
      | JCEtry(s, hl, fs) ->
	  fprintf fmt
	    "@\n@[try %a@]%a@\n@[finally%a@]"
	    expr s
	    (print_list nothing handler) hl
	    expr fs
      | JCEthrow(ei, eo) ->
	  fprintf fmt "@\nthrow %s %a;"
	    ei.jc_exception_info_name
	    (print_option_or_default "()" expr) eo
      | JCEpack _ ->
          fprintf fmt "pack(TODO)"
      | JCEunpack _ ->
          fprintf fmt "unpack(TODO)"
      | JCEmatch(e, pel) ->
	  fprintf fmt "@[match %a with@ " expr e;
	  List.iter
	    (fun (p, e) -> fprintf fmt "  @[%a ->@ %a;@]@ "
	       pattern p expr e) pel;
	  fprintf fmt "end@]"
      | JCEshift(e1, e2) -> 
	  fprintf fmt "@[(%a + %a)@]" expr e1 expr e2
      | JCEloop(la, e) ->
          fprintf fmt "@\n@[%a%a@\nwhile (true)%a@]"
	  (print_list nothing loop_behavior) 
(*
	     (fun fmt (behav,inv) -> fprintf fmt "@\ninvariant %a%a;"
		(print_list_delim 
		   (constant_string "for ") (constant_string ": ") 
		   comma string)
		behav
		assertion inv))
*)
	    la.jc_loop_behaviors
            (print_option 
               (fun fmt (t,r) -> 
                  match r with
                    | None -> fprintf fmt "@\nvariant %a;" term t
                    | Some r -> fprintf fmt "@\nvariant %a for %s;" term t
                        r.jc_logic_info_name
               ))
            la.jc_loop_variant
            expr e
      | JCEapp{ jc_call_fun = (JClogic_fun{ jc_logic_info_final_name = name }
                | JCfun{ jc_fun_info_final_name = name });
                jc_call_args = args } ->
          fprintf fmt "@[%s(%a)@]" name
            (print_list comma expr) args
	
and loop_behavior fmt (ids,inv,ass) =        
  fprintf fmt "@\n@[behavior %a:@\n"
    (print_list comma (fun fmt id -> fprintf fmt "%s" id#name)) ids;
  Option_misc.iter
    (fun i -> fprintf fmt "invariant %a;" assertion i) inv;
  Option_misc.iter 
    (fun locs -> fprintf fmt "@\nassigns %a;" 
       (print_list_or_default "\\nothing" comma location) locs)
    ass;
  fprintf fmt "@]"

and case fmt (c,sl) =
  let onecase fmt = function
    | Some c ->
	fprintf fmt "@\ncase %a:" expr c
    | None ->
	fprintf fmt "@\ndefault:"
  in
  fprintf fmt "%a%a" (print_list nothing onecase) c block sl

and handler fmt (ei,vio,s) =
  fprintf fmt "@\n@[catch %s %a %a@]"
    ei.jc_exception_info_name 
    (print_option_or_default "__dummy"
      (fun fmt vi -> fprintf fmt "%s" vi.jc_var_info_name)) vio
    expr s

and statements fmt l = List.iter (expr fmt) l

and block fmt b =
  fprintf fmt "@\n@[{@[  ";
  statements fmt b;
  fprintf fmt "@]@\n}@]"


let param fmt vi =
  fprintf fmt "%a %s" print_type vi.jc_var_info_type vi.jc_var_info_name

let fun_param fmt (valid,vi) =
  fprintf fmt "%s%a %s" 
    (if valid then "" else "!")
    print_type vi.jc_var_info_type vi.jc_var_info_name

let field fmt fi =
  fprintf fmt "@\n";
  if fi.jc_field_info_rep then
    fprintf fmt "rep ";
  fprintf fmt "%a %s" 
    print_type fi.jc_field_info_type fi.jc_field_info_name;
  match fi.jc_field_info_bitsize with
    | Some bitsize ->
	fprintf fmt ": %d;" bitsize
    | None -> 
	fprintf fmt ";"

let invariant fmt (id, vi, a) =
  fprintf fmt "@\n@[invariant %s(%s) =@ %a;@]"
    id vi.jc_var_info_name assertion a

let term_or_assertion fmt = function
  | JCAssertion a -> 
      fprintf fmt "=@\n%a" assertion a
  | JCTerm t ->
      fprintf fmt "=@\n%a" term t
  | JCNone -> 
      fprintf fmt ";"
  | JCReads [] -> 
      fprintf fmt "reads \\nothing;"
  | JCReads locs -> 
      fprintf fmt "reads %a;" (print_list comma location) locs
  | JCInductive l ->
      fprintf fmt "{@\n@[%a@]@\n}" 
	(print_list newline 
	   (fun fmt (id,labels,e) -> 
	      fprintf fmt "case %s" id#name ;
	      if labels <> [] then
		fprintf fmt "%a" 
		  (print_list_delim lbrace rbrace comma label) labels;	      
	      fprintf fmt ": %a;@\n" 
		assertion e)) l

  

let print_super fmt = function
  | None -> ()
  | Some id -> fprintf fmt "%s with " id

(*
let string_of_invariant_policy p =
  match p with
    | Jc_env.InvNone -> "None"
    | Jc_env.InvArguments -> "Arguments"
    | Jc_env.InvOwnership -> "Ownership"

let string_of_separation_policy p =
  match p with
    | Jc_env.SepNone -> "None"
    | Jc_env.SepRegions -> "Regions"

let string_of_annotation_policy p =
  match p with
    | Jc_env.AnnotNone -> "None"
    | Jc_env.AnnotInvariants -> "Invariants"
    | Jc_env.AnnotElimPre -> "ElimPre"
    | Jc_env.AnnotStrongPre -> "StrongPre"
    | Jc_env.AnnotWeakPre -> "WeakPre"
 
let string_of_abstract_domain p =
  match p with
    | Jc_env.AbsNone -> "None"
    | Jc_env.AbsBox -> "Box"
    | Jc_env.AbsOct -> "Oct"
    | Jc_env.AbsPol -> "Pol"

let string_of_int_model p =
  match p with
    | Jc_env.IMbounded -> "bounded"
    | Jc_env.IMmodulo -> "modulo"
*)

let string_of_float_rounding_mode p =
  match p with
    | Jc_env.FRMNearestEven -> "nearesteven"
    | Jc_env.FRMDown -> "down"
    | Jc_env.FRMUp -> "up"
    | Jc_env.FRMToZero -> "tozero"
    | Jc_env.FRMNearestAway -> "nearestaway"

let string_of_float_model p =
  match p with
    | Jc_env.FMmath -> "math"
    | Jc_env.FMdefensive -> "defensive"
    | Jc_env.FMfull-> "full"
    | Jc_env.FMmultirounding-> "multirounding"

let rec print_decl fmt d =
  match d with
    | JCinvariant_policy p ->
        fprintf fmt "# InvariantPolicy = %s@\n" (string_of_invariant_policy p)  
    | JCseparation_policy p ->
        fprintf fmt "# SeparationPolicy = %s@\n" (string_of_separation_policy p)
    | JCannotation_policy p ->
        fprintf fmt "# AnnotationPolicy = %s@\n" (string_of_annotation_policy p)
    | JCtermination_policy p ->
        fprintf fmt "# TerminationPolicy = %s@\n" (string_of_termination_policy p)
    | JCabstract_domain p ->
        fprintf fmt "# AbstractDomain = %s@\n" (string_of_abstract_domain p)
    | JCint_model p ->
        fprintf fmt "# IntModel = %s@\n" (string_of_int_model p)
    | JCfloat_model p ->
        fprintf fmt "# FloatModel = %s@\n" (string_of_float_model p)
    | JCfloat_rounding_mode p ->
        fprintf fmt "# FloatRoundingMode = %s@\n" (string_of_float_rounding_mode p)
    | JCfloat_instruction_set p ->
        fprintf fmt "# FloatInstructionSet = %s@\n" p
    | JCfun_def(ty,id,params,spec,body) ->
	fprintf fmt "@\n@[%a %s(@[%a@])%a%a@]@." print_type ty id
	  (print_list comma fun_param) params 
	  print_spec spec 
	  (print_option_or_default "\n;" expr) body
    | JCenum_type_def(id,min,max) ->
	fprintf fmt "@\n@[type %s = %s..%s@]@."
	  id (Num.string_of_num min) (Num.string_of_num max)
    | JCvariant_type_def(id, tags) ->
	fprintf fmt "@\n@[type %s = [" id;
	print_list
	  (fun fmt () -> fprintf fmt " | ")
	  (fun fmt tag -> fprintf fmt "%s" tag)
	  fmt tags;
	fprintf fmt "]@]@."
    | JCunion_type_def(id, tags) ->
	fprintf fmt "@\n@[type %s = [" id;
	print_list
	  (fun fmt () -> fprintf fmt " & ")
	  (fun fmt tag -> fprintf fmt "%s" tag)
	  fmt tags;
	fprintf fmt "]@]@."
    | JCstruct_def (id, extends, fields, invs) ->
	fprintf fmt "@\n@[tag %s = %a{%a%a@]@\n}@."
	  id print_super extends (print_list space field) fields 
	  (print_list space invariant) invs
    | JCrec_struct_defs dlist | JCrec_fun_defs dlist ->
	print_list (fun _fmt () -> ()(*fprintf fmt "@\nand"*))
	  print_decl fmt dlist
    | JCvar_def(ty,id,init) ->
	fprintf fmt "@\n@[%a %s%a;@]@." print_type ty id
	  (print_option (fun fmt e -> fprintf fmt " = %a" expr e)) init
    | JClemma_def(id,is_axiom,poly_args,lab,a) ->
	fprintf fmt "@\n@[%s %s%a%a :@\n%a@]@." 
          (if is_axiom then "axiom" else "lemma") id
          (print_list_delim lchevron rchevron comma type_var_info) poly_args
          (print_list_delim lbrace rbrace comma label) lab
          assertion a
    | JCglobinv_def(id,a) ->
	fprintf fmt "@\n@[invariant %s :@\n%a@]@." id assertion a
    | JCexception_def(id,ei) ->
	fprintf fmt "@\n@[exception %s of %a@]@." id
	  (print_option_or_default "unit" print_type)
	  ei.jc_exception_info_type
    | JClogic_const_def(ty,id,poly_args,None) ->
	fprintf fmt "@\n@[logic %a %s%a@]@." print_type ty id 
          (print_list_delim lchevron rchevron comma type_var_info) poly_args
          
    | JClogic_const_def(ty,id,poly_args,Some t) ->
	fprintf fmt "@\n@[logic %a %s%a = %a@]@." print_type ty id
          (print_list_delim lchevron rchevron comma type_var_info) poly_args
	  term t
    | JClogic_fun_def(None,id,poly_args,labels,[],JCReads l) ->
	assert (l=[]);
	assert (labels=[]);
	fprintf fmt "@\n@[predicate %s@[%a@]@]@." 
	  id
          (print_list_delim lchevron rchevron comma type_var_info) poly_args
    | JClogic_fun_def(Some ty,id,poly_args,labels,[],JCReads l) ->
	assert (l=[]);
	assert (labels=[]);
	fprintf fmt "@\n@[logic %a %s@[%a@]@]@." 
	  print_type ty id
          (print_list_delim lchevron rchevron comma type_var_info) poly_args
(* Yannick: no need for different rule for const logic *)
(*     | JClogic_fun_def(ty,id,labels,[],JCTerm t) -> *)
(* 	assert (labels=[]); *)
(* 	fprintf fmt "@\n@[logic %a %s = %a@]@."  *)
(* 	  (print_option print_type) ty id term t *)
(*    | JClogic_fun_def(ty,id,poly_args,[],params,body) ->
	fprintf fmt "@\n@[logic %a %s@[%a@](@[%a@]) %a@]@." 
	  (print_option print_type) ty id 
          (print_list_delim lchevron rchevron comma type_var_info) poly_args
          (print_list comma param) params
	  term_or_assertion body *)
    | JClogic_fun_def (None, id, poly_args, labels, params, body) ->
	fprintf fmt "@\n@[predicate %s%a%a(@[%a@]) %a@]@." 
	  id 
          (print_list_delim lchevron rchevron comma type_var_info) poly_args
          (print_list_delim lbrace rbrace comma label) labels
	  (print_list comma param) params
	  term_or_assertion body 
    | JClogic_fun_def (Some ty, id, poly_args, labels, params, body) ->
	fprintf fmt "@\n@[logic %a %s%a%a(@[%a@]) %a@]@." 
	  print_type ty id
          (print_list_delim lchevron rchevron comma type_var_info) poly_args
          (print_list_delim lbrace rbrace comma label) labels
	  (print_list comma param) params
	  term_or_assertion body 
    | JClogic_type_def (id,args) ->
	fprintf fmt "@\n@[logic type %s%a@]@." id
          (print_list_delim lchevron rchevron comma type_var_info) args
   
let rec print_decls fmt d =
  match d with
    | [] -> ()
    | d::r -> print_decl fmt d; print_decls fmt r


(*
Local Variables: 
compile-command: "LC_ALL=C make -j -C .. bin/jessie.byte bin/krakatoa.byte"
End: 
*)
why-2.39/jc/jc_type_var.ml0000644000106100004300000001722713147234006014475 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

open Jc_env
open Jc_envset
open Jc_pervasives

type t = type_var_info

let type_var_from_string = let c = ref 0 in fun ?(univ=false) n -> incr c; 
  { jc_type_var_info_name = n;
    jc_type_var_info_tag = !c;
    jc_type_var_info_univ = univ}

let uid x = x.jc_type_var_info_tag

let name x = x.jc_type_var_info_name

let uname x =
  name x ^ string_of_int (uid x)

type typing_error = {f : 'a. Loc.position -> ('a, Format.formatter, unit, unit) format4 -> 'a}

type env = { typing_error : typing_error;
             mutable smap : t StringMap.t;
             mutable vmap : jc_type TypeVarMap.t}

let create x = {typing_error = x;
                smap = StringMap.empty;
                vmap = TypeVarMap.empty}

let reset env = env.smap <- StringMap.empty;env.vmap <- TypeVarMap.empty
  

(** Add substitution from string to type *)
let add_type_var env s = 
  if StringMap.mem s env.smap 
  then invalid_arg ("The same identifier appear twice as polymorphic variable in a function")
  else 
    (let n = (type_var_from_string ~univ:true s) in
    env.smap <- StringMap.add s n env.smap;
    n)

(*                    if subtype_strict te#typ ty then te
                     else
                       typing_error e#pos 
                         "type %a expected instead of %a" 
                         print_type ty print_type te#typ*)

let find_type_var env s = StringMap.find s env.smap

exception Not_subtype of jc_type * jc_type

let rec substruct st = function
  | (JCtag(st', _)) as pc ->
      if st == st' then true else
        let vi = struct_root st and vi' = struct_root st' in
        (vi == vi' && (root_is_union vi))
        || 
        begin match st.jc_struct_info_parent with
          | None -> false
          | Some(p, []) -> substruct p pc
          | Some(_p, _) -> assert false (* TODO *)
        end
  | JCroot vi ->
      struct_root st == vi

let rec dec_type ~subtype acc t1 t2 =
  let accorraise b = if b then acc else raise (Not_subtype (t1,t2)) in
  match t1,t2 with
    | JCTnative t1, JCTnative t2 ->
        accorraise (t1=t2 ||
         (* integer is subtype of real *)
            (subtype && match t1,t2 with 
               | Tinteger, Treal -> true
	       | _ -> false))
    | JCTenum ri1, JCTenum ri2 -> 
        accorraise (subtype && Num.ge_num ri1.jc_enum_info_min ri2.jc_enum_info_min &&
                      Num.le_num ri1.jc_enum_info_max ri2.jc_enum_info_max) 
    | JCTenum _, JCTnative (Tinteger | Treal) ->
        accorraise subtype
    | JCTnative Tinteger, JCTenum _ -> 
        accorraise false
    | JCTpointer(JCtag(s1, []), _, _), JCTpointer(pc, _, _) -> 
        accorraise (substruct s1 pc)
    | JCTpointer(JCroot v1, _, _), JCTpointer(JCroot v2, _, _) ->
         accorraise (v1 == v2)
    | JCTnull, (JCTnull | JCTpointer _) ->
        accorraise subtype
    | JCTlogic (s1,l1), JCTlogic (s2,l2) ->
        if s1=s2 then List.fold_left2 (dec_type ~subtype) acc l1 l2
        else raise (Not_subtype (t1,t2))
          (* No subtyping for this case, the equality is strict *)
    | JCTtype_var {jc_type_var_info_tag = t1}, 
        JCTtype_var {jc_type_var_info_tag = t2} when t1=t2-> acc
    | (JCTtype_var ({jc_type_var_info_univ = false} as tvar),t) 
    | (t,JCTtype_var ({jc_type_var_info_univ = false} as tvar)) -> (tvar,t)::acc
    | _ -> accorraise false

let rec subst_aux vmap a =
  match a with
    | JCTtype_var tvar -> 
        (try TypeVarMap.find tvar vmap
        with Not_found -> a)
    | JCTlogic (s,l) -> JCTlogic (s,List.map (subst_aux vmap) l)
    | a -> a

let subst env a = subst_aux env.vmap a

let rec occur_check tvar t =
  match t with
    | JCTlogic (_s,l) -> List.exists (occur_check tvar) l
    | JCTtype_var tvar2 -> TypeVarOrd.equal tvar tvar2
    | _ -> false

let rec add_subst env (tvar,t) = 
  assert (not tvar.jc_type_var_info_univ);
  let t = subst_aux env.vmap t in
  try
    let t2 = TypeVarMap.find tvar env.vmap in
    add_aux ~subtype:false env t2 t
  with Not_found ->     
    if occur_check tvar t then raise (Not_subtype (JCTtype_var tvar,t))
    else env.vmap <- TypeVarMap.add tvar t env.vmap
          
and add_aux ~subtype env t1 t2 =
  let acc = dec_type ~subtype [] t1 t2 in
  List.iter (add_subst env) acc

(*let subtype_strict = subtype ~allow_implicit_cast:false*)

(** Add an equality for unification *)
let add ?(subtype=true) env pos x y = 
  (*Format.printf "%a=%a@." print_type x print_type y;*)
  try
    add_aux ~subtype env x y
  with Not_subtype (t1,t2) -> 
    env.typing_error.f pos "%a and %a can't be unified" print_type t1 print_type t2

(** Get instances of a list of type variables, 
    return a substitution function *)
let instance l =
  let aux acc e =
    (* Only universally quantified variable can be instantiate *)
    assert e.jc_type_var_info_univ;
    let e_fresh = (type_var_from_string ~univ:false e.jc_type_var_info_name) in
    TypeVarMap.add e (JCTtype_var e_fresh) acc in
  let vmap = List.fold_left aux TypeVarMap.empty l in
  subst_aux vmap

open Pp
let print_smap fmt a = print_list comma (print_pair string print_type_var) fmt (StringMap.to_list a)

let print_vmap fmt a = print_list comma (print_pair print_type_var print_type) fmt (TypeVarMap.to_list a)

let print fmt uenv = Format.fprintf fmt "uenv : smap : %a@.vmap : %a@." print_smap uenv.smap print_vmap uenv.vmap

let subst_type_in_assertion uenv =
  Jc_iterators.map_term_in_assertion
    (fun t -> new Jc_constructors.term_with ~typ:(subst uenv t#typ) t)                                   
    
(*
Local Variables: 
compile-command: "unset LANG ; make -C .. byte"
End: 
*)
why-2.39/jc/jc_parser.mly0000644000106100004300000007375013147234006014334 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

/* $Id: jc_parser.mly,v 1.140 2010-02-11 08:05:24 marche Exp $ */

%{

  open Jc_env
  open Jc_ast
  open Jc_pervasives
  open Parsing
  open Jc_constructors

  let pos () = (symbol_start_pos (), symbol_end_pos ())
  let pos_i i = (rhs_start_pos i, rhs_end_pos i)

  let locate n = new node_positioned ~pos:(pos ()) n
  let locate_identifier n = new identifier ~pos:(pos ()) n

  let skip = locate (JCPEconst JCCvoid)

  let label s = match s with
    | "Pre" -> LabelPre
    | "Old" -> LabelOld
    | "Here" -> LabelHere
    | "Post" -> LabelPost
    | _ -> 
	LabelName { 
	  label_info_name = s; 
	  label_info_final_name = s;
	  times_used = 0;
	}

  let lparams =
    List.map
      (fun (v,t,x) ->
	 if v then (t,x) else
	   Jc_options.parsing_error
	     Loc.dummy_position
	     "logic params cannot not be in invalid state")
%}

%token  IDENTIFIER
%token  CONSTANT
%token  STRING_LITERAL 
%token NULL

/* ( ) () { } [ ] .. ... */
%token LPAR RPAR LPARRPAR LBRACE RBRACE LSQUARE RSQUARE DOTDOT DOTDOTDOT

/* ; ;; , : . ? */
%token SEMICOLON SEMISEMI COMMA COLON DOT QUESTION

/* - -- + ++ * / % */
%token MINUS MINUSMINUS PLUS PLUSPLUS STAR SLASH PERCENT
 
/* = <= >= > < == != <: :> */
%token EQ LTEQ GTEQ GT LT EQEQ BANGEQ LTCOLON COLONGT

/* += -= *= /= %= */
%token PLUSEQ MINUSEQ STAREQ SLASHEQ PERCENTEQ

/* && || => <=> ! */
%token AMPAMP BARBAR EQEQGT LTEQEQGT EXCLAM

/* if then else return while break for fo break continue case switch default goto */
%token IF THEN ELSE RETURN WHILE FOR DO BREAK CONTINUE CASE SWITCH DEFAULT GOTO LOOP

/* exception of throw try catch finally new free let in var */
%token EXCEPTION OF THROW TRY CATCH FINALLY NEW FREE LET IN VAR

/* pack unpack assert */
%token ABSTRACT PACK UNPACK ASSERT ASSUME HINT CHECK

/* type invariant logic axiomatic with variant and axiom tag */
%token TYPE INVARIANT LOGIC PREDICATE AXIOMATIC WITH VARIANT 
%token AND AXIOM LEMMA TAG

/* integer boolean real double unit void rep */
%token INTEGER BOOLEAN REAL DOUBLE FLOAT UNIT REP

/* assigns allocates assumes behavior ensures requires decreases throws reads */
%token ASSIGNS ALLOCATES ASSUMES BEHAVIOR ENSURES REQUIRES DECREASES THROWS READS

/* \forall \exists \offset_max \offset_min \address \old \result \mutable \typeof \bottom \typeeq \absolute_address */
%token BSFORALL BSEXISTS BSOFFSET_MAX BSOFFSET_MIN BSADDRESS BSOLD BSAT BSFRESH
%token BSRESULT BSMUTABLE BSTYPEOF BSBOTTOM BSTYPEEQ BSABSOLUTE_ADDRESS
%token BSBASE_BLOCK

/* \nothing */
%token BSNOTHING

/* as _ match -> end */
%token AS UNDERSCORE MATCH MINUSGT END

/* & ~ ^ | << >> >>> */
%token AMP TILDE HAT PIPE LSHIFT LRSHIFT ARSHIFT
/* | with greater priority */
%token ALT

/* |= &= ^= */
%token BAREQ AMPEQ CARETEQ

/* @ (string concat) */
%token AT

%token PRAGMA_GEN_SEP PRAGMA_GEN_FRAME PRAGMA_GEN_SUB  PRAGMA_GEN_SAME

%token EOF
%type  file
%start file

/* precedences on expressions (from lowest to highest) */

%nonassoc PRECLOOPANNOT
%nonassoc FOR

%nonassoc PRECIF THEN
%nonassoc ELSE

%nonassoc PRECTRY
%nonassoc FINALLY

%nonassoc PRECLOGIC
%nonassoc EQ

%nonassoc PRECTYPE
/* and */
%right AND

/* precedences on expressions  */

%nonassoc RETURN ASSERT ASSUME THROW HINT precwhile CHECK
%nonassoc COLON
%nonassoc PRECFORALL 
/* <=> */
%right LTEQEQGT
/* => */
%right EQEQGT 
%left QUESTION ASSIGNOP
%left BARBAR
%left AMPAMP
%left PIPE
%left pipe_trigger
%left ALT
%left AS
%left HAT
%left AMP
%left LT GT LTEQ GTEQ EQEQ BANGEQ LTCOLON COLONGT
%nonassoc DOTDOT
/* unary -, unary +, ++, --, ! ~ */
%nonassoc UMINUS UPLUS PLUSPLUS MINUSMINUS EXCLAM TILDE
/* . */
%nonassoc DOT



%%

/****************************************/
/* a file is a sequence of declarations */
/****************************************/

file: 
| decl file 
    { $1::$2 }
| tag_and_type_decl file
    { let tag, ty = $1 in tag::ty::$2 }
| EOF 
    { [] }
;

decl: 
| variable_definition
    { $1 }
| function_definition
    { $1 }
| tag_definition
    { $1 }
| type_definition
    { $1 }
/*
| axiom_definition
    { $1 }
*/
| global_invariant_definition
    { $1 }
| exception_definition
    { $1 }
| logic_definition
    { $1 }
| pragma_gen_sep 
    { $1 }
/*
| error
    { Jc_options.parsing_error (pos ()) "'type' or type expression expected" }
*/
;


/*******************/
/* type definition */	      
/*******************/

type_definition:
| TYPE IDENTIFIER EQ int_constant DOTDOT int_constant
    { locate (JCDenum_type($2,$4,$6)) }
/*
| LOGIC TYPE IDENTIFIER
    { locate (JCDlogic_type($3)) }
*/
| TYPE IDENTIFIER EQ LSQUARE variant_tag_list RSQUARE
    { locate (JCDvariant_type($2, $5)) }
| TYPE IDENTIFIER EQ LSQUARE union_tag_list RSQUARE
    { locate (JCDunion_type($2,false,$5)) }
| TYPE IDENTIFIER EQ LSQUARE discr_union_tag_list RSQUARE
    { locate (JCDunion_type($2,true,$5)) }
;

int_constant:
| CONSTANT 
    { num_of_constant (pos_i 1)$1 }
| MINUS CONSTANT
    { Num.minus_num (num_of_constant (pos_i 2) $2) }
;

variant_tag_list:
| identifier PIPE variant_tag_list
    { $1::$3 }
| identifier
    { [ $1 ] }
;

union_tag_list:
| identifier AMP union_tag_list
    { $1::$3 }
| identifier AMP identifier
    { [ $1; $3 ] }
;

discr_union_tag_list:
| identifier HAT discr_union_tag_list
    { $1::$3 }
| identifier HAT identifier
    { [ $1; $3 ] }
;

/******************/
/* tag definition */
/******************/

tag_definition:
| TAG IDENTIFIER LT type_parameter_names GT EQ
    extends LBRACE field_declaration_list RBRACE
    { let (f,i) = $9 in locate (JCDtag($2,$4,$7,f,i)) }
| TAG IDENTIFIER EQ
    extends LBRACE field_declaration_list RBRACE
    { let (f,i) = $6 in locate (JCDtag($2,[],$4,f,i)) }
;

type_parameter_names:
| IDENTIFIER COMMA type_parameter_names
    { $1::$3 }
| IDENTIFIER
    { [$1] }
;

extends:
| /* epsilon */
    { None }
| IDENTIFIER WITH
    { Some($1, []) }
| IDENTIFIER LT type_parameters GT WITH
    { Some($1, $3) }
;

field_declaration_list:
| /* epsilon */
    { ([],[]) }
| field_declaration field_declaration_list
    { let (f,i) = $2 in ($1::f,i) }
| invariant field_declaration_list
    { let (f,i) = $2 in (f,$1::i) }
;

field_declaration:
| field_modifier type_expr IDENTIFIER SEMICOLON
    { ($1, $2, $3, None) }
| field_modifier type_expr IDENTIFIER COLON int_constant SEMICOLON
    { ($1, $2, $3, Some (Num.int_of_num $5)) }
;

field_modifier:
| /* epsilon */
    { (false,false) }
| REP
    { (true,false) }
| ABSTRACT
    { (true,true) }
;        

invariant:
| INVARIANT identifier LPAR IDENTIFIER RPAR EQ expression SEMICOLON
    { ($2,$4,$7) }
;

/********************************/
/* tag and type syntactic suger */
/********************************/

tag_and_type_decl:
| TYPE IDENTIFIER EQ extends LBRACE field_declaration_list RBRACE
    { let (f,i) = $6 in
      let id = locate_identifier $2 in
      locate (JCDtag($2, [], $4, f, i)),
      locate (JCDvariant_type($2, [id])) }
| TYPE IDENTIFIER LT type_parameter_names GT EQ
    extends LBRACE field_declaration_list RBRACE
    { let (f,i) = $9 in
      let id = locate_identifier $2 in
      locate (JCDtag($2, $4, $7, f, i)),
      locate (JCDvariant_type($2, [id])) }
;

/***********************/
/* Function definition */
/***********************/


parameters:
| LPARRPAR
    { [] }
| LPAR RPAR
    { [] }
| LPAR parameter_comma_list RPAR
    { $2 } 
;

parameter_comma_list: 
| parameter_declaration 
    { [$1] }
| parameter_declaration COMMA parameter_comma_list 
    { $1 :: $3 }
;

parameter_declaration:
| type_expr IDENTIFIER
    { (true,$1,$2) }
| EXCLAM type_expr IDENTIFIER
    { (false,$2,$3) }
;


type_expr:
| INTEGER
    { locate (JCPTnative Tinteger) }
| BOOLEAN
    { locate (JCPTnative Tboolean) }
| REAL
    { locate (JCPTnative Treal) }
| DOUBLE
    { locate (JCPTnative (Tgenfloat `Double)) }
| FLOAT
    { locate (JCPTnative (Tgenfloat `Float)) }
| UNIT
    { locate (JCPTnative Tunit) }
| IDENTIFIER 
    { locate (JCPTidentifier ($1,[])) }
| IDENTIFIER  LT type_parameters GT
    { locate (JCPTidentifier ($1,$3)) }
| IDENTIFIER LSQUARE DOTDOT RSQUARE
    { locate (JCPTpointer($1,[],None,None)) }
| IDENTIFIER LSQUARE int_constant RSQUARE
    { let n = $3 in
      locate (JCPTpointer($1,[],Some n,Some n)) }
| IDENTIFIER LSQUARE int_constant DOTDOT RSQUARE
    { let n = $3 in
      locate (JCPTpointer($1,[],Some n,None)) }
| IDENTIFIER LSQUARE int_constant DOTDOT int_constant RSQUARE
    { let n, m = $3, $5 in
      locate (JCPTpointer($1,[],Some n,Some m)) }
| IDENTIFIER LSQUARE DOTDOT int_constant RSQUARE
    { let m = $4 in
      locate (JCPTpointer($1,[],None,Some m)) }

| IDENTIFIER LT type_parameters GT LSQUARE DOTDOT RSQUARE
    { locate (JCPTpointer($1,$3,None,None)) }
| IDENTIFIER LT type_parameters GT LSQUARE int_constant RSQUARE
    { let n = $6 in
      locate (JCPTpointer($1,$3,Some n,Some n)) }
| IDENTIFIER LT type_parameters GT LSQUARE int_constant DOTDOT RSQUARE
    { let n = $6 in
      locate (JCPTpointer($1,$3,Some n,None)) }
| IDENTIFIER LT type_parameters GT
    LSQUARE int_constant DOTDOT int_constant RSQUARE
    { let n, m = $6, $8 in
      locate (JCPTpointer($1,$3,Some n,Some m)) }
| IDENTIFIER LT type_parameters GT LSQUARE DOTDOT int_constant RSQUARE
    { let m = $7 in
      locate (JCPTpointer($1,$3,None,Some m)) }
;

type_parameters:
| type_expr COMMA type_parameters
    { $1::$3 }
| type_expr
    { [$1] }
;

function_specification:
| /* epsilon */ 
    { [] }
| spec_clause function_specification 
    { $1::$2 }
;

spec_clause:
| REQUIRES expression SEMICOLON
    { JCCrequires($2) }
| DECREASES expression SEMICOLON
    { JCCdecreases($2,None) }
| DECREASES expression FOR identifier SEMICOLON
    { JCCdecreases($2,Some $4) }
| behavior
  { JCCbehavior $1 }
;

behavior:
| BEHAVIOR ident_or_default COLON throws assumes requires assigns_opt
  allocates_opt ENSURES expression SEMICOLON
    { (pos_i 2,$2,$4,$5,$6,$7,$8,$10) }
;

ident_or_default:
| IDENTIFIER { $1 }
| DEFAULT { "default" }

throws:
| /* epsilon */
    { None }
| THROWS identifier SEMICOLON
    { Some $2 }
;

assumes:
| /* epsilon */
    { None }
| ASSUMES expression SEMICOLON
    { Some $2 }
;

requires:
| /* epsilon */
    { None }
| REQUIRES expression SEMICOLON
    { Some $2 }
;

assigns_opt:
| /* epsilon */
    { None }
| assigns
    { $1 }
;

assigns:
| ASSIGNS argument_expression_list SEMICOLON
    { Some(pos_i 2,$2) }
| ASSIGNS BSNOTHING SEMICOLON
    { Some (pos_i 2,[]) }
;

allocates_opt:
| /* epsilon */
    { None }
| allocates
    { $1 }
;

allocates:
| ALLOCATES argument_expression_list SEMICOLON
    { Some(pos_i 2,$2) }
| ALLOCATES BSNOTHING SEMICOLON
    { Some (pos_i 2,[]) }
;

reads:
| 
    { JCnone }
| READS argument_expression_list SEMICOLON
    { JCreads $2 }
| READS BSNOTHING SEMICOLON
    { JCreads [] }
;

function_definition: 
| type_expr identifier parameters function_specification compound_expr
    { locate (JCDfun($1, $2, $3, $4, Some $5)) }
| type_expr identifier parameters function_specification SEMICOLON
    { locate (JCDfun($1, $2, $3, $4, None)) }
;


/******************************/
/* Global variable definition */
/******************************/

variable_definition:
| type_expr IDENTIFIER EQ expression SEMICOLON
    { locate (JCDvar($1,$2,Some $4)) }
| type_expr IDENTIFIER SEMICOLON
    { locate (JCDvar($1,$2,None)) }
;

/********************/
/* global invariant */
/********************/

global_invariant_definition:
| INVARIANT IDENTIFIER COLON expression
    { locate( JCDglobal_inv($2,$4)) }
;


/*************************/
/* exception definitions */
/*************************/

exception_definition:
| EXCEPTION IDENTIFIER OF type_expr
    { locate (JCDexception($2,Some $4)) }
;


/***************/
/* expressions */
/***************/

primary_expression: 
| IDENTIFIER 
    { locate (JCPEvar $1) }
| BSRESULT
    { locate (JCPEvar "\\result") }
| CONSTANT 
    { locate (JCPEconst $1) }
| LPARRPAR 
    { locate (JCPEconst JCCvoid) }
| NULL 
    { locate (JCPEconst JCCnull) }
| STRING_LITERAL 
    { locate (JCPEconst (JCCstring $1)) }
| LPAR expression COLONGT type_expr RPAR
    { locate (JCPEcast($2, $4)) }
| LPAR expression RPAR 
    { $2 }
| LPAR IDENTIFIER COLON expression RPAR
    { locate (JCPElabel($2,$4)) }
;

postfix_expression: 
| primary_expression 
    { $1 }
| IDENTIFIER label_binders LPAR argument_expression_list_opt RPAR 
    { locate (JCPEapp($1, $2, $4)) }
| IDENTIFIER label_binders LPARRPAR 
    { locate (JCPEapp($1, $2, [])) }
| BSFRESH LPAR expression RPAR 
    { locate (JCPEfresh($3)) }
| BSOLD LPAR expression RPAR 
    { locate (JCPEold($3)) }
| BSAT LPAR expression COMMA IDENTIFIER RPAR 
    { locate (JCPEat($3,label $5)) }
| BSOFFSET_MAX LPAR expression RPAR 
    { locate (JCPEoffset(Offset_max,$3)) }
| BSOFFSET_MIN LPAR expression RPAR 
    { locate (JCPEoffset(Offset_min,$3)) }
| BSADDRESS LPAR expression RPAR 
    { locate (JCPEaddress(Addr_pointer,$3)) }
| BSABSOLUTE_ADDRESS LPAR expression RPAR 
    { locate (JCPEaddress(Addr_absolute,$3)) }
| BSBASE_BLOCK LPAR expression RPAR 
    { locate (JCPEbase_block($3)) }
| postfix_expression DOT IDENTIFIER
    { locate (JCPEderef ($1, $3)) }
| postfix_expression PLUSPLUS 
    { locate (JCPEunary (`Upostfix_inc, $1)) }
| postfix_expression MINUSMINUS
    { locate (JCPEunary (`Upostfix_dec, $1)) }
| PLUSPLUS postfix_expression 
    { locate (JCPEunary (`Uprefix_inc, $2)) }
| MINUSMINUS postfix_expression 
    { locate (JCPEunary (`Uprefix_dec, $2)) }
| PLUS postfix_expression %prec UPLUS
    { locate (JCPEunary (`Uplus, $2)) }
| MINUS postfix_expression %prec UMINUS
    { locate (JCPEunary (`Uminus, $2)) }
| TILDE postfix_expression 
    { locate (JCPEunary (`Ubw_not, $2)) }
| EXCLAM postfix_expression 
    { locate (JCPEunary (`Unot, $2)) }
| LSQUARE expression DOTDOT expression RSQUARE
    { locate (JCPErange(Some $2,Some $4)) }
| LSQUARE DOTDOT expression RSQUARE 
    { locate (JCPErange(None,Some $3)) }
| LSQUARE expression DOTDOT RSQUARE 
    { locate (JCPErange(Some $2,None)) }
| LSQUARE DOTDOT RSQUARE 
    { locate (JCPErange(None,None)) }
;

label_binders:
| /* epsilon */ { [] }
| LBRACE IDENTIFIER label_list_end RBRACE { (label $2)::$3 }
;

label_list_end:
| /* epsilon */ { [] }
| COMMA IDENTIFIER label_list_end { (label $2)::$3 }
;

argument_expression_list: 
| expression 
    { [$1] }
| expression COMMA argument_expression_list 
    { $1::$3 }
;

argument_expression_list_opt: 
| /* $\varepsilon$ */
    { [] }
| argument_expression_list 
    { $1 }
;


multiplicative_expression: 
| postfix_expression 
    { $1 }
| multiplicative_expression STAR postfix_expression 
    { locate (JCPEbinary ($1, `Bmul, $3)) }
| multiplicative_expression SLASH postfix_expression 
    { locate (JCPEbinary ($1, `Bdiv, $3)) }
| multiplicative_expression PERCENT postfix_expression 
    { locate (JCPEbinary ($1, `Bmod, $3)) }
;

additive_expression: 
| multiplicative_expression 
    { $1 }
| additive_expression PLUS multiplicative_expression 
    { locate (JCPEbinary ($1, `Badd, $3)) }
| additive_expression MINUS multiplicative_expression 
    { locate (JCPEbinary ($1, `Bsub, $3)) }
| additive_expression AT multiplicative_expression 
    { locate (JCPEbinary ($1, `Bconcat, $3)) }
;

shift_expression: 
| additive_expression 
    { $1 }
| shift_expression LSHIFT additive_expression 
    { locate (JCPEbinary ($1, `Bshift_left, $3)) }
| shift_expression LRSHIFT additive_expression 
    { locate (JCPEbinary ($1, `Blogical_shift_right, $3)) }
| shift_expression ARSHIFT additive_expression 
    { locate (JCPEbinary ($1, `Barith_shift_right, $3)) }
;

assignment_operator: 
| EQ { `Aeq }
| PLUSEQ { `Aadd }
| MINUSEQ { `Asub }
| STAREQ { `Amul }
| SLASHEQ { `Adiv }
| PERCENTEQ { `Amod }
/*
| LEFT_ASSIGN { Aleft }
| RIGHT_ASSIGN { Aright }
*/
| AMPEQ { `Aand }
| CARETEQ { `Axor }
| BAREQ { `Aor }
;


expression: 
| compound_expr
    { $1 }
| ASSERT FOR identifier_list COLON expression %prec FOR
    { locate (JCPEassert($3,Aassert,$5)) }
| ASSERT expression 
    { locate (JCPEassert([],Aassert,$2)) }
| HINT FOR identifier_list COLON expression %prec FOR
    { locate (JCPEassert($3,Ahint,$5)) }
| HINT expression 
    { locate (JCPEassert([],Ahint,$2)) }
| ASSUME FOR identifier_list COLON expression %prec FOR
    { locate (JCPEassert($3,Aassume,$5)) }
| ASSUME expression 
    { locate (JCPEassert([],Aassume,$2)) }
| CHECK FOR identifier_list COLON expression %prec FOR
    { locate (JCPEassert($3,Acheck,$5)) }
| CHECK expression 
    { locate (JCPEassert([],Acheck,$2)) }
| requires behavior compound_expr
    { locate (JCPEcontract($1,None,[$2],$3)) } 
| iteration_expression 
    { $1 }
| jump_expression 
    { $1 }
| declaration
    { $1 }
/*
| SPEC expression { locate (CSspec ($1,$2)) }
*/
| pack_expression { $1 }
| exception_expression { $1 }
| shift_expression 
    { $1 }
| SWITCH LPAR expression RPAR LBRACE switch_block RBRACE
    { locate (JCPEswitch ($3, $6)) }

| NEW IDENTIFIER LSQUARE expression RSQUARE
    { locate (JCPEalloc ($4, $2)) }
| FREE LPAR expression RPAR
    { locate (JCPEfree $3) }
| expression LT expression 
    { locate (JCPEbinary ($1, `Blt, $3)) }
| expression GT expression
    { locate (JCPEbinary ($1, `Bgt, $3)) }
| expression LTEQ expression
    { locate (JCPEbinary ($1, `Ble, $3)) }
| expression GTEQ expression
    { locate (JCPEbinary ($1, `Bge, $3)) }
| expression LTCOLON IDENTIFIER
    { locate (JCPEinstanceof($1, $3)) }
| expression EQEQ expression 
    { locate (JCPEbinary ($1, `Beq, $3)) }
| expression BANGEQ expression 
    { locate (JCPEbinary ($1, `Bneq, $3)) }
| expression AMP expression 
    { locate (JCPEbinary ($1, `Bbw_and, $3)) }
| expression HAT expression 
    { locate (JCPEbinary ($1, `Bbw_xor, $3)) }
| expression PIPE expression
    { locate (JCPEbinary ($1, `Bbw_or, $3)) }
| expression AMPAMP expression 
    { locate (JCPEbinary($1, `Bland, $3)) }
| expression BARBAR expression 
    { locate (JCPEbinary($1, `Blor, $3)) }
| IF expression THEN expression ELSE expression
    { locate (JCPEif ($2, $4, $6)) }
| IF expression THEN expression
    { locate (JCPEif ($2, $4, skip)) }
| LET IDENTIFIER EQ expression IN expression %prec PRECFORALL
    { locate (JCPElet (None, $2, Some $4, $6)) }
| LET type_expr IDENTIFIER EQ expression IN expression %prec PRECFORALL
    { locate (JCPElet (Some $2, $3, Some $5, $7)) }
| postfix_expression assignment_operator expression %prec ASSIGNOP
    { let a  =
	match $2 with
		| `Aeq -> JCPEassign ($1, $3)
		| `Aadd -> JCPEassign_op ($1, `Badd, $3)
		| `Asub -> JCPEassign_op ($1, `Bsub, $3)
		| `Amul -> JCPEassign_op ($1, `Bmul, $3)
		| `Adiv -> JCPEassign_op ($1, `Bdiv, $3)
		| `Amod -> JCPEassign_op ($1, `Bmod, $3)
		| `Aand -> JCPEassign_op ($1, `Bbw_and, $3)
		| `Axor -> JCPEassign_op ($1, `Bbw_xor, $3)
		| `Aor -> JCPEassign_op ($1, `Bbw_or, $3)
(*
		| Aleft -> CEassign_op ($1, `Bshift_left, $3)
		| Aright -> CEassign_op ($1, `Bshift_right, $3)
*)
      in locate a }

| BSFORALL type_expr identifier_list triggers SEMICOLON expression 
    %prec PRECFORALL
    { locate (JCPEquantifier(Forall,$2,$3,$4,$6)) }
| BSEXISTS type_expr identifier_list triggers SEMICOLON expression 
    %prec PRECFORALL
    { locate (JCPEquantifier(Exists,$2,$3,$4,$6)) }
| expression EQEQGT expression
    { locate (JCPEbinary($1,`Bimplies,$3)) }
| expression LTEQEQGT expression
    { locate (JCPEbinary($1,`Biff,$3)) }
/*
| expression COMMA assignment_expression { locate (CEseq ($1, $3)) }
*/
| BSMUTABLE LPAR expression COMMA tag RPAR
    { locate (JCPEmutable($3, $5)) }
| BSMUTABLE LPAR expression RPAR
    { locate (JCPEmutable($3, locate JCPTbottom)) }
| BSTYPEEQ LPAR tag COMMA tag RPAR
    { locate (JCPEeqtype($3, $5)) }
| MATCH expression WITH pattern_expression_list END
    { locate (JCPEmatch($2, $4)) }
;

tag:
| identifier
    { locate (JCPTtag $1) }
| BSBOTTOM
    { locate JCPTbottom }
| BSTYPEOF LPAR expression RPAR
    { locate (JCPTtypeof $3) }
;

identifier_list: 
| identifier 
    { [$1] }
| identifier COMMA identifier_list 
    { $1 :: $3 }
;

identifier:
| DEFAULT
    { locate_identifier "default" }
| IDENTIFIER
    { locate_identifier $1 }
;

triggers:
| /* epsilon */ { [] }
| LSQUARE list1_trigger_sep_bar RSQUARE { $2 }
;

list1_trigger_sep_bar:
| trigger { [$1] }
| trigger PIPE list1_trigger_sep_bar  %prec pipe_trigger { $1 :: $3 }
;

trigger:
  argument_expression_list { $1 }
;

/****************/
/* declarations */
/****************/


declaration: 
| VAR type_expr IDENTIFIER
    { locate (JCPEdecl($2, $3, None)) }
| VAR type_expr IDENTIFIER EQ expression
    { locate (JCPEdecl($2, $3, Some $5)) }
;


/**************/
/* expressions */
/**************/

compound_expr:
| LBRACE expression_list RBRACE
    { locate (JCPEblock $2) }
;

expression_list: 
| expression SEMICOLON
    { [$1] }
| expression
    { [$1] }
| expression SEMICOLON expression_list 
    { $1 :: $3 }
;

switch_block: 
| /* $\varepsilon$ */
    { [] }
| switch_labels 
    { [($1, locate (JCPEblock []))] }
| switch_labels expression_list switch_block
    { ($1, locate (JCPEblock $2))::$3 }
;

switch_labels:
| switch_label
    { [$1] }
| switch_label switch_labels
    { $1::$2 }
;

switch_label:
| CASE expression COLON
    { Some($2) }
| DEFAULT COLON
    { None }
;

iteration_expression: 
| loop_annot WHILE LPAR expression RPAR expression %prec precwhile
    { let (i,v) = $1 in 
      locate (JCPEwhile ($4, i, v, $6)) }
| loop_annot DO expression WHILE LPAR expression RPAR
    { assert false (* TODO locate (JCPEdowhile ($1, $3, $6)) *) }
| loop_annot FOR LPAR argument_expression_list_opt SEMICOLON expression SEMICOLON 
    argument_expression_list_opt RPAR expression %prec precwhile
    { let (i,v) = $1 in 
      (*
	let i = match i with 
	| [] -> locate (JCPEconst(JCCboolean true))
	| [_,p] -> p
	|  _ -> assert false
      in
      *)
      locate (JCPEfor($4, $6, $8, i, v, $10)) }
;


loop_behavior:
| INVARIANT expression SEMICOLON assigns_opt
    { (Some $2,$4) }
| assigns
    { (None,$1) }
;

loop_for_behavior_list:
| BEHAVIOR identifier_list COLON loop_behavior loop_for_behavior_list
    { let (i,a) = $4 in ($2,i,a) :: $5 }
| /* epsilon */
    { [] }
;

loop_behaviors:
| loop_behavior loop_for_behavior_list
    { let (i,a) = $1 in ([],i,a)::$2 }
| loop_for_behavior_list
    { $1 }
;

loop_annot:
| LOOP loop_behaviors VARIANT expression SEMICOLON
    { ($2, Some ($4,None)) }
| LOOP loop_behaviors VARIANT expression FOR identifier SEMICOLON
    { ($2, Some ($4, Some $6)) }
| LOOP loop_behaviors
    { ($2, None) }
;

jump_expression: 
| GOTO identifier
    { locate (JCPEgoto $2#name) }
/*
| CONTINUE SEMICOLON { locate CScontinue }
*/
| BREAK
    { locate (JCPEbreak "") }
| RETURN expression
    { locate (JCPEreturn $2) }
;

pack_expression:
| PACK LPAR expression COMMA identifier RPAR
    { locate (JCPEpack ($3, Some $5)) }
| PACK LPAR expression RPAR
    { locate (JCPEpack ($3, None)) }
| UNPACK LPAR expression COMMA identifier RPAR
    { locate (JCPEunpack ($3, Some $5)) }
| UNPACK LPAR expression RPAR
    { locate (JCPEunpack ($3, None)) }
;

catch_expression: 
| CATCH identifier IDENTIFIER expression
    { ($2, $3, $4) }
;

catch_expression_list:
| catch_expression
    { [$1] }
| catch_expression catch_expression_list 
    { $1 :: $2 }
;

exception_expression:
| THROW identifier expression
   { locate (JCPEthrow($2,$3)) }
| TRY expression catch_expression_list END
   { locate (JCPEtry($2, $3, skip)) }
| TRY expression catch_expression_list FINALLY expression END
   { locate (JCPEtry($2, $3, $5)) }
;

/**********************************/
/* Logic functions and predicates */
/**********************************/

logic_definition:
/* constants def */
| LOGIC type_expr IDENTIFIER logic_type_arg EQ expression
    { locate (JCDlogic(Some $2, $3, $4, [], [], JCexpr $6)) }
/* constants no def */
| LOGIC type_expr IDENTIFIER logic_type_arg
    { locate (JCDlogic(Some $2, $3, $4 , [], [], JCreads [])) }
/* logic fun def */
| LOGIC type_expr IDENTIFIER logic_type_arg label_binders parameters EQ expression
    { let p = lparams $6 in
      locate (JCDlogic(Some $2, $3, $4 , $5, p, JCexpr $8)) }
/* logic pred def */
| PREDICATE IDENTIFIER logic_type_arg label_binders parameters EQ expression
    { let p = lparams $5 in
      locate (JCDlogic(None, $2, $3  ,$4, p, JCexpr $7)) }
/* logic fun reads */
/*
| LOGIC type_expr IDENTIFIER logic_type_arg label_binders parameters reads %prec PRECLOGIC
    { locate (JCDlogic(Some $2, $3, $4 ,$5, $6, JCreads $7)) }
*/
/* logic pred reads */
/*
| PREDICATE IDENTIFIER logic_type_arg label_binders parameters reads %prec PRECLOGIC
    { locate (JCDlogic(None, $2, $3 ,$4, $5, JCreads $6)) }
*/
/* logic fun axiomatic def */
/*
| LOGIC type_expr IDENTIFIER logic_type_arg label_binders parameters LBRACE axioms RBRACE
    { locate (JCDlogic(Some $2, $3, $4 ,$5, $6, JCaxiomatic $8)) }
*/
/* logic pred axiomatic def */
/*
| PREDICATE IDENTIFIER logic_type_arg label_binders parameters LBRACE axioms RBRACE
    { locate (JCDlogic(None, $2, $3, $4, $5, JCaxiomatic $7)) }
*/
/* logic pred inductive def */
| PREDICATE IDENTIFIER logic_type_arg label_binders parameters LBRACE indcases RBRACE
    { let p = lparams $5 in
      locate (JCDlogic(None, $2, $3 ,$4 , p, JCinductive $7)) }
| AXIOMATIC IDENTIFIER LBRACE logic_declarations RBRACE
    { locate (JCDaxiomatic($2,$4)) } 
| LEMMA IDENTIFIER logic_type_arg label_binders COLON expression
    { locate( JCDlemma($2,false,$3,$4,$6)) }
;




logic_declarations:
| logic_declaration
    { [$1] }
| logic_declaration logic_declarations
    { $1::$2 }
;

string_list:
| IDENTIFIER {[$1]}
| IDENTIFIER COMMA string_list {$1::$3}

logic_type_arg:
| {[]}
| LT string_list GT {$2}

logic_declaration:
| logic_definition
    { $1 }
| LOGIC TYPE IDENTIFIER logic_type_arg
    { locate (JCDlogic_type($3,$4)) }
/* remove this comment if removed from logic_definition
| LOGIC type_expr IDENTIFIER 
    { locate (JCDlogic(Some $2, $3, [], [], JCnone)) }
*/
| PREDICATE IDENTIFIER logic_type_arg label_binders parameters reads
    { let p = lparams $5 in
      locate (JCDlogic(None, $2, $3, $4, p, $6)) }
| LOGIC type_expr IDENTIFIER logic_type_arg label_binders parameters reads
	{ let p = lparams $6 in
	  locate (JCDlogic(Some $2, $3, $4, $5, p, $7)) }
| AXIOM identifier logic_type_arg label_binders COLON expression
    { locate( JCDlemma($2#name,true,$3,$4,$6)) }
;

indcases:
| /* epsilon */
    { [] }
| CASE identifier label_binders COLON expression SEMICOLON indcases
    { ($2,$3,$5)::$7 }
;

/************/
/* patterns */
/************/

pattern:
| identifier LBRACE field_patterns RBRACE
    { locate (JCPPstruct($1, $3)) }
| identifier
    { locate (JCPPvar $1) }
| LPAR pattern RPAR
    { $2 }
| pattern PIPE pattern
    { locate (JCPPor($1, $3)) }
| pattern AS identifier
    { locate (JCPPas($1, $3)) }
| UNDERSCORE
    { locate JCPPany }
| CONSTANT 
    { locate (JCPPconst $1) }
| LPARRPAR 
    { locate (JCPPconst JCCvoid) }
| NULL 
    { locate (JCPPconst JCCnull) }
;

field_patterns:
| identifier EQ pattern SEMICOLON field_patterns
    { ($1, $3)::$5 }
|
    { [] }
;

/*Multiply defined : Does ocamlyacc take the last. In fact it seems to take the first (cf. variant.jc)*/
pattern_expression_list:
| pattern MINUSGT expression SEMICOLON pattern_expression_list
    { ($1, $3)::$5 }
| pattern MINUSGT expression SEMICOLON
    { [$1, $3] }
;


/*pattern_expression_list:
| pattern MINUSGT compound_expr pattern_expression_list
    { ($1, $3)::$4 }
| pattern MINUSGT compound_expr
    { [$1, $3] }
;*/

/**************/
/* pragma_gen_sep */
/**************/
pragma_gen_sep:
| PRAGMA_GEN_SEP IDENTIFIER type_expr_parameters
    { locate (JCDpragma_gen_sep("",$2, $3)) }
| PRAGMA_GEN_SEP IDENTIFIER IDENTIFIER type_expr_parameters
    { locate (JCDpragma_gen_sep($2,$3, $4)) }
| PRAGMA_GEN_FRAME IDENTIFIER IDENTIFIER
    { locate (JCDpragma_gen_frame($2,$3)) }
| PRAGMA_GEN_SUB IDENTIFIER IDENTIFIER
    { locate (JCDpragma_gen_sub($2,$3)) }
| PRAGMA_GEN_SAME IDENTIFIER IDENTIFIER
    { locate (JCDpragma_gen_same($2,$3)) }
;

type_expr_parameters:
| LPARRPAR
    { [] }
| LPAR RPAR
    { [] }
| LPAR type_expr_comma_list RPAR
    { $2 } 
;

type_expr_restreint:
|type_expr {$1,[]}
|type_expr PIPE LPAR type_parameter_names RPAR {$1,$4}

type_expr_comma_list: 
| type_expr_restreint
    { [$1] }
| type_expr_restreint COMMA type_expr_comma_list
    { $1 :: $3 }
;

/*
Local Variables: 
compile-command: "LC_ALL=C make -C .. byte"
End: 
*/
why-2.39/jc/jc_main.ml0000644000106100004300000004325213147234006013565 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



open Jc_stdlib
open Jc_env
open Jc_region
open Jc_fenv
open Jc_pervasives

open Format

let parse_file f =
  try
    let c = open_in f in
    let d = Jc_lexer.parse f c in
    close_in c; d
  with
    | Jc_lexer.Lexical_error(l,s) ->
	eprintf "%a: lexical error: %s@." Loc.gen_report_position l s;
	exit 1

let compute_regions logic_components components =
  if !Jc_options.separation_sem = SepRegions then begin
    Jc_options.lprintf "Computation of regions@.";
    (* Preserve order between following calls *)
    Array.iter Jc_separation.logic_component logic_components;
    StringHashtblIter.iter Jc_separation.axiom Jc_typing.lemmas_table;
    StringHashtblIter.iter
      (fun _id data ->
	 List.iter
	   (function Jc_typing.ABaxiom(pos,id,labs,a) ->
	      Jc_separation.axiom id (pos,(* is_axiom = *)true,[],labs,a)
	   ) data.Jc_typing.axiomatics_decls
      ) Jc_typing.axiomatics_table;
    Array.iter Jc_separation.code_component components
  end

let compute_effects logic_components components =
  Jc_options.lprintf "Computation of effects@.";
  (* Preserve order between following calls *)
  Array.iter Jc_effect.logic_effects logic_components;
  Array.iter Jc_effect.function_effects components

let main () =
  let files = Jc_options.files () in
  try match files with [file] ->
    let filename = Filename.chop_extension file in

    (*************************************************************************)
    (*                          PART 1: PARSING                              *)
    (*************************************************************************)

    (* phase 1: parsing *)
    Jc_options.lprintf "Parsing@.";
    let ast = parse_file file in

    if Jc_options.debug then
      Format.printf "@\nAST AFTER PARSING:@\n%a@." Jc_poutput.pdecls ast;

    (*************************************************************************)
    (*                          PART 2: ANALYSIS                             *)
    (*************************************************************************)

    (* phase 2: normalization *)
    Jc_options.lprintf "Normalization@.";
    let ast = Jc_norm.decls ast in

    (* phase 3: typing *)

    (* phase 3.1: type logic labels *)
    Jc_options.lprintf "Typing logic labels@.";
    List.iter Jc_typing.type_labels_in_decl ast;

    (* phase 3.2: type code *)
    Jc_options.lprintf "Typing code@.";
    Jc_typing.type_file ast;

    if Jc_options.debug then
      Format.printf "@\nAST AFTER TYPING:@\n%a@." Jc_typing.print_file ();

    (* phase 4: computation of call graph *)
    Jc_options.lprintf "Computation of call graph@.";
    IntHashtblIter.iter (fun _ (f,t) -> Jc_callgraph.compute_logic_calls f t)
      Jc_typing.logic_functions_table;
    IntHashtblIter.iter
      (fun _ (f,_loc,s,b) ->
	 Option_misc.iter (Jc_callgraph.compute_calls f s) b
      ) Jc_typing.functions_table;

    let logic_components =
      Jc_callgraph.compute_logic_components Jc_typing.logic_functions_table
    in
    let components =
      Jc_callgraph.compute_components Jc_typing.functions_table
    in

    (* update field "component" of functions *)
    Array.iteri
      (fun i l -> List.iter (fun fi -> fi.jc_fun_info_component <- i) l)
      components;

    (* (optional) phase 5: inference of annotations *)
    if !Jc_options.annotation_sem <> AnnotNone then
      begin
	(* phase 5.1: pre-computation of regions *)
	compute_regions logic_components components;

	(* phase 5.2: pre-computation of effects *)
	compute_effects logic_components components;

	(* phase 5.3: inter- or intraprocedural inference of annotations *)
	Jc_options.lprintf "Inference of annotations@.";
	if Jc_options.interprocedural then
	  begin
	    (* interprocedural analysis over the call graph +
	       intraprocedural analysis of each function called *)
	    IntHashtblIter.iter
	      (fun _ (fi, loc, fs, sl) ->
		 if fi.jc_fun_info_name = Jc_options.main then
		   Jc_ai.main_function (fi, loc, fs, sl)
	      ) Jc_typing.functions_table;
	  end
	else
	  (* intraprocedural inference of annotations otherwise *)
	  IntHashtblIter.iter
	    (fun _ (f, loc, s, b) -> Jc_ai.code_function (f, loc, s, b))
	    Jc_typing.functions_table;
      end;

    (* phase 6: add invariants *)
    Jc_options.lprintf "Adding invariants@.";
    let vil =
      IntHashtblIter.fold (fun _tag (vi, _eo) acc -> vi :: acc)
	Jc_typing.variables_table []
    in
    IntHashtblIter.iter
      (fun _tag (f,loc,s,b) -> Jc_invariants.code_function (f, loc, s, b) vil)
      Jc_typing.functions_table;

    (* phase 7: computation of regions *)
    compute_regions logic_components components;

    (* phase 8: computation of effects *)
    compute_effects logic_components components;

    (* (optional)
       generation of the separation predicates : compute the needed
       generated predicates *)
    if Jc_options.gen_frame_rule_with_ft then
      (Jc_options.lprintf "Compute needed predicates@.";
       Jc_frame.compute_needed_predicates ());


    (* (optional) phase 9: checking structure invariants *)
    begin match !Jc_options.inv_sem with
      | InvOwnership ->
	  Jc_options.lprintf "Adding structure invariants@.";
	  StringHashtblIter.iter
            (fun _name (_,invs) -> Jc_invariants.check invs)
	    Jc_typing.structs_table
      | InvNone
      | InvArguments -> ()
    end;

    (*************************************************************************)
    (*                    PART 3: GENERATION OF WHY CODE                     *)
    (*************************************************************************)

    let push_decls, fold_decls, pop_decls =
      let decls = ref [] in
      (fun f -> decls := f !decls),
      (fun f acc -> let d,acc = f (!decls,acc) in decls := d; acc),
      (fun () -> !decls)
    in

    (* production phase 1: generation of Why types *)

    (* production phase 1.1: translate logic types *)
    Jc_options.lprintf "Translate logic types@.";
    push_decls
      (StringHashtblIter.fold
         (fun _ id acc -> Jc_interp.tr_logic_type id acc)
	 Jc_typing.logic_type_table);

    (* production phase 1.2: translate coding types *)
    Jc_options.lprintf "Translate structures@.";
    push_decls
      (StringHashtblIter.fold (fun _ (st, _) acc -> Jc_interp.tr_struct st acc)
	 Jc_typing.structs_table);

    Jc_options.lprintf "Translate variants@.";
    push_decls
      (StringHashtblIter.fold
         (fun _ -> Jc_interp.tr_root) Jc_typing.roots_table);

    (* production phase 2: generation of Why variables *)

    (* production phase 2.1: translate coding variables *)
    Jc_options.lprintf "Translate variables@.";
    push_decls
      (IntHashtblIter.fold (fun _ (v,e) acc -> Jc_interp.tr_variable v e acc)
	 Jc_typing.variables_table);

    (* production phase 2.2: translate memories *)
    Jc_options.lprintf "Translate memories@.";
    let regions =
      fold_decls
	(StringHashtblIter.fold
	   (fun _ (fi,r) (acc,regions) ->
	      let r = Region.representative r in
	      let acc =
		if RegionSet.mem r regions then acc else
		  Jc_interp.tr_region r acc
	      in
	      Jc_interp.tr_memory (fi,r) acc,RegionSet.add r regions)
	   Jc_effect.constant_memories
	) (RegionSet.singleton dummy_region)
    in

    (* production phase 2.3: translate allocation tables *)
    Jc_options.lprintf "Translate allocation tables@.";
    let regions =
      fold_decls
	(StringHashtblIter.fold
	   (fun _ (a,r) (acc,regions) ->
	      let r = Region.representative r in
	      let acc =
		if RegionSet.mem r regions then acc else
		  Jc_interp.tr_region r acc
	      in
	      Jc_interp.tr_alloc_table (a,r) acc, RegionSet.add r regions)
	   Jc_effect.constant_alloc_tables
	) regions
    in

    (* production phase 2.4: translate tag tables *)
    Jc_options.lprintf "Translate tag tables@.";
    let _ =
      fold_decls
	(StringHashtblIter.fold
	   (fun _ (a,r) (acc,regions) ->
	      let r = Region.representative r in
	      let acc =
		if RegionSet.mem r regions then acc else
		  Jc_interp.tr_region r acc
	      in
	      Jc_interp.tr_tag_table (a,r) acc, RegionSet.add r regions)
	   Jc_effect.constant_tag_tables
	) regions
    in

    (* production phase 3: generation of Why exceptions *)
    Jc_options.lprintf "Translate exceptions@.";
    push_decls
      (StringHashtblIter.fold (fun _ ei acc -> Jc_interp.tr_exception ei acc)
	 Jc_typing.exceptions_table);

    (* production phase 3.1: translate enumerated types *)
    (* Yannick: why here and not together with translation of types? *)
    Jc_options.lprintf "Translate enumerated types@.";
    push_decls
      (StringHashtblIter.fold
	 (fun _ ri acc -> Jc_interp.tr_enum_type ri acc)
	 Jc_typing.enum_types_table);
    let enumlist =
      StringHashtblIter.fold
        (fun _ ri acc -> ri::acc) Jc_typing.enum_types_table []
    in
    let rec treat_enum_pairs pairs acc =
      match pairs with
	| [] -> acc
	| ri1 :: rest ->
	    let acc =
	      List.fold_left
		(fun acc ri2 ->
		   Jc_interp.tr_enum_type_pair ri1 ri2 acc) acc rest
	    in
	    treat_enum_pairs rest acc
    in
    push_decls (treat_enum_pairs enumlist);


    (* production phase 4.1: generation of Why logic functions *)
    Jc_options.lprintf "Translate logic functions@.";
    push_decls
      (IntHashtblIter.fold
	 (fun _ (li, p) acc ->
	    Jc_options.lprintf "Logic function %s@." li.jc_logic_info_name;
	    Jc_frame.tr_logic_fun li p acc)
	 Jc_typing.logic_functions_table );

    (* production phase 4.2: generation of axiomatic logic decls*)
    Jc_options.lprintf "Translate axiomatic declarations@.";
    push_decls
      (StringHashtblIter.fold
	 (fun a data acc ->
	    Jc_options.lprintf "Axiomatic %s@." a;
	    List.fold_left Jc_interp.tr_axiomatic_decl acc
              data.Jc_typing.axiomatics_decls)
	 Jc_typing.axiomatics_table);


    (* production phase 4.3: generation of lemmas *)
    Jc_options.lprintf "Translate lemmas@.";
    push_decls
      (StringHashtblIter.fold
	 (fun id (loc,is_axiom,_,labels,p) acc ->
	    Jc_interp.tr_axiom loc id is_axiom labels p acc)
	 Jc_typing.lemmas_table);

    (* (optional) production phase 6: generation of global invariants *)
    if !Jc_options.inv_sem = InvOwnership then
      (Jc_options.lprintf "Generation of global invariants@.";
       push_decls Jc_invariants.make_global_invariants);

    (* production phase 7: generation of Why functions *)
    Jc_options.lprintf "Translate functions@.";
    push_decls
      (IntHashtblIter.fold
	 (fun _ (f,loc,s,b) acc ->
	    Jc_options.lprintf
              "Pre-treatement Function %s@." f.jc_fun_info_name;
	    Jc_interp.pre_tr_fun f loc s b acc)
	 Jc_typing.functions_table);
    push_decls
      (IntHashtblIter.fold
	 (fun _ (f,loc,s,b) acc ->
	    Jc_options.lprintf "Function %s@." f.jc_fun_info_name;
	    Jc_interp.tr_fun f loc s b acc)
	 Jc_typing.functions_table);
    push_decls
      (StringHashtblIter.fold
	 (fun n (fname,param_name_assoc) acc ->
	    Jc_interp.tr_specialized_fun n fname param_name_assoc acc)
	 Jc_interp_misc.specialized_functions);

    (* (optional) production phase 8: generation of global invariants *)
    if !Jc_options.inv_sem = InvOwnership then
      begin
	(* production phase 8.1: "mutable" and "committed" declarations *)
	Jc_options.lprintf "Translate mutable and committed declarations@.";
	push_decls
	  (StringHashtblIter.fold
	     (fun _ (st, _) acc -> Jc_invariants.mutable_declaration st acc)
	     Jc_typing.structs_table);

	(* production phase 8.2: pack *)
	Jc_options.lprintf "Translate pack@.";
	push_decls
	  (StringHashtblIter.fold
	     (fun _ (st, _) acc -> Jc_invariants.pack_declaration st acc)
	     Jc_typing.structs_table);

	(* production phase 8.3: unpack *)
	Jc_options.lprintf "Translate unpack@.";
	push_decls
	  (StringHashtblIter.fold
	     (fun _ (st, _) acc -> Jc_invariants.unpack_declaration st acc)
	     Jc_typing.structs_table)
      end;

    (*************************************************************************)
    (*                       PART 5: OUTPUT FILES                            *)
    (*************************************************************************)

    (* union and pointer casts: disabled *)
    if !Region.some_bitwise_region then
      begin
        eprintf "Jessie support for unions and pointer casts is disabled@.";
        exit 1
      end;

    let decls = pop_decls () in

    (* output phase 1: produce Why file *)
    if Jc_options.why3_backend then
      begin
        Jc_options.lprintf "Produce Why3ml file@.";
        Pp.print_in_file
          (fun fmt -> fprintf fmt "%a@."
             (Output.fprintf_why_decls ~why3:true
                ~use_floats:!Jc_options.has_floats
                ~float_model:!Jc_options.float_model
             ) decls)
          (filename ^ ".mlw");
        (* not used by why3, but useful for debugging traceability *)
        let cout_locs,fmt_locs =
          Pp.open_file_and_formatter (Lib.file_subdir "." (filename ^ ".loc"))
        in
        Output.my_print_locs fmt_locs;
        Pp.close_file_and_formatter (cout_locs,fmt_locs);
      end
    else
      begin
        Jc_options.lprintf "Produce Why file@.";
        Pp.print_in_file
          (fun fmt -> fprintf fmt "%a@."
             (Output.fprintf_why_decls ~why3:false
                ~use_floats:!Jc_options.has_floats
                ~float_model:!Jc_options.float_model
             ) decls)
          (Lib.file_subdir "why" (filename ^ ".why"));

        (* output phase 2: produce locs file *)
        Jc_options.lprintf "Produce locs file@.";
        let cout_locs,fmt_locs =
          Pp.open_file_and_formatter (Lib.file_subdir "." (filename ^ ".loc"))
        in
        Output.my_print_locs fmt_locs;
(*
        Output.old_print_pos fmt_locs; (* Generated annotations. *)
*)
        Pp.close_file_and_formatter (cout_locs,fmt_locs);
      end;

    (* last phase: call why3 on generated file *)

    if not Jc_options.gen_only then
      begin
        let whylib = Jc_options.libdir in
        let conf =
          Filename.concat
            (Filename.concat (String.escaped whylib) "why3") "why3.conf"
        in
        let f = Lib.file_subdir "." (filename ^ ".mlw") in
        let cmd = Jc_options.why3_cmd in
        printf "Calling Why3...@.";
        let _ret =
          Sys.command
            ("why3 " ^ cmd ^ " --extra-config " ^ conf ^ " " ^ f)
        in ()
      end

(*

    (* output phase 3: produce makefile *)
    Jc_options.lprintf "Produce makefile@.";
    (*
      we first have to update Jc_options.libfiles depending on the current
      pragmas
    *)
    Jc_options.add_to_libfiles
      (if !Region.some_bitwise_region then
         "jessie_bitvectors.why" else "jessie.why");
    if !Jc_options.has_floats then
      begin
        match !Jc_options.float_model with
	  | Jc_env.FMmath -> ()
	  | Jc_env.FMdefensive ->
	      Jc_options.add_to_libfiles "floats_strict.why"
	  | Jc_env.FMfull ->
	      Jc_options.add_to_libfiles "floats_full.why"
	  |  Jc_env.FMmultirounding ->
	       Jc_options.add_to_libfiles "floats_multi_rounding.why"
    end;
    Jc_make.makefile filename
*)

    | _ -> Jc_options.usage ()
  with
    | Jc_typing.Typing_error(l,s) when not Jc_options.debug ->
        eprintf "%a: typing error: %s@." Loc.gen_report_position l s;
        exit 1
    | Jc_options.Jc_error(l,s) when not Jc_options.debug ->
	eprintf "%a: %s@." Loc.gen_report_position l s;
	exit 1
    | Assert_failure(f,l,c) as exn when not Jc_options.debug ->
 	eprintf "%a:@." Loc.gen_report_line (f,l,c,c);
 	raise exn

let _ =
  Sys.catch_break true;
  (* Yannick: [Printexc.catch] deprecated, normal system error seems ok,
     remove call? *)
  if Jc_options.debug then main () else Printexc.catch main ()


(*
  Local Variables:
  compile-command: "LC_ALL=C make -j -C .. bin/jessie.byte"
  End:
*)
why-2.39/jc/jc_make.ml0000644000106100004300000000632213147234006013553 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)


(*
open Format
open Pp
*)

(*
let generic full targets =
  print_in_file
    (fun fmt ->
       let out x = fprintf fmt x in
       out "# this makefile was automatically generated; do not edit @\n@\n";
       out "WHYLIB ?= %s@\n@\n" (String.escaped Jc_options.libdir);
       out "USERWHYTHREEOPT=%s@\n"  (Jc_options.why3_opt);
       out "JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf@\n@\n";

       let why3ml_target =
	 (match targets with f::_ -> f^".mlw" | [] -> "")
       in
       out "why3ml: %s@\n" why3ml_target;
       out "\t why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<@\n@\n";

       out "why3ide: %s@\n" why3ml_target;
       out "\t why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<@\n@\n";

       out "why3replay: %s@\n" why3ml_target;
       out "\t why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<@\n@\n";

    )
    (full ^ ".makefile")
*)

let makefile _f = ()
(*
let c = Filename.basename f in generic f [c]
*)


(*
Local Variables:
compile-command: "make -C .. bin/jessie.byte"
End:
*)
why-2.39/jc/numconst.mli0000644000106100004300000000544713147234006014210 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(* Evaluation of constant literals: superset of C and Java

  general rule: case insensitive

  decimal constants:
    . regexp 0 | [1-9][0-9]*

  octal constants:
    . regexp 0[0-7]+

  hexadecimal constants:
    . regexp 0x[0-9a-f]+

  for each of the three above: suffix allowed =  (u|l)*

  characters: between single quotes, with either 
    . ASCII chars
    . octal chars: \[0-7]^3 
    . unicode chars a la Java: \'u'+[0-9a-f]^4 (TODO) 
    . special chars \n, \r, \t, etc. (TODO: give exact list)   

  extended chars a la C: 'L''"'[^'"']*'"' (TODO)

*)

val zero : Num.num

val integer : string -> Num.num


why-2.39/jc/jc_pervasives.ml0000644000106100004300000011405613147234006015031 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



open Jc_stdlib
open Jc_env
open Jc_envset
open Jc_region
open Jc_ast
open Jc_fenv

open Jc_constructors

open Format
open Num

let ( $ ) = fun f g x -> f(g x)

(*
exception Error of Loc.position * string
*)

(*
let error l =
  Format.kfprintf
    (fun _fmt -> raise (Error(l, flush_str_formatter())))
    str_formatter
*)

let zero = Num.Int 0
let one = Num.Int 1
let two = Num.Int 2
let eight = Num.Int 8

let rec is_power_of_two i =
  if i <=/ zero then
    false
  else
    i =/ one || mod_num i two =/ zero && is_power_of_two (i // two)

let rec log2 i =
  assert (i >/ zero);
  if i =/ one then zero else one +/ log2 (i // two)

let operator_of_format (f : float_format) =
  match f with
    | `Float -> `Float
    | `Double -> `Double
    | `Binary80 -> `Binary80

let operator_of_native t =
  match t with
  | Tunit -> `Unit
  | Tboolean -> `Boolean
  | Tinteger -> `Integer
  | Treal -> `Real
  | Tgenfloat f -> operator_of_format f
  | Tstring -> assert false

let operator_of_type = function
  | JCTnative n -> operator_of_native n
  | JCTenum _ -> `Integer
  | JCTlogic _ -> `Logic
  | JCTany | JCTtype_var _ -> assert false (* TODO? *)
  | JCTnull | JCTpointer _ -> `Pointer

let eq_operator_of_type = function
  | JCTnative n -> operator_of_native n
  | JCTenum _ | JCTlogic _ -> `Logic
  | JCTany | JCTtype_var _ -> assert false (* TODO? *)
  | JCTnull | JCTpointer _ -> `Pointer

let new_label_name =
  let label_name_counter = ref 0 in function () ->
    incr label_name_counter;
    "JC_" ^ string_of_int !label_name_counter

let root_name st =
  st.jc_struct_info_hroot.jc_struct_info_name

let field_root_name fi =
  fi.jc_field_info_hroot.jc_struct_info_name

let string_of_format f =
  match f with
    | `Double -> "double"
    | `Float -> "float"
    | `Binary80 -> "binary80"

let string_of_native t =
  match t with
    | Tunit -> "unit"
    | Tinteger -> "integer"
    | Treal -> "real"
    | Tgenfloat f -> string_of_format f
    | Tboolean -> "boolean"
    | Tstring -> "string"

let print_type_var fmt v = fprintf fmt "(var_%s_%d)" v.jc_type_var_info_name v.jc_type_var_info_tag

let rec print_type fmt t =
  match t with
    | JCTnative n -> fprintf fmt "%s" (string_of_native n)
    | JCTlogic (s,l) -> fprintf fmt "%s%a" s (Pp.print_list_delim Pp.lchevron Pp.rchevron Pp.comma print_type) l
    | JCTenum ri -> fprintf fmt "%s" ri.jc_enum_info_name
    | JCTpointer(pc, ao, bo) ->
        begin match pc with
          | JCtag({ jc_struct_info_name = name }, [])
          | JCroot { jc_root_info_name = name } ->
              fprintf fmt "%s" name
          | JCtag({ jc_struct_info_name = name }, params) ->
              fprintf fmt "%s<%a>" name
                (Pp.print_list Pp.comma print_type) params
        end;
	begin match ao, bo with
	  | None, None ->
	      fprintf fmt "[..]"
	  | Some a, None ->
	      fprintf fmt "[%s..]" (Num.string_of_num a)
	  | None, Some b ->
	      fprintf fmt "[..%s]" (Num.string_of_num b)
	  | Some a, Some b ->
	      if Num.eq_num a b then
		fprintf fmt "[%s]" (Num.string_of_num a)
	      else
		fprintf fmt "[%s..%s]"
		  (Num.string_of_num a) (Num.string_of_num b)
	end
    | JCTnull -> fprintf fmt "(nulltype)"
    | JCTany -> fprintf fmt "(anytype)"
    | JCTtype_var v -> print_type_var fmt v

let num_of_constant _loc c =
    match c with
      | JCCinteger n ->
	  (try Num.num_of_string n
	   with _ -> assert false)
      | _ -> invalid_arg ""

let zero = Num.num_of_int 0
(*
let minus_one = Num.num_of_int (-1)
*)

let rec location_set_region locs =
  match locs#node with
    | JCLSvar vi -> vi.jc_var_info_region
    | JCLSderef(_,_,_,r) -> r
    | JCLSrange(ls,_,_) -> location_set_region ls
    | JCLSrange_term(t1,_,_) -> t1#region
    | JCLSat(ls,_) -> location_set_region ls

(*
type location =
  | JCLvar of var_info
  | JCLderef of location_set * field_info * region
*)

(* operators *)

(*
let is_relation_binary_op = function
  | `Blt | `Bgt | `Ble | `Bge | `Beq | `Bneq -> true
  | _ -> false

let is_logical_binary_op = function
  | `Bland | `Blor | `Bimplies | `Biff -> true
  | _ -> false

let is_arithmetic_binary_op = function
  | `Badd | `Bsub | `Bmul | `Bdiv | `Bmod -> true
  | _ -> false

let is_bitwise_binary_op = function
  | `Bbw_and | `Bbw_or | `Bbw_xor
  | `Bshift_left | `Blogical_shift_right | `Barith_shift_right -> true
  | _ -> false

let is_logical_unary_op = function
  | `Unot -> true
  | _ -> false

let is_arithmetic_unary_op = function
  | `Uminus -> true
  | _ -> false

let is_bitwise_unary_op = function
  | `Ubw_not -> true
  | _ -> false
*)

(* native types *)

let unit_type = JCTnative Tunit
let boolean_type = JCTnative Tboolean
let integer_type = JCTnative Tinteger
let real_type = JCTnative Treal
let double_type = JCTnative (Tgenfloat `Double)
let float_type = JCTnative (Tgenfloat `Float)
let null_type = JCTnull
let string_type = JCTnative Tstring
let any_type = JCTany

(* temporary variables *)

let tempvar_count = ref 0
(* let reset_tmp_var () = tempvar_count := 0 *)
let tmp_var_name () =
  incr tempvar_count; "_jessie_" ^ string_of_int !tempvar_count

(* variables *)

let var_tag_counter = ref 0

let var ?(unique=true) ?(static=false) ?(formal=false) ty id =
  incr var_tag_counter;
  let vi = {
    jc_var_info_tag = !var_tag_counter;
    jc_var_info_name = id;
    jc_var_info_final_name =
      if unique then Jc_envset.get_unique_name id else id;
    jc_var_info_region =
      if static then Region.make_const ty id else Region.make_var ty id;
    jc_var_info_type = ty;
    jc_var_info_formal = formal;
    jc_var_info_assigned = false;
    jc_var_info_static = static;
  }
  in vi

let newvar ty = var ty (tmp_var_name())

let newrefvar ty =
  let vi = newvar ty in
    vi.jc_var_info_assigned <- true;
    vi

let copyvar vi =
  incr var_tag_counter;
  { vi with
    jc_var_info_tag = !var_tag_counter;
    jc_var_info_name =
      "__jc_" ^ (string_of_int !var_tag_counter) ^ vi.jc_var_info_name;
    jc_var_info_final_name =
      "__jc_" ^ (string_of_int !var_tag_counter) ^ vi.jc_var_info_final_name;
  }

(* exceptions *)

let exception_tag_counter = ref 0

let exception_info ty id =
  incr exception_tag_counter;
  let ei = {
    jc_exception_info_tag = !exception_tag_counter;
    jc_exception_info_name = id;
    jc_exception_info_type = ty;
  }
  in ei


(* logic functions *)

let empty_effects =
  { jc_effect_alloc_tables = AllocMap.empty;
    jc_effect_tag_tables = TagMap.empty;
    jc_effect_raw_memories = MemoryMap.empty;
    jc_effect_precise_memories = LocationMap.empty;
    jc_effect_memories = MemoryMap.empty;
    jc_effect_globals = VarMap.empty;
    jc_effect_locals = VarMap.empty;
    jc_effect_mutable = StringSet.empty;
    jc_effect_committed = StringSet.empty;
  }

(*
let empty_logic_info =
  {
    jc_logic_info_tag = 0;
    jc_logic_info_name = "";
    jc_logic_info_final_name = "";
    jc_logic_info_result_type = None;
    jc_logic_info_result_region = dummy_region; (* TODO *)
    jc_logic_info_poly_args = [];
    jc_logic_info_parameters = [];
    jc_logic_info_param_regions = [];
    jc_logic_info_effects = empty_effects;
    jc_logic_info_calls = [];
(*
    jc_logic_info_is_recursive = false;
*)
    jc_logic_info_axiomatic = None;
    jc_logic_info_labels = [];
  }
*)

let logic_fun_tag_counter = ref 0

let make_logic_fun name ty =
  incr logic_fun_tag_counter;
  { jc_logic_info_tag = !logic_fun_tag_counter;
    jc_logic_info_name = name;
    jc_logic_info_final_name = Jc_envset.get_unique_name name;
    jc_logic_info_result_type = Some ty;
    jc_logic_info_result_region = Region.make_var ty name;
    jc_logic_info_poly_args = [];
    jc_logic_info_parameters = [];
    jc_logic_info_param_regions = [];
    jc_logic_info_effects = empty_effects;
    jc_logic_info_calls = [];
(*
    jc_logic_info_is_recursive = false;
*)
    jc_logic_info_axiomatic = None;
    jc_logic_info_labels = [];
  }

let any_string = make_logic_fun "any_string" string_type

(*
let () =
  let vi = var ~formal:true integer_type "n" in
  real_of_integer.jc_logic_info_parameters <- [vi]
*)

let full_separated = make_logic_fun "full_separated" null_type

(* logic predicates *)

let make_pred name =
  incr logic_fun_tag_counter;
  { jc_logic_info_tag = !logic_fun_tag_counter;
    jc_logic_info_name = name;
    jc_logic_info_final_name = Jc_envset.get_unique_name name;
    jc_logic_info_result_type = None;
    jc_logic_info_result_region = dummy_region;
    jc_logic_info_poly_args = [];
    jc_logic_info_parameters = [];
    jc_logic_info_param_regions = [];
    jc_logic_info_effects = empty_effects;
    jc_logic_info_calls = [];
(*
    jc_logic_info_is_recursive = false;
*)
    jc_logic_info_labels = [];
    jc_logic_info_axiomatic = None;
  }


(* programs *)

let empty_fun_effect =
  { jc_reads = empty_effects;
    jc_writes = empty_effects;
    jc_raises = ExceptionSet.empty ;
  }

let fun_tag_counter = ref 0

let make_fun_info name ty =
  incr fun_tag_counter;
  let vi = var ty "\\result" in
  vi.jc_var_info_final_name <- "result";
  { jc_fun_info_tag = !fun_tag_counter;
    jc_fun_info_name = name;
    jc_fun_info_final_name = Jc_envset.get_unique_name name;
    jc_fun_info_builtin_treatment = TreatNothing;
    jc_fun_info_parameters = [];
    jc_fun_info_result = vi;
    jc_fun_info_return_region = Region.make_var ty name;
    jc_fun_info_has_return_label = false;
    jc_fun_info_param_regions = [];
    jc_fun_info_calls = [];
    jc_fun_info_component = -1;
    jc_fun_info_logic_apps = [];
    jc_fun_info_effects = empty_fun_effect;
  }


let option_compare comp opt1 opt2 = match opt1,opt2 with
  | None,None -> 0
  | None,Some _ -> -1
  | Some _,None -> 1
  | Some x,Some y -> comp x y

let rec list_compare comp ls1 ls2 = match ls1,ls2 with
  | [],[] -> 0
  | [],_ -> -1
  | _,[] -> 1
  | x1::r1,x2::r2 ->
      let compx = comp x1 x2 in
      if compx = 0 then list_compare comp r1 r2 else compx



(* terms *)

let rec is_constant_term t =
  match t#node with
    | JCTrange (None, None) (* CORRECT ? *)
    | JCTconst _ -> true
    | JCTvar _ | JCTshift _ | JCTderef _
    | JCTapp _ | JCTold _ | JCTat _ | JCToffset _ | JCTaddress _
    | JCTbase_block _
    | JCTinstanceof _ | JCTcast _ | JCTbitwise_cast _ | JCTrange_cast _
    | JCTreal_cast _ | JCTif _ | JCTlet _ | JCTmatch _ -> false
    | JCTbinary (t1, _, t2) | JCTrange (Some t1, Some t2) ->
	is_constant_term t1 && is_constant_term t2
    | JCTunary (_, t) | JCTrange (Some t, None) | JCTrange (None, Some t) ->
	is_constant_term t

(* Comparison based only on term structure, not types not locations. *)
module TermOrd = struct
  type t = term

  let term_num t = match t#node with
    | JCTconst _ -> 1
    | JCTvar _ -> 3
    | JCTbinary _ -> 5
    | JCTshift _ -> 7
    | JCTunary _ -> 13
    | JCTderef _ -> 17
    | JCTold _ -> 19
    | JCToffset _ -> 23
    | JCTaddress _ -> 25
    | JCTinstanceof _ -> 31
    | JCTcast _ -> 37
    | JCTbitwise_cast _ -> 39
    | JCTrange _ -> 41
    | JCTapp _ -> 43
    | JCTif _ -> 47
    | JCTat _ -> 53
    | JCTmatch _ -> 59
    | JCTrange_cast _ -> 61
    | JCTreal_cast _ -> 67
    | JCTbase_block _ -> 71
    | JCTlet _ -> 73

  let rec compare t1 t2 =
    match t1#node, t2#node with
      | JCTconst c1,JCTconst c2 ->
	  Pervasives.compare c1 c2
      | JCTvar v1,JCTvar v2 ->
	  Pervasives.compare v1.jc_var_info_tag v2.jc_var_info_tag
      | JCTbinary(t11,op1,t12),JCTbinary(t21,op2,t22) ->
	  let compop = Pervasives.compare op1 op2 in
	  if compop = 0 then
	    let comp1 = compare t11 t21 in
	    if comp1 = 0 then compare t12 t22 else comp1
	  else compop
      | JCTshift(t11,t12),JCTshift(t21,t22) ->
	  let comp1 = compare t11 t21 in
	  if comp1 = 0 then compare t12 t22 else comp1
      | JCTunary(op1,t11),JCTunary(op2,t21) ->
	  let compop = Pervasives.compare op1 op2 in
	  if compop = 0 then compare t11 t21 else compop
      | JCTold t11,JCTold t21 ->
	  compare t11 t21
      | JCTaddress(absolute1,t11),JCTaddress(absolute2,t21) ->
	  let compabs = Pervasives.compare absolute1 absolute2 in
	  if compabs = 0 then
	    compare t11 t21
	  else compabs
      | JCTderef(t11,_,fi1),JCTderef(t21,_,fi2) ->
	  let compfi =
	    Pervasives.compare fi1.jc_field_info_tag fi2.jc_field_info_tag
	  in
	  if compfi = 0 then compare t11 t21 else compfi
      | JCToffset(ok1,t11,st1),JCToffset(ok2,t21,st2) ->
	  let compok = Pervasives.compare ok1 ok2 in
	  if compok = 0 then
	    let compst =
	      Pervasives.compare st1.jc_struct_info_name st2.jc_struct_info_name
	    in
	    if compst = 0 then compare t11 t21 else compst
	  else compok
      | JCTinstanceof(t11,lab1,st1),JCTinstanceof(t21,lab2,st2)
      | JCTcast(t11,lab1,st1),JCTcast(t21,lab2,st2)
      | JCTbitwise_cast(t11,lab1,st1),JCTbitwise_cast(t21,lab2,st2) ->
	  let compst =
	    Pervasives.compare st1.jc_struct_info_name st2.jc_struct_info_name
	  in
	  if compst <> 0 then compst else
	    let compst =
	      Pervasives.compare lab1 lab2
	    in
	    if compst <> 0 then compst else
	      compare t11 t21
      | JCTreal_cast(t11,conv1),JCTreal_cast(t21,conv2) ->
	  let comp =
	    Pervasives.compare conv1 conv2
	  in
	  if comp <> 0 then comp else
	    compare t11 t21
      | JCTrange_cast(t11,ri1),JCTrange_cast(t21,ri2) ->
	  let comp =
	    Pervasives.compare ri1.jc_enum_info_name ri2.jc_enum_info_name
	  in
	  if comp <> 0 then comp else
	    compare t11 t21
      | JCTrange(t11opt,t12opt),JCTrange(t21opt,t22opt) ->
	  let comp1 = option_compare compare t11opt t21opt in
	  if comp1 = 0 then
	    option_compare compare t12opt t22opt
	  else comp1
      | JCTapp app1,JCTapp app2 ->
	  let li1 = app1.jc_app_fun and ts1 = app1.jc_app_args in
	  let li2 = app2.jc_app_fun and ts2 = app2.jc_app_args in
	  let compli =
	    Pervasives.compare li1.jc_logic_info_tag li2.jc_logic_info_tag
	  in
	  if compli = 0 then
	    list_compare compare ts1 ts2
	  else compli
      | JCTif(t11,t12,t13),JCTif(t21,t22,t23) ->
	  let comp1 = compare t11 t21 in
	  if comp1 = 0 then
	    let comp2 = compare t12 t22 in
	    if comp2 = 0 then compare t13 t23 else comp2
	  else comp1
      |JCTat(t11,lab1),JCTat(t21,lab2) ->
	 let compst =
	   Pervasives.compare lab1 lab2
	 in
	 if compst <> 0 then compst else
	   compare t11 t21
      | JCTmatch _, JCTmatch _ -> assert false (* TODO *)
      | JCTbase_block t11, JCTbase_block t21 ->
	  compare t11 t21
      | _ ->
	  (* Terms should have different constructors *)
	  assert (term_num t1 <> term_num t2);
	  term_num t2 - term_num t1

  let equal t1 t2 = compare t1 t2 = 0

  let rec hash t =
    let h = match t#node with
      | JCTconst c1 ->
	  Hashtbl.hash c1
      | JCTvar v1 ->
	  Hashtbl.hash v1.jc_var_info_tag
      | JCTbinary(t11,op1,t12) ->
	  Hashtbl.hash op1 * hash t11 * hash t12
      | JCTshift(t11,t12) ->
	  hash t11 * hash t12
      | JCTunary(op1,t11) ->
	  Hashtbl.hash op1 * hash t11
      | JCTold t11 ->
	  hash t11
      | JCTaddress(absolute1,t11) ->
	  Hashtbl.hash absolute1 * hash t11
      | JCTderef(t11,_,fi1) ->
	  Hashtbl.hash fi1.jc_field_info_tag * hash t11
      | JCToffset(ok1,t11,st1) ->
	  Hashtbl.hash ok1 * hash t11
	  * Hashtbl.hash st1.jc_struct_info_name
      | JCTinstanceof(t11,_,_)
      | JCTcast(t11,_,_)
      | JCTbase_block(t11)
      | JCTbitwise_cast(t11,_,_)
      | JCTreal_cast(t11,_)
      | JCTrange_cast(t11,_)
      | JCTat(t11,_) ->
	  hash t11
      | JCTrange(t11opt,t12opt) ->
	  Option_misc.map_default hash 1 t11opt
	  * Option_misc.map_default hash 1 t12opt
      | JCTapp app1 ->
	  let li1 = app1.jc_app_fun and ts1 = app1.jc_app_args in
	  List.fold_left
	    (fun h arg -> h * hash arg)
	    (Hashtbl.hash li1.jc_logic_info_tag) ts1
      | JCTif(t11,t12,t13) ->
	  hash t11 * hash t12 * hash t13
      | JCTmatch (_, _) -> assert false (* TODO *)
      | JCTlet(_,t1,t2) -> hash t1 * hash t2
    in
    Hashtbl.hash (term_num t) * h

end

module TermTable = Hashtbl.Make(TermOrd)
module TermSet = Set.Make(TermOrd)
module TermMap = Map.Make(TermOrd)


let tag_num tag = match tag#node with
  | JCTtag _ -> 1
  | JCTbottom -> 3
  | JCTtypeof _ -> 5

let raw_tag_compare tag1 tag2 =
  match tag1#node,tag2#node with
    | JCTtag st1,JCTtag st2 ->
        Pervasives.compare st1.jc_struct_info_name st2.jc_struct_info_name
    | JCTbottom,JCTbottom -> 0
    | JCTtypeof(t1,st1),JCTtypeof(t2,st2) ->
        let compst =
	  Pervasives.compare st1.jc_struct_info_name st2.jc_struct_info_name
        in
        if compst = 0 then TermOrd.compare t1 t2 else compst
  | _ -> tag_num tag2 - tag_num tag1


(* Comparison based only on assertion structure, not locations. *)
module AssertionOrd = struct
  type t = assertion

  let assertion_num a = match a#node with
	(* are these supposed to be prime numbers ? *)
    | JCAtrue -> 1
    | JCAfalse -> 3
    | JCArelation _ -> 5
    | JCAand _ -> 7
    | JCAor _ -> 11
    | JCAimplies _ -> 13
    | JCAiff _ -> 17
    | JCAnot _ -> 19
    | JCAapp _ -> 23
    | JCAquantifier _ -> 31
    | JCAold _ -> 37
    | JCAinstanceof  _ -> 41
    | JCAbool_term _ -> 43
    | JCAif _ -> 47
    | JCAmutable _ -> 53
    | JCAeqtype _ -> 59
    | JCAat _ -> 61
    | JCAlet _ -> 67
    | JCAmatch _ -> 71
    | JCAsubtype _ -> 73
    | JCAfresh _ -> 79

  let rec compare a1 a2 =
    match a1#node, a2#node with
      | JCAtrue,JCAtrue | JCAfalse,JCAfalse -> 0
      | JCArelation(t11,op1,t12),JCArelation(t21,op2,t22) ->
          let compop = Pervasives.compare op1 op2 in
          if compop = 0 then
	    let comp1 = TermOrd.compare t11 t21 in
	    if comp1 = 0 then TermOrd.compare t12 t22 else comp1
          else compop
      | JCAand als1,JCAand als2 | JCAor als1,JCAor als2 ->
	  list_compare compare als1 als2
      | JCAimplies(a11,a12),JCAimplies(a21,a22)
      | JCAiff(a11,a12),JCAiff(a21,a22) ->
          let comp1 = compare a11 a21 in
          if comp1 = 0 then compare a12 a22 else comp1
      | JCAnot a1,JCAnot a2 | JCAold a1,JCAold a2 ->
          compare a1 a2
      | JCAapp app1, JCAapp app2 ->
	  let li1 = app1.jc_app_fun in
	  let li2 = app2.jc_app_fun in
          let compli =
	    Pervasives.compare li1.jc_logic_info_tag li2.jc_logic_info_tag
          in
          if compli = 0 then
	    let tls1 = app1.jc_app_args in
	    let tls2 = app2.jc_app_args in
  	    list_compare TermOrd.compare tls1 tls2
          else compli
      | JCAquantifier(q1,vi1,trigs1,a1),JCAquantifier(q2,vi2,trigs2,a2) ->
          let compq = Pervasives.compare q1 q2 in
          if compq = 0 then
	    let compvi = Pervasives.compare vi1 vi2 in
	    if compvi = 0 then
              let comptrigs = list_compare (list_compare compare_pat)
                trigs1 trigs2 in
              if comptrigs = 0 then compare a1 a2
              else comptrigs
            else compvi
          else compq
      | JCAinstanceof(t1,_,st1),JCAinstanceof(t2,_,st2) ->
          let compst =
	    Pervasives.compare st1.jc_struct_info_name st2.jc_struct_info_name
          in
          if compst = 0 then TermOrd.compare t1 t2 else compst
      | JCAbool_term t1,JCAbool_term t2 ->
          TermOrd.compare t1 t2
      | JCAif(t1,a11,a12),JCAif(t2,a21,a22) ->
          let comp0 = TermOrd.compare t1 t2 in
          if comp0 = 0 then
	    let comp1 = compare a11 a21 in
	    if comp1 = 0 then compare a12 a22 else comp1
          else comp0
      | JCAmutable(t1,st1,tag1),JCAmutable(t2,st2,tag2) ->
          let compst =
	    Pervasives.compare st1.jc_struct_info_name st2.jc_struct_info_name
          in
          if compst = 0 then
	    let comptag = raw_tag_compare tag1 tag2 in
	    if comptag = 0 then TermOrd.compare t1 t2 else comptag
          else compst
      | JCAeqtype(tag11,tag12,so1),JCAeqtype(tag21,tag22,so2) ->
          let compso = option_compare Pervasives.compare so1 so2 in
          if compso = 0 then
	    let comptag = raw_tag_compare tag11 tag21 in
	    if comptag = 0 then raw_tag_compare tag12 tag22 else comptag
          else compso
      | _ ->
	  (* Assertions should have different constructors *)
	  assert (assertion_num a1 <> assertion_num a2);
	  assertion_num a1 - assertion_num a2
  and compare_pat pat1 pat2 =
    match pat1,pat2 with
      | JCAPatT t1,JCAPatT t2 -> TermOrd.compare t1 t2
      | JCAPatT _, _ -> 1
      | _,JCAPatT _ -> -1
      | JCAPatP p1, JCAPatP p2 -> compare p1 p2
  let equal a1 a2 = compare a1 a2 = 0
end

(*
let rec is_numeric_term t =
  match t#node with
    | JCTconst _ -> true
    | JCTvar _ | JCTshift _ | JCTderef _
    | JCToffset _ | JCTaddress _ | JCTinstanceof _ | JCTrange _ -> false
    | JCTbinary (t1, _, t2) -> is_numeric_term t1 && is_numeric_term t2
    | JCTunary (_, t) | JCTold t | JCTat(t,_) | JCTcast (t, _, _)
    | JCTbitwise_cast (t, _, _) | JCTbase_block t
    | JCTrange_cast (t, _) | JCTreal_cast (t, _) -> is_numeric_term t
    | JCTapp _ -> false (* TODO ? *)
    | JCTif _ | JCTlet _ | JCTmatch _ -> false (* TODO ? *)
*)

(* assertions *)

let rec is_constant_assertion a =
  match a#node with
    | JCAtrue | JCAfalse -> true
    | JCArelation (t1, _, t2) ->
	is_constant_term t1 && is_constant_term t2
    | JCAand al | JCAor al ->
	List.for_all is_constant_assertion al
    | JCAimplies (a1, a2) | JCAiff (a1, a2) ->
	is_constant_assertion a1 && is_constant_assertion a2
    | JCAnot a | JCAquantifier (_, _, _, a) | JCAold a | JCAat(a,_)
	-> is_constant_assertion a
    | JCAapp _ | JCAinstanceof _ | JCAmutable _ | JCAeqtype _
    | JCAsubtype _ | JCAfresh _
	-> false
    | JCAbool_term t -> is_constant_term t
    | JCAif (t, a1, a2) ->
	is_constant_term t &&
	  is_constant_assertion a1 &&
	  is_constant_assertion a2
    | JCAlet(_vi,t, p) ->
	is_constant_term t && is_constant_assertion p
    | JCAmatch (t, pal) ->
	is_constant_term t &&
	  (List.fold_left (fun acc (_, a) -> acc && is_constant_assertion a)
	     true pal)

(* fun specs *)

let default_behavior = {
  jc_behavior_throws = None;
  jc_behavior_assumes = None;
  jc_behavior_assigns = None;
  jc_behavior_allocates = None;
  jc_behavior_ensures = new assertion JCAtrue;
  jc_behavior_free_ensures = new assertion JCAtrue;
}

let contains_normal_behavior fs =
  List.exists
    (fun (_, _, b) -> b.jc_behavior_throws = None)
    (fs.jc_fun_default_behavior :: fs.jc_fun_behavior)

let contains_exceptional_behavior fs =
  List.exists
    (fun (_, _, b) -> b.jc_behavior_throws <> None)
    (fs.jc_fun_default_behavior :: fs.jc_fun_behavior)

let is_purely_exceptional_fun fs =
  not (contains_normal_behavior fs) &&
    contains_exceptional_behavior fs


let rec skip_shifts e = match e#node with
  | JCEshift(e,_) -> skip_shifts e
  | _ -> e

let rec skip_term_shifts t = match t#node with
  | JCTshift(t,_) -> skip_term_shifts t
  | _ -> t

let rec skip_tloc_range locs = match locs#node with
  | JCLSrange(t,_,_) -> skip_tloc_range t
  | _ -> locs

(* option *)

let select_option opt default = match opt with Some v -> v | None -> default

(*
let direct_embedded_struct_fields st =
  List.fold_left
    (fun acc fi ->
      match fi.jc_field_info_type with
	| JCTpointer(JCtag st', Some _, Some _) ->
	    assert (st.jc_struct_info_name <> st'.jc_struct_info_name);
	    fi :: acc
	| JCTpointer(JCvariant st', Some _, Some _) ->
	    assert false (* TODO *)
	| _ -> acc
    ) [] st.jc_struct_info_fields

let embedded_struct_fields st =
  let rec collect forbidden_set st =
    let forbidden_set = StringSet.add st.jc_struct_info_name forbidden_set in
    let fields = direct_embedded_struct_fields st in
    let fstructs =
      List.fold_left
	(fun acc fi -> match fi.jc_field_info_type with
	  | JCTpointer (JCtag st', Some _, Some _) ->
	      assert
		(not (StringSet.mem st'.jc_struct_info_name forbidden_set));
	      st' :: acc
	   | JCTpointer (JCvariant vi, Some _, Some _) ->
	       assert false (* TODO *)
	   | _ -> assert false (* bug ? pas acc plutot ? *)
	       (* en plus c'est un pattern-matching fragile *)
	) [] fields
    in
    fields @ List.flatten (List.map (collect forbidden_set) fstructs)
  in
  let fields = collect (StringSet.singleton st.jc_struct_info_name) st in
  let fields =
    List.fold_left (fun acc fi -> FieldSet.add fi acc) FieldSet.empty fields
  in
  FieldSet.elements fields
*)
let field_sinfo fi =
  match fi.jc_field_info_type with
    | JCTpointer(JCtag(st, _), _, _) -> st
    | _ -> assert false

let field_bounds fi =
  match fi.jc_field_info_type with
    | JCTpointer(_,Some a,Some b) -> a,b | _ -> assert false

let pointer_struct = function
  | JCTpointer(JCtag(st, []), _, _) -> st
  | ty ->
      Format.printf "%a@." print_type ty;
      assert false

let pointer_class = function
  | JCTpointer(pc, _, _) -> pc
  | ty ->
      Format.printf "%a@." print_type ty;
      assert false

(*
let map_elements map =
  StringMap.fold (fun _ i acc -> i::acc) map []
*)

(*
let embedded_struct_roots st =
  let fields = embedded_struct_fields st in
  let structs =
    List.fold_left (fun acc fi -> StructSet.add (field_sinfo fi) acc)
      StructSet.empty fields
  in
  let structs = StructSet.elements structs in
  let roots =
    List.fold_left
      (fun acc st -> StringSet.add (root_name st) acc)
      StringSet.empty structs
  in
  StringSet.elements roots
*)
let struct_root st =
  match st.jc_struct_info_hroot.jc_struct_info_root with
    | Some vi -> vi
    | None ->
	raise (Invalid_argument
		 ("struct_root in jc_pervasives.ml ("
		  ^st.jc_struct_info_name^", "
		  ^st.jc_struct_info_hroot.jc_struct_info_name^")"))
	(* don't use struct_root before checking that every tag is used
         * in a type *)

let pointer_class_root = function
  | JCtag(st, _) -> struct_root st
  | JCroot vi -> vi

let rec pattern_vars acc pat =
  match pat#node with
    | JCPstruct(_, fpl) ->
	List.fold_left
	  (fun acc (_, pat) -> pattern_vars acc pat)
	  acc fpl
    | JCPvar vi ->
	StringMap.add vi.jc_var_info_name vi acc
    | JCPor(pat, _) ->
	pattern_vars acc pat
    | JCPas(pat, vi) ->
	pattern_vars (StringMap.add vi.jc_var_info_name vi acc) pat
    | JCPany | JCPconst _ ->
	acc

let root_is_plain_union rt = rt.jc_root_info_kind = RplainUnion
let root_is_discr_union rt = rt.jc_root_info_kind = RdiscrUnion
let root_is_union rt = root_is_plain_union rt || root_is_discr_union rt

let struct_of_plain_union st =
  let vi = struct_root st in vi.jc_root_info_kind = RplainUnion

let struct_of_discr_union st =
  let vi = struct_root st in vi.jc_root_info_kind = RdiscrUnion

let struct_of_union st =
  let vi = struct_root st in root_is_union vi

let union_of_field fi =
  let st = fi.jc_field_info_struct in
  let vi = struct_root st in
  assert (root_is_union vi);
  vi

let integral_union vi =
  assert (root_is_union vi);
  List.fold_left (fun acc st -> acc &&
		    match st.jc_struct_info_fields with
		      | [fi] -> is_integral_type fi.jc_field_info_type
		      | _ -> false
		 ) true vi.jc_root_info_hroots

let struct_has_bytesize st =
  List.fold_left
    (fun acc fi -> acc &&
       match fi.jc_field_info_bitsize with None -> false | Some _ -> true)
    true st.jc_struct_info_fields

let struct_bitsize st =
  List.fold_left
    (fun acc fi ->
       match fi.jc_field_info_bitsize with
	 | Some x -> acc + x
	 | None -> assert false)
    0 st.jc_struct_info_fields

let struct_bytesize st =
  struct_bitsize st / 8

let possible_struct_bytesize st =
  if struct_has_bytesize st then Some (struct_bytesize st) else None

(* These are only used by error messages, so feel free to change the strings. *)
let string_of_op = function
  | `Blt -> "<"
  | `Bgt -> ">"
  | `Ble -> "<="
  | `Bge -> ">="
  | `Beq -> "=="
  | `Bneq -> "!="
  | `Badd -> "+"
  | `Bsub -> "-"
  | `Bmul -> "*"
  | `Bdiv -> "/"
  | `Bmod -> "%"
  | `Bland -> "&&"
  | `Blor -> "||"
  | `Bimplies -> "==>"
  | `Biff -> "<=>"
  | `Bbw_and -> "&"
  | `Bbw_or -> "|"
  | `Bbw_xor -> "xor"
  | `Bshift_left -> "shift_left"
  | `Blogical_shift_right -> "logical_shift_right"
  | `Barith_shift_right -> "arith_shift_right"
  | `Uprefix_inc -> "prefix ++"
  | `Uprefix_dec -> "prefix --"
  | `Upostfix_inc -> "postfix ++"
  | `Upostfix_dec -> "prefix --"
  | `Uplus -> "unary +"
  | `Uminus -> "unary -"
  | `Unot -> "not"
  | `Ubw_not -> "bw not"
  | `Bconcat -> "strcat"

let string_of_op_type = function
  | `Integer -> "integer"
  | `Unit -> "unit"
  | `Real -> "real"
  | `Double -> "double"
  | `Float -> "single"
  | `Binary80 -> "binary80"
  | `Boolean -> "boolean"
  | `Pointer -> "pointer"
  | `Logic -> ""

let sign = JCTlogic ("sign",[])
let float_format = JCTlogic ("float_format",[])
let rounding_mode = JCTlogic ("rounding_mode",[])

(* Note: jessie does not support overloading. The right practice is
   to add suffixes to make precise the type of arguments

   TODO: rename integer_max to max_integer, real_abs to abs_real, etc.

*)


let builtin_logic_symbols =
  (* return type, jessie name, why name, parameter types *)
  [ Some real_type, "\\real_of_integer", "real_of_int", [integer_type] ;
    Some integer_type, "\\integer_max", "int_max", [integer_type; integer_type] ;
    Some integer_type, "\\integer_min", "int_min", [integer_type; integer_type] ;
    Some real_type, "\\real_max", "real_max", [real_type; real_type] ;
    Some real_type, "\\real_min", "real_min", [real_type; real_type] ;

    Some integer_type, "\\integer_abs", "abs_int", [integer_type] ;
    Some real_type, "\\real_abs", "abs_real", [real_type] ;
    Some integer_type, "\\truncate_real_to_int", "truncate_real_to_int", [real_type] ;
    Some integer_type, "\\integer_floor", "floor_int", [real_type] ;
    Some integer_type, "\\integer_ceil", "ceil_int", [real_type] ;

    Some integer_type, "\\int_pow", "pow_int", [integer_type; integer_type];

    Some real_type, "\\real_sqrt", "sqrt_real", [real_type];
    Some real_type, "\\real_pow", "pow_real", [real_type; real_type];
    Some real_type, "\\real_int_pow", "pow_real_int", [real_type; integer_type];

    Some real_type, "\\single_exact", "single_exact", [float_type];
    Some real_type, "\\double_exact", "double_exact", [double_type];
    Some real_type, "\\single_model", "single_model", [float_type];
    Some real_type, "\\double_model", "double_model", [double_type];



    Some real_type, "\\single_round_error", "single_round_error", [float_type];
   Some real_type, "\\double_round_error", "double_round_error", [double_type];
   Some real_type, "\\double_total_error", "double_total_error", [double_type];
    Some real_type, "\\single_total_error", "single_total_error", [float_type];
(*    Some real_type, "\\double_relative_error", "gen_relative_error", [double_type];
    Some real_type, "\\single_relative_error", "gen_relative_error", [float_type];
*)
    Some sign, "\\single_sign", "single_sign", [float_type];
    Some sign, "\\double_sign", "double_sign", [double_type];

    Some (JCTnative Tboolean), "\\single_is_finite", "single_is_finite", [float_type];
    Some (JCTnative Tboolean), "\\double_is_finite", "double_is_finite", [double_type];

    Some (JCTnative Tboolean), "\\single_is_infinite", "single_is_infinite", [float_type];
    Some (JCTnative Tboolean), "\\double_is_infinite", "double_is_infinite", [double_type];

    Some (JCTnative Tboolean), "\\single_is_NaN", "single_is_NaN", [float_type];
    Some (JCTnative Tboolean), "\\double_is_NaN", "double_is_NaN", [double_type];

    Some (JCTnative Tboolean), "\\single_is_minus_infinity", "single_is_minus_infinity", [float_type];
    Some (JCTnative Tboolean), "\\double_is_minus_infinity", "double_is_minus_infinity", [double_type];

    Some (JCTnative Tboolean), "\\single_is_plus_infinity", "single_is_plus_infinity", [float_type];
    Some (JCTnative Tboolean), "\\double_is_plus_infinity", "double_is_plus_infinity", [double_type];

    Some real_type, "\\exp", "exp", [real_type] ;
    Some real_type, "\\log", "log", [real_type] ;
    Some real_type, "\\log10", "log10", [real_type] ;

    Some real_type, "\\cos", "cos", [real_type] ;
    Some real_type, "\\sin", "sin", [real_type] ;
    Some real_type, "\\tan", "tan", [real_type] ;
    Some real_type, "\\pi", "pi", [] ;
    Some real_type, "\\cosh", "cosh", [real_type] ;
    Some real_type, "\\sinh", "sinh", [real_type] ;
    Some real_type, "\\tanh", "tanh", [real_type] ;
    Some real_type, "\\acos", "acos", [real_type] ;
    Some real_type, "\\asin", "asin", [real_type] ;
    Some real_type, "\\atan", "atan", [real_type] ;
    Some real_type, "\\atan2", "atan2", [real_type; real_type] ;
    Some real_type, "\\hypot", "hypot", [real_type; real_type] ;
    Some real_type, "\\round_float", "round_float", [float_format; rounding_mode; real_type];
    None, "\\no_overflow_single", "no_overflow_single", [rounding_mode; real_type];
    None, "\\no_overflow_double", "no_overflow_double", [rounding_mode; real_type];

    Some real_type, "\\round_single", "round_single", [rounding_mode; real_type];
    Some real_type, "\\round_double", "round_double", [rounding_mode; real_type];

    Some float_format, "\\Single", "Single", [];
    Some float_format, "\\Double", "Double", [];
    Some float_format, "\\Quad", "Quad", [];

    Some rounding_mode, "\\Down", "down", [];
    Some rounding_mode, "\\Up", "up", [];
    Some rounding_mode, "\\ToZero", "to_zero", [];
    Some rounding_mode, "\\NearestEven", "nearest_even", [];
    Some rounding_mode, "\\NearestAway", "nearest_away", [];

    Some sign, "\\Positive", "Positive", [];
    Some sign, "\\Negative", "Negative", [];

    Some (JCTnative Tboolean), "\\le_float", "le_single_full", [float_type;float_type];
    Some (JCTnative Tboolean), "\\le_double", "le_double_full", [double_type;double_type];

    Some (JCTnative Tboolean), "\\lt_float", "lt_single_full", [float_type;float_type];
    Some (JCTnative Tboolean), "\\lt_double", "lt_double_full", [double_type;double_type];

    Some (JCTnative Tboolean), "\\ge_float", "ge_single_full", [float_type;float_type];
    Some (JCTnative Tboolean), "\\ge_double", "ge_double_full", [double_type;double_type];

    Some (JCTnative Tboolean), "\\gt_float", "gt_single_full", [float_type;float_type];
    Some (JCTnative Tboolean), "\\gt_double", "gt_double_full", [double_type;double_type];

    Some (JCTnative Tboolean), "\\eq_float", "eq_single_full", [float_type;float_type];
    Some (JCTnative Tboolean), "\\eq_double", "eq_double_full", [double_type;double_type];

    Some (JCTnative Tboolean), "\\ne_float", "ne_single_full", [float_type;float_type];
    Some (JCTnative Tboolean), "\\ne_double", "ne_double_full", [double_type;double_type];
]

let treatdouble = TreatGenFloat (`Double :> float_format)

let treatfloat = TreatGenFloat (`Float :> float_format)

let builtin_function_symbols =
  (* return type, jessie name, why name, parameter types, special treatment *)
  [
    real_type, "\\real_of_integer", "real_of_int", [integer_type], TreatNothing ;
    double_type, "\\double_sqrt", "sqrt_double", [double_type], treatdouble ;
    float_type, "\\float_sqrt", "sqrt_single", [float_type], treatfloat ;
    double_type, "\\double_abs", "abs_double", [double_type], treatdouble ;
    float_type, "\\float_abs", "abs_single", [float_type], treatfloat ;
    double_type, "\\neg_double", "neg_double", [double_type], treatdouble ;
    float_type, "\\neg_float", "neg_single", [float_type], treatfloat ;
]

module StringSet = Set.Make(String)

module IntSet = Set.Make(struct type t = int let compare = compare end)

module StringHashtblIter =
struct
  type 'a t = (string, 'a) Hashtbl.t * StringSet.t ref
  let create x = (Hashtbl.create x, ref StringSet.empty)
  let add (tbl, keys) x infos =
    Hashtbl.add tbl x infos;
    keys:=StringSet.add x !keys
  let replace (tbl, keys) x infos =
    Hashtbl.replace tbl x infos;
    keys:=StringSet.add x !keys
  let find (tbl,_) x = Hashtbl.find tbl x
  let fold f (tbl,keys) init =
    let apply s acc =
      try
        let infos = Hashtbl.find tbl s in f s infos acc
      with Not_found -> assert false
    in StringSet.fold apply !keys init
  let iter f t = fold (fun s i () -> f s i) t ()
end

module IntHashtblIter =
struct
  type 'a t = (int, 'a) Hashtbl.t * IntSet.t ref
  let create x = (Hashtbl.create x, ref IntSet.empty)
  let add (tbl, keys) x infos =
    Hashtbl.add tbl x infos;
    keys:=IntSet.add x !keys
  let replace (tbl, keys) x infos =
    Hashtbl.replace tbl x infos;
    keys:=IntSet.add x !keys
  let find (tbl,_) x = Hashtbl.find tbl x
  let fold f (tbl,keys) init =
    let apply s acc =
      try
        let infos = Hashtbl.find tbl s in f s infos acc
      with Not_found -> assert false
    in IntSet.fold apply !keys init
  let iter f t = fold (fun n i () -> f n i) t ()
end


(*
Local Variables:
compile-command: "LC_ALL=C make -j -C .. bin/jessie.byte"
End:
*)

why-2.39/jc/output.ml0000644000106100004300000016212613147234006013527 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



open Format
open Pp

let why3syntax = ref false

type constant =
  | Prim_void
  | Prim_int of string
  | Prim_real of string
  | Prim_bool of bool
(*
  | Prim_string of string
*)

let fprintf_constant form e =
  match e with
    | Prim_void ->
        if !why3syntax then
          fprintf form "()"
        else
          fprintf form "void"
    | Prim_int(n) ->
          fprintf form "(%s)" n
    | Prim_real(f) -> fprintf form "%s" f
    | Prim_bool(b) ->
        if !why3syntax then
          fprintf form "%s" (if b then "Bool.True" else "Bool.False")
        else
          fprintf form "%b" b
(*
    | Prim_string s -> fprintf form "\"%s\"" s
*)

type term =
  | LConst of constant
  | LApp of string * term list
  | LVar of string                  (*r immutable logic var *)
  | LDeref of string                     (*r !r *)
  | LDerefAtLabel of string * string     (*r x@L *)
  | Tnamed of string * term
  | TIf of term * term * term
  | TLet of string * term * term

let rec iter_term f t =
  match t with
  | LConst(_c) -> ()
  | LApp(id,l) -> f id; List.iter (iter_term f) l
  | LVar id | LDeref id | LDerefAtLabel(id,_) -> f id
  | Tnamed(_,t) -> iter_term f t
  | TIf(t1,t2,t3) ->
      iter_term f t1; iter_term f t2; iter_term f t3
  | TLet(id,t1,t2) ->
      f id; iter_term f t1; iter_term f t2

let rec match_term acc t1 t2 =
  match t1, t2 with
    | LVar id, _ -> (id,t2)::acc
    | LApp(id1,l1), LApp(id2,l2) when id1 = id2 ->
      List.fold_left2 match_term acc l1 l2
    | _ -> invalid_arg "match_term : t1 is not a valid context"

let why3id s =
  match s.[0] with
  | 'A'..'Z' -> "_" ^ s
  | _ ->
      if Why3_kw.is_why3_keyword s then s ^ "_why3" else s


let why3constr s =
  match s.[0] with
  | 'A'..'Z' -> s
  | 'a'..'z' -> String.capitalize s
  | _ -> "U_" ^ s

let why3id_if s =
  if !why3syntax then why3id s else s

let why3ident s =
  match s with
        (* booleans *)
    | "not" -> "not"
    | "bool_and" -> "Bool.andb"
    | "bool_or" -> "Bool.orb"
    | "bool_xor" -> "Bool.xorb"
    | "bool_not" -> "Bool.notb"
        (* integers *)
    | "le_int" -> "Int.(<=)"
    | "le_int_" -> "Int.(<=)"
    | "le_int_bool" -> "Int.(<=)"
    | "ge_int" -> "Int.(>=)"
    | "ge_int_" -> "Int.(>=)"
    | "ge_int_bool" -> "Int.(>=)"
    | "lt_int" -> "Int.(<)"
    | "lt_int_" -> "Int.(<)"
    | "lt_int_bool" -> "Int.(<)"
    | "gt_int" -> "Int.(>)"
    | "gt_int_" -> "Int.(>)"
    | "gt_int_bool" -> "Int.(>)"
    | "add_int" -> "Int.(+)"
    | "sub_int" -> "Int.(-)"
    | "neg_int" -> "Int.(-_)"
    | "mul_int" -> "Int.(*)"
    | "computer_div" -> "ComputerDivision.div"
    | "computer_mod" -> "ComputerDivision.mod"
    | "int_min" -> "IntMinMax.min"
    | "int_max" -> "IntMinMax.max"
        (* reals *)
    | "le_real" -> "Real.(<=)"
    | "le_real_" -> "Real.(<=)"
    | "le_real_bool" -> "Real.(<=)"
    | "ge_real" -> "Real.(>=)"
    | "ge_real_" -> "Real.(>=)"
    | "ge_real_bool" -> "Real.(>=)"
    | "lt_real" -> "Real.(<)"
    | "lt_real_" -> "Real.(<)"
    | "lt_real_bool" -> "Real.(<)"
    | "gt_real" -> "Real.(>)"
    | "gt_real_" -> "Real.(>)"
    | "gt_real_bool" -> "Real.(>)"
    | "add_real" -> "Real.(+)"
    | "sub_real" -> "Real.(-)"
    | "neg_real" -> "Real.(-_)"
    | "mul_real" -> "Real.(*)"
    | "div_real" -> "Real.(/)"
        (* real functions *)
    | "real_of_int" -> "FromInt.from_int"
    | "truncate_real_to_int" -> "Truncate.truncate"
    | "floor_int" -> "Truncate.floor"
    | "ceil_int" -> "Truncate.ceil"
    | "real_min" -> "RealMinMax.min"
    | "real_max" -> "RealMinMax.max"
    | "abs_int" -> "AbsInt.abs"
    | "abs_real" -> "AbsReal.abs"
    | "sqrt_real" -> "Square.sqrt"
    | "pow_int" -> "Power.power"
    | "pow_real" -> "PowerReal.pow"
    | "pow_real_int" -> "PowerInt.power"
    | "exp" -> "ExpLog.exp"
    | "log" -> "ExpLog.log"
    | "cos" -> "Trigonometry.cos"
    | "sin" -> "Trigonometry.sin"
    | "tan" -> "Trigonometry.tan"
    | "atan" -> "Trigonometry.atan"
        (* floats *)
    | "nearest_even" -> "Rounding.NearestTiesToEven"
    | "down" -> "Rounding.Down"
    | "up" -> "Rounding.Up"
    | "nearest_away" -> "Rounding.NearestTiesToAway"
    | "to_zero" -> "Rounding.ToZero"
    | "single_value" -> "Single.value"
    | "single_exact" -> "Single.exact"
    | "single_round_error" -> "Single.round_error"
    | "round_single" -> "Single.round"
    | "round_single_logic" -> "Single.round_logic"
    | "no_overflow_single" -> "Single.no_overflow"
    | "double_value" -> "Double.value"
    | "double_exact" -> "Double.exact"
    | "double_round_error" -> "Double.round_error"
    | "round_double" -> "Double.round"
    | "round_double_logic" -> "Double.round_logic"
    | "no_overflow_double" -> "Double.no_overflow"
        (* floats full *)
    | "le_double_full" -> "Double.le"
    | "lt_double_full" -> "Double.lt"
    | "ge_double_full" -> "Double.ge"
    | "gt_double_full" -> "Double.gt"
    | "eq_double_full" -> "Double.eq"
    | "ne_double_full" -> "Double.ne"
    | "double_is_finite" -> "Double.is_finite"
    | "double_is_infinite" -> "Double.is_infinite"
    | "double_is_plus_infinity" -> "Double.is_plus_infinity"
    | "double_is_minus_infinity" -> "Double.is_minus_infinity"
    | "double_is_NaN" -> "Double.is_NaN"
    | "double_sign" -> "Double.sign"
    | "Positive" -> "SpecialValues.Pos"
    | "Negative" -> "SpecialValues.Neg"
    | _ -> why3id s

let why3ident_if s =
  if !why3syntax then why3ident s else s

let why3param s =
  match s with
    | "le_int_" -> "Int.(<=)"
    | "ge_int_" -> "Int.(>=)"
    | "lt_int_" -> "Int.(<)"
    | "gt_int_" -> "Int.(>)"
        (* reals *)
    | "le_real_" -> "Real.(<=)"
    | "ge_real_" -> "Real.(>=)"
    | "lt_real_" -> "Real.(<)"
    | "gt_real_" -> "Real.(>)"
    | _ -> why3ident s



let why3_ComputerDivision = ref false
let why3_IntMinMax = ref false
let why3_reals = ref false
let why3_FromInt = ref false
let why3_Truncate = ref false
let why3_Square = ref false
let why3_Power = ref false
let why3_PowerInt = ref false
let why3_PowerReal = ref false
let why3_RealMinMax = ref false
let why3_AbsInt = ref false
let why3_AbsReal = ref false
let why3_ExpLog = ref false
let why3_Trigonometry = ref false

let compute_why3_dependencies f =
  match f with
    | "computer_div"
    | "computer_mod" -> why3_ComputerDivision := true
    | "int_min"
    | "int_max" -> why3_IntMinMax := true
    | "add_real"
    | "sub_real"
    | "neg_real"
    | "mul_real"
    | "div_real" -> why3_reals := true
    | "sqrt_real" -> why3_Square := true
    | "pow_int" -> why3_Power := true
    | "pow_real_int" -> why3_PowerInt := true
    | "pow_real" -> why3_PowerReal := true
    | "real_of_int" -> why3_FromInt := true
    | "floor_int" | "ceil_int"
    | "truncate_real_to_int" -> why3_Truncate := true
    | "real_min"
    | "real_max" -> why3_RealMinMax := true
    | "abs_int" -> why3_AbsInt := true
    | "abs_real" -> why3_AbsReal := true
    | "exp" | "log" -> why3_ExpLog := true
    | "cos"
    | "sin"
    | "tan"
    | "atan" -> why3_Trigonometry := true
    | _ -> ()


(* localization *)

type kind =
  | VarDecr
  | ArithOverflow
  | DownCast
  | IndexBounds
  | PointerDeref
  | UserCall
  | DivByZero
  | AllocSize
  | Pack
  | Unpack
  | FPoverflow


(*
let pos_table :
    (string, (kind option * string option * string option *
             string * int * int * int))
    Hashtbl.t
    = Hashtbl.create 97
*)

let old_pos_table = Hashtbl.create 97

let name_counter = ref 0

let old_reg_pos prefix ?id ?kind ?name ?formula pos =
  let id = match id with
    | None ->
	incr name_counter;
	prefix ^ "_" ^ string_of_int !name_counter
    | Some n -> n
  in
  Hashtbl.add old_pos_table id (kind,name,formula,pos);
  id

let print_kind fmt k =
  fprintf fmt "%s"
    (match k with
       | VarDecr -> "VarDecr"
       | Pack -> "Pack"
       | Unpack -> "Unpack"
       | DivByZero -> "DivByZero"
       | AllocSize -> "AllocSize"
       | UserCall -> "UserCall"
       | PointerDeref -> "PointerDeref"
       | IndexBounds -> "IndexBounds"
       | DownCast -> "DownCast"
       | ArithOverflow -> "ArithOverflow"
       | FPoverflow -> "FPOverflow")

let print_kind_why3 fmt k =
  fprintf fmt "%s"
    (match k with
       | VarDecr -> "variant decreases"
       | Pack -> "pack"
       | Unpack -> "unpack"
       | DivByZero -> "division by zero"
       | AllocSize -> "allocation size"
       | UserCall -> "precondition for call"
       | PointerDeref -> "pointer dereference"
       | IndexBounds -> "index bounds"
       | DownCast -> "downcast"
       | ArithOverflow -> "arithmetic overflow"
       | FPoverflow -> "floating-point overflow")

let abs_fname f =
  if Filename.is_relative f then
    Filename.concat (Unix.getcwd ()) f
  else f

(*
let print_pos fmt =
  Hashtbl.iter
    (fun id (kind,name,formula,f,l,fc,lc) ->
       fprintf fmt "[%s]@\n" id;
       Option_misc.iter
	 (fun k -> fprintf fmt "kind = %a@\n" print_kind k) kind;
       Option_misc.iter
	 (fun n -> fprintf fmt "name = \"%s\"@\n" n) name;
       Option_misc.iter
	 (fun n -> fprintf fmt "formula = \"%s\"@\n" n) formula;
(*
       let f = b.Lexing.pos_fname in
*)
       fprintf fmt "file = \"%s\"@\n"
         (String.escaped (abs_fname f));
(*
       let l = b.Lexing.pos_lnum in
       let fc = b.Lexing.pos_cnum - b.Lexing.pos_bol in
       let lc = e.Lexing.pos_cnum - b.Lexing.pos_bol in
*)
       fprintf fmt "line = %d@\n" l;
       fprintf fmt "begin = %d@\n" fc;
       fprintf fmt "end = %d@\n@\n" lc)
    pos_table
*)

let old_print_pos fmt =
  Hashtbl.iter
    (fun id (kind,name,formula,(f,l,fc,lc)) ->
       fprintf fmt "[%s]@\n" id;
       Option_misc.iter
	 (fun k -> fprintf fmt "kind = %a@\n" print_kind k) kind;
       Option_misc.iter
	 (fun n -> fprintf fmt "name = \"%s\"@\n" n) name;
       Option_misc.iter
	 (fun n -> fprintf fmt "formula = \"%s\"@\n" n) formula;
       fprintf fmt "file = \"%s\"@\n"
         (String.escaped (abs_fname f));
       fprintf fmt "line = %d@\n" l;
       fprintf fmt "begin = %d@\n" fc;
       fprintf fmt "end = %d@\n@\n" lc)
    old_pos_table


let my_pos_table :
    (string, (kind option * string option * string option *
             string * int * int * int))
    Hashtbl.t
    = Hashtbl.create 97

let my_add_pos m pos = Hashtbl.add my_pos_table m pos

let my_print_locs fmt =
  Hashtbl.iter
    (fun id (kind,name,beh,f,l,fc,lc) ->
       fprintf fmt "[%s]@\n" id;
       Option_misc.iter
         (fun k -> fprintf fmt "kind = %a@\n" print_kind k) kind;
       Option_misc.iter
         (fun n -> fprintf fmt "name = \"%s\"@\n" n) name;
       Option_misc.iter
	 (fun b -> fprintf fmt "behavior = \"%s\"@\n" b) beh;
       fprintf fmt "file = \"%s\"@\n" (String.escaped f);
       fprintf fmt "line = %d@\n" l;
       fprintf fmt "begin = %d@\n" fc;
       fprintf fmt "end = %d@\n@\n" lc)
    my_pos_table

let why3_prloc fmt (f,l,fc,lc) =
  fprintf fmt "#\"%s\" %d %d %d#" f l (max fc 0) (max lc 0)

let why3loc ~prog fmt lab =
  try
    let (k,n,beh,f,l,fc,lc) = Hashtbl.find my_pos_table lab in
    begin
      match n,beh,k with
        | Some n, None,_ -> fprintf fmt "\"expl:%s\"@ " n
        | Some n, Some b,_ -> fprintf fmt "\"expl:%s, %s\"@ " n b
        | None, _, Some k -> fprintf fmt "\"expl:%a\"@ " print_kind_why3 k
        | _ -> ()
    end;
(*
    Option_misc.iter (fun n -> fprintf fmt "\"fun:%s\"@ " n) n;
    Option_misc.iter (fun b -> fprintf fmt "\"beh:%s\"@ " b) beh;
    Option_misc.iter (fun k -> fprintf fmt "\"expl:%a\"@ " print_kind_why3 k) k;
*)
    why3_prloc fmt (f,l,fc,lc)
  with
      Not_found ->
        if prog then
          fprintf fmt "'%s: " (why3constr lab)
        else
          fprintf fmt "\"%s\"" lab

let why3_locals = Hashtbl.create 97

let is_why3_local id = Hashtbl.mem why3_locals id

let add_why3_local id = Hashtbl.add why3_locals id ()

let () = add_why3_local "result"

let remove_why3_local id = Hashtbl.remove why3_locals id

type logic_type =
    { logic_type_name : string;
      logic_type_args : logic_type list;
    }
(*r int, float, int list, ... *)

let is_prop t = t.logic_type_name = "prop"

let logic_type_var s = { logic_type_name = "'"^s;
                   logic_type_args = [];
                 }

let rec iter_logic_type f t =
  f t.logic_type_name;
  List.iter (iter_logic_type f) t.logic_type_args

type assertion =
  | LTrue | LFalse
  | LAnd of assertion * assertion
  | LOr of assertion * assertion
  | LIff of assertion * assertion
  | LNot of assertion
  | LImpl of assertion * assertion
  | LIf of term * assertion * assertion
  | LLet of string * term * assertion
      (*r warning: only for Coq assertions *)
  | LForall of string * logic_type * trigger list list * assertion
      (*r forall x:t.a *)
  | LExists of string * logic_type * trigger list list * assertion
      (*r exists x:t.a *)
  | LPred of string * term list
  | LNamed of string * assertion
and trigger =
  |LPatP of assertion
  |LPatT of term


let rec unname a =
  match a with
    | LNamed(_,a) -> unname a
    | _ -> a

let is_not_true a =
  match unname a with
    | LTrue -> false
    | _ -> true

let make_var s = LVar s

let make_not a1 =
  match unname a1 with
    | LTrue -> LFalse
    | LFalse -> LTrue
    | _ -> LNot a1

let make_or a1 a2 =
  match (unname a1,unname a2) with
    | (LTrue,_) -> LTrue
    | (_,LTrue) -> LTrue
    | (LFalse,_) -> a2
    | (_,LFalse) -> a1
    | (_,_) -> LOr(a1,a2)

let make_and a1 a2 =
  match (unname a1,unname a2) with
    | (LTrue, _) -> a2
    | (_,LTrue) -> a1
    | (LFalse,_) -> LFalse
    | (_,LFalse) -> LFalse
    | (_,_) -> LAnd(a1,a2)

let rec make_and_list l =
  match l with
    | [] -> LTrue
    | f::r -> make_and f (make_and_list r)

let rec make_or_list l =
  match l with
    | [] -> LFalse
    | f::r -> make_or f (make_or_list r)

let rec make_forall_list l triggers assertion =
  match l with
    | [] -> assertion
    | [s,ty] -> LForall(s,ty,triggers,assertion)
    | (s,ty)::l -> LForall(s,ty,[],make_forall_list l triggers assertion)

let make_impl a1 a2 =
  match (unname a1,unname a2) with
    | (LTrue,_) -> a2
    | (_,LTrue) -> LTrue
    | (LFalse,_) -> LTrue
    | (_,LFalse) -> LNot(a1)
    | (_,_) -> LImpl(a1,a2)

let rec make_impl_list conclu = function
  | [] -> conclu
  | a::l -> LImpl(a,make_impl_list conclu l)

let make_equiv a1 a2 =
  match (unname a1,unname a2) with
    | (LTrue,_) -> a2
    | (_,LTrue) -> a1
    | (LFalse,_) -> make_not a2
    | (_,LFalse) -> make_not a1
    | (_,_) -> LIff(a1,a2)

let rec iter_assertion f a =
  match a with
  | LTrue -> ()
  | LFalse -> ()
  | LAnd(a1,a2) -> iter_assertion f a1; iter_assertion f a2
  | LOr(a1,a2) -> iter_assertion f a1; iter_assertion f a2
  | LIff(a1,a2) -> iter_assertion f a1; iter_assertion f a2
  | LNot(a1) -> iter_assertion f a1
  | LImpl(a1,a2) -> iter_assertion f a1; iter_assertion f a2
  | LIf(t,a1,a2) ->
      iter_term f t; iter_assertion f a1; iter_assertion f a2
  | LLet(_id,t,a) -> iter_term f t; iter_assertion f a
  | LForall(_id,t,trigs,a) -> iter_logic_type f t;
      iter_triggers f trigs;
      iter_assertion f a
  | LExists(_id,t,trigs,a) -> iter_logic_type f t;
      iter_triggers f trigs;
      iter_assertion f a
  | LPred(id,l) -> f id; List.iter (iter_term f) l
  | LNamed (_, a) -> iter_assertion f a

and iter_triggers f trigs =
  List.iter (List.iter
               (function
                  | LPatP a -> iter_assertion f a
                  | LPatT t -> iter_term f t)) trigs


let logic_type_name t =
  if !why3syntax then
    match t.logic_type_name with
      | "unit" -> "()"
      | "bool" -> "Bool.bool"
      | s -> why3ident s
  else
    t.logic_type_name

let rec fprintf_logic_type form t =
  match t.logic_type_args with
    | [] -> fprintf form "%s" (logic_type_name t)
    | [x] ->
        if !why3syntax then
	  fprintf form "(%s %a)" (logic_type_name t) fprintf_logic_type x
        else
	  fprintf form "%a %s" fprintf_logic_type x t.logic_type_name
    | l ->
        if !why3syntax then
	  fprintf form "(%s %a)"
	    (logic_type_name t)
	    (print_list space fprintf_logic_type) l
        else
	  fprintf form "(%a) %s"
	    (print_list simple_comma fprintf_logic_type) l
	    t.logic_type_name

let rec bool_to_prop t =
  match t with
    | LConst (Prim_bool true) -> LTrue
    | LConst (Prim_bool false) -> LFalse
    | LApp("bool_not",[t1]) -> LNot(bool_to_prop t1)
    | LApp("bool_and",[t1;t2]) -> LAnd(bool_to_prop t1,bool_to_prop t2)
    | LApp("bool_or",[t1;t2]) -> LOr(bool_to_prop t1,bool_to_prop t2)
    | LApp("lt_int_bool",[t1;t2]) -> LPred("lt_int",[t1;t2])
    | LApp("le_int_bool",[t1;t2]) -> LPred("le_int",[t1;t2])
    | LApp("gt_int_bool",[t1;t2]) -> LPred("gt_int",[t1;t2])
    | LApp("ge_int_bool",[t1;t2]) -> LPred("ge_int",[t1;t2])
    | LApp("lt_real_bool",[t1;t2]) -> LPred("lt_real",[t1;t2])
    | LApp("le_real_bool",[t1;t2]) -> LPred("le_real",[t1;t2])
    | LApp("gt_real_bool",[t1;t2]) -> LPred("gt_real",[t1;t2])
    | LApp("ge_real_bool",[t1;t2]) -> LPred("ge_real",[t1;t2])
      (** by default *)
    | _ -> LPred("eq",[t;LConst(Prim_bool true)])

let is_why3_poly_eq, is_why3_poly_neq =
  let eqs = ["eq_int"; "eq_bool"; "eq_real"; "eq_int_"; "eq_bool_"; "eq_real_"] in
  ListLabels.mem ~set:eqs, ListLabels.mem ~set:(List.map ((^) "n") eqs)

let rec fprintf_term form t =
  match t with
  | LConst(c) -> fprintf_constant form c
  | LApp("eq_pointer",[t1;t2]) ->
      fprintf form "@[(%a=%a)@]"
	fprintf_term t1
	fprintf_term t2
  | LApp("ne_pointer",[t1;t2]) ->
      fprintf form "@[(%a<>%a)@]"
	fprintf_term t1
	fprintf_term t2
  | LApp(id,t::tl) ->
      if !why3syntax then
        begin
          fprintf form "@[(%s@ %a" (why3ident id) fprintf_term t;
          List.iter (fun t -> fprintf form "@ %a" fprintf_term t) tl;
          fprintf form ")@]"
        end
      else
        begin
          fprintf form "@[%s(%a" id fprintf_term t;
          List.iter (fun t -> fprintf form ",@ %a" fprintf_term t) tl;
          fprintf form ")@]"
        end
  | LApp(id,[]) ->
      fprintf form "%s" (why3ident_if id)
  | LVar id ->
      fprintf form "%s" (why3ident_if id)
  | LDeref id ->
      if !why3syntax then
        if is_why3_local id then
          fprintf form "%s" (why3ident_if id)
        else
          fprintf form "!%s" (why3ident id)
      else
        fprintf form "%s" id
  | LDerefAtLabel(id,l) ->
      if !why3syntax then
        if l="" then
          fprintf form "(old !%s)" (why3ident id)
        else
          fprintf form "(at !%s '%s)" (why3ident id) (why3constr l)
      else
        fprintf form "%s@@%s" id l
  | Tnamed(lab,t) ->
      if !why3syntax then
        fprintf form "(%a %a)" (why3loc ~prog:false) lab fprintf_term t
      else
        fprintf form "(%s : %a)" lab fprintf_term t
  | TIf(t1,t2,t3) ->
    if !why3syntax then
      let f = bool_to_prop t1 in
      fprintf form "@[(if %a@ then %a@ else %a)@]"
        fprintf_assertion f fprintf_term t2 fprintf_term t3
    else
      fprintf form "@[(if %a@ then %a@ else %a)@]"
        fprintf_term t1 fprintf_term t2 fprintf_term t3
  | TLet(v,t1,t2) ->
      fprintf form "@[(let %s@ = %a@ in %a)@]" v
	fprintf_term t1 fprintf_term t2

and fprintf_assertion form a =
  match a with
  | LTrue -> fprintf form "true"
  | LFalse -> fprintf form "false"
  | LAnd(a1,a2) ->
      fprintf form "@[(%a@ %s %a)@]"
	fprintf_assertion a1
        (if !why3syntax then "/\\" else "and")
	fprintf_assertion a2
  | LOr(a1,a2) ->
      fprintf form "@[(%a@ %s %a)@]"
	fprintf_assertion a1
        (if !why3syntax then "\\/" else "or")
	fprintf_assertion a2
  | LIff(a1,a2) ->
      fprintf form "@[(%a@ <-> %a)@]"
	fprintf_assertion a1
	fprintf_assertion a2
  | LNot(a1) ->
      fprintf form "@[(not %a)@]"
	fprintf_assertion a1
  | LImpl(a1,a2) ->
      fprintf form "@[(%a ->@ %a)@]"
	fprintf_assertion a1 fprintf_assertion a2
  | LIf(t,a1,a2) when !why3syntax ->
      fprintf form "@[(if %a@ = True@ then %a@ else %a)@]"
	fprintf_term t fprintf_assertion a1 fprintf_assertion a2
  | LIf(t,a1,a2) ->
      fprintf form "@[(if %a@ then %a@ else %a)@]"
	fprintf_term t fprintf_assertion a1 fprintf_assertion a2
  | LLet(id,t,a) ->
      fprintf form "@[(let @[%s =@ %a in@]@ %a)@]" id
	fprintf_term t fprintf_assertion a
  | LForall(id,t,trigs,a) when !why3syntax ->
      fprintf form "@[(forall@ %s:@,%a@,%a@,.@ %a)@]"
	(why3ident id) fprintf_logic_type t
        fprintf_triggers trigs fprintf_assertion a
  | LForall(id,t,trigs,a) ->
      fprintf form "@[(forall@ %s:@,%a@,%a@,.@ %a)@]"
	id fprintf_logic_type t fprintf_triggers trigs fprintf_assertion a
  | LExists(id,t,trigs,a) ->
      fprintf form "@[(exists %s:%a%a.@ %a)@]"
	id fprintf_logic_type t fprintf_triggers trigs fprintf_assertion a
(*
  | LPred(id,[t1;t2]) when is_eq id->
      fprintf form "@[(%a = %a)@]"
	fprintf_term t1
	fprintf_term t2
*)
  | LPred("le",[t1;t2]) ->
      fprintf form "@[(%a <= %a)@]"
	fprintf_term t1
	fprintf_term t2
  | LPred("ge",[t1;t2]) ->
      fprintf form "@[(%a >= %a)@]"
	fprintf_term t1
	fprintf_term t2
  | LPred(id,[t1;t2]) when id = "eq" || !why3syntax && is_why3_poly_eq id ->
      fprintf form "@[(%a = %a)@]"
	fprintf_term t1
	fprintf_term t2
  | LPred("neq",[t1;t2]) ->
      fprintf form "@[(%a <> %a)@]"
	fprintf_term t1
	fprintf_term t2
  | LPred(id,t::tl) ->
      if !why3syntax then
        begin
          fprintf form "@[(%s@ %a" (why3ident id) fprintf_term t;
          List.iter (fun t -> fprintf form "@ %a" fprintf_term t) tl;
          fprintf form ")@]"
        end
      else
        begin
          fprintf form "@[%s(%a" id fprintf_term t;
          List.iter (fun t -> fprintf form ",@ %a" fprintf_term t) tl;
          fprintf form ")@]"
        end
  | LPred (id, []) ->
      fprintf form "%s" (why3ident_if id)
  | LNamed (n, a) ->
      if !why3syntax then
        fprintf form "@[(%a@ %a)@]" (why3loc ~prog:false) n fprintf_assertion a
      else
        fprintf form "@[(%s:@ %a)@]" n fprintf_assertion a

and fprintf_triggers fmt trigs =
  let pat fmt = function
    | LPatT t -> fprintf_term fmt t
    | LPatP p -> fprintf_assertion fmt p in
  print_list_delim lsquare rsquare alt (print_list comma pat) fmt trigs

(*s types *)


type why_type =
  | Prod_type of string * why_type * why_type      (*r (x:t1)->t2 *)
  | Base_type of logic_type
  | Ref_type of why_type
  | Annot_type of
      assertion * why_type *
      string list * string list * assertion * ((string * assertion) list)
	(*r { P } t reads r writes w { Q | E => R } *)
;;

let base_type s = Base_type { logic_type_name = s ; logic_type_args = [] }
let int_type = base_type "int"
let bool_type = base_type "bool"
let unit_type = base_type "unit"

let option_iter f x =
  match x with
    | None -> ()
    | Some y -> f y
;;


let rec iter_why_type f t =
  match t with
    | Prod_type(_,t1,t2) ->
	iter_why_type f t1; iter_why_type f t2
    | Base_type b -> iter_logic_type f b
    | Ref_type(t) -> iter_why_type f t
    | Annot_type (pre,t,reads,writes,post,signals) ->
	iter_assertion f pre;
	iter_why_type f t;
	List.iter f reads;
	List.iter f writes;
	iter_assertion f post;
	List.iter (fun (id,a) -> f id; iter_assertion f a) signals
;;


let rec fprint_comma_string_list form l =
  match l with
    | [] -> ()
    | x::l ->
	fprintf form ",%s" x;
	fprint_comma_string_list form l
;;

let rec fprintf_type ~need_colon anon form t =
  match t with
    | Prod_type(id,t1,t2) ->
	  if !why3syntax then
            let id = if id="" || anon then "_anonymous" else id in
            fprintf form "@[(%s:%a)@ %a@]" (why3ident id)
	    (fprintf_type ~need_colon:false anon) t1
              (fprintf_type ~need_colon anon) t2
          else
	    if id="" || anon then
	      fprintf form "@[%a ->@ %a@]"
	        (fprintf_type ~need_colon:false anon) t1
                (fprintf_type ~need_colon anon) t2
	    else
	      fprintf form "@[%s:%a ->@ %a@]" id
	        (fprintf_type ~need_colon:false anon) t1
                (fprintf_type ~need_colon anon) t2
    | Base_type t  ->
        if need_colon then fprintf form ": ";
	fprintf_logic_type form t
    | Ref_type(t) ->
        if need_colon then fprintf form ": ";
	if !why3syntax then
          fprintf form "ref %a" (fprintf_type ~need_colon:false anon) t
        else
          fprintf form "%a ref" (fprintf_type ~need_colon:false anon) t
    | Annot_type(p,t,reads,writes,q,signals) ->
	begin
          if need_colon then fprintf form ": ";
          if !why3syntax then
            begin
	      fprintf form "%a@ " (fprintf_type ~need_colon:false anon) t;
	      fprintf form "@[@[requires { %a }@]@ "
                fprintf_assertion p;
            end
          else
            begin
	      fprintf form "@[@[{ ";
	      if is_not_true p
	      then fprintf_assertion form p;
	      fprintf form "}@]@ %a@ " (fprintf_type ~need_colon:false anon) t
            end;
	  begin
	    match List.sort compare reads with
	      | [] -> ()
	      | r::l as reads ->
                  if !why3syntax then
		    fprintf form "reads@ { %a } @ "
                      (print_list comma
                         (fun form r -> fprintf form "%s" (why3ident r))) reads
                  else
		  fprintf form "reads %s%a@ " r fprint_comma_string_list l
	  end;
	  begin
	    match List.sort compare writes with
	      | [] -> ()
	      | r::l as writes ->
                  if !why3syntax then
		    fprintf form "writes@ { %a }@ "
                      (print_list comma
                         (fun form r -> fprintf form "%s" (why3ident r))) writes
                  else
		    fprintf form "writes %s%a@ " r fprint_comma_string_list l
	  end;
	  begin
	    match signals with
	      | [] ->
                  if !why3syntax then
		    fprintf form "@[ ensures { %a }@]@]" fprintf_assertion q
                  else
		    fprintf form "@[{ %a }@]@]" fprintf_assertion q
	      | l ->
                  if !why3syntax then
		    begin
                      fprintf form "@[ ensures { %a@ }@]@ "
		        fprintf_assertion q;
		      List.iter
                         (fun (e,r) ->
			    fprintf form "@[raises { %s result ->@ %a }@]" e
			      fprintf_assertion r)
		        l
                    end
                  else
		    fprintf form
		      "raises%a@ @[{ %a@ | %a }@]@]"
		      (print_list comma (fun fmt (e,_r) -> fprintf fmt " %s" e))
		      l
		      fprintf_assertion q
		      (print_list alt (fun fmt (e,r) ->
				         fprintf fmt "@[%s =>@ %a@]" e
					   fprintf_assertion r))
		      l
	  end

	end
;;


(*s expressions *)

type variant = term * string option

type opaque = bool

type assert_kind = [`ASSERT | `CHECK]

type expr_node =
  | Cte of constant
  | Var of string
  | And of expr * expr
  | Or of expr * expr
  | Not of expr
  | Void
  | Deref of string
  | If of expr * expr * expr
  | While of
      expr (* loop condition *)
      * assertion (* invariant *)
      * variant option (* variant *)
      * expr list (* loop body *)
  | Block of expr list
  | Assign of string * expr
  | MultiAssign of string * Loc.position * (string * expr) list *
      bool * term * expr * string * expr * string *
      (int * bool * bool * string) list
  | Let of string * expr * expr
  | Let_ref of string * expr * expr
 (* optionaly give the return type to enforce *)
  | App of expr * expr * why_type option
  | Raise of string * expr option
  | Try of expr * string * string option * expr
  | Fun of (string * why_type) list *
      assertion * expr * assertion * ((string * assertion) list)
  | Triple of opaque *
      assertion * expr * assertion * ((string * assertion) list)
  | Assert of assert_kind * assertion * expr
  | BlackBox of why_type
  | Absurd
  | Loc of Lexing.position * expr

and expr =
    { expr_labels : string list;
      expr_loc_labels : string list;
      expr_node : expr_node;
    }
;;

let mk_expr e = { expr_labels = []; expr_loc_labels = []; expr_node = e }
let mk_var s = mk_expr (Var s)
let void = mk_expr Void

let rec iter_expr f e =
  match e.expr_node with
    | Cte(_c) -> ()
    | Var(id) -> f id
    | And(e1,e2) -> iter_expr f e1; iter_expr f e2
    | Or(e1,e2) -> iter_expr f e1; iter_expr f e2
    | Not(e1) -> iter_expr f e1
    | Void -> ()
    | Deref(id) -> f id
    | If(e1,e2,e3) ->
	iter_expr f e1; iter_expr f e2; iter_expr f e3
    | While(e1,inv,var,e2) ->
	iter_expr f e1;
	iter_assertion f inv;
	option_iter (fun (var,r) -> iter_term f var;
                       match r with
                         | None -> ()
                         | Some id -> f id
                    ) var;
	List.iter (iter_expr f) e2
    | Block(el) -> List.iter (iter_expr f) el
    | Assign(id,e) -> f id; iter_expr f e
    | MultiAssign _ ->
        eprintf "Fatal error: Output.iter_expr should not be called on MultiAssign@.";
        assert false
    | Let(_id,e1,e2) -> iter_expr f e1; iter_expr f e2
    | Let_ref(_id,e1,e2) -> iter_expr f e1; iter_expr f e2
    | App(e1,e2,_) -> iter_expr f e1; iter_expr f e2
    | Raise (_, None) -> ()
    | Raise(_id,Some e) -> iter_expr f e
    | Try(e1,_exc,_id,e2) -> iter_expr f e1; iter_expr f e2
    | Fun(_params,pre,body,post,signals) ->
	iter_assertion f pre;
	iter_expr f body;
	iter_assertion f post;
	List.iter (fun (_,a) -> iter_assertion f a) signals
    | Triple(_,pre,e,post,exceps) ->
	iter_assertion f pre;
	iter_expr f e;
	iter_assertion f post;
	List.iter (fun (_,a) -> iter_assertion f a) exceps
    | Assert(_,p, e) -> iter_assertion f p; iter_expr f e
    | Loc (_,e) -> iter_expr f e
    | BlackBox(ty) -> iter_why_type f ty
    | Absurd -> ()


let fprintf_variant form = function
  | None -> ()
  | Some (t, None) ->
      if !why3syntax then
        fprintf form "variant { %a }" fprintf_term t
      else
        fprintf form "variant %a" fprintf_term t
  | Some (t, Some r) ->
      if !why3syntax then
        fprintf form "variant { %a } with %s" fprintf_term t r
      else
        fprintf form "variant %a for %s" fprintf_term t r

let rec fprintf_expr_node in_app form e =
  match e with
    | Cte(c) -> fprintf_constant form c
    | Var(id) ->
        fprintf form "%s" (if !why3syntax then why3param id else id)
    | And(e1,e2) ->
	fprintf form "@[(%a && %a)@]"
	  fprintf_expr e1 fprintf_expr e2
    | Or(e1,e2) ->
	fprintf form "@[(%a || %a)@]"
	  fprintf_expr e1 fprintf_expr e2
    | Not(e1) ->
	fprintf form "@[(not %a)@]"
	  fprintf_expr e1
    | Void ->
        if !why3syntax then
          fprintf form "()"
        else
          fprintf form "void"
    | Deref(id) ->
        fprintf form "!%s" (why3id_if id)
    | If(e1,e2,e3) ->
	fprintf form
	  "@[(if %a@ @[then@ %a@]@ @[else@ %a@])@]"
	  fprintf_expr e1 fprintf_expr e2 fprintf_expr e3
    | While(e1,inv,var,e2) when !why3syntax && e1.expr_node = Cte (Prim_bool true) ->
	fprintf form
	  "@[loop@ @[@[@[invariant@ { %a }@]@ @[%a@]@]@ %a@]@ end@]"
	  fprintf_assertion inv
	  fprintf_variant var
	  fprintf_expr_list e2
    | While(e1,inv,var,e2) when !why3syntax ->
	fprintf form
	  "@[while %a do@ @[@[@[invariant@ { %a }@]@ @[%a@]@]@ %a@]@ done@]"
	  fprintf_expr e1
	  fprintf_assertion inv
	  fprintf_variant var
	  fprintf_expr_list e2
    | While(e1,inv,var,e2) ->
	fprintf form
	  "@[while %a do@ @[@[{ @[invariant@ %a@]@ @[%a@] }@]@ %a@]@ done@]"
	  fprintf_expr e1
	  fprintf_assertion inv
	  fprintf_variant var
	  fprintf_expr_list e2
    | Block([]) ->
	fprintf form "void"
    | Block(el) ->
	fprintf form "@[begin@ @[  %a@]@ end@]" fprintf_expr_list el
    | Assign(id,e) ->
        fprintf form "@[(%s := %a)@]" (why3id_if id) fprintf_expr e
    | MultiAssign _ ->
	fprintf form "@[(MultiAssign ...)@]"
    | Let(id,e1,e2) ->
        fprintf form "@[(let %s =@ %a in@ %a)@]" (why3id_if id)
	  fprintf_expr e1 fprintf_expr e2
    | Let_ref(id,e1,e2) ->
        fprintf form "@[(let %s =@ ref %a in@ %a)@]" (why3id_if id)
	  fprintf_expr e1 fprintf_expr e2
    | App({expr_node = App({expr_node = Var id},e1,_)},e2,_)
        when !why3syntax && is_why3_poly_eq id ->
	fprintf form "@[(%a = %a)@]" fprintf_expr e1 fprintf_expr e2
    | App({expr_node = App({expr_node = Var id},e1,_)},e2,_)
        when !why3syntax && is_why3_poly_neq id ->
	fprintf form "@[(%a <> %a)@]" fprintf_expr e1 fprintf_expr e2
    | App(e1,e2,ty) when !why3syntax ->
        if in_app then
	  fprintf form "@[%a %a@]"
            (fprintf_expr_gen true) e1 fprintf_expr e2
        else
	  fprintf form "@[(%a %a%a)@]"
            (fprintf_expr_gen true) e1 fprintf_expr e2
            (Pp.print_option (fprintf_type ~need_colon:true false)) ty
    | App(e1,e2,_) ->
	fprintf form "@[(%a %a)@]" fprintf_expr e1 fprintf_expr e2
    | Raise(id,None) ->
	fprintf form "@[(raise@ %s)@]" id
    | Raise(id,Some e) ->
	fprintf form "@[(raise@ (%s@ %a))@]" id fprintf_expr e
    | Try(e1,exc,None,e2) ->
	fprintf form "@[try@ %a@ with@ %s ->@ %a end@]"
	  fprintf_expr e1 exc fprintf_expr e2
    | Try(e1,exc,Some id,e2) ->
	fprintf form "@[try@ %a@ with@ %s %s ->@ %a end@]"
	  fprintf_expr e1 exc id fprintf_expr e2
    | Fun(params,pre,body,post,signals) ->
	fprintf form "@[fun @[";
	List.iter
	  (fun (x,t) ->
             (match t with
               | Ref_type _ -> ()
               | _ -> add_why3_local x);
             fprintf form "(%s : %a) " (why3id_if x)
               (fprintf_type ~need_colon:false false) t)
	  params;
        fprintf form "@]->@ ";
        if !why3syntax then
          begin
	    fprintf form "@[requires { %a  }@ "
              fprintf_assertion pre;
            begin
	    match signals with
	      | [] ->
		  fprintf form "@[ensures { %a }@]@ " fprintf_assertion post
	      | l ->
		    fprintf form "@[ ensures { %a@ } %a @]"
		      fprintf_assertion post
		      (print_list alt
		         (fun fmt (e,r) ->
			    fprintf fmt "@[raises { %s result ->@ %a }@]" e
			      fprintf_assertion r))
		      l
            end;
	    fprintf form "@]@ %a" fprintf_expr body;
          end
        else
          begin
	    fprintf form "@[@[{ ";
	    if pre <> LTrue then fprintf_assertion form pre;
	    fprintf form " }@]@ %a@ " fprintf_expr body;
	    match signals with
	      | [] ->
		  fprintf form "@[{ %a }@]" fprintf_assertion post
	      | l ->
		  fprintf form "@[{ %a@ | %a }@]"
		    fprintf_assertion post
		    (print_list alt
		       (fun fmt (e,r) ->
			  fprintf fmt "@[%s =>@ %a@]" e
			    fprintf_assertion r))
		    l
	  end;
        List.iter
	  (fun (x,t) ->
             (match t with
               | Ref_type _ -> ()
               | _ -> remove_why3_local x))
	  params;
        fprintf form "@]@ "

    | Triple(_,pre,e,LTrue,[]) ->
	fprintf form "@[(assert { %a };@ (%a))@]"
	  fprintf_assertion pre
	  fprintf_expr e
    | Triple(o,pre,e,post,exceps) ->
      fprintf form "@[(assert { %a };@ " fprintf_assertion pre;
      if !why3syntax then
        if o then
          begin
            fprintf form "abstract@ ensures {@ %a }@ "
	      fprintf_assertion post;
            List.iter
              (fun (e,r) ->
                fprintf form "@[raises { %s ->@ %a }@]" e fprintf_assertion r)
              exceps;
            fprintf form "@ %a@ end"
              fprintf_expr e
          end
        else
          begin
            match exceps with
	      | [] ->
                fprintf form "let _ = %a in assert { %a }"
                  fprintf_expr e
		  fprintf_assertion post
              | _ -> assert false (* TODO *)
        end
      else
	begin
          fprintf form "(%a)@ " fprintf_expr e;
	  match exceps with
	    | [] ->
		(if o then
                    fprintf form "{{ %a }}" else fprintf form "{ %a }")
		  fprintf_assertion post
	    | l ->
		(if o then
		   fprintf form "@[{{ %a@ | %a }}@]"
		 else
		   fprintf form "@[{ %a@ | %a }@]")
		  fprintf_assertion post
		  (print_list alt
		  (fun fmt (e,r) ->
		     fprintf fmt "@[%s =>@ %a@]" e
		       fprintf_assertion r))
		  l
	end;
      fprintf form ")@]"
    | Assert(k,p, e) ->
	fprintf form "@[(%s@ { %a };@ %a)@]"
          (match k with `ASSERT -> "assert" | `CHECK -> "check")
	  fprintf_assertion p fprintf_expr e
    | BlackBox(t) ->
	if !why3syntax then
          fprintf form "@[any %a @]"
	    (fprintf_type ~need_colon:false false) t
        else
	  fprintf form "@[[ %a ]@]"
	    (fprintf_type ~need_colon:false false) t
    | Absurd ->
	fprintf form "@[absurd@ @]"
    | Loc (_l, e) ->
	fprintf_expr form e
	(*
	fprintf form "@[#%S %d %d#%a@]" l.pos_fname l.pos_lnum
	  (l.pos_cnum - l.pos_bol) fprintf_expr e
	*)

and fprintf_expr_gen in_app form e =
  let rec aux l =
    match l with
      | [] -> fprintf_expr_node in_app form e.expr_node
      | s::l ->
(*
          if s="L2" then Format.eprintf "Output.fprintf_expr: printing label %s for expression %a@." s fprintf_expr_node e.expr_node;
*)
          if !why3syntax then
            fprintf form "@[(%a@ " (why3loc ~prog:true) s
          else
            fprintf form "@[(%s:@ " s;
          aux l;
          fprintf form ")@]"
  in aux e.expr_labels

and fprintf_expr form e = fprintf_expr_gen false form e

and fprintf_expr_list form l =
  match l with
    | [] -> ()
    | e::l ->
	fprintf form "%a" fprintf_expr e;
	fprintf_expr_end_list form l

and fprintf_expr_end_list form l =
  match l with
    | [] -> ()
    | e::l ->
	fprintf form ";@ %a" fprintf_expr e;
	fprintf_expr_end_list form l
;;

let make_or_expr a1 a2 =
  match (a1.expr_node,a2.expr_node) with
    | (Cte (Prim_bool true),_) -> a1
    | (_,Cte (Prim_bool true)) -> a2
    | (Cte (Prim_bool false),_) -> a2
    | (_,Cte (Prim_bool false)) -> a1
    | (_,_) -> mk_expr (Or(a1,a2))

let make_and_expr a1 a2 =
  match (a1.expr_node,a2.expr_node) with
    | (Cte (Prim_bool true),_) -> a2
    | (_,Cte (Prim_bool true)) -> a1
    | (Cte (Prim_bool false),_) -> a1
    | (_,Cte (Prim_bool false)) -> a2
    | (_,_) -> mk_expr (And(a1,a2))


let make_app_rec ~logic f l =
  let rec make_rec accu = function
    | [] -> accu
    | e::r -> make_rec (mk_expr (App(accu,e,None))) r
  in
  match l with
    | [] -> if logic then make_rec f [] else make_rec f [void]
    | l -> make_rec f l
;;

let app_add_ty ?ty e =
  match ty,e.expr_node with
  | None,_ -> e
  | Some _, App(e1,e2,None) -> { e with expr_node = App(e1,e2,ty)}
  | Some _, _ ->
    invalid_arg "Output.app_add_ty: type coercion for constant. To correct."

let make_app ?ty id l =
  let app = make_app_rec ~logic:false (mk_var id) l in
  app_add_ty ?ty app

let make_logic_app ?ty id l =
  let app = make_app_rec ~logic:true (mk_var id) l in
  app_add_ty ?ty app

let make_app_e ?ty e l =
  let app = make_app_rec ~logic:false e l in
  app_add_ty ?ty app

let make_while cond inv var e =
  let body =
    match e.expr_node with
      | Block(l) -> l
      | _ -> [e]
  in mk_expr (While(cond,inv,var,body))

let make_label label e =
(*
  if label = "L2" then Format.eprintf "Output.make_label: adding label %s@." label;
*)
  assert (String.length label > 0);
  if label.[0] = '_' then
  { e with expr_loc_labels = label :: e.expr_loc_labels }
  else
  { e with expr_labels = label :: e.expr_labels }

let make_pre pre e =  mk_expr (Triple(false,pre,e,LTrue,[]))




let compare_parallel_assign (i,_,_,_) (j,_,_,_) =
  let c = Pervasives.compare i j in
  if c = 0 then raise Exit else c


let append_list e l =
(*
  Format.eprintf "Entering append_list@.";
*)
  match l with
    | [] -> [e]
    | e'::rem ->
        match e.expr_node,e'.expr_node with
          | MultiAssign(mark1,pos1,lets1,isrefa1,ta1,a1,tmpe1,e1,f1,l1),
            MultiAssign(_,_,lets2,_isrefa2,_ta2,a2,_tmpe2,e2,f2,l2)
            when e'.expr_labels = [] ->
              (*
                Format.eprintf
                "Found multi-assigns: a1=%a, a2=%a, e1=%a, e2=%a, f1=%s,f2=%s@."
                fprintf_expr a1 fprintf_expr a2
                fprintf_expr e1 fprintf_expr e2 f1 f2;
              *)
              if a1 = a2 && e1 = e2 && f1 = f2 then
                begin
                  try
                    let l = List.merge compare_parallel_assign l1 l2 in
                    (*
                      Format.eprintf "append_list, merge successful!@.";
                    *)
                    { expr_labels = e.expr_labels;
                      expr_loc_labels = e.expr_loc_labels @ e'.expr_loc_labels;
                      expr_node =
                        MultiAssign(mark1,pos1,lets1@lets2,isrefa1,ta1,a1,tmpe1,e1,f1,l) }
                    ::rem
                  with Exit ->
                    (*
                      Format.eprintf "append_list, merge failed...@.";
                    *)
                    e::l
                end
              else
                begin
                  (*
                    Format.eprintf "do not match@.";
                  *)
                  e::l
                end
          | MultiAssign _, _e' ->
              (*
                Format.eprintf "MultiAssign not followed by MultiAssign but by %a@."
                fprintf_expr e';
              *)
              e::l
          | _, MultiAssign _ ->
              (*
                Format.eprintf "MultiAssign not preceeded by MultiAssign@.";
              *)
              e::l
          | _ ->
              (*
                Format.eprintf "no MultiAssign at all@.";
              *)
              e::l


let make_block labels loc_labels l =
  match l with
      | [] -> assert false
      | [e] -> {e with expr_labels = labels @ e.expr_labels ;
                       expr_loc_labels = loc_labels @ e.expr_loc_labels }
      | _ -> { expr_labels = labels ; expr_loc_labels = loc_labels ; expr_node = Block l }

(** Try hard to keep the labels visible by all the instructions that follow
    but also to remove unneeded block

    The principle is to push e2 inside e1 such that every labels visible for
    the last instruction (not a block) of e1 can be visible for e2
 *)
let rec append' e1 e2 =
  match e1.expr_node,e2.expr_node with
    | Void,_ -> (* assert (e1.expr_labels = []);*) [e2]
    | _,Void -> assert (e2.expr_labels = []); [e1]
    | Block(_),Block([]) -> [e1]
    | Block(l1),_ ->
      [make_block e1.expr_labels e1.expr_loc_labels (concat l1 e2)]
    | _,Block(l2) ->
      begin match e1.expr_labels, e2.expr_labels with
        | [], [] -> append_list e1 l2
        | labels1, [] ->
          [make_block labels1 e1.expr_loc_labels (append_list {e1 with expr_labels = []} l2)]
        | labels1, _ ->
          [make_block labels1 e1.expr_loc_labels (append_list {e1 with expr_labels = []} [e2])]
      end
    | _ ->
      if e1.expr_labels = [] then
        append_list e1 [e2]
      else
        let e1' = {e1 with expr_labels = []} in
        [make_block e1.expr_labels [] (append_list e1' [e2])]

and concat l1 e2 =
  match l1 with
  | [] -> [e2]
  | [a1] -> append' a1 e2
  | a1::l1 -> a1::(concat l1 e2)

let append e1 e2 =
  make_block [] [] (append' e1 e2)

type goal_kind = KAxiom | KLemma | KGoal

type why_id = { name : string ; loc : Loc.floc }

let id_no_loc s = { name = s; loc = Loc.dummy_floc }

type why_decl =
  | Param of bool * why_id * why_type         (*r parameter in why *)
  | Def of why_id * bool * expr               (*r global let in why *)
  | Logic of bool * why_id * (string * logic_type) list * logic_type    (*r logic decl in why *)
  | Predicate of bool * why_id * (string * logic_type) list * assertion
  | Inductive of bool * why_id * (string * logic_type) list *
      (string * assertion) list (*r inductive definition *)
  | Goal of goal_kind * why_id * assertion         (*r Goal *)
  | Function of bool * why_id * (string * logic_type) list * logic_type * term
  | Type of why_id * string list
  | Exception of why_id * logic_type option



let get_why_id d =
  match d with
    | Param(_,id,_)
    | Logic(_,id,_,_)
    | Def(id,_,_)
    | Goal(_,id,_)
    | Predicate(_,id,_,_)
    | Function(_,id,_,_,_)
    | Inductive(_,id,_,_)
    | Type (id,_)
    | Exception(id,_) -> id

let iter_why_decl f d =
  match d with
    | Param(_,_,t) -> iter_why_type f t
    | Def(_id,_,t) -> iter_expr f t
    | Logic(_,_id,args,t) ->
	List.iter (fun (_,t) -> iter_logic_type f t) args;
	iter_logic_type f t
    | Inductive(_,_id,args,cases) ->
	List.iter (fun (_,t) -> iter_logic_type f t) args;
	List.iter (fun (_,a) -> iter_assertion f a) cases
    | Predicate(_,_id,args,p) ->
	List.iter (fun (_,t) -> iter_logic_type f t) args;
	iter_assertion f p
    | Goal(_,_id,t) -> iter_assertion f t
    | Function(_,_id,args,t,p) ->
	List.iter (fun (_,t) -> iter_logic_type f t) args;
	iter_logic_type f t;
	iter_term f p
    | Type(_t,args) -> List.iter f args
    | Exception(_,t) -> Option_misc.iter (iter_logic_type f) t



type state = [`TODO | `RUNNING | `DONE ];;

type 'a decl = { mutable state : state; decl : 'a };;

module StringMap = Map.Make(String);;

(*
exception Recursion;;
*)

let rec do_topo decl_map iter_fun output_fun id d =
  match d.state with
    | `DONE -> ()
    | `RUNNING ->
	eprintf "Warning: recursive definition of %s in generated file@." id
    | `TODO ->
	d.state <- `RUNNING;
	iter_fun
	  (fun id ->
	     try
	       let s = StringMap.find id decl_map in
	       do_topo decl_map iter_fun output_fun id s
	     with
		 Not_found -> ())
	  d.decl;
	output_fun d.decl;
	d.state <- `DONE
;;

let compare_ids
    { name = id1; loc = (_,l1,_,_)}
    { name = id2; loc = (_,l2,_,_)} =
  let c = Pervasives.compare l1 l2 in
  if c = 0 then Pervasives.compare id1 id2 else c

let build_map get_id decl_list =
  let m =
    List.fold_left
      (fun acc decl ->
	 let id = get_id decl in
	 let d = { state = `TODO ; decl = decl } in
	 StringMap.add id.name (id,d) acc)
      StringMap.empty
      decl_list
  in
  let m,l = StringMap.fold
    (fun name (id,d) (m,l) ->
       (StringMap.add name d m, (id,d)::l))
    m (StringMap.empty,[])
  in
  m, List.sort (fun (id1,_) (id2,_) ->
		  compare_ids id1 id2) l
;;

let fprint_logic_arg form (id,t) =
  if !why3syntax then
    fprintf form "(%s:%a)" (why3ident id) fprintf_logic_type t
  else
    fprintf form "%s:%a" id fprintf_logic_type t

let str_of_goal_kind = function
  | KAxiom -> "axiom"
  | KLemma -> "lemma"
  | KGoal -> "goal"

let fprintf_why_decl form d =
  match d with
    | Param(b,id,t) when !why3syntax ->
	fprintf form "@[%sval %s@ %a@]@.@."
	(if b then "external " else "") (why3ident id.name)
	  (fprintf_type ~need_colon:true false) t
    | Param(b,id,t) ->
	fprintf form "@[%sparameter %s :@ %a@]@\n@."
	(if b then "external " else "") id.name
	  (fprintf_type ~need_colon:false false) t
    | Logic(b,id,args,t) when !why3syntax ->
        if is_prop t then
	  fprintf form "@[%spredicate %s %a @.@."
	    (if b then "external " else "")
            (why3ident id.name)
	    (print_list space (fun fmt (_id,t) -> fprintf_logic_type fmt t)) args
        else
	  fprintf form "@[%sfunction %s %a : %a@.@."
	    (if b then "external " else "")
            (why3ident id.name)
	    (print_list space (fun fmt (_id,t) -> fprintf_logic_type fmt t)) args
	    fprintf_logic_type t

    | Logic(b,id,args,t) ->
	fprintf form "@[%slogic %s: %a -> %a@.@."
	  (if b then "external " else "") id.name
	  (print_list comma (fun fmt (_id,t) -> fprintf_logic_type fmt t)) args
	  fprintf_logic_type t
    | Inductive(b,id,args,cases) when !why3syntax ->
	fprintf form "@[%sinductive %s @[%a@] =@\n@[%a@]@\n@."
	  (if b then "external " else "") (why3ident id.name)
	  (print_list space (fun fmt (_id,t) -> fprintf_logic_type fmt t)) args
	  (print_list newline
	     (fun _fmt (id,a) ->
		fprintf form "| %s: @[%a@]" id fprintf_assertion a))
	  cases
    | Inductive(b,id,args,cases) ->
	fprintf form "@[%sinductive %s: @[%a -> prop@] =@\n@[%a@]@\n@."
	  (if b then "external " else "") id.name
	  (print_list comma (fun fmt (_id,t) -> fprintf_logic_type fmt t)) args
	  (print_list newline
	     (fun _fmt (id,a) ->
		fprintf form "| %s: @[%a@]" id fprintf_assertion a))
	  cases
    | Goal(k,id,p) when !why3syntax ->
	fprintf form "@[%s %s %a:@ %a@]@.@." (str_of_goal_kind k)
          (why3id id.name)
          (why3loc ~prog:false) id.name
	  fprintf_assertion p
    | Goal(k,id,p) ->
	fprintf form "@[%s %s :@ %a@]@.@." (str_of_goal_kind k)
          id.name
	  fprintf_assertion p
    | Def(id,diverges,e) when !why3syntax ->
        fprintf form "@[let %s%s %a=@ %a@]@.@."
          (why3id id.name)
          (if diverges then " \"W:diverges:N\"" else "")
          (why3loc ~prog:false) id.name
          fprintf_expr e
    | Def(id,_,e) ->
        fprintf form "@[let %s =@ %a@]@.@." (why3id_if id.name)
          fprintf_expr e
    | Predicate (b, id, args, p) when !why3syntax ->
        List.iter (fun (id,_) -> add_why3_local id) args;
	fprintf form "@[%spredicate %s%a =@ %a@]@.@."
	  (if b then "external " else "") (why3ident id.name)
	  (print_list space fprint_logic_arg) args
	  fprintf_assertion p;
        List.iter (fun (id,_) -> remove_why3_local id) args
    | Predicate (b, id, args, p) ->
	fprintf form "@[%spredicate %s(%a) =@ %a@]@.@."
	  (if b then "external " else "") id.name
	  (print_list comma fprint_logic_arg) args
	  fprintf_assertion p
    | Function(b,id,args,t,e) when !why3syntax ->
        List.iter (fun (id,_) -> add_why3_local id) args;
	fprintf form "@[%sfunction %s%a : %a =@ %a@]@.@."
	  (if b then "external " else "") (why3ident id.name)
	  (print_list space fprint_logic_arg) args
	  fprintf_logic_type t
	  fprintf_term e;
        List.iter (fun (id,_) -> remove_why3_local id) args
    | Function(b,id,args,t,e) ->
	fprintf form "@[%sfunction %s(%a) : %a =@ %a@]@.@."
	  (if b then "external " else "") id.name
	  (print_list comma fprint_logic_arg) args
	  fprintf_logic_type t
	  fprintf_term e
    | Type (id, []) when !why3syntax ->
	fprintf form "@[type %s@]@.@." (why3ident id.name)
    | Type (id, []) ->
	fprintf form "@[type %s@]@.@." id.name
    | Type (id, [t]) ->
	fprintf form "@[type '%s %s@]@.@." t id.name
    | Type (id, t::l) ->
	fprintf form "@[type ('%s" t;
	List.iter (fun t -> fprintf form ", '%s" t) l;
	fprintf form ") %s@]@.@." id.name
    | Exception(id, None) ->
	fprintf form "@[exception %s@]@.@." id.name
    | Exception(id, Some t) ->
        if !why3syntax then
	  fprintf form "@[exception %s %a@]@.@." id.name
            fprintf_logic_type t
        else
          fprintf form "@[exception %s of %a@]@.@." id.name fprintf_logic_type t


let output_decls get_id iter_decl output_decl decls =
  let map, l = build_map get_id decls in
  List.iter
    (fun (id,decl) ->
       do_topo map iter_decl output_decl id.name decl)
    l

let output_why3_imports form use_floats float_model =
  fprintf form "use import int.Int@\n@\n";
  fprintf form "use bool.Bool@\n@\n";
  if !why3_IntMinMax then
    fprintf form "use int.MinMax as IntMinMax@\n@\n";
  if !why3_ComputerDivision then
    fprintf form "use int.ComputerDivision@\n@\n";
  if !why3_reals then
    fprintf form "use import real.RealInfix@\n@\n";
  if !why3_FromInt then
    fprintf form "use real.FromInt@\n@\n";
  if !why3_Truncate then
    fprintf form "use real.Truncate@\n@\n";
  if !why3_Square then
    fprintf form "use real.Square@\n@\n";
  if !why3_Power then
    fprintf form "use int.Power@\n@\n";
  if !why3_PowerInt then
    fprintf form "use real.PowerInt@\n@\n";
  if !why3_PowerReal then
    fprintf form "use real.PowerReal@\n@\n";
  if !why3_RealMinMax then
    fprintf form "use real.MinMax as RealMinMax@\n@\n";
  if !why3_AbsInt then
    fprintf form "use int.Abs as AbsInt@\n@\n";
  if !why3_AbsReal then
    fprintf form "use real.Abs as AbsReal@\n@\n";
  if !why3_ExpLog then
    fprintf form "use real.ExpLog@\n@\n";
  if !why3_Trigonometry then
    fprintf form "use real.Trigonometry@\n@\n";
  if use_floats then
    begin
      match float_model with
        | Jc_env.FMfull ->
          fprintf form "use import floating_point.SingleFull as Single@\n";
          fprintf form "use import floating_point.DoubleFull as Double@\n@\n"
        | Jc_env.FMdefensive ->
          fprintf form "use import floating_point.Single@\n";
          fprintf form "use import floating_point.Double@\n@\n"
        | Jc_env.FMmultirounding ->
          (* fprintf form "use import floating_point.Single@\n"; *)
          fprintf form "use import floating_point.DoubleMultiRounding as Double@\n@\n"
        | Jc_env.FMmath ->
          assert false (* TODO *)
    end;
  fprintf form "use import jessie_why3theories.Jessie_memory_model@\n@\n"


let fprintf_why_decls ?(why3=false) ?(use_floats=false)
    ~float_model form decls =
  why3syntax := why3;
  (* Why do we need a partition ?
     because one may have a type and a logic/parameter with the same name,
     and the computation of dependencies is confused in that case

     Type may depend on nothing
     Logic may depend on Type, Logic and Predicate
     Predicate may depend on Type, Predicate and Logic
     Axiom may depend on Type, Predicate and Logic
     Parameter may depend on Type, Predicate and Logic
     Def may depend on Type, Parameter, Predicate, Logic, and Def

     - Claude, 16 nov 2006

  *)

(*
  let (types, defs, others) =
    List.fold_left
      (fun (t,d,o) decl ->
	 match decl with
	   | Type _ -> (decl::t,d,o)
	   | Def _ -> (t,decl::d,o)
	   | _ -> (t,d,decl::o))
      ([],[],[]) decls
  in
    output_decls get_why_id iter_why_decl (fprintf_why_decl form) types;
    output_decls get_why_id iter_why_decl (fprintf_why_decl form) others;
    output_decls get_why_id iter_why_decl (fprintf_why_decl form) defs
*)

  if why3 then List.iter (iter_why_decl compute_why3_dependencies) decls;

  (*
    Additional rules :

    Exception may depend on Type
    Parameter may depend on Exception

    - Nicolas R., 8 nov 2007

  *)

  let (types, params, defs, others) =
    List.fold_left
      (fun (t, p, d, o) decl ->
	 match decl with
	   | Type _ -> (decl::t, p, d, o)
	   | Exception _ | Param _ -> (t, decl::p, d, o)
	   | Def _ -> (t, p, decl::d, o)
	   | _ -> (t, p, d, decl::o))
      ([], [], [], []) decls
  in
  if why3 then
    begin
      fprintf form "theory Jessie_model@\n@\n";
      output_why3_imports form use_floats float_model
    end;
  output_decls get_why_id iter_why_decl (fprintf_why_decl form) types;
  output_decls get_why_id iter_why_decl (fprintf_why_decl form) others;
  if why3 then
    begin
      fprintf form "end@\n@\n";
      fprintf form "module Jessie_program@\n@\n";
      output_why3_imports form use_floats float_model;
      fprintf form "use import Jessie_model@\n@\n";
      fprintf form "use import ref.Ref@\n@\n";
      fprintf form "use import jessie_why3.JessieDivision@\n@\n";
      if use_floats then
        begin
          fprintf form "use import floating_point.Rounding@\n@\n";
          match float_model with
            | Jc_env.FMfull ->
              fprintf form "use import jessie_why3.JessieFloatsFull@\n@\n"
            | Jc_env.FMdefensive ->
              fprintf form "use import jessie_why3.JessieFloats@\n@\n"
            | Jc_env.FMmultirounding ->
              fprintf form "use import jessie_why3.JessieFloatsMultiRounding@\n@\n"
            | Jc_env.FMmath -> assert false (* TODO *)
        end;
      fprintf form "use import jessie_why3.Jessie_memory_model_parameters@\n@\n";
      (* fprintf form "use import jessie3_integer.Integer@\n@\n"; *)
    end;
  output_decls get_why_id iter_why_decl (fprintf_why_decl form) params;
  output_decls get_why_id iter_why_decl (fprintf_why_decl form) defs;
  if why3 then fprintf form "end@\n@\n"



(*
  Local Variables:
  compile-command: "LC_ALL=C make -j -C .. bin/jessie.byte"
  End:
*)
why-2.39/jc/jc_iterators.ml0000644000106100004300000012431713147234006014657 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

open Jc_ast
open Jc_constructors

open Jc_envset

(*
open Format
open Jc_env
open Jc_fenv
open Jc_fenv
open Jc_pervasives

*)

module type TAst = sig
  type t
  val subs: t -> t list
end

module type TIterators = sig
  type t

  val subs: t -> t list
  val iter: (t -> unit) -> t -> unit

  (* Parcours en profondeur d'abord, mais l'accumulateur obtenu est ensuite
     passé aussi en largeur. *)
  val fold_left: ('a -> t -> 'a) -> 'a -> t -> 'a
(*
  val fold_right: (t -> 'a -> 'a) -> t -> 'a -> 'a
*)

  (* Parcours en profondeur avec accumulateur (le même pour tous les fils). *)
(*
  val iter_deep_left: ('a -> t -> 'a) -> 'a -> t -> unit
  val iter_deep_right: (t -> 'a -> 'a) -> t -> 'a -> unit
*)
end

module Iterators(X: TAst): TIterators with type t = X.t = struct
  type t = X.t
  let subs = X.subs
  let rec iter f x = f x; List.iter (iter f) (subs x)
  let rec fold_left f a x =
    let a = f a x in
    List.fold_left (fold_left f) a (subs x)
(*
  let rec fold_right f x a =
    let a = f x a in
    List.fold_right (fold_right f) (subs x) a
  let rec iter_deep_left f a x =
    let a = f a x in
    List.iter (iter_deep_left f a) (subs x)
  let rec iter_deep_right f x a =
    let a = f x a in
    List.iter (fun x -> iter_deep_right f x a) (subs x)
*)
end

(*****************************************************************************)
(* General iterators on parsed expressions.                                  *)
(*****************************************************************************)


let replace_sub_pexpr e el =
  let as1 = function [e1] -> e1 | _ -> assert false in
  let as2 = function [e1;e2] -> e1,e2 | _ -> assert false in
  let as3 = function [e1;e2;e3] -> e1,e2,e3 | _ -> assert false in
  let pop = function e1::r -> e1,r | _ -> assert false in
  let popopt el = function 
    | None -> None,el 
    | Some _ -> let e1,r = pop el in Some e1,r
  in
  let rec popn n el = 
    if n > 0 then 
      let e,r = pop el in
      let el1,el2 = popn (n-1) r in
      e :: el1, el2
    else [],el
  in
  let replace_sub_tag tag el =
    let tag_node,el = match tag#node with
      | JCPTtag _ | JCPTbottom as tag_node -> tag_node,el
      | JCPTtypeof _e -> 
	  let e1,el = pop el in
	  JCPTtypeof e1,el
    in
    new ptag_with ~node:tag_node tag,el
  in
  let enode = match e#node with
    | JCPEconst _ | JCPEvar _ | JCPEbreak _
    | JCPEcontinue _ | JCPEgoto _ as enode -> enode
    | JCPEeqtype(tag1,tag2) ->
	let tag1,el = replace_sub_tag tag1 el in
	let tag2,el = replace_sub_tag tag2 el in
	assert (el == []);
	JCPEeqtype(tag1,tag2)
    | JCPEsubtype(tag1,tag2) ->
	let tag1,el = replace_sub_tag tag1 el in
	let tag2,el = replace_sub_tag tag2 el in
	assert (el == []);
	JCPEsubtype(tag1,tag2)
    | JCPElabel(lab,_e1) -> 
	let e1 = as1 el in JCPElabel(lab,e1)
    | JCPEbinary(_e1,bop,_e2) ->
	let e1,e2 = as2 el in JCPEbinary(e1,bop,e2) 
    | JCPEunary(uop,_e1) ->
	let e1 = as1 el in JCPEunary(uop,e1)
    | JCPEassign(_e1,_e2) ->
	let e1,e2 = as2 el in JCPEassign(e1,e2)
    | JCPEassign_op(_e1,op,_e2) ->
	let e1,e2 = as2 el in JCPEassign_op(e1,op,e2)
    | JCPEderef(_e1,fi) ->
	let e1 = as1 el in JCPEderef(e1,fi)
    | JCPEapp(fi,labs,_args) ->
	JCPEapp(fi,labs,el)
    | JCPEquantifier(q,ty,labs,trigs,_e) ->
	let e1 = as1 el in JCPEquantifier(q,ty,labs,trigs,e1)
    | JCPEfresh _e ->
	let e1 = as1 el in JCPEfresh(e1)
    | JCPEold _e ->
	let e1 = as1 el in JCPEold(e1)
    | JCPEat(_e,lab) ->
	let e1 = as1 el in JCPEat(e1,lab)
    | JCPEoffset(off,_e) ->
	let e1 = as1 el in JCPEoffset(off,e1)
    | JCPEaddress(absolute,_e) ->
	let e1 = as1 el in JCPEaddress(absolute,e1)
    | JCPEbase_block(_e) ->
	let e1 = as1 el in JCPEbase_block(e1)
    | JCPEinstanceof(_e,st) ->
	let e1 = as1 el in JCPEinstanceof(e1,st)
    | JCPEcast(_e,st) ->
	let e1 = as1 el in JCPEcast(e1,st)
    | JCPEif(_e1,_e2,_e3) ->
	let e1,e2,e3 = as3 el in JCPEif(e1,e2,e3)
    | JCPErange(e1opt,e2opt) ->
	let e1opt,el = popopt el e1opt in
	let e2opt,el = popopt el e2opt in
	assert (el = []);
	JCPErange(e1opt,e2opt)
    | JCPEmatch(_e1,ptl) ->
	let e1,el = pop el in
	let ptl = List.map2 (fun (p,_e) e -> p,e) ptl el in
	JCPEmatch(e1,ptl)
    | JCPElet(tyopt,name,eopt,_e) ->
	let eopt,el = popopt el eopt in
	let e1 = as1 el in JCPElet(tyopt,name,eopt,e1)
    | JCPEdecl(ty,name,eopt) ->
	let eopt,el = popopt el eopt in
	assert (el = []);
	JCPEdecl(ty,name,eopt)
    | JCPEalloc(_e,name) ->
	let e1 = as1 el in JCPEalloc(e1,name)
    | JCPEfree _e ->
	let e1 = as1 el in JCPEfree e1
    | JCPEmutable(_e,tag) ->
	let e1 = as1 el in JCPEmutable(e1,tag)
    | JCPEblock elist ->
	assert (List.length elist = List.length el);
	JCPEblock el
    | JCPEassert(behav,asrt,_e) ->
	let e1 = as1 el in JCPEassert(behav,asrt,e1)
    | JCPEcontract(req,dec,behs,_e) ->
	let e1 = as1 el in JCPEcontract(req,dec,behs,e1)
    | JCPEwhile(_test,behs,variant,_body) ->
	let test,el = pop el in
	let behs,el =
	  List.fold_right
	    (fun (names,inv,ass) (b,el) ->
	       let inv,el = popopt el inv in
	       ((names,inv,ass)::b,el)) 
	    behs
	    ([],el)
	in        
	let variant,el = 
          match variant with
            | None -> None,el
            | Some(_v,r) -> let v,el = pop el in Some(v,r),el
        in
	let body = as1 el in 
	JCPEwhile(test,behs,variant,body)
    | JCPEfor(inits,_test,updates,behs,var,_body) ->
	let inits,el = popn (List.length inits) el in
	let test,el = pop el in
	let updates,el = popn (List.length updates) el in
	let behs,el =
	  List.fold_right
	    (fun (names,inv,ass) (b,el) ->
	       let inv,el = popopt el inv in
	       ((names,inv,ass)::b,el)) 
	    behs
	    ([],el)
	in
	let var,el = 
          match var with
            | None -> None,el
            | Some(_var,r) -> let v,el = pop el in Some(v,r),el
        in
	let body = as1 el in 
	JCPEfor(inits,test,updates,behs,var,body)
    | JCPEreturn _ ->
	let e1 = as1 el in JCPEreturn e1
    | JCPEtry(_body,catches,_finally) ->
	let body,el = pop el in
	let catches,el = 
	  List.fold_left (fun (acc,el) (id,name,_e) -> 
			    let e1,el = pop el in (id,name,e1)::acc,el
			 ) ([],el) catches
	in
	let catches = List.rev catches in
	let finally = as1 el in
	JCPEtry(body,catches,finally)
    | JCPEthrow(id,_) ->
        let e1 = as1 el in JCPEthrow(id,e1)
    | JCPEpack(_e,id) ->
	let e1 = as1 el in JCPEpack(e1,id)
    | JCPEunpack(_e,id) ->
	let e1 = as1 el in JCPEunpack(e1,id)
    | JCPEswitch(_e,cases) ->
	let e1,el = pop el in
	let cases,el = 
	  List.fold_left 
	    (fun (acc,el) (caselist,_e) ->
	       let caselist,el = 
		 List.fold_left 
		   (fun (acc,el) eopt ->
		      let eopt,el = popopt el eopt in
		      eopt::acc,el
		   ) ([],el) caselist
	       in
	       let caselist = List.rev caselist in
	       let e1,el = pop el in
	       (caselist,e1)::acc,el
	    ) ([],el) cases 
	in
	let cases = List.rev cases in	
	assert (el = []);
	JCPEswitch(e1,cases)
  in
  new pexpr_with ~node:enode e

module PExprAst = struct
  type t = pexpr
  let subtags tag = 
    match tag#node with
      | JCPTtag _ | JCPTbottom -> []
      | JCPTtypeof e -> [e]
  let subs e =
    match e#node with
      | JCPEconst _
      | JCPEvar _
      | JCPEbreak _
      | JCPEcontinue _ 
      | JCPEgoto _ 
      | JCPErange(None,None)
      | JCPEdecl(_,_,None) ->
          []
      | JCPEeqtype(tag1,tag2) | JCPEsubtype(tag1,tag2) ->
	  subtags tag1 @ subtags tag2
      | JCPEassert(_,_,e)
      | JCPElabel(_, e)
      | JCPEderef(e, _)
      | JCPEunary(_, e)
      | JCPEinstanceof(e, _)
      | JCPEcast(e, _)
      | JCPEoffset(_, e)
      | JCPEaddress(_,e)
      | JCPEbase_block(e)
      | JCPEalloc(e, _)
      | JCPEfree e
      | JCPElet(_, _,None, e)
      | JCPEreturn e
      | JCPEthrow(_, e)
      | JCPEpack(e, _)
      | JCPEunpack(e, _)
      | JCPEfresh e
      | JCPEold e
      | JCPEat(e,_)
      | JCPErange(Some e,None)
      | JCPErange(None,Some e)
      | JCPEdecl(_,_,Some e)
      | JCPEmutable(e,_) ->
          [e]
      | JCPEbinary(e1, _, e2)
      | JCPEassign(e1, e2)
      | JCPEassign_op(e1, _, e2)
      | JCPElet(_, _, Some e1, e2)
      | JCPErange(Some e1,Some e2) ->
          [e1; e2]
      | JCPEif(e1, e2, e3) ->
	  [e1; e2; e3]
      | JCPEcontract(_,_,_,e) -> [e]
      | JCPEwhile(e1,behs,variant,body) ->
	  let acc =
	    List.fold_right
	      (fun (_,inv,_ass) acc ->
		 Option_misc.fold (fun x l -> x::l) inv acc
		   (* TODO : ass *))
	      behs
	      (Option_misc.fold (fun (x,_) l -> x::l) variant [body])
	  in e1::acc
      | JCPEfor(inits,cond,update,behs,variant,body) ->
	  let acc =
	    List.fold_right
	      (fun (_,inv,_ass) acc ->
		 Option_misc.fold (fun x l -> x::l) inv acc
		   (* TODO : ass *))
	      behs
	      (Option_misc.fold (fun (x,_) l -> x::l) variant [body])
	  in inits @ cond :: update @ acc
      | JCPEblock el
      | JCPEapp(_,_,el) ->
	  el
      | JCPEquantifier(_,_,_,_trigs,e) -> [e](*::(List.concat trigs)*)
      | JCPEtry(e1, l, e2) ->
          e1 :: List.map (fun (_, _, e) -> e) l @ [ e2 ]
      | JCPEmatch(e, pel) ->
          e :: List.map snd pel
      | JCPEswitch(e,cases) ->
	  let case c = 
	    List.flatten (List.map (function None -> [] | Some e -> [e]) c)
	  in
	  e :: List.flatten (List.map (fun (cases,e) -> case cases @ [e]) cases)
end

module IPExpr = Iterators(PExprAst)

let rec map_pexpr ?(before = fun x -> x) ?(after = fun x -> x) e =
  let e = before e in
  let elist = List.map (map_pexpr ~before ~after) (PExprAst.subs e) in
  after (replace_sub_pexpr e elist)


(*****************************************************************************)
(* General iterators on terms.                                               *)
(*****************************************************************************)

type term_subst = Jc_fenv.term Jc_envset.VarMap.t

let rec subst_term (subst : term_subst) t =
  let f = subst_term subst in
  let n = match t#node with
    | JCTconst _ as t1 -> t1
    | JCTvar v as t1 ->
        begin
          try (VarMap.find v subst)#node
          with Not_found -> t1
        end          
    | JCTbinary(t1,op,t2) -> JCTbinary(f t1,op,f t2)
    | JCTshift(t1,t2) -> JCTshift(f t1, f t2)
    | JCTrange(t1,t2) -> JCTrange(Option_misc.map f t1, Option_misc.map f t2)
    | JCTunary(op,t1) -> JCTunary(op, f t1)
    | JCTderef(t1,lab,fi) -> JCTderef(f t1,lab,fi)
    | JCTold(t1) -> JCTold(f t1)  
    | JCTat(t1,lab) -> JCTat(f t1,lab) 
    | JCToffset(kind,t1,st) -> JCToffset(kind,f t1,st) 
    | JCTaddress(kind,t1) -> JCTaddress(kind,f t1) 
    | JCTbase_block(t1) -> JCTbase_block(f t1)
    | JCTinstanceof(t1,lab,st) -> JCTinstanceof(f t1,lab,st) 
    | JCTcast(t1,lab,st) -> JCTcast(f t1,lab,st) 
    | JCTbitwise_cast(t1,lab,st) -> JCTbitwise_cast(f t1,lab,st) 
    | JCTrange_cast(t1,ei) -> JCTrange_cast(f t1,ei)
    | JCTreal_cast(t1,rconv) -> JCTreal_cast(f t1,rconv)
    | JCTapp app -> 
        JCTapp({app with jc_app_args = List.map f app.jc_app_args})
    | JCTif(t1,t2,t3) -> JCTif(f t1, f t2, f t3)
    | JCTlet(_vi,_t1,_t2) -> 
        assert false (* TODO, beware of variable capture *)
    | JCTmatch(_t, _ptl) -> 
        assert false (* TODO, beware of variable capture *)
          (* JCTmatch(f t,List.map f ptl) *)
  in
  new term_with ~node:n t 

module TermAst = struct
  type t = term
  let subs t = 
    match t#node with
      | JCTconst _ | JCTvar _ | JCTrange(None,None) -> 
	  []
      | JCTbinary(t1,_,t2) | JCTshift(t1,t2) 
      | JCTrange(Some t1,Some t2) ->
	  [t1;t2]
      | JCTunary(_,t1) | JCTderef(t1,_,_) | JCTold t1 | JCTat(t1,_) 
      | JCToffset(_,t1,_) | JCTaddress(_,t1) | JCTbase_block(t1)
      | JCTinstanceof(t1,_,_) | JCTcast(t1,_,_) | JCTbitwise_cast(t1,_,_) 
      | JCTrange_cast(t1,_) 
      | JCTreal_cast(t1,_) | JCTrange(Some t1,None)
      | JCTrange(None,Some t1) ->
	  [t1]
      | JCTapp app ->
	  app.jc_app_args 
      | JCTif(t1,t2,t3) ->
	  [t1;t2;t3]
      | JCTmatch(t, ptl) ->
	  t :: List.map snd ptl
      | JCTlet(_, t1,t2) ->
	  [t1;t2]
end

module ITerm = Iterators(TermAst)


let fold_sub_term it f acc t =
  let it = it f in
  match t#node with
    | JCTconst _ 
    | JCTvar _ -> 
	acc
    | JCTbinary(t1,_,t2)
    | JCTshift(t1,t2) ->
	let acc = it acc t1 in
	it acc t2
    | JCTrange(t1_opt,t2_opt) ->
	let acc = Option_misc.fold_left it acc t1_opt in
	Option_misc.fold_left it acc t2_opt
    | JCTunary(_,t1) 
    | JCTderef(t1,_,_)
    | JCTold t1
    | JCToffset(_,t1,_)
    | JCTaddress(_,t1)
    | JCTbase_block(t1)
    | JCTinstanceof(t1,_,_) 
    | JCTcast(t1,_,_) 
    | JCTbitwise_cast(t1,_,_) 
    | JCTreal_cast(t1,_) 
    | JCTrange_cast(t1,_) 
    | JCTat(t1,_) ->
	it acc t1
    | JCTapp app ->
	let tl = app.jc_app_args in
	List.fold_left it acc tl
    | JCTif(t1,t2,t3) ->
	let acc = it acc t1 in
	let acc = it acc t2 in
	it acc t3
    | JCTlet(_,t1,t2) ->
	let acc = it acc t1 in
	it acc t2
    | JCTmatch(t, ptl) ->
	let acc = it acc t in
	List.fold_left (fun acc (_, t) -> it acc t) acc ptl

let rec fold_term f acc t =
  let acc = f acc t in
  fold_sub_term fold_term f acc t

let rec fold_rec_term f acc t =
  let cont,acc = f acc t in
  if cont then fold_sub_term fold_rec_term f acc t else acc

let fold_unit f () = f

let iter_term ft t = fold_term (fold_unit ft) () t

let rec map_term f t =
  let tnode = match t#node with
    | JCTconst _ | JCTvar _ | JCTrange (None, None) as tnode -> tnode
    | JCTbinary(t1,bop,t2) ->
	JCTbinary(map_term f t1,bop,map_term f t2) 
    | JCTunary(uop,t1) ->
	JCTunary(uop,map_term f t1)
    | JCTshift(t1,t2) ->
	JCTshift(map_term f t1,map_term f t2)
    | JCTderef(t1,lab,fi) ->
	JCTderef(map_term f t1,lab,fi)
    | JCTapp app ->
	let tl = app.jc_app_args in
	JCTapp { app with jc_app_args = List.map (map_term f) tl; }
    | JCTold t ->
	JCTold(map_term f t)
    | JCTat(t,lab) ->
	JCTat(map_term f t,lab)
    | JCToffset(off,t,st) ->
	JCToffset(off,map_term f t,st)
    | JCTaddress(absolute,t) ->
	JCTaddress (absolute,map_term f t)
    | JCTbase_block(t) ->
	JCTbase_block (map_term f t)
    | JCTinstanceof(t,lab,st) ->
	JCTinstanceof(map_term f t,lab,st)
    | JCTcast(t,lab,st) ->
	JCTcast(map_term f t,lab,st)
    | JCTbitwise_cast(t,lab,st) ->
	JCTbitwise_cast(map_term f t,lab,st)
    | JCTrange_cast(t,ei) ->
	JCTrange_cast(map_term f t,ei)
    | JCTreal_cast(t,rc) ->
	JCTreal_cast(map_term f t,rc)
    | JCTif(t1,t2,t3) ->
	JCTif(map_term f t1,map_term f t2,map_term f t3)
    | JCTlet(vi,t1,t2) ->
	JCTlet(vi,map_term f t1,map_term f t2)
    | JCTrange(Some t1,Some t2) ->
	JCTrange(Some (map_term f t1),Some (map_term f t2))
    | JCTrange(Some t1,None) ->
	JCTrange(Some (map_term f t1),None)
    | JCTrange(None,Some t2) ->
	JCTrange(None,Some (map_term f t2))
    | JCTmatch(t, ptl) ->
	JCTmatch(map_term f t, List.map (fun (p, t) -> p, map_term f t) ptl)
  in
  f (new term_with ~node:tnode t)


(*****************************************************************************)
(* General iterators on assertions.                                          *)
(*****************************************************************************)

let rec iter_term_and_assertion ft fa a =
  let iter_tag tag = 
    match tag#node with
      | JCTtag _ | JCTbottom -> ()
      | JCTtypeof(t,_st) -> (* ITerm.iter *) iter_term ft t
  in
  fa a;
  match a#node with
    | JCAtrue | JCAfalse -> ()
    | JCAeqtype(tag1,tag2,_st) | JCAsubtype(tag1,tag2,_st) ->
	iter_tag tag1; 
	iter_tag tag2
    | JCArelation(t1,_,t2) -> 
	(* ITerm.iter *) iter_term ft t1;
	(* ITerm.iter *) iter_term ft t2
    | JCAapp app ->
	List.iter (iter_term ft) app.jc_app_args
    | JCAfresh t1
    | JCAinstanceof(t1,_,_) | JCAbool_term t1 | JCAmutable(t1,_,_) ->
	iter_term ft t1
    | JCAand al | JCAor al ->
	List.iter (iter_term_and_assertion ft fa) al
    | JCAimplies(a1,a2) | JCAiff(a1,a2) ->
	iter_term_and_assertion ft fa a1;
	iter_term_and_assertion ft fa a2
    | JCAif(t1,a1,a2) ->
	iter_term ft t1;
	iter_term_and_assertion ft fa a1;
	iter_term_and_assertion ft fa a2
    | JCAnot a1 | JCAold a1 | JCAat(a1,_) ->
	iter_term_and_assertion ft fa a1
    | JCAquantifier(_,_,trigs, a1) ->
        List.iter (List.iter (function 
                                | JCAPatT t -> iter_term ft t
                                | JCAPatP a -> iter_term_and_assertion ft fa a))
          trigs;
        iter_term_and_assertion ft fa a1
    | JCAlet(_vi,t,p) ->
	iter_term ft t;
	iter_term_and_assertion ft fa p
    | JCAmatch(t, pal) ->
	iter_term ft t;
	List.iter (fun (_, a) -> iter_term_and_assertion ft fa a) pal

(*
let iter_term_and_assertion_in_loop_annot ft fa la =
  List.iter (fun (_behav,inv) ->
	       iter_term_and_assertion ft fa inv) la.jc_loop_invariant;
  iter_term_and_assertion ft fa la.jc_free_loop_invariant;
  Option_misc.iter (ITerm.iter ft) la.jc_loop_variant

let iter_term_and_assertion_in_behavior ft fa bv =
  Option_misc.iter (iter_term_and_assertion ft fa) bv.jc_behavior_assumes;
  (* TODO: assigns *)
  iter_term_and_assertion ft fa bv.jc_behavior_ensures;
  iter_term_and_assertion ft fa bv.jc_behavior_free_ensures

let iter_term_and_assertion_in_fun_spec ft fa spec =
  iter_term_and_assertion ft fa spec.jc_fun_requires;
  List.iter (fun (_,_,bv) -> iter_term_and_assertion_in_behavior ft fa bv)
    (spec.jc_fun_default_behavior :: spec.jc_fun_behavior)

let rec fold_assertion f acc a =
  let acc = f acc a in
  match a#node with
    | JCAtrue | JCAfalse | JCArelation _ | JCAapp _ | JCAeqtype _ 
    | JCAinstanceof _ | JCAbool_term _ | JCAmutable _ | JCAsubtype _ -> 
	acc
    | JCAand al | JCAor al ->
	List.fold_left (fold_assertion f) acc al
    | JCAimplies(a1,a2) | JCAiff(a1,a2) | JCAif(_,a1,a2) ->
	let acc = fold_assertion f acc a1 in
	fold_assertion f acc a2
    | JCAnot a1 | JCAquantifier(_,_,a1) | JCAold a1 | JCAat(a1,_) ->
	fold_assertion f acc a1
    | JCAmatch(_, pal) ->
	List.fold_left (fun acc (_, a) -> fold_assertion f acc a) acc pal
	  
(* let fold_term_in_tag f acc tag =  *)
(*   match tag#node with *)
(*     | JCTtag _ | JCTbottom -> acc *)
(*     | JCTtypeof(t,_st) -> fold_term f acc t *)

*)

let fold_sub_term_in_tag it f acc tag = 
  match tag#node with
    | JCTtag _ | JCTbottom -> acc
    | JCTtypeof(t,_st) -> it f acc t

let fold_term_in_tag f acc tag =
  fold_sub_term_in_tag fold_term f acc tag

(*

let fold_rec_term_in_tag f acc tag =
  fold_sub_term_in_tag fold_rec_term f acc tag

*)
let rec fold_term_in_assertion f acc a =
  match a#node with
    | JCAtrue | JCAfalse -> acc
    | JCAeqtype(tag1,tag2,_st) | JCAsubtype(tag1,tag2,_st) ->
	let acc = fold_term_in_tag f acc tag1 in
	fold_term_in_tag f acc tag2
    | JCArelation(t1,_,t2) -> 
	let acc = fold_term f acc t1 in
	fold_term f acc t2
    | JCAapp app ->
	List.fold_left (fold_term f) acc app.jc_app_args
    | JCAfresh t1
    | JCAinstanceof(t1,_,_) | JCAbool_term t1 | JCAmutable(t1,_,_) ->
	fold_term f acc t1
    | JCAand al | JCAor al ->
	List.fold_left (fold_term_in_assertion f) acc al
    | JCAimplies(a1,a2) | JCAiff(a1,a2) ->
	let acc = fold_term_in_assertion f acc a1 in
	fold_term_in_assertion f acc a2
    | JCAif(t1,a1,a2) ->
	let acc = fold_term f acc t1 in
	let acc = fold_term_in_assertion f acc a1 in
	fold_term_in_assertion f acc a2
    | JCAnot a1 | JCAquantifier(_,_,_,a1) | JCAold a1 | JCAat(a1,_) ->
	fold_term_in_assertion f acc a1
    | JCAlet(_vi,t, p) ->
	let acc = fold_term f acc t in
	fold_term_in_assertion f acc p
    | JCAmatch(t, pal) ->
	let acc = fold_term f acc t in
	List.fold_left (fun acc (_, a) -> fold_term_in_assertion f acc a)
	  acc pal

(* let rec fold_term_and_assertion ft fa acc a = *)
(*   let acc = match a#node with *)
(*     | JCAtrue | JCAfalse -> acc *)
(*     | JCAeqtype(tag1,tag2,_st) | JCAsubtype(tag1,tag2,_st) -> *)
(* 	let acc = fold_term_in_tag ft acc tag1 in *)
(* 	fold_term_in_tag ft acc tag2 *)
(*     | JCArelation(t1,_,t2) ->  *)
(* 	let acc = fold_term ft acc t1 in *)
(* 	fold_term ft acc t2 *)
(*     | JCAapp app -> *)
(* 	List.fold_left (fold_term ft) acc app.jc_app_args *)
(*     | JCAinstanceof(t1,_,_) | JCAbool_term t1 | JCAmutable(t1,_,_) -> *)
(* 	fold_term ft acc t1 *)
(*     | JCAand al | JCAor al -> *)
(* 	List.fold_left (fold_term_and_assertion ft fa) acc al *)
(*     | JCAimplies(a1,a2) | JCAiff(a1,a2) -> *)
(* 	let acc = fold_term_and_assertion ft fa acc a1 in *)
(* 	fold_term_and_assertion ft fa acc a2 *)
(*     | JCAif(t1,a1,a2) -> *)
(* 	let acc = fold_term ft acc t1 in *)
(* 	let acc = fold_term_and_assertion ft fa acc a1 in *)
(* 	fold_term_and_assertion ft fa acc a2 *)
(*     | JCAnot a1 | JCAquantifier(_,_,a1) | JCAold a1 | JCAat(a1,_) -> *)
(* 	fold_term_and_assertion ft fa acc a1 *)
(*     | JCAmatch(t, pal) -> *)
(* 	let acc = fold_term ft acc t in *)
(* 	List.fold_left (fun acc (_, a) -> fold_term_and_assertion ft fa acc a) *)
(* 	  acc pal *)
(*   in *)
(*   fa acc a *)


let fold_sub_term_and_assertion itt ita ft fa acc a =
  match a#node with
    | JCAtrue | JCAfalse -> acc
    | JCAeqtype(tag1,tag2,_st) | JCAsubtype(tag1,tag2,_st) ->
	let acc = fold_sub_term_in_tag itt ft acc tag1 in
	fold_sub_term_in_tag itt ft acc tag2
    | JCArelation(t1,_,t2) -> 
	let acc = itt ft acc t1 in
	itt ft acc t2
    | JCAapp app ->
	List.fold_left (itt ft) acc app.jc_app_args
    | JCAfresh t1
    | JCAinstanceof(t1,_,_) | JCAbool_term t1 | JCAmutable(t1,_,_) ->
	itt ft acc t1
    | JCAand al | JCAor al ->
	List.fold_left (ita ft fa) acc al
    | JCAimplies(a1,a2) | JCAiff(a1,a2) ->
	let acc = ita ft fa acc a1 in
	ita ft fa acc a2
    | JCAif(t1,a1,a2) ->
	let acc = itt ft acc t1 in
	let acc = ita ft fa acc a1 in
	ita ft fa acc a2
    | JCAnot a1 | JCAold a1 | JCAat(a1,_) ->
	ita ft fa acc a1
    | JCAquantifier(_,_,trigs,a1) ->
        let pat acc = function
          | JCAPatT t -> itt ft acc t
          | JCAPatP a -> ita ft fa acc a in
        let acc = List.fold_left (List.fold_left pat) acc trigs in
        ita ft fa acc a1
    | JCAlet(_vi,t, p) ->
	let acc = itt ft acc t in
	ita ft fa acc p
    | JCAmatch(t, pal) ->
	let acc = itt ft acc t in
	List.fold_left (fun acc (_, a) -> ita ft fa acc a)
	  acc pal

let rec fold_term_and_assertion ft fa acc a =
  let acc = fa acc a in
  fold_sub_term_and_assertion fold_term fold_term_and_assertion ft fa acc a

let rec fold_rec_term_and_assertion ft fa acc a =
  let cont,acc = fa acc a in
  if cont then 
    fold_sub_term_and_assertion 
      fold_rec_term fold_rec_term_and_assertion ft fa acc a 
  else acc

(*
let iter_term_and_assertion ft fa a = 
  fold_term_and_assertion (fold_unit ft) (fold_unit fa) () a
*)

let fold_sub_location_set itt itls ft fls acc locs =
  let itt = itt ft and itls = itls ft fls in
  match locs#node with
    | JCLSvar _vi ->
	acc
    | JCLSderef(locs,_lab,_fi,_r) ->
	itls acc locs
    | JCLSrange(locs,t1_opt,t2_opt) ->
	let acc = itls acc locs in
	let acc = Option_misc.fold_left itt acc t1_opt in
	Option_misc.fold_left itt acc t2_opt 
   | JCLSrange_term(t0,t1_opt,t2_opt) ->
	let acc = itt acc t0 in
	let acc = Option_misc.fold_left itt acc t1_opt in
	Option_misc.fold_left itt acc t2_opt 
   | JCLSat(ls,_lab) -> itls acc ls

let rec fold_location_set ft fls acc locs =
  let acc = fls acc locs in
  fold_sub_location_set fold_term fold_location_set ft fls acc locs
  
let rec fold_rec_location_set ft fls acc locs =
  let cont,acc = fls acc locs in
  if cont then 
    fold_sub_location_set fold_rec_term fold_rec_location_set ft fls acc locs 
  else acc

(*  
let iter_location_set ft fls loc =
  fold_location_set (fold_unit ft) (fold_unit fls) () loc
*)

let fold_sub_location itt itl itls ft fl fls acc loc =
  let itt = itt ft and itl = itl ft fl fls and itls = itls ft fls in
  match loc#node with
    | JCLvar _vi ->
	acc
    | JCLderef(locs,_lab,_fi,_r) ->
	itls acc locs
    | JCLderef_term(locs,_fi) ->
	itt acc locs
    | JCLat(loc,_lab) ->
	itl acc loc

let rec fold_location ft fl fls acc loc =
  let acc = fl acc loc in
  fold_sub_location fold_term fold_location fold_location_set ft fl fls acc loc

let rec fold_rec_location ft fl fls acc loc =
  let cont,acc = fl acc loc in
  if cont then 
    fold_sub_location fold_rec_term fold_rec_location fold_rec_location_set
      ft fl fls acc loc 
  else acc

let iter_location ft fl fls loc =
  fold_location (fold_unit ft) (fold_unit fl) (fold_unit fls) () loc

let fold_sub_behavior _itt ita itl _itls ft fa fl fls acc b =
  let ita = ita ft fa and itl = itl ft fl fls in
  let acc = Option_misc.fold_left ita acc b.jc_behavior_assumes in
  let acc =
    Option_misc.fold_left
      (fun acc (_,locs) -> List.fold_left itl acc locs)
      acc b.jc_behavior_assigns
  in
  let acc = ita acc b.jc_behavior_ensures in
  ita acc b.jc_behavior_free_ensures

let fold_behavior ft fa fl fls acc e =
  fold_sub_behavior 
    fold_term fold_term_and_assertion fold_location fold_location_set
    ft fa fl fls acc e

(*
let rec fold_rec_behavior ft fa fl fls acc e =
  fold_sub_behavior
    fold_rec_term fold_rec_term_and_assertion fold_rec_location
    fold_rec_location_set
    ft fa fl fls acc e 
*)

(*
let iter_behavior ft fa fl fls b =
  fold_behavior (fold_unit ft) (fold_unit fa) (fold_unit fl) (fold_unit fls) 
    () b
*)

let fold_sub_funspec itb _itt ita _itl _itls ft fa fl fls acc spec =
  let ita = ita ft fa and itb = itb ft fa fl fls in
  let acc = ita acc spec.jc_fun_requires in
  let acc = ita acc spec.jc_fun_free_requires in
  List.fold_left
    (fun acc (_pos,_id,behav) -> itb acc behav)
    acc (spec.jc_fun_default_behavior :: spec.jc_fun_behavior)

let fold_funspec ft fa fl fls acc spec =
  fold_sub_funspec 
    fold_behavior fold_term fold_term_and_assertion fold_location 
    fold_location_set ft fa fl fls acc spec

(*
let rec fold_rec_funspec ft fa fl fls acc spec =
  fold_sub_funspec
    fold_rec_behavior fold_rec_term fold_rec_term_and_assertion 
    fold_rec_location fold_rec_location_set ft fa fl fls acc spec

*)
let iter_funspec ft fa fl fls spec =
  fold_funspec (fold_unit ft) (fold_unit fa) (fold_unit fl) (fold_unit fls) 
    () spec

(*

let rec map_assertion f a =
  let anode = match a#node with
    | JCAtrue | JCAfalse | JCArelation _ | JCAapp _ | JCAeqtype _ 
    | JCAinstanceof _ | JCAbool_term _ | JCAmutable _ 
    | JCAsubtype _ as anode -> 
	anode
    | JCAand al ->
	JCAand(List.map (map_assertion f) al)
    | JCAor al ->
	JCAor(List.map (map_assertion f) al)
    | JCAimplies(a1,a2) ->
	JCAimplies(map_assertion f a1,map_assertion f a2)
    | JCAiff(a1,a2) ->
	JCAiff(map_assertion f a1,map_assertion f a2)
    | JCAif(t,a1,a2) ->
	JCAif(t,map_assertion f a1,map_assertion f a2)
    | JCAnot a1 ->
	JCAnot(map_assertion f a1)
    | JCAquantifier(q,vi,a1) ->
	JCAquantifier(q,vi,map_assertion f a1)
    | JCAold a1 ->
	JCAold(map_assertion f a1)
    | JCAat(a1,lab) ->
	JCAat(map_assertion f a1,lab)
    | JCAmatch(t, pal) ->
	JCAmatch(t, List.map (fun (p, a) -> p, map_assertion f a) pal)
  in
  f (new assertion_with ~node:anode a)

*)

let map_term_in_tag f tag = 
  let tag_node = match tag#node with
    | JCTtag _ | JCTbottom as tag_node -> tag_node
    | JCTtypeof(t,st) -> 
	JCTtypeof(map_term f t,st)
  in
  new tag_with ~node:tag_node tag


let rec map_term_in_assertion f a =
  let anode = match a#node with
    | JCAtrue | JCAfalse as anode -> anode
    | JCAeqtype(tag1,tag2,st) ->
	JCAeqtype(map_term_in_tag f tag1,map_term_in_tag f tag2,st)
    | JCAsubtype(tag1,tag2,st) ->
	JCAsubtype(map_term_in_tag f tag1,map_term_in_tag f tag2,st)
    | JCArelation(t1,op,t2) -> 
	JCArelation(map_term f t1,op,map_term f t2)
    | JCAapp app ->
	JCAapp { app with jc_app_args = List.map (map_term f) app.jc_app_args }
    | JCAinstanceof(t1,lab,st) ->
	JCAinstanceof(map_term f t1,lab,st)
    | JCAbool_term t1 ->
	JCAbool_term(map_term f t1)
    | JCAfresh t1 ->
	JCAfresh(map_term f t1)
    | JCAmutable(t1,st,tag) ->
	JCAmutable(map_term f t1,st,tag)
    | JCAand al ->
	JCAand(List.map (map_term_in_assertion f) al)
    | JCAor al ->
	JCAor(List.map (map_term_in_assertion f) al)
    | JCAimplies(a1,a2) ->
	JCAimplies
	  (map_term_in_assertion f a1,map_term_in_assertion f a2)
    | JCAiff(a1,a2) ->
	JCAiff
	  (map_term_in_assertion f a1,map_term_in_assertion f a2)
    | JCAif(t1,a1,a2) ->
	JCAif(
	  map_term f t1,
	  map_term_in_assertion f a1,
	  map_term_in_assertion f a2)
    | JCAnot a1 ->
	JCAnot(map_term_in_assertion f a1)
    | JCAquantifier(q,vi,trigs,a1) ->
        let pat = function
          | JCAPatT t -> JCAPatT (map_term f t)
          | a -> a in
        let trigs = List.map (List.map pat) trigs in
	JCAquantifier(q,vi,trigs,map_term_in_assertion f a1)
    | JCAold a1 ->
	JCAold(map_term_in_assertion f a1)
    | JCAat(a1,lab) ->
	JCAat(map_term_in_assertion f a1,lab)
    | JCAlet(vi, t, p) ->
	JCAlet(vi,map_term f t,map_term_in_assertion f p)
    | JCAmatch(t, pal) ->
	JCAmatch(map_term f t,
		 List.map (fun (p, a) -> p, map_term_in_assertion f a) pal)
  in
  new assertion_with ~node:anode a

(*
let rec map_term_and_assertion fa ft a =
  let anode = match a#node with
    | JCAtrue | JCAfalse as anode -> anode
    | JCAeqtype(tag1,tag2,st) ->
	JCAeqtype(map_term_in_tag ft tag1,map_term_in_tag ft tag2,st)
    | JCAsubtype(tag1,tag2,st) ->
	JCAsubtype(map_term_in_tag ft tag1,map_term_in_tag ft tag2,st)
    | JCArelation(t1,op,t2) -> 
	JCArelation(map_term ft t1,op,map_term ft t2)
    | JCAapp app ->
	JCAapp { app with jc_app_args = List.map (map_term ft) app.jc_app_args }
    | JCAinstanceof(t1,lab,st) ->
	JCAinstanceof(map_term ft t1,lab,st)
    | JCAbool_term t1 ->
	JCAbool_term(map_term ft t1)
    | JCAmutable(t1,st,tag) ->
	JCAmutable(map_term ft t1,st,tag)
    | JCAand al ->
	JCAand(List.map (map_term_and_assertion fa ft) al)
    | JCAor al ->
	JCAor(List.map (map_term_and_assertion fa ft) al)
    | JCAimplies(a1,a2) ->
	JCAimplies
	  (map_term_and_assertion fa ft a1,map_term_and_assertion fa ft a2)
    | JCAiff(a1,a2) ->
	JCAiff
	  (map_term_and_assertion fa ft a1,map_term_and_assertion fa ft a2)
    | JCAif(t1,a1,a2) ->
	JCAif(
	  map_term ft t1,
	  map_term_and_assertion fa ft a1,
	  map_term_and_assertion fa ft a2)
    | JCAnot a1 ->
	JCAnot(map_term_and_assertion fa ft a1)
    | JCAquantifier(q,vi,a1) ->
	JCAquantifier(q,vi,map_term_and_assertion fa ft a1)
    | JCAold a1 ->
	JCAold(map_term_and_assertion fa ft a1)
    | JCAat(a1,lab) ->
	JCAat(map_term_and_assertion fa ft a1,lab)
    | JCAmatch(t, pal) ->
	JCAmatch(map_term ft t,
		 List.map (fun (p, a) -> p, map_term_and_assertion fa ft a) pal)
  in
  fa (new assertion_with ~node:anode a)

*)

(*****************************************************************************)
(* General iterators on patterns.                                            *)
(*****************************************************************************)


let rec iter_pattern f p =
  f p;
  match p#node with
    | JCPstruct(_, fipl) ->
	List.iter (iter_pattern f) (List.map snd fipl)
    | JCPor(p1, p2) ->
	iter_pattern f p1;
	iter_pattern f p2
    | JCPas(p, _) ->
	iter_pattern f p
    | JCPvar _
    | JCPany
    | JCPconst _ -> ()

(*
let rec fold_pattern f acc p =
  let acc = f acc p in
  match p#node with
    | JCPstruct(_, fipl) ->
	List.fold_left (fold_pattern f) acc (List.rev (List.map snd fipl))
    | JCPor(p1, p2) ->
	let acc = fold_pattern f acc p1 in
	fold_pattern f acc p2
    | JCPas(p, _) ->
	fold_pattern f acc p
    | JCPvar _
    | JCPany
    | JCPconst _ -> ()
*)

(*****************************************************************************)
(* General iterators on expressions.                                         *)
(*****************************************************************************)

let replace_sub_expr e el =
  let as1 = function [e1] -> e1 | _ -> assert false in
  let as2 = function [e1;e2] -> e1,e2 | _ -> assert false in
  let as3 = function [e1;e2;e3] -> e1,e2,e3 | _ -> assert false in
  let pop = function e1::r -> e1,r | _ -> assert false in
  let popopt el = function 
    | None -> None,el 
    | Some _ -> let e1,r = pop el in Some e1,r
  in
(* dead code
  let rec popn n el = 
    if n > 0 then 
      let e,r = pop el in
      let el1,el2 = popn (n-1) r in
      e :: el1, el2
    else [],el
  in
*)
  let enode = match e#node with
    | JCEconst _ | JCEvar _ | JCEassert _ | JCEreturn_void as enode -> enode
    | JCEcontract(req,dec,vi_result,behs,_e) ->
	let e1 = as1 el in JCEcontract(req,dec,vi_result,behs,e1)
    | JCEbinary(_e1,bop,_e2) ->
	let e1,e2 = as2 el in JCEbinary(e1,bop,e2) 
    | JCEshift(_e1,_e2) ->
	let e1,e2 = as2 el in JCEshift(e1,e2) 
    | JCEunary(uop,_e1) ->
	let e1 = as1 el in JCEunary(uop,e1)
    | JCEassign_var(vi,_e2) ->
	let e2 = as1 el in JCEassign_var(vi,e2)
    | JCEassign_heap(_e1,fi,_e2) ->
	let e1,e2 = as2 el in JCEassign_heap(e1,fi,e2)
    | JCEderef(_e1,fi) ->
	let e1 = as1 el in JCEderef(e1,fi)
    | JCEapp call ->
	JCEapp { call with jc_call_args = el }
    | JCEoffset(off,_e,st) ->
	let e1 = as1 el in JCEoffset(off,e1,st)
    | JCEfresh(_e) ->
	let e1 = as1 el in JCEfresh(e1)
    | JCEaddress(absolute,_e) ->
	let e1 = as1 el in JCEaddress(absolute,e1)
    | JCEbase_block(_e) ->
	let e1 = as1 el in JCEbase_block(e1)
    | JCEinstanceof(_e,st) ->
	let e1 = as1 el in JCEinstanceof(e1,st)
    | JCEcast(_e,st) ->
	let e1 = as1 el in JCEcast(e1,st)
    | JCEbitwise_cast(_e,st) ->
	let e1 = as1 el in JCEbitwise_cast(e1,st)
    | JCEreal_cast(_e,st) ->
	let e1 = as1 el in JCEreal_cast(e1,st)
    | JCErange_cast(_e,st) ->
	let e1 = as1 el in JCErange_cast(e1,st)
    | JCEif(_e1,_e2,_e3) ->
	let e1,e2,e3 = as3 el in JCEif(e1,e2,e3)
    | JCEmatch(_e1,ptl) ->
	let e1,el = pop el in
	let ptl = List.map2 (fun (p,_e) e -> p,e) ptl el in
	JCEmatch(e1,ptl)
    | JCElet(vi,eopt,_e) ->
	let eopt,el = popopt el eopt in
	let e1 = as1 el in JCElet(vi,eopt,e1)
    | JCEalloc(_e,name) ->
	let e1 = as1 el in JCEalloc(e1,name)
    | JCEfree _e ->
	let e1 = as1 el in JCEfree e1
    | JCEblock elist ->
	assert (List.length elist = List.length el);
	JCEblock el
    | JCEloop(annot,_body) ->
	let body = as1 el in 
	JCEloop(annot,body)
    | JCEreturn(ty,_e) ->
	let e1 = as1 el in JCEreturn(ty,e1)
    | JCEtry(_body,catches,_finally) ->
	let body,el = pop el in
	let catches,el = 
	  List.fold_left (fun (acc,el) (id,name,_e) -> 
			    let e1,el = pop el in (id,name,e1)::acc,el
			 ) ([],el) catches
	in
	let catches = List.rev catches in
	let finally = as1 el in
	JCEtry(body,catches,finally)
    | JCEthrow(id,eopt) ->
	let eopt,_el = popopt el eopt in
        JCEthrow(id,eopt)
    | JCEpack(st1,_e,st2) ->
	let e1 = as1 el in JCEpack(st1,e1,st2)
    | JCEunpack(st1,_e,st2) ->
	let e1 = as1 el in JCEunpack(st1,e1,st2)
  in
  new expr_with ~node:enode e

module ExprAst = struct
  type t = Jc_constructors.expr
  let subs e =
    match e#node with
      | JCEconst _
      | JCEvar _
      | JCEassert _
      | JCEreturn_void 
      | JCEthrow(_, None) ->
          []
      | JCEderef(e, _)
      | JCEunary(_, e)
      | JCEassign_var(_, e)
      | JCEinstanceof(e, _)
      | JCEcast(e, _)
      | JCEbitwise_cast(e, _)
      | JCErange_cast(e, _)
      | JCEreal_cast(e, _)
      | JCEoffset(_, e, _)
      | JCEaddress(_,e)
      | JCEfresh(e)
      | JCEbase_block(e)
      | JCEalloc(e, _)
      | JCEfree e
      | JCElet(_, None, e)
      | JCEloop(_, e)
      | JCEreturn(_, e)
      | JCEthrow(_, Some e)
      | JCEpack(_, e, _)
      | JCEunpack(_, e, _) 
      | JCEcontract(_,_,_,_,e) -> [e]
      | JCEbinary(e1, _, e2)
      | JCEassign_heap(e1, _, e2)
      | JCElet(_, Some e1, e2)
      | JCEshift(e1, e2) ->
          [e1; e2]
      | JCEif(e1, e2, e3) ->
          [e1; e2; e3]
      | JCEblock el ->
          el
      | JCEapp call ->
	  call.jc_call_args
      | JCEtry(e1, l, e2) ->
          e1 :: List.map (fun (_, _, e) -> e) l @ [ e2 ]
      | JCEmatch(e, pel) ->
          e :: List.map snd pel
end

module IExpr = Iterators(ExprAst)

let rec map_expr ?(before = fun x -> x) ?(after = fun x -> x) e =
  let e = before e in
  let elist = List.map (map_expr ~before ~after) (ExprAst.subs e) in
  after (replace_sub_expr e elist)

let fold_sub_expr_and_term_and_assertion 
    itt ita itl itls ite ft fa fl fls fe acc e =
  let fold_sub_behavior = fold_sub_behavior itt ita itl itls ft fa fl fls in
  let ite = ite ft fa fl fls fe and ita = ita ft fa and itt = itt ft in
  match e#node with
    | JCEconst _ 
    | JCEvar _ 
    | JCEreturn_void ->
       acc
    | JCEthrow(_exc,e1_opt) ->
	Option_misc.fold_left ite acc e1_opt
    | JCEbinary(e1,_,e2) 
    | JCEshift(e1,e2)
    | JCEassign_heap(e1,_,e2) ->
	let acc = ite acc e1 in
	ite acc e2
    | JCEunary(_,e1)
    | JCEderef(e1,_)
    | JCEoffset(_,e1,_)
    | JCEaddress(_,e1)
    | JCEbase_block(e1)
    | JCEfresh(e1)
    | JCEcast(e1,_)
    | JCEbitwise_cast(e1,_) 
    | JCErange_cast(e1,_) 
    | JCEinstanceof(e1,_) 
    | JCEreal_cast(e1,_)
    | JCEunpack(_,e1,_)
    | JCEpack(_,e1,_)
    | JCEassign_var(_,e1) 
    | JCEalloc(e1,_) 
    | JCEfree e1 
    | JCEreturn(_,e1) ->
	ite acc e1
    | JCElet(_,e1_opt,e2) ->
	let acc = Option_misc.fold_left ite acc e1_opt in
	ite acc e2
    | JCEapp call ->
	List.fold_left ite acc call.jc_call_args
    | JCEif(e1,e2,e3) ->
	let acc = ite acc e1 in
	let acc = ite acc e2 in
	ite acc e3
    | JCEmatch(e, ptl) ->
	let acc = ite acc e in
	List.fold_left (fun acc (_, e) -> ite acc e) acc ptl
    | JCEblock el ->
	List.fold_left ite acc el
    | JCEtry(e1,catches,finally) ->
	let acc = ite acc e1 in
	let acc = 
	  List.fold_left (fun acc (_exc,_vi_opt,e) -> ite acc e) acc catches
	in
	ite acc finally
    | JCEassert(_behav,_asrt,a) ->
	ita acc a
    | JCEloop(la,e1) ->
	let acc = ite acc e1 in
	let acc = 
	  List.fold_left 
	    (fun acc (_id,inv,_assigns) -> 
	       let acc = Option_misc.fold_left ita acc inv in
	       acc (* TODO: fold on assigns *)
	    ) acc la.jc_loop_behaviors
	in
	let acc = ita acc la.jc_free_loop_invariant in
	Option_misc.fold_left (fun acc (t,_) -> itt acc t) acc la.jc_loop_variant
    | JCEcontract(a_opt,t_opt,_v,behavs,e) ->
	let acc = Option_misc.fold_left ita acc a_opt in
	let acc = Option_misc.fold_left (fun acc (t,_) -> itt acc t) acc t_opt in
	let acc = 
	  List.fold_left 
	    (fun acc (_loc,_name,behav) ->
	       fold_sub_behavior acc behav
	    ) acc behavs
	in
	ite acc e


let rec fold_expr_and_term_and_assertion ft fa fl fls fe acc e =
  let acc = fe acc e in
  fold_sub_expr_and_term_and_assertion 
    fold_term fold_term_and_assertion fold_location fold_location_set
    fold_expr_and_term_and_assertion 
    ft fa fl fls fe acc e


let rec fold_rec_expr_and_term_and_assertion ft fa fl fls fe acc e =
  let cont,acc = fe acc e in
  if cont then 
    fold_sub_expr_and_term_and_assertion
      fold_rec_term fold_rec_term_and_assertion fold_rec_location
      fold_rec_location_set fold_rec_expr_and_term_and_assertion 
      ft fa fl fls fe acc e 
  else acc

let iter_expr_and_term_and_assertion ft fa fl fls fe e =
  fold_expr_and_term_and_assertion (fold_unit ft) (fold_unit fa) 
    (fold_unit fl) (fold_unit fls) (fold_unit fe) () e


module NExprAst = struct
  type t = nexpr
  let subtags tag = 
    match tag#node with
      | JCPTtag _ | JCPTbottom -> []
      | JCPTtypeof e -> [e]
  let subs e =
    match e#node with
      | JCNEconst _
      | JCNEvar _
      | JCNEreturn None
      | JCNEthrow(_, None)
      | JCNErange(None, None) ->
          []
      | JCNEeqtype(tag1,tag2) | JCNEsubtype(tag1,tag2) ->
	  subtags tag1 @ subtags tag2
      | JCNElabel(_, e)
      | JCNEderef(e, _)
      | JCNEunary(_, e)
      | JCNEinstanceof(e, _)
      | JCNEcast(e, _)
      | JCNEoffset(_, e)
      | JCNEaddress(_,e)
      | JCNEfresh(e)
      | JCNEbase_block(e)
      | JCNEalloc(e, _)
      | JCNEfree e
      | JCNElet(_, _, None, e)
      | JCNEassert(_,_,e)
      | JCNEreturn(Some e)
      | JCNEthrow(_, Some e)
      | JCNEpack(e, _)
      | JCNEunpack(e, _)
      | JCNEold e
      | JCNEat(e, _)
      | JCNEmutable(e, _)
      | JCNErange(Some e, None)
      | JCNErange(None, Some e) ->
          [e]
      | JCNEbinary(e1, _, e2)
      | JCNEassign(e1, e2)
      | JCNElet(_, _, Some e1, e2)
      | JCNErange(Some e1, Some e2) ->
          [e1; e2]
      | JCNEcontract(_,_,_,e) -> 
	  [e]
      | JCNEif(e1, e2, e3) ->
          [e1; e2; e3]
      | JCNEloop(behs, variant, e2) ->
	  List.fold_right
	    (fun (_,inv,ass) acc ->
	       let acc = 
		 Option_misc.fold (fun x l -> x::l) inv acc
	       in
		 Option_misc.fold 
		   (fun (_,locs) l -> locs@l) 
		   ass acc)
	    behs
	    (Option_misc.fold (fun (x,_) l -> x::l) variant [e2])
      | JCNEapp(_, _, el)
      | JCNEblock el ->
          el
      | JCNEquantifier(_, _, _, el, e) -> e::(List.concat el)
      | JCNEmatch(e, pel) ->
          e :: List.map snd pel
      | JCNEtry(e1, l, e2) ->
          e1 :: List.map (fun (_, _, e) -> e) l @ [e2]
end

module INExpr = Iterators(NExprAst)

(*
Local Variables: 
compile-command: "LC_ALL=C make -C .. bin/jessie.byte"
End: 
*)
why-2.39/jc/jc_frame.ml0000644000106100004300000027576213147234006013750 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)


open Jc_stdlib
open Jc_env
open Jc_envset
open Jc_region
open Jc_ast
open Jc_fenv

open Jc_name
open Jc_constructors
open Jc_pervasives
open Jc_interp_misc

open Output
open Format

open Jc_interp

open Jc_frame_notin

(*****)

let test_correct_logic f =
  if List.length f.jc_logic_info_labels <> 1 then
    failwith "Separation predicate generation :\
 Logic must have only one label"
  else
    MemoryMap.iter
      (fun (mc,_distr) _labs ->
        match mc with
          | JCmem_field _ -> ()
          | _ -> failwith "Separation predicate generation :\
 Only simple memory model"
      )
      f.jc_logic_info_effects.jc_effect_memories

(*
let test_correct = function
  | `Logic (f,_,_) -> test_correct_logic f
  | `Pointer _g -> ()
*)

let if_in_restr restr e =
  match restr with [] -> true | _ ->
    match e with
      | JCmem_field field -> List.mem field.jc_field_info_name restr
      | _ ->  assert false (* checked by test_correct *)

let inter_memory (m1,restr1) (m2,restr2) =
  let m1 = m1.jc_logic_info_effects.jc_effect_memories in
  let m2 = m2.jc_logic_info_effects.jc_effect_memories in
  (*let log int m restr =
  Jc_options.lprintf "@[inter_memory %i:@[@.m : %a@.restr : %a@]@]"
    int
    (print_list semi (print_pair Jc_output_misc.memory_class nothing))
       (MemoryMap.keys m)
    (print_list semi string) restr;assert false in
  log 1 m1 restr1;
  log 2 m2 restr2;*)
  let filter m restr =
    MemoryMap.filter (fun (e,_) _ -> if_in_restr restr e) m in
  let m1 = filter m1 restr1 in
  let m2 = filter m2 restr2 in
  MemoryMap.inter_merge_option
    (fun lab1 lab2 ->
       (* These sets should have only one element has their
          functions have only one label (see test_correct) *)
       let l1 = LogicLabelSet.choose lab1 in
       let l2 = LogicLabelSet.choose lab2 in
       Some (l1,l2)
    )
    m1 m2
(*  MemoryMap.fold
    (fun a _ acc ->
       if MemoryMap.mem a m2
       then MemorySet.add a acc
       else acc)
    m1 MemorySet.empty*)

let is_same_field (mc,region) var =
  let b1 = InternalRegion.equal region var.jc_var_info_region in
  let b2 = match mc with
    | JCmem_field field ->
        Jc_typing.comparable_types field.jc_field_info_type
          var.jc_var_info_type
    | _ -> false in
  b1 && b2

let is_same_field_2var var1 var2 =
  InternalRegion.equal var1.jc_var_info_region var2.jc_var_info_region
  && var1.jc_var_info_type = var2.jc_var_info_type

let separation_between queue kind acc a b =
  match a,b with
    | `Logic (finfo,frestr,fparams), `Logic (ginfo,grestr,gparams) ->
        let f = (finfo,fparams) and g = (ginfo,gparams) in
        let mems = inter_memory (finfo,frestr) (ginfo,grestr) in
        MemoryMap.fold
          (fun mem (labf,labg) acc ->
             let memlf = NotIn.from_memory false (mem,labf) in
             let memlg = NotIn.from_memory false (mem,labg) in
             let disj acc =
               Queue.add (finfo,(`Disj ,memlf)) queue;
               Queue.add (ginfo,(`Disj ,memlg)) queue;
               (`Disj ((g,memlg),(f,memlf)))::acc in
             match kind with
               | `Sep -> disj acc
               | `Inc -> assert false (* Not Done anymore *)
               | `Cni -> assert false (* Not Done anymore *)
          )
          mems acc
    | (`Logic (finfo,frestr,fparams), `Pointer pa)
    | (`Pointer pa, `Logic (finfo,frestr,fparams)) ->
        let f = (finfo,fparams) in
        MemoryMap.fold
          (fun mem lab acc ->
             let lab = LogicLabelSet.choose lab in
             if is_same_field mem pa && if_in_restr frestr (fst mem)
             then
               let meml = NotIn.from_memory false (mem,lab) in
               let inn acc =
                 Queue.add (finfo,(`In, meml))  queue;
                 (`In(pa,f,meml))::acc in
               match kind, a with
                 | `Sep, _ -> inn acc
                 | `Inc, `Logic _ -> assert false (* Not Done anymore *)
                 | `Inc, `Pointer _ -> assert false (* Not Done anymore *)
                 | `Cni, `Logic _ -> assert false (* Not Done anymore *)
                 | `Cni, `Pointer _ -> assert false (* Not Done anymore *)
             else acc)
          finfo.jc_logic_info_effects.jc_effect_memories acc
    | `Pointer a, `Pointer b ->
        if is_same_field_2var a b
        then`Diff (a,b)::acc
        else acc

let fold_exp f acc l =
  let f = fun a acc b -> f acc a b in
  let rec aux acc = function
    | [] -> acc
    | a::l -> aux (List.fold_left (f a) acc l) l in
  aux acc l

let make_args ?(uniquify_usual=false) ?parameters f =
  (* From tr_logic_fun_aux *)
  let lab =
    match f.jc_logic_info_labels with [lab] -> lab | _ -> LabelHere
  in
  let params =
    match parameters with
      | None -> f.jc_logic_info_parameters
      | Some params -> params in
  let params = List.map (tparam ~label_in_name:true lab) params in
  let params =
    if uniquify_usual
    then List.map (fun (n,v,ty) -> (n^"_JC"^(id_uniq ()),v,ty)) params
    else params in
  let model_params =
    tmodel_parameters ~label_in_name:true f.jc_logic_info_effects
  in
  let params = params @ model_params in
  let params = List.map (fun (n,_v,ty') -> (n,ty')) params in
  params
(*
let ft_name mem f =
  let mem_name = memory_name mem in
  f.jc_logic_info_final_name^mem_name^ft_suffix

let ftpt_name mem f =
  let mem_name = (memory_name mem)^"_elt" in
  f.jc_logic_info_final_name^mem_name^ft_suffix

let notin_name mem f =
  let mem_name = memory_name mem in
  f.jc_logic_info_final_name^mem_name^notin_suffix
*)

(*
let in_name2 mem f =
  let mem_name = memory_name mem in
  f.jc_logic_info_final_name^mem_name^in_suffix
*)

let mk_tvar a = new term a.jc_var_info_type (JCTvar a)

let frame_between_name = "frame_between"

let frame_between ftin notin labels =
  let pid = make_pred frame_between_name in
  pid.jc_logic_info_final_name <- frame_between_name; (* ugly *)
  let var = Jc_pervasives.var (NotIn.jc_ty notin) "a" in
  pid.jc_logic_info_parameters <- [var];
  let ef = {empty_effects with jc_effect_memories =
      MemoryMap.add notin.NotIn.mem
        (LogicLabelSet.of_list labels) MemoryMap.empty} in
  pid.jc_logic_info_effects <- ef;
  pid.jc_logic_info_labels <- labels;
  let app = { jc_app_fun = pid;
              jc_app_args = [ftin];
              jc_app_region_assoc = [];
              jc_app_label_assoc = List.combine labels labels} in
  new assertion (JCAapp app)


let compute_predicate_framed () =
  let aux tag (pi, info,params1,params2,kind) =
      test_correct_logic info;
      let params1 = List.map mk_tvar params1 in
      let params2 = List.map mk_tvar params2 in
      let label1,label2 = match pi.jc_logic_info_labels with
        | [label1;label2] -> label1,label2
        | _ -> assert false in
      let mems = info.jc_logic_info_effects.jc_effect_memories in
      let apps = Jc_region.MemoryMap.fold
        (fun mem labs acc ->
          let lab = Jc_envset.LogicLabelSet.choose labs in
          let notin = NotIn.from_memory false (mem,lab) in
          let app = app_in_logic info params1 label1 notin in
          let app2 = app_in_logic info params2 label2 notin in
          let app2 = MyBag.make_jc_sub [app2;app] in
          match kind with
            | `Frame ->
              let app1 = frame_between app notin pi.jc_logic_info_labels in
              app2::app1::acc
            | `Sub   -> app2::acc
        ) mems [] in
      let ass = new assertion (JCAand apps) in
      IntHashtblIter.replace Jc_typing.logic_functions_table tag
        (pi,JCAssertion ass) in
  Hashtbl.iter aux Jc_typing.pragma_gen_frame

let user_predicate_code queue id kind pred =
  let (logic,_) = IntHashtblIter.find Jc_typing.logic_functions_table id in
  Jc_options.lprintf "Generate code of %s with %i params@."
    logic.jc_logic_info_name (List.length pred);
  let code = fold_exp (separation_between queue kind) [] pred in
  let lab = match logic.jc_logic_info_labels with
      [lab] -> lab | _ -> LabelHere in
  let trad_code = function
    | `Diff (a,b) ->
      new assertion (JCArelation (mk_tvar a,(`Bneq,`Pointer),mk_tvar b))
    | `In (a,(f,fparams),mem) ->
        let params = List.map mk_tvar fparams in
        (*(make_args ~parameters:fparams f)*)
        let app = app_in_logic f params lab mem in
        let app = MyBag.make_jc_in [mk_tvar a;app] in
        new assertion (JCAnot app)
    | `Disj (((f,fparams),memf),((g,gparams),memg)) ->
      let fparams = List.map mk_tvar fparams in
      let gparams = List.map mk_tvar gparams in
        (*(make_args ~parameters:fparams f)*)
      let fapp = app_in_logic f fparams lab memf in
      let gapp = app_in_logic g gparams lab memg in
      MyBag.make_jc_disj [fapp;gapp] in
  let code = List.map trad_code code in
  let code = new assertion (JCAand code) in
  IntHashtblIter.replace
    Jc_typing.logic_functions_table id (logic,JCAssertion code)

let pragma_gen_sep = Jc_typing.pragma_gen_sep

let predicates_to_generate = Hashtbl.create 10

let compute_needed_predicates () =
  let queue = Queue.create () in
  Hashtbl.iter (fun key (kind,preds) ->
    user_predicate_code queue key kind preds)
    pragma_gen_sep;
  (* use the call graph to add the others needed definitions*)
  while not (Queue.is_empty queue) do
    let (f,((_,mem) as e)) = Queue.pop queue in
    let tag = f.jc_logic_info_tag in
    let l = Hashtbl.find_all predicates_to_generate tag in
    if not (List.mem e l)
    then
      begin
        if MemoryMap.mem mem.NotIn.mem
          f.jc_logic_info_effects.jc_effect_memories
        then
          begin
            begin
              match e with
                | `In, mem -> ignore (get_in_logic f mem)
                | `Disj, _ -> ()
            end;
            Hashtbl.add predicates_to_generate tag e;
            (* The user predicate has a particular traitement *)
            if not (Hashtbl.mem pragma_gen_sep f.jc_logic_info_tag) then
              List.iter (fun called -> Queue.add (called,e) queue)
                f.jc_logic_info_calls
          end
      end;
  done;
  compute_predicate_framed ()

(*****)


(*****************************************************************************)
(*                              Logic functions                              *)
(*****************************************************************************)

(* let tr_logic_const vi init acc = *)
(*   let decl = *)
(*     Logic (false, vi.jc_var_info_final_name, [],
       tr_base_type vi.jc_var_info_type) :: acc *)
(*   in *)
(*     match init with *)
(*       | None -> decl *)
(*       | Some(t,ty) -> *)
(*           let t' = term ~type_safe ~global_assertion:true ~relocate:false
             LabelHere LabelHere t in *)
(*           let vi_ty = vi.jc_var_info_type in *)
(*           let t_ty = t#typ in *)
(*           (\* eprintf "logic const: max type = %a@." print_type ty; *\) *)
(*           let pred = *)
(*             LPred ( *)
(*               "eq", *)
(*               [term_coerce Loc.dummy_position ty vi_ty t
                 (LVar vi.jc_var_info_name);  *)
(*                term_coerce t#pos ty t_ty t t']) *)
(*           in *)
(*         let ax = *)
(*           Axiom( *)
(*             vi.jc_var_info_final_name ^ "_value_axiom", *)
(*             bind_pattern_lets pred *)
(*           ) *)
(*         in *)
(*         ax::decl *)

let fun_def f ta fa ft term_coerce params =
  (* Function definition *)
    match f.jc_logic_info_result_type, ta with
      | None, JCAssertion a -> (* Predicate *)
          let body = fa a in
          [Predicate(false, id_no_loc f.jc_logic_info_final_name,
		     params, body)]
      | Some ty, JCTerm t -> (* Function *)
          let ty' = tr_base_type ty in
          let t' = ft t in
	  let t' = term_coerce t#pos ty t#typ t t' in
          if List.mem f f.jc_logic_info_calls then
            let logic = Logic(false, id_no_loc f.jc_logic_info_final_name,
			      params, ty')
            in
            let fstparams = List.map (fun (s,_) -> LVar s) params in
            let app = (LApp(f.jc_logic_info_final_name,fstparams)) in
            let axiom =
              Goal(KAxiom,id_no_loc (jc_axiom^f.jc_logic_info_final_name),
                    make_forall_list params [[LPatT app]]
                      (make_eq app t')) in
            [logic;axiom]
          else
            [Function(false, id_no_loc f.jc_logic_info_final_name,
		      params, ty', t')]
      | ty_opt, (JCNone | JCReads _) -> (* Logic *)
          let ty' = match ty_opt with
	    | None -> simple_logic_type prop_type
	    | Some ty -> tr_base_type ty
          in
          [Logic(false, id_no_loc f.jc_logic_info_final_name,
		 params, ty')]
      | None, JCInductive l  ->
	  [Inductive(false, id_no_loc f.jc_logic_info_final_name,
		     params,
		    List.map
		      (fun (id,_labels,a) ->
			 let ef = Jc_effect.assertion empty_effects a in
			 let a' = fa a in
			 let params =
			   tmodel_parameters ~label_in_name:true ef
			 in
			 let a' =
			   List.fold_right
			     (fun (n,_v,ty') a' -> LForall(n,ty',[],a'))
                             params a'
			 in
			 (get_unique_name id#name, a')) l)]
      | Some _, JCInductive _ -> assert false
      | None, JCTerm _ -> assert false
      | Some _, JCAssertion _ -> assert false

let gen_no_update_axioms f ta _fa _ft _term_coerce params acc =
    match ta with
      |	JCAssertion _ | JCTerm _ | JCInductive _ -> acc
      | JCNone -> acc
      | JCReads pset ->
    let memory_params_reads =
      tmemory_detailed_params ~label_in_name:true f.jc_logic_info_effects
    in
    let params_names = List.map fst params in
    let normal_params = List.map (fun name -> LVar name) params_names in
    snd (List.fold_left
      (fun (count,acc) param ->
	 let paramty = snd param in
         (* Pourquoi parcourir params et tester au lieu de parcourir
            params_memory*)
	 if not (is_memory_type paramty) then count,acc else
	   let (mc,r),_ = (* Recover which memory it is exactly *)
	     List.find (fun ((_mc,_r),(n,_v,_ty')) -> n = fst param)
	       memory_params_reads
	   in
	   let zonety,basety = deconstruct_memory_type_args paramty in
	   let pset =
	     reads ~type_safe:false ~global_assertion:true pset (mc,r)
	   in
	   let sepa = LNot(LPred("in_pset",[LVar "tmp";pset])) in
	   let update_params =
             List.map (fun name ->
			 if name = fst param then
			   LApp("store",[LVar name;LVar "tmp";LVar "tmpval"])
			 else LVar name
		      ) params_names
	   in
	   let a =
             match f.jc_logic_info_result_type with
	       | None ->
		   LImpl(
                     sepa,
                     LIff(
		       LPred(f.jc_logic_info_final_name,normal_params),
		       LPred(f.jc_logic_info_final_name,update_params)))
	       | Some _rety ->
		   LImpl(
                     sepa,
                     LPred("eq",[
			     LApp(f.jc_logic_info_final_name,normal_params);
			     LApp(f.jc_logic_info_final_name,update_params)]))
	   in
	   let a =
             List.fold_left (fun a (name,ty) -> LForall(name,ty,[],a)) a params
	   in
	   let a =
             LForall(
	       "tmp",raw_pointer_type zonety,[],
	       LForall(
		 "tmpval",basety,[],
		 a))
	   in
	   let name =
	     "no_update_" ^ f.jc_logic_info_name ^ "_" ^ string_of_int count
	   in
	   count + 1, Goal(KAxiom,id_no_loc name,a) :: acc
      ) (0,acc) params)

let gen_no_assign_axioms f ta _fa _ft _term_coerce params acc =
(* TODO: when JCNone, use computed effects instead *)
    match ta with
      | JCAssertion _ | JCTerm _ | JCInductive _ -> acc
      | JCNone -> acc
      | JCReads pset ->
    let memory_params_reads =
      tmemory_detailed_params ~label_in_name:true f.jc_logic_info_effects
    in
    let params_names = List.map fst params in
    let normal_params = List.map (fun name -> LVar name) params_names in
    snd (List.fold_left
      (fun (count,acc) param ->
	 let paramty = snd param in
	 if not (is_memory_type paramty) then count,acc else
	   let (mc,r),_ = (* Recover which memory it is exactly *)
	     List.find (fun ((_mc,_r),(n,_v,_ty')) -> n = fst param)
	       memory_params_reads
	   in
	   let zonety,_basety = deconstruct_memory_type_args paramty in
	   let pset =
	     reads ~type_safe:false ~global_assertion:true pset (mc,r)
	   in
	   let sepa = LPred("pset_disjoint",[LVar "tmp";pset]) in
	   let upda =
	     LPred("not_assigns",[LVar "tmpalloc"; LVar (fst param);
				  LVar "tmpmem"; LVar "tmp"])
	   in
	   let update_params =
             List.map (fun name ->
			 if name = fst param then LVar "tmpmem"
			 else LVar name
		      ) params_names
	   in
	   let a =
             match f.jc_logic_info_result_type with
	       | None ->
		   LImpl(
                     make_and sepa upda,
                     LIff(
		       LPred(f.jc_logic_info_final_name,normal_params),
		       LPred(f.jc_logic_info_final_name,update_params)))
	       | Some _rety ->
		   LImpl(
                     make_and sepa upda,
                     LPred("eq",[
			     LApp(f.jc_logic_info_final_name,normal_params);
			     LApp(f.jc_logic_info_final_name,update_params)]))
	   in
	   let a =
             List.fold_left (fun a (name,ty) -> LForall(name,ty,[],a)) a params
	   in
	   let a =
             LForall(
	       "tmp",raw_pset_type zonety,[],
               LForall(
		 "tmpmem",paramty,[],
		 LForall(
		   "tmpalloc",raw_alloc_table_type zonety,[],
		 a)))
	   in
	   let name =
	     "no_assign_" ^ f.jc_logic_info_name ^ "_" ^ string_of_int count
	   in
	   count + 1, Goal(KAxiom,id_no_loc name,a) :: acc
      ) (0,acc) params) (* memory_param_reads ? *)

(*
let gen_alloc_extend_axioms f ta _fa _ft _term_coerce params acc =
(* TODO: use computed effects instead*)
    match ta with
      | JCAssertion _ | JCTerm _ | JCInductive _ -> acc
      | JCNone -> acc
      | JCReads ps ->
    let alloc_params_reads =
      talloc_table_params ~label_in_name:true f.jc_logic_info_effects
    in
    let params_names = List.map fst params in
    let normal_params = List.map (fun name -> LVar name) params_names in
    snd (List.fold_left
      (fun (count,acc) (n,_v,paramty) ->
	 assert (is_alloc_table_type paramty);
	 let exta =
	   LPred("alloc_extends",[LVar n; LVar "tmpalloc"])
	 in
	 let ps =
	   List.map
	     (collect_pset_locations ~type_safe:false ~global_assertion:true)
             ps
	 in
	 let ps = location_list' ps in
	 let valida =
	   LPred("valid_pset",[LVar n; ps])
	 in
	 let update_params =
           List.map (fun name ->
		       if name = n then LVar "tmpalloc"
		       else LVar name
		    ) params_names
	 in
	 let a =
           match f.jc_logic_info_result_type with
	     | None ->
		 LImpl(
                   make_and exta valida,
                   LIff(
		     LPred(f.jc_logic_info_final_name,normal_params),
		     LPred(f.jc_logic_info_final_name,update_params)))
	     | Some _rety ->
		 LImpl(
                   make_and exta valida,
                   LPred("eq",[
			   LApp(f.jc_logic_info_final_name,normal_params);
			   LApp(f.jc_logic_info_final_name,update_params)]))
	 in
	 let a =
           List.fold_left (fun a (name,ty) -> LForall(name,ty,[],a)) a params
	 in
	 let a =
	   LForall(
	     "tmpalloc",paramty,[],
	     a)
	 in
	 let name =
	   "alloc_extend_" ^ f.jc_logic_info_name ^ "_" ^ string_of_int count
	 in
	 count + 1, Goal(KAxiom,id_no_loc name,a) :: acc
      ) (0,acc) alloc_params_reads)
*)

(*
let reduce f = function
  | [] -> assert false
  | a::l -> List.fold_left f a l
*)

let (|>) x y = y x

let select_name = "select"

(*
let push_not e =
  let rec pos = function
    | LTrue| LFalse as f -> f
    | LAnd(a,b) -> LAnd(pos a,pos b)
    | LOr(a,b) -> LOr(pos a,pos b)
    | LNot a -> neg a
    | LImpl _ | LIff _ | LIf _  | LLet _ as e -> trad pos e
    | LForall (s,ty,tll,a) -> LForall(s,ty,tll,pos a)
    | LExists (s,ty,tll,a) -> LExists(s,ty,tll,pos a)
    | LPred _ as a -> a
    | LNamed (s,a) -> LNamed(s,pos a)
  and neg = function
    | LTrue -> LFalse
    | LFalse -> LTrue
    | LAnd(a,b) -> LOr(neg a,neg b)
    | LOr(a,b) -> LAnd(neg a,neg b)
    | LNot a -> pos a
    | LImpl _ | LIff _ | LIf _  | LLet _ as e -> trad neg e
    | LForall (s,ty,tll,a) -> LExists(s,ty,tll,neg a)
    | LExists (s,ty,tll,a) -> LForall(s,ty,tll,neg a)
    | LPred _ as a -> LNot a
    | LNamed (s,a) -> LNamed(s,neg a)
  and trad f = function
    | LImpl(a,b) -> f (LOr(LNot a,b))
    | LIff(a,b) -> trad f (LAnd (LImpl(a,b),LImpl(b,a)))
    | LIf(_t,_a,_b) -> assert false (* How to trad this? t is a term *)
    | LLet _ -> assert false (* More difficult *)
    | LTrue | LFalse |LAnd _ |LOr _ | LNot _
    | LForall _ | LExists _ | LPred _ | LNamed _ -> assert false in
  pos e
*)

(*module Def_ft_pred :
sig  val def_ft_pred : for_one:bool -> 'a ->
       NotIn.t ->
       Output.why_decl list -> Output.why_decl list -> Output.why_decl list
     val ft_name : NotIn.t -> string -> string
     val ft_name_elt : NotIn.t -> string -> string
     val ft_for_ft : Jc_fenv.logic_info ->
       (string * Output.logic_type) list ->
       NotIn.t ->
       (Jc_fenv.logic_info * (string * 'e) list) list ->
       Output.why_decl list -> Output.why_decl list
end
  =
struct
  let ft_name notin s = s^(NotIn.mem_name2 notin)^ft_suffix
  let ft_name_elt notin s = s^(NotIn.mem_name2 notin)^"_elt"^ft_suffix

  let add_args notin args =
    (NotIn.var notin)::args

  let add_decl_args notin args =
    (NotIn.name notin,NotIn.ty notin)::args

  let conv_app_pred notin s lt =
    let ft_name = ft_name notin s in
    LPred (ft_name,add_args notin lt)

  let trad_app notin e =
    match e with
      | LApp (s,[memory;elt]) when s = select_name ->
          if NotIn.is_memory_var notin memory
          then
            if NotIn.for_one notin
            then LNot (make_eq elt (NotIn.var notin))
            else MyBag.make_in elt (NotIn.var notin)
          else LTrue
      | LApp (s,[]) when s = select_name ->  assert false (*really impossible*)
      | LApp (s,lt) ->
          if List.exists (NotIn.is_memory_var notin) lt
          then (conv_app_pred notin s lt)
          else LTrue
      | _ -> assert false

  let trad_pred notin e =
    match e with
      | LPred (s,lt) ->
          if List.exists (NotIn.is_memory_var notin) lt
          then (conv_app_pred notin s lt)
          else LTrue
      | _ -> assert false

  let rec term_extract_effect notin acc e =
    match e with
      | LConst _ | LVar _ | LVarAtLabel _ -> acc
      | Tnamed (_,t) -> term_extract_effect notin acc t
      | LApp (_,lt) -> (trad_app notin e)::
          (List.fold_left (term_extract_effect notin) acc lt)
      | TIf _ -> assert false
      | TLet _ -> assert false

  let rec conv_to_ft notin e =
    match e with
      | LTrue | LFalse as f -> f
      | LAnd(a,b) -> LAnd (conv_to_ft notin a,conv_to_ft notin b)
      | LOr(a,b) -> LAnd (LImpl(a,conv_to_ft notin a),
                          LImpl(b,conv_to_ft notin b))
      | LExists (s,ty,tll,a) -> LForall (s,ty,tll,LImpl(a,conv_to_ft notin a))
      | LForall (s,ty,tll,a) -> LForall (s,ty,tll,conv_to_ft notin a)
      | LImpl _ | LIff _ | LNot _ -> assert false
      | LPred (_,lt) as e ->
          let acc = List.fold_left
            (term_extract_effect notin) [] lt in
          let acc = trad_pred notin e::acc in
          let acc = remove_double compare acc in
          make_and_list acc
      | LNamed (s,a) ->  LNamed(s,conv_to_ft notin a)
      | LLet _ | LIf _ -> assert false

  let generic_axiom_for_ft ~do_rem:do_rem f_name notin params acc =
    let axiom_name = "axiom"^"_"^(NotIn.mem_name notin) in
    let vars = params
        |> List.map (fun (s,_) -> LVar s) in
    let ft a = LPred (ft_name notin f_name,a::vars) in
    let ft_p a = LPred (ft_name_elt notin f_name,a::vars) in
    (* ft with rem *)
    let acc = if do_rem then
      let mb = "mb"^mybag_suffix in
      let mb_ty = NotIn.ty notin in
      let p = "p"^tmp_suffix in
      let p_ty = MyBag.ty_elt (NotIn.ty notin) in
      let assertion = LForall (mb,mb_ty,[],
                               LForall (p,p_ty,[],
                                        let mb = LVar mb in
                                        let p = LVar p in
                                        make_impl (ft mb) (make_impl (ft_p p)
                                          (ft (MyBag.make_rem p mb))))) in
      let acc = Axiom (axiom_name^"1a",
                       make_forall_list params [] assertion)::acc in
      (* inverse *)
       let assertion =
         let asser =
           let mb = LVar mb in
           let p = LVar p in
           make_impl (ft (MyBag.make_rem p mb)) (ft mb) in
         LForall (mb,mb_ty,[], LForall (p,p_ty,[],asser)) in
      let acc =
        Axiom (axiom_name^"1b", make_forall_list params [] assertion)::acc in
      let assertion =
        let asser =
          let mb = LVar mb in
          let p = LVar p in
          make_impl (ft (MyBag.make_rem p mb)) (ft_p p) in
        LForall (mb,mb_ty,[], LForall (p,p_ty,[],asser)) in
      let acc = Axiom (axiom_name^"1c",
                       make_forall_list params [] assertion)::acc in
      acc
    else acc in
    (* ft with inter *)
    let acc =
      let mb1 = "mb1"^mybag_suffix in
      let mb2 = "mb2"^mybag_suffix in
      let mb_ty = NotIn.ty notin in
      let assertion =
        let asser =
          let mb1 = LVar mb1 in
          let mb2 = LVar mb2 in
          make_equiv (make_and (ft mb1) (ft mb2))
            (ft (MyBag.make_inter mb1 mb2)) in
        LForall (mb1,mb_ty,[], LForall (mb2,mb_ty,[],asser)) in
      Axiom (axiom_name^"2", make_forall_list params [] assertion)::acc in
    (* ft with all *)
    let acc =
      let assertion = ft MyBag.all in
      Axiom (axiom_name^"3", make_forall_list params [] assertion)::acc in
    acc

  let rec def_ft_pred ~for_one _f notin ta_conv acc =
    match ta_conv with
        (* Devrait peut-être utiliser la vrai
           transformation d'inductif en 1 unique axiom*)
      | [Inductive (_,f_name,params,l)] -> begin
          let params = List.map (fun (s,ty) -> ("_JC_"^s,ty)) params in
          let name = ft_name notin f_name in
          Jc_options.lprintf "Generate logic ft : %s :@." name;
          let acc = Logic(false,
                          name,
                          add_decl_args notin params,
                          simple_logic_type prop_type)::acc in

          let rec gen_one_neg acc = function
            | LNot _a -> assert false (*gen_one_neg notin acc a*)
            | LPred (_id,lt) as e ->
                (*Jc_options.lprintf "term_extract_effect %s@." id;*)
                let acc = List.fold_left
                  (term_extract_effect notin) acc lt in
                (trad_pred notin e)::acc
            | LNamed (_,a) -> gen_one_neg acc a
            | LAnd (a,b) ->
                gen_one_neg (gen_one_neg acc b) a
            | _ -> assert false in
          let rec gen_one_pos ~impl acc = function
            | LNamed (_,a) -> gen_one_pos ~impl acc a
            | LPred (s,lt) -> (* Normalement le predicat inductif défini *)
                let asser = make_and_list acc in
                impl s lt asser
            | _ -> assert false in
          let rec gen_one ~impl acc = function
            | LForall(s,ty,tr,a) ->
                LForall(s,ty,tr,gen_one ~impl acc a)
            | LImpl (a1,a2) ->
                let acc = gen_one_neg acc a1 in
                make_impl a1 (gen_one ~impl acc a2)
            | LNamed (_,a) -> gen_one ~impl acc a
            | (LAnd _ | LOr _) -> assert false
            | a -> gen_one_pos ~impl acc a in

          (*let acc =
            if not for_one
            then generic_axiom_for_ft ~do_rem f_name notin params acc
            else acc in*)
          let acc = List.fold_left
            (fun acc (ident,assertion) ->
               let axiom_name =
                 "axiom"^"_ft_"^(NotIn.mem_name2 notin)^f_name^ident in
               Jc_options.lprintf "Generate axiom ft : %s :@." axiom_name;
               let impl s lt asser =
                 make_impl (conv_app_pred notin s lt) asser in
               let asser = gen_one ~impl [] assertion in
               let asser = LForall (NotIn.name notin,
                                    NotIn.ty notin ,[],asser) in
               let asser = Axiom (axiom_name,asser) in
               asser::acc
            ) acc l in
          let conjs = List.map
            (fun (_ident,assertion) ->
               let impl _s lt asser =
                 let eqs = List.map2
                   (fun (x,_) y -> make_eq (LVar x) y) params lt in
                 make_impl (make_and_list eqs) asser in
               gen_one ~impl [] assertion) l in
          let conjs = make_and_list conjs in
          let asser = make_impl conjs
            (conv_app_pred notin f_name
               (List.map (fun (x,_) -> LVar x) params)) in
          let par = (NotIn.name notin,NotIn.ty notin)::params in
          let asser = make_forall_list par [] asser in
          let axiom_name = "axiom"^"_ft_"^(NotIn.mem_name2 notin)^f_name in
          let asser = Axiom (axiom_name,asser) in
          asser::acc
        end
      | [Predicate (bool,f_name,params,assertion)] ->
          let name = ft_name notin f_name in
          Jc_options.lprintf "Generate logic ft : %s :@." name;
          let new_pred = Predicate (bool,
                                    name,
                                    add_decl_args notin params,
                                    conv_to_ft notin assertion) in
          new_pred::acc
      | [Function (_bool,f_name,params,_ltype,term)] ->
          let name = ft_name notin f_name in
          Jc_options.lprintf "Generate logic ft: %s :@." name;
          let acc = Logic(false,
                          name,
                          add_decl_args notin params,
                          simple_logic_type prop_type)::acc in

          let rec gen_one acc term =
              match term with
                | TIf(_if,_then,_else) ->
                    let acc = term_extract_effect notin acc _if in
                    LIf(_if,gen_one acc _then,gen_one acc _else)
                | e ->
                    let acc = term_extract_effect notin acc e in
                    make_and_list acc in
          let axiom_name = "axiom"^"_ft_"^(NotIn.mem_name2 notin)^f_name in
          Jc_options.lprintf "Generate axiom ft: %s :@." axiom_name;
          let asser = gen_one [] term in
          let asser = make_equiv asser
            (conv_app_pred notin f_name
               (List.map (fun (x,_) -> LVar x) params)) in
          let par = (NotIn.name notin,NotIn.ty notin)::params in
          let asser = make_forall_list par [] asser in
          let asser = Axiom (axiom_name,asser) in
          asser::acc
            (* Was a reccursive function definition *)
      | [Logic(_bool,f_name,params,_ltype);
         Axiom(_,ax_asser)] ->
          let rec extract_term = function
            | LForall (_,_,_,asser) -> extract_term asser
            | LPred("eq", [ _; b ]) -> b
            | _ -> assert false (* constructed by tr_fun_def *) in
          let term = extract_term ax_asser in
          let ta_conv = [Function (_bool,f_name,params,_ltype,term)] in
          def_ft_pred ~for_one _f notin ta_conv acc
      | _ -> Jc_options.lprintf "@[I can't translate that :@\n%a"
          (Pp.print_list Pp.newline fprintf_why_decl) ta_conv;acc


  let ft_for_ft f args notin framed acc =
    let conjs = List.map
      (fun (f,params) ->
         (conv_app_pred notin f.jc_logic_info_name
            (List.map (fun (x,_) -> LVar x) params)))
      framed in
    let code = make_and_list conjs in
    let args = add_decl_args notin args in
    let ft_name = ft_name notin f.jc_logic_info_name in
    Predicate(false,ft_name,args,code)::acc
end
*)


let tr_params_usual_model_aux f =
    let lab =
    match f.jc_logic_info_labels with [lab] -> lab | _ -> LabelHere
  in
    let usual_params =
      List.map (tparam ~label_in_name:true lab) f.jc_logic_info_parameters
    in
    let model_params =
      tmodel_parameters ~label_in_name:true f.jc_logic_info_effects
    in
    let _3to2 = List.map (fun (n,_v,ty') -> (n,ty')) in
    let usual_params = _3to2 usual_params in
    let model_params = _3to2 model_params in
    usual_params,model_params

(*
module Def_in :
sig  val def_in : 'a ->  NotIn.t ->
       Output.why_decl list -> Output.why_decl list ->
       Jc_fenv.logic_info * NotIn.t
       -> Output.why_decl list
     val def_disj : string -> bool -> (string * Output.logic_type) list ->
       Output.why_decl list -> NotIn.t  -> Output.why_decl list
     val def_frame_in :
        string -> NotIn.t ->
       (string * Output.logic_type) list ->
       Output.why_decl list -> NotIn.t -> Output.why_decl list
     val notin_for_notin :  Jc_fenv.logic_info ->
       (string * Output.logic_type) list ->
       NotIn.t ->
       Jc_fenv.logic_info * NotIn.t ->
       (Jc_fenv.logic_info * (string * 'n) list) list ->
       Output.why_decl list -> Output.why_decl list

end
  =
struct

  let notin_name notin s = s^(NotIn.mem_name2 notin)^in_suffix
  (* let gen_ft_name notin s = s^(NotIn.mem_name2 notin)^ft_suffix *)
  (* let gen_ft_name_elt notin s = s^(NotIn.mem_name2 notin)^"_elt"^ft_suffix
   *)

  let conv_app_pred var_in notin s lt =
    let notin_name = notin_name notin s in
    LPred(disj_name,[LApp (notin_name,lt);var_in])

  let conv_app_pred_pt var_in elt =
    LNot (LPred(in_pred,[elt;var_in]))

  let trad_app var_in notin e =
    match e with
      | LApp (s,[memory;elt]) when s = select_name ->
          if NotIn.is_memory_var notin memory
          then conv_app_pred_pt var_in elt
          else LTrue
      | LApp (s,_) when s = select_name ->  assert false (*really impossible*)
      | LApp (s,lt) ->
          if List.exists (NotIn.is_memory_var notin) lt
          then conv_app_pred var_in notin s lt
          else LTrue
      | _ -> assert false

  let trad_pred ft notin e =
    match e with
      | LPred (s,lt) ->
          if List.exists (NotIn.is_memory_var notin) lt
          then conv_app_pred ft notin s lt
          else LTrue
      | _ -> assert false

  let rec term_extract_effect notin acc e =
    match e with
      | LConst _ | LVar _ | LVarAtLabel _ -> acc
      | Tnamed (_,t) -> term_extract_effect notin acc t
      | LApp (_,lt) -> (trad_app notin e)::
          (List.fold_left (term_extract_effect notin) acc lt)
      | TIf _ -> assert false
      | TLet _ -> assert false

  let gen axiom_name f_name gen_framed notin_update params framed_params =
    let elt = "elt"^tmp_suffix in
    let elt_val = "elt_val"^tmp_suffix in
    let framed_normal_params = framed_params
      |> List.map fst in
    let framed_update_params =
      List.map (fun name ->
		  if name = NotIn.mem_name notin_update then
		    LApp("store",[LVar name;LVar elt;LVar elt_val])
		  else LVar name
	       ) framed_normal_params in
    let framed_normal_params = framed_normal_params
      |> List.map make_var in
    let params = params
      |> List.map fst
      |> List.map make_var in
    let sepa =
      MyBag.make_in (LVar elt)
        (LApp (notin_name notin_update f_name,params)) in
    let a,trig =
      match gen_framed with
        | `Pred gen_framed ->
            let pred_normal = gen_framed framed_normal_params in
            let pred_update = gen_framed framed_update_params in
            LImpl(pred_normal,pred_update),LPatP pred_update
        | `Term gen_framed ->
            let term_normal = gen_framed framed_normal_params in
            let term_update = gen_framed framed_update_params in
            make_eq term_normal term_update, LPatT term_update in
    let a = LImpl(sepa,a) in
    let a = make_forall_list framed_params [[trig]] a in
    let a = LForall (elt,NotIn.ty_elt notin_update,[],
                     LForall (elt_val,NotIn.ty_elt_val notin_update,[],a)) in
    let axiom_name = "axiom"^"_no_update_"^axiom_name^
      (NotIn.mem_name notin_update) in
    Axiom(axiom_name,a)

  (*let def_no_update f_name notin_update params prop =
    gen f_name f_name prop notin_update params []*)
(*
  let def_frame_ft f_name notin params acc notin_update =
    let ft_name = Def_ft_pred.ft_name notin f_name in
    let p = (NotIn.name notin,NotIn.ty notin) in
    let gen_framed params = LPred(ft_name,params) in
    (gen ft_name f_name (`Pred gen_framed) notin_update params
       (p::params))::acc

  let def_frame_ft_elt f_name notin params  acc notin_update =
    let ft_name = Def_ft_pred.ft_name_elt notin f_name in
    let p = ("p"^tmp_suffix,NotIn.ty_elt notin) in
    let gen_framed params = LPred(ft_name,params) in
    let ax = gen ft_name f_name (`Pred gen_framed) notin_update params
      (p::params) in
    ax::acc
*)
  let def_frame_notin f_name notin params acc notin_update =
    let notin_name = notin_name notin f_name in
    let gen_framed params = LApp(notin_name,params) in
    (gen notin_name f_name (`Term gen_framed) notin_update params params)::acc

  let def_frame f_name is_pred params acc notin_update =
    let gen_framed =
      if is_pred
      then `Pred (fun params -> LPred(f_name,params))
      else `Term (fun params -> LApp(f_name,params)) in
    (gen f_name f_name gen_framed notin_update params params)::acc
(*
  let gen_frame2 (f_name,notin,params) (ft_name,ft_notin,ft_params)
      acc (notin_notin_update, ft_notin_update) =
    let forall_params = remove_double Pervasives.compare
      (ft_params @ params) in
    let params = List.map fst params in
    let ft_params = List.map fst ft_params in
    let elt = "elt"^tmp_suffix in
    let elt_val = "elt_val"^tmp_suffix in
    let notin_update =
      match notin_notin_update, ft_notin_update with
        | None, None -> assert false
        | Some m, None | None, Some m -> m
        | Some m1, Some m2 ->
            assert (NotIn.mem_name m1 = NotIn.mem_name m2);
            assert (NotIn.ty_elt m1 = NotIn.ty_elt m2);
            assert (NotIn.ty_elt_val m1 = NotIn.ty_elt_val m2);
            m1 in
    let to_update =
      List.map (fun name ->
		  if name = NotIn.mem_name notin_update then
                    LApp("store",[LVar name;LVar elt;LVar elt_val])
		  else LVar name) in
    let params_update = to_update params in
    let ft_params_update = to_update ft_params in
    let params = List.map make_var params in
    let ft_params = List.map make_var ft_params in
    let sepa notin_update f_name params =
      match notin_update with
        | Some notin_update ->
            MyBag.make_in (LVar elt)
              (LApp ((notin_name notin_update f_name),params))
        | None -> LTrue in
    let notin_notin_update_sepa =
      sepa notin_notin_update f_name params in
    let ft_notin_update_sepa =
      sepa ft_notin_update ft_name ft_params in
    let body = conv_app_pred (ft_name,ft_notin,ft_params)
      notin f_name params in
    let body_update = conv_app_pred (ft_name,ft_notin,ft_params_update)
      notin f_name params_update in
    let body =
      make_impl notin_notin_update_sepa
        (make_impl ft_notin_update_sepa
           (make_impl body body_update)) in
    let body = make_forall_list forall_params [[LPatP body_update]] body in
    let body =
      LForall (elt,NotIn.ty_elt notin_update,[],
               LForall (elt_val,NotIn.ty_elt_val notin_update,[],body)) in
    let axiom_name = "axiom"^"_no_update_ftn_"^ft_name^f_name^
      (NotIn.mem_name notin_update)^(id_uniq ()) in
    Axiom(axiom_name,body)::acc

  let def_frame_ft_notin (f_name,notin,params) (ft,ft_notin) acc
      notin_notin_updates =
    (** which notin *)
    let ft_notin_updates =
      let todos =
        Hashtbl.find_all predicates_to_generate ft.jc_logic_info_tag in
      let filter_notin acc = function
        | ((`Notin _| `Notin_pt) , mem) -> (NotIn.from_memory false mem)::acc
        | _ -> acc in
      (* notin_updates is used to create the frames axioms *)
      List.fold_left filter_notin [] todos in
    let of_list =
      List.fold_left (fun m x ->NotInMap.add x x m) NotInMap.empty in
    let notin_updates =
      NotInSet.union
        (NotInSet.of_list notin_notin_updates)
        (NotInSet.of_list ft_notin_updates) in
    let notin_notin_updates = of_list notin_notin_updates in
    let ft_notin_updates = of_list ft_notin_updates in
    let add notin acc =
      ((try Some (NotInMap.find notin notin_notin_updates)
      with Not_found -> None),
      (try Some (NotInMap.find notin ft_notin_updates)
      with Not_found -> None))::acc in
    let notin_updates = NotInSet.fold add notin_updates [] in
    (** params *)
    let ft_name = ft.jc_logic_info_name in
    let ft_params_usual,ft_params_model = tr_params_usual_model_aux ft in
    let ft_params_usual =
      List.map (fun (x,ty) -> "_JC_ft_"^x,ty)  ft_params_usual in
    let ft_params_model = List.map (fun (x,ty) -> x,ty)
      ft_params_model in
    let ft_params = ft_params_usual @ ft_params_model in
    let ft = (ft_name,ft_notin,ft_params) in
    List.fold_left (gen_frame2 (f_name,notin,params) ft) acc notin_updates
*)
  let rec def_notin _f notin ta_conv acc =
    match ta_conv with
        (* Devrait peut-être utiliser la vrai transformation
           d'inductif en 1 unique axiom*)
      | [Inductive (_,f_name,params,l)] -> begin
          let rec gen_one_neg notin acc = function
            | LNot _a -> assert false (*gen_one_neg notin acc a*)
            | LPred (_,lt) as e ->
                let acc = List.fold_left
                  (term_extract_effect notin) acc lt in
                (trad_pred notin e)::acc
            | LNamed (_,a) -> gen_one_neg notin acc a
            | LAnd (a,b) ->
                gen_one_neg notin (gen_one_neg notin acc b) a
            | _ -> assert false in
          let rec gen_one_pos ~impl notin acc = function
            | LNamed (_,a) -> gen_one_pos ~impl notin acc a
            | LPred (s,lt) ->
                (* Normalement le predicat inductif défini *)
                let asser = make_and_list acc in
                impl notin s lt asser
            | _ -> assert false in
          let rec gen_one ~impl notin acc = function
            | LForall(s,ty,tr,a) ->
                LForall(s,ty,tr,gen_one ~impl notin acc a)
            | LImpl (a1,a2) ->
                let acc = gen_one_neg notin acc a1 in
                make_impl a1 (gen_one ~impl notin acc a2)
            | LNamed (_,a) -> gen_one ~impl notin acc a
            | (LAnd _ | LOr _) -> assert false
            | a -> gen_one_pos ~impl notin acc a in

          let name = (notin_name notin f_name) in
          Jc_options.lprintf "Generate logic notin : %s :@." name;
          let acc = Logic(false,
                          name,
                          params,
                          NotIn.ty notin)::acc in
          let acc = List.fold_left
            (fun acc (ident,assertion) ->
               let impl notin s lt asser =
                 make_impl (conv_app_pred ft notin s lt) asser in
               let asser = gen_one ~impl notin [] assertion in
               let asser = make_forall_list ft_params_usual [] asser in
               let axiom_name =
                 "axiom"^"_notin_"^(NotIn.mem_name notin) ^ident^f_name in
                 Jc_options.lprintf "Generate axiom notin : %s@." axiom_name;
               (*let asser = LForall (NotIn.name notin,
                                    NotIn.ty notin ,[],asser) in*)
               let asser = Axiom (axiom_name,asser) in
               asser::acc
            ) acc l in
          (* The other side *)
          let params = List.map (fun (s,ty) -> ("_JC_"^s,ty)) params in
          let conjs = List.map
            (fun (_ident,assertion) ->
               let impl _ _s lt asser =
                 let eqs = List.map2
                   (fun (x,_) y -> make_eq (LVar x) y) params lt in
                 make_impl (make_and_list eqs) asser in
               gen_one ~impl notin [] assertion) l in
          let conjs = make_and_list conjs in
          let ft_params_model = List.map (fun (x,ty) -> "_JC_"^x,ty)
            ft_params_model in
          let ft = (ft_name,ft_notin,
                    List.map (fun (x,_) -> LVar x)
                      (ft_params_usual @ ft_params_model)) in
          let conclu = conv_app_pred ft notin f_name
            (List.map (fun (x,_) -> LVar x) params) in
          let asser = make_impl conjs conclu in
          (*let forall_params = remove_double Pervasives.compare
            (ft_params_usual @ ft_params_model @ params) in*)
          let forall_params = ft_params_usual @ params in
          let asser = make_forall_list forall_params [[LPatP conclu]] asser in
          let axiom_name = "axiom"^"_notin_"^(NotIn.mem_name2 notin)^f_name in
          let asser = Axiom (axiom_name,asser) in
          asser::acc
        end
      | [Predicate (_,f_name,params,assertion)] ->
          let name = (gen_ft_name ft_notin ft_name) ^
            (notin_name notin f_name) in
          Jc_options.lprintf "Generate logic notin (pred): %s :@." name;
          let rec gen_one_neg notin acc = function
            | LNot _a -> assert false (*gen_one_neg notin acc a*)
            | LPred (_,lt) as e ->
                let acc = List.fold_left
                  (term_extract_effect ft notin) acc lt in
                (trad_pred ft notin e)::acc
            | LNamed (_,a) -> gen_one_neg notin acc a
            | LAnd (a,b) ->
                gen_one_neg notin (gen_one_neg notin acc b) a
            | _ -> assert false in
          let asser = gen_one_neg notin [] assertion in
          let asser = make_and_list asser in
          let lt = List.map (fun (x,_) -> LVar x) params in
          let asser = make_impl (conv_app_pred ft notin f_name lt) asser in
          let asser = make_forall_list params [] asser in
          let new_pred = Axiom (name,make_forall_list
                                  ft_params_usual [] asser) in
          new_pred::acc
      | [Function (_bool,f_name,params,_ltype,term)] ->
          let name = (gen_ft_name ft_notin ft_name)
            ^ (notin_name notin f_name) in
          Jc_options.lprintf "Generate logic notin (fun): %s :@." name;
          let acc = Logic(false,
                          name,
                          params,
                          NotIn.ty notin)::acc in
          let rec gen_one acc term =
              match term with
                | TIf(_if,_then,_else) ->
                    let acc = term_extract_effect ft notin acc _if in
                    LIf(_if,gen_one acc _then,gen_one acc _else)
                | e ->
                    let acc = term_extract_effect ft notin acc e in
                    let acc = make_and_list acc in
                    acc in
          let axiom_name = "axiom"^"_notin_"^(NotIn.mem_name2 notin)^f_name in
          Jc_options.lprintf "Generate axiom notin : %s :@." axiom_name;
          let asser = gen_one [] term in
          let conclu = conv_app_pred ft notin f_name
            (List.map (fun (x,_) -> LVar x) params) in
          let asser = make_equiv asser conclu in
          let par = params in
          let asser = make_forall_list par [] asser in
          let asser = make_forall_list  ft_params_usual [] asser in
          let asser = Axiom (axiom_name,asser) in
          asser::acc
      | [Logic(_bool,f_name,params,_ltype);
         Axiom(_,ax_asser)] ->
          let rec extract_term = function
            | LForall (_,_,_,asser) -> extract_term asser
            | LPred("eq", [ _; b ]) -> b
            | _ -> assert false (* constructed by tr_fun_def *) in
          let term = extract_term ax_asser in
          let ta_conv = [Function (_bool,f_name,params,_ltype,term)] in
          def_notin _f notin ta_conv acc ft_o
      | _ -> Jc_options.lprintf "@[I can't translate that :@\n%a"
          (Pp.print_list Pp.newline fprintf_why_decl) ta_conv;acc

  let rec def_notin_logic notin ta_conv acc =
    match ta_conv with
        (* Devrait peut-être utiliser la vrai transformation
           d'inductif en 1 unique axiom*)
      | [Inductive (_,f_name,params,_)] -> begin
          let name = notin_name notin f_name in
          Jc_options.lprintf "Generate logic notin : %s :@." name;
          let acc = Logic(false,
                          name,
                          params,
                          NotIn.ty notin)::acc in
          acc
        end
      | [Predicate (_,f_name,params,_)] ->
          let name = notin_name notin f_name in
          Jc_options.lprintf "Generate logic notin : %s :@." name;
          let acc = Logic(false,
                          name,
                          params,
                          NotIn.ty notin)::acc in
          acc
      | [Function (_bool,f_name,params,_ltype,_)] ->
          let name = notin_name notin f_name in
          Jc_options.lprintf "Generate logic notin: %s :@." name;
          let acc = Logic(false,
                          name,
                          params,
                          NotIn.ty notin)::acc in
          acc
      | [Logic(_bool,f_name,params,_ltype);
         Axiom(_,ax_asser)] ->
          let rec extract_term = function
            | LForall (_,_,_,asser) -> extract_term asser
            | LPred("eq", [ _; b ]) -> b
            | _ -> assert false (* constructed by tr_fun_def *) in
          let term = extract_term ax_asser in
          let ta_conv = [Function (_bool,f_name,params,_ltype,term)] in
          def_notin_logic notin ta_conv acc
      | _ -> Jc_options.lprintf "@[I can't translate that :@\n%a"
          (Pp.print_list Pp.newline fprintf_why_decl) ta_conv;acc

  let notin_for_notin f args notin (ft,ft_notin) framed acc =
    let ft_name = ft.jc_logic_info_name in
    let ft_params_usual,ft_params_model = tr_params_usual_model_aux ft in
    let ft_params_usual =
      List.map (fun (x,ty) -> "_JC_ft_"^x,ty)  ft_params_usual in
    let ft_params_model = List.map (fun (x,ty) -> x,ty) ft_params_model in
    let ft = (ft_name,ft_notin,
              List.map (fun (x,_) -> LVar x)
                (ft_params_usual @ ft_params_model)) in
    let name = (notin_name notin f.jc_logic_info_name) in
    Jc_options.lprintf "Generate logic notin_notin : %s :@." name;
    let acc = Logic(false,
                    name,
                    args,
                    NotIn.ty notin)::acc in
    let axiom_name = "axiom"^"_notin_"^(NotIn.mem_name2 notin)
      ^f.jc_logic_info_name in
    Jc_options.lprintf "Generate axiom notin : %s :@." axiom_name;
    let conjs = List.map
      (fun (f,params) ->
         (conv_app_pred ft notin f.jc_logic_info_name
            (List.map (fun (x,_) -> LVar x) params)))
      framed in
    let code = make_and_list conjs in
    let conclu = conv_app_pred ft notin f.jc_logic_info_name
      (List.map (fun (x,_) -> LVar x) args) in
    let asser = make_equiv code conclu in
    let asser = make_forall_list args [] asser in
    let asser = make_forall_list  ft_params_usual [] asser in
    let asser = Axiom (axiom_name,asser) in
    asser::acc


end
*)

module InDisj :
sig

  type define = NotIn.t -> why_decl list -> why_decl list -> why_decl list

  val define_In    : define
  val define_disj  : define
  val define_frame_between : define
  val define_x_sub : define
  val define_sub_x : define
  val define_sub   : define

  val def_frame_in :  string -> NotIn.t -> (string * Output.logic_type) list ->
    Output.why_decl list -> NotIn.t list -> Output.why_decl list
  val def_frame : string -> bool -> string ->
    (string * Output.logic_type) list ->
    Output.why_decl list -> NotIn.t list -> Output.why_decl list

  type for_in = string -> (string * logic_type) list ->
    NotIn.t -> (Jc_fenv.logic_info * (string * logic_type) list) list ->
    why_decl list -> why_decl list

  val in_for_in    : for_in
  val disj_for_in  : for_in
  val x_sub_for_in : for_in
  val sub_x_for_in : for_in

end =
struct

  type define = NotIn.t ->
    Output.why_decl list ->
    Output.why_decl list -> Output.why_decl list

  type for_in = string -> (string * logic_type) list ->
    NotIn.t -> (Jc_fenv.logic_info * (string * logic_type) list) list ->
    why_decl list -> why_decl list


  let trad_app s lt = (s,lt)

  let rec term_extract_application acc e =
    match e with
      | LConst _ | LVar _ | LDeref _ | LDerefAtLabel _ -> acc
      | Tnamed (_,t) -> term_extract_application acc t
      | LApp (s,lt) -> (trad_app s lt)::
          (List.fold_left term_extract_application acc lt)
      | TIf _ -> assert false
      | TLet _ -> assert false

  let pred_extract_effect s lt acc =
    (trad_app s lt)::(List.fold_left term_extract_application acc lt)

  let inductive_extract_effect ass =
    let rec iee e acc =
      match e with
        | LTrue | LFalse -> acc
        | LImpl(f1,f2) -> (iee f2) (neg f1 acc)
        | LPred(_) -> acc
        | _ -> failwith "Inductive must be forall x,.. Pn -> ... -> P1"
    and neg e acc =
      match e with
        | LTrue | LFalse -> acc
        | LAnd (f1,f2) -> neg f1 (neg f2 acc)
        | LPred(s,lt) -> pred_extract_effect s lt acc
        | _ -> failwith "Inductive must be forall x,.. (Pn && Pj) -> ... -> P1"
    and rq = function
        | LForall (_,_,_,f) -> rq f
        | e -> iee e [] in
    let effects = rq ass in
    remove_double Pervasives.compare effects

  let rec rewrite_inductive_case rw = function
    | LForall (s,ty,_,f) -> LForall(s,ty,[],rewrite_inductive_case rw f)
    | LTrue | LFalse as e -> e
    | LImpl(f1,f2) -> LImpl(f1,rewrite_inductive_case rw f2)
    | LPred(s,lt) -> rw s lt
    | _ -> failwith "Inductive must be forall x,.. Pn -> ... -> P1"


  let rec term_interp_or interp t =
    let fnT = term_interp_or interp in
    match t with
      | TIf(if_,then_,else_) ->
        LIf(if_,make_or (fnT if_) (fnT then_),
            make_or (fnT if_) (fnT else_))
      | LConst _ -> LFalse
      | LApp (s,lt) -> List.fold_left (fun acc e -> make_or acc (fnT e))
        (interp s lt) lt
      | LVar _ -> LFalse
      | Tnamed (_,t) -> term_interp_or interp t
      | LDerefAtLabel _ ->
        failwith "Not implemented, how to do that? Show me the example!!! thx"
      | _ -> failwith "Not implemented"

  let rec term_interp_and interp t =
    let fnT = term_interp_and interp in
    match t with
      | TIf(if_,then_,else_) ->
        LIf(if_,make_and (fnT if_) (fnT then_),
            make_and (fnT if_) (fnT else_))
      | LConst _ -> LTrue
      | LApp (s,lt) -> List.fold_left (fun acc e -> make_and acc (fnT e))
        (interp s lt) lt
      | LVar _ -> LTrue
      | Tnamed (_,t) -> term_interp_and interp t
      | LDerefAtLabel _ ->
        failwith "Not implemented, how to do that? Show me the example!!! thx"
      | _ -> failwith "Not implemented"

(*
  let rec pred_interp_or interp e =
    let fnT = term_interp_or interp in
    let fnF = pred_interp_or interp in
    match e with
    | LTrue | LFalse -> LFalse
    | LAnd(f1,f2) -> make_or (fnF f1) (fnF f2)
    | LOr(f1,f2) -> make_or (make_and f1 (fnF f1)) (make_and f2 (fnF f2))
    | LForall (s,lt,_,f) -> LExists(s,lt,[],fnF f)
    | LExists (s,lt,_,f) -> LExists(s,lt,[],make_and f (fnF f))
    | LPred(s,lt) -> List.fold_left (fun acc e -> make_or acc (fnT e))
        (interp s lt) lt
    | _ -> failwith "Not Implemented, not in formula"

  let rec pred_interp_and interp e =
    let fnT = term_interp_and interp in
    let fnF = pred_interp_and interp in
    match e with
    | LTrue | LFalse -> LTrue
    | LAnd(f1,f2) -> make_and (fnF f1) (fnF f2)
    | LOr(f1,f2) -> make_and (make_impl f1 (fnF f1)) (make_impl f2 (fnF f2))
    | LForall (s,lt,_,f) -> LForall(s,lt,[],fnF f)
    | LExists (s,lt,_,f) -> LForall(s,lt,[],make_impl f (fnF f))
    | LPred(s,lt) -> List.fold_left (fun acc e -> LAnd(acc,fnT e))
        (interp s lt) lt
    | _ -> failwith "Not Implemented, not in formula"
*)

  let in_interp_app var notin s lt =
    if s = select_name then
      match lt with
        | [_;p] -> make_eq (LVar (fst var)) p
        | _ -> assert false
    else
    LPred(in_pred,[LVar (fst var);LApp(in_name notin s, lt)])

  let disj_interp_app var notin s lt =
    if s = select_name then
      match lt with
        | [_;p] -> LNot (LPred(in_pred,[p;LVar (fst var)]))
        | _ -> assert false
    else
    LPred(disj_pred,[LVar (fst var);LApp(in_name notin s, lt)])

  let frame_between_interp_app var_mem notin s lt =
    assert (s <> select_name);
    LPred(frame_between_name, [LApp(in_name notin s, lt);
                               LVar (fst var_mem);
                               LVar (NotIn.mem_name notin)])

  let sub_interp_app x1 notin x2 =
    match x1,x2 with
      | `Var var1,`Var var2 -> LPred(sub_pred,[LVar (fst var1);
                                               LVar (fst var2)])
      (* This case must be in fact var1 is a singleton *)
      | `Var _, `App (s,[_;_]) when s = select_name -> assert false
      | `App (s,[_;p]), `Var var when s = select_name ->
        LPred(in_pred,[p;LVar (fst var)])
      | `Var var, `App (s,lt) ->
        LPred(sub_pred,[LVar (fst var);LApp(in_name notin s, lt)])
      | `App (s,lt), `Var var ->
        LPred(sub_pred,[LApp(in_name notin s, lt);LVar (fst var)])
      (* two app *)
      | `App(s1,[_;p1]), `App(s2,[_;p2])
        when s1 = select_name && s2 = select_name ->
        make_eq p1 p2
      (* This case must be in fact app2 is a singleton *)
      | `App _, `App(s2,[_;_]) when s2 = select_name -> assert false
      | `App(s1,[_;p1]), `App(s2,lt2) when s1 = select_name ->
        LPred(in_pred,[p1;LApp(in_name notin s2, lt2)])
      | `App(s1,lt1), `App(s2,lt2) ->
        LPred(sub_pred,[LApp(in_name notin s1,lt1);LApp(in_name notin s2,lt2)])

  let mem_are_compatible notin (_,lt) =
    List.exists (NotIn.is_memory_var notin) lt
(*
  let inductive_to_axioms name (pname,var,fname,lt) l acc =
    let constr acc (ident,assertion) =
      Axiom (name^fname^ident,assertion)::acc in
    let acc = List.fold_left constr acc l in
    let var = ((fst var)^tmp_suffix,snd var) in
    let lt = List.map (fun (s,ty) -> (s^tmp_suffix,ty)) lt in
    let rec rewrite = function
      | LForall(v,t,_,a) -> LExists(v,t,[],rewrite a)
      | LImpl(f1,f2) -> LAnd(f1,rewrite f2)
      | LPred(_,[var2;LApp(_,lt2)]) ->
        let eqs = (var,var2) :: (List.combine lt lt2) in
        let eqs = List.map (fun (a1,a2) -> make_eq (LVar (fst a1)) a2) eqs in
        make_and_list eqs
      | _ -> assert false in
    let assertions = List.map (fun (_,a) -> rewrite a) l in
    let assertions = make_or_list assertions in
    let pred = LPred(pname,
                     [LVar (fst var);
                      LApp(fname,List.map (fun var -> LVar (fst var)) lt)]) in
    let assertion = LImpl(pred,assertions) in
    let assertion = make_forall_list (var::lt) [] assertion in
    Axiom ("axiom_"^name^pname^"_"^fname,assertion) :: acc
    *)
  let match_pred p1 p2 =
    match p1,p2 with
      | LPred(s1,lt1), LPred(s2,lt2) when s1 = s2 ->
        List.fold_left2 match_term [] lt1 lt2
      | _ -> invalid_arg "match_pred p1 is not a valid context for p2"

  (* bindvars must be fresh variables... *)
  let inductive_to_axioms name pred bindvars l acc =
    let constr acc (ident,assertion) =
      Goal(KAxiom,id_no_loc (name^ident),assertion)::acc in
    let acc = List.fold_left constr acc l in
    let rec rewrite = function
      | LForall(v,t,_,a) -> LExists(v,t,[],rewrite a)
      | LImpl(f1,f2) -> LAnd(f1,rewrite f2)
      | LPred _ as p2 ->
        let eqs = match_pred pred p2 in
        let eqs = List.map (fun (a1,a2) -> make_eq (LVar a1) a2) eqs in
        make_and_list eqs
      | _ -> assert false in
    let assertions = List.map (fun (_,a) -> rewrite a) l in
    let assertions = make_or_list assertions in
    let assertion = LImpl(pred,assertions) in
    let assertion = make_forall_list bindvars [] assertion in
    Goal(KAxiom,id_no_loc ("axiom_"^name),assertion) :: acc


  let rec define_In notin ta_conv acc =
    match ta_conv with
        (* Devrait peut-être utiliser la vrai transformation
           d'inductif en 1 unique axiom*)
      | [Inductive (_,f_name,params,l)] ->
        let name = (in_name notin f_name.name) in
        Jc_options.lprintf "Define logic in : %s :@." name;
        (* let acc = Logic(false, name, params, NotIn.ty notin)::acc in *)
        let var = ("jc_var",NotIn.ty_elt notin) in
        let gen_case acc (ident,assertion) =
          let effects = inductive_extract_effect assertion in
          let effects = List.filter (mem_are_compatible notin) effects in
          let rw seff lteff s lt =
            LImpl(in_interp_app var notin seff lteff,
                  in_interp_app var notin s lt) in
          let nb = ref 0 in
          let rewrite acc (seff,lteff) =
            incr nb;
            let assertion =
              LForall(fst var,snd var,[],
                      rewrite_inductive_case (rw seff lteff) assertion) in
            (ident^(string_of_int !nb), assertion) :: acc in
          List.fold_left rewrite acc effects in
        let l = List.fold_left gen_case [] l in
        let var = ((fst var)^tmp_suffix,snd var) in
        let lt = List.map (fun (s,ty) -> (s^tmp_suffix,ty)) params in
        let pred = in_interp_app var notin f_name.name
          (List.map (fun x -> LVar (fst x)) lt) in
          inductive_to_axioms ("In"^name) pred (var::lt) l acc
      | [Function (_,f_name,params,_,term)] ->
          let name = in_name notin f_name.name in
          Jc_options.lprintf "Generate logic notin (fun): %s :@." name;
          let acc = Logic(false,
                          {f_name with name = name},
                          params,
                          NotIn.ty notin)::acc in
          let axiom_name = "axiom"^"_in_"^(NotIn.mem_name2 notin)^f_name.name in
          Jc_options.lprintf "Generate axiom notin : %s :@." axiom_name;
          let var = ("jc_var",NotIn.ty_elt notin) in
          let interp s lt =
            if mem_are_compatible notin (s,lt)
            then in_interp_app var notin s lt
            else LFalse in
          let asser = term_interp_or interp term in
          let conclu = in_interp_app var notin f_name.name
            (List.map (fun (x,_) -> LVar x) params) in
          let asser = make_equiv asser conclu in
          let params = var::params in
          let asser = make_forall_list params [] asser in
          let asser = Goal(KAxiom,id_no_loc axiom_name,asser) in
          asser::acc
      | [Logic(_bool,f_name,params,_ltype);
         Goal(KAxiom,_,ax_asser)] ->
          let rec extract_term = function
            | LForall (_,_,_,asser) -> extract_term asser
            | LPred("eq", [ _; b ]) -> b
            | _ -> assert false (* constructed by tr_fun_def *) in
          let term = extract_term ax_asser in
          let ta_conv = [Function (_bool,f_name,params,_ltype,term)] in
          define_In notin ta_conv acc
      | _ -> Jc_options.lprintf "@[I can't translate that :@\n%a"
          (Pp.print_list Pp.newline fprintf_why_decl) ta_conv;assert false

  let rec define_disj notin ta_conv acc =
    match ta_conv with
      (* Devrait peut-être utiliser la vrai transformation
         d'inductif en 1 unique axiom*)
      | [Inductive (_,f_name,params,l)] ->
        let name = (in_name notin f_name.name) in
        let var = ("jc_var",NotIn.ty notin) in
        let gen_case acc (ident,assertion) =
          let effects = inductive_extract_effect assertion in
          let effects = List.filter (mem_are_compatible notin) effects in
          let rw s lt =
            List.fold_left (fun acc (seff,lteff) ->
              LImpl(disj_interp_app var notin seff lteff,acc))
              (disj_interp_app var notin s lt) effects in
          let rewrite acc =
            let assertion =
              LForall(fst var,snd var,[],
                      rewrite_inductive_case rw assertion) in
            (ident, assertion) :: acc in
          rewrite acc in
        let l = List.fold_left gen_case [] l in
        let var = ((fst var)^tmp_suffix,snd var) in
        let lt = List.map (fun (s,ty) -> (s^tmp_suffix,ty)) params in
        let pred = disj_interp_app var notin f_name.name
          (List.map (fun s -> LVar (fst s)) lt) in
        inductive_to_axioms ("disj"^name) pred (var::lt) l acc
      | [Function (_,f_name,params,_,term)] ->
        let axiom_name = "axiom"^"_disj_"^(NotIn.mem_name2 notin)^f_name.name in
        Jc_options.lprintf "Generate axiom disj : %s :@." axiom_name;
        let var = ("jc_var",NotIn.ty notin) in
        let interp s lt =
          if mem_are_compatible notin (s,lt)
          then disj_interp_app var notin s lt
          else LTrue in
        let asser = term_interp_and interp term in
        let conclu = disj_interp_app var notin f_name.name
          (List.map (fun (x,_) -> LVar x) params) in
        let asser = make_equiv asser conclu in
        let params = var::params in
        let asser = make_forall_list params [] asser in
        let asser = Goal(KAxiom,id_no_loc axiom_name,asser) in
        asser::acc
      | [Logic(_bool,f_name,params,_ltype);
         Goal(KAxiom,_,ax_asser)] ->
          let rec extract_term = function
            | LForall (_,_,_,asser) -> extract_term asser
            | LPred("eq", [ _; b ]) -> b
            | _ -> assert false (* constructed by tr_fun_def *) in
          let term = extract_term ax_asser in
          let ta_conv = [Function (_bool,f_name,params,_ltype,term)] in
          define_disj notin ta_conv acc
      | _ -> Jc_options.lprintf "@[I can't translate that :@\n%a"
          (Pp.print_list Pp.newline fprintf_why_decl) ta_conv;assert false

  let rec add_triggers tr = function
    | LForall(vn,vt,[],(LForall _ as t)) -> LForall(vn,vt,[],add_triggers tr t)
    | LForall(vn,vt,trs,t) -> LForall(vn,vt,tr::trs,t)
    | _ -> assert false

  let rec define_frame_between notin ta_conv acc =
    match ta_conv with
        (* Devrait peut-être utiliser la vrai transformation
           d'inductif en 1 unique axiom*)
      | [Inductive (_,f_name,_,l)] ->
        let name = (in_name notin f_name.name) in
        Jc_options.lprintf "Define logic in : %s :@." name;
        (* let acc = Logic(false, name, params, NotIn.ty notin)::acc in *)
        let var = ("jc_mem", notin.NotIn.ty_mem) in
        let gen_case acc (ident,assertion) =
          let effects = inductive_extract_effect assertion in
          let effects =
            List.filter (fun (s,_) -> not (s = select_name)) effects in
          let effects = List.filter (mem_are_compatible notin) effects in
          let nb = ref 0 in
          let rewrite acc (seff,lteff) =
            incr nb;
            let frameeff = frame_between_interp_app var notin seff lteff in
            let rw s lt =
              make_impl frameeff (frame_between_interp_app var notin s lt) in
            let assertion =
              LForall(fst var,snd var,[],
                      rewrite_inductive_case rw assertion) in
            let assertion = add_triggers [LPatP frameeff] assertion in
            (ident^(string_of_int !nb), assertion) :: acc in
          List.fold_left rewrite acc effects in
        let l = List.fold_left gen_case [] l in
        let constr acc (ident,assertion) =
          Goal(KAxiom,id_no_loc (frame_between_name^f_name.name^ident),
	       assertion)::acc in
        List.fold_left constr acc l
      | [Function (_,f_name,params,_,term)] ->
          let name = in_name notin f_name.name in
          Jc_options.lprintf "Generate logic notin (fun): %s :@." name;
          let acc = Logic(false,
                          {f_name with name = name},
                          params,
                          NotIn.ty notin)::acc in
          let axiom_name = "axiom"^"_in_"^(NotIn.mem_name2 notin)^f_name.name in
          Jc_options.lprintf "Generate axiom notin : %s :@." axiom_name;
          let var = ("jc_mem",NotIn.ty notin) in
          let interp s lt =
            if mem_are_compatible notin (s,lt) && s <> select_name
            then frame_between_interp_app var notin s lt
            else LFalse in
          let asser = term_interp_or interp term in
          let conclu = frame_between_interp_app var notin f_name.name
            (List.map (fun (x,_) -> LVar x) params) in
          let asser = make_equiv asser conclu in
          let params = var::params in
          let asser = make_forall_list params [] asser in
          let asser = Goal(KAxiom,id_no_loc axiom_name,asser) in
          asser::acc
      | [Logic(_bool,f_name,params,_ltype);
         Goal(KAxiom,_,ax_asser)] ->
          let rec extract_term = function
            | LForall (_,_,_,asser) -> extract_term asser
            | LPred("eq", [ _; b ]) -> b
            | _ -> assert false (* constructed by tr_fun_def *) in
          let term = extract_term ax_asser in
          let ta_conv = [Function (_bool,f_name,params,_ltype,term)] in
          define_frame_between notin ta_conv acc
      | _ -> Jc_options.lprintf "@[I can't translate that :@\n%a"
          (Pp.print_list Pp.newline fprintf_why_decl) ta_conv;assert false


  let rec define_sub notin ta_conv acc =
    match ta_conv with
        (* Devrait peut-être utiliser la vrai transformation
           d'inductif en 1 unique axiom*)
      | [Inductive (_,f_name,_,l)] ->
        let name = (in_name notin f_name.name) in
        let var = ("jc_var",NotIn.ty notin) in
        let gen_case acc (ident,assertion) =
          let effects = inductive_extract_effect assertion in
          let effects =
            List.filter (fun (s,_) -> not (s = select_name)) effects in
          let effects = List.filter (mem_are_compatible notin) effects in
          let rw seff lteff s lt =
            sub_interp_app (`App (seff,lteff)) notin (`App (s,lt)) in
          let nb = ref 0 in
          let rewrite acc (seff,lteff) =
            incr nb;
            let assertion =
              LForall(fst var,snd var,[],
                      rewrite_inductive_case (rw seff lteff) assertion) in
            (ident^(string_of_int !nb), assertion) :: acc in
          List.fold_left rewrite acc effects in
        let name = ("Sub"^name) in
        let l = List.fold_left gen_case [] l in
        let constr acc (ident,assertion) =
          Goal(KAxiom,id_no_loc (name^ident),assertion)::acc in
        let acc = List.fold_left constr acc l in
        acc
      | [Function (_,f_name,params,_,term)] ->
          let name = in_name notin f_name.name in
          Jc_options.lprintf "Generate logic notin (fun): %s :@." name;
          let acc = Logic(false,
                          id_no_loc name,
                          params,
                          NotIn.ty notin)::acc in
          let axiom_name = "axiom"^"_in_"^(NotIn.mem_name2 notin)^f_name.name in
          Jc_options.lprintf "Generate axiom notin : %s :@." axiom_name;
          let var = ("jc_var",NotIn.ty_elt notin) in
          let interp s lt =
            if mem_are_compatible notin (s,lt)
            then in_interp_app var notin s lt
            else LFalse in
          let asser = term_interp_or interp term in
          let conclu = in_interp_app var notin f_name.name
            (List.map (fun (x,_) -> LVar x) params) in
          let asser = make_equiv asser conclu in
          let params = var::params in
          let asser = make_forall_list params [] asser in
          let asser = Goal(KAxiom,id_no_loc axiom_name,asser) in
          asser::acc
      | [Logic(_bool,f_name,params,_ltype);
         Goal(KAxiom,_,ax_asser)] ->
          let rec extract_term = function
            | LForall (_,_,_,asser) -> extract_term asser
            | LPred("eq", [ _; b ]) -> b
            | _ -> assert false (* constructed by tr_fun_def *) in
          let term = extract_term ax_asser in
          let ta_conv = [Function (_bool,f_name,params,_ltype,term)] in
          define_sub notin ta_conv acc
      | _ -> Jc_options.lprintf "@[I can't translate that :@\n%a"
          (Pp.print_list Pp.newline fprintf_why_decl) ta_conv;assert false

  let rec define_x_sub notin ta_conv acc =
    match ta_conv with
        (* Devrait peut-être utiliser la vrai transformation
           d'inductif en 1 unique axiom*)
      | [Inductive (_,f_name,_,l)] ->
        let name = (in_name notin f_name.name) in
        Jc_options.lprintf "Define logic in : %s :@." name;
        (* let acc = Logic(false, name, params, NotIn.ty notin)::acc in *)
        let var = ("jc_var",NotIn.ty notin) in
        let gen_case acc (ident,assertion) =
          let effects = inductive_extract_effect assertion in
          let effects =
            List.filter (fun (s,_) -> not (s = select_name)) effects in
          let effects = List.filter (mem_are_compatible notin) effects in
          let rw seff lteff s lt =
            LImpl(sub_interp_app (`Var var) notin (`App (seff,lteff)),
                  sub_interp_app (`Var var) notin (`App (s,lt))) in
          let nb = ref 0 in
          let rewrite acc (seff,lteff) =
            incr nb;
            let assertion =
              LForall(fst var,snd var,[],
                      rewrite_inductive_case (rw seff lteff) assertion) in
            (ident^(string_of_int !nb), assertion) :: acc in
          List.fold_left rewrite acc effects in
        let name = ("X_Sub"^name) in
        let l = List.fold_left gen_case [] l in
        let constr acc (ident,assertion) =
          Goal(KAxiom,id_no_loc (name^ident),assertion)::acc in
        let acc = List.fold_left constr acc l in
        acc
      | [Function (_,f_name,params,_,term)] ->
          let name = in_name notin f_name.name in
          Jc_options.lprintf "Generate logic notin (fun): %s :@." name;
          let acc = Logic(false,
                          {f_name with name = name},
                          params,
                          NotIn.ty notin)::acc in
          let axiom_name = "axiom"^"_in_"^(NotIn.mem_name2 notin)^f_name.name in
          Jc_options.lprintf "Generate axiom notin : %s :@." axiom_name;
          let var = ("jc_var",NotIn.ty_elt notin) in
          let interp s lt =
            if mem_are_compatible notin (s,lt)
            then in_interp_app var notin s lt
            else LFalse in
          let asser = term_interp_or interp term in
          let conclu = in_interp_app var notin f_name.name
            (List.map (fun (x,_) -> LVar x) params) in
          let asser = make_equiv asser conclu in
          let params = var::params in
          let asser = make_forall_list params [] asser in
          let asser = Goal(KAxiom,id_no_loc axiom_name,asser) in
          asser::acc
      | [Logic(_bool,f_name,params,_ltype);
         Goal(KAxiom,_,ax_asser)] ->
          let rec extract_term = function
            | LForall (_,_,_,asser) -> extract_term asser
            | LPred("eq", [ _; b ]) -> b
            | _ -> assert false (* constructed by tr_fun_def *) in
          let term = extract_term ax_asser in
          let ta_conv = [Function (_bool,f_name,params,_ltype,term)] in
          define_x_sub notin ta_conv acc
      | _ -> Jc_options.lprintf "@[I can't translate that :@\n%a"
          (Pp.print_list Pp.newline fprintf_why_decl) ta_conv;assert false

  let rec define_sub_x notin ta_conv acc =
    match ta_conv with
      (* Devrait peut-être utiliser la vrai transformation
         d'inductif en 1 unique axiom*)
      | [Inductive (_,f_name,_,l)] ->
        let name = (in_name notin f_name.name) in
        let var = ("jc_var",NotIn.ty notin) in
        let gen_case acc (ident,assertion) =
          let effects = inductive_extract_effect assertion in
          let effects = List.filter (mem_are_compatible notin) effects in
          let rw s lt =
            List.fold_left (fun acc (seff,lteff) ->
              LImpl(sub_interp_app (`App (seff,lteff)) notin (`Var var),acc))
              (sub_interp_app  (`App (s,lt)) notin (`Var var)) effects in
          let rewrite acc =
            let assertion =
              LForall(fst var,snd var,[],
                      rewrite_inductive_case rw assertion) in
            (ident, assertion) :: acc in
          rewrite acc in
        let name = ("Sub_X"^name) in
        let l = List.fold_left gen_case [] l in
        let constr acc (ident,assertion) =
          Goal(KAxiom,id_no_loc (name^ident),assertion)::acc in
        let acc = List.fold_left constr acc l in
        acc
      | [Function (_,f_name,params,_,term)] ->
        let axiom_name = "axiom"^"_disj_"^(NotIn.mem_name2 notin)^f_name.name in
        Jc_options.lprintf "Generate axiom disj : %s :@." axiom_name;
        let var = ("jc_var",NotIn.ty notin) in
        let interp s lt =
          if mem_are_compatible notin (s,lt)
          then disj_interp_app var notin s lt
          else LTrue in
        let asser = term_interp_and interp term in
        let conclu = disj_interp_app var notin f_name.name
          (List.map (fun (x,_) -> LVar x) params) in
        let asser = make_equiv asser conclu in
        let params = var::params in
        let asser = make_forall_list params [] asser in
        let asser = Goal(KAxiom,id_no_loc axiom_name,asser) in
        asser::acc
      | [Logic(_bool,f_name,params,_ltype);
         Goal(KAxiom,_,ax_asser)] ->
          let rec extract_term = function
            | LForall (_,_,_,asser) -> extract_term asser
            | LPred("eq", [ _; b ]) -> b
            | _ -> assert false (* constructed by tr_fun_def *) in
          let term = extract_term ax_asser in
          let ta_conv = [Function (_bool,f_name,params,_ltype,term)] in
          define_sub_x notin ta_conv acc
      | _ -> Jc_options.lprintf "@[I can't translate that :@\n%a"
          (Pp.print_list Pp.newline fprintf_why_decl) ta_conv;assert false

  let gen axiom_name f_name gen_framed in_update params framed_params =
    (* frame for one update *)
    let elt = "elt"^tmp_suffix in
    let elt_val = "elt_val"^tmp_suffix in
    let framed_normal_params = framed_params
      |> List.map fst in
    let framed_update_params =
      let notin_mem_name = NotIn.mem_name in_update in
      List.map (fun name ->
	if name = notin_mem_name then
	  LApp("store",[LVar name;LVar elt;LVar elt_val])
	else LVar name
      ) framed_normal_params in
    let framed_normal_params = framed_normal_params
      |> List.map make_var in
    let params = params
      |> List.map fst
      |> List.map make_var in
    let sepa =
      LNot (MyBag.make_in (LVar elt)
              (LApp (in_name in_update f_name,params))) in
    let a,trig =
      match gen_framed with
        | `Pred gen_framed ->
            let pred_normal = gen_framed framed_normal_params in
            let pred_update = gen_framed framed_update_params in
            LImpl(pred_normal,pred_update),LPatP pred_update
        | `Term gen_framed ->
            let term_normal = gen_framed framed_normal_params in
            let term_update = gen_framed framed_update_params in
            make_eq term_normal term_update, LPatT term_update in
    let a = LImpl(sepa,a) in
    let a = make_forall_list framed_params [[trig]] a in
    let a = LForall (elt,NotIn.ty_elt in_update,[],
                     LForall (elt_val,NotIn.ty_elt_val in_update,[],a)) in
    let axiom_name = "axiom"^"_no_update_"^axiom_name^
      (NotIn.mem_name in_update) in
    Goal(KAxiom,id_no_loc axiom_name,a)

  let gen_many axiom_name f_name gen_framed notins params framed_params =
    (* frame for many update *)
    let mems = List.map (fun notin ->
      let mem_name = NotIn.mem_name notin in
      let ft = "ft"^mem_name^tmp_suffix in
      let mem1 = mem_name in
      let mem2 = mem_name^"2" in
      (ft,mem1,mem2,notin)) notins in
    let framed_normal_params = framed_params
      |> List.map fst in
    let rec assoc_default mem default = function
      | [] -> default
      | (_,mem1,mem2,_)::_ when mem = mem1 -> mem2
      | _::l -> assoc_default mem default l in
    let framed_update_params =
      List.map (fun name -> LVar (assoc_default name name mems))
        framed_normal_params in
    let framed_normal_params = framed_normal_params
      |> List.map make_var in
    let params = params
      |> List.map fst
      |> List.map make_var in
    let make_hyp (ft,mem1,mem2,notin) =
      let sepa1 = LPred(frame_between_name, [LVar ft;
                                             LVar mem2;
                                             LVar mem1]) in
      let sepa2 = LPred(disj_pred,[LVar ft;
                                   LApp(in_name notin f_name,params)]) in
      (sepa1,sepa2) in
    let hyps = List.map make_hyp mems in
    let impls = List.fold_left
      (fun acc (sepa1,sepa2) -> sepa1::sepa2::acc) [] hyps in
    let conclu,trig =
      match gen_framed with
        | `Pred gen_framed ->
            let pred_normal = gen_framed framed_normal_params in
            let pred_update = gen_framed framed_update_params in
            LImpl(pred_normal,pred_update),LPatP pred_update
        | `Term gen_framed ->
            let term_normal = gen_framed framed_normal_params in
            let term_update = gen_framed framed_update_params in
            make_eq term_normal term_update, LPatT term_update in
    let a = make_impl_list conclu impls  in
    let trigs = List.fold_left
      (fun acc (sepa1,_) -> (LPatP sepa1)::acc) [trig] hyps in
    let a = make_forall_list framed_params [trigs] a in
    let make_foralls acc (ft,_,mem2,notin) =
      (ft,NotIn.ty notin)::(mem2,notin.NotIn.ty_mem)::acc in
    let foralls = List.fold_left make_foralls [] mems in
    let a = make_forall_list foralls [] a in
    let axiom_name = "axiom"^"_no_frame_"^axiom_name^
      (String.concat "_"
         (List.map (fun (_,_,_,notin) -> NotIn.mem_name notin) mems))
    in
    Goal(KAxiom,id_no_loc axiom_name,a)



  let def_frame_in f_name notin params acc notin_updates =
    let in_name = in_name notin f_name in
    let gen_framed = `Term (fun params -> LApp(in_name,params)) in
    let acc = List.fold_left
        (fun acc notin_update ->
         (gen in_name f_name gen_framed notin_update params params) ::acc)
        acc notin_updates in
    let acc = List.fold_all_part
      (fun acc part -> match part with | [] -> acc (* trivial axiom *)
        | notin_updates ->
          gen_many in_name f_name gen_framed notin_updates params params ::acc)
      acc notin_updates in
    acc

  (** framed_name must have the same param than f_name *)
  let def_frame framed_name is_pred f_name params acc notin_updates =
    let gen_framed =
      if is_pred
      then `Pred (fun params -> LPred(framed_name,params))
      else `Term (fun params -> LApp(framed_name,params)) in
    let acc = List.fold_left
      (fun acc notin_update ->
        (gen framed_name f_name gen_framed notin_update params params)::acc)
      acc notin_updates in
    let acc = List.fold_all_part
      (fun acc part -> match part with | [] -> acc (* trivial axiom *)
        | notin_updates ->
          gen_many framed_name f_name gen_framed notin_updates params params ::acc)
      acc notin_updates in
    acc

  let in_for_in f_name args notin framed acc =
    let name = in_name notin f_name in
    let acc = Logic(false, id_no_loc name, args, NotIn.ty notin)::acc in
    let var = ("jc_var",NotIn.ty_elt notin) in
    let conjs = List.map
      (fun (f,params) ->
         (in_interp_app var notin f.jc_logic_info_name
            (List.map (fun (x,_) -> LVar x) params)))
      framed in
    let code = make_and_list conjs in
    let conclu = in_interp_app var notin f_name
      (List.map (fun (x,_) -> LVar x) args) in
    let code = make_equiv code conclu in
    let code = make_forall_list (var::args) [] code in
    let axiom_name = name^"_def" in
    Goal(KAxiom,id_no_loc axiom_name,code)::acc

  let disj_for_in f_name args notin framed acc =
    let name = in_name notin f_name in
    let var = ("jc_var",NotIn.ty notin) in
    let conjs = List.map
      (fun (f,params) ->
         (disj_interp_app var notin f.jc_logic_info_name
            (List.map (fun (x,_) -> LVar x) params)))
      framed in
    let code = make_and_list conjs in
    let conclu = disj_interp_app var notin f_name
      (List.map (fun (x,_) -> LVar x) args) in
    let code = make_equiv code conclu in
    let code = make_forall_list (var::args) [] code in
    let axiom_name = name^"_disj_def" in
    Goal(KAxiom,id_no_loc axiom_name,code)::acc

  let x_sub_for_in f_name args notin framed acc =
    let name = in_name notin f_name in
    let var = ("jc_var",NotIn.ty notin) in
    let conjs = List.map
      (fun (f,params) ->
         (sub_interp_app (`Var var) notin (`App (f.jc_logic_info_name,
            (List.map (fun (x,_) -> LVar x) params)))))
      framed in
    let code = make_and_list conjs in
    let conclu = sub_interp_app (`Var var) notin (`App (f_name,
      (List.map (fun (x,_) -> LVar x) args))) in
    let code = make_equiv code conclu in
    let code = make_forall_list (var::args) [] code in
    let axiom_name = name^"_x_sub_def" in
    Goal(KAxiom,id_no_loc axiom_name,code)::acc

  let sub_x_for_in f_name args notin framed acc =
    let name = in_name notin f_name in
    let var = ("jc_var",NotIn.ty notin) in
    let conjs = List.map
      (fun (f,params) ->
         (sub_interp_app  (`App (f.jc_logic_info_name,
            (List.map (fun (x,_) -> LVar x) params)))) notin (`Var var))
      framed in
    let code = make_and_list conjs in
    let conclu = sub_interp_app (`App (f_name,
      (List.map (fun (x,_) -> LVar x) args))) notin (`Var var) in
    let code = make_equiv code conclu in
    let code = make_forall_list (var::args) [] code in
    let axiom_name = name^"_sub_x_def" in
    Goal(KAxiom,id_no_loc axiom_name,code)::acc


end

let lemma_disjoint_cases ta_conv acc =
  match ta_conv with
    | [Inductive (_,f_name,params,l)] ->
      let rec link_by_implication args cases = function
        | LForall (s,ty,_,f) ->
          LForall(s,ty,[],link_by_implication args cases f)
        | LImpl(f1,f2) -> LImpl(f1,link_by_implication args cases f2)
        | LPred(s,lt) when f_name.name = s ->
          let equalities = List.map2 (fun (a1,_) a2 -> make_eq (LVar a1) a2)
            args lt in
          LImpl (make_and_list equalities,each_case args cases)
        | _ -> failwith "Inductive must be forall x,.. Pn -> ... -> P1"
      and each_case args = function
        | [] -> LFalse
        | (_,assertion)::cases -> link_by_implication args cases assertion in
      let args = List.map (fun (s,ty) -> (s^tmp_suffix,ty)) params in
      let condition = make_forall_list args [] (each_case args l) in
      let goal_name = f_name.name^"_disjoint_case" in
      Goal(KGoal,id_no_loc goal_name,condition)::acc
    | _ -> Jc_options.lprintf "@[I can't translate that :@\n%a"
      (Pp.print_list Pp.newline fprintf_why_decl) ta_conv;assert false





let tr_params_usual_model f =
  let usual_params,model_params = tr_params_usual_model_aux f in
  let params = usual_params @ model_params in
  params

let tr_logic_fun_aux f ta acc =

  if Jc_options.debug then
    Format.printf "[interp] logic function %s@." f.jc_logic_info_final_name;

  let lab =
    match f.jc_logic_info_labels with [lab] -> lab | _ -> LabelHere
  in

  let fa =
    assertion ~type_safe:false ~global_assertion:true ~relocate:false lab lab
  in
  let ft =
    term ~type_safe:false ~global_assertion:true ~relocate:false lab lab
  in
  let term_coerce = term_coerce ~type_safe:false ~global_assertion:true lab in

  let params = tr_params_usual_model f in
  (* definition of the function *)
  let fun_def = fun_def f ta fa ft term_coerce params in
  let acc = fun_def@acc in

  (* no_update axioms *)
  let acc = gen_no_update_axioms f ta fa ft term_coerce params acc in

  (* no_assign axioms *)
  let acc = gen_no_assign_axioms f ta fa ft term_coerce params acc in

  (* alloc_extend axioms *)
  (*let acc = gen_alloc_extend_axioms f ta fa ft term_coerce params acc in*)

  (* generation of ft *)
  let acc =
    if Jc_options.gen_frame_rule_with_ft
    then
      let acc = if Hashtbl.mem pragma_gen_sep f.jc_logic_info_tag
      then begin
        (* use_predicate *)
        let (_,which) = Hashtbl.find pragma_gen_sep f.jc_logic_info_tag in
        let todos =
          Hashtbl.find_all predicates_to_generate f.jc_logic_info_tag in
        let fold acc = function
          | `Logic (f,_,params) -> (f,make_args ~parameters:params f) ::acc
          | `Pointer _ -> acc in
        let framed = List.fold_left fold [] which in
        let args = make_args f in
        let print_todo fmt = function
          | (`In,_) -> fprintf fmt "in"
          | (`Disj,_) -> fprintf fmt "disj" in
        Jc_options.lprintf "user predicate %s asks to generate : %a@."
          f.jc_logic_info_name (Pp.print_list Pp.comma print_todo) todos;
        let make_todo acc (todo,notin) =
          match todo with
            | `In ->
              let fname = f.jc_logic_info_name in
              let acc =
                InDisj.in_for_in fname args notin framed acc in
              let acc =
                InDisj.x_sub_for_in fname args notin framed acc in
              let acc =
                InDisj.sub_x_for_in fname args notin framed acc in
              acc
            | `Disj ->
              InDisj.disj_for_in f.jc_logic_info_name args notin framed acc in
        let acc = List.fold_left make_todo acc todos in
        acc
      end
      else begin
        let f_name = f.jc_logic_info_final_name in
        let todos =
          Hashtbl.find_all predicates_to_generate f.jc_logic_info_tag in
        let filter_notin acc = function
          | (`In , notin) -> notin::acc
          | _ -> acc in
        (* notin_updates is used to create the frames axioms *)
        let notin_updates = List.fold_left filter_notin [] todos in
        let print_todo fmt = function
           | (`Disj,_) -> fprintf fmt "disj"
           | (`In,_) -> fprintf fmt "in" in
        Jc_options.lprintf "%s asks to generate : %a@."
          f_name (Pp.print_list Pp.comma print_todo) todos;
        let acc = if todos = [] then acc else
            lemma_disjoint_cases fun_def acc in
        let make_todo acc (todo,notin) =
          match todo with
            | `In ->
                let acc = InDisj.define_In notin fun_def acc in
                let acc = InDisj.define_frame_between notin fun_def acc in
                let acc = InDisj.define_sub notin fun_def acc in
                let acc = InDisj.define_x_sub notin fun_def acc in
                let acc = InDisj.define_sub_x notin fun_def acc in
                let acc = InDisj.define_sub notin fun_def acc in
                let acc =
                  InDisj.def_frame_in f_name notin params acc notin_updates in
                acc
            | `Disj ->
                let acc = InDisj.define_disj notin fun_def acc  in
                acc in
        let acc = List.fold_left make_todo acc todos in
        let is_pred = f.jc_logic_info_result_type = None in
        InDisj.def_frame f_name is_pred f_name params acc notin_updates
      end in
      if Hashtbl.mem Jc_typing.pragma_gen_same f.jc_logic_info_tag then
        let f_name = f.jc_logic_info_final_name in
        let mirror =
          Hashtbl.find Jc_typing.pragma_gen_same f.jc_logic_info_tag in
        let mirror_name = mirror.jc_logic_info_final_name in
        let todos =
          Hashtbl.find_all predicates_to_generate mirror.jc_logic_info_tag in
        let filter_notin acc = function
          | (`In , notin) -> notin::acc
          | _ -> acc in
        (* notin_updates is used to create the frames axioms *)
        let notin_updates = List.fold_left filter_notin [] todos in
        Jc_options.lprintf "Frame of %s using footprint of %s@."
          f_name mirror_name;
        let is_pred = f.jc_logic_info_result_type = None in
        InDisj.def_frame f_name is_pred mirror_name params acc notin_updates
      else acc
    else acc in
  acc


(*   (\* full_separated axioms. *\) *)
(*   let sep_preds =  *)
(*     List.fold_left (fun acc vi -> *)
(*       match vi.jc_var_info_type with *)
(*         | JCTpointer(st,_,_) ->  *)
(*             LPred("full_separated",[LVar "tmp";
               LVar vi.jc_var_info_final_name]) *)
(*             :: acc *)
(*         | _ -> acc *)
(*     ) [] li.jc_logic_info_parameters *)
(*   in *)
(*   if List.length sep_preds = 0 then acc else *)
(*     let params_names = List.map fst params_reads in *)
(*     let normal_params = List.map (fun name -> LVar name) params_names in *)
(*     MemoryMap.fold (fun (mc,r) labels acc -> *)
(*       let update_params =  *)
(*         List.map (fun name -> *)
(*           if name = memory_name(mc,r) then *)
(*             LApp("store",[LVar name;LVar "tmp";LVar "tmpval"]) *)
(*           else LVar name *)
(*         ) params_names *)
(*       in *)
(*       let a =  *)
(*         match li.jc_logic_info_result_type with *)
(*           | None -> *)
(*               LImpl( *)
(*                 make_and_list sep_preds, *)
(*                 LIff( *)
(*                   LPred(li.jc_logic_info_final_name,normal_params), *)
(*                   LPred(li.jc_logic_info_final_name,update_params))) *)
(*           | Some rety -> *)
(*               LImpl( *)
(*                 make_and_list sep_preds, *)
(*                 LPred("eq",[ *)
(*                   LApp(li.jc_logic_info_final_name,normal_params); *)
(*                   LApp(li.jc_logic_info_final_name,update_params)])) *)
(*       in *)
(*       let a =  *)
(*         List.fold_left (fun a (name,ty) -> LForall(name,ty,a))
           a params_reads *)
(*       in *)
(*       let structty = match mc with  *)
(*         | FVfield fi -> JCtag(fi.jc_field_info_struct, []) *)
(*         | FVvariant vi -> JCvariant vi *)
(*       in *)
(*       let basety = match mc with *)
(*         | FVfield fi -> tr_base_type fi.jc_field_info_type *)
(*         | FVvariant vi ->  *)
(*             if integral_union vi then why_integer_type else *)
(*               simple_logic_type (union_memory_type_name vi) *)
(*       in *)
(*       let a =  *)
(*         LForall( *)
(*           "tmp",pointer_type structty, *)
(*           LForall( *)
(*             "tmpval",basety, *)
(*             a)) *)
(*       in *)
(*       let mcname = match mc with *)
(*         | FVfield fi -> fi.jc_field_info_name *)
(*         | FVvariant vi -> vi.jc_root_info_name *)
(*       in *)
(*       Axiom( *)
(*         "full_separated_" ^ li.jc_logic_info_name ^ "_" ^ mcname, *)
(*         a) :: acc *)
(*     ) li.jc_logic_info_effects.jc_effect_memories acc *)


let tr_logic_fun ft ta acc = tr_logic_fun_aux ft ta acc

(*
  Local Variables:
  compile-command: "unset LANG; make -C .. bin/jessie.byte"
  End:
*)
why-2.39/jc/jc_annot_inference.ml0000644000106100004300000043165013147234006016001 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



open Jc_stdlib
open Jc_env
open Jc_envset
open Jc_region
open Jc_ast
open Jc_fenv

open Jc_options
open Jc_constructors
open Jc_pervasives
open Jc_separation

open Pp
open Format

open Apron
open Coeff
open Interval
open Lincons1
open Num


(*****************************************************************************)
(*                Transfomations of terms and assertions                     *)
(*****************************************************************************)

let rec mem_term_in_assertion t a =
  Jc_iterators.fold_term_in_assertion (fun acc t' -> acc || TermOrd.equal t t') false a

let rec mem_any_term_in_assertion tset a =
  Jc_iterators.fold_term_in_assertion (fun acc t -> acc || TermSet.mem t tset) false a

let rec replace_term_in_term ~source:srct ~target:trgt t =
  Jc_iterators.map_term (fun t -> if TermOrd.equal srct t then trgt else t) t

let rec replace_term_in_assertion ~source:srct ~target:trgt a =
  Jc_iterators.map_term_in_assertion
    (fun t -> if TermOrd.equal srct t then trgt else t) a

let rec replace_var_in_assertion ~source:srcv ~target:trgt a =
  let srct = new term ~typ:srcv.jc_var_info_type (JCTvar srcv) in
  replace_term_in_assertion srct trgt a

let replace_var_by_var_in_assertion v v' a =
  replace_var_in_assertion v (new term_var v') a

let forget_var_in_assertion v a =
  let v' = newvar v.jc_var_info_type in
  replace_var_by_var_in_assertion v v' a

let unfolding_of_app app =
  let f = app.jc_app_fun in
  let _, term_or_assertion =
    try IntHashtblIter.find Jc_typing.logic_functions_table f.jc_logic_info_tag
    with Not_found -> assert false
  in
  match term_or_assertion with
    | JCAssertion a ->
	let a =
	  List.fold_left2 (fun a v t -> replace_var_in_assertion v t a)
	    a f.jc_logic_info_parameters app.jc_app_args
	in
	Some a
    | _ -> None

let rec conjuncts a =
  match a#node with
    | JCAand al -> List.flatten(List.map conjuncts al)
    | JCAapp app ->
	begin match unfolding_of_app app with
	  | Some a -> conjuncts a
	  | None -> [ a ]
	end
    | JCAnot a1 ->
	List.map (fun a -> new assertion_with ~node:(JCAnot a) a)
	  (disjuncts a1)
    | _ -> [ a ]
and disjuncts a =
  match a#node with
    | JCAor al -> List.flatten(List.map disjuncts al)
    | JCAapp app ->
	begin match unfolding_of_app app with
	  | Some a -> disjuncts a
	  | None -> [ a ]
	end
    | JCAnot a1 ->
	List.map (fun a -> new assertion_with ~node:(JCAnot a) a)
	  (conjuncts a1)
    | _ -> [ a ]

(* No real CNF construction, rather a presentation as conjunction
   of disjuncts *)
let implicit_cnf a =
  let conjuncts = conjuncts a in
  let disjuncts = List.map disjuncts conjuncts in
  new assertion_with
    ~node:(JCAand (List.map
		     (fun disjunct ->
			new assertion_with
			  ~node:(JCAor disjunct) a) disjuncts)) a

(* Deconstruct a pointer term into a base pointer term and an integer offset *)
let rec destruct_pointer t =
  match t#node with
(*     | JCTconst JCCnull -> *)
(*         (\* Before changing this, make sure [pointer_struct] is not called on *)
(*            a null term *\) *)
(*         None,None *)
    | JCTshift(t1,t2) ->
	begin match destruct_pointer t1 with
	  | None -> Some (t1,t2)
	  | Some(tptr,offt) ->
	      let tnode = JCTbinary(offt,(`Badd,`Integer),t2) in
	      let offt = new term ~typ:integer_type tnode in
	      Some(tptr,offt)
	end
    | JCTvar _ | JCTderef _ | JCTapp _ | JCTold _ | JCTat _ | JCTif _ 
    | JCTrange _ | JCTmatch _ | JCTaddress _ | JCTbase_block _ | JCTlet _
    | JCTconst _ | JCTbinary _ | JCTunary _ | JCToffset _ | JCTinstanceof _ 
    | JCTreal_cast _ | JCTrange_cast _ | JCTbitwise_cast _ | JCTcast _ ->
	None

let equality_operator_of_type ty = `Beq, operator_of_type ty

let rec unique_term_name =
  let unique_table = Hashtbl.create 17 in
  let name_table = Hashtbl.create 17 in
  fun t s ->
    try
      let t2 = Hashtbl.find unique_table s in
      if TermOrd.compare t t2 = 0 then
	s
      else
	let n = Hashtbl.find name_table s in
	let s = s ^ "_" ^ (string_of_int n) in
	unique_term_name t s
    with Not_found ->
      Hashtbl.replace name_table s 1;
      Hashtbl.replace unique_table s t; s

let rec unique_assertion_name =
  let unique_table = Hashtbl.create 17 in
  let name_table = Hashtbl.create 17 in
  fun a s ->
    try
      let a2 = Hashtbl.find unique_table s in
      if AssertionOrd.compare a a2 = 0 then
	s
      else
	let n = Hashtbl.find name_table s in
	let s = s ^ "_" ^ (string_of_int n) in
	unique_assertion_name a s
    with Not_found ->
      Hashtbl.replace name_table s 1;
      Hashtbl.replace unique_table s a; s

let string_explode s =
  let rec next acc i =
    if i >= 0 then next (s.[i] :: acc) (i-1) else acc
  in
  next [] (String.length s - 1)

let string_implode ls =
  let s = String.create (List.length ls) in
  ignore (List.fold_left (fun i c -> s.[i] <- c; i + 1) 0 ls);
  s

let filter_alphanumeric s =
  let alphanum c =
    String.contains "abcdefghijklmnopqrstuvwxyz" c
    || String.contains "ABCDEFGHIJKLMNOPQRSTUVWXYZ" c
    || String.contains "0123456789" c
    || c = '_'
  in
  let mkalphanum c = if alphanum c then c else '_' in
  string_implode (List.map mkalphanum (string_explode s))

let name_of_term t =
  ignore (Format.flush_str_formatter ());
  Format.fprintf str_formatter "%a" Jc_output.term t;
  let s = Format.flush_str_formatter () in
  let s = filter_alphanumeric s in
  "T" ^ unique_term_name t s

let name_of_assertion a =
  ignore (Format.flush_str_formatter ());
  Format.fprintf str_formatter "%a" Jc_output.assertion a;
  let s = Format.flush_str_formatter () in
  let s = filter_alphanumeric s in
  "A" ^ unique_assertion_name a s

(* support of  (Nicolas) *)
let rec destruct_alloc t =
  match t#node with
    | JCTconst (JCCinteger _str) -> None, Some t
    | JCTvar vi -> Some vi, None
    | JCTbinary (t1, (`Bsub,`Integer), t2) ->
	begin
	  match destruct_alloc t1 with
	    | None, None ->
		None, Some
		  (new term ~typ:integer_type
		     (JCTunary ((`Uminus,`Integer),
				new term ~typ:integer_type
				  (JCTconst (JCCinteger "-1"))))
		  )
	    | Some vi, None ->
		None, Some
		  (new term ~typ:integer_type
		     (JCTbinary	(new term ~typ:integer_type (JCTvar vi),
				 (`Bsub,`Integer),
				 new term ~typ:integer_type
				   (JCTconst (JCCinteger "-1"))))
		  )
	    | vio, Some offt ->
		let t3 = JCTbinary (offt, (`Bsub,`Integer), t2) in
		let offt = new term ~typ:integer_type t3 in
		vio, Some offt
	end
    | _ -> assert false

(*****************************************************************************)
(* Specific iterators on terms.                                              *)
(*****************************************************************************)


let raw_sub_term subt t =
  Jc_iterators.fold_term (fun acc t -> acc || TermOrd.equal subt t) false t

let raw_sub_term_in_assertion subt a =
  Jc_iterators.fold_term_in_assertion (fun acc t -> acc || TermOrd.equal subt t) false a

let raw_strict_sub_term subt t =
  TermOrd.compare subt t <> 0 && raw_sub_term subt t



(********************)

let rec term_syntactic_dependence ~of_term:t1 ~on_term:t2 =
  raw_sub_term t2 t1

let rec assertion_syntactic_dependence ~of_asrt:a ~on_term:t =
  raw_sub_term_in_assertion t a

let rec assignment_semantic_dependence ~of_term:t1 ~on_term:t2 ~at_field:fi =
  let mc,_ufi_opt = Jc_effect.tderef_mem_class ~type_safe:true t2 fi in
  let mem = mc, t2#region in
  let ef = Jc_effect.term empty_effects t1 in
  Jc_effect.has_memory_effect ef mem

let normalize_expr e =
  let name_app (e : expr) = match e#node with
    | JCEapp _ ->
	if e#typ = Jc_pervasives.unit_type then e else
	  let name = tmp_var_name () in
	  let vi = Jc_pervasives.var e#typ name in
	  Expr.mklet
	    ~pos:e#pos
	    ~var:vi
	    ~init:e
	    ~body:(Expr.mkvar ~pos:e#pos ~var:vi ())
	    ()
    | _ -> e
  in
  Jc_iterators.map_expr
    ~after:(fun e -> match e#node with
	      | JCElet(_vi,e1,e2) ->
		  let elist =
		    Option_misc.fold (fun e1 l -> e1::l) e1 [name_app e2]
		  in
		  Jc_iterators.replace_sub_expr e elist
	      | _ ->
		  let elist = Jc_iterators.IExpr.subs e in
		  let elist = List.map name_app elist in
		  Jc_iterators.replace_sub_expr e elist
	   ) e

let asrt_of_expr e =
  let err () = failwith "asrt_of_expr" in
  let rec aux e =
    let anode = match e#node with
      | JCEconst(JCCboolean true) -> JCAtrue
      | JCEconst(JCCboolean false) -> JCAfalse
      | JCEbinary(e1,(#comparison_op,_ as bop), e2) ->
	  begin match Jc_effect.term_of_expr e1, Jc_effect.term_of_expr e2 with
	    | Some t1, Some t2 -> JCArelation(t1,bop,t2)
	    | _ -> err ()
	  end
      | JCEbinary (e1,(bop,_),e2) ->
	  begin match bop with
	    | `Bland -> JCAand [ aux e1; aux e2 ]
	    | `Blor -> JCAor [ aux e1; aux e2 ]
	    | _ -> err ()
	  end
      | JCEunary((uop,_),e1) ->
	  begin match uop with
	    | `Unot -> JCAnot(aux e1)
	    | _ -> err ()
	  end
      | JCEinstanceof(e1,st) ->
	  begin match Jc_effect.term_of_expr e1 with
	    | Some t1 -> JCAinstanceof(t1,LabelHere,st)
	    | None -> err ()
	  end
      | JCEif(e1,e2,e3) ->
	  begin match Jc_effect.term_of_expr e1 with
	    | Some t1 -> JCAif(t1,aux e2,aux e3)
	    | None -> err ()
	  end
      | JCEcast _ | JCErange_cast _ | JCEreal_cast _ | JCEshift _
      | JCEconst _ | JCEvar _ | JCEderef _ | JCEoffset _ | JCEalloc _
      | JCEfree _ | JCEmatch _ | JCEunpack _ | JCEpack _ | JCEthrow _
      | JCEtry _ | JCEreturn _ | JCEloop _ | JCEblock _ | JCEcontract _
      | JCEassert _ | JCElet _ | JCEaddress _ | JCEbitwise_cast _
      | JCEassign_heap _ | JCEassign_var _ | JCEapp _ |JCEreturn_void
      | JCEbase_block _ | JCEfresh _ ->
	  err ()
    in
    new assertion ~mark:e#mark ~pos:e#pos anode
  in
  try Some (aux e) with Failure "asrt_of_expr" -> None


(*****************************************************************************)
(*                                  Types                                    *)
(*****************************************************************************)

type offset_kind = Offset_min_kind | Offset_max_kind

(* Assertion to be checked at some program point. *)
type target_assertion = {
  jc_target_expr : expr;
  jc_target_hint : bool;
  jc_target_location : Loc.position;
  mutable jc_target_assertion : assertion;
  mutable jc_target_regular_invariant : assertion;
  mutable jc_target_propagated_invariant : assertion;
}

(* Abstract value made up of 2 parts:
 * - regular abstract value
 * - abstract value refined by previous assertions on the execution path
 * Both are mutable in order to get in place widening.
 *)
type 'a abstract_value = {
  mutable jc_absval_regular : 'a Abstract1.t;
  mutable jc_absval_propagated : 'a Abstract1.t;
}

(* Type of current invariant in abstract interpretation, made up of 3 parts:
 * - abstract value at current program point
 * - associative list of exceptions and abstract values obtained after throwing
 *   an exception of this type. It is mutable so that it can be changed in
 *   place.
 * - abstract value after returning from the function. It is a reference so that
 *   it can be shared among all abstract invariants in a function.
 *)
type 'a abstract_invariants = {
  jc_absinv_normal : 'a abstract_value;
  jc_absinv_exceptional : (exception_info * 'a abstract_value) list;
  jc_absinv_return : (expr,'a abstract_value) Hashtbl.t;
}

(* Parameters of an abstract interpretation. *)
type 'a abstract_interpreter = {
  jc_absint_manager : 'a Manager.t;
  jc_absint_function_environment : Environment.t;
  jc_absint_function : fun_info;
  jc_absint_widening_threshold : int;
  jc_absint_loops : (int,expr) Hashtbl.t;
  jc_absint_loop_invariants : (int,'a abstract_invariants) Hashtbl.t;
  jc_absint_loop_initial_invariants : (int,'a abstract_invariants) Hashtbl.t;
  jc_absint_loop_iterations : (int,int) Hashtbl.t;
  jc_absint_loop_entry_invs : (int, 'a abstract_invariants) Hashtbl.t;
  jc_absint_target_assertions : target_assertion list;
}

(* Parameters of an interprocedural abstract interpretation. *)
type 'a interprocedural_ai = {
  jc_interai_manager : 'a Manager.t;
  jc_interai_function_preconditions : (int, 'a Abstract1.t) Hashtbl.t;
  jc_interai_function_postconditions : (int, 'a Abstract1.t) Hashtbl.t;
  jc_interai_function_exceptional :
    (int, (exception_info * 'a Abstract1.t) list)  Hashtbl.t;
  jc_interai_function_nb_iterations : (int, int) Hashtbl.t;
  jc_interai_function_init_pre : (int, 'a Abstract1.t) Hashtbl.t;
  jc_interai_function_abs : (int, 'a abstract_interpreter) Hashtbl.t;
}

(* Type of current postcondition in weakest precondition computation:
 * - postcondition at current program point
 * - associative list of exceptions and postconditions that should be satisfied
 *   when an exception of this type is caught
 * - stack of sets of modified variables, each set except the first one
 *   corresponding to an enclosed loop
 *)
type weakest_postconditions = {
  jc_post_normal : assertion option;
  jc_post_exceptional : (exception_info * assertion) list;
  jc_post_inflexion_vars : VarSet.t ref;
  jc_post_modified_vars : VarSet.t list;
}

type weakest_precondition_computation = {
  jc_weakpre_function: fun_info;
  jc_weakpre_loops : (int,expr) Hashtbl.t;
  jc_weakpre_loop_invariants : (int,assertion) Hashtbl.t;
}


(*****************************************************************************)
(*                                  Debug                                    *)
(*****************************************************************************)

let print_abstract_value fmt absval =
  fprintf fmt "@[{regular: %a@\npropagated: %a@\n}@]"
    Abstract1.print absval.jc_absval_regular
    Abstract1.print absval.jc_absval_propagated

let print_abstract_invariants fmt invs =
  fprintf fmt "@[{@\nnormal: %a@\nexceptional: %a@\nreturn: %a@\n}@]"
    print_abstract_value invs.jc_absinv_normal
    (print_list comma (fun fmt (ei,absval) ->
			 fprintf fmt "(%s,%a)" ei.jc_exception_info_name
			   print_abstract_value absval))
    invs.jc_absinv_exceptional
    (fun fmt returns ->
       Hashtbl.iter (fun _ absval -> print_abstract_value fmt absval) returns)
    invs.jc_absinv_return

let print_modified_vars fmt posts =
  fprintf fmt "modified vars: %a"
    (print_list comma (fun fmt vi -> fprintf fmt "%s" vi.jc_var_info_name))
    (VarSet.elements (List.hd posts.jc_post_modified_vars))


(*****************************************************************************)
(*                    Logging annotations inferred                           *)
(*****************************************************************************)

let reg_annot ?id ?kind ?name ~pos ~anchor a =
  let (f,l,b,e) =
    try
      let (f,l,b,e,_,_) = Hashtbl.find Jc_options.pos_table anchor in
      (f,l,b,e)
    with Not_found -> Loc.extract pos
  in
  let pos = Lexing.dummy_pos in
  let pos = { pos with
		Lexing.pos_fname = f;
		Lexing.pos_lnum = l;
		Lexing.pos_bol = 0; }
  in
  let loc =
    { pos with Lexing.pos_cnum = b; },
    { pos with Lexing.pos_cnum = e; }
  in
  Format.fprintf Format.str_formatter "%a" Jc_output.assertion a;
  let formula = Format.flush_str_formatter () in
  let lab = Output.old_reg_pos "G" ?id ?kind ?name ~formula (Loc.extract loc) in
  new assertion_with ~mark:lab a


(*****************************************************************************)
(*           Translation between terms/assertions and ATP formulas           *)
(*****************************************************************************)

module Vwp : sig
  val variable_for_term : term -> string
  val term : string -> term option
  val variable_for_assertion: assertion -> string
  val assertion: string -> assertion
  val is_variable_for_assertion: string -> bool
end = struct

  let term_table = Hashtbl.create 17
  let assertion_table = Hashtbl.create 17

  let variable_for_term t =
    let check_name s =
      try
	(* Check unicity of name, which [name_of_term] should guarantee *)
	let t2 = Hashtbl.find term_table s in
	assert (TermOrd.compare t t2 = 0)
      with Not_found ->
	Hashtbl.add term_table s t
    in
    let s = name_of_term t in check_name s; s

  let term s =
    try Some (Hashtbl.find term_table s)
    with Not_found -> ignore (Hashtbl.find assertion_table s); None

  let variable_for_assertion a =
    let check_name s =
      try
	(* Check unicity of name, which [name_of_assertion] should guarantee *)
	let a2 = Hashtbl.find assertion_table s in
	assert (AssertionOrd.compare a a2 = 0)
      with Not_found ->
	Hashtbl.add assertion_table s a
    in
    match a#node with
      | JCAnot a1 -> let s = name_of_assertion a1 in check_name s; s
      | _ -> let s = name_of_assertion a in check_name s; s

  let assertion s = Hashtbl.find assertion_table s

  let is_variable_for_assertion s = Hashtbl.mem assertion_table s
end

let binop_atp =
  [
    (`Blt,`Integer), "<";
    (`Bgt,`Integer), ">";
    (`Ble,`Integer), "<=";
    (`Bge,`Integer), ">=";
    (`Beq,`Integer), "=";
    (`Badd,`Integer), "+";
    (`Bsub,`Integer), "-";
    (`Bmul,`Integer), "*";
    (`Bdiv,`Integer), "/";
  ]

let atp_binop = List.map (fun (op,r) -> (r,op)) binop_atp

let atp_of_binop (op : basic_op * [> `Integer ]) =
  try List.assoc op binop_atp with Not_found -> assert false

let binop_of_atp r =
  try List.assoc r atp_binop with Not_found -> assert false

let binrel_of_atp s =
  let op,ty = binop_of_atp s in
  match op with
    | #comparison_op as op1 -> op1,ty
    | _ -> assert false

let unop_atp =
  [
    (`Uminus,`Integer), "-";
  ]

let atp_unop = List.map (fun (op,r) -> (r,op)) unop_atp

let atp_of_unop op =
  try List.assoc op unop_atp with Not_found -> assert false

let unop_of_atp r =
  try List.assoc r atp_unop with Not_found -> assert false

let rec atp_of_term t =
  let err () = failwith "atp_of_term" in
  let is_constant_term t =
    match t#node with JCTconst _ -> true | _ -> false
  in
  match t#node with
    | JCTconst c ->
	begin match c with
	  | JCCinteger s -> Atp.Fn(s,[])
	  | JCCnull | JCCboolean _ | JCCvoid | JCCreal _ | JCCstring _ ->
	      err ()
	end
    | JCTbinary(t1,((`Badd,`Integer) | (`Bsub,`Integer) as bop),t2) ->
	Atp.Fn(atp_of_binop bop, List.map atp_of_term [t1;t2])
    | JCTbinary(t1,(`Bmul,`Integer as bop),t2)
	when (is_constant_term t1 || is_constant_term t2) ->
	Atp.Fn(atp_of_binop bop, List.map atp_of_term [t1;t2])
    | JCTbinary(t1,(`Bdiv,`Integer as bop),t2) when (is_constant_term t2) ->
	Atp.Fn(atp_of_binop bop, List.map atp_of_term [t1;t2])
    | JCTbinary(_t1,_bop,_t2) ->
	Atp.Var (Vwp.variable_for_term t)
    | JCTunary((`Uminus,`Integer as uop),t1) ->
	Atp.Fn(atp_of_unop uop, [atp_of_term t1])
    | JCTvar _ | JCTderef _ | JCTapp _ | JCToffset _ ->
	Atp.Var (Vwp.variable_for_term t)
    | JCTshift _ | JCTold _ | JCTat _ | JCTmatch _ | JCTinstanceof _
    | JCTcast _ | JCTrange_cast _ | JCTbitwise_cast _ | JCTreal_cast _
    | JCTaddress _ | JCTif _ | JCTrange _ | JCTunary _ | JCTbase_block _ 
    | JCTlet _ ->
	err ()

let rec term_of_atp tm =
  try
    match tm with
      | Atp.Var s -> (match Vwp.term s with Some t -> t | None -> assert false)
      | Atp.Fn(s,[tm1;tm2]) ->
	  let tnode =
	    JCTbinary(term_of_atp tm1,binop_of_atp s,term_of_atp tm2)
	  in
	  new term ~typ:integer_type tnode
      | Atp.Fn(s,[tm1]) ->
	  let tnode = JCTunary(unop_of_atp s,term_of_atp tm1) in
	  new term ~typ:integer_type tnode
      | Atp.Fn(s,[]) ->
	  let tnode = JCTconst(JCCinteger s) in
	  new term ~typ:integer_type tnode
      | _tm -> assert false
  with Assert_failure _ ->
    printf "[Jc_annot_inference.term_of_atp] unexpected ATP term %a@."
      (fun _fmt tm -> Atp.printert tm) tm;
    assert false

let term_of_atp_with_variable_for_assertion tm =
  try
    let rec aux tm =
      match tm with
	| Atp.Var s -> (Some (Vwp.assertion s),0)
	| Atp.Fn("+",[tm1;tm2]) ->
	    let a1,c1 = aux tm1 in
	    let a2,c2 = aux tm2 in
	    let a = match a1,a2 with
	      | Some _,Some _ -> assert false
	      | Some a,None | None,Some a -> Some a
	      | None,None -> None
	    in
	    a, c1 + c2
	| Atp.Fn("*",[tm1;tm2]) ->
	    let a1,c1 = aux tm1 in
	    let a2,c2 = aux tm2 in
	    assert (c1 >= 0 && c2 >= 0);
	    let a = match a1,a2 with
	      | Some _,Some _ -> assert false
	      | Some a,None | None,Some a -> Some a
	      | None,None -> None
	    in
	    a, 0
	| Atp.Fn("-",[tm1]) ->
	    let a1,c1 = aux tm1 in
	    assert (a1 = None);
	    None, - c1
	| Atp.Fn(s,[]) ->
	    None, int_of_string s
	| _tm -> assert false
    in aux tm
  with Assert_failure _ ->
    printf "[Jc_annot_inference.term_of_atp_with_variable_for_assertion] unexpected ATP term %a@."
      (fun _fmt tm -> Atp.printert tm) tm;
    assert false

let atp_of_asrt a =
  let err () = failwith "atp_of_asrt" in
  let rec aux a =
    try match a#node with
      | JCAtrue -> Atp.True
      | JCAfalse -> Atp.False
      | JCArelation(t1,(`Bneq,`Integer),t2) ->
	  Atp.Not(Atp.Atom(Atp.R("=",List.map atp_of_term [t1;t2])))
      | JCArelation(t1,(bop,`Integer),t2) ->
	  Atp.Atom(Atp.R(atp_of_binop ((bop :> basic_op),`Integer),
			 List.map atp_of_term [t1;t2]))
      | JCAand al ->
	  let rec mkand = function
	    | [] -> Atp.True
	    | [a] -> aux a
	    | a :: al -> Atp.And (aux a, mkand al)
	  in
	  mkand al
      | JCAor al ->
	  let rec mkor = function
	    | [] -> Atp.False
	    | [a] -> aux a
	    | a :: al -> Atp.Or (aux a, mkor al)
	  in
	  mkor al
      | JCAimplies(a1,a2) ->
	  Atp.Imp(aux a1,aux a2)
      | JCAiff(a1,a2) ->
	  Atp.And (Atp.Imp(aux a1,aux a2), Atp.Imp(aux a2,aux a1))
      | JCAnot a ->
	  Atp.Not(aux a)
      | JCAquantifier(q,v,_trig,a) ->
	  let f = aux a in
	  let fvars = Atp.fv f in
	  let tv = new term_var v in
	  (* Add to the set of variables quantifieds all those variables that
	     syntactically depend on [v] *)
	  let vars =
	    List.fold_left
	      (fun acc va ->
		 let depend = match Vwp.term va with
		   | Some t ->
		       term_syntactic_dependence ~of_term:t ~on_term:tv
		   | None ->
		       let a = Vwp.assertion va in
		       assertion_syntactic_dependence ~of_asrt:a ~on_term:tv
		 in
		 if depend then StringSet.add va acc else acc
	      ) (StringSet.singleton (Vwp.variable_for_term tv)) fvars
	  in
	  let vars = StringSet.elements vars in
	  let rec quant f = function
	    | [] -> f
	    | v::r ->
		match q with
		  | Forall -> quant (Atp.Forall(v,f)) r
		  | Exists -> quant (Atp.Exists(v,f)) r
	  in
	  quant f vars
      | JCAapp app ->
	  begin match unfolding_of_app app with
	    | Some a -> aux a
	    | None -> err ()
	  end
      | JCArelation _ | JCAold _ | JCAat _ | JCAinstanceof _ | JCAbool_term _
      | JCAif _ | JCAmutable _ | JCAeqtype _ | JCAlet _
      | JCAmatch _ | JCAsubtype _ | JCAfresh _ ->
	  err ()
    with Failure "atp_of_asrt" | Failure "atp_of_term" ->
      let s = Vwp.variable_for_assertion a in
      let fm = Atp.Atom(Atp.R("<=",[Atp.Fn("0",[]);Atp.Var s])) in
      match a#node with
	| JCAnot _a1 -> Atp.Not fm
	| _ -> fm
  in aux a

let has_variable_for_assertion fm =
  let vars = Atp.fv fm in
  List.exists Vwp.is_variable_for_assertion vars

let asrt_of_atp_with_variable_for_assertion fm =
  try match fm with
    | Atp.Atom(Atp.R(r,[tm1;tm2])) ->
	let a1,_c1 = term_of_atp_with_variable_for_assertion tm1 in
	let a2,_c2 = term_of_atp_with_variable_for_assertion tm2 in
	begin match a1,a2 with
	  | Some _,Some _
	  | None,None -> assert false
	  | Some a,None ->
	      begin match r with
		| ">=" | ">" -> a#node
		| "<=" | "<" -> JCAnot a
		| _ -> assert false
	      end
	  | None,Some a ->
	      begin match r with
		| ">=" | ">" -> JCAnot a
		| "<=" | "<" -> a#node
		| _ -> assert false
	      end
	end
    | _ -> assert false
  with Assert_failure _ ->
    printf "[Jc_annot_inference.asrt_of_atp_with_variable_for_assertion] unexpected ATP formula %a@."
      (fun _fmt fm -> Atp.printer fm) fm;
    assert false

let rec asrt_of_atp fm =
  let anode = match fm with
    | Atp.False ->
	JCAfalse
    | Atp.True ->
	JCAtrue
    | Atp.Atom _ when has_variable_for_assertion fm ->
	asrt_of_atp_with_variable_for_assertion fm
    | Atp.Atom(Atp.R(r,[tm1;tm2])) ->
	JCArelation(term_of_atp tm1,binrel_of_atp r,term_of_atp tm2)
    | Atp.Atom _ ->
	printf "[Jc_annot_inference.term_of_atp] unexpected ATP atom %a@."
	  (fun _fmt fm -> Atp.printer fm) fm;
	assert false
    | Atp.Not fm ->
	JCAnot(asrt_of_atp fm)
    | Atp.And(fm1,fm2) ->
	JCAand [asrt_of_atp fm1;asrt_of_atp fm2]
    | Atp.Or(fm1,fm2) ->
	JCAor [asrt_of_atp fm1;asrt_of_atp fm2]
    | Atp.Imp(fm1,fm2) ->
	JCAimplies(asrt_of_atp fm1,asrt_of_atp fm2)
    | Atp.Iff(fm1,fm2) ->
	JCAiff(asrt_of_atp fm1,asrt_of_atp fm2)
    | Atp.Forall _ | Atp.Exists _ ->
	printf
	  "[Jc_annot_inference.term_of_atp] unexpected ATP quantification %a@."
	  (fun _fmt fm -> Atp.printer fm) fm;
	assert false
  in
  new assertion anode


(*****************************************************************************)
(*               Abstract variables naming and creation                      *)
(*****************************************************************************)

module Vai : sig
  val integer_variable : term -> Var.t
  val offset_min_variable : term -> Var.t
  val offset_max_variable : term -> Var.t
  val all_variables : term -> Var.t list
  val term : Var.t -> term
end = struct

  let term_table = Hashtbl.create 17

  let integer_variable t =
    let check_name s =
      try
	(* Check unicity of name, which [name_of_term] should guarantee *)
	let t2 = Hashtbl.find term_table s in
	assert (TermOrd.compare t t2 = 0)
      with Not_found ->
	Hashtbl.add term_table s t
    in
    let s = name_of_term t in check_name s; Var.of_string s

  let offset_min_variable t =
    let st = pointer_struct t#typ in
    let tmin = new term ~typ:integer_type (JCToffset(Offset_min,t,st)) in
    integer_variable tmin

  let offset_max_variable t =
    let st = pointer_struct t#typ in
    let tmax = new term ~typ:integer_type (JCToffset(Offset_max,t,st)) in
    integer_variable tmax

  let all_variables t =
    if is_integral_type t#typ then [ integer_variable t ]
    else if is_pointer_type t#typ then
      [ offset_min_variable t; offset_max_variable t ]
    else []

  let term va = Hashtbl.find term_table (Var.to_string va)
end

let empty mgr val1 =
  Abstract1.bottom mgr (Abstract1.env val1)

let extend mgr env val1 =
  let env = Environment.lce env (Abstract1.env val1) in
  Abstract1.change_environment mgr val1 env false

let is_eq mgr val1 val2 =
  let env = Environment.lce (Abstract1.env val1) (Abstract1.env val2) in
  let val1 = Abstract1.change_environment mgr val1 env false in
  let val2 = Abstract1.change_environment mgr val2 env false in
  Abstract1.is_eq mgr val1 val2

let forget mgr val1 vls =
  let vls = List.filter (Environment.mem_var (Abstract1.env val1)) vls in
  let varr = Array.of_list vls in
  Abstract1.forget_array mgr val1 varr false

let meet mgr val1 val2 =
  let env = Environment.lce (Abstract1.env val1) (Abstract1.env val2) in
  let val1 = Abstract1.change_environment mgr val1 env false in
  let val2 = Abstract1.change_environment mgr val2 env false in
  Abstract1.meet mgr val1 val2

let join mgr val1 val2 =
  (* Uncomment following line to possibly get more precision *)
  (*   let val1 = Abstract1.closure mgr val1 in *)
  (*   let val2 = Abstract1.closure mgr val2 in *)
  let env = Environment.lce (Abstract1.env val1) (Abstract1.env val2) in
  let val1 = Abstract1.change_environment mgr val1 env false in
  let val2 = Abstract1.change_environment mgr val2 env false in
  Abstract1.join mgr val1 val2

let widening mgr val1 val2 =
  let env = Environment.lce (Abstract1.env val1) (Abstract1.env val2) in
  let val1 = Abstract1.change_environment mgr val1 env false in
  let val2 = Abstract1.change_environment mgr val2 env false in
  (* Join before widening so that arguments are in increasing order. *)
  let val2 = Abstract1.join mgr val2 val1 in
  (* Perform widening between values in increasing order. *)
  Abstract1.widening mgr val1 val2

let stronger mgr val1 val2 =
  let env = Environment.lce (Abstract1.env val1) (Abstract1.env val2) in
  let val1 = Abstract1.change_environment mgr val1 env false in
  let val2 = Abstract1.change_environment mgr val2 env false in
  Abstract1.is_leq mgr val1 val2

let strictly_stronger mgr val1 val2 =
  stronger mgr val1 val2 && not (stronger mgr val2 val1)

let empty_abstract_value mgr pair1 =
  {
    jc_absval_regular =
      empty mgr pair1.jc_absval_regular;
    jc_absval_propagated =
      empty mgr pair1.jc_absval_propagated
  }

let bottom_abstract_value mgr env =
  {
    jc_absval_regular = Abstract1.bottom mgr env;
    jc_absval_propagated = Abstract1.bottom mgr env;
  }

let top_abstract_value mgr env =
  {
    jc_absval_regular = Abstract1.top mgr env;
    jc_absval_propagated = Abstract1.top mgr env;
  }

let eq_abstract_value mgr absval1 absval2 =
  is_eq mgr absval1.jc_absval_regular absval2.jc_absval_regular
  && is_eq mgr absval1.jc_absval_propagated absval2.jc_absval_propagated

let forget_abstract_value mgr absval vls =
  {
    jc_absval_regular =
      forget mgr absval.jc_absval_regular vls;
    jc_absval_propagated =
      forget mgr absval.jc_absval_propagated vls
  }

let join_abstract_value mgr pair1 pair2 =
  {
    jc_absval_regular =
      join mgr pair1.jc_absval_regular pair2.jc_absval_regular;
    jc_absval_propagated =
      join mgr pair1.jc_absval_propagated pair2.jc_absval_propagated
  }

let widening_abstract_value mgr pair1 pair2 =
  {
    jc_absval_regular =
      widening mgr pair1.jc_absval_regular pair2.jc_absval_regular;
    jc_absval_propagated =
      widening mgr pair1.jc_absval_propagated pair2.jc_absval_propagated
  }

let eq_invariants mgr invs1 invs2 =
  let eq_exclists postexcl1 postexcl2 =
    List.length postexcl1 = List.length postexcl2 &&
    List.fold_right (fun (ei,post1) acc ->
		       acc &&
			 try
			   let post2 = List.assoc ei postexcl2 in
			   eq_abstract_value mgr post1 post2
			 with Not_found -> false
		    ) postexcl1 true
  in
  assert (invs1.jc_absinv_return == invs2.jc_absinv_return);
  eq_abstract_value mgr invs1.jc_absinv_normal invs2.jc_absinv_normal
  && eq_exclists invs1.jc_absinv_exceptional invs2.jc_absinv_exceptional

let forget_invariants mgr invs vls =
  {
    jc_absinv_normal =
      forget_abstract_value mgr invs.jc_absinv_normal vls;
    jc_absinv_exceptional =
      List.map (fun (ei,post) -> (ei,forget_abstract_value mgr post vls))
	invs.jc_absinv_exceptional;
    jc_absinv_return =
      invs.jc_absinv_return
  }

let join_invariants mgr invs1 invs2 =
(*   if Jc_options.debug then *)
(*     printf "@[[join]@\n%a@\nand@\n%a@]@."  *)
(*       print_abstract_invariants invs1 print_abstract_invariants invs2; *)
  let join_exclists postexcl1 postexcl2 =
    let join1 =
      List.fold_right
	(fun (ei, post1) acc ->
	   try
	     let post2 = List.assoc ei postexcl2 in
	     let post1 = join_abstract_value mgr post1 post2 in
	     (ei, post1) :: acc
	   with Not_found -> (ei, post1) :: acc
	) postexcl1 []
    in
    List.fold_right
      (fun (ei, post2) acc ->
	 if List.mem_assoc ei join1 then acc
	 else (ei, post2) :: acc
      ) postexcl2 join1
  in
  assert (invs1.jc_absinv_return == invs2.jc_absinv_return);
  {
    jc_absinv_normal =
      join_abstract_value mgr invs1.jc_absinv_normal invs2.jc_absinv_normal;
    jc_absinv_exceptional =
      join_exclists invs1.jc_absinv_exceptional invs2.jc_absinv_exceptional;
    jc_absinv_return =
      invs1.jc_absinv_return
  }

let widen_invariants mgr invs1 invs2 =
(*   if Jc_options.debug then *)
(*     printf "@[[widening]@\n%a@\nand@\n%a@]@."  *)
(*       print_abstract_invariants invs1 print_abstract_invariants invs2; *)
  let widen_exclists postexcl1 postexcl2 =
    let widen1 =
      List.fold_right
	(fun (ei,post1) acc ->
	   try
	     let post2 = List.assoc ei postexcl2 in
	     let post1 = widening_abstract_value mgr post1 post2 in
	     (ei, post1) :: acc
	   with Not_found -> (ei,post1) :: acc
	) postexcl1 []
    in
    List.fold_right (fun (ei,post2) acc ->
		       if List.mem_assoc ei widen1 then acc
		       else (ei, post2) :: acc
		    ) postexcl2 widen1
  in
  assert (invs1.jc_absinv_return == invs2.jc_absinv_return);
  {
    jc_absinv_normal =
      widening_abstract_value mgr invs1.jc_absinv_normal invs2.jc_absinv_normal;
    jc_absinv_exceptional =
      widen_exclists invs1.jc_absinv_exceptional invs2.jc_absinv_exceptional;
    jc_absinv_return =
      invs1.jc_absinv_return
  }


(*****************************************************************************)
(*                                 DNF form                                  *)
(*****************************************************************************)

module Dnf = struct

  type dnf = string list list

  let false_ = []
  let true_ = [[]]

  let is_false = function [] -> true | _ -> false
  let is_true = function [[]] -> true | _ -> false

  let num_disjuncts (dnf : dnf) = List.length dnf

  let rec make_and =
    let pair_and dnf1 dnf2 =
      if is_false dnf1 || is_false dnf2 then
	false_
      else
	List.fold_left
	  (fun acc conj1 ->
	     List.fold_left (fun acc conj2 ->
			       (conj1 @ conj2) :: acc
			    ) acc dnf2
	  ) [] dnf1
    in
    function
      | [] -> true_
      | dnf::r -> pair_and dnf (make_and r)

  let make_or = List.concat

  let print fmt dnf =
    fprintf fmt "dnf : %a"
      (fun fmt disj ->
	 fprintf fmt "[%a]"
	   (print_list comma
	      (fun fmt conj -> fprintf fmt "[%a]"
		 (print_list comma (fun fmt s -> fprintf fmt "%s" s))
		 conj)) disj) dnf

  let test mgr pre dnf =
    if debug then printf "[Dnf.test] %a@." Abstract1.print pre;
    if debug then printf "[Dnf.test] %a@." print dnf;
    let env = Abstract1.env pre in
    if is_false dnf then Abstract1.bottom mgr env
    else if is_true dnf then pre
    else
      let test_conj conj =
	let lincons =
	  try Parser.lincons1_of_lstring env conj
	  with Parser.Error msg ->
	    printf
	      "[Jc_annot_inference.Dnf.test] %s@." msg;
	    assert false
	in
	Abstract1.meet_lincons_array mgr pre lincons
      in
      (* Test each disjunct separately and then join them. *)
      let copy_list = List.map test_conj dnf in
      match copy_list with
	| pre :: rest -> List.fold_left (Abstract1.join mgr) pre rest
	| _ -> assert false
end


(*****************************************************************************)
(*    Extracting linear expressions and constraints from AST expressions     *)
(*****************************************************************************)

let linearize t =
  let err () = failwith "linearize" in
  let rec aux t =
    try match t#node with
      | JCTconst c ->
	  begin match c with
	    | JCCinteger s -> (TermMap.empty, num_of_string s)
	    | JCCboolean _ | JCCvoid | JCCnull | JCCreal _ | JCCstring _ ->
		err ()
	  end
      | JCTbinary(t1,(#arithmetic_op as bop,`Integer),t2) ->
	  let coeffs1, cst1 = aux t1 in
	  let coeffs2, cst2 = aux t2 in
          begin match bop with
	    | `Badd ->
		let coeffs = TermMap.fold
		  (fun vt1 c1 acc ->
		     try
		       let c2 = TermMap.find vt1 coeffs2 in
		       TermMap.add vt1 (c1 +/ c2) acc
		     with Not_found -> TermMap.add vt1 c1 acc
		  ) coeffs1 TermMap.empty
		in
		let coeffs = TermMap.fold
		  (fun vt2 c2 acc ->
		     if TermMap.mem vt2 coeffs then acc
		     else TermMap.add vt2 c2 acc
		  ) coeffs2 coeffs
		in
		(coeffs, cst1 +/ cst2)
	    | `Bsub ->
		let coeffs = TermMap.fold
		  (fun vt1 c1 acc ->
		     try
		       let c2 = TermMap.find vt1 coeffs2 in
		       TermMap.add vt1 (c1 -/ c2) acc
		     with Not_found -> TermMap.add vt1 c1 acc
		  ) coeffs1 TermMap.empty
		in
		let coeffs = TermMap.fold
		  (fun vt2 c2 acc ->
		     if TermMap.mem vt2 coeffs then acc
		     else TermMap.add vt2 (minus_num c2) acc
		  ) coeffs2 coeffs
		in
		(coeffs, cst1 -/ cst2)
	    | `Bmul when TermMap.is_empty coeffs1 || TermMap.is_empty coeffs2 ->
		let coeffs =
		  if TermMap.is_empty coeffs1 then
		    TermMap.map (fun c -> c */ cst1) coeffs2
		  else
		    TermMap.map (fun c -> c */ cst2) coeffs1
		in
		(coeffs, cst1 */ cst2)
	    | `Bmul
	    | `Bdiv
	    | `Bmod -> err ()
	  end
      | JCTbinary(t1,(#bitwise_op as bop,`Integer),t2) ->
	  let coeffs1, cst1 = aux t1 in
	  if coeffs1 = TermMap.empty && cst1 =/ Int 0 then
	    match bop with
	      | `Bbw_and
	      | `Bshift_left
	      | `Blogical_shift_right
	      | `Barith_shift_right -> TermMap.empty, Int 0
	      | `Bbw_or
	      | `Bbw_xor -> aux t2
	      | _ -> err ()
	  else
	    (* Consider non-linear term as abstract variable. *)
	    (TermMap.add t (Int 1) TermMap.empty, Int 0)
      | JCTunary((uop,`Integer),t1) ->
	  let coeffs1,cst1 = aux t1 in
	  begin match uop with
	    | `Uminus ->
		let coeffs = TermMap.map (fun c -> minus_num c) coeffs1 in
		(coeffs, minus_num cst1)
	    | _ -> err ()
	  end
      | JCTvar _ | JCTderef _ | JCToffset _ | JCTapp _ | JCTbinary _
      | JCTunary _ | JCTshift _ | JCTinstanceof _ | JCTmatch _
      | JCTold _ | JCTat _ | JCTcast _ | JCTbitwise_cast _
      | JCTrange_cast _ | JCTreal_cast _ | JCTaddress _ | JCTbase_block _
      | JCTrange _ | JCTif _ | JCTlet _ ->
	  err ()
    with Failure "linearize" ->
      (TermMap.add t (Int 1) TermMap.empty, Int 0)
  in aux t

let linstr_of_term env t =
  let mkmulstr = function
    | (_va, Int 0) -> ""
    | (va, c) -> string_of_num c ^ " * " ^ va
  in
  let rec mkaddstr = function
    | [] -> ""
    | [va,c] -> mkmulstr (va,c)
    | (va,c) :: r ->
	match mkmulstr (va,c), mkaddstr r with
	  | "","" -> ""
	  | s,"" | "",s -> s
	  | s1,s2 -> s1 ^ " + " ^ s2
  in
  let coeffs, cst = linearize t in
  let env = TermMap.fold
    (fun t _ env  ->
       let va = Vai.integer_variable t in
       if Environment.mem_var env va then env
       else Environment.add env [|va|] [||]
    ) coeffs env
  in
  let coeffs =
    TermMap.fold
      (fun t c acc ->
	 let va = Vai.integer_variable t in (Var.to_string va,c)::acc
      ) coeffs []
  in
  env, mkaddstr coeffs, cst

let offset_linstr_of_term env ok t =
  let ptrt, offt = match destruct_pointer t with
    | None -> t, None
    | Some(ptrt,offt) -> ptrt, Some offt
  in
  let st = pointer_struct ptrt#typ in
  let minmaxt = match ok with
    | Offset_min_kind ->
	new term ~typ:integer_type (JCToffset(Offset_min,ptrt,st))
    | Offset_max_kind ->
	new term ~typ:integer_type (JCToffset(Offset_max,ptrt,st))
  in
  let t = match offt with None -> minmaxt | Some offt ->
    new term ~typ:integer_type (JCTbinary(minmaxt,(`Bsub,`Integer),offt))
  in
  linstr_of_term env t

let rec not_asrt a =
  let anode = match a#node with
    | JCAtrue -> JCAfalse
    | JCAfalse -> JCAtrue
    | JCArelation(t1,(bop,`Integer),t2) ->
	begin match bop with
	  | `Blt -> JCArelation (t1, (`Bge,`Integer), t2)
	  | `Bgt -> JCArelation (t1, (`Ble,`Integer), t2)
	  | `Ble -> JCArelation (t1, (`Bgt,`Integer), t2)
	  | `Bge -> JCArelation (t1, (`Blt,`Integer), t2)
	  | `Beq -> JCArelation (t1, (`Bneq,`Integer), t2)
	  | `Bneq -> JCArelation (t1, (`Beq,`Integer), t2)
	end
    | JCAnot a -> a#node
    | JCAand _ | JCAor _ | JCAimplies _ | JCAiff _ | JCAapp _ | JCArelation _
    | JCAquantifier _ | JCAold _ | JCAat _ | JCAinstanceof _ | JCAbool_term _
    | JCAif _ | JCAmutable _ | JCAeqtype _ | JCAsubtype _ | JCAlet _
    | JCAmatch _ | JCAfresh _ ->
	JCAnot a
  in
  new assertion_with ~node:anode a

(* Should be applied to atomic assertions in a DNF form. Otherwise returns
   an overapproximating true assertion.
   Returns a result in dnf string format. *)
let rec linstr_of_assertion env a =
  match a#node with
    | JCAtrue -> env, Dnf.true_
    | JCAfalse -> env, Dnf.false_
    | JCArelation(t1,(bop,`Integer),t2) ->
	let subt =
	  new term ~typ:integer_type (JCTbinary(t1,(`Bsub,`Integer),t2))
	in
	let env,str,cst = linstr_of_term env subt in
	if str = "" then
	  let ncst = minus_num cst in
	  let is_true = match bop with
	    | `Blt -> Int 0  Int 0 >/ ncst
	    | `Ble -> Int 0 <=/ ncst
	    | `Bge -> Int 0 >=/ ncst
	    | `Beq -> Int 0 =/ ncst
	    | `Bneq -> Int 0 <>/ ncst
	  in
	  env, if is_true then Dnf.true_ else Dnf.false_
	else
	  let cstr = string_of_num (minus_num cst) in
	  (* Do not use < and > with APRON, due to bugs in some versions.
	     Convert to equivalent non-strict. *)
	  let str = match bop with
	    | `Blt -> [[str ^ " <= " ^
			  (string_of_num (pred_num (minus_num cst)))]]
	    | `Bgt -> [[str ^ " >= " ^
			  (string_of_num (succ_num (minus_num cst)))]]
	    | `Ble -> [[str ^ " <= " ^ cstr]]
	    | `Bge -> [[str ^ " >= " ^ cstr]]
	    | `Beq -> [[str ^ " = " ^ cstr]]
	    | `Bneq ->
		[[str ^ " <= " ^
		    (string_of_num (pred_num (minus_num cst)))];
		 [str ^ " >= " ^
		    (string_of_num (succ_num (minus_num cst)))]]
	  in
	  env, str
    | JCAnot a ->
	let nota = not_asrt a in
	begin match nota#node with
	  | JCAnot _ -> env, Dnf.true_
	  | _ -> linstr_of_assertion env nota
	end
    | JCArelation _ | JCAand _ | JCAor _ | JCAimplies _ | JCAiff _ | JCAapp _
    | JCAquantifier _ | JCAold _ | JCAat _ | JCAinstanceof _ | JCAbool_term _
    | JCAif _ | JCAmutable _ | JCAeqtype _ | JCAsubtype _ | JCAmatch _
    | JCAlet _ | JCAfresh _ ->
	env, Dnf.true_

let linstr_of_expr env e =
  match Jc_effect.term_of_expr e with None -> None | Some t ->
    let env,str,cst = linstr_of_term env t in
    if str = "" then Some (env, string_of_num cst)
    else Some (env, str ^ " + " ^ (string_of_num cst))

let offset_linstr_of_expr env ok e =
  match e#node with
    | JCEalloc _ ->
	if ok = Offset_min_kind then Some (env, "0")
	else
	  begin match Jc_effect.term_of_expr e with None -> None | Some t ->
	    let env,str,cst = linstr_of_term env t in
	    if str = "" then Some (env,string_of_num cst)
	    else Some (env,str ^ " + " ^ (string_of_num cst))
	  end
    | _ ->
	if is_nonnull_pointer_type e#typ then
	  match Jc_effect.term_of_expr e with None -> None | Some t ->
	    let env,str,cst = offset_linstr_of_term env ok t in
	    if str = "" then Some (env,string_of_num cst)
	    else Some (env,str ^ " + " ^ (string_of_num cst))
	else None


(*****************************************************************************)
(*             Building assertions from inferred invariants                  *)
(*****************************************************************************)

let mkterm linexpr =
  let vars =
    Array.to_list (fst (Environment.vars (Linexpr1.get_env linexpr)))
  in
  let rec add_term t va =
    match Linexpr1.get_coeff linexpr va with
      | Scalar s ->
	  let vt = match Scalar.to_string s with
	    | "0." | "0" -> None
	    | "1" -> Some (Vai.term va)
	    | "-1" ->
		let tnode = JCTunary ((`Uminus,`Integer), Vai.term va) in
		let t = new term ~typ:integer_type tnode in
		Some t
	    | s ->
		let ctnode = JCTconst (JCCinteger s) in
		let ct = new term ~typ:integer_type ctnode in
		let tnode = JCTbinary (ct, (`Bmul,`Integer), Vai.term va) in
		let t = new term ~typ:integer_type tnode in
		Some t
	  in
	  begin match t,vt with
	    | None,vt -> vt
	    | t,None -> t
	    | Some t,Some vt ->
		let tnode = JCTbinary (t, (`Badd,`Integer), vt) in
		let t = new term ~typ:integer_type tnode in
		Some t
	  end
      | Interval _ -> assert false
  in
  let cst = match Linexpr1.get_cst linexpr with
    | Scalar s ->
	begin match Scalar.to_string s with
	  | "0." | "0" -> None
	  | s ->
	      let ctnode = JCTconst (JCCinteger s) in
	      let ct = new term ~typ:integer_type ctnode in
	      Some ct
	end
    | Interval _ -> assert false
  in
  match List.fold_left add_term cst vars with
    | None -> assert false
    | Some t -> t

let mkassertion lincons =
  let t1 = mkterm (Lincons1.get_linexpr1 lincons) in
  let op,c2 = match Lincons1.get_typ lincons with
    | EQ -> (`Beq,`Integer), JCCinteger "0"
    | SUPEQ -> (`Bge,`Integer), JCCinteger "0"
    | SUP -> (`Bgt,`Integer), JCCinteger "0"
    | DISEQ -> (`Bneq,`Integer), JCCinteger "0"
    | EQMOD _scalar ->
	(* If using a new domain that generates such modulo equalities,
	   add support for those *)
	assert false
  in
  let t2 = new term ~typ:integer_type (JCTconst c2) in
  new assertion (JCArelation(t1,op,t2))

let rec linterms_of_term t =
  let mkmulterm (t,c) =
    if c =/ Int 0 then None
    else if c =/ Int 1 then Some t
    else if c =/ Int (-1) then
      Some(new term ~typ:integer_type (JCTunary((`Uminus,`Integer),t)))
    else
      let c =
	new term ~typ:integer_type (JCTconst(JCCinteger(string_of_num c)))
      in
      Some(new term ~typ:integer_type (JCTbinary(c,(`Bmul,`Integer),t)))
  in
  let rec mkaddterm = function
    | [] -> None
    | [t,c] -> mkmulterm (t,c)
    | (t,c) :: r ->
	match mkmulterm (t,c), mkaddterm r with
	  | None,None -> None
	  | Some t,None | None,Some t -> Some t
	  | Some t1,Some t2 ->
	      Some(new term ~typ:integer_type
		     (JCTbinary(t1,(`Badd,`Integer),t2)))
  in
  let coeffs,cst = linearize t in
  let posl,negl =
    TermMap.fold (fun t c (pl,nl) ->
		    if c >/ Int 0 then (t,c) :: pl, nl
		    else if c 
	if cst >/ Int 0 then cstt
	else new term ~typ:integer_type (JCTconst(JCCinteger "0"))
    | Some t ->
	if cst >/ Int 0 then
	  new term ~typ:integer_type (JCTbinary(t,(`Badd,`Integer),cstt))
	else t
  in
  let negt = match mkaddterm negl with
    | None ->
	if cst 
	if cst 
	  let subt =
	    new term ~typ:integer_type (JCTbinary(t1,(`Bsub,`Integer),t2))
	  in
	  let post,negt = linterms_of_term subt in
	  (* Make all terms appear with a positive coefficient *)
	  new assertion(JCArelation(post,bop,negt))
      | JCAnot a ->
	  let nota = not_asrt a in
	  begin match nota#node with
	    | JCAnot _ -> a
	    | _ -> linasrt_of_assertion nota
	  end
      | JCAtrue | JCAfalse | JCAand _ | JCAor _ | JCAimplies _ | JCAiff _
      | JCAapp _ | JCAquantifier _ | JCAold _ | JCAat _ | JCAinstanceof _
      | JCAbool_term _ | JCAfresh _
      | JCAif _ | JCAmutable _ | JCAeqtype _ | JCAsubtype _ | JCAmatch _
      | JCAlet _ -> a
  in
  linasrt_of_assertion a

let mkconsistent a =
  let cannot_have_lower_bound t =
    match t#node with
      | JCToffset(Offset_min,_,_) -> true
      | JCTapp app when app.jc_app_fun.jc_logic_info_name = "strlen" -> true
      | _ -> false
  in
  let cannot_have_upper_bound t =
    match t#node with
      | JCToffset(Offset_max,_,_) -> true
      | _ -> false
  in
  let rec aux a =
    match a#node with
      | JCArelation(t1,(op,_ty),t2) ->
	  let subt =
	    new term ~typ:integer_type (JCTbinary(t1,(`Bsub,`Integer),t2))
	  in
	  let coeffs,_ = linearize subt in
	  let posl,negl =
	    TermMap.fold
	      (fun t c (pl,nl) ->
		 if c >/ Int 0 then t :: pl, nl
		 else if c  posl,negl
	    | `Bge | `Bgt -> negl,posl
	    | `Beq | `Bneq -> posl@negl,posl@negl
	  in
	  if List.exists cannot_have_upper_bound lbounds
	    || List.exists cannot_have_lower_bound ubounds then None
	  else Some a
      | JCAnot _
      | JCAtrue | JCAfalse | JCAand _ | JCAor _ | JCAimplies _ | JCAiff _
      | JCAapp _ | JCAquantifier _ | JCAold _ | JCAat _ | JCAinstanceof _
      | JCAbool_term _ | JCAfresh _
      | JCAif _ | JCAmutable _ | JCAeqtype _ | JCAsubtype _ | JCAmatch _
      | JCAlet _ ->
	  Some a
  in
  let conjuncts = conjuncts a in
  let cnf = List.map disjuncts conjuncts in
  let conjuncts =
    List.map
      (fun conjunct ->
	 let disjuncts =
	   List.map
	     (fun disjunct -> match aux disjunct with
		| None -> Assertion.mkfalse ()
		| Some a -> a
	     ) conjunct
	 in
	 let conjunct = Assertion.mkor disjuncts () in
	 if Assertion.is_false conjunct then Assertion.mktrue () else conjunct
      ) cnf
  in
  Assertion.mkand conjuncts ()

let mkinvariant mgr absval =
  if Abstract1.is_top mgr absval then
    Assertion.mktrue ()
  else if Abstract1.is_bottom mgr absval then
    Assertion.mkfalse ()
  else
    let linconsarr = Abstract1.to_lincons_array mgr absval in
    let rec mkrec acc i =
      if i >= 0 then
	mkrec (mkassertion (Lincons1.array_get linconsarr i) :: acc) (i-1)
      else acc
    in
    let asserts = mkrec [] (Lincons1.array_length linconsarr - 1) in
    Assertion.mkand (List.map mkpresentable asserts) ()


(*****************************************************************************)
(*                          Simplifying formulas                             *)
(*****************************************************************************)

let variables_and_dnf a =
  let atp = atp_of_asrt a in
  let dnf = Atp.dnf atp in
  let vars = Atp.fv dnf in
  let vars =
    List.fold_left
      (fun acc s ->
	 Option_misc.map_default (fun t -> t :: acc) acc (Vwp.term s)
      ) [] vars
  in
  let vars = List.map Vai.integer_variable vars in
  let env = Environment.make (Array.of_list vars) [||] in
  let disjuncts = Atp.disjuncts dnf in
  let disjuncts = List.map Atp.conjuncts disjuncts in
  let disjuncts = List.map (List.map asrt_of_atp) disjuncts in
  env, disjuncts

(* For scaling, this could be replaced by a call to [contradictory] which
   does not involve quantifier elimination *)
let tautology a =
  let qf = Atp.generalize (atp_of_asrt a) in
(*   if Jc_options.debug then *)
(*     printf "@[Before quantifier elimination@\n%a@]@." *)
(*       (fun fmt fm -> Atp.printer fm) qf; *)
(*   let dnf = Atp.dnf qf in *)
(*   if Jc_options.debug then *)
(*     printf "@[After dnf@\n%a@]@." *)
(*       (fun fmt fm -> Atp.printer fm) dnf; *)
(*   if debug then printf "[before integer_qelim]@."; *)
  let qe = Atp.fourier_qelim qf in
(*   if debug then printf "[after integer_qelim]@."; *)
  let qe = asrt_of_atp qe in
  qe#node = JCAtrue

let contradictory =
  let mgr = Polka.manager_alloc_strict () in
  fun a b ->
    if Jc_options.debug then
      printf "@[[contradictory]@\n%a@\n%a@]@."
	Jc_output.assertion a Jc_output.assertion b;
    let env,disjuncts = variables_and_dnf (Assertion.mkand [a;b] ()) in
    assert(List.length disjuncts > 0);
    let res = List.fold_left
      (fun acc conjunct -> acc &&
	 try
	   let cstrs = List.map (linstr_of_assertion env) conjunct in
	   let cstrs = List.map snd cstrs in
	   let dnf = Dnf.make_and cstrs in
	   let absval = Abstract1.top mgr env in
	   let absval = Dnf.test mgr absval dnf in
	   Abstract1.is_bottom mgr absval
	 with Parser.Error _ | Failure _ -> false
      ) true disjuncts
    in
(*     if debug then  *)
(*       printf "@[[contradictory] %b@]@." res; *)
    res

let abstract_overapprox mgr env a =
  let conjuncts = conjuncts a in
  List.fold_left
    (fun (absval,acc) conjunct ->
       try
	 let dnf = snd (linstr_of_assertion env conjunct) in
	 let absval' = Dnf.test mgr (Abstract1.top mgr env)  dnf in
	 if Abstract1.is_top mgr absval' then
	   absval, conjunct :: acc
	 else
	   meet mgr absval absval', acc
       with Parser.Error _ | Failure _ ->
	 absval, conjunct :: acc
    ) (Abstract1.top mgr env,[]) conjuncts

let minimize mgr =
  (* Use polyhedral domain to get a minimization function *)
  let polmgr = Polka.manager_alloc_strict () in
  fun val1 ->
    let env = Abstract1.env val1 in
    let a = mkinvariant mgr val1 in
    let conjuncts = conjuncts a in
    let dnf =
      Dnf.make_and (List.map (snd $ linstr_of_assertion env) conjuncts)
    in
    let absval = Dnf.test polmgr (Abstract1.top polmgr env) dnf in
    mkinvariant polmgr absval

let simplify =
  (* Use polyhedral domain for precision and to get a minimization function *)
  let mgr = Polka.manager_alloc_strict () in
  fun ?inva inita ->
    if Jc_options.debug then
      printf "@[[simplify]@\n%a@]@." Jc_output.assertion inita;
    let simpla = (* if tautology inita then (Assertion.mktrue ()) else *)
      let env,disjuncts = variables_and_dnf inita in
      if Jc_options.debug then
	printf "@[[simplify] dnf@\n%a@]@."
	  (print_list semi
	     (print_list simple_comma Jc_output.assertion)) disjuncts;

      let invapprox = match inva with
	| None -> Abstract1.top mgr env
	| Some inva -> fst (abstract_overapprox mgr env inva)
      in
      let disjuncts = match inva with
	| None -> disjuncts
	| Some inva ->
	    List.filter
	      (fun conjunct ->
		 not(contradictory (Assertion.mkand conjunct ()) inva)
	      ) disjuncts
      in

      let abstract_disjuncts,other_disjuncts =
	List.fold_right
	  (fun conjunct (abstractl,otherl) ->
	     try
	       if Jc_options.debug then
		 printf "asrt conjunct : %a@."
		   (Pp.print_list (fun _fmt () -> printf " /\\ ")
		      Jc_output.assertion)
		   conjunct;
	       let absval,other_conjuncts =
		 abstract_overapprox mgr env (Assertion.mkand conjunct ())
	       in
	       if Jc_options.debug then
		 printf "abstract conjunct : %a@." Abstract1.print absval;
	       if Abstract1.is_bottom mgr absval then
		 abstractl, otherl
	       else
		 (absval,other_conjuncts) :: abstractl, otherl
	     with Parser.Error _ | Failure _ ->
	       abstractl,
	       Assertion.mkand (List.map mkpresentable conjunct) () :: otherl
	  ) disjuncts ([],[])
      in
      let abstract_disjuncts =
	List.fold_right
	  (fun (absval,other_conjuncts) acc ->
	     (* Do not consider conjunct if less precise than [inva] *)
	     let skip =
	       other_conjuncts = [] && stronger mgr invapprox absval
	     in
	     if skip then acc else
	       (* Remove conjuncts that are stronger than current one *)
	       let acc =
		 List.filter
		   (fun (av,oc) -> not (oc = [] && stronger mgr av absval)) acc
	       in
	       (* Do not add current conjunct if stronger than another one *)
	       if other_conjuncts = [] &&
		 List.exists (fun (av,_oc) -> stronger mgr absval av) acc
	       then acc
	       else (absval,other_conjuncts) :: acc
	  ) abstract_disjuncts []
      in
      List.iter (Abstract1.minimize mgr $ fst) abstract_disjuncts;
      let abstract_disjuncts =
	List.map (fun (absval,other_conjuncts) ->
		    Assertion.mkand (mkinvariant mgr absval :: other_conjuncts) ()
		 ) abstract_disjuncts
      in
      let disjuncts = abstract_disjuncts @ other_disjuncts in
      if List.length disjuncts > 5 then (* Arbitrary threshold for clarity *)
	inita
      else
	Assertion.mkor disjuncts ()
    in
    if debug then
      printf "@[[simplify] initial:@\n%a@]@." Jc_output.assertion inita;
    if debug then
      printf "@[[simplify] w.r.t. invariant:@\n%a@]@."
	(print_option Jc_output.assertion) inva;
    if debug then
      printf "@[[simplify] final:@\n%a@]@." Jc_output.assertion simpla;
    simpla

let quantif_eliminate qf finv =
(*   if Jc_options.debug then *)
(*     printf "@[Raw precondition@\n%a@]@." Jc_output.assertion qf;  *)
  let qf = atp_of_asrt qf in
(*   if Jc_options.debug then *)
(*     printf "@[Before quantifier elimination@\n%a@]@."  *)
(*       (fun fmt fm -> Atp.printer fm) qf;  *)
  let qf = Atp.pnf qf in
  match qf with
    | Atp.Forall _ | Atp.Exists _ ->
	let qe = Atp.fourier_qelim qf in
(* 	if Jc_options.debug then *)
(* 	  printf "@[After quantifier elimination@\n%a@]@."  *)
(* 	    (fun fmt fm -> Atp.printer fm) qe;  *)
	begin match qe with
(* 	  | Atp.Not nqe -> *)
(* 	      let qe = (Atp.dnf nqe) in *)
(* (\* 	      if Jc_options.debug then *\) *)
(* (\* 		printf "@[After negative disjunctive normal form@\n%a@]@."  *\) *)
(* (\* 		  (fun fmt fm -> Atp.printer fm) qe; *\) *)
(* 	      let res = simplify (asrt_of_atp qe) in *)
(* 	      let finv = asrt_of_atp (Atp.dnf (atp_of_asrt finv)) in *)
(* 	      simplify ~inva:finv (Assertion.mknot res ()) *)
	  | _ ->
	      let qe = (Atp.dnf qe) in
(* 	      if Jc_options.debug then *)
(* 		printf "@[After disjunctive normal form@\n%a@]@."  *)
(* 		  (fun fmt fm -> Atp.printer fm) qe; *)
	      let finv = asrt_of_atp (Atp.dnf (atp_of_asrt finv)) in
	      simplify ~inva:finv (asrt_of_atp qe)
	end
    | q ->
	let finv = asrt_of_atp (Atp.dnf (atp_of_asrt finv)) in
	simplify ~inva:finv (asrt_of_atp q)


(*****************************************************************************)
(* Computing weakest preconditions.                                          *)
(*****************************************************************************)

let is_function_level posts =
  List.length posts.jc_post_modified_vars = 1

let add_modified_var posts v =
  let vars = match posts.jc_post_modified_vars with
    | vs :: r -> VarSet.add v vs :: r
    | [] -> assert false
  in
  { posts with jc_post_modified_vars = vars; }

let add_modified_vars posts vs =
  let vars = match posts.jc_post_modified_vars with
    | vs2 :: r -> VarSet.union vs vs2 :: r
    | [] -> assert false
  in
  { posts with jc_post_modified_vars = vars; }

let add_inflexion_var posts v =
  posts.jc_post_inflexion_vars :=
    VarSet.add v !(posts.jc_post_inflexion_vars)

let remove_modified_var posts v =
  let vars = match posts.jc_post_modified_vars with
    | vs :: r -> VarSet.remove v vs :: r
    | [] -> assert false
  in
  { posts with jc_post_modified_vars = vars; }

let push_modified_vars posts =
  let vars = posts.jc_post_modified_vars in
  { posts with jc_post_modified_vars = VarSet.empty :: vars; }

let pop_modified_vars posts =
  let vs,vars = match posts.jc_post_modified_vars with
    | vs :: r -> vs,r
    | [] -> assert false
  in
  vs,{ posts with jc_post_modified_vars = vars; }

let collect_free_vars a =
  let all_vars, quant_vars =
    Jc_iterators.fold_term_and_assertion
      (fun (vars,qvars as acc) t -> match t#node with
	 | JCTvar vi -> VarSet.add vi vars, qvars
	 | _ -> acc)
      (fun (vars,qvars as acc) a -> match a#node with
	 | JCAquantifier(_,vi,_trig,_a) -> vars, VarSet.add vi qvars
	 | _ -> acc)
      (VarSet.empty,VarSet.empty) a
  in
  VarSet.diff all_vars quant_vars

let initialize_target curposts target =
  (* Collect all sub-terms not natively understood by underlying abstract
     domain. By default, collect all non linear arithmetic terms. *)
  let collect_sub_terms =
    Jc_iterators.fold_term_in_assertion
      (fun acc t -> match t#node with
	 | JCTvar _
	 | JCTbinary(_,((`Badd,`Integer) | (`Bsub,`Integer)),_)
	 | JCTunary((`Uminus,`Integer),_) -> acc
	 | _ -> TermSet.add t acc
      ) TermSet.empty
  in
  let vs1 = collect_free_vars target.jc_target_regular_invariant in
  let vs2 = collect_free_vars target.jc_target_assertion in
  let vs = VarSet.union vs1 vs2 in
  let ts1 = collect_sub_terms target.jc_target_regular_invariant in
  let ts2 = collect_sub_terms target.jc_target_assertion in
  let ts = TermSet.union ts1 ts2 in
  (* Avoid potential blowup in WP caused by many disjunctions in initial
     formula by replacing it by a set of equalities between variables and
     their current inflexion, and the same for terms that mention these
     variables *)
  VarSet.fold
    (fun vi a ->
       let vit = new term_var vi in
       let copyvi = copyvar vi in
       add_inflexion_var curposts copyvi;
       let t1 = new term_var copyvi in
       target.jc_target_regular_invariant <-
	 replace_term_in_assertion vit t1 target.jc_target_regular_invariant;
       target.jc_target_assertion <-
	 replace_term_in_assertion vit t1 target.jc_target_assertion;
       let eqs =
	 if is_integral_type vit#typ then
	   let bop = equality_operator_of_type vit#typ in
	   [ new assertion (JCArelation(t1,bop,vit)) ]
	 else []
       in
       let eqs =
	 TermSet.fold
	   (fun t acc ->
	      if is_integral_type t#typ && raw_strict_sub_term vit t then
		let t2 = replace_term_in_term ~source:vit ~target:t1 t in
		let bop = equality_operator_of_type t#typ in
		let eq = new assertion(JCArelation(t2,bop,t)) in
		eq::acc
	      else acc
	   ) ts eqs
       in
       Assertion.mkand(a::eqs) ()
    ) vs (Assertion.mktrue ())

let finalize_target ~is_function_level ~pos ~anchor curposts target inva =
  if Jc_options.debug then
    printf "@[[finalize_target]@\nfunction level? %b@]@."
      is_function_level;
  if Jc_options.debug then
    printf "@[[finalize_target]@\n%a@]@." Jc_output.assertion inva;
  let annot_name =
    if is_function_level then "precondition" else "loop invariant"
  in
  let vs,curposts = pop_modified_vars curposts in
  let vs = VarSet.union vs !(curposts.jc_post_inflexion_vars) in
  if is_function_level then assert(curposts.jc_post_modified_vars = []);
  match curposts.jc_post_normal with
    | None -> (* assert target.jc_target_hint; *) None
    | Some wpa ->
    (* [wpa] is the formula obtained by weakest precondition from some
     * formula at the assertion point.
     *)
    (* [patha] is the path formula. It characterizes the states from which
     * it is possible to reach the assertion point.
     *)
    let patha =
      if target.jc_target_hint then
	wpa
      else
	Assertion.mkand[wpa;target.jc_target_regular_invariant] ()
    in
    (* [impla] is the implication formula, that guarantees the assertion holds
     * when the assertion point is reached.
     *)
    let impla = new assertion(JCAimplies(patha,target.jc_target_assertion)) in
    (* [quanta] is the quantified formula. It quantifies [impla] over the
     * variables modified.
     *)
    let quanta =
      VarSet.fold
	(fun vi a -> new assertion (JCAquantifier(Forall,vi,[],a))) vs impla
    in
    (* [elima] is the quantifier free version of [quanta].
    *)
    if debug then
      printf "@[[finalize_target] quantified formula@\n%a@]@."
	Jc_output.assertion quanta;
    let elima = quantif_eliminate quanta inva in
    if debug then
      printf "@[[finalize_target] quantifier-free formula@\n%a@]@."
	Jc_output.assertion elima;
    let finala = mkconsistent elima in
    if contradictory finala patha then
      begin
	if Jc_options.debug then
	  printf "%a@[No inferred %s@."
	    Loc.report_position target.jc_target_location annot_name;
	None
      end
    else
      begin
	if Jc_options.debug then
	  printf "%a@[Inferring %s@\n%a@]@."
	    Loc.report_position target.jc_target_location
	    annot_name Jc_output.assertion finala;
	let finala = reg_annot ~pos ~anchor finala in
	Some finala
      end

let forget_mem_in_assertion curposts e1 fi dereft a =
  let mc,_ufi_opt = Jc_effect.deref_mem_class ~type_safe:true e1 fi in
  let mem = mc, e1#region in
  Jc_iterators.map_term_in_assertion
    (fun t ->
       if TermOrd.equal dereft t then t
       else
	 let ef = Jc_effect.term empty_effects t in
	 if Jc_effect.has_memory_effect ef mem then
	   let tmp = newvar t#typ in
	   add_inflexion_var curposts tmp;
	   new term_var tmp
	 else t
    ) a

let rec wp_expr weakpre =
  let var_of_term = Hashtbl.create 0 in
  (* Terms should be raw only. *)
  let unique_var_for_term t ty =
    try Hashtbl.find var_of_term t
    with Not_found ->
      let vi = Jc_pervasives.var ty (name_of_term t) in
      Hashtbl.add var_of_term t vi;
      vi
  in
  fun target e curposts ->
    let wp = wp_expr weakpre target in
    (* Do not let hints propagate too far *)
    let block_hint curposts =
      if target.jc_target_hint then
	{ curposts with jc_post_normal = None }
      else curposts
    in
(*     if debug then  *)
(*       printf "[wp_expr] %a@\n%a@\nfor stat %a@." Loc.report_position e#pos *)
(* 	(print_option Jc_output.assertion) curposts.jc_post_normal *)
(* 	Jc_output.expr target.jc_target_expr; *)
(*     if debug then  *)
(*       printf "[wp_expr] curposts is None? %b@."  *)
(* 	(curposts.jc_post_normal = None); *)
    let curposts = match e#node with
      | JCElet(v,e1opt,e2) ->
	  let curposts = wp e2 curposts in
	  let post =
	    match curposts.jc_post_normal, e1opt with
	      | None, _ -> None
	      | Some a, None -> Some a
	      | Some a, Some e1 ->
		  match Jc_effect.term_of_expr e1 with None -> Some a | Some t1 ->
		    let tv = new term_var v in
		    if !Jc_options.annotation_sem = AnnotWeakPre
		      || (!Jc_options.annotation_sem = AnnotStrongPre
			  && mem_term_in_assertion tv a)
		    then
		      let bop =
			equality_operator_of_type v.jc_var_info_type
		      in
		      let eq = new assertion (JCArelation(tv,bop,t1)) in
		      Some (Assertion.mkand [ eq; a ] ())
		    else Some a
	  in
	  let curposts = add_modified_var curposts v in
	  let curposts = { curposts with jc_post_normal = post } in
	  begin match e1opt with
	    | None -> curposts
	    | Some e1 -> wp e1 curposts
	  end
      | JCEassign_var(v,e1) ->
	  let tv = new term_var v in
	  let copyv = copyvar v in
	  let tv1 = new term_var copyv in
	  let post =
	    match curposts.jc_post_normal with None -> None | Some a ->
	      if !Jc_options.annotation_sem = AnnotWeakPre
		|| (!Jc_options.annotation_sem = AnnotStrongPre
		    && mem_term_in_assertion tv a)
	      then
		let a = replace_term_in_assertion tv tv1 a in
		match Jc_effect.term_of_expr e1 with None -> Some a | Some t1 ->
		  let bop = equality_operator_of_type v.jc_var_info_type in
		  let eq = new assertion (JCArelation(tv1,bop,t1)) in
		  Some (Assertion.mkand [ eq; a ] ())
	      else Some a
	  in
	  add_inflexion_var curposts copyv;
	  let curposts =
	    if is_function_level curposts || target.jc_target_hint then
	      curposts
	    else
	      (* Also add regular variable, for other branches in loop. *)
	      add_modified_var curposts v
	  in
	  let curposts = { curposts with jc_post_normal = post } in
	  wp e1 curposts
      | JCEassign_heap(e1,fi,e2) ->
	  let curposts = match Jc_effect.term_of_expr e1 with
	    | None -> curposts (* TODO *)
	    | Some t1 ->
		let dereft =
		  new term ~typ:fi.jc_field_info_type
		    (JCTderef(t1,LabelHere,fi))
		in
		let v = unique_var_for_term dereft fi.jc_field_info_type in
		let copyv = copyvar v in
		let tv1 = new term_var copyv in
		let post =
		  match curposts.jc_post_normal with None -> None | Some a ->
		    if !Jc_options.annotation_sem = AnnotWeakPre
		      || (!Jc_options.annotation_sem = AnnotStrongPre
			  && mem_term_in_assertion dereft a)
		    then
		      let a = forget_mem_in_assertion curposts e1 fi dereft a in
		      let a = replace_term_in_assertion dereft tv1 a in
		      match Jc_effect.term_of_expr e2 with
			| None -> Some a
			| Some t2 ->
			    let bop =
			      equality_operator_of_type fi.jc_field_info_type
			    in
			    let eq = new assertion (JCArelation(tv1,bop,t2)) in
			    Some (Assertion.mkand [ eq; a ] ())
		    else Some a
		in
		add_inflexion_var curposts copyv;
		let curposts =
		  if is_function_level curposts || target.jc_target_hint then
		    curposts
		  else
		    (* Also add regular variable, for other branches in loop. *)
		    add_modified_var curposts v
		in
		{ curposts with jc_post_normal = post }
	  in
	  wp e1 (wp e2 curposts)
(*       | JCEassert(_behav,Ahint,a) ->  *)
(* 	  (\* Hints are not to be used in wp computation, only added to help. *\) *)
(* 	  curposts *)
      | JCEassert(_behav,_asrt,a1) ->
(* 	  if target.jc_target_hint then *)
(* 	    curposts *)
(* 	  else *)
	    let f = atp_of_asrt a1 in
	    let fvars = Atp.fv f in
	    let varsets =
	      List.fold_left
		(fun acc s ->
		   Option_misc.map_default (fun t -> t :: acc) acc (Vwp.term s)
		) [] fvars
	    in
	    let varsets = TermSet.of_list varsets in
	    let post =
	      match curposts.jc_post_normal with None -> None | Some a ->
		if !Jc_options.annotation_sem = AnnotWeakPre
		  || (!Jc_options.annotation_sem = AnnotStrongPre
		      && mem_any_term_in_assertion varsets a)
		then
		  Some (Assertion.mkand [ a1; a ] ())
		else Some a
	    in
	    { curposts with jc_post_normal = post }
      | JCEblock sl ->
	  List.fold_right wp sl curposts
      | JCEif(test,etrue,efalse) ->
	  let curposts = block_hint curposts in
	  let tposts = wp etrue curposts in
	  let ta = asrt_of_expr test in
	  let tf = Option_misc.map_default atp_of_asrt Atp.True ta in
	  let fvars = Atp.fv tf in
	  let varsets =
	    List.fold_left
	      (fun acc s ->
		 Option_misc.map_default (fun t -> t :: acc) acc (Vwp.term s)
	      ) [] fvars
	  in
	  let varsets = TermSet.of_list varsets in

	  let tpost =
	    match tposts.jc_post_normal with None -> None | Some a ->
	      if !Jc_options.annotation_sem = AnnotWeakPre
		|| (!Jc_options.annotation_sem = AnnotStrongPre
		    && mem_any_term_in_assertion varsets a)
	      then
		match ta with None -> Some a | Some ta ->
		  Some (Assertion.mkand [ ta; a ] ())
	      else Some a
	  in
	  let fposts = wp efalse curposts in
	  let fpost =
	    match fposts.jc_post_normal with None -> None | Some a ->
	      let fa = Option_misc.map (fun a -> Assertion.mknot a ()) ta in
	      if !Jc_options.annotation_sem = AnnotWeakPre
		|| (!Jc_options.annotation_sem = AnnotStrongPre
		    && mem_any_term_in_assertion varsets a)
	      then
		match fa with None -> Some a | Some fa ->
		  Some (Assertion.mkand [ fa; a ] ())
	      else Some a
	  in
	  let post = match tpost,fpost with
	    | None,opta | opta,None -> opta
		(* TODO: add loc variable v with ta and not v with fa
		   to correctly implement wp *)
	    | Some ta,Some fa -> Some (Assertion.mkor [ta;fa] ())
	  in
	  let tvs,_ = pop_modified_vars tposts in
	  let fvs,_ = pop_modified_vars fposts in
	  let vs = VarSet.union tvs fvs in
	  let curposts = add_modified_vars curposts vs in
	  let curposts = { curposts with jc_post_normal = post } in
	  let curposts = wp test curposts in
	  block_hint curposts
      | JCEreturn_void ->
	  { curposts with jc_post_normal = None; }
      | JCEreturn(_ty,e1) ->
	  let curposts = { curposts with jc_post_normal = None } in
	  wp e1 curposts
      | JCEthrow(ei,e1opt) -> (* TODO: link with value caught *)
	  let post =
	    try Some (List.assoc ei curposts.jc_post_exceptional)
	    with Not_found -> None
	  in
	  let curposts = { curposts with jc_post_normal = post } in
	  begin match e1opt with None -> curposts | Some e1 ->
	    wp e1 curposts
	  end
      | JCEtry(body,handlers,_finally) ->
	  (* TODO: apply finally stmt to all paths. *)
	  let handlpostexcl,handlvs =
	    List.fold_left
	      (fun (curpostexcl,curvs) (ei,_vio,ehandler) ->
		 let excposts = wp ehandler curposts in
		 let curpostexcl = match excposts.jc_post_normal with
		   | None -> curpostexcl
		   | Some a -> (ei,a) :: curpostexcl
		 in
		 let excvs,_ = pop_modified_vars excposts in
		 let curvs = VarSet.union curvs excvs in
		 (curpostexcl,curvs)
	      ) ([],VarSet.empty) handlers
	  in
	  let curpostexcl =
	    List.filter
	      (fun (ei,_) ->
		 not (List.exists
			(fun (ej,_,_) ->
			   ei.jc_exception_info_tag = ej.jc_exception_info_tag
			) handlers)
	      ) curposts.jc_post_exceptional
	  in
	  let curpostexcl = handlpostexcl @ curpostexcl in
	  let tmpposts =
	    { curposts with jc_post_exceptional = curpostexcl; }
	  in
	  let bodyposts = wp body tmpposts in
	  let bodyvs,_ = pop_modified_vars bodyposts in
	  let vs = VarSet.union handlvs bodyvs in
	  let curposts = add_modified_vars curposts vs in
	  { curposts with jc_post_normal = bodyposts.jc_post_normal; }
      | JCEloop(annot,body) ->
	  let curposts = block_hint curposts in
	  let loops = weakpre.jc_weakpre_loops in
	  let loop_invariants = weakpre.jc_weakpre_loop_invariants in
	  Hashtbl.replace loops annot.jc_loop_tag e;
	  let curposts = { curposts with jc_post_normal = None } in
	  let loopposts = push_modified_vars curposts in
	  let loopposts =
	    match curposts.jc_post_normal with
	      | None -> wp body loopposts
	      | Some _ -> curposts
	  in
	  let inva =
	    Assertion.mkand
	      (List.fold_left
		 (fun acc (_,inv,_) ->
		    match inv with
		      | None -> acc
		      | Some a -> a :: acc)
		 [annot.jc_free_loop_invariant] annot.jc_loop_behaviors)
	      ()
	  in
	  let post =
	    match finalize_target
	      ~is_function_level:false ~pos:e#pos ~anchor:e#mark
	      loopposts target inva
	    with
	      | None -> None
	      | Some infera ->
		  target.jc_target_regular_invariant <- inva;
		  target.jc_target_assertion <- infera;
		  begin try
		    let a = Hashtbl.find loop_invariants annot.jc_loop_tag in
		    Hashtbl.replace loop_invariants annot.jc_loop_tag
		      (Assertion.mkand [a; infera] ())
		  with Not_found ->
		    Hashtbl.add loop_invariants annot.jc_loop_tag infera
		  end;
		  let inita = initialize_target loopposts target in
		  Some inita
	  in
	  let curposts = { curposts with jc_post_normal = post; } in
	  block_hint curposts

	    (*       | JCEapp call ->  *)
	    (* 	  let curposts = wp_expr weakpre target s curposts in *)
	    (* 	  let vit = new term_var vi in *)
	    (* 	  let copyvi = copyvar vi in *)
	    (* 	  let t1 = new term_var copyvi in *)
	    (* 	  let post = match curposts.jc_post_normal with *)
	    (* 	    | None -> None *)
	    (* 	    | Some a -> Some(replace_term_in_assertion vit t1 a) *)
	    (* 	  in *)
	    (* 	  add_inflexion_var curposts copyvi; *)
	    (* 	  let curposts =  *)
	    (* 	    if is_function_level curposts then curposts *)
	    (* 	    else *)
	    (* 	      (\* Also add regular variable, for other branches in loop. *\) *)
	    (* 	      add_modified_var curposts vi  *)
	    (* 	  in *)
	    (* 	  { curposts with jc_post_normal = post; } *)
      | JCEapp _call ->
(* 	  let curposts = wp e curposts in *)
	  curposts
      | JCEvar _
      | JCEconst _ ->
	  curposts
      | JCEderef(e1,_)
      | JCEunary(_,e1)
      | JCEalloc(e1,_)
      | JCEaddress(_,e1)
      | JCEoffset(_,e1,_)
      | JCEbase_block(e1)
      | JCEreal_cast(e1,_)
      | JCErange_cast(e1,_)
      | JCEbitwise_cast(e1,_)
      | JCEinstanceof(e1,_)
      | JCEcast(e1,_)
      | JCEunpack(_,e1,_)
      | JCEpack(_,e1,_)
      | JCEfree e1 ->
	  wp e1 curposts
      | JCEshift(e1,e2)
      | JCEbinary(e1,_,e2) ->
	  wp e1 (wp e2 curposts)
      | JCEfresh _ -> assert false
      | JCEcontract _ -> assert false (* TODO *)
      | JCEmatch _ -> assert false (* TODO *)
    in
    if e == target.jc_target_expr then
      let inita = initialize_target curposts target in
      assert (curposts.jc_post_normal = None);
      if debug then
	printf "[wp_expr] found target %a@\n%a@." Loc.report_position e#pos
	  Jc_output.assertion inita;
      { curposts with jc_post_normal = Some inita; }
    else curposts

and record_wp_loop_invariants weakpre =
  let loop_invariants = weakpre.jc_weakpre_loop_invariants in
  Hashtbl.iter
    (fun _tag e ->
       let annot = match e#node with
	 | JCEloop(annot,_body) -> annot
	 | _ -> assert false
       in
       begin try
	 let a = Hashtbl.find loop_invariants annot.jc_loop_tag in
	 let a = simplify a in
	   (* 	   nb_conj_atoms_inferred := !nb_conj_atoms_inferred + nb_conj_atoms a; *)
	   (* 	   incr nb_loop_inv; *)
	 printf
	  "%a@[Inferring backward loop invariant for function %s:@\n%a@]@."
	   Loc.report_position e#pos
	   weakpre.jc_weakpre_function.jc_fun_info_name
	   Jc_output.assertion a;
	 (* Register loop invariant as such *)
	 let a = reg_annot ~pos:e#pos ~anchor:e#mark a in
	 annot.jc_loop_behaviors <-
	   ([], Some a, None) :: annot.jc_loop_behaviors;
       with Not_found -> () end
    ) weakpre.jc_weakpre_loops

let wp_function targets funpre (f,pos,spec,body) =
  if debug then printf "[wp_function] %s@." f.jc_fun_info_name;
  let weakpre = {
    jc_weakpre_function = f;
    jc_weakpre_loops = Hashtbl.create 3;
    jc_weakpre_loop_invariants = Hashtbl.create 3;
  } in
  let infer_req = ref [] in
  List.iter
    (fun target ->
       if Jc_options.debug then
	 printf "%a@[Infer precondition for assertion:@\n%a@]\
@\n@[under invariant:@\n%a@\nand:@\n%a@]@."
	   Loc.report_position target.jc_target_location
	   Jc_output.assertion target.jc_target_assertion
	   Jc_output.assertion target.jc_target_regular_invariant
	   Jc_output.assertion target.jc_target_propagated_invariant;
       let initposts = {
	 jc_post_normal = None;
	 jc_post_exceptional = [];
	 jc_post_modified_vars = [];
	 jc_post_inflexion_vars = ref VarSet.empty;
       } in
       let initposts = push_modified_vars initposts in
       let posts = match !Jc_options.annotation_sem with
	 | AnnotNone | AnnotInvariants ->
	     assert false (* [wp_function] should not be called *)
	 | AnnotElimPre ->
	     if target.jc_target_hint then
	       initposts
	     else
	       (* Directly eliminate modified variables *)
	       let vs1 =
		 collect_free_vars target.jc_target_regular_invariant
	       in
	       let vs2 = collect_free_vars target.jc_target_assertion in
	       let vs = VarSet.union vs1 vs2 in
	       let qvs =
		 VarSet.filter
		   (fun v ->
		      (not (v.jc_var_info_static || v.jc_var_info_formal))
		      || v.jc_var_info_assigned
		   ) vs
	       in
	       let curposts = add_modified_vars initposts qvs in
	       let inita = initialize_target curposts target in
	       { curposts with jc_post_normal = Some inita }
	 | AnnotWeakPre | AnnotStrongPre ->
	     (* Compute weakest precondition of formula *)
	     wp_expr weakpre target body initposts
       in
       match finalize_target ~is_function_level:true ~pos
	 ~anchor:f.jc_fun_info_name posts target funpre
       with
	 | None -> () (* precondition inconsistant or redundant *)
	 | Some infera -> (* valid precondition *)
	     infer_req := infera :: !infer_req
    ) targets;
  record_wp_loop_invariants weakpre;
  (* Remove redundancy in precondition inferred *)
  let inferred = simplify (Assertion.mkand !infer_req ()) in
  if Assertion.is_false inferred then () else
    begin
      spec.jc_fun_requires <-
	Assertion.mkand [ spec.jc_fun_requires; inferred ] ();
      printf "@[Inferring precondition for function %s:@\n%a@]@."
	f.jc_fun_info_name Jc_output.assertion inferred
    end


(*****************************************************************************)
(* Collecting assertions.                                                    *)
(*****************************************************************************)

let target_of_assertion ?(hint=false) s loc a =
  {
    jc_target_expr = s;
    jc_target_hint = hint;
    jc_target_location = loc;
    jc_target_assertion = a;
    jc_target_regular_invariant = Assertion.mkfalse ();
    jc_target_propagated_invariant = Assertion.mkfalse ();
  }

(* Collect safety assertions from the evaluation of expression [e].
 * Currently, 3 kinds of assertions are collected, that check for:
 * - memory safety
 * - no integer overflows
 * - no division by zero
 *)
let collect_expr_targets e =

  (* Normalization applied on targets to make them more amenable to
     annotation inference. As such, no invariant can be deduced from these
     modified targets, so any heuristic can be applied here to transform
     the target assertions *)
  let normalize_term t =
    Jc_iterators.map_term
      (fun t ->
	 let tnode = match t#node with
	   | JCToffset(off,t',st) ->
	       begin match destruct_pointer t' with
		 | None ->
		     JCToffset(off,t',st)
		 | Some(t1,t2) ->
		     let offt1 =
		       new term_with ~node:(JCToffset(off,t1,st)) t
		     in
		     JCTbinary(offt1,(`Bsub,`Integer),t2)
	       end
	   | JCTapp app as tnode ->
	       if app.jc_app_fun.jc_logic_info_name = "strlen" then
		 let t1 = match app.jc_app_args with
		   | [t1] -> t1
		   | _ -> assert false
		 in
		 match destruct_pointer t1 with
		   | None -> tnode
		   | Some(tptr,offt) ->
		       let app = { app with jc_app_args = [tptr] } in
		       let tapp = new term_with ~node:(JCTapp app) t in
		       JCTbinary(tapp,(`Bsub,`Integer),offt)
	       else tnode
	   | tnode -> tnode
	 in
	 new term_with ~node:tnode t) t
  in
  let normalize_target a =
    let a = Jc_iterators.map_term_in_assertion normalize_term a in
    implicit_cnf a
  in

  (* Collect memory safety assertions. *)
  let collect_memory_access e1 _fi =
    match Jc_effect.term_of_expr e1 with None -> [] | Some t1 ->
      let ptrt, offt = match destruct_pointer t1 with
	| None -> t1, None
	| Some(ptrt,offt) -> ptrt, Some offt
      in
      let offt = match offt with
	| None -> new term ~typ:integer_type (JCTconst(JCCinteger"0"))
	| Some offt -> offt
      in
      let st = pointer_struct ptrt#typ in
      let mint = new term ~typ:integer_type (JCToffset(Offset_min,ptrt,st)) in
      let maxt = new term ~typ:integer_type (JCToffset(Offset_max,ptrt,st)) in
      let mina = new assertion(JCArelation(mint,(`Ble,`Integer),offt)) in
      let maxa = new assertion(JCArelation(offt,(`Ble,`Integer),maxt)) in
      [mina;maxa]
  in
  (* Collect absence of integer overflow assertions. *)
  let collect_integer_overflow ei e1 =
    match Jc_effect.term_of_expr e1 with None -> [] | Some t1 ->
      let mint = new term ~typ:integer_type
	(JCTconst (JCCinteger (Num.string_of_num ei.jc_enum_info_min)))
      in
      let maxt = new term ~typ:integer_type
	(JCTconst(JCCinteger (Num.string_of_num ei.jc_enum_info_max)))
      in
      let mina = new assertion (JCArelation (mint, (`Ble,`Integer), t1)) in
      let maxa = new assertion (JCArelation (t1, (`Ble,`Integer), maxt)) in
      [mina; maxa]
  in
  (* Collect absence of division by zero assertions. *)
  let collect_zero_division e =
    match Jc_effect.term_of_expr e with None -> [] | Some t ->
      let zero = new term ~typ:integer_type (JCTconst(JCCinteger "0")) in
      [new assertion(JCArelation(t,(`Bneq,`Integer),zero))]
  in
  let collect_asserts e =
    let asrts = match e#node with
      | JCEderef(e1,fi) -> collect_memory_access e1 fi
      | JCErange_cast(e1,ei) ->
	  if !Jc_options.int_model = IMbounded then
	    collect_integer_overflow ei e1
	  else []
      | JCEbinary(_,(`Bdiv,`Integer),e2) -> collect_zero_division e2
      | JCEapp call ->
	  let fi = match call.jc_call_fun with
	    | JCfun f -> f
	    | _ -> assert false
	  in
	  let els = call.jc_call_args in
	  let _,_,fs,_ =
            IntHashtblIter.find Jc_typing.functions_table fi.jc_fun_info_tag
          in
          (* Collect preconditions of functions called. *)
          let reqa = fs.jc_fun_requires in
          let reqa =
	    List.fold_left2
	      (fun a (_,param) arg ->
		 match Jc_effect.term_of_expr arg with
		   | None -> Assertion.mktrue ()
		   | Some targ ->
		       replace_term_in_assertion (new term_var param) targ a
	      ) reqa fi.jc_fun_info_parameters els
          in
	  let reqa = regionalize_assertion reqa call.jc_call_region_assoc in
          conjuncts reqa
      | JCEassert(_,Ahint, _a) ->
	  (* Hints are not to be proved by abstract interpretation,
	     only added to help it. *)
	  []
      | JCEassert(_,_, a) ->
	  (* Consider separately each conjunct in a conjunction. *)
	  conjuncts a
      | JCEassign_heap (e1, fi, _e2) ->
	  collect_memory_access e1 fi
      | JCElet(_,None,_) | JCEblock _ | JCEif _ | JCEtry _ | JCEloop _
      | JCEreturn_void | JCEreturn _ | JCEthrow _
      | JCElet _ | JCEassign_var _ | JCEfresh _ 
      | JCEpack _ | JCEunpack _ | JCEshift _ | JCEmatch _ | JCEfree _
      | JCEalloc _ | JCEoffset _ | JCEreal_cast _ | JCEinstanceof _
      | JCEunary _ | JCEvar _ | JCEconst _ | JCEcast _ | JCEbinary _
      | JCEbitwise_cast _ | JCEaddress _ | JCEbase_block _ ->
	  []
      | JCEcontract _ -> assert false (* TODO *)
    in
    let asrts = List.filter (fun a -> not (is_constant_assertion a)) asrts in
    let asrts = List.map normalize_target asrts in
    List.map (target_of_assertion e e#pos) asrts
  in
  let collect_hints e =
    let asrts = match e#node with
      | JCEassert(_,Ahint, a) -> [ a ]
      | _ -> []
    in
    let asrts = List.map normalize_target asrts in
    List.map (target_of_assertion ~hint:true e e#pos) asrts
  in
  let collect e = collect_asserts e @ collect_hints e in
  Jc_iterators.IExpr.fold_left (fun acc e -> collect e @ acc) [] e

let rec collect_targets filter_asrt _targets s =
  let candidates = List.rev (collect_expr_targets s) in
  List.filter (fun target -> filter_asrt target.jc_target_assertion) candidates


let pointer_terms_table = ref (Hashtbl.create 0)

let set_equivalent_terms t1 t2 =
  let tl =
    try
      Hashtbl.find !pointer_terms_table t2#node
    with Not_found -> []
  in
  let tl = List.filter (fun t -> t <> t1) tl in
  Hashtbl.replace !pointer_terms_table t1#node (t2 :: tl)


(*****************************************************************************)
(* Augmenting loop invariants.                                               *)
(*****************************************************************************)

let collect_immediate_targets targets s =
  (* Special version of [fold_expr] different from the one
   * in [Jc_iterators] in that fpost is called after the body expr
   * of the try block.
   *)
  let rec fold_expr fpre fpost acc s =
    let ite = fold_expr fpre fpost in
    let acc = fpre acc s in
    let acc = match s#node with
      | JCEconst _
      | JCEvar _
      | JCEreturn_void ->
	  acc
      | JCEthrow(_exc,e1_opt) ->
	  Option_misc.fold_left ite acc e1_opt
      | JCEbinary(e1,_,e2)
      | JCEshift(e1,e2)
      | JCEassign_heap(e1,_,e2) ->
	  let acc = ite acc e1 in
	  ite acc e2
      | JCEunary(_,e1)
      | JCEderef(e1,_)
      | JCEoffset(_,e1,_)
      | JCEaddress(_,e1)
      | JCEbase_block(e1)
      | JCEcast(e1,_)
      | JCEbitwise_cast(e1,_)
      | JCErange_cast(e1,_)
      | JCEinstanceof(e1,_)
      | JCEreal_cast(e1,_)
      | JCEunpack(_,e1,_)
      | JCEpack(_,e1,_)
      | JCEassign_var(_,e1)
      | JCEalloc(e1,_)
      | JCEfree e1
      | JCEfresh e1
      | JCEreturn(_,e1) ->
	  ite acc e1
      | JCElet(_,e1_opt,e2) ->
	  let acc = Option_misc.fold_left ite acc e1_opt in
	  ite acc e2
      | JCEapp call ->
	  List.fold_left ite acc call.jc_call_args
      | JCEif(e1,e2,e3) ->
	  let acc = ite acc e1 in
	  let acc = ite acc e2 in
	  ite acc e3
      | JCEmatch(e, ptl) ->
	  let acc = ite acc e in
	  List.fold_left (fun acc (_, e) -> ite acc e) acc ptl
      | JCEblock el ->
	  List.fold_left ite acc el
      | JCEtry(e1,catches,finally) ->
	  let acc = ite acc e1 in
	  let acc =
	    List.fold_left (fun acc (_exc,_vi_opt,e) -> ite acc e) acc catches
	  in
	  ite acc finally
      | JCEassert(_behav,_asrt,_a) ->
	  acc
      | JCEloop(_la,e1) ->
	  ite acc e1
      | JCEcontract(_a_opt,_t_opt,_v,_behavs,e) ->
	  ite acc e
    in
    fpost acc s
  in

  (* First checks at start of function should be selected *)
  let in_select_zone = ref true in

  let select_pre acc s =
    match s#node with
      | JCEassert(_behav,Ahint,a) ->
  	  if debug then printf "[select_pre] consider target@.";
  	  if debug then printf "[select_pre] in zone ? %b@." !in_select_zone;
  	  if !in_select_zone then
	    let al =
	      List.filter (fun a -> not (is_constant_assertion a)) (conjuncts a)
	    in
  	    let targets = List.map (target_of_assertion s s#pos) al in
  	    if debug then printf "[select_pre] adding in_zone target@.";
  	    targets@acc
  	  else acc
      | JCEloop _ ->
  	  if debug then printf "[select_pre] in_zone true@.";
  	  in_select_zone := true; acc
      | JCEassert _ | JCEshift _ |JCEcontract _ | JCEfree _ | JCEalloc _
      | JCEaddress _ | JCEoffset _ | JCEreal_cast _ | JCErange_cast _
      | JCEbitwise_cast _ | JCEcast _ | JCEinstanceof _ | JCEunary _
      | JCEbinary _ | JCEderef _ | JCEvar _ |JCEconst _
      | JCElet _ | JCEblock _ | JCEassign_var _
      | JCEassign_heap _ | JCEpack _ | JCEunpack _ | JCEtry _
      | JCEfresh _ 
      | JCEbase_block _ ->
          (* Allowed with [JCEtry] thanks to patched [fold_expr]. *)
  	  acc
      | JCEapp _ | JCEif _ | JCEreturn _ | JCEthrow _
      | JCEreturn_void | JCEmatch _ ->
  	  if debug then printf "[select_pre] in_zone false@.";
  	  in_select_zone := false; acc
  in

  let select_post acc s =
    match s#node with
      | JCEloop _ ->
  	  if debug then printf "[select_post] in_zone false@.";
  	  in_select_zone := false; acc
      | _ -> acc
  in
  fold_expr select_pre select_post targets s

let rec backprop_expr target s curpost =
  if debug then
    printf "[backprop_expr] %a@." Loc.report_position s#pos;
  let curpost = match s#node with
    | JCElet(vi,eo,s) ->
	let curpost = backprop_expr target s curpost in
	begin match curpost with None -> None | Some a ->
	  match eo with None -> Some a | Some e ->
	    match Jc_effect.term_of_expr e with None -> Some a | Some t2 ->
	      let t1 = new term_var vi in
	      Some(replace_term_in_assertion t1 t2 a)
	end
    | JCEassign_var(vi,e) ->
	begin match curpost with None -> None | Some a ->
	  match Jc_effect.term_of_expr e with None -> Some a | Some t2 ->
	    let t1 = new term_var vi in
	    Some(replace_term_in_assertion t1 t2 a)
	end
    | JCEblock sl ->
	List.fold_right (backprop_expr target) sl curpost
    | JCEreturn_void | JCEreturn _ | JCEthrow _ ->
	assert (curpost = None); curpost
    | JCEtry(s,hl,fs) ->
	assert (curpost = None);
	let curpost = backprop_expr target fs None in
	assert (curpost = None);
        List.iter (fun (_,_,s) ->
  		     let curpost = backprop_expr target s None in
		     assert (curpost = None);
		  ) hl;
	backprop_expr target s None
    | JCEloop(la,ls) ->
	let curpost = backprop_expr target ls curpost in
	begin
          match curpost with None -> () | Some propa ->
	    let inva =
	      Assertion.mkand
		(List.fold_left
		   (fun acc (_,inv,_) ->
		      match inv with
			| None -> acc
			| Some a -> a :: acc)
		   [] la.jc_loop_behaviors)
		()
	    in
	    if not (contradictory propa inva) then
              begin
                if Jc_options.debug then
                  printf
	            "%a@[Back-propagating loop invariant@\n%a@]@."
                    Loc.report_position s#pos
                    Jc_output.assertion propa;
	        la.jc_loop_behaviors <-
		  ([],Some propa, None) :: la.jc_loop_behaviors
              end
	end;
	None
	  (*     | JCEcall(_,_,s) -> *)
	  (* 	assert (curpost = None); *)
	  (* 	let curpost = backprop_expr target s None in *)
	  (* 	assert (curpost = None); curpost *)
    | JCEif(_,ts,fs) ->
	assert (curpost = None);
	let curpost = backprop_expr target ts None in
	assert (curpost = None);
	let curpost = backprop_expr target fs None in
	assert (curpost = None); None
    | JCEassign_heap _ | JCEassert _ | JCEpack _ | JCEunpack _
    | JCEshift _ |JCEcontract _ | JCEfree _ | JCEalloc _
    | JCEaddress _ | JCEoffset _ | JCEreal_cast _ | JCErange_cast _
    | JCEbitwise_cast _ | JCEcast _ | JCEinstanceof _ | JCEunary _
    | JCEfresh _ 
    | JCEbinary _ | JCEderef _ | JCEvar _ |JCEconst _ | JCEbase_block _ ->
	curpost
    | JCEmatch _ | JCEapp _ ->
	assert (curpost = None);
	curpost
  in
  if s == target.jc_target_expr then
    begin
      assert (curpost = None);
      Some target.jc_target_assertion
    end
  else curpost

let backprop_function targets (_fi,_fs,sl) =
  if debug then printf "[backprop_function]@.";
  List.iter (fun target ->
	       ignore(backprop_expr target sl None)
	    ) targets


(*****************************************************************************)
(* Performing abstract interpretation.                                       *)
(*****************************************************************************)

let apply_to_current_invariant ?(propagated=false) f curinvs =
  let normal = curinvs.jc_absinv_normal in
  let prop = normal.jc_absval_propagated in
  (* Always apply transformation to propagated invariant *)
  let curinvs =
    { curinvs with jc_absinv_normal =
	{ normal with jc_absval_propagated = f prop } }
  in
  (* Selectively apply transformation to regular invariant *)
  if propagated then curinvs else
    let normal = curinvs.jc_absinv_normal in
    let pre = normal.jc_absval_regular in
    { curinvs with jc_absinv_normal =
	{ normal with jc_absval_regular = f pre } }

let simple_test_assertion mgr a pre =
  let env = Abstract1.env pre in
  let rec extract_environment_and_dnf env a =
    match a#node with
      | JCAtrue -> env,Dnf.true_
      | JCAfalse -> env,Dnf.false_
      | _ when is_constant_assertion a ->
	  (* 'constant' assertions (eg: 0 <= 1) do not have to be tested
	     (Nicolas) *)
	  env,Dnf.true_
      | JCArelation (t1, (`Bneq,`Integer), t2) ->
	  let infa = new assertion (JCArelation(t1, (`Blt,`Integer), t2)) in
	  let supa = new assertion (JCArelation(t1, (`Bgt,`Integer), t2)) in
	  let env, dnf1 = extract_environment_and_dnf env infa in
	  let env, dnf2 = extract_environment_and_dnf env supa in
	  env, Dnf.make_or [dnf1; dnf2]
      | JCArelation (t1, bop, t2) ->
	  if bop = (`Beq,`Pointer) then set_equivalent_terms t1 t2;
	  let env, dnf = linstr_of_assertion env a in
	  if debug then
	    Format.printf "Dnf %a@." Dnf.print dnf;
	  env, dnf
      | JCAand al ->
	  List.fold_left
	    (fun (env,dnf1) a ->
	       let env,dnf2 = extract_environment_and_dnf env a in
	       env,Dnf.make_and [dnf1;dnf2]
	    ) (env,Dnf.true_) al
      | JCAor al ->
	  List.fold_left
	    (fun (env,dnf1) a ->
	       let env,dnf2 = extract_environment_and_dnf env a in
	       env,Dnf.make_or [dnf1;dnf2]
	    ) (env,Dnf.false_) al
      | JCAnot a ->
	  let nota = not_asrt a in
	  begin match nota#node with
	    | JCAnot _ -> env, Dnf.true_
	    | _ -> extract_environment_and_dnf env nota
	  end
      | JCAapp app ->
	  begin match unfolding_of_app app with
	    | Some a -> extract_environment_and_dnf env a
	    | None -> env, Dnf.true_
	  end
      | JCAimplies _ | JCAiff _
      | JCAquantifier _ | JCAold _ | JCAat _ | JCAinstanceof _ | JCAbool_term _
      | JCAif _ | JCAmutable _ | JCAeqtype _ | JCAsubtype _ | JCAmatch _
      | JCAlet _ | JCAfresh _ -> env,Dnf.true_
  in
  let env, dnf = extract_environment_and_dnf env a in
  let pre = Abstract1.change_environment mgr pre env false in
  Dnf.test mgr pre dnf

let test_expr ~(neg:bool) mgr e pre =
  match asrt_of_expr e with None -> pre | Some a ->
    let a = if neg then not_asrt a else a in
    simple_test_assertion mgr a pre

(* Assigns expression [e] to abstract variable [va] in abstract value [pre]. *)
let assign_integer_variable mgr t e pre =
  let va = Vai.integer_variable t in
  let env0 = Abstract1.env pre in
  let env =
    if Environment.mem_var env0 va then env0
    else Environment.add env0 [|va|] [||]
  in
  match linstr_of_expr env e with
    | Some (env, str) ->
	if debug then printf "[assign_variable] str %s@." str;
	(* Assignment can be treated precisely. *)
	let lin =
	  try Parser.linexpr1_of_string env str
	  with Parser.Error msg -> printf "%s@." msg; assert false
	in
	let pre = Abstract1.change_environment mgr pre env false in
	Abstract1.assign_linexpr mgr pre va lin None
    | None ->
	if debug then printf "[assign_variable] no str@.";
	(* Try over-approximate treatment of assignment. *)
	let pre =
	  if Environment.mem_var env0 va then
	    Abstract1.forget_array mgr pre [|va|] false
	  else pre
	in
	match Jc_effect.term_of_expr e with
	  | Some te ->
	      (* Assignment treated as an equality test. *)
	      let t = Vai.term va in
	      let a = new assertion(JCArelation(t,(`Beq,`Integer),te)) in
	      simple_test_assertion mgr a pre
	  | None ->
	      (* Assignment treated as a forget operation. *)
	      pre

let assign_offset_variable mgr va ok e pre =
  let env0 = Abstract1.env pre in
  let env =
    if Environment.mem_var env0 va then env0
    else Environment.add env0 [|va|] [||]
  in
  let forget_vars = [] in
  let forget_vars = Array.of_list forget_vars in
  let pre = Abstract1.forget_array mgr pre forget_vars false in
  match offset_linstr_of_expr env ok e with
    | Some(env,str) ->
	(* Assignment can be treated precisely. *)
	let lin =
	  try Parser.linexpr1_of_string env str
	  with Parser.Error msg -> printf "%s@." msg; assert false
	in
	let pre = Abstract1.change_environment mgr pre env false in
	Abstract1.assign_linexpr mgr pre va lin None
    | None ->
	(* Assignment treated as a forget operation. *)
	if Environment.mem_var env0 va then
	  Abstract1.forget_array mgr pre [|va|] false
	else pre

let assign_pointer_variables mgr t e pre =
  let vmin = Vai.offset_min_variable t in
  let vmax = Vai.offset_max_variable t in
  let pre = assign_offset_variable mgr vmin Offset_min_kind e pre in
  assign_offset_variable mgr vmax Offset_max_kind e pre

let assign_expr mgr t e pre =
  (* Choice: terms that depend on the term assigned to are removed from
     the abstract value -before- treating the assignment. *)
  let env = Abstract1.env pre in
  let integer_vars = Array.to_list (fst (Environment.vars env)) in
  let forget_vars = List.filter
    (fun va' ->
       let t' = Vai.term va' in
       (not (TermOrd.equal t t'))
       && term_syntactic_dependence ~of_term:t' ~on_term:t
    ) integer_vars
  in
  let forget_vars = Array.of_list forget_vars in
  let pre = Abstract1.forget_array mgr pre forget_vars false in
  (* Propagate knowledge on abstract variables on the rhs of the assignment
     to equivalent abstract variables on the lhs. *)
  let pre = match Jc_effect.term_of_expr e with
    | None -> pre
    | Some te ->
	let constr_vars = List.filter
	  (fun va ->
	     not (Abstract1.is_variable_unconstrained mgr pre va)
	  ) integer_vars
	in
	List.fold_left
	  (fun pre va' ->
	     let t' = Vai.term va' in
	     if raw_strict_sub_term te t' then
	       let lhst =
		 replace_term_in_term ~source:te ~target:t t'
	       in
	       let a = new assertion (JCArelation (lhst, (`Beq,`Integer), t')) in
	       simple_test_assertion mgr a pre
	     else pre
	  ) pre constr_vars
  in
  (* special case: t1 : pointer = t2 : pointer *)
(*   begin *)
(*     try  *)
(*       let t1 = t in *)
(*       let t2 = Jc_effect.term_of_expr e in *)
(*       match t1#typ, t2#typ with *)
(* 	| JCTpointer _, JCTpointer _ ->  *)
(* 	    set_equivalent_terms t1 t2 *)
(* 	| _ -> () *)
(*     with _ -> ()  *)
(*   end; *)
  (* Assign abstract variables. *)
  let pre =
    if is_integral_type t#typ then
      assign_integer_variable mgr t e pre
    else if is_pointer_type t#typ then
      assign_pointer_variables mgr t e pre
    else pre
  in pre

let assign_heap mgr e1 fi pre =
  if debug then
    printf "[assign_heap]%a@." Region.print e1#region;
  if !Jc_options.separation_sem = SepRegions then
    assert (not (is_dummy_region e1#region));
  let env = Abstract1.env pre in
  let integer_vars = Array.to_list (fst (Environment.vars env)) in

  let mc,_ufi_opt = Jc_effect.deref_mem_class ~type_safe:true e1 fi in
  let mem = mc, e1#region in

  let forget_vars = List.filter
    (fun va ->
       let t = Vai.term va in
(*        let is_deref_field t = match t#node with *)
(* 	 | JCTderef(_,_,fi') -> FieldOrd.equal fi fi' *)
(* 	 | _ -> false *)
(*        in *)
(*        let rec has_memory acc t = *)
(* 	 if acc ||  *)
(* 	   (is_deref_field t && *)
(* 	      (not (!Jc_options.separation_sem = SepRegions) *)
(* 	       || Region.equal t#region r)) then *)
(* 	     (\* cont = *\)false,(\* acc = *\)true *)
(* 	 else *)
(* 	   match t#node with *)
(* 	     | JCToffset(_,t',_) -> false,has_sub_memory acc t' *)
(* 	     | _ -> true,acc *)
(*        and has_sub_memory acc t = *)
(* 	 fold_sub_term fold_rec_term has_memory acc t *)
(*        in *)
(*        let res = fold_rec_term has_memory false t in *)
       let ef = Jc_effect.term empty_effects t in
       let res = Jc_effect.has_memory_effect ef mem in
       if debug then
	 printf "[assign_heap]%a:%b@." Var.print va res;
       res
    ) integer_vars
  in
  let forget_vars = Array.of_list forget_vars in
  Abstract1.forget_array mgr pre forget_vars false

let test_assertion ?propagated mgr a curinvs =
  apply_to_current_invariant ?propagated (simple_test_assertion mgr a) curinvs

let test_expr ~(neg:bool) mgr e curinvs =
  apply_to_current_invariant (test_expr ~neg mgr e) curinvs

let assign_integer_variable mgr t e curinvs =
  apply_to_current_invariant (assign_integer_variable mgr t e) curinvs

let assign_pointer_variables mgr t e curinvs =
  apply_to_current_invariant (assign_pointer_variables mgr t e) curinvs

let assign_expr mgr t e curinvs =
  apply_to_current_invariant (assign_expr mgr t e) curinvs

let assign_heap mgr e1 fi _topt curinvs =
  apply_to_current_invariant (assign_heap mgr e1 fi) curinvs

let keep_extern mgr fi post =
  let integer_vars =
    Array.to_list (fst (Environment.vars (Abstract1.env post)))
  in
  let to_duplicate t =
    Jc_iterators.fold_term
      (fun (acc1, acc2) t -> try
	 let tl = Hashtbl.find !pointer_terms_table t#node in
	 t :: acc1, tl :: acc2
       with Not_found -> acc1, acc2)
      ([], []) t
  in
  let integer_vars, strl =
    List.fold_left
      (fun (acc1, acc2) va ->
	 try
	   let t = Vai.term va in
	   let tl1, tl2 = to_duplicate t in
	   let tl = List.fold_left2
	     (fun acc t1 tl ->
		if t1 == t then acc else
		  (List.map (fun t2 -> replace_term_in_term t1 t2 t) tl) @ acc)
	     [] tl1 tl2
	   in
	   let vars = List.map Vai.integer_variable tl in
	   let vars = List.filter (fun va -> not (List.mem va acc1)) vars in
	   let vars = List.fold_left
	     (fun acc va -> if (List.mem va acc) then acc else va :: acc)
	     [] vars
	   in
	   let strl = List.map
	     (fun v -> (Var.to_string v) ^ "=" ^ (Var.to_string va))
	     vars
	   in
	   vars @ acc1, strl @ acc2
	 with Not_found -> acc1, acc2)
      (integer_vars, []) integer_vars
  in
  let env = try Environment.make (Array.of_list integer_vars) [||]
  with Failure msg -> printf "%s@." msg; assert false in
  let post = Abstract1.change_environment mgr post env false in
  let lincons = Parser.lincons1_of_lstring env strl in
  let post = meet mgr post (Abstract1.of_lincons_array mgr env lincons) in
  let term_has_local_var t =
    Jc_iterators.fold_term
      (fun acc t -> match t#node with
	 | JCTvar vi ->
	     acc || (not vi.jc_var_info_static  &&
		       not (vi == fi.jc_fun_info_result) &&
		       not (List.exists (fun (_,v) -> vi == v) fi.jc_fun_info_parameters))
	 | _ -> acc
      ) false t
  in
  let extern_vars =
    List.filter (fun va ->
		   let t = Vai.term va in not (term_has_local_var t)
		) integer_vars
  in
  let extern_vars = Array.of_list extern_vars in
  let extern_env = Environment.make extern_vars [||] in
  Abstract1.change_environment mgr post extern_env false

let find_target_assertions targets e =
  List.fold_left
    (fun acc target ->
       if target.jc_target_expr == e then target :: acc else acc
    ) [] targets

let return_abstract_value mgr postret e absval1 =
  let key = e in
  try
    let absval2 = Hashtbl.find postret key in
    let absval = join_abstract_value mgr absval2 absval1 in
    Hashtbl.replace postret key absval
  with Not_found ->
    Hashtbl.replace postret key absval1

let rec ai_inter_function_call _mgr _iai _abs _pre _fi _loc _fs _sl _el =
  assert false
    (*   let pre,formal_vars = *)
    (*     List.fold_left2 *)
    (*       (fun (pre,acc) vi e -> *)
    (* 	 let t = new term_var vi in *)
    (* 	 let pre,acc = if Vai.has_variable t then *)
    (* 	   let va = Vai.variable t in *)
    (* 	   assign_variable mgr va e pre, *)
    (* 	   va :: acc else pre,acc  *)
    (* 	 in *)
    (* 	 let pre,acc = if Vai.has_offset_min_variable t then *)
    (* 	   let va = Vai.offset_min_variable t in *)
    (* 	     assign_offset_variable mgr va Offset_min_kind e pre, *)
    (* 	     va :: acc else pre,acc  *)
    (* 	 in *)
    (* 	 let pre,acc = if Vai.has_offset_max_variable t then *)
    (* 	   let va = Vai.offset_max_variable t in *)
    (* 	     assign_offset_variable mgr va Offset_max_kind e pre, *)
    (* 	   va :: acc else pre,acc  *)
    (* 	 in *)
    (*          pre,acc) *)
    (*       (pre,[]) fi.jc_fun_info_parameters el *)
    (*   in *)
    (*   let formal_vars = List.filter (fun v -> not (Environment.mem_var (Abstract1.env pre) v)) formal_vars in *)
    (*   let formal_vars = Array.of_list formal_vars in *)
    (*   let env = try Environment.add (Abstract1.env pre) formal_vars [||] with _ -> assert false in *)
    (*   let pre = keep_extern mgr fi pre in *)
    (*   let pre = try Abstract1.change_environment mgr pre env false with _ -> assert false in *)
    (*   let function_pre =  *)
    (*     try Hashtbl.find iai.jc_interai_function_preconditions fi.jc_fun_info_tag  *)
    (*     with Not_found -> Abstract1.bottom mgr (Abstract1.env pre)  *)
    (*   in *)
    (*     begin *)
    (*       let old_pre = Abstract1.copy mgr function_pre in *)
    (*       let function_pre, fixpoint_reached =  *)
    (* 	if fi.jc_fun_info_is_recursive then *)
    (* 	  let num =  *)
    (* 	    try Hashtbl.find iai.jc_interai_function_nb_iterations fi.jc_fun_info_tag *)
    (* 	    with Not_found -> 0 *)
    (* 	  in *)
    (* 	    Hashtbl.replace iai.jc_interai_function_nb_iterations fi.jc_fun_info_tag  *)
    (* 	      (num + 1); *)
    (* 	    if num < abs.jc_absint_widening_threshold then *)
    (* 	      begin *)
    (* 		let function_pre = join mgr function_pre pre in *)
    (* 		if num = 0 then  *)
    (* 		  Hashtbl.replace iai.jc_interai_function_init_pre  *)
    (* 		    fi.jc_fun_info_tag function_pre; *)
    (* 		function_pre, false *)
    (* 	      end *)
    (* 	    else *)
    (* 	      begin *)
    (* 		let copy_pre = Abstract1.copy mgr pre in *)
    (* 		let function_pre = widening mgr function_pre copy_pre in *)
    (* 		  if is_eq mgr old_pre function_pre then *)
    (* 		    begin *)
    (* 		      let init_pre =  *)
    (* 			Hashtbl.find iai.jc_interai_function_init_pre fi.jc_fun_info_tag in *)
    (* 		      let function_pre = join mgr function_pre init_pre in *)
    (* 			(\* Hashtbl.replace iai.jc_interai_function_preconditions fi.jc_fun_info_tag function_pre;*\) *)
    (* 			function_pre, true *)
    (* 		    end *)
    (* 		  else *)
    (* 		      function_pre, false *)
    (* 	      end *)
    (* 	else *)
    (* 	  begin *)
    (* 	    let function_pre = join mgr function_pre pre in *)
    (* 	    function_pre, false; *)
    (* 	  end *)
    (*       in *)
    (*       let pre_has_changed = not (is_eq mgr old_pre function_pre) in *)
    (* 	if pre_has_changed then *)
    (* 	  Hashtbl.replace iai.jc_interai_function_preconditions fi.jc_fun_info_tag function_pre; *)
    (* 	let inspected = List.mem fi.jc_fun_info_tag !inspected_functions in *)
    (* 	  if not inspected || pre_has_changed then *)
    (* 	    ai_function mgr (Some iai) [] (fi, loc, fs, sl); *)
    (*     end *)

(* External function to call to perform abstract interpretation [abs]
 * on expr [e], starting from invariants [curinvs].
 * It sets the initial value of invariants before treating a loop.
 *)
and ai_expr iaio abs curinvs e =
(*   if debug then *)
(*     printf "[ai_expr] %a on %a@." print_abstract_invariants curinvs *)
(*       Jc_output.expr e; *)
  let loops = abs.jc_absint_loops in
  let loop_initial_invariants = abs.jc_absint_loop_initial_invariants in
  let loop_invariants = abs.jc_absint_loop_invariants in
  let loop_iterations = abs.jc_absint_loop_iterations in
  match e#node with
    | JCEloop(annot,_body) ->
	(* Reinitialize the loop iteration count and the loop invariant.
	 * This is useful to get precise results for inner loops.
	 * Comment those lines to gain in scaling, at the cost of precision.
	 *)
	Hashtbl.replace loops annot.jc_loop_tag e;
	Hashtbl.replace loop_iterations annot.jc_loop_tag 0;
	Hashtbl.remove loop_invariants annot.jc_loop_tag;
	(* Set the initial value of invariants when entering the loop from
	 * the outside.
	 *)
	Hashtbl.replace loop_initial_invariants annot.jc_loop_tag curinvs;
	intern_ai_expr iaio abs curinvs e
    | _ -> intern_ai_expr iaio abs curinvs e

(* Internal function called when computing a fixpoint for a loop. It does not
 * modify the initial value of invariants for the loop considered, so that
 * narrowing is possible.
 *)
and intern_ai_expr iaio abs curinvs e =
  let mgr = abs.jc_absint_manager in
  let ai = ai_expr iaio abs in

  (* Define common shortcuts. *)
  let normal = curinvs.jc_absinv_normal in
  let pre = normal.jc_absval_regular in
  let prop = normal.jc_absval_propagated in
  let postexcl = curinvs.jc_absinv_exceptional in
  let postret = curinvs.jc_absinv_return in

  (* Record invariant at assertion points. *)
  let targets = find_target_assertions abs.jc_absint_target_assertions e in
  List.iter
    (fun target ->
       target.jc_target_regular_invariant <- mkinvariant mgr pre;
       target.jc_target_propagated_invariant <- mkinvariant mgr prop
    ) targets;

  (* Apply appropriate transition function. *)
  let curinvs = match e#node with
    | JCElet(_v,None,e1) ->
	ai curinvs e1
    | JCElet(v,Some e1,e2) when Expr.is_app e1 ->
	let curinvs = ai_call iaio abs curinvs (Some v) e1 in
	ai curinvs e2
    | JCElet(v,Some e1,e2) ->
	let tv = new term_var v in
	let curinvs = match e1#node with
	  | JCEapp _call ->
	      ai_call iaio abs curinvs (Some v) e1
	  | _ ->
	      (* TODO: precise case of allocation *)
	      let curinvs = ai curinvs e1 in
	      assign_expr mgr tv e1 curinvs
	in
	let curinvs = ai curinvs e2 in
        (* To keep information on variable [v], declaration should be
	   turned into assignment before analysis. *)
        forget_invariants mgr curinvs (Vai.all_variables tv)
    | JCEassign_var(v,e1) ->
	let tv = new term_var v in
	let curinvs = match e1#node with
	  | JCEapp _call ->
	      ai_call iaio abs curinvs (Some v) e1
	  | _ ->
	      (* TODO: precise case of allocation *)
	      let curinvs = ai curinvs e1 in
	      assign_expr mgr tv e1 curinvs
	in
	curinvs
    | JCEassign_heap(e1,fi,e2) ->
	let curinvs = ai curinvs e1 in
	let curinvs = ai curinvs e2 in
	begin match Jc_effect.term_of_expr e1 with
	  | None -> assign_heap mgr e1 fi None curinvs
	  | Some t1 ->
	      let dereft =
		new term ~typ:fi.jc_field_info_type (JCTderef(t1,LabelHere,fi))
	      in
	      let curinvs =
		assign_heap mgr e1 fi (Some dereft) curinvs
	      in
	      assign_expr mgr dereft e2 curinvs
	end
    | JCEassert(_behav,Ahint,a) ->
	test_assertion ~propagated:true mgr a curinvs
    | JCEassert(_behav,_asrt,a) ->
	test_assertion mgr a curinvs
    | JCEblock sl ->
	List.fold_left ai curinvs sl
    | JCEif(e1,etrue,efalse) ->
	let curinvs = ai curinvs e1 in
	(* Treat "then" branch. *)
	let trueinvs = test_expr ~neg:false mgr e1 curinvs in
	let trueinvs = ai trueinvs etrue in
	(* Treat "else" branch. *)
	let falseinvs = test_expr ~neg:true mgr e1 curinvs in
	let falseinvs = ai falseinvs efalse in
	(* Join both branches. *)
	join_invariants mgr trueinvs falseinvs
    | JCEreturn_void ->
	(* For CIL, rather store return value before merge *)
	if not abs.jc_absint_function.jc_fun_info_has_return_label then
	  return_abstract_value mgr postret e normal;
	{ curinvs with jc_absinv_normal = empty_abstract_value mgr normal }
    | JCEreturn(_ty,e1) ->
	let result = abs.jc_absint_function.jc_fun_info_result in
	let resultt = new term_var result in
	let apply_return curinvs =
	  let curinvs = ai curinvs e1 in
	  assign_expr mgr resultt e1 curinvs
	in
	Hashtbl.iter
	  (fun e absval ->
	     let curinvs = { curinvs with jc_absinv_normal = absval } in
	     let curinvs = apply_return curinvs in
	     Hashtbl.replace postret e curinvs.jc_absinv_normal
	  ) postret;
	let curinvs = apply_return curinvs in
	let normal = curinvs.jc_absinv_normal in
	(* For CIL, rather store return value before merge *)
	if not abs.jc_absint_function.jc_fun_info_has_return_label then
	  return_abstract_value mgr postret e normal;
	{ curinvs with jc_absinv_normal = empty_abstract_value mgr normal }
    | JCEthrow(ei,e1opt) ->
	let curinvs = match e1opt with
	  | None -> curinvs
	  | Some e1 -> ai curinvs e1
	in
	if ei.jc_exception_info_name = Jc_norm.return_label#name then
	  let normal = curinvs.jc_absinv_normal in
	  return_abstract_value mgr postret e normal;
	  { curinvs with jc_absinv_normal = empty_abstract_value mgr normal }
	else
	  (* TODO: add thrown value as abstract variable. *)
	  let thrown =
	    try join_abstract_value mgr normal (List.assoc ei postexcl)
	    with Not_found -> normal
	  in
	  let postexcl = (ei,thrown) :: (List.remove_assoc ei postexcl) in
	  let curinvs = { curinvs with jc_absinv_exceptional = postexcl } in
	  { curinvs with jc_absinv_normal = empty_abstract_value mgr normal }
    | JCEtry(body,handlers,finally) ->
	let curinvs = ai curinvs body in
	let postexcl = curinvs.jc_absinv_exceptional in
	(* Filter out exceptions present in [handlers]. *)
	let curpostexcl =
	  List.filter
	    (fun (ei,_invs) ->
	       not (List.exists
		      (fun (ej,_vopt,_e) ->
			 ei.jc_exception_info_tag = ej.jc_exception_info_tag
		      ) handlers)
	    ) postexcl
	in
	let curinvs = { curinvs with jc_absinv_exceptional  = curpostexcl } in
	(* Consider each handler in turn. *)
	let curinvs = List.fold_left
	  (fun curinvs (ei,_vopt,ehandler) ->
	     try
	       let postexc = List.assoc ei postexcl in
	       let excinvs = {
		 jc_absinv_normal = postexc;
		 jc_absinv_exceptional = [];
		 jc_absinv_return = postret;
	       } in
	       let excinvs = ai excinvs ehandler in
	       join_invariants mgr curinvs excinvs
	     with Not_found -> curinvs
	  ) curinvs handlers
	in
	begin match finally#node with
	  | JCEblock []
	  | JCEconst JCCvoid -> curinvs
	  | JCEblock [e1] when e1#node = JCEblock [] -> curinvs
	  | JCEblock [e1] when e1#node = JCEconst JCCvoid -> curinvs
	  | _ -> assert false (* TODO: apply finally stmt to all paths. *)
	end
    | JCEloop(annot,body) ->
	let loop_invariants = abs.jc_absint_loop_invariants in
	let loop_initial_invariants = abs.jc_absint_loop_initial_invariants in
	let loop_iterations = abs.jc_absint_loop_iterations in
	let num =
	  try Hashtbl.find loop_iterations annot.jc_loop_tag
	  with Not_found -> 0
	in
	Hashtbl.replace loop_iterations annot.jc_loop_tag (num + 1);

	if num < abs.jc_absint_widening_threshold then
	  (* Perform one step of propagation through the loop body. *)
	  let nextinvs = ai curinvs body in
	  let curinvs = join_invariants mgr curinvs nextinvs in
	  (* Perform fixpoint computation on the loop. *)
	  intern_ai_expr iaio abs curinvs e
	else
	  begin try
	    let loopinvs = Hashtbl.find loop_invariants annot.jc_loop_tag in
	    let wideninvs = widen_invariants mgr loopinvs curinvs in
	    if eq_invariants mgr loopinvs wideninvs then
	      begin
		(* Fixpoint reached through widening. Perform narrowing now. *)
		let initinvs =
		  Hashtbl.find loop_initial_invariants annot.jc_loop_tag
		in
		let wideninvs =
		  { wideninvs with jc_absinv_exceptional = [] }
		in
		(* TODO: be more precise on return too. *)
		let wideninvs = ai wideninvs body in
		let wideninvs = join_invariants mgr wideninvs initinvs in
		Hashtbl.replace loop_invariants annot.jc_loop_tag wideninvs;
		let wideninvs =
		  { wideninvs with jc_absinv_exceptional =
		      initinvs.jc_absinv_exceptional }
		in
		let wideninvs = ai wideninvs body in
		(* This is an infinite loop, whose only exit is through
		   return or throwing exceptions. *)
		let curinvs =
		  { curinvs with jc_absinv_normal =
		      empty_abstract_value mgr normal }
		in
		{ curinvs with
		    jc_absinv_exceptional = wideninvs.jc_absinv_exceptional }
	      end
	    else
	      begin
		Hashtbl.replace
		  loop_invariants annot.jc_loop_tag wideninvs;
		(* Perform one step of propagation through the loop body. *)
		let wideninvs = ai wideninvs body in
		(* Perform fixpoint computation on the loop. *)
		let wideninvs = intern_ai_expr iaio abs wideninvs e in
		(* Propagate changes to [curinvs]. *)
		let curinvs =
		  { curinvs with jc_absinv_normal =
		      empty_abstract_value mgr normal }
		in
		let normal =
		  join_abstract_value mgr normal wideninvs.jc_absinv_normal
		in
		{ curinvs with
		    jc_absinv_normal = normal;
		    jc_absinv_exceptional = wideninvs.jc_absinv_exceptional }
	      end
	  with Not_found ->
	    Hashtbl.replace
	      loop_invariants annot.jc_loop_tag curinvs;
	    (* Perform one step of propagation through the loop body. *)
	    let curinvs = ai curinvs body in
	    (* Perform fixpoint computation on the loop. *)
	    intern_ai_expr iaio abs curinvs e
	  end
    | JCEapp _call ->
	ai_call iaio abs curinvs None e
    | JCEconst _
    | JCEvar _ ->
	curinvs
    | JCEunary(_,e1)
    | JCEderef(e1,_)
    | JCEoffset(_,e1,_)
    | JCEaddress(_,e1)
    | JCEbase_block(e1)
    | JCEcast(e1,_)
    | JCEbitwise_cast(e1,_)
    | JCErange_cast(e1,_)
    | JCEinstanceof(e1,_)
    | JCEreal_cast(e1,_)
    | JCEunpack(_,e1,_)
    | JCEpack(_,e1,_)
    | JCEalloc(e1,_)
    | JCEfresh e1
    | JCEfree e1 ->
	ai curinvs e1
    | JCEbinary(e1,_,e2)
    | JCEshift(e1,e2) ->
	ai (ai curinvs e1) e2
    | JCEcontract _ -> assert false (* TODO *)
    | JCEmatch _ -> assert false (* TODO *)
  in

  (* Propagate assertions. *)
  List.fold_left
    (fun curinvs target ->
       test_assertion ~propagated:true mgr target.jc_target_assertion curinvs
    ) curinvs targets


and ai_call iaio abs curinvs vio e =
  let mgr = abs.jc_absint_manager in

  (* Define common shortcuts. *)
  let normal = curinvs.jc_absinv_normal in
  let pre = normal.jc_absval_regular in
  let prop = normal.jc_absval_propagated in

  (* Record invariant at assertion points. *)
  let targets = find_target_assertions abs.jc_absint_target_assertions e in
  List.iter
    (fun target ->
       target.jc_target_regular_invariant <- mkinvariant mgr pre;
       target.jc_target_propagated_invariant <- mkinvariant mgr prop
    ) targets;

  let call = match e#node with JCEapp call -> call | _ -> assert false in
  let f = match call.jc_call_fun with JCfun f -> f | _ -> assert false in
  let args = call.jc_call_args in

  (* Compute abstract value at function call *)
  let curinvs = List.fold_left (ai_expr iaio abs) curinvs args in
  let _f, _pos, spec, _body =
    IntHashtblIter.find Jc_typing.functions_table f.jc_fun_info_tag
  in
(*   begin match body with None -> () | Some body -> *)
(*     if Jc_options.interprocedural then *)
(*       match iaio with *)
(* 	| None -> () (\* intraprocedural analysis only *\) *)
(* 	| Some iai ->  *)
(* 	    let copy_pre = Abstract1.copy mgr pre in *)
(* 	    ai_inter_function_call mgr iai abs copy_pre fi loc fs sl args; *)
(*   end; *)

  (* Add precondition as checks *)
  (* Replace formal by actual parameters and result by actual variable *)
  let pre =
    List.fold_left2
      (fun a e (_,v) ->
	 let t = Jc_effect.term_of_expr e in
	 match t with
	   | None -> forget_var_in_assertion v a
	   | Some t -> replace_var_in_assertion v t a
      ) spec.jc_fun_requires args f.jc_fun_info_parameters
  in
  let curinvs = test_assertion ~propagated:true mgr pre curinvs in

  let compulsory_behavior b =
    match b.jc_behavior_assumes with
      | None -> true
      | Some a when Assertion.is_true a -> true
      | _ -> false
  in

  (* Compute normal postcondition *)
  let normal_post =
    List.fold_left
      (fun acc (_pos,_name,b) ->
	 (* TODO : handle 'assumes' clauses precisely *)
	 if b.jc_behavior_throws = None && compulsory_behavior b then
	   Assertion.mkand [ b.jc_behavior_ensures; acc ] ()
	 else acc
      ) (Assertion.mktrue ())
      (spec.jc_fun_default_behavior :: spec.jc_fun_behavior)
  in

(*   let normal_behavior = *)
(*     match iaio with *)
(*       | None -> normal_behavior *)
(*       | Some iai ->  *)
(* 	  let inferred_post = *)
(* 	    try *)
(* 	      Hashtbl.find iai.jc_interai_function_postconditions f.jc_fun_info_tag *)
(* 	    with Not_found -> Abstract1.top mgr (Abstract1.env pre) *)
(* 	  in *)
(* 	  make_and [normal_behavior; (mkinvariant mgr inferred_post)] *)
(*   in *)

  (* Add typing constraints on result *)
  let normal_post =
    match vio with
      | None -> normal_post
      | Some _v ->
  	  let result = f.jc_fun_info_result in
  	  let cstrs =
	    Jc_typing.type_range_of_term result.jc_var_info_type
	      (new term_var result)
  	  in
  	  Assertion.mkand [ normal_post; cstrs ] ()
  in

  (* Replace formal by actual parameters and result by actual variable *)
  let normal_post =
    List.fold_left2
      (fun a e (_,v) ->
	 let t = Jc_effect.term_of_expr e in
	 match t with
	   | None -> forget_var_in_assertion v a
	   | Some t -> replace_var_in_assertion v t a
      ) normal_post args f.jc_fun_info_parameters
  in
  let normal_post =
    match vio with
      | None -> forget_var_in_assertion f.jc_fun_info_result normal_post
      | Some v ->
	  replace_var_by_var_in_assertion f.jc_fun_info_result v normal_post
  in

(*   let exceptional_behaviors = *)
(*     List.fold_left *)
(*       (fun acc (_, _, b) -> *)
(* 	 (\* TODO : handle 'assumes' clauses correctly *\) *)
(* 	 match b.jc_behavior_throws with *)
(* 	   | None -> acc  *)
(* 	   | Some ei -> *)
(* 	       if b.jc_behavior_assumes = None then *)
(* 		 (ei, b.jc_behavior_ensures) :: acc else acc) *)
(*       [] fs.jc_fun_behavior *)
(*   in *)
(*   let exceptional_behaviors = *)
(*     List.map *)
(*       (fun (ei, a) ->  *)
(* 	 ei, List.fold_left2  *)
(* 	   (fun a e vi ->  *)
(* 	      let t = Jc_effect.term_of_expr e in *)
(* 	      match t with *)
(* 		| None -> assert false *)
(* 		| Some t -> replace_var_in_assertion vi t a) *)
(* 	   a args f.jc_fun_info_parameters) *)
(*       exceptional_behaviors *)
(*   in *)
(*   let postexcl =  *)
(*     List.map  *)
(*       (fun (ei, a) ->  *)
(* 	 let copy_normal = copy_abstract_value mgr normal in *)
(* 	 let copy_pre = copy_normal.jc_absval_regular in *)
(* 	 let copy_pre = simple_test_assertion mgr normal_behavior  copy_pre in *)
(* 	 let copy_normal = { copy_normal with jc_absval_regular = copy_pre } in *)
(* 	 ei, copy_normal) *)
(*       exceptional_behaviors *)
(*   in *)
(*   let curinvs = { curinvs with jc_absinv_exceptional = postexcl } in *)
(*   if (is_purely_exceptional_fun fs) then *)
(*     { curinvs with jc_absinv_normal = empty_abstract_value mgr normal } *)
(*   else *)
(*     begin *)

  let fi_writes = f.jc_fun_info_effects.jc_writes.jc_effect_globals in
  let vars_writes =
    VarMap.fold
      (fun vi _labs acc -> Vai.all_variables (new term_var vi) @ acc)
      fi_writes []
  in
  let assigns absval =
    Abstract1.forget_array mgr absval (Array.of_list vars_writes) false
  in
  let curinvs = apply_to_current_invariant assigns curinvs in
  test_assertion mgr normal_post curinvs

and prepare_invariant mgr abs ~pos ~what absval =
  let a = minimize mgr absval in
  if Assertion.is_true a then
    None
  else
    let a = simplify a in
    if Assertion.is_true a then
      None
    else
      (printf
	 "%a@[Inferring %s for function %s:@\n%a@]@."
	 Loc.report_position pos what
	 abs.jc_absint_function.jc_fun_info_name
	 Jc_output.assertion a;
       Some a)

and record_ai_loop_invariants abs =
  let mgr = abs.jc_absint_manager in
  let loop_invariants = abs.jc_absint_loop_invariants in
  Hashtbl.iter
    (fun _tag e ->
       let annot = match e#node with
	 | JCEloop(annot,_body) -> annot
	 | _ -> assert false
       in
       begin try
	 let loopinvs = Hashtbl.find loop_invariants annot.jc_loop_tag in
	 (* Update loop invariant *)
	 let loopinv =
	   meet mgr
	     loopinvs.jc_absinv_normal.jc_absval_regular
	     loopinvs.jc_absinv_normal.jc_absval_propagated
	 in
	 match
	   prepare_invariant mgr abs ~pos:e#pos ~what:"loop invariant" loopinv
	 with
	   | None -> ()
	   | Some a ->
	       (* Register loop invariant as such *)
	       let a = reg_annot ~pos:e#pos ~anchor:e#mark a in
	       if Jc_options.trust_ai then
		 annot.jc_free_loop_invariant <- a
	       else
		 annot.jc_loop_behaviors <-  ([], Some a, None) :: annot.jc_loop_behaviors;
       with Not_found -> () end
    ) abs.jc_absint_loops

and ai_function mgr iaio targets funpre (f,pos,spec,body) =
  try
    let env = Environment.make [||] [||] in

    (* Add global variables as abstract variables in [env]. *)
    let globvars =
      IntHashtblIter.fold (fun _tag (vi,_e) acc ->
			   Vai.all_variables (new term_var vi) @ acc
			  ) Jc_typing.variables_table []
    in
    let env = Environment.add env (Array.of_list globvars) [||] in

    (* Add \result as abstract variable in [env] if any. *)
    let result = f.jc_fun_info_result in
    let return_type = result.jc_var_info_type in
    let env =
      if return_type <> JCTnative Tunit then
	let result = Vai.all_variables (new term_var result) in
	Environment.add env (Array.of_list result) [||]
      else env
    in

    (* Add parameters as abstract variables in [env]. *)
    let params =
      List.fold_left
	(fun acc (_,v) -> Vai.all_variables (new term_var v) @ acc)
	[] f.jc_fun_info_parameters
    in
    let env = Environment.add env (Array.of_list params) [||] in

    let abs = {
      jc_absint_manager                 = mgr;
      jc_absint_function_environment    = env;
      jc_absint_function                = f;
      jc_absint_widening_threshold      = 1;
      jc_absint_loops                   = Hashtbl.create 0;
      jc_absint_loop_invariants         = Hashtbl.create 0;
      jc_absint_loop_initial_invariants = Hashtbl.create 0;
      jc_absint_loop_iterations         = Hashtbl.create 0;
      jc_absint_loop_entry_invs         = Hashtbl.create 0;
      jc_absint_target_assertions       = targets;
    } in

    (* Take the function precondition as initial constraints *)
    let initabs =
      simple_test_assertion mgr funpre (Abstract1.top mgr env)
    in
    let initpre =
      {  jc_absval_regular = initabs; jc_absval_propagated = initabs }
    in

    (* Add the currently inferred pre for [f] in pre *)
(*     let initpre = match iaio with *)
(*       | None -> initpre *)
(*       | Some iai -> *)
(* 	  let inferred_pre = *)
(* 	    try Hashtbl.find iai.jc_interai_function_preconditions f.jc_fun_info_tag  *)
(* 	    with Not_found -> Abstract1.top mgr env (\* for main function *\) in *)
(* 	  { initpre with jc_absval_regular = *)
(* 	      meet mgr initpre.jc_absval_regular inferred_pre } *)
(*     in *)

    pointer_terms_table := Hashtbl.create 0;

    (* Annotation inference on the function body. *)
    let initinvs = {
      jc_absinv_normal = initpre;
      jc_absinv_exceptional = [];
      jc_absinv_return = Hashtbl.create 3;
    } in
    let finalinvs = ai_expr iaio abs initinvs body in
    begin match iaio with
      | None -> record_ai_loop_invariants abs
      | Some iai ->
	  Hashtbl.replace iai.jc_interai_function_abs f.jc_fun_info_tag abs
    end;
    List.iter
      (fun target ->
	 if Jc_options.debug then
	   printf
	     "%a@[Inferring assert invariant@\n%a@]@."
	     Loc.report_position target.jc_target_location
	     Jc_output.assertion
	     (Assertion.mkand [ target.jc_target_regular_invariant;
				target.jc_target_propagated_invariant ] ())
      ) targets;

(*     let initpre = *)
(*       match iaio with *)
(* 	| None -> initpre *)
(* 	| Some iai -> (\* Interprocedural analysis *\)  *)
(* 	    inspected_functions := f.jc_fun_info_tag :: !inspected_functions; *)
(* 	    incr nb_nodes; *)
(* 	    (\* Take the currently inferred pre for [fi] if any *\) *)
(* 	    try *)
(* 	      let inferred_pre =  *)
(* 		Hashtbl.find iai.jc_interai_function_preconditions f.jc_fun_info_tag *)
(* 	      in *)
(* 	      { initpre with jc_absval_regular = *)
(* 		  Abstract1.copy mgr inferred_pre } *)
(* 	    with Not_found -> initpre *)
(*     in *)
(*     pointer_terms_table := Hashtbl.create 0; *)

    (* Update the return postcondition for procedure with no last return. *)
    if return_type = JCTnative Tunit then
      return_abstract_value mgr finalinvs.jc_absinv_return
	body finalinvs.jc_absinv_normal;

    (* record the postcondition inferred *)
    let defpos,defid,defbehav = spec.jc_fun_default_behavior in
    let known_post =
      Assertion.mkand [ defbehav.jc_behavior_free_ensures;
			defbehav.jc_behavior_ensures ] ()
    in
    let cstrs =
      List.fold_left
 	(fun acc (_,v) ->
	   let cstr =
	     Jc_typing.type_range_of_term v.jc_var_info_type (new term_var v)
	   in
	   cstr :: acc
	) [] ((false,f.jc_fun_info_result) :: f.jc_fun_info_parameters)
    in
    let known_post = Assertion.mkand (known_post :: cstrs) () in

    let acc =
      Hashtbl.fold
	(fun _e absval acc ->
	   let post =
	     meet mgr absval.jc_absval_regular absval.jc_absval_propagated
	   in
	   let post = Abstract1.change_environment mgr post env false in
	   let a =
	     match
	       prepare_invariant mgr abs ~pos ~what:"postcondition case" post
	     with
	       | None -> Assertion.mktrue ()
	       | Some a -> simplify ~inva:known_post a
	   in a :: acc
	) finalinvs.jc_absinv_return []
    in
    let post = Assertion.mkor acc () in
    (* Register postcondition as such *)
    let post = reg_annot ~pos ~anchor:f.jc_fun_info_name post in
    let defbehav =
      if Jc_options.trust_ai then
	{ defbehav with jc_behavior_free_ensures =
	    Assertion.mkand [ defbehav.jc_behavior_free_ensures; post ] () }
      else
	{ defbehav with jc_behavior_ensures =
	    Assertion.mkand [ defbehav.jc_behavior_ensures; post ] () }
    in
    spec.jc_fun_default_behavior <- defpos,defid,defbehav;

(*     match iaio with  *)
(*       | None -> () *)
(*       | Some iai -> *)
(* 	  let old_post =  *)
(* 	    try *)
(* 	      Hashtbl.find iai.jc_interai_function_postconditions f.jc_fun_info_tag *)
(* 	    with Not_found -> Abstract1.top mgr env *)
(* 	  in *)
(* 	  let returnabs = keep_extern mgr fi !(invs.jc_absinv_return).jc_absval_regular in *)
(* 	  if not (is_eq mgr old_post returnabs) then *)
(* 	    Hashtbl.replace iai.jc_interai_function_postconditions f.jc_fun_info_tag returnabs; *)
(* 	  let old_excep =  *)
(* 	    try *)
(* 	      Hashtbl.find iai.jc_interai_function_exceptional f.jc_fun_info_tag *)
(* 	    with Not_found -> [] *)
(* 	  in *)
(* 	  let excabsl = *)
(* 	    List.fold_left *)
(* 	      (fun acc (exc, va) -> (exc, va.jc_absval_regular) :: acc) *)
(* 	      [] invs.jc_absinv_exceptional  *)
(* 	  in *)
(* 	  let excabsl = List.map (fun (exc, va) -> exc, keep_extern mgr fi va) excabsl in *)
(* 	  if (List.length old_excep = List.length excabsl) then *)
(* 	    let annot_inferred =  *)
(* 	      List.fold_left2 *)
(* 		(fun acc (ei1, va1) (ei2, va2) -> *)
(* 		   if ei1.jc_exception_info_tag <> ei2.jc_exception_info_tag || *)
(* 		     not (is_eq mgr va1 va2) then true else acc) false old_excep excabsl *)
(* 	    in *)
(* 	    if annot_inferred then *)
(* 	      Hashtbl.replace iai.jc_interai_function_exceptional f.jc_fun_info_tag excabsl; *)

  with Manager.Error exc ->
    Manager.print_exclog std_formatter exc;
    printf "@.";
    exit 1


(*****************************************************************************)
(* Modular generation of annotations for a function.                         *)
(*****************************************************************************)

let prepare_target target =
  target.jc_target_regular_invariant <-
    simplify target.jc_target_regular_invariant;
  (* Build the most precise invariant known at the current assertion point:
   * it is the conjunction of the regular invariant (from forward abstract
   * interpretation) and the propagated invariant (from propagated assertions).
   *)
  let inv =
    Assertion.mkand [ target.jc_target_regular_invariant;
		      target.jc_target_propagated_invariant ] ()
  in
  (* Check whether the target assertion is a consequence of the most
   * precise invariant.
   *)
  let impl = new assertion (JCAimplies(inv,target.jc_target_assertion)) in
  if tautology impl then
    (if debug then
       printf "%a[code_function] proof of %a discharged@."
	 Loc.report_position target.jc_target_location
	 Jc_output.assertion target.jc_target_assertion;
     None)
  else
    (if debug then
       printf "%a[code_function] precondition needed for %a@."
	 Loc.report_position target.jc_target_location
	 Jc_output.assertion target.jc_target_assertion;
     (* Adding target to the list. *)
     Some target)

let code_function (f,pos,spec,body) =
  match body with None -> () | Some body ->
    let wp_filter _canda =
      (* Only propagate candidate assertions for targets if Atp can make
       * sense of them.
       *)
      (* TODO : make sure ident on common logic formulas. *)
      (*         raw_assertion_equal canda (asrt_of_atp(atp_of_asrt canda)) *)
      true
    in

    (* Add parameters specs to the function precondition *)
    let cstrs =
      List.fold_left
 	(fun acc (_,v) ->
	   let cstr =
	     Jc_typing.type_range_of_term v.jc_var_info_type (new term_var v)
	   in
	   cstr :: acc
	) [] f.jc_fun_info_parameters
    in
(*     let consists = *)
(*       List.fold_left *)
(*  	(fun acc v ->  *)
(* 	   (\* This is not an precondition, as a pointer parameter may be null, *)
(* 	      but rather a consistency formula for the generated precondition, *)
(* 	      that should not assert nullity of a parameter this way *\) *)
(* 	   let consist = *)
(* 	     if is_nonnull_pointer_type v.jc_var_info_type then *)
(* 	       let tv = new term_var v in *)
(* 	       let st = pointer_struct tv#typ in *)
(* 	       let tmin =  *)
(* 		 new term ~typ:integer_type (JCToffset(Offset_min,tv,st))  *)
(* 	       in *)
(* 	       let tmax =  *)
(* 		 new term ~typ:integer_type (JCToffset(Offset_max,tv,st))  *)
(* 	       in *)
(* 	       [ new assertion (JCArelation (tmin,(`Ble,`Integer),tmax)) ] *)
(* 	     else [] *)
(* 	   in *)
(* 	   consist @ acc *)
(* 	) [] f.jc_fun_info_parameters *)
(*     in *)
    let funpre =
      Assertion.mkand
	(spec.jc_fun_requires :: spec.jc_fun_free_requires :: cstrs) ()
    in
(*     let funconsist = Assertion.mkand (funpre :: consists) () in *)

    begin match !Jc_options.annotation_sem with
      | AnnotNone -> ()
      | AnnotInvariants | AnnotElimPre | AnnotWeakPre | AnnotStrongPre ->

	  (* Collect checks *)
	  let targets = collect_targets wp_filter [] body in

	  (* Generate invariants by forward abstract interpretation *)
	  begin match !Jc_options.ai_domain with
	    | AbsNone ->
		assert false
	    | AbsBox ->
		let mgr = Box.manager_alloc () in
		ai_function mgr None targets funpre (f,pos,spec,body)
	    | AbsOct ->
		let mgr = Oct.manager_alloc () in
		ai_function mgr None targets funpre (f,pos,spec,body)
	    | AbsPol ->
		let mgr = Polka.manager_alloc_strict () in
		ai_function mgr None targets funpre (f,pos,spec,body)
	  end;

	  (* Generate preconditions by quantifier elimination and
	     weakest preconditions *)
	  begin match !Jc_options.annotation_sem with
	    | AnnotNone -> assert false
	    | AnnotInvariants	-> ()
	    | AnnotElimPre | AnnotWeakPre | AnnotStrongPre ->
 		let targets =
		  List.fold_right
		    (fun target acc ->
		       match prepare_target target with
			 | None -> acc
			 | Some a -> a :: acc
		    ) targets []
		in
		wp_function targets funpre (f,pos,spec,body)
	  end;

	  (* Collect checks that directly follow function beginning or
	     loop beginning *)
	  let targets = collect_immediate_targets [] body in
	  backprop_function targets (f,spec,body)

    end


(*****************************************************************************)
(* Interprocedural analysis.                                                 *)
(*****************************************************************************)

(* Variables used in the interprocedural analysis *)
let inspected_functions = ref []
let nb_conj_atoms_inferred = ref 0
let nb_nodes = ref 0
let nb_loop_inv = ref 0
let nb_fun_pre = ref 0
let nb_fun_post = ref 0
let nb_fun_excep_post = ref 0

let rec nb_conj_atoms a = match a#node with
  | JCAand al -> List.fold_left (fun acc a -> nb_conj_atoms a + acc) 0 al
  | JCAtrue | JCAfalse | JCArelation _ | JCAapp _
  | JCAimplies _ | JCAiff _ | JCAquantifier _ | JCAinstanceof _
  | JCAbool_term _ | JCAif _ | JCAmutable _ | JCAeqtype _ | JCAmatch _
  | JCAlet _ | JCAfresh _ 
  | JCAor _ | JCAnot _ | JCAold _ | JCAat _ | JCAsubtype _ -> 1


let rec record_ai_inter_annotations mgr iai fi pos fs _sl =
  let env = Environment.make [||] [||] in
  inspected_functions := fi.jc_fun_info_tag :: !inspected_functions;
  (* record inferred precondition for [fi] *)
  let pre =
    try
      Hashtbl.find iai.jc_interai_function_preconditions fi.jc_fun_info_tag
    with Not_found -> Abstract1.top mgr env
  in
  let a = mkinvariant mgr pre in
  let a = reg_annot ~pos ~anchor:fi.jc_fun_info_name a in
  nb_conj_atoms_inferred := !nb_conj_atoms_inferred + nb_conj_atoms a;
  incr nb_fun_pre;
  if Jc_options.verbose then
    printf
      "@[Inferring precondition for function %s@\n%a@]@."
      fi.jc_fun_info_name Jc_output.assertion a;
  fs.jc_fun_free_requires <- Assertion.mkand [fs.jc_fun_free_requires; a] ();
  (* record loop invariants for [fi] *)
  let abs =
    try
      Hashtbl.find iai.jc_interai_function_abs fi.jc_fun_info_tag
    with Not_found -> assert false
  in
  record_ai_loop_invariants abs;
  (* record inferred postconditions for [fi] *)
  let post =
    try
      Hashtbl.find iai.jc_interai_function_postconditions fi.jc_fun_info_tag
    with Not_found -> Abstract1.top mgr env
  in
  let returna = mkinvariant mgr post in
  let vi_result = fi.jc_fun_info_result in
  let post = Assertion.mkand
    [returna; Jc_typing.type_range_of_term vi_result.jc_var_info_type
       (new term_var vi_result)] ()
  in
  let normal_behavior = { default_behavior with jc_behavior_ensures = post } in
  let exceptional =
    try
      Hashtbl.find iai.jc_interai_function_exceptional fi.jc_fun_info_tag
    with Not_found -> []
  in
  let excl, excabsl =
    List.fold_left
      (fun (acc1, acc2) (exc, va) -> (exc :: acc1, va :: acc2))
      ([], []) exceptional in
  let excabsl = List.map (fun va -> keep_extern mgr fi va) excabsl in
  let excabsl = List.map
    (fun va -> if Abstract1.is_bottom mgr va then
       Abstract1.top mgr env else va) excabsl in
  let excal = List.map (mkinvariant mgr) excabsl in

  let post = reg_annot ~pos ~anchor:fi.jc_fun_info_name post in
  nb_conj_atoms_inferred := !nb_conj_atoms_inferred + nb_conj_atoms post;
  incr nb_fun_post;
  let excal = List.map (reg_annot ~pos ~anchor:fi.jc_fun_info_name) excal in

  let exc_behaviors =
    List.map2
      (fun exc va ->
	 (Loc.dummy_position, "inferred",
	  { default_behavior with
	      jc_behavior_throws = Some exc;
	      jc_behavior_ensures = va }))
      excl excal
  in
  if Jc_options.verbose then
    begin
      printf
	"@[Inferring postcondition for function %s@\n%a@]@."
	fi.jc_fun_info_name
	Jc_output.assertion post;
      List.iter2
	(fun exc exca ->
	   nb_conj_atoms_inferred := !nb_conj_atoms_inferred + nb_conj_atoms exca;
	   incr nb_fun_excep_post;
	   printf
	     "@[Inferring exceptional postcondition (for exception %s) for function %s@\n%a@]@."
	     exc.jc_exception_info_name
	     fi.jc_fun_info_name
	     Jc_output.assertion exca) excl excal;
    end;
  begin
    if is_purely_exceptional_fun fs then () else
      fs.jc_fun_behavior <-
	(Loc.dummy_position,"inferred", normal_behavior) :: fs.jc_fun_behavior
  end;
  fs.jc_fun_behavior <- exc_behaviors @ fs.jc_fun_behavior;
  (* iterate on the call graph *)
  List.iter
    (fun fi ->
       let fi, _, fs, slo =
	 try
	   IntHashtblIter.find Jc_typing.functions_table fi.jc_fun_info_tag
	 with Not_found -> assert false (* should never happen *)
       in
       match slo with
	 | None -> ()
	 | Some b ->
	     if not (List.mem fi.jc_fun_info_tag !inspected_functions) then
	       record_ai_inter_annotations mgr iai fi pos fs b)
    fi.jc_fun_info_calls


let ai_interprocedural mgr (fi, loc, fs, sl) =
  let iai = {
    jc_interai_manager = mgr;
    jc_interai_function_preconditions = Hashtbl.create 0;
    jc_interai_function_postconditions = Hashtbl.create 0;
    jc_interai_function_exceptional = Hashtbl.create 0;
    jc_interai_function_nb_iterations = Hashtbl.create 0;
    jc_interai_function_init_pre = Hashtbl.create 0;
    jc_interai_function_abs = Hashtbl.create 0;
  } in
  let time = Unix.gettimeofday () in
  ignore (ai_function mgr (Some iai) [] (Assertion.mktrue ()) (fi, loc, fs, sl));
  inspected_functions := [];
  record_ai_inter_annotations mgr iai fi loc fs sl;
  let time = Unix.gettimeofday () -. time in
  if Jc_options.verbose then
    printf "Interprocedural analysis stats: \
@.    %d function preconditions inferred \
@.    %d function postconditions inferred \
@.    %d function exceptional postconditions inferred \
@.    %d loop invariants inferred \
@.    %d conjonction atoms inferred \
@.    %d nodes \
@.    %f seconds@."
      !nb_fun_pre !nb_fun_post !nb_fun_excep_post !nb_loop_inv
      !nb_conj_atoms_inferred !nb_nodes time


let main_function = function
  | _fi, _loc, _fs, None -> ()
  | fi, loc, fs, Some sl ->
      begin match !Jc_options.ai_domain with
	| AbsBox ->
	    let mgr = Box.manager_alloc () in
	    ai_interprocedural mgr (fi, loc, fs, sl)
	| AbsOct ->
	    let mgr = Oct.manager_alloc () in
	    ai_interprocedural mgr (fi, loc, fs, sl)
	| AbsPol ->
	    let mgr = Polka.manager_alloc_strict () in
	    ai_interprocedural mgr (fi, loc, fs, sl)
	| AbsNone -> assert false
      end

(*
let rec is_recursive_rec fi fil =
  List.exists
    (fun fi' ->
       inspected_functions := fi'.jc_fun_info_tag :: !inspected_functions;
       fi.jc_fun_info_tag = fi'.jc_fun_info_tag ||
	   (not (List.mem fi'.jc_fun_info_tag !inspected_functions) &&
	      is_recursive_rec fi fi'.jc_fun_info_calls))
    fil

let is_recursive fi =
  inspected_functions := [];
  let r = is_recursive_rec fi fi.jc_fun_info_calls in
  inspected_functions := [];
  r
*)

(*
  Local Variables:
  compile-command: "LC_ALL=C make -C .. bin/jessie.byte"
  End:
*)
why-2.39/configure.in0000644000106100004300000004076213147234006013553 0ustar  marchevals##########################################################################
#                                                                        #
#  The Why platform for program certification                            #
#                                                                        #
#  Copyright (C) 2002-2017                                               #
#                                                                        #
#    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   #
#    Claude MARCHE, INRIA & Univ. Paris-sud                              #
#    Yannick MOY, Univ. Paris-sud                                        #
#    Romain BARDOU, Univ. Paris-sud                                      #
#                                                                        #
#  Secondary contributors:                                               #
#                                                                        #
#    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        #
#    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             #
#    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           #
#    Sylvie BOLDO, INRIA              (floating-point support)           #
#    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     #
#    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          #
#                                                                        #
#  This software is free software; you can redistribute it and/or        #
#  modify it under the terms of the GNU Lesser General Public            #
#  License version 2.1, with the special exception on linking            #
#  described in file LICENSE.                                            #
#                                                                        #
#  This software is distributed in the hope that it will be useful,      #
#  but WITHOUT ANY WARRANTY; without even the implied warranty of        #
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  #
##########################################################################


#
# autoconf input for Objective Caml programs
# Copyright (C) 2001 Jean-Christophe Filliâtre
#   from a first script by Georges Mariano
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Library General Public
# License version 2, as published by the Free Software Foundation.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
#
# See the GNU Library General Public License version 2 for more details
# (enclosed in the file LGPL).

# the script generated by autoconf from this input will set the following
# variables:
#   OCAMLC        "ocamlc" if present in the path, or a failure
#                 or "ocamlc.opt" if present with same version number as ocamlc
#   OCAMLOPT      "ocamlopt" (or "ocamlopt.opt" if present), or "no"
#   OCAMLBEST     either "byte" if no native compiler was found,
#                 or "opt" otherwise
#   OCAMLDEP      "ocamldep"
#   OCAMLLEX      "ocamllex"
#   OCAMLYACC     "ocamlyac"
#   OCAMLLIB      the path to the ocaml standard library
#   OCAMLVERSION  the ocaml version number
#   LABLGTK2	  "yes" is available, "no" otherwise
#   OCAMLWEB      "ocamlweb" (not mandatory)


# check for one particular file of the sources
# ADAPT THE FOLLOWING LINE TO YOUR SOURCES!
AC_INIT(src/monad.mli)

# verbosemake feature

AC_ARG_ENABLE(verbosemake,
  AS_HELP_STRING([--enable-verbosemake],[verbose makefile commands]),
  VERBOSEMAKE=$enableval,VERBOSEMAKE=no)
if test "$VERBOSEMAKE" = yes ; then
	AC_MSG_RESULT(Make will be verbose.)
fi

AC_ARG_ENABLE(local,
  AS_HELP_STRING([--enable-local],[use Jessie in the build directory (no installation)]),,
  enable_local=no)


# Check for Ocaml compilers

# we first look for ocamlc in the path; if not present, we fail
AC_CHECK_PROG(OCAMLC,ocamlc,ocamlc,no)
if test "$OCAMLC" = no ; then
	AC_MSG_ERROR(Cannot find ocamlc.)
fi

# we extract Ocaml version number
OCAMLVERSION=`$OCAMLC -v | sed -n -e 's|.*version* *\(.*\)$|\1|p' `
echo "ocaml version is $OCAMLVERSION"

case $OCAMLVERSION in
  0.*|1.*|2.*|3.*|4.00.*)
        AC_MSG_ERROR(You need Objective Caml 4.01.0 or later);;
  4.01.*)
        OCAMLWARN=Aer-6-41-44-45      ;;
  4.02.*)
        OCAMLWARN=Aer-3-6-41-44-45-48-50      ;;
  4.03.*|4.04.*)
        OCAMLWARN=Aer-3-6-41-44-45-48-50-52-57      ;;
  *)
        AC_MSG_WARN(Unknown Objective Caml version, assuming 4.04)
        OCAMLWARN=Aer-3-6-41-44-45-48-50-52-57      ;;
esac

FORPACK="-for-pack Graph"

# Ocaml library path
# old way: OCAMLLIB=`$OCAMLC -v | tail -1 | cut -f 4 -d ' ' | tr -d '\\r'`
OCAMLLIB=`$OCAMLC -where | tr -d '\\r'`
echo "ocaml library path is $OCAMLLIB"


## Where are the library we need
# we look for ocamlfind; if not present, we just don't use it to find
# libraries
AC_CHECK_PROG(USEOCAMLFIND,ocamlfind,yes,no)

if test "$USEOCAMLFIND" = yes; then
   OCAMLFINDLIB=$(ocamlfind printconf stdlib)
   OCAMLFIND=$(which ocamlfind)
   if test "$OCAMLFINDLIB" != "$OCAMLLIB"; then
   USEOCAMLFIND=no;
   echo "but your ocamlfind is not compatible with your ocamlc:"
   echo "ocamlfind : $OCAMLFINDLIB, ocamlc : $OCAMLLIB"
   fi
fi



# Check for arch/OS

AC_MSG_CHECKING(OS dependent settings)
OSTYPE=`echo 'prerr_endline Sys.os_type;;' | ocaml 2>&1 > /dev/null | tr -d '\\r' `
case $OSTYPE in
  Win32)
    EXE=.exe
    STRIP='echo "no strip "'
    CPULIMIT=cpulimit-win
    AC_MSG_RESULT(Win32)
    ;;
  Cygwin)
    EXE=.exe
    STRIP=strip
    CPULIMIT=cpulimit-win
    AC_MSG_RESULT(Cygwin)
    ;;
  Unix)
    EXE=
    STRIP=strip
    CPULIMIT=cpulimit
    AC_MSG_RESULT(Unix)
    ;;
  *) AC_MSG_ERROR(Unknown OS type: $OSTYPE)
    ;;
esac


# then we look for ocamlopt; if not present, we issue a warning
# if the version is not the same, we also discard it
# we set OCAMLBEST to "opt" or "byte", whether ocamlopt is available or not
AC_CHECK_PROG(OCAMLOPT,ocamlopt,ocamlopt,no)
OCAMLBEST=byte
if test "$OCAMLOPT" = no ; then
	AC_MSG_WARN(Cannot find ocamlopt; bytecode compilation only.)
else
	AC_MSG_CHECKING(ocamlopt version)
	TMPVERSION=`$OCAMLOPT -v | sed -n -e 's|.*version* *\(.*\)$|\1|p' `
	if test "$TMPVERSION" != "$OCAMLVERSION" ; then
	    AC_MSG_RESULT(differs from ocamlc; ocamlopt discarded.)
	    OCAMLOPT=no
	else
	    AC_MSG_RESULT(ok)
	    OCAMLBEST=opt
	fi
fi

# checking for ocamlc.opt
AC_CHECK_PROG(OCAMLCDOTOPT,ocamlc.opt,ocamlc.opt,no)
if test "$OCAMLCDOTOPT" != no ; then
	AC_MSG_CHECKING(ocamlc.opt version)
	TMPVERSION=`$OCAMLCDOTOPT -v | sed -n -e 's|.*version* *\(.*\)$|\1|p' `
	if test "$TMPVERSION" != "$OCAMLVERSION" ; then
	    AC_MSG_RESULT(differs from ocamlc; ocamlc.opt discarded.)
	else
	    AC_MSG_RESULT(ok)
	    OCAMLC=$OCAMLCDOTOPT
	fi
fi

# checking for ocamlopt.opt
if test "$OCAMLOPT" != no ; then
    AC_CHECK_PROG(OCAMLOPTDOTOPT,ocamlopt.opt,ocamlopt.opt,no)
    if test "$OCAMLOPTDOTOPT" != no ; then
	AC_MSG_CHECKING(ocamlc.opt version)
	TMPVER=`$OCAMLOPTDOTOPT -v | sed -n -e 's|.*version* *\(.*\)$|\1|p' `
	if test "$TMPVER" != "$OCAMLVERSION" ; then
	    AC_MSG_RESULT(differs from ocamlc; ocamlopt.opt discarded.)
	else
	    AC_MSG_RESULT(ok)
	    OCAMLOPT=$OCAMLOPTDOTOPT
	fi
    fi
fi

# ocamldep, ocamllex and ocamlyacc should also be present in the path
AC_CHECK_PROG(OCAMLDEP,ocamldep,ocamldep,no)
if test "$OCAMLDEP" = no ; then
   AC_MSG_ERROR(Cannot find ocamldep.)
else
   AC_CHECK_PROG(OCAMLDEPDOTOPT,ocamldep.opt,ocamldep.opt,no)
   if test "$OCAMLDEPDOTOPT" != no ; then
      OCAMLDEP=$OCAMLDEPDOTOPT
   fi
fi

AC_CHECK_PROG(OCAMLLEX,ocamllex,ocamllex,no)
if test "$OCAMLLEX" = no ; then
	AC_MSG_ERROR(Cannot find ocamllex.)
else
    AC_CHECK_PROG(OCAMLLEXDOTOPT,ocamllex.opt,ocamllex.opt,no)
    if test "$OCAMLLEXDOTOPT" != no ; then
	OCAMLLEX=$OCAMLLEXDOTOPT
    fi
fi

AC_CHECK_PROG(OCAMLYACC,ocamlyacc,ocamlyacc,no)
if test "$OCAMLYACC" = no ; then
	AC_MSG_ERROR(Cannot find ocamlyacc.)
fi

AC_CHECK_PROG(OCAMLDOC,ocamldoc,ocamldoc,true)
if test "$OCAMLDOC" = true ; then
    AC_MSG_WARN(Cannot find ocamldoc)
else
    AC_CHECK_PROG(OCAMLDOCOPT,ocamldoc.opt,ocamldoc.opt,no)
    if test "$OCAMLDOCOPT" != no ; then
	OCAMLDOC=$OCAMLDOCOPT
    fi
fi


#looking for ocamlgraph library

LOCALOCAMLGRAPH=no

if test "$USEOCAMLFIND" = yes; then
  OCAMLGRAPHLIB=$(ocamlfind query ocamlgraph)
fi
if test -n "$OCAMLGRAPHLIB"; then
   echo "ocamlfind found ocamlgraph in $OCAMLGRAPHLIB"
      OCAMLGRAPHLIB="-I $OCAMLGRAPHLIB"
      OCAMLGRAPHVER="found by ocamlfind"
 else
 AC_CHECK_FILE($OCAMLLIB/ocamlgraph/graph.cmi,OCAMLGRAPH=yes,OCAMLGRAPH=no)
 if test "$OCAMLGRAPH" = no ; then
    AC_CHECK_FILE(ocamlgraph/src/sig.mli,OCAMLGRAPH=yes,OCAMLGRAPH=no)
    if test "$OCAMLGRAPH" = no ; then
      AC_MSG_ERROR(Cannot find ocamlgraph library. Please install the *libocamlgraph-ocaml-dev* Debian package - or the OPAM package *ocamlgraph* - or compile from sources *http://ocamlgraph.lri.fr/*)
    else
      OCAMLGRAPHLIB="-I ocamlgraph"
      OCAMLGRAPHVER="in local subdir ocamlgraph"
      LOCALOCAMLGRAPH=yes
    fi
 else
    OCAMLGRAPHLIB="-I +ocamlgraph"
    OCAMLGRAPHVER="in Ocaml lib, subdir ocamlgraph"
 fi
fi

# checking local ocamlgraph compilation

if test "$LOCALOCAMLGRAPH" = yes; then
   AC_MSG_CHECKING(ocamlgraph compilation)
   if (cd ocamlgraph; ./configure && make) > /dev/null 2>&1; then
      AC_MSG_RESULT(ok)
   else
      AC_MSG_ERROR(cannot compile ocamlgraph in ocamlgraph)
   fi
fi

AC_CHECK_PROG(OCAMLWEB,ocamlweb,ocamlweb,true)

# apron library
APRONLIBS=
AC_ARG_ENABLE(apron,
  AS_HELP_STRING([--enable-apron],[use APRON library for abstract interpretation]),,
  enable_apron=no)

if test "$enable_apron" = "yes" ; then
   AC_CHECK_FILE($OCAMLLIB/apron/apron.cmxa,APRONLIB="-I +apron -I +gmp",APRONLIB=no)
   if test "$APRONLIB" = no ; then
      AC_CHECK_FILE(/usr/lib/apron.cmxa,APRONLIB="-I /usr/lib -I /usr/local/lib",APRONLIB=no)
      if test "$APRONLIB" = no ; then
	 AC_MSG_WARN(Cannot find APRON library.)
	 enable_apron="no (APRON library cannot be found, see above)"
      fi
   fi
fi

if test "$enable_apron" = "yes" ; then
   APRONLIBS="-cclib ' -lpolkaMPQ_caml -lpolkaMPQ -loctMPQ_caml -loctMPQ -lboxMPQ_caml -lboxMPQ -lapron_caml -lapron -lgmp_caml -lmpfr -lgmp -lbigarray -lcamlidl' bigarray.cmxa gmp.cmxa apron.cmxa box.cmxa polka.cmxa"
   ATPCMO=atp/atp.cmo
else
   APRONLIB=""
fi

# Frama-C
AC_ARG_VAR(FRAMAC,[frama-c command])
AC_PATH_PROG(FRAMAC,frama-c,no)

TESTFRAMAC=yes
if test "$TESTFRAMAC" = no ; then
   FRAMACPLUGIN=no
   FRAMACMSG="Disabled on user request"
else
   if test "$FRAMAC" = no ; then
	AC_MSG_WARN(Cannot find frama-c.)
	FRAMACPLUGIN=no
        FRAMACMSG="Cannot find Frama-C"
   else
      # we extract Ocaml version number
      AC_MSG_CHECKING(Frama-c version)
      FRAMACVERSION=`$FRAMAC -version | sed -n -e 's|\(Version: \)\?\(.*\)$|\2|p' `
      if test -z "$FRAMACVERSION" ; then
         FRAMACVERSION=`$FRAMAC -version`
      fi
      AC_MSG_RESULT($FRAMACVERSION)
      case $FRAMACVERSION in
        Phosphorus-20170501)
           FRAMACPLUGIN=yes
           ;;
        Phosphorus-*)
	   FRAMACVERSIONMSG="Found unknown variant of Frama-C Phosphorus (hope this works)"
           AC_MSG_WARN($FRAMACVERSIONMSG)
           FRAMACPLUGIN=yes
           ;;
        *) FRAMACVERSIONMSG="bad Frama-c version \"$FRAMACVERSION\", you need version Phosphorus"
           FRAMACPLUGIN=no
           AC_MSG_WARN($FRAMACVERSIONMSG)
           ;;
      esac
   fi
fi

# Why3
AC_ARG_VAR(WHY3C,[why3 command])
AC_PATH_PROG(WHY3C,why3,no)
if test "$WHY3C" = no ; then
  WHY3=no
  WHY3MSG="command 'why3' not found"
  AC_MSG_ERROR($WHY3MSG)
else
  WHY3=yes
  AC_MSG_CHECKING(Why3 version)
  WHY3VERSION=`$WHY3C --version | sed -n -e 's|.*version \([[^ ]]\+\)\( .*\)\?$|\1|p'`
  case $WHY3VERSION in
  0.6*|0.7*|0.80*|0.81*|0.82*|0.83*)
      AC_MSG_RESULT($WHY3VERSION)
      WHY3="no"
      WHY3MSG="version $WHY3VERSION too old"
      AC_MSG_ERROR($WHY3MSG)
      ;;
  0.84|0.85|0.86|0.86.*|0.87|0.87.*)
      AC_MSG_RESULT($WHY3VERSION)
      ;;
  *)
      AC_MSG_RESULT($WHY3VERSION)
      WHY3MSG="unknown version $WHY3VERSION, hope this works"
      AC_MSG_WARN($WHY3MSG)
      ;;
  esac
fi


WHYFLOATS=

# Coq
AC_ARG_VAR(COQC,[coqc command])
AC_PATH_PROG(COQC,coqc,no)
if test "$COQC" = no ; then
    COQ=no
    COQMSG="command 'coqc' not found"
    AC_MSG_WARN(Cannot find coqc.)
else
    COQ=yes
    AC_CHECK_PROG(COQDEP,coqdep,coqdep,true)
    if test "$COQDEP" = true ; then
	AC_MSG_ERROR(Cannot find coqdep.)
    fi
    COQLIB=`$COQC -where | sed -e 's|\\\|/|g' -e 's| |\\ |g'`
    AC_MSG_CHECKING(Coq version)
    COQVERSION=`$COQC -v | sed -n -e 's|.*version \([[^ ]]\+\) .*$|\1|p' `

    case $COQVERSION in
    7.4*)
	AC_MSG_RESULT($COQVERSION)
	COQC7=$COQC
	COQVER=v7
	WHYLIBCOQ=lib/coq-v7
	cp -f lib/coq-v7/WhyCoqDev.v lib/coq-v7/WhyCoqCompat.v;;
    8.*)
	AC_MSG_RESULT($COQVERSION)
	COQC7="$COQC -v7"
	COQC8=$COQC
	COQVER=v8
	WHYLIBCOQ=lib/coq
	cp -f lib/coq-v7/WhyCoqDev.v lib/coq-v7/WhyCoqCompat.v
	case $COQVERSION in
	8.1*|8.2*|8.3*|8.4*|8.5*|8.6*|trunk)
	  JESSIELIBCOQ=lib/coq/jessie_why.vo
	  cp -f lib/coq/WhyCoqDev.v lib/coq/WhyCoqCompat.v
          # useful ??? [VP] Yes, the hack for making the output compliant with
          # Dp needs >= v8.1
          COQVER=v8.1
          ;;
	*)
	  JESSIELIBCOQ=
	  cp -f lib/coq/WhyCoq8.v lib/coq/WhyCoqCompat.v;;
        esac

	if test "$WHY3" != no ; then
	  AC_MSG_CHECKING(Coq realizations for Why3)
	  WHY3COQPATH=`$WHY3C --print-libdir`/coq
	  if test -f "$WHY3COQPATH/int/Int.vo"; then
	    AC_MSG_RESULT(yes)
	    JESSIEWHY3LIBCOQ="lib/coq/Jessie_memory_model.vo"
	  else
	    AC_MSG_RESULT(no)
	  fi
	fi
	;;
    *)
	COQ=no
	COQMSG="version $COQVERSION not supported"
	AC_MSG_WARN(You need Coq 7.4 or later; Coq support discarded);;
    esac
fi

# PVS
AC_ARG_VAR(PVSC,[pvs command])
AC_PATH_PROG(PVSC,pvs,no)
if test "$PVSC" = no ; then
    PVS=no
    PVSMSG="command 'pvs' not found"
    AC_MSG_WARN(Cannot find PVS.)
else
    PVS=yes
    PVSLIB=`$PVSC -where`/lib
    if test "$PVSLIB" = /lib; then
       AC_MSG_WARN(PVS found but 'pvs -where' did not work)
       PVS=no;
    fi
fi

# substitutions to perform
AC_SUBST(VERBOSEMAKE)
AC_SUBST(EXE)
AC_SUBST(STRIP)
AC_SUBST(CPULIMIT)

AC_SUBST(OCAMLC)
AC_SUBST(OCAMLOPT)
AC_SUBST(OCAMLDEP)
AC_SUBST(OCAMLLEX)
AC_SUBST(OCAMLYACC)
AC_SUBST(OCAMLDOC)
AC_SUBST(OCAMLBEST)
AC_SUBST(OCAMLVERSION)
AC_SUBST(OCAMLWARN)
AC_SUBST(OCAMLV)
AC_SUBST(OCAMLLIB)
AC_SUBST(OCAMLGRAPHLIB)
AC_SUBST(OCAMLWEB)

AC_SUBST(enable_apron)
AC_SUBST(APRONLIB)
AC_SUBST(APRONLIBS)
AC_SUBST(FRAMACPLUGIN)
AC_SUBST(ATPCMO)

AC_SUBST(COQ)
AC_SUBST(COQC7)
AC_SUBST(COQC8)
AC_SUBST(COQDEP)
AC_SUBST(COQLIB)
AC_SUBST(COQVER)
AC_SUBST(WHYLIBCOQ)
AC_SUBST(WHYFLOATS)
AC_SUBST(JESSIELIBCOQ)
AC_SUBST(JESSIEWHY3LIBCOQ)
AC_SUBST(WHY3COQPATH)

AC_SUBST(enable_local)

AC_SUBST(PVS)
AC_SUBST(PVSLIB)

AC_SUBST(FORPACK)

# Finally create the Makefile from Makefile.in
AC_OUTPUT(Makefile)
chmod a-w Makefile

# Summary

echo
echo "                 Summary"
echo "-----------------------------------------"
echo "OCaml version            : $OCAMLVERSION"
echo "OCaml library path       : $OCAMLLIB"
echo "OcamlGraph lib           : $OCAMLGRAPHVER"
echo "Verbose make             : $VERBOSEMAKE"
echo "Inference of annotations : $enable_apron"
if test "$enable_apron" = "yes" ; then
   echo "    APRON lib         : $APRONLIB"
fi
echo "Why3 support             : $WHY3"
if test "$WHY3" = "yes" ; then
   echo "    Binary               : $WHY3C"
   echo "    Version              : $WHY3VERSION"
fi
if test -n "$WHY3MSG" ; then
   echo "    $WHY3MSG"
fi
echo "Frama-C plugin           : $FRAMACPLUGIN"
if test "$FRAMACPLUGIN" = "yes" ; then
   echo "    Binary               : $FRAMAC"
   echo "    Version              : $FRAMACVERSION"
   if test -n "$FRAMACVERSIONMSG" ; then
      echo "    $FRAMACVERSIONMSG"
   fi
fi
if test -n "$FRAMACMSG" ; then
   echo "    $FRAMACMSG"
fi
echo "Coq support (via Why3)   : $COQ"
if test "$COQ" = "yes" ; then
   echo "    Binary               : $COQC"
   echo "    Version              : $COQVER ($COQVERSION)"
   if test "$JESSIEWHY3LIBCOQ" = ""; then
      echo "                         : (Jessie/Why3 Coq proofs disabled, requires Coq realizations for Why3)"
   fi
   echo "    Libraries            : $COQLIB"
fi
if test -n "$COQMSG" ; then
   echo "    $COQMSG"
fi
echo "PVS support (via Why3)   : $PVS"
if test "$PVS" = "yes" ; then
   echo "    Binary               : $PVSC"
   echo "    Libraries            : $PVSLIB"
fi
if test -n "$PVSMSG" ; then
   echo "    $PVSMSG"
fi
echo "Other provers support    : (via Why3)"
why-2.39/README0000644000106100004300000000607313147234006012117 0ustar  marchevals**************************************************************************
*                                                                        *
*  The Why platform for program certification                            *
*                                                                        *
*  Copyright (C) 2002-2017                                               *
*                                                                        *
*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *
*    Claude MARCHE, INRIA & Univ. Paris-sud                              *
*    Yannick MOY, Univ. Paris-sud                                        *
*    Romain BARDOU, Univ. Paris-sud                                      *
*                                                                        *
*  Secondary contributors:                                               *
*                                                                        *
*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *
*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *
*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *
*    Sylvie BOLDO, INRIA              (floating-point support)           *
*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *
*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *
*                                                                        *
*  This software is free software; you can redistribute it and/or        *
*  modify it under the terms of the GNU Lesser General Public            *
*  License version 2.1, with the special exception on linking            *
*  described in file LICENSE.                                            *
*                                                                        *
*  This software is distributed in the hope that it will be useful,      *
*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *
*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *
**************************************************************************

Why is a certification tool.  It takes annotated programs as input and
outputs proof obligations for the proof assistants PVS and Coq.


DOCUMENTATION
=============

The documentation (a  tutorial and a reference manual)  is enclosed in
the subdirectory doc/.

Various examples can be found in the subdirectory examples/.

Mailing lists: there exist two mailing lists for Why and Caduceus
respectively. To subscribe, you need to send an email to

	why-request@serveur-listes.lri.fr
or	caduceus-request@serveur-listes.lri.fr

with "subscribe your@email" in the mail body. These lists are mainly
used to announce the releases of Why and Caduceus. Emails can be sent
to the list at why@serveur-listes.lri.fr and caduceus@serveur-listes.lri.fr. 
Only the lists members can send emails to the list.

COPYRIGHT
=========

This program is distributed under the GNU GPL. 
See the enclosed file COPYING.


INSTALLATION
============

See the enclosed file INSTALL.
why-2.39/frama-c-plugin/0000755000106100004300000000000013147234006014033 5ustar  marchevalswhy-2.39/frama-c-plugin/norm.ml0000644000106100004300000021627713147234006015357 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(* TODO:

   - In both retyping phases that add a level of indirection to locals:
       - Retype variables of structure type
       - Retype variables and fields whose address is taken
     If the returned value dereferences a local, take the returned value in
     a temporary before deallocating memory for the local variable and
     returning. Mostly an issue of consistency: since it is a local variable
     involved, it is retyped as a reference and no check is issued for
     validity of dereference.
     See ex roux3.c from Jessie test base.
     Thanks to Pierre Roux for noting this.

*)


(* Import from Cil *)
open Cil_types
open Cil
open Ast_info
open Extlib

open Visitor

(* Utility functions *)
open Common

let label_here = LogicLabel(None,"Here")

(*****************************************************************************)
(* Retype variables of array type.                                           *)
(*****************************************************************************)

(* TODO: retype predicate \valid_index and \valid_range
 * E.g. in example array.c, "\valid_index(t,1)" for "t" being typed as
 * "int t[3][3]", should be transformed into "\valid_range(t,3,5)".
 *)
class retypeArrayVariables =

  (* Variables originally of array type *)
  let varset = ref Cil_datatype.Varinfo.Set.empty in
  let lvarset = ref Cil_datatype.Logic_var.Set.empty in

  (* Correspondance between variables and "straw" variables, that are used to
   * replace the variable after some changes have been made on the AST,
   * so that further exploration does not change it anymore. The "straw"
   * variables are replaced by regular one before returning the modified AST.
   *)
  let var_to_strawvar = Cil_datatype.Varinfo.Hashtbl.create 17 in
  let strawvar_to_var = Cil_datatype.Varinfo.Hashtbl.create 17 in
  let lvar_to_strawlvar = Cil_datatype.Logic_var.Hashtbl.create 17 in
  let strawlvar_to_lvar = Cil_datatype.Logic_var.Hashtbl.create 17 in

  (* Variables to allocate *)
  let allocvarset = ref Cil_datatype.Varinfo.Set.empty in
  let alloclvarset = ref Cil_datatype.Logic_var.Set.empty in

  (* Remember original array type even after variable modified *)
  let var_to_array_type : typ Cil_datatype.Varinfo.Hashtbl.t = Cil_datatype.Varinfo.Hashtbl.create 0 in
  let lvar_to_array_type = Cil_datatype.Logic_var.Hashtbl.create 17 in

  (* As the rule would be reentrant, do not rely on the fact it is idempotent,
   * and rather change the variable into its "straw" counterpart, as it is
   * done in [preaction_expr]. Also make sure every top expression inside
   * a left-value is an [Info], so that terms that were converted to
   * expressions before treatment can be safely converted back.
   *)
  let preaction_lval (host,off as lv) =
    match host with
      | Var v ->
          if Cil_datatype.Varinfo.Set.mem v !varset then begin
            let strawv = Cil_datatype.Varinfo.Hashtbl.find var_to_strawvar v in
            let loc = Cil_const.CurrentLoc.get() in
            let host = Mem(mkInfo(new_exp ~loc (Lval(Var strawv,NoOffset)))) in
            let off =
              lift_offset (Cil_datatype.Varinfo.Hashtbl.find var_to_array_type v) off
            in
            host, off
          end else
            lv (* For terms, also corresponds to the case for Result *)
      | Mem _ -> lv
  in

  let postaction_lval (host,off as lv) =
    match host with
      | Var strawv ->
          begin try
            let v = Cil_datatype.Varinfo.Hashtbl.find strawvar_to_var strawv in
            Var v, off
          with Not_found -> lv end
      | Mem _ -> lv
  in

  let rec preaction_expr e =
    let loc = e.eloc in
    match e.enode with
    | StartOf(Var v,off) ->
        if Cil_datatype.Varinfo.Set.mem v !varset then begin
          let ty = Cil_datatype.Varinfo.Hashtbl.find var_to_array_type v in
          let strawv = Cil_datatype.Varinfo.Hashtbl.find var_to_strawvar v in
          match lift_offset ty off with
            | NoOffset -> new_exp ~loc (Lval(Var strawv,NoOffset))
            | Index(ie,NoOffset) ->
                let ptrty = TPtr(element_type ty,[]) in
                new_exp ~loc (BinOp(PlusPI,
                               new_exp ~loc (Lval(Var strawv,NoOffset)),
                               ie,ptrty))
            | Index _ | Field _ ->
                (* Field with address taken treated separately *)
                new_exp ~loc
                  (StartOf
                     (Mem(new_exp ~loc (Lval(Var strawv,NoOffset))),off))
        end else e
    | AddrOf(Var v,off) ->
        if Cil_datatype.Varinfo.Set.mem v !varset then
          begin
            let ty = Cil_datatype.Varinfo.Hashtbl.find var_to_array_type v in
            let strawv = Cil_datatype.Varinfo.Hashtbl.find var_to_strawvar v in
            match lift_offset ty off with
              | Index(ie,NoOffset) ->
                  let ptrty = TPtr(element_type ty,[]) in
                  new_exp ~loc
                    (BinOp(PlusPI,
                           new_exp ~loc (Lval(Var strawv,NoOffset)), ie,ptrty))
              | NoOffset ->
                  unsupported "this instance of the address operator cannot be handled"
              | Index _ | Field _ ->
                  (* Field with address taken treated separately *)
                  new_exp ~loc
                    (AddrOf(Mem(new_exp ~loc (Lval(Var strawv,NoOffset))),off))
          end
        else e
    | BinOp(PlusPI,e1,e2,opty) ->
        begin match (stripInfo e1).enode with
          | StartOf(Var v,off) ->
              let rec findtype ty = function
                | NoOffset -> ty
                | Index(_, roff) ->
                    findtype (direct_element_type ty) roff
                | Field _ -> raise Not_found
              in
              if Cil_datatype.Varinfo.Set.mem v !varset then
                let ty = Cil_datatype.Varinfo.Hashtbl.find var_to_array_type v in
                (* Do not replace [v] by [strawv] here, as the sub-expression
                 * [e1] should be treated first. Do it right away so that
                 * the resulting AST is well-typed, which is crucial to apply
                 * this on expressions obtained from terms.
                 *)
                let e1 = preaction_expr e1 in
                let ty = findtype ty off in
                let subty = direct_element_type ty in
                if isArrayType subty then
                  let siz = array_size subty in
                  let e2 =
                    new_exp ~loc:e2.eloc
                      (BinOp(Mult,e2,constant_expr siz,intType)) in
                  new_exp ~loc (BinOp(PlusPI,e1,e2,opty))
                else e
              else e
          | _ -> e
        end
    | _ -> e
  in
object(self)

  inherit Visitor.frama_c_inplace

  method! vvdec v =
    if isArrayType v.vtype && not (Cil_datatype.Varinfo.Set.mem v !varset) then
      begin
        assert (not v.vformal);
        Cil_datatype.Varinfo.Hashtbl.add var_to_array_type v v.vtype;
        let elemty = element_type v.vtype in
        (* Store information that variable was originally of array type *)
        varset := Cil_datatype.Varinfo.Set.add v !varset;
        (* Change the variable type *)
        let newty =
          if Integer.gt (array_size v.vtype) Integer.zero then
            begin
              (* Change the type into "reference" type, that behaves almost like
               * a pointer, except validity is ensured.
               *)
              let size = constant_expr (array_size v.vtype) in
              (* Schedule for allocation *)
              allocvarset := Cil_datatype.Varinfo.Set.add v !allocvarset;
              mkTRefArray(elemty,size,[]);
            end
          else
            (* Plain pointer type to array with zero size *)
            TPtr(v.vtype,[]);
        in
        attach_globaction (fun () -> v.vtype <- newty);
        (* Create a "straw" variable for this variable, with the correct type *)
         let strawv = makePseudoVar newty in
        Cil_datatype.Varinfo.Hashtbl.add var_to_strawvar v strawv;
        Cil_datatype.Varinfo.Hashtbl.add strawvar_to_var strawv v;
      end;
    DoChildren

  method! vlogic_var_decl lv =
    if not (Cil_datatype.Logic_var.Hashtbl.mem lvar_to_strawlvar lv) &&
      app_term_type isArrayType false lv.lv_type then
      begin
        Cil_datatype.Logic_var.Hashtbl.add lvar_to_array_type lv
          (force_app_term_type (fun x -> x) lv.lv_type);
        let elemty = force_app_term_type element_type lv.lv_type in
        lvarset := Cil_datatype.Logic_var.Set.add lv !lvarset;
        let newty =
          if Integer.gt
            (force_app_term_type array_size lv.lv_type)
            Integer.zero
          then
            begin
              let size =
                constant_expr (force_app_term_type array_size lv.lv_type)
              in alloclvarset := Cil_datatype.Logic_var.Set.add lv !alloclvarset;
              mkTRefArray(elemty,size,[])
            end
          else TPtr(elemty,[])
        in attach_globaction (fun () -> lv.lv_type <- Ctype newty);
        let strawlv = match lv.lv_origin with
            None -> make_temp_logic_var (Ctype newty)
          | Some v -> cvar_to_lvar (Cil_datatype.Varinfo.Hashtbl.find var_to_strawvar v)
        in
        Cil_datatype.Logic_var.Hashtbl.add lvar_to_strawlvar lv strawlv;
        Cil_datatype.Logic_var.Hashtbl.add strawlvar_to_lvar strawlv lv
      end;
      DoChildren

  method! vglob_aux g = match g with
    | GVar(v,_init,_loc) ->
        (* Make sure variable declaration is treated before definition *)
        ignore (Cil.visitCilVarDecl (self:>Cil.cilVisitor) v);
        if Cil_datatype.Varinfo.Set.mem v !allocvarset then
          (* Allocate memory for new reference variable *)
          let ty = Cil_datatype.Varinfo.Hashtbl.find var_to_array_type v in
          let size = array_size ty in
(* Disabled: anyway, it is useless to generate code for that,
   a post-condition should be generated instead (bts0284)
          let elemty = element_type ty in
          let ast = mkalloc_array_statement v elemty (array_size ty) loc in
          attach_globinit ast;
*)
          (* Define a global validity invariant *)
          let p =
            Logic_const.pvalid_range
              ~loc:v.vdecl
              (label_here,
               variable_term v.vdecl (cvar_to_lvar v),
               constant_term v.vdecl Integer.zero,
               constant_term v.vdecl (Integer.pred size))
          in
          let globinv =
	    Cil_const.make_logic_info (unique_logic_name ("valid_" ^ v.vname)) in
          globinv.l_labels <- [ label_here ];
          globinv.l_body <- LBpred p;
          attach_globaction (fun () -> Logic_utils.add_logic_function globinv);
          ChangeTo [g;GAnnot(Dinvariant (globinv,v.vdecl),v.vdecl)]
        else DoChildren
    | GVarDecl _ | GFunDecl _ | GFun _ | GAnnot _ -> DoChildren
    | GCompTag _ | GType _ | GCompTagDecl _ | GEnumTagDecl _
    | GEnumTag _ | GAsm _ | GPragma _ | GText _ -> SkipChildren

  method! vfunc f =
    (* First change type of local array variables *)
    List.iter (ignore $ Cil.visitCilVarDecl (self:>Cil.cilVisitor)) f.slocals;
    List.iter (ignore $ Cil.visitCilVarDecl (self:>Cil.cilVisitor)) f.sformals;
    (* Then allocate/deallocate memory for those that need it *)
    List.iter (fun v ->
      if Cil_datatype.Varinfo.Set.mem v !allocvarset then
        let ty = Cil_datatype.Varinfo.Hashtbl.find var_to_array_type v in
        let elemty = element_type ty in
        let ast = mkalloc_array_statement v elemty
          (Integer.to_int64 (array_size ty)) v.vdecl
        in
        add_pending_statement ~beginning:true ast;
        let fst = mkfree_statement v v.vdecl in
        add_pending_statement ~beginning:false fst
    ) f.slocals;
    DoChildren

  method! vlval lv =
    ChangeDoChildrenPost (preaction_lval lv, postaction_lval)

  method! vterm_lval lv =
    do_on_term_lval (Some preaction_lval, Some postaction_lval) lv

  method! vexpr e =
    ChangeDoChildrenPost (preaction_expr e, fun x -> x)

  method! vterm =
    do_on_term (Some preaction_expr, None)

end

let retype_array_variables file =
  (* Enforce the prototype of malloc to exist before visiting anything.
     It might be useful for allocation pointers from arrays
  *)
  ignore (Common.malloc_function ());
  ignore (Common.free_function ());
  let visitor = new retypeArrayVariables in
  visit_and_push_statements visit_and_update_globals visitor file


(*****************************************************************************)
(* Retype logic functions/predicates with structure parameters or return.    *)
(*****************************************************************************)

let model_fields_table = Hashtbl.create 7

let model_fields compinfo =
  (* Format.eprintf "looking in model_fields_table for %s@." compinfo.cname; *)
  try
    Hashtbl.find model_fields_table compinfo.ckey
  with Not_found -> []


(* logic parameter:
 * - change parameter type to pointer to structure
 * - change uses of parameters in logical annotations
 * TODO: take care of logic variables introduced by let.
 *)
class retypeLogicFunctions =

  let varset = ref Cil_datatype.Logic_var.Set.empty in
  let this_name : string ref = ref "" in
  let change_this_type = ref false in  (* Should "this" change? *)
  let new_result_type = ref (Ctype voidType) in
  let change_result_type = ref false in (* Should Result change? *)

  let var lv =
    match lv.lv_type with
      | Ltype _ | Lvar _ | Linteger | Lreal | Larrow _ -> ()
      | Ctype ty ->
          if isStructOrUnionType ty then
            unsupported "Jessie plugin does not support struct or union as parameter to logic functions. Please use a pointer instead."
                      (*
          if isStructOrUnionType ty then
            begin
              varset := Cil_datatype.Logic_var.Set.add lv !varset;
              lv.lv_type <- Ctype(mkTRef ty);
              match lv.lv_origin with
                | None -> ()
                | Some v ->
                    (* For some obscure reason, logic function/predicate
                     * parameters are C variables.
                     *)
                    v.vtype <- mkTRef ty
            end
                      *)
  in

  let postaction_term_lval (host,off) =
    let host = match host with
      | TVar lv ->
          (* Oddly, "this" variable in type invariant is not declared
             before use. Change its type on the fly.
          *)
          if !change_this_type && lv.lv_name = !this_name then
            var lv;
          if Cil_datatype.Logic_var.Set.mem lv !varset then
            let tlval =
              mkterm (TLval(host,TNoOffset)) lv.lv_type
                (Cil_const.CurrentLoc.get())
            in
            TMem tlval
          else host
      | TResult _ ->
          if !change_result_type then
            match !new_result_type with
                Ctype typ ->
                  let tlval = Logic_const.tresult typ in TMem tlval
              | _ -> assert false (* result type of C function
                                     must be a C type*)
          else host
      | TMem _t -> host
    in
    host, off
  in
object

  inherit Visitor.frama_c_inplace

  method! vannotation =
    let return_type ty =
      change_result_type := false;
      match ty with
        | Ctype rt when isStructOrUnionType rt ->
            begin
              change_result_type := true;
              let ty = Ctype(mkTRef rt "Norm.vannotation") in
              new_result_type := ty;
              ty
            end
        | Ctype _ | Ltype _ | Lvar _ | Linteger | Lreal | Larrow _ -> ty
    in
    let annot = function
      | Dfun_or_pred (li,loc) ->
          List.iter var li.l_profile;
          begin
            match li.l_type with
              | None -> DoChildren
              | Some rt ->
                  let li' = { li with l_type = Some (return_type rt)}  in
                  ChangeDoChildrenPost (Dfun_or_pred (li',loc), fun x -> x)
          end
      | Dtype_annot (annot,loc) ->
          begin match (List.hd annot.l_profile).lv_type with
            | Ctype ty when isStructOrUnionType ty ->
                change_this_type := true;
                this_name := (List.hd annot.l_profile).lv_name;
                let annot = { annot with
                                l_profile = [{ (List.hd annot.l_profile) with
                                                 lv_type = Ctype(mkTRef ty "Norm.annot, Dtype_annot")}];
                }
                in
                ChangeDoChildrenPost
                  (Dtype_annot (annot,loc), fun x -> change_this_type := false; x)
            | Ctype _ | Ltype _ | Lvar _ | Linteger | Lreal | Larrow _ ->
                DoChildren
          end
      | Dtype _ | Dlemma _ | Dinvariant _ | Dvolatile _  -> DoChildren
      | Daxiomatic _ -> DoChildren (* FIXME: correct ? *)
      | Dmodel_annot (mi,_) ->
          begin
            match unrollType mi.mi_base_type with
              | TComp (ci, _, _) ->
                  begin
                    let l =
                      try Hashtbl.find model_fields_table ci.ckey
                      with Not_found -> []
                    in
                    (* Format.eprintf "filling model_fields_table for %s@." ci.cname; *)
                    Hashtbl.replace model_fields_table ci.ckey (mi::l)
                  end
              | _ ->
              Common.unsupported "model field only on structures"
          end;
          DoChildren (* FIXME: correct ? *)
      | Dcustom_annot _ -> DoChildren (* FIXME: correct ? *)
    in annot

  method! vterm_lval tlv =
    ChangeDoChildrenPost (tlv, postaction_term_lval)

  method! vterm t =
    let preaction_term t =
      match t.term_node with
        | Tapp(callee,labels,args) ->
            let args = List.map (fun arg ->
              (* Type of [arg] has not been changed. *)
              match arg.term_type with
                | Ltype _ | Lvar _ | Linteger | Lreal | Larrow _ -> arg
                | Ctype ty ->
                    if isStructOrUnionType ty then
                      match arg.term_node with
                        | TLval lv ->
                            (* Arguments translated under address here may
                             * be translated back to dereference when treating
                             * left-values. This is why we add a normalization
                             * in [postaction_term]. *)
                            {
                              arg with
                                term_node = TAddrOf lv;
                                term_type = Ctype(mkTRef ty "Norm.vterm");
                            }
                        | _ -> assert false (* Should not be possible *)
                    else arg
            ) args in
            { t with term_node = Tapp(callee,labels,args); }
        | _ -> t
    in
    (* Renormalize the term tree. *)
    let postaction_term t =
      match t.term_node with
        | TAddrOf(TMem t,TNoOffset) -> t
        | _ -> t
    in
    ChangeDoChildrenPost (preaction_term t, postaction_term)

  method! vpredicate p =
    match p.pred_content with
    | Papp(callee,labels,args) ->
        let args = List.map (fun arg ->
          (* Type of [arg] has not been changed. *)
          match arg.term_type with
            | Ltype _ | Lvar _ | Linteger | Lreal | Larrow _ -> arg
            | Ctype ty ->
                if isStructOrUnionType ty then
                  match arg.term_node with
                    | TLval lv ->
                        {
                          arg with
                            term_node = TAddrOf lv;
                            term_type = Ctype(mkTRef ty "Norm.vpredicate");
                        }
                    | _ -> assert false (* Should not be possible *)
                else arg
        ) args in
        ChangeDoChildrenPost (Logic_const.papp(callee,labels,args), fun x -> x)
    | _ -> DoChildren

end

let retype_logic_functions file =
  let visitor = new retypeLogicFunctions in
  visitFramacFile visitor file


(*****************************************************************************)
(* Expand structure copying through parameter, return or assignment.         *)
(*****************************************************************************)

let return_vars = Cil_datatype.Varinfo.Hashtbl.create 17

(* parameter:
 * - if function defined, add local copy variable of structure type
 * - change parameter type to pointer to structure
 * - change type at call-site to take address of structure arguments
 * - change uses of parameters in logical annotations
 * return:
 * - change return type to pointer to structure
 * - add temporary variable for call
 * - free allocated memory for return after call
 * assignment:
 * - recursively decompose into elementary assignments
 *)
class expandStructAssign () =

  let pairs = ref [] in
  let new_return_type = ref None in
  let return_var = ref None in

  let postaction_term_lval (host,off) =
    let host = match host with
      | TResult _ ->
          begin match !new_return_type with
              None -> host
            | Some rt ->
            let tlval = Logic_const.tresult rt in TMem tlval
          end
      | TVar v ->
          begin match v.lv_origin with
          | None -> host
              (* TODO: recognize \result variable, and change its use if
                 of reference type here. *)
          | Some cv ->
              try
                let newv = List.assoc cv !pairs in
                let newlv = cvar_to_lvar newv in
                (* Type of [newv] is set at that point. *)
                let tlval =
                  mkterm (TLval(TVar newlv,TNoOffset)) (Ctype newv.vtype)
                    (Cil_const.CurrentLoc.get())
                in
                TMem tlval
              with Not_found -> TVar v
          end
      | TMem _t -> host
    in
    host, off
  in

  let rec expand_assign lv e ty loc =
    match unrollType ty with
      | TComp(mcomp,_,_) ->
          let field fi =
            let newlv = addOffsetLval (Field(fi,NoOffset)) lv in
            let newe = match e.enode with
              | Lval elv ->
                  new_exp ~loc:e.eloc
                    (Lval(addOffsetLval (Field(fi,NoOffset)) elv))
              | _ ->
                  (* Other possibilities like [CastE] should have been
                     transformed at this point. *)
                  assert false
            in
            expand_assign newlv newe fi.ftype loc
          in
          List.flatten (List.map field mcomp.cfields)
      | TArray _ ->
          let elem i =
            let cste = constant_expr i in
            let newlv = addOffsetLval (Index(cste,NoOffset)) lv in
            let newe = match e.enode with
              | Lval elv ->
                  new_exp ~loc:e.eloc
                    (Lval (addOffsetLval (Index(cste,NoOffset)) elv))
              | _ ->
                  (* Other possibilities like [CastE] should have been
                     transformed at this point. *)
                  assert false
            in
            expand_assign newlv newe (direct_element_type ty) loc
          in
          let rec all_elem acc i =
            if Integer.ge i Integer.zero
            then all_elem (elem i @ acc) (Integer.pred i)
            else acc
          in
          assert (not (is_reference_type ty));
          all_elem [] (Integer.pred (direct_array_size ty))
      | _ -> [Set (lv, e, loc)]
  in

  let rec expand lv ty loc =
    match unrollType ty with
      | TComp(mcomp,_,_) ->
          let field fi =
            let newlv = addOffsetLval (Field(fi,NoOffset)) lv in
            expand newlv fi.ftype loc
          in
          List.flatten (List.map field mcomp.cfields)
      | TArray _ ->
          let elem i =
            let cste = constant_expr i in
            let newlv = addOffsetLval (Index(cste,NoOffset)) lv in
            expand newlv (direct_element_type ty) loc
          in
          let rec all_elem acc i =
            if Integer.ge i Integer.zero then
              all_elem (elem i @ acc) (Integer.pred i)
            else acc
          in
          assert (not (is_reference_type ty));
          all_elem [] (Integer.pred (direct_array_size ty))
      | _ -> [ lv ]
  in

object(self)

  inherit Visitor.frama_c_inplace
  method! vglob_aux =
    let retype_func fvi =
      let formal (n,ty,a) =
        let ty =
          if isStructOrUnionType ty then mkTRef ty "Norm.vglob_aux" else ty
        in
        n, ty, a
      in
      let rt,params,isva,a = splitFunctionTypeVI fvi in
      let params = match params with
        | None -> None
        | Some p -> Some(List.map formal p)
      in
      let rt =
        if isStructOrUnionType rt then
          mkTRef rt "Norm.vglob_aux(2)"
        else rt
      in
      fvi.vtype <- TFun(rt,params,isva,a)
    in
    function
      | GFunDecl(_,v,_attr)
      | GVarDecl((*_spec,*)v,_attr) ->
          if isFunctionType v.vtype && not v.vdefined then retype_func v;
          DoChildren
      | GFun _
      | GAnnot _ -> DoChildren
      | GVar _  | GCompTag _ | GType _ | GCompTagDecl _ | GEnumTagDecl _
      | GEnumTag _ | GAsm _ | GPragma _ | GText _ -> SkipChildren

  method! vfunc f =
    let var v =
      if isStructOrUnionType v.vtype then
        let newv = copyVarinfo v (unique_name ("v_" ^ v.vname)) in
        newv.vtype <- mkTRef newv.vtype "Norm.vfunc";
        v.vformal <- false;
        let rhs =
          new_exp ~loc:v.vdecl
            (Lval
               (mkMem
                  (new_exp ~loc:v.vdecl (Lval(Var newv,NoOffset))) NoOffset))
        in
        let copy = mkassign_statement (Var v,NoOffset) rhs v.vdecl in
        add_pending_statement ~beginning:true copy;
        pairs := (v,newv) :: !pairs;
        [v], newv
      else
        [], v
    in
    (* Insert copy statements. *)
    let locvl,formvl = List.split (List.map var f.sformals) in
    (* Set locals and formals. *)
    let locvl = List.flatten locvl in
    f.slocals <- locvl @ f.slocals;
    setFormals f formvl;
    (* Add local variable for return *)
    let rt = getReturnType f.svar.vtype in
    if isStructOrUnionType rt then
      let rv = makeTempVar (Extlib.the self#current_func) rt in
      return_var := Some rv;
      Cil_datatype.Varinfo.Hashtbl.add return_vars rv ()
    else
      return_var := None;
    (* Change return type. *)
    new_return_type :=
      if isStructOrUnionType rt then Some(mkTRef rt "Norm.vfunc(3)") else None;
    let rt = if isStructOrUnionType rt then mkTRef rt "Norm.vfunc(4)" else rt in
    setReturnType f rt;
    DoChildren

  method! vbehavior b =
    let lval loc lv = expand lv (typeOfLval lv) loc in
    let term t = match t.term_node with
      | TLval tlv ->
          let lv,env = Common.force_term_lval_to_lval tlv in
          let lvlist = lval t.term_loc lv in
          let tslvlist =
            List.map (Common.force_back_lval_to_term_lval env)
              lvlist
          in
          List.map (fun
                      tslv ->
                        Logic_const.term ~loc:t.term_loc (TLval tslv)
                          t.term_type
                   ) tslvlist
      | Tempty_set -> [ t ]
          (* most of the case below are still to do*)
      | TStartOf _
      | TConst _
      | TCastE _
      | TLogic_coerce _
      | Tat _
      | TAddrOf _
      | Tapp _
      | Trange _
      | Tunion _
      | Tinter _
      | Tcomprehension _
      | Tif _
      | Tnull -> [ t ]
        (* those cases can not appear as assigns *)
      | TSizeOf _ | TSizeOfE _ | TSizeOfStr _ | TAlignOf _ | TAlignOfE _
      | Tlambda _ | TDataCons _ | Tbase_addr _ | TBinOp _ | TUnOp _
      | Tblock_length _ | TCoerce _ | TCoerceE _ | TUpdate _
      | Ttypeof _ | Ttype _ | Tlet _ | Toffset _ -> assert false
    in
    let zone idts =
      List.map Logic_const.new_identified_term (term idts.it_content)
    in
    let assign (z,froms) =
      let zl = zone z in
      let froms =
        match froms with
            FromAny -> froms
          | From l -> From (List.flatten (List.map zone l))
      in
      List.map (fun z -> z, froms) zl
    in
    let assigns = (* b.b_assigns *)
      (* the following may stop completely the execution of the plugin ??? *)
      (**)
      (match b.b_assigns with
          WritesAny -> WritesAny
        | Writes l -> Writes (List.flatten (List.map assign l)))
      (**)
    in
(*    Format.eprintf "[Norm.vbehavior] b_allocation = ";
    begin
      match b.b_allocation with
        | FreeAllocAny ->
            Format.eprintf "FreeAllocAny@."
        | FreeAlloc(l1,l2) ->
            Format.eprintf "FreeAlloc(%d,%d)@." (List.length l1) (List.length l2)
    end;
*)
    let new_bhv =
      Cil.mk_behavior
        ~name:b.b_name
        ~requires:b.b_requires
        ~assumes:b.b_assumes
        ~post_cond:b.b_post_cond
        ~assigns:assigns
        ~allocation:b.b_allocation
        ()
    in
    ChangeDoChildrenPost(new_bhv,fun x -> x)

  method! vstmt_aux s = match s.skind with
    | Return(Some e,loc) ->
        (* Type of [e] has not been changed by retyping formals and return. *)
        if isStructOrUnionType (typeOf e) then
(*           match e with *)
(*             | Lval lv -> *)
(*                 let skind = Return(Some(Cabs2cil.mkAddrOfAndMark lv),loc) in *)
(*                 ChangeTo { s with skind = skind; } *)
(*             | _ -> assert false (\* Should not be possible *\) *)
          let lv = Var(the !return_var),NoOffset in
          let ret =
            mkStmt (Return(Some(Cabs2cil.mkAddrOfAndMark loc lv),loc))
          in
          let assigns = expand_assign lv e (typeOf e) loc in
          let assigns = List.map (fun i -> mkStmt(Instr i)) assigns in
          let block = Block (mkBlock (assigns @ [ret])) in
          ChangeTo { s with skind = block }
        else SkipChildren
    | _ -> DoChildren

  method! vinst f =
    match f with
      | Set(lv,e,loc) ->
          (* Type of [e] has not been changed by retyping formals and return. *)
          if isStructOrUnionType (typeOf e) then
            ChangeTo (expand_assign lv e (typeOf e) loc)
          else SkipChildren
      | Local_init(vi,li,loc) ->
         (* borrowed from [kernel_services/ast_queries/cil.mli] *)
         let rec myInit (lv: lval) (i: init) (acc: 'a) : 'a =
           match i with
           | SingleInit e ->  Set(lv,e,loc) :: acc
           | CompoundInit (ct, initl) ->
              foldLeftCompound
                ~implicit:false
                ~doinit:(fun off' i' _t' acc ->
                         myInit (addOffsetLval off' lv) i' acc)
                ~ct
                ~initl
                ~acc
         in
         begin
           match li with
           | AssignInit init ->
              let lv = (Var vi,NoOffset) in
              let x = myInit lv init [] in
              ChangeTo x
           | ConsInit(f,args,kind) ->
              let call =
                Cil.treat_constructor_as_func
                  (fun lvopt e args loc -> Call(lvopt,e,args,loc))
                  vi f args kind loc
              in
              ChangeTo [call]
         end
      | Call(lvo,callee,args,loc) ->
          let args = List.map (fun arg ->
            (* Type of [arg] has not been changed. *)
            if isStructOrUnionType (typeOf arg) then
              match arg.enode with
              | Lval lv -> Cabs2cil.mkAddrOfAndMark loc lv
              | _ -> assert false (* Should not be possible *)
            else arg
          ) args in
          begin match lvo with
            | None ->
                (* TODO: free memory for structure return, even if not used.
                   Check that no temporary is added in every case, which would
                   make treatment here useless. *)
                let call = Call (lvo, callee, args, loc) in
                ChangeTo [call]
            | Some lv ->
                (* Type of [lv] has not been changed. *)
                let lvty = typeOfLval lv in
                if isStructOrUnionType lvty then
                  let tmpv =
                    makeTempVar
                      (Extlib.the self#current_func) (mkTRef lvty "Norm.vinst")
                  in
                  let tmplv = Var tmpv, NoOffset in
                  let call = Call(Some tmplv,callee,args,loc) in
                  let deref =
                    new_exp ~loc
                      (Lval
                         (mkMem
                            (new_exp ~loc (Lval(Var tmpv,NoOffset))) NoOffset))
                  in
                  let assign = mkassign lv deref loc in
                  let free = mkfree tmpv loc in
                  ChangeTo [call;assign;free]
                else
                  let call = Call(lvo,callee,args,loc) in
                  ChangeTo [call]
          end
      | Asm _ | Skip _ -> SkipChildren
      | Code_annot _ -> assert false

  method! vterm_lval tlv =
    ChangeDoChildrenPost (tlv, postaction_term_lval)

  method! vterm t =
    (* Renormalize the term tree. *)
    let postaction t =
      match t.term_node with
        | TAddrOf(TMem t,TNoOffset) -> t
        | _ -> t
    in
    ChangeDoChildrenPost (t, postaction)

end

let expand_struct_assign file =
  let visitor = new expandStructAssign () in
  visitFramacFile (visit_and_push_statements_visitor visitor) file


(*****************************************************************************)
(* Retype variables of structure type.                                       *)
(*****************************************************************************)

(* DO NOT CHANGE neither formal parameters nor return type of functions.
 *
 * global variable:
 * - change type to reference to structure
 * - prepend allocation in [globinit] function
 * - changes left-values to reflect new type
 * local variable:
 * - change type to reference to structure
 * - prepend allocation at function entry
 * - TODO: postpend release at function exit
 * - changes left-values to reflect new type
 *)

class retypeStructVariables =

  let varset = ref Cil_datatype.Varinfo.Set.empty in
  let lvarset = ref Cil_datatype.Logic_var.Set.empty in

  let postaction_lval (host,off) =
    let host = match host with
      | Var v ->
          if Cil_datatype.Varinfo.Set.mem v !varset then
            Mem(mkInfo(new_exp ~loc:(Cil_const.CurrentLoc.get())
                         (Lval(Var v,NoOffset))))
          else
            Var v
      | Mem _e -> host
    in
    host, off
  in
  let postaction_tlval (host,off) =
    let add_deref host v =
      TMem(mkterm (TLval (host,TNoOffset)) v.lv_type
             (Cil_const.CurrentLoc.get()))
    in
    let host = match host with
      | TVar v ->
          if Cil_datatype.Logic_var.Set.mem v !lvarset then
            add_deref host v
          else
            Extlib.may_map
              (fun cv ->
                 if Cil_datatype.Varinfo.Set.mem cv !varset then
                   add_deref host v
                 else host
              ) ~dft:host v.lv_origin
      | TMem _ | TResult _ -> host
    in
    host, off
  in
object(self)

  inherit Visitor.frama_c_inplace

  method! vvdec v =
    if isStructOrUnionType v.vtype && not v.vformal then
      begin
        v.vtype <- mkTRef v.vtype "Norm.vvdec";
        varset := Cil_datatype.Varinfo.Set.add v !varset
      end;
    DoChildren

  method! vquantifiers vl =
    List.iter (fun v ->
                 (* Only iterate on logic variable with C type *)
                 if app_term_type (fun _ -> true) false v.lv_type then
                   match v.lv_origin with
                     | None -> ()
                     | Some v -> ignore (self#vvdec v)
                 else ()
              ) vl;
    DoChildren

  method! vlogic_var_decl v =
    let newty =
      app_term_type
        (fun ty ->
           Ctype (if isStructOrUnionType ty then mkTRef ty "Norm.vlogic_var_decl" else ty))
        v.lv_type v.lv_type
    in
    v.lv_type <- newty;
    DoChildren

  method! vglob_aux = function
    | GVar (_,_,_) as g ->
        let postaction = function
          | [GVar (v,_,_)] ->
              if Cil_datatype.Varinfo.Set.mem v !varset then
                (* Allocate memory for new reference variable *)
(* Disabled, see BTS 0284
                let ast = mkalloc_statement v (pointed_type v.vtype) v.vdecl in
                attach_globinit ast;
*)
                (* Define a global validity invariant *)
                let p =
                  Logic_const.pvalid_range
                    ~loc:v.vdecl
                    (label_here,
                     variable_term v.vdecl (cvar_to_lvar v),
                     constant_term v.vdecl Integer.zero,
                     constant_term v.vdecl Integer.zero)
                in
                let globinv =
		  Cil_const.make_logic_info (unique_logic_name ("valid_" ^ v.vname))
		in
                globinv.l_labels <- [ label_here ];
                globinv.l_body <- LBpred p;
                attach_globaction
		  (fun () -> Logic_utils.add_logic_function globinv);
                [g; GAnnot(Dinvariant (globinv,v.vdecl),v.vdecl)]
              else [g]
          | _ -> assert false
        in
        ChangeDoChildrenPost ([g], postaction)
    | GVarDecl _ | GFunDecl _ | GFun _ | GAnnot _ -> DoChildren
    | GCompTag _ | GType _ | GCompTagDecl _ | GEnumTagDecl _
    | GEnumTag _ | GAsm _ | GPragma _ | GText _ -> SkipChildren

  method! vfunc f =
    (* First change type of local structure variables *)
    List.iter (ignore $ Cil.visitCilVarDecl (self:>Cil.cilVisitor)) f.slocals;
    List.iter (ignore $ Cil.visitCilVarDecl (self:>Cil.cilVisitor)) f.sformals;
    (* Then allocate/deallocate memory for those that need it *)
    List.iter (fun v ->
      if Cil_datatype.Varinfo.Set.mem v !varset then
        let ast = mkalloc_statement v (pointed_type v.vtype) v.vdecl in
        add_pending_statement ~beginning:true ast;
        (* do not deallocate variable used in returning a structure *)
        if not (Cil_datatype.Varinfo.Hashtbl.mem return_vars v) then
          let fst = mkfree_statement v v.vdecl in
          add_pending_statement ~beginning:false fst
    ) f.slocals;
    DoChildren

  method! vlval lv =
    ChangeDoChildrenPost (lv, postaction_lval)

  method! vterm_lval lv = ChangeDoChildrenPost(lv, postaction_tlval)

  method! vexpr e =
    (* Renormalize the expression tree. *)
    let postaction e = match e.enode with
      | AddrOf(Mem e,NoOffset) -> e
      | _ -> e
    in
    ChangeDoChildrenPost (e, postaction)

  method! vterm t =
    (* Renormalize the term tree. *)
    let postaction t =
      match t.term_node with
        | TAddrOf(TMem t,TNoOffset) -> t
        | _ -> t
    in
    ChangeDoChildrenPost (t, postaction)

end

let retype_struct_variables file =
  let visitor = new retypeStructVariables in
  visit_and_push_statements visit_and_update_globals visitor file


(*****************************************************************************)
(* Retype variables and fields whose address is taken.                       *)
(*****************************************************************************)

(* global variable:
 * - change type from [t] to [t*]
 * - prepend allocation in [globinit] function
 * local variable:
 * - change type from [t] to [t*]
 * - prepend allocation at function entry
 * - TODO: postpend release at function exit
 * formal parameter:
 * - make it a local variable, with previous treatment
 * - replace by a new parameter with same type
 * - prepend initialisation at function entry, after allocation
 * - TODO: decide whether formal parameter address can be taken in
 *   annotations. Currently, if address only taken in annotations,
 *   [vaddrof] would not be set. Plus there is no easy means of translating
 *   such annotation to Jessie.
 * field:
 * - change type from [t] to [t*]
 * - TODO: allocation/release
 *)
class retypeAddressTaken =

  let varset = ref Cil_datatype.Varinfo.Set.empty in
  let lvarset = ref Cil_datatype.Logic_var.Set.empty in
  let fieldset = ref Cil_datatype.Fieldinfo.Set.empty in

  let retypable_var v =
    v.vaddrof
    && not (isArrayType v.vtype)
    && not (is_reference_type v.vtype)
  in
  let retypable_lvar v =
    match v.lv_origin with None -> false | Some v -> retypable_var v
  in
  (* Only retype fields with base/pointer type, because fields of
   * struct/union type will be retyped in any case later on.
   *)
  let retypable_field fi =
    fi.faddrof
    && not (is_reference_type fi.ftype)
    && not (isArrayType fi.ftype)
    && not (isStructOrUnionType fi.ftype)
  in
  let retype_var v =
    if retypable_var v then
      begin
        v.vtype <- mkTRef v.vtype "Norm.retype_var";
        assert (isPointerType v.vtype);
        varset := Cil_datatype.Varinfo.Set.add v !varset
      end
  in
  let retype_lvar v =
    if retypable_lvar v then begin
      v.lv_type <- Ctype (force_app_term_type (fun x -> mkTRef x "Norm.retyp_lvar") v.lv_type);
      lvarset := Cil_datatype.Logic_var.Set.add v !lvarset
    end
  in
  let retype_field fi =
    if retypable_field fi then
      begin
        fi.ftype <- mkTRef fi.ftype "Norm.retype_field";
        assert (isPointerType fi.ftype);
        fieldset := Cil_datatype.Fieldinfo.Set.add fi !fieldset
      end
  in

  let postaction_lval (host,off) =
    let host = match host with
      | Var v ->
          if Cil_datatype.Varinfo.Set.mem v !varset then
            begin
              assert (isPointerType v.vtype);
              Mem(mkInfo
                    (new_exp ~loc:(Cil_const.CurrentLoc.get())
                       (Lval(Var v,NoOffset))))
            end
          else host
      | Mem _e -> host
    in
    (* Field retyped can only appear as the last offset, as it is of
     * base/pointer type.
     *)
    match lastOffset off with
    | Field(fi,_) ->
        if Cil_datatype.Fieldinfo.Set.mem fi !fieldset then
          (assert (isPointerType fi.ftype);
          mkMem
            (mkInfo
               (new_exp
                  ~loc:(Cil_const.CurrentLoc.get())
                  (Lval(host,off)))) NoOffset)
        else
          host,off
    | _ ->
        host,off
  in

  let postaction_tlval (host,off) =
    let add_deref host ty =
      force_app_term_type (fun ty -> assert (isPointerType ty)) ty;
      TMem(mkterm (TLval (host,TNoOffset)) ty (Cil_const.CurrentLoc.get()))
    in
    let host = match host with
      | TVar v ->
          if Cil_datatype.Logic_var.Set.mem v !lvarset then
            add_deref host v.lv_type
          else
            Extlib.may_map
              (fun cv ->
                 if Cil_datatype.Varinfo.Set.mem cv !varset then
                   add_deref host (Ctype cv.vtype)
                 else host
              ) ~dft:host v.lv_origin
      | TResult _ | TMem _ -> host
    in match Logic_const.lastTermOffset off with
      | TField (fi,_) ->
          if Cil_datatype.Fieldinfo.Set.mem fi !fieldset then
            (TMem
               (Logic_const.term (TLval(host,off)) (Ctype fi.ftype)),TNoOffset)
          else host,off
      | TModel _ | TIndex _ | TNoOffset -> host,off
  in
  let postaction_expr e = match e.enode with
    | AddrOf(Var _v,NoOffset) ->
        unsupported "cannot take address of a function"
          (* Host should have been turned into [Mem] *)
    | AddrOf(Mem e1,NoOffset) ->
        e1
    | AddrOf(_host,off) ->
        begin match lastOffset off with
          | Field(fi,_) ->
              if Cil_datatype.Fieldinfo.Set.mem fi !fieldset then
                (* Host should have been turned into [Mem], with NoOffset *)
                assert false
              else
                e
          | Index _ -> e
          | NoOffset -> assert false (* Should be unreachable *)
        end
    | _ -> e
  in
  let postaction_term t = match t.term_node with
    | TAddrOf((TVar _ | TResult _), TNoOffset) -> assert false
    | TAddrOf(TMem t1,TNoOffset) -> t1
    | TAddrOf(_,off) ->
        begin match Logic_const.lastTermOffset off with
          | TField(fi,_) ->
              if Cil_datatype.Fieldinfo.Set.mem fi !fieldset then assert false
              else t
          | TModel _ -> Common.unsupported "Model field"
          | TIndex _ -> t
          | TNoOffset -> assert false (*unreachable*)
        end
    | _ -> t
  in
  let varpairs : (varinfo * varinfo) list ref = ref [] in
  let in_funspec = ref false in
object

  inherit Visitor.frama_c_inplace

  method! vglob_aux = function
    | GVar(v,_,_) ->
        if retypable_var v then
          begin
            retype_var v;
(* Disabled, see BTS 0284
            let ast = mkalloc_statement v (pointed_type v.vtype) v.vdecl in
            attach_globinit ast
*)
          end;
        SkipChildren
    | GVarDecl (v,_) ->
        (* No problem with calling [retype_var] more than once, since
           subsequent calls do nothing on reference type. *)
        if not (isFunctionType v.vtype || v.vdefined) then retype_var v;
        SkipChildren
    | GFunDecl _ -> SkipChildren
    | GFun _ -> DoChildren
    | GAnnot _ -> DoChildren
    | GCompTag(compinfo,_loc) ->
        List.iter retype_field compinfo.cfields;
        SkipChildren
    | GType _ | GCompTagDecl _ | GEnumTagDecl _ | GEnumTag _
    | GAsm _ | GPragma _ | GText _ -> SkipChildren

  method! vfunc f =
    (* Change types before code. *)
    let formals,locals,pairs =
      List.fold_right (fun v (fl,ll,pl) ->
        if retypable_var v then
          let newv = copyVarinfo v ("v_" ^ v.vname) in
          newv.vaddrof <- false;
          v.vformal <- false;
          (newv::fl,v::ll,(v,newv)::pl)
        else (v::fl,ll,pl)
      ) f.sformals ([],[],[])
    in

    varpairs := pairs;
    setFormals f formals;
    f.slocals <- locals @ f.slocals;
    List.iter retype_var f.slocals;

    List.iter (fun v ->
      (* allocate/deallocate locals *)
      if Cil_datatype.Varinfo.Set.mem v !varset then
        begin
          let ast = mkalloc_statement v (pointed_type v.vtype) v.vdecl in
          add_pending_statement ~beginning:true ast;
          (* do not deallocate variable used in returning a structure *)
          if not (Cil_datatype.Varinfo.Hashtbl.mem return_vars v) then
            let fst = mkfree_statement v v.vdecl in
            add_pending_statement ~beginning:false fst
        end;
      (* allocate/deallocate formals *)
      begin try
        let loc = v.vdecl in
        (* [varpairs] holds pairs of (local,formal) to initialize due to
         * the transformation for formals whose address is taken.
         *)
        let fv = List.assoc v !varpairs in
        let lhs = mkMem (new_exp ~loc (Lval(Var v,NoOffset))) NoOffset in
        let rhs = new_exp ~loc (Lval(Var fv,NoOffset)) in
        let assign = mkassign_statement lhs rhs loc in
        add_pending_statement ~beginning:true assign
      with Not_found -> () end
    ) f.slocals;
    DoChildren

  method! vspec _ =
    in_funspec := true;
    DoChildrenPost (fun x -> in_funspec := false; x)

  method! vlogic_var_use v =
    if !in_funspec then
      match v.lv_origin with
        | None -> SkipChildren
        | Some cv ->
            try
              let fv = List.assoc cv !varpairs in
              ChangeTo (cvar_to_lvar fv)
            with Not_found -> SkipChildren
    else
      begin
        if retypable_lvar v then retype_lvar v;
        DoChildren
      end

  method! vlogic_var_decl v = if retypable_lvar v then retype_lvar v; DoChildren

  method! vlval lv = ChangeDoChildrenPost (lv, postaction_lval)

  method! vterm_lval lv = ChangeDoChildrenPost (lv, postaction_tlval)

  method! vexpr e = ChangeDoChildrenPost(e, postaction_expr)

  method! vterm t = ChangeDoChildrenPost(t,postaction_term)

end

let retype_address_taken file =
  let visitor = new retypeAddressTaken in
  visit_and_push_statements visit_and_update_globals visitor file


(*****************************************************************************)
(* Retype fields of type structure and array.                                *)
(*****************************************************************************)

(* We translate C left-values so that they stick to the Jessie semantics for
 * left-values. E.g., a C left-value
 *     s.t.i
 * which is translated in CIL as
 *     Var s, Field(t, Field(i, NoOffset))
 * is translated as
 *     Mem (Mem s, Field(t, NoOffset)), Field(i, NoOffset)
 * so that it is the same as the C left-value
 *     s->t->i
 *
 * Introduce reference at each structure subfield.
 * Does not modify union fields on purpose : union should first be translated
 * into inheritance before [retypeFields] is called again.
 *)
class retypeFields =

  let field_to_array_type : typ Cil_datatype.Fieldinfo.Hashtbl.t = Cil_datatype.Fieldinfo.Hashtbl.create 0 in

  let postaction_lval (host,off) =
    let rec offset_list = function
      | NoOffset -> []
      | Field (fi,off) ->
          (Field (fi, NoOffset)) :: offset_list off
      | Index (e, Field (fi,off)) ->
          (Index (e, Field (fi, NoOffset))) :: offset_list off
      | Index (_idx, NoOffset) as off -> [off]
      | Index (idx, (Index _ as off)) ->
          assert (not !flatten_multi_dim_array);
          Index(idx,NoOffset) :: offset_list off
    in
    let rec apply_lift_offset = function
      | Field (fi,roff) ->
          begin try
            let ty = Cil_datatype.Fieldinfo.Hashtbl.find field_to_array_type fi in
            let roff = apply_lift_offset (lift_offset ty roff) in
            Field (fi,roff)
          with Not_found ->
            let roff = apply_lift_offset roff in
            Field (fi,roff)
          end
      | Index (idx,roff) ->
          let roff = apply_lift_offset roff in
          Index (idx,roff)
      | NoOffset -> NoOffset
    in
    let off =
      if !flatten_multi_dim_array then apply_lift_offset off else off
    in
    (* [initlv] : topmost lval
     * [initlist] : list of offsets to apply to topmost lval
     *)
    let initlv,initlist = match offset_list off with
      | [] -> (host, NoOffset), []
      | fstoff :: roff -> (host, fstoff), roff
    in
    List.fold_left
      (fun curlv -> function
         | NoOffset ->
             assert false (* should not occur *)
         | Field(_,_)
         | Index(_, Field (_,_))
         | Index(_, NoOffset) as nextoff ->
             Mem
               (mkInfo
                  (new_exp ~loc:(Cil_const.CurrentLoc.get()) (Lval curlv))),
             nextoff
         | Index (_, Index _) -> assert false
      ) initlv initlist
  in

  (* Renormalize the expression tree. *)
  let postaction_expr e = match e.enode with
    | AddrOf(Mem e,NoOffset) | StartOf(Mem e,NoOffset) -> e
    | AddrOf(Mem _e,Field(_fi,off) as lv)
    | StartOf(Mem _e,Field(_fi,off) as lv) ->
        assert (off = NoOffset);
        (* Only possibility is that field is of structure or union type,
         * otherwise [retype_address_taken] would have taken care of it.
         * Do not check it though, because type was modified in place.
         *)
        new_exp ~loc:e.eloc (Lval lv)
    | AddrOf(Mem e',Index(ie,NoOffset)) ->
        let ptrty = TPtr(typeOf e',[]) in
        new_exp ~loc:e.eloc (BinOp(PlusPI,e',ie,ptrty))
    | StartOf(Mem _e,Index(_ie,NoOffset) as lv) ->
        new_exp ~loc:e.eloc (Lval lv)
    | AddrOf(Mem _e,Index(_ie,Field(_,NoOffset)) as lv)
    | StartOf(Mem _e,Index(_ie,Field(_,NoOffset)) as lv) ->
        new_exp ~loc: e.eloc (Lval lv)
    | AddrOf(Mem _e,Index(_ie,_)) | StartOf(Mem _e,Index(_ie,_)) ->
        assert false
    | _ -> e
  in
object

  inherit Visitor.frama_c_inplace

  method! vglob_aux = function
    | GCompTag (compinfo,_) ->
        let field fi =
          if isStructOrUnionType fi.ftype then
            fi.ftype <- mkTRef fi.ftype "Norm.vglob_aux(2)"
          else if isArrayType fi.ftype then
            begin
              Cil_datatype.Fieldinfo.Hashtbl.replace field_to_array_type fi fi.ftype;
              if not !flatten_multi_dim_array then
                fi.ftype <- reference_of_array fi.ftype
              else
(*                 if array_size fi.ftype > 0L then *)
                  let size = constant_expr (array_size fi.ftype) in
                  fi.ftype <- mkTRefArray(element_type fi.ftype,size,[])
(*                 else *)
(*                   (\* Array of zero size, e.g. in struct array hack. *\) *)
(*                   fi.ftype <- TPtr(element_type fi.ftype,[]) *)
            end
        in
        List.iter field compinfo.cfields;
        SkipChildren
    | GFun _ | GAnnot _ | GVar _ | GVarDecl _ | GFunDecl _ -> DoChildren
    | GType _ | GCompTagDecl _ | GEnumTagDecl _
    | GEnumTag _ | GAsm _ | GPragma _ | GText _ -> SkipChildren

  method! vlval lv =
    ChangeDoChildrenPost (lv, postaction_lval)

  method! vterm_lval =
    do_on_term_lval (None,Some postaction_lval)

  method! vexpr e =
    ChangeDoChildrenPost(e, postaction_expr)

  method! vterm =
    do_on_term (None,Some postaction_expr)

end

let retype_fields file =
  let visitor = new retypeFields in visitFramacFile visitor file


(*****************************************************************************)
(* Retype type tags.                                                         *)
(*****************************************************************************)

class retypeTypeTags =
object

  inherit Visitor.frama_c_inplace

  method! vterm t = match t.term_node with
    | Ttype ty -> ChangeTo ({ t with term_node = Ttype(TPtr(ty,[])) })
    | _ -> DoChildren

end

let retype_type_tags file =
  let visitor = new retypeTypeTags in visitFramacFile visitor file

(*****************************************************************************)
(* Retype pointers to base types.                                            *)
(*****************************************************************************)

(* Retype pointer to base type T to pointer to struct S with:
 * - if T is [TVoid], no field in S
 * - otherwise, a single field of type T in S
 *)
class retypeBasePointer =

  (* Correspondance between a base type and its wrapper structure type *)
  let type_wrappers = Cil_datatype.Typ.Hashtbl.create 17 in
  (* Store which types are wrapper types *)
  let auto_type_wrappers = ref Cil_datatype.Typ.Set.empty in

  let is_wrapper_type ty = Cil_datatype.Typ.Set.mem ty !auto_type_wrappers in

  let new_wrapper_for_type_no_sharing ty =
    (* Choose name t_P for the wrapper and t_M for the field *)
    let name = type_name ty in
    let wrapper_name = name ^ "P" in
    let field_name = name ^ "M" in
    let compinfo =
      if isVoidType ty then mkStructEmpty wrapper_name
      else mkStructSingleton wrapper_name field_name ty
    in
    let tdef = GCompTag(compinfo,Cil_datatype.Location.unknown) in
    let tdecl = TComp(compinfo,empty_size_cache () ,[]) in
    attach_global tdef;
    tdef, tdecl
  in
object(self)

  (* Helper methods called on the [self] object *)

  method new_wrapper_for_type ty =
    (* Currently, do not make any difference between a pointer to const T
     * or volatile T and a pointer to T.
     *)
    let ty = typeRemoveAttributes ["const";"volatile"] (unrollType ty) in
    try
      Cil_datatype.Typ.Hashtbl.find type_wrappers ty
    with Not_found ->
      (* Construct a new wrapper for this type *)
      let wrapper_def,wrapper_type = new_wrapper_for_type_no_sharing ty in
      Cil_datatype.Typ.Hashtbl.replace type_wrappers ty wrapper_type;
      auto_type_wrappers :=
        Cil_datatype.Typ.Set.add wrapper_type !auto_type_wrappers;
      (* Treat newly constructed type *)
(* Cil.currentGlobal does not exist anymore in Frama-C Aluminium
      let store_current_global = !currentGlobal in
*)
      ignore (Cil.visitCilGlobal (self:>Cil.cilVisitor) wrapper_def);
(*
      currentGlobal := store_current_global;
 *)
      (* Return the wrapper type *)
      wrapper_type

  (* Performs the necessary in-place modifications to [ty] so that
   * the translation to Jessie is easy.
   * Returns [Some newty] if the modified type imposes adding a field
   * access to a dereference on an object of type [ty].
   * Returns [None] in all other cases, in particular for non-wrapper
   * types that are allowed as either type of variable or type of field.
   *)
  method private wrap_type_if_needed ty =
    match ty with
      | TPtr(_elemty,attr) ->
          (* Do not use [_elemty] directly but rather [pointed_type ty] in order
           * to get to the array element in references, i.e. pointers to arrays.
           *)
          let elemty = pointed_type ty in
          if is_wrapper_type elemty then
            Some ty
          else if isStructOrUnionType elemty then
            None (* Already in a suitable form for Jessie translation. *)
          else if is_array_reference_type ty then
            (* Do not lose the information that this type is a reference *)
            let size = constant_expr (Integer.of_int64 (reference_size ty)) in
            assert (not (!flatten_multi_dim_array && is_reference_type elemty));
            Some(mkTRefArray(self#new_wrapper_for_type elemty,size,[]))
          else if is_reference_type ty then
            (* Do not lose the information that this type is a reference *)
            Some(mkTRef(self#new_wrapper_for_type elemty)"Norm.private wrap_type_if_needed")
          else
            (* Here is the case where a transformation is needed *)
            Some(TPtr(self#new_wrapper_for_type elemty,attr))
      | TArray (_,len,size,attr) ->
          (*[VP-20100826] Can happen in case of logic term translation *)
          let elemty = element_type ty in
          if is_wrapper_type elemty then Some ty
          else if isStructOrUnionType elemty then None
          else Some (TArray(self#new_wrapper_for_type elemty,len,size,attr))
      | TFun _ -> None
      | TNamed(typeinfo,_attr) ->
          begin match self#wrap_type_if_needed typeinfo.ttype with
            | Some newtyp ->
                typeinfo.ttype <- newtyp;
                Some ty
            | None -> None
          end
      | TComp(compinfo,_,_) ->
          let field fi =
            match self#wrap_type_if_needed fi.ftype with
              | Some newtyp ->
                  fi.ftype <- newtyp
              | None -> ()
          in
          List.iter field compinfo.cfields;
          None
      | TVoid _ | TInt _ | TFloat _ | TEnum _ | TBuiltin_va_list _ -> None

  method private postaction_lval lv =
    match lv with
      | Var _, NoOffset -> lv
      | Var _, _ ->
          unsupported "cannot handle this lvalue: %a" Printer.pp_lval lv
      | Mem e, NoOffset ->
          begin match self#wrap_type_if_needed (typeOf e) with
            | Some newtyp ->
                let newfi = get_unique_field (pointed_type newtyp) in
                let newlv = Mem e, Field (newfi, NoOffset) in
                (* Check new left-value is well-typed. *)
(*                 begin try ignore (typeOfLval newlv) with _ -> assert false end; *)
                newlv
            | None -> lv
          end
      | Mem e, (Index(ie,_) as off) ->
          if is_last_offset off then
            match self#wrap_type_if_needed (typeOf e) with
              | Some newtyp ->
                  let newfi = get_unique_field (pointed_type newtyp) in
                  let newlv =
                    if Cil.isArrayType (direct_pointed_type newtyp) then
                      lv
                    else (* The array has been directly decayed into a pointer
                            Use pointer arithmetic instead of index. *)
                      (Mem
                         (new_exp ~loc:e.eloc
                            (BinOp(PlusPI,e,ie,newtyp))),
                       NoOffset)
                  in
                  let newlv = addOffsetLval (Field (newfi, NoOffset)) newlv in
                  newlv
              | None -> lv
          else lv
      | Mem _, Field _ -> lv

  (* Usual methods in visitor interface. *)

  inherit Visitor.frama_c_inplace

  method! vfile _ =
    Common.struct_type_for_void := self#new_wrapper_for_type voidType;
    DoChildren

  method! vtype ty =
    let ty = match self#wrap_type_if_needed ty with
      | Some newty -> newty
      | None -> ty
    in
    if isFunctionType ty then
      (* Applies changes in particular to parameter types in function types. *)
      ChangeDoChildrenPost (ty, fun x -> x)
    else
      ChangeTo ty

  method! vglob_aux =
    let retype_return v =
      let retyp = getReturnType v.vtype in
      let newtyp = Cil.visitCilType (self:>Cil.cilVisitor) retyp in
      if newtyp != retyp then setReturnTypeVI v newtyp
    in
    function
      | GType (typeinfo, _) ->
          ignore (self#wrap_type_if_needed (TNamed (typeinfo, [])));
          SkipChildren
      | GCompTag (compinfo, _) ->
          ignore (self#wrap_type_if_needed (TComp (compinfo, empty_size_cache (), [])));
          SkipChildren
      | GFun (f, _) ->
          retype_return f.svar;
          DoChildren
      | GFunDecl (_, v, _) ->
          if isFunctionType v.vtype && not v.vdefined then
            retype_return v;
          DoChildren
      | GVarDecl (v, _) ->
          if isFunctionType v.vtype && not v.vdefined then
            retype_return v;
          DoChildren
      | GVar _
      | GAnnot _ -> DoChildren
      | GCompTagDecl _ | GEnumTag _ | GEnumTagDecl _
      | GAsm _ | GPragma _ | GText _  -> SkipChildren

  method! vlval lv =
    ChangeDoChildrenPost (lv, self#postaction_lval)

  method! vterm_lval t =
    do_on_term_lval (None,Some self#postaction_lval) t

end

let retype_base_pointer file =
  let visitor = new retypeBasePointer in
  visit_and_update_globals (visitor :> frama_c_visitor) file


(*****************************************************************************)
(* Remove useless casts.                                                     *)
(*****************************************************************************)

class removeUselessCasts =
  let preaction_expr etop =
    match (stripInfo etop).enode with
      | CastE(ty,e) ->
          let ety = typeOf e in
          if isPointerType ty && isPointerType ety &&
            Cil_datatype.Typ.equal
              (Cil.typeDeepDropAttributes
                 ["const"; "volatile"] (pointed_type ty))
              (Cil.typeDeepDropAttributes
                 ["const"; "volatile"] (pointed_type ety))
          then e
          else etop
      | _ -> etop
  in
  let preaction_term term =
    match term.term_node with
      | TCastE(ty,t) ->
          if isPointerType ty && Logic_utils.isLogicPointer t then
            (* Ignore type qualifiers *)
            let pty = Cil.typeDeepDropAllAttributes (pointed_type ty) in
            let ptty =
              match t.term_type with
                  Ctype tty ->
                    if isPointerType tty then pointed_type tty
                    else element_type tty
                | ty -> fatal "Not a pointer type '%a'"
                  Cil_datatype.Logic_type.pretty ty
            in
            if Cil_datatype.Typ.equal pty ptty then
              if Logic_utils.isLogicPointerType t.term_type then t
              else
                (match t.term_node with
                   | TLval lv -> Logic_const.term (TStartOf lv) (Ctype ty)
                   | TStartOf _ -> t
                   | _ ->
                       fatal
                         "Unexpected array expression casted into pointer: %a"
                         Cil_datatype.Term.pretty t
                )
            else term
          else term
      | _ -> term
  in
object

  inherit Visitor.frama_c_inplace

  method! vexpr e = ChangeDoChildrenPost (preaction_expr e, fun x -> x)

  method! vterm t = ChangeDoChildrenPost (preaction_term t, fun x -> x)

end

let remove_useless_casts file =
  let visitor = new removeUselessCasts in visitFramacFile visitor file


(*****************************************************************************)
(* Translate union fields into structures                                    *)
(*****************************************************************************)

let generated_union_types = Cil_datatype.Typ.Hashtbl.create 0

class translateUnions =
  let field_to_equiv_type : typ Cil_datatype.Fieldinfo.Hashtbl.t
      = Cil_datatype.Fieldinfo.Hashtbl.create 0
  in
  let new_field_type fi =
    let tname = unique_name (fi.fname ^ "P") in
    let fname = unique_name (fi.fname ^ "M") in
    let padding = the fi.fpadding_in_bits in
    let mcomp =
      mkStructSingleton ~padding tname fname fi.ftype in
    let tdef = GCompTag (mcomp, CurrentLoc.get ()) in
    let tdecl = TComp (mcomp, empty_size_cache (), []) in
    Cil_datatype.Typ.Hashtbl.add generated_union_types tdecl ();
    Cil_datatype.Fieldinfo.Hashtbl.add field_to_equiv_type fi tdecl;
    fi.ftype <- tdecl;
    tdef
  in

  let postaction_offset = function
    | Field(fi,off) as off' ->
        begin try
          let ty = Cil_datatype.Fieldinfo.Hashtbl.find field_to_equiv_type fi in
          let newfi = get_unique_field ty in
          Field(fi,Field(newfi,off))
        with Not_found -> off' end
    | off -> off
  in
object

  inherit Visitor.frama_c_inplace

  method! vglob_aux = function
    | GCompTag (compinfo,_) as g when not compinfo.cstruct ->
        let fields = compinfo.cfields in
        let field fi = new_field_type fi in
        let fty = List.map field fields in
        ChangeTo (g::fty)
    | GFun _ | GAnnot _ | GVar _ | GVarDecl _ | GFunDecl _ -> DoChildren
    | GCompTag _ | GType _ | GCompTagDecl _ | GEnumTagDecl _
    | GEnumTag _ | GAsm _ | GPragma _ | GText _ -> SkipChildren

  method! voffs off =
    ChangeDoChildrenPost(off,postaction_offset)

  method! vterm_offset =
    do_on_term_offset (None, Some postaction_offset)

end

let translate_unions file =
  let visitor = new translateUnions in visitFramacFile visitor file

(*****************************************************************************)
(* Remove array address.                                                     *)
(*****************************************************************************)

class removeArrayAddress =
object

  inherit Visitor.frama_c_inplace

  method! vexpr e =
    let preaction e = match e.enode with
      | AddrOf(Mem ptre,Index(ie,NoOffset)) ->
          let ptrty = typeOf e in
          new_exp ~loc:e.eloc (BinOp (PlusPI, ptre, ie, ptrty))
      | _ -> e
    in
    ChangeDoChildrenPost (preaction e, fun x -> x)

  method! vterm t =
    let preaction t = match t.term_node with
      | TAddrOf(TMem ptrt,TIndex(it,TNoOffset)) ->
          { t with term_node = TBinOp (PlusPI, ptrt, it); }
      | _ -> t
    in
    ChangeDoChildrenPost (preaction t, fun x -> x)

  (* TODO: translate to add tsets easily *)

end

let remove_array_address file =
  let visitor = new removeArrayAddress in
  visitFramacFile visitor file


(*****************************************************************************)
(* Normalize the C file for Jessie translation.                              *)
(*****************************************************************************)

let normalize file =
  if checking then check_types file;
  (* Retype variables of array type. *)
  (* order: before [expand_struct_assign] and any other pass which calls
     [typeOf], because "t[i]" with [StartOf] if type of "t" is "int t[a][b]"
     is not typed correctly by Cil (raises error StartOf on non-array type).
     See, e.g., example array_addr.c. *)
  Jessie_options.debug "Retype variables of array type";
  retype_array_variables file;
  if checking then check_types file;
  (* Retype logic functions/predicates with structure parameters or return. *)
  Jessie_options.debug "Retype logic functions/predicates";
  retype_logic_functions file;
  if checking then check_types file;
  (* Expand structure copying through parameter, return or assignment. *)
  (* order: before [retype_address_taken], before [retype_struct_variables] *)
  Jessie_options.debug "Expand structure copying";
  expand_struct_assign file;
  if checking then check_types file;
  (* Retype variables of structure type. *)
  Jessie_options.debug "Retype variables of structure type";
  retype_struct_variables file;
  if checking then check_types file;
  (* Retype variables and fields whose address is taken. *)
  (* order: after [retype_struct_variables] *)
  Jessie_options.debug "Retype variables and fields whose address is taken";
  retype_address_taken file;
  if checking then check_types file;
  (* Expand structure copying through assignment. *)
  (* Needed because sequence [expand_struct_assign; retype_struct_variables;
     retype_address_taken] may recreate structure assignments. *)
  (* order: after [retype_address_taken] *)
  Jessie_options.debug "Expand structure copying through assignment";
  expand_struct_assign file;
  if checking then check_types file;
  (* Translate union fields into structures. *)
  Jessie_options.debug "Translate union fields into structures";
  translate_unions file;
  if checking then check_types file;
  (* Retype fields of type structure and array. *)
  (* order: after [expand_struct_assign] and [retype_address_taken]
   * before [translate_unions] *)
  Jessie_options.debug "Retype fields of type structure and array";
  retype_fields file;
  if checking then check_types file;
  (* Retype fields of type structure and array. *)
  (* order: after [translate_unions] *)
  Jessie_options.debug "Retype fields of type structure and array";
  retype_fields file;
  if checking then check_types file;
  (* Remove array address. *)
  (* order: before [retype_base_pointer] *)
  Jessie_options.debug "Remove array address";
  remove_array_address file;
  if checking then check_types file;
  (* Retype type tags. *)
  (* order: before [retype_base_pointer] *)
  Jessie_options.debug "Retype type tags";
  retype_type_tags file;
  if checking then check_types file;
  (* Retype pointers to base types. *)
  (* order: after [retype_fields] *)
  Jessie_options.debug "Retype pointers to base types";
  retype_base_pointer file;
  if checking then check_types file;
  (* Remove useless casts. *)
  Jessie_options.debug "Remove useless casts";
  remove_useless_casts file;
  if checking then check_types file;

(*
Local Variables:
compile-command: "make -C .."
End:
*)
why-2.39/frama-c-plugin/jessie_integer.ml0000644000106100004300000000571413147234006017373 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



let zero = Int64.zero
let one = Int64.one
let minus_one = Int64.minus_one

let (+) = Int64.add
let (-) = Int64.sub
let ( * ) = Int64.mul
let (/) = Int64.div
let (mod) = Int64.rem
let (~-) = Int64.neg

let max_int = Int64.max_int
let min_int = Int64.min_int

let (land) = Int64.logand
let (lor) = Int64.logor
let (lxor) = Int64.logxor
let (lsl) = Int64.shift_left
let (asr) = Int64.shift_right
let (lsr) = Int64.shift_right_logical

let negative c = c < 0
let nonpositive c = c <= 0
let (<=) i1 i2 = nonpositive (Int64.compare i1 i2)
let (<) i1 i2 = negative (Int64.compare i1 i2)
let (>=) i1 i2 = i2 <= i1
let (>) i1 i2 = i2 < i1

let power_of_two i = 
  assert (i >= 0L && i < 63L);
  1L lsl (Int64.to_int i)

(*
Local Variables:
compile-command: "LC_ALL=C make -C ../.. -j"
End:
*)
why-2.39/frama-c-plugin/register.ml0000644000106100004300000002456213147234006016222 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(* Import from Cil *)
open Cil_types
open Cil
module FCAst = Ast
module FCProject = Project
(* Import from Why *)
open Jc

(* Utility functions *)
open Common

(*
let std_include = Filename.concat Version.datadir "jessie"

let prolog_h_name = Filename.concat std_include "jessie_prolog.h"

let treat_jessie_prolog () =
  Kernel.CppExtraArgs.add ("-include " ^ prolog_h_name)

let treat_jessie_std_headers () =
  Kernel.CppExtraArgs.add ("-I " ^ std_include)
*)

let treat_integer_model () =
  if !Interp.int_model = Interp.IMexact then
    Kernel.CppExtraArgs.add ("-D JESSIE_EXACT_INT_MODEL")

let () =
  (* [JS 2009/10/04]
     Preserve the behaviour of svn release <= r5012.
     However it works only if the int-model is set from the command line. *)
  Cmdline.run_after_configuring_stage treat_integer_model

(*
let treat_jessie_no_prolog () =
  Kernel.CppExtraArgs.add ("-D JESSIE_NO_PROLOG")
*)

let steal_globals () =
  let vis = object
    inherit Visitor.frama_c_inplace
    method! vglob_aux g =
      match g with
        | GAnnot (a,_) ->
            Annotations.remove_global (Annotations.emitter_of_global a) a;
            Annotations.unsafe_add_global Common.jessie_emitter a;
            (* SkipChildren is not good, as Annotations.remove_global has
               removed it from AST: we have to re-insert it...
            *)
            ChangeTo [g]
        | _ -> SkipChildren
  end
  in
  Visitor.visitFramacFile vis (FCAst.get())

let steal_annots () =
  let emitter=Common.jessie_emitter in
  let l =
    Annotations.fold_all_code_annot
      (fun stmt e ca acc ->
        Annotations.remove_code_annot e stmt ca;
        (stmt,ca)::acc)
      []
  in
  List.iter (fun (stmt,ca) -> Annotations.add_code_annot emitter stmt ca) l;
  steal_globals ();
  Globals.Functions.iter (Annotations.register_funspec ~emitter ~force:true)

let apply_if_dir_exist name f =
  try
    let d = Unix.opendir name in
    Unix.closedir d;
    f name
  with Unix.Unix_error (Unix.ENOENT, "opendir",_) -> ()

let run () =
  if Jessie_config.jessie_local then begin
    let whylib = String.escaped (Filename.concat Config.datadir "why") in
    (try ignore (Unix.getenv "WHYLIB")
       (* don't mess needlessly with user settings *)
     with Not_found ->
       apply_if_dir_exist whylib (Unix.putenv "WHYLIB"));
  end;
  Jessie_options.feedback "Starting Jessie translation";
  (* Work in our own project, initialized by a copy of the main one. *)
  let prj =
    File.create_project_from_visitor "jessie"
      (fun prj -> new Visitor.frama_c_copy prj)
  in
  Jessie_options.debug "Project created";
  FCProject.copy ~selection:(Parameter_state.get_selection ()) prj;
  FCProject.set_current prj;
  let file = FCAst.get () in
  try
    if file.globals = [] then
      Jessie_options.abort "Nothing to process. There was probably an error before.";
    (* Phase 1: various preprocessing steps before C to Jessie translation *)

    (* Enforce the prototype of malloc to exist before visiting anything.
     * It might be useful for allocation pointers from arrays
     *)
    ignore (Common.malloc_function ());
    ignore (Common.free_function ());
    Jessie_options.debug  "After malloc and free";
    if checking then check_types file;
    steal_annots ();
    Jessie_options.debug "After steal_annots";
    if checking then check_types file;
    (* Rewrite ranges in logic annotations by comprehesion *)
    Jessie_options.debug "from range to comprehension";
    Rewrite.from_range_to_comprehension
      (Cil.inplace_visit ()) file;
    if checking then check_types file;

    (* Phase 2: C-level rewriting to facilitate analysis *)

    Rewrite.rewrite file;
    if checking then check_types file;

    if Jessie_options.debug_atleast 1 then print_to_stdout file;

    (* Phase 3: Caduceus-like normalization that rewrites C-level AST into
     * Jessie-like AST, still in Cil (in order to use Cil visitors)
     *)

    Norm.normalize file;
    Retype.retype file;
    if checking then check_types file;

    (* Phase 4: various postprocessing steps, still on Cil AST *)

    (* Rewrite ranges back in logic annotations *)
    Rewrite.from_comprehension_to_range (Cil.inplace_visit ()) file;

    if Jessie_options.debug_atleast 1 then print_to_stdout file;

    (* Phase 5: C to Jessie translation, should be quite straighforward at this
     * stage (after normalization)
     *)
    Jessie_options.debug "Jessie pragmas";
    let pragmas = Interp.pragmas file in
    Jessie_options.debug "Jessie translation";
    let pfile = Interp.file file in
    Jessie_options.debug "Printing Jessie program";

    (* Phase 6: pretty-printing of Jessie program *)

    let sys_command cmd =
      if Sys.command cmd <> 0 then
	(Jessie_options.error "Jessie subprocess failed: %s" cmd; raise Exit)
    in

    let projname = Jessie_options.ProjectName.get () in
    let projname =
      if projname <> "" then projname else
	match Kernel.Files.get() with
	  | [f] ->
	      (try
		 Filename.chop_extension f
	       with Invalid_argument _ -> f)
	  | _ ->
	      "wholeprogram"
    in
    (* if called on 'path/file.c', projname is 'path/file' *)
    (* jessie_subdir is 'path/file.jessie' *)
    let jessie_subdir = projname ^ ".jessie" in
    Lib.mkdir_p jessie_subdir;
    Jessie_options.feedback "Producing Jessie files in subdir %s" jessie_subdir;

    (* basename is 'file' *)
    let basename = Filename.basename projname in

    (* filename is 'file.jc' *)
    let filename = basename ^ ".jc" in
    let () = Pp.print_in_file
      (fun fmt ->
	 Jc_output.print_decls fmt pragmas;
	 Format.fprintf fmt "%a" Jc_poutput.pdecls pfile)
      (Filename.concat jessie_subdir filename)
    in
    Jessie_options.feedback "File %s/%s written." jessie_subdir filename;

    (* Phase 7: produce source-to-source correspondance file *)

    (* locname is 'file.cloc' *)
    let locname = basename ^ ".cloc" in
    Pp.print_in_file Output.old_print_pos (Filename.concat jessie_subdir locname);
    Jessie_options.feedback "File %s/%s written." jessie_subdir locname;

    if Jessie_options.GenOnly.get () then () else

      (* Phase 8: call Jessie to Why translation *)

      let why3cmd = Jessie_options.Why3Cmd.get () in
      let jc_opt = Jessie_options.JcOpt.fold (fun s acc -> s ^ " " ^ acc) "" in
      let debug_opt = if Jessie_options.debug_atleast 1 then " -d " else " " in
      let behav_opt =
	if Jessie_options.Behavior.get () <> "" then
	  "-behavior " ^ Jessie_options.Behavior.get ()
	else ""
      in
      let verbose_opt =
	if Jessie_options.verbose_atleast 1 then " -v " else " "
      in
      let env_opt =
	if Jessie_options.debug_atleast 1 then
	  "OCAMLRUNPARAM=bt"
	else ""
      in
      let jessie_cmd =
	try Sys.getenv "JESSIEEXEC"
	with Not_found ->
          (* NdV: the test below might not be that useful, since ocaml
             has stack trace in native code since 3.10, even though -g
             is usually missing from native flags.  *)
          if Jessie_options.debug_atleast 1 then " jessie.byte "
          else " jessie "
      in
      let rec make_command = function
	| [] -> ""
	| [ a ] -> a
	| a::cmd -> a ^ " " ^ make_command cmd
      in
      Jessie_options.feedback "Calling Jessie tool in subdir %s" jessie_subdir;
      Sys.chdir jessie_subdir;


      let cmd =
	make_command
	  [ env_opt; jessie_cmd;
	    verbose_opt; "-why3cmd \"" ; why3cmd; "\"" ;
            jc_opt; debug_opt; behav_opt;
	    "-locs"; locname; filename ]
      in
      sys_command cmd;

      flush_all ()

  with Exit -> ()

(* ************************************************************************* *)
(* Plug Jessie to the Frama-C platform *)
(* ************************************************************************* *)

let run_and_catch_error () =
  try run ()
  with
    | Unsupported _ ->
	Jessie_options.error "Unsupported feature(s).@\n\
           Jessie plugin can not be used on your code."
    | Log.FeatureRequest (_,s) ->
	Jessie_options.error "Unimplemented feature: %s." s

let run_and_catch_error =
  Dynamic.register
    "run_analysis"
    (Datatype.func Datatype.unit Datatype.unit)
    ~plugin:"Jessie"
    ~journalize:true
    run_and_catch_error

let main () = if Jessie_options.Analysis.get () then run_and_catch_error ()
let () = Db.Main.extend main

(*
Local Variables:
compile-command: "LC_ALL=C make"
End:
*)
why-2.39/frama-c-plugin/rewrite.ml0000644000106100004300000022416313147234006016056 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

(* Import from Cil *)
open Cabs
open Cil_types
open Cil
open Cil_datatype
open Ast_info
open Extlib

open Visitor

(* Utility functions *)
open Common

(*****************************************************************************)
(* Adds a default behavior for all functions                                 *)
(*****************************************************************************)

class add_default_behavior =
  object(self)
    inherit Visitor.frama_c_inplace

    method! vspec s =
      if not (List.exists (fun x -> x.b_name = Cil.default_behavior_name)
                s.spec_behavior)
      then begin
        let bhv = Cil.mk_behavior ~name:Cil.default_behavior_name () in
        let kf = Extlib.the self#current_kf in
        let props = Property.ip_all_of_behavior ~active:[] kf Kglobal bhv in
        List.iter Property_status.register props;
        s.spec_behavior <- bhv :: s.spec_behavior
      end;
      SkipChildren

    method! vcode_annot _ = SkipChildren

  end

let add_default_behavior () =
  let treat_one_function kf =
    let bhvs = Annotations.behaviors kf in
    if not
      (List.exists (fun bhv -> bhv.b_name = Cil.default_behavior_name) bhvs)
    then begin
      Annotations.add_behaviors Common.jessie_emitter kf [Cil.mk_behavior()];
      (* ensures that default behavior will be correctly populated *)
      ignore (Annotations.behaviors kf)
    end
  in
  Globals.Functions.iter treat_one_function

(*****************************************************************************)
(* Rename entities to avoid conflicts with Jessie predefined names.          *)
(*****************************************************************************)

class renameEntities
  (add_variable : varinfo -> unit) (add_logic_variable : logic_var -> unit) =
  let types = Typ.Hashtbl.create 17 in
  let add_field fi =
    fi.fname <- unique_name fi.fname
  in
  let add_type ty =
    if Typ.Hashtbl.mem types ty then () else
      let compinfo = get_struct_info ty in
      compinfo.cname <- unique_name compinfo.cname;
      List.iter add_field compinfo.cfields;
      Typ.Hashtbl.add types ty ()
  in
object

  inherit Visitor.frama_c_inplace

  method! vfunc f =
    List.iter add_variable f.slocals;
    DoChildren

  method! vglob_aux = function
    | GCompTag(compinfo,_loc)
    | GCompTagDecl(compinfo,_loc) ->
	add_type (TComp(compinfo,empty_size_cache (),[]));
	SkipChildren
    | GVarDecl _ | GFunDecl _ | GVar _ | GFun _ | GAnnot _ | GType _
    | GEnumTagDecl _ | GEnumTag _ | GAsm _ | GPragma _ | GText _ ->
	DoChildren

  method! vlogic_var_decl lv = add_logic_variable lv; DoChildren

  method! vlogic_var_use v =
    let postaction v =
      (* Restore consistency between C variable name and logical name *)
      Extlib.may (fun cv -> v.lv_name <- cv.vname) v.lv_origin; v
    in
    ChangeDoChildrenPost(v,postaction)
end

let logic_names_overloading = Hashtbl.create 257

let rename_entities file =
  let add_variable v =
    let s = unique_name v.vname in
(*
    Format.eprintf "Renaming variable %s into %s@." v.vname s;
*)
    v.vname <- s;
    match v.vlogic_var_assoc with
      | None -> ()
      | Some lv -> lv.lv_name <- v.vname
  in
  let add_logic_variable v =
    match v.lv_origin with
        None -> (* pure logic variable *)
          v.lv_name <- unique_logic_name v.lv_name
      | Some _ -> () (* we take care of that in the C world *)
  in
  Globals.Vars.iter (fun v _init -> add_variable v);
  Globals.Functions.iter
    (fun kf ->
       add_variable (Globals.Functions.get_vi kf);
       List.iter add_variable (Globals.Functions.get_params kf));
(* [VP 2011-08-22] replace_all has disappeared from kernel's API, but
   it appears that info in Globals.Annotations is not used by Jessie. *)
(*  Globals.Annotations.replace_all
    (fun annot gen ->
       let rec replace_annot annot = match annot with
	 | Dfun_or_pred _ -> annot
	 | Dvolatile _ -> annot
         | Daxiomatic(id, l, loc) ->
             Daxiomatic(id, List.map replace_annot l,loc)
	 | Dtype(infos,loc) ->
	     Dtype({ infos with
                       lt_name = unique_logic_name infos.lt_name;
                       lt_def =
                       opt_map
                         (function
                              | LTsum cons ->
                                  LTsum(
                                    List.map
                                      (fun x ->
                                         { x with ctor_name =
                                             unique_logic_name x.ctor_name})
                                      cons)
                              | (LTsyn _) as def -> def)
                         infos.lt_def;},
                   loc
                  )
	 | Dlemma(name,is_axiom,labels,poly,property,loc) ->
	     Dlemma(unique_logic_name name,is_axiom,labels,poly,property,loc)
         | Dmodel_annot _ -> annot
	 | Dtype_annot _ | Dinvariant _ ->
	     (* Useful ? harmless ?
		info.l_name <- unique_logic_name info.l_name;
	     *)
	     annot
       in replace_annot annot,gen
    );
*)
  (* preprocess of renaming logic functions  *)
  Logic_env.Logic_info.iter
    (fun name _li ->
       try
	 let x = Hashtbl.find logic_names_overloading name in
	 x := true
       with
	   Not_found ->
	     Hashtbl.add logic_names_overloading name (ref false)
    );

  let visitor = new renameEntities (add_variable) (add_logic_variable) in
  visitFramacFile visitor file


(*****************************************************************************)
(* Fill offset/size information in fields                                    *)
(*****************************************************************************)

class fillOffsetSizeInFields =
object

  inherit Visitor.frama_c_inplace

  method! vglob_aux = function
    | GCompTag(compinfo,_loc) ->
	let basety = TComp(compinfo,empty_size_cache () ,[]) in
	let field fi nextoff =
	  let size_in_bits =
	    match fi.fbitfield with
	      | Some siz -> siz
	      | None ->
                try
                  bitsSizeOf fi.ftype
                with SizeOfError _ -> 0 (* Flexible Array Member *)
	  in
	  let offset_in_bits = fst (bitsOffset basety (Field(fi,NoOffset))) in
	  let padding_in_bits = nextoff - (offset_in_bits + size_in_bits) in
	  assert (padding_in_bits >= 0);
	  fi.fsize_in_bits <- Some size_in_bits;
	  fi.foffset_in_bits <- Some offset_in_bits;
	  fi.fpadding_in_bits <- Some padding_in_bits;
	  if compinfo.cstruct then
	    offset_in_bits
	  else nextoff (* union type *)
	in
	ignore(List.fold_right field compinfo.cfields (bitsSizeOf basety));
	SkipChildren
    | _ -> SkipChildren

end

let fill_offset_size_in_fields file =
  let visitor = new fillOffsetSizeInFields in
  visitFramacFile visitor file


(*****************************************************************************)
(* Replace addrof array with startof.                                        *)
(*****************************************************************************)

class replaceAddrofArray =
object

  inherit Visitor.frama_c_inplace

  method! vexpr e = match e.enode with
    | AddrOf lv ->
	if isArrayType(typeOfLval lv) then
	  ChangeDoChildrenPost (new_exp ~loc:e.eloc (StartOf lv), fun x -> x)
	else DoChildren
    | _ -> DoChildren

  method! vterm t = match t.term_node with
    | TAddrOf tlv ->
	let ty = force_app_term_type pointed_type t.term_type in
	if isArrayType ty then
	  let t' = { t with
	    term_node = TStartOf tlv;
	    term_type = Ctype (element_type ty);
	  } in
	  ChangeDoChildrenPost (t', fun x -> x)
	else DoChildren
    | _ -> DoChildren

end

let replace_addrof_array file =
  let visitor = new replaceAddrofArray in
  visit_and_update_globals visitor file


(*****************************************************************************)
(* Replace string constants by global variables.                             *)
(*****************************************************************************)

class replaceStringConstants =

  let string_to_var = Datatype.String.Hashtbl.create 17 in
  let wstring_to_var = Cil_datatype.Wide_string.Hashtbl.create 17 in

  (* Use the Cil translation on initializers. First translate to primitive
   * AST to later apply translation in [blockInitializer].
   *)
  let string_cabs_init s =
    SINGLE_INIT(
      { expr_node = CONSTANT(CONST_STRING s); expr_loc = Cabshelper.cabslu }
    )
  in
  let wstring_cabs_init ws =
    SINGLE_INIT(
      { expr_node = CONSTANT(CONST_WSTRING ws); expr_loc = Cabshelper.cabslu }
    )
  in

  (* Name of variable should be as close as possible to the string it
   * represents. To that end, we just filter out characters not allowed
   * in C names, before we add a discriminating number if necessary.
   *)
  let string_var s =
    let name = unique_name ("__string_" ^ (filter_alphanumeric s [] '_')) in
    makeGlobalVar name (array_type charType)
  in
  let wstring_var () =
    let name = unique_name "__wstring_" in
    makeGlobalVar name (array_type theMachine.wcharType)
(*     makeGlobalVar name (array_type (TInt(IUShort,[]))) *)
  in

  let make_glob ~wstring v size inite =
    (* Apply translation from initializer in primitive AST to block of code,
     * simple initializer and type.
     *)
    let _b,init,ty =
      Cabs2cil.blockInitializer Cabs2cil.empty_local_env v inite in
    (* Precise the array type *)
    v.vtype <- ty;
    (* Attach global variable and code for global initialization *)
(* DISABLED because does not work and uses deprecated Cil.getGlobInit
   See bts0284.c
    List.iter attach_globinit b.bstmts;
*)
    attach_global (GVar(v,{init=Some init},CurrentLoc.get ()));
    (* Define a global string invariant *)
    begin try
    let validstring =
      match Logic_env.find_all_logic_functions
	(if wstring then
	   name_of_valid_wstring
	 else
	   name_of_valid_string)
      with
	| [i] -> i
	| _  -> raise Exit
    in
    let strlen =
      match Logic_env.find_all_logic_functions name_of_strlen
      with
	| [i] -> i
	| _  -> raise Exit
    in
    let strlen_type =
      match strlen.l_type with Some t -> t | None -> assert false
    in
    let wcslen =
      match Logic_env.find_all_logic_functions name_of_wcslen
      with
	| [i] -> i
	| _  -> raise Exit
    in
    let wcslen_type =
      match wcslen.l_type with Some t -> t | None -> assert false
    in
    let pstring =
      Papp(validstring,[],[variable_term v.vdecl (cvar_to_lvar v)])
    in
    let tv = term_of_var v in
    let strsize =
      if wstring then
	mkterm (Tapp(wcslen,[],[tv])) wcslen_type v.vdecl
      else
	mkterm (Tapp(strlen,[],[tv])) strlen_type v.vdecl
    in
    let size = constant_term v.vdecl (Integer.of_int size) in
    let psize = Prel(Req,strsize,size) in
    let p = Pand(predicate v.vdecl pstring,predicate v.vdecl psize) in
    let globinv =
      Cil_const.make_logic_info (unique_logic_name ("valid_" ^ v.vname)) in
    globinv.l_labels <- [ LogicLabel (None, "Here") ];
    globinv.l_body <- LBpred (predicate v.vdecl p);
    attach_globaction (fun () -> Logic_utils.add_logic_function globinv);
    attach_global (GAnnot(Dinvariant (globinv,v.vdecl),v.vdecl));
    with Exit -> ()
    end;
    v
  in
object

  inherit Visitor.frama_c_inplace

  method! vexpr e = match e.enode with
    | Const(CStr s) ->
	let v =
	  Datatype.String.Hashtbl.memo string_to_var s
	    (fun s ->
	       make_glob ~wstring:false (string_var s) (String.length s)
		 (string_cabs_init s))
	in
	ChangeTo (new_exp ~loc:e.eloc (StartOf(Var v,NoOffset)))
    | Const(CWStr ws) ->
	let v =
	  Cil_datatype.Wide_string.Hashtbl.memo wstring_to_var ws
	    (fun ws ->
	       make_glob ~wstring:true (wstring_var ()) (List.length ws - 1)
		 (wstring_cabs_init ws))
	in
	ChangeTo (new_exp ~loc:e.eloc (StartOf(Var v,NoOffset)))
    | _ -> DoChildren

  method! vglob_aux = function
    | GVar(v,{init=Some(SingleInit({enode = Const _}))},_) ->
	if isArrayType v.vtype then
	  (* Avoid creating an array for holding the initializer for another
	   * array. This initializer is later cut into individual
	   * initialization statements in [gather_initialization].
	   *)
	  SkipChildren
	else
	  DoChildren
    | _ -> DoChildren

end

let replace_string_constants file =
  let visitor = new replaceStringConstants in
  visit_and_update_globals visitor file


(*****************************************************************************)
(* Put all global initializations in the [globinit] file.                    *)
(* Replace global compound initializations by equivalent statements.         *)
(*****************************************************************************)

let gather_initialization file =
  do_and_update_globals
    (fun _ ->
      Globals.Vars.iter (fun v iinfo ->
	let _s = match iinfo.init with
	  | Some ie ->
	      let b =
                Cabs2cil.blockInit
                  ~ghost:v.vghost (Var v, NoOffset) ie v.vtype in
	      b.bstmts
	  | None ->
            let length =
              try bitsSizeOf v.vtype
              with SizeOfError _ -> 0
            in
	    if length lsr 3 < 100 then
		(* Enforce zero-initialization of global variables *)
	      let ie =
                makeZeroInit ~loc:Cil_datatype.Location.unknown v.vtype
              in
	      let b =
                Cabs2cil.blockInit
                  ~ghost:v.vghost (Var v, NoOffset) ie v.vtype
              in
	      b.bstmts
	    else
	      (* FS#253: Big data structure, do not initialize individually.
	       * When casts to low-level are supported, call here [memset]
	       * or equivalent to zero the memory.
	       *)
	      []
	in
	(* Too big currently, postpone until useful *)
(*
	ignore s;
  	List.iter attach_globinit s;
*)
	iinfo.init <- None
      )) file

class copy_spec_specialize_memset =
object(self)
  inherit Visitor.frama_c_copy (Project.current())
  method private has_changed lv =
    (Cil.get_original_logic_var self#behavior lv) != lv

  method! vlogic_var_use lv =
    if self#has_changed lv then DoChildren (* Already visited *)
    else begin
      match lv.lv_origin with
        | Some v when not v.vglob -> (* Don't change global references *)
            let v' = Cil_const.copy_with_new_vid v in
            v'.vformal <- true;
            (match Cil.unrollType v.vtype with
              | TArray _ as t -> v'.vtype <- TPtr(t,[])
              | _ -> ());
            v'.vlogic_var_assoc <- None; (* reset association. *)
            let lv' = Cil.cvar_to_lvar v' in
            Cil.set_logic_var self#behavior lv lv';
            Cil.set_orig_logic_var self#behavior lv' lv;
            Cil.set_varinfo self#behavior v v';
            Cil.set_orig_varinfo self#behavior v' v;
            ChangeTo lv'
        | Some _ | None -> DoChildren
    end

  method! vterm t =
    let post_action t =
      let loc = t.term_loc in
      match t.term_node with
        | TStartOf (TVar lv, TNoOffset) ->
            if self#has_changed lv then begin
              (* Original was an array, and is now a pointer to an array.
                 Update term accordingly*)
              let base = Logic_const.tvar ~loc lv in
              let tmem = (TMem base,TNoOffset) in
              Logic_const.term
                ~loc (TStartOf tmem) (Cil.typeOfTermLval tmem)
            end else t
        | TLval (TVar lv, (TIndex _ as idx)) ->
            if self#has_changed lv then begin
                (* Change array access into pointer shift. *)
              let base = Logic_const.tvar ~loc lv in
              let tmem = TMem base, idx in
              Logic_const.term ~loc (TLval tmem) t.term_type
            end else t
        | _ -> t
    in ChangeDoChildrenPost(t,post_action)

  method! vspec s =
    let refresh_deps = function
      | FromAny -> FromAny
      | From locs -> From (List.map Logic_const.refresh_identified_term locs)
    in
    let refresh_froms (loc,deps) =
      (Logic_const.refresh_identified_term loc, refresh_deps deps)
    in
    let refresh_assigns = function
      | WritesAny -> WritesAny
      | Writes (writes) -> Writes (List.map refresh_froms writes)
    in
    let refresh_allocates = function
      | FreeAllocAny -> FreeAllocAny
      | FreeAlloc (free,alloc) ->
          FreeAlloc (List.map Logic_const.refresh_identified_term free,
                     List.map Logic_const.refresh_identified_term alloc)
    in
    let refresh_behavior b =
      let requires = List.map Logic_const.refresh_predicate b.b_requires in
      let assumes = List.map Logic_const.refresh_predicate b.b_assumes in
      let post_cond =
        List.map
          (fun (k,p) -> (k,Logic_const.refresh_predicate p)) b.b_post_cond
      in
      let assigns = refresh_assigns b.b_assigns in
      let allocation = refresh_allocates b.b_allocation in
      let extended = b.b_extended in
      Cil.mk_behavior
        ~assumes ~requires ~post_cond ~assigns ~allocation ~extended ()
    in
    let refresh s =
      let bhvs = List.map refresh_behavior s.spec_behavior in
      s.spec_behavior <- bhvs;
      s
    in
    ChangeDoChildrenPost(s,refresh)
end

let copy_spec_specialize_memset s =
  let vis = new copy_spec_specialize_memset in
  let s' = Visitor.visitFramacFunspec vis s in
  let args =
    Cil.fold_visitor_varinfo
      vis#behavior (fun oldv newv acc -> (oldv,newv)::acc) []
  in
  args,s'

class specialize_memset =
object
  inherit Visitor.frama_c_inplace
  val mutable my_globals = []
  method! vstmt_aux s =
    match Annotations.code_annot ~filter:Logic_utils.is_contract s with
      | [ annot ] ->
          (match annot.annot_content with
             | AStmtSpec
                (_,({ spec_behavior =
                    [ { b_name = "Frama_C_implicit_init" }]} as spec))
              ->
                let loc = Cil_datatype.Stmt.loc s in
                let mk_actual v =
                  match Cil.unrollType v.vtype with
                    | TArray _ ->
                        Cil.new_exp ~loc (StartOf (Cil.var v))
                    | _ -> Cil.evar ~loc v
                in
                let prms, spec = copy_spec_specialize_memset spec in
                let (actuals,formals) = List.split prms in
                let actuals = List.map mk_actual actuals in
                let arg_type =
                  List.map (fun v -> v.vname, v.vtype, []) formals in
                let f =
                  Cil.makeGlobalVar
                    (Common.unique_name "implicit_init")
                    (TFun (TVoid [], Some arg_type, false, []))
                in
                 Cil.unsafeSetFormalsDecl f formals;
                my_globals <-
                  GVarDecl((*Cil.empty_funspec(),*)f,loc) :: my_globals;
                Globals.Functions.replace_by_declaration spec f loc;
                let kf = Globals.Functions.get f in
                Annotations.register_funspec ~emitter:Common.jessie_emitter kf;
                let my_instr = Call(None,Cil.evar ~loc f,actuals,loc) in
                s.skind <- Instr my_instr;
                SkipChildren
            | _ -> DoChildren)
      | _ -> DoChildren

  method! vglob_aux _ =
    let add_specialized g = let s = my_globals in my_globals <- []; s @ g in
    DoChildrenPost add_specialized
end

let specialize_memset file =
  visitFramacFile (new specialize_memset) file;
  (* We may have introduced new globals: clear the last_decl table. *)
  Ast.clear_last_decl ()

(*****************************************************************************)
(* Rewrite comparison of pointers into difference of pointers.               *)
(*****************************************************************************)

class rewritePointerCompare =
  let preaction_expr e = match e.enode with
    | BinOp((Lt | Gt | Le | Ge | Eq | Ne as op),e1,e2,ty)
	when isPointerType (typeOf e1) && not (is_null_expr e2) ->
	new_exp ~loc:e.eloc
          (BinOp(op,
                 new_exp ~loc:e.eloc
                   (BinOp(MinusPP,e1,e2,theMachine.ptrdiffType)),
	         constant_expr Integer.zero,ty))
    | _ -> e
  in
object

  inherit Visitor.frama_c_inplace

  method! vexpr e =
    ChangeDoChildrenPost (preaction_expr e, fun x -> x)

  method! vterm =
    do_on_term (Some preaction_expr,None)

  method! vpredicate p =
    match p.pred_content with
    | Prel(rel,t1,t2)
	when app_term_type isPointerType false t1.term_type
	  && not (is_null_term t1 || is_null_term t2
		  || is_base_addr t1 || is_base_addr t2) ->
	let loc = range_loc t1.term_loc t2.term_loc in
	let tsub = {
	  term_node = TBinOp(MinusPP,t1,t2);
	  term_type = Ctype theMachine.ptrdiffType;
	  term_loc = loc;
	  term_name = [];
	} in
	let p = { p with pred_content = Prel(rel,tsub,constant_term loc Integer.zero)} in
	ChangeDoChildrenPost (p, fun x -> x)
    | _ -> DoChildren

end

let rewrite_pointer_compare file =
  let visitor = new rewritePointerCompare in
  visitFramacFile visitor file


(*****************************************************************************)
(* Rewrite cursor pointers into offsets from base pointers.                  *)
(*****************************************************************************)

(* Recognize the sum of a pointer variable and an integer offset *)
let rec destruct_pointer e = match (stripInfo e).enode with
  | Lval(Var v,NoOffset) | StartOf(Var v,NoOffset) | AddrOf(Var v,NoOffset) ->
      Some(v,None)
  | StartOf(Var v,Index(i,NoOffset)) | AddrOf(Var v,Index(i,NoOffset)) ->
      Some(v,Some i)
  | BinOp((PlusPI | IndexPI | MinusPI as op),e1,e2,_) ->
      begin match destruct_pointer e1 with
	| None -> None
	| Some(v,None) ->
	    begin match op with
	      | PlusPI | IndexPI -> Some(v,Some e2)
	      | MinusPI ->
                  Some(v,
                       Some(new_exp ~loc:e.eloc (UnOp(Neg,e2,typeOf e2))))
	      | _ -> assert false
	    end
	| Some(v,Some off) ->
	    begin match op with
	      | PlusPI | IndexPI ->
                  Some(v,
                       Some(new_exp ~loc:e.eloc
                              (BinOp(PlusA,off,e2,typeOf e2))))
	      | MinusPI ->
                  Some(v,
                       Some(new_exp ~loc:e.eloc
                              (BinOp(MinusA,off,e2,typeOf e2))))
	      | _ -> assert false
	    end
      end
  | CastE(ty,e) ->
      let ety = typeOf e in
      if isPointerType ty && isPointerType ety
	&&
          Cil_datatype.Typ.equal
          (Cil.typeDeepDropAttributes ["const"; "volatile"]
             (unrollType (pointed_type ty)))
          (Cil.typeDeepDropAttributes ["const"; "volatile"]
             (unrollType (pointed_type ety)))
      then
	destruct_pointer e
      else None
  | _ -> None

class collectCursorPointers
  (cursor_to_base : varinfo Cil_datatype.Varinfo.Hashtbl.t) (* local variable to base *)
  (formal_to_base : varinfo Cil_datatype.Varinfo.Hashtbl.t) (* formal variable to base *)
  (assigned_vars : Cil_datatype.Varinfo.Set.t ref) (* variable is assigned (for formals) *)
  (ignore_vars : Cil_datatype.Varinfo.Set.t ref) (* ignore info on these variables *) =

  let curFundec : fundec ref = ref (emptyFunction "@dummy@") in

  let candidate_var v =
    not v.vglob
    && ((isPointerType v.vtype && not v.vaddrof) || isArrayType v.vtype)
  in
  (* Variable should not be translated as base or cursor *)
  let add_ignore_vars v =
    if not (Cil_datatype.Varinfo.Set.mem v !ignore_vars) then
      begin
	ignore_vars := Cil_datatype.Varinfo.Set.add v !ignore_vars; signal_change ()
      end
  in
  (* Variable [v] used as cursor on base [vb] *)
  let add_cursor_to_base v vb =
    try
      let vb2 = Cil_datatype.Varinfo.Hashtbl.find cursor_to_base v in
      if not (Cil_datatype.Varinfo.equal vb vb2) then add_ignore_vars v
    with Not_found ->
      Cil_datatype.Varinfo.Hashtbl.add cursor_to_base v vb; signal_change ()
  in
  (* Variable [v] assigned *)
  let add_assigned_vars v =
    if not (Cil_datatype.Varinfo.Set.mem v !assigned_vars) then
      begin
	assigned_vars := Cil_datatype.Varinfo.Set.add v !assigned_vars; signal_change ()
      end
  in

  (* Interpret difference of pointers as a hint that one is an cursor
   * of the other. *)
  let preaction_expr x =
    begin match x.enode with
      | BinOp(MinusPP,e1,e2,_) when isPointerType (typeOf e1) ->
	  begin match destruct_pointer e1,destruct_pointer e2 with
	    | Some(v1,_),Some(v2,_) ->
		begin try
		  let vb1 = Cil_datatype.Varinfo.Hashtbl.find cursor_to_base v1 in
		  let vb2 = Cil_datatype.Varinfo.Hashtbl.find cursor_to_base v2 in
		  if not (Cil_datatype.Varinfo.equal vb1 vb2)
		    && vb1.vformal && vb2.vformal then
		      (* One formal is an offset from the other.
			 Choose the first one in the list of parameters
			 as base. *)
		      let vbbase,vboff =
			match
			  List.fold_left
			    (fun acc v ->
			       match acc with Some _ -> acc | None ->
		      		 if Cil_datatype.Varinfo.equal v vb1 then
				   Some(vb1,vb2)
				 else if Cil_datatype.Varinfo.equal v vb2 then
				   Some(vb2,vb1)
				 else None
			    ) None !curFundec.sformals
			with None -> assert false | Some pair -> pair
		      in
		      Cil_datatype.Varinfo.Hashtbl.add formal_to_base vboff vbbase
		  else ()
		with Not_found -> () end
	    | _ -> ()
	  end
      | _ -> ()
    end; x
  in
object

  inherit Visitor.frama_c_inplace

  method! vfunc f =
    curFundec := f;
    (* For simplicity, consider formals as self-cursors initially.
     * This is the way we declare bases (in the image of [cursor_to_base]).
     *)
    let formal v =
      if candidate_var v then add_cursor_to_base v v
    in
    let local v =
      (* Consider local arrays as candidate base pointers *)
      if isArrayType v.vtype then formal v
    in
    List.iter formal f.sformals;
    List.iter local f.slocals;
    DoChildren

  method! vinst = function
    | Set((Var v,NoOffset),e,_loc) ->
	if candidate_var v then
	  begin
	    add_assigned_vars v;
	    match destruct_pointer e with
	      | None -> add_ignore_vars v
	      | Some(v2,_offset) ->
		  if Cil_datatype.Varinfo.Set.mem v2 !ignore_vars then add_ignore_vars v
		  else try
		    let vb2 = Cil_datatype.Varinfo.Hashtbl.find cursor_to_base v2 in
		    try
		      let vb = Cil_datatype.Varinfo.Hashtbl.find cursor_to_base v in
		      if not (Cil_datatype.Varinfo.equal vb vb2) then
			add_ignore_vars v
		    with Not_found -> add_cursor_to_base v vb2
		  with Not_found -> add_ignore_vars v
	  end;
	DoChildren
    | Set _ -> DoChildren
    | Call(Some(Var v,NoOffset),_f,_args,_loc) ->
	if candidate_var v then
	  begin
	    add_assigned_vars v; add_ignore_vars v
	  end;
	DoChildren
    | Call _ -> DoChildren
    | Asm _ | Skip _ | Local_init _ -> SkipChildren
    | Code_annot _ -> assert false

  method! vexpr e =
    ignore(preaction_expr e); DoChildren

  method! vterm = do_on_term (Some preaction_expr, None)

end

class rewriteCursorPointers
  (cursor_to_base : varinfo Cil_datatype.Varinfo.Hashtbl.t)
  (formal_to_base : varinfo Cil_datatype.Varinfo.Hashtbl.t)
  (assigned_vars : Cil_datatype.Varinfo.Set.t) =

  (* Correspondance between cursor variables and offset variables *)
  let cursor_to_offset : varinfo Cil_datatype.Varinfo.Hashtbl.t = Cil_datatype.Varinfo.Hashtbl.create 0 in

  (* Function [expr_offset] may raise exception [Not_found] if
   * no offset needed.
   *)
  let expr_offset v =
    let loc = Cil_const.CurrentLoc.get () in
    if v.vformal then
      let voff = Cil_datatype.Varinfo.Hashtbl.find cursor_to_offset v in
      new_exp ~loc (Lval(Var voff,NoOffset))
    else
      let voff = Cil_datatype.Varinfo.Hashtbl.find cursor_to_offset v in
      let vb = Cil_datatype.Varinfo.Hashtbl.find cursor_to_base v in
      if Cil_datatype.Varinfo.Hashtbl.mem formal_to_base vb then
	let voff2 = Cil_datatype.Varinfo.Hashtbl.find cursor_to_offset vb in
	new_exp ~loc
          (BinOp(PlusA,
                 new_exp ~loc (Lval(Var voff,NoOffset)),
                 new_exp ~loc (Lval(Var voff2,NoOffset)),
	         theMachine.ptrdiffType))
      else new_exp ~loc (Lval(Var voff,NoOffset))
  in
  (* Find basis for variable [v] *)
  let var_base v =
    if Cil_datatype.Varinfo.Hashtbl.mem cursor_to_offset v then
      if v.vformal then
	try Cil_datatype.Varinfo.Hashtbl.find formal_to_base v
	with Not_found -> v (* self-base *)
      else
	let vb = Cil_datatype.Varinfo.Hashtbl.find cursor_to_base v in
	try Cil_datatype.Varinfo.Hashtbl.find formal_to_base vb
	with Not_found -> vb
    else
      raise Not_found
  in
  let lval_base vb =
    let loc = Cil_const.CurrentLoc.get () in
    if isArrayType vb.vtype then
      new_exp ~loc (StartOf(Var vb,NoOffset))
    else
      new_exp ~loc (Lval(Var vb,NoOffset))
  in
  let preaction_expr e = match e.enode with
    | BinOp(MinusPP,e1,e2,_) ->
        begin try match destruct_pointer e1,destruct_pointer e2 with
          | None,_ | _,None -> e
          | Some(v1,offopt1),Some(v2,offopt2) ->
	      let vb1 = try var_base v1 with Not_found -> v1 in
	      let vb2 = try var_base v2 with Not_found -> v2 in
              if Cil_datatype.Varinfo.equal vb1 vb2 then
	        let v1offopt =
		  try Some(expr_offset v1) with Not_found -> None in
	        let v2offopt =
		  try Some(expr_offset v2) with Not_found -> None in
                let offopt1 = match v1offopt,offopt1 with
                  | None,None -> None
                  | Some off,None | None,Some off -> Some off
                  | Some off1,Some off2 ->
                      Some
                        (new_exp ~loc:e.eloc
                           (BinOp(PlusA,off1,off2,theMachine.ptrdiffType)))
                in
                let offopt2 = match v2offopt,offopt2 with
                  | None,None -> None
                  | Some off,None | None,Some off -> Some off
                  | Some off1,Some off2 ->
                      Some
                        (new_exp ~loc:e.eloc
                           (BinOp(PlusA,off1,off2,theMachine.ptrdiffType)))
                in
                match offopt1,offopt2 with
                  | Some off1,Some off2 ->
		      new_exp ~loc:e.eloc
                        (BinOp(MinusA,off1,off2,theMachine.ptrdiffType))
                  | Some off1,None ->
		      off1
                  | None,Some off2 ->
	              new_exp ~loc:e.eloc
                        (UnOp(Neg,off2,theMachine.ptrdiffType))
                  | None,None ->
		      constant_expr Integer.zero
              else e
	with Not_found -> e end
    | _ -> e
  in
  let postaction_expr e = match e.enode with
    | Lval(Var v,NoOffset) ->
	begin try
	  (* Both [var_base] and [expr_offset] can raise [Not_found],
	   * the second one only on local array variables.
	   *)
	  let vb = var_base v in
	  new_exp ~loc:e.eloc
            (BinOp(PlusPI,lval_base vb,expr_offset v,v.vtype))
	with Not_found -> e end
    | _ -> e
  in
object

  inherit Visitor.frama_c_inplace

  method! vfunc f =
    let local v =
      if Cil_datatype.Varinfo.Hashtbl.mem cursor_to_base v && not (isArrayType v.vtype) then
	let name = unique_name ("__jc_off_" ^ v.vname) in
	let voff = makeLocalVar f ~insert:true name almost_integer_type in
	Cil_datatype.Varinfo.Hashtbl.add cursor_to_offset v voff
    in
    let formal v =
      if Cil_datatype.Varinfo.Hashtbl.mem formal_to_base v then
	(* Formal is a cursor of another formal *)
	begin
	  local v; (* Create an offset variable for this formal *)
	  let voff = Cil_datatype.Varinfo.Hashtbl.find cursor_to_offset v in
	  let vb = Cil_datatype.Varinfo.Hashtbl.find formal_to_base v in
          let loc = CurrentLoc.get () in
	  let initst =
	    mkStmt(
	      Instr(
                Set((Var voff,NoOffset),
	            new_exp ~loc:(CurrentLoc.get())
                      (BinOp (MinusPP,
                              new_exp ~loc (Lval(Var v,NoOffset)),
                              lval_base vb,
		              theMachine.ptrdiffType)),
		    loc)))
	  in
	  add_pending_statement ~beginning:true initst
	end
      else if Cil_datatype.Varinfo.Hashtbl.mem cursor_to_base v
	&& Cil_datatype.Varinfo.Set.mem v assigned_vars then
	(* Formal is assigned and still a self-base, an offset is needed *)
	begin
	  local v; (* Create an offset variable for this formal *)
	  let voff = Cil_datatype.Varinfo.Hashtbl.find cursor_to_offset v in
	  let initst =
	    mkStmt(Instr(Set((Var voff,NoOffset),
			     constant_expr Integer.zero,
			     CurrentLoc.get ())))
	  in
	  add_pending_statement ~beginning:true initst
	end
      else ()
    in
    List.iter formal f.sformals;
    List.iter local f.slocals;
    DoChildren

  method! vinst = function
    | Set((Var v,NoOffset),e,loc) ->
	if v.vformal then
	  begin try
	    let voff = Cil_datatype.Varinfo.Hashtbl.find cursor_to_offset v in
	    (* At this point, [e] must be a pointer whose destruction through
	     * [destruct_pointer] does not return None.
	     *)
	    let eoff = match destruct_pointer e with
	      | None -> assert false
	      | Some(v2,Some e) ->
		  begin try
                    new_exp ~loc:e.eloc
                      (BinOp(PlusA,expr_offset v2,e,almost_integer_type))
		  with Not_found -> assert false end
	      | Some(v2,None) ->
		  begin try expr_offset v2
		  with Not_found -> assert false end
	    in
	    ChangeDoChildrenPost
	      ([Set((Var voff,NoOffset),eoff,loc)], fun x -> x)
	  with Not_found -> DoChildren end
	else
	  (* local variable *)
	  begin try
	    let voff = Cil_datatype.Varinfo.Hashtbl.find cursor_to_offset v in
	    (* At this point, [e] must be a pointer whose destruction through
	     * [destruct_pointer] does not return None.
	     *)
	    let eoff = match destruct_pointer e with
	      | None -> assert false
	      | Some(v2,Some e) ->
		  begin try
                    new_exp ~loc:e.eloc
                      (BinOp(PlusA,expr_offset v2,e,almost_integer_type))
		  with Not_found -> e end
	      | Some(v2,None) ->
		  begin try expr_offset v2
		  with Not_found -> constant_expr Integer.zero end
	    in
	    ChangeDoChildrenPost
	      ([Set((Var voff,NoOffset),eoff,loc)], fun x -> x)
	  with Not_found -> DoChildren end
    | _ -> DoChildren

  method! vexpr e =
    ChangeDoChildrenPost (preaction_expr e, postaction_expr)

  method! vterm =
    do_on_term (Some preaction_expr,Some postaction_expr)

  method! vspec _sp =
    (* Do not modify the function contract, where offset variables
     * are not known *)
    SkipChildren

end

let rewrite_cursor_pointers file =
  (* Variables to communicate between the collecting visitor and
   * the rewriting one. *)
  let cursor_to_base = Cil_datatype.Varinfo.Hashtbl.create 0 in
  let formal_to_base = Cil_datatype.Varinfo.Hashtbl.create 0 in
  let assigned_vars = ref Cil_datatype.Varinfo.Set.empty in
  let ignore_vars = ref Cil_datatype.Varinfo.Set.empty in

  (* Collect the cursor variables and their base *)
  let visitor =
    new collectCursorPointers
      cursor_to_base formal_to_base assigned_vars ignore_vars
  in
  visit_until_convergence visitor file;

  (* Normalize the information *)
  let rec transitive_basis v =
    try transitive_basis (Cil_datatype.Varinfo.Hashtbl.find formal_to_base v)
    with Not_found -> v
  in
  Cil_datatype.Varinfo.Hashtbl.iter
    (fun v _ -> Cil_datatype.Varinfo.Hashtbl.add formal_to_base v (transitive_basis v))
    formal_to_base;
  Cil_datatype.Varinfo.Set.iter
    (fun v -> Cil_datatype.Varinfo.Hashtbl.remove cursor_to_base v) !ignore_vars;
  Cil_datatype.Varinfo.Hashtbl.iter
    (fun v vb -> if Cil_datatype.Varinfo.Set.mem vb !ignore_vars then
      Cil_datatype.Varinfo.Hashtbl.remove cursor_to_base v) cursor_to_base;
  Cil_datatype.Varinfo.Hashtbl.iter
    (fun v vb -> if Cil_datatype.Varinfo.Set.mem vb !ignore_vars then
      Cil_datatype.Varinfo.Hashtbl.remove formal_to_base v) formal_to_base;

  (* Rewrite cursor variables as offsets from their base variable *)
  let visitor =
    new rewriteCursorPointers
      cursor_to_base formal_to_base !assigned_vars
  in
  visitFramacFile (visit_and_push_statements_visitor visitor) file


(*****************************************************************************)
(* Rewrite cursor integers into offsets from base integers.                  *)
(*****************************************************************************)

(* Recognize the sum of an integer variable and an integer offset *)
let rec destruct_integer e = match e.enode with
  | Lval(Var v,NoOffset) -> Some(v,None)
  | BinOp((PlusA | MinusA as op),e1,e2,_) ->
      begin match destruct_integer e1 with
	| None -> None
	| Some(v,None) ->
	    begin match op with
	      | PlusA -> Some(v,Some e2)
	      | MinusA ->
                  Some(v,
                       Some(new_exp ~loc:e.eloc
                              (UnOp(Neg,e2,almost_integer_type))))
	      | _ -> assert false
	    end
	| Some(v,Some off) ->
	    begin match op with
	      | PlusA ->
                  Some(v,
                       Some(new_exp ~loc:e.eloc
                              (BinOp(PlusA,off,e2,almost_integer_type))))
	      | MinusA ->
                  Some(v,
                       Some(new_exp ~loc:e.eloc
                              (BinOp(MinusA,off,e2,almost_integer_type))))
	      | _ -> assert false
	    end
      end
  | CastE(ty,e) ->
      let ety = typeOf e in
      if isIntegralType ty && isIntegralType ety then
	destruct_integer e
      else None
  | _ -> None

class collectCursorIntegers
  (cursor_to_base : varinfo Cil_datatype.Varinfo.Hashtbl.t) (* local variable to base *)
  (assigned_vars : Cil_datatype.Varinfo.Set.t ref) (* variable is assigned (for formals) *)
  (ignore_vars : Cil_datatype.Varinfo.Set.t ref) (* ignore info on these variables *) =

  let candidate_var v =
    not v.vglob && (isIntegralType v.vtype && not v.vaddrof)
  in
  (* Variable should not be translated as base or cursor *)
  let add_ignore_vars v =
    if not (Cil_datatype.Varinfo.Set.mem v !ignore_vars) then
      begin
	ignore_vars := Cil_datatype.Varinfo.Set.add v !ignore_vars; signal_change ()
      end
  in
  (* Variable [v] used as cursor on base [vb] *)
  let add_cursor_to_base v vb =
    try
      let vb2 = Cil_datatype.Varinfo.Hashtbl.find cursor_to_base v in
      if not (Cil_datatype.Varinfo.equal vb vb2) then add_ignore_vars v
    with Not_found ->
      Cil_datatype.Varinfo.Hashtbl.add cursor_to_base v vb; signal_change ()
  in
  (* Variable [v] assigned *)
  let add_assigned_vars v =
    if not (Cil_datatype.Varinfo.Set.mem v !assigned_vars) then
      begin
	assigned_vars := Cil_datatype.Varinfo.Set.add v !assigned_vars; signal_change ()
      end
  in
object

  inherit Visitor.frama_c_inplace

  method! vfunc f =
    (* For simplicity, consider formals as self-cursors initially.
     * This is the way we declare bases (in the image of [cursor_to_base]).
     *)
    let formal v =
      if candidate_var v then add_cursor_to_base v v
    in
    List.iter formal f.sformals;
    DoChildren

  method! vinst = function
    | Set((Var v,NoOffset),e,_loc) ->
	if candidate_var v then
	  begin
	    add_assigned_vars v;
	    match destruct_integer e with
	      | None -> add_ignore_vars v
	      | Some(v2,_offset) ->
		  if Cil_datatype.Varinfo.Set.mem v2 !ignore_vars then add_ignore_vars v
		  else try
		    let vb2 = Cil_datatype.Varinfo.Hashtbl.find cursor_to_base v2 in
		    try
		      let vb = Cil_datatype.Varinfo.Hashtbl.find cursor_to_base v in
		      if not (Cil_datatype.Varinfo.equal vb vb2) then
			add_ignore_vars v
		    with Not_found -> add_cursor_to_base v vb2
		  with Not_found -> add_ignore_vars v
	  end;
	SkipChildren
    | Set _ -> SkipChildren
    | Call(Some(Var v,NoOffset),_f,_args,_loc) ->
	if candidate_var v then
	  begin
	    add_assigned_vars v; add_ignore_vars v
	  end;
	SkipChildren
    | Call _ -> SkipChildren
    | Asm _ | Skip _ | Local_init _ -> SkipChildren
    | Code_annot _ -> assert false

end

class rewriteCursorIntegers
  (cursor_to_base : varinfo Cil_datatype.Varinfo.Hashtbl.t)
  (assigned_vars : Cil_datatype.Varinfo.Set.t) =

  (* Correspondance between cursor variables and offset variables *)
  let cursor_to_offset : varinfo Cil_datatype.Varinfo.Hashtbl.t = Cil_datatype.Varinfo.Hashtbl.create 0 in

  let postaction_expr e = match e.enode with
    | Lval(Var v,NoOffset) ->
	begin try
	  let vb = Cil_datatype.Varinfo.Hashtbl.find cursor_to_base v in
	  let voff = Cil_datatype.Varinfo.Hashtbl.find cursor_to_offset v in
	  new_exp ~loc:e.eloc
            (BinOp(PlusA,
                   new_exp ~loc:e.eloc (Lval(Var vb,NoOffset)),
                   new_exp ~loc:e.eloc (Lval(Var voff,NoOffset)),
                   v.vtype))
	with Not_found -> e end
    | _ -> e
  in
  let postaction_term t = match t.term_node with
    | TLval(TVar { lv_origin = Some v },TNoOffset) ->
	begin try
	  let vb = Cil_datatype.Varinfo.Hashtbl.find cursor_to_base v in
	  let voff = Cil_datatype.Varinfo.Hashtbl.find cursor_to_offset v in
	  let vt1 = term_of_var vb in
	  let vt2 = term_of_var voff in
	  let addt =
	    mkterm (TBinOp(PlusA,vt1,vt2)) Linteger t.term_loc
	  in
	  mkterm (TCastE(v.vtype,addt)) t.term_type t.term_loc
	with Not_found -> t end
    | _ -> t
  in
object

  inherit Visitor.frama_c_inplace

  method! vfunc f =
    let local v =
      if Cil_datatype.Varinfo.Hashtbl.mem cursor_to_base v then
	let name = unique_name ("__jc_off_" ^ v.vname) in
	let voff = makeLocalVar f ~insert:true name almost_integer_type in
	Cil_datatype.Varinfo.Hashtbl.add cursor_to_offset v voff
    in
    let formal v =
      if Cil_datatype.Varinfo.Hashtbl.mem cursor_to_base v
	&& Cil_datatype.Varinfo.Set.mem v assigned_vars then
	  (* Formal is assigned and still a self-base, an offset is needed *)
	  begin
	  local v; (* Create an offset variable for this formal *)
	  let voff = Cil_datatype.Varinfo.Hashtbl.find cursor_to_offset v in
	  let initst =
	    mkStmt(Instr(Set((Var voff,NoOffset),
			     constant_expr Integer.zero,
			     CurrentLoc.get ())))
	  in
	  add_pending_statement ~beginning:true initst
	  end
      else ()
    in
    List.iter formal f.sformals;
    List.iter local f.slocals;
    DoChildren

  method! vinst = function
    | Set((Var v,NoOffset),e,loc) ->
	begin try
	  let voff = Cil_datatype.Varinfo.Hashtbl.find cursor_to_offset v in
	  (* At this point, [e] must be an integer whose destruction through
	   * [destruct_integer] does not return None.
	   *)
	  let eoff = match destruct_integer e with
	    | None -> assert false
	    | Some(v2,Some e) ->
		begin try
		  let voff2 = Cil_datatype.Varinfo.Hashtbl.find cursor_to_offset v2 in
		  new_exp ~loc:e.eloc
                    (BinOp(PlusA,
                           new_exp ~loc:e.eloc (Lval(Var voff2,NoOffset)),
                           e,
                           almost_integer_type))
		with Not_found -> e end
	    | Some(v2,None) ->
		begin try
		  let voff2 = Cil_datatype.Varinfo.Hashtbl.find cursor_to_offset v2 in
		  new_exp ~loc (Lval(Var voff2,NoOffset))
		with Not_found -> constant_expr Integer.zero end
	  in
	  ChangeDoChildrenPost
	    ([Set((Var voff,NoOffset),eoff,loc)], fun x -> x)
	with Not_found -> DoChildren end
    | _ -> DoChildren

  method! vexpr e =
    ChangeDoChildrenPost (e,postaction_expr)

  method! vterm t =
    ChangeDoChildrenPost (t,postaction_term)

  method! vspec _sp =
    (* Do not modify the function contract, where offset variables
     * are not known *)
    SkipChildren

end

let rewrite_cursor_integers file =
  (* Variables to communicate between the collecting visitor and
   * the rewriting one. *)
  let cursor_to_base = Cil_datatype.Varinfo.Hashtbl.create 0 in
  let assigned_vars = ref Cil_datatype.Varinfo.Set.empty in
  let ignore_vars = ref Cil_datatype.Varinfo.Set.empty in

  (* Collect the cursor variables and their base *)
  let visitor =
    new collectCursorIntegers
      cursor_to_base assigned_vars ignore_vars
  in
  visit_until_convergence visitor file;

  (* Normalize the information *)
  Cil_datatype.Varinfo.Set.iter
    (fun v -> Cil_datatype.Varinfo.Hashtbl.remove cursor_to_base v) !ignore_vars;
  Cil_datatype.Varinfo.Hashtbl.iter
    (fun v vb -> if Cil_datatype.Varinfo.Set.mem vb !ignore_vars then
      Cil_datatype.Varinfo.Hashtbl.remove cursor_to_base v) cursor_to_base;

  (* Rewrite cursor variables as offsets from their base variable *)
  let visitor =
    new rewriteCursorIntegers cursor_to_base !assigned_vars
  in
  visitFramacFile (visit_and_push_statements_visitor visitor) file


(*****************************************************************************)
(* Annotate code with strlen.                                                *)
(*****************************************************************************)

(* All annotations are added as hints, by no means they should be trusted
   blindly, but they can be used if they are also proved *)

class annotateCodeStrlen(strlen : logic_info) =

  (* Store correspondance from temporaries to the corresponding string access *)

  let temps = Cil_datatype.Varinfo.Hashtbl.create 17 in

  (* Recognize access or test of string *)

  (* TODO: extend applicability of [destruct_string_access]. *)
  let lval_destruct_string_access ~through_tmp = function
    | Mem e, NoOffset when isCharPtrType(typeOf e) ->
	begin match destruct_pointer e with
	  | None -> None
	  | Some(v,Some off) -> Some(v,off)
	  | Some(v,None) -> Some(v,constant_expr Integer.zero)
	end
    | Var v, off ->
	if isCharPtrType v.vtype then
	  match off with
	    | Index(i,NoOffset) -> Some (v,i)
	    | NoOffset
	    | Index _
	    | Field _ -> None
	else if isCharArrayType v.vtype then
	  match off with
	    | Index(i,NoOffset) -> Some (v,i)
	    | NoOffset
	    | Index _
	    | Field _ -> None
	else if through_tmp then
	  try Some(Cil_datatype.Varinfo.Hashtbl.find temps v) with Not_found -> None
	else None
    | _ -> None
  in
  let rec destruct_string_access ?(through_tmp=false) ?(through_cast=false) e =
    match e.enode with
      | Lval lv -> lval_destruct_string_access ~through_tmp lv
      | CastE(_,e) ->
	  if through_cast then
	    destruct_string_access ~through_tmp ~through_cast e
	  else None
      | _ -> None
  in
  let destruct_string_test ?(neg=false) e =
    let rec aux ~neg e = match e.enode with
      | UnOp(LNot,e,_) -> aux ~neg:(not neg) e
      | BinOp(Ne,e1,e2,_) when is_null_expr e2 -> aux ~neg e1
      | BinOp(Ne,e2,e1,_) when is_null_expr e2 -> aux ~neg e1
      | BinOp(Eq,e1,e2,_) when is_null_expr e2 -> aux ~neg:(not neg) e1
      | BinOp(Eq,e2,e1,_) when is_null_expr e2 -> aux ~neg:(not neg) e1
      | _ ->
	  match
            destruct_string_access ~through_tmp:true ~through_cast:true e
	  with
	    | Some(v,off) -> Some(neg,v,off)
	    | None -> None
    in match e.enode with
      | BinOp(Eq,e1,e2,_) when is_non_null_expr e2 -> false, aux ~neg e1
      | BinOp(Eq,e2,e1,_) when is_non_null_expr e2 -> false, aux ~neg e1
      | _ -> true, aux ~neg e
  in

  (* Generate appropriate assertion *)

  let strlen_type =
    match strlen.l_type with Some t -> t | None -> assert false
  in

  let within_bounds ~strict v off =
    let rel1 =
      Logic_const.new_predicate (Logic_const.prel (Rle,lzero(),off))
    in
    let tv = term_of_var v in
    let app2 = mkterm (Tapp(strlen,[],[tv])) strlen_type  v.vdecl in
    let op = if strict then Rlt else Rle in
    let rel2 =
      Logic_const.new_predicate (Logic_const.prel (op,off,app2))
    in
    let app =
      Logic_const.new_predicate
	(Logic_const.pand (Logic_const.pred_of_id_pred rel1,
			   Logic_const.pred_of_id_pred rel2))
    in
    Logic_const.pred_of_id_pred
      { app with ip_content = { app.ip_content with pred_name = [ name_of_hint_assertion ] }}
  in
  let reach_upper_bound ~loose v off =
    let tv = term_of_var v in
    let app = mkterm (Tapp(strlen,[],[tv])) strlen_type v.vdecl in
    let op = if loose then Rle else Req in
    let rel =
      Logic_const.new_predicate (Logic_const.prel (op,app,off))
    in
    Logic_const.pred_of_id_pred
      { rel with ip_content = { rel.ip_content with pred_name = [ name_of_hint_assertion ] }}
  in
object(self)

  inherit Visitor.frama_c_inplace

  method! vexpr e =
    begin match destruct_string_access e with None -> () | Some(v,off) ->
      if hasAttribute name_of_string_declspec (typeAttrs v.vtype) then
	(* A string should be accessed within its bounds *)
	let off = Common.force_exp_to_term off in
	let app = within_bounds ~strict:false v off in
	let cur_stmt = the self#current_stmt in
        let kf = the self#current_kf in
	Annotations.add_assert Common.jessie_emitter ~kf cur_stmt app
    end;
    DoChildren

  method! vstmt_aux s =
    let preaction s = match s.skind with
      | If(e,tbl,fbl,_loc) ->
	  begin match destruct_string_test e with _,None -> ()
	    | test_to_null,Some(neg,v,off) ->
		if hasAttribute name_of_string_declspec (typeAttrs v.vtype)
		then
		  (* A string should be tested within its bounds, and
		     depending on the result, the offset is either before
		     or equal to the length of the string *)
		  let off = Common.force_exp_to_term off in
		  let rel1 = within_bounds ~strict:true v off in
		  let supst = mkStmt(Instr(Skip(CurrentLoc.get()))) in
                  let kf = the self#current_kf in
		  Annotations.add_assert Common.jessie_emitter ~kf supst rel1;
		  let rel2 = reach_upper_bound ~loose:false v off in
		  let eqst = mkStmt(Instr(Skip(CurrentLoc.get()))) in
		  Annotations.add_assert Common.jessie_emitter ~kf eqst rel2;

		  (* Rather add skip statement as blocks may be empty *)
		  if neg then
		    begin
		      fbl.bstmts <- supst :: fbl.bstmts;
		      if test_to_null then tbl.bstmts <- eqst :: tbl.bstmts
		    end
		  else
		    begin
		      tbl.bstmts <- supst :: tbl.bstmts;
		      if test_to_null then fbl.bstmts <- eqst :: fbl.bstmts
		    end
	  end; s
      | Instr(Set(lv,e,loc)) when is_null_expr e ->
	  if Jessie_options.HintLevel.get () > 1 then
	    match lval_destruct_string_access ~through_tmp:true lv with
	      | None -> ()
	      | Some(v,off) ->
		  let off = Common.force_exp_to_term off in
		  (* Help ATP with proving the bound on [strlen(v)] by
		     asserting the obvious equality *)
		  let lv' = Common.force_lval_to_term_lval lv in
		  let e' = Common.force_exp_to_term e in
		  let lvt = mkterm (TLval lv') strlen_type loc in
		  let rel =
		    Logic_const.new_predicate (Logic_const.prel (Req,lvt,e'))
		  in
		  let prel =
		    Logic_const.pred_of_id_pred
		      { rel with
                        ip_content =
                          { rel.ip_content with pred_name =
                                                  [ name_of_hint_assertion ] }}
		  in
                  let kf = the self#current_kf in
		  Annotations.add_assert Common.jessie_emitter ~kf s prel;
		  (* If setting a character to zero in a buffer, this should
		     be the new length of a string *)
		  let rel = reach_upper_bound ~loose:true v off in
		  Annotations.add_assert Common.jessie_emitter ~kf s rel
	  else ();
	  s
      | Instr(Set((Var v1,NoOffset),e,_loc)) ->
	  begin match
	    destruct_string_access ~through_tmp:true ~through_cast:true e
	  with
	    | None -> ()
	    | Some(v2,off) -> Cil_datatype.Varinfo.Hashtbl.add temps v1 (v2,off)
	  end; s
      | _ -> s
    in
    ChangeDoChildrenPost(preaction s,fun x -> x)

 end

let annotate_code_strlen file =
  try
    let strlen =
      match Logic_env.find_all_logic_functions name_of_strlen with
	| [i] -> i
	| _  -> assert false
    in
    let visitor = new annotateCodeStrlen strlen in
    visitFramacFile visitor file
  with Not_found -> assert false


(*****************************************************************************)
(* Annotate code with overflow checks.                                       *)
(*****************************************************************************)

class annotateOverflow =
object(self)

  inherit Visitor.frama_c_inplace

  method! vexpr e =
    match e.enode with
    | BinOp((Shiftlt | Shiftrt as op),e1,e2,_ty) ->
        let kf = the self#current_kf in
	let cur_stmt = the self#current_stmt in
	let is_left_shift = match op with Shiftlt -> true | _ -> false in
	let ty1 = typeOf e1 in
	(* Ideally, should strip only casts introduced by the compiler, not
	 * user casts. Since this information is not available, be
	 * conservative here.
	 *)
	let e1' = stripCastsButLastInfo e1 in
	let e2' = stripCastsButLastInfo e2 in
	(* Check that signed shift has a positive right operand *)
	if isSignedInteger ty1 then
	  begin match possible_value_of_integral_expr e2' with
	    | Some i when Integer.ge i Integer.zero -> ()
	    | _ ->
		let check =
                  new_exp ~loc:e.eloc (BinOp(Ge,e2',
                                             constant_expr Integer.zero,
                                             intType))
                in
		let check = Common.force_exp_to_predicate check in
		Annotations.add_assert Common.jessie_emitter ~kf cur_stmt check
	  end
	else ();
	(* Check that shift has not too big a right operand. *)
	let max_right = Integer.of_int (integral_type_size_in_bits ty1) in
	begin match possible_value_of_integral_expr e2' with
	  | Some i when Integer.lt i max_right -> ()
	  | _ ->
	      let max_right = constant_expr max_right in
	      let check =
                new_exp ~loc:e.eloc (BinOp(Lt,e2',max_right,intType)) in
	      let check = Common.force_exp_to_predicate check
	      in
	      Annotations.add_assert Common.jessie_emitter ~kf cur_stmt check
	end;
	(* Check that signed left shift has a positive left operand *)
	if is_left_shift && isSignedInteger ty1 then
	  begin match possible_value_of_integral_expr e1' with
	    | Some i when Integer.ge i Integer.zero -> ()
	    | _ ->
		let check =
                  new_exp ~loc:e.eloc
                    (BinOp(Ge,e1',constant_expr Integer.zero,intType)) in
		let check = Common.force_exp_to_predicate check
		in
		Annotations.add_assert Common.jessie_emitter ~kf cur_stmt check
	  end
	else ();
	(* Check that signed left shift has not a left operand that is bigger
	 * than the maximal value for the type right shifted by its right
	 * operand.
	 *)
	if is_left_shift && isSignedInteger ty1 then
	  let max_int = max_value_of_integral_type ty1 in
	  begin match possible_value_of_integral_expr e2' with
	    | Some i when Integer.ge i Integer.zero &&
                Integer.lt i (Integer.of_int 64) ->
		let max_left = constant_expr (Integer.shift_right max_int i)
                in
		let check =
                  new_exp ~loc:e.eloc (BinOp(Le,e1',max_left,intType))
                in
		let check = Common.force_exp_to_predicate check in
		Annotations.add_assert Common.jessie_emitter ~kf cur_stmt check
	    | _ ->
		let max_int = constant_expr max_int in
		let max_left =
                  new_exp ~loc:e.eloc (BinOp(Shiftrt,max_int,e2',intType))
                in
		let check = new_exp ~loc:e.eloc
                  (BinOp(Le,e1',max_left,intType))
                in
		let check = Common.force_exp_to_predicate check in
		Annotations.add_assert Common.jessie_emitter ~kf cur_stmt check
	  end
	else ();
	DoChildren
    | _ -> DoChildren

end

let annotate_overflow file =
  let visitor = new annotateOverflow in
  visitFramacFile visitor file


(*****************************************************************************)
(* Rewrite type void* into char*.                                            *)
(*****************************************************************************)

class rewriteVoidPointer =
object

  inherit Visitor.frama_c_inplace

  method! vtype ty =
    if isVoidPtrType ty then
      let attr = typeAttr ty in
      ChangeTo (typeAddAttributes attr charPtrType)
(*
    else if isCharType ty then
      (* Yannick: All (un)signed chars changed into char for now ...
	 Claude: why ????
      *)
      let attr = typeAttr ty in
      ChangeTo (typeAddAttributes attr charType)
*)
    else DoChildren

end

class debugVoid =
object
  inherit Visitor.frama_c_inplace
  method! vterm ts = match ts.term_node with
    | TLval(TResult _,_) -> DoChildren
    | _ ->
	assert (not (app_term_type isVoidPtrType false ts.term_type));
	DoChildren
end

let rewrite_void_pointer file =
  let visitor = new rewriteVoidPointer in
  visitFramacFile visitor file

(* Jessie/Why has trouble with Pre labels inside function contracts. *)
class rewritePreOld : Visitor.frama_c_visitor =
object(self)
  inherit Visitor.frama_c_inplace
  val mutable rep_lab = Logic_const.pre_label
    method! vbehavior b =
      rep_lab <- Logic_const.here_label;
      let requires =
        Visitor.visitFramacPredicates
          (self:>Visitor.frama_c_visitor) b.b_requires
      in
      let assumes =
        Visitor.visitFramacPredicates
          (self:>Visitor.frama_c_visitor) b.b_assumes
      in
      let allocation =
        match b.b_allocation with
          | FreeAllocAny -> FreeAllocAny
          | FreeAlloc(free,alloc) ->
              rep_lab <- Logic_const.here_label;
              let free =
                List.map
                  (Visitor.visitFramacIdTerm
                     (self:>Visitor.frama_c_visitor))
                  free
              in
              rep_lab <- Logic_const.old_label;
              let alloc =
                List.map
                  (Visitor.visitFramacIdTerm
                     (self:>Visitor.frama_c_visitor))
                  alloc
              in
              FreeAlloc(free,alloc)
      in
      (* VP: 2012-09-20: signature of Cil.mk_behavior is utterly broken.
         We'll have to live with that for Oxygen, but this will change as
         soon as possible. *)
      rep_lab <- Logic_const.old_label;
      let assigns =
        Visitor.visitFramacAssigns
          (self:>Visitor.frama_c_visitor) b.b_assigns
      in
      let post_cond =
        Cil.mapNoCopy
          (fun (k,p as e) ->
            let p' =
              Visitor.visitFramacIdPredicate
                (self:>Visitor.frama_c_visitor) p
            in
            if p != p' then (k,p') else e)
          b.b_post_cond
      in
      rep_lab <- Logic_const.pre_label;
      let name = b.b_name in
      let b = Cil.mk_behavior
        ~name ~requires ~assumes ~assigns ~allocation ~post_cond () in
      ChangeTo b

  method! vlogic_label l =
    if Cil_datatype.Logic_label.equal l Logic_const.pre_label
       && self#current_kinstr = Kglobal (* Do not rewrite Pre in stmt annot. *)
    then
      ChangeTo rep_lab
    else
      if Cil_datatype.Logic_label.equal l Logic_const.post_label
      then
        ChangeTo Logic_const.here_label
      else
        DoChildren
end

let rewrite_pre_old file =
  let visitor = new rewritePreOld in
  visitFramacFile visitor file

class remove_unsupported: Visitor.frama_c_visitor =
object
  inherit Visitor.frama_c_inplace
  method! vpredicate p =
    match p.pred_content with
      | Pseparated _ ->
          Jessie_options.warning ~once:true
            "\\separated is not supported by Jessie. This predicate will be \
             ignored";
          ChangeTo Logic_const.ptrue
      | _ -> DoChildren
end

let remove_unsupported file =
  let visitor = new remove_unsupported in
  visitFramacFile visitor file

(*****************************************************************************)
(* Rewrite comprehensions into ranges (and back)                             *)
(*****************************************************************************)

let rec add_range vi t1opt t2opt = ranges := (vi,t1opt,t2opt) :: !ranges
and no_range_offset = function
TNoOffset -> true
  | TField(_,offs) | TModel(_,offs) -> no_range_offset offs
  | TIndex({term_type = Ltype ({ lt_name = "set"},[_])},_) -> false
  | TIndex(_,offs) -> no_range_offset offs
and make_comprehension ts =
  let ts = match ts.term_node with
      TLval(ts',offs) when no_range_offset offs ->
        (match ts' with
        | TMem { term_type = Ltype ({lt_name = "set"},[_])} -> ts
        | TMem _ | TVar _ | TResult _ ->
          { ts with term_type = Logic_const.type_of_element ts.term_type}
        )
    | _ -> ts
  in
  let loc = ts.term_loc in
  let ts =
    List.fold_left
      (fun ts (v,t1opt,t2opt) ->
         let vt = variable_term loc v in
         let popt = match t1opt,t2opt with
           | None,None -> None
           | Some t1,None -> Some(predicate t1.term_loc (Prel(Rle,t1,vt)))
           | None,Some t2 -> Some(predicate t2.term_loc (Prel(Rle,vt,t2)))
           | Some t1,Some t2 ->
               let p1 = predicate t1.term_loc (Prel(Rle,t1,vt)) in
               let p2 = predicate t2.term_loc (Prel(Rle,vt,t2)) in
               let loc = (fst t1.term_loc, snd t2.term_loc) in
               Some(predicate loc (Pand(p1,p2)))
         in
         (* NB: no need to update the type, as it is already
            a set of terms (for well-formed terms at least) *)
         { ts with term_node = Tcomprehension(ts,[v],popt) }
      ) ts !ranges
  in
  ranges := [];
  ts
and ranges = ref []


class fromRangeToComprehension behavior = object

  inherit Visitor.generic_frama_c_visitor behavior

  method! vterm ts = match ts.term_type with
    | Ltype ({ lt_name = "set"},[_]) ->
      ChangeDoChildrenPost(ts, make_comprehension)
    | _ -> DoChildren

  method! vterm_offset tsoff = match tsoff with
    | TIndex ({ term_node =Trange(t1opt,t2opt)} as t,tsoff') ->
        let v = make_temp_logic_var Linteger in
        add_range v t1opt t2opt;
        let vt = variable_term t.term_loc v in
        ChangeDoChildrenPost (TIndex(vt,tsoff'), fun x -> x)
    | TNoOffset | TIndex _ | TField _ | TModel _ -> DoChildren

end

let from_range_to_comprehension behavior file =
  let visitor = new fromRangeToComprehension behavior in
  Visitor.visitFramacFile visitor file

let range_to_comprehension t =
  let visitor =
    new fromRangeToComprehension (Cil.copy_visit (Project.current ()))
  in
  Visitor.visitFramacTerm visitor t


class fromComprehensionToRange behavior =
  let ranges = Logic_var.Hashtbl.create 17 in
  let add_range vi t1opt t2opt =
    Logic_var.Hashtbl.add ranges vi (t1opt,t2opt)
  in
  let index_variables_of_term ts =
    let vars = ref Logic_var.Set.empty in
    ignore
      (visitCilTerm
         (object
           inherit nopCilVisitor
           method! vterm = function
           | { term_node =
               TBinOp(PlusPI,_ts,{term_node=TLval(TVar v,TNoOffset)})} ->
             vars := Logic_var.Set.add v !vars;
             DoChildren
           | _ -> DoChildren
           method! vterm_offset = function
           | TIndex({term_node=TLval(TVar v,TNoOffset)},_tsoff) ->
             vars := Logic_var.Set.add v !vars;
             DoChildren
           | _ -> DoChildren
          end)
        ts);
    !vars
  in
  let bounds_of_variable v popt =
    let error () =
      Kernel.fatal "Cannot identify bounds for variable %s" v.lv_name
    in
    let rec bounds p =
      match p.pred_content with
      | Prel(Rle, {term_node = TLval(TVar v',TNoOffset)}, t)
          when Logic_var.equal v v' ->
        None, Some t
      | Prel(Rle, t, {term_node = TLval(TVar v',TNoOffset)})
          when Logic_var.equal v v' ->
        Some t, None
      | Pand(p1,p2) ->
        begin match bounds p1, bounds p2 with
        | (Some t1, None),(None, Some t2) | (None, Some t2),(Some t1, None) ->
          Some t1, Some t2
        | _ -> error ()
        end
      | _ -> error ()
    in
    match popt with None -> None, None | Some p -> bounds p
  in
object(self)

  inherit Visitor.generic_frama_c_visitor behavior

  val mutable has_set_type = false

  method private propagate_set_type t =
    if has_set_type then
      { t with term_type = Logic_const.make_set_type t.term_type }
    else t

  method! vterm t = match t.term_node with
    | Tcomprehension(ts,[v],popt) ->
        let index_vars = index_variables_of_term ts in
        (* Only accept for now comprehension on index variables *)
        if Logic_var.Set.mem v index_vars then begin
          let t1opt,t2opt = bounds_of_variable v popt in
          add_range v t1opt t2opt;
          has_set_type <- false;
          ChangeTo (visitCilTerm (self :> cilVisitor) ts)
        end else begin
          has_set_type <- false;
          DoChildren
        end
    | TBinOp(PlusPI,base,{term_node=TLval(TVar v,TNoOffset)}) ->
          begin try
            let low,high = Logic_var.Hashtbl.find ranges v in
            let range = Logic_const.trange (low,high) in
            let res =
            { t with
                term_node = TBinOp(PlusPI,base,range);
                term_type = Logic_const.make_set_type t.term_type }
            in
            ChangeDoChildrenPost (res, fun x -> has_set_type <- true; x)
          with Not_found -> DoChildren end

    | TBinOp(bop,t1,t2) ->
        has_set_type <- false;
        let t1' = visitCilTerm (self:>Cil.cilVisitor) t1 in
        let has_set_type1 = has_set_type in
        let t2' = visitCilTerm (self:>Cil.cilVisitor) t2 in
        has_set_type <- has_set_type || has_set_type1;
        if t1 != t1' || t2 != t2' || has_set_type then
          ChangeTo
            (self#propagate_set_type { t with term_node = TBinOp(bop,t1',t2')})
        else SkipChildren
    | Tapp(f,prms,args) ->
        has_set_type <- false;
        let visit t =
          let has_set_type1 = has_set_type in
          let res = visitCilTerm (self:>cilVisitor) t in
          has_set_type <- has_set_type || has_set_type1; res
        in
        let args' = mapNoCopy visit args in
        if args != args' || has_set_type then
          ChangeTo
            (self#propagate_set_type { t with term_node = Tapp(f,prms,args') })
        else SkipChildren
     | TDataCons(c,args) ->
        has_set_type <- false;
        let visit t =
          let has_set_type1 = has_set_type in
          let res = visitCilTerm (self:>cilVisitor) t in
          has_set_type <- has_set_type || has_set_type1; res
        in
        let args' = mapNoCopy visit args in
        if args != args' || has_set_type then
          ChangeTo
            (self#propagate_set_type { t with term_node = TDataCons(c,args') })
        else SkipChildren
     | Tif (t1,t2,t3) ->
        has_set_type <- false;
        let t1' = visitCilTerm (self:>Cil.cilVisitor) t1 in
        let has_set_type1 = has_set_type in
        let t2' = visitCilTerm (self:>Cil.cilVisitor) t2 in
        let has_set_type1 = has_set_type || has_set_type1 in
        let t3' = visitCilTerm (self:>Cil.cilVisitor) t3 in
        has_set_type <- has_set_type || has_set_type1;
        if t1 != t1' || t2 != t2' || t3!=t3' || has_set_type then
          ChangeTo
            (self#propagate_set_type { t with term_node = Tif(t1',t2',t3')})
        else SkipChildren
     | TCoerceE(t1,t2) ->
        has_set_type <- false;
        let t1' = visitCilTerm (self:>Cil.cilVisitor) t1 in
        let has_set_type1 = has_set_type in
        let t2' = visitCilTerm (self:>Cil.cilVisitor) t2 in
        has_set_type <- has_set_type || has_set_type1;
        if t1 != t1' || t2 != t2' || has_set_type then
          ChangeTo
            (self#propagate_set_type { t with term_node = TCoerceE(t1',t2')})
        else SkipChildren
     | Tunion l ->
       has_set_type <- false;
        let visit t =
          let has_set_type1 = has_set_type in
          let res = visitCilTerm (self:>cilVisitor) t in
          has_set_type <- has_set_type || has_set_type1; res
        in
        let l' = mapNoCopy visit l in
        if l != l' || has_set_type then
          ChangeTo
             (self#propagate_set_type { t with term_node = Tunion l' })
        else SkipChildren
     | Tinter l ->
       has_set_type <- false;
        let visit t =
          let has_set_type1 = has_set_type in
          let res = visitCilTerm (self:>cilVisitor) t in
          has_set_type <- has_set_type || has_set_type1; res
        in
        let l' = mapNoCopy visit l in
        if l != l' || has_set_type then
          ChangeTo
            (self#propagate_set_type { t with term_node = Tinter l' })
        else SkipChildren
     | Trange(t1,t2) ->
        has_set_type <- false;
        let t1' = optMapNoCopy (visitCilTerm (self:>Cil.cilVisitor)) t1 in
        let has_set_type1 = has_set_type in
        let t2' = optMapNoCopy (visitCilTerm (self:>Cil.cilVisitor)) t2 in
        has_set_type <- has_set_type || has_set_type1;
        if t1 != t1' || t2 != t2' || has_set_type then
          ChangeTo
            (self#propagate_set_type { t with term_node = Trange(t1',t2')})
        else SkipChildren
     | _ ->
         has_set_type <- false;
         ChangeDoChildrenPost (t,self#propagate_set_type)

  method! vterm_lval (lh,lo) =
    let lh' = visitCilTermLhost (self:>Cil.cilVisitor) lh in
    let has_set_type1 = has_set_type in
    let lo' = visitCilTermOffset (self :> Cil.cilVisitor) lo in
    has_set_type <- has_set_type || has_set_type1;
    if lh' != lh || lo' != lo then ChangeTo (lh',lo') else SkipChildren

  method! vterm_lhost = function
    | TVar v ->
        if Logic_var.Hashtbl.mem ranges v then begin
          Format.eprintf "vterm_lhost: Found: v = %s@." v.lv_name;
          assert false
        end;
        DoChildren
    | _ -> DoChildren

  method! vterm_offset off =
    match off with
      | TIndex({term_node=TLval(TVar v,TNoOffset)} as idx,off') ->
          begin try
            let t1opt,t2opt = Logic_var.Hashtbl.find ranges v in
            let trange = Trange(t1opt,t2opt) in
            let toff =
              TIndex
                ({ idx with
                  term_node = trange;
                  term_type = Logic_const.make_set_type idx.term_type },
                 off')
            in
            ChangeDoChildrenPost (toff, fun x -> x)
          with Not_found ->
            DoChildren end
      | TIndex _ | TNoOffset | TField _ | TModel _ ->
          DoChildren

end

let from_comprehension_to_range behavior file =
  let visitor = new fromComprehensionToRange behavior in
  Visitor.visitFramacFile visitor file


(*****************************************************************************)
(* Rewrite the C file for Jessie translation.                                *)
(*****************************************************************************)

let rewrite file =
  if checking then check_types file;
  (* adds a behavior named [name_of_default_behavior] to all functions if
     it does not already exist.
   *)
  Jessie_options.debug "Adding default behavior to all functions";
  add_default_behavior ();
  if checking then check_types file;
  (* Rename entities to avoid conflicts with Jessie predefined names.
     Should be performed before any call to [Cil.cvar_to_lvar] destroys
     sharing among logic variables.
  *)
  Jessie_options.debug "Rename entities";
  rename_entities file;
  if checking then check_types file;
  (* Fill offset/size information in fields *)
  Jessie_options.debug "Fill offset/size information in fields";
  fill_offset_size_in_fields file;
  if checking then check_types file;
  (* Replace addrof array with startof. *)
  Jessie_options.debug "Replace addrof array with startof";
  replace_addrof_array file;
  if checking then check_types file;
  (* Replace string constants by global variables. *)
  Jessie_options.debug "Replace string constants by global variables";
  replace_string_constants file;
  if checking then check_types file;
  (* Put all global initializations in the [globinit] file. *)
  (* Replace global compound initializations by equivalent statements. *)
  Jessie_options.debug "Put all global initializations in the [globinit] file";
  gather_initialization file;
  if checking then check_types file;
  Jessie_options.debug "Use specialized versions of Frama_C_memset";
  specialize_memset file;
  if checking then check_types file;
  (* Rewrite comparison of pointers into difference of pointers. *)
  if Jessie_options.InferAnnot.get () <> "" then
    begin
      Jessie_options.debug "Rewrite comparison of pointers into difference of pointers";
      rewrite_pointer_compare file;
      if checking then check_types file
    end;
  (* Rewrite type void* and (un)signed char* into char*. *)
  Jessie_options.debug "Rewrite type void* and (un)signed char* into char*";
  rewrite_void_pointer file;
  if checking then check_types file;
  Jessie_options.debug "Rewrite Pre as Old in funspec";
  rewrite_pre_old file;
  if checking then check_types file;
  (* Rewrite cursor pointers into offsets from base pointers. *)
  (* order: after [rewrite_pointer_compare] *)
  if Jessie_options.InferAnnot.get () <> "" then
    begin
      Jessie_options.debug "Rewrite cursor pointers into offsets from base pointers";
      rewrite_cursor_pointers file;
      if checking then check_types file
    end;
  (* Rewrite cursor integers into offsets from base integers. *)
  if Jessie_options.InferAnnot.get () <> "" then
    begin
      Jessie_options.debug "Rewrite cursor integers into offsets from base integers";
      rewrite_cursor_integers file;
      if checking then check_types file
    end;
  (* Annotate code with strlen. *)
  if Jessie_options.HintLevel.get () > 0 then
    begin
      Jessie_options.debug "Annotate code with strlen";
      annotate_code_strlen file;
      if checking then check_types file
    end;
  (* Annotate code with overflow checks. *)
  Jessie_options.debug "Annotate code with overflow checks";
  annotate_overflow file;
  if checking then check_types file;
  Jessie_options.debug "Checking if there are unsupported predicates";
  remove_unsupported file;
  if checking then check_types file

(*
Local Variables:
compile-command: "make -C ."
End:
*)
why-2.39/frama-c-plugin/retype.ml0000644000106100004300000003103613147234006015700 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(* Import from Cil *)
open Cil_types
open Cil
open Cil_datatype
open Ast_info

open Visitor

(* Utility functions *)
open Common


(*****************************************************************************)
(* Retype int field used as pointer.                                         *)
(*****************************************************************************)

class collectIntField
  (cast_field_to_type : typ Cil_datatype.Fieldinfo.Hashtbl.t) =
object

  inherit Visitor.frama_c_inplace

  method! vexpr e = match e.enode with
    | CastE(ty,e) ->
	if isPointerType ty then
	  match (stripCastsAndInfo e).enode with
	    | Lval(_host,off) ->
		begin match lastOffset off with
		  | Field(fi,_) ->
		      if isIntegralType fi.ftype
			&& bits_sizeof ty = bits_sizeof fi.ftype then
			  Cil_datatype.Fieldinfo.Hashtbl.replace
			    cast_field_to_type fi fi.ftype
		      else ()
		  | _ -> ()
		end
	    | _ -> ()
	else ();
	DoChildren
    | _ -> DoChildren

end

class retypeIntField
  (cast_field_to_type : typ Cil_datatype.Fieldinfo.Hashtbl.t) =

  let postaction_expr e = match e.enode with
    | Lval(_host,off) ->
	begin match lastOffset off with
	  | Field(fi,_) ->
	      begin try
		new_exp ~loc:e.eloc
                  (CastE(Cil_datatype.Fieldinfo.Hashtbl.find cast_field_to_type fi,e))
	      with Not_found -> e end
	  | _ -> e
	end
    | _ -> e
  in
object

  inherit Visitor.frama_c_inplace

  method! vglob_aux = function
    | GCompTag (compinfo,_) ->
	let fields = compinfo.cfields in
	let field fi =
	  if Cil_datatype.Fieldinfo.Hashtbl.mem cast_field_to_type fi then
	    fi.ftype <- TPtr(!Common.struct_type_for_void,[])
	in
	List.iter field fields;
	DoChildren
    | _ -> DoChildren

  method! vterm =
    do_on_term (None,Some postaction_expr)

end

let retype_int_field file =
  let cast_field_to_type = Cil_datatype.Fieldinfo.Hashtbl.create 17 in
  let visitor = new collectIntField cast_field_to_type in
  visitFramacFile visitor file;
  let visitor = new retypeIntField cast_field_to_type in
  visitFramacFile visitor file


(*****************************************************************************)
(* Organize structure types in hierarchy.                                    *)
(*****************************************************************************)

(* By default, elements should become representant only if they are
 * "preferred" according to function [prefer]. Otherwise, decided by ranking.
 *)
module UnionFind
  (Elem :
    sig type t
	val equal : t -> t -> bool
	val prefer : t -> t -> int
    end)
  (ElemSet : Datatype.Set with type elt = Elem.t)
  (ElemTable : Datatype.Hashtbl with type key = Elem.t) =
struct

  let table = ElemTable.create 73
  let ranks = ElemTable.create 73

  let rec repr e =
    try
      let r = repr(ElemTable.find table e) in
      ElemTable.replace table e r;
      r
    with Not_found -> e

  let rank e =
    try ElemTable.find ranks e with Not_found -> 0

  let unify e1 e2 =
    let r1 = repr e1 and r2 = repr e2 in
    if Elem.equal r1 r2 then ()
    else
      (* Start with preference as defined by function [prefer]. *)
      let pref = Elem.prefer r1 r2 in
      let k1 = rank r1 and k2 = rank r2 in
      if pref < 0 then
	begin
	  ElemTable.replace table r2 r1;
	  if k1 <= k2 then ElemTable.replace ranks r1 (k2 + 1)
	end
      else if pref > 0 then
	begin
	  ElemTable.replace table r1 r2;
	  if k2 <= k1 then ElemTable.replace ranks r2 (k1 + 1)
	end
      else
	(* If no definite preference, resolve to classical ranking. *)
	if k1 < k2 then
	  ElemTable.replace table r1 r2
	else if k2 < k1 then
	  ElemTable.replace table r2 r1
	else
	  begin
	    ElemTable.replace table r1 r2;
	    ElemTable.replace ranks r2 (k2 + 1)
	  end

  (* Does not return singleton classes *)
  let classes () =
    let repr2class = ElemTable.create 17 in
    ElemTable.iter (fun e _ ->
		      let r = repr e in
		      try
			let c = ElemTable.find repr2class r in
			let c = ElemSet.add e c in
			ElemTable.replace repr2class r c
		      with Not_found ->
			ElemTable.add repr2class r (ElemSet.singleton e)
		   ) table;
    ElemTable.fold (fun r c ls -> ElemSet.add r c :: ls) repr2class []

  let one_class e =
    let r = repr e in
    ElemTable.fold (fun e _ ls ->
		      if Elem.equal r (repr e) then e::ls else ls
		   ) table []

  let same_class e1 e2 =
    Elem.equal (repr e1) (repr e2)

end

module FieldElem = struct include Cil_datatype.Fieldinfo let prefer _ _ = 1 end
module FieldUnion = UnionFind(FieldElem)(Cil_datatype.Fieldinfo.Set)(Cil_datatype.Fieldinfo.Hashtbl)

let add_field_representant fi1 fi2 =
  FieldUnion.unify fi1 fi2

module TypeElem = struct include Typ let prefer _ _ = 0 end
module TypeUnion = UnionFind(TypeElem)(Typ.Set)(Typ.Hashtbl)

let type_to_parent_type = Typ.Hashtbl.create 17

let add_inheritance_relation ty parentty =
  if Typ.equal ty parentty then () else
    begin
      Typ.Hashtbl.add type_to_parent_type ty parentty;
      TypeUnion.unify ty parentty
    end

let rec subtype ty parentty =
  Typ.equal ty parentty ||
    try
      subtype (Typ.Hashtbl.find type_to_parent_type ty) parentty
    with Not_found ->
      false

(* module Node = struct *)

(*   type t = NodeVar of varinfo | NodeField of fieldinfo | NodeType of typ *)

(*   let equal n1 n2 = match n1,n2 with *)
(*     | NodeVar v1,NodeVar v2 -> Cil_datatype.Varinfo.equal v1 v2 *)
(*     | NodeField f1,NodeField f2 -> Cil_datatype.Fieldinfo.equal f1 f2 *)
(*     | NodeType ty1,NodeType ty2 -> TypeComparable.equal ty1 ty2 *)

(*   let compare n1 n2 = match n1,n2 with *)
(*     | NodeVar v1,NodeVar v2 -> Cil_datatype.Varinfo.compare v1 v2 *)
(*     | NodeVar _,_ -> -1 *)
(*     | _,NodeVar _ -> 1 *)
(*     | NodeField f1,NodeField f2 -> Cil_datatype.Fieldinfo.compare f1 f2 *)
(*     | NodeField _,_ -> -1 *)
(*     | _,NodeField _ -> 1 *)
(*     | NodeType ty1,NodeType ty2 -> TypeComparable.compare ty1 ty2 *)

(*   let hash = function *)
(*     | NodeVar v -> 17 * Cil_datatype.Varinfo.hash v *)
(*     | NodeField f -> 43 * Cil_datatype.Fieldinfo.hash f *)
(*     | NodeType ty -> 73 * TypeComparable.hash ty *)
(* end *)

(* module NodeHashtbl = Hashtbl.Make(Node) *)
(* module NodeSet = Set.Make(Node) *)
(* module NodeUnion = UnionFind(Node)(NodeHashtbl)(NodeSet) *)

let sub_list l n =
  let rec aux acc n l =
    if n = 0 then acc else
      match l with [] -> assert false | x::r -> aux (x::acc) (n-1) r
  in
  List.rev (aux [] n l)

class createStructHierarchy =
  let unify_type_hierarchies ty1 ty2 =
    (* Extract info from types *)
    let compinfo1 = match unrollType (pointed_type ty1) with
      | TComp(compinfo,_,_) -> compinfo
      | _ -> assert false
    in
    let sty1 = TComp(compinfo1,empty_size_cache () ,[]) in
    let fields1 = compinfo1.cfields in
    let compinfo2 = match unrollType (pointed_type ty2) with
      | TComp(compinfo,_,_) -> compinfo
      | _ -> assert false
    in
    let fields2 = compinfo2.cfields in
    let sty2 = TComp(compinfo2, empty_size_cache () ,[]) in
    (* Compare types *)
    let minlen = min (List.length fields1) (List.length fields2) in
    let prefix,complete = List.fold_left2
      (fun (acc,compl) f1 f2 ->
	 if compl && Typ.equal f1.ftype f2.ftype then
	   f1::acc,compl
	 else acc,false
      )
      ([],true)
      (sub_list fields1 minlen) (sub_list fields2 minlen)
    in
    let prefix = List.rev prefix in
    if complete then
      if List.length prefix = List.length fields1 then
	(* [ty2] subtype of [ty1] *)
	add_inheritance_relation sty2 sty1
      else
	(* [ty1] subtype of [ty2] *)
	add_inheritance_relation sty1 sty2
    else
      begin
	(* Neither one is subtype of the other *)
(* 	add_inheritance_relation sty1 !Common.struct_type_for_void; *)
(* 	add_inheritance_relation sty2 !Common.struct_type_for_void *)
      end
  in
object

  inherit Visitor.frama_c_inplace

  method! vexpr e = match e.enode with
    | CastE(ty,e) when isPointerType ty ->
	let enocast = stripCastsAndInfo e in
	let ety = typeOf enocast in
	if isPointerType ety then
	  unify_type_hierarchies ty ety
	else ();
	DoChildren
    | _ -> DoChildren

end

class exploitStructHierarchy =
object

  inherit Visitor.frama_c_inplace

end

let create_struct_hierarchy file =
  let struct_fields ty =
    match unrollType ty with
    | TComp(compinfo,_,_) -> compinfo.cfields
    | _ -> assert false
  in
  let num_fields ty = List.length (struct_fields ty) in
  let compare_num_fields ty1 ty2 =
    Pervasives.compare (num_fields ty1) (num_fields ty2)
  in
  let subtype ty1 ty2 =
    let fields1 = struct_fields ty1 and fields2 = struct_fields ty2 in
    let len1 = List.length fields1 and len2 = List.length fields2 in
    if len1 > len2 then
      List.fold_left2
	(fun eq fi1 fi2 -> eq && Typ.equal fi1.ftype fi2.ftype)
	true
	(sub_list fields1 len2)
	fields2
    else
      false
  in
  let compute_hierarchy () =
    let classes = TypeUnion.classes () in
    List.iter (fun cls ->
      let types = Typ.Set.elements cls in
      let types = List.sort compare_num_fields types in
      let root,types =
	match types with [] -> assert false | a::r -> a,r
      in
      (* First element is new root *)
      Typ.Hashtbl.remove type_to_parent_type root;
      List.iter
	(fun ty ->
	  add_inheritance_relation ty root;
	  List.iter
	    (fun party ->
	      if subtype ty party then
		add_inheritance_relation ty party
	    ) types
	) types
    ) classes;
    Typ.Hashtbl.iter
      (fun ty party ->
	let fields1 = struct_fields ty in
	let fields2 = struct_fields party in
	let num2 = List.length fields2 in
	let subfields1 = sub_list fields1 num2 in
	List.iter2 add_field_representant subfields1 fields2)
      type_to_parent_type
  in
  let visitor = new createStructHierarchy in
  visitFramacFile visitor file;
  compute_hierarchy ();
  let visitor = new exploitStructHierarchy in
  visitFramacFile visitor file

(*****************************************************************************)
(* Retype the C file for Jessie translation.                                 *)
(*****************************************************************************)

let retype file =
  if checking then check_types file;
  (* Retype int field casted to pointer. *)
  Jessie_options.debug "Retype int field casted to pointer@.";
  retype_int_field file;
  if checking then check_types file;
  (* Organize structure types in hierarchy. *)
  Jessie_options.debug "Organize structure types in hierarchy@.";
  create_struct_hierarchy file;
  if checking then check_types file;

(*
Local Variables:
compile-command: "make"
End:
*)
why-2.39/frama-c-plugin/norm.mli0000644000106100004300000000463113147234006015515 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

val generated_union_types : unit Cil_datatype.Typ.Hashtbl.t

val model_fields : Cil_types.compinfo -> Cil_types.model_info list

(* performs similar normalization tasks as Caduceus *)
val normalize : Cil_types.file -> unit
why-2.39/frama-c-plugin/jessie_options.ml0000644000106100004300000001262013147234006017423 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

include
  Plugin.Register
    (struct
       let name = "Jessie: deductive verification of ASCL contracts using Why3"
       let shortname = "jessie"
       let help = "performs translation of ACSL-annotated C code to the Why3 intermediate language,@ and pass the result to the Why3 environment (http://why3.lri.fr/)"
     end)

module ProjectName =
  Empty_string
    (struct
       let option_name = "-jessie-project-name"
       let arg_name = ""
       let help = "specify project name for Jessie analysis"
     end)

module Behavior =
  Empty_string
    (struct
       let option_name = "-jessie-behavior"
       let arg_name = ""
       let help =
	 "restrict verification to a specific behavior (safety, default or a user-defined behavior)"
     end)

module Analysis =
  False(struct
	  let option_name = "-jessie"
	  let help = "enables translation of annotated C to Why3"
	end)

module ForceAdHocNormalization =
  False(struct
          let option_name = "-jessie-adhoc-normalization"
          let help =
            "enforce code normalization in a mode suitable for Jessie plugin."
        end)

let () =
  (* [JS 2009/10/04]
     Preserve the behaviour of svn release <= r5012.
     However it works only if the int-model is set from the command line.
     [CM 2009/12/08]
     setting int-model on the command-line is obsolete, so what is this
     code for ?
  *)
  ForceAdHocNormalization.add_set_hook
    (fun _ b ->
       if b then begin
	 Kernel.SimplifyCfg.on ();
	 Kernel.KeepSwitch.on ();
	 Kernel.Constfold.on ();
	 Kernel.PreprocessAnnot.on ();
	 Cabs2cil.setDoTransformWhile ();
	 Cabs2cil.setDoAlternateConditional ();
       end);
  State_dependency_graph.add_dependencies
    ~from:ForceAdHocNormalization.self
    [ Kernel.SimplifyCfg.self;
      Kernel.KeepSwitch.self;
      Kernel.Constfold.self;
      Kernel.PreprocessAnnot.self ]

let () =
  Analysis.add_set_hook (fun _ b -> ForceAdHocNormalization.set b);
  State_dependency_graph.add_dependencies
    ~from:Analysis.self [ ForceAdHocNormalization.self ]

module JcOpt =
  String_set(struct
	      let option_name = "-jessie-jc-opt"
	      let arg_name = ""
	      let help = "give an option to Jc (e.g., -jessie-jc-opt=\"-trust-ai\")"
	    end)

module Why3Cmd =
  String
    (struct
       let option_name = "-jessie-why3"
       let arg_name = ""
       let default = "ide"
       let help = "alternate Why3 command (default is \"ide\")"
     end)

module GenOnly =
  False(struct
	  let option_name = "-jessie-gen-only"
	  let help = "only generates jessie intermediate code (for developer use)"
	end)

module InferAnnot =
  Empty_string
    (struct
       let option_name = "-jessie-infer-annot"
       let arg_name = ""
       let help = "infer function annotations (inv, pre, spre, wpre)"
     end)

module AbsDomain =
  String
    (struct
       let option_name = "-jessie-abstract-domain"
       let default = "poly"
       let arg_name = ""
       let help = "use specified abstract domain (box, oct or poly)"
     end)

module HintLevel =
  Zero
    (struct
       let option_name = "-jessie-hint-level"
       let arg_name = ""
       let help = "level of hints, i.e. assertions to help the proof (e.g. for string usage)"
     end)

(*
Local Variables:
compile-command: "make"
End:
*)
why-2.39/frama-c-plugin/configure0000755000106100004300000000044513147234006015745 0ustar  marchevals#!/bin/sh
# Wrapper for the configure of why distribution, to be used when plugin
# configuration is driven by Frama-C's kernel
if test "$WHY_DISTRIB" = ""; then WHY_DISTRIB=..; fi
if test ! -e $WHY_DISTRIB/configure; then (cd $WHY_DISTRIB && autoconf); fi
(cd $WHY_DISTRIB && ./configure $*)
why-2.39/frama-c-plugin/common.mli0000644000106100004300000002113113147234006016024 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)


exception Unsupported of string

val jessie_emitter: Emitter.emitter

val fatal          : ('a,Format.formatter,unit,'b) format4 -> 'a
val unsupported    : ('a,Format.formatter,unit,'b) format4 -> 'a
val warning        : ('a,Format.formatter,unit) format -> 'a
val warn_general   : ('a,Format.formatter,unit) format -> 'a

(** warning for currently ignored feature which is only displayed once *)
val warn_once      : string -> unit

(* Jessie specific names *)

val name_of_default_behavior : string
val name_of_valid_wstring : string
val name_of_valid_string : string
val name_of_strlen : string
val name_of_wcslen : string

val name_of_hint_assertion : string
val name_of_string_declspec : string

val name_of_padding_type : string
val name_of_integral_type : ?bitsize:int -> Cil_types.typ -> string

val name_of_assert : string
val name_of_free : string
val name_of_malloc : string

(*
val filter_alphanumeric : string -> (char * char) list -> char -> string
*)

val type_name:  Cil_types.typ -> string

val logic_type_name:  Cil_types.logic_type -> string

(* unique names generation *)

val unique_name : string -> string

val unique_logic_name : string -> string

val unique_name_if_empty : string -> string


(* ????? *)

val checking : bool

val check_types : Cil_types.file -> unit

val integral_type_size_in_bits : Cil_types.typ -> int

val max_value_of_integral_type :
  ?bitsize:int -> Cil_types.typ -> Integer.t

val min_value_of_integral_type :
  ?bitsize:int -> Cil_types.typ -> Integer.t

(* iter over existing integral types in alphabetical order. *)
val iter_integral_types: (string -> Cil_types.typ -> int -> unit) -> unit

(* fold over existing integral types in alphabetical order. *)
val fold_integral_types:
  (string -> Cil_types.typ -> int -> 'a -> 'a) -> 'a -> 'a

val term_of_var : Cil_types.varinfo -> Cil_types.term

val mkterm :
  Cil_types.term_node ->
  Cil_types.logic_type ->
  Lexing.position * Lexing.position -> Cil_types.term

val mkInfo : Cil_types.exp -> Cil_types.exp

val lift_offset : Cil_types.typ -> Cil_types.offset -> Cil_types.offset

val mkTRef : Cil_types.typ -> string -> Cil_types.typ

val mkTRefArray :
  Cil_types.typ * Cil_types.exp * Cil_types.attributes ->
  Cil_types.typ

val mkalloc_statement : Cil_types.varinfo ->
           Cil_types.typ -> Cil_types.location -> Cil_types.stmt

val mkalloc_array_statement :
  Cil_types.varinfo ->
  Cil_types.typ -> int64 -> Cil_types.location -> Cil_types.stmt

val mkfree_statement :
  Cil_types.varinfo ->
  Cil_types.location -> Cil_types.stmt

val mkfree: Cil_types.varinfo -> Cil_types.location -> Cil_types.instr

val mkStructEmpty : string -> Cil_types.compinfo

val mkStructSingleton :
  ?padding:int ->
  string -> string -> Cil_types.typ -> Cil_types.compinfo

val malloc_function : unit -> Cil_types.varinfo
val free_function : unit -> Cil_types.varinfo

val flatten_multi_dim_array :  bool ref

val reference_of_array : Cil_types.typ -> Cil_types.typ

val get_struct_info : Cil_types.typ -> Cil_types.compinfo

val get_struct_name : Cil_types.typ -> string

val force_app_term_type : (Cil_types.typ -> 'a) -> Cil_types.logic_type -> 'a

val app_term_type : (Cil_types.typ -> 'a) -> 'a -> Cil_types.logic_type -> 'a

val is_base_addr : Cil_types.term -> bool

val is_reference_type : Cil_types.typ -> bool

val is_array_reference_type : Cil_types.typ -> bool

val is_assert_function : Cil_types.varinfo -> bool
val is_free_function : Cil_types.varinfo -> bool
val is_malloc_function : Cil_types.varinfo -> bool
val is_realloc_function : Cil_types.varinfo -> bool
val is_calloc_function : Cil_types.varinfo -> bool

val reference_size : Cil_types.typ -> int64

val bits_sizeof : Cil_types.typ -> int64

val is_unknown_location : Lexing.position * 'a -> bool

val get_unique_field : Cil_types.typ -> Cil_types.fieldinfo

val is_last_offset : Cil_types.offset -> bool

val struct_type_for_void : Cil_types.typ ref

val filter_alphanumeric : string -> (char * char) list -> char -> string

(*
val attach_globinit : Cil_types.stmt -> unit
*)

val attach_global : Cil_types.global -> unit

val attach_globaction : (unit -> unit) -> unit

val do_on_term :
  (Cil_types.exp -> Cil_types.exp) option *
  (Cil_types.exp -> Cil_types.exp) option ->
  Cil_types.term -> Cil_types.term Cil.visitAction

val do_on_term_offset :
  (Cil_types.offset -> Cil_types.offset) option *
  (Cil_types.offset -> Cil_types.offset) option ->
  Cil_types.term_offset -> Cil_types.term_offset Cil.visitAction

val do_on_term_lval :
  (Cil_types.lval -> Cil_types.lval) option *
  (Cil_types.lval -> Cil_types.lval) option ->
  Cil_types.term_lval -> Cil_types.term_lval Cil.visitAction

val do_and_update_globals  : (Cil_types.file -> unit) -> Cil_types.file -> unit

val visit_and_update_globals :
  Visitor.frama_c_visitor -> Cil_types.file -> unit

val signal_change : unit -> unit

val almost_integer_type : Cil_types.typ

val add_pending_statement :  beginning:bool -> Cil_types.stmt -> unit

val visit_until_convergence :
  Visitor.frama_c_visitor -> Cil_types.file -> unit

class proxy_frama_c_visitor:  Visitor.frama_c_visitor -> Visitor.frama_c_visitor

val visit_and_push_statements_visitor :
  Visitor.frama_c_visitor -> proxy_frama_c_visitor

val visit_and_push_statements :
  (proxy_frama_c_visitor -> 'a -> 'b) ->
  Visitor.frama_c_visitor -> 'a -> 'b


val print_to_stdout : Cil_types.file -> unit

val constant_expr : ?loc:Cil_datatype.Location.t -> Integer.t -> Cil_types.exp

(** Make a pseudo-variable to use as placeholder in term to expression
    conversions. Its logic field is set. They are always generated. *)
val makePseudoVar: Cil_types.typ -> Cil_types.varinfo


open Cil_types

type opaque_term_env = {
  term_lhosts: term_lhost Cil_datatype.Varinfo.Map.t;
  terms: term Cil_datatype.Varinfo.Map.t;
  vars: logic_var Cil_datatype.Varinfo.Map.t;
}

type opaque_exp_env = { exps: exp Cil_datatype.Varinfo.Map.t }

val force_term_to_exp: term -> exp * opaque_term_env
val force_back_exp_to_term: opaque_term_env -> exp -> term
val force_exp_to_term: exp -> term
val force_lval_to_term_lval: lval -> term_lval
val force_term_offset_to_offset: term_offset -> offset * opaque_term_env
val force_back_offset_to_term_offset: opaque_term_env -> offset -> term_offset
val force_exp_to_predicate: exp -> predicate
val force_exp_to_assertion: exp -> code_annotation
val force_term_lval_to_lval: term_lval -> lval * opaque_term_env
val force_back_lval_to_term_lval: opaque_term_env -> lval -> term_lval

val predicate: location -> predicate_node -> predicate
why-2.39/frama-c-plugin/common.ml0000644000106100004300000014775313147234006015676 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

(* Import from Cil *)
open Cil_types
open Cil
open Ast_info
open Extlib
open Visitor
open Cil_datatype

(* Utility functions *)
open Format

let jessie_emitter =
  Emitter.create
    "jessie"
    [ Emitter.Funspec; Emitter.Code_annot ]
    ~correctness:
    [Jessie_options.Behavior.parameter; Jessie_options.InferAnnot.parameter]
    ~tuning:[]

let constant_expr ?(loc=Cil_datatype.Location.unknown) e =
  Ast_info.constant_expr ~loc e

exception Unsupported of string

let fatal fmt = Jessie_options.fatal ~current:true fmt

let unsupported fmt =
  Jessie_options.with_failure
    (fun evt ->
       raise (Unsupported evt.Log.evt_message)
    ) ~current:true fmt

let warning fmt = Jessie_options.warning ~current:true fmt
let warn_general fmt = Jessie_options.warning ~current:false fmt

let warn_once =
  let known_warns = Hashtbl.create 7 in
  fun s ->
    if not (Hashtbl.mem known_warns s) then begin
      Hashtbl.add known_warns s ();
      warn_general "%s" s
    end

(*****************************************************************************)
(* Options                                                                   *)
(*****************************************************************************)

let flatten_multi_dim_array = ref false


(*****************************************************************************)
(* Source locations                                                         *)
(*****************************************************************************)

let is_unknown_location loc =
  (fst loc).Lexing.pos_lnum = 0


(*****************************************************************************)
(* Types                                                                     *)
(*****************************************************************************)

(* type for ghost variables until integer is a valid type for ghosts *)
let almost_integer_type = TInt(ILongLong,[])

let struct_type_for_void = ref voidType

(* Query functions on types *)

let rec app_term_type f default = function
  | Ctype typ -> f typ
  | Ltype ({lt_name = "set"},[t]) -> app_term_type f default t
  | Ltype _ | Lvar _ | Linteger | Lreal | Larrow _ -> default

let rec force_app_term_type f = function
  | Ctype typ -> f typ
  | Ltype ({ lt_name = "set"},[t]) -> force_app_term_type f t
  | Ltype _ | Lvar _ | Linteger | Lreal | Larrow _ as ty ->
      Jessie_options.fatal "Unexpected non-C type %a" Printer.pp_logic_type ty

let get_unique_field ty = match unrollType ty with
  | TComp(compinfo,_,_) ->
      begin match compinfo.cfields with
	| [content_fi] -> content_fi
	| _ ->
	    Jessie_options.fatal "Type %a has no unique field" Printer.pp_typ ty
      end
  | _ -> Jessie_options.fatal "non-struct (unique field)"

let get_struct_name = function
  | TComp(compinfo,_,_) -> compinfo.cname
  | _ -> Jessie_options.fatal "non-struct (name)"

let get_struct_info = function
  | TComp(compinfo,_,_) -> compinfo
  | _ -> Jessie_options.fatal "non-struct (info)"

(* Integral types *)

let size_in_bytes ik =
  let size = function
    | IBool -> assert false
    | IChar | ISChar | IUChar -> 1 (* Cil assumes char is one byte *)
    | IInt | IUInt -> theMachine.theMachine.sizeof_int
    | IShort | IUShort -> theMachine.theMachine.sizeof_short
    | ILong | IULong -> theMachine.theMachine.sizeof_long
    | ILongLong | IULongLong -> theMachine.theMachine.sizeof_longlong
  in
  size ik

let integral_type_size_in_bytes ty =
  match unrollType ty with
  | TInt(IBool,_attr) -> (* TODO *)
      unsupported "Common.integral_type_size_in_bytes IBool"
  | TInt(ik,_attr) -> size_in_bytes ik
  | TEnum ({ekind = IBool},_) ->
      unsupported "Common.integral_type_size_in_bytes IBool"
  | TEnum (ei,_) -> size_in_bytes ei.ekind
  | _ -> assert false

let integral_type_size_in_bits ty =
  integral_type_size_in_bytes ty * 8

let min_value_of_integral_type ?bitsize ty =
  let min_of signed size_in_bytes =
    let numbits =
      match bitsize with Some siz -> siz | None -> size_in_bytes * 8
    in
    if signed then
      Integer.neg
	(Integer.power_int_positive_int 2
	  (numbits - 1))
    else Integer.zero
  in
  match unrollType ty with
    | TInt(IBool,_attr) -> Integer.zero
    | TInt(ik,_attr) ->
	min_of (isSigned ik) (size_in_bytes ik)
    | TEnum (e,_) when e.ekind = IBool -> Integer.zero
    | TEnum (e,_) ->
      let ik = e.ekind in
      min_of (isSigned ik) (size_in_bytes ik)
    | _ -> assert false

let max_value_of_integral_type ?bitsize ty =
  let max_of signed size_in_bytes =
    let numbits =
      match bitsize with Some siz -> siz | None -> size_in_bytes * 8
    in
    if signed then
      Integer.pred
	(Integer.power_int_positive_int 2
	  (numbits - 1))
    else
      Integer.pred
	(Integer.power_int_positive_int 2
	  numbits)
  in
  match unrollType ty with
    | TInt(IBool,_attr) -> Integer.one
    | TInt(ik,_attr) ->
	max_of (isSigned ik) (size_in_bytes ik)
    | TEnum (e,_) when e.ekind=IBool -> Integer.one
    | TEnum (e,_) ->
      let ik = e.ekind in
      max_of (isSigned ik) (size_in_bytes ik)
    | _ -> assert false

(*TODO: projectify this *)
let all_integral_types = Hashtbl.create 5

module Integral_types_iterator =
  State_builder.Set_ref
    (Datatype.String.Set)
    (struct
       let name = "Jessie.Common.Integral_types_iterator"
       let dependencies = [Ast.self ]
     end
     )

let name_of_integral_type ?bitsize ty =
  let name_it signed size_in_bytes =
    let numbits =
      match bitsize with Some siz -> siz | None -> size_in_bytes * 8
    in
    let name = (if signed then "" else "u") ^ "int" ^ (string_of_int numbits) in
    Hashtbl.replace all_integral_types name (ty,numbits);
    Integral_types_iterator.add name;
    name
  in
  match unrollType ty with
    | TInt(IBool,_attr) -> "_bool"
    | TInt(ik,_attr) ->
	name_it (isSigned ik) (size_in_bytes ik)
    | TEnum ({ekind= IBool},_) -> "_bool"
    | TEnum ({ekind = ik},_) -> name_it (isSigned ik) (size_in_bytes ik)
    | _ -> assert false

let iter_integral_types f =
  let apply s =
    try
      let (ty,size) = Hashtbl.find all_integral_types s in f s ty size
    with Not_found ->
      Jessie_options.fatal
        "Integral type %s is referenced but does not have a definition" s
  in Integral_types_iterator.iter apply

let fold_integral_types f init =
  let apply s acc =
    try
      let (ty,size) = Hashtbl.find all_integral_types s in f s ty size acc
    with Not_found ->
      Jessie_options.fatal
        "Integral type %s is referenced but does not have a definition" s
  in Integral_types_iterator.fold apply init

(* Reference type *)

(* We introduce a reference type, that is different from the C pointer or
 * array type. It is a direct translation in C of the Jessie bounded pointer
 * type, where the lower/upper bounds that can be safely accessed are
 * statically known. To avoid introducing a new type, we reuse the existing
 * C pointer type, with an attribute "arrlen" to give the size.
 * Then, we use it as a regular pointer type. E.g., we allow dynamic allocation
 * of such references:
 *     r = (TRef(T)) (malloc (sizeof(T)));
 * and usual dereference:
 *     T t = *r;
 * Another advantage is it should be working fine with [typeOf], [typeOfLval],
 * [pointed_type] and similar functions.
 *
 * As a result of this transformation, all allocation/releases of memory
 * on a reference type do implicitly allocate/release the fields of reference
 * type. It will be translated in Jessie in various alloc/free statements.
 *)

let arraylen_attr_name = "arraylen"

let mkTRef elemty _msg =
  (* Define the same arguments as for [mkTRefArray] *)
(*
  Format.eprintf "mkTRef, coming from %s@." msg;
*)
  let size = constant_expr Integer.one and attr = [] in
  (* Do the same as in [mkTRefArray] *)
  let siz = expToAttrParam size in
  let attr = addAttribute (Attr(arraylen_attr_name,[siz])) attr in
  (* Avoid creating an array for single pointed elements that do not
   * originate in a C array, to avoid having to access to the first
   * element everywhere.
   *)
  TPtr(elemty,attr)

let mkTRefArray (elemty,size,attr) =
  (* Check the array size is of a correct form *)
  ignore (lenOfArray64 (Some size));
  let siz = expToAttrParam size in
  let attr = addAttribute (Attr(arraylen_attr_name,[siz])) attr in
  (* Make the underlying type an array so that indexing it is still valid C. *)
  TPtr(TArray(elemty,Some size,empty_size_cache (),[]),attr)

let reference_size ty =
  match findAttribute arraylen_attr_name (typeAttrs ty) with
    | [AInt i] -> Integer.to_int64 i
    | _ -> assert false

let is_reference_type ty =
  isPointerType ty && hasAttribute arraylen_attr_name (typeAttrs ty)

let is_array_reference_type ty =
  is_reference_type ty && isArrayType (Cil.unrollType (direct_pointed_type ty))

let reference_of_array ty =
  let rec reftype ty =
    if isArrayType ty then
      let elty = reftype (direct_element_type ty) in
(*       if array_size ty > 0L then *)
	let size = constant_expr (direct_array_size ty) in
	mkTRefArray(elty,size,[])
(*       else *)
(* 	(\* Array of zero size, e.g. in struct array hack. *\) *)
(* 	TPtr(elty,[]) *)
    else ty
  in
  assert (isArrayType ty);
  reftype ty

(* Wrappers on [mkCompInfo] that update size/offset of fields *)

let mkStructEmpty stname =
  mkCompInfo true stname (fun _ -> []) []

let mkStructSingleton ?(padding=0) stname finame fitype =
  let compinfo =
    mkCompInfo true stname
      (fun _ -> [finame,fitype,None,[],CurrentLoc.get ()]) []
  in
  let fi = get_unique_field (TComp(compinfo,empty_size_cache (),[])) in
  fi.fsize_in_bits <- Some (bitsSizeOf fitype);
  fi.foffset_in_bits <- Some 0;
  fi.fpadding_in_bits <- Some padding;
  compinfo

(* Locally use 64 bits integers *)
open Jessie_integer

let bits_sizeof ty =
  let rec rec_size ?(top_size=false) ty =
    match unrollType ty with
      | TPtr _ ->
	  if is_reference_type ty && not top_size then
            rec_size (pointed_type ty) * (reference_size ty)
	  else
	    Int64.of_int (bitsSizeOf ty)
      | TArray _ -> assert false (* Removed by translation *)
      | TFun _ -> unsupported "Function pointer type %a not allowed" Printer.pp_typ ty
      | TNamed _ -> assert false (* Removed by call to [unrollType] *)
      | TComp(compinfo,_,_) ->
	  let size_from_field fi =
	    match
	      fi.foffset_in_bits, fi.fsize_in_bits, fi.fpadding_in_bits
	    with
	      | Some off, Some siz, Some padd ->
		  Int64.of_int off + Int64.of_int siz + Int64.of_int padd
	      | _ -> assert false
	  in
	  if compinfo.cstruct then
	    match List.rev compinfo.cfields with
	      | [] -> 0L
	      | fi :: _ -> size_from_field fi
	  else
	    List.fold_left max 0L (List.map size_from_field compinfo.cfields)
      | TEnum _ | TVoid _ | TInt _ | TFloat _ | TBuiltin_va_list _ ->
	  Int64.of_int (bitsSizeOf ty)
  in
  rec_size ~top_size:true ty

(* Come back to normal 31 bits integers *)
open Pervasives


(*****************************************************************************)
(* Names                                                                     *)
(*****************************************************************************)

(* Predefined entities *)

let name_of_valid_string = "valid_string"
let name_of_valid_wstring = "valid_wstring"
let name_of_strlen = "strlen"
let name_of_wcslen = "wcslen"
let name_of_assert = "assert"
let name_of_free = "free"
let name_of_malloc = "malloc"
let name_of_calloc = "calloc"
let name_of_realloc = "realloc"

let predefined_name =
  [ (* coding functions *)
    name_of_assert;
    name_of_malloc;
    name_of_calloc;
    name_of_realloc;
    name_of_free;
  ]

let is_predefined_name s = List.mem s predefined_name

let is_assert_function v = isFunctionType v.vtype && v.vname = name_of_assert
let is_free_function v = isFunctionType v.vtype && v.vname = name_of_free
let is_malloc_function v = isFunctionType v.vtype && v.vname = name_of_malloc
let is_calloc_function v = isFunctionType v.vtype && v.vname = name_of_calloc
let is_realloc_function v = isFunctionType v.vtype && v.vname = name_of_realloc

(* Name management *)

let unique_name_generator is_exception =
  let unique_names = Hashtbl.create 127 in
  let rec aux s =
    if is_exception s then s else
      try
	let s = if s = "" then "unnamed" else s in
	let count = Hashtbl.find unique_names s in
	let s = s ^ "_" ^ (string_of_int !count) in
	if Hashtbl.mem unique_names s then
	  aux s
	else
	  (Hashtbl.add unique_names s (ref 0);
	   incr count; s)
      with Not_found ->
	Hashtbl.add unique_names s (ref 0); s
  in
  let add s = Hashtbl.add unique_names s (ref 0) in
  aux, add

let unique_name, add_unique_name =
(*  let u = *)unique_name_generator is_predefined_name
(* in (fun s -> let s' = u s in s') *)

let unique_logic_name, add_unique_logic_name =
(*  let u = *) unique_name_generator (fun _ -> false)
(* in (fun s -> let s' = u s in s')*)

let unique_name_if_empty s =
  if s = "" then unique_name "unnamed" else s

(* Jessie reserved names *)

let jessie_reserved_names =
  [
    (* a *) "abstract"; "allocates"; "and"; "as"; "assert";
            "assigns"; "assumes"; "axiom"; "axiomatic";
    (* b *) "behavior"; "boolean"; "break";
    (* c *) "case"; "catch"; "check"; "continue";
    (* d *) "decreases"; "default"; "do"; "double";
    (* e *) "else"; "end"; "ensures"; "exception";
    (* f *) "false"; "finally"; "float"; "for"; "free";
    (* g *) "goto";
    (* h *) "hint";
    (* i *) "if"; "in"; "integer"; "invariant";
    (* l *) "lemma"; "let"; "logic"; "loop";
    (* m *) "match";
    (* n *) "new"; "null";
    (* o *) "of";
    (* p *) "pack"; "predicate";
    (* r *) "reads"; "real"; "rep"; "requires"; "return";
    (* s *) "switch";
    (* t *) "tag"; "then"; "throw"; "throws"; "true"; "try"; "type";
    (* u *) "unit"; "unpack";
    (* v *) "var"; "variant";
    (* w *) "while"; "with";
  ]

let () = List.iter add_unique_name jessie_reserved_names
let () = List.iter add_unique_logic_name jessie_reserved_names

(*
let reserved_name name =
  if List.mem name jessie_reserved_names then name else unique_name name

let reserved_logic_name name =
  if List.mem name jessie_reserved_names then name else unique_logic_name name
*)

(* Type name *)

let string_explode s =
  let rec next acc i =
    if i >= 0 then next (s.[i] :: acc) (i-1) else acc
  in
  next [] (String.length s - 1)

let string_implode ls =
  let s = Bytes.create (List.length ls) in
  ignore (List.fold_left (fun i c -> Bytes.set s i c; i + 1) 0 ls);
  Bytes.to_string s

let filter_alphanumeric s assoc default =
  let is_alphanum c =
    String.contains "abcdefghijklmnopqrstuvwxyz" c
    || String.contains "ABCDEFGHIJKLMNOPQRSTUVWXYZ" c
    || String.contains "123456789" c
    || c = '_'
  in
  let alphanum_or_default c =
    if is_alphanum c then c
    else try List.assoc c assoc with Not_found -> default
  in
  string_implode (List.map alphanum_or_default (string_explode s))

let type_name ty =
  ignore (flush_str_formatter ());
  fprintf str_formatter "%a" Printer.pp_typ ty;
  let name = flush_str_formatter () in
  filter_alphanumeric name [('*','x')] '_'

let logic_type_name ty =
  ignore (flush_str_formatter ());
  let old_mode = Kernel.Unicode.get() in
  Kernel.Unicode.set false;
  fprintf str_formatter "%a" Printer.pp_logic_type ty;
  let name = flush_str_formatter () in
  Kernel.Unicode.set old_mode;
  filter_alphanumeric name [('*','x')] '_'

let name_of_padding_type = (*reserved_logic_name*) "padding"

let name_of_string_declspec = "valid_string"

let name_of_hint_assertion = "hint"

(* VP: unused variable *)
(* let name_of_safety_behavior = "safety" *)

let name_of_default_behavior = "default"

(*****************************************************************************)
(* Visitors                                                                  *)
(*****************************************************************************)

(* Visitor for adding globals and global initializations (for global
 * variables). It delays updates to the file until after the visitor has
 * completed its work, to avoid visiting a newly created global or
 * initialization.
 *)

let attach_detach_mode = ref false
let globinits : stmt list ref = ref []
let globals : global list ref = ref []
let globactions : (unit -> unit) list ref = ref []

(*
let attach_globinit init =
  assert (!attach_detach_mode);
  globinits := init :: !globinits
*)

let attach_global g =
  assert (!attach_detach_mode);
  globals := g :: !globals

let attach_globaction action =
  assert (!attach_detach_mode);
  globactions := action :: !globactions

(*
let detach_globinits file =
  let gif =
    Kernel_function.get_definition (Globals.Functions.get_glob_init file)
  in
  Format.eprintf "Common.detach_globinits: len(globinits) = %d@."
    (List.length !globinits);
  gif.sbody.bstmts <- List.rev_append !globinits gif.sbody.bstmts;
  globinits := []
*)

let detach_globals file =
  file.globals <- !globals @ file.globals;
  List.iter
    (function GVar(v,init,_) -> Globals.Vars.add v init | _ -> ()) !globals;
  globals := []

let detach_globactions () =
  List.iter (fun f -> f ()) !globactions;
  globactions := []

let do_and_update_globals action file =
  attach_detach_mode := true;
  assert (!globinits = [] && !globals = [] && !globactions = []);
  action file;
 (*
 detach_globinits file;
 *)
  detach_globals file;
  detach_globactions ();
  attach_detach_mode := false

let visit_and_update_globals visitor file =
  do_and_update_globals (visitFramacFile visitor) file

(* Visitor for adding statements in front of the body *)

let adding_statement_mode = ref false
let pending_statements_at_beginning : stmt list ref = ref []
let pending_statements_at_end : stmt list ref = ref []

let add_pending_statement ~beginning s =
  assert (!adding_statement_mode);
  if beginning then
    pending_statements_at_beginning := s :: !pending_statements_at_beginning
  else
    pending_statements_at_end := s :: !pending_statements_at_end

let insert_pending_statements f =
  f.sbody.bstmts <-
    List.rev_append !pending_statements_at_beginning f.sbody.bstmts;
  pending_statements_at_beginning := [];
  match !pending_statements_at_end with [] -> () | slist ->
    (* Insert pending statements before return statement *)
    let return_stat =
      Kernel_function.find_return (Globals.Functions.get f.svar)
    in
    (* Remove labels from the single return statement. Leave them on the most
     * external block with cleanup code instead.
     *)
    let s = { return_stat with labels = []; } in
    let block = mkBlock (List.rev_append (s :: slist) []) in
    return_stat.skind <- Block block;
    pending_statements_at_end := []

class proxy_frama_c_visitor (visitor : Visitor.frama_c_visitor) =
object
  (* [VP 2011-08-24] Do not inherit from Visitor.frama_c_visitor: all methods
     that are not overloaded have to come from visitor. Otherwise, proxy will
     fail to delegate some of its actions. *)

  method set_current_kf kf = visitor#set_current_kf kf

  method set_current_func f = visitor#set_current_func f

  method current_kf = visitor#current_kf

  method current_func = visitor#current_func

  method push_stmt s = visitor#push_stmt s
  method pop_stmt s = visitor#pop_stmt s

  method current_stmt = visitor#current_stmt
  method current_kinstr = visitor#current_kinstr

  method get_filling_actions = visitor#get_filling_actions
  method fill_global_tables = visitor#fill_global_tables

  method videntified_term = visitor#videntified_term
  method videntified_predicate = visitor#videntified_predicate

  method vlogic_label = visitor#vlogic_label

  method vlocal_init = visitor#vlocal_init

  (* Modify visitor on functions so that it prepends/postpends statements *)
  method vfunc f =
    adding_statement_mode := true;
    assert (!pending_statements_at_beginning = []);
    assert (!pending_statements_at_end = []);
    let change c = fun f -> adding_statement_mode:=false; c f in
    let postaction_func f =
      insert_pending_statements f;
      adding_statement_mode := false;
      f
    in
    match visitor#vfunc f with
      | SkipChildren -> ChangeToPost(f, change (fun x -> x))
      | JustCopy -> JustCopyPost (change (fun x -> x))
      | JustCopyPost f -> JustCopyPost (change f)
      | ChangeTo f' -> ChangeToPost (f', change (fun x -> x))
      | ChangeToPost(f',action) -> ChangeToPost(f', change action)
      | DoChildren -> DoChildrenPost postaction_func
      | DoChildrenPost f -> DoChildrenPost (f $ postaction_func)
      | ChangeDoChildrenPost (f', action) ->
	  let postaction_func f =
	    let f = action f in
	    insert_pending_statements f;
	    adding_statement_mode := false;
	    f
	  in
	  ChangeDoChildrenPost (f', postaction_func)

  (* Inherit all other visitors *)

  (* Methods introduced by the Frama-C visitor *)
  method vfile = visitor#vfile
  method vglob_aux = visitor#vglob_aux
  method vstmt_aux = visitor#vstmt_aux

  (* Methods from Cil visitor for coding constructs *)
  method vblock = visitor#vblock
  method vvrbl = visitor#vvrbl
  method vvdec = visitor#vvdec
  method vexpr = visitor#vexpr
  method vlval = visitor#vlval
  method voffs = visitor#voffs
  method vinitoffs = visitor#vinitoffs
  method vinst = visitor#vinst
  method vinit = visitor#vinit
  method vtype = visitor#vtype
  method vattr = visitor#vattr
  method vattrparam = visitor#vattrparam

  (* Methods from Cil visitor for logic constructs *)
  method vlogic_type = visitor#vlogic_type
  method vterm = visitor#vterm
  method vterm_node = visitor#vterm_node
  method vterm_lval = visitor#vterm_lval
  method vterm_lhost = visitor#vterm_lhost
  method vterm_offset = visitor#vterm_offset
  method vlogic_info_decl = visitor#vlogic_info_decl
  method vlogic_info_use = visitor#vlogic_info_use
  method vlogic_var_decl = visitor#vlogic_var_decl
  method vlogic_var_use = visitor#vlogic_var_use
  method vquantifiers = visitor#vquantifiers
  method vpredicate = visitor#vpredicate
  method vpredicate_node = visitor#vpredicate_node
  method vmodel_info = visitor#vmodel_info
  method vbehavior = visitor#vbehavior
  method vspec = visitor#vspec
  method vassigns = visitor#vassigns
  method vloop_pragma = visitor#vloop_pragma
  method vslice_pragma = visitor#vslice_pragma
  method vdeps = visitor#vdeps
  method vcode_annot = visitor#vcode_annot
  method vannotation = visitor#vannotation

  method behavior = visitor#behavior
  method project = visitor#project
  method frama_c_plain_copy = visitor#frama_c_plain_copy
  method plain_copy_visitor = visitor#plain_copy_visitor
  method queueInstr = visitor#queueInstr
  method reset_current_func = visitor#reset_current_func
  method reset_current_kf = visitor#reset_current_kf
  method unqueueInstr = visitor#unqueueInstr
  method vcompinfo = visitor#vcompinfo
  method venuminfo = visitor#venuminfo
  method venumitem = visitor#venumitem
  method vfieldinfo = visitor#vfieldinfo
  method vfrom = visitor#vfrom
  method vglob = visitor#vglob
  method vimpact_pragma = visitor#vimpact_pragma
  method vlogic_ctor_info_decl = visitor#vlogic_ctor_info_decl
  method vlogic_ctor_info_use = visitor#vlogic_ctor_info_use
  method vlogic_type_def = visitor#vlogic_type_def
  method vlogic_type_info_decl = visitor#vlogic_type_info_decl
  method vlogic_type_info_use = visitor#vlogic_type_info_use
  method vstmt = visitor#vstmt

  method vallocates = visitor#vallocates
  method vallocation = visitor#vallocation
  method vfrees = visitor#vfrees

end

let visit_and_push_statements_visitor visitor =
  new proxy_frama_c_visitor visitor

let visit_and_push_statements visit visitor file =
  let visitor = new proxy_frama_c_visitor visitor in
  visit visitor file

(* Visitor for tracing computation *)
(* VP: unused *)
(* class trace_frama_c_visitor (visitor : Visitor.frama_c_visitor) =
object

  inherit Visitor.frama_c_inplace

  (* Inherit all visitors, printing visited item on the way *)

  (* Methods introduced by the Frama-C visitor *)
  method vfile = visitor#vfile
  method vglob_aux g =
    Jessie_options.feedback "%a" Printer.pp_global g;
    visitor#vglob_aux g
  method vstmt_aux s =
    Jessie_options.feedback "%a" Printer.pp_stmt s;
    visitor#vstmt_aux s

  (* Methods from Cil visitor for coding constructs *)
  method vfunc = visitor#vfunc
  method vblock b =
    Jessie_options.feedback "%a" Printer.pp_block b;
    visitor#vblock b
  method vvrbl v =
    Jessie_options.feedback "%s" v.vname;
    visitor#vvrbl v
  method vvdec v =
    Jessie_options.feedback "%s" v.vname;
    visitor#vvdec v
  method vexpr e =
    Jessie_options.feedback "%a" Printer.pp_exp e;
    visitor#vexpr e
  method vlval lv =
    Jessie_options.feedback "%a" Printer.pp_lval lv;
    visitor#vlval lv
  method voffs off =
    Jessie_options.feedback "%a" !Ast_printer.d_offset off;
    visitor#voffs off
  method vinitoffs off =
    Jessie_options.feedback "%a" !Ast_printer.d_offset off;
    visitor#vinitoffs off
  method vinst i =
    Jessie_options.feedback "%a" Printer.pp_instr i;
    visitor#vinst i
  method vinit = visitor#vinit
  method vtype ty =
    Jessie_options.feedback "%a" Printer.pp_typ ty;
    visitor#vtype ty
  method vattr attr =
    Jessie_options.feedback "%a" !Ast_printer.d_attr attr;
    visitor#vattr attr
  method vattrparam pattr =
    Jessie_options.feedback "%a" !Ast_printer.d_attrparam pattr;
    visitor#vattrparam pattr

  (* Methods from Cil visitor for logic constructs *)
  method vlogic_type lty =
    Jessie_options.feedback "%a" Printer.pp_logic_type lty;
    visitor#vlogic_type lty
  method vterm t =
    Jessie_options.feedback "%a" Printer.pp_term t;
    visitor#vterm t
  method vterm_node = visitor#vterm_node
  method vterm_lval tlv =
    Jessie_options.feedback "%a" Printer.pp_term_lval tlv;
    visitor#vterm_lval tlv
  method vterm_lhost = visitor#vterm_lhost
  method vterm_offset = visitor#vterm_offset
  method vlogic_info_decl = visitor#vlogic_info_decl
  method vlogic_info_use = visitor#vlogic_info_use
  method vlogic_var_decl lv =
    Jessie_options.feedback "%a" Printer.pp_logic_var lv;
    visitor#vlogic_var_decl lv
  method vlogic_var_use lv =
    Jessie_options.feedback "%a" Printer.pp_logic_var lv;
    visitor#vlogic_var_use lv
  method vquantifiers = visitor#vquantifiers
  method vpredicate = visitor#vpredicate
  method vpredicate_node p =
    Jessie_options.feedback "%a" Printer.pp_predicate_node p;
    visitor#vpredicate_node p
(*
  method vpredicate_info_decl = visitor#vpredicate_info_decl
  method vpredicate_info_use = visitor#vpredicate_info_use
*)
  method vbehavior = visitor#vbehavior
  method vspec funspec =
    Jessie_options.feedback "%a" Printer.pp_funspec funspec;
    visitor#vspec funspec
  method vassigns = visitor#vassigns
  method vloop_pragma = visitor#vloop_pragma
  method vslice_pragma = visitor#vslice_pragma
  method vdeps = visitor#vdeps
  method vcode_annot annot =
    Jessie_options.feedback "%a" Printer.pp_code_annotation annot;
    visitor#vcode_annot annot
  method vannotation annot =
    Jessie_options.feedback "%a" !Ast_printer.d_annotation annot;
    visitor#vannotation annot

end

 let visit_and_trace_framac visit visitor file =
  let visitor = new trace_frama_c_visitor visitor in
  visit visitor file

let visit_and_trace_cil visit visitor file =
  let visitor = new trace_frama_c_visitor visitor in
  visit (visitor :> cilVisitor) file
*)
(* Visitor for fixpoint computation *)

let change = ref false

let signal_change () = change := true

let visit_until_convergence visitor file =
  change := true;
  while !change do
    change := false;
    visitFramacFile visitor file;
  done

(* Force conversion from terms to expressions by returning, along with
 * the result, a map of the sub-terms that could not be converted as
 * a map from fresh variables to terms or term left-values. *)

let rec logic_type_to_typ = function
  | Ctype typ -> typ
  | Linteger -> TInt(ILongLong,[]) (*TODO: to have an unlimited integer type
                                    in the logic interpretation*)
  | Lreal -> TFloat(FLongDouble,[]) (* TODO: handle reals, not floats... *)
  | Ltype({lt_name = name},[]) when name = Utf8_logic.boolean  ->
      TInt(ILongLong,[])
  | Ltype({lt_name = "set"},[t]) -> logic_type_to_typ t
  | Ltype _ | Lvar _ | Larrow _ -> invalid_arg "logic_type_to_typ"


type opaque_term_env = {
  term_lhosts: term_lhost Cil_datatype.Varinfo.Map.t;
  terms: term Cil_datatype.Varinfo.Map.t;
  vars: logic_var Cil_datatype.Varinfo.Map.t;
}
type opaque_exp_env = { exps: exp Cil_datatype.Varinfo.Map.t }

let empty_term_env =
  { term_lhosts = Varinfo.Map.empty;
    terms = Varinfo.Map.empty;
    vars = Varinfo.Map.empty }

let merge_term_env env1 env2 =
  { term_lhosts = Varinfo.Map.fold Varinfo.Map.add env1.term_lhosts
	env2.term_lhosts;
    terms = Varinfo.Map.fold Varinfo.Map.add env1.terms env2.terms;
    vars = Varinfo.Map.fold Varinfo.Map.add env1.vars env2.vars }

let makePseudoVar =
  let counter = ref 0 in
  function ty ->
    incr counter;
    let name = "@" ^ (string_of_int !counter) in
    makeVarinfo ~source:true (* global= *)false (* formal= *)false name ty

let add_opaque_term t env =
  (* Precise the type when possible *)
  let ty = match t.term_type with Ctype ty -> ty | _ -> voidType in
  let v = makePseudoVar ty in
  let env = { env with terms = Varinfo.Map.add v t env.terms; } in
  Lval(Var v,NoOffset), env

let add_opaque_var v env =
  let ty = match v.lv_type with Ctype ty -> ty | _ -> assert false in
  let pv = makePseudoVar ty in
  let env = { env with vars = Varinfo.Map.add pv v env.vars; } in
  Var pv, env

let add_opaque_term_lhost lhost env =
  let v = makePseudoVar voidType in
  let env =
    { env with term_lhosts = Varinfo.Map.add v lhost env.term_lhosts; }
  in
  Var v, env

let add_opaque_result ty env =
  let pv = makePseudoVar ty in
  let env =
    { env with term_lhosts =
	Varinfo.Map.add pv (TResult ty) env.term_lhosts; }
  in
  Var pv, env

let rec force_term_to_exp t =
  let loc = t.term_loc in
  let e,env = match t.term_node with
    | TLval tlv ->
        (match Logic_utils.unroll_type t.term_type with
           | Ctype (TArray _) -> add_opaque_term t empty_term_env
           | _ -> let lv,env = force_term_lval_to_lval tlv in Lval lv, env)
    | TAddrOf tlv ->
        let lv,env = force_term_lval_to_lval tlv in AddrOf lv, env
    | TStartOf tlv ->
        let lv,env = force_term_lval_to_lval tlv in StartOf lv, env
    | TSizeOfE t' ->
        let e,env = force_term_to_exp t' in SizeOfE e, env
    | TAlignOfE t' ->
        let e,env = force_term_to_exp t' in AlignOfE e, env
    | TUnOp(unop,t') ->
        let e,env = force_term_to_exp t' in
        UnOp(unop,e,logic_type_to_typ t.term_type), env
    | TBinOp(binop,t1,t2) ->
        let e1,env1 = force_term_to_exp t1 in
        let e2,env2 = force_term_to_exp t2 in
        let env = merge_term_env env1 env2 in
        BinOp(binop,e1,e2,logic_type_to_typ t.term_type), env
    | TSizeOfStr string -> SizeOfStr string, empty_term_env
(*    | TConst constant -> Const constant, empty_term_env*)
    | TLogic_coerce(Linteger,t) ->
        let e, env = force_term_to_exp t in
        CastE(TInt(IInt,[Attr ("integer",[])]),e), env
    | TLogic_coerce(Lreal,t) ->
        let e, env = force_term_to_exp t in
        CastE(TFloat(FFloat,[Attr("real",[])]),e), env
    | TCastE(ty,t') ->
        let e,env = force_term_to_exp t' in CastE(ty,e), env
    | TAlignOf ty -> AlignOf ty, empty_term_env
    | TSizeOf ty -> SizeOf ty, empty_term_env
    | Tapp _ | TDataCons _ | Tif _ | Tat _ | Tbase_addr _ | Toffset _
    | Tblock_length _ | Tnull | TCoerce _ | TCoerceE _ | TUpdate _
    | Tlambda _ | Ttypeof _ | Ttype _ | Tcomprehension _
    | Tunion _ | Tinter _ | Tempty_set | Trange _ | Tlet _
    | TConst _ | TLogic_coerce _
        ->
        add_opaque_term t empty_term_env
  in
  new_exp ~loc (Info(new_exp ~loc e,exp_info_of_term t)), env

and force_term_lval_to_lval (lhost,toff) =
  let lhost,env1 = force_term_lhost_to_lhost lhost in
  let off,env2 = force_term_offset_to_offset toff in
  let env = merge_term_env env1 env2 in
  (lhost,off), env

and force_term_lhost_to_lhost lhost = match lhost with
  | TVar v ->
      begin match v.lv_origin with
        | Some v -> Var v, empty_term_env
        | None ->
            begin match v.lv_type with
              | Ctype _ty -> add_opaque_var v empty_term_env
              | _ -> add_opaque_term_lhost lhost empty_term_env
            end
      end
  | TMem t ->
      let e,env = force_term_to_exp t in
      Mem e, env
  | TResult ty -> add_opaque_result ty empty_term_env

and force_term_offset_to_offset = function
  | TNoOffset -> NoOffset, empty_term_env
  | TField(fi,toff) ->
      let off,env = force_term_offset_to_offset toff in
      Field(fi,off), env
  | TModel _ ->
      (*
        Kernel.fatal
        "Logic_interp.force_term_offset_to_offset \
        does not support model fields"
      *)
      raise Exit
  | TIndex(t,toff) ->
      let e,env1 = force_term_to_exp t in
      let off,env2 = force_term_offset_to_offset toff in
      let env = merge_term_env env1 env2 in
      Index(e,off), env

(* Force back conversion from expression to term, using the environment
 * constructed during the conversion from term to expression. It expects
 * the top-level expression to be wrapped into an Info, as well as every
 * top-level expression that appears under a left-value. *)

let rec force_back_exp_to_term env e =
  let rec internal_force_back env e =
    let einfo = match e.enode with
      | Info(_e,einfo) -> einfo
      | _ -> { exp_type = Ctype(typeOf e); exp_name = []; }
    in
    let tnode = match (stripInfo e).enode with
      | Info _ -> assert false
      | Const c -> TConst (Logic_utils.constant_to_lconstant c)
      | Lval(Var v,NoOffset as lv) ->
        begin try (Varinfo.Map.find v env.terms).term_node
          with Not_found ->
            TLval(force_back_lval_to_term_lval env lv)
        end
      | Lval lv -> TLval(force_back_lval_to_term_lval env lv)
      | SizeOf ty -> TSizeOf ty
      | SizeOfE e -> TSizeOfE(internal_force_back env e)
      | SizeOfStr s -> TSizeOfStr s
      | AlignOf ty -> TAlignOf ty
      | AlignOfE e -> TAlignOfE(internal_force_back env e)
      | UnOp(op,e,_) -> TUnOp(op,internal_force_back env e)
      | BinOp(op,e1,e2,_) ->
          TBinOp(op,
                 internal_force_back env e1, internal_force_back env e2)
      | CastE(TInt(IInt,[Attr("integer",[])]),e) ->
          TLogic_coerce(Linteger, internal_force_back env e)
      | CastE(TFloat(FFloat,[Attr("real",[])]),e) ->
          TLogic_coerce(Lreal, internal_force_back env e)
      | CastE(ty,e) -> TCastE(ty,internal_force_back env e)
      | AddrOf lv -> TAddrOf(force_back_lval_to_term_lval env lv)
      | StartOf lv -> TStartOf(force_back_lval_to_term_lval env lv)
    in
    term_of_exp_info e.eloc tnode einfo
  in
  internal_force_back env e

and force_back_offset_to_term_offset env = function
  | NoOffset -> TNoOffset
  | Field(fi,off) ->
    TField(fi,force_back_offset_to_term_offset env off)
  | Index(idx,off) ->
    TIndex(
      force_back_exp_to_term env idx,
      force_back_offset_to_term_offset env off)

and force_back_lhost_to_term_lhost env = function
  | Var v ->
    begin try
            let logv = Varinfo.Map.find v env.vars in
            logv.lv_type <- Ctype v.vtype;
            TVar logv
      with Not_found ->
        try Varinfo.Map.find v env.term_lhosts
        with Not_found -> TVar(cvar_to_lvar v)
    end
  | Mem e -> TMem(force_back_exp_to_term env e)

and force_back_lval_to_term_lval env (host,off) =
  force_back_lhost_to_term_lhost env host,
  force_back_offset_to_term_offset env off

(* Force conversion from expr to term *)

let rec force_exp_to_term e =
  let tnode = match (stripInfo e).enode with
    | Info _ -> assert false
    | Const c -> TConst (Logic_utils.constant_to_lconstant c)
    | Lval lv -> TLval(force_lval_to_term_lval lv)
    | SizeOf ty -> TSizeOf ty
    | SizeOfE e -> TSizeOfE(force_exp_to_term e)
    | SizeOfStr s -> TSizeOfStr s
    | AlignOf ty -> TAlignOf ty
    | AlignOfE e -> TAlignOfE(force_exp_to_term e)
    | UnOp(op,e,_) -> TUnOp(op,force_exp_to_term e)
    | BinOp(op,e1,e2,_) ->
        TBinOp(op, force_exp_to_term e1, force_exp_to_term e2)
    | CastE(ty,e) -> TCastE(ty,force_exp_to_term e)
    | AddrOf lv -> TAddrOf(force_lval_to_term_lval lv)
    | StartOf lv -> TStartOf(force_lval_to_term_lval lv)
  in
  {
    term_node = tnode;
    term_loc = e.eloc;
    term_type = Ctype(typeOf e);
    term_name = [];
  }

and force_offset_to_term_offset = function
  | NoOffset -> TNoOffset
  | Field(fi,off) ->
      TField(fi,force_offset_to_term_offset off)
  | Index(idx,off) ->
      TIndex(
        force_exp_to_term idx,
        force_offset_to_term_offset off)

and force_lhost_to_term_lhost = function
  | Var v -> TVar(cvar_to_lvar v)
  | Mem e -> TMem(force_exp_to_term e)

and force_lval_to_term_lval (host,off) =
  force_lhost_to_term_lhost host,
  force_offset_to_term_offset off

(* Force conversion from expr to predicate *)

let rec force_exp_to_predicate e =
  let pnode = match (stripInfo e).enode with
    | Info _ -> assert false
    | Const c ->
        begin match possible_value_of_integral_const c with
          | Some i -> if Integer.equal i Integer.zero then Pfalse else Ptrue
          | None -> assert false
        end
    | UnOp(LNot,e',_) -> Pnot(force_exp_to_predicate e')
    | BinOp(LAnd,e1,e2,_) ->
        Pand(force_exp_to_predicate e1,force_exp_to_predicate e2)
    | BinOp(LOr,e1,e2,_) ->
        Por(force_exp_to_predicate e1,force_exp_to_predicate e2)
    | BinOp(op,e1,e2,_) ->
        let rel = match op with
          | Lt -> Rlt
          | Gt -> Rgt
          | Le -> Rle
          | Ge -> Rge
          | Eq -> Req
          | Ne -> Rneq
          | _ -> assert false
        in
        Prel(rel,force_exp_to_term e1,force_exp_to_term e2)
    | Lval _ | CastE _ | AddrOf _ | StartOf _ | UnOp _
    | SizeOf _ | SizeOfE _ | SizeOfStr _ | AlignOf _ | AlignOfE _ ->
        assert false
  in
  { pred_name = []; pred_loc = e.eloc; pred_content = pnode; }

let force_exp_to_assertion e =
  Logic_const.new_code_annotation (AAssert([], force_exp_to_predicate e))


(* Visitor methods for sharing preaction/postaction between exp/term/tsets *)

let do_on_term_offset (preaction_offset,postaction_offset) tlv =
  let preaction_toffset tlv =
    match preaction_offset with None -> tlv | Some preaction_offset ->
      try
        let lv,env = force_term_offset_to_offset tlv in
        let lv = preaction_offset lv in
        force_back_offset_to_term_offset env lv
      with Exit -> tlv
  in
  let postaction_toffset tlv =
    match postaction_offset with None -> tlv | Some postaction_offset ->
      try
        let lv,env = force_term_offset_to_offset tlv in
        let lv = postaction_offset lv in
        force_back_offset_to_term_offset env lv
      with Exit -> tlv
  in
  ChangeDoChildrenPost (preaction_toffset tlv, postaction_toffset)

let do_on_term_lval (preaction_lval,postaction_lval) tlv =
  let preaction_tlval tlv =
    match preaction_lval with None -> tlv | Some preaction_lval ->
      try
        let lv,env = force_term_lval_to_lval tlv in
        let lv = preaction_lval lv in
        force_back_lval_to_term_lval env lv
      with Exit -> tlv
  in
  let postaction_tlval tlv =
    match postaction_lval with None -> tlv | Some postaction_lval ->
      try
        let lv,env = force_term_lval_to_lval tlv in
        let lv = postaction_lval lv in
        force_back_lval_to_term_lval env lv
      with Exit -> tlv
  in
  ChangeDoChildrenPost (preaction_tlval tlv, postaction_tlval)

let do_on_term (preaction_expr,postaction_expr) t =
  let preaction_term t =
    match preaction_expr with None -> t | Some preaction_expr ->
      try
        let e,env = force_term_to_exp t in
        let e = map_under_info preaction_expr e in
        force_back_exp_to_term env e
      with Exit -> t
  in
  let postaction_term t =
    match postaction_expr with None -> t | Some postaction_expr ->
      try
        let e,env = force_term_to_exp t in
        let e = map_under_info postaction_expr e in
        force_back_exp_to_term env e
      with Exit -> t
  in
  ChangeDoChildrenPost (preaction_term t, postaction_term)

(*****************************************************************************)
(* Debugging                                                                 *)
(*****************************************************************************)

let checking = true

let print_to_stdout file =
  Log.print_on_output (Extlib.swap Printer.pp_file file)

class checkTypes =
  let preaction_expr e = ignore (typeOf e); e in
object

  inherit Visitor.frama_c_inplace

  method! vexpr e =
    ChangeDoChildrenPost (preaction_expr e, fun x -> x)

(* I comment on purpose additional verifications, because they cause some tests
   to fail, see e.g. [copy_struct], because term-lhost TResult does not have
   a type for a proper conversion to expression. *)

(*   method vterm = *)
(*     do_on_term (Some preaction_expr,None) *)

end

let check_types file =
  (* check types *)
  let visitor = new checkTypes in
  visitFramacFile visitor file;
  Jessie_options.debug ~level:2 "%a@." Printer.pp_file file
  (* check general consistency *)
(*   Cil.visitCilFile (new File.check_file :> Cil.cilVisitor) file *)

(* VP: unused function *)
(*
class check_file: Visitor.frama_c_visitor  =
object(self)

  inherit Visitor.generic_frama_c_visitor
    (Project.current ()) (Cil.inplace_visit ()) as super

  val known_fields = Cil_datatype.Fieldinfo.Hashtbl.create 7

  method vterm t =
    match t.term_node with
      | TLval _ ->
	  begin match t.term_type with
	    | Ctype ty when isVoidType ty ->
		Jessie_options.fatal
                  ~current:true "Term %a has void type" Printer.pp_term t
	    | _ -> DoChildren
	  end
      | _ -> DoChildren

  method voffs = function
      NoOffset -> SkipChildren
    | Index _ -> DoChildren
    | Field(fi,_) ->
        begin
          try
            if not (fi == Cil_datatype.Fieldinfo.Hashtbl.find known_fields fi)
            then
	      Jessie_options.warning ~current:true
		"Field %s of type %s is not shared between declaration and use"
                fi.fname fi.fcomp.cname
          with Not_found ->
	    Jessie_options.warning ~current:true
	      "Field %s of type %s is unbound in the AST"
              fi.fname fi.fcomp.cname
        end;
        DoChildren

  method vterm_offset = function
    | TNoOffset -> SkipChildren
    | TIndex _ -> DoChildren
    | TModel _ -> DoChildren
    | TField(fi,_) ->
        begin
          try
            if not (fi == Cil_datatype.Fieldinfo.Hashtbl.find known_fields fi)
            then
              Jessie_options.warning ~current:true
		"Field %s of type %s is not shared between declaration and use"
                fi.fname fi.fcomp.cname
	  with Not_found ->
	    Jessie_options.warning ~current:true
	      "Field %s of type %s is unbound in the AST"
               fi.fname fi.fcomp.cname
        end;
        DoChildren

  method vinitoffs = self#voffs

  method vglob_aux = function
      GCompTag(c,_) ->
        List.iter
          (fun x -> Cil_datatype.Fieldinfo.Hashtbl.add known_fields x x) c.cfields;
        DoChildren
    | _ -> DoChildren

end
*)

(*****************************************************************************)
(* Miscellaneous                                                             *)
(*****************************************************************************)

(* Queries *)

let is_base_addr t = match (stripTermCasts t).term_node with
  | Tbase_addr _ -> true
  | _ -> false

(* Smart constructors *)

(* Redefine statement constructor of CIL to create them with valid sid *)
let mkStmt = mkStmt ~valid_sid:true

let mkterm tnode ty loc =
  {
    term_node = tnode;
    term_loc = loc;
    term_type = ty;
    term_name = []
  }

let term_of_var v =
  let lv = cvar_to_lvar v in
  if app_term_type isArrayType false lv.lv_type then
    let ptrty =
      TPtr(force_app_term_type element_type lv.lv_type,[])
    in
    mkterm (TStartOf(TVar lv,TNoOffset)) (Ctype ptrty) v.vdecl
  else
    mkterm (TLval(TVar lv,TNoOffset)) lv.lv_type v.vdecl

let mkInfo e =
  match e.enode with
      Info _ -> e
    | _ ->
        let einfo = { exp_type = Ctype voidType; exp_name = [] } in
        (* In many cases, the correct type may not be available, as
         * the expression may result from a conversion from a term or a tset.
         * Calling [typeOf] on such an expression may raise an error.
         * Therefore, put here a dummy type until tsets correctly typed.
         *)
        new_exp ~loc:e.eloc (Info(e,einfo))

(* Manipulation of offsets *)
(* VP: unused function *)
(*
let rec offset_list = function
  | NoOffset -> []
  | Field (fi,off) -> (Field (fi, NoOffset)) :: offset_list off
  | Index (e,off) -> (Index (e, NoOffset)) :: offset_list off
*)
let is_last_offset = function
  | NoOffset -> true
  | Field (_fi,NoOffset) -> true
  | Field (_fi,_) -> false
  | Index (_e,NoOffset) -> true
  | Index (_e,_) -> false

(* Transform an index on a multi-dimensional array into an index on the
 * same array that would be flattened to a single dimensional array.
 *)
let rec lift_offset ty = function
  | Index(idx1,(Index(idx2, _off) as suboff)) ->
      let subty = direct_element_type ty in
      let siz = array_size subty in
      begin match lift_offset subty suboff with
	| Index(idx, off) ->
	    let mulidx =
              new_exp ~loc:idx2.eloc
                (BinOp(Mult,idx1,constant_expr siz,intType)) in
	    (* Keep info at top-level for visitors on terms that where
	     * translated to expressions. Those expect these info when
	     * translating back to term.
	     *)
	    let addidx =
	      map_under_info
                (fun e ->
                   new_exp ~loc:e.eloc (BinOp(PlusA,mulidx,idx,intType))) idx1
	    in
	    Index(addidx,off)
	| _ -> assert false
      end
  | Index(idx1,NoOffset) as off ->
      let subty = direct_element_type ty in
      if isArrayType subty then
	let siz = array_size subty in
	(* Keep info at top-level *)
	let mulidx =
	  map_under_info
	    (fun e ->
               new_exp ~loc:e.eloc
                 (BinOp(Mult,idx1,constant_expr siz,intType)))
            idx1
	in
	Index(mulidx,NoOffset)
      else off
  | off -> off

(* VP: unused function *)
(* let change_idx idx1 idx siz =
  let boff =
    Logic_utils.mk_dummy_term (TBinOp(Mult,idx1,constant_term Cil_datatype.Location.unknown siz))
      intType
  in
  Logic_utils.mk_dummy_term (TBinOp(PlusA,boff,idx)) intType

 let rec lift_toffset ty off =
  match off with
      TIndex(idx1,(TIndex _ as suboff)) ->
        let subty = direct_element_type ty in
        let siz = array_size subty in
        begin match lift_toffset subty suboff with
            | TIndex(idx,off) -> TIndex(change_idx idx1 idx siz,off)
            | TModel _ | TField _ | TNoOffset -> assert false
        end
    | TIndex(idx1,TNoOffset) ->
        let subty = direct_element_type ty in
        if isArrayType subty then
          let siz = array_size subty in
          TIndex(change_idx
                   idx1
                   (constant_term Cil_datatype.Location.unknown Integer.zero)
                   siz,
                 TNoOffset)
        else off
    | TIndex _ | TField _ | TModel _ | TNoOffset -> off
*)
(* Allocation/deallocation *)

let malloc_function () =
  try
    Kernel_function.get_vi (Globals.Functions.find_by_name "malloc")
  with Not_found ->
    let params = Some ["size",uintType,[]] in
    let f =
      findOrCreateFunc
	(Ast.get ()) "malloc" (TFun(voidPtrType,params,false,[]))
    in
    let prm =
      try
        List.hd (Cil.getFormalsDecl f)
      with Not_found | Invalid_argument _ ->
        fatal "unexpected prototype for malloc"
    in
    let range =
      Logic_const.trange
        (Some (Cil.lzero ()),
         Some (Logic_const.tvar (Cil.cvar_to_lvar prm)))
    in
    let typ = Ctype Cil.charPtrType in
    let base =
      Logic_const.term
        (TCastE(Cil.charPtrType,Logic_const.tresult Cil.charPtrType)) typ
    in
    let alloc =
      Logic_const.new_identified_term
        (Logic_const.term (TBinOp(PlusPI,base,range)) typ)
    in
    let behav = {
      b_name = Cil.default_behavior_name;
      b_assumes = [];
      b_requires = [];
      b_extended = [];
      b_assigns = Writes [];
      b_allocation = FreeAlloc([],[alloc]);
      b_post_cond = [];
    } in
    let spec = { (empty_funspec ()) with spec_behavior = [behav]; } in
    Globals.Functions.replace_by_declaration
      spec f Cil_datatype.Location.unknown;
    let kf = Globals.Functions.get f in
    Annotations.register_funspec ~emitter:jessie_emitter kf;
    f

let free_function () =
  try
    Kernel_function.get_vi (Globals.Functions.find_by_name "free")
  with Not_found ->
    let params = Some ["ptr",voidPtrType,[]] in
    let f =
      findOrCreateFunc
	(Ast.get ()) "free" (TFun(voidType,params,false,[]))
    in
    let prm =
      try
        List.hd (Cil.getFormalsDecl f)
      with Not_found | Invalid_argument _ ->
        fatal "unexpected prototype for free"
    in
    let frees =
      Logic_const.new_identified_term
        (Logic_const.tvar (Cil.cvar_to_lvar prm))
    in
    let behav = {
      b_name = Cil.default_behavior_name;
      b_assumes = [];
      b_post_cond = [];
      b_requires = [];
      b_extended = [];
      b_allocation = FreeAlloc([frees],[]);
      b_assigns = Writes [];
    }
    in
    let spec = { (empty_funspec ()) with spec_behavior = [behav]; } in
    Globals.Functions.replace_by_declaration
      spec f Cil_datatype.Location.unknown;
    let kf = Globals.Functions.get f in
    Annotations.register_funspec ~emitter:jessie_emitter kf;
    f

let mkalloc v ty loc =
  let callee = new_exp ~loc (Lval(Var(malloc_function ()),NoOffset)) in
  let arg = sizeOf ~loc ty in
  Call(Some(Var v,NoOffset),callee,[arg],loc)

let mkalloc_statement v ty loc = mkStmt (Instr(mkalloc v ty loc))

let mkalloc_array v ty num loc =
  let callee = new_exp ~loc (Lval(Var(malloc_function ()),NoOffset)) in
  let arg = constant_expr
    (Integer.of_int64 (Int64.mul num (Int64.of_int (bytesSizeOf ty))))
  in
  Call(Some(Var v,NoOffset),callee,[arg],loc)

let mkalloc_array_statement v ty num loc =
  mkStmt (Instr(mkalloc_array v ty num loc))

let mkfree v loc =
  let callee = new_exp ~loc (Lval(Var(free_function ()),NoOffset)) in
  let arg = new_exp ~loc (Lval(Var v,NoOffset)) in
  Call(None,callee,[arg],loc)

let mkfree_statement v loc = mkStmt (Instr(mkfree v loc))

let predicate loc p =
  {
    pred_name = [];
    pred_loc = loc;
    pred_content = p;
  }

(*
Local Variables:
compile-command: "LC_ALL=C make -C .. -j byte"
End:
*)
why-2.39/frama-c-plugin/share/0000755000106100004300000000000013147234006015135 5ustar  marchevalswhy-2.39/frama-c-plugin/share/jessie/0000755000106100004300000000000013147234006016417 5ustar  marchevalswhy-2.39/frama-c-plugin/share/jessie/strings.h0000644000106100004300000000414313147234006020263 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  This file is part of Frama-C.                                         */
/*                                                                        */
/*  Copyright (C) 2007-2009                                               */
/*    INRIA (Institut National de Recherche en Informatique et en         */
/*           Automatique)                                                 */
/*                                                                        */
/*  you can redistribute it and/or modify it under the terms of the GNU   */
/*  Lesser General Public License as published by the Free Software       */
/*  Foundation, version 2.1.                                              */
/*                                                                        */
/*  It is distributed in the hope that it will be useful,                 */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         */
/*  GNU Lesser General Public License for more details.                   */
/*                                                                        */
/*  See the GNU Lesser General Public License version 2.1                 */
/*  for more details (enclosed in the file licenses/LGPLv2.1).            */
/*                                                                        */
/**************************************************************************/

/* $Id: strings.h,v 1.1 2009-09-08 11:11:43 monate Exp $ */

#ifndef _STRINGS_H_
#define _STRINGS_H_

/*@ requires valid_string(s1) && valid_string(s2);
  @ assigns \nothing;
  @ ensures \true;
  @*/
extern int strcasecmp(const char *s1, const char *s2);

/*@ requires \valid(((char*)dest)+(0..n - 1))
  @          && \valid(((char*)src)+(0..n - 1));
  @ assigns ((char*)dest)[0..n - 1];
  @ ensures memcmp((char*)dest,(char*)src,n) == 0;
  @*/
extern void bcopy(const void *src, void *dest, size_t n);

#endif /* _STRINGS_H_ */
why-2.39/frama-c-plugin/share/jessie/stdlib.h0000644000106100004300000000740713147234006020061 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  This file is part of Frama-C.                                         */
/*                                                                        */
/*  Copyright (C) 2007-2009                                               */
/*    INRIA (Institut National de Recherche en Informatique et en         */
/*           Automatique)                                                 */
/*                                                                        */
/*  you can redistribute it and/or modify it under the terms of the GNU   */
/*  Lesser General Public License as published by the Free Software       */
/*  Foundation, version 2.1.                                              */
/*                                                                        */
/*  It is distributed in the hope that it will be useful,                 */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         */
/*  GNU Lesser General Public License for more details.                   */
/*                                                                        */
/*  See the GNU Lesser General Public License version 2.1                 */
/*  for more details (enclosed in the file licenses/LGPLv2.1).            */
/*                                                                        */
/**************************************************************************/

/* $Id: stdlib.h,v 1.1 2009-09-08 11:11:43 monate Exp $ */

#ifndef _STDLIB_H_
#define _STDLIB_H_

#include 
#include 
#include 

// Conversion functions

/*@ requires valid_string(nptr);
  @ assigns \nothing;
  @*/
extern double atof(const char *nptr);

/*@ requires valid_string(nptr);
  @ assigns \nothing;
  @*/
extern int atoi(const char *nptr);

/*@ requires valid_string(nptr);
  @ assigns \nothing;
  @*/
extern long int atol(const char *nptr);

/*@ requires valid_string(nptr);
  @ assigns \nothing;
  @*/
extern long long int atoll(const char *nptr);

// Random numbers

extern int rand(void);

extern void srand(unsigned int seed);

// Memory management

/*@ assigns \nothing;
  @ ensures \valid(((char*)\result)+(0..size - 1));
  @*/
extern void *malloc (size_t size);

/*@ assigns \nothing;
  @ ensures \valid(((char*)\result)+(0..size * nmemb - 1));
  @*/
extern void *calloc (size_t nmemb, size_t size);

/*@ requires \valid((char*)ptr) || ptr == NULL;
  @ assigns \nothing;
  @ ensures \valid(((char*)\result)+(0..size - 1));
  @*/
extern void *realloc (void *ptr, size_t size);

// [free] treated specially

// Program termination

/*@ assigns \nothing;
  @ ensures \false;
  @*/
extern void abort(void);

extern int atexit(void (*func)(void));

/*@ assigns \nothing;
  @ ensures \false;
  @*/
extern void exit(int status);

// Multi-byte conversion functions

/*@ requires valid_string(mbstr) && \valid(wcstr+(0..n - 1));
  @ assigns wcstr[0..n - 1];
  @ ensures valid_wstring(wcstr) && wcslen(wcstr) < n;
  @*/
extern size_t mbstowcs (wchar_t *wcstr, const char *mbstr, size_t n);

/*@ requires valid_wstring(wcstr) && \valid(mbstr+(0..n - 1));
  @ assigns mbstr[0..n - 1];
  @ ensures valid_string(mbstr) && strlen(mbstr) < n;
  @*/
extern size_t wcstombs (char *mbstr, const wchar_t *wcstr, size_t n);

/*@ //requires \valid(s+(0..sizeof(wchar_t)-1)) || s == NULL;
  @ // Commented out due to bug that keeps sizeof
  @ requires \valid(s) || s == NULL;
  @ assigns s[..];
  @ behavior zero:
  @   assumes s == NULL;
  @   assigns \nothing;
  @ behavior non_null:
  @   assumes s != NULL;
  @   assigns s[..];
  @*/
extern int wctomb(char *s, wchar_t wc);

#endif /* _STDLIB_H_ */
why-2.39/frama-c-plugin/share/jessie/string.h0000644000106100004300000002021413147234006020075 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  This file is part of Frama-C.                                         */
/*                                                                        */
/*  Copyright (C) 2007-2009                                               */
/*    INRIA (Institut National de Recherche en Informatique et en         */
/*           Automatique)                                                 */
/*                                                                        */
/*  you can redistribute it and/or modify it under the terms of the GNU   */
/*  Lesser General Public License as published by the Free Software       */
/*  Foundation, version 2.1.                                              */
/*                                                                        */
/*  It is distributed in the hope that it will be useful,                 */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         */
/*  GNU Lesser General Public License for more details.                   */
/*                                                                        */
/*  See the GNU Lesser General Public License version 2.1                 */
/*  for more details (enclosed in the file licenses/LGPLv2.1).            */
/*                                                                        */
/**************************************************************************/

/* $Id: string.h,v 1.1 2009-09-08 11:11:43 monate Exp $ */

#ifndef _STRING_H_
#define _STRING_H_

#include 
#include 
#include 

// Query memory

/*@ requires \valid(((char*)s1)+(0..n - 1)) 
  @          && \valid(((char*)s2)+(0..n - 1));
  @ assigns \nothing;
  @ ensures \result == memcmp((char*)s1,(char*)s2,n);
  @*/
extern int memcmp (const void *s1, const void *s2, size_t n);

/*@ requires \valid(((char*)s)+(0..n - 1));
  @ assigns \nothing;
  @ ensures \result == s;
  @ ensures \base_addr((char*)\result) == \base_addr((char*)s);
  @ behavior found:
  @   assumes memchr((char*)s,c,n);
  @   ensures *(char*)\result == c;
  @ behavior not_found:
  @   assumes ! memchr((char*)s,c,n);
  @   ensures \result == NULL;
  @*/
extern void *memchr(const void *s, int c, size_t n);

// Copy memory

/*@ requires \valid(((char*)dest)+(0..n - 1))
  @          && \valid(((char*)src)+(0..n - 1));
  @ assigns ((char*)dest)[0..n - 1];
  @ ensures memcmp((char*)dest,(char*)src,n) == 0 && \result == dest;
  @ ensures \base_addr((char*)\result) == \base_addr((char*)dest);
  @*/
extern void *memcpy(void *restrict dest,
		    const void *restrict src, size_t n);

/*@ requires \valid(((char*)dest)+(0..n - 1)) 
  @          && \valid(((char*)src)+(0..n - 1));
  @ assigns ((char*)dest)[0..n - 1];
  @ ensures memcmp((char*)dest,(char*)src,n) == 0 && \result == dest;
  @ ensures \base_addr((char*)\result) == \base_addr((char*)dest);
  @*/
extern void *memmove(void *dest, const void *src, size_t n);

// Set memory

/*@ requires \valid(((char*)s)+(0..n - 1));
  @ assigns ((char*)s)[0..n - 1];
  @ ensures memset((char*)s,c,n) && \result == s;
  @ ensures \base_addr((char*)\result) == \base_addr((char*)s);
  @*/
extern void *memset(void *s, int c, size_t n);

// Query strings

/*@ requires valid_string(s);
  @ assigns \nothing;
  @ ensures \result == strlen(s);
  @*/
extern size_t strlen (const char *s);

/*@ requires valid_string(s1) && valid_string(s2);
  @ assigns \nothing;
  @ ensures \result == strcmp(s1,s2);
  @*/
extern int strcmp (const char *s1, const char *s2);

/*@ requires valid_string(s1) && valid_string(s2);
  @ assigns \nothing;
  @ ensures \result == strncmp(s1,s2,n);
  @*/
extern int strncmp (const char *s1, const char *s2, size_t n);

/*@ requires valid_string(s1) && valid_string(s2);
  @ assigns \nothing;
  @*/
extern int strcoll (const char *s1, const char *s2);

/*@ requires valid_string(s);
  @ assigns \nothing;
  @ behavior found:
  @   assumes strchr(s,c);
  @   ensures *\result == c && \base_addr(\result) == \base_addr(s);
  @   ensures valid_string(\result);
  @ behavior not_found:
  @   assumes ! strchr(s,c);
  @   ensures \result == NULL;
  @*/
extern char *strchr(const char *s, int c);

/*@ requires valid_string(s);
  @ assigns \nothing;
  @ behavior found:
  @   assumes strchr(s,c);
  @   ensures *\result == c && \base_addr(\result) == \base_addr(s);
  @   ensures valid_string(\result);
  @ behavior not_found:
  @   assumes ! strchr(s,c);
  @   ensures \result == NULL;
  @*/
extern char *strrchr(const char *s, int c);

/*@ requires valid_string(s) && valid_string(reject);
  @ assigns \nothing;
  @ ensures 0 <= \result <= strlen(s);
  @*/
extern size_t strcspn(const char *s, const char *reject);

/*@ requires valid_string(s) && valid_string(accept);
  @ assigns \nothing;
  @ ensures 0 <= \result <= strlen(s);
  @*/
extern size_t strspn(const char *s, const char *accept);

/*@ requires valid_string(s) && valid_string(accept);
  @ assigns \nothing;
  @ ensures \result == 0 || \base_addr(\result) == \base_addr(s);
  @*/
extern char *strpbrk(const char *s, const char *accept);

/*@ requires valid_string(haystack) && valid_string(needle);
  @ assigns \nothing;
  @ ensures \result == 0 
  @      || (\base_addr(\result) == \base_addr(haystack)
  @          && memcmp(\result,needle,strlen(needle)) == 0);
  @*/
extern char *strstr(const char *haystack, const char *needle);

/*@ requires (valid_string(s) || s == NULL) && valid_string(delim);
  @ assigns \nothing;
  @*/
extern char *strtok(char *restrict s, const char *restrict delim);

/*@ assigns \nothing;
  @ ensures valid_string(\result);
  @*/
extern char *strerror(int errnum); 

// Copy strings

/*@ requires \valid(dest+(0..strlen(src))) && valid_string(src);
  @ assigns dest[0..strlen(src)];
  @ ensures strcmp(dest,src) == 0 && \result == dest;
  @ ensures \base_addr(\result) == \base_addr(dest);
  @*/
extern char *strcpy(char *restrict dest, const char *restrict src);

/*@ requires \valid(dest+(0..n - 1)) && valid_string(src);
  @ assigns dest[0..n - 1];
  @ ensures \result == dest;
  @ behavior complete:
  @   assumes strlen(src) < n;
  @   assigns dest[0..n - 1];
  @   ensures strcmp(dest,src) == 0;
  @   ensures \base_addr(\result) == \base_addr(dest);
  @ behavior partial:
  @   assumes n <= strlen(src);
  @   assigns dest[0..n - 1];
  @   ensures memcmp(dest,src,n) == 0;
  @*/
extern char *strncpy(char *restrict dest,
		     const char *restrict src, size_t n);

/*@ requires \valid(dest+(0..strlen(dest) + strlen(src))) 
  @          && valid_string(dest) && valid_string(src);
  @ assigns dest[0..strlen(dest) + strlen(src)];
  @ ensures strlen(dest) == \old(strlen(dest) + strlen(src))
  @         && \result == dest;
  @ ensures \base_addr(\result) == \base_addr(dest);
  @*/
extern char *strcat(char *restrict dest, const char *restrict src);

/*@ requires \valid(dest+(0..n - 1))
  @          && valid_string(dest) && valid_string(src);
  @ assigns dest[0..strlen(dest) + n - 1];
  @ ensures \result == dest;
  @ ensures \base_addr(\result) == \base_addr(dest);
  @ behavior complete:
  @   assumes strlen(src) <= n;
  @   assigns dest[0..strlen(dest) + strlen(src)];
  @   ensures strlen(dest) == \old(strlen(dest) + strlen(src));
  @ behavior partial:
  @   assumes n < strlen(src);
  @   assigns dest[0..strlen(dest) + n];
  @   ensures strlen(dest) == \old(strlen(dest)) + n;
  @*/
extern char *strncat(char *restrict dest, const char *restrict src, size_t n);

/*@ requires \valid(dest+(0..n - 1)) && valid_string(src);
  @ assigns dest[0..n - 1];
  @*/
extern size_t strxfrm (char *restrict dest,
		       const char *restrict src, size_t n);

// Allocate strings

/*@ requires valid_string(s);
  @ assigns \nothing;
  @ ensures \valid(\result+(0..strlen(s))) && strcmp(\result,s) == 0;
  @*/
extern char *strdup (const char *s);

/*@ requires valid_string(s);
  @ assigns \nothing;
  @ ensures \valid(\result+(0..minimum(strlen(s),n))) 
  @         && valid_string(\result) && strlen(\result) <= n
  @         && strncmp(\result,s,n) == 0;
  @*/
extern char *strndup (const char *s, size_t n);

#endif /* _STRING_H_ */
why-2.39/frama-c-plugin/share/jessie/assert.h0000644000106100004300000000334213147234006020073 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  This file is part of Frama-C.                                         */
/*                                                                        */
/*  Copyright (C) 2007-2009                                               */
/*    INRIA (Institut National de Recherche en Informatique et en         */
/*           Automatique)                                                 */
/*                                                                        */
/*  you can redistribute it and/or modify it under the terms of the GNU   */
/*  Lesser General Public License as published by the Free Software       */
/*  Foundation, version 2.1.                                              */
/*                                                                        */
/*  It is distributed in the hope that it will be useful,                 */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         */
/*  GNU Lesser General Public License for more details.                   */
/*                                                                        */
/*  See the GNU Lesser General Public License version 2.1                 */
/*  for more details (enclosed in the file licenses/LGPLv2.1).            */
/*                                                                        */
/**************************************************************************/

/* $Id: assert.h,v 1.1 2009-09-08 11:11:43 monate Exp $ */

#ifndef _ASSERT_H_
#define _ASSERT_H_

void assert(int i);

#endif /* _ASSERT_H_ */
why-2.39/frama-c-plugin/share/jessie/jessie_machine_prolog.h0000644000106100004300000002073613147234006023130 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  This file is part of Frama-C.                                         */
/*                                                                        */
/*  Copyright (C) 2007-2009                                               */
/*    INRIA (Institut National de Recherche en Informatique et en         */
/*           Automatique)                                                 */
/*                                                                        */
/*  you can redistribute it and/or modify it under the terms of the GNU   */
/*  Lesser General Public License as published by the Free Software       */
/*  Foundation, version 2.1.                                              */
/*                                                                        */
/*  It is distributed in the hope that it will be useful,                 */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         */
/*  GNU Lesser General Public License for more details.                   */
/*                                                                        */
/*  See the GNU Lesser General Public License version 2.1                 */
/*  for more details (enclosed in the file licenses/LGPLv2.1).            */
/*                                                                        */
/**************************************************************************/

/* $Id: jessie_machine_prolog.h,v 1.1 2009-09-08 11:11:43 monate Exp $ */

#ifndef _JESSIE_MACHINE_PROLOG_H_
#define _JESSIE_MACHINE_PROLOG_H_

#include "stddef.h"
#include "limits.h"

/*@ axiomatic MemCmp {
  @
  @ logic integer memcmp{L}(char *s1, char *s2, integer n)
  @   reads s1[0..n - 1], s2[0..n - 1];
  @
  @ axiom memcmp_range{L}:
  @   \forall char *s1, *s2; \forall integer n;
  @      INT_MIN <= memcmp(s1,s2,n) <= INT_MAX;
  @
  @ axiom memcmp_zero{L}:
  @   \forall char *s1, *s2; \forall integer n;
  @      memcmp(s1,s2,n) == 0
  @      <==> \forall integer i; 0 <= i < n ==> s1[i] == s2[i];
  @
  @ }
  @*/

/*@ axiomatic MemChr {
  @ logic boolean memchr{L}(char *s, integer c, integer n)
  @   reads s[0..n - 1];
  @ // Returns [true] iff array [s] contains character [c]
  @
  @ axiom memchr_def{L}:
  @   \forall char *s; \forall integer c; \forall integer n;
  @      memchr(s,c,n) <==> \exists int i; 0 <= i < n && s[i] == c;
  @ }
  @*/

/*@ axiomatic MemSet {
  @ logic boolean memset{L}(char *s, integer c, integer n)
  @    reads s[0..n - 1];
  @ // Returns [true] iff array [s] contains only character [c]
  @
  @ axiom memset_def{L}:
  @   \forall char *s; \forall integer c; \forall integer n;
  @      memset(s,c,n) <==> \forall integer i; 0 <= i < n ==> s[i] == c;
  @ }
  @*/

/*@ axiomatic StrLen {
  @ logic integer strlen{L}(char *s)
  @    reads s[0..];
  @
  @ axiom strlen_pos_or_null{L}:
  @   \forall char* s; \forall integer i;
  @      (0 <= i <= INT_MAX
  @       && (\forall integer j; 0 <= j < i ==> s[j] != '\0')
  @       && s[i] == 0) ==> strlen(s) == i;
  @
  @ axiom strlen_neg{L}:
  @   \forall char* s;
  @      (\forall integer i; 0 <= i <= INT_MAX ==> s[i] != '\0')
  @      ==> strlen(s) < 0;
  @
  @ axiom strlen_range{L}:
  @   \forall char* s; strlen(s) <= INT_MAX;
  @
  @ axiom strlen_before_null{L}:
  @   \forall char* s; \forall integer i; 0 <= i < strlen(s) ==> s[i] != '\0';
  @
  @ axiom strlen_at_null{L}:
  @   \forall char* s; 0 <= strlen(s) ==> s[strlen(s)] == '\0';
  @
  @ axiom strlen_not_zero{L}:
  @   \forall char* s; \forall integer i;
  @      0 <= i <= strlen(s) && s[i] != '\0' ==> i < strlen(s);
  @
  @ axiom strlen_zero{L}:
  @   \forall char* s; \forall integer i;
  @      0 <= i <= strlen(s) && s[i] == '\0' ==> i == strlen(s);
  @
  @ axiom strlen_sup{L}:
  @   \forall char* s; \forall integer i;
  @      0 <= i && s[i] == '\0' ==> 0 <= strlen(s) <= i;
  @
  @ axiom strlen_shift{L}:
  @   \forall char* s; \forall integer i;
  @      0 <= i <= strlen(s) ==> strlen(s + i) == strlen(s) - i;
  @
  @ axiom strlen_create{L}:
  @   \forall char* s; \forall integer i;
  @      0 <= i <= INT_MAX && s[i] == '\0' ==> 0 <= strlen(s) <= i;
  @
  @ axiom strlen_create_shift{L}:
  @   \forall char* s; \forall integer i; \forall integer k;
  @      0 <= k <= i <= INT_MAX && s[i] == '\0' ==> 0 <= strlen(s+k) <= i - k;
  @
  @ axiom memcmp_strlen_left{L}:
  @   \forall char *s1, *s2; \forall integer n;
  @      memcmp(s1,s2,n) == 0 && strlen(s1) < n ==> strlen(s1) == strlen(s2);
  @      
  @ axiom memcmp_strlen_right{L}:
  @   \forall char *s1, *s2; \forall integer n;
  @      memcmp(s1,s2,n) == 0 && strlen(s2) < n ==> strlen(s1) == strlen(s2);
  @      
  @ axiom memcmp_strlen_shift_left{L}:
  @   \forall char *s1, *s2; \forall integer k, n;
  @      memcmp(s1,s2 + k,n) == 0 && 0 <= k && strlen(s1) < n ==> 
  @        0 <= strlen(s2) <= k + strlen(s1);
  @      
  @ axiom memcmp_strlen_shift_right{L}:
  @   \forall char *s1, *s2; \forall integer k, n;
  @      memcmp(s1 + k,s2,n) == 0 && 0 <= k && strlen(s2) < n ==> 
  @        0 <= strlen(s1) <= k + strlen(s2);
  @
  @ }
  @*/

/*@ axiomatic StrCmp {
  @ logic integer strcmp{L}(char *s1, char *s2)
  @    reads s1[0..strlen(s1)], s2[0..strlen(s2)];
  @
  @ axiom strcmp_range{L}:
  @   \forall char *s1, *s2; INT_MIN <= strcmp(s1,s2) <= INT_MAX;
  @
  @ axiom strcmp_zero{L}:
  @   \forall char *s1, *s2;
  @      strcmp(s1,s2) == 0 <==>
  @        (strlen(s1) == strlen(s2)
  @         && \forall integer i; 0 <= i <= strlen(s1) ==> s1[i] == s2[i]);
  @ }
  @*/

/*@ axiomatic StrNCmp {
  @ logic integer strncmp{L}(char *s1, char *s2, integer n)
  @    reads s1[0..n-1], s2[0..n-1];
  @
  @ axiom strncmp_zero{L}:
  @   \forall char *s1, *s2; \forall integer n;
  @      strncmp(s1,s2,n) == 0 <==>
  @        (strlen(s1) < n && strcmp(s1,s2) == 0
  @         || \forall integer i; 0 <= i < n ==> s1[i] == s2[i]);
  @ }
  @*/

/*@ axiomatic StrChr {
  @ logic boolean strchr{L}(char *s, integer c)
  @    reads s[0..strlen(s)];
  @ // Returns [true] iff string [s] contains character [c]
  @
  @ axiom strchr_def{L}:
  @   \forall char *s; \forall integer c;
  @      strchr(s,c) <==> \exists integer i; 0 <= i <= strlen(s) && s[i] == c;
  @ }
  @*/

/*@ axiomatic WcsLen {
  @ logic integer wcslen{L}(wchar_t *s) reads s[0..];
  @
  @ axiom wcslen_pos_or_null{L}:
  @   \forall wchar_t* s; \forall integer i;
  @      (0 <= i
  @       && (\forall integer j; 0 <= j < i ==> s[j] != L'\0')
  @       && s[i] == L'\0') ==> wcslen(s) == i;
  @
  @ axiom wcslen_neg{L}:
  @   \forall wchar_t* s;
  @      (\forall integer i; 0 <= i ==> s[i] != L'\0')
  @      ==> wcslen(s) < 0;
  @
  @ axiom wcslen_before_null{L}:
  @   \forall wchar_t* s; \forall int i; 0 <= i < wcslen(s) ==> s[i] != L'\0';
  @
  @ axiom wcslen_at_null{L}:
  @   \forall wchar_t* s; 0 <= wcslen(s) ==> s[wcslen(s)] == L'\0';
  @
  @ axiom wcslen_not_zero{L}:
  @   \forall wchar_t* s; \forall int i;
  @      0 <= i <= wcslen(s) && s[i] != L'\0' ==> i < wcslen(s);
  @
  @ axiom wcslen_zero{L}:
  @   \forall wchar_t* s; \forall int i;
  @      0 <= i <= wcslen(s) && s[i] == L'\0' ==> i == wcslen(s);
  @
  @ axiom wcslen_sup{L}:
  @   \forall wchar_t* s; \forall int i;
  @      0 <= i && s[i] == L'\0' ==> 0 <= wcslen(s) <= i;
  @
  @ axiom wcslen_shift{L}:
  @   \forall wchar_t* s; \forall int i;
  @      0 <= i <= wcslen(s) ==> wcslen(s+i) == wcslen(s)-i;
  @
  @ axiom wcslen_create{L}:
  @   \forall wchar_t* s; \forall int i;
  @      0 <= i && s[i] == L'\0' ==> 0 <= wcslen(s) <= i;
  @
  @ axiom wcslen_create_shift{L}:
  @   \forall wchar_t* s; \forall int i; \forall int k;
  @      0 <= k <= i && s[i] == L'\0' ==> 0 <= wcslen(s+k) <= i - k;
  @ }
  @*/

/*@ axiomatic WcsCmp {
  @ logic integer wcscmp{L}(wchar_t *s1, wchar_t *s2)
  @   reads s1[0..wcslen(s1)], s2[0..wcslen(s2)];
  @
  @ axiom wcscmp_zero{L}:
  @   \forall wchar_t *s1, *s2;
  @      wcscmp(s1,s2) == 0 <==>
  @        (wcslen(s1) == wcslen(s2)
  @         && \forall integer i; 0 <= i <= wcslen(s1) ==> s1[i] == s2[i]);
  @ }
  @*/

/*@ axiomatic WcsNCmp {
  @ logic integer wcsncmp{L}(wchar_t *s1, wchar_t *s2, integer n)
  @    reads s1[0..n-1], s2[0..n-1];
  @
  @ axiom wcsncmp_zero{L}:
  @   \forall wchar_t *s1, *s2; \forall integer n;
  @      wcsncmp(s1,s2,n) == 0 <==>
  @        (wcslen(s1) < n && wcscmp(s1,s2) == 0
  @         || \forall integer i; 0 <= i < n ==> s1[i] == s2[i]);
  @ }
  @*/

#endif /* _JESSIE_MACHINE_PROLOG_H_ */
why-2.39/frama-c-plugin/share/jessie/wchar.h0000644000106100004300000000721013147234006017674 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  This file is part of Frama-C.                                         */
/*                                                                        */
/*  Copyright (C) 2007-2009                                               */
/*    INRIA (Institut National de Recherche en Informatique et en         */
/*           Automatique)                                                 */
/*                                                                        */
/*  you can redistribute it and/or modify it under the terms of the GNU   */
/*  Lesser General Public License as published by the Free Software       */
/*  Foundation, version 2.1.                                              */
/*                                                                        */
/*  It is distributed in the hope that it will be useful,                 */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         */
/*  GNU Lesser General Public License for more details.                   */
/*                                                                        */
/*  See the GNU Lesser General Public License version 2.1                 */
/*  for more details (enclosed in the file licenses/LGPLv2.1).            */
/*                                                                        */
/**************************************************************************/

/* $Id: wchar.h,v 1.1 2009-09-08 11:11:43 monate Exp $ */

#ifndef _WCHAR_H_
#define _WCHAR_H_

#include 

/*@ requires valid_wstring(s);
  @ assigns \nothing;
  @ ensures \result == wcslen(s);
  @*/
size_t wcslen(const wchar_t *s);

/*@ requires \valid(dest+(0..wcslen(src))) && valid_wstring(src);
  @ assigns dest[0..wcslen(src)];
  @ ensures valid_wstring(dest) && wcscmp(dest,src) == 0 && \result == dest;
  @*/
extern wchar_t *wcscpy(wchar_t *dest, const wchar_t *src);

/*@ requires \valid(dest+(0..n - 1)) && valid_wstring(src);
  @ assigns dest[0..n - 1];
  @ ensures \result == dest;
  @ behavior complete:
  @   assumes wcslen(src) < n;
  @   assigns dest[0..n - 1];
  @   ensures valid_wstring(dest) && wcscmp(dest,src) == 0;
  @ behavior partial:
  @   assumes n <= wcslen(src);
  @   assigns dest[0..n - 1];
  @   //ensures memcmp(dest,src,n) == 0;
  @*/
extern wchar_t *wcsncpy(wchar_t *dest, const wchar_t *src, size_t n);

/*@ requires valid_wstring(wcs) && valid_wstring(reject);
  @ assigns \nothing;
  @ ensures 0 <= \result <= wcslen(wcs);
  @*/
extern size_t wcscspn(wchar_t *wcs, const wchar_t *reject);

/*@ requires valid_wstring(wcs) && valid_wstring(accept);
  @ assigns \nothing;
  @ ensures 0 <= \result <= wcslen(wcs);
  @*/
extern size_t wcsspn(const wchar_t *wcs, const wchar_t *accept);

extern wchar_t *wcspbrk(const wchar_t *wcs, const wchar_t *accept);

extern wchar_t *wcsstr(const wchar_t *haystack, const wchar_t *needle);

extern wchar_t *wcstok(wchar_t *restrict s, 
		       const wchar_t *restrict delim,
		       wchar_t **restrict ptr);

// Allocate wide strings

/*@ requires valid_wstring(wcs);
  @ assigns \nothing;
  @ ensures \valid(\result+(0..wcslen(wcs))) && wcscmp(\result,wcs) == 0;
  @*/
extern wchar_t *wcsdup(const wchar_t *wcs);

/*@ requires valid_wstring(wcs);
  @ assigns \nothing;
  @ ensures \valid(\result+(0..minimum(wcslen(wcs),n))) 
  @         && valid_wstring(\result) && wcslen(\result) <= n
  @         && wcsncmp(\result,wcs,n) == 0;
  @*/
extern wchar_t *wcsndup(const wchar_t *wcs, size_t n);

#endif /* _WCHAR_H_ */
why-2.39/frama-c-plugin/share/jessie/jessie_prolog.h0000644000106100004300000000533713147234006021444 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  This file is part of Frama-C.                                         */
/*                                                                        */
/*  Copyright (C) 2007-2009                                               */
/*    INRIA (Institut National de Recherche en Informatique et en         */
/*           Automatique)                                                 */
/*                                                                        */
/*  you can redistribute it and/or modify it under the terms of the GNU   */
/*  Lesser General Public License as published by the Free Software       */
/*  Foundation, version 2.1.                                              */
/*                                                                        */
/*  It is distributed in the hope that it will be useful,                 */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         */
/*  GNU Lesser General Public License for more details.                   */
/*                                                                        */
/*  See the GNU Lesser General Public License version 2.1                 */
/*  for more details (enclosed in the file licenses/LGPLv2.1).            */
/*                                                                        */
/**************************************************************************/

/* $Id: jessie_prolog.h,v 1.1 2009-09-08 11:11:43 monate Exp $ */

#ifndef _JESSIE_PROLOG_H_
#define _JESSIE_PROLOG_H_

#ifdef JESSIE_NO_PROLOG
#else

#ifdef JESSIE_EXACT_INT_MODEL
# include "jessie_exact_prolog.h"
#else
# include "jessie_machine_prolog.h"
#endif

/*@ logic integer minimum(integer i, integer j) = i < j ? i : j;
  @ logic integer maximum(integer i, integer j) = i < j ? j : i;
  @*/

/*@ predicate valid_string{L}(char *s) =
  @   0 <= strlen(s) && \valid(s+(0..strlen(s)));
  @
  @ predicate valid_string_or_null{L}(char *s) =
  @   s == NULL || valid_string(s);
  @
  @ predicate valid_wstring{L}(wchar_t *s) =
  @   0 <= wcslen(s) && \valid(s+(0..wcslen(s)));
  @
  @ predicate valid_wstring_or_null{L}(wchar_t *s) =
  @   s == NULL || valid_wstring(s);
  @*/

#define FRAMA_C_PTR __declspec(valid)
#define FRAMA_C_ARRAY(n) __declspec(valid_range(0,n))
#define FRAMA_C_STRING __declspec(valid_string)
#define FRAMA_C_STRING_OR_NULL __declspec(valid_string_or_null)
#define FRAMA_C_WSTRING __declspec(valid_wstring)
#define FRAMA_C_WSTRING_OR_NULL __declspec(valid_wstring_or_null)

#endif /* JESSIE_NO_PROLOG */

#endif /* _JESSIE_PROLOG_H_ */
why-2.39/frama-c-plugin/share/jessie/ctype.h0000644000106100004300000000443013147234006017715 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  This file is part of Frama-C.                                         */
/*                                                                        */
/*  Copyright (C) 2007-2009                                               */
/*    INRIA (Institut National de Recherche en Informatique et en         */
/*           Automatique)                                                 */
/*                                                                        */
/*  you can redistribute it and/or modify it under the terms of the GNU   */
/*  Lesser General Public License as published by the Free Software       */
/*  Foundation, version 2.1.                                              */
/*                                                                        */
/*  It is distributed in the hope that it will be useful,                 */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         */
/*  GNU Lesser General Public License for more details.                   */
/*                                                                        */
/*  See the GNU Lesser General Public License version 2.1                 */
/*  for more details (enclosed in the file licenses/LGPLv2.1).            */
/*                                                                        */
/**************************************************************************/

/* $Id: ctype.h,v 1.1 2009-09-08 11:11:43 monate Exp $ */

#ifndef _CTYPE_H_
#define _CTYPE_H_

//@ assigns \nothing;
extern int isalnum(int c);

//@ assigns \nothing;
extern int isalpha(int c);
int isascii(int c);

//@ assigns \nothing;
extern int isblank(int c);
int iscntrl(int c);

//@ assigns \nothing;
extern int isdigit(int c);

//@ assigns \nothing;
extern int isgraph(int c);

//@ assigns \nothing;
extern int islower(int c);

//@ assigns \nothing;
extern int isprint(int c);

//@ assigns \nothing;
extern int ispunct(int c);

//@ assigns \nothing;
extern int isspace(int c);

//@ assigns \nothing;
extern int isupper(int c);

//@ assigns \nothing;
extern int isxdigit(int c);

#endif /* _CTYPE_H_ */
why-2.39/frama-c-plugin/share/jessie/stddef.h0000644000106100004300000000361413147234006020045 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  This file is part of Frama-C.                                         */
/*                                                                        */
/*  Copyright (C) 2007-2009                                               */
/*    INRIA (Institut National de Recherche en Informatique et en         */
/*           Automatique)                                                 */
/*                                                                        */
/*  you can redistribute it and/or modify it under the terms of the GNU   */
/*  Lesser General Public License as published by the Free Software       */
/*  Foundation, version 2.1.                                              */
/*                                                                        */
/*  It is distributed in the hope that it will be useful,                 */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         */
/*  GNU Lesser General Public License for more details.                   */
/*                                                                        */
/*  See the GNU Lesser General Public License version 2.1                 */
/*  for more details (enclosed in the file licenses/LGPLv2.1).            */
/*                                                                        */
/**************************************************************************/

/* $Id: stddef.h,v 1.1 2009-09-08 11:11:43 monate Exp $ */

#ifndef _STDDEF_H_
#define _STDDEF_H_

#ifndef NULL
# define NULL ((void*)0)
#endif

#ifndef _WCHAR_T
# define _WCHAR_T
typedef unsigned short wchar_t;
#endif

#ifndef _SIZE_T
# define _SIZE_T
typedef unsigned int size_t;
#endif

#endif /* _STDDEF_H_ */
why-2.39/frama-c-plugin/share/jessie/unistd.h0000644000106100004300000000442713147234006020105 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  This file is part of Frama-C.                                         */
/*                                                                        */
/*  Copyright (C) 2007-2009                                               */
/*    INRIA (Institut National de Recherche en Informatique et en         */
/*           Automatique)                                                 */
/*                                                                        */
/*  you can redistribute it and/or modify it under the terms of the GNU   */
/*  Lesser General Public License as published by the Free Software       */
/*  Foundation, version 2.1.                                              */
/*                                                                        */
/*  It is distributed in the hope that it will be useful,                 */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         */
/*  GNU Lesser General Public License for more details.                   */
/*                                                                        */
/*  See the GNU Lesser General Public License version 2.1                 */
/*  for more details (enclosed in the file licenses/LGPLv2.1).            */
/*                                                                        */
/**************************************************************************/

/* $Id: unistd.h,v 1.1 2009-09-08 11:11:43 monate Exp $ */

#ifndef _UNISTD_H_
#define _UNISTD_H_

extern char *FRAMA_C_STRING_OR_NULL optarg;
extern int optind, opterr, optopt;

/*@ assigns optarg, optind, opterr, optopt;
  @ ensures \result == -1 || valid_string(optarg);
  @*/
extern int getopt (int argc, char *FRAMA_C_STRING const argv[],           
		   const char *FRAMA_C_STRING_OR_NULL optstring);

/*@ assigns \nothing;
  @ ensures -1 <= \result <= 0;
  @*/
extern int chdir(const char *FRAMA_C_STRING path);

/*@ requires \valid(buf+(0..size-1));
  @ assigns buf[0..size-1];
  @ ensures \result == NULL || \result == buf;
  @*/
extern char *getcwd(char *buf, size_t size);

#endif /* _UNISTD_H_ */
why-2.39/frama-c-plugin/share/jessie/stdio.h0000644000106100004300000000533513147234006017720 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  This file is part of Frama-C.                                         */
/*                                                                        */
/*  Copyright (C) 2007-2009                                               */
/*    INRIA (Institut National de Recherche en Informatique et en         */
/*           Automatique)                                                 */
/*                                                                        */
/*  you can redistribute it and/or modify it under the terms of the GNU   */
/*  Lesser General Public License as published by the Free Software       */
/*  Foundation, version 2.1.                                              */
/*                                                                        */
/*  It is distributed in the hope that it will be useful,                 */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         */
/*  GNU Lesser General Public License for more details.                   */
/*                                                                        */
/*  See the GNU Lesser General Public License version 2.1                 */
/*  for more details (enclosed in the file licenses/LGPLv2.1).            */
/*                                                                        */
/**************************************************************************/

/* $Id: stdio.h,v 1.1 2009-09-08 11:11:43 monate Exp $ */

#ifndef _STDIO_H_
#define _STDIO_H_

#ifndef EOF
# define EOF (-1)
#endif

typedef void* FILE;

extern FILE *stdin;
extern FILE *stdout;
extern FILE *stderr;

/*@ requires valid_string(path) && valid_string(mode);
  @ assigns \nothing;
  @ ensures \result == NULL || \valid(\result);
  @*/
extern FILE *fopen(const char *path, const char *mode);

/*@ requires \valid(stream);
  @ assigns \nothing;
  @*/
extern int getc(FILE *stream);

/*@ requires \valid(stream);
  @ assigns \nothing;
  @*/
extern int fgetc(FILE *stream);

/*@ requires \valid(s+(0..size-1)) && \valid(stream);
  @ assigns s[0..size-1];
  @ ensures \result == NULL 
  @      || (\result == s && valid_string(s) && strlen(s) <= size-1);
  @*/
extern char *fgets(char *s, int size, FILE *stream);

/*@ requires \valid(fp);
  @ assigns \nothing;
  @*/
extern int fclose(FILE *fp);

#define printf(...)

/*@ requires \valid(stream) && buf == NULL;
  @ assigns \nothing;
  @*/
extern void setbuf(FILE *stream, char *buf);

/*@ requires valid_string(s);
  @ assigns \nothing;
  @*/
extern void perror(const char *s);

#endif /* _STDIO_H_ */
why-2.39/frama-c-plugin/share/jessie/jessie_exact_prolog.h0000644000106100004300000002017613147234006022626 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  This file is part of Frama-C.                                         */
/*                                                                        */
/*  Copyright (C) 2007-2009                                               */
/*    INRIA (Institut National de Recherche en Informatique et en         */
/*           Automatique)                                                 */
/*                                                                        */
/*  you can redistribute it and/or modify it under the terms of the GNU   */
/*  Lesser General Public License as published by the Free Software       */
/*  Foundation, version 2.1.                                              */
/*                                                                        */
/*  It is distributed in the hope that it will be useful,                 */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         */
/*  GNU Lesser General Public License for more details.                   */
/*                                                                        */
/*  See the GNU Lesser General Public License version 2.1                 */
/*  for more details (enclosed in the file licenses/LGPLv2.1).            */
/*                                                                        */
/**************************************************************************/

/* $Id: jessie_exact_prolog.h,v 1.1 2009-09-08 11:11:43 monate Exp $ */

#ifndef _JESSIE_MACHINE_PROLOG_H_
#define _JESSIE_MACHINE_PROLOG_H_

#include "stddef.h"
#include "limits.h"

/*@ axiomatic MemCmp {
  @ logic integer memcmp{L}(char *s1, char *s2, integer n)
  @    reads s1[0..n - 1], s2[0..n - 1];
  @
  @ axiom memcmp_zero{L}:
  @   \forall char *s1, *s2; \forall integer n;
  @      memcmp(s1,s2,n) == 0
  @      <==> \forall integer i; 0 <= i < n ==> s1[i] == s2[i];
  @ 
  @ }
  @*/


/*@ axiomatic MemChr {
  @ logic boolean memchr{L}(char *s, integer c, integer n)
  @    reads s[0..n - 1];
  @ // Returns [true] iff array [s] contains character [c]
  @
  @ axiom memchr_def{L}:
  @   \forall char *s; \forall integer c; \forall integer n;
  @      memchr(s,c,n) <==> \exists int i; 0 <= i < n && s[i] == c;
  @ }
  @*/

/*@ axiomatic MemSet {
  @ logic boolean memset{L}(char *s, integer c, integer n)
  @    reads s[0..n - 1];
  @ // Returns [true] iff array [s] contains only character [c]
  @
  @ axiom memset_def{L}:
  @   \forall char *s; \forall integer c; \forall integer n;
  @      memset(s,c,n) <==> \forall integer i; 0 <= i < n ==> s[i] == c;
  @ }
  @*/

/*@ axiomatic StrLen {
  @ logic integer strlen{L}(char *s) reads s[0..];
  @
  @ axiom strlen_pos_or_null{L}:
  @   \forall char* s; \forall integer i;
  @      (0 <= i
  @       && (\forall integer j; 0 <= j < i ==> s[j] != '\0')
  @       && s[i] == '\0') ==> strlen(s) == i;
  @
  @ axiom strlen_neg{L}:
  @   \forall char* s;
  @      (\forall integer i; 0 <= i ==> s[i] != '\0')
  @      ==> strlen(s) < 0;
  @
  @ axiom strlen_before_null{L}:
  @   \forall char* s; \forall integer i; 0 <= i < strlen(s) ==> s[i] != '\0';
  @
  @ axiom strlen_at_null{L}:
  @   \forall char* s; 0 <= strlen(s) ==> s[strlen(s)] == '\0';
  @
  @ axiom strlen_not_zero{L}:
  @   \forall char* s; \forall integer i;
  @      0 <= i <= strlen(s) && s[i] != '\0' ==> i < strlen(s);
  @
  @ axiom strlen_zero{L}:
  @   \forall char* s; \forall integer i;
  @      0 <= i <= strlen(s) && s[i] == '\0' ==> i == strlen(s);
  @
  @ axiom strlen_sup{L}:
  @   \forall char* s; \forall integer i;
  @      0 <= i && s[i] == '\0' ==> 0 <= strlen(s) <= i;
  @
  @ axiom strlen_shift{L}:
  @   \forall char* s; \forall integer i;
  @      0 <= i <= strlen(s) ==> strlen(s + i) == strlen(s) - i;
  @
  @ axiom strlen_create{L}:
  @   \forall char* s; \forall integer i;
  @      0 <= i && s[i] == '\0' ==> 0 <= strlen(s) <= i;
  @
  @ axiom strlen_create_shift{L}:
  @   \forall char* s; \forall integer i; \forall integer k;
  @      0 <= k <= i && s[i] == '\0' ==> 0 <= strlen(s+k) <= i - k;
  @
  @ axiom memcmp_strlen_left{L}:
  @   \forall char *s1, *s2; \forall integer n;
  @      memcmp(s1,s2,n) == 0 && strlen(s1) < n ==> strlen(s1) == strlen(s2);
  @      
  @ axiom memcmp_strlen_right{L}:
  @   \forall char *s1, *s2; \forall integer n;
  @      memcmp(s1,s2,n) == 0 && strlen(s2) < n ==> strlen(s1) == strlen(s2);
  @      
  @ axiom memcmp_strlen_shift_left{L}:
  @   \forall char *s1, *s2; \forall integer k, n;
  @      memcmp(s1,s2 + k,n) == 0 && 0 <= k && strlen(s1) < n ==> 
  @        0 <= strlen(s2) <= k + strlen(s1);
  @      
  @ axiom memcmp_strlen_shift_right{L}:
  @   \forall char *s1, *s2; \forall integer k, n;
  @      memcmp(s1 + k,s2,n) == 0 && 0 <= k && strlen(s2) < n ==> 
  @        0 <= strlen(s1) <= k + strlen(s2);
  @ }
  @*/

/*@ axiomatic StrCmp {
  @ logic integer strcmp{L}(char *s1, char *s2)
  @   reads s1[0..strlen(s1)], s2[0..strlen(s2)];
  @
  @ axiom strcmp_zero{L}:
  @   \forall char *s1, *s2;
  @      strcmp(s1,s2) == 0 <==>
  @        (strlen(s1) == strlen(s2)
  @         && \forall integer i; 0 <= i <= strlen(s1) ==> s1[i] == s2[i]);
  @ }
  @*/

/*@ axiomatic StrNCmp {
  @ logic integer strncmp{L}(char *s1, char *s2, integer n)
  @   reads s1[0..n-1], s2[0..n-1];
  @
  @ axiom strncmp_zero{L}:
  @   \forall char *s1, *s2; \forall integer n;
  @      strncmp(s1,s2,n) == 0 <==>
  @        (strlen(s1) < n && strcmp(s1,s2) == 0
  @         || \forall integer i; 0 <= i < n ==> s1[i] == s2[i]);
  @ }
  @*/

/*@ axiomatic StrChr {
  @ logic boolean strchr{L}(char *s, integer c)
  @   reads s[0..strlen(s)];
  @ // Returns [true] iff string [s] contains character [c]
  @
  @ axiom strchr_def{L}:
  @   \forall char *s; \forall integer c;
  @      strchr(s,c) <==> \exists integer i; 0 <= i <= strlen(s) && s[i] == c;
  @ }
  @*/

/*@ axiomatic WcsLen {
  @ logic integer wcslen{L}(wchar_t *s)
  @   reads s[0..];
  @
  @ axiom wcslen_pos_or_null{L}:
  @   \forall wchar_t* s; \forall integer i;
  @      (0 <= i
  @       && (\forall integer j; 0 <= j < i ==> s[j] != L'\0')
  @       && s[i] == L'\0') ==> wcslen(s) == i;
  @
  @ axiom wcslen_neg{L}:
  @   \forall wchar_t* s;
  @      (\forall integer i; 0 <= i ==> s[i] != L'\0')
  @      ==> wcslen(s) < 0;
  @
  @ axiom wcslen_before_null{L}:
  @   \forall wchar_t* s; \forall int i; 0 <= i < wcslen(s) ==> s[i] != L'\0';
  @
  @ axiom wcslen_at_null{L}:
  @   \forall wchar_t* s; 0 <= wcslen(s) ==> s[wcslen(s)] == L'\0';
  @
  @ axiom wcslen_not_zero{L}:
  @   \forall wchar_t* s; \forall int i;
  @      0 <= i <= wcslen(s) && s[i] != L'\0' ==> i < wcslen(s);
  @
  @ axiom wcslen_zero{L}:
  @   \forall wchar_t* s; \forall int i;
  @      0 <= i <= wcslen(s) && s[i] == L'\0' ==> i == wcslen(s);
  @
  @ axiom wcslen_sup{L}:
  @   \forall wchar_t* s; \forall int i;
  @      0 <= i && s[i] == L'\0' ==> 0 <= wcslen(s) <= i;
  @
  @ axiom wcslen_shift{L}:
  @   \forall wchar_t* s; \forall int i;
  @      0 <= i <= wcslen(s) ==> wcslen(s+i) == wcslen(s)-i;
  @
  @ axiom wcslen_create{L}:
  @   \forall wchar_t* s; \forall int i;
  @      0 <= i && s[i] == L'\0' ==> 0 <= wcslen(s) <= i;
  @
  @ axiom wcslen_create_shift{L}:
  @   \forall wchar_t* s; \forall int i; \forall int k;
  @      0 <= k <= i && s[i] == L'\0' ==> 0 <= wcslen(s+k) <= i - k;
  @ }
  @*/

/*@ axiomatic WcsCmp {
  @ logic integer wcscmp{L}(wchar_t *s1, wchar_t *s2)
  @   reads s1[0..wcslen(s1)], s2[0..wcslen(s2)];
  @
  @ axiom wcscmp_zero{L}:
  @   \forall wchar_t *s1, *s2;
  @      wcscmp(s1,s2) == 0 <==>
  @        (wcslen(s1) == wcslen(s2)
  @         && \forall integer i; 0 <= i <= wcslen(s1) ==> s1[i] == s2[i]);
  @ }
  @*/

/*@ axiomatic WcsNCmp {
  @ logic integer wcsncmp{L}(wchar_t *s1, wchar_t *s2, integer n)
  @   reads s1[0..n-1], s2[0..n-1];
  @
  @ axiom wcsncmp_zero{L}:
  @   \forall wchar_t *s1, *s2; \forall integer n;
  @      wcsncmp(s1,s2,n) == 0 <==>
  @        (wcslen(s1) < n && wcscmp(s1,s2) == 0
  @         || \forall integer i; 0 <= i < n ==> s1[i] == s2[i]);
  @ }
  @*/

#endif /* _JESSIE_MACHINE_PROLOG_H_ */
why-2.39/frama-c-plugin/jessie_options.mli0000644000106100004300000000513713147234006017601 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

include Plugin.S

module ProjectName: Parameter_sig.String
module Behavior: Parameter_sig.String
module Analysis: Parameter_sig.Bool
module Why3Cmd: Parameter_sig.String
module JcOpt: Parameter_sig.String_set
module GenOnly: Parameter_sig.Bool
module InferAnnot: Parameter_sig.String
module AbsDomain: Parameter_sig.String
module HintLevel: Parameter_sig.Int

(*
Local Variables:
compile-command: "LC_ALL=C make"
End:
*)
why-2.39/frama-c-plugin/Makefile0000644000106100004300000001070213147234006015473 0ustar  marchevals##########################################################################
#                                                                        #
#  This file is part of Frama-C.                                         #
#                                                                        #
#  Copyright (C) 2007-2010                                               #
#    INRIA (Institut National de Recherche en Informatique et en         #
#           Automatique)                                                 #
#                                                                        #
#  you can redistribute it and/or modify it under the terms of the GNU   #
#  Lesser General Public License as published by the Free Software       #
#  Foundation, version 2.1.                                              #
#                                                                        #
#  It is distributed in the hope that it will be useful,                 #
#  but WITHOUT ANY WARRANTY; without even the implied warranty of        #
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         #
#  GNU Lesser General Public License for more details.                   #
#                                                                        #
#  See the GNU Lesser General Public License version 2.1                 #
#  for more details (enclosed in the file licenses/LGPLv2.1).            #
#                                                                        #
##########################################################################

# Makefile for compiling Jessie independently of Frama-C.
#
# To be used independently of Frama-C, a version of Frama-C compatible with
# Jessie has to be properly installed as well as the Jessie-specific stuff.

# Do not use ?= to initialize both below variables
# (fixed efficiency issue, see GNU Make manual, Section 8.11)
FRAMAC ?= frama-c
ifndef FRAMAC_SHARE
FRAMAC_SHARE  := $(shell $(FRAMAC) -journal-disable -print-path)
endif
ifndef FRAMAC_LIBDIR
FRAMAC_LIBDIR := $(shell $(FRAMAC) -journal-disable -print-libpath)
endif

PLUGIN_DIR      ?= .
WHY_DISTRIB	?= $(PLUGIN_DIR)/..
JESSIE_INCLUDES	?= -I $(WHY_DISTRIB)/src -I $(WHY_DISTRIB)/jc
JCCMO		?= $(WHY_DISTRIB)/jc/jc.cmo
JCCMX		?= $(JCCMO:.cmo=.cmx)

PLUGIN_NAME:=Jessie
PLUGIN_CMO:= jessie_config jessie_options jessie_integer common rewrite \
             norm retype interp register
PLUGIN_HAS_MLI:=yes
PLUGIN_BFLAGS:=-w Aer-3-6-41-44-45-48-50-52-57 $(JESSIE_INCLUDES)
PLUGIN_OFLAGS:=-w Aer-3-6-41-44-45-48-50-52-57 $(JESSIE_INCLUDES)
PLUGIN_EXTRA_BYTE+=$(JCCMO)
PLUGIN_EXTRA_OPT+=$(JCCMX)
#PLUGIN_DEPFLAGS:=$(JESSIE_INCLUDES)
PLUGIN_DOCFLAGS:=$(JESSIE_INCLUDES)
PLUGIN_TESTS_DIRS:=jessie

ifeq ($(FRAMAC_MAKE),yes)
unexport $(FRAMAC_MAKE)

all::  $(WHY_DISTRIB)/Makefile $(WHY_DISTRIB)/.depend why_all

.PHONY: why_all $(WHY_DISTRIB)/depend $(WHY_DISTRIB)/clean
why_all: $(WHY_DISTRIB)/Makefile $(WHY_DISTRIB)/.depend $(PLUGIN_DIR)/interp.cmi
	$(MAKE) -C $(dir $<) -j 1 all-without-frama-c-plugin

$(WHY_DISTRIB)/depend: $(WHY_DISTRIB)/Makefile
	$(MAKE) -C $(dir $@) -j 1 depend FRAMACPLUGIN=no

$(WHY_DISTRIB)/clean:
	$(MAKE) -C $(dir $@) -j 1 clean FRAMACPLUGIN=no

$(PLUGIN_DIR)/.depend: $(WHY_DISTRIB)/.depend

depend:: $(WHY_DISTRIB)/depend

clean::$(WHY_DISTRIB)/clean

tests:: $(WHY_DISTRIB)/bin/jessie.$(OCAMLBEST) $(WHY_DISTRIB)/bin/why.$(OCAMLBEST)

endif

$(PLUGIN_DIR)/interp.cmo: $(PLUGIN_DIR)/interp.cmi $(WHY_DISTRIB)/jc/jc.cmo

$(PLUGIN_DIR)/interp.cmi: $(WHY_DISTRIB)/jc/jc.cmi

$(PLUGIN_DIR)/interp.cmx: $(PLUGIN_DIR)/interp.cmi $(WHY_DISTRIB)/jc/jc.cmx

# $(WHY_DISTRIB)/jc/jc.cmo: $(WHY_DISTRIB)/jc/jc.cmi
# $(WHY_DISTRIB)/jc/jc.cmx: $(WHY_DISTRIB)/jc/jc.cmi

$(PLUGIN_DIR)/jessie_config.ml:
	echo "let jessie_local = false" > $@

$(WHY_DISTRIB)/Makefile: $(WHY_DISTRIB)/Makefile.in $(WHY_DISTRIB)/config.status
	cd $(dir $@) && ./config.status

$(WHY_DISTRIB)/.depend: $(WHY_DISTRIB)/Makefile
	$(MAKE) -C $(dir $@) -j 1 .depend FRAMACPLUGIN=no

$(WHY_DISTRIB)/config.status: $(WHY_DISTRIB)/configure
	if test -e $(dir $@)/config.status; then \
	  cd $(dir $@) && ./config.status -recheck; \
	else \
	 cd $(dir $@) && ./configure ; \
	fi

$(WHY_DISTRIB)/configure: $(WHY_DISTRIB)/configure.in
	cd $(dir $@) && autoconf

$(WHY_DISTRIB)/Makefile.in: ;
$(WHY_DISTRIB)/configure.in: ;

$(WHY_DISTRIB)/%: $(WHY_DISTRIB)/Makefile $(WHY_DISTRIB)/.depend
	$(MAKE) -C $(subst /$*,,$@) -j 1 $*

PLUGIN_GENERATED_LIST+=$(JESSIE_HOME_DIR)/jessie_config.ml

include $(FRAMAC_SHARE)/Makefile.dynamic
why-2.39/frama-c-plugin/interp.mli0000644000106100004300000000467613147234006016054 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(* import from JC *)
open Jc

type int_model = IMexact | IMbounded | IMmodulo

val int_model : int_model ref

(* transforms a CIL AST into a Jessie AST *)
val file : Cil_types.file -> Jc_ast.pdecl list

val pragmas : Cil_types.file -> Jc_output.jc_decl list
why-2.39/frama-c-plugin/Jessie.mli0000644000106100004300000000445313147234006015766 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(** C to Jessie translation. *)

(** No function is directly exported: they are registered in {!Db.Jessie}. *)
why-2.39/frama-c-plugin/interp.ml0000644000106100004300000031200513147234006015667 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(* Import from Cil *)
open Cil_types
open Cil
open Cil_datatype
open Ast_info
open Extlib

(* Import from Why *)
open Jc
open Jc_constructors
open Jc_ast
open Jc_env
open Jc_pervasives

(* Utility functions *)
open Common
open Jessie_integer

(*****************************************************************************)
(* Smart constructors.                                                       *)
(*****************************************************************************)

let mktype tnode = new ptype tnode

let mkexpr enode pos = new pexpr ~pos enode

(* VP: unused variable *)
(* let void_expr = mkexpr (JCPEconst JCCvoid) Loc.dummy_position *)
let null_expr = mkexpr (JCPEconst JCCnull) Loc.dummy_position
let true_expr = mkexpr (JCPEconst(JCCboolean true)) Loc.dummy_position
let false_expr = mkexpr (JCPEconst(JCCboolean false)) Loc.dummy_position
let zero_expr = mkexpr (JCPEconst(JCCinteger "0")) Loc.dummy_position
let one_expr = mkexpr (JCPEconst(JCCinteger "1")) Loc.dummy_position

let mktag tag_node pos = new ptag ~pos tag_node

let mkidentifier name pos = new identifier ~pos name

let rec mkconjunct elist pos =
  match elist with
    | [] -> true_expr
    | [e] -> e
    | e::el -> mkexpr (JCPEbinary(e,`Bland,mkconjunct el pos)) pos

let rec mkdisjunct elist pos =
  match elist with
    | [] -> false_expr
    | [e] -> e
    | e::el -> mkexpr (JCPEbinary(e,`Blor,mkdisjunct el pos)) pos

let mkimplies elist e pos =
  match elist with
    | [] -> e
    | _ -> mkexpr (JCPEbinary(e,`Bimplies,mkconjunct elist pos)) pos

let mkdecl dnode pos = new decl ~pos dnode


(*****************************************************************************)
(* Locate Jessie expressions on source program.                              *)
(*****************************************************************************)

let reg_position ?id ?kind ?name pos =
  Output.old_reg_pos "_C" ?id ?kind ?name (Loc.extract pos)

(* [locate] should be called on every Jessie expression which we would like to
 * locate in the original source program.
 *)
let locate ?pos e =
  (* Recursively label conjuncts so that splitting conjuncts in Why still
   * allows to locate the resulting VC.
   *)
  let rec dopos ~toplevel e =
    (* Generate (and store) a label associated to this source location *)
    let pos = match pos with
      | None -> e#pos
      | Some pos ->
          if is_unknown_location e#pos then pos else e#pos
    in
    let lab = reg_position pos in
    let e = match e#node with
      | JCPEbinary(e1,`Bland,e2) ->
          begin match e1#node,e2#node with
            | JCPElabel _,JCPElabel _ -> e (* already labelled *)
            | JCPElabel _,_ -> (* [e1] already labelled *)
                let e2 = dopos ~toplevel:false e2 in
                mkexpr (JCPEbinary(e1,`Bland,e2)) pos
            | _,JCPElabel _ -> (* [e2] already labelled *)
                let e1 = dopos ~toplevel:false e1 in
                mkexpr (JCPEbinary(e1,`Bland,e2)) pos
            | _,_ -> (* none already labelled *)
                let e1 = dopos ~toplevel:false e1 in
                let e2 = dopos ~toplevel:false e2 in
                mkexpr (JCPEbinary(e1,`Bland,e2)) pos
          end
      | _ -> e
    in
    (* Do not generate a label for every intermediate conjunct *)
    match e#node with
      | JCPEbinary(_e1,`Bland,_e2) when not toplevel -> e
      | _ ->
          (* Label the expression accordingly *)
          mkexpr (JCPElabel(lab,e)) pos
  in
  dopos ~toplevel:true e


(*****************************************************************************)
(* Cil to Jessie translation of operators                                    *)
(*****************************************************************************)

let unop = function
  | Neg -> `Uminus
  | BNot -> `Ubw_not
  | LNot -> `Unot

let binop = function
  | PlusA -> `Badd
  | PlusPI -> `Badd
  | IndexPI -> `Badd
  | MinusA -> `Bsub
  | MinusPI -> `Bsub
  | MinusPP -> `Bsub
  | Mult -> `Bmul
  | Div -> `Bdiv
  | Mod -> `Bmod
  | Shiftlt -> `Bshift_left
  | Shiftrt -> assert false (* Should be decided at point used *)
  | Lt -> `Blt
  | Gt -> `Bgt
  | Le -> `Ble
  | Ge -> `Bge
  | Eq -> `Beq
  | Ne -> `Bneq
  | BAnd -> `Bbw_and
  | BXor -> `Bbw_xor
  | BOr -> `Bbw_or
  | LAnd -> `Bland
  | LOr -> `Blor

let relation = function
  | Rlt -> `Blt
  | Rgt -> `Bgt
  | Rle -> `Ble
  | Rge -> `Bge
  | Req -> `Beq
  | Rneq -> `Bneq



let invariant_policy = ref Jc_env.InvArguments

let separation_policy_regions = ref true

type int_model = IMexact | IMbounded | IMmodulo

let int_model = ref IMbounded

let float_model = ref `Defensive

let rec name_with_profile s prof =
  match prof with
    | [] ->
(*
	Format.eprintf "producing new translated name ``%s''@." s;
*)
	s
    | v::rem ->
	let n = Common.logic_type_name v.lv_type in
(*
	Format.eprintf "type name ``%s''@." n;
*)
	name_with_profile (s^"_"^n) rem

let translated_names_table = Hashtbl.create 257

exception CtePredicate of bool


let full_model_function linfo name default =
  match !float_model with
    | `Math ->
	warning "\\%s always %b in mode JessieFloatModel(math)" name default;
	raise (CtePredicate default)
    | `Defensive | `Full | `Multirounding ->
	begin
	  match (List.hd linfo.l_profile).lv_type with
	    | Ctype x when x == doubleType -> "\\double_" ^ name
	    | Ctype x when x == floatType -> "\\single_" ^ name
	    | _ -> assert false
	end

let jessie_builtins = Hashtbl.create 17

let translated_name linfo largs =
(*
  Format.eprintf "Jessie.interp: linfo = %s(%a)(%d)@."
    linfo.l_name
    (fprintfList ~sep:",@ " d_logic_type)
    (List.map (fun v -> v.lv_type) linfo.l_profile)
    (Obj.magic linfo);
*)
  try
    let n = Hashtbl.find translated_names_table linfo.l_var_info.lv_id in
(*
    Format.eprintf "Jessie.interp: translated(%s) = %s" linfo.l_var_info.lv_name n;
*)
    n
  with Not_found ->
    let name =
      match linfo.l_var_info.lv_name with
	| "\\abs" ->
	    begin
	      match linfo.l_type with
		| Some Lreal -> "\\real_abs"
		| Some Linteger -> "\\integer_abs"
		| _ -> assert false
	    end
	| "\\min" ->
	    begin
	      match linfo.l_type with
		| Some Lreal -> "\\real_min"
		| Some Linteger -> "\\integer_min"
		| _ -> assert false
	    end
	| "\\max" ->
	    begin
	      match linfo.l_type with
		| Some Lreal -> "\\real_max"
		| Some Linteger -> "\\integer_max"
		| _ -> assert false
	    end
	| "\\exact" ->
	    begin
	      match (List.hd linfo.l_profile).lv_type with
		| Ctype x when x == doubleType -> "\\double_exact"
		| Ctype x when x == floatType -> "\\single_exact"
		| _ -> assert false
	    end
	| "\\model" ->
	    begin
	      match (List.hd linfo.l_profile).lv_type with
		| Ctype x when x == doubleType -> "\\double_model"
		| Ctype x when x == floatType -> "\\single_model"
		| _ -> assert false
	    end
	| "\\round_float" ->
	    begin
	      match (List.hd largs).term_node with
                | TDataCons(ctor,_args) ->
                    begin
                      match ctor.ctor_name with
		        | "\\Double" -> "\\round_double"
		        | "\\Single" -> "\\round_single"
		        | s ->
                            warning "first arg '%s' of \\round_float unsupported (should be \\Double or \\Single)" s;
                            assert false
                    end
                | _ ->    assert false
	    end
	| "\\round_error" ->
	    begin
	      match (List.hd linfo.l_profile).lv_type with
		| Ctype x when x == doubleType -> "\\double_round_error"
		| Ctype x when x == floatType -> "\\single_round_error"
		| _ -> assert false
	    end
	| "\\total_error" ->
	    begin
	      match (List.hd linfo.l_profile).lv_type with
		| Ctype x when x == doubleType -> "\\double_total_error"
		| Ctype x when x == floatType -> "\\single_total_error"
		| _ -> assert false
	    end
	| "\\relative_error" ->
	    begin
	      match (List.hd linfo.l_profile).lv_type with
		| Ctype x when x == doubleType -> "\\double_relative_error"
		| Ctype x when x == floatType -> "\\single_relative_error"
		| _ -> assert false
	    end
	| "\\pow" ->
	    begin
	      match linfo.l_type with
		| Some Lreal -> "\\real_pow"
		| _ -> assert false
	    end
	| "\\sqrt" ->
	    begin
	      match linfo.l_type with
		| Some Lreal -> "\\real_sqrt"
		| _ -> assert false
	    end
	| "\\floor" ->
	    begin
	      match linfo.l_type with
		| Some Linteger -> "\\integer_floor"
		| _ -> assert false
	    end
	| "\\ceil" ->
	    begin
	      match linfo.l_type with
		| Some Linteger -> "\\integer_ceil"
		| _ -> assert false
	    end
	| "\\sign" ->
	    begin
	      match (List.hd linfo.l_profile).lv_type with
		| Ctype x when x == doubleType -> "\\double_sign"
		| Ctype x when x == floatType -> "\\single_sign"
		| _ -> assert false
	    end
	| "\\is_finite" ->
            full_model_function linfo "is_finite" true
	| "\\is_infinite" ->
            full_model_function linfo "is_infinite" false
	| "\\is_NaN" ->
            full_model_function linfo "is_NaN" false
	| "\\is_minus_infinity" ->
            full_model_function linfo "is_minus_infinity" false
	| "\\is_plus_infinity" ->
            full_model_function linfo "is_plus_infinity" false
	| "\\le_float" ->
	    begin
	      match (List.hd linfo.l_profile).lv_type with
		| Ctype x when x == doubleType -> "\\le_double"
		| Ctype x when x == floatType -> "\\le_single"
		| _ -> assert false
	    end
	| "\\lt_float" ->
	    begin
	      match (List.hd linfo.l_profile).lv_type with
		| Ctype x when x == doubleType -> "\\lt_double"
		| Ctype x when x == floatType -> "\\lt_single"
		| _ -> assert false
	    end
	| "\\ge_float" ->
	    begin
	      match (List.hd linfo.l_profile).lv_type with
		| Ctype x when x == doubleType -> "\\ge_double"
		| Ctype x when x == floatType -> "\\ge_single"
		| _ -> assert false
	    end
	| "\\gt_float" ->
	    begin
	      match (List.hd linfo.l_profile).lv_type with
		| Ctype x when x == doubleType -> "\\gt_double"
		| Ctype x when x == floatType -> "\\gt_single"
		| _ -> assert false
	    end
	| "\\eq_float" ->
	    begin
	      match (List.hd linfo.l_profile).lv_type with
		| Ctype x when x == doubleType -> "\\eq_double"
		| Ctype x when x == floatType -> "\\eq_single"
		| _ -> assert false
	    end
	| "\\ne_float" ->
	    begin
	      match (List.hd linfo.l_profile).lv_type with
		| Ctype x when x == doubleType -> "\\ne_double"
		| Ctype x when x == floatType -> "\\ne_single"
		| _ -> assert false
	    end
	| s ->

          try
            Hashtbl.find jessie_builtins s
          with Not_found ->
	    try
(*
	      Format.eprintf "Jessie.interp: Checking if %s overloaded" s;
*)
	      let x = Hashtbl.find Rewrite.logic_names_overloading s in
	      if !x then
		let ns = name_with_profile s linfo.l_profile in
(*
		Format.eprintf "yes! -> %s@." ns;
*)
		ns
	      else
		begin
(*
		  Format.eprintf "no@.";
*)
		  s
		end
	    with Not_found ->
	      (* this happens with Jessie-generated predicates like valid_* etc *)
(*
	      Format.eprintf "Jessie.Interp: warning, logic id `%s' not present in overloading table@." s;
*)
	      s
    in
(*
    Format.eprintf "Jessie.interp: translated(%s) = %s" linfo.l_var_info.lv_name name;
*)
    Hashtbl.add translated_names_table linfo.l_var_info.lv_id name;
    name

(*****************************************************************************)
(* Cil to Jessie translation of types                                        *)
(*****************************************************************************)

let type_of_padding = mktype (JCPTidentifier (name_of_padding_type,[]))

let type_conversion_table = Hashtbl.create 0

(* VP: unused function *)
(* let type_conversion ty1 ty2 =
  let ty1 = typeRemoveAttributes ["const";"volatile"] (unrollType ty1) in
  let ty2 = typeRemoveAttributes ["const";"volatile"] (unrollType ty2) in
  let sig1 = typeSig ty1 and sig2 = typeSig ty2 in
  try
    let _,_,ty1_to_ty2,ty2_to_ty1 =
      Hashtbl.find type_conversion_table (sig1,sig2)
    in
    ty1_to_ty2,ty2_to_ty1
  with Not_found ->
    try
      let _,_,ty2_to_ty1,ty1_to_ty2 =
        Hashtbl.find type_conversion_table (sig2,sig1)
      in
      ty1_to_ty2,ty2_to_ty1
    with Not_found ->
      let n1 = type_name ty1 and n2 = type_name ty2 in
      let ty1_to_ty2 = unique_logic_name (n1 ^ "_to_" ^ n2) in
      let ty2_to_ty1 = unique_logic_name (n2 ^ "_to_" ^ n1) in
      Hashtbl.add
        type_conversion_table (sig1,sig2) (ty1,ty2,ty1_to_ty2,ty2_to_ty1);
      ty1_to_ty2,ty2_to_ty1
*)
(*
type float_rounding_mode = [ `Downward | `Nearest | `Upward | `Towardzero | `Towardawayzero ]

let float_rounding_mode : float_rounding_mode ref = ref `Nearest
*)

let ctype ?bitsize ty =
  let tnode = match unrollType ty with
    | TVoid _attr -> JCPTnative Tunit

    | TInt(_ik,_attr) ->
        if !int_model = IMexact then
          JCPTnative Tinteger
        else
          JCPTidentifier (name_of_integral_type ?bitsize ty,[])

    | TFloat(fk,_attr) ->
        begin
          match !float_model with
            | `Math ->
                (* Mode "math": floats interpreted as reals *)
                JCPTnative Treal
            | `Defensive | `Full | `Multirounding ->
                  begin
                    match fk with
                      | FFloat -> JCPTnative (Tgenfloat `Float)
                      | FDouble -> JCPTnative (Tgenfloat `Double)
                      | FLongDouble ->
                          unsupported "Jessie does not handle long double yet"
                  end
        end
    | TPtr(_elemty,_attr) ->
        if is_reference_type ty then
          (* Do not use [_elemty] directly but rather [pointed_type ty] in order
           * to get to the array element in references, i.e. pointers to arrays.
           *)
          begin match unrollType (pointed_type ty) with
            | TComp(compinfo,_,_) ->
                let min_bound = Num.Int 0 in
                let max_bound =
                  Num.num_of_string (Int64.to_string (reference_size ty - 1L))
                in
                JCPTpointer(compinfo.cname,[],Some min_bound,Some max_bound)
            | _ -> assert false
          end
        else
          begin match unrollType (pointed_type ty) with
            | TComp(compinfo,_,_) ->
                JCPTpointer(compinfo.cname,[],None,None)
            | _ -> assert false
          end

    | TArray _ -> assert false (* Removed by translation *)

    | TFun _ ->
	unsupported "Function pointer type %a not allowed"
	  Printer.pp_typ ty

    | TNamed _ -> assert false (* Removed by call to [unrollType] *)

    | TComp(compinfo,_,_) -> JCPTidentifier (compinfo.cname,[])

    | TEnum(enuminfo,_) -> JCPTidentifier (enuminfo.ename,[])

    | TBuiltin_va_list _ -> unsupported "Type builtin_va_list not allowed"
  in
  mktype tnode

let ltype t =
  (* Expand synonym types before translation. *)
  match Logic_utils.unroll_type t with
  | Ctype ty -> ctype ty
  | Ltype (s,[]) when s.lt_name = Utf8_logic.boolean ->
      mktype (JCPTidentifier ("boolean",[]))
  | Ltype (s,[]) -> mktype (JCPTidentifier (s.lt_name,[]))
  | Linteger -> mktype (JCPTnative Tinteger)
  | Lreal -> mktype (JCPTnative Treal)
  | Ltype(_,_)  -> unsupported "polymorphic logic type"
  | Lvar _  -> unsupported "logic type variable"
  | Larrow _ -> unsupported "function type in logic"


(*****************************************************************************)
(* Cil to Jessie translation of constants                                    *)
(*****************************************************************************)

let native_type_of_fkind x : Jc_env.native_type =
  match x with
    | FFloat -> Tgenfloat `Float
    | FDouble -> Tgenfloat `Double
    | FLongDouble -> failwith "Jessie does not handle long double yet"

let strip_float_suffix s =
  let l = pred(String.length s)  in
    match String.get s l with
      | 'f' | 'F' | 'l' | 'L' -> String.sub s 0 l
      | _ -> s


let logic_const pos = function
  | Integer(_,Some s) -> JCPEconst (JCCinteger s)
  | Integer(n,None) -> JCPEconst (JCCinteger (Integer.to_string n))
  | LStr _ | LWStr _ ->
    Common.unsupported "string literals in logic"
  | LChr c -> JCPEconst (JCCinteger(string_of_int (Char.code c)))
  | LReal { r_literal = s } -> JCPEconst (JCCreal (strip_float_suffix s))
  | LEnum ei ->
      (match Cil.isInteger (ei.eival) with
        | Some n ->
            let e =
              mkexpr (JCPEconst (JCCinteger (Integer.to_string n))) pos
            in
            JCPEcast(e,ctype(TEnum(ei.eihost,[])))
        | None -> assert false)

let rec const pos = function
  | CInt64(_,_,Some s) ->
      (* Use the textual representation if available *)
      JCPEconst(JCCinteger s)

  | CInt64(i,_ik,None) ->
      JCPEconst(JCCinteger(Integer.to_string i))

  | CStr _ | CWStr _ -> assert false (* Should have been rewritten *)

  | CChr c -> JCPEconst(JCCinteger(string_of_int (Char.code c)))

  | CReal(_f,fk,Some s) ->
      (* Use the textual representation if available *)
      let s = strip_float_suffix s in
      begin match !float_model with
	| `Math -> JCPEconst(JCCreal s)
        | `Defensive | `Full | `Multirounding ->
            (* add a cast to float or double depending on the value of fk *)
            JCPEcast(mkexpr (JCPEconst(JCCreal s)) pos,
                     mktype (JCPTnative (native_type_of_fkind fk)))
      end
  | CReal(f,_fk,None) ->
      (* otherwise use the float value *)
      JCPEconst(JCCreal(string_of_float f))

  | CEnum item ->
      let e = mkexpr (const_of_expr pos item.eival) pos in
      JCPEcast(e,ctype (TEnum(item.eihost,[])))

and const_of_expr pos e =
  match (stripInfo e).enode with
      Const c -> const pos c
    | _ -> assert false

and boolean_const = function
  | CInt64(i,_ik,_text) ->
    if Integer.equal i Integer.zero then JCCboolean false
    else JCCboolean true

  | CStr _ | CWStr _ -> JCCboolean true

  | CChr c ->
      if Char.code c = 0 then JCCboolean false else JCCboolean true

  | CReal(f,_fk,_text) ->
      if f = 0.0 then JCCboolean false else JCCboolean true

  | CEnum {eival = e } -> boolean_const_of_expr e

and boolean_const_of_expr e =
  match (stripInfo e).enode with Const c -> boolean_const c | _ -> assert false


(*****************************************************************************)
(* Cil to Jessie translation of logic constructs                             *)
(*****************************************************************************)

let label = function
  | Label(lab,_,_) -> lab
  | Case _ | Default _ -> assert false

let logic_label lab =
  let label_name s =
    LabelName {
      label_info_name = s;
      label_info_final_name = s;
      times_used = 0;
    }
  in
  match lab with
    | LogicLabel(_,s) -> label_name s
    | StmtLabel sref ->
        let labels = filter_out is_case_label !sref.labels in
        assert (not (labels = []));
        label_name (label (List.hd labels))

let logic_labels = List.map logic_label

let logic_labels_assoc =
  List.map (fun (_,l) -> logic_label l)

let term_lhost pos = function
  | TVar v ->
      (try
         let li = Logic_env.find_logic_cons v in
         match
           li.l_labels with
             | [] -> mkexpr(JCPEvar v.lv_name) pos
             | [_] ->  mkexpr (JCPEapp (v.lv_name,[],[])) pos
             | _ ->
                 Jessie_options.fatal
                   "cannot handle logic constant %s with several labels"
                   v.lv_name
       with Not_found ->
         mkexpr (JCPEvar v.lv_name) pos)
  | TResult _ -> mkexpr (JCPEvar "\\result") pos
  | TMem t ->
      unsupported "this kind of memory access is not currently supported: *%a"
        Printer.pp_term t
(*
         Loc.report_position pos
*)

let product f t1 t2 =
  List.fold_right
    (fun x acc -> List.fold_right (fun y acc -> f x y :: acc) t2 acc) t1 []

let rec coerce_floats t =
  match !float_model with
    | `Math -> terms t
    | `Defensive | `Full | `Multirounding ->
        if isLogicFloatType t.term_type then
          List.map
            (fun e ->
              mkexpr (JCPEcast(e, mktype (JCPTnative Treal))) t.term_loc)
            (terms t)
        else terms t

and terms t =
  CurrentLoc.set t.term_loc;
  let enode = match constFoldTermNodeAtTop t.term_node with
    | TConst c -> [logic_const t.term_loc c]

    | TDataCons({ctor_type = {lt_name = name} } as d,_args)
        when name = Utf8_logic.boolean ->
        [JCPEconst (JCCboolean (d.ctor_name = "\\true"))]

    | TDataCons(ctor,args) ->
        let args = List.map terms args in
        let args =
          List.fold_right (product (fun x y -> x::y)) args [[]]
        in
        List.map (fun x -> JCPEapp(ctor.ctor_name,[],x)) args

    | TUpdate _ -> Common.unsupported "logic update"

    | Toffset _ -> Common.unsupported "logic offset"

    | TLval lv ->
        List.map (fun x -> x#node) (terms_lval t.term_loc lv)

    | TSizeOf _ | TSizeOfE _ | TSizeOfStr _ | TAlignOf _ | TAlignOfE _ ->
        assert false (* Should be removed by constant folding *)

    | TUnOp(op,t) ->
        List.map (fun x -> JCPEunary(unop op,x)) (coerce_floats t)

    | TBinOp((Lt | Gt | Le | Ge as op),t1,t2)
        when app_term_type isPointerType false t1.term_type ->
        (* Pointer comparison is translated as subtraction *)
        let t1 = terms t1 in
        let t2 = terms t2 in
        let expr x y =
          let sube = mkexpr (JCPEbinary(x,`Bsub,y)) t.term_loc in
          JCPEbinary(sube,binop op,zero_expr)
        in product expr t1 t2

    | TBinOp(Shiftrt,t1,t2) ->
        begin match possible_value_of_integral_term t2 with
          | Some i when Integer.ge i Integer.zero
              && Integer.lt i (Integer.of_int 63)  ->
              (* Right shift by constant is division by constant *)
              let pow = constant_term t2.term_loc (Integer.two_power i) in
              List.map (fun x ->JCPEbinary(x,`Bdiv,term pow)) (terms t1)
          | _ ->
              let op = match t1.term_type with
                | Ctype ty1 ->
                    if isSignedInteger ty1 then `Barith_shift_right
                    else `Blogical_shift_right
                | Linteger -> `Barith_shift_right
                | _ -> assert false
              in
              product (fun x y -> JCPEbinary(x,op,y)) (terms t1) (terms t2)
        end

    | TBinOp(Shiftlt as op,t1,t2) ->
        begin match possible_value_of_integral_term t2 with
          | Some i when Integer.ge i Integer.zero &&
              Integer.lt i (Integer.of_int 63) ->
              (* Left shift by constant is multiplication by constant *)
              let pow = constant_term t2.term_loc (Integer.two_power i) in
              List.map (fun x -> JCPEbinary(x,`Bmul,term pow)) (terms t1)
          | _ ->
              product (fun x y -> JCPEbinary(x,binop op,y))
                (terms t1) (terms t2)
        end

    | TBinOp((Lt | Gt | Le | Ge) as op,t1,t2) ->
        product (fun x y -> JCPEbinary(x,binop op,y)) (terms t1) (terms t2)

    | TBinOp(op,t1,t2) ->
        product
          (fun x y -> JCPEbinary(x,binop op,y))
          (coerce_floats t1)
          (coerce_floats t2)

    | TCastE(ty,t)
        when isIntegralType ty && isLogicRealType t.term_type ->
          List.map (fun x -> JCPEapp("\\truncate_real_to_int",[],[x])) (terms t)

    | TCastE(ty,t)
        when isIntegralType ty && isLogicArithmeticType t.term_type ->
        if !int_model = IMexact then
          List.map (fun x -> x#node) (terms t)
        else
          List.map (fun x -> JCPEcast(x,ctype ty)) (terms t)

    | TCastE(ty,t)
        when isFloatingType ty && isLogicArithmeticType t.term_type ->
          List.map (fun x -> JCPEcast(x,ctype ty)) (terms t)

    | TCastE(ty,t)
        when isIntegralType ty && app_term_type isPointerType false t.term_type ->
	unsupported "Casting from type %a to type %a not allowed"
          Printer.pp_logic_type t.term_type Printer.pp_typ ty

    | TCastE(ptrty,_t1) when isPointerType ptrty ->
        let t = stripTermCasts t in
        begin match t.term_node with
          | Tnull ->
              [JCPEconst JCCnull]
          | TConst c
              when is_integral_logic_const c &&
                Integer.equal
                (value_of_integral_logic_const c) Integer.zero ->
              [JCPEconst JCCnull]
          | _ ->
(*               if isLogicIntegralType t.term_type then *)
(*                 let addr = *)
(*                   mkexpr (JCPEaddress(Addr_absolute,term t)) t.term_loc *)
(*                 in *)
(*                 JCPEcast(addr,ctype ptrty) *)
(*               else if force_app_term_type isIntegralType t.term_type *)
(*                 && *)
(*                 force_app_term_type bits_sizeof t.term_type *)
(*                 = bits_sizeof ptrty *)
(*               then *)
(*                 let _,int_to_ptr = *)
(*                   force_app_term_type (type_conversion ptrty) t.term_type *)
(*                 in *)
(*                 JCPEapp(int_to_ptr,[],[term t]) *)
(*                else if force_app_term_type isPointerType t.term_type then *)
(*                 let destty = pointed_type ptrty in *)
(*                 let srcty = force_app_term_type pointed_type t.term_type in *)
(*                 if Retype.subtype srcty destty then *)
(*                   (term t)#node *)
(*                 else if Retype.TypeUnion.same_class destty srcty then *)
(*                   JCPEcast(term t,ctype ptrty) *)
(*                 else *)
                  (* bitwise cast *)
(*                   JCPEcast(term t,ctype ptrty) *)
(*                   let _,ptr_to_ptr = *)
(*                     force_app_term_type (type_conversion ptrty) t.term_type *)
(*                   in *)
(*                   JCPEapp(ptr_to_ptr,[],[term t]) *)
(*               else *)
              (* Only hierarchical types are available in Jessie. It
               * should have been encoded as the use of pointer types
               * on structure type.
               *)

(*               match unrollType ty with *)
(*                 | TComp(compinfo,_) -> *)
(*                     JCPEcast(term t,compinfo.cname) *)
(*                 | _ -> assert false *)
              unsupported "Casting from type %a to type %a not allowed in logic"
                Printer.pp_logic_type t.term_type Printer.pp_typ ptrty
        end

    | TCastE(ty,t) ->
        (* TODO: support other casts in Jessie as well, through low-level
         * memory model
         *)
	unsupported "Casting from type %a to type %a not allowed"
          Printer.pp_logic_type t.term_type Printer.pp_typ ty

    | TAddrOf _tlv -> assert false (* Should have been rewritten *)

    | TStartOf tlv ->
        List.map (fun x -> x#node) (terms_lval t.term_loc tlv)

    | Tapp(linfo,labels,tlist) ->
	begin
	  try
            let name = translated_name linfo tlist in
            let prof, tlist =
              if linfo.l_var_info.lv_name = "\\round_float" then
                List.tl linfo.l_profile, List.tl tlist
              else
                linfo.l_profile, tlist
            in
            let args =
	      List.map2
		(fun lv t ->
		   let t' = terms t in
		   if isLogicFloatType t.term_type && isLogicRealType lv.lv_type
		   then
		     List.map
		       (fun t' ->
			  mkexpr (JCPEcast(t', mktype (JCPTnative Treal))) t.term_loc)
		       t'
	       else t')
		prof
		tlist
	    in
            let all_args = List.fold_right (product (fun x y -> x::y)) args [[]] in
            List.map
              (fun x -> JCPEapp(name,logic_labels_assoc labels,x)) all_args
	  with (CtePredicate b)->
	   [JCPEconst (JCCboolean b)]
	end

    | Tif(t1,t2,t3) ->
        let t1 = terms t1 in let t2 = terms t2 in let t3 = terms t3 in
        product (fun f x -> f x)
          (product (fun x y z -> JCPEif(x,y,z)) t1 t2) t3

    | Tat(t,lab) -> List.map (fun x -> JCPEat(x,logic_label lab)) (terms t)

    | Tbase_addr (_lab,t) -> List.map (fun x -> JCPEbase_block x) (terms t)

    | Tblock_length (_lab,_t) -> Common.unsupported "\\block_length operator"

    | Tnull -> [JCPEconst JCCnull]

    | Tlet(def,body) ->
        begin
          let v = def.l_var_info in
          match def.l_body, def.l_profile with
            | LBterm t, [] ->
                let jc_def = term t in
                let jc_body = term body in
                let typ = ltype v.lv_type in
                [JCPElet(Some typ, v.lv_name, Some jc_def, jc_body)]
            | LBpred p, [] ->
                let jc_def = pred p in
                let jc_body = term body in
                [JCPElet(None,v.lv_name, Some jc_def, jc_body)]
            | (LBterm _ | LBpred _), _::_ ->
                Common.unsupported "local function definition"
            | (LBnone | LBreads _ | LBinductive _), _ ->
                Jessie_options.fatal "Unexpected definition for local variable"
        end
    | TCoerce(_t,_typ) -> Common.unsupported "term coercion"

    | TCoerceE(_t1,_t2) -> Common.unsupported "term coercion"

    | Tlambda _ ->
	unsupported "Jessie plugin does not support lambda abstraction"

    | Ttypeof _ | Ttype _ -> assert false (* Should have been treated *)

    | Trange(low,high) -> [JCPErange(opt_map term low,opt_map term high)]
    | Tunion l ->
        List.map (fun x -> x#node) (List.flatten (List.map terms l))
    | Tcomprehension _ -> Common.unsupported "sets by comprehension"
    | Tinter _ -> Common.unsupported " set intersection"
    | Tempty_set -> []
    | TLogic_coerce(Lreal,t) -> List.map (fun x -> x#node) (coerce_floats t)
    | TLogic_coerce(_,t) -> List.map (fun x -> x#node) (terms t)

  in
  List.map (swap mkexpr t.term_loc) enode

and tag t =
  let tag_node = match t.term_node with
    | Ttypeof t -> JCPTtypeof (term t)
    | Ttype ty ->
        let id = mkidentifier (get_struct_name (pointed_type ty)) t.term_loc in
        JCPTtag id
    | _ -> assert false (* Not a tag *)
  in
  mktag tag_node t.term_loc

and terms_lval pos lv =
  match lv with
    | lhost, TNoOffset -> [term_lhost pos lhost]

    | (TVar _ | TResult _), _off ->
        assert false (* Should have been rewritten *)

    | TMem t, TModel(mi, toff) ->
        assert (toff = TNoOffset); (* Others should have been rewritten *)
        let e = terms t in
          List.map (fun e -> mkexpr (JCPEderef(e,mi.mi_name)) pos) e

    | TMem t, TField(fi,toff) ->
        assert (toff = TNoOffset); (* Others should have been rewritten *)
        let e = terms t in
        if not fi.fcomp.cstruct then (* field of union *)
          List.map (fun e -> mkexpr (JCPEcast(e,ctype fi.ftype)) pos) e
        else
          let repfi = Retype.FieldUnion.repr fi in
          let e,fi =
            if Fieldinfo.equal fi repfi then
              e,fi
            else
              let caste =
                List.map
                  (fun e ->
                     mkexpr (
                       JCPEcast(e,
                                ctype (TPtr(TComp(repfi.fcomp,empty_size_cache (),[]),[])))) pos)
                  e
              in
              caste,repfi
          in
          List.map (fun e -> mkexpr (JCPEderef(e,fi.fname)) pos) e

    | TMem t, TIndex(it,TField(fi,toff)) ->
        assert (toff = TNoOffset); (* Others should have been rewritten *)
        (* Normalization made it equivalent to simple add *)
        let e = product
          (fun t it -> mkexpr (JCPEbinary(t,`Badd,it)) pos)
          (terms t) (terms it)
        in
        if not fi.fcomp.cstruct then (* field of union *)
          List.map (fun e -> mkexpr (JCPEcast(e,ctype fi.ftype)) pos) e
        else
          let repfi = Retype.FieldUnion.repr fi in
          let e,fi =
            if Fieldinfo.equal fi repfi then
              e,fi
            else
              let caste =
                List.map
                  (fun e ->
                     mkexpr
                       (JCPEcast(e,ctype
                                   (TPtr(TComp(repfi.fcomp,empty_size_cache (),[]),[])))) pos)
                  e
              in
              caste,repfi
          in
          List.map (fun e -> mkexpr (JCPEderef(e,fi.fname)) pos) e
    | TMem _e, TIndex _ ->
        unsupported "cannot interpret this lvalue: %a"
          Printer.pp_term_lval lv

and term t =
  match terms t with [ t ] -> t
    | _ ->
	unsupported "Expecting a single term, not a set:@ %a@."
          Printer.pp_term t

(* VP: unused function *)
(* and term_lval pos lv  =
  match terms_lval pos lv with [ lv ] -> lv
    | _ ->
	unsupported "Expecting a single lval, not a set:@ %a@."
          Printer.pp_term_lval lv
*)
and pred p =
  CurrentLoc.set p.pred_loc;
  let enode = match p.pred_content with
    | Pfalse -> JCPEconst(JCCboolean false)

    | Ptrue -> JCPEconst(JCCboolean true)

    | Papp(pinfo,labels,tl) ->
	begin
	  try
            let name = translated_name pinfo tl in
	(*
          JCPEapp(name,logic_labels_assoc labels,List.map term tl)
	*)
        let args =
	  List.map2
	    (fun lv t ->
	       let t' = term t in
	       if isLogicFloatType t.term_type && isLogicRealType lv.lv_type
	       then
		 mkexpr (JCPEcast(t', mktype (JCPTnative Treal))) t.term_loc
	       else t')
	    pinfo.l_profile
	    tl
	in
	JCPEapp(name,logic_labels_assoc labels, args)
	  with (CtePredicate b) -> JCPEconst(JCCboolean b)

	end
    | Prel((Rlt | Rgt | Rle | Rge as rel),t1,t2)
        when app_term_type isPointerType false t1.term_type ->
        (* Pointer comparison is translated as subtraction *)
        let sube = mkexpr (JCPEbinary(term t1,`Bsub,term t2)) p.pred_loc in
        JCPEbinary(sube,relation rel,zero_expr)

(*     | Prel((Req | Rneq as rel),t1,t2)  *)
(*         when app_term_type isPointerType false t1.term_type *)
(*           && (not (is_null_term t1 || is_null_term t2)) *)
(*           && (not (is_base_addr t1 || is_base_addr t2)) -> *)
(*         (* Pointer (dis-)equality is translated as subtraction *) *)
(*         let sube = mkexpr (JCPEbinary(term t1,`Bsub,term t2)) p.loc in *)
(*         JCPEbinary(sube,relation rel,zero_expr) *)

    | Prel(Req,t1,t2) when isTypeTagType t1.term_type ->
        JCPEeqtype(tag t1,tag t2)

    | Prel(Rneq,t1,t2) when isTypeTagType t1.term_type ->
        let eq = mkexpr (JCPEeqtype(tag t1,tag t2)) p.pred_loc in
        JCPEunary(`Unot,eq)

    | Prel(rel,t1,t2) ->
        let res =
          product (fun t1 t2 -> mkexpr (JCPEbinary(t1,relation rel,t2)) p.pred_loc)
            (coerce_floats t1) (coerce_floats t2)
        in (mkconjunct res p.pred_loc)#node
    | Pand(p1,p2) ->
        JCPEbinary(pred p1,`Bland,pred p2)

    | Por(p1,p2) ->
        JCPEbinary(pred p1,`Blor,pred p2)

    | Pxor(p1,p2) ->
        let notp2 = { p2 with pred_content = Pnot p2; } in
        let p1notp2 = { p with pred_content = Pand(p1,notp2); } in
        let notp1 = { p1 with pred_content = Pnot p1; } in
        let p2notp1 = { p with pred_content = Pand(p2,notp1); } in
        JCPEbinary(pred p1notp2,`Blor,pred p2notp1)

    | Pimplies(p1,p2) ->
        JCPEbinary(pred p1,`Bimplies,pred p2)

    | Piff(p1,p2) ->
        JCPEbinary(pred p1,`Biff,pred p2)

    | Pnot p -> JCPEunary(`Unot,pred p)

    | Pif(t,p1,p2) -> JCPEif(term t,pred p1,pred p2)

    | Plet(def,body) ->
	begin
          let v = def.l_var_info in
          match def.l_body, def.l_profile with
            | LBterm t, [] ->
                let jc_def = term t in
                let jc_body = pred body in
                let typ = ltype v.lv_type in
                JCPElet(Some typ, v.lv_name, Some jc_def, jc_body)
            | LBpred p, [] ->
                let jc_def = pred p in
                let jc_body = pred body in
                JCPElet(None,v.lv_name, Some jc_def, jc_body)
            | (LBterm _ | LBpred _), _::_ ->
                Common.unsupported "local function definition"
            | (LBnone | LBreads _ | LBinductive _), _ ->
                Jessie_options.fatal "Unexpected definition for local variable"
        end

    | Pforall([],p) -> (pred p)#node

    | Pforall([v],p) ->
        JCPEquantifier(Forall,ltype v.lv_type,
                       [new identifier v.lv_name], [],pred p)

    | Pforall(v::q,subp) ->
        let newp = { p with pred_content = Pforall(q,subp) } in
        JCPEquantifier(Forall,ltype v.lv_type,
                       [new identifier v.lv_name], [],pred newp)

    | Pexists([],p) -> (pred p)#node

    | Pexists([v],p) ->
        JCPEquantifier(Exists,ltype v.lv_type,
                       [new identifier v.lv_name], [],pred p)

    | Pexists(v::q,subp) ->
        let newp = { p with pred_content = Pexists(q,subp) } in
        JCPEquantifier(Exists,ltype v.lv_type,
                       [new identifier v.lv_name], [],pred newp)

    | Pat(p,lab) -> JCPEat(pred p,logic_label lab)

    | Pvalid(_lab,
             { term_node = TBinOp(PlusPI,t1,
                                  {term_node = Trange (t2,t3)})}) ->
        let e1 = terms t1 in
        let mk_one_pred e1 =
          match t2,t3 with
            | None,None -> true_expr
            | Some t2,None ->
                let e2 = term t2 in
                let eoffmin = mkexpr (JCPEoffset(Offset_min,e1)) p.pred_loc in
                mkexpr (JCPEbinary(eoffmin,`Ble,e2)) p.pred_loc
            | None, Some t3 ->
                let e3 = term t3 in
                let eoffmax = mkexpr (JCPEoffset(Offset_max,e1)) p.pred_loc in
                mkexpr (JCPEbinary(eoffmax,`Bge,e3)) p.pred_loc
            | Some t2,Some t3 ->
                let e2 = term t2 in
                let e3 = term t3 in
                let eoffmin = mkexpr (JCPEoffset(Offset_min,e1)) p.pred_loc in
                let emin = mkexpr (JCPEbinary(eoffmin,`Ble,e2)) p.pred_loc in
                let eoffmax = mkexpr (JCPEoffset(Offset_max,e1)) p.pred_loc in
                let emax = mkexpr (JCPEbinary(eoffmax,`Bge,e3)) p.pred_loc in
                mkconjunct [emin; emax] p.pred_loc
        in (mkconjunct (List.map mk_one_pred e1) p.pred_loc)#node

    | Pvalid(_lab,{ term_node = TBinOp(PlusPI,t1,t2)}) ->
        let e1 = terms t1 in
        let e2 = term t2 in
        (mkconjunct
           (List.flatten
              (List.map
                 (fun e1 ->
                    let eoffmin = mkexpr (JCPEoffset(Offset_min,e1)) p.pred_loc in
                    let emin = mkexpr (JCPEbinary(eoffmin,`Ble,e2)) p.pred_loc in
                    let eoffmax = mkexpr (JCPEoffset(Offset_max,e1)) p.pred_loc in
                    let emax = mkexpr (JCPEbinary(eoffmax,`Bge,e2)) p.pred_loc in
                    [emin; emax])
                 e1)) p.pred_loc)#node
    | Pvalid (_lab,t) ->
        let elist =
          List.flatten (List.map (fun e ->
            let eoffmin = mkexpr (JCPEoffset(Offset_min,e)) p.pred_loc in
            let emin = mkexpr (JCPEbinary(eoffmin,`Ble,zero_expr)) p.pred_loc in
            let eoffmax = mkexpr (JCPEoffset(Offset_max,e)) p.pred_loc in
            let emax = mkexpr (JCPEbinary(eoffmax,`Bge,zero_expr)) p.pred_loc in
            [emin; emax]
          ) (terms t))
        in
        (mkconjunct elist p.pred_loc)#node

    | Pvalid_read _ -> Common.unsupported "\\valid_read operator"

    | Pfresh (_lab1,_lab2,t,_) ->
      (* TODO: take into account size *)
      JCPEfresh(term t)

    | Pallocable _ -> Common.unsupported "\\allocable operator"

    | Pfreeable _ -> Common.unsupported "\\freeable operator"


    | Psubtype({term_node = Ttypeof t},{term_node = Ttype ty}) ->
        JCPEinstanceof(term t,get_struct_name (pointed_type ty))

    | Psubtype(_t1,_t2) -> Common.unsupported "subtype"

    | Pseparated(_seps) -> Common.unsupported "\\separated operator"

    | Pinitialized _ -> Common.unsupported "\\initialized operator"

    | Pdangling _ -> Common.unsupported "\\dangling_contents operator"

    | Pvalid_function _ -> Common.unsupported "\\valid_function"

  in
  mkexpr enode p.pred_loc

(* Keep names associated to predicate *)
let named_pred p =
  List.fold_right
    (fun lab p -> mkexpr (JCPElabel(lab,p)) p#pos) p.pred_name (pred p)

let conjunct pos pl =
  mkconjunct (List.map (pred $ Logic_const.pred_of_id_pred) pl) pos

let zone (tset,_) = terms tset.it_content

(* Distinguish between:
 * - no assign, which is the empty list in Cil and None in Jessie
 * - assigns nothing, which is [Nothing] in Cil and the Some[] in Jessie
 *)
let assigns = function
  | WritesAny -> None
  | Writes assign_list ->
    let assign_list =
      List.filter
        (function out,_ -> not (Logic_utils.is_result out.it_content))
        assign_list
    in
    let assign_list = List.flatten (List.map zone assign_list) in
    Some(Loc.dummy_position,assign_list)

let allocates a =
  match a with
    | FreeAllocAny ->
        None
    | FreeAlloc(alloc,frees) ->
      let assign_list =
        List.fold_left
          (fun acc out ->
             if false (* Logic_utils.is_result out.it_content *)
             then acc else (out,1)::acc)
          [] (alloc @ frees)
      in
      let assign_list = List.flatten (List.map zone assign_list) in
      Some(Loc.dummy_position,assign_list)

let spec _fname funspec =
  let is_normal_postcond =
    function (Normal,_) -> true
      | (Exits | Returns | Breaks | Continues),_ -> false
  in
  let behavior b =
    if List.exists (not $ is_normal_postcond) b.b_post_cond then
      warn_once "abrupt clause(s) ignored";
    let name =
      if b.b_name = Cil.default_behavior_name then
        name_of_default_behavior
      else if b.b_name = name_of_default_behavior then
        name_of_default_behavior ^ "_jessie"
      else b.b_name
    in
(*    Format.eprintf "[spec] function %s, producing behavior '%s' from behavior '%s'@." fname name b.b_name;
    Format.eprintf "b_allocation = ";
    begin
      match b.b_allocation with
        | FreeAllocAny ->
            Format.eprintf "FreeAllocAny@."
        | FreeAlloc(l1,l2) ->
            Format.eprintf "FreeAlloc(%d,%d)@." (List.length l1) (List.length l2)
    end;
*)
    JCCbehavior(
      Loc.dummy_position,
      name,
      None, (* throws *)
      Some(conjunct Loc.dummy_position b.b_assumes),
      None, (* requires *)
      assigns b.b_assigns,
      allocates b.b_allocation,
      locate
        (conjunct Loc.dummy_position
           (Extlib.filter_map
              (function (Normal,_) -> true
                 | (Exits | Returns | Breaks | Continues),_ -> false)
              snd b.b_post_cond)))
  in
  let behaviors = List.map behavior funspec.spec_behavior in
  let requires =
    List.fold_right
      (fun b acc ->
         let ass = List.map (pred $ Logic_const.pred_of_id_pred) b.b_assumes in
         List.fold_right
           (fun req acc ->
              let impl = mkimplies ass
                (pred (Logic_const.pred_of_id_pred req))
                  Loc.dummy_position in
              JCCrequires(locate impl) :: acc)
           b.b_requires
           acc
      )
      funspec.spec_behavior
      []
  in

  let complete_behaviors_assertions : Jc_ast.pexpr list =
    List.map
      (fun bnames ->
         (* inutile, car dans le contexte de la precondition
            let r = mkconjunct
            (List.map (function
            | JCCrequires p -> p
            | _ -> assert false)
            requires)
            Loc.dummy_position
            in
         *)
         let a = mkdisjunct
           (List.fold_left
              (fun acc b ->
                 match b with
                   | JCCbehavior(_,name,_,Some a,_,_,_,_) ->
                       if (bnames = [] && name <> Common.name_of_default_behavior)
                         || List.mem name bnames
                       then
                         a :: acc
                       else acc
                   | _ -> assert false)
              [] behaviors)
           Loc.dummy_position
         in
         (*
           Some(mkexpr (JCPEbinary(r,`Bimplies,a)) Loc.dummy_position)
         *)
         a)
      funspec.spec_complete_behaviors
  in
  let disjoint_behaviors_assertions  : Jc_ast.pexpr list =
    List.fold_left
      (fun acc bnames ->
         let all_assumes =
           List.fold_left
             (fun acc b ->
                match b with
                  | JCCbehavior(_,name,_,Some a,_,_,_,_) ->
(*
                      Format.eprintf "name = %s, len bnames = %d@."
                        name (List.length bnames);
*)
                      if (bnames = [] &&
                          name <> Common.name_of_default_behavior)
                        ||
                        List.mem name bnames
                      then
                        a :: acc
                      else acc
                  | _ -> assert false)
             [] behaviors
         in
         let rec aux assumes prevs acc =
           match assumes with
             | [] -> acc
             | b::rem ->
                 let acc =
                   List.fold_left
                     (fun acc a ->
                        (mkexpr (JCPEunary(`Unot,
                                           mkconjunct [b;a] Loc.dummy_position))
                           Loc.dummy_position)
                        :: acc)
                     acc prevs
                 in
                 aux rem (b::prevs) acc
         in
         aux all_assumes [] acc)
      [] funspec.spec_disjoint_behaviors
  in

  let decreases =
    match funspec.spec_variant with
      | None -> []
      | Some(t,None) ->
          [JCCdecreases(locate (term t),None)]
      | Some(t,Some id) ->
          [JCCdecreases(locate (term t),Some (new identifier id))]
  in

  (* TODO: translate terminates clauses *)
  if funspec.spec_terminates <> None then
    warn_once "Termination condition(s) ignored" ;

  (requires @ decreases @ behaviors),
  complete_behaviors_assertions,
  disjoint_behaviors_assertions

(* Depending on the argument status, an assertion with this status may
   not generate any PO but still be used as an hypothesis. *)
(*[VP] this is not in the AST anymore. Information needs to be retrieved from table*)
(*let assertion = function
  | { status = Checked { valid = True } } -> Aassume
  | _ -> Aassert
*)

let built_behavior_ids = function
    [] -> [ new identifier name_of_default_behavior ]
  | l ->
      List.map
        (fun i ->
           new identifier
             (if i = name_of_default_behavior then name_of_default_behavior ^ "_jessie"
              else i))
        l

let code_annot pos ((acc_assert_before,contract) as acc) a =
  let push s = s::acc_assert_before,contract in
  match a.annot_content with
    | AAssert (behav,p) ->
        let behav = built_behavior_ids behav in
        let asrt = Aassert in (* [VP] Needs to retrieve exact status *)
        push
          (mkexpr
             (JCPEassert (behav,asrt,locate ~pos (named_pred p))) pos)
    | AInvariant(_behav,is_loop_inv,_p) ->
        if is_loop_inv then acc (* should be handled elsewhere *)
        else unsupported "general code invariant"
            (*
              let behav = built_behavior_ids behav in
              push
              (mkexpr
              (JCPEassert
              (behav,Aassert,locate ~pos (named_pred p))) pos)
            *)
    | APragma _ -> acc (* just ignored *)
    | AExtended _ -> acc (* just ignored *)
    | AAssigns (_, _) -> acc (* should be handled elsewhere *)
    | AAllocation _ -> acc (* should be handled elsewhere *)
    | AVariant _ -> acc (* should be handled elsewhere *)
    | AStmtSpec ([],s) -> (* TODO: handle case of for *)
        begin
          match contract with
            | None -> (acc_assert_before,Some s)
            | Some _ -> assert false
        end
    | AStmtSpec _ ->
        unsupported "statement contract for a specific behavior"

(*****************************************************************************)
(* Cil to Jessie translation of coding constructs                            *)
(*****************************************************************************)

let set_curFundec, get_curFundec =
  let cf = ref None in
  ((fun f -> cf := Some f),
   (fun () ->
      match !cf with
          None ->
            let res = emptyFunction "@empty@" in cf := Some res; res
        | Some res -> res))

let rec expr e =

  let enode =
    let e = stripInfo e in
    match e.enode with
    | Info _ -> assert false

    | Const c -> const e.eloc c

    | Lval lv -> (lval e.eloc lv)#node

    | SizeOf _ | SizeOfE _ | SizeOfStr _ | AlignOf _ | AlignOfE _ ->
        assert false (* Should be removed by constant folding *)

    | UnOp(_op,_e,ty) when isIntegralType ty ->
        (integral_expr e)#node

    | UnOp(op,e,_ty) ->
        let e =
          locate (mkexpr (JCPEunary(unop op,expr e)) e.eloc)
        in
        e#node

    | BinOp(_op,_e1,_e2,ty) when isIntegralType ty ->
        (integral_expr e)#node

    | BinOp(op,e1,e2,_ty) ->
        let e =
          locate (mkexpr (JCPEbinary(expr e1,binop op,expr e2)) e.eloc)
        in
        e#node

    | CastE(ty,e')
        when isIntegralType ty && isFloatingType (typeOf e') ->
        let e1 =
          locate (mkexpr (JCPEcast(expr e',mktype (JCPTnative Treal))) e.eloc)
        in
	let e =
	  locate (mkexpr (JCPEapp("\\truncate_real_to_int",[],[e1])) e.eloc)
	in e#node

    | CastE(ty,e') when isIntegralType ty && isArithmeticType (typeOf e') ->
        (integral_expr e)#node

    | CastE(ty,e') when isFloatingType ty && isArithmeticType (typeOf e') ->
        let e = locate (mkexpr (JCPEcast(expr e',ctype ty)) e.eloc) in
        e#node

    | CastE(ty,e') when isIntegralType ty && isPointerType (typeOf e') ->
(*         && bits_sizeof ty = bits_sizeof (typeOf e') -> *)
(*         let _,ptr_to_int = type_conversion ty (typeOf e') in *)
(*         JCPEapp(ptr_to_int,[],[expr e']) *)
        unsupported "Casting from type %a to type %a not allowed"
          Printer.pp_typ (typeOf e') Printer.pp_typ ty

    | CastE(ptrty,_e1) when isPointerType ptrty ->
        begin
          let e = stripCastsAndInfo e in
          match e.enode with
          | Const c
              when is_integral_const c
                && Integer.equal (value_of_integral_const c) Integer.zero ->
              JCPEconst JCCnull
          | _ ->
              let ety = typeOf e in
              if isIntegralType ety(*  && bits_sizeof ety = bits_sizeof ptrty *) then
(*                 let _,int_to_ptr = type_conversion ptrty ety in *)
(*                 JCPEapp(int_to_ptr,[],[integral_expr e]) *)
		unsupported "Casting from type %a to type %a not allowed"
                  Printer.pp_typ (typeOf e) Printer.pp_typ ptrty
              else if isPointerType ety then
(*                 let destty = pointed_type ptrty in *)
(*                 let srcty = pointed_type ety in *)
(*                 if Retype.subtype srcty destty then *)
(*                   (expr e)#node *)
(*                 else if Retype.TypeUnion.same_class destty srcty then *)
(*                   let enode = JCPEcast(expr e,ctype ptrty) in *)
(*                   let e = locate (mkexpr enode pos) in *)
(*                   e#node *)
(*                 else *)
                  (* bitwise cast *)
                  let enode = JCPEcast(expr e,ctype ptrty) in
                  let e = locate (mkexpr enode e.eloc) in
                  e#node
(*                   let _,ptr_to_ptr = type_conversion ptrty ety in *)
(*                   JCPEapp(ptr_to_ptr,[],[expr e]) *)
              else
                (* Only hierarchical types are available in Jessie. It
                 * should have been encoded as the use of pointer types
                 * on structure type.
                 *)
(*               match unrollType ty with *)
(*                 | TComp(compinfo,_) -> *)
(*                     JCPEcast(expr (stripCasts e),compinfo.cname) *)
(*                 | _ -> assert false *)
                unsupported "Casting from type %a to type %a not allowed"
                  Printer.pp_typ (typeOf e) Printer.pp_typ ptrty
        end

    | CastE(ty,e') ->
        (* TODO: support other casts in Jessie as well, through low-level
         * memory model
         *)
        unsupported "Casting from type %a to type %a not allowed in %a with size %Ld and %Ld"
          Printer.pp_typ (typeOf e') Printer.pp_typ ty Printer.pp_exp e
          ( bits_sizeof ty) ( bits_sizeof (typeOf e'))


    | AddrOf _lv -> assert false (* Should have been rewritten *)

    | StartOf lv -> (lval e.eloc lv)#node
  in
  mkexpr enode e.eloc

(* Function called when expecting a boolean in Jessie, i.e. when translating
   a test or a sub-expression of an "or" or "and".
*)
and boolean_expr e =
  let boolean_node_from_expr ty e =
    if isPointerType ty then JCPEbinary(e,`Bneq,null_expr)
    else if isArithmeticType ty then JCPEbinary (e,`Bneq,zero_expr)
    else assert false
  in

  let enode = match (stripInfo e).enode with
    | Info _ -> assert false

    | Const c -> JCPEconst(boolean_const c)

    | UnOp(LNot,e,_typ) -> JCPEunary(unop LNot,boolean_expr e)

    | BinOp((LAnd | LOr) as op,e1,e2,_typ) ->
        JCPEbinary(boolean_expr e1,binop op,boolean_expr e2)

    | BinOp((Eq | Ne) as op,e1,e2,_typ) ->
        JCPEbinary(expr e1,binop op,expr e2)

    | BinOp((Lt | Gt | Le | Ge) as op,e1,e2,_typ) ->
        let ty = typeOf e1 in
        if isArithmeticType ty then
          JCPEbinary(expr e1,binop op,expr e2)
        else
          (* Pointer comparison is translated as subtraction *)
          let sube = mkexpr (JCPEbinary(expr e1,`Bsub,expr e2)) e.eloc in
          JCPEbinary(sube,binop op,zero_expr)

    | _ -> boolean_node_from_expr (typeOf e) (expr e)
  in
  mkexpr enode e.eloc

(* Function called instead of plain [expr] when the evaluation result should
 * fit in a C integral type.
 *)
and integral_expr e =

  let rec int_expr e =
    let node_from_boolean_expr e = JCPEif(e,one_expr,zero_expr) in

    let enode = match e.enode with
      | UnOp(LNot,e',_ty) ->
          let e = mkexpr (JCPEunary(unop LNot,boolean_expr e')) e.eloc in
          node_from_boolean_expr e

      | UnOp(op,e',_ty) ->
          let e =
            locate (mkexpr (JCPEunary(unop op,expr e')) e.eloc)
          in
          e#node

      | BinOp((LAnd | LOr) as op,e1,e2,_ty) ->
          let e =
            mkexpr (JCPEbinary(boolean_expr e1,binop op,boolean_expr e2)) e.eloc
          in
          node_from_boolean_expr e

      | BinOp((Lt | Gt | Le | Ge as op),e1,e2,_ty)
          when isPointerType (typeOf e1) ->
          (* Pointer comparison is translated as subtraction *)
          let sube = mkexpr (JCPEbinary(expr e1,`Bsub,expr e2)) e.eloc in
          let e = mkexpr (JCPEbinary(sube,binop op,zero_expr)) e.eloc in
          node_from_boolean_expr e

(*       | BinOp((Eq | Ne as op),e1,e2,_ty) *)
(*           when isPointerType (typeOf e1) && *)
(*             not (is_null_expr e2 || is_null_expr e1) -> *)
(*           (\* Pointer (dis-)equality is translated as subtraction *\) *)
(*           let sube = mkexpr (JCPEbinary(expr e1,`Bsub,expr e2)) pos in *)
(*           let e = mkexpr (JCPEbinary(sube,binop op,zero_expr)) pos in *)
(*           node_from_boolean_expr e *)

      | BinOp((Eq | Ne) as op,e1,e2,_ty) ->
          let e = mkexpr (JCPEbinary(expr e1,binop op,expr e2)) e.eloc in
          node_from_boolean_expr e

      | BinOp((Lt | Gt | Le | Ge) as op,e1,e2,_ty) ->
          let e = mkexpr (JCPEbinary(expr e1,binop op,expr e2)) e.eloc in
          node_from_boolean_expr e

      | BinOp(Shiftrt,e1,e2,_ty) ->
          let e = match possible_value_of_integral_expr e2 with
            | Some i when Integer.ge i Integer.zero &&
                Integer.lt i (Integer.of_int 63) ->
                (* Right shift by constant is division by constant *)
                let pow = constant_expr (Integer.two_power i) in
                locate (mkexpr (JCPEbinary(expr e1,`Bdiv,expr pow)) e.eloc)
            | _ ->
                let op =
                  if isSignedInteger (typeOf e1) then `Barith_shift_right
                  else `Blogical_shift_right
                in
                locate (mkexpr (JCPEbinary(expr e1,op,expr e2)) e.eloc)
          in
          e#node

      | BinOp(Shiftlt as op,e1,e2,_ty) ->
          let e = match possible_value_of_integral_expr e2 with
            | Some i when Integer.ge i Integer.zero &&
                Integer.lt i (Integer.of_int 63) ->
                (* Left shift by constant is multiplication by constant *)
                let pow = constant_expr (Integer.two_power i) in
                locate (mkexpr (JCPEbinary(expr e1,`Bmul,expr pow)) e.eloc)
            | _ ->
                locate (mkexpr (JCPEbinary(expr e1,binop op,expr e2)) e.eloc)
          in
          e#node

      | BinOp(op,e1,e2,_ty) ->
          let e =
            locate (mkexpr (JCPEbinary(expr e1,binop op,expr e2)) e.eloc)
          in
          e#node

      | CastE(ty,e1) when isFloatingType (typeOf e1) ->
          let e1' = locate (mkexpr (JCPEcast(expr e1,ltype Linteger)) e.eloc) in
          if !int_model = IMexact then
            e1'#node
          else
            let e2' = locate (mkexpr (JCPEcast(e1',ctype ty)) e.eloc) in
            e2'#node

      | CastE(ty,e1) when isIntegralType (typeOf e1) ->
          if !int_model = IMexact then
            (int_expr e1)#node
          else
            let e = locate (mkexpr (JCPEcast(int_expr e1,ctype ty)) e.eloc) in
            e#node

      | _ -> (expr e)#node
    in
    mkexpr enode e.eloc
  in

  match e.enode with
    | CastE _ -> int_expr e
    | _ -> int_expr (new_exp ~loc:e.eloc (CastE(typeOf e,e)))

and lval pos = function
  | Var v, NoOffset -> mkexpr (JCPEvar v.vname) pos

  | Var _v, _off -> assert false (* Should have been rewritten *)

  | Mem _e, NoOffset -> assert false (* Should have been rewritten *)

  | Mem e, Field(fi,off) ->
      assert (off = NoOffset); (* Others should have been rewritten *)
      let e = expr e in
      if not fi.fcomp.cstruct then (* field of union *)
        locate (mkexpr (JCPEcast(e,ctype fi.ftype)) pos)
      else
        let repfi = Retype.FieldUnion.repr fi in
        let e,fi =
          if Fieldinfo.equal fi repfi then
            e,fi
          else
            let caste =
              locate
                (mkexpr
                   (JCPEcast(e,
                             ctype (TPtr(TComp(repfi.fcomp,
                                               empty_size_cache (),[]),[]))))
                   pos)
            in
            caste,repfi
        in
        locate (mkexpr (JCPEderef(e,fi.fname)) pos)

  | Mem e, Index(ie,Field(fi,off)) ->
      assert (off = NoOffset); (* Others should have been rewritten *)
      (* Normalization made it equivalent to simple add *)
      let e = mkexpr (JCPEbinary(expr e,`Badd,expr ie)) pos in
      if not fi.fcomp.cstruct then (* field of union *)
        locate (mkexpr (JCPEcast(e,ctype fi.ftype)) pos)
      else
        let repfi = Retype.FieldUnion.repr fi in
        let e,fi =
          if Fieldinfo.equal fi repfi then
            e,fi
          else
            let caste =
              locate
                (mkexpr
                   (JCPEcast(e,
                             ctype (TPtr(TComp(repfi.fcomp,
                                               empty_size_cache (),[]),[]))))
                   pos)
            in
            caste,repfi
        in
        locate (mkexpr (JCPEderef(e,fi.fname)) pos)

  | Mem _e, Index _ as lv ->
      Jessie_options.fatal
        ~current:true "Unexpected lval %a" Printer.pp_lval lv

let keep_only_declared_nb_of_arguments vi l =
  let _,args,is_variadic, _ = splitFunctionTypeVI vi in
  if args=None then
    (warning "skipping all arguments of implicit prototype %s" vi.vname;
     [])
  else if is_variadic then unsupported "unsupported variadic functions"
  else l

let instruction = function
  | Set(lv,e,pos) ->
      let enode = JCPEassign(lval pos lv,expr e) in
      (locate (mkexpr enode pos))#node

  | Call(None,{enode = Lval(Var v,NoOffset)},eargs,pos) ->
      if is_assert_function v then
        JCPEassert([new identifier name_of_default_behavior],
                   Aassert,locate (boolean_expr (as_singleton eargs)))
      else
        let enode =
          if is_free_function v then
            let arg = as_singleton eargs in
            let subarg = stripCasts arg in
            let arg = if isPointerType (typeOf subarg) then subarg else arg in
            JCPEfree(expr arg)
          else
            JCPEapp(v.vname,[],
                    keep_only_declared_nb_of_arguments
                      v
                      (List.map expr eargs))
        in
        (locate (mkexpr enode pos))#node

  | Call(Some lv,{enode = Lval(Var v,NoOffset)},eargs,pos) ->
      let enode =
        if is_malloc_function v || is_realloc_function v then
          let lvtyp = pointed_type (typeOfLval lv) in
          let lvsiz = Integer.of_int64 ((bits_sizeof lvtyp) lsr 3) in
          let arg =
            if is_malloc_function v then as_singleton eargs
            else (* realloc *)
              match eargs with [ _; arg ] -> arg | _ -> assert false
          in
          let arg = stripInfo arg in
          let loc = arg.eloc in
          let aux arg nelem =
                let factor = Integer.div (value_of_integral_expr arg) lvsiz in
                let siz =
                  if Integer.equal factor Integer.one then expr nelem
                  else
                    let factor = constant_expr factor in
                    expr
                      (new_exp ~loc (BinOp(Mult,nelem,factor,typeOf arg)))
                in
                lvtyp, siz
          in
          let ty,arg = match arg.enode with
            | Info _ -> assert false
            | Const c when is_integral_const c ->
                let allocsiz = Integer.div (value_of_integral_expr arg) lvsiz
                in
                let siznode =
                  JCPEconst(JCCinteger(Integer.to_string allocsiz))
                in
                lvtyp, mkexpr siznode pos
            | BinOp(Mult,({enode = Const c} as arg),nelem,_ty)
                when is_integral_const c -> aux arg nelem
            | BinOp(Mult,nelem,({enode = Const c} as arg),_ty)
                when is_integral_const c -> aux arg nelem
            | _ ->
                if Integer.equal lvsiz Integer.one then lvtyp, expr arg
                else
                  let esiz = constant_expr ~loc lvsiz in
                  lvtyp, expr (new_exp ~loc (BinOp(Div,arg,esiz,typeOf arg)))
          in
          let name_of_type = match unrollType ty with
            | TComp(compinfo,_,_) -> compinfo.cname
            | _ -> assert false
          in
          JCPEalloc(arg,name_of_type)
        else if is_calloc_function v then
          let nelem,elsize = match eargs with
            | [nelem;elsize] -> nelem,elsize
            | _ -> assert false
          in
          let arg = stripInfo elsize in
          let loc = arg.eloc in
          let ty,arg = match arg.enode with
            | Info _ -> assert false
            | Const c when is_integral_const c ->
                let lvtyp = pointed_type (typeOfLval lv) in
                let lvsiz = Integer.of_int64 ((bits_sizeof lvtyp) lsr 3) in
                let factor = Integer.div (value_of_integral_expr arg) lvsiz in
                let siz =
                  if Integer.equal factor Integer.one then
                    expr nelem
                  else
                    let factor = constant_expr ~loc factor in
                    expr (new_exp ~loc (BinOp(Mult,nelem,factor,typeOf arg)))
                in
                lvtyp, siz
            | _ ->
                let lvtyp = pointed_type (typeOfLval lv) in
                let lvsiz = Integer.of_int64 ((bits_sizeof lvtyp) lsr 3) in
                let esiz = constant_expr ~loc lvsiz in
                lvtyp,
                expr
                  (new_exp ~loc
                     (BinOp(Div,
                            new_exp ~loc (BinOp(Mult,nelem,elsize,typeOf arg)),
                            esiz,
                            typeOf arg)))
          in
          let name_of_type = match unrollType ty with
            | TComp(compinfo,_,_) -> compinfo.cname
            | _ -> assert false
          in
          JCPEalloc(arg,name_of_type)
        else
          JCPEapp(v.vname,[],
                  keep_only_declared_nb_of_arguments
                    v
                    (List.map expr eargs))
      in
      let lvty = typeOfLval lv in
      let call = locate (mkexpr enode pos) in
      let enode =
        if Typ.equal lvty (getReturnType v.vtype)
          || is_malloc_function v
          || is_realloc_function v
          || is_calloc_function v
        then
          JCPEassign(lval pos lv,call)
        else
          let tmpv = makeTempVar (get_curFundec()) (getReturnType v.vtype) in
          let tmplv = Var tmpv, NoOffset in
          let cast =
            new_exp ~loc:pos (CastE(lvty,new_exp ~loc:pos (Lval tmplv)))
          in
          let tmpassign = JCPEassign(lval pos lv,expr cast) in
          JCPElet(None,tmpv.vname,Some call,locate (mkexpr tmpassign pos))
      in
      (locate (mkexpr enode pos))#node

  | Call _ -> Common.unsupported ~current:true "function pointers"

  | Asm _ -> Common.unsupported ~current:true "inline assembly"

  | Skip _pos -> JCPEconst JCCvoid

  | Code_annot _ -> Common.unsupported ~current:true "code annotation"

  | Local_init _ -> Common.unsupported ~current:true "local init"

let rec statement s =
  let pos = Stmt.loc s in
  CurrentLoc.set pos;
(*
  let assert_list =
    Annotations.get_filter Logic_utils.is_assert s
    @ Annotations.get_filter Logic_utils.is_stmt_invariant s
  in
  let assert_before,assert_after =
    List.partition (function Before _ -> true | After _ -> false) assert_list
  in
  let assert_before =
    List.flatten (List.map ((assert_ pos) $ before_after_content) assert_before)
  in
  let assert_after =
    List.flatten (List.map ((assert_ pos) $ before_after_content) assert_after)
  in
*)

  let assert_before, contract =
    Annotations.fold_code_annot
      (fun _ ca acc -> code_annot pos acc ca) s ([],None)
  in
  let snode = match s.skind with
    | Instr i -> instruction i

    | Return(Some e,_) -> JCPEreturn(expr e)

    | Return(None,_pos) ->
        JCPEreturn(mkexpr (JCPEconst JCCvoid) pos)

    | Goto(sref,_pos) ->
        (* Pick the first non-case label in the list of labels associated to
         * the target statement
         *)
        let labels = filter_out is_case_label !sref.labels in
        assert (not (labels = []));
        JCPEgoto(label (List.hd labels))

    | Break _pos ->
        assert false (* Should not occur after [prepareCFG] *)

    | Continue _pos ->
        assert false (* Should not occur after [prepareCFG] *)

    | If(e,bl1,bl2,_) ->
        JCPEif(boolean_expr e,block bl1,block bl2)

    | Switch(e,bl,slist,pos) ->
        let case_blocks stat_list case_list =
          let rec next_case curr_list final_list stat_list case_list =
            match stat_list,case_list with
              | curr_stat :: rest_stat, curr_case :: rest_case ->
                  if curr_case.sid = curr_stat.sid then
                    (* Beginning of a new case. Add previous case to list
                       if not empty. *)
                    let add_to_list cond e l = if cond e then e::l else l in
                    let not_empty_list = function [] -> false | _ -> true in
                    let final_list =
                      add_to_list not_empty_list (List.rev curr_list) final_list
                    in
                    let curr_list = [curr_stat] in
                    next_case curr_list final_list rest_stat rest_case
                  else
                    let curr_list = curr_stat :: curr_list in
                    next_case curr_list final_list rest_stat case_list
              | [], [] ->
                  if List.length curr_list <> 0 then
                    List.rev curr_list :: final_list
                  else
                    final_list
              | [], _ ->
                 (* More cases than available ??? *)
                 (* assert false *)
                 if List.length curr_list <> 0 then
                   List.rev curr_list :: final_list
                 else
                   final_list
              | stat_list, [] ->
                  (List.rev_append curr_list stat_list) :: final_list
          in
          List.rev (next_case [] [] stat_list case_list)
        in
        let switch_label = function
          | Label _ -> assert false
          | Case(e,_) -> Some(expr e)
          | Default _ -> None
        in
        let case = function
          | [] -> assert false
          | case_stmt :: _ as slist ->
              let switch_labels = List.filter is_case_label case_stmt.labels in
              let labs = List.map switch_label switch_labels in
              let slist = mkexpr (JCPEblock(statement_list slist)) pos in
              labs, slist
        in
        let case_list = List.map case (case_blocks bl.bstmts slist) in
        JCPEswitch(expr e,case_list)

    | Loop (_,bl,_pos,_continue_stmt,_break_stmt) ->
	let treat_loop_annot _ annot (beh,var as acc) =
	  match annot.annot_content with
	    | AVariant(v,rel) ->
		begin
		  match var with
		    | None ->
			begin
			  match rel with
			    | Some r ->
				(beh, Some (locate (term v),
					    Some (new identifier r)) )
			    | None ->
				(beh,Some (locate (term v) ,None ))
			end
		    | Some _ -> assert false (* At most one variant *)
		end
	    | AInvariant(ids,true,inv) ->
		((ids,[locate (pred inv)],WritesAny)::beh,var)
	    | AAssigns(ids,assign) ->
		((ids,[],assign)::beh,var)
	    | APragma _ -> (* ignored *) acc
            | AExtended _ -> (* ignored *) acc
            | AAllocation _ -> (* Ignored *) acc
            (* No loop annotation. *)
	    | AAssert _ | AStmtSpec _ | AInvariant _ -> acc
        in
        let behs,variant =
	  Annotations.fold_code_annot treat_loop_annot s ([],None)
	in
        (* Locate the beginning of the loop, to serve as location for generated
         * invariants and variants.
         *)
	(*         let lab = reg_pos pos in *)
        (* TODO: add loop-assigns to Jessie *)
        (* PARTIALLY DONE: added them as new jessie loop behaviors *)
        let behs = List.map
          (fun (beh_names,invs,ass) ->
             let beh_names = built_behavior_ids beh_names in
	     let inv =
	       match invs with
		 | [] -> None
		 | _ -> Some (mkconjunct invs pos)
	     in
	     let ass = assigns ass in
             (beh_names,inv,ass))
          behs
        in
        JCPEwhile(true_expr,behs,variant,block bl)

    | Block bl ->
        JCPEblock(statement_list bl.bstmts)

    | UnspecifiedSequence seq ->
        (* [VP] TODO: take into account undefined behavior tied to the
          effects of the statements... *)
        JCPEblock(statement_list (List.map (fun (x,_,_,_,_) -> x) seq))

    | TryFinally _ | TryExcept _ -> assert false
    | TryCatch _ | Throw _ -> assert false
  in
  (* Prefix statement by all non-case labels *)
  let labels = filter_out is_case_label s.labels in
  let s = mkexpr snode pos in
  let s =
    match contract with
      | None -> s
      | Some sp ->
          let sp,_cba,_dba = spec "statement contract" sp in
          let requires, decreases, behaviors =
            List.fold_left
              (fun (r,d,b) c ->
                 match c with
                   | JCCrequires p ->
                       begin match r with
                         | None -> (Some p,d,b)
                         | Some _ -> unsupported "multiple requires on statement contract"
                       end
                   | JCCdecreases(v,p) ->
                       begin match d with
                         | None -> (r,Some(v,p),b)
                         | Some _ -> unsupported "multiple decreases on statement contract"
                       end
                   | JCCbehavior be -> (r,d,be::b))
              (None,None,[])
              sp
          in
          mkexpr
            (JCPEcontract(requires, decreases, behaviors, s))
            pos
  in
  let s = match assert_before @ [s] with
    | [s] -> s
    | slist -> mkexpr (JCPEblock slist) pos
  in
  List.fold_left (fun s lab -> mkexpr (JCPElabel(label lab,s)) pos) s labels

and statement_list slist = List.rev (List.rev_map statement slist)

and block bl =
  match bl.bstmts with
    | [] -> mkexpr (JCPEconst JCCvoid) Loc.dummy_position
    | [s] -> statement s
    | slist -> mkexpr (JCPEblock(statement_list slist)) Loc.dummy_position


(*****************************************************************************)
(* Cil to Jessie translation of global declarations                          *)
(*****************************************************************************)

let drop_on_unsupported_feature = false

let logic_variable v =
  let name = Extlib.may_map (fun v -> v.vname) ~dft:v.lv_name v.lv_origin in
  ltype v.lv_type, name

let rec annotation is_axiomatic annot =
  match annot with
  | Dfun_or_pred (info,pos) ->
      CurrentLoc.set pos;
      begin
        try
        let params = List.map logic_variable info.l_profile in
        let body =
          match info.l_body with
            | LBnone -> JCnone
          | LBreads reads_tsets ->
              let reads =
                List.flatten
                  (List.map (fun x -> terms x.it_content) reads_tsets)
              in
              JCreads reads
          | LBpred p -> JCexpr(pred p)
          | LBinductive indcases ->
              let l = List.map
                (fun (id,labs,_poly,p) ->
                   (new identifier id,logic_labels labs,pred p)) indcases
              in
              JCinductive l
          | LBterm t -> JCexpr(term t)
        in
	let name =
          try
            let _ = Hashtbl.find jessie_builtins info.l_var_info.lv_name in
            info.l_var_info.lv_name
        with Not_found ->
          translated_name info []
        in
        (match info.l_type, info.l_labels, params with
             Some t, [], [] ->
               let def = match body with
                 | JCnone | JCreads _ | JCinductive _ -> None
                 | JCexpr t -> Some t
               in
               [JCDlogic_var (ltype t, name,def)]
           | _ ->
               [JCDlogic(Option_misc.map ltype info.l_type,
                         name,[],
                         logic_labels info.l_labels,
                         params,body)])
      with (Unsupported _ | Log.FeatureRequest _)
        when drop_on_unsupported_feature ->
	  warning "Dropping declaration of predicate %s@."
            info.l_var_info.lv_name ;
          []
      end

  | Dlemma(name,is_axiom,labels,_poly,property,_attr,pos) ->
     CurrentLoc.set pos;
     assert (_attr = []);
      ignore
        (reg_position ~id:name
           ~name:("Lemma " ^ name) pos);
      begin try
        [JCDlemma(name,is_axiom,[],logic_labels labels,pred property)]
      with (Unsupported _ | Log.FeatureRequest _)
          when drop_on_unsupported_feature ->
            warning "Dropping lemma %s@." name; []
      end

  | Dinvariant (property,pos) ->
      begin try
        CurrentLoc.set pos;
	let n = translated_name property [] in
        [JCDglobal_inv(n,pred (Logic_utils.get_pred_body property))]
      with (Unsupported _ | Log.FeatureRequest _)
          when drop_on_unsupported_feature ->
            warning "Dropping invariant %s@." property.l_var_info.lv_name ;
            []
      end

  | Dtype_annot (annot,pos) ->
      begin try
        CurrentLoc.set pos;
	let n = translated_name annot [] in
        [JCDlogic(
           None,n, [],logic_labels annot.l_labels,
           List.map logic_variable annot.l_profile,
           JCexpr(pred (Logic_utils.get_pred_body annot)))]
      with (Unsupported _ | Log.FeatureRequest _)
          when drop_on_unsupported_feature ->
            warning "Dropping type invariant %s@." annot.l_var_info.lv_name;
            []
      end

  | Dtype (info,pos) when info.lt_params=[] ->
      CurrentLoc.set pos;
      let myself = mktype (JCPTidentifier (info.lt_name,[])) in
      let mydecl = JCDlogic_type (info.lt_name,[]) in
      let axiomatic ctors =
        let cons = List.map
          (fun x ->
             let prms = ref (-1) in
             let make_params t =
               incr prms;
               ltype t, Printf.sprintf "x%d" !prms  (*TODO: give unique name*)
             in
             match x.ctor_params with
               [] -> JCDlogic_var(myself,x.ctor_name,None)
             | l ->
                 let params = List.map make_params l in
                 JCDlogic(Some myself,x.ctor_name,[],[],params,
                          JCreads []
                            (*(List.map (fun (_,x) ->
                              mkexpr (JCPEvar x) pos) params)*)))
          ctors
        in
        let tag_fun = JCDlogic (Some (mktype (JCPTnative Tinteger)),
                                info.lt_name ^ "_tag",[],[],[myself,"x"],
                                JCreads[])
        in
        let tag_axiom cons (i,axioms) =
          let prms = ref(-1) in
          let param t =
            incr prms;
            let prms_name = Printf.sprintf "x%d" !prms in
            (* TODO: give unique name *)
            (fun x ->
               mkexpr (JCPEquantifier(Forall,ltype t,
                                      [new identifier prms_name], [],x)) pos),
            mkexpr (JCPEvar prms_name) pos
          in
	  let (quant,args) =
            List.fold_right
              (fun arg (quants,args) ->
                 let quant,arg = param arg in
                 ((fun x -> quant(quants x)), arg::args))
              cons.ctor_params ((fun x -> x),[])
          in
          let expr = match cons.ctor_params with
              [] -> JCPEvar cons.ctor_name
            | _ -> JCPEapp(cons.ctor_name,[],args)
          in
          let pred =
            quant
              (mkexpr
                 (JCPEbinary
                    (mkexpr (JCPEapp (info.lt_name ^ "_tag",[],
                                      [mkexpr expr pos])) pos,
                     `Beq,
                     mkexpr(JCPEconst(JCCinteger (Int64.to_string i))) pos))
                 pos)
          in
          (i+one,
           JCDlemma(cons.ctor_name ^ "_tag_val",true,[],[], pred)
           ::axioms)
        in
        let (_,axioms) = List.fold_right tag_axiom ctors (zero,[]) in
        let xvar = mkexpr (JCPEvar "x") pos in (* TODO: give unique name *)
        let one_case cons =
          let prms = ref(-1) in
          let param t =
            incr prms;
            let prms_name = Printf.sprintf "x%d" !prms in
            (* TODO: give unique name *)
            ((fun x ->
                mkexpr (JCPEquantifier(Exists,ltype t,
                                       [new identifier prms_name], [],x)) pos),
             mkexpr (JCPEvar prms_name) pos)
          in let (quant,args) =
            List.fold_right
              (fun arg (quants,args) ->
                 let quant,arg = param arg in
                 ((fun x -> quant(quants x)), arg::args))
              cons.ctor_params ((fun x -> x),[])
          in
          quant
            (mkexpr
               (JCPEbinary(xvar,`Beq,
                           mkexpr (JCPEapp(cons.ctor_name,[],args)) pos)) pos)
        in
        match ctors with
          [] -> cons
        | [x] ->
            cons @
              [JCDlemma(info.lt_name ^ "_inductive", true, [], [],
                        (mkexpr (JCPEquantifier
                                   (Forall,myself,
                                    [new identifier "x"], [],one_case x)) pos))]
        | x::l ->
            tag_fun :: cons @ axioms @
              [JCDlemma(info.lt_name ^ "_inductive", true, [], [],
                        mkexpr
                          (JCPEquantifier(
                             Forall,myself,
                             [new identifier "x"], [],
                             List.fold_right
                               (fun cons case ->
                                  mkexpr (JCPEbinary(case,`Blor,
                                                     one_case cons)) pos)
                               l (one_case x))) pos)]
      in
      (*NB: axioms stating that two values beginning with different
        symbols are different are not generated. *)
      let axiomatic = match info.lt_def with
          None -> [mydecl]
        | Some (LTsum cons) -> mydecl::axiomatic cons
        | Some (LTsyn _) -> [] (* We'll expand the type anyway *)
      in
      (match axiomatic with
           [] -> []
         | _ when is_axiomatic -> axiomatic
         | _ ->
             [JCDaxiomatic (info.lt_name ^ "_axiomatic",
                            List.map (fun x -> mkdecl x pos) axiomatic)])

  | Dtype _ -> unsupported "type definitions"
  | Dvolatile _ -> Common.unsupported "volatile variables"
  | Dmodel_annot _ ->
      (* already handled in norm.ml *)
      []
  | Dcustom_annot _ -> Common.unsupported "custom annotation"
  | Daxiomatic(id,l,_attr,pos) ->
     CurrentLoc.set pos;
     assert (_attr = []);
      (*
	Format.eprintf "Translating axiomatic %s into jessie code@." id;
      *)
      let l = List.fold_left (fun acc d -> (annotation true d)@acc) [] l in
      [JCDaxiomatic(id,List.map (fun d -> mkdecl  d pos)
                      (List.rev l))]

let default_field_modifiers = (false,false)

let global vardefs g =
  let pos = Global.loc g in
  CurrentLoc.set pos;
  let dnodes = match g with
    | GType _ -> [] (* No typedef in Jessie *)

    | GCompTag(compinfo,pos) when compinfo.cstruct -> (* struct type *)
        let field fi =
          let this =
            default_field_modifiers,
            ctype ?bitsize:fi.fsize_in_bits fi.ftype,
            fi.fname, fi.fsize_in_bits
          in
          let padding_size =
            match fi.fpadding_in_bits with None -> assert false | Some i -> i
          in
          if padding_size = 0 then [this] else
            let padding =
              default_field_modifiers,
              type_of_padding, unique_name "padding", fi.fpadding_in_bits
            in
            [this;padding]
        in
        let model_field mi =
          default_field_modifiers,
            ltype mi.mi_field_type,
            mi.mi_name, None
        in
        let fields =
          List.fold_right
            (fun fi acc ->
               let repfi = Retype.FieldUnion.repr fi in
               if Fieldinfo.equal fi repfi then
                 field fi @ acc
               else acc)
            compinfo.cfields []
        in
        let fields =
          List.fold_right
            (fun mi acc -> model_field mi :: acc)
            (Norm.model_fields compinfo) fields
        in
        let _parent = None in
(*           find_or_none (Hashtbl.find Norm.type_to_parent_type) compinfo.cname *)
(*         in *)
        let ty = TComp(compinfo, empty_size_cache (), []) in
        begin try
          let parentty = Typ.Hashtbl.find Retype.type_to_parent_type ty in
          let parent = get_struct_name parentty in
          [
            JCDtag(compinfo.cname,[],Some (parent,[]),fields,[])
          ]
        with Not_found ->
          try
            ignore(Typ.Hashtbl.find Norm.generated_union_types ty);
            [JCDtag(compinfo.cname,[],None,fields,[])]
          with Not_found ->
            let id = mkidentifier compinfo.cname pos in
            [
              JCDtag(compinfo.cname,[],None,fields,[]);
              JCDvariant_type(compinfo.cname,[id])
            ]
        end

    | GCompTag(compinfo,pos) -> (* union type *)
        assert (not compinfo.cstruct);
        let field fi =
          let ty = pointed_type fi.ftype in
          mkidentifier (get_struct_name ty) pos
        in
(*           match pointed_type fi.ftype with *)
(*             | TComp(compinfo,_) -> *)
(*                 let field fi = false, ctype fi.ftype, fi.fname in *)
(*                 let fields = List.map field compinfo.cfields in *)
(* (\*                 let parent = *\) *)
(* (\*                   find_or_none (Hashtbl.find Norm.type_to_parent_type) *\) *)
(* (\*                     compinfo.cname *\) *)
(* (\*                 in *\) *)
(*                 mkidentifier fi.fname fi.floc,  *)
(*                 JCDtag(fi.fname,[],None,fields,[]) *)
(*             | _ ->  *)
(*                 assert false *)
(*         in *)
        let union_id = mkidentifier compinfo.cname pos in
        let union_size = match compinfo.cfields with
          | [] -> 0
          | fi::_ ->
              Pervasives.(+) (the fi.fsize_in_bits) (the fi.fpadding_in_bits)
        in
        let padding =
          if union_size = 0 then [] else
            [default_field_modifiers,
             type_of_padding, unique_name "padding", Some union_size]
        in
        let union_tag = JCDtag(compinfo.cname,[],None,padding,[]) in
        let fields = List.map field compinfo.cfields in
        let rec has_pointer ty =
          match unrollType ty with
            | TComp(compinfo,_,_) ->
                List.exists (fun fi -> has_pointer fi.ftype) compinfo.cfields
            | TPtr _ ->
                if is_reference_type ty then
                  (* Possibly skip intermediate array type *)
                  has_pointer (pointed_type ty)
                else true
            | TVoid _
            | TInt _
            | TFloat _
            | TEnum _ -> false
            | TArray _ -> assert false (* Removed by translation *)
            | TFun _ ->
                unsupported "Function pointer type %a not allowed"
                  Printer.pp_typ ty
            | TNamed _ -> assert false
            | TBuiltin_va_list _ -> assert false (* not supported *)
        in
        (* Union type with pointer as sub-field should be used as a
           discriminated union *)
        let discr = has_pointer (TComp(compinfo, empty_size_cache (),[])) in
        [JCDunion_type(compinfo.cname,discr,union_id :: fields); union_tag]

    | GCompTagDecl _ -> [] (* No struct/union declaration in Jessie *)

    | GEnumTag(enuminfo,_pos) ->
        assert (not (enuminfo.eitems = []));
        let enums =
          List.map
            (fun {eival = enum} -> value_of_integral_expr enum) enuminfo.eitems
        in
        let emin =
          List.fold_left (fun acc enum ->
                            if Integer.lt acc enum then acc else enum)
            (List.hd enums)
            enums
        in
        let min = Num.num_of_string (Integer.to_string emin) in
        let emax =
          List.fold_left (fun acc enum ->
                            if Integer.gt acc enum then acc else enum)
            (List.hd enums)
            enums
        in
        let max = Num.num_of_string (Integer.to_string emax) in
        [JCDenum_type(enuminfo.ename,min,max)]

    | GEnumTagDecl _ -> [] (* No enumeration declaration in Jessie *)

    | GVarDecl(v,pos) | GFunDecl(_,v,pos) ->
        (* Keep only declarations for which there is no definition *)
        if List.mem v vardefs
          || (isFunctionType v.vtype &&
                (v.vname = name_of_assert
                    || v.vname = name_of_free
                    || v.vname = name_of_malloc))
        then []
        else if isFunctionType v.vtype then
          let rtyp = match unrollType v.vtype with
            | TFun(rt,_,_,_) -> rt
            | _ -> assert false
          in
          let id = mkidentifier v.vname pos in
          let kf = Globals.Functions.get v in
          Jessie_options.debug
            "Getting spec of %s" (Kernel_function.get_name kf);
          let funspec = Annotations.funspec kf in
          Jessie_options.debug "OK";
          let params = Globals.Functions.get_params kf in
          let formal v = true, ctype v.vtype, unique_name_if_empty v.vname in
          let formals = List.map formal params in
          let s,_cba,_dba = spec v.vname funspec in
          [JCDfun(ctype rtyp,id,formals,s,None)]
        else
          [JCDvar(ctype v.vtype,v.vname,None)]

    | GVar(v,{init=None},_pos) ->
        [JCDvar(ctype v.vtype,v.vname,None)]

    | GVar(_v,_iinfo,_pos) ->
        (* Initialization should have been rewritten as code in an
         * initialization function, that is called by the main function in
         * global analyses and ignored otherwise.
         *)
        assert false

    | GFun(f,pos) ->
        set_curFundec f;
        if f.svar.vname = name_of_assert
          || f.svar.vname = name_of_free then []
        else
          let rty = match unrollType f.svar.vtype with
            | TFun(ty,_,_,_) -> ty
            | _ -> assert false
          in
          let formal v = true, ctype v.vtype, v.vname in
          let formals = List.map formal f.sformals in
          let id = mkidentifier f.svar.vname f.svar.vdecl in
          let funspec =
            Annotations.funspec (Globals.Functions.get f.svar)
          in
          begin try
            let local v =
              mkexpr (JCPEdecl(ctype v.vtype,v.vname,None)) v.vdecl
            in
            let locals = List.rev (List.rev_map local f.slocals) in
            let body = mkexpr (JCPEblock(statement_list f.sbody.bstmts)) pos in
            let s,cba,dba = spec f.svar.vname funspec in
            let body =
              List.fold_left
                (fun acc a ->
                   (mkexpr
                      (JCPEassert([],
                                  Acheck,
                                  mkexpr
                                    (JCPElabel("complete_behaviors",a))
                                    a#pos))
                      a#pos)
                   :: acc)
                (locals @ [body]) cba
            in
            let body =
              List.fold_left
                (fun acc a ->
                   (mkexpr
                      (JCPEassert([],
                                  Acheck,
                                  mkexpr
                                    (JCPElabel("disjoint_behaviors",a))
                                    a#pos))
                      a#pos)
                   :: acc)
                body dba
            in
            let body = mkexpr (JCPEblock body) pos in
            ignore
              (reg_position ~id:f.svar.vname
                 ~name:("Function " ^ f.svar.vname) f.svar.vdecl);
            [JCDfun(ctype rty,id,formals,s,Some body)]
          with (Unsupported _ | Log.FeatureRequest _)
              when drop_on_unsupported_feature ->
                warning "Dropping definition of function %s@." f.svar.vname ;
                let s,_cba,_dba = spec f.svar.vname funspec in
                [JCDfun(ctype rty,id,formals,s,None)]
          end

    | GAsm _ ->
	unsupported "assembly code"

    | GPragma _ -> [] (* Pragmas treated separately *)

    | GText _ -> [] (* Ignore text in Jessie *)

    | GAnnot(la,_) -> annotation false la

  in
  List.map (fun dnode -> mkdecl dnode pos) dnodes

let integral_type name ty bitsize =
  let min = Integer.to_num (min_value_of_integral_type ~bitsize ty) in
  let max = Integer.to_num (max_value_of_integral_type ~bitsize ty) in
  mkdecl (JCDenum_type(name,min,max)) Loc.dummy_position

(* let all_integral_kinds = *)
(*   let rec all_ik = function *)
(*     | IBool -> IBool :: (all_ik IChar) *)
(*     | IChar -> IChar :: (all_ik ISChar) *)
(*     | ISChar -> ISChar :: (all_ik IUChar) *)
(*     | IUChar -> IUChar :: (all_ik IInt) *)
(*     | IInt -> IInt :: (all_ik IUInt) *)
(*     | IUInt -> IUInt :: (all_ik IShort) *)
(*     | IShort -> IShort :: (all_ik IUShort) *)
(*     | IUShort -> IUShort :: (all_ik ILong) *)
(*     | ILong -> ILong :: (all_ik IULong) *)
(*     | IULong -> IULong :: (all_ik ILongLong) *)
(*     | ILongLong -> ILongLong :: (all_ik IULongLong) *)
(*     | IULongLong -> IULongLong :: [] *)
(*   in *)
(*   all_ik IBool *)

let integral_types () =
  if !int_model = IMexact then
    []
  else
    Common.fold_integral_types
      (fun name ty bitsize acc -> integral_type name ty bitsize :: acc) []

let type_conversions () =
  let typconv_axiom ty1 ty1_to_ty2 ty2_to_ty1 =
    let x = PExpr.mkvar ~name:"x" () in
    let app1 = PExpr.mkapp ~fun_name:ty1_to_ty2 ~args:[x] () in
    let app2 = PExpr.mkapp ~fun_name:ty2_to_ty1 ~args:[app1] () in
    let eq = PExpr.mkeq ~expr1:x ~expr2:app2 () in
    let forall =
      PExpr.mkforall ~typ:(ctype ty1)
        ~vars:[new identifier "x"] ~body:eq ()
    in
    PDecl.mklemma_def ~name:(unique_logic_name (ty1_to_ty2 ^ "_axiom")) ~axiom:true
      ~body:forall ()
  in
  Hashtbl.fold
    (fun _ (ty1,ty2,ty1_to_ty2,ty2_to_ty1) acc ->
       [
         PDecl.mklogic_def ~typ:(ctype ty2) ~name:ty1_to_ty2
           ~params:[ctype ty1, "x"] ~reads:[] ();
         PDecl.mklogic_def ~typ:(ctype ty1) ~name:ty2_to_ty1
           ~params:[ctype ty2, "x"] ~reads:[] ();
         typconv_axiom ty1 ty1_to_ty2 ty2_to_ty1;
         typconv_axiom ty2 ty2_to_ty1 ty1_to_ty2
       ] @ acc
    ) type_conversion_table []

let file f =
  let filter_defined = function GFun _ | GVar _ -> true | _ -> false in
  let defined_var =
    function GFun(f,_) -> f.svar | GVar(vi,_,_) -> vi | _ -> assert false
  in
  let is_needed =
    function
      | GVarDecl(v,_)
      | GFunDecl(_,v,_) when Cil.hasAttribute "FC_BUILTIN" v.vattr ->
          v.vreferenced
      | _ -> true
  in
  let globals =
(* AVOID CHECKING THE GLOBAL INITIALIZATION FUNCTION, WHICH IS GUARANTEED *)
(*     if Globals.has_entry_point () then *)
(*       let gif = *)
(*         Kernel_function.get_definition (Globals.Functions.get_glob_init f) *)
(*       in *)
(*       f.globals @ [GFun(gif,Loc.dummy_position)] *)
(*     else  *)
    List.filter is_needed f.globals
  in
  let vardefs =
    List.rev (List.rev_map defined_var (List.filter filter_defined globals))
  in
  (* Compute translation of [globals] before [integral_types] so that types
     used are known *)
  let globals' =
    List.flatten (List.rev (List.rev_map (global vardefs) globals))
  in
  mkdecl (JCDaxiomatic("Padding",
                       [mkdecl (JCDlogic_type (name_of_padding_type, []))
                          Loc.dummy_position]))
    Loc.dummy_position
  (* Define all integral types as enumerated types in Jessie *)
  :: integral_types ()
  (* Define conversion functions and identity axiom for back
     and forth conversion *)
  @ type_conversions ()
  @ globals'

(* Translate pragmas separately as their is no declaration for pragmas in
 * the parsed AST of Jessie, only in its types AST.
 *)
let pragma = function
  | GPragma(Attr(name,[AStr arg]),_)
  | GPragma(Attr(name,[ACons(arg,[])]),_) ->
      begin match name with
        | "InvariantPolicy" ->
            begin match String.lowercase arg with
              | "none" -> invariant_policy := Jc_env.InvNone
              | "arguments" -> invariant_policy := Jc_env.InvArguments
              | "ownership" -> invariant_policy := Jc_env.InvOwnership
              | _ -> assert false
            end;
            []
        | "SeparationPolicy" ->
            begin match String.lowercase arg with
              | "none" -> separation_policy_regions := false
              | "regions" -> separation_policy_regions := true
              | _ -> assert false
            end;
            []
        | "AnnotationPolicy" ->
            begin match String.lowercase arg with
              | "none" -> [Jc_output.JCannotation_policy Jc_env.AnnotNone]
              | "invariants" ->
                  [Jc_output.JCannotation_policy Jc_env.AnnotInvariants]
              | "weakpre" ->
                  [Jc_output.JCannotation_policy Jc_env.AnnotWeakPre]
              | "strongpre" ->
                  [Jc_output.JCannotation_policy Jc_env.AnnotStrongPre]
              | _ -> assert false
            end
        | "AbstractDomain" ->
            begin match String.lowercase arg with
              | "none" -> [Jc_output.JCabstract_domain Jc_env.AbsNone]
              | "box" -> [Jc_output.JCabstract_domain Jc_env.AbsBox]
              | "oct" -> [Jc_output.JCabstract_domain Jc_env.AbsOct]
              | "pol" -> [Jc_output.JCabstract_domain Jc_env.AbsPol]
              | _ -> assert false
            end
        | "JessieFloatModel" ->
            begin match String.lowercase arg with
              | "math" -> float_model := `Math;
		  [Jc_output.JCfloat_model Jc_env.FMmath]
              | "defensive" ->
                  float_model := `Defensive;
		  [Jc_output.JCfloat_model Jc_env.FMdefensive]
              | "full" ->
                  float_model := `Full;
		  [Jc_output.JCfloat_model Jc_env.FMfull]
              | "multirounding" ->
                  float_model := `Multirounding;
		  [Jc_output.JCfloat_model Jc_env.FMmultirounding]
              | s ->
                  Jessie_options.warning ~current:true
                    "pragma %s: identifier %s is not a valid value (ignored)."
		    name s; []
            end;
        | "JessieFloatRoundingMode" ->
            begin match String.lowercase arg with
              | "nearesteven" ->
                  (* float_rounding_mode := `NearestEven; *)
                  [Jc_output.JCfloat_rounding_mode Jc_env.FRMNearestEven]
              | "down" ->
                  (* float_rounding_mode := `Downward; *)
                  [Jc_output.JCfloat_rounding_mode Jc_env.FRMDown]
              | "up" ->
                  (* float_rounding_mode := `Upward; *)
                  [Jc_output.JCfloat_rounding_mode Jc_env.FRMUp]
              | "tozero" ->
                  (* float_rounding_mode := `Towardzero; *)
                  [Jc_output.JCfloat_rounding_mode Jc_env.FRMToZero]
              | "nearestaway" ->
                  (* float_rounding_mode := `Towardawayzero; *)
                  [Jc_output.JCfloat_rounding_mode Jc_env.FRMNearestAway]
              | s ->
                  Jessie_options.warning ~current:true
		    "pragma %s: identifier %s is not a valid value (ignored)" name s; []
            end
	| "JessieFloatInstructionSet" ->
	    begin match String.lowercase arg with
              | "x87" ->
		  [Jc_output.JCfloat_instruction_set "x87"]
              | "ieee754" ->
		  [Jc_output.JCfloat_instruction_set "ieee754"]
	      | s ->
                  Jessie_options.warning ~current:true
		    "pragma %s: identifier %s is not a valid value (ignored)" name s; []
            end

        | "JessieIntegerModel" ->
            begin match String.lowercase arg with
              | "exact" | "math" -> int_model := IMexact
              | "strict" -> int_model := IMbounded
              | "modulo" -> int_model := IMmodulo
              | s ->
                  Jessie_options.warning ~current:true
		    "pragma %s: identifier %s is not a valid value (ignored)." name s
            end;
            []

	| "JessieTerminationPolicy" ->
	    begin match String.lowercase arg with
              | "always" ->
		  [Jc_output.JCtermination_policy TPalways]
              | "user" ->
		  [Jc_output.JCtermination_policy TPuser]
              | "never" ->
		  [Jc_output.JCtermination_policy TPnever]
	      | s ->
                  Jessie_options.warning ~current:true
		    "pragma %s: identifier %s is not a valid value (ignored)" name s; []
            end
        | _ ->
            Jessie_options.warning ~current:true
	      "pragma %s is ignored by Jessie." name;
            []
      end
  | GPragma(Attr("JessieBuiltin",[ACons(acsl,[]);AStr jessie]),_) ->
    Hashtbl.add jessie_builtins acsl jessie;
    []
  | GPragma _ -> []
  | _ -> []

let pragmas f =
  let l = List.flatten (List.rev (List.rev_map pragma f.globals)) in

  (match !int_model with
    | IMexact -> []
    | IMbounded -> [ Jc_output.JCint_model Jc_env.IMbounded ]
    | IMmodulo -> [ Jc_output.JCint_model Jc_env.IMmodulo ])
  @ Jc_output.JCinvariant_policy !invariant_policy
  :: (if !separation_policy_regions then
        Jc_output.JCseparation_policy Jc_env.SepRegions
      else
        Jc_output.JCseparation_policy Jc_env.SepNone)
  :: (match Jessie_options.InferAnnot.get () with
        | "" -> Jc_output.JCannotation_policy Jc_env.AnnotNone
        | "inv" -> Jc_output.JCannotation_policy Jc_env.AnnotInvariants
        | "pre" -> Jc_output.JCannotation_policy Jc_env.AnnotElimPre
        | "spre" -> Jc_output.JCannotation_policy Jc_env.AnnotStrongPre
        | "wpre" -> Jc_output.JCannotation_policy Jc_env.AnnotWeakPre
        | s ->
            Jessie_options.abort "unknown inference technique %s" s)
  :: (match Jessie_options.AbsDomain.get () with
        | "box" -> Jc_output.JCabstract_domain Jc_env.AbsBox
        | "oct" -> Jc_output.JCabstract_domain Jc_env.AbsOct
        | "poly" -> Jc_output.JCabstract_domain Jc_env.AbsPol
        | s ->
	    Jessie_options.abort "unknown abstract domain %s" s)
  :: l


(*
Local Variables:
compile-command: "make"
End:
*)
why-2.39/frama-c-plugin/jessie_config.ml0000644000106100004300000000003113147234006017166 0ustar  marchevalslet jessie_local = false
why-2.39/java/0000755000106100004300000000000013147234006012152 5ustar  marchevalswhy-2.39/java/java_tast.mli0000644000106100004300000001717513147234006014644 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



open Java_env

type bin_op = Java_ast.bin_op
type un_op = Java_ast.un_op
type incr_decr_op = Java_ast.incr_decr_op

type label_assoc = (logic_label * logic_label) list

type term_node =
    | JTlit of literal
    | JTvar of java_var_info
    | JTat of term * logic_label
    | JTbin of term * base_type * bin_op * term
    | JTbin_obj of term * bin_op * term
    | JTun of base_type * un_op * term
    | JTapp of java_logic_info * label_assoc * term list
    | JTfield_access of term * java_field_info
    | JTstatic_field_access of java_type_info * java_field_info
    | JTarray_length of term
    | JTarray_access of term * term
    | JTarray_range of term * term option * term option
    | JTcast of java_type * term
    | JTif of term * term * term

and term =
    { java_term_node : term_node;
      java_term_type : java_type;
      java_term_loc : Loc.position;
    }


type quantifier = Java_ast.quantifier

type assertion_node =
  | JAtrue
  | JAfalse
  | JAat of assertion * logic_label
  | JAnot of assertion
  | JAand of assertion * assertion
  | JAor of assertion * assertion
  | JAimpl of assertion * assertion
  | JAiff of assertion * assertion
  | JAquantifier of quantifier * java_var_info * assertion
  | JAbool_expr of term
  | JAbin of term * base_type * bin_op * term
  | JAbin_obj of term * bin_op * term
  | JAapp of java_logic_info * label_assoc * term list
  | JAinstanceof of term * logic_label * java_type
  | JAif of term * assertion * assertion
  | JAfresh of term

and assertion =
    { java_assertion_node : assertion_node;
      java_assertion_loc : Loc.position;
    }

(* expressions *)

type expr =
  { java_expr_loc : Loc.position ;
    java_expr_type : java_type;
    java_expr_node : expr_node }

and expr_node =
  | JElit of literal
  | JEvar of java_var_info
  | JEbin of expr * bin_op * expr         (*r binary operations *)
  | JEun of un_op * expr                 (*r (pure) unary operations *)
  | JEif of expr * expr * expr
      (*r pre-post incr/decr operations *)
  | JEincr_local_var of incr_decr_op * java_var_info
  | JEincr_field of incr_decr_op * expr * java_field_info
  | JEincr_array of incr_decr_op * expr * expr
  | JEstatic_field_access of java_type_info * java_field_info
  | JEfield_access of expr * java_field_info
  | JEarray_length of expr
  | JEarray_access of expr * expr
  | JEassign_local_var of java_var_info * expr
  | JEassign_local_var_op of java_var_info * bin_op * expr
  | JEassign_field of expr * java_field_info * expr
  | JEassign_field_op of expr * java_field_info * bin_op * expr
  | JEassign_static_field of java_field_info * expr
  | JEassign_static_field_op of java_field_info * bin_op * expr
  | JEassign_array of expr * expr * expr
  | JEassign_array_op of expr * expr * bin_op * expr
  | JEcall of expr * method_info * expr list
  | JEconstr_call of expr * constructor_info * expr list
  | JEstatic_call of method_info * expr list
  | JEnew_array of java_type * expr list
      (*r elements type, dimensions *)
  | JEnew_object of constructor_info * expr list
      (*r constr, args *)
  | JEcast of java_type * expr
  | JEinstanceof of expr * java_type
(*
  | Static_class of class_entry
  | Static_interface of interface_entry
  | Super_method_call of identifier * pexpr list
  | Instanceof of pexpr * type_expr
      (* in annotations only *)
  | Type of type_expr
  | Typeof of expr
*)

(* statements *)

type initialiser =
  | JIexpr of expr
  | JIlist of initialiser list

type 'a switch_label = 'a Java_ast.switch_label

type behavior =
    Java_ast.identifier * (* behavior name *)
      assertion option * (* assumes *)
      java_class_info option * (* throws *)
      (Loc.position * term list) option * (* assigns *)
      (Loc.position * term list) option * (* allocates *)
      assertion (* ensures *)

type loop_annot =
    { loop_inv : assertion;
      behs_loop_inv : (Java_ast.identifier * assertion) list;
      loop_var : (term * java_logic_info option) option;
    }

type statement =
  { java_statement_loc : Loc.position ;
    java_statement_node : statement_node }

and statement_node =
  | JSskip                  (*r empty statement *)
  | JSif of expr * statement * statement
  | JSreturn_void
  | JSreturn of expr
  | JSvar_decl of java_var_info * initialiser option * statement
  | JSblock of block
  | JSdo of statement * loop_annot * expr
      (*r loop body, annot, condition *)
  | JSwhile of expr * loop_annot * statement
      (*r condition, annot, loop body *)
  | JSfor of expr list * expr * loop_annot * expr list * statement
      (*r init, condition, annot, steps, loop body *)
  | JSfor_decl of (java_var_info * initialiser option) list *
      expr * loop_annot * expr list * statement
      (*r decls, condition, annot, steps, loop body *)
  | JSexpr of expr
  | JSassert of string option * string option * assertion
  | JSswitch of expr * (expr switch_label list * block) list
  | JSbreak of string option
  | JScontinue of string option
  | JSthrow of expr
  | JStry of block * (java_var_info * block) list * block option
  | JSstatement_spec of
      assertion option * (term * java_logic_info option) option
      * behavior list * statement
	(*r requires, decreases, behaviors, statement *)
  | JSlabel of string * statement
(*
  | JPSsynchronized of pexpr * block
*)
(*
  | Kml_annot_statement of jml_annotation_statement
  | Kml_ghost_var_decl of jml_declaration list
  | Annotated of statement_specification * statement
*)

and block = statement list
;;

(*
Local Variables:
compile-command: "make -C .. bin/krakatoa.byte"
End:
*)
why-2.39/java/java_typing.mli0000644000106100004300000001266413147234006015201 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

val print_qualified_ident : Format.formatter -> Java_ast.qualified_ident -> unit

val print_type_name : Format.formatter -> Java_env.java_type_info -> unit

val print_type : Format.formatter -> Java_env.java_type -> unit

val type_table : (int, Java_env.java_type_info) Hashtbl.t

type method_table_info =
    { mt_method_info : Java_env.method_info;
      mt_requires : Java_tast.assertion option;
      mt_decreases : (Java_tast.term * Java_env.java_logic_info option) option;
      mt_behaviors : (Java_ast.identifier *
			Java_tast.assertion option *
			Java_env.java_class_info option *
			(Loc.position * Java_tast.term list) option *
			(Loc.position * Java_tast.term list) option *
			Java_tast.assertion) list ;
      mt_body : Java_tast.block option;
    }

val methods_table :
  (int, method_table_info) Hashtbl.t

type constructor_table_info =
    { ct_constr_info : Java_env.constructor_info;
      ct_requires : Java_tast.assertion option;
      ct_decreases : (Java_tast.term * Java_env.java_logic_info option) option;
      ct_behaviors : (Java_ast.identifier *
			Java_tast.assertion option *
			Java_env.java_class_info option *
			(Loc.position * Java_tast.term list) option *
			(Loc.position * Java_tast.term list) option *
			Java_tast.assertion) list ;
      ct_body : Java_tast.block;
    }

val constructors_table :
  (int, constructor_table_info) Hashtbl.t

val invariants_table :
  (int, Java_env.java_class_info * Java_env.java_var_info *
     (Java_ast.identifier * Java_tast.assertion) list) Hashtbl.t

val static_invariants_table :
  (int, (string * Java_tast.assertion) list) Hashtbl.t

val field_initializer_table :
  (int, Java_tast.initialiser option) Hashtbl.t

val final_field_values_table :
  (int, Num.num list) Hashtbl.t

val lemmas_table : (string,(Loc.position * Java_env.logic_label list * Java_tast.assertion)) Hashtbl.t


type logic_def_body =
  [ `Assertion of Java_tast.assertion
  | `Term of Java_tast.term
  | `Inductive of
      (Java_ast.identifier * Java_env.logic_label list * Java_tast.assertion)
	list
  | `Builtin ]

type logic_decl_body =
  [ logic_def_body
  | `None
  | `Reads of Java_tast.term list ]

val logic_defs_table :
  (int,Java_env.java_logic_info * logic_def_body) Hashtbl.t

type axiomatic_defs =
  | Adecl of  Java_env.java_logic_info * logic_decl_body
  | Aaxiom of string * bool * Java_env.logic_label list * Java_tast.assertion
  | Atype of string

val logic_types_table : (string, Java_env.logic_type_info) Hashtbl.t
val axiomatics_table : (string, axiomatic_defs list) Hashtbl.t

val builtin_logic_symbols : Java_env.java_logic_info list ref

exception Typing_error of Loc.position * string

val catch_typing_errors : ('a -> 'b) -> 'a -> 'b

(*
val get_types :
  Java_ast.compilation_unit ->
  Java_env.package_info list *
    (string * Java_env.java_type_info) list
*)

val get_types :
  Java_env.package_info list ->
  Java_ast.compilation_unit list ->
  Java_env.package_info list *
    (string * Java_env.java_type_info) list

val get_bodies :
  Java_env.package_info list ->
  (string * Java_env.java_type_info) list ->
  Java_ast.compilation_unit -> unit

val type_specs :
  Java_env.package_info list ->
  (string * Java_env.java_type_info) list ->
  unit



(*
Local Variables:
compile-command: "make -j -C .. bin/krakatoa.byte"
End:
*)
why-2.39/java/java_lexer.mll0000644000106100004300000003624213147234006015007 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

(**************************************************************************

Lexer for JavaCard source files

VerifiCard Project - Démons research team - LRI - Université Paris XI

$Id: java_lexer.mll,v 1.42 2009-12-08 16:38:49 marche Exp $

***************************************************************************)


{

  open Java_parser
  open Lexing
  open Java_ast

  type location = position * position

  let loc lexbuf : location =
    (lexeme_start_p lexbuf, lexeme_end_p lexbuf)

  exception Lexical_error of location * string
  exception Syntax_error of location
  exception Dotdot of string


  let lex_error lexbuf s = raise (Lexical_error(loc lexbuf,s))

  let buf = Buffer.create 97

  let kw_table =
    let table = Hashtbl.create 17 in
    let _ =
      List.iter
	(fun (s,t) -> Hashtbl.add table s t)
	[ "abstract", ABSTRACT;
          "allocates", ALLOCATES;
	  "assert", ASSERT;
	  "assigns", ASSIGNS;
	  "assumes", ASSUMES;
	  "axiom", AXIOM;
	  "axiomatic", AXIOMATIC;
	  "behavior", BEHAVIOR;
	  "boolean", BOOLEAN;
	  "break", BREAK;
	  "byte", BYTE;
	  (* "byvalue", BYVALUE; ??? *)
	  "case", CASE;
	  (* "cast", CAST; ??? *)
	  "catch", CATCH;
	  "char", CHAR;
	  "class", CLASS;
	  "const", CONST;
	  "continue", CONTINUE;
	  "decreases", DECREASES;
	  "default", DEFAULT;
	  "do", DO;
	  "double", DOUBLE;
	  "else", ELSE;
	  "ensures", ENSURES;
	  "extends", EXTENDS;
	  "false", FALSE;
	  "final", FINAL;
	  "finally", FINALLY;
	  "float", FLOAT;
	  "for", FOR;
	  (* "future", FUTURE; ?? *)
	  (* "generic", GENERIC; ?? *)
	  "ghost", GHOST;
	  "goto", GOTO;
	  "if", IF;
	  "implements", IMPLEMENTS;
	  "import", IMPORT;
	  "inductive", INDUCTIVE;
	  (* "inner", INNER; ?? *)
	  "instanceof", INSTANCEOF;
	  "int", INT;
	  "integer", INTEGER;
	  "interface", INTERFACE;
	  "invariant", INVARIANT;
	  "lemma", LEMMA;
	  "logic", LOGIC;
	  "long", LONG;
	  "loop_invariant", LOOP_INVARIANT;
	  "loop_variant", LOOP_VARIANT;
	  "model", MODEL;
	  "native", NATIVE;
	  "new", NEW;
	  "non_null", NON_NULL;
	  "null", NULL;
	  "nullable", NULLABLE;
	  (* "operator", OPERATOR; ?? *)
	  (* "outer", OUTER; ?? *)
	  "package", PACKAGE;
	  "predicate", PREDICATE;
	  "private", PRIVATE;
	  "protected", PROTECTED;
	  "public", PUBLIC;
	  "reads", READS;
	  "real", REAL;
	  "requires", REQUIRES;
	  (* "rest", REST; ?? *)
	  "return", RETURN;
	  "short", SHORT;
	  "signals", SIGNALS;
	  "static", STATIC;
	  "strictfp", STRICTFP;
	  "super", SUPER;
	  "switch", SWITCH;
	  "synchronized", SYNCHRONIZED;
	  "theory", THEORY;
	  "this", THIS;
	  (* "threadsafe" ? *)
	  "throw", THROW;
	  "throws", THROWS;
	  "transient", TRANSIENT;
	  "true", TRUE;
	  "try", TRY;
	  "type", TYPE;
	  (* "var", VAR; ??? *)
	  "void", VOID;
	  "volatile", VOLATILE;
	  "while", WHILE;
	]
    in table

  let id_or_kw s =
    try
      let k = Hashtbl.find kw_table s in
      (*i
	prerr_string "Keyword ";
	prerr_endline s;
	i*)
      k
    with
	Not_found ->
	  (*i
	    prerr_string "Ident ";
	    prerr_endline s;
	    i*)
	  (ID s)

  let special_kw_table =
    let table = Hashtbl.create 17 in
    let _ =
      List.iter
	(fun (s,t) -> Hashtbl.add table s t)
	[ "\\at", BSAT;
	  "\\exists", BSEXISTS ;
	  "\\fresh", BSFRESH ;
	  "\\forall", BSFORALL ;
	  "\\nothing", BSNOTHING;
	  (*
	  "fields_of", BSFIELDSOF;
          "not_conditionally_updated", BSNOTCONDITIONALLYUPDATED;
	  *)
	  "\\old", BSOLD;
	  "\\result", BSRESULT;
	  (*"type", BSTYPE;
	  "typeof", BSTYPEOF;
	  "fpi", BSFPI; *)
	]
    in table

  let builtins_table =
    let table = Hashtbl.create 17 in
    let _ =
      List.iter
	(fun (_ty,id,_params) -> Hashtbl.add table id ())
	Java_pervasives.builtin_logic_symbols
    in table

  let special_id lexbuf s =
    try
      Hashtbl.find special_kw_table s
    with
	Not_found ->
	  try
	    let () = Hashtbl.find builtins_table s in
	    ID s
	  with
	      Not_found ->
		lex_error lexbuf ("unknown special keyword "^s)

(*

  let jml_spec_token base jml_string =
(*i
    Format.fprintf Config.log "In file %s, parsing JML Spec: %s@."
      (Location.base_filename base) jml_string;
i*)
    match Jml_syntax.parse_jml_specification base jml_string with
    | Ast_types.Jml_declaration d -> JML_DECLARATIONS(d)
    | Ast_types.Jml_method_specification s -> JML_METHOD_SPECIFICATION(s)
    | Ast_types.Jml_loop_annotation la -> JML_LOOP_ANNOTATION(la)
    | Ast_types.Jml_assertion a -> JML_ASSERTION(a)
    | Ast_types.Jml_annotation_statement Ast_types.Set_statement s -> JML_ANNOTATION_STATEMENT(Ast_types.Set_statement(s))
    | Ast_types.Jml_axiom(id,e) -> JML_AXIOM(id,e)
    | Ast_types.Jml_type(id) -> JML_TYPE(id)
    | Ast_types.Jml_logic_reads(id,t,p,r) -> JML_LOGIC_READS(id,t,p,r)
    | Ast_types.Jml_logic_def(id,t,p,e) -> JML_LOGIC_DEF(id,t,p,e)
    assert false

*)
  let newline lexbuf =
    let pos = lexbuf.lex_curr_p in
    lexbuf.lex_curr_p <-
      { pos with pos_lnum = pos.pos_lnum + 1;
	  pos_bol = pos.pos_cnum }

  let pragma lexbuf id v =
    match id with
      | "TerminationPolicy" ->
	  begin
	    Java_options.termination_policy :=
	      match v with
		| "always" -> Jc_env.TPalways
		| "user" -> Jc_env.TPuser
		| "never" -> Jc_env.TPnever
		| _ -> lex_error lexbuf ("unknown termination policy " ^ v)
	  end

      | "AbstractDomain" ->
	  begin
	    Java_options.ai_domain :=
	      match v with
		| "None" -> Jc_env.AbsNone
		| "Box" -> Jc_env.AbsBox
		| "Oct" -> Jc_env.AbsOct
		| "Pol" -> Jc_env.AbsPol
		| _ -> lex_error lexbuf ("unknown abstract domain " ^ v)
	  end
      | "AnnotationPolicy" ->
	  begin
	    Java_options.annotation_sem :=
	      match v with
		| "None" -> Jc_env.AnnotNone
		| "Invariants" -> Jc_env.AnnotInvariants
		| "WeakPre" -> Jc_env.AnnotWeakPre
		| "StrongPre" -> Jc_env.AnnotStrongPre
		| _ -> lex_error lexbuf ("unknown annotation policy " ^ v)
	  end
      | "CheckArithOverflow" ->
	  begin
	    match String.lowercase v with
	      | "yes" -> Java_options.ignore_overflow := false
	      | "no" -> Java_options.ignore_overflow := true
	      | _ -> lex_error lexbuf "yes or no expected"
	  end
      | "InvariantPolicy" ->
	  begin
	    Java_options.inv_sem :=
	      match v with
		| "None" -> Jc_env.InvNone
		| "Arguments" -> Jc_env.InvArguments
		| "Ownership" -> Jc_env.InvOwnership
		| _ -> lex_error lexbuf ("unknown invariant policy " ^ v)
	  end
      | "SeparationPolicy" ->
	  begin
	    Java_options.separation_policy :=
	      match v with
		| "None" -> Jc_env.SepNone
		| "Regions" -> Jc_env.SepRegions
		| _ -> lex_error lexbuf ("unknown separation policy " ^ v)
	  end
      | "NonNullByDefault" ->
	  begin
	    Java_options.nonnull_sem :=
	    match v with
	      | "none" -> Java_env.NonNullNone
	      | "fields" -> Java_env.NonNullFields
	      | "all" -> Java_env.NonNullAll
	      | "alllocal" -> Java_env.NonNullAllLocal
	      | _ -> lex_error lexbuf ("unknown nonnull policy " ^ v)
	  end
      | "MinimalClassHierarchy" ->
	  begin
	    match String.lowercase v with
	      | "yes" -> Java_options.minimal_class_hierarchy := true
	      | "no" -> Java_options.minimal_class_hierarchy := false
	      | _ -> lex_error lexbuf "yes or no expected"
	  end
      | _ -> lex_error lexbuf ("unknown pragma " ^ id)

}

let space = [' ' '\t' '\r' '']
let backslash_escapes =
  ['\\' '"' '\'' 'n' 't' 'b' 'r' 'f' ]
let rD = ['0'-'9']
let rL = ['a'-'z' 'A'-'Z' '_']
let rH = ['a'-'f' 'A'-'F' '0'-'9']
let rE = ['E''e']['+''-']? rD+
let rP = ['P''p']['+''-']? rD+
let rFS	= ('f'|'F'|'l'|'L')
let rIS = ('u'|'U'|'l'|'L')*


rule token = parse
  | space+
      { token lexbuf }
  | '\n'
      { newline lexbuf; token lexbuf }
  | ("/*" | "//") space+ "@"
      { lex_error lexbuf "no space allowed between /* and @" }
  | "//@+" space* ((rL | rD)+ as id) space* "="
        space* ((rL | rD)+ as v) space* '\n'
      { pragma lexbuf id v; newline lexbuf; token lexbuf }
  | "/*@"
      { let loc = lexeme_start_p lexbuf in
	Buffer.clear buf; ANNOT(loc, annot lexbuf) }
  | "//@" ([^ '\n']* as a) '\n'
      { let loc = lexeme_start_p lexbuf in
	newline lexbuf;	ANNOT(loc,a) }
  | "/*"
      { comment lexbuf; token lexbuf }
  | "//" ([^'\n''@'][^'\n']*)? '\n'
      { newline lexbuf; token lexbuf }
  | "\\" rL (rL | rD)* as id
      { special_id lexbuf id }
  | rL (rL | rD)* as id
      { id_or_kw id }
  | ';'
      { SEMICOLON }
  | ','
      { COMMA }
  | '.'
      { DOT }
  | ".."
      { DOTDOT }
  | '+'
      { PLUS }
  | '-'
      { MINUS }
  | "++"
      { PLUSPLUS }
  | "--"
      { MINUSMINUS }
  | '*'
      { STAR }
  | '/'
      { SLASH }
  | '%'
      { PERCENT }
  | "&"
      { AMPERSAND }
  | "|"
      { VERTICALBAR }
  | "&&"
      { AMPERSANDAMPERSAND }
  | "||"
      { VERTICALBARVERTICALBAR }
  | "==>"
      { EQEQGT }
  | "<==>"
      { LTEQEQGT }
  | "!"
      { BANG }
  | "~"
      { TILDA }
  | "^"
      { CARET }
  | "?"
      { QUESTIONMARK }
  | ":"
      { COLON }
  | "<<"
      { SHIFT Blsl }
  | ">>"
      { SHIFT Blsr }
  | ">>>"
      { SHIFT Basr }
  | "="
      { EQ }
  | "*="
      { ASSIGNOP Bmul }
  | "/="
      { ASSIGNOP Bdiv }
  | "%="
      { ASSIGNOP Bmod }
  | "+="
      { ASSIGNOP Badd }
  | "-="
      { ASSIGNOP Bsub }
  | "<<="
      { ASSIGNOP Blsl }
  | ">>="
      { ASSIGNOP Blsr }
  | ">>>="
      { ASSIGNOP Basr }
  | "&="
      { ASSIGNOP Bbwand }
  | "^="
      { ASSIGNOP Bbwxor }
  | "|="
      { ASSIGNOP Bbwor }
  | ">"
      { GT }
  | "<"
      { LT }
  | "<="
      { LE }
  | ">="
      { GE }
  | "=="
      { EQOP Beq }
  | "!="
      { EQOP Bne }


      (* decimal constants *)

  | ('0' | ['1'-'9']rD*) ['l''L']? as n
      { INTCONSTANT n }

      (* octal constants *)

  | '0'['0'-'7']+ ['l''L']? as n
      { INTCONSTANT n }

      (* hexadecimal constants *)

  | '0'['x''X']rH+['l''L']? as n
    { INTCONSTANT n }

      (* trick to deal with intervals like 0..10 *)

  | (rD+ as n) ".."         { raise (Dotdot n) }

      (* floating-point constants *)

  | (rD+ '.' rD* (['e''E']['-''+']?rD+)?) as pre (['f''F''d''D'] as suf) ?
      { REALCONSTANT (pre,suf) }

  | ('.' rD+ (['e''E']['-''+']?rD+)?) as pre (['f''F''d''D'] as suf) ?
      { REALCONSTANT (pre,suf) }

  | (rD+ ['e''E'] ['-''+']?rD+) as pre (['f''F''d''D'] as suf) ?
      { REALCONSTANT (pre,suf) }

  | ('0'['x''X'] rH+ '.' rH* rP) as pre (['f''F''d''D'] as suf) ?
  | ('0'['x''X'] rH* '.' rH+ rP) as pre (['f''F''d''D'] as suf) ?
  | ('0'['x''X'] rH+ rP) as pre (['f''F''d''D'] as suf) ?
      { REALCONSTANT (pre,suf) }

      (* character constants *)

  | "'" _ "'" as s
      { CHARACTER s }

  | "'\\" backslash_escapes "'" as s
      { CHARACTER s }

  | "'\\" ['0'-'3'] ['0'-'7'] ['0'-'7'] "'" as s
      { CHARACTER s }

  | "'\\" ['0'-'7'] ['0'-'7'] "'" as s
      { CHARACTER s }

  | "'\\" ['0'-'7'] "'" as s
      { CHARACTER s }

  | "'\\u" rH rH rH rH "'" as s
      { CHARACTER s }

  | '('
      { LEFTPAR }
  | ')'
      { RIGHTPAR }
  | '{'
      { LEFTBRACE }
  | '}'
      { RIGHTBRACE }
  | '['
      { LEFTBRACKET }
  | ']'
      { RIGHTBRACKET }
  | '"'
      { Buffer.clear buf; STRING(string lexbuf) }
  | _
      { lex_error lexbuf ("unexpected char `" ^ lexeme lexbuf ^ "'") }
  | eof
      { EOF }

and string = parse
  | '"'
      { Buffer.contents buf }
  | '\\' backslash_escapes
      { Buffer.add_string buf (lexeme lexbuf);
	string lexbuf }
  | '\\' _
      { lex_error lexbuf "unknown escape sequence in string" }
  | ['\n' '\r']
      { (* no \n anymore in strings since java 1.4 *)
	lex_error lexbuf "string not terminated"; }
  | [^ '\n' '\\' '"']+
      { Buffer.add_string buf (lexeme lexbuf); string lexbuf }
  | eof
      { lex_error lexbuf "string not terminated" }

and comment = parse
  | "*/"
      { () }
  | '\n'
      { newline lexbuf; comment lexbuf }
  | [^'*''\n']+
      { comment lexbuf }
  | _
      { comment lexbuf }
  | eof
      { lex_error lexbuf "comment not terminated" }

and annot = parse
  | "*/"
      { Buffer.contents buf }
  | '\n'
      { newline lexbuf;
	Buffer.add_string buf (lexeme lexbuf);
	annot lexbuf }
  | ('\n' space* as s) '@'
      { newline lexbuf;
	Buffer.add_string buf s;
	Buffer.add_char buf ' ';
	annot lexbuf }
  | [^'@''*''\n''/']+
      { Buffer.add_string buf (lexeme lexbuf);
	annot lexbuf }
  | '@'
      { annot lexbuf }
  | _
      { Buffer.add_string buf (lexeme lexbuf);
	annot lexbuf }
  | eof
      { lex_error lexbuf "annotation not terminated" }

{

let dotdot_mem = ref false

let next_token lexbuf =
  if !dotdot_mem then
    begin
      dotdot_mem := false;
      Format.eprintf "DOTDOT@.";
      DOTDOT
    end
  else
    begin
      try
	token lexbuf
      with
	Dotdot(n) ->
	  dotdot_mem := true;
	  INTCONSTANT n
    end

  let parse f c =
    let lb = from_channel c in
    lb.lex_curr_p <- { lb.lex_curr_p with pos_fname = f };
    try
      Java_parser.compilation_unit next_token lb
    with Parsing.Parse_error ->
      Java_options.parsing_error (loc lb) ""

  let parse_spec f c =
    let lb = from_channel c in
    lb.lex_curr_p <- { lb.lex_curr_p with pos_fname = f };
    try
      Java_parser.kml_spec_eof next_token lb
    with Parsing.Parse_error ->
      Java_options.parsing_error (loc lb) ""

}

(*
Local Variables:
compile-command: "make -j -C .. bin/krakatoa.byte"
End:
*)
why-2.39/java/java_main.ml0000644000106100004300000002644013147234006014437 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



open Java_env
open Format
open Jc_constructors.PDecl

let main () =
  let files = Java_options.files () in
  if files = [] then Java_options.usage ();
  (* phase 1 : parsing *)
  let astl = List.map Java_syntax.file files in
  printf "Parsing OK.@.";
  (* phase 2 : typing *)
  Java_options.lprintf "(****** typing phase *****)@.";
  let (p, t) = Java_typing.get_types [] astl in
  Java_options.lprintf "(****** typing phase 2 : get bodies *****)@.";
  List.iter (Java_typing.get_bodies p t) astl;
  Java_options.lprintf "(****** typing phase 3 : type specs *****)@.";
  Java_typing.type_specs p t;
  printf "Typing OK.@.";

  if !Java_options.abstract <> "" then
    begin
      match astl with
	| [a] ->
	    Pp.print_in_file
	      (fun fmt -> Java_abstract.compilation_unit fmt a)
	      !Java_options.abstract;
	    exit 0
	| _ ->
	    eprintf "cannot take %d files with option -abstract@." (List.length astl);
	    Java_options.usage ()
    end;

  (************)
  (* Analyses *)
  (************)

  Hashtbl.iter
    (fun _ (f,t) -> Java_callgraph.compute_logic_calls f t)
    Java_typing.logic_defs_table;

  Hashtbl.iter
    (fun _ mt ->
       Option_misc.iter
	 (Java_callgraph.compute_calls
	    mt.Java_typing.mt_method_info
	    mt.Java_typing.mt_requires)
	 mt.Java_typing.mt_body)
    Java_typing.methods_table;

  Hashtbl.iter
    (fun _ ct ->
       Java_callgraph.compute_constr_calls
	 ct.Java_typing.ct_constr_info
	 ct.Java_typing.ct_requires
	 ct.Java_typing.ct_body)
    Java_typing.constructors_table;

  let _logic_components =
    Java_callgraph.compute_logic_components
      Java_typing.logic_defs_table
  in
  let components =
    Java_callgraph.compute_components
      Java_typing.methods_table
      Java_typing.constructors_table
  in
  Hashtbl.iter
    (fun _ ty ->
       Java_analysis.do_type ty)
    Java_typing.type_table;
  (* analyze in any order *)
  (*
    Hashtbl.iter
    (fun mi mti ->
    Java_analysis.do_method
    mti.Java_typing.mt_method_info
    mti.Java_typing.mt_requires
    mti.Java_typing.mt_ensures
    mti.Java_typing.mt_behaviors
    mti.Java_typing.mt_body)
    Java_typing.methods_table;
    Hashtbl.iter
    (fun ci cti ->
    Java_analysis.do_constructor
    cti.Java_typing.ct_constr_info
    cti.Java_typing.ct_requires
    cti.Java_typing.ct_ensures
    cti.Java_typing.ct_behaviors
    cti.Java_typing.ct_body)
    Java_typing.constructors_table;
  *)

  (* analyze following call graph order
     TODO: precise the meaning of call graph with dynamic calls *)
  Array.iter
    (List.iter
       (fun mi ->
	  match mi with
	    | MethodInfo mi ->
		let mti = Hashtbl.find Java_typing.methods_table
		  mi.method_info_tag
		in
		Java_analysis.do_method
		  mti.Java_typing.mt_method_info
		  mti.Java_typing.mt_requires
		  mti.Java_typing.mt_behaviors
		  mti.Java_typing.mt_body
	    | ConstructorInfo ci ->
		let cti = Hashtbl.find Java_typing.constructors_table
		  ci.constr_info_tag
		in
		Java_analysis.do_constructor
		  cti.Java_typing.ct_constr_info
		  cti.Java_typing.ct_requires
		  cti.Java_typing.ct_behaviors
		  cti.Java_typing.ct_body))
    components;

  (*******************************)
  (* production of jessie output *)
  (*******************************)

  Java_options.lprintf "production phase 1.1 : generation of Jessie logic types@.";
  let decls =
(*
    Hashtbl.fold
      (fun _ id acc ->
	 Java_options.lprintf "generating logic type `%s'@." id;
 	 Java_interp.tr_logic_type id acc)
      Java_typing.logic_types_table
*)
      []
  in

  Java_options.lprintf "production phase 1.2 : generation of Jessie range_types@.";
  let decls = Java_interp.range_types decls in

  let non_null_preds, acc, decls_arrays = Java_interp.array_types [] in

  let decls_constants =
    Hashtbl.fold
      (fun _ id acc -> Java_interp.tr_final_static_fields id acc)
      Java_typing.type_table
      [] in

  Java_options.lprintf "production phase 1.3 : generation of Jessie struct types@.";
  let non_null_preds = Java_interp.tr_non_null_logic_fun () :: non_null_preds in
  let decls_java_types, decls_structs =
    Hashtbl.fold
      (fun _ id (acc0, acc) ->
	 Java_interp.tr_class_or_interface id acc0 acc)
      Java_typing.type_table
      ([], decls_arrays)
  in
  let decl_any_string = Java_interp.decl_any_string in
  let decls = decls_structs @ acc @ decls_java_types @ decl_any_string @ decls_constants @ non_null_preds @ decls in


  Java_options.lprintf "production phase 1.4 : generation of Jessie logic functions@.";
  (* fix: Hashtbl.fold order is not specified... *)
  let tmp =
    Hashtbl.fold
      (fun k x acc -> (k,x)::acc)
      Java_typing.logic_defs_table []
  in
  let tmp = List.sort (fun (k1,_) (k2,_) -> Pervasives.compare k1 k2) tmp in
  let decls =
    List.fold_left
      (fun acc (_,(li,p)) ->
	 Java_options.lprintf "generating logic function `%s'@."
	   li.java_logic_info_name;
	 Java_interp.tr_logic_fun li (p :> Java_typing.logic_decl_body) acc)
      decls
      tmp
  in
  let decls =
    Hashtbl.fold Java_interp.tr_axiomatic Java_typing.axiomatics_table
      decls
  in
  (* production phase 1.5 : generation of Jessie lemmas *)
  let lemmas =
    Hashtbl.fold
      (fun id (loc,lab,p) acc -> (id,Loc.extract loc,lab,p)::acc)
      Java_typing.lemmas_table
      []
  in
  let compare_locs (id1,(_,l1,_,_),_,_) (id2,(_,l2,_,_),_,_) =
    let c = Pervasives.compare l1 l2 in
    if c = 0 then Pervasives.compare id1 id2 else c
  in
  let lemmas = List.sort compare_locs lemmas in
  let decls =
    List.fold_left
      (fun acc (id,loc,lab,p) ->
	 Java_options.lprintf "generating lemma `%s'@."  id;
	 Java_interp.tr_axiom id false loc lab p acc)
      decls
      lemmas
  in

  (* any_string function *)
  (*  let decls = Java_interp.any_string_decl :: decls in *)
  (* class invariants *)
  let decls =
    Hashtbl.fold
      (fun _ (ci, id, invs) acc ->
	 Java_interp.tr_invariants ci id invs acc)
      Java_typing.invariants_table decls
  in

  (* production phase 1.5: generation of Jessie global invariants *)
  let decls =
    Hashtbl.fold
      (fun _ invs acc ->
	 (List.map (Java_interp.tr_static_invariant) invs) @ acc)
      Java_typing.static_invariants_table
      decls
  in

  (* production phase 1.6 : generation of Jessie exceptions *)
  let decls =
    Hashtbl.fold
      (fun _ ei acc ->
	 Java_interp.tr_exception ei acc)
      Java_interp.exceptions_table
      decls
  in


  (* production phase 4 : generation of Jessie functions *)
  let decls =
    Array.fold_left
      (fun acc l ->
         let methods,constrs =
	   List.fold_left
	     (fun (m,c) f ->
	        match f with
		  | MethodInfo mi ->
		      let mt = Hashtbl.find Java_typing.methods_table
		        mi.method_info_tag
		      in
		      printf "Generating JC function %s for method %a.%s@."
		        mi.method_info_trans_name
		        Java_typing.print_type_name
		        mi.method_info_class_or_interface
		        mi.method_info_name;
		      (Java_interp.tr_method_spec mi
		        mt.Java_typing.mt_requires
		        mt.Java_typing.mt_decreases
		        mt.Java_typing.mt_behaviors
		        mt.Java_typing.mt_body m, c)
		  | ConstructorInfo ci ->
		      let ct = Hashtbl.find Java_typing.constructors_table
		        ci.constr_info_tag
		      in
		      printf "Generating JC function %s for constructor %s@."
		        ci.constr_info_trans_name
		        ci.constr_info_class.class_info_name;
		      (m,Java_interp.tr_constr_spec ci
		         ct.Java_typing.ct_requires
		         ct.Java_typing.ct_behaviors
                         ct.Java_typing.ct_body c))
             ([],[])
             l
         in
         let acc =
           List.fold_left
             (fun acc m ->
                Java_interp.tr_method_body m acc)
	     acc
             methods
         in
         List.fold_left
           (fun acc c ->
              Java_interp.tr_constr_body c acc)
	   acc
           constrs)
      decls
      components
  in

  (* production phase 5 : produce Jessie file *)
  let decls =
    (mkinvariant_policy_def ~value:!Java_options.inv_sem ())
    :: (mktermination_policy_def ~value:!Java_options.termination_policy ())
    :: (mkseparation_policy_def ~value:!Java_options.separation_policy ())
    :: (mkannotation_policy_def ~value:!Java_options.annotation_sem ())
    :: (mkabstract_domain_def ~value:!Java_options.ai_domain ())
    :: List.rev decls
  in
  let f = List.hd files in
  let f = Filename.chop_extension f in
  let cout = Pp.print_in_file_no_close
    (fun fmt -> fprintf fmt "%a@." Jc_poutput.pdecls decls)
    (f ^ ".jc")
  in
  close_out cout;

  (* production phase 5.2 : produce locs file *)
  Pp.print_in_file Output.old_print_pos (f ^ ".jloc");

  printf "Done.@.";
  if not !Java_options.gen_only then
    begin
      let jessie_cmd =
	try Sys.getenv "JESSIEEXEC"
	with Not_found -> "jessie"
      in
      let cmd = jessie_cmd ^ " -locs " ^ f ^ ".jloc " ^
                       "-why3cmd \"" ^ Java_options.why3cmd ^ "\" " ^
                       f ^ ".jc"
      in
      printf "Calling Jessie... (%s)@." cmd;
      let _ret = Sys.command cmd in ()
    end


let _ =
  Sys.catch_break true;
  Java_typing.catch_typing_errors main ()


(*
  Local Variables:
  compile-command: "LC_ALL=C make -j -C .. bin/krakatoa.byte"
  End:
*)
why-2.39/java/java_ast.mli0000644000106100004300000002465313147234006014457 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

(***************************************************************************

Abstract syntax trees for Java source files

$Id: java_ast.mli,v 1.49 2009-11-12 16:55:27 marche Exp $

***************************************************************************)

open Java_env

(*s Qualified identifiers *)

type identifier = Loc.position * string

type qualified_ident = identifier list

(*s Modifiers *)

type modifier =
  | Static | Final  | Public | Private | Protected | Native
  | Synchronized | Abstract | Transient (* "threadsafe" ? *) | Volatile
  | Strictfp
  | Ghost | Model
  | Non_null | Nullable | Annot_modifier of Lexing.position * string

type modifiers = modifier list

(*s type expressions *)

type type_expr =
    | Base_type of base_type
    | Type_name of qualified_ident
    | Array_type_expr of type_expr

(*s expressions *)

type quantifier = Forall | Exists

type variable_id =
  | Simple_id of identifier
  | Array_id of variable_id


type incr_decr_op = Preincr | Predecr | Postincr | Postdecr

type bin_op =
    | Badd | Bsub | Bmul | Bdiv | Bmod
    | Band | Bor | Bimpl | Biff
    | Bbwand | Bbwor | Bbwxor
    | Blsl | Blsr | Basr
    | Beq | Bne | Bgt | Blt | Ble | Bge
    | Bconcat (* + for Strings *)

type un_op = Uplus | Uminus | Unot | Ucompl

type java_field_access =
  | Super_access of identifier
  | Primary_access of pexpr * identifier

and pexpr =
  { java_pexpr_loc : Loc.position ;
    java_pexpr_node : pexpr_node }

and pexpr_node =
  | JPElit of literal
  | JPEbin of pexpr * bin_op * pexpr         (*r binary operations *)
  | JPEun of un_op * pexpr                 (*r (pure) unary operations *)
  | JPEincr of incr_decr_op * pexpr (*r pre-post incr/decr operations *)
(*
  | JPEvar of identifier
*)
  | JPEname of qualified_ident
  | JPEassign_name of qualified_ident * bin_op * pexpr
  | JPEassign_field of java_field_access * bin_op * pexpr
  | JPEassign_array of pexpr * pexpr * bin_op * pexpr
      (*r [Assign_array(e1,e2,op,e3)] is [e1[e2] op e3] *)
      (*r assignment op is =, +=, etc. *)
  | JPEif of pexpr * pexpr * pexpr
  | JPEthis
  | JPEfield_access of java_field_access
  | JPEcall_name of qualified_ident * identifier list * pexpr list
  | JPEcall_expr of pexpr * identifier * pexpr list
  | JPEsuper_call of identifier * pexpr list
  | JPEnew of qualified_ident * pexpr list
  | JPEnew_array of type_expr * pexpr list
      (*r type, explicit dimensions *)
  | JPEarray_access of pexpr * pexpr
  | JPEarray_range of pexpr * pexpr option * pexpr option
  | JPEcast of type_expr * pexpr
  | JPEinstanceof of pexpr * type_expr
      (* in annotations only *)
  | JPEresult
  | JPEfresh of pexpr
  | JPEold of pexpr
  | JPEat of pexpr * identifier
(*
  | Type of type_expr
  | Typeof of expr
*)
  | JPEquantifier of quantifier * (type_expr * variable_id list) list * pexpr


(*
and set_ref =
  | Set_array_index of expr
      (*r e[e] *)
  | Set_array_interval of expr * expr
      (*r e[e..e] *)
  | Set_array
      (*r e[*] *)
  | Set_field of instance_variable_entry
      (* e.f *)
  | Set_fieldraw of identifier
*)

(*s variable declarations *)

type variable_initializer =
  | Simple_initializer of pexpr
  | Array_initializer of variable_initializer list

type variable_declarator =
    { variable_id : variable_id ;
      variable_initializer : variable_initializer option }


type variable_declaration =
    { variable_modifiers : modifiers ;
      variable_type : type_expr ;
      variable_decls : variable_declarator list }


(*s statements *)

type pbehavior =
    { java_pbehavior_assumes : pexpr option;
      java_pbehavior_assigns : (Loc.position * pexpr list) option;
      java_pbehavior_allocates : (Loc.position * pexpr list) option;
      java_pbehavior_throws : (qualified_ident * identifier option) option;
      java_pbehavior_ensures : pexpr
    }

type 'a switch_label =
  | Case of 'a
  | Default

type parameter =
  | Simple_parameter of modifier option * type_expr * identifier
  | Array_parameter of parameter

type pstatement =
  { java_pstatement_loc : Loc.position ;
    java_pstatement_node : pstatement_node }

and pstatement_node =
  | JPSskip                  (*r empty statement *)
  | JPSexpr of pexpr
  | JPSvar_decl of variable_declaration
  | JPSthrow of pexpr
  | JPSreturn of pexpr option
  | JPSbreak of identifier option
  | JPScontinue of identifier option
  | JPSlabel of identifier * pstatement
  | JPSif of pexpr * pstatement * pstatement
  | JPSwhile of pexpr * pstatement
  | JPSdo of pstatement * pexpr
  | JPSfor of pexpr list * pexpr * pexpr list * pstatement
  | JPSfor_decl of variable_declaration * pexpr * pexpr list * pstatement
  | JPStry of block * (parameter * block) list * block option
  | JPSswitch of pexpr * (pexpr switch_label list * block) list
  | JPSblock of block
  | JPSsynchronized of pexpr * block
  | JPSassert of identifier option * identifier option * pexpr
      (* for id1: assert id2 : e *)
  | JPSghost_local_decls of variable_declaration
  | JPSghost_statement of pexpr
  | JPSannot of Lexing.position * string
  | JPSloop_annot of pexpr * (identifier * pexpr) list *
      (pexpr * identifier option) option
      (* inv, beh invs, variant *)
  | JPSstatement_spec of
      pexpr option * (pexpr * identifier option) option
      * (identifier * pbehavior) list
      (* requires, decreases, behaviors *)

and block = pstatement list

;;

(*s method declarations *)

type method_declarator =
  | Simple_method_declarator of identifier * parameter list
  | Array_method_declarator of method_declarator
;;

type method_declaration =
    { method_modifiers : modifiers ;
      method_return_type : type_expr option ;
      method_declarator : method_declarator ;
      method_throws : qualified_ident list ;
    }
;;

(*s constructor declarations *)


type explicit_constructor_invocation =
  | Invoke_none
  | Invoke_this of pexpr list
  | Invoke_super of pexpr list

type constructor_declaration =
    { constr_modifiers : modifiers ;
      constr_name : identifier ;
      constr_parameters : parameter list ;
      constr_throws : qualified_ident list }
;;




(*s class declarations *)

type field_declaration =
  | JPFmethod of method_declaration * block option
  | JPFconstructor of constructor_declaration *
      explicit_constructor_invocation * block
  | JPFvariable of variable_declaration
  | JPFstatic_initializer of block
  | JPFannot of Lexing.position * string
  | JPFinvariant of identifier * pexpr
  | JPFstatic_invariant of identifier * pexpr
  | JPFmethod_spec of
      pexpr option * (pexpr * identifier option) option
      * (identifier * pbehavior) list
        (* requires, decreases, behaviors *)
  | JPFclass of class_declaration
  | JPFinterface of interface_declaration

and class_declaration =
    {
      class_modifiers : modifiers;
      class_name : identifier;
      class_extends : qualified_ident option;
      class_implements : qualified_ident list;
      class_fields : field_declaration list
    }

(*s interface declarations *)

and interface_declaration =
    { interface_modifiers : modifiers;
      interface_name : identifier;
      interface_extends : qualified_ident list;
      interface_members : field_declaration list
    }



(* my 30.07*)

type poly_theory_id =
 | PolyTheoryId of qualified_ident * identifier list (* type type_parameter_list *)

(*s compilation units *)

type type_declaration =
  | JPTclass of class_declaration
  | JPTinterface of interface_declaration
  | JPTannot of Lexing.position * string
  | JPTlemma of identifier * bool * identifier list * pexpr
  | JPTlogic_type_decl of identifier
  | JPTlogic_reads of identifier * type_expr option * identifier list * parameter list * pexpr list option
  | JPTlogic_def of identifier * type_expr option * identifier list * parameter list * pexpr
  | JPTinductive of identifier * identifier list * parameter list * (identifier * identifier list * pexpr) list
  | JPTaxiomatic of identifier * type_declaration list
  | JPTimport of  poly_theory_id


type theory =
 | JPTtheory of poly_theory_id * type_declaration list


type import_statement =
  | Import_package of qualified_ident
  | Import_class_or_interface of qualified_ident

type compilation_unit =
    {
      cu_package : qualified_ident;
      cu_imports : import_statement list;
      cu_type_decls : type_declaration list
    }

(*
Local Variables:
compile-command: "make -C .. bin/krakatoa.byte"
End:
*)
why-2.39/java/java_interp.ml0000644000106100004300000021432213147234006015012 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



open Format
open Jc_env
open Jc_fenv
open Jc_ast
open Jc_constructors
open Jc_constructors.PExpr
open Jc_constructors.PDecl
open Java_env
open Java_ast
open Java_tast
open Java_pervasives
open Java_typing

let exn_name e = new identifier e.jc_exception_info_name
let var_name v = v.jc_var_info_name
let var_id v = new identifier v.jc_var_info_name
let fi_name f = f.jc_field_info_name

let reg_pos ?id ?kind ?name pos = Output.old_reg_pos "K" ?id ?kind ?name pos

let reg_position ?id ?kind ?name pos =
  Output.old_reg_pos "K" ?id ?kind ?name (Loc.extract pos)

let locate ?id ?kind ?name pos e =
  let lab = reg_position ?id ?kind ?name pos in
  new pexpr ~pos (JCPElabel(lab,e))

(*s loop tags *)

let get_loop_counter =
  let counter = ref 0 in
  function () -> let tag = !counter in incr counter; tag

(*s range types *)

(* byte = int8 *)
let byte_range =
  {
    jc_enum_info_name = "byte";
    jc_enum_info_min = min_byte;
    jc_enum_info_max = max_byte;
  }

(* short = int16 *)
let short_range =
  {
    jc_enum_info_name = "short";
    jc_enum_info_min = min_short;
    jc_enum_info_max = max_short;
  }

(* int = int32 *)
let int_range =
  {
    jc_enum_info_name = "int32";
    jc_enum_info_min = min_int;
    jc_enum_info_max = max_int;
  }

(* long = int64 *)
let long_range =
  {
    jc_enum_info_name = "long";
    jc_enum_info_min = min_long;
    jc_enum_info_max = max_long;
  }

(* char = uint16 *)
let char_range =
  {
    jc_enum_info_name = "char";
    jc_enum_info_min = min_char;
    jc_enum_info_max = max_char;
  }

let range_types acc =
  if !Java_options.ignore_overflow then acc else
  List.fold_left
    (fun acc ri ->
       (mkenum_type_def
          ~name: ri.jc_enum_info_name
          ~left: ri.jc_enum_info_min
          ~right: ri.jc_enum_info_max
          ())::acc)
    acc [ byte_range ; short_range ; int_range ; long_range ; char_range ]


let byte_type = JCTenum byte_range
let short_type = JCTenum short_range
let int_type = JCTenum int_range
let long_type = JCTenum long_range
let char_type = JCTenum char_range

let get_enum_info t =
  match t with
    | Tshort -> short_range
    | Tint -> int_range
    | Tlong -> long_range
    | Tchar -> char_range
    | Tbyte -> byte_range
    | _ -> assert false

let tr_base_type t =
  match t with
    | Tstring -> Jc_pervasives.string_type
    | Tunit -> Jc_pervasives.unit_type
    | Tboolean -> Jc_pervasives.boolean_type
    | Tinteger -> Jc_pervasives.integer_type
    | Tshort ->
	if !Java_options.ignore_overflow then Jc_pervasives.integer_type else
	short_type
    | Tint ->
	if !Java_options.ignore_overflow then Jc_pervasives.integer_type else
	int_type
    | Tlong ->
	if !Java_options.ignore_overflow then Jc_pervasives.integer_type else
	long_type
    | Tchar ->
	if !Java_options.ignore_overflow then Jc_pervasives.integer_type else
	char_type
    | Tbyte  ->
	if !Java_options.ignore_overflow then Jc_pervasives.integer_type else
	byte_type
    | Treal -> Jc_pervasives.real_type
    | Tfloat -> Jc_pervasives.real_type (* TODO *)
    | Tdouble -> Jc_pervasives.real_type (* TODO *)

(*s class types *)

let rec object_variant = {
  jc_root_info_name = "Object";
  jc_root_info_hroots = [ object_root ];
  jc_root_info_kind = Rvariant;
  jc_root_info_union_size_in_bytes = 0;
}

and object_root = {
  jc_struct_info_params = [];
  jc_struct_info_name = "Object";
  jc_struct_info_parent = None;
  jc_struct_info_hroot = object_root;
  jc_struct_info_fields = [];
  jc_struct_info_root = Some object_variant;
}

let get_class name =
  {
  jc_struct_info_params = [];
    jc_struct_info_name = name;
    jc_struct_info_parent = None;
    jc_struct_info_hroot = object_root;
    jc_struct_info_fields = [];
    jc_struct_info_root = Some object_variant;
  }

(*
let get_interface ii =
  {
    jc_struct_info_name = ii.interface_info_name;
    jc_struct_info_parent = None;
    jc_struct_info_root = ii.interface_info_name;
    jc_struct_info_fields = [];
  }
*)

(*
let rec interface_root = {
  jc_struct_info_name = "interface";
  jc_struct_info_parent = None;
  jc_struct_info_root = interface_root;
  jc_struct_info_fields = [];
  jc_struct_info_variant = Some object_variant;
}
*)

let st_interface =
  {
    jc_struct_info_params = [];
    jc_struct_info_name = "Object/*interface*/";
    jc_struct_info_parent = None;
    jc_struct_info_hroot = object_root ; (* a la place de interface_root; *)
    jc_struct_info_fields = [];
    jc_struct_info_root = Some object_variant;
  }

(*s array types *)

let num_zero = Num.Int 0
let num_minus_one = Num.Int (-1)

let array_struct_table = Hashtbl.create 17

let rec get_array_struct pos t =
  let n = Java_analysis.name_type t in
  try
    (Hashtbl.find array_struct_table n : struct_info)
  with Not_found ->
    eprintf "Array struct for type %a (name : %s) not found: %a@."
      Java_typing.print_type t n Loc.report_position pos;
    raise Not_found

and tr_type pos t =
  match t with
    | JTYbase t -> tr_base_type t
    | JTYnull -> JCTnull
    | JTYclass (non_null, ci) ->
	let st = get_class ci.class_info_name in
	  JCTpointer
	    (JCtag(st, []), Some num_zero, if non_null then Some num_zero else None)
    | JTYinterface _ii ->
	JCTpointer(JCtag(st_interface, []), Some num_zero,None)
(*
	let st = get_interface ii in
	JCTpointer(st,Some num_zero,
	           (* if non_null then Some num_zero else *) None)
*)

    | JTYarray (non_null, t) ->
	let st = get_array_struct pos t in
	  JCTpointer (JCtag(st, []), Some num_zero, if non_null then Some num_minus_one else None)
    | JTYlogic i -> JCTlogic (i,[])

let ptype_node_of_type = function
  | JCTnative n -> JCPTnative n
  | JCTlogic (s,[]) -> JCPTidentifier (s,[])
  | JCTlogic (_s,_) -> failwith ("Java_interp.ptype_node_of_type : \
The case of logic type with argument is left undone")
  | JCTenum e -> JCPTidentifier (e.jc_enum_info_name,[])
  | JCTpointer(JCtag(st, _), l, r) -> JCPTpointer(st.jc_struct_info_name,[], l, r)
  | JCTpointer(JCroot v, l, r) ->
      JCPTpointer(v.jc_root_info_name,[], l, r)
  | JCTnull
  | JCTany | JCTtype_var _ -> assert false

let ptype_of_type t = new ptype (ptype_node_of_type t)


(*s structure fields *)

let fi_table = Hashtbl.create 97

let get_field fi =
  try
    Hashtbl.find fi_table fi.java_field_info_tag
  with
      Not_found ->
	eprintf "Internal error: field '%s' not found@."
	  fi.java_field_info_name;
	assert false

let create_field pos fi =
  Java_options.lprintf "Creating JC field '%s'@." fi.java_field_info_name;
  let ty = tr_type pos fi.java_field_info_type in
  let ci =
    match fi.java_field_info_class_or_interface with
      | TypeClass ci -> get_class ci.class_info_name
      | TypeInterface ii -> get_class ii.interface_info_name
  in
  let nfi =
    { jc_field_info_name = fi.java_field_info_name;
      jc_field_info_final_name = fi.java_field_info_name;
      jc_field_info_tag  = fi.java_field_info_tag;
      jc_field_info_type = ty;
      jc_field_info_hroot = ci.jc_struct_info_hroot;
      jc_field_info_struct = ci;
      jc_field_info_rep = false;
      jc_field_info_abstract = false;
      jc_field_info_bitsize = None;
      (*
	jc_field_info_final_name = vi.java_field_info_name;
	jc_var_info_assigned = vi.java_var_info_assigned;
	jc_var_info_type = tr_type vi.java_var_info_type;
	jc_var_info_tag = vi.java_var_info_tag;
      *)
    }
  in Hashtbl.add fi_table fi.java_field_info_tag nfi;
  nfi

let static_fields_table = Hashtbl.create 97

let get_static_var fi =
  try
    Hashtbl.find static_fields_table fi.java_field_info_tag
  with
      Not_found ->
	eprintf "Java_interp.get_static_var->Not_found: %s@." fi.java_field_info_name;
	raise Not_found


(* local variables and parameters *)

let vi_table = Hashtbl.create 97

let get_var vi =
  try
    Hashtbl.find vi_table vi.java_var_info_tag
  with
      Not_found ->
	eprintf "Java_interp.get_var->Not_found: '%s', %a@."
	  vi.java_var_info_final_name
	  Loc.report_position vi.java_var_info_decl_loc
	;
	raise Not_found

let create_var ?(formal=false) pos vi =
  let ty = tr_type pos vi.java_var_info_type in
  let nvi = Jc_pervasives.var ~formal ty vi.java_var_info_final_name in
  nvi.jc_var_info_assigned <- vi.java_var_info_assigned;
  Hashtbl.add vi_table vi.java_var_info_tag nvi;
  nvi

(*s logic types *)

let tr_logic_type id acc =
  mklogic_type ~name:id () :: acc

(*s logic funs *)

let logics_table = Hashtbl.create 97

let get_logic_fun fi =
  try
    Hashtbl.find logics_table fi.java_logic_info_tag
  with
      Not_found ->
	eprintf "Anomaly: cannot find logic symbol `%s'@." fi.java_logic_info_name;
	eprintf "[";
	Hashtbl.iter
	  (fun _ d -> eprintf "%s;" d.jc_logic_info_name) logics_table;
	eprintf "]@.";
	assert false

let tr_logic_label = function
  | LabelPre -> Jc_env.LabelPre
  | LabelHere -> Jc_env.LabelHere
  | LabelOld -> Jc_env.LabelOld
  | LabelName s ->
      Jc_env.LabelName {
	label_info_name = s;
	label_info_final_name = s;
	times_used = 0;
      }

let create_logic_fun pos fi =
  let nfi =
    match fi.java_logic_info_result_type with
      | None ->
	  Jc_pervasives.make_pred fi.java_logic_info_name
      | Some t ->
	  Jc_pervasives.make_logic_fun fi.java_logic_info_name
	    (tr_type pos t)
  in
  nfi.jc_logic_info_parameters <-
    List.map (create_var pos) fi.java_logic_info_parameters;
  nfi.jc_logic_info_labels <-
    List.map tr_logic_label fi.java_logic_info_labels;
  (* eprintf "adding symbol %s in logics_table@." fi.java_logic_info_name; *)
  Hashtbl.add logics_table fi.java_logic_info_tag nfi;
  nfi

let () =
  List.iter
    (fun fi -> let _ = create_logic_fun Loc.dummy_position fi in ())
    !Java_typing.builtin_logic_symbols

(*s program funs *)

let funs_table = Hashtbl.create 97

let get_fun pos tag =
  try
    Hashtbl.find funs_table tag
  with
      Not_found ->
	eprintf "Java_interp.get_fun->Not_found: %a@." Loc.report_position pos;
	raise Not_found

let create_fun pos tag result name params =
  let nfi =
    match result with
      | None ->
	  Jc_pervasives.make_fun_info name
	    Jc_pervasives.unit_type
      | Some vi ->
	  Jc_pervasives.make_fun_info name
	    (tr_type pos vi.java_var_info_type)
  in
  nfi.jc_fun_info_parameters <-
    List.map (fun (vi, _) -> (true,create_var pos vi)) params;
  Hashtbl.add funs_table tag nfi;
  nfi

(*s exceptions *)

let exceptions_table = Hashtbl.create 17

let get_exception ty =
  match ty with
    | JTYclass(_,ci) ->
	begin
	  try
	    Hashtbl.find exceptions_table ci.class_info_name
	  with
	      Not_found ->
		eprintf "exception %s not found@." ci.class_info_name;
		assert false
	end
    | _ -> assert false

let exceptions_tag = ref 0

let create_exception ty n =
  incr exceptions_tag;
  let ei =
    { jc_exception_info_name = n;
      jc_exception_info_tag = !exceptions_tag;
      jc_exception_info_type = ty
    }
  in
  Hashtbl.add exceptions_table n ei;
  ei

(*s terms *)


let any_string =
  mkapp
    ~fun_name: "any_string"
    ~args: []
    ()


(**)
let any_string_decl =
  mkfun_def
    ~result_type: (new ptype (JCPTpointer("String",[],Some num_zero,None)))
    ~name: (new identifier "any_string")
    ~params: []
    ~clauses: []
    ()
(**)

let decl_any_string =
  if !Java_options.javacard then [] else
    [ any_string_decl ]

let lit l =
  match l with
  | Integer s | Char s -> JCCinteger s
  | Float(s,_suf) -> JCCreal s (* TODO: support for true floating point numbers *)
  | Bool b -> JCCboolean b
  | String s -> JCCstring s
  | Null  -> JCCnull

let lun_op t op: [> Jc_ast.unary_op] =
  match op with
    | Unot -> `Unot
    | Uminus when (t = Tinteger || t = Tint || t = Treal) -> `Uminus
    | Uminus ->
	begin match t with
	  | Tstring -> assert false
	  | Tshort  -> assert false (* TODO *)
	  | Tboolean  -> assert false (* TODO *)
	  | Tbyte  -> assert false (* TODO *)
	  | Tchar  -> assert false (* TODO *)
	  | Tint  -> assert false (* should never happen *)
	  | Tfloat  -> assert false (* TODO *)
	  | Tlong  -> assert false (* TODO *)
	  | Tdouble  -> assert false (* TODO *)
	  | Treal  -> assert false (*  should never happen *)
	  | Tunit -> assert false (* TODO *)
	  | Tinteger -> assert false (* should never happen *)
	end
    | Uplus -> assert false
    | Ucompl -> `Ubw_not

let lbin_op _t op: [> Jc_ast.bin_op] =
  match op with
    | Bgt -> `Bgt
    | Bge -> `Bge
    | Ble -> `Ble
    | Blt -> `Blt
    | Bne -> `Bneq
    | Beq -> `Beq
    | Basr -> `Barith_shift_right
    | Blsr -> `Blogical_shift_right
    | Blsl -> `Bshift_left
    | Bbwxor -> `Bbw_xor
    | Bbwor -> `Bbw_or
    | Bbwand -> `Bbw_and
    | Biff -> `Biff
    | Bimpl -> `Bimplies
    | Bor -> `Blor
    | Band -> `Bland
    | Bmod -> `Bmod
    | Bdiv -> `Bdiv
    | Bmul -> `Bmul
    | Bsub -> `Bsub
    | Badd -> `Badd
    | Bconcat -> `Bconcat

let lobj_op op: [> comparison_op] =
  match op with
    | Bne -> `Bneq
    | Beq -> `Beq
    | _ -> assert false

(* non_null funs & preds *)

let non_null_funs = Hashtbl.create 17
let non_null_preds = Hashtbl.create 17

let non_null_fun si =
  try
    Hashtbl.find non_null_funs si.jc_struct_info_name
  with
      Not_found -> assert false

let non_null_pred name =
  try
    Hashtbl.find non_null_preds name
  with
      Not_found ->
	Format.eprintf "Java_interp: non_null_pred(%s)@." name;
	assert false

let create_non_null_fun si =
  let fi =
    Jc_pervasives.make_fun_info
      ("non_null_" ^ si.jc_struct_info_name)
      Jc_pervasives.boolean_type
  in
    Hashtbl.add non_null_funs si.jc_struct_info_name fi;
    fi

let create_non_null_pred si =
  let li =
    Jc_pervasives.make_pred
      ("Non_null_" ^ si.jc_struct_info_name)
  in
    Hashtbl.add non_null_preds si.jc_struct_info_name li;
    li
(*
let dummy_pos_term ty t =
  new term ~typ:ty t

let term_zero =
  dummy_loc_term Jc_pervasives.integer_type
    (JCTconst (JCCinteger "0"))

let term_maxint =
  dummy_loc_term Jc_pervasives.integer_type
    (JCTconst (JCCinteger "2147483647"))

let term_plus_one t =
  JCTbinary (t, `Badd_int, { t with jc_term_node = JCTconst (JCCinteger "1") })
*)

let zero = mkint ~value:0 ()
let maxint = mkint ~valuestr:"2147483647" ()
let plus_one e =
  let pos = e#pos in
  mkadd ~pos ~expr1:e ~expr2:(mkint ~pos ~value:1 ()) ()

let rec term t =
  let t' =
    match t.java_term_node with
      | JTlit (String _s) -> any_string
      | JTlit l -> mkconst ~const:(lit l) ()
      | JTun (t,op,e1) ->
          mkunary
            ~op:(lun_op t op)
            ~expr:(term e1)
            ()
      | JTbin(e1,t,op,e2) ->
          mkbinary
            ~expr1:(term e1)
            ~op:(lbin_op t op)
            ~expr2:(term e2)
            ()
      | JTbin_obj (e1, op, e2) -> (* case e1 != null *)
	  if op = Bne && e2.java_term_node = JTlit Null then
	    let t1 = term e1 in
	      match e1.java_term_type with
		| JTYbase _ | JTYnull | JTYlogic _ -> assert false
		| JTYclass (_, _ci) ->
                    mkapp
                      ~fun_name: (non_null_pred "Object").jc_logic_info_name
                      ~args: [t1]
                      ()
		| JTYinterface _ii ->
                    mkeq
                      ~expr1: (mkoffset_max ~expr:t1 ())
                      ~expr2: zero
                      ()
		| JTYarray (_, t) ->
		    let si = get_array_struct Loc.dummy_position t in
                    let li = non_null_pred si.jc_struct_info_name in
                    mkapp
                      ~fun_name: li.jc_logic_info_name
                      ~args: [t1]
                      ()
	  else mkbinary
            ~expr1: (term e1)
            ~op: (lobj_op op)
            ~expr2: (term e2)
            ()
      | JTapp (fi, labels, el) ->
          mkapp
            ~fun_name: (get_logic_fun fi).jc_logic_info_name
	    ~labels:(List.map (fun (_,l) -> tr_logic_label l) labels)
            ~args: (List.map term el)
            ()
      | JTvar vi ->
          mkvar ~name:(var_name (get_var vi)) ()
      | JTfield_access(t,fi) ->
          mkderef
            ~expr: (term t)
            ~field: (fi_name (get_field fi))
            ()
      | JTstatic_field_access(_ci,fi) ->
	  mkvar ~name:(var_name (get_static_var fi)) ()
      | JTarray_length(t) ->
	  begin
	    match t.java_term_type with
	      | JTYarray (_, ty) ->
		  let _st = get_array_struct t.java_term_loc ty in
		  let t = term t in
		  plus_one (mkoffset_max ~pos:t#pos ~expr:t ())
	      | _ -> assert false
	  end
      | JTarray_access(t1,t2) ->
	  begin
	    match t1.java_term_type with
	      | JTYarray (_, ty) ->
		  let st = get_array_struct t.java_term_loc ty in
		  let t1' = term t1 in
                  mkderef
                    ~expr:
                    (mkshift
                       ~pos: t.java_term_loc
                       ~expr: t1'
                       ~offset: (term t2)
                       ())
                    ~field: (fi_name (List.hd st.jc_struct_info_fields))
                    ()
	      | _ -> assert false
	  end
      | JTarray_range _ -> assert false
      | JTat(t,lab) ->
          mkat
            ~expr: (term t)
            ~label: (tr_logic_label lab)
            ()
      | JTcast(ty,t') ->
	  begin
(*
	    match ty with
	      | JTYbase _ -> term t'
	      | JTYclass _ ->
*)
                  mkcast
                    ~expr: (term t')
                    ~typ:(ptype_of_type (tr_type t.java_term_loc ty))
                    ()
(*
	      | _ -> assert false (* TODO *)
*)
	  end
      | JTif(t1,t2,t3) ->
	  mkif
	    ~condition: (term t1)
	    ~expr_then: (term t2)
	    ~expr_else: (term t3)
	    ()
  in
  let _ = tr_type t.java_term_loc t.java_term_type in
  new pexpr ~pos: t.java_term_loc t'#node

let quantifier = function
  | Forall -> Jc_ast.Forall
  | Exists -> Jc_ast.Exists

let rec assertion ?(reg=false) a =
  let a' =
    match a.java_assertion_node with
      | JAtrue ->
          mkboolean ~value:true ()
      | JAfalse ->
          mkboolean ~value:false ()
      | JAat(a,lab) ->
	  mkat
	    ~expr:(assertion a)
	    ~label:(tr_logic_label lab)
	    ()
      | JAnot a ->
          mknot ~expr:(assertion a) ()
      | JAbin (e1, t, op, e2) ->
          mkbinary
            ~expr1: (term e1)
            ~op: (lbin_op t op)
            ~expr2: (term e2)
            ()
      | JAbin_obj (e1, op, e2) -> (* case e1 != null *)
	  if op = Bne && e2.java_term_node = JTlit Null then
	    let t1 = term e1 in
	      match e1.java_term_type with
		| JTYbase _ | JTYnull | JTYlogic _ -> assert false
		| JTYclass (_, _ci) ->
                    mkapp
                      ~fun_name: (non_null_pred "Object").jc_logic_info_name
                      ~args: [t1]
                      ()
		| JTYinterface _ii ->
                    mkeq
                      ~expr1: (mkoffset_max ~expr:t1 ())
                      ~expr2: zero
                      ()
		| JTYarray (_, t) ->
		    let si = get_array_struct Loc.dummy_position t in
                    let li = non_null_pred si.jc_struct_info_name in
                    mkapp
                      ~fun_name: li.jc_logic_info_name
                      ~args: [t1]
                      ()
	  else mkbinary
            ~expr1: (term e1)
            ~op: (lobj_op op)
            ~expr2: (term e2)
            ()
      | JAapp (fi, labels, el)->
          mkapp
            ~fun_name: (get_logic_fun fi).jc_logic_info_name
	    ~labels:(List.map (fun (_,l) -> tr_logic_label l) labels)
            ~args: (List.map term el)
            ()
      | JAquantifier (q, vi, a)->
	  let vi = create_var a.java_assertion_loc vi in
          mkquantifier
            ~quantifier: (quantifier q)
            ~typ: (ptype_of_type vi.jc_var_info_type)
            ~vars: [var_id vi]
            ~body: (assertion a)
            ()
      | JAimpl (a1, a2)->
          mkimplies
            ~expr1: (assertion a1)
            ~expr2: (assertion a2)
            ()
      | JAiff (a1, a2)->
          mkiff
            ~expr1: (assertion a1)
            ~expr2: (assertion a2)
            ()
      | JAor (a1, a2)->
          mkor
            ~expr1: (assertion a1)
            ~expr2: (assertion a2)
            ()
      | JAand (a1, a2)->
	  mkand
            ~expr1: (assertion ~reg a1)
            ~expr2: (assertion ~reg a2)
            ()
      | JAbool_expr t ->
          term t
      | JAinstanceof (t, _lab, ty) ->
	  let ty = tr_type Loc.dummy_position ty in
	  begin
	    match ty with
	      | JCTpointer (JCtag(si, []), _, _) ->
                  mkinstanceof
                    ~expr: (term t)
                    ~typ: si.jc_struct_info_name
                    ()
	      | _ -> assert false
	  end
      | JAif(t,a1,a2) ->
	  mkif
	    ~condition: (term t)
	    ~expr_then: (assertion a1)
	    ~expr_else: (assertion a2)
	    ()
      | JAfresh t -> mkfresh (term t) ()
  in
  let a' = new pexpr ~pos:a.java_assertion_loc a'#node in
  if reg then locate a.java_assertion_loc a' else a'

(*let dummy_loc_assertion a =
  { jc_assertion_loc = Loc.dummy_position;
    jc_assertion_label = "";
    jc_assertion_node = a }
*)

let create_static_var pos type_name fi =
  let ty = tr_type pos fi.java_field_info_type in
  let name = type_name ^ "_" ^ fi.java_field_info_name in
  let vi = Jc_pervasives.var ~static:true ty name in
  Hashtbl.add static_fields_table fi.java_field_info_tag vi;
  vi

(*s translation of structure types *)

let rec term_of_expr e =
  let t =
    match e.java_expr_node with
      | JElit l -> JTlit l
      | JEvar vi -> JTvar vi
      | JEbin (e1, op, e2) ->
	  JTbin (term_of_expr e1, Tinteger, op, term_of_expr e2)
      | JEun (op, e) -> JTun (Tinteger, op, term_of_expr e)
      | JEfield_access (e, fi) -> JTfield_access (term_of_expr e, fi)
      | JEstatic_field_access (ty, fi) -> JTstatic_field_access (ty, fi)
      | JEarray_access (e1, e2) ->
	  JTarray_access (term_of_expr e1, term_of_expr e2)
      | JEcast (t, e) -> JTcast (t, term_of_expr e)
      | _ -> assert false
  in
    { java_term_loc = e.java_expr_loc;
      java_term_type = e.java_expr_type;
      java_term_node = t }

(* exceptions *)

let tr_exception ei acc =
  (mkexception_def
     ~name:ei.jc_exception_info_name
     ?arg_type:(Option_misc.map ptype_of_type ei.jc_exception_info_type)
     ()) :: acc

(* array_length funs *)

let java_array_length_funs = Hashtbl.create 17

let java_array_length_fun st =
  try
    Hashtbl.find java_array_length_funs st.jc_struct_info_name
  with
      Not_found -> assert false

let create_java_array_length_fun st =
  let fi =
    Jc_pervasives.make_fun_info
      ("java_array_length_" ^ st.jc_struct_info_name)
      Jc_pervasives.integer_type
  in
  Hashtbl.add java_array_length_funs st.jc_struct_info_name fi;
  fi

let array_types decls =
  Java_options.lprintf "(**********************)@.";
  Java_options.lprintf "(* array types        *)@.";
  Java_options.lprintf "(**********************)@.";
  Hashtbl.fold
    (fun n (t, s, f) (acc0, acc, decls) ->
       let st = {
         jc_struct_info_params = [];
	 jc_struct_info_name = s;
	 jc_struct_info_parent = None;
	 jc_struct_info_hroot = object_root;
	 jc_struct_info_fields = [];
	 jc_struct_info_root = Some object_variant;
       }
       in
       let fi = {
	 jc_field_info_name = f;
	 jc_field_info_final_name = f;
	 jc_field_info_tag = 0 (* TODO *);
	 jc_field_info_type = tr_type Loc.dummy_position t;
	 jc_field_info_hroot = object_root;
	 jc_field_info_struct = st;
	 jc_field_info_rep = false;
	 jc_field_info_abstract = false;
	 jc_field_info_bitsize = None;
       }
       in
       st.jc_struct_info_fields <- [fi];
       Java_options.lprintf "%s@." st.jc_struct_info_name;
       Hashtbl.add array_struct_table n st;

       (* predicate non_null *)
       let non_null_pred = create_non_null_pred st in

       (* java_array_length fun *)
       let fi = create_java_array_length_fun st in
       let vi =
	 (* type is T[0..-1] here
	    (i.e. access to array length has meaning for non null arrays only) *)
         Jc_pervasives.var
	   (JCTpointer (JCtag (st, []), Some num_zero, Some num_minus_one)) "x"
       in
       let vie = mkvar ~name:(var_name vi) () in
       let result_var = mkvar ~name:"\\result" () in
       let spec = [
         mkbehavior_clause
           ~name: "default"
	   ~assigns:(Loc.dummy_position,[])
           ~ensures:
           (mkand ~list:[
              mkeq
                ~expr1: result_var
                ~expr2: (plus_one (mkoffset_max ~expr: vie ()))
                ();
              mkbinary ~op:`Bge
                ~expr1: result_var
                ~expr2: zero
                ();
              mkbinary ~op:`Ble
                ~expr1: result_var
                ~expr2: maxint
                ();
            ] ())
           ();
       ] in
       let args = [false, ptype_of_type vi.jc_var_info_type, var_name vi] in
       let array_length_fun =
	 (mkfun_def
            ~result_type: (ptype_of_type fi.jc_fun_info_result.jc_var_info_type)
	    ~name: (new identifier fi.jc_fun_info_name)
            ~params: args
            ~clauses: spec
            ())
       in
       (* non_null fun & pred *)
       let non_null_fi = create_non_null_fun st in
       let non_null_spec = [
         mkbehavior_clause
           ~name: "default"
	   ~assigns:(Loc.dummy_position,[])
           ~ensures:
           (mkif
              ~condition: result_var
              ~expr_then:
              (mkbinary ~op:`Bge
                 ~expr1: (mkoffset_max ~expr:vie ())
                 ~expr2: (mkint ~value:(-1) ())
                 ())
              ~expr_else: (mkeq ~expr1:vie ~expr2:(mknull ()) ())
              ())
           ();
       ] in
       let vi =
	 (* type is T[0..] here *)
         Jc_pervasives.var
	   (JCTpointer (JCtag (st, []), Some num_zero, None)) "x"
       in
       let args = [false, ptype_of_type vi.jc_var_info_type, var_name vi] in
       let largs = [ptype_of_type vi.jc_var_info_type, var_name vi] in
       let non_null_fun =
	 mkfun_def
            ~result_type:
            (ptype_of_type non_null_fi.jc_fun_info_result.jc_var_info_type)
            ~name: (new identifier non_null_fi.jc_fun_info_name)
            ~params: args
            ~clauses: non_null_spec
            ()
       in
       (mklogic_def
          ~name: non_null_pred.jc_logic_info_name
          ~labels: [Jc_env.LabelHere]
	  ~params: largs
          ~body:
          (mkbinary
             ~expr1: (mkoffset_max ~expr:vie ())
             ~op:`Bge
             ~expr2: (mkint ~value:(-1) ())
             ())
          ()) :: acc0,
       (mktag_def
          ~name:st.jc_struct_info_name
          ~super:("Object", [])
	  ~fields:
          (List.map begin fun fi ->
             (fi.jc_field_info_rep,fi.jc_field_info_abstract),
             ptype_of_type fi.jc_field_info_type,
             fi_name fi,
	     None
           end st.jc_struct_info_fields)
          ()) :: acc,
       array_length_fun ::
	 non_null_fun :: decls)
    Java_analysis.array_struct_table
    ([],
     ((mktag_def ~name:"interface" ()) ::
	(mkvariant_type_def
           ~name:"interface"
           ~tags:[ new identifier "interface" ]
           ())
      ::if !Java_options.minimal_class_hierarchy then []
      else [ mkvariant_type_def
               ~name:"Object"
               ~tags:[ new identifier "Object" ]
               () ]
     ), decls)


(*****************

 locations

***************)

let rec location_set logic_label t =
  match t.java_term_node with
      | JTlit _l -> assert false (* TODO *)
      | JTun(_t,_op,_e1) -> assert false (* TODO *)
      | JTbin(_e1,_t,_op,_e2) -> assert false (* TODO *)
      | JTbin_obj(_e1,_op,_e2) -> assert false (* TODO *)
      | JTapp (_, _, _) -> assert false (* TODO *)
      | JTvar vi ->
          mkvar ~name:(var_name (get_var vi)) ()
      | JTfield_access(t,fi) ->
	  begin match logic_label with
	    | None -> assert false
	    | Some lab ->
                let _ = tr_logic_label lab in
                mkderef
                  ~expr: (location_set logic_label t)
                  ~field: (fi_name (get_field fi))
                  ()
	  end
      | JTstatic_field_access(_ci,fi) ->
	  mkvar ~name:(var_name (get_static_var fi)) ()
      | JTarray_length(_t) -> assert false (* TODO *)
      | JTarray_access(t1,t2) ->
	  begin
	    match t1.java_term_type with
	      | JTYarray (_, ty) ->
		  let st = get_array_struct t1.java_term_loc ty in
		  let t1' = location_set logic_label t1 in
		  let t2' = term t2 in
		  let shift = mkrange ~locations:t1' ~left:t2' ~right:t2' () in
		  begin match logic_label with
		    | None -> assert false
		    | Some lab ->
                        let _ = tr_logic_label lab in
                        let fi = List.hd st.jc_struct_info_fields in
                        mkderef
                          ~expr: shift
                          ~field: (fi_name fi)
                          ()
		  end
	      | _ -> assert false
	  end
      | JTarray_range(t1,t2,t3) ->
	  begin
	    match t1.java_term_type with
	      | JTYarray (_, ty) ->
		  let st = get_array_struct t1.java_term_loc ty in
		  let t1' = location_set logic_label t1 in
		  let t2' = Option_misc.map term t2 in
		  let t3' = Option_misc.map term t3 in
		  let shift = mkrange ~locations:t1' ?left:t2' ?right:t3' () in
		  begin match logic_label with
		    | None -> assert false
		    | Some _lab ->
                        let fi = List.hd st.jc_struct_info_fields in
                        mkderef
                          ~expr: shift
                          ~field: (fi_name fi)
                          ()
		  end
	      | _ -> assert false
	  end
      | JTat _ -> assert false (* TODO, maybe change logic_label ? *)
      | JTcast(_ty,_t) -> assert false (* TODO *)
      | JTif _ -> assert false (* TODO *)


let location logic_label t =
  match t.java_term_node with
      | JTlit _l -> assert false (* TODO *)
      | JTun(_t,_op,_e1) -> assert false (* TODO *)
      | JTbin(_e1,_t,_op,_e2) -> assert false (* TODO *)
      | JTbin_obj(_e1,_op,_e2) -> assert false (* TODO *)
      | JTapp (_, _, _) -> assert false (* TODO *)
      | JTvar vi ->
          mkvar ~name:(var_name (get_var vi)) ()
      | JTfield_access(t,fi) ->
	  begin match logic_label with
	    | None -> assert false
	    | Some lab ->
                let _ = tr_logic_label lab in
                mkderef
                  ~expr: (location_set logic_label t)
                  ~field: (fi_name (get_field fi))
                  ()
	  end
      | JTstatic_field_access(_ci,fi) ->
	  mkvar ~name:(var_name (get_static_var fi)) ()
      | JTarray_length(_t) -> assert false (* TODO *)
      | JTarray_access(t1,t2) ->
	  begin
	    match t1.java_term_type with
	      | JTYarray (_, ty) ->
		  let st = get_array_struct t1.java_term_loc ty in
		  let t1' = location_set logic_label t1 in
		  let t2' = term t2 in
		  let shift = mkrange ~locations:t1' ~left:t2' ~right:t2' () in
		  begin match logic_label with
		    | None -> assert false
		    | Some lab ->
                        let _ = tr_logic_label lab in
                        let fi = List.hd st.jc_struct_info_fields in
                        mkderef
                          ~expr: shift
                          ~field: (fi_name fi)
                          ()
		  end
	      | _ -> assert false
	  end
      | JTarray_range(t1,t2,t3) ->
	  begin
	    match t1.java_term_type with
	      | JTYarray (_, ty) ->
		  let st = get_array_struct t1.java_term_loc ty in
		  let t1' = location_set logic_label t1 in
		  let t2' = Option_misc.map term t2 in
		  let t3' = Option_misc.map term t3 in
		  let shift = mkrange ~locations:t1' ?left:t2' ?right:t3' () in
		  begin match logic_label with
		    | None -> assert false
		    | Some lab ->
                        let _ = tr_logic_label lab in
                        let fi = List.hd st.jc_struct_info_fields in
                        mkderef
                          ~expr: shift
                          ~field: (fi_name fi)
                          ()
		  end
	      | _ -> assert false
	  end
      | JTat _ -> assert false (* TODO, maybe change logic_label ? *)
      | JTcast(_ty,_t) -> assert false (* TODO *)
      | JTif _ -> assert false (* TODO *)


let un_op op: [> Jc_ast.unary_op] =
  match op with
    | Uminus -> `Uminus
    | Ucompl -> `Ubw_not
    | Unot -> `Unot
    | Uplus -> assert false (* TODO *)

let bin_op op: [> Jc_ast.bin_op] =
  match op with
    | Badd -> `Badd
    | Bmod -> `Bmod
    | Bdiv -> `Bdiv
    | Bmul -> `Bmul
    | Bsub -> `Bsub
    | Biff -> assert false
    | Bor -> `Blor
    | Band -> `Bland
    | Bimpl -> assert false
    | Bgt -> `Bgt
    | Bne -> `Bneq
    | Beq -> `Beq
    | Bge -> `Bge
    | Ble -> `Ble
    | Blt -> `Blt
    | Basr -> `Barith_shift_right
    | Blsr -> `Blogical_shift_right
    | Blsl -> `Bshift_left
    | Bbwxor -> `Bbw_xor
    | Bbwor -> `Bbw_or
    | Bbwand -> `Bbw_and
    | Bconcat -> `Bconcat

let incr_op op: [> pm_unary_op] =
  match op with
    | Preincr -> `Uprefix_inc
    | Predecr -> `Uprefix_dec
    | Postincr -> `Upostfix_inc
    | Postdecr -> `Upostfix_dec

let int_cast pos t e =
  if !Java_options.ignore_overflow ||
    match t with
      | JTYbase Tint -> false
      | _ -> true
  then e else
    mkcast
      ~pos
      ~expr: e
      ~typ: (ptype_of_type (tr_type pos t))
      ()

let rec expr ?(reg=false) e =
  let reg = ref reg in
  let e' =
    match e.java_expr_node with
      | JElit (String _s) -> any_string
      | JElit l ->
          mkconst ~const:(lit l) ()
      | JEincr_local_var(op,v) ->
	  reg := true;
          mkunary
            ~op: (incr_op op)
            ~expr: (mkvar ~name:(var_name (get_var v)) ())
            ()
      | JEincr_field(op,e1,fi) ->
	  reg := true;
          mkincr_heap
            ~op: (incr_op op)
            ~expr: (expr e1)
            ~field: (fi_name (get_field fi))
            ()
      | JEincr_array (op, e1, e2) ->
	  begin
	    match e1.java_expr_type with
	      | JTYarray (_, ty) ->
		  let st = get_array_struct e1.java_expr_loc ty in
		  let e1' = expr e1 in
		  let shift = mkshift
                    ~pos:e.java_expr_loc
                    ~expr:e1'
                    ~offset:(expr e2)
                    ()
                  in
		  let fi = (List.hd st.jc_struct_info_fields) in
                  mkincr_heap
                    ~op: (incr_op op)
                    ~expr: shift
                    ~field: (fi_name fi)
                    ()
	      | _ -> assert false
	  end
      | JEun (op, e1) ->
	  let e1 = expr e1 in
	  reg := true;
	  int_cast e.java_expr_loc e.java_expr_type
            (mkunary ~op:(un_op op) ~expr:e1 ())
      | JEbin (e1, op, e2) (* case e1 == null *)
	  when op = Beq && e2.java_expr_node = JElit Null ->
	  let e = expr e1 in
	  begin
            let st = match e1.java_expr_type with
	      | JTYclass _ | JTYinterface _ -> object_root
	      | JTYarray (_,t) -> get_array_struct e1.java_expr_loc t
	      | _ -> assert false
            in
            mknot
              ~expr:
              (mkapp
                 (* Romain: pourquoi non_null_fun et pas null_fun ?
		    Claude: parce que mknot au-dessus *)
                 ~fun_name: (non_null_fun st).jc_fun_info_name
                 ~args: [e]
                 ())
              ()
	  end
      | JEbin (e1, op, e2) (* case e1 != null *)
	  when op = Bne && e2.java_expr_node = JElit Null ->
	  let e = expr e1 in
	  begin
            let st = match e1.java_expr_type with
	      | JTYclass _ | JTYinterface _ -> object_root
	      | JTYarray (_,t) -> get_array_struct e1.java_expr_loc t
	      | _ -> assert false
            in
            mkapp
              ~fun_name: (non_null_fun st).jc_fun_info_name
              ~args: [e]
              ()
	  end
      | JEbin (e1, op, e2) ->
	  let e1 = expr e1 and e2 = expr e2 in
	  reg := true;
	  int_cast e.java_expr_loc e.java_expr_type
            (mkbinary ~expr1:e1 ~op:(bin_op op) ~expr2:e2 ())
      | JEif (e1,e2,e3) ->
          mkif
            ~condition: (expr e1)
            ~expr_then: (expr e2)
            ~expr_else: (expr e3)
            ()
      | JEvar vi ->
          mkvar ~name:(var_name (get_var vi)) ()
      | JEstatic_field_access(_ci,fi) ->
	  mkvar ~name:(var_name (get_static_var fi)) ()
      | JEfield_access(e1,fi) ->
	  reg := true;
	  mkderef ~expr:(expr e1) ~field:(fi_name (get_field fi)) ()
      | JEarray_length e ->
	  begin
	    match e.java_expr_type with
	      | JTYarray (_, ty) ->
		  let st = get_array_struct e.java_expr_loc ty in
		  reg := true;
		  mkapp
                    ~fun_name:(java_array_length_fun st).jc_fun_info_name
                    ~args:[expr e]
                    ()
	      | _ -> assert false
	  end
      | JEarray_access(e1,e2) ->
	  begin
	    match e1.java_expr_type with
	      | JTYarray (_, ty) ->
		  let st = get_array_struct e1.java_expr_loc ty in
		  let e1' = expr e1 in
		  let shift =
                    mkshift
                      ~pos: e.java_expr_loc
                      ~expr: e1'
                      ~offset: (expr e2)
                      ()
		  in
		  reg := true;
                  mkderef
                    ~expr: shift
                    ~field: (fi_name (List.hd st.jc_struct_info_fields))
                    ()
	      | _ -> assert false
	  end
      | JEassign_local_var(vi,e) ->
          mkassign
            ~location: (mkvar ~name:(var_name (get_var vi)) ())
            ~value: (expr e)
            ()
      | JEassign_local_var_op(vi,op,e) ->
	  reg := true;
          mkassign
            ~location: (mkvar ~name:(var_name (get_var vi)) ())
            ~op: (bin_op op)
            ~value: (expr e)
            ()
      | JEassign_field(e1,fi,e2) ->
	  reg := true;
          mkassign
            ~location: (expr e1)
            ~field: (fi_name (get_field fi))
            ~value: (expr e2)
            ()
      | JEassign_field_op(e1,fi,op,e2) ->
	  reg := true;
          mkassign
            ~location: (expr e1)
            ~field: (fi_name (get_field fi))
            ~op: (bin_op op)
            ~value: (expr e2)
            ()
      | JEassign_static_field (fi, e) ->
          mkassign
            ~location: (mkvar ~name:(var_name (get_static_var fi)) ())
            ~value: (expr e)
            ()
      | JEassign_static_field_op (fi, op, e) ->
	  reg := true;
          mkassign
            ~location: (mkvar ~name:(var_name (get_static_var fi)) ())
            ~op: (bin_op op)
            ~value: (expr e)
            ()
      | JEassign_array(e1,e2,e3) ->
	  reg := true;
	  begin
	    match e1.java_expr_type with
	      | JTYarray (_, ty) ->
		  let st = get_array_struct e1.java_expr_loc ty in
		  let e1' = expr e1 in
		  let shift =
                    mkshift
                      ~pos: e.java_expr_loc
                      ~expr: e1'
                      ~offset: (expr e2)
                      ()
		  in
		  let fi = (List.hd st.jc_struct_info_fields) in
		  let e3' = expr e3 in
                  mkassign
                    ~location: shift
                    ~field: (fi_name fi)
                    ~value: e3'
                    ()
	      | _ -> assert false
	  end
      | JEassign_array_op(e1,e2,op,e3) ->
	  begin
	    match e1.java_expr_type with
	      | JTYarray (_, ty) ->
		  let st = get_array_struct e1.java_expr_loc ty in
		  let e1' = expr e1 in
		  let shift =
                    mkshift
                      ~pos: e.java_expr_loc
                      ~expr: e1'
                      ~offset: (expr e2)
                      ()
		  in
		  let fi = (List.hd st.jc_struct_info_fields) in
		  let e3' = expr e3 in
                  mkassign
                    ~location: shift
                    ~field: (fi_name fi)
                    ~op: (bin_op op)
                    ~value: e3'
                    ()
	      | _ -> assert false
	  end
      | JEcall(e1,mi,args) ->
	  reg := true;
          mkapp
            ~fun_name:
            (get_fun e.java_expr_loc mi.method_info_tag).jc_fun_info_name
            ~args: (List.map expr (e1 :: args))
            ()
      | JEconstr_call (e1, ci, args) ->
	  reg := true;
          mkapp
            ~fun_name:
            (get_fun e.java_expr_loc ci.constr_info_tag).jc_fun_info_name
            ~args: (List.map expr (e1 :: args))
            ()
      | JEstatic_call(mi,args) ->
	  reg := true;
          mkapp
            ~fun_name:
            (get_fun e.java_expr_loc mi.method_info_tag).jc_fun_info_name
            ~args: (List.map expr args)
            ()
      | JEnew_array(ty,[e1]) ->
	  let si = get_array_struct e.java_expr_loc ty in
          mkalloc
            ~count: (expr e1)
            ~typ: si.jc_struct_info_name
            ()
      | JEnew_array(_ty,_) ->
	  assert false (* TODO *)
      | JEnew_object(ci,args) ->
	  let si = get_class ci.constr_info_class.class_info_name in
	  let ty = JCTpointer(JCtag(si, []), Some num_zero, Some num_zero) in
	  let this = Jc_pervasives.var ~formal:true ty "this" in
	  let tt = Jc_pervasives.var ~formal:true
            Jc_pervasives.unit_type "_tt" in
	  let args =
            (mkvar ~name:(var_name this) ()) :: List.map expr args in
          mklet
            ~var: (var_name this)
            ~typ: (ptype_of_type this.jc_var_info_type)
            ~init: (mkalloc ~typ:si.jc_struct_info_name ())
            ~body:
            (mklet
               ~var: (var_name tt)
               ~typ: (ptype_of_type tt.jc_var_info_type)
               ~init:
               (mkapp
                  ~fun_name:
                  (get_fun e.java_expr_loc ci.constr_info_tag).jc_fun_info_name
                  ~args: args
                  ())
               ~body: (mkvar ~name:(var_name this) ())
               ())
            ()
      | JEcast(ty,e1) ->
	  begin
	    match ty with
	      | JTYbase _t ->
		  if !Java_options.ignore_overflow then expr e1 else begin
                    reg := true;
                    mkcast
                      ~expr: (expr e1)
                      ~typ: (ptype_of_type (tr_type e.java_expr_loc ty))
                      ()
                  end
	      | JTYclass(_,_ci) ->
		  reg := true;
                  mkcast ~expr:(expr e1)
		    ~typ: (ptype_of_type (tr_type e.java_expr_loc ty))
		    ()
	      | JTYinterface _ii ->
		  begin
		    match e1.java_expr_type with
		      | JTYclass _ -> expr e1 (* TODO *)
		      | JTYinterface _ -> expr e1
		      | _ -> assert false (* TODO *)
(*
		  eprintf "Warning: cast to interface '%s' ignored.@."
		    ii.interface_info_name;
		    (expr e1).jc_texpr_node
*)
		  end
	      | JTYarray (_, ty) ->
		  reg := true;
                  mkcast ~expr:(expr e1)
		    ~typ: (ptype_of_type (tr_type e.java_expr_loc ty))
		    ()
	      | JTYnull | JTYlogic _ -> assert false
	  end
      | JEinstanceof(e,ty) ->
	  begin
	    match ty with
	      | JTYclass(_,ci) ->
		  let st = get_class ci.class_info_name in
                  mkinstanceof ~expr:(expr e) ~typ:st.jc_struct_info_name ()
	      | _ -> assert false (* TODO *)
	  end

  in
  let pos = e.java_expr_loc in
  let e = new pexpr ~pos: e.java_expr_loc e'#node in
  if !reg then locate pos e else e

let tr_initializer ty e =
  match e with
    | JIexpr e -> expr ~reg:true e
    | JIlist il ->
	begin match ty with
	  | JTYarray (_, ty) ->
	      let si = get_array_struct Loc.dummy_position ty in
		mkalloc
		  ~count: (mkint ~value:(List.length il) ())
		  ~typ: si.jc_struct_info_name
		  ()
		  (* TO COMPLETE ? *)
	  | _ -> assert false (* should never happen *)
	end

(*
let dummy_loc_statement s =
  { jc_tstatement_loc = Loc.dummy_position;
    jc_tstatement_node = s }

let make_block l =
  match l with
    | [s] -> s
    | _ -> dummy_loc_statement (JCTSblock l)
*)

let reg_and_subexpr a =
  match a#node with
    | JAand(_a1,_a2) -> a
    | _ -> a

let reg_assertion a = assertion ~reg:true a

let reg_assertion_option a =
  match a with
    | None -> mkboolean ~value:true ()
    | Some a -> reg_assertion a

let reg_term t =
  let t' = term t in
  locate t.java_term_loc t'

let variant v =
  match v with
    | None -> None
    | Some(t,None) -> Some(reg_term t,None)
    | Some(t,Some fi) ->
        Some(reg_term t,Some (new identifier fi.java_logic_info_name))

let loop_annot annot =
  let invariant = reg_assertion annot.loop_inv in
  let behs_inv =
    List.map
      (fun ((loc,id),a) ->
	 ([new identifier ~pos:loc id],Some (reg_assertion a), None))
      annot.behs_loop_inv
  in
  let v = variant annot.loop_var in
  ([new identifier "default"],Some invariant,None)::behs_inv, v

let behavior (id,assumes,throws,assigns,allocates,ensures) =
  mkbehavior
    ~pos: (fst id)
    ~name: (snd id)
    ?throws:
    (Option_misc.map
       (fun ci -> exn_name (get_exception (JTYclass(false,ci))))
       throws)
    ?assigns:
    (Option_misc.map
       (fun (pos,a) ->
          mkassigns
            ~pos
            ~locations:(List.map (location (Some LabelPre)) a)
            ())
       assigns)
    ?allocates:
    (Option_misc.map
       (fun (pos,a) ->
          mkassigns
            ~pos
            ~locations:(List.map (location (Some LabelHere)) a)
            ())
       allocates)
    ?assumes: (Option_misc.map assertion assumes)
    ~ensures: (reg_assertion ensures)
    ()


let rec statement s =
  let s' =
    match s.java_statement_node with
      | JSskip ->
          mkvoid ()
      | JSlabel(lab,s) ->
	  mklabel lab (statement s) ()
      | JSbreak label ->
          mkbreak ?label ()
      | JScontinue label ->
          mkcontinue ?label ()
      | JSreturn_void ->
          mkreturn ()
      | JSreturn e ->
          let _ = tr_type e.java_expr_loc e.java_expr_type in
	  mkreturn ~expr:(expr e) ()
      | JSthrow e ->
	  (* insert a check that e is not null *)
	  let e' = expr e in
	  let t = get_exception e.java_expr_type in
	  let li = non_null_pred "Object" in
	  let tmp_name = "java_thrown_exception" in
	  let tmp_var = mkvar ~name:"java_thrown_exception" () in
          let ass =
	    mkassert
	      ~expr:(mkapp ~fun_name:li.jc_logic_info_name
		       ~args:[tmp_var] ()) ()
	  in
          let th =
	    mkthrow
              ~exn: (exn_name t)
              ~argument: tmp_var
              ()
	  in
	  mklet
            ~typ: (new ptype (JCPTpointer(t.jc_exception_info_name,[],None,None)))
            ~var: tmp_name
            ~init: e'
            ~body: (mkblock [ass; th] ())
            ()
      | JSblock l ->
          mkblock ~exprs:(List.map statement l)	()
      | JSvar_decl (vi, init, s) ->
	  let ty = vi.java_var_info_type in
	  let vi = create_var s.java_statement_loc vi in
          mklet
            ~typ: (ptype_of_type vi.jc_var_info_type)
            ~var: (var_name vi)
            ?init: (Option_misc.map (tr_initializer ty) init)
            ~body: (statement s)
            ()
      | JSif (e, s1, s2) ->
          mkif
            ~condition: (expr e)
            ~expr_then: (statement s1)
            ~expr_else: (statement s2)
            ()
      | JSdo (s, annot, e) ->
	  let (behaviors, variant) = loop_annot annot in
	  let while_expr =
	    mkwhile ~behaviors
	      ?variant ~condition:(expr e) ~body:(statement s) ()
	  in
            mkblock [statement s; while_expr] ()
      | JSwhile(e,annot,s) ->
	  let (behaviors, variant) = loop_annot annot in
          mkwhile ~behaviors
	    ?variant ~condition:(expr e) ~body:(statement s) ()
      | JSfor (el1, e, annot, el2, body) ->
	  let (behaviors, variant) = loop_annot annot in
          mkfor
            ~inits: (List.map expr el1)
            ~condition: (expr e)
            ~updates: (List.map expr el2)
            ~body: (statement body)
            ~behaviors
            ?variant
            ~pos: s.java_statement_loc
            ()
      | JSfor_decl(decls,e,annot,sl,body) ->
	  let decls = List.map begin fun (vi, init) ->
	    create_var s.java_statement_loc vi,
            Option_misc.map (tr_initializer vi.java_var_info_type) init
          end decls in
	  let (behaviors, variant) = loop_annot annot in
          (* TODO: Now that we produce parsed AST we could put inits in ~init *)
	  let res =
	    List.fold_right
	      (fun (vi,init) acc ->
                 mklet
                   ~typ: (ptype_of_type vi.jc_var_info_type)
                   ~var: (var_name vi)
                   ?init
                   ~body: acc
                   ())
	      decls
              (mkfor
                 ~pos: s.java_statement_loc
                 ~condition: (expr e)
                 ~updates: (List.map expr sl)
                 ~behaviors
                 ?variant
                 ~body: (statement body)
                 ())
	  in mkblock ~exprs:[res] ()
      | JSexpr e -> expr e
      | JSassert(forid,id,e) ->
	  let pos = e.java_assertion_loc in
	  let e' = reg_assertion e in
	  let behs =
	    Option_misc.fold_left
	      (fun acc id ->
		 (new identifier id)::acc)
	      [] forid
	  in
          let e = mkassert ~behs:behs ~expr:e' () in
	  locate ?id pos e
      | JSswitch(e,l) ->
          mkswitch ~expr:(expr e) ~cases:(List.map switch_case l) ()
      | JStry(s1, catches, finally) ->
          mktry
            ~expr: (block s1)
            ~catches:
            (List.map
	       (fun (vi,s2) ->
		  let e = get_exception vi.java_var_info_type in
		  let vti = create_var s.java_statement_loc vi in
                  mkcatch
                    ~exn: (exn_name e)
                    ~name: (var_name vti)
                    ~body: (block s2)
                    ())
	       catches)
            ~finally:
            (mkblock
               ~exprs:
               (Option_misc.fold (fun s _acc -> List.map statement s) finally [])
               ())
            ()
      | JSstatement_spec(req,dec,behs,s) ->
	  mkcontract
	    ~requires:(Option_misc.map assertion req)
	    ~decreases:(variant dec)
	    ~behaviors:(List.map behavior behs)
	    ~expr:(statement s)
	    ()

  in new pexpr ~pos:s.java_statement_loc s'#node

and statements l = List.map statement l

and block l = mkblock ~exprs:(statements l) ()

and switch_case (labels, b) =
  (List.map switch_label labels, block b)

and switch_label = function
  | Java_ast.Default -> None
  | Java_ast.Case e -> Some (expr e)

let true_assertion = mkboolean ~value:true ()

(*
let tr_method mi req dec behs b acc =
  let java_params = mi.method_info_parameters in
  let params =
    List.map (fun (p, _) -> create_var Loc.dummy_position p) java_params in
  let params =
    match mi.method_info_has_this with
      | None -> params
      | Some vi -> (create_var Loc.dummy_position vi) :: params
  in
  let params = List.map
    (fun vi -> (true, ptype_of_type vi.jc_var_info_type, (var_name vi)))
    params
  in
  let return_type =
    Option_misc.map
      (fun vi ->
 	 let _nvi = create_var Loc.dummy_position vi in
 	 vi.java_var_info_type)
      mi.method_info_result
  in
  let behaviors =
    List.map (fun beh -> Jc_ast.JCCbehavior (behavior beh)) behs
  in
  let nfi =
    create_fun Loc.dummy_position
      mi.method_info_tag mi.method_info_result
      mi.method_info_trans_name mi.method_info_parameters
  in
  let body = Option_misc.map block b in
  let _ =
    reg_pos ~id:nfi.jc_fun_info_name
      ~name:("Method " ^ mi.method_info_name)
      mi.method_info_loc
  in
  let requires = mkrequires_clause (reg_assertion_option req) in
  let clauses =
    match variant dec with
      | None -> requires :: behaviors
      | Some(t,m) ->
	  requires :: (mkdecreases_clause ?measure:m t) :: behaviors
  in
  let result_type = (* need the option monad... *)
    Option_misc.map
      ptype_of_type
      (Option_misc.map
         (tr_type Loc.dummy_position)
         return_type)
  in
  let def = mkfun_def
    ?result_type
    ~name: (new identifier nfi.jc_fun_info_name)
    ~params
    ~clauses
    ?body
    ()
  in def::acc
     *)

let tr_method_spec mi req dec behs b acc =
  let java_params = mi.method_info_parameters in
  let params =
    List.map (fun (p, _) -> create_var Loc.dummy_position p) java_params in
  let params =
    match mi.method_info_has_this with
      | None -> params
      | Some vi -> (create_var Loc.dummy_position vi) :: params
  in
  let params = List.map
    (fun vi -> (true, ptype_of_type vi.jc_var_info_type, (var_name vi)))
    params
  in
  let return_type =
    Option_misc.map
      (fun vi ->
 	 let _nvi = create_var Loc.dummy_position vi in
 	 vi.java_var_info_type)
      mi.method_info_result
  in
  let behaviors =
    List.map (fun beh -> Jc_ast.JCCbehavior (behavior beh)) behs
  in
  let nfi =
    create_fun Loc.dummy_position
      mi.method_info_tag mi.method_info_result
      mi.method_info_trans_name mi.method_info_parameters
  in
  let _ =
    reg_position ~id:nfi.jc_fun_info_name
      ~name:("Method " ^ mi.method_info_name)
      mi.method_info_loc
  in
  let requires = mkrequires_clause (reg_assertion_option req) in
  let clauses =
    match variant dec with
      | None -> requires :: behaviors
      | Some(t,m) ->
	  requires :: (mkdecreases_clause ?measure:m t) :: behaviors
  in
  let result_type = (* need the option monad... *)
    Option_misc.map
      ptype_of_type
      (Option_misc.map
         (tr_type Loc.dummy_position)
         return_type)
  in
  (result_type, nfi, params, clauses, b)::acc

let tr_method_body (result_type,nfi,params,clauses,b) acc =
  let body = Option_misc.map block b in
  let def = mkfun_def
    ?result_type
    ~name: (new identifier nfi.jc_fun_info_name)
    ~params
    ~clauses
    ?body
    ()
  in def::acc

let default_base_value t =
  match t with
    | Tshort | Tbyte | Tchar | Tint | Tlong ->
	JCCinteger "0"
    | Tboolean -> JCCboolean false
    | Tfloat | Tdouble -> JCCreal "0.0"
    | Tinteger | Treal -> assert false
    | Tunit  -> assert false
    | Tstring -> JCCnull

let default_value ty =
  match ty with
    | JTYbase t -> default_base_value t
    | JTYarray _ | JTYclass _ | JTYinterface _ -> JCCnull
    | JTYlogic _ -> eprintf "ICI@."; assert false
    | JTYnull -> assert false

let init_field this fi =
  mkassign
    ~location: this
    ~field: (fi_name (get_field fi))
    ~value: (mkconst ~const:(default_value fi.java_field_info_type) ())
    ()

(*
let tr_constr ci req behs b acc =
  let params = List.map
    (fun (vi, _) -> create_var Loc.dummy_position vi)
    ci.constr_info_parameters
  in
  let this =
    match ci.constr_info_this with
      | None -> assert false
      | Some vi -> (create_var Loc.dummy_position vi)
  in
  let nfi =
    create_fun Loc.dummy_position ci.constr_info_tag None
      ci.constr_info_trans_name ci.constr_info_parameters
  in
  let body = statements b
(*
@
    [dummy_loc_statement (JCTSreturn(this.jc_var_info_type,
				     dummy_loc_expr
				       this.jc_var_info_type
				       (JCTEvar this)))]
*)
  in
(* NO: TODO
  let body =
    dummy_loc_statement (JCTSdecl(this,None,make_block body))
  in
  *)
  let fields = ci.constr_info_class.class_info_fields in
  let body =
    List.fold_right
      (fun fi acc ->
	 if fi.java_field_info_is_static then acc else
	 try
	   init_field (mkvar ~name:(var_name this) ()) fi::acc
	 with Assert_failure _ -> acc)
	fields body
  in
  let _ =
    reg_pos ~id:nfi.jc_fun_info_name
      ~name:("Constructor of class "^ci.constr_info_class.class_info_name)
      ci.constr_info_loc
  in
  let params =
    (* false because this not yet valid *)
    (false, ptype_of_type this.jc_var_info_type, var_name this)
    ::
      List.map
      (fun vi -> (true,ptype_of_type vi.jc_var_info_type, var_name vi))
      params
  in
  let requires = mkrequires_clause (reg_assertion_option req) in
  let behaviors =
    List.map (fun beh -> Jc_ast.JCCbehavior (behavior beh)) behs
  in
  let def = mkfun_def
    ~name: (new identifier nfi.jc_fun_info_name)
    ~params
    ~body:(mkblock ~exprs:body ())
    ~clauses: (requires::behaviors)
    ()
  in def :: acc
*)

let tr_constr_spec ci req behs b acc =
  let params = List.map
    (fun (vi, _) -> create_var Loc.dummy_position vi)
    ci.constr_info_parameters
  in
  let this =
    match ci.constr_info_this with
      | None -> assert false
      | Some vi -> (create_var Loc.dummy_position vi)
  in
  let nfi =
    create_fun Loc.dummy_position ci.constr_info_tag None
      ci.constr_info_trans_name ci.constr_info_parameters
  in
  let _ =
    reg_position ~id:nfi.jc_fun_info_name
      ~name:("Constructor of class "^ci.constr_info_class.class_info_name)
      ci.constr_info_loc
  in
  let params =
    (* false because this not yet valid *)
    (false, ptype_of_type this.jc_var_info_type, var_name this)
    ::
      List.map
      (fun vi -> (true,ptype_of_type vi.jc_var_info_type, var_name vi))
      params
  in
  let requires = mkrequires_clause (reg_assertion_option req) in
  let behaviors =
    List.map (fun beh -> Jc_ast.JCCbehavior (behavior beh)) behs
  in
  (ci,this,nfi,params,requires::behaviors,b) :: acc

let tr_constr_body (ci,this,nfi,params,clauses,b) acc =
  let body = statements b
    (*
      @
      [dummy_loc_statement (JCTSreturn(this.jc_var_info_type,
      dummy_loc_expr
      this.jc_var_info_type
      (JCTEvar this)))]
    *)
  in
  (* NO: TODO
     let body =
     dummy_loc_statement (JCTSdecl(this,None,make_block body))
     in
  *)
  let fields = ci.constr_info_class.class_info_fields in
  let body =
    List.fold_right
      (fun fi acc ->
	 if fi.java_field_info_is_static then acc else
	   try
	     init_field (mkvar ~name:(var_name this) ()) fi::acc
	   with Assert_failure _ -> acc)
      fields body
  in
  let def = mkfun_def
    ~name: (new identifier nfi.jc_fun_info_name)
    ~params
    ~body:(mkblock ~exprs:body ())
    ~clauses
    ()
  in def :: acc

let default_label l =
  match l with
    | [l] -> Some l
    | _ -> None

let tr_non_null_logic_fun () =
  let si = get_class "Object" in
  let vi = Jc_pervasives.var
    (JCTpointer (JCtag(si, []), Some num_zero, None)) "x" in
  let vit = mkvar ~name:(var_name vi) () in
  let offset_maxt = mkoffset_max ~expr:vit () in
  let offset_maxa = mkbinary ~op:`Bge ~expr1:offset_maxt ~expr2:zero () in
  let non_null_pred = create_non_null_pred si in
  mklogic_def
    ~name: non_null_pred.jc_logic_info_name
    ~labels: [Jc_env.LabelHere]
    ~params: [ptype_of_type vi.jc_var_info_type, var_name vi]
    ~body: offset_maxa
    ()

let tr_logic_fun fi (b : logic_decl_body) acc =
  if b = `Builtin then acc else
  let nfi = create_logic_fun Loc.dummy_position fi in
  let def_ =
    mklogic_def
      ?typ: (Option_misc.map ptype_of_type nfi.jc_logic_info_result_type)
      ~name: nfi.jc_logic_info_name
      ~labels: nfi.jc_logic_info_labels
      ~params:
      (List.map
         (fun vi -> ptype_of_type vi.jc_var_info_type, var_name vi)
         nfi.jc_logic_info_parameters)
  in
  let def = match b with
    | `Assertion a -> def_ ~body:(assertion a) ()
    | `Inductive l ->
	def_ ~inductive:
	  (List.map
	     (fun ((loc,id),labels,a) ->
		(new identifier ~pos:loc id,
		 List.map tr_logic_label labels,
		 assertion a)) l)
	  ()
    | `Term t -> def_ ~body:(term t) ()
    | `None -> def_ ()
    | `Reads l ->
	let logic_label = default_label fi.java_logic_info_labels in
        def_ ~reads:(List.map (location logic_label) l) ()
    | `Builtin -> assert false
  in (def::acc)

(*s axioms *)

let tr_axiom id is_axiom loc lab p acc =
  let (_ : string) =
    reg_pos ~id
      ~name:("Lemma " ^ id)
      loc
  in
  let def = mklemma_def
    ~name: id
    ~axiom:is_axiom
    ~labels: (List.map tr_logic_label lab)
    ~body: (assertion p)
    ()
  in def::acc

(*
let tr_axiomatic_decl acc d =
  match d with
    | Aaxiom(id,is_axiom,labels,a) -> acc
    | Atype _ -> assert false
    | Areads (fi, r) -> tr_logic_fun fi (JReads r)
    | Aind_def (_, _) -> assert false
    | Afun_def (_, _) -> assert false
    | Apred_def (_, _) -> assert false

let tr_axiomatic_decls id l acc =
  let l = List.fold_left tr_axiomatic_decl acc l in
  assert false (* TODO *)

let tr_axiomatic_axiom acc d =
  match d with
    | Aaxiom(id,is_axiom,labels,a) -> tr_axiom id is_axiom labels a acc
    | Atype _|Areads (_, _)|Aind_def (_, _)|Afun_def (_, _)
    | Apred_def (_, _) -> acc

let tr_axiomatic_axioms id l acc =
  let l = List.fold_left tr_axiomatic_axiom acc l in
  assert false (* TODO *)
*)

let tr_axiomatic_decl acc d =
  match d with
    | Aaxiom(_id,_is_axiom,_labels,_a) -> acc
    | Atype s ->
	Java_options.lprintf "translating logic type %s@." s;
	tr_logic_type s acc
    | Adecl(fi, b) ->
	Java_options.lprintf "translating axiomatic function %s@." fi.java_logic_info_name;
	tr_logic_fun fi b acc

let tr_axiomatic_axiom acc d =
  match d with
    | Aaxiom(id,is_axiom,labels,a) ->
	Java_options.lprintf "translating axiom %s@." id;
	tr_axiom id is_axiom Loc.dummy_floc labels a acc
    | Atype _s -> acc
    | Adecl(_fi, _b) -> acc

let tr_axiomatic id l acc =
  Java_options.lprintf "translating axiomatic %s@." id;
  let acc1 = List.fold_left tr_axiomatic_decl [] l in
  let acc2 = List.fold_left tr_axiomatic_axiom acc1 l in
  (mkaxiomatic ~name:id ~decls:(List.rev acc2) ())::acc

let tr_field type_name acc fi =
  let vi = create_static_var Loc.dummy_position type_name fi in
  let vi_ty = vi.jc_var_info_type in
  let fi_ty = fi.java_field_info_type in
  if fi.java_field_info_is_final then
    let logic_body, axiom_body =
      try
	let e =
	  Hashtbl.find Java_typing.field_initializer_table fi.java_field_info_tag
	in
	let values =
	  Hashtbl.find Java_typing.final_field_values_table fi.java_field_info_tag
	in
	let get_value value = match fi_ty with
	  | JTYarray (_,JTYbase t) | JTYbase t ->
	      begin match t with
		| Tshort | Tbyte | Tchar | Tint
		| Tlong | Tdouble | Tinteger ->
		    JCCinteger (Num.string_of_num value)
		| Tboolean ->
		    let b = match Num.string_of_num value with
		      | "0" -> false
		      | "1" -> true
		      | _ -> assert false (* should never happen *)
		    in JCCboolean b
		| Tfloat | Treal -> assert false (* TODO *)
		| Tstring -> assert false (* TODO *)
		| Tunit -> assert false
	      end
	  | JTYnull | JTYclass _ | JTYinterface _ | JTYarray _ | JTYlogic _ ->
	      assert false
	in
	match e with
	  | None ->
              None, None
	  | Some (JIexpr e) ->
	      assert (List.length values = 1);
	      (* evaluated constant expressions are translated *)
              let t = term (term_of_expr e) in
	      Some (mkconst ~const:(get_value (List.hd values)) ~pos:t#pos ()),
	      None
	  | Some (JIlist il) ->
	      let n = List.length il in
	      assert (List.length values = n);
	      let si = match vi_ty with
		| JCTpointer (JCtag(si, []), _, _) -> si
		| _ -> assert false
	      in
	      let vit = mkvar ~name:(var_name vi) () in
	      let a =
		mkapp
                  ~fun_name:
                  (non_null_pred si.jc_struct_info_name).jc_logic_info_name
                  ~args: [vit]
                  ()
	      in
	      let a =
		mkand
                  ~expr1: a
                  ~expr2:
                  (mkeq
                     ~expr1: (mkoffset_max ~expr:vit ())
                     ~expr2: (mkint ~value:(n-1) ())
                     ())
                  ()
	      in
	      let fi' = List.hd si.jc_struct_info_fields in
	      let a, _ = List.fold_left2 begin fun (acc, cpt) init n ->
		match init with
		  | JIexpr e ->
		      let _ = term (term_of_expr e) in (* Why not used? *)
                      mkand
			~expr1: acc
			~expr2:
			(mkeq
                           ~expr1:
                           (mkderef
                              ~expr:
                              (mkshift
				 ~expr: vit
				 ~offset: (mkint ~value:cpt ())
				 ())
                              ~field: (fi_name fi')
                              ())
                           ~expr2: (mkconst ~const:(get_value n) ())
                           ())
			(),
		      cpt + 1
		  | JIlist _ -> assert false (* TODO / Not supported *)
              end (a, 0) il values in
	      None, Some a
      with Not_found ->
	Java_options.lprintf
          "Warning: final field '%s' of %a has no known value@."
	  fi.java_field_info_name
	  Java_typing.print_type_name
	  fi.java_field_info_class_or_interface;
	None, None
    in
    let def1 =
      mklogic_var_def
        ~typ: (ptype_of_type vi_ty)
        ~name: (var_name vi)
	?body:logic_body
	()
    in
    match logic_body,axiom_body with
      | (Some _,None) ->
	  def1 :: acc
      | (None, _ (* Some a *)) ->
	  let ax =
          mkaxiomatic
	    ~name: (fi.java_field_info_name^"_theory")
	    ~decls:[def1 ;
		    (* disabled because should be an invariant instead
		       of an axiom *)
		    (*
		    mklemma_def
		      ~name: (fi.java_field_info_name^"_values")
		      ~axiom: true
		      ~labels: [Jc_env.LabelHere]
		      ~body: a
		      () *)]
	    ()
	  in
	  ax :: acc
      | _ -> assert false
  else
    let e =
      try match Hashtbl.find Java_typing.field_initializer_table
	fi.java_field_info_tag with
	  | None -> None
	  | Some e -> Some (tr_initializer fi_ty e)
      with Not_found -> None
    in
    let acc =
      (mkvar_def
         ~typ: (ptype_of_type vi_ty)
         ~name: (var_name vi)
         ?init: e
         ())::acc
    in
    acc

(* class *)

let tr_class ci acc0 acc =
  let non_final_fields =
    List.filter
      (fun fi -> not fi.java_field_info_is_final)
      ci.class_info_fields
  in
  let (static_fields, fields) =
    List.partition
      (fun fi -> fi.java_field_info_is_static)
      non_final_fields
  in
  let super =
    let superclass = Option_misc.map (fun ci -> ci.class_info_name, [])
      ci.class_info_extends
    in
    match superclass with
      | None ->
	  if ci.class_info_name = "Object"
	  then None
          else Some ("Object", [])
      | _ -> superclass
  in
  let acc = List.fold_left (tr_field ci.class_info_name) acc static_fields in
    (* create exceptions if subclass of Exception *)
    begin
      if ci.class_info_is_exception then
	ignore (create_exception
		  (Some (tr_type Loc.dummy_position (JTYclass (false, ci))))
		  ci.class_info_name);
    end;
    let jc_fields = List.map (create_field Loc.dummy_position) fields in
      (* non_null fun & pred *)
    let si = get_class ci.class_info_name in
    let acc =
      if ci.class_info_name = "Object" then
	let non_null_fi = create_non_null_fun si in
	let vi = Jc_pervasives.var
	  (JCTpointer (JCtag(si, []), Some num_zero, None)) "x" in
	let result = Jc_pervasives.var Jc_pervasives.boolean_type "\\result" in
	let vit = mkvar ~name:(var_name vi) () in
	let offset_maxt = mkoffset_max ~expr:vit () in
	let offset_maxa = mkeq ~expr1:offset_maxt ~expr2:zero () in
        let non_null_spec = [
          mkbehavior_clause
            ~name: "normal"
            ~ensures:
            (mkif
               ~condition: (mkvar ~name:(var_name result) ())
               ~expr_then: offset_maxa
               ~expr_else: (mkeq ~expr1:vit ~expr2:(mknull ()) ())
               ())
            ()
        ] in
        (mkfun_def
           ~result_type: (ptype_of_type Jc_pervasives.boolean_type)
           ~name: (new identifier non_null_fi.jc_fun_info_name)
           ~params: [false,ptype_of_type vi.jc_var_info_type, var_name vi]
           ~clauses: non_null_spec
           ()):: acc
      else acc
    in
    let fields = List.map begin function fi ->
      (fi.jc_field_info_rep,fi.jc_field_info_abstract),
      ptype_of_type fi.jc_field_info_type,
      fi_name fi,
      None
    end jc_fields in
    (mktag_def
       ~name: ci.class_info_name
       ?super:(if !Java_options.minimal_class_hierarchy then None else super)
       ~fields
       ())::
      (if !Java_options.minimal_class_hierarchy then
	 (mkvariant_type_def
            ~name:ci.class_info_name
            ~tags:[ new identifier ci.class_info_name ]
            ())::acc0 else acc0)
      , acc

(* interfaces *)

let tr_interface ii acc =
  let fields =
    List.filter
      (fun fi -> not fi.java_field_info_is_static)
      ii.interface_info_fields
  in
  let (* model_fields *) _ = List.map (create_field Loc.dummy_position) fields in
  acc

let tr_class_or_interface ti acc0 acc =
  match ti with
    | TypeClass ci ->
	Java_options.lprintf "Creating JC structure for class '%s'@."
          ci.class_info_name;
	tr_class ci acc0 acc
    | TypeInterface ii ->
	Java_options.lprintf "Handling interface '%s'@." ii.interface_info_name;
	(acc0, tr_interface ii acc)

let tr_final_static_fields ti acc =
    match ti with
      | TypeClass ci ->
	  let final_static_fields =
	    List.filter
	      (fun fi ->
		 fi.java_field_info_is_final && fi.java_field_info_is_static)
	      ci.class_info_fields
	  in
	    List.fold_left (tr_field ci.class_info_name) acc final_static_fields
      | TypeInterface ii ->
	  List.fold_left
	    (tr_field ii.interface_info_name)
	    acc ii.interface_info_final_fields

let tr_invariants ci id invs decls =
  let invs =
    List.map
      (fun ((_, s), a) ->
	 let vi = create_var Loc.dummy_position id in
	 new identifier s, var_name vi, assertion a)
      invs
  in
  List.map begin fun d -> match d#node with
    | JCDtag (s, params, so, fil, struct_invs) when s = ci.class_info_name ->
	mktag_def
          ~name:s
          ~params
          ?super:so
          ~fields:fil
          ~invariants:(struct_invs @ invs)
          ()
    | _ -> d
  end decls

(* static invariants *)

let tr_static_invariant (s, a) =
  mkglobal_inv_def ~name:s ~body:(assertion a) ()

(*
Local Variables:
compile-command: "LC_ALL=C make -C .. byte"
End:
*)
why-2.39/java/java_typing.ml0000644000106100004300000044610113147234006015025 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



open Java_env
open Java_ast
open Java_tast
open Format
open Java_pervasives
open Graph


(************************

Pretty-printing of types

*************************)

let rec print_qualified_ident fmt id =
  match id with
    | [] -> assert false
    | [(_,id)] -> fprintf fmt "%s" id
    | (_,id)::r ->
        print_qualified_ident fmt r;
        fprintf fmt ".%s" id

let print_type_name fmt t =
  match t with
    | TypeClass ci -> fprintf fmt "%s" ci.class_info_name
    | TypeInterface ii -> fprintf fmt "%s" ii.interface_info_name
(*
    | TypeLogic s -> fprintf fmt "logic type %s" s
*)

let string_of_base_type t =
  match t with
    | Tunit -> "unit"
    | Tinteger -> "integer"
    | Treal -> "real"
    | Tboolean -> "boolean"
    | Tdouble -> "double"
    | Tlong -> "long"
    | Tfloat -> "float"
    | Tint -> "int"
    | Tchar -> "char"
    | Tbyte -> "byte"
    | Tshort -> "short"
    | Tstring -> "string"


let rec print_type fmt t =
  match t with
    | JTYbase t -> fprintf fmt "%s" (string_of_base_type t)
    | JTYnull -> fprintf fmt "(nulltype)"
    | JTYarray (non_null, t) ->
        fprintf fmt "%s%a[]" (if non_null then "" else "!") print_type t
    | JTYclass (non_null, c) ->
        fprintf fmt "%s%s" (if non_null then "" else "!") c.class_info_name
    | JTYinterface ii -> fprintf fmt "%s" ii.interface_info_name
    | JTYlogic i ->fprintf fmt "%s" i

(***********************

Typing error handling

************************)

exception Typing_error of Loc.position * string

let typing_error l =
  Format.kfprintf
    (fun _fmt -> raise (Typing_error(l, flush_str_formatter())))
    str_formatter

let integer_expected l t =
  typing_error l "integer type expected, got %a" print_type t

let array_expected l t =
  typing_error l "array type expected, got %a" print_type t

let int_expected l t =
  typing_error l "int expected, got %a" print_type t

let class_or_interface_expected l t =
  typing_error l "class or interface expected, got %a" print_type t



let catch_typing_errors f a =
 try
   f a
 with
   | Typing_error(l,s) ->
       eprintf "%a: typing error: %s@." Loc.gen_report_position l s;
       exit 1
   | Java_options.Java_error(l,s) ->
       eprintf "%a: %s@." Loc.gen_report_position l s;
       exit 1
   | Assert_failure(f,l,c) as exn ->
       eprintf "%a:@." Loc.gen_report_line (f,l,c,c);
       raise exn
   | Match_failure(f,l,c) as exn ->
       eprintf "%a:@." Loc.gen_report_line (f,l,c,c);
       raise exn


(**********************

Name classification
(JLS 2nd ed., pp. 93-104)

***********************)

let split_extension filename =
  try
    let dotindex = String.rindex filename '.' in
    (String.sub filename 0 dotindex,
     String.sub filename (dotindex+1) (String.length filename - dotindex - 1))
  with Not_found -> filename,""

let read_dir d =
  let l =
    try
      Sys.readdir d
    with
        Sys_error _ ->
          eprintf "Cannot open directory %s@." d;
          exit 2
  in
  Array.fold_left
    (fun (dirs,files) name ->
       let fullname = Filename.concat d name in
       let s = Unix.lstat fullname in
       match s.Unix.st_kind with
         | Unix.S_DIR when name <> "CVS" ->
             begin
               Java_options.lprintf "got sub-directory %s@." name;
               ((name,fullname)::dirs,files)
             end
         | Unix.S_REG ->
             begin
               let base,ext = split_extension name in
               match ext with
                 | "java" ->
                     Java_options.lprintf "got Java file %s@." base;
                     (dirs,(base,fullname)::files)
                 | _ ->
                   Java_options.lprintf "file %s ignored@." name;
                     (dirs,files)
             end
         | _ ->
             begin
               Java_options.lprintf "skipping special file %s@." name;
               (dirs,files)
             end)
    ([],[]) l


let toplevel_packages_table = (Hashtbl.create 17 : (string, package_info) Hashtbl.t)

let package_counter = ref 0

let new_package_info name fullname =
  incr package_counter;
  let pi =
    { package_info_tag = !package_counter;
      package_info_name = name;
      package_info_directories = [fullname];
    }
  in
    pi

(* [package_contents] maps each internal package id to its contents *)
type package_member =
  | Subpackage of package_info
  | File of string
  | Type of java_type_info

let package_contents =
  (Hashtbl.create 17 : (int, (string, package_member) Hashtbl.t) Hashtbl.t)


let anonymous_package = new_package_info "" "."

let is_anonymous_package pi =
  pi.package_info_tag = anonymous_package.package_info_tag

let javalang_qid = [(Loc.dummy_position,"lang"); (Loc.dummy_position,"java")]

let read_dir_contents ~is_toplevel dir =
  Java_options.lprintf "reading directory '%s'@." dir;
  let d, f = read_dir dir in
  let h = Hashtbl.create 17 in
    List.iter
      (fun (name, fullname) ->
	 begin
	   if is_toplevel then
	     try
	       let pi = Hashtbl.find toplevel_packages_table name in
		 pi.package_info_directories <- fullname :: pi.package_info_directories
	     with Not_found ->
	       let pi = new_package_info name fullname in
		 Java_options.lprintf "adding subpackage %s@." name;
		 Hashtbl.add h name (Subpackage pi)
	   else
	     let pi = new_package_info name fullname in
	       Java_options.lprintf "adding subpackage %s@." name;
	       Hashtbl.add h name (Subpackage pi)
	 end)
      d;
    List.iter
      (fun (name, fullname) ->
	 Java_options.lprintf "adding java file %s (fullname %s)@." name fullname;
	 Hashtbl.add h name (File fullname))
      f;
    h

let get_package_contents pi =
  try
    Hashtbl.find package_contents pi.package_info_tag
  with
      Not_found ->
	let h = Hashtbl.create 17 in
	  List.iter
	    (fun dir ->
	       let is_top_level = is_anonymous_package pi in
	       let h' = read_dir_contents ~is_toplevel:is_top_level dir in
		 Hashtbl.iter
		   (fun name x ->
		      try
			let x' = Hashtbl.find h name in
			  match x, x' with
			    | Subpackage pi, Subpackage pi' ->
				pi'.package_info_directories <-
				  pi.package_info_directories @ pi'.package_info_directories
			    | _ -> assert false (* TODO : error message ? *)
		      with Not_found ->
			Hashtbl.add h name x)
		   h')
	    pi.package_info_directories;
          Hashtbl.add package_contents pi.package_info_tag h;
          h

let toplevel_packages =
  Java_options.lprintf "Reading toplevel packages@.";
  let h = Hashtbl.create 17 in
    List.iter
      (fun dir ->
	 let h' = read_dir_contents ~is_toplevel:true dir in
	   Hashtbl.iter
	     (fun name x ->
		begin
		  Hashtbl.add h name x;
		  match x with
		    | Subpackage pi ->
			Hashtbl.add toplevel_packages_table name pi
		    | _ ->
			Format.eprintf "Warning: %s is not a subpackage of %s@." name dir;
			()
		end)
	     h')
      Java_options.classpath;
    h

let type_table : (int, java_type_info) Hashtbl.t = Hashtbl.create 97

(* A GROUPER *)
let class_type_env_table :
    (int, (string * java_type_info) list) Hashtbl.t
    = Hashtbl.create 97
and interface_type_env_table :
    (int, (string * java_type_info) list) Hashtbl.t
    = Hashtbl.create 97



let class_decl_table :
    (int, (package_info list *
             Java_ast.class_declaration)) Hashtbl.t
    = Hashtbl.create 97


let interface_decl_table :
    (int, (package_info list *
             Java_ast.interface_declaration)) Hashtbl.t
    = Hashtbl.create 97

let invariants_env :
    (int, (* class tag *)
     Java_env.java_type_info (* class or interface *)
     * (string * Java_env.java_var_info) list (* env [this,this_info]*)
     * Java_env.java_var_info (* this_info *)
     * (Java_ast.identifier * Java_ast.pexpr) list (* (inv_name,inv_pred) list *)
    ) Hashtbl.t
    = Hashtbl.create 97
let invariants_table :
    ( int, (* class tag *)
      Java_env.java_class_info (* class_info *)
      * Java_env.java_var_info (* this_info *)
      * (Java_ast.identifier * Java_tast.assertion) list (* (inv_name, typed pred) list *)
      ) Hashtbl.t
    = Hashtbl.create 97

let static_invariants_env = Hashtbl.create 97
let static_invariants_table = Hashtbl.create 97




let rec var_type_and_id non_null ty id =
  match id with
    | Simple_id id -> ty, id
    | Array_id id ->
        let ty, id = var_type_and_id non_null ty id in
          JTYarray (non_null, ty), id


(* fields *)

let field_prototypes_table : (int, variable_initializer option) Hashtbl.t
    = Hashtbl.create 97

let field_tag_counter = ref 0

let new_field ~is_static ~is_final ~is_nullable ~is_model ~is_ghost ti ty id =
  incr field_tag_counter;
  let fi = {
    java_field_info_tag = !field_tag_counter;
    java_field_info_name = id;
    java_field_info_type = ty;
    java_field_info_class_or_interface = ti;
    java_field_info_is_static = is_static;
    java_field_info_is_final = is_final;
    java_field_info_is_nullable = is_nullable;
    java_field_info_is_model = is_model;
    java_field_info_is_ghost = is_ghost;
  } in fi


(* dead code
let new_model_field ii ty id =
  new_field ~is_static:false ~is_final:false ~is_nullable:false
    ~is_model:true (TypeInterface ii) ty id
*)

(* methods *)

let methods_env = Hashtbl.create 97

let method_or_constr_tag_counter = ref 0

let new_method_info ~is_static ~result_is_nullable loc id ti ty pars =
  incr method_or_constr_tag_counter;
  let result =
      Option_misc.map (fun t -> new_var Loc.dummy_position t "\\result") ty
  in
  {
    method_info_tag = !method_or_constr_tag_counter;
    method_info_loc = loc;
    method_info_name = id;
    method_info_class_or_interface = ti;
    method_info_trans_name = id;
    method_info_has_this = None;
    method_info_parameters = pars;
    method_info_result = result;
    method_info_result_is_nullable = result_is_nullable;
    method_info_calls = [];
    method_info_is_static = is_static;
  }

let constructors_env = Hashtbl.create 97

let new_constructor_info ci loc pars =
  incr method_or_constr_tag_counter;
  {
    constr_info_tag = !method_or_constr_tag_counter;
    constr_info_loc = loc;
    constr_info_class = ci;
    constr_info_trans_name = ci.class_info_name;
    constr_info_this = None;
    constr_info_result = None;
    constr_info_parameters = pars;
    constr_info_calls = [];
  }

let rec list_assoc_name f id l =
  match l with
    | [] -> raise Not_found
    | fi::r ->
        if (f fi) = id then fi
        else list_assoc_name f id r


(******************************

Typing level 0: extract types (logic, Java classes, Java interfaces)

**********************************)


let type_counter = ref 0

(* adds an interface named [id] in package [p] *)
let new_interface_info (p:package_info) (id:string) i =
  incr type_counter;
  let ii =
    { interface_info_tag = !type_counter;
      interface_info_name = id;
      interface_info_package_env = (fst i);
      interface_info_incomplete = true;
      interface_info_extends = [];
      interface_info_fields = [];
      interface_info_final_fields = [];
      interface_info_methods = [];
    }
  in
  Hashtbl.add type_table !type_counter (TypeInterface ii);
  Hashtbl.add interface_decl_table !type_counter i;
  Java_options.lprintf "adding interface %s in package '%s'@." id p.package_info_name;
  let h = get_package_contents p in
  Hashtbl.replace h id (Type (TypeInterface ii));
  ii

let new_class_info ~is_final:_ (p:package_info) (id:string) c =
  incr type_counter;
  let ci =
    { class_info_tag = !type_counter;
      class_info_name = id;
      class_info_package_env = (fst c);
      class_info_incomplete = true;
      class_info_is_final = false;
      class_info_extends = None;
      class_info_is_exception = false;
      class_info_implements = [];
      class_info_fields = [];
      class_info_final_fields = [];
      class_info_methods = [];
      class_info_constructors = [];
    }
  in
    Hashtbl.add type_table !type_counter (TypeClass ci);
    Hashtbl.add class_decl_table !type_counter c;
    Java_options.lprintf
    "adding class %s in package %s@." id p.package_info_name;
    let h = get_package_contents p in
      Hashtbl.replace h id (Type (TypeClass ci));
      ci


let logic_types_table = Hashtbl.create 97

let import_spec_table = Hashtbl.create 17

let new_logic_type id = id

let rec get_type_decl package package_env acc d =
    match d with
    | JPTclass cd ->
        (*
          class_modifiers : modifiers;
          class_name : identifier;
          class_extends : qualified_ident option;
          class_implements : qualified_ident list;
          class_fields : field_declaration list
        *)
        let _, id = cd.class_name in
	let is_final = List.mem Final cd.class_modifiers in
        let ci = new_class_info ~is_final:is_final package id (package_env, cd) in
        (id, TypeClass ci) :: acc
    | JPTinterface i ->
        let (_,id) = i.interface_name in
        let ii = new_interface_info package id (package_env,i) in
        (id,TypeInterface ii)::acc
    | JPTannot(_loc,_s) -> assert false
    | JPTlemma((_loc,_id),_is_axiom, _labels,_e) -> acc
    | JPTlogic_type_decl (loc,id) ->
        begin
          try
            let _ = Hashtbl.find logic_types_table id in
            typing_error loc "logic type already defined"
          with
              Not_found ->
                let i = new_logic_type id in
                Hashtbl.add logic_types_table id i;
                acc
        end
    | JPTlogic_reads((_loc,_id),_ret_type,_labels,_params,_reads) -> acc
    | JPTlogic_def((_loc,_id),_ret_type,_labels,_params,_body) -> acc
    | JPTinductive((_loc,_id),_labels,_params,_body) -> acc
    | JPTaxiomatic(_,body) ->
	List.fold_left (get_type_decl package package_env) acc body
    | JPTimport(PolyTheoryId(qid,_params))  ->
        let
          id = Java_pervasives.qualified_ident2string
                 qid "."
        in
	(* we look if id is already in the import table *)
	try
	  let _ = Hashtbl.find import_spec_table id in
	  Java_options.lprintf "importing %s: was already imported@." id;
	  acc
	with Not_found ->
	  Java_options.lprintf "importing spec %s@." id;
	  let
            spec_body = Java_syntax.spec_file
              ((Java_pervasives.qualified_ident2string qid "/")
               ^ ".spec")
          in
	  Hashtbl.add import_spec_table id spec_body;
	  List.fold_left (get_type_decl package package_env) acc spec_body


type classified_name =
  | TermName of term
  | TypeName of java_type_info
  | LogicTypeName of logic_type_info
  | PackageName of package_info

let rec add_in_package_list pi l =
  match l with
    | [] -> [pi]
    | qi::_ when pi.package_info_tag = qi.package_info_tag -> l
    | qi::r -> qi::add_in_package_list pi r

let is_boolean t =
  match t with
    | JTYbase Tboolean -> true
    | _ -> false

let is_reference_type t =
  match t with
    | JTYbase _t -> false
    | _ -> true

(* logic funs *)

type logic_def_body =
  [ `Assertion of Java_tast.assertion
  | `Term of Java_tast.term
  | `Inductive of
      (Java_ast.identifier * Java_env.logic_label list * Java_tast.assertion)
	list
  | `Builtin ]

type logic_decl_body =
  [ logic_def_body | `None | `Reads of Java_tast.term list ]

type axiomatic_defs =
  | Adecl of  Java_env.java_logic_info * logic_decl_body
  | Aaxiom of string * bool * Java_env.logic_label list * Java_tast.assertion
  | Atype of string

let logics_env = Hashtbl.create 97
let logic_defs_table = Hashtbl.create 97
let axiomatics_table = Hashtbl.create 97

let builtin_logic_symbols = ref []

let () =
  List.iter
    (fun (ty,id,pl) ->
       let l =
	 List.map
	   (fun ty -> new_var Loc.dummy_position ty "_")
	   pl
       in
       let fi = logic_info id ty [] l in
       builtin_logic_symbols := fi :: !builtin_logic_symbols;
       Hashtbl.add logics_env fi.java_logic_info_name fi;
       Hashtbl.add logic_defs_table fi.java_logic_info_tag (fi,`Builtin)
    )
    Java_pervasives.builtin_logic_symbols

(* JLS 5.1.1: Identity Conversion *)
let rec is_identity_convertible tfrom tto =
  match tfrom, tto with
    | JTYbase t1, JTYbase t2 -> t1=t2
    | JTYclass(_,c1), JTYclass(_,c2) -> c1 == c2
    | JTYinterface i1, JTYinterface i2 -> i1 == i2
    | JTYarray (_, t1), JTYarray (_, t2) -> is_identity_convertible t1 t2
    | JTYnull, JTYnull -> true
    | _ -> false

(* JLS 5.1.2: Widening Primitive Conversion *)
let is_widening_primitive_convertible tfrom tto =
  match tfrom,tto with
    | Tbyte, (Tshort | Tint | Tlong | Tfloat | Tdouble) -> true
    | Tshort, (Tint | Tlong | Tfloat | Tdouble) -> true
    | Tchar, (Tint | Tlong | Tfloat | Tdouble) -> true
    | Tint, (Tlong | Tfloat | Tdouble) -> true
    | Tlong, (Tfloat | Tdouble) -> true
    | Tfloat, Tdouble -> true
    | _ -> false

let is_logic_widening_primitive_convertible tfrom tto =
  match tfrom,tto with
    | Tbyte, (Tshort | Tint | Tlong | Tinteger | Tfloat | Tdouble | Treal)
        -> true
    | Tshort, (Tint | Tlong | Tinteger | Tfloat | Tdouble | Treal) -> true
    | Tchar, (Tint | Tlong | Tinteger | Tfloat | Tdouble | Treal) -> true
    | Tint, (Tlong | Tinteger | Tfloat | Tdouble | Treal) -> true
    | Tlong, (Tinteger | Tfloat | Tdouble | Treal) -> true
    | Tfloat, (Tdouble | Treal) -> true
    | Tinteger, Treal -> true
    | Tdouble, Treal -> true
    | _ -> false

let logic_unary_numeric_promotion ty =
  match ty with
    | JTYbase t ->
        begin
          match t with
            | Treal | Tdouble | Tfloat -> Treal
            | _ -> Tinteger
        end
    | _ -> assert false

let logic_binary_numeric_promotion t1 t2 =
  match t1,t2 with
    | JTYbase t1,JTYbase t2 ->
        begin
          match t1,t2 with
            | (Tboolean | Tunit),_
            | _, (Tboolean | Tunit) -> raise Not_found
            | (Treal | Tdouble | Tfloat),_
            | _, (Treal | Tdouble | Tfloat) -> Treal
            | _ -> Tinteger
        end
    | _ -> raise Not_found

let make_logic_bin_op loc op t1 e1 t2 e2 =
  match op with
    | Bconcat -> assert false
    | Bgt | Blt | Bge | Ble ->
        begin
          try
            let t = logic_binary_numeric_promotion t1 t2 in
            boolean_type,JTbin(e1,t,op,e2)
          with Not_found ->
            typing_error loc "numeric types expected for >,<,>= and <="
        end
    | Beq | Bne ->
        begin
          try
            let t = logic_binary_numeric_promotion t1 t2 in
            boolean_type,JTbin(e1,t,op,e2)
          with Not_found ->
            if is_boolean t1 && is_boolean t2 then
              boolean_type,JTbin(e1,Tboolean,op,e2)
            else
              if is_reference_type t1 && is_reference_type t2 then
                boolean_type,JTbin_obj(e1,op,e2)
              else
                typing_error loc "numeric, boolean or object types expected for == and !="
        end

    | Basr | Blsr | Blsl ->
        begin
          try
            match logic_unary_numeric_promotion t1 with
              | Tinteger as t1 ->
                  begin
                    try
                      match logic_unary_numeric_promotion t2 with
                        | Tinteger ->
                            JTYbase t1, JTbin (e1, t1, op, e2)
                        | _ -> raise Not_found
                    with Not_found -> int_expected loc t2
                  end
              | _ -> raise Not_found
          with Not_found -> int_expected loc t1
        end
    | Bimpl | Bor | Band | Biff ->
        if is_boolean t1 && is_boolean t2 then
          boolean_type, JTbin (e1, Tboolean, op, e2)
        else
          typing_error loc "booleans expected"
    | Bbwxor | Bbwor | Bbwand ->
        if is_boolean t1 && is_boolean t2 then
          boolean_type, JTbin (e1, Tboolean, op, e2)
        else
          begin
            try
              let t1 = logic_unary_numeric_promotion t1 in
              let t2 = logic_unary_numeric_promotion t2 in
                assert (t1 = t2);
                JTYbase t1, JTbin (e1, t1, op, e2)
            with Not_found ->
              typing_error loc "booleans or integers expected"
          end
    | Bsub | Badd | Bmod | Bdiv | Bmul ->
        try
          let t = logic_binary_numeric_promotion t1 t2 in
            JTYbase t, JTbin (e1, t, op, e2)
        with Not_found ->
          typing_error loc "numeric types expected for +,-,*, / and %%"

let make_logic_un_op loc op e =
  let ty = e.java_term_type in
    match op with
      | Uplus ->
          begin
            try
              let t = logic_unary_numeric_promotion ty in
		JTYbase t, e.java_term_node
            with Not_found ->
              typing_error loc "numeric type expected for unary +"
          end
      | Uminus ->
          begin
            try
              let t = logic_unary_numeric_promotion ty in
		JTYbase t, JTun (t, op, e)
            with Not_found ->
              typing_error loc "numeric type expected for unary -"
          end
      | Ucompl ->
          begin
            try
              match logic_unary_numeric_promotion ty with
		| Tinteger -> JTYbase Tinteger, JTun (Tinteger, op, e)
		| _ -> raise Not_found
            with Not_found ->
              typing_error loc "integer type expected for ~"
          end
      | Unot ->
          if is_boolean ty then ty, JTun (Tboolean, op, e) else
	    typing_error loc "boolean type expected for unary !"

let make_predicate_bin_op loc op t1 e1 t2 e2 =
  match op with
    | Bconcat -> assert false
    | Bgt | Blt | Bge | Ble ->
        begin
          try
            let t = logic_binary_numeric_promotion t1 t2 in
            JAbin(e1,t,op,e2)
          with Not_found ->
            typing_error loc "numeric types expected for >, <, >= and <="
        end
    | Beq | Bne ->
        begin
          try
            let t = logic_binary_numeric_promotion t1 t2 in
            JAbin(e1,t,op,e2)
          with Not_found ->
            if is_boolean t1 && is_boolean t2 then
              JAbin(e1,Tboolean,op,e2)
            else
              if is_reference_type t1 && is_reference_type t2 then
                JAbin_obj(e1,op,e2)
              else
                typing_error loc "numeric, boolean or object types expected for == and !="
        end
    | Basr|Blsr|Blsl|Bbwxor|Bbwor|Bbwand|Bimpl|Bor|Band|Biff ->
        assert false (* TODO *)
    | Bsub | Badd | Bmod | Bdiv | Bmul ->
        typing_error loc "operator +,-,*, / and %% is not a predicate"

let connective a1 op a2 =
  match op with
    | Band -> JAand(a1,a2)
    | Bor -> JAor(a1,a2)
    | Bimpl -> JAimpl(a1,a2)
    | Biff -> JAiff(a1,a2)
    | _ -> assert false

let dummy_class =
  { class_info_tag = (-1);
    class_info_name = "";
    class_info_package_env = [];
    class_info_incomplete = false;
    class_info_is_final = false;
    class_info_extends = None;
    class_info_is_exception = false;
    class_info_implements = [];
    class_info_fields = [];
    class_info_final_fields = [];
    class_info_methods = [];
    class_info_constructors = [];
  }

let object_class = ref dummy_class

let rec is_subclass c1 c2 =
  c1 == c2 ||
    (check_if_class_complete c1;
     match c1.class_info_extends with
      | None -> c2 == !object_class
      | Some c -> is_subclass c c2)

and is_subinterface i1 i2 =
  i1 == i2 ||
    (check_if_interface_complete i1;
     List.exists
        (fun i' ->
(*
           eprintf "checking if interface '%s' is subinterface of '%s'@."
                i'.interface_info_name i2.interface_info_name;
*)
       is_subinterface i' i2)
    i1.interface_info_extends)

and implements c i =
  List.exists
    (fun i' -> is_subinterface i' i)
    c.class_info_implements ||
    match c.class_info_extends with
      | None -> false
      | Some c -> implements c i

and get_this loc env =
  try
    List.assoc "this" env
  with Not_found ->
    typing_error loc "this undefined in this context"

and get_import (packages, types) imp =
  match imp with
    | Import_package qid ->
        Java_options.lprintf "importing package %a@." print_qualified_ident qid;
        begin
          match classify_name [] [] None [] qid with
            | PackageName pi -> (add_in_package_list pi packages,types)
            | _ -> typing_error (fst (List.hd qid))
                "package name expected"
        end
    | Import_class_or_interface qid ->
        Java_options.lprintf "importing %a@." print_qualified_ident qid;
        begin
          match classify_name [] [] None [] qid with
            | TypeName ti -> (packages, (snd (List.hd qid), ti)::types)
            | _ -> typing_error (fst (List.hd qid))
                "type name expected"
        end

and get_types package_env cus =
  let pil =
    List.map
      (fun cu ->
         match cu.cu_package with
           | [] -> anonymous_package
           | qid ->
               match classify_name package_env [] None [] qid with
                 | PackageName pi -> pi
                 | _ -> assert false)
      cus
  in
  let package_env, type_env =
    let imports = List.flatten (List.map (fun cu -> cu.cu_imports) cus) in
    List.fold_left get_import ([],[])
      (Import_package javalang_qid::imports)
  in
  let package_env =
    List.fold_left (fun _acc pi -> add_in_package_list pi package_env)
      package_env pil
  in
  let local_type_env =
    List.flatten
    (List.map
      (fun (pi, cu) ->
         List.fold_left (get_type_decl pi package_env)
           [] cu.cu_type_decls)
      (List.combine pil cus))
  in
  let full_type_env = local_type_env @ type_env in
  List.iter
    (fun (_,ti) ->
       match ti with
         | TypeClass ci ->
(*
             eprintf "setting type env for class '%s' as:@\n" ci.class_info_name;
             List.iter
               (fun (id,_) -> eprintf "  %s@\n" id)
               full_type_env;
*)
             Hashtbl.add class_type_env_table ci.class_info_tag
               full_type_env
         | TypeInterface ii ->
             Hashtbl.add interface_type_env_table ii.interface_info_tag
               full_type_env)
    local_type_env;
  package_env,local_type_env


(* corresponds to JLS 2nd ed., par. 6.5.2, pp. 96--97 *)
and classify_name
    (package_env : package_info list)
    (type_env : (string * java_type_info) list)
    (current_type : java_type_info option)
    (local_env : (string * java_var_info) list)
    (name : qualified_ident) =
  match name with
    | [] -> assert false
    | [(loc, id)] ->
        (* case of a simple name (JLS p 96) *)
(*
	Format.eprintf "classify_name for %s@." id;
*)
        begin
          (* look for a local var of that name *)
          try
            let vi = List.assoc id local_env in
              TermName {
                java_term_node = JTvar vi;
                java_term_type = vi.java_var_info_type;
                java_term_loc = loc
              }
          with Not_found ->
            (* look for a field of that name in current class *)
            try
              match current_type with
                | None -> raise Not_found
                | Some ti ->
                    let fi = lookup_field ti id in
                    let facc =
                      if fi.java_field_info_is_static then
                        JTstatic_field_access (ti, fi)
                      else
                        let vi =
                          try
                            List.assoc "this" local_env
                          with Not_found -> assert false
                        in
                        let this =
                          { java_term_node = JTvar vi;
                            java_term_type = vi.java_var_info_type;
                            java_term_loc = loc }
                        in
                        JTfield_access (this, fi)
                    in
                    TermName {
                      java_term_node = facc;
                      java_term_type = fi.java_field_info_type;
                      java_term_loc = loc
                    }
            with Not_found ->
              try
                (* TODO: look for a local class of member type of that name *)
                raise Not_found
              with
                  Not_found ->
                    try
                      (* look for a type of that name
                         in the current compilation unit, or
                         in another compilation unit of the current package *)
(*
                      eprintf "lookup id '%s' in type_env:@\n" id;
                      List.iter
                        (fun (id,_) -> eprintf "  %s@\n" id)
                        type_env;
*)
                      let ti = List.assoc id type_env in
                        TypeName ti
                    with Not_found ->
                      (* look for a type of that name
                         declared by a type-import-on-demand declaration
                         (fail if two of them are visible) *)
                      let l =
                        List.fold_left
                          (fun acc pi ->
                             let h = get_package_contents pi in
                               try
                                 (pi, h, (Hashtbl.find h id)) :: acc
                               with Not_found -> acc)
                          [] package_env
                      in
(*
		      eprintf "list l has length %d@." (List.length l);
*)
                      match l with
                        | [(_pi, h, x)] ->
                            begin
                              match x with
                                | Subpackage pi -> PackageName pi
                                | Type ti -> TypeName ti
                                | File f ->
                                    let ast = Java_syntax.file f in
                                    let (_, t) = get_types package_env [ast] in
                                    try
                                      let ti = List.assoc id t in
                                      Hashtbl.replace h id (Type ti);
                                      TypeName ti
                                    with Not_found ->
                                      eprintf "Anomaly: `%s' not found" id;
                                      assert false
                            end
                        | (pi1,_,_)::(pi2,_,_)::_ ->
                            typing_error loc
                              "ambiguous name from import-on-demand packages '%s' and '%s'"
                              pi1.package_info_name
                              pi2.package_info_name
                        | [] ->
                            (* otherwise look for a toplevel package
                               of that name *)
                            try
                              match Hashtbl.find toplevel_packages id with
                                | Subpackage pi -> PackageName pi
                                | Type _ti -> assert false
                                | File f ->
                                    typing_error loc "Internal error: got file %s in place of a package@." f
                            with Not_found ->
                              (* otherwise look for a logic type
                                 of that name *)
                              try
                                let i = Hashtbl.find logic_types_table id in
                                LogicTypeName i
                              with Not_found ->
                                typing_error loc "unknown identifier %s" id

        end

    | (loc,id)::n ->
        (* case of a qualified name (JLS p 97) *)
(*
	Format.eprintf "classify_name for %s...@." id;
*)
        match classify_name package_env type_env current_type local_env n with
          | PackageName pi ->
              let contents = get_package_contents pi in
              begin
                try
                  match Hashtbl.find contents id with
                    | Subpackage pi -> PackageName pi
                    | Type ti -> TypeName ti
                    | File f ->
                        let ast = Java_syntax.file f in
                        let (_, t) = get_types package_env [ast] in
                        try
                          let ti = List.assoc id t in
                          Hashtbl.replace contents id (Type ti);
                          TypeName ti
                        with Not_found ->
                          typing_error loc "type `%s' not found in file `%s'@."
                            id f
                with
                    Not_found ->
                      typing_error loc "unknown identifier %s in package %s"
			id pi.package_info_name
              end
          | TypeName ci ->
              begin
                try
                  let fi = lookup_field ci id in
                  if fi.java_field_info_is_static then
                    TermName {
                      java_term_loc = loc;
                      java_term_type = fi.java_field_info_type ;
                      java_term_node = JTstatic_field_access(ci,fi)
                    }
                  else
                    typing_error loc
                      "field %s is not static" id

                with Not_found ->
                  (* TODO: look for a method of that name ? *)
                  (* TODO: look for a member type of that name *)
                  typing_error loc
                    "no such field in %a" print_type_name ci
              end
          | TermName t ->
              type_term_field_access t loc id
          | LogicTypeName _i ->
              typing_error loc "logic type unexpected"

and type_term_field_access t loc id =
  match t.java_term_type with
    | JTYclass(_,c) ->
        begin
          try
            let fi = lookup_class_field c id in
            TermName {
              java_term_loc = loc;
              java_term_type = fi.java_field_info_type ;
              java_term_node = JTfield_access(t,fi)
            }
          with Not_found ->
            typing_error loc
              "no such field in class %s" c.class_info_name
        end
    | JTYinterface _ii ->
        assert false (* TODO *)
    | JTYarray _ ->
        if id="length" then
          TermName {
            java_term_loc = loc;
            java_term_type = integer_type;
            java_term_node = JTarray_length(t)
          }
        else
          typing_error loc
            "no such field in array type"
    | JTYnull | JTYbase _ | JTYlogic _ ->
        class_or_interface_expected t.java_term_loc
          t.java_term_type

and type_expr_field_access e loc id =
  match e.java_expr_type with
    | JTYclass(_,c) ->
        begin
          try
            let fi = lookup_class_field c id in
            {
              java_expr_loc = loc;
              java_expr_type = fi.java_field_info_type ;
              java_expr_node = JEfield_access(e,fi)
            }
          with Not_found ->
            typing_error loc
              "no such field in class %s" c.class_info_name
        end
    | JTYinterface _ii ->
        assert false (* TODO *)
    | JTYarray _ ->
        if id="length" then
          {
            java_expr_loc = loc;
            java_expr_type = int_type;
            java_expr_node = JEarray_length(e)
          }
        else
          typing_error loc
            "no such field in array type"
    | JTYnull | JTYbase _ | JTYlogic _ ->
        class_or_interface_expected e.java_expr_loc
          e.java_expr_type

and type_type package_env type_env non_null ty =
  match ty with
    | Base_type t -> JTYbase t
    | Type_name qid ->
        begin
          match classify_name package_env type_env None [] qid with
            | TypeName ti ->
                begin
                  match ti with
                    | TypeClass ci -> JTYclass (non_null, ci)
                    | TypeInterface ii -> JTYinterface(ii)
                end
            | LogicTypeName i -> JTYlogic i
            | _ -> assert false (* TODO *)
        end
    | Array_type_expr t ->
        let ty = type_type package_env type_env non_null t in
        JTYarray (non_null, ty)

and get_field_prototypes package_env type_env ci acc d =
  match d with
    | JPFvariable vd ->
        (*
          vd.variable_modifiers : modifiers ;
          vd.variable_type : type_expr ;
          vd.variable_decls : variable_declarator list }
        *)
        let is_non_null = List.mem Non_null vd.variable_modifiers in
        let is_nullable = List.mem Nullable vd.variable_modifiers in
        let non_null =
          if !Java_options.nonnull_sem = NonNullNone then is_non_null else
            not is_nullable
        in
        let ty = type_type package_env type_env non_null vd.variable_type in
        let is_static = List.mem Static vd.variable_modifiers in
        let is_final = List.mem Final vd.variable_modifiers in
        let is_ghost = List.mem Ghost vd.variable_modifiers in
        let is_model = List.mem Model vd.variable_modifiers in
        List.fold_left
          (fun acc vd ->
             let ty', (loc, id) = var_type_and_id non_null ty vd.variable_id in
               if is_non_null && !Java_options.nonnull_sem <> NonNullNone then
                 typing_error loc
                   "'non_null' modifier is not allowed in 'non_null by default' mode";
               if is_nullable && !Java_options.nonnull_sem = NonNullNone then
                 typing_error loc
                   "'nullable' modifier is only allowed in 'non_null by default' mode";
             let fi = new_field ~is_static ~is_final ~is_nullable
               ~is_model ~is_ghost ci ty' id in
             Hashtbl.add field_prototypes_table fi.java_field_info_tag
               vd.variable_initializer;
             fi::acc
          ) acc vd.variable_decls
    | _ -> acc

and type_param package_env type_env p =
  let nullable = ref false in
  let rec get_type p =
    match p with
      | Simple_parameter (mo, ty, (loc, id)) ->
          (match mo with
             | None ->
                 nullable :=
                   !Java_options.nonnull_sem <> NonNullAll &&
                     !Java_options.nonnull_sem <> NonNullAllLocal;
             | Some Non_null ->
                 nullable := false;
                 if !Java_options.nonnull_sem = NonNullAll ||
                   !Java_options.nonnull_sem = NonNullAllLocal then
                     typing_error loc
                       "'non_null' modifier is not allowed in 'non_null by default' mode";
             | Some Nullable ->
                 nullable := true;
                 if !Java_options.nonnull_sem <> NonNullAll &&
                   !Java_options.nonnull_sem <> NonNullAllLocal then
                     typing_error loc
                       "'nullable' modifier is only allowed in 'non_null by default' mode";
             | _ -> assert false);
          let non_null = not !nullable in
            (non_null, type_type package_env type_env non_null ty, loc, id)
      | Array_parameter x ->
          let (non_null, t, loc, i) = get_type x in
            non_null, JTYarray (non_null, t), loc, i
  in
  let (_, t,loc,i) = get_type p in (new_var loc t i, !nullable)

and method_header package_env type_env modifiers retty mdecl =
  match mdecl with
    | Simple_method_declarator (id, l) ->
        let is_nullable = List.mem Nullable modifiers in
        let non_null =
          (!Java_options.nonnull_sem = NonNullAll ||
              !Java_options.nonnull_sem = NonNullAllLocal) &&
            not is_nullable
        in
          non_null, id, (Option_misc.map (type_type package_env type_env non_null) retty),
        List.map (type_param package_env type_env) l
    | Array_method_declarator d ->
        let non_null, id, t, l =
          method_header package_env type_env modifiers retty d
        in
          match t with
            | Some t -> non_null, id, Some (JTYarray (non_null, t)),l
            | None -> typing_error (fst id) "invalid type void array"

and get_constructor_prototype
    package_env type_env current_type req decreases behs head eci body =
  match current_type with
    | TypeInterface _ -> assert false
    | TypeClass cur ->
        let loc, _id = head.constr_name in
        let params =
          List.map (type_param package_env type_env)
            head.constr_parameters
        in
        let ci = new_constructor_info cur loc params in
          Hashtbl.add constructors_env ci.constr_info_tag
            (ci,req,decreases,behs,eci,body);
          ci

and get_method_prototypes package_env type_env current_type (mis,cis) env l =
  match l with
    | [] -> (mis,cis)
    | JPFmethod(head,body) :: rem ->
        let non_null, (loc,id), ret_ty, params =
          method_header package_env type_env
            head.method_modifiers head.method_return_type head.method_declarator
        in
        let is_static = List.mem Static head.method_modifiers in
        let result_is_nullable = not non_null in
        let mi = new_method_info
          ~is_static ~result_is_nullable loc id current_type ret_ty params
        in
        Hashtbl.add methods_env mi.method_info_tag (mi,None,None,[],body);
        get_method_prototypes package_env type_env
          current_type (mi::mis,cis) env rem
    | JPFmethod_spec(req,decreases,behs) :: JPFmethod(head,body) :: rem ->
        let non_null, (loc,id), ret_ty, params =
          method_header package_env type_env
            head.method_modifiers head.method_return_type head.method_declarator
        in
        let is_static = List.mem Static head.method_modifiers in
        let result_is_nullable = not non_null in
        let mi = new_method_info
          ~is_static ~result_is_nullable loc id current_type ret_ty params
        in
        Hashtbl.add methods_env mi.method_info_tag
          (mi,req,decreases,behs,body);
        get_method_prototypes package_env type_env
          current_type (mi::mis,cis) env rem
    | JPFconstructor(head,eci,body) :: rem ->
        let ci =
          get_constructor_prototype package_env type_env current_type
            None None [] head eci body
        in
        get_method_prototypes package_env type_env
          current_type (mis,ci::cis) env rem
    | JPFmethod_spec(req,decreases,behs) :: JPFconstructor(head,eci,body) :: rem ->
        let ci =
          get_constructor_prototype package_env type_env current_type
            req decreases behs head eci body
        in
        get_method_prototypes package_env type_env
          current_type (mis,ci::cis) env rem
    | JPFmethod_spec _ :: _ ->
        typing_error Loc.dummy_position "out of place method specification"
    | JPFinvariant (_id, _e) :: rem ->
        get_method_prototypes package_env type_env
          current_type (mis, cis) env rem
    | JPFstatic_invariant (_id, _e) :: rem ->
        get_method_prototypes package_env type_env
          current_type (mis, cis) env rem
    | JPFannot _ :: _ -> assert false (* not possible after 2nd parsing *)
    | JPFstatic_initializer _ ::rem ->
        (* TODO ? *)
        get_method_prototypes package_env type_env
          current_type (mis,cis) env rem
    | JPFvariable _ :: rem ->
        get_method_prototypes package_env type_env
          current_type (mis,cis) env rem
    | JPFclass _ :: rem -> (* TODO *)
        get_method_prototypes package_env type_env
          current_type (mis,cis) env rem
    | JPFinterface _ :: rem -> (* TODO *)
        get_method_prototypes package_env type_env
          current_type (mis,cis) env rem

and get_class_prototypes package_env type_env ci d =
  (* extends *)
  ci.class_info_extends <-
    Option_misc.map
    (fun id ->
       match classify_name package_env type_env None [] id with
         | TypeName (TypeClass super) ->
             check_if_class_complete super;
             Java_options.lprintf "Class %s extends class %s@."
               ci.class_info_name
               super.class_info_name;
             if super.class_info_is_exception then
               begin
                 Java_options.lprintf "Class %s is an exception class@."
                   ci.class_info_name;
                 ci.class_info_is_exception <- true
               end;
             super
         | _ ->
             typing_error (fst (List.hd id)) "class type expected")
    d.class_extends;
  (* implements *)
  ci.class_info_implements <-
    List.map
    (fun id ->
       match classify_name package_env type_env None [] id with
         | TypeName (TypeInterface super) ->
             check_if_interface_complete super;
             super
         | _ ->
             typing_error (fst (List.hd id)) "interface type expected")
    d.class_implements;
  (* fields *)
  let fields = List.fold_left
    (get_field_prototypes package_env type_env (TypeClass ci)) [] d.class_fields in
    ci.class_info_fields <- List.rev fields;
    let methods, constructors =
      get_method_prototypes package_env type_env (TypeClass ci) ([],[]) [] d.class_fields
    in
    let constructors =
      (* if no constructor explicitly declared,
         then there is always an implicit default constructor *)
      if constructors <> [] then constructors else
        let default_constructor = new_constructor_info ci Loc.dummy_position [] in
          Hashtbl.add constructors_env default_constructor.constr_info_tag
            (default_constructor, None, None, [], Invoke_none, []);
        [default_constructor]
    in
      ci.class_info_methods <- methods;
      ci.class_info_constructors <- constructors;
      (* invariants *)
      let this_type = JTYclass (true, ci) (* i.e. [this] is always non-null *) in
      let vi = new_var Loc.dummy_position this_type "this" in
      let invs, static_invs =
        List.fold_left
          (fun (acc1, acc2) d ->
             match d with
               | JPFinvariant (id, e) -> (id, e) :: acc1, acc2
               | JPFstatic_invariant (id, e) -> acc1, (snd id, e) :: acc2
               | _ -> acc1, acc2) ([], []) d.class_fields
      in
        Hashtbl.add invariants_env
          ci.class_info_tag (TypeClass ci, ["this", vi], vi, invs);
        Hashtbl.add static_invariants_env
          ci.class_info_tag (TypeClass ci, static_invs)

and get_interface_field_prototypes package_env type_env ii acc d =
  match d with
    | JPFvariable vd ->
        let is_model = List.mem Model vd.variable_modifiers in
        let ty = type_type package_env type_env true vd.variable_type in
          List.fold_left
            (fun acc vd ->
               let ty',(_loc,id) = var_type_and_id false ty vd.variable_id in
               (* Note: no need to check if it is static and final, because
                  it is implicitly the case (JLS,9.3, p 203) *)
               let fi =
                 if is_model then
                   new_field ~is_static:false ~is_final:false ~is_nullable:true
                     ~is_model:true ~is_ghost:false
                     (TypeInterface ii) ty' id
                 else
                   new_field ~is_static:true ~is_final:true ~is_nullable:true
                     ~is_model:false ~is_ghost:false
                     (TypeInterface ii) ty' id
               in
                 Hashtbl.add field_prototypes_table fi.java_field_info_tag
                   vd.variable_initializer;
                 fi::acc
            ) acc vd.variable_decls
    | _ -> acc

and get_interface_prototypes package_env type_env ii d =
  (* extends *)
  ii.interface_info_extends <-
    List.map
    (fun id ->
       match classify_name package_env type_env None [] id with
         | TypeName (TypeInterface super) ->
             super
         | _ ->
             typing_error (fst (List.hd id)) "interface type expected")
    d.interface_extends;
  (* fields *)
  let fields =
    List.fold_left (get_interface_field_prototypes package_env type_env ii) []
      d.interface_members
  in
  ii.interface_info_fields <- fields;
  let methods,_constructors =
    get_method_prototypes  package_env type_env (TypeInterface ii) ([],[]) [] d.interface_members
  in
  ii.interface_info_methods <- methods

and check_if_interface_complete ii =
  if ii.interface_info_incomplete then
    begin
      (* get interface decls prototypes *)
      let (p, d) = Hashtbl.find interface_decl_table ii.interface_info_tag in
      let t = Hashtbl.find interface_type_env_table ii.interface_info_tag in
      get_interface_prototypes p t ii d;
      ii.interface_info_incomplete <- false;
    end;

and lookup_implemented_interfaces l id =
  match l with
    | [] -> raise Not_found
    | [ii] -> lookup_interface_field ii id
    | ii::l ->
	try
	  lookup_interface_field ii id
	with Not_found -> lookup_implemented_interfaces l id

and lookup_interface_field ii id =
  check_if_interface_complete ii;
  try
    list_assoc_name (fun fi -> fi.java_field_info_name)
      id ii.interface_info_fields
  with
      Not_found -> lookup_implemented_interfaces ii.interface_info_extends id

and check_if_class_complete ci =
  if ci.class_info_incomplete then
    begin
      (* get class decls prototypes *)
      let (p, d) = Hashtbl.find class_decl_table ci.class_info_tag in
      let t = Hashtbl.find class_type_env_table ci.class_info_tag in
	ci.class_info_incomplete <- false;
	get_class_prototypes p t ci d;
    end;

and lookup_class_field ci id =
  check_if_class_complete ci;
  try
    list_assoc_name (fun fi -> fi.java_field_info_name) id ci.class_info_fields
  with
      Not_found ->
        try
          match ci.class_info_extends with
            | None -> raise Not_found
            | Some ci -> lookup_class_field ci id
        with
            Not_found -> lookup_implemented_interfaces ci.class_info_implements id


and lookup_field ti id =
  match ti with
    | TypeClass ci -> lookup_class_field ci id
    | TypeInterface ii -> lookup_interface_field ii id

let () =
  object_class :=
    catch_typing_errors
      (fun () ->
         match classify_name [] [] None []
           ((Loc.dummy_position,"Object") :: javalang_qid)
         with
           | TypeName (TypeClass ci) -> ci
           | _ -> assert false)
      ()

let string_class =
  if !Java_options.javacard then dummy_class else
    catch_typing_errors
      (fun () ->
         match classify_name [] [] None []
           ((Loc.dummy_position,"String") :: javalang_qid)
         with
           | TypeName (TypeClass ci) -> ci
           | _ -> assert false)
      ()

let string_type ~valid = JTYclass(valid,string_class)

type typing_env =
    {
      package_env : Java_env.package_info list;
      type_env : (string * Java_env.java_type_info) list;
      current_type : Java_env.java_type_info option;
      behavior_names : (string * identifier) list;
      label_env : (string * logic_label) list;
      current_label : logic_label option;
      env : (string * Java_env.java_var_info) list;
    }

let find_label env (loc,id) =
  try List.assoc id env.label_env
  with Not_found -> typing_error loc "unknown label %s" id


let label_assoc loc id env fun_labels effective_labels =
  match fun_labels, effective_labels with
    | [lf], [] ->
	begin
	  match env.current_label with
	    | None ->
		typing_error loc
		  "%s expect a label but there is no current label" id
	    | Some l -> [lf,l]
	end
    | _ ->
	try
	  List.map2
	    (fun l1 lab -> let l2 = find_label env lab in (l1,l2))
	    fun_labels effective_labels
	with Invalid_argument _ ->
	  typing_error loc
	    "wrong number of labels for %s" id

(* JLS 5.1.4: Widening Reference Conversion *)
let rec is_widening_reference_convertible tfrom tto =
  match tfrom,tto with
    | JTYclass(_,c1), JTYclass(_,c2) -> is_subclass c1 c2
    | JTYbase Tstring, JTYclass(_,c) -> is_subclass string_class c
    | JTYclass(_,c), JTYinterface i -> implements c i
    | JTYbase Tstring, JTYinterface i -> implements string_class i
    | JTYnull, (JTYclass _ | JTYinterface _ | JTYarray _ ) -> true
    | JTYinterface i1, JTYinterface i2 -> is_subinterface i1 i2
    | JTYinterface _ , JTYclass(_,c) when c == !object_class -> true
    | JTYarray _ , JTYclass(_,c) when  c== !object_class -> true
(* TODO
    | JTYarray _ , JTYinterface i when i==cloneable_interface -> true
    | JTYarray _ , JTYinterface i when i==serializable_interface -> true
*)
    | JTYarray (_, t1), JTYarray (_, t2) ->
        is_widening_reference_convertible t1 t2
    | _ -> false

and is_logic_call_convertible tfrom tto =
  is_identity_convertible tfrom tto ||
  match tfrom,tto with
    | JTYbase t1, JTYbase t2 -> is_logic_widening_primitive_convertible t1 t2
    | JTYlogic s1, JTYlogic s2 -> s1==s2
    | _ -> is_widening_reference_convertible tfrom tto

and term env e =
  let termt = term env in
  let loc = e.java_pexpr_loc in
  let ty, tt =
    match e.java_pexpr_node with
      | JPElit l ->
          let ty,l =
            match l with
              | Integer _s -> integer_type,l
              | Char _s -> assert false (* TODO *)
              | String _s -> logic_string_type,l
              | Bool _b -> boolean_type,l
              | Float(_s,suf) ->
		  begin
		    match suf with
		      | `Real -> real_type,l
		      | `Single -> float_type,l
		      | `Double -> double_type,l
		  end
              | Null -> null_type,l
          in
          ty,(JTlit l)
      | JPEname n ->
          begin
            match classify_name env.package_env env.type_env env.current_type env.env n with
              | TermName t ->
                  t.java_term_type, t.java_term_node
              | TypeName _ ->
                  typing_error loc
                    "term expected, got a class or interface"
              | PackageName _ ->
                  typing_error loc
                    "term expected, got a package name"
              | LogicTypeName _ ->
                  typing_error loc
                    "term expected, got a logic type"
          end

      | JPEresult ->
          begin
            try
              let vi = List.assoc "\\result" env.env in
              vi.java_var_info_type,JTvar vi
            with Not_found ->
              typing_error loc "\\result undefined in this context"
          end
      | JPEthis ->
          let vi = get_this loc env.env in
          vi.java_var_info_type, JTvar vi
      | JPEbin (e1, op, e2) ->
          let te1 = termt e1 and te2 = termt e2 in
          make_logic_bin_op loc op
            te1.java_term_type te1 te2.java_term_type te2
      | JPEquantifier _ ->
          typing_error loc
            "quantified formulas not allowed in term position"
      | JPEold e1 ->
	  let l = find_label env (loc,"Old") in
          let te1 = term { env  with current_label = Some l} e1 in
          te1.java_term_type,JTat(te1,l)
      | JPEat(e1,lab) ->
	  let l = find_label env lab in
          let te1 = term { env  with current_label = Some l} e1 in
          te1.java_term_type,JTat(te1,l)
      | JPEinstanceof (_, _)-> assert false (* TODO *)
      | JPEcast (t, e1)->
          let te1 = termt e1 in
          let ty = type_type env.package_env env.type_env false t in
          (* TODO: check if cast allowed *)
          ty,JTcast(ty,te1)
      | JPEarray_access (e1, e2)->
          let te1 = termt e1 and te2 = termt e2 in
          begin
            match te1.java_term_type with
              | JTYarray (_, t) ->
                  begin
                    try
                      match
                        logic_unary_numeric_promotion te2.java_term_type
                      with
                        | Tinteger -> t, JTarray_access(te1,te2)
                        | _ -> raise Not_found
                    with Not_found ->
                      integer_expected e2.java_pexpr_loc te2.java_term_type
                  end
              | _ ->
                  array_expected e1.java_pexpr_loc te1.java_term_type
          end
      | JPEarray_range (e1, e2, e3)->
          let te1 = termt e1 in
          begin
            match te1.java_term_type with
              | JTYarray (_, t) ->
                  let te2 = Option_misc.map (index env) e2 in
                  let te3 = Option_misc.map (index env) e3 in
                  t, JTarray_range(te1,te2,te3)
              | _ ->
                  array_expected e1.java_pexpr_loc te1.java_term_type
          end
      | JPEnew_array _-> assert false (* TODO *)
      | JPEnew (_, _)-> assert false (* TODO *)
      | JPEsuper_call (_, _)-> assert false (* TODO *)
      | JPEcall_name (qid, labels, args)->
          begin
            match qid with
              | [(loc,id)] ->
                  begin
                    try
                      let fi = Hashtbl.find logics_env id in
		      let lab_assoc =
			label_assoc loc id env fi.java_logic_info_labels labels
		      in
                      let args =
			try
			  List.map2
			    (fun vi e ->
			       let ty = vi.java_var_info_type in
			       let te = termt e in
			       if is_logic_call_convertible te.java_term_type ty
			       then te
			       else
				 typing_error e.java_pexpr_loc
				   "type %a expected instead of %a"
				   print_type ty print_type te.java_term_type)
			    fi.java_logic_info_parameters args
			with  Invalid_argument _ ->
			  typing_error e.java_pexpr_loc
			    "wrong number of arguments for %s" id
		      in
                      match fi.java_logic_info_result_type with
                        | None ->
                            typing_error loc
                              "logic symbol `%s' is a predicate" id
                        | Some t -> t,JTapp(fi,lab_assoc,args)
                    with Not_found ->
                      typing_error loc "logic function `%s' not found" id
                  end
              | _ ->
                  typing_error loc "method calls not allowed in annotations"
          end
      | JPEcall_expr _ ->
          typing_error loc
            "method calls not allowed in annotations"
      | JPEfield_access fa ->
          begin
            match fa with
              | Primary_access (e1, f) ->
                  let te1 = termt e1 in
                    begin
                      match te1.java_term_type with
                        | JTYclass (_, ci) ->
                            begin
                              try
                                let fi = lookup_field (TypeClass ci) (snd f) in
                                  fi.java_field_info_type,JTfield_access(te1,fi)
                              with
                                  Not_found ->
                                    typing_error e1.java_pexpr_loc
                                      "not such field"
                            end
                        | JTYinterface ii ->
                            begin
                              try
                                let fi = lookup_field (TypeInterface ii) (snd f) in
                                  fi.java_field_info_type,JTfield_access(te1,fi)
                              with
                                  Not_found ->
                                    typing_error e1.java_pexpr_loc
                                      "not such field"
                            end
                        | JTYarray _ ->
                            if (snd f) = "length" then
                              integer_type, JTarray_length te1
                            else
                              typing_error e1.java_pexpr_loc
                                "not such field"
                        | _ ->
                            typing_error e1.java_pexpr_loc
                              "not a class"
                    end

              | Super_access _ -> assert false (* TODO *)
          end
      | JPEif (e1, e2, e3)->
          let te1 = termt e1 in
          if is_boolean te1.java_term_type then
            let te2 = termt e2 in
            let te3 = termt e3 in
            (* TODO: check if compatible types *)
            te1.java_term_type,JTif(te1,te2,te3)
          else
            typing_error e1.java_pexpr_loc "boolean expected"
      | JPEassign_array _
      | JPEassign_field _
      | JPEassign_name _ ->
          typing_error loc
            "assignment not allowed in annotations"
      | JPEfresh _ ->
          typing_error loc
            "fresh is a predicate not a term"
      | JPEincr (_, _) -> assert false (* TODO *)
      | JPEun (op, e) ->
          let te = termt e in
            make_logic_un_op loc op te
  in { java_term_node = tt;
       java_term_type = ty;
       java_term_loc = e.java_pexpr_loc }

and index env e =
  let te = term env e in
  match
    logic_unary_numeric_promotion te.java_term_type
  with
    | Tinteger -> te
    | _ ->
        integer_expected e.java_pexpr_loc te.java_term_type

and assertion env e =
  let termt = term env in
  let assertiont = assertion env in
  let ta =
  match e.java_pexpr_node with
    | JPElit (Bool true) -> JAtrue
    | JPElit (Bool false) -> JAfalse
    | JPElit _ ->
        typing_error e.java_pexpr_loc
          "this literal is not a boolean expression"
    | JPEun(Unot, e2) ->
        let te2 = assertiont e2 in JAnot(te2)
    | JPEun (_, _)-> assert false (* TODO *)
    | JPEbin(e1, ((Band | Bor | Bimpl | Biff) as op) , e2) ->
        let te1 = assertiont e1
        and te2 = assertiont e2
        in connective te1 op te2
    | JPEbin
        ({ java_pexpr_node =
             JPEbin (_, (Beq | Bne | Bgt | Blt | Ble | Bge), a) } as p,
         (Beq | Bne | Bgt | Blt | Ble | Bge as op), b) ->
        let q = { java_pexpr_loc = fst a.java_pexpr_loc, snd b.java_pexpr_loc ;
                  java_pexpr_node = JPEbin (a, op, b) } in
          JAand (assertiont p, assertiont q)
    | JPEbin
        (a, (Beq | Bne | Bgt | Blt | Ble | Bge as op),
        ({ java_pexpr_node =
            JPEbin (b, (Beq | Bne | Bgt | Blt | Ble | Bge), _) } as p)) ->
        let q = { java_pexpr_loc = fst a.java_pexpr_loc, snd b.java_pexpr_loc ;
                  java_pexpr_node = JPEbin (a, op, b) } in
          JAand (assertiont q, assertiont p)
    | JPEbin(e1, op, e2) ->
        let te1 = termt e1 and te2 = termt e2 in
          make_predicate_bin_op e.java_pexpr_loc op
            te1.java_term_type te1 te2.java_term_type te2
    | JPEquantifier (q, idl, e)->
      let a = make_quantified_formula
        e.java_pexpr_loc q idl env e
      in
      a.java_assertion_node
    | JPEfresh e ->
      let t = termt e in
      begin
        match t.java_term_type with
          | JTYlogic _ | JTYbase _ ->
            typing_error e.java_pexpr_loc "reference type expected for \\fresh"
          | JTYarray (_, _)
          | JTYinterface _
          | JTYnull
          | JTYclass _ -> JAfresh(t)
      end
    | JPEold a ->
        let l = find_label env (e.java_pexpr_loc,"Old") in
        let ta = assertion { env  with current_label = Some l} a in
        JAat(ta,l)
    | JPEat(a,lab) ->
        let l = find_label env lab in
        let ta = assertion { env  with current_label = Some l} a in
        JAat(ta,l)
    | JPEinstanceof (e, ty) ->
        begin
          match env.current_label with
            | None ->
                typing_error e.java_pexpr_loc "No memory state for this instanceof (\\at missing ?)"
            | Some l ->
                let te = termt e and tty = type_type env.package_env env.type_env false ty in
                if is_reference_type tty then JAinstanceof (te, l, tty) else
                  typing_error e.java_pexpr_loc "unexpected type"
        end
    | JPEcast (_, _)-> assert false (* TODO *)
    | JPEarray_access (_, _)-> assert false (* TODO *)
    | JPEarray_range (_, _,_)-> assert false (* TODO *)
    | JPEnew_array _-> assert false (* TODO *)
    | JPEnew (_, _)-> assert false (* TODO *)
    | JPEsuper_call (_, _)-> assert false (* TODO *)
    | JPEcall_name([(loc,id)], labels, args)->
        begin
          try
            let fi = Hashtbl.find logics_env id in
	    let lab_assoc =
	      label_assoc loc id env fi.java_logic_info_labels labels
	    in
            let tl =
              try
                List.map2
                  (fun vi e ->
                     let ty = vi.java_var_info_type in
                     let te = termt e in
                     if is_logic_call_convertible te.java_term_type ty then te
                     else
                       typing_error e.java_pexpr_loc
                         "type %a expected, got %a"
                         print_type ty print_type te.java_term_type)
                  fi.java_logic_info_parameters args
              with  Invalid_argument _ ->
                typing_error e.java_pexpr_loc
                  "wrong number of arguments for %s" id
            in
            match fi.java_logic_info_result_type with
              | None -> JAapp(fi, lab_assoc, tl)
              | Some _t ->
                  typing_error loc
                    "logic symbol `%s' is not a predicate" id
          with
              Not_found ->
                typing_error e.java_pexpr_loc
                  "unknown predicate `%s'" id
        end
    | JPEcall_name _ | JPEcall_expr _ ->
        typing_error e.java_pexpr_loc
          "method call not allowed in assertion"
    | JPEfield_access _->
        typing_error e.java_pexpr_loc
          "field access not allowed in assertion"
	  (* TODO: boolean fields can be seen as predicates *)
    | JPEif (e1, e2, e3)->
        let te1 = termt e1 in
        if is_boolean te1.java_term_type then
          let te2 = assertiont e2 in
          let te3 = assertiont e3 in
            (* TODO: check if compatible types *)
            JAif(te1,te2,te3)
          else
            typing_error e1.java_pexpr_loc "boolean expected"
    | JPEassign_array (_, _, _, _)
    | JPEassign_field (_, _, _)
    | JPEassign_name (_, _, _) ->
        typing_error e.java_pexpr_loc
          "assignment not allowed in annotations"
    | JPEname _-> assert false (* TODO *)
    | JPEincr (_, _)-> assert false (* TODO *)
    | JPEresult ->
        begin
          try
            let vi = List.assoc "\\result" env.env in
            match vi.java_var_info_type with
              | JTYbase Tboolean ->
                  JAbool_expr {
                    java_term_node = JTvar vi;
                    java_term_type = vi.java_var_info_type;
                    java_term_loc = e.java_pexpr_loc
                  }
              | _ ->
                  typing_error e.java_pexpr_loc "\\result is not boolean"

          with Not_found ->
            typing_error e.java_pexpr_loc "\\result undefined in this context"
        end

    | JPEthis ->
        typing_error e.java_pexpr_loc
          "'this' is not a boolean expression"

  in { java_assertion_node = ta;
       java_assertion_loc = e.java_pexpr_loc }

and make_quantified_formula loc q idl env e : assertion =
  match idl with
    | [] -> assertion env e
    | (ty,idl)::r ->
        let tty = type_type env.package_env env.type_env true ty in
        let env_local =
          List.map
            (fun id ->
               let tyv, (loc,n) = var_type_and_id false tty id in
               let vi = new_var loc tyv n in
               (n,vi))
            idl
        in
        let f =
          make_quantified_formula loc q r
	    { env with env = env_local@env.env }
            e
        in
        List.fold_right
          (fun (_,vi) acc ->
             { java_assertion_loc = loc ;
               java_assertion_node = JAquantifier(q,vi,acc) })
          env_local f



(*

  read the 'Throwable' class to initiate fields
  class_info_is_exception

*)

let () =
  match classify_name [] [] None []
    ((Loc.dummy_position,"Throwable") :: javalang_qid)
  with
    | TypeName (TypeClass ci) -> ci.class_info_is_exception <- true
    | _ -> assert false

let () =
  catch_typing_errors
    (fun () ->
       match classify_name [] [] None []
         ((Loc.dummy_position,"Exception") :: javalang_qid)
       with
         | TypeName (TypeClass ci) -> ci.class_info_is_exception <- true
         | _ -> assert false)
    ()




(*******************************

Typing level 2: extract bodies
  (logic functions definitions, axioms,
   field initializers, method and constructors bodies)

**********************************)



let field_initializer_table = Hashtbl.create 17

let lemmas_table = Hashtbl.create 17


(* JLS 5.6.1: Unary Numeric Promotion *)
let unary_numeric_promotion t =
  match t with
    | JTYbase t ->
        begin
          match t with
            | Treal | Tinteger -> assert false
            | Tchar | Tbyte | Tshort -> Tint
            | _ -> t
        end
    | _ -> assert false

(* JLS 5.6.2: Binary Numeric Promotion *)
let binary_numeric_promotion ~ghost t1 t2 =
  match t1,t2 with
    | JTYbase t1,JTYbase t2 ->
        begin
          if ghost then
            match t1,t2 with
              | (Tboolean | Tunit| Tstring),_
              | _, (Tboolean | Tunit| Tstring) -> raise Not_found
              | (Treal | Tdouble | Tfloat), _
              | _, (Treal | Tdouble | Tfloat) -> Treal
              | _ -> Tinteger
          else
            match t1,t2 with
              | (Tboolean | Tunit | Tstring),_
              | _, (Tboolean | Tunit | Tstring) -> raise Not_found
              | (Treal | Tinteger), _
              | _, (Treal | Tinteger) -> assert false
              | Tdouble,_ | _, Tdouble -> Tdouble
              | Tfloat,_ | _, Tfloat -> Tfloat
              | Tlong,_ | _, Tlong -> Tlong
            | (Tshort | Tbyte | Tint | Tchar),
                  (Tshort | Tbyte | Tint | Tchar) -> Tint
          end
    | _ -> raise Not_found

(* dead code
let lub_object_types _t1 _t2 = JTYnull
*)

(* JLS 5.1.3: Narrowing Primitive Conversion *)
let is_narrowing_primitive_convertible tfrom tto =
  match tfrom, tto with
    | Tshort, (Tbyte | Tchar) -> true
    | Tchar, (Tbyte | Tshort) -> true
    | Tint, (Tbyte | Tshort | Tchar) -> true
    | Tlong, (Tbyte | Tshort | Tchar | Tint) -> true
    | Tfloat, (Tbyte | Tshort | Tchar | Tint | Tlong)  -> true
    | Tdouble, (Tbyte | Tshort | Tchar | Tint | Tlong | Tfloat)  -> true
    | _ -> false

let narrowing_primitive_conversion n tfrom tto =
  match tfrom, tto with
    | Tshort, (Tbyte | Tchar) -> assert false (* TODO *)
    | Tchar, (Tbyte | Tshort) -> assert false (* TODO *)
    | Tint, Tbyte ->
        let i = Num.int_of_num n in
        let i = i land 0xFF in (* discard all but 8 lower order bits *)
          (* if i is a byte then i else take the 2 complement of i *)
        let i = if in_byte_range (Num.num_of_int i) then i else
          let i = (lnot i) land 0xFF in
          let i = (i + 1) land 0xFF in -i
        in Num.num_of_int i
    | Tint, Tshort ->
        let i = Num.int_of_num n in
        let i = i land 0xFFFF in (* discard all but 16 lower order bits *)
          (* if i is a short then i else take the 2 complement of i *)
        let i = if in_short_range (Num.num_of_int i) then i else
          let i = (lnot i) land 0xFFFF in
          let i = (i + 1) land 0xFFFF in -i
        in Num.num_of_int i
    | Tint, Tchar -> assert false (* TODO *)
    | Tlong, (Tbyte | Tshort | Tchar | Tint) -> assert false (* TODO *)
    | Tfloat, (Tbyte | Tshort | Tchar | Tint | Tlong) -> assert false (* TODO *)
    | Tdouble, (Tbyte | Tshort | Tchar | Tint | Tlong | Tfloat) -> assert false (* TODO *)
    | _ -> assert false (* should never happen *)


(* JLS 5.2: Assignment conversion  *)

let final_field_values_table : (int, Num.num list) Hashtbl.t
    = Hashtbl.create 97

let bwor_num n1 n2 =
  try
    let n1 = Num.int_of_num n1 in
    let n2 = Num.int_of_num n2 in
    Num.num_of_int (n1 lor n2)
  with
      _ -> assert false


let rec lsl_num n1 n2 =
  if n2 = 0 then n1 else lsl_num (Num.add_num n1 n1) (n2-1)

let lsr_num _n1 _n2 = assert false

let asr_num _n1 _n2 = assert false


let rec eval_const_expression env const e =
  match e.java_expr_node with
    | JElit c ->
        begin
          match c with
            | Integer s -> Numconst.integer s
            | Float _ -> raise Not_found (* TODO *)
            | Bool false -> Num.Int 0
            | Bool true -> Num.Int 1
            | String _ -> raise Not_found (* TODO *)
            | Char s ->  Numconst.integer s
            | Null -> raise Not_found (* TODO *)
        end
    | JEcast (ty, e) ->
        let n = eval_const_expression env const e in
          begin
            match ty with
              | JTYbase t ->
                  let te = match e.java_expr_type with
                    | JTYbase t -> t | _ -> assert false
                  in
                    begin
                      match t with
                        | Tbyte -> if in_byte_range n then n else
                            if is_narrowing_primitive_convertible te t then
                              narrowing_primitive_conversion n te t
                            else
                              typing_error e.java_expr_loc
                                "outside the byte range: %s" (Num.string_of_num n)
                        | Tshort -> if in_short_range n then n else
                            if is_narrowing_primitive_convertible te t then
                              narrowing_primitive_conversion n te t
                            else
                              typing_error e.java_expr_loc
                                "outside the short range: %s" (Num.string_of_num n)
                        | Tunit | Treal | Tinteger | Tdouble | Tlong
                        | Tfloat | Tint | Tchar | Tboolean | Tstring -> assert false (* TODO *)
                    end
              | JTYarray _ | JTYinterface _ | JTYclass (_, _)
              | JTYnull | JTYlogic _
                  -> raise Not_found
          end
    | JEbin(e1,op,e2) ->
        let n1 = eval_const_expression env const e1 in
        let n2 = eval_const_expression env const e2 in
        begin
          match op with
            | Bconcat -> assert false
            | Badd -> Num.add_num n1 n2
            | Bbwxor -> assert false (* TODO *)
            | Bbwor -> bwor_num n1 n2
            | Bbwand -> assert false (* TODO *)
            | Blsl|Basr|Blsr ->
                let max =
                  match e1.java_expr_type with
                    | JTYbase Tint -> 31
                    | JTYbase Tlong -> 63
                    | _ -> assert false
                in
                if Num.le_num Numconst.zero n1 && Num.le_num n1 (Num.num_of_int max) then
                  match op with
                    | Blsl -> lsl_num n1 (Num.int_of_num n2)
                    | Basr -> asr_num n1 (Num.int_of_num n2)
                    | Blsr -> lsr_num n1 (Num.int_of_num n2)
                    | _ -> assert false
                else
                  typing_error e2.java_expr_loc "this expression is not in the rang 0-%d" max
            | Bge|Ble|Blt|Bgt|Bne|Beq
            |Biff|Bimpl|Bor|Band|Bmod|Bdiv|Bmul|Bsub ->
               raise Not_found (* TODO *)

        end
    | JEstatic_field_access (_ty, fi) ->
        begin
          try
            match fi.java_field_info_type with
              | JTYarray _ -> raise Not_found
              | _ ->
                  List.hd (Hashtbl.find final_field_values_table fi.java_field_info_tag)
          with Not_found ->
	    let ci = match env.current_type with
	      | None -> assert false (* should never happen *)
	      | Some ci -> ci
	    in
	    type_field_initializer env.package_env env.type_env ci fi;
            try
	      List.hd (Hashtbl.find final_field_values_table fi.java_field_info_tag)
	    with Not_found ->
	      raise Not_found
	      (* was assert false (* should never happen *)*)
        end
    | JEif (_, _, _)-> raise Not_found  (* TODO *)
    | JEun (op, e) ->
        let _n = eval_const_expression env const e in
        begin
          match op with
            | Uplus -> raise Not_found (* TODO *)
            | Uminus -> Num.minus_num _n
            | Unot -> raise Not_found (* TODO *)
            | Ucompl -> raise Not_found (* TODO *)
        end
    | JEinstanceof _
    | JEvar _
    | JEnew_object (_, _)
    | JEnew_array (_, _)
    | JEstatic_call (_, _)
    | JEcall (_, _, _)
    | JEconstr_call _
    | JEassign_array (_, _, _)
    | JEassign_array_op (_, _, _, _)
    | JEassign_field_op (_, _, _, _)
    | JEassign_field (_, _, _)
    | JEassign_static_field _
    | JEassign_static_field_op _
    | JEassign_local_var_op (_, _, _)
    | JEassign_local_var (_, _)
    | JEarray_access (_, _)
    | JEarray_length _
    | JEfield_access (_, _)
    | JEincr_field (_, _, _)
    | JEincr_local_var (_, _)
    | JEincr_array _ -> raise Not_found

and is_assignment_convertible ?(const=false) ~ghost env tfrom efrom tto =
  is_identity_convertible tfrom tto ||
  match tfrom,tto with
    | JTYbase t1, JTYbase t2 ->
        if ghost then is_logic_widening_primitive_convertible t1 t2
        else
          is_widening_primitive_convertible t1 t2 ||
            begin
              match t2 with
                | Tbyte | Tshort | Tchar ->
                    begin
                      try
                        let n = eval_const_expression env const efrom in
                        match t2 with
                          | Tbyte -> in_byte_range n
                          | Tshort -> in_short_range n
                          | Tchar -> in_char_range n
                          | _ -> assert false
                      with Not_found ->
                        if const then raise Not_found else false
                    end
                | _ -> false
            end
    | _ -> is_widening_reference_convertible tfrom tto

(* JLS 5.3: Method invocation conversion  *)
and is_method_invocation_convertible tfrom tto =
  is_identity_convertible tfrom tto ||
  match tfrom,tto with
    | JTYbase t1, JTYbase t2 -> is_widening_primitive_convertible t1 t2
    | _ -> is_widening_reference_convertible tfrom tto

(* JLS 5.5: Cast conversion *)
and cast_convertible tfrom tto =
  is_identity_convertible tfrom tto ||
    match tfrom,tto with
      | JTYbase _t1, JTYbase _t2 -> true (* correct ? TODO *)
      | JTYbase _,_ | _, JTYbase _ -> false
      | JTYlogic _,_ | _,JTYlogic _ -> false
      | JTYclass(_,cfrom), JTYclass(_,cto) ->
          is_subclass cfrom cto || is_subclass cto cfrom
      | JTYclass (_, ci), JTYinterface ii ->
	  if ci.class_info_is_final then implements ci ii else
	    true (* JLS 2.0: OK, JLS 3.0: TO COMPLETE *)
      | JTYclass(_,c), JTYarray _ ->
          c == !object_class
      | JTYinterface _,JTYclass _ -> assert false (* TODO *)
      | JTYinterface ifrom, JTYinterface ito ->
          is_subinterface ifrom ito || is_subinterface ito ifrom
            (* TODO: check this: JLS p73 appears to be incomplete *)
      | JTYinterface _,JTYarray _ -> assert false (* TODO *)
      | JTYarray _,_ -> assert false (* TODO *)
      | JTYnull, JTYclass _ -> true
      | JTYnull,_ -> assert false
      | _,JTYnull -> assert false

(**********************)

(* expressions *)

and string_promotion e =
  match e.java_expr_type with
    | JTYclass(_,c) when c == string_class -> e
    | JTYbase Tstring -> e (* TODO: coercion ? *)
    | JTYbase Tinteger -> e (* TODO: coercion ? *)
    | JTYbase _ -> e  (* TODO: coercion ? *)
    | _ -> assert false

and make_bin_op ~ghost loc op t1 e1 t2 e2 =
  match op with
    | Bconcat -> assert false
    | Bgt | Blt | Bge | Ble ->
        begin
          try
            let _t = binary_numeric_promotion ~ghost t1 t2 in
              boolean_type, JEbin(e1, op, e2)
          with Not_found ->
            typing_error loc "numeric types expected"
        end
    | Beq | Bne ->
        begin
          try
            let _t = binary_numeric_promotion t1 t2 in
              boolean_type, JEbin(e1, op, e2)
          with Not_found ->
            if (is_boolean t1 && is_boolean t2) ||
              (is_reference_type t1 && is_reference_type t2) then
                boolean_type, JEbin (e1, op, e2)
            else
              typing_error loc "numeric or object types expected for == and !="
        end
    | Bsub | Bmul | Bdiv | Bmod ->
        begin
          try
            let t = binary_numeric_promotion ~ghost t1 t2 in
            JTYbase t,JEbin(e1, op, e2)
          with Not_found ->
            typing_error loc "numeric types expected for -, *, / and %%"
        end
    | Badd ->
        begin
          try
            let t = binary_numeric_promotion ~ghost t1 t2 in
            JTYbase t,JEbin(e1, op, e2)
          with Not_found ->
            match t1,t2 with
              | (_,JTYclass(_,c)) | (JTYclass(_,c),_)
                    when c == string_class ->
                  (string_type ~valid:true),
                      JEbin(string_promotion e1,Bconcat,string_promotion e2)
              | (_,JTYbase Tstring) | (JTYbase Tstring,_) ->
                  (string_type ~valid:true),
                  JEbin(string_promotion e1,Bconcat,string_promotion e2)
              | _ ->
                  typing_error loc
                    "numeric types or String expected for +, got %a + %a"
                    print_type t1 print_type t2
        end
    | Band | Bor ->
        if is_boolean t1 && is_boolean t2 then
          boolean_type,JEbin(e1,op,e2)
        else
          typing_error loc "booleans expected"
    | Basr | Blsr | Blsl ->
        (* JLS 15.19: Shift Operators *)
        begin
          try
            match unary_numeric_promotion t1 with
              | (Tint | Tlong) as t1 ->
                  begin
                    try
                      match unary_numeric_promotion t2 with
                        | Tint | Tlong ->
                            JTYbase t1, JEbin(e1, op, e2)
                        | _ -> raise Not_found
                    with Not_found -> int_expected loc t2
                  end
              | _ -> raise Not_found
          with Not_found -> int_expected loc t1
        end
    | Bbwxor|Bbwor|Bbwand ->
        if is_boolean t1 && is_boolean t2 then
          boolean_type,JEbin(e1,op,e2)
        else
          begin
            try
              let t1 = unary_numeric_promotion t1 in
              let _t2 = unary_numeric_promotion t2 in
                JTYbase t1, JEbin(e1, op, e2)
            with Not_found ->
              typing_error loc "booleans or integers expected"
          end
    | Bimpl | Biff -> assert false

and make_unary_op loc op t1 e1 =
  match op with
    | Unot ->
        if is_boolean t1 then
          Tboolean,JEun(op,e1)
        else
          typing_error loc "boolean expected"
    | Ucompl ->
        begin
          try
            match unary_numeric_promotion t1 with
              | Tint -> Tint,JEun(op, e1)
              | _ -> raise Not_found
          with Not_found ->
            typing_error loc "integer type expected for ~"
        end
    | Uminus->
        begin
          try
            let t = unary_numeric_promotion t1 in
            t,JEun(op, e1)
          with Not_found ->
            typing_error loc "numeric type expected for -"
        end
    | Uplus -> assert false

(* dead code
and expr_var loc vi =
  { java_expr_node = JEvar vi;
    java_expr_type = vi.java_var_info_type;
    java_expr_loc = loc }
*)

and expr_of_term t =
  let ty = ref t.java_term_type in
  let n =
    match t.java_term_node with
      | JTvar vi -> JEvar vi
      | JTat _ -> assert false (* TODO *)
      | JTfield_access(t, fi) ->
          JEfield_access(expr_of_term t,fi)
      | JTstatic_field_access(ci, fi) ->
          JEstatic_field_access(ci,fi)
      | JTarray_length(t) ->
          ty := int_type;
          JEarray_length(expr_of_term t)
      | JTarray_access(t1,t2) ->
          JEarray_access(expr_of_term t1, expr_of_term t2)
      | JTarray_range _  -> assert false (* TODO *)
      | JTapp (_, _, _) -> assert false (* TODO *)
      | JTbin (_, _, _, _) -> assert false (* TODO *)
      | JTbin_obj (_, _, _) -> assert false (* TODO *)
      | JTun (_t, _op, _e1) -> assert false (* TODO *)
      | JTlit _ -> assert false (* TODO *)
      | JTcast(ty,t) -> JEcast(ty,expr_of_term t)
      | JTif(t1,t2,t3) ->
          JEif(expr_of_term t1, expr_of_term t2, expr_of_term t3)
  in
  { java_expr_loc = t.java_term_loc;
    java_expr_type = !ty;
    java_expr_node = n ;
  }

(*
  JLS 15.12.2: Compile-Time Step 2: Determine Method signature

  ti is the class or interface to search

*)

and is_accessible_and_applicable_method mi id arg_types =
  mi.method_info_name = id &&
  (* check args number *)
  List.length arg_types = List.length mi.method_info_parameters &&
  (* check args types *)
(
  (*
    eprintf "check applicability of [%a] to [%a]@."
    (Pp.print_list Pp.comma (fun fmt t -> print_type fmt t)) arg_types
    (Pp.print_list Pp.comma (fun fmt (vi,_) -> print_type fmt vi.java_var_info_type)) mi.method_info_parameters;
  *)
  List.for_all2
   (fun vi t ->
      is_method_invocation_convertible t vi.java_var_info_type)
  (List.map fst mi.method_info_parameters) arg_types )

and is_accessible_and_applicable_constructor ci arg_types =
  (* check args number *)
  List.length arg_types = List.length ci.constr_info_parameters &&
  (* check args types *)
  List.for_all2
  (fun vi t ->
     is_method_invocation_convertible t vi.java_var_info_type)
  (List.map fst ci.constr_info_parameters) arg_types

and mci_signature mci =
  let ty, params =
    match mci with
      | MethodInfo mi ->
	  begin match mi.method_info_class_or_interface with
	    | TypeClass ci ->
		JTYclass (true (* i.e. [this] is always non-null *), ci)
	    | TypeInterface ii -> JTYinterface ii
	  end,
	  mi.method_info_parameters
      | ConstructorInfo ci ->
	  JTYclass (true (* i.e. [this] is always non-null *), ci.constr_info_class),
	  ci.constr_info_parameters
  in
    ty :: List.map (fun (vi, _) -> vi.java_var_info_type) params

and compare_signatures acc s1 s2 =
  match s1,s2 with
    | [],[] -> acc
    | [],_ | _,[] -> assert false
    | t1::r1,t2::r2 ->
        if is_identity_convertible t1 t2 then
          compare_signatures acc r1 r2
        else
          if is_method_invocation_convertible t1 t2 then
            (* t1 convertible to t2 *)
            if acc >= 0 then 1 else raise Not_found
          else
            if is_method_invocation_convertible t2 t1 then
              (* t2 convertible to t1 *)
              if acc <= 0 then -1 else raise Not_found
            else raise Not_found

and filter_maximally_specific_signature mci acc =
  match acc with
    | [] -> [mci]
    | mci' :: rem ->
        let s1 = mci_signature mci in
        let s2 = mci_signature mci' in
        try
          let c = compare_signatures 0 s1 s2 in
          if c = 0 then mci :: acc else
            if c > 0 then (* mci more specific than mci' *)
              filter_maximally_specific_signature mci rem
            else (* mci' more specific than mci *)
              acc
        with Not_found -> (* incomparable signatures *)
          mci' :: (filter_maximally_specific_signature mci rem)

and get_maximally_specific_signatures acc mcis =
  match mcis with
    | [] -> acc
    | mci::rem ->
        let acc' = filter_maximally_specific_signature mci acc in
        get_maximally_specific_signatures acc' rem

and lookup_method ti (loc,id) arg_types =
  let rec collect_methods_from_interface acc ii =
    check_if_interface_complete ii;
    let acc =
      List.fold_left
        (fun acc mi ->
           if is_accessible_and_applicable_method mi id arg_types then
             mi::acc
           else acc)
        acc ii.interface_info_methods
    in
    List.fold_left
      collect_methods_from_interface acc ii.interface_info_extends
  in
  let rec collect_methods_from_class acc ci =
    check_if_class_complete ci;
    let acc =
      List.fold_left
        (fun acc mi ->
           if is_accessible_and_applicable_method mi id arg_types then
             mi::acc
           else acc)
        acc ci.class_info_methods
    in
    let acc =
      match ci.class_info_extends with
        | None when ci == !object_class -> acc
        | None -> collect_methods_from_class acc !object_class
        | Some ci -> collect_methods_from_class acc ci
    in
    List.fold_left
      collect_methods_from_interface acc ci.class_info_implements
  in
  let meths =
    match ti with
      | TypeClass ci -> collect_methods_from_class [] ci
      | TypeInterface ii ->
          let acc = collect_methods_from_interface [] ii in
          collect_methods_from_class acc !object_class
  in
  match meths with
    | [] ->
        typing_error loc "Cannot find method @['%a.%s(%a)'@]" print_type_name ti id
          (Pp.print_list Pp.comma print_type) arg_types

    | [mi] -> mi
    | _ ->
(*
        eprintf "possible calls:@.";
        List.iter (fun mi ->
                     eprintf "%a.%s(%a)@."
                       print_type_name mi.method_info_class_or_interface
                       mi.method_info_name
                       (Pp.print_list Pp.comma (fun fmt (vi,_) -> print_type fmt vi.java_var_info_type))
                       mi.method_info_parameters)
          meths;
*)
	let meths = List.map (fun mi -> MethodInfo mi) meths in
        let meths = get_maximally_specific_signatures [] meths in
(*
        eprintf "maximally specific calls:@.";
        List.iter (fun mi ->
                     eprintf "%a.%s(%a)@."
                       print_type_name mi.method_info_class_or_interface
                       mi.method_info_name
                       (Pp.print_list Pp.comma (fun fmt (vi,_) -> print_type fmt vi.java_var_info_type))
                       mi.method_info_parameters)
          meths;
*)
        match meths with
          | [] -> assert false
          | [MethodInfo mi] -> mi
          | _ ->
              typing_error loc "ambiguity in overloading/overriding"

and lookup_constructor loc ci arg_types =
  let collect_constructors_from_class acc ci =
    check_if_class_complete ci;
    List.fold_left
      (fun acc ci ->
         if is_accessible_and_applicable_constructor ci arg_types then
           ci::acc
         else acc)
      acc ci.class_info_constructors
  in
  let constructors = collect_constructors_from_class [] ci in
  match constructors with
    | [] ->
        typing_error loc "Cannot find constructor @['%a(%a)'@]"
	  print_type_name  (TypeClass ci)
          (Pp.print_list Pp.comma print_type) arg_types
    | [ci] -> ci
    | _ ->
	let constrs = List.map (fun ci -> ConstructorInfo ci) constructors in
        let constrs = get_maximally_specific_signatures [] constrs in
        match constrs with
          | [] -> assert false
          | [ConstructorInfo ci] -> ci
          | _ ->
              typing_error loc "ambiguity in overloading/overriding"

and expr ~ghost env e =
  let exprt = expr ~ghost env in
  let ty, te =
    match e.java_pexpr_node with
      | JPElit l ->
          let t, l =
            match l with
              | Integer _s | Char _s -> int_type, l
              | String _s -> logic_string_type, l
              | Bool _b -> boolean_type, l
              | Float(_s,suf) ->
		  begin
		    match suf with
		      | `Single -> float_type,l
		      | `Double | `Real -> double_type, l
		  end
              | Null -> null_type, l
          in t, (JElit l)
      | JPEname n ->
          begin
            match classify_name env.package_env env.type_env env.current_type env.env n with
              | TermName t ->
                  let e = expr_of_term t in
                  e.java_expr_type, e.java_expr_node
              | TypeName _ ->
                  typing_error e.java_pexpr_loc
                    "expression expected, got a class or interface"
              | PackageName _ ->
                  typing_error e.java_pexpr_loc
                    "expression expected, got a package name"
              | LogicTypeName _ ->
                  typing_error e.java_pexpr_loc
                    "expression expected, got a logic type"
          end
      | JPEthis ->
          let vi = get_this e.java_pexpr_loc env.env in
          vi.java_var_info_type, JEvar vi
      | JPEinstanceof (e1, t)->
          let te1 = exprt e1 in
          let ty = type_type env.package_env env.type_env false t in
          if is_reference_type ty &&
            cast_convertible te1.java_expr_type ty then
            boolean_type,JEinstanceof(te1,ty)
          else
            typing_error e.java_pexpr_loc "invalid instanceof"
      | JPEcast (t, e1)->
          let te1 = exprt e1 in
          let ty = type_type env.package_env env.type_env false t in
          if cast_convertible te1.java_expr_type ty then
            ty,JEcast(ty,te1)
          else
            typing_error e.java_pexpr_loc "invalid cast"
      | JPEarray_access (e1, e2)->
          let te1 = exprt e1 and te2 = exprt e2 in
          begin
            match te1.java_expr_type with
              | JTYarray (_, t) ->
                  begin
                    try
                      match
                        unary_numeric_promotion te2.java_expr_type
                      with
                        | Tint -> t, JEarray_access(te1,te2)
                        | _ -> raise Not_found
                    with
                        Not_found ->
                          int_expected e2.java_pexpr_loc te1.java_expr_type
                  end
              | _ ->
                  array_expected e1.java_pexpr_loc te1.java_expr_type
          end
      | JPEnew_array(t,dims) ->
          let ty = type_type env.package_env env.type_env true t in
          let l =
            List.map (fun e ->
                        let te = exprt e in
                        match unary_numeric_promotion te.java_expr_type with
                          | Tint ->
                              te
                          | _ ->
                              int_expected e.java_pexpr_loc te.java_expr_type)
              dims
          in
          JTYarray (true, ty), JEnew_array(ty,l)
      | JPEnew (n, args) ->
          let args = List.map exprt args in
          let arg_types = List.map (fun e -> e.java_expr_type) args in
            begin
            match classify_name env.package_env env.type_env env.current_type env.env n with
              | TypeName (TypeClass ci) ->
(*
                  eprintf "looking up constructor in class %s@." ci.class_info_name;
*)

                  let constr = lookup_constructor (fst (List.hd n))
		    ci arg_types in
                  JTYclass (true, ci), JEnew_object(constr,args)
              | _ ->
                  typing_error (fst (List.hd n))
                    "class type expected"
          end
      | JPEsuper_call (id, el) ->
          (* JLS 15.12 *)
          let ci =
            match env.current_type with
              | Some (TypeClass ci) ->
                  if ci == !object_class then
                    typing_error e.java_pexpr_loc "cannot resolve variable super"
                  else
                    begin
                      match ci.class_info_extends with
                        | None ->
                            typing_error e.java_pexpr_loc
                              "cannot resolve variable super"
                        | Some ci -> TypeClass ci
                    end
              | _ -> typing_error e.java_pexpr_loc "not a class"
          in
          let args = List.map exprt el in
          let arg_types = List.map (fun e -> e.java_expr_type) args in
          begin
            let mi = lookup_method ci id arg_types in
            let ty =
              match mi.method_info_result with
                | None -> unit_type
                | Some vi -> vi.java_var_info_type
            in
              if mi.method_info_is_static then
                ty, JEstatic_call (mi, args)
              else
                let te2 =
                  let vi = get_this e.java_pexpr_loc env.env in
                    {
                      java_expr_node = JEvar vi;
                      java_expr_type = vi.java_var_info_type;
                      java_expr_loc = e.java_pexpr_loc;
                    }
                in
                  ty,JEcall (te2, mi, args)
          end
      | JPEcall_name (qid, labels, args)->
	  assert (labels = []);
          let args = List.map exprt args in
          let arg_types = List.map (fun e -> e.java_expr_type) args in
          let ti,id,te1 =
            match qid with
              | [] -> assert false
              | [id] ->
                  begin
                    match env.current_type with
                      | None -> assert false
                      | Some ti -> ti,id,None
                  end
              | id::n ->
                  begin
                    match
                      classify_name env.package_env env.type_env env.current_type env.env n
                    with
                      | TypeName ti -> ti, id, None
                      | TermName te ->
                          let ti =
                            match te.java_term_type with
                              | JTYclass(_,ci) -> TypeClass ci
                              | JTYinterface ii -> TypeInterface ii
                              | _ -> typing_error e.java_pexpr_loc
                                  "not a class or interface type"
                          in ti,id,Some (expr_of_term te)
                      | PackageName _ | LogicTypeName _ ->
                          typing_error (fst (List.hd n))
                            "expr or class or interface expected"
                  end
          in
(*
          eprintf "looking up method '%s' in class %a @." (snd id) print_type_name ti;
*)
          let mi = lookup_method ti id arg_types in
          let ty =
            match mi.method_info_result with
              | None -> unit_type
              | Some vi -> vi.java_var_info_type
          in
          if mi.method_info_is_static then
            ty,JEstatic_call(mi,args)
          else
            let te2 =
              match te1 with
                | Some e -> e
                | None ->
                    let vi = get_this e.java_pexpr_loc env.env in
                    {
                      java_expr_node = JEvar vi;
                      java_expr_type = vi.java_var_info_type;
                      java_expr_loc = e.java_pexpr_loc;
                    }
            in
              ty,JEcall(te2,mi,args)

      | JPEcall_expr (e1, id, args)->
          let args = List.map exprt args in
          let arg_types = List.map (fun e -> e.java_expr_type) args in
          begin
            let ci,te1 =
              let te = exprt e1 in
              begin
                match te.java_expr_type with
                  | JTYclass(_,ci) -> (TypeClass ci),Some te
                  | JTYinterface(ii) -> (TypeInterface ii),Some te
                  | _ -> typing_error e.java_pexpr_loc
                      "not a class or interface type"
              end
            in
            let mi = lookup_method ci id arg_types in
            let ty =
              match mi.method_info_result with
                | None -> unit_type
                | Some vi -> vi.java_var_info_type
            in
            if mi.method_info_is_static then
              ty,JEstatic_call(mi,args)
            else
              let te2 =
                match te1 with
                  | Some e -> e
                  | None ->
                      let vi = get_this e.java_pexpr_loc env.env in
                      {
                        java_expr_node = JEvar vi;
                        java_expr_type = vi.java_var_info_type;
                        java_expr_loc = e.java_pexpr_loc;
                      }
              in
              ty,JEcall(te2,mi,args)
          end
      | JPEfield_access(Super_access _f) -> assert false (* TODO *)
      | JPEfield_access(Primary_access(e1,(loc,id))) ->
          let te = type_expr_field_access (exprt e1) loc id in
          te.java_expr_type,te.java_expr_node
      | JPEif (e1, e2, e3)->
          let te1 = exprt e1 in
          if is_boolean te1.java_expr_type then
            let te2 = exprt e2 in
            let te3 = exprt e3 in
            (* TODO: check if compatible types *)
            te2.java_expr_type,JEif(te1,te2,te3)
          else
            typing_error e1.java_pexpr_loc "boolean expected"

      | JPEassign_array (e1, e2, op, e3)->
          let te1 = exprt e1
          and te2 = exprt e2
          and te3 = exprt e3
          in
          begin
            match te1.java_expr_type with
              | JTYarray (_, t) ->
                  begin
                    try
                      match unary_numeric_promotion te2.java_expr_type with
                        | Tint ->
                            if op = Beq then
                              if is_assignment_convertible ~ghost env
                                te3.java_expr_type te3 t
                              then
                                t, JEassign_array(te1,te2,te3)
                              else
                                typing_error e3.java_pexpr_loc
                                  "type `%a' expected" print_type t
                            else
                              if cast_convertible te3.java_expr_type t then
                                t, JEassign_array_op(te1,te2,op,te3)
                              else
                                typing_error e.java_pexpr_loc
                                  "type %a expected, got %a"
                                  print_type t
                                  print_type te3.java_expr_type

                        | _ -> raise Not_found
                    with
                        Not_found ->
                          int_expected e2.java_pexpr_loc te2.java_expr_type
                  end
              | _ ->
                  array_expected e1.java_pexpr_loc te1.java_expr_type
          end
      | JPEassign_field (Super_access((_loc,_id)), _op, _e2) ->
          assert false (* TODO *)
      | JPEassign_field (Primary_access(e1,(loc,id)), op, e2)->
          let te2 = exprt e2 in
          begin
            match
              (type_expr_field_access (exprt e1) loc id).java_expr_node
            with
              | JEfield_access(t,fi) ->
                  type_assign_field ~ghost env t fi op te2
              | _ -> assert false
          end
      | JPEassign_name (n, op, e1)->
          begin
            let te = exprt e1 in
            match classify_name env.package_env env.type_env env.current_type env.env n with
                | TermName t ->
                    begin
                      match t.java_term_node with
                        | JTvar vi ->
                            if op = Beq then
                              if is_assignment_convertible ~ghost env te.java_expr_type te
                                vi.java_var_info_type
                              then
                                (vi.java_var_info_type,
                                 JEassign_local_var(vi,te))
                              else
                                typing_error e.java_pexpr_loc
                                  "type %a expected, got %a"
                                  print_type vi.java_var_info_type
                                  print_type te.java_expr_type
                            else
                              if cast_convertible te.java_expr_type
                                vi.java_var_info_type
                              then
                                (vi.java_var_info_type,
                                 JEassign_local_var_op(vi,op,te))
                              else
                                typing_error e.java_pexpr_loc
                                  "type %a expected, got %a"
                                  print_type vi.java_var_info_type
                                  print_type te.java_expr_type
                        | JTfield_access (t, fi) ->
                            type_assign_field ~ghost env (expr_of_term t) fi op te
                        | JTstatic_field_access (_, fi) ->
                            type_assign_static_field ~ghost env fi op te
                        | _ -> assert false (* TODO *)
                    end
                | TypeName _ ->
                    typing_error e.java_pexpr_loc
                      "lvalue expected, got a class or interface"
                | PackageName _ ->
                    typing_error e.java_pexpr_loc
                      "lvalue expected, got a package name"
                | LogicTypeName _ ->
                    typing_error e.java_pexpr_loc
                      "lvalue expected, got a package name"
          end
      | JPEincr (op, e)->
          let te = exprt e in
            begin
              match te.java_expr_node with
                | JEvar vi ->
                    te.java_expr_type, JEincr_local_var (op, vi)
                | JEfield_access (e1, fi) ->
                    fi.java_field_info_type, JEincr_field (op, e1, fi)
                | JEarray_access (e1, e2) ->
                    te.java_expr_type, JEincr_array (op, e1, e2)
                | _ -> assert false (* TODO ? *)
            end
      | JPEun (op, e1)->
          let te1 = exprt e1 in
          let t,e = make_unary_op e.java_pexpr_loc op
                      te1.java_expr_type te1 in
          JTYbase t,e

      | JPEbin (e1, op, e2) ->
          let te1 = exprt e1 and te2 = exprt e2 in
          make_bin_op ~ghost e.java_pexpr_loc op
            te1.java_expr_type te1 te2.java_expr_type te2

              (* only in terms *)
      | JPEarray_range _
      | JPEquantifier (_, _, _)
      | JPEat _
      | JPEold _
      | JPEresult 
      | JPEfresh _ ->
          typing_error e.java_pexpr_loc "not allowed in expressions"

  in { java_expr_loc = e.java_pexpr_loc;
        java_expr_type = ty;
        java_expr_node = te; }

and type_assign_field ~ghost env t fi op te =
  if op = Beq then
    if is_assignment_convertible ~ghost env te.java_expr_type te
      fi.java_field_info_type
    then
      (fi.java_field_info_type, JEassign_field (t, fi, te))
    else
      typing_error te.java_expr_loc
        "type %a expected, got %a"
        print_type fi.java_field_info_type
        print_type te.java_expr_type
  else
    if cast_convertible te.java_expr_type
      fi.java_field_info_type
    then
      (fi.java_field_info_type, JEassign_field_op (t, fi, op, te))
    else
      typing_error te.java_expr_loc
        "type %a expected, got %a"
        print_type fi.java_field_info_type
        print_type te.java_expr_type

and type_assign_static_field ~ghost env fi op te =
  if op = Beq then
    if is_assignment_convertible ~ghost env te.java_expr_type te
      fi.java_field_info_type
    then
      (fi.java_field_info_type, JEassign_static_field (fi, te))
    else
      typing_error te.java_expr_loc
        "type %a expected, got %a"
        print_type fi.java_field_info_type
        print_type te.java_expr_type
  else
    if cast_convertible te.java_expr_type
      fi.java_field_info_type
    then
      (fi.java_field_info_type, JEassign_static_field_op (fi, op, te))
    else
      typing_error te.java_expr_loc
        "type %a expected, got %a"
        print_type fi.java_field_info_type
        print_type te.java_expr_type

and initializer_loc i =
  match i with
    | Simple_initializer e -> e.java_pexpr_loc
    | Array_initializer (x::_) -> initializer_loc x
    | Array_initializer [] -> assert false (* TODO *)

and type_initializer ~ghost env ty i =
  match ty, i with
    | _, Simple_initializer e ->
        let te = expr ~ghost env e in
        begin
	  try
	    if is_assignment_convertible ~const:true ~ghost env te.java_expr_type te ty
            then JIexpr te
            else
              typing_error e.java_pexpr_loc "type %a expected, got %a"
		print_type ty print_type te.java_expr_type
	  with Not_found ->
              typing_error e.java_pexpr_loc "type %a expected, got %a"
		print_type ty print_type te.java_expr_type
	end
    | JTYarray (_, t), Array_initializer vil ->
        let il =
          List.map
            (fun vi -> match vi with
               | Simple_initializer _e -> type_initializer ~ghost env t vi
               | Array_initializer _vil -> assert false (* TODO *))
            vil
        in JIlist il
    | _, Array_initializer _l ->
        typing_error (initializer_loc i) "wrong type for initializer"

and type_field_initializer package_env type_env ci fi =
  let init =
    try
      Hashtbl.find field_prototypes_table fi.java_field_info_tag
    with Not_found -> assert false
  in
  let env =
    { package_env = package_env;
      type_env = type_env;
      current_type = Some ci;
      behavior_names = [];
      label_env = [];
      current_label = None;
      env = [];
    }
  in
  let tinit =
    match init with
      | None -> None
      | Some i ->
(*
	  eprintf "Calling type_initializer for %s@." fi.java_field_info_name;
*)
          let ti =
            type_initializer ~ghost:false env fi.java_field_info_type i
          in
          if fi.java_field_info_is_final then
            begin
              match ti with
                | JIexpr e ->
                    begin
                      try
                        let v = eval_const_expression env false e in
                        Hashtbl.add final_field_values_table
                          fi.java_field_info_tag [v]
                      with Not_found ->
                        (**)
                        Java_options.lprintf
                          "FIXME: cannot evaluate this initializer, %a@."
                          Loc.gen_report_position e.java_expr_loc
                          (**)
                          (*
                            typing_error e.java_expr_loc "cannot evaluate this initializer"
                          *)
                    end
                | JIlist vil ->
                    try
                      let vil = List.map
                        (fun vi -> match vi with
                           | JIexpr e -> eval_const_expression env false e
                           | JIlist _ -> assert false (* TODO *))
                        vil
                      in
                      Hashtbl.add final_field_values_table
                        fi.java_field_info_tag vil
                    with Not_found -> assert false
            end;
          Some ti
  in
  Hashtbl.add field_initializer_table fi.java_field_info_tag tinit


(* statements *)

let location env a = term env a


let label_env_here = ["Here",LabelHere]

let labels_env l =
  let env,l =
    List.fold_right
      (fun (_loc,id) (acc1,acc2) ->
	 let lab = LabelName id in
	 ((id,lab)::acc1,lab::acc2))
      l ([],[])
  in
  match l with
    | [lab] -> env,Some lab,l
    | _ -> env,None,l

let add_Pre_Here e =
  { e with
      label_env = ("Pre",LabelPre)::("Here",LabelHere)::e.label_env;
      current_label = Some LabelHere;
  }

let add_Old e =
  { e with
      label_env = ("Pre",LabelOld)::("Old",LabelOld)::e.label_env;
  }

let behavior env pre_state_env post_state_env (id, b) =
  let throws, ensures_env =
    match b.java_pbehavior_throws with
      | None -> None,post_state_env
      | Some (c, None) ->
          (* if [current_type] is an imported type, [c] may not be in [type_env]
             so we need to add the package env of current type in [package_env]
             - Nicolas R. *)
          let package_env =
            match env.current_type with
              | None -> assert false
              | Some (TypeClass ci) ->
                  let p =
                    List.filter
                      (fun p -> not (List.mem p env.package_env))
                      ci.class_info_package_env in
                    p @ env.package_env
              | Some (TypeInterface ii) ->
                  let p =
                    List.filter
                      (fun p -> not (List.mem p env.package_env))
                      ii.interface_info_package_env in
                    p @ env.package_env
          in
          begin
            match classify_name package_env env.type_env env.current_type pre_state_env c with
              | TypeName (TypeClass ci) ->
                  check_if_class_complete ci;
                  assert (ci.class_info_is_exception);
                  (Some ci),post_state_env
              | TypeName (TypeInterface _ci) ->
                  typing_error (fst (List.hd c))
                    "class type expected, not an interface"
              | TermName _ ->
                  typing_error (fst (List.hd c))
                    "class type expected"
              | PackageName _ | LogicTypeName _ ->
                  typing_error (fst (List.hd c))
                    "class type expected"
          end
      | Some (_c, Some _id) ->
          assert false (* TODO *)
  in
  (id,
   Option_misc.map (assertion { env with env = pre_state_env}) b.java_pbehavior_assumes,
   throws,
   (* Note: the `assigns' clause is typed in post-state environnement because \result is available, but where the default label is in Pre
      TODO: we should add a Post label
   *)
   Option_misc.map
     (fun (loc,l) ->
        (loc,List.map (location ((*add_Post*) { env with env = ensures_env })) l))
     b.java_pbehavior_assigns,
   Option_misc.map
     (fun (loc,l) ->
        (loc,List.map (location ((*add_Post*) { env with env = ensures_env })) l))
     b.java_pbehavior_allocates,
   assertion (add_Old {env with env = ensures_env})
     b.java_pbehavior_ensures)



let variable_declaration ~ghost env vd =
  let is_nullable = List.mem Nullable vd.variable_modifiers in
  let non_null = !Java_options.nonnull_sem = NonNullAllLocal && not is_nullable in
  let ty = type_type env.package_env env.type_env non_null vd.variable_type in
  let l =
    List.map
      (fun vd ->
         let ty',id = var_type_and_id false ty vd.variable_id in
         match vd.variable_initializer with
           | None -> (id,ty',None)
           | Some e ->
               let i = type_initializer ~ghost env ty' e in
               (id,ty',Some i))
      vd.variable_decls
  in
  List.fold_right
      (fun ((loc,id),ty,i) (env,decls)->
         let vi = new_var loc ty id in
         (id,vi)::env,(vi,i)::decls)
      l (env.env,[])

let dummy_loop_annot = (expr_true,[],None)

let rec statement env s =
  let exprt = expr ~ghost:false env in
  let statementt = statement env in
  let s' =
    match s.java_pstatement_node with
      | JPSskip -> JSskip
      | JPSif (e, s1, s2) ->
          let te = exprt e in
          let ts1 = statementt s1 in
          let ts2 = statementt s2 in
          if is_boolean te.java_expr_type then
            JSif(te,ts1,ts2)
          else
            typing_error e.java_pexpr_loc "boolean expected"
      | JPSloop_annot (_inv, _beh_invs, _dec) -> assert false
      | JPSannot (_, _)-> assert false (* should not happen *)
      | JPSghost_local_decls _d -> assert false (* TODO *)
      | JPSghost_statement e ->
          let te = expr ~ghost:true env e in JSexpr te
      | JPSexpr e ->
          let te = exprt e in JSexpr te
      | JPSassert(forid,id,a) ->
          let ta = assertion (add_Pre_Here env) a in
          JSassert(Option_misc.map snd forid,Option_misc.map snd id,ta)
      | JPSstatement_spec(_requires,_decreases,_behaviors) ->
          typing_error s.java_pstatement_loc
            "statement spec should appear before a statement"
      | JPSsynchronized (_, _)-> assert false (* TODO *)
      | JPSblock l -> (block env l).java_statement_node
      | JPSswitch (e, l)->
          let te = exprt e in
          (* JSL, p289: switch expr must be char, byte, short or int *)
          begin
            try
              let t = unary_numeric_promotion te.java_expr_type in
              JSswitch(te,List.map (switch_case env t) l)
            with Not_found ->
              typing_error e.java_pexpr_loc "char, byte, short or int expected"
          end
      | JPStry (s, catches, finally)->
          let ts = statements env s in
          let tl =
            List.map
              (fun (p,s) ->
                 let vi, _ = type_param env.package_env env.type_env p in
                 match vi.java_var_info_type with
                   | JTYclass(_,ci) when
                       (check_if_class_complete ci;
                        ci.class_info_is_exception) ->
                       let e = (vi.java_var_info_name,vi)::env.env in
                       (vi,statements {env with env = e } s)
                   | _ ->
                       typing_error vi.java_var_info_decl_loc
                         "throwable class expected")
              catches
          in
          JStry(ts, tl,
                Option_misc.map (statements env) finally)
      | JPSfor_decl _ -> assert false
      | JPSfor _ -> assert false
      | JPSdo (_, _)-> assert false (* TODO *)
      | JPSwhile _ -> assert false
      | JPSlabel ((_loc,id), s)->
	  JSlabel(id, statement
		    {env with label_env = (id, LabelName id)::env.label_env} s)
      | JPSbreak l -> JSbreak (Option_misc.map snd l)
      | JPScontinue l -> JScontinue (Option_misc.map snd l)
      | JPSreturn None ->
          begin
            try
              let _vi = List.assoc "\\result" env.env in
              typing_error s.java_pstatement_loc "missing return value"
            with
                Not_found ->
                  JSreturn_void
          end

      | JPSreturn (Some e) ->
          begin
            try
              let te = exprt e in
              let vi = List.assoc "\\result" env.env in
              if is_assignment_convertible ~ghost:false env
		te.java_expr_type te vi.java_var_info_type then
                  JSreturn te
              else
                typing_error e.java_pexpr_loc "type %a expected, got %a"
                  print_type vi.java_var_info_type print_type te.java_expr_type
            with
                Not_found ->
                  typing_error e.java_pexpr_loc "no result expected"
          end
      | JPSthrow e ->
          let te = exprt e in
          JSthrow te
      | JPSvar_decl _-> assert false (* TODO *)

  in
  { java_statement_loc = s.java_pstatement_loc ;
    java_statement_node = s' }

and local_decl ~ghost env loc vd rem =
  let e, decls = variable_declaration ~ghost env vd in
  let r = block { env with env = e } rem in
  let s =
    List.fold_right
      (fun (vi, i) acc ->
         { java_statement_loc = loc ;
           java_statement_node =
             JSvar_decl(vi,i,acc); })
      decls r in
    [s]


and statements env b =
  match b with
    | [] -> []
    | s :: rem ->
        match s.java_pstatement_node with
          | JPSskip -> statements env rem
          | JPSghost_local_decls vd ->
              local_decl ~ghost:true env s.java_pstatement_loc vd rem
          | JPSvar_decl vd ->
              local_decl ~ghost:false env s.java_pstatement_loc vd rem
	  | JPSlabel ((_loc,id), s)->
	      [{ java_statement_node =
		  JSlabel(id, block
			    {env with label_env =
				(id, LabelName id)::env.label_env}
			    (s :: rem)) ;
		java_statement_loc = s.java_pstatement_loc }]
          | JPSloop_annot (inv,behs_inv,dec) ->
	      let annot = (inv,behs_inv,dec) in
              begin
                match rem with
                  | { java_pstatement_node = JPSdo (s, e);
                      java_pstatement_loc = _loc } :: rem ->
                      let tdo =
                        type_do env s.java_pstatement_loc annot s e
                      in
                        tdo :: statements env rem
                  | { java_pstatement_node = JPSwhile(e,s) ;
                      java_pstatement_loc = _loc } :: rem ->
                      let twhile =
                        type_while env s.java_pstatement_loc annot e s
                      in
                        twhile :: statements env rem
                  | { java_pstatement_node = JPSfor (el1, e, el2, s);
                      java_pstatement_loc = loc } :: rem ->
                      let tfor =
                        type_for env loc el1 annot e el2 s
                      in
                        tfor :: statements env rem
                  | { java_pstatement_node = JPSfor_decl(vd,e,sl,s) ;
                      java_pstatement_loc = loc } :: rem ->
                      let tfor =
                        type_for_decl env loc vd annot e sl s
                      in
                        tfor :: statements env rem
                  | _ -> assert false
              end
          | JPSfor (el1, e, el2, s) ->
              let tfor =
                type_for env
                  s.java_pstatement_loc el1 dummy_loop_annot e el2 s
              in
                tfor :: statements env rem
          | JPSfor_decl(vd,e,sl,s) ->
              let tfor =
                type_for_decl env
                  s.java_pstatement_loc vd dummy_loop_annot e sl s
              in
                tfor :: statements env rem
          | JPSdo (s, e) ->
              let tdo =
                type_do env
                  s.java_pstatement_loc dummy_loop_annot s e
              in
                tdo :: statements env rem
          | JPSwhile(e,s) ->
              let twhile =
                type_while env
                  s.java_pstatement_loc dummy_loop_annot e s
              in
                twhile :: statements env rem
          | JPSstatement_spec(requires,decreases,behaviors) ->
              let req =
                Option_misc.map
		  (assertion { env  with current_label = Some LabelHere})
		  requires
              in
              let decreases = type_variant { env with current_label = Some LabelHere } decreases
              in
              let behs = List.map (behavior env env.env env.env) behaviors in
              begin
                match rem with
                  | [] ->
                      typing_error s.java_pstatement_loc
                        "statement spec should appear before a statement"
                  | stat :: rem ->
                      { java_statement_loc =  s.java_pstatement_loc;
			java_statement_node =
			  JSstatement_spec(req,decreases,behs,
					   statement env stat)
		      } :: statements env rem
              end
          | _ ->
              let s' = statement env s in
                s' :: statements env rem

and type_variant env v =
  Option_misc.map
    (fun (t,r) ->
       let t =
         term env t
       in
       match r with
         | None -> (t,None)
         | Some(loc,id) ->
             (try
                let fi = Hashtbl.find logics_env id in
                (t,Some fi)
              with Not_found ->
                typing_error loc "relation `%s' not found" id)
    )
    v



and type_loop_annot env (inv,behs_inv,dec) =
  let inv = assertion (add_Pre_Here env) inv in
  let l = List.map
    (fun ((loc,id),a) ->
       let bid =
	 try
	   List.assoc id env.behavior_names
	 with Not_found ->
	   typing_error loc "undeclared behavior"
       in
       (bid,assertion (add_Pre_Here env) a))
    behs_inv
  in
  let dec = type_variant (add_Pre_Here env) dec in
  { loop_inv = inv;
    behs_loop_inv = l;
    loop_var = dec;
  }

and type_for env loc el1 annot e el2 s =
  let el1 = List.map (expr ~ghost:false env) el1 in
  let a = type_loop_annot env annot in
  let e = expr ~ghost:false env e in
  let el2 = List.map (expr ~ghost:false env) el2 in
  let s = statement env s in
    { java_statement_node = JSfor (el1, e, a, el2, s);
      java_statement_loc = loc }

and type_for_decl env loc vd annot e sl s =
  let env',decls = variable_declaration ~ghost:false env vd in
  let env = { env with env = env'} in
  let a = type_loop_annot env annot in
  let e = expr ~ghost:false env e in
  let sl = List.map (expr ~ghost:false env) sl in
  let s = statement env s in
  { java_statement_node = JSfor_decl(decls,e,a,sl,s);
    java_statement_loc = loc }

and type_do env loc annot s e =
  let a = type_loop_annot env annot in
  let s = statement env s in
  let e = expr ~ghost:false env e in
    { java_statement_node = JSdo (s, a, e);
      java_statement_loc = loc }

and type_while env loc annot e s =
  let a = type_loop_annot env annot in
  let e = expr ~ghost:false env e in
  let s = statement env s in
  { java_statement_node = JSwhile(e,a,s);
    java_statement_loc = loc }

and block env b =
  match statements env b with
    | [] -> { java_statement_loc = Loc.dummy_position ;
              java_statement_node = JSskip }
    | [s] -> s
    | (s::_) as l ->
        { java_statement_loc = s.java_statement_loc ;
          java_statement_node = JSblock l }

and switch_case env t (labels,b) =
  (List.map (switch_label env t) labels,
   statements env b)

and switch_label env t = function
  | Default -> Default
  | Case e ->
      let te = expr ~ghost:false env e in
      match te.java_expr_type with
        | JTYbase _ as t' when is_assignment_convertible ~ghost:false env t' te (JTYbase t) ->
	  Case te
        | _ ->
             typing_error e.java_pexpr_loc "type `%s' expected, got `%a'"
                (string_of_base_type t) print_type te.java_expr_type

(* methods *)



(* methods *)

type method_table_info =
    { mt_method_info : Java_env.method_info;
      mt_requires : Java_tast.assertion option;
      mt_decreases : (Java_tast.term * Java_env.java_logic_info option) option;
      mt_behaviors : Java_tast.behavior list ;
      mt_body : Java_tast.block option;
    }



let methods_table = Hashtbl.create 97


let type_method_spec_and_body ?(dobody=true) package_env ti mi =
  let type_env =
    match ti with
      | TypeInterface ii ->
          check_if_interface_complete ii;
          (try Hashtbl.find interface_type_env_table ii.interface_info_tag
           with Not_found -> assert false)
      | TypeClass ci ->
          check_if_class_complete ci;
          (try Hashtbl.find class_type_env_table ci.class_info_tag
           with Not_found -> assert false)
  in
  try
    let _ = Hashtbl.find methods_table mi.method_info_tag in ()
  with Not_found ->
    let (_,req,decreases,behs,body) =
      try
        Hashtbl.find methods_env mi.method_info_tag
      with Not_found -> assert false
    in
    let local_env =
      if mi.method_info_is_static then [] else
        let this_type =
          match ti with
            | TypeClass ci -> JTYclass (true, ci) (* i.e. [this] is always non-null *)
            | TypeInterface ii -> JTYinterface ii
        in
        let vi = new_var Loc.dummy_position this_type "this" in
          mi.method_info_has_this <- Some vi;
          [("this",vi)]
    in
    let local_env =
      List.fold_left
        (fun acc vi ->
           (vi.java_var_info_name,vi)::acc)
        local_env (List.map fst mi.method_info_parameters)
    in
    let env = { package_env = package_env ;
                type_env = type_env;
                current_type = (Some ti);
                behavior_names = [];
		label_env = label_env_here;
		current_label = Some LabelHere;
                env = local_env }
    in
    let req = Option_misc.map (assertion env) req in
    let decreases = type_variant env decreases in
    let env_result =
      match mi.method_info_result with
        | None -> local_env
        | Some vi -> (vi.java_var_info_name,vi)::local_env
    in
    let behs = List.map (behavior env local_env env_result) behs in
    let env =
      { env with
	  behavior_names =
	  List.map (fun (id,_,_,_,_,_) -> snd id,id) behs }
    in
    let body =
      if dobody then
        Option_misc.map (statements { env with env = env_result}) body
      else None
    in
    Hashtbl.add methods_table mi.method_info_tag
      { mt_method_info = mi;
        mt_requires = req;
        mt_decreases = decreases;
        mt_behaviors = behs;
        mt_body = body }


type constructor_table_info =
    { ct_constr_info : Java_env.constructor_info;
      ct_requires : Java_tast.assertion option;
      ct_decreases : (Java_tast.term * Java_env.java_logic_info option) option;
      ct_behaviors : (Java_ast.identifier *
                        Java_tast.assertion option *
                        Java_env.java_class_info option *
                        (Loc.position * Java_tast.term list) option *
                        (Loc.position * Java_tast.term list) option *
                        Java_tast.assertion) list ;
      ct_body : Java_tast.block;
    }

let constructors_table = Hashtbl.create 97

let type_constr_spec_and_body ?(dobody=true) package_env current_type ci =
  try
    let _ = Hashtbl.find constructors_table ci.constr_info_tag in ()
  with Not_found ->
  let type_env =
    match current_type with
      | TypeInterface ii ->
          check_if_interface_complete ii;
          (try Hashtbl.find interface_type_env_table ii.interface_info_tag
           with Not_found -> assert false)
      | TypeClass ci ->
          check_if_class_complete ci;
          (try Hashtbl.find class_type_env_table ci.class_info_tag
           with Not_found -> assert false)
  in
  let (_,req,decreases,behs,eci,body) =
    try
      Hashtbl.find constructors_env ci.constr_info_tag
    with Not_found -> assert false
  in
  let local_env =
    List.fold_left
      (fun acc (vi, _) ->
         (vi.java_var_info_name,vi)::acc)
      [] ci.constr_info_parameters
  in
  let this_type =
    match current_type with
      | TypeClass ci -> JTYclass (true, ci) (* i.e. this is always non-null *)
      | TypeInterface ii -> JTYinterface ii
  in
  let this_vi = new_var Loc.dummy_position this_type "this" in
  let this_env =
    ci.constr_info_this <- Some this_vi;
    ("this", this_vi)::local_env
  in
(*
  let spec_env =
    (* spec is typed in a env that contains "this" but it will be
       renamed to "\\result" NO: TODO *)
    let vi = new_var this_type "this" (* "\\result" *) in
      ci.constr_info_result <- Some vi;
      ("this",vi)::local_env
  in
*)
  let env = { package_env = package_env ;
              type_env = type_env;
              current_type = (Some current_type);
	      behavior_names = [];
              label_env = label_env_here;
	      current_label = Some LabelHere;
              env = this_env }
  in
  let req =
    Option_misc.map
      (assertion { env with env = local_env }) req
  in
  let decreases = type_variant { env with env = local_env } decreases in
  let behs = List.map (behavior env local_env this_env) behs in
  if dobody then
    let env =
      { env with
	  behavior_names =
	  List.map (fun (id,_,_,_,_,_) -> snd id,id) behs }
    in
    match eci with
      | Invoke_none ->
          let body = statements { env with env = this_env } body in
          Hashtbl.add constructors_table ci.constr_info_tag
            { ct_constr_info = ci;
              ct_requires = req;
              ct_decreases = decreases;
              ct_behaviors = behs;
              ct_body = body }
      | Invoke_this el ->
          let tel = List.map (expr ~ghost:false env) el in
          let arg_types = List.map (fun te -> te.java_expr_type) tel in
          let this_ci = lookup_constructor Loc.dummy_position ci.constr_info_class arg_types in
          let this_call_s =
            make_statement_no_loc
              (JSexpr (
                 make_expr_no_loc unit_type
                   (JEconstr_call
                      (make_expr_no_loc
                         this_vi.java_var_info_type
                         (JEvar this_vi),
                       this_ci, tel))))
          in
          let body = statements env body in
          Hashtbl.add constructors_table ci.constr_info_tag
            { ct_constr_info = ci;
              ct_requires = req;
              ct_decreases = decreases;
              ct_behaviors = behs;
              ct_body = this_call_s :: body }
      | Invoke_super el ->
          let tel = List.map (expr ~ghost:false env) el in
          let super_class_info =
            match ci.constr_info_class.class_info_extends with
              | None -> assert false
              | Some ci -> ci
          in
          let arg_types = List.map (fun te -> te.java_expr_type) tel in
          let super_ci = lookup_constructor Loc.dummy_position super_class_info arg_types in
          let super_call_s =
            make_statement_no_loc
              (JSexpr (
                 make_expr_no_loc unit_type
                   (JEconstr_call
                      (make_expr_no_loc
                         (JTYclass (true (* [this] is always non null *), super_class_info))
                         (JEvar this_vi),
                       super_ci, tel))))
          in
          let body = statements env body in
          Hashtbl.add constructors_table ci.constr_info_tag
            { ct_constr_info = ci;
              ct_requires = req;
              ct_decreases = decreases;
              ct_behaviors = behs;
              ct_body = super_call_s :: body }
  else
    Hashtbl.add constructors_table ci.constr_info_tag
      { ct_constr_info = ci;
        ct_requires = req;
        ct_decreases = decreases;
        ct_behaviors = behs;
        ct_body = [] }

module G = Imperative.Digraph.Concrete(
  struct
    type t = java_field_info
    let compare fi1 fi2 =
      compare fi1.java_field_info_tag fi2.java_field_info_tag
    let hash fi = fi.java_field_info_tag
    let equal fi1 fi2 = fi1.java_field_info_tag = fi2.java_field_info_tag
  end)

module T = Topological.Make(G)

let rec compute_dependencies_expr env g fi e =
  match e.java_expr_node with
    | JEstatic_field_access (_, fi') | JEfield_access (_, fi') ->
	let v1 = G.V.create fi' in
	let v2 = G.V.create fi in
	  G.add_edge g v1 v2
    | JEun (_, e) | JEcast (_, e) ->
	compute_dependencies_expr env g fi e
    | JEbin (e1, _, e2) ->
	compute_dependencies_expr env g fi e1;
	compute_dependencies_expr env g fi e2
    | JEif (e1, e2, e3) ->
	compute_dependencies_expr env g fi e1;
	compute_dependencies_expr env g fi e2;
	compute_dependencies_expr env g fi e3
    | JElit _ -> ()
    | JEvar _ | JEincr_local_var _ | JEincr_field _
    | JEincr_array _ | JEassign_local_var _ | JEassign_local_var_op _
    | JEassign_field _ | JEassign_field_op _ | JEassign_static_field _
    | JEassign_static_field_op _ | JEassign_array _| JEassign_array_op _
    | JEcall _ | JEconstr_call _ | JEstatic_call _
    | JEnew_object _ | JEnew_array _ | JEinstanceof _ ->
	() (* assert false (* should never happen -> it happens ! *) *)
    | JEarray_length _ | JEarray_access _ -> assert false (* TODO *)

and compute_dependencies_vi env g fi vi =
  match vi with
    | Simple_initializer e ->
(*
	eprintf "Calling expr in type_env:@\n";
        List.iter
          (fun (id,_) -> eprintf "  %s@\n" id)
          env.type_env;
*)
	let te = expr ~ghost:false env e in
(*
	eprintf "Return from expr@.";
*)
	compute_dependencies_expr env g fi te
    | Array_initializer vil ->
	List.iter (compute_dependencies_vi env g fi) vil

and compute_dependencies env g fi =
  let vio =
    try Hashtbl.find field_prototypes_table fi.java_field_info_tag
    with Not_found -> assert false
  in
  let vi = match vio with
    | None -> assert false (* should never happen *)
    | Some vi -> vi
  in
  let v = G.V.create fi in
    G.add_vertex g v;
    compute_dependencies_vi env g fi vi

let type_final_fields package_env type_env ti fields =
(*
  eprintf "type_final_fields in type_env:@\n";
  List.iter
    (fun (id,_) -> eprintf "  %s@\n" id)
    type_env;
*)
  let g = G.create () in
  let env = {
    package_env = package_env;
    type_env = type_env;
    current_type = Some ti;
    behavior_names = [];
    label_env = [];
    current_label = None;
    env = [];
  }
  in
(*
  eprintf "type_final_fields: start iter@.";
*)
  List.iter (compute_dependencies env g) fields;
(*
  eprintf "type_final_fields: end iter@.";
*)
  List.rev
    (T.fold
       (fun t acc ->
	  let fi = G.V.label t in
(*
	  eprintf "Calling type_field_initializer for %s@."
	    fi.java_field_info_name;
*)
	  type_field_initializer package_env type_env
	    fi.java_field_info_class_or_interface fi;
	  fi :: acc)
       g [])

let rec type_decl_aux ~in_axiomatic package_env type_env acc d =
  match d with
    | JPTclass c ->
	assert (not in_axiomatic);
        (*
          class_modifiers : modifiers;
          class_name : identifier;
          class_extends : qualified_ident option;
          class_implements : qualified_ident list;
          class_fields : field_declaration list
        *)
        begin
          let ty =
            try
              List.assoc (snd c.class_name) type_env
            with
                Not_found ->
                  eprintf "Java_typing anomaly: class '%s' not found in type_env@."
                    (snd c.class_name);
                  List.iter
                    (fun (id,_) -> eprintf "  '%s'@\n" id)
                    type_env;
                  assert false
          in
          match ty with
            | TypeInterface _ -> assert false
            | TypeClass ci as ti ->
                check_if_class_complete ci;
                let type_env =
                  try Hashtbl.find class_type_env_table ci.class_info_tag
                  with Not_found -> assert false
                in
		let non_final_fields, final_fields =
		  List.partition
		    (fun fi -> not fi.java_field_info_is_final)
		    ci.class_info_fields
		in

		let final_fields =
(*
		  Format.eprintf "Call(1) type_final_fields@.";
*)
		  let x =
		    type_final_fields package_env type_env ti final_fields
		  in
(*
		  Format.eprintf "Return(1) type_final_fields@.";
*)
		  x
		in
		ci.class_info_final_fields <- final_fields;
                List.iter (type_field_initializer package_env type_env ti)
                  non_final_fields;
                List.iter (type_method_spec_and_body package_env ti)
                  ci.class_info_methods;
                List.iter (type_constr_spec_and_body package_env ti)
                  ci.class_info_constructors;
		acc
        end
    | JPTinterface i ->
	assert (not in_axiomatic);
        begin
          let ty =
            try
              List.assoc (snd i.interface_name) type_env
            with
                Not_found ->
                  eprintf "Java_typing anomaly: interface '%s' not found in type_env@."
                    (snd i.interface_name);
                  List.iter
                    (fun (id,_) -> eprintf "  '%s'@\n" id)
                    type_env;
                  assert false
          in
          match ty with
            | TypeClass _ -> assert false
            | TypeInterface ii as ti ->
                check_if_interface_complete ii;
                let type_env =
                  try Hashtbl.find interface_type_env_table ii.interface_info_tag
                  with Not_found -> assert false
                in
		let fields =
		  type_final_fields package_env type_env ti ii.interface_info_fields
		in
		  ii.interface_info_final_fields <- fields;
                  List.iter (type_method_spec_and_body package_env ti)
                    ii.interface_info_methods;
		  acc
        end
    | JPTannot(_loc,_s) -> assert false
    | JPTlemma((loc,id),is_axiom, labels,e) ->
	let labels_env,current_label,tlabels = labels_env labels in
        let env =
          { package_env = package_env;
            type_env = type_env;
            current_type = None;
            behavior_names = [];
	    label_env = labels_env;
	    current_label = current_label;
            env = [];
          }
        in
        let te = assertion env e in
	if in_axiomatic then
	  Aaxiom(id,is_axiom,tlabels,te)::acc
	else
	  begin
	    if is_axiom then
	      typing_error loc "axioms not allowed outside axiomatics";
	    Hashtbl.add lemmas_table id (loc,tlabels,te);
	    acc
	  end
    | JPTlogic_type_decl (loc,id) ->
	if in_axiomatic then
	  Atype id :: acc
	else
	  begin
	    typing_error loc "logic types not allowed outside axiomatics";
	  end

    | JPTlogic_reads ((loc, id), ret_type, labels, params, reads) ->
	if not in_axiomatic then
	  typing_error loc "logics without def not allowed outside axiomatics";
	let labels_env,current_label,tlabels = labels_env labels in
        let pl = List.map (fun p -> fst (type_param package_env type_env p)) params in
        let env =
          List.fold_left
            (fun acc vi ->
               (vi.java_var_info_name,vi)::acc)
            [] pl
        in
        let env =
          { package_env = package_env;
            type_env = type_env;
            current_type = None;
            behavior_names = [];
	    label_env = labels_env;
	    current_label = current_label;
            env = env;
          }
        in
	let fi =
	  match ret_type with
            | None -> logic_info id None tlabels pl
	    | Some ty ->
		logic_info id
                  (Some (type_type package_env type_env false ty))
                  tlabels pl
	in
        Hashtbl.add logics_env id fi;
	Java_options.lprintf "Adding logic function '%s' in the logic environment@." id;
        let body = match reads with
          | Some r -> `Reads (List.map (location env) r)
          | None -> `None
        in
	Adecl(fi,body)::acc

    | JPTlogic_def ((_loc, id), ret_type, labels, params, body) ->
	let labels_env,current_label,tlabels = labels_env labels in
        let pl = List.map (fun p -> fst (type_param package_env type_env p)) params in
        let env =
          List.fold_left
            (fun acc vi ->
               (vi.java_var_info_name,vi)::acc)
            [] pl
        in
        let env =
          { package_env = package_env;
            type_env = type_env;
            current_type = None;
            behavior_names = [];
	    label_env = labels_env;
	    current_label = current_label;
            env = env;
          }
        in
	begin
          match ret_type with
            | None ->
		let fi = logic_info id None tlabels pl in
		let a = assertion env body in
		Hashtbl.add logics_env id fi;
		if in_axiomatic then
		  Adecl(fi,`Assertion a)::acc
		else
		  begin
		    Hashtbl.add logic_defs_table fi.java_logic_info_tag
		      (fi,`Assertion a);
		    acc
		  end
	    | Some ty ->
                let fi =
		  logic_info id
                  (Some (type_type package_env type_env false ty)) tlabels pl
		in
                let t = term env body in
                Hashtbl.add logics_env id fi;
		if in_axiomatic then
		  Adecl(fi,`Term t)::acc
		else
		  begin
		    Hashtbl.add logic_defs_table fi.java_logic_info_tag
		      (fi,`Term t);
		    acc
		  end
        end
    | JPTinductive((_loc, id), labels, params, body) ->
	let _labels_env,_current_label,tlabels = labels_env labels in
        let pl =
	  List.map (fun p -> fst (type_param package_env type_env p)) params
	in
        let env =
          List.fold_left
            (fun acc vi ->
               (vi.java_var_info_name,vi)::acc)
            [] pl
        in
        let env =
          { package_env = package_env;
            type_env = type_env;
            current_type = None;
            behavior_names = [];
	    label_env = [];
	    current_label = None;
            env = env;
          }
        in
	let fi = logic_info id None tlabels pl in
	(* adding fi in env before typing indcases *)
        Hashtbl.add logics_env id fi;
	let l = List.map
	  (fun (id,labels,e) ->
	     let labels_env,current_label,tlabels = labels_env labels in
	     let env = { env with
			   label_env = labels_env;
			   current_label = current_label;
		       }
	     in
	     let a = assertion env e in
	     (id,tlabels,a))
	  body
	in
	if in_axiomatic then
	  Adecl(fi,`Inductive l)::acc
	else
          begin
	    Hashtbl.add logic_defs_table fi.java_logic_info_tag
	      (fi,`Inductive l);
	    acc;
	  end
    | JPTaxiomatic((loc,id),l) ->
	if in_axiomatic then
	  typing_error loc "nested axiomatics not allowed";
	let l = List.fold_left
	  (type_decl_aux ~in_axiomatic:true package_env type_env) [] l
	in
	Hashtbl.add axiomatics_table id l;
	acc
    | JPTimport(PolyTheoryId(id_list,_params)) ->
        let loc = fst (List.hd id_list) in
	if in_axiomatic then
	  typing_error loc "import not allowed in axiomatics";


        let qid = Java_pervasives.qualified_ident2string id_list "." in
	let body =
	  try
	    Hashtbl.find import_spec_table qid
	  with Not_found -> assert false
	in
	let l = List.fold_left
	  (type_decl_aux ~in_axiomatic:true package_env type_env) [] body
	in
        let id = snd (List.hd id_list) in
	Hashtbl.add axiomatics_table id l;
	acc


let type_decl package_env type_env d =
  ignore (type_decl_aux ~in_axiomatic:false package_env type_env [] d)

let get_bodies package_env type_env cu =
  List.iter (type_decl package_env type_env) cu.cu_type_decls

let type_specs package_env _type_env =
  Hashtbl.iter
    (fun _ ti ->
       match ti with
	 | TypeClass ci ->
	     let final_fields =
	       List.filter
		 (fun fi -> fi.java_field_info_is_final &&
		    not (List.mem fi ci.class_info_final_fields))
		 ci.class_info_fields
	     in
             let type_env =
               try Hashtbl.find class_type_env_table ci.class_info_tag
               with Not_found -> assert false
             in
	     let final_fields =
(*
	       Format.eprintf "Call(2) type_final_fields for %s@." ci.class_info_name;
*)
	       let x = type_final_fields package_env type_env ti final_fields
	       in
(*
	       Format.eprintf "Return(2) type_final_fields@.";
*)
	       x
	     in
	       ci.class_info_final_fields <-
		 final_fields @ ci.class_info_final_fields
	 | TypeInterface ii ->
	     let final_fields =
	       List.filter
		 (fun fi -> not (List.mem fi ii.interface_info_final_fields))
		 ii.interface_info_fields
	     in
             let type_env =
               try Hashtbl.find interface_type_env_table ii.interface_info_tag
               with Not_found -> assert false
             in
	     let final_fields =
	       type_final_fields package_env type_env ti final_fields
	     in
	       ii.interface_info_final_fields <-
		 final_fields @ ii.interface_info_final_fields)
    type_table;
  Hashtbl.iter
    (fun tag (current_type, env, vi, invs) ->
       match current_type with
         | TypeClass ci ->
             let type_env =
               try Hashtbl.find class_type_env_table ci.class_info_tag
               with Not_found -> assert false
             in
             let env =
               { package_env = package_env;
                 type_env = type_env;
                 current_type = (Some current_type);
               	 behavior_names = [];
		 label_env = label_env_here;
		 current_label = Some LabelHere;
                 env = env;
               }
             in
             Hashtbl.add invariants_table tag
               (ci, vi, List.map
                  (fun (id, e) ->
                     (id, assertion env e))
                  invs)
         | _ -> assert false)
    invariants_env;
  Hashtbl.iter
    (fun tag (current_type, invs) ->
       match current_type with
         | TypeClass ci ->
             let type_env =
               try Hashtbl.find class_type_env_table ci.class_info_tag
               with Not_found -> assert false
             in
	     let env =
               { package_env = package_env;
		 type_env = type_env;
		 current_type = (Some current_type);
		 behavior_names = [];
		 label_env = [];
		 current_label = None;
		 env = [];
               }
	     in
	     Hashtbl.add static_invariants_table tag
               (List.map
		  (fun (s, e) -> s, assertion env e)
		  invs)
	 | _ -> assert false)
    static_invariants_env;
  Hashtbl.iter
    (fun _ (mi, _, _, _,_)  ->
       type_method_spec_and_body ~dobody:false
         package_env mi.method_info_class_or_interface mi)
    methods_env;
  Hashtbl.iter
    (fun _ (ci, _, _, _, _, _)  ->
       type_constr_spec_and_body ~dobody:false
         package_env (TypeClass ci.constr_info_class) ci)
    constructors_env


(*
Local Variables:
compile-command: "make -C .. bin/krakatoa.byte"
End:
*)
why-2.39/java/java_abstract.ml0000644000106100004300000002561713147234006015323 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

open Format
open Pp
open Java_env
open Java_ast

let ident fmt (_,id) = fprintf fmt "%s" id

let rec qualified_ident fmt qid =
  match qid with
    | [id] -> fprintf fmt "%a" ident id
    | id::l -> fprintf fmt "%a.%a" ident id qualified_ident l
    | [] -> assert false


let base_type fmt b =
  match b with
    | Tshort -> fprintf fmt "short"
    | Tboolean -> fprintf fmt "boolean"
    | Tbyte -> fprintf fmt "byte"
    | Tchar -> fprintf fmt "char"
    | Tint -> fprintf fmt "int"
    | Tfloat -> fprintf fmt "float"
    | Tlong -> fprintf fmt "long"
    | Tdouble -> fprintf fmt "double"
	  (* native logic types *)
    | Tinteger | Treal | Tunit | Tstring ->  assert false (* TODO *)

let modifier fmt m =
  match m with
  | Static -> fprintf fmt "static "
  | Final -> fprintf fmt "final "
  | Public -> fprintf fmt "public "
  | Private -> fprintf fmt "private "
  | Protected -> fprintf fmt "protected "
  | Native -> fprintf fmt "native "
  | Synchronized -> fprintf fmt "synchronized "
  | Abstract -> assert false (* TODO *)
  | Transient (* "threadsafe" ? *) -> assert false (* TODO *)
  | Volatile-> assert false (* TODO *)
  | Strictfp -> assert false (* TODO *)
  | Ghost -> assert false (* TODO *)
  | Model-> assert false (* TODO *)
  | Non_null -> assert false (* TODO *)
  | Nullable -> assert false (* TODO *)
  | Annot_modifier(_loc,_id) -> assert false (* TODO *)

let modifiers fmt = List.iter (modifier fmt)

let type_expr fmt t =
  match t with
    | Base_type b -> base_type fmt b
    | Type_name id -> fprintf fmt "%a" qualified_ident id;
    | Array_type_expr _typ ->  assert false (* TODO *)

let float_suffix fmt = function
  | `Single -> fprintf fmt "f"
  | `Double -> fprintf fmt "d"
  | `Real -> ()

let literal fmt l =
  match l with
    | Null -> fprintf fmt "null"
    | Integer _s -> assert false (* TODO *)
    | Float(s,suf) -> fprintf fmt "%s%a" s float_suffix suf
    | Bool _b -> assert false (* TODO *)
    | String _s -> assert false (* TODO *)
    | Char _s -> assert false (* TODO *)

let bin_op fmt op =
  match op with
    | Badd -> fprintf fmt "+"
    | Bsub | Bmul | Bdiv | Bmod -> assert false (* TODO *)
    | Band | Bor | Bimpl | Biff -> assert false (* TODO *)
    | Bbwand | Bbwor | Bbwxor -> assert false (* TODO *)
    | Blsl | Blsr | Basr -> assert false (* TODO *)
    | Beq -> assert false (* TODO *)
    | Bne -> fprintf fmt "!="
    | Bgt -> fprintf fmt ">"
    | Blt -> fprintf fmt "<"
    | Ble -> fprintf fmt "<="
    | Bge -> fprintf fmt ">="
    | Bconcat -> assert false (* TODO *) (* + for Strings *)


let rec expr fmt e =
  match e.java_pexpr_node with
    | JPElit l -> literal fmt l
    | JPEbin(e1,op,e2) ->
	fprintf fmt "(%a %a %a)" expr e1 bin_op op expr e2
    | JPEname qid -> qualified_ident fmt qid
	
	
    | _ -> assert false (* TODO *)
(*
    | JPEun of un_op * pexpr                 (*r (pure) unary operations *)
    | JPEincr of incr_decr_op * pexpr (*r pre-post incr/decr operations *)
    | JPEassign_name of qualified_ident * bin_op * pexpr  
    | JPEassign_field of java_field_access * bin_op * pexpr  
    | JPEassign_array of pexpr * pexpr * bin_op * pexpr  
	(*r [Assign_array(e1,e2,op,e3)] is [e1[e2] op e3] *)
	(*r assignment op is =, +=, etc. *)
    | JPEif of pexpr * pexpr * pexpr
    | JPEthis
    | JPEfield_access of java_field_access
    | JPEcall_name of qualified_ident * pexpr list
    | JPEcall_expr of pexpr * identifier * pexpr list
    | JPEsuper_call of identifier * pexpr list
    | JPEnew of qualified_ident * pexpr list
    | JPEnew_array of type_expr * pexpr list 
	(*r type, explicit dimensions *)
    | JPEarray_access of pexpr * pexpr
    | JPEarray_range of pexpr * pexpr option * pexpr option
    | JPEcast of type_expr * pexpr
    | JPEinstanceof of pexpr * type_expr
	(* in annotations only *)
    | JPEresult  
    | JPEold of pexpr 
    | JPEat of pexpr * identifier 
    | JPEquantifier of quantifier * (type_expr * variable_id list) list * pexpr   
*)

let rec param fmt p =
  match p with
    | Simple_parameter(_modifier, typ, id) ->
	fprintf fmt "%a %a" type_expr typ ident id
    | Array_parameter p -> 
	fprintf fmt "%a[]" param p

let method_declarator fmt d =
  match d with
    | Simple_method_declarator(id,params) ->
	fprintf fmt "%a(@[%a@]);@\n@\n" ident id (print_list comma param) params
    | Array_method_declarator _md ->
	assert false (* TODO *)


let method_declaration fmt md =
  (*
    method_modifiers : modifiers ;
    method_return_type : type_expr option ;
    method_declarator : method_declarator ;
    method_throws : qualified_ident list ;
  *)
  modifiers fmt md.method_modifiers;
  begin
    match md.method_return_type with
      | None -> fprintf fmt "void "
      | Some t -> fprintf fmt "%a " type_expr t;
  end;
  assert (md.method_throws = []);
  method_declarator fmt md.method_declarator
  
let constructor_declaration fmt cd =
  (* constr_modifiers : modifiers ;
     constr_name : identifier ;
     constr_parameters : parameter list ;
     constr_throws : qualified_ident list 
  *)
  modifiers fmt cd.constr_modifiers;
  assert (cd.constr_throws = []);
  fprintf fmt "%a(%a);@\n@\n" ident cd.constr_name 
    (print_list comma param) cd.constr_parameters
  
let rec variable_id fmt = function 
    | Simple_id(id) ->
	fprintf fmt "%a" ident id
    | Array_id vd -> 
	fprintf fmt "%a[]" variable_id vd

let initialize fmt = function
  | Simple_initializer e -> expr fmt e
  | Array_initializer _l -> assert false (* TODO *)
      

let variable_declarator ~is_final fmt vd =
  fprintf fmt "%a" variable_id vd.variable_id;
  match vd.variable_initializer with
    | Some init when is_final ->
	fprintf fmt " = %a" initialize init
    | _ -> ()

let variable_declaration fmt vd =
  (*
     variable_modifiers : modifiers ;
    variable_type : type_expr ;
    variable_decls : variable_declarator list 
  *)
  modifiers fmt vd.variable_modifiers;
  fprintf fmt "%a " type_expr vd.variable_type;
  let is_final = List.mem Final vd.variable_modifiers in
  List.iter (variable_declarator ~is_final fmt) vd.variable_decls;
  fprintf fmt ";@\n@\n"

  
  

let field_declaration fmt f =
(*
  | JPFmethod of method_declaration * block option
  | JPFconstructor of constructor_declaration *
      explicit_constructor_invocation * block
  | JPFvariable of variable_declaration
  | JPFstatic_initializer of block
  | JPFannot of Lexing.position * string
  | JPFinvariant of identifier * pexpr
  | JPFstatic_invariant of identifier * pexpr
  | JPFmethod_spec of 
      pexpr option * pexpr option * (identifier * pbehavior) list
  | JPFclass of class_declaration
  | JPFinterface of interface_declaration
*)
  match f with
    | JPFmethod(md,_block) -> method_declaration fmt md      
    | JPFmethod_spec(req, _dec, _behs ) -> 
	fprintf fmt "@[/*@@";
	print_option (fun fmt e -> fprintf fmt " requires %a;@\n  @@" expr e) fmt req;
	(* TODO *)
	fprintf fmt "*/@\n@]"
    | JPFinterface _ -> assert false (* TODO *)
    | JPFclass _ -> assert false (* TODO *)
    | JPFstatic_invariant (_, _) -> assert false (* TODO *)
    | JPFinvariant (_, _) -> assert false (* TODO *)
    | JPFannot (_, _) -> assert false (* TODO *)
    | JPFstatic_initializer _block -> ()	
    | JPFvariable vd -> variable_declaration fmt vd
    | JPFconstructor(cd, _invoke, _block) -> 
	constructor_declaration fmt cd

let class_declaration fmt cd =
  fprintf fmt "@[%a class %a " 
    modifiers cd.class_modifiers ident cd.class_name;
  begin
    match cd.class_extends with
      | None -> ()
      | Some id -> fprintf fmt "extends %a " qualified_ident id
  end;
  assert (cd.class_implements = []);
  fprintf fmt "{@\n@\n  @[";
  List.iter (field_declaration fmt) cd.class_fields;
  fprintf fmt "@]@\n}@\n@]"

let interface_declaration fmt id =
  (*
    { interface_modifiers : modifiers;
    interface_name : identifier;
    interface_extends : qualified_ident list;
    interface_members : field_declaration list
  *)
  fprintf fmt "@[%a interface %a {@\n@\n  @[" 
    modifiers id.interface_modifiers ident id.interface_name;
  assert (id.interface_extends = []);
  List.iter (field_declaration fmt) id.interface_members;
  fprintf fmt "@]@\n}@\n@]"

let type_declaration fmt d =
  match d with
    | JPTclass cd -> class_declaration fmt cd
    | JPTinterface id -> interface_declaration fmt id
    | JPTannot _ -> assert false
    | JPTlemma (_id,_is_axiom,_labels,_p) -> assert false
    | JPTlogic_type_decl _id -> assert false
    | JPTlogic_reads(_id,_rettype,_labels,_params,_reads) -> assert false
    | JPTlogic_def(_id,_rettype,_labels,_param,_e) -> assert false
    | JPTinductive(_id,_labels,_param,_e) -> assert false
    | JPTaxiomatic _ -> assert false
    | JPTimport _ -> assert false	

let compilation_unit fmt cu =
  (*
    cu_package : qualified_ident;
    cu_imports : import_statement list;
  *)
  List.iter (type_declaration fmt) cu.cu_type_decls

why-2.39/java/java_parser.mly0000644000106100004300000007343513147234006015206 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/



/*

Parser for Java source files

*/


%{

  open Java_env
  open Java_ast

  let loc () = (symbol_start_pos (), symbol_end_pos ())
  let loc_i i = (rhs_start_pos i, rhs_end_pos i)

  let locate_expr e =
    { java_pexpr_node = e ; java_pexpr_loc = loc () }

  let locate_lit e = locate_expr (JPElit e)

  let locate_statement s =
    { java_pstatement_node = s ; java_pstatement_loc = loc () }

  let rec build_array_type t n =
    if n=0 then t else Array_type_expr(build_array_type t (pred n))

(*
  let rec build_array_creation_expr t (l,n) =
    match l with
      | [] ->
	  Implicit_array_creation(build_array_type t n)
      | a::b ->
	  Explicit_array_creation(a,(build_array_creation_expr t (b,n)))
*)

  let default_behavior_name = "default"

  let default_behavior assigns allocates ensures behs =
    match assigns,allocates,ensures with
      | None, None, None -> behs
      | a, al, None ->
	  ((Loc.dummy_position,default_behavior_name),
	   { java_pbehavior_assumes = None;
	     java_pbehavior_assigns = a;
	     java_pbehavior_allocates = al;
	     java_pbehavior_throws = None;
	     java_pbehavior_ensures = Java_pervasives.expr_true }) :: behs
      | a, al, Some e ->
	  ((Loc.dummy_position,default_behavior_name),
	   { java_pbehavior_assumes = None;
	     java_pbehavior_assigns = a;
	     java_pbehavior_allocates = al;
	     java_pbehavior_throws = None;
	     java_pbehavior_ensures = e }) :: behs

(*
  let label (loc,s) = match s with
    | "Pre" -> LabelPre
    | "Here" -> LabelHere
    | "Old" -> LabelOld
    | _ -> LabelName s
*)

  let float_of_suf = function
    | None -> `Real
    | Some('f' | 'F') -> `Single
    | Some('d' | 'D') -> `Double
    | _ -> assert false
%}

/*s Start symbols */

%start compilation_unit
%type   compilation_unit

%start kml_global_def_eof
%type   kml_global_def_eof

%start kml_field_decl
%type   kml_field_decl

%start kml_statement_annot
%type   kml_statement_annot

%start kml_modifier
%type   kml_modifier

%start kml_spec_eof
%type  kml_spec_eof

%type  name

/*s Tokens */

/* Literals */

%token  ID
%token  INTCONSTANT
%token  REALCONSTANT
%token  STRING
%token  CHARACTER
%token TRUE FALSE NULL THIS

/* Keywords */

%token NEW SUPER
%token ABSTRACT BOOLEAN BYTE CASE CATCH
%token CHAR CLASS CONST DEFAULT DOUBLE ELSE EXTENDS
%token FALSE FINAL FINALLY FLOAT GHOST GOTO
/* ??? %token FUTURE BYVALUE GENERIC INNER OPERATOR OUTER REST VAR */
%token IMPLEMENTS IMPORT INSTANCEOF INT INTEGER INTERFACE LONG
%token MODEL NATIVE PACKAGE PRIVATE PROTECTED
%token PUBLIC REAL SHORT STATIC STRICTFP
%token THROWS TRANSIENT TRUE VOID VOLATILE
%token WHILE DO FOR IF SWITCH BREAK CONTINUE RETURN TRY SYNCHRONIZED THROW

%token REQUIRES DECREASES ENSURES SIGNALS ASSUMES ASSIGNS ALLOCATES
%token BEHAVIOR ASSERT
%token INVARIANT LOOP_INVARIANT LOOP_VARIANT
%token AXIOM LEMMA LOGIC TYPE PREDICATE INDUCTIVE AXIOMATIC READS
%token THEORY
%token BSFORALL BSEXISTS BSOLD BSAT BSRESULT BSNOTHING
%token BSFRESH
%token NON_NULL NULLABLE

/* Others symbols */

%token LEFTPAR
%token RIGHTPAR LEFTBRACE RIGHTBRACE LEFTBRACKET RIGHTBRACKET
%token SEMICOLON COLON COMMA QUESTIONMARK DOT DOTDOT
%token  DOC_COMMENT
%token  ANNOT
%token EOF

/* Operators (see precedences below for details) */

%token  ASSIGNOP
%token EQ EQEQGT LTEQEQGT
%token VERTICALBARVERTICALBAR
%token AMPERSANDAMPERSAND
%token VERTICALBAR
%token CARET
%token AMPERSAND
%token  EQOP
%token GT LT LE GE
%token  SHIFT
%token PLUS MINUS
%token STAR SLASH PERCENT
%token PLUSPLUS MINUSMINUS TILDA BANG


/*s Operator precedences */

%nonassoc THEN
%nonassoc ELSE
%nonassoc BSFORALL
%right LTEQEQGT
%right EQEQGT
%right EQ ASSIGNOP
  /*r ["="], ["*="],  ["/="], ["%="], ["+="], ["-="], ["<<="], [">>="],
  [">>>="], ["&="], ["^="] and ["|="], and ["==>"] ["<==>"] */
%right IFEXPR QUESTIONMARK     /*r [" ? : "] */
%left VERTICALBARVERTICALBAR  /*r conditional OR ["||"] */
%left AMPERSANDAMPERSAND  /*r conditional AND ["&&"] */
%left VERTICALBAR         /*r bitwise or boolean OR ["|"] */
%left CARET               /*r bitwise or boolean XOR ["^"] */
%left AMPERSAND           /*r bitwise or boolean AND ["&"] */
%left EQOP                /*r ["=="] and ["!="] */
%left GT LT LE GE INSTANCEOF  /*r ["<"], ["<="], [">"], [">="] and ["instanceof"] */
%left SHIFT                 /*r ["<<"], [">>"] and [">>>"] */
%left PLUS MINUS             /*r ["+"] and ["-"] */
%left STAR SLASH PERCENT     /*r ["*"], ["/"] and ["%"] */
%right UMINUS UPLUS PLUSPLUS MINUSMINUS TILDA BANG CAST
           /*r unary ["+"], ["-"], ["++"], ["--"], ["~"], ["!"] and cast */


%%

/*s Compilation units */

compilation_unit:
| package_declaration import_declarations type_declarations EOF
    { { cu_package = $1 ;
	cu_imports = $2 ;
	cu_type_decls = $3} }
;

package_declaration:
| /* $\varepsilon$ */
    { [] }
| PACKAGE name SEMICOLON
    { $2 }
;

import_declarations:
| /* $\varepsilon$ */
    { [] }
| IMPORT import_declaration SEMICOLON import_declarations
    { $2::$4 }
;


import_declaration:
| name DOT STAR
    { Import_package($1) }
| name
    { Import_class_or_interface($1) }
;

/*s type declarations */

type_declarations:
| /* $\varepsilon$ */
    { [] }
| type_declaration type_declarations
    { $1::$2 }
|  SEMICOLON type_declarations
    { $2 }
;

type_declaration:
| class_declaration
    { JPTclass($1) }
| interface_declaration
    { JPTinterface($1) }
| ANNOT
    { let (loc,s) = $1 in JPTannot(loc,s) }
;

/*s Class declarations */

class_declaration:
| modifiers_class ident extends_decl implements_decl class_body
    { { class_modifiers = $1;
	class_name = $2;
	class_extends = $3;
	class_implements = $4;
	class_fields = $5 }}
;

class_body:
  LEFTBRACE field_declarations RIGHTBRACE
    { $2 }

extends_decl:
| /* $\varepsilon$ */
    { None }
| EXTENDS name
    { Some $2 }
;

implements_decl:
| /* $\varepsilon$ */
    { [] }
| IMPLEMENTS name_comma_list
    { $2 }
;

field_declarations:
| /* $\varepsilon$ */
    { [] }
| field_declaration field_declarations
    { $1::$2 }
;

field_declaration:
| method_declaration
    { $1 }
| constructor_declaration
    { $1 }
| variable_declaration
    { JPFvariable($1) }
| static_initializer
    { JPFstatic_initializer($1) }
| ANNOT
    { let(loc,s)=$1 in JPFannot(loc,s) }
/* Java 1.4 */
| class_declaration
    { JPFclass $1 }
| interface_declaration
    { JPFinterface $1 }
;

/*s variable declarations */

variable_declaration:
| modifiers_type_expr variable_declarators SEMICOLON
    { let a, b = $1 in
	match b with
	  | Some b ->
	      { variable_modifiers = a ;
		variable_type = b ;
		variable_decls = $2 }
	  | None -> raise Parse_error }
| modifiers_type_expr ANNOT variable_declarators SEMICOLON
    { let a, b = $1 in
	match b with
	  | Some b ->
	      let loc, s = $2 in
	      { variable_modifiers = Annot_modifier (loc, s) :: a ;
		variable_type = b ;
		variable_decls = $3 }
	  | None -> raise Parse_error }
;

variable_declarators:
| variable_declarator
    { [$1] }
| variable_declarator COMMA variable_declarators
    { $1::$3 }
;

variable_declarator:
| variable_declarator_id
    { { variable_id = $1 ;
	variable_initializer = None } }
| variable_declarator_id EQ variable_initializer
    { { variable_id = $1 ;
	variable_initializer = Some $3 } }
;

variable_declarator_id:
| ident
    { let (loc,id)=$1 in Simple_id(loc,id) }
| variable_declarator_id LEFTBRACKET RIGHTBRACKET
    { Array_id($1) }

variable_initializer:
| expr
    { Simple_initializer($1) }
| array_initializer
    { Array_initializer($1) }
;

array_initializer:
| LEFTBRACE variable_initializers RIGHTBRACE
    { $2 }
;

variable_initializers:
| /* $\varepsilon$ */
    { [] }
| variable_initializer
    { [$1] }
| variable_initializer COMMA variable_initializers
    { $1::$3 }
;


/*s static initializers */

static_initializer:
| STATIC block
    { $2 }
;


/*s method declarations */

method_declaration:
| method_header method_body
    { JPFmethod($1,$2) }
;

method_header:
| modifiers_type_expr method_declarator throws_decl
    { let (a, b) = $1 in
      {
	method_modifiers = a ;
	method_return_type = b ;
	method_declarator = $2 ;
	method_throws = $3
      }
    }
| modifiers_type_expr ANNOT method_declarator throws_decl
    { let (a, b) = $1 in
      let loc, s = $2 in
	{
	  method_modifiers = Annot_modifier (loc, s) :: a ;
	  method_return_type = b ;
	  method_declarator = $3 ;
	  method_throws = $4
	}
    }
;

method_declarator:
| ident method_parameters
    { Simple_method_declarator($1,$2) }
| method_declarator LEFTBRACKET RIGHTBRACKET
    { Array_method_declarator($1) }
;


method_parameters:
| LEFTPAR RIGHTPAR
    { [] }
| LEFTPAR parameter_comma_list RIGHTPAR
    { $2 }
;

parameter_comma_list:
| parameter
    { [$1] }
| parameter COMMA parameter_comma_list
    { $1::$3 }
;

parameter:
/* final modifier allowed since 1.4 (JLS 3.0) */
| final_opt type_expr ident
    { Simple_parameter (None, $2, $3) }
| final_opt type_expr ANNOT ident
    { let loc, s = $3 in
      Simple_parameter (Some (Annot_modifier (loc, s)), $2, $4) }
| parameter LEFTBRACKET RIGHTBRACKET
    { Array_parameter($1) }
;

final_opt:
| /* \epsilon */ { false}
| FINAL { true }
;


throws_decl:
| /* $\varepsilon$ */
    { [] }
| THROWS name_comma_list
    { $2 }
;

method_body:
| block
    { Some($1) }
| SEMICOLON
    { None }
;

/*s constructor declarations */

constructor_declaration:
| modifiers_type_expr method_parameters throws_decl constructor_body
    { let (a,b)=$1 in
      match b with
	| Some (Type_name [id]) ->
	    let c =
	      {
	      constr_modifiers = a ;
	      constr_name = id ;
	      constr_parameters = $2 ;
	      constr_throws = $3 }
	    in
	    let eci,b = $4 in
	    JPFconstructor(c,eci,b)
	| _ -> raise Parse_error}
;

constructor_body:
| LEFTBRACE explicit_constructor_invocation statements RIGHTBRACE
    { ($2,$3) }
| LEFTBRACE statements RIGHTBRACE
    { (Invoke_none,$2) }
| SEMICOLON
    { (Invoke_none,[]) }
;

explicit_constructor_invocation:
| THIS LEFTPAR argument_list RIGHTPAR SEMICOLON
    { Invoke_this($3) }
| SUPER LEFTPAR argument_list RIGHTPAR SEMICOLON
    { Invoke_super($3) }
;

argument_list:
| /* $\varepsilon$ */
    { [] }
| expr_comma_list
    { $1 }
;

/*s interface declarations */

interface_declaration:
| modifiers_interface ident extends_interfaces_decl
    LEFTBRACE interface_member_declarations RIGHTBRACE
    { { interface_modifiers = $1;
	interface_name = $2;
	interface_extends = $3;
	interface_members = $5 }}
;

extends_interfaces_decl:
| /* $\varepsilon$ */
    { [] }
| EXTENDS name_comma_list
    { $2 }
;

interface_member_declarations:
| /* $\varepsilon$ */
    { [] }
| interface_member_declaration interface_member_declarations
    { $1::$2 }
;

interface_member_declaration:
| variable_declaration
    { JPFvariable($1) }
| method_header SEMICOLON
    { JPFmethod($1,None) }
| ANNOT
    { let (loc,s)=$1 in JPFannot(loc,s) }
/* Java 1.4 */
| interface_declaration
    { JPFinterface $1 }
;




/*s type expressions */

base_type:
| SHORT
    { Tshort }
| BOOLEAN
    { Tboolean }
| BYTE
    { Tbyte }
| CHAR
    { Tchar }
| INT
    { Tint }
| FLOAT
    { Tfloat }
| LONG
    { Tlong }
| DOUBLE
    { Tdouble }
| INTEGER
    { Tinteger }
| REAL
    { Treal }
;

type_expr:
| name
    { Type_name($1) }
| base_type
    { Base_type($1) }
| array_type_expr
    { Array_type_expr($1) }
;

array_type_expr:
| base_type LEFTBRACKET RIGHTBRACKET
    { Base_type($1) }
| name LEFTBRACKET RIGHTBRACKET
    { Type_name($1) }
| array_type_expr LEFTBRACKET RIGHTBRACKET
    { Array_type_expr($1) }
;


/*s modifiers */

modifiers_class:
| CLASS
    { [] }
| modifier modifiers_class
    { $1::$2 }
;

modifiers_interface:
| INTERFACE
    { [] }
| modifier modifiers_interface
    { $1::$2 }
;


modifier:
| STATIC
    { Static }
| FINAL
    { Final }
| PUBLIC
    { Public }
| PRIVATE
    { Private }
| PROTECTED
    { Protected }
| NATIVE
    { Native }
| SYNCHRONIZED
    { Synchronized }
| ABSTRACT
    { Abstract }
/* "threadsafe" ? */
| TRANSIENT
    { Transient }
| VOLATILE
    { Volatile }
| STRICTFP
    { Strictfp }
;

modifiers_type_expr:
| type_expr
    { ([],Some $1) }
| VOID
    { ([],None) }
| modifier modifiers_type_expr
    { let (a,b)=$2 in ($1::a,b) }
;

/*s Statements */

block:
| LEFTBRACE statements RIGHTBRACE
    { $2 }

statements:
| statement statements
    { $1::$2 }
| /* $\varepsilon$ */
    { [] }
;

/*s Statements */

local_variable_declaration:
| modifiers_type_expr variable_declarators
    { let (a,b)=$1 in
      match b with
	| Some b ->
	    { variable_modifiers = a ;
	      variable_type = b ;
	      variable_decls = $2 }
	| None -> raise Parse_error }
;

statement:
| ANNOT
    { let (loc, s) = $1 in
	locate_statement (JPSannot (loc, s)) }
| WHILE LEFTPAR expr RIGHTPAR statement %prec WHILE
    { locate_statement (JPSwhile($3,$5)) }
| DO statement WHILE LEFTPAR expr RIGHTPAR
    { locate_statement (JPSdo($2,$5)) }
| FOR LEFTPAR argument_list SEMICOLON for_cond SEMICOLON
  argument_list RIGHTPAR statement
    { locate_statement (JPSfor($3,$5,$7,$9)) }
| FOR LEFTPAR local_variable_declaration SEMICOLON for_cond SEMICOLON
  argument_list RIGHTPAR statement
    { locate_statement (JPSfor_decl($3,$5,$7,$9)) }
| block
    { locate_statement (JPSblock $1) }
| expr SEMICOLON
    { locate_statement (JPSexpr($1)) }
| SEMICOLON
    { locate_statement JPSskip }
| local_variable_declaration SEMICOLON
    { locate_statement (JPSvar_decl($1)) }
| IF LEFTPAR expr RIGHTPAR statement %prec THEN
    { locate_statement (JPSif($3,$5,locate_statement JPSskip)) }
| IF LEFTPAR expr RIGHTPAR statement ELSE statement %prec ELSE
    { locate_statement (JPSif($3,$5,$7)) }
| SWITCH LEFTPAR expr RIGHTPAR LEFTBRACE switch_block RIGHTBRACE
    { locate_statement (JPSswitch($3,$6)) }
| ident COLON statement
    { locate_statement (JPSlabel($1,$3)) }
| BREAK SEMICOLON
    { locate_statement (JPSbreak None) }
| BREAK ident SEMICOLON
    { locate_statement (JPSbreak(Some $2)) }
| CONTINUE SEMICOLON
    { locate_statement (JPScontinue(None)) }
| CONTINUE ident SEMICOLON
    { locate_statement (JPScontinue(Some $2)) }
| RETURN SEMICOLON
    { locate_statement (JPSreturn None) }
| RETURN expr SEMICOLON
    { locate_statement (JPSreturn(Some $2)) }
| THROW expr SEMICOLON
    { locate_statement (JPSthrow($2)) }
| TRY block catch_clauses
    { locate_statement (JPStry($2,$3,None)) }
| TRY block catch_clauses FINALLY block
    { locate_statement (JPStry($2,$3,Some($5))) }
| TRY block FINALLY block
    { locate_statement (JPStry($2,[],Some($4))) }
| SYNCHRONIZED LEFTPAR expr RIGHTPAR block
    { locate_statement (JPSsynchronized($3,$5)) }

for_cond:
| expr
    { $1 }
| /* $\varepsilon$ */
    { locate_expr Java_pervasives.expr_node_true }
;

switch_block:
| /* $\varepsilon$ */
    { [] }
| switch_labels
    { [($1,[])] }
| switch_labels statement statements switch_block
    { ($1,$2::$3)::$4 }
;

switch_labels:
| switch_label
    { [$1] }
| switch_label switch_labels
    { $1::$2 }
;

switch_label:
| CASE expr COLON
    { Case($2) }
| DEFAULT COLON
    { Default }
;

catch_clauses:
| catch_clause
    { [$1] }
| catch_clause catch_clauses
    { $1::$2 }
;

catch_clause:
| CATCH LEFTPAR parameter RIGHTPAR block
    { ($3,$5) }
;

/*s Expressions */

field_access:
| SUPER DOT ident
    { Super_access $3 }
| primary_expr DOT ident
    { Primary_access($1,$3) }
;

primary_expr:
| primary_no_new_array
    { $1 }
| array_creation_expression
    { $1 }
;

primary_no_new_array:
| INTCONSTANT
    { locate_lit (Integer $1) }
| REALCONSTANT
    { let x,suf = $1 in locate_lit (Float(x,float_of_suf suf)) }
| TRUE
    { locate_lit (Bool true) }
| FALSE
    { locate_lit (Bool false) }
| STRING
    { locate_lit (String $1) }
| NULL
    { locate_lit Null }
| CHARACTER
    { locate_lit (Char $1) }
| THIS
    { locate_expr JPEthis }
| BSRESULT
    { locate_expr JPEresult }
| LEFTPAR expr_no_name RIGHTPAR
    { $2 }
| LEFTPAR name RIGHTPAR
    { locate_expr (JPEname $2) }
| field_access
    { locate_expr (JPEfield_access $1) }
| name label_binders LEFTPAR argument_list RIGHTPAR
    { locate_expr (JPEcall_name($1,$2,$4)) }
| SUPER DOT ident LEFTPAR argument_list RIGHTPAR
    { locate_expr (JPEsuper_call($3, $5)) }
| primary_expr DOT ident LEFTPAR argument_list RIGHTPAR
    { locate_expr (JPEcall_expr($1,$3,$5)) }
| NEW name LEFTPAR argument_list RIGHTPAR
    { locate_expr (JPEnew($2,$4)) }
/* new in java 1.4 (see JLS 3.0) */
| NEW name LEFTPAR argument_list RIGHTPAR class_body
    { (* TODO: incorporate class body *)
      locate_expr (JPEnew($2,$4)) }
| array_access
    { let (a,b)=$1 in locate_expr (JPEarray_access(a,b)) }
| array_range
    { let (a,b,c)=$1 in locate_expr (JPEarray_range(a,b,c)) }
| BSFRESH LEFTPAR expr RIGHTPAR
    { locate_expr (JPEfresh $3) }
| BSOLD LEFTPAR expr RIGHTPAR
    { locate_expr (JPEold $3) }
| BSAT LEFTPAR expr COMMA ident RIGHTPAR
    { locate_expr (JPEat($3,$5)) }
;

array_access:
| primary_no_new_array LEFTBRACKET expr RIGHTBRACKET
    { ($1,$3) }
| name LEFTBRACKET expr RIGHTBRACKET
    { (locate_expr (JPEname $1),$3) }
;

array_range:
| primary_no_new_array LEFTBRACKET expr_opt DOTDOT expr_opt RIGHTBRACKET
    { ($1,$3,$5) }
| name LEFTBRACKET expr_opt DOTDOT expr_opt RIGHTBRACKET
    { (locate_expr (JPEname $1),$3,$5) }
;

expr_opt:
| /* epsilon */
    { None }
| expr
    { Some $1 }
;

array_creation_expression:
| NEW base_type array_dims
    { let (a,b) = $3 in
      let t = build_array_type (Base_type($2)) b in
      locate_expr (JPEnew_array(t,a)) }
| NEW name array_dims
    { let (a,b) = $3 in
      let t = build_array_type (Type_name($2)) b in
      locate_expr (JPEnew_array(t,a)) }
/* array_initializer allowed in 1.4 (JLS 3.0) */
| NEW base_type implicit_dims array_initializer
    { let b = $3 in
      let t = build_array_type (Base_type($2)) b in
      locate_expr (JPEnew_array(t,[])) }
| NEW name implicit_dims array_initializer
    { let b = $3 in
      let t = build_array_type (Type_name($2)) b in
      locate_expr (JPEnew_array(t,[])) }
;

array_dims:
| LEFTBRACKET expr RIGHTBRACKET implicit_dims
    { ([$2],$4) }
| LEFTBRACKET expr RIGHTBRACKET array_dims
    { let (a,b) = $4 in ($2::a,b) }
;

implicit_dims:
| /* $\varepsilon$$ */
    { 0 }
| LEFTBRACKET RIGHTBRACKET implicit_dims
    { succ $3 }
;

castable_expr:
| primary_expr
    { $1 }
| name
    { locate_expr (JPEname $1) }
| non_basic_cast
    { $1 }

non_basic_cast:
| LEFTPAR array_type_expr RIGHTPAR castable_expr %prec CAST
    { locate_expr (JPEcast(Array_type_expr($2),$4)) }
| LEFTPAR name RIGHTPAR castable_expr %prec CAST
    { locate_expr (JPEcast(Type_name($2),$4)) }
;


expr:
| name
    { locate_expr (JPEname $1) }
| expr_no_name
    { $1 }
;

expr_no_name:
| primary_expr
    { $1 }
| name assign_op expr %prec ASSIGNOP
    { locate_expr (JPEassign_name($1,$2,$3)) }
| field_access assign_op expr %prec ASSIGNOP
    { locate_expr (JPEassign_field($1,$2,$3)) }
| array_access assign_op expr %prec ASSIGNOP
    { let (a,b)=$1 in
      locate_expr (JPEassign_array(a,b,$2,$3)) }
| PLUSPLUS expr
    { locate_expr (JPEincr(Preincr,$2)) }
| MINUSMINUS expr
    { locate_expr (JPEincr(Predecr,$2)) }
| expr PLUSPLUS
    { locate_expr (JPEincr(Postincr,$1)) }
| expr MINUSMINUS
    { locate_expr (JPEincr(Postdecr,$1)) }
| expr QUESTIONMARK expr COLON expr %prec IFEXPR
    { locate_expr (JPEif($1,$3,$5)) }
| expr VERTICALBARVERTICALBAR expr
    { locate_expr (JPEbin($1,Bor,$3)) }
| expr AMPERSANDAMPERSAND expr
    { locate_expr (JPEbin($1,Band,$3)) }
| expr VERTICALBAR expr
    { locate_expr (JPEbin($1,Bbwor,$3)) }
| expr CARET expr
    { locate_expr (JPEbin($1,Bbwxor,$3)) }
| expr AMPERSAND expr
    { locate_expr (JPEbin($1,Bbwand,$3)) }
| expr EQOP expr
    { locate_expr (JPEbin($1,$2,$3)) }
| expr comp expr %prec GT
    { locate_expr (JPEbin($1,$2,$3)) }
| expr SHIFT expr
    { locate_expr (JPEbin($1,$2,$3)) }
| expr PLUS expr
    { locate_expr (JPEbin($1,Badd,$3)) }
| expr MINUS expr
    { locate_expr (JPEbin($1,Bsub,$3)) }
| expr STAR expr
    { locate_expr (JPEbin($1,Bmul,$3)) }
| expr SLASH expr
    { locate_expr (JPEbin($1,Bdiv,$3)) }
| expr PERCENT expr
    { locate_expr (JPEbin($1,Bmod,$3)) }
| PLUS expr %prec UPLUS
    { locate_expr (JPEun(Uplus,$2)) }
| MINUS expr %prec UMINUS
    { locate_expr (JPEun(Uminus,$2)) }
| BANG expr
    { locate_expr (JPEun(Unot,$2)) }
| TILDA expr
    { locate_expr (JPEun(Ucompl,$2)) }
/*

  CAST expressions

  we distinguish cast types because of syntax ambiguities:
  is (id1)-id2  a cast of a unary minus, or a binary - ?

  solution:

  if id1 is a base type, it is a cast else it is a binary operation.
  it is enough because result of unary - cannot be casted to something
  else than a base type.

  moreover, we distinguish between cast to a type identifier
  "(name) expr" and a complex type expr, because of LALR constraint:
  (name) can be both an expr and a cast, so it is factorized.

*/
| LEFTPAR base_type RIGHTPAR expr %prec CAST
    { locate_expr (JPEcast(Base_type($2),$4)) }
| non_basic_cast
    { $1 }
/*
  instanceof operator
*/
| expr INSTANCEOF type_expr
    { locate_expr (JPEinstanceof($1,$3)) }
/* annotations only operators */
| BSFORALL quantified_variables_decl SEMICOLON expr %prec BSFORALL
    { locate_expr (JPEquantifier(Forall,$2,$4)) }
| BSEXISTS quantified_variables_decl SEMICOLON expr %prec BSFORALL
    { locate_expr (JPEquantifier(Exists,$2,$4)) }
| expr EQEQGT expr
    { locate_expr (JPEbin($1,Bimpl,$3)) }
| expr LTEQEQGT expr
    { locate_expr (JPEbin($1,Biff,$3)) }
;

quantified_variables_decl:
| type_expr quantified_variables
    { [($1,$2)] }
| type_expr quantified_variables COMMA quantified_variables_decl
    { ($1,$2)::$4 }
;

quantified_variables:
| quantified_variable
    { [$1] }
| quantified_variable quantified_variables
    { $1::$2 }
;

quantified_variable:
| ident
    { let (loc,id)=$1 in Simple_id(loc,id) }
| quantified_variable LEFTBRACKET RIGHTBRACKET
    { Array_id($1) }


expr_comma_list:
| expr
    { [$1] }
| expr COMMA expr_comma_list
    { $1::$3 }
;


comp:
| GT { Bgt }
| LT { Blt }
| LE { Ble }
| GE { Bge }
;

assign_op:
| EQ
    { Beq }
| ASSIGNOP
    { $1 }
;

/*s identifiers */


name:
| ident
    { [$1] }
| name DOT ident
    { $3::$1 }
| name DOT CLASS
    { (loc_i 3,"class")::$1 }
| name DOT THIS
    { (loc_i 3,"this")::$1 }
;

name_comma_list:
| name
    { [$1] }
| name COMMA name_comma_list
    { $1::$3 }
;

ident:
| ID
    { (loc(),$1) }
| MODEL
    { (loc(), "model") }
| TYPE
    { (loc(), "type") }
;

type_parameter_list:
| ident
   { [$1] }
| ident COMMA type_parameter_list
   { $1::$3 }
;


poly_theory_id:
| name
   { PolyTheoryId($1,[]) }
| name LT type_parameter_list GT
   { PolyTheoryId($1,$3) }
;



/****************************************************/
/*s parsing of annotations: KML */

kml_spec_eof:
| kml_theory EOF
     { $1 }
;

kml_theory:
| THEORY poly_theory_id LEFTBRACE kml_global_decls RIGHTBRACE
    { JPTtheory($2,$4) }
;

kml_global_def_eof:
| kml_global_def EOF
     { $1 }
;

kml_global_def:
| PREDICATE ident label_binders method_parameters EQ expr SEMICOLON
    { JPTlogic_def($2,None,$3,$4,$6) }
| INDUCTIVE ident label_binders method_parameters LEFTBRACE indcases RIGHTBRACE
    { JPTinductive($2,$3,$4,$6) }
| LOGIC type_expr ident label_binders method_parameters EQ expr SEMICOLON
    { JPTlogic_def($3,Some $2,$4, $5,$7) }
| AXIOMATIC ident LEFTBRACE kml_global_decls RIGHTBRACE
    { JPTaxiomatic($2,$4) }
| LEMMA ident label_binders COLON expr SEMICOLON
    { JPTlemma($2,false,$3,$5) }
| IMPORT poly_theory_id SEMICOLON
    { JPTimport($2) }
;

kml_global_decls:
| /* epsilon */
    { [] }
| kml_global_decl kml_global_decls
    { $1::$2 }
;

kml_global_decl:
| TYPE ident SEMICOLON
    { JPTlogic_type_decl $2 }
| PREDICATE ident label_binders method_parameters reads_clause SEMICOLON
    { JPTlogic_reads ($2, None, $3, $4, $5) }
| LOGIC type_expr ident label_binders method_parameters reads_clause SEMICOLON
    { JPTlogic_reads($3,Some $2,$4,$5,$6) }
| AXIOM ident label_binders COLON expr SEMICOLON
    { JPTlemma($2,true,$3,$5) }
| kml_global_def
    { $1 }
;

reads_clause:
| READS expr_comma_list
    { Some $2 }
| READS BSNOTHING
    { Some [] }
| /* epsilon */
    { None }
;

indcases:
| /* epsilon */
    { [] }
| CASE ident label_binders COLON expr SEMICOLON indcases
    { ($2,$3,$5)::$7 }
;

label_binders:
| /* epsilon */ { [] }
| LEFTBRACE ident label_list_end RIGHTBRACE { $2::$3 }
;

label_list_end:
| /* epsilon */ { [] }
| COMMA ident label_list_end { $2::$3 }
;


kml_field_decl:
| requires_opt decreases_opt assigns_opt allocates_opt ensures_opt behaviors EOF
    { JPFmethod_spec($1,$2,default_behavior $3 $4 $5 $6) }
| INVARIANT ident COLON expr SEMICOLON EOF
    { JPFinvariant($2,$4) }
| STATIC INVARIANT ident COLON expr SEMICOLON EOF
    { JPFstatic_invariant($3,$5) }
| MODEL variable_declaration
    { let vd = $2 in
      JPFvariable {vd with variable_modifiers = Model::vd.variable_modifiers} }
| GHOST variable_declaration
    { let vd = $2 in
      JPFvariable {vd with variable_modifiers = Ghost::vd.variable_modifiers} }
;

kml_modifier:
| NON_NULL
    { Non_null }
| NULLABLE
    { Nullable }
;

requires_opt:
| /* $\varepsilon$ */
    { None }
| REQUIRES expr SEMICOLON
    { Some $2 }
;

ensures_opt:
| /* $\varepsilon$ */
    { None }
| ENSURES expr SEMICOLON
    { Some $2 }
;

behaviors:
| /* $\varepsilon$ */
    { [] }
| BEHAVIOR ident COLON behavior behaviors
    { ($2,$4)::$5 }
;

behavior:
| assumes_opt assigns_opt allocates_opt ENSURES expr SEMICOLON
    { { java_pbehavior_assumes = $1;
	java_pbehavior_assigns = $2;
	java_pbehavior_allocates = $3;
	java_pbehavior_throws = None;
	java_pbehavior_ensures = $5 } }
| assumes_opt assigns_opt allocates_opt SIGNALS LEFTPAR name ident_option RIGHTPAR expr SEMICOLON
    { { java_pbehavior_assumes = $1;
	java_pbehavior_assigns = $2;
	java_pbehavior_allocates = $3;
	java_pbehavior_throws = Some($6,$7);
	java_pbehavior_ensures = $9 } }
| error
	{ raise (Java_options.Java_error (loc(),"`ensures' expected")) }
;

ident_option:
| /* $\varepsilon$ */
    { None }
| ident
    { Some $1 }
;

assumes_opt:
| /* $\varepsilon$ */
    { None }
| ASSUMES expr SEMICOLON
    { Some $2 }
;


assigns_opt:
| /* $\varepsilon$ */
    { None }
| ASSIGNS BSNOTHING SEMICOLON
    { Some (loc_i 2,[]) }
| ASSIGNS expr_comma_list SEMICOLON
    { Some (loc_i 2,$2) }
;

allocates_opt:
| /* $\varepsilon$ */
    { None }
| ALLOCATES BSNOTHING SEMICOLON
    { Some (loc_i 2,[]) }
| ALLOCATES expr_comma_list SEMICOLON
    { Some (loc_i 2,$2) }
;

decreases_opt:
| /* $\varepsilon$ */
    { None }
| DECREASES expr SEMICOLON
    { Some($2, None) }
| DECREASES expr FOR ident SEMICOLON
    { Some($2, Some $4) }
;

kml_statement_annot:
| LOOP_INVARIANT expr SEMICOLON beh_loop_inv loop_variant_opt EOF
    { JPSloop_annot($2,$4,$5) }
| beh_loop_inv loop_variant EOF
    { JPSloop_annot({java_pexpr_node = JPElit (Bool true) ;
		     java_pexpr_loc = loc_i 2 },$1,$2) }
| ASSERT expr SEMICOLON EOF
    { JPSassert(None,None,$2) }
| FOR ident COLON ASSERT expr SEMICOLON EOF
    { JPSassert(Some $2,None,$5) }
/* never used ?
| ASSERT ident COLON expr SEMICOLON EOF
    { JPSassert(None,Some $2,$4) }
*/
| GHOST local_variable_declaration SEMICOLON EOF
    { JPSghost_local_decls($2) }
| GHOST expr SEMICOLON EOF
    { JPSghost_statement($2) }
| requires_opt decreases_opt assigns_opt allocates_opt ensures_opt behaviors EOF
    { JPSstatement_spec($1,$2,default_behavior $3 $4 $5 $6) }
;

beh_loop_inv:
| /* $\varepsilon$ */
    { [] }
| FOR ident COLON LOOP_INVARIANT expr SEMICOLON beh_loop_inv
    { ($2,$5)::$7 }
;

loop_variant_opt:
| /* $\varepsilon$ */
    { None }
| loop_variant
    { $1 }
;

loop_variant:
| LOOP_VARIANT expr SEMICOLON
    { Some($2, None) }
| LOOP_VARIANT expr FOR ident SEMICOLON
    { Some($2, Some $4) }
;


/*
Local Variables:
compile-command: "make -j -C .. bin/krakatoa.byte"
End:
*/
why-2.39/java/java_env.mli0000644000106100004300000001626413147234006014457 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(*s types and environments *)

type accessibility = Apublic | Aprotected | Aprivate | Anone

type base_type =
    | Tshort | Tboolean | Tbyte | Tchar | Tint | Tfloat | Tlong | Tdouble 
	  (* native logic types *)
    | Tinteger | Treal | Tunit | Tstring

type logic_label = 
  | LabelName of string
  | LabelHere
  | LabelOld
  | LabelPre

type java_type =
  | JTYbase of base_type
  | JTYnull (*r type of 'null' *)
  | JTYclass of bool * java_class_info (*r first arg true if non_null *)
  | JTYinterface of interface_info 
  | JTYarray of bool * java_type (*r first arg true if non_null *)
  | JTYlogic of logic_type_info
      
and logic_type_info = string


and java_var_info =
    {
      java_var_info_tag : int;
      java_var_info_name : string;
      java_var_info_decl_loc : Loc.position;
      java_var_info_type : java_type;
      mutable java_var_info_final_name : string;
      mutable java_var_info_assigned : bool;
    }
    
and java_field_info =
    {
      java_field_info_tag : int;
      java_field_info_name : string;
      java_field_info_class_or_interface : java_type_info;
(*
      mutable java_field_info_trans_name : string;
      java_field_info_accessibility : accessibility;
*)
      java_field_info_is_static : bool;
      java_field_info_is_final : bool;
      java_field_info_is_nullable : bool;
      java_field_info_type : java_type;
      java_field_info_is_ghost : bool;
      java_field_info_is_model : bool;
    }
    

and method_info = 
    {
      method_info_tag : int;
      method_info_loc : Loc.position;
      method_info_name : string;
      mutable method_info_trans_name : string;
      method_info_is_static : bool;
      (*
	method_info_accessibility : accessibility;
      *)
      method_info_class_or_interface : java_type_info;
      mutable method_info_has_this : java_var_info option;
      method_info_parameters : (java_var_info * (* nullable *) bool) list;
      method_info_result : java_var_info option ;
      method_info_result_is_nullable : bool ;
      mutable method_info_calls : method_or_constructor_info list;
    }
      
and constructor_info = 
    {
      constr_info_tag : int;
      constr_info_loc : Loc.position;
      constr_info_class : java_class_info;
      mutable constr_info_trans_name : string;
      mutable constr_info_this : java_var_info option;
      mutable constr_info_result : java_var_info option;
      constr_info_parameters : (java_var_info * (* nullable : *) bool) list;
      mutable constr_info_calls : method_or_constructor_info list;
    }

and method_or_constructor_info =
  | MethodInfo of method_info
  | ConstructorInfo of constructor_info

    
and logic_type_entry =
    {
      logic_type_entry_name : string
    }

and java_logic_info =
    {
      java_logic_info_name : string;
      java_logic_info_tag : int;
      java_logic_info_result_type : java_type option;
      java_logic_info_labels : logic_label list;
      java_logic_info_parameters : java_var_info list;
      mutable java_logic_info_calls : java_logic_info list;
    }


and axiom_info = 
    {
      axiom_info_name : string;
    }
    


and package_info =
    {
      package_info_tag : int;
      package_info_name : string;
      mutable package_info_directories : string list;
    }
    
and java_class_info =
    {
      class_info_tag : int;
      class_info_name : string;
      class_info_package_env : package_info list;
      mutable class_info_incomplete : bool;
      mutable class_info_is_final : bool;
      mutable class_info_extends : java_class_info option;
      mutable class_info_is_exception : bool;
      mutable class_info_implements : interface_info list;
      mutable class_info_fields : java_field_info list;
      mutable class_info_final_fields : java_field_info list;
      mutable class_info_methods : method_info list;
      mutable class_info_constructors : constructor_info list;
    }

and interface_info =
    {
      interface_info_tag : int;
      interface_info_name : string;
      interface_info_package_env : package_info list;
      mutable interface_info_incomplete : bool;
      mutable interface_info_extends : interface_info list;
      mutable interface_info_fields : java_field_info list;
      mutable interface_info_final_fields : java_field_info list;
      mutable interface_info_methods : method_info list;
    }

and java_type_info =
  | TypeClass of java_class_info
  | TypeInterface of interface_info

(*s literals, shared between ASTs and typed ASTs *)

type float_suffix = [`Single |`Double |`Real]

type literal =
    | Integer of string
    | Float of string * float_suffix
    | Bool of bool
    | String of string
    | Char of string
    | Null

type nonnull_policy =
  | NonNullNone     (* Java semantics *)
  | NonNullFields   (* class fields non-null by default *)
  | NonNullAll      (* class fields and methods parameters & return value non-null by default *)
  | NonNullAllLocal (* class fields, methods parameters & return value, and local variables non-null by default *)


(*
  Local Variables: 
  compile-command: "make -C .. bin/krakatoa.byte"
  End: 
*)
why-2.39/java/java_syntax.ml0000644000106100004300000001732513147234006015043 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

open Java_ast
open Format
open Lexing

let parse_annot loc s f =
  let lb = Lexing.from_string s in
    (*
      eprintf "lb.pos_fname = %s@." lb.lex_curr_p.pos_fname;
      eprintf "lb.pos_lnum = %d@." lb.lex_curr_p.pos_lnum;
      eprintf "lb.pos_bol = %d@." lb.lex_curr_p.pos_bol;
      eprintf "lb.pos_cnum = %d@." lb.lex_curr_p.pos_cnum;
    *)
    lb.lex_curr_p <- {loc with pos_bol = loc.pos_bol - loc.pos_cnum - 3};
    (*
      eprintf "lb.pos_fname = %s@." lb.lex_curr_p.pos_fname;
      eprintf "lb.pos_lnum = %d@." lb.lex_curr_p.pos_lnum;
      eprintf "lb.pos_bol = %d@." lb.lex_curr_p.pos_bol;
      eprintf "lb.pos_cnum = %d@." lb.lex_curr_p.pos_cnum;
    *)
    try
      f Java_lexer.next_token lb
    with 
      | Parsing.Parse_error ->
	  Java_options.parsing_error (Java_lexer.loc lb) "parse error in annotation"
      | Java_options.Java_error (_,msg) ->
	  Java_options.parsing_error (Java_lexer.loc lb) "%s" msg
	    
let rec statement s =
  { s with java_pstatement_node = match s.java_pstatement_node with
      | JPSannot (loc, s) -> parse_annot loc s Java_parser.kml_statement_annot
      | JPSstatement_spec _
      | JPSghost_local_decls _ | JPSghost_statement _ | JPSloop_annot _ 
      | JPSassert _ -> assert false
      | JPSsynchronized (e, s') -> JPSsynchronized(e, statements s')	
      | JPSblock b -> JPSblock(statements b)
      | JPSswitch(e, l) -> 
	  JPSswitch(e, List.map (fun (labs,b) -> (labs,statements b)) l)
      | JPStry (s, l, f) -> 
	  let l = List.map (fun (p,s) -> (p,statements s)) l in
	    JPStry(statements s,l,Option_misc.map (statements) f)
      | JPSfor_decl (d, e, sl, s) -> JPSfor_decl(d, e, sl, statement s)
      | JPSfor (el1, e, el2, s) -> JPSfor (el1, e, el2, statement s)
      | JPSdo (s', e) -> JPSdo (statement s',e)
      | JPSwhile (e, s') -> JPSwhile(e, statement s')
      | JPSif (e, s1, s2) -> JPSif(e, statement s1, statement s2)
      | JPSlabel (l, s') -> JPSlabel(l,statement s')
      | JPScontinue _
      | JPSbreak _
      | JPSreturn _
      | JPSthrow _
      | JPSvar_decl _
      | JPSexpr _
      | JPSskip -> s.java_pstatement_node }
    
and statements b = List.map statement b

let modifier m =
  match m with
    | Annot_modifier (loc, s) -> parse_annot loc s Java_parser.kml_modifier
    | _ -> m

let variable_declaration vd =
  { vd with variable_modifiers = List.map modifier vd.variable_modifiers }

let rec parameter p =
  match p with
    | Simple_parameter (mo, ty, id) -> 
	Simple_parameter (Option_misc.map modifier mo, ty, id)
    | Array_parameter p ->
	Array_parameter (parameter p)

let rec method_declarator md =
  match md with
    | Simple_method_declarator (id, pl) ->
	Simple_method_declarator (id, List.map parameter pl)
    | Array_method_declarator md -> 
	Array_method_declarator (method_declarator md)

let method_declaration md =
  { md with
      method_modifiers = List.map modifier md.method_modifiers;
      method_declarator = method_declarator md.method_declarator; } 
    
let rec field_decl f = 
  match f with
    | JPFmethod (md, None) -> JPFmethod (method_declaration md, None)
    | JPFmethod (md, Some b) -> JPFmethod (method_declaration md, Some (statements b))
    | JPFconstructor(c,eci,b) -> JPFconstructor(c,eci,statements b)
    | JPFvariable vd -> JPFvariable (variable_declaration vd) 
    | JPFstatic_initializer b -> JPFstatic_initializer (statements b)
    | JPFannot (loc,s) -> parse_annot loc s Java_parser.kml_field_decl
    | JPFinvariant _ | JPFstatic_invariant _ 
    | JPFmethod_spec _ -> assert false
    | JPFclass c -> JPFclass (class_decl c)
    | JPFinterface i -> JPFinterface (interface_decl i)
  
and class_decl c = 
  { c with class_fields = List.map field_decl c.class_fields }

and interface_decl i = 
  { i with interface_members = List.map field_decl i.interface_members }

let type_decl d =
  match d with
    | JPTclass c -> JPTclass (class_decl c)
    | JPTinterface i -> JPTinterface (interface_decl i)
    | JPTannot (loc, s) -> parse_annot loc s Java_parser.kml_global_def_eof
    | JPTlemma _ 
    | JPTlogic_type_decl _
    | JPTlogic_reads _ 
    | JPTlogic_def _  -> assert false
    | JPTinductive _ -> assert false
    | JPTaxiomatic _ -> assert false
    | JPTimport _ -> assert false
    
let compilation_unit cu =
  { cu with cu_type_decls = List.map type_decl cu.cu_type_decls }

let spec_file f =
  try
    let c = open_in f in
    (* we parse the file as a spec file *)
    let d = Java_lexer.parse_spec f c in
    close_in c;
    printf "Parsing of spec file %s was OK.@." f;
    match d with
    | JPTtheory(PolyTheoryId(qid,_params),body) ->
         printf "It contains theory '%s'@."
           (Java_pervasives.qualified_ident2string
             qid ".");
         body
  with
    | Java_lexer.Lexical_error(l,s) ->
	eprintf "%a: lexical error: %s@." Loc.gen_report_position l s;
	exit 1


let file f = 
  try
    let c = open_in f in
    if Filename.check_suffix f ".spec" then
      (* we parse the file as a spec file *)
      let d = Java_lexer.parse_spec f c in
      close_in c;
      printf "Parsing of spec file %s was OK.@." f;
      match d with
	| JPTtheory(PolyTheoryId(qid,_params),_) ->
	    printf "It contains theory '%s'@."
              (Java_pervasives.qualified_ident2string qid ".");
 	    exit 0
    else
      (* we parse the file as an annotated java file *)
      let d = Java_lexer.parse f c in
      close_in c; 
      compilation_unit d
    with
      | Java_lexer.Lexical_error(l,s) ->
	  eprintf "%a: lexical error: %s@." Loc.gen_report_position l s;
	exit 1

(*
Local Variables: 
compile-command: "make -C .. bin/krakatoa.byte"
End: 
*)
why-2.39/java/java_analysis.ml0000644000106100004300000002363213147234006015336 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

(*

  Performs several analyses after Java typing and before interpretation into Jessie code.

  1) determines which structure type to introduce for arrays
  2) disambiguates names:
     . different constructors for the same class are named
         Class_typearg1_..._typeargn
     . methods
         * with same names in different classes or interfaces
             Class_or_Interface_method_name
         * with same names in same class or interface
             Class_or_Interface_method_name_typearg1_..._typeargn

*)

open Java_pervasives
open Java_env
open Java_tast
open Format

let array_struct_table = Hashtbl.create 17

let name_base_type t =
  match t with
    | Tboolean -> "boolean"
    | Tchar -> "char"
    | Tbyte -> "byte"
    | Tinteger -> "integer" 
    | Tshort -> "short"
    | Tlong -> "long"
    | Tint -> "int" 
    | Tunit -> "unit"
    | Tfloat -> "float"
    | Treal -> "real"
    | Tdouble -> "double"
    | Tstring -> "string"

let rec name_type t =
  match t with
    | JTYbase t -> name_base_type t
    | JTYclass(_,c) -> c.class_info_name
    | JTYinterface i -> i.interface_info_name
    | JTYarray (_, ty) -> name_type ty ^ "A"
    | JTYnull -> assert false
    | JTYlogic _ -> assert false

let intro_array_struct t =
  let n = name_type t in 
  try
    let _ = Hashtbl.find array_struct_table n in ()
  with Not_found ->
    Java_options.lprintf "Adding array struct for type %a under name %s@." 
      Java_typing.print_type t n;
      (* array structs indexed by name rather than by type,
	 to void generation of two structs for nullable and non_null types
	 of the same name.
	 - Nicolas R. *)
      Hashtbl.add array_struct_table n (t, n ^ "M", n ^ "P")

let term _t = () (* TODO *)

let assertion _a = () (* TODO *)

let rec expr e = 
  match e.java_expr_node with
    | JElit _l -> ()
    | JEincr_local_var(_op,_v) -> ()
    | JEincr_field(_op,e1,_fi) -> expr e1
    | JEun (_, e1) -> expr e1
    | JEbin (e1, _, e2) | JEincr_array (_, e1, e2) -> expr e1; expr e2 
    | JEvar _vi -> ()
    | JEstatic_field_access(_ci,_fi) -> ()
    | JEfield_access(e1,_fi) -> expr e1
    | JEarray_length e -> 
	begin
	  match e.java_expr_type with
	    | JTYarray (_, ty) -> intro_array_struct ty 
	    | _ -> assert false
	end
    | JEarray_access(e1,e2) -> 
	expr e1; expr e2;
	begin
	  match e1.java_expr_type with
	    | JTYarray (_, ty) -> intro_array_struct ty
	    | _ -> assert false
	end
    | JEassign_local_var (_, e)
    | JEassign_local_var_op (_, _, e)
    | JEassign_static_field (_, e) 
    | JEassign_static_field_op (_, _, e) -> expr e
    | JEassign_field(e1,_fi,e2) -> expr e1; expr e2
    | JEassign_field_op(e1,_fi,_op,e2) -> expr e1; expr e2
    | JEif(e1,e2,e3) -> expr e1; expr e2; expr e3
    | JEassign_array(e1,e2,e3) 
    | JEassign_array_op(e1,e2,_,e3) -> 
	expr e1; expr e2; expr e3;
	begin
	  match e1.java_expr_type with
	    | JTYarray (_, ty) -> intro_array_struct ty
	    | _ -> 
		eprintf "unexpected type: e1:%a e2:%a e3:%a@." 
		  Java_typing.print_type e1.java_expr_type
		  Java_typing.print_type e2.java_expr_type
		  Java_typing.print_type e3.java_expr_type;
		assert false
	end
    | JEcall(e,_mi,args) ->
	expr e;	List.iter expr args
    | JEconstr_call (e, _, args) ->
	expr e; List.iter expr args
    | JEstatic_call(_mi,args) ->
	List.iter expr args
    | JEnew_array(_ty,dims) ->
	List.iter expr dims
	(* intro_array_struct ty ??? *)
    | JEnew_object(_ci,args) ->
	List.iter expr args
    | JEinstanceof(e,_)
    | JEcast(_,e) -> expr e

let do_initializer i = 
  match i with
    | JIexpr e -> expr e
    | _ -> assert false (* TODO *)

let switch_label = function
  | Java_ast.Default -> ()
  | Java_ast.Case e -> expr e
  
let behavior (_id,assumes,_throws,assigns,allocates,ensures) =
  Option_misc.iter assertion assumes;
  Option_misc.iter (fun (_,l) -> List.iter term l) assigns;
  Option_misc.iter (fun (_,l) -> List.iter term l) allocates;
  assertion ensures

let loop_annot annot =
  assertion annot.loop_inv;
  List.iter (fun (_,a) -> assertion a) annot.behs_loop_inv;
  Option_misc.iter term annot.loop_var

let rec statement s =
  match s.java_statement_node with
    | JSskip 
    | JSreturn_void
    | JSbreak _ | JScontinue _ -> ()
    | JSlabel(_lab,s) -> statement s
    | JSblock l -> List.iter statement l	  
    | JSvar_decl (_vi, init, s) ->
	Option_misc.iter do_initializer init;
	statement s
    | JSif (e, s1, s2) -> expr e; statement s1; statement s2
    | JSdo (s, annot, e) ->
	statement s; loop_annot annot; expr e
    | JSwhile(e,annot,s) ->
	  expr e; loop_annot annot; statement s
    | JSfor (el1, e, annot, el2, body) ->
	List.iter expr el1;
	expr e;
	loop_annot annot;
	List.iter expr el2;
	statement body
    | JSfor_decl(decls,e,annot,sl,body) ->
	List.iter 
	  (fun (_,init) -> Option_misc.iter do_initializer init) decls;
	expr e;
	loop_annot annot;
	List.iter expr sl;
	statement body
    | JSthrow e
    | JSreturn e 
    | JSexpr e -> expr e
    | JSassert(_,_,e) -> assertion e
    | JSswitch(e,l) -> 
	expr e;
	List.iter (fun (labels,b) ->
		     List.iter switch_label labels;
		     List.iter statement b)
	  l
    | JStry(s, catches, finally) ->
	List.iter statement s;
	List.iter (fun (_,s) -> List.iter statement s) catches;
	Option_misc.iter (List.iter statement) finally
    | JSstatement_spec(req,dec,behs,s) ->
	Option_misc.iter assertion req;
	Option_misc.iter term dec;
	List.iter behavior behs;
	statement s

let param vi =
  match vi.java_var_info_type with
    | JTYarray (_, ty) -> intro_array_struct ty
    | _ -> ()

let string_of_parameters vil =
  (List.fold_right
     (fun (vi, _) acc -> "_" ^ name_type vi.java_var_info_type ^ acc) vil "")

let disambiguates_method_names () =
  let methods_list =
    Hashtbl.fold (fun _ mt acc -> mt :: acc) Java_typing.methods_table []
  in
  let methods_list =
    List.sort 
      (fun mt1 mt2 -> 
	 let mi1 = mt1.Java_typing.mt_method_info in
	 let mi2 = mt2.Java_typing.mt_method_info in
	   String.compare mi1.method_info_trans_name mi2.method_info_trans_name)
      methods_list 
  in
  let rec disambiguates methods_list =
    match methods_list with
      | [] | [_] -> ()
      | mt1::(mt2::_ as tl) ->
	  let mi1 = mt1.Java_typing.mt_method_info in
	  let mi2 = mt2.Java_typing.mt_method_info in
	    if mi1.method_info_trans_name = mi2.method_info_trans_name then
	      begin
		mi1.method_info_trans_name <-
		  mi1.method_info_trans_name ^
		  string_of_parameters mi1.method_info_parameters;
		mi2.method_info_trans_name <-
		  mi2.method_info_trans_name ^
		  string_of_parameters mi2.method_info_parameters;
	      end;
	    disambiguates tl
  in
    disambiguates methods_list;
    List.iter
      (fun mt -> Hashtbl.replace Java_typing.methods_table
	 mt.Java_typing.mt_method_info.method_info_tag mt)
      methods_list

let do_method mi _req _behs body =
(*
  Option_misc.iter assertion req;
  ... behs
*)
  mi.method_info_trans_name <-
    (get_method_info_class_or_interface_name mi) ^ "_" ^
    mi.method_info_name;
  disambiguates_method_names ();
  List.iter param (List.map fst mi.method_info_parameters);
  Option_misc.iter (List.iter statement) body;
  Option_misc.iter param mi.method_info_result


let do_constructor ci _req _behs body =
(*
  let l = ci.constr_info_class.class_info_constructors in
  if List.length l >= 2 then
    begin
*)
      ci.constr_info_trans_name <-
	"cons_" ^ ci.constr_info_class.class_info_name ^
	string_of_parameters ci.constr_info_parameters;
(*
    end;
*)
  List.iter statement body

let do_field fi =
  match fi.java_field_info_type with
    | JTYarray (_, ty) -> intro_array_struct ty
    | _ -> ()

let do_type ty =
  match ty with
    | TypeClass ci -> 
	List.iter do_field ci.class_info_fields
    | TypeInterface ii -> 
	List.iter do_field ii.interface_info_fields


(*
Local Variables: 
compile-command: "make -j -C .. bin/krakatoa.byte"
End: 
*)

why-2.39/java/java_callgraph.ml0000644000106100004300000002766613147234006015463 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

open Java_env
open Java_tast

let rec term acc t =
  match t.java_term_node with
    | JTlit _ | JTvar _
    | JTstatic_field_access _ -> acc
    | JTapp (f,_labs,lt) -> f::(List.fold_left term acc lt)
    | JTat(t,_) -> term acc t
    | JTbin (t1,_,_,t2) -> term (term acc t1) t2
    | JTbin_obj (t1,_,t2) -> term (term acc t1) t2
    | JTun (_,_,t1) -> term acc t1
    | JTif(t1,t2,t3) -> term (term (term acc t1) t2) t3
(*
    | JTinstanceof(t,_)
    | JTunary (_,t)
*)
    | JTcast(_,t) -> term acc t
    | JTarray_access (t1, t2) -> term (term acc t1) t2
    | JTarray_range (t1, t2, t3) ->
	Option_misc.fold_left term
	  (Option_misc.fold_left term (term acc t1) t2) t3
    | JTarray_length t1
    | JTfield_access (t1, _) -> term acc t1

let rec assertion acc p =
  match p.java_assertion_node with
  | JAtrue
  | JAfalse -> acc
  | JAat(a,_lab) -> assertion acc a
  | JAnot a -> assertion acc a
  | JAbin_obj(t1,_,t2)
  | JAbin(t1,_,_,t2) -> term (term acc t1) t2
  | JAapp(f,_labs,lt) -> f::(List.fold_left term acc lt)
  | JAand(p1,p2) | JAor(p1,p2)
  | JAimpl (p1,p2) | JAiff(p1,p2) ->
      assertion (assertion acc p1) p2
  | JAif(t1,p2,p3) ->
      assertion (assertion (term acc t1) p2) p3
  | JAquantifier (_,_,p) -> assertion acc p
  | JAfresh t | JAbool_expr t | JAinstanceof (t, _, _) -> term acc t


let rec expr acc e : 'a list =
  match e.java_expr_node with
    | JElit _
    | JEvar _
    | JEincr_local_var _
    | JEstatic_field_access _ -> acc
    | JEcall (e, mi, args) ->
	List.fold_left expr (expr (MethodInfo mi::acc) e) args
    | JEconstr_call (e, ci, args) ->
	List.fold_left expr (expr (ConstructorInfo ci::acc) e) args
    | JEstatic_call (mi, args) ->
	List.fold_left expr (MethodInfo mi::acc) args
    | JEnew_array(_ty, dims) ->
	List.fold_left expr acc dims
    | JEnew_object(ci,args) ->
	List.fold_left expr (ConstructorInfo ci::acc) args
    | JEif(e1,e2,e3)
    | JEassign_array (e1, e2, e3)
    | JEassign_array_op (e1, e2, _, e3)->
	expr (expr (expr acc e1) e2) e3
    | JEassign_local_var_op (_, _, e)
    | JEassign_local_var (_, e)
    | JEassign_static_field ( _, e)
    | JEassign_static_field_op ( _, _, e)
    | JEarray_length e
    | JEfield_access (e, _)
    | JEincr_field (_,e,_)
    | JEun (_, e) -> expr acc e
    | JEassign_field (e1, _, e2)
    | JEassign_field_op (e1, _, _, e2)
    | JEarray_access (e1, e2)
    | JEbin (e1, _, e2) | JEincr_array (_, e1, e2) ->
	expr (expr acc e1) e2
    | JEinstanceof(e,_)
    | JEcast (_,e) -> expr acc e

let initialiser acc i =
  match i with
    | JIexpr e -> expr acc e
    | _ -> assert false (* TODO *)

(*
let loop_annot acc la =
  term (assertion acc la.java_loop_invariant) la.java_loop_variant
*)

let behavior acc (_id,assumes,_throws,assigns,allocates,ensures) =
  let acc = Option_misc.fold_left assertion acc assumes in
  let acc =
    match assigns with
      | None -> acc
      | Some(_,l) -> List.fold_left term acc l
  in
  let acc =
    match allocates with
      | None -> acc
      | Some(_,l) -> List.fold_left term acc l
  in
  assertion acc ensures

let variant acc v =
  match v with
    | None -> acc
    | Some(dec,None) -> term acc dec
    | Some(dec,Some fi) -> term (fi::acc) dec

let loop_annot acc annot =
  let acc = assertion acc annot.loop_inv in
  let acc =
    List.fold_left (fun acc (_,a) -> assertion acc a) acc annot.behs_loop_inv
  in
  variant acc annot.loop_var

let rec statement acc s : ('a list * 'b list) =
  match s.java_statement_node with
    | JSif(e, s1, s2) ->
	let (a,b) = acc in
	let b = expr b e in
	  statement (statement (a,b) s1) s2
    | JSblock sl ->
	List.fold_left statement acc sl
    | JStry (s, catches, finally) ->
	let acc = List.fold_left statement acc s in
	let acc =
	  List.fold_left
	    (fun acc (_,s) -> List.fold_left statement acc s)
	    acc catches
	in
	  Option_misc.fold
	    (fun b acc -> List.fold_left statement acc b) finally acc
    | JSassert(_,_,t) -> let (a,b) = acc in (assertion a t,b)
    | JSreturn_void
    | JSbreak _ -> acc
    | JScontinue _ -> acc
    | JSlabel(_lab,s) ->	statement acc s
    | JSswitch (e, l)->
	let (a,b) = acc in
	let b = expr b e in
	  List.fold_left
	    (fun acc (_cases,body) -> statements acc body)
	    (a,b) l
    | JSthrow e
    | JSreturn e
    | JSexpr e -> let (a, b) = acc in (a, expr b e)
    | JSfor (inits, cond, annot, updates, body)->
	let (a, b) = acc in
	let b = List.fold_left expr
	  (List.fold_left expr (expr b cond) updates)
	  inits
	in
	let a = loop_annot a annot in
	statement (a, b) body
    | JSfor_decl (inits, cond, annot, updates, body)->
	let (a,b) = acc in
	let b = List.fold_left
	  (fun acc (_vi,i) -> Option_misc.fold_left initialiser acc i)
	  (List.fold_left expr (expr b cond) updates)
	  inits
	in
	let a = loop_annot a annot in
	statement (a,b) body
    | JSdo (body, annot, cond)->
	let a, b = acc in
	let a, b = statement (a, b) body in
	let a = loop_annot a annot in
	let b = expr b cond in
	a, b
    | JSwhile (cond, annot, body)->
	let (a,b) = acc in
	let b = expr b cond in
	let a = loop_annot a annot in
	statement (a,b) body
    | JSvar_decl (_vi, init, s)->
	let (a,b)=acc in
	statement (a,Option_misc.fold_left initialiser b init) s
    | JSskip -> acc
    | JSstatement_spec(req,dec,behs,s) ->
	let (a,b) = acc in
	let a = Option_misc.fold_left assertion a req in
	let a = variant a dec in
	let a = List.fold_left behavior a behs in
	statement (a,b) s

and statements acc l = List.fold_left statement acc l

let compute_logic_calls f (t : [< Java_typing.logic_decl_body]) =
  let calls =
    match t with
      | `Term t -> term [] t
      | `Assertion a -> assertion [] a
      | `None -> []
      | `Reads r -> List.fold_left term [] r
      | `Inductive l ->
	  List.fold_left
	    (fun acc (_,_,a) -> assertion acc a) [] l
      | `Builtin -> []
  in
  f.java_logic_info_calls <- calls

let compute_calls f _req body =
  let (_a, b) = List.fold_left statement ([], []) body in
    f.method_info_calls <- b

let compute_constr_calls f _req body =
  let (_a, b) = List.fold_left statement ([], []) body in
    f.constr_info_calls <- b

module LogicCallGraph = struct
  type t = (int, (java_logic_info * Java_typing.logic_def_body)) Hashtbl.t
  module V = struct
    type t = java_logic_info
    let compare f1 f2 = Pervasives.compare f1.java_logic_info_tag f2.java_logic_info_tag
    let hash f = f.java_logic_info_tag
    let equal f1 f2 = f1 == f2
  end
  let iter_vertex iter =
    Hashtbl.iter (fun _ (f,_a) -> iter f)
  let iter_succ iter _ f =
    List.iter iter f.java_logic_info_calls
  end

module LogicCallComponents = Graph.Components.Make(LogicCallGraph)

open Format
open Pp


type method_or_constructor_data =
  | MethodData of Java_typing.method_table_info
  | ConstructorData of Java_typing.constructor_table_info

let method_or_constructor_tag x =
  match x with
    | MethodInfo mi -> mi.method_info_tag
    | ConstructorInfo ci -> ci.constr_info_tag

let method_or_constructor_info mt =
  match mt with
    | MethodData mti -> MethodInfo mti.Java_typing.mt_method_info
    | ConstructorData cti -> ConstructorInfo cti.Java_typing.ct_constr_info

let print_method_or_constr fmt f =
  match f with
    | MethodInfo fi ->
	fprintf fmt "%a.%s" Java_typing.print_type_name
	  fi.method_info_class_or_interface fi.method_info_name
    | ConstructorInfo ci -> fprintf fmt "%s" ci.constr_info_trans_name

let method_or_constr_calls f =
  match f with
    | MethodInfo fi -> fi.method_info_calls
    | ConstructorInfo ci -> ci.constr_info_calls


module CallGraph = struct
  type t = (int, method_or_constructor_data) Hashtbl.t
  module V = struct
    type t = method_or_constructor_info

    let compare f1 f2 =
      Pervasives.compare
	(method_or_constructor_tag f1) (method_or_constructor_tag f2)

    let hash f = method_or_constructor_tag f
    let equal f1 f2 = method_or_constructor_tag f1 == method_or_constructor_tag f2
  end
  let iter_vertex iter g =
    Hashtbl.iter
      (fun _i mti ->
	 let f = method_or_constructor_info mti in
	 iter f) g
  let iter_succ iter _ f =
    List.iter iter
      (match f with
	 | MethodInfo fi -> fi.method_info_calls
	 | ConstructorInfo ci -> ci.constr_info_calls)
  end
module CallComponents = Graph.Components.Make(CallGraph)

let compute_logic_components ltable =
  let tab_comp = LogicCallComponents.scc_array ltable in
  Java_options.lprintf "***********************************\n";
  Java_options.lprintf "Logic call graph: has %d components\n"
    (Array.length tab_comp);
  Java_options.lprintf "***********************************\n";
  Array.iteri
    (fun i l ->
       Java_options.lprintf "Component %d:\n%a@." i
	 (print_list newline
	    (fun fmt f -> fprintf fmt " %s calls: %a\n" f.java_logic_info_name
		 (print_list comma
		    (fun fmt f -> fprintf fmt "%s" f.java_logic_info_name))
		 f.java_logic_info_calls))
	 l)
    tab_comp;
  tab_comp


let compute_components methods constrs =
  let h = Hashtbl.create 97 in
  Hashtbl.iter
    (fun _ mti ->
       Hashtbl.add h
	 mti.Java_typing.mt_method_info.method_info_tag (MethodData mti))
    methods;
  Hashtbl.iter
    (fun _ cti ->
       Hashtbl.add h
	 cti.Java_typing.ct_constr_info.constr_info_tag (ConstructorData cti))
    constrs;
  let _n,comp = CallComponents.scc h in
  let tab_comp = CallComponents.scc_array h in
  Java_options.lprintf "******************************@\n";
  Java_options.lprintf "Call graph: has %d components@\n" (Array.length tab_comp);
  Java_options.lprintf "******************************@\n";
  Array.iteri
    (fun i l ->
       Java_options.lprintf "Component %d:@\n%a@." i
	 (print_list newline
	    (fun fmt f -> fprintf fmt " - %a calls: %a@\n"
	       print_method_or_constr f
	       (print_list comma
		  (fun fmt f -> fprintf fmt "%a(%d)"
		     print_method_or_constr f (comp f)))
	       (method_or_constr_calls f)))
	 l)
    tab_comp;
  tab_comp




(*
Local Variables:
compile-command: "make -j -C .. bin/krakatoa.byte"
End:
*)
why-2.39/java/java_callgraph.mli0000644000106100004300000000543613147234006015623 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

val compute_logic_calls : Java_env.java_logic_info -> [< Java_typing.logic_decl_body] -> unit

val compute_calls : Java_env.method_info -> 'a -> Java_tast.statement list -> unit

val compute_constr_calls : Java_env.constructor_info -> 'a -> Java_tast.statement list -> unit

val compute_logic_components : 
  (int, (Java_env.java_logic_info * Java_typing.logic_def_body)) Hashtbl.t -> 
  Java_env.java_logic_info list array

val compute_components : 
  (int, Java_typing.method_table_info) Hashtbl.t -> 
  (int, Java_typing.constructor_table_info) Hashtbl.t -> 
  Java_env.method_or_constructor_info list array

why-2.39/java/java_pervasives.ml0000644000106100004300000001550213147234006015677 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



(*** Utility functions ***)


open Java_env

(* for method_info types *)

let get_method_info_class_or_interface_name mi =
  match mi.method_info_class_or_interface with
    | TypeClass ci -> ci.class_info_name
    | TypeInterface ii -> ii.interface_info_name
(*
    | TypeLogic _ -> assert false
*)

open Java_ast

(* for parsed exprs *)

let expr_no_loc e = 
  { java_pexpr_loc = Loc.dummy_position ; java_pexpr_node = e }

let expr_node_true = JPElit(Bool true)

let expr_true = expr_no_loc expr_node_true

let expr_zero = expr_no_loc (JPElit(Integer "0"))


open Java_tast

(* for typed statements *)

let make_statement_no_loc node = 
  { java_statement_loc = Loc.dummy_position ; java_statement_node = node }
    
(* for typed exprs *)

let make_expr_no_loc t node = 
  { java_expr_loc = Loc.dummy_position ;
    java_expr_type = t ;
    java_expr_node = node }
    
    
(*
let default_loop_annotation =
  { kml_loop_invariant = expr_true;
    kml_loop_assigns = None;
    kml_loop_variant = expr_zero;
  }

let default_method_specification =
  { kml_requires = expr_true;
  }
*)

open Java_env

let null_type = JTYnull
let unit_type = JTYbase Tunit
let boolean_type = JTYbase Tboolean
let integer_type = JTYbase Tinteger
let int_type = JTYbase Tint
let real_type = JTYbase Treal
let double_type = JTYbase Tdouble
let float_type = JTYbase Tfloat
let logic_string_type = JTYbase Tstring

let min_byte = Num.num_of_string "-128"
let max_byte = Num.num_of_string "127"
let min_short = Num.num_of_string "-32768"
let max_short = Num.num_of_string "32767"
let min_int = Num.num_of_string "-2147483648"
let max_int = Num.num_of_string "2147483647"
let min_long = Num.num_of_string "-9223372036854775808"
let max_long = Num.num_of_string "9223372036854775807"
let min_char = Num.num_of_string "0"
let max_char = Num.num_of_string "65535"

let in_byte_range n = Num.le_num min_byte n && Num.le_num n max_byte
let in_short_range n = Num.le_num min_short n && Num.le_num n max_short
let in_char_range n = Num.le_num min_char n && Num.le_num n max_char

(* variables *)

module StringSet = Set.Make(String)

(* used names (in order to rename identifiers when necessary) *)
let used_names = Hashtbl.create 97

let mark_as_used x = 
  Hashtbl.add used_names x ()

let () = 
  List.iter mark_as_used 
    (* Jessie reserved names *)
    [ "tag"; "type" ; "end" ; "begin" ; "let" ; "in"]

let is_used_name n = Hashtbl.mem used_names n

let use_name ?local_names n = 
  if is_used_name n then raise Exit; 
  begin match local_names with 
    | Some h -> if StringSet.mem n h then raise Exit 
    | None -> () 
  end;
  mark_as_used n;
  n

let rec next_name ?local_names n i = 
  let n_i = n ^ "_" ^ string_of_int i in
  try use_name ?local_names n_i 
  with Exit -> next_name ?local_names n (succ i)

let get_unique_name ?local_names n = 
  try use_name ?local_names n 
  with Exit -> next_name ?local_names n 0

let get_final_name id =
  if id = "\\result" then id else
    get_unique_name id


let new_var =
  let var_tag_counter = ref 0 in
  fun loc ty id ->
    incr var_tag_counter;
    let vi = {
      java_var_info_tag = !var_tag_counter;
      java_var_info_name = id;
      java_var_info_decl_loc = loc;
      java_var_info_final_name = get_final_name id;
      java_var_info_type = ty;
      java_var_info_assigned = false;
    }
    in vi

(* logic functions *)

let logic_info = 
  let logic_tag_counter = ref 0 in
  fun id ty labels pars ->
    incr logic_tag_counter;
    { java_logic_info_tag = !logic_tag_counter;
      java_logic_info_name = id;
      java_logic_info_labels = labels;
      java_logic_info_parameters = pars;
      java_logic_info_result_type = ty;
      java_logic_info_calls = [];
    }

(*
let real_max_fi = 
  let x = new_var Loc.dummy_position real_type "x" in
  let y = new_var Loc.dummy_position real_type "y" in
  logic_info "\\real_max" (Some real_type) [] [x;y] 
*)

let builtin_logic_symbols =
  [ (Some real_type, "\\cos", [real_type]) ;
    (Some real_type, "\\real_abs", [real_type]) ;
    (Some real_type, "\\real_max", [real_type; real_type]) ;
    (Some real_type, "\\real_min", [real_type; real_type]) ;
    (Some integer_type, "\\int_max", [integer_type; integer_type]) ;
    (Some integer_type, "\\int_min", [integer_type; integer_type]) ;
  ]


(* AG, 08/13/2009. 
   For (Java_typing.get_type_decl ... JPTimport(...)). *)
(* From a qualified identifier qid to a string.
  Can be used to implement Java_???.print_qualified_ident. *)
let rec qualified_ident2string qid separator = 
  match qid with
    | [] -> ""
    | [(_,id)] -> id
    | (_,id)::r ->
        (qualified_ident2string r separator) ^ separator ^ id

(*
Local Variables: 
compile-command: "make -C .. bin/krakatoa.byte"
End: 
*)
why-2.39/java/java_options.ml0000644000106100004300000001376013147234006015207 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)



open Format

(*s The log file *)

let c = ref stdout

let log =
  c := open_out "krakatoa.log";
  Format.formatter_of_out_channel !c

let lprintf s = Format.fprintf log s

let close_log () =
  lprintf "End of log.@.";
  close_out !c;
  c := stdout

(*s environment variables *)

let libdir =
  try
    let v = Sys.getenv "KRAKATOALIB" in
    lprintf "KRAKATOALIB is set to %s@." v;
    v
  with Not_found ->
    let p = Version.libdir in
    lprintf "KRAKATOALIB is not set, using %s as default@." p;
    p

let rec split ch s =
  try
    let i = String.index s ch in
    let h = String.sub s 0 i
    and t = String.sub s (i+1) (String.length s - i - 1)
    in
    h::(split ch t)
  with
    Not_found -> [s]


let libfile = "krakatoa.why"

let javacard = ref false


(*s command-line options *)

let parse_only = ref false
let type_only = ref false
let gen_only = ref false
let abstract = ref ""
let print_graph = ref false
let debug = ref false
let verbose = ref false
let werror = ref false
let why3cmd = ref ""
let ignore_overflow = ref false
let nonnull_sem = ref Java_env.NonNullNone
let minimal_class_hierarchy = ref false
let termination_policy = ref Jc_env.TPalways

(* Jessie options *)
let inv_sem = ref Jc_env.InvArguments
let separation_policy = ref Jc_env.SepNone
let annotation_sem = ref Jc_env.AnnotNone
let ai_domain = ref Jc_env.AbsNone

let add_why3cmd s =
  if !why3cmd = "" then why3cmd := s else
    raise (Arg.Bad "option -why3cmd cannot be given twice")

let files_ = ref []
let add_file f = files_ := f :: !files_
let files () = List.rev !files_

let version () =
  Format.printf Version.banner "Krakatoa" Version.version;
  exit 0

let usage = "krakatoa [options] files"

let _ =
  Arg.parse
      [ "-parse-only", Arg.Set parse_only,
	  "  stops after parsing";
        "-type-only", Arg.Set type_only,
	  "  stops after typing";
	"-abstract", Arg.String ((:=) abstract),
	  "  stops after typing and output abstract view to " ;
	"-gen-only", Arg.Set gen_only,
	  "  stops after producing .jc" ;
        "-print-call-graph", Arg.Set print_graph,
	  "  stops after call graph and print call graph";
        "-d", Arg.Set debug,
          "  debugging mode";
        "-why3", Arg.String add_why3cmd,
	  "    (default: ide)";
	"-v", Arg.Set verbose,
          "  verbose mode";
	"-q", Arg.Clear verbose,
          "  quiet mode (default)";
	"-werror", Arg.Set werror,
          "  treats warnings as errors";
	"-version", Arg.Unit version,
          "  prints version and exit";
	"-javacard", Arg.Set javacard,
	  "  source is Java Card";
	"-nonnull-sem", Arg.String
	  (function
	     | "none" -> nonnull_sem := Java_env.NonNullNone
	     | "fields" -> nonnull_sem := Java_env.NonNullFields
	     | "all" -> nonnull_sem := Java_env.NonNullAll
	     | s -> raise (Arg.Bad ("Unknown nonnull_sem: " ^ s))),
	"   nonnull-by-default semantics: none (default), fields, all";
      ]
      add_file usage

let usage () =
  eprintf "usage: %s@." usage;
  exit 2

let parse_only = !parse_only
let type_only = !type_only
let print_graph = !print_graph
let debug = !debug
let verbose = !verbose
let werror = !werror
let why3cmd = if !why3cmd = "" then "ide" else !why3cmd

let classpath =
  let p =
    try
      let v = Sys.getenv "KRAKATOACLASSPATH" in
	lprintf "KRAKATOACLASSPATH is set to %s@." v;
	split ':' v
    with Not_found ->
      let p = Filename.concat libdir
	(if !javacard then "javacard_api" else "java_api")
      in
	lprintf "KRAKATOACLASSPATH is not set, using %s as default@." p;
	[p]
  in
    "." :: p


(*s error handling *)

exception Java_error of Loc.position * string

let parsing_error l f =
  Format.ksprintf
    (fun s ->
       let s = if s="" then s else " ("^s^")" in
       raise (Java_error(l, "syntax error" ^ s))) f


(*
Local Variables:
compile-command: "make -j -C .. bin/krakatoa.byte"
End:
*)
why-2.39/COPYING0000644000106100004300000000122513147234006012264 0ustar  marchevalsThe Why platform for program certification
Copyright (C) 2002-2008
  Romain BARDOU
  Jean-François COUCHOT
  Mehdi DOGGUY
  Jean-Christophe FILLIÂTRE
  Thierry HUBERT
  Claude MARCHÉ
  Yannick MOY
  Christine PAULIN
  Yann RÉGIS-GIANAS
  Nicolas ROUSSET
  Xavier URBAIN

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU Library General Public License version 2.1,
with the special exception on linking described in file LICENSE.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

why-2.39/atp/0000755000106100004300000000000013147234006012015 5ustar  marchevalswhy-2.39/atp/propexamples.ml0000644000106100004300000003405413147234006015074 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

(* ========================================================================= *)
(* Some propositional formulas to test, and functions to generate classes.   *)
(*                                                                           *)
(* Copyright (c) 2003, John Harrison. (See "LICENSE.txt" for details.)       *)
(* ========================================================================= *)

START_INTERACTIVE;;

forall tautology
 [<
 q <=> ~q ==> ~p>>;
  <<~ ~p <=> p>>;
  <<~(p ==> q) ==> q ==> p>>;
  <<~p ==> q <=> ~q ==> p>>;
  <<(p \/ q ==> p \/ r) ==> p \/ (q ==> r)>>;
  <
>;
  <
>;
  <<((p ==> q) ==> p) ==> p>>;
  <<(p \/ q) /\ (~p \/ q) /\ (p \/ ~q) ==> ~(~q \/ ~q)>>;
  <<(q ==> r) /\ (r ==> p /\ q) /\ (p ==> q /\ r) ==> (p <=> q)>>;
  <
 p>>;
  <<((p <=> q) <=> r) <=> (p <=> (q <=> r))>>;
  <
 (p \/ q) /\ (p \/ r)>>;
  <<(p <=> q) <=> (q \/ ~p) /\ (~q \/ p)>>;
  <
 q <=> ~p \/ q>>;
  <<(p ==> q) \/ (q ==> p)>>;
  <
 r) ==> s <=> (~p \/ q \/ s) /\ (~p \/ ~r \/ s)>>];;

(* ------------------------------------------------------------------------- *)
(* Some graph-colouring examples.                                            *)
(* ------------------------------------------------------------------------- *)

let fm =
 <<(a1 \/ a2 \/ a3) /\
   (b1 \/ b2 \/ b3) /\
   (c1 \/ c2 \/ c3) /\
   (d1 \/ d2 \/ d3) /\
   ~(a1 /\ a2) /\ ~(a1 /\ a3) /\ ~(a2 /\ a3) /\
   ~(b1 /\ b2) /\ ~(b1 /\ b3) /\ ~(b2 /\ b3) /\
   ~(c1 /\ c2) /\ ~(c1 /\ c3) /\ ~(c2 /\ c3) /\
   ~(d1 /\ d2) /\ ~(d1 /\ d3) /\ ~(d2 /\ d3) /\
   ~(a1 /\ d1) /\ ~(a2 /\ d2) /\ ~(a3 /\ d3) /\
   ~(b1 /\ d1) /\ ~(b2 /\ d2) /\ ~(b3 /\ d3) /\
   ~(c1 /\ d1) /\ ~(c2 /\ d2) /\ ~(c3 /\ d3) /\
   ~(a1 /\ b1) /\ ~(a2 /\ b2) /\ ~(a3 /\ b3) /\
   ~(b1 /\ c1) /\ ~(b2 /\ c2) /\ ~(b3 /\ c3) /\
   ~(c1 /\ a1) /\ ~(c2 /\ a2) /\ ~(c3 /\ a3)>>;;

satisfiable fm;;

END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Generate assertion equivalent to R(s,t) <= n for the Ramsey number R(s,t) *)
(* ------------------------------------------------------------------------- *)

let var l =
  match l with
    [m;n] -> Atom(P("p_"^(string_of_int m)^"_"^(string_of_int n)))
  | _ -> failwith "var: expected 2-element list";;

let ramsey s t n =
  let vertices = 1 -- n in
  let yesgrps = map (allsets 2) (allsets s vertices)
  and nogrps = map (allsets 2) (allsets t vertices) in
  Or(list_disj (map (list_conj ** map var) yesgrps),
     list_disj (map (list_conj ** map (fun p -> Not(var p))) nogrps));;

(* ------------------------------------------------------------------------- *)
(* Some currently tractable examples.                                        *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;

ramsey 3 3 4;;

tautology(ramsey 3 3 5);;

tautology(ramsey 3 3 6);;

END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Half adder.                                                               *)
(* ------------------------------------------------------------------------- *)

let halfsum x y = Iff(x,Not y);;

let halfcarry x y = And(x,y);;

let ha x y s c = And(Iff(s,halfsum x y),Iff(c,halfcarry x y));;

(* ------------------------------------------------------------------------- *)
(* Full adder.                                                               *)
(* ------------------------------------------------------------------------- *)

let carry x y z = Or(And(x,y),And(Or(x,y),z));;

let sum x y z = halfsum (halfsum x y) z;;

let fa x y z s c = And(Iff(s,sum x y z),Iff(c,carry x y z));;

(* ------------------------------------------------------------------------- *)
(* Useful idiom.                                                             *)
(* ------------------------------------------------------------------------- *)

let conjoin f l = list_conj (map f l);;

(* ------------------------------------------------------------------------- *)
(* n-bit ripple carry adder with carry c(0) propagated in and c(n) out.      *)
(* ------------------------------------------------------------------------- *)

let ripplecarry x y c out n =
  conjoin (fun i -> fa (x i) (y i) (c i) (out i) (c(i + 1)))
          (0 -- (n - 1));;

(* ------------------------------------------------------------------------- *)
(* Example.                                                                  *)
(* ------------------------------------------------------------------------- *)

let mk_index s i = Atom(P(s^"_"^(string_of_int i)));;

START_INTERACTIVE;;

let [x; y; out; c] = map mk_index ["X"; "Y"; "OUT"; "C"];;

ripplecarry x y c out 2;;

END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Special case with 0 instead of c(0).                                      *)
(* ------------------------------------------------------------------------- *)

let ripplecarry0 x y c out n =
  psimplify
   (ripplecarry x y (fun i -> if i = 0 then False else c i) out n);;

(* ------------------------------------------------------------------------- *)
(* Example.                                                                  *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;

ripplecarry0 x y c out 2;;

END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Carry-select adder                                                        *)
(* ------------------------------------------------------------------------- *)

let ripplecarry1 x y c out n =
  psimplify
   (ripplecarry x y (fun i -> if i = 0 then True else c i) out n);;

let mux sel in0 in1 = Or(And(Not sel,in0),And(sel,in1));;

let offset n x i = x(n + i);;

let rec carryselect x y c0 c1 s0 s1 c s n k =
  let k' = min n k in
  let fm =
    And(And(ripplecarry0 x y c0 s0 k',ripplecarry1 x y c1 s1 k'),
        And(Iff(c k',mux (c 0) (c0 k') (c1 k')),
            conjoin (fun i -> Iff(s i,mux (c 0) (s0 i) (s1 i)))
                    (0 -- (k' - 1)))) in
  if k' < k then fm else
  And(fm,carryselect
            (offset k x) (offset k y) (offset k c0) (offset k c1)
            (offset k s0) (offset k s1) (offset k c) (offset k s)
            (n - k) k);;

(* ------------------------------------------------------------------------- *)
(* Equivalence problems for carry-select vs ripple carry adders.             *)
(* ------------------------------------------------------------------------- *)

let mk_adder_test n k =
  let [x; y; c; s; c0; s0; c1; s1; c2; s2] = map mk_index
      ["x"; "y"; "c"; "s"; "c0"; "s0"; "c1"; "s1"; "c2"; "s2"] in
  Imp(And(And(carryselect x y c0 c1 s0 s1 c s n k,Not(c 0)),
          ripplecarry0 x y c2 s2 n),
      And(Iff(c n,c2 n),
          conjoin (fun i -> Iff(s i,s2 i)) (0 -- (n - 1))));;

(* ------------------------------------------------------------------------- *)
(* Ripple carry stage that separates off the final result.                   *)
(*                                                                           *)
(*       UUUUUUUUUUUUUUUUUUUU  (u)                                           *)
(*    +  VVVVVVVVVVVVVVVVVVVV  (v)                                           *)
(*                                                                           *)
(*    = WWWWWWWWWWWWWWWWWWWW   (w)                                           *)
(*    +                     Z  (z)                                           *)
(* ------------------------------------------------------------------------- *)

let rippleshift u v c z w n =
  ripplecarry0 u v (fun i -> if i = n then w(n - 1) else c(i + 1))
                   (fun i -> if i = 0 then z else w(i - 1)) n;;

(* ------------------------------------------------------------------------- *)
(* Naive multiplier based on repeated ripple carry.                          *)
(* ------------------------------------------------------------------------- *)

let mult_rip x u v out n =
  if n = 1 then And(Iff(out 0,x 0 0),Not(out 1)) else
  psimplify
   (And(Iff(out 0,x 0 0),
        And(rippleshift
               (fun i -> if i = n - 1 then False else x 0 (i + 1))
               (x 1) (v 2) (out 1) (u 2) n,
            if n = 2 then And(Iff(out 2,u 2 0),Iff(out 3,u 2 1)) else
            conjoin (fun k -> rippleshift (u k) (x k) (v(k + 1)) (out k)
                                (if k = n - 1 then fun i -> out(n + i)
                                 else u(k + 1)) n) (2 -- (n - 1)))));;

(* ------------------------------------------------------------------------- *)
(* One stage in a sequential multiplier based on CSAs.                       *)
(*                                                                           *)
(*        UUUUUUUUUUUUUUU         (u)                                        *)
(*        VVVVVVVVVVVVVVV         (v)                                        *)
(*       XXXXXXXXXXXXXXX          (x)                                        *)
(*     ------------------------------------------------                      *)
(*       WWWWWWWWWWWWWWW          (w)                                        *)
(*       YYYYYYYYYYYYYYY          (y)                                        *)
(*                      Z         (z)                                        *)
(* ------------------------------------------------------------------------- *)

let csastage u v x z w y n =
  And(ha (u 0) (v 0) z (w 0),
      And(conjoin (fun i -> fa (u(i + 1)) (v(i + 1)) (x i)
                               (y i) (w(i + 1))) (0 -- (n - 2)),
          Iff(y(n - 1),x(n - 1))));;

(* ------------------------------------------------------------------------- *)
(* CSA-based multiplier only using ripple carry for last iteration.          *)
(* ------------------------------------------------------------------------- *)

let csa_init x u v out n =
  And(Iff(out 0,x 0 0),
      And(ha (x 0 1) (x 1 0) (out 1) (u 3 0),
          And(conjoin (fun i -> fa (x 0 (i + 2)) (x 1 (i + 1)) (x 2 i)
                                   (v 3 i) (u 3 (i + 1)))
                      (0 -- (n - 3)),
              And(ha (x 1 (n - 1)) (x 2 (n - 2))
                     (v 3 (n - 2)) (u 3 (n - 1)),
                  Iff(v 3 (n - 1),x 2 (n - 1))))));;

let mult_csa x u v out n =
  And(csa_init x u v out n,
      And(conjoin (fun i -> csastage (u i) (v i) (x i)
                                 (out(i - 1)) (u(i + 1)) (v(i + 1)) n)
                  (3 -- (n - 1)),
          rippleshift (u n) (v n) (v(n + 1))
                      (out(n - 1)) (fun i -> out(n + i)) n));;

(* ------------------------------------------------------------------------- *)
(* Equivalence for ripple vs CSA sequential multipler.                       *)
(* ------------------------------------------------------------------------- *)

let mk_index2 x i j =
  Atom(P(x^"_"^(string_of_int i)^"_"^(string_of_int j)));;

let mk_mult_test n =
  let [x; y; out; out'] = map mk_index ["x"; "y"; "**"; "p"] in
  let m i j = And(x i,y j)
  and [u; v; u'; v'] = map mk_index2 ["u"; "v"; "w"; "z"] in
  Imp(And(mult_rip m u v out n,
          mult_csa m u' v' out' n),
      conjoin (fun i -> Iff(out i,out' i)) (0 -- (n - 1)));;

(* ------------------------------------------------------------------------- *)
(* Primality examples (using CSAs since they are slightly shorter).          *)
(* For large examples, should use "num" instead of "int" in these functions. *)
(* ------------------------------------------------------------------------- *)

let rec bitlength x = if x = 0 then 0 else 1 + bitlength (x / 2);;

let rec bit n x = if n = 0 then x mod 2 = 1 else bit (n - 1) (x / 2);;

let congruent_to x m n =
  conjoin (fun i -> if bit i m then x i else Not(x i))
          (0 -- (n - 1));;

let prime p =
  let [x; y; out] = map mk_index ["x"; "y"; "out"] in
  let m i j = And(x i,y j)
  and [u; v] = map mk_index2 ["u"; "v"] in
  let n = bitlength p in
  Not(And(mult_rip m u v out (n - 1),
      congruent_to out p (max n (2 * n - 2))));;
why-2.39/atp/prop.ml0000644000106100004300000005503313147234006013335 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

(* ========================================================================= *)
(* Basic stuff for propositional logic: datatype, parsing and printing.      *)
(*                                                                           *)
(* Copyright (c) 2003, John Harrison. (See "LICENSE.txt" for details.)       *)
(* ========================================================================= *)

type prop = P of string;;

let pname(P s) = s;;

(* ------------------------------------------------------------------------- *)
(* Parsing of propositional formulas.                                        *)
(* ------------------------------------------------------------------------- *)

let parse_propvar vs inp =
  match inp with
    p::oinp when p <> "(" -> Atom(P(p)),oinp
  | _ -> failwith "parse_propvar";;

let parsep = make_parser (parse_formula parse_propvar []);;

(* ------------------------------------------------------------------------- *)
(* Set this up as default for quotations.                                    *)
(* ------------------------------------------------------------------------- *)

let default_parser = parsep;;

(* ------------------------------------------------------------------------- *)
(* Test of the parser.                                                       *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
let fm = parsep "p ==> q <=> r /\\ s \\/ (t <=> ~ ~u /\\ v)";;

let fm = <
 q <=> r /\ s \/ (t <=> ~ ~u /\ v)>>;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Printer.                                                                  *)
(* ------------------------------------------------------------------------- *)

let print_propvar prec p = print_string(pname p);;

let pr = formula_printer print_propvar;;

START_INTERACTIVE;;
#install_printer pr;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Testing the printer.                                                      *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
And(fm,fm);;

And(Or(fm,fm),fm);;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Interpretation of formulas.                                               *)
(* ------------------------------------------------------------------------- *)

let rec eval fm v =
  match fm with
    False -> false
  | True -> true
  | Atom(x) -> v(x)
  | Not(p) -> not(eval p v)
  | And(p,q) -> (eval p v) & (eval q v)
  | Or(p,q) -> (eval p v) or (eval q v)
  | Imp(p,q) -> not(eval p v) or (eval q v)
  | Iff(p,q) -> (eval p v) = (eval q v);;

(* ------------------------------------------------------------------------- *)
(* Example of how we could define connective interpretations ourselves.      *)
(* ------------------------------------------------------------------------- *)

let (-->) p q = match (p,q) with (true,false) -> false | _ -> true;;

let rec eval fm v =
  match fm with
    False -> false
  | True -> true
  | Atom(x) -> v(x)
  | Not(p) -> not(eval p v)
  | And(p,q) -> (eval p v) & (eval q v)
  | Or(p,q) -> (eval p v) or (eval q v)
  | Imp(p,q) -> eval p v --> eval q v
  | Iff(p,q) -> (eval p v) = (eval q v);;

(* ------------------------------------------------------------------------- *)
(* Example of use, showing the "partial" evaluation.                         *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
let fm = <
 q /\ r>>;;

let fm_interp = eval fm;;

eval fm (function P"p" -> true | P"q" -> false | P"r" -> true);;

eval fm (function P"p" -> true | P"q" -> true | P"r" -> false);;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Return the set of propositional variables in a formula.                   *)
(* ------------------------------------------------------------------------- *)

let atoms fm = atom_union (fun a -> [a]) fm;;

(* ------------------------------------------------------------------------- *)
(* Example.                                                                  *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
atoms <
 ~p \/ (r <=> s)>>;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Code to print out truth tables.                                           *)
(* ------------------------------------------------------------------------- *)

let rec onallvaluations subfn v pvs =
  match pvs with
    [] -> subfn v
  | p::ps -> let v' t q = if q = p then t else v(q) in
             onallvaluations subfn (v' false) ps &
             onallvaluations subfn (v' true) ps;;

let print_truthtable fm =
  let pvs = atoms fm in
  let width = itlist (max ** String.length ** pname) pvs 5 + 1 in
  let fixw s = s^String.make(width - String.length s) ' ' in
  let truthstring p = fixw (if p then "true" else "false") in
  let mk_row v =
     let lis = map (fun x -> truthstring(v x)) pvs
     and ans = truthstring(eval fm v) in
     print_string(itlist (^) lis ("| "^ans)); print_newline();
     true in
  let separator = String.make (width * length pvs + 9) '-' in
  print_string(itlist (fun s t -> fixw(pname s) ^ t) pvs "| formula");
  print_newline(); print_string separator; print_newline();
  onallvaluations mk_row (fun x -> false) pvs;
  print_string separator; print_newline();;

(* ------------------------------------------------------------------------- *)
(* Example.                                                                  *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
let fm = <
 q /\ r>>;;

print_truthtable fm;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Additional examples illustrating formula classes.                         *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
print_truthtable <<((p ==> q) ==> p) ==> p>>;;

print_truthtable <
>;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Recognizing tautologies.                                                  *)
(* ------------------------------------------------------------------------- *)

let tautology fm =
  onallvaluations (eval fm) (fun s -> false) (atoms fm);;

(* ------------------------------------------------------------------------- *)
(* Examples.                                                                 *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
tautology <
>;;
tautology <
 p>>;;
tautology <
 q \/ (p <=> q)>>;;
tautology <<(p \/ q) /\ ~(p /\ q) ==> (~p <=> q)>>;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Related concepts.                                                         *)
(* ------------------------------------------------------------------------- *)

let unsatisfiable fm = tautology(Not fm);;

let satisfiable fm = not(unsatisfiable fm);;

(* ------------------------------------------------------------------------- *)
(* Substitution operation.                                                   *)
(* ------------------------------------------------------------------------- *)

let propsubst subfn = onatoms (fun p -> tryapplyd subfn p (Atom p));;

(* ------------------------------------------------------------------------- *)
(* Example.                                                                  *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
let pandq = <
>;;

propsubst (P"p" := pandq) pandq;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Surprising tautologies including Dijkstra's "Golden rule".                *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
tautology <<(p ==> q) \/ (q ==> p)>>;;

tautology <
 r) <=> (p \/ q <=> p \/ r)>>;;

tautology <
 ((p <=> q) <=> p \/ q)>>;;

(* ------------------------------------------------------------------------- *)
(* Some logical equivalences allowing elimination of connectives.            *)
(* ------------------------------------------------------------------------- *)

tautology < p /\ ~p>>;;
tautology < ~(p /\ ~p)>>;;
tautology <
 ~(~p /\ ~q)>>;;
tautology <
 q <=> ~(p /\ ~q)>>;;
tautology <<(p <=> q) <=> ~(p /\ ~q) /\ ~(~p /\ q)>>;;

tautology < false ==> false>>;;
tautology <<~p <=> p ==> false>>;;
tautology <
 (p ==> q ==> false) ==> false>>;;
tautology <
 (p ==> false) ==> q>>;;
tautology(parsep
  "(p <=> q) <=> ((p ==> q) ==> (q ==> p) ==> false) ==> false");;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Dualization.                                                              *)
(* ------------------------------------------------------------------------- *)

let rec subdualize fm =
  match fm with
    False -> True
  | True -> False
  | Atom(p) -> fm
  | Not(p) -> Not(subdualize p)
  | And(p,q) -> Or(subdualize p,subdualize q)
  | Or(p,q) -> And(subdualize p,subdualize q)
  | _ -> failwith "Formula involves connectives ==> and <=>";;

let dualize fm = Not(subdualize fm);;

(* ------------------------------------------------------------------------- *)
(* Example.                                                                  *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
dualize <
>;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Routine simplification.                                                   *)
(* ------------------------------------------------------------------------- *)

let psimplify1 fm =
  match fm with
    Not False -> True
  | Not True -> False
  | And(False,q) -> False
  | And(p,False) -> False
  | And(True,q) -> q
  | And(p,True) -> p
  | Or(False,q) -> q
  | Or(p,False) -> p
  | Or(True,q) -> True
  | Or(p,True) -> True
  | Imp(False,q) -> True
  | Imp(True,q) -> q
  | Imp(p,True) -> True
  | Imp(p,False) -> Not p
  | Iff(True,q) -> q
  | Iff(p,True) -> p
  | Iff(False,q) -> Not q
  | Iff(p,False) -> Not p
  | _ -> fm;;

let rec psimplify fm =
  match fm with
  | Not p -> psimplify1 (Not(psimplify p))
  | And(p,q) -> psimplify1 (And(psimplify p,psimplify q))
  | Or(p,q) -> psimplify1 (Or(psimplify p,psimplify q))
  | Imp(p,q) -> psimplify1 (Imp(psimplify p,psimplify q))
  | Iff(p,q) -> psimplify1 (Iff(psimplify p,psimplify q))
  | _ -> fm;;

(* ------------------------------------------------------------------------- *)
(* Example.                                                                  *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
psimplify <<(true ==> (x <=> false)) ==> ~(y \/ false /\ z)>>;;

psimplify <<((x ==> y) ==> true) \/ ~false>>;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Negation normal form.                                                     *)
(* ------------------------------------------------------------------------- *)

let rec nnf fm =
  match fm with
  | And(p,q) -> And(nnf p,nnf q)
  | Or(p,q) -> Or(nnf p,nnf q)
  | Imp(p,q) -> Or(nnf(Not p),nnf q)
  | Iff(p,q) -> Or(And(nnf p,nnf q),And(nnf(Not p),nnf(Not q)))
  | Not(Not p) -> nnf p
  | Not(And(p,q)) -> Or(nnf(Not p),nnf(Not q))
  | Not(Or(p,q)) -> And(nnf(Not p),nnf(Not q))
  | Not(Imp(p,q)) -> And(nnf p,nnf(Not q))
  | Not(Iff(p,q)) -> Or(And(nnf p,nnf(Not q)),And(nnf(Not p),nnf q))
  | _ -> fm;;

(* ------------------------------------------------------------------------- *)
(* Side remark on possible alternative tautology.                            *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
tautology <<(p <=> q) <=> (p \/ ~q) /\ (~p \/ q)>>;;

(* ------------------------------------------------------------------------- *)
(* Example of NNF function in action.                                        *)
(* ------------------------------------------------------------------------- *)

let fm = <<(p <=> q) <=> ~(r ==> s)>>;;

let fm' = nnf fm;;

tautology(Iff(fm,fm'));;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* More efficient version.                                                   *)
(* ------------------------------------------------------------------------- *)

let rec nnfp fm =
  match fm with
  | Not(p) ->
        let p',p'' = nnfp p in
        p'',p'
  | And(p,q) ->
        let p',p'' = nnfp p and q',q'' = nnfp q in
        And(p',q'),Or(p'',q'')
  | Or(p,q) ->
        let p',p'' = nnfp p and q',q'' = nnfp q in
        Or(p',q'),And(p'',q'')
  | Imp(p,q) ->
        let p',p'' = nnfp p and q',q'' = nnfp q in
        Or(p'',q'),And(p',q'')
  | Iff(p,q) ->
        let p',p'' = nnfp p and q',q'' = nnfp q in
        Or(And(p',q'),And(p'',q'')),Or(And(p',q''),And(p'',q'))
  | _ -> fm,Not fm;;

let nnf fm = fst(nnfp(psimplify fm));;

(* ------------------------------------------------------------------------- *)
(* Some tautologies remarked on.                                             *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
tautology
 <<(p ==> p') /\ (q ==> q') ==> (p \/ q ==> p' \/ q')>>;;

tautology
 <<(p ==> p') /\ (q ==> q') ==> (p /\ q ==> p' /\ q')>>;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Tracking positive and negative occurrences.                               *)
(* ------------------------------------------------------------------------- *)

let rec occurrences x fm =
  match fm with
    Atom(y) ->
        (x = y,false)
  | Not(p) ->
        let pos,neg = occurrences x p in neg,pos
  | And(p,q) ->
        let pos1,neg1 = occurrences x p
        and pos2,neg2 = occurrences x q in
        (pos1 or pos2,neg1 or neg2)
  | Or(p,q) ->
        let pos1,neg1 = occurrences x p
        and pos2,neg2 = occurrences x q in
        (pos1 or pos2,neg1 or neg2)
  | Imp(p,q) ->
        let pos1,neg1 = occurrences x p
        and pos2,neg2 = occurrences x q in
        (neg1 or pos2,pos1 or neg2)
  | Iff(p,q) ->
        let pos1,neg1 = occurrences x p
        and pos2,neg2 = occurrences x q in
        if pos1 or pos2 or neg1 or neg2 then (true,true)
        else (false,false)
  | _ -> (false,false);;

(* ------------------------------------------------------------------------- *)
(* Disjunctive normal form (DNF) via truth tables.                           *)
(* ------------------------------------------------------------------------- *)

let list_conj l =
  if l = [] then True else end_itlist (fun p q -> And(p,q)) l;;

let list_disj l =
  if l = [] then False else end_itlist (fun p q -> Or(p,q)) l;;

let mk_lits pvs v =
  list_conj (map (fun p -> if eval p v then p else Not p) pvs);;

let rec allsatvaluations subfn v pvs =
  match pvs with
    [] -> if subfn v then [v] else []
  | p::ps -> let v' t q = if q = p then t else v(q) in
             allsatvaluations subfn (v' false) ps @
             allsatvaluations subfn (v' true) ps;;

let dnf fm =
  let pvs = atoms fm in
  let satvals = allsatvaluations (eval fm) (fun s -> false) pvs in
  list_disj (map (mk_lits (map (fun p -> Atom p) pvs)) satvals);;

(* ------------------------------------------------------------------------- *)
(* Examples.                                                                 *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
let fm = <<(p /\ (q \/ r /\ s)) /\ (~p \/ ~q \/ ~s)>>;;

dnf fm;;

print_truthtable fm;;

let fm = <
>;;

dnf fm;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* DNF via distribution.                                                     *)
(* ------------------------------------------------------------------------- *)

let rec distrib fm =
  match fm with
    And(p,(Or(q,r))) -> Or(distrib(And(p,q)),distrib(And(p,r)))
  | And(Or(p,q),r) -> Or(distrib(And(p,r)),distrib(And(q,r)))
  | _ -> fm;;

let rec rawdnf fm =
  match fm with
    And(p,q) -> distrib(And(rawdnf p,rawdnf q))
  | Or(p,q) -> Or(rawdnf p,rawdnf q)
  | _ -> fm;;

(* ------------------------------------------------------------------------- *)
(* Example.                                                                  *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
let fm = <<(p /\ (q \/ r /\ s)) /\ (~p \/ ~q \/ ~s)>>;;

rawdnf fm;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* A version using a list representation.                                    *)
(* ------------------------------------------------------------------------- *)

let distrib s1 s2 = allpairs union s1 s2;;      (** Value restriction hell!  *)
                                                (** Need it for FOL formulas *)
let rec purednf fm =
  match fm with
    And(p,q) -> distrib (purednf p) (purednf q)
  | Or(p,q) -> union (purednf p) (purednf q)
  | _ -> [[fm]];;

(* ------------------------------------------------------------------------- *)
(* Example.                                                                  *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
purednf fm;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Filtering out noncontradictory disjuncts only.                            *)
(* ------------------------------------------------------------------------- *)

let negative = function (Not p) -> true | _ -> false;;

let positive lit = not(negative lit);;

let negate = function (Not p) -> p | p -> Not p;;

let contradictory lits =
  let pos,neg = partition positive lits in
  intersect pos (map negate neg) <> [];;

(* ------------------------------------------------------------------------- *)
(* Example.                                                                  *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
filter (non contradictory) (purednf fm);;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* With subsumption checking, done very naively (quadratic).                 *)
(* ------------------------------------------------------------------------- *)

let subsumes s1 s2 = psubset s2 s1;;

let subsume cls =
  filter (fun cl -> not(exists (subsumes cl) cls)) cls;;

let simpdnf fm =
  if fm = False then []
  else if fm = True then [[]]
  else subsume (filter (non contradictory) (purednf(nnf fm)));;

(* ------------------------------------------------------------------------- *)
(* Mapping back to a formula.                                                *)
(* ------------------------------------------------------------------------- *)

let dnf fm = list_disj(map list_conj (simpdnf fm));;

(* ------------------------------------------------------------------------- *)
(* Example.                                                                  *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
dnf fm;;

tautology(Iff(fm,dnf fm));;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Conjunctive normal form (CNF) by duality.                                 *)
(* ------------------------------------------------------------------------- *)

let purecnf fm = smap (smap negate) (purednf(nnf(Not fm)));;

let simpcnf fm = subsume (filter (non contradictory) (purecnf fm));;

let cnf fm = list_conj(map list_disj (simpcnf fm));;

(* ------------------------------------------------------------------------- *)
(* Example.                                                                  *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
cnf fm;;

cnf(Iff(fm,cnf fm));;
END_INTERACTIVE;;
why-2.39/atp/make.ml0000644000106100004300000001056213147234006013270 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

(* ========================================================================= *)
(* Load theorem proving example code into OCaml toplevel.                    *)
(*                                                                           *)
(* Copyright (c) 2003, John Harrison. (See "LICENSE.txt" for details.)       *)
(* ========================================================================= *)

#load "nums.cma";;                                     (* For Ocaml 3.06     *)
#load "camlp4o.cma";;                                  (* For quotations     *)

(* ------------------------------------------------------------------------- *)
(* Various small tweaks to OCAML's default state.                            *)
(* ------------------------------------------------------------------------- *)

Gc.set { (Gc.get()) with Gc.stack_limit = 16777216 };; (* Up the stack size  *)
Format.set_margin 72;;                                 (* Reduce margins     *)
open Format;;                                          (* Open formatting    *)
open Num;;                                             (* Open bignums       *)
let imperative_assign = (:=);;                         (* Preserve this      *)

let print_num n = print_string(string_of_num n);;      (* Avoid range limit  *)
#install_printer print_num;;                           (* when printing nums *)

(* ------------------------------------------------------------------------- *)
(* Bind these special identifiers to something so we can just do "#use".     *)
(* ------------------------------------------------------------------------- *)

type dummy_interactive = START_INTERACTIVE | END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Set up default quotation parsers for <<...>> and <<|...|>>.               *)
(* ------------------------------------------------------------------------- *)

let quotexpander s =
  if String.sub s 0 1 = "|" & String.sub s (String.length s - 1) 1 = "|" then
    "secondary_parser \""^
    (String.escaped (String.sub s 1 (String.length s - 2)))^"\""
  else "default_parser \""^(String.escaped s)^"\"";;

Quotation.add "" (Quotation.ExStr (fun x -> quotexpander));;

#use "atp.ml"
why-2.39/atp/Mk_ml_file0000755000106100004300000000016313147234006014001 0ustar  marchevalsecho "open Num;;"
echo "open Format;;"

cat $@ | sed 's/START_INTERACTIVE;;/(\*/' | sed 's/END_INTERACTIVE;;/\*)/'
why-2.39/atp/qelim.ml0000644000106100004300000002111013147234006013451 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

(* ========================================================================= *)
(* Introduction to quantifier elimination.                                   *)
(*                                                                           *)
(* Copyright (c) 2003, John Harrison. (See "LICENSE.txt" for details.)       *)
(* ========================================================================= *)

let rec disjuncts fm =
  match fm with
    Or(p,q) -> disjuncts p @ disjuncts q
  | _ -> [fm];;

let rec conjuncts fm =
  match fm with
    And(p,q) -> conjuncts p @ conjuncts q
  | _ -> [fm];;

(* ------------------------------------------------------------------------- *)
(* Lift procedure given literal modifier, formula normalizer, and a  basic   *)
(* elimination procedure for existential formulas with conjunctive body.     *)
(* ------------------------------------------------------------------------- *)

let lift_qelim afn nfn qfn =
  let rec qelift vars fm =
    match fm with
    | Atom(R(_,_)) -> afn vars fm
    | Not(p) -> Not(qelift vars p)
    | And(p,q) -> And(qelift vars p,qelift vars q)
    | Or(p,q) -> Or(qelift vars p,qelift vars q)
    | Imp(p,q) -> Imp(qelift vars p,qelift vars q)
    | Iff(p,q) -> Iff(qelift vars p,qelift vars q)
    | Forall(x,p) -> Not(qelift vars (Exists(x,Not p)))
    | Exists(x,p) ->
          let djs = disjuncts(nfn(qelift (x::vars) p)) in
          list_disj(map (qelim x vars) djs)
    | _ -> fm
  and qelim x vars p =
    let cjs = conjuncts p in
    let ycjs,ncjs = partition (mem x ** fv) cjs in
    if ycjs = [] then p else
    let q = qfn vars (Exists(x,list_conj ycjs)) in
    itlist (fun p q -> And(p,q)) ncjs q in
  fun fm -> simplify(qelift (fv fm) fm);;

(* ------------------------------------------------------------------------- *)
(* Cleverer (proposisional) NNF with conditional and literal modification.   *)
(* ------------------------------------------------------------------------- *)

let cnnf lfn =
  let rec cnnf fm =
    match fm with
      And(p,q) -> And(cnnf p,cnnf q)
    | Or(p,q) -> Or(cnnf p,cnnf q)
    | Imp(p,q) -> Or(cnnf(Not p),cnnf q)
    | Iff(p,q) -> Or(And(cnnf p,cnnf q),And(cnnf(Not p),cnnf(Not q)))
    | Not(Not p) -> cnnf p
    | Not(And(p,q)) -> Or(cnnf(Not p),cnnf(Not q))
    | Not(Or(And(p,q),And(p',r))) when p' = negate p ->
         Or(cnnf (And(p,Not q)),cnnf (And(p',Not r)))
    | Not(Or(p,q)) -> And(cnnf(Not p),cnnf(Not q))
    | Not(Imp(p,q)) -> And(cnnf p,cnnf(Not q))
    | Not(Iff(p,q)) -> Or(And(cnnf p,cnnf(Not q)),
                          And(cnnf(Not p),cnnf q))
    | _ -> lfn fm in
  simplify ** cnnf ** simplify;;

(* ------------------------------------------------------------------------- *)
(* Initial literal simplifier and intermediate literal modifier.             *)
(* ------------------------------------------------------------------------- *)

let lfn_dlo fm =
  match fm with
    Not(Atom(R("<",[s;t]))) -> Or(Atom(R("=",[s;t])),Atom(R("<",[t;s])))
  | Not(Atom(R("=",[s;t]))) -> Or(Atom(R("<",[s;t])),Atom(R("<",[t;s])))
  | _ -> fm;;

(* ------------------------------------------------------------------------- *)
(* Simple example of dense linear orderings; this is the base function.      *)
(* ------------------------------------------------------------------------- *)

let dlobasic fm =
  match fm with
    Exists(x,p) ->
      let cjs = subtract (conjuncts p) [Atom(R("=",[Var x;Var x]))] in
      try let eqn = find
            (function (Atom(R("=",_))) -> true | _ -> false) cjs in
          let (Atom(R("=",[s;t]))) = eqn in
          let y = if s = Var x then t else s in
          list_conj(map (formsubst (x := y)) (subtract cjs [eqn]))
      with Failure _ ->
          if mem (Atom(R("<",[Var x;Var x]))) cjs then False else
          let l,r =
            partition (fun (Atom(R("<",[s;t]))) -> t = Var x) cjs in
          let lefts = map (fun (Atom(R("<",[l;_]))) -> l) l
          and rights = map (fun (Atom(R("<",[_;r]))) -> r) r in
          list_conj(allpairs (fun l r -> Atom(R("<",[l;r])))
                             lefts rights)
  | _ -> failwith "dlobasic";;

(* ------------------------------------------------------------------------- *)
(* Overall quelim procedure.                                                 *)
(* ------------------------------------------------------------------------- *)

let afn_dlo vars fm =
  match fm with
    Atom(R("<=",[s;t])) -> Not(Atom(R("<",[t;s])))
  | Atom(R(">=",[s;t])) -> Not(Atom(R("<",[s;t])))
  | Atom(R(">",[s;t])) -> Atom(R("<",[t;s]))
  | _ -> fm;;

let quelim_dlo =
  lift_qelim afn_dlo (dnf ** cnnf lfn_dlo) (fun v -> dlobasic);;

(* ------------------------------------------------------------------------- *)
(* Examples.                                                                 *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
quelim_dlo <>;;

quelim_dlo <>;;

quelim_dlo <>;;

quelim_dlo <<(forall x. x < a ==> x < b)>>;;

quelim_dlo < x < b) <=> a = b>>;;

time quelim_dlo <>;;

time quelim_dlo < x < z>>;;

time quelim_dlo <>;;

time quelim_dlo <>;;

time quelim_dlo <>;;

time quelim_dlo <>;;

time quelim_dlo <>;;

time quelim_dlo < exists z. x < z /\ z < y>>;;

time quelim_dlo
  < exists u. u < x /\ (y < u \/ x < y)>>;;

time quelim_dlo <>;;

time quelim_dlo <>;;

time quelim_dlo <>;;

time quelim_dlo <>;;

time quelim_dlo <>;;

time quelim_dlo <>;;

time quelim_dlo < w < z>>;;

time quelim_dlo <>;;

time quelim_dlo <>;;

time quelim_dlo < x < b) <=> a <= b>>;;

time quelim_dlo < x < b>>;;

time quelim_dlo < x <= b>>;;

time quelim_dlo <>;;

time quelim_dlo < y>>;;

time quelim_dlo <>;;
END_INTERACTIVE;;
why-2.39/atp/formulas.ml0000644000106100004300000002075613147234006014211 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

(* ========================================================================= *)
(* Polymorphic type of formulas with parser and printer.                     *)
(*                                                                           *)
(* Copyright (c) 2003, John Harrison. (See "LICENSE.txt" for details.)       *)
(* ========================================================================= *)

type ('a)formula = False
                 | True
                 | Atom of 'a
                 | Not of ('a)formula
                 | And of ('a)formula * ('a)formula
                 | Or of ('a)formula * ('a)formula
                 | Imp of ('a)formula * ('a)formula
                 | Iff of ('a)formula * ('a)formula
                 | Forall of string * ('a)formula
                 | Exists of string * ('a)formula;;

(* ------------------------------------------------------------------------- *)
(* General homomorphism and iteration functions for atoms in formula.        *)
(* ------------------------------------------------------------------------- *)

let rec onatoms fn fm =
  match fm with
    Atom(a) -> fn a
  | Not(p) -> Not(onatoms fn p)
  | And(p,q) -> And(onatoms fn p,onatoms fn q)
  | Or(p,q) -> Or(onatoms fn p,onatoms fn q)
  | Imp(p,q) -> Imp(onatoms fn p,onatoms fn q)
  | Iff(p,q) -> Iff(onatoms fn p,onatoms fn q)
  | Forall(x,p) -> Forall(x,onatoms fn p)
  | Exists(x,p) -> Exists(x,onatoms fn p)
  | _ -> fm;;

let rec overatoms f fm b =
  match fm with
    Atom(a) -> f a b
  | Not(p) -> overatoms f p b
  | And(p,q) | Or(p,q) | Imp(p,q) | Iff(p,q) ->
        overatoms f p (overatoms f q b)
  | Forall(x,p) | Exists(x,p) -> overatoms f p b
  | _ -> b;;

(* ------------------------------------------------------------------------- *)
(* Special case of a union of the results of a function over the atoms.      *)
(* ------------------------------------------------------------------------- *)

let atom_union f fm = setify (overatoms (fun h t -> f(h)@t) fm []);;

(* ------------------------------------------------------------------------- *)
(* General parsing of iterated infixes.                                      *)
(* ------------------------------------------------------------------------- *)

let rec parse_ginfix opsym opupdate sof subparser inp =
  let e1,inp1 = subparser inp in
  if inp1 <> [] & hd inp1 = opsym then
     parse_ginfix opsym opupdate (opupdate sof e1) subparser (tl inp1)
  else sof e1,inp1;;

let parse_left_infix opsym opcon =
  parse_ginfix opsym (fun f e1 e2 -> opcon(f e1,e2)) (fun x -> x);;

let parse_right_infix opsym opcon =
  parse_ginfix opsym (fun f e1 e2 -> f(opcon(e1,e2))) (fun x -> x);;

let parse_list opsym =
  parse_ginfix opsym (fun f e1 e2 -> (f e1)@[e2]) (fun x -> [x]);;

(* ------------------------------------------------------------------------- *)
(* Other general parsing combinators.                                        *)
(* ------------------------------------------------------------------------- *)

let papply f (ast,rest) = (f ast,rest);;

let nextin inp tok = inp <> [] & hd inp = tok;;

let parse_bracketed subparser cbra inp =
  let ast,rest = subparser inp in
  if nextin rest cbra then ast,tl rest
  else failwith "Closing bracket expected";;

(* ------------------------------------------------------------------------- *)
(* Parsing of formulas, parametrized by atom parser "pfn".                   *)
(* ------------------------------------------------------------------------- *)

let rec parse_atomic_formula pfn vs inp =
  match inp with
    [] -> failwith "formula expected"
  | "false"::rest -> False,rest
  | "true"::rest -> True,rest
  | "("::rest -> (try pfn vs inp with Failure _ ->
                  parse_bracketed (parse_formula pfn vs) ")" rest)
  | "~"::rest -> papply (fun p -> Not p)
                        (parse_atomic_formula pfn vs rest)
  | "forall"::x::rest ->
        parse_quant pfn (x::vs) (fun (x,p) -> Forall(x,p)) x rest
  | "exists"::x::rest ->
        parse_quant pfn (x::vs) (fun (x,p) -> Exists(x,p)) x rest
  | _ -> pfn vs inp

and parse_quant pfn vs qcon x inp =
   match inp with
     [] -> failwith "Body of quantified term expected"
   | y::rest ->
        papply (fun fm -> qcon(x,fm))
               (if y = "." then parse_formula pfn vs rest
                else parse_quant pfn (y::vs) qcon y rest)

and parse_formula pfn vs inp =
   parse_right_infix "<=>" (fun (p,q) -> Iff(p,q))
     (parse_right_infix "==>" (fun (p,q) -> Imp(p,q))
         (parse_right_infix "\\/" (fun (p,q) -> Or(p,q))
             (parse_right_infix "/\\" (fun (p,q) -> And(p,q))
                  (parse_atomic_formula pfn vs)))) inp;;

(* ------------------------------------------------------------------------- *)
(* Printing of formulas, parametrized by atom printer.                       *)
(* ------------------------------------------------------------------------- *)

let rec strip_quant isforall fm =
  match (fm,isforall) with
    Forall(x,p),true -> papply (fun l -> x::l) (strip_quant isforall p)
  | Exists(x,p),false -> papply (fun l -> x::l) (strip_quant isforall p)
  | _ -> [],fm;;

let rec print_formula pfn prec fm =
  match fm with
    False -> print_string "false"
  | True -> print_string "true"
  | Atom(pargs) -> pfn prec pargs
  | Not(p) -> print_string "~"; print_formula pfn 10 p
  | And(p,q) -> print_infix_formula pfn prec 8 "/\\" p q
  | Or(p,q) -> print_infix_formula pfn prec 6 "\\/" p q
  | Imp(p,q) -> print_infix_formula pfn prec 4 "==>" p q
  | Iff(p,q) -> print_infix_formula pfn prec 2 "<=>" p q
  | Forall(x,p) -> print_quant pfn prec "forall" (strip_quant true fm)
  | Exists(x,p) -> print_quant pfn prec "exists" (strip_quant false fm)

and print_quant pfn prec qname (bvs,bod) =
  if prec <> 0 then print_string "(" else ();
  print_string qname;
  do_list (fun v -> print_string " "; print_string v) bvs;
  print_string ". "; open_box 0;
  print_formula pfn 0 bod;
  close_box();
  if prec <> 0 then print_string ")" else ()

and print_infix_formula pfn oldprec newprec sym p q =
  if oldprec > newprec then (print_string "("; open_box 0) else ();
  print_formula pfn (newprec+1) p;
  print_string(" "^sym); print_space();
  print_formula pfn newprec q;
  if oldprec > newprec then (close_box(); print_string ")") else ();;

let formula_printer pfn fm =
  open_box 0; print_string "<<";
  open_box 0; print_formula pfn 0 fm; close_box();
  print_string ">>"; close_box();;
why-2.39/atp/skolem.ml0000644000106100004300000002263513147234006013651 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

(* ========================================================================= *)
(* Prenex and Skolem normal forms.                                           *)
(*                                                                           *)
(* Copyright (c) 2003, John Harrison. (See "LICENSE.txt" for details.)       *)
(* ========================================================================= *)

(* ------------------------------------------------------------------------- *)
(* Routine simplification. Like "psimplify" but with quantifier clauses.     *)
(* ------------------------------------------------------------------------- *)

let simplify1 fm =
  match fm with
    Forall(x,p) -> if mem x (fv p) then fm else p
  | Exists(x,p) -> if mem x (fv p) then fm else p
  | _ -> psimplify1 fm;;

let rec simplify fm =
  match fm with
    Not p -> simplify1 (Not(simplify p))
  | And(p,q) -> simplify1 (And(simplify p,simplify q))
  | Or(p,q) -> simplify1 (Or(simplify p,simplify q))
  | Imp(p,q) -> simplify1 (Imp(simplify p,simplify q))
  | Iff(p,q) -> simplify1 (Iff(simplify p,simplify q))
  | Forall(x,p) -> simplify1(Forall(x,simplify p))
  | Exists(x,p) -> simplify1(Exists(x,simplify p))
  | _ -> fm;;

(* ------------------------------------------------------------------------- *)
(* Example.                                                                  *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
simplify <<(forall x y. P(x) \/ (P(y) /\ false)) ==> exists z. P(z)>>;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Negation normal form.                                                     *)
(* ------------------------------------------------------------------------- *)

let rec nnf fm =
  match fm with
    And(p,q) -> And(nnf p,nnf q)
  | Or(p,q) -> Or(nnf p,nnf q)
  | Imp(p,q) -> Or(nnf(Not p),nnf q)
  | Iff(p,q) -> Or(And(nnf p,nnf q),And(nnf(Not p),nnf(Not q)))
  | Not(Not p) -> nnf p
  | Not(And(p,q)) -> Or(nnf(Not p),nnf(Not q))
  | Not(Or(p,q)) -> And(nnf(Not p),nnf(Not q))
  | Not(Imp(p,q)) -> And(nnf p,nnf(Not q))
  | Not(Iff(p,q)) -> Or(And(nnf p,nnf(Not q)),And(nnf(Not p),nnf q))
  | Forall(x,p) -> Forall(x,nnf p)
  | Exists(x,p) -> Exists(x,nnf p)
  | Not(Forall(x,p)) -> Exists(x,nnf(Not p))
  | Not(Exists(x,p)) -> Forall(x,nnf(Not p))
  | _ -> fm;;

(* ------------------------------------------------------------------------- *)
(* Example of NNF function in action.                                        *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
let fm = <<(forall x. P(x))
           ==> ((exists y. Q(y)) <=> exists z. P(z) /\ Q(z))>> in
nnf fm;;

let andrews =
 <<((exists x. forall y. P(x) <=> P(y)) <=>
    ((exists x. Q(x)) <=> (forall y. Q(y)))) <=>
   ((exists x. forall y. Q(x) <=> Q(y)) <=>
    ((exists x. P(x)) <=> (forall y. P(y))))>> in
 nnf andrews;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Prenex normal form.                                                       *)
(* ------------------------------------------------------------------------- *)

let mk_all x p = Forall(x,p) and mk_ex x p = Exists(x,p);;
let mk_and p q = And(p,q) and mk_or p q = Or(p,q);;

let rec pullquants fm =
  match fm with
    And(Forall(x,p),Forall(y,q)) -> pullquant_2 fm mk_all mk_and x y p q
  | Or(Exists(x,p),Exists(y,q)) -> pullquant_2 fm mk_ex mk_or x y p q
  | And(Forall(x,p),q) -> pullquant_l fm mk_all mk_and x p q
  | And(p,Forall(x,q)) -> pullquant_r fm mk_all mk_and x p q
  | Or(Forall(x,p),q) -> pullquant_l fm mk_all mk_or x p q
  | Or(p,Forall(x,q)) -> pullquant_r fm mk_all mk_or x p q
  | And(Exists(x,p),q) -> pullquant_l fm mk_ex mk_and x p q
  | And(p,Exists(x,q)) -> pullquant_r fm mk_ex mk_and x p q
  | Or(Exists(x,p),q) -> pullquant_l fm mk_ex mk_or x p q
  | Or(p,Exists(x,q)) -> pullquant_r fm mk_ex mk_or x p q
  | _ -> fm

and pullquant_l fm quant op x p q =
  let x' = variant x (fv fm) in
  quant x' (pullquants(op (formsubst (x := Var x') p) q))

and pullquant_r fm quant op x p q =
  let x' = variant x (fv fm) in
  quant x' (pullquants(op p (formsubst (x := Var x') q)))

and pullquant_2 fm quant op x y p q =
  let x' = variant x (fv fm) in
  quant x' (pullquants(op (formsubst (x := Var x') p)
                          (formsubst (y := Var x') q)));;

let rec prenex fm =
  match fm with
    Forall(x,p) -> Forall(x,prenex p)
  | Exists(x,p) -> Exists(x,prenex p)
  | And(p,q) -> pullquants(And(prenex p,prenex q))
  | Or(p,q) -> pullquants(Or(prenex p,prenex q))
  | _ -> fm;;

let pnf fm = prenex(nnf(simplify fm));;

(* ------------------------------------------------------------------------- *)
(* Example.                                                                  *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
pnf < exists y z. Q(y) \/ ~(exists z. P(z) /\ Q(z))>>;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Get the functions in a term and formula.                                  *)
(* ------------------------------------------------------------------------- *)

let rec funcs tm = match tm with
    Var x -> []
  | Fn(f,args) -> itlist (union ** funcs) args [f,length args];;

let functions fm =
  atom_union (fun (R(p,a)) -> itlist (union ** funcs) a []) fm;;

(* ------------------------------------------------------------------------- *)
(* Core Skolemization function.                                              *)
(* ------------------------------------------------------------------------- *)

let rec skolem fm corr =
  match fm with
    Exists(y,p) ->
        let xs = fv(fm)
        and fns = map (fun (Fn(f,args),def) -> f) corr in
        let f = variant (if xs = [] then "c_"^y else "f_"^y) fns in
        let fx = Fn(f,map (fun x -> Var x) xs) in
        skolem (formsubst (y := fx) p) ((fx,fm)::corr)
  | Forall(x,p) -> let p',corr' = skolem p corr in Forall(x,p'),corr'
  | And(p,q) -> skolem2 (fun (p,q) -> And(p,q)) (p,q) corr
  | Or(p,q) -> skolem2 (fun (p,q) -> Or(p,q)) (p,q) corr
  | _ -> fm,corr

and skolem2 cons (p,q) corr =
  let p',corr' = skolem p corr in
  let q',corr'' = skolem q corr' in
  cons(p',q'),corr'';;

(* ------------------------------------------------------------------------- *)
(* Overall Skolemization function.                                           *)
(* ------------------------------------------------------------------------- *)

let askolemize fm =
  let fm1 = nnf(simplify fm) in
  let corr = map (fun (n,a) -> Fn(n,[]),False) (functions fm1) in
  fst(skolem fm1 corr);;

let rec specialize fm =
  match fm with
    Forall(x,p) -> specialize p
  | _ -> fm;;

let skolemize fm = specialize(pnf(askolemize fm));;

(* ------------------------------------------------------------------------- *)
(* Example.                                                                  *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
skolemize < forall u. exists v. x * u < y * v>>;;

skolemize
 < (exists y z. Q(y) \/ ~(exists z. P(z) /\ Q(z)))>>;;
END_INTERACTIVE;;
why-2.39/atp/Quotexpander.ml0000644000106100004300000000557513147234006015042 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

(* ========================================================================= *)
(* Quotation expander for <<...>> and <<|...|>>.                             *)
(*                                                                           *)
(* Copyright (c) 2003, John Harrison. (See "LICENSE.txt" for details.)       *)
(* ========================================================================= *)

let quotexpander s =
  if String.sub s 0 1 = "|" & String.sub s (String.length s - 1) 1 = "|" then
    "secondary_parser \""^
    (String.escaped (String.sub s 1 (String.length s - 2)))^"\""
  else "default_parser \""^(String.escaped s)^"\"";;

Quotation.add "" (Quotation.ExStr (fun x -> quotexpander));;
why-2.39/atp/defcnf.ml0000644000106100004300000002331713147234006013602 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

(* ========================================================================= *)
(* Definitional CNF.                                                         *)
(*                                                                           *)
(* Copyright (c) 2003, John Harrison. (See "LICENSE.txt" for details.)       *)
(* ========================================================================= *)

(* ------------------------------------------------------------------------- *)
(* Variant of NNF without splitting equivalences.                            *)
(* ------------------------------------------------------------------------- *)

let rec nenf fm =
  match fm with
    Not(Not p) -> nenf p
  | Not(And(p,q)) -> Or(nenf(Not p),nenf(Not q))
  | Not(Or(p,q)) -> And(nenf(Not p),nenf(Not q))
  | Not(Imp(p,q)) -> And(nenf p,nenf(Not q))
  | Not(Iff(p,q)) -> Iff(nenf p,nenf(Not q))
  | And(p,q) -> And(nenf p,nenf q)
  | Or(p,q) -> Or(nenf p,nenf q)
  | Imp(p,q) -> Or(nenf(Not p),nenf q)
  | Iff(p,q) -> Iff(nenf p,nenf q)
  | _ -> fm;;

(* ------------------------------------------------------------------------- *)
(* Make a stylized variable and update the index.                            *)
(* ------------------------------------------------------------------------- *)

let mkprop n = Atom(P("p_"^(string_of_num n))),n +/ Int 1;;

(* ------------------------------------------------------------------------- *)
(* Make n large enough that "v_m" won't clash with s for any m >= n          *)
(* ------------------------------------------------------------------------- *)

let max_varindex pfx =
  let m = String.length pfx in
  fun s n ->
    let l = String.length s in
    if l <= m or String.sub s 0 m <> pfx then n else
    let s' = String.sub s m (l - m) in
    if forall numeric (explode s') then max_num n (num_of_string s')
    else n;;

(* ------------------------------------------------------------------------- *)
(* Basic definitional CNF procedure.                                         *)
(* ------------------------------------------------------------------------- *)

let rec maincnf (fm,defs,n as trip) =
  match fm with
    And(p,q) -> defstep (fun (p,q) -> And(p,q)) (p,q) trip
  | Or(p,q) -> defstep (fun (p,q) -> Or(p,q)) (p,q) trip
  | Iff(p,q) -> defstep (fun (p,q) -> Iff(p,q)) (p,q) trip
  | _ -> trip

and defstep op (p,q) (fm,defs,n) =
  let fm1,defs1,n1 = maincnf (p,defs,n) in
  let fm2,defs2,n2 = maincnf (q,defs1,n1) in
  let fm' = op(fm1,fm2) in
  try (fst(apply defs2 fm'),defs2,n2) with Failure _ ->
  let v,n3 = mkprop n2 in (v,(fm'|->(v,Iff(v,fm'))) defs2,n3);;

let defcnf fm =
  let fm' = nenf(psimplify fm) in
  let n = Int 1 +/ overatoms (max_varindex "p_" ** pname) fm' (Int 0) in
  let (fm'',defs,_) = maincnf (fm',undefined,n) in
  let deflist = map (snd ** snd) (funset defs) in
  let subcnfs = itlist ((@) ** simpcnf) deflist (simpcnf fm'') in
  list_conj (map list_disj (setify subcnfs));;

(* ------------------------------------------------------------------------- *)
(* Example.                                                                  *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
let fm = <<(p \/ (q /\ ~r)) /\ s>>;;

defcnf fm;;

cnf fm;;

cnf <
 (q <=> r)>>;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Version tweaked to exploit initial structure.                             *)
(* ------------------------------------------------------------------------- *)

let subcnf sfn op (p,q) (fm,defs,n) =
  let fm1,defs1,n1 = sfn(p,defs,n) in
  let fm2,defs2,n2 = sfn(q,defs1,n1) in (op(fm1,fm2),defs2,n2);;

let rec orcnf (fm,defs,n as trip) =
  match fm with
    Or(p,q) -> subcnf orcnf (fun (p,q) -> Or(p,q)) (p,q) trip
  | _ -> maincnf trip;;

let rec andcnf (fm,defs,n as trip) =
  match fm with
    And(p,q) -> subcnf andcnf (fun (p,q) -> And(p,q)) (p,q) trip
  | _ -> orcnf trip;;

let defcnfs fm =
  let fm' = nenf(psimplify fm) in
  let n = Int 1 +/ overatoms (max_varindex "p_" ** pname) fm' (Int 0) in
  let (fm'',defs,_) = andcnf (fm',undefined,n) in
  let deflist = map (snd ** snd) (funset defs) in
  setify(itlist ((@) ** simpcnf) deflist (simpcnf fm''));;

let defcnf fm = list_conj (map list_disj (defcnfs fm));;

(* ------------------------------------------------------------------------- *)
(* Examples.                                                                 *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
defcnf fm;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Version using only implication where possible.                            *)
(* ------------------------------------------------------------------------- *)

let defstep pos sfn op (p,q) (fm,defs,n) =
  let fm1,defs1,n1 = sfn (p,defs,n) in
  let fm2,defs2,n2 = sfn (q,defs1,n1) in
  let (fl,fm' as ffm') = (pos,op(fm1,fm2)) in
  try (fst(apply defs2 ffm'),defs2,n2) with Failure _ ->
  let (v,n3) = mkprop n2 in
  let cons = if pos then fun (p,q) -> Imp(p,q)
             else fun (p,q) -> Iff(p,q) in
  (v,(ffm' |-> (v,cons(v,fm'))) defs2,n3);;

let rec maincnf pos (fm,defs,n as trip) =
  match fm with
    And(p,q) ->
        defstep pos (maincnf pos) (fun (p,q) -> And(p,q)) (p,q) trip
  | Or(p,q) ->
        defstep pos (maincnf pos) (fun (p,q) -> Or(p,q)) (p,q) trip
  | Iff(p,q) ->
        defstep pos (maincnf false) (fun (p,q) -> Iff(p,q)) (p,q) trip
  | _ -> trip;;

let rec orcnf pos (fm,defs,n as trip) =
  match fm with
    Or(p,q) -> subcnf (orcnf pos) (fun (p,q) -> Or(p,q)) (p,q) trip
  | _ -> maincnf pos trip;;

let rec andcnf pos (fm,defs,n as trip) =
  match fm with
    And(p,q) -> subcnf (andcnf pos) (fun (p,q) -> And(p,q)) (p,q) trip
  | _ -> orcnf pos trip;;

let defcnfs imps fm =
  let fm' = nenf(psimplify fm) in
  let n = Int 1 +/ overatoms (max_varindex "p_" ** pname) fm' (Int 0) in
  let (fm'',defs,_) = andcnf imps (fm',undefined,n) in
  let deflist = map (snd ** snd) (funset defs) in
  setify(itlist ((@) ** simpcnf) deflist (simpcnf fm''));;

let defcnf imps fm = list_conj (map list_disj (defcnfs imps fm));;

(* ------------------------------------------------------------------------- *)
(* Example.                                                                  *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
defcnf false fm;;

defcnf true fm;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Version that guarantees 3-CNF.                                            *)
(* ------------------------------------------------------------------------- *)

let rec andcnf3 pos (fm,defs,n as trip) =
  match fm with
    And(p,q) -> subcnf (andcnf3 pos) (fun (p,q) -> And(p,q)) (p,q) trip
  | _ -> maincnf pos trip;;

let defcnf3s imps fm =
  let fm' = nenf(psimplify fm) in
  let n = Int 1 +/ overatoms (max_varindex "p_" ** pname) fm' (Int 0) in
  let (fm'',defs,_) = andcnf3 imps (fm',undefined,n) in
  let deflist = map (snd ** snd) (funset defs) in
  setify(itlist ((@) ** simpcnf) deflist (simpcnf fm''));;

let defcnf3 imps fm = list_conj (map list_disj (defcnf3s imps fm));;

(* ------------------------------------------------------------------------- *)
(* Example.                                                                  *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
let fm = <<(p \/ q \/ r \/ s) /\ ~p /\ (~p \/ q)>>;;

defcnf true fm;;

defcnf3 true fm;;
END_INTERACTIVE;;
why-2.39/atp/LICENSE.txt0000644000106100004300000000317313147234006013644 0ustar  marchevalsIMPORTANT:  READ BEFORE DOWNLOADING, COPYING, INSTALLING OR USING.
By downloading, copying, installing or using the software you agree
to this license.  If you do not agree to this license, do not
download, install, copy or use the software.

Copyright (c) 2003, John Harrison
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:

* Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.

* Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.

* The name of John Harrison may not be used to endorse or promote
products derived from this software without specific prior written
permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
why-2.39/atp/fol.ml0000644000106100004300000003666013147234006013142 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

(* ========================================================================= *)
(* Basic stuff for first order logic.                                        *)
(*                                                                           *)
(* Copyright (c) 2003, John Harrison. (See "LICENSE.txt" for details.)       *)
(* ========================================================================= *)

(* ------------------------------------------------------------------------- *)
(* Terms.                                                                    *)
(* ------------------------------------------------------------------------- *)

type term = Var of string
          | Fn of string * term list;;

(* ------------------------------------------------------------------------- *)
(* Example.                                                                  *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
Fn("sqrt",[Fn("-",[Fn("1",[]);
                   Fn("cos",[Fn("power",[Fn("+",[Var "x"; Var "y"]);
                                        Fn("2",[])])])])]);;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Abbreviation for FOL formula.                                             *)
(* ------------------------------------------------------------------------- *)

type fol = R of string * term list;;

(* ------------------------------------------------------------------------- *)
(* Trivial example of "x + y < z".                                           *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
Atom(R("<",[Fn("+",[Var "x"; Var "y"]); Var "z"]));;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Parsing of terms.                                                         *)
(* ------------------------------------------------------------------------- *)

let is_const s = forall numeric (explode s) or s = "nil";;

let rec parse_atomic_term vs inp =
  match inp with
    [] -> failwith "term expected"
  | "("::rest -> parse_bracketed (parse_term vs) ")" rest
  | f::"("::")"::rest -> Fn(f,[]),rest
  | f::"("::rest ->
      papply (fun args -> Fn(f,args))
             (parse_bracketed (parse_list "," (parse_term vs)) ")" rest)
  | a::rest ->
      (if is_const a & not(mem a vs) then Fn(a,[]) else Var a),rest

and parse_term vs inp =
  parse_right_infix "::" (fun (e1,e2) -> Fn("::",[e1;e2]))
    (parse_right_infix "+" (fun (e1,e2) -> Fn("+",[e1;e2]))
       (parse_left_infix "-" (fun (e1,e2) -> Fn("-",[e1;e2]))
           (parse_right_infix "*" (fun (e1,e2) -> Fn("*",[e1;e2]))
                (parse_left_infix "^" (fun (e1,e2) -> Fn("^",[e1;e2]))
                   (parse_atomic_term vs))))) inp;;

let parset = make_parser (parse_term []);;

(* ------------------------------------------------------------------------- *)
(* Parsing of formulas.                                                      *)
(* ------------------------------------------------------------------------- *)

let parse_atom vs inp =
  try let tm,rest = parse_term vs inp in
      if exists (nextin rest) ["="; "<"; "<="; ">"; ">="] then
            papply (fun tm' -> Atom(R(hd rest,[tm;tm'])))
                   (parse_term vs (tl rest))
      else failwith ""
  with Failure _ ->
  match inp with
  | p::"("::")"::rest -> Atom(R(p,[])),rest
  | p::"("::rest ->
      papply (fun args -> Atom(R(p,args)))
             (parse_bracketed (parse_list "," (parse_term vs)) ")" rest)
  | p::rest when p <> "(" -> Atom(R(p,[])),rest
  | _ -> failwith "parse_atom";;

let parse = make_parser (parse_formula parse_atom []);;

(* ------------------------------------------------------------------------- *)
(* Set up parsing of quotations.                                             *)
(* ------------------------------------------------------------------------- *)

let default_parser = parse;;

let secondary_parser = parset;;

(* ------------------------------------------------------------------------- *)
(* Example.                                                                  *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
<<(forall x. x < 2 ==> 2 * x <= 3) \/ false>>;;

<<|2 * x|>>;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Printing of terms.                                                        *)
(* ------------------------------------------------------------------------- *)

let rec print_term prec fm =
  match fm with
    Var x -> print_string x
  | Fn("^",[tm1;tm2]) -> print_infix_term true prec 22 "^" tm1 tm2
  | Fn("*",[tm1;tm2]) -> print_infix_term false prec 20 "*" tm1 tm2
  | Fn("-",[tm1;tm2]) -> print_infix_term true prec 18 "-" tm1 tm2
  | Fn("+",[tm1;tm2]) -> print_infix_term false prec 16 "+" tm1 tm2
  | Fn("::",[tm1;tm2]) -> print_infix_term false prec 14 "::" tm1 tm2
  | Fn(f,args) -> print_fargs f args

and print_fargs f args =
  print_string f;
  if args = [] then () else
   (print_string "(";
    open_box 0;
    print_term 0 (hd args); print_break 0 0;
    do_list (fun t -> print_string ","; print_break 0 0; print_term 0 t)
            (tl args);
    close_box();
    print_string ")")

and print_infix_term isleft oldprec newprec sym p q =
  if oldprec > newprec then (print_string "("; open_box 0) else ();
  print_term (if isleft then newprec else newprec+1) p;
  print_string(" "^sym); print_space();
  print_term (if isleft then newprec+1 else newprec) q;
  if oldprec > newprec then (close_box(); print_string ")") else ();;

let printert fm = open_box 0; print_term 0 fm; close_box();;

START_INTERACTIVE;;
#install_printer printert;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Printing of formulas.                                                     *)
(* ------------------------------------------------------------------------- *)

let print_atom prec (R(p,args)) =
  if mem p ["="; "<"; "<="; ">"; ">="] & length args = 2
  then print_infix_term false 12 12 p (el 0 args) (el 1 args)
  else print_fargs p args;;

let printer = formula_printer print_atom;;

START_INTERACTIVE;;
#install_printer printer;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Examples in the main text.                                                *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
<>;;

<<~(forall x. P(x)) <=> exists y. ~P(y)>>;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Model-theoretic notions, but here restricted to finite interpretations.   *)
(* ------------------------------------------------------------------------- *)

type ('a)interpretation =
  Interp of ('a)list *
            (string -> ('a)list -> 'a) *
            (string -> ('a)list -> bool);;

let domain(Interp(d,funs,preds)) = d
and func(Interp(d,funs,preds)) = funs
and predicate(Interp(d,funs,preds)) = preds;;

(* ------------------------------------------------------------------------- *)
(* Semantics.                                                                *)
(* ------------------------------------------------------------------------- *)

let rec termval md v tm =
  match tm with
    Var(x) -> apply v x
  | Fn(f,args) -> func(md) f (map (termval md v) args);;

let rec holds md v fm =
  match fm with
    False -> false
  | True -> true
  | Atom(R(r,args)) -> predicate(md) r (map (termval md v) args)
  | Not(p) -> not(holds md v p)
  | And(p,q) -> (holds md v p) & (holds md v q)
  | Or(p,q) -> (holds md v p) or (holds md v q)
  | Imp(p,q) -> not(holds md v p) or (holds md v q)
  | Iff(p,q) -> (holds md v p = holds md v q)
  | Forall(x,p) ->
        forall (fun a -> holds md ((x |-> a) v) p) (domain md)
  | Exists(x,p) ->
        exists (fun a -> holds md ((x |-> a) v) p) (domain md);;

(* ------------------------------------------------------------------------- *)
(* Examples of particular interpretations.                                   *)
(* ------------------------------------------------------------------------- *)

let bool_interp =
  let fns f args =
    match (f,args) with
      ("0",[]) -> false
    | ("1",[]) -> true
    | ("+",[x;y]) -> not(x = y)
    | ("*",[x;y]) -> x & y
    | _ -> failwith "uninterpreted function"
  and prs p args =
    match (p,args) with
      ("=",[x;y]) -> x = y
    | _ -> failwith "uninterpreted predicate" in
  Interp([false; true],fns,prs);;

let mod_interp n =
  let fns f args =
    match (f,args) with
      ("0",[]) -> 0
    | ("1",[]) -> 1 mod n
    | ("+",[x;y]) -> (x + y) mod n
    | ("*",[x;y]) -> (x * y) mod n
    | _ -> failwith "uninterpreted function"
  and prs p args =
    match (p,args) with
      ("=",[x;y]) -> x = y
    | _ -> failwith "uninterpreted predicate" in
  Interp(0 -- (n - 1),fns,prs);;

START_INTERACTIVE;;
let fm1 = <>;;

holds bool_interp undefined fm1;;

holds (mod_interp 2) undefined fm1;;

holds (mod_interp 3) undefined fm1;;

let fm2 = < exists y. x * y = 1>>;;

holds bool_interp undefined fm2;;

holds (mod_interp 2) undefined fm2;;

holds (mod_interp 3) undefined fm2;;

holds (mod_interp 4) undefined fm2;;

holds (mod_interp 31) undefined fm2;;

holds (mod_interp 33) undefined fm2;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Free variables in terms and formulas.                                     *)
(* ------------------------------------------------------------------------- *)

let rec fvt tm =
  match tm with
    Var x -> [x]
  | Fn(f,args) -> itlist (union ** fvt) args [];;

let rec fv fm =
  match fm with
    False -> []
  | True -> []
  | Atom(R(p,args)) -> itlist (union ** fvt) args []
  | Not(p) -> fv p
  | And(p,q) -> union (fv p) (fv q)
  | Or(p,q) -> union (fv p) (fv q)
  | Imp(p,q) -> union (fv p) (fv q)
  | Iff(p,q) -> union (fv p) (fv q)
  | Forall(x,p) -> subtract (fv p) [x]
  | Exists(x,p) -> subtract (fv p) [x];;

(* ------------------------------------------------------------------------- *)
(* Substitution within terms.                                                *)
(* ------------------------------------------------------------------------- *)

let instantiate vlist tlist =
  itlist2 (fun x t -> x |-> t) vlist tlist undefined;;

let rec termsubst sfn tm =
  match tm with
    Var x -> tryapplyd sfn x tm
  | Fn(f,args) -> Fn(f,map (termsubst sfn) args);;

(* ------------------------------------------------------------------------- *)
(* Incorrect substitution in formulas, and example showing why it's wrong.   *)
(* ------------------------------------------------------------------------- *)

let rec formsubst subfn fm =    (* WRONG! *)
  match fm with
    False -> False
  | True -> True
  | Atom(R(p,args)) -> Atom(R(p,map (termsubst subfn) args))
  | Not(p) -> Not(formsubst subfn p)
  | And(p,q) -> And(formsubst subfn p,formsubst subfn q)
  | Or(p,q) -> Or(formsubst subfn p,formsubst subfn q)
  | Imp(p,q) -> Imp(formsubst subfn p,formsubst subfn q)
  | Iff(p,q) -> Iff(formsubst subfn p,formsubst subfn q)
  | Forall(x,p) -> Forall(x,formsubst (undefine x subfn) p)
  | Exists(x,p) -> Exists(x,formsubst (undefine x subfn) p);;

START_INTERACTIVE;;
formsubst ("y" := Var "x") <>;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Variant function and examples.                                            *)
(* ------------------------------------------------------------------------- *)

let rec variant x vars =
  if mem x vars then variant (x^"'") vars else x;;

START_INTERACTIVE;;
variant "x" ["y"; "z"];;

variant "x" ["x"; "y"];;

variant "x" ["x"; "x'"];;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* The correct version.                                                      *)
(* ------------------------------------------------------------------------- *)

let rec formsubst subfn fm =
  match fm with
    False -> False
  | True -> True
  | Atom(R(p,args)) -> Atom(R(p,map (termsubst subfn) args))
  | Not(p) -> Not(formsubst subfn p)
  | And(p,q) -> And(formsubst subfn p,formsubst subfn q)
  | Or(p,q) -> Or(formsubst subfn p,formsubst subfn q)
  | Imp(p,q) -> Imp(formsubst subfn p,formsubst subfn q)
  | Iff(p,q) -> Iff(formsubst subfn p,formsubst subfn q)
  | Forall(x,p) -> formsubstq subfn (fun (x,p) -> Forall(x,p)) (x,p)
  | Exists(x,p) -> formsubstq subfn (fun (x,p) -> Exists(x,p)) (x,p)

and formsubstq subfn quant (x,p) =
  let subfn' = undefine x subfn in
  let x' = if exists
             (fun y -> mem x (fvt(tryapplyd subfn' y (Var y))))
             (subtract (fv p) [x])
           then variant x (fv(formsubst subfn' p)) else x in
  quant(x',formsubst ((x |-> Var x') subfn) p);;

(* ------------------------------------------------------------------------- *)
(* Examples.                                                                 *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
formsubst ("y" := Var "x") <>;;

formsubst ("y" := Var "x") < x = x'>>;;
END_INTERACTIVE;;
why-2.39/atp/herbrand.ml0000644000106100004300000003176413147234006014147 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

(* ========================================================================= *)
(* Relation between FOL and propositonal logic; Herbrand theorem.            *)
(*                                                                           *)
(* Copyright (c) 2003, John Harrison. (See "LICENSE.txt" for details.)       *)
(* ========================================================================= *)

(* ------------------------------------------------------------------------- *)
(* We want to generalize a formula before negating and refuting.             *)
(* ------------------------------------------------------------------------- *)

let generalize fm = itlist (fun x p -> Forall(x,p)) (fv fm) fm;;

(* ------------------------------------------------------------------------- *)
(* Propositional valuation.                                                  *)
(* ------------------------------------------------------------------------- *)

let pholds d fm = eval fm (fun p -> d(Atom p));;

(* ------------------------------------------------------------------------- *)
(* Characteristic function of Herbrand interpretation for p.                 *)
(* ------------------------------------------------------------------------- *)

let rec herbdom funcs tm =
  match tm with
    Var _ -> false
  | Fn(f,a) -> mem (f,length a) funcs & forall (herbdom funcs) a;;

(* ------------------------------------------------------------------------- *)
(* Get the constants for Herbrand base, adding nullary one if necessary.     *)
(* ------------------------------------------------------------------------- *)

let herbfuns fm =
  let cns,fns = partition (fun (_,ar) -> ar = 0) (functions fm) in
  if cns = [] then ["c",0],fns else cns,fns;;

(* ------------------------------------------------------------------------- *)
(* Enumeration of ground terms and m-tuples, ordered by total fns.           *)
(* ------------------------------------------------------------------------- *)

let rec groundterms cntms funcs n =
  if n = 0 then cntms else
  itlist (fun (f,m) -> (@)
                (map (fun args -> Fn(f,args))
                     (groundtuples cntms funcs (n - 1) m)))
         funcs []

and groundtuples cntms funcs n m =
  if m = 0 then if n = 0 then [[]] else [] else
  itlist (fun k -> (@)
                (allpairs (fun h t -> h::t)
                          (groundterms cntms funcs k)
                          (groundtuples cntms funcs (n - k) (m - 1))))
         (0 -- n) [];;

(* ------------------------------------------------------------------------- *)
(* Iterate modifier "mfn" over ground terms till "tfn" fails.                *)
(* ------------------------------------------------------------------------- *)

let rec herbloop mfn tfn fl0 cntms funcs fvs n fl tried tuples =
  print_string(string_of_int(length tried)^" ground instances tried; "^
               string_of_int(length fl)^" items in list");
  print_newline();
  match tuples with
    [] -> let newtups = groundtuples cntms funcs n (length fvs) in
          herbloop mfn tfn fl0 cntms funcs fvs (n + 1) fl tried newtups
  | tup::tups ->
          let fl' = mfn fl0 (formsubst(instantiate fvs tup)) fl in
          if not(tfn fl') then tup::tried else
          herbloop mfn tfn fl0 cntms funcs fvs n fl' (tup::tried) tups;;

(* ------------------------------------------------------------------------- *)
(* Hence a simple Gilmore-type procedure.                                    *)
(* ------------------------------------------------------------------------- *)

let gilmore_loop =
  let mfn djs0 ifn djs =
    filter (non contradictory) (distrib (smap (smap ifn) djs0) djs) in
  herbloop mfn (fun djs -> djs <> []);;

let gilmore fm =
  let sfm = skolemize(Not(generalize fm)) in
  let fvs = fv sfm and consts,funcs = herbfuns sfm in
  let cntms = smap (fun (c,_) -> Fn(c,[])) consts in
  length(gilmore_loop (simpdnf sfm) cntms funcs fvs 0 [[]] [] []);;

(* ------------------------------------------------------------------------- *)
(* First example and a little tracing.                                       *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
gilmore < P(y)>>;;

let sfm = skolemize(Not < P(y)>>);;

(* ------------------------------------------------------------------------- *)
(* Quick examples.                                                           *)
(* ------------------------------------------------------------------------- *)

let p19 = gilmore
 < Q(z)) ==> P(x) ==> Q(x)>>;;

let p24 = gilmore
 <<~(exists x. U(x) /\ Q(x)) /\
   (forall x. P(x) ==> Q(x) \/ R(x)) /\
   ~(exists x. P(x) ==> (exists x. Q(x))) /\
   (forall x. Q(x) /\ R(x) ==> U(x))
   ==> (exists x. P(x) /\ R(x))>>;;

let p39 = gilmore
 <<~(exists x. forall y. P(y,x) <=> ~P(y,y))>>;;

let p42 = gilmore
 <<~(exists y. forall x. P(x,y) <=> ~(exists z. P(x,z) /\ P(z,x)))>>;;

let p44 = gilmore
 <<(forall x. P(x) ==> (exists y. G(y) /\ H(x,y)) /\
   (exists y. G(y) /\ ~H(x,y))) /\
   (exists x. J(x) /\ (forall y. G(y) ==> H(x,y)))
   ==> (exists x. J(x) /\ ~P(x))>>;;

let p59 = gilmore
 <<(forall x. P(x) <=> ~P(f(x))) ==> (exists x. P(x) /\ ~P(f(x)))>>;;

(* ------------------------------------------------------------------------- *)
(* Slightly less easy examples.                                              *)
(* ------------------------------------------------------------------------- *)

let p45 = gilmore
 <<(forall x.
     P(x) /\ (forall y. G(y) /\ H(x,y) ==> J(x,y))
     ==> (forall y. G(y) /\ H(x,y) ==> R(y))) /\
   ~(exists y. L(y) /\ R(y)) /\
   (exists x. P(x) /\ (forall y. H(x,y) ==> L(y)) /\
                      (forall y. G(y) /\ H(x,y) ==> J(x,y)))
   ==> (exists x. P(x) /\ ~(exists y. G(y) /\ H(x,y)))>>;;

let p60 = gilmore
 <
             exists y. (forall z. P(z,y) ==> P(z,f(x))) /\ P(x,y)>>;;

let p43 = gilmore
 <<(forall x y. Q(x,y) <=> forall z. P(z,x) <=> P(z,y))
   ==> forall x y. Q(x,y) <=> Q(y,x)>>;;

END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* The Davis-Putnam procedure for first order logic.                         *)
(* ------------------------------------------------------------------------- *)

let clausal fm = smap (smap negate) (simpdnf(nnf(Not fm)));;

let dp_mfn cjs0 ifn cjs = union (smap (smap ifn) cjs0) cjs;;

let dp_loop = herbloop dp_mfn dpll;;

let davisputnam fm =
  let sfm = skolemize(Not(generalize fm)) in
  if sfm = False then 0
  else if sfm = True then failwith "davisputnam" else
  let fvs = fv sfm and consts,funcs = herbfuns sfm in
  let cntms = smap (fun (c,_) -> Fn(c,[])) consts in
  length(dp_loop (clausal sfm) cntms funcs fvs 0 [] [] []);;

(* ------------------------------------------------------------------------- *)
(* Show how much better than the Gilmore procedure this can be.              *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
let p20 = davisputnam
 <<(forall x y. exists z. forall w. P(x) /\ Q(y) ==> R(z) /\ U(w))
   ==> (exists x y. P(x) /\ Q(y)) ==> (exists z. R(z))>>;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Show the sensitivity to order: try also with variant suggested.           *)
(* ------------------------------------------------------------------------- *)

let rec herbloop' mfn tfn fl0 cntms funcs fvs n fl tried tuples =
  print_string(string_of_int(length tried)^" ground instances tried; "^
               string_of_int(length fl)^" items in list");
  print_newline();
  match tuples with
    [] -> let newtups = rev(groundtuples cntms funcs n (length fvs)) in
          herbloop' mfn tfn fl0 cntms funcs fvs (n + 1) fl tried newtups
  | tup::tups ->
          let fl' = mfn fl0 (formsubst(instantiate fvs tup)) fl in
          if not(tfn fl') then tup::tried else
          herbloop' mfn tfn fl0 cntms funcs fvs n fl' (tup::tried) tups;;

let dp_loop' =
  herbloop' (fun cjs0 ifn cjs -> union (smap (smap ifn) cjs0) cjs) dpll;;

let davisputnam' fm =
  let sfm = skolemize(Not(generalize fm)) in
  if sfm = False then 0
  else if sfm = True then failwith "davisputnam" else
  let fvs = fv sfm and consts,funcs = herbfuns sfm in
  let cntms = smap (fun (c,_) -> Fn(c,[])) consts in
  length(dp_loop' (clausal sfm) cntms funcs fvs 0 [] [] []);;

START_INTERACTIVE;;
let p36 = davisputnam
 <<(forall x. exists y. P(x,y)) /\
   (forall x. exists y. G(x,y)) /\
   (forall x y. P(x,y) \/ G(x,y)
                ==> (forall z. P(y,z) \/ G(y,z) ==> H(x,z)))
   ==> (forall x. exists y. H(x,y))>>;;

let p36 = davisputnam'
 <<(forall x. exists y. P(x,y)) /\
   (forall x. exists y. G(x,y)) /\
   (forall x y. P(x,y) \/ G(x,y)
                ==> (forall z. P(y,z) \/ G(y,z) ==> H(x,z)))
   ==> (forall x. exists y. H(x,y))>>;;

let p29 = davisputnam
 <<(exists x. P(x)) /\ (exists x. G(x)) ==>
   ((forall x. P(x) ==> H(x)) /\ (forall x. G(x) ==> J(x)) <=>
    (forall x y. P(x) /\ G(y) ==> H(x) /\ J(y)))>>;;

let p29 = davisputnam'
 <<(exists x. P(x)) /\ (exists x. G(x)) ==>
   ((forall x. P(x) ==> H(x)) /\ (forall x. G(x) ==> J(x)) <=>
    (forall x y. P(x) /\ G(y) ==> H(x) /\ J(y)))>>;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Try to cut out useless instantiations in final result.                    *)
(* ------------------------------------------------------------------------- *)

let rec dp_refine cjs0 fvs dunno need =
  match dunno with
    [] -> need
  | cl::dknow ->
      let mfn = dp_mfn cjs0 ** formsubst ** instantiate fvs in
      let need' =
       if dpll(itlist mfn (need @ dknow) []) then cl::need else need in
      dp_refine cjs0 fvs dknow need';;

let dp_refine_loop cjs0 cntms funcs fvs n cjs tried tuples =
  let tups = dp_loop cjs0 cntms funcs fvs n cjs tried tuples in
  dp_refine cjs0 fvs tups [];;

(* ------------------------------------------------------------------------- *)
(* Show how few of the instances we really need. Hence unification!          *)
(* ------------------------------------------------------------------------- *)

let davisputnam'' fm =
  let sfm = skolemize(Not(generalize fm)) in
  if sfm = False then 0
  else if sfm = True then failwith "davisputnam" else
  let fvs = fv sfm and consts,funcs = herbfuns sfm in
  let cntms = smap (fun (c,_) -> Fn(c,[])) consts in
  length(dp_refine_loop (clausal sfm) cntms funcs fvs 0 [] [] []);;

START_INTERACTIVE;;
let p36 = davisputnam''
 <<(forall x. exists y. P(x,y)) /\
   (forall x. exists y. G(x,y)) /\
   (forall x y. P(x,y) \/ G(x,y)
                ==> (forall z. P(y,z) \/ G(y,z) ==> H(x,z)))
   ==> (forall x. exists y. H(x,y))>>;;

let p29 = davisputnam''
 <<(exists x. P(x)) /\ (exists x. G(x)) ==>
   ((forall x. P(x) ==> H(x)) /\ (forall x. G(x) ==> J(x)) <=>
    (forall x y. P(x) /\ G(y) ==> H(x) /\ J(y)))>>;;
END_INTERACTIVE;;
why-2.39/atp/lib.ml0000644000106100004300000005064713147234006013131 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

(* ========================================================================= *)
(* Misc library functions to set up a nice environment.                      *)
(*                                                                           *)
(* Copyright (c) 2003, John Harrison. (See "LICENSE.txt" for details.)       *)
(* ========================================================================= *)

let identity x = x;;

(* ------------------------------------------------------------------------- *)
(* Function composition.                                                     *)
(* ------------------------------------------------------------------------- *)

let ( ** ) = fun f g x -> f(g x);;

(* ------------------------------------------------------------------------- *)
(* GCD and LCM on arbitrary-precision numbers.                               *)
(* ------------------------------------------------------------------------- *)

let gcd_num n1 n2 =
  abs_num(num_of_big_int
      (Big_int.gcd_big_int (big_int_of_num n1) (big_int_of_num n2)));;

let lcm_num n1 n2 = abs_num(n1 */ n2) // gcd_num n1 n2;;

(* ------------------------------------------------------------------------- *)
(* A useful idiom for "non contradictory" etc.                               *)
(* ------------------------------------------------------------------------- *)

let non p x = not(p x);;

(* ------------------------------------------------------------------------- *)
(* Repetition of a function.                                                 *)
(* ------------------------------------------------------------------------- *)

let rec funpow n f x =
  if n < 1 then x else funpow (n-1) f (f x);;

let can f x = try f x; true with Failure _ -> false;;

(* ------------------------------------------------------------------------- *)
(* Handy list operations.                                                    *)
(* ------------------------------------------------------------------------- *)

let rec (--) = fun m n -> if m > n then [] else m::((m + 1) -- n);;

let rec (---) = fun m n -> if m >/ n then [] else m::((m +/ Int 1) --- n);;

let rec map2 f l1 l2 =
  match (l1,l2) with
    [],[] -> []
  | (h1::t1),(h2::t2) -> let h = f h1 h2 in h::(map2 f t1 t2)
  | _ -> failwith "map2: length mismatch";;

let rev =
  let rec rev_append acc l =
    match l with
      [] -> acc
    | h::t -> rev_append (h::acc) t in
  fun l -> rev_append [] l;;

let hd l =
  match l with
   h::t -> h
  | _ -> failwith "hd";;

let tl l =
  match l with
   h::t -> t
  | _ -> failwith "tl";;

let rec itlist f l b =
  match l with
    [] -> b
  | (h::t) -> f h (itlist f t b);;

let rec end_itlist f l =
  match l with
        []     -> failwith "end_itlist"
      | [x]    -> x
      | (h::t) -> f h (end_itlist f t);;

let rec itlist2 f l1 l2 b =
  match (l1,l2) with
    ([],[]) -> b
  | (h1::t1,h2::t2) -> f h1 h2 (itlist2 f t1 t2 b)
  | _ -> failwith "itlist2";;

let rec zip l1 l2 =
  match (l1,l2) with
        ([],[]) -> []
      | (h1::t1,h2::t2) -> (h1,h2)::(zip t1 t2)
      | _ -> failwith "zip";;

let rec forall p l =
  match l with
    [] -> true
  | h::t -> p(h) & forall p t;;

let rec exists p l =
  match l with
    [] -> false
  | h::t -> p(h) or exists p t;;

let partition p l =
    itlist (fun a (yes,no) -> if p a then a::yes,no else yes,a::no) l ([],[]);;

let filter p l = fst(partition p l);;

let length =
  let rec len k l =
    if l = [] then k else len (k + 1) (tl l) in
  fun l -> len 0 l;;

let rec last l =
  match l with
    [x] -> x
  | (h::t) -> last t
  | [] -> failwith "last";;

let rec butlast l =
  match l with
    [_] -> []
  | (h::t) -> h::(butlast t)
  | [] -> failwith "butlast";;

let rec find p l =
  match l with
      [] -> failwith "find"
    | (h::t) -> if p(h) then h else find p t;;

let rec el n l =
  if n = 0 then hd l else el (n - 1) (tl l);;

let map f =
  let rec mapf l =
    match l with
      [] -> []
    | (x::t) -> let y = f x in y::(mapf t) in
  mapf;;

let rec allpairs f l1 l2 =
  itlist (fun x -> (@) (map (f x) l2)) l1 [];;

let distinctpairs l =
  filter (fun (a,b) -> a < b) (allpairs (fun a b -> a,b) l l);;

let rec chop_list n l =
  if n = 0 then [],l else
  try let m,l' = chop_list (n-1) (tl l) in (hd l)::m,l'
  with Failure _ -> failwith "chop_list";;

let replicate n a = map (fun x -> a) (1--n);;

let rec insertat i x l =
  if i = 0 then x::l else
  match l with
    [] -> failwith "insertat: list too short for position to exist"
  | h::t -> h::(insertat (i-1) x t);;

let rec forall2 p l1 l2 =
  match (l1,l2) with
    [],[] -> true
  | (h1::t1,h2::t2) -> p h1 h2 & forall2 p t1 t2
  | _ -> false;;

let index x =
  let rec ind n l =
    match l with
      [] -> failwith "index"
    | (h::t) -> if x = h then n else ind (n + 1) t in
  ind 0;;

let rec unzip l =
  match l with
    [] -> [],[]
  | (x,y)::t ->
      let xs,ys = unzip t in x::xs,y::ys;;

(* ------------------------------------------------------------------------- *)
(* Whether the first of two items comes earlier in the list.                 *)
(* ------------------------------------------------------------------------- *)

let rec earlier l x y =
  match l with
    h::t -> if h = y then false
              else if h = x then true
              else earlier t x y
  | [] -> false;;

(* ------------------------------------------------------------------------- *)
(* Application of (presumably imperative) function over a list.              *)
(* ------------------------------------------------------------------------- *)

let rec do_list f l =
  match l with
    [] -> ()
  | h::t -> f(h); do_list f t;;

(* ------------------------------------------------------------------------- *)
(* Association lists.                                                        *)
(* ------------------------------------------------------------------------- *)

let assoc x l = snd(find (fun p -> fst p = x) l);;

let rev_assoc x l = fst(find (fun p -> snd p = x) l);;

(* ------------------------------------------------------------------------- *)
(* Merging of sorted lists (maintaining repetitions).                        *)
(* ------------------------------------------------------------------------- *)

let rec merge ord l1 l2 =
  match l1 with
    [] -> l2
  | h1::t1 -> match l2 with
                [] -> l1
              | h2::t2 -> if ord h1 h2 then h1::(merge ord t1 l2)
                          else h2::(merge ord l1 t2);;

(* ------------------------------------------------------------------------- *)
(* Bottom-up mergesort.                                                      *)
(* ------------------------------------------------------------------------- *)

let sort ord =
  let rec mergepairs l1 l2 =
    match (l1,l2) with
        ([s],[]) -> s
      | (l,[]) -> mergepairs [] l
      | (l,[s1]) -> mergepairs (s1::l) []
      | (l,(s1::s2::ss)) -> mergepairs ((merge ord s1 s2)::l) ss in
  fun l -> if l = [] then [] else mergepairs [] (map (fun x -> [x]) l);;

(* ------------------------------------------------------------------------- *)
(* Common measure predicates to use with "sort".                             *)
(* ------------------------------------------------------------------------- *)

let increasing f x y = f x < f y;;

let decreasing f x y = f x > f y;;

(* ------------------------------------------------------------------------- *)
(* Eliminate repetitions of adjacent elements, with and without counting.    *)
(* ------------------------------------------------------------------------- *)

let rec uniq l =
  match l with
    (x::(y::_ as ys)) -> if x = y then uniq ys else x::(uniq ys)
   | _ -> l;;

let repetitions =
  let rec repcount n l =
    match l with
      x::(y::_ as ys) -> if y = x then repcount (n + 1) ys
                  else (x,n)::(repcount 1 ys)
    | [x] -> [x,n] in
  fun l -> if l = [] then [] else repcount 1 l;;

let rec tryfind f l =
  match l with
      [] -> failwith "tryfind"
    | (h::t) -> try f h with Failure _ -> tryfind f t;;

let rec mapfilter f l =
  match l with
    [] -> []
  | (h::t) -> let rest = mapfilter f t in
              try (f h)::rest with Failure _ -> rest;;

(* ------------------------------------------------------------------------- *)
(* Set operations on ordered lists.                                          *)
(* ------------------------------------------------------------------------- *)

let setify =
  let rec canonical lis =
     match lis with
       x::(y::_ as rest) -> x < y & canonical rest
     | _ -> true in
  fun l -> if canonical l then l else uniq (sort (<=) l);;

let union =
  let rec union l1 l2 =
    match (l1,l2) with
        ([],l2) -> l2
      | (l1,[]) -> l1
      | ((h1::t1 as l1),(h2::t2 as l2)) ->
          if h1 = h2 then h1::(union t1 t2)
          else if h1 < h2 then h1::(union t1 l2)
          else h2::(union l1 t2) in
  fun s1 s2 -> union (setify s1) (setify s2);;

let intersect =
  let rec intersect l1 l2 =
    match (l1,l2) with
        ([],l2) -> []
      | (l1,[]) -> []
      | ((h1::t1 as l1),(h2::t2 as l2)) ->
          if h1 = h2 then h1::(intersect t1 t2)
          else if h1 < h2 then intersect t1 l2
          else intersect l1 t2 in
  fun s1 s2 -> intersect (setify s1) (setify s2);;

let subtract =
  let rec subtract l1 l2 =
    match (l1,l2) with
        ([],l2) -> []
      | (l1,[]) -> l1
      | ((h1::t1 as l1),(h2::t2 as l2)) ->
          if h1 = h2 then subtract t1 t2
          else if h1 < h2 then h1::(subtract t1 l2)
          else subtract l1 t2 in
  fun s1 s2 -> subtract (setify s1) (setify s2);;

let subset,psubset =
  let rec subset l1 l2 =
    match (l1,l2) with
        ([],l2) -> true
      | (l1,[]) -> false
      | ((h1::t1 as l1),(h2::t2 as l2)) ->
          if h1 = h2 then subset t1 t2
          else if h1 < h2 then false
          else subset l1 t2
  and psubset l1 l2 =
    match (l1,l2) with
        (l1,[]) -> false
      | ([],l2) -> true
      | ((h1::t1 as l1),(h2::t2 as l2)) ->
          if h1 = h2 then psubset t1 t2
          else if h1 < h2 then false
          else subset l1 t2 in
  (fun s1 s2 -> subset (setify s1) (setify s2)),
  (fun s1 s2 -> psubset (setify s1) (setify s2));;

let rec set_eq s1 s2 = (setify s1 = setify s2);;

let insert x s = union [x] s;;

let smap f s = setify (map f s);;

(* ------------------------------------------------------------------------- *)
(* Union of a family of sets.                                                *)
(* ------------------------------------------------------------------------- *)

let unions s = setify(itlist (@) s []);;

(* ------------------------------------------------------------------------- *)
(* List membership. This does *not* assume the list is a set.                *)
(* ------------------------------------------------------------------------- *)

let rec mem x lis =
  match lis with
    [] -> false
  | (h::t) -> x = h or mem x t;;

(* ------------------------------------------------------------------------- *)
(* Finding all subsets or all subsets of a given size.                       *)
(* ------------------------------------------------------------------------- *)

let rec allsets m l =
  if m = 0 then [[]] else
  match l with
    [] -> []
  | h::t -> map (fun g -> h::g) (allsets (m - 1) t) @ allsets m t;;

let rec allsubsets s =
  match s with
    [] -> [[]]
  | (a::t) -> let res = allsubsets t in
              map (fun b -> a::b) res @ res;;

let allnonemptysubsets s = subtract (allsubsets s) [[]];;

(* ------------------------------------------------------------------------- *)
(* Explosion and implosion of strings.                                       *)
(* ------------------------------------------------------------------------- *)

let explode s =
  let rec exap n l =
     if n < 0 then l else
      exap (n - 1) ((String.sub s n 1) :: l) in
  exap (String.length s - 1) [];;

let implode l = itlist (^) l "";;

(* ------------------------------------------------------------------------- *)
(* Timing; useful for documentation but not logically necessary.             *)
(* ------------------------------------------------------------------------- *)

let time f x =
  let start_time = Sys.time() in
  let result = f x in
  let finish_time = Sys.time() in
  print_string
    ("CPU time (user): "^(string_of_float(finish_time -. start_time)));
  print_newline();
  result;;

(* ------------------------------------------------------------------------- *)
(* Representation of finite partial functions as balanced trees.             *)
(* Alas, there's no polymorphic one available in the standard library.       *)
(* So this is basically a copy of what's there.                              *)
(* ------------------------------------------------------------------------- *)

type ('a,'b)func =
    Empty
  | Node of ('a,'b)func * 'a * 'b * ('a,'b)func * int;;

let apply,undefined,(|->),undefine,dom,funset =
  let compare x y = if x = y then 0 else if x < y then -1 else 1 in
  let empty = Empty in
  let height = function
      Empty -> 0
    | Node(_,_,_,_,h) -> h in
  let create l x d r =
    let hl = height l and hr = height r in
    Node(l, x, d, r, (if hl >= hr then hl + 1 else hr + 1)) in
  let bal l x d r =
    let hl = match l with Empty -> 0 | Node(_,_,_,_,h) -> h in
    let hr = match r with Empty -> 0 | Node(_,_,_,_,h) -> h in
    if hl > hr + 2 then begin
      match l with
        Empty -> invalid_arg "Map.bal"
      | Node(ll, lv, ld, lr, _) ->
          if height ll >= height lr then
            create ll lv ld (create lr x d r)
          else begin
            match lr with
              Empty -> invalid_arg "Map.bal"
            | Node(lrl, lrv, lrd, lrr, _)->
                create (create ll lv ld lrl) lrv lrd (create lrr x d r)
          end
    end else if hr > hl + 2 then begin
      match r with
        Empty -> invalid_arg "Map.bal"
      | Node(rl, rv, rd, rr, _) ->
          if height rr >= height rl then
            create (create l x d rl) rv rd rr
          else begin
            match rl with
              Empty -> invalid_arg "Map.bal"
            | Node(rll, rlv, rld, rlr, _) ->
                create (create l x d rll) rlv rld (create rlr rv rd rr)
          end
    end else
      Node(l, x, d, r, (if hl >= hr then hl + 1 else hr + 1)) in
  let rec add x data = function
      Empty ->
        Node(Empty, x, data, Empty, 1)
    | Node(l, v, d, r, h) as t ->
        let c = compare x v in
        if c = 0 then
          Node(l, x, data, r, h)
        else if c < 0 then
          bal (add x data l) v d r
        else
          bal l v d (add x data r) in
  let rec find x = function
      Empty ->
        raise Not_found
    | Node(l, v, d, r, _) ->
        let c = compare x v in
        if c = 0 then d
        else find x (if c < 0 then l else r) in
  let rec mem x = function
      Empty ->
        false
    | Node(l, v, d, r, _) ->
        let c = compare x v in
        c = 0 or mem x (if c < 0 then l else r) in
  let rec merge t1 t2 =
    match (t1, t2) with
      (Empty, t) -> t
    | (t, Empty) -> t
    | (Node(l1, v1, d1, r1, h1), Node(l2, v2, d2, r2, h2)) ->
        bal l1 v1 d1 (bal (merge r1 l2) v2 d2 r2) in
  let rec remove x = function
      Empty ->
        Empty
    | Node(l, v, d, r, h) as t ->
        let c = compare x v in
        if c = 0 then
          merge l r
        else if c < 0 then
          bal (remove x l) v d r
        else
          bal l v d (remove x r) in
  let rec iter f = function
      Empty -> ()
    | Node(l, v, d, r, _) ->
        iter f l; f v d; iter f r in
  let rec map f = function
      Empty               -> Empty
    | Node(l, v, d, r, h) -> Node(map f l, v, f d, map f r, h) in
  let rec mapi f = function
      Empty               -> Empty
    | Node(l, v, d, r, h) -> Node(mapi f l, v, f v d, mapi f r, h) in
  let rec fold f m accu =
    match m with
      Empty -> accu
    | Node(l, v, d, r, _) ->
        fold f l (f v d (fold f r accu)) in
  let apply f x = try find x f with Not_found -> failwith "apply" in
  let undefined = Empty in
  let valmod x y f = add x y f in
  let undefine a f = remove a f in
  let dom f = setify(fold (fun x y a -> x::a) f []) in
  let funset f = setify(fold (fun x y a -> (x,y)::a) f []) in
apply,undefined,valmod,undefine,dom,funset;;

let tryapplyd f a d = try apply f a with Failure _ -> d;;
let tryapply f x = tryapplyd f x x;;
let tryapplyl f x = tryapplyd f x [];;
let (:=) = fun x y -> (x |-> y) undefined;;
let fpf assigs = itlist (fun x -> x) assigs undefined;;
let defined f x = can (apply f) x;;

(* ------------------------------------------------------------------------- *)
(* Install a (trivial) printer for finite partial functions.                 *)
(* ------------------------------------------------------------------------- *)

let print_fpf (f:('a,'b)func) = print_string "";;

START_INTERACTIVE;;
#install_printer print_fpf;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Related stuff for standard functions.                                     *)
(* ------------------------------------------------------------------------- *)

let valmod a y f x = if x = a then y else f(x);;

let undef x = failwith "undefined function";;

(* ------------------------------------------------------------------------- *)
(* Union-find algorithm.                                                     *)
(* ------------------------------------------------------------------------- *)

type ('a)pnode = Nonterminal of 'a | Terminal of 'a * int;;

type ('a)partition = Partition of ('a,('a)pnode)func;;

let rec terminus (Partition f as ptn) a =
  match (apply f a) with
    Nonterminal(b) -> terminus ptn b
  | Terminal(p,q) -> (p,q);;

let tryterminus ptn a =
  try terminus ptn a with Failure _ -> (a,0);;

let canonize ptn a = try fst(terminus ptn a) with Failure _ -> a;;

let equate (a,b) (Partition f as ptn) =
  let (a',na) = tryterminus ptn a
  and (b',nb) = tryterminus ptn b in
  Partition
   (if a' = b' then f else
    if na <= nb then
       itlist identity [a' |-> Nonterminal b'; b' |-> Terminal(b',na+nb)] f
    else
       itlist identity [b' |-> Nonterminal a'; a' |-> Terminal(a',na+nb)] f);;

let unequal = Partition undefined;;

let equated (Partition f) = dom f;;

(* ------------------------------------------------------------------------- *)
(* First number starting at n for which p succeeds.                          *)
(* ------------------------------------------------------------------------- *)

let rec first n p = if p(n) then n else first (n +/ Int 1) p;;
why-2.39/atp/Makefile0000644000106100004300000000403213147234006013454 0ustar  marchevals# List of ML files to compile as a library. This leaves out the following
# which are probably not much use:
#
# sigma.ml       (Sigma-formulas and evaluator-by-proof)
# turing.ml      (OCaml implementation of Turing machines)
# undecidable.ml (Proofs related to undecidability results)
# bhk.ml         (Trivial instance of BHK interpretation)
# many.ml        (Example relevant to many-sorted logic)
# hol.ml         (Simple higher order logic setup)

#MLFILES = lib.ml intro.ml formulas.ml prop.ml propexamples.ml           \
          defcnf.ml dp.ml stal.ml bdd.ml fol.ml skolem.ml               \
          herbrand.ml unif.ml tableaux.ml resolution.ml prolog.ml       \
          meson.ml skolems.ml equal.ml cong.ml rewrite.ml               \
          order.ml completion.ml orewrite.ml eqelim.ml                  \
          paramodulation.ml decidable.ml qelim.ml cooper.ml             \
          complex.ml grobner.ml real.ml geom.ml interpolation.ml        \
          combining.ml transition.ml temporal.ml model.ml ltl.ml        \
          ste.ml lcf.ml hilbert.ml lcfprop.ml lcffol.ml checking.ml     \
          tactics.ml

MLFILES = lib.ml intro.ml formulas.ml prop.ml propexamples.ml           \
	  defcnf.ml dp.ml fol.ml skolem.ml herbrand.ml qelim.ml         \
	  cooper.ml fourier_motzkin.ml

# The default is to build a bytecode executable

bytecode: example.ml atp.cmo; ocamlc -o example nums.cma atp.cmo example.ml

# Alternatively, produce native code

compiled: example.ml atp.cmx; ocamlopt -o example nums.cmxa atp.cmx example.ml

# Make the appropriate object for the main body of code

atp.cmx: atp.ml; ocamlopt -w ax -c atp.ml

atp.cmo: atp.ml; ocamlc -w ax -c atp.ml

# Make the camlp4 quotation expander

Quotexpander.cmo: Quotexpander.ml; ocamlc -I +camlp4 -c Quotexpander.ml

# Extract the non-interactive part of the code

atp.ml: $(MLFILES); ./Mk_ml_file $(MLFILES) >atp.ml

# Clean up

clean:; -rm -f atp.cma atp.cmi atp.cmo atp.cmx atp.o atp.ml example example.cmi example.cmo example.cmx example.o Quotexpander.cmo Quotexpander.cmi
why-2.39/atp/fourier_motzkin.ml0000644000106100004300000001631113147234006015577 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

(* ========================================================================= *)
(* Fourier-Motzkin elimination for integers.                                 *)
(* ========================================================================= *)

(* We use the functions already defined in [qelim.ml] and [cooper.ml]. *)

(* ------------------------------------------------------------------------- *)
(* Linearize the atoms in a formula, and eliminate strict inequalities.      *)
(* ------------------------------------------------------------------------- *)

let mkatom vars p t = Atom(R(p,[Fn("0",[]);lint vars t]));;

let linform vars fm =
  match fm with
    Atom(R("=",[s;t])) -> mkatom vars "=" (Fn("-",[t;s]))
  | Atom(R("<=",[s;t])) -> mkatom vars "<=" (Fn("-",[t;s]))
  | Atom(R(">=",[s;t])) -> mkatom vars "<=" (Fn("-",[s;t]))
  | Atom(R("<",[s;t])) ->
        mkatom vars "<=" (Fn("-",[Fn("-",[t;Fn("1",[])]);s]))
  | Atom(R(">",[s;t])) ->
        mkatom vars "<=" (Fn("-",[Fn("-",[s;Fn("1",[])]);t]))
  | _ -> fm;;

(* ------------------------------------------------------------------------- *)
(* Post-NNF transformation eliminating negated inequalities.                 *)
(* ------------------------------------------------------------------------- *)

let rec posineq fm =
  match fm with
  | Not(Atom(R("<=",[Fn("0",[]); t]))) ->
        Atom(R("<=",[Fn("0",[]); linear_sub [] (Fn("-1",[])) t]))
  | Not(Atom(R("=",[Fn("0",[]); t]))) ->
        Or(Atom(R("<=",[Fn("0",[]); linear_sub [] (Fn("-1",[])) t])),
	   Atom(R("<=",[Fn("0",[]); linear_add [] (Fn("-1",[])) t])))
  | _ -> fm;;

(* ------------------------------------------------------------------------- *)
(* Adjust all coefficients of x in formula; fold in reduction to +/- 1.      *)
(* ------------------------------------------------------------------------- *)

let rec adjustcoeff x l fm =
  match fm with
    Atom(R(p,[d; Fn("+",[Fn("*",[c;y]);z])])) when y = x ->
        let m = l // dest_numeral c in
        let n = if p = "<=" then abs_num(m) else m in
        let xtm = Fn("*",[mk_numeral(m // n); x]) in
        Atom(R(p,[linear_cmul (abs_num m) d;
                Fn("+",[xtm; linear_cmul n z])]))
  | Not(p) -> Not(adjustcoeff x l p)
  | And(p,q) -> And(adjustcoeff x l p,adjustcoeff x l q)
  | Or(p,q) -> Or(adjustcoeff x l p,adjustcoeff x l q)
  | _ -> fm;;

(* ------------------------------------------------------------------------- *)
(* Make coefficient of x one in existential formula.                         *)
(* ------------------------------------------------------------------------- *)

let unitycoeff x fm =
  let l = formlcm x fm in
  let fm' = adjustcoeff x l fm in
  if l =/ Int 1 then fm' else
  adjustcoeff x l fm;;

(* ------------------------------------------------------------------------- *)
(* Isolate x on left-hand-side and replace.                                  *)
(* ------------------------------------------------------------------------- *)

let isolate x fm =
  match fm with
    Atom(R(p,[_;Fn("+",[Fn("*",[c;y]);z])])) when y = x ->
      let c = mk_numeral (Int 0 -/ dest_numeral c) in
      Atom(R(p,[Fn("*",[c;y]);z]))
  | Atom(R(p,[zero;Fn("*",[c;y])])) when y = x ->
      let c = mk_numeral (Int 0 -/ dest_numeral c) in
      Atom(R(p,[Fn("*",[c;y]);zero]))
  | _ -> 
      printer fm;
      assert false

let replace vars x t fm =
  match fm with
    Atom(R(p,[Fn("*",[c;y]);z])) when y = x ->
      let t = if dest_numeral c >/ Int 0 then t else linear_neg t in
      linform vars (Atom(R(p,[t;z])))
  | _ -> assert false

(* ------------------------------------------------------------------------- *)
(* This is the base function.                                                *)
(* ------------------------------------------------------------------------- *)

let fourier vars fm =
  match fm with
    Exists(x0,p0) ->
      let x = Var x0 in
      let p = unitycoeff x p0 in
      let cjs = map (isolate x) (conjuncts p) in
      try let eqn = find
            (function (Atom(R("=",_))) -> true | _ -> false) cjs in
          let (Atom(R("=",[s;t]))) = eqn in
	  let (Fn("*",[c;_])) = s in
	  let y = if dest_numeral c =/ Int 1 then t else linear_neg t in 
          list_conj(map (replace vars x y) (subtract cjs [eqn]))
      with Failure _ ->
        let l,r =
          partition 
	    (fun (Atom(R("<=",[Fn("*",[c;_]);t]))) -> 
	      dest_numeral c =/ Int (-1)) cjs 
	in
        let lefts = map (fun (Atom(R("<=",[_;l]))) -> linear_neg l) l
        and rights = map (fun (Atom(R("<=",[_;r]))) -> r) r in
        list_conj(allpairs 
	  (fun l r -> Atom(R("<=",[Fn("0",[]); linear_sub vars r l])))
          lefts rights)
  | _ -> failwith "fourier";;

(* ------------------------------------------------------------------------- *)
(* Overall quelim procedure.                                                 *)
(* ------------------------------------------------------------------------- *)

let fourier_qelim =
  simplify ** evalc **
  lift_qelim linform (dnf ** cnnf posineq ** evalc) fourier;;

(*
Local Variables:
compile-command: "LC_ALL=C ocamlc -I . fourier_motzkin.ml"
End:
*)
why-2.39/atp/cooper.ml0000644000106100004300000004415213147234006013644 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

(* ========================================================================= *)
(* Cooper's algorithm for Presburger arithmetic.                             *)
(*                                                                           *)
(* Copyright (c) 2003, John Harrison. (See "LICENSE.txt" for details.)       *)
(* ========================================================================= *)

(* ------------------------------------------------------------------------- *)
(* Lift operations up to numerals.                                           *)
(* ------------------------------------------------------------------------- *)

let mk_numeral n = Fn(string_of_num n,[]);;

let dest_numeral =
  function (Fn(ns,[])) -> num_of_string ns
         | _ -> failwith "dest_numeral";;

let is_numeral = can dest_numeral;;

let numeral1 fn n = mk_numeral(fn(dest_numeral n));;

let numeral2 fn m n = mk_numeral(fn (dest_numeral m) (dest_numeral n));;

(* ------------------------------------------------------------------------- *)
(* Operations on canonical linear terms c1 * x1 + ... + cn * xn + k          *)
(*                                                                           *)
(* Note that we're quite strict: the ci must be present even if 1            *)
(* (but if 0 we expect the monomial to be omitted) and k must be there       *)
(* even if it's zero. Thus, it's a constant iff not an addition term.        *)
(* ------------------------------------------------------------------------- *)

let rec linear_cmul n tm =
  if n =/ Int 0 then Fn("0",[]) else
  match tm with
    Fn("+",[Fn("*",[c1; x1]); rest]) ->
        Fn("+",[Fn("*",[numeral1 (( */ ) n) c1; x1]);
                        linear_cmul n rest])
  | k -> numeral1 (( */ ) n) k;;

let earlierv vars (Var x) (Var y) = earlier vars x y;;

let rec linear_add vars tm1 tm2 =
  match (tm1,tm2) with
   (Fn("+",[Fn("*",[c1; x1]); rest1]),
    Fn("+",[Fn("*",[c2; x2]); rest2])) ->
        if x1 = x2 then
          let c = numeral2 (+/) c1 c2 in
          if c = Fn("0",[]) then linear_add vars rest1 rest2
          else Fn("+",[Fn("*",[c; x1]); linear_add vars rest1 rest2])
        else if earlierv vars x1 x2 then
          Fn("+",[Fn("*",[c1; x1]); linear_add vars rest1 tm2])
        else
          Fn("+",[Fn("*",[c2; x2]); linear_add vars tm1 rest2])
  | (Fn("+",[Fn("*",[c1; x1]); rest1]),_) ->
        Fn("+",[Fn("*",[c1; x1]); linear_add vars rest1 tm2])
  | (_,Fn("+",[Fn("*",[c2; x2]); rest2])) ->
        Fn("+",[Fn("*",[c2; x2]); linear_add vars tm1 rest2])
  | _ -> numeral2 (+/) tm1 tm2;;

let linear_neg tm = linear_cmul (Int(-1)) tm;;

let linear_sub vars tm1 tm2 = linear_add vars tm1 (linear_neg tm2);;

(* ------------------------------------------------------------------------- *)
(* Linearize a term.                                                         *)
(* ------------------------------------------------------------------------- *)

let rec lint vars tm =
  match tm with
    Var x -> Fn("+",[Fn("*",[Fn("1",[]); tm]); Fn("0",[])])
  | Fn("-",[t]) -> linear_neg (lint vars t)
  | Fn("+",[s;t]) -> linear_add vars (lint vars s) (lint vars t)
  | Fn("-",[s;t]) -> linear_sub vars (lint vars s) (lint vars t)
  | Fn("*",[s;t]) ->
        let s' = lint vars s and t' = lint vars t in
        if is_numeral s' then linear_cmul (dest_numeral s') t'
        else if is_numeral t' then linear_cmul (dest_numeral t') s'
        else failwith "lint: apparent nonlinearity"
  | _ -> if is_numeral tm then tm else failwith "lint: unknown term";;

(* ------------------------------------------------------------------------- *)
(* Linearize the atoms in a formula, and eliminate non-strict inequalities.  *)
(* ------------------------------------------------------------------------- *)

let mkatom vars p t = Atom(R(p,[Fn("0",[]);lint vars t]));;

let linform vars fm =
  match fm with
    Atom(R("divides",[c;t])) ->
        let c' = mk_numeral(abs_num(dest_numeral c)) in
        Atom(R("divides",[c';lint vars t]))
  | Atom(R("=",[s;t])) -> mkatom vars "=" (Fn("-",[t;s]))
  | Atom(R("<",[s;t])) -> mkatom vars "<" (Fn("-",[t;s]))
  | Atom(R(">",[s;t])) -> mkatom vars "<" (Fn("-",[s;t]))
  | Atom(R("<=",[s;t])) ->
        mkatom vars "<" (Fn("-",[Fn("+",[t;Fn("1",[])]);s]))
  | Atom(R(">=",[s;t])) ->
        mkatom vars "<" (Fn("-",[Fn("+",[s;Fn("1",[])]);t]))
  | _ -> fm;;

(* ------------------------------------------------------------------------- *)
(* Post-NNF transformation eliminating negated inequalities.                 *)
(* ------------------------------------------------------------------------- *)

let rec posineq fm =
  match fm with
  | Not(Atom(R("<",[Fn("0",[]); t]))) ->
        Atom(R("<",[Fn("0",[]); linear_sub [] (Fn("1",[])) t]))
  | _ -> fm;;

(* ------------------------------------------------------------------------- *)
(* Find the LCM of the coefficients of x.                                    *)
(* ------------------------------------------------------------------------- *)

let rec formlcm x fm =
  match fm with
    Atom(R(p,[_;Fn("+",[Fn("*",[c;y]);z])])) when y = x ->
        abs_num(dest_numeral c)
  | Not(p) -> formlcm x p
  | And(p,q) -> lcm_num (formlcm x p) (formlcm x q)
  | Or(p,q) -> lcm_num (formlcm x p) (formlcm x q)
  | _ -> Int 1;;

(* ------------------------------------------------------------------------- *)
(* Adjust all coefficients of x in formula; fold in reduction to +/- 1.      *)
(* ------------------------------------------------------------------------- *)

let rec adjustcoeff x l fm =
  match fm with
    Atom(R(p,[d; Fn("+",[Fn("*",[c;y]);z])])) when y = x ->
        let m = l // dest_numeral c in
        let n = if p = "<" then abs_num(m) else m in
        let xtm = Fn("*",[mk_numeral(m // n); x]) in
        Atom(R(p,[linear_cmul (abs_num m) d;
                Fn("+",[xtm; linear_cmul n z])]))
  | Not(p) -> Not(adjustcoeff x l p)
  | And(p,q) -> And(adjustcoeff x l p,adjustcoeff x l q)
  | Or(p,q) -> Or(adjustcoeff x l p,adjustcoeff x l q)
  | _ -> fm;;

(* ------------------------------------------------------------------------- *)
(* Hence make coefficient of x one in existential formula.                   *)
(* ------------------------------------------------------------------------- *)

let unitycoeff x fm =
  let l = formlcm x fm in
  let fm' = adjustcoeff x l fm in
  if l =/ Int 1 then fm' else
  let xp = Fn("+",[Fn("*",[Fn("1",[]);x]); Fn("0",[])]) in
  And(Atom(R("divides",[mk_numeral l; xp])),adjustcoeff x l fm);;

(* ------------------------------------------------------------------------- *)
(* The "minus infinity" version.                                             *)
(* ------------------------------------------------------------------------- *)

let rec minusinf x fm =
  match fm with
    Atom(R("=",[Fn("0",[]); Fn("+",[Fn("*",[Fn("1",[]);y]);z])]))
        when y = x -> False
  | Atom(R("<",[Fn("0",[]); Fn("+",[Fn("*",[pm1;y]);z])])) when y = x ->
        if pm1 = Fn("1",[]) then False else True
  | Not(p) -> Not(minusinf x p)
  | And(p,q) -> And(minusinf x p,minusinf x q)
  | Or(p,q) -> Or(minusinf x p,minusinf x q)
  | _ -> fm;;

(* ------------------------------------------------------------------------- *)
(* The LCM of all the divisors that involve x.                               *)
(* ------------------------------------------------------------------------- *)

let rec divlcm x fm =
  match fm with
    Atom(R("divides",[d;Fn("+",[Fn("*",[c;y]);z])])) when y = x ->
        dest_numeral d
  | Not(p) -> divlcm x p
  | And(p,q) -> lcm_num (divlcm x p) (divlcm x q)
  | Or(p,q) -> lcm_num (divlcm x p) (divlcm x q)
  | _ -> Int 1;;

(* ------------------------------------------------------------------------- *)
(* Construct the B-set.                                                      *)
(* ------------------------------------------------------------------------- *)

let rec bset x fm =
  match fm with
    Not(Atom(R("=",[Fn("0",[]); Fn("+",[Fn("*",[Fn("1",[]);y]);a])])))
    when y = x -> [linear_neg a]
  | Atom(R("=",[Fn("0",[]); Fn("+",[Fn("*",[Fn("1",[]);y]);a])]))
    when y = x -> [linear_neg(linear_add [] a (Fn("1",[])))]
  | Atom(R("<",[Fn("0",[]); Fn("+",[Fn("*",[Fn("1",[]);y]);a])]))
    when y = x -> [linear_neg a]
  | Not(p) -> bset x p
  | And(p,q) -> union (bset x p) (bset x q)
  | Or(p,q) -> union (bset x p) (bset x q)
  | _ -> [];;

(* ------------------------------------------------------------------------- *)
(* Replace top variable with another linear form, retaining canonicality.    *)
(* ------------------------------------------------------------------------- *)

let rec linrep vars x t fm =
  match fm with
    Atom(R(p,[d; Fn("+",[Fn("*",[c;y]);z])])) when y = x ->
        let ct = linear_cmul (dest_numeral c) t in
        Atom(R(p,[d; linear_add vars ct z]))
  | Not(p) -> Not(linrep vars x t p)
  | And(p,q) -> And(linrep vars x t p,linrep vars x t q)
  | Or(p,q) -> Or(linrep vars x t p,linrep vars x t q)
  | _ -> fm;;

(* ------------------------------------------------------------------------- *)
(* Evaluation of constant expressions.                                       *)
(* ------------------------------------------------------------------------- *)

let operations =
  ["=",(=/); "<",(",(>/); "<=",(<=/); ">=",(>=/);
   "divides",(fun x y -> mod_num y x =/ Int 0)];;

let evalc_atom at =
  match at with
    R(p,[s;t]) ->
        (try if assoc p operations (dest_numeral s) (dest_numeral t)
             then True else False
         with Failure _ -> Atom at)
  | _ -> Atom at;;

let evalc = onatoms evalc_atom;;

(* ------------------------------------------------------------------------- *)
(* Hence the core quantifier elimination procedure.                          *)
(* ------------------------------------------------------------------------- *)

let cooper vars fm =
  match fm with
   Exists(x0,p0) ->
        let x = Var x0 in
        let p = unitycoeff x p0 in
        let p_inf = simplify(minusinf x p) and bs = bset x p
        and js = Int 1 --- divlcm x p in
        let p_element j b =
          linrep vars x (linear_add vars b (mk_numeral j)) p in
        let stage j = list_disj
           (linrep vars x (mk_numeral j) p_inf ::
            map (p_element j) bs) in
        list_disj (map stage js)
  | _ -> failwith "cooper: not an existential formula";;

(* ------------------------------------------------------------------------- *)
(* Overall function.                                                         *)
(* ------------------------------------------------------------------------- *)

let integer_qelim =
  simplify ** evalc **
  lift_qelim linform (cnnf posineq ** evalc) cooper;;

(* ------------------------------------------------------------------------- *)
(* Examples.                                                                 *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
integer_qelim < 2 * x + 1 < 2 * y>>;;

integer_qelim <>;;

integer_qelim < 0 /\ y >= 0 /\ 3 * x - 5 * y = 1>>;;

integer_qelim <>;;

integer_qelim < a <= x>>;;

integer_qelim < b < 3 * x>>;;

time integer_qelim < 2 * x + 1 < 2 * y>>;;

time integer_qelim <<(exists d. y = 65 * d) ==> (exists d. y = 5 * d)>>;;

time integer_qelim
  < (exists d. y = 5 * d)>>;;

time integer_qelim <>;;

time integer_qelim
  < x + y + z > 129>>;;

time integer_qelim < b < x>>;;

time integer_qelim < b < x>>;;

(* ------------------------------------------------------------------------- *)
(* Formula examples from Cooper's paper.                                     *)
(* ------------------------------------------------------------------------- *)

time integer_qelim <>;;

time integer_qelim <>;;

time integer_qelim <>;;

time integer_qelim
  < b + 1)>>;;

time integer_qelim
  < 1 /\ 13 * x - y > 1 /\ x + 2 < 0>>;;

(* ------------------------------------------------------------------------- *)
(* Some more.                                                                *)
(* ------------------------------------------------------------------------- *)

time integer_qelim <= 0 /\ y >= 0
                  ==> 12 * x - 8 * y < 0 \/ 12 * x - 8 * y > 2>>;;

time integer_qelim <>;;

time integer_qelim <>;;

time integer_qelim <= 0 /\ y >= 0 /\ 5 * x - 6 * y = 1>>;;


time integer_qelim <>;;

time integer_qelim <= 0 /\ y >= 0 /\ 5 * x - 3 * y = 1>>;;

time integer_qelim <= 0 /\ y >= 0 /\ 3 * x - 5 * y = 1>>;;

time integer_qelim <= 0 /\ y >= 0 /\ 6 * x - 3 * y = 1>>;;

time integer_qelim
  < 5 * y < 6 * x \/ 5 * y > 6 * x>>;;

time integer_qelim
  < ~(6 * x = 5 * y)>>;;

time integer_qelim < ~(6 * x = 5 * y)>>;;

time integer_qelim <>;;

time integer_qelim < exists d. y = 3 * d>>;;

time integer_qelim <<6 * x = 5 * y ==> exists d. y = 3 * d>>;;

(* ------------------------------------------------------------------------- *)
(* Positive variant of the Bezout theorem.                                   *)
(* ------------------------------------------------------------------------- *)

time integer_qelim
  < 7 ==> exists x y. x >= 0 /\ y >= 0 /\ 3 * x + 5 * y = z>>;;

time integer_qelim
  < 2 ==> exists x y. x >= 0 /\ y >= 0 /\ 3 * x + 5 * y = z>>;;

time integer_qelim
  < ((exists x y. x >= 0 /\ y >= 0 /\ 3 * x + 5 * y = z) <=>
             ~(exists x y. x >= 0 /\ y >= 0 /\ 3 * x + 5 * y = 7 - z))>>;;

(* ------------------------------------------------------------------------- *)
(* Basic result about congruences.                                           *)
(* ------------------------------------------------------------------------- *)

time integer_qelim
  <
              divides(12,x-1) \/ divides(12,x-7)>>;;

time integer_qelim
  <
              (exists m. x = 12 * m + 1) \/ (exists m. x = 12 * m + 7)>>;;

(* ------------------------------------------------------------------------- *)
(* Something else.                                                           *)
(* ------------------------------------------------------------------------- *)

time integer_qelim
 < divides(4,x-1) \/
            divides(8,x-1) \/
            divides(8,x-3) \/
            divides(6,x-1) \/
            divides(14,x-1) \/
            divides(14,x-9) \/
            divides(14,x-11) \/
            divides(24,x-5) \/
            divides(24,x-11)>>;;

(* ------------------------------------------------------------------------- *)
(* Testing fix for an earlier version.                                       *)
(* ------------------------------------------------------------------------- *)

(integer_qelim ** generalize)
  < false>>;;

(* ------------------------------------------------------------------------- *)
(* Inspired by the Collatz conjecture.                                       *)
(* ------------------------------------------------------------------------- *)

integer_qelim
  <>;;

integer_qelim
 < 1 /\ b > 1 /\
               ((2 * b = a) \/ (2 * b = 3 * a + 1)) /\
               (a = b)>>;;

END_INTERACTIVE;;
why-2.39/atp/intro.ml0000644000106100004300000002624413147234006013512 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

(* ========================================================================= *)
(* Simple algebraic expression example from the introductory chapter.        *)
(*                                                                           *)
(* Copyright (c) 2003, John Harrison. (See "LICENSE.txt" for details.)       *)
(* ========================================================================= *)

type expression =
   Var of string
 | Const of int
 | Add of expression * expression
 | Mul of expression * expression;;

(* ------------------------------------------------------------------------- *)
(* Trivial example of using the type constructors.                           *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
Add(Mul(Const 2,Var "x"),Var "y");;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Simplification example.                                                   *)
(* ------------------------------------------------------------------------- *)

let simplify1 expr =
  match expr with
    Add(Const(m),Const(n)) -> Const(m + n)
  | Mul(Const(m),Const(n)) -> Const(m * n)
  | Add(Const(0),x) -> x
  | Add(x,Const(0)) -> x
  | Mul(Const(0),x) -> Const(0)
  | Mul(x,Const(0)) -> Const(0)
  | Mul(Const(1),x) -> x
  | Mul(x,Const(1)) -> x
  | _ -> expr;;

let rec simplify expr =
  match expr with
    Add(e1,e2) -> simplify1(Add(simplify e1,simplify e2))
  | Mul(e1,e2) -> simplify1(Mul(simplify e1,simplify e2))
  | _ -> expr;;

(* ------------------------------------------------------------------------- *)
(* Example.                                                                  *)
(* ------------------------------------------------------------------------- *)
START_INTERACTIVE;;
let e = Add(Mul(Add(Mul(Const(0),Var "x"),Const(1)),Const(3)),
            Const(12));;
simplify e;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Lexical analysis.                                                         *)
(* ------------------------------------------------------------------------- *)

let matches s = let chars = explode s in fun c -> mem c chars;;

let space = matches " \t\n"
and punctuation = matches "()[]{},"
and symbolic = matches "~`!@#$%^&*-+=|\\:;<>.?/"
and numeric = matches "0123456789"
and alphanumeric = matches
  "abcdefghijklmnopqrstuvwxyz_'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";;

let rec lexwhile prop inp =
  match inp with
    [] -> "",[]
  | c::cs ->
        if prop c then let tok,rest = lexwhile prop cs in c^tok,rest
        else "",inp;;

let rec lex inp =
  let _,inp1 = lexwhile space inp in
  match inp1 with
    [] -> []
  | c::cs -> let prop =
               if alphanumeric(c) then alphanumeric
               else if symbolic(c) then symbolic
               else if punctuation(c) then (fun c -> false)
               else failwith "Unknown character in input" in
             let toktl,rest = lexwhile prop cs in
             (c^toktl)::lex rest;;

START_INTERACTIVE;;
lex(explode "2*((var_1 + x') + 11)");;
lex(explode "if (*p1-- == *p2++) then f() else g()");;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Parsing.                                                                  *)
(* ------------------------------------------------------------------------- *)

let rec parse_expression inp =
  let e1,inp1 = parse_product inp in
  if inp1 <> [] & hd inp1 = "+" then
     let e2,inp2 = parse_expression (tl inp1) in Add(e1,e2),inp2
  else e1,inp1

and parse_product inp =
  let e1,inp1 = parse_atom inp in
  if inp1 <> [] & hd inp1 = "*" then
     let e2,inp2 = parse_product (tl inp1) in Mul(e1,e2),inp2
  else e1,inp1

and parse_atom inp =
  match inp with
    [] -> failwith "Expected an expression at end of input"
  | tok::toks ->
        if tok = "(" then
           let e,inp1 = parse_expression toks in
           if inp1 <> [] & hd inp1 = ")" then e,tl inp1
           else failwith "Expected closing bracket"
        else if forall numeric (explode tok) then
           Const(int_of_string tok),toks
        else Var(tok),toks;;

(* ------------------------------------------------------------------------- *)
(* Generic function to impose lexing and exhaustion checking on a parser.    *)
(* ------------------------------------------------------------------------- *)

let make_parser pfn s =
  let expr,rest = pfn (lex(explode s)) in
  if rest = [] then expr else failwith "Unparsed input";;

(* ------------------------------------------------------------------------- *)
(* Our parser.                                                               *)
(* ------------------------------------------------------------------------- *)

let parsee = make_parser parse_expression;;

(* ------------------------------------------------------------------------- *)
(* Examples.                                                                 *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
parsee "x + 1";;

parsee "(x1 + x2 + x3) * (1 + 2 + 3 * x + y)";;

END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Conservatively bracketing first attempt at printer.                       *)
(* ------------------------------------------------------------------------- *)

let rec string_of_exp e =
  match e with
    Var s -> s
  | Const n -> string_of_int n
  | Add(e1,e2) -> "("^(string_of_exp e1)^" + "^(string_of_exp e2)^")"
  | Mul(e1,e2) -> "("^(string_of_exp e1)^" * "^(string_of_exp e2)^")";;

(* ------------------------------------------------------------------------- *)
(* Examples.                                                                 *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
string_of_exp(parsee "x + 3 * y");;
let e = parsee "3 * (y + z) + 7 * 4";;
parsee(string_of_exp e) = e;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Somewhat better attempt.                                                  *)
(* ------------------------------------------------------------------------- *)

let rec string_of_exp pr e =
  match e with
    Var s -> s
  | Const n -> string_of_int n
  | Add(e1,e2) ->
        let s = (string_of_exp 3 e1)^" + "^(string_of_exp 2 e2) in
        if pr > 2 then "("^s^")" else s
  | Mul(e1,e2) ->
        let s = (string_of_exp 5 e1)^" * "^(string_of_exp 4 e2) in
        if pr > 4 then "("^s^")" else s;;

(* ------------------------------------------------------------------------- *)
(* Examples.                                                                 *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
string_of_exp 0 (parsee "x + 3 * y");;
string_of_exp 0 (parsee "(x + 3) * y");;
string_of_exp 0 (parsee "1 + 2 + 3");;
string_of_exp 0 (parsee "((1 + 2) + 3) + 4");;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Example shows the problem.                                                *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
let e = parsee "(x1 + x2 + x3 + x4 + x5 + x6 + x7 + x8 + x9 + x10) *
                (y1 + y2 + y3 + y4 + y5 + y6 + y7 + y8 + y9 + y10)";;

string_of_exp 0 e;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Real printer with proper line breaks.                                     *)
(* ------------------------------------------------------------------------- *)

let rec print_exp pr e =
  match e with
    Var s -> print_string s
  | Const n -> print_int n
  | Add(e1,e2) ->
        if pr > 2 then (print_string "("; open_box 0) else ();
        print_exp 3 e1;
        print_string " +"; print_space();
        print_exp 2 e2;
        if pr > 2 then (close_box(); print_string ")") else ()
  | Mul(e1,e2) ->
        if pr > 4 then (print_string "("; open_box 0) else ();
        print_exp 5 e1;
        print_string " *"; print_space();
        print_exp 4 e2;
        if pr > 4 then (close_box(); print_string ")") else ();;

let print_expression e =
  open_box 0; print_string "<<";
              open_box 0; print_exp 0 e; close_box();
  print_string ">>"; close_box();;

(* ------------------------------------------------------------------------- *)
(* Also set up parsing of quotations.                                        *)
(* ------------------------------------------------------------------------- *)

let default_parser = parsee;;

(* ------------------------------------------------------------------------- *)
(* Examples.                                                                 *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
print_expression(Mul(Const 3,Add(Mul(e,e),Mul(e,e))));;

#install_printer print_expression;;

parsee "3 + x * y";;

<<3 + x * y>>;;

END_INTERACTIVE;;
why-2.39/atp/dp.ml0000644000106100004300000001537413147234006012764 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

(* ========================================================================= *)
(* The Davis-Putnam and Davis-Putnam-Loveland-Logemann procedures.           *)
(*                                                                           *)
(* Copyright (c) 2003, John Harrison. (See "LICENSE.txt" for details.)       *)
(* ========================================================================= *)

let clausal fm = defcnfs false fm;;

(* ------------------------------------------------------------------------- *)
(* Examples of clausal form.                                                 *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
let fm = <
 (~p <=> r))>>;;

clausal fm;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* The DP procedure.                                                         *)
(* ------------------------------------------------------------------------- *)

let one_literal_rule clauses =
  let ucl = hd (find (fun cl -> length cl = 1) clauses) in
  let ucl' = negate ucl in
  let clauses1 = filter (fun cl -> not (mem ucl cl)) clauses in
  smap (fun cl -> subtract cl [ucl']) clauses1;;

let affirmative_negative_rule clauses =
  let literals = itlist union clauses [] in
  let neglits,poslits = partition negative literals in
  let neglits' = smap negate neglits in
  let common = intersect poslits neglits' in
  let pos_only_lits = subtract poslits common
  and neg_only_lits = subtract neglits' common in
  let elim = union pos_only_lits (smap negate neg_only_lits) in
  if elim = [] then failwith "affirmative_negative_rule" else
  filter (fun cl -> intersect cl elim = []) clauses;;

let find_blowup cls l =
  let m = length(filter (mem l) cls)
  and n = length(filter (mem (negate l)) cls) in
  m * n - m - n,l;;

let resolution_rule clauses =
  let pvs = filter positive (itlist union clauses []) in
  let lblows = map (find_blowup clauses) pvs in
  let p = assoc (end_itlist min (map fst lblows)) lblows in
  let p' = negate p in
  let pos,notpos = partition (mem p) clauses in
  let neg,none = partition (mem p') notpos in
  let pos' = smap (filter (fun l -> l <> p)) pos
  and neg' = smap (filter (fun l -> l <> p')) neg in
  let res0 = allpairs union pos' neg' in
  union none (filter (non contradictory) res0);;

(* ------------------------------------------------------------------------- *)
(* Overall procedure.                                                        *)
(* ------------------------------------------------------------------------- *)

let rec dp clauses =
  if clauses = [] then true
  else if mem [] clauses then false else
  try dp(one_literal_rule clauses)
  with Failure _ -> try
      dp(affirmative_negative_rule clauses)
  with Failure _ ->
      dp(resolution_rule clauses);;

(* ------------------------------------------------------------------------- *)
(* Davis-Putnam satisfiability tester and tautology checker.                 *)
(* ------------------------------------------------------------------------- *)

let dpsat fm = dp(clausal fm);;

let dptaut fm = not(dpsat(Not fm));;

(* ------------------------------------------------------------------------- *)
(* Examples.                                                                 *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
tautology(prime 11);;

dptaut(prime 11);;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* The same thing but with the DPLL procedure.                               *)
(* ------------------------------------------------------------------------- *)

let find_count cls l =
  let m = length(filter (mem l) cls)
  and n = length(filter (mem (negate l)) cls) in
  m + n,l;;

let rec dpll clauses =
  if clauses = [] then true
  else if mem [] clauses then false else
  try dpll(one_literal_rule clauses)
  with Failure _ -> try
      dpll(affirmative_negative_rule clauses)
  with Failure _ ->
    let pvs = filter positive (itlist union clauses []) in
    let lcounts = map (find_count clauses) pvs in
    let p = assoc (end_itlist max (map fst lcounts)) lcounts in
    dpll (insert [p] clauses) or
    dpll (insert [negate p] clauses);;

let dpllsat fm = dpll(clausal fm);;

let dplltaut fm = not(dpllsat(Not fm));;

(* ------------------------------------------------------------------------- *)
(* The same example.                                                         *)
(* ------------------------------------------------------------------------- *)

dplltaut(prime 11);;
why-2.39/INSTALL0000644000106100004300000000132513147234006012263 0ustar  marchevals
INSTALLATION
============

  You need Objective Caml >= 3.08 to compile the sources.
 
  To compile the graphical user interface gwhy (optional) you also need the 
  Lablgtk2 library (http://wwwfun.kurims.kyoto-u.ac.jp/soft/olabl/lablgtk.html)
  There is a Debian package (liblablgtk2-ocaml-dev).

  1. Configure with "./configure"

  2. Compile with "make".  

  2. Install with "make install".  You may need superuser permissions.


If you are willing to use Coq (more precisely if Coq is detected when
running ./configure), you need Coq >= 7.4.


If you are willing to verify floating-point C programs using Coq, you
need to install the Coq library on floating-point arithmetic available at
http://flocq.gforge.inria.fr/
why-2.39/tools/0000755000106100004300000000000013147234006012371 5ustar  marchevalswhy-2.39/tools/regtest.ml0000644000106100004300000006174113147234006014411 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

(** the options to launch the toplevel with if the test file is not
     annotated with test options *)
let default_options = [ "" ]

(** the list of tests suites to consider *)
let default_suites =
[ "java" ; "c" ]

let () =
(*
  Unix.putenv "FRAMAC_SHARE" (Filename.concat Filename.current_dir_name "share");
*)
  Unix.putenv "OCAMLRUNPARAM" ""

(** the name of the directory-wide configuration file*)
let dir_config_file = "test_config"

(** the files in [suites] whose name matches
    the pattern [test_file_regexp] will be considered as test files *)
let test_file_regexp = ".*\\.\\(java\\|c\\)$"

(** the pattern that ends the parsing of options in a test file *)
let end_comment = Str.regexp ".*\\*/"

let opt_to_byte =
  let opt = Str.regexp "[.]opt$" in
  function toplevel ->
    Str.global_replace opt ".byte" toplevel

let base_path = Filename.current_dir_name
(*    (Filename.concat
        (Filename.dirname Sys.executable_name)
	Filename.parent_dir_name)
*)

let test_path = "tests"

(** Command-line flags *)

type behavior = Examine | Update | Run | Show
let behavior = ref Run
let verbosity = ref 0
let use_byte = ref false
let do_diffs = ref "diff -u"
let n = ref 2    (* the level of parallelism *)
let suites = ref []
(** options given to toplevel for all tests *)
let additional_options = ref ""
(** special configuration, with associated oracles *)
let special_config = ref ""

let m = Mutex.create ()

let lock_fprintf f =
  Mutex.lock m;
  Format.kfprintf (fun _ -> Mutex.unlock m) f

let lock_printf s = lock_fprintf Format.std_formatter s
let lock_eprintf s = lock_fprintf Format.err_formatter s

let make_test_suite s =
  suites := s :: !suites

let () = Arg.parse
  [
    "", Arg.Unit (fun () -> ()) , "" ;
    "-examine", Arg.Unit (fun () -> behavior := Examine) ,
    " Examine the logs that are different from oracles.";
    "-update", Arg.Unit (fun () -> behavior := Update) ,
    " Take the current logs as oracles.";
    "-show", Arg.Unit (fun () -> behavior := Show; use_byte := true) ,
    " Show the results of the tests. Sets -byte.";
    "-run", Arg.Unit (fun () -> behavior := Run) ,
    "(default)  Delete the logs, run the tests, then examine the logs that are different from the oracles.";
    "", Arg.Unit (fun () -> ()) , "" ;
    "-v", Arg.Unit (fun () -> incr verbosity), " Increase verbosity (up to twice)" ;
    "-diff", Arg.String (fun s -> do_diffs := s), "  Use command for diffs" ;
    "-j", Arg.Int (fun i -> if i>=0 then n := i else ( lock_printf "Option -j requires nonnegative argument@."; exit (-1))), "  Use nonnegative integer n for level of parallelism" ;
    "-byte", Arg.Set use_byte, " Use bytecode toplevel";
    "-opt", Arg.Clear use_byte, " Use native toplevel (default)";
    "-config", Arg.Set_string special_config, " Use special configuration \
      and oracles";
    "-add-options", Arg.Set_string additional_options,
    "add additional options to be passed to the toplevels \
     that will be launched";
    "", Arg.Unit (fun () -> ()) ,"\nA test suite can be the name of a directory in ./tests or the path to a file.\n\nExamples:\nregtest\nregtest -diff \"echo diff\" -examine     # see again the list of tests that failed\nregtest misc                           # for a single test suite\nregtest tests/misc/alias.c             # for a single test\nregtest -examine tests/misc/alias.c    # to see the differences again\nregtest -v -j 1                        # to check the time taken by each test\n"
  ]
  make_test_suite
  "usage: ./regtest.opt [options] [names of test suites]"

(* redefine config file if special configuration expected *)
let dir_config_file = 
  if !special_config = "" then dir_config_file else
    dir_config_file ^ "_" ^ !special_config

let make_toplevel_path exec = exec
(*  if Filename.is_relative exec then
    Filename.concat (Filename.concat base_path "bin") exec
  else exec
*)

(* redefine oracle directory if special configuration expected *)
let oracle_dirname = 
  if !special_config = "" then "oracle" else
    "oracle_" ^ !special_config
 
(* redefine result directory if special configuration expected *)
let result_dirname = 
  if !special_config = "" then "result" else
    "result_" ^ !special_config

let gen_make_file s dir file = Filename.concat (Filename.concat dir s) file
let make_result_file = gen_make_file result_dirname
let make_oracle_file = gen_make_file oracle_dirname

let toplevel_path =
  make_toplevel_path (gen_make_file "tests" base_path "regtest.sh")

type execnow =
    {
      ex_cmd: string;      (** command to launch *)
      ex_log: string list; (** log files *)
      ex_bin: string list; (** bin files *)
      ex_dir: string;      (** directory of test suite *)
    }

(** configuration of a directory/test. *)
type config =
    {
      dc_test_regexp: string; (** regexp of test files. *)
      dc_execnow    : execnow option; (** command to be launched before
                                         the toplevel(s)
                                     *)
      dc_toplevel   : string; (** full path of the toplevel used *)
      dc_filter     : string option; (** optional filter to apply to
			      standard output *)
      dc_options    : string list; (** options to launch the toplevel on *)
      dc_dont_run   : bool;
    }

let default_config =
  { dc_test_regexp = test_file_regexp ;
    dc_execnow = None;
    dc_toplevel = toplevel_path ;
    dc_filter = None ;
    dc_options = default_options ;
    dc_dont_run = false;
  }

let launch command_string =
  let result = Unix.system command_string in
  match result with
  | Unix.WEXITED 127 ->
      lock_printf "%% Couldn't execute command `%s'@.Retrying once.@." command_string;
      Thread.delay 0.1;
      ( match Unix.system command_string with
	Unix.WEXITED r when r <> 127 -> r
      | _ -> lock_printf "%% Retry failed, exiting.@."; exit 1 )
  | Unix.WEXITED r -> r
  | Unix.WSIGNALED s ->
      lock_printf "%% SIGNAL %d received while executing command:@\n%s@\nStopping@."
	s command_string ;
      exit 1
  | Unix.WSTOPPED s ->
      lock_printf "%% STOP %d received while executing command:@\n%s@\nStopping@."
	s command_string;
      exit 1

let scan_execnow dir (s:string) =
  let rec aux (s:execnow) =
    try
      Scanf.sscanf s.ex_cmd "%[ ]LOG %[A-Za-z0-9_',+=:.] %s@\n"
	(fun _ name cmd ->
	   aux { s with ex_cmd = cmd; ex_log = name :: s.ex_log })
    with Scanf.Scan_failure _ ->
      try
	Scanf.sscanf s.ex_cmd "%[ ]BIN %[A-Za-z0-9.] %s@\n"
	  (fun _ name cmd ->
	     aux { s with ex_cmd = cmd; ex_bin = name :: s.ex_bin })
      with Scanf.Scan_failure _ ->
	s
  in
  aux { ex_cmd = s; ex_log = []; ex_bin = []; ex_dir = dir }

(* how to process options *)
let config_options =
  [ "CMD",
    (fun _ s (current,rev_opts) ->
       { current with dc_toplevel = make_toplevel_path s}, rev_opts);

    "OPT",
    (fun _ s (current,rev_opts) -> current, (s::rev_opts) );

    "FILEREG",
    (fun _ s (current,rev_opts) ->
       { current with dc_test_regexp = s }, rev_opts );

    "FILTER",
    (fun _ s (current,rev_opts) ->
       { current with dc_filter = Some s }, rev_opts );

    "GCC",
    (fun _ _ acc -> acc);

    "COMMENT",
    (fun _ _ acc -> acc);

    "DONTRUN",
    (fun _ _s (current,rev_opts) ->
       { current with dc_dont_run = true }, rev_opts );

    "EXECNOW",
    (fun dir s (current,rev_opts)->
       let execnow = scan_execnow dir s in
       { current with dc_execnow = Some execnow }, rev_opts);
  ]

let scan_options dir scan_buffer default =
  let r = ref (default, [])  in
  let treat_line s =
    try
      Scanf.sscanf s "%[ *]%[A-Za-z0-9]:%s@\n"
        (fun _ name opt ->
          try
            r := (List.assoc name config_options) dir opt !r
          with Not_found ->
            lock_eprintf "@[unknown configuration option: %s@\n%!@]" name)
    with Scanf.Scan_failure _ ->
      if Str.string_match end_comment s 0
      then raise End_of_file
      else ()
  in
  try
    while true do
      Scanf.bscanf scan_buffer "%s@\n" treat_line
    done;
    assert false
  with
    End_of_file ->
      let rev_options = snd !r in
      let options =
	if rev_options = []
	then default.dc_options
	else List.rev rev_options
      in
      { (fst !r) with dc_options = options }

let scan_test_file default dir f =
  let f = Filename.concat dir f in
  let exists_as_file =
    try
      (Unix.lstat f).Unix.st_kind = Unix.S_REG
    with Unix.Unix_error _ | Sys_error _ -> false
  in
    if exists_as_file then begin
        let scan_buffer = Scanf.Scanning.from_file f in
          try
            Scanf.bscanf scan_buffer "/* run.config%s@\n" (fun _ -> ());
            scan_options dir scan_buffer default
          with
            | End_of_file
            | Scanf.Scan_failure _ ->
                default
      end else
      (* if the file has disappeared, don't try to run it... *)
      { default with dc_dont_run = true }

type toplevel_command =
    { file : string ;
      options : string ;
      toplevel: string ;
      filter : string option ;
      directory : string ;
      n : int }

type command =
  | Toplevel of toplevel_command
  | Target of execnow * command Queue.t

type log = Err | Res

type diff =
  | Command_error of toplevel_command * log
  | Target_error of execnow
  | Log_error of string (** directory *) * string (** file *)

type cmps =
  | Cmp_Toplevel of toplevel_command
  | Cmp_Log of string (** directory *) * string (** file *)

type shared =
    { lock : Mutex.t ;
      lock_target : Mutex.t ;
      commands_empty : Condition.t ;
      work_available : Condition.t ;
      diff_available : Condition.t ;
      mutable commands : command Queue.t ; (* file, options, number *)
      cmps : cmps Queue.t ;
      (* command that has finished its execution *)
      diffs : diff Queue.t ;
      (* cmp that showed some difference *)
      mutable commands_finished : bool ;
      mutable cmp_finished : bool ;
      mutable summary_run : int ;
      mutable summary_ok : int ;
      mutable summary_log : int;
    }

let shared =
  { lock = Mutex.create () ;
    lock_target = Mutex.create () ;
    commands_empty = Condition.create () ;
    work_available = Condition.create () ;
    diff_available = Condition.create () ;
    commands = Queue.create () ;
    cmps = Queue.create () ;
    diffs = Queue.create () ;
    commands_finished = false ;
    cmp_finished = false ;
    summary_run = 0 ;
    summary_ok = 0 ;
    summary_log = 0 }

let unlock () = Mutex.unlock shared.lock

let lock () = Mutex.lock shared.lock

let catenate_number prefix n =
  if n > 0
  then prefix ^ "." ^ (string_of_int n)
  else prefix

let name_without_extension command =
  try
    (Filename.chop_extension command.file)
  with
    Invalid_argument _ ->
      failwith ("Ce nom de fichier de test ne comporte pas d'extension: " ^
		   command.file)

let gen_prefix s cmd =
  let prefix = gen_make_file s cmd.directory (name_without_extension cmd) in
  catenate_number prefix cmd.n

let log_prefix = gen_prefix result_dirname
let oracle_prefix = gen_prefix oracle_dirname

let basic_command_string command =
  command.toplevel ^ " " ^
    command.options ^ " " ^
    !additional_options ^ " " ^
    (Filename.concat command.directory command.file)

let command_string command =
  let log_prefix = log_prefix command in
  let command_string = basic_command_string command in
  let command_string =
    command_string ^ " 2>" ^ log_prefix ^ ".err.log"
  in
  let command_string =
    match command.filter with
      None -> command_string
    | Some filter ->
	command_string ^ " | " ^ filter
  in
  let command_string =
    command_string ^ " >" ^ log_prefix ^ ".res.log"
  in
  command_string

let update_toplevel_command command =
  let log_prefix = log_prefix command in
  let oracle_prefix = oracle_prefix command in
  let command_string =
    "cp " ^
      log_prefix ^ ".res.log " ^
      oracle_prefix ^ ".res.oracle"
  in
  ignore (launch command_string);
 let command_string =
    "cp " ^
      log_prefix ^ ".err.log " ^
      oracle_prefix ^ ".err.oracle"
  in
  ignore (launch command_string)

let update_command = function
    Toplevel cmd -> update_toplevel_command cmd
  | Target _ -> assert false

let update_log_files dir file =
  let command_string =
    "cp " ^ make_result_file dir file ^ " " ^ make_oracle_file dir file
  in
  ignore (launch command_string)

let do_command command =
  match command with
    Toplevel command ->
      (* Update : copy the logs. Do not enqueue any cmp
         Run | Show: launch the command, then enqueue the cmp
         Examine : just enqueue the cmp *)
      if !behavior = Update
      then update_toplevel_command command
      else begin
          (* Run, Show or Examine *)
          if !behavior <> Examine
          then begin
	      let command_string = command_string command in
	      if !verbosity >= 1
	      then lock_printf "%s@." command_string ;
	      ignore (launch command_string)
	    end;
	  lock ();
	  shared.summary_run <- succ shared.summary_run ;
	  shared.summary_log <- shared.summary_log + 2 ;
	  Queue.push (Cmp_Toplevel command) shared.cmps;
	  unlock ()
	end
  | Target (execnow, cmds) ->
      if !behavior = Update then begin
	  List.iter (update_log_files execnow.ex_dir) execnow.ex_log;
          Queue.iter update_command cmds
	end else
        begin
          let res =
            if !behavior <> Examine then begin
		let filenames =
		  List.fold_left
		    (fun s f -> s ^ " " ^ make_result_file execnow.ex_dir f)
		    ""
		    (execnow.ex_bin @ execnow.ex_log)
		in
		(* TODO this should be done with Unix.unlink *)
		ignore (launch ("rm" ^ filenames ^ " 2> /dev/null"));
		Mutex.lock shared.lock_target;
		let r = launch execnow.ex_cmd in
		Mutex.unlock shared.lock_target;
		r
              end else
	      0
          in
          lock();
	  shared.summary_log <- succ shared.summary_log;
          if res = 0
	  then begin
	      shared.summary_ok <- succ shared.summary_ok;
              Queue.transfer shared.commands cmds;
	      shared.commands <- cmds;
              Condition.signal shared.work_available;
	      if !behavior = Examine || !behavior = Run
	      then begin
		  List.iter
		    (fun f -> Queue.push (Cmp_Log(execnow.ex_dir, f)) shared.cmps)
		    execnow.ex_log
		end
            end
	  else begin
	      let treat_cmd = function
		  Toplevel cmd ->
		    shared.summary_run <- shared.summary_run + 1;
		    let log_prefix = log_prefix cmd in
		    begin try
			Unix.unlink (log_prefix ^ ".res.log ")
		      with Unix.Unix_error _ -> ()
		    end;
		| Target _ -> assert false
	      in
	      Queue.iter treat_cmd cmds;
              Queue.push (Target_error execnow) shared.diffs;
              Condition.signal shared.diff_available
            end;
          unlock()
        end

let log_ext = function Res -> ".res" | Err -> ".err"

let compare_one_file cmp log_prefix oracle_prefix log_kind =
  if !behavior = Show
  then begin
    lock();
    Queue.push (Command_error(cmp,log_kind)) shared.diffs;
    Condition.signal shared.diff_available;
    unlock()
  end else
    let ext = log_ext log_kind in
    let log_file = log_prefix ^ ext ^ ".log " in
    let oracle_file = oracle_prefix ^ ext ^ ".oracle" in
    let cmp_string = "cmp -s " ^ log_file ^ oracle_file in
    if !verbosity >= 2 then lock_printf "%% cmp%s (%d) :%s@."
      ext
      cmp.n
      cmp_string;
    match launch cmp_string with
      0 ->
	lock();
	shared.summary_ok <- shared.summary_ok + 1;
	unlock()
    | 1 ->
	lock();
	Queue.push (Command_error (cmp,log_kind)) shared.diffs;
	Condition.signal shared.diff_available;
	unlock()
    | 2 ->
	lock_printf
	  "%% System error while comparing. Maybe one of the files is missing...@\n%s or %s@."
	  log_file oracle_file;
    | _ -> assert false

let compare_one_log_file dir file =
  if !behavior = Show
  then begin
    lock();
    Queue.push (Log_error(dir,file)) shared.diffs;
    Condition.signal shared.diff_available;
    unlock()
  end else
    let log_file = make_result_file dir file in
    let oracle_file = make_oracle_file dir file in
    let cmp_string = "cmp -s " ^ log_file ^ " " ^ oracle_file in
    if !verbosity >= 2 then lock_printf "%% cmplog: %s / %s@." dir file;
    shared.summary_log <- succ shared.summary_log;
    match launch cmp_string with
      0 ->
	lock();
	shared.summary_ok <- shared.summary_ok + 1;
	unlock()
    | 1 ->
	lock();
	Queue.push (Log_error (dir,file)) shared.diffs;
	Condition.signal shared.diff_available;
	unlock()
    | 2 ->
	lock_printf
	  "%% System error while comparing. Maybe one of the files is missing...@\n%s or %s@."
	  log_file oracle_file;
    | _ -> assert false

let do_cmp = function
  | Cmp_Toplevel cmp ->
      let log_prefix = log_prefix cmp in
      let oracle_prefix = oracle_prefix cmp in
      compare_one_file cmp log_prefix oracle_prefix Res;
      compare_one_file cmp log_prefix oracle_prefix Err
  | Cmp_Log(dir, f) ->
      compare_one_log_file dir f

let worker_thread () =
  while true do
    lock () ;
    if (Queue.length shared.commands) + (Queue.length shared.cmps) < !n
    then Condition.signal shared.commands_empty;
    try
      let cmp = Queue.pop shared.cmps in
      unlock () ;
      do_cmp cmp
    with Queue.Empty ->
      try
	let command = Queue.pop shared.commands in
	unlock () ;
	do_command command
      with Queue.Empty ->
	if shared.commands_finished then (unlock () ; Thread.exit ());

	Condition.signal shared.commands_empty;
	(* we still have the lock at this point *)

	Condition.wait shared.work_available shared.lock;
	  (* this atomically releases the lock and suspends
	     the thread on the condition work_available *)

	unlock ();
  done

let do_diff = function
  | Command_error (diff, kind) ->
      let log_prefix = log_prefix diff in
      let log_ext = log_ext kind in
      let command_string = command_string diff in
      lock_printf "Command:@\n%s@." command_string;
      if !behavior = Show
      then ignore (launch ("cat " ^ log_prefix ^ log_ext ^ ".log"))
      else
        let oracle_prefix = oracle_prefix diff in
        let diff_string =
          !do_diffs ^ " " ^
	    oracle_prefix ^ log_ext ^ ".oracle " ^
	    log_prefix ^ log_ext ^ ".log"
        in
        ignore (launch diff_string)
  | Target_error execnow ->
      lock_printf "Custom command failed: %s@\n" execnow.ex_cmd
  | Log_error(dir, file) ->
      let result_file = make_result_file dir file in
      lock_printf "Log of %s:@." result_file;
      if !behavior = Show
      then ignore (launch ("cat " ^ result_file))
      else
        let diff_string =
	  !do_diffs ^ " " ^ make_oracle_file dir file ^ " " ^ result_file
	in
        ignore (launch diff_string)


let diff_thread () =
  lock () ;
  while true do
    try
      let diff = Queue.pop shared.diffs in
      unlock ();
      do_diff diff;
      lock ()
    with Queue.Empty ->
      if shared.cmp_finished then (unlock () ; Thread.exit ());

      Condition.wait shared.diff_available shared.lock
      (* this atomically releases the lock and suspends
	 the thread on the condition cmp_available *)
  done

let test_pattern config =
  let regexp = Str.regexp config.dc_test_regexp in
  fun file ->
    Str.string_match regexp file 0

let files = Queue.create ()

(* test for a possible toplevel configuration. *)
let default_config =
  let general_config_file = Filename.concat test_path dir_config_file in
    if Sys.file_exists general_config_file
    then begin
      let scan_buffer = Scanf.Scanning.from_file general_config_file in
      scan_options Filename.current_dir_name scan_buffer default_config
    end
    else default_config

let () =
  (* enqueue the test files *)
  let suites =
    match !suites with
      [] -> default_suites
    | l -> List.rev l
  in
  List.iter
    (fun suite ->
       if !verbosity >= 2 then lock_printf "%% Now treating test %s\n%!" suite;
      (* the "suite" may be a directory in [test_path] or a single file *)
      let interpret_as_file =
	try
	  ignore (Filename.chop_extension suite);
	  true
	with Invalid_argument _ -> false
      in
      let directory =
	if interpret_as_file
	then
	  Filename.dirname suite
	else
	  Filename.concat test_path suite
      in
      let config = Filename.concat directory dir_config_file in
      let dir_config =
        if Sys.file_exists config
	then begin
	    let scan_buffer = Scanf.Scanning.from_file config in
            scan_options directory scan_buffer default_config
        end
	else default_config
      in
      if interpret_as_file
      then Queue.push (Filename.basename suite, directory, dir_config) files
      else begin
	  let dir_files = Sys.readdir directory in
	  for i = 0 to pred (Array.length dir_files) do
	    let file = dir_files.(i) in
	    assert (Filename.is_relative file);
	    if test_pattern dir_config file
	    then Queue.push (file, directory, dir_config) files;
	  done
	end)
    suites

let dispatcher () =
  try
    while true
    do
      lock ();
      while (Queue.length shared.commands) + (Queue.length shared.cmps) >= !n
      do
	Condition.wait shared.commands_empty shared.lock;
      done;
      (* we have the lock *)
      let file, directory, config = Queue.pop files in
      let config =
        scan_test_file config directory file in
      let toplevel =
	if not !use_byte
	then config.dc_toplevel
	else opt_to_byte config.dc_toplevel
      in
      let i = ref 0 in
      let make_toplevel_cmd option =
        {file=file; options = option; toplevel = toplevel;
         n = !i; directory = directory;
	 filter = config.dc_filter}
      in
      let treat_option q option =
	Queue.push
	  (Toplevel (make_toplevel_cmd option))
	  q;
	incr i
      in
      if not config.dc_dont_run
      then begin
      (match config.dc_execnow with
         | Some s ->
	     let subworkqueue = Queue.create () in
	     List.iter (treat_option subworkqueue) config.dc_options;
             Queue.push
               (Target (s, subworkqueue))
               shared.commands
         | None ->
             List.iter
	       (treat_option shared.commands)
	       config.dc_options);
      Condition.broadcast shared.work_available;
      end;
      unlock () ;
      done
  with Queue.Empty ->
    shared.commands_finished <- true;
    unlock ()

let () =
  let worker_ids = Array.init !n
    (fun _ -> Thread.create worker_thread ())
  in
  let diff_id = Thread.create diff_thread () in

  dispatcher ();
  if !behavior = Run
  then
    lock_printf "%% Dispatch finished, waiting for workers to complete@.";
  ignore (Thread.create
    (fun () ->
      while true do
	Condition.broadcast shared.work_available;
	Thread.delay 0.5;
      done)
    ());
  Array.iter Thread.join worker_ids;

  if !behavior = Run
  then
    lock_printf "%% Comparisons finished, waiting for diffs to complete@.";
  lock();
  shared.cmp_finished <- true;
  unlock();
  ignore (Thread.create
    (fun () ->
      while true do
	Condition.broadcast shared.diff_available;
	Thread.delay 0.5;
      done)
    ());
  Thread.join diff_id;
  if !behavior = Run
  then
    lock_printf "%% Diffs finished. Summary:@\nRun = %d@\nOk  = %d of %d@."
      shared.summary_run shared.summary_ok shared.summary_log;
  exit 0;


(*
Local Variables: 
compile-command: "make -j -C .. regtest.byte"
End: 
*)
why-2.39/mix/0000755000106100004300000000000013147234006012026 5ustar  marchevalswhy-2.39/mix/mix_main.ml0000644000106100004300000001141413147234006014162 0ustar  marchevals(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2017                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(**************************************************************************)

open Format
open Lexing
open Mix_ast
open Mix_seq
open Mix_interp

let report_lb lb =
  let b,e = lexeme_start_p lb, lexeme_end_p lb in
  eprintf "File \"%s\", " b.pos_fname;
  let l = b.pos_lnum in
  let fc = b.pos_cnum - b.pos_bol + 1 in
  let lc = e.pos_cnum - b.pos_bol + 1 in
  eprintf "line %d, characters %d-%d:@\n" l fc lc

let report_loc loc =
  if loc != Lexing.dummy_pos then begin
    eprintf "File \"%s\", " loc.pos_fname;
    let l = loc.pos_lnum in
    let fc = loc.pos_cnum - loc.pos_bol + 1 in
    eprintf "line %d, character %d:@\n" l fc
  end

(* command line *)

let file = ref None
let entry = ref "init"
let gwhy = ref false
let show_graph = ref false

let spec = 
  ["-entry", Arg.Set_string entry, "
 
 * A method is not required to declare in its throws clause any subclasses of
 * RuntimeException that might be thrown during the execution of the
 * method but not caught.
 * 
This Java Card class's functionality is a strict subset of the definition in the 
 * Java Platform Core API Specification.
 
 */

public class RuntimeException extends Exception {

  /**
   * Constructs a RuntimeException instance.
   */
  public RuntimeException() {}

}
why-2.39/lib/javacard_api/java/lang/Throwable.java0000644000106100004300000000340113147234006021035 0ustar  marchevals/*
* $Workfile: Throwable.java $	$Revision: 1.1 $, $Date: 2007-09-26 14:37:49 $
*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

// /*
// $Workfile: Throwable.java $
// $Revision: 1.1 $
// $Date: 2007-09-26 14:37:49 $
// $Author: marche $
// $Archive: /Products/Europa/api21/java/lang/Throwable.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Ravi
// */

package java.lang;

  /**
   * The Throwable class is the superclass of all errors and exceptions in the Java Card subset
   * of the Java language.
   * Only objects that are instances of this class (or of one of its
   * subclasses) are thrown by the Java Card Virtual Machine
   * or can be thrown by the Java throw statement.
   * Similarly, only this class or one of its subclasses
   * can be the argument type in a catch clause.
   * 
This Java Card class's functionality is a strict subset of the definition in the 
   * Java Platform Core API Specification.

   */
public class Throwable {

  /**
   * Constructs a new Throwable. 
   */
  public Throwable() {}
  
}
why-2.39/lib/javacard_api/java/lang/Object.java0000644000106100004300000000667113147234006020330 0ustar  marchevals/*
* $Workfile: Object.java $	$Revision: 1.2 $, $Date: 2007-09-27 14:28:59 $
*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

// /*
// $Workfile: Object.java $
// $Revision: 1.2 $
// $Date: 2007-09-27 14:28:59 $
// $Author: marche $
// $Archive: /Products/Europa/api21/java/lang/Object.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Ravi
// */

package java.lang;

  /**
   * Class Object is the root of the Java Card class hierarchy.
   * Every class has Object as a superclass.
   * All objects, including arrays, implement the methods of this
   * class.
   * 
This Java Card class's functionality is a strict subset of the definition in the
   * Java Platform Core API Specification.

   */
public class Object {

  /*  public normal_behavior 
         requires true;
       assignable \nothing;
          ensures true;
    @*/
  public Object() {}

 /**
  * Compares two Objects for equality. 

  * The equals method implements an equivalence relation:
  * 

  * 

  * The equals method for class Object implements the most discriminating possible equivalence
  * relation on objects; that is, for any reference values x and y,
  * this method returns true if and only if x and y
  * refer to the same object (x==y has the value true).
  * @param obj the reference object with which to compare.
  * @return true if this object is the same as the obj argument; false otherwise.
  */

  /*  public normal_behavior 
    @  requires true;
    @  assignable \nothing;
    @  ensures \result <==> this==obj;
    @*/
    public /* pure @*/ boolean equals(Object obj){ return (this==obj); }

}
why-2.39/lib/javacard_api/java/lang/IndexOutOfBoundsException.java0000644000106100004300000000074213147234006024171 0ustar  marchevals/*
 * JML specs for the JavaCard API 2.1.1
 * by Engelbert Hubbers and Erik Poll
 * Copyright 2002 University of Nijmegen, the Netherlands 
 *
 * The JavaCard API 2.1.1 itself is copyright (c) 2000 Sun Microsystems, Inc.
 */

package java.lang;

public class IndexOutOfBoundsException extends RuntimeException { 

  /*  public normal_behavior
         requires true;
       assignable \nothing;
          ensures true;
    @*/

  public IndexOutOfBoundsException() 
   
   {} 

 } 
why-2.39/lib/javacard_api/java/lang/Exception.java0000644000106100004300000000317313147234006021052 0ustar  marchevals/*
* $Workfile: Exception.java $	$Revision: 1.2 $, $Date: 2007-09-28 13:41:14 $
*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

// /*
// $Workfile: Exception.java $
// $Revision: 1.2 $
// $Date: 2007-09-28 13:41:14 $
// $Author: marche $
// $Archive: /Products/Europa/api21/java/lang/Exception.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Ravi
// */

package java.lang;

/**
  * The class Exception and its subclasses are a form of Throwable that indicates
  * conditions that a reasonable applet might want to catch.
  * 
This Java Card class's functionality is a strict subset of the definition in the 
  * Java Platform Core API Specification.

  */

public class Exception extends Throwable{

  /**
   * Constructs an Exception instance. 
   */
  /*  public normal_behavior 
         requires true;
       assignable \nothing;
          ensures true;
    @*/
  public Exception() {}
  
}
why-2.39/lib/javacard_api/java/lang/ArrayIndexOutOfBoundsException.java0000644000106100004300000000076413147234006025174 0ustar  marchevals/*
 * JML specs for the JavaCard API 2.1.1
 * by Engelbert Hubbers and Erik Poll
 * Copyright 2002 University of Nijmegen, the Netherlands 
 *
 * The JavaCard API 2.1.1 itself is copyright (c) 2000 Sun Microsystems, Inc.
 */

package java.lang;

public class ArrayIndexOutOfBoundsException extends IndexOutOfBoundsException { 

  /*  public normal_behavior
         requires true;
       assignable \nothing;
          ensures true;
    @*/

  public ArrayIndexOutOfBoundsException() 
  
   {} 

 } 
why-2.39/lib/javacard_api/com/0000755000106100004300000000000013147234006015161 5ustar  marchevalswhy-2.39/lib/javacard_api/com/sun/0000755000106100004300000000000013147234006015766 5ustar  marchevalswhy-2.39/lib/javacard_api/com/sun/javacard/0000755000106100004300000000000013147234006017541 5ustar  marchevalswhy-2.39/lib/javacard_api/com/sun/javacard/impl/0000755000106100004300000000000013147234006020502 5ustar  marchevalswhy-2.39/lib/javacard_api/com/sun/javacard/impl/PackedBoolean.java0000644000106100004300000000010013147234006024023 0ustar  marchevals
package com.sun.javacard.impl;

public class PackedBoolean {

}why-2.39/lib/javacard_api/com/sun/javacard/impl/Constants.java0000644000106100004300000000016213147234006023320 0ustar  marchevals
package com.sun.javacard.impl;


public interface Constants {

  public static final short APDU_BUFFER_LENGTH;

}why-2.39/lib/javacard_api/com/sun/javacard/impl/PrivAccess.java0000644000106100004300000000007613147234006023412 0ustar  marchevalspackage com.sun.javacard.impl;



public class PrivAccess {

}why-2.39/lib/javacard_api/com/sun/javacard/impl/NativeMethods.java0000644000106100004300000000010113147234006024107 0ustar  marchevals
package com.sun.javacard.impl;


public class NativeMethods {

}why-2.39/lib/javacard_api/javacard/0000755000106100004300000000000013147234006016156 5ustar  marchevalswhy-2.39/lib/javacard_api/javacard/framework/0000755000106100004300000000000013147234006020153 5ustar  marchevalswhy-2.39/lib/javacard_api/javacard/framework/CardRuntimeException.java0000644000106100004300000000635213147234006025120 0ustar  marchevals/*
* $Workfile: CardRuntimeException.java $	$Revision: 1.2 $, $Date: 2007-09-26 15:15:36 $
*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

// /*
// $Workfile: CardRuntimeException.java $
// $Revision: 1.2 $
// $Date: 2007-09-26 15:15:36 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/framework/CardRuntimeException.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Zhiqun
// */

package javacard.framework;

/**
 * The CardRuntimeException class
 * defines a field reason and two accessor methods 
 * getReason() and setReason(). The reason
 * field encapsulates exception cause identifier in Java Card.
 * All Java Card unchecked Exception classes should extend
 * CardRuntimeException. This class also provides a resource-saving mechanism
 * (throwIt() method) for using a JCRE owned instance of this class.
 */

public class CardRuntimeException extends RuntimeException {

  // initialized when created by Dispatcher
  private static CardRuntimeException systemInstance;

  // CardRuntimeException reason code
  private /*  spec_public */ short reason;

  /**
   * Construct a CardRuntimeException instance with the specified reason.
   * To conserve on resources, use throwIt() method
   * to use the JCRE owned instance of this class.
   * @param reason the reason for the exception
   */
  public CardRuntimeException(short reason){
    this.reason = reason;
    if (systemInstance==null) // created by Dispatcher
        systemInstance = this; 
  }

  /** Get reason code
   *  @return the reason for the exception
   */

    
    public /*  pure @*/ short getReason() {
	return reason;
    }

  /** Set reason code
   * @param reason the reason for the exception
   */
  public void setReason(short reason) {
    this.reason = reason;
  }


  /**
   * Throw the JCRE owned instance of the CardRuntimeException class with the
   * specified reason.
   * 
JCRE owned instances of exception classes are temporary JCRE Entry Point Objects
   * and can be accessed from any applet context. References to these temporary objects
   * cannot be stored in class variables or instance variables or array components.
   * See Java Card Runtime Environment (JCRE) Specification, section 6.2.1 for details.
   * @param reason the reason for the exception
   * @exception CardRuntimeException always.
   */
  public static void throwIt(short reason) throws CardRuntimeException{  
    systemInstance.setReason(reason);
    throw systemInstance;
  }
}
why-2.39/lib/javacard_api/javacard/framework/CardException.java0000644000106100004300000000613713147234006023555 0ustar  marchevals/*
* $Workfile: CardException.java $	$Revision: 1.1 $, $Date: 2007-09-26 14:32:59 $
*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

// /*
// $Workfile: CardException.java $
// $Revision: 1.1 $
// $Date: 2007-09-26 14:32:59 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/framework/CardException.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Zhiqun
// */

package javacard.framework;

/**
 * The CardException class
 * defines a field reason and two accessor methods 
 * getReason() and setReason(). The reason
 * field encapsulates exception cause identifier in Java Card.
 * All Java Card checked Exception classes should extend
 * CardException. This class also provides a resource-saving mechanism
 * (throwIt() method) for using a JCRE owned instance of this class.
 */

public class CardException extends Exception {

  // initialized when created by Dispatcher
  private static CardException systemInstance;

  // CardException reason code
  private short reason;

  /**
   * Construct a CardException instance with the specified reason.
   * To conserve on resources, use the throwIt() method
   * to use the JCRE owned instance of this class.
   * @param reason the reason for the exception
   */
  public CardException(short reason){
    this.reason = reason;
    if (systemInstance==null) // created by Dispatcher
        systemInstance = this; 
  }

  /** Get reason code
   * @return the reason for the exception
   */
  public short getReason() {
    return reason;
  }

  /** Set reason code
   * @param reason the reason for the exception
   */
  public void setReason(short reason) {
    this.reason = reason;
  }


  /**
   * Throw the JCRE owned instance of CardException class with the
   * specified reason.
   * 
JCRE owned instances of exception classes are temporary JCRE Entry Point Objects
   * and can be accessed from any applet context. References to these temporary objects
   * cannot be stored in class variables or instance variables or array components.
   * See Java Card Runtime Environment (JCRE) Specification, section 6.2.1 for details.
   * @param reason the reason for the exception
   * @exception CardException always.
   */
  public static void throwIt(short reason) throws CardException{   
    systemInstance.setReason(reason);
    throw systemInstance;
  }
}
why-2.39/lib/javacard_api/javacard/framework/APDUException.java0000644000106100004300000001162313147234006023431 0ustar  marchevals/*
* $Workfile: APDUException.java $	$Revision: 1.1 $, $Date: 2007-09-26 14:32:59 $
*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

// /*
// $Workfile: APDUException.java $
// $Revision: 1.1 $
// $Date: 2007-09-26 14:32:59 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/framework/APDUException.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Ravi
// */

package javacard.framework;

/**
 * APDUException represents an APDU related exception.
 * 
The APDU class throws JCRE owned instances of APDUException.
 * 
JCRE owned instances of exception classes are temporary JCRE Entry Point Objects
 * and can be accessed from any applet context. References to these temporary objects
 * cannot be stored in class variables or instance variables or array components.
 * See Java Card Runtime Environment (JCRE) Specification, section 6.2.1 for details.
 * @see APDU
 */

public class APDUException extends CardRuntimeException{

  // initialized when created by Dispatcher
  private static APDUException systemInstance;

  // APDUException reason code 
 /**
  * This APDUException reason code indicates that the method should not be invoked 
  * based on the current state of the APDU. 
  */
  public static final short ILLEGAL_USE = 1;
  
 /**
  * This reason code is used by the APDU.sendBytes() method to indicate
  * that the sum of buffer offset parameter and the byte length parameter exceeds the APDU
  * buffer size.
  */
  public static final short BUFFER_BOUNDS = 2;
  
 /**
  * This reason code is used by the APDU.setOutgoingLength() method to indicate
  * that the length parameter is greater that 256 or
  * if non BLOCK CHAINED data transfer is requested and len is greater than
  * (IFSD-2), where IFSD is the Outgoing Block Size. 
  */
  public static final short BAD_LENGTH = 3;
  
 /**
  * This reason code indicates that an unrecoverable error occurred in the
  * I/O transmission layer.
  */
  public static final short IO_ERROR = 4;
  
 /**
  * This reason code indicates that during T=0 protocol, the CAD did not return a GET RESPONSE 
  * command in response to a <61xx> response status to send additional data. The outgoing
  * transfer has been aborted. No more data or status can be sent to the CAD 
  * in this APDU.process() method.
  */
  public static final short NO_T0_GETRESPONSE = 0xAA;
  
 /**
  * This reason code indicates that during T=1 protocol, the CAD returned an ABORT S-Block
  * command and aborted the data transfer. The incoming or outgoing
  * transfer has been aborted. No more data can be received from the CAD.
  * No more data or status can be sent to the CAD 
  * in this APDU.process() method.
  */
  public static final short T1_IFD_ABORT = 0xAB;

  private short[] theReason;

  /**
   * Constructs an APDUException.
   * To conserve on resources use throwIt()
   * to use the JCRE owned instance of this class.
   * @param reason the reason for the exception.
   */
  public APDUException(short reason) {
    super(reason);
    if (systemInstance==null) // created by Dispatcher
        systemInstance = this;
    theReason = JCSystem.makeTransientShortArray( (short)1, (byte)JCSystem.CLEAR_ON_RESET );
    theReason[0] = reason;
    }

  /**
   * Throws the JCRE owned instance of APDUException with the specified reason.
   * 
JCRE owned instances of exception classes are temporary JCRE Entry Point Objects
   * and can be accessed from any applet context. References to these temporary objects
   * cannot be stored in class variables or instance variables or array components.
   * See Java Card Runtime Environment (JCRE) Specification, section 6.2.1 for details.
   * @param reason the reason for the exception.
   * @exception APDUException always.
   */
  public static void throwIt(short reason){    
    systemInstance.setReason(reason);
    throw systemInstance;
  }
  
  /** Get reason code
   *  @return the reason for the exception
   */
  public short getReason() {
    return theReason[0];
  }

  /** Set reason code
   * @param reason the reason for the exception
   */
  public void setReason(short reason) {
    theReason[0] = reason;
  }
}
why-2.39/lib/javacard_api/javacard/framework/UserException.java0000644000106100004300000000622713147234006023622 0ustar  marchevals/*
* $Workfile: UserException.java $	$Revision: 1.1 $, $Date: 2007-09-26 14:32:59 $
*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

// /*
// $Workfile: UserException.java $
// $Revision: 1.1 $
// $Date: 2007-09-26 14:32:59 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/framework/UserException.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Ravi
// */

package javacard.framework;

/**
 * UserException represents a User exception.
 * This class also provides a resource-saving mechanism (the throwIt() method) for user
 * exceptions by using a JCRE owned instance.
 * 
JCRE owned instances of exception classes are temporary JCRE Entry Point Objects
 * and can be accessed from any applet context. References to these temporary objects
 * cannot be stored in class variables or instance variables or array components.
 * See Java Card Runtime Environment (JCRE) Specification, section 6.2.1 for details.
 */

public class UserException extends CardException{

  // initialized when created by Dispatcher
  private static UserException systemInstance;

  /**
   * Constructs a UserException with reason = 0.
   * To conserve on resources use throwIt()
   * to use the JCRE owned instance of this class.
   */
  public UserException() {
    this((short)0);
    if (systemInstance==null) // created by Dispatcher
        systemInstance = this; 
  }

  /**
   * Constructs a UserException with the specified reason.
   * To conserve on resources use throwIt()
   * to use the JCRE owned instance of this class.
   * @param reason the reason for the exception.
   */
  public UserException(short reason) {
    super(reason);
    if (systemInstance==null) // created by Dispatcher
        systemInstance = this; 
    }

  /**
   * Throws the JCRE owned instance of UserException with the specified reason.
   * 
JCRE owned instances of exception classes are temporary JCRE Entry Point Objects
   * and can be accessed from any applet context. References to these temporary objects
   * cannot be stored in class variables or instance variables or array components.
   * See Java Card Runtime Environment (JCRE) Specification, section 6.2.1 for details.
   * @param reason the reason for the exception.
   * @exception UserException always.
   */
  public static void throwIt(short reason) throws UserException{
    systemInstance.setReason(reason);
    throw systemInstance;
  }
}
why-2.39/lib/javacard_api/javacard/framework/SystemException.java0000644000106100004300000001030713147234006024162 0ustar  marchevals/*
* $Workfile: SystemException.java $	$Revision: 1.1 $, $Date: 2007-09-26 14:32:59 $
*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

// /*
// $Workfile: SystemException.java $
// $Revision: 1.1 $
// $Date: 2007-09-26 14:32:59 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/framework/SystemException.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Ravi
// */

package javacard.framework;

/**
 * SystemException represents a JCSystem class related exception.
 * It is also thrown by the javacard.framework.Applet.register() methods and by
 * the AID class constructor.
 * 
These API classes throw JCRE owned instances of SystemException. 
 * 
JCRE owned instances of exception classes are temporary JCRE Entry Point Objects
 * and can be accessed from any applet context. References to these temporary objects
 * cannot be stored in class variables or instance variables or array components.
 * See Java Card Runtime Environment (JCRE) Specification, section 6.2.1 for details.
 * @see JCSystem
 * @see Applet
 * @see AID
 */

public class SystemException extends CardRuntimeException{

  // initialized when created by Dispatcher
  private static SystemException systemInstance;

   // SystemException reason code
 /**
  * This reason code is used to indicate that one or more input parameters
  * is out of allowed bounds.
  */
  public static final short ILLEGAL_VALUE = 1;
  
 /**
  * This reason code is used by the makeTransient..() methods 
  * to indicate that no room is available in volatile memory for the requested object.
  */
  public static final short NO_TRANSIENT_SPACE = 2;
  
 /**
  * This reason code is used to indicate that the request to create
  * a transient object is not allowed in the current applet context.
  * See Java Card Runtime Environment (JCRE) Specification, section 6.2.1 for details. 
  */
  public static final short ILLEGAL_TRANSIENT = 3;
  
 /**
  * This reason code is used by the javacard.framework.Applet.register() method
  * to indicate that the input AID parameter is not a legal AID value.
  */
  public static final short ILLEGAL_AID = 4;
 
 /**
  * This reason code is used to indicate that there is insufficient resource
  * in the Card for the request. 
  * 
For example, the Java Card Virtual Machine may throw
  * this exception reason when there is insufficient heap space to create a new instance.
  */
  public static final short NO_RESOURCE = 5;

  /**
   * Constructs a SystemException.
   * To conserve on resources use throwIt()
   * to use the JCRE owned instance of this class.
   * @param reason the reason for the exception.
   */

  public SystemException(short reason) {
    super(reason);
    if (systemInstance==null) // created by Dispatcher
        systemInstance = this; 
    }

  /**
   * Throws the JCRE owned instance of SystemException with the specified reason.
   * 
JCRE owned instances of exception classes are temporary JCRE Entry Point Objects
   * and can be accessed from any applet context. References to these temporary objects
   * cannot be stored in class variables or instance variables or array components.
   * See Java Card Runtime Environment (JCRE) Specification, section 6.2.1 for details.
   * @param reason the reason for the exception.
   * @exception SystemException always.
   */
  public static void throwIt(short reason){
    systemInstance.setReason(reason);
    throw systemInstance;
  }
}
why-2.39/lib/javacard_api/javacard/framework/JCSystem.java0000644000106100004300000004170113147234006022522 0ustar  marchevals/*
* $Workfile: JCSystem.java $	$Revision: 1.7 $, $Date: 2008-02-07 22:08:32 $
*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

// /*
// $Workfile: JCSystem.java $
// $Revision: 1.7 $
// $Date: 2008-02-07 22:08:32 $
// $Author: nrousset $
// $Archive: /Products/Europa/api21/javacard/framework/JCSystem.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Ravi
// */

package javacard.framework;

import com.sun.javacard.impl.PrivAccess;
import com.sun.javacard.impl.NativeMethods;

/**
 * The JCSystem class includes a collection of methods to control
 * applet execution, resource management, atomic transaction management
 * and inter-applet object sharing in Java Card.
 * All methods in JCSystem class are static methods.

 *
 * The JCSystem class also includes methods to control the persistence
 * and transience of objects. The term persistent means that objects and their values
 * persist from one CAD session to the next, indefinitely.
 * Persistent object values are updated atomically using transactions.

 * The makeTransient...Array() methods can be used to create transient arrays
 * with primitive data components.
 * Transient array data is lost (in an undefined state, but the real data is unavailable)
 * immediately upon power loss, and is reset to the default value at the occurrence of certain events
 * such as card reset or deselect.
 * Updates to the values of transient arrays are not atomic and are not affected by transactions.
 * 

 * The JCRE maintains an atomic transaction commit buffer which is initialized on card reset
 * (or power on).
 * When a transaction is in progress, the JCRE journals all updates to persistent data space into
 * this buffer so that it can always guarantee, at commit time, that everything in the buffer
 * is written or nothing at all is written.
 * The JCSystem includes methods to  control an atomic transaction.
 * See Java Card Runtime Environment (JCRE) Specification for details.
 * 

 * @see SystemException
 * @see TransactionException
 * @see Applet
 */

public final class JCSystem
{
    private static final short API_VERSION = 0x0201;
    static PrivAccess thePrivAccess; // initialized by Dispatcher

    /**
     * Only JCRE can use constructor.
     */
    JCSystem(){}

    /**
     * This event code indicates that the object is not transient.
     */
    public static final byte NOT_A_TRANSIENT_OBJECT = 0;

    /**
     * This event code indicates that the contents of the transient object are cleared
     * to the default value on card reset ( or power on ) event.
     */
    public static final byte CLEAR_ON_RESET = 1;

    /**
     * This event code indicates that the contents of the transient object are cleared
     * to the default value on applet deselection event or in CLEAR_ON_RESET cases.
     * 
Notes:
    
     * 
  • CLEAR_ON_DESELECT transient objects can be accessed only when the applet
     * which created the object is the currently the selected applet.
     * 
  • The JCRE will throw a SecurityException if a
     * CLEAR_ON_DESELECT transient
     * object is accessed when the currently selected applet is not the applet which created the object.
     * 

     */
    public static final byte CLEAR_ON_DESELECT = 2;

    /**
     * Used to check if the specified object is transient.
     * 
Notes:
    
     * This method returns NOT_A_TRANSIENT_OBJECT if the specified object is 
     * null or is not an array type.
     * 

     * @param theObj the object being queried.
     * @return NOT_A_TRANSIENT_OBJECT, CLEAR_ON_RESET, or CLEAR_ON_DESELECT.
     * @see #makeTransientBooleanArray(short, byte)
     * @see #makeTransientByteArray(short, byte)
     * @see #makeTransientShortArray(short, byte)
     * @see #makeTransientObjectArray(short, byte)
     */

    /*  public normal_behavior
      @   requires true;
      @   assignable \nothing;
      @   ensures true;
      @*/
    public static native /*  pure @*/ byte isTransient(Object theObj);

    /**
     * Create a transient boolean array with the specified array length.
     * @param length the length of the boolean array.
     * @param event the CLEAR_ON... event which causes the array elements to be cleared.
     * @exception SystemException with the following reason codes:
    
     * 
  • SystemException.ILLEGAL_VALUE if event is not a valid event code.
     * 
  • SystemException.NO_TRANSIENT_SPACE if sufficient transient space is not available.
     * 
  • SystemException.ILLEGAL_TRANSIENT if the current applet context
     * is not the currently selected applet context and CLEAR_ON_DESELECT is specified.
     * 

     */

    /*  public normal_behavior
      @   ensures true;
      @*/

    public static native boolean[] makeTransientBooleanArray(short length, byte event) throws SystemException;

    /**
     * Create a transient byte array with the specified array length.
     * @param length the length of the byte array.
     * @param event the CLEAR_ON... event which causes the array elements to be cleared.
     * @exception SystemException with the following reason codes:
    
     * 
  • SystemException.ILLEGAL_VALUE if event is not a valid event code.
     * 
  • SystemException.NO_TRANSIENT_SPACE if sufficient transient space is not available.
     * 
  • SystemException.ILLEGAL_TRANSIENT if the current applet context
     * is not the currently selected applet context and CLEAR_ON_DESELECT is specified.
     * 

     */

    /*@ behavior normal:
      @   ensures \result.length == length;
      @*/
    public static native byte[] makeTransientByteArray(short length, byte event) 
	throws SystemException;
    
     /**
     * Create a transient short array with the specified array length.
     * @param length the length of the short array.
     * @param event the CLEAR_ON... event which causes the array elements to be cleared.
     * @exception SystemException with the following reason codes:
    
     * 
  • SystemException.ILLEGAL_VALUE if event is not a valid event code.
     * 
  • SystemException.NO_TRANSIENT_SPACE if sufficient transient space is not available.
     * 
  • SystemException.ILLEGAL_TRANSIENT if the current applet context
     * is not the currently selected applet context and CLEAR_ON_DESELECT is specified.
     * 

     */

    /*  public normal_behavior
      @   ensures true;
      @*/
    public static native short[] makeTransientShortArray(short length, byte event) throws SystemException;
    
    /**
     * Create a transient array of Object with the specified array length.
     * @param length the length of the Object array.
     * @param event the CLEAR_ON... event which causes the array elements to be cleared.
     * @exception SystemException with the following reason codes:
    
     * 
  • SystemException.ILLEGAL_VALUE if event is not a valid event code.
     * 
  • SystemException.NO_TRANSIENT_SPACE if sufficient transient space is not available.
     * 
  • SystemException.ILLEGAL_TRANSIENT if the current applet context
     * is not the currently selected applet context and CLEAR_ON_DESELECT is specified.
     * 

     */

    /*  public normal_behavior
      @   ensures true;
      @*/

    public static native Object[] makeTransientObjectArray(short length, byte event) throws SystemException;

    /**
     * Returns the current major and minor version of the Java Card API.
     * @return version number as byte.byte (major.minor)
     */
    public static short getVersion()
    {
        return API_VERSION;
    }

    /**
     * Returns the JCRE owned instance of the AID object associated with
     * the current applet context.
     * Returns null if the Applet.register() method
     * has not yet been invoked.
     * 
JCRE owned instances of AID are permanent JCRE
     * Entry Point Objects and can be accessed from any applet context.
     * References to these permanent objects can be stored and re-used.
     * 
See Java Card Runtime Environment (JCRE) Specification, section 6.2.1 for details.
     * @return the AID object.
     */
    
    public static AID getAID()
    {
	    return thePrivAccess.getAID( PrivAccess.getCurrentAppID() );
    }

    /**
     * Returns the JCRE owned instance of the AID object, if any, 
     * encapsulating the specified AID bytes in the buffer parameter
     * if there exists a successfully installed applet on the card whose instance AID
     * exactly matches that of the specified AID bytes.
     * 
JCRE owned instances of AID are permanent JCRE
     * Entry Point Objects and can be accessed from any applet context.
     * References to these permanent objects can be stored and re-used.
     * 
See Java Card Runtime Environment (JCRE) Specification, section 6.2.1 for details.
     * @param buffer byte array containing the AID bytes.
     * @param offset offset within buffer where AID bytes begin.
     * @param length length of AID bytes in buffer.
     * @return the AID object, if any; null otherwise. A VM exception
     * is thrown if buffer is null,
     * or if offset or length are out of range.
     */

    /*  // Claude Marche', borrowed from LOOP project specification
      @ public behavior 
      @    requires true;
      @  assignable \nothing; 
      @     ensures 
      @        buffer != null && offset >= 0 && length >= 0 && 
      @           offset+length <= buffer.length 
      @        //&& 
      @        //(\result != null ==> \result.equals(buffer,offset,length) )
      @          ;
      @     signals (NullPointerException) 
      @              buffer == null;
      @     signals (ArrayIndexOutOfBoundsException)
      @              buffer != null &&
      @              (offset < 0 || length < 0 || offset+length > buffer.length);
      @*/
    public static /*  pure @*/ AID lookupAID( byte[] buffer, short offset, byte length )
    throws NullPointerException,          // not in original source
           ArrayIndexOutOfBoundsException // not in original source
    {
        byte test = buffer[0]; // throw NullPointerException if buffer==null
        return thePrivAccess.getAID(buffer, offset, length);
    }

    /**
     * Begins an atomic transaction. If a transaction is already in
     * progress (transactionDepth != 0), a TransactionException is
     * thrown.
     * @exception TransactionException with the following reason codes:
    
     * 
  • TransactionException.IN_PROGRESS if a transaction is already in progress.

     * @see #commitTransaction()
     * @see #abortTransaction()
     */

    // specs to avoid Why error msg 'Exception TransactionException_exc cannot be raised' (Nicolas)

    /*  behavior normal:
      @   ensures true;
      @ behavior exc:
      @   signals (TransactionException) true;
      @*/
    public static native void beginTransaction() throws TransactionException;
 
    /**
     * Aborts the atomic transaction. The contents of the commit
     * buffer is discarded.
     * 
Notes:
    
     * 
  • Do not call this method from within a transaction which creates new objects because
     * the JCRE may not recover the heap space used by the new object instances.
     * 
  • Do not call this method from within a transaction which creates new objects because
     * the JCRE may, to ensure the security of the card and to avoid heap space loss,
     * lock up the card session to force tear/reset processing. 
     * 
  • The JCRE ensures that any variable of reference type which references an object
     * instantiated from within this aborted transaction is equivalent to 
     * a null reference.  
     * 

     * @exception TransactionException with the following reason codes:
    
     * 
  • TransactionException.NOT_IN_PROGRESS if a transaction is not in progress.

     * @see #beginTransaction()
     * @see #commitTransaction()
     */

    /*  behavior normal:
      @   ensures true;
      @ behavior exc:
      @   signals (TransactionException) true;
      @*/

    public static native void abortTransaction() throws TransactionException;

    /**
     * Commits an atomic transaction. The contents of commit
     * buffer is atomically committed. If a transaction is not in
     * progress (transactionDepth == 0) then a TransactionException is
     * thrown.
     * @exception TransactionException with the following reason codes:
    
     * 
  • TransactionException.NOT_IN_PROGRESS if a transaction is not in progress.

     * @see #beginTransaction()
     * @see #abortTransaction()
     */

    /*  behavior normal:
      @   ensures true;
      @ behavior exc:
      @   signals (TransactionException) true;
      @*/

    public static native void commitTransaction() throws TransactionException;

    /**
     * Returns the current transaction nesting depth level. At present,
     * only 1 transaction can be in progress at a time.
     * @return 1 if transaction in progress, 0 if not.
     */

    /*  public normal_behavior
      @   ensures true;
      @*/

    public static native /*  pure @*/ byte getTransactionDepth();

    /**
     * Returns the number of bytes left in the commit buffer.
     * @return the number of bytes left in the commit buffer
     * @see #getMaxCommitCapacity()
     */
    public static native short getUnusedCommitCapacity();

    /**
     * Returns the total number of bytes in the commit buffer.
     * This is approximately the maximum number of bytes of
     * persistent data which can be modified during a transaction.
     * However, the transaction subsystem requires additional bytes
     * of overhead data to be included in the commit buffer, and this
     * depends on the number of fields modified and the implementation
     * of the transaction subsystem. The application cannot determine
     * the actual maximum amount of data which can be modified during
     * a transaction without taking these overhead bytes into consideration.
     * @return the total number of bytes in the commit buffer
     * @see #getUnusedCommitCapacity()
     */
    public static native short getMaxCommitCapacity();

    /**
     * This method is called to obtain the JCRE owned instance of the AID object associated
     * with the previously active applet context. This method is typically used by a server applet,
     * while executing a shareable interface method to determine the identity of its client and
     * thereby control access privileges.
     * 
JCRE owned instances of AID are permanent JCRE
     * Entry Point Objects and can be accessed from any applet context.
     * References to these permanent objects can be stored and re-used.
     * 
See Java Card Runtime Environment (JCRE) Specification, section 6.2.1 for details.
     * @return the AID object of the previous context, or null if JCRE.
     */
    public static AID getPreviousContextAID()
    {
        return thePrivAccess.getAID( (byte)
                (NativeMethods.getPreviousContext() & PrivAccess.APPID_BITMASK)
                );
    }
    
    /**
     * This method is called by a client applet to get a server applet's
     * shareable interface object. 
This method returns null
     * if the Applet.register() has not yet been invoked or
     * if the server does not exist or if the server returns null.
     * @param serverAID the AID of the server applet.
     * @param parameter optional parameter data.
     * @return the shareable interface object or null.
     * @see javacard.framework.Applet#getShareableInterfaceObject(AID, byte)
     */
    public static Shareable getAppletShareableInterfaceObject(AID serverAID, byte param /* CM parameter */)
    {  
	    return thePrivAccess.getSharedObject(serverAID, param /* CM parameter */);
    }

}
why-2.39/lib/javacard_api/javacard/framework/OwnerPIN.java0000644000106100004300000002654213147234006022470 0ustar  marchevals/*
* $Workfile: OwnerPIN.java $	$Revision: 1.2 $, $Date: 2007-09-26 15:15:36 $
*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

// /*
// $Workfile: OwnerPIN.java $
// $Revision: 1.2 $
// $Date: 2007-09-26 15:15:36 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/framework/OwnerPIN.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Ravi
// */

package javacard.framework;

/**
 * This class represents an Owner PIN. It implements Personal Identification Number 
 * functionality as defined in the PIN interface. It
 * provides the ability to update the PIN and thus owner functionality.

 * 
 * The implementation of this class must protect against attacks based on program
 * flow prediction.Even if a transaction is in progress, internal state
 * such as the try counter, the validated flag and the blocking state must not
 * be conditionally updated during PIN presentation.

 * 
 * If an implementation of this class creates transient arrays, it must ensure that they are
 * CLEAR_ON_RESET transient objects.

 * 
 * The protected methods getValidatedFlag and
 * setValidatedFlag allow a subclass
 * of this class to optimize the storage for the validated boolean state.

 *
 * Some methods of instances of this class are only suitable for sharing when there exists
 * a trust relationship among the applets. A typical shared usage would use
 * a proxy PIN interface which implements both the PIN interface and
 * the Shareable interface.
 * 
Any of the methods of the OwnerPIN may be called with a transaction in  
 * progress. None of the methods of OwnerPIN class initiate or alter the state
 * of the transaction if one is in progress.
 * @see PINException
 * @see PIN
 * @see Shareable
 * @see JCSystem
 */
public class OwnerPIN implements PIN{


  /**
   * try limit, the maximum number of times an incorrect PIN can be
   * presented before the PIN is blocked. When the PIN is blocked, it
   * cannot be validated even on valid PIN presentation.
   */
    private /*  spec_public */ byte tryLimit;

  /**
   * max PIN size, the maximum length of PIN allowed
   */
  private byte maxPINSize;

  /**
   * PIN value
   */
    private byte[] pinValue;

  /**
   * the current size of PIN array.
   */
  private byte pinSize;

  /**
   * validated flag, true if a valid PIN has been presented. This flag is
   * reset on every card reset.
   */
    // @ invariant flags instanceof boolean[];
    private boolean[] flags; //default null

  private static final byte VALIDATED = (byte)0;
  private static final byte NUMFLAGS = (byte)(VALIDATED+1);
  
  /**
   * Create and initialize Flags array.
   */
  private void createFlags() {
    if (flags!=null) return;
    flags = JCSystem.makeTransientBooleanArray(NUMFLAGS, JCSystem.CLEAR_ON_RESET);
    setValidatedFlag(false);
    }

  /**
   * This protected method returns the validated flag.
   * This method is intended for subclass of this OwnerPIN to access or
   * override the internal PIN state of the OwnerPIN.
   * @return the boolean state of the PIN validated flag.
   */
    /* public normal_behavior
      @ensures \result == flags[VALIDATED];
      @*/
    protected /*  pure */ boolean getValidatedFlag() {
    createFlags();
    return flags[VALIDATED];
    }

  /**
   * This protected method sets the value of the validated flag.
   * This method is intended for subclass of this OwnerPIN to control or
   * override the internal PIN state of the OwnerPIN.
   * @param value the new value for the validated flag.
   */
    // Modified by Xavier (boolean value) -> (boolean v) to avoid name clashes.
  protected void setValidatedFlag(boolean v) {
    createFlags();
    flags[VALIDATED] = v;
    }
    
  /**
   * tries left, the remaining number of times an incorrect PIN
   * presentation is permitted. It is declared as an array so
   * that arrayCopyNonAtomic can be used during decrement.
   */
    private byte[] triesLeft;

  /**
   * tries : temporary byte. This byte is used while decrementing triesLeft field
   * in persistent space, to ensure unconditional update.
   */
    // @ invariant temps instanceof byte[];
    private byte[] temps; // default 0
    
  private static final byte TRIES = (byte)0;
  private static final byte NUMTEMPS = (byte)(TRIES+1);
  
  /**
   * Reset triesLeft field to tryLimit.
   */
  private void resetTriesRemaining() {
    triesLeft[0] = tryLimit;
  }
  
 /**
   * Decrement triesLeft field in persistent space by 1. Ensure that the update is
   * unconditional even if a transaction is in progress.
   */
  private void decrementTriesRemaining() {
    if (temps==null) temps = JCSystem.makeTransientByteArray(NUMTEMPS, JCSystem.CLEAR_ON_RESET);
    temps[TRIES] = (byte)(triesLeft[0]-1);
    Util.arrayCopyNonAtomic( temps, TRIES, triesLeft, (short)0, (short)1 );
  }
    
  /**
   * Constructor. Allocates a new PIN instance with validated flag
   * set to false.
   * @param tryLimit the maximum number of times an incorrect PIN can be presented. tryLimit must be >=1.
   * @param maxPINSize the maximum allowed PIN size. maxPINSize must be >=1.
   * @exception PINException with the following reason codes:
    
   * 
  • PINException.ILLEGAL_VALUE if tryLimit parameter is less than 1.
   * 
  • PINException.ILLEGAL_VALUE if maxPINSize parameter is less than 1.

   */
   
    /* invariant
      @triesLeft instanceof byte[] &&
      @pinValue instanceof byte[] ;
      @*/
  public OwnerPIN(byte tryLimit, byte maxPINSize) throws PINException{
        if ((tryLimit<1) || (maxPINSize<1)) PINException.throwIt( PINException.ILLEGAL_VALUE );
    pinValue = new byte[maxPINSize]; //default value 0
    this.pinSize = maxPINSize; //default
    this.maxPINSize = maxPINSize;
    this.tryLimit = tryLimit;
    triesLeft = new byte[1];
    resetTriesRemaining();
    }

  /**
   * Returns the number of times remaining that an incorrect PIN can
   * be presented before the PIN is blocked.
   *
   * @return the number of times remaining
   */
    /* public normal_behavior
      @modifiable \nothing;
      @ensures \result==triesLeft[0];
      @*/
    public /*  pure */ byte getTriesRemaining(){
    return triesLeft[0];
    }

  /**
   * Compares pin against the PIN value. If they match and the
   * PIN is not blocked, it sets the validated flag
   * and resets the try counter to its maximum. If it does not match,
   * it decrements the try counter and, if the counter has reached
   * zero, blocks the PIN. Even if a transaction is in progress, internal state
   * such as the try counter, the validated flag and the blocking state
   * must not be conditionally updated.
   * 

   * Notes:
    
   * 
  • If NullPointerException or ArrayIndexOutOfBoundsException is
   * thrown, the validated flag must be set to false, the try counter must be decremented
   * and, the PIN blocked if the counter reaches zero.
   * 
  • If offset or length parameter
   * is negative an ArrayIndexOutOfBoundsException exception is thrown.
   * 
  • If offset+length is greater than pin.length, the length
   * of the pin array, an ArrayIndexOutOfBoundsException exception is thrown.
   * 
  • If pin parameter is null
   * a NullPointerException exception is thrown.

   * @param pin the byte array containing the PIN value being checked
   * @param offset the starting offset in the pin array
   * @param length the length of pin.
   * @return true if the PIN value matches; false otherwise
   * @exception java.lang.ArrayIndexOutOfBoundsException
   * - if the check operation would cause access of data outside array bounds.
   * @exception java.lang.NullPointerException - if pin is null 
   */
  public boolean check(byte[] pin, short offset, byte length)
  throws ArrayIndexOutOfBoundsException, NullPointerException{
    setValidatedFlag(false);
    if ( getTriesRemaining() == 0 ) return false;
    decrementTriesRemaining();
    if (length!=pinSize) return false;
    if ( Util.arrayCompare( pin, offset, pinValue, (short)0, (short)length )==(byte)0 ) {
        setValidatedFlag(true);
        resetTriesRemaining();
        return true;
        }
    return false;
    }

  /**
   * Returns true if a valid PIN has been presented since the last
   * card reset or last call to reset().
   *
   * @return true if validated; false otherwise
   */
    /* public normal_behavior
      @ensures \result<==>getValidatedFlag();
      @*/
    public /*  pure */ boolean isValidated(){
    return getValidatedFlag();
    }

  /**
   * If the validated flag is set, this method resets it.
   * If the validated flag is not set, this method does nothing.
   */
  public void reset(){
    if (isValidated()) resetAndUnblock();
    }

  /**
   * This method sets a new value for the PIN and resets the PIN try
   * counter to the value of the PIN try limit. It also resets the validated flag.

   * This method copies the input pin parameter into an internal representation. If a transaction is
   * in progress, the new pin and try counter update must be conditional i.e
   * the copy operation must use the transaction facility. 
   * @param pin the byte array containing the new PIN value
   * @param offset the starting offset in the pin array
   * @param length the length of the new PIN.
   * @exception PINException with the following reason codes:
    
   * 
  • PINException.ILLEGAL_VALUE if length is greater than configured maximum PIN size.

   * @see javacard.framework.JCSystem#beginTransaction()
   */
  public void update(byte[] pin, short offset, byte length)
  throws PINException{
    if ( length>maxPINSize ) PINException.throwIt( PINException.ILLEGAL_VALUE );
    Util.arrayCopy( pin, offset, pinValue, (short)0, length );
    pinSize = length;
    resetTriesRemaining();
    setValidatedFlag(false);
	}

  /**
   * This method resets the validated flag and
   * resets the PIN try counter to the value of the PIN try limit.
   * This method is used by the owner to re-enable the blocked PIN.
   */
  public void resetAndUnblock()
    {
    resetTriesRemaining();
    setValidatedFlag(false);
	}
}
why-2.39/lib/javacard_api/javacard/framework/Dispatcher.java0000644000106100004300000002152013147234006023104 0ustar  marchevals/*
* $Workfile: Dispatcher.java $	$Revision: 1.1 $, $Date: 2007-09-26 14:32:59 $
*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

// /*
// $Workfile: Dispatcher.java $
// $Revision: 1.1 $
// $Date: 2007-09-26 14:32:59 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/framework/Dispatcher.java $
// $Modtime: 5/02/00 8:48p $
// Original author:  Mitch Butler
// */
package javacard.framework;

import com.sun.javacard.impl.PrivAccess;
import com.sun.javacard.impl.AppTable;
import com.sun.javacard.impl.NativeMethods;
import javacard.security.CryptoException;

/**
 * This class is the Dispatcher, which contains the main entry point and
 * the main loop of the card. It dispatches APDUs to applets.
 */
class Dispatcher
{
	// Constants
    private static final byte INS_SELECT   = (byte)0xA4;
    private static final byte P1_SELECT_DFBYNAME = (byte) 0x04;

    private static final byte P2_SELECT_OPTIONS = (byte) 0xF3;
    private static final byte P2_SELECT_OPTIONS_ONLY = 0x00;

	// Static class fields, with initialization done in init()
	private static boolean initDone = false;
    private static APDU theAPDU;
    private static byte[] theAPDUBuffer;
    private static PrivAccess thePrivAccess;
    
    // other static fields
    static Dispatcher theDispatcher;

    /**
     * Main entry point invoked by VM when card is reset.
     */
	static void main()
	{
	    if (!initDone) cardInit();      // card initialization (first time only)	    
	    cardReset();                    // session initialization (each card reset)
	    short sw = 0;

        // main loop
    	while (true) {
            PrivAccess.resetSelectingAppletFlag();
    	    theAPDU.complete(sw); // respond to previous APDU and get next
    	    try {
    	        processDispatcherAPDU(); // Dispatcher handles the SELECT APDU
    	        // dispatch to the currently selected applet
    	        if (PrivAccess.getSelectedAppID()==PrivAccess.APP_NULL) {
                   // if no applet selected
                   ISOException.throwIt(ISO7816.SW_APPLET_SELECT_FAILED);
                   }
                PrivAccess.getSelectedApplet().process(theAPDU);
 	            // abort transaction if applet forgot to commit it
 	            if (JCSystem.getTransactionDepth() != 0) {
 	               TransactionException.throwIt(TransactionException.IN_PROGRESS);
 	               }
 	            sw = ISO7816.SW_NO_ERROR;
    	    } catch (ISOException ex) {
    	        // get SW from ISOException reason
    	        sw = ex.getReason();
    	    } catch (Throwable e) {
    	        // any other exception is unknown reason
    	        sw = ISO7816.SW_UNKNOWN;
    	    }

 	        // abort transaction if still in progress
 	        if (JCSystem.getTransactionDepth() != 0) {
	            JCSystem.abortTransaction();
	        }
   	    }
	}

    /**
     * Process APDUs handled by the Dispatcher.
     */
	private static void processDispatcherAPDU()
	{
		if (theAPDUBuffer[0] == (byte)(ISO7816.CLA_ISO7816)) {
    		switch (theAPDUBuffer[1]) {
    		    case (byte)INS_SELECT:
    		        theDispatcher.selectAPDU(theAPDU);
    		        break;
    		}
    	}
	}

    /**
     * Select commands are handled by the Dispatcher.
     * This method checks for the supported SELECT options. If it is a supported applet selection command,
     * and the applet is identified, deselect the currently selected applet and select the new one.
     * If applet selection fails, or the identified applet state is not selectable, deselect the
     * the currently selected applet and leave in "no applet selected" state.
     * This method rewinds the APDU if setIncomingAndReceive() is called.
     */
	void selectAPDU(APDU theAPDU)
	{
        // ensure that P1==4 and (P2 & 0xF3)==0
        if (theAPDUBuffer[2] == P1_SELECT_DFBYNAME) {

            // check P2 = 0x0, 0x04, 0x08 or 0x0C
            if ((theAPDUBuffer[3] & P2_SELECT_OPTIONS) != P2_SELECT_OPTIONS_ONLY) {
                return;
            }

            // read AID and check APDU data length
            byte len = (byte)(theAPDU.setIncomingAndReceive());

            if ( len == theAPDUBuffer[4]) {

                // search for applet with AID
                byte i = AppTable.findApplet(theAPDUBuffer, (short)5, len);

                // find AID in AppTable
                // if no match of AID found in AppTable. JCRE assumes that the command is
                // not being used to select an applet and will invoke process() method
                // of the currently select applet (if there is one)
                if ( i != AppTable.APP_NULL) {
                  // is applet selectable?
                  if ( PrivAccess.getAppState( thePrivAccess.getAID(i) ) >= PrivAccess.APP_STATE_SELECTABLE ){
                    PrivAccess.selectApplet(i);
                  } else {
                    // if applet is not selectable, no applet selected
                    PrivAccess.deselectOnly();
                    NativeMethods.setSelectedContext(PrivAccess.JCRE_CONTEXTID);
                  }
                }
            }
            // "undo" the receive so that the applet can do it
            undoReceive();
        }
    }
    
    void undoReceive() {
        // "undo" the receive so that the applet can do it
        theAPDU.undoIncomingAndReceive();
        }   
            

    /**
     * This method is executed once each time the card is reset, when
     * the Dispatcher is initialized. All reset-time-only Dispatcher,
     * PrivAccess, and "system" initializations are done here.
     */
	static void cardReset()
	{
	    // this implementation selects a default applet on card reset.
        PrivAccess.selectDefaultApplet();
        
        // ensure AppTable state is consistent
        AppTable.cleanup();
        // other card reset time initialization such as initializing
        // transient objects not shown here.
	}

    /**
     * This method is executed exactly once in the lifetime of the card, when
     * the Dispatcher is initialized for the first time. All first-time-only Dispatcher,
     * PrivAccess, and "system" initializations are done here.
     */
    static void cardInit()
    {
        NativeMethods.markHeap(); //allow the JCRE heap space recovery
        if (theDispatcher==null) theDispatcher = new Dispatcher();
        
        // create JCRE owned instances of exceptions
        // and designate as temporary Entry Point Objects
        // Exception classes init their own static systemInstance reference
        Exception ex;
        ex = new CardException( (short) 0 );
        NativeMethods.setJCREentry( ex, true );
        ex = new CardRuntimeException ( (short) 0 );
        NativeMethods.setJCREentry( ex, true );
        ex = new APDUException ( (short) 0 );
        NativeMethods.setJCREentry( ex, true );
        ex = new ISOException ( (short) 0 );
        NativeMethods.setJCREentry( ex, true );
        ex = new PINException ( (short) 0 );
        NativeMethods.setJCREentry( ex, true );
        ex = new SystemException ( (short) 0 );
        NativeMethods.setJCREentry( ex, true );
        ex = new TransactionException ( (short) 0 );
        NativeMethods.setJCREentry( ex, true );
        ex = new UserException ( (short) 0 );
        NativeMethods.setJCREentry( ex, true );
        ex = new CryptoException ( (short) 0 );
        NativeMethods.setJCREentry( ex, true );

        // create JCRE owned instance of the APDU and designate as temporary Entry Point Object
        theAPDU = new APDU();
        NativeMethods.setJCREentry( theAPDU, true );

        // create JCRE owned instance of PrivAccess and designate as permanent Entry Point Object
        thePrivAccess = JCSystem.thePrivAccess = new PrivAccess();
        NativeMethods.setJCREentry( thePrivAccess, false );

        // get APDU buffer and mark as (temporary) Global Array.
        theAPDUBuffer = theAPDU.getBuffer();
        NativeMethods.setJCREentry( theAPDUBuffer, true );

        PrivAccess.initialize( theAPDU );

        initDone = true;	        // card init is complete
        NativeMethods.commit();     // commit the heap space used by JCRE
    }

    /**
     * Only JCRE can use constructor.
     * No need to construct this class anyway. No instance methods/fields.
     */
    Dispatcher(){}

}
why-2.39/lib/javacard_api/javacard/framework/Util.java0000644000106100004300000004146213147234006021742 0ustar  marchevals/*
* $Workfile: Util.java $	$Revision: 1.2 $, $Date: 2007-09-26 15:15:36 $
*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

// /*
// $Workfile: Util.java $
// $Revision: 1.2 $
// $Date: 2007-09-26 15:15:36 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/framework/Util.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Ravi
// */

package javacard.framework;

/**
 * The Util class contains common utility functions.
 * Some of the methods may be implemented as native functions for
 * performance reasons.
 * All methods in Util, class are static methods.

 * Some methods of Util namely arrayCopy(), arrayCopyNonAtomic(),
 * arrayFillNonAtomic() and setShort(), refer to the persistence of
 * array objects. The term persistent means that arrays and their values persist from
 * one CAD session to the next, indefinitely.
 * The JCSystem class is used to control the persistence and transience of objects.
 * @see javacard.framework.JCSystem
 */

public class Util
{

    /**
     * Only JCRE can use constructor.
     * No need to construct this class anyway, since it is all statics.
     */
    Util(){}

    /**
     * Copies an array from the specified source array,
     * beginning at the specified position,
     * to the specified position of the destination array.
     * 

     * Notes:
    
     * 
  • If srcOff or destOff or length parameter
     * is negative an ArrayIndexOutOfBoundsException exception is thrown.
     * 
  • If srcOff+length is greater than src.length, the length
     * of the src array a ArrayIndexOutOfBoundsException exception is thrown
     * and no copy is performed.
     * 
  • If destOff+length is greater than dest.length, the length
     * of the dest array an ArrayIndexOutOfBoundsException exception is thrown
     * and no copy is performed.
     * 
  • If src or dest parameter is null
     * a NullPointerException exception is thrown.
     * 
  • If the src and dest arguments refer to the same array object,
     * then the copying is performed as if the components at positions srcOff
     * through srcOff+length-1 were first copied to a temporary array with length components
     * and then the contents of the temporary array were copied into
     * positions destOff through destOff+length-1 of the argument array.
     * 
  • If the destination array is persistent, the entire copy is performed atomically.
     * 
  • The copy operation is subject to atomic commit capacity limitations.
     * If the commit capacity is exceeded, no copy is performed and a TransactionException
     * exception is thrown.
     * 

     * @param src source byte array.
     * @param srcOff offset within source byte array to start copy from.
     * @param dest destination byte array.
     * @param destOff offset within destination byte array to start copy into.
     * @param length byte length to be copied.
     * @return destOff+length
     * @exception java.lang.ArrayIndexOutOfBoundsException
     * - if copying would cause access of data outside array bounds.
     * @exception java.lang.NullPointerException - if either src or dest is null.
     * @exception javacard.framework.TransactionException
     * - if copying would cause the commit capacity to be exceeded.
     * @see javacard.framework.JCSystem#getUnusedCommitCapacity()
     */
    /*  normal_behavior
      @  requires src != null &&  srcOff >= 0 &&
      @              srcOff+length <= src.length &&
      @            dest != null && destOff >= 0 &&
      @              destOff+length <= dest.length &&
      @            length >= 0;
      @  modifiable dest[destOff..destOff+length-1];
      @     ensures (\forall short i ; 0 <= i && i < length ;
      @                    dest[destOff+i] == \old(src[srcOff+i]));
      @*/
    public static final native short arrayCopy(byte[] src, short srcOff, byte[] dest, short destOff, short length)
    throws ArrayIndexOutOfBoundsException, NullPointerException, TransactionException;

    /**
     * Copies an array from the specified source array,
     * beginning at the specified position,
     * to the specified position of the destination array (non-atomically).
     * 
This method does not use the transaction facility during the copy operation even if
     * a transaction is in progress. Thus, this
     * method is suitable for use only when the contents of the destination array can be left in
     * a partially modified state in the event of a power loss in the middle of the copy operation.
     * 

     * Notes:
    
     * 
  • If srcOff or destOff or length parameter
     * is negative an ArrayIndexOutOfBoundsException exception is thrown.
     * 
  • If srcOff+length is greater than src.length, the length
     * of the src array a ArrayIndexOutOfBoundsException exception is thrown
     * and no copy is performed.
     * 
  • If destOff+length is greater than dest.length, the length
     * of the dest array an ArrayIndexOutOfBoundsException exception is thrown
     * and no copy is performed.
     * 
  • If src or dest parameter is null
     * a NullPointerException exception is thrown.
     * 
  • If the src and dest arguments refer to the same array object,
     * then the copying is performed as if the components at positions srcOff
     * through srcOff+length-1 were first copied to a temporary array with length components
     * and then the contents of the temporary array were copied into
     * positions destOff through destOff+length-1 of the argument array.
     * 
  • If power is lost during the copy operation and the destination array is persistent,
     * a partially changed destination array could result.
     * 
  • The copy length parameter is not constrained by the atomic commit capacity limitations.

     * @param src source byte array.
     * @param srcOff offset within source byte array to start copy from.
     * @param dest destination byte array.
     * @param destOff offset within destination byte array to start copy into.
     * @param length byte length to be copied.
     * @return destOff+length
     * @exception java.lang.ArrayIndexOutOfBoundsException
     * - if copying would cause access of data outside array bounds.
     * @exception java.lang.NullPointerException - if either src or dest is null.
     * @see javacard.framework.JCSystem#getUnusedCommitCapacity()
     */

    /*  public normal_behavior
      @   requires src != null;
      @   requires srcOff >= 0;
      @   requires srcOff + length <= src.length;
      @   requires dest != null;
      @   requires destOff >= 0;
      @   requires destOff + length <= dest.length;
      @   requires length >= 0;
      @
      @   assignable dest[destOff..destOff + length - 1];
      @
      @   ensures (\forall short i; 0 <= i && i < length; dest[destOff + i] == \old(src[srcOff + i]));
      @*/

    public static final native short arrayCopyNonAtomic(byte[] src, short srcOff, byte[] dest, short destOff, short length)
	throws ArrayIndexOutOfBoundsException, NullPointerException;


    /**
     * Fills the byte array (non-atomically) beginning at the specified position,
     * for the specified length with the specified byte value.
     * 
This method does not use the transaction facility during the fill operation even if
     * a transaction is in progress. Thus, this
     * method is suitable for use only when the contents of the byte array can be left in
     * a partially filled state in the event of a power loss in the middle of the fill operation.
     * 

     * Notes:
    
     * 
  • If bOff or bLen parameter
     * is negative an ArrayIndexOutOfBoundsException exception is thrown.
     * 
  • If bOff+bLen is greater than bArray.length, the length
     * of the bArray array an ArrayIndexOutOfBoundsException exception is thrown.
     * 
  • If bArray parameter is null
     * a NullPointerException exception is thrown.
     * 
  • If power is lost during the copy operation and the byte array is persistent,
     * a partially changed byte array could result.
     * 
  • The bLen parameter is not constrained by the atomic commit capacity limitations.

     * @param bArray the byte array.
     * @param bOff offset within byte array to start filling bValue into.
     * @param bLen byte length to be filled.
     * @param bValue the value to fill the byte array with.
     * @return bOff+bLen
     * @exception java.lang.ArrayIndexOutOfBoundsException
     * - if the fill operation would cause access of data outside array bounds.
     * @exception java.lang.NullPointerException - if bArray is null
     * @see javacard.framework.JCSystem#getUnusedCommitCapacity()
     */
    public static final native short arrayFillNonAtomic(byte[] bArray, short bOff, short bLen, byte bValue)
    throws ArrayIndexOutOfBoundsException, NullPointerException;
   
    /**
     * Compares an array from the specified source array,
     * beginning at the specified position,
     * with the specified position of the destination array from left to right.
     * Returns the ternary result of the comparison : less than(-1), equal(0) or greater than(1).
     * 
Notes:
    
     * 
  • If srcOff or destOff or length parameter
     * is negative an ArrayIndexOutOfBoundsException exception is thrown.
     * 
  • If srcOff+length is greater than src.length, the length
     * of the src array a ArrayIndexOutOfBoundsException exception is thrown.
     * 
  • If destOff+length is greater than dest.length, the length
     * of the dest array an ArrayIndexOutOfBoundsException exception is thrown.
     * 
  • If src or dest parameter is null
     * a NullPointerException exception is thrown.
     * 

     * @param src source byte array.
     * @param srcOff offset within source byte array to start compare.
     * @param dest destination byte array.
     * @param destOff offset within destination byte array to start compare.
     * @param length byte length to be compared.
     * @return the result of the comparison as follows:
    
     * 
  •  0 if identical
     * 
  •  -1 if the first miscomparing byte in source array is less than that in destination array,
     * 
  •  1 if the first miscomparing byte in source array is greater that that in destination array.

     * @exception java.lang.ArrayIndexOutOfBoundsException
     * - if comparing all bytes would cause access of data outside array bounds.
     * @exception java.lang.NullPointerException - if either src or dest is null.
     */
    // TEMP // This method might eventually be a native method

    /*  public normal_behavior
      @   requires src != null;
      @   requires srcOff >= 0;
      @   requires srcOff + length <= src.length;
      @   requires dest != null;
      @   requires destOff >= 0;
      @   requires destOff + length <= dest.length;
      @   requires length >= 0;
      @
      @   assignable \nothing;
      @
      @   ensures -1 <= \result && \result <= 1;
      @   ensures \result == -1
      @           <==>
      @           (\exists short j; 0 <= j && j < length;
      @                    src[srcOff + j] < dest[destOff + j] &&
      @                    (\forall short i; 0 <= i && i < j; src[srcOff + i] == dest[destOff + i]));
      @   ensures \result == 0 
      @           <==>
      @           (\forall short i; 0 <= i && i < length; src[srcOff + i] == dest[destOff + i]);
      @   ensures \result == 1
      @           <==>
      @           (\exists short j; 0 <= j && j < length;
      @                    src[srcOff + j] > dest[destOff + j] &&
      @                    (\forall short i; 0 <= i && i < j; src[srcOff + i] == dest[destOff + i]));
      @*/

    public static final /*  pure @*/ native byte arrayCompare(byte[] src, short srcOff, byte[] dest, short destOff, short length)
    throws ArrayIndexOutOfBoundsException, NullPointerException;

    /**
     * Concatenates the two parameter bytes to form a short value.
     * @param b1 the first byte ( high order byte ).
     * @param b2 the second byte ( low order byte ).
     * @return the short value - the concatenated result
     */
    public static final short makeShort( byte b1, byte b2 )
    {
        return (short)(((short)b1 << 8) + ((short)b2 & 0xFF));
    }

    /**
     * Concatenates two bytes in a byte array to form a short value.
     * @param bArray byte array.
     * @param bOff offset within byte array containing first byte (the high order byte).
     * @return the short value - the concatenated result
     */

    // Added by Xavier to avoid & in specs
    /*  normal_behavior
      @// requires -128 <= b  && b <= 127 ;
      @ ensures (b >= 0 ==> \result==b) && (b < 0 ==> \result==b+256) ;
      @*/
    public static /*  pure @*/ short k_unsigned(byte b){}

    // Is this ensures clause necessary ?
    //    ensures     (\result >> 8) == (int)bArray[bOff] &&
    //    (\result & 0x00ff) == (k_unsigned(bArray[bOff+1]));
      

    /*  normal_behavior
      @  requires bArray != null && 
      @           bOff >= 0 &&
      @           bArray.length - 1 > bOff;
      @  modifiable \nothing;
      @     ensures \result == 256 * bArray[bOff]
      @                          + (k_unsigned(bArray[bOff+1]));
      @*/
    public static final /*  pure @*/ short getShort( byte[] bArray, short bOff )
    {
        return (short)(( (short)(bArray[bOff]) << 8 ) +
                       ( (short)(bArray[(short)(bOff+1)]) & 0xFF));
    }

    /**
     * Deposits the short value as two successive bytes at the specified offset in the byte array.
     * @param bArray byte array.
     * @param bOff offset within byte array to deposit the first byte (the high order byte).
     * @param sValue the short value to set into array.

     * @return bOff+2
     * 
Note:
    
     * 
  • If the byte array is persistent, this operation is performed atomically.
     * If the commit capacity is exceeded, no operation is performed and a TransactionException
     * exception is thrown.

     * @exception javacard.framework.TransactionException
     * - if the operation would cause the commit capacity to be exceeded.
     * @see javacard.framework.JCSystem#getUnusedCommitCapacity()
     */
    // TEMP // This method should eventually be a native method
    public static final native short setShort( byte[] bArray, short bOff, short sValue )
    throws TransactionException;
}
why-2.39/lib/javacard_api/javacard/framework/ISO7816.java0000644000106100004300000001125313147234006022000 0ustar  marchevals/*
* $Workfile: ISO7816.java $	$Revision: 1.1 $, $Date: 2007-09-26 14:32:59 $
*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

// /*
// $Workfile: ISO7816.java $
// $Revision: 1.1 $
// $Date: 2007-09-26 14:32:59 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/framework/ISO7816.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Ravi
// */

package javacard.framework;

/**
 * ISO7816 encapsulates constants related to ISO 7816-3 and ISO 7816-4.
 * ISO7816 interface contains only static fields.

 * The static fields with SW_ prefixes define constants for the ISO 7816-4 defined response
 * status word. The fields which use the _00 suffix require the low order byte to be
 * customized appropriately e.g (ISO7816.SW_CORRECT_LENGTH_00 + (0x0025 & 0xFF)).

 * The static fields with OFFSET_ prefixes define constants to be used to index into
 * the APDU buffer byte array to access ISO 7816-4 defined header information.
 */
public interface ISO7816 {

  // Mnemonics for the SW1,SW2 error codes

  /**
   * Response status : No Error = (short)0x9000
   */
  short SW_NO_ERROR		      = (short)0x9000;

  /**
   * Response status : Response bytes remaining = 0x6100
   */
  short SW_BYTES_REMAINING_00 = 0x6100;

  /**
   * Response status : Wrong length = 0x6700
   */
  short SW_WRONG_LENGTH	      = 0x6700;

  /**
   * Response status : Security condition not satisfied = 0x6982
   */
  short SW_SECURITY_STATUS_NOT_SATISFIED = 0x6982;

  /**
   * Response status : File invalid = 0x6983
   */
  short SW_FILE_INVALID       = 0x6983;

  /**
   * Response status : Data invalid = 0x6984
   */
  short SW_DATA_INVALID	      = 0x6984;

  /**
   * Response status : Conditions of use not satisfied = 0x6985
   */
  short SW_CONDITIONS_NOT_SATISFIED	      = 0x6985;

  /**
   * Response status : Command not allowed (no current EF) = 0x6986
   */
  short SW_COMMAND_NOT_ALLOWED	      = 0x6986;
  
  /**
   * Response status : Applet selection failed = 0x6999;
   */
  short SW_APPLET_SELECT_FAILED	      = 0x6999;
  
  /**
   * Response status : Wrong data = 0x6A80
   */
  short SW_WRONG_DATA	      = 0x6A80;

  /**
   * Response status : Function not supported = 0x6A81
   */
  short SW_FUNC_NOT_SUPPORTED = 0x6A81;

  /**
   * Response status : File not found = 0x6A82
   */
  short SW_FILE_NOT_FOUND     = 0x6A82;

  /**
   * Response status : Record not found = 0x6A83
   */
  short SW_RECORD_NOT_FOUND   = 0x6A83;

  /**
   * Response status : Incorrect parameters (P1,P2) = 0x6A86
   */
  short SW_INCORRECT_P1P2 	  = 0x6A86;

  /**
   * Response status : Incorrect parameters (P1,P2) = 0x6B00
   */
  short SW_WRONG_P1P2 	      = 0x6B00;

  /**
   * Response status : Correct Expected Length (Le) = 0x6C00
   */
  short SW_CORRECT_LENGTH_00  = 0x6C00;

  /**
   * Response status : INS value not supported = 0x6D00
   */
  short SW_INS_NOT_SUPPORTED  = 0x6D00;

  /**
   * Response status : CLA value not supported = 0x6E00
   */
  short SW_CLA_NOT_SUPPORTED  = 0x6E00;

  /**
   * Response status : No precise diagnosis = 0x6F00
   */
  short SW_UNKNOWN            = 0x6F00;

  /**
   * Response status : Not enough memory space in the file  = 0x6A84
   */
  short SW_FILE_FULL = 0x6A84;

  // Offsets into APDU header information
  
  /**
   * APDU header offset : CLA = 0
   */
  byte OFFSET_CLA  = 0;

  /**
   * APDU header offset : INS = 1
   */
  byte OFFSET_INS  = 1;

  /**
   * APDU header offset : P1 = 2
   */
  byte OFFSET_P1   = 2;

 /**
   * APDU header offset : P2 = 3
   */
  byte OFFSET_P2   = 3;

 /**
   * APDU header offset : LC = 4
   */
  byte OFFSET_LC   = 4;

 /**
   * APDU command data offset : CDATA = 5
   */
  byte OFFSET_CDATA= 5;
  
  
  //commands
  
  /**
   * APDU command CLA : ISO 7816 = 0x00
   */
  byte CLA_ISO7816 = (byte) 0x00;
  
  /** 
   * APDU command INS : SELECT = 0xA4
   */
  byte INS_SELECT = (byte) 0xA4;
  
  /** 
   * APDU command INS : EXTERNAL AUTHENTICATE = 0x82
   */
  byte INS_EXTERNAL_AUTHENTICATE = (byte) 0x82;

}
why-2.39/lib/javacard_api/javacard/framework/Shareable.java0000644000106100004300000000303513147234006022705 0ustar  marchevals/*
* $Workfile: Shareable.java $	$Revision: 1.1 $, $Date: 2007-09-26 14:32:59 $
*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

// /*
// $Workfile: Shareable.java $
// $Revision: 1.1 $
// $Date: 2007-09-26 14:32:59 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/framework/Shareable.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Mitch
// */

package javacard.framework;

/**
 * The Shareable interface serves to identify all shared objects.
 * Any object that needs to be shared through the applet firewall
 * must directly or indirectly implement this interface. Only those
 * methods specified in a shareable interface are available through
 * the firewall.
 *
 * Implementation classes can implement any number of shareable
 * interfaces and can extend other shareable implementation classes.
 */

public interface Shareable {}
why-2.39/lib/javacard_api/javacard/framework/ISOException.java0000644000106100004300000001013613147234006023330 0ustar  marchevals/*
* $Workfile: ISOException.java $	$Revision: 1.2 $, $Date: 2007-09-26 15:15:36 $
*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

// /*
// $Workfile: ISOException.java $
// $Revision: 1.2 $
// $Date: 2007-09-26 15:15:36 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/framework/ISOException.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Zhiqun
// */

package javacard.framework;

/**
 * ISOException class encapsulates an ISO 7816-4 response status word as
 * its reason code.
 * 
The APDU class throws JCRE owned instances of ISOException.
 * 
JCRE owned instances of exception classes are temporary JCRE Entry Point Objects
 * and can be accessed from any applet context. References to these temporary objects
 * cannot be stored in class variables or instance variables or array components.
 * See Java Card Runtime Environment (JCRE) Specification, section 6.2.1 for details.
 */

public class ISOException extends CardRuntimeException {

  // initialized when created by Dispatcher
    // if non static : 
    //   Modified by Xavier to bypass pb with static non final variables
    private /*  spec_public @*/ static ISOException systemInstance;
  
    private /*  spec_public @*/short[] theSw;

  // @ public model short _reason; 

  /**
   * Constructs an ISOException instance with the specified status word.
   * To conserve on resources use throwIt()
   * to use the JCRE owned instance of this class.
   * @param sw the ISO 7816-4 defined status word
   */
  public ISOException(short sw){
    super(sw);
    if (systemInstance==null) // created by Dispatcher
        systemInstance = this;
    theSw = JCSystem.makeTransientShortArray( (short)1, (byte)JCSystem.CLEAR_ON_RESET );
    theSw[0] = sw; 
  }

  /**
   * Throws the JCRE owned instance of the ISOException class with the specified status word.
   * 
JCRE owned instances of exception classes are temporary JCRE Entry Point Objects
   * and can be accessed from any applet context. References to these temporary objects
   * cannot be stored in class variables or instance variables or array components.
   * See Java Card Runtime Environment (JCRE) Specification, section 6.2.1 for details.
   * @param sw ISO 7816-4 defined status word
   * @exception ISOException always.
   */
    
    /*  public exceptional_behavior
      @   requires true;
      @   modifiable systemInstance.theSw[0];
      @   signals (ISOException e) e.getReason() == sw 
      @     && e == systemInstance && e != null; 
      @
      @*/
    // modified by Xavier, cf. systemInstance
    // suppressed from signals :  && e == systemInstance; 
    public static void throwIt(short sw){
	// begin
	//	ISOException tmp = new ISOException(sw);
	//throw tmp.systemInstance;
	// end
	// the following is the original body
	systemInstance.setReason(sw);
	throw systemInstance;
  }
  
  /** Get reason code
   *  @return the reason for the exception
   */

  /*  public normal_behavior
    @    requires true;
    @  assignable \nothing;
    @     ensures \result == _reason ;
    @*/

  public /*  pure @*/ short getReason() {
    return theSw[0];
  }

  /** Set reason code
   * @param reason the reason for the exception
   */

  /*  public normal_behavior
    @    requires true;
    @  assignable _reason;
    @     ensures getReason() == sw;
    @*/
  public void setReason(short sw) {
    theSw[0] = sw;
  }
}






why-2.39/lib/javacard_api/javacard/framework/PINException.java0000644000106100004300000000574213147234006023333 0ustar  marchevals/*
* $Workfile: PINException.java $	$Revision: 1.1 $, $Date: 2007-09-26 14:32:59 $
*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

// /*
// $Workfile: PINException.java $
// $Revision: 1.1 $
// $Date: 2007-09-26 14:32:59 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/framework/PINException.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Ravi
// */

package javacard.framework;

/**
 * PINException represents a OwnerPIN class access-related exception.
 * 
The OwnerPIN class throws JCRE owned instances of PINException.
 * 
JCRE owned instances of exception classes are temporary JCRE Entry Point Objects
 * and can be accessed from any applet context. References to these temporary objects
 * cannot be stored in class variables or instance variables or array components.
 * See Java Card Runtime Environment (JCRE) Specification, section 6.2.1 for details.
 * @see OwnerPIN
 */

public class PINException extends CardRuntimeException{

  // initialized when created by Dispatcher
  private static PINException systemInstance;

  // PINException reason codes
 /**
  * This reason code is used to indicate that one or more input parameters
  * is out of allowed bounds.
  */
  public static final short ILLEGAL_VALUE = 1;

  /**
   * Constructs a PINException.
   * To conserve on resources use throwIt()
   * to use the JCRE owned instance of this class.
   * @param reason the reason for the exception.
   */
  public PINException(short reason) {
    super(reason);
    if (systemInstance==null) // created by Dispatcher
        systemInstance = this; 
    }

  /**
   * Throws the JCRE owned instance of PINException with the specified reason.
   * 
JCRE owned instances of exception classes are temporary JCRE Entry Point Objects
   * and can be accessed from any applet context. References to these temporary objects
   * cannot be stored in class variables or instance variables or array components.
   * See Java Card Runtime Environment (JCRE) Specification, section 6.2.1 for details.
   * @param reason the reason for the exception.
   * @exception PINException always.
   */
  public static void throwIt (short reason){    
    systemInstance.setReason(reason);
    throw systemInstance;
  }
}
why-2.39/lib/javacard_api/javacard/framework/APDU.java0000644000106100004300000011232713147234006021555 0ustar  marchevals/*
* $Workfile: APDU.java $	$Revision: 1.5 $, $Date: 2009-11-25 16:25:22 $
*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

// /*
// $Workfile: APDU.java $
// $Revision: 1.5 $
// $Date: 2009-11-25 16:25:22 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/framework/APDU.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Ravi
// */

package javacard.framework;

import com.sun.javacard.impl.PrivAccess;
import com.sun.javacard.impl.PackedBoolean;
import com.sun.javacard.impl.NativeMethods;
import com.sun.javacard.impl.Constants;

/**
 * Application Protocol Data Unit (APDU) is
 * the communication format between the card and the off-card applications.
 * The format of the APDU is defined in ISO specification 7816-4.

 *
 * This class only supports messages which conform to the structure of
 * command and response defined in ISO 7816-4. The behavior of messages which
 * use proprietary structure of messages ( for example with header CLA byte in range 0xD0-0xFE ) is
 * undefined. This class does not support extended length fields.

 *
 * The APDU object is owned by the JCRE. The APDU class maintains a byte array
 * buffer which is used to transfer incoming APDU header and data bytes as well as outgoing data.
 * The buffer length must be at least 37 bytes ( 5 bytes of header and 32 bytes of data ).
 * The JCRE must zero out the APDU buffer before each new message received from the CAD.

 *
 * The JCRE designates the APDU object as a temporary JCRE Entry Point Object
 * (See Java Card Runtime Environment (JCRE) Specification, section 6.2.1 for details).
 * A temporary JCRE Entry Point Object can be accessed from any applet context. References
 * to these temporary objects cannot be stored in class variables or instance variables
 * or array components.
 * 
The JCRE similarly marks the APDU buffer as a global array
 * (See Java Card Runtime Environment (JCRE) Specification, section 6.2.2 for details).
 * A global array
 * can be accessed from any applet context. References to global arrays
 * cannot be stored in class variables or instance variables or array components.
 * 

 *
 * The applet receives the APDU instance to process from
 * the JCRE in the Applet.process(APDU) method, and
 * the first five bytes [ CLA, INS, P1, P2, P3 ] are available
 * in the APDU buffer.

 *
 * The APDU class API is designed to be transport protocol independent.
 * In other words, applets can use the same APDU methods regardless of whether
 * the underlying protocol in use is T=0 or T=1 (as defined in ISO 7816-3).

 * The incoming APDU data size may be bigger than the APDU buffer size and may therefore
 * need to be read in portions by the applet. Similarly, the
 * outgoing response APDU data size may be bigger than the APDU buffer size and may
 * need to be written in portions by the applet. The APDU class has methods
 * to facilitate this.

 *
 * For sending large byte arrays as response data,
 * the APDU class provides a special method sendBytesLong() which
 * manages the APDU buffer.

 *
 * 
 * // The purpose of this example is to show most of the methods
 * // in use and not to depict any particular APDU processing
 *
 *public void process(APDU apdu){
 *  // ...
 *  byte[] buffer = apdu.getBuffer();
 *  byte cla = buffer[ISO7816.OFFSET_CLA];
 *  byte ins = buffer[ISO7816.OFFSET_INS];
 *  ...
 *  // assume this command has incoming data
 *  // Lc tells us the incoming apdu command length
 *  short bytesLeft = (short) (buffer[ISO7816.OFFSET_LC] & 0x00FF);
 *  if (bytesLeft < (short)55) ISOException.throwIt( ISO7816.SW_WRONG_LENGTH );
 *
 *  short readCount = apdu.setIncomingAndReceive();
 *  while ( bytesLeft > 0){
 *      // process bytes in buffer[5] to buffer[readCount+4];
 *      bytesLeft -= readCount;
 *      readCount = apdu.receiveBytes ( ISO7816.OFFSET_CDATA );
 *      }
 *  //
 *  //...
 *  //
 *  // Note that for a short response as in the case illustrated here
 *  // the three APDU method calls shown : setOutgoing(),setOutgoingLength() & sendBytes()
 *  // could be replaced by one APDU method call : setOutgoingAndSend().
 *
 *  // construct the reply APDU
 *  short le = apdu.setOutgoing();
 *  if (le < (short)2) ISOException.throwIt( ISO7816.SW_WRONG_LENGTH );
 *  apdu.setOutgoingLength( (short)3 );
 *
 *  // build response data in apdu.buffer[ 0.. outCount-1 ];
 *  buffer[0] = (byte)1; buffer[1] = (byte)2; buffer[3] = (byte)3;
 *  apdu.sendBytes ( (short)0 , (short)3 );
 *  // return good complete status 90 00
 *  }
 * 

 * @see APDUException
 * @see ISOException
 */

public final class APDU{

  // This APDU class implements the T=0 transport protocol.

  private static final short BUFFERSIZE = Constants.APDU_BUFFER_LENGTH;
  private static final byte IFSC = 1;//information field size for ICC i.e Maximum Incoming BlockSize in T=1
  private static final short IFSD = 258;//information field size for IFD i.e Maximum Outgoing BlockSize in T=1

  private static APDU theAPDU;
  /**
   * The APDU will use the buffer byte[]
   * to store data for input and output.
   */
    private /* spec_public @*/ byte[] buffer;

    // Nicolas (for SCID.java)
    //@ invariant buffer_inv: buffer.length >= 37;

    // Added by Xavier
    /*  invariant 
      @   (buffer.length > 36) 
      @   && 
      @   (\forall short i; 0 <= i && i < buffer.length ; 
      @     -128 <= buffer[i] && buffer[i] <= 127);
      @*/


  private static byte[] ramVars;
  private static final byte LE  = (byte) 0;
  private static final byte LR  = (byte)(LE+1);
  private static final byte LC  = (byte)(LR+1);
  private static final byte PRE_READ_LENGTH = (byte)(LC+1);
  private static final byte RAM_VARS_LENGTH = (byte) (PRE_READ_LENGTH+1);

  // status code constants
  private static final short BUFFER_OVERFLOW = (short) 0xC001;
  private static final short READ_ERROR = (short) 0xC003;
  private static final short WRITE_ERROR = (short) 0xC004;
  private static final short INVALID_GET_RESPONSE = (short) 0xC006;

  // procedure byte type constants
  private static final byte ACK_NONE = (byte) 0;
  private static final byte ACK_INS = (byte)1;
  private static final byte ACK_NOT_INS = (byte)2;

  // Le = terminal expected length
  private short getLe() {
    if ( ramVars[LE]==(byte)0 ) return (short) 256;
    else return (short)(ramVars[LE] & 0xFF);
    }
  private void setLe( byte data ) { ramVars[LE] = data; }

  // Lr = our response length
  private short getLr() {
    if (getLrIs256Flag()) return 256;
    else return (short)(ramVars[LR] & 0xFF);
    }
  private void setLr( byte data ) { ramVars[LR] = data; }

  // Lc = terminal incoming length
  private byte getLc() { return ramVars[LC]; }
  private void setLc( byte data ) { ramVars[LC] = data; }

  // PreReadLength = length already received via setIncommingAndReceive(). Used for undo operation.
  private byte getPreReadLength() { return ramVars[PRE_READ_LENGTH]; }
  private void setPreReadLength( byte data ) { ramVars[PRE_READ_LENGTH] = data; }

  private PackedBoolean thePackedBoolean;
  private byte incomingFlag, outgoingFlag, outgoingLenSetFlag,
               lrIs256Flag, sendInProgressFlag, noChainingFlag, noGetResponseFlag;

  // IncomingFlag = setIncoming() has been invoked.
  private boolean getIncomingFlag() { return thePackedBoolean.get( incomingFlag ); }
  private void setIncomingFlag() { thePackedBoolean.set( incomingFlag ); }
  private void resetIncomingFlag() { thePackedBoolean.reset( incomingFlag ); }

  // SendInProgressFlag = No procedure byte needs to be sent.
  private boolean getSendInProgressFlag() { return thePackedBoolean.get( sendInProgressFlag ); }
  private void setSendInProgressFlag() { thePackedBoolean.set( sendInProgressFlag );}
  private void resetSendInProgressFlag() { thePackedBoolean.reset( sendInProgressFlag ); }

  // OutgoingFlag = setOutgoing() has been invoked.
  private boolean getOutgoingFlag() { return thePackedBoolean.get( outgoingFlag ); }
  private void setOutgoingFlag() { thePackedBoolean.set( outgoingFlag ); }
  private void resetOutgoingFlag() { thePackedBoolean.reset( outgoingFlag ); }

  // OutgoingLenSetFlag = setOutgoingLen() has been invoked.
  private boolean getOutgoingLenSetFlag() { return thePackedBoolean.get( outgoingLenSetFlag ); }
  private void setOutgoingLenSetFlag() { thePackedBoolean.set( outgoingLenSetFlag ); }
  private void resetOutgoingLenSetFlag() { thePackedBoolean.reset( outgoingLenSetFlag ); }

  // LrIs256Flag = Lr is not 0. It is actually 256. Saves 1 byte of RAM.
  private boolean getLrIs256Flag() { return thePackedBoolean.get( lrIs256Flag ); }
  private void setLrIs256Flag() { thePackedBoolean.set( lrIs256Flag ); }
  private void resetLrIs256Flag() { thePackedBoolean.reset( lrIs256Flag ); }

  // noChainingFlag = do not use <61,xx> chaining for outbound data transfer.
  // Note that the "get" method is package visible. This ensures that it is
  // entered via an "invokevirtual" instruction and not an "invokestatic"
  // instruction thereby ensuring a context switch
  boolean getNoChainingFlag() { return thePackedBoolean.get( noChainingFlag ); }
  private void setNoChainingFlag() { thePackedBoolean.set( noChainingFlag ); }
  private void resetNoChainingFlag() { thePackedBoolean.reset( noChainingFlag ); }

  // noGetResponseFlag = GET RESPONSE command was not received from CAD.
  private boolean getNoGetResponseFlag() { return thePackedBoolean.get( noGetResponseFlag ); }
  private void setNoGetResponseFlag() { thePackedBoolean.set( noGetResponseFlag ); }
  private void resetNoGetResponseFlag() { thePackedBoolean.reset( noGetResponseFlag ); }

  /**
   * Only JCRE should create an APDU.
   * 

   * @no params
   */
  APDU(){

    /*
    buffer = JCSystem.makeTransientByteArray(BUFFERSIZE, JCSystem.CLEAR_ON_RESET);
    */
    buffer = NativeMethods.t0InitAPDUBuffer();
    ramVars = JCSystem.makeTransientByteArray(RAM_VARS_LENGTH, JCSystem.CLEAR_ON_RESET);

    thePackedBoolean = PrivAccess.getPackedBoolean();
    incomingFlag = thePackedBoolean.allocate();
    sendInProgressFlag = thePackedBoolean.allocate();
    outgoingFlag = thePackedBoolean.allocate();
    outgoingLenSetFlag = thePackedBoolean.allocate();
    lrIs256Flag = thePackedBoolean.allocate();
    noChainingFlag = thePackedBoolean.allocate();
    noGetResponseFlag = thePackedBoolean.allocate();
    theAPDU = this;
  }

    /**
     * Returns the APDU buffer byte array.
     * 
Notes:
    
     * 
  • References to the APDU buffer byte array
     * cannot be stored in class variables or instance variables or array components.
     * See Java Card Runtime Environment (JCRE) Specification, section 6.2.2 for details.
     * 

     * @return byte array containing the APDU buffer
     */
    
    /*@ behavior normal:
      @   ensures \result == buffer; 
      @*/
    
    public byte[] getBuffer() {
	return buffer;
    }

 /**
   * Returns the configured incoming block size. 
   * In T=1 protocol, this corresponds to IFSC (information field size for ICC),
   * the maximum size of incoming data blocks into the card.  In T=0 protocol,
   * this method returns 1.
   * IFSC is defined in ISO 7816-3.

   * This information may be used to ensure that there is enough space remaining in the
   * APDU buffer when receiveBytes() is invoked.
   * 
Notes:
    
   * 
  • On receiveBytes() the bOff param
   * should account for this potential blocksize.
   * 

   * @return incoming block size setting.
   * @see #receiveBytes(short)
   */
  public static short getInBlockSize() {
    return IFSC;
    }

  /**
   * Returns the configured outgoing block size. 
   * In T=1 protocol, this corresponds to IFSD (information field size for interface device),
   * the maximum size of outgoing data blocks to the CAD. 
   * In T=0 protocol, this method returns 258 (accounts for 2 status bytes).
   * IFSD is defined in ISO 7816-3.
   * 
This information may be used prior to invoking the setOutgoingLength() method,
   * to limit the length of outgoing messages when BLOCK CHAINING is not allowed.
   * 
Notes:
    
   * 
  • On setOutgoingLength() the len param
   * should account for this potential blocksize.
   * 

   * @return outgoing block size setting.
   * @see #setOutgoingLength(short)
   */
  public static short getOutBlockSize() {
    return IFSD;
    }

 /**
   * ISO 7816 transport protocol type T=0
   */
  public static final byte PROTOCOL_T0   = 0;

 /**
   * ISO 7816 transport protocol type T=1
   */
  public static final byte PROTOCOL_T1   = 1;

 /**
   * Returns the ISO 7816 transport protocol type, T=1 or T=0 in progress.
   * @return the protocol type in progress.
   * One of PROTOCOL_T0, PROTOCOL_T1 listed above.
   */
  public static byte getProtocol() {
    return (byte) PROTOCOL_T0;
    }

 /**
   * In T=1 protocol, this method returns the Node Address byte, NAD. 
   * In T=0 protocol, this method returns 0.
   * This may be used as additional information to maintain multiple contexts.
   * @return NAD transport byte as defined in ISO 7816-3.
   */
  public byte getNAD() {
    return (byte) 0;
    }

  /**
   * This method is used to set the data transfer direction to
   * outbound and to obtain the expected length of response (Le).
   * 
Notes. 
  • Any remaining incoming data will be discarded.
   * 
  • In T=0 (Case 4) protocol, this method will return 256.
   * 

   * @return Le, the expected length of response.
   * @exception APDUException with the following reason codes:
    
   * 
  • APDUException.ILLEGAL_USE if this method or setOutgoingNoChaining() method already invoked.
   * 
  • APDUException.IO_ERROR on I/O error.

   */
  public short setOutgoing() throws APDUException {
    // if we've previously called this method, then throw an exception
    if ( getOutgoingFlag() )  APDUException.throwIt( APDUException.ILLEGAL_USE );
    setOutgoingFlag();
    return getLe();
    }

 /**
   * This method is used to set the data transfer direction to
   * outbound without using BLOCK CHAINING(See ISO 7816-3/4) and to obtain the expected length of response (Le).
   * This method should be used in place of the setOutgoing() method by applets which need
   * to be compatible with legacy CAD/terminals which do not support ISO 7816-3/4 defined block chaining.
   * See Java Card Runtime Environment (JCRE) Specification, section 8.4 for details.
   * 
Notes. 
    
   * 
  • Any remaining incoming data will be discarded.
   * 
  • In T=0 (Case 4) protocol, this method will return 256.
   * 
  • When this method is used, the waitExtension() method cannot be used.
   * 
  • In T=1 protocol, retransmission on error may be restricted.
   * 
  • In T=0 protocol, the outbound transfer must be performed
   * without using  response status chaining.
   * 
  • In T=1 protocol, the outbound transfer must not set the More(M) Bit in the PCB of the I block. See ISO 7816-3.
   * 

   * @return Le, the expected length of response data.
   * @exception APDUException with the following reason codes:
    
   * 
  • APDUException.ILLEGAL_USE if this method or setOutgoing() method already invoked.
   * 
  • APDUException.IO_ERROR on I/O error.

   */
  public short setOutgoingNoChaining() throws APDUException {
    // if we've previously called this method, then throw an exception
    if ( getOutgoingFlag() )  APDUException.throwIt( APDUException.ILLEGAL_USE );
    setOutgoingFlag();
    setNoChainingFlag();
    return getLe();
    }

/**
   * Sets the actual length of response data. Default is 0.
   * 
Note:
    
   * 
  • In T=0 (Case 2&4) protocol, the length is used by the JCRE to prompt the CAD for GET RESPONSE commands.
   * 

   * @param len the length of response data.
   * @exception APDUException with the following reason codes:
    
   * 
  • APDUException.ILLEGAL_USE if setOutgoing() not called or this method already invoked.
   * 
  • APDUException.BAD_LENGTH if len is greater than 256 or
   * if non BLOCK CHAINED data transfer is requested and len is greater than
   * (IFSD-2), where IFSD is the Outgoing Block Size. The -2 accounts for the status bytes in T=1.
   * 
  • APDUException.IO_ERROR on I/O error.

   * @see #getOutBlockSize()
   */
  public void setOutgoingLength(short len) throws APDUException{
    if ( !getOutgoingFlag() )  APDUException.throwIt(APDUException.ILLEGAL_USE);
    // if we've previously called this method, then throw an exception
    if ( getOutgoingLenSetFlag() )  APDUException.throwIt( APDUException.ILLEGAL_USE );
    if ( len>256 || len<0 )  APDUException.throwIt(APDUException.BAD_LENGTH);
    setOutgoingLenSetFlag();
    setLr((byte)len);
    if ( len==256 ) setLrIs256Flag();
    }

 /**
   * Indicates that this command has incoming data.
   * 
Note.
    
   * 
  • In T=0 ( Case 3&4 ) protocol, the P3 param is assumed to be Lc.

   * @exception APDUException with the following reason codes:
    
   * 
  • APDUException.ILLEGAL_USE if this method already invoked or
   * if setOutgoing() or setOutgoingNoChaining() previously invoked.
   * 
  • APDUException.IO_ERROR on I/O error.

   */
  private void setIncoming() throws APDUException{
    // if JCRE has undone a previous setIncomingAndReceive ignore
    if ( getPreReadLength() != 0 ) return;
    // if we've previously called this or setOutgoing() method, then throw an exception
    if ( getIncomingFlag() || getOutgoingFlag() ) APDUException.throwIt( APDUException.ILLEGAL_USE );
    setIncomingFlag(); // indicate that this method has been called
	byte Lc = (byte) getLe(); // what we stored in Le was really Lc
	setLc( Lc );
	setLe((byte)0);    // in T=1, the real Le is now unknown (assume 256)
	}

  /**
   * Gets as many data bytes as will fit without APDU buffer overflow,
   * at the specified offset bOff.  Gets all the remaining bytes if they fit.
   * 
Notes:
    
   * 
  • The space in the buffer must allow for incoming block size.
   * 
  • In T=1 protocol, if all the remaining bytes do not fit in the buffer, this method may
   * return less bytes than the maximum incoming block size (IFSC).
   * 
  • In T=0 protocol, if all the remaining bytes do not fit in the buffer, this method may
   * return less than a full buffer of bytes to optimize and reduce protocol overhead.
   * 
  • In T=1 protocol, if this method throws an APDUException
   * with T1_IFD_ABORT reason code, the JCRE will restart APDU command processing using the newly
   * received command. No more input data can be received.
   * No output data can be transmitted. No error status response can be returned.
   * 

   * @param bOff the offset into APDU buffer.
   * @return number of bytes read. Returns 0 if no bytes are available.
   * @exception APDUException with the following reason codes:
    
   * 
  • APDUException.ILLEGAL_USE if setIncomingAndReceive() not called or
   * if setOutgoing() or setOutgoingNoChaining() previously invoked.
   * 
  • APDUException.BUFFER_BOUNDS if not enough buffer space for incoming block size.
   * 
  • APDUException.IO_ERROR on I/O error.
   * 
  • APDUException.T1_IFD_ABORT if T=1 protocol is in use and the CAD sends
   * in an ABORT S-Block command to abort the data transfer.
   * 

   * @see #getInBlockSize()
   */
  public short receiveBytes(short bOff) throws APDUException {
    if ( !getIncomingFlag() || getOutgoingFlag() ) APDUException.throwIt( APDUException.ILLEGAL_USE );
    short Lc = (short)(getLc()&0xFF);
    // T=1 check bOff against blocksize and Lc.
    if ( (bOff<0) || ((Lc>=IFSC) && (((short)(bOff+IFSC))>=BUFFERSIZE)) ) APDUException.throwIt ( APDUException.BUFFER_BOUNDS);

    short pre =  (short)( getPreReadLength() & 0x00FF ) ;
    if ( pre != 0 ){
        setPreReadLength( (byte) 0 );
        return pre;
        }

    if ( Lc!=0 ){
        short len = NativeMethods.t0RcvData( bOff );
        if (len<0) APDUException.throwIt( APDUException.IO_ERROR );
        setLc((byte)(Lc - len));   // update RAM copy of Lc, the count remaining
        return len;
        }
    return (short)0;
    }

 /**
   * This is the primary receive method.
   * Calling this method indicates that this APDU has incoming data. This method gets as many bytes
   * as will fit without buffer overflow in the APDU buffer following the header. 
   * It gets all the incoming bytes if they fit.
   * 
Notes:
    
   * 
  • In T=0 ( Case 3&4 ) protocol, the P3 param is assumed to be Lc.
   * 
  • Data is read into the buffer at offset 5.
   * 
  • In T=1 protocol, if all the incoming bytes do not fit in the buffer, this method may
   * return less bytes than the maximum incoming block size (IFSC).
   * 
  • In T=0 protocol, if all the incoming bytes do not fit in the buffer, this method may
   * return less than a full buffer of bytes to optimize and reduce protocol overhead.
   * 
  • This method sets the transfer direction to be inbound
   * and calls receiveBytes(5).
   * 
  • This method may only be called once in a Applet.process() method.
   * 

   * @return number of bytes read. Returns 0 if no bytes are available.
   * @exception APDUException with the following reason codes:
    
   * 
  • APDUException.ILLEGAL_USE if setIncomingAndReceive() already invoked or
   * if setOutgoing() or setOutgoingNoChaining() previously invoked.
   * 
  • APDUException.IO_ERROR on I/O error.
   * 
  • APDUException.T1_IFD_ABORT if T=1 protocol is in use and the CAD sends
   * in an ABORT S-Block command to abort the data transfer.
   * 

   */
  public short setIncomingAndReceive() throws APDUException {
    setIncoming();
    return receiveBytes( (short) 5 );
    }

  /**
   * Send 61  status bytes to CAD and
   * process resulting GET RESPONSE command in the ramVars buffer.
   * **NOTE** : This method overwrites ramVars[0..4]. **
   * @param len the length to prompt CAD with. ( 0
   * 
  • APDUException.NO_T0_GETRESPONSE if GET RESPONSE command not received.
   * 
   */
  private short send61xx( short len ) {

    short expLen = len;
    do {
        NativeMethods.t0SetStatus ( (short)(ISO7816.SW_BYTES_REMAINING_00+(len&0xFF)) );
        short newLen = NativeMethods.t0SndGetResponse();
        if ( newLen == INVALID_GET_RESPONSE ) { // Get Response not received
            setNoGetResponseFlag();
            APDUException.throwIt(APDUException.NO_T0_GETRESPONSE);
            }
        else if ( newLen > 0 ) {
            ramVars[LE] = (byte) newLen;
            expLen = getLe();
            }
        else APDUException.throwIt( APDUException.IO_ERROR );
        }
        while ( expLen>len );

    resetSendInProgressFlag();
    return expLen;
    }

 /**
   * Sends len more bytes from APDU buffer at specified offset bOff.
   * 
    If the last part of the response is being sent by the invocation
   * of this method, the APDU buffer must not be altered. If the data is altered, incorrect output may be sent to
   * the CAD.
   * Requiring that the buffer not be altered allows the implementation to reduce protocol overhead
   * by transmitting the last part of the response along with the status bytes.
   * 
    Notes:
      
   * 
    • If setOutgoingNoChaining() was invoked, output block chaining must not be used.
   * 
    • In T=0 protocol, if setOutgoingNoChaining() was invoked, Le bytes must be transmitted
   * before  response status is returned.
   * 
    • In T=0 protocol, if this method throws an APDUException
   * with NO_T0_GETRESPONSE reason code, the JCRE will restart APDU command processing using the newly
   * received command. No more output data can be transmitted. No error status response can be returned.
   * 
    • In T=1 protocol, if this method throws an APDUException
   * with T1_IFD_ABORT reason code, the JCRE will restart APDU command processing using the newly
   * received command. No more output data can be transmitted. No error status response can be returned.
   * 
    
   * @param bOff the offset into APDU buffer.
   * @param len the length of the data in bytes to send.
   * @exception APDUException with the following reason codes:
      
   * 
    • APDUException.ILLEGAL_USE if setOutgoingLen() not called
   * or setOutgoingAndSend() previously invoked
   * or response byte count exceeded or if APDUException.NO_T0_GETRESPONSE previously thrown.
   * 
    • APDUException.BUFFER_BOUNDS if the sum of bOff and len exceeds the buffer size.
   * 
    • APDUException.IO_ERROR on I/O error.
   * 
    • APDUException.NO_T0_GETRESPONSE if T=0 protocol is in use and
   * the CAD does not respond to  response status
   * with GET RESPONSE command.
   * 
    • APDUException.T1_IFD_ABORT if T=1 protocol is in use and the CAD sends
   * in an ABORT S-Block command to abort the data transfer.
   * 
    
   * @see #setOutgoing()
   * @see #setOutgoingNoChaining()
   */
  public void sendBytes(short bOff, short len) throws APDUException {

    short result;
    if ( (bOff<0) || (len<0) || ((short)((bOff+len))>BUFFERSIZE) ) APDUException.throwIt( APDUException.BUFFER_BOUNDS );
    if ( !getOutgoingLenSetFlag() || getNoGetResponseFlag() )  APDUException.throwIt( APDUException.ILLEGAL_USE );
    if (len==0) return;
    short Lr = getLr();
    if (len>Lr) APDUException.throwIt( APDUException.ILLEGAL_USE );

    short Le = getLe();

    if ( getNoChainingFlag() ) {

        // Need to force GET RESPONSE for
        // Case 4 or
        // Case 2 but sending less than CAD expects
        if ( getIncomingFlag() || (Lroutgoing switch.
            }

        while ( len > Le ) { //sending more than Le
            if ( !getSendInProgressFlag() ) {
                result = NativeMethods.t0SndData( buffer, bOff, Le, ACK_INS );
                setSendInProgressFlag();
                }
            else result = NativeMethods.t0SndData(  buffer, bOff, Le, ACK_NONE );

            if ( result != 0 ) APDUException.throwIt( APDUException.IO_ERROR );

            bOff+=Le;
            len-=Le;
            Lr-=Le;
            Le = send61xx( Lr); // resets sendInProgressFlag.
            }

        if ( !getSendInProgressFlag() ) {
            result = NativeMethods.t0SndData( buffer, bOff, len, ACK_INS );
            setSendInProgressFlag();
            }

        else result = NativeMethods.t0SndData( buffer, bOff, len, ACK_NONE );

        if ( result != 0 ) APDUException.throwIt( APDUException.IO_ERROR );
        Lr-=len;
        Le-=len;
        }
    else { // noChainingFlag = FALSE
        while (len>0) {
            short temp=len;
            // Need to force GET RESPONSE for Case 4  & for partial blocks
            if ( (len!=Lr) || getIncomingFlag() || (Lr!=Le) || getSendInProgressFlag() ){
                temp = send61xx( len ); // resets sendInProgressFlag.
                resetIncomingFlag(); // no more incoming->outgoing switch.
                }
            result = NativeMethods.t0SndData( buffer, bOff, temp, ACK_INS );
            setSendInProgressFlag();

            if ( result != 0 ) APDUException.throwIt( APDUException.IO_ERROR );
            bOff+=temp;
            len-=temp;
            Lr-=temp;
            Le=Lr;
            }
        }

    setLe((byte)Le);   // update RAM copy of Le, the expected count remaining
    setLr((byte)Lr);   // update RAM copy of Lr, the response count remaining
    }

 /**
   * Sends len more bytes from outData byte array starting at specified offset
   * bOff. 
    If the last of the response is being sent by the invocation
   * of this method, the APDU buffer must not be altered. If the data is altered, incorrect output may be sent to
   * the CAD.
   * Requiring that the buffer not be altered allows the implementation to reduce protocol overhead
   * by transmitting the last part of the response along with the status bytes.
   * 
    The JCRE may use the APDU buffer to send data to the CAD.
   * 
    Notes:
      
   * 
    • If setOutgoingNoChaining() was invoked, output block chaining must not be used.
   * 
    • In T=0 protocol, if setOutgoingNoChaining() was invoked, Le bytes must be transmitted
   * before  response status is returned.
   * 
    • In T=0 protocol, if this method throws an APDUException with NO_T0_GETRESPONSE reason code,
   * the JCRE will restart APDU command processing using the newly received command. No more output
   * data can be transmitted. No error status response can be returned.
   * 
    • In T=1 protocol, if this method throws an APDUException
   * with T1_IFD_ABORT reason code, the JCRE will restart APDU command processing using the newly
   * received command. No more output data can be transmitted. No error status response can be returned.
   * 
    
   * 
    
   * @param outData the source data byte array.
   * @param bOff the offset into OutData array.
   * @param len the bytelength of the data to send.
   * @exception SecurityException if the outData byte array is not accessible in the caller's context.
   * @exception APDUException with the following reason codes:
      
   * 
    • APDUException.ILLEGAL_USE if setOutgoingLen() not called
   * or setOutgoingAndSend() previously invoked
   * or response byte count exceeded or if APDUException.NO_T0_GETRESPONSE previously thrown.
   * 
    • APDUException.IO_ERROR on I/O error.
   * 
    • APDUException.NO_T0_GETRESPONSE if T=0 protocol is in use and
   * CAD does not respond to  response status
   * with GET RESPONSE command.
   * 
    • APDUException.T1_IFD_ABORT if T=1 protocol is in use and the CAD sends
   * in an ABORT S-Block command to abort the data transfer.
   * 
    
   * @see #setOutgoing()
   * @see #setOutgoingNoChaining()
   */
  public void sendBytesLong(byte[] outData, short bOff, short len) throws APDUException
  {
    short sendLength = (short)buffer.length;
    while ( len>0 ) {
        if ( lensetOutgoing(), setOutgoingLength( len ) followed by
   * sendBytes ( bOff, len ). In addition, once this method is invoked, sendBytes() and
   * sendBytesLong() methods cannot be invoked and the APDU buffer must not be altered.
    
   * Sends len byte response from the APDU buffer at starting specified offset bOff.
   * 
    Notes:
      
   * 
    • No other APDU send methods can be invoked.
   * 
    • The APDU buffer must not be altered. If the data is altered, incorrect output may be sent to
   * the CAD.
   * 
    • The actual data transmission may only take place on return from Applet.process()
   * 
    
   * 
    
   * @param bOff the offset into APDU buffer.
   * @param len the bytelength of the data to send.
   * @exception APDUException with the following reason codes:
      
   * 
    • APDUException.ILLEGAL_USE if setOutgoing()
   * or setOutgoingAndSend() previously invoked
   * or response byte count exceeded.
   * 
    • APDUException.IO_ERROR on I/O error.
    
   */
   public void setOutgoingAndSend( short bOff, short len) throws APDUException {
    setOutgoing();
    setOutgoingLength(len);
    sendBytes( bOff, len );
    }


  void resetAPDU() {
    // as described earlier, we assume case 1 or 2, so Le=P3 and Lc=0
	setLe( buffer[ISO7816.OFFSET_LC] );
	setLc( (byte)0 );

	// save Lr=0, reset flags
	setLr((byte)0);
	resetIncomingFlag();
	resetOutgoingFlag();
	resetOutgoingLenSetFlag();
    resetSendInProgressFlag();
    resetLrIs256Flag();
    resetNoChainingFlag();
    resetNoGetResponseFlag();
    setPreReadLength( (byte)0 );
    }

  /**
   * Only JCRE should call this method. 
    
   * Sends 0s for any remaining data to be sent based on the
   * promised responseLength (default=0/Le) and status bytes to complete this APDUs
   * response and initiates new APDU exchange.
   * @param status the ISO R-Apdu status bytes sw1 and sw2 response
   * @exception APDUException with the following reason codes:
      
   * 
    • APDUException.IO_ERROR on I/O error.
    
   */
  void complete(short status) throws APDUException{

    short result;

    // Zero out APDU buffer
    Util.arrayFillNonAtomic( buffer, (short)0, BUFFERSIZE, (byte)0 );

    if ( ( !getNoGetResponseFlag() ) && ( getSendInProgressFlag() ) ) {
        short Le = (byte)getLe();
        short sendLen = (short)32;
        while ( Le > 0 ) {
            if (Le<32) sendLen=Le;
            result = NativeMethods.t0SndData( buffer, (byte) 0, sendLen, ACK_NONE );
            if ( result != 0 ) APDUException.throwIt( APDUException.IO_ERROR );
            Le-=sendLen;
            }
        }

    buffer[0] = (byte) ( status >> 8);
    buffer[1] = (byte) status;

    if (status==0) result = NativeMethods.t0RcvCommand();
    else {
        NativeMethods.t0SetStatus ( status );
        result = NativeMethods.t0SndStatusRcvCommand();
    }

    if ( result != 0 ) APDUException.throwIt( APDUException.IO_ERROR );

    resetAPDU();
    }

  /**
   * Only JCRE should call this method. 
    
   * This method puts the externally visible state of the apdu back as if
   * the setIncomingAndReceive has not yet been invoked. It needs to
   * ensure, though that no real I/O is performed when setIncomingAndReceive is
   * invoked next. This method must only be called it setIncomingAndReceive has
   * been invoked by the JCRE. This method must not be invoked however, if receiveBytes
   * has also been invoked.
   */
  void undoIncomingAndReceive() {
    setPreReadLength( (byte)(buffer[ISO7816.OFFSET_LC] - getLc()) );
    }

  /**
   * Requests additional processing time from CAD. The implementation should ensure that this method
   * needs to be invoked only under unusual conditions requiring excessive processing times.
   * 
    Notes:
      
   * 
    • In T=0 protocol, a NULL procedure byte is sent to reset the work waiting time (see ISO 7816-3).
   * 
    • In T=1 protocol, the implementation needs to request the same T=0 protocol work waiting time quantum
   * by sending a T=1 protocol request for wait time extension(see ISO 7816-3).
   * 
    • If the implementation uses an automatic timer mechanism instead, this method may do nothing.
   * 
    
   * 
    
   * @exception APDUException with the following reason codes:
      
   * 
    • APDUException.ILLEGAL_USE if setOutgoingNoChaining() previously invoked.
   * 
    • APDUException.IO_ERROR on I/O error.
    
   */
  public static void waitExtension() throws APDUException{

    if ( theAPDU.getNoChainingFlag() ) APDUException.throwIt( APDUException.ILLEGAL_USE );
    //send a procedure byte of 0x60 to request additional waiting time.
    short result = NativeMethods.t0Wait();
    if ( result != 0 ) APDUException.throwIt( APDUException.IO_ERROR );
    }
}

why-2.39/lib/javacard_api/javacard/framework/PIN.java0000644000106100004300000001235613147234006021453 0ustar  marchevals/*
* $Workfile: PIN.java $	$Revision: 1.4 $, $Date: 2007-10-15 09:19:27 $
*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

// /*
// $Workfile: PIN.java $
// $Revision: 1.4 $
// $Date: 2007-10-15 09:19:27 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/framework/PIN.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Ravi
// */

package javacard.framework;

/**
 * This interface represents a PIN. An implementation must maintain these internal values:
 * 
      
 * 
    • PIN value
 * 
    • try limit, the maximum number of times an incorrect PIN can be
 *   presented before the PIN is blocked. When the PIN is blocked, it
 *   cannot be validated even on valid PIN presentation.
 * 
    • max PIN size, the maximum length of PIN allowed
 * 
    • try counter, the remaining number of times an incorrect PIN
 *   presentation is permitted before the PIN becomes blocked.
 * 
    • validated flag, true if a valid PIN has been presented. This flag is
 *   reset on every card reset.
 * 
    
 * This interface does not make any assumptions about where the data
 * for the PIN value comparison is stored.
    
 *
 * An owner implementation of this interface must provide a way to initialize/update
 * the PIN value.The owner implementation of the interface must protect against attacks based
 * on program flow prediction. Even if a transaction is in progress, internal state
 * such as the try counter, the validated flag and the blocking state must not be
 * conditionally updated during PIN presentation.
    
 *
 * A typical card global PIN usage will combine an instance of OwnerPIN class and a 
 * a Proxy PIN interface which implements both the PIN and the Shareable interfaces.
 * The OwnerPIN instance would be manipulated only by the owner who has update privilege.
 * All others would access the global PIN functionality via the proxy PIN interface.
 *
 * @see OwnerPIN
 * @see Shareable
 */
public interface PIN {

    /**
   * Returns the number of times remaining that an incorrect PIN can
   * be presented before the PIN is blocked.
   *
   * @return the number of times remaining
   */

   byte getTriesRemaining();

  /**
   * Compares pin against the PIN value. If they match and the
   * PIN is not blocked, it sets the validated flag
   * and resets the try counter to its maximum. If it does not match,
   * it decrements the try counter and, if the counter has reached
   * zero, blocks the PIN. Even if a transaction is in progress, internal state
   * such as the try counter, the validated flag and the blocking state
   * must not be conditionally updated.
   * 
    
   * Notes:
      
   * 
    • If NullPointerException or ArrayIndexOutOfBoundsException is
   * thrown, the validated flag must be set to false, the try counter must be decremented
   * and, the PIN blocked if the counter reaches zero.
   * 
    • If offset or length parameter
   * is negative an ArrayIndexOutOfBoundsException exception is thrown.
   * 
    • If offset+length is greater than pin.length, the length
   * of the pin array, an ArrayIndexOutOfBoundsException exception is thrown.
   * 
    • If pin parameter is null
   * a NullPointerException exception is thrown.
    
   * @param pin the byte array containing the PIN value being checked
   * @param offset the starting offset in the pin array
   * @param length the length of pin.
   * @return true if the PIN value matches; false otherwise
   * @exception java.lang.ArrayIndexOutOfBoundsException
   * - if the check operation would cause access of data outside array bounds.
   * @exception java.lang.NullPointerException - if pin is null 
   */

  public boolean check(byte[] pin, short offset, byte length)
      throws ArrayIndexOutOfBoundsException, NullPointerException;

  /**
   * Returns true if a valid PIN value has been presented since the last
   * card reset or last call to reset().
   *
   * @return true if validated; false otherwise
   */

   boolean isValidated();

  /**
   * If the validated flag is set, this method resets it.
   * If the validated flag is not set, this method does nothing.
   */

   void reset();
}
why-2.39/lib/javacard_api/javacard/framework/Applet.java0000644000106100004300000003432413147234006022251 0ustar  marchevals/*
* $Workfile: Applet.java $	$Revision: 1.2 $, $Date: 2008-01-31 18:27:25 $
*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

// /*
// $Workfile: Applet.java $
// $Revision: 1.2 $
// $Date: 2008-01-31 18:27:25 $
// $Author: nrousset $
// $Archive: /Products/Europa/api21/javacard/framework/Applet.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Ravi
// */

package javacard.framework;

import javacard.framework.JCSystem;
import com.sun.javacard.impl.PrivAccess;
/**
 * This abstract class defines an applet in Java Card.
 * 
    
 * The Applet class should be extended by any applet that is intended to be
 * loaded onto, installed into and executed on a Java Card compliant
 * smart card.
    
 *
 * 
    
 * Example usage of Applet
 * 
    
 * public class MyApplet extends javacard.framework.Applet{
 * static byte someByteArray[];
 *
 * public static void install( byte[] bArray, short bOffset, byte bLength  ) throws ISOException {
 *   // make all my allocations here, so I do not run
 *   // out of memory later
 *   MyApplet theApplet = new MyApplet();
 *
 *   // check incoming parameter
 *   byte bLen = bArray[bOffset];
 *   if ( bLen!=0 ) { someByteArray = new byte[bLen]; theApplet.register(); return; }
 *   else ISOException.throwIt(ISO7816.SW_FUNC_NOT_SUPPORTED);
 *   }
 *
 * public boolean select(){
 *   // selection initialization
 *   someByteArray[17] = 42; // set selection state
 *   return true;
 *   }
 *
 * public void process(APDU apdu) throws ISOException{
 *  byte[] buffer = apdu.getBuffer();
 *  // .. process the incoming data and reply
 *  if ( buffer[ISO7816.OFFSET_CLA] == (byte)0 ) {
 *     switch ( buffer[ISO7816.OFFSET_INS] ) {
 *         case ISO.INS_SELECT:
 *             ...
 *             // send response data to select command
 *             short Le =  apdu.setOutgoing();
 *             // assume data containing response bytes in replyData[] array.
 *             if ( Le < ..) ISOException.throwIt( ISO7816.SW_WRONG_LENGTH);
 *             apdu.setOutgoingLength( (short)replyData.length );
 *             apdu.sendBytesLong(replyData, (short) 0, (short)replyData.length);
 *             break;
 *         case ...
 *         }
 *      }
 *   }
 *
 * }
 * 
    
 *
 * @see SystemException
 * @see JCSystem
 */

abstract public class Applet
{
    private PrivAccess thePrivAccess;  
    
    /**
     * Only this class's install() method should create the applet object.
     */
    protected Applet(){
        thePrivAccess = PrivAccess.getPrivAccess();
    }

    /**
     * To create an instance of the Applet subclass, the JCRE
     * will call this static method first.
     * 
    The applet should
     * perform any necessary initializations and must call one of the register() methods.
     * Only one Applet instance can be successfully registered from within this install.
     * The installation is considered successful when the call to register()
     * completes without an exception. The installation is deemed unsuccessful if the
     * install method does not call a
     * register() method, or if an exception is thrown from within
     * the install method prior to the call to a register()
     * method, or if every call to the register() method results in an exception.
     * If the installation is unsuccessful, the JCRE must perform all the necessary clean up
     * when it receives control.
     * Successful installation makes the applet instance capable of being selected via a
     * SELECT APDU command.
    
     * Installation parameters are supplied in the byte array parameter and
     * must be in a format defined by the applet. 
     * The bArray object is a global array. If the applet
     * desires to preserve any of this data, it should copy
     * the data into its own object.
     * 
    bArray is zeroed by the JCRE after the return from the
     * install() method.
    
     * References to the bArray object 
     * cannot be stored in class variables or instance variables or array components.
     * See Java Card Runtime Environment (JCRE) Specification, section 6.2.2 for details.
    
     * The implementation of this method provided by
     * Applet class throws an ISOException with 
     * reason code = ISO7816.SW_FUNC_NOT_SUPPORTED.
     * 
    Note:
      
     * 
    • Exceptions thrown by this method after successful installation are caught 
     * by the JCRE and processed by the Installer.
     * 
    
     * @param bArray the array containing installation parameters.
     * @param bOffset the starting offset in bArray.
     * @param bLength the length in bytes of the parameter data in bArray.
     * The maximum value of bLength is 32.
     */
    public static void install( byte[] bArray, short bOffset, byte bLength ) throws ISOException
    { ISOException.throwIt(ISO7816.SW_FUNC_NOT_SUPPORTED); }

    /**
     * Called by the JCRE to process an incoming APDU command.
     * An applet is expected to perform the action
     * requested and return response data if any to the terminal.
    
     * Upon normal return from this
     * method the JCRE sends the ISO 7816-4 defined success status (90 00) in APDU response.
     * If this method throws an ISOException the JCRE sends the associated reason code as the
     * response status instead.
    
     * The JCRE zeroes out the APDU buffer before receiving a new APDU command from the CAD.
     * The five header bytes of the APDU command are available in APDU buffer[0..4] at the time
     * this method is called.
    
     * The APDU object parameter is a temporary JCRE Entry Point Object.
     * A temporary JCRE Entry Point Object can be accessed from any applet context. References
     * to these temporary objects cannot be stored in class variables or instance variables
     * or array components.
    
     * Notes:
      
     * 
    • APDU buffer[5..] is undefined and should not be read or written prior to invoking the
     * APDU.setIncomingAndReceive() method if incoming data is expected. Altering
     * the APDU buffer[5..] could corrupt incoming data.
     * 
    
     * @see APDU
     * @param apdu the incoming APDU object
     * @exception ISOException with the response bytes per ISO 7816-4
     */
    public abstract void process(APDU apdu) throws ISOException;
    
    /**
     * Called by the JCRE to inform this applet that it has been selected.
     * 
    It is called when a SELECT APDU command is received and
     * before the applet is selected. SELECT APDU commands use instance AID bytes for applet
     * selection.
     * See Java Card Runtime Environment (JCRE) Specification, section 4.2 for details.
    
     * A subclass of Applet should override this method
     * if it should perform any initialization that may be required to
     * process APDU commands that may follow.
     * This method returns a boolean to indicate that it is ready to accept incoming APDU
     * commands via its process() method. If this method returns false, it indicates to
     * the JCRE that this Applet declines to be selected.
     * 
    
     * The implementation of this method provided by
     * Applet class returns true.
    
     * @return true to indicate success, false otherwise.
     */
    public boolean select()
    {
        return true;
    }

    /**
     * Called by the JCRE to inform this currently selected applet that another (or the same) applet
     * will be selected. It is called when a SELECT APDU command is received by the JCRE. This method is invoked
     * prior to another applets or this very applets select() method
     * being invoked.
     * 
    
     * A subclass of Applet should override this method if
     * it has any cleanup or bookkeeping work to be performed before another
     * applet is selected.
     * 
    
     * The default implementation of this method provided by Applet class does nothing.
    
     * Notes:
      
     * 
    • Unchecked exceptions thrown by this method are caught by the JCRE but the
     * applet is deselected.
     * 
    • Transient objects of JCSystem.CLEAR_ON_DESELECT clear event type 
     * are cleared to their default value by the JCRE after this method.
     * 
    • This method is NOT called on reset or power loss.
     * 
    
     */
    public void deselect(){}

    /**
     * Called by the JCRE to obtain a shareable interface object from this server applet, on
     * behalf of a request from a client applet. This method executes in the applet context of
     * this applet instance.
     * The client applet initiated this request by calling the
     * JCSystem.getAppletShareableInterfaceObject() method.
     * See Java Card Runtime Environment (JCRE) Specification, section 6.2.4 for details.
     * 
    Note:
      
     * 
    • The clientAID parameter is a JCRE owned AID
     * instance. JCRE owned instances of AID are permanent JCRE
     * Entry Point Objects and can be accessed from any applet context.
     * References to these permanent objects can be stored and re-used.
     * 
    
     * @param clientAID the AID object of the client applet.  
     * @param parameter optional parameter byte. The parameter byte may be used by the client to specify
     * which shareable interface object is being requested.
     * @return the shareable interface object or null.
     * @see javacard.framework.JCSystem#getAppletShareableInterfaceObject(AID, byte)
     */
    public Shareable getShareableInterfaceObject(AID clientAID, byte param /*CM parameter */) {
        return null;
    }

    /*
     * This method is used by the applet to register this applet instance with
     * the JCRE and to
     * assign the Java Card name of the applet as its instance AID bytes. 
     * One of the register() methods must be called from within install()
     * to be registered with the JCRE.
     * See Java Card Runtime Environment (JCRE) Specification, section 3.1 for details.
     * 
    Note:
      
     * 
    • The phrase "Java card name of the applet" is a reference to the AID[AID_length]
     * item in the applets[] item of the applet_component, as documented in Section 6.5
     * Applet Component in the Java Card Virtual Machine Specification.
     * 
    
     * @exception SystemException with the following reason codes:
      
     * 
    • SystemException.ILLEGAL_AID if the Applet subclass AID bytes are in use or
     * if the applet instance has previously successfully registered with the JCRE via one of the
     * register() methods or if a JCRE initiated install() method execution is not in progress.
     * 
    
     */
    protected final void register() throws SystemException
    {
	thePrivAccess.register(this);
    }

    /**
     * This method is used by the applet to register this applet instance with the JCRE and
     * assign the specified AID bytes as its instance AID bytes.
     * One of the register() methods must be called from within install()
     * to be registered with the JCRE.
     * See Java Card Runtime Environment (JCRE) Specification, section 3.1 for details.
     * @param bArray the byte array containing the AID bytes.
     * @param bOffset the start of AID bytes in bArray.
     * @param bLength the length of the AID bytes in bArray.
     * @exception SystemException with the following reason code:
      
     * 
    • SystemException.ILLEGAL_VALUE if the bLength parameter is
     * less than 5 or greater than 16.
     * 
    • SystemException.ILLEGAL_AID if the specified instance AID bytes are in use or
     * if the RID portion of the AID bytes in the bArray parameter
     * does not match the RID portion of the Java Card name of the applet or
     * if the applet instance has previously successfully registered with the JCRE via one of the
     * register() methods or if a JCRE initiated install() method execution is not in progress.
     * 
    
     * 
    Note:
      
     * 
    • The phrase "Java card name of the applet" is a reference to the AID[AID_length]
     * item in the applets[] item of the applet_component, as documented in Section 6.5
     * Applet Component in the Java Card Virtual Machine Specification.
     * 
    
     */
    protected final void register(byte[] bArray, short bOffset, byte bLength ) throws SystemException
    {
        if (bLength<5 || bLength>16) SystemException.throwIt( SystemException.ILLEGAL_VALUE );
        thePrivAccess.register(this, bArray, bOffset, bLength );
    }

   /**
     * This method is used by the applet process() method to distinguish
     * the SELECT APDU command which selected this applet, from all other
     * other SELECT APDU commands which may relate to file or internal applet state selection.
     * @return true if this applet is being selected.
     */
    protected final boolean selectingApplet()
    {
        return thePrivAccess.selectingApplet();
    }


}
why-2.39/lib/javacard_api/javacard/framework/TransactionException.java0000644000106100004300000001010713147234006025161 0ustar  marchevals/*
* $Workfile: TransactionException.java $	$Revision: 1.2 $, $Date: 2007-10-22 08:58:43 $
*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

// /*
// $Workfile: TransactionException.java $
// $Revision: 1.2 $
// $Date: 2007-10-22 08:58:43 $
// $Author: nrousset $
// $Archive: /Products/Europa/api21/javacard/framework/TransactionException.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Ravi
// */

package javacard.framework;

/**
 * TransactionException represents an exception in the transaction subsystem.
 * The methods referred to in this class are in the JCSystem class.
 * 
    The JCSystem class and the transaction facility throw JCRE owned instances
 * of TransactionException.
 * 
    JCRE owned instances of exception classes are temporary JCRE Entry Point Objects
 * and can be accessed from any applet context. References to these temporary objects
 * cannot be stored in class variables or instance variables or array components.
 * See Java Card Runtime Environment (JCRE) Specification, section 6.2.1 for details.
 * @see JCSystem
 */

public class TransactionException extends CardRuntimeException {

  // constants
 /**
  * This reason code is used by the beginTransaction method to indicate
  * a transaction is already in progress.
  */
  public final static short IN_PROGRESS       = 1;    // beginTransaction called when already in progress
  
 /**
  * This reason code is used by the abortTransaction and commitTransaction methods
  * when a transaction is not in progress.
  */
  public final static short NOT_IN_PROGRESS   = 2;    // commit/abortTransaction called when not in progress
  
 /**
  * This reason code is used during a transaction to indicate that the commit buffer is full.
  */
  public final static short BUFFER_FULL       = 3;    // commit buffer is full
  
 /**
  * This reason code is used during a transaction to indicate 
  * an internal JCRE problem (fatal error).
  */
  public final static short INTERNAL_FAILURE  = 4;    // internal JCRE problem (fatal error)

  // initialized when created by Dispatcher
  private static TransactionException systemInstance;

  /**
   * Constructs a TransactionException with the specified reason.
   * To conserve on resources use throwIt()
   * to use the JCRE owned instance of this class.
   */
  public TransactionException(short reason) {
    super(reason);
    if (systemInstance==null) // created by Dispatcher
        systemInstance = this; 
    }

  /**
   * Throws the JCRE owned instance of TransactionException with the specified reason.
   * 
    JCRE owned instances of exception classes are temporary JCRE Entry Point Objects
   * and can be accessed from any applet context. References to these temporary objects
   * cannot be stored in class variables or instance variables or array components.
   * See Java Card Runtime Environment (JCRE) Specification, section 6.2.1 for details.
   * @exception TransactionException always.
   */

    /*  public exceptional_behavior
      @   requires true;
      @ 
      @   assignable systemInstance.reason;
      @
      @   signals (TransactionException te) te.getReason() == reason; 
      @   signals (TransactionException te) te == systemInstance;
      @*/
    
    public static void throwIt(short reason) {
	systemInstance.setReason(reason);
	throw systemInstance;
    }
}
why-2.39/lib/javacard_api/javacard/framework/AID.java0000644000106100004300000001634313147234006021422 0ustar  marchevals/*
* $Workfile: AID.java $    $Revision: 1.1 $, $Date: 2007-09-26 14:32:59 $
*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

// /*
// $Workfile: AID.java $
// $Revision: 1.1 $
// $Date: 2007-09-26 14:32:59 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/framework/AID.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Ravi
// */

package javacard.framework;

/**
 * This class encapsulates the Application Identifier(AID) associated with
 * an applet. An AID is defined in ISO 7816-5 to be a sequence of bytes between
 * 5 and 16 bytes in length.
    
 *
 * The JCRE creates instances of AID class to identify and manage every applet on 
 * the card. Applets need not create instances of this class.
 * An applet may request and use the JCRE 
 * owned instances to identify itself and other applet instances.
 * 
    JCRE owned instances of AID are permanent JCRE Entry Point Objects
 * and can be accessed from any applet context. References to these permanent objects
 * can be stored and re-used.
 * 
    An applet instance can obtain a reference to JCRE owned instances of its own AID
 * object by using the JCSystem.getAID() method and another applet's AID object
 * via the JCSystem.lookupAID() method.
 * 
    An applet uses AID instances to request to share another applet's
 * object or to control access to its own shared object from another applet.
 * See Java Card Runtime Environment (JCRE) Specification, section 6.2.1 for details.
 * @see JCSystem
 * @see SystemException
 */
public final class AID{

  byte[] theAID;

 /**
   * The JCRE uses this constructor to create a new AID instance
   * encapsulating the specified AID bytes.
   * @param bArray the byte array containing the AID bytes.
   * @param offset the start of AID bytes in bArray.
   * @param length the length of the AID bytes in bArray.
   * @exception SystemException with the following reason code:
      
   * 
    • SystemException.ILLEGAL_VALUE if the length parameter is
   * less than 5 or greater than 16.
   * 
    
   */
  public AID( byte[] bArray, short offset, byte length ) throws SystemException{
    if (length < 5 || length>16) SystemException.throwIt(SystemException.ILLEGAL_VALUE);
    theAID = new byte[length];
    Util.arrayCopy( bArray, offset, theAID, (short)0, length );
    }

  /**
   * Called to get the AID bytes encapsulated within AID object.
   * @param dest byte array to copy the AID bytes.
   * @param offset within dest where the AID bytes begin.
   * @return the length of the AID bytes.
   */
  public byte getBytes (byte[] dest, short offset) {
    Util.arrayCopy( theAID, (short)0, dest, offset, (short)theAID.length );
    return (byte) theAID.length;}

 /*
  * Compares the AID bytes in this AID instance to the AID bytes in the 
  * specified object.
  * The result is true if and only if the argument is not null
  * and is an AID object that encapsulates the same AID bytes as this
  * object.
  * 
    This method does not throw NullPointerException.
  * @param anObject the object to compare this AID against. 
  * @return true if the AID byte values are equal, false otherwise.
  */
    /*CM  public boolean equals( Object anObject )
  {
    if ( ! (anObject instanceof AID) || ((AID)anObject).theAID.length != theAID.length) return false; 
    return (Util.arrayCompare(((AID)anObject).theAID, (short)0, theAID, (short)0, (short)theAID.length) == 0);
  }
    CM*/
 /**
  * Checks if the specified AID bytes in bArray are the same as those encapsulated
  * in this AID object.
  * The result is true if and only if the bArray argument is not null
  * and the AID bytes encapsulated in this AID object are equal to 
  * the specified AID bytes in bArray.
  * 
    This method does not throw NullPointerException.
  * @param bArray containing the AID bytes
  * @param offset within bArray to begin
  * @param length of AID bytes in bArray
  * @return true if equal, false otherwise.
  */
  public boolean equals( byte[] bArray, short offset, byte length )
  {
    if (bArray==null) return false;
    // verify the array index
    byte testByte = bArray[(short)(offset + length - (short)1)];
    return ((length == theAID.length) &&
        (Util.arrayCompare(bArray, offset, theAID, (short)0, length) == 0));
  }

  /**
  * Checks if the specified partial AID byte sequence matches the first length bytes
  * of the encapsulated AID bytes within this AID object.
  * The result is true if and only if the bArray argument is not null 
  * and the input length is less than or equal to the length of the encapsulated AID
  * bytes within this AID object and the specified bytes match.
  * 
    This method does not throw NullPointerException.
  * @param bArray containing the partial AID byte sequence
  * @param offset within bArray to begin
  * @param length of partial AID bytes in bArray
  * @return true if equal, false otherwise.
  */
  public boolean partialEquals( byte[] bArray, short offset, byte length )
  {
    if (bArray==null || length > theAID.length) return false;
    return (Util.arrayCompare(bArray, offset, theAID, (short)0, length) == 0);
  }
   
  /**
  * Checks if the RID (National Registered Application provider identifier) portion of the encapsulated
  * AID bytes within the otherAID object matches
  * that of this AID object.
  * The first 5 bytes of an AID byte sequence is the RID. See ISO 7816-5 for details.
  * The result is true if and only if the argument is not null
  * and is an AID object that encapsulates the same RID bytes as this
  * object.
  * 
    This method does not throw NullPointerException.
  * @param otherAID the AID to compare against.
  * @return true if the RID bytes match, false otherwise.
  */
  public boolean RIDEquals ( AID otherAID )
  {
    if (otherAID==null) return false;
    if ( Util.arrayCompare( theAID, (short)0, otherAID.theAID, (short)0, (short)5 ) == 0 )
        return true;
    return false;
  }

}
why-2.39/lib/javacard_api/javacard/security/0000755000106100004300000000000013147234006020025 5ustar  marchevalswhy-2.39/lib/javacard_api/javacard/security/KeyBuilder.java0000644000106100004300000001324413147234006022733 0ustar  marchevals/*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

/*
// $Workfile: KeyBuilder.java $
// $Revision: 1.1 $
// $Date: 2007-09-26 14:32:59 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/security/KeyBuilder.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Andy
// */

package javacard.security;

/**
 * The KeyBuilder class is a key object factory.
 *
 */

public class KeyBuilder{

	// keyType parameter options

	/**
     * Key object which implements interface type DESKey
     * with CLEAR_ON_RESET transient key data.
     * 
    This Key object implicitly performs a clearKey() on
     * power on or card reset.
     */
	public static final byte TYPE_DES_TRANSIENT_RESET      = 1;

	/**
     * Key object which implements interface type DESKey
     * with CLEAR_ON_DESELECT transient key data.
     * 
    This Key object implicitly performs a clearKey() on
     * power on, card reset and applet deselection.
     */
	public static final byte TYPE_DES_TRANSIENT_DESELECT   = 2;

	/**
     * Key object which implements interface type DESKey with persistent key data.
     */
	public static final byte TYPE_DES                      = 3;

	/**
     * Key object which implements interface type RSAPublicKey.
     */
	public static final byte TYPE_RSA_PUBLIC               = 4;

	/**
     * Key object which implements interface type RSAPrivateKey which
     * uses modulus/exponent form.
     */
	public static final byte TYPE_RSA_PRIVATE              = 5;

	/**
     * Key object which implements interface type RSAPrivateCrtKey which
     * uses Chinese Remainder Theorem.
     */
	public static final byte TYPE_RSA_CRT_PRIVATE          = 6;

	/**
     * Key object which implements the interface type DSAPublicKey
     * for the DSA algorithm.
     */
	public static final byte TYPE_DSA_PUBLIC               = 7;

	/**
     * Key object which implements the interface type DSAPrivateKey
     * for the DSA algorithm.
     */
	public static final byte TYPE_DSA_PRIVATE              = 8;

	// keyLength parameter options
   /**
     * DES Key Length LENGTH_DES = 64.
     */
	public static final short LENGTH_DES  = 64;

	/**
     * DES Key Length LENGTH_DES3_2KEY = 128.
     */
	public static final short LENGTH_DES3_2KEY = 128;

	/**
     * DES Key Length LENGTH_DES3_3KEY = 192.
     */
	public static final short LENGTH_DES3_3KEY = 192;

	/**
     * RSA Key Length LENGTH_RSA_512 = 512.
     */
	public static final short LENGTH_RSA_512 = (short)512;

	/**
     * RSA Key Length LENGTH_RSA_768 = 768.
     */
	public static final short LENGTH_RSA_768 = (short)768;

	/**
     * RSA Key Length LENGTH_RSA_1024 = 1024.
     */
	public static final short LENGTH_RSA_1024 = (short)1024;

	/**
     * RSA Key Length LENGTH_RSA_2048 = 2048.
     */
	public static final short LENGTH_RSA_2048 = (short)2048;

	/**
     * DSA Key Length LENGTH_DSA_512 = 512.
     */
	public static final short LENGTH_DSA_512 = (short)512;

	/**
     * DSA Key Length LENGTH_DSA_768 = 768.
     */
	public static final short LENGTH_DSA_768 = (short)768;

	/**
     * DSA Key Length LENGTH_DSA_1024 = 1024.
     */
	public static final short LENGTH_DSA_1024 = (short)1024;

	/**
	 * Creates uninitialized cryptographic keys for signature and cipher algorithms. Instances created
	 * by this method may be the only key objects used to initialize instances of
	 * Signature and Cipher.
	 * Note that the object returned must be cast to their appropriate key type interface.
	 * @param keyType the type of key to be generated. Valid codes listed in TYPE.. constants.
	 * @param keyLength the key size in bits. The valid key bit lengths are key type dependent. See above.
	 * @param keyEncryption if true this boolean requests a key implementation
	 * which implements the javacardx.crypto.KeyEncryption interface.
	 * The key implementation returned may implement the javacardx.crypto.KeyEncryption
	 * interface even when this parameter is false.
	 * @return the key object instance of the requested key type, length and encrypted access.
	 * @exception CryptoException with the following reason codes:
      
     * 
    • CryptoException.NO_SUCH_ALGORITHM if the requested algorithm
     * associated with the specified type, size of key and key encryption interface is not supported.
    
	*/
	public static Key buildKey( byte keyType, short keyLength, boolean keyEncryption ) throws CryptoException {

	    switch ( keyType ){
	        default :
	            CryptoException.throwIt( CryptoException.NO_SUCH_ALGORITHM );
	    }
	    return null;
	}

	/**
	 * No constructor
	 */
	KeyBuilder() {}

}
why-2.39/lib/javacard_api/javacard/security/DESKey.java0000644000106100004300000000610213147234006021753 0ustar  marchevals/*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

/*
// $Workfile: DESKey.java $
// $Revision: 1.3 $
// $Date: 2007-10-22 07:38:21 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/security/DESKey.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Andy
// */

package javacard.security;

/**
 * DESKey contains an 8/16/24 byte key for single/2 key triple DES/3 key triple DES
 * operations.
 * 
    When the key data is set, the key is initialized and ready for use.
 *
    
 * @see KeyBuilder
 * @see Signature
 * @see javacardx.crypto.Cipher
 * @see javacardx.crypto.KeyEncryption
 */
public interface DESKey extends SecretKey{
    
    /**
     * Sets the Key data. The plaintext length of input key data is 8 bytes for DES,
     * 16 bytes for 2 key triple DES and 24 bytes for 3 key triple DES.
     * The data format is big-endian and right-aligned (the least significant bit is the least significant
     * bit of last byte). Input key data is copied into the internal representation.
     * @param keyData byte array containing key initialization data
     * @param kOff offset within keyData to start
     * @exception CryptoException with the following reason code:
      
     * 
    • CryptoException.ILLEGAL_VALUE if the input key data length is inconsistent
     * with the implementation or if input data decryption is required and fails.
     * 
    
     * 
    Note:
      
     * 
    • If the key object implements the javacardx.crypto.KeyEncryption
     * interface and the Cipher object specified via setKeyCipher()
     * is not null, keyData is decrypted using the Cipher object.
     * 
    
     */
    void setKey( byte[] keyData, short kOff ) throws CryptoException;

    /**
     * Returns the Key data in plain text. The length of output key data is 8 bytes for DES,
     * 16 bytes for 2 key triple DES and 24 bytes for 3 key triple DES.
     * The data format is big-endian and right-aligned (the least significant bit is the least significant
     * bit of last byte).
     * @param keyData byte array to return key data
     * @param kOff offset within keyData to start.
     * @return the byte length of the key data returned.
     */
    byte getKey( byte[] keyData, short kOff );

    }
why-2.39/lib/javacard_api/javacard/security/RSAPrivateCrtKey.java0000644000106100004300000002473313147234006024003 0ustar  marchevals/*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

/*
// $Workfile: RSAPrivateCrtKey.java $
// $Revision: 1.1 $
// $Date: 2007-09-26 14:32:59 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/security/RSAPrivateCrtKey.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Andy
// */

package javacard.security;

/**
 * The RSAPrivateCrtKey interface is used to sign data using the RSA algorithm
 * in its Chinese Remainder Theorem form. It may also be used by the javacardx.crypto.Cipher class
 * to encrypt/decrypt messages.
 * 
    
 * Let S = md mod n,
 * where m is the data to be signed, d is the private key exponent,
 * and n is private key modulus composed of
 * two prime numbers p and q.
 * The following names are used in the initializer methods in this interface:
 * 
    
 * P, the prime factor p
    
 * Q, the prime factor q.
    
 * PQ = q-1 mod p
    
 * DP1 = d mod (p - 1)
    
 * DQ1 = d mod (q - 1)
    
 * 
    When all five components (P,Q,PQ,DP1,DQ1) of the key are set, the key is
 * initialized and ready for use.
 *
 * @see RSAPrivateKey
 * @see RSAPublicKey
 * @see KeyBuilder
 * @see Signature
 * @see javacardx.crypto.Cipher
 * @see javacardx.crypto.KeyEncryption
 *
 */

public interface RSAPrivateCrtKey extends PrivateKey {

  /**
   * Sets the value of the P parameter.
   * The plaintext data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte). Input P parameter data is copied into the internal representation.
   * @param buffer the input buffer
   * @param offset the offset into the input buffer at which the parameter value begins
   * @param length the length of the parameter
   * @exception CryptoException with the following reason code:
      
   * 
    • CryptoException.ILLEGAL_VALUE if the input parameter data length is inconsistent
   * with the implementation or if input data decryption is required and fails.
   * 
    
   * 
    Note:
      
   * 
    • If the key object implements the javacardx.crypto.KeyEncryption
   * interface and the Cipher object specified via setKeyCipher()
   * is not null, the P parameter value is decrypted using the Cipher object.
   * 
    
   */

    /*@ public normal_behavior
      @   ensures true;
      @*/

    void setP( byte[] buffer, short offset, short length) throws CryptoException;

  /**
   * Sets the value of the Q parameter.
   * The plaintext data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte). Input Q parameter data is copied into the internal representation.
   * @param buffer the input buffer
   * @param offset the offset into the input buffer at which the parameter value begins
   * @param length the length of the parameter
   * @exception CryptoException with the following reason code:
      
   * 
    • CryptoException.ILLEGAL_VALUE if the input parameter data length is inconsistent
   * with the implementation or if input data decryption is required and fails.
   * 
    
   * 
    Note:
      
   * 
    • If the key object implements the javacardx.crypto.KeyEncryption
   * interface and the Cipher object specified via setKeyCipher()
   * is not null, the Q parameter value is decrypted using the Cipher object.
   * 
    
   */

    /*@ public normal_behavior
      @   ensures true;
      @*/

    void setQ( byte[] buffer, short offset, short length) throws CryptoException;

  /**
   * Sets the value of the DP1 parameter.
   * The plaintext data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte). Input DP1 parameter data is copied into the internal representation.
   * @param buffer the input buffer
   * @param offset the offset into the input buffer at which the parameter value begins
   * @param length the length of the parameter
   * @exception CryptoException with the following reason code:
      
   * 
    • CryptoException.ILLEGAL_VALUE if the input parameter data length is inconsistent
   * with the implementation or if input data decryption is required and fails.
   * 
    
   * 
    Note:
      
   * 
    • If the key object implements the javacardx.crypto.KeyEncryption
   * interface and the Cipher object specified via setKeyCipher()
   * is not null, the DP1 parameter value is decrypted using the Cipher object.
   * 
    
   */

    /*@ public normal_behavior
      @   ensures true;
      @*/

    void setDP1( byte[] buffer, short offset, short length) throws CryptoException;

  /**
   * Sets the value of the DQ1 parameter.
   * The plaintext data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte). Input DQ1 parameter data is copied into the internal representation.
   * @param buffer the input buffer
   * @param offset the offset into the input buffer at which the parameter value begins
   * @param length the length of the parameter
   * @exception CryptoException with the following reason code:
      
   * 
    • CryptoException.ILLEGAL_VALUE if the input parameter data length is inconsistent
   * with the implementation or if input data decryption is required and fails.
   * 
    
   * 
    Note:
      
   * 
    • If the key object implements the javacardx.crypto.KeyEncryption
   * interface and the Cipher object specified via setKeyCipher()
   * is not null, the DQ1 parameter value is decrypted using the Cipher object.
   * 
    
   */

    /*@ public normal_behavior
      @   ensures true;
      @*/

    void setDQ1( byte[] buffer, short offset, short length) throws CryptoException;

  /**
   * Sets the value of the PQ parameter.
   * The plaintext data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte). Input PQ parameter data is copied into the internal representation.
   * @param buffer the input buffer
   * @param offset the offset into the input buffer at which the parameter value begins
   * @param length the length of the parameter
   * @exception CryptoException with the following reason code:
      
   * 
    • CryptoException.ILLEGAL_VALUE if the input parameter data length is inconsistent
   * with the implementation or if input data decryption is required and fails.
   * 
    
   * 
    Note:
      
   * 
    • If the key object implements the javacardx.crypto.KeyEncryption
   * interface and the Cipher object specified via setKeyCipher()
   * is not null, the PQ parameter value is decrypted using the Cipher object.
   * 
    
   */

    /*@ public normal_behavior
      @   ensures true;
      @*/

    void setPQ( byte[] buffer, short offset, short length) throws CryptoException;

  /**
   * Returns the value of the P parameter in plain text.
   * The data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte).
   * @param buffer the output buffer
   * @param offset the offset into the output buffer at which the parameter value begins
   * @return the byte length of the P parameter value returned
   */

    /*@ public normal_behavior
      @   ensures true;
      @*/

    short getP( byte[] buffer, short offset );

  /**
   * Returns the value of the Q parameter in plain text.
   * The data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte).
   * @param buffer the output buffer
   * @param offset the offset into the output buffer at which the parameter value begins
   * @return the byte length of the Q parameter value returned
   */

    /*@ public normal_behavior
      @   ensures true;
      @*/

    short getQ( byte[] buffer, short offset );

  /**
   * Returns the value of the DP1 parameter in plain text.
   * The data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte).
   * @param buffer the output buffer
   * @param offset the offset into the output buffer at which the parameter value begins
   * @return the byte length of the DP1 parameter value returned
   */

    /*@ public normal_behavior
      @   ensures true;
      @*/

    short getDP1( byte[] buffer, short offset );

  /**
   * Returns the value of the DQ1 parameter in plain text.
   * The data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte).
   * @param buffer the output buffer
   * @param offset the offset into the output buffer at which the parameter value begins
   * @return the byte length of the DQ1 parameter value returned
   */

    /*@ public normal_behavior
      @   ensures true;
      @*/

    short getDQ1( byte[] buffer, short offset );

  /**
   * Returns the value of the PQ parameter in plain text.
   * The data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte).
   * @param buffer the output buffer
   * @param offset the offset into the output buffer at which the parameter value begins
   * @return the byte length of the PQ parameter value returned
   */

    /*@ public normal_behavior
      @   ensures true;
      @*/

    short getPQ( byte[] buffer, short offset );

 }

why-2.39/lib/javacard_api/javacard/security/MessageDigest.java0000644000106100004300000001165613147234006023425 0ustar  marchevals/*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

/*
// $Workfile: MessageDigest.java $
// $Revision: 1.1 $
// $Date: 2007-09-26 14:32:59 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/security/MessageDigest.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Andy
// */

package javacard.security;

/**
 * The MessageDigest class is the base class for hashing algorithms. Implementations of MessageDigest
 * algorithms must extend this class and implement all the abstract methods.
 * 
     A tear or card reset event resets a 
 * MessageDigest object to the initial state (state upon construction).
 */

abstract public class MessageDigest{


    // algorithm options

    /**
     * Message Digest algorithm SHA.
    */
    public static final byte ALG_SHA        = 1;

    /**
     * Message Digest algorithm MD5.
     */
     public static final byte ALG_MD5       = 2;

    /**
     * Message Digest algorithm RIPE MD-160.
     */
     public static final byte ALG_RIPEMD160 = 3;

	/**
	 * Creates a MessageDigest object instance of the selected algorithm.
	 * @param algorithm the desired message digest algorithm. Valid codes listed in ALG_.. constants. See above.
	 * @param externalAccess if true indicates that the instance will be shared among
	 * multiple applet instances and that the MessageDigest instance will also be accessed (via a Shareable
	 * interface) when the owner of the MessageDigest instance is not the currently selected applet.
	 * @return the MessageDigest object instance of the requested algorithm.
	 * @exception CryptoException with the following reason codes:
      
     * 
    • CryptoException.NO_SUCH_ALGORITHM if the requested algorithm is not supported.
    
	*/
	public static final MessageDigest getInstance(byte algorithm, boolean externalAccess) throws CryptoException{
	    CryptoException.throwIt( CryptoException.NO_SUCH_ALGORITHM);
	    return null;
	    }

	/**
	 *  Protected Constructor
	 */
	protected MessageDigest(){}

	/**
	 * Gets the Message digest algorithm.
	 * @return the algorithm code defined above.
	*/
	abstract public byte getAlgorithm();

      /**
	   * Returns the byte length of the hash.
	   * @return hash length
	   */
    abstract public byte getLength();

	  /**
	   * Generates a hash of all/last input data.
	   * Completes and returns the hash computation after performing final operations such as padding.
	   * The MessageDigest object is reset to the initial state after this call is made.
	   * 
    The input and output buffer data may overlap.
	   * @param inBuff the input buffer of data to be hashed
	   * @param inOffset the offset into the input buffer at which to begin hash generation
	   * @param inLength the byte length to hash
	   * @param outBuff the output buffer, may be the same as the input buffer
	   * @param outOffset the offset into the output buffer where the resulting hash value begins
	   * @return number of bytes of hash output in outBuff
	   */
    abstract public short doFinal(
        byte[] inBuff,
        short inOffset,
        short inLength,
        byte[] outBuff,
        short outOffset);

      /**
	   * Accumulates a hash of the input data. This method requires temporary storage of 
	   * intermediate results. In addition, if the input data length is not block aligned
	   * (multiple of block size)
	   * then additional internal storage may be allocated at this time to store a partial
	   * input data block.
	   * This may result in additional resource consumption and/or slow performance.
	   * This method should only be used if all the input data required for the hash
	   * is not available in one byte array. The doFinal() method
	   * is recommended whenever possible.
	   * @param inBuff the input buffer of data to be hashed
	   * @param inOffset the offset into the input buffer at which to begin hash generation
	   * @param inLength the byte length to hash
	   * @see #doFinal
	   */
    abstract public void update(
        byte[] inBuff,
        short inOffset,
        short inLength);

      /**
	   * Resets the MessageDigest object to the initial state for further use.
	   */
    abstract public void reset();
}
why-2.39/lib/javacard_api/javacard/security/Signature.java0000644000106100004300000004466613147234006022651 0ustar  marchevals/*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

/*
// $Workfile: Signature.java $
// $Revision: 1.4 $
// $Date: 2008-01-31 18:27:25 $
// $Author: nrousset $
// $Archive: /Products/Europa/api21/javacard/security/Signature.java $
// $Modtime: 5/02/00 8:48p $
// Original author:  Andy
// */

package javacard.security;

/**
 * The Signature class is the base class for Signature algorithms. Implementations of Signature
 * algorithms must extend this class and implement all the abstract methods.
 * 
    The term "pad" is used in the public key signature algorithms below to refer to all the
 * operations specified in the referenced scheme to transform the message digest into
 * the encryption block size.
 * 
     A tear or card reset event resets an initialized 
 * Signature object to the state it was in when previously initialized
 * via a call to init().
    
 * 
    Note:
      
 * 
    • On a tear or card reset event, the DES and triple DES algorithms in outer CBC mode
 * reset the initial vector(IV) to 0. The initial vector(IV) can be re-initialized using the
 * init(Key, byte, byte[], short, short) method.
 * 
    
 */
abstract public class Signature{


    // algorithm options
    /**
     * Signature algorithm ALG_DES_MAC4_NOPAD generates a 4 byte MAC
     * (most significant 4 bytes of encrypted block) using DES or triple DES in CBC mode. 
     * This algorithm uses outer CBC for triple DES. 
     * This algorithm does not pad input data.
     * If the input data is not (8 byte) block aligned it throws CryptoException
     * with the reason code ILLEGAL_USE.
     *
     */
    public static final byte ALG_DES_MAC4_NOPAD           = 1;

    /**
     * Signature algorithm ALG_DES_MAC_8_NOPAD generates a 8 byte MAC
     * using DES or triple DES in CBC mode. This algorithm uses outer CBC for triple DES. 
     * This algorithm does not pad input data.
     * If the input data is not (8 byte) block aligned it throws CryptoException
     * with the reason code ILLEGAL_USE.
     * 
    Note:
     * 
    • This algorithm must not be implemented if export restrictions apply.
    
     */
    public static final byte ALG_DES_MAC8_NOPAD           = 2;

    /**
     * Signature algorithm ALG_DES_MAC4_ISO9797_M1 generates a 4 byte MAC
     * (most significant 4 bytes of encrypted block) using DES or triple DES in CBC mode. 
     * This algorithm uses outer CBC for triple DES. 
     * Input data is padded according to the ISO 9797 method 1 scheme.
     */
    public static final byte ALG_DES_MAC4_ISO9797_M1      = 3;

    /**
     * Signature algorithm ALG_DES_MAC8_ISO9797_M1 generates a 8 byte MAC
     * using DES or triple DES in CBC mode. This algorithm uses outer CBC for triple DES. 
     * Input data is padded according to the ISO 9797 method 1 scheme.
     * 
    Note:
     * 
    • This algorithm must not be implemented if export restrictions apply.
    
     */
    public static final byte ALG_DES_MAC8_ISO9797_M1      = 4;

    /**
     * Signature algorithm ALG_DES_MAC4_ISO9797_M2 generates a 4 byte MAC
     * (most significant 4 bytes of encrypted block) using DES or triple DES in CBC mode. 
     * This algorithm uses outer CBC for triple DES. 
     * Input data is padded according to the ISO 9797 method 2 (ISO 7816-4, EMV'96) scheme.
     */
    public static final byte ALG_DES_MAC4_ISO9797_M2      = 5;

    /**
     * Signature algorithm ALG_DES_MAC8_ISO9797_M2 generates a 8 byte MAC
     * using DES or triple DES in CBC mode. This algorithm uses outer CBC for triple DES. 
     * Input data is padded according to the ISO 9797 method 2 (ISO 7816-4, EMV'96) scheme.
     * 
    Note:
     * 
    • This algorithm must not be implemented if export restrictions apply.
    
     */
    public static final byte ALG_DES_MAC8_ISO9797_M2      = 6;

    /**
     * Signature algorithm ALG_DES_MAC4_PKCS5 generates a 4 byte MAC
     * (most significant 4 bytes of encrypted block) using DES or triple DES in CBC mode. 
     * This algorithm uses outer CBC for triple DES. 
     * Input data is padded according to the PKCS#5 scheme.
     */
    public static final byte ALG_DES_MAC4_PKCS5           = 7;

    /**
     * Signature algorithm ALG_DES_MAC8_PKCS5 generates a 8 byte MAC
     * using DES or triple DES in CBC mode. This algorithm uses outer CBC for triple DES. 
     * Input data is padded according to the PKCS#5 scheme.
     * 
    Note:
     * 
    • This algorithm must not be implemented if export restrictions apply.
    
     */
    public static final byte ALG_DES_MAC8_PKCS5           = 8;

    /**
     * Signature algorithm ALG_RSA_SHA_ISO9796 encrypts the 20 byte SHA digest using RSA. 
     * The digest is padded according to the ISO 9796 (EMV'96) scheme.
     */
    public static final byte ALG_RSA_SHA_ISO9796          = 9;

    /**
     * Signature algorithm ALG_RSA_SHA_PKCS1 encrypts the 20 byte SHA digest using RSA. 
     * The digest is padded according to the PKCS#1 (v1.5) scheme.
     * 
    Note:
      
     * 
    •  The encryption block(EB) during signing is built as follows:
      
     *   EB = 00 || 01 || PS || 00 || T
      
     *       :: where T is the DER encoding of :
      
     *             digestInfo ::= SEQUENCE {
      
     *             digestAlgorithm AlgorithmIdentifier of SHA-1,
      
     *             digest OCTET STRING
      
     *             }
      
     *       :: PS is an octet string of length k-3-||T|| with value FF.
     * The length of PS must be at least 8 octets.
      
     *       :: k is the RSA modulus size. 
      
     * 
    
     */
    public static final byte ALG_RSA_SHA_PKCS1            = 10;

    /**
     * Signature algorithm ALG_RSA_MD5_PKCS1 encrypts the 16 byte MD5 digest using RSA. 
     * The digest is padded according to the PKCS#1 (v1.5) scheme.
     * 
    Note:
      
     * 
    •  The encryption block(EB) during signing is built as follows:
      
     * <  EB = 00 || 01 || PS || 00 || T
      
     *       :: where T is the DER encoding of :
      
     *             digestInfo ::= SEQUENCE {
      
     *             digestAlgorithm AlgorithmIdentifier of MD5,
      
     *             digest OCTET STRING
      
     *             }
      
     *       :: PS is an octet string of length k-3-||T|| with value FF.
     * The length of PS must be at least 8 octets.
      
     *       :: k is the RSA modulus size. 
      
     * 
    
     */
    public static final byte ALG_RSA_MD5_PKCS1           = 11;

    /**
     * Signature algorithm ALG_RSA_RIPEMD160_ISO9796 encrypts the 20 byte RIPE MD-160 digest
     * using RSA. The digest is padded according to the ISO 9796 scheme.
     */
    public static final byte ALG_RSA_RIPEMD160_ISO9796    = 12;

    /**
     * Signature algorithm ALG_RSA_RIPEMD160_PKCS1 encrypts the 20 byte RIPE MD-160 digest
     * using RSA. The digest is padded according to the PKCS#1 (v1.5) scheme.
     * 
    Note:
      
     * 
    •  The encryption block(EB) during signing is built as follows:
      
     * <  EB = 00 || 01 || PS || 00 || T
      
     *       :: where T is the DER encoding of :
      
     *             digestInfo ::= SEQUENCE {
      
     *             digestAlgorithm AlgorithmIdentifier of RIPEMD160,
      
     *             digest OCTET STRING
      
     *             }
      
     *       :: PS is an octet string of length k-3-||T|| with value FF.
     * The length of PS must be at least 8 octets.
      
     *       :: k is the RSA modulus size. 
      
     * 
    
     */
    public static final byte ALG_RSA_RIPEMD160_PKCS1      = 13;

    /**
     * Signature algorithm ALG_DSA_SHA signs/verifies the 20 byte SHA digest using DSA.
     */
    public static final byte ALG_DSA_SHA                  = 14;

    /**
     * Signature algorithm ALG_RSA_SHA_RFC2409 encrypts the 20 byte SHA digest using RSA. 
     * The digest is padded according to the RFC2409 scheme.
     */
    public static final byte ALG_RSA_SHA_RFC2409          = 15;

    /**
     * Signature algorithm ALG_RSA_MD5_RFC2409 encrypts the 16 byte MD5 digest using RSA. 
     * The digest is padded according to the RFC2409 scheme.
     */
    public static final byte ALG_RSA_MD5_RFC2409          = 16;

    // mode options
    /**
     * Used in init() methods to indicate signature sign mode.
     */
    public static final byte MODE_SIGN                    = 1;
    
    /**
     * Used in init() methods to indicate signature verify mode.
     */
    public static final byte MODE_VERIFY                  = 2;
    
    /**
     * Creates a Signature object instance of the selected algorithm.
     * @param algorithm the desired Signature algorithm. See above.
     * @param externalAccess if true indicates that the instance will be shared among
     * multiple applet instances and that the Signature instance will also be accessed (via a Shareable
     * interface) when the owner of the Signature instance is not the currently selected applet.
     * @return the Signature object instance of the requested algorithm.
     * @exception CryptoException with the following reason codes:
      
     * 
    • CryptoException.NO_SUCH_ALGORITHM if the requested algorithm is not supported.
    
     */

    /*@ behavior normal:
      @   ensures \result != null;
      @*/
    public static final Signature getInstance(byte algorithm, boolean externalAccess) 
	throws CryptoException{
	switch ( algorithm ){
	default :
	    CryptoException.throwIt( CryptoException.NO_SUCH_ALGORITHM );
	}
	return null;
    }
    
    /**
     * Initializes the Signature object with the appropriate Key. This method should be used
     * for algorithms which do not need initialization parameters or use default parameter
     * values.
     * 
    Note:
      
     * 
    • DES and triple DES algorithms in CBC mode will use 0 for initial vector(IV) if this
     * method is used.
     * 
    
     * @param theKey the key object to use for signing or verifying
     * @param theMode one of MODE_SIGN or MODE_VERIFY
     * @exception CryptoException with the following reason codes:
      
     * 
    • CryptoException.ILLEGAL_VALUE if theMode option is an undefined value or
     * if the Key is inconsistent with theMode
     * or with the Signature implementation.
     * 
    
     */
    abstract public void init ( Key theKey, byte theMode ) throws CryptoException;
    
    /*
     * Initializes the Signature object with the appropriate Key and algorithm specific
     * parameters.
     * 
    Note:
      
     * 
    • DES and triple DES algorithms in outer CBC mode expect an 8 byte parameter value for
     * the initial vector(IV) in bArray.
     * 
    • RSA and DSA algorithms throw CryptoException.ILLEGAL_VALUE.
     * 
    
     * @param theKey the key object to use for signing
     * @param theMode one of MODE_SIGN or MODE_VERIFY
     * @param bArray byte array containing algorithm specific initialization info.
     * @param bOff offset within bArray where the algorithm specific data begins.
     * @param bLen byte length of algorithm specific parameter data
     * @exception CryptoException with the following reason codes:
      
     * 
    • CryptoException.ILLEGAL_VALUE if theMode option is an undefined value
     * or if a byte array parameter option is not supported by the algorithm or if
     * the bLen is an incorrect byte length for the algorithm specific data or
     * if the Key is inconsistent with theMode
     * or with the Signature implementation.
     * 
    
     */
    abstract public void init ( Key theKey, byte theMode, byte[] bArray, short bOff, short bLen )
	throws CryptoException;
    
    /**
     * Protected Constructor
     *
     */
    protected Signature() {}

    /**
     * Gets the Signature algorithm.
     * @return the algorithm code defined above.
     */
    abstract public byte getAlgorithm();
    
    /**
     * Returns the byte length of the signature data.
     * @return the byte length of the signature data.
     */
    abstract public short getLength();

    /**
     * Accumulates a signature of the input data. This method requires temporary storage of 
     * intermediate results. In addition, if the input data length is not block aligned
     * (multiple of block size)
     * then additional internal storage may be allocated at this time to store a partial
     * input data block.
     * This may result in additional resource consumption and/or slow performance.
     * This method should only be used if all the input data required for signing/verifying
     * is not available in one byte array. The sign() or
     * verify() method is recommended whenever possible.
     * @param inBuff the input buffer of data to be signed
     * @param inOffset the offset into the input buffer at which to begin signature generation
     * @param inLength the byte length to sign
     * @exception CryptoException with the following reason codes:
      
     * 
    • CryptoException.UNINITIALIZED_KEY if key not initialized.
    
     * @see #sign(byte[], short, short, byte[], short)
     * @see #verify(byte[], short, short, byte[], short, short)
     */
    abstract public void update(
        byte[] inBuff,
        short inOffset,
        short inLength) throws CryptoException;

    /**
     * Generates the signature of all/last input data.
     * A call to this method also resets this Signature object to the state it was in
     * when previously initialized via a call to init().
     * That is, the object is reset and available to sign another message.
     * 
    Note:
      
     * 
    • DES and triple DES algorithms in outer CBC mode reset the initial vector(IV)
     * to 0. The initial vector(IV) can be re-initialized using the
     * init(Key, byte, byte[], short, short) method.
     * 
    
     * 
    The input and output buffer data may overlap.
     * @param inBuff the input buffer of data to be signed
     * @param inOffset the offset into the input buffer at which to begin signature generation
     * @param inLength the byte length to sign
     * @param sigBuff the output buffer to store signature data
     * @param sigOffset the offset into sigBuff at which to begin signature data
     * @return number of bytes of signature output in sigBuff
     * @exception CryptoException with the following reason codes:
      
     * 
    • CryptoException.UNINITIALIZED_KEY if key not initialized.
     * 
    • CryptoException.INVALID_INIT if this Signature object is
     * not initialized or initialized for signature verify mode.
     * 
    • CryptoException.ILLEGAL_USE if this Signature algorithm
     * does not pad the message and the message is not block aligned.
     * 
    
     */
    abstract public short sign (
        byte[] inBuff,
        short inOffset,
        short inLength,
        byte[] sigBuff,
        short sigOffset) throws CryptoException;

    /**
     * Verifies the signature of all/last input data against the passed in signature.
     * A call to this method also resets this Signature object to the state it was in
     * when previously initialized via a call to init().
     * That is, the object is reset and available to verify another message.
     * 
    Note:
      
     * 
    • DES and triple DES algorithms in outer CBC mode reset the initial vector(IV)
     * to 0. The initial vector(IV) can be re-initialized using the
     * init(Key, byte, byte[], short, short) method.
     * 
    
     * @param inBuff the input buffer of data to be verified
     * @param inOffset the offset into the input buffer at which to begin signature generation
     * @param inLength the byte length to sign
     * @param sigBuff the input buffer containing signature data
     * @param sigOffset the offset into sigBuff where signature data begins.
     * @param sigLength the byte length of the signature data
     * @return true if signature verifies false otherwise.
     * @exception CryptoException with the following reason codes:
      
     * 
    • CryptoException.UNINITIALIZED_KEY if key not initialized.
     * 
    • CryptoException.INVALID_INIT if this Signature object is
     * not initialized or initialized for signature sign mode.
     * 
    • CryptoException.ILLEGAL_USE if this Signature algorithm
     * does not pad the message and the message is not block aligned.
     * 
    
     */
    abstract public boolean verify (
        byte[] inBuff,
        short inOffset,
        short inLength,
        byte[] sigBuff,
        short sigOffset,
        short sigLength) throws CryptoException;

}









why-2.39/lib/javacard_api/javacard/security/RSAPublicKey.java0000644000106100004300000001116313147234006023127 0ustar  marchevals/*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

/*
// $Workfile: RSAPublicKey.java $
// $Revision: 1.2 $
// $Date: 2009-11-25 10:47:13 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/security/RSAPublicKey.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Andy
// */

package javacard.security;

/**
 * The RSAPublicKey is used to verify signatures on signed data using the RSA algorithm.
 * It may also used by the javacardx.crypto.Cipher class to encrypt/decrypt messages.
 * 
    When both the modulus and exponent of the key are set, the key is
 * initialized and ready for use.
 * @see RSAPrivateKey
 * @see RSAPrivateCrtKey
 * @see KeyBuilder
 * @see Signature
 * @see javacardx.crypto.Cipher
 * @see javacardx.crypto.KeyEncryption
 */

public interface RSAPublicKey extends PublicKey{

   /**
   * Sets the modulus value of the key.
   * The plaintext data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte). Input modulus data is copied into the internal representation.
   * @param buffer the input buffer
   * @param offset the offset into the input buffer at which the modulus value begins
   * @param length the byte length of the modulus
   * @exception CryptoException with the following reason code:
      
   * 
    • CryptoException.ILLEGAL_VALUE if the input modulus data length is inconsistent
   * with the implementation or if input data decryption is required and fails.
   * 
    
   * 
    Note:
      
   * 
    • If the key object implements the javacardx.crypto.KeyEncryption
   * interface and the Cipher object specified via setKeyCipher()
   * is not null, the modulus value is decrypted using the Cipher object.
   * 
    
   */

    void setModulus( byte[] buffer, short offset, short length) throws CryptoException;

  /**
   * Sets the public exponent value of the key.
   * The plaintext data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte). Input exponent data is copied into the internal representation.
   * @param buffer the input buffer
   * @param offset the offset into the input buffer at which the exponent value begins
   * @param length the byte length of the exponent
   * @exception CryptoException with the following reason code:
      
   * 
    • CryptoException.ILLEGAL_VALUE if the input exponent data length is inconsistent
   * with the implementation or if input data decryption is required and fails.
   * 
    
   * 
    Note:
      
   * 
    • If the key object implements the javacardx.crypto.KeyEncryption
   * interface and the Cipher object specified via setKeyCipher()
   * is not null, the exponent value is decrypted using the Cipher object.
   * 
    
   */

    void setExponent( byte[] buffer, short offset, short length) throws CryptoException;

  /**
   * Returns the modulus value of the key in plain text.
   * The data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte).
   * @param buffer the output buffer
   * @param offset the offset into the input buffer at which the modulus value starts
   * @return the byte length of the modulus value returned
   */

    short getModulus( byte[] buffer, short offset );

  /**
   * Returns the private exponent value of the key in plain text.
   * The data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte).
   * @param buffer the output buffer
   * @param offset the offset into the output buffer at which the exponent value begins
   * @return the byte length of the public exponent returned
   */

    short getExponent( byte[] buffer, short offset );

 }
why-2.39/lib/javacard_api/javacard/security/SecretKey.java0000644000106100004300000000224213147234006022566 0ustar  marchevals/*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

/*
// $Workfile: SecretKey.java $
// $Revision: 1.1 $
// $Date: 2007-09-26 14:32:59 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/security/SecretKey.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Andy
// */

package javacard.security;

/**
 * The SecretKey class is the base interface for keys used in symmetric algorithms (e.g. DES).
 *
 */

public interface SecretKey extends Key{}
why-2.39/lib/javacard_api/javacard/security/Key.java0000644000106100004300000000425713147234006021430 0ustar  marchevals/*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

/*
// $Workfile: Key.java $
// $Revision: 1.2 $
// $Date: 2007-10-16 11:03:17 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/security/Key.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Andy
// */

package javacard.security;

/**
 * The Key interface is the base interface for all keys.
 *
    
 * @see KeyBuilder
 */
public interface Key{
  	
  	/**
   	 * Reports the initialized state of the key. Keys must be initialized before
   	 * being used.
   	 * 
    A Key object sets its initialized state to true only when all the associated set
   	 * methods have been invoked at least once since the time the initialized state was set to false.
   	 * 
    A newly created Key object sets its initialized state to false. Invocation of the
   	 * clearKey() method sets the initialized state to false. A key with transient key data
   	 * sets its initialized state to false on the associated clear events.
	 * @return true if the key has been initialized.
   	 */

    boolean isInitialized();

  	/**
   	 * Clears the key and sets its initialized state to false.
   	 */
  	
    void clearKey();
	
	/**
	 * Returns the key interface type.
   	 * @return the key interface type.
   	 *
    
     * @see KeyBuilder 
   	 */


    byte getType();
	
	/**
	 * Returns the key size in number of bits.
   	 * @return the key size in number of bits.
   	 */
	
    short getSize();
	
	
	
}
why-2.39/lib/javacard_api/javacard/security/PublicKey.java0000644000106100004300000000224613147234006022563 0ustar  marchevals/*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

/*
// $Workfile: PublicKey.java $
// $Revision: 1.1 $
// $Date: 2007-09-26 14:32:59 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/security/PublicKey.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Andy
// */

package javacard.security;

/**
 * The PublicKey interface is the base interface for public keys used in asymmetric algorithms.
 *
 */

 public interface PublicKey extends Key {}

    
why-2.39/lib/javacard_api/javacard/security/RSAPrivateKey.java0000644000106100004300000001162613147234006023327 0ustar  marchevals/*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

/*
// $Workfile: RSAPrivateKey.java $
// $Revision: 1.1 $
// $Date: 2007-09-26 14:32:59 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/security/RSAPrivateKey.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Andy
// */

package javacard.security;

/**
 * The RSAPrivateKey class is used to sign data using the RSA algorithm
 * in its modulus/exponent form. It may also be used by the javacardx.crypto.Cipher class
 * to encrypt/decrypt messages.
 * 
    When both the modulus and exponent of the key are set, the key is
 * initialized and ready for use.
 *
 * @see RSAPublicKey
 * @see RSAPrivateCrtKey
 * @see KeyBuilder
 * @see Signature
 * @see javacardx.crypto.Cipher
 * @see javacardx.crypto.KeyEncryption
 *
 */

public interface RSAPrivateKey extends PrivateKey {

  /**
   * Sets the modulus value of the key.
   * The plaintext data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte). Input modulus data is copied into the internal representation.
   * @param buffer the input buffer
   * @param offset the offset into the input buffer at which the modulus value begins
   * @param length the length of the modulus
   * @exception CryptoException with the following reason code:
      
   * 
    • CryptoException.ILLEGAL_VALUE if the input modulus data length is inconsistent
   * with the implementation or if input data decryption is required and fails.
   * 
    
   * 
    Note:
      
   * 
    • If the key object implements the javacardx.crypto.KeyEncryption
   * interface and the Cipher object specified via setKeyCipher()
   * is not null, the modulus value is decrypted using the Cipher object.
   * 
    
   */

    /*@ public normal_behavior
      @   ensures true;
      @*/

    void setModulus( byte[] buffer, short offset, short length) throws CryptoException;

  /**
   * Sets the private exponent value of the key.
   * The plaintext data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte). Input exponent data is copied into the internal representation.
   * @param buffer the input buffer
   * @param offset the offset into the input buffer at which the exponent value begins
   * @param length the length of the exponent
   * @exception CryptoException with the following reason code:
      
   * 
    • CryptoException.ILLEGAL_VALUE if the input exponent data length is inconsistent
   * with the implementation or if input data decryption is required and fails.
   * 
    
   * 
    Note:
      
   * 
    • If the key object implements the javacardx.crypto.KeyEncryption
   * interface and the Cipher object specified via setKeyCipher()
   * is not null, the exponent value is decrypted using the Cipher object.
   * 
    
   */

    /*@ public normal_behavior
      @   ensures true;
      @*/

    void setExponent( byte[] buffer, short offset, short length) throws CryptoException;

  /**
   * Returns the modulus value of the key in plain text.
   * The data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte).
   * @param buffer the output buffer
   * @param offset the offset into the output buffer at which the modulus value starts
   * @return the byte length of the modulus value returned
   */

    /*@ public normal_behavior
      @   ensures true;
      @*/

    short getModulus( byte[] buffer, short offset );

  /**
   * Returns the private exponent value of the key in plain text.
   * The data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte).
   * @param buffer the output buffer
   * @param offset the offset into the output buffer at which the exponent value begins
   * @return the byte length of the private exponent value returned
   */

    /*@ public normal_behavior
      @   ensures true;
      @*/

    short getExponent( byte[] buffer, short offset );

 }
why-2.39/lib/javacard_api/javacard/security/DSAKey.java0000644000106100004300000001542013147234006021752 0ustar  marchevals/*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

/*
// $Workfile: DSAKey.java $
// $Revision: 1.1 $
// $Date: 2007-09-26 14:32:59 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/security/DSAKey.java $
// $Modtime: 5/02/00 8:48p $
// Original author:  Andy
// */

package javacard.security;

/**
 * The DSAKey interface is the base interface for the DSA algorithms private and
 * public key implementations. A DSA private key implementation must also implement
 * the DSAPrivateKey interface methods. A DSA public key implementation must also implement
 * the DSAPublicKey interface methods.
 * 
    When all four components of the key (X or Y,P,Q,G) are set, the key is
 * initialized and ready for use.
 * 
    
 *
 * @see DSAPublicKey
 * @see DSAPrivateKey
 * @see KeyBuilder
 * @see Signature
 * @see javacardx.crypto.KeyEncryption
 *
 */

public interface DSAKey {

  /**
   * Sets the prime parameter value of the key.
   * The plaintext data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte). Input prime parameter data is copied into the internal representation.
   * @param buffer the input buffer
   * @param offset the offset into the input buffer at which the prime parameter value begins
   * @param length the length of the prime parameter value
   * @exception CryptoException with the following reason code:
      
   * 
    • CryptoException.ILLEGAL_VALUE if the input parameter data length is inconsistent
   * with the implementation or if input data decryption is required and fails.
   * 
    
   * 
    Note:
      
   * 
    • If the key object implements the javacardx.crypto.KeyEncryption
   * interface and the Cipher object specified via setKeyCipher()
   * is not null, the prime parameter value is decrypted using the Cipher object.
   * 
    
   */

    /*@ public normal_behavior
      @   ensures true;
      @*/

    void setP( byte[] buffer, short offset, short length) throws CryptoException;

  /**
   * Sets the subprime parameter value of the key.
   * The plaintext data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte). Input subprime parameter data is copied into the internal representation.
   * @param buffer the input buffer
   * @param offset the offset into the input buffer at which the subprime parameter value begins
   * @param length the length of the subprime parameter value
   * @exception CryptoException with the following reason code:
      
   * 
    • CryptoException.ILLEGAL_VALUE if the input parameter data length is inconsistent
   * with the implementation or if input data decryption is required and fails.
   * 
    
   * 
    Note:
      
   * 
    • If the key object implements the javacardx.crypto.KeyEncryption
   * interface and the Cipher object specified via setKeyCipher()
   * is not null, the subprime parameter value is decrypted using the Cipher object.
   * 
    
   */

    /*@ public normal_behavior
      @   ensures true;
      @*/

    void setQ( byte[] buffer, short offset, short length) throws CryptoException;

  /**
   * Sets the base parameter value of the key.
   * The plaintext data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte). Input base parameter data is copied into the internal representation.
   * @param buffer the input buffer
   * @param offset the offset into the input buffer at which the base parameter value begins
   * @param length the length of the base parameter value
   * @exception CryptoException with the following reason code:
      
   * 
    • CryptoException.ILLEGAL_VALUE if the input parameter data length is inconsistent
   * with the implementation or if input data decryption is required and fails.
   * 
    
   * 
    Note:
      
   * 
    • If the key object implements the javacardx.crypto.KeyEncryption
   * interface and the Cipher object specified via setKeyCipher()
   * is not null, the base parameter value is decrypted using the Cipher object.
   * 
    
   */

    /*@ public normal_behavior
      @   ensures true;
      @*/

    void setG( byte[] buffer, short offset, short length) throws CryptoException;

  /**
   * Returns the prime parameter value of the key in plain text.
   * The data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte).
   * @param buffer the output buffer
   * @param offset the offset into the output buffer at which the prime parameter value starts
   * @return the byte length of the prime parameter value returned
   */

    /*@ public normal_behavior
      @   ensures true;
      @*/

    short getP( byte[] buffer, short offset );

  /**
   * Returns the subprime parameter value of the key in plain text.
   * The data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte).
   * @param buffer the output buffer
   * @param offset the offset into the output buffer at which the subprime parameter value begins
   * @return the byte length of the subprime parameter value returned
   */

    /*@ public normal_behavior
      @   ensures true;
      @*/

    short getQ( byte[] buffer, short offset );

  /**
   * Returns the base parameter value of the key in plain text.
   * The data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte).
   * @param buffer the output buffer
   * @param offset the offset into the output buffer at which the base parameter value begins
   * @return the byte length of the base parameter value returned
   */

    /*@ public normal_behavior
      @   ensures true;
      @*/

    short getG( byte[] buffer, short offset );

 }
why-2.39/lib/javacard_api/javacard/security/RandomData.java0000644000106100004300000000627113147234006022710 0ustar  marchevals/*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

/*
// $Workfile: RandomData.java $
// $Revision: 1.1 $
// $Date: 2007-09-26 14:32:59 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/security/RandomData.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Andy
// */

package javacard.security;

//
/**
 * The RandomData abstract class is the base class for random number generation. Implementations of RandomData
 * algorithms must extend this class and implement all the abstract methods.
 */

abstract public class RandomData{

  // Random Number algorithm options

    /**
     * Utility pseudo random number generation algorithms.
    */
    public static final byte ALG_PSEUDO_RANDOM        = 1;

    /**
     * Cryptographically secure random number generation algorithms.
    */
    public static final byte ALG_SECURE_RANDOM        = 2;


  /**
   * Protected constructor for subclassing.
   */
    protected RandomData(){}

  /**
    * Creates a RandomData instance of the selected algorithm.
    * The pseudo random RandomData instance's seed is initialized to a internal default value.
	* @param algorithm the desired random number algorithm. Valid codes listed in ALG_.. constants. See above.
	* @return the RandomData object instance of the requested algorithm.
	* @exception CryptoException with the following reason codes:
      
    * 
    • CryptoException.NO_SUCH_ALGORITHM if the requested algorithm is not supported.
    
	*/
	public static final RandomData getInstance(byte algorithm) throws CryptoException{

	    switch ( algorithm ){
	        case ALG_PSEUDO_RANDOM :
	        case ALG_SECURE_RANDOM :
	            CryptoException.throwIt( CryptoException.NO_SUCH_ALGORITHM);
	            return null;
	    }
	    return null;
	 }


  /**
   * Generates random data.
   * @param buffer the output buffer
   * @param offset the offset into the output buffer
   * @param length the length of random data to generate
   */
   abstract public void generateData(
        byte[] buffer,
        short offset,
        short length);
 //   {
 //   	Randomness.generate(buffer,offset,length);
 //   }

  /**
   * Seeds the random data generator.
   * @param buffer the input buffer
   * @param offset the offset into the input buffer
   * @param length the length of the seed data
   */
    abstract public void setSeed(
        byte[] buffer,
        short offset,
        short length);
//    {
//    	Randomness.setSeed(buffer,offset,length);
//    }
}
why-2.39/lib/javacard_api/javacard/security/PrivateKey.java0000644000106100004300000000224613147234006022757 0ustar  marchevals/*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

/*
// $Workfile: PrivateKey.java $
// $Revision: 1.1 $
// $Date: 2007-09-26 14:32:59 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/security/PrivateKey.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Andy
// */

package javacard.security;

/**
 * The PrivateKey interface is the base interface for private keys used in asymmetric algorithms.
 *
 */

 public interface PrivateKey extends Key {}

why-2.39/lib/javacard_api/javacard/security/DSAPrivateKey.java0000644000106100004300000000635113147234006023310 0ustar  marchevals/*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

/*
// $Workfile: DSAPrivateKey.java $
// $Revision: 1.1 $
// $Date: 2007-09-26 14:32:59 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/security/DSAPrivateKey.java $
// $Modtime: 5/02/00 8:48p $
// Original author:  Andy
// */

package javacard.security;

/**
 * The DSAPrivateKey interface is used to sign data using the DSA algorithm. An
 * implementation of  DSAPrivateKey interface must also implement
 * the DSAKey interface methods.
 * 
    When all four components of the key (X,P,Q,G) are set, the key is
 * initialized and ready for use.
 * 
    
 *
 * @see DSAPublicKey
 * @see KeyBuilder
 * @see Signature
 * @see javacardx.crypto.KeyEncryption
 *
 */

public interface DSAPrivateKey extends PrivateKey, DSAKey {

  /**
   * Sets the value of the key. When the base, prime and subprime parameters are initialized
   * and the key value is set, the key is ready for use.
   * The plaintext data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte). Input key data is copied into the internal representation.
   * @param buffer the input buffer
   * @param offset the offset into the input buffer at which the modulus value begins
   * @param length the length of the modulus
   * @exception CryptoException with the following reason code:
      
   * 
    • CryptoException.ILLEGAL_VALUE if the input key data length is inconsistent
   * with the implementation or if input data decryption is required and fails.
   * 
    
   * 
    Note:
      
   * 
    • If the key object implements the javacardx.crypto.KeyEncryption
   * interface and the Cipher object specified via setKeyCipher()
   * is not null, the key value is decrypted using the Cipher object.
   * 
    
   */

    /*@ public normal_behavior
      @   ensures true;
      @*/

    void setX( byte[] buffer, short offset, short length) throws CryptoException;

  /**
   * Returns the value of the key in plain text.
   * The data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte).
   * @param buffer the output buffer
   * @param offset the offset into the output buffer at which the key value starts
   * @return the byte length of the key value returned
   */

    /*@ public normal_behavior
      @   ensures true;
      @*/

    short getX( byte[] buffer, short offset );

 }
why-2.39/lib/javacard_api/javacard/security/CryptoException.java0000644000106100004300000000735413147234006024040 0ustar  marchevals/*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

/*
// $Workfile: CryptoException.java $
// $Revision: 1.2 $
// $Date: 2007-10-22 07:38:21 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/security/CryptoException.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Andy
// */

package javacard.security;
import javacard.framework.CardRuntimeException;

/**
 * CryptoException represents a cryptography-related exception.
 * 
    The API classes throw JCRE owned instances of SystemException.
 * 
    JCRE owned instances of exception classes are temporary JCRE Entry Point Objects
 * and can be accessed from any applet context. References to these temporary objects
 * cannot be stored in class variables or instance variables or array components.
 * @see javacard.security.KeyBuilder
 * @see javacard.security.MessageDigest
 * @see javacard.security.Signature
 * @see javacard.security.RandomData
 * @see javacardx.crypto.Cipher
 */
public class CryptoException extends CardRuntimeException{

  // initialized when created by Dispatcher
  private static CryptoException systemInstance;

  // CryptoException reason codes
 /**
  * This reason code is used to indicate that one or more input parameters
  * is out of allowed bounds.
  */
  public static final short ILLEGAL_VALUE = 1;

 /**
  * This reason code is used to indicate that the key is uninitialized.
  */
  public static final short UNINITIALIZED_KEY = 2;

 /**
  * This reason code is used to indicate that the requested algorithm or key type
  * is not supported.
  */
  public static final short NO_SUCH_ALGORITHM = 3;

 /**
  * This reason code is used to indicate that the signature or cipher object has not been
  * correctly initialized for the requested operation.
  */
  public static final short INVALID_INIT = 4;

 /**
  * This reason code is used to indicate that the signature or cipher algorithm does
  * not pad the incoming message and the input message is not block aligned.
  */
  public static final short ILLEGAL_USE = 5;


  /**
   * Constructs a CryptoException with the specified reason.
   * To conserve on resources use throwIt()
   * to use the JCRE owned instance of this class.
   * @param reason the reason for the exception.
   */
  public CryptoException(short reason) {
    super(reason);
    if (systemInstance==null) // created by Dispatcher
        systemInstance = this;
  }

  /**
   * Throws the JCRE owned instance of CryptoException with the specified reason.
   * 
    JCRE owned instances of exception classes are temporary JCRE Entry Point Objects
   * and can be accessed from any applet context. References to these temporary objects
   * cannot be stored in class variables or instance variables or array components.
   * See Java Card Runtime Environment (JCRE) Specification, section 6.2.1 for details.
   * @param reason the reason for the exception.
   * @exception CryptoException always.
   */
  public static void throwIt (short reason){
    systemInstance.setReason(reason);
    throw systemInstance;
  }

}
why-2.39/lib/javacard_api/javacard/security/KeyPair.java0000644000106100004300000001452413147234006022242 0ustar  marchevals/*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

/*
// $Workfile: KeyPair.java $
// $Revision: 1.1 $
// $Date: 2007-09-26 14:32:59 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/security/KeyPair.java $
// $Modtime: 5/02/00 8:48p $
// Original author:  Andy
// */

package javacard.security;

/**
 * This class is a container for a key pair (a public key and a
 * private key). It does not enforce any security, and, when initialized,
 * should be treated like a PrivateKey.
 * 
    In addition, this class features a key generation method.
 *
 * @see PublicKey
 * @see PrivateKey
 */

public final class KeyPair {

    /**
     * KeyPair object containing a RSA key pair.
     */
	public static final byte ALG_RSA               = 1;
	
	/**
     * KeyPair object containing a RSA key pair with private key in
     * its Chinese Remainder Theorem form.
     */
	public static final byte ALG_RSA_CRT           = 2;
	
	
	/**
     * KeyPair object containing a DSA key pair.
     */
	public static final byte ALG_DSA               = 3;
	
		
    private PrivateKey privateKey;
    private PublicKey publicKey;

    
    /**
     * (Re)Initializes the key objects encapsulated in this KeyPair instance 
     * with new key values. The initialized public and private key objects
     * encapsulated in this instance will then be suitable for use with the
	 * Signature and Cipher objects. 
	 * An internal secure random number generator is used during new key pair generation.
     * 
    Notes:
      
     * 
    • For the RSA algorithm, if the exponent value in the public key object is pre-initialized,
     * it will be retained; Otherwise a default value of 65537 will be used.
     * 
    • For the DSA algorithm, if the p, q and g parameters of the public key object are pre-initialized,
     * it will be retained; Otherwise default precomputed parameter sets will be used. The required 
     * default precomputed values are listed in Appendix B of Java Cryptography Architecture
     * API Specification & Reference document.
     * 
    • If the time taken to generate the key values is excessive, the implementation may automatically
     * request additional APDU processing time from the CAD.
     * 
    
	 * @exception CryptoException with the following reason codes:
      
     * 
    • CryptoException.ILLEGAL_VALUE if the exponent value parameter in RSA or the
     * p,q,g parameter set in DSA is invalid.
     * 
    
     * @see javacard.framework.APDU
     * @see Signature
     * @see javacardx.crypto.Cipher
     */
    public final void genKeyPair() throws CryptoException {}
    
    /**
     * Constructs a KeyPair instance for the specified algorithm and keylength. 
     * The encapsulated keys are uninitialized.
     * To initialize the KeyPair instance use the genKeyPair() method.
     
     * The encapsulated key objects are of the specified keyLength size and 
	 * implement the appropriate Key interface associated with the specified algorithm
	 * (example - RSAPublicKey interface for the public key and RSAPrivateKey
	 * interface for the private key within an ALG_RSA key pair).
    
	 * 
    Notes:
      
	 * 
    • The key objects encapsulated in the generated KeyPair object
     * need not support the KeyEncryption interface.
     * 
    
 	 * @param algorithm the type of algorithm whose key pair needs to be generated.
	 * Valid codes listed in ALG_.. constants above.
	 * @param keyLength the key size in bits. The valid key bit lengths are key type dependent.
	 * See the KeyBuilder class.
	 * @exception CryptoException with the following reason codes:
      
     * 
    • CryptoException.NO_SUCH_ALGORITHM if the requested algorithm
     * associated with the specified type, size of key is not supported.
    
     * @see KeyBuilder
     * @see Signature
     * @see javacardx.crypto.Cipher
 	 * @see javacardx.crypto.KeyEncryption
     */
    public KeyPair(byte algorithm, short keyLength) throws CryptoException
    {
    	CryptoException.throwIt( CryptoException.NO_SUCH_ALGORITHM );
    }   
        
    /**
     * Constructs a new KeyPair object containing the specified 
     * public key and private key.
     *
     * 
    Note that this constructor only stores references to the public
     * and private key components in the generated KeyPair object. 
     *
     * @param publicKey the public key.
     * @param privateKey the private key.
     * @exception CryptoException with the following reason codes:
      
     * 
    • CryptoException.ILLEGAL_VALUE if the input parameter key
     * objects are inconsistent with each other - i.e mismatched algorithm, size etc.
     * 
    • CryptoException.NO_SUCH_ALGORITHM if the algorithm
     * associated with the specified type, size of key is not supported.
     * 
    
     */
    public KeyPair(PublicKey krak_publicKey, PrivateKey krak_privateKey)
    throws CryptoException
    {
    	CryptoException.throwIt( CryptoException.NO_SUCH_ALGORITHM );
    }

    /**
     * Returns a reference to the public key component of this KeyPair object.
     *
     * @return a reference to the public key.
     */
    public PublicKey getPublic() {
	return publicKey;
    }

     /**
     * Returns a reference to the private key component of this KeyPair object.
     *
     * @return a reference to the private key.
     */
   public PrivateKey getPrivate() {
	return privateKey;
    }
}
why-2.39/lib/javacard_api/javacard/security/DSAPublicKey.java0000644000106100004300000000635413147234006023117 0ustar  marchevals/*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

/*
// $Workfile: DSAPublicKey.java $
// $Revision: 1.1 $
// $Date: 2007-09-26 14:32:59 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/security/DSAPublicKey.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Andy
// */

package javacard.security;

/**
 * The DSAPublicKey interface is used to verify signatures
 * on signed data using the DSA algorithm.
 * An implementation of DSAPublicKey interface must also implement
 * the DSAKey interface methods.
 * 
    When all four components of the key (Y,P,Q,G) are set, the key is
 * initialized and ready for use.
 * @see DSAPrivateKey
 * @see KeyBuilder
 * @see Signature
 * @see javacardx.crypto.KeyEncryption
 */

public interface DSAPublicKey extends PublicKey, DSAKey{

   /**
   * Sets the value of the key. When the base, prime and subprime parameters are initialized
   * and the key value is set, the key is ready for use.
   * The plaintext data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte). Input key data is copied into the internal representation.
   * @param buffer the input buffer
   * @param offset the offset into the input buffer at which the key value begins
   * @param length the length of the key value
   * @exception CryptoException with the following reason code:
      
   * 
    • CryptoException.ILLEGAL_VALUE if the input key data length is inconsistent
   * with the implementation or if input data decryption is required and fails.
   * 
    
   * 
    Note:
      
   * 
    • If the key object implements the javacardx.crypto.KeyEncryption
   * interface and the Cipher object specified via setKeyCipher()
   * is not null, the key value is decrypted using the Cipher object.
   * 
    
   */

    /*@ public normal_behavior
      @   ensures true;
      @*/

    void setY( byte[] buffer, short offset, short length) throws CryptoException;

  /**
   * Returns the value of the key in plain text.
   * The data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte).
   * @param buffer the output buffer
   * @param offset the offset into the input buffer at which the key value starts
   * @return the byte length of the key value returned
   */

    /*@ public normal_behavior
      @   ensures true;
      @*/

    short getY( byte[] buffer, short offset );
 }
why-2.39/lib/java_api/0000755000106100004300000000000013147234006013551 5ustar  marchevalswhy-2.39/lib/java_api/java/0000755000106100004300000000000013147234006014472 5ustar  marchevalswhy-2.39/lib/java_api/java/io/0000755000106100004300000000000013147234006015101 5ustar  marchevalswhy-2.39/lib/java_api/java/io/InputStreamReader.java0000644000106100004300000001314413147234006021345 0ustar  marchevals/*
 * @(#)InputStreamReader.java	1.43 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.io;

/*KML
import java.nio.charset.Charset;
import java.nio.charset.CharsetDecoder;
import sun.nio.cs.StreamDecoder;
KML*/

/**
 * An InputStreamReader is a bridge from byte streams to character streams: It
 * reads bytes and decodes them into characters using a specified {@link
 * java.nio.charset.Charset charset}.  The charset that it uses
 * may be specified by name or may be given explicitly, or the platform's
 * default charset may be accepted.
 *
 * 
     Each invocation of one of an InputStreamReader's read() methods may
 * cause one or more bytes to be read from the underlying byte-input stream.
 * To enable the efficient conversion of bytes to characters, more bytes may
 * be read ahead from the underlying stream than are necessary to satisfy the
 * current read operation.
 *
 * 
     For top efficiency, consider wrapping an InputStreamReader within a
 * BufferedReader.  For example:
 *
 * 
     * BufferedReader in
 *   = new BufferedReader(new InputStreamReader(System.in));
 * 
    
 *
 * @see BufferedReader
 * @see InputStream
 * @see java.nio.charset.Charset
 *
 * @version     1.43, 03/01/23
 * @author      Mark Reinhold
 * @since       JDK1.1
 */

public class InputStreamReader extends Reader {

    //KML private final StreamDecoder sd;

    /**
     * Create an InputStreamReader that uses the default charset.
     *
     * @param  in   An InputStream
     */
    public InputStreamReader(InputStream in) {
	super(in);
        try {
	    sd = StreamDecoder.forInputStreamReader(in, this, (String)null); // ## check lock object
        } catch (UnsupportedEncodingException e) {
	    // The default encoding should always be available
	    throw new Error(e);
	}
    }

    /**
     * Create an InputStreamReader that uses the named charset.
     *
     * @param  in
     *         An InputStream
     *
     * @param  charsetName
     *         The name of a supported
     *         {@link java.nio.charset.Charset charset}
     *
     * @exception  UnsupportedEncodingException
     *             If the named charset is not supported
     */
    public InputStreamReader(InputStream in, String charsetName)
        throws UnsupportedEncodingException
    {
	super(in);
	if (charsetName == null)
	    throw new NullPointerException("charsetName");
	sd = StreamDecoder.forInputStreamReader(in, this, charsetName);
    }

    /**
     * Create an InputStreamReader that uses the given charset. 
    
     *
     * @param  in       An InputStream
     * @param  cs       A charset
     *
     * @since 1.4
     * @spec JSR-51
     */
    /*KML
      public InputStreamReader(InputStream in, Charset cs) {
        super(in);
	if (cs == null)
	    throw new NullPointerException("charset");
	sd = StreamDecoder.forInputStreamReader(in, this, cs);
    }
    KML*/

    /**
     * Create an InputStreamReader that uses the given charset decoder.  
    
     *
     * @param  in       An InputStream
     * @param  dec      A charset decoder
     *
     * @since 1.4
     * @spec JSR-51
     */
    /*KML
      public InputStreamReader(InputStream in, CharsetDecoder dec) {
        super(in);
	if (dec == null)
	    throw new NullPointerException("charset decoder");
	sd = StreamDecoder.forInputStreamReader(in, this, dec);
    }
    KML*/

    /**
     * Return the name of the character encoding being used by this stream.
     *
     * 
     If the encoding has an historical name then that name is returned;
     * otherwise the encoding's canonical name is returned.
     *
     * 
     If this instance was created with the {@link
     * #InputStreamReader(InputStream, String)} constructor then the returned
     * name, being unique for the encoding, may differ from the name passed to
     * the constructor.  This method may return null if the stream
     * has been closed. 
    
     *
     * @return The historical name of this encoding, or possibly
     *         null if the stream has been closed
     *
     * @see java.nio.charset.Charset
     *
     * @revised 1.4
     * @spec JSR-51
     */
    public String getEncoding() {
	return sd.getEncoding();
    }

    /**
     * Read a single character.
     *
     * @return The character read, or -1 if the end of the stream has been
     *         reached
     *
     * @exception  IOException  If an I/O error occurs
     */
    public int read() throws IOException {
        return sd.read();
    }

    /**
     * Read characters into a portion of an array.
     *
     * @param      cbuf     Destination buffer
     * @param      offset   Offset at which to start storing characters
     * @param      length   Maximum number of characters to read
     *
     * @return     The number of characters read, or -1 if the end of the 
     *             stream has been reached
     *
     * @exception  IOException  If an I/O error occurs
     */
    public int read(char cbuf[], int offset, int length) throws IOException {
	return sd.read(cbuf, offset, length);
    }

    /**
     * Tell whether this stream is ready to be read.  An InputStreamReader is
     * ready if its input buffer is not empty, or if bytes are available to be
     * read from the underlying byte stream.
     *
     * @exception  IOException  If an I/O error occurs
     */
    public boolean ready() throws IOException {
	return sd.ready();
    }

    /**
     * Close the stream.
     *
     * @exception  IOException  If an I/O error occurs
     */
    public void close() throws IOException {
	sd.close();
    }

}
why-2.39/lib/java_api/java/io/InputStream.java0000644000106100004300000003504113147234006020222 0ustar  marchevals/*
 * @(#)InputStream.java	1.40 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.io;

/**
 * This abstract class is the superclass of all classes representing
 * an input stream of bytes.
 *
 * 
     Applications that need to define a subclass of InputStream
 * must always provide a method that returns the next byte of input.
 *
 * @author  Arthur van Hoff
 * @version 1.40, 01/23/03
 * @see     java.io.BufferedInputStream
 * @see     java.io.ByteArrayInputStream
 * @see     java.io.DataInputStream
 * @see     java.io.FilterInputStream
 * @see     java.io.InputStream#read()
 * @see     java.io.OutputStream
 * @see     java.io.PushbackInputStream
 * @since   JDK1.0
 */
public abstract class InputStream {

    // SKIP_BUFFER_SIZE is used to determine the size of skipBuffer
    private static final int SKIP_BUFFER_SIZE = 2048;
    // skipBuffer is initialized in skip(long), if needed.
    private static byte[] skipBuffer;

    /**
     * Reads the next byte of data from the input stream. The value byte is
     * returned as an int in the range 0 to
     * 255. If no byte is available because the end of the stream
     * has been reached, the value -1 is returned. This method
     * blocks until input data is available, the end of the stream is detected,
     * or an exception is thrown.
     *
     * 
     A subclass must provide an implementation of this method.
     *
     * @return     the next byte of data, or -1 if the end of the
     *             stream is reached.
     * @exception  IOException  if an I/O error occurs.
     */
    public abstract int read() throws IOException;

    /**
     * Reads some number of bytes from the input stream and stores them into
     * the buffer array b. The number of bytes actually read is
     * returned as an integer.  This method blocks until input data is
     * available, end of file is detected, or an exception is thrown.
     *
     * 
     If b is null, a
     * NullPointerException is thrown.  If the length of
     * b is zero, then no bytes are read and 0 is
     * returned; otherwise, there is an attempt to read at least one byte. If
     * no byte is available because the stream is at end of file, the value
     * -1 is returned; otherwise, at least one byte is read and
     * stored into b.
     *
     * 
     The first byte read is stored into element b[0], the
     * next one into b[1], and so on. The number of bytes read is,
     * at most, equal to the length of b. Let k be the
     * number of bytes actually read; these bytes will be stored in elements
     * b[0] through b[k-1],
     * leaving elements b[k] through
     * b[b.length-1] unaffected.
     *
     * 
     If the first byte cannot be read for any reason other than end of
     * file, then an IOException is thrown. In particular, an
     * IOException is thrown if the input stream has been closed.
     *
     * 
     The read(b) method for class InputStream
     * has the same effect as: 
     read(b, 0, b.length) 
    
     *
     * @param      b   the buffer into which the data is read.
     * @return     the total number of bytes read into the buffer, or
     *             -1 is there is no more data because the end of
     *             the stream has been reached.
     * @exception  IOException  if an I/O error occurs.
     * @exception  NullPointerException  if b is null.
     * @see        java.io.InputStream#read(byte[], int, int)
     */
    public int read(byte b[]) throws IOException {
	return read(b, 0, b.length);
    }

    /**
     * Reads up to len bytes of data from the input stream into
     * an array of bytes.  An attempt is made to read as many as
     * len bytes, but a smaller number may be read, possibly
     * zero. The number of bytes actually read is returned as an integer.
     *
     * 
     This method blocks until input data is available, end of file is
     * detected, or an exception is thrown.
     *
     * 
     If b is null, a
     * NullPointerException is thrown.
     *
     * 
     If off is negative, or len is negative, or
     * off+len is greater than the length of the array
     * b, then an IndexOutOfBoundsException is
     * thrown.
     *
     * 
     If len is zero, then no bytes are read and
     * 0 is returned; otherwise, there is an attempt to read at
     * least one byte. If no byte is available because the stream is at end of
     * file, the value -1 is returned; otherwise, at least one
     * byte is read and stored into b.
     *
     * 
     The first byte read is stored into element b[off], the
     * next one into b[off+1], and so on. The number of bytes read
     * is, at most, equal to len. Let k be the number of
     * bytes actually read; these bytes will be stored in elements
     * b[off] through b[off+k-1],
     * leaving elements b[off+k] through
     * b[off+len-1] unaffected.
     *
     * 
     In every case, elements b[0] through
     * b[off] and elements b[off+len] through
     * b[b.length-1] are unaffected.
     *
     * 
     If the first byte cannot be read for any reason other than end of
     * file, then an IOException is thrown. In particular, an
     * IOException is thrown if the input stream has been closed.
     *
     * 
     The read(b, off, len) method
     * for class InputStream simply calls the method
     * read() repeatedly. If the first such call results in an
     * IOException, that exception is returned from the call to
     * the read(b, off, len) method.  If
     * any subsequent call to read() results in a
     * IOException, the exception is caught and treated as if it
     * were end of file; the bytes read up to that point are stored into
     * b and the number of bytes read before the exception
     * occurred is returned.  Subclasses are encouraged to provide a more
     * efficient implementation of this method.
     *
     * @param      b     the buffer into which the data is read.
     * @param      off   the start offset in array b
     *                   at which the data is written.
     * @param      len   the maximum number of bytes to read.
     * @return     the total number of bytes read into the buffer, or
     *             -1 if there is no more data because the end of
     *             the stream has been reached.
     * @exception  IOException  if an I/O error occurs.
     * @exception  NullPointerException  if b is null.
     * @see        java.io.InputStream#read()
     */
    public int read(byte b[], int off, int len) throws IOException {
	if (b == null) {
	    throw new NullPointerException();
	} else if ((off < 0) || (off > b.length) || (len < 0) ||
		   ((off + len) > b.length) || ((off + len) < 0)) {
	    throw new IndexOutOfBoundsException();
	} else if (len == 0) {
	    return 0;
	}

	int c = read();
	if (c == -1) {
	    return -1;
	}
	b[off] = (byte)c;

	int i = 1;
	try {
	    for (; i < len ; i++) {
		c = read();
		if (c == -1) {
		    break;
		}
		if (b != null) {
		    b[off + i] = (byte)c;
		}
	    }
	} catch (IOException ee) {
	}
	return i;
    }

    /**
     * Skips over and discards n bytes of data from this input
     * stream. The skip method may, for a variety of reasons, end
     * up skipping over some smaller number of bytes, possibly 0.
     * This may result from any of a number of conditions; reaching end of file
     * before n bytes have been skipped is only one possibility.
     * The actual number of bytes skipped is returned.  If n is
     * negative, no bytes are skipped.
     *
     * 
     The skip method of InputStream creates a
     * byte array and then repeatedly reads into it until n bytes
     * have been read or the end of the stream has been reached. Subclasses are
     * encouraged to provide a more efficient implementation of this method.
     *
     * @param      n   the number of bytes to be skipped.
     * @return     the actual number of bytes skipped.
     * @exception  IOException  if an I/O error occurs.
     */
    public long skip(long n) throws IOException {

	long remaining = n;
	int nr;
	if (skipBuffer == null)
	    skipBuffer = new byte[SKIP_BUFFER_SIZE];

	byte[] localSkipBuffer = skipBuffer;
		
	if (n <= 0) {
	    return 0;
	}

	while (remaining > 0) {
	    nr = read(localSkipBuffer, 0,
		      (int) Math.min(SKIP_BUFFER_SIZE, remaining));
	    if (nr < 0) {
		break;
	    }
	    remaining -= nr;
	}
	
	return n - remaining;
    }

    /**
     * Returns the number of bytes that can be read (or skipped over) from
     * this input stream without blocking by the next caller of a method for
     * this input stream.  The next caller might be the same thread or or
     * another thread.
     *
     * 
     The available method for class InputStream
     * always returns 0.
     *
     * 
     This method should be overridden by subclasses.
     *
     * @return     the number of bytes that can be read from this input stream
     *             without blocking.
     * @exception  IOException  if an I/O error occurs.
     */
    public int available() throws IOException {
	return 0;
    }

    /**
     * Closes this input stream and releases any system resources associated
     * with the stream.
     *
     * 
     The close method of InputStream does
     * nothing.
     *
     * @exception  IOException  if an I/O error occurs.
     */
    public void close() throws IOException {}

    /**
     * Marks the current position in this input stream. A subsequent call to
     * the reset method repositions this stream at the last marked
     * position so that subsequent reads re-read the same bytes.
     *
     * 
     The readlimit arguments tells this input stream to
     * allow that many bytes to be read before the mark position gets
     * invalidated.
     *
     * 
     The general contract of mark is that, if the method
     * markSupported returns true, the stream somehow
     * remembers all the bytes read after the call to mark and
     * stands ready to supply those same bytes again if and whenever the method
     * reset is called.  However, the stream is not required to
     * remember any data at all if more than readlimit bytes are
     * read from the stream before reset is called.
     *
     * 
     The mark method of InputStream does
     * nothing.
     *
     * @param   readlimit   the maximum limit of bytes that can be read before
     *                      the mark position becomes invalid.
     * @see     java.io.InputStream#reset()
     */
    public synchronized void mark(int readlimit) {}

    /**
     * Repositions this stream to the position at the time the
     * mark method was last called on this input stream.
     *
     * 
     The general contract of reset is:
     *
     * 
      
     *
     * 
    •  If the method markSupported returns
     * true, then:
     *
     *     
      •  If the method mark has not been called since
     *     the stream was created, or the number of bytes read from the stream
     *     since mark was last called is larger than the argument
     *     to mark at that last call, then an
     *     IOException might be thrown.
     *
     *     
      •  If such an IOException is not thrown, then the
     *     stream is reset to a state such that all the bytes read since the
     *     most recent call to mark (or since the start of the
     *     file, if mark has not been called) will be resupplied
     *     to subsequent callers of the read method, followed by
     *     any bytes that otherwise would have been the next input data as of
     *     the time of the call to reset. 
      
     *
     * 
    •  If the method markSupported returns
     * false, then:
     *
     *     
      •  The call to reset may throw an
     *     IOException.
     *
     *     
      •  If an IOException is not thrown, then the stream
     *     is reset to a fixed state that depends on the particular type of the
     *     input stream and how it was created. The bytes that will be supplied
     *     to subsequent callers of the read method depend on the
     *     particular type of the input stream. 
    
     *
     * 
     The method reset for class InputStream
     * does nothing and always throws an IOException.
     *
     * @exception  IOException  if this stream has not been marked or if the
     *               mark has been invalidated.
     * @see     java.io.InputStream#mark(int)
     * @see     java.io.IOException
     */
    public synchronized void reset() throws IOException {
	throw new IOException("mark/reset not supported");
    }

    /**
     * Tests if this input stream supports the mark and
     * reset methods. Whether or not mark and
     * reset are supported is an invariant property of a
     * particular input stream instance. The markSupported method
     * of InputStream returns false.
     *
     * @return  true if this stream instance supports the mark
     *          and reset methods; false otherwise.
     * @see     java.io.InputStream#mark(int)
     * @see     java.io.InputStream#reset()
     */
    public boolean markSupported() {
	return false;
    }

}
why-2.39/lib/java_api/java/io/ObjectStreamClass.java0000644000106100004300000017632513147234006021332 0ustar  marchevals/*
 * @(#)ObjectStreamClass.java	1.130 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.io;

//*KML import java.lang.reflect.Constructor;
//*KML import java.lang.reflect.Field;
//*KML import java.lang.reflect.InvocationTargetException;
//*KML import java.lang.reflect.Member;
//*KML import java.lang.reflect.Method;
//*KML import java.lang.reflect.Modifier;
//*KML import java.lang.reflect.Proxy;
//*KML import java.security.AccessController;
//*KML import java.security.MessageDigest;
//*KML import java.security.NoSuchAlgorithmException;
//*KML import java.security.PrivilegedAction;
//*KML import java.util.ArrayList;
//*KML import java.util.Arrays;
//*KML import java.util.Collections;
//*KML import java.util.Comparator;
//*KML import java.util.HashSet;
//*KML import java.util.Set;
//*KML import sun.misc.SoftCache;
//*KML import sun.misc.Unsafe;
//*KML import sun.reflect.ReflectionFactory;

/**
 * Serialization's descriptor for classes.  It contains the name and
 * serialVersionUID of the class.  The ObjectStreamClass for a specific class
 * loaded in this Java VM can be found/created using the lookup method.
 * 
 * 
    The algorithm to compute the SerialVersionUID is described in 
 * Object
 * Serialization Specification, Section 4.4, Stream Unique Identifiers.
 *
 * @author	Mike Warres
 * @author	Roger Riggs
 * @version 1.98 02/02/00
 * @see ObjectStreamField
 * @see Object Serialization Specification, Section 4, Class Descriptors
 * @since   JDK1.1
 */
public class ObjectStreamClass implements Serializable {

    /** serialPersistentFields value indicating no serializable fields */
    public static final ObjectStreamField[] NO_FIELDS = 
	new ObjectStreamField[0];
    
    private static final long serialVersionUID = -6120832682080437368L;
    private static final ObjectStreamField[] serialPersistentFields =
	NO_FIELDS;
    
    /** reflection factory for obtaining serialization constructors */
    private static final ReflectionFactory reflFactory = (ReflectionFactory)
	AccessController.doPrivileged(
	    new ReflectionFactory.GetReflectionFactoryAction());

    /** cache mapping local classes -> descriptors */
    private static final SoftCache localDescs = new SoftCache(10);
    /** cache mapping field group/local desc pairs -> field reflectors */
    private static final SoftCache reflectors = new SoftCache(10);

    /** class associated with this descriptor (if any) */
    private Class cl;
    /** name of class represented by this descriptor */
    private String name;
    /** serialVersionUID of represented class (null if not computed yet) */
    private volatile Long suid;

    /** true if represents dynamic proxy class */
    private boolean isProxy;
    /** true if represented class implements Serializable */
    private boolean serializable;
    /** true if represented class implements Externalizable */
    private boolean externalizable;
    /** true if desc has data written by class-defined writeObject method */
    private boolean hasWriteObjectData;
    /** 
     * true if desc has externalizable data written in block data format; this
     * must be true by default to accomodate ObjectInputStream subclasses which
     * override readClassDescriptor() to return class descriptors obtained from
     * ObjectStreamClass.lookup() (see 4461737)
     */
    private boolean hasBlockExternalData = true;

    /** exception (if any) thrown while attempting to resolve class */
    private ClassNotFoundException resolveEx;
    /** exception (if any) to be thrown if deserialization attempted */
    private InvalidClassException deserializeEx;
    /** exception (if any) to be thrown if serialization attempted */
    private InvalidClassException serializeEx;
    /** exception (if any) to be thrown if default serialization attempted */
    private InvalidClassException defaultSerializeEx;

    /** serializable fields */
    private ObjectStreamField[] fields;
    /** aggregate marshalled size of primitive fields */
    private int primDataSize;
    /** number of non-primitive fields */
    private int numObjFields;
    /** reflector for setting/getting serializable field values */
    private FieldReflector fieldRefl;
    /** data layout of serialized objects described by this class desc */
    private volatile ClassDataSlot[] dataLayout;

    /** serialization-appropriate constructor, or null if none */
    private Constructor cons;
    /** class-defined writeObject method, or null if none */
    private Method writeObjectMethod;
    /** class-defined readObject method, or null if none */
    private Method readObjectMethod;
    /** class-defined readObjectNoData method, or null if none */
    private Method readObjectNoDataMethod;
    /** class-defined writeReplace method, or null if none */
    private Method writeReplaceMethod;
    /** class-defined readResolve method, or null if none */
    private Method readResolveMethod;

    /** local class descriptor for represented class (may point to self) */
    private ObjectStreamClass localDesc;
    /** superclass descriptor appearing in stream */
    private ObjectStreamClass superDesc;
    
    /**
     * Initializes native code.
     */
    private static native void initNative();
    static {
	initNative();
    }

    /** 
     * Find the descriptor for a class that can be serialized.  Creates an
     * ObjectStreamClass instance if one does not exist yet for class. Null is
     * returned if the specified class does not implement java.io.Serializable
     * or java.io.Externalizable.
     *
     * @param	cl class for which to get the descriptor
     * @return	the class descriptor for the specified class
     */
    public static ObjectStreamClass lookup(Class cl) {
	return lookup(cl, false);
    }
    
    /**
     * The name of the class described by this descriptor.
     *
     * @return	a String representing the fully qualified name of
     * 		the class
     */
    public String getName() {
	return name;
    }

    /**
     * Return the serialVersionUID for this class.  The serialVersionUID
     * defines a set of classes all with the same name that have evolved from a
     * common root class and agree to be serialized and deserialized using a
     * common format.  NonSerializable classes have a serialVersionUID of 0L.
     *
     * @return	the SUID of the class described by this descriptor
     */
    public long getSerialVersionUID() {
	// REMIND: synchronize instead of relying on volatile?
	if (suid == null) {
	    suid = (Long) AccessController.doPrivileged(
		new PrivilegedAction() {
		    public Object run() {
			return new Long(computeDefaultSUID(cl));
		    }
		}
	    );
	}
	return suid.longValue();
    }

    /**
     * Return the class in the local VM that this version is mapped to.  Null
     * is returned if there is no corresponding local class.
     *
     * @return	the Class instance that this descriptor represents
     */
    public Class forClass() {
	return cl;
    }
    
    /**
     * Return an array of the fields of this serializable class.
     *
     * @return	an array containing an element for each persistent field of
     * 		this class. Returns an array of length zero if there are no
     * 		fields.
     * @since 1.2
     */
    public ObjectStreamField[] getFields() {
	return getFields(true);
    }

    /**
     * Get the field of this class by name.
     *
     * @param	name the name of the data field to look for
     * @return	The ObjectStreamField object of the named field or null if
     * 		there is no such named field.
     */
    public ObjectStreamField getField(String name) {
	return getField(name, null);
    }

    /**
     * Return a string describing this ObjectStreamClass.
     */
    public String toString() {
	return name + ": static final long serialVersionUID = " + 
	    getSerialVersionUID() + "L;";
    }
    
    /**
     * Looks up and returns class descriptor for given class, or null if class
     * is non-serializable and "all" is set to false.
     * 
     * @param	cl class to look up
     * @param	all if true, return descriptors for all classes; if false, only
     * 		return descriptors for serializable classes
     */
    static ObjectStreamClass lookup(Class cl, boolean all) {
	/*KML
	  if (!(all || Serializable.class.isAssignableFrom(cl))) {
	    return null;
	}
	KML*/
	/*
	 * Note: using the class directly as the key for storing entries does
	 * not pin the class indefinitely, since SoftCache removes strong refs
	 * to keys when the corresponding values are gc'ed.
	 */
	Object entry;
	EntryFuture future = null;
	synchronized (localDescs) {
	    if ((entry = localDescs.get(cl)) == null) {
		localDescs.put(cl, future = new EntryFuture());
	    }
	}
	
	if (entry instanceof ObjectStreamClass) {  // check common case first
	    return (ObjectStreamClass) entry;
	} else if (entry instanceof EntryFuture) {
	    entry = ((EntryFuture) entry).get();
	} else if (entry == null) {
	    try {
		entry = new ObjectStreamClass(cl);
	    } catch (Throwable th) {
		entry = th;
	    }
	    future.set(entry);
	    synchronized (localDescs) {
		localDescs.put(cl, entry);
	    }
	}
	
	if (entry instanceof ObjectStreamClass) {
	    return (ObjectStreamClass) entry;
	} else if (entry instanceof RuntimeException) {
	    throw (RuntimeException) entry;
	} else if (entry instanceof Error) {
	    throw (Error) entry;
	} else {
	    throw new InternalError("unexpected entry: " + entry);
	}
    }

    /**
     * Placeholder used in class descriptor and field reflector lookup tables
     * for an entry in the process of being initialized.  (Internal) callers
     * which receive an EntryFuture as the result of a lookup should call the
     * get() method of the EntryFuture; this will return the actual entry once
     * it is ready for use and has been set().  To conserve objects,
     * EntryFutures synchronize on themselves.
     */
    /*KML
    private static class EntryFuture {
	
	private static final Object unset = new Object();
	private Object entry = unset;

	synchronized void set(Object entry) {
	    if (this.entry != unset) {
		throw new IllegalStateException();
	    }
	    this.entry = entry;
	    notifyAll();
	}
	
	synchronized Object get() {
	    boolean interrupted = false;
	    while (entry == unset) {
		try { 
		    wait(); 
		} catch (InterruptedException ex) {
		    interrupted = true;
		}
	    }
	    if (interrupted) {
		AccessController.doPrivileged(
		    new PrivilegedAction() {
			public Object run() {
			    Thread.currentThread().interrupt();
			    return null;
			}
		    }
		);
	    }
	    return entry;
	}
    }
    KML*/

    /**
     * Creates local class descriptor representing given class.
     */
    private ObjectStreamClass(final Class cl) {
	this.cl = cl;
	name = cl.getName();
	isProxy = Proxy.isProxyClass(cl);
	/*KML
	serializable = Serializable.class.isAssignableFrom(cl);
	externalizable = Externalizable.class.isAssignableFrom(cl);
	KML*/

	Class superCl = cl.getSuperclass();
	superDesc = (superCl != null) ? lookup(superCl, false) : null;
	localDesc = this;
	/*KML
	if (serializable) {
	    AccessController.doPrivileged(new PrivilegedAction() {
		public Object run() {
		    suid = getDeclaredSUID(cl);
		    try {
			fields = getSerialFields(cl);
			computeFieldOffsets();
		    } catch (InvalidClassException e) {
			serializeEx = deserializeEx = e;
			fields = NO_FIELDS;
		    }
		    
		    if (externalizable) {
			cons = getExternalizableConstructor(cl);
		    } else {
			cons = getSerializableConstructor(cl);
			writeObjectMethod = getPrivateMethod(cl, "writeObject", 
			    new Class[] { ObjectOutputStream.class }, 
			    Void.TYPE);
			readObjectMethod = getPrivateMethod(cl, "readObject", 
			    new Class[] { ObjectInputStream.class }, 
			    Void.TYPE);
			readObjectNoDataMethod = getPrivateMethod(
			    cl, "readObjectNoData", 
			    new Class[0], Void.TYPE);
			hasWriteObjectData = (writeObjectMethod != null);
		    }
		    writeReplaceMethod = getInheritableMethod(
			cl, "writeReplace", new Class[0], Object.class);
		    readResolveMethod = getInheritableMethod(
			cl, "readResolve", new Class[0], Object.class);
		    return null;
		}
	    });
	} else {
	    suid = new Long(0);
	    fields = NO_FIELDS;
	}
	KML*/
	try {
	    fieldRefl = getReflector(fields, this);
	} catch (InvalidClassException ex) {
	    // field mismatches impossible when matching local fields vs. self
	    throw new InternalError();
	}

	if (cons == null) {
	    deserializeEx = new InvalidClassException(
		name, "no valid constructor");
	}
	for (int i = 0; i < fields.length; i++) {
	    if (fields[i].getField() == null) {
		defaultSerializeEx = new InvalidClassException(
		    name, "unmatched serializable field(s) declared");
	    }
	}
    }

    /**
     * Creates blank class descriptor which should be initialized via a
     * subsequent call to initProxy(), initNonProxy() or readNonProxy().
     */
    ObjectStreamClass() {
    }
    
    /**
     * Initializes class descriptor representing a proxy class.
     */
    void initProxy(Class cl, 
		   ClassNotFoundException resolveEx, 
		   ObjectStreamClass superDesc) 
	throws InvalidClassException
    {
	this.cl = cl;
	this.resolveEx = resolveEx;
	this.superDesc = superDesc;
	isProxy = true;
	serializable = true;
	suid = new Long(0);
	fields = NO_FIELDS;
	
	if (cl != null) {
	    localDesc = lookup(cl, true);
	    if (!localDesc.isProxy) {
		throw new InvalidClassException(
		    "cannot bind proxy descriptor to a non-proxy class");
	    }
	    name = localDesc.name;
	    externalizable = localDesc.externalizable;
	    cons = localDesc.cons;
	    writeReplaceMethod = localDesc.writeReplaceMethod;
	    readResolveMethod = localDesc.readResolveMethod;
	    deserializeEx = localDesc.deserializeEx;
	}
	fieldRefl = getReflector(fields, localDesc);
    }
    
    /**
     * Initializes class descriptor representing a non-proxy class.
     */
    void initNonProxy(ObjectStreamClass model, 
		      Class cl, 
		      ClassNotFoundException resolveEx,
		      ObjectStreamClass superDesc)
	throws InvalidClassException
    {
	this.cl = cl;
	this.resolveEx = resolveEx;
	this.superDesc = superDesc;
	name = model.name;
	suid = new Long(model.getSerialVersionUID());
	isProxy = false;
	serializable = model.serializable;
	externalizable = model.externalizable;
	hasBlockExternalData = model.hasBlockExternalData;
	hasWriteObjectData = model.hasWriteObjectData;
	fields = model.fields;
	primDataSize = model.primDataSize;
	numObjFields = model.numObjFields;
	
	if (cl != null) {
	    localDesc = lookup(cl, true);
	    if (localDesc.isProxy) {
		throw new InvalidClassException(
		    "cannot bind non-proxy descriptor to a proxy class");
	    }
	    
	    if (serializable == localDesc.serializable &&
		!cl.isArray() &&
		suid.longValue() != localDesc.getSerialVersionUID())
	    {
		throw new InvalidClassException(localDesc.name, 
		    "local class incompatible: " +
		    "stream classdesc serialVersionUID = " + suid +
		    ", local class serialVersionUID = " +
		    localDesc.getSerialVersionUID());
	    }
		
	    if (!classNamesEqual(name, localDesc.name)) {
		throw new InvalidClassException(localDesc.name,
		    "local class name incompatible with stream class " +
		    "name \"" + name + "\"");
	    }
	    
	    if ((serializable == localDesc.serializable) &&
		(externalizable != localDesc.externalizable))
	    {
		throw new InvalidClassException(localDesc.name, 
		    "Serializable incompatible with Externalizable");
	    }

	    if ((serializable != localDesc.serializable) ||
		(externalizable != localDesc.externalizable) ||
		!(serializable || externalizable))
	    {
		deserializeEx = new InvalidClassException(localDesc.name,
		    "class invalid for deserialization");
	    }
	    
	    cons = localDesc.cons;
	    writeObjectMethod = localDesc.writeObjectMethod;
	    readObjectMethod = localDesc.readObjectMethod;
	    readObjectNoDataMethod = localDesc.readObjectNoDataMethod;
	    writeReplaceMethod = localDesc.writeReplaceMethod;
	    readResolveMethod = localDesc.readResolveMethod;
	    if (deserializeEx == null) {
		deserializeEx = localDesc.deserializeEx;
	    }
	}
	fieldRefl = getReflector(fields, localDesc);
	// reassign to matched fields so as to reflect local unshared settings
	fields = fieldRefl.getFields();
    }
    
    /**
     * Reads non-proxy class descriptor information from given input stream.
     * The resulting class descriptor is not fully functional; it can only be
     * used as input to the ObjectInputStream.resolveClass() and
     * ObjectStreamClass.initNonProxy() methods.
     */
    void readNonProxy(ObjectInputStream in) 
	throws IOException, ClassNotFoundException
    {
	name = in.readUTF();
	suid = new Long(in.readLong());
	isProxy = false;

	byte flags = in.readByte();
	hasWriteObjectData = 
	    ((flags & ObjectStreamConstants.SC_WRITE_METHOD) != 0);
	hasBlockExternalData = 
	    ((flags & ObjectStreamConstants.SC_BLOCK_DATA) != 0);
	externalizable = 
	    ((flags & ObjectStreamConstants.SC_EXTERNALIZABLE) != 0);
	boolean sflag = 
	    ((flags & ObjectStreamConstants.SC_SERIALIZABLE) != 0);
	if (externalizable && sflag) {
	    throw new InvalidClassException(
		name, "serializable and externalizable flags conflict");
	}
	serializable = externalizable || sflag;
	
	int numFields = in.readShort();
	fields = (numFields > 0) ? 
	    new ObjectStreamField[numFields] : NO_FIELDS;
	for (int i = 0; i < numFields; i++) {
	    char tcode = (char) in.readByte();
	    String fname = in.readUTF();
	      String signature = ((tcode == 'L') || (tcode == '[')) ?
		in.readTypeString() : new String(new char[] { tcode });
	    try {
		fields[i] = new ObjectStreamField(fname, signature, false);
	    } catch (RuntimeException e) {
		throw (IOException) new InvalidClassException(name, 
		    "invalid descriptor for field " + fname).initCause(e);
		    }
		    
	}
	computeFieldOffsets();
    }

    /**
     * Writes non-proxy class descriptor information to given output stream.
     */
    void writeNonProxy(ObjectOutputStream out) throws IOException {
	out.writeUTF(name);
	out.writeLong(getSerialVersionUID());

	byte flags = 0;
	if (externalizable) {
	    flags |= ObjectStreamConstants.SC_EXTERNALIZABLE;
	    int protocol = out.getProtocolVersion();
	    if (protocol != ObjectStreamConstants.PROTOCOL_VERSION_1) {
		flags |= ObjectStreamConstants.SC_BLOCK_DATA;
	    }
	} else if (serializable) {
	    flags |= ObjectStreamConstants.SC_SERIALIZABLE;
	}
	if (hasWriteObjectData) {
	    flags |= ObjectStreamConstants.SC_WRITE_METHOD;
	}
	out.writeByte(flags);
	
	out.writeShort(fields.length);
	for (int i = 0; i < fields.length; i++) {
	    ObjectStreamField f = fields[i];
	    out.writeByte(f.getTypeCode());
	    out.writeUTF(f.getName());
	    if (!f.isPrimitive()) {
		out.writeTypeString(f.getTypeString());
	    }
	}
    }
    
    /**
     * Returns ClassNotFoundException (if any) thrown while attempting to
     * resolve local class corresponding to this class descriptor.
     */
    ClassNotFoundException getResolveException() {
	return resolveEx;
    }

    /**
     * Throws an InvalidClassException if object instances referencing this
     * class descriptor should not be allowed to deserialize.
     */
    void checkDeserialize() throws InvalidClassException {
	if (deserializeEx != null) {
	    throw deserializeEx;
	}
    }
    
    /**
     * Throws an InvalidClassException if objects whose class is represented by
     * this descriptor should not be allowed to serialize.
     */
    void checkSerialize() throws InvalidClassException {
	if (serializeEx != null) {
	    throw serializeEx;
	}
    }

    /**
     * Throws an InvalidClassException if objects whose class is represented by
     * this descriptor should not be permitted to use default serialization
     * (e.g., if the class declares serializable fields that do not correspond
     * to actual fields, and hence must use the GetField API).
     */
    void checkDefaultSerialize() throws InvalidClassException {
	if (defaultSerializeEx != null) {
	    throw defaultSerializeEx;
	}
    }

    /**
     * Returns superclass descriptor.  Note that on the receiving side, the
     * superclass descriptor may be bound to a class that is not a superclass
     * of the subclass descriptor's bound class.
     */
    ObjectStreamClass getSuperDesc() {
	return superDesc;
    }
    
    /**
     * Returns the "local" class descriptor for the class associated with this
     * class descriptor (i.e., the result of
     * ObjectStreamClass.lookup(this.forClass())) or null if there is no class
     * associated with this descriptor.
     */
    ObjectStreamClass getLocalDesc() {
	return localDesc;
    }

    /**
     * Returns arrays of ObjectStreamFields representing the serializable
     * fields of the represented class.  If copy is true, a clone of this class
     * descriptor's field array is returned, otherwise the array itself is
     * returned.
     */
    ObjectStreamField[] getFields(boolean copy) {
	return copy ? (ObjectStreamField[]) fields.clone() : fields;
    }
    
    /**
     * Looks up a serializable field of the represented class by name and type.
     * A specified type of null matches all types, Object.class matches all
     * non-primitive types, and any other non-null type matches assignable
     * types only.  Returns matching field, or null if no match found.
     */
    ObjectStreamField getField(String name, Class type) {
	/*KML
	  for (int i = 0; i < fields.length; i++) {
	    ObjectStreamField f = fields[i];
	    if (f.getName().equals(name)) {
		if (type == null || 
		    (type == Object.class && !f.isPrimitive()))
		{
		    return f;
		}
		Class ftype = f.getType();
		if (ftype != null && type.isAssignableFrom(ftype)) {
		    return f;
		}
	    }
	}
	KML*/
	return null;
    }

    /**
     * Returns true if class descriptor represents a dynamic proxy class, false
     * otherwise.
     */
    boolean isProxy() {
	return isProxy;
    }
    
    /**
     * Returns true if represented class implements Externalizable, false
     * otherwise.
     */
    boolean isExternalizable() {
	return externalizable;
    }
    
    /**
     * Returns true if represented class implements Serializable, false
     * otherwise.
     */
    boolean isSerializable() {
	return serializable;
    }

    /**
     * Returns true if class descriptor represents externalizable class that
     * has written its data in 1.2 (block data) format, false otherwise.
     */
    boolean hasBlockExternalData() {
	return hasBlockExternalData;
    }
    
    /**
     * Returns true if class descriptor represents serializable (but not
     * externalizable) class which has written its data via a custom
     * writeObject() method, false otherwise.
     */
    boolean hasWriteObjectData() {
	return hasWriteObjectData;
    }
    
    /**
     * Returns true if represented class is serializable/externalizable and can
     * be instantiated by the serialization runtime--i.e., if it is
     * externalizable and defines a public no-arg constructor, or if it is
     * non-externalizable and its first non-serializable superclass defines an
     * accessible no-arg constructor.  Otherwise, returns false.
     */
    boolean isInstantiable() {
	return (cons != null);
    }
    
    /**
     * Returns true if represented class is serializable (but not
     * externalizable) and defines a conformant writeObject method.  Otherwise,
     * returns false.
     */
    boolean hasWriteObjectMethod() {
	return (writeObjectMethod != null);
    }
    
    /**
     * Returns true if represented class is serializable (but not
     * externalizable) and defines a conformant readObject method.  Otherwise,
     * returns false.
     */
    boolean hasReadObjectMethod() {
	return (readObjectMethod != null);
    }
    
    /**
     * Returns true if represented class is serializable (but not
     * externalizable) and defines a conformant readObjectNoData method.
     * Otherwise, returns false.
     */
    boolean hasReadObjectNoDataMethod() {
	return (readObjectNoDataMethod != null);
    }
    
    /**
     * Returns true if represented class is serializable or externalizable and
     * defines a conformant writeReplace method.  Otherwise, returns false.
     */
    boolean hasWriteReplaceMethod() {
	return (writeReplaceMethod != null);
    }
    
    /**
     * Returns true if represented class is serializable or externalizable and
     * defines a conformant readResolve method.  Otherwise, returns false.
     */
    boolean hasReadResolveMethod() {
	return (readResolveMethod != null);
    }
    
    /**
     * Creates a new instance of the represented class.  If the class is
     * externalizable, invokes its public no-arg constructor; otherwise, if the
     * class is serializable, invokes the no-arg constructor of the first
     * non-serializable superclass.  Throws UnsupportedOperationException if
     * this class descriptor is not associated with a class, if the associated
     * class is non-serializable or if the appropriate no-arg constructor is
     * inaccessible/unavailable.
     */
    Object newInstance()
	throws InstantiationException, InvocationTargetException,
	       UnsupportedOperationException
    {
	if (cons != null) {
	    try {
		return cons.newInstance(new Object[0]);
	    } catch (IllegalAccessException ex) {
		// should not occur, as access checks have been suppressed
		throw new InternalError();
	    }
	} else {
	    throw new UnsupportedOperationException();
	}
    }
	       
    /**
     * Invokes the writeObject method of the represented serializable class.
     * Throws UnsupportedOperationException if this class descriptor is not
     * associated with a class, or if the class is externalizable,
     * non-serializable or does not define writeObject.
     */
    void invokeWriteObject(Object obj, ObjectOutputStream out)
	throws IOException, UnsupportedOperationException
    {
	if (writeObjectMethod != null) {
	    try {
		writeObjectMethod.invoke(obj, new Object[]{ out });
	    } catch (InvocationTargetException ex) {
		Throwable th = ex.getTargetException();
		if (th instanceof IOException) {
		    throw (IOException) th;
		} else {
		    throwMiscException(th);
		}
	    } catch (IllegalAccessException ex) {
		// should not occur, as access checks have been suppressed
		throw new InternalError();
	    }
	} else {
	    throw new UnsupportedOperationException();
	}
    }
    
    /**
     * Invokes the readObject method of the represented serializable class.
     * Throws UnsupportedOperationException if this class descriptor is not
     * associated with a class, or if the class is externalizable,
     * non-serializable or does not define readObject.
     */
    void invokeReadObject(Object obj, ObjectInputStream in)
	throws ClassNotFoundException, IOException, 
	       UnsupportedOperationException
    {
	if (readObjectMethod != null) {
	    try {
		readObjectMethod.invoke(obj, new Object[]{ in });
	    } catch (InvocationTargetException ex) {
		Throwable th = ex.getTargetException();
		if (th instanceof ClassNotFoundException) {
		    throw (ClassNotFoundException) th;
		} else if (th instanceof IOException) {
		    throw (IOException) th;
		} else {
		    throwMiscException(th);
		}
	    } catch (IllegalAccessException ex) {
		// should not occur, as access checks have been suppressed
		throw new InternalError();
	    }
	} else {
	    throw new UnsupportedOperationException();
	}
    }

    /**
     * Invokes the readObjectNoData method of the represented serializable
     * class.  Throws UnsupportedOperationException if this class descriptor is
     * not associated with a class, or if the class is externalizable,
     * non-serializable or does not define readObjectNoData.
     */
    void invokeReadObjectNoData(Object obj)
	throws IOException, UnsupportedOperationException
    {
	if (readObjectNoDataMethod != null) {
	    try {
		readObjectNoDataMethod.invoke(obj, new Object[0]);
	    } catch (InvocationTargetException ex) {
		Throwable th = ex.getTargetException();
		if (th instanceof ObjectStreamException) {
		    throw (ObjectStreamException) th;
		} else {
		    throwMiscException(th);
		}
	    } catch (IllegalAccessException ex) {
		// should not occur, as access checks have been suppressed
		throw new InternalError();
	    }
	} else {
	    throw new UnsupportedOperationException();
	}
    }

    /**
     * Invokes the writeReplace method of the represented serializable class and
     * returns the result.  Throws UnsupportedOperationException if this class
     * descriptor is not associated with a class, or if the class is
     * non-serializable or does not define writeReplace.
     */
    Object invokeWriteReplace(Object obj)
	throws IOException, UnsupportedOperationException
    {
	if (writeReplaceMethod != null) {
	    try {
		return writeReplaceMethod.invoke(obj, new Object[0]);
	    } catch (InvocationTargetException ex) {
		Throwable th = ex.getTargetException();
		if (th instanceof ObjectStreamException) {
		    throw (ObjectStreamException) th;
		} else {
		    throwMiscException(th);
		    throw new InternalError();	// never reached
		}
	    } catch (IllegalAccessException ex) {
		// should not occur, as access checks have been suppressed
		throw new InternalError();
	    }
	} else {
	    throw new UnsupportedOperationException();
	}
    }

    /**
     * Invokes the readResolve method of the represented serializable class and
     * returns the result.  Throws UnsupportedOperationException if this class
     * descriptor is not associated with a class, or if the class is
     * non-serializable or does not define readResolve.
     */
    Object invokeReadResolve(Object obj)
	throws IOException, UnsupportedOperationException
    {
	if (readResolveMethod != null) {
	    try {
		return readResolveMethod.invoke(obj, new Object[0]);
	    } catch (InvocationTargetException ex) {
		Throwable th = ex.getTargetException();
		if (th instanceof ObjectStreamException) {
		    throw (ObjectStreamException) th;
		} else {
		    throwMiscException(th);
		    throw new InternalError();	// never reached
		}
	    } catch (IllegalAccessException ex) {
		// should not occur, as access checks have been suppressed
		throw new InternalError();
	    }
	} else {
	    throw new UnsupportedOperationException();
	}
    }

    /**
     * Class representing the portion of an object's serialized form allotted
     * to data described by a given class descriptor.  If "hasData" is false,
     * the object's serialized form does not contain data associated with the
     * class descriptor.
     */
    /*KML
    static class ClassDataSlot {

	/** class descriptor "occupying" this slot *KML/
	final ObjectStreamClass desc;
	/** true if serialized form includes data for this slot's descriptor *KML/
	final boolean hasData;
	
	ClassDataSlot(ObjectStreamClass desc, boolean hasData) {
	    this.desc = desc;
	    this.hasData = hasData;
	}
    }
    KML*/

    /**
     * Returns array of ClassDataSlot instances representing the data layout
     * (including superclass data) for serialized objects described by this
     * class descriptor.  ClassDataSlots are ordered by inheritance with those
     * containing "higher" superclasses appearing first.  The final
     * ClassDataSlot contains a reference to this descriptor.
     */
    ClassDataSlot[] getClassDataLayout() throws InvalidClassException {
	// REMIND: synchronize instead of relying on volatile?
	if (dataLayout == null) {
	    dataLayout = getClassDataLayout0();
	}
	return dataLayout;
    }
    
    private ClassDataSlot[] getClassDataLayout0() 
	throws InvalidClassException 
    {
	ArrayList slots = new ArrayList();
	Class start = cl, end = cl;
	/*KML
	// locate closest non-serializable superclass
	while (end != null && Serializable.class.isAssignableFrom(end)) {
	    end = end.getSuperclass();
	}
	KML*/
	for (ObjectStreamClass d = this; d != null; d = d.superDesc) {
	    
	    // search up inheritance heirarchy for class with matching name
	    String searchName = (d.cl != null) ? d.cl.getName() : d.name;
	    Class match = null;
	    for (Class c = start; c != end; c = c.getSuperclass()) {
		if (searchName.equals(c.getName())) {
		    match = c;
		    break;
		}
	    }

	    // add "no data" slot for each unmatched class below match
	    if (match != null) {
		for (Class c = start; c != match; c = c.getSuperclass()) {
		    slots.add(new ClassDataSlot(
			ObjectStreamClass.lookup(c, true), false));
		}
		start = match.getSuperclass();
	    }
	    
	    // record descriptor/class pairing
	    slots.add(new ClassDataSlot(d.getVariantFor(match), true));
	}
	
	// add "no data" slot for any leftover unmatched classes
	for (Class c = start; c != end; c = c.getSuperclass()) {
	    slots.add(new ClassDataSlot(
		ObjectStreamClass.lookup(c, true), false));
	}

	// order slots from superclass -> subclass
	Collections.reverse(slots);
	return (ClassDataSlot[]) 
	    slots.toArray(new ClassDataSlot[slots.size()]);
    }
    
    /**
     * Returns aggregate size (in bytes) of marshalled primitive field values
     * for represented class.
     */
    int getPrimDataSize() {
	return primDataSize;
    }
    
    /**
     * Returns number of non-primitive serializable fields of represented
     * class.
     */
    int getNumObjFields() {
	return numObjFields;
    }
    
    /**
     * Fetches the serializable primitive field values of object obj and
     * marshals them into byte array buf starting at offset 0.  It is the
     * responsibility of the caller to ensure that obj is of the proper type if
     * non-null.
     */
    void getPrimFieldValues(Object obj, byte[] buf) {
	fieldRefl.getPrimFieldValues(obj, buf);
    }

    /**
     * Sets the serializable primitive fields of object obj using values
     * unmarshalled from byte array buf starting at offset 0.  It is the
     * responsibility of the caller to ensure that obj is of the proper type if
     * non-null.
     */
    void setPrimFieldValues(Object obj, byte[] buf) {
	fieldRefl.setPrimFieldValues(obj, buf);
    }
    
    /**
     * Fetches the serializable object field values of object obj and stores
     * them in array vals starting at offset 0.  It is the responsibility of
     * the caller to ensure that obj is of the proper type if non-null.
     */
    void getObjFieldValues(Object obj, Object[] vals) {
	fieldRefl.getObjFieldValues(obj, vals);
    }
    
    /**
     * Sets the serializable object fields of object obj using values from
     * array vals starting at offset 0.  It is the responsibility of the caller
     * to ensure that obj is of the proper type if non-null.
     */
    void setObjFieldValues(Object obj, Object[] vals) {
	fieldRefl.setObjFieldValues(obj, vals);
    }
    
    /**
     * Calculates and sets serializable field offsets, as well as primitive
     * data size and object field count totals.  Throws InvalidClassException
     * if fields are illegally ordered.
     */
    private void computeFieldOffsets() throws InvalidClassException {
	primDataSize = 0;
	numObjFields = 0;
	int firstObjIndex = -1;

	for (int i = 0; i < fields.length; i++) {
	    ObjectStreamField f = fields[i];
	    switch (f.getTypeCode()) {
		case 'Z':
		case 'B':
		    f.setOffset(primDataSize++);
		    break;

		case 'C':
		case 'S':
		    f.setOffset(primDataSize);
		    primDataSize += 2;
		    break;

		case 'I':
		case 'F':
		    f.setOffset(primDataSize);
		    primDataSize += 4;
		    break;

		case 'J':
		case 'D':
		    f.setOffset(primDataSize);
		    primDataSize += 8;
		    break;

		case '[':
		case 'L':
		    f.setOffset(numObjFields++);
		    if (firstObjIndex == -1) {
			firstObjIndex = i;
		    }
		    break;

		default:
		    throw new InternalError();
	    }
	}
	if (firstObjIndex != -1 && 
	    firstObjIndex + numObjFields != fields.length)
	{
	    throw new InvalidClassException(name, "illegal field order");
	}
    }
    
    /**
     * If given class is the same as the class associated with this class
     * descriptor, returns reference to this class descriptor.  Otherwise,
     * returns variant of this class descriptor bound to given class.
     */
    private ObjectStreamClass getVariantFor(Class cl) 
	throws InvalidClassException 
    {
	if (this.cl == cl) {
	    return this;
	}
	ObjectStreamClass desc = new ObjectStreamClass();
	if (isProxy) {
	    desc.initProxy(cl, null, superDesc);
	} else {
	    desc.initNonProxy(this, cl, null, superDesc);
	}
	return desc;
    }

    /**
     * Returns public no-arg constructor of given class, or null if none found.
     * Access checks are disabled on the returned constructor (if any), since
     * the defining class may still be non-public.
     */
    private static Constructor getExternalizableConstructor(Class cl) {
	try {
	    Constructor cons = cl.getDeclaredConstructor(new Class[0]);
	    cons.setAccessible(true);
	    return ((cons.getModifiers() & Modifier.PUBLIC) != 0) ? 
		cons : null;
	} catch (NoSuchMethodException ex) {
	    return null;
	}
    }

    /**
     * Returns subclass-accessible no-arg constructor of first non-serializable
     * superclass, or null if none found.  Access checks are disabled on the
     * returned constructor (if any).
     */
    private static Constructor getSerializableConstructor(Class cl) {
	Class initCl = cl;
	/*KML
	while (Serializable.class.isAssignableFrom(initCl)) {
	    if ((initCl = initCl.getSuperclass()) == null) {
		return null;
	    }
	}
	KML*/
	try {
	    Constructor cons = initCl.getDeclaredConstructor(new Class[0]);
	    int mods = cons.getModifiers();
	    if ((mods & Modifier.PRIVATE) != 0 ||
		((mods & (Modifier.PUBLIC | Modifier.PROTECTED)) == 0 &&
		 !packageEquals(cl, initCl)))
	    {
		return null;
	    }
	    cons = reflFactory.newConstructorForSerialization(cl, cons);
	    cons.setAccessible(true);
	    return cons;
	} catch (NoSuchMethodException ex) {
	    return null;
	}
    }

    /**
     * Returns non-static, non-abstract method with given signature provided it
     * is defined by or accessible (via inheritance) by the given class, or
     * null if no match found.  Access checks are disabled on the returned
     * method (if any).
     */
    private static Method getInheritableMethod(Class cl, String name,
					       Class[] argTypes,
					       Class returnType)
    {
	Method meth = null;
	Class defCl = cl;
	while (defCl != null) {
	    try {
		meth = defCl.getDeclaredMethod(name, argTypes);
		break;
	    } catch (NoSuchMethodException ex) {
		defCl = defCl.getSuperclass();
	    }
	}

	if ((meth == null) || (meth.getReturnType() != returnType)) {
	    return null;
	}
	meth.setAccessible(true);
	int mods = meth.getModifiers();
	if ((mods & (Modifier.STATIC | Modifier.ABSTRACT)) != 0) {
	    return null;
	} else if ((mods & (Modifier.PUBLIC | Modifier.PROTECTED)) != 0) {
	    return meth;
	} else if ((mods & Modifier.PRIVATE) != 0) {
	    return (cl == defCl) ? meth : null;
	} else {
	    return packageEquals(cl, defCl) ? meth : null;
	}
    }

    /**
     * Returns non-static private method with given signature defined by given
     * class, or null if none found.  Access checks are disabled on the
     * returned method (if any).
     */
    private static Method getPrivateMethod(Class cl, String name, 
					   Class[] argTypes,
					   Class returnType)
    {
	try {
	    Method meth = cl.getDeclaredMethod(name, argTypes);
	    meth.setAccessible(true);
	    int mods = meth.getModifiers();
	    return ((meth.getReturnType() == returnType) &&
		    ((mods & Modifier.STATIC) == 0) &&
		    ((mods & Modifier.PRIVATE) != 0)) ? meth : null;
	} catch (NoSuchMethodException ex) {
	    return null;
	}
    }

    /**
     * Returns true if classes are defined in the same runtime package, false
     * otherwise.
     */
    private static boolean packageEquals(Class cl1, Class cl2) {
	return (cl1.getClassLoader() == cl2.getClassLoader() &&
		getPackageName(cl1).equals(getPackageName(cl2)));
    }

    /**
     * Returns package name of given class.
     */
    private static String getPackageName(Class cl) {
	String s = cl.getName();
	int i = s.lastIndexOf('[');
	if (i >= 0) {
	    s = s.substring(i + 2);
	}
	i = s.lastIndexOf('.');
	return (i >= 0) ? s.substring(0, i) : "";
    }

    /**
     * Compares class names for equality, ignoring package names.  Returns true
     * if class names equal, false otherwise.
     */
    private static boolean classNamesEqual(String name1, String name2) {
	name1 = name1.substring(name1.lastIndexOf('.') + 1);
	name2 = name2.substring(name2.lastIndexOf('.') + 1);
	return name1.equals(name2);
    }
    
    /**
     * Returns JVM type signature for given class.
     */
    static String getClassSignature(Class cl) {
	StringBuffer sbuf = new StringBuffer();
	while (cl.isArray()) {
	    sbuf.append('[');
	    cl = cl.getComponentType();
	}
	if (cl.isPrimitive()) {
	    if (cl == Integer.TYPE) {
		sbuf.append('I');
	    } else if (cl == Byte.TYPE) {
		sbuf.append('B');
	    } else if (cl == Long.TYPE) {
		sbuf.append('J');
	    } else if (cl == Float.TYPE) {
		sbuf.append('F');
	    } else if (cl == Double.TYPE) {
		sbuf.append('D');
	    } else if (cl == Short.TYPE) {
		sbuf.append('S');
	    } else if (cl == Character.TYPE) {
		sbuf.append('C');
	    } else if (cl == Boolean.TYPE) {
		sbuf.append('Z');
	    } else if (cl == Void.TYPE) {
		sbuf.append('V');
	    } else {
		throw new InternalError();
	    }
	} else {
	    sbuf.append('L' + cl.getName().replace('.', '/') + ';');
	}
	return sbuf.toString();
    }

    /**
     * Returns JVM type signature for given list of parameters and return type.
     */
    private static String getMethodSignature(Class[] paramTypes, 
					     Class retType) 
    {
	StringBuffer sbuf = new StringBuffer();
	sbuf.append('(');
	for (int i = 0; i < paramTypes.length; i++) {
	    sbuf.append(getClassSignature(paramTypes[i]));
	}
	sbuf.append(')');
	sbuf.append(getClassSignature(retType));
	return sbuf.toString();
    }

    /**
     * Convenience method for throwing an exception that is either a
     * RuntimeException, Error, or of some unexpected type (in which case it is
     * wrapped inside an IOException).
     */
    private static void throwMiscException(Throwable th) throws IOException {
	if (th instanceof RuntimeException) {
	    throw (RuntimeException) th;
	} else if (th instanceof Error) {
	    throw (Error) th;
	} else {
	    IOException ex = new IOException("unexpected exception type");
	    ex.initCause(th);
	    throw ex;
	}
    }

    /**
     * Returns ObjectStreamField array describing the serializable fields of
     * the given class.  Serializable fields backed by an actual field of the
     * class are represented by ObjectStreamFields with corresponding non-null
     * Field objects.  Throws InvalidClassException if the (explicitly
     * declared) serializable fields are invalid.
     */
    private static ObjectStreamField[] getSerialFields(Class cl) 
	throws InvalidClassException
    {
	ObjectStreamField[] fields;
	/*KML
	if (Serializable.class.isAssignableFrom(cl) &&
	    !Externalizable.class.isAssignableFrom(cl) &&
	    !Proxy.isProxyClass(cl) &&
	    !cl.isInterface())
	{
	    if ((fields = getDeclaredSerialFields(cl)) == null) {
		fields = getDefaultSerialFields(cl);
	    }
	    Arrays.sort(fields);
	} else {
	    fields = NO_FIELDS;
	}
	KML*/
	return fields;
    }
    
    /**
     * Returns serializable fields of given class as defined explicitly by a
     * "serialPersistentFields" field, or null if no appropriate
     * "serialPersistendFields" field is defined.  Serializable fields backed
     * by an actual field of the class are represented by ObjectStreamFields
     * with corresponding non-null Field objects.  For compatibility with past
     * releases, a "serialPersistentFields" field with a null value is
     * considered equivalent to not declaring "serialPersistentFields".  Throws
     * InvalidClassException if the declared serializable fields are
     * invalid--e.g., if multiple fields share the same name.
     */
    private static ObjectStreamField[] getDeclaredSerialFields(Class cl) 
	throws InvalidClassException
    {
	ObjectStreamField[] serialPersistentFields = null;
	try {
	    Field f = cl.getDeclaredField("serialPersistentFields");
	    int mask = Modifier.PRIVATE | Modifier.STATIC | Modifier.FINAL;
	    if ((f.getModifiers() & mask) == mask) {
		f.setAccessible(true);
		serialPersistentFields = (ObjectStreamField[]) f.get(null);
	    }
	} catch (Exception ex) {
	}
	if (serialPersistentFields == null) {
	    return null;
	} else if (serialPersistentFields.length == 0) {
	    return NO_FIELDS;
	}
	
	ObjectStreamField[] boundFields = 
	    new ObjectStreamField[serialPersistentFields.length];
	Set fieldNames = new HashSet(serialPersistentFields.length);

	for (int i = 0; i < serialPersistentFields.length; i++) {
	    ObjectStreamField spf = serialPersistentFields[i];

	    String fname = spf.getName();
	    if (fieldNames.contains(fname)) {
		throw new InvalidClassException(
		    "multiple serializable fields named " + fname);
	    }
	    fieldNames.add(fname);

	    try {
		Field f = cl.getDeclaredField(fname);
		if ((f.getType() == spf.getType()) &&
		    ((f.getModifiers() & Modifier.STATIC) == 0))
		{
		    boundFields[i] = 
			new ObjectStreamField(f, spf.isUnshared(), true);
		}
	    } catch (NoSuchFieldException ex) {
	    }
	    if (boundFields[i] == null) {
		boundFields[i] = new ObjectStreamField(
		    fname, spf.getType(), spf.isUnshared());
	    }
	}
	return boundFields;
    }

    /**
     * Returns array of ObjectStreamFields corresponding to all non-static
     * non-transient fields declared by given class.  Each ObjectStreamField
     * contains a Field object for the field it represents.  If no default
     * serializable fields exist, NO_FIELDS is returned.
     */
    private static ObjectStreamField[] getDefaultSerialFields(Class cl) {
	Field[] clFields = cl.getDeclaredFields();
	ArrayList list = new ArrayList();
	int mask = Modifier.STATIC | Modifier.TRANSIENT;

	for (int i = 0; i < clFields.length; i++) {
	    if ((clFields[i].getModifiers() & mask) == 0) {
		list.add(new ObjectStreamField(clFields[i], false, true));
	    }
	}
	int size = list.size();
	return (size == 0) ? NO_FIELDS :
	    (ObjectStreamField[]) list.toArray(new ObjectStreamField[size]);
    }

    /**
     * Returns explicit serial version UID value declared by given class, or
     * null if none.
     */
    private static Long getDeclaredSUID(Class cl) {
	try {
	    Field f = cl.getDeclaredField("serialVersionUID");
	    int mask = Modifier.STATIC | Modifier.FINAL;
	    if ((f.getModifiers() & mask) == mask) {
		f.setAccessible(true);
		return new Long(f.getLong(null));
	    }
	} catch (Exception ex) {
	}
	return null;
    }

    /**
     * Computes the default serial version UID value for the given class.
     */
    private static long computeDefaultSUID(Class cl) {
	/*KML
	if (!Serializable.class.isAssignableFrom(cl) || Proxy.isProxyClass(cl))
	{
	    return 0L;
	}
	KML*/
	try {
	    ByteArrayOutputStream bout = new ByteArrayOutputStream();
	    DataOutputStream dout = new DataOutputStream(bout);

	    dout.writeUTF(cl.getName());
	    
	    int classMods = cl.getModifiers() &
		(Modifier.PUBLIC | Modifier.FINAL |
		 Modifier.INTERFACE | Modifier.ABSTRACT);

	    /*
	     * compensate for javac bug in which ABSTRACT bit was set for an
	     * interface only if the interface declared methods
	     */
	    Method[] methods = cl.getDeclaredMethods();
	    if ((classMods & Modifier.INTERFACE) != 0) {
		classMods = (methods.length > 0) ?
		    (classMods | Modifier.ABSTRACT) :
		    (classMods & ~Modifier.ABSTRACT);
	    }
	    dout.writeInt(classMods);
	    
	    if (!cl.isArray()) {
		/*
		 * compensate for change in 1.2FCS in which
		 * Class.getInterfaces() was modified to return Cloneable and
		 * Serializable for array classes.
		 */
		Class[] interfaces = cl.getInterfaces();
		String[] ifaceNames = new String[interfaces.length];
		for (int i = 0; i < interfaces.length; i++) {
		    ifaceNames[i] = interfaces[i].getName();
		}
		Arrays.sort(ifaceNames);
		for (int i = 0; i < ifaceNames.length; i++) {
		    dout.writeUTF(ifaceNames[i]);
		}
	    }
	    
	    Field[] fields = cl.getDeclaredFields();
	    MemberSignature[] fieldSigs = new MemberSignature[fields.length];
	    for (int i = 0; i < fields.length; i++) {
		fieldSigs[i] = new MemberSignature(fields[i]);
	    }
	    Arrays.sort(fieldSigs, new Comparator() {
		public int compare(Object o1, Object o2) {
		    String name1 = ((MemberSignature) o1).name;
		    String name2 = ((MemberSignature) o2).name;
		    return name1.compareTo(name2);
		}
	    });
	    for (int i = 0; i < fieldSigs.length; i++) {
		MemberSignature sig = fieldSigs[i];
		int mods = sig.member.getModifiers();
		if (((mods & Modifier.PRIVATE) == 0) ||
		    ((mods & (Modifier.STATIC | Modifier.TRANSIENT)) == 0))
		{
		    dout.writeUTF(sig.name);
		    dout.writeInt(mods);
		    dout.writeUTF(sig.signature);
		}
	    }
	    
	    if (hasStaticInitializer(cl)) {
		dout.writeUTF("");
		dout.writeInt(Modifier.STATIC);
		dout.writeUTF("()V");
	    }

	    Constructor[] cons = cl.getDeclaredConstructors();
	    MemberSignature[] consSigs = new MemberSignature[cons.length];
	    for (int i = 0; i < cons.length; i++) {
		consSigs[i] = new MemberSignature(cons[i]);
	    }
	    Arrays.sort(consSigs, new Comparator() {
		public int compare(Object o1, Object o2) {
		    String sig1 = ((MemberSignature) o1).signature;
		    String sig2 = ((MemberSignature) o2).signature;
		    return sig1.compareTo(sig2);
		}
	    });
	    for (int i = 0; i < consSigs.length; i++) {
		MemberSignature sig = consSigs[i];
		int mods = sig.member.getModifiers();
		if ((mods & Modifier.PRIVATE) == 0) {
		    dout.writeUTF("");
		    dout.writeInt(mods);
		    dout.writeUTF(sig.signature.replace('/', '.'));
		}
	    }
	    
	    MemberSignature[] methSigs = new MemberSignature[methods.length];
	    for (int i = 0; i < methods.length; i++) {
		methSigs[i] = new MemberSignature(methods[i]);
	    }
	    Arrays.sort(methSigs, new Comparator() {
		public int compare(Object o1, Object o2) {
		    MemberSignature ms1 = (MemberSignature) o1;
		    MemberSignature ms2 = (MemberSignature) o2;
		    int comp = ms1.name.compareTo(ms2.name);
		    if (comp == 0) {
			comp = ms1.signature.compareTo(ms2.signature);
		    }
		    return comp;
		}
	    });
	    for (int i = 0; i < methSigs.length; i++) {
		MemberSignature sig = methSigs[i];
		int mods = sig.member.getModifiers();
		if ((mods & Modifier.PRIVATE) == 0) {
		    dout.writeUTF(sig.name);
		    dout.writeInt(mods);
		    dout.writeUTF(sig.signature.replace('/', '.'));
		}
	    }

	    dout.flush();

	    MessageDigest md = MessageDigest.getInstance("SHA");
	    byte[] hashBytes = md.digest(bout.toByteArray());
	    long hash = 0;
	    for (int i = Math.min(hashBytes.length, 8) - 1; i >= 0; i--) {
		hash = (hash << 8) | (hashBytes[i] & 0xFF);
	    }
	    return hash;
	} catch (IOException ex) {
	    throw new InternalError();
	} catch (NoSuchAlgorithmException ex) {
	    throw new SecurityException(ex.getMessage());
	}
    }

    /**
     * Returns true if the given class defines a static initializer method,
     * false otherwise.
     */
    private native static boolean hasStaticInitializer(Class cl);

    /**
     * Class for computing and caching field/constructor/method signatures
     * during serialVersionUID calculation.
     */
    private static class MemberSignature {

	public final Member member;
	public final String name;
	public final String signature;
	
	public MemberSignature(Field field) {
	    member = field;
	    name = field.getName();
	    signature = getClassSignature(field.getType());
	}
	
	public MemberSignature(Constructor cons) {
	    member = cons;
	    name = cons.getName();
	    signature = getMethodSignature(
		cons.getParameterTypes(), Void.TYPE);
	}
	
	public MemberSignature(Method meth) {
	    member = meth;
	    name = meth.getName();
	    signature = getMethodSignature(
		meth.getParameterTypes(), meth.getReturnType());
	}
    }
    
    /**
     * Class for setting and retrieving serializable field values in batch.
     */
    // REMIND: dynamically generate these?
    private static class FieldReflector {
	
	/** handle for performing unsafe operations */
	private static final Unsafe unsafe = Unsafe.getUnsafe();

	/** fields to operate on */
	private final ObjectStreamField[] fields;
	/** number of primitive fields */
	private final int numPrimFields;
	/** unsafe field keys */
	private final long[] keys;
	/** field data offsets */
	private final int[] offsets;
	/** field type codes */
	private final char[] typeCodes;
	/** field types */
	private final Class[] types;

	/**
	 * Constructs FieldReflector capable of setting/getting values from the
	 * subset of fields whose ObjectStreamFields contain non-null
	 * reflective Field objects.  ObjectStreamFields with null Fields are
	 * treated as filler, for which get operations return default values
	 * and set operations discard given values.
	 */
	FieldReflector(ObjectStreamField[] fields) {
	    this.fields = fields;
	    int nfields = fields.length;
	    keys = new long[nfields];
	    offsets = new int[nfields];
	    typeCodes = new char[nfields];
	    ArrayList typeList = new ArrayList();
	    
	    for (int i = 0; i < nfields; i++) {
		ObjectStreamField f = fields[i];
		Field rf = f.getField();
		keys[i] = (rf != null) ? 
		    unsafe.objectFieldOffset(rf) : Unsafe.INVALID_FIELD_OFFSET;
		offsets[i] = f.getOffset();
		typeCodes[i] = f.getTypeCode();
		if (!f.isPrimitive()) {
		    typeList.add((rf != null) ? rf.getType() : null);
		}
	    }
	    
	    types = (Class[]) typeList.toArray(new Class[typeList.size()]);
	    numPrimFields = nfields - types.length;
	}

	/**
	 * Returns list of ObjectStreamFields representing fields operated on
	 * by this reflector.  The shared/unshared values and Field objects
	 * contained by ObjectStreamFields in the list reflect their bindings
	 * to locally defined serializable fields.
	 */
	ObjectStreamField[] getFields() {
	    return fields;
	}

	/**
	 * Fetches the serializable primitive field values of object obj and
	 * marshals them into byte array buf starting at offset 0.  The caller
	 * is responsible for ensuring that obj is of the proper type.
	 */
	void getPrimFieldValues(Object obj, byte[] buf) {
	    if (obj == null) {
		throw new NullPointerException();
	    }
	    /* assuming checkDefaultSerialize() has been called on the class
	     * descriptor this FieldReflector was obtained from, no field keys
	     * in array should be equal to Unsafe.INVALID_FIELD_OFFSET.
	     */
	    for (int i = 0; i < numPrimFields; i++) {
		long key = keys[i];
		int off = offsets[i];
		switch (typeCodes[i]) {
		    case 'Z':
			Bits.putBoolean(buf, off, unsafe.getBoolean(obj, key));
			break;

		    case 'B':
			buf[off] = unsafe.getByte(obj, key);
			break;

		    case 'C':
			Bits.putChar(buf, off, unsafe.getChar(obj, key));
			break;

		    case 'S':
			Bits.putShort(buf, off, unsafe.getShort(obj, key));
			break;

		    case 'I':
			Bits.putInt(buf, off, unsafe.getInt(obj, key));
			break;

		    case 'F':
			Bits.putFloat(buf, off, unsafe.getFloat(obj, key));
			break;

		    case 'J':
			Bits.putLong(buf, off, unsafe.getLong(obj, key));
			break;

		    case 'D':
			Bits.putDouble(buf, off, unsafe.getDouble(obj, key));
			break;

		    default:
			throw new InternalError();
		}
	    }
	}

	/**
	 * Sets the serializable primitive fields of object obj using values
	 * unmarshalled from byte array buf starting at offset 0.  The caller
	 * is responsible for ensuring that obj is of the proper type.
	 */
	void setPrimFieldValues(Object obj, byte[] buf) {
	    if (obj == null) {
		throw new NullPointerException();
	    }
	    for (int i = 0; i < numPrimFields; i++) {
		long key = keys[i];
		if (key == Unsafe.INVALID_FIELD_OFFSET) {
		    continue;		// discard value
		}
		int off = offsets[i];
		switch (typeCodes[i]) {
		    case 'Z':
			unsafe.putBoolean(obj, key, Bits.getBoolean(buf, off));
			break;

		    case 'B':
			unsafe.putByte(obj, key, buf[off]);
			break;

		    case 'C':
			unsafe.putChar(obj, key, Bits.getChar(buf, off));
			break;

		    case 'S':
			unsafe.putShort(obj, key, Bits.getShort(buf, off));
			break;

		    case 'I':
			unsafe.putInt(obj, key, Bits.getInt(buf, off));
			break;

		    case 'F':
			unsafe.putFloat(obj, key, Bits.getFloat(buf, off));
			break;

		    case 'J':
			unsafe.putLong(obj, key, Bits.getLong(buf, off));
			break;

		    case 'D':
			unsafe.putDouble(obj, key, Bits.getDouble(buf, off));
			break;

		    default:
			throw new InternalError();
		}
	    }
	}

	/**
	 * Fetches the serializable object field values of object obj and
	 * stores them in array vals starting at offset 0.  The caller is
	 * responsible for ensuring that obj is of the proper type.
	 */
	void getObjFieldValues(Object obj, Object[] vals) {
	    if (obj == null) {
		throw new NullPointerException();
	    }
	    /* assuming checkDefaultSerialize() has been called on the class
	     * descriptor this FieldReflector was obtained from, no field keys
	     * in array should be equal to Unsafe.INVALID_FIELD_OFFSET.
	     */
	    for (int i = numPrimFields; i < fields.length; i++) {
		switch (typeCodes[i]) {
		    case 'L':
		    case '[':
			vals[offsets[i]] = unsafe.getObject(obj, keys[i]);
			break;
			
		    default:
			throw new InternalError();
		}
	    }
	}

	/**
	 * Sets the serializable object fields of object obj using values from
	 * array vals starting at offset 0.  The caller is responsible for
	 * ensuring that obj is of the proper type; however, attempts to set a
	 * field with a value of the wrong type will trigger an appropriate
	 * ClassCastException.
	 */
	void setObjFieldValues(Object obj, Object[] vals) {
	    if (obj == null) {
		throw new NullPointerException();
	    }
	    for (int i = numPrimFields; i < fields.length; i++) {
		long key = keys[i];
		if (key == Unsafe.INVALID_FIELD_OFFSET) {
		    continue;		// discard value
		}
		switch (typeCodes[i]) {
		    case 'L':
		    case '[':
			Object val = vals[offsets[i]];
			if (val != null && 
			    !types[i - numPrimFields].isInstance(val))
			{
			    Field f = fields[i].getField();
			    throw new ClassCastException(
				"cannot assign instance of " + 
				val.getClass().getName() + " to field " +
				f.getDeclaringClass().getName() + "." +
				f.getName() + " of type " +
				f.getType().getName() + " in instance of " +
				obj.getClass().getName());
			}
			unsafe.putObject(obj, key, val);
			break;
			
		    default:
			throw new InternalError();
		}
	    }
	}
    }
    
    /**
     * Matches given set of serializable fields with serializable fields
     * described by the given local class descriptor, and returns a
     * FieldReflector instance capable of setting/getting values from the
     * subset of fields that match (non-matching fields are treated as filler,
     * for which get operations return default values and set operations
     * discard given values).  Throws InvalidClassException if unresolvable
     * type conflicts exist between the two sets of fields.
     */
    private static FieldReflector getReflector(ObjectStreamField[] fields,
					       ObjectStreamClass localDesc)
	throws InvalidClassException
    {
	// class irrelevant if no fields
	Class cl = (localDesc != null && fields.length > 0) ? 
	    localDesc.cl : null;
	Object key = new FieldReflectorKey(cl, fields);
	Object entry;
	EntryFuture future = null;
	
	synchronized (reflectors) {
	    if ((entry = reflectors.get(key)) == null) {
		reflectors.put(key, future = new EntryFuture());
	    }
	}
	
	if (entry instanceof FieldReflector) {	// check common case first
	    return (FieldReflector) entry;
	} else if (entry instanceof EntryFuture) {
	    entry = ((EntryFuture) entry).get();
	} else if (entry == null) {
	    try {
		entry = new FieldReflector(matchFields(fields, localDesc));
	    } catch (Throwable th) {
		entry = th;
	    }
	    future.set(entry);
	    synchronized (reflectors) {
		reflectors.put(key, entry);
	    }
	}
	
	if (entry instanceof FieldReflector) {
	    return (FieldReflector) entry;
	} else if (entry instanceof InvalidClassException) {
	    throw (InvalidClassException) entry;
	} else if (entry instanceof RuntimeException) {
	    throw (RuntimeException) entry;
	} else if (entry instanceof Error) {
	    throw (Error) entry;
	} else {
	    throw new InternalError("unexpected entry: " + entry);
	}
    }
    
    /**
     * FieldReflector cache lookup key.  Keys are considered equal if they
     * refer to the same class and equivalent field formats.
     */
    private static class FieldReflectorKey {
	
	private final Class cl;
	private final String sigs;
	private final int hash;
	
	FieldReflectorKey(Class cl, ObjectStreamField[] fields) {
	    /*
	     * Note: maintaining a direct reference to the class does not pin
	     * it indefinitely, since SoftCache removes strong refs to keys
	     * when the corresponding values are gc'ed.
	     */
	    this.cl = cl;

	    StringBuffer sbuf = new StringBuffer();
	    for (int i = 0; i < fields.length; i++) {
		ObjectStreamField f = fields[i];
		sbuf.append(f.getName()).append(f.getSignature());
	    }
	    sigs = sbuf.toString();
	    hash = System.identityHashCode(cl) + sigs.hashCode();
	}
	
	public int hashCode() {
	    return hash;
	}
	
	public boolean equals(Object obj) {
	    if (!(obj instanceof FieldReflectorKey)) {
		return false;
	    }
	    FieldReflectorKey key = (FieldReflectorKey) obj;
	    return (cl == key.cl && sigs.equals(key.sigs));
	}
    }
    
    /**
     * Matches given set of serializable fields with serializable fields
     * obtained from the given local class descriptor (which contain bindings
     * to reflective Field objects).  Returns list of ObjectStreamFields in
     * which each ObjectStreamField whose signature matches that of a local
     * field contains a Field object for that field; unmatched
     * ObjectStreamFields contain null Field objects.  Shared/unshared settings
     * of the returned ObjectStreamFields also reflect those of matched local
     * ObjectStreamFields.  Throws InvalidClassException if unresolvable type
     * conflicts exist between the two sets of fields.
     */
    private static ObjectStreamField[] matchFields(ObjectStreamField[] fields,
						   ObjectStreamClass localDesc)
	throws InvalidClassException
    {
	ObjectStreamField[] localFields = (localDesc != null) ?
	    localDesc.fields : NO_FIELDS;
	
	/*
	 * Even if fields == localFields, we cannot simply return localFields
	 * here.  In previous implementations of serialization,
	 * ObjectStreamField.getType() returned Object.class if the
	 * ObjectStreamField represented a non-primitive field and belonged to
	 * a non-local class descriptor.  To preserve this (questionable)
	 * behavior, the ObjectStreamField instances returned by matchFields
	 * cannot report non-primitive types other than Object.class; hence
	 * localFields cannot be returned directly.
	 */
	
	ObjectStreamField[] matches = new ObjectStreamField[fields.length];
	for (int i = 0; i < fields.length; i++) {
	    ObjectStreamField f = fields[i], m = null;
	    for (int j = 0; j < localFields.length; j++) {
		ObjectStreamField lf = localFields[j];
		if (f.getName().equals(lf.getName())) {
		    if ((f.isPrimitive() || lf.isPrimitive()) &&
			f.getTypeCode() != lf.getTypeCode())
		    {
			throw new InvalidClassException(localDesc.name,
			    "incompatible types for field " + f.getName());
		    }
		    if (lf.getField() != null) {
			m = new ObjectStreamField(
			    lf.getField(), lf.isUnshared(), false);
		    } else {
			m = new ObjectStreamField(
			    lf.getName(), lf.getSignature(), lf.isUnshared());
		    }
		}
	    }
	    if (m == null) {
		m = new ObjectStreamField(
		    f.getName(), f.getSignature(), false);
	    }
	    m.setOffset(f.getOffset());
	    matches[i] = m;
	}
	return matches;
    }
}
why-2.39/lib/java_api/java/io/StreamTokenizer.java0000644000106100004300000006223113147234006021076 0ustar  marchevals/*
 * @(#)StreamTokenizer.java	1.39 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.io;


/**
 * The StreamTokenizer class takes an input stream and
 * parses it into "tokens", allowing the tokens to be
 * read one at a time. The parsing process is controlled by a table
 * and a number of flags that can be set to various states. The
 * stream tokenizer can recognize identifiers, numbers, quoted
 * strings, and various comment styles.
 * 
    
 * Each byte read from the input stream is regarded as a character
 * in the range '\u0000' through '\u00FF'.
 * The character value is used to look up five possible attributes of
 * the character: white space, alphabetic,
 * numeric, string quote, and comment character.
 * Each character can have zero or more of these attributes.
 * 
    
 * In addition, an instance has four flags. These flags indicate:
 * 
      
 * 
    • Whether line terminators are to be returned as tokens or treated
 *     as white space that merely separates tokens.
 * 
    • Whether C-style comments are to be recognized and skipped.
 * 
    • Whether C++-style comments are to be recognized and skipped.
 * 
    • Whether the characters of identifiers are converted to lowercase.
 * 
    
 * 
    
 * A typical application first constructs an instance of this class,
 * sets up the syntax tables, and then repeatedly loops calling the
 * nextToken method in each iteration of the loop until
 * it returns the value TT_EOF.
 *
 * @author  James Gosling
 * @version 1.39, 01/23/03
 * @see     java.io.StreamTokenizer#nextToken()
 * @see     java.io.StreamTokenizer#TT_EOF
 * @since   JDK1.0
 */

public class StreamTokenizer {

    /* Only one of these will be non-null */
    private Reader reader = null;
    private InputStream input = null;

    private char buf[] = new char[20];

    /**
     * The next character to be considered by the nextToken method.  May also
     * be NEED_CHAR to indicate that a new character should be read, or SKIP_LF
     * to indicate that a new character should be read and, if it is a '\n'
     * character, it should be discarded and a second new character should be
     * read.
     */
    private int peekc = NEED_CHAR;

    private static final int NEED_CHAR = Integer.MAX_VALUE;
    private static final int SKIP_LF = Integer.MAX_VALUE - 1;

    private boolean pushedBack;
    private boolean forceLower;
    /** The line number of the last token read */
    private int LINENO = 1;

    private boolean eolIsSignificantP = false;
    private boolean slashSlashCommentsP = false;
    private boolean slashStarCommentsP = false;

    private byte ctype[] = new byte[256];
    private static final byte CT_WHITESPACE = 1;
    private static final byte CT_DIGIT = 2;
    private static final byte CT_ALPHA = 4;
    private static final byte CT_QUOTE = 8;
    private static final byte CT_COMMENT = 16;

    /**
     * After a call to the nextToken method, this field
     * contains the type of the token just read. For a single character
     * token, its value is the single character, converted to an integer.
     * For a quoted string token (see , its value is the quote character.
     * Otherwise, its value is one of the following:
     * 
      
     * 
    • TT_WORD indicates that the token is a word.
     * 
    • TT_NUMBER indicates that the token is a number.
     * 
    • TT_EOL indicates that the end of line has been read.
     *     The field can only have this value if the
     *     eolIsSignificant method has been called with the
     *     argument true.
     * 
    • TT_EOF indicates that the end of the input stream
     *     has been reached.
     * 
    
     * 
    
     * The initial value of this field is -4.
     *
     * @see     java.io.StreamTokenizer#eolIsSignificant(boolean)
     * @see     java.io.StreamTokenizer#nextToken()
     * @see     java.io.StreamTokenizer#quoteChar(int)
     * @see     java.io.StreamTokenizer#TT_EOF
     * @see     java.io.StreamTokenizer#TT_EOL
     * @see     java.io.StreamTokenizer#TT_NUMBER
     * @see     java.io.StreamTokenizer#TT_WORD
     */
    public int ttype = TT_NOTHING;

    /**
     * A constant indicating that the end of the stream has been read.
     */
    public static final int TT_EOF = -1;

    /**
     * A constant indicating that the end of the line has been read.
     */
    public static final int TT_EOL = '\n';

    /**
     * A constant indicating that a number token has been read.
     */
    public static final int TT_NUMBER = -2;

    /**
     * A constant indicating that a word token has been read.
     */
    public static final int TT_WORD = -3;

    /* A constant indicating that no token has been read, used for
     * initializing ttype.  FIXME This could be made public and
     * made available as the part of the API in a future release.
     */
    private static final int TT_NOTHING = -4;

    /**
     * If the current token is a word token, this field contains a
     * string giving the characters of the word token. When the current
     * token is a quoted string token, this field contains the body of
     * the string.
     * 
    
     * The current token is a word when the value of the
     * ttype field is TT_WORD. The current token is
     * a quoted string token when the value of the ttype field is
     * a quote character.
     * 
    
     * The initial value of this field is null.
     *
     * @see     java.io.StreamTokenizer#quoteChar(int)
     * @see     java.io.StreamTokenizer#TT_WORD
     * @see     java.io.StreamTokenizer#ttype
     */
    public String sval;

    /**
     * If the current token is a number, this field contains the value
     * of that number. The current token is a number when the value of
     * the ttype field is TT_NUMBER.
     * 
    
     * The initial value of this field is 0.0.
     *
     * @see     java.io.StreamTokenizer#TT_NUMBER
     * @see     java.io.StreamTokenizer#ttype
     */
    public double nval;

    /** Private constructor that initializes everything except the streams. */
    private StreamTokenizer() {
	wordChars('a', 'z');
	wordChars('A', 'Z');
	wordChars(128 + 32, 255);
	whitespaceChars(0, ' ');
	commentChar('/');
	quoteChar('"');
	quoteChar('\'');
	parseNumbers();
    }

    /**
     * Creates a stream tokenizer that parses the specified input
     * stream. The stream tokenizer is initialized to the following
     * default state:
     * 
      
     * 
    • All byte values 'A' through 'Z',
     *     'a' through 'z', and
     *     '\u00A0' through '\u00FF' are
     *     considered to be alphabetic.
     * 
    • All byte values '\u0000' through
     *     '\u0020' are considered to be white space.
     * 
    • '/' is a comment character.
     * 
    • Single quote '\'' and double quote '"'
     *     are string quote characters.
     * 
    • Numbers are parsed.
     * 
    • Ends of lines are treated as white space, not as separate tokens.
     * 
    • C-style and C++-style comments are not recognized.
     * 
    
     *
     * @deprecated As of JDK version 1.1, the preferred way to tokenize an
     * input stream is to convert it into a character stream, for example:
     * 
         *   Reader r = new BufferedReader(new InputStreamReader(is));
     *   StreamTokenizer st = new StreamTokenizer(r);
     * 
    
     *
     * @param      is        an input stream.
     * @see        java.io.BufferedReader
     * @see        java.io.InputStreamReader
     * @see        java.io.StreamTokenizer#StreamTokenizer(java.io.Reader)
     */
    public StreamTokenizer(InputStream is) {
	this();
        if (is == null) {
            throw new NullPointerException();
        }
	input = is;
    }

    /**
     * Create a tokenizer that parses the given character stream.
     *
     * @param r  a Reader object providing the input stream.
     * @since   JDK1.1
     */
    public StreamTokenizer(Reader r) {
	this();
        if (r == null) {
            throw new NullPointerException();
        }
	reader = r;
    }

    /**
     * Resets this tokenizer's syntax table so that all characters are
     * "ordinary." See the ordinaryChar method
     * for more information on a character being ordinary.
     *
     * @see     java.io.StreamTokenizer#ordinaryChar(int)
     */
    public void resetSyntax() {
	for (int i = ctype.length; --i >= 0;)
	    ctype[i] = 0;
    }

    /**
     * Specifies that all characters c in the range
     * low <= c <= high
     * are word constituents. A word token consists of a word constituent
     * followed by zero or more word constituents or number constituents.
     *
     * @param   low   the low end of the range.
     * @param   hi    the high end of the range.
     */
    public void wordChars(int low, int hi) {
	if (low < 0)
	    low = 0;
	if (hi >= ctype.length)
	    hi = ctype.length - 1;
	while (low <= hi)
	    ctype[low++] |= CT_ALPHA;
    }

    /**
     * Specifies that all characters c in the range
     * low <= c <= high
     * are white space characters. White space characters serve only to
     * separate tokens in the input stream.
     *
     * 
    Any other attribute settings for the characters in the specified
     * range are cleared.
     *
     * @param   low   the low end of the range.
     * @param   hi    the high end of the range.
     */
    public void whitespaceChars(int low, int hi) {
	if (low < 0)
	    low = 0;
	if (hi >= ctype.length)
	    hi = ctype.length - 1;
	while (low <= hi)
	    ctype[low++] = CT_WHITESPACE;
    }

    /**
     * Specifies that all characters c in the range
     * low <= c <= high
     * are "ordinary" in this tokenizer. See the
     * ordinaryChar method for more information on a
     * character being ordinary.
     *
     * @param   low   the low end of the range.
     * @param   hi    the high end of the range.
     * @see     java.io.StreamTokenizer#ordinaryChar(int)
     */
    public void ordinaryChars(int low, int hi) {
	if (low < 0)
	    low = 0;
	if (hi >= ctype.length)
	    hi = ctype.length - 1;
	while (low <= hi)
	    ctype[low++] = 0;
    }

    /**
     * Specifies that the character argument is "ordinary"
     * in this tokenizer. It removes any special significance the
     * character has as a comment character, word component, string
     * delimiter, white space, or number character. When such a character
     * is encountered by the parser, the parser treates it as a
     * single-character token and sets ttype field to the
     * character value.
     *
     * @param   ch   the character.
     * @see     java.io.StreamTokenizer#ttype
     */
    public void ordinaryChar(int ch) {
        if (ch >= 0 && ch < ctype.length)
  	    ctype[ch] = 0;
    }

    /**
     * Specified that the character argument starts a single-line
     * comment. All characters from the comment character to the end of
     * the line are ignored by this stream tokenizer.
     *
     * 
    Any other attribute settings for the specified character are cleared.
     *
     * @param   ch   the character.
     */
    public void commentChar(int ch) {
        if (ch >= 0 && ch < ctype.length)
	    ctype[ch] = CT_COMMENT;
    }

    /**
     * Specifies that matching pairs of this character delimit string
     * constants in this tokenizer.
     * 
    
     * When the nextToken method encounters a string
     * constant, the ttype field is set to the string
     * delimiter and the sval field is set to the body of
     * the string.
     * 
    
     * If a string quote character is encountered, then a string is
     * recognized, consisting of all characters after (but not including)
     * the string quote character, up to (but not including) the next
     * occurrence of that same string quote character, or a line
     * terminator, or end of file. The usual escape sequences such as
     * "\n" and "\t" are recognized and
     * converted to single characters as the string is parsed.
     *
     * 
    Any other attribute settings for the specified character are cleared.
     *
     * @param   ch   the character.
     * @see     java.io.StreamTokenizer#nextToken()
     * @see     java.io.StreamTokenizer#sval
     * @see     java.io.StreamTokenizer#ttype
     */
    public void quoteChar(int ch) {
        if (ch >= 0 && ch < ctype.length)
 	    ctype[ch] = CT_QUOTE;
    }

    /**
     * Specifies that numbers should be parsed by this tokenizer. The
     * syntax table of this tokenizer is modified so that each of the twelve
     * characters:
     * 
         *      0 1 2 3 4 5 6 7 8 9 . -
     * 
    
     * 
    
     * has the "numeric" attribute.
     * 
    
     * When the parser encounters a word token that has the format of a
     * double precision floating-point number, it treats the token as a
     * number rather than a word, by setting the the ttype
     * field to the value TT_NUMBER and putting the numeric
     * value of the token into the nval field.
     *
     * @see     java.io.StreamTokenizer#nval
     * @see     java.io.StreamTokenizer#TT_NUMBER
     * @see     java.io.StreamTokenizer#ttype
     */
    public void parseNumbers() {
	for (int i = '0'; i <= '9'; i++)
	    ctype[i] |= CT_DIGIT;
	ctype['.'] |= CT_DIGIT;
	ctype['-'] |= CT_DIGIT;
    }

    /**
     * Determines whether or not ends of line are treated as tokens.
     * If the flag argument is true, this tokenizer treats end of lines
     * as tokens; the nextToken method returns
     * TT_EOL and also sets the ttype field to
     * this value when an end of line is read.
     * 
    
     * A line is a sequence of characters ending with either a
     * carriage-return character ('\r') or a newline
     * character ('\n'). In addition, a carriage-return
     * character followed immediately by a newline character is treated
     * as a single end-of-line token.
     * 
    
     * If the flag is false, end-of-line characters are
     * treated as white space and serve only to separate tokens.
     *
     * @param   flag   true indicates that end-of-line characters
     *                 are separate tokens; false indicates that
     *                 end-of-line characters are white space.
     * @see     java.io.StreamTokenizer#nextToken()
     * @see     java.io.StreamTokenizer#ttype
     * @see     java.io.StreamTokenizer#TT_EOL
     */
    public void eolIsSignificant(boolean flag) {
	eolIsSignificantP = flag;
    }

    /**
     * Determines whether or not the tokenizer recognizes C-style comments.
     * If the flag argument is true, this stream tokenizer
     * recognizes C-style comments. All text between successive
     * occurrences of /* and */ are discarded.
     * 
    
     * If the flag argument is false, then C-style comments
     * are not treated specially.
     *
     * @param   flag   true indicates to recognize and ignore
     *                 C-style comments.
     */
    public void slashStarComments(boolean flag) {
	slashStarCommentsP = flag;
    }

    /**
     * Determines whether or not the tokenizer recognizes C++-style comments.
     * If the flag argument is true, this stream tokenizer
     * recognizes C++-style comments. Any occurrence of two consecutive
     * slash characters ('/') is treated as the beginning of
     * a comment that extends to the end of the line.
     * 
    
     * If the flag argument is false, then C++-style
     * comments are not treated specially.
     *
     * @param   flag   true indicates to recognize and ignore
     *                 C++-style comments.
     */
    public void slashSlashComments(boolean flag) {
	slashSlashCommentsP = flag;
    }

    /**
     * Determines whether or not word token are automatically lowercased.
     * If the flag argument is true, then the value in the
     * sval field is lowercased whenever a word token is
     * returned (the ttype field has the
     * value TT_WORD by the nextToken method
     * of this tokenizer.
     * 
    
     * If the flag argument is false, then the
     * sval field is not modified.
     *
     * @param   fl   true indicates that all word tokens should
     *               be lowercased.
     * @see     java.io.StreamTokenizer#nextToken()
     * @see     java.io.StreamTokenizer#ttype
     * @see     java.io.StreamTokenizer#TT_WORD
     */
    public void lowerCaseMode(boolean fl) {
	forceLower = fl;
    }

    /** Read the next character */
    private int read() throws IOException {
	if (reader != null)
	    return reader.read();
	else if (input != null)
	    return input.read();
	else
	    throw new IllegalStateException();
    }

    /**
     * Parses the next token from the input stream of this tokenizer.
     * The type of the next token is returned in the ttype
     * field. Additional information about the token may be in the
     * nval field or the sval field of this
     * tokenizer.
     * 
    
     * Typical clients of this
     * class first set up the syntax tables and then sit in a loop
     * calling nextToken to parse successive tokens until TT_EOF
     * is returned.
     *
     * @return     the value of the ttype field.
     * @exception  IOException  if an I/O error occurs.
     * @see        java.io.StreamTokenizer#nval
     * @see        java.io.StreamTokenizer#sval
     * @see        java.io.StreamTokenizer#ttype
     */
    public int nextToken() throws IOException {
	if (pushedBack) {
	    pushedBack = false;
	    return ttype;
	}
	byte ct[] = ctype;
	sval = null;

	int c = peekc;
	if (c < 0)
	    c = NEED_CHAR;
	if (c == SKIP_LF) {
	    c = read();
	    if (c < 0)
		return ttype = TT_EOF;
	    if (c == '\n')
		c = NEED_CHAR;
	}
	if (c == NEED_CHAR) {
	    c = read();
	    if (c < 0)
		return ttype = TT_EOF;
	}
	ttype = c;		/* Just to be safe */

	/* Set peekc so that the next invocation of nextToken will read
	 * another character unless peekc is reset in this invocation
	 */
	peekc = NEED_CHAR;

	int ctype = c < 256 ? ct[c] : CT_ALPHA;
	while ((ctype & CT_WHITESPACE) != 0) {
	    if (c == '\r') {
		LINENO++;
		if (eolIsSignificantP) {
		    peekc = SKIP_LF;
		    return ttype = TT_EOL;
		}
		c = read();
		if (c == '\n')
		    c = read();
	    } else {
		if (c == '\n') {
		    LINENO++;
		    if (eolIsSignificantP) {
			return ttype = TT_EOL;
		    }
		}
		c = read();
	    }
	    if (c < 0)
		return ttype = TT_EOF;
	    ctype = c < 256 ? ct[c] : CT_ALPHA;
	}

	if ((ctype & CT_DIGIT) != 0) {
	    boolean neg = false;
	    if (c == '-') {
		c = read();
		if (c != '.' && (c < '0' || c > '9')) {
		    peekc = c;
		    return ttype = '-';
		}
		neg = true;
	    }
	    double v = 0;
	    int decexp = 0;
	    int seendot = 0;
	    while (true) {
		if (c == '.' && seendot == 0)
		    seendot = 1;
		else if ('0' <= c && c <= '9') {
		    v = v * 10 + (c - '0');
		    decexp += seendot;
		} else
		    break;
		c = read();
	    }
	    peekc = c;
	    if (decexp != 0) {
		double denom = 10;
		decexp--;
		while (decexp > 0) {
		    denom *= 10;
		    decexp--;
		}
		/* Do one division of a likely-to-be-more-accurate number */
		v = v / denom;
	    }
	    nval = neg ? -v : v;
	    return ttype = TT_NUMBER;
	}

	if ((ctype & CT_ALPHA) != 0) {
	    int i = 0;
	    do {
		if (i >= buf.length) {
		    char nb[] = new char[buf.length * 2];
		    System.arraycopy(buf, 0, nb, 0, buf.length);
		    buf = nb;
		}
		buf[i++] = (char) c;
		c = read();
		ctype = c < 0 ? CT_WHITESPACE : c < 256 ? ct[c] : CT_ALPHA;
	    } while ((ctype & (CT_ALPHA | CT_DIGIT)) != 0);
	    peekc = c;
	    sval = String.copyValueOf(buf, 0, i);
	    if (forceLower)
		sval = sval.toLowerCase();
	    return ttype = TT_WORD;
	}

	if ((ctype & CT_QUOTE) != 0) {
	    ttype = c;
	    int i = 0;
	    /* Invariants (because \Octal needs a lookahead):
	     *   (i)  c contains char value
	     *   (ii) d contains the lookahead
	     */
	    int d = read();
	    while (d >= 0 && d != ttype && d != '\n' && d != '\r') {
	        if (d == '\\') {
   		    c = read();
		    int first = c;   /* To allow \377, but not \477 */
		    if (c >= '0' && c <= '7') {
			c = c - '0';
			int c2 = read();
			if ('0' <= c2 && c2 <= '7') {
			    c = (c << 3) + (c2 - '0');
			    c2 = read();
			    if ('0' <= c2 && c2 <= '7' && first <= '3') {
				c = (c << 3) + (c2 - '0');
				d = read();
			    } else
				d = c2;
			} else
			  d = c2;
		    } else {
  		        switch (c) {
			case 'a':
			    c = 0x7;
			    break;
			case 'b':
			    c = '\b';
			    break;
			case 'f':
			    c = 0xC;
			    break;
			case 'n':
			    c = '\n';
			    break;
		        case 'r':
			    c = '\r';
			    break;
			case 't':
			    c = '\t';
			    break;
			case 'v':
			    c = 0xB;
			    break;
			}
			d = read();
		    }
		} else {
		    c = d;
		    d = read();
		}
		if (i >= buf.length) {
		    char nb[] = new char[buf.length * 2];
		    System.arraycopy(buf, 0, nb, 0, buf.length);
		    buf = nb;
		}
		buf[i++] = (char)c;
	    }

	    /* If we broke out of the loop because we found a matching quote
	     * character then arrange to read a new character next time
	     * around; otherwise, save the character.
	     */
	    peekc = (d == ttype) ? NEED_CHAR : d;

	    sval = String.copyValueOf(buf, 0, i);
	    return ttype;
	}

	if (c == '/' && (slashSlashCommentsP || slashStarCommentsP)) {
	    c = read();
	    if (c == '*' && slashStarCommentsP) {
		int prevc = 0;
		while ((c = read()) != '/' || prevc != '*') {
		    if (c == '\r') {
			LINENO++;
			c = read();
			if (c == '\n') {
			    c = read();
			}
		    } else {
		        if (c == '\n') {
			    LINENO++;
			    c = read();
			}
		    }
		    if (c < 0)
		        return ttype = TT_EOF;
		    prevc = c;
		}
		return nextToken();
	    } else if (c == '/' && slashSlashCommentsP) {
	        while ((c = read()) != '\n' && c != '\r' && c >= 0);
	        peekc = c;
		return nextToken();
	    } else {
                /* Now see if it is still a single line comment */
                if ((ct['/'] & CT_COMMENT) != 0) {
                    while ((c = read()) != '\n' && c != '\r' && c >= 0);
                    peekc = c;
                    return nextToken();
                } else {
                    peekc = c;
                    return ttype = '/';
                }
	    }
        }

        if ((ctype & CT_COMMENT) != 0) {
            while ((c = read()) != '\n' && c != '\r' && c >= 0);
            peekc = c;
            return nextToken();
        }

	return ttype = c;
    }

    /**
     * Causes the next call to the nextToken method of this
     * tokenizer to return the current value in the ttype
     * field, and not to modify the value in the nval or
     * sval field.
     *
     * @see     java.io.StreamTokenizer#nextToken()
     * @see     java.io.StreamTokenizer#nval
     * @see     java.io.StreamTokenizer#sval
     * @see     java.io.StreamTokenizer#ttype
     */
    public void pushBack() {
        if (ttype != TT_NOTHING)   /* No-op if nextToken() not called */
	    pushedBack = true;
    }

    /**
     * Return the current line number.
     *
     * @return  the current line number of this stream tokenizer.
     */
    public int lineno() {
	return LINENO;
    }

    /**
     * Returns the string representation of the current stream token and
     * the line number it occurs on.
     *
     * 
    The precise string returned is unspecified, although the following
     * example can be considered typical:
     *
     * 
    Token['a'], line 10
    
     *
     * @return  a string representation of the token
     * @see     java.io.StreamTokenizer#nval
     * @see     java.io.StreamTokenizer#sval
     * @see     java.io.StreamTokenizer#ttype
     */
    public String toString() {
	String ret;
	switch (ttype) {
	  case TT_EOF:
	    ret = "EOF";
	    break;
	  case TT_EOL:
	    ret = "EOL";
	    break;
	  case TT_WORD:
	    ret = sval;
	    break;
	  case TT_NUMBER:
	    ret = "n=" + nval;
	    break;
   	  case TT_NOTHING:
	    ret = "NOTHING";
	    break;
	  default: {
		/* 
		 * ttype is the first character of either a quoted string or
		 * is an ordinary character. ttype can definitely not be less
		 * than 0, since those are reserved values used in the previous
		 * case statements
		 */
		if (ttype < 256 && 
		    ((ctype[ttype] & CT_QUOTE) != 0)) {
		    ret = sval;
		    break;
		}

		char s[] = new char[3];
		s[0] = s[2] = '\'';
		s[1] = (char) ttype;
		ret = new String(s);
		break;
	    }
	}
	return "Token[" + ret + "], line " + LINENO;
    }

}
why-2.39/lib/java_api/java/io/FileNotFoundException.java0000644000106100004300000000361413147234006022163 0ustar  marchevals/*
 * @(#)FileNotFoundException.java	1.22 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.io;


/**
 * Signals that an attempt to open the file denoted by a specified pathname
 * has failed.
 *
 * 
     This exception will be thrown by the {@link FileInputStream}, {@link
 * FileOutputStream}, and {@link RandomAccessFile} constructors when a file
 * with the specified pathname does not exist.  It will also be thrown by these
 * constructors if the file does exist but for some reason is inaccessible, for
 * example when an attempt is made to open a read-only file for writing.
 *
 * @author  unascribed
 * @version 1.22, 01/23/03
 * @since   JDK1.0
 */

public class FileNotFoundException extends IOException {

    /**
     * Constructs a FileNotFoundException with
     * null as its error detail message.
     */
    public FileNotFoundException() {
	super();
    }

    /**
     * Constructs a FileNotFoundException with the
     * specified detail message. The string s can be
     * retrieved later by the
     * {@link java.lang.Throwable#getMessage}
     * method of class java.lang.Throwable.
     *
     * @param   s   the detail message.
     */
    public FileNotFoundException(String s) {
	super(s);
    }

    /**
     * Constructs a FileNotFoundException with a detail message
     * consisting of the given pathname string followed by the given reason
     * string.  If the reason argument is null then
     * it will be omitted.  This private constructor is invoked only by native
     * I/O methods.
     *
     * @since 1.2
     */
    private FileNotFoundException(String path, String reason) {
	super(path + ((reason == null)
		      ? ""
		      : " (" + reason + ")"));
    }

}
why-2.39/lib/java_api/java/io/OutputStreamWriter.java0000644000106100004300000001520413147234006021617 0ustar  marchevals/*
 * @(#)OutputStreamWriter.java	1.45 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.io;

//KML import java.nio.charset.Charset;
//KML import java.nio.charset.CharsetEncoder;
//KML import sun.nio.cs.StreamEncoder;


/**
 * An OutputStreamWriter is a bridge from character streams to byte streams:
 * Characters written to it are encoded into bytes using a specified {@link
 * java.nio.charset.Charset charset}.  The charset that it uses
 * may be specified by name or may be given explicitly, or the platform's
 * default charset may be accepted.
 *
 * 
     Each invocation of a write() method causes the encoding converter to be
 * invoked on the given character(s).  The resulting bytes are accumulated in a
 * buffer before being written to the underlying output stream.  The size of
 * this buffer may be specified, but by default it is large enough for most
 * purposes.  Note that the characters passed to the write() methods are not
 * buffered.
 *
 * 
     For top efficiency, consider wrapping an OutputStreamWriter within a
 * BufferedWriter so as to avoid frequent converter invocations.  For example:
 *
 * 
     * Writer out
 *   = new BufferedWriter(new OutputStreamWriter(System.out));
 * 
    
 *
 * 
     A surrogate pair is a character represented by a sequence of two
 * char values: A high surrogate in the range '\uD800' to
 * '\uDBFF' followed by a low surrogate in the range '\uDC00' to
 * '\uDFFF'.  If the character represented by a surrogate pair cannot be
 * encoded by a given charset then a charset-dependent substitution
 * sequence is written to the output stream.
 *
 * 
     A malformed surrogate element is a high surrogate that is not
 * followed by a low surrogate or a low surrogate that is not preceeded by a
 * high surrogate.  It is illegal to attempt to write a character stream
 * containing malformed surrogate elements.  The behavior of an instance of
 * this class when a malformed surrogate element is written is not specified.
 *
 * @see BufferedWriter
 * @see OutputStream
 * @see java.nio.charset.Charset
 *
 * @version 	1.45, 03/01/23
 * @author	Mark Reinhold
 * @since	JDK1.1
 */

public class OutputStreamWriter extends Writer {

    private final StreamEncoder se;

    /**
     * Create an OutputStreamWriter that uses the named charset.
     *
     * @param  out
     *         An OutputStream
     *
     * @param  charsetName
     *         The name of a supported
     *         {@link java.nio.charset.Charset charset}
     *
     * @exception  UnsupportedEncodingException
     *             If the named encoding is not supported
     */
    public OutputStreamWriter(OutputStream out, String charsetName)
	throws UnsupportedEncodingException
    {
	super(out);
	if (charsetName == null)
	    throw new NullPointerException("charsetName");
	se = StreamEncoder.forOutputStreamWriter(out, this, charsetName);
    }

    /**
     * Create an OutputStreamWriter that uses the default character encoding.
     *
     * @param  out  An OutputStream
     */
    public OutputStreamWriter(OutputStream out) {
	super(out);
	try {
	    se = StreamEncoder.forOutputStreamWriter(out, this, (String)null);
	} catch (UnsupportedEncodingException e) {
	    throw new Error(e);
        }
    }

    /**
     * Create an OutputStreamWriter that uses the given charset. 
    
     *
     * @param  out
     *         An OutputStream
     *
     * @param  cs
     *         A charset
     *
     * @since 1.4
     * @spec JSR-51
     */
    public OutputStreamWriter(OutputStream out, Charset cs) {
	super(out);
	if (cs == null)
	    throw new NullPointerException("charset");
	se = StreamEncoder.forOutputStreamWriter(out, this, cs);
    }

    /**
     * Create an OutputStreamWriter that uses the given charset encoder.  
    
     *
     * @param  out
     *         An OutputStream
     *
     * @param  enc
     *         A charset encoder
     *
     * @since 1.4
     * @spec JSR-51
     */
    public OutputStreamWriter(OutputStream out, CharsetEncoder enc) {
	super(out);
	if (enc == null)
	    throw new NullPointerException("charset encoder");
	se = StreamEncoder.forOutputStreamWriter(out, this, enc);
    }

    /**
     * Return the name of the character encoding being used by this stream.
     *
     * 
     If the encoding has an historical name then that name is returned;
     * otherwise the encoding's canonical name is returned.
     *
     * 
     If this instance was created with the {@link
     * #OutputStreamWriter(OutputStream, String)} constructor then the returned
     * name, being unique for the encoding, may differ from the name passed to
     * the constructor.  This method may return null if the stream has
     * been closed. 
    
     *
     * @return The historical name of this encoding, or possibly
     *         null if the stream has been closed
     *
     * @see java.nio.charset.Charset
     *
     * @revised 1.4
     * @spec JSR-51
     */
    public String getEncoding() {
	return se.getEncoding();
    }



    /**
     * Flush the output buffer to the underlying byte stream, without flushing
     * the byte stream itself.  This method is non-private only so that it may
     * be invoked by PrintStream.
     */
    void flushBuffer() throws IOException {
	se.flushBuffer();
    }

    /**
     * Write a single character.
     *
     * @exception  IOException  If an I/O error occurs
     */
    public void write(int c) throws IOException {
	se.write(c);
    }

    /**
     * Write a portion of an array of characters.
     *
     * @param  cbuf  Buffer of characters
     * @param  off   Offset from which to start writing characters
     * @param  len   Number of characters to write
     *
     * @exception  IOException  If an I/O error occurs
     */
    public void write(char cbuf[], int off, int len) throws IOException {
	se.write(cbuf, off, len);
    }

    /**
     * Write a portion of a string.
     *
     * @param  str  A String
     * @param  off  Offset from which to start writing characters
     * @param  len  Number of characters to write
     *
     * @exception  IOException  If an I/O error occurs
     */
    public void write(String str, int off, int len) throws IOException {
	se.write(str, off, len);
    }

    /**
     * Flush the stream.
     *
     * @exception  IOException  If an I/O error occurs
     */
    public void flush() throws IOException {
	se.flush();
    }

    /**
     * Close the stream.
     *
     * @exception  IOException  If an I/O error occurs
     */
    public void close() throws IOException {
	se.close();
    }

}
why-2.39/lib/java_api/java/io/FileReader.java0000644000106100004300000000405513147234006017752 0ustar  marchevals/*
 * @(#)FileReader.java	1.14 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.io;


/**
 * Convenience class for reading character files.  The constructors of this
 * class assume that the default character encoding and the default byte-buffer
 * size are appropriate.  To specify these values yourself, construct an
 * InputStreamReader on a FileInputStream.
 *
 * 
    FileReader is meant for reading streams of characters.
 * For reading streams of raw bytes, consider using a
 * FileInputStream.
 *
 * @see InputStreamReader
 * @see FileInputStream
 *
 * @version 	1.14, 03/01/23
 * @author	Mark Reinhold
 * @since	JDK1.1
 */
public class FileReader extends InputStreamReader {

   /**
    * Creates a new FileReader, given the name of the
    * file to read from.
    *
    * @param fileName the name of the file to read from
    * @exception  FileNotFoundException  if the named file does not exist,
    *                   is a directory rather than a regular file,
    *                   or for some other reason cannot be opened for
    *                   reading.
    */
    public FileReader(String fileName) throws FileNotFoundException {
	super(new FileInputStream(fileName));
    }

   /**
    * Creates a new FileReader, given the File 
    * to read from.
    *
    * @param file the File to read from
    * @exception  FileNotFoundException  if the file does not exist,
    *                   is a directory rather than a regular file,
    *                   or for some other reason cannot be opened for
    *                   reading.
    */
    public FileReader(File file) throws FileNotFoundException {
	super(new FileInputStream(file));
    }

   /**
    * Creates a new FileReader, given the 
    * FileDescriptor to read from.
    *
    * @param fd the FileDescriptor to read from
    */
    public FileReader(FileDescriptor fd) {
	super(new FileInputStream(fd));
    }

}

why-2.39/lib/java_api/java/io/PrintStream.java0000644000106100004300000004332213147234006020220 0ustar  marchevals/*
 * @(#)PrintStream.java	1.25 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.io;


/**
 * A PrintStream adds functionality to another output stream,
 * namely the ability to print representations of various data values
 * conveniently.  Two other features are provided as well.  Unlike other output
 * streams, a PrintStream never throws an
 * IOException; instead, exceptional situations merely set an
 * internal flag that can be tested via the checkError method.
 * Optionally, a PrintStream can be created so as to flush
 * automatically; this means that the flush method is
 * automatically invoked after a byte array is written, one of the
 * println methods is invoked, or a newline character or byte
 * ('\n') is written.
 *
 * 
     All characters printed by a PrintStream are converted into
 * bytes using the platform's default character encoding.  The {@link
 * PrintWriter} class should be used in situations that require writing
 * characters rather than bytes.
 *
 * @version    1.25, 03/01/23
 * @author     Frank Yellin
 * @author     Mark Reinhold
 * @since      JDK1.0
 */

public class PrintStream extends FilterOutputStream {

    private boolean autoFlush = false;
    private boolean trouble = false;

    /**
     * Track both the text- and character-output streams, so that their buffers
     * can be flushed without flushing the entire stream.
     */
    //KML private BufferedWriter textOut;
    //KML private OutputStreamWriter charOut;

    /**
     * Create a new print stream.  This stream will not flush automatically.
     *
     * @param  out        The output stream to which values and objects will be
     *                    printed
     *
     * @see java.io.PrintWriter#PrintWriter(java.io.OutputStream)
     */
    public PrintStream(OutputStream out) {
	this(out, false);
    }

    /* Initialization is factored into a private constructor (note the swapped
     * parameters so that this one isn't confused with the public one) and a
     * separate init method so that the following two public constructors can
     * share code.  We use a separate init method so that the constructor that
     * takes an encoding will throw an NPE for a null stream before it throws
     * an UnsupportedEncodingException for an unsupported encoding.
     */

    private PrintStream(boolean autoFlush, OutputStream out)
    {
	super(out);
	if (out == null)
	    throw new NullPointerException("Null output stream");
	this.autoFlush = autoFlush;
    }

    private void init(OutputStreamWriter osw) {
	this.charOut = osw;
	this.textOut = new BufferedWriter(osw);
    }

    /**
     * Create a new print stream.
     *
     * @param  out        The output stream to which values and objects will be
     *                    printed
     * @param  autoFlush  A boolean; if true, the output buffer will be flushed
     *                    whenever a byte array is written, one of the
     *                    println methods is invoked, or a newline
     *                    character or byte ('\n') is written
     *
     * @see java.io.PrintWriter#PrintWriter(java.io.OutputStream, boolean)
     */
    public PrintStream(OutputStream out, boolean autoFlush) {
	this(autoFlush, out);
	init(new OutputStreamWriter(this));
    }

    /**
     * Create a new print stream.
     *
     * @param  out        The output stream to which values and objects will be
     *                    printed
     * @param  autoFlush  A boolean; if true, the output buffer will be flushed
     *                    whenever a byte array is written, one of the
     *                    println methods is invoked, or a newline
     *                    character or byte ('\n') is written
     * @param  encoding   The name of a supported
     *                    
     *                    character encoding
     *
     * @exception  UnsupportedEncodingException
     *             If the named encoding is not supported
     */
    public PrintStream(OutputStream out, boolean autoFlush, String encoding)
        throws UnsupportedEncodingException
    {
	this(autoFlush, out);
	init(new OutputStreamWriter(this, encoding));
    }

    /** Check to make sure that the stream has not been closed */
    private void ensureOpen() throws IOException {
	if (out == null)
	    throw new IOException("Stream closed");
    }

    /**
     * Flush the stream.  This is done by writing any buffered output bytes to
     * the underlying output stream and then flushing that stream.
     *
     * @see        java.io.OutputStream#flush()
     */
    public void flush() {
	synchronized (this) {
	    try {
		ensureOpen();
		out.flush();
	    }
	    catch (IOException x) {
		trouble = true;
	    }
	}
    }

    private boolean closing = false; /* To avoid recursive closing */

    /**
     * Close the stream.  This is done by flushing the stream and then closing
     * the underlying output stream.
     *
     * @see        java.io.OutputStream#close()
     */
    public void close() {
	synchronized (this) {
	    if (! closing) {
		closing = true;
		try {
		    textOut.close();
		    out.close();
		}
		catch (IOException x) {
		    trouble = true;
		}
		textOut = null;
		charOut = null;
		out = null;
	    }
	}
    }

    /**
     * Flush the stream and check its error state.  The internal error state
     * is set to true when the underlying output stream throws an
     * IOException other than InterruptedIOException,
     * and when the setError method is invoked.  If an operation
     * on the underlying output stream throws an
     * InterruptedIOException, then the PrintStream
     * converts the exception back into an interrupt by doing:
     * 
         *     Thread.currentThread().interrupt();
     * 
    
     * or the equivalent.
     *
     * @return True if and only if this stream has encountered an
     *         IOException other than
     *         InterruptedIOException, or the
     *         setError method has been invoked
     */
    public boolean checkError() {
	if (out != null)
	    flush();
	return trouble;
    }

    /**
     * Set the error state of the stream to true.
     *
     * @since JDK1.1
     */
    protected void setError() {
	trouble = true;
    }


    /*
     * Exception-catching, synchronized output operations,
     * which also implement the write() methods of OutputStream
     */

    /**
     * Write the specified byte to this stream.  If the byte is a newline and
     * automatic flushing is enabled then the flush method will be
     * invoked.
     *
     * 
     Note that the byte is written as given; to write a character that
     * will be translated according to the platform's default character
     * encoding, use the print(char) or println(char)
     * methods.
     *
     * @param  b  The byte to be written
     * @see #print(char)
     * @see #println(char)
     */
    public void write(int b) {
	try {
	    synchronized (this) {
		ensureOpen();
		out.write(b);
		if ((b == '\n') && autoFlush)
		    out.flush();
	    }
	}
	catch (InterruptedIOException x) {
	    Thread.currentThread().interrupt();
	}
	catch (IOException x) {
	    trouble = true;
	}
    }

    /**
     * Write len bytes from the specified byte array starting at
     * offset off to this stream.  If automatic flushing is
     * enabled then the flush method will be invoked.
     *
     * 
     Note that the bytes will be written as given; to write characters
     * that will be translated according to the platform's default character
     * encoding, use the print(char) or println(char)
     * methods.
     *
     * @param  buf   A byte array
     * @param  off   Offset from which to start taking bytes
     * @param  len   Number of bytes to write
     */
    public void write(byte buf[], int off, int len) {
	try {
	    synchronized (this) {
		ensureOpen();
		out.write(buf, off, len);
		if (autoFlush)
		    out.flush();
	    }
	}
	catch (InterruptedIOException x) {
	    Thread.currentThread().interrupt();
	}
	catch (IOException x) {
	    trouble = true;
	}
    }

    /*
     * The following private methods on the text- and character-output streams
     * always flush the stream buffers, so that writes to the underlying byte
     * stream occur as promptly as with the original PrintStream.
     */

    private void write(char buf[]) {
	try {
	    synchronized (this) {
		ensureOpen();
		textOut.write(buf);
		textOut.flushBuffer();
		charOut.flushBuffer();
		if (autoFlush) {
		    for (int i = 0; i < buf.length; i++)
			if (buf[i] == '\n')
			    out.flush();
		}
	    }
	}
	catch (InterruptedIOException x) {
	    Thread.currentThread().interrupt();
	}
	catch (IOException x) {
	    trouble = true;
	}
    }

    private void write(String s) {
	try {
	    synchronized (this) {
		ensureOpen();
		textOut.write(s);
		textOut.flushBuffer();
		charOut.flushBuffer();
		if (autoFlush && (s.indexOf('\n') >= 0))
		    out.flush();
	    }
	}
	catch (InterruptedIOException x) {
	    Thread.currentThread().interrupt();
	}
	catch (IOException x) {
	    trouble = true;
	}
    }

    private void newLine() {
	try {
	    synchronized (this) {
		ensureOpen();
		textOut.newLine();
		textOut.flushBuffer();
		charOut.flushBuffer();
		if (autoFlush)
		    out.flush();
	    }
	}
	catch (InterruptedIOException x) {
	    Thread.currentThread().interrupt();
	}
	catch (IOException x) {
	    trouble = true;
	}
    }


    /* Methods that do not terminate lines */

    /**
     * Print a boolean value.  The string produced by {@link
     * java.lang.String#valueOf(boolean)} is translated into bytes
     * according to the platform's default character encoding, and these bytes
     * are written in exactly the manner of the
     * {@link #write(int)} method.
     *
     * @param      b   The boolean to be printed
     */
    public void print(boolean b) {
	write(b ? "true" : "false");
    }

    /**
     * Print a character.  The character is translated into one or more bytes
     * according to the platform's default character encoding, and these bytes
     * are written in exactly the manner of the
     * {@link #write(int)} method.
     *
     * @param      c   The char to be printed
     */
    public void print(char c) {
	write(String.valueOf(c));
    }

    /**
     * Print an integer.  The string produced by {@link
     * java.lang.String#valueOf(int)} is translated into bytes
     * according to the platform's default character encoding, and these bytes
     * are written in exactly the manner of the
     * {@link #write(int)} method.
     *
     * @param      i   The int to be printed
     * @see        java.lang.Integer#toString(int)
     */
    public void print(int i) {
	write(String.valueOf(i));
    }

    /**
     * Print a long integer.  The string produced by {@link
     * java.lang.String#valueOf(long)} is translated into bytes
     * according to the platform's default character encoding, and these bytes
     * are written in exactly the manner of the
     * {@link #write(int)} method.
     *
     * @param      l   The long to be printed
     * @see        java.lang.Long#toString(long)
     */
    public void print(long l) {
	write(String.valueOf(l));
    }

    /**
     * Print a floating-point number.  The string produced by {@link
     * java.lang.String#valueOf(float)} is translated into bytes
     * according to the platform's default character encoding, and these bytes
     * are written in exactly the manner of the
     * {@link #write(int)} method.
     *
     * @param      f   The float to be printed
     * @see        java.lang.Float#toString(float)
     */
    public void print(float f) {
	write(String.valueOf(f));
    }

    /**
     * Print a double-precision floating-point number.  The string produced by
     * {@link java.lang.String#valueOf(double)} is translated into
     * bytes according to the platform's default character encoding, and these
     * bytes are written in exactly the manner of the {@link
     * #write(int)} method.
     *
     * @param      d   The double to be printed
     * @see        java.lang.Double#toString(double)
     */
    public void print(double d) {
	write(String.valueOf(d));
    }

    /**
     * Print an array of characters.  The characters are converted into bytes
     * according to the platform's default character encoding, and these bytes
     * are written in exactly the manner of the
     * {@link #write(int)} method.
     *
     * @param      s   The array of chars to be printed
     * 
     * @throws  NullPointerException  If s is null
     */
    public void print(char s[]) {
	write(s);
    }

    /**
     * Print a string.  If the argument is null then the string
     * "null" is printed.  Otherwise, the string's characters are
     * converted into bytes according to the platform's default character
     * encoding, and these bytes are written in exactly the manner of the
     * {@link #write(int)} method.
     *
     * @param      s   The String to be printed
     */
    public void print(String s) {
	if (s == null) {
	    s = "null";
	}
	write(s);
    }

    /**
     * Print an object.  The string produced by the {@link
     * java.lang.String#valueOf(Object)} method is translated into bytes
     * according to the platform's default character encoding, and these bytes
     * are written in exactly the manner of the
     * {@link #write(int)} method.
     *
     * @param      obj   The Object to be printed
     * @see        java.lang.Object#toString()
     */
    public void print(Object obj) {
	write(String.valueOf(obj));
    }


    /* Methods that do terminate lines */

    /**
     * Terminate the current line by writing the line separator string.  The
     * line separator string is defined by the system property
     * line.separator, and is not necessarily a single newline
     * character ('\n').
     */
    public void println() {
	newLine();
    }

    /**
     * Print a boolean and then terminate the line.  This method behaves as
     * though it invokes {@link #print(boolean)} and then
     * {@link #println()}.
     *
     * @param x  The boolean to be printed
     */
    public void println(boolean x) {
	synchronized (this) {
	    print(x);
	    newLine();
	}
    }

    /**
     * Print a character and then terminate the line.  This method behaves as
     * though it invokes {@link #print(char)} and then
     * {@link #println()}.
     *
     * @param x  The char to be printed.
     */
    public void println(char x) {
	synchronized (this) {
	    print(x);
	    newLine();
	}
    }

    /**
     * Print an integer and then terminate the line.  This method behaves as
     * though it invokes {@link #print(int)} and then
     * {@link #println()}.
     *
     * @param x  The int to be printed.
     */
    public void println(int x) {
	synchronized (this) {
	    print(x);
	    newLine();
	}
    }

    /**
     * Print a long and then terminate the line.  This method behaves as
     * though it invokes {@link #print(long)} and then
     * {@link #println()}.
     *
     * @param x  a The long to be printed.
     */
    public void println(long x) {
	synchronized (this) {
	    print(x);
	    newLine();
	}
    }

    /**
     * Print a float and then terminate the line.  This method behaves as
     * though it invokes {@link #print(float)} and then
     * {@link #println()}.
     *
     * @param x  The float to be printed.
     */
    public void println(float x) {
	synchronized (this) {
	    print(x);
	    newLine();
	}
    }

    /**
     * Print a double and then terminate the line.  This method behaves as
     * though it invokes {@link #print(double)} and then
     * {@link #println()}.
     *
     * @param x  The double to be printed.
     */
    public void println(double x) {
	synchronized (this) {
	    print(x);
	    newLine();
	}
    }

    /**
     * Print an array of characters and then terminate the line.  This method
     * behaves as though it invokes {@link #print(char[])} and
     * then {@link #println()}.
     *
     * @param x  an array of chars to print.
     */
    public void println(char x[]) {
	synchronized (this) {
	    print(x);
	    newLine();
	}
    }

    /**
     * Print a String and then terminate the line.  This method behaves as
     * though it invokes {@link #print(String)} and then
     * {@link #println()}.
     *
     * @param x  The String to be printed.
     */
    public void println(String x) {
	synchronized (this) {
	    print(x);
	    newLine();
	}
    }

    /**
     * Print an Object and then terminate the line.  This method behaves as
     * though it invokes {@link #print(Object)} and then
     * {@link #println()}.
     *
     * @param x  The Object to be printed.
     */
    public void println(Object x) {
	synchronized (this) {
	    print(x);
	    newLine();
	}
    }

}
why-2.39/lib/java_api/java/io/FilterOutputStream.java0000644000106100004300000001204013147234006021563 0ustar  marchevals/*
 * @(#)FilterOutputStream.java	1.30 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.io;

/**
 * This class is the superclass of all classes that filter output 
 * streams. These streams sit on top of an already existing output 
 * stream (the underlying output stream) which it uses as its 
 * basic sink of data, but possibly transforming the data along the 
 * way or providing additional functionality. 
 * 
    
 * The class FilterOutputStream itself simply overrides 
 * all methods of OutputStream with versions that pass 
 * all requests to the underlying output stream. Subclasses of 
 * FilterOutputStream may further override some of these 
 * methods as well as provide additional methods and fields. 
 *
 * @author  Jonathan Payne
 * @version 1.30, 01/23/03
 * @since   JDK1.0
 */
public
class FilterOutputStream extends OutputStream {
    /**
     * The underlying output stream to be filtered. 
     */
    protected OutputStream out;

    /**
     * Creates an output stream filter built on top of the specified 
     * underlying output stream. 
     *
     * @param   out   the underlying output stream to be assigned to 
     *                the field this.out for later use, or 
     *                null if this instance is to be 
     *                created without an underlying stream.
     */
    public FilterOutputStream(OutputStream out) {
	this.out = out;
    }

    /**
     * Writes the specified byte to this output stream. 
     * 
    
     * The write method of FilterOutputStream 
     * calls the write method of its underlying output stream, 
     * that is, it performs out.write(b).
     * 
    
     * Implements the abstract write method of OutputStream. 
     *
     * @param      b   the byte.
     * @exception  IOException  if an I/O error occurs.
     */
    public void write(int b) throws IOException {
	out.write(b);
    }

    /**
     * Writes b.length bytes to this output stream. 
     * 
    
     * The write method of FilterOutputStream 
     * calls its write method of three arguments with the 
     * arguments b, 0, and 
     * b.length. 
     * 
    
     * Note that this method does not call the one-argument 
     * write method of its underlying stream with the single 
     * argument b. 
     *
     * @param      b   the data to be written.
     * @exception  IOException  if an I/O error occurs.
     * @see        java.io.FilterOutputStream#write(byte[], int, int)
     */
    public void write(byte b[]) throws IOException {
	write(b, 0, b.length);
    }

    /**
     * Writes len bytes from the specified 
     * byte array starting at offset off to 
     * this output stream. 
     * 
    
     * The write method of FilterOutputStream 
     * calls the write method of one argument on each 
     * byte to output. 
     * 
    
     * Note that this method does not call the write method 
     * of its underlying input stream with the same arguments. Subclasses 
     * of FilterOutputStream should provide a more efficient 
     * implementation of this method. 
     *
     * @param      b     the data.
     * @param      off   the start offset in the data.
     * @param      len   the number of bytes to write.
     * @exception  IOException  if an I/O error occurs.
     * @see        java.io.FilterOutputStream#write(int)
     */
    public void write(byte b[], int off, int len) throws IOException {
	if ((off | len | (b.length - (len + off)) | (off + len)) < 0)
	    throw new IndexOutOfBoundsException();

	for (int i = 0 ; i < len ; i++) {
	    write(b[off + i]);
	}
    }

    /**
     * Flushes this output stream and forces any buffered output bytes 
     * to be written out to the stream. 
     * 
    
     * The flush method of FilterOutputStream 
     * calls the flush method of its underlying output stream. 
     *
     * @exception  IOException  if an I/O error occurs.
     * @see        java.io.FilterOutputStream#out
     */
    public void flush() throws IOException {
	out.flush();
    }

    /**
     * Closes this output stream and releases any system resources 
     * associated with the stream. 
     * 
    
     * The close method of FilterOutputStream 
     * calls its flush method, and then calls the 
     * close method of its underlying output stream. 
     *
     * @exception  IOException  if an I/O error occurs.
     * @see        java.io.FilterOutputStream#flush()
     * @see        java.io.FilterOutputStream#out
     */
    public void close() throws IOException {
	try {
	  flush();
	} catch (IOException ignored) {
	}
	out.close();
    }
}
why-2.39/lib/java_api/java/io/OutputStream.java0000644000106100004300000001173213147234006020424 0ustar  marchevals/*
 * @(#)OutputStream.java	1.25 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.io;

/**
 * This abstract class is the superclass of all classes representing 
 * an output stream of bytes. An output stream accepts output bytes 
 * and sends them to some sink.
 * 
    
 * Applications that need to define a subclass of 
 * OutputStream must always provide at least a method 
 * that writes one byte of output. 
 *
 * @author  Arthur van Hoff
 * @version 1.25, 01/23/03
 * @see     java.io.BufferedOutputStream
 * @see     java.io.ByteArrayOutputStream
 * @see     java.io.DataOutputStream
 * @see     java.io.FilterOutputStream
 * @see     java.io.InputStream
 * @see     java.io.OutputStream#write(int)
 * @since   JDK1.0
 */
public abstract class OutputStream {
    /**
     * Writes the specified byte to this output stream. The general 
     * contract for write is that one byte is written 
     * to the output stream. The byte to be written is the eight 
     * low-order bits of the argument b. The 24 
     * high-order bits of b are ignored.
     * 
    
     * Subclasses of OutputStream must provide an 
     * implementation for this method. 
     *
     * @param      b   the byte.
     * @exception  IOException  if an I/O error occurs. In particular, 
     *             an IOException may be thrown if the 
     *             output stream has been closed.
     */
    public abstract void write(int b) throws IOException;

    /**
     * Writes b.length bytes from the specified byte array 
     * to this output stream. The general contract for write(b) 
     * is that it should have exactly the same effect as the call 
     * write(b, 0, b.length).
     *
     * @param      b   the data.
     * @exception  IOException  if an I/O error occurs.
     * @see        java.io.OutputStream#write(byte[], int, int)
     */
    public void write(byte b[]) throws IOException {
	write(b, 0, b.length);
    }

    /**
     * Writes len bytes from the specified byte array 
     * starting at offset off to this output stream. 
     * The general contract for write(b, off, len) is that 
     * some of the bytes in the array b are written to the 
     * output stream in order; element b[off] is the first 
     * byte written and b[off+len-1] is the last byte written 
     * by this operation.
     * 
    
     * The write method of OutputStream calls 
     * the write method of one argument on each of the bytes to be 
     * written out. Subclasses are encouraged to override this method and 
     * provide a more efficient implementation. 
     * 
    
     * If b is null, a 
     * NullPointerException is thrown.
     * 
    
     * If off is negative, or len is negative, or 
     * off+len is greater than the length of the array 
     * b, then an IndexOutOfBoundsException is thrown.
     *
     * @param      b     the data.
     * @param      off   the start offset in the data.
     * @param      len   the number of bytes to write.
     * @exception  IOException  if an I/O error occurs. In particular, 
     *             an IOException is thrown if the output 
     *             stream is closed.
     */
    public void write(byte b[], int off, int len) throws IOException {
	if (b == null) {
	    throw new NullPointerException();
	} else if ((off < 0) || (off > b.length) || (len < 0) ||
		   ((off + len) > b.length) || ((off + len) < 0)) {
	    throw new IndexOutOfBoundsException();
	} else if (len == 0) {
	    return;
	}
	for (int i = 0 ; i < len ; i++) {
	    write(b[off + i]);
	}
    }

    /**
     * Flushes this output stream and forces any buffered output bytes 
     * to be written out. The general contract of flush is 
     * that calling it is an indication that, if any bytes previously 
     * written have been buffered by the implementation of the output 
     * stream, such bytes should immediately be written to their 
     * intended destination.
     * 
    
     * The flush method of OutputStream does nothing.
     *
     * @exception  IOException  if an I/O error occurs.
     */
    public void flush() throws IOException {
    }

    /**
     * Closes this output stream and releases any system resources 
     * associated with this stream. The general contract of close 
     * is that it closes the output stream. A closed stream cannot perform 
     * output operations and cannot be reopened.
     * 
    
     * The close method of OutputStream does nothing.
     *
     * @exception  IOException  if an I/O error occurs.
     */
    public void close() throws IOException {
    }

}
why-2.39/lib/java_api/java/io/BufferedWriter.java0000644000106100004300000001570013147234006020666 0ustar  marchevals/*
 * @(#)BufferedWriter.java	1.24 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.io;


/**
 * Write text to a character-output stream, buffering characters so as to
 * provide for the efficient writing of single characters, arrays, and strings.
 *
 * 
     The buffer size may be specified, or the default size may be accepted.
 * The default is large enough for most purposes.
 *
 * 
     A newLine() method is provided, which uses the platform's own notion of
 * line separator as defined by the system property line.separator.
 * Not all platforms use the newline character ('\n') to terminate lines.
 * Calling this method to terminate each output line is therefore preferred to
 * writing a newline character directly.
 *
 * 
     In general, a Writer sends its output immediately to the underlying
 * character or byte stream.  Unless prompt output is required, it is advisable
 * to wrap a BufferedWriter around any Writer whose write() operations may be
 * costly, such as FileWriters and OutputStreamWriters.  For example,
 *
 * 
     * PrintWriter out
 *   = new PrintWriter(new BufferedWriter(new FileWriter("foo.out")));
 * 
    
 *
 * will buffer the PrintWriter's output to the file.  Without buffering, each
 * invocation of a print() method would cause characters to be converted into
 * bytes that would then be written immediately to the file, which can be very
 * inefficient.
 *
 * @see PrintWriter
 * @see FileWriter
 * @see OutputStreamWriter
 *
 * @version 	1.24, 03/01/23
 * @author	Mark Reinhold
 * @since	JDK1.1
 */

public class BufferedWriter extends Writer {

    private Writer out;

    private char cb[];
    private int nChars, nextChar;

    private static int defaultCharBufferSize = 8192;

    /**
     * Line separator string.  This is the value of the line.separator
     * property at the moment that the stream was created.
     */
    private String lineSeparator;

    /**
     * Create a buffered character-output stream that uses a default-sized
     * output buffer.
     *
     * @param  out  A Writer
     */
    public BufferedWriter(Writer out) {
	this(out, defaultCharBufferSize);
    }

    /**
     * Create a new buffered character-output stream that uses an output
     * buffer of the given size.
     *
     * @param  out  A Writer
     * @param  sz   Output-buffer size, a positive integer
     *
     * @exception  IllegalArgumentException  If sz is <= 0
     */
    public BufferedWriter(Writer out, int sz) {
	super(out);
	if (sz <= 0)
	    throw new IllegalArgumentException("Buffer size <= 0");
	this.out = out;
	cb = new char[sz];
	nChars = sz;
	nextChar = 0;

	lineSeparator =	(String) java.security.AccessController.doPrivileged(
               new sun.security.action.GetPropertyAction("line.separator"));
    }

    /** Check to make sure that the stream has not been closed */
    private void ensureOpen() throws IOException {
	if (out == null)
	    throw new IOException("Stream closed");
    }

    /**
     * Flush the output buffer to the underlying character stream, without
     * flushing the stream itself.  This method is non-private only so that it
     * may be invoked by PrintStream.
     */
    void flushBuffer() throws IOException {
	synchronized (lock) {
	    ensureOpen();
	    if (nextChar == 0)
		return;
	    out.write(cb, 0, nextChar);
	    nextChar = 0;
	}
    }

    /**
     * Write a single character.
     *
     * @exception  IOException  If an I/O error occurs
     */
    public void write(int c) throws IOException {
	synchronized (lock) {
	    ensureOpen();
	    if (nextChar >= nChars)
		flushBuffer();
	    cb[nextChar++] = (char) c;
	}
    }

    /**
     * Our own little min method, to avoid loading java.lang.Math if we've run
     * out of file descriptors and we're trying to print a stack trace.
     */
    private int min(int a, int b) {
	if (a < b) return a;
	return b;
    }

    /**
     * Write a portion of an array of characters.
     *
     * 
     Ordinarily this method stores characters from the given array into
     * this stream's buffer, flushing the buffer to the underlying stream as
     * needed.  If the requested length is at least as large as the buffer,
     * however, then this method will flush the buffer and write the characters
     * directly to the underlying stream.  Thus redundant
     * BufferedWriters will not copy data unnecessarily.
     *
     * @param  cbuf  A character array
     * @param  off   Offset from which to start reading characters
     * @param  len   Number of characters to write
     *
     * @exception  IOException  If an I/O error occurs
     */
    public void write(char cbuf[], int off, int len) throws IOException {
	synchronized (lock) {
	    ensureOpen();
            if ((off < 0) || (off > cbuf.length) || (len < 0) ||
                ((off + len) > cbuf.length) || ((off + len) < 0)) {
                throw new IndexOutOfBoundsException();
            } else if (len == 0) {
                return;
            } 

	    if (len >= nChars) {
		/* If the request length exceeds the size of the output buffer,
		   flush the buffer and then write the data directly.  In this
		   way buffered streams will cascade harmlessly. */
		flushBuffer();
		out.write(cbuf, off, len);
		return;
	    }

	    int b = off, t = off + len;
	    while (b < t) {
		int d = min(nChars - nextChar, t - b);
		System.arraycopy(cbuf, b, cb, nextChar, d);
		b += d;
		nextChar += d;
		if (nextChar >= nChars)
		    flushBuffer();
	    }
	}
    }

    /**
     * Write a portion of a String.
     *
     * @param  s     String to be written
     * @param  off   Offset from which to start reading characters
     * @param  len   Number of characters to be written
     *
     * @exception  IOException  If an I/O error occurs
     */
    public void write(String s, int off, int len) throws IOException {
	synchronized (lock) {
	    ensureOpen();

	    int b = off, t = off + len;
	    while (b < t) {
		int d = min(nChars - nextChar, t - b);
		s.getChars(b, b + d, cb, nextChar);
		b += d;
		nextChar += d;
		if (nextChar >= nChars)
		    flushBuffer();
	    }
	}
    }

    /**
     * Write a line separator.  The line separator string is defined by the
     * system property line.separator, and is not necessarily a single
     * newline ('\n') character.
     *
     * @exception  IOException  If an I/O error occurs
     */
    public void newLine() throws IOException {
	write(lineSeparator);
    }

    /**
     * Flush the stream.
     *
     * @exception  IOException  If an I/O error occurs
     */
    public void flush() throws IOException {
	synchronized (lock) {
	    flushBuffer();
	    out.flush();
	}
    }

    /**
     * Close the stream.
     *
     * @exception  IOException  If an I/O error occurs
     */
    public void close() throws IOException {
	synchronized (lock) {
	    if (out == null)
		return;
	    flushBuffer();
	    out.close();
	    out = null;
	    cb = null;
	}
    }

}
why-2.39/lib/java_api/java/io/Reader.java0000644000106100004300000001614413147234006017154 0ustar  marchevals/*
 * @(#)Reader.java	1.24 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.io;


/**
 * Abstract class for reading character streams.  The only methods that a
 * subclass must implement are read(char[], int, int) and close().  Most
 * subclasses, however, will override some of the methods defined here in order
 * to provide higher efficiency, additional functionality, or both.
 *
 * 
 * @see BufferedReader
 * @see   LineNumberReader
 * @see CharArrayReader
 * @see InputStreamReader
 * @see   FileReader
 * @see FilterReader
 * @see   PushbackReader
 * @see PipedReader
 * @see StringReader
 * @see Writer
 *
 * @version 	1.24, 03/01/23
 * @author	Mark Reinhold
 * @since	JDK1.1
 */

public abstract class Reader {

    /**
     * The object used to synchronize operations on this stream.  For
     * efficiency, a character-stream object may use an object other than
     * itself to protect critical sections.  A subclass should therefore use
     * the object in this field rather than this or a synchronized
     * method.
     */
    protected Object lock;

    /**
     * Create a new character-stream reader whose critical sections will
     * synchronize on the reader itself.
     */
    protected Reader() {
	this.lock = this;
    }

    /**
     * Create a new character-stream reader whose critical sections will
     * synchronize on the given object.
     *
     * @param lock  The Object to synchronize on.
     */
    protected Reader(Object lock) {
	if (lock == null) {
	    throw new NullPointerException();
	}
	this.lock = lock;
    }

    /**
     * Read a single character.  This method will block until a character is
     * available, an I/O error occurs, or the end of the stream is reached.
     *
     * 
     Subclasses that intend to support efficient single-character input
     * should override this method.
     *
     * @return     The character read, as an integer in the range 0 to 65535
     *             (0x00-0xffff), or -1 if the end of the stream has
     *             been reached
     *
     * @exception  IOException  If an I/O error occurs
     */
    public int read() throws IOException {
	char cb[] = new char[1];
	if (read(cb, 0, 1) == -1)
	    return -1;
	else
	    return cb[0];
    }

    /**
     * Read characters into an array.  This method will block until some input
     * is available, an I/O error occurs, or the end of the stream is reached.
     *
     * @param       cbuf  Destination buffer
     *
     * @return      The number of characters read, or -1 
     *              if the end of the stream
     *              has been reached
     *
     * @exception   IOException  If an I/O error occurs
     */
    public int read(char cbuf[]) throws IOException {
	return read(cbuf, 0, cbuf.length);
    }

    /**
     * Read characters into a portion of an array.  This method will block
     * until some input is available, an I/O error occurs, or the end of the
     * stream is reached.
     *
     * @param      cbuf  Destination buffer
     * @param      off   Offset at which to start storing characters
     * @param      len   Maximum number of characters to read
     *
     * @return     The number of characters read, or -1 if the end of the
     *             stream has been reached
     *
     * @exception  IOException  If an I/O error occurs
     */
    abstract public int read(char cbuf[], int off, int len) throws IOException;

    /** Maximum skip-buffer size */
    private static final int maxSkipBufferSize = 8192;

    /** Skip buffer, null until allocated */
    private char skipBuffer[] = null;

    /**
     * Skip characters.  This method will block until some characters are
     * available, an I/O error occurs, or the end of the stream is reached.
     *
     * @param  n  The number of characters to skip
     *
     * @return    The number of characters actually skipped
     *
     * @exception  IllegalArgumentException  If n is negative.
     * @exception  IOException  If an I/O error occurs
     */
    public long skip(long n) throws IOException {
	if (n < 0L) 
	    throw new IllegalArgumentException("skip value is negative");
	int nn = (int) Math.min(n, maxSkipBufferSize);
	synchronized (lock) {
	    if ((skipBuffer == null) || (skipBuffer.length < nn))
		skipBuffer = new char[nn];
	    long r = n;
	    while (r > 0) {
		int nc = read(skipBuffer, 0, (int)Math.min(r, nn));
		if (nc == -1)
		    break;
		r -= nc;
	    }
	    return n - r;
	}
    }

    /**
     * Tell whether this stream is ready to be read.
     *
     * @return True if the next read() is guaranteed not to block for input,
     * false otherwise.  Note that returning false does not guarantee that the
     * next read will block.
     *
     * @exception  IOException  If an I/O error occurs
     */
    public boolean ready() throws IOException {
	return false;
    }

    /**
     * Tell whether this stream supports the mark() operation. The default
     * implementation always returns false. Subclasses should override this
     * method.
     *
     * @return true if and only if this stream supports the mark operation.
     */
    public boolean markSupported() {
	return false;
    }

    /**
     * Mark the present position in the stream.  Subsequent calls to reset()
     * will attempt to reposition the stream to this point.  Not all
     * character-input streams support the mark() operation.
     *
     * @param  readAheadLimit  Limit on the number of characters that may be
     *                         read while still preserving the mark.  After
     *                         reading this many characters, attempting to
     *                         reset the stream may fail.
     *
     * @exception  IOException  If the stream does not support mark(),
     *                          or if some other I/O error occurs
     */
    public void mark(int readAheadLimit) throws IOException {
	throw new IOException("mark() not supported");
    }

    /**
     * Reset the stream.  If the stream has been marked, then attempt to
     * reposition it at the mark.  If the stream has not been marked, then
     * attempt to reset it in some way appropriate to the particular stream,
     * for example by repositioning it to its starting point.  Not all
     * character-input streams support the reset() operation, and some support
     * reset() without supporting mark().
     *
     * @exception  IOException  If the stream has not been marked,
     *                          or if the mark has been invalidated,
     *                          or if the stream does not support reset(),
     *                          or if some other I/O error occurs
     */
    public void reset() throws IOException {
	throw new IOException("reset() not supported");
    }

    /**
     * Close the stream.  Once a stream has been closed, further read(),
     * ready(), mark(), or reset() invocations will throw an IOException.
     * Closing a previously-closed stream, however, has no effect.
     *
     * @exception  IOException  If an I/O error occurs
     */
     abstract public void close() throws IOException;

}
why-2.39/lib/java_api/java/io/Serializable.java0000644000106100004300000001112713147234006020354 0ustar  marchevals/*
 * @(#)Serializable.java	1.20 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.io;

/**
 * Serializability of a class is enabled by the class implementing the
 * java.io.Serializable interface. Classes that do not implement this
 * interface will not have any of their state serialized or
 * deserialized.  All subtypes of a serializable class are themselves
 * serializable.  The serialization interface has no methods or fields
 * and serves only to identify the semantics of being serializable. 
    
 *
 * To allow subtypes of non-serializable classes to be serialized, the
 * subtype may assume responsibility for saving and restoring the
 * state of the supertype's public, protected, and (if accessible)
 * package fields.  The subtype may assume this responsibility only if
 * the class it extends has an accessible no-arg constructor to
 * initialize the class's state.  It is an error to declare a class
 * Serializable if this is not the case.  The error will be detected at runtime. 
    
 *
 * During deserialization, the fields of non-serializable classes will
 * be initialized using the public or protected no-arg constructor of
 * the class.  A no-arg constructor must be accessible to the subclass
 * that is serializable.  The fields of serializable subclasses will
 * be restored from the stream. 
    
 *
 * When traversing a graph, an object may be encountered that does not
 * support the Serializable interface. In this case the
 * NotSerializableException will be thrown and will identify the class
 * of the non-serializable object. 
    
 *
 * Classes that require special handling during the serialization and
 * deserialization process must implement special methods with these exact
 * signatures: 
    
 *
 * 
     * private void writeObject(java.io.ObjectOutputStream out)
 *     throws IOException
 * private void readObject(java.io.ObjectInputStream in)
 *     throws IOException, ClassNotFoundException;
 * 
    
 *
 * The writeObject method is responsible for writing the state of the
 * object for its particular class so that the corresponding
 * readObject method can restore it.  The default mechanism for saving
 * the Object's fields can be invoked by calling
 * out.defaultWriteObject. The method does not need to concern
 * itself with the state belonging to its superclasses or subclasses.
 * State is saved by writing the individual fields to the
 * ObjectOutputStream using the writeObject method or by using the
 * methods for primitive data types supported by DataOutput. 
    
 *
 * The readObject method is responsible for reading from the stream and
 * restoring the classes fields. It may call in.defaultReadObject to invoke
 * the default mechanism for restoring the object's non-static and non-transient
 * fields.  The defaultReadObject method uses information in the stream to
 * assign the fields of the object saved in the stream with the correspondingly
 * named fields in the current object.  This handles the case when the class
 * has evolved to add new fields. The method does not need to concern
 * itself with the state belonging to its superclasses or subclasses.
 * State is saved by writing the individual fields to the
 * ObjectOutputStream using the writeObject method or by using the
 * methods for primitive data types supported by DataOutput. 
    
 *
 * Serializable classes that need to designate an alternative object to be
 * used when writing an object to the stream should implement this
 * special method with the exact signature: 
    
 *
 * 
     * ANY-ACCESS-MODIFIER Object writeReplace() throws ObjectStreamException;
 * 
    
 *
 * This writeReplace method is invoked by serialization if the method
 * exists and it would be accessible from a method defined within the
 * class of the object being serialized. Thus, the method can have private,
 * protected and package-private access. Subclass access to this method
 * follows java accessibility rules. 
    
 *
 * Classes that need to designate a replacement when an instance of it
 * is read from the stream should implement this special method with the
 * exact signature.
    
 *
 * 
     * ANY-ACCESS-MODIFIER Object readResolve() throws ObjectStreamException;
 * 
    
 *
 * This readResolve method follows the same invocation rules and
 * accessibility rules as writeReplace.
 *
 * @author  unascribed
 * @version 1.20, 01/23/03
 * @see java.io.ObjectOutputStream
 * @see java.io.ObjectInputStream
 * @see java.io.ObjectOutput
 * @see java.io.ObjectInput
 * @see java.io.Externalizable
 * @since   JDK1.1
 */
public interface Serializable {
}
why-2.39/lib/java_api/java/io/File.java0000644000106100004300000017435113147234006016636 0ustar  marchevals/*
 * @(#)File.java	1.113 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.io;

/*KML
import java.net.URI;
import java.net.URL;
import java.net.MalformedURLException;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.Map;
import java.util.Hashtable;
import java.util.Random;
import java.security.AccessController;
import java.security.AccessControlException;
import sun.security.action.GetPropertyAction;
KML*/

/**
 * An abstract representation of file and directory pathnames.
 *
 * 
     User interfaces and operating systems use system-dependent pathname
 * strings to name files and directories.  This class presents an
 * abstract, system-independent view of hierarchical pathnames.  An
 * abstract pathname has two components:
 *
 * 
      
 * 
    1.  An optional system-dependent prefix string,
 *      such as a disk-drive specifier, "/" for the UNIX root
 *      directory, or "\\" for a Microsoft Windows UNC pathname, and
 * 
    2.  A sequence of zero or more string names.
 * 
    
 *
 * Each name in an abstract pathname except for the last denotes a directory;
 * the last name may denote either a directory or a file.  The empty
 * abstract pathname has no prefix and an empty name sequence.
 *
 * 
     The conversion of a pathname string to or from an abstract pathname is
 * inherently system-dependent.  When an abstract pathname is converted into a
 * pathname string, each name is separated from the next by a single copy of
 * the default separator character.  The default name-separator
 * character is defined by the system property file.separator, and
 * is made available in the public static fields {@link
 * #separator} and {@link #separatorChar} of this class.
 * When a pathname string is converted into an abstract pathname, the names
 * within it may be separated by the default name-separator character or by any
 * other name-separator character that is supported by the underlying system.
 *
 * 
     A pathname, whether abstract or in string form, may be either
 * absolute or relative.  An absolute pathname is complete in
 * that no other information is required in order to locate the file that it
 * denotes.  A relative pathname, in contrast, must be interpreted in terms of
 * information taken from some other pathname.  By default the classes in the
 * java.io package always resolve relative pathnames against the
 * current user directory.  This directory is named by the system property
 * user.dir, and is typically the directory in which the Java
 * virtual machine was invoked.
 *
 * 
     The prefix concept is used to handle root directories on UNIX platforms,
 * and drive specifiers, root directories and UNC pathnames on Microsoft Windows platforms,
 * as follows:
 *
 * 
      
 *
 * 
    •  For UNIX platforms, the prefix of an absolute pathname is always
 * "/".  Relative pathnames have no prefix.  The abstract pathname
 * denoting the root directory has the prefix "/" and an empty
 * name sequence.
 *
 * 
    •  For Microsoft Windows platforms, the prefix of a pathname that contains a drive
 * specifier consists of the drive letter followed by ":" and
 * possibly followed by "\" if the pathname is absolute.  The
 * prefix of a UNC pathname is "\\"; the hostname and the share
 * name are the first two names in the name sequence.  A relative pathname that
 * does not specify a drive has no prefix.
 *
 * 
    
 *
 * 
     Instances of the File class are immutable; that is, once
 * created, the abstract pathname represented by a File object
 * will never change.
 *
 * @version 1.113, 01/23/03
 * @author  unascribed
 * @since   JDK1.0
 */

public class File implements java.io.Serializable, Comparable {

    /**
     * The FileSystem object representing the platform's local file system.
     */
    static private FileSystem fs = FileSystem.getFileSystem();

    /**
     * This abstract pathname's normalized pathname string.  A normalized
     * pathname string uses the default name-separator character and does not
     * contain any duplicate or redundant separators.
     *
     * @serial
     */
    private String path;

    /**
     * The length of this abstract pathname's prefix, or zero if it has no
     * prefix.
     */
    private transient int prefixLength;

    /**
     * Returns the length of this abstract pathname's prefix.
     * For use by FileSystem classes.
     */
    int getPrefixLength() {
	return prefixLength;
    }

    /**
     * The system-dependent default name-separator character.  This field is
     * initialized to contain the first character of the value of the system
     * property file.separator.  On UNIX systems the value of this
     * field is '/'; on Microsoft Windows systems it is '\'.
     *
     * @see     java.lang.System#getProperty(java.lang.String)
     */
    public static final char separatorChar = fs.getSeparator();

    /**
     * The system-dependent default name-separator character, represented as a
     * string for convenience.  This string contains a single character, namely
     * {@link #separatorChar}.
     */
    public static final String separator = "" + separatorChar;

    /**
     * The system-dependent path-separator character.  This field is
     * initialized to contain the first character of the value of the system
     * property path.separator.  This character is used to
     * separate filenames in a sequence of files given as a path list.
     * On UNIX systems, this character is ':'; on Microsoft Windows systems it
     * is ';'.
     *
     * @see     java.lang.System#getProperty(java.lang.String)
     */
    public static final char pathSeparatorChar = fs.getPathSeparator();

    /**
     * The system-dependent path-separator character, represented as a string
     * for convenience.  This string contains a single character, namely
     * {@link #pathSeparatorChar}.
     */
    public static final String pathSeparator = "" + pathSeparatorChar;


    /* -- Constructors -- */

    /**
     * Internal constructor for already-normalized pathname strings.
     */
    private File(String pathname, int prefixLength) {
	this.path = pathname;
	this.prefixLength = prefixLength;
    }

    /**
     * Creates a new File instance by converting the given
     * pathname string into an abstract pathname.  If the given string is
     * the empty string, then the result is the empty abstract pathname.
     *
     * @param   pathname  A pathname string
     * @throws  NullPointerException
     *          If the pathname argument is null
     */
    public File(String pathname) {
	if (pathname == null) {
	    throw new NullPointerException();
	}
	this.path = fs.normalize(pathname);
	this.prefixLength = fs.prefixLength(this.path);
    }

    /* Note: The two-argument File constructors do not interpret an empty
       parent abstract pathname as the current user directory.  An empty parent
       instead causes the child to be resolved against the system-dependent
       directory defined by the FileSystem.getDefaultParent method.  On Unix
       this default is "/", while on Microsoft Windows it is "\\".  This is required for
       compatibility with the original behavior of this class. */

    /**
     * Creates a new File instance from a parent pathname string
     * and a child pathname string.
     *
     * 
     If parent is null then the new
     * File instance is created as if by invoking the
     * single-argument File constructor on the given
     * child pathname string.
     *
     * 
     Otherwise the parent pathname string is taken to denote
     * a directory, and the child pathname string is taken to
     * denote either a directory or a file.  If the child pathname
     * string is absolute then it is converted into a relative pathname in a
     * system-dependent way.  If parent is the empty string then
     * the new File instance is created by converting
     * child into an abstract pathname and resolving the result
     * against a system-dependent default directory.  Otherwise each pathname
     * string is converted into an abstract pathname and the child abstract
     * pathname is resolved against the parent.
     *
     * @param   parent  The parent pathname string
     * @param   child   The child pathname string
     * @throws  NullPointerException
     *          If child is null
     */
    public File(String parent, String child) {
	if (child == null) {
	    throw new NullPointerException();
	}
	if (parent != null) {
	    if (parent.equals("")) {
		this.path = fs.resolve(fs.getDefaultParent(),
				       fs.normalize(child));
	    } else {
		this.path = fs.resolve(fs.normalize(parent),
				       fs.normalize(child));
	    }
	} else {
	    this.path = fs.normalize(child);
	}
	this.prefixLength = fs.prefixLength(this.path);
    }

    /**
     * Creates a new File instance from a parent abstract
     * pathname and a child pathname string.
     *
     * 
     If parent is null then the new
     * File instance is created as if by invoking the
     * single-argument File constructor on the given
     * child pathname string.
     *
     * 
     Otherwise the parent abstract pathname is taken to
     * denote a directory, and the child pathname string is taken
     * to denote either a directory or a file.  If the child
     * pathname string is absolute then it is converted into a relative
     * pathname in a system-dependent way.  If parent is the empty
     * abstract pathname then the new File instance is created by
     * converting child into an abstract pathname and resolving
     * the result against a system-dependent default directory.  Otherwise each
     * pathname string is converted into an abstract pathname and the child
     * abstract pathname is resolved against the parent.
     *
     * @param   parent  The parent abstract pathname
     * @param   child   The child pathname string
     * @throws  NullPointerException
     *          If child is null
     */
    public File(File parent, String child) {
	if (child == null) {
	    throw new NullPointerException();
	}
	if (parent != null) {
	    if (parent.path.equals("")) {
		this.path = fs.resolve(fs.getDefaultParent(),
				       fs.normalize(child));
	    } else {
		this.path = fs.resolve(parent.path,
				       fs.normalize(child));
	    }
	} else {
	    this.path = fs.normalize(child);
	}
	this.prefixLength = fs.prefixLength(this.path);
    }

    /**
     * Creates a new File instance by converting the given
     * file: URI into an abstract pathname.
     *
     * 
     The exact form of a file: URI is system-dependent, hence
     * the transformation performed by this constructor is also
     * system-dependent.
     *
     * 
     For a given abstract pathname f it is guaranteed that
     *
     * 
    
     * new File( f.{@link #toURI() toURI}()).equals( f.{@link #getAbsoluteFile() getAbsoluteFile}())
     * 
    
     *
     * so long as the original abstract pathname, the URI, and the new abstract
     * pathname are all created in (possibly different invocations of) the same
     * Java virtual machine.  This relationship typically does not hold,
     * however, when a file: URI that is created in a virtual machine
     * on one operating system is converted into an abstract pathname in a
     * virtual machine on a different operating system.
     *
     * @param  uri
     *         An absolute, hierarchical URI with a scheme equal to
     *         "file", a non-empty path component, and undefined
     *         authority, query, and fragment components
     *
     * @throws  NullPointerException
     *          If uri is null
     *
     * @throws  IllegalArgumentException
     *          If the preconditions on the parameter do not hold
     *
     * @see #toURI()
     * @see java.net.URI
     * @since 1.4
     */
    public File(URI uri) {

	// Check our many preconditions
	if (!uri.isAbsolute())
	    throw new IllegalArgumentException("URI is not absolute");
	if (uri.isOpaque())
	    throw new IllegalArgumentException("URI is not hierarchical");
	String scheme = uri.getScheme();
	if ((scheme == null) || !scheme.equalsIgnoreCase("file"))
	    throw new IllegalArgumentException("URI scheme is not \"file\"");
	if (uri.getAuthority() != null)
	    throw new IllegalArgumentException("URI has an authority component");
	if (uri.getFragment() != null)
	    throw new IllegalArgumentException("URI has a fragment component");
	if (uri.getQuery() != null)
	    throw new IllegalArgumentException("URI has a query component");
	String p = uri.getPath();
	if (p.equals(""))
	    throw new IllegalArgumentException("URI path component is empty");

	// Okay, now initialize
	p = fs.fromURIPath(p);
	if (File.separatorChar != '/')
	    p = p.replace('/', File.separatorChar);
	this.path = fs.normalize(p);
	this.prefixLength = fs.prefixLength(this.path);
    }


    /* -- Path-component accessors -- */

    /**
     * Returns the name of the file or directory denoted by this abstract
     * pathname.  This is just the last name in the pathname's name
     * sequence.  If the pathname's name sequence is empty, then the empty
     * string is returned.
     *
     * @return  The name of the file or directory denoted by this abstract
     *          pathname, or the empty string if this pathname's name sequence
     *          is empty
     */
    public String getName() {
	int index = path.lastIndexOf(separatorChar);
	if (index < prefixLength) return path.substring(prefixLength);
	return path.substring(index + 1);
    }

    /**
     * Returns the pathname string of this abstract pathname's parent, or
     * null if this pathname does not name a parent directory.
     *
     * 
     The parent of an abstract pathname consists of the
     * pathname's prefix, if any, and each name in the pathname's name
     * sequence except for the last.  If the name sequence is empty then
     * the pathname does not name a parent directory.
     *
     * @return  The pathname string of the parent directory named by this
     *          abstract pathname, or null if this pathname
     *          does not name a parent
     */
    public String getParent() {
	int index = path.lastIndexOf(separatorChar);
	if (index < prefixLength) {
	    if ((prefixLength > 0) && (path.length() > prefixLength))
		return path.substring(0, prefixLength);
	    return null;
	}
	return path.substring(0, index);
    }

    /**
     * Returns the abstract pathname of this abstract pathname's parent,
     * or null if this pathname does not name a parent
     * directory.
     *
     * 
     The parent of an abstract pathname consists of the
     * pathname's prefix, if any, and each name in the pathname's name
     * sequence except for the last.  If the name sequence is empty then
     * the pathname does not name a parent directory.
     *
     * @return  The abstract pathname of the parent directory named by this
     *          abstract pathname, or null if this pathname
     *          does not name a parent
     *
     * @since 1.2
     */
    public File getParentFile() {
	String p = this.getParent();
	if (p == null) return null;
	return new File(p, this.prefixLength);
    }

    /**
     * Converts this abstract pathname into a pathname string.  The resulting
     * string uses the {@link #separator default name-separator character} to
     * separate the names in the name sequence.
     *
     * @return  The string form of this abstract pathname
     */
    public String getPath() {
	return path;
    }


    /* -- Path operations -- */

    /**
     * Tests whether this abstract pathname is absolute.  The definition of
     * absolute pathname is system dependent.  On UNIX systems, a pathname is
     * absolute if its prefix is "/".  On Microsoft Windows systems, a
     * pathname is absolute if its prefix is a drive specifier followed by
     * "\\", or if its prefix is "\\".
     *
     * @return  true if this abstract pathname is absolute,
     *          false otherwise
     */
    public boolean isAbsolute() {
	return fs.isAbsolute(this);
    }

    /**
     * Returns the absolute pathname string of this abstract pathname.
     *
     * 
     If this abstract pathname is already absolute, then the pathname
     * string is simply returned as if by the {@link #getPath}
     * method.  If this abstract pathname is the empty abstract pathname then
     * the pathname string of the current user directory, which is named by the
     * system property user.dir, is returned.  Otherwise this
     * pathname is resolved in a system-dependent way.  On UNIX systems, a
     * relative pathname is made absolute by resolving it against the current
     * user directory.  On Microsoft Windows systems, a relative pathname is made absolute
     * by resolving it against the current directory of the drive named by the
     * pathname, if any; if not, it is resolved against the current user
     * directory.
     *
     * @return  The absolute pathname string denoting the same file or
     *          directory as this abstract pathname
     *
     * @throws  SecurityException
     *          If a required system property value cannot be accessed.
     *
     * @see     java.io.File#isAbsolute()
     */
    public String getAbsolutePath() {
	return fs.resolve(this);
    }

    /**
     * Returns the absolute form of this abstract pathname.  Equivalent to
     * new File(this.{@link #getAbsolutePath}()).
     *
     * @return  The absolute abstract pathname denoting the same file or
     *          directory as this abstract pathname
     *
     * @throws  SecurityException
     *          If a required system property value cannot be accessed.
     *
     * @since 1.2
     */
    public File getAbsoluteFile() {
	return new File(getAbsolutePath());
    }

    /**
     * Returns the canonical pathname string of this abstract pathname.
     *
     * 
     A canonical pathname is both absolute and unique.  The precise
     * definition of canonical form is system-dependent.  This method first
     * converts this pathname to absolute form if necessary, as if by invoking the
     * {@link #getAbsolutePath} method, and then maps it to its unique form in a
     * system-dependent way.  This typically involves removing redundant names
     * such as "." and ".." from the pathname, resolving
     * symbolic links (on UNIX platforms), and converting drive letters to a
     * standard case (on Microsoft Windows platforms).
     *
     * 
     Every pathname that denotes an existing file or directory has a
     * unique canonical form.  Every pathname that denotes a nonexistent file
     * or directory also has a unique canonical form.  The canonical form of
     * the pathname of a nonexistent file or directory may be different from
     * the canonical form of the same pathname after the file or directory is
     * created.  Similarly, the canonical form of the pathname of an existing
     * file or directory may be different from the canonical form of the same
     * pathname after the file or directory is deleted.
     *
     * @return  The canonical pathname string denoting the same file or
     *          directory as this abstract pathname
     *
     * @throws  IOException
     *          If an I/O error occurs, which is possible because the
     *          construction of the canonical pathname may require
     *          filesystem queries
     *
     * @throws  SecurityException
     *          If a required system property value cannot be accessed.
     *
     * @since   JDK1.1
     */
    public String getCanonicalPath() throws IOException {
	return fs.canonicalize(fs.resolve(this));
    }

    /**
     * Returns the canonical form of this abstract pathname.  Equivalent to
     * new File(this.{@link #getCanonicalPath}()).
     *
     * @return  The canonical pathname string denoting the same file or
     *          directory as this abstract pathname
     *
     * @throws  IOException
     *          If an I/O error occurs, which is possible because the
     *          construction of the canonical pathname may require
     *          filesystem queries
     *
     * @throws  SecurityException
     *          If a required system property value cannot be accessed.
     *
     * @since 1.2
     */
    public File getCanonicalFile() throws IOException {
	return new File(getCanonicalPath());
    }

    private static String slashify(String path, boolean isDirectory) {
	String p = path;
	if (File.separatorChar != '/')
	    p = p.replace(File.separatorChar, '/');
	if (!p.startsWith("/"))
	    p = "/" + p;
	if (!p.endsWith("/") && isDirectory)
	    p = p + "/";
	return p;
    }

    /**
     * Converts this abstract pathname into a file: URL.  The
     * exact form of the URL is system-dependent.  If it can be determined that
     * the file denoted by this abstract pathname is a directory, then the
     * resulting URL will end with a slash.
     *
     * 
     Usage note: This method does not automatically escape
     * characters that are illegal in URLs.  It is recommended that new code
     * convert an abstract pathname into a URL by first converting it into a
     * URI, via the {@link #toURI() toURI} method, and then converting the URI
     * into a URL via the {@link java.net.URI#toURL() URI.toURL} method.
     *
     * @return  A URL object representing the equivalent file URL
     *
     * @throws  MalformedURLException
     *          If the path cannot be parsed as a URL
     *
     * @see     #toURI()
     * @see     java.net.URI
     * @see     java.net.URI#toURL()
     * @see     java.net.URL
     * @since   1.2
     */
    public URL toURL() throws MalformedURLException {
	return new URL("file", "", slashify(getAbsolutePath(), isDirectory()));
    }

    /**
     * Constructs a file: URI that represents this abstract pathname.
     *
     * 
     The exact form of the URI is system-dependent.  If it can be
     * determined that the file denoted by this abstract pathname is a
     * directory, then the resulting URI will end with a slash.
     *
     * 
     For a given abstract pathname f, it is guaranteed that
     *
     * 
    
     * new {@link #File(java.net.URI) File}( f.toURI()).equals( f.{@link #getAbsoluteFile() getAbsoluteFile}())
     * 
    
     *
     * so long as the original abstract pathname, the URI, and the new abstract
     * pathname are all created in (possibly different invocations of) the same
     * Java virtual machine.  Due to the system-dependent nature of abstract
     * pathnames, however, this relationship typically does not hold when a
     * file: URI that is created in a virtual machine on one operating
     * system is converted into an abstract pathname in a virtual machine on a
     * different operating system.
     *
     * @return  An absolute, hierarchical URI with a scheme equal to
     *          "file", a path representing this abstract pathname,
     *          and undefined authority, query, and fragment components
     *
     * @see #File(java.net.URI)
     * @see java.net.URI
     * @see java.net.URI#toURL()
     * @since 1.4
     */
    public URI toURI() {
	try {
	    File f = getAbsoluteFile();
	    String sp = slashify(f.getPath(), f.isDirectory());
	    if (sp.startsWith("//"))
		sp = "//" + sp;
	    return new URI("file", null, sp, null);
	} catch (URISyntaxException x) {
	    throw new Error(x);		// Can't happen
	}
    }


    /* -- Attribute accessors -- */

    /**
     * Tests whether the application can read the file denoted by this
     * abstract pathname.
     *
     * @return  true if and only if the file specified by this
     *          abstract pathname exists and can be read by the
     *          application; false otherwise
     *
     * @throws  SecurityException
     *          If a security manager exists and its {@link
     *          java.lang.SecurityManager#checkRead(java.lang.String)}
     *          method denies read access to the file
     */
    public boolean canRead() {
	SecurityManager security = System.getSecurityManager();
	if (security != null) {
	    security.checkRead(path);
	}
	return fs.checkAccess(this, false);
    }

    /**
     * Tests whether the application can modify to the file denoted by this
     * abstract pathname.
     *
     * @return  true if and only if the file system actually
     *          contains a file denoted by this abstract pathname and
     *          the application is allowed to write to the file;
     *          false otherwise.
     *
     * @throws  SecurityException
     *          If a security manager exists and its {@link
     *          java.lang.SecurityManager#checkWrite(java.lang.String)}
     *          method denies write access to the file
     */
    public boolean canWrite() {
	SecurityManager security = System.getSecurityManager();
	if (security != null) {
	    security.checkWrite(path);
	}
	return fs.checkAccess(this, true);
    }

    /**
     * Tests whether the file or directory denoted by this abstract pathname
     * exists.
     *
     * @return  true if and only if the file or directory denoted
     *          by this abstract pathname exists; false otherwise
     *
     * @throws  SecurityException
     *          If a security manager exists and its {@link
     *          java.lang.SecurityManager#checkRead(java.lang.String)}
     *          method denies read access to the file or directory
     */
    public boolean exists() {
	SecurityManager security = System.getSecurityManager();
	if (security != null) {
	    security.checkRead(path);
	}
	return ((fs.getBooleanAttributes(this) & FileSystem.BA_EXISTS) != 0);
    }

    /**
     * Tests whether the file denoted by this abstract pathname is a
     * directory.
     *
     * @return true if and only if the file denoted by this
     *          abstract pathname exists and is a directory;
     *          false otherwise
     *
     * @throws  SecurityException
     *          If a security manager exists and its {@link
     *          java.lang.SecurityManager#checkRead(java.lang.String)}
     *          method denies read access to the file
     */
    public boolean isDirectory() {
	SecurityManager security = System.getSecurityManager();
	if (security != null) {
	    security.checkRead(path);
	}
	return ((fs.getBooleanAttributes(this) & FileSystem.BA_DIRECTORY)
		!= 0);
    }

    /**
     * Tests whether the file denoted by this abstract pathname is a normal
     * file.  A file is normal if it is not a directory and, in
     * addition, satisfies other system-dependent criteria.  Any non-directory
     * file created by a Java application is guaranteed to be a normal file.
     *
     * @return  true if and only if the file denoted by this
     *          abstract pathname exists and is a normal file;
     *          false otherwise
     *
     * @throws  SecurityException
     *          If a security manager exists and its {@link
     *          java.lang.SecurityManager#checkRead(java.lang.String)}
     *          method denies read access to the file
     */
    public boolean isFile() {
	SecurityManager security = System.getSecurityManager();
	if (security != null) {
	    security.checkRead(path);
	}
	return ((fs.getBooleanAttributes(this) & FileSystem.BA_REGULAR) != 0);
    }

    /**
     * Tests whether the file named by this abstract pathname is a hidden
     * file.  The exact definition of hidden is system-dependent.  On
     * UNIX systems, a file is considered to be hidden if its name begins with
     * a period character ('.').  On Microsoft Windows systems, a file is
     * considered to be hidden if it has been marked as such in the filesystem.
     *
     * @return  true if and only if the file denoted by this
     *          abstract pathname is hidden according to the conventions of the
     *          underlying platform
     *
     * @throws  SecurityException
     *          If a security manager exists and its {@link
     *          java.lang.SecurityManager#checkRead(java.lang.String)}
     *          method denies read access to the file
     *
     * @since 1.2
     */
    public boolean isHidden() {
	SecurityManager security = System.getSecurityManager();
	if (security != null) {
	    security.checkRead(path);
	}
	return ((fs.getBooleanAttributes(this) & FileSystem.BA_HIDDEN) != 0);
    }

    /**
     * Returns the time that the file denoted by this abstract pathname was
     * last modified.
     *
     * @return  A long value representing the time the file was
     *          last modified, measured in milliseconds since the epoch
     *          (00:00:00 GMT, January 1, 1970), or 0L if the
     *          file does not exist or if an I/O error occurs
     *
     * @throws  SecurityException
     *          If a security manager exists and its {@link
     *          java.lang.SecurityManager#checkRead(java.lang.String)}
     *          method denies read access to the file
     */
    public long lastModified() {
	SecurityManager security = System.getSecurityManager();
	if (security != null) {
	    security.checkRead(path);
	}
	return fs.getLastModifiedTime(this);
    }

    /**
     * Returns the length of the file denoted by this abstract pathname.
     * The return value is unspecified if this pathname denotes a directory.
     *
     * @return  The length, in bytes, of the file denoted by this abstract
     *          pathname, or 0L if the file does not exist
     *
     * @throws  SecurityException
     *          If a security manager exists and its {@link
     *          java.lang.SecurityManager#checkRead(java.lang.String)}
     *          method denies read access to the file
     */
    public long length() {
	SecurityManager security = System.getSecurityManager();
	if (security != null) {
	    security.checkRead(path);
	}
	return fs.getLength(this);
    }


    /* -- File operations -- */

    /**
     * Atomically creates a new, empty file named by this abstract pathname if
     * and only if a file with this name does not yet exist.  The check for the
     * existence of the file and the creation of the file if it does not exist
     * are a single operation that is atomic with respect to all other
     * filesystem activities that might affect the file.
     * 
    
     * Note: this method should not be used for file-locking, as
     * the resulting protocol cannot be made to work reliably. The 
     * {@link java.nio.channels.FileLock FileLock}
     * facility should be used instead. 
     *
     * @return  true if the named file does not exist and was
     *          successfully created; false if the named file
     *          already exists
     *
     * @throws  IOException
     *          If an I/O error occurred
     *
     * @throws  SecurityException
     *          If a security manager exists and its {@link
     *          java.lang.SecurityManager#checkWrite(java.lang.String)}
     *          method denies write access to the file
     *
     * @since 1.2
     */
    public boolean createNewFile() throws IOException {
	SecurityManager security = System.getSecurityManager();
	if (security != null) security.checkWrite(path);
	return fs.createFileExclusively(path);
    }

    /**
     * Deletes the file or directory denoted by this abstract pathname.  If
     * this pathname denotes a directory, then the directory must be empty in
     * order to be deleted.
     *
     * @return  true if and only if the file or directory is
     *          successfully deleted; false otherwise
     *
     * @throws  SecurityException
     *          If a security manager exists and its {@link
     *          java.lang.SecurityManager#checkDelete} method denies
     *          delete access to the file
     */
    public boolean delete() {
	SecurityManager security = System.getSecurityManager();
	if (security != null) {
	    security.checkDelete(path);
	}
	return fs.delete(this);
    }

    /**
     * Requests that the file or directory denoted by this abstract 
     * pathname be deleted when the virtual machine terminates.  
     * Deletion will be attempted only for normal termination of the 
     * virtual machine, as defined by the Java Language Specification. 
     *
     * 
     Once deletion has been requested, it is not possible to cancel the
     * request.  This method should therefore be used with care.
     *
     * 
    
     * Note: this method should not be used for file-locking, as 
     * the resulting protocol cannot be made to work reliably. The 
     * {@link java.nio.channels.FileLock FileLock}
     * facility should be used instead.
     *
     * @throws  SecurityException
     *          If a security manager exists and its {@link
     *          java.lang.SecurityManager#checkDelete} method denies
     *          delete access to the file
     *
     * @see #delete
     *
     * @since 1.2
     */
    public void deleteOnExit() {
	SecurityManager security = System.getSecurityManager();
	if (security != null) {
	    security.checkDelete(path);
	}
	fs.deleteOnExit(this);
    }

    /**
     * Returns an array of strings naming the files and directories in the
     * directory denoted by this abstract pathname.
     *
     * 
     If this abstract pathname does not denote a directory, then this
     * method returns null.  Otherwise an array of strings is
     * returned, one for each file or directory in the directory.  Names
     * denoting the directory itself and the directory's parent directory are
     * not included in the result.  Each string is a file name rather than a
     * complete path.
     *
     * 
     There is no guarantee that the name strings in the resulting array
     * will appear in any specific order; they are not, in particular,
     * guaranteed to appear in alphabetical order.
     *
     * @return  An array of strings naming the files and directories in the
     *          directory denoted by this abstract pathname.  The array will be
     *          empty if the directory is empty.  Returns null if
     *          this abstract pathname does not denote a directory, or if an
     *          I/O error occurs.
     *
     * @throws  SecurityException
     *          If a security manager exists and its {@link
     *          java.lang.SecurityManager#checkRead(java.lang.String)}
     *          method denies read access to the directory
     */
    public String[] list() {
	SecurityManager security = System.getSecurityManager();
	if (security != null) {
	    security.checkRead(path);
	}
	return fs.list(this);
    }

    /**
     * Returns an array of strings naming the files and directories in the
     * directory denoted by this abstract pathname that satisfy the specified
     * filter.  The behavior of this method is the same as that of the
     * {@link #list()} method, except that the strings in the
     * returned array must satisfy the filter.  If the given
     * filter is null then all names are accepted.
     * Otherwise, a name satisfies the filter if and only if the value
     * true results when the {@link
     * FilenameFilter#accept} method of the filter is invoked on this
     * abstract pathname and the name of a file or directory in the directory
     * that it denotes.
     *
     * @param  filter  A filename filter
     *
     * @return  An array of strings naming the files and directories in the
     *          directory denoted by this abstract pathname that were accepted
     *          by the given filter.  The array will be empty if
     *          the directory is empty or if no names were accepted by the
     *          filter.  Returns null if this abstract pathname
     *          does not denote a directory, or if an I/O error occurs.
     *
     * @throws  SecurityException
     *          If a security manager exists and its {@link
     *          java.lang.SecurityManager#checkRead(java.lang.String)}
     *          method denies read access to the directory
     */
    public String[] list(FilenameFilter filter) {
	String names[] = list();
	if ((names == null) || (filter == null)) {
	    return names;
	}
	ArrayList v = new ArrayList();
	for (int i = 0 ; i < names.length ; i++) {
	    if (filter.accept(this, names[i])) {
		v.add(names[i]);
	    }
	}
	return (String[])(v.toArray(new String[0]));
    }

    /**
     * Returns an array of abstract pathnames denoting the files in the
     * directory denoted by this abstract pathname.
     *
     * 
     If this abstract pathname does not denote a directory, then this
     * method returns null.  Otherwise an array of
     * File objects is returned, one for each file or directory in
     * the directory.  Pathnames denoting the directory itself and the
     * directory's parent directory are not included in the result.  Each
     * resulting abstract pathname is constructed from this abstract pathname
     * using the {@link #File(java.io.File, java.lang.String)
     * File(File, String)} constructor.  Therefore if this pathname
     * is absolute then each resulting pathname is absolute; if this pathname
     * is relative then each resulting pathname will be relative to the same
     * directory.
     *
     * 
     There is no guarantee that the name strings in the resulting array
     * will appear in any specific order; they are not, in particular,
     * guaranteed to appear in alphabetical order.
     *
     * @return  An array of abstract pathnames denoting the files and
     *          directories in the directory denoted by this abstract
     *          pathname.  The array will be empty if the directory is
     *          empty.  Returns null if this abstract pathname
     *          does not denote a directory, or if an I/O error occurs.
     *
     * @throws  SecurityException
     *          If a security manager exists and its {@link
     *          java.lang.SecurityManager#checkRead(java.lang.String)}
     *          method denies read access to the directory
     *
     * @since 1.2
     */
    public File[] listFiles() {
	String[] ss = list();
	if (ss == null) return null;
	int n = ss.length;
	File[] fs = new File[n];
	for (int i = 0; i < n; i++) {
	    fs[i] = new File(this.path, ss[i]);
	}
	return fs;
    }

    /**
     * Returns an array of abstract pathnames denoting the files and
     * directories in the directory denoted by this abstract pathname that
     * satisfy the specified filter.  The behavior of this method is the
     * same as that of the {@link #listFiles()} method, except
     * that the pathnames in the returned array must satisfy the filter.
     * If the given filter is null then all
     * pathnames are accepted.  Otherwise, a pathname satisfies the filter
     * if and only if the value true results when the
     * {@link FilenameFilter#accept} method of the filter is
     * invoked on this abstract pathname and the name of a file or
     * directory in the directory that it denotes.
     *
     * @param  filter  A filename filter
     *
     * @return  An array of abstract pathnames denoting the files and
     *          directories in the directory denoted by this abstract
     *          pathname.  The array will be empty if the directory is
     *          empty.  Returns null if this abstract pathname
     *          does not denote a directory, or if an I/O error occurs.
     *          
     * @throws  SecurityException
     *          If a security manager exists and its {@link
     *          java.lang.SecurityManager#checkRead(java.lang.String)}
     *          method denies read access to the directory
     *
     * @since 1.2
     */
    public File[] listFiles(FilenameFilter filter) {
	String ss[] = list();
	if (ss == null) return null;
	ArrayList v = new ArrayList();
	for (int i = 0 ; i < ss.length ; i++) {
	    if ((filter == null) || filter.accept(this, ss[i])) {
		v.add(new File(this.path, ss[i]));
	    }
	}
	return (File[])(v.toArray(new File[0]));
    }

    /**
     * Returns an array of abstract pathnames denoting the files and
     * directories in the directory denoted by this abstract pathname that
     * satisfy the specified filter.  The behavior of this method is the
     * same as that of the {@link #listFiles()} method, except
     * that the pathnames in the returned array must satisfy the filter.
     * If the given filter is null then all
     * pathnames are accepted.  Otherwise, a pathname satisfies the filter
     * if and only if the value true results when the
     * {@link FileFilter#accept(java.io.File)} method of
     * the filter is invoked on the pathname.
     *
     * @param  filter  A file filter
     *
     * @return  An array of abstract pathnames denoting the files and
     *          directories in the directory denoted by this abstract
     *          pathname.  The array will be empty if the directory is
     *          empty.  Returns null if this abstract pathname
     *          does not denote a directory, or if an I/O error occurs.
     *          
     * @throws  SecurityException
     *          If a security manager exists and its {@link
     *          java.lang.SecurityManager#checkRead(java.lang.String)}
     *          method denies read access to the directory
     *
     * @since 1.2
     */
    public File[] listFiles(FileFilter filter) {
	String ss[] = list();
	if (ss == null) return null;
	ArrayList v = new ArrayList();
	for (int i = 0 ; i < ss.length ; i++) {
	    File f = new File(this.path, ss[i]);
	    if ((filter == null) || filter.accept(f)) {
		v.add(f);
	    }
	}
	return (File[])(v.toArray(new File[0]));
    }

    /**
     * Creates the directory named by this abstract pathname.
     *
     * @return  true if and only if the directory was
     *          created; false otherwise
     *
     * @throws  SecurityException
     *          If a security manager exists and its {@link
     *          java.lang.SecurityManager#checkWrite(java.lang.String)}
     *          method does not permit the named directory to be created
     */
    public boolean mkdir() {
	SecurityManager security = System.getSecurityManager();
	if (security != null) {
	    security.checkWrite(path);
	}
	return fs.createDirectory(this);
    }

    /**
     * Creates the directory named by this abstract pathname, including any
     * necessary but nonexistent parent directories.  Note that if this
     * operation fails it may have succeeded in creating some of the necessary
     * parent directories.
     *
     * @return  true if and only if the directory was created,
     *          along with all necessary parent directories; false
     *          otherwise
     *
     * @throws  SecurityException
     *          If a security manager exists and its {@link
     *          java.lang.SecurityManager#checkWrite(java.lang.String)}
     *          method does not permit the named directory and all necessary
     *          parent directories and to be created
     */
    public boolean mkdirs() {
	if (exists()) {
	    return false;
	}
	if (mkdir()) {
 	    return true;
 	}
        File canonFile = null;
        try {
            canonFile = getCanonicalFile();
        } catch (IOException e) {
            return false;
        }
	String parent = canonFile.getParent();
        return (parent != null) && (new File(parent).mkdirs() &&
                                    canonFile.mkdir());
    }

    /**
     * Renames the file denoted by this abstract pathname.
     * 
     * 
     Whether or not this method can move a file from one filesystem 
     * to another is platform-dependent.  The return value should always 
     * be checked to make sure that the rename operation was successful.
     *
     * @param  dest  The new abstract pathname for the named file
     * 
     * @return  true if and only if the renaming succeeded;
     *          false otherwise
     *
     * @throws  SecurityException
     *          If a security manager exists and its {@link
     *          java.lang.SecurityManager#checkWrite(java.lang.String)}
     *          method denies write access to either the old or new pathnames
     * 
     * @throws  NullPointerException  
     *          If parameter dest is null
     */
    public boolean renameTo(File dest) {
	SecurityManager security = System.getSecurityManager();
	if (security != null) {
	    security.checkWrite(path);
	    security.checkWrite(dest.path);
	}
	return fs.rename(this, dest);
    }

    /**
     * Sets the last-modified time of the file or directory named by this
     * abstract pathname.
     *
     * 
     All platforms support file-modification times to the nearest second,
     * but some provide more precision.  The argument will be truncated to fit
     * the supported precision.  If the operation succeeds and no intervening
     * operations on the file take place, then the next invocation of the
     * {@link #lastModified} method will return the (possibly
     * truncated) time argument that was passed to this method.
     *
     * @param  time  The new last-modified time, measured in milliseconds since
     *               the epoch (00:00:00 GMT, January 1, 1970)
     *
     * @return true if and only if the operation succeeded;
     *          false otherwise
     *
     * @throws  IllegalArgumentException  If the argument is negative
     *
     * @throws  SecurityException
     *          If a security manager exists and its {@link
     *          java.lang.SecurityManager#checkWrite(java.lang.String)}
     *          method denies write access to the named file
     *
     * @since 1.2
     */
    public boolean setLastModified(long time) {
	if (time < 0) throw new IllegalArgumentException("Negative time");
	SecurityManager security = System.getSecurityManager();
	if (security != null) {
	    security.checkWrite(path);
	}
	return fs.setLastModifiedTime(this, time);
    }

    /**
     * Marks the file or directory named by this abstract pathname so that
     * only read operations are allowed.  After invoking this method the file
     * or directory is guaranteed not to change until it is either deleted or
     * marked to allow write access.  Whether or not a read-only file or
     * directory may be deleted depends upon the underlying system.
     *
     * @return true if and only if the operation succeeded;
     *          false otherwise
     *
     * @throws  SecurityException
     *          If a security manager exists and its {@link
     *          java.lang.SecurityManager#checkWrite(java.lang.String)}
     *          method denies write access to the named file
     *
     * @since 1.2
     */
    public boolean setReadOnly() {
	SecurityManager security = System.getSecurityManager();
	if (security != null) {
	    security.checkWrite(path);
	}
	return fs.setReadOnly(this);
    }


    /* -- Filesystem interface -- */

    /**
     * List the available filesystem roots.
     *
     * 
     A particular Java platform may support zero or more
     * hierarchically-organized file systems.  Each file system has a
     * root directory from which all other files in that file
     * system can be reached.  Windows platforms, for example, have a root
     * directory for each active drive; UNIX platforms have a single root
     * directory, namely "/".  The set of available filesystem
     * roots is affected by various system-level operations such the insertion
     * or ejection of removable media and the disconnecting or unmounting of
     * physical or virtual disk drives.
     *
     * 
     This method returns an array of File objects that
     * denote the root directories of the available filesystem roots.  It is
     * guaranteed that the canonical pathname of any file physically present on
     * the local machine will begin with one of the roots returned by this
     * method.
     *
     * 
     The canonical pathname of a file that resides on some other machine
     * and is accessed via a remote-filesystem protocol such as SMB or NFS may
     * or may not begin with one of the roots returned by this method.  If the
     * pathname of a remote file is syntactically indistinguishable from the
     * pathname of a local file then it will begin with one of the roots
     * returned by this method.  Thus, for example, File objects
     * denoting the root directories of the mapped network drives of a Windows
     * platform will be returned by this method, while File
     * objects containing UNC pathnames will not be returned by this method.
     *
     * 
     Unlike most methods in this class, this method does not throw
     * security exceptions.  If a security manager exists and its {@link
     * java.lang.SecurityManager#checkRead(java.lang.String)} method
     * denies read access to a particular root directory, then that directory
     * will not appear in the result.
     *
     * @return  An array of File objects denoting the available
     *          filesystem roots, or null if the set of roots
     *          could not be determined.  The array will be empty if there are
     *          no filesystem roots.
     *
     * @since 1.2
     */
    public static File[] listRoots() {
	return fs.listRoots();
    }


    /* -- Temporary files -- */

    private static final Object tmpFileLock = new Object();

    private static int counter = -1; /* Protected by tmpFileLock */

    private static File generateFile(String prefix, String suffix, File dir)
	throws IOException
    {
	if (counter == -1) {
	    counter = new Random().nextInt() & 0xffff;
	}
	counter++;
	return new File(dir, prefix + Integer.toString(counter) + suffix);
    }

    private static String tmpdir; /* Protected by tmpFileLock */

    private static String getTempDir() {
	if (tmpdir == null) {
	    GetPropertyAction a = new GetPropertyAction("java.io.tmpdir");
	    tmpdir = ((String) AccessController.doPrivileged(a));
	}
	return tmpdir;
    }

    private static boolean checkAndCreate(String filename, SecurityManager sm)
	throws IOException
    {
	if (sm != null) {
	    try {
		sm.checkWrite(filename);
	    } catch (AccessControlException x) {
		/* Throwing the original AccessControlException could disclose
		   the location of the default temporary directory, so we
		   re-throw a more innocuous SecurityException */
		throw new SecurityException("Unable to create temporary file");
	    }
	}
	return fs.createFileExclusively(filename);
    }

    /**
     * 
     Creates a new empty file in the specified directory, using the
     * given prefix and suffix strings to generate its name.  If this method
     * returns successfully then it is guaranteed that:
     *
     * 
      
     * 
    1.  The file denoted by the returned abstract pathname did not exist
     *      before this method was invoked, and
     * 
    2.  Neither this method nor any of its variants will return the same
     *      abstract pathname again in the current invocation of the virtual
     *      machine.
     * 
    
     *
     * This method provides only part of a temporary-file facility.  To arrange
     * for a file created by this method to be deleted automatically, use the
     * {@link #deleteOnExit} method.
     *
     * 
     The prefix argument must be at least three characters
     * long.  It is recommended that the prefix be a short, meaningful string
     * such as "hjb" or "mail".  The
     * suffix argument may be null, in which case the
     * suffix ".tmp" will be used.
     *
     * 
     To create the new file, the prefix and the suffix may first be
     * adjusted to fit the limitations of the underlying platform.  If the
     * prefix is too long then it will be truncated, but its first three
     * characters will always be preserved.  If the suffix is too long then it
     * too will be truncated, but if it begins with a period character
     * ('.') then the period and the first three characters
     * following it will always be preserved.  Once these adjustments have been
     * made the name of the new file will be generated by concatenating the
     * prefix, five or more internally-generated characters, and the suffix.
     *
     * 
     If the directory argument is null then the
     * system-dependent default temporary-file directory will be used.  The
     * default temporary-file directory is specified by the system property
     * java.io.tmpdir.  On UNIX systems the default value of this
     * property is typically "/tmp" or "/var/tmp"; on
     * Microsoft Windows systems it is typically "c:\\temp".  A different
     * value may be given to this system property when the Java virtual machine
     * is invoked, but programmatic changes to this property are not guaranteed
     * to have any effect upon the the temporary directory used by this method.
     *
     * @param  prefix     The prefix string to be used in generating the file's
     *                    name; must be at least three characters long
     *
     * @param  suffix     The suffix string to be used in generating the file's
     *                    name; may be null, in which case the
     *                    suffix ".tmp" will be used
     *
     * @param  directory  The directory in which the file is to be created, or
     *                    null if the default temporary-file
     *                    directory is to be used
     *
     * @return  An abstract pathname denoting a newly-created empty file
     *
     * @throws  IllegalArgumentException
     *          If the prefix argument contains fewer than three
     *          characters
     *
     * @throws  IOException  If a file could not be created
     *
     * @throws  SecurityException
     *          If a security manager exists and its {@link
     *          java.lang.SecurityManager#checkWrite(java.lang.String)}
     *          method does not allow a file to be created
     *
     * @since 1.2
     */
    public static File createTempFile(String prefix, String suffix,
				      File directory)
        throws IOException
    {
	if (prefix == null) throw new NullPointerException();
	if (prefix.length() < 3)
	    throw new IllegalArgumentException("Prefix string too short");
	String s = (suffix == null) ? ".tmp" : suffix;
	synchronized (tmpFileLock) {
	    if (directory == null) {
		directory = new File(getTempDir());
	    }
	    SecurityManager sm = System.getSecurityManager();
	    File f;
	    do {
		f = generateFile(prefix, s, directory);
	    } while (!checkAndCreate(f.getPath(), sm));
	    return f;
	}
    }

    /**
     * Creates an empty file in the default temporary-file directory, using
     * the given prefix and suffix to generate its name.  Invoking this method
     * is equivalent to invoking {@link #createTempFile(java.lang.String,
     * java.lang.String, java.io.File)
     * createTempFile(prefix, suffix, null)}.
     *
     * @param  prefix     The prefix string to be used in generating the file's
     *                    name; must be at least three characters long
     *
     * @param  suffix     The suffix string to be used in generating the file's
     *                    name; may be null, in which case the
     *                    suffix ".tmp" will be used
     *
     * @return  An abstract pathname denoting a newly-created empty file
     *
     * @throws  IllegalArgumentException
     *          If the prefix argument contains fewer than three
     *          characters
     *
     * @throws  IOException  If a file could not be created
     *
     * @throws  SecurityException
     *          If a security manager exists and its {@link
     *          java.lang.SecurityManager#checkWrite(java.lang.String)}
     *          method does not allow a file to be created
     *
     * @since 1.2
     */
    public static File createTempFile(String prefix, String suffix)
	throws IOException
    {
	return createTempFile(prefix, suffix, null);
    }


    /* -- Basic infrastructure -- */

    /**
     * Compares two abstract pathnames lexicographically.  The ordering
     * defined by this method depends upon the underlying system.  On UNIX
     * systems, alphabetic case is significant in comparing pathnames; on Microsoft Windows
     * systems it is not.
     *
     * @param   pathname  The abstract pathname to be compared to this abstract
     *                    pathname
     * 
     * @return  Zero if the argument is equal to this abstract pathname, a
     *		value less than zero if this abstract pathname is
     *		lexicographically less than the argument, or a value greater
     *		than zero if this abstract pathname is lexicographically
     *		greater than the argument
     *
     * @since   1.2
     */
    public int compareTo(File pathname) {
	return fs.compare(this, pathname);
    }

    /**
     * Compares this abstract pathname to another object.  If the other object
     * is an abstract pathname, then this function behaves like {@link
     * #compareTo(File)}.  Otherwise, it throws a
     * ClassCastException, since abstract pathnames can only be
     * compared to abstract pathnames.
     *
     * @param   o  The Object to be compared to this abstract
     *             pathname
     *
     * @return  If the argument is an abstract pathname, returns zero
     *          if the argument is equal to this abstract pathname, a value
     *          less than zero if this abstract pathname is lexicographically
     *          less than the argument, or a value greater than zero if this
     *          abstract pathname is lexicographically greater than the
     *          argument
     *
     * @throws  ClassCastException if the argument is not an
     *		abstract pathname
     *
     * @see     java.lang.Comparable
     * @since   1.2
     */
    public int compareTo(Object o) {
	return compareTo((File)o);
    }

    /**
     * Tests this abstract pathname for equality with the given object.
     * Returns true if and only if the argument is not
     * null and is an abstract pathname that denotes the same file
     * or directory as this abstract pathname.  Whether or not two abstract
     * pathnames are equal depends upon the underlying system.  On UNIX
     * systems, alphabetic case is significant in comparing pathnames; on Microsoft Windows
     * systems it is not.
     *
     * @param   obj   The object to be compared with this abstract pathname
     *
     * @return  true if and only if the objects are the same;
     *          false otherwise
     */
    public boolean equals(Object obj) {
	if ((obj != null) && (obj instanceof File)) {
	    return compareTo((File)obj) == 0;
	}
	return false;
    }

    /**
     * Computes a hash code for this abstract pathname.  Because equality of
     * abstract pathnames is inherently system-dependent, so is the computation
     * of their hash codes.  On UNIX systems, the hash code of an abstract
     * pathname is equal to the exclusive or of its pathname string
     * and the decimal value 1234321.  On Microsoft Windows systems, the hash
     * code is equal to the exclusive or of its pathname string,
     * convered to lower case, and the decimal value 1234321.
     *
     * @return  A hash code for this abstract pathname
     */
    public int hashCode() {
	return fs.hashCode(this);
    }

    /**
     * Returns the pathname string of this abstract pathname.  This is just the
     * string returned by the {@link #getPath} method.
     *
     * @return  The string form of this abstract pathname
     */
    public String toString() {
	return getPath();
    }

    /**
     * WriteObject is called to save this filename.
     * The separator character is saved also so it can be replaced
     * in case the path is reconstituted on a different host type.
     */
    private synchronized void writeObject(java.io.ObjectOutputStream s)
        throws IOException
    {
	s.defaultWriteObject();
	s.writeChar(this.separatorChar); // Add the separator character
    }

    /**
     * readObject is called to restore this filename.
     * The original separator character is read.  If it is different
     * than the separator character on this system, then the old seperator
     * is replaced by the local separator.
     */
    private synchronized void readObject(java.io.ObjectInputStream s)
         throws IOException, ClassNotFoundException
    {
	s.defaultReadObject();
	char sep = s.readChar(); // read the previous seperator char
	if (sep != separatorChar)
	    this.path = this.path.replace(sep, separatorChar);
	this.path = fs.normalize(this.path);
	this.prefixLength = fs.prefixLength(this.path);
    }

    /** use serialVersionUID from JDK 1.0.2 for interoperability */
    private static final long serialVersionUID = 301077366599181567L;

}
why-2.39/lib/java_api/java/io/IOException.java0000644000106100004300000000211713147234006020133 0ustar  marchevals/*
 * @(#)IOException.java	1.21 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.io;

/**
 * Signals that an I/O exception of some sort has occurred. This
 * class is the general class of exceptions produced by failed or
 * interrupted I/O operations.
 *
 * @author  unascribed
 * @version 1.21, 01/23/03
 * @see     java.io.InputStream
 * @see     java.io.OutputStream
 * @since   JDK1.0
 */
public
class IOException extends Exception {
    /**
     * Constructs an IOException with null
     * as its error detail message.
     */
    public IOException() {
	super();
    }

    /**
     * Constructs an IOException with the specified detail
     * message. The error message string s can later be
     * retrieved by the {@link java.lang.Throwable#getMessage}
     * method of class java.lang.Throwable.
     *
     * @param   s   the detail message.
     */
    public IOException(String s) {
	super(s);
    }
}
why-2.39/lib/java_api/java/io/FileDescriptor.java0000644000106100004300000000753113147234006020670 0ustar  marchevals/*
 * @(#)FileDescriptor.java	1.20 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.io;

/**
 * Instances of the file descriptor class serve as an opaque handle
 * to the underlying machine-specific structure representing an open
 * file, an open socket, or another source or sink of bytes. The
 * main practical use for a file descriptor is to create a
 * FileInputStream or FileOutputStream to
 * contain it.
 * 
    
 * Applications should not create their own file descriptors.
 *
 * @author  Pavani Diwanji
 * @version 1.20, 01/23/03
 * @see	    java.io.FileInputStream
 * @see	    java.io.FileOutputStream
 * @since   JDK1.0
 */
public final class FileDescriptor {

    private int fd;

    /**
     * Constructs an (invalid) FileDescriptor
     * object.
     */
    public /**/ FileDescriptor() {
	fd = -1;
    }

    private /* */ FileDescriptor(int fd) {
	this.fd = fd;
    }

    /**
     * A handle to the standard input stream. Usually, this file
     * descriptor is not used directly, but rather via the input stream
     * known as System.in.
     *
     * @see     java.lang.System#in
     */
    public static final FileDescriptor in = new FileDescriptor(0);

    /**
     * A handle to the standard output stream. Usually, this file
     * descriptor is not used directly, but rather via the output stream
     * known as System.out.
     * @see     java.lang.System#out
     */
    public static final FileDescriptor out = new FileDescriptor(1);

    /**
     * A handle to the standard error stream. Usually, this file
     * descriptor is not used directly, but rather via the output stream
     * known as System.err.
     *
     * @see     java.lang.System#err
     */
    public static final FileDescriptor err = new FileDescriptor(2);

    /**
     * Tests if this file descriptor object is valid.
     *
     * @return  true if the file descriptor object represents a
     *          valid, open file, socket, or other active I/O connection;
     *          false otherwise.
     */
    public boolean valid() {
	return fd != -1;
    }

    /**
     * Force all system buffers to synchronize with the underlying
     * device.  This method returns after all modified data and
     * attributes of this FileDescriptor have been written to the
     * relevant device(s).  In particular, if this FileDescriptor
     * refers to a physical storage medium, such as a file in a file
     * system, sync will not return until all in-memory modified copies
     * of buffers associated with this FileDesecriptor have been
     * written to the physical medium.
     *
     * sync is meant to be used by code that requires physical
     * storage (such as a file) to be in a known state  For
     * example, a class that provided a simple transaction facility
     * might use sync to ensure that all changes to a file caused
     * by a given transaction were recorded on a storage medium.
     *
     * sync only affects buffers downstream of this FileDescriptor.  If
     * any in-memory buffering is being done by the application (for
     * example, by a BufferedOutputStream object), those buffers must
     * be flushed into the FileDescriptor (for example, by invoking
     * OutputStream.flush) before that data will be affected by sync.
     *
     * @exception SyncFailedException
     *	      Thrown when the buffers cannot be flushed,
     *	      or because the system cannot guarantee that all the
     *	      buffers have been synchronized with physical media.
     * @since     JDK1.1
     */
    public native void sync() throws SyncFailedException;

    /* This routine initializes JNI field offsets for the class */
    private static native void initIDs();

    static {
	initIDs();
    }
}
why-2.39/lib/java_api/java/util/0000755000106100004300000000000013147234006015447 5ustar  marchevalswhy-2.39/lib/java_api/java/util/Set.java0000644000106100004300000003450613147234006017055 0ustar  marchevals/*
 * @(#)Set.java	1.29 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.util;

/**
 * A collection that contains no duplicate elements.  More formally, sets
 * contain no pair of elements e1 and e2 such that
 * e1.equals(e2), and at most one null element.  As implied by
 * its name, this interface models the mathematical set abstraction.
    
 *
 * The Set interface places additional stipulations, beyond those
 * inherited from the Collection interface, on the contracts of all
 * constructors and on the contracts of the add, equals and
 * hashCode methods.  Declarations for other inherited methods are
 * also included here for convenience.  (The specifications accompanying these
 * declarations have been tailored to the Set interface, but they do
 * not contain any additional stipulations.)
    
 *
 * The additional stipulation on constructors is, not surprisingly,
 * that all constructors must create a set that contains no duplicate elements
 * (as defined above).
    
 *
 * Note: Great care must be exercised if mutable objects are used as set
 * elements.  The behavior of a set is not specified if the value of an object
 * is changed in a manner that affects equals comparisons while the object is
 * an element in the set.  A special case of this prohibition is that it is
 * not permissible for a set to contain itself as an element.
 *
 * 
    Some set implementations have restrictions on the elements that
 * they may contain.  For example, some implementations prohibit null elements,
 * and some have restrictions on the types of their elements.  Attempting to
 * add an ineligible element throws an unchecked exception, typically
 * NullPointerException or ClassCastException.  Attempting
 * to query the presence of an ineligible element may throw an exception,
 * or it may simply return false; some implementations will exhibit the former
 * behavior and some will exhibit the latter.  More generally, attempting an
 * operation on an ineligible element whose completion would not result in
 * the insertion of an ineligible element into the set may throw an
 * exception or it may succeed, at the option of the implementation.
 * Such exceptions are marked as "optional" in the specification for this
 * interface. 
 *
 * 
    This interface is a member of the 
 * 
 * Java Collections Framework.
 *
 * @author  Josh Bloch
 * @version 1.29, 01/23/03
 * @see Collection
 * @see List
 * @see SortedSet
 * @see HashSet
 * @see TreeSet
 * @see AbstractSet
 * @see Collections#singleton(java.lang.Object)
 * @see Collections#EMPTY_SET
 * @since 1.2
 */

public interface Set extends Collection {
    // Query Operations

    /**
     * Returns the number of elements in this set (its cardinality).  If this
     * set contains more than Integer.MAX_VALUE elements, returns
     * Integer.MAX_VALUE.
     *
     * @return the number of elements in this set (its cardinality).
     */
    int size();

    /**
     * Returns true if this set contains no elements.
     *
     * @return true if this set contains no elements.
     */
    boolean isEmpty();

    /**
     * Returns true if this set contains the specified element.  More
     * formally, returns true if and only if this set contains an
     * element e such that (o==null ? e==null :
     * o.equals(e)).
     *
     * @param o element whose presence in this set is to be tested.
     * @return true if this set contains the specified element.
     * @throws ClassCastException if the type of the specified element
     * 	       is incompatible with this set (optional).
     * @throws NullPointerException if the specified element is null and this
     *         set does not support null elements (optional).
     */
    boolean contains(Object o);

    /**
     * Returns an iterator over the elements in this set.  The elements are
     * returned in no particular order (unless this set is an instance of some
     * class that provides a guarantee).
     *
     * @return an iterator over the elements in this set.
     */
    Iterator iterator();

    /**
     * Returns an array containing all of the elements in this set.
     * Obeys the general contract of the Collection.toArray method.
     *
     * @return an array containing all of the elements in this set.
     */
    Object[] toArray();

    /**
     * Returns an array containing all of the elements in this set; the 
     * runtime type of the returned array is that of the specified array. 
     * Obeys the general contract of the 
     * Collection.toArray(Object[]) method.
     *
     * @param a the array into which the elements of this set are to
     *		be stored, if it is big enough; otherwise, a new array of the
     * 		same runtime type is allocated for this purpose.
     * @return an array containing the elements of this set.
     * @throws    ArrayStoreException the runtime type of a is not a supertype
     *            of the runtime type of every element in this set.
     * @throws NullPointerException if the specified array is null.
     */
    Object[] toArray(Object a[]);


    // Modification Operations

    /**
     * Adds the specified element to this set if it is not already present
     * (optional operation).  More formally, adds the specified element,
     * o, to this set if this set contains no element
     * e such that (o==null ? e==null :
     * o.equals(e)).  If this set already contains the specified
     * element, the call leaves this set unchanged and returns false.
     * In combination with the restriction on constructors, this ensures that
     * sets never contain duplicate elements.
    
     *
     * The stipulation above does not imply that sets must accept all
     * elements; sets may refuse to add any particular element, including
     * null, and throwing an exception, as described in the
     * specification for Collection.add.  Individual set
     * implementations should clearly document any restrictions on the the
     * elements that they may contain.
     *
     * @param o element to be added to this set.
     * @return true if this set did not already contain the specified
     *         element.
     * 
     * @throws UnsupportedOperationException if the add method is not
     * 	       supported by this set.
     * @throws ClassCastException if the class of the specified element
     * 	       prevents it from being added to this set.
     * @throws NullPointerException if the specified element is null and this
     *         set does not support null elements.
     * @throws IllegalArgumentException if some aspect of the specified element
     *         prevents it from being added to this set.
     */
    boolean add(Object o);


    /**
     * Removes the specified element from this set if it is present (optional
     * operation).  More formally, removes an element e such that
     * (o==null ?  e==null : o.equals(e)), if the set contains
     * such an element.  Returns true if the set contained the
     * specified element (or equivalently, if the set changed as a result of
     * the call).  (The set will not contain the specified element once the
     * call returns.)
     *
     * @param o object to be removed from this set, if present.
     * @return true if the set contained the specified element.
     * @throws ClassCastException if the type of the specified element
     * 	       is incompatible with this set (optional).
     * @throws NullPointerException if the specified element is null and this
     *         set does not support null elements (optional).
     * @throws UnsupportedOperationException if the remove method is
     *         not supported by this set.
     */
    boolean remove(Object o);


    // Bulk Operations

    /**
     * Returns true if this set contains all of the elements of the
     * specified collection.  If the specified collection is also a set, this
     * method returns true if it is a subset of this set.
     *
     * @param  c collection to be checked for containment in this set.
     * @return true if this set contains all of the elements of the
     * 	       specified collection.
     * @throws ClassCastException if the types of one or more elements
     *         in the specified collection are incompatible with this
     *         set (optional).
     * @throws NullPointerException if the specified collection contains one
     *         or more null elements and this set does not support null
     *         elements (optional).
     * @throws NullPointerException if the specified collection is
     *         null.
     * @see    #contains(Object)
     */
    boolean containsAll(Collection c);

    /**
     * Adds all of the elements in the specified collection to this set if
     * they're not already present (optional operation).  If the specified
     * collection is also a set, the addAll operation effectively
     * modifies this set so that its value is the union of the two
     * sets.  The behavior of this operation is unspecified if the specified
     * collection is modified while the operation is in progress.
     *
     * @param c collection whose elements are to be added to this set.
     * @return true if this set changed as a result of the call.
     * 
     * @throws UnsupportedOperationException if the addAll method is
     * 		  not supported by this set.
     * @throws ClassCastException if the class of some element of the
     * 		  specified collection prevents it from being added to this
     * 		  set.
     * @throws NullPointerException if the specified collection contains one
     *           or more null elements and this set does not support null
     *           elements, or if the specified collection is null.
     * @throws IllegalArgumentException if some aspect of some element of the
     *		  specified collection prevents it from being added to this
     *		  set.
     * @see #add(Object)
     */
    boolean addAll(Collection c);

    /**
     * Retains only the elements in this set that are contained in the
     * specified collection (optional operation).  In other words, removes
     * from this set all of its elements that are not contained in the
     * specified collection.  If the specified collection is also a set, this
     * operation effectively modifies this set so that its value is the
     * intersection of the two sets.
     *
     * @param c collection that defines which elements this set will retain.
     * @return true if this collection changed as a result of the
     *         call.
     * @throws UnsupportedOperationException if the retainAll method
     * 		  is not supported by this Collection.
     * @throws ClassCastException if the types of one or more elements in this
     *            set are incompatible with the specified collection
     *            (optional).
     * @throws NullPointerException if this set contains a null element and
     *            the specified collection does not support null elements
     *            (optional). 
     * @throws NullPointerException if the specified collection is
     *           null.
     * @see #remove(Object)
     */
    boolean retainAll(Collection c);


    /**
     * Removes from this set all of its elements that are contained in the
     * specified collection (optional operation).  If the specified
     * collection is also a set, this operation effectively modifies this
     * set so that its value is the asymmetric set difference of
     * the two sets.
     *
     * @param  c collection that defines which elements will be removed from
     *           this set.
     * @return true if this set changed as a result of the call.
     * 
     * @throws UnsupportedOperationException if the removeAll
     * 		  method is not supported by this Collection.
     * @throws ClassCastException if the types of one or more elements in this
     *            set are incompatible with the specified collection
     *            (optional).
     * @throws NullPointerException if this set contains a null element and
     *            the specified collection does not support null elements
     *            (optional). 
     * @throws NullPointerException if the specified collection is
     *           null.
     * @see    #remove(Object)
     */
    boolean removeAll(Collection c);

    /**
     * Removes all of the elements from this set (optional operation).
     * This set will be empty after this call returns (unless it throws an
     * exception).
     *
     * @throws UnsupportedOperationException if the clear method
     * 		  is not supported by this set.
     */
    void clear();


    // Comparison and hashing

    /**
     * Compares the specified object with this set for equality.  Returns
     * true if the specified object is also a set, the two sets
     * have the same size, and every member of the specified set is
     * contained in this set (or equivalently, every member of this set is
     * contained in the specified set).  This definition ensures that the
     * equals method works properly across different implementations of the
     * set interface.
     *
     * @param o Object to be compared for equality with this set.
     * @return true if the specified Object is equal to this set.
     */
    boolean equals(Object o);

    /**
     * 
     * Returns the hash code value for this set.  The hash code of a set is
     * defined to be the sum of the hash codes of the elements in the set,
     * where the hashcode of a null element is defined to be zero.
     * This ensures that s1.equals(s2) implies that
     * s1.hashCode()==s2.hashCode() for any two sets
     * s1 and s2, as required by the general
     * contract of the Object.hashCode method.
     *
     * @return the hash code value for this set.
     * @see Object#hashCode()
     * @see Object#equals(Object)
     * @see Set#equals(Object)
     */
    int hashCode();
}
why-2.39/lib/java_api/java/util/HashMapIntegerInteger.java0000644000106100004300000000137113147234006022471 0ustar  marchevals
package java.util;

class HashMapIntegerInteger {

    //@ model mappings hashmap_model;


    /*@ ensures this.hashmap_model == empty_mappings();
      @*/
    HashMapIntegerInteger();

    /*@ requires x != null;
      @ assigns hashmap_model;
      @ ensures 
      @   this.hashmap_model == update_int(\old(this.hashmap_model),x,y);
      @*/
    void put(Integer x, Integer y);

    /*@ requires x != null;
      @ assigns \nothing;
      @ behavior key_found:
      @   ensures \result != null ==>
      @    \result == access_int(this.hashmap_model,x) ;
      @ behavior null_found:
      @   assumes containsKey(this.hashmap_model,x);
      @   ensures access_int(this.hashmap_model,x) == null ;
      @       
      @*/
    Integer get(Integer x);

}
why-2.39/lib/java_api/java/util/HashMapIntegerLong.java0000644000106100004300000000142113147234006021767 0ustar  marchevals
package java.util;

class HashMapIntegerLong {

    //@ model mappings hashmap_model;


    /*@ ensures this.hashmap_model == empty_mappings();
      @*/
    HashMapIntegerLong();

    /*@ requires x != null;
      @ assigns hashmap_model;
      @ ensures 
      @   this.hashmap_model == update(\old(this.hashmap_model),x,y);
      @*/
    void put(Integer x, Long y);

    /*@ requires x != null;
      @ assigns \nothing;
      @ behavior key_found:
      @   ensures \result != null ==>
      @    containsKey(this.hashmap_model,x) &&
      @    \result == access(this.hashmap_model,x) ;
      @ behavior null_found:
      @   assumes containsKey(this.hashmap_model,x);
      @   ensures access(this.hashmap_model,x) == null ;
      @       
      @*/
    Long get(Integer x);

}
why-2.39/lib/java_api/java/util/HashMap.java0000644000106100004300000010334313147234006017637 0ustar  marchevals/*
 * @(#)HashMap.java	1.57 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.util;
import  java.io.*;

/**
 * Hash table based implementation of the Map interface.  This
 * implementation provides all of the optional map operations, and permits
 * null values and the null key.  (The HashMap
 * class is roughly equivalent to Hashtable, except that it is
 * unsynchronized and permits nulls.)  This class makes no guarantees as to
 * the order of the map; in particular, it does not guarantee that the order
 * will remain constant over time.
 *
 * 
    This implementation provides constant-time performance for the basic
 * operations (get and put), assuming the hash function
 * disperses the elements properly among the buckets.  Iteration over
 * collection views requires time proportional to the "capacity" of the
 * HashMap instance (the number of buckets) plus its size (the number
 * of key-value mappings).  Thus, it's very important not to set the initial
 * capacity too high (or the load factor too low) if iteration performance is
 * important.
 *
 * 
    An instance of HashMap has two parameters that affect its
 * performance: initial capacity and load factor.  The
 * capacity is the number of buckets in the hash table, and the initial
 * capacity is simply the capacity at the time the hash table is created.  The
 * load factor is a measure of how full the hash table is allowed to
 * get before its capacity is automatically increased.  When the number of
 * entries in the hash table exceeds the product of the load factor and the
 * current capacity, the capacity is roughly doubled by calling the
 * rehash method.
 *
 * 
    As a general rule, the default load factor (.75) offers a good tradeoff
 * between time and space costs.  Higher values decrease the space overhead
 * but increase the lookup cost (reflected in most of the operations of the
 * HashMap class, including get and put).  The
 * expected number of entries in the map and its load factor should be taken
 * into account when setting its initial capacity, so as to minimize the
 * number of rehash operations.  If the initial capacity is greater
 * than the maximum number of entries divided by the load factor, no
 * rehash operations will ever occur.
 *
 * 
    If many mappings are to be stored in a HashMap instance,
 * creating it with a sufficiently large capacity will allow the mappings to
 * be stored more efficiently than letting it perform automatic rehashing as
 * needed to grow the table.
 *
 * 
    Note that this implementation is not synchronized. If multiple
 * threads access this map concurrently, and at least one of the threads
 * modifies the map structurally, it must be synchronized externally.
 * (A structural modification is any operation that adds or deletes one or
 * more mappings; merely changing the value associated with a key that an
 * instance already contains is not a structural modification.)  This is
 * typically accomplished by synchronizing on some object that naturally
 * encapsulates the map.  If no such object exists, the map should be
 * "wrapped" using the Collections.synchronizedMap method.  This is
 * best done at creation time, to prevent accidental unsynchronized access to
 * the map: 
     Map m = Collections.synchronizedMap(new HashMap(...));
 * 
    
 *
 * 
    The iterators returned by all of this class's "collection view methods"
 * are fail-fast: if the map is structurally modified at any time after
 * the iterator is created, in any way except through the iterator's own
 * remove or add methods, the iterator will throw a
 * ConcurrentModificationException.  Thus, in the face of concurrent
 * modification, the iterator fails quickly and cleanly, rather than risking
 * arbitrary, non-deterministic behavior at an undetermined time in the
 * future.
 *
 * 
    Note that the fail-fast behavior of an iterator cannot be guaranteed
 * as it is, generally speaking, impossible to make any hard guarantees in the
 * presence of unsynchronized concurrent modification.  Fail-fast iterators
 * throw ConcurrentModificationException on a best-effort basis. 
 * Therefore, it would be wrong to write a program that depended on this
 * exception for its correctness: the fail-fast behavior of iterators
 * should be used only to detect bugs.
 *
 * 
    This class is a member of the 
 * 
 * Java Collections Framework.
 *
 * @author  Doug Lea
 * @author  Josh Bloch
 * @author  Arthur van Hoff
 * @version 1.57, 01/23/03
 * @see     Object#hashCode()
 * @see     Collection
 * @see	    Map
 * @see	    TreeMap
 * @see	    Hashtable
 * @since   1.2
 */

public class HashMap extends AbstractMap implements Map, Cloneable,
    Serializable
{
    //@ model Class key_type;
    //@ model Class value_type;

    /**
     * The default initial capacity - MUST be a power of two.
     */
    static final int DEFAULT_INITIAL_CAPACITY = 16;

    /**
     * The maximum capacity, used if a higher value is implicitly specified
     * by either of the constructors with arguments.
     * MUST be a power of two <= 1<<30.
     */
    static final int MAXIMUM_CAPACITY = 1 << 30;

    /**
     * The load factor used when none specified in constructor.
     **/
    static final float DEFAULT_LOAD_FACTOR = 0.75f;

    /**
     * The table, resized as necessary. Length MUST Always be a power of two.
     */
    //KML transient Entry[] table;

    /**
     * The number of key-value mappings contained in this identity hash map.
     */
    transient int size;
  
    /**
     * The next size value at which to resize (capacity * load factor).
     * @serial
     */
    int threshold;
  
    /**
     * The load factor for the hash table.
     *
     * @serial
     */
    final float loadFactor;

    /**
     * The number of times this HashMap has been structurally modified
     * Structural modifications are those that change the number of mappings in
     * the HashMap or otherwise modify its internal structure (e.g.,
     * rehash).  This field is used to make iterators on Collection-views of
     * the HashMap fail-fast.  (See ConcurrentModificationException).
     */
    transient volatile int modCount;

    /**
     * Constructs an empty HashMap with the specified initial
     * capacity and load factor.
     *
     * @param  initialCapacity The initial capacity.
     * @param  loadFactor      The load factor.
     * @throws IllegalArgumentException if the initial capacity is negative
     *         or the load factor is nonpositive.
     */
    public HashMap(int initialCapacity, float loadFactor) {
        if (initialCapacity < 0)
            throw new IllegalArgumentException("Illegal initial capacity: " +
                                               initialCapacity);
        if (initialCapacity > MAXIMUM_CAPACITY)
            initialCapacity = MAXIMUM_CAPACITY;
        if (loadFactor <= 0 || Float.isNaN(loadFactor))
            throw new IllegalArgumentException("Illegal load factor: " +
                                               loadFactor);

        // Find a power of 2 >= initialCapacity
        int capacity = 1;
        while (capacity < initialCapacity) 
            capacity <<= 1;
    
        this.loadFactor = loadFactor;
        threshold = (int)(capacity * loadFactor);
        table = new Entry[capacity];
        init();
    }
  
    /**
     * Constructs an empty HashMap with the specified initial
     * capacity and the default load factor (0.75).
     *
     * @param  initialCapacity the initial capacity.
     * @throws IllegalArgumentException if the initial capacity is negative.
     */
    public HashMap(int initialCapacity) {
        this(initialCapacity, DEFAULT_LOAD_FACTOR);
    }

    /**
     * Constructs an empty HashMap with the default initial capacity
     * (16) and the default load factor (0.75).
     */
    public HashMap() {
        this.loadFactor = DEFAULT_LOAD_FACTOR;
        threshold = (int)(DEFAULT_INITIAL_CAPACITY * DEFAULT_LOAD_FACTOR);
        table = new Entry[DEFAULT_INITIAL_CAPACITY];
        init();
    }

    /**
     * Constructs a new HashMap with the same mappings as the
     * specified Map.  The HashMap is created with
     * default load factor (0.75) and an initial capacity sufficient to
     * hold the mappings in the specified Map.
     *
     * @param   m the map whose mappings are to be placed in this map.
     * @throws  NullPointerException if the specified map is null.
     */
    public HashMap(Map m) {
        this(Math.max((int) (m.size() / DEFAULT_LOAD_FACTOR) + 1,
                      DEFAULT_INITIAL_CAPACITY), DEFAULT_LOAD_FACTOR);
        putAllForCreate(m);
    }

    // internal utilities

    /**
     * Initialization hook for subclasses. This method is called
     * in all constructors and pseudo-constructors (clone, readObject)
     * after HashMap has been initialized but before any entries have
     * been inserted.  (In the absence of this method, readObject would
     * require explicit knowledge of subclasses.)
     */
    void init() {
    }

    /**
     * Value representing null keys inside tables.
     */
    static final Object NULL_KEY = new Object();

    /**
     * Returns internal representation for key. Use NULL_KEY if key is null.
     */
    static Object maskNull(Object key) {
        return (key == null ? NULL_KEY : key);
    }

    /**
     * Returns key represented by specified internal representation.
     */
    static Object unmaskNull(Object key) {
        return (key == NULL_KEY ? null : key);
    }

    /**
     * Returns a hash value for the specified object.  In addition to 
     * the object's own hashCode, this method applies a "supplemental
     * hash function," which defends against poor quality hash functions.
     * This is critical because HashMap uses power-of two length 
     * hash tables.
    
     *
     * The shift distances in this function were chosen as the result
     * of an automated search over the entire four-dimensional search space.
     */
    static int hash(Object x) {
        int h = x.hashCode();

        h += ~(h << 9);
        h ^=  (h >>> 14);
        h +=  (h << 4);
        h ^=  (h >>> 10);
        return h;
    }

    /** 
     * Check for equality of non-null reference x and possibly-null y. 
     */
    static boolean eq(Object x, Object y) {
        return x == y || x.equals(y);
    }

    /**
     * Returns index for hash code h. 
     */
    static int indexFor(int h, int length) {
        return h & (length-1);
    }
 
    /**
     * Returns the number of key-value mappings in this map.
     *
     * @return the number of key-value mappings in this map.
     */
    public int size() {
        return size;
    }
  
    /**
     * Returns true if this map contains no key-value mappings.
     *
     * @return true if this map contains no key-value mappings.
     */
    public boolean isEmpty() {
        return size == 0;
    }

    /**
     * Returns the value to which the specified key is mapped in this identity
     * hash map, or null if the map contains no mapping for this key.
     * A return value of null does not necessarily indicate
     * that the map contains no mapping for the key; it is also possible that
     * the map explicitly maps the key to null. The
     * containsKey method may be used to distinguish these two cases.
     *
     * @param   key the key whose associated value is to be returned.
     * @return  the value to which this map maps the specified key, or
     *          null if the map contains no mapping for this key.
     * @see #put(Object, Object)
     */
    /*@
      @ ensures \result instanceof value_type;
      @*/
    public Object get(Object key) {
        Object k = maskNull(key);
        int hash = hash(k);
        int i = indexFor(hash, table.length);
        Entry e = table[i]; 
        while (true) {
            if (e == null)
                return e;
            if (e.hash == hash && eq(k, e.key)) 
                return e.value;
            e = e.next;
        }
    }

    /**
     * Returns true if this map contains a mapping for the
     * specified key.
     *
     * @param   key   The key whose presence in this map is to be tested
     * @return true if this map contains a mapping for the specified
     * key.
     */
    public boolean containsKey(Object key) {
        Object k = maskNull(key);
        int hash = hash(k);
        int i = indexFor(hash, table.length);
        Entry e = table[i]; 
        while (e != null) {
            if (e.hash == hash && eq(k, e.key)) 
                return true;
            e = e.next;
        }
        return false;
    }

    /**
     * Returns the entry associated with the specified key in the
     * HashMap.  Returns null if the HashMap contains no mapping
     * for this key.
     */
    /*KML
    Entry getEntry(Object key) {
        Object k = maskNull(key);
        int hash = hash(k);
        int i = indexFor(hash, table.length);
        Entry e = table[i]; 
        while (e != null && !(e.hash == hash && eq(k, e.key)))
            e = e.next;
        return e;
    }
    KML*/
  
    /**
     * Associates the specified value with the specified key in this map.
     * If the map previously contained a mapping for this key, the old
     * value is replaced.
     *
     * @param key key with which the specified value is to be associated.
     * @param value value to be associated with the specified key.
     * @return previous value associated with specified key, or null
     *	       if there was no mapping for key.  A null return can
     *	       also indicate that the HashMap previously associated
     *	       null with the specified key.
     */
    public Object put(Object key, Object value) {
        Object k = maskNull(key);
        int hash = hash(k);
        int i = indexFor(hash, table.length);

        for (Entry e = table[i]; e != null; e = e.next) {
            if (e.hash == hash && eq(k, e.key)) {
                Object oldValue = e.value;
                e.value = value;
                e.recordAccess(this);
                return oldValue;
            }
        }

        modCount++;
        addEntry(hash, k, value, i);
        return null;
    }

    /**
     * This method is used instead of put by constructors and
     * pseudoconstructors (clone, readObject).  It does not resize the table,
     * check for comodification, etc.  It calls createEntry rather than
     * addEntry.
     */
    private void putForCreate(Object key, Object value) {
        Object k = maskNull(key);
        int hash = hash(k);
        int i = indexFor(hash, table.length);

        /**
         * Look for preexisting entry for key.  This will never happen for
         * clone or deserialize.  It will only happen for construction if the
         * input Map is a sorted map whose ordering is inconsistent w/ equals.
         */
        for (Entry e = table[i]; e != null; e = e.next) {
            if (e.hash == hash && eq(k, e.key)) {
                e.value = value;
                return;
            }
        }

        createEntry(hash, k, value, i);
    }

    void putAllForCreate(Map m) {
        for (Iterator i = m.entrySet().iterator(); i.hasNext(); ) {
            Map.Entry e = (Map.Entry) i.next();
            putForCreate(e.getKey(), e.getValue());
        }
    }

    /**
     * Rehashes the contents of this map into a new array with a
     * larger capacity.  This method is called automatically when the
     * number of keys in this map reaches its threshold.
     *
     * If current capacity is MAXIMUM_CAPACITY, this method does not
     * resize the map, but but sets threshold to Integer.MAX_VALUE.
     * This has the effect of preventing future calls.
     *
     * @param newCapacity the new capacity, MUST be a power of two;
     *        must be greater than current capacity unless current
     *        capacity is MAXIMUM_CAPACITY (in which case value
     *        is irrelevant).
     */
    void resize(int newCapacity) {
        Entry[] oldTable = table;
        int oldCapacity = oldTable.length;
        if (oldCapacity == MAXIMUM_CAPACITY) {
            threshold = Integer.MAX_VALUE;
            return;
        }

        Entry[] newTable = new Entry[newCapacity];
        transfer(newTable);
        table = newTable;
        threshold = (int)(newCapacity * loadFactor);
    }

    /** 
     * Transfer all entries from current table to newTable.
     */
    /*KML
      void transfer(Entry[] newTable) {
        Entry[] src = table;
        int newCapacity = newTable.length;
        for (int j = 0; j < src.length; j++) {
            Entry e = src[j];
            if (e != null) {
                src[j] = null;
                do {
                    Entry next = e.next;
                    int i = indexFor(e.hash, newCapacity);  
                    e.next = newTable[i];
                    newTable[i] = e;
                    e = next;
                } while (e != null);
            }
        }
    }
    KML*/

    /**
     * Copies all of the mappings from the specified map to this map
     * These mappings will replace any mappings that
     * this map had for any of the keys currently in the specified map.
     *
     * @param m mappings to be stored in this map.
     * @throws NullPointerException if the specified map is null.
     */
    public void putAll(Map m) {
        int numKeysToBeAdded = m.size();
        if (numKeysToBeAdded == 0)
            return;

        /*
         * Expand the map if the map if the number of mappings to be added
         * is greater than or equal to threshold.  This is conservative; the
         * obvious condition is (m.size() + size) >= threshold, but this
         * condition could result in a map with twice the appropriate capacity,
         * if the keys to be added overlap with the keys already in this map.
         * By using the conservative calculation, we subject ourself
         * to at most one extra resize.
         */
        if (numKeysToBeAdded > threshold) {
            int targetCapacity = (int)(numKeysToBeAdded / loadFactor + 1);
            if (targetCapacity > MAXIMUM_CAPACITY)
                targetCapacity = MAXIMUM_CAPACITY;
            int newCapacity = table.length;
            while (newCapacity < targetCapacity)
                newCapacity <<= 1;
            if (newCapacity > table.length)
                resize(newCapacity);
        }

        for (Iterator i = m.entrySet().iterator(); i.hasNext(); ) {
            Map.Entry e = (Map.Entry) i.next();
            put(e.getKey(), e.getValue());
        }
    }
  
    /**
     * Removes the mapping for this key from this map if present.
     *
     * @param  key key whose mapping is to be removed from the map.
     * @return previous value associated with specified key, or null
     *	       if there was no mapping for key.  A null return can
     *	       also indicate that the map previously associated null
     *	       with the specified key.
     */
    public Object remove(Object key) {
        Entry e = removeEntryForKey(key);
        return (e == null ? e : e.value);
    }

    /**
     * Removes and returns the entry associated with the specified key
     * in the HashMap.  Returns null if the HashMap contains no mapping
     * for this key.
     */
    /*KML
    Entry removeEntryForKey(Object key) {
        Object k = maskNull(key);
        int hash = hash(k);
        int i = indexFor(hash, table.length);
        Entry prev = table[i];
        Entry e = prev;

        while (e != null) {
            Entry next = e.next;
            if (e.hash == hash && eq(k, e.key)) {
                modCount++;
                size--;
                if (prev == e) 
                    table[i] = next;
                else
                    prev.next = next;
                e.recordRemoval(this);
                return e;
            }
            prev = e;
            e = next;
        }
   
        return e;
    }
    KML*/

    /**
     * Special version of remove for EntrySet.
     */
    /*KML
      Entry removeMapping(Object o) {
        if (!(o instanceof Map.Entry))
            return null;

        Map.Entry entry = (Map.Entry)o;
        Object k = maskNull(entry.getKey());
        int hash = hash(k);
        int i = indexFor(hash, table.length);
        Entry prev = table[i];
        Entry e = prev;

        while (e != null) {
            Entry next = e.next;
            if (e.hash == hash && e.equals(entry)) {
                modCount++;
                size--;
                if (prev == e) 
                    table[i] = next;
                else
                    prev.next = next;
                e.recordRemoval(this);
                return e;
            }
            prev = e;
            e = next;
        }
   
        return e;
    }
    KML*/

    /**
     * Removes all mappings from this map.
     */
    public void clear() {
        modCount++;
        Entry tab[] = table;
        for (int i = 0; i < tab.length; i++) 
            tab[i] = null;
        size = 0;
    }

    /**
     * Returns true if this map maps one or more keys to the
     * specified value.
     *
     * @param value value whose presence in this map is to be tested.
     * @return true if this map maps one or more keys to the
     *         specified value.
     */
    public boolean containsValue(Object value) {
	if (value == null) 
            return containsNullValue();

	Entry tab[] = table;
        for (int i = 0; i < tab.length ; i++)
            for (Entry e = tab[i] ; e != null ; e = e.next)
                if (value.equals(e.value))
                    return true;
	return false;
    }

    /**
     * Special-case code for containsValue with null argument
     **/
    private boolean containsNullValue() {
	Entry tab[] = table;
        for (int i = 0; i < tab.length ; i++)
            for (Entry e = tab[i] ; e != null ; e = e.next)
                if (e.value == null)
                    return true;
	return false;
    }

    /**
     * Returns a shallow copy of this HashMap instance: the keys and
     * values themselves are not cloned.
     *
     * @return a shallow copy of this map.
     */
    public Object clone() {
        HashMap result = null;
	try { 
	    result = (HashMap)super.clone();
	} catch (CloneNotSupportedException e) { 
	    // assert false;
	}
        result.table = new Entry[table.length];
        result.entrySet = null;
        result.modCount = 0;
        result.size = 0;
        result.init();
        result.putAllForCreate(this);

        return result;
    }

    static class Entry implements Map.Entry {
        final Object key;
        Object value;
        final int hash;
        Entry next;

        /**
         * Create new entry.
         */
        Entry(int h, Object k, Object v, Entry n) { 
            value = v; 
            next = n;
            key = k;
            hash = h;
        }

        public Object getKey() {
            return unmaskNull(key);
        }

        public Object getValue() {
            return value;
        }
    
        public Object setValue(Object newValue) {
            Object oldValue = value;
            value = newValue;
            return oldValue;
        }
    
        public boolean equals(Object o) {
            if (!(o instanceof Map.Entry))
                return false;
            Map.Entry e = (Map.Entry)o;
            Object k1 = getKey();
            Object k2 = e.getKey();
            if (k1 == k2 || (k1 != null && k1.equals(k2))) {
                Object v1 = getValue();
                Object v2 = e.getValue();
                if (v1 == v2 || (v1 != null && v1.equals(v2))) 
                    return true;
            }
            return false;
        }
    
        public int hashCode() {
            return (key==NULL_KEY ? 0 : key.hashCode()) ^
                   (value==null   ? 0 : value.hashCode());
        }
    
        public String toString() {
            return getKey() + "=" + getValue();
        }

        /**
         * This method is invoked whenever the value in an entry is
         * overwritten by an invocation of put(k,v) for a key k that's already
         * in the HashMap.
         */
        void recordAccess(HashMap m) {
        }

        /**
         * This method is invoked whenever the entry is
         * removed from the table.
         */
        void recordRemoval(HashMap m) {
        }
    }

    /**
     * Add a new entry with the specified key, value and hash code to
     * the specified bucket.  It is the responsibility of this 
     * method to resize the table if appropriate.
     *
     * Subclass overrides this to alter the behavior of put method.
     */
    void addEntry(int hash, Object key, Object value, int bucketIndex) {
        table[bucketIndex] = new Entry(hash, key, value, table[bucketIndex]);
        if (size++ >= threshold) 
            resize(2 * table.length);
    }

    /**
     * Like addEntry except that this version is used when creating entries
     * as part of Map construction or "pseudo-construction" (cloning,
     * deserialization).  This version needn't worry about resizing the table.
     *
     * Subclass overrides this to alter the behavior of HashMap(Map),
     * clone, and readObject.
     */
    void createEntry(int hash, Object key, Object value, int bucketIndex) {
        table[bucketIndex] = new Entry(hash, key, value, table[bucketIndex]);
        size++;
    }

    private abstract class HashIterator implements Iterator {
        Entry next;                  // next entry to return
        int expectedModCount;        // For fast-fail 
        int index;                   // current slot 
        Entry current;               // current entry

        HashIterator() {
            expectedModCount = modCount;
            Entry[] t = table;
            int i = t.length;
            Entry n = null;
            if (size != 0) { // advance to first entry
                while (i > 0 && (n = t[--i]) == null)
                    ;
            }
            next = n;
            index = i;
        }

        public boolean hasNext() {
            return next != null;
        }

        Entry nextEntry() { 
            if (modCount != expectedModCount)
                throw new ConcurrentModificationException();
            Entry e = next;
            if (e == null) 
                throw new NoSuchElementException();
                
            Entry n = e.next;
            Entry[] t = table;
            int i = index;
            while (n == null && i > 0)
                n = t[--i];
            index = i;
            next = n;
            return current = e;
        }

        public void remove() {
            if (current == null)
                throw new IllegalStateException();
            if (modCount != expectedModCount)
                throw new ConcurrentModificationException();
            Object k = current.key;
            current = null;
            HashMap.this.removeEntryForKey(k);
            expectedModCount = modCount;
        }

    }

    private class ValueIterator extends HashIterator {
        public Object next() {
            return nextEntry().value;
        }
    }

    private class KeyIterator extends HashIterator {
        public Object next() {
            return nextEntry().getKey();
        }
    }

    private class EntryIterator extends HashIterator {
        public Object next() {
            return nextEntry();
        }
    }

    // Subclass overrides these to alter behavior of views' iterator() method
    Iterator newKeyIterator()   {
        return new KeyIterator();
    }
    Iterator newValueIterator()   {
        return new ValueIterator();
    }
    Iterator newEntryIterator()   {
        return new EntryIterator();
    }


    // Views

    private transient Set entrySet = null;

    /**
     * Returns a set view of the keys contained in this map.  The set is
     * backed by the map, so changes to the map are reflected in the set, and
     * vice-versa.  The set supports element removal, which removes the
     * corresponding mapping from this map, via the Iterator.remove,
     * Set.remove, removeAll, retainAll, and
     * clear operations.  It does not support the add or
     * addAll operations.
     *
     * @return a set view of the keys contained in this map.
     */
    public Set keySet() {
        Set ks = keySet;
        return (ks != null ? ks : (keySet = new KeySet()));
    }

    private class KeySet extends AbstractSet {
        public Iterator iterator() {
            return newKeyIterator();
        }
        public int size() {
            return size;
        }
        public boolean contains(Object o) {
            return containsKey(o);
        }
        public boolean remove(Object o) {
            return HashMap.this.removeEntryForKey(o) != null;
        }
        public void clear() {
            HashMap.this.clear();
        }
    }

    /**
     * Returns a collection view of the values contained in this map.  The
     * collection is backed by the map, so changes to the map are reflected in
     * the collection, and vice-versa.  The collection supports element
     * removal, which removes the corresponding mapping from this map, via the
     * Iterator.remove, Collection.remove,
     * removeAll, retainAll, and clear operations.
     * It does not support the add or addAll operations.
     *
     * @return a collection view of the values contained in this map.
     */
    public Collection values() {
        Collection vs = values;
        return (vs != null ? vs : (values = new Values()));
    }

    private class Values extends AbstractCollection {
        public Iterator iterator() {
            return newValueIterator();
        }
        public int size() {
            return size;
        }
        public boolean contains(Object o) {
            return containsValue(o);
        }
        public void clear() {
            HashMap.this.clear();
        }
    }

    /**
     * Returns a collection view of the mappings contained in this map.  Each
     * element in the returned collection is a Map.Entry.  The
     * collection is backed by the map, so changes to the map are reflected in
     * the collection, and vice-versa.  The collection supports element
     * removal, which removes the corresponding mapping from the map, via the
     * Iterator.remove, Collection.remove,
     * removeAll, retainAll, and clear operations.
     * It does not support the add or addAll operations.
     *
     * @return a collection view of the mappings contained in this map.
     * @see Map.Entry
     */
    public Set entrySet() {
        Set es = entrySet;
        return (es != null ? es : (entrySet = new EntrySet()));
    }

    private class EntrySet extends AbstractSet {
        public Iterator iterator() {
            return newEntryIterator();
        }
        public boolean contains(Object o) {
            if (!(o instanceof Map.Entry))
                return false;
            Map.Entry e = (Map.Entry)o;
            Entry candidate = getEntry(e.getKey());
            return candidate != null && candidate.equals(e);
        }
        public boolean remove(Object o) {
            return removeMapping(o) != null;
        }
        public int size() {
            return size;
        }
        public void clear() {
            HashMap.this.clear();
        }
    }

    /**
     * Save the state of the HashMap instance to a stream (i.e.,
     * serialize it).
     *
     * @serialData The capacity of the HashMap (the length of the
     *		   bucket array) is emitted (int), followed  by the
     *		   size of the HashMap (the number of key-value
     *		   mappings), followed by the key (Object) and value (Object)
     *		   for each key-value mapping represented by the HashMap
     *             The key-value mappings are emitted in the order that they
     *             are returned by entrySet().iterator().
     * 
     */
    /*KML
    private void writeObject(java.io.ObjectOutputStream s)
        throws IOException
    {
	// Write out the threshold, loadfactor, and any hidden stuff
	s.defaultWriteObject();

	// Write out number of buckets
	s.writeInt(table.length);

	// Write out size (number of Mappings)
	s.writeInt(size);

        // Write out keys and values (alternating)
        for (Iterator i = entrySet().iterator(); i.hasNext(); ) {
            Map.Entry e = (Map.Entry) i.next();
            s.writeObject(e.getKey());
            s.writeObject(e.getValue());
        }
    }
    KML*/

    private static final long serialVersionUID = 362498820763181265L;

    /**
     * Reconstitute the HashMap instance from a stream (i.e.,
     * deserialize it).
     */
    /*KML
      private void readObject(java.io.ObjectInputStream s)
         throws IOException, ClassNotFoundException
    {
	// Read in the threshold, loadfactor, and any hidden stuff
	s.defaultReadObject();

	// Read in number of buckets and allocate the bucket array;
	int numBuckets = s.readInt();
	table = new Entry[numBuckets];

        init();  // Give subclass a chance to do its thing.

	// Read in size (number of Mappings)
	int size = s.readInt();

	// Read the keys and values, and put the mappings in the HashMap
	for (int i=0; i
 *	
  •  Iterators allow the caller to remove elements from the
 *	     underlying collection during the iteration with well-defined
 * 	     semantics.
 *	
  •  Method names have been improved.
 * 
    
 *
 * This interface is a member of the 
 * 
 * Java Collections Framework.
 *
 * @author  Josh Bloch
 * @version 1.18, 01/23/03
 * @see Collection
 * @see ListIterator
 * @see Enumeration
 * @since 1.2
 */
public interface Iterator {
    /**
     * Returns true if the iteration has more elements. (In other
     * words, returns true if next would return an element
     * rather than throwing an exception.)
     *
     * @return true if the iterator has more elements.
     */
    boolean hasNext();

    /**
     * Returns the next element in the iteration.
     *
     * @return the next element in the iteration.
     * @exception NoSuchElementException iteration has no more elements.
     */
    Object next();

    /**
     * 
     * Removes from the underlying collection the last element returned by the
     * iterator (optional operation).  This method can be called only once per
     * call to next.  The behavior of an iterator is unspecified if
     * the underlying collection is modified while the iteration is in
     * progress in any way other than by calling this method.
     *
     * @exception UnsupportedOperationException if the remove
     *		  operation is not supported by this Iterator.
     
     * @exception IllegalStateException if the next method has not
     *		  yet been called, or the remove method has already
     *		  been called after the last call to the next
     *		  method.
     */
    void remove();
}
why-2.39/lib/java_api/java/util/Locale.java0000644000106100004300000000004713147234006017512 0ustar  marchevals
import java.text.*;

class Locale {

}why-2.39/lib/java_api/java/util/AbstractMap.java0000644000106100004300000005630313147234006020522 0ustar  marchevals/*
 * @(#)AbstractMap.java	1.34 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.util;
//KML import java.util.Map.Entry;

/**
 * This class provides a skeletal implementation of the Map
 * interface, to minimize the effort required to implement this interface. 
    
 *
 * To implement an unmodifiable map, the programmer needs only to extend this
 * class and provide an implementation for the entrySet method, which
 * returns a set-view of the map's mappings.  Typically, the returned set
 * will, in turn, be implemented atop AbstractSet.  This set should
 * not support the add or remove methods, and its iterator
 * should not support the remove method.
    
 *
 * To implement a modifiable map, the programmer must additionally override
 * this class's put method (which otherwise throws an
 * UnsupportedOperationException), and the iterator returned by
 * entrySet().iterator() must additionally implement its
 * remove method.
    
 *
 * The programmer should generally provide a void (no argument) and map
 * constructor, as per the recommendation in the Map interface
 * specification.
    
 *
 * The documentation for each non-abstract methods in this class describes its
 * implementation in detail.  Each of these methods may be overridden if the
 * map being implemented admits a more efficient implementation.
    
 *
 * This class is a member of the 
 * 
 * Java Collections Framework.
 *
 * @author  Josh Bloch
 * @version 1.34, 01/23/03
 * @see Map
 * @see Collection
 * @since 1.2
 */

public abstract class AbstractMap implements Map {
    /**
     * Sole constructor.  (For invocation by subclass constructors, typically
     * implicit.)
     */
    protected AbstractMap() {
    }

    // Query Operations

    /**
     * Returns the number of key-value mappings in this map.  If the map
     * contains more than Integer.MAX_VALUE elements, returns
     * Integer.MAX_VALUE.
    
     *
     * This implementation returns entrySet().size().
     *
     * @return the number of key-value mappings in this map.
     */
    public int size() {
	return entrySet().size();
    }

    /**
     * Returns true if this map contains no key-value mappings. 
    
     *
     * This implementation returns size() == 0.
     *
     * @return true if this map contains no key-value mappings.
     */
    public boolean isEmpty() {
	return size() == 0;
    }

    /**
     * Returns true if this map maps one or more keys to this value.
     * More formally, returns true if and only if this map contains
     * at least one mapping to a value v such that (value==null ?
     * v==null : value.equals(v)).  This operation will probably require
     * time linear in the map size for most implementations of map.
    
     *
     * This implementation iterates over entrySet() searching for an entry
     * with the specified value.  If such an entry is found, true is
     * returned.  If the iteration terminates without finding such an entry,
     * false is returned.  Note that this implementation requires
     * linear time in the size of the map.
     *
     * @param value value whose presence in this map is to be tested.
     * 
     * @return true if this map maps one or more keys to this value.
     */
    public boolean containsValue(Object value) {
	Iterator i = entrySet().iterator();
	if (value==null) {
	    while (i.hasNext()) {
		Entry e = (Entry) i.next();
		if (e.getValue()==null)
		    return true;
	    }
	} else {
	    while (i.hasNext()) {
		Entry e = (Entry) i.next();
		if (value.equals(e.getValue()))
		    return true;
	    }
	}
	return false;
    }

    /**
     * Returns true if this map contains a mapping for the specified
     * key. 
    
     *
     * This implementation iterates over entrySet() searching for an
     * entry with the specified key.  If such an entry is found, true
     * is returned.  If the iteration terminates without finding such an
     * entry, false is returned.  Note that this implementation
     * requires linear time in the size of the map; many implementations will
     * override this method.
     *
     * @param key key whose presence in this map is to be tested.
     * @return true if this map contains a mapping for the specified
     *            key.
     * 
     * @throws NullPointerException key is null and this map does not
     *            not permit null keys.
     */
    public boolean containsKey(Object key) {
	Iterator i = entrySet().iterator();
	if (key==null) {
	    while (i.hasNext()) {
		Entry e = (Entry) i.next();
		if (e.getKey()==null)
		    return true;
	    }
	} else {
	    while (i.hasNext()) {
		Entry e = (Entry) i.next();
		if (key.equals(e.getKey()))
		    return true;
	    }
	}
	return false;
    }

    /**
     * Returns the value to which this map maps the specified key.  Returns
     * null if the map contains no mapping for this key.  A return
     * value of null does not necessarily indicate that the
     * map contains no mapping for the key; it's also possible that the map
     * explicitly maps the key to null.  The containsKey operation
     * may be used to distinguish these two cases. 
    
     *
     * This implementation iterates over entrySet() searching for an
     * entry with the specified key.  If such an entry is found, the entry's
     * value is returned.  If the iteration terminates without finding such an
     * entry, null is returned.  Note that this implementation
     * requires linear time in the size of the map; many implementations will
     * override this method.
     *
     * @param key key whose associated value is to be returned.
     * @return the value to which this map maps the specified key.
     * 
     * @throws NullPointerException if the key is null and this map
     *		  does not not permit null keys.
     * 
     * @see #containsKey(Object)
     */
    public Object get(Object key) {
	Iterator i = entrySet().iterator();
	if (key==null) {
	    while (i.hasNext()) {
		Entry e = (Entry) i.next();
		if (e.getKey()==null)
		    return e.getValue();
	    }
	} else {
	    while (i.hasNext()) {
		Entry e = (Entry) i.next();
		if (key.equals(e.getKey()))
		    return e.getValue();
	    }
	}
	return null;
    }


    // Modification Operations

    /**
     * Associates the specified value with the specified key in this map
     * (optional operation).  If the map previously contained a mapping for
     * this key, the old value is replaced.
    
     *
     * This implementation always throws an
     * UnsupportedOperationException.
     *
     * @param key key with which the specified value is to be associated.
     * @param value value to be associated with the specified key.
     * 
     * @return previous value associated with specified key, or null
     *	       if there was no mapping for key.  (A null return can
     *	       also indicate that the map previously associated null
     *	       with the specified key, if the implementation supports
     *	       null values.)
     * 
     * @throws UnsupportedOperationException if the put operation is
     *	          not supported by this map.
     * 
     * @throws ClassCastException if the class of the specified key or value
     * 	          prevents it from being stored in this map.
     * 
     * @throws IllegalArgumentException if some aspect of this key or value *
     *            prevents it from being stored in this map.
     * 
     * @throws NullPointerException this map does not permit null
     *            keys or values, and the specified key or value is
     *            null.
     */
    public Object put(Object key, Object value) {
	throw new UnsupportedOperationException();
    }

    /**
     * Removes the mapping for this key from this map if present (optional
     * operation). 
    
     *
     * This implementation iterates over entrySet() searching for an
     * entry with the specified key.  If such an entry is found, its value is
     * obtained with its getValue operation, the entry is is removed
     * from the Collection (and the backing map) with the iterator's
     * remove operation, and the saved value is returned.  If the
     * iteration terminates without finding such an entry, null is
     * returned.  Note that this implementation requires linear time in the
     * size of the map; many implementations will override this method.
    
     *
     * Note that this implementation throws an
     * UnsupportedOperationException if the entrySet iterator
     * does not support the remove method and this map contains a
     * mapping for the specified key.
     *
     * @param key key whose mapping is to be removed from the map.
     * @return previous value associated with specified key, or null
     *	       if there was no entry for key.  (A null return can
     *	       also indicate that the map previously associated null
     *	       with the specified key, if the implementation supports
     *	       null values.)
     * @throws UnsupportedOperationException if the remove operation
     * 		  is not supported by this map.
     */
    public Object remove(Object key) {
	Iterator i = entrySet().iterator();
	Entry correctEntry = null;
	if (key==null) {
	    while (correctEntry==null && i.hasNext()) {
		Entry e = (Entry) i.next();
		if (e.getKey()==null)
		    correctEntry = e;
	    }
	} else {
	    while (correctEntry==null && i.hasNext()) {
		Entry e = (Entry) i.next();
		if (key.equals(e.getKey()))
		    correctEntry = e;
	    }
	}

	Object oldValue = null;
	if (correctEntry !=null) {
	    oldValue = correctEntry.getValue();
	    i.remove();
	}
	return oldValue;
    }


    // Bulk Operations

    /**
     * Copies all of the mappings from the specified map to this map
     * (optional operation).  These mappings will replace any mappings that
     * this map had for any of the keys currently in the specified map.
    
     *
     * This implementation iterates over the specified map's
     * entrySet() collection, and calls this map's put
     * operation once for each entry returned by the iteration.
    
     *
     * Note that this implementation throws an
     * UnsupportedOperationException if this map does not support
     * the put operation and the specified map is nonempty.
     *
     * @param t mappings to be stored in this map.
     * 
     * @throws UnsupportedOperationException if the putAll operation
     * 		  is not supported by this map.
     * 
     * @throws ClassCastException if the class of a key or value in the
     * 	          specified map prevents it from being stored in this map.
     * 
     * @throws IllegalArgumentException if some aspect of a key or value in
     *	          the specified map prevents it from being stored in this map.
     * @throws NullPointerException the specified map is null, or if
     *         this map does not permit null keys or values, and the
     *         specified map contains null keys or values.
     */
    public void putAll(Map t) {
	Iterator i = t.entrySet().iterator();
	while (i.hasNext()) {
	    Entry e = (Entry) i.next();
	    put(e.getKey(), e.getValue());
	}
    }

    /**
     * Removes all mappings from this map (optional operation). 
    
     *
     * This implementation calls entrySet().clear().
     *
     * Note that this implementation throws an
     * UnsupportedOperationException if the entrySet
     * does not support the clear operation.
     *
     * @throws    UnsupportedOperationException clear is not supported
     * 		  by this map.
     */
    public void clear() {
	entrySet().clear();
    }


    // Views

    /**
     * Each of these fields are initialized to contain an instance of the
     * appropriate view the first time this view is requested.  The views are
     * stateless, so there's no reason to create more than one of each.
     */
    transient volatile Set        keySet = null;
    transient volatile Collection values = null;

    /**
     * Returns a Set view of the keys contained in this map.  The Set is
     * backed by the map, so changes to the map are reflected in the Set,
     * and vice-versa.  (If the map is modified while an iteration over
     * the Set is in progress, the results of the iteration are undefined.)
     * The Set supports element removal, which removes the corresponding entry
     * from the map, via the Iterator.remove, Set.remove,  removeAll
     * retainAll, and clear operations.  It does not support the add or
     * addAll operations.
    
     *
     * This implementation returns a Set that subclasses
     * AbstractSet.  The subclass's iterator method returns a "wrapper
     * object" over this map's entrySet() iterator.  The size method delegates
     * to this map's size method and the contains method delegates to this
     * map's containsKey method.
    
     *
     * The Set is created the first time this method is called,
     * and returned in response to all subsequent calls.  No synchronization
     * is performed, so there is a slight chance that multiple calls to this
     * method will not all return the same Set.
     *
     * @return a Set view of the keys contained in this map.
     */
    public Set keySet() {
	if (keySet == null) {
	    keySet = new AbstractSet() {
		public Iterator iterator() {
		    return new Iterator() {
			private Iterator i = entrySet().iterator();

			public boolean hasNext() {
			    return i.hasNext();
			}

			public Object next() {
			    return ((Entry)i.next()).getKey();
			}

			public void remove() {
			    i.remove();
			}
                    };
		}

		public int size() {
		    return AbstractMap.this.size();
		}

		public boolean contains(Object k) {
		    return AbstractMap.this.containsKey(k);
		}
	    };
	}
	return keySet;
    }

    /**
     * Returns a collection view of the values contained in this map.  The
     * collection is backed by the map, so changes to the map are reflected in
     * the collection, and vice-versa.  (If the map is modified while an
     * iteration over the collection is in progress, the results of the
     * iteration are undefined.)  The collection supports element removal,
     * which removes the corresponding entry from the map, via the
     * Iterator.remove, Collection.remove,
     * removeAll, retainAll and clear operations.
     * It does not support the add or addAll operations.
    
     *
     * This implementation returns a collection that subclasses abstract
     * collection.  The subclass's iterator method returns a "wrapper object"
     * over this map's entrySet() iterator.  The size method
     * delegates to this map's size method and the contains method delegates
     * to this map's containsValue method.
    
     *
     * The collection is created the first time this method is called, and
     * returned in response to all subsequent calls.  No synchronization is
     * performed, so there is a slight chance that multiple calls to this
     * method will not all return the same Collection.
     *
     * @return a collection view of the values contained in this map.
     */
    public Collection values() {
	if (values == null) {
	    values = new AbstractCollection() {
		public Iterator iterator() {
		    return new Iterator() {
			private Iterator i = entrySet().iterator();

			public boolean hasNext() {
			    return i.hasNext();
			}

			public Object next() {
			    return ((Entry)i.next()).getValue();
			}

			public void remove() {
			    i.remove();
			}
                    };
                }

		public int size() {
		    return AbstractMap.this.size();
		}

		public boolean contains(Object v) {
		    return AbstractMap.this.containsValue(v);
		}
	    };
	}
	return values;
    }

    /**
     * Returns a set view of the mappings contained in this map.  Each element
     * in this set is a Map.Entry.  The set is backed by the map, so changes
     * to the map are reflected in the set, and vice-versa.  (If the map is
     * modified while an iteration over the set is in progress, the results of
     * the iteration are undefined.)  The set supports element removal, which
     * removes the corresponding entry from the map, via the
     * Iterator.remove, Set.remove, removeAll,
     * retainAll and clear operations.  It does not support
     * the add or addAll operations.
     *
     * @return a set view of the mappings contained in this map.
     */
    public abstract Set entrySet();


    // Comparison and hashing

    /**
     * Compares the specified object with this map for equality.  Returns
     * true if the given object is also a map and the two maps
     * represent the same mappings.  More formally, two maps t1 and
     * t2 represent the same mappings if
     * t1.keySet().equals(t2.keySet()) and for every key k
     * in t1.keySet(),  (t1.get(k)==null ? t2.get(k)==null :
     * t1.get(k).equals(t2.get(k))) .  This ensures that the
     * equals method works properly across different implementations
     * of the map interface.
    
     *
     * This implementation first checks if the specified object is this map;
     * if so it returns true.  Then, it checks if the specified
     * object is a map whose size is identical to the size of this set; if
     * not, it it returns false.  If so, it iterates over this map's
     * entrySet collection, and checks that the specified map
     * contains each mapping that this map contains.  If the specified map
     * fails to contain such a mapping, false is returned.  If the
     * iteration completes, true is returned.
     *
     * @param o object to be compared for equality with this map.
     * @return true if the specified object is equal to this map.
     */
    public boolean equals(Object o) {
	if (o == this)
	    return true;

	if (!(o instanceof Map))
	    return false;
	Map t = (Map) o;
	if (t.size() != size())
	    return false;

        try {
            Iterator i = entrySet().iterator();
            while (i.hasNext()) {
                Entry e = (Entry) i.next();
                Object key = e.getKey();
                Object value = e.getValue();
                if (value == null) {
                    if (!(t.get(key)==null && t.containsKey(key)))
                        return false;
                } else {
                    if (!value.equals(t.get(key)))
                        return false;
                }
            }
        } catch(ClassCastException unused)   {
            return false;
        } catch(NullPointerException unused) {
            return false;
        }

	return true;
    }

    /**
     * Returns the hash code value for this map.  The hash code of a map is
     * defined to be the sum of the hash codes of each entry in the map's
     * entrySet() view.  This ensures that t1.equals(t2)
     * implies that t1.hashCode()==t2.hashCode() for any two maps
     * t1 and t2, as required by the general contract of
     * Object.hashCode.
    
     *
     * This implementation iterates over entrySet(), calling
     * hashCode on each element (entry) in the Collection, and adding
     * up the results.
     *
     * @return the hash code value for this map.
     * @see Map.Entry#hashCode()
     * @see Object#hashCode()
     * @see Object#equals(Object)
     * @see Set#equals(Object)
     */
    public int hashCode() {
	int h = 0;
	Iterator i = entrySet().iterator();
	while (i.hasNext())
	    h += i.next().hashCode();
	return h;
    }

    /**
     * Returns a string representation of this map.  The string representation
     * consists of a list of key-value mappings in the order returned by the
     * map's entrySet view's iterator, enclosed in braces
     * ("{}").  Adjacent mappings are separated by the characters
     * ", " (comma and space).  Each key-value mapping is rendered as
     * the key followed by an equals sign ("=") followed by the
     * associated value.  Keys and values are converted to strings as by
     * String.valueOf(Object).
    
     *
     * This implementation creates an empty string buffer, appends a left
     * brace, and iterates over the map's entrySet view, appending
     * the string representation of each map.entry in turn.  After
     * appending each entry except the last, the string ", " is
     * appended.  Finally a right brace is appended.  A string is obtained
     * from the stringbuffer, and returned.
     *
     * @return a String representation of this map.
     */
    public String toString() {
	StringBuffer buf = new StringBuffer();
	buf.append("{");

	Iterator i = entrySet().iterator();
        boolean hasNext = i.hasNext();
        while (hasNext) {
	    Entry e = (Entry) (i.next());
            Object key = e.getKey();
            Object value = e.getValue();
            buf.append((key == this ?  "(this Map)" : key) + "=" + 
                       (value == this ? "(this Map)": value));

            hasNext = i.hasNext();
            if (hasNext)
                buf.append(", ");
        }

	buf.append("}");
	return buf.toString();
    }
    
    /**
     * Returns a shallow copy of this AbstractMap instance: the keys
     * and values themselves are not cloned.
     *
     * @return a shallow copy of this map.
     */
    protected Object clone() throws CloneNotSupportedException {
        AbstractMap result = (AbstractMap)super.clone();
        result.keySet = null;
        result.values = null;
        return result;
    }

    /**
     * This should be made public as soon as possible.  It greately simplifies
     * the task of implementing Map.
     */
    static class SimpleEntry implements Entry {
	Object key;
	Object value;

	public SimpleEntry(Object key, Object value) {
	    this.key   = key;
            this.value = value;
	}

	public SimpleEntry(Map.Entry e) {
	    this.key   = e.getKey();
            this.value = e.getValue();
	}

	public Object getKey() {
	    return key;
	}

	public Object getValue() {
	    return value;
	}

	public Object setValue(Object value) {
	    Object oldValue = this.value;
	    this.value = value;
	    return oldValue;
	}

	public boolean equals(Object o) {
	    if (!(o instanceof Map.Entry))
		return false;
	    Map.Entry e = (Map.Entry)o;
	    return eq(key, e.getKey()) &&  eq(value, e.getValue());
	}

	public int hashCode() {
	    Object v;
	    return ((key   == null)   ? 0 :   key.hashCode()) ^
		   ((value == null)   ? 0 : value.hashCode());
	}

	public String toString() {
	    return key + "=" + value;
	}

        private static boolean eq(Object o1, Object o2) {
            return (o1 == null ? o2 == null : o1.equals(o2));
        }
    }
}
why-2.39/lib/java_api/java/util/Collection.java0000644000106100004300000004464213147234006020417 0ustar  marchevals/*
 * @(#)Collection.java	1.39 03/01/17
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.util;

/**
 * The root interface in the collection hierarchy.  A collection
 * represents a group of objects, known as its elements.  Some
 * collections allow duplicate elements and others do not.  Some are ordered
 * and others unordered.  The SDK does not provide any direct
 * implementations of this interface: it provides implementations of more
 * specific subinterfaces like Set and List.  This interface
 * is typically used to pass collections around and manipulate them where
 * maximum generality is desired.
 *
 * 
    Bags or multisets (unordered collections that may contain
 * duplicate elements) should implement this interface directly.
 *
 * 
    All general-purpose Collection implementation classes (which
 * typically implement Collection indirectly through one of its
 * subinterfaces) should provide two "standard" constructors: a void (no
 * arguments) constructor, which creates an empty collection, and a
 * constructor with a single argument of type Collection, which
 * creates a new collection with the same elements as its argument.  In
 * effect, the latter constructor allows the user to copy any collection,
 * producing an equivalent collection of the desired implementation type.
 * There is no way to enforce this convention (as interfaces cannot contain
 * constructors) but all of the general-purpose Collection
 * implementations in the Java platform libraries comply.
 *
 * 
    The "destructive" methods contained in this interface, that is, the
 * methods that modify the collection on which they operate, are specified to
 * throw UnsupportedOperationException if this collection does not
 * support the operation.  If this is the case, these methods may, but are not
 * required to, throw an UnsupportedOperationException if the
 * invocation would have no effect on the collection.  For example, invoking
 * the {@link #addAll(Collection)} method on an unmodifiable collection may,
 * but is not required to, throw the exception if the collection to be added
 * is empty.
 *
 * 
    Some collection implementations have restrictions on the elements that
 * they may contain.  For example, some implementations prohibit null elements,
 * and some have restrictions on the types of their elements.  Attempting to
 * add an ineligible element throws an unchecked exception, typically
 * NullPointerException or ClassCastException.  Attempting
 * to query the presence of an ineligible element may throw an exception,
 * or it may simply return false; some implementations will exhibit the former
 * behavior and some will exhibit the latter.  More generally, attempting an
 * operation on an ineligible element whose completion would not result in
 * the insertion of an ineligible element into the collection may throw an
 * exception or it may succeed, at the option of the implementation.
 * Such exceptions are marked as "optional" in the specification for this
 * interface. 
 *
 * 
    This interface is a member of the 
 * 
 * Java Collections Framework.
 *
 * @author  Josh Bloch
 * @version 1.40, 01/23/03
 * @see	    Set
 * @see	    List
 * @see	    Map
 * @see	    SortedSet
 * @see	    SortedMap
 * @see	    HashSet
 * @see	    TreeSet
 * @see	    ArrayList
 * @see	    LinkedList
 * @see	    Vector
 * @see     Collections
 * @see	    Arrays
 * @see	    AbstractCollection
 * @since 1.2
 */

public interface Collection {
    // Query Operations

    /**
     * Returns the number of elements in this collection.  If this collection
     * contains more than Integer.MAX_VALUE elements, returns
     * Integer.MAX_VALUE.
     * 
     * @return the number of elements in this collection
     */
    int size();

    /**
     * Returns true if this collection contains no elements.
     *
     * @return true if this collection contains no elements
     */
    boolean isEmpty();

    /**
     * Returns true if this collection contains the specified
     * element.  More formally, returns true if and only if this
     * collection contains at least one element e such that
     * (o==null ? e==null : o.equals(e)).
     *
     * @param o element whose presence in this collection is to be tested.
     * @return true if this collection contains the specified
     *         element
     * @throws ClassCastException if the type of the specified element
     * 	       is incompatible with this collection (optional).
     * @throws NullPointerException if the specified element is null and this
     *         collection does not support null elements (optional).
     */
    boolean contains(Object o);

    /**
     * Returns an iterator over the elements in this collection.  There are no
     * guarantees concerning the order in which the elements are returned
     * (unless this collection is an instance of some class that provides a
     * guarantee).
     * 
     * @return an Iterator over the elements in this collection
     */
    Iterator iterator();

    /**
     * Returns an array containing all of the elements in this collection.  If
     * the collection makes any guarantees as to what order its elements are
     * returned by its iterator, this method must return the elements in the
     * same order.
    
     *
     * The returned array will be "safe" in that no references to it are
     * maintained by this collection.  (In other words, this method must
     * allocate a new array even if this collection is backed by an array).
     * The caller is thus free to modify the returned array.
    
     *
     * This method acts as bridge between array-based and collection-based
     * APIs.
     *
     * @return an array containing all of the elements in this collection
     */
    Object[] toArray();

    /**
     * Returns an array containing all of the elements in this collection; 
     * the runtime type of the returned array is that of the specified array.  
     * If the collection fits in the specified array, it is returned therein.  
     * Otherwise, a new array is allocated with the runtime type of the 
     * specified array and the size of this collection.
    
     *
     * If this collection fits in the specified array with room to spare
     * (i.e., the array has more elements than this collection), the element
     * in the array immediately following the end of the collection is set to
     * null.  This is useful in determining the length of this
     * collection only if the caller knows that this collection does
     * not contain any null elements.)
    
     *
     * If this collection makes any guarantees as to what order its elements
     * are returned by its iterator, this method must return the elements in
     * the same order.
    
     *
     * Like the toArray method, this method acts as bridge between
     * array-based and collection-based APIs.  Further, this method allows
     * precise control over the runtime type of the output array, and may,
     * under certain circumstances, be used to save allocation costs
    
     *
     * Suppose l is a List known to contain only strings.
     * The following code can be used to dump the list into a newly allocated
     * array of String:
     *
     * 
         *     String[] x = (String[]) v.toArray(new String[0]);
     * 
    
     *
     * Note that toArray(new Object[0]) is identical in function to
     * toArray().
     *
     * @param a the array into which the elements of this collection are to be
     *        stored, if it is big enough; otherwise, a new array of the same
     *        runtime type is allocated for this purpose.
     * @return an array containing the elements of this collection
     * 
     * @throws ArrayStoreException the runtime type of the specified array is
     *         not a supertype of the runtime type of every element in this
     *         collection.
     * @throws NullPointerException if the specified array is null.
     */
    
    Object[] toArray(Object a[]);

    // Modification Operations

    /**
     * Ensures that this collection contains the specified element (optional
     * operation).  Returns true if this collection changed as a
     * result of the call.  (Returns false if this collection does
     * not permit duplicates and already contains the specified element.)
    
     *
     * Collections that support this operation may place limitations on what
     * elements may be added to this collection.  In particular, some
     * collections will refuse to add null elements, and others will
     * impose restrictions on the type of elements that may be added.
     * Collection classes should clearly specify in their documentation any
     * restrictions on what elements may be added.
    
     *
     * If a collection refuses to add a particular element for any reason
     * other than that it already contains the element, it must throw
     * an exception (rather than returning false).  This preserves
     * the invariant that a collection always contains the specified element
     * after this call returns.
     *
     * @param o element whose presence in this collection is to be ensured.
     * @return true if this collection changed as a result of the
     *         call
     * 
     * @throws UnsupportedOperationException add is not supported by
     *         this collection.
     * @throws ClassCastException class of the specified element prevents it
     *         from being added to this collection.
     * @throws NullPointerException if the specified element is null and this
     *         collection does not support null elements.
     * @throws IllegalArgumentException some aspect of this element prevents
     *         it from being added to this collection.
     */
    boolean add(Object o);

    /**
     * Removes a single instance of the specified element from this
     * collection, if it is present (optional operation).  More formally,
     * removes an element e such that (o==null ?  e==null :
     * o.equals(e)), if this collection contains one or more such
     * elements.  Returns true if this collection contained the specified
     * element (or equivalently, if this collection changed as a result of the
     * call).
     *
     * @param o element to be removed from this collection, if present.
     * @return true if this collection changed as a result of the
     *         call
     * 
     * @throws ClassCastException if the type of the specified element
     * 	       is incompatible with this collection (optional).
     * @throws NullPointerException if the specified element is null and this
     *         collection does not support null elements (optional).
     * @throws UnsupportedOperationException remove is not supported by this
     *         collection.
     */
    boolean remove(Object o);


    // Bulk Operations

    /**
     * Returns true if this collection contains all of the elements
     * in the specified collection.
     *
     * @param  c collection to be checked for containment in this collection.
     * @return true if this collection contains all of the elements
     *	       in the specified collection
     * @throws ClassCastException if the types of one or more elements
     *         in the specified collection are incompatible with this
     *         collection (optional).
     * @throws NullPointerException if the specified collection contains one
     *         or more null elements and this collection does not support null
     *         elements (optional).
     * @throws NullPointerException if the specified collection is
     *         null.
     * @see    #contains(Object)
     */
    boolean containsAll(Collection c);

    /**
     * Adds all of the elements in the specified collection to this collection
     * (optional operation).  The behavior of this operation is undefined if
     * the specified collection is modified while the operation is in progress.
     * (This implies that the behavior of this call is undefined if the
     * specified collection is this collection, and this collection is
     * nonempty.)
     *
     * @param c elements to be inserted into this collection.
     * @return true if this collection changed as a result of the
     *         call
     * 
     * @throws UnsupportedOperationException if this collection does not
     *         support the addAll method.
     * @throws ClassCastException if the class of an element of the specified
     * 	       collection prevents it from being added to this collection.
     * @throws NullPointerException if the specified collection contains one
     *         or more null elements and this collection does not support null
     *         elements, or if the specified collection is null.
     * @throws IllegalArgumentException some aspect of an element of the
     *	       specified collection prevents it from being added to this
     *	       collection.
     * @see #add(Object)
     */
    boolean addAll(Collection c);

    /**
     * 
     * Removes all this collection's elements that are also contained in the
     * specified collection (optional operation).  After this call returns,
     * this collection will contain no elements in common with the specified
     * collection.
     *
     * @param c elements to be removed from this collection.
     * @return true if this collection changed as a result of the
     *         call
     * 
     * @throws UnsupportedOperationException if the removeAll method
     * 	       is not supported by this collection.
     * @throws ClassCastException if the types of one or more elements
     *         in this collection are incompatible with the specified
     *         collection (optional).
     * @throws NullPointerException if this collection contains one or more
     *         null elements and the specified collection does not support
     *         null elements (optional).
     * @throws NullPointerException if the specified collection is
     *         null.
     * @see #remove(Object)
     * @see #contains(Object)
     */
    boolean removeAll(Collection c);

    /**
     * Retains only the elements in this collection that are contained in the
     * specified collection (optional operation).  In other words, removes from
     * this collection all of its elements that are not contained in the
     * specified collection.
     *
     * @param c elements to be retained in this collection.
     * @return true if this collection changed as a result of the
     *         call
     * 
     * @throws UnsupportedOperationException if the retainAll method
     * 	       is not supported by this Collection.
     * @throws ClassCastException if the types of one or more elements
     *         in this collection are incompatible with the specified
     *         collection (optional).
     * @throws NullPointerException if this collection contains one or more
     *         null elements and the specified collection does not support null 
     *         elements (optional).
     * @throws NullPointerException if the specified collection is
     *         null.
     * @see #remove(Object)
     * @see #contains(Object)
     */
    boolean retainAll(Collection c);

    /**
     * Removes all of the elements from this collection (optional operation).
     * This collection will be empty after this method returns unless it
     * throws an exception.
     *
     * @throws UnsupportedOperationException if the clear method is
     *         not supported by this collection.
     */
    void clear();


    // Comparison and hashing

    /**
     * Compares the specified object with this collection for equality. 
    
     *
     * While the Collection interface adds no stipulations to the
     * general contract for the Object.equals, programmers who
     * implement the Collection interface "directly" (in other words,
     * create a class that is a Collection but is not a Set
     * or a List) must exercise care if they choose to override the
     * Object.equals.  It is not necessary to do so, and the simplest
     * course of action is to rely on Object's implementation, but
     * the implementer may wish to implement a "value comparison" in place of
     * the default "reference comparison."  (The List and
     * Set interfaces mandate such value comparisons.)
    
     *
     * The general contract for the Object.equals method states that
     * equals must be symmetric (in other words, a.equals(b) if and
     * only if b.equals(a)).  The contracts for List.equals
     * and Set.equals state that lists are only equal to other lists,
     * and sets to other sets.  Thus, a custom equals method for a
     * collection class that implements neither the List nor
     * Set interface must return false when this collection
     * is compared to any list or set.  (By the same logic, it is not possible
     * to write a class that correctly implements both the Set and
     * List interfaces.)
     *
     * @param o Object to be compared for equality with this collection.
     * @return true if the specified object is equal to this
     * collection
     * 
     * @see Object#equals(Object)
     * @see Set#equals(Object)
     * @see List#equals(Object)
     */
    boolean equals(Object o);

    /**
     * Returns the hash code value for this collection.  While the
     * Collection interface adds no stipulations to the general
     * contract for the Object.hashCode method, programmers should
     * take note that any class that overrides the Object.equals
     * method must also override the Object.hashCode method in order
     * to satisfy the general contract for the Object.hashCodemethod.
     * In particular, c1.equals(c2) implies that
     * c1.hashCode()==c2.hashCode().
     *
     * @return the hash code value for this collection
     * 
     * @see Object#hashCode()
     * @see Object#equals(Object)
     */
    int hashCode();
}
why-2.39/lib/java_api/java/util/Map.java0000644000106100004300000004517513147234006017043 0ustar  marchevals/*
 * @(#)Map.java	1.39 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.util;

/**
 * An object that maps keys to values.  A map cannot contain duplicate keys;
 * each key can map to at most one value.
 *
 * 
    This interface takes the place of the Dictionary class, which
 * was a totally abstract class rather than an interface.
 *
 * 
    The Map interface provides three collection views, which
 * allow a map's contents to be viewed as a set of keys, collection of values,
 * or set of key-value mappings.  The order of a map is defined as
 * the order in which the iterators on the map's collection views return their
 * elements.  Some map implementations, like the TreeMap class, make
 * specific guarantees as to their order; others, like the HashMap
 * class, do not.
 *
 * 
    Note: great care must be exercised if mutable objects are used as map
 * keys.  The behavior of a map is not specified if the value of an object is
 * changed in a manner that affects equals comparisons while the object is a
 * key in the map.  A special case of this prohibition is that it is not
 * permissible for a map to contain itself as a key.  While it is permissible
 * for a map to contain itself as a value, extreme caution is advised: the
 * equals and hashCode methods are no longer well defined on a such a map.
 *
 * 
    All general-purpose map implementation classes should provide two
 * "standard" constructors: a void (no arguments) constructor which creates an
 * empty map, and a constructor with a single argument of type Map,
 * which creates a new map with the same key-value mappings as its argument.
 * In effect, the latter constructor allows the user to copy any map,
 * producing an equivalent map of the desired class.  There is no way to
 * enforce this recommendation (as interfaces cannot contain constructors) but
 * all of the general-purpose map implementations in the SDK comply.
 *
 * 
    The "destructive" methods contained in this interface, that is, the
 * methods that modify the map on which they operate, are specified to throw
 * UnsupportedOperationException if this map does not support the
 * operation.  If this is the case, these methods may, but are not required
 * to, throw an UnsupportedOperationException if the invocation would
 * have no effect on the map.  For example, invoking the {@link #putAll(Map)}
 * method on an unmodifiable map may, but is not required to, throw the
 * exception if the map whose mappings are to be "superimposed" is empty.
 *
 * 
    Some map implementations have restrictions on the keys and values they
 * may contain.  For example, some implementations prohibit null keys and
 * values, and some have restrictions on the types of their keys.  Attempting
 * to insert an ineligible key or value throws an unchecked exception,
 * typically NullPointerException or ClassCastException.
 * Attempting to query the presence of an ineligible key or value may throw an
 * exception, or it may simply return false; some implementations will exhibit
 * the former behavior and some will exhibit the latter.  More generally,
 * attempting an operation on an ineligible key or value whose completion
 * would not result in the insertion of an ineligible element into the map may
 * throw an exception or it may succeed, at the option of the implementation.
 * Such exceptions are marked as "optional" in the specification for this
 * interface.
 *
 * 
    This interface is a member of the 
 * 
 * Java Collections Framework.
 *
 * @author  Josh Bloch
 * @version 1.39, 01/23/03
 * @see HashMap
 * @see TreeMap
 * @see Hashtable
 * @see SortedMap
 * @see Collection
 * @see Set
 * @since 1.2
 */
public interface Map {
    // Query Operations

    /**
     * Returns the number of key-value mappings in this map.  If the
     * map contains more than Integer.MAX_VALUE elements, returns
     * Integer.MAX_VALUE.
     *
     * @return the number of key-value mappings in this map.
     */
    int size();

    /**
     * Returns true if this map contains no key-value mappings.
     *
     * @return true if this map contains no key-value mappings.
     */
    boolean isEmpty();

    /**
     * Returns true if this map contains a mapping for the specified
     * key.  More formally, returns true if and only if
     * this map contains at a mapping for a key k such that
     * (key==null ? k==null : key.equals(k)).  (There can be
     * at most one such mapping.)
     *
     * @param key key whose presence in this map is to be tested.
     * @return true if this map contains a mapping for the specified
     *         key.
     * 
     * @throws ClassCastException if the key is of an inappropriate type for
     * 		  this map (optional).
     * @throws NullPointerException if the key is null and this map
     *            does not not permit null keys (optional).
     */
    boolean containsKey(Object key);

    /**
     * Returns true if this map maps one or more keys to the
     * specified value.  More formally, returns true if and only if
     * this map contains at least one mapping to a value v such that
     * (value==null ? v==null : value.equals(v)).  This operation
     * will probably require time linear in the map size for most
     * implementations of the Map interface.
     *
     * @param value value whose presence in this map is to be tested.
     * @return true if this map maps one or more keys to the
     *         specified value.
     * @throws ClassCastException if the value is of an inappropriate type for
     * 		  this map (optional).
     * @throws NullPointerException if the value is null and this map
     *            does not not permit null values (optional).
     */
    boolean containsValue(Object value);

    /**
     * Returns the value to which this map maps the specified key.  Returns
     * null if the map contains no mapping for this key.  A return
     * value of null does not necessarily indicate that the
     * map contains no mapping for the key; it's also possible that the map
     * explicitly maps the key to null.  The containsKey
     * operation may be used to distinguish these two cases.
     *
     * 
    More formally, if this map contains a mapping from a key
     * k to a value v such that (key==null ? k==null :
     * key.equals(k)), then this method returns v; otherwise
     * it returns null.  (There can be at most one such mapping.)
     *
     * @param key key whose associated value is to be returned.
     * @return the value to which this map maps the specified key, or
     *	       null if the map contains no mapping for this key.
     * 
     * @throws ClassCastException if the key is of an inappropriate type for
     * 		  this map (optional).
     * @throws NullPointerException key is null and this map does not
     *		  not permit null keys (optional).
     * 
     * @see #containsKey(Object)
     */
    Object get(Object key);

    // Modification Operations

    /**
     * Associates the specified value with the specified key in this map
     * (optional operation).  If the map previously contained a mapping for
     * this key, the old value is replaced by the specified value.  (A map
     * m is said to contain a mapping for a key k if and only
     * if {@link #containsKey(Object) m.containsKey(k)} would return
     * true.)) 
     *
     * @param key key with which the specified value is to be associated.
     * @param value value to be associated with the specified key.
     * @return previous value associated with specified key, or null
     *	       if there was no mapping for key.  A null return can
     *	       also indicate that the map previously associated null
     *	       with the specified key, if the implementation supports
     *	       null values.
     * 
     * @throws UnsupportedOperationException if the put operation is
     *	          not supported by this map.
     * @throws ClassCastException if the class of the specified key or value
     * 	          prevents it from being stored in this map.
     * @throws IllegalArgumentException if some aspect of this key or value
     *	          prevents it from being stored in this map.
     * @throws NullPointerException this map does not permit null
     *            keys or values, and the specified key or value is
     *            null.
     */
    Object put(Object key, Object value);

    /**
     * Removes the mapping for this key from this map if it is present
     * (optional operation).   More formally, if this map contains a mapping
     * from key k to value v such that
     * (key==null ?  k==null : key.equals(k)), that mapping
     * is removed.  (The map can contain at most one such mapping.)
     *
     * 
    Returns the value to which the map previously associated the key, or
     * null if the map contained no mapping for this key.  (A
     * null return can also indicate that the map previously
     * associated null with the specified key if the implementation
     * supports null values.)  The map will not contain a mapping for
     * the specified  key once the call returns.
     *
     * @param key key whose mapping is to be removed from the map.
     * @return previous value associated with specified key, or null
     *	       if there was no mapping for key.
     *
     * @throws ClassCastException if the key is of an inappropriate type for
     * 		  this map (optional).
     * @throws NullPointerException if the key is null and this map
     *            does not not permit null keys (optional).
     * @throws UnsupportedOperationException if the remove method is
     *         not supported by this map.
     */
    Object remove(Object key);


    // Bulk Operations

    /**
     * Copies all of the mappings from the specified map to this map
     * (optional operation).  The effect of this call is equivalent to that
     * of calling {@link #put(Object,Object) put(k, v)} on this map once
     * for each mapping from key k to value v in the 
     * specified map.  The behavior of this operation is unspecified if the
     * specified map is modified while the operation is in progress.
     *
     * @param t Mappings to be stored in this map.
     * 
     * @throws UnsupportedOperationException if the putAll method is
     * 		  not supported by this map.
     * 
     * @throws ClassCastException if the class of a key or value in the
     * 	          specified map prevents it from being stored in this map.
     * 
     * @throws IllegalArgumentException some aspect of a key or value in the
     *	          specified map prevents it from being stored in this map.
     * @throws NullPointerException the specified map is null, or if
     *         this map does not permit null keys or values, and the
     *         specified map contains null keys or values.
     */
    void putAll(Map t);

    /**
     * Removes all mappings from this map (optional operation).
     *
     * @throws UnsupportedOperationException clear is not supported by this
     * 		  map.
     */
    void clear();


    // Views

    /**
     * Returns a set view of the keys contained in this map.  The set is
     * backed by the map, so changes to the map are reflected in the set, and
     * vice-versa.  If the map is modified while an iteration over the set is
     * in progress, the results of the iteration are undefined.  The set
     * supports element removal, which removes the corresponding mapping from
     * the map, via the Iterator.remove, Set.remove,
     * removeAll retainAll, and clear operations.
     * It does not support the add or addAll operations.
     *
     * @return a set view of the keys contained in this map.
     */
    Set keySet();

    /**
     * Returns a collection view of the values contained in this map.  The
     * collection is backed by the map, so changes to the map are reflected in
     * the collection, and vice-versa.  If the map is modified while an
     * iteration over the collection is in progress, the results of the
     * iteration are undefined.  The collection supports element removal,
     * which removes the corresponding mapping from the map, via the
     * Iterator.remove, Collection.remove,
     * removeAll, retainAll and clear operations.
     * It does not support the add or addAll operations.
     *
     * @return a collection view of the values contained in this map.
     */
    Collection values();

    /**
     * Returns a set view of the mappings contained in this map.  Each element
     * in the returned set is a {@link Map.Entry}.  The set is backed by the
     * map, so changes to the map are reflected in the set, and vice-versa.
     * If the map is modified while an iteration over the set is in progress,
     * the results of the iteration are undefined.  The set supports element
     * removal, which removes the corresponding mapping from the map, via the
     * Iterator.remove, Set.remove, removeAll,
     * retainAll and clear operations.  It does not support
     * the add or addAll operations.
     *
     * @return a set view of the mappings contained in this map.
     */
    Set entrySet();

    /**
     * A map entry (key-value pair).  The Map.entrySet method returns
     * a collection-view of the map, whose elements are of this class.  The
     * only way to obtain a reference to a map entry is from the
     * iterator of this collection-view.  These Map.Entry objects are
     * valid only for the duration of the iteration; more formally,
     * the behavior of a map entry is undefined if the backing map has been
     * modified after the entry was returned by the iterator, except through
     * the iterator's own remove operation, or through the
     * setValue operation on a map entry returned by the iterator.
     *
     * @see Map#entrySet()
     * @since 1.2
     */
    interface Entry {
    	/**
	 * Returns the key corresponding to this entry.
	 *
	 * @return the key corresponding to this entry.
	 */
	Object getKey();

    	/**
	 * Returns the value corresponding to this entry.  If the mapping
	 * has been removed from the backing map (by the iterator's
	 * remove operation), the results of this call are undefined.
	 *
	 * @return the value corresponding to this entry.
	 */
	Object getValue();

    	/**
	 * Replaces the value corresponding to this entry with the specified
	 * value (optional operation).  (Writes through to the map.)  The
	 * behavior of this call is undefined if the mapping has already been
	 * removed from the map (by the iterator's remove operation).
	 *
	 * @param value new value to be stored in this entry.
	 * @return old value corresponding to the entry.
         * 
	 * @throws UnsupportedOperationException if the put operation
	 *	      is not supported by the backing map.
	 * @throws ClassCastException if the class of the specified value
	 * 	      prevents it from being stored in the backing map.
	 * @throws    IllegalArgumentException if some aspect of this value
	 *	      prevents it from being stored in the backing map.
	 * @throws NullPointerException the backing map does not permit
	 *	      null values, and the specified value is
	 *	      null.
         */
	Object setValue(Object value);

	/**
	 * Compares the specified object with this entry for equality.
	 * Returns true if the given object is also a map entry and
	 * the two entries represent the same mapping.  More formally, two
	 * entries e1 and e2 represent the same mapping
	 * if
             *     (e1.getKey()==null ?
         *      e2.getKey()==null : e1.getKey().equals(e2.getKey()))  &&
         *     (e1.getValue()==null ?
         *      e2.getValue()==null : e1.getValue().equals(e2.getValue()))
         * 
    
	 * This ensures that the equals method works properly across
	 * different implementations of the Map.Entry interface.
	 *
	 * @param o object to be compared for equality with this map entry.
	 * @return true if the specified object is equal to this map
	 *         entry.
         */
	boolean equals(Object o);

	/**
	 * Returns the hash code value for this map entry.  The hash code
	 * of a map entry e is defined to be: 
    	 *     (e.getKey()==null   ? 0 : e.getKey().hashCode()) ^
	 *     (e.getValue()==null ? 0 : e.getValue().hashCode())
         * 
    
	 * This ensures that e1.equals(e2) implies that
	 * e1.hashCode()==e2.hashCode() for any two Entries
	 * e1 and e2, as required by the general
	 * contract of Object.hashCode.
	 *
	 * @return the hash code value for this map entry.
	 * @see Object#hashCode()
	 * @see Object#equals(Object)
	 * @see #equals(Object)
	 */
	int hashCode();
    }

    // Comparison and hashing

    /**
     * Compares the specified object with this map for equality.  Returns
     * true if the given object is also a map and the two Maps
     * represent the same mappings.  More formally, two maps t1 and
     * t2 represent the same mappings if
     * t1.entrySet().equals(t2.entrySet()).  This ensures that the
     * equals method works properly across different implementations
     * of the Map interface.
     *
     * @param o object to be compared for equality with this map.
     * @return true if the specified object is equal to this map.
     */
    boolean equals(Object o);

    /**
     * Returns the hash code value for this map.  The hash code of a map
     * is defined to be the sum of the hashCodes of each entry in the map's
     * entrySet view.  This ensures that t1.equals(t2) implies
     * that t1.hashCode()==t2.hashCode() for any two maps
     * t1 and t2, as required by the general
     * contract of Object.hashCode.
     *
     * @return the hash code value for this map.
     * @see Map.Entry#hashCode()
     * @see Object#hashCode()
     * @see Object#equals(Object)
     * @see #equals(Object)
     */
    int hashCode();
}
why-2.39/lib/java_api/java/lang/0000755000106100004300000000000013147234006015413 5ustar  marchevalswhy-2.39/lib/java_api/java/lang/String.java0000644000106100004300000026105113147234006017531 0ustar  marchevals/*
 * @(#)String.java	1.159 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.lang;

//*KML import java.io.ObjectStreamClass;
//*KML import java.io.ObjectStreamField;
//*KML import java.io.UnsupportedEncodingException;
//*KML import java.util.ArrayList;
//*KML import java.util.Comparator;
//*KML import java.util.Locale;
//*KML import java.util.regex.Matcher;
//*KML import java.util.regex.Pattern;
//*KML import java.util.regex.PatternSyntaxException;


/**
 * The String class represents character strings. All
 * string literals in Java programs, such as "abc", are
 * implemented as instances of this class.
 * 
    
 * Strings are constant; their values cannot be changed after they
 * are created. String buffers support mutable strings.
 * Because String objects are immutable they can be shared. For example:
 * 
     *     String str = "abc";
 * 
    
 * is equivalent to:
 * 
     *     char data[] = {'a', 'b', 'c'};
 *     String str = new String(data);
 * 
    
 * Here are some more examples of how strings can be used:
 * 
     *     System.out.println("abc");
 *     String cde = "cde";
 *     System.out.println("abc" + cde);
 *     String c = "abc".substring(2,3);
 *     String d = cde.substring(1, 2);
 * 
    
 * 
    
 * The class String includes methods for examining
 * individual characters of the sequence, for comparing strings, for
 * searching strings, for extracting substrings, and for creating a
 * copy of a string with all characters translated to uppercase or to
 * lowercase. Case mapping relies heavily on the information provided
 * by the Unicode Consortium's Unicode 3.0 specification. The
 * specification's UnicodeData.txt and SpecialCasing.txt files are
 * used extensively to provide case mapping.
 * 
    
 * The Java language provides special support for the string
 * concatenation operator ( + ), and for conversion of
 * other objects to strings. String concatenation is implemented
 * through the StringBuffer class and its
 * append method.
 * String conversions are implemented through the method
 * toString, defined by Object and
 * inherited by all classes in Java. For additional information on
 * string concatenation and conversion, see Gosling, Joy, and Steele,
 * The Java Language Specification.
 *
 * 
     Unless otherwise noted, passing a null argument to a constructor
 * or method in this class will cause a {@link NullPointerException} to be
 * thrown.
 *
 * @author  Lee Boynton
 * @author  Arthur van Hoff
 * @version 1.152, 02/01/03
 * @see     java.lang.Object#toString()
 * @see     java.lang.StringBuffer
 * @see     java.lang.StringBuffer#append(boolean)
 * @see     java.lang.StringBuffer#append(char)
 * @see     java.lang.StringBuffer#append(char[])
 * @see     java.lang.StringBuffer#append(char[], int, int)
 * @see     java.lang.StringBuffer#append(double)
 * @see     java.lang.StringBuffer#append(float)
 * @see     java.lang.StringBuffer#append(int)
 * @see     java.lang.StringBuffer#append(long)
 * @see     java.lang.StringBuffer#append(java.lang.Object)
 * @see     java.lang.StringBuffer#append(java.lang.String)
 * @see     java.nio.charset.Charset
 * @since   JDK1.0
 */

public final class String
    implements java.io.Serializable, Comparable, CharSequence
{
    /** The value is used for character storage. */
    private char value[];

    /** The offset is the first index of the storage that is used. */
    private int offset;

    /** The count is the number of characters in the String. */
    private int count;

    /** Cache the hash code for the string */
    private int hash = 0;

    /** use serialVersionUID from JDK 1.0.2 for interoperability */
    private static final long serialVersionUID = -6849794470754667710L;

    /**
     * Class String is special cased within the Serialization Stream Protocol.
     *
     * A String instance is written intially into an ObjectOutputStream in the
     * following format:
     * 
         *      TC_STRING (utf String)
     * 
    
     * The String is written by method DataOutput.writeUTF.
     * A new handle is generated to  refer to all future references to the
     * string instance within the stream.
     */
    /*KML
    private static final ObjectStreamField[] serialPersistentFields =
        new ObjectStreamField[0];
    KML*/

    /**
     * Initializes a newly created String object so that it
     * represents an empty character sequence.  Note that use of this 
     * constructor is unnecessary since Strings are immutable. 
     */
    public String() {
        value = new char[0];
    }

    /**
     * Initializes a newly created String object so that it
     * represents the same sequence of characters as the argument; in other
     * words, the newly created string is a copy of the argument string. Unless 
     * an explicit copy of original is needed, use of this 
     * constructor is unnecessary since Strings are immutable. 
     *
     * @param   original   a String.
     */
    public String(String original) {
 	this.count = original.count;
 	if (original.value.length > this.count) {
 	    // The array representing the String is bigger than the new
 	    // String itself.  Perhaps this constructor is being called
 	    // in order to trim the baggage, so make a copy of the array.
 	    this.value = new char[this.count];
 	    System.arraycopy(original.value, original.offset,
 			     this.value, 0, this.count);
 	} else {
 	    // The array representing the String is the same
 	    // size as the String, so no point in making a copy.
 	    this.value = original.value;
 	}
    }

    /**
     * Allocates a new String so that it represents the
     * sequence of characters currently contained in the character array
     * argument. The contents of the character array are copied; subsequent
     * modification of the character array does not affect the newly created
     * string.
     *
     * @param  value   the initial value of the string.
     */
    public String(char value[]) {
        this.count = value.length;
        this.value = new char[count];
        System.arraycopy(value, 0, this.value, 0, count);
    }

    /**
     * Allocates a new String that contains characters from
     * a subarray of the character array argument. The offset
     * argument is the index of the first character of the subarray and
     * the count argument specifies the length of the
     * subarray. The contents of the subarray are copied; subsequent
     * modification of the character array does not affect the newly
     * created string.
     *
     * @param      value    array that is the source of characters.
     * @param      offset   the initial offset.
     * @param      count    the length.
     * @exception  IndexOutOfBoundsException  if the offset
     *               and count arguments index characters outside
     *               the bounds of the value array.
     */
    public String(char value[], int offset, int count) {
        if (offset < 0) {
            throw new StringIndexOutOfBoundsException(offset);
        }
        if (count < 0) {
            throw new StringIndexOutOfBoundsException(count);
        }
        // Note: offset or count might be near -1>>>1.
        if (offset > value.length - count) {
            throw new StringIndexOutOfBoundsException(offset + count);
        }

        this.value = new char[count];
        this.count = count;
        System.arraycopy(value, offset, this.value, 0, count);
    }

    /**
     * Allocates a new String constructed from a subarray
     * of an array of 8-bit integer values.
     * 
    
     * The offset argument is the index of the first byte
     * of the subarray, and the count argument specifies the
     * length of the subarray.
     * 
    
     * Each byte in the subarray is converted to a
     * char as specified in the method above.
     *
     * @deprecated This method does not properly convert bytes into characters.
     * As of JDK 1.1, the preferred way to do this is via the
     * String constructors that take a charset name or that use
     * the platform's default charset.
     *
     * @param      ascii     the bytes to be converted to characters.
     * @param      hibyte    the top 8 bits of each 16-bit Unicode character.
     * @param      offset    the initial offset.
     * @param      count     the length.
     * @exception  IndexOutOfBoundsException  if the offset
     *               or count argument is invalid.
     * @see        java.lang.String#String(byte[], int)
     * @see        java.lang.String#String(byte[], int, int, java.lang.String)
     * @see        java.lang.String#String(byte[], int, int)
     * @see        java.lang.String#String(byte[], java.lang.String)
     * @see        java.lang.String#String(byte[])
     */
    public String(byte ascii[], int hibyte, int offset, int count) {
	checkBounds(ascii, offset, count);

        char value[] = new char[count];
        this.count = count;
        this.value = value;

        if (hibyte == 0) {
            for (int i = count ; i-- > 0 ;) {
                value[i] = (char) (ascii[i + offset] & 0xff);
            }
        } else {
            hibyte <<= 8;
            for (int i = count ; i-- > 0 ;) {
                value[i] = (char) (hibyte | (ascii[i + offset] & 0xff));
            }
        }
    }

    /**
     * Allocates a new String containing characters
     * constructed from an array of 8-bit integer values. Each character
     * cin the resulting string is constructed from the
     * corresponding component b in the byte array such that:
     * 
         *     c == (char)(((hibyte & 0xff) << 8)
     *                         | (b & 0xff))
     * 
    
     *
     * @deprecated This method does not properly convert bytes into characters.
     * As of JDK 1.1, the preferred way to do this is via the
     * String constructors that take a charset name or
     * that use the platform's default charset.
     *
     * @param      ascii    the bytes to be converted to characters.
     * @param      hibyte   the top 8 bits of each 16-bit Unicode character.
     * @see        java.lang.String#String(byte[], int, int, java.lang.String)
     * @see        java.lang.String#String(byte[], int, int)
     * @see        java.lang.String#String(byte[], java.lang.String)
     * @see        java.lang.String#String(byte[])
     */
    public String(byte ascii[], int hibyte) {
        this(ascii, hibyte, 0, ascii.length);
    }

    /* Common private utility method used to bounds check the byte array
     * and requested offset & length values used by the String(byte[],..)
     * constructors.
     */
    private static void checkBounds(byte[] bytes, int offset, int length) {
	if (length < 0)
	    throw new StringIndexOutOfBoundsException(length);
	if (offset < 0)
	    throw new StringIndexOutOfBoundsException(offset);
	if (offset > bytes.length - length)
	    throw new StringIndexOutOfBoundsException(offset + length);
    }

    /**
     * Constructs a new String by decoding the specified subarray of
     * bytes using the specified charset.  The length of the new
     * String is a function of the charset, and hence may not be equal
     * to the length of the subarray.
     *
     * 
     The behavior of this constructor when the given bytes are not valid
     * in the given charset is unspecified.  The {@link
     * java.nio.charset.CharsetDecoder} class should be used when more control
     * over the decoding process is required.
     *
     * @param  bytes   the bytes to be decoded into characters
     * @param  offset  the index of the first byte to decode
     * @param  length  the number of bytes to decode
     * @param  charsetName  the name of a supported
     *                 {@link java.nio.charset.Charset charset}
     * @throws  UnsupportedEncodingException
     *          if the named charset is not supported
     * @throws  IndexOutOfBoundsException
     *          if the offset and length arguments
     *          index characters outside the bounds of the bytes
     *          array
     * @since JDK1.1
     */
    public String(byte bytes[], int offset, int length, String charsetName)
	throws UnsupportedEncodingException
    {
	if (charsetName == null)
	    throw new NullPointerException("charsetName");
	checkBounds(bytes, offset, length);
	value = StringCoding.decode(charsetName, bytes, offset, length);
	count = value.length;
    }

    /**
     * Constructs a new String by decoding the specified array of
     * bytes using the specified charset.  The length of the new
     * String is a function of the charset, and hence may not be equal
     * to the length of the byte array.
     *
     * 
     The behavior of this constructor when the given bytes are not valid
     * in the given charset is unspecified.  The {@link
     * java.nio.charset.CharsetDecoder} class should be used when more control
     * over the decoding process is required.
     *
     * @param  bytes   the bytes to be decoded into characters
     * @param  charsetName  the name of a supported
     *                 {@link java.nio.charset.Charset charset}
     *
     * @exception  UnsupportedEncodingException
     *             If the named charset is not supported
     * @since      JDK1.1
     */
    public String(byte bytes[], String charsetName)
	throws UnsupportedEncodingException
    {
	this(bytes, 0, bytes.length, charsetName);
    }

    /**
     * Constructs a new String by decoding the specified subarray of
     * bytes using the platform's default charset.  The length of the new
     * String is a function of the charset, and hence may not be equal
     * to the length of the subarray.
     *
     * 
     The behavior of this constructor when the given bytes are not valid
     * in the default charset is unspecified.  The {@link
     * java.nio.charset.CharsetDecoder} class should be used when more control
     * over the decoding process is required.
     *
     * @param  bytes   the bytes to be decoded into characters
     * @param  offset  the index of the first byte to decode
     * @param  length  the number of bytes to decode
     * @throws IndexOutOfBoundsException
     *         if the offset and the length
     *         arguments index characters outside the bounds of the
     *         bytes array
     * @since  JDK1.1
     */
    public String(byte bytes[], int offset, int length) {
	checkBounds(bytes, offset, length);
	value = StringCoding.decode(bytes, offset, length);
	count = value.length;
    }

    /**
     * Constructs a new String by decoding the specified array of
     * bytes using the platform's default charset.  The length of the new
     * String is a function of the charset, and hence may not be equal
     * to the length of the byte array.
     *
     * 
     The behavior of this constructor when the given bytes are not valid
     * in the default charset is unspecified.  The {@link
     * java.nio.charset.CharsetDecoder} class should be used when more control
     * over the decoding process is required.
     *
     * @param  bytes   the bytes to be decoded into characters
     * @since  JDK1.1
     */
    public String(byte bytes[]) {
	this(bytes, 0, bytes.length);
    }

    /**
     * Allocates a new string that contains the sequence of characters
     * currently contained in the string buffer argument. The contents of
     * the string buffer are copied; subsequent modification of the string
     * buffer does not affect the newly created string.
     *
     * @param   buffer   a StringBuffer.
     */
    public String (StringBuffer buffer) {
        synchronized(buffer) {
            buffer.setShared();
            this.value = buffer.getValue();
            this.offset = 0;
            this.count = buffer.length();
        }
    }

    // Package private constructor which shares value array for speed.
    String(int offset, int count, char value[]) {
	this.value = value;
	this.offset = offset;
	this.count = count;
    }

    /**
     * Returns the length of this string.
     * The length is equal to the number of 16-bit
     * Unicode characters in the string.
     *
     * @return  the length of the sequence of characters represented by this
     *          object.
     */
    public int length() {
        return count;
    }

    /**
     * Returns the character at the specified index. An index ranges
     * from 0 to length() - 1. The first character
     * of the sequence is at index 0, the next at index
     * 1, and so on, as for array indexing.
     *
     * @param      index   the index of the character.
     * @return     the character at the specified index of this string.
     *             The first character is at index 0.
     * @exception  IndexOutOfBoundsException  if the index
     *             argument is negative or not less than the length of this
     *             string.
     */
    public char charAt(int index) {
        if ((index < 0) || (index >= count)) {
            throw new StringIndexOutOfBoundsException(index);
        }
        return value[index + offset];
    }

    /**
     * Copies characters from this string into the destination character
     * array.
     * 
    
     * The first character to be copied is at index srcBegin;
     * the last character to be copied is at index srcEnd-1
     * (thus the total number of characters to be copied is
     * srcEnd-srcBegin). The characters are copied into the
     * subarray of dst starting at index dstBegin
     * and ending at index:
     * 
         *     dstbegin + (srcEnd-srcBegin) - 1
     * 
    
     *
     * @param      srcBegin   index of the first character in the string
     *                        to copy.
     * @param      srcEnd     index after the last character in the string
     *                        to copy.
     * @param      dst        the destination array.
     * @param      dstBegin   the start offset in the destination array.
     * @exception IndexOutOfBoundsException If any of the following
     *            is true:
     *            
    • srcBegin is negative.
     *            
    • srcBegin is greater than srcEnd
     *            
    • srcEnd is greater than the length of this
     *                string
     *            
    • dstBegin is negative
     *            
    • dstBegin+(srcEnd-srcBegin) is larger than
     *                dst.length
    
     */
    public void getChars(int srcBegin, int srcEnd, char dst[], int dstBegin) {
        if (srcBegin < 0) {
            throw new StringIndexOutOfBoundsException(srcBegin);
        }
        if (srcEnd > count) {
            throw new StringIndexOutOfBoundsException(srcEnd);
        }
        if (srcBegin > srcEnd) {
            throw new StringIndexOutOfBoundsException(srcEnd - srcBegin);
        }
        System.arraycopy(value, offset + srcBegin, dst, dstBegin,
             srcEnd - srcBegin);
    }

    /**
     * Copies characters from this string into the destination byte
     * array. Each byte receives the 8 low-order bits of the
     * corresponding character. The eight high-order bits of each character
     * are not copied and do not participate in the transfer in any way.
     * 
    
     * The first character to be copied is at index srcBegin;
     * the last character to be copied is at index srcEnd-1.
     * The total number of characters to be copied is
     * srcEnd-srcBegin. The characters, converted to bytes,
     * are copied into the subarray of dst starting at index
     * dstBegin and ending at index:
     * 
         *     dstbegin + (srcEnd-srcBegin) - 1
     * 
    
     *
     * @deprecated This method does not properly convert characters into bytes.
     * As of JDK 1.1, the preferred way to do this is via the
     * the getBytes() method, which uses the platform's default
     * charset.
     *
     * @param      srcBegin   index of the first character in the string
     *                        to copy.
     * @param      srcEnd     index after the last character in the string
     *                        to copy.
     * @param      dst        the destination array.
     * @param      dstBegin   the start offset in the destination array.
     * @exception IndexOutOfBoundsException if any of the following
     *            is true:
     *           
    • srcBegin is negative
     *           
    • srcBegin is greater than srcEnd
     *           
    • srcEnd is greater than the length of this
     *            String
     *           
    • dstBegin is negative
     *           
    • dstBegin+(srcEnd-srcBegin) is larger than
     *            dst.length
    
     */
    public void getBytes(int srcBegin, int srcEnd, byte dst[], int dstBegin) {
        if (srcBegin < 0) {
            throw new StringIndexOutOfBoundsException(srcBegin);
        }
        if (srcEnd > count) {
            throw new StringIndexOutOfBoundsException(srcEnd);
        }
        if (srcBegin > srcEnd) {
            throw new StringIndexOutOfBoundsException(srcEnd - srcBegin);
        }
        int j = dstBegin;
        int n = offset + srcEnd;
        int i = offset + srcBegin;
        char[] val = value;   /* avoid getfield opcode */

        while (i < n) {
            dst[j++] = (byte)val[i++];
        }
    }

    /**
     * Encodes this String into a sequence of bytes using the
     * named charset, storing the result into a new byte array.
     *
     * 
     The behavior of this method when this string cannot be encoded in
     * the given charset is unspecified.  The {@link
     * java.nio.charset.CharsetEncoder} class should be used when more control
     * over the encoding process is required.
     *
     * @param  charsetName
     *         the name of a supported
     *         {@link java.nio.charset.Charset charset}
     *
     * @return  The resultant byte array
     *
     * @exception  UnsupportedEncodingException
     *             If the named charset is not supported
     *
     * @since      JDK1.1
     */
    public byte[] getBytes(String charsetName)
	throws UnsupportedEncodingException
    {
	return StringCoding.encode(charsetName, value, offset, count);
    }

    /**
     * Encodes this String into a sequence of bytes using the
     * platform's default charset, storing the result into a new byte array.
     *
     * 
     The behavior of this method when this string cannot be encoded in
     * the default charset is unspecified.  The {@link
     * java.nio.charset.CharsetEncoder} class should be used when more control
     * over the encoding process is required.
     *
     * @return  The resultant byte array
     *
     * @since      JDK1.1
     */
    public byte[] getBytes() {
	return StringCoding.encode(value, offset, count);
    }

    /**
     * Compares this string to the specified object.
     * The result is true if and only if the argument is not
     * null and is a String object that represents
     * the same sequence of characters as this object.
     *
     * @param   anObject   the object to compare this String
     *                     against.
     * @return  true if the String are equal;
     *          false otherwise.
     * @see     java.lang.String#compareTo(java.lang.String)
     * @see     java.lang.String#equalsIgnoreCase(java.lang.String)
     */
    public boolean equals(Object anObject) {
	if (this == anObject) {
	    return true;
	}
	if (anObject instanceof String) {
	    String anotherString = (String)anObject;
	    int n = count;
	    if (n == anotherString.count) {
		char v1[] = value;
		char v2[] = anotherString.value;
		int i = offset;
		int j = anotherString.offset;
		while (n-- != 0) {
		    if (v1[i++] != v2[j++])
			return false;
		}
		return true;
	    }
	}
	return false;
    }

    /**
     * Returns true if and only if this String represents
     * the same sequence of characters as the specified StringBuffer.
     *
     * @param   sb         the StringBuffer to compare to.
     * @return  true if and only if this String represents
     *          the same sequence of characters as the specified
     *          StringBuffer, otherwise false.
     * @since 1.4
     */
    public boolean contentEquals(StringBuffer sb) {
        synchronized(sb) {
            if (count != sb.length())
                return false;
            char v1[] = value;
            char v2[] = sb.getValue();
            int i = offset;
            int j = 0;
            int n = count;
            while (n-- != 0) {
                if (v1[i++] != v2[j++])
                    return false;
            }
        }
        return true;
    }

    /**
     * Compares this String to another String,
     * ignoring case considerations.  Two strings are considered equal
     * ignoring case if they are of the same length, and corresponding
     * characters in the two strings are equal ignoring case.
     * 
    
     * Two characters c1 and c2 are considered
     * the same, ignoring case if at least one of the following is true:
     * 
    • The two characters are the same (as compared by the
     * == operator).
     * 
    • Applying the method {@link java.lang.Character#toUpperCase(char)}
     * to each character produces the same result.
     * 
    • Applying the method {@link java.lang.Character#toLowerCase(char)}
     * to each character produces the same result.
    
     *
     * @param   anotherString   the String to compare this
     *                          String against.
     * @return  true if the argument is not null
     *          and the Strings are equal,
     *          ignoring case; false otherwise.
     * @see     #equals(Object)
     * @see     java.lang.Character#toLowerCase(char)
     * @see java.lang.Character#toUpperCase(char)
     */
    public boolean equalsIgnoreCase(String anotherString) {
        return (this == anotherString) ? true :
               (anotherString != null) && (anotherString.count == count) &&
	       regionMatches(true, 0, anotherString, 0, count);
    }

    /**
     * Compares two strings lexicographically.
     * The comparison is based on the Unicode value of each character in
     * the strings. The character sequence represented by this
     * String object is compared lexicographically to the
     * character sequence represented by the argument string. The result is
     * a negative integer if this String object
     * lexicographically precedes the argument string. The result is a
     * positive integer if this String object lexicographically
     * follows the argument string. The result is zero if the strings
     * are equal; compareTo returns 0 exactly when
     * the {@link #equals(Object)} method would return true.
     * 
    
     * This is the definition of lexicographic ordering. If two strings are
     * different, then either they have different characters at some index
     * that is a valid index for both strings, or their lengths are different,
     * or both. If they have different characters at one or more index
     * positions, let k be the smallest such index; then the string
     * whose character at position k has the smaller value, as
     * determined by using the < operator, lexicographically precedes the
     * other string. In this case, compareTo returns the
     * difference of the two character values at position k in
     * the two string -- that is, the value:
     * 
         * this.charAt(k)-anotherString.charAt(k)
     * 
    
     * If there is no index position at which they differ, then the shorter
     * string lexicographically precedes the longer string. In this case,
     * compareTo returns the difference of the lengths of the
     * strings -- that is, the value:
     * 
         * this.length()-anotherString.length()
     * 
    
     *
     * @param   anotherString   the String to be compared.
     * @return  the value 0 if the argument string is equal to
     *          this string; a value less than 0 if this string
     *          is lexicographically less than the string argument; and a
     *          value greater than 0 if this string is
     *          lexicographically greater than the string argument.
     */
    public int compareTo(String anotherString) {
	int len1 = count;
	int len2 = anotherString.count;
	int n = Math.min(len1, len2);
	char v1[] = value;
	char v2[] = anotherString.value;
	int i = offset;
	int j = anotherString.offset;

	if (i == j) {
	    int k = i;
	    int lim = n + i;
	    while (k < lim) {
		char c1 = v1[k];
		char c2 = v2[k];
		if (c1 != c2) {
		    return c1 - c2;
		}
		k++;
	    }
	} else {
	    while (n-- != 0) {
		char c1 = v1[i++];
		char c2 = v2[j++];
		if (c1 != c2) {
		    return c1 - c2;
		}
	    }
	}
	return len1 - len2;
    }

    /**
     * Compares this String to another Object.  If the Object is a String,
     * this function behaves like compareTo(String).  Otherwise,
     * it throws a ClassCastException (as Strings are comparable
     * only to other Strings).
     *
     * @param   o the Object to be compared.
     * @return  the value 0 if the argument is a string
     *		lexicographically equal to this string; a value less than
     *		0 if the argument is a string lexicographically
     *		greater than this string; and a value greater than
     *		0 if the argument is a string lexicographically
     *		less than this string.
     * @exception ClassCastException if the argument is not a
     *		  String.
     * @see     java.lang.Comparable
     * @since   1.2
     */
    public int compareTo(Object o) {
	return compareTo((String)o);
    }

    /**
     * A Comparator that orders String objects as by
     * compareToIgnoreCase. This comparator is serializable.
     * 
    
     * Note that this Comparator does not take locale into account,
     * and will result in an unsatisfactory ordering for certain locales.
     * The java.text package provides Collators to allow
     * locale-sensitive ordering.
     *
     * @see     java.text.Collator#compare(String, String)
     * @since   1.2
     */
    /* KML
    public static final Comparator CASE_INSENSITIVE_ORDER
                                         = new CaseInsensitiveComparator();
    private static class CaseInsensitiveComparator
                         implements Comparator, java.io.Serializable {
	// use serialVersionUID from JDK 1.2.2 for interoperability
	private static final long serialVersionUID = 8575799808933029326L;

        public int compare(Object o1, Object o2) {
            String s1 = (String) o1;
            String s2 = (String) o2;
            int n1=s1.length(), n2=s2.length();
            for (int i1=0, i2=0; i1compareTo with normalized versions of the strings
     * where case differences have been eliminated by calling
     * Character.toLowerCase(Character.toUpperCase(character)) on
     * each character.
     * 
    
     * Note that this method does not take locale into account,
     * and will result in an unsatisfactory ordering for certain locales.
     * The java.text package provides collators to allow
     * locale-sensitive ordering.
     *
     * @param   str   the String to be compared.
     * @return  a negative integer, zero, or a positive integer as the
     *		the specified String is greater than, equal to, or less
     *		than this String, ignoring case considerations.
     * @see     java.text.Collator#compare(String, String)
     * @since   1.2
     */
    public int compareToIgnoreCase(String str) {
        return CASE_INSENSITIVE_ORDER.compare(this, str);
    }

    /**
     * Tests if two string regions are equal.
     * 
    
     * A substring of this String object is compared to a substring
     * of the argument other. The result is true if these substrings
     * represent identical character sequences. The substring of this
     * String object to be compared begins at index toffset
     * and has length len. The substring of other to be compared
     * begins at index ooffset and has length len. The
     * result is false if and only if at least one of the following
     * is true:
     * 
    • toffset is negative.
     * 
    • ooffset is negative.
     * 
    • toffset+len is greater than the length of this
     * String object.
     * 
    • ooffset+len is greater than the length of the other
     * argument.
     * 
    • There is some nonnegative integer k less than len
     * such that:
     * this.charAt(toffset+k) != other.charAt(ooffset+k)
     * 
    
     *
     * @param   toffset   the starting offset of the subregion in this string.
     * @param   other     the string argument.
     * @param   ooffset   the starting offset of the subregion in the string
     *                    argument.
     * @param   len       the number of characters to compare.
     * @return  true if the specified subregion of this string
     *          exactly matches the specified subregion of the string argument;
     *          false otherwise.
     */
    public boolean regionMatches(int toffset, String other, int ooffset,
				 int len) {
	char ta[] = value;
	int to = offset + toffset;
	char pa[] = other.value;
	int po = other.offset + ooffset;
	// Note: toffset, ooffset, or len might be near -1>>>1.
	if ((ooffset < 0) || (toffset < 0) || (toffset > (long)count - len)
	    || (ooffset > (long)other.count - len)) {
	    return false;
	}
	while (len-- > 0) {
	    if (ta[to++] != pa[po++]) {
	        return false;
	    }
	}
	return true;
    }

    /**
     * Tests if two string regions are equal.
     * 
    
     * A substring of this String object is compared to a substring
     * of the argument other. The result is true if these
     * substrings represent character sequences that are the same, ignoring
     * case if and only if ignoreCase is true. The substring of
     * this String object to be compared begins at index
     * toffset and has length len. The substring of
     * other to be compared begins at index ooffset and
     * has length len. The result is false if and only if
     * at least one of the following is true:
     * 
    • toffset is negative.
     * 
    • ooffset is negative.
     * 
    • toffset+len is greater than the length of this
     * String object.
     * 
    • ooffset+len is greater than the length of the other
     * argument.
     * 
    • ignoreCase is false and there is some nonnegative
     * integer k less than len such that:
     * 
           * this.charAt(toffset+k) != other.charAt(ooffset+k)
     * 
      
     * 
    • ignoreCase is true and there is some nonnegative
     * integer k less than len such that:
     * 
           * Character.toLowerCase(this.charAt(toffset+k)) !=
               Character.toLowerCase(other.charAt(ooffset+k))
     * 
      
     * and:
     * 
           * Character.toUpperCase(this.charAt(toffset+k)) !=
     *         Character.toUpperCase(other.charAt(ooffset+k))
     * 
      
     * 
    
     *
     * @param   ignoreCase   if true, ignore case when comparing
     *                       characters.
     * @param   toffset      the starting offset of the subregion in this
     *                       string.
     * @param   other        the string argument.
     * @param   ooffset      the starting offset of the subregion in the string
     *                       argument.
     * @param   len          the number of characters to compare.
     * @return  true if the specified subregion of this string
     *          matches the specified subregion of the string argument;
     *          false otherwise. Whether the matching is exact
     *          or case insensitive depends on the ignoreCase
     *          argument.
     */
    public boolean regionMatches(boolean ignoreCase, int toffset,
                           String other, int ooffset, int len) {
        char ta[] = value;
        int to = offset + toffset;
        char pa[] = other.value;
        int po = other.offset + ooffset;
        // Note: toffset, ooffset, or len might be near -1>>>1.
        if ((ooffset < 0) || (toffset < 0) || (toffset > (long)count - len) ||
                (ooffset > (long)other.count - len)) {
            return false;
        }
        while (len-- > 0) {
            char c1 = ta[to++];
            char c2 = pa[po++];
            if (c1 == c2) {
                continue;
            }
            if (ignoreCase) {
                // If characters don't match but case may be ignored,
                // try converting both characters to uppercase.
                // If the results match, then the comparison scan should
                // continue.
                char u1 = Character.toUpperCase(c1);
                char u2 = Character.toUpperCase(c2);
                if (u1 == u2) {
                    continue;
                }
                // Unfortunately, conversion to uppercase does not work properly
                // for the Georgian alphabet, which has strange rules about case
                // conversion.  So we need to make one last check before
                // exiting.
                if (Character.toLowerCase(u1) == Character.toLowerCase(u2)) {
                    continue;
                }
            }
            return false;
        }
        return true;
    }

    /**
     * Tests if this string starts with the specified prefix beginning
     * a specified index.
     *
     * @param   prefix    the prefix.
     * @param   toffset   where to begin looking in the string.
     * @return  true if the character sequence represented by the
     *          argument is a prefix of the substring of this object starting
     *          at index toffset; false otherwise.
     *          The result is false if toffset is
     *          negative or greater than the length of this
     *          String object; otherwise the result is the same
     *          as the result of the expression
     *          
         *          this.subString(toffset).startsWith(prefix)
     *          
    
     */
    public boolean startsWith(String prefix, int toffset) {
	char ta[] = value;
	int to = offset + toffset;
	char pa[] = prefix.value;
	int po = prefix.offset;
	int pc = prefix.count;
	// Note: toffset might be near -1>>>1.
	if ((toffset < 0) || (toffset > count - pc)) {
	    return false;
	}
	while (--pc >= 0) {
	    if (ta[to++] != pa[po++]) {
	        return false;
	    }
	}
	return true;
    }

    /**
     * Tests if this string starts with the specified prefix.
     *
     * @param   prefix   the prefix.
     * @return  true if the character sequence represented by the
     *          argument is a prefix of the character sequence represented by
     *          this string; false otherwise.
     *          Note also that true will be returned if the
     *          argument is an empty string or is equal to this
     *          String object as determined by the
     *          {@link #equals(Object)} method.
     * @since   1. 0
     */
    public boolean startsWith(String prefix) {
	return startsWith(prefix, 0);
    }

    /**
     * Tests if this string ends with the specified suffix.
     *
     * @param   suffix   the suffix.
     * @return  true if the character sequence represented by the
     *          argument is a suffix of the character sequence represented by
     *          this object; false otherwise. Note that the
     *          result will be true if the argument is the
     *          empty string or is equal to this String object
     *          as determined by the {@link #equals(Object)} method.
     */
    public boolean endsWith(String suffix) {
	return startsWith(suffix, count - suffix.count);
    }

    /**
     * Returns a hash code for this string. The hash code for a
     * String object is computed as
     * 
         * s[0]*31^(n-1) + s[1]*31^(n-2) + ... + s[n-1]
     * 
    
     * using int arithmetic, where s[i] is the
     * ith character of the string, n is the length of
     * the string, and ^ indicates exponentiation.
     * (The hash value of the empty string is zero.)
     *
     * @return  a hash code value for this object.
     */
    public int hashCode() {
	int h = hash;
	if (h == 0) {
	    int off = offset;
	    char val[] = value;
	    int len = count;

            for (int i = 0; i < len; i++) {
                h = 31*h + val[off++];
            }
            hash = h;
        }
        return h;
    }

    /**
     * Returns the index within this string of the first occurrence of the
     * specified character. If a character with value ch occurs
     * in the character sequence represented by this String
     * object, then the index of the first such occurrence is returned --
     * that is, the smallest value k such that:
     * 
         * this.charAt(k) == ch
     * 
    
     * is true. If no such character occurs in this string,
     * then -1 is returned.
     *
     * @param   ch   a character.
     * @return  the index of the first occurrence of the character in the
     *          character sequence represented by this object, or
     *          -1 if the character does not occur.
     */
    public int indexOf(int ch) {
	return indexOf(ch, 0);
    }

    /**
     * Returns the index within this string of the first occurrence of the
     * specified character, starting the search at the specified index.
     * 
    
     * If a character with value ch occurs in the character
     * sequence represented by this String object at an index
     * no smaller than fromIndex, then the index of the first
     * such occurrence is returned--that is, the smallest value k
     * such that:
     * 
         * (this.charAt(k) == ch) && (k >= fromIndex)
     * 
    
     * is true. If no such character occurs in this string at or after
     * position fromIndex, then -1 is returned.
     * 
    
     * There is no restriction on the value of fromIndex. If it
     * is negative, it has the same effect as if it were zero: this entire
     * string may be searched. If it is greater than the length of this
     * string, it has the same effect as if it were equal to the length of
     * this string: -1 is returned.
     *
     * @param   ch          a character.
     * @param   fromIndex   the index to start the search from.
     * @return  the index of the first occurrence of the character in the
     *          character sequence represented by this object that is greater
     *          than or equal to fromIndex, or -1
     *          if the character does not occur.
     */
    public int indexOf(int ch, int fromIndex) {
	int max = offset + count;
	char v[] = value;

	if (fromIndex < 0) {
	    fromIndex = 0;
	} else if (fromIndex >= count) {
	    // Note: fromIndex might be near -1>>>1.
	    return -1;
	}
	for (int i = offset + fromIndex ; i < max ; i++) {
	    if (v[i] == ch) {
		return i - offset;
	    }
	}
	return -1;
    }

    /**
     * Returns the index within this string of the last occurrence of the
     * specified character. That is, the index returned is the largest
     * value k such that:
     * 
         * this.charAt(k) == ch
     * 
    
     * is true.
     * The String is searched backwards starting at the last character.
     *
     * @param   ch   a character.
     * @return  the index of the last occurrence of the character in the
     *          character sequence represented by this object, or
     *          -1 if the character does not occur.
     */
    public int lastIndexOf(int ch) {
	return lastIndexOf(ch, count - 1);
    }

    /**
     * Returns the index within this string of the last occurrence of the
     * specified character, searching backward starting at the specified
     * index. That is, the index returned is the largest value k
     * such that:
     * 
         * this.charAt(k) == ch) && (k <= fromIndex)
     * 
    
     * is true.
     *
     * @param   ch          a character.
     * @param   fromIndex   the index to start the search from. There is no
     *          restriction on the value of fromIndex. If it is
     *          greater than or equal to the length of this string, it has
     *          the same effect as if it were equal to one less than the
     *          length of this string: this entire string may be searched.
     *          If it is negative, it has the same effect as if it were -1:
     *          -1 is returned.
     * @return  the index of the last occurrence of the character in the
     *          character sequence represented by this object that is less
     *          than or equal to fromIndex, or -1
     *          if the character does not occur before that point.
     */
    public int lastIndexOf(int ch, int fromIndex) {
	int min = offset;
	char v[] = value;

	for (int i = offset + ((fromIndex >= count) ? count - 1 : fromIndex) ; i >= min ; i--) {
	    if (v[i] == ch) {
		return i - offset;
	    }
	}
	return -1;
    }

    /**
     * Returns the index within this string of the first occurrence of the
     * specified substring. The integer returned is the smallest value
     * k such that:
     * 
         * this.startsWith(str, k)
     * 
    
     * is true.
     *
     * @param   str   any string.
     * @return  if the string argument occurs as a substring within this
     *          object, then the index of the first character of the first
     *          such substring is returned; if it does not occur as a
     *          substring, -1 is returned.
     */
    public int indexOf(String str) {
	return indexOf(str, 0);
    }

    /**
     * Returns the index within this string of the first occurrence of the
     * specified substring, starting at the specified index.  The integer
     * returned is the smallest value k for which:
     * 
         *     k >= Math.min(fromIndex, str.length()) && this.startsWith(str, k)
     * 
    
     * If no such value of k exists, then -1 is returned.
     *
     * @param   str         the substring for which to search.
     * @param   fromIndex   the index from which to start the search.
     * @return  the index within this string of the first occurrence of the
     *          specified substring, starting at the specified index.
     */
    public int indexOf(String str, int fromIndex) {
        return indexOf(value, offset, count,
                       str.value, str.offset, str.count, fromIndex);
    }

    /**
     * Code shared by String and StringBuffer to do searches. The
     * source is the character array being searched, and the target
     * is the string being searched for.
     *
     * @param   source       the characters being searched.
     * @param   sourceOffset offset of the source string.
     * @param   sourceCount  count of the source string.
     * @param   target       the characters being searched for.
     * @param   targetOffset offset of the target string.
     * @param   targetCount  count of the target string.
     * @param   fromIndex    the index to begin searching from.
     */
    static int indexOf(char[] source, int sourceOffset, int sourceCount,
                       char[] target, int targetOffset, int targetCount,
                       int fromIndex) {
	if (fromIndex >= sourceCount) {
            return (targetCount == 0 ? sourceCount : -1);
	}
    	if (fromIndex < 0) {
    	    fromIndex = 0;
    	}
	if (targetCount == 0) {
	    return fromIndex;
	}

        char first  = target[targetOffset];
        int i = sourceOffset + fromIndex;
        int max = sourceOffset + (sourceCount - targetCount);

    startSearchForFirstChar:
        while (true) {
	    /* Look for first character. */
	    while (i <= max && source[i] != first) {
		i++;
	    }
	    if (i > max) {
		return -1;
	    }

	    /* Found first character, now look at the rest of v2 */
	    int j = i + 1;
	    int end = j + targetCount - 1;
	    int k = targetOffset + 1;
	    while (j < end) {
		if (source[j++] != target[k++]) {
		    i++;
		    /* Look for str's first char again. */
		    continue startSearchForFirstChar;
		}
	    }
	    return i - sourceOffset;	/* Found whole string. */
        }
    }

    /**
     * Returns the index within this string of the rightmost occurrence
     * of the specified substring.  The rightmost empty string "" is
     * considered to occur at the index value this.length().
     * The returned index is the largest value k such that
     * 
         * this.startsWith(str, k)
     * 
    
     * is true.
     *
     * @param   str   the substring to search for.
     * @return  if the string argument occurs one or more times as a substring
     *          within this object, then the index of the first character of
     *          the last such substring is returned. If it does not occur as
     *          a substring, -1 is returned.
     */
    public int lastIndexOf(String str) {
	return lastIndexOf(str, count);
    }

    /**
     * Returns the index within this string of the last occurrence of the
     * specified substring, searching backward starting at the specified index.
     * The integer returned is the largest value k such that:
     * 
         *     k <= Math.min(fromIndex, str.length()) && this.startsWith(str, k)
     * 
    
     * If no such value of k exists, then -1 is returned.
     * 
     * @param   str         the substring to search for.
     * @param   fromIndex   the index to start the search from.
     * @return  the index within this string of the last occurrence of the
     *          specified substring.
     */
    public int lastIndexOf(String str, int fromIndex) {
        return lastIndexOf(value, offset, count,
                           str.value, str.offset, str.count, fromIndex);
    }

    /**
     * Code shared by String and StringBuffer to do searches. The
     * source is the character array being searched, and the target
     * is the string being searched for.
     *
     * @param   source       the characters being searched.
     * @param   sourceOffset offset of the source string.
     * @param   sourceCount  count of the source string.
     * @param   target       the characters being searched for.
     * @param   targetOffset offset of the target string.
     * @param   targetCount  count of the target string.
     * @param   fromIndex    the index to begin searching from.
     */
    static int lastIndexOf(char[] source, int sourceOffset, int sourceCount,
                           char[] target, int targetOffset, int targetCount,
                           int fromIndex) {
        /*
	 * Check arguments; return immediately where possible. For
	 * consistency, don't check for null str.
	 */
        int rightIndex = sourceCount - targetCount;
	if (fromIndex < 0) {
	    return -1;
	}
	if (fromIndex > rightIndex) {
	    fromIndex = rightIndex;
	}
	/* Empty string always matches. */
	if (targetCount == 0) {
	    return fromIndex;
	}

        int strLastIndex = targetOffset + targetCount - 1;
	char strLastChar = target[strLastIndex];
	int min = sourceOffset + targetCount - 1;
	int i = min + fromIndex;

    startSearchForLastChar:
	while (true) {
	    while (i >= min && source[i] != strLastChar) {
		i--;
	    }
	    if (i < min) {
		return -1;
	    }
	    int j = i - 1;
	    int start = j - (targetCount - 1);
	    int k = strLastIndex - 1;

	    while (j > start) {
	        if (source[j--] != target[k--]) {
		    i--;
		    continue startSearchForLastChar;
		}
	    }
	    return start - sourceOffset + 1;
	}
    }

    /**
     * Returns a new string that is a substring of this string. The
     * substring begins with the character at the specified index and
     * extends to the end of this string. 
    
     * Examples:
     * 
         * "unhappy".substring(2) returns "happy"
     * "Harbison".substring(3) returns "bison"
     * "emptiness".substring(9) returns "" (an empty string)
     * 
    
     *
     * @param      beginIndex   the beginning index, inclusive.
     * @return     the specified substring.
     * @exception  IndexOutOfBoundsException  if
     *             beginIndex is negative or larger than the
     *             length of this String object.
     */
    public String substring(int beginIndex) {
	return substring(beginIndex, count);
    }

    /**
     * Returns a new string that is a substring of this string. The
     * substring begins at the specified beginIndex and
     * extends to the character at index endIndex - 1.
     * Thus the length of the substring is endIndex-beginIndex.
     * 
    
     * Examples:
     * 
         * "hamburger".substring(4, 8) returns "urge"
     * "smiles".substring(1, 5) returns "mile"
     * 
    
     *
     * @param      beginIndex   the beginning index, inclusive.
     * @param      endIndex     the ending index, exclusive.
     * @return     the specified substring.
     * @exception  IndexOutOfBoundsException  if the
     *             beginIndex is negative, or
     *             endIndex is larger than the length of
     *             this String object, or
     *             beginIndex is larger than
     *             endIndex.
     */
    public String substring(int beginIndex, int endIndex) {
	if (beginIndex < 0) {
	    throw new StringIndexOutOfBoundsException(beginIndex);
	}
	if (endIndex > count) {
	    throw new StringIndexOutOfBoundsException(endIndex);
	}
	if (beginIndex > endIndex) {
	    throw new StringIndexOutOfBoundsException(endIndex - beginIndex);
	}
	return ((beginIndex == 0) && (endIndex == count)) ? this :
	    new String(offset + beginIndex, endIndex - beginIndex, value);
    }

    /**
     * Returns a new character sequence that is a subsequence of this sequence.
     *
     * 
     An invocation of this method of the form
     *
     * 
         * str.subSequence(begin, end)
    
     *
     * behaves in exactly the same way as the invocation
     *
     * 
         * str.substring(begin, end)
    
     *
     * This method is defined so that the String class can implement
     * the {@link CharSequence} interface. 
    
     *
     * @param      beginIndex   the begin index, inclusive.
     * @param      endIndex     the end index, exclusive.
     * @return     the specified subsequence.
     *
     * @throws  IndexOutOfBoundsException
     *          if beginIndex or endIndex are negative,
     *          if endIndex is greater than length(),
     *          or if beginIndex is greater than startIndex
     *
     * @since 1.4
     * @spec JSR-51
     */
    public CharSequence subSequence(int beginIndex, int endIndex) {
        return this.substring(beginIndex, endIndex);
    }

    /**
     * Concatenates the specified string to the end of this string.
     * 
    
     * If the length of the argument string is 0, then this
     * String object is returned. Otherwise, a new
     * String object is created, representing a character
     * sequence that is the concatenation of the character sequence
     * represented by this String object and the character
     * sequence represented by the argument string.
    
     * Examples:
     * 
         * "cares".concat("s") returns "caress"
     * "to".concat("get").concat("her") returns "together"
     * 
    
     *
     * @param   str   the String that is concatenated to the end
     *                of this String.
     * @return  a string that represents the concatenation of this object's
     *          characters followed by the string argument's characters.
     */
    public String concat(String str) {
	int otherLen = str.length();
	if (otherLen == 0) {
	    return this;
	}
	char buf[] = new char[count + otherLen];
	getChars(0, count, buf, 0);
	str.getChars(0, otherLen, buf, count);
	return new String(0, count + otherLen, buf);
    }

    /**
     * Returns a new string resulting from replacing all occurrences of
     * oldChar in this string with newChar.
     * 
    
     * If the character oldChar does not occur in the
     * character sequence represented by this String object,
     * then a reference to this String object is returned.
     * Otherwise, a new String object is created that
     * represents a character sequence identical to the character sequence
     * represented by this String object, except that every
     * occurrence of oldChar is replaced by an occurrence
     * of newChar.
     * 
    
     * Examples:
     * 
         * "mesquite in your cellar".replace('e', 'o')
     *         returns "mosquito in your collar"
     * "the war of baronets".replace('r', 'y')
     *         returns "the way of bayonets"
     * "sparring with a purple porpoise".replace('p', 't')
     *         returns "starring with a turtle tortoise"
     * "JonL".replace('q', 'x') returns "JonL" (no change)
     * 
    
     *
     * @param   oldChar   the old character.
     * @param   newChar   the new character.
     * @return  a string derived from this string by replacing every
     *          occurrence of oldChar with newChar.
     */
    public String replace(char oldChar, char newChar) {
	if (oldChar != newChar) {
	    int len = count;
	    int i = -1;
	    char[] val = value; /* avoid getfield opcode */
	    int off = offset;   /* avoid getfield opcode */

	    while (++i < len) {
		if (val[off + i] == oldChar) {
		    break;
		}
	    }
	    if (i < len) {
		char buf[] = new char[len];
		for (int j = 0 ; j < i ; j++) {
		    buf[j] = val[off+j];
		}
		while (i < len) {
		    char c = val[off + i];
		    buf[i] = (c == oldChar) ? newChar : c;
		    i++;
		}
		return new String(0, len, buf);
	    }
	}
	return this;
    }

    /**
     * Tells whether or not this string matches the given regular expression.
     *
     * 
     An invocation of this method of the form
     * str.matches(regex) yields exactly the
     * same result as the expression
     *
     * 
     {@link java.util.regex.Pattern}.{@link
     * java.util.regex.Pattern#matches(String,CharSequence)
     * matches}(regex, str)
    
     *
     * @param   regex
     *          the regular expression to which this string is to be matched
     *
     * @return  true if, and only if, this string matches the
     *          given regular expression
     *
     * @throws  PatternSyntaxException
     *          if the regular expression's syntax is invalid
     *
     * @see java.util.regex.Pattern
     *
     * @since 1.4
     * @spec JSR-51
     */
    public boolean matches(String regex) {
        return Pattern.matches(regex, this);
    }

    /**
     * Replaces the first substring of this string that matches the given regular expression with the
     * given replacement.
     *
     * 
     An invocation of this method of the form
     * str.replaceFirst(regex, repl)
     * yields exactly the same result as the expression
     *
     * 
    
     * {@link java.util.regex.Pattern}.{@link java.util.regex.Pattern#compile
     * compile}(regex).{@link
     * java.util.regex.Pattern#matcher(java.lang.CharSequence)
     * matcher}(str).{@link java.util.regex.Matcher#replaceFirst
     * replaceFirst}(repl)
    
     *
     * @param   regex
     *          the regular expression to which this string is to be matched
     *
     * @return  The resulting String
     *
     * @throws  PatternSyntaxException
     *          if the regular expression's syntax is invalid
     *
     * @see java.util.regex.Pattern
     *
     * @since 1.4
     * @spec JSR-51
     */
    public String replaceFirst(String regex, String replacement) {
	return Pattern.compile(regex).matcher(this).replaceFirst(replacement);
    }

    /**
     * Replaces each substring of this string that matches the given regular expression with the
     * given replacement.
     *
     * 
     An invocation of this method of the form
     * str.replaceAll(regex, repl)
     * yields exactly the same result as the expression
     *
     * 
    
     * {@link java.util.regex.Pattern}.{@link java.util.regex.Pattern#compile
     * compile}(regex).{@link
     * java.util.regex.Pattern#matcher(java.lang.CharSequence)
     * matcher}(str).{@link java.util.regex.Matcher#replaceAll
     * replaceAll}(repl)
    
     *
     * @param   regex
     *          the regular expression to which this string is to be matched
     *
     * @return  The resulting String
     *
     * @throws  PatternSyntaxException
     *          if the regular expression's syntax is invalid
     *
     * @see java.util.regex.Pattern
     *
     * @since 1.4
     * @spec JSR-51
     */
    public String replaceAll(String regex, String replacement) {
	return Pattern.compile(regex).matcher(this).replaceAll(replacement);
    }

    /**
     * Splits this string around matches of the given regular expression.
     *
     * 
     The array returned by this method contains each substring of this
     * string that is terminated by another substring that matches the given
     * expression or is terminated by the end of the string.  The substrings in
     * the array are in the order in which they occur in this string.  If the
     * expression does not match any part of the input then the resulting array
     * has just one element, namely this string.
     *
     * 
     The limit parameter controls the number of times the
     * pattern is applied and therefore affects the length of the resulting
     * array.  If the limit n is greater than zero then the pattern
     * will be applied at most n - 1 times, the array's
     * length will be no greater than n, and the array's last entry
     * will contain all input beyond the last matched delimiter.  If n
     * is non-positive then the pattern will be applied as many times as
     * possible and the array can have any length.  If n is zero then
     * the pattern will be applied as many times as possible, the array can
     * have any length, and trailing empty strings will be discarded.
     *
     * 
     The string "boo:and:foo", for example, yields the
     * following results with these parameters:
     *
     * 
    
     * 
     *     
     *     
     *     
     * 
     * 
     *     
     *     
     * 
     *     
     *     
     * 
     *     
     *     
     * 
     *     
     *     
     * 
     *     
     *     
     * 
     *     
     *     
     * 
    RegexLimitResult
    :2{ "boo", "and:foo" }
    :5{ "boo", "and", "foo" }
    :-2{ "boo", "and", "foo" }
    o5{ "b", "", ":and:f", "", "" }
    o-2{ "b", "", ":and:f", "", "" }
    o0{ "b", "", ":and:f" }
    
     *
     * 
     An invocation of this method of the form
     * str.split(regex, n)
     * yields the same result as the expression
     *
     * 
    
     * {@link java.util.regex.Pattern}.{@link java.util.regex.Pattern#compile
     * compile}(regex).{@link
     * java.util.regex.Pattern#split(java.lang.CharSequence,int)
     * split}(str, n)
     * 
    
     *
     *
     * @param  regex
     *         the delimiting regular expression
     *
     * @param  limit
     *         the result threshold, as described above
     *
     * @return  the array of strings computed by splitting this string
     *          around matches of the given regular expression
     *
     * @throws  PatternSyntaxException
     *          if the regular expression's syntax is invalid
     *
     * @see java.util.regex.Pattern
     *
     * @since 1.4
     * @spec JSR-51
     */
    public String[] split(String regex, int limit) {
	return Pattern.compile(regex).split(this, limit);
    }

    /**
     * Splits this string around matches of the given regular expression.
     *
     * 
     This method works as if by invoking the two-argument {@link
     * #split(String, int) split} method with the given expression and a limit
     * argument of zero.  Trailing empty strings are therefore not included in
     * the resulting array.
     *
     * 
     The string "boo:and:foo", for example, yields the following
     * results with these expressions:
     *
     * 
    
     * 
     *  
     *  
     * 
     * 
     *     
     * 
     *     
     * 
    RegexResult
    :{ "boo", "and", "foo" }
    o{ "b", "", ":and:f" }
    
     *
     *
     * @param  regex
     *         the delimiting regular expression
     *
     * @return  the array of strings computed by splitting this string
     *          around matches of the given regular expression
     *
     * @throws  PatternSyntaxException
     *          if the regular expression's syntax is invalid
     *
     * @see java.util.regex.Pattern
     *
     * @since 1.4
     * @spec JSR-51
     */
    public String[] split(String regex) {
        return split(regex, 0);
    }

    /**
     * Converts all of the characters in this String to lower
     * case using the rules of the given Locale.  Case mappings rely
     * heavily on the Unicode specification's character data. Since case
     * mappings are not always 1:1 char mappings, the resulting String
     * may be a different length than the original String.
     * 
    
     * Examples of lowercase  mappings are in the following table:
     * 
     * 
     *   
     *   
     *   
     *   
     * 
     * 
     *   
     *   
     *   
     *   
     * 
     * 
     *   
     *   
     *   
     *   
     * 
     * 
     *   
     *   
     *   
     *   
     * 
     * 
     *   
     *   
     *   
     *   
     * 
     * 
    Language Code of LocaleUpper CaseLower CaseDescription
    tr (Turkish)\u0130\u0069capital letter I with dot above -> small letter i
    tr (Turkish)\u0049\u0131capital letter I -> small letter dotless i 
    (all)French Friesfrench frieslowercased all chars in String
    (all)capiotacapchi
     *       capthetacapupsil
     *       capsigmaiotachi
     *       thetaupsilon
     *       sigmalowercased all chars in String
    
     *
     * @param locale use the case transformation rules for this locale
     * @return the String, converted to lowercase.
     * @see     java.lang.String#toLowerCase()
     * @see     java.lang.String#toUpperCase()
     * @see     java.lang.String#toUpperCase(Locale)
     * @since   1.1
     */
    /*KML
    public String toLowerCase(Locale locale) {
	if (locale == null)
	    throw new NullPointerException();
	
        int     len        = count;
        int     off        = offset;
        char[]  val        = value;
        int     firstUpper;

	/* Now check if there are any characters that need to be changed. *KML/
	scan: {
	    for (firstUpper = 0 ; firstUpper < len ; firstUpper++) {
		char c = value[off+firstUpper];
		if (c != Character.toLowerCase(c)) {break scan;}
	    }
	    return this;
	}

        char[]  result = new char[count];

        /* Just copy the first few lowerCase characters. *KML/
        System.arraycopy(val, off, result, 0, firstUpper);

        if (locale.getLanguage().equals("tr")) {
            // special loop for Turkey
            for (int i = firstUpper; i < len; ++i) {
                char ch = val[off+i];
                if (ch == 'I') {
                    result[i] = '\u0131'; // dotless small i
                    continue;
                }
                if (ch == '\u0130') {       // dotted I
                    result[i] = 'i';      // dotted i
                    continue;
                }
                result[i] = Character.toLowerCase(ch);
            }
        } else {
            // normal, fast loop
            for (int i = firstUpper; i < len; ++i) {
                result[i] = Character.toLowerCase(val[off+i]);
            }
        }
        return new String(0, result.length, result);
    }
    KML*/

    /**
     * Converts all of the characters in this String to lower
     * case using the rules of the default locale. This is equivalent to calling
     * toLowerCase(Locale.getDefault()).
     * 
    
     * @return  the String, converted to lowercase.
     * @see     java.lang.String#toLowerCase(Locale)
     */
    public String toLowerCase() {
        return toLowerCase(Locale.getDefault());
    }

    /**
     * Converts all of the characters in this String to upper
     * case using the rules of the given Locale. Case mappings rely
     * heavily on the Unicode specification's character data. Since case mappings
     * are not always 1:1 char mappings, the resulting String may
     * be a different length than the original String.
     * 
    
     * Examples of locale-sensitive and 1:M case mappings are in the following table.
     * 
    
     * 
     * 
     *   
     *   
     *   
     *   
     * 
     * 
     *   
     *   
     *   
     *   
     * 
     * 
     *   
     *   
     *   
     *   
     * 
     * 
     *   
     *   
     *   
     *   
     * 
     * 
     *   
     *   
     *   
     *   
     * 
     * 
    Language Code of LocaleLower CaseUpper CaseDescription
    tr (Turkish)\u0069\u0130small letter i -> capital letter I with dot above
    tr (Turkish)\u0131\u0049small letter dotless i -> capital letter I
    (all)\u00df\u0053 \u0053small letter sharp s -> two letters: SS
    (all)FahrvergnügenFAHRVERGNÜGEN
    
     * @param locale use the case transformation rules for this locale
     * @return the String, converted to uppercase.
     * @see     java.lang.String#toUpperCase()
     * @see     java.lang.String#toLowerCase()
     * @see     java.lang.String#toLowerCase(Locale)
     * @since   1.1
     */
    /*KML
    public String toUpperCase(Locale locale) {
        int     len        = count;
        int     off        = offset;
        char[]  val        = value;
        int     firstLower;

        /* Now check if there are any characters that need changing. *KML/
        scan: {
            char upperCaseChar;
            char c;
            for (firstLower = 0 ; firstLower < len ; firstLower++) {
                c = value[off+firstLower];
                upperCaseChar = Character.toUpperCaseEx(c);
                if (upperCaseChar == Character.CHAR_ERROR || c != upperCaseChar) {
                    break scan;
                }
            }
            return this;
        }

        char[]  result       = new char[len]; /* might grow! *KML/
	int     resultOffset = 0;  /* result grows, so i+resultOffset
				    * is the write location in result *KML/

	/* Just copy the first few upperCase characters. *KML/
	System.arraycopy(val, off, result, 0, firstLower);

        if (locale.getLanguage().equals("tr")) {
            // special loop for Turkey
            char[] upperCharArray;
            char upperChar;
            char ch;

            for (int i = firstLower; i < len; ++i) {
                ch = val[off+i];
                if (ch == 'i') {
                    result[i+resultOffset] = '\u0130';  // dotted cap i
                    continue;
                }
                if (ch == '\u0131') {                   // dotless i
                    result[i+resultOffset] = 'I';       // cap I
                    continue;
                }
                upperChar = Character.toUpperCaseEx(ch);
                if (upperChar == Character.CHAR_ERROR) {
                    upperCharArray = Character.toUpperCaseCharArray(ch);
                    /* Grow result. *KML/
                    int mapLen = upperCharArray.length;
                    char[] result2 = new char[result.length + mapLen - 1];
                    System.arraycopy(result, 0, result2, 0,
                        i + 1 + resultOffset);
                    for (int x=0; xString to upper
     * case using the rules of the default locale. This method is equivalent to
     * toUpperCase(Locale.getDefault()).
     * 
    
     * @return  the String, converted to uppercase.
     * @see     java.lang.String#toUpperCase(Locale)
     */
    public String toUpperCase() {
        return toUpperCase(Locale.getDefault());
    }

    /**
     * Returns a copy of the string, with leading and trailing whitespace
     * omitted.
     * 
    
     * If this String object represents an empty character
     * sequence, or the first and last characters of character sequence
     * represented by this String object both have codes
     * greater than '\u0020' (the space character), then a
     * reference to this String object is returned.
     * 
    
     * Otherwise, if there is no character with a code greater than
     * '\u0020' in the string, then a new
     * String object representing an empty string is created
     * and returned.
     * 
    
     * Otherwise, let k be the index of the first character in the
     * string whose code is greater than '\u0020', and let
     * m be the index of the last character in the string whose code
     * is greater than '\u0020'. A new String
     * object is created, representing the substring of this string that
     * begins with the character at index k and ends with the
     * character at index m-that is, the result of
     * this.substring(km+1).
     * 
    
     * This method may be used to trim
     * {@link Character#isSpace(char) whitespace} from the beginning and end
     * of a string; in fact, it trims all ASCII control characters as well.
     *
     * @return  A copy of this string with leading and trailing white
     *          space removed, or this string if it has no leading or
     *          trailing white space.
     */
    public String trim() {
	int len = count;
	int st = 0;
	int off = offset;      /* avoid getfield opcode */
	char[] val = value;    /* avoid getfield opcode */

	while ((st < len) && (val[off + st] <= ' ')) {
	    st++;
	}
	while ((st < len) && (val[off + len - 1] <= ' ')) {
	    len--;
	}
	return ((st > 0) || (len < count)) ? substring(st, len) : this;
    }

    /**
     * This object (which is already a string!) is itself returned.
     *
     * @return  the string itself.
     */
    public String toString() {
	return this;
    }

    /**
     * Converts this string to a new character array.
     *
     * @return  a newly allocated character array whose length is the length
     *          of this string and whose contents are initialized to contain
     *          the character sequence represented by this string.
     */
    public char[] toCharArray() {
	char result[] = new char[count];
	getChars(0, count, result, 0);
	return result;
    }

    /**
     * Returns the string representation of the Object argument.
     *
     * @param   obj   an Object.
     * @return  if the argument is null, then a string equal to
     *          "null"; otherwise, the value of
     *          obj.toString() is returned.
     * @see     java.lang.Object#toString()
     */
    public static String valueOf(Object obj) {
	return (obj == null) ? "null" : obj.toString();
    }

    /**
     * Returns the string representation of the char array
     * argument. The contents of the character array are copied; subsequent
     * modification of the character array does not affect the newly
     * created string.
     *
     * @param   data   a char array.
     * @return  a newly allocated string representing the same sequence of
     *          characters contained in the character array argument.
     */
    public static String valueOf(char data[]) {
	return new String(data);
    }

    /**
     * Returns the string representation of a specific subarray of the
     * char array argument.
     * 
    
     * The offset argument is the index of the first
     * character of the subarray. The count argument
     * specifies the length of the subarray. The contents of the subarray
     * are copied; subsequent modification of the character array does not
     * affect the newly created string.
     *
     * @param   data     the character array.
     * @param   offset   the initial offset into the value of the
     *                  String.
     * @param   count    the length of the value of the String.
     * @return  a string representing the sequence of characters contained 
     *          in the subarray of the character array argument.
     * @exception IndexOutOfBoundsException if offset is
     *          negative, or count is negative, or
     *          offset+count is larger than
     *          data.length.
     */
    public static String valueOf(char data[], int offset, int count) {
	return new String(data, offset, count);
    }

    /**
     * Returns a String that represents the character sequence in the
     * array specified.
     *
     * @param   data     the character array.
     * @param   offset   initial offset of the subarray.
     * @param   count    length of the subarray.
     * @return  a String that contains the characters of the
     *          specified subarray of the character array.
     */
    public static String copyValueOf(char data[], int offset, int count) {
	// All public String constructors now copy the data.
	return new String(data, offset, count);
    }

    /**
     * Returns a String that represents the character sequence in the
     * array specified.
     *
     * @param   data   the character array.
     * @return  a String that contains the characters of the
     *          character array.
     */
    public static String copyValueOf(char data[]) {
	return copyValueOf(data, 0, data.length);
    }

    /**
     * Returns the string representation of the boolean argument.
     *
     * @param   b   a boolean.
     * @return  if the argument is true, a string equal to
     *          "true" is returned; otherwise, a string equal to
     *          "false" is returned.
     */
    public static String valueOf(boolean b) {
	return b ? "true" : "false";
    }

    /**
     * Returns the string representation of the char
     * argument.
     *
     * @param   c   a char.
     * @return  a string of length 1 containing
     *          as its single character the argument c.
     */
    public static String valueOf(char c) {
	char data[] = {c};
	return new String(0, 1, data);
    }

    /**
     * Returns the string representation of the int argument.
     * 
    
     * The representation is exactly the one returned by the
     * Integer.toString method of one argument.
     *
     * @param   i   an int.
     * @return  a string representation of the int argument.
     * @see     java.lang.Integer#toString(int, int)
     */
    public static String valueOf(int i) {
        return Integer.toString(i, 10);
    }

    /**
     * Returns the string representation of the long argument.
     * 
    
     * The representation is exactly the one returned by the
     * Long.toString method of one argument.
     *
     * @param   l   a long.
     * @return  a string representation of the long argument.
     * @see     java.lang.Long#toString(long)
     */
    public static String valueOf(long l) {
        return Long.toString(l, 10);
    }

    /**
     * Returns the string representation of the float argument.
     * 
    
     * The representation is exactly the one returned by the
     * Float.toString method of one argument.
     *
     * @param   f   a float.
     * @return  a string representation of the float argument.
     * @see     java.lang.Float#toString(float)
     */
    public static String valueOf(float f) {
	return Float.toString(f);
    }

    /**
     * Returns the string representation of the double argument.
     * 
    
     * The representation is exactly the one returned by the
     * Double.toString method of one argument.
     *
     * @param   d   a double.
     * @return  a  string representation of the double argument.
     * @see     java.lang.Double#toString(double)
     */
    public static String valueOf(double d) {
	return Double.toString(d);
    }

    /**
     * Returns a canonical representation for the string object.
     * 
    
     * A pool of strings, initially empty, is maintained privately by the
     * class String.
     * 
    
     * When the intern method is invoked, if the pool already contains a
     * string equal to this String object as determined by
     * the {@link #equals(Object)} method, then the string from the pool is
     * returned. Otherwise, this String object is added to the
     * pool and a reference to this String object is returned.
     * 
    
     * It follows that for any two strings s and t,
     * s.intern() == t.intern() is true
     * if and only if s.equals(t) is true.
     * 
    
     * All literal strings and string-valued constant expressions are
     * interned. String literals are defined in §3.10.5 of the
     * Java Language
     * Specification
     *
     * @return  a string that has the same contents as this string, but is
     *          guaranteed to be from a pool of unique strings.
     */
    public native String intern();

}
why-2.39/lib/java_api/java/lang/RuntimeException.java0000644000106100004300000000556713147234006021575 0ustar  marchevals/*
 * @(#)RuntimeException.java	1.12 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.lang;

/**
 * RuntimeException is the superclass of those 
 * exceptions that can be thrown during the normal operation of the 
 * Java Virtual Machine. 
 * 
    
 * A method is not required to declare in its throws 
 * clause any subclasses of RuntimeException that might 
 * be thrown during the execution of the method but not caught. 
 *
 *
 * @author  Frank Yellin
 * @version 1.12, 01/23/03
 * @since   JDK1.0
 */
public class RuntimeException extends Exception {
    static final long serialVersionUID = -7034897190745766939L;

    /** Constructs a new runtime exception with null as its
     * detail message.  The cause is not initialized, and may subsequently be
     * initialized by a call to {@link #initCause}.
     */
    public RuntimeException() {
	super();
    }

    /** Constructs a new runtime exception with the specified detail message.
     * The cause is not initialized, and may subsequently be initialized by a
     * call to {@link #initCause}.
     *
     * @param   message   the detail message. The detail message is saved for 
     *          later retrieval by the {@link #getMessage()} method.
     */
    public RuntimeException(String message) {
	super(message);
    }

    /**
     * Constructs a new runtime exception with the specified detail message and
     * cause.  
    Note that the detail message associated with
     * cause is not automatically incorporated in
     * this runtime exception's detail message.
     *
     * @param  message the detail message (which is saved for later retrieval
     *         by the {@link #getMessage()} method).
     * @param  cause the cause (which is saved for later retrieval by the
     *         {@link #getCause()} method).  (A null value is
     *         permitted, and indicates that the cause is nonexistent or
     *         unknown.)
     * @since  1.4
     */
    public RuntimeException(String message, Throwable cause) {
        super(message, cause);
    }

    /** Constructs a new runtime exception with the specified cause and a
     * detail message of (cause==null ? null : cause.toString())
     * (which typically contains the class and detail message of
     * cause).  This constructor is useful for runtime exceptions
     * that are little more than wrappers for other throwables.
     *
     * @param  cause the cause (which is saved for later retrieval by the
     *         {@link #getCause()} method).  (A null value is
     *         permitted, and indicates that the cause is nonexistent or
     *         unknown.)
     * @since  1.4
     */
    public RuntimeException(Throwable cause) {
        super(cause);
    }
}
why-2.39/lib/java_api/java/lang/Throwable.java0000644000106100004300000006455113147234006020220 0ustar  marchevals/*
 * @(#)Throwable.java	1.51 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.lang;
import  java.io.*;

/**
 * The Throwable class is the superclass of all errors and
 * exceptions in the Java language. Only objects that are instances of this
 * class (or one of its subclasses) are thrown by the Java Virtual Machine or
 * can be thrown by the Java throw statement. Similarly, only
 * this class or one of its subclasses can be the argument type in a
 * catch clause.
 * 
 * 
    Instances of two subclasses, {@link java.lang.Error} and 
 * {@link java.lang.Exception}, are conventionally used to indicate 
 * that exceptional situations have occurred. Typically, these instances 
 * are freshly created in the context of the exceptional situation so 
 * as to include relevant information (such as stack trace data).
 * 
 * 
    A throwable contains a snapshot of the execution stack of its thread at
 * the time it was created. It can also contain a message string that gives
 * more information about the error. Finally, it can contain a cause:
 * another throwable that caused this throwable to get thrown.  The cause
 * facility is new in release 1.4.  It is also known as the chained
 * exception facility, as the cause can, itself, have a cause, and so on,
 * leading to a "chain" of exceptions, each caused by another.
 *
 * 
    One reason that a throwable may have a cause is that the class that
 * throws it is built atop a lower layered abstraction, and an operation on
 * the upper layer fails due to a failure in the lower layer.  It would be bad
 * design to let the throwable thrown by the lower layer propagate outward, as
 * it is generally unrelated to the abstraction provided by the upper layer.
 * Further, doing so would tie the API of the upper layer to the details of
 * its implementation, assuming the lower layer's exception was a checked
 * exception.  Throwing a "wrapped exception" (i.e., an exception containing a
 * cause) allows the upper layer to communicate the details of the failure to
 * its caller without incurring either of these shortcomings.  It preserves
 * the flexibility to change the implementation of the upper layer without
 * changing its API (in particular, the set of exceptions thrown by its
 * methods).
 *
 * 
    A second reason that a throwable may have a cause is that the method
 * that throws it must conform to a general-purpose interface that does not
 * permit the method to throw the cause directly.  For example, suppose
 * a persistent collection conforms to the {@link java.util.Collection
 * Collection} interface, and that its persistence is implemented atop
 * java.io.  Suppose the internals of the put method 
 * can throw an {@link java.io.IOException IOException}.  The implementation
 * can communicate the details of the IOException to its caller
 * while conforming to the Collection interface by wrapping the
 * IOException in an appropriate unchecked exception.  (The
 * specification for the persistent collection should indicate that it is
 * capable of throwing such exceptions.)
 *
 * 
    A cause can be associated with a throwable in two ways: via a
 * constructor that takes the cause as an argument, or via the
 * {@link #initCause(Throwable)} method.  New throwable classes that
 * wish to allow causes to be associated with them should provide constructors
 * that take a cause and delegate (perhaps indirectly) to one of the
 * Throwable constructors that takes a cause.  For example:
 * 
     *     try {
 *         lowLevelOp();
 *     } catch (LowLevelException le) {
 *         throw new HighLevelException(le);  // Chaining-aware constructor
 *     }
 * 
    
 * Because the initCause method is public, it allows a cause to be
 * associated with any throwable, even a "legacy throwable" whose
 * implementation predates the addition of the exception chaining mechanism to
 * Throwable. For example:
 * 
     *     try {
 *         lowLevelOp();
 *     } catch (LowLevelException le) {
 *         throw (HighLevelException)
                 new HighLevelException().initCause(le);  // Legacy constructor
 *     }
 * 
    
 *
 * 
    Prior to release 1.4, there were many throwables that had their own
 * non-standard exception chaining mechanisms (
 * {@link ExceptionInInitializerError}, {@link ClassNotFoundException},
 * {@link java.lang.reflect.UndeclaredThrowableException},
 * {@link java.lang.reflect.InvocationTargetException}, 
 * {@link java.io.WriteAbortedException},
 * {@link java.security.PrivilegedActionException},
 * {@link java.awt.print.PrinterIOException} and
 * {@link java.rmi.RemoteException}).
 * As of release 1.4, all of these throwables have been retrofitted to 
 * use the standard exception chaining mechanism, while continuing to
 * implement their "legacy" chaining mechanisms for compatibility.
 *
 * 
    Further, as of release 1.4, many general purpose Throwable
 * classes (for example {@link Exception}, {@link RuntimeException},
 * {@link Error}) have been retrofitted with constructors that take
 * a cause.  This was not strictly necessary, due to the existence of the
 * initCause method, but it is more convenient and expressive to
 * delegate to a constructor that takes a cause.
 * 
 * 
    By convention, class Throwable and its subclasses have two
 * constructors, one that takes no arguments and one that takes a
 * String argument that can be used to produce a detail message.
 * Further, those subclasses that might likely have a cause associated with
 * them should have two more constructors, one that takes a
 * Throwable (the cause), and one that takes a
 * String (the detail message) and a Throwable (the
 * cause).
 *
 * 
    Also introduced in release 1.4 is the {@link #getStackTrace()} method,
 * which allows programmatic access to the stack trace information that was
 * previously available only in text form, via the various forms of the
 * {@link #printStackTrace()} method.  This information has been added to the
 * serialized representation of this class so getStackTrace
 * and printStackTrace will operate properly on a throwable that
 * was obtained by deserialization.
 *
 * @author  unascribed
 * @author  Josh Bloch (Added exception chaining and programmatic access to
 *          stack trace in 1.4.)
 * @version 1.51, 01/23/03
 * @since JDK1.0
 */
public class Throwable implements Serializable {
    /** use serialVersionUID from JDK 1.0.2 for interoperability */
    private static final long serialVersionUID = -3042686055658047285L;

    /**
     * Native code saves some indication of the stack backtrace in this slot.
     */
    private transient Object backtrace; 

    /**
     * Specific details about the Throwable.  For example, for
     * FileNotFoundException, this contains the name of
     * the file that could not be found.
     *
     * @serial
     */
    private String detailMessage;

    /**
     * The throwable that caused this throwable to get thrown, or null if this
     * throwable was not caused by another throwable, or if the causative
     * throwable is unknown.  If this field is equal to this throwable itself,
     * it indicates that the cause of this throwable has not yet been
     * initialized.
     *
     * @serial
     * @since 1.4
     */
    private Throwable cause = this;

    /**
     * The stack trace, as returned by {@link #getStackTrace()}.
     *
     * @serial
     * @since 1.4
     */
    //*KML private StackTraceElement[] stackTrace;
    /*
     * This field is lazily initialized on first use or serialization and
     * nulled out when fillInStackTrace is called.
     */

    /**
     * Constructs a new throwable with null as its detail message.
     * The cause is not initialized, and may subsequently be initialized by a
     * call to {@link #initCause}.
     *
     * 
    The {@link #fillInStackTrace()} method is called to initialize
     * the stack trace data in the newly created throwable.
     */
    public Throwable() {
        fillInStackTrace();
    }

    /**
     * Constructs a new throwable with the specified detail message.  The
     * cause is not initialized, and may subsequently be initialized by
     * a call to {@link #initCause}.
     *
     * 
    The {@link #fillInStackTrace()} method is called to initialize
     * the stack trace data in the newly created throwable.
     *
     * @param   message   the detail message. The detail message is saved for 
     *          later retrieval by the {@link #getMessage()} method.
     */
    public Throwable(String message) {
        fillInStackTrace();
        detailMessage = message;
    }

    /**
     * Constructs a new throwable with the specified detail message and
     * cause.  
    Note that the detail message associated with
     * cause is not automatically incorporated in
     * this throwable's detail message.
     *
     * 
    The {@link #fillInStackTrace()} method is called to initialize
     * the stack trace data in the newly created throwable.
     *
     * @param  message the detail message (which is saved for later retrieval
     *         by the {@link #getMessage()} method).
     * @param  cause the cause (which is saved for later retrieval by the
     *         {@link #getCause()} method).  (A null value is
     *         permitted, and indicates that the cause is nonexistent or
     *         unknown.)
     * @since  1.4
     */
    public Throwable(String message, Throwable cause) {
        fillInStackTrace();
        detailMessage = message;
        this.cause = cause;
    }

    /**
     * Constructs a new throwable with the specified cause and a detail
     * message of (cause==null ? null : cause.toString()) (which
     * typically contains the class and detail message of cause).
     * This constructor is useful for throwables that are little more than
     * wrappers for other throwables (for example, {@link
     * java.security.PrivilegedActionException}).
     *
     * 
    The {@link #fillInStackTrace()} method is called to initialize
     * the stack trace data in the newly created throwable.
     *
     * @param  cause the cause (which is saved for later retrieval by the
     *         {@link #getCause()} method).  (A null value is
     *         permitted, and indicates that the cause is nonexistent or
     *         unknown.)
     * @since  1.4
     */
    public Throwable(Throwable cause) {
        fillInStackTrace();
        detailMessage = (cause==null ? null : cause.toString());
        this.cause = cause;
    }

    /**
     * Returns the detail message string of this throwable.
     *
     * @return  the detail message string of this Throwable instance
     *          (which may be null).
     */
    public String getMessage() {
        return detailMessage;
    }

    /**
     * Creates a localized description of this throwable.
     * Subclasses may override this method in order to produce a
     * locale-specific message.  For subclasses that do not override this
     * method, the default implementation returns the same result as
     * getMessage().
     *
     * @return  The localized description of this throwable.
     * @since   JDK1.1
     */
    public String getLocalizedMessage() {
        return getMessage();
    }

    /**
     * Returns the cause of this throwable or null if the
     * cause is nonexistent or unknown.  (The cause is the throwable that
     * caused this throwable to get thrown.)
     *
     * 
    This implementation returns the cause that was supplied via one of
     * the constructors requiring a Throwable, or that was set after
     * creation with the {@link #initCause(Throwable)} method.  While it is
     * typically unnecessary to override this method, a subclass can override
     * it to return a cause set by some other means.  This is appropriate for
     * a "legacy chained throwable" that predates the addition of chained
     * exceptions to Throwable.  Note that it is not
     * necessary to override any of the PrintStackTrace methods,
     * all of which invoke the getCause method to determine the
     * cause of a throwable.
     *
     * @return  the cause of this throwable or null if the
     *          cause is nonexistent or unknown.
     * @since 1.4
     */
    public Throwable getCause() {
        return (cause==this ? null : cause);
    }

    /**
     * Initializes the cause of this throwable to the specified value.
     * (The cause is the throwable that caused this throwable to get thrown.) 
     *
     * 
    This method can be called at most once.  It is generally called from 
     * within the constructor, or immediately after creating the
     * throwable.  If this throwable was created
     * with {@link #Throwable(Throwable)} or
     * {@link #Throwable(String,Throwable)}, this method cannot be called
     * even once.
     *
     * @param  cause the cause (which is saved for later retrieval by the
     *         {@link #getCause()} method).  (A null value is
     *         permitted, and indicates that the cause is nonexistent or
     *         unknown.)
     * @return  a reference to this Throwable instance.
     * @throws IllegalArgumentException if cause is this
     *         throwable.  (A throwable cannot be its own cause.)
     * @throws IllegalStateException if this throwable was
     *         created with {@link #Throwable(Throwable)} or
     *         {@link #Throwable(String,Throwable)}, or this method has already
     *         been called on this throwable.
     * @since  1.4
     */
    public synchronized Throwable initCause(Throwable cause) {
        if (this.cause != this)
            throw new IllegalStateException("Can't overwrite cause");
        if (cause == this)
            throw new IllegalArgumentException("Self-causation not permitted");
        this.cause = cause;
        return this;
    }

    /**
     * Returns a short description of this throwable.
     * If this Throwable object was created with a non-null detail
     * message string, then the result is the concatenation of three strings: 
     * 
      
     * 
    • The name of the actual class of this object 
     * 
    • ": " (a colon and a space)
     * 
    • The result of the {@link #getMessage} method for this object 
     * 
    
     * If this Throwable object was created with a null
     * detail message string, then the name of the actual class of this object
     * is returned. 
     *
     * @return a string representation of this throwable.
     */
    public String toString() {
        String s = getClass().getName();
        String message = getLocalizedMessage();
        return (message != null) ? (s + ": " + message) : s;
    }

    /**
     * Prints this throwable and its backtrace to the 
     * standard error stream. This method prints a stack trace for this 
     * Throwable object on the error output stream that is 
     * the value of the field System.err. The first line of 
     * output contains the result of the {@link #toString()} method for 
     * this object.  Remaining lines represent data previously recorded by 
     * the method {@link #fillInStackTrace()}. The format of this 
     * information depends on the implementation, but the following 
     * example may be regarded as typical: 
     * 
         * java.lang.NullPointerException
     *         at MyClass.mash(MyClass.java:9)
     *         at MyClass.crunch(MyClass.java:6)
     *         at MyClass.main(MyClass.java:3)
     * 
    
     * This example was produced by running the program: 
     * 
         * class MyClass {
     *     public static void main(String[] args) {
     *         crunch(null);
     *     }
     *     static void crunch(int[] a) {
     *         mash(a);
     *     }
     *     static void mash(int[] b) {
     *         System.out.println(b[0]);
     *     }
     * }
     * 
    
     * The backtrace for a throwable with an initialized, non-null cause
     * should generally include the backtrace for the cause.  The format
     * of this information depends on the implementation, but the following
     * example may be regarded as typical:
     * 
         * HighLevelException: MidLevelException: LowLevelException
     *         at Junk.a(Junk.java:13)
     *         at Junk.main(Junk.java:4)
     * Caused by: MidLevelException: LowLevelException
     *         at Junk.c(Junk.java:23)
     *         at Junk.b(Junk.java:17)
     *         at Junk.a(Junk.java:11)
     *         ... 1 more
     * Caused by: LowLevelException
     *         at Junk.e(Junk.java:30)
     *         at Junk.d(Junk.java:27)
     *         at Junk.c(Junk.java:21)
     *         ... 3 more
     * 
    
     * Note the presence of lines containing the characters "...".
     * These lines indicate that the remainder of the stack trace for this
     * exception matches the indicated number of frames from the bottom of the
     * stack trace of the exception that was caused by this exception (the
     * "enclosing" exception).  This shorthand can greatly reduce the length
     * of the output in the common case where a wrapped exception is thrown
     * from same method as the "causative exception" is caught.  The above
     * example was produced by running the program:
     * 
         * public class Junk {
     *     public static void main(String args[]) { 
     *         try {
     *             a();
     *         } catch(HighLevelException e) {
     *             e.printStackTrace();
     *         }
     *     }
     *     static void a() throws HighLevelException {
     *         try {
     *             b();
     *         } catch(MidLevelException e) {
     *             throw new HighLevelException(e);
     *         }
     *     }
     *     static void b() throws MidLevelException {
     *         c();
     *     }   
     *     static void c() throws MidLevelException {
     *         try {
     *             d();
     *         } catch(LowLevelException e) {
     *             throw new MidLevelException(e);
     *         }
     *     }
     *     static void d() throws LowLevelException { 
     *        e();
     *     }
     *     static void e() throws LowLevelException {
     *         throw new LowLevelException();
     *     }
     * }
     *
     * class HighLevelException extends Exception {
     *     HighLevelException(Throwable cause) { super(cause); }
     * }
     *
     * class MidLevelException extends Exception {
     *     MidLevelException(Throwable cause)  { super(cause); }
     * }
     * 
     * class LowLevelException extends Exception {
     * }
     * 
    
     */
    public void printStackTrace() { 
        printStackTrace(System.err);
    }

    /**
     * Prints this throwable and its backtrace to the specified print stream.
     *
     * @param s PrintStream to use for output
     */
    public void printStackTrace(PrintStream s) {
        synchronized (s) {
            s.println(this);
            StackTraceElement[] trace = getOurStackTrace();
            for (int i=0; i < trace.length; i++)
                s.println("\tat " + trace[i]);

            Throwable ourCause = getCause();
            if (ourCause != null)
                ourCause.printStackTraceAsCause(s, trace);
        }
    }

    /**
     * Print our stack trace as a cause for the specified stack trace.
     */
    /*KML
    private void printStackTraceAsCause(PrintStream s,
                                        StackTraceElement[] causedTrace)
    {
        // assert Thread.holdsLock(s);

        // Compute number of frames in common between this and caused
        StackTraceElement[] trace = getOurStackTrace();
        int m = trace.length-1, n = causedTrace.length-1;
        while (m >= 0 && n >=0 && trace[m].equals(causedTrace[n])) {
            m--; n--;
        }
        int framesInCommon = trace.length - 1 - m;

        s.println("Caused by: " + this);
        for (int i=0; i <= m; i++)
            s.println("\tat " + trace[i]);
        if (framesInCommon != 0)
            s.println("\t... " + framesInCommon + " more");

        // Recurse if we have a cause
        Throwable ourCause = getCause();
        if (ourCause != null)
            ourCause.printStackTraceAsCause(s, trace);
    }
    KML*/

    /**
     * Prints this throwable and its backtrace to the specified
     * print writer.
     *
     * @param s PrintWriter to use for output
     * @since   JDK1.1
     */
    /*KML
    public void printStackTrace(PrintWriter s) { 
        synchronized (s) {
            s.println(this);
            StackTraceElement[] trace = getOurStackTrace();
            for (int i=0; i < trace.length; i++)
                s.println("\tat " + trace[i]);

            Throwable ourCause = getCause();
            if (ourCause != null)
                ourCause.printStackTraceAsCause(s, trace);
        }
    }
    KML*/

    /**
     * Print our stack trace as a cause for the specified stack trace.
     */
    /*KML
    private void printStackTraceAsCause(PrintWriter s,
                                        StackTraceElement[] causedTrace)
    {
        // assert Thread.holdsLock(s);

        // Compute number of frames in common between this and caused
        StackTraceElement[] trace = getOurStackTrace();
        int m = trace.length-1, n = causedTrace.length-1;
        while (m >= 0 && n >=0 && trace[m].equals(causedTrace[n])) {
            m--; n--;
        }
        int framesInCommon = trace.length - 1 - m;

        s.println("Caused by: " + this);
        for (int i=0; i <= m; i++)
            s.println("\tat " + trace[i]);
        if (framesInCommon != 0)
            s.println("\t... " + framesInCommon + " more");

        // Recurse if we have a cause
        Throwable ourCause = getCause();
        if (ourCause != null)
            ourCause.printStackTraceAsCause(s, trace);
    }
    KML*/

    /**
     * Fills in the execution stack trace. This method records within this 
     * Throwable object information about the current state of 
     * the stack frames for the current thread.
     *
     * @return  a reference to this Throwable instance.
     * @see     java.lang.Throwable#printStackTrace()
     */
    public synchronized native Throwable fillInStackTrace();

    /**
     * Provides programmatic access to the stack trace information printed by
     * {@link #printStackTrace()}.  Returns an array of stack trace elements,
     * each representing one stack frame.  The zeroth element of the array
     * (assuming the array's length is non-zero) represents the top of the
     * stack, which is the last method invocation in the sequence.  Typically,
     * this is the point at which this throwable was created and thrown.
     * The last element of the array (assuming the array's length is non-zero)
     * represents the bottom of the stack, which is the first method invocation
     * in the sequence.
     *
     * 
    Some virtual machines may, under some circumstances, omit one
     * or more stack frames from the stack trace.  In the extreme case,
     * a virtual machine that has no stack trace information concerning
     * this throwable is permitted to return a zero-length array from this
     * method.  Generally speaking, the array returned by this method will
     * contain one element for every frame that would be printed by
     * printStackTrace.
     *
     * @return an array of stack trace elements representing the stack trace
     *         pertaining to this throwable.
     * @since  1.4
     */
    /*KML
    public StackTraceElement[] getStackTrace() {
        return (StackTraceElement[]) getOurStackTrace().clone();
    }
    KML*/

    /*KML
    private synchronized StackTraceElement[] getOurStackTrace() {
        // Initialize stack trace if this is the first call to this method
        if (stackTrace == null) {
            int depth = getStackTraceDepth();
            stackTrace = new StackTraceElement[depth];
            for (int i=0; i < depth; i++)
                stackTrace[i] = getStackTraceElement(i);
        }
        return stackTrace;
    }
    KML*/

    /**
     * Sets the stack trace elements that will be returned by
     * {@link #getStackTrace()} and printed by {@link #printStackTrace()}
     * and related methods.
     *
     * This method, which is designed for use by RPC frameworks and other
     * advanced systems, allows the client to override the default
     * stack trace that is either generated by {@link #fillInStackTrace()}
     * when a throwable is constructed or deserialized when a throwable is
     * read from a serialization stream.
     *
     * @param   stackTrace the stack trace elements to be associated with
     * this Throwable.  The specified array is copied by this
     * call; changes in the specified array after the method invocation
     * returns will have no affect on this Throwable's stack
     * trace.
     *
     * @throws NullPointerException if stackTrace is
     *         null, or if any of the elements of
     *         stackTrace are null
     *
     * @since  1.4
     */
    /*KML
    public void setStackTrace(StackTraceElement[] stackTrace) {
        StackTraceElement[] defensiveCopy =
            (StackTraceElement[]) stackTrace.clone();
        for (int i = 0; i < defensiveCopy.length; i++)
            if (defensiveCopy[i] == null)
                throw new NullPointerException("stackTrace[" + i + "]");

        this.stackTrace = defensiveCopy;
    }
    KML*/

    /**
     * Returns the number of elements in the stack trace (or 0 if the stack
     * trace is unavailable).
     */
    private native int getStackTraceDepth();

    /**
     * Returns the specified element of the stack trace.
     *
     * @param index index of the element to return.
     * @throws IndexOutOfBoundsException if index %lt; 0 ||
     *         index >= getStackTraceDepth() 
     */
    /*KML
    private native StackTraceElement getStackTraceElement(int index);
    KML*/

    /*KML
    private synchronized void writeObject(java.io.ObjectOutputStream s)
        throws IOException
    {
        getOurStackTrace();  // Ensure that stackTrace field is initialized.
        s.defaultWriteObject();
    }
    KML*/

}
why-2.39/lib/java_api/java/lang/Double.java0000644000106100004300000007024013147234006017473 0ustar  marchevals/*
 * @(#)Double.java	1.82 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.lang;

/**
 * The Double class wraps a value of the primitive type
 * double in an object. An object of type
 * Double contains a single field whose type is
 * double.
 * 
    
 * In addition, this class provides several methods for converting a
 * double to a String and a
 * String to a double, as well as other
 * constants and methods useful when dealing with a
 * double.
 *
 * @author  Lee Boynton
 * @author  Arthur van Hoff
 * @version 1.82, 01/23/03
 * @since JDK1.0
 */
public final class Double extends Number implements Comparable {
    /**
     * A constant holding the positive infinity of type
     * double. It is equal to the value returned by
     * Double.longBitsToDouble(0x7ff0000000000000L).
     */
    public static final double POSITIVE_INFINITY = 1.0 / 0.0;

    /**
     * A constant holding the negative infinity of type
     * double. It is equal to the value returned by
     * Double.longBitsToDouble(0xfff0000000000000L).
     */
    public static final double NEGATIVE_INFINITY = -1.0 / 0.0;

    /** 
     * A constant holding a Not-a-Number (NaN) value of type
     * double. It is equivalent to the value returned by
     * Double.longBitsToDouble(0x7ff8000000000000L).
     */
    public static final double NaN = 0.0d / 0.0;

    /**
     * A constant holding the largest positive finite value of type
     * double, (2-2-52)·21023.
     * It is equal to the value returned by:
     * Double.longBitsToDouble(0x7fefffffffffffffL).
     */
    public static final double MAX_VALUE = 1.7976931348623157e+308;

    /**
     * A constant holding the smallest positive nonzero value of type
     * double, 2-1074. It is equal to the
     * value returned by Double.longBitsToDouble(0x1L).
     */
    public static final double MIN_VALUE = 4.9e-324;

    /**
     * The Class instance representing the primitive type
     * double.
     *
     * @since JDK1.1 
     */
    public static final Class	TYPE = Class.getPrimitiveClass("double");

    /**
     * Returns a string representation of the double 
     * argument. All characters mentioned below are ASCII characters.
     * 
      
     * 
    • If the argument is NaN, the result is the string
     *     "NaN".
     * 
    • Otherwise, the result is a string that represents the sign and 
     * magnitude (absolute value) of the argument. If the sign is negative, 
     * the first character of the result is '-' 
     * ('\u002D'); if the sign is positive, no sign character 
     * appears in the result. As for the magnitude m:
     * 
        
     * 
      • If m is infinity, it is represented by the characters 
     * "Infinity"; thus, positive infinity produces the result 
     * "Infinity" and negative infinity produces the result 
     * "-Infinity".
     *
     * 
      • If m is zero, it is represented by the characters 
     * "0.0"; thus, negative zero produces the result 
     * "-0.0" and positive zero produces the result 
     * "0.0". 
     *
     * 
      • If m is greater than or equal to 10-3 but less 
     * than 107, then it is represented as the integer part of 
     * m, in decimal form with no leading zeroes, followed by 
     * '.' ('\u002E'), followed by one or 
     * more decimal digits representing the fractional part of m. 
     *
     * 
      • If m is less than 10-3 or greater than or
     * equal to 107, then it is represented in so-called
     * "computerized scientific notation." Let n be the unique
     * integer such that 10n <= m <
     * 10n+1; then let a be the
     * mathematically exact quotient of m and
     * 10n so that 1 <= a < 10. The
     * magnitude is then represented as the integer part of a,
     * as a single decimal digit, followed by '.'
     * ('\u002E'), followed by decimal digits
     * representing the fractional part of a, followed by the
     * letter 'E' ('\u0045'), followed
     * by a representation of n as a decimal integer, as
     * produced by the method {@link Integer#toString(int)}.
     * 
      
     * 
    
     * How many digits must be printed for the fractional part of 
     * m or a? There must be at least one digit to represent 
     * the fractional part, and beyond that as many, but only as many, more 
     * digits as are needed to uniquely distinguish the argument value from
     * adjacent values of type double. That is, suppose that 
     * x is the exact mathematical value represented by the decimal 
     * representation produced by this method for a finite nonzero argument 
     * d. Then d must be the double value nearest 
     * to x; or if two double values are equally close 
     * to x, then d must be one of them and the least
     * significant bit of the significand of d must be 0.
     * 
    
     * To create localized string representations of a floating-point
     * value, use subclasses of {@link java.text.NumberFormat}.
     *
     * @param   d   the double to be converted.
     * @return a string representation of the argument.
     */
    public static String toString(double d) {
	return new FloatingDecimal(d).toJavaFormatString();
    }

    /**
     * Returns a Double object holding the
     * double value represented by the argument string
     * s.
     * 
    
     * If s is null, then a 
     * NullPointerException is thrown.
     * 
    
     * Leading and trailing whitespace characters in s
     * are ignored. The rest of s should constitute a
     * FloatValue as described by the lexical rule:
     * 
    
     * 
    
     * 
    FloatValue:
     * 
    Signopt NaN
     * 
    Signopt Infinity
     * 
    Signopt FloatingPointLiteral
     * 
    
     * 
    
     * where Sign and FloatingPointLiteral are as
     * defined in 
     * §3.10.2
     * of the Java 
     * Language Specification. If s does not have the 
     * form of a FloatValue, then a NumberFormatException
     * is thrown. Otherwise, s is regarded as
     * representing an exact decimal value in the usual "computerized
     * scientific notation"; this exact decimal value is then
     * conceptually converted to an "infinitely precise" binary value
     * that is then rounded to type double by the usual
     * round-to-nearest rule of IEEE 754 floating-point arithmetic,
     * which includes preserving the sign of a zero value. Finally, a
     * Double object representing this
     * double value is returned.
     * 
    
     * To interpret localized string representations of a
     * floating-point value, use subclasses of {@link
     * java.text.NumberFormat}.
     *
     * 
    Note that trailing format specifiers, specifiers that
     * determine the type of a floating-point literal
     * (1.0f is a float value;
     * 1.0d is a double value), do
     * not influence the results of this method.  In other
     * words, the numerical value of the input string is converted
     * directly to the target floating-point type.  The two-step
     * sequence of conversions, string to float followed
     * by float to double, is not
     * equivalent to converting a string directly to
     * double. For example, the float
     * literal 0.1f is equal to the double
     * value 0.10000000149011612; the float
     * literal 0.1f represents a different numerical
     * value than the double literal
     * 0.1. (The numerical value 0.1 cannot be exactly
     * represented in a binary floating-point number.)
     *
     * @param      s   the string to be parsed.
     * @return     a Double object holding the value
     *             represented by the String argument.
     * @exception  NumberFormatException  if the string does not contain a
     *               parsable number.
     */
    public static Double valueOf(String s) throws NumberFormatException {
	return new Double(FloatingDecimal.readJavaFormatString(s).doubleValue());
    }

    /**
     * Returns a new double initialized to the value
     * represented by the specified String, as performed
     * by the valueOf method of class
     * Double.
     *
     * @param      s   the string to be parsed.
     * @return the double value represented by the string
     *         argument.
     * @exception NumberFormatException if the string does not contain
     *            a parsable double.
     * @see        java.lang.Double#valueOf(String)
     * @since 1.2
     */
    public static double parseDouble(String s) throws NumberFormatException {
	return FloatingDecimal.readJavaFormatString(s).doubleValue();
    }

    /**
     * Returns true if the specified number is a
     * Not-a-Number (NaN) value, false otherwise.
     *
     * @param   v   the value to be tested.
     * @return  true if the value of the argument is NaN;
     *          false otherwise.
     */
    static public boolean isNaN(double v) {
	return (v != v);
    }

    /**
     * Returns true if the specified number is infinitely
     * large in magnitude, false otherwise.
     *
     * @param   v   the value to be tested.
     * @return  true if the value of the argument is positive
     *          infinity or negative infinity; false otherwise.
     */
    static public boolean isInfinite(double v) {
	return (v == POSITIVE_INFINITY) || (v == NEGATIVE_INFINITY);
    }

    /**
     * The value of the Double.
     *
     * @serial
     */
    private double value;

    /**
     * Constructs a newly allocated Double object that
     * represents the primitive double argument.
     *
     * @param   value   the value to be represented by the Double.
     */
    public Double(double value) {
	this.value = value;
    }

    /**
     * Constructs a newly allocated Double object that
     * represents the floating-point value of type double
     * represented by the string. The string is converted to a
     * double value as if by the valueOf method.
     *
     * @param      s   a string to be converted to a Double.
     * @exception  NumberFormatException  if the string does not contain a
     *               parsable number.
     * @see        java.lang.Double#valueOf(java.lang.String)
     */
    public Double(String s) throws NumberFormatException {
	// REMIND: this is inefficient
	this(valueOf(s).doubleValue());
    }

    /**
     * Returns true if this Double value is
     * a Not-a-Number (NaN), false otherwise.
     *
     * @return  true if the value represented by this object is
     *          NaN; false otherwise.
     */
    public boolean isNaN() {
	return isNaN(value);
    }

    /**
     * Returns true if this Double value is
     * infinitely large in magnitude, false otherwise.
     *
     * @return  true if the value represented by this object is
     *          positive infinity or negative infinity;
     *          false otherwise.
     */
    public boolean isInfinite() {
	return isInfinite(value);
    }

    /**
     * Returns a string representation of this Double object.
     * The primitive double value represented by this
     * object is converted to a string exactly as if by the method
     * toString of one argument.
     *
     * @return  a String representation of this object.
     * @see java.lang.Double#toString(double)
     */
    public String toString() {
	return String.valueOf(value);
    }

    /**
     * Returns the value of this Double as a byte (by
     * casting to a byte).
     *
     * @return  the double value represented by this object
     *          converted to type byte
     * @since JDK1.1 
     */
    public byte byteValue() {
	return (byte)value;
    }

    /**
     * Returns the value of this Double as a
     * short (by casting to a short).
     *
     * @return  the double value represented by this object
     *          converted to type short
     * @since JDK1.1 
     */
    public short shortValue() {
	return (short)value;
    }

    /**
     * Returns the value of this Double as an
     * int (by casting to type int).
     *
     * @return  the double value represented by this object
     *          converted to type int
     */
    public int intValue() {
	return (int)value;
    }

    /**
     * Returns the value of this Double as a
     * long (by casting to type long).
     *
     * @return  the double value represented by this object
     *          converted to type long
     */
    public long longValue() {
	return (long)value;
    }

    /**
     * Returns the float value of this
     * Double object.
     *
     * @return  the double value represented by this object
     *          converted to type float
     * @since JDK1.0 
     */
    public float floatValue() {
	return (float)value;
    }

    /**
     * Returns the double value of this
     * Double object.
     *
     * @return the double value represented by this object
     */
    public double doubleValue() {
	return (double)value;
    }

    /**
     * Returns a hash code for this Double object. The
     * result is the exclusive OR of the two halves of the
     * long integer bit representation, exactly as
     * produced by the method {@link #doubleToLongBits(double)}, of
     * the primitive double value represented by this
     * Double object. That is, the hash code is the value
     * of the expression:
     * 
         * (int)(v^(v>>>32))
     * 
    
     * where v is defined by: 
     * 
         * long v = Double.doubleToLongBits(this.doubleValue());
     * 
    
     *
     * @return  a hash code value for this object.
     */
    public int hashCode() {
	long bits = doubleToLongBits(value);
	return (int)(bits ^ (bits >>> 32));
    }

    /**
     * Compares this object against the specified object.  The result
     * is true if and only if the argument is not
     * null and is a Double object that
     * represents a double that has the same value as the
     * double represented by this object. For this
     * purpose, two double values are considered to be
     * the same if and only if the method {@link
     * #doubleToLongBits(double)} returns the identical
     * long value when applied to each.
     * 
    
     * Note that in most cases, for two instances of class
     * Double, d1 and d2, the
     * value of d1.equals(d2) is true if and
     * only if
     * 
         *   d1.doubleValue() == d2.doubleValue()
     * 
    
     * 
    
     * also has the value true. However, there are two
     * exceptions:
     * 
      
     * 
    • If d1 and d2 both represent
     *     Double.NaN, then the equals method
     *     returns true, even though
     *     Double.NaN==Double.NaN has the value
     *     false.
     * 
    • If d1 represents +0.0 while
     *     d2 represents -0.0, or vice versa,
     *     the equal test has the value false,
     *     even though +0.0==-0.0 has the value true.
     * 
    
     * This definition allows hash tables to operate properly.
     * @param   obj   the object to compare with.
     * @return  true if the objects are the same;
     *          false otherwise.
     * @see java.lang.Double#doubleToLongBits(double)
     */
    public boolean equals(Object obj) {
	return (obj instanceof Double)
	       && (doubleToLongBits(((Double)obj).value) ==
		      doubleToLongBits(value));
    }

    /**
     * Returns a representation of the specified floating-point value
     * according to the IEEE 754 floating-point "double
     * format" bit layout.
     * 
    
     * Bit 63 (the bit that is selected by the mask 
     * 0x8000000000000000L) represents the sign of the 
     * floating-point number. Bits 
     * 62-52 (the bits that are selected by the mask 
     * 0x7ff0000000000000L) represent the exponent. Bits 51-0 
     * (the bits that are selected by the mask 
     * 0x000fffffffffffffL) represent the significand 
     * (sometimes called the mantissa) of the floating-point number. 
     * 
    
     * If the argument is positive infinity, the result is
     * 0x7ff0000000000000L.
     * 
    
     * If the argument is negative infinity, the result is
     * 0xfff0000000000000L.
     * 
    
     * If the argument is NaN, the result is 
     * 0x7ff8000000000000L. 
     * 
    
     * In all cases, the result is a long integer that, when 
     * given to the {@link #longBitsToDouble(long)} method, will produce a 
     * floating-point value the same as the argument to 
     * doubleToLongBits (except all NaN values are
     * collapsed to a single "canonical" NaN value).
     *
     * @param   value   a double precision floating-point number.
     * @return the bits that represent the floating-point number.  
     */
    public static native long doubleToLongBits(double value);

    /**
     * Returns a representation of the specified floating-point value
     * according to the IEEE 754 floating-point "double
     * format" bit layout, preserving Not-a-Number (NaN) values.
     * 
    
     * Bit 63 (the bit that is selected by the mask 
     * 0x8000000000000000L) represents the sign of the 
     * floating-point number. Bits 
     * 62-52 (the bits that are selected by the mask 
     * 0x7ff0000000000000L) represent the exponent. Bits 51-0 
     * (the bits that are selected by the mask 
     * 0x000fffffffffffffL) represent the significand 
     * (sometimes called the mantissa) of the floating-point number. 
     * 
    
     * If the argument is positive infinity, the result is
     * 0x7ff0000000000000L.
     * 
    
     * If the argument is negative infinity, the result is
     * 0xfff0000000000000L.
     * 
    
     * If the argument is NaN, the result is the long
     * integer representing the actual NaN value.  Unlike the
     * doubleToLongBits method,
     * doubleToRawLongBits does not collapse all the bit
     * patterns encoding a NaN to a single "canonical" NaN
     * value.
     * 
    
     * In all cases, the result is a long integer that,
     * when given to the {@link #longBitsToDouble(long)} method, will
     * produce a floating-point value the same as the argument to
     * doubleToRawLongBits.
     *
     * @param   value   a double precision floating-point number.
     * @return the bits that represent the floating-point number.
     */
    public static native long doubleToRawLongBits(double value);

    /**
     * Returns the double value corresponding to a given
     * bit representation.
     * The argument is considered to be a representation of a
     * floating-point value according to the IEEE 754 floating-point
     * "double format" bit layout.
     * 
    
     * If the argument is 0x7ff0000000000000L, the result 
     * is positive infinity. 
     * 
    
     * If the argument is 0xfff0000000000000L, the result 
     * is negative infinity. 
     * 
    
     * If the argument is any value in the range
     * 0x7ff0000000000001L through
     * 0x7fffffffffffffffL or in the range
     * 0xfff0000000000001L through
     * 0xffffffffffffffffL, the result is a NaN.  No IEEE
     * 754 floating-point operation provided by Java can distinguish
     * between two NaN values of the same type with different bit
     * patterns.  Distinct values of NaN are only distinguishable by
     * use of the Double.doubleToRawLongBits method.
     * 
    
     * In all other cases, let s, e, and m be three 
     * values that can be computed from the argument: 
     * 
         * int s = ((bits >> 63) == 0) ? 1 : -1;
     * int e = (int)((bits >> 52) & 0x7ffL);
     * long m = (e == 0) ?
     *                 (bits & 0xfffffffffffffL) << 1 :
     *                 (bits & 0xfffffffffffffL) | 0x10000000000000L;
     * 
    
     * Then the floating-point result equals the value of the mathematical 
     * expression s·m·2e-1075.
     *
    
     * Note that this method may not be able to return a
     * double NaN with exactly same bit pattern as the
     * long argument.  IEEE 754 distinguishes between two
     * kinds of NaNs, quiet NaNs and signaling NaNs.  The
     * differences between the two kinds of NaN are generally not
     * visible in Java.  Arithmetic operations on signaling NaNs turn
     * them into quiet NaNs with a different, but often similar, bit
     * pattern.  However, on some processors merely copying a
     * signaling NaN also performs that conversion.  In particular,
     * copying a signaling NaN to return it to the calling method
     * may perform this conversion.  So longBitsToDouble
     * may not be able to return a double with a
     * signaling NaN bit pattern.  Consequently, for some
     * long values,
     * doubleToRawLongBits(longBitsToDouble(start)) may
     * not equal start.  Moreover, which
     * particular bit patterns represent signaling NaNs is platform
     * dependent; although all NaN bit patterns, quiet or signaling,
     * must be in the NaN range identified above.
     *
     * @param   bits   any long integer.
     * @return  the double floating-point value with the same
     *          bit pattern.
     */
    public static native double longBitsToDouble(long bits);

    /**
     * Compares two Double objects numerically.  There
     * are two ways in which comparisons performed by this method
     * differ from those performed by the Java language numerical
     * comparison operators (<, <=, ==, >= >)
     * when applied to primitive double values:
     * 
    • 
     *		Double.NaN is considered by this method
     *		to be equal to itself and greater than all other
     *		double values (including
     *		Double.POSITIVE_INFINITY).
     * 
    • 
     *		0.0d is considered by this method to be greater
     *		than -0.0d.
     * 
    
     * This ensures that Double.compareTo(Object) (which
     * forwards its behavior to this method) obeys the general
     * contract for Comparable.compareTo, and that the
     * natural order on Doubles is consistent
     * with equals.
     *
     * @param   anotherDouble   the Double to be compared.
     * @return  the value 0 if anotherDouble is
     *		numerically equal to this Double; a value
     *		less than 0 if this Double
     *		is numerically less than anotherDouble;
     *		and a value greater than 0 if this
     *		Double is numerically greater than
     *		anotherDouble.
     *		
     * @since   1.2
     * @see Comparable#compareTo(Object)
     */
    public int compareTo(Double anotherDouble) {
        return Double.compare(value, anotherDouble.value);
    }

    /**
     * Compares this Double object to another object.  If
     * the object is a Double, this function behaves like
     * compareTo(Double).  Otherwise, it throws a
     * ClassCastException (as Double objects
     * are comparable only to other Double objects).
     *
     * @param   o the Object to be compared.
     * @return the value 0 if the argument is a
     *		Double numerically equal to this
     *		Double; a value less than 0
     *		if the argument is a Double numerically
     *		greater than this Double; and a value
     *		greater than 0 if the argument is a
     *		Double numerically less than this
     *		Double.
     * @exception ClassCastException if the argument is not a
     *		  Double.
     * @see     java.lang.Comparable
     * @since 1.2
     */
    public int compareTo(Object o) {
	return compareTo((Double)o);
    }

    /**
     * Compares the two specified double values. The sign
     * of the integer value returned is the same as that of the
     * integer that would be returned by the call:
     * 
         *    new Double(d1).compareTo(new Double(d2))
     * 
    
     *
     * @param   d1        the first double to compare
     * @param   d2        the second double to compare
     * @return  the value 0 if d1 is
     *		numerically equal to d2; a value less than
     *          0 if d1 is numerically less than
     *		d2; and a value greater than 0
     *		if d1 is numerically greater than
     *		d2.
     * @since 1.4
     */
    public static int compare(double d1, double d2) {
        if (d1 < d2)
            return -1;		 // Neither val is NaN, thisVal is smaller
        if (d1 > d2)
            return 1;		 // Neither val is NaN, thisVal is larger

        long thisBits = Double.doubleToLongBits(d1);
        long anotherBits = Double.doubleToLongBits(d2);

        return (thisBits == anotherBits ?  0 : // Values are equal
                (thisBits < anotherBits ? -1 : // (-0.0, 0.0) or (!NaN, NaN)
                 1));                          // (0.0, -0.0) or (NaN, !NaN)
    }

    /** use serialVersionUID from JDK 1.0.2 for interoperability */
    private static final long serialVersionUID = -9172774392245257468L;
}
why-2.39/lib/java_api/java/lang/Comparable.java0000644000106100004300000001314213147234006020324 0ustar  marchevals/*
 * @(#)Comparable.java	1.20 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.lang;

/**
 * This interface imposes a total ordering on the objects of each class that
 * implements it.  This ordering is referred to as the class's natural
 * ordering, and the class's compareTo method is referred to as
 * its natural comparison method.
    
 *
 * Lists (and arrays) of objects that implement this interface can be sorted
 * automatically by Collections.sort (and Arrays.sort).
 * Objects that implement this interface can be used as keys in a sorted map
 * or elements in a sorted set, without the need to specify a comparator.
    
 *
 * The natural ordering for a class C is said to be consistent
 * with equals if and only if (e1.compareTo((Object)e2) == 0) has
 * the same boolean value as e1.equals((Object)e2) for every
 * e1 and e2 of class C.  Note that null
 * is not an instance of any class, and e.compareTo(null) should
 * throw a NullPointerException even though e.equals(null)
 * returns false.
    
 *
 * It is strongly recommended (though not required) that natural orderings be
 * consistent with equals.  This is so because sorted sets (and sorted maps)
 * without explicit comparators behave "strangely" when they are used with
 * elements (or keys) whose natural ordering is inconsistent with equals.  In
 * particular, such a sorted set (or sorted map) violates the general contract
 * for set (or map), which is defined in terms of the equals
 * method.
    
 *
 * For example, if one adds two keys a and b such that
 * (!a.equals((Object)b) && a.compareTo((Object)b) == 0) to a sorted
 * set that does not use an explicit comparator, the second add
 * operation returns false (and the size of the sorted set does not increase)
 * because a and b are equivalent from the sorted set's
 * perspective.
    
 *
 * Virtually all Java core classes that implement comparable have natural
 * orderings that are consistent with equals.  One exception is
 * java.math.BigDecimal, whose natural ordering equates
 * BigDecimal objects with equal values and different precisions 
 * (such as 4.0 and 4.00).
    
 *
 * For the mathematically inclined, the relation that defines
 * the natural ordering on a given class C is:
     *       {(x, y) such that x.compareTo((Object)y) <= 0}.
 * 
     The quotient for this total order is: 
     *       {(x, y) such that x.compareTo((Object)y) == 0}.
 * 
    
 *
 * It follows immediately from the contract for compareTo that the
 * quotient is an equivalence relation on C, and that the
 * natural ordering is a total order on C.  When we say that a
 * class's natural ordering is consistent with equals, we mean that the
 * quotient for the natural ordering is the equivalence relation defined by
 * the class's equals(Object) method:
     *     {(x, y) such that x.equals((Object)y)}.
 * 
    
 *
 * This interface is a member of the 
 * 
 * Java Collections Framework.
 *
 * @author  Josh Bloch
 * @version 1.20, 01/23/03
 * @see java.util.Comparator
 * @see java.util.Collections#sort(java.util.List)
 * @see java.util.Arrays#sort(Object[])
 * @see java.util.SortedSet
 * @see java.util.SortedMap
 * @see java.util.TreeSet
 * @see java.util.TreeMap
 * @since 1.2
 */

public interface Comparable {
    /**
     * Compares this object with the specified object for order.  Returns a
     * negative integer, zero, or a positive integer as this object is less
     * than, equal to, or greater than the specified object.
    
     *
     * In the foregoing description, the notation
     * sgn(expression) designates the mathematical
     * signum function, which is defined to return one of -1,
     * 0, or 1 according to whether the value of expression
     * is negative, zero or positive.
     *
     * The implementor must ensure sgn(x.compareTo(y)) ==
     * -sgn(y.compareTo(x)) for all x and y.  (This
     * implies that x.compareTo(y) must throw an exception iff
     * y.compareTo(x) throws an exception.)
    
     *
     * The implementor must also ensure that the relation is transitive:
     * (x.compareTo(y)>0 && y.compareTo(z)>0) implies
     * x.compareTo(z)>0.
    
     *
     * Finally, the implementer must ensure that x.compareTo(y)==0
     * implies that sgn(x.compareTo(z)) == sgn(y.compareTo(z)), for
     * all z.
    
     *
     * It is strongly recommended, but not strictly required that
     * (x.compareTo(y)==0) == (x.equals(y)).  Generally speaking, any
     * class that implements the Comparable interface and violates
     * this condition should clearly indicate this fact.  The recommended
     * language is "Note: this class has a natural ordering that is
     * inconsistent with equals."
     * 
     * @param   o the Object to be compared.
     * @return  a negative integer, zero, or a positive integer as this object
     *		is less than, equal to, or greater than the specified object.
     * 
     * @throws ClassCastException if the specified object's type prevents it
     *         from being compared to this Object.
     */
    public int compareTo(Object o);
}
why-2.39/lib/java_api/java/lang/CharSequence.java0000644000106100004300000000577313147234006020640 0ustar  marchevals/*
 * @(#)CharSequence.java	1.6 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.lang;


/**
 * A CharSequence is a readable sequence of characters.  This
 * interface provides uniform, read-only access to many different kinds of
 * character sequences.
 *
 * 
     This interface does not refine the general contracts of the {@link
 * java.lang.Object#equals(java.lang.Object) equals} and {@link
 * java.lang.Object#hashCode() hashCode} methods.  The result of comparing two
 * objects that implement CharSequence is therefore, in general,
 * undefined.  Each object may be implemented by a different class, and there
 * is no guarantee that each class will be capable of testing its instances
 * for equality with those of the other.  It is therefore inappropriate to use
 * arbitrary CharSequence instances as elements in a set or as keys in
 * a map. 
    
 *
 * @author Mike McCloskey
 * @version 1.6 03/01/23
 * @since 1.4
 * @spec JSR-51
 */

public interface CharSequence {

    /**
     * Returns the length of this character sequence.  The length is the number
     * of 16-bit Unicode characters in the sequence. 
    
     *
     * @return  the number of characters in this sequence
     */
    int length();

    /**
     * Returns the character at the specified index.  An index ranges from zero
     * to length() - 1.  The first character of the sequence is at
     * index zero, the next at index one, and so on, as for array
     * indexing. 
    
     *
     * @param   index   the index of the character to be returned
     *
     * @return  the specified character
     *
     * @throws  IndexOutOfBoundsException
     *          if the index argument is negative or not less than
     *          length()
     */
    char charAt(int index);

    /**
     * Returns a new character sequence that is a subsequence of this sequence.
     * The subsequence starts with the character at the specified index and
     * ends with the character at index end - 1.  The length of the
     * returned sequence is end - start, so if start == end
     * then an empty sequence is returned. 
    
     * 
     * @param   start   the start index, inclusive
     * @param   end     the end index, exclusive
     *
     * @return  the specified subsequence
     *
     * @throws  IndexOutOfBoundsException
     *          if start or end are negative,
     *          if end is greater than length(),
     *          or if start is greater than end
     */
    CharSequence subSequence(int start, int end);

    /**
     * Returns a string containing the characters in this sequence in the same
     * order as this sequence.  The length of the string will be the length of
     * this sequence. 
    
     *
     * @return  a string consisting of exactly this sequence of characters
     */
    public String toString();

}
why-2.39/lib/java_api/java/lang/NumberFormatException.java0000644000106100004300000000251413147234006022540 0ustar  marchevals/*
 * @(#)NumberFormatException.java	1.19 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.lang;

/**
 * Thrown to indicate that the application has attempted to convert 
 * a string to one of the numeric types, but that the string does not 
 * have the appropriate format. 
 *
 * @author  unascribed
 * @version 1.19, 01/23/03
 * @see     java.lang.Integer#toString()
 * @since   JDK1.0
 */
public
class NumberFormatException extends IllegalArgumentException {
    static final long serialVersionUID = -2848938806368998894L;

    /**
     * Constructs a NumberFormatException with no detail message.
     */
    public NumberFormatException () {
	super();
    }

    /**
     * Constructs a NumberFormatException with the 
     * specified detail message. 
     *
     * @param   s   the detail message.
     */
    public NumberFormatException (String s) {
	super (s);
    }

    /**
     * Factory method for making a NumberFormatException
     * given the specified input which caused the error.
     *
     * @param   s   the input causing the error
     */
    static NumberFormatException forInputString(String s) {
        return new NumberFormatException("For input string: \"" + s + "\"");
    }
}
why-2.39/lib/java_api/java/lang/ArrayStoreException.java0000644000106100004300000000200413147234006022224 0ustar  marchevals/*
 * @(#)ArrayStoreException.java	1.10 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.lang;

/**
 * Thrown to indicate that an attempt has been made to store the 
 * wrong type of object into an array of objects. For example, the 
 * following code generates an ArrayStoreException: 
 * 
     *     Object x[] = new String[3];
 *     x[0] = new Integer(0);
 * 
    
 *
 * @author  unascribed
 * @version 1.10, 01/23/03
 * @since   JDK1.0
 */
public
class ArrayStoreException extends RuntimeException {
    /**
     * Constructs an ArrayStoreException with no detail message. 
     */
    public ArrayStoreException() {
	super();
    }

    /**
     * Constructs an ArrayStoreException with the specified 
     * detail message. 
     *
     * @param   s   the detail message.
     */
    public ArrayStoreException(String s) {
	super(s);
    }
}

why-2.39/lib/java_api/java/lang/Class.java0000644000106100004300000025714313147234006017337 0ustar  marchevals/*
 * @(#)Class.java	1.154 04/05/06
 *
 * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.lang;

// import java.lang.reflect.Member;
// import java.lang.reflect.Field;
// import java.lang.reflect.Method;
// import java.lang.reflect.Constructor;
// import java.lang.reflect.Modifier;
// import java.lang.reflect.InvocationTargetException;
// import java.lang.ref.SoftReference;
// import java.io.InputStream;
// import java.io.ObjectStreamClass;
// import java.io.ObjectStreamField;
// import java.security.AccessController;
// import java.security.PrivilegedAction;
// import java.util.ArrayList;
// import java.util.Collection;
// import java.util.HashSet;
// import java.util.Iterator;
// import java.util.List;
// import java.util.LinkedList;
// import java.util.LinkedHashSet;
// import java.util.Set;
// import sun.misc.Unsafe;
// import sun.reflect.Reflection;
// import sun.reflect.ReflectionFactory;
// import sun.reflect.SignatureIterator;
// import sun.security.util.SecurityConstants;


/**
 * Instances of the class Class represent classes and interfaces
 * in a running Java application.  Every array also belongs to a class that is
 * reflected as a Class object that is shared by all arrays with
 * the same element type and number of dimensions.  The primitive Java types
 * (boolean, byte, char,
 * short, int, long,
 * float, and double), and the keyword
 * void are also represented as Class objects.
 *
 * 
     Class has no public constructor. Instead Class
 * objects are constructed automatically by the Java Virtual Machine as classes
 * are loaded and by calls to the defineClass method in the class
 * loader.
 *
 * 
     The following example uses a Class object to print the
 * class name of an object:
 *
 * 
     
     *     void printClassName(Object obj) {
 *         System.out.println("The class of " + obj +
 *                            " is " + obj.getClass().getName());
 *     }
 * 
    
 * 
 * 
     It is also possible to get the Class object for a named
 * type (or for void) using a class literal 
 * (JLS Section 15.8.2). 
 * For example:
 *
 * 
     
     *     System.out.println("The name of class Foo is: "+Foo.class.getName());
 * 
    
 *
 * @author  unascribed
 * @version 1.135, 05/25/01
 * @see     java.lang.ClassLoader#defineClass(byte[], int, int)
 * @since   JDK1.0
 */
public final
class Class implements java.io.Serializable {

    private static native void registerNatives();
    static {
        registerNatives();
    }

    /*
     * Constructor. Only the Java Virtual Machine creates Class
     * objects.
     */
    private Class() {}


    /**
     * Converts the object to a string. The string representation is the
     * string "class" or "interface", followed by a space, and then by the
     * fully qualified name of the class in the format returned by
     * getName.  If this Class object represents a
     * primitive type, this method returns the name of the primitive type.  If
     * this Class object represents void this method returns
     * "void".
     *
     * @return a string representation of this class object.
     */
    public String toString() {
        return (isInterface() ? "interface " : (isPrimitive() ? "" : "class "))
            + getName();
    }


    /**
     * Returns the Class object associated with the class or
     * interface with the given string name.  Invoking this method is
     * equivalent to:
     *
     * 
         *  Class.forName(className, true, currentLoader)
     * 
    
     *
     * where currentLoader denotes the defining class loader of
     * the current class.
     *
     * 
     For example, the following code fragment returns the
     * runtime Class descriptor for the class named
     * java.lang.Thread:
     *
     * 
         *   Class t = Class.forName("java.lang.Thread")
     * 
    
     * 
    
     * A call to forName("X") causes the class named 
     * X to be initialized.
     *
     * @param      className   the fully qualified name of the desired class.
     * @return     the Class object for the class with the
     *             specified name.
     * @exception LinkageError if the linkage fails
     * @exception ExceptionInInitializerError if the initialization provoked
     *            by this method fails
     * @exception ClassNotFoundException if the class cannot be located
     */
    public static Class forName(String className) 
                throws ClassNotFoundException {
        return forName0(className, true, ClassLoader.getCallerClassLoader());
    }


    /**
     * Returns the Class object associated with the class or
     * interface with the given string name, using the given class loader.
     * Given the fully qualified name for a class or interface (in the same
     * format returned by getName) this method attempts to
     * locate, load, and link the class or interface.  The specified class
     * loader is used to load the class or interface.  If the parameter
     * loader is null, the class is loaded through the bootstrap
     * class loader.  The class is initialized only if the
     * initialize parameter is true and if it has
     * not been initialized earlier.
     *
     * 
     If name denotes a primitive type or void, an attempt
     * will be made to locate a user-defined class in the unnamed package whose
     * name is name. Therefore, this method cannot be used to
     * obtain any of the Class objects representing primitive
     * types or void.
     *
     * 
     If name denotes an array class, the component type of
     * the array class is loaded but not initialized.
     *
     * 
     For example, in an instance method the expression:
     *
     * 
         *  Class.forName("Foo")
     * 
    
     *
     * is equivalent to:
     *
     * 
         *  Class.forName("Foo", true, this.getClass().getClassLoader())
     * 
    
     *
     * Note that this method throws errors related to loading, linking or
     * initializing as specified in Sections 12.2, 12.3 and 12.4 of The
     * Java Language Specification.
     * Note that this method does not check whether the requested class 
     * is accessible to its caller.
     *
     * 
     If the loader is null, and a security
     * manager is present, and the caller's class loader is not null, then this
     * method calls the security manager's checkPermission method
     * with a RuntimePermission("getClassLoader") permission to
     * ensure it's ok to access the bootstrap class loader.
     *
     * @param name       fully qualified name of the desired class
     * @param initialize whether the class must be initialized
     * @param loader     class loader from which the class must be loaded
     * @return           class object representing the desired class
     * 
     * @exception LinkageError if the linkage fails
     * @exception ExceptionInInitializerError if the initialization provoked
     *            by this method fails
     * @exception ClassNotFoundException if the class cannot be located by
     *            the specified class loader
     *
     * @see 	  java.lang.Class#forName(String) 
     * @see 	  java.lang.ClassLoader
     * @since 	  1.2
     */
    /*KML
    public static Class forName(String name, boolean initialize,
				ClassLoader loader)
        throws ClassNotFoundException
    {
	if (loader == null) {
	    SecurityManager sm = System.getSecurityManager();
	    if (sm != null) {
		ClassLoader ccl = ClassLoader.getCallerClassLoader();
		if (ccl != null) {
		    sm.checkPermission(
			SecurityConstants.GET_CLASSLOADER_PERMISSION);
		}
	    }
	}
	return forName0(name, initialize, loader);
    }
    */

    /** Called after security checks have been made. */
    /*KML
    private static native Class forName0(String name, boolean initialize,
					 ClassLoader loader)
	throws ClassNotFoundException;

    */

    /**
     * Creates a new instance of the class represented by this Class
     * object.  The class is instantiated as if by a new
     * expression with an empty argument list.  The class is initialized if it
     * has not already been initialized.
     *
     * 
    If there is a security manager, this method first calls the security
     * manager's checkMemberAccess method with this
     * and Member.PUBLIC as its arguments. If the class is in a
     * package, then this method also calls the security manager's
     * checkPackageAccess method with the package name as its
     * argument. Either of these calls could result in a SecurityException.
     *
     * @return     a newly allocated instance of the class represented by this
     *             object.
     * @exception  IllegalAccessException  if the class or its nullary 
     *               constructor is not accessible.
     * @exception  InstantiationException 
     *               if this Class represents an abstract class,
     *               an interface, an array class, a primitive type, or void;
     *               or if the class has no nullary constructor;
     *               or if the instantiation fails for some other reason.
     * @exception  ExceptionInInitializerError if the initialization
     *               provoked by this method fails.
     * @exception  SecurityException if there is no permission to create a new
     *               instance.
     *
     */
    public Object newInstance() 
        throws InstantiationException, IllegalAccessException
    {
	if (System.getSecurityManager() != null) {
	    checkMemberAccess(Member.PUBLIC, ClassLoader.getCallerClassLoader());
	}
	return newInstance0();
    }

    private Object newInstance0()
        throws InstantiationException, IllegalAccessException
    {
        // NOTE: the following code may not be strictly correct under
        // the current Java memory model.

        // Constructor lookup
        if (cachedConstructor == null) {
            if (this == Class.class) {
                throw new IllegalAccessException(
                    "Can not call newInstance() on the Class for java.lang.Class"
                );
            }
            try {
                final Constructor c =
                  getConstructor0(new Class[] {}, Member.DECLARED);
                // Disable accessibility checks on the constructor
                // since we have to do the security check here anyway
                // (the stack depth is wrong for the Constructor's
                // security check to work)
                java.security.AccessController.doPrivileged
                    (new java.security.PrivilegedAction() {
                            public Object run() {
                                c.setAccessible(true);
                                return null;
                            }
                        });
                cachedConstructor = c;
            } catch (NoSuchMethodException e) {
                throw new InstantiationException(getName());
            }
        }
        Constructor tmpConstructor = cachedConstructor;
        // Security check (same as in java.lang.reflect.Constructor)
        int modifiers = tmpConstructor.getModifiers();
        if (!Reflection.quickCheckMemberAccess(this, modifiers)) {
            Class caller = Reflection.getCallerClass(3);
            if (newInstanceCallerCache != caller) {
                Reflection.ensureMemberAccess(caller, this, null, modifiers);
                newInstanceCallerCache = caller;
            }
        }
        // Run constructor
        try {
            return tmpConstructor.newInstance(null);
        } catch (InvocationTargetException e) {
            Unsafe.getUnsafe().throwException(e.getTargetException());
            // Not reached
            return null;
        }
    }
    //KML private volatile transient Constructor cachedConstructor;
    //KML private volatile transient Class       newInstanceCallerCache;


    /**
     * Determines if the specified Object is assignment-compatible
     * with the object represented by this Class.  This method is
     * the dynamic equivalent of the Java language instanceof
     * operator. The method returns true if the specified
     * Object argument is non-null and can be cast to the
     * reference type represented by this Class object without
     * raising a ClassCastException. It returns false
     * otherwise.
     *
     * 
     Specifically, if this Class object represents a
     * declared class, this method returns true if the specified
     * Object argument is an instance of the represented class (or
     * of any of its subclasses); it returns false otherwise. If
     * this Class object represents an array class, this method
     * returns true if the specified Object argument
     * can be converted to an object of the array class by an identity
     * conversion or by a widening reference conversion; it returns
     * false otherwise. If this Class object
     * represents an interface, this method returns true if the
     * class or any superclass of the specified Object argument
     * implements this interface; it returns false otherwise. If
     * this Class object represents a primitive type, this method
     * returns false.
     *
     * @param   obj the object to check
     * @return  true if obj is an instance of this class
     *
     * @since JDK1.1
     */
    public native boolean isInstance(Object obj);


    /**
     * Determines if the class or interface represented by this
     * Class object is either the same as, or is a superclass or
     * superinterface of, the class or interface represented by the specified
     * Class parameter. It returns true if so;
     * otherwise it returns false. If this Class
     * object represents a primitive type, this method returns
     * true if the specified Class parameter is
     * exactly this Class object; otherwise it returns
     * false.
     *
     * 
     Specifically, this method tests whether the type represented by the
     * specified Class parameter can be converted to the type
     * represented by this Class object via an identity conversion
     * or via a widening reference conversion. See The Java Language
     * Specification, sections 5.1.1 and 5.1.4 , for details.
     * 
     * @param cls the Class object to be checked
     * @return the boolean value indicating whether objects of the
     * type cls can be assigned to objects of this class
     * @exception NullPointerException if the specified Class parameter is
     *            null.
     * @since JDK1.1
     */
    public native boolean isAssignableFrom(Class cls);


    /**
     * Determines if the specified Class object represents an
     * interface type.
     *
     * @return  true if this object represents an interface;
     *          false otherwise.
     */
    public native boolean isInterface();


    /**
     * Determines if this Class object represents an array class.
     *
     * @return  true if this object represents an array class;
     *          false otherwise.
     * @since   JDK1.1
     */
    public native boolean isArray();


    /**
     * Determines if the specified Class object represents a
     * primitive type.
     *
     * 
     There are nine predefined Class objects to represent
     * the eight primitive types and void.  These are created by the Java
     * Virtual Machine, and have the same names as the primitive types that
     * they represent, namely boolean, byte,
     * char, short, int,
     * long, float, and double.
     *
     * 
     These objects may only be accessed via the following public static
     * final variables, and are the only Class objects for which
     * this method returns true.
     *
     * @return true if and only if this class represents a primitive type
     *
     * @see     java.lang.Boolean#TYPE
     * @see     java.lang.Character#TYPE
     * @see     java.lang.Byte#TYPE
     * @see     java.lang.Short#TYPE
     * @see     java.lang.Integer#TYPE
     * @see     java.lang.Long#TYPE
     * @see     java.lang.Float#TYPE
     * @see     java.lang.Double#TYPE
     * @see     java.lang.Void#TYPE
     * @since JDK1.1
     */
    public native boolean isPrimitive();

    /**
     * Returns the  name of the entity (class, interface, array class,
     * primitive type, or void) represented by this Class object,
     * as a String.
     * 
     * 
     If this class object represents a reference type that is not an
     * array type then the binary name of the class is returned, as specified
     * by the Java Language Specification, Second Edition.
     *
     * 
     If this class object represents a primitive type or void, then the
     * name returned is a String equal to the Java language
     * keyword corresponding to the primitive type or void.
     * 
     * 
     If this class object represents a class of arrays, then the internal
     * form of the name consists of the name of the element type preceded by
     * one or more '[' characters representing the depth of the array
     * nesting.  The encoding of element type names is as follows:
     *
     * 
    
     * 
     Element Type  Encoding
     * 
     boolean       Z
     * 
     byte          B
     * 
     char          C
     * 
     class or interface   Lclassname;
     * 
     double        D
     * 
     float         F
     * 
     int           I
     * 
     long          J
     * 
     short         S
     * 
    
     *
     * 
     The class or interface name classname is the binary name of
     * the class specified above.
     *
     * 
     Examples:
     * 
         * String.class.getName()
     *     returns "java.lang.String"
     * byte.class.getName()
     *     returns "byte"
     * (new Object[3]).getClass().getName()
     *     returns "[Ljava.lang.Object;"
     * (new int[3][4][5][6][7][8][9]).getClass().getName()
     *     returns "[[[[[[[I"
     * 
    
     *
     * @return  the name of the class or interface
     *          represented by this object.
     */
    public String getName() {
      if (name == null)
          name = getName0();
      return name;
    }
 
    // cache the name to reduce the number of calls into the VM
    private transient String name;
    private native String getName0();


    /**
     * Returns the class loader for the class.  Some implementations may use
     * null to represent the bootstrap class loader. This method will return
     * null in such implementations if this class was loaded by the bootstrap
     * class loader.
     *
     * 
     If a security manager is present, and the caller's class loader is
     * not null and the caller's class loader is not the same as or an ancestor of
     * the class loader for the class whose class loader is requested, then
     * this method calls the security manager's checkPermission 
     * method with a RuntimePermission("getClassLoader") 
     * permission to ensure it's ok to access the class loader for the class.
     * 
     * 
    If this object
     * represents a primitive type or void, null is returned.
     *
     * @return  the class loader that loaded the class or interface
     *          represented by this object.
     * @throws SecurityException
     *    if a security manager exists and its 
     *    checkPermission method denies
     *    access to the class loader for the class.
     * @see java.lang.ClassLoader
     * @see SecurityManager#checkPermission
     * @see java.lang.RuntimePermission
     */
    /*KML
    public ClassLoader getClassLoader() {
        ClassLoader cl = getClassLoader0();
        if (cl == null)
            return null;
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            ClassLoader ccl = ClassLoader.getCallerClassLoader();
            if (ccl != null && ccl != cl && !cl.isAncestor(ccl)) {
                sm.checkPermission(SecurityConstants.GET_CLASSLOADER_PERMISSION);
            }
        }
        return cl;
    }
    */

    // Package-private to allow ClassLoader access
    //KML native ClassLoader getClassLoader0();


    /**
     * Returns the Class representing the superclass of the entity
     * (class, interface, primitive type or void) represented by this
     * Class.  If this Class represents either the
     * Object class, an interface, a primitive type, or void, then
     * null is returned.  If this object represents an array class then the
     * Class object representing the Object class is
     * returned.
     *
     * @return the superclass of the class represented by this object.
     */
    public native Class getSuperclass();


    /**
     * Gets the package for this class.  The class loader of this class is used
     * to find the package.  If the class was loaded by the bootstrap class
     * loader the set of packages loaded from CLASSPATH is searched to find the
     * package of the class. Null is returned if no package object was created
     * by the class loader of this class.
     *
     * 
     Packages have attributes for versions and specifications only if the
     * information was defined in the manifests that accompany the classes, and
     * if the class loader created the package instance with the attributes
     * from the manifest.
     *
     * @return the package of the class, or null if no package
     *         information is available from the archive or codebase.
     */
    /*KML
      public Package getPackage() {
        return Package.getPackage(this);
    }
    */


    /**
     * Determines the interfaces implemented by the class or interface
     * represented by this object.
     *
     * 
     If this object represents a class, the return value is an array
     * containing objects representing all interfaces implemented by the
     * class. The order of the interface objects in the array corresponds to
     * the order of the interface names in the implements clause
     * of the declaration of the class represented by this object. For 
     * example, given the declaration:
     * 
         * class Shimmer implements FloorWax, DessertTopping { ... }
     * 
    
     * suppose the value of s is an instance of 
     * Shimmer; the value of the expression:
     * 
         * s.getClass().getInterfaces()[0]
     * 
    
     * is the Class object that represents interface 
     * FloorWax; and the value of:
     * 
         * s.getClass().getInterfaces()[1]
     * 
    
     * is the Class object that represents interface 
     * DessertTopping.
     *
     * 
     If this object represents an interface, the array contains objects
     * representing all interfaces extended by the interface. The order of the
     * interface objects in the array corresponds to the order of the interface
     * names in the extends clause of the declaration of the
     * interface represented by this object.
     *
     * 
     If this object represents a class or interface that implements no
     * interfaces, the method returns an array of length 0.
     *
     * 
     If this object represents a primitive type or void, the method
     * returns an array of length 0.
     *
     * @return an array of interfaces implemented by this class.
     */
    public native Class[] getInterfaces();


    /**
     * Returns the Class representing the component type of an
     * array.  If this class does not represent an array class this method
     * returns null.
     *
     * @return the Class representing the component type of this
     * class if this class is an array
     * @see     java.lang.reflect.Array
     * @since JDK1.1
     */
    public native Class getComponentType();


    /**
     * Returns the Java language modifiers for this class or interface, encoded
     * in an integer. The modifiers consist of the Java Virtual Machine's
     * constants for public, protected,
     * private, final, static,
     * abstract and interface; they should be decoded
     * using the methods of class Modifier.
     *
     * 
     If the underlying class is an array class, then its
     * public, private and protected
     * modifiers are the same as those of its component type.  If this
     * Class represents a primitive type or void, its
     * public modifier is always true, and its
     * protected and private modifiers are always
     * false. If this object represents an array class, a
     * primitive type or void, then its final modifier is always
     * true and its interface modifier is always
     * false. The values of its other modifiers are not determined
     * by this specification.
     *
     * 
     The modifier encodings are defined in The Java Virtual Machine
     * Specification, table 4.1.
     *
     * @return the int representing the modifiers for this class
     * @see     java.lang.reflect.Modifier
     * @since JDK1.1
     */
    public native int getModifiers();


    /**
     * Gets the signers of this class.
     *
     * @return  the signers of this class, or null if there are no signers.  In
     * 		particular, this method returns null if this object represents
     * 		a primitive type or void.
     * @since 	JDK1.1
     */
    public native Object[] getSigners();
        

    /**
     * Set the signers of this class.
     */
    native void setSigners(Object[] signers);


    /**
     * If the class or interface represented by this Class object
     * is a member of another class, returns the Class object
     * representing the class in which it was declared.  This method returns
     * null if this class or interface is not a member of any other class.  If
     * this Class object represents an array class, a primitive
     * type, or void,then this method returns null.
     *
     * @return the declaring class for this class
     * @since JDK1.1
     */
    public native Class getDeclaringClass();


    /**
     * Returns an array containing Class objects representing all
     * the public classes and interfaces that are members of the class
     * represented by this Class object.  This includes public
     * class and interface members inherited from superclasses and public class
     * and interface members declared by the class.  This method returns an
     * array of length 0 if this Class object has no public member
     * classes or interfaces.  This method also returns an array of length 0 if
     * this Class object represents a primitive type, an array
     * class, or void.
     * 
     * 
    For this class and each of its superclasses, the following
     * security checks are performed:
     * If there is a security manager, the security manager's
     * checkMemberAccess method is called with this
     * and Member.PUBLIC as its arguments, where this
     * is this class or the superclass whose members are being determined. If
     * the class is in a package, then the security manager's
     * checkPackageAccess method is also called with the package
     * name as its argument. Either of these calls could result in a
     * SecurityException.
     *
     * @return the array of Class objects representing the public
     * members of this class
     * @exception SecurityException    if access to the information is denied.
     * @see       SecurityManager#checkMemberAccess(Class, int)
     * @see       SecurityManager#checkPackageAccess(String)
     *
     * @since JDK1.1
     */
    public Class[] getClasses() {
	// be very careful not to change the stack depth of this
	// checkMemberAccess call for security reasons 
	// see java.lang.SecurityManager.checkMemberAccess
        checkMemberAccess(Member.PUBLIC, ClassLoader.getCallerClassLoader());

	// Privileged so this implementation can look at DECLARED classes,
	// something the caller might not have privilege to do.  The code here
	// is allowed to look at DECLARED classes because (1) it does not hand
	// out anything other than public members and (2) public member access
	// has already been ok'd by the SecurityManager.

	Class[] result = (Class[]) java.security.AccessController.doPrivileged
	    (new java.security.PrivilegedAction() {
	        public Object run() {
		    java.util.List list = new java.util.ArrayList();
		    Class currentClass = Class.this;
		    while (currentClass != null) {
			Class[] members = currentClass.getDeclaredClasses();
			for (int i = 0; i < members.length; i++) {
			    if (Modifier.isPublic(members[i].getModifiers())) {
				list.add(members[i]);
			    }
			}
			currentClass = currentClass.getSuperclass();
		    }
		    return list.toArray(new Class[0]);
		}
	    });

        return result;
    }


    /**
     * Returns an array containing Field objects reflecting all
     * the accessible public fields of the class or interface represented by
     * this Class object.  The elements in the array returned are
     * not sorted and are not in any particular order.  This method returns an
     * array of length 0 if the class or interface has no accessible public
     * fields, or if it represents an array class, a primitive type, or void.
     *
     * 
     Specifically, if this Class object represents a class,
     * this method returns the public fields of this class and of all its
     * superclasses.  If this Class object represents an
     * interface, this method returns the fields of this interface and of all
     * its superinterfaces.
     *
     * 
    If there is a security manager, this method first
     * calls the security manager's checkMemberAccess method
     * with this and Member.PUBLIC 
     * as its arguments. If the class is in a package, then this method
     * also calls the security manager's checkPackageAccess 
     * method with the package name as its argument. Either of these calls
     * could result in a SecurityException.
     * 
     * 
     The implicit length field for array class is not reflected by this
     * method. User code should use the methods of class Array to
     * manipulate arrays.
     *
     * 
     See The Java Language Specification, sections 8.2 and 8.3.
     *
     * @return the array of Field objects representing the
     * public fields
     * @exception SecurityException    if access to the information is denied.
     * @see       java.lang.reflect.Field
     * @see       SecurityManager#checkMemberAccess(Class, int)
     * @see       SecurityManager#checkPackageAccess(String)
     * @since JDK1.1
     */

    /*KML
    public Field[] getFields() throws SecurityException {
	// be very careful not to change the stack depth of this
	// checkMemberAccess call for security reasons 
	// see java.lang.SecurityManager.checkMemberAccess
        checkMemberAccess(Member.PUBLIC, ClassLoader.getCallerClassLoader());
        return copyFields(privateGetPublicFields(null));
    }
    */


    /**
     * Returns an array containing Method objects reflecting all
     * the public member methods of the class or interface represented
     * by this Class object, including those declared by the class
     * or interface and and those inherited from superclasses and
     * superinterfaces.  The elements in the array returned are not sorted and
     * are not in any particular order.  This method returns an array of length
     * 0 if this Class object represents a class or interface that
     * has no public member methods, or if this Class object
     * represents an array class, primitive type, or void.
     *
     * 
    If there is a security manager, this method first
     * calls the security manager's checkMemberAccess method
     * with this and Member.PUBLIC 
     * as its arguments. If the class is in a package, then this method
     * also calls the security manager's checkPackageAccess 
     * method with the package name 
     * as its argument. Either of these calls could result in a SecurityException.
     * 
     * 
     The class initialization method <clinit> is not
     * included in the returned array. If the class declares multiple public
     * member methods with the same parameter types, they are all included in
     * the returned array.
     *
     * 
     See The Java Language Specification, sections 8.2 and 8.4.
     *
     * @return the array of Method objects representing the
     * public methods of this class
     * @exception SecurityException    if access to the information is denied.
     * @see       java.lang.reflect.Method
     * @see       SecurityManager#checkMemberAccess(Class, int)
     * @see       SecurityManager#checkPackageAccess(String)
     * @since JDK1.1
     */
    /*KML
    public Method[] getMethods() throws SecurityException {
	// be very careful not to change the stack depth of this
	// checkMemberAccess call for security reasons 
	// see java.lang.SecurityManager.checkMemberAccess
        checkMemberAccess(Member.PUBLIC, ClassLoader.getCallerClassLoader());
        return copyMethods(privateGetPublicMethods());
    }
    */

    /**
     * Returns an array containing Constructor objects reflecting
     * all the public constructors of the class represented by this
     * Class object.  An array of length 0 is returned if the
     * class has no public constructors, or if the class is an array class, or
     * if the class reflects a primitive type or void.
     *
     * 
    If there is a security manager, this method first
     * calls the security manager's checkMemberAccess method
     * with this and Member.PUBLIC 
     * as its arguments. If the class is in a package, then this method
     * also calls the security manager's checkPackageAccess 
     * method with the package name 
     * as its argument. Either of these calls could result in a SecurityException.
     * 
     * @return the array containing Method objects for all the
     * declared public constructors of this class matches the specified
     * parameterTypes
     * @exception SecurityException    if access to the information is denied.
     * @see       java.lang.reflect.Constructor
     * @see       SecurityManager#checkMemberAccess(Class, int)
     * @see       SecurityManager#checkPackageAccess(String)
     * @since JDK1.1
     */
    /*KML
    public Constructor[] getConstructors() throws SecurityException {
	// be very careful not to change the stack depth of this
	// checkMemberAccess call for security reasons 
	// see java.lang.SecurityManager.checkMemberAccess
        checkMemberAccess(Member.PUBLIC, ClassLoader.getCallerClassLoader());
        return copyConstructors(privateGetDeclaredConstructors(true));
    }
    */


    /**
     * Returns a Field object that reflects the specified public
     * member field of the class or interface represented by this
     * Class object. The name parameter is a
     * String specifying the simple name of the desired field.
     *
     * 
    If there is a security manager, this method first
     * calls the security manager's checkMemberAccess method
     * with this and Member.PUBLIC 
     * as its arguments. If the class is in a package, then this method
     * also calls the security manager's checkPackageAccess 
     * method with the package name 
     * as its argument. Either of these calls could result in a SecurityException.
     *
     * 
     The field to be reflected is determined by the algorithm that
     * follows.  Let C be the class represented by this object:
     * 
      
     * 
    1.  If C declares a public field with the name specified, that is the
     *      field to be reflected.
      2. 
     * 
    2.  If no field was found in step 1 above, this algorithm is applied
     * 	    recursively to each direct superinterface of C. The direct
     * 	    superinterfaces are searched in the order they were declared.
      3. 
     * 
    3.  If no field was found in steps 1 and 2 above, and C has a
     *      superclass S, then this algorithm is invoked recursively upon S.
     *      If C has no superclass, then a NoSuchFieldException
     *      is thrown.
      4. 
     * 
    
     *
     * 
     See The Java Language Specification, sections 8.2 and 8.3.
     * 
     * @param name the field name
     * @return  the Field object of this class specified by 
     * name
     * @exception NoSuchFieldException if a field with the specified name is
     *              not found.
     * @exception NullPointerException if name is null
     * @exception SecurityException    if access to the information is denied.
     * @see       java.lang.reflect.Field
     * @see       SecurityManager#checkMemberAccess(Class, int)
     * @see       SecurityManager#checkPackageAccess(String)
     * @since JDK1.1
     */
    /*KML
    public Field getField(String name)
        throws NoSuchFieldException, SecurityException {
	// be very careful not to change the stack depth of this
	// checkMemberAccess call for security reasons 
	// see java.lang.SecurityManager.checkMemberAccess
        checkMemberAccess(Member.PUBLIC, ClassLoader.getCallerClassLoader());
        Field field = getField0(name);
        if (field == null) {
            throw new NoSuchFieldException(name);
        }
        return field;
    }
    */


    /**
     * Returns a Method object that reflects the specified public
     * member method of the class or interface represented by this
     * Class object. The name parameter is a
     * String specifying the simple name the desired method. The
     * parameterTypes parameter is an array of Class
     * objects that identify the method's formal parameter types, in declared
     * order. If parameterTypes is null, it is 
     * treated as if it were an empty array.
     *
     * 
    If there is a security manager, this method first
     * calls the security manager's checkMemberAccess method
     * with this and Member.PUBLIC 
     * as its arguments. If the class is in a package, then this method
     * also calls the security manager's checkPackageAccess 
     * method with the package name 
     * as its argument. Either of these calls could result in a SecurityException.
     *
     * 
     If the name is "<init>"or "<clinit>" a
     * NoSuchMethodException is raised. Otherwise, the method to
     * be reflected is determined by the algorithm that follows.  Let C be the
     * class represented by this object:
     * 
      
     * 
    1.  C is searched for any matching methods. If no matching
     * 	    method is found, the algorithm of step 1 is invoked recursively on
     * 	    the superclass of C.
      2. 
     * 
    2.  If no method was found in step 1 above, the superinterfaces of C
     *      are searched for a matching method. If any such method is found, it
     *      is reflected.
      3. 
     * 
    
     *
     * To find a matching method in a class C:  If C declares exactly one
     * public method with the specified name and exactly the same formal
     * parameter types, that is the method reflected. If more than one such
     * method is found in C, and one of these methods has a return type that is
     * more specific than any of the others, that method is reflected;
     * otherwise one of the methods is chosen arbitrarily.
     *
     * 
     See The Java Language Specification, sections 8.2 and 8.4.
     *
     * @param name the name of the method
     * @param parameterTypes the list of parameters
     * @return the Method object that matches the specified
     * name and parameterTypes
     * @exception NoSuchMethodException if a matching method is not found
     *            or if the name is "<init>"or "<clinit>".
     * @exception NullPointerException if name is null
     * @exception SecurityException    if access to the information is denied.
     * @see       java.lang.reflect.Method
     * @see       SecurityManager#checkMemberAccess(Class, int)
     * @see       SecurityManager#checkPackageAccess(String)
     * @since JDK1.1
     */
    /*KML
    public Method getMethod(String name, Class[] parameterTypes)
        throws NoSuchMethodException, SecurityException {
	// be very careful not to change the stack depth of this
	// checkMemberAccess call for security reasons 
	// see java.lang.SecurityManager.checkMemberAccess
        checkMemberAccess(Member.PUBLIC, ClassLoader.getCallerClassLoader());
        Method method = getMethod0(name, parameterTypes);
        if (method == null) {
            throw new NoSuchMethodException(getName() + "." + name + argumentTypesToString(parameterTypes));
        }
        return method;
    }
    */

    /**
     * Returns a Constructor object that reflects the specified
     * public constructor of the class represented by this Class
     * object. The parameterTypes parameter is an array of
     * Class objects that identify the constructor's formal
     * parameter types, in declared order.
     *
     * 
     The constructor to reflect is the public constructor of the class
     * represented by this Class object whose formal parameter
     * types match those specified by parameterTypes.
     *
     * 
    If there is a security manager, this method first
     * calls the security manager's checkMemberAccess method
     * with this and Member.PUBLIC 
     * as its arguments. If the class is in a package, then this method
     * also calls the security manager's checkPackageAccess method
     * with the package name as its argument. Either of these calls could
     * result in a SecurityException.
     *
     * @param parameterTypes the parameter array
     * @return the Method object of the public constructor that
     * matches the specified parameterTypes
     * @exception NoSuchMethodException if a matching method is not found.
     * @exception SecurityException     if access to the information is denied.
     * @see       java.lang.reflect.Constructor
     * @see       SecurityManager#checkMemberAccess(Class, int)
     * @see       SecurityManager#checkPackageAccess(String)
     * @since JDK1.1
     */
    /*KML
    public Constructor getConstructor(Class[] parameterTypes)
        throws NoSuchMethodException, SecurityException {
	// be very careful not to change the stack depth of this
	// checkMemberAccess call for security reasons 
	// see java.lang.SecurityManager.checkMemberAccess
        checkMemberAccess(Member.PUBLIC, ClassLoader.getCallerClassLoader());
        return getConstructor0(parameterTypes, Member.PUBLIC);
    }
    */


    /**
     * Returns an array of Class objects reflecting all the
     * classes and interfaces declared as members of the class represented by
     * this Class object. This includes public, protected, default
     * (package) access, and private classes and interfaces declared by the
     * class, but excludes inherited classes and interfaces.  This method
     * returns an array of length 0 if the class declares no classes or
     * interfaces as members, or if this Class object represents a
     * primitive type, an array class, or void.
     *
     * 
    If there is a security manager, this method first
     * calls the security manager's checkMemberAccess method
     * with this and Member.DECLARED 
     * as its arguments. If the class is in a package, then this method also
     * calls the security manager's checkPackageAccess method with
     * the package name as its argument. Either of these calls could result in
     * a SecurityException.
     *
     * @return the array of Class objects representing all the 
     * declared members of this class
     * @exception SecurityException    if access to the information is denied.
     * @see       SecurityManager#checkMemberAccess(Class, int)
     * @see       SecurityManager#checkPackageAccess(String)
     * @since JDK1.1
     */
    public Class[] getDeclaredClasses() throws SecurityException {
	// be very careful not to change the stack depth of this
	// checkMemberAccess call for security reasons 
	// see java.lang.SecurityManager.checkMemberAccess
        checkMemberAccess(Member.DECLARED, ClassLoader.getCallerClassLoader());
        return getDeclaredClasses0();
    }


    /**
     * Returns an array of Field objects reflecting all the fields
     * declared by the class or interface represented by this
     * Class object. This includes public, protected, default
     * (package) access, and private fields, but excludes inherited fields.
     * The elements in the array returned are not sorted and are not in any
     * particular order.  This method returns an array of length 0 if the class
     * or interface declares no fields, or if this Class object
     * represents a primitive type, an array class, or void.
     *
     * 
     See The Java Language Specification, sections 8.2 and 8.3.
     *
     * 
    If there is a security manager, this method first
     * calls the security manager's checkMemberAccess method with
     * this and Member.DECLARED as its arguments. If
     * the class is in a package, then this method also calls the security
     * manager's checkPackageAccess method with the package name
     * as its argument. Either of these calls could result in a
     * SecurityException.
     *
     * @return    the array of Field objects representing all the
     * declared fields of this class
     * @exception SecurityException    if access to the information is denied.
     * @see       java.lang.reflect.Field
     * @see       SecurityManager#checkMemberAccess(Class, int)
     * @see       SecurityManager#checkPackageAccess(String)
     * @since JDK1.1
     */
    /*KML
    public Field[] getDeclaredFields() throws SecurityException {
	// be very careful not to change the stack depth of this
	// checkMemberAccess call for security reasons 
	// see java.lang.SecurityManager.checkMemberAccess
        checkMemberAccess(Member.DECLARED, ClassLoader.getCallerClassLoader());
        return copyFields(privateGetDeclaredFields(false));
    }
    */



    /**
     * Returns an array of Method objects reflecting all the
     * methods declared by the class or interface represented by this
     * Class object. This includes public, protected, default
     * (package) access, and private methods, but excludes inherited methods.
     * The elements in the array returned are not sorted and are not in any
     * particular order.  This method returns an array of length 0 if the class
     * or interface declares no methods, or if this Class object
     * represents a primitive type, an array class, or void.  The class
     * initialization method <clinit> is not included in the
     * returned array. If the class declares multiple public member methods
     * with the same parameter types, they are all included in the returned
     * array.
     *
     * 
     See The Java Language Specification, section 8.2.
     *
     * 
    If there is a security manager, this method first
     * calls the security manager's checkMemberAccess method
     * with this and Member.DECLARED 
     * as its arguments. If the class is in a package, then this method
     * also calls the security manager's checkPackageAccess method
     * with the package name as its argument. Either of these calls could
     * result in a SecurityException.
     *
     * @return    the array of Method objects representing all the
     * declared methods of this class
     * @exception SecurityException    if access to the information is denied.
     * @see       java.lang.reflect.Method
     * @see       SecurityManager#checkMemberAccess(Class, int)
     * @see       SecurityManager#checkPackageAccess(String)
     * @since JDK1.1
     */
    /*KML
    public Method[] getDeclaredMethods() throws SecurityException {
	// be very careful not to change the stack depth of this
	// checkMemberAccess call for security reasons 
	// see java.lang.SecurityManager.checkMemberAccess
        checkMemberAccess(Member.DECLARED, ClassLoader.getCallerClassLoader());
        return copyMethods(privateGetDeclaredMethods(false));
    }
    */


    /**
     * Returns an array of Constructor objects reflecting all the
     * constructors declared by the class represented by this
     * Class object. These are public, protected, default
     * (package) access, and private constructors.  The elements in the array
     * returned are not sorted and are not in any particular order.  If the
     * class has a default constructor, it is included in the returned array.
     * This method returns an array of length 0 if this Class
     * object represents an interface, a primitive type, an array class, or
     * void.
     *
     * 
     See The Java Language Specification, section 8.2.
     *
     * 
    If there is a security manager, this method first
     * calls the security manager's checkMemberAccess method
     * with this and Member.DECLARED 
     * as its arguments. If the class is in a package, then this method
     * also calls the security manager's checkPackageAccess method
     * with the package name as its argument. Either of these calls could
     * result in a SecurityException.
     *
     * @return    the array of Method objects representing all the
     * declared constructors of this class
     * @exception SecurityException    if access to the information is denied.
     * @see       java.lang.reflect.Constructor
     * @see       SecurityManager#checkMemberAccess(Class, int)
     * @see       SecurityManager#checkPackageAccess(String)
     * @since JDK1.1
     */
    /*KML
    public Constructor[] getDeclaredConstructors() throws SecurityException {
	// be very careful not to change the stack depth of this
	// checkMemberAccess call for security reasons 
	// see java.lang.SecurityManager.checkMemberAccess
        checkMemberAccess(Member.DECLARED, ClassLoader.getCallerClassLoader());
        return copyConstructors(privateGetDeclaredConstructors(false));
    }
    */


    /**
     * Returns a Field object that reflects the specified declared
     * field of the class or interface represented by this Class
     * object. The name parameter is a String that
     * specifies the simple name of the desired field.  Note that this method
     * will not reflect the length field of an array class.
     *
     * 
    If there is a security manager, this method first
     * calls the security manager's checkMemberAccess method
     * with this and Member.DECLARED 
     * as its arguments. If the class is in a package, then this method
     * also calls the security manager's checkPackageAccess method
     * with the package name as its argument. Either of these calls could
     * result in a SecurityException.
     *
     * @param name the name of the field
     * @return the Field object for the specified field in this
     * class
     * @exception NoSuchFieldException if a field with the specified name is
     *              not found.
     * @exception NullPointerException if name is null
     * @exception SecurityException    if access to the information is denied.
     * @see       java.lang.reflect.Field
     * @see       SecurityManager#checkMemberAccess(Class, int)
     * @see       SecurityManager#checkPackageAccess(String)
     * @since JDK1.1
     */
    /*KML
    public Field getDeclaredField(String name)
        throws NoSuchFieldException, SecurityException {
	// be very careful not to change the stack depth of this
	// checkMemberAccess call for security reasons 
	// see java.lang.SecurityManager.checkMemberAccess
        checkMemberAccess(Member.DECLARED, ClassLoader.getCallerClassLoader());
        Field field = searchFields(privateGetDeclaredFields(false), name);
        if (field == null) {
            throw new NoSuchFieldException(name);
        }
        return field;
    }
    */

    /**
     * Returns a Method object that reflects the specified
     * declared method of the class or interface represented by this
     * Class object. The name parameter is a
     * String that specifies the simple name of the desired
     * method, and the parameterTypes parameter is an array of
     * Class objects that identify the method's formal parameter
     * types, in declared order.  If more than one method with the same
     * parameter types is declared in a class, and one of these methods has a
     * return type that is more specific than any of the others, that method is
     * returned; otherwise one of the methods is chosen arbitrarily.  If the
     * name is "<init>"or "<clinit>" a NoSuchMethodException
     * is raised.
     *
     * 
    If there is a security manager, this method first
     * calls the security manager's checkMemberAccess method
     * with this and Member.DECLARED 
     * as its arguments. If the class is in a package, then this method also
     * calls the security manager's checkPackageAccess method with
     * the package name as its argument. Either of these calls could result in
     * a SecurityException.
     *
     * @param name the name of the method
     * @param parameterTypes the parameter array
     * @return    the Method object for the method of this class
     * matching the specified name and parameters
     * @exception NoSuchMethodException if a matching method is not found.
     * @exception NullPointerException if name is null
     * @exception SecurityException     if access to the information is denied.
     * @see       java.lang.reflect.Method
     * @see       SecurityManager#checkMemberAccess(Class, int)
     * @see       SecurityManager#checkPackageAccess(String)
     * @since JDK1.1
     */
    /*KML
    public Method getDeclaredMethod(String name, Class[] parameterTypes)
        throws NoSuchMethodException, SecurityException {
	// be very careful not to change the stack depth of this
	// checkMemberAccess call for security reasons 
	// see java.lang.SecurityManager.checkMemberAccess
        checkMemberAccess(Member.DECLARED, ClassLoader.getCallerClassLoader());
        Method method = searchMethods(privateGetDeclaredMethods(false), name, parameterTypes);
        if (method == null) {
            throw new NoSuchMethodException(getName() + "." + name + argumentTypesToString(parameterTypes));
        }
        return method;
    }
    */

    /**
     * Returns a Constructor object that reflects the specified
     * constructor of the class or interface represented by this
     * Class object.  The parameterTypes parameter is
     * an array of Class objects that identify the constructor's
     * formal parameter types, in declared order.
     *
     * 
    If there is a security manager, this method first
     * calls the security manager's checkMemberAccess method
     * with this and Member.DECLARED 
     * as its arguments. If the class is in a package, then this method
     * also calls the security manager's checkPackageAccess 
     * method with the package name 
     * as its argument. Either of these calls could result in a SecurityException.
     *
     * @param parameterTypes the parameter array
     * @return    The Method object for the constructor with the
     * specified parameter list
     * @exception NoSuchMethodException if a matching method is not found.
     * @exception SecurityException     if access to the information is denied.
     * @see       java.lang.reflect.Constructor
     * @see       SecurityManager#checkMemberAccess(Class, int)
     * @see       SecurityManager#checkPackageAccess(String)
     * @since JDK1.1
     */
    /*KML
    public Constructor getDeclaredConstructor(Class[] parameterTypes)
        throws NoSuchMethodException, SecurityException {
	// be very careful not to change the stack depth of this
	// checkMemberAccess call for security reasons 
	// see java.lang.SecurityManager.checkMemberAccess
        checkMemberAccess(Member.DECLARED, ClassLoader.getCallerClassLoader());
        return getConstructor0(parameterTypes, Member.DECLARED);
    }
    */


    /**
     * Finds a resource with a given name.  This method returns null if no
     * resource with this name is found.  The rules for searching
     * resources associated with a given class are implemented by the
     * defining class loader of the class.
     *
     * 
     This method delegates the call to its class loader, after making
     * these changes to the resource name: if the resource name starts with
     * "/", it is unchanged; otherwise, the package name is prepended to the
     * resource name after converting "." to "/".  If this object was loaded by
     * the bootstrap loader, the call is delegated to
     * ClassLoader.getSystemResourceAsStream.
     *
     * @param name  name of the desired resource
     * @return      a java.io.InputStream object.
     * @throws NullPointerException if name is null.
     * @see         java.lang.ClassLoader
     * @since JDK1.1
     */
    /*KML
    public InputStream getResourceAsStream(String name) {
        name = resolveName(name);
        ClassLoader cl = getClassLoader0();
        if (cl==null) {
            // A system class.
            return ClassLoader.getSystemResourceAsStream(name);
        }
        return cl.getResourceAsStream(name);
    }
    */


    /**
     * Finds a resource with a given name.  This method returns null if no
     * resource with this name is found.  The rules for searching resources
     * associated with a given class are implemented by the * defining class
     * loader of the class.
     *
     * 
     This method delegates the call to its class loader, after making
     * these changes to the resource name: if the resource name starts with
     * "/", it is unchanged; otherwise, the package name is prepended to the
     * resource name after converting "." to "/".  If this object was loaded by
     * the bootstrap loader, the call is delegated to
     * ClassLoader.getSystemResource.
     *
     * @param name  name of the desired resource
     * @return      a java.net.URL object.
     * @see         java.lang.ClassLoader
     * @since JDK1.1
     */
    /*KML
    public java.net.URL getResource(String name) {
        name = resolveName(name);
        ClassLoader cl = getClassLoader0();
        if (cl==null) {
            // A system class.
            return ClassLoader.getSystemResource(name);
        }
        return cl.getResource(name);
    }
    */



    /** protection domain returned when the internal domain is null */
    //KML private static java.security.ProtectionDomain allPermDomain;


    /**
     * Returns the ProtectionDomain of this class.  If there is a
     * security manager installed, this method first calls the security
     * manager's checkPermission method with a
     * RuntimePermission("getProtectionDomain") permission to
     * ensure it's ok to get the
     * ProtectionDomain.
     *
     * @return the ProtectionDomain of this class
     *
     * @throws SecurityException
     *        if a security manager exists and its 
     *        checkPermission method doesn't allow 
     *        getting the ProtectionDomain.
     *
     * @see java.security.ProtectionDomain
     * @see SecurityManager#checkPermission
     * @see java.lang.RuntimePermission
     * @since 1.2
     */
    /*KML
    public java.security.ProtectionDomain getProtectionDomain() {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(SecurityConstants.GET_PD_PERMISSION);
        }
        java.security.ProtectionDomain pd = getProtectionDomain0();
        if (pd == null) {
            if (allPermDomain == null) {
                java.security.Permissions perms = 
                    new java.security.Permissions();
                perms.add(SecurityConstants.ALL_PERMISSION);
                allPermDomain = 
                    new java.security.ProtectionDomain(null, perms);
            }
            pd = allPermDomain;
        }
        return pd;
    }
    */


    /**
     * Returns the ProtectionDomain of this class.
     */
    //KML private native java.security.ProtectionDomain getProtectionDomain0();


    /**
     * Set the ProtectionDomain for this class. Called by
     * ClassLoader.defineClass.
     */
    //KML native void setProtectionDomain0(java.security.ProtectionDomain pd);


    /*
     * Return the Virtual Machine's Class object for the named
     * primitive type.
     */
    static native Class getPrimitiveClass(String name);


    /*
     * Check if client is allowed to access members.  If access is denied,
     * throw a SecurityException.
     *
     * Be very careful not to change the stack depth of this checkMemberAccess
     * call for security reasons reasons see
     * java.lang.SecurityManager.checkMemberAccess
     *
     * 
     Default policy: allow all clients access with normal Java access
     * control.
     */
    /*KML
    private void checkMemberAccess(int which, ClassLoader ccl) {
        SecurityManager s = System.getSecurityManager();
        if (s != null) {
            s.checkMemberAccess(this, which);
	    ClassLoader cl = getClassLoader0();
            if ((ccl != null) && (ccl != cl) && 
                  ((cl == null) || !cl.isAncestor(ccl))) {
		String name = this.getName();
		int i = name.lastIndexOf('.');
		if (i != -1) {
		    s.checkPackageAccess(name.substring(0, i));
		}
	    }
	}
    }
    */

    /**
     * Add a package name prefix if the name is not absolute Remove leading "/"
     * if name is absolute
     */
    private String resolveName(String name) {
        if (name == null) {
            return name;
        }
        if (!name.startsWith("/")) {
            Class c = this;
            while (c.isArray()) {
                c = c.getComponentType();
            }
            String baseName = c.getName();
            int index = baseName.lastIndexOf('.');
            if (index != -1) {
                name = baseName.substring(0, index).replace('.', '/')
                    +"/"+name;
            }
        } else {
            name = name.substring(1);
        }
        return name;
    }

    /**
     * Reflection support.
     */

    // Caches for certain reflective results
    /*KML
    private static boolean useCaches = true;
    private volatile transient SoftReference declaredFields;
    private volatile transient SoftReference publicFields;
    private volatile transient SoftReference declaredMethods;
    private volatile transient SoftReference publicMethods;
    private volatile transient SoftReference declaredConstructors;
    private volatile transient SoftReference publicConstructors;
    // Intermediate results for getFields and getMethods
    private volatile transient SoftReference declaredPublicFields;
    private volatile transient SoftReference declaredPublicMethods;
    */

    //
    //
    // java.lang.reflect.Field handling
    //
    //

    // Returns an array of "root" fields. These Field objects must NOT
    // be propagated to the outside world, but must instead be copied
    // via ReflectionFactory.copyField.
    /*KML
    private Field[] privateGetDeclaredFields(boolean publicOnly) {
        checkInitted();
        Field[] res = null;
        if (useCaches) {
            if (publicOnly) {
                if (declaredPublicFields != null) {
                    res = (Field[]) declaredPublicFields.get();
                }
            } else {
                if (declaredFields != null) {
                    res = (Field[]) declaredFields.get();
                }
            }
            if (res != null) return res;
        }
        // No cached value available; request value from VM
        res = getDeclaredFields0(publicOnly);
        if (useCaches) {
            if (publicOnly) {
                declaredPublicFields = new SoftReference(res);
            } else {
                declaredFields = new SoftReference(res);
            }
        }
        return res;
    }
    */

    // Returns an array of "root" fields. These Field objects must NOT
    // be propagated to the outside world, but must instead be copied
    // via ReflectionFactory.copyField.
    /*KML
    private Field[] privateGetPublicFields(Set traversedInterfaces) {
        checkInitted();
        Field[] res = null;
        if (useCaches) {
            if (publicFields != null) {
                res = (Field[]) publicFields.get();
            }
            if (res != null) return res;
        }

        // No cached value available; compute value recursively.
        // Traverse in correct order for getField().
        List fields = new ArrayList();
        if (traversedInterfaces == null) {
            traversedInterfaces = new HashSet();
        }
        
        // Local fields
        Field[] tmp = privateGetDeclaredFields(true);
        addAll(fields, tmp);

        // Direct superinterfaces, recursively
        Class[] interfaces = getInterfaces();
        for (int i = 0; i < interfaces.length; i++) {
            Class c = interfaces[i];
            if (!traversedInterfaces.contains(c)) {
                traversedInterfaces.add(c);
                addAll(fields, c.privateGetPublicFields(traversedInterfaces));
            }
        }

        // Direct superclass, recursively
        if (!isInterface()) {
            Class c = getSuperclass();
            if (c != null) {
                addAll(fields, c.privateGetPublicFields(traversedInterfaces));
            }
        }

        res = new Field[fields.size()];
        fields.toArray(res);
        if (useCaches) {
            publicFields = new SoftReference(res);
        }
        return res;
    }
    */

    /*KML
    private static void addAll(Collection c, Field[] o) {
        for (int i = 0; i < o.length; i++) {
            c.add(o[i]);
        }
    }
    */

    //
    //
    // java.lang.reflect.Constructor handling
    //
    //

    // Returns an array of "root" constructors. These Constructor
    // objects must NOT be propagated to the outside world, but must
    // instead be copied via ReflectionFactory.copyConstructor.
    /*KML
      private Constructor[] privateGetDeclaredConstructors(boolean publicOnly) {
        checkInitted();
        Constructor[] res = null;
        if (useCaches) {
            if (publicOnly) {
                if (publicConstructors != null) {
                    res = (Constructor[]) publicConstructors.get();
                }
            } else {
                if (declaredConstructors != null) {
                    res = (Constructor[]) declaredConstructors.get();
                }
            }
            if (res != null) return res;
        }
        // No cached value available; request value from VM
        if (isInterface()) {
            res = new Constructor[0];
        } else {
            res = getDeclaredConstructors0(publicOnly);
        }
        if (useCaches) {
            if (publicOnly) {
                publicConstructors = new SoftReference(res);
            } else {
                declaredConstructors = new SoftReference(res);
            }
        }
        return res;
    }
    */

    //
    //
    // java.lang.reflect.Method handling
    //
    //

    // Returns an array of "root" methods. These Method objects must NOT
    // be propagated to the outside world, but must instead be copied
    // via ReflectionFactory.copyMethod.
    /*KML
      private Method[] privateGetDeclaredMethods(boolean publicOnly) {
        checkInitted();
        Method[] res = null;
        if (useCaches) {
            if (publicOnly) {
                if (declaredPublicMethods != null) {
                    res = (Method[]) declaredPublicMethods.get();
                }
            } else {
                if (declaredMethods != null) {
                    res = (Method[]) declaredMethods.get();
                }
            }
            if (res != null) return res;
        }
        // No cached value available; request value from VM
        res = getDeclaredMethods0(publicOnly);
        if (useCaches) {
            if (publicOnly) {
                declaredPublicMethods = new SoftReference(res);
            } else {
                declaredMethods = new SoftReference(res);
            }
        }
        return res;
    }
    */

    static class MethodArray {
        private Method[] methods;
        private int length;

        MethodArray() {
            methods = new Method[20];
            length = 0;
        }
        
        void add(Method m) {
            if (length == methods.length) {
                Method[] newMethods = new Method[2 * methods.length];
                System.arraycopy(methods, 0, newMethods, 0, methods.length);
                methods = newMethods;
            }
            methods[length++] = m;
        }

        void addAll(Method[] ma) {
            for (int i = 0; i < ma.length; i++) {
                add(ma[i]);
            }
        }

        void addAll(MethodArray ma) {
            for (int i = 0; i < ma.length(); i++) {
                add(ma.get(i));
            }
        }

        void addIfNotPresent(Method newMethod) {
            for (int i = 0; i < length; i++) {
                Method m = methods[i];
                if (m == newMethod || (m != null && m.equals(newMethod))) {
                    return;
                }
            }
            add(newMethod);
        }

        void addAllIfNotPresent(MethodArray newMethods) {
            for (int i = 0; i < newMethods.length(); i++) {
                Method m = newMethods.get(i);
                if (m != null) {
                    addIfNotPresent(m);
                }
            }
        }

        int length() {
            return length;
        }

        Method get(int i) {
            return methods[i];
        }

        void removeByNameAndSignature(Method toRemove) {
            for (int i = 0; i < length; i++) {
                Method m = methods[i];
                if (m != null &&
                    m.getReturnType() == toRemove.getReturnType() &&
                    m.getName() == toRemove.getName() &&
                    arrayContentsEq(m.getParameterTypes(),
                                    toRemove.getParameterTypes())) {
                    methods[i] = null;
                }
            }
        }

        void compactAndTrim() {
            int newPos = 0;
            // Get rid of null slots
            for (int pos = 0; pos < length; pos++) {
                Method m = methods[pos];
                if (m != null) {
                    if (pos != newPos) {
                        methods[newPos] = m;
                    }
                    newPos++;
                }
            }
            if (newPos != methods.length) {
                Method[] newMethods = new Method[newPos];
                System.arraycopy(methods, 0, newMethods, 0, newPos);
                methods = newMethods;
            }
        }

        Method[] getArray() {
            return methods;
        }
    }


    // Returns an array of "root" methods. These Method objects must NOT
    // be propagated to the outside world, but must instead be copied
    // via ReflectionFactory.copyMethod.
    /*KML
      private Method[] privateGetPublicMethods() {
        checkInitted();
        Method[] res = null;
        if (useCaches) {
            if (publicMethods != null) {
                res = (Method[]) publicMethods.get();
            }
            if (res != null) return res;
        }

        // No cached value available; compute value recursively.
        // Start by fetching public declared methods
        MethodArray methods = new MethodArray();
        {
            Method[] tmp = privateGetDeclaredMethods(true);
            methods.addAll(tmp);
        }
        // Now recur over superclass and direct superinterfaces.
        // Go over superinterfaces first so we can more easily filter
        // out concrete implementations inherited from superclasses at
        // the end.
        MethodArray inheritedMethods = new MethodArray();
        Class[] interfaces = getInterfaces();
        for (int i = 0; i < interfaces.length; i++) {
            inheritedMethods.addAll(interfaces[i].privateGetPublicMethods());
        }
        if (!isInterface()) {
            Class c = getSuperclass();
            if (c != null) {
                MethodArray supers = new MethodArray();
                supers.addAll(c.privateGetPublicMethods());
                // Filter out concrete implementations of any
                // interface methods
                for (int i = 0; i < supers.length(); i++) {
                    Method m = supers.get(i);
                    if (m != null && !Modifier.isAbstract(m.getModifiers())) {
                        inheritedMethods.removeByNameAndSignature(m);
                    }
                }
                // Insert superclass's inherited methods before
                // superinterfaces' to satisfy getMethod's search
                // order
                supers.addAll(inheritedMethods);
                inheritedMethods = supers;
            }
        }
        // Filter out all local methods from inherited ones
        for (int i = 0; i < methods.length(); i++) {
            Method m = methods.get(i);
            inheritedMethods.removeByNameAndSignature(m);
        }
        methods.addAllIfNotPresent(inheritedMethods);
        methods.compactAndTrim();
        res = methods.getArray();
        if (useCaches) {
            publicMethods = new SoftReference(res);
        }
        return res;
    }
    */


    //
    // Helpers for fetchers of one field, method, or constructor
    //

    /*KML
    private Field searchFields(Field[] fields, String name) {
        String internedName = name.intern();
        for (int i = 0; i < fields.length; i++) {
            if (fields[i].getName() == internedName) {
                return getReflectionFactory().copyField(fields[i]);
            }
        }
        return null;
    }
    */

    /*KML
    private Field getField0(String name) throws NoSuchFieldException {
        // Note: the intent is that the search algorithm this routine
        // uses be equivalent to the ordering imposed by
        // privateGetPublicFields(). It fetches only the declared
        // public fields for each class, however, to reduce the number
        // of Field objects which have to be created for the common
        // case where the field being requested is declared in the
        // class which is being queried.
        Field res = null;
        // Search declared public fields
        if ((res = searchFields(privateGetDeclaredFields(true), name)) != null) {
            return res;
        }
        // Direct superinterfaces, recursively
        Class[] interfaces = getInterfaces();
        for (int i = 0; i < interfaces.length; i++) {
            Class c = interfaces[i];
            if ((res = c.getField0(name)) != null) {
                return res;
            }
        }
        // Direct superclass, recursively
        if (!isInterface()) {
            Class c = getSuperclass();
            if (c != null) {
                if ((res = c.getField0(name)) != null) {
                    return res;
                }
            }
        }
        return null;
    }
    */

    /*KML
    private static Method searchMethods(Method[] methods,
                                        String name,
                                        Class[] parameterTypes)
    {
 	Method res = null;
        String internedName = name.intern();
        for (int i = 0; i < methods.length; i++) {
	    Method m = methods[i];
            if (m.getName() == internedName
		&& arrayContentsEq(parameterTypes, m.getParameterTypes())
		&& (res == null
		    || res.getReturnType().isAssignableFrom(m.getReturnType())))
		res = m;
        }

	return (res == null ? res : getReflectionFactory().copyMethod(res));
    }
    *.
  

    private Method getMethod0(String name, Class[] parameterTypes) {
        // Note: the intent is that the search algorithm this routine
        // uses be equivalent to the ordering imposed by
        // privateGetPublicMethods(). It fetches only the declared
        // public methods for each class, however, to reduce the
        // number of Method objects which have to be created for the
        // common case where the method being requested is declared in
        // the class which is being queried.
        Method res = null;
        // Search declared public methods
        if ((res = searchMethods(privateGetDeclaredMethods(true),
                                 name,
                                 parameterTypes)) != null) {
            return res;
        }
        // Search superclass's methods
        if (!isInterface()) {
            Class c = getSuperclass();
            if (c != null) {
                if ((res = c.getMethod0(name, parameterTypes)) != null) {
                    return res;
                }
            }
        }
        // Search superinterfaces' methods
        Class[] interfaces = getInterfaces();
        for (int i = 0; i < interfaces.length; i++) {
            Class c = interfaces[i];
            if ((res = c.getMethod0(name, parameterTypes)) != null) {
                return res;
            }
        }
        // Not found
        return null;
    }

    private Constructor getConstructor0(Class[] parameterTypes,
                                        int which) throws NoSuchMethodException
    {
        Constructor[] constructors = privateGetDeclaredConstructors((which == Member.PUBLIC));
        for (int i = 0; i < constructors.length; i++) {
            if (arrayContentsEq(parameterTypes,
                                constructors[i].getParameterTypes())) {
                return getReflectionFactory().copyConstructor(constructors[i]);
            }
        }
        throw new NoSuchMethodException(getName() + "." + argumentTypesToString(parameterTypes));
    }

    //
    // Other helpers and base implementation
    //

    private static boolean arrayContentsEq(Object[] a1, Object[] a2) {
        if (a1 == null) {
            return a2 == null || a2.length == 0;
        }

        if (a2 == null) {
            return a1.length == 0;
        }

        if (a1.length != a2.length) {
            return false;
        }

        for (int i = 0; i < a1.length; i++) {
            if (a1[i] != a2[i]) {
                return false;
            }
        }

        return true;
    }

    private static Field[] copyFields(Field[] arg) {
        Field[] out = new Field[arg.length];
        ReflectionFactory fact = getReflectionFactory();
        for (int i = 0; i < arg.length; i++) {
            out[i] = fact.copyField(arg[i]);
        }
        return out;
    }

    private static Method[] copyMethods(Method[] arg) {
        Method[] out = new Method[arg.length];
        ReflectionFactory fact = getReflectionFactory();
        for (int i = 0; i < arg.length; i++) {
            out[i] = fact.copyMethod(arg[i]);
        }
        return out;
    }

    private static Constructor[] copyConstructors(Constructor[] arg) {
        Constructor[] out = new Constructor[arg.length];
        ReflectionFactory fact = getReflectionFactory();
        for (int i = 0; i < arg.length; i++) {
            out[i] = fact.copyConstructor(arg[i]);
        }
        return out;
    }

    private native Field[]       getDeclaredFields0(boolean publicOnly);
    private native Method[]      getDeclaredMethods0(boolean publicOnly);
    private native Constructor[] getDeclaredConstructors0(boolean publicOnly);
    private native Class[]       getDeclaredClasses0();

    private static String        argumentTypesToString(Class[] argTypes) {
        StringBuffer buf = new StringBuffer();
        buf.append("(");
        if (argTypes != null) {
            for (int i = 0; i < argTypes.length; i++) {
                if (i > 0) {
                    buf.append(", ");
                }
		Class c = argTypes[i];
		buf.append((c == null) ? "null" : c.getName());
            }
        }
        buf.append(")");
        return buf.toString();
    }

    /** use serialVersionUID from JDK 1.1 for interoperability */
    private static final long serialVersionUID = 3206093459760846163L;


    /**
     * Class Class is special cased within the Serialization Stream Protocol. 
     *
     * A Class instance is written intially into an ObjectOutputStream in the 
     * following format:
     * 
         *      TC_CLASS ClassDescriptor
     *      A ClassDescriptor is a special cased serialization of 
     *      a java.io.ObjectStreamClass instance. 
     * 
    
     * A new handle is generated for the initial time the class descriptor
     * is written into the stream. Future references to the class descriptor
     * are written as references to the initial class descriptor instance.
     *
     * @see java.io.ObjectStreamClass
     */
    /*KML
      private static final ObjectStreamField[] serialPersistentFields = 
        ObjectStreamClass.NO_FIELDS;
    */


    /**
     * Returns the assertion status that would be assigned to this
     * class if it were to be initialized at the time this method is invoked.
     * If this class has had its assertion status set, the most recent
     * setting will be returned; otherwise, if any package default assertion
     * status pertains to this class, the most recent setting for the most
     * specific pertinent package default assertion status is returned;
     * otherwise, if this class is not a system class (i.e., it has a
     * class loader) its class loader's default assertion status is returned;
     * otherwise, the system class default assertion status is returned.
     * 
    
     * Few programmers will have any need for this method; it is provided
     * for the benefit of the JRE itself.  (It allows a class to determine at
     * the time that it is initialized whether assertions should be enabled.)
     * Note that this method is not guaranteed to return the actual
     * assertion status that was (or will be) associated with the specified
     * class when it was (or will be) initialized.
     *
     * @return the desired assertion status of the specified class.
     * @see    java.lang.ClassLoader#setClassAssertionStatus
     * @see    java.lang.ClassLoader#setPackageAssertionStatus
     * @see    java.lang.ClassLoader#setDefaultAssertionStatus
     * @since  1.4
     */
    public boolean desiredAssertionStatus() {
        ClassLoader loader = getClassLoader();
        // If the loader is null this is a system class, so ask the VM
        if (loader == null)
            return desiredAssertionStatus0(this);

        synchronized(loader) {
            // If the classloader has been initialized with
            // the assertion directives, ask it. Otherwise,
            // ask the VM.
            return (loader.classAssertionStatus == null ?
                    desiredAssertionStatus0(this) :
                    loader.desiredAssertionStatus(getName()));
        }
    }

    // Retrieves the desired assertion status of this class from the VM
    private static native boolean desiredAssertionStatus0(Class clazz);

    // Fetches the factory for reflective objects
    /*KML
    private static ReflectionFactory getReflectionFactory() {
        if (reflectionFactory == null) {
            reflectionFactory =  (ReflectionFactory)
                java.security.AccessController.doPrivileged
                    (new sun.reflect.ReflectionFactory.GetReflectionFactoryAction());
        }
        return reflectionFactory;
    }
    */
    //KML private static ReflectionFactory reflectionFactory;

    // To be able to query system properties as soon as they're available
    private static boolean initted = false;
    private static void checkInitted() {
        if (initted) return;
        AccessController.doPrivileged(new PrivilegedAction() {
                public Object run() {
                    // Tests to ensure the system properties table is fully
                    // initialized. This is needed because reflection code is
                    // called very early in the initialization process (before
                    // command-line arguments have been parsed and therefore
                    // these user-settable properties installed.) We assume that
                    // if System.out is non-null then the System class has been
                    // fully initialized and that the bulk of the startup code
                    // has been run.

                    if (System.out == null) {
                        // java.lang.System not yet fully initialized
                        return null;
                    }

                    String val =
                        System.getProperty("sun.reflect.noCaches");
                    if (val != null && val.equals("true")) {
                        useCaches = false;
                    }
          
                    initted = true;
                    return null;
                }
            });
    }

}
why-2.39/lib/java_api/java/lang/Object.java0000644000106100004300000005615113147234006017474 0ustar  marchevals/*
 * @(#)Object.java	1.61 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.lang;

/**
 * Class Object is the root of the class hierarchy. 
 * Every class has Object as a superclass. All objects, 
 * including arrays, implement the methods of this class. 
 *
 * @author  unascribed
 * @version 1.61, 01/23/03
 * @see     java.lang.Class
 * @since   JDK1.0
 */
public class Object {

    private static native void registerNatives();
    static {
        registerNatives();
    }

    /**
     * Returns the runtime class of an object. That Class 
     * object is the object that is locked by static synchronized 
     * methods of the represented class.
     *
     * @return  the object of type Class that represents the
     *          runtime class of the object.
     */
    /*KML
    public final native Class getClass();
    */

    /**
     * Returns a hash code value for the object. This method is 
     * supported for the benefit of hashtables such as those provided by 
     * java.util.Hashtable. 
     * 
    
     * The general contract of hashCode is: 
     * 
      
     * 
    • Whenever it is invoked on the same object more than once during 
     *     an execution of a Java application, the hashCode method 
     *     must consistently return the same integer, provided no information 
     *     used in equals comparisons on the object is modified.
     *     This integer need not remain consistent from one execution of an
     *     application to another execution of the same application. 
     * 
    • If two objects are equal according to the equals(Object)
     *     method, then calling the hashCode method on each of 
     *     the two objects must produce the same integer result. 
     * 
    • It is not required that if two objects are unequal 
     *     according to the {@link java.lang.Object#equals(java.lang.Object)} 
     *     method, then calling the hashCode method on each of the 
     *     two objects must produce distinct integer results.  However, the 
     *     programmer should be aware that producing distinct integer results 
     *     for unequal objects may improve the performance of hashtables.
     * 
    
     * 
    
     * As much as is reasonably practical, the hashCode method defined by 
     * class Object does return distinct integers for distinct 
     * objects. (This is typically implemented by converting the internal 
     * address of the object into an integer, but this implementation 
     * technique is not required by the 
     * JavaTM programming language.)
     *
     * @return  a hash code value for this object.
     * @see     java.lang.Object#equals(java.lang.Object)
     * @see     java.util.Hashtable
     */
    public native int hashCode();

    /**
     * Indicates whether some other object is "equal to" this one.
     * 
    
     * The equals method implements an equivalence relation
     * on non-null object references:
     * 
      
     * 
    • It is reflexive: for any non-null reference value
     *     x, x.equals(x) should return
     *     true.
     * 
    • It is symmetric: for any non-null reference values
     *     x and y, x.equals(y)
     *     should return true if and only if
     *     y.equals(x) returns true.
     * 
    • It is transitive: for any non-null reference values
     *     x, y, and z, if
     *     x.equals(y) returns true and
     *     y.equals(z) returns true, then
     *     x.equals(z) should return true.
     * 
    • It is consistent: for any non-null reference values
     *     x and y, multiple invocations of
     *     x.equals(y) consistently return true
     *     or consistently return false, provided no
     *     information used in equals comparisons on the
     *     objects is modified.
     * 
    • For any non-null reference value x,
     *     x.equals(null) should return false.
     * 
    
     * 
    
     * The equals method for class Object implements 
     * the most discriminating possible equivalence relation on objects; 
     * that is, for any non-null reference values x and
     * y, this method returns true if and only
     * if x and y refer to the same object
     * (x == y has the value true).
     * 
    
     * Note that it is generally necessary to override the hashCode
     * method whenever this method is overridden, so as to maintain the
     * general contract for the hashCode method, which states
     * that equal objects must have equal hash codes. 
     *
     * @param   obj   the reference object with which to compare.
     * @return  true if this object is the same as the obj
     *          argument; false otherwise.
     * @see     #hashCode()
     * @see     java.util.Hashtable
     */
    public boolean equals(Object obj) {
	return (this == obj);
    }

    /**
     * Creates and returns a copy of this object.  The precise meaning 
     * of "copy" may depend on the class of the object. The general 
     * intent is that, for any object x, the expression:
     * 
    
     * 
         * x.clone() != x
    
     * will be true, and that the expression:
     * 
    
     * 
         * x.clone().getClass() == x.getClass()
    
     * will be true, but these are not absolute requirements. 
     * While it is typically the case that:
     * 
    
     * 
         * x.clone().equals(x)
    
     * will be true, this is not an absolute requirement. 
     * 
    
     * By convention, the returned object should be obtained by calling
     * super.clone.  If a class and all of its superclasses (except
     * Object) obey this convention, it will be the case that
     * x.clone().getClass() == x.getClass().
     * 
    
     * By convention, the object returned by this method should be independent
     * of this object (which is being cloned).  To achieve this independence,
     * it may be necessary to modify one or more fields of the object returned
     * by super.clone before returning it.  Typically, this means
     * copying any mutable objects that comprise the internal "deep structure"
     * of the object being cloned and replacing the references to these
     * objects with references to the copies.  If a class contains only
     * primitive fields or references to immutable objects, then it is usually
     * the case that no fields in the object returned by super.clone
     * need to be modified.
     * 
    
     * The method clone for class Object performs a 
     * specific cloning operation. First, if the class of this object does 
     * not implement the interface Cloneable, then a 
     * CloneNotSupportedException is thrown. Note that all arrays 
     * are considered to implement the interface Cloneable. 
     * Otherwise, this method creates a new instance of the class of this 
     * object and initializes all its fields with exactly the contents of 
     * the corresponding fields of this object, as if by assignment; the
     * contents of the fields are not themselves cloned. Thus, this method 
     * performs a "shallow copy" of this object, not a "deep copy" operation.
     * 
    
     * The class Object does not itself implement the interface 
     * Cloneable, so calling the clone method on an object 
     * whose class is Object will result in throwing an
     * exception at run time.
     *
     * @return     a clone of this instance.
     * @exception  CloneNotSupportedException  if the object's class does not
     *               support the Cloneable interface. Subclasses
     *               that override the clone method can also
     *               throw this exception to indicate that an instance cannot
     *               be cloned.
     * @see java.lang.Cloneable
     */
    protected native Object clone() throws CloneNotSupportedException;

    /**
     * Returns a string representation of the object. In general, the 
     * toString method returns a string that 
     * "textually represents" this object. The result should 
     * be a concise but informative representation that is easy for a 
     * person to read.
     * It is recommended that all subclasses override this method.
     * 
    
     * The toString method for class Object 
     * returns a string consisting of the name of the class of which the 
     * object is an instance, the at-sign character `@', and 
     * the unsigned hexadecimal representation of the hash code of the 
     * object. In other words, this method returns a string equal to the 
     * value of:
     * 
    
     * 
         * getClass().getName() + '@' + Integer.toHexString(hashCode())
     * 
    
     *
     * @return  a string representation of the object.
     */
    public String toString() {
	//KML return getClass().getName() + "@" + Integer.toHexString(hashCode());
    }

    /**
     * Wakes up a single thread that is waiting on this object's 
     * monitor. If any threads are waiting on this object, one of them 
     * is chosen to be awakened. The choice is arbitrary and occurs at 
     * the discretion of the implementation. A thread waits on an object's 
     * monitor by calling one of the wait methods.
     * 
    
     * The awakened thread will not be able to proceed until the current 
     * thread relinquishes the lock on this object. The awakened thread will 
     * compete in the usual manner with any other threads that might be 
     * actively competing to synchronize on this object; for example, the 
     * awakened thread enjoys no reliable privilege or disadvantage in being 
     * the next thread to lock this object.
     * 
    
     * This method should only be called by a thread that is the owner 
     * of this object's monitor. A thread becomes the owner of the 
     * object's monitor in one of three ways: 
     * 
      
     * 
    • By executing a synchronized instance method of that object. 
     * 
    • By executing the body of a synchronized statement 
     *     that synchronizes on the object. 
     * 
    • For objects of type Class, by executing a 
     *     synchronized static method of that class. 
     * 
    
     * 
    
     * Only one thread at a time can own an object's monitor. 
     *
     * @exception  IllegalMonitorStateException  if the current thread is not
     *               the owner of this object's monitor.
     * @see        java.lang.Object#notifyAll()
     * @see        java.lang.Object#wait()
     */
    public final native void notify();

    /**
     * Wakes up all threads that are waiting on this object's monitor. A 
     * thread waits on an object's monitor by calling one of the 
     * wait methods.
     * 
    
     * The awakened threads will not be able to proceed until the current 
     * thread relinquishes the lock on this object. The awakened threads 
     * will compete in the usual manner with any other threads that might 
     * be actively competing to synchronize on this object; for example, 
     * the awakened threads enjoy no reliable privilege or disadvantage in 
     * being the next thread to lock this object.
     * 
    
     * This method should only be called by a thread that is the owner 
     * of this object's monitor. See the notify method for a 
     * description of the ways in which a thread can become the owner of 
     * a monitor. 
     *
     * @exception  IllegalMonitorStateException  if the current thread is not
     *               the owner of this object's monitor.
     * @see        java.lang.Object#notify()
     * @see        java.lang.Object#wait()
     */
    public final native void notifyAll();

    /**
     * Causes current thread to wait until either another thread invokes the 
     * {@link java.lang.Object#notify()} method or the 
     * {@link java.lang.Object#notifyAll()} method for this object, or a 
     * specified amount of time has elapsed. 
     * 
    
     * The current thread must own this object's monitor. 
     * 
    
     * This method causes the current thread (call it T) to 
     * place itself in the wait set for this object and then to relinquish 
     * any and all synchronization claims on this object. Thread T 
     * becomes disabled for thread scheduling purposes and lies dormant 
     * until one of four things happens:
     * 
      
     * 
    • Some other thread invokes the notify method for this 
     * object and thread T happens to be arbitrarily chosen as 
     * the thread to be awakened. 
     * 
    • Some other thread invokes the notifyAll method for this 
     * object. 
     * 
    • Some other thread {@link java.lang.Thread#interrupt() interrupts} 
     * thread T. 
     * 
    • The specified amount of real time has elapsed, more or less.  If 
     * timeout is zero, however, then real time is not taken into 
     * consideration and the thread simply waits until notified. 
     * 
    
     * The thread T is then removed from the wait set for this 
     * object and re-enabled for thread scheduling. It then competes in the 
     * usual manner with other threads for the right to synchronize on the 
     * object; once it has gained control of the object, all its 
     * synchronization claims on the object are restored to the status quo 
     * ante - that is, to the situation as of the time that the wait 
     * method was invoked. Thread T then returns from the 
     * invocation of the wait method. Thus, on return from the 
     * wait method, the synchronization state of the object and of 
     * thread T is exactly as it was when the wait method 
     * was invoked. 
     * 
    
     * If the current thread is 
     * {@link java.lang.Thread#interrupt() interrupted} by another thread 
     * while it is waiting, then an InterruptedException is thrown. 
     * This exception is not thrown until the lock status of this object has 
     * been restored as described above.
     * 
    
     * Note that the wait method, as it places the current thread 
     * into the wait set for this object, unlocks only this object; any 
     * other objects on which the current thread may be synchronized remain 
     * locked while the thread waits.
     * 
    
     * This method should only be called by a thread that is the owner 
     * of this object's monitor. See the notify method for a 
     * description of the ways in which a thread can become the owner of 
     * a monitor. 
     *
     * @param      timeout   the maximum time to wait in milliseconds.
     * @exception  IllegalArgumentException      if the value of timeout is
     *		     negative.
     * @exception  IllegalMonitorStateException  if the current thread is not
     *               the owner of the object's monitor.
     * @exception  InterruptedException if another thread has interrupted
     *             the current thread.  The interrupted status of the
     *             current thread is cleared when this exception is thrown.
     * @see        java.lang.Object#notify()
     * @see        java.lang.Object#notifyAll()
     */
    public final native void wait(long timeout) throws InterruptedException;

    /**
     * Causes current thread to wait until another thread invokes the 
     * {@link java.lang.Object#notify()} method or the 
     * {@link java.lang.Object#notifyAll()} method for this object, or 
     * some other thread interrupts the current thread, or a certain 
     * amount of real time has elapsed. 
     * 
    
     * This method is similar to the wait method of one 
     * argument, but it allows finer control over the amount of time to 
     * wait for a notification before giving up. The amount of real time, 
     * measured in nanoseconds, is given by:
     * 
    
     * 
         * 1000000*timeout+nanos
    
     * 
    
     * In all other respects, this method does the same thing as the 
     * method {@link #wait(long)} of one argument. In particular, 
     * wait(0, 0) means the same thing as wait(0).
     * 
    
     * The current thread must own this object's monitor. The thread 
     * releases ownership of this monitor and waits until either of the 
     * following two conditions has occurred: 
     * 
      
     * 
    • Another thread notifies threads waiting on this object's monitor 
     *     to wake up either through a call to the notify method 
     *     or the notifyAll method. 
     * 
    • The timeout period, specified by timeout 
     *     milliseconds plus nanos nanoseconds arguments, has 
     *     elapsed. 
     * 
    
     * 
    
     * The thread then waits until it can re-obtain ownership of the 
     * monitor and resumes execution.
     * 
    
     * This method should only be called by a thread that is the owner 
     * of this object's monitor. See the notify method for a 
     * description of the ways in which a thread can become the owner of 
     * a monitor. 
     *
     * @param      timeout   the maximum time to wait in milliseconds.
     * @param      nanos      additional time, in nanoseconds range
     *                       0-999999.
     * @exception  IllegalArgumentException      if the value of timeout is
     *			    negative or the value of nanos is
     *			    not in the range 0-999999.
     * @exception  IllegalMonitorStateException  if the current thread is not
     *               the owner of this object's monitor.
     * @exception  InterruptedException if another thread has interrupted
     *             the current thread.  The interrupted status of the
     *             current thread is cleared when this exception is thrown.
     */
    public final void wait(long timeout, int nanos) throws InterruptedException {
        if (timeout < 0) {
            throw new IllegalArgumentException("timeout value is negative");
        }

        if (nanos < 0 || nanos > 999999) {
            throw new IllegalArgumentException(
				"nanosecond timeout value out of range");
        }

	if (nanos >= 500000 || (nanos != 0 && timeout == 0)) {
	    timeout++;
	}

	wait(timeout);
    }

    /**
     * Causes current thread to wait until another thread invokes the 
     * {@link java.lang.Object#notify()} method or the 
     * {@link java.lang.Object#notifyAll()} method for this object. 
     * In other words, this method behaves exactly as if it simply 
     * performs the call wait(0).
     * 
    
     * The current thread must own this object's monitor. The thread 
     * releases ownership of this monitor and waits until another thread 
     * notifies threads waiting on this object's monitor to wake up 
     * either through a call to the notify method or the 
     * notifyAll method. The thread then waits until it can 
     * re-obtain ownership of the monitor and resumes execution. 
     * 
    
     * This method should only be called by a thread that is the owner 
     * of this object's monitor. See the notify method for a 
     * description of the ways in which a thread can become the owner of 
     * a monitor. 
     *
     * @exception  IllegalMonitorStateException  if the current thread is not
     *               the owner of the object's monitor.
     * @exception  InterruptedException if another thread has interrupted
     *             the current thread.  The interrupted status of the
     *             current thread is cleared when this exception is thrown.
     * @see        java.lang.Object#notify()
     * @see        java.lang.Object#notifyAll()
     */
    public final void wait() throws InterruptedException {
	wait(0);
    }

    /**
     * Called by the garbage collector on an object when garbage collection
     * determines that there are no more references to the object.
     * A subclass overrides the finalize method to dispose of
     * system resources or to perform other cleanup. 
     * 
    
     * The general contract of finalize is that it is invoked 
     * if and when the JavaTM virtual 
     * machine has determined that there is no longer any
     * means by which this object can be accessed by any thread that has
     * not yet died, except as a result of an action taken by the
     * finalization of some other object or class which is ready to be
     * finalized. The finalize method may take any action, including
     * making this object available again to other threads; the usual purpose
     * of finalize, however, is to perform cleanup actions before 
     * the object is irrevocably discarded. For example, the finalize method 
     * for an object that represents an input/output connection might perform
     * explicit I/O transactions to break the connection before the object is
     * permanently discarded. 
     * 
    
     * The finalize method of class Object performs no 
     * special action; it simply returns normally. Subclasses of 
     * Object may override this definition.
     * 
    
     * The Java programming language does not guarantee which thread will 
     * invoke the finalize method for any given object. It is 
     * guaranteed, however, that the thread that invokes finalize will not 
     * be holding any user-visible synchronization locks when finalize is 
     * invoked. If an uncaught exception is thrown by the finalize method, 
     * the exception is ignored and finalization of that object terminates.
     * 
    
     * After the finalize method has been invoked for an object, no 
     * further action is taken until the Java virtual machine has again 
     * determined that there is no longer any means by which this object can 
     * be accessed by any thread that has not yet died, including possible
     * actions by other objects or classes which are ready to be finalized, 
     * at which point the object may be discarded.
     * 
    
     * The finalize method is never invoked more than once by a Java
     * virtual machine for any given object.
     * 
    
     * Any exception thrown by the finalize method causes 
     * the finalization of this object to be halted, but is otherwise 
     * ignored. 
     *
     * @throws Throwable the Exception raised by this method
     */
    protected void finalize() throws Throwable { }
}
why-2.39/lib/java_api/java/lang/Long.java0000644000106100004300000010256513147234006017166 0ustar  marchevals/*
 * @(#)Long.java	1.66 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.lang;

/**
 * The Long class wraps a value of the primitive type
 * long in an object. An object of type Long
 * contains a single field whose type is long.
 *
 * 
     
 *
 * In addition, this class provides several methods for converting a
 * long to a String and a
 * String to a long, as well as other
 * constants and methods useful when dealing with a long.
 *
 * @author  Lee Boynton
 * @author  Arthur van Hoff
 * @version 1.66, 01/23/03
 * @since   JDK1.0
 */
public final class Long extends Number implements Comparable {
    /**
     * A constant holding the minimum value a long can
     * have, -263.
     */
    public static final long MIN_VALUE = 0x8000000000000000L;

    /**
     * A constant holding the maximum value a long can
     * have, 263-1.
     */
    public static final long MAX_VALUE = 0x7fffffffffffffffL;

    /**
     * The Class instance representing the primitive type
     * long.
     *
     * @since   JDK1.1
     */
    public static final Class	TYPE = Class.getPrimitiveClass("long");

    /**
     * Returns a string representation of the first argument in the
     * radix specified by the second argument.
     * 
    
     * If the radix is smaller than Character.MIN_RADIX
     * or larger than Character.MAX_RADIX, then the radix
     * 10 is used instead.
     * 
    
     * If the first argument is negative, the first element of the
     * result is the ASCII minus sign '-'
     * ('\u002d'). If the first argument is not
     * negative, no sign character appears in the result.
     * 
    
     * The remaining characters of the result represent the magnitude
     * of the first argument. If the magnitude is zero, it is
     * represented by a single zero character '0'
     * ('\u0030'); otherwise, the first character of
     * the representation of the magnitude will not be the zero
     * character.  The following ASCII characters are used as digits:
     * 
         *   0123456789abcdefghijklmnopqrstuvwxyz
     * 
    
     * These are '\u0030' through
     * '\u0039' and '\u0061' through
     * '\u007a'. If radix is
     * N, then the first N of these characters
     * are used as radix-N digits in the order shown. Thus,
     * the digits for hexadecimal (radix 16) are
     * 0123456789abcdef. If uppercase letters are
     * desired, the {@link java.lang.String#toUpperCase()} method may
     * be called on the result:
     * 
         * Long.toString(n, 16).toUpperCase()
     * 
    
     * 
     * @param   i       a longto be converted to a string.
     * @param   radix   the radix to use in the string representation.
     * @return  a string representation of the argument in the specified radix.
     * @see     java.lang.Character#MAX_RADIX
     * @see     java.lang.Character#MIN_RADIX
     */
    public static String toString(long i, int radix) {
        if (radix < Character.MIN_RADIX || radix > Character.MAX_RADIX)
	    radix = 10;
        if (radix == 10)
            return toString(i);
        char[] buf = new char[65];
        int charPos = 64;
        boolean negative = (i < 0);

        if (!negative) {
            i = -i;
        }

        while (i <= -radix) {
            buf[charPos--] = Integer.digits[(int)(-(i % radix))];
            i = i / radix;
        }
        buf[charPos] = Integer.digits[(int)(-i)];

        if (negative) { 
            buf[--charPos] = '-';
        }

        return new String(buf, charPos, (65 - charPos));
    }

    /**
     * Returns a string representation of the long
     * argument as an unsigned integer in base 16.
     * 
    
     * The unsigned long value is the argument plus
     * 264 if the argument is negative; otherwise, it is
     * equal to the argument.  This value is converted to a string of
     * ASCII digits in hexadecimal (base 16) with no extra
     * leading 0s.  If the unsigned magnitude is zero, it
     * is represented by a single zero character '0'
     * ('\u0030'); otherwise, the first character of
     * the representation of the unsigned magnitude will not be the
     * zero character. The following characters are used as
     * hexadecimal digits:
     * 
         * 0123456789abcdef
     * 
    
     * These are the characters '\u0030' through
     * '\u0039' and  '\u0061' through
     * '\u0066'.  If uppercase letters are desired,
     * the {@link java.lang.String#toUpperCase()} method may be called
     * on the result:
     * 
         * Long.toHexString(n).toUpperCase()
     * 
    
     *
     * @param   i   a long to be converted to a string.
     * @return  the string representation of the unsigned long
     * 		value represented by the argument in hexadecimal
     *		(base 16).
     * @since   JDK 1.0.2
     */
    public static String toHexString(long i) {
	return toUnsignedString(i, 4);
    }

    /**
     * Returns a string representation of the long
     * argument as an unsigned integer in base 8.
     * 
    
     * The unsigned long value is the argument plus
     * 264 if the argument is negative; otherwise, it is
     * equal to the argument.  This value is converted to a string of
     * ASCII digits in octal (base 8) with no extra leading
     * 0s.
     * 
    
     * If the unsigned magnitude is zero, it is represented by a
     * single zero character '0'
     * ('\u0030'); otherwise, the first character of
     * the representation of the unsigned magnitude will not be the
     * zero character. The following characters are used as octal
     * digits:
     * 
         * 01234567
     * 
    
     * These are the characters '\u0030' through 
     * '\u0037'. 
     *
     * @param   i   a long to be converted to a string.
     * @return  the string representation of the unsigned long 
     *		value represented by the argument in octal (base 8).
     * @since   JDK 1.0.2
     */
    public static String toOctalString(long i) {
	return toUnsignedString(i, 3);
    }

    /**
     * Returns a string representation of the long
     * argument as an unsigned integer in base 2.
     * 
    
     * The unsigned long value is the argument plus
     * 264 if the argument is negative; otherwise, it is
     * equal to the argument.  This value is converted to a string of
     * ASCII digits in binary (base 2) with no extra leading
     * 0s.  If the unsigned magnitude is zero, it is
     * represented by a single zero character '0'
     * ('\u0030'); otherwise, the first character of
     * the representation of the unsigned magnitude will not be the
     * zero character. The characters '0'
     * ('\u0030') and '1'
     * ('\u0031') are used as binary digits.
     *
     * @param   i   a long to be converted to a string.
     * @return  the string representation of the unsigned long 
     *          value represented by the argument in binary (base 2).
     * @since   JDK 1.0.2
     */
    public static String toBinaryString(long i) {
	return toUnsignedString(i, 1);
    }

    /**
     * Convert the integer to an unsigned number.
     */
    private static String toUnsignedString(long i, int shift) {
	char[] buf = new char[64];
	int charPos = 64;
	int radix = 1 << shift;
	long mask = radix - 1;
	do {
	    buf[--charPos] = Integer.digits[(int)(i & mask)];
	    i >>>= shift;
	} while (i != 0);
	return new String(buf, charPos, (64 - charPos));
    }

    /**
     * Returns a String object representing the specified
     * long.  The argument is converted to signed decimal
     * representation and returned as a string, exactly as if the
     * argument and the radix 10 were given as arguments to the {@link
     * #toString(long, int)} method.
     *
     * @param   i   a long to be converted.
     * @return  a string representation of the argument in base 10.
     */
    public static String toString(long i) {
        if (i == Long.MIN_VALUE)
            return "-9223372036854775808";
        char[] buf = (char[])(perThreadBuffer.get());
        int charPos = getChars(i, buf);
        return new String(buf, charPos, (20 - charPos));
    }

    // Per-thread buffer for string/stringbuffer conversion
    /*KML
      private static ThreadLocal perThreadBuffer = new ThreadLocal() {
        protected synchronized Object initialValue() {
            return new char[20];
        }
    };
    */

    private static int getChars(long i, char[] buf) {
        long q;
        int r;
        int charPos = 20;
        char sign = 0;

        if (i < 0) {
            sign = '-';
            i = -i;
        }

        // Get 2 digits/iteration using longs until quotient fits into an int
        while (i > Integer.MAX_VALUE) { 
            q = i / 100;
            // really: r = i - (q * 100);
            r = (int)(i - ((q << 6) + (q << 5) + (q << 2)));
            i = q;
            buf[--charPos] = Integer.DigitOnes[r];
            buf[--charPos] = Integer.DigitTens[r];
        }

        // Get 2 digits/iteration using ints
        int q2;
        int i2 = (int)i;
        while (i2 >= 65536) {
            q2 = i2 / 100;
            // really: r = i2 - (q * 100);
            r = i2 - ((q2 << 6) + (q2 << 5) + (q2 << 2));
            i2 = q2;
            buf[--charPos] = Integer.DigitOnes[r];
            buf[--charPos] = Integer.DigitTens[r];
        }

        // Fall thru to fast mode for smaller numbers
        // assert(i2 <= 65536, i2);
        for (;;) {
            q2 = (i2 * 52429) >>> (16+3);
            r = i2 - ((q2 << 3) + (q2 << 1));  // r = i2-(q2*10) ...
            buf[--charPos] = Integer.digits[r];
            i2 = q2;
            if (i2 == 0) break;
        }
        if (sign != 0) {
            buf[--charPos] = sign;
        }
        return charPos;
    }

    static void appendTo(long i, StringBuffer sb) {
        if (i == Long.MIN_VALUE) {
            sb.append("-9223372036854775808");
            return;
        }
        char[] buf = (char[])(perThreadBuffer.get());
        int charPos = getChars(i, buf);
        sb.append(buf, charPos, (20 - charPos));
        return;
    }

    /**
     * Parses the string argument as a signed long in the
     * radix specified by the second argument. The characters in the
     * string must all be digits of the specified radix (as determined
     * by whether {@link java.lang.Character#digit(char, int)} returns
     * a nonnegative value), except that the first character may be an
     * ASCII minus sign '-' ('\u002D') to
     * indicate a negative value. The resulting long
     * value is returned.
     * 
    
     * Note that neither the character L
     * ('\u004C') nor l
     * ('\u006C') is permitted to appear at the end
     * of the string as a type indicator, as would be permitted in
     * Java programming language source code - except that either
     * L or l may appear as a digit for a
     * radix greater than 22.
     * 
    
     * An exception of type NumberFormatException is
     * thrown if any of the following situations occurs:
     * 
      
     * 
    • The first argument is null or is a string of
     * length zero.
     * 
    • The radix is either smaller than {@link
     * java.lang.Character#MIN_RADIX} or larger than {@link
     * java.lang.Character#MAX_RADIX}.
     * 
    • Any character of the string is not a digit of the specified
     * radix, except that the first character may be a minus sign
     * '-' ('\u002d') provided that the
     * string is longer than length 1.
     * 
    • The value represented by the string is not a value of type
     *      long. 
     * 
    
     * Examples:
     * 
         * parseLong("0", 10) returns 0L
     * parseLong("473", 10) returns 473L
     * parseLong("-0", 10) returns 0L
     * parseLong("-FF", 16) returns -255L
     * parseLong("1100110", 2) returns 102L
     * parseLong("99", 8) throws a NumberFormatException
     * parseLong("Hazelnut", 10) throws a NumberFormatException
     * parseLong("Hazelnut", 36) returns 1356099454469L
     * 
    
     * 
     * @param      s       the String containing the
     *                     long representation to be parsed.
     * @param      radix   the radix to be used while parsing s.
     * @return     the long represented by the string argument in
     *             the specified radix.
     * @exception  NumberFormatException  if the string does not contain a
     *               parsable long.
     */
    public static long parseLong(String s, int radix)
              throws NumberFormatException
    {
        if (s == null) {
            throw new NumberFormatException("null");
        }

	if (radix < Character.MIN_RADIX) {
	    throw new NumberFormatException("radix " + radix +
					    " less than Character.MIN_RADIX");
	}
	if (radix > Character.MAX_RADIX) {
	    throw new NumberFormatException("radix " + radix +
					    " greater than Character.MAX_RADIX");
	}

	long result = 0;
	boolean negative = false;
	int i = 0, max = s.length();
	long limit;
	long multmin;
	int digit;

	if (max > 0) {
	    if (s.charAt(0) == '-') {
		negative = true;
		limit = Long.MIN_VALUE;
		i++;
	    } else {
		limit = -Long.MAX_VALUE;
	    }
	    multmin = limit / radix;
            if (i < max) {
                digit = Character.digit(s.charAt(i++),radix);
		if (digit < 0) {
		    throw NumberFormatException.forInputString(s);
		} else {
		    result = -digit;
		}
	    }
	    while (i < max) {
		// Accumulating negatively avoids surprises near MAX_VALUE
		digit = Character.digit(s.charAt(i++),radix);
		if (digit < 0) {
		    throw NumberFormatException.forInputString(s);
		}
		if (result < multmin) {
		    throw NumberFormatException.forInputString(s);
		}
		result *= radix;
		if (result < limit + digit) {
		    throw NumberFormatException.forInputString(s);
		}
		result -= digit;
	    }
	} else {
	    throw NumberFormatException.forInputString(s);
	}
	if (negative) {
	    if (i > 1) {
		return result;
	    } else {	/* Only got "-" */
		throw NumberFormatException.forInputString(s);
	    }
	} else {
	    return -result;
	}
    }

    /**
     * Parses the string argument as a signed decimal
     * long.  The characters in the string must all be
     * decimal digits, except that the first character may be an ASCII
     * minus sign '-' (\u002D') to
     * indicate a negative value. The resulting long
     * value is returned, exactly as if the argument and the radix
     * 10 were given as arguments to the {@link
     * #parseLong(java.lang.String, int)} method.
     * 
    
     * Note that neither the character L
     * ('\u004C') nor l
     * ('\u006C') is permitted to appear at the end
     * of the string as a type indicator, as would be permitted in
     * Java programming language source code.
     *
     * @param      s   a String containing the long
     *             representation to be parsed
     * @return     the long represented by the argument in 
     *		   decimal.
     * @exception  NumberFormatException  if the string does not contain a
     *               parsable long.
     */
    public static long parseLong(String s) throws NumberFormatException {
	return parseLong(s, 10);
    }

    /**
     * Returns a Long object holding the value
     * extracted from the specified String when parsed
     * with the radix given by the second argument.  The first
     * argument is interpreted as representing a signed
     * long in the radix specified by the second
     * argument, exactly as if the arguments were given to the {@link
     * #parseLong(java.lang.String, int)} method. The result is a
     * Long object that represents the long
     * value specified by the string.
     * 
    
     * In other words, this method returns a Long object equal 
     * to the value of:
     *
     * 
    
     * new Long(Long.parseLong(s, radix))
     * 
    
     *
     * @param      s       the string to be parsed
     * @param      radix   the radix to be used in interpreting s
     * @return     a Long object holding the value
     *             represented by the string argument in the specified
     *             radix.
     * @exception  NumberFormatException  If the String does not
     *             contain a parsable long.
     */
    public static Long valueOf(String s, int radix) throws NumberFormatException {
	return new Long(parseLong(s, radix));
    }

    /**
     * Returns a Long object holding the value
     * of the specified String. The argument is
     * interpreted as representing a signed decimal long,
     * exactly as if the argument were given to the {@link
     * #parseLong(java.lang.String)} method. The result is a
     * Long object that represents the integer value
     * specified by the string.
     * 
    
     * In other words, this method returns a Long object
     * equal to the value of:
     *
     * 
         * new Long(Long.parseLong(s))
     * 
    
     *
     * @param      s   the string to be parsed.
     * @return     a Long object holding the value
     *             represented by the string argument.
     * @exception  NumberFormatException  If the string cannot be parsed
     *              as a long.
     */
    public static Long valueOf(String s) throws NumberFormatException
    {
	return new Long(parseLong(s, 10));
    }

    /**
     * Decodes a String into a Long.
     * Accepts decimal, hexadecimal, and octal numbers given by the
     * following grammar:
     *
     * 
    
     * 
    
     * 
    DecodableString:
     * 
    Signopt DecimalNumeral
     * 
    Signopt 0x HexDigits
     * 
    Signopt 0X HexDigits
     * 
    Signopt # HexDigits
     * 
    Signopt 0 OctalDigits
     * 
    
     * 
    Sign:
     * 
    -
     * 
    
     * 
    
     *
     * DecimalNumeral, HexDigits, and OctalDigits
     * are defined in §3.10.1 
     * of the Java 
     * Language Specification.
     * 
    
     * The sequence of characters following an (optional) negative
     * sign and/or radix specifier ("0x",
     * "0X", "#", or
     * leading zero) is parsed as by the Long.parseLong
     * method with the indicated radix (10, 16, or 8).  This sequence
     * of characters must represent a positive value or a {@link
     * NumberFormatException} will be thrown.  The result is negated
     * if first character of the specified String is the
     * minus sign.  No whitespace characters are permitted in the
     * String.
     *
     * @param     nm the String to decode.
     * @return    a Long object holding the long
     *		  value represented by nm
     * @exception NumberFormatException  if the String does not
     *            contain a parsable long.
     * @see java.lang.Long#parseLong(String, int)
     * @since 1.2
     */
    public static Long decode(String nm) throws NumberFormatException {
        int radix = 10;
        int index = 0;
        boolean negative = false;
        Long result;

        // Handle minus sign, if present
        if (nm.startsWith("-")) {
            negative = true;
            index++;
        }

        // Handle radix specifier, if present
	if (nm.startsWith("0x", index) || nm.startsWith("0X", index)) {
	    index += 2;
            radix = 16;
	}
	else if (nm.startsWith("#", index)) {
	    index ++;
            radix = 16;
	}
	else if (nm.startsWith("0", index) && nm.length() > 1 + index) {
	    index ++;
            radix = 8;
	}

        if (nm.startsWith("-", index))
            throw new NumberFormatException("Negative sign in wrong position");

        try {
            result = Long.valueOf(nm.substring(index), radix);
            result = negative ? new Long((long)-result.longValue()) : result;
        } catch (NumberFormatException e) {
            // If number is Long.MIN_VALUE, we'll end up here. The next line
            // handles this case, and causes any genuine format error to be
            // rethrown.
            String constant = negative ? new String("-" + nm.substring(index))
                                       : nm.substring(index);
            result = Long.valueOf(constant, radix);
        }
        return result;
    }

    /**
     * The value of the Long.
     *
     * @serial
     */
    private long value;

    /**
     * Constructs a newly allocated Long object that
     * represents the specified long argument.
     *
     * @param   value   the value to be represented by the 
     *          Long object.
     */
    public Long(long value) {
	this.value = value;
    }

    /**
     * Constructs a newly allocated Long object that
     * represents the long value indicated by the
     * String parameter. The string is converted to a
     * long value in exactly the manner used by the
     * parseLong method for radix 10.
     *
     * @param      s   the String to be converted to a 
     *		   Long.
     * @exception  NumberFormatException  if the String does not
     *               contain a parsable long.
     * @see        java.lang.Long#parseLong(java.lang.String, int)
     */
    public Long(String s) throws NumberFormatException {
	this.value = parseLong(s, 10);
    }

    /**
     * Returns the value of this Long as a
     * byte.
     */
    public byte byteValue() {
	return (byte)value;
    }

    /**
     * Returns the value of this Long as a
     * short.
     */
    public short shortValue() {
	return (short)value;
    }

    /**
     * Returns the value of this Long as an
     * int.
     */
    public int intValue() {
	return (int)value;
    }

    /**
     * Returns the value of this Long as a
     * long value.
     */
    public long longValue() {
	return (long)value;
    }

    /**
     * Returns the value of this Long as a
     * float.
     */
    public float floatValue() {
	return (float)value;
    }

    /**
     * Returns the value of this Long as a
     * double.
     */
    public double doubleValue() {
	return (double)value;
    }

    /**
     * Returns a String object representing this
     * Long's value.  The value is converted to signed
     * decimal representation and returned as a string, exactly as if
     * the long value were given as an argument to the
     * {@link java.lang.Long#toString(long)} method.
     *
     * @return  a string representation of the value of this object in
     *		base 10.
     */
    public String toString() {
	return String.valueOf(value);
    }

    /**
     * Returns a hash code for this Long. The result is
     * the exclusive OR of the two halves of the primitive
     * long value held by this Long
     * object. That is, the hashcode is the value of the expression:
     * 
         * (int)(this.longValue()^(this.longValue()>>>32))
     * 
    
     *
     * @return  a hash code value for this object.
     */
    public int hashCode() {
	return (int)(value ^ (value >>> 32));
    }

    /**
     * Compares this object to the specified object.  The result is
     * true if and only if the argument is not
     * null and is a Long object that
     * contains the same long value as this object.
     *
     * @param   obj   the object to compare with.
     * @return  true if the objects are the same;
     *          false otherwise.
     */
    public boolean equals(Object obj) {
	if (obj instanceof Long) {
	    return value == ((Long)obj).longValue();
	}
	return false;
    }

    /**
     * Determines the long value of the system property
     * with the specified name.
     * 
    
     * The first argument is treated as the name of a system property.
     * System properties are accessible through the {@link
     * java.lang.System#getProperty(java.lang.String)} method. The
     * string value of this property is then interpreted as a
     * long value and a Long object
     * representing this value is returned.  Details of possible
     * numeric formats can be found with the definition of
     * getProperty.
     * 
    
     * If there is no property with the specified name, if the
     * specified name is empty or null, or if the
     * property does not have the correct numeric format, then
     * null is returned.
     * 
    
     * In other words, this method returns a Long object equal to 
     * the value of:
     * 
    
     * getLong(nm, null)
     * 
    
     *
     * @param   nm   property name.
     * @return  the Long value of the property.
     * @see     java.lang.System#getProperty(java.lang.String)
     * @see     java.lang.System#getProperty(java.lang.String, java.lang.String)
     */
    public static Long getLong(String nm) {
	return getLong(nm, null);
    }

    /**
     * Determines the long value of the system property
     * with the specified name.
     * 
    
     * The first argument is treated as the name of a system property.
     * System properties are accessible through the {@link
     * java.lang.System#getProperty(java.lang.String)} method. The
     * string value of this property is then interpreted as a
     * long value and a Long object
     * representing this value is returned.  Details of possible
     * numeric formats can be found with the definition of
     * getProperty.
     * 
    
     * The second argument is the default value. A Long object
     * that represents the value of the second argument is returned if there
     * is no property of the specified name, if the property does not have
     * the correct numeric format, or if the specified name is empty or null.
     * 
    
     * In other words, this method returns a Long object equal 
     * to the value of:
     * 
    
     * getLong(nm, new Long(val))
     * 
    
     * but in practice it may be implemented in a manner such as: 
     * 
         * Long result = getLong(nm, null);
     * return (result == null) ? new Long(val) : result;
     * 
    
     * to avoid the unnecessary allocation of a Long object when 
     * the default value is not needed. 
     *
     * @param   nm    property name.
     * @param   val   default value.
     * @return  the Long value of the property.
     * @see     java.lang.System#getProperty(java.lang.String)
     * @see     java.lang.System#getProperty(java.lang.String, java.lang.String)
     */
    public static Long getLong(String nm, long val) {
        Long result = Long.getLong(nm, null);
        return (result == null) ? new Long(val) : result;
    }

    /**
     * Returns the long value of the system property with
     * the specified name.  The first argument is treated as the name
     * of a system property.  System properties are accessible through
     * the {@link java.lang.System#getProperty(java.lang.String)}
     * method. The string value of this property is then interpreted
     * as a long value, as per the
     * Long.decode method, and a Long object
     * representing this value is returned.
     * 
      
     * 
    • If the property value begins with the two ASCII characters
     * 0x or the ASCII character #, not followed by 
     * a minus sign, then the rest of it is parsed as a hexadecimal integer
     * exactly as for the method {@link #valueOf(java.lang.String, int)} 
     * with radix 16. 
     * 
    • If the property value begins with the ASCII character
     * 0 followed by another character, it is parsed as
     * an octal integer exactly as by the method {@link
     * #valueOf(java.lang.String, int)} with radix 8.
     * 
    • Otherwise the property value is parsed as a decimal
     * integer exactly as by the method 
     * {@link #valueOf(java.lang.String, int)} with radix 10.
     * 
    
     * 
    
     * Note that, in every case, neither L
     * ('\u004C') nor l
     * ('\u006C') is permitted to appear at the end
     * of the property value as a type indicator, as would be
     * permitted in Java programming language source code.
     * 
    
     * The second argument is the default value. The default value is
     * returned if there is no property of the specified name, if the
     * property does not have the correct numeric format, or if the
     * specified name is empty or null.
     *
     * @param   nm   property name.
     * @param   val   default value.
     * @return  the Long value of the property.
     * @see     java.lang.System#getProperty(java.lang.String)
     * @see java.lang.System#getProperty(java.lang.String, java.lang.String)
     * @see java.lang.Long#decode
     */
    public static Long getLong(String nm, Long val) {
        String v = null;
        try {
            v = System.getProperty(nm);
        } catch (IllegalArgumentException e) {
        } catch (NullPointerException e) {
        }
	if (v != null) {
	    try {
		return Long.decode(v);
	    } catch (NumberFormatException e) {
	    }
	}
	return val;
    }

    /**
     * Compares two Long objects numerically.
     *
     * @param   anotherLong   the Long to be compared.
     * @return	the value 0 if this Long is
     * 		equal to the argument Long; a value less than
     * 		0 if this Long is numerically less
     * 		than the argument Long; and a value greater 
     * 		than 0 if this Long is numerically
     * 		 greater than the argument Long (signed
     * 		 comparison).
     * @since   1.2
     */
    public int compareTo(Long anotherLong) {
	long thisVal = this.value;
	long anotherVal = anotherLong.value;
	return (thisValLong object to another object.  If
     * the object is a Long, this function behaves like
     * compareTo(Long).  Otherwise, it throws a
     * ClassCastException (as Long objects
     * are comparable only to other Long objects).
     *
     * @param   o the Object to be compared.
     * @return  the value 0 if the argument is a 
     *		Long numerically equal to this 
     *		Long; a value less than 0 
     *		if the argument is a Long numerically 
     *		greater than this Long; and a value 
     *		greater than 0 if the argument is a 
     *		Long numerically less than this 
     *		Long.
     * @exception ClassCastException if the argument is not a
     *		  Long.
     * @see     java.lang.Comparable
     * @since   1.2
     */
    public int compareTo(Object o) {
	return compareTo((Long)o);
    }

    /** use serialVersionUID from JDK 1.0.2 for interoperability */
    private static final long serialVersionUID = 4290774380558885855L;
}
why-2.39/lib/java_api/java/lang/IllegalArgumentException.java0000644000106100004300000000157513147234006023221 0ustar  marchevals/*
 * @(#)IllegalArgumentException.java	1.19 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.lang;

/**
 * Thrown to indicate that a method has been passed an illegal or 
 * inappropriate argument.
 *
 * @author  unascribed
 * @version 1.19, 01/23/03
 * @see	    java.lang.Thread#setPriority(int)
 * @since   JDK1.0
 */
public
class IllegalArgumentException extends RuntimeException {
    /**
     * Constructs an IllegalArgumentException with no 
     * detail message. 
     */
    public IllegalArgumentException() {
	super();
    }

    /**
     * Constructs an IllegalArgumentException with the 
     * specified detail message. 
     *
     * @param   s   the detail message.
     */
    public IllegalArgumentException(String s) {
	super(s);
    }
}
why-2.39/lib/java_api/java/lang/Exception.java0000644000106100004300000000532413147234006020220 0ustar  marchevals/*
 * @(#)Exception.java	1.30 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.lang;

/**
 * The class Exception and its subclasses are a form of 
 * Throwable that indicates conditions that a reasonable 
 * application might want to catch.
 *
 * @author  Frank Yellin
 * @version 1.30, 01/23/03
 * @see     java.lang.Error
 * @since   JDK1.0
 */
public class Exception extends Throwable {
    static final long serialVersionUID = -3387516993124229948L;

    /**
     * Constructs a new exception with null as its detail message.
     * The cause is not initialized, and may subsequently be initialized by a
     * call to {@link #initCause}.
     */
    public Exception() {
	super();
    }

    /**
     * Constructs a new exception with the specified detail message.  The
     * cause is not initialized, and may subsequently be initialized by
     * a call to {@link #initCause}.
     *
     * @param   message   the detail message. The detail message is saved for 
     *          later retrieval by the {@link #getMessage()} method.
     */
    public Exception(String message) {
	super(message);
    }

    /**
     * Constructs a new exception with the specified detail message and
     * cause.  
    Note that the detail message associated with
     * cause is not automatically incorporated in
     * this exception's detail message.
     *
     * @param  message the detail message (which is saved for later retrieval
     *         by the {@link #getMessage()} method).
     * @param  cause the cause (which is saved for later retrieval by the
     *         {@link #getCause()} method).  (A null value is
     *         permitted, and indicates that the cause is nonexistent or
     *         unknown.)
     * @since  1.4
     */
    public Exception(String message, Throwable cause) {
        super(message, cause);
    }

    /**
     * Constructs a new exception with the specified cause and a detail
     * message of (cause==null ? null : cause.toString()) (which
     * typically contains the class and detail message of cause).
     * This constructor is useful for exceptions that are little more than
     * wrappers for other throwables (for example, {@link
     * java.security.PrivilegedActionException}).
     *
     * @param  cause the cause (which is saved for later retrieval by the
     *         {@link #getCause()} method).  (A null value is
     *         permitted, and indicates that the cause is nonexistent or
     *         unknown.)
     * @since  1.4
     */
    public Exception(Throwable cause) {
        super(cause);
    }
}
why-2.39/lib/java_api/java/lang/Integer.java0000644000106100004300000010564613147234006017667 0ustar  marchevals/*
 * @(#)Integer.java	1.76 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.lang;

/**
 * The Integer class wraps a value of the primitive type
 * int in an object. An object of type
 * Integer contains a single field whose type is
 * int.
 *
 *  
    
 * 
 * In addition, this class provides several methods for converting an
 * int to a String and a String
 * to an int, as well as other constants and methods
 * useful when dealing with an int.
 *
 * @author  Lee Boynton
 * @author  Arthur van Hoff
 * @version 1.76, 01/23/03
 * @since   JDK1.0
 */
public final class Integer extends Number implements Comparable {
    /**
     * A constant holding the minimum value an int can
     * have, -231.
     */
    public static final int   MIN_VALUE = 0x80000000;

    /**
     * A constant holding the maximum value an int can
     * have, 231-1.
     */
    public static final int   MAX_VALUE = 0x7fffffff;

    /**
     * The Class instance representing the primitive type
     * int.
     *
     * @since   JDK1.1
     */
    //KML public static final Class	TYPE = Class.getPrimitiveClass("int");

    /**
     * All possible chars for representing a number as a String
     */
    /* KML
    final static char[] digits = {
	'0' , '1' , '2' , '3' , '4' , '5' ,
	'6' , '7' , '8' , '9' , 'a' , 'b' ,
	'c' , 'd' , 'e' , 'f' , 'g' , 'h' ,
	'i' , 'j' , 'k' , 'l' , 'm' , 'n' ,
	'o' , 'p' , 'q' , 'r' , 's' , 't' ,
	'u' , 'v' , 'w' , 'x' , 'y' , 'z'
    };
    */

    /**
     * Returns a string representation of the first argument in the
     * radix specified by the second argument.
     * 
    
     * If the radix is smaller than Character.MIN_RADIX
     * or larger than Character.MAX_RADIX, then the radix
     * 10 is used instead.
     * 
    
     * If the first argument is negative, the first element of the
     * result is the ASCII minus character '-'
     * ('\u002D'). If the first argument is not
     * negative, no sign character appears in the result.
     * 
    
     * The remaining characters of the result represent the magnitude
     * of the first argument. If the magnitude is zero, it is
     * represented by a single zero character '0'
     * ('\u0030'); otherwise, the first character of
     * the representation of the magnitude will not be the zero
     * character.  The following ASCII characters are used as digits: 
     * 
         *   0123456789abcdefghijklmnopqrstuvwxyz
     * 
    
     * These are '\u0030' through
     * '\u0039' and '\u0061' through
     * '\u007A'. If radix is
     * N, then the first N of these characters
     * are used as radix-N digits in the order shown. Thus,
     * the digits for hexadecimal (radix 16) are
     * 0123456789abcdef. If uppercase letters are
     * desired, the {@link java.lang.String#toUpperCase()} method may
     * be called on the result:
     * 
         * Integer.toString(n, 16).toUpperCase()
     * 
    
     *
     * @param   i       an integer to be converted to a string.
     * @param   radix   the radix to use in the string representation.
     * @return  a string representation of the argument in the specified radix.
     * @see     java.lang.Character#MAX_RADIX
     * @see     java.lang.Character#MIN_RADIX
     */
    public static String toString(int i, int radix) {

        if (radix < Character.MIN_RADIX || radix > Character.MAX_RADIX)
	    radix = 10;

	/* Use the faster version */
	if (radix == 10) {
	    return toString(i);
	}

	char buf[] = new char[33];
	boolean negative = (i < 0);
	int charPos = 32;

	if (!negative) {
	    i = -i;
	}

	while (i <= -radix) {
	    buf[charPos--] = digits[-(i % radix)];
	    i = i / radix;
	}
	buf[charPos] = digits[-i];

	if (negative) {
	    buf[--charPos] = '-';
	}

	return new String(buf, charPos, (33 - charPos));
    }

    /**
     * Returns a string representation of the integer argument as an
     * unsigned integer in base 16.
     * 
    
     * The unsigned integer value is the argument plus 232
     * if the argument is negative; otherwise, it is equal to the
     * argument.  This value is converted to a string of ASCII digits
     * in hexadecimal (base 16) with no extra leading
     * 0s. If the unsigned magnitude is zero, it is
     * represented by a single zero character '0'
     * ('\u0030'); otherwise, the first character of
     * the representation of the unsigned magnitude will not be the
     * zero character. The following characters are used as
     * hexadecimal digits:
     * 
         * 0123456789abcdef
     * 
    
     * These are the characters '\u0030' through
     * '\u0039' and '\u0061' through
     * '\u0066'. If uppercase letters are
     * desired, the {@link java.lang.String#toUpperCase()} method may
     * be called on the result:
     * 
         * Integer.toHexString(n).toUpperCase()
     * 
    
     *
     * @param   i   an integer to be converted to a string.
     * @return  the string representation of the unsigned integer value
     *          represented by the argument in hexadecimal (base 16).
     * @since   JDK1.0.2
     */
    public static String toHexString(int i) {
	return toUnsignedString(i, 4);
    }

    /**
     * Returns a string representation of the integer argument as an
     * unsigned integer in base 8.
     * 
    
     * The unsigned integer value is the argument plus 232
     * if the argument is negative; otherwise, it is equal to the
     * argument.  This value is converted to a string of ASCII digits
     * in octal (base 8) with no extra leading 0s.
     * 
    
     * If the unsigned magnitude is zero, it is represented by a
     * single zero character '0'
     * ('\u0030'); otherwise, the first character of
     * the representation of the unsigned magnitude will not be the
     * zero character. The following characters are used as octal
     * digits:
     * 
         * 01234567
     * 
    
     * These are the characters '\u0030' through
     * '\u0037'.
     *
     * @param   i   an integer to be converted to a string.
     * @return  the string representation of the unsigned integer value
     *          represented by the argument in octal (base 8).
     * @since   JDK1.0.2
     */
    public static String toOctalString(int i) {
	return toUnsignedString(i, 3);
    }

    /**
     * Returns a string representation of the integer argument as an
     * unsigned integer in base 2.
     * 
    
     * The unsigned integer value is the argument plus 232
     * if the argument is negative; otherwise it is equal to the
     * argument.  This value is converted to a string of ASCII digits
     * in binary (base 2) with no extra leading 0s.
     * If the unsigned magnitude is zero, it is represented by a
     * single zero character '0'
     * ('\u0030'); otherwise, the first character of
     * the representation of the unsigned magnitude will not be the
     * zero character. The characters '0'
     * ('\u0030') and '1'
     * ('\u0031') are used as binary digits.
     *
     * @param   i   an integer to be converted to a string.
     * @return  the string representation of the unsigned integer value
     *          represented by the argument in binary (base 2).
     * @since   JDK1.0.2
     */
    public static String toBinaryString(int i) {
	return toUnsignedString(i, 1);
    }

    /**
     * Convert the integer to an unsigned number.
     */
    private static String toUnsignedString(int i, int shift) {
	char[] buf = new char[32];
	int charPos = 32;
	int radix = 1 << shift;
	int mask = radix - 1;
	do {
	    buf[--charPos] = digits[i & mask];
	    i >>>= shift;
	} while (i != 0);

	return new String(buf, charPos, (32 - charPos));
    }

    /* KML
    final static char [] DigitTens = {
	'0', '0', '0', '0', '0', '0', '0', '0', '0', '0',
	'1', '1', '1', '1', '1', '1', '1', '1', '1', '1',
	'2', '2', '2', '2', '2', '2', '2', '2', '2', '2',
	'3', '3', '3', '3', '3', '3', '3', '3', '3', '3',
	'4', '4', '4', '4', '4', '4', '4', '4', '4', '4',
	'5', '5', '5', '5', '5', '5', '5', '5', '5', '5',
	'6', '6', '6', '6', '6', '6', '6', '6', '6', '6',
	'7', '7', '7', '7', '7', '7', '7', '7', '7', '7',
	'8', '8', '8', '8', '8', '8', '8', '8', '8', '8',
	'9', '9', '9', '9', '9', '9', '9', '9', '9', '9',
	} ; 

    final static char [] DigitOnes = { 
	'0', '1', '2', '3', '4', '5', '6', '7', '8', '9',
	'0', '1', '2', '3', '4', '5', '6', '7', '8', '9',
	'0', '1', '2', '3', '4', '5', '6', '7', '8', '9',
	'0', '1', '2', '3', '4', '5', '6', '7', '8', '9',
	'0', '1', '2', '3', '4', '5', '6', '7', '8', '9',
	'0', '1', '2', '3', '4', '5', '6', '7', '8', '9',
	'0', '1', '2', '3', '4', '5', '6', '7', '8', '9',
	'0', '1', '2', '3', '4', '5', '6', '7', '8', '9',
	'0', '1', '2', '3', '4', '5', '6', '7', '8', '9',
	'0', '1', '2', '3', '4', '5', '6', '7', '8', '9',
	} ;
    */
	// I use the "invariant division by multiplication" trick to
	// accelerate Integer.toString.  In particular we want to
	// avoid division by 10.
	//
	// The "trick" has roughly the same performance characterists
	// as the "classic" Integer.toString code on a non-JIT VM.
	// The trick avoids .rem and .div calls but has a longer code
	// path and is thus dominated by dispatch overhead.  In the
	// JIT case the dispatch overhead doesn't exist and the
	// "trick" is considerably faster than the classic code.
	//
	// TODO-FIXME: convert (x * 52429) into the equiv shift-add
	// sequence.
	//
	// RE:  Division by Invariant Integers using Multiplication
	//      T Gralund, P Montgomery
	//      ACM PLDI 1994
	//

    /**
     * Returns a String object representing the
     * specified integer. The argument is converted to signed decimal
     * representation and returned as a string, exactly as if the
     * argument and radix 10 were given as arguments to the {@link
     * #toString(int, int)} method.
     *
     * @param   i   an integer to be converted.
     * @return  a string representation of the argument in base 10.
     */
    public static String toString(int i) {
        switch(i) {
            case Integer.MIN_VALUE: return "-2147483648";
            case -3: return "-3";
            case -2: return "-2";
            case -1: return "-1";
            case 0: return "0";
            case 1: return "1";
            case 2: return "2";
            case 3: return "3";
            case 4: return "4";
            case 5: return "5";
            case 6: return "6";
            case 7: return "7";
            case 8: return "8";
            case 9: return "9";
            case 10: return "10";
        }
        char[] buf = (char[])(perThreadBuffer.get());
        int charPos = getChars(i, buf);
        return new String(buf, charPos, 12 - charPos);
    }

    // Per-thread buffer for string/stringbuffer conversion
    // private static ThreadLocal perThreadBuffer = new ThreadLocal() {
    //    protected synchronized Object initialValue() {
    //        return new char[12];
    //    }
    //};

    private static int getChars(int i, char[] buf) {
        int q, r;
        int charPos = 12;
        char sign = 0;

        if (i < 0) { 
            sign = '-';
            i = -i;
        }

        // Generate two digits per iteration
        while (i >= 65536) {
            q = i / 100;
        // really: r = i - (q * 100);
            r = i - ((q << 6) + (q << 5) + (q << 2));
            i = q;
            buf [--charPos] = DigitOnes[r];
            buf [--charPos] = DigitTens[r];
        }

        // Fall thru to fast mode for smaller numbers
        // assert(i <= 65536, i);
        for (;;) { 
            q = (i * 52429) >>> (16+3);
            r = i - ((q << 3) + (q << 1));  // r = i-(q*10) ...
            buf [--charPos] = digits [r];
            i = q;
            if (i == 0) break;
        }
        if (sign != 0) {
            buf [--charPos] = sign;
        }
        return charPos;
    }
 
    static void appendTo(int i, StringBuffer sb) {
        switch(i) {
            case Integer.MIN_VALUE:
                sb.append("-2147483648");
                return;
            case -3: sb.append("-3"); return;
            case -2: sb.append("-2"); return;
            case -1: sb.append("-1"); return;
            case 0: sb.append("0"); return;
            case 1: sb.append("1"); return;
            case 2: sb.append("2"); return;
            case 3: sb.append("3"); return;
            case 4: sb.append("4"); return;
            case 5: sb.append("5"); return;
            case 6: sb.append("6"); return;
            case 7: sb.append("7"); return;
            case 8: sb.append("8"); return;
            case 9: sb.append("9"); return;
            case 10: sb.append("10"); return;
        }
        char[] buf = (char[])(perThreadBuffer.get());
        int charPos = getChars(i, buf);
        sb.append(buf, charPos, 12 - charPos);
    }
    
    /**
     * Parses the string argument as a signed integer in the radix 
     * specified by the second argument. The characters in the string 
     * must all be digits of the specified radix (as determined by 
     * whether {@link java.lang.Character#digit(char, int)} returns a 
     * nonnegative value), except that the first character may be an 
     * ASCII minus sign '-' ('\u002D') to 
     * indicate a negative value. The resulting integer value is returned. 
     * 
    
     * An exception of type NumberFormatException is
     * thrown if any of the following situations occurs:
     * 
      
     * 
    • The first argument is null or is a string of
     * length zero.
     * 
    • The radix is either smaller than 
     * {@link java.lang.Character#MIN_RADIX} or
     * larger than {@link java.lang.Character#MAX_RADIX}. 
     * 
    • Any character of the string is not a digit of the specified
     * radix, except that the first character may be a minus sign
     * '-' ('\u002D') provided that the
     * string is longer than length 1.
     * 
    • The value represented by the string is not a value of type
     * int. 
     * 
    
     * Examples:
     * 
         * parseInt("0", 10) returns 0
     * parseInt("473", 10) returns 473
     * parseInt("-0", 10) returns 0
     * parseInt("-FF", 16) returns -255
     * parseInt("1100110", 2) returns 102
     * parseInt("2147483647", 10) returns 2147483647
     * parseInt("-2147483648", 10) returns -2147483648
     * parseInt("2147483648", 10) throws a NumberFormatException
     * parseInt("99", 8) throws a NumberFormatException
     * parseInt("Kona", 10) throws a NumberFormatException
     * parseInt("Kona", 27) returns 411787
     * 
    
     *
     * @param      s   the String containing the integer 
     * 			representation to be parsed
     * @param      radix   the radix to be used while parsing s.
     * @return     the integer represented by the string argument in the
     *             specified radix.
     * @exception  NumberFormatException if the String
     * 		   does not contain a parsable int.
     */
    public static int parseInt(String s, int radix)
		throws NumberFormatException
    {
        if (s == null) {
            throw new NumberFormatException("null");
        }

	/*KML
	if (radix < Character.MIN_RADIX) {
	    throw new NumberFormatException("radix " + radix +
					    " less than Character.MIN_RADIX");
	}

	if (radix > Character.MAX_RADIX) {
	    throw new NumberFormatException("radix " + radix +
					    " greater than Character.MAX_RADIX");
	}
	*/

	int result = 0;
	boolean negative = false;
	int i = 0, max = s.length();
	int limit;
	int multmin;
	int digit;

	if (max > 0) {
	    if (s.charAt(0) == '-') {
		negative = true;
		limit = Integer.MIN_VALUE;
		i++;
	    } else {
		limit = -Integer.MAX_VALUE;
	    }
	    multmin = limit / radix;
	    if (i < max) {
		digit = Character.digit(s.charAt(i++),radix);
		if (digit < 0) {
		    throw NumberFormatException.forInputString(s);
		} else {
		    result = -digit;
		}
	    }
	    while (i < max) {
		// Accumulating negatively avoids surprises near MAX_VALUE
		digit = Character.digit(s.charAt(i++),radix);
		if (digit < 0) {
		    throw NumberFormatException.forInputString(s);
		}
		if (result < multmin) {
		    throw NumberFormatException.forInputString(s);
		}
		result *= radix;
		if (result < limit + digit) {
		    throw NumberFormatException.forInputString(s);
		}
		result -= digit;
	    }
	} else {
	    throw NumberFormatException.forInputString(s);
	}
	if (negative) {
	    if (i > 1) {
		return result;
	    } else {	/* Only got "-" */
		throw NumberFormatException.forInputString(s);
	    }
	} else {
	    return -result;
	}
    }

    /**
     * Parses the string argument as a signed decimal integer. The 
     * characters in the string must all be decimal digits, except that 
     * the first character may be an ASCII minus sign '-' 
     * ('\u002D') to indicate a negative value. The resulting 
     * integer value is returned, exactly as if the argument and the radix 
     * 10 were given as arguments to the 
     * {@link #parseInt(java.lang.String, int)} method.
     *
     * @param s	   a String containing the int
     *             representation to be parsed
     * @return     the integer value represented by the argument in decimal.
     * @exception  NumberFormatException  if the string does not contain a
     *               parsable integer.
     */
    public static int parseInt(String s) throws NumberFormatException {
	return parseInt(s,10);
    }

    /**
     * Returns an Integer object holding the value
     * extracted from the specified String when parsed
     * with the radix given by the second argument. The first argument
     * is interpreted as representing a signed integer in the radix
     * specified by the second argument, exactly as if the arguments
     * were given to the {@link #parseInt(java.lang.String, int)}
     * method. The result is an Integer object that
     * represents the integer value specified by the string.
     * 
    
     * In other words, this method returns an Integer
     * object equal to the value of:
     *
     * 
    
     * new Integer(Integer.parseInt(s, radix))  
     * 
    
     *
     * @param      s   the string to be parsed.
     * @param      radix the radix to be used in interpreting s
     * @return     an Integer object holding the value
     *             represented by the string argument in the specified
     *             radix.
     * @exception NumberFormatException if the String
     * 		  does not contain a parsable int.
     */
    public static Integer valueOf(String s, int radix) throws NumberFormatException {
	return new Integer(parseInt(s,radix));
    }

    /**
     * Returns an Integer object holding the
     * value of the specified String. The argument is
     * interpreted as representing a signed decimal integer, exactly
     * as if the argument were given to the {@link
     * #parseInt(java.lang.String)} method. The result is an
     * Integer object that represents the integer value
     * specified by the string.
     * 
    
     * In other words, this method returns an Integer
     * object equal to the value of:
     *
     * 
    
     * new Integer(Integer.parseInt(s))
     * 
    
     *
     * @param      s   the string to be parsed.
     * @return     an Integer object holding the value
     *             represented by the string argument.
     * @exception  NumberFormatException  if the string cannot be parsed 
     *             as an integer.
     */
    public static Integer valueOf(String s) throws NumberFormatException
    {
	return new Integer(parseInt(s, 10));
    }

    /**
     * The value of the Integer.
     *
     * @serial
     */
    private int value;

    /**
     * Constructs a newly allocated Integer object that
     * represents the specified int value.
     *
     * @param   value   the value to be represented by the 
     *			Integer object.
     */
    /*@ ensures this.value == value;
      @*/
    public Integer(int value) {
	this.value = value;
    }

    /**
     * Constructs a newly allocated Integer object that
     * represents the int value indicated by the
     * String parameter. The string is converted to an
     * int value in exactly the manner used by the
     * parseInt method for radix 10.
     *
     * @param      s   the String to be converted to an
     *                 Integer.
     * @exception  NumberFormatException  if the String does not
     *               contain a parsable integer.
     * @see        java.lang.Integer#parseInt(java.lang.String, int)
     */
    public Integer(String s) throws NumberFormatException {
	this.value = parseInt(s, 10);
    }

    /**
     * Returns the value of this Integer as a
     * byte.
     */
    public byte byteValue() {
	return (byte)value;
    }

    /**
     * Returns the value of this Integer as a
     * short.
     */
    public short shortValue() {
	return (short)value;
    }

    /**
     * Returns the value of this Integer as an
     * int.
     */
    /*@ ensures \result == this.value;
      @*/
    public int intValue() {
	return value;
    }

    /**
     * Returns the value of this Integer as a
     * long.
     */
    public long longValue() {
	return (long)value;
    }

    /**
     * Returns the value of this Integer as a
     * float.
     */
    public float floatValue() {
	return (float)value;
    }

    /**
     * Returns the value of this Integer as a
     * double.
     */
    public double doubleValue() {
	return (double)value;
    }

    /**
     * Returns a String object representing this
     * Integer's value. The value is converted to signed
     * decimal representation and returned as a string, exactly as if
     * the integer value were given as an argument to the {@link
     * java.lang.Integer#toString(int)} method.
     *
     * @return  a string representation of the value of this object in
     *          base 10.
     */
    public String toString() {
	return String.valueOf(value);
    }

    /**
     * Returns a hash code for this Integer.
     *
     * @return  a hash code value for this object, equal to the 
     *          primitive int value represented by this 
     *          Integer object. 
     */
    public int hashCode() {
	return value;
    }

    /**
     * Compares this object to the specified object.  The result is
     * true if and only if the argument is not
     * null and is an Integer object that
     * contains the same int value as this object.
     *
     * @param   obj   the object to compare with.
     * @return  true if the objects are the same;
     *          false otherwise.
     */
    public boolean equals(Object obj) {
	if (obj instanceof Integer) {
	    return value == ((Integer)obj).intValue();
	}
	return false;
    }

    /**
     * Determines the integer value of the system property with the
     * specified name.
     * 
    
     * The first argument is treated as the name of a system property. 
     * System properties are accessible through the 
     * {@link java.lang.System#getProperty(java.lang.String)} method. The 
     * string value of this property is then interpreted as an integer 
     * value and an Integer object representing this value is 
     * returned. Details of possible numeric formats can be found with 
     * the definition of getProperty. 
     * 
    
     * If there is no property with the specified name, if the specified name
     * is empty or null, or if the property does not have 
     * the correct numeric format, then null is returned.
     * 
    
     * In other words, this method returns an Integer
     * object equal to the value of:
     *
     * 
    
     * getInteger(nm, null)
     * 
    
     *
     * @param   nm   property name.
     * @return  the Integer value of the property.
     * @see     java.lang.System#getProperty(java.lang.String)
     * @see     java.lang.System#getProperty(java.lang.String, java.lang.String)
     */
    public static Integer getInteger(String nm) {
	return getInteger(nm, null);
    }

    /**
     * Determines the integer value of the system property with the
     * specified name.
     * 
    
     * The first argument is treated as the name of a system property.
     * System properties are accessible through the {@link
     * java.lang.System#getProperty(java.lang.String)} method. The 
     * string value of this property is then interpreted as an integer 
     * value and an Integer object representing this value is 
     * returned. Details of possible numeric formats can be found with 
     * the definition of getProperty. 
     * 
    
     * The second argument is the default value. An Integer object
     * that represents the value of the second argument is returned if there
     * is no property of the specified name, if the property does not have
     * the correct numeric format, or if the specified name is empty or
     *  null.
     * 
    
     * In other words, this method returns an Integer object 
     * equal to the value of:
     * 
    
     * getInteger(nm, new Integer(val))
     * 
    
     * but in practice it may be implemented in a manner such as: 
     * 
         * Integer result = getInteger(nm, null);
     * return (result == null) ? new Integer(val) : result;
     * 
    
     * to avoid the unnecessary allocation of an Integer 
     * object when the default value is not needed. 
     *
     * @param   nm   property name.
     * @param   val   default value.
     * @return  the Integer value of the property.
     * @see     java.lang.System#getProperty(java.lang.String)
     * @see     java.lang.System#getProperty(java.lang.String, java.lang.String)
     */
    public static Integer getInteger(String nm, int val) {
        Integer result = getInteger(nm, null);
        return (result == null) ? new Integer(val) : result;
    }

    /**
     * Returns the integer value of the system property with the
     * specified name.  The first argument is treated as the name of a
     * system property.  System properties are accessible through the
     * {@link java.lang.System#getProperty(java.lang.String)} method.
     * The string value of this property is then interpreted as an
     * integer value, as per the Integer.decode method,
     * and an Integer object representing this value is
     * returned.
     * 
    
     * 
    • If the property value begins with the two ASCII characters 
     *         0x or the ASCII character #, not 
     *      followed by a minus sign, then the rest of it is parsed as a 
     *      hexadecimal integer exactly as by the method 
     *      {@link #valueOf(java.lang.String, int)} with radix 16. 
     * 
    • If the property value begins with the ASCII character 
     *     0 followed by another character, it is parsed as an 
     *     octal integer exactly as by the method 
     *     {@link #valueOf(java.lang.String, int)} with radix 8. 
     * 
    • Otherwise, the property value is parsed as a decimal integer 
     * exactly as by the method {@link #valueOf(java.lang.String, int)} 
     * with radix 10. 
     * 
    
     * The second argument is the default value. The default value is
     * returned if there is no property of the specified name, if the
     * property does not have the correct numeric format, or if the
     * specified name is empty or null.
     *
     * @param   nm   property name.
     * @param   val   default value.
     * @return  the Integer value of the property.
     * @see     java.lang.System#getProperty(java.lang.String)
     * @see java.lang.System#getProperty(java.lang.String, java.lang.String)
     * @see java.lang.Integer#decode
     */
    public static Integer getInteger(String nm, Integer val) {
	/*KML
	  String v = null;
        try {
            v = System.getProperty(nm);
        } catch (IllegalArgumentException e) {
        } catch (NullPointerException e) {
        }
	if (v != null) {
	    try {
		return Integer.decode(v);
	    } catch (NumberFormatException e) {
	    }
	}
	*/
	return val;
    }

    /**
     * Decodes a String into an Integer.
     * Accepts decimal, hexadecimal, and octal numbers numbers given
     * by the following grammar:
     *
     * 
    
     * 
    
     * 
    DecodableString:
     * 
    Signopt DecimalNumeral
     * 
    Signopt 0x HexDigits
     * 
    Signopt 0X HexDigits
     * 
    Signopt # HexDigits
     * 
    Signopt 0 OctalDigits
     * 
    
     * 
    Sign:
     * 
    -
     * 
    
     * 
    
     *
     * DecimalNumeral, HexDigits, and OctalDigits
     * are defined in §3.10.1 
     * of the Java 
     * Language Specification.
     * 
    
     * The sequence of characters following an (optional) negative
     * sign and/or radix specifier ("0x",
     * "0X", "#", or
     * leading zero) is parsed as by the Integer.parseInt
     * method with the indicated radix (10, 16, or 8).  This sequence
     * of characters must represent a positive value or a {@link
     * NumberFormatException} will be thrown.  The result is negated
     * if first character of the specified String is the
     * minus sign.  No whitespace characters are permitted in the
     * String.
     *
     * @param     nm the String to decode.
     * @return    a Integer object holding the int
     *		   value represented by nm
     * @exception NumberFormatException  if the String does not
     *            contain a parsable integer.
     * @see java.lang.Integer#parseInt(java.lang.String, int)
     * @since 1.2
     */
    public static Integer decode(String nm) throws NumberFormatException {
        int radix = 10;
        int index = 0;
        boolean negative = false;
        Integer result;

        // Handle minus sign, if present
        if (nm.startsWith("-")) {
            negative = true;
            index++;
        }

        // Handle radix specifier, if present
	if (nm.startsWith("0x", index) || nm.startsWith("0X", index)) {
	    index += 2;
            radix = 16;
	}
	else if (nm.startsWith("#", index)) {
	    index ++;
            radix = 16;
	}
	else if (nm.startsWith("0", index) && nm.length() > 1 + index) {
	    index ++;
            radix = 8;
	}

        if (nm.startsWith("-", index))
            throw new NumberFormatException("Negative sign in wrong position");

        try {
            result = Integer.valueOf(nm.substring(index), radix);
            result = negative ? new Integer(-result.intValue()) : result;
        } catch (NumberFormatException e) {
            // If number is Integer.MIN_VALUE, we'll end up here. The next line
            // handles this case, and causes any genuine format error to be
            // rethrown.
            String constant = negative ? new String("-" + nm.substring(index))
                                       : nm.substring(index);
            result = Integer.valueOf(constant, radix);
        }
        return result;
    }

    /**
     * Compares two Integer objects numerically.
     *
     * @param   anotherInteger   the Integer to be compared.
     * @return	the value 0 if this Integer is
     * 		equal to the argument Integer; a value less than
     * 		0 if this Integer is numerically less
     * 		than the argument Integer; and a value greater 
     * 		than 0 if this Integer is numerically
     * 		 greater than the argument Integer (signed
     * 		 comparison).
     * @since   1.2
     */
    public int compareTo(Integer anotherInteger) {
	int thisVal = this.value;
	int anotherVal = anotherInteger.value;
	return (thisValInteger object to another object.
     * If the object is an Integer, this function behaves
     * like compareTo(Integer).  Otherwise, it throws a
     * ClassCastException (as Integer
     * objects are only comparable to other Integer
     * objects).
     *
     * @param   o the Object to be compared.
     * @return  the value 0 if the argument is a 
     *		Integer numerically equal to this 
     *		Integer; a value less than 0 
     *		if the argument is a Integer numerically 
     *		greater than this Integer; and a value 
     *		greater than 0 if the argument is a 
     *		Integer numerically less than this 
     *		Integer.
     * @exception ClassCastException if the argument is not an
     *		  Integer.
     * @see     java.lang.Comparable
     * @since   1.2
     */
    public int compareTo(Object o) {
	return compareTo((Integer)o);
    }

    /** use serialVersionUID from JDK 1.0.2 for interoperability */
    private static final long serialVersionUID = 1360826667806852920L;
}
why-2.39/lib/java_api/java/lang/StringBuffer.java0000644000106100004300000014265113147234006020667 0ustar  marchevals/*
 * @(#)StringBuffer.java	1.78 03/05/16
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.lang;

/**
 * A string buffer implements a mutable sequence of characters. 
 * A string buffer is like a {@link String}, but can be modified. At any 
 * point in time it contains some particular sequence of characters, but 
 * the length and content of the sequence can be changed through certain 
 * method calls.
 * 
    
 * String buffers are safe for use by multiple threads. The methods 
 * are synchronized where necessary so that all the operations on any 
 * particular instance behave as if they occur in some serial order 
 * that is consistent with the order of the method calls made by each of 
 * the individual threads involved. 
 * 
    
 * String buffers are used by the compiler to implement the binary 
 * string concatenation operator +. For example, the code:
 * 
     *     x = "a" + 4 + "c"
 * 
    
 * is compiled to the equivalent of: 
 * 
     *     x = new StringBuffer().append("a").append(4).append("c")
 *                           .toString()
 * 
    
 * which creates a new string buffer (initially empty), appends the string
 * representation of each operand to the string buffer in turn, and then
 * converts the contents of the string buffer to a string. Overall, this avoids
 * creating many temporary strings.
 * 
    
 * The principal operations on a StringBuffer are the 
 * append and insert methods, which are 
 * overloaded so as to accept data of any type. Each effectively 
 * converts a given datum to a string and then appends or inserts the 
 * characters of that string to the string buffer. The 
 * append method always adds these characters at the end 
 * of the buffer; the insert method adds the characters at 
 * a specified point. 
 * 
    
 * For example, if z refers to a string buffer object 
 * whose current contents are "start", then 
 * the method call z.append("le") would cause the string 
 * buffer to contain "startle", whereas 
 * z.insert(4, "le") would alter the string buffer to 
 * contain "starlet". 
 * 
    
 * In general, if sb refers to an instance of a StringBuffer, 
 * then sb.append(x) has the same effect as 
 * sb.insert(sb.length(), x).
 * 
    
 * Every string buffer has a capacity. As long as the length of the 
 * character sequence contained in the string buffer does not exceed 
 * the capacity, it is not necessary to allocate a new internal 
 * buffer array. If the internal buffer overflows, it is 
 * automatically made larger. 
 *
 * @author	Arthur van Hoff
 * @version 	1.78, 05/16/03
 * @see     java.io.ByteArrayOutputStream
 * @see     java.lang.String
 * @since   JDK1.0
 */
 
public final class StringBuffer
    implements java.io.Serializable, CharSequence
{
    /**
     * The value is used for character storage.
     * 
     * @serial
     */
    private char value[];

    /** 
     * The count is the number of characters in the buffer.
     * 
     * @serial
     */
    private int count;

    /**
     * A flag indicating whether the buffer is shared 
     *
     * @serial
     */
    private boolean shared;

    /** use serialVersionUID from JDK 1.0.2 for interoperability */
    static final long serialVersionUID = 3388685877147921107L;

    /**
     * Constructs a string buffer with no characters in it and an 
     * initial capacity of 16 characters. 
     */
    public StringBuffer() {
	this(16);
    }

    /**
     * Constructs a string buffer with no characters in it and an 
     * initial capacity specified by the length argument. 
     *
     * @param      length   the initial capacity.
     * @exception  NegativeArraySizeException  if the length
     *               argument is less than 0.
     */
    public StringBuffer(int length) {
	value = new char[length];
	shared = false;
    }

    /**
     * Constructs a string buffer so that it represents the same 
     * sequence of characters as the string argument; in other
     * words, the initial contents of the string buffer is a copy of the 
     * argument string. The initial capacity of the string buffer is 
     * 16 plus the length of the string argument. 
     *
     * @param   str   the initial contents of the buffer.
     * @exception NullPointerException if str is null
     */
    public StringBuffer(String str) {
	this(str.length() + 16);
	append(str);
    }

    /**
     * Returns the length (character count) of this string buffer.
     *
     * @return  the length of the sequence of characters currently 
     *          represented by this string buffer.
     */
    public synchronized int length() {
	return count;
    }

    /**
     * Returns the current capacity of the String buffer. The capacity
     * is the amount of storage available for newly inserted
     * characters; beyond which an allocation will occur.
     *
     * @return  the current capacity of this string buffer.
     */
    public synchronized int capacity() {
	return value.length;
    }

    /**
     * Copies the buffer value.  This is normally only called when shared
     * is true.  It should only be called from a synchronized method.
     */
    private final void copy() {
	char newValue[] = new char[value.length];
	System.arraycopy(value, 0, newValue, 0, count);
	value = newValue;
	shared = false;
    }

    /**
     * Ensures that the capacity of the buffer is at least equal to the
     * specified minimum.
     * If the current capacity of this string buffer is less than the 
     * argument, then a new internal buffer is allocated with greater 
     * capacity. The new capacity is the larger of: 
     * 
      
     * 
    • The minimumCapacity argument. 
     * 
    • Twice the old capacity, plus 2. 
     * 
    
     * If the minimumCapacity argument is nonpositive, this
     * method takes no action and simply returns.
     *
     * @param   minimumCapacity   the minimum desired capacity.
     */
    public synchronized void ensureCapacity(int minimumCapacity) {
	if (minimumCapacity > value.length) {
	    expandCapacity(minimumCapacity);
	}
    }

    /**
     * This implements the expansion semantics of ensureCapacity but is
     * unsynchronized for use internally by methods which are already
     * synchronized.
     *
     * @see java.lang.StringBuffer#ensureCapacity(int)
     */
    private void expandCapacity(int minimumCapacity) {
	int newCapacity = (value.length + 1) * 2;
        if (newCapacity < 0) {
            newCapacity = Integer.MAX_VALUE;
        } else if (minimumCapacity > newCapacity) {
	    newCapacity = minimumCapacity;
	}
	
	char newValue[] = new char[newCapacity];
	System.arraycopy(value, 0, newValue, 0, count);
	value = newValue;
	shared = false;
    }

    /**
     * Sets the length of this String buffer.
     * This string buffer is altered to represent a new character sequence 
     * whose length is specified by the argument. For every nonnegative 
     * index k less than newLength, the character at 
     * index k in the new character sequence is the same as the 
     * character at index k in the old sequence if k is less 
     * than the length of the old character sequence; otherwise, it is the 
     * null character '\u0000'. 
     *  
     * In other words, if the newLength argument is less than 
     * the current length of the string buffer, the string buffer is 
     * truncated to contain exactly the number of characters given by the 
     * newLength argument. 
     * 
    
     * If the newLength argument is greater than or equal 
     * to the current length, sufficient null characters 
     * ('\u0000') are appended to the string buffer so that 
     * length becomes the newLength argument. 
     * 
    
     * The newLength argument must be greater than or equal 
     * to 0. 
     *
     * @param      newLength   the new length of the buffer.
     * @exception  IndexOutOfBoundsException  if the
     *               newLength argument is negative.
     * @see        java.lang.StringBuffer#length()
     */
    public synchronized void setLength(int newLength) {
	if (newLength < 0) {
	    throw new StringIndexOutOfBoundsException(newLength);
	}
	
	if (newLength > value.length) {
	    expandCapacity(newLength);
	}

	if (count < newLength) {
	    if (shared) copy();
	    for (; count < newLength; count++) {
		value[count] = '\0';
	    }
	} else {
            count = newLength;
            if (shared) {
                if (newLength > 0) {
                    copy();
                } else {
                    // If newLength is zero, assume the StringBuffer is being
                    // stripped for reuse; Make new buffer of default size
                    value = new char[16];
                    shared = false;
                }
            }
        }
    }

    /**
     * The specified character of the sequence currently represented by 
     * the string buffer, as indicated by the index argument, 
     * is returned. The first character of a string buffer is at index 
     * 0, the next at index 1, and so on, for 
     * array indexing. 
     * 
    
     * The index argument must be greater than or equal to 
     * 0, and less than the length of this string buffer. 
     *
     * @param      index   the index of the desired character.
     * @return     the character at the specified index of this string buffer.
     * @exception  IndexOutOfBoundsException  if index is 
     *             negative or greater than or equal to length().
     * @see        java.lang.StringBuffer#length()
     */
    public synchronized char charAt(int index) {
	if ((index < 0) || (index >= count)) {
	    throw new StringIndexOutOfBoundsException(index);
	}
	return value[index];
    }

    /**
     * Characters are copied from this string buffer into the 
     * destination character array dst. The first character to 
     * be copied is at index srcBegin; the last character to 
     * be copied is at index srcEnd-1. The total number of 
     * characters to be copied is srcEnd-srcBegin. The 
     * characters are copied into the subarray of dst starting 
     * at index dstBegin and ending at index:
     * 
         * dstbegin + (srcEnd-srcBegin) - 1
     * 
    
     *
     * @param      srcBegin   start copying at this offset in the string buffer.
     * @param      srcEnd     stop copying at this offset in the string buffer.
     * @param      dst        the array to copy the data into.
     * @param      dstBegin   offset into dst.
     * @exception  NullPointerException if dst is 
     *             null.
     * @exception  IndexOutOfBoundsException  if any of the following is true:
     *             
      
     *             
    • srcBegin is negative
     *             
    • dstBegin is negative
     *             
    • the srcBegin argument is greater than 
     *             the srcEnd argument.
     *             
    • srcEnd is greater than 
     *             this.length(), the current length of this 
     *             string buffer.
     *             
    • dstBegin+srcEnd-srcBegin is greater than 
     *             dst.length
     *             
    
     */
    public synchronized void getChars(int srcBegin, int srcEnd, char dst[], int dstBegin) {
	if (srcBegin < 0) {
	    throw new StringIndexOutOfBoundsException(srcBegin);
	}
	if ((srcEnd < 0) || (srcEnd > count)) {
	    throw new StringIndexOutOfBoundsException(srcEnd);
	}
        if (srcBegin > srcEnd) {
            throw new StringIndexOutOfBoundsException("srcBegin > srcEnd");
        }
	System.arraycopy(value, srcBegin, dst, dstBegin, srcEnd - srcBegin);
    }

    /**
     * The character at the specified index of this string buffer is set 
     * to ch. The string buffer is altered to represent a new 
     * character sequence that is identical to the old character sequence, 
     * except that it contains the character ch at position 
     * index. 
     * 
    
     * The index argument must be greater than or equal to 
     * 0, and less than the length of this string buffer. 
     *
     * @param      index   the index of the character to modify.
     * @param      ch      the new character.
     * @exception  IndexOutOfBoundsException  if index is 
     *             negative or greater than or equal to length().
     * @see        java.lang.StringBuffer#length()
     */
    public synchronized void setCharAt(int index, char ch) {
	if ((index < 0) || (index >= count)) {
	    throw new StringIndexOutOfBoundsException(index);
	}
	if (shared) copy();
	value[index] = ch;
    }

    /**
     * Appends the string representation of the Object 
     * argument to this string buffer. 
     * 
    
     * The argument is converted to a string as if by the method 
     * String.valueOf, and the characters of that 
     * string are then appended to this string buffer. 
     *
     * @param   obj   an Object.
     * @return  a reference to this StringBuffer object.
     * @see     java.lang.String#valueOf(java.lang.Object)
     * @see     java.lang.StringBuffer#append(java.lang.String)
     */
    public synchronized StringBuffer append(Object obj) {
	return append(String.valueOf(obj));
    }

    /**
     * Appends the string to this string buffer. 
     * 
    
     * The characters of the String argument are appended, in 
     * order, to the contents of this string buffer, increasing the 
     * length of this string buffer by the length of the argument. 
     * If str is null, then the four characters 
     * "null" are appended to this string buffer.
     * 
    
     * Let n be the length of the old character sequence, the one 
     * contained in the string buffer just prior to execution of the 
     * append method. Then the character at index k in 
     * the new character sequence is equal to the character at index k 
     * in the old character sequence, if k is less than n; 
     * otherwise, it is equal to the character at index k-n in the 
     * argument str.
     *
     * @param   str   a string.
     * @return  a reference to this StringBuffer.
     */
    public synchronized StringBuffer append(String str) {
	if (str == null) {
	    str = String.valueOf(str);
	}

	int len = str.length();
	int newcount = count + len;
	if (newcount > value.length)
	    expandCapacity(newcount);
	str.getChars(0, len, value, count);
	count = newcount;
	return this;
    }

    /**
     * Appends the specified StringBuffer to this
     * StringBuffer.
     * 
    
     * The characters of the StringBuffer argument are appended, 
     * in order, to the contents of this StringBuffer, increasing the 
     * length of this StringBuffer by the length of the argument. 
     * If sb is null, then the four characters 
     * "null" are appended to this StringBuffer.
     * 
    
     * Let n be the length of the old character sequence, the one 
     * contained in the StringBuffer just prior to execution of the 
     * append method. Then the character at index k in 
     * the new character sequence is equal to the character at index k 
     * in the old character sequence, if k is less than n; 
     * otherwise, it is equal to the character at index k-n in the 
     * argument sb.
     * 
    
     * The method ensureCapacity is first called on this
     * StringBuffer with the new buffer length as its argument.
     * (This ensures that the storage of this StringBuffer is
     * adequate to contain the additional characters being appended.)
     *
     * @param   sb         the StringBuffer to append.
     * @return  a reference to this StringBuffer.
     * @since 1.4
     */
    public synchronized StringBuffer append(StringBuffer sb) {
	if (sb == null) {
	    sb = NULL;
	}

	int len = sb.length();
	int newcount = count + len;
	if (newcount > value.length)
	    expandCapacity(newcount);
	sb.getChars(0, len, value, count);
	count = newcount;
	return this;
    }

    private static final StringBuffer NULL =  new StringBuffer("null");

    /**
     * Appends the string representation of the char array 
     * argument to this string buffer. 
     * 
    
     * The characters of the array argument are appended, in order, to 
     * the contents of this string buffer. The length of this string 
     * buffer increases by the length of the argument. 
     * 
    
     * The overall effect is exactly as if the argument were converted to 
     * a string by the method {@link String#valueOf(char[])} and the 
     * characters of that string were then {@link #append(String) appended} 
     * to this StringBuffer object.
     *
     * @param   str   the characters to be appended.
     * @return  a reference to this StringBuffer object.
     */
    public synchronized StringBuffer append(char str[]) { 
	int len = str.length;
	int newcount = count + len;
	if (newcount > value.length)
	    expandCapacity(newcount);
	System.arraycopy(str, 0, value, count, len);
	count = newcount;
	return this;
    }

    /**
     * Appends the string representation of a subarray of the 
     * char array argument to this string buffer. 
     * 
    
     * Characters of the character array str, starting at 
     * index offset, are appended, in order, to the contents 
     * of this string buffer. The length of this string buffer increases 
     * by the value of len. 
     * 
    
     * The overall effect is exactly as if the arguments were converted to 
     * a string by the method {@link String#valueOf(char[],int,int)} and the
     * characters of that string were then {@link #append(String) appended} 
     * to this StringBuffer object.
     *
     * @param   str      the characters to be appended.
     * @param   offset   the index of the first character to append.
     * @param   len      the number of characters to append.
     * @return  a reference to this StringBuffer object.
     */
    public synchronized StringBuffer append(char str[], int offset, int len) {
        int newcount = count + len;
	if (newcount > value.length)
	    expandCapacity(newcount);
	System.arraycopy(str, offset, value, count, len);
	count = newcount;
	return this;
    }

    /**
     * Appends the string representation of the boolean 
     * argument to the string buffer. 
     * 
    
     * The argument is converted to a string as if by the method 
     * String.valueOf, and the characters of that 
     * string are then appended to this string buffer. 
     *
     * @param   b   a boolean.
     * @return  a reference to this StringBuffer.
     * @see     java.lang.String#valueOf(boolean)
     * @see     java.lang.StringBuffer#append(java.lang.String)
     */
    public synchronized StringBuffer append(boolean b) {
        if (b) {
            int newcount = count + 4;
            if (newcount > value.length)
                expandCapacity(newcount);
            value[count++] = 't';
            value[count++] = 'r';
            value[count++] = 'u';
            value[count++] = 'e';
        } else {
            int newcount = count + 5;
            if (newcount > value.length)
                expandCapacity(newcount);
            value[count++] = 'f';
            value[count++] = 'a';
            value[count++] = 'l';
            value[count++] = 's';
            value[count++] = 'e';
        }
	return this;
    }

    /**
     * Appends the string representation of the char 
     * argument to this string buffer. 
     * 
    
     * The argument is appended to the contents of this string buffer. 
     * The length of this string buffer increases by 1. 
     * 
    
     * The overall effect is exactly as if the argument were converted to 
     * a string by the method {@link String#valueOf(char)} and the character 
     * in that string were then {@link #append(String) appended} to this 
     * StringBuffer object.
     *
     * @param   c   a char.
     * @return  a reference to this StringBuffer object.
     */
    public synchronized StringBuffer append(char c) {
        int newcount = count + 1;
	if (newcount > value.length)
	    expandCapacity(newcount);
	value[count++] = c;
	return this;
    }

    /**
     * Appends the string representation of the int 
     * argument to this string buffer. 
     * 
    
     * The argument is converted to a string as if by the method 
     * String.valueOf, and the characters of that 
     * string are then appended to this string buffer. 
     *
     * @param   i   an int.
     * @return  a reference to this StringBuffer object.
     * @see     java.lang.String#valueOf(int)
     * @see     java.lang.StringBuffer#append(java.lang.String)
     */
    public synchronized StringBuffer append(int i) {
	Integer.appendTo(i, this);
        return this;
    }

    /**
     * Appends the string representation of the long 
     * argument to this string buffer. 
     * 
    
     * The argument is converted to a string as if by the method 
     * String.valueOf, and the characters of that 
     * string are then appended to this string buffer. 
     *
     * @param   l   a long.
     * @return  a reference to this StringBuffer object.
     * @see     java.lang.String#valueOf(long)
     * @see     java.lang.StringBuffer#append(java.lang.String)
     */
    public synchronized StringBuffer append(long l) {
        Long.appendTo(l, this);
	return this;
    }

    /**
     * Appends the string representation of the float 
     * argument to this string buffer. 
     * 
    
     * The argument is converted to a string as if by the method 
     * String.valueOf, and the characters of that 
     * string are then appended to this string buffer. 
     *
     * @param   f   a float.
     * @return  a reference to this StringBuffer object.
     * @see     java.lang.String#valueOf(float)
     * @see     java.lang.StringBuffer#append(java.lang.String)
     */
    public synchronized StringBuffer append(float f) {
        new FloatingDecimal(f).appendTo(this);
	return this;
    }

    /**
     * Appends the string representation of the double 
     * argument to this string buffer. 
     * 
    
     * The argument is converted to a string as if by the method 
     * String.valueOf, and the characters of that 
     * string are then appended to this string buffer. 
     *
     * @param   d   a double.
     * @return  a reference to this StringBuffer object.
     * @see     java.lang.String#valueOf(double)
     * @see     java.lang.StringBuffer#append(java.lang.String)
     */
    public synchronized StringBuffer append(double d) {
        new FloatingDecimal(d).appendTo(this);
	return this;
    }

    /**
     * Removes the characters in a substring of this StringBuffer.
     * The substring begins at the specified start and extends to
     * the character at index end - 1 or to the end of the
     * StringBuffer if no such character exists. If
     * start is equal to end, no changes are made.
     *
     * @param      start  The beginning index, inclusive.
     * @param      end    The ending index, exclusive.
     * @return     This string buffer.
     * @exception  StringIndexOutOfBoundsException  if start
     *             is negative, greater than length(), or
     *		   greater than end.
     * @since      1.2
     */
    public synchronized StringBuffer delete(int start, int end) {
	if (start < 0)
	    throw new StringIndexOutOfBoundsException(start);
	if (end > count)
	    end = count;
	if (start > end)
	    throw new StringIndexOutOfBoundsException();

        int len = end - start;
        if (len > 0) {
            if (shared)
                copy();
            System.arraycopy(value, start+len, value, start, count-end);
            count -= len;
        }
        return this;
    }

    /**
     * Removes the character at the specified position in this
     * StringBuffer (shortening the StringBuffer
     * by one character).
     *
     * @param       index  Index of character to remove
     * @return      This string buffer.
     * @exception   StringIndexOutOfBoundsException  if the index
     *		    is negative or greater than or equal to
     *		    length().
     * @since       1.2
     */
    public synchronized StringBuffer deleteCharAt(int index) {
        if ((index < 0) || (index >= count))
	    throw new StringIndexOutOfBoundsException();
	if (shared)
	    copy();
	System.arraycopy(value, index+1, value, index, count-index-1);
	count--;
        return this;
    }

    /**
     * Replaces the characters in a substring of this StringBuffer
     * with characters in the specified String. The substring
     * begins at the specified start and extends to the character
     * at index end - 1 or to the end of the
     * StringBuffer if no such character exists. First the
     * characters in the substring are removed and then the specified
     * String is inserted at start. (The
     * StringBuffer will be lengthened to accommodate the
     * specified String if necessary.)
     * 
     * @param      start    The beginning index, inclusive.
     * @param      end      The ending index, exclusive.
     * @param      str   String that will replace previous contents.
     * @return     This string buffer.
     * @exception  StringIndexOutOfBoundsException  if start
     *             is negative, greater than length(), or
     *		   greater than end.
     * @since      1.2
     */ 
    public synchronized StringBuffer replace(int start, int end, String str) {
        if (start < 0)
	    throw new StringIndexOutOfBoundsException(start);
	if (end > count)
	    end = count;
	if (start > end)
	    throw new StringIndexOutOfBoundsException();

	int len = str.length();
	int newCount = count + len - (end - start);
	if (newCount > value.length)
	    expandCapacity(newCount);
	else if (shared)
	    copy();

        System.arraycopy(value, end, value, start + len, count - end);
        str.getChars(0, len, value, start);
        count = newCount;
        return this;
    }

    /**
     * Returns a new String that contains a subsequence of
     * characters currently contained in this StringBuffer.The 
     * substring begins at the specified index and extends to the end of the
     * StringBuffer.
     * 
     * @param      start    The beginning index, inclusive.
     * @return     The new string.
     * @exception  StringIndexOutOfBoundsException  if start is
     *             less than zero, or greater than the length of this
     *             StringBuffer.
     * @since      1.2
     */
    public synchronized String substring(int start) {
        return substring(start, count);
    }

    /**
     * Returns a new character sequence that is a subsequence of this sequence.
     *
     * 
     An invocation of this method of the form
     *
     * 
         * sb.subSequence(begin, end)
    
     *
     * behaves in exactly the same way as the invocation
     *
     * 
         * sb.substring(begin, end)
    
     *
     * This method is provided so that the StringBuffer class can
     * implement the {@link CharSequence} interface. 
    
     *
     * @param      start   the start index, inclusive.
     * @param      end     the end index, exclusive.
     * @return     the specified subsequence.
     *
     * @throws  IndexOutOfBoundsException
     *          if start or end are negative,
     *          if end is greater than length(),
     *          or if start is greater than end
     *
     * @since 1.4
     * @spec JSR-51
     */
    public CharSequence subSequence(int start, int end) {
        return this.substring(start, end);
    }

    /**
     * Returns a new String that contains a subsequence of
     * characters currently contained in this StringBuffer. The 
     * substring begins at the specified start and 
     * extends to the character at index end - 1. An
     * exception is thrown if 
     *
     * @param      start    The beginning index, inclusive.
     * @param      end      The ending index, exclusive.
     * @return     The new string.
     * @exception  StringIndexOutOfBoundsException  if start
     *             or end are negative or greater than
     *		   length(), or start is
     *		   greater than end.
     * @since      1.2 
     */
    public synchronized String substring(int start, int end) {
	if (start < 0)
	    throw new StringIndexOutOfBoundsException(start);
	if (end > count)
	    throw new StringIndexOutOfBoundsException(end);
	if (start > end)
	    throw new StringIndexOutOfBoundsException(end - start);
        return new String(value, start, end - start);
    }

    /**
     * Inserts the string representation of a subarray of the str
     * array argument into this string buffer. The subarray begins at the
     * specified offset and extends len characters.
     * The characters of the subarray are inserted into this string buffer at
     * the position indicated by index. The length of this
     * StringBuffer increases by len characters.
     *
     * @param      index    position at which to insert subarray.
     * @param      str       A character array.
     * @param      offset   the index of the first character in subarray to
     *		   to be inserted.
     * @param      len      the number of characters in the subarray to
     *		   to be inserted.
     * @return     This string buffer.
     * @exception  StringIndexOutOfBoundsException  if index
     *             is negative or greater than length(), or
     *		   offset or len are negative, or
     *		   (offset+len) is greater than
     *		   str.length.
     * @since 1.2
     */
    public synchronized StringBuffer insert(int index, char str[], int offset,
                                                                   int len) {
        if ((index < 0) || (index > count))
	    throw new StringIndexOutOfBoundsException();
	if ((offset < 0) || (offset + len < 0) || (offset + len > str.length))
	    throw new StringIndexOutOfBoundsException(offset);
	if (len < 0)
	    throw new StringIndexOutOfBoundsException(len);
	int newCount = count + len;
	if (newCount > value.length)
	    expandCapacity(newCount);
	else if (shared)
	    copy();
	System.arraycopy(value, index, value, index + len, count - index);
	System.arraycopy(str, offset, value, index, len);
	count = newCount;
	return this;
    }

    /**
     * Inserts the string representation of the Object 
     * argument into this string buffer. 
     * 
    
     * The second argument is converted to a string as if by the method 
     * String.valueOf, and the characters of that 
     * string are then inserted into this string buffer at the indicated 
     * offset. 
     * 
    
     * The offset argument must be greater than or equal to 
     * 0, and less than or equal to the length of this 
     * string buffer. 
     *
     * @param      offset   the offset.
     * @param      obj      an Object.
     * @return     a reference to this StringBuffer object.
     * @exception  StringIndexOutOfBoundsException  if the offset is invalid.
     * @see        java.lang.String#valueOf(java.lang.Object)
     * @see        java.lang.StringBuffer#insert(int, java.lang.String)
     * @see        java.lang.StringBuffer#length()
     */
    public synchronized StringBuffer insert(int offset, Object obj) {
	return insert(offset, String.valueOf(obj));
    }

    /**
     * Inserts the string into this string buffer. 
     * 
    
     * The characters of the String argument are inserted, in 
     * order, into this string buffer at the indicated offset, moving up any 
     * characters originally above that position and increasing the length 
     * of this string buffer by the length of the argument. If 
     * str is null, then the four characters 
     * "null" are inserted into this string buffer.
     * 
    
     * The character at index k in the new character sequence is 
     * equal to:
     * 
      
     * 
    • the character at index k in the old character sequence, if 
     * k is less than offset 
     * 
    • the character at index k-offset in the 
     * argument str, if k is not less than 
     * offset but is less than offset+str.length() 
     * 
    • the character at index k-str.length() in the 
     * old character sequence, if k is not less than 
     * offset+str.length()
     * 
    
     * The offset argument must be greater than or equal to 
     * 0, and less than or equal to the length of this 
     * string buffer. 
     *
     * @param      offset   the offset.
     * @param      str      a string.
     * @return     a reference to this StringBuffer object.
     * @exception  StringIndexOutOfBoundsException  if the offset is invalid.
     * @see        java.lang.StringBuffer#length()
     */
    public synchronized StringBuffer insert(int offset, String str) {
	if ((offset < 0) || (offset > count)) {
	    throw new StringIndexOutOfBoundsException();
	}

	if (str == null) {
	    str = String.valueOf(str);
	}
	int len = str.length();
	int newcount = count + len;
	if (newcount > value.length)
	    expandCapacity(newcount);
	else if (shared)
	    copy();
	System.arraycopy(value, offset, value, offset + len, count - offset);
	str.getChars(0, len, value, offset);
	count = newcount;
	return this;
    }

    /**
     * Inserts the string representation of the char array 
     * argument into this string buffer. 
     * 
    
     * The characters of the array argument are inserted into the 
     * contents of this string buffer at the position indicated by 
     * offset. The length of this string buffer increases by 
     * the length of the argument. 
     * 
    
     * The overall effect is exactly as if the argument were converted to 
     * a string by the method {@link String#valueOf(char[])} and the 
     * characters of that string were then 
     * {@link #insert(int,String) inserted} into this 
     * StringBuffer  object at the position indicated by
     * offset.
     *
     * @param      offset   the offset.
     * @param      str      a character array.
     * @return     a reference to this StringBuffer object.
     * @exception  StringIndexOutOfBoundsException  if the offset is invalid.
     */
    public synchronized StringBuffer insert(int offset, char str[]) {
	if ((offset < 0) || (offset > count)) {
	    throw new StringIndexOutOfBoundsException();
	}
	int len = str.length;
	int newcount = count + len;
	if (newcount > value.length)
	    expandCapacity(newcount);
	else if (shared)
	    copy();
	System.arraycopy(value, offset, value, offset + len, count - offset);
	System.arraycopy(str, 0, value, offset, len);
	count = newcount;
	return this;
    }

    /**
     * Inserts the string representation of the boolean 
     * argument into this string buffer. 
     * 
    
     * The second argument is converted to a string as if by the method 
     * String.valueOf, and the characters of that 
     * string are then inserted into this string buffer at the indicated 
     * offset. 
     * 
    
     * The offset argument must be greater than or equal to 
     * 0, and less than or equal to the length of this 
     * string buffer. 
     *
     * @param      offset   the offset.
     * @param      b        a boolean.
     * @return     a reference to this StringBuffer object.
     * @exception  StringIndexOutOfBoundsException  if the offset is invalid.
     * @see        java.lang.String#valueOf(boolean)
     * @see        java.lang.StringBuffer#insert(int, java.lang.String)
     * @see        java.lang.StringBuffer#length()
     */
    public StringBuffer insert(int offset, boolean b) {
	return insert(offset, String.valueOf(b));
    }

    /**
     * Inserts the string representation of the char 
     * argument into this string buffer. 
     * 
    
     * The second argument is inserted into the contents of this string 
     * buffer at the position indicated by offset. The length 
     * of this string buffer increases by one. 
     * 
    
     * The overall effect is exactly as if the argument were converted to 
     * a string by the method {@link String#valueOf(char)} and the character 
     * in that string were then {@link #insert(int, String) inserted} into 
     * this StringBuffer object at the position indicated by
     * offset.
     * 
    
     * The offset argument must be greater than or equal to 
     * 0, and less than or equal to the length of this 
     * string buffer. 
     *
     * @param      offset   the offset.
     * @param      c        a char.
     * @return     a reference to this StringBuffer object.
     * @exception  IndexOutOfBoundsException  if the offset is invalid.
     * @see        java.lang.StringBuffer#length()
     */
    public synchronized StringBuffer insert(int offset, char c) {
	int newcount = count + 1;
	if (newcount > value.length)
	    expandCapacity(newcount);
	else if (shared)
	    copy();
	System.arraycopy(value, offset, value, offset + 1, count - offset);
	value[offset] = c;
	count = newcount;
	return this;
    }

    /**
     * Inserts the string representation of the second int 
     * argument into this string buffer. 
     * 
    
     * The second argument is converted to a string as if by the method 
     * String.valueOf, and the characters of that 
     * string are then inserted into this string buffer at the indicated 
     * offset. 
     * 
    
     * The offset argument must be greater than or equal to 
     * 0, and less than or equal to the length of this 
     * string buffer. 
     *
     * @param      offset   the offset.
     * @param      i        an int.
     * @return     a reference to this StringBuffer object.
     * @exception  StringIndexOutOfBoundsException  if the offset is invalid.
     * @see        java.lang.String#valueOf(int)
     * @see        java.lang.StringBuffer#insert(int, java.lang.String)
     * @see        java.lang.StringBuffer#length()
     */
    public StringBuffer insert(int offset, int i) {
	return insert(offset, String.valueOf(i));
    }

    /**
     * Inserts the string representation of the long 
     * argument into this string buffer. 
     * 
    
     * The second argument is converted to a string as if by the method 
     * String.valueOf, and the characters of that 
     * string are then inserted into this string buffer at the position 
     * indicated by offset. 
     * 
    
     * The offset argument must be greater than or equal to 
     * 0, and less than or equal to the length of this 
     * string buffer. 
     *
     * @param      offset   the offset.
     * @param      l        a long.
     * @return     a reference to this StringBuffer object.
     * @exception  StringIndexOutOfBoundsException  if the offset is invalid.
     * @see        java.lang.String#valueOf(long)
     * @see        java.lang.StringBuffer#insert(int, java.lang.String)
     * @see        java.lang.StringBuffer#length()
     */
    public StringBuffer insert(int offset, long l) {
	return insert(offset, String.valueOf(l));
    }

    /**
     * Inserts the string representation of the float 
     * argument into this string buffer. 
     * 
    
     * The second argument is converted to a string as if by the method 
     * String.valueOf, and the characters of that 
     * string are then inserted into this string buffer at the indicated 
     * offset. 
     * 
    
     * The offset argument must be greater than or equal to 
     * 0, and less than or equal to the length of this 
     * string buffer. 
     *
     * @param      offset   the offset.
     * @param      f        a float.
     * @return     a reference to this StringBuffer object.
     * @exception  StringIndexOutOfBoundsException  if the offset is invalid.
     * @see        java.lang.String#valueOf(float)
     * @see        java.lang.StringBuffer#insert(int, java.lang.String)
     * @see        java.lang.StringBuffer#length()
     */
    public StringBuffer insert(int offset, float f) {
	return insert(offset, String.valueOf(f));
    }

    /**
     * Inserts the string representation of the double 
     * argument into this string buffer. 
     * 
    
     * The second argument is converted to a string as if by the method 
     * String.valueOf, and the characters of that 
     * string are then inserted into this string buffer at the indicated 
     * offset. 
     * 
    
     * The offset argument must be greater than or equal to 
     * 0, and less than or equal to the length of this 
     * string buffer. 
     *
     * @param      offset   the offset.
     * @param      d        a double.
     * @return     a reference to this StringBuffer object.
     * @exception  StringIndexOutOfBoundsException  if the offset is invalid.
     * @see        java.lang.String#valueOf(double)
     * @see        java.lang.StringBuffer#insert(int, java.lang.String)
     * @see        java.lang.StringBuffer#length()
     */
    public StringBuffer insert(int offset, double d) {
	return insert(offset, String.valueOf(d));
    }

    /**
     * Returns the index within this string of the first occurrence of the
     * specified substring. The integer returned is the smallest value 
     * k such that:
     * 
         * this.toString().startsWith(str, k)
     * 
    
     * is true.
     *
     * @param   str   any string.
     * @return  if the string argument occurs as a substring within this
     *          object, then the index of the first character of the first
     *          such substring is returned; if it does not occur as a
     *          substring, -1 is returned.
     * @exception java.lang.NullPointerException if str is 
     *          null.
     * @since   1.4
     */
    public int indexOf(String str) {
	return indexOf(str, 0);
    }

    /**
     * Returns the index within this string of the first occurrence of the
     * specified substring, starting at the specified index.  The integer
     * returned is the smallest value k for which:
     * 
         *     k >= Math.min(fromIndex, str.length()) &&
     *                   this.toString().startsWith(str, k)
     * 
    
     * If no such value of k exists, then -1 is returned.
     *
     * @param   str         the substring for which to search.
     * @param   fromIndex   the index from which to start the search.
     * @return  the index within this string of the first occurrence of the
     *          specified substring, starting at the specified index.
     * @exception java.lang.NullPointerException if str is
     *            null.
     * @since   1.4
     */
    public synchronized int indexOf(String str, int fromIndex) {
        return String.indexOf(value, 0, count,
                              str.toCharArray(), 0, str.length(), fromIndex);
    }

    /**
     * Returns the index within this string of the rightmost occurrence
     * of the specified substring.  The rightmost empty string "" is
     * considered to occur at the index value this.length(). 
     * The returned index is the largest value k such that 
     * 
         * this.toString().startsWith(str, k)
     * 
    
     * is true.
     *
     * @param   str   the substring to search for.
     * @return  if the string argument occurs one or more times as a substring
     *          within this object, then the index of the first character of
     *          the last such substring is returned. If it does not occur as
     *          a substring, -1 is returned.
     * @exception java.lang.NullPointerException  if str is 
     *          null.
     * @since   1.4
     */
    public synchronized int lastIndexOf(String str) {
        return lastIndexOf(str, count);
    }

    /**
     * Returns the index within this string of the last occurrence of the
     * specified substring. The integer returned is the largest value k
     * such that:
     * 
         *     k <= Math.min(fromIndex, str.length()) &&
     *                   this.toString().startsWith(str, k)
     * 
    
     * If no such value of k exists, then -1 is returned.
     * 
     * @param   str         the substring to search for.
     * @param   fromIndex   the index to start the search from.
     * @return  the index within this string of the last occurrence of the
     *          specified substring.
     * @exception java.lang.NullPointerException if str is 
     *          null.
     * @since   1.4
     */
    public synchronized int lastIndexOf(String str, int fromIndex) {
        return String.lastIndexOf(value, 0, count,
                              str.toCharArray(), 0, str.length(), fromIndex);
    }

    /**
     * The character sequence contained in this string buffer is 
     * replaced by the reverse of the sequence. 
     * 
    
     * Let n be the length of the old character sequence, the one 
     * contained in the string buffer just prior to execution of the 
     * reverse method. Then the character at index k in 
     * the new character sequence is equal to the character at index 
     * n-k-1 in the old character sequence.
     *
     * @return  a reference to this StringBuffer object.
     * @since   JDK1.0.2
     */
    public synchronized StringBuffer reverse() {
	if (shared) copy();
	int n = count - 1;
	for (int j = (n-1) >> 1; j >= 0; --j) {
	    char temp = value[j];
	    value[j] = value[n - j];
	    value[n - j] = temp;
	}
	return this;
    }

    /**
     * Converts to a string representing the data in this string buffer.
     * A new String object is allocated and initialized to 
     * contain the character sequence currently represented by this 
     * string buffer. This String is then returned. Subsequent 
     * changes to the string buffer do not affect the contents of the 
     * String. 
     * 
    
     * Implementation advice: This method can be coded so as to create a new
     * String object without allocating new memory to hold a 
     * copy of the character sequence. Instead, the string can share the 
     * memory used by the string buffer. Any subsequent operation that alters 
     * the content or capacity of the string buffer must then make a copy of 
     * the internal buffer at that time. This strategy is effective for 
     * reducing the amount of memory allocated by a string concatenation 
     * operation when it is implemented using a string buffer.
     *
     * @return  a string representation of the string buffer.
     */
    public String toString() {
	return new String(this);
    }

    //
    // The following two methods are needed by String to efficiently
    // convert a StringBuffer into a String.  They are not public.
    // They shouldn't be called by anyone but String.
    final void setShared() { shared = true; } 
    final char[] getValue() { return value; }

    /**
     * readObject is called to restore the state of the StringBuffer from
     * a stream.
     */
    private synchronized void readObject(java.io.ObjectInputStream s)
         throws java.io.IOException, ClassNotFoundException {
	s.defaultReadObject();
	value = (char[]) value.clone();
	shared = false;
    }
}
why-2.39/lib/java_api/java/lang/Cloneable.java0000644000106100004300000000251113147234006020141 0ustar  marchevals/*
 * @(#)Cloneable.java	1.14 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.lang;

/**
 * A class implements the Cloneable interface to 
 * indicate to the {@link java.lang.Object#clone()} method that it 
 * is legal for that method to make a 
 * field-for-field copy of instances of that class. 
 * 
    
 * Invoking Object's clone method on an instance that does not implement the 
 * Cloneable interface results in the exception 
 * CloneNotSupportedException being thrown.
 * 
    
 * By convention, classes that implement this interface should override 
 * Object.clone (which is protected) with a public method.
 * See {@link java.lang.Object#clone()} for details on overriding this
 * method.
 * 
    
 * Note that this interface does not contain the clone method.
 * Therefore, it is not possible to clone an object merely by virtue of the
 * fact that it implements this interface.  Even if the clone method is invoked
 * reflectively, there is no guarantee that it will succeed.
 *
 * @author  unascribed
 * @version 1.14, 01/23/03
 * @see     java.lang.CloneNotSupportedException
 * @see     java.lang.Object#clone()
 * @since   JDK1.0
 */
public interface Cloneable { 
}
why-2.39/lib/java_api/java/lang/Character.java0000644000106100004300000022176213147234006020164 0ustar  marchevals// This file was generated AUTOMATICALLY from a template file Sat Jan 15 11:52:14 PST 2005
/* @(#)Character.java.template	1.7 03/01/13
 *
 * Copyright 1994-2002 Sun Microsystems, Inc. All Rights Reserved.
 *
 * This software is the proprietary information of Sun Microsystems, Inc.
 * Use is subject to license terms.
 *
 */

package java.lang;

/**
 * The Character class wraps a value of the primitive
 * type char in an object. An object of type
 * Character contains a single field whose type is
 * char.
 * 
    
 * In addition, this class provides several methods for determining
 * a character's category (lowercase letter, digit, etc.) and for converting
 * characters from uppercase to lowercase and vice versa.
 * 
    
 * Character information is based on the Unicode Standard, version 3.0.
 * 
    
 * The methods and data of class Character are defined by
 * the information in the UnicodeData file that is part of the
 * Unicode Character Database maintained by the Unicode
 * Consortium. This file specifies various properties including name
 * and general category for every defined Unicode code point or
 * character range.
 * 
    
 * The file and its description are available from the Unicode Consortium at:

 * 
    
 *
 * @author  Lee Boynton
 * @author  Guy Steele
 * @author  Akira Tanaka
 * @since   1.0
 */
public final
class Character extends Object implements java.io.Serializable, Comparable {
    /**
     * The minimum radix available for conversion to and from strings.
     * The constant value of this field is the smallest value permitted
     * for the radix argument in radix-conversion methods such as the
     * digit method, the forDigit
     * method, and the toString method of class
     * Integer.
     *
     * @see     java.lang.Character#digit(char, int)
     * @see     java.lang.Character#forDigit(int, int)
     * @see     java.lang.Integer#toString(int, int)
     * @see     java.lang.Integer#valueOf(java.lang.String)
     */
    public static final int MIN_RADIX = 2;

    /**
     * The maximum radix available for conversion to and from strings.
     * The constant value of this field is the largest value permitted
     * for the radix argument in radix-conversion methods such as the
     * digit method, the forDigit
     * method, and the toString method of class
     * Integer.
     *
     * @see     java.lang.Character#digit(char, int)
     * @see     java.lang.Character#forDigit(int, int)
     * @see     java.lang.Integer#toString(int, int)
     * @see     java.lang.Integer#valueOf(java.lang.String)
     */
    public static final int MAX_RADIX = 36;

    /**
     * The constant value of this field is the smallest value of type
     * char, '\u0000'.
     *
     * @since   1.0.2
     */
    public static final char   MIN_VALUE = '\u0000';

    /**
     * The constant value of this field is the largest value of type
     * char, '\uFFFF'.
     *
     * @since   1.0.2
     */
    public static final char   MAX_VALUE = '\uffff';

    /**
     * The Class instance representing the primitive type
     * char.
     *
     * @since   1.1
     */
    public static final Class TYPE = Class.getPrimitiveClass("char");

   /*
    * Normative general types
    */

   /*
    * General character types
    */

   /**
    * General category "Cn" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        UNASSIGNED                  = 0;

   /**
    * General category "Lu" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        UPPERCASE_LETTER            = 1;

   /**
    * General category "Ll" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        LOWERCASE_LETTER            = 2;

   /**
    * General category "Lt" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        TITLECASE_LETTER            = 3;

   /**
    * General category "Lm" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        MODIFIER_LETTER             = 4;

   /**
    * General category "Lo" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        OTHER_LETTER                = 5;

   /**
    * General category "Mn" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        NON_SPACING_MARK            = 6;

   /**
    * General category "Me" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        ENCLOSING_MARK              = 7;

   /**
    * General category "Mc" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        COMBINING_SPACING_MARK      = 8;

   /**
    * General category "Nd" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        DECIMAL_DIGIT_NUMBER        = 9;

   /**
    * General category "Nl" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        LETTER_NUMBER               = 10;

   /**
    * General category "No" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        OTHER_NUMBER                = 11;

   /**
    * General category "Zs" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        SPACE_SEPARATOR             = 12;

   /**
    * General category "Zl" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        LINE_SEPARATOR              = 13;

   /**
    * General category "Zp" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        PARAGRAPH_SEPARATOR         = 14;

   /**
    * General category "Cc" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        CONTROL                     = 15;

   /**
    * General category "Cf" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        FORMAT                      = 16;

   /**
    * General category "Co" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        PRIVATE_USE                 = 18;

   /**
    * General category "Cs" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        SURROGATE                   = 19;

   /**
    * General category "Pd" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        DASH_PUNCTUATION            = 20;

   /**
    * General category "Ps" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        START_PUNCTUATION           = 21;

   /**
    * General category "Pe" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        END_PUNCTUATION             = 22;

   /**
    * General category "Pc" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        CONNECTOR_PUNCTUATION       = 23;

   /**
    * General category "Po" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        OTHER_PUNCTUATION           = 24;

   /**
    * General category "Sm" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        MATH_SYMBOL                 = 25;

   /**
    * General category "Sc" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        CURRENCY_SYMBOL             = 26;

   /**
    * General category "Sk" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        MODIFIER_SYMBOL             = 27;

   /**
    * General category "So" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        OTHER_SYMBOL                = 28;

   /**
    * General category "Pi" in the Unicode specification.
    * @since   1.4
    */
    public static final byte
        INITIAL_QUOTE_PUNCTUATION   = 29;

   /**
    * General category "Pf" in the Unicode specification.
    * @since   1.4
    */
    public static final byte
        FINAL_QUOTE_PUNCTUATION     = 30;

    /**
     * Error or non-char flag
     * @since 1.4
     */
     static final char CHAR_ERROR = '\uFFFF';


    /**
     * Undefined bidirectional character type. Undefined char
     * values have undefined directionality in the Unicode specification.
     * @since 1.4
     */
     public static final byte DIRECTIONALITY_UNDEFINED = -1;

    /**
     * Strong bidirectional character type "L" in the Unicode specification.
     * @since 1.4
     */
    public static final byte DIRECTIONALITY_LEFT_TO_RIGHT = 0;

    /**
     * Strong bidirectional character type "R" in the Unicode specification.
     * @since 1.4
     */
    public static final byte DIRECTIONALITY_RIGHT_TO_LEFT = 1;

    /**
    * Strong bidirectional character type "AL" in the Unicode specification.
     * @since 1.4
     */
    public static final byte DIRECTIONALITY_RIGHT_TO_LEFT_ARABIC = 2;

    /**
     * Weak bidirectional character type "EN" in the Unicode specification.
     * @since 1.4
     */
    public static final byte DIRECTIONALITY_EUROPEAN_NUMBER = 3;

    /**
     * Weak bidirectional character type "ES" in the Unicode specification.
     * @since 1.4
     */
    public static final byte DIRECTIONALITY_EUROPEAN_NUMBER_SEPARATOR = 4;

    /**
     * Weak bidirectional character type "ET" in the Unicode specification.
     * @since 1.4
     */
    public static final byte DIRECTIONALITY_EUROPEAN_NUMBER_TERMINATOR = 5;

    /**
     * Weak bidirectional character type "AN" in the Unicode specification.
     * @since 1.4
     */
    public static final byte DIRECTIONALITY_ARABIC_NUMBER = 6;

    /**
     * Weak bidirectional character type "CS" in the Unicode specification.
     * @since 1.4
     */
    public static final byte DIRECTIONALITY_COMMON_NUMBER_SEPARATOR = 7;

    /**
     * Weak bidirectional character type "NSM" in the Unicode specification.
     * @since 1.4
     */
    public static final byte DIRECTIONALITY_NONSPACING_MARK = 8;

    /**
     * Weak bidirectional character type "BN" in the Unicode specification.
     * @since 1.4
     */
    public static final byte DIRECTIONALITY_BOUNDARY_NEUTRAL = 9;

    /**
     * Neutral bidirectional character type "B" in the Unicode specification.
     * @since 1.4
     */
    public static final byte DIRECTIONALITY_PARAGRAPH_SEPARATOR = 10;

    /**
     * Neutral bidirectional character type "S" in the Unicode specification.
     * @since 1.4
     */
    public static final byte DIRECTIONALITY_SEGMENT_SEPARATOR = 11;

    /**
     * Neutral bidirectional character type "WS" in the Unicode specification.
     * @since 1.4
     */
    public static final byte DIRECTIONALITY_WHITESPACE = 12;

    /**
     * Neutral bidirectional character type "ON" in the Unicode specification.
     * @since 1.4
     */
    public static final byte DIRECTIONALITY_OTHER_NEUTRALS = 13;

    /**
     * Strong bidirectional character type "LRE" in the Unicode specification.
     * @since 1.4
     */
    public static final byte DIRECTIONALITY_LEFT_TO_RIGHT_EMBEDDING = 14;

    /**
     * Strong bidirectional character type "LRO" in the Unicode specification.
     * @since 1.4
     */
    public static final byte DIRECTIONALITY_LEFT_TO_RIGHT_OVERRIDE = 15;

    /**
     * Strong bidirectional character type "RLE" in the Unicode specification.
     * @since 1.4
     */
    public static final byte DIRECTIONALITY_RIGHT_TO_LEFT_EMBEDDING = 16;

    /**
     * Strong bidirectional character type "RLO" in the Unicode specification.
     * @since 1.4
     */
    public static final byte DIRECTIONALITY_RIGHT_TO_LEFT_OVERRIDE = 17;

    /**
     * Weak bidirectional character type "PDF" in the Unicode specification.
     * @since 1.4
     */
    public static final byte DIRECTIONALITY_POP_DIRECTIONAL_FORMAT = 18;

    // Maximum character handled by internal fast-path code which
    // avoids initializing large tables.
    // Note: performance of this "fast-path" code may be sub-optimal
    // in negative cases for some accessors due to complicated ranges.
    // Should revisit after optimization of table initialization.
    private static final int FAST_PATH_MAX = 255;

    /**
     * Instances of this class represent particular subsets of the Unicode
     * character set.  The only family of subsets defined in the
     * Character class is {@link Character.UnicodeBlock
     * UnicodeBlock}.  Other portions of the Java API may define other
     * subsets for their own purposes.
     *
     * @since 1.2
     */
    public static class Subset  {

        private String name;

        /**
         * Constructs a new Subset instance.
         *
         * @exception NullPointerException if name is null
         * @param  name  The name of this subset
         */
        protected Subset(String name) {
            if (name == null) {
                throw new NullPointerException("name");
            }
            this.name = name;
        }

        /**
         * Compares two Subset objects for equality.
         * This method returns true if and only if
         * this and the argument refer to the same
         * object; since this method is final, this
         * guarantee holds for all subclasses.
         */
        public final boolean equals(Object obj) {
            return (this == obj);
        }

        /**
         * Returns the standard hash code as defined by the
         * {@link Object#hashCode} method.  This method
         * is final in order to ensure that the
         * equals and hashCode methods will
         * be consistent in all subclasses.
         */
        public final int hashCode() {
            return super.hashCode();
        }

        /**
         * Returns the name of this subset.
         */
        public final String toString() {
            return name;
        }
    }

    /**
     * A family of character subsets representing the character blocks in the
     * Unicode specification. Character blocks generally define characters
     * used for a specific script or purpose. A character is contained by
     * at most one Unicode block.
     *
     * @since 1.2
     */
    public static final class UnicodeBlock extends Subset {

        private UnicodeBlock(String name) {
            super(name);
        }

        /**
         * Constant for the Unicode character block of the same name.
         */
        public static final UnicodeBlock
            BASIC_LATIN
                = new UnicodeBlock("BASIC_LATIN"),
            LATIN_1_SUPPLEMENT
                = new UnicodeBlock("LATIN_1_SUPPLEMENT"),
            LATIN_EXTENDED_A
                = new UnicodeBlock("LATIN_EXTENDED_A"),
            LATIN_EXTENDED_B
                = new UnicodeBlock("LATIN_EXTENDED_B"),
            IPA_EXTENSIONS
                = new UnicodeBlock("IPA_EXTENSIONS"),
            SPACING_MODIFIER_LETTERS
                = new UnicodeBlock("SPACING_MODIFIER_LETTERS"),
            COMBINING_DIACRITICAL_MARKS
                = new UnicodeBlock("COMBINING_DIACRITICAL_MARKS"),
            GREEK
                = new UnicodeBlock("GREEK"),
            CYRILLIC
                = new UnicodeBlock("CYRILLIC"),
            ARMENIAN
                = new UnicodeBlock("ARMENIAN"),
            HEBREW
                = new UnicodeBlock("HEBREW"),
            ARABIC
                = new UnicodeBlock("ARABIC"),
            DEVANAGARI
                = new UnicodeBlock("DEVANAGARI"),
            BENGALI
                = new UnicodeBlock("BENGALI"),
            GURMUKHI
                = new UnicodeBlock("GURMUKHI"),
            GUJARATI
                = new UnicodeBlock("GUJARATI"),
            ORIYA
                = new UnicodeBlock("ORIYA"),
            TAMIL
                = new UnicodeBlock("TAMIL"),
            TELUGU
                = new UnicodeBlock("TELUGU"),
            KANNADA
                = new UnicodeBlock("KANNADA"),
            MALAYALAM
                = new UnicodeBlock("MALAYALAM"),
            THAI
                = new UnicodeBlock("THAI"),
            LAO
                = new UnicodeBlock("LAO"),
            TIBETAN
                = new UnicodeBlock("TIBETAN"),
            GEORGIAN
                = new UnicodeBlock("GEORGIAN"),
            HANGUL_JAMO
                = new UnicodeBlock("HANGUL_JAMO"),
            LATIN_EXTENDED_ADDITIONAL
                = new UnicodeBlock("LATIN_EXTENDED_ADDITIONAL"),
            GREEK_EXTENDED
                = new UnicodeBlock("GREEK_EXTENDED"),
            GENERAL_PUNCTUATION
                = new UnicodeBlock("GENERAL_PUNCTUATION"),
            SUPERSCRIPTS_AND_SUBSCRIPTS
                = new UnicodeBlock("SUPERSCRIPTS_AND_SUBSCRIPTS"),
            CURRENCY_SYMBOLS
                = new UnicodeBlock("CURRENCY_SYMBOLS"),
            COMBINING_MARKS_FOR_SYMBOLS
                = new UnicodeBlock("COMBINING_MARKS_FOR_SYMBOLS"),
            LETTERLIKE_SYMBOLS
                = new UnicodeBlock("LETTERLIKE_SYMBOLS"),
            NUMBER_FORMS
                = new UnicodeBlock("NUMBER_FORMS"),
            ARROWS
                = new UnicodeBlock("ARROWS"),
            MATHEMATICAL_OPERATORS
                = new UnicodeBlock("MATHEMATICAL_OPERATORS"),
            MISCELLANEOUS_TECHNICAL
                = new UnicodeBlock("MISCELLANEOUS_TECHNICAL"),
            CONTROL_PICTURES
                = new UnicodeBlock("CONTROL_PICTURES"),
            OPTICAL_CHARACTER_RECOGNITION
                = new UnicodeBlock("OPTICAL_CHARACTER_RECOGNITION"),
            ENCLOSED_ALPHANUMERICS
                = new UnicodeBlock("ENCLOSED_ALPHANUMERICS"),
            BOX_DRAWING
                = new UnicodeBlock("BOX_DRAWING"),
            BLOCK_ELEMENTS
                = new UnicodeBlock("BLOCK_ELEMENTS"),
            GEOMETRIC_SHAPES
                = new UnicodeBlock("GEOMETRIC_SHAPES"),
            MISCELLANEOUS_SYMBOLS
                = new UnicodeBlock("MISCELLANEOUS_SYMBOLS"),
            DINGBATS
                = new UnicodeBlock("DINGBATS"),
            CJK_SYMBOLS_AND_PUNCTUATION
                = new UnicodeBlock("CJK_SYMBOLS_AND_PUNCTUATION"),
            HIRAGANA
                = new UnicodeBlock("HIRAGANA"),
            KATAKANA
                = new UnicodeBlock("KATAKANA"),
            BOPOMOFO
                = new UnicodeBlock("BOPOMOFO"),
            HANGUL_COMPATIBILITY_JAMO
                = new UnicodeBlock("HANGUL_COMPATIBILITY_JAMO"),
            KANBUN
                = new UnicodeBlock("KANBUN"),
            ENCLOSED_CJK_LETTERS_AND_MONTHS
                = new UnicodeBlock("ENCLOSED_CJK_LETTERS_AND_MONTHS"),
            CJK_COMPATIBILITY
                = new UnicodeBlock("CJK_COMPATIBILITY"),
            CJK_UNIFIED_IDEOGRAPHS
                = new UnicodeBlock("CJK_UNIFIED_IDEOGRAPHS"),
            HANGUL_SYLLABLES
                = new UnicodeBlock("HANGUL_SYLLABLES"),
            SURROGATES_AREA
                = new UnicodeBlock("SURROGATES_AREA"),
            PRIVATE_USE_AREA
                = new UnicodeBlock("PRIVATE_USE_AREA"),
            CJK_COMPATIBILITY_IDEOGRAPHS
                = new UnicodeBlock("CJK_COMPATIBILITY_IDEOGRAPHS"),
            ALPHABETIC_PRESENTATION_FORMS
                = new UnicodeBlock("ALPHABETIC_PRESENTATION_FORMS"),
            ARABIC_PRESENTATION_FORMS_A
                = new UnicodeBlock("ARABIC_PRESENTATION_FORMS_A"),
            COMBINING_HALF_MARKS
                = new UnicodeBlock("COMBINING_HALF_MARKS"),
            CJK_COMPATIBILITY_FORMS
                = new UnicodeBlock("CJK_COMPATIBILITY_FORMS"),
            SMALL_FORM_VARIANTS
                = new UnicodeBlock("SMALL_FORM_VARIANTS"),
            ARABIC_PRESENTATION_FORMS_B
                = new UnicodeBlock("ARABIC_PRESENTATION_FORMS_B"),
            HALFWIDTH_AND_FULLWIDTH_FORMS
                = new UnicodeBlock("HALFWIDTH_AND_FULLWIDTH_FORMS"),
            SPECIALS
                = new UnicodeBlock("SPECIALS");

        /**
         * Constant for the Unicode character block of the same name.
         *
         * @since 1.4
         */
        public static final UnicodeBlock
            SYRIAC
                = new UnicodeBlock("SYRIAC"),
            THAANA
                = new UnicodeBlock("THAANA"),
            SINHALA
                = new UnicodeBlock("SINHALA"),
            MYANMAR
                = new UnicodeBlock("MYANMAR"),
            ETHIOPIC
                = new UnicodeBlock("ETHIOPIC"),
            CHEROKEE
                = new UnicodeBlock("CHEROKEE"),
            UNIFIED_CANADIAN_ABORIGINAL_SYLLABICS
                = new UnicodeBlock("UNIFIED_CANADIAN_ABORIGINAL_SYLLABICS"),
            OGHAM
                = new UnicodeBlock("OGHAM"),
            RUNIC
                = new UnicodeBlock("RUNIC"),
            KHMER
                = new UnicodeBlock("KHMER"),
            MONGOLIAN
                = new UnicodeBlock("MONGOLIAN"),
            BRAILLE_PATTERNS
                = new UnicodeBlock("BRAILLE_PATTERNS"),
            CJK_RADICALS_SUPPLEMENT
                = new UnicodeBlock("CJK_RADICALS_SUPPLEMENT"),
            KANGXI_RADICALS
                = new UnicodeBlock("KANGXI_RADICALS"),
            IDEOGRAPHIC_DESCRIPTION_CHARACTERS =
                new UnicodeBlock("IDEOGRAPHIC_DESCRIPTION_CHARACTERS"),
            BOPOMOFO_EXTENDED
                = new UnicodeBlock("BOPOMOFO_EXTENDED"),
            CJK_UNIFIED_IDEOGRAPHS_EXTENSION_A
                = new UnicodeBlock("CJK_UNIFIED_IDEOGRAPHS_EXTENSION_A"),
            YI_SYLLABLES
                = new UnicodeBlock("YI_SYLLABLES"),
            YI_RADICALS
                = new UnicodeBlock("YI_RADICALS");

        private static final char blockStarts[] = {
            '\u0000', // Basic Latin
            '\u0080', // Latin-1 Supplement
            '\u0100', // Latin Extended-A
            '\u0180', // Latin Extended-B
            '\u0250', // IPA Extensions
            '\u02B0', // Spacing Modifier Letters
            '\u0300', // Combining Diacritical Marks
            '\u0370', // Greek
            '\u0400', // Cyrillic
            '\u0500', // unassigned
            '\u0530', // Armenian
            '\u0590', // Hebrew
            '\u0600', // Arabic
            '\u0700', // Syriac
            '\u0750', // unassigned
            '\u0780', // Thaana
            '\u07C0', // unassigned
            '\u0900', // Devanagari
            '\u0980', // Bengali
            '\u0A00', // Gurmukhi
            '\u0A80', // Gujarati
            '\u0B00', // Oriya
            '\u0B80', // Tamil
            '\u0C00', // Telugu
            '\u0C80', // Kannada
            '\u0D00', // Malayalam
            '\u0D80', // Sinhala
            '\u0E00', // Thai
            '\u0E80', // Lao
            '\u0F00', // Tibetan
            '\u1000', // Myanmar
            '\u10A0', // Georgian
            '\u1100', // Hangul Jamo
            '\u1200', // Ethiopic
            '\u1380', // unassigned
            '\u13A0', // Cherokee
            '\u1400', // Unified Canadian Aboriginal Syllabics
            '\u1680', // Ogham
            '\u16A0', // Runic
            '\u1700', // unassigned
            '\u1780', // Khmer
            '\u1800', // Mongolian
            '\u18B0', // unassigned
            '\u1E00', // Latin Extended Additional
            '\u1F00', // Greek Extended
            '\u2000', // General Punctuation
            '\u2070', // Superscripts and Subscripts
            '\u20A0', // Currency Symbols
            '\u20D0', // Combining Marks for Symbols
            '\u2100', // Letterlike Symbols
            '\u2150', // Number Forms
            '\u2190', // Arrows
            '\u2200', // Mathematical Operators
            '\u2300', // Miscellaneous Technical
            '\u2400', // Control Pictures
            '\u2440', // Optical Character Recognition
            '\u2460', // Enclosed Alphanumerics
            '\u2500', // Box Drawing
            '\u2580', // Block Elements
            '\u25A0', // Geometric Shapes
            '\u2600', // Miscellaneous Symbols
            '\u2700', // Dingbats
            '\u27C0', // unassigned
            '\u2800', // Braille Patterns
            '\u2900', // unassigned
            '\u2E80', // CJK Radicals Supplement
            '\u2F00', // Kangxi Radicals
            '\u2FE0', // unassigned
            '\u2FF0', // Ideographic Description Characters
            '\u3000', // CJK Symbols and Punctuation
            '\u3040', // Hiragana
            '\u30A0', // Katakana
            '\u3100', // Bopomofo
            '\u3130', // Hangul Compatibility Jamo
            '\u3190', // Kanbun
            '\u31A0', // Bopomofo Extended
            '\u31C0', // unassigned
            '\u3200', // Enclosed CJK Letters and Months
            '\u3300', // CJK Compatibility
            '\u3400', // CJK Unified Ideographs Extension A
            '\u4DB6', // unassigned
            '\u4E00', // CJK Unified Ideographs
            '\uA000', // Yi Syllables
            '\uA490', // Yi Radicals
            '\uA4D0', // unassigned
            '\uAC00', // Hangul Syllables
            '\uD7A4', // unassigned
            '\uD800', // Surrogates
            '\uE000', // Private Use
            '\uF900', // CJK Compatibility Ideographs
            '\uFB00', // Alphabetic Presentation Forms
            '\uFB50', // Arabic Presentation Forms-A
            '\uFE00', // unassigned
            '\uFE20', // Combining Half Marks
            '\uFE30', // CJK Compatibility Forms
            '\uFE50', // Small Form Variants
            '\uFE70', // Arabic Presentation Forms-B
            '\uFEFF', // Specials
            '\uFF00', // Halfwidth and Fullwidth Forms
            '\uFFF0', // Specials
            '\uFFFE', // non-characters
        };

        private static final UnicodeBlock[] blocks = {
            BASIC_LATIN,
            LATIN_1_SUPPLEMENT,
            LATIN_EXTENDED_A,
            LATIN_EXTENDED_B,
            IPA_EXTENSIONS,
            SPACING_MODIFIER_LETTERS,
            COMBINING_DIACRITICAL_MARKS,
            GREEK,
            CYRILLIC,
            null,
            ARMENIAN,
            HEBREW,
            ARABIC,
            SYRIAC,
            null,
            THAANA,
            null,
            DEVANAGARI,
            BENGALI,
            GURMUKHI,
            GUJARATI,
            ORIYA,
            TAMIL,
            TELUGU,
            KANNADA,
            MALAYALAM,
            SINHALA,
            THAI,
            LAO,
            TIBETAN,
            MYANMAR,
            GEORGIAN,
            HANGUL_JAMO,
            ETHIOPIC,
            null,
            CHEROKEE,
            UNIFIED_CANADIAN_ABORIGINAL_SYLLABICS,
            OGHAM,
            RUNIC,
            null,
            KHMER,
            MONGOLIAN,
            null,
            LATIN_EXTENDED_ADDITIONAL,
            GREEK_EXTENDED,
            GENERAL_PUNCTUATION,
            SUPERSCRIPTS_AND_SUBSCRIPTS,
            CURRENCY_SYMBOLS,
            COMBINING_MARKS_FOR_SYMBOLS,
            LETTERLIKE_SYMBOLS,
            NUMBER_FORMS,
            ARROWS,
            MATHEMATICAL_OPERATORS,
            MISCELLANEOUS_TECHNICAL,
            CONTROL_PICTURES,
            OPTICAL_CHARACTER_RECOGNITION,
            ENCLOSED_ALPHANUMERICS,
            BOX_DRAWING,
            BLOCK_ELEMENTS,
            GEOMETRIC_SHAPES,
            MISCELLANEOUS_SYMBOLS,
            DINGBATS,
            null,
            BRAILLE_PATTERNS,
            null,
            CJK_RADICALS_SUPPLEMENT,
            KANGXI_RADICALS,
            null,
            IDEOGRAPHIC_DESCRIPTION_CHARACTERS,
            CJK_SYMBOLS_AND_PUNCTUATION,
            HIRAGANA,
            KATAKANA,
            BOPOMOFO,
            HANGUL_COMPATIBILITY_JAMO,
            KANBUN,
            BOPOMOFO_EXTENDED,
            null,
            ENCLOSED_CJK_LETTERS_AND_MONTHS,
            CJK_COMPATIBILITY,
            CJK_UNIFIED_IDEOGRAPHS_EXTENSION_A,
            null,
            CJK_UNIFIED_IDEOGRAPHS,
            YI_SYLLABLES,
            YI_RADICALS,
            null,
            HANGUL_SYLLABLES,
            null,
            SURROGATES_AREA,
            PRIVATE_USE_AREA,
            CJK_COMPATIBILITY_IDEOGRAPHS,
            ALPHABETIC_PRESENTATION_FORMS,
            ARABIC_PRESENTATION_FORMS_A,
            null,
            COMBINING_HALF_MARKS,
            CJK_COMPATIBILITY_FORMS,
            SMALL_FORM_VARIANTS,
            ARABIC_PRESENTATION_FORMS_B,
            SPECIALS,
            HALFWIDTH_AND_FULLWIDTH_FORMS,
            SPECIALS,
            null,
        };

        /**
         * Returns the object representing the Unicode block containing the
         * given character, or null if the character is not a
         * member of a defined block.
         *
         * @param   c  The character in question
         * @return  The UnicodeBlock instance representing the
         *          Unicode block of which this character is a member, or
         *          null if the character is not a member of any
         *          Unicode block
         */
        public static UnicodeBlock of(char c) {
            int top, bottom, current;
            bottom = 0;
            top = blockStarts.length;
            current = top/2;
            // invariant: top > current >= bottom && ch >= unicodeBlockStarts[bottom]
            while (top - bottom > 1) {
                if (c >= blockStarts[current]) {
                    bottom = current;
                } else {
                    top = current;
                }
                current = (top + bottom) / 2;
            }
            return blocks[current];
        }
    }

    /**
     * The value of the Character.
     *
     * @serial
     */
    private char value;

    /** use serialVersionUID from JDK 1.0.2 for interoperability */
    private static final long serialVersionUID = 3786198910865385080L;

    /**
     * Constructs a newly allocated Character object that
     * represents the specified char value.
     *
     * @param  value   the value to be represented by the 
     *			Character object.
     */
    public Character(char value) {
        this.value = value;
    }

    /**
     * Returns the value of this Character object.
     * @return  the primitive char value represented by
     *          this object.
     */
    public char charValue() {
        return value;
    }

    /**
     * Returns a hash code for this Character.
     * @return  a hash code value for this object.
     */
    public int hashCode() {
        return (int)value;
    }

    /**
     * Compares this object against the specified object.
     * The result is true if and only if the argument is not
     * null and is a Character object that
     * represents the same char value as this object.
     *
     * @param   obj   the object to compare with.
     * @return  true if the objects are the same;
     *          false otherwise.
     */
    public boolean equals(Object obj) {
        if (obj instanceof Character) {
            return value == ((Character)obj).charValue();
        }
        return false;
    }

    /**
     * Returns a String object representing this
     * Character's value.  The result is a string of
     * length 1 whose sole component is the primitive
     * char value represented by this
     * Character object.
     *
     * @return  a string representation of this object.
     */
    public String toString() {
        char buf[] = {value};
        return String.valueOf(buf);
    }

    /**
     * Returns a String object representing the
     * specified char.  The result is a string of length
     * 1 consisting solely of the specified char.
     *
     * @param c the char to be converted
     * @return the string representation of the specified char
     * @since 1.4
     */
    public static String toString(char c) {
        return String.valueOf(c);
    }


   /**
     * Determines if the specified character is a lowercase character.
     * 
    
     * A character is lowercase if its general category type, provided
     * by Character.getType(ch), is
     * LOWERCASE_LETTER.
     * 
    
     * The following are examples of lowercase characters:
     * 
         * a b c d e f g h i j k l m n o p q r s t u v w x y z
     * '\u00DF' '\u00E0' '\u00E1' '\u00E2' '\u00E3' '\u00E4' '\u00E5' '\u00E6' 
     * '\u00E7' '\u00E8' '\u00E9' '\u00EA' '\u00EB' '\u00EC' '\u00ED' '\u00EE'
     * '\u00EF' '\u00F0' '\u00F1' '\u00F2' '\u00F3' '\u00F4' '\u00F5' '\u00F6'
     * '\u00F8' '\u00F9' '\u00FA' '\u00FB' '\u00FC' '\u00FD' '\u00FE' '\u00FF'
     * 
    
     * 
     Many other Unicode characters are lowercase too.
     * 
    
     *
     * @param   ch   the character to be tested.
     * @return  true if the character is lowercase;
     *          false otherwise.
     * @see     java.lang.Character#isLowerCase(char)
     * @see     java.lang.Character#isTitleCase(char)
     * @see     java.lang.Character#toLowerCase(char)
     * @see     java.lang.Character#getType(char)
     */
    public static boolean isLowerCase(char ch) {
        if (ch <= FAST_PATH_MAX) {
            return CharacterDataLatin1.isLowerCase(ch);
        } else {
            return CharacterData.isLowerCase(ch);
        }
    }

   /**
     * Determines if the specified character is an uppercase character.
     * 
    
     * A character is uppercase if its general category type, provided by
     * Character.getType(ch), is UPPERCASE_LETTER.
     * 
    
     * The following are examples of uppercase characters:
     * 
         * A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
     * '\u00C0' '\u00C1' '\u00C2' '\u00C3' '\u00C4' '\u00C5' '\u00C6' '\u00C7'
     * '\u00C8' '\u00C9' '\u00CA' '\u00CB' '\u00CC' '\u00CD' '\u00CE' '\u00CF'
     * '\u00D0' '\u00D1' '\u00D2' '\u00D3' '\u00D4' '\u00D5' '\u00D6' '\u00D8'
     * '\u00D9' '\u00DA' '\u00DB' '\u00DC' '\u00DD' '\u00DE'
     * 
    
     * 
     Many other Unicode characters are uppercase too.
    
     *
     * @param   ch   the character to be tested.
     * @return  true if the character is uppercase;
     *          false otherwise.
     * @see     java.lang.Character#isLowerCase(char)
     * @see     java.lang.Character#isTitleCase(char)
     * @see     java.lang.Character#toUpperCase(char)
     * @see     java.lang.Character#getType(char)
     * @since   1.0
     */
    public static boolean isUpperCase(char ch) {
        if (ch <= FAST_PATH_MAX) {
            return CharacterDataLatin1.isUpperCase(ch);
        } else {
            return CharacterData.isUpperCase(ch);
        }
    }

    /**
     * Determines if the specified character is a titlecase character.
     * 
     
     * A character is a titlecase character if its general
     * category type, provided by Character.getType(ch),
     * is TITLECASE_LETTER.
     * 
    
     * Some characters look like pairs of Latin letters. For example, there
     * is an uppercase letter that looks like "LJ" and has a corresponding
     * lowercase letter that looks like "lj". A third form, which looks like "Lj",
     * is the appropriate form to use when rendering a word in lowercase
     * with initial capitals, as for a book title.
     * 
    
     * These are some of the Unicode characters for which this method returns
     * true:
     * 
      
     * 
    • LATIN CAPITAL LETTER D WITH SMALL LETTER Z WITH CARON
     * 
    • LATIN CAPITAL LETTER L WITH SMALL LETTER J
     * 
    • LATIN CAPITAL LETTER N WITH SMALL LETTER J
     * 
    • LATIN CAPITAL LETTER D WITH SMALL LETTER Z
     * 
    
     * 
     Many other Unicode characters are titlecase too.
    
     *
     * @param   ch   the character to be tested.
     * @return  true if the character is titlecase;
     *          false otherwise.
     * @see     java.lang.Character#isLowerCase(char)
     * @see     java.lang.Character#isUpperCase(char)
     * @see     java.lang.Character#toTitleCase(char)
     * @see     java.lang.Character#getType(char)
     * @since   1.0.2
     */
    public static boolean isTitleCase(char ch) {
        if (ch <= FAST_PATH_MAX) {
            return CharacterDataLatin1.isTitleCase(ch);
        } else {
            return CharacterData.isTitleCase(ch);
        }
    }

    /**
     * Determines if the specified character is a digit.
     * 
    
     * A character is a digit if its general category type, provided
     * by Character.getType(ch), is
     * DECIMAL_DIGIT_NUMBER.
     * 
    
     * Some Unicode character ranges that contain digits:
     * 
      
     * 
    • '\u0030' through '\u0039', 
     *	   ISO-LATIN-1 digits ('0' through '9')
     * 
    • '\u0660' through '\u0669',
     *	   Arabic-Indic digits
     * 
    • '\u06F0' through '\u06F9',
     * 	   Extended Arabic-Indic digits
     * 
    • '\u0966' through '\u096F',
     *	   Devanagari digits
     * 
    • '\uFF10' through '\uFF19',
     *	   Fullwidth digits
     * 
    
     *
     * Many other character ranges contain digits as well.
     *
     * @param   ch   the character to be tested.
     * @return  true if the character is a digit;
     *          false otherwise.
     * @see     java.lang.Character#digit(char, int)
     * @see     java.lang.Character#forDigit(int, int)
     * @see     java.lang.Character#getType(char)
     */
    public static boolean isDigit(char ch) {
        if (ch <= FAST_PATH_MAX) {
            return CharacterDataLatin1.isDigit(ch);
        } else {
            return CharacterData.isDigit(ch);
        }
    }

    /**
     * Determines if a character is defined in Unicode.
     * 
    
     * A character is defined if at least one of the following is true:
     * 
      
     * 
    • It has an entry in the UnicodeData file.
     * 
    • It has a value in a range defined by the UnicodeData file.
     * 
    
     *
     * @param   ch   the character to be tested
     * @return  true if the character has a defined meaning
     *          in Unicode; false otherwise.
     * @see     java.lang.Character#isDigit(char)
     * @see     java.lang.Character#isLetter(char)
     * @see     java.lang.Character#isLetterOrDigit(char)
     * @see     java.lang.Character#isLowerCase(char)
     * @see     java.lang.Character#isTitleCase(char)
     * @see     java.lang.Character#isUpperCase(char)
     * @since   1.0.2
     */
    public static boolean isDefined(char ch) {
        if (ch <= FAST_PATH_MAX) {
            return CharacterDataLatin1.isDefined(ch);
        } else {
            return CharacterData.isDefined(ch);
        }
    }

    /**
     * Determines if the specified character is a letter.
     * 
    
     * A character is considered to be a letter if its general
     * category type, provided by Character.getType(ch),
     * is any of the following:
     * 
      
     * 
    •  UPPERCASE_LETTER
     * 
    •  LOWERCASE_LETTER
     * 
    •  TITLECASE_LETTER
     * 
    •  MODIFIER_LETTER
     * 
    •  OTHER_LETTER
     * 
    
     *
     * Not all letters have case. Many characters are
     * letters but are neither uppercase nor lowercase nor titlecase.
     *
     * @param   ch   the character to be tested.
     * @return  true if the character is a letter;
     *          false otherwise.
     * @see     java.lang.Character#isDigit(char)
     * @see     java.lang.Character#isJavaIdentifierStart(char)
     * @see     java.lang.Character#isJavaLetter(char)
     * @see     java.lang.Character#isJavaLetterOrDigit(char)
     * @see     java.lang.Character#isLetterOrDigit(char)
     * @see     java.lang.Character#isLowerCase(char)
     * @see     java.lang.Character#isTitleCase(char)
     * @see     java.lang.Character#isUnicodeIdentifierStart(char)
     * @see     java.lang.Character#isUpperCase(char)
     */
    public static boolean isLetter(char ch) {
        if (ch <= FAST_PATH_MAX) {
            return CharacterDataLatin1.isLetter(ch);
        } else {
            return CharacterData.isLetter(ch);
        }
    }

    /**
     * Determines if the specified character is a letter or digit.
     * 
    
     * A character is considered to be a letter or digit if either
     * Character.isLetter(char ch) or
     * Character.isDigit(char ch) returns
     * true for the character.
     *
     * @param   ch   the character to be tested.
     * @return  true if the character is a letter or digit;
     *          false otherwise.
     * @see     java.lang.Character#isDigit(char)
     * @see     java.lang.Character#isJavaIdentifierPart(char)
     * @see     java.lang.Character#isJavaLetter(char)
     * @see     java.lang.Character#isJavaLetterOrDigit(char)
     * @see     java.lang.Character#isLetter(char)
     * @see     java.lang.Character#isUnicodeIdentifierPart(char)
     * @since   1.0.2
     */
    public static boolean isLetterOrDigit(char ch) {
        if (ch <= FAST_PATH_MAX) {
            return CharacterDataLatin1.isLetterOrDigit(ch);
        } else {
            return CharacterData.isLetterOrDigit(ch);
        }
    }

    /**
     * Determines if the specified character is permissible as the first
     * character in a Java identifier.
     * 
    
     * A character may start a Java identifier if and only if
     * one of the following is true:
     * 
      
     * 
    •  {@link #isLetter(char) isLetter(ch)} returns true
     * 
    •  {@link #getType(char) getType(ch)} returns LETTER_NUMBER
     * 
    •  ch is a currency symbol (such as "$")
     * 
    •  ch is a connecting punctuation character (such as "_").
     * 
    
     *
     * @param   ch the character to be tested.
     * @return  true if the character may start a Java
     *          identifier; false otherwise.
     * @see     java.lang.Character#isJavaLetterOrDigit(char)
     * @see     java.lang.Character#isJavaIdentifierStart(char)
     * @see     java.lang.Character#isJavaIdentifierPart(char)
     * @see     java.lang.Character#isLetter(char)
     * @see     java.lang.Character#isLetterOrDigit(char)
     * @see     java.lang.Character#isUnicodeIdentifierStart(char)
     * @since   1.02
     * @deprecated Replaced by isJavaIdentifierStart(char).
     */
    public static boolean isJavaLetter(char ch) {
        return isJavaIdentifierStart(ch);
    }

    /**
     * Determines if the specified character may be part of a Java
     * identifier as other than the first character.
     * 
    
     * A character may be part of a Java identifier if and only if any
     * of the following are true:
     * 
      
     * 
    •   it is a letter
     * 
    •   it is a currency symbol (such as '$')
     * 
    •   it is a connecting punctuation character (such as '_')
     * 
    •   it is a digit
     * 
    •   it is a numeric letter (such as a Roman numeral character)
     * 
    •   it is a combining mark
     * 
    •   it is a non-spacing mark
     * 
    •  isIdentifierIgnorable returns
     * true for the character.
     * 
    
     *
     * @param   ch the character to be tested.
     * @return  true if the character may be part of a
     *          Java identifier; false otherwise.
     * @see     java.lang.Character#isJavaLetter(char)
     * @see     java.lang.Character#isJavaIdentifierStart(char)
     * @see     java.lang.Character#isJavaIdentifierPart(char)
     * @see     java.lang.Character#isLetter(char)
     * @see     java.lang.Character#isLetterOrDigit(char)
     * @see     java.lang.Character#isUnicodeIdentifierPart(char)
     * @see     java.lang.Character#isIdentifierIgnorable(char)
     * @since   1.02
     * @deprecated Replaced by isJavaIdentifierPart(char).
     */
    public static boolean isJavaLetterOrDigit(char ch) {
        return isJavaIdentifierPart(ch);
    }

    /**
     * Determines if the specified character is
     * permissible as the first character in a Java identifier.
     * 
    
     * A character may start a Java identifier if and only if
     * one of the following conditions is true:
     * 
      
     * 
    •  {@link #isLetter(char) isLetter(ch)} returns true
     * 
    •  {@link #getType(char) getType(ch)} returns LETTER_NUMBER
     * 
    •  ch is a currency symbol (such as "$")
     * 
    •  ch is a connecting punctuation character (such as "_").
     * 
    
     *
     * @param   ch the character to be tested.
     * @return  true if the character may start a Java identifier;
     *          false otherwise.
     * @see     java.lang.Character#isJavaIdentifierPart(char)
     * @see     java.lang.Character#isLetter(char)
     * @see     java.lang.Character#isUnicodeIdentifierStart(char)
     * @since   1.1
     */
    public static boolean isJavaIdentifierStart(char ch) {
        if (ch <= FAST_PATH_MAX) {
            return CharacterDataLatin1.isJavaIdentifierStart(ch);
        } else {
            return CharacterData.isJavaIdentifierStart(ch);
        }
    }

    /**
     * Determines if the specified character may be part of a Java
     * identifier as other than the first character.
     * 
    
     * A character may be part of a Java identifier if any of the following
     * are true:
     * 
      
     * 
    •   it is a letter
     * 
    •   it is a currency symbol (such as '$')
     * 
    •   it is a connecting punctuation character (such as '_')
     * 
    •   it is a digit
     * 
    •   it is a numeric letter (such as a Roman numeral character)
     * 
    •   it is a combining mark
     * 
    •   it is a non-spacing mark
     * 
    •  isIdentifierIgnorable returns
     * true for the character
     * 
    
     *
     * @param   ch	the character to be tested.
     * @return true if the character may be part of a
     * 		Java identifier; false otherwise.
     * @see     java.lang.Character#isIdentifierIgnorable(char)
     * @see     java.lang.Character#isJavaIdentifierStart(char)
     * @see     java.lang.Character#isLetterOrDigit(char)
     * @see     java.lang.Character#isUnicodeIdentifierPart(char)
     * @since   1.1
     */
    public static boolean isJavaIdentifierPart(char ch) {
        if (ch <= FAST_PATH_MAX) {
            return CharacterDataLatin1.isJavaIdentifierPart(ch);
        } else {
            return CharacterData.isJavaIdentifierPart(ch);
        }
    }

    /**
     * Determines if the specified character is permissible as the
     * first character in a Unicode identifier.
     * 
    
     * A character may start a Unicode identifier if and only if
     * one of the following conditions is true:
     * 
      
     * 
    •  {@link #isLetter(char) isLetter(ch)} returns true
     * 
    •  {@link #getType(char) getType(ch)} returns 
     *      LETTER_NUMBER.
     * 
    
     * @param   ch	the character to be tested.
     * @return  true if the character may start a Unicode 
     *          identifier; false otherwise.
     * @see     java.lang.Character#isJavaIdentifierStart(char)
     * @see     java.lang.Character#isLetter(char)
     * @see     java.lang.Character#isUnicodeIdentifierPart(char)
     * @since   1.1
     */
    public static boolean isUnicodeIdentifierStart(char ch) {
        if (ch <= FAST_PATH_MAX) {
            return CharacterDataLatin1.isUnicodeIdentifierStart(ch);
        } else {
            return CharacterData.isUnicodeIdentifierStart(ch);
        }
    }

    /**
     * Determines if the specified character may be part of a Unicode
     * identifier as other than the first character.
     * 
    
     * A character may be part of a Unicode identifier if and only if
     * one of the following statements is true:
     * 
      
     * 
    •   it is a letter
     * 
    •   it is a connecting punctuation character (such as '_')
     * 
    •   it is a digit
     * 
    •   it is a numeric letter (such as a Roman numeral character)
     * 
    •   it is a combining mark
     * 
    •   it is a non-spacing mark
     * 
    •  isIdentifierIgnorable returns
     * true for this character.
     * 
    
     *
     * @param   ch	the character to be tested.
     * @return  true if the character may be part of a 
     *          Unicode identifier; false otherwise.
     * @see     java.lang.Character#isIdentifierIgnorable(char)
     * @see     java.lang.Character#isJavaIdentifierPart(char)
     * @see     java.lang.Character#isLetterOrDigit(char)
     * @see     java.lang.Character#isUnicodeIdentifierStart(char)
     * @since   1.1
     */
    public static boolean isUnicodeIdentifierPart(char ch) {
        if (ch <= FAST_PATH_MAX) {
            return CharacterDataLatin1.isUnicodeIdentifierPart(ch);
        } else {
            return CharacterData.isUnicodeIdentifierPart(ch);
        }
    }

    /**
     * Determines if the specified character should be regarded as
     * an ignorable character in a Java identifier or a Unicode identifier.
     * 
    
     * The following Unicode characters are ignorable in a Java identifier
     * or a Unicode identifier:
     * 
      
     * 
    • ISO control characters that are not whitespace
     * 
        
     * 
      • '\u0000' through '\u0008'
     * 
      • '\u000E' through '\u001B'
     * 
      • '\u007F' through '\u009F'
     * 
      
     *
     * 
    • all characters that have the FORMAT general
     * category value
     * 
    
     *
     * @param   ch	the character to be tested.
     * @return 	true if the character is an ignorable control 
     *          character that may be part of a Java or Unicode identifier;
     *		 false otherwise.
     * @see     java.lang.Character#isJavaIdentifierPart(char)
     * @see     java.lang.Character#isUnicodeIdentifierPart(char)
     * @since   1.1
     */
    public static boolean isIdentifierIgnorable(char ch) {
        if (ch <= FAST_PATH_MAX) {
            return CharacterDataLatin1.isIdentifierIgnorable(ch);
        } else {
            return CharacterData.isIdentifierIgnorable(ch);
        }
    }

    /**
     * Converts the character argument to lowercase using case
     * mapping information from the UnicodeData file.
     * 
    
     * Note that
     * Character.isLowerCase(Character.toLowerCase(ch))
     * does not always return true for some ranges of
     * characters, particularly those that are symbols or ideographs.
     *
     * @param   ch   the character to be converted.
     * @return  the lowercase equivalent of the character, if any;
     *          otherwise, the character itself.
     * @see     java.lang.Character#isLowerCase(char)
     * @see     java.lang.Character#isUpperCase(char)
     * @see     java.lang.Character#toTitleCase(char)
     * @see     java.lang.Character#toUpperCase(char)
     */
    public static char toLowerCase(char ch) {
        if (ch <= FAST_PATH_MAX) {
            return CharacterDataLatin1.toLowerCase(ch);
        } else {
            return CharacterData.toLowerCase(ch);
        }
    }

    /**
     * Converts the character argument to uppercase using case mapping
     * information from the UnicodeData file.
     * 
    
     * Note that
     * Character.isUpperCase(Character.toUpperCase(ch))
     * does not always return true for some ranges of
     * characters, particularly those that are symbols or ideographs.
     *
     * @param   ch   the character to be converted.
     * @return  the uppercase equivalent of the character, if any;
     *          otherwise, the character itself.
     * @see     java.lang.Character#isLowerCase(char)
     * @see     java.lang.Character#isUpperCase(char)
     * @see     java.lang.Character#toLowerCase(char)
     * @see     java.lang.Character#toTitleCase(char)
     */
    public static char toUpperCase(char ch) {
        if (ch <= FAST_PATH_MAX) {
            return CharacterDataLatin1.toUpperCase(ch);
        } else {
            return CharacterData.toUpperCase(ch);
        }
    }

    /**
     * Converts the character argument to titlecase using case mapping
     * information from the UnicodeData file. If a character has no
     * explicit titlecase mapping and is not itself a titlecase char
     * according to UnicodeData, then the uppercase mapping is
     * returned as an equivalent titlecase mapping. If the
     * char argument is already a titlecase
     * char, the same char value will be
     * returned.
     * 
    
     * Note that
     * Character.isTitleCase(Character.toTitleCase(ch))
     * does not always return true for some ranges of
     * characters.
     *
     * @param   ch   the character to be converted.
     * @return  the titlecase equivalent of the character, if any;
     *          otherwise, the character itself.
     * @see     java.lang.Character#isTitleCase(char)
     * @see     java.lang.Character#toLowerCase(char)
     * @see     java.lang.Character#toUpperCase(char)
     * @since   1.0.2
     */
    public static char toTitleCase(char ch) {
        if (ch <= FAST_PATH_MAX) {
            return CharacterDataLatin1.toTitleCase(ch);
        } else {
            return CharacterData.toTitleCase(ch);
        }
    }

    /**
     * Returns the numeric value of the character ch in the
     * specified radix.
     * 
    
     * If the radix is not in the range MIN_RADIX <=
     * radix <= MAX_RADIX or if the
     * value of ch is not a valid digit in the specified
     * radix, -1 is returned. A character is a valid digit
     * if at least one of the following is true:
     * 
      
     * 
    • The method isDigit is true of the character
     *     and the Unicode decimal digit value of the character (or its
     *     single-character decomposition) is less than the specified radix.
     *     In this case the decimal digit value is returned.
     * 
    • The character is one of the uppercase Latin letters
     *     'A' through 'Z' and its code is less than
     *     radix + 'A' - 10.
     *     In this case, ch - 'A' + 10
     *     is returned.
     * 
    • The character is one of the lowercase Latin letters
     *     'a' through 'z' and its code is less than
     *     radix + 'a' - 10.
     *     In this case, ch - 'a' + 10
     *     is returned.
     * 
    
     *
     * @param   ch      the character to be converted.
     * @param   radix   the radix.
     * @return  the numeric value represented by the character in the
     *          specified radix.
     * @see     java.lang.Character#forDigit(int, int)
     * @see     java.lang.Character#isDigit(char)
     */
    public static int digit(char ch, int radix) {
        if (ch <= FAST_PATH_MAX) {
            return CharacterDataLatin1.digit(ch, radix);
        } else {
            return CharacterData.digit(ch, radix);
        }
    }

    /**
     * Returns the int value that the specified Unicode
     * character represents. For example, the character
     * '\u216C' (the roman numeral fifty) will return
     * an int with a value of 50.
     * 
    
     * The letters A-Z in their uppercase ('\u0041' through
     * '\u005A'), lowercase
     * ('\u0061' through '\u007A'), and
     * full width variant ('\uFF21' through
     * '\uFF3A' and '\uFF41' through
     * '\uFF5A') forms have numeric values from 10
     * through 35. This is independent of the Unicode specification,
     * which does not assign numeric values to these char
     * values.
     * 
    
     * If the character does not have a numeric value, then -1 is returned.
     * If the character has a numeric value that cannot be represented as a
     * nonnegative integer (for example, a fractional value), then -2
     * is returned.
     *
     * @param   ch	the character to be converted.
     * @return  the numeric value of the character, as a nonnegative int
     *           value; -2 if the character has a numeric value that is not a
     *          nonnegative integer; -1 if the character has no numeric value.
     * @see     java.lang.Character#forDigit(int, int)
     * @see     java.lang.Character#isDigit(char)
     * @since   1.1
     */
    public static int getNumericValue(char ch) {
        if (ch <= FAST_PATH_MAX) {
            return CharacterDataLatin1.getNumericValue(ch);
        } else {
            return CharacterData.getNumericValue(ch);
        }
    }

    /**
     * Determines if the specified character is ISO-LATIN-1 white space.
     * This method returns true for the following five
     * characters only:
     * 
     * 
     *     
     * 
     *     
     * 
     *     
     * 
     *     
     * 
     *     
     * 
    '\t'            '\u0009'HORIZONTAL TABULATION
    '\n'            '\u000A'NEW LINE
    '\f'            '\u000C'FORM FEED
    '\r'            '\u000D'CARRIAGE RETURN
    ' '  '\u0020'SPACE
    
     *
     * @param      ch   the character to be tested.
     * @return     true if the character is ISO-LATIN-1 white
     *             space; false otherwise.
     * @see        java.lang.Character#isSpaceChar(char)
     * @see        java.lang.Character#isWhitespace(char)
     * @deprecated Replaced by isWhitespace(char).
     */
    public static boolean isSpace(char ch) {
        return (ch <= 0x0020) &&
            (((((1L << 0x0009) |
            (1L << 0x000A) |
            (1L << 0x000C) |
            (1L << 0x000D) |
            (1L << 0x0020)) >> ch) & 1L) != 0);
    }

    /**
     * Determines if the specified character is a Unicode space character.
     * A character is considered to be a space character if and only if
     * it is specified to be a space character by the Unicode standard. This
     * method returns true if the character's general category type is any of
     * the following:
     * 
      
     * 
    •  SPACE_SEPARATOR
     * 
    •  LINE_SEPARATOR
     * 
    •  PARAGRAPH_SEPARATOR
     * 
    
     *
     * @param   ch	the character to be tested.
     * @return 	true if the character is a space character; 
     *		false otherwise.
     * @see     java.lang.Character#isWhitespace(char)
     * @since   1.1
     */
    public static boolean isSpaceChar(char ch) {
        if (ch <=  FAST_PATH_MAX) {
            return CharacterDataLatin1.isSpaceChar(ch);
        } else {
            return CharacterData.isSpaceChar(ch);
        }
    }

    /**
     * Determines if the specified character is white space according to Java.
     * A character is a Java whitespace character if and only if it satisfies
     * one of the following criteria:
     * 
      
     * 
    •  It is a Unicode space character (SPACE_SEPARATOR,
     * 	    LINE_SEPARATOR, or PARAGRAPH_SEPARATOR) 
     *      but is not also a non-breaking space ('\u00A0',
     *      '\u2007', '\u202F').
     * 
    •  It is '\u0009', HORIZONTAL TABULATION.
     * 
    •  It is '\u000A', LINE FEED.
     * 
    •  It is '\u000B', VERTICAL TABULATION.
     * 
    •  It is '\u000C', FORM FEED.
     * 
    •  It is '\u000D', CARRIAGE RETURN.
     * 
    •  It is '\u001C', FILE SEPARATOR.
     * 
    •  It is '\u001D', GROUP SEPARATOR.
     * 
    •  It is '\u001E', RECORD SEPARATOR.
     * 
    •  It is '\u001F', UNIT SEPARATOR.
     * 
    
     *
     * @param   ch the character to be tested.
     * @return  true if the character is a Java whitespace
     *          character; false otherwise.
     * @see     java.lang.Character#isSpaceChar(char)
     * @since   1.1
     */
    public static boolean isWhitespace(char ch) {
        if (ch <= FAST_PATH_MAX) {
            return CharacterDataLatin1.isWhitespace(ch);
        } else {
            return CharacterData.isWhitespace(ch);
        }
    }

    /**
     * Determines if the specified character is an ISO control
     * character.  A character is considered to be an ISO control
     * character if its code is in the range '\u0000'
     * through '\u001F' or in the range
     * '\u007F' through '\u009F'.
     *
     * @param   ch	the character to be tested.
     * @return  true if the character is an ISO control character;
     *          false otherwise.
     *
     * @see     java.lang.Character#isSpaceChar(char)
     * @see     java.lang.Character#isWhitespace(char)
     * @since   1.1
     */
    public static boolean isISOControl(char ch) {
        return (ch <= 0x009F) && ((ch <= 0x001F) || (ch >= 0x007F));
    }

    /**
     * Returns a value indicating a character's general category.
     *
     * @param   ch      the character to be tested.
     * @return  a value of type int representing the 
     *		character's general category.
     * @see     java.lang.Character#COMBINING_SPACING_MARK
     * @see     java.lang.Character#CONNECTOR_PUNCTUATION
     * @see     java.lang.Character#CONTROL
     * @see     java.lang.Character#CURRENCY_SYMBOL
     * @see     java.lang.Character#DASH_PUNCTUATION
     * @see     java.lang.Character#DECIMAL_DIGIT_NUMBER
     * @see     java.lang.Character#ENCLOSING_MARK
     * @see     java.lang.Character#END_PUNCTUATION
     * @see     java.lang.Character#FINAL_QUOTE_PUNCTUATION
     * @see     java.lang.Character#FORMAT
     * @see     java.lang.Character#INITIAL_QUOTE_PUNCTUATION
     * @see     java.lang.Character#LETTER_NUMBER
     * @see     java.lang.Character#LINE_SEPARATOR
     * @see     java.lang.Character#LOWERCASE_LETTER
     * @see     java.lang.Character#MATH_SYMBOL
     * @see     java.lang.Character#MODIFIER_LETTER
     * @see     java.lang.Character#MODIFIER_SYMBOL
     * @see     java.lang.Character#NON_SPACING_MARK
     * @see     java.lang.Character#OTHER_LETTER
     * @see     java.lang.Character#OTHER_NUMBER
     * @see     java.lang.Character#OTHER_PUNCTUATION
     * @see     java.lang.Character#OTHER_SYMBOL
     * @see     java.lang.Character#PARAGRAPH_SEPARATOR
     * @see     java.lang.Character#PRIVATE_USE
     * @see     java.lang.Character#SPACE_SEPARATOR
     * @see     java.lang.Character#START_PUNCTUATION
     * @see     java.lang.Character#SURROGATE
     * @see     java.lang.Character#TITLECASE_LETTER
     * @see     java.lang.Character#UNASSIGNED
     * @see     java.lang.Character#UPPERCASE_LETTER
     * @since   1.1
     */
    public static int getType(char ch) {
        if (ch <= FAST_PATH_MAX) {
            return CharacterDataLatin1.getType(ch);
        } else {
            return CharacterData.getType(ch);
        }
    }

    /**
     * Determines the character representation for a specific digit in
     * the specified radix. If the value of radix is not a
     * valid radix, or the value of digit is not a valid
     * digit in the specified radix, the null character
     * ('\u0000') is returned.
     * 
    
     * The radix argument is valid if it is greater than or
     * equal to MIN_RADIX and less than or equal to
     * MAX_RADIX. The digit argument is valid if
     * 0 <=digit < radix.
     * 
    
     * If the digit is less than 10, then
     * '0' + digit is returned. Otherwise, the value
     * 'a' + digit - 10 is returned.
     *
     * @param   digit   the number to convert to a character.
     * @param   radix   the radix.
     * @return  the char representation of the specified digit
     *          in the specified radix.
     * @see     java.lang.Character#MIN_RADIX
     * @see     java.lang.Character#MAX_RADIX
     * @see     java.lang.Character#digit(char, int)
     */
    public static char forDigit(int digit, int radix) {
        if ((digit >= radix) || (digit < 0)) {
            return '\0';
        }
        if ((radix < MIN_RADIX) || (radix > MAX_RADIX)) {
            return '\0';
        }
        if (digit < 10) {
            return (char)('0' + digit);
        }
        return (char)('a' - 10 + digit);
    }

    /**
     * Returns the Unicode directionality property for the given
     * character.  Character directionality is used to calculate the
     * visual ordering of text. The directionality value of undefined
     * char values is DIRECTIONALITY_UNDEFINED.
     *
     * @param  ch char for which the directionality property 
     *            is requested.
     * @return the directionality property of the char value.
     *
     * @see Character#DIRECTIONALITY_UNDEFINED
     * @see Character#DIRECTIONALITY_LEFT_TO_RIGHT
     * @see Character#DIRECTIONALITY_RIGHT_TO_LEFT
     * @see Character#DIRECTIONALITY_RIGHT_TO_LEFT_ARABIC
     * @see Character#DIRECTIONALITY_EUROPEAN_NUMBER
     * @see Character#DIRECTIONALITY_EUROPEAN_NUMBER_SEPARATOR
     * @see Character#DIRECTIONALITY_EUROPEAN_NUMBER_TERMINATOR
     * @see Character#DIRECTIONALITY_ARABIC_NUMBER
     * @see Character#DIRECTIONALITY_COMMON_NUMBER_SEPARATOR
     * @see Character#DIRECTIONALITY_NONSPACING_MARK
     * @see Character#DIRECTIONALITY_BOUNDARY_NEUTRAL
     * @see Character#DIRECTIONALITY_PARAGRAPH_SEPARATOR
     * @see Character#DIRECTIONALITY_SEGMENT_SEPARATOR
     * @see Character#DIRECTIONALITY_WHITESPACE
     * @see Character#DIRECTIONALITY_OTHER_NEUTRALS
     * @see Character#DIRECTIONALITY_LEFT_TO_RIGHT_EMBEDDING
     * @see Character#DIRECTIONALITY_LEFT_TO_RIGHT_OVERRIDE
     * @see Character#DIRECTIONALITY_RIGHT_TO_LEFT_EMBEDDING
     * @see Character#DIRECTIONALITY_RIGHT_TO_LEFT_OVERRIDE
     * @see Character#DIRECTIONALITY_POP_DIRECTIONAL_FORMAT
     * @since 1.4
     */
    public static byte getDirectionality(char ch) {
        if (ch <= FAST_PATH_MAX) {
            return CharacterDataLatin1.getDirectionality(ch);
        } else {
            return CharacterData.getDirectionality(ch);
        }
    }

    /**
     * Determines whether the character is mirrored according to the
     * Unicode specification.  Mirrored characters should have their
     * glyphs horizontally mirrored when displayed in text that is
     * right-to-left.  For example, '\u0028' LEFT
     * PARENTHESIS is semantically defined to be an opening
     * parenthesis.  This will appear as a "(" in text that is
     * left-to-right but as a ")" in text that is right-to-left.
     *
     * @param  ch char for which the mirrored property is requested
     * @return true if the char is mirrored, false
     *         if the char is not mirrored or is not defined.
     * @since 1.4
     */
    public static boolean isMirrored(char ch) {
        if (ch <= FAST_PATH_MAX) {
            return CharacterDataLatin1.isMirrored(ch);
        } else {
            return CharacterData.isMirrored(ch);
        }
    }

    /**
     * Compares two Character objects numerically.
     *
     * @param   anotherCharacter   the Character to be compared.

     * @return  the value 0 if the argument Character 
     *          is equal to this Character; a value less than 
     *          0 if this Character is numerically less 
     *          than the Character argument; and a value greater than 
     *          0 if this Character is numerically greater 
     *	        than the Character argument (unsigned comparison).  
     *	        Note that this is strictly a numerical comparison; it is not 
     *		locale-dependent.
     * @since   1.2
     */
    public int compareTo(Character anotherCharacter) {
        return this.value - anotherCharacter.value;
    }

    /**
     * Compares this Character object to another object.
     * If the object is a Character, this function
     * behaves like compareTo(Character).  Otherwise, it
     * throws a ClassCastException (as
     * Character objects are comparable only to other
     * Character objects).
     *
     * @param   o the Object to be compared.
     * @return  the value 0 if the argument is a Character
     *		numerically equal to this Character; a value less than
     *		0 if the argument is a Character numerically
     *		greater than this Character; and a value greater than
     *		0 if the argument is a Character numerically
     *		less than this Character.
     * @exception ClassCastException if the argument is not a
     *		  Character.
     * @see     java.lang.Comparable
     * @since 1.2 */
    public int compareTo(Object o) {
        return compareTo((Character)o);
    }


    /**
     * Converts the character argument to uppercase using case mapping
     * information from the UnicodeData file.
     * 
    
     *
     * @param   ch   the char to be converted.
     * @return  either the uppercase equivalent of the character, if 
     *          any, or an error flag (Character.CHAR_ERROR) 
     *          that indicates that a 1:M char mapping exists.
     * @see     java.lang.Character#isLowerCase(char)
     * @see     java.lang.Character#isUpperCase(char)
     * @see     java.lang.Character#toLowerCase(char)
     * @see     java.lang.Character#toTitleCase(char)
     * @since 1.4
     */
    static char toUpperCaseEx(char ch) {
        if (ch <= FAST_PATH_MAX) {
            return CharacterDataLatin1.toUpperCaseEx(ch);
        } else {
            return CharacterData.toUpperCaseEx(ch);
        }
    }

    /**
     * Converts the char argument to uppercase using case
     * mapping information from the SpecialCasing file in the Unicode
     * specification. If a character has no explicit uppercase
     * mapping, then the char itself is returned in the
     * char[].
     *
     * @param ch the char to uppercase
     * @return a char[] with the uppercased character.
     * @since 1.4
     */
    static char[] sharpsMap = new char[] {'S', 'S'};
    
    static char[] toUpperCaseCharArray(char ch) {
        char[] upperMap = {ch};
        if (ch <= FAST_PATH_MAX) {
            if (ch == '\u00DF') {
                upperMap = sharpsMap;
            }
            // else ch -> ch
        } else {
	    int location = findInCharMap(ch);
	    if (location != -1) {
	        upperMap = CharacterData.charMap[location][1];
	    }
        }
        return upperMap;
    }


    /**
     * Finds the character in the uppercase mapping table.
     *
     * @param ch the char to search
     * @return the index location ch in the table or -1 if not found
     * @since 1.4
     */
    static  int findInCharMap(char ch) {
        int top, bottom, current;
        bottom = 0;
        top = CharacterData.charMap.length;
        current = top/2;
        // invariant: top > current >= bottom && ch >= CharacterData.charMap[bottom][0]
        while (top - bottom > 1) {
            if (ch >= CharacterData.charMap[current][0][0]) {
                bottom = current;
            } else {
                top = current;
            }
            current = (top + bottom) / 2;
        }
        if (ch == CharacterData.charMap[current][0][0]) return current;
        else return -1;
    }
}
why-2.39/lib/java_api/java/lang/System.java0000644000106100004300000011225613147234006017551 0ustar  marchevals/*
 * @(#)System.java	1.131 03/01/29
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.lang;

import java.io.*;
//KML import java.util.Properties;
//KML import java.util.PropertyPermission;
//KML import java.util.StringTokenizer;
//KML import java.security.AccessController;
//KML import java.security.PrivilegedAction;
//KML import java.security.AllPermission;
//KML import sun.net.InetAddressCachePolicy;
//KML import sun.reflect.Reflection;
//KML import sun.security.util.SecurityConstants;

/**
 * The System class contains several useful class fields
 * and methods. It cannot be instantiated.
 * 
    
 * Among the facilities provided by the System class
 * are standard input, standard output, and error output streams;
 * access to externally defined "properties"; a means of
 * loading files and libraries; and a utility method for quickly
 * copying a portion of an array.
 *
 * @author  Arthur van Hoff
 * @version 1.131, 01/29/03
 * @since   JDK1.0
 */
public final class System {

    /* First thing---register the natives */
    private static native void registerNatives();
    static {
        registerNatives();
    }

    /** Don't let anyone instantiate this class */
    private System() {
    }

    /**
     * The "standard" input stream. This stream is already
     * open and ready to supply input data. Typically this stream
     * corresponds to keyboard input or another input source specified by
     * the host environment or user.
     */
    public final static InputStream in = nullInputStream();

    /**
     * The "standard" output stream. This stream is already
     * open and ready to accept output data. Typically this stream
     * corresponds to display output or another output destination
     * specified by the host environment or user.
     * 
    
     * For simple stand-alone Java applications, a typical way to write
     * a line of output data is:
     * 
         *     System.out.println(data)
     * 
    
     * 
    
     * See the println methods in class PrintStream.
     *
     * @see     java.io.PrintStream#println()
     * @see     java.io.PrintStream#println(boolean)
     * @see     java.io.PrintStream#println(char)
     * @see     java.io.PrintStream#println(char[])
     * @see     java.io.PrintStream#println(double)
     * @see     java.io.PrintStream#println(float)
     * @see     java.io.PrintStream#println(int)
     * @see     java.io.PrintStream#println(long)
     * @see     java.io.PrintStream#println(java.lang.Object)
     * @see     java.io.PrintStream#println(java.lang.String)
     */
    public final static PrintStream out = nullPrintStream();

    /**
     * The "standard" error output stream. This stream is already
     * open and ready to accept output data.
     * 
    
     * Typically this stream corresponds to display output or another
     * output destination specified by the host environment or user. By
     * convention, this output stream is used to display error messages
     * or other information that should come to the immediate attention
     * of a user even if the principal output stream, the value of the
     * variable out, has been redirected to a file or other
     * destination that is typically not continuously monitored.
     */
    public final static PrintStream err = nullPrintStream();

    /* The security manager for the system.
     */
    //KML private static SecurityManager security = null;

    /**
     * Reassigns the "standard" input stream.
     *
     * 
    First, if there is a security manager, its checkPermission
     * method is called with a RuntimePermission("setIO") permission
     *  to see if it's ok to reassign the "standard" input stream.
     * 
    
     *
     * @param in the new standard input stream.
     *
     * @throws SecurityException
     *        if a security manager exists and its
     *        checkPermission method doesn't allow
     *        reassigning of the standard input stream.
     *
     * @see SecurityManager#checkPermission
     * @see java.lang.RuntimePermission
     *
     * @since   JDK1.1
     */
    /*KML
    public static void setIn(InputStream in) {
	checkIO();
	setIn0(in);
    }
    KML*/

    /**
     * Reassigns the "standard" output stream.
     *
     * 
    First, if there is a security manager, its checkPermission
     * method is called with a RuntimePermission("setIO") permission
     *  to see if it's ok to reassign the "standard" output stream.
     *
     * @param out the new standard output stream
     *
     * @throws SecurityException
     *        if a security manager exists and its
     *        checkPermission method doesn't allow
     *        reassigning of the standard output stream.
     *
     * @see SecurityManager#checkPermission
     * @see java.lang.RuntimePermission
     *
     * @since   JDK1.1
     */
    public static void setOut(PrintStream out) {
	checkIO();
	setOut0(out);
    }

    /**
     * Reassigns the "standard" error output stream.
     *
     * 
    First, if there is a security manager, its checkPermission
     * method is called with a RuntimePermission("setIO") permission
     *  to see if it's ok to reassign the "standard" error output stream.
     *
     * @param err the new standard error output stream.
     *
     * @throws SecurityException
     *        if a security manager exists and its
     *        checkPermission method doesn't allow
     *        reassigning of the standard error output stream.
     *
     * @see SecurityManager#checkPermission
     * @see java.lang.RuntimePermission
     *
     * @since   JDK1.1
     */
    public static void setErr(PrintStream err) {
	checkIO();
	setErr0(err);
    }

    private static void checkIO() {
        if (security != null)
	    security.checkPermission(new RuntimePermission("setIO"));
    }

    //KML private static native void setIn0(InputStream in);
    private static native void setOut0(PrintStream out);
    private static native void setErr0(PrintStream err);

    /**
     * Sets the System security.
     *
     * 
     If there is a security manager already installed, this method first
     * calls the security manager's checkPermission method
     * with a RuntimePermission("setSecurityManager")
     * permission to ensure it's ok to replace the existing
     * security manager.
     * This may result in throwing a SecurityException.
     *
     * 
     Otherwise, the argument is established as the current
     * security manager. If the argument is null and no
     * security manager has been established, then no action is taken and
     * the method simply returns.
     *
     * @param      s   the security manager.
     * @exception  SecurityException  if the security manager has already
     *             been set and its checkPermission method
     *             doesn't allow it to be replaced.
     * @see #getSecurityManager
     * @see SecurityManager#checkPermission
     * @see java.lang.RuntimePermission
     */
    /*KML
    public static
    void setSecurityManager(final SecurityManager s) {
        try {
            s.checkPackageAccess("java.lang");
        } catch (Exception e) {
            // no-op
        }
        setSecurityManager0(s);
    }

    private static synchronized
    void setSecurityManager0(final SecurityManager s) {
	if (security != null) {
 	    // ask the currently installed security manager if we
 	    // can replace it.
 	    security.checkPermission(new RuntimePermission
				     ("setSecurityManager"));
	}

	if ((s != null) && (s.getClass().getClassLoader() != null)) {
	    // New security manager class is not on bootstrap classpath.
	    // Cause policy to get initialized before we install the new
	    // security manager, in order to prevent infinite loops when
	    // trying to initialize the policy (which usually involves
	    // accessing some security and/or system properties, which in turn
	    // calls the installed security manager's checkPermission method
	    // which will loop infinitely if there is a non-system class
	    // (in this case: the new security manager class) on the stack).
	    AccessController.doPrivileged(new PrivilegedAction() {
		public Object run() {
		    s.getClass().getProtectionDomain().implies
			(SecurityConstants.ALL_PERMISSION);
		    return null;
		}
	    });
	}

	security = s;
	InetAddressCachePolicy.setIfNotSet(InetAddressCachePolicy.FOREVER);
    }
    KML*/

    /**
     * Gets the system security interface.
     *
     * @return  if a security manager has already been established for the
     *          current application, then that security manager is returned;
     *          otherwise, null is returned.
     * @see     #setSecurityManager
     */
    /*KML
    public static SecurityManager getSecurityManager() {
	return security;
    }
    KML*/

    /**
     * Returns the current time in milliseconds.  Note that
     * while the unit of time of the return value is a millisecond,
     * the granularity of the value depends on the underlying
     * operating system and may be larger.  For example, many
     * operating systems measure time in units of tens of
     * milliseconds.
     *
     * 
     See the description of the class Date for
     * a discussion of slight discrepancies that may arise between
     * "computer time" and coordinated universal time (UTC).
     *
     * @return  the difference, measured in milliseconds, between
     *          the current time and midnight, January 1, 1970 UTC.
     * @see     java.util.Date
     */
    public static native long currentTimeMillis();

    /**
     * Copies an array from the specified source array, beginning at the
     * specified position, to the specified position of the destination array.
     * A subsequence of array components are copied from the source
     * array referenced by src to the destination array
     * referenced by dest. The number of components copied is
     * equal to the length argument. The components at
     * positions srcPos through
     * srcPos+length-1 in the source array are copied into
     * positions destPos through
     * destPos+length-1, respectively, of the destination
     * array.
     * 
    
     * If the src and dest arguments refer to the
     * same array object, then the copying is performed as if the
     * components at positions srcPos through
     * srcPos+length-1 were first copied to a temporary
     * array with length components and then the contents of
     * the temporary array were copied into positions
     * destPos through destPos+length-1 of the
     * destination array.
     * 
    
     * If dest is null, then a
     * NullPointerException is thrown.
     * 
    
     * If src is null, then a
     * NullPointerException is thrown and the destination
     * array is not modified.
     * 
    
     * Otherwise, if any of the following is true, an
     * ArrayStoreException is thrown and the destination is
     * not modified:
     * 
      
     * 
    • The src argument refers to an object that is not an
     *     array.
     * 
    • The dest argument refers to an object that is not an
     *     array.
     * 
    • The src argument and dest argument refer
     *     to arrays whose component types are different primitive types.
     * 
    • The src argument refers to an array with a primitive
     *    component type and the dest argument refers to an array
     *     with a reference component type.
     * 
    • The src argument refers to an array with a reference
     *    component type and the dest argument refers to an array
     *     with a primitive component type.
     * 
    
     * 
    
     * Otherwise, if any of the following is true, an
     * IndexOutOfBoundsException is
     * thrown and the destination is not modified:
     * 
      
     * 
    • The srcPos argument is negative.
     * 
    • The destPos argument is negative.
     * 
    • The length argument is negative.
     * 
    • srcPos+length is greater than
     *     src.length, the length of the source array.
     * 
    • destPos+length is greater than
     *     dest.length, the length of the destination array.
     * 
    
     * 
    
     * Otherwise, if any actual component of the source array from
     * position srcPos through
     * srcPos+length-1 cannot be converted to the component
     * type of the destination array by assignment conversion, an
     * ArrayStoreException is thrown. In this case, let
     * k be the smallest nonnegative integer less than
     * length such that src[srcPos+k]
     * cannot be converted to the component type of the destination
     * array; when the exception is thrown, source array components from
     * positions srcPos through
     * srcPos+k-1
     * will already have been copied to destination array positions
     * destPos through
     * destPos+k-1 and no other
     * positions of the destination array will have been modified.
     * (Because of the restrictions already itemized, this
     * paragraph effectively applies only to the situation where both
     * arrays have component types that are reference types.)
     *
     * @param      src      the source array.
     * @param      srcPos   starting position in the source array.
     * @param      dest     the destination array.
     * @param      destPos  starting position in the destination data.
     * @param      length   the number of array elements to be copied.
     * @exception  IndexOutOfBoundsException  if copying would cause
     *               access of data outside array bounds.
     * @exception  ArrayStoreException  if an element in the src
     *               array could not be stored into the dest array
     *               because of a type mismatch.
     * @exception  NullPointerException if either src or
     *               dest is null.
     */
    public static native void arraycopy(Object src,  int  srcPos,
                                        Object dest, int destPos,
                                        int length);

    /**
     * Returns the same hash code for the given object as
     * would be returned by the default method hashCode(),
     * whether or not the given object's class overrides
     * hashCode().
     * The hash code for the null reference is zero.
     *
     * @param x object for which the hashCode is to be calculated
     * @return  the hashCode
     * @since   JDK1.1
     */
    public static native int identityHashCode(Object x);

    /**
     * System properties. The following properties are guaranteed to be defined:
     * 
    
     * 
    java.version		
    Java version number
     * 
    java.vendor		
    Java vendor specific string
     * 
    java.vendor.url	
    Java vendor URL
     * 
    java.home		
    Java installation directory
     * 
    java.class.version	
    Java class version number
     * 
    java.class.path	
    Java classpath
     * 
    os.name		
    Operating System Name
     * 
    os.arch		
    Operating System Architecture
     * 
    os.version		
    Operating System Version
     * 
    file.separator	
    File separator ("/" on Unix)
     * 
    path.separator	
    Path separator (":" on Unix)
     * 
    line.separator	
    Line separator ("\n" on Unix)
     * 
    user.name		
    User account name
     * 
    user.home		
    User home directory
     * 
    user.dir		
    User's current working directory
     * 
    
     */

    //KML private static Properties props;
    //KML private static native Properties initProperties(Properties props);

    /**
     * Determines the current system properties.
     * 
    
     * First, if there is a security manager, its
     * checkPropertiesAccess method is called with no
     * arguments. This may result in a security exception.
     * 
    
     * The current set of system properties for use by the 
     * {@link #getProperty(String)} method is returned as a 
     * Properties object. If there is no current set of 
     * system properties, a set of system properties is first created and 
     * initialized. This set of system properties always includes values 
     * for the following keys: 
     * 
     * 
     *     
     * 
     *     
     * 
     *     
     *     
     * 
     *     
     * 
     *     
     * 
     *     
     * 
     *     
     * 
     *     
     * 
     *     
     * 
     *     
     * 
     *     
     * 
     *     
     * 
     *     
     * 
     *     
     * 
     *     
     * 
     *     
     * 
     *     
     * 
     *     
     * 
     *     
     * 
     *     
     * 
     *     
     * 
     *     
     * 
     *     
     * 
     *     
     * 
     *     
     * 
     *     
     * 
     *     
     * 
     *     
     * 
    KeyDescription of Associated Value
    java.versionJava Runtime Environment version
    java.vendorJava Runtime Environment vendor
    java.vendor.urlJava vendor URL
    java.homeJava installation directory
    java.vm.specification.versionJava Virtual Machine specification version
    java.vm.specification.vendorJava Virtual Machine specification vendor
    java.vm.specification.nameJava Virtual Machine specification name
    java.vm.versionJava Virtual Machine implementation version
    java.vm.vendorJava Virtual Machine implementation vendor
    java.vm.nameJava Virtual Machine implementation name
    java.specification.versionJava Runtime Environment specification  version
    java.specification.vendorJava Runtime Environment specification  vendor
    java.specification.nameJava Runtime Environment specification  name
    java.class.versionJava class format version number
    java.class.pathJava class path
    java.library.pathList of paths to search when loading libraries
    java.io.tmpdirDefault temp file path
    java.compilerName of JIT compiler to use
    java.ext.dirsPath of extension directory or directories
    os.nameOperating system name
    os.archOperating system architecture
    os.versionOperating system version
    file.separatorFile separator ("/" on UNIX)
    path.separatorPath separator (":" on UNIX)
    line.separatorLine separator ("\n" on UNIX)
    user.nameUser's account name
    user.homeUser's home directory
    user.dirUser's current working directory
    
     * 
    
     * Multiple paths in a system property value are separated by the path
     * separator character of the platform.
     * 
    
     * Note that even if the security manager does not permit the
     * getProperties operation, it may choose to permit the
     * {@link #getProperty(String)} operation.
     *
     * @return     the system properties
     * @exception  SecurityException  if a security manager exists and its
     *             checkPropertiesAccess method doesn't allow access
     *              to the system properties.
     * @see        #setProperties
     * @see        java.lang.SecurityException
     * @see        java.lang.SecurityManager#checkPropertiesAccess()
     * @see        java.util.Properties
     */
    /*KML
    public static Properties getProperties() {
	if (security != null) {
	    security.checkPropertiesAccess();
	}
	return props;
    }
    KML*/

    /**
     * Sets the system properties to the Properties
     * argument.
     * 
    
     * First, if there is a security manager, its
     * checkPropertiesAccess method is called with no
     * arguments. This may result in a security exception.
     * 
    
     * The argument becomes the current set of system properties for use
     * by the {@link #getProperty(String)} method. If the argument is
     * null, then the current set of system properties is
     * forgotten.
     *
     * @param      props   the new system properties.
     * @exception  SecurityException  if a security manager exists and its
     *             checkPropertiesAccess method doesn't allow access
     *              to the system properties.
     * @see        #getProperties
     * @see        java.util.Properties
     * @see        java.lang.SecurityException
     * @see        java.lang.SecurityManager#checkPropertiesAccess()
     */
    /*KML
    public static void setProperties(Properties props) {
	if (security != null) {
	    security.checkPropertiesAccess();
	}
        if (props == null) {
            props = new Properties();
            initProperties(props);
        }
	System.props = props;
    }
    KML*/

    /**
     * Gets the system property indicated by the specified key.
     * 
    
     * First, if there is a security manager, its
     * checkPropertyAccess method is called with the key as
     * its argument. This may result in a SecurityException.
     * 
    
     * If there is no current set of system properties, a set of system
     * properties is first created and initialized in the same manner as
     * for the getProperties method.
     *
     * @param      key   the name of the system property.
     * @return     the string value of the system property,
     *             or null if there is no property with that key.
     *
     * @exception  SecurityException  if a security manager exists and its
     *             checkPropertyAccess method doesn't allow
     *              access to the specified system property.
     * @exception  NullPointerException if key is
     *             null.
     * @exception  IllegalArgumentException if key is empty.
     * @see        #setProperty
     * @see        java.lang.SecurityException
     * @see        java.lang.SecurityManager#checkPropertyAccess(java.lang.String)
     * @see        java.lang.System#getProperties()
     */
    public static String getProperty(String key) {
	if (key == null) {
	    throw new NullPointerException("key can't be null");
	}
	if (key.equals("")) {
	    throw new IllegalArgumentException("key can't be empty");
	}
	if (security != null) {
	    security.checkPropertyAccess(key);
	}
	return props.getProperty(key);
    }

    /**
     * Gets the system property indicated by the specified key.
     * 
    
     * First, if there is a security manager, its
     * checkPropertyAccess method is called with the
     * key as its argument.
     * 
    
     * If there is no current set of system properties, a set of system
     * properties is first created and initialized in the same manner as
     * for the getProperties method.
     *
     * @param      key   the name of the system property.
     * @param      def   a default value.
     * @return     the string value of the system property,
     *             or the default value if there is no property with that key.
     *
     * @exception  SecurityException  if a security manager exists and its
     *             checkPropertyAccess method doesn't allow
     *             access to the specified system property.
     * @exception  NullPointerException if key is
     *             null.
     * @exception  IllegalArgumentException if key is empty.
     * @see        #setProperty
     * @see        java.lang.SecurityManager#checkPropertyAccess(java.lang.String)
     * @see        java.lang.System#getProperties()
     */
    public static String getProperty(String key, String def) {
	if (key == null) {
	    throw new NullPointerException("key can't be null");
	}
	if (key.equals("")) {
	    throw new IllegalArgumentException("key can't be empty");
	}
	if (security != null) {
	    security.checkPropertyAccess(key);
	}
	return props.getProperty(key, def);
    }

    /**
     * Sets the system property indicated by the specified key.
     * 
    
     * First, if a security manager exists, its
     * SecurityManager.checkPermission method
     * is called with a PropertyPermission(key, "write")
     * permission. This may result in a SecurityException being thrown.
     * If no exception is thrown, the specified property is set to the given
     * value.
     * 
    
     *
     * @param      key   the name of the system property.
     * @param      value the value of the system property.
     * @return     the previous value of the system property,
     *             or null if it did not have one.
     *
     * @exception  SecurityException  if a security manager exists and its
     *             checkPermission method doesn't allow
     *             setting of the specified property.
     * @exception  NullPointerException if key is
     *             null.
     * @exception  IllegalArgumentException if key is empty.
     * @see        #getProperty
     * @see        java.lang.System#getProperty(java.lang.String)
     * @see        java.lang.System#getProperty(java.lang.String, java.lang.String)
     * @see        java.util.PropertyPermission
     * @see        SecurityManager#checkPermission
     * @since      1.2
     */
    public static String setProperty(String key, String value) {
	if (key == null) {
	    throw new NullPointerException("key can't be null");
	}
	if (key.equals("")) {
	    throw new IllegalArgumentException("key can't be empty");
	}
	if (security != null)
	    security.checkPermission(new PropertyPermission(key,
		SecurityConstants.PROPERTY_WRITE_ACTION));
	return (String) props.setProperty(key, value);
    }

    /**
     * Gets an environment variable. An environment variable is a
     * system-dependent external variable that has a string value.
     *
     * @deprecated The preferred way to extract system-dependent information
     *             is the system properties of the
     *             java.lang.System.getProperty methods and the
     *             corresponding getTypeName methods of
     *             the Boolean, Integer, and
     *             Long primitive types.  For example:
     * 
         *     String classPath = System.getProperty("java.class.path",".");
     * 
    
     *     if (Boolean.getBoolean("myapp.exper.mode"))
     *         enableExpertCommands();
     * 
    
     *
     * @param  name of the environment variable
     * @return the value of the variable, or null if the variable
     *           is not defined.
     * @see    java.lang.Boolean#getBoolean(java.lang.String)
     * @see    java.lang.Integer#getInteger(java.lang.String)
     * @see    java.lang.Integer#getInteger(java.lang.String, int)
     * @see    java.lang.Integer#getInteger(java.lang.String, java.lang.Integer)
     * @see    java.lang.Long#getLong(java.lang.String)
     * @see    java.lang.Long#getLong(java.lang.String, long)
     * @see    java.lang.Long#getLong(java.lang.String, java.lang.Long)
     * @see    java.lang.System#getProperties()
     * @see    java.lang.System#getProperty(java.lang.String)
     * @see    java.lang.System#getProperty(java.lang.String, java.lang.String)
     */
    public static String getenv(String name) {
	throw new Error("getenv no longer supported, use properties and -D instead: " + name);
    }

    /**
     * Terminates the currently running Java Virtual Machine. The
     * argument serves as a status code; by convention, a nonzero status
     * code indicates abnormal termination.
     * 
    
     * This method calls the exit method in class
     * Runtime. This method never returns normally.
     * 
    
     * The call System.exit(n) is effectively equivalent to
     * the call:
     * 
         * Runtime.getRuntime().exit(n)
     * 
    
     *
     * @param      status   exit status.
     * @throws  SecurityException
     *        if a security manager exists and its checkExit
     *        method doesn't allow exit with the specified status.
     * @see        java.lang.Runtime#exit(int)
     */
    public static void exit(int status) {
	Runtime.getRuntime().exit(status);
    }

    /**
     * Runs the garbage collector.
     * 
    
     * Calling the gc method suggests that the Java Virtual
     * Machine expend effort toward recycling unused objects in order to
     * make the memory they currently occupy available for quick reuse.
     * When control returns from the method call, the Java Virtual
     * Machine has made a best effort to reclaim space from all discarded
     * objects.
     * 
    
     * The call System.gc() is effectively equivalent to the
     * call:
     * 
         * Runtime.getRuntime().gc()
     * 
    
     *
     * @see     java.lang.Runtime#gc()
     */
    public static void gc() {
	Runtime.getRuntime().gc();
    }

    /**
     * Runs the finalization methods of any objects pending finalization.
     * 
    
     * Calling this method suggests that the Java Virtual Machine expend
     * effort toward running the finalize methods of objects
     * that have been found to be discarded but whose finalize
     * methods have not yet been run. When control returns from the
     * method call, the Java Virtual Machine has made a best effort to
     * complete all outstanding finalizations.
     * 
    
     * The call System.runFinalization() is effectively
     * equivalent to the call:
     * 
         * Runtime.getRuntime().runFinalization()
     * 
    
     *
     * @see     java.lang.Runtime#runFinalization()
     */
    public static void runFinalization() {
	Runtime.getRuntime().runFinalization();
    }

    /**
     * Enable or disable finalization on exit; doing so specifies that the
     * finalizers of all objects that have finalizers that have not yet been
     * automatically invoked are to be run before the Java runtime exits.
     * By default, finalization on exit is disabled.
     *
     * 
    If there is a security manager,
     * its checkExit method is first called
     * with 0 as its argument to ensure the exit is allowed.
     * This could result in a SecurityException.
     *
     * @deprecated  This method is inherently unsafe.  It may result in
     * 	    finalizers being called on live objects while other threads are
     *      concurrently manipulating those objects, resulting in erratic
     *	    behavior or deadlock.
     * @param value indicating enabling or disabling of finalization
     * @throws  SecurityException
     *        if a security manager exists and its checkExit
     *        method doesn't allow the exit.
     *
     * @see     java.lang.Runtime#exit(int)
     * @see     java.lang.Runtime#gc()
     * @see     java.lang.SecurityManager#checkExit(int)
     * @since   JDK1.1
     */
    public static void runFinalizersOnExit(boolean value) {
	Runtime.getRuntime().runFinalizersOnExit(value);
    }

    /**
     * Loads a code file with the specified filename from the local file
     * system as a dynamic library. The filename
     * argument must be a complete path name.
     * 
    
     * The call System.load(name) is effectively equivalent
     * to the call:
     * 
         * Runtime.getRuntime().load(name)
     * 
    
     *
     * @param      filename   the file to load.
     * @exception  SecurityException  if a security manager exists and its
     *             checkLink method doesn't allow
     *             loading of the specified dynamic library
     * @exception  UnsatisfiedLinkError  if the file does not exist.
     * @see        java.lang.Runtime#load(java.lang.String)
     * @see        java.lang.SecurityManager#checkLink(java.lang.String)
     */
    public static void load(String filename) {
	Runtime.getRuntime().load0(getCallerClass(), filename);
    }

    /**
     * Loads the system library specified by the libname
     * argument. The manner in which a library name is mapped to the
     * actual system library is system dependent.
     * 
    
     * The call System.loadLibrary(name) is effectively
     * equivalent to the call
     * 
         * Runtime.getRuntime().loadLibrary(name)
     * 
    
     *
     * @param      libname   the name of the library.
     * @exception  SecurityException  if a security manager exists and its
     *             checkLink method doesn't allow
     *             loading of the specified dynamic library
     * @exception  UnsatisfiedLinkError  if the library does not exist.
     * @see        java.lang.Runtime#loadLibrary(java.lang.String)
     * @see        java.lang.SecurityManager#checkLink(java.lang.String)
     */
    public static void loadLibrary(String libname) {
	Runtime.getRuntime().loadLibrary0(getCallerClass(), libname);
    }

    /**
     * Maps a library name into a platform-specific string representing
     * a native library.
     *
     * @param      libname the name of the library.
     * @return     a platform-dependent native library name.
     * @see        java.lang.System#loadLibrary(java.lang.String)
     * @see        java.lang.ClassLoader#findLibrary(java.lang.String)
     * @since      1.2
     */
    public static native String mapLibraryName(String libname);

    /**
     * The following two methods exist because in, out, and err must be
     * initialized to null.  The compiler, however, cannot be permitted to
     * inline access to them, since they are later set to more sensible values
     * by initializeSystemClass().
     */
    private static InputStream nullInputStream() throws NullPointerException;
    /*KML {
	if (currentTimeMillis() > 0)
	    return null;
	throw new NullPointerException();
    }
    KML*/

    private static PrintStream nullPrintStream() throws NullPointerException {
	if (currentTimeMillis() > 0)
	    return null;
	throw new NullPointerException();
    }

    /**
     * Initialize the system class.  Called after thread initialization.
     */
    private static void initializeSystemClass() {
	props = new Properties();
	initProperties(props);
	sun.misc.Version.init();
	FileInputStream fdIn = new FileInputStream(FileDescriptor.in);
	FileOutputStream fdOut = new FileOutputStream(FileDescriptor.out);
	FileOutputStream fdErr = new FileOutputStream(FileDescriptor.err);
	setIn0(new BufferedInputStream(fdIn));
	setOut0(new PrintStream(new BufferedOutputStream(fdOut, 128), true));
	setErr0(new PrintStream(new BufferedOutputStream(fdErr, 128), true));

	// Load the zip library now in order to keep java.util.zip.ZipFile
	// from trying to use itself to load this library later.
	loadLibrary("zip");

        // Currently File.deleteOnExit is built on JVM_Exit, which is a
        // separate mechanism from shutdown hooks. Unfortunately in order to
        // work properly JVM_Exit implicitly requires that Java signal
        // handlers be set up for HUP, TERM, and INT (where available). If
        // File.deleteOnExit were implemented in terms of shutdown hooks this
        // call to Terminator.setup() could be removed.
        Terminator.setup();

	// Set the maximum amount of direct memory.  This value is controlled
	// by the vm option -XX:MaxDirectMemorySize=.  This method acts
	// as an initializer only if it is called before sun.misc.VM.booted().
 	sun.misc.VM.maxDirectMemory();

	// Subsystems that are invoked during initialization can invoke
	// sun.misc.VM.isBooted() in order to avoid doing things that should
	// wait until the application class loader has been set up.
	sun.misc.VM.booted();
    }

    /* returns the class of the caller. */
    /*KML
    static Class getCallerClass() {
        // NOTE use of more generic Reflection.getCallerClass()
        return Reflection.getCallerClass(3);
    }
    KML*/
}
why-2.39/lib/java_api/java/lang/Number.java0000644000106100004300000000600013147234006017502 0ustar  marchevals/*
 * @(#)Number.java	1.28 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.lang;

/**
 * The abstract class Number is the superclass of classes
 * BigDecimal, BigInteger,
 * Byte, Double, Float,
 * Integer, Long, and Short.
 * 
    
 * Subclasses of Number must provide methods to convert 
 * the represented numeric value to byte, double,
 * float, int, long, and
 * short.
 *
 * @author	Lee Boynton
 * @author	Arthur van Hoff
 * @version 1.28, 01/23/03
 * @see     java.lang.Byte
 * @see     java.lang.Double
 * @see     java.lang.Float
 * @see     java.lang.Integer
 * @see     java.lang.Long
 * @see     java.lang.Short
 * @since   JDK1.0
 */
public abstract class Number implements java.io.Serializable {
    /**
     * Returns the value of the specified number as an int.
     * This may involve rounding or truncation.
     *
     * @return  the numeric value represented by this object after conversion
     *          to type int.
     */
    public abstract int intValue();

    /**
     * Returns the value of the specified number as a long.
     * This may involve rounding or truncation.
     *
     * @return  the numeric value represented by this object after conversion
     *          to type long.
     */
    public abstract long longValue();

    /**
     * Returns the value of the specified number as a float.
     * This may involve rounding.
     *
     * @return  the numeric value represented by this object after conversion
     *          to type float.
     */
    public abstract float floatValue();

    /**
     * Returns the value of the specified number as a double.
     * This may involve rounding.
     *
     * @return  the numeric value represented by this object after conversion
     *          to type double.
     */
    public abstract double doubleValue();

    /**
     * Returns the value of the specified number as a byte.
     * This may involve rounding or truncation.
     *
     * @return  the numeric value represented by this object after conversion
     *          to type byte.
     * @since   JDK1.1
     */
    public byte byteValue() {
	return (byte)intValue();
    }

    /**
     * Returns the value of the specified number as a short.
     * This may involve rounding or truncation.
     *
     * @return  the numeric value represented by this object after conversion
     *          to type short.
     * @since   JDK1.1
     */
    public short shortValue() {
	return (short)intValue();
    }

    /** use serialVersionUID from JDK 1.0.2 for interoperability */
    private static final long serialVersionUID = -8742448824652078965L;
}
why-2.39/lib/java_api/java/lang/Math.java0000644000106100004300000011057213147234006017155 0ustar  marchevals/*
 * @(#)Math.java	1.57 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.lang;
//KML import java.util.Random;


/**
 * The class Math contains methods for performing basic
 * numeric operations such as the elementary exponential, logarithm,
 * square root, and trigonometric functions.
 * 
    
 * Unlike some of the numeric methods of class
 * StrictMath, all implementations of the equivalent
 * functions of class Math are not defined to return the
 * bit-for-bit same results.  This relaxation permits
 * better-performing implementations where strict reproducibility is
 * not required.
 * 
    
 * By default many of the Math methods simply call
 * the equivalent method in StrictMath for their
 * implementation.  Code generators are encouraged to use
 * platform-specific native libraries or microprocessor instructions,
 * where available, to provide higher-performance implementations of
 * Math methods.  Such higher-performance
 * implementations still must conform to the specification for
 * Math.
 * 
    
 * The quality of implementation specifications concern two
 * properties, accuracy of the returned result and monotonicity of the
 * method.  Accuracy of the floating-point Math methods
 * is measured in terms of ulps, units in the last place.  For
 * a given floating-point format, an ulp of a specific real number
 * value is the difference between the two floating-point values
 * closest to that numerical value.  When discussing the accuracy of a
 * method as a whole rather than at a specific argument, the number of
 * ulps cited is for the worst-case error at any argument.  If a
 * method always has an error less than 0.5 ulps, the method always
 * returns the floating-point number nearest the exact result; such a
 * method is correctly rounded.  A correctly rounded method is
 * generally the best a floating-point approximation can be; however,
 * it is impractical for many floating-point methods to be correctly
 * rounded.  Instead, for the Math class, a larger error
 * bound of 1 or 2 ulps is allowed for certain methods.  Informally,
 * with a 1 ulp error bound, when the exact result is a representable
 * number the exact result should be returned; otherwise, either of
 * the two floating-point numbers closest to the exact result may be
 * returned.  Besides accuracy at individual arguments, maintaining
 * proper relations between the method at different arguments is also
 * important.  Therefore, methods with more than 0.5 ulp errors are
 * required to be semi-monotonic: whenever the mathematical
 * function is non-decreasing, so is the floating-point approximation,
 * likewise, whenever the mathematical function is non-increasing, so
 * is the floating-point approximation.  Not all approximations that
 * have 1 ulp accuracy will automatically meet the monotonicity
 * requirements.
 * 
 * @author  unascribed
 * @version 1.57, 01/23/03
 * @since   JDK1.0
 */

public final strictfp class Math {

    /**
     * Don't let anyone instantiate this class.
     */
    private Math() {}

    /**
     * The double value that is closer than any other to
     * e, the base of the natural logarithms.
     */
    public static final double E = 2.7182818284590452354;

    /**
     * The double value that is closer than any other to
     * pi, the ratio of the circumference of a circle to its
     * diameter.
     */
    public static final double PI = 3.14159265358979323846;

    /**
     * Returns the trigonometric sine of an angle.  Special cases:
     * 
    • If the argument is NaN or an infinity, then the 
     * result is NaN.
     * 
    • If the argument is zero, then the result is a zero with the
     * same sign as the argument.
    
     * 
    
     * A result must be within 1 ulp of the correctly rounded result.  Results
     * must be semi-monotonic.
     *
     * @param   a   an angle, in radians.
     * @return  the sine of the argument.
     */
    public static double sin(double a) {
	//KML return StrictMath.sin(a); // default impl. delegates to StrictMath
    }
    
    /**
     * Returns the trigonometric cosine of an angle. Special cases:
     * 
    • If the argument is NaN or an infinity, then the 
     * result is NaN.
    
     * 
    
     * A result must be within 1 ulp of the correctly rounded result.  Results
     * must be semi-monotonic.
     *
     * @param   a   an angle, in radians.
     * @return  the cosine of the argument.
     */
    public static double cos(double a) {
	//KML return StrictMath.cos(a); // default impl. delegates to StrictMath
    }
   
    /**
     * Returns the trigonometric tangent of an angle.  Special cases:
     * 
    • If the argument is NaN or an infinity, then the result 
     * is NaN.
     * 
    • If the argument is zero, then the result is a zero with the
     * same sign as the argument.
    
     * 
    
     * A result must be within 1 ulp of the correctly rounded result.  Results
     * must be semi-monotonic.
     *
     * @param   a   an angle, in radians.
     * @return  the tangent of the argument.
     */
    public static double tan(double a) {
	//KML return StrictMath.tan(a); // default impl. delegates to StrictMath
    }

    /**
     * Returns the arc sine of an angle, in the range of -pi/2 through
     * pi/2. Special cases: 
     * 
    • If the argument is NaN or its absolute value is greater 
     * than 1, then the result is NaN.
     * 
    • If the argument is zero, then the result is a zero with the
     * same sign as the argument.
    
     * 
    
     * A result must be within 1 ulp of the correctly rounded result.  Results
     * must be semi-monotonic.
     *
     * @param   a   the value whose arc sine is to be returned.
     * @return  the arc sine of the argument.
     */
    public static double asin(double a) {
	//KML return StrictMath.asin(a); // default impl. delegates to StrictMath
    }

    /**
     * Returns the arc cosine of an angle, in the range of 0.0 through
     * pi.  Special case:
     * 
    • If the argument is NaN or its absolute value is greater 
     * than 1, then the result is NaN.
    
     * 
    
     * A result must be within 1 ulp of the correctly rounded result.  Results 
     * must be semi-monotonic.
     *
     * @param   a   the value whose arc cosine is to be returned.
     * @return  the arc cosine of the argument.
     */
    public static double acos(double a) {
	//KML return StrictMath.acos(a); // default impl. delegates to StrictMath
    }

    /**
     * Returns the arc tangent of an angle, in the range of -pi/2
     * through pi/2.  Special cases: 
     * 
    • If the argument is NaN, then the result is NaN.
     * 
    • If the argument is zero, then the result is a zero with the
     * same sign as the argument.
    
     * 
    
     * A result must be within 1 ulp of the correctly rounded result.  Results
     * must be semi-monotonic.
     *
     * @param   a   the value whose arc tangent is to be returned.
     * @return  the arc tangent of the argument.
     */
    public static double atan(double a) {
	//KML return StrictMath.atan(a); // default impl. delegates to StrictMath
    }

    /**
     * Converts an angle measured in degrees to an approximately
     * equivalent angle measured in radians.  The conversion from
     * degrees to radians is generally inexact.
     *
     * @param   angdeg   an angle, in degrees
     * @return  the measurement of the angle angdeg
     *          in radians.
     * @since   1.2
     */
    public static double toRadians(double angdeg) {
	return angdeg / 180.0 * PI;
    }

    /**
     * Converts an angle measured in radians to an approximately
     * equivalent angle measured in degrees.  The conversion from
     * radians to degrees is generally inexact; users should
     * not expect cos(toRadians(90.0)) to exactly
     * equal 0.0.
     *
     * @param   angrad   an angle, in radians
     * @return  the measurement of the angle angrad
     *          in degrees.
     * @since   1.2
     */
    public static double toDegrees(double angrad) {
	return angrad * 180.0 / PI;
    }

    /**
     * Returns Euler's number e raised to the power of a
     * double value.  Special cases:
     * 
    • If the argument is NaN, the result is NaN.
     * 
    • If the argument is positive infinity, then the result is 
     * positive infinity.
     * 
    • If the argument is negative infinity, then the result is 
     * positive zero.
    
     * 
    
     * A result must be within 1 ulp of the correctly rounded result.  Results
     * must be semi-monotonic.
     *
     * @param   a   the exponent to raise e to.
     * @return  the value ea, 
     *          where e is the base of the natural logarithms.
     */
    public static double exp(double a) {
	//KML return StrictMath.exp(a); // default impl. delegates to StrictMath
    }

    /**
     * Returns the natural logarithm (base e) of a double
     * value.  Special cases:
     * 
    • If the argument is NaN or less than zero, then the result 
     * is NaN.
     * 
    • If the argument is positive infinity, then the result is 
     * positive infinity.
     * 
    • If the argument is positive zero or negative zero, then the 
     * result is negative infinity.
    
     * 
    
     * A result must be within 1 ulp of the correctly rounded result.  Results
     * must be semi-monotonic.
     *
     * @param   a   a number greater than 0.0.
     * @return  the value ln a, the natural logarithm of
     *          a.
     */
    public static double log(double a) {
	//KML return StrictMath.log(a); // default impl. delegates to StrictMath
    }

    /**
     * Returns the correctly rounded positive square root of a 
     * double value.
     * Special cases:
     * 
    • If the argument is NaN or less than zero, then the result 
     * is NaN. 
     * 
    • If the argument is positive infinity, then the result is positive 
     * infinity. 
     * 
    • If the argument is positive zero or negative zero, then the 
     * result is the same as the argument.
    
     * Otherwise, the result is the double value closest to 
     * the true mathematical square root of the argument value.
     * 
     * @param   a   a value.
     * 
     * @return  the positive square root of a.
     *          If the argument is NaN or less than zero, the result is NaN.
     */
    /*@ requires a >= 0.0;
      @ ensures \result * \result == a;
      @*/
    public static double sqrt(double a) {
	/*KML
	return StrictMath.sqrt(a); // default impl. delegates to StrictMath
				   // Note that hardware sqrt instructions
				   // frequently can be directly used by JITs
				   // and should be much faster than doing
				   // Math.sqrt in software.
				   */
    }

    /**
     * Computes the remainder operation on two arguments as prescribed 
     * by the IEEE 754 standard.
     * The remainder value is mathematically equal to 
     * f1 - f2 × n,
     * where n is the mathematical integer closest to the exact 
     * mathematical value of the quotient f1/f2, and if two 
     * mathematical integers are equally close to f1/f2, 
     * then n is the integer that is even. If the remainder is 
     * zero, its sign is the same as the sign of the first argument. 
     * Special cases:
     * 
    • If either argument is NaN, or the first argument is infinite, 
     * or the second argument is positive zero or negative zero, then the 
     * result is NaN.
     * 
    • If the first argument is finite and the second argument is 
     * infinite, then the result is the same as the first argument.
    
     *
     * @param   f1   the dividend.
     * @param   f2   the divisor.
     * @return  the remainder when f1 is divided by
     *          f2.
     */
    public static double IEEEremainder(double f1, double f2) {
        //KML return StrictMath.IEEEremainder(f1, f2); // delegate to StrictMath
    }

    /**
     * Returns the smallest (closest to negative infinity) 
     * double value that is not less than the argument and is 
     * equal to a mathematical integer. Special cases:
     * 
    • If the argument value is already equal to a mathematical 
     * integer, then the result is the same as the argument. 
     * 
    • If the argument is NaN or an infinity or positive zero or negative 
     * zero, then the result is the same as the argument. 
     * 
    • If the argument value is less than zero but greater than -1.0, 
     * then the result is negative zero.
    
     * Note that the value of Math.ceil(x) is exactly the 
     * value of -Math.floor(-x).
     *
     * @param   a   a value.
     * 
     * @return  the smallest (closest to negative infinity) 
     *          floating-point value that is not less than the argument
     *          and is equal to a mathematical integer. 
     */
    public static double ceil(double a) {
	//KML return StrictMath.ceil(a); // default impl. delegates to StrictMath
    }

    /**
     * Returns the largest (closest to positive infinity) 
     * double value that is not greater than the argument and 
     * is equal to a mathematical integer. Special cases:
     * 
    • If the argument value is already equal to a mathematical 
     * integer, then the result is the same as the argument. 
     * 
    • If the argument is NaN or an infinity or positive zero or 
     * negative zero, then the result is the same as the argument.
    
     *
     * @param   a   a value.
     * 
     * @return  the largest (closest to positive infinity) 
     *          floating-point value that is not greater than the argument
     *          and is equal to a mathematical integer. 
     */
    public static double floor(double a) {
	//KML return StrictMath.floor(a); // default impl. delegates to StrictMath
    }

    /**
     * Returns the double value that is closest in value
     * to the argument and is equal to a mathematical integer. If two
     * double values that are mathematical integers are
     * equally close, the result is the integer value that is
     * even. Special cases:
     * 
    • If the argument value is already equal to a mathematical 
     * integer, then the result is the same as the argument. 
     * 
    • If the argument is NaN or an infinity or positive zero or negative 
     * zero, then the result is the same as the argument.
    
     *
     * @param   a   a double value.
     * @return  the closest floating-point value to a that is
     *          equal to a mathematical integer.
     */
    public static double rint(double a) {
	//KML return StrictMath.rint(a); // default impl. delegates to StrictMath
    }

    /**
     * Converts rectangular coordinates (xy)
     * to polar (r, theta).
     * This method computes the phase theta by computing an arc tangent
     * of y/x in the range of -pi to pi. Special 
     * cases:
     * 
    • If either argument is NaN, then the result is NaN. 
     * 
    • If the first argument is positive zero and the second argument 
     * is positive, or the first argument is positive and finite and the 
     * second argument is positive infinity, then the result is positive 
     * zero. 
     * 
    • If the first argument is negative zero and the second argument 
     * is positive, or the first argument is negative and finite and the 
     * second argument is positive infinity, then the result is negative zero. 
     * 
    • If the first argument is positive zero and the second argument 
     * is negative, or the first argument is positive and finite and the 
     * second argument is negative infinity, then the result is the 
     * double value closest to pi. 
     * 
    • If the first argument is negative zero and the second argument 
     * is negative, or the first argument is negative and finite and the 
     * second argument is negative infinity, then the result is the 
     * double value closest to -pi. 
     * 
    • If the first argument is positive and the second argument is 
     * positive zero or negative zero, or the first argument is positive 
     * infinity and the second argument is finite, then the result is the 
     * double value closest to pi/2. 
     * 
    • If the first argument is negative and the second argument is 
     * positive zero or negative zero, or the first argument is negative 
     * infinity and the second argument is finite, then the result is the 
     * double value closest to -pi/2. 
     * 
    • If both arguments are positive infinity, then the result is the 
     * double value closest to pi/4. 
     * 
    • If the first argument is positive infinity and the second argument 
     * is negative infinity, then the result is the double 
     * value closest to 3*pi/4. 
     * 
    • If the first argument is negative infinity and the second argument 
     * is positive infinity, then the result is the double value 
     * closest to -pi/4. 
     * 
    • If both arguments are negative infinity, then the result is the 
     * double value closest to -3*pi/4.
    
     * 
    
     * A result must be within 2 ulps of the correctly rounded result.  Results
     * must be semi-monotonic.
     *
     * @param   y   the ordinate coordinate
     * @param   x   the abscissa coordinate
     * @return  the theta component of the point
     *          (rtheta)
     *          in polar coordinates that corresponds to the point
     *          (xy) in Cartesian coordinates.
     */
    public static double atan2(double y, double x) {
	//KML return StrictMath.atan2(y, x); // default impl. delegates to StrictMath
    }

    /**
     * Returns the value of the first argument raised to the power of the
     * second argument. Special cases:
     *
     * 
    • If the second argument is positive or negative zero, then the 
     * result is 1.0. 
     * 
    • If the second argument is 1.0, then the result is the same as the 
     * first argument.
     * 
    • If the second argument is NaN, then the result is NaN. 
     * 
    • If the first argument is NaN and the second argument is nonzero, 
     * then the result is NaN. 
     *
     * 
    • If
     * 
        
     * 
      • the absolute value of the first argument is greater than 1
     * and the second argument is positive infinity, or
     * 
      • the absolute value of the first argument is less than 1 and
     * the second argument is negative infinity,
     * 
      
     * then the result is positive infinity. 
     *
     * 
    • If 
     * 
        
     * 
      • the absolute value of the first argument is greater than 1 and 
     * the second argument is negative infinity, or 
     * 
      • the absolute value of the 
     * first argument is less than 1 and the second argument is positive 
     * infinity,
     * 
      
     * then the result is positive zero. 
     *
     * 
    • If the absolute value of the first argument equals 1 and the 
     * second argument is infinite, then the result is NaN. 
     *
     * 
    • If 
     * 
        
     * 
      • the first argument is positive zero and the second argument
     * is greater than zero, or
     * 
      • the first argument is positive infinity and the second
     * argument is less than zero,
     * 
      
     * then the result is positive zero. 
     *
     * 
    • If 
     * 
        
     * 
      • the first argument is positive zero and the second argument
     * is less than zero, or
     * 
      • the first argument is positive infinity and the second
     * argument is greater than zero,
     * 
      
     * then the result is positive infinity.
     *
     * 
    • If 
     * 
        
     * 
      • the first argument is negative zero and the second argument
     * is greater than zero but not a finite odd integer, or
     * 
      • the first argument is negative infinity and the second
     * argument is less than zero but not a finite odd integer,
     * 
      
     * then the result is positive zero. 
     *
     * 
    • If 
     * 
        
     * 
      • the first argument is negative zero and the second argument
     * is a positive finite odd integer, or
     * 
      • the first argument is negative infinity and the second
     * argument is a negative finite odd integer,
     * 
      
     * then the result is negative zero. 
     *
     * 
    • If
     * 
        
     * 
      • the first argument is negative zero and the second argument
     * is less than zero but not a finite odd integer, or
     * 
      • the first argument is negative infinity and the second
     * argument is greater than zero but not a finite odd integer,
     * 
      
     * then the result is positive infinity. 
     *
     * 
    • If 
     * 
        
     * 
      • the first argument is negative zero and the second argument
     * is a negative finite odd integer, or
     * 
      • the first argument is negative infinity and the second
     * argument is a positive finite odd integer,
     * 
      
     * then the result is negative infinity. 
     *
     * 
    • If the first argument is finite and less than zero
     * 
        
     * 
      •  if the second argument is a finite even integer, the
     * result is equal to the result of raising the absolute value of
     * the first argument to the power of the second argument
     *
     * 
      • if the second argument is a finite odd integer, the result
     * is equal to the negative of the result of raising the absolute
     * value of the first argument to the power of the second
     * argument
     *
     * 
      • if the second argument is finite and not an integer, then
     * the result is NaN.
     * 
      
     *
     * 
    • If both arguments are integers, then the result is exactly equal 
     * to the mathematical result of raising the first argument to the power 
     * of the second argument if that result can in fact be represented 
     * exactly as a double value.
    
     * 
     * 
    (In the foregoing descriptions, a floating-point value is
     * considered to be an integer if and only if it is finite and a
     * fixed point of the method {@link #ceil ceil} or,
     * equivalently, a fixed point of the method {@link #floor
     * floor}. A value is a fixed point of a one-argument
     * method if and only if the result of applying the method to the
     * value is equal to the value.)
     *
     * 
    A result must be within 1 ulp of the correctly rounded
     * result.  Results must be semi-monotonic.
     *
     * @param   a   the base.
     * @param   b   the exponent.
     * @return  the value ab.
     */
    public static double pow(double a, double b) {
	//KML return StrictMath.pow(a, b); // default impl. delegates to StrictMath
    }

    /**
     * Returns the closest int to the argument. The 
     * result is rounded to an integer by adding 1/2, taking the 
     * floor of the result, and casting the result to type int. 
     * In other words, the result is equal to the value of the expression:
     * 
    (int)Math.floor(a + 0.5f)
    
     * 
    
     * Special cases:
     * 
    • If the argument is NaN, the result is 0.
     * 
    • If the argument is negative infinity or any value less than or 
     * equal to the value of Integer.MIN_VALUE, the result is 
     * equal to the value of Integer.MIN_VALUE. 
     * 
    • If the argument is positive infinity or any value greater than or 
     * equal to the value of Integer.MAX_VALUE, the result is 
     * equal to the value of Integer.MAX_VALUE.
     
     *
     * @param   a   a floating-point value to be rounded to an integer.
     * @return  the value of the argument rounded to the nearest
     *          int value.
     * @see     java.lang.Integer#MAX_VALUE
     * @see     java.lang.Integer#MIN_VALUE
     */
    public static int round(float a) {
	return (int)floor(a + 0.5f);
    }

    /**
     * Returns the closest long to the argument. The result 
     * is rounded to an integer by adding 1/2, taking the floor of the 
     * result, and casting the result to type long. In other 
     * words, the result is equal to the value of the expression:
     * 
    (long)Math.floor(a + 0.5d)
    
     * 
    
     * Special cases:
     * 
    • If the argument is NaN, the result is 0.
     * 
    • If the argument is negative infinity or any value less than or 
     * equal to the value of Long.MIN_VALUE, the result is 
     * equal to the value of Long.MIN_VALUE. 
     * 
    • If the argument is positive infinity or any value greater than or 
     * equal to the value of Long.MAX_VALUE, the result is 
     * equal to the value of Long.MAX_VALUE.
     
     *
     * @param   a   a floating-point value to be rounded to a 
     *		long.
     * @return  the value of the argument rounded to the nearest
     *          long value.
     * @see     java.lang.Long#MAX_VALUE
     * @see     java.lang.Long#MIN_VALUE
     */
    public static long round(double a) {
	return (long)floor(a + 0.5d);
    }

    //KML private static Random randomNumberGenerator;

    private static synchronized void initRNG() {
        /*KML
	  if (randomNumberGenerator == null) 
            randomNumberGenerator = new Random();
	*/
    }

    /**
     * Returns a double value with a positive sign, greater 
     * than or equal to 0.0 and less than 1.0. 
     * Returned values are chosen pseudorandomly with (approximately) 
     * uniform distribution from that range. 
     * 
    
     * When this method is first called, it creates a single new 
     * pseudorandom-number generator, exactly as if by the expression 
     * 
    new java.util.Random
    
     * This new pseudorandom-number generator is used thereafter for all 
     * calls to this method and is used nowhere else. 
     * 
    
     * This method is properly synchronized to allow correct use by more 
     * than one thread. However, if many threads need to generate 
     * pseudorandom numbers at a great rate, it may reduce contention for 
     * each thread to have its own pseudorandom-number generator.
     *  
     * @return  a pseudorandom double greater than or equal 
     * to 0.0 and less than 1.0.
     * @see     java.util.Random#nextDouble()
     */
    public static double random() {
        /*KML
	  if (randomNumberGenerator == null) initRNG();
	  return randomNumberGenerator.nextDouble();
	*/

    }

    /**
     * Returns the absolute value of an int value.
     * If the argument is not negative, the argument is returned.
     * If the argument is negative, the negation of the argument is returned. 
     * 
    
     * Note that if the argument is equal to the value of 
     * Integer.MIN_VALUE, the most negative representable 
     * int value, the result is that same value, which is 
     * negative. 
     *
     * @param   a   the argument whose absolute value is to be determined
     * @return  the absolute value of the argument.
     * @see     java.lang.Integer#MIN_VALUE
     */
    public static int abs(int a) {
	return (a < 0) ? -a : a;
    }

    /**
     * Returns the absolute value of a long value.
     * If the argument is not negative, the argument is returned.
     * If the argument is negative, the negation of the argument is returned. 
     * 
    
     * Note that if the argument is equal to the value of 
     * Long.MIN_VALUE, the most negative representable 
     * long value, the result is that same value, which is 
     * negative. 
     *
     * @param   a   the argument whose absolute value is to be determined
     * @return  the absolute value of the argument.
     * @see     java.lang.Long#MIN_VALUE
     */
    public static long abs(long a) {
	return (a < 0) ? -a : a;
    }

    /**
     * Returns the absolute value of a float value.
     * If the argument is not negative, the argument is returned.
     * If the argument is negative, the negation of the argument is returned.
     * Special cases:
     * 
    • If the argument is positive zero or negative zero, the 
     * result is positive zero. 
     * 
    • If the argument is infinite, the result is positive infinity. 
     * 
    • If the argument is NaN, the result is NaN.
    
     * In other words, the result is the same as the value of the expression: 
     * 
    Float.intBitsToFloat(0x7fffffff & Float.floatToIntBits(a))
    
     *
     * @param   a   the argument whose absolute value is to be determined
     * @return  the absolute value of the argument.
     */
    public static float abs(float a) {
        return (a <= 0.0F) ? 0.0F - a : a;
    }
  
    /**
     * Returns the absolute value of a double value.
     * If the argument is not negative, the argument is returned.
     * If the argument is negative, the negation of the argument is returned.
     * Special cases:
     * 
    • If the argument is positive zero or negative zero, the result 
     * is positive zero. 
     * 
    • If the argument is infinite, the result is positive infinity. 
     * 
    • If the argument is NaN, the result is NaN.
    
     * In other words, the result is the same as the value of the expression: 
     * 
    Double.longBitsToDouble((Double.doubleToLongBits(a)<<1)>>>1) 
     *
     * @param   a   the argument whose absolute value is to be determined
     * @return  the absolute value of the argument.
     */
    /*@ ensures \result == \real_abs(a);
      @*/
    public static double abs(double a) {
        return (a <= 0.0D) ? 0.0D - a : a;
    }

    /**
     * Returns the greater of two int values. That is, the 
     * result is the argument closer to the value of 
     * Integer.MAX_VALUE. If the arguments have the same value, 
     * the result is that same value.
     *
     * @param   a   an argument.
     * @param   b   another argument.
     * @return  the larger of a and b.
     * @see     java.lang.Long#MAX_VALUE
     */
    /*@ ensures \result == \int_max(a,b);
      @*/
    public static int max(int a, int b) {
	return (a >= b) ? a : b;
    }

    /**
     * Returns the greater of two long values. That is, the 
     * result is the argument closer to the value of 
     * Long.MAX_VALUE. If the arguments have the same value, 
     * the result is that same value. 
     *
     * @param   a   an argument.
     * @param   b   another argument.
     * @return  the larger of a and b.
     * @see     java.lang.Long#MAX_VALUE
     */
    /*@ ensures \result == \int_max(a,b);
      @*/
    public static long max(long a, long b) {
	return (a >= b) ? a : b;
    }

    //KML private static long negativeZeroFloatBits = Float.floatToIntBits(-0.0f);
    //KML private static long negativeZeroDoubleBits = Double.doubleToLongBits(-0.0d);

    /**
     * Returns the greater of two float values.  That is,
     * the result is the argument closer to positive infinity. If the
     * arguments have the same value, the result is that same
     * value. If either value is NaN, then the result is NaN.  Unlike
     * the the numerical comparison operators, this method considers
     * negative zero to be strictly smaller than positive zero. If one
     * argument is positive zero and the other negative zero, the
     * result is positive zero.
     *
     * @param   a   an argument.
     * @param   b   another argument.
     * @return  the larger of a and b.
     */
    /*@ ensures \result == \real_max(a,b);
      @*/
    public static float max(float a, float b) {
        if (a != a) return a;	// a is NaN
	/*KML
	  if ((a == 0.0f) && (b == 0.0f)
	    && (Float.floatToIntBits(a) == negativeZeroFloatBits)) {
	    return b;
	}
	*/
	return (a >= b) ? a : b;
    }

    /**
     * Returns the greater of two double values.  That
     * is, the result is the argument closer to positive infinity. If
     * the arguments have the same value, the result is that same
     * value. If either value is NaN, then the result is NaN.  Unlike
     * the the numerical comparison operators, this method considers
     * negative zero to be strictly smaller than positive zero. If one
     * argument is positive zero and the other negative zero, the
     * result is positive zero.
     *
     * @param   a   an argument.
     * @param   b   another argument.
     * @return  the larger of a and b.
     */
    /*@ ensures \result == \real_max(a,b);
      @*/
    public static double max(double a, double b) {
        if (a != a) return a;	// a is NaN
	/*KML
	  if ((a == 0.0d) && (b == 0.0d)
	    && (Double.doubleToLongBits(a) == negativeZeroDoubleBits)) {
	    return b;
	}
	*/
	return (a >= b) ? a : b;
    }

    /**
     * Returns the smaller of two int values. That is,
     * the result the argument closer to the value of
     * Integer.MIN_VALUE.  If the arguments have the same
     * value, the result is that same value.
     *
     * @param   a   an argument.
     * @param   b   another argument.
     * @return  the smaller of a and b.
     * @see     java.lang.Long#MIN_VALUE
     */
    /*@ ensures \result == \int_min(a,b);
      @*/
    public static int min(int a, int b) {
	return (a <= b) ? a : b;
    }

    /**
     * Returns the smaller of two long values. That is,
     * the result is the argument closer to the value of
     * Long.MIN_VALUE. If the arguments have the same
     * value, the result is that same value.
     *
     * @param   a   an argument.
     * @param   b   another argument.
     * @return  the smaller of a and b.
     * @see     java.lang.Long#MIN_VALUE
     */
    /*@ ensures \result == \int_min(a,b);
      @*/
    public static long min(long a, long b) {
	return (a <= b) ? a : b;
    }

    /**
     * Returns the smaller of two float values.  That is,
     * the result is the value closer to negative infinity. If the
     * arguments have the same value, the result is that same
     * value. If either value is NaN, then the result is NaN.  Unlike
     * the the numerical comparison operators, this method considers
     * negative zero to be strictly smaller than positive zero.  If
     * one argument is positive zero and the other is negative zero,
     * the result is negative zero.
     *
     * @param   a   an argument.
     * @param   b   another argument.
     * @return  the smaller of a and b.
     */
    /*@ ensures \result == \real_min(a,b);
      @*/
    public static float min(float a, float b) {
        if (a != a) return a;	// a is NaN
	/*KML
	  if ((a == 0.0f) && (b == 0.0f)
	    && (Float.floatToIntBits(b) == negativeZeroFloatBits)) {
	    return b;
	}
	*/
	return (a <= b) ? a : b;
    }

    /**
     * Returns the smaller of two double values.  That
     * is, the result is the value closer to negative infinity. If the
     * arguments have the same value, the result is that same
     * value. If either value is NaN, then the result is NaN.  Unlike
     * the the numerical comparison operators, this method considers
     * negative zero to be strictly smaller than positive zero. If one
     * argument is positive zero and the other is negative zero, the
     * result is negative zero.
     *
     * @param   a   an argument.
     * @param   b   another argument.
     * @return  the smaller of a and b.
     */
    /*@ ensures \result == \real_min(a,b);
      @*/
    public static double min(double a, double b) {
        if (a != a) return a;	// a is NaN
	/*KML
	  if ((a == 0.0d) && (b == 0.0d)
	    && (Double.doubleToLongBits(b) == negativeZeroDoubleBits)) {
	    return b;
	}
	*/
	return (a <= b) ? a : b;
    }

}
why-2.39/.depend0000644000106100004300000012533413147234006012501 0ustar  marchevalssrc/annot.cmo : src/util.cmi src/types.cmi src/options.cmi src/misc.cmi \
    src/logic.cmi src/ident.cmi src/env.cmi src/effect.cmi src/ast.cmi \
    src/annot.cmi
src/annot.cmx : src/util.cmx src/types.cmi src/options.cmx src/misc.cmx \
    src/logic.cmi src/ident.cmx src/env.cmx src/effect.cmx src/ast.cmi \
    src/annot.cmi
src/coq.cmo : src/vcg.cmi src/util.cmi src/report.cmi src/regen.cmi \
    src/print_real.cmo src/pp.cmi src/options.cmi src/misc.cmi \
    src/logic_decl.cmi src/logic.cmi src/loc.cmi src/ident.cmi src/error.cmi \
    src/env.cmi src/cc.cmi src/coq.cmi
src/coq.cmx : src/vcg.cmx src/util.cmx src/report.cmx src/regen.cmx \
    src/print_real.cmx src/pp.cmx src/options.cmx src/misc.cmx \
    src/logic_decl.cmi src/logic.cmi src/loc.cmx src/ident.cmx src/error.cmi \
    src/env.cmx src/cc.cmi src/coq.cmi
src/cvcl.cmo : src/util.cmi src/print_real.cmo src/pp.cmi src/options.cmi \
    src/misc.cmi src/logic_decl.cmi src/logic.cmi src/loc.cmi src/ident.cmi \
    src/env.cmi src/encoding_mono_inst.cmi src/encoding.cmi src/cc.cmi \
    src/cvcl.cmi
src/cvcl.cmx : src/util.cmx src/print_real.cmx src/pp.cmx src/options.cmx \
    src/misc.cmx src/logic_decl.cmi src/logic.cmi src/loc.cmx src/ident.cmx \
    src/env.cmx src/encoding_mono_inst.cmx src/encoding.cmx src/cc.cmi \
    src/cvcl.cmi
src/dispatcher.cmo : src/zenon.cmi src/theory_filtering.cmo src/smtlib.cmi \
    src/simplify.cmi src/pvs.cmi src/pretty.cmi src/options.cmi \
    src/logic_decl.cmi src/logic.cmi src/lib.cmi src/harvey.cmi src/gappa.cmi \
    src/env.cmi tools/dpConfig.cmi src/cvcl.cmi src/coq.cmi src/cc.cmi \
    tools/calldp.cmi src/dispatcher.cmi
src/dispatcher.cmx : src/zenon.cmx src/theory_filtering.cmx src/smtlib.cmx \
    src/simplify.cmx src/pvs.cmx src/pretty.cmx src/options.cmx \
    src/logic_decl.cmi src/logic.cmi src/lib.cmx src/harvey.cmx src/gappa.cmx \
    src/env.cmx tools/dpConfig.cmx src/cvcl.cmx src/coq.cmx src/cc.cmi \
    tools/calldp.cmx src/dispatcher.cmi
src/effect.cmo : src/ident.cmi src/effect.cmi
src/effect.cmx : src/ident.cmx src/effect.cmi
src/encoding.cmo : src/predDefExpansor.cmi src/options.cmi src/monomorph.cmi \
    src/logic_decl.cmi src/ident.cmi src/encoding_strat.cmi \
    src/encoding_rec.cmi src/encoding_pred.cmi src/encoding_mono_inst.cmi \
    src/encoding_mono.cmo src/encoding.cmi
src/encoding.cmx : src/predDefExpansor.cmx src/options.cmx src/monomorph.cmx \
    src/logic_decl.cmi src/ident.cmx src/encoding_strat.cmx \
    src/encoding_rec.cmx src/encoding_pred.cmx src/encoding_mono_inst.cmx \
    src/encoding_mono.cmx src/encoding.cmi
src/encoding_mono.cmo : src/util.cmi src/predDefExpansor.cmi src/misc.cmi \
    src/logic_decl.cmi src/logic.cmi src/loc.cmi src/ident.cmi src/env.cmi \
    src/cc.cmi
src/encoding_mono.cmx : src/util.cmx src/predDefExpansor.cmx src/misc.cmx \
    src/logic_decl.cmi src/logic.cmi src/loc.cmx src/ident.cmx src/env.cmx \
    src/cc.cmi
src/encoding_mono2.cmo : src/util.cmi src/misc.cmi src/logic_decl.cmi \
    src/logic.cmi src/loc.cmi src/ident.cmi src/env.cmi src/cc.cmi
src/encoding_mono2.cmx : src/util.cmx src/misc.cmx src/logic_decl.cmi \
    src/logic.cmi src/loc.cmx src/ident.cmx src/env.cmx src/cc.cmi
src/encoding_mono_inst.cmo : src/util.cmi src/predDefExpansor.cmi src/pp.cmi \
    src/options.cmi src/mapenv.cmo src/logic_decl.cmi src/logic.cmi \
    src/loc.cmi src/ident.cmi src/env.cmi src/cc.cmi \
    src/encoding_mono_inst.cmi
src/encoding_mono_inst.cmx : src/util.cmx src/predDefExpansor.cmx src/pp.cmx \
    src/options.cmx src/mapenv.cmx src/logic_decl.cmi src/logic.cmi \
    src/loc.cmx src/ident.cmx src/env.cmx src/cc.cmi \
    src/encoding_mono_inst.cmi
src/encoding_pred.cmo : src/logic_decl.cmi src/logic.cmi src/loc.cmi \
    src/ident.cmi src/env.cmi src/cc.cmi src/encoding_pred.cmi
src/encoding_pred.cmx : src/logic_decl.cmi src/logic.cmi src/loc.cmx \
    src/ident.cmx src/env.cmx src/cc.cmi src/encoding_pred.cmi
src/encoding_rec.cmo : src/options.cmi src/logic_decl.cmi src/logic.cmi \
    src/loc.cmi src/ident.cmi src/env.cmi src/cc.cmi src/encoding_rec.cmi
src/encoding_rec.cmx : src/options.cmx src/logic_decl.cmi src/logic.cmi \
    src/loc.cmx src/ident.cmx src/env.cmx src/cc.cmi src/encoding_rec.cmi
src/encoding_strat.cmo : src/util.cmi src/logic_decl.cmi src/logic.cmi \
    src/loc.cmi src/ident.cmi src/env.cmi src/cc.cmi src/encoding_strat.cmi
src/encoding_strat.cmx : src/util.cmx src/logic_decl.cmi src/logic.cmi \
    src/loc.cmx src/ident.cmx src/env.cmx src/cc.cmi src/encoding_strat.cmi
src/env.cmo : src/types.cmi src/report.cmi src/misc.cmi src/logic.cmi \
    src/loc.cmi src/ident.cmi src/error.cmi src/effect.cmi src/cc.cmi \
    src/ast.cmi src/env.cmi
src/env.cmx : src/types.cmi src/report.cmx src/misc.cmx src/logic.cmi \
    src/loc.cmx src/ident.cmx src/error.cmi src/effect.cmx src/cc.cmi \
    src/ast.cmi src/env.cmi
src/explain.cmo : src/logic_decl.cmi src/explain.cmi
src/explain.cmx : src/logic_decl.cmi src/explain.cmi
src/fastwp.cmo : src/wp.cmi src/util.cmi src/types.cmi src/misc.cmi \
    src/logic.cmi src/ident.cmi src/env.cmi src/effect.cmi src/cc.cmi \
    src/ast.cmi src/fastwp.cmi
src/fastwp.cmx : src/wp.cmx src/util.cmx src/types.cmi src/misc.cmx \
    src/logic.cmi src/ident.cmx src/env.cmx src/effect.cmx src/cc.cmi \
    src/ast.cmi src/fastwp.cmi
src/fpi.cmo : src/pp.cmi src/misc.cmi src/logic.cmi src/loc.cmi \
    src/ident.cmi src/cc.cmi src/fpi.cmi
src/fpi.cmx : src/pp.cmx src/misc.cmx src/logic.cmi src/loc.cmx \
    src/ident.cmx src/cc.cmi src/fpi.cmi
src/gappa.cmo : src/predDefExpansor.cmi src/pp.cmi src/options.cmi \
    src/misc.cmi src/logic_decl.cmi src/logic.cmi src/ident.cmi src/env.cmi \
    src/cc.cmi src/gappa.cmi
src/gappa.cmx : src/predDefExpansor.cmx src/pp.cmx src/options.cmx \
    src/misc.cmx src/logic_decl.cmi src/logic.cmi src/ident.cmx src/env.cmx \
    src/cc.cmi src/gappa.cmi
src/graphviz.cmo : src/graphviz.cmi
src/graphviz.cmx : src/graphviz.cmi
src/harvey.cmo : src/util.cmi src/print_real.cmo src/pp.cmi src/options.cmi \
    src/misc.cmi src/logic_decl.cmi src/logic.cmi src/loc.cmi src/ident.cmi \
    src/env.cmi src/encoding.cmi src/cc.cmi src/harvey.cmi
src/harvey.cmx : src/util.cmx src/print_real.cmx src/pp.cmx src/options.cmx \
    src/misc.cmx src/logic_decl.cmi src/logic.cmi src/loc.cmx src/ident.cmx \
    src/env.cmx src/encoding.cmx src/cc.cmi src/harvey.cmi
src/hol4.cmo : src/util.cmi src/print_real.cmo src/pp.cmi src/misc.cmi \
    src/logic_decl.cmi src/logic.cmi src/ident.cmi src/env.cmi src/cc.cmi \
    src/hol4.cmi
src/hol4.cmx : src/util.cmx src/print_real.cmx src/pp.cmx src/misc.cmx \
    src/logic_decl.cmi src/logic.cmi src/ident.cmx src/env.cmx src/cc.cmi \
    src/hol4.cmi
src/holl.cmo : src/util.cmi src/print_real.cmo src/pp.cmi src/misc.cmi \
    src/logic_decl.cmi src/logic.cmi src/ident.cmi src/env.cmi src/cc.cmi \
    src/holl.cmi
src/holl.cmx : src/util.cmx src/print_real.cmx src/pp.cmx src/misc.cmx \
    src/logic_decl.cmi src/logic.cmi src/ident.cmx src/env.cmx src/cc.cmi \
    src/holl.cmi
src/hypotheses_filtering.cmo : src/util.cmi src/options.cmi src/misc.cmi \
    src/logic_decl.cmi src/logic.cmi src/ident.cmi src/env.cmi src/cc.cmi
src/hypotheses_filtering.cmx : src/util.cmx src/options.cmx src/misc.cmx \
    src/logic_decl.cmi src/logic.cmi src/ident.cmx src/env.cmx src/cc.cmi
src/ident.cmo : src/ident.cmi
src/ident.cmx : src/ident.cmi
src/isabelle.cmo : src/util.cmi src/regen.cmi src/print_real.cmo src/pp.cmi \
    src/options.cmi src/misc.cmi src/logic_decl.cmi src/logic.cmi src/loc.cmi \
    src/ident.cmi src/env.cmi src/cc.cmi src/isabelle.cmi
src/isabelle.cmx : src/util.cmx src/regen.cmx src/print_real.cmx src/pp.cmx \
    src/options.cmx src/misc.cmx src/logic_decl.cmi src/logic.cmi src/loc.cmx \
    src/ident.cmx src/env.cmx src/cc.cmi src/isabelle.cmi
src/lib.cmo : src/lib.cmi
src/lib.cmx : src/lib.cmi
src/loc.cmo : src/loc.cmi
src/loc.cmx : src/loc.cmi
src/ltyping.cmo : src/util.cmi src/types.cmi src/report.cmi src/ptree.cmi \
    src/options.cmi src/misc.cmi src/logic.cmi src/ident.cmi src/error.cmi \
    src/env.cmi src/effect.cmi src/ast.cmi src/ltyping.cmi
src/ltyping.cmx : src/util.cmx src/types.cmi src/report.cmx src/ptree.cmi \
    src/options.cmx src/misc.cmx src/logic.cmi src/ident.cmx src/error.cmi \
    src/env.cmx src/effect.cmx src/ast.cmi src/ltyping.cmi
src/main.cmo : src/zenon.cmi src/z3.cmi src/wp.cmi src/why3.cmi src/vcg.cmi \
    src/util.cmi src/typing.cmi src/types.cmi src/smtlib.cmi src/simplify.cmi \
    src/report.cmi src/red.cmi src/rc.cmi src/pvs.cmi src/ptree.cmi \
    src/pretty.cmi src/predDefExpansor.cmi src/pp.cmi src/options.cmi \
    src/ocaml.cmi src/monomorph.cmi src/monad.cmi src/mlize.cmi src/mizar.cmi \
    src/misc.cmi src/ltyping.cmi src/logic_decl.cmi src/logic.cmi src/loc.cmi \
    src/lexer.cmi src/isabelle.cmi src/ident.cmi src/hypotheses_filtering.cmo \
    src/holl.cmi src/hol4.cmi src/harvey.cmi src/gappa.cmi src/fastwp.cmi \
    src/error.cmi src/env.cmi src/effect.cmi src/dispatcher.cmi src/cvcl.cmi \
    src/coq.cmi src/cc.cmi src/ast.cmi
src/main.cmx : src/zenon.cmx src/z3.cmx src/wp.cmx src/why3.cmx src/vcg.cmx \
    src/util.cmx src/typing.cmx src/types.cmi src/smtlib.cmx src/simplify.cmx \
    src/report.cmx src/red.cmx src/rc.cmx src/pvs.cmx src/ptree.cmi \
    src/pretty.cmx src/predDefExpansor.cmx src/pp.cmx src/options.cmx \
    src/ocaml.cmx src/monomorph.cmx src/monad.cmx src/mlize.cmx src/mizar.cmx \
    src/misc.cmx src/ltyping.cmx src/logic_decl.cmi src/logic.cmi src/loc.cmx \
    src/lexer.cmi src/isabelle.cmx src/ident.cmx src/hypotheses_filtering.cmx \
    src/holl.cmx src/hol4.cmx src/harvey.cmx src/gappa.cmx src/fastwp.cmx \
    src/error.cmi src/env.cmx src/effect.cmx src/dispatcher.cmx src/cvcl.cmx \
    src/coq.cmx src/cc.cmi src/ast.cmi
src/mapenv.cmo : src/misc.cmi src/logic.cmi src/ident.cmi
src/mapenv.cmx : src/misc.cmx src/logic.cmi src/ident.cmx
src/misc.cmo : src/types.cmi src/options.cmi src/option_misc.cmi \
    src/logic.cmi src/loc.cmi src/ident.cmi src/effect.cmi src/cc.cmi \
    src/ast.cmi src/misc.cmi
src/misc.cmx : src/types.cmi src/options.cmx src/option_misc.cmx \
    src/logic.cmi src/loc.cmx src/ident.cmx src/effect.cmx src/cc.cmi \
    src/ast.cmi src/misc.cmi
src/mizar.cmo : src/util.cmi src/regen.cmi src/pp.cmi src/options.cmi \
    src/misc.cmi src/logic_decl.cmi src/logic.cmi src/loc.cmi src/ident.cmi \
    src/env.cmi src/cc.cmi src/mizar.cmi
src/mizar.cmx : src/util.cmx src/regen.cmx src/pp.cmx src/options.cmx \
    src/misc.cmx src/logic_decl.cmi src/logic.cmi src/loc.cmx src/ident.cmx \
    src/env.cmx src/cc.cmi src/mizar.cmi
src/mlize.cmo : src/util.cmi src/typing.cmi src/types.cmi src/rename.cmi \
    src/monadSig.cmi src/monad.cmi src/misc.cmi src/logic.cmi src/ident.cmi \
    src/env.cmi src/cc.cmi src/ast.cmi src/mlize.cmi
src/mlize.cmx : src/util.cmx src/typing.cmx src/types.cmi src/rename.cmx \
    src/monadSig.cmi src/monad.cmx src/misc.cmx src/logic.cmi src/ident.cmx \
    src/env.cmx src/cc.cmi src/ast.cmi src/mlize.cmi
src/monad.cmo : src/util.cmi src/typing.cmi src/types.cmi src/rename.cmi \
    src/misc.cmi src/logic.cmi src/loc.cmi src/ident.cmi src/env.cmi \
    src/effect.cmi src/cc.cmi src/ast.cmi src/monad.cmi
src/monad.cmx : src/util.cmx src/typing.cmx src/types.cmi src/rename.cmx \
    src/misc.cmx src/logic.cmi src/loc.cmx src/ident.cmx src/env.cmx \
    src/effect.cmx src/cc.cmi src/ast.cmi src/monad.cmi
src/monomorph.cmo : src/pp.cmi src/options.cmi src/misc.cmi \
    src/logic_decl.cmi src/logic.cmi src/ident.cmi src/env.cmi src/cc.cmi \
    src/monomorph.cmi
src/monomorph.cmx : src/pp.cmx src/options.cmx src/misc.cmx \
    src/logic_decl.cmi src/logic.cmi src/ident.cmx src/env.cmx src/cc.cmi \
    src/monomorph.cmi
src/ocaml.cmo : src/util.cmi src/types.cmi src/pp.cmi src/options.cmi \
    src/misc.cmi src/logic.cmi src/ident.cmi src/env.cmi src/ast.cmi \
    src/ocaml.cmi
src/ocaml.cmx : src/util.cmx src/types.cmi src/pp.cmx src/options.cmx \
    src/misc.cmx src/logic.cmi src/ident.cmx src/env.cmx src/ast.cmi \
    src/ocaml.cmi
src/option_misc.cmo : src/option_misc.cmi
src/option_misc.cmx : src/option_misc.cmi
src/options.cmo : src/version.cmo src/rc.cmi src/lib.cmi src/options.cmi
src/options.cmx : src/version.cmx src/rc.cmx src/lib.cmx src/options.cmi
src/pp.cmo : src/pp.cmi
src/pp.cmx : src/pp.cmi
src/predDefExpansor.cmo : src/util.cmi src/types.cmi src/misc.cmi \
    src/ltyping.cmi src/logic_decl.cmi src/logic.cmi src/ident.cmi \
    src/env.cmi src/cc.cmi src/predDefExpansor.cmi
src/predDefExpansor.cmx : src/util.cmx src/types.cmi src/misc.cmx \
    src/ltyping.cmx src/logic_decl.cmi src/logic.cmi src/ident.cmx \
    src/env.cmx src/cc.cmi src/predDefExpansor.cmi
src/pretty.cmo : src/util.cmi src/project.cmi src/print_real.cmo src/pp.cmi \
    src/options.cmi src/misc.cmi src/logic_decl.cmi src/logic.cmi src/loc.cmi \
    src/ident.cmi src/explain.cmi src/env.cmi src/encoding.cmi src/cc.cmi \
    src/pretty.cmi
src/pretty.cmx : src/util.cmx src/project.cmx src/print_real.cmx src/pp.cmx \
    src/options.cmx src/misc.cmx src/logic_decl.cmi src/logic.cmi src/loc.cmx \
    src/ident.cmx src/explain.cmx src/env.cmx src/encoding.cmx src/cc.cmi \
    src/pretty.cmi
src/print_real.cmo : src/logic.cmi
src/print_real.cmx : src/logic.cmi
src/project.cmo : src/xml.cmi src/rc.cmi src/logic_decl.cmi src/loc.cmi \
    src/explain.cmi src/project.cmi
src/project.cmx : src/xml.cmx src/rc.cmx src/logic_decl.cmi src/loc.cmx \
    src/explain.cmx src/project.cmi
src/pvs.cmo : src/util.cmi src/print_real.cmo src/predDefExpansor.cmi \
    src/pp.cmi src/options.cmi src/misc.cmi src/logic_decl.cmi src/logic.cmi \
    src/loc.cmi src/ident.cmi src/env.cmi src/cc.cmi src/pvs.cmi
src/pvs.cmx : src/util.cmx src/print_real.cmx src/predDefExpansor.cmx \
    src/pp.cmx src/options.cmx src/misc.cmx src/logic_decl.cmi src/logic.cmi \
    src/loc.cmx src/ident.cmx src/env.cmx src/cc.cmi src/pvs.cmi
src/rc.cmo : src/rc.cmi
src/rc.cmx : src/rc.cmi
src/red.cmo : src/misc.cmi src/logic.cmi src/ident.cmi src/cc.cmi \
    src/red.cmi
src/red.cmx : src/misc.cmx src/logic.cmi src/ident.cmx src/cc.cmi \
    src/red.cmi
src/regen.cmo : src/pp.cmi src/options.cmi src/logic_decl.cmi src/logic.cmi \
    src/loc.cmi src/env.cmi src/cc.cmi src/regen.cmi
src/regen.cmx : src/pp.cmx src/options.cmx src/logic_decl.cmi src/logic.cmi \
    src/loc.cmx src/env.cmx src/cc.cmi src/regen.cmi
src/rename.cmo : src/report.cmi src/pp.cmi src/misc.cmi src/ident.cmi \
    src/error.cmi src/rename.cmi
src/rename.cmx : src/report.cmx src/pp.cmx src/misc.cmx src/ident.cmx \
    src/error.cmi src/rename.cmi
src/report.cmo : src/loc.cmi src/ident.cmi src/error.cmi src/effect.cmi \
    src/report.cmi
src/report.cmx : src/loc.cmx src/ident.cmx src/error.cmi src/effect.cmx \
    src/report.cmi
src/simplify.cmo : src/util.cmi src/report.cmi src/predDefExpansor.cmi \
    src/pp.cmi src/options.cmi src/misc.cmi src/logic_decl.cmi src/logic.cmi \
    src/loc.cmi src/ident.cmi src/error.cmi src/env.cmi src/encoding.cmi \
    src/cc.cmi src/simplify.cmi
src/simplify.cmx : src/util.cmx src/report.cmx src/predDefExpansor.cmx \
    src/pp.cmx src/options.cmx src/misc.cmx src/logic_decl.cmi src/logic.cmi \
    src/loc.cmx src/ident.cmx src/error.cmi src/env.cmx src/encoding.cmx \
    src/cc.cmi src/simplify.cmi
src/smtlib.cmo : src/print_real.cmo src/pp.cmi src/options.cmi src/misc.cmi \
    src/logic_decl.cmi src/logic.cmi src/loc.cmi src/ident.cmi src/env.cmi \
    src/encoding.cmi src/cc.cmi src/smtlib.cmi
src/smtlib.cmx : src/print_real.cmx src/pp.cmx src/options.cmx src/misc.cmx \
    src/logic_decl.cmi src/logic.cmi src/loc.cmx src/ident.cmx src/env.cmx \
    src/encoding.cmx src/cc.cmi src/smtlib.cmi
src/theory_filtering.cmo : src/options.cmi src/logic_decl.cmi src/logic.cmi \
    src/ident.cmi src/env.cmi src/cc.cmi
src/theory_filtering.cmx : src/options.cmx src/logic_decl.cmi src/logic.cmi \
    src/ident.cmx src/env.cmx src/cc.cmi
src/theoryreducer.cmo : src/unionfind.cmo src/logic_decl.cmi src/logic.cmi \
    src/ident.cmi src/env.cmi src/cc.cmi
src/theoryreducer.cmx : src/unionfind.cmx src/logic_decl.cmi src/logic.cmi \
    src/ident.cmx src/env.cmx src/cc.cmi
src/typing.cmo : src/util.cmi src/types.cmi src/report.cmi src/ptree.cmi \
    src/options.cmi src/misc.cmi src/ltyping.cmi src/logic.cmi src/loc.cmi \
    src/ident.cmi src/error.cmi src/env.cmi src/effect.cmi src/ast.cmi \
    src/typing.cmi
src/typing.cmx : src/util.cmx src/types.cmi src/report.cmx src/ptree.cmi \
    src/options.cmx src/misc.cmx src/ltyping.cmx src/logic.cmi src/loc.cmx \
    src/ident.cmx src/error.cmi src/env.cmx src/effect.cmx src/ast.cmi \
    src/typing.cmi
src/unionfind.cmo :
src/unionfind.cmx :
src/util.cmo : src/types.cmi src/rename.cmi src/rc.cmi src/ptree.cmi \
    src/print_real.cmo src/pp.cmi src/options.cmi src/misc.cmi \
    src/logic_decl.cmi src/logic.cmi src/loc.cmi src/ident.cmi \
    src/explain.cmi src/env.cmi src/effect.cmi src/cc.cmi src/ast.cmi \
    src/util.cmi
src/util.cmx : src/types.cmi src/rename.cmx src/rc.cmx src/ptree.cmi \
    src/print_real.cmx src/pp.cmx src/options.cmx src/misc.cmx \
    src/logic_decl.cmi src/logic.cmi src/loc.cmx src/ident.cmx \
    src/explain.cmx src/env.cmx src/effect.cmx src/cc.cmi src/ast.cmi \
    src/util.cmi
src/vcg.cmo : src/util.cmi src/pp.cmi src/options.cmi src/misc.cmi \
    src/logic_decl.cmi src/logic.cmi src/log.cmi src/ident.cmi src/cc.cmi \
    src/ast.cmi src/vcg.cmi
src/vcg.cmx : src/util.cmx src/pp.cmx src/options.cmx src/misc.cmx \
    src/logic_decl.cmi src/logic.cmi src/log.cmi src/ident.cmx src/cc.cmi \
    src/ast.cmi src/vcg.cmi
src/version.cmo :
src/version.cmx :
src/why.cmo : src/report.cmi src/main.cmo
src/why.cmx : src/report.cmx src/main.cmx
src/why3.cmo : src/why3_kw.cmi src/util.cmi src/print_real.cmo src/pp.cmi \
    src/options.cmi src/misc.cmi src/logic_decl.cmi src/logic.cmi \
    src/ident.cmi src/explain.cmi src/env.cmi src/encoding.cmi src/cc.cmi \
    src/why3.cmi
src/why3.cmx : src/why3_kw.cmx src/util.cmx src/print_real.cmx src/pp.cmx \
    src/options.cmx src/misc.cmx src/logic_decl.cmi src/logic.cmi \
    src/ident.cmx src/explain.cmx src/env.cmx src/encoding.cmx src/cc.cmi \
    src/why3.cmi
src/why3_kw.cmo : src/why3_kw.cmi
src/why3_kw.cmx : src/why3_kw.cmi
src/whyweb.cmo : src/wserver.cmi src/version.cmo src/project.cmi src/pp.cmi \
    src/logic_decl.cmi src/explain.cmi
src/whyweb.cmx : src/wserver.cmx src/version.cmx src/project.cmx src/pp.cmx \
    src/logic_decl.cmi src/explain.cmx
src/wp.cmo : src/util.cmi src/typing.cmi src/types.cmi src/report.cmi \
    src/options.cmi src/misc.cmi src/logic.cmi src/loc.cmi src/ident.cmi \
    src/error.cmi src/env.cmi src/effect.cmi src/cc.cmi src/ast.cmi \
    src/wp.cmi
src/wp.cmx : src/util.cmx src/typing.cmx src/types.cmi src/report.cmx \
    src/options.cmx src/misc.cmx src/logic.cmi src/loc.cmx src/ident.cmx \
    src/error.cmi src/env.cmx src/effect.cmx src/cc.cmi src/ast.cmi \
    src/wp.cmi
src/wserver.cmo : src/wserver.cmi
src/wserver.cmx : src/wserver.cmi
src/xml.cmo : src/rc.cmi src/xml.cmi
src/xml.cmx : src/rc.cmx src/xml.cmi
src/z3.cmo : src/print_real.cmo src/pp.cmi src/options.cmi src/misc.cmi \
    src/logic_decl.cmi src/logic.cmi src/loc.cmi src/ident.cmi src/env.cmi \
    src/encoding_mono_inst.cmi src/encoding.cmi src/cc.cmi src/z3.cmi
src/z3.cmx : src/print_real.cmx src/pp.cmx src/options.cmx src/misc.cmx \
    src/logic_decl.cmi src/logic.cmi src/loc.cmx src/ident.cmx src/env.cmx \
    src/encoding_mono_inst.cmx src/encoding.cmx src/cc.cmi src/z3.cmi
src/zenon.cmo : src/util.cmi src/print_real.cmo src/pp.cmi src/options.cmi \
    src/misc.cmi src/logic_decl.cmi src/logic.cmi src/loc.cmi src/ident.cmi \
    src/env.cmi src/encoding.cmi src/cc.cmi src/zenon.cmi
src/zenon.cmx : src/util.cmx src/print_real.cmx src/pp.cmx src/options.cmx \
    src/misc.cmx src/logic_decl.cmi src/logic.cmi src/loc.cmx src/ident.cmx \
    src/env.cmx src/encoding.cmx src/cc.cmi src/zenon.cmi
src/annot.cmi : src/types.cmi src/logic.cmi src/env.cmi src/ast.cmi
src/ast.cmi : src/types.cmi src/ptree.cmi src/logic.cmi src/loc.cmi \
    src/ident.cmi src/cc.cmi
src/cc.cmi : src/logic.cmi src/loc.cmi src/ident.cmi
src/coq.cmi : src/logic_decl.cmi src/logic.cmi src/ident.cmi src/cc.cmi
src/cvcl.cmi : src/logic_decl.cmi
src/dispatcher.cmi : src/options.cmi src/logic_decl.cmi src/loc.cmi \
    src/env.cmi tools/dpConfig.cmi src/cc.cmi tools/calldp.cmi
src/effect.cmi : src/logic.cmi src/ident.cmi
src/encoding.cmi : src/logic_decl.cmi src/logic.cmi src/ident.cmi
src/encoding_mono_inst.cmi : src/logic_decl.cmi
src/encoding_pred.cmi : src/logic_decl.cmi
src/encoding_rec.cmi : src/logic_decl.cmi
src/encoding_strat.cmi : src/logic_decl.cmi
src/env.cmi : src/types.cmi src/logic.cmi src/loc.cmi src/ident.cmi \
    src/effect.cmi src/cc.cmi src/ast.cmi
src/error.cmi : src/ident.cmi src/effect.cmi
src/explain.cmi : src/logic_decl.cmi src/loc.cmi
src/fastwp.cmi : src/logic.cmi src/env.cmi
src/fpi.cmi : src/cc.cmi
src/gappa.cmi : src/logic_decl.cmi
src/graphviz.cmi :
src/harvey.cmi : src/logic_decl.cmi
src/hol4.cmi : src/logic_decl.cmi
src/holl.cmi : src/logic_decl.cmi
src/ident.cmi :
src/isabelle.cmi : src/logic_decl.cmi
src/lexer.cmi : src/ptree.cmi
src/lib.cmi :
src/linenum.cmi :
src/loc.cmi :
src/log.cmi :
src/logic.cmi : src/ident.cmi
src/logic_decl.cmi : src/logic.cmi src/loc.cmi src/ident.cmi src/env.cmi \
    src/cc.cmi
src/ltyping.cmi : src/types.cmi src/ptree.cmi src/logic.cmi src/loc.cmi \
    src/ident.cmi src/env.cmi src/effect.cmi src/ast.cmi
src/misc.cmi : src/types.cmi src/logic.cmi src/loc.cmi src/ident.cmi \
    src/cc.cmi src/ast.cmi
src/mizar.cmi : src/logic_decl.cmi
src/mlize.cmi : src/rename.cmi src/env.cmi src/cc.cmi
src/monad.cmi : src/monadSig.cmi
src/monadSig.cmi : src/types.cmi src/rename.cmi src/logic.cmi src/loc.cmi \
    src/ident.cmi src/env.cmi src/cc.cmi src/ast.cmi
src/monomorph.cmi : src/logic_decl.cmi src/logic.cmi src/ident.cmi
src/ocaml.cmi : src/types.cmi src/ident.cmi src/env.cmi
src/option_misc.cmi :
src/options.cmi : src/rc.cmi src/project.cmi
src/pp.cmi :
src/predDefExpansor.cmi : src/logic_decl.cmi src/logic.cmi src/ident.cmi \
    src/env.cmi
src/pretty.cmi : src/project.cmi src/logic_decl.cmi
src/project.cmi : src/logic_decl.cmi src/loc.cmi
src/ptree.cmi : src/types.cmi src/logic.cmi src/loc.cmi src/ident.cmi
src/purify.cmi : src/env.cmi
src/pvs.cmi : src/logic_decl.cmi
src/rc.cmi :
src/red.cmi : src/logic.cmi src/cc.cmi
src/regen.cmi : src/logic_decl.cmi src/logic.cmi src/loc.cmi src/env.cmi \
    src/cc.cmi
src/rename.cmi : src/ident.cmi
src/report.cmi : src/loc.cmi src/error.cmi
src/simplify.cmi : src/logic_decl.cmi
src/smtlib.cmi : src/logic_decl.cmi
src/types.cmi : src/logic.cmi src/ident.cmi src/effect.cmi
src/typing.cmi : src/types.cmi src/ptree.cmi src/loc.cmi src/env.cmi \
    src/ast.cmi
src/util.cmi : src/types.cmi src/rename.cmi src/ptree.cmi src/logic_decl.cmi \
    src/logic.cmi src/loc.cmi src/ident.cmi src/env.cmi src/effect.cmi \
    src/cc.cmi src/ast.cmi
src/vcg.cmi : src/logic_decl.cmi src/logic.cmi src/log.cmi src/loc.cmi \
    src/ident.cmi src/cc.cmi src/ast.cmi
src/why3.cmi : src/logic_decl.cmi
src/why3_kw.cmi :
src/wp.cmi : src/logic.cmi src/env.cmi src/ast.cmi
src/wserver.cmi :
src/xml.cmi : src/rc.cmi
src/z3.cmi : src/logic_decl.cmi
src/zenon.cmi : src/logic_decl.cmi
jc/jc_ai.cmi : src/loc.cmi jc/jc_fenv.cmo
jc/jc_ast.cmi : src/loc.cmi jc/jc_env.cmi
jc/jc_callgraph.cmi : src/loc.cmi jc/jc_pervasives.cmi jc/jc_fenv.cmo \
    jc/jc_constructors.cmi
jc/jc_common_options.cmi : jc/jc_env.cmi
jc/jc_constructors.cmi : src/loc.cmi jc/jc_fenv.cmo jc/jc_env.cmi \
    jc/jc_ast.cmi
jc/jc_env.cmi :
jc/jc_envset.cmi : jc/jc_stdlib.cmo jc/jc_env.cmi
jc/jc_frame.cmi : jc/output.cmi jc/jc_fenv.cmo jc/jc_ast.cmi
jc/jc_interp.cmi : jc/output.cmi src/loc.cmi jc/jc_typing.cmi \
    jc/jc_type_var.cmi jc/jc_region.cmo jc/jc_fenv.cmo jc/jc_envset.cmi \
    jc/jc_env.cmi jc/jc_ast.cmi
jc/jc_interp_misc.cmi : jc/output.cmi jc/jc_region.cmo jc/jc_pervasives.cmi \
    jc/jc_fenv.cmo jc/jc_envset.cmi jc/jc_env.cmi jc/jc_ast.cmi
jc/jc_iterators.cmi : src/loc.cmi jc/jc_fenv.cmo jc/jc_envset.cmi \
    jc/jc_env.cmi jc/jc_constructors.cmi jc/jc_ast.cmi
jc/jc_lexer.cmi : src/loc.cmi jc/jc_parser.cmi jc/jc_ast.cmi
jc/jc_norm.cmi : jc/jc_ast.cmi
jc/jc_options.cmi : src/rc.cmi jc/output.cmi src/loc.cmi jc/jc_stdlib.cmo \
    jc/jc_env.cmi
jc/jc_parser.cmi : jc/jc_ast.cmi
jc/jc_pervasives.cmi : jc/jc_stdlib.cmo jc/jc_fenv.cmo jc/jc_envset.cmi \
    jc/jc_env.cmi jc/jc_ast.cmi
jc/jc_struct_tools.cmi : jc/jc_env.cmi
jc/jc_type_var.cmi : src/loc.cmi jc/jc_fenv.cmo jc/jc_env.cmi jc/jc_ast.cmi
jc/jc_typing.cmi : src/loc.cmi jc/jc_stdlib.cmo jc/jc_pervasives.cmi \
    jc/jc_fenv.cmo jc/jc_env.cmi jc/jc_constructors.cmi jc/jc_ast.cmi
jc/numconst.cmi :
jc/output.cmi : src/loc.cmi jc/jc_env.cmi
jc/jc_ai.cmo : jc/jc_ai.cmi
jc/jc_ai.cmx : jc/jc_ai.cmi
jc/jc_annot_fail.cmo :
jc/jc_annot_fail.cmx :
jc/jc_annot_inference.cmo : src/pp.cmi jc/output.cmi src/option_misc.cmi \
    src/loc.cmi jc/jc_typing.cmi jc/jc_stdlib.cmo jc/jc_separation.cmo \
    jc/jc_region.cmo jc/jc_pervasives.cmi jc/jc_output.cmo jc/jc_options.cmi \
    jc/jc_norm.cmi jc/jc_iterators.cmi jc/jc_fenv.cmo jc/jc_envset.cmi \
    jc/jc_env.cmi jc/jc_effect.cmo jc/jc_constructors.cmi jc/jc_ast.cmi
jc/jc_annot_inference.cmx : src/pp.cmx jc/output.cmx src/option_misc.cmx \
    src/loc.cmx jc/jc_typing.cmx jc/jc_stdlib.cmx jc/jc_separation.cmx \
    jc/jc_region.cmx jc/jc_pervasives.cmx jc/jc_output.cmx jc/jc_options.cmx \
    jc/jc_norm.cmx jc/jc_iterators.cmx jc/jc_fenv.cmx jc/jc_envset.cmx \
    jc/jc_env.cmi jc/jc_effect.cmx jc/jc_constructors.cmx jc/jc_ast.cmi
jc/jc_callgraph.cmo : src/pp.cmi src/option_misc.cmi src/loc.cmi \
    jc/jc_typing.cmi jc/jc_stdlib.cmo jc/jc_pervasives.cmi jc/jc_options.cmi \
    jc/jc_iterators.cmi jc/jc_fenv.cmo jc/jc_ast.cmi jc/jc_callgraph.cmi
jc/jc_callgraph.cmx : src/pp.cmx src/option_misc.cmx src/loc.cmx \
    jc/jc_typing.cmx jc/jc_stdlib.cmx jc/jc_pervasives.cmx jc/jc_options.cmx \
    jc/jc_iterators.cmx jc/jc_fenv.cmx jc/jc_ast.cmi jc/jc_callgraph.cmi
jc/jc_common_options.cmo : jc/jc_env.cmi jc/jc_common_options.cmi
jc/jc_common_options.cmx : jc/jc_env.cmi jc/jc_common_options.cmi
jc/jc_constructors.cmo : src/loc.cmi jc/jc_region.cmo jc/jc_fenv.cmo \
    jc/jc_env.cmi jc/jc_ast.cmi jc/jc_constructors.cmi
jc/jc_constructors.cmx : src/loc.cmx jc/jc_region.cmx jc/jc_fenv.cmx \
    jc/jc_env.cmi jc/jc_ast.cmi jc/jc_constructors.cmi
jc/jc_control_flow.cmo : jc/jc_ast.cmi
jc/jc_control_flow.cmx : jc/jc_ast.cmi
jc/jc_effect.cmo : src/pp.cmi src/option_misc.cmi jc/jc_typing.cmi \
    jc/jc_struct_tools.cmi jc/jc_stdlib.cmo jc/jc_region.cmo \
    jc/jc_pervasives.cmi jc/jc_output_misc.cmo jc/jc_output.cmo \
    jc/jc_options.cmi jc/jc_name.cmo jc/jc_iterators.cmi jc/jc_fenv.cmo \
    jc/jc_envset.cmi jc/jc_env.cmi jc/jc_constructors.cmi jc/jc_ast.cmi
jc/jc_effect.cmx : src/pp.cmx src/option_misc.cmx jc/jc_typing.cmx \
    jc/jc_struct_tools.cmx jc/jc_stdlib.cmx jc/jc_region.cmx \
    jc/jc_pervasives.cmx jc/jc_output_misc.cmx jc/jc_output.cmx \
    jc/jc_options.cmx jc/jc_name.cmx jc/jc_iterators.cmx jc/jc_fenv.cmx \
    jc/jc_envset.cmx jc/jc_env.cmi jc/jc_constructors.cmx jc/jc_ast.cmi
jc/jc_envset.cmo : jc/jc_stdlib.cmo jc/jc_env.cmi jc/jc_envset.cmi
jc/jc_envset.cmx : jc/jc_stdlib.cmx jc/jc_env.cmi jc/jc_envset.cmi
jc/jc_fenv.cmo : jc/jc_stdlib.cmo jc/jc_region.cmo jc/jc_envset.cmi \
    jc/jc_env.cmi jc/jc_ast.cmi
jc/jc_fenv.cmx : jc/jc_stdlib.cmx jc/jc_region.cmx jc/jc_envset.cmx \
    jc/jc_env.cmi jc/jc_ast.cmi
jc/jc_frame.cmo : src/pp.cmi jc/output.cmi jc/jc_typing.cmi jc/jc_stdlib.cmo \
    jc/jc_region.cmo jc/jc_pervasives.cmi jc/jc_options.cmi jc/jc_name.cmo \
    jc/jc_interp_misc.cmi jc/jc_interp.cmi jc/jc_frame_notin.cmo \
    jc/jc_fenv.cmo jc/jc_envset.cmi jc/jc_env.cmi jc/jc_effect.cmo \
    jc/jc_constructors.cmi jc/jc_ast.cmi jc/jc_frame.cmi
jc/jc_frame.cmx : src/pp.cmx jc/output.cmx jc/jc_typing.cmx jc/jc_stdlib.cmx \
    jc/jc_region.cmx jc/jc_pervasives.cmx jc/jc_options.cmx jc/jc_name.cmx \
    jc/jc_interp_misc.cmx jc/jc_interp.cmx jc/jc_frame_notin.cmx \
    jc/jc_fenv.cmx jc/jc_envset.cmx jc/jc_env.cmi jc/jc_effect.cmx \
    jc/jc_constructors.cmx jc/jc_ast.cmi jc/jc_frame.cmi
jc/jc_frame_notin.cmo : jc/output.cmi jc/jc_typing.cmi jc/jc_type_var.cmi \
    jc/jc_struct_tools.cmi jc/jc_stdlib.cmo jc/jc_region.cmo \
    jc/jc_pervasives.cmi jc/jc_name.cmo jc/jc_interp_misc.cmi jc/jc_fenv.cmo \
    jc/jc_env.cmi jc/jc_constructors.cmi jc/jc_ast.cmi
jc/jc_frame_notin.cmx : jc/output.cmx jc/jc_typing.cmx jc/jc_type_var.cmx \
    jc/jc_struct_tools.cmx jc/jc_stdlib.cmx jc/jc_region.cmx \
    jc/jc_pervasives.cmx jc/jc_name.cmx jc/jc_interp_misc.cmx jc/jc_fenv.cmx \
    jc/jc_env.cmi jc/jc_constructors.cmx jc/jc_ast.cmi
jc/jc_interp.cmo : src/rc.cmi jc/output.cmi src/option_misc.cmi \
    jc/numconst.cmi src/loc.cmi jc/jc_typing.cmi jc/jc_type_var.cmi \
    jc/jc_struct_tools.cmi jc/jc_stdlib.cmo jc/jc_region.cmo \
    jc/jc_pervasives.cmi jc/jc_pattern.cmo jc/jc_options.cmi jc/jc_name.cmo \
    jc/jc_iterators.cmi jc/jc_invariants.cmo jc/jc_interp_misc.cmi \
    jc/jc_fenv.cmo jc/jc_envset.cmi jc/jc_env.cmi jc/jc_effect.cmo \
    jc/jc_constructors.cmi jc/jc_ast.cmi jc/jc_interp.cmi
jc/jc_interp.cmx : src/rc.cmx jc/output.cmx src/option_misc.cmx \
    jc/numconst.cmx src/loc.cmx jc/jc_typing.cmx jc/jc_type_var.cmx \
    jc/jc_struct_tools.cmx jc/jc_stdlib.cmx jc/jc_region.cmx \
    jc/jc_pervasives.cmx jc/jc_pattern.cmx jc/jc_options.cmx jc/jc_name.cmx \
    jc/jc_iterators.cmx jc/jc_invariants.cmx jc/jc_interp_misc.cmx \
    jc/jc_fenv.cmx jc/jc_envset.cmx jc/jc_env.cmi jc/jc_effect.cmx \
    jc/jc_constructors.cmx jc/jc_ast.cmi jc/jc_interp.cmi
jc/jc_interp_misc.cmo : jc/output.cmi src/option_misc.cmi jc/numconst.cmi \
    jc/jc_typing.cmi jc/jc_type_var.cmi jc/jc_struct_tools.cmi \
    jc/jc_stdlib.cmo jc/jc_region.cmo jc/jc_pervasives.cmi jc/jc_options.cmi \
    jc/jc_name.cmo jc/jc_fenv.cmo jc/jc_envset.cmi jc/jc_env.cmi \
    jc/jc_effect.cmo jc/jc_constructors.cmi jc/jc_ast.cmi \
    jc/jc_interp_misc.cmi
jc/jc_interp_misc.cmx : jc/output.cmx src/option_misc.cmx jc/numconst.cmx \
    jc/jc_typing.cmx jc/jc_type_var.cmx jc/jc_struct_tools.cmx \
    jc/jc_stdlib.cmx jc/jc_region.cmx jc/jc_pervasives.cmx jc/jc_options.cmx \
    jc/jc_name.cmx jc/jc_fenv.cmx jc/jc_envset.cmx jc/jc_env.cmi \
    jc/jc_effect.cmx jc/jc_constructors.cmx jc/jc_ast.cmi \
    jc/jc_interp_misc.cmi
jc/jc_invariants.cmo : jc/output.cmi src/loc.cmi jc/jc_typing.cmi \
    jc/jc_struct_tools.cmi jc/jc_stdlib.cmo jc/jc_region.cmo \
    jc/jc_pervasives.cmi jc/jc_options.cmi jc/jc_name.cmo jc/jc_iterators.cmi \
    jc/jc_interp_misc.cmi jc/jc_fenv.cmo jc/jc_envset.cmi jc/jc_env.cmi \
    jc/jc_constructors.cmi jc/jc_common_options.cmi jc/jc_ast.cmi
jc/jc_invariants.cmx : jc/output.cmx src/loc.cmx jc/jc_typing.cmx \
    jc/jc_struct_tools.cmx jc/jc_stdlib.cmx jc/jc_region.cmx \
    jc/jc_pervasives.cmx jc/jc_options.cmx jc/jc_name.cmx jc/jc_iterators.cmx \
    jc/jc_interp_misc.cmx jc/jc_fenv.cmx jc/jc_envset.cmx jc/jc_env.cmi \
    jc/jc_constructors.cmx jc/jc_common_options.cmx jc/jc_ast.cmi
jc/jc_iterators.cmo : src/option_misc.cmi jc/jc_fenv.cmo jc/jc_envset.cmi \
    jc/jc_constructors.cmi jc/jc_ast.cmi jc/jc_iterators.cmi
jc/jc_iterators.cmx : src/option_misc.cmx jc/jc_fenv.cmx jc/jc_envset.cmx \
    jc/jc_constructors.cmx jc/jc_ast.cmi jc/jc_iterators.cmi
jc/jc_lexer.cmo : jc/jc_pervasives.cmi jc/jc_parser.cmi jc/jc_options.cmi \
    jc/jc_env.cmi jc/jc_ast.cmi jc/jc_lexer.cmi
jc/jc_lexer.cmx : jc/jc_pervasives.cmx jc/jc_parser.cmx jc/jc_options.cmx \
    jc/jc_env.cmi jc/jc_ast.cmi jc/jc_lexer.cmi
jc/jc_main.cmo : src/pp.cmi jc/output.cmi src/option_misc.cmi src/loc.cmi \
    src/lib.cmi jc/jc_typing.cmi jc/jc_stdlib.cmo jc/jc_separation.cmo \
    jc/jc_region.cmo jc/jc_poutput.cmo jc/jc_pervasives.cmi jc/jc_options.cmi \
    jc/jc_norm.cmi jc/jc_lexer.cmi jc/jc_invariants.cmo jc/jc_interp_misc.cmi \
    jc/jc_interp.cmi jc/jc_frame.cmi jc/jc_fenv.cmo jc/jc_env.cmi \
    jc/jc_effect.cmo jc/jc_callgraph.cmi jc/jc_ai.cmi
jc/jc_main.cmx : src/pp.cmx jc/output.cmx src/option_misc.cmx src/loc.cmx \
    src/lib.cmx jc/jc_typing.cmx jc/jc_stdlib.cmx jc/jc_separation.cmx \
    jc/jc_region.cmx jc/jc_poutput.cmx jc/jc_pervasives.cmx jc/jc_options.cmx \
    jc/jc_norm.cmx jc/jc_lexer.cmx jc/jc_invariants.cmx jc/jc_interp_misc.cmx \
    jc/jc_interp.cmx jc/jc_frame.cmx jc/jc_fenv.cmx jc/jc_env.cmi \
    jc/jc_effect.cmx jc/jc_callgraph.cmx jc/jc_ai.cmx
jc/jc_make.cmo :
jc/jc_make.cmx :
jc/jc_name.cmo : jc/output.cmi jc/jc_region.cmo jc/jc_pervasives.cmi \
    jc/jc_env.cmi jc/jc_common_options.cmi
jc/jc_name.cmx : jc/output.cmx jc/jc_region.cmx jc/jc_pervasives.cmx \
    jc/jc_env.cmi jc/jc_common_options.cmx
jc/jc_norm.cmo : src/option_misc.cmi jc/jc_pervasives.cmi jc/jc_options.cmi \
    jc/jc_iterators.cmi jc/jc_envset.cmi jc/jc_env.cmi jc/jc_constructors.cmi \
    jc/jc_ast.cmi jc/jc_norm.cmi
jc/jc_norm.cmx : src/option_misc.cmx jc/jc_pervasives.cmx jc/jc_options.cmx \
    jc/jc_iterators.cmx jc/jc_envset.cmx jc/jc_env.cmi jc/jc_constructors.cmx \
    jc/jc_ast.cmi jc/jc_norm.cmi
jc/jc_noutput.cmo : src/pp.cmi jc/jc_pervasives.cmi jc/jc_output_misc.cmo \
    jc/jc_ast.cmi
jc/jc_noutput.cmx : src/pp.cmx jc/jc_pervasives.cmx jc/jc_output_misc.cmx \
    jc/jc_ast.cmi
jc/jc_options.cmo : src/version.cmo src/rc.cmi jc/output.cmi src/loc.cmi \
    jc/jc_stdlib.cmo jc/jc_env.cmi jc/jc_common_options.cmi jc/jc_options.cmi
jc/jc_options.cmx : src/version.cmx src/rc.cmx jc/output.cmx src/loc.cmx \
    jc/jc_stdlib.cmx jc/jc_env.cmi jc/jc_common_options.cmx jc/jc_options.cmi
jc/jc_output.cmo : src/pp.cmi src/option_misc.cmi jc/jc_type_var.cmi \
    jc/jc_poutput.cmo jc/jc_pervasives.cmi jc/jc_output_misc.cmo \
    jc/jc_fenv.cmo jc/jc_env.cmi jc/jc_constructors.cmi jc/jc_ast.cmi
jc/jc_output.cmx : src/pp.cmx src/option_misc.cmx jc/jc_type_var.cmx \
    jc/jc_poutput.cmx jc/jc_pervasives.cmx jc/jc_output_misc.cmx \
    jc/jc_fenv.cmx jc/jc_env.cmi jc/jc_constructors.cmx jc/jc_ast.cmi
jc/jc_output_misc.cmo : src/pp.cmi jc/jc_pervasives.cmi jc/jc_env.cmi \
    jc/jc_ast.cmi
jc/jc_output_misc.cmx : src/pp.cmx jc/jc_pervasives.cmx jc/jc_env.cmi \
    jc/jc_ast.cmi
jc/jc_parser.cmo : src/loc.cmi jc/jc_pervasives.cmi jc/jc_options.cmi \
    jc/jc_env.cmi jc/jc_constructors.cmi jc/jc_ast.cmi jc/jc_parser.cmi
jc/jc_parser.cmx : src/loc.cmx jc/jc_pervasives.cmx jc/jc_options.cmx \
    jc/jc_env.cmi jc/jc_constructors.cmx jc/jc_ast.cmi jc/jc_parser.cmi
jc/jc_pattern.cmo : jc/output.cmi jc/jc_region.cmo jc/jc_pervasives.cmi \
    jc/jc_name.cmo jc/jc_interp_misc.cmi jc/jc_env.cmi jc/jc_effect.cmo \
    jc/jc_ast.cmi
jc/jc_pattern.cmx : jc/output.cmx jc/jc_region.cmx jc/jc_pervasives.cmx \
    jc/jc_name.cmx jc/jc_interp_misc.cmx jc/jc_env.cmi jc/jc_effect.cmx \
    jc/jc_ast.cmi
jc/jc_pervasives.cmo : src/pp.cmi src/option_misc.cmi jc/jc_stdlib.cmo \
    jc/jc_region.cmo jc/jc_fenv.cmo jc/jc_envset.cmi jc/jc_env.cmi \
    jc/jc_constructors.cmi jc/jc_ast.cmi jc/jc_pervasives.cmi
jc/jc_pervasives.cmx : src/pp.cmx src/option_misc.cmx jc/jc_stdlib.cmx \
    jc/jc_region.cmx jc/jc_fenv.cmx jc/jc_envset.cmx jc/jc_env.cmi \
    jc/jc_constructors.cmx jc/jc_ast.cmi jc/jc_pervasives.cmi
jc/jc_poutput.cmo : src/pp.cmi src/option_misc.cmi jc/jc_output_misc.cmo \
    jc/jc_ast.cmi
jc/jc_poutput.cmx : src/pp.cmx src/option_misc.cmx jc/jc_output_misc.cmx \
    jc/jc_ast.cmi
jc/jc_region.cmo : src/pp.cmi jc/jc_stdlib.cmo jc/jc_envset.cmi \
    jc/jc_env.cmi jc/jc_common_options.cmi
jc/jc_region.cmx : src/pp.cmx jc/jc_stdlib.cmx jc/jc_envset.cmx \
    jc/jc_env.cmi jc/jc_common_options.cmx
jc/jc_separation.cmo : src/pp.cmi src/option_misc.cmi jc/jc_typing.cmi \
    jc/jc_stdlib.cmo jc/jc_region.cmo jc/jc_pervasives.cmi jc/jc_options.cmi \
    jc/jc_iterators.cmi jc/jc_fenv.cmo jc/jc_envset.cmi jc/jc_env.cmi \
    jc/jc_constructors.cmi jc/jc_ast.cmi
jc/jc_separation.cmx : src/pp.cmx src/option_misc.cmx jc/jc_typing.cmx \
    jc/jc_stdlib.cmx jc/jc_region.cmx jc/jc_pervasives.cmx jc/jc_options.cmx \
    jc/jc_iterators.cmx jc/jc_fenv.cmx jc/jc_envset.cmx jc/jc_env.cmi \
    jc/jc_constructors.cmx jc/jc_ast.cmi
jc/jc_stdlib.cmo :
jc/jc_stdlib.cmx :
jc/jc_stdlib_ge312.cmo :
jc/jc_stdlib_ge312.cmx :
jc/jc_stdlib_ge400.cmo :
jc/jc_stdlib_ge400.cmx :
jc/jc_stdlib_lt312.cmo :
jc/jc_stdlib_lt312.cmx :
jc/jc_struct_tools.cmo : jc/jc_pervasives.cmi jc/jc_output_misc.cmo \
    jc/jc_options.cmi jc/jc_name.cmo jc/jc_envset.cmi jc/jc_env.cmi \
    jc/jc_struct_tools.cmi
jc/jc_struct_tools.cmx : jc/jc_pervasives.cmx jc/jc_output_misc.cmx \
    jc/jc_options.cmx jc/jc_name.cmx jc/jc_envset.cmx jc/jc_env.cmi \
    jc/jc_struct_tools.cmi
jc/jc_type_var.cmo : src/pp.cmi src/loc.cmi jc/jc_pervasives.cmi \
    jc/jc_iterators.cmi jc/jc_envset.cmi jc/jc_env.cmi jc/jc_constructors.cmi \
    jc/jc_type_var.cmi
jc/jc_type_var.cmx : src/pp.cmx src/loc.cmx jc/jc_pervasives.cmx \
    jc/jc_iterators.cmx jc/jc_envset.cmx jc/jc_env.cmi jc/jc_constructors.cmx \
    jc/jc_type_var.cmi
jc/jc_typing.cmo : src/pp.cmi src/option_misc.cmi src/loc.cmi \
    jc/jc_type_var.cmi jc/jc_struct_tools.cmi jc/jc_stdlib.cmo \
    jc/jc_region.cmo jc/jc_pervasives.cmi jc/jc_output_misc.cmo \
    jc/jc_output.cmo jc/jc_options.cmi jc/jc_noutput.cmo jc/jc_norm.cmi \
    jc/jc_iterators.cmi jc/jc_fenv.cmo jc/jc_envset.cmi jc/jc_env.cmi \
    jc/jc_constructors.cmi jc/jc_common_options.cmi jc/jc_ast.cmi \
    jc/jc_typing.cmi
jc/jc_typing.cmx : src/pp.cmx src/option_misc.cmx src/loc.cmx \
    jc/jc_type_var.cmx jc/jc_struct_tools.cmx jc/jc_stdlib.cmx \
    jc/jc_region.cmx jc/jc_pervasives.cmx jc/jc_output_misc.cmx \
    jc/jc_output.cmx jc/jc_options.cmx jc/jc_noutput.cmx jc/jc_norm.cmx \
    jc/jc_iterators.cmx jc/jc_fenv.cmx jc/jc_envset.cmx jc/jc_env.cmi \
    jc/jc_constructors.cmx jc/jc_common_options.cmx jc/jc_ast.cmi \
    jc/jc_typing.cmi
jc/numconst.cmo : jc/numconst.cmi
jc/numconst.cmx : jc/numconst.cmi
jc/output.cmo : src/why3_kw.cmi src/pp.cmi src/option_misc.cmi src/loc.cmi \
    jc/jc_env.cmi jc/output.cmi
jc/output.cmx : src/why3_kw.cmx src/pp.cmx src/option_misc.cmx src/loc.cmx \
    jc/jc_env.cmi jc/output.cmi
java/java_ast.cmi : src/loc.cmi java/java_env.cmi
java/java_callgraph.cmi : java/java_typing.cmi java/java_tast.cmi \
    java/java_env.cmi
java/java_env.cmi : src/loc.cmi
java/java_parser.cmi : java/java_ast.cmi
java/java_tast.cmi : src/loc.cmi java/java_env.cmi java/java_ast.cmi
java/java_typing.cmi : src/loc.cmi java/java_tast.cmi java/java_env.cmi \
    java/java_ast.cmi
java/java_abstract.cmo : src/pp.cmi java/java_env.cmi java/java_ast.cmi
java/java_abstract.cmx : src/pp.cmx java/java_env.cmi java/java_ast.cmi
java/java_analysis.cmo : src/option_misc.cmi java/java_typing.cmi \
    java/java_tast.cmi java/java_pervasives.cmo java/java_options.cmo \
    java/java_env.cmi java/java_ast.cmi
java/java_analysis.cmx : src/option_misc.cmx java/java_typing.cmx \
    java/java_tast.cmi java/java_pervasives.cmx java/java_options.cmx \
    java/java_env.cmi java/java_ast.cmi
java/java_callgraph.cmo : src/pp.cmi src/option_misc.cmi \
    java/java_typing.cmi java/java_tast.cmi java/java_options.cmo \
    java/java_env.cmi java/java_callgraph.cmi
java/java_callgraph.cmx : src/pp.cmx src/option_misc.cmx \
    java/java_typing.cmx java/java_tast.cmi java/java_options.cmx \
    java/java_env.cmi java/java_callgraph.cmi
java/java_interp.cmo : jc/output.cmi src/option_misc.cmi src/loc.cmi \
    jc/jc_pervasives.cmi jc/jc_fenv.cmo jc/jc_env.cmi jc/jc_constructors.cmi \
    jc/jc_ast.cmi java/java_typing.cmi java/java_tast.cmi \
    java/java_pervasives.cmo java/java_options.cmo java/java_env.cmi \
    java/java_ast.cmi java/java_analysis.cmo
java/java_interp.cmx : jc/output.cmx src/option_misc.cmx src/loc.cmx \
    jc/jc_pervasives.cmx jc/jc_fenv.cmx jc/jc_env.cmi jc/jc_constructors.cmx \
    jc/jc_ast.cmi java/java_typing.cmx java/java_tast.cmi \
    java/java_pervasives.cmx java/java_options.cmx java/java_env.cmi \
    java/java_ast.cmi java/java_analysis.cmx
java/java_lexer.cmo : jc/jc_env.cmi java/java_pervasives.cmo \
    java/java_parser.cmi java/java_options.cmo java/java_env.cmi \
    java/java_ast.cmi
java/java_lexer.cmx : jc/jc_env.cmi java/java_pervasives.cmx \
    java/java_parser.cmx java/java_options.cmx java/java_env.cmi \
    java/java_ast.cmi
java/java_main.cmo : src/pp.cmi jc/output.cmi src/option_misc.cmi \
    src/loc.cmi jc/jc_poutput.cmo jc/jc_constructors.cmi java/java_typing.cmi \
    java/java_syntax.cmo java/java_options.cmo java/java_interp.cmo \
    java/java_env.cmi java/java_callgraph.cmi java/java_analysis.cmo \
    java/java_abstract.cmo
java/java_main.cmx : src/pp.cmx jc/output.cmx src/option_misc.cmx \
    src/loc.cmx jc/jc_poutput.cmx jc/jc_constructors.cmx java/java_typing.cmx \
    java/java_syntax.cmx java/java_options.cmx java/java_interp.cmx \
    java/java_env.cmi java/java_callgraph.cmx java/java_analysis.cmx \
    java/java_abstract.cmx
java/java_options.cmo : src/version.cmo src/loc.cmi jc/jc_env.cmi \
    java/java_env.cmi
java/java_options.cmx : src/version.cmx src/loc.cmx jc/jc_env.cmi \
    java/java_env.cmi
java/java_parser.cmo : src/loc.cmi java/java_pervasives.cmo \
    java/java_options.cmo java/java_env.cmi java/java_ast.cmi \
    java/java_parser.cmi
java/java_parser.cmx : src/loc.cmx java/java_pervasives.cmx \
    java/java_options.cmx java/java_env.cmi java/java_ast.cmi \
    java/java_parser.cmi
java/java_pervasives.cmo : src/loc.cmi java/java_tast.cmi java/java_env.cmi \
    java/java_ast.cmi
java/java_pervasives.cmx : src/loc.cmx java/java_tast.cmi java/java_env.cmi \
    java/java_ast.cmi
java/java_syntax.cmo : src/option_misc.cmi src/loc.cmi \
    java/java_pervasives.cmo java/java_parser.cmi java/java_options.cmo \
    java/java_lexer.cmo java/java_ast.cmi
java/java_syntax.cmx : src/option_misc.cmx src/loc.cmx \
    java/java_pervasives.cmx java/java_parser.cmx java/java_options.cmx \
    java/java_lexer.cmx java/java_ast.cmi
java/java_typing.cmo : src/pp.cmi src/option_misc.cmi jc/numconst.cmi \
    src/loc.cmi java/java_tast.cmi java/java_syntax.cmo \
    java/java_pervasives.cmo java/java_options.cmo java/java_env.cmi \
    java/java_ast.cmi java/java_typing.cmi
java/java_typing.cmx : src/pp.cmx src/option_misc.cmx jc/numconst.cmx \
    src/loc.cmx java/java_tast.cmi java/java_syntax.cmx \
    java/java_pervasives.cmx java/java_options.cmx java/java_env.cmi \
    java/java_ast.cmi java/java_typing.cmi
mix/mix_ast.cmi :
mix/mix_cfg.cmi :
mix/mix_parser.cmi : mix/mix_ast.cmi
mix/mix_cfg.cmo : mix/mix_cfg.cmi
mix/mix_cfg.cmx : mix/mix_cfg.cmi
mix/mix_interp.cmo : src/pp.cmi mix/mix_seq.cmo mix/mix_ast.cmi
mix/mix_interp.cmx : src/pp.cmx mix/mix_seq.cmx mix/mix_ast.cmi
mix/mix_lexer.cmo : mix/mix_parser.cmi mix/mix_ast.cmi
mix/mix_lexer.cmx : mix/mix_parser.cmx mix/mix_ast.cmi
mix/mix_main.cmo : src/pp.cmi mix/mix_seq.cmo mix/mix_parser.cmi \
    mix/mix_lexer.cmo mix/mix_interp.cmo mix/mix_ast.cmi
mix/mix_main.cmx : src/pp.cmx mix/mix_seq.cmx mix/mix_parser.cmx \
    mix/mix_lexer.cmx mix/mix_interp.cmx mix/mix_ast.cmi
mix/mix_parser.cmo : mix/mix_ast.cmi mix/mix_parser.cmi
mix/mix_parser.cmx : mix/mix_ast.cmi mix/mix_parser.cmi
mix/mix_seq.cmo : mix/mix_cfg.cmi mix/mix_ast.cmi
mix/mix_seq.cmx : mix/mix_cfg.cmx mix/mix_ast.cmi
mix/test.cmo :
mix/test.cmx :
why-2.39/version.sh0000755000106100004300000000200313147234006013250 0ustar  marchevals#!/bin/sh

# Note: the BINDIR variable is a free variable
# Note: the LIBDIR variable is a free variable
# Note: the COQVER variable is a free variable
# Note: the mkdirs are needed for the Ocamlbuild Makefile.

. ./Version

# Why
WHYVF=src/version.ml
mkdir -p src
echo "let coqversion = \"$COQVER\"" > $WHYVF
echo "let version = \"$VERSION\"" >> $WHYVF
echo "let bindir = \"$BINDIR\"" >> $WHYVF
echo "let libdir = \"$LIBDIR/why\"" >> $WHYVF
echo "let banner : ('a,'b,'c) format = \"This is %s version %s@\\\nCopyright (c) 2006-2017 - Why dev team - CNRS & Inria & Univ Paris-Sud@\\\nThis is free software with ABSOLUTELY NO WARRANTY@.\"" >> $WHYVF

# Caduceus
# CADUCEUSVF=c/cversion.ml
# mkdir -p c
# echo "let version = \""$CVERSION"\"" > $CADUCEUSVF
# echo "let date = \""`date`"\"" >> $CADUCEUSVF
# echo "let libdir = \""$LIBDIR/caduceus"\"" >> $CADUCEUSVF


# Doc
DOCF=doc/version.tex
mkdir -p doc
printf '\\newcommand{\\whyversion}{'$VERSION'}\n' > $DOCF
printf '\\newcommand{\\caduceusversion}{'$CVERSION'}\n' >> $DOCF
why-2.39/Makefile.in0000644000106100004300000005033313147234006013302 0ustar  marchevals##########################################################################
#                                                                        #
#  The Why platform for program certification                            #
#                                                                        #
#  Copyright (C) 2002-2017                                               #
#                                                                        #
#    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   #
#    Claude MARCHE, INRIA & Univ. Paris-sud                              #
#    Yannick MOY, Univ. Paris-sud                                        #
#    Romain BARDOU, Univ. Paris-sud                                      #
#                                                                        #
#  Secondary contributors:                                               #
#                                                                        #
#    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        #
#    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             #
#    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           #
#    Sylvie BOLDO, INRIA              (floating-point support)           #
#    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     #
#    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          #
#                                                                        #
#  This software is free software; you can redistribute it and/or        #
#  modify it under the terms of the GNU Lesser General Public            #
#  License version 2.1, with the special exception on linking            #
#  described in file LICENSE.                                            #
#                                                                        #
#  This software is distributed in the hope that it will be useful,      #
#  but WITHOUT ANY WARRANTY; without even the implied warranty of        #
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  #
##########################################################################

VERBOSEMAKE ?= @VERBOSEMAKE@

ifeq ($(VERBOSEMAKE),yes)
 QUIET =
else
 QUIET = yes
endif

# where to install the binaries
DESTDIR =
prefix=@prefix@
datarootdir=@datarootdir@
exec_prefix=@exec_prefix@
BINDIR=$(DESTDIR)@bindir@
LIBDIR=$(DESTDIR)@libdir@

EXE=@EXE@
STRIP=@STRIP@

# where to install the man page
MANDIR=$(DESTDIR)@mandir@

# other variables
OCAMLC   = @OCAMLC@
OCAMLOPT = @OCAMLOPT@
OCAMLDEP = @OCAMLDEP@
OCAMLLEX = @OCAMLLEX@
OCAMLYACC= @OCAMLYACC@
OCAMLDOC = @OCAMLDOC@
OCAMLLIB = @OCAMLLIB@
OCAMLBEST= @OCAMLBEST@
OCAMLVERSION = @OCAMLVERSION@

INCLUDES = -I src -I jc -I java -I mix -I tools
BFLAGS   = -w @OCAMLWARN@ -dtypes -g $(INCLUDES) -I +threads @OCAMLGRAPHLIB@
OFLAGS   = -w @OCAMLWARN@ -dtypes $(INCLUDES) -I +threads  @OCAMLGRAPHLIB@

LCFLAGS = -L/usr/lib -L/usr/local/lib/ocaml

APRONLIB = @APRONLIB@
APRONLIBS = @APRONLIBS@
APRONBYTLIBS = $(APRONLIBS:.cmxa=.cma)

export FRAMAC = @FRAMAC@
FRAMACPLUGIN ?= @FRAMACPLUGIN@

ifeq ($(FRAMACPLUGIN),yes)
JESSIE_PLUGIN_BYTE= jessie_plugin.byte
JESSIE_PLUGIN_OPT= jessie_plugin.opt
JESSIE_PLUGIN_BEST= jessie_plugin.$(OCAMLBEST)
.PHONY: $(JESSIE_PLUGIN_BYTE) $(JESSIE_PLUGIN_OPT)
endif

enable_local=@enable_local@

ATPLIB = -I atp

COQC7  = @COQC7@
COQC8  = @COQC8@
COQDEP = @COQDEP@
COQLIB = $(DESTDIR)"@COQLIB@"
COQVER = @COQVER@

VO7= lib/coq-v7/WhyInt.vo lib/coq-v7/WhyArrays.vo  lib/coq-v7/WhyBool.vo \
     lib/coq-v7/WhyTuples.vo  lib/coq-v7/WhyPermut.vo \
     lib/coq-v7/WhySorted.vo  lib/coq-v7/Why.vo     lib/coq-v7/WhyReal.vo \
     lib/coq-v7/WhyExn.vo lib/coq-v7/WhyCoqCompat.vo \
     lib/coq-v7/WhyLemmas.vo  lib/coq-v7/WhyTactics.vo lib/coq-v7/WhyCM.vo

V7FILES=$(VO7:.vo=.v)

VO8= @JESSIEWHY3LIBCOQ@

VO8OLD= lib/coq/WhyInt.vo lib/coq/WhyArrays.vo  lib/coq/WhyBool.vo \
     lib/coq/WhyTuples.vo  lib/coq/WhyPermut.vo lib/coq/WhyCoqCompat.vo \
     lib/coq/WhySorted.vo  \
     lib/coq/WhyExn.vo lib/coq/WhyLemmas.vo  lib/coq/WhyTactics.vo \
     lib/coq/WhyPrelude.vo lib/coq/WhyCM.vo lib/coq/Why.vo lib/coq/WhyReal.vo \
     @JESSIELIBCOQ@ \
     @WHYFLOATS@

V8FILES=$(VO8:.vo=.v)

PVSFILES = lib/pvs/why.pvs lib/pvs/jessie.pvs lib/pvs/whyfloat.pvs
PVSLIB = $(DESTDIR)@PVSLIB@

GENERATED = src/rc.ml src/xml.ml \
	    jc/numconst.ml jc/jc_stdlib.ml \
	    jc/jc_lexer.ml jc/jc_parser.mli jc/jc_parser.ml \
	    jc/jc_ai.ml \
	    java/java_parser.mli java/java_parser.ml java/java_lexer.ml \
	    mix/mix_lexer.ml mix/mix_parser.mli mix/mix_parser.ml \
	    lib/why3/why3.conf

# main targets
##############

JESSIE=bin/jessie.$(OCAMLBEST)
KRAKATOA=bin/krakatoa.$(OCAMLBEST)
REGTEST=regtest.$(OCAMLBEST)

ifeq ($(OCAMLBEST),opt)
JCLIB=jc/jc.cmo jc/jc.cmx jc/jc.o
else
JCLIB=jc/jc.cmo
endif

all: all-without-frama-c-plugin .depend $(JESSIE_PLUGIN_BEST)

all-without-frama-c-plugin: $(JESSIE) $(KRAKATOA) $(REGTEST) coq-@COQ@

# refrain parallel make (-j nn) from starting ocaml compilation too early
*.cm*: .depend

opt: bin/jessie.opt bin/krakatoa.opt $(JESSIE_PLUGIN_OPT)

byte: bin/jessie.byte bin/krakatoa.byte $(JESSIE_PLUGIN_BYTE)

.PHONY: check

# why
CMO_EXPORT =  src/lib.cmo src/rc.cmo src/loc.cmo \
	   src/ident.cmo src/print_real.cmo  \
	   src/effect.cmo src/pp.cmo src/option_misc.cmo \
	   src/report.cmo \
           src/explain.cmo 	\
	   src/xml.cmo src/project.cmo

# jessie
JCCML_EXPORT = src/why3_kw.ml jc/output.ml \
	jc/jc_common_options.ml jc/jc_stdlib.ml \
	jc/jc_envset.ml jc/jc_region.ml jc/jc_fenv.ml \
	jc/jc_constructors.ml \
	jc/jc_pervasives.ml jc/jc_iterators.ml jc/jc_type_var.ml \
	jc/jc_output_misc.ml jc/jc_poutput.ml jc/jc_output.ml jc/jc_noutput.ml
JCCMO_EXPORT = $(CMO_EXPORT) $(JCCML_EXPORT:.ml=.cmo)
JCCMX_EXPORT = $(JCCMO_EXPORT:.cmo=.cmx)
JCCMI_EXPORT = jc/jc_ast.cmi jc/jc_env.cmi jc/jc.cmi $(JCCMO_EXPORT:.cmo=.cmi)

JCCMO = src/version.cmo \
	@ATPCMO@ $(JCCMO_EXPORT) \
	jc/jc_options.cmo \
	jc/jc_name.cmo \
	jc/jc_struct_tools.cmo \
	jc/jc_norm.cmo jc/jc_typing.cmo \
	jc/numconst.cmo \
	jc/jc_parser.cmo jc/jc_lexer.cmo \
	jc/jc_separation.cmo \
	jc/jc_callgraph.cmo \
	jc/jc_effect.cmo \
	jc/jc_ai.cmo \
	jc/jc_interp_misc.cmo jc/jc_invariants.cmo \
	jc/jc_pattern.cmo \
	jc/jc_frame_notin.cmo \
	jc/jc_interp.cmo \
	jc/jc_frame.cmo \
	jc/jc_make.cmo jc/jc_main.cmo
JCCMX = $(JCCMO:.cmo=.cmx)

jc/jc_stdlib.ml: jc/jc_stdlib_lt312.ml jc/jc_stdlib_ge312.ml jc/jc_stdlib_ge400.ml
	rm -f $@
	case $(OCAMLVERSION) in \
         3.0*|3.10*|3.11*) cp jc/jc_stdlib_lt312.ml $@ ;; \
         3.12*) cp jc/jc_stdlib_ge312.ml $@ ;; \
         4.0*) cp jc/jc_stdlib_ge400.ml $@ ;; \
        esac
	chmod -w $@

$(JCCMX_EXPORT): OFLAGS:=$(OFLAGS) -for-pack Jc

atp/atp.cmx:
	make -C atp atp.cmx

atp/atp.cmo:
	make -C atp atp.cmo

jc/jc.cmi jc/jc.cmo: $(JCCMO_EXPORT)
	$(OCAMLC) $(BFLAGS) -pack -o jc/jc.cmo src/ast.cmi $^

jc/jc.cmx jc/jc.o: $(JCCMX_EXPORT)
	$(OCAMLOPT) $(OFLAGS) -pack -o jc/jc.cmx src/ast.cmi $^

# ppc: jc/jc.cmi jc/jc.cmo jc/jc.cmx

bin/jessie.opt: $(JCCMX)
	$(if $(QUIET),@echo 'Linking  $@' &&) $(OCAMLOPT) $(OFLAGS) $(APRONLIB) $(APRONLIBS) $(ATPLIB) -o $@ \
		unix.cmxa str.cmxa nums.cmxa graph.cmxa $^
	$(STRIP)    $@

bin/jessie.byte: $(JCCMO)
	$(if $(QUIET),@echo 'Linking  $@' &&) $(OCAMLC) $(BFLAGS) $(APRONLIB) $(APRONBYTLIBS) $(ATPLIB) -o $@ \
		unix.cma str.cma nums.cma graph.cma $^

# Frama-C plugin for Jessie
ifeq ($(FRAMACPLUGIN),yes)
JESSIE_PLUGIN_PATH=frama-c-plugin
$(JESSIE_PLUGIN_BYTE): jc/jc.cmo $(JCCMO)
	$(MAKE) -C $(JESSIE_PLUGIN_PATH) depend
	$(MAKE) -C $(JESSIE_PLUGIN_PATH) Jessie.cma

$(JESSIE_PLUGIN_OPT): $(JCLIB) $(JCCMX)
	$(MAKE) -C $(JESSIE_PLUGIN_PATH) depend
	$(MAKE) -C $(JESSIE_PLUGIN_PATH)

install:
	$(MAKE) -C $(JESSIE_PLUGIN_PATH) install
clean::
	$(MAKE) -C $(JESSIE_PLUGIN_PATH) clean
endif

# krakatoa
# CAUTION! NEVER ADD jc/jc_options.cmo INTO THIS LIST
KCMO = src/lib.cmo src/version.cmo \
	src/loc.cmo src/pp.cmo src/option_misc.cmo \
	src/why3_kw.cmo jc/output.cmo jc/jc_stdlib.cmo \
	jc/jc_envset.cmo jc/jc_common_options.cmo \
	jc/jc_region.cmo jc/jc_fenv.cmo jc/numconst.cmo jc/jc_constructors.cmo \
	jc/jc_pervasives.cmo jc/jc_name.cmo \
	jc/jc_iterators.cmo jc/jc_type_var.cmo jc/jc_output_misc.cmo \
	jc/jc_poutput.cmo jc/jc_output.cmo jc/jc_noutput.cmo jc/output.cmo \
	java/java_options.cmo java/java_pervasives.cmo \
	java/java_abstract.cmo \
	java/java_parser.cmo java/java_lexer.cmo java/java_syntax.cmo \
	java/java_typing.cmo java/java_callgraph.cmo \
	java/java_analysis.cmo java/java_interp.cmo \
	java/java_main.cmo
KCMX = $(KCMO:.cmo=.cmx)

bin/krakatoa.opt: $(KCMX)
	$(if $(QUIET),@echo 'Linking  $@' &&) $(OCAMLOPT) $(OFLAGS) -o $@ \
		unix.cmxa nums.cmxa graph.cmxa $^
	$(STRIP)    $@

bin/krakatoa.byte: $(KCMO)
	$(if $(QUIET),@echo 'Linking  $@' &&) $(OCAMLC) $(BFLAGS) -o $@ \
	 	 unix.cma nums.cma graph.cma $^



MLINCLUDES = -I ml/utils -I ml/parsing -I ml/typing

# demixify

MIXCMO=src/pp.cmo mix/mix_parser.cmo mix/mix_lexer.cmo mix/mix_cfg.cmo \
       mix/mix_seq.cmo mix/mix_interp.cmo mix/mix_main.cmo
MIXCMX = $(MIXCMO:.cmo=.cmx)

bin/demixify.opt: $(MIXCMX)
	$(if $(QUIET),@echo 'Linking  $@' &&) $(OCAMLOPT) $(OFLAGS) -o $@ $^
	$(STRIP)    $@

bin/demixify.byte: $(MIXCMO)
	$(if $(QUIET),@echo 'Linking  $@' &&) $(OCAMLC) $(BFLAGS) -o $@ $^

# tools
regtest.opt: tools/regtest.ml
	$(OCAMLOPT) $(OFLAGS) -thread -o $@ unix.cmxa str.cmxa threads.cmxa $^

regtest.byte: tools/regtest.ml
	$(OCAMLC) $(BFLAGS) -thread -o $@ unix.cma str.cma threads.cma $^

ifeq ($(enable_local),no)
LIBWHY3=$(LIBDIR)/why
else
LIBWHY3=$(PWD)/lib
endif

lib/why3/why3.conf: Makefile
	printf "[main]\n" > $@
	printf "loadpath=\"$(LIBWHY3)/why3\"\n" >> $@
	printf "\n" >> $@
	printf "[prover_modifiers]\n" >> $@
	printf "name=\"Coq\"\n" >> $@
	printf "option=\"-R $(LIBWHY3)/coq Why\"\n" >> $@
	printf "driver=\"$(LIBWHY3)/why3/coq.drv\"\n" >> $@
	printf "\n"  >> $@
	printf "[editor_modifiers coqide]\n" >> $@
	printf "option=\"-R $(LIBWHY3)/coq Why\"\n" >> $@
	printf "\n"  >> $@
	printf "[editor_modifiers proofgeneral-coq]\n" >> $@
	printf "option=\"--eval \\\\\"(setq coq-load-path (cons '(\\\\\\\\\\\\\"$(LIBWHY3)/coq\\\\\\\\\\\\\" \\\\\\\\\\\\\"Why\\\\\\\\\\\\\") coq-load-path))\\\\\"\"\n"  >> $@


########
# COQ
########

coq-no:
coq-yes: coq-@COQVER@
coq-v7: $(VO7)
coq-v8: $(VO8)
coq-v8.1: $(VO8)

########
# PVS
########

pvs-no:
pvs-yes: $(PVSFILES)

include Version

doc/version.tex src/version.ml c/cversion.ml: Version version.sh config.status
	BINDIR=$(BINDIR) LIBDIR=$(LIBDIR) COQVER=$(COQVER) ./version.sh

# bench

.PHONY: bench test

WHYVO=lib/coq/Why.vo

bench:: $(BINARY) $(WHYVO)
	cd bench; sh ./bench "../$(BINARY)"
	make -C bench fastwp.bench.ergo
	make -C examples ergo
	#cd bench/provers; sh ./bench "../../$(BINARY)"

JCBENCHLOG=jessie-bench-`date +%d-%m-%y`.log

# Claude: does not work anymore, because someone modified bench/jc/bench
# GRRRRRRRRRRRR
# jc-bench:: $(JESSIE) bin/cadlog.opt
#	(cd bench/jc; sh ./bench 2>&1) | bin/cadlog.opt -jc $(JCBENCHLOG)

jc-fast-bench:: $(JESSIE)
	make -C bench/jc -f Makefile good.bench

JCAIBENCHLOG=jessie-ai-bench-`date +%d-%m-%y`.log

jc-ai-bench:: $(JESSIE) bin/cadlog.opt
	(cd bench/jc/ai; sh ./bench 2>&1) | bin/cadlog.opt -jc $(JCAIBENCHLOG)

JAVABENCHLOG=krakatoa-bench-`date +%d-%m-%y`.log

java-bench:: $(KRAKATOA) bin/cadlog.opt
	(cd bench/java; sh ./bench 2>&1) | bin/cadlog.opt -java $(JAVABENCHLOG)

ml-bench:: $(JESSICA) $(JESSIE)
	make -C bench/ml -f Makefile good.bench

bench-pvs:: $(BINARY) $(WHYVO)
	cd bench; sh ./bench "../$(BINARY) --valid" pvs

bench-tc:: $(BINARY) $(WHYVO)
	cd bench; sh ./bench "../$(BINARY) -tc"

test:: $(BINARY) $(WHYVO)
	[ ! -f bench/test.ml ] || $(BINARY) -d -V -coq bench/test.ml

.PHONY: examples examples-c

examples:: $(BINARY) $(WHYVO)
	make -C examples check

# debugging

db debug: bin/why.byte src/logic.cmo

#src/logic.ml: src/logic.mli
#	cp -f $^ $@

# java APIs
#################

java_api:
	(cd lib/java_api ; for i in java/lang/*.java; do \
		mkdir -p `dirname ../distr_java_api/$$i` ; \
		echo "Generating $$i" ; \
		KRAKATOALIB=.. ../../$(KRAKATOA) -abstract ../distr_java_api/$$i $$i || break ; done)

# installation
##############

install: install-binary install-lib install-man install-coq-@COQ@ install-pvs-@PVS@

BINARYFILES = $(BINARY) $(WHYCONFIG) $(JESSIE) $(KRAKATOA) \
	$(WHY2HTML) $(DP) $(CPULIMIT) $(RVMERGE) bin/gwhy.$(OCAMLBEST) \
	$(WHYSTAT) $(TOOLSTAT) $(WHYOBFUSCATOR) $(SIMPLIFY2WHY)

# install-binary should not depend on $(BINARYFILES); otherwise it
# enforces the compilation of gwhy, even when lablgtk2 is not installed
install-binary:
	mkdir -p $(BINDIR)
	cp -f $(JESSIE) $(BINDIR)/jessie$(EXE)
	cp -f $(KRAKATOA) $(BINDIR)/krakatoa$(EXE)

install-lib: lib/why3/why3.conf
	rm -rf $(LIBDIR)/why
	mkdir -p $(LIBDIR)/why/why3
	cp -f lib/why3/why3.conf lib/why3/coq.drv lib/why3/jessie_why3theories.why lib/why3/jessie_why3.mlw $(LIBDIR)/why/why3
	cd lib; cp -rf java_api $(LIBDIR)/why
	cd lib; cp -rf javacard_api $(LIBDIR)/why

install-man:

install-coq-no:
install-coq-yes: install-coq-@COQVER@
install-coq-v7:
	mkdir -p $(LIBDIR)/why/coq7
	cp -f $(VO7) $(LIBDIR)/why/coq7
install-coq-v8 install-coq-v8.1:
	if test -w $(COQLIB) ; then \
	  rm -f $(COQLIB)/user-contrib/Why*.v* ; \
	  rm -f $(COQLIB)/user-contrib/caduceus*.v* $(COQLIB)/user-contrib/Caduceus*.v* ; \
	  rm -f $(COQLIB)/user-contrib/jessie*.v* $(COQLIB)/user-contrib/Jessie*.v* ; \
	  if test -n "$(VO8)" ; then \
	     mkdir -p $(COQLIB)/user-contrib/Why ; \
	     cp -f $(VO8) $(COQLIB)/user-contrib/Why ; \
          fi \
	else \
	  echo "Cannot copy to Coq standard library. Add \"-R $(LIBDIR)/why/coq Why\" to Coq options." ;\
	fi
	mkdir -p $(LIBDIR)/why/coq
	cp -f $(VO8) $(LIBDIR)/why/coq

install-pvs-no:
install-pvs-yes: $(PVSFILES)
	mkdir -p $(PVSLIB)/why
	cp $(PVSFILES) $(PVSFILES:.pvs=.prf) $(PVSLIB)/why
	cp lib/pvs/top.pvs lib/pvs/pvscontext.el $(PVSLIB)/why
	@echo "======  Compiling PVS theories, this may take some time ======"
	(cd $(PVSLIB)/why ; @PVSC@ -batch -l pvscontext.el -q -v 2 > top.out)
	@echo "======  Done compiling PVS theories ======"

MIZARLIB = $(DESTDIR)@MIZARLIB@

install-mizar-no:
install-mizar-yes:
	mkdir -p $(MIZARLIB)/mml/dict
	cp lib/mizar/why.miz $(MIZARLIB)/mml
	cp lib/mizar/dict/why.voc $(MIZARLIB)/mml/dict

local-install: $(BINARY) $(WHYCONFIG) $(JESSIE) bin/gwhy.$(OCAMLBEST) byte bin/gwhy.byte
	cp $(BINARY) $$HOME/bin/why
	cp $(WHYCONFIG) $$HOME/bin/why
	cp $(JESSIE) $$HOME/bin/jessie
	if test -f bin/gwhy.$(OCAMLBEST); then \
	  cp -f bin/gwhy.$(OCAMLBEST) $$HOME/bin/gwhy; \
	fi

local: install

win: why.nsi
	"/cygdrive/c/Program Files (x86)/NSIS/makensis" /DVERSION=$(VERSION) why.nsi

zip:
	zip -A -r why-$(VERSION).zip c:/why/bin c:/why/lib c:/coq/lib/contrib/why c:/coq/lib/contrib7/why

# doc

DOC=	doc/krakatoa.pdf doc/krakatoa.html \
	doc/jessie.pdf doc/jessie.html \
	doc/main.pdf doc/main.html

doc:: doc/version.tex $(DOC)

doc/krakatoa.pdf: doc/krakatoa.tex doc/version.tex
	make -C doc krakatoa.pdf

doc/krakatoa.html: doc/krakatoa.tex doc/version.tex
	make -C doc krakatoa.html

doc/jessie.pdf: doc/jessie.tex doc/version.tex
	make -C doc jessie.pdf

doc/jessie.html: doc/jessie.tex doc/version.tex
	make -C doc jessie.html

doc/main.pdf: doc/main.tex doc/version.tex
	make -C doc main.pdf

doc/main.html: doc/main.tex doc/version.tex
	make -C doc main.html


# generic rules
###############

.SUFFIXES: .mli .ml .cmi .cmo .cmx .mll .mly .v .vo .ml4

.mli.cmi:
	$(if $(QUIET),@echo 'Ocamlc   $<' &&) $(OCAMLC) $(APRONLIB) $(ATPLIB) -c $(BFLAGS) $<

.ml.cmi:
	$(if $(QUIET),@echo 'Ocamlc   $<' &&) $(OCAMLC) $(APRONLIB) $(ATPLIB) -c $(BFLAGS) $<

.ml.cmo:
	$(if $(QUIET),@echo 'Ocamlc   $<' &&) $(OCAMLC) $(APRONLIB) $(ATPLIB) -c $(BFLAGS) $<

.ml.o:
	$(OCAMLOPT) $(APRONLIB) $(ATPLIB) -c $(OFLAGS) $<

.ml.cmx:
	$(if $(QUIET),@echo 'Ocamlopt $<' &&) $(OCAMLOPT) $(APRONLIB) $(ATPLIB) -c $(OFLAGS) $<

.mll.ml:
	$(OCAMLLEX) $<

.mly.ml:
	$(OCAMLYACC) -v $<

.mly.mli:
	$(OCAMLYACC) -v $<


@JESSIEWHY3LIBCOQ@: COQEXTRAR += -R @WHY3COQPATH@ Why3

lib/coq/%.vo: lib/coq/%.v
	$(COQC8) $(COQEXTRAR) -R lib/coq Why $<

lib/coq-v7/%.vo: lib/coq-v7/%.v
	$(COQC7) -I lib/coq-v7 $<

jc/jc_ai.ml: jc/jc_annot_inference.ml jc/jc_annot_fail.ml Makefile
	if test "@enable_apron@" = "yes" ; then \
	  echo "# 1 \"jc/jc_annot_inference.ml\"" > jc/jc_ai.ml; \
	  cat jc/jc_annot_inference.ml >> jc/jc_ai.ml; \
	else \
	  echo "# 1 \"jc/jc_annot_fail.ml\"" > jc/jc_ai.ml; \
	  cat jc/jc_annot_fail.ml >> jc/jc_ai.ml; \
	fi

# Emacs tags
############

tags:
	find src -name "*.ml*" | sort -r | xargs \
	etags "--regex=/let[ \t]+\([^ \t]+\)/\1/" \
	      "--regex=/let[ \t]+rec[ \t]+\([^ \t]+\)/\1/" \
	      "--regex=/and[ \t]+\([^ \t]+\)/\1/" \
	      "--regex=/type[ \t]+\([^ \t]+\)/\1/" \
              "--regex=/exception[ \t]+\([^ \t]+\)/\1/" \
	      "--regex=/val[ \t]+\([^ \t]+\)/\1/" \
	      "--regex=/module[ \t]+\([^ \t]+\)/\1/"

otags:
	otags src/*.mli src/*.ml c/*.mli c/*.ml intf/*.mli intf/*.ml

wc:
	ocamlwc -p src/*.ml* jc/*.ml* c/*.ml* intf/*.ml* tools/*.ml* java/*.ml*

# distrib
#########

NAME=why-$(VERSION)
EXPORT=export/$(NAME)

WWW = /users/www-perso/projets/why
FTP = $(WWW)/download
WWWKRAKATOA = /users/www-perso/projets/krakatoa

FILES =src/*.ml* jc/*.ml* java/*.ml*  mix/*.ml* \
	tools/regtest.ml \
       version.sh Version Makefile.in configure.in configure .depend .depend.coq \
       config/check_ocamlgraph.ml \
       README INSTALL COPYING LICENSE CHANGES \
       doc/Makefile \
	tests/regtest.sh \
	tests/java/*.java tests/java/coq/*.v \
	tests/java/result/README tests/java/oracle/*.oracle \
	tests/c/*.c tests/c/*/coq/*.v \
	tests/c/result/README tests/c/oracle/*.oracle \
	lib/coq*/*.v \
	lib/pvs/pvscontext.el lib/pvs/*.pvs lib/pvs/*.prf \
	lib/why/*.why lib/isabelle/*.thy  \
	lib/why3/*.why lib/why3/*.mlw lib/why3/coq.drv \
	lib/java_api/java/*/*.java \
	lib/javacard_api/java/lang/*.java \
	lib/javacard_api/javacard/*/*.java \
	lib/javacard_api/javacardx/crypto/*.java \
	lib/javacard_api/com/sun/javacard/impl/*.java \
	atp/*.ml atp/LICENSE.txt atp/Makefile atp/Mk_ml_file \
        frama-c-plugin/Makefile frama-c-plugin/configure \
	frama-c-plugin/*.ml* frama-c-plugin/share/jessie/*.h

# ne pas distribuer ces tests-la	frama-c-plugin/tests/jessie/*.c

export: source export-krakatoa-doc

source: export/$(NAME).tar.gz
	cp CHANGES export/$(NAME).tar.gz $(FTP)

export/$(NAME).tar.gz: $(FILES)
	rm -rf $(EXPORT)
	mkdir -p $(EXPORT)/bin
	cp --parents $(FILES) $(EXPORT)
	cd $(EXPORT); rm -f $(GENERATED)
	cd export; tar cf $(NAME).tar $(NAME); gzip -f --best $(NAME).tar

tarball-for-framac:
	make tarball
	cp export/$(NAME).tar.gz export/why-for-framac.tar.gz

tarball:
	mkdir -p export
	cd export; rm -rf $(NAME) $(NAME).tar.gz
	make export/$(NAME).tar.gz

export-krakatoa-doc:
	cp doc/krakatoa.pdf doc/krakatoa.html doc/*.png $(WWWKRAKATOA)
	cp doc/jessie.pdf doc/jessie.html $(WWWKRAKATOA)

# file headers
##############

headers:
	headache -c doc/headache_config.txt -h doc/header.txt \
		Makefile.in configure.in README \
		*/*.ml */*.ml[ily4] tools/*.c bench/c/good/*.c \
		bench/java/good/*.java \
		tests/java/*.java \
		tests/c/*.c \
		doc/*.tex

# myself
########

Makefile: Makefile.in config.status
	./config.status

config.status: configure
	./config.status --recheck

configure: configure.in
	autoconf

# clean and depend
##################

clean::
	rm -f src/*.cm[iox] src/*.o src/*~ src/*.annot src/*.output
	rm -f tools/*.cm[iox] tools/*.o tools/*~ tools/*.annot
	rm -f jc/*.cm[iox] jc/*.o jc/*~ jc/*.annot jc/*.output
	rm -f java/*.cm[iox] java/*.o java/*~ java/*.annot java/*.output
	rm -f bin/jessie.opt bin/jessie.byte
	rm -f lib/coq*/*.vo lib/coq*/*~
	rm -f $(GENERATED)
	make -C atp clean
	make -C doc clean
	if test -d examples-v7; then \
		make -C examples-v7 clean ; \
	fi
	make -C examples clean

dist-clean:: clean
	rm -f Makefile config.status config.cache config.log

coq-clean::
	rm -f lib/coq*/*.vo examples/*/*.vo
	rm .depend.coq

.PHONY: depend
.depend depend: $(GENERATED)
	rm -f .depend
	$(OCAMLDEP) -slash $(INCLUDES) src/*.ml src/*.mli jc/*.mli jc/*.ml java/*.mli java/*.ml mix/*.mli mix/*.ml  > .depend
ifeq ($(FRAMACPLUGIN),yes)
	$(MAKE) -C $(JESSIE_PLUGIN_PATH) depend
endif


.depend.coq: #lib/coq*/*.v
	if test @COQ@ = yes; then \
	  rm -f .depend.coq; \
	  $(COQDEP) -I lib/coq lib/coq/*.v > .depend.coq; \
	  $(COQDEP) -I lib/coq-v7 lib/coq-v7/*.v >> .depend.coq; \
	else touch .depend.coq; \
	fi

alldepend:
	make -C examples-v7 depend
	make -C examples depend

ifneq ($(MAKECMDGOALS),clean)
include .depend
include .depend.coq
endif
why-2.39/.depend.coq0000644000106100004300000001363213147234006013257 0ustar  marchevalslib/coq/Caduceus.vo lib/coq/Caduceus.glob lib/coq/Caduceus.v.beautified: lib/coq/Caduceus.v lib/coq/caduceus_why.vo lib/coq/caduceus_tactics.vo lib/coq/caduceus_lists.vo
lib/coq/JessieGappa.vo lib/coq/JessieGappa.glob lib/coq/JessieGappa.v.beautified: lib/coq/JessieGappa.v lib/coq/WhyFloats.vo
lib/coq/Jessie_memory_model.vo lib/coq/Jessie_memory_model.glob lib/coq/Jessie_memory_model.v.beautified: lib/coq/Jessie_memory_model.v
lib/coq/Why.vo lib/coq/Why.glob lib/coq/Why.v.beautified: lib/coq/Why.v lib/coq/WhyCoqCompat.vo lib/coq/WhyTuples.vo lib/coq/WhyInt.vo lib/coq/WhyBool.vo lib/coq/WhyArrays.vo lib/coq/WhyPermut.vo lib/coq/WhySorted.vo lib/coq/WhyTactics.vo lib/coq/WhyExn.vo lib/coq/WhyLemmas.vo lib/coq/WhyPrelude.vo
lib/coq/WhyArrays.vo lib/coq/WhyArrays.glob lib/coq/WhyArrays.v.beautified: lib/coq/WhyArrays.v lib/coq/WhyInt.vo
lib/coq/WhyArraysFMap.vo lib/coq/WhyArraysFMap.glob lib/coq/WhyArraysFMap.v.beautified: lib/coq/WhyArraysFMap.v lib/coq/WhyInt.vo
lib/coq/WhyBool.vo lib/coq/WhyBool.glob lib/coq/WhyBool.v.beautified: lib/coq/WhyBool.v
lib/coq/WhyCM.vo lib/coq/WhyCM.glob lib/coq/WhyCM.v.beautified: lib/coq/WhyCM.v lib/coq/WhyArrays.vo
lib/coq/WhyCoq8.vo lib/coq/WhyCoq8.glob lib/coq/WhyCoq8.v.beautified: lib/coq/WhyCoq8.v
lib/coq/WhyCoqCompat.vo lib/coq/WhyCoqCompat.glob lib/coq/WhyCoqCompat.v.beautified: lib/coq/WhyCoqCompat.v
lib/coq/WhyCoqDev.vo lib/coq/WhyCoqDev.glob lib/coq/WhyCoqDev.v.beautified: lib/coq/WhyCoqDev.v
lib/coq/WhyExn.vo lib/coq/WhyExn.glob lib/coq/WhyExn.v.beautified: lib/coq/WhyExn.v
lib/coq/WhyFloats.vo lib/coq/WhyFloats.glob lib/coq/WhyFloats.v.beautified: lib/coq/WhyFloats.v
lib/coq/WhyFloatsStrict.vo lib/coq/WhyFloatsStrict.glob lib/coq/WhyFloatsStrict.v.beautified: lib/coq/WhyFloatsStrict.v lib/coq/WhyFloats.vo
lib/coq/WhyFloatsStrictLegacy.vo lib/coq/WhyFloatsStrictLegacy.glob lib/coq/WhyFloatsStrictLegacy.v.beautified: lib/coq/WhyFloatsStrictLegacy.v
lib/coq/WhyInt.vo lib/coq/WhyInt.glob lib/coq/WhyInt.v.beautified: lib/coq/WhyInt.v
lib/coq/WhyLemmas.vo lib/coq/WhyLemmas.glob lib/coq/WhyLemmas.v.beautified: lib/coq/WhyLemmas.v lib/coq/WhyInt.vo lib/coq/WhyTuples.vo
lib/coq/WhyNTMonad.vo lib/coq/WhyNTMonad.glob lib/coq/WhyNTMonad.v.beautified: lib/coq/WhyNTMonad.v
lib/coq/WhyPermut.vo lib/coq/WhyPermut.glob lib/coq/WhyPermut.v.beautified: lib/coq/WhyPermut.v lib/coq/WhyArrays.vo
lib/coq/WhyPrelude.vo lib/coq/WhyPrelude.glob lib/coq/WhyPrelude.v.beautified: lib/coq/WhyPrelude.v lib/coq/WhyCoqCompat.vo lib/coq/WhyTuples.vo lib/coq/WhyInt.vo lib/coq/WhyBool.vo lib/coq/WhyArrays.vo lib/coq/WhyPermut.vo lib/coq/WhySorted.vo lib/coq/WhyTactics.vo lib/coq/WhyExn.vo lib/coq/WhyLemmas.vo
lib/coq/WhyReal.vo lib/coq/WhyReal.glob lib/coq/WhyReal.v.beautified: lib/coq/WhyReal.v lib/coq/Why.vo
lib/coq/WhySorted.vo lib/coq/WhySorted.glob lib/coq/WhySorted.v.beautified: lib/coq/WhySorted.v lib/coq/WhyArrays.vo lib/coq/WhyPermut.vo
lib/coq/WhyTactics.vo lib/coq/WhyTactics.glob lib/coq/WhyTactics.v.beautified: lib/coq/WhyTactics.v lib/coq/WhyArrays.vo lib/coq/WhyPermut.vo
lib/coq/WhyTuples.vo lib/coq/WhyTuples.glob lib/coq/WhyTuples.v.beautified: lib/coq/WhyTuples.v
lib/coq/caduceus_lists.vo lib/coq/caduceus_lists.glob lib/coq/caduceus_lists.v.beautified: lib/coq/caduceus_lists.v lib/coq/Why.vo lib/coq/caduceus_why.vo
lib/coq/caduceus_tactics.vo lib/coq/caduceus_tactics.glob lib/coq/caduceus_tactics.v.beautified: lib/coq/caduceus_tactics.v lib/coq/caduceus_why.vo
lib/coq/caduceus_why.vo lib/coq/caduceus_why.glob lib/coq/caduceus_why.v.beautified: lib/coq/caduceus_why.v lib/coq/Why.vo
lib/coq/jessie_why.vo lib/coq/jessie_why.glob lib/coq/jessie_why.v.beautified: lib/coq/jessie_why.v lib/coq/Why.vo
lib/coq-v7/Why.vo lib/coq-v7/Why.glob lib/coq-v7/Why.v.beautified: lib/coq-v7/Why.v lib/coq-v7/WhyCoqCompat.vo lib/coq-v7/WhyTuples.vo lib/coq-v7/WhyInt.vo lib/coq-v7/WhyBool.vo lib/coq-v7/WhyArrays.vo lib/coq-v7/WhyPermut.vo lib/coq-v7/WhySorted.vo lib/coq-v7/WhyTactics.vo lib/coq-v7/WhyExn.vo lib/coq-v7/WhyLemmas.vo lib/coq-v7/WhyCM.vo
lib/coq-v7/WhyArrays.vo lib/coq-v7/WhyArrays.glob lib/coq-v7/WhyArrays.v.beautified: lib/coq-v7/WhyArrays.v lib/coq-v7/WhyInt.vo
lib/coq-v7/WhyBool.vo lib/coq-v7/WhyBool.glob lib/coq-v7/WhyBool.v.beautified: lib/coq-v7/WhyBool.v lib/coq-v7/WhyCoqCompat.vo
lib/coq-v7/WhyCM.vo lib/coq-v7/WhyCM.glob lib/coq-v7/WhyCM.v.beautified: lib/coq-v7/WhyCM.v lib/coq-v7/WhyArrays.vo
lib/coq-v7/WhyCoq73.vo lib/coq-v7/WhyCoq73.glob lib/coq-v7/WhyCoq73.v.beautified: lib/coq-v7/WhyCoq73.v
lib/coq-v7/WhyCoqCompat.vo lib/coq-v7/WhyCoqCompat.glob lib/coq-v7/WhyCoqCompat.v.beautified: lib/coq-v7/WhyCoqCompat.v
lib/coq-v7/WhyCoqDev.vo lib/coq-v7/WhyCoqDev.glob lib/coq-v7/WhyCoqDev.v.beautified: lib/coq-v7/WhyCoqDev.v
lib/coq-v7/WhyExn.vo lib/coq-v7/WhyExn.glob lib/coq-v7/WhyExn.v.beautified: lib/coq-v7/WhyExn.v
lib/coq-v7/WhyInt.vo lib/coq-v7/WhyInt.glob lib/coq-v7/WhyInt.v.beautified: lib/coq-v7/WhyInt.v
lib/coq-v7/WhyLemmas.vo lib/coq-v7/WhyLemmas.glob lib/coq-v7/WhyLemmas.v.beautified: lib/coq-v7/WhyLemmas.v lib/coq-v7/WhyInt.vo lib/coq-v7/WhyTuples.vo
lib/coq-v7/WhyPermut.vo lib/coq-v7/WhyPermut.glob lib/coq-v7/WhyPermut.v.beautified: lib/coq-v7/WhyPermut.v lib/coq-v7/WhyArrays.vo
lib/coq-v7/WhyReal.vo lib/coq-v7/WhyReal.glob lib/coq-v7/WhyReal.v.beautified: lib/coq-v7/WhyReal.v lib/coq-v7/Why.vo
lib/coq-v7/WhySorted.vo lib/coq-v7/WhySorted.glob lib/coq-v7/WhySorted.v.beautified: lib/coq-v7/WhySorted.v lib/coq-v7/WhyArrays.vo lib/coq-v7/WhyPermut.vo
lib/coq-v7/WhyTactics.vo lib/coq-v7/WhyTactics.glob lib/coq-v7/WhyTactics.v.beautified: lib/coq-v7/WhyTactics.v lib/coq-v7/WhyArrays.vo lib/coq-v7/WhyPermut.vo
lib/coq-v7/WhyTuples.vo lib/coq-v7/WhyTuples.glob lib/coq-v7/WhyTuples.v.beautified: lib/coq-v7/WhyTuples.v
lib/coq-v7/caduceus_tactics.vo lib/coq-v7/caduceus_tactics.glob lib/coq-v7/caduceus_tactics.v.beautified: lib/coq-v7/caduceus_tactics.v
lib/coq-v7/caduceus_why.vo lib/coq-v7/caduceus_why.glob lib/coq-v7/caduceus_why.v.beautified: lib/coq-v7/caduceus_why.v lib/coq-v7/Why.vo lib/coq-v7/WhyReal.vo
why-2.39/Version0000644000106100004300000000004713147234006012602 0ustar  marchevals# Jessie/Krakatoa version
VERSION=2.39
why-2.39/CHANGES0000644000106100004300000010451413147234006012231 0ustar  marchevalsversion 2.39, Aug 22, 2017
===========================

  o [Frama-C plugin] Compatible with release Phosphorus (a.k.a. 20170501)
  o [bug fix] detection of Frama-C version at configure phase
  o [bug fix] support for floating-point rounding modes Up, NearestAway
    and ToZero

version 2.38, Mar 26, 2017
===========================

  o [Frama-C plugin] Compatible with release Silicon (a.k.a. 20161101)
  0 compatibility with OCaml 4.04

version 2.37, Mar 23, 2017
===========================

  o [Frama-C plugin] Compatible with release Aluminium (a.k.a. 20160502)
    of Frama-C
  o compatibility with Why3 from 0.86.1 to 0.87.3

version 2.36, July 22, 2016
===========================

  o [Frama-C plugin] Compatible with release Magnesium of Frama-C
  o compatibility with Why3 0.86.1 and above
  o new options to directly give the Why3 command to execute on the
    generated intermediate Why3 code:
    [Krakatoa] option -why3
    [Jessie] option -why3cmd
    [Frama-C plugin] option -jessie-why3
  o [Frama-C plugin] options -jessie-timelimit, -jessie-atp discarded

version 2.35, March 25, 2015
============================

  o Discarded support of commands 'why' and 'gwhy'. Only 'jessie' and
    'krakatoa' are available, and Why3 is not optional anymore.
  o Compilation with ocaml 4.02.1
  o [Jessie/Frama-C plugin] support for ACSL builtins \floor and \ceil
  o [Frama-C plugin] Compatible with release Sodium of Frama-C
  o [Jessie] Synchronized with Why3 >= 0.84

version 2.34, March 16, 2014
============================

  o [Jessie/Frama-C plugin] Compatible with release Neon of Frama-C
  o [Jessie] Fixed some issues with labels (partly contributed by
    Mikhail Mandrykin)
  o [Jessie] Fixed various issues with Why3 output (contributed by
    Mikhail Mandrykin)
  o [Krakatoa] Fixed a bug in the order of logic definitions
  o [Jessie] Synchronized with Why3 0.83, to benefit from all Why3
    recent improvements, in particular regarding efficiency, both in
    term of execution time and memory comsumption.

version 2.33, April 20, 2013
============================

  o [Jessie/Frama-C plugin] Compatible with release Fluorine of Frama-C

version 2.32, Mar 27, 2013
==========================

  o [Jessie/Why3ML output] Compatible with release 0.81 of Why3
  o [Jessie/Frama-C plugin] support for "allocates" clause in contracts
  o [Jessie/Frama-C plugin] support for built-in construct \fresh
  o [Jessie/Frama-C plugin] support for ACSL model fields
  o [Jessie memory model] added an axiom for sub_pointer
  o [Jessie memory model] fixed bug in Why3 version (free_parameter)
    see Frama-C BTS 1251
  o [Jessie/Frama-C plugin] added new -jessie-atp=why3replay to replay
    Why3 proofs
  o [Jessie] fixed Frama-C BTS 1265

version 2.31, Jul 19, 2011
==========================

  o [Jessie/Why3ML output] Compatible with release 0.73 of Why3
  o [Jessie/Why3ML output] Fixed bug with translation of the if
    expression, which expect a prop in Why3, instead of a term
  o [Jessie and Krakatoa] support for "allocates" clause in contracts
  o [Jessie and Krakatoa] support for built-in construct \fresh
  o [Jessie/Why3ML output] avoid Why3 keywords, fixed Frama-C BTS 1004
  o new option -extra-switch for why-dp (pass additional option to prover)

version 2.30, Oct 24, 2011
=========================
  o [Jessie and Krakatoa] manuals have been extensively updated to
    adopt the Why3 back-ends
  o [Jessie/Frama-C plugin] the default back-end is now to call Why3
    VC generator, and then the Why3 IDE. The former behavior can be
    obtained using option -jessie-atp=gui
  o [Krakatoa] new option -gen-only whichs stops after generation of
    jessie file. The default is now to start jessie and then Why3 IDE.
    the old usage "gwhy file.java" continues to use the Why2 backend.
  o [Krakatoa/Jessie/Frama-C plugin] fixed traceability issues
  o [Krakatoa/Jessie/Frama-C plugin] new backend using Why3 VC generator
  o [Jessie] add extensionality axiom to integer range type. allows to
    prove valid properties that were unprovable before.
  o [Caduceus] support discontinued, not distributed anymore
  o [Why3 output] support for syntax changes of Why3 0.70
  o [Why3 output] better explanations
  o [Why] fix encoding to multi-sorted logic with finite type
  o [Why] option -default-locs
  o [Why] added support for Vampire (based on simplify output)
  o [Why] option --delete-old-vcs erases previous files when using
    --multi-why or --multi-altergo
  o [Why] option --multi-altergo outputs VCs in separate files, like
    --multi-why but in Alt-Ergo's syntax instead of the general Why's
    syntax (e.g. algebraic types are encoded for Alt-Ergo)
  o [Jessie] fixed bug with region analysis, case of pointer
    comparison in annotations. fixes Frama-C BTS 0814
  o [Krakatoa] fixed a problem with scope of labels
  o [Krakatoa] fixed support for string constants
  o [Jessie] order of lemmas now kept the same as in the input. Fixes
    Frama-C BTS 0024
  o [Why lib] completed axiomatization of floats

version 2.29, Mar 1, 2011
=========================

  o [Krakatoa] Documentation: many errors fixed
  o [Jessie] plugin synchronized with Frama-C Carbon stable
  o [Why] fixed typing for division in programs
  o [Why] accepts "lemma" has keyword in input. outputs them accordingly
    for provers
  o [Why] Why3 output: avoids Why3 keywords
  o [Why] improved Gappa output

version 2.28, Dec 17, 2010
==========================

  o [Why] support for Coq 8.3
  o [Why] support for Alt-Ergo 0.92.2
  o [Coq output] removed dependencies on Float and Gappa libraries,
    added dependency on Flocq library
  o [Jessie] emit a warning when generating a dummy variant for
    recursive functions and loops (Frama-C bug 512)
  o [Jessie] preliminary support for \at in region computation
  o [Why] added --smtlib-v1 option (default smtlib format is v2.0)
  o [Why] added support for verit prover
  o [Why] improved support for integer division (better triggers)

version 2.27, Oct 14, 2010
==========================

  o [Why] fixed compilation with Ocaml 3.12
  o [Why] support for Alt-Ergo 0.92.1
  o [Why] fixed compilation with Ocaml 3.12
  o [Why] emacs mode distributed and installed
  o [Why] fixed bug 10851: wrong Coq output for if then else
  o [Why] distinction between computer division and math division
    Fixes Frama-C BTS 0539
  o [Why] added support for Why3 output syntax
  o [Jessie] improved translation of successive assignments on
    the same memory block. As a side effect, translation of
    array initializers from C is much better for provers.
    Fixes Frama-C BTS0377 feature request
  o [Jessie] disabled the experimental support for unions and pointer casts,
    since it is too buggy for public release
  o [Jessie] fixed bug with division by zero in expressions evaluated at
    compile-time (fixes Frama-C BTS0473)
  o [Krakatoa] error message when a comment starts with /*(extra space)@
  o [WhyConfig] bug fix when detecting a prover which was removed

version 2.26, May 10, 2010
==========================

  o [Why] fixed detection of Alt-Ergo
  o [GWhy] fixed some assert failure raised when .gwhyrc is absent
  o [Why] fixed mistakes with files extensions, which were introduced
    by the former fix for GWhy temporary files

version 2.24, April 19, 2010
============================

  o [Frama-C plugin] synchronized with Frama-C Boron 20100412
  o [Gwhy] better handling of temporary files
  o [Jessie] fixed bug 0443 (assigns \nothing and separation analysis)
  o [Jessie] fixed bug with assertions attached to behaviors
  o [Why] support for truncate_real_to_int in Gappa output
  o [Frama-C plugin] logic functions do not accept struct or union as
    parameters
  o [Jessie, Frama-C plugin] make the right difference between
    "reads \nothing" and no reads clause at all
  o [Jessie, Frama-C plugin] the "defensive" model for floating-point
    computations is now the default
  o [Jessie] fixed bug 0370: missing coercion on decreasing measures
  o [Jessie] support for "let x = t in a" when a is an assertion
  o [Frama-C plugin] support for statement contracts, fixes bug 0399
  o [Jessie] fixed bugs 0391 and 0401 (avoid name clash with axiom
    names and inductive case names)
  o [Jessie/Krakatoa/Frama-C plugin] fixed bug with labels inside \old
    and \at.  Moreover, label Pre is now allowed in function
    contracts, as specified in ACSL.
  o [Why] improved detection of external provers
  o [Frama-C plugin] option "-jessie-adhoc-normalization" triggers a code
    normalization suited for jessie without launching the analysis
    (fixes bts 332)
  o [Why] option "-output -" outputs the generated files (.why,
    .smt, .mlw) on stdout
  o [Why-dp] with the option "-simple" output only one line by goal
  o [Why-dp] option "-timeout 0" disables the time limit.
  o [Why-dp] option "-prover" allows to select the prover to use
    independently from the extension
  o [Why-dp] reads the file to send to the prover from stdin if no
    files are provided. In that case the option "-prover" is mandatory.
  o [Jessie] interpretation of floating-point parameters does not forget
    anymore the format of origin, which then provides proper bounds for them.
  o [Frama-C plugin] bts 0361 fixed: free allows NULL as argument
  o [PVS output] fixed problems with idents starting with underscore
  o [Krakatoa & Frama-C plugin] new pragma TerminationPolicy to allow
    the user to prevent generation of VCs for termination

version 2.23, December 4, 2009
==============================

  o [Why] fixed bug with let construct in logic
  o [Simplify output] fixed bug with function definitions
  o [GWhy] VC explanation when using --fast-wp option

version 2.22, November 30, 2009
===============================

  o [Jessie] fixed bug when return type is a logic type
  o [Krakatoa] fixed bug with final fields
  o [Frama-C plugin] fixed bug 0341
  o [Frama-C plugin] fixed bug 0034
  o [GWhy] Fixed pb default prover selection (BTS Frama-C 0037)
  o [Jessie] fixed problem with axiomatization of address operator
  o [Jessie/Krakatoa/Frama-C plugin] support for the 'for' modifier in
    decreases clauses and loop variants
  o [Alt-Ergo output] avoid empty list of arguments
  o [GWhy] added alternative "boomy" icon set
  o [Alt-Ergo+Simplify output] well_founded() translated by false
    instead of true, for soundness
  o [Jessie/Krakatoa/Frama-C plugin] support for decreases clauses,
    even for mutually recursive functions
  o [Frama-C plugin] bug fix 0284
  o [Frama-C plugin] support for "complete behaviors" and "disjoint
    behaviors" clauses. fixes bug 0026.
  o [Jessie][Frama-C] bug fix: 0103. Loops without variant are given a
      default unprovable variant.
  o [Frama-C plugin] bug fix: 0112 (partially fixes bts0039 and bts0080)
  o [Frama-C plugin] bug fix: 0306
  o [Frama-C plugin] bugs closed: 0041, 0063, 0073, 0094, 0102, 0199, 0273
  o [Jessie] Polymorphic logic types added (use < >)

version 2.21, October 15, 2009
==============================

  o [GWhy] Fixed 'Not_found' exception if .whyrc absent
  o [Frama-C plugin] Fixed installation problems.
  o [Frama-C plugin] predicates for finiteness of floats (\is_finite,
    \is_infinite, etc.) do not fail in mode JessieFloatModel(real) but
    give the expected truth value.
  o [Jessie] do not fail anymore on pointer casts over floats or reals.
    Fixes bug 273 of Frama-C BTS

version 2.20, October 2nd, 2009
===============================

  o [Jessie][Frama-C] Integration of the Jessie plugin for Frama-C
    Compatible with Frama-C release Beryllium 2 (20090902)
  o [Why][Jessie] add a new assertion check which is used like assert.
    It try to prove the assertion but do not use it as hypothesis.
  o [Why] fixed some bugs with Coq output
  o [GWhy] new column gappa+hypotheses selection

version 2.19, June 23rd, 2009
=============================

  o This version is synchronized with Frama-C Beryllium beta 1 200906xx
    (http://frama-c.cea.fr/)
  o [Jessie] support for label 'Post' in assigns clauses
  o [Jessie] support for loop_assigns clauses
  o [Why] added a let/in construct in logic (let x = term in term /
    let x = term in predicate)
  o [Krakatoa/Jessie] "reads" clauses on logic functions and
    predicates, which disappeared in version 2.16, have been
    resurected. Beware that the semantics is slightly different from
    Caduceus one: it has to precisely give the memory footprint of the
    function, and not only an under-approximation. It is use to
    automatically generate footprint axioms.
  o [GWhy] improved prover column configuration, improved config saving
    incompatibility warning: old .gwhyrc files will be ignored and overwritten
  o [Why] deprecated options -no-prelude, -no-arrays, -fp
  o [Why] new declaration [include "file"] in Why input language
  o [Why] prelude is split into smaller files: bool.why integer.why
    real.why
  o [Jessie] added several builtin functions on reals:
    \exp, \log, \cos, \sin, etc.
  o [Why] added several functions on reals in prelude:
    exp, log, cos, sin, etc. (see prelude.why)
  o [Jessie] syntax change for loops: can have behaviors with assigns clauses
  o [Why] fixed typing bug with polymorphic function symbols and comparisons
  o [GWhy] new column for Gappa prover (http://lipforge.ens-lyon.fr/www/gappa/)
  o [Coq output] improved output of -e when e is an integer constant
  o [Jessie] fix incompleteness bug with "assigns \nothing" clauses
  o [GWhy] columns can be added/removed interactively

version 2.18, January 22th, 2009
================================

  o Jessie: bug fix related to assignment to the null pointer
  o Krakatoa: several bug fixes related to constructors (class invariant
    not anymore assumed true at entrance, object fields initialized to
    their default values)
  o Krakatoa/Jessie: support for "for" sections (associated to various
    behaviors) in code annotations (assert and loop invariants).
    See e.g tests/java/BinarySearch.java
  o Caduceus: fixed 'pvs' target in generated makefile
  o Why: min and max functions in the prelude, with appropriate
    axiomatization

version 2.17, December 17th, 2008
================================

  o This version is synchronized with Frama-C Lithium 20081201
    (http://frama-c.cea.fr/)
  o why-cpulimit: specific implementation for Cygwin (contributed by
    Dillon Pariente)
  o jessie: bug fix: inductive predicates and multiple labels
  o jessie: new support for floating-point computations
  o krakatoa/jessie: bug fix: axiomatic and multiple labels
  o New prover column in GWhy for Alt-Ergo with selection of hypotheses
    (see option -select of Alt-Ergo)

version 2.16, October 29th, 2008
================================

  o This version is synchronized with Frama-C Lithium beta 1
    (http://frama-c.cea.fr/)
  o GWhy: improved display of VCs
  o Krakatoa/Jessie: changed syntax for axiomatic definitions. 'reads'
    clauses are now obsolete.
  o Krakatoa/Jessie: support for inductive definitions
  o Why: Improved support for inductive definitions. For automatic provers,
    an inversion axiom is generated.
  o New option -alt-ergo to output VCs in Alt-Ergo syntax. Beware that
    because of inductive definition, -alt-ergo is now different from
    -why output: inductive definitions are expansed.
  o License changed to GNU LGPL 2, with a special exception on
    linking (see enclosed file LICENSE)

version 2.15, September 9th, 2008
=================================

  o Why: preliminary support for inductive definitions
  o Krakatoa/Jessie: new syntax for axiomatic definitions
  o Coq support for floats requires Coq version 8.1 at least
  o Jessie bug fix: 'simplify' entry of the generated makefile was ignoring
    prelude axioms

version 2.14, July 28th, 2008
=============================
  o tools `dp' and `cpulimit' renamed into `why-dp' and `why-cpulimit'
  o krakatoa/jessie: preliminary support for statement contracts
  o krakatoa/jessie/why: new builtin logic symbols \int_max, \int_min,
    \real_max, \real_min
  o Zenon: fixed syntax for Zenon 0.5.0 (missing $hyp)
  o WP: no more duplication of VCs when operators &&, || and not are
    applied to pure boolean expressions; command line option
    -split-bool-op to revert to the old behavior
  o krakatoa: loop annotations: 'decreases' keyword replaced by 'loop_variant'
  o WP: universal quantification forall b:bool. P(b) no more turned
    into P(true) and P(false) when there is a possible size increasing
  o SMT-lib output: fixed bug with variants (when -split-user-conj
    not set); predicate zwf_zero added to prelude.why
  o SMT-lib output: fixed bug with if_then_else
  o krakatoa/jessie: support for ( ? : ) operator in terms and propositions
  o configuration: detection of Alt-ergo executable name (ergo/alt-ergo)
  o jessie/why: reorganization of PVS output
  o krakatoa/jessie: version number, and CHANGES files are now those of why
  o krakatoa/jessie: added support for bitwise operator on booleans
  o krakatoa/jessie/why/provers: better support of real numbers
  o CVC3: no more options +arith-new +quant-polarity -quant-new
  o fixed HOL4 output; contribution by Vladimir Timashov
    (vladimir.timashov@gmail.com)
  o gwhy: fixed efficiency issue with large comments
  o jessie: fixed coq entry in jessie-generated makefile
  o why typing safely fails when duplicate parameter names in
    logic definitions

version 2.13, May 27th, 2008
============================

  o krakatoa: bug fix: method lookup in class Object
  o krakatoa: if possible, avoid failure in constant expression evaluation
  o gwhy: better support of non-ascii input characters in GWhy
  o fixed parsing of float constants with exponents

version 2.12, May 23rd, 2008
============================

  o krakatoa: assigns clause now correctly typed in the post-state
  o krakatoa: array ranges in assigns clause: now correctly parse [..], [..n] and [n..]
  o krakatoa: support for model fields (in interfaces)
  o krakatoa: support for user-defined logic types
  o krakatoa: partial support for Strings
  o fixed typing bug with polymorphic logic constants/functions used
    in programs (resulted in bugs in -encoding sstrat)

version 2.11, March 17th, 2008
==============================

  o krakatoa: documentation is now is reasonable shape, although still incomplete
  o krakatoa: loop annotations: having an invariant but no decreases clause is allowed
  o krakatoa: bug fix: value axiom for logic constants
  o krakatoa: many improvements in generation of memory safety VCs
  o fixed bug with --prune-hyp

version 2.10b, January 31st, 2008
=================================

  o krakatoa: first release officially replacing version 0.67
  o CVC3: now called with options +arith-new +quant-polarity -quant-new
    (requires version 1.2.1)
  o SMT-lib output: fixed bug with reals
  o gwhy: benchmark (Ctrl-B) does not verify all functions in parallel anymore

version 2.10a, January 14th, 2008
=================================
  o configuration: fixed detection of ocamldep when ocamldep.opt is
    not installed / fixed detection of local ocamlgraph

version 2.10, December 20th, 2007
=================================
  o the Krakatoa front-end for Java programs is now distributed with Why
  o dp: new option -smt-solver to set the SMT solver (Yices, Z3, CVC3)
  o new option --fast-wp to use quadratic WP algorithm
  o localization of VC wrt source code (options --locs and --explain) and
    visualization in gwhy
  o gwhy: added prover Z3 (http://research.microsoft.com/projects/z3/)
  o SMT-lib output: integer division (/) is now translated into an
    uninterpreted function symbol div_int
  o simplify2why: fixed bugs

version 2.04, August 2nd, 2007
==============================
  o gwhy: Ctrl-B successively tries all provers on all proof obligations
  o new option -load-file to read an input file without generating
    output for the prover
  o new prover interface Graph which iteratively allows to select more
    and more hypotheses and to discharge POs in Simplify
  o new option -prune-hyp to select relevant hypotheses in the goal
  o fixed Isabelle output (contribution by Yasuhiko Minamide)

version 2.03, April 20th, 2007
==============================
  o fixed PVS output
  o gwhy: added prover CVC3 (http://www.cs.nyu.edu/acsys/cvc3/)
  o fixed bug with polymorphic exceptions (not accepted anymore)
  o fixed bug in generalization test
  o Coq output: renaming of Coq's reserved keywords

version 2.02, February 23rd, 2007
=================================
  o new tool why-stat to display statistics regarding symbols used in goals
  o new options -why and -multi-why to get verification conditions in
    Why syntax (useful when computing VCs takes much time)
  o gwhy: font size can be changed dynamically using Ctrl-+ and Ctrl--
  o WP: the invariant at loop entry does not appear anymore in the
    verification condition related to the invariant preservation
  o option -no-simplify-triggers changed to -simplify-triggers,
    defaulting to false, because Caduceus bench shows it is good in
    general, and moreover generated triggers with Krakatoa and jessie
    make Simplify fail
  o Simplify output: fixed bug with leading underscores in identifiers
  o compatibility with Coq development version (ring syntax has changed)
  o option --encoding sstrat automatically added when --smtlib or
    --cvcl is selected and no encoding specified
  o new option --exp to expand the predicate definitions
  o Coq output: the command "Implicit Arguments id" is automatically
    inserted for polymorphic symbols

version 2.01, November 29th, 2006
=================================
  o new predicate distinct(t1,t2,...,tn) with n terms of the same type
    mapped to the primitive DISTINCT in Simplify and SMTlib outputs,
    expanded for other provers
  o fixed bug in CVC Lite output (BOOLEAN now reserved for predicates;
    new type BOOL introduced for term booleans)
  o dp now displays times for searching proofs
  o no using anymore the external command 'timeout', but use our own
    command 'cpulimit' for the same purpose. Time limit is now user
    CPU time instead of wall clock time.
  o fixed bugs in smtlib output: all variables are "?" prefixed,
    brackets around constants are removed,
    validity question is turned into a sat question,
    Boolean sort with Boolean_false and  Boolean_true constants
    are introduced,
    Unit sort is introduced
  o fixed bugs into the harvey (rv-fol) output (principally the
    command lines)
  o triggers added to axioms of the caduceus model

version 2.00, June 12th, 2006
=============================
  o quantifiers triggers can be given with the following syntax
       forall x,y:int [f(x),g(y) | h(x,y)]. p(x,y)
    currently, the triggers are only meaningful for the Simplify prover
  o new encodings of Why logic into first-order monosorted logic for
    untyped provers (like Simplify or Zenon) : there are three
    possible encodings that can be selected through the command
    line --encoding option
  o better naming of type variables in Coq output (A1, A2,
    etc. instead of A718, etc.)
  o fixed bugs with polymorphic logic constants used in programs
  o a missing function postcondition is now given the default value
    "true" (and a warning is emitted for local functions)
  o Zenon output (--zenon option); see focal.inria.fr/zenon
  o new option --split-user-conj to split user conjunctions in goals
    (resulting in more numerous proof obligations)
  o Mizar output updated for Mizar 7.6.01
  o new behavior w.r.t. termination proofs: variants can be omitted in
    loops and recursive functions; new command line options --partial
    and --total to specify respectively partial correctness
    (i.e. variants are not considered even when present) or total
    correctness (i.e. variants are mandatory)
  o fixed bug with polymorphic parameters that should not be generalized
  o new construct "e {{ Q }}" (opaque sub-expression)
  o new construct "assert {P}; e"
  o any logic term can be used in programs
  o types must be declared (new declaration "type foo")
  o fixed bug with missing exceptional postconditions (false in now
    inserted and a warning is emitted)
  o array types now accepted in logic/predicate arguments
  o --coq now selects the Coq version determined at compiled time

version 1.82, September 1st, 2005
=================================
  o fixed variable capture issue in haRVey output
  o fixed bugs in Isabelle output (Yasuhiko Minamide)
  o support for declaration "function" with Isabelle/CVC/harvey/PVS
  o new declaration "goal" to declare a proof obligation
    e.g. goal foo : forall x:int. x = x+0

version 1.81, June 20th, 2005
=============================
  o support for CVC Lite syntax 2.0.0, old syntax not supported anymore
  o support for haRVey 0.5.6
  o a predicate label can be a string (e.g. :"bla bla":pred)
  o a missing exceptional postcondition is now given the default value "false"
    instead of "true" (i.e. the corresponding exception cannot be raised)
  o new declaration "function" to define a logic function
    e.g. function f(x:int, y:int) : int = x+y

version 1.80, June 3rd, 2005
============================
  o Isabelle/HOL output (--isabelle option) contribution by Yasuhiko Minamide
  o HOL 4 output (--hol4 option) contribution by Seungkeol Choe
  o SMT-LIB format output (--smtlib option)

version 1.75, March 15th, 2005
==============================
  o fixed installation issue with Coq 8.0pl2
  o new option -where to print Why's library path

version 1.71, February 3rd, 2005
================================
  o Simplify output: axioms are also printed with universal
    quantifiers moved inside as much as possible (forall x y, P x =>
    Q x y becomes forall x, P x => forall y, Q x y)

version 1.69, January 4th, 2005
===============================
  o labeled predicates with syntax ":id: predicate" and lowest precedence

version 1.64, October 13th, 2004
================================
  o Coq output now in V8 syntax when Coq V8 is detected at configuration

version 1.63, August 26th, 2004
===============================
  o WP completely redesigned: side-effects free expressions are now
    given an adequate specification, so that the WP calculus does not
    enter them. It results in significantly simpler proof obligations.
  o new tool `dp' to call decision procedures Simplify and CVC Lite
    (calls the DP once for each goal with a timeout and displays stats)
  o CVC Lite output (option --cvcl; see http://chicory.stanford.edu/CVCL/)
  o Coq: parameters no more generated when -valid is not set
  o PVS: support for Why polymorphic symbols and/or axioms

version 1.62, June 24th, 2004
=============================
  o new option --all-vc to get all verification conditions (no more
    automatic discharging of the most trivial conditions)

version 1.61, May 27th, 2004
============================
  o Simplify output: do not fail on floats anymore (now uninterpreted symbols)
  o added primitive int_of_real: real -> int (in both logic and programs)

version 1.60, May 18th, 2004
============================
  o fixed WP for while loops (may break Coq proofs)
  o new connective <->

version 1.55, May 3rd, 2004
===========================
  o type `float' is renamed into `real'
  o absurd and raise now polymorphic

version 1.51, April 6th, 2004
=============================
  o Simplify typing constraints only with --simplify-typing option
  o fixed bug in automatic annotation of x := e when e has a postcondition

version 1.50, March 26th, 2004
==============================
  o first release of Caduceus
  o added ``typing'' contraints in Simplify output (using predicates ISxxx)
  o new declaration "predicate" to define a predicate
  o new option --dir to output files into a given directory

version 1.42, March 16th, 2004
==============================
  o new option --pvs-preamble
  o change in syntax: "external" is now a modifier for "parameter" and
    "logic" (see the manual for explainations); to be conservative,
    the following substitutions have to be made:
       "external" -> "external parameter"
       "logic"    -> "external logic"
  o new command "axiom  : " to declare an axiom

version 1.40, December 19th, 2003
================================
  o disabled C support: C is now supported by an external tool, Caduceus
    (to be released soon with Why)
  o support for polymorphism (contribution by C. Marché)
  o syntax of haRVey output now uses integer constants, predefined
    arithmetic operators, and does not change capitalization of
    variables, to be conform with the syntax of the next version of
    haRVey (presumably 0.4)
    Also added option --no-harvey-prelude

version 1.32
============
  o output for Coq version 8 with --coq-v8
    (--coq is now equivalent to --coq-v7, and is still the default output)
    examples in V7 syntax now in examples-v7/ and in V8 syntax in examples/
  o Mizar output (with option --mizar)
    Mizar article in lib/mizar/why.miz (installed by "make install")

version 1.3, September 17th, 2003
=================================
  o new tool why2html to convert Why input files to HTML
  o Simplify output (with option --simplify)
  o fixed bug with WP of constants false/true (simplification added)
  o better automatic annotation of tests (in particular || and && are given
    postconditions whenever possible)

version 1.22, June 21th, 2003
=============================
  o fixed lost of annotation in C function calls
  o C: /*W external/parameter ...*/ correctly added to C environment
  o Coq: added Hints Unfold Zwf
  o (almost) conservative change in renaming strategy; a reference x1 is now
    renamed into x1 x1_0 x1_1 etc. instead of x1 x2 x3 etc.

version 1.2, May 12th, 2003
===========================
  o true used as default postcondition for exceptions instead of false
    (necessary for a correct translation of C programs)
  o C: fixed bug in translation from ints to booleans
  o better names given to local references in proof obligations
  o improved automatic proof (both completeness and performance)

version 1.10, April 4th, 2003
==============================
  o C: added label statement and alternate syntax /*@ label id */
  o fixed bug in ocaml code generation

version 1.08, March 28th, 2003
==============================
  o C: local variables can be uninitialized
  o examples: C programs for exact string matching (in string-matching)
  o fixed bug in WP (not collecting some intermediate assertions)
  o C: added statement /*@ assert p */
  o new construct "absurd" to denote unreachable code

version 1.07, March 25th, 2003
==============================
  o arbitrary side-effects now allowed in tests (if / while)
  o label "init" suppressed; new syntax label:expression to insert labels
  o syntax: logic may introduce several identifiers in a single declaration
  o linear proof search restricted to WP obligations
  o PVS: change in array type (warray) to get better TCCs
  o fixed ocaml output (array_length)

version 1.04, March 5th, 2003
=============================
  o C: logic declarations with syntax /*W ... */
  o improved automatic proof (thus less obligations)
  o validation in a separate file f_valid.v

version 1.02, February 7th, 2003
================================
  o PVS: fixed integer division and modulo, fixed output
  o haRVey: no more restriction to first-order obligations
  o Coq: the validation is now given a type
  o distinction between preconditions and obligations

version 1.0, January 31st, 2003
================================
  o syntax: pre- and postconditions brackets now come by pairs (but,
    inside, the predicates may be omitted)
  o fixed WP bug in a sequence of calls with before-after annotations
  o no more "pvs" declaration (the user can now edit the _why.pvs file)
  o fixed bug in type-checking of recursive functions with exceptions
  o fixed bug in loop tests automatic annotation;
    now a warning when a loop test cannot be given a postcondition
  o fixed bug in interpretation of @init
  o doc: C programs, Coq and PVS libraries documented
  o logic: if-then-else construct on terms
  o PVS: arrays defined in Why prelude and fixed pretty-print; installation

version 0.92, January 13th, 2003
================================
  o C: fixed bug in array/reference passing
  o fixed check for exceptions in external declarations
  o HOL Light output (with option --hol-light)
  o fixed compatibility with Coq 7.3
  o C: recursive functions, arrays, pointers

version 0.8, December 6th, 2002
===============================
  o haRVey output (option --harvey; see http://www.loria.fr/~ranise/haRVey/)
  o C input (incomplete: no arrays, no pointers, no recursive functions)
  o Coq: helper tactics (AccessSame, AccessOther, ...)
  o fixed bug in application typing
  o major change:
    arrays do not have a dependent type anymore; array_length introduced
  o Emacs mode for editing Why ML source (in lib/emacs)
  o automatic discharge of ...|-(well_founded (Zwf 0))
    and of ...,v=t,...,I and (Zwf 0 t' t),...|-(Zwf 0 t' v)
  o fixed bug in local recursive functions

version 0.72, November 12th, 2002
=================================
  o caml code generation with option --ocaml (beta test)
    (customized with --ocaml-annot, --ocaml-ext, --output)
  o quantifier "exists" added to the logic syntax
  o manual: added lexical conventions
  o examples: added maximum sort (by Sylvain Boulmé)
  o new feature: exceptions (beta test)

version 0.71, October 15th, 2002 (bug fix release)
================================
  o better WP for the if-then-else (when the test is annotated)
  o reference masking now forbidden
  o fixed bug in automatic annotations => some postconditions names may change
  o fixed Coq 7.3 compatibility module

version 0.7, October 2nd, 2002
==============================
  o Why library compatible with Coq 7.3 (released version) and with Coq
    development version (determined at configuration)
  o code ported to ocaml 3.06
  o examples: quicksort (2 versions)
  o more obligations automatically discharged
    (True  /  A and B |- A  /  A,B |- A and B)
  o Coq: fixed associativity in pretty-print for /\ and \/ (right)
    right associativity adopted in Why
  o fixed typing and Coq output for primitive float_of_int

version 0.6, July 19th, 2002
============================
  o examples: find
  o doc: predefined functions and predicates
  o floats: predefined functions and predicates, Coq pretty-print
  o fixed bug: x@ reference in a loop post-condition incorrectly translated
  o the variant relation is now necessarily an identifier
  o terms and predicates are now typed; new declaration "logic"
    (terms and predicates syntax are mixed; fixes a parsing bug)

version 0.5,  July 2nd, 2002
============================
  o first (beta) release

Local Variables:
mode: text
End:
why-2.39/doc/0000755000106100004300000000000013147234006011776 5ustar  marchevalswhy-2.39/doc/Makefile0000644000106100004300000000760613147234006013447 0ustar  marchevalsHEVEA=hevea -noiso -entities -exec xxdate.exe -fix

all: main.pdf manual.ps $(KFILES) krakatoa.pdf \
	sourcepp jessie.pdf krakatoa.html jessie.html \
	index.html

install: all
	cp krakatoa.pdf jessie.pdf krakatoa.html jessie.html \
		why_frama_c2-mps.png why_frama_c2.mps *.png \
		/users/www-perso/projets/krakatoa
	mkdir -p /users/www-perso/projets/krakatoa/jessie
	cp jessie/*.png /users/www-perso/projets/krakatoa/jessie
	cp index.html /users/www-perso/projets/krakatoa/index.html

index.html:: why_frama_c2-mps.png

%.html: %.prehtml
	yamlpp  $< -o $@

doc.dvi: doc.tex rules.tex macros.tex code.tex dep.ps

SRCFILES=../src/loc.mli ../src/logic.mli ../src/types.mli \
	 ../src/ptree.mli ../src/ltyping.mli ../src/ast.mli ../src/env.mli \
         ../src/typing.mli ../src/typing.ml ../src/wp.mli ../src/wp.ml \
	 ../src/monad.mli ../src/monad.ml ../src/mlize.mli ../src/mlize.ml

KFILES=Lesson1_max.pp \
	Lesson1_sqrt.pp Lesson1_sqrtbody.pp Lesson1_sqrtloopinv.pp \
	Lesson1_lemmas.pp Lesson1_pragma.pp Lesson1_sqrtdecr.pp \
	Arrays_findMax.pp Arrays_findMaxbody.pp \
	Arrays_findMax2.pp Arrays_shift.pp \
	Purse.pp Purse0.pp Purse_test1.pp Purse_test2.pp Purse2.pp \
	Purse_withdraw2.pp \
	Flag.pp Flag1.pp Flag_inv.pp Flag_isMonochrome.pp Flag_flag.pp \
	Flag_swap.pp Flag_body.pp \
	contracts.bnf lexpr.bnf \
	Gcd-nospec.pp Gcd-spec.pp Gcd.pp Gcd-lemmas.pp

# for jessie
SNIPPET=$(wildcard codes/*.c)
SNIPPETPP:=$(patsubst codes/%.c, texpp/%.cpp, $(SNIPPET))

sourcepp: $(SNIPPETPP) $(EXAMPLESPP)

why_frama_c1.mps: why_frama_c.ml
	mlpost -pdf -latex jessie.tex why_frama_c.ml

why_frama_c1-mps.pdf: why_frama_c1.mps
	mptopdf why_frama_c1.mps 

why_frama_c2.mps: why_frama_c.ml
	mlpost -pdf -latex jessie.tex why_frama_c.ml

why_frama_c2-mps.pdf: why_frama_c2.mps
	mptopdf why_frama_c2.mps 

# why_frama_c2-mps.png: why_frama_c2-mps.pdf
# 	pdftoppm -r 150 why_frama_c2-mps.pdf | pnmtopng -transparent white > why_frama_c2-mps.png

dep.ps:
	(cd ../src; ocamldep *.ml* | ocamldot | dot -Tps) > dep.ps

code.tex: $(SRCFILES)
	ocamlweb --no-preamble -o $@ $(SRCFILES)

logo-why.pdf: logos.tex
	pdflatex logos.tex

logo-why.png: logo-why.pdf
	pdftoppm logos.pdf | pnmcrop | pnmtopng > logowhy.png

logo-why-small.png:

manual.ps: manual.tex version.tex
	latex manual
	latex manual
	makeindex manual
	latex manual
	dvips manual.dvi -o manual.ps

manual.html: manual.tex version.tex
	rm -f manual.aux
	$(HEVEA) manual.tex

caduceus.ps: caduceus.tex version.tex
	latex caduceus
	bibtex caduceus
	makeindex caduceus
	latex caduceus
	latex caduceus
	dvips caduceus.dvi -o caduceus.ps

caduceus.html: caduceus.tex version.tex
	rm -f caduceus.aux
	$(HEVEA) caduceus.tex

krakatoa.pdf: $(KFILES) krakatoa.tex version.tex
	pdflatex krakatoa.tex
	bibtex krakatoa
	makeindex krakatoa
	pdflatex krakatoa.tex
	pdflatex krakatoa.tex

jessie.pdf: sourcepp jessie.tex version.tex
	pdflatex jessie.tex
	bibtex jessie
	makeindex jessie
	pdflatex jessie.tex
	pdflatex jessie.tex

february2008.pdf: $(KFILES) version.tex
	pdflatex february2008.tex

krakatoa.html: krakatoa.tex version.tex
	rm -f krakatoa.aux
	$(HEVEA) krakatoa.tex

jessie.html: jessie.tex version.tex
	rm -f jessie.aux
	$(HEVEA) jessie.tex

main.html: main.tex version.tex
	rm -f main.aux
	$(HEVEA) main.tex


main.pdf: main.tex version.tex
	pdflatex main.tex


%.pp: %.tex pp
	./pp $< > $@

%.pp: %.c pp
	./pp -c $< > $@

%.pp: %.java pp
	./pp -java $< > $@

texpp/%.cpp: codes/%.c pp  Makefile
	mkdir -p texpp
	./pp -c $< > $@

%.dvi: %.tex
	latex $< && latex $<

%.ps: %.dvi
	dvips -o $@ $<

%.eps: %.dia
	dia --filter=eps-builtin $^

%.pdf: %.eps
	epstopdf $^

%.tex: %.dia
	dia --filter=tex $^

%.png: %.dia
	dia --filter=png --size=2048,1536 $^

%.bnf: %.tex tex2bnf
	./tex2bnf < $< > $@

tex2bnf: tex2bnf.ml
	ocamlopt.opt -o $@ $^

pp: pp.ml
	ocamlopt.opt -o $@ $^

%.ml: %.mll
	ocamllex.opt $<

clean::
	rm -f *~ *.dvi *.log *.aux *.toc \
		dep.ps doc.ps manual.ps caduceus.ps krakatoa.pdf main.pdf 
	rm -f *.cm*


why-2.39/LICENSE0000644000106100004300000006342313147234006012246 0ustar  marchevalsThis software is distributed under the terms of the GNU Library General
Public License version 2 (included below). 

As a special exception to the GNU Library General Public License, you
may link, statically or dynamically, a "work that uses the Library"
with a publicly distributed version of the Library to produce an
executable file containing portions of the Library, and distribute
that executable file under terms of your choice, without any of the
additional requirements listed in clause 6 of the GNU Library General
Public License. By "a publicly distributed version of the Library", we
mean either the unmodified Library as distributed, or a
modified version of the Library that is distributed under the
conditions defined in clause 3 of the GNU Library General Public
License. This exception does not however invalidate any other reasons
why the executable file might be covered by the GNU Library General
Public License.  

======================================================================

                  GNU LIBRARY GENERAL PUBLIC LICENSE
                       Version 2, June 1991

 Copyright (C) 1991 Free Software Foundation, Inc.
 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
 Everyone is permitted to copy and distribute verbatim copies
 of this license document, but changing it is not allowed.

[This is the first released version of the library GPL.  It is
 numbered 2 because it goes with version 2 of the ordinary GPL.]

                            Preamble

  The licenses for most software are designed to take away your
freedom to share and change it.  By contrast, the GNU General Public
Licenses are intended to guarantee your freedom to share and change
free software--to make sure the software is free for all its users.

  This license, the Library General Public License, applies to some
specially designated Free Software Foundation software, and to any
other libraries whose authors decide to use it.  You can use it for
your libraries, too.

  When we speak of free software, we are referring to freedom, not
price.  Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.

  To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if
you distribute copies of the library, or if you modify it.

  For example, if you distribute copies of the library, whether gratis
or for a fee, you must give the recipients all the rights that we gave
you.  You must make sure that they, too, receive or can get the source
code.  If you link a program with the library, you must provide
complete object files to the recipients so that they can relink them
with the library, after making changes to the library and recompiling
it.  And you must show them these terms so they know their rights.

  Our method of protecting your rights has two steps: (1) copyright
the library, and (2) offer you this license which gives you legal
permission to copy, distribute and/or modify the library.

  Also, for each distributor's protection, we want to make certain
that everyone understands that there is no warranty for this free
library.  If the library is modified by someone else and passed on, we
want its recipients to know that what they have is not the original
version, so that any problems introduced by others will not reflect on
the original authors' reputations.

  Finally, any free program is threatened constantly by software
patents.  We wish to avoid the danger that companies distributing free
software will individually obtain patent licenses, thus in effect
transforming the program into proprietary software.  To prevent this,
we have made it clear that any patent must be licensed for everyone's
free use or not licensed at all.

  Most GNU software, including some libraries, is covered by the ordinary
GNU General Public License, which was designed for utility programs.  This
license, the GNU Library General Public License, applies to certain
designated libraries.  This license is quite different from the ordinary
one; be sure to read it in full, and don't assume that anything in it is
the same as in the ordinary license.

  The reason we have a separate public license for some libraries is that
they blur the distinction we usually make between modifying or adding to a
program and simply using it.  Linking a program with a library, without
changing the library, is in some sense simply using the library, and is
analogous to running a utility program or application program.  However, in
a textual and legal sense, the linked executable is a combined work, a
derivative of the original library, and the ordinary General Public License
treats it as such.

  Because of this blurred distinction, using the ordinary General
Public License for libraries did not effectively promote software
sharing, because most developers did not use the libraries.  We
concluded that weaker conditions might promote sharing better.

  However, unrestricted linking of non-free programs would deprive the
users of those programs of all benefit from the free status of the
libraries themselves.  This Library General Public License is intended to
permit developers of non-free programs to use free libraries, while
preserving your freedom as a user of such programs to change the free
libraries that are incorporated in them.  (We have not seen how to achieve
this as regards changes in header files, but we have achieved it as regards
changes in the actual functions of the Library.)  The hope is that this
will lead to faster development of free libraries.

  The precise terms and conditions for copying, distribution and
modification follow.  Pay close attention to the difference between a
"work based on the library" and a "work that uses the library".  The
former contains code derived from the library, while the latter only
works together with the library.

  Note that it is possible for a library to be covered by the ordinary
General Public License rather than by this special one.

                  GNU LIBRARY GENERAL PUBLIC LICENSE
   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

  0. This License Agreement applies to any software library which
contains a notice placed by the copyright holder or other authorized
party saying it may be distributed under the terms of this Library
General Public License (also called "this License").  Each licensee is
addressed as "you".

  A "library" means a collection of software functions and/or data
prepared so as to be conveniently linked with application programs
(which use some of those functions and data) to form executables.

  The "Library", below, refers to any such software library or work
which has been distributed under these terms.  A "work based on the
Library" means either the Library or any derivative work under
copyright law: that is to say, a work containing the Library or a
portion of it, either verbatim or with modifications and/or translated
straightforwardly into another language.  (Hereinafter, translation is
included without limitation in the term "modification".)

  "Source code" for a work means the preferred form of the work for
making modifications to it.  For a library, complete source code means
all the source code for all modules it contains, plus any associated
interface definition files, plus the scripts used to control compilation
and installation of the library.

  Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope.  The act of
running a program using the Library is not restricted, and output from
such a program is covered only if its contents constitute a work based
on the Library (independent of the use of the Library in a tool for
writing it).  Whether that is true depends on what the Library does
and what the program that uses the Library does.

  1. You may copy and distribute verbatim copies of the Library's
complete source code as you receive it, in any medium, provided that
you conspicuously and appropriately publish on each copy an
appropriate copyright notice and disclaimer of warranty; keep intact
all the notices that refer to this License and to the absence of any
warranty; and distribute a copy of this License along with the
Library.

  You may charge a fee for the physical act of transferring a copy,
and you may at your option offer warranty protection in exchange for a
fee.

  2. You may modify your copy or copies of the Library or any portion
of it, thus forming a work based on the Library, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:

    a) The modified work must itself be a software library.

    b) You must cause the files modified to carry prominent notices
    stating that you changed the files and the date of any change.

    c) You must cause the whole of the work to be licensed at no
    charge to all third parties under the terms of this License.

    d) If a facility in the modified Library refers to a function or a
    table of data to be supplied by an application program that uses
    the facility, other than as an argument passed when the facility
    is invoked, then you must make a good faith effort to ensure that,
    in the event an application does not supply such function or
    table, the facility still operates, and performs whatever part of
    its purpose remains meaningful.

    (For example, a function in a library to compute square roots has
    a purpose that is entirely well-defined independent of the
    application.  Therefore, Subsection 2d requires that any
    application-supplied function or table used by this function must
    be optional: if the application does not supply it, the square
    root function must still compute square roots.)

These requirements apply to the modified work as a whole.  If
identifiable sections of that work are not derived from the Library,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works.  But when you
distribute the same sections as part of a whole which is a work based
on the Library, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote
it.

Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Library.

In addition, mere aggregation of another work not based on the Library
with the Library (or with a work based on the Library) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.

  3. You may opt to apply the terms of the ordinary GNU General Public
License instead of this License to a given copy of the Library.  To do
this, you must alter all the notices that refer to this License, so
that they refer to the ordinary GNU General Public License, version 2,
instead of to this License.  (If a newer version than version 2 of the
ordinary GNU General Public License has appeared, then you can specify
that version instead if you wish.)  Do not make any other change in
these notices.

  Once this change is made in a given copy, it is irreversible for
that copy, so the ordinary GNU General Public License applies to all
subsequent copies and derivative works made from that copy.

  This option is useful when you wish to copy part of the code of
the Library into a program that is not a library.

  4. You may copy and distribute the Library (or a portion or
derivative of it, under Section 2) in object code or executable form
under the terms of Sections 1 and 2 above provided that you accompany
it with the complete corresponding machine-readable source code, which
must be distributed under the terms of Sections 1 and 2 above on a
medium customarily used for software interchange.

  If distribution of object code is made by offering access to copy
from a designated place, then offering equivalent access to copy the
source code from the same place satisfies the requirement to
distribute the source code, even though third parties are not
compelled to copy the source along with the object code.

  5. A program that contains no derivative of any portion of the
Library, but is designed to work with the Library by being compiled or
linked with it, is called a "work that uses the Library".  Such a
work, in isolation, is not a derivative work of the Library, and
therefore falls outside the scope of this License.

  However, linking a "work that uses the Library" with the Library
creates an executable that is a derivative of the Library (because it
contains portions of the Library), rather than a "work that uses the
library".  The executable is therefore covered by this License.
Section 6 states terms for distribution of such executables.

  When a "work that uses the Library" uses material from a header file
that is part of the Library, the object code for the work may be a
derivative work of the Library even though the source code is not.
Whether this is true is especially significant if the work can be
linked without the Library, or if the work is itself a library.  The
threshold for this to be true is not precisely defined by law.

  If such an object file uses only numerical parameters, data
structure layouts and accessors, and small macros and small inline
functions (ten lines or less in length), then the use of the object
file is unrestricted, regardless of whether it is legally a derivative
work.  (Executables containing this object code plus portions of the
Library will still fall under Section 6.)

  Otherwise, if the work is a derivative of the Library, you may
distribute the object code for the work under the terms of Section 6.
Any executables containing that work also fall under Section 6,
whether or not they are linked directly with the Library itself.

  6. As an exception to the Sections above, you may also compile or
link a "work that uses the Library" with the Library to produce a
work containing portions of the Library, and distribute that work
under terms of your choice, provided that the terms permit
modification of the work for the customer's own use and reverse
engineering for debugging such modifications.

  You must give prominent notice with each copy of the work that the
Library is used in it and that the Library and its use are covered by
this License.  You must supply a copy of this License.  If the work
during execution displays copyright notices, you must include the
copyright notice for the Library among them, as well as a reference
directing the user to the copy of this License.  Also, you must do one
of these things:

    a) Accompany the work with the complete corresponding
    machine-readable source code for the Library including whatever
    changes were used in the work (which must be distributed under
    Sections 1 and 2 above); and, if the work is an executable linked
    with the Library, with the complete machine-readable "work that
    uses the Library", as object code and/or source code, so that the
    user can modify the Library and then relink to produce a modified
    executable containing the modified Library.  (It is understood
    that the user who changes the contents of definitions files in the
    Library will not necessarily be able to recompile the application
    to use the modified definitions.)

    b) Accompany the work with a written offer, valid for at
    least three years, to give the same user the materials
    specified in Subsection 6a, above, for a charge no more
    than the cost of performing this distribution.

    c) If distribution of the work is made by offering access to copy
    from a designated place, offer equivalent access to copy the above
    specified materials from the same place.

    d) Verify that the user has already received a copy of these
    materials or that you have already sent this user a copy.

  For an executable, the required form of the "work that uses the
Library" must include any data and utility programs needed for
reproducing the executable from it.  However, as a special exception,
the source code distributed need not include anything that is normally
distributed (in either source or binary form) with the major
components (compiler, kernel, and so on) of the operating system on
which the executable runs, unless that component itself accompanies
the executable.

  It may happen that this requirement contradicts the license
restrictions of other proprietary libraries that do not normally
accompany the operating system.  Such a contradiction means you cannot
use both them and the Library together in an executable that you
distribute.

  7. You may place library facilities that are a work based on the
Library side-by-side in a single library together with other library
facilities not covered by this License, and distribute such a combined
library, provided that the separate distribution of the work based on
the Library and of the other library facilities is otherwise
permitted, and provided that you do these two things:

    a) Accompany the combined library with a copy of the same work
    based on the Library, uncombined with any other library
    facilities.  This must be distributed under the terms of the
    Sections above.

    b) Give prominent notice with the combined library of the fact
    that part of it is a work based on the Library, and explaining
    where to find the accompanying uncombined form of the same work.

  8. You may not copy, modify, sublicense, link with, or distribute
the Library except as expressly provided under this License.  Any
attempt otherwise to copy, modify, sublicense, link with, or
distribute the Library is void, and will automatically terminate your
rights under this License.  However, parties who have received copies,
or rights, from you under this License will not have their licenses
terminated so long as such parties remain in full compliance.

  9. You are not required to accept this License, since you have not
signed it.  However, nothing else grants you permission to modify or
distribute the Library or its derivative works.  These actions are
prohibited by law if you do not accept this License.  Therefore, by
modifying or distributing the Library (or any work based on the
Library), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Library or works based on it.

  10. Each time you redistribute the Library (or any work based on the
Library), the recipient automatically receives a license from the
original licensor to copy, distribute, link with or modify the Library
subject to these terms and conditions.  You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.

  11. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License.  If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Library at all.  For example, if a patent
license would not permit royalty-free redistribution of the Library by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Library.

If any portion of this section is held invalid or unenforceable under any
particular circumstance, the balance of the section is intended to apply,
and the section as a whole is intended to apply in other circumstances.

It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system which is
implemented by public license practices.  Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.

This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.

  12. If the distribution and/or use of the Library is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Library under this License may add
an explicit geographical distribution limitation excluding those countries,
so that distribution is permitted only in or among countries not thus
excluded.  In such case, this License incorporates the limitation as if
written in the body of this License.

  13. The Free Software Foundation may publish revised and/or new
versions of the Library General Public License from time to time.
Such new versions will be similar in spirit to the present version,
but may differ in detail to address new problems or concerns.

Each version is given a distinguishing version number.  If the Library
specifies a version number of this License which applies to it and
"any later version", you have the option of following the terms and
conditions either of that version or of any later version published by
the Free Software Foundation.  If the Library does not specify a
license version number, you may choose any version ever published by
the Free Software Foundation.

  14. If you wish to incorporate parts of the Library into other free
programs whose distribution conditions are incompatible with these,
write to the author to ask for permission.  For software which is
copyrighted by the Free Software Foundation, write to the Free
Software Foundation; we sometimes make exceptions for this.  Our
decision will be guided by the two goals of preserving the free status
of all derivatives of our free software and of promoting the sharing
and reuse of software generally.

                            NO WARRANTY

  15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO
WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW.
EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR
OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY
KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE
LIBRARY IS WITH YOU.  SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME
THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

  16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN
WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY
AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU
FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR
CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE
LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING
RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A
FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF
SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.

                     END OF TERMS AND CONDITIONS

     Appendix: How to Apply These Terms to Your New Libraries

  If you develop a new library, and you want it to be of the greatest
possible use to the public, we recommend making it free software that
everyone can redistribute and change.  You can do so by permitting
redistribution under these terms (or, alternatively, under the terms of the
ordinary General Public License).

  To apply these terms, attach the following notices to the library.  It is
safest to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least the
"copyright" line and a pointer to where the full notice is found.

    
    Copyright (C)   

    This library is free software; you can redistribute it and/or
    modify it under the terms of the GNU Library General Public
    License as published by the Free Software Foundation; either
    version 2 of the License, or (at your option) any later version.

    This library is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
    Library General Public License for more details.

    You should have received a copy of the GNU Library General Public
    License along with this library; if not, write to the Free
    Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
    MA 02111-1307, USA

Also add information on how to contact you by electronic and paper mail.

You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the library, if
necessary.  Here is a sample; alter the names:

  Yoyodyne, Inc., hereby disclaims all copyright interest in the
  library `Frob' (a library for tweaking knobs) written by James Random Hacker.

  , 1 April 1990
  Ty Coon, President of Vice

That's all there is to it!
why-2.39/tests/0000755000106100004300000000000013147234006012373 5ustar  marchevalswhy-2.39/tests/c/0000755000106100004300000000000013147234006012615 5ustar  marchevalswhy-2.39/tests/c/sum_array.c0000644000106100004300000000724013147234006014766 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

#pragma JessieIntegerModel(math)

/*@ axiomatic Sum {
  @   // sum(t,i,j) denotes t[i]+...+t[j-1]
  @   logic integer sum{L}(int *t, integer i, integer j)
  @        reads i,j,t, t[..] ;
  @   axiom sum1{L} :
  @     \forall int *t, integer i, j; i >= j ==> sum(t,i,j) == 0;
  @   axiom sum2{L} :
  @     \forall int *t, integer i, j; i <= j ==>
  @       sum(t,i,j+1) == sum(t,i,j) + t[j];
  @ }
  @*/

/*@ lemma sum3{L} :
  @     \forall int *t, integer i, j, k;
  @       i <= j <= k ==>
  @         sum(t,i,k) == sum(t,i,j) + sum(t,j,k);
  @*/

/*@ lemma sum_footprint{L} :
  @     \forall int *t1,*t2, integer i, j;
  @       (\forall integer k; i<=k t1[k] == t2[k]) ==>
  @       sum(t1,i,j) == sum(t2,i,j);
  @*/

/*@ requires n >= 1 && \valid(t+(0..n-1)) ;
  @ ensures \result == sum(t,0,n);
  @*/
int test1(int t[],int n) {
  int i,s = 0;

  /*@ loop invariant 0 <= i <= n && s == sum(t,0,i);
    @ loop variant n-i;
  */
  for(i=0; i < n; i++)
  {
    s += t[i];
  }
  return s;
}


/*@ requires n >= 1 && \valid(t+(0..n-1));
  @ assigns t[..];
  @ ensures sum(t,0,n) == \old(sum(t,0,n))+n;
  @*/
void test2(int t[],int n) {
  int i;
  /*@ loop invariant 0 <= i <= n &&
    @     sum(t,0,n) == \at(sum(t,0,n),Pre)+i;
    @ loop variant n-i;
    @*/
  for(i=0; i < n; i++)
  {
    //@ assert sum(t,0,n) == sum(t,0,i) + t[i] + sum(t,i+1,n);
    t[i] += 1;
    //@ assert sum(t,0,n) == sum(t,0,i) + t[i] + sum(t,i+1,n);
  }
}

/*
Local Variables:
compile-command: "make sum_array.why3ide"
End:
*/
why-2.39/tests/c/minmax.c0000644000106100004300000000547013147234006014260 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/


//@ ensures \result == \max(x,y);
int max(int x, int y) {
  return (x <= y) ? y : x;
}


//@ ensures \result == \min(x,y);
int min(int x, int y) {
  return (x <= y) ? x : y;
}


//@ ensures \result == \max(x,y);
float fmax(float x, float y) {
  return (x <= y) ? y : x;
}


//@ ensures \result == \min(x,y);
float fmin(float x, float y) {
  return (x <= y) ? x : y;
}


//@ ensures \result == \max(x,y);
double dmax(double x, double y) {
  return (x <= y) ? y : x;
}


//@ ensures \result == \min(x,y);
double dmin(double x, double y) {
  return (x <= y) ? x : y;
}



/*
Local Variables:
compile-command: "make minmax.why3ide"
End:
*/

why-2.39/tests/c/Sterbenz.c0000644000106100004300000000476113147234006014565 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

// RUNCOQ: will ask regtests to check Coq proofs of this program

/*@ requires  y / 2.0 <= x <= 2.0 * y;
  @ ensures   \result == x - y;
  @*/
float Sterbenz(float x, float y) {
  //@ assert 0.0 <= y;
  //@ assert 0.0 <= x;
  return x-y;
}


/*
Local Variables:
compile-command: "make Sterbenz.why3ide"
End:
*/
why-2.39/tests/c/isqrt.c0000644000106100004300000000543313147234006014130 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/


#pragma JessieIntegerModel(math)

//@ logic integer sqr(integer x) = x * x;

/*@ requires x >= 0;
  @ ensures \result >= 0 && sqr(\result) <= x && x < sqr(\result + 1);
  @*/
int isqrt(int x) {
  int count = 0, sum = 1;
  /*@ loop invariant count >= 0 && x >= sqr(count) && sum == sqr(count+1);
    @ loop variant  x - count; 
    @*/
  while (sum <= x) sum += 2 * ++count + 1;
  return count;
}

//@ ensures \result == 4;
int main () {
  int r;
  r = isqrt(17);
  //@ assert r < 4 ==> \false;
  //@ assert r > 4 ==> \false;
  return r;
}

/*
Local Variables:
compile-command: "make isqrt.why3ide"
End:
*/


why-2.39/tests/c/fact.c0000644000106100004300000000524013147234006013677 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

/*@ axiomatic Factorial {
  @   logic integer factorial(integer n);
  @   axiom factorial_0: factorial(0) == 1;
  @   axiom factorial_succ:
  @     \forall integer n; n > 0 ==> factorial(n) == n * factorial(n-1);
  @ }
  @*/

/*@ lemma fact_bound: \forall integer n; 0 <= n <= 11 ==>
  @      1 <= factorial(n) <= 39916800;
  @*/

/*@ requires 0 <= n <= 12;
  @ decreases n;
  @ ensures \result == factorial(n);
  @*/
int fact(int n) {
  if (n == 0) return 1;
  return n * fact(n-1);
}
why-2.39/tests/c/interval_arith.c0000644000106100004300000002415513147234006016003 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

#pragma JessieFloatModel(full)
#pragma JessieFloatRoundingMode(down)


/*@ requires !\is_NaN(x) && !\is_NaN(y);
  @ ensures \le_float(\result,x) && \le_float(\result,y);
  @ ensures \eq_float(\result,x) || \eq_float(\result,y);
  @*/
double min(double x, double y)
{
  return x < y ? x : y;
}


/*@ requires !\is_NaN(x) && !\is_NaN(y);
  @ ensures \le_float(x,\result) && \le_float(y,\result);
  @ ensures \eq_float(\result,x) || \eq_float(\result,y);
  @*/
double max(double x, double y)
{
  return x > y ? x : y;
}


//@ predicate dif_sign(double x, double y) = \sign(x) != \sign(y);
//@ predicate sam_sign(double x, double y) = \sign(x) == \sign(y);

/*@ predicate double_le_real(double x,real y) =
  @           (\is_finite(x) && x <= y) || \is_minus_infinity(x);
  @*/

/*@ predicate real_le_double(real x,double y) =
  @           (\is_finite(y) && x <= y) || \is_plus_infinity(y);
  @*/

/*@ predicate in_interval(real a,double l,double u) =
  @           double_le_real(l,a) && real_le_double(a,u);
  @*/



/*@ requires ! \is_NaN(x) && ! \is_NaN(y);
  @ requires \is_infinite(x) || \is_infinite(y) ==> dif_sign(x,y);
  @ requires \is_infinite(x) && \is_finite(y) ==> y != 0.0;
  @ requires \is_finite(x) && \is_infinite(y) ==> x != 0.0;
  @ assigns \nothing;
  @ ensures double_le_real(\result,x*y);
  @*/
double mul_dn(double x, double y)
{
  double z = x*y;
  /* @ assert \is_finite(x) && \is_finite(y)
    @     && \no_overflow_double(\Down,x*y) ==> double_le_real(z,x*y);
    @*/
  /* @ assert \is_finite(x) && \is_finite(y)
    @     && ! \no_overflow_double(\Down,x*y) && \sign(x) == \sign(y) ==> double_le_real(z,x*y);
    @*/
  /* @ assert \is_finite(x) && \is_finite(y)
    @     && ! \no_overflow_double(\Down,x*y) && \sign(x) != \sign(y)  ==> double_le_real(z,x*y);
    @*/
  /* @ assert \is_infinite(x) || \is_infinite(y) ==> double_le_real(z,x*y);
    @*/
  return z;
}



/*@ requires !\is_NaN(x) && !\is_NaN(y);
  @ requires \is_infinite(x) || \is_infinite(y) ==> sam_sign(x,y);
  @ requires \is_infinite(x) && \is_finite(y) ==> y != 0.0;
  @ requires \is_infinite(y) && \is_finite(x) ==> x != 0.0;
  @ requires \is_finite(x) && \is_finite(y) &&
  @          !\no_overflow_double(\Down,-y) && \sign(y) == \Positive
  @          ==> x > 0.0 ;
  @ ensures  real_le_double(x * y,\result);
  @*/
double mul_up(double x, double y) {
  double a=-y;
  double b=x*a;
  double z=-b;
  /*  double z = -(x * -y);*/

  /*@ assert \is_infinite(x) || \is_infinite(y) ==> real_le_double(x * y,z);
    @*/


  /*@ assert \is_finite(x) && \is_infinite(y) ==> real_le_double(x * y,z) ;
    @*/
  /*@ assert \is_infinite(x) && \is_finite(y) &&
    @    \no_overflow_double(\Down,-y) ==> real_le_double(x * y,z);
    @*/
  /*@ assert \is_infinite(x) && \is_finite(y) &&
    @    ! \no_overflow_double(\Down,-y) ==> real_le_double(x * y,z);
    @*/
  /*@ assert \is_infinite(x) && \is_infinite(y) ==> real_le_double(x * y,z);
    @*/



  /*@ assert \is_finite(x) && \is_finite(y) &&
    @     \no_overflow_double(\Down,-y) &&
    @     \no_overflow_double(\Down,x*a) &&
    @     !\no_overflow_double(\Down,-b) ==> real_le_double(x * y,z) ;
    @*/
  /*@ assert \is_finite(x) && \is_finite(y) &&
    @     \no_overflow_double(\Down,-y) &&
    @     !\no_overflow_double(\Down,x*a) ==> real_le_double(x * y,z) ;
    @*/
  /*@ assert \is_finite(x) && \is_finite(y) &&
    @     !\no_overflow_double(\Down,-y) && \sign(y) == \Positive
    @                                     ==> real_le_double(x * y,z) ;
    @*/
  /*@ assert \is_finite(x) && \is_finite(y) &&
    @     !\no_overflow_double(\Down,-y) && \sign(y) == \Negative &&
    @     !\no_overflow_double(\Down,x*a) ==> real_le_double(x * y,z) ;
    @*/
  /*@ assert \is_finite(x) && \is_finite(y) &&
    @     !\no_overflow_double(\Down,-y) && \sign(y) == \Negative &&
    @     \no_overflow_double(\Down,x*a) &&
    @     !\no_overflow_double(\Down,-b)  ==> real_le_double(x * y,z) ;
    @*/
  /*@ assert \is_finite(x) && \is_finite(y) &&
    @     !\no_overflow_double(\Down,-y) && \sign(y) == \Negative &&
    @     \no_overflow_double(\Down,x*a) &&
    @     \no_overflow_double(\Down,-b) ==> real_le_double(x * y,z);
    @*/
  /*@ assert \is_finite(x) && \is_finite(y) &&
    @     \no_overflow_double(\Down,-y) &&
    @     \no_overflow_double(\Down,x*a) &&
    @     \no_overflow_double(\Down,-b) && x > 0.0 ==> \is_finite(z) && real_le_double(x * y,z) ;
    @*/
  /*@ assert \is_finite(x) && \is_finite(y) &&
    @     \no_overflow_double(\Down,-y) &&
    @     \no_overflow_double(\Down,x*a) &&
    @     \no_overflow_double(\Down,-b) && x < 0.0 ==> \is_finite(z) && real_le_double(x * y,z) ;
    @*/

   return z;
}


double zl, zu;

/*@ predicate is_interval(double xl, double xu) =
  @       (\is_finite(xl) || \is_minus_infinity(xl))
  @       &&
  @       (\is_finite(xu) || \is_plus_infinity(xu));
  @*/

/*@ requires is_interval(xl,xu) && is_interval(yl,yu);
  @ ensures is_interval(zl,zu);
  @ ensures \forall real a,b;
  @    in_interval(a,xl,xu) && in_interval(b,yl,yu) ==>
  @    in_interval(a+b,zl,zu);
  @*/
void add(double xl, double xu, double yl, double yu)
{
  zl = xl + yl;
  /* @ assert
    @  \forall real a,b;
    @    in_interval(a,xl,xu) && in_interval(b,yl,yu) ==>
    @      double_le_real(zl,a+b)  ;
    @*/
  zu = -((-xu) - yu);
  /* @ assert caseuii: \is_infinite(xu) && \is_infinite(yu) ==>
    @  \forall real a,b;
    @    in_interval(a,xl,xu) && in_interval(b,yl,yu) ==>
    @      real_le_double(a+b,zu)  ;
    @*/
  /* @ assert caseuif: \is_infinite(xu) && \is_finite(yu) ==>
    @  \forall real a,b;
    @    in_interval(a,xl,xu) && in_interval(b,yl,yu) ==>
    @      real_le_double(a+b,zu)  ;
    @*/
  /* @ assert caseufi: \is_finite(xu) && \is_infinite(yu) ==>
    @  \forall real a,b;
    @    in_interval(a,xl,xu) && in_interval(b,yl,yu) ==>
    @      real_le_double(a+b,zu)  ;
    @*/
  /* @ assert caseufff: \is_finite(xu) && \is_finite(yu) && \is_infinite(zu) ==>
    @  \forall real a,b;
    @    in_interval(a,xl,xu) && in_interval(b,yl,yu) ==>
    @      real_le_double(a+b,zu)  ;
    @*/
  /* @ assert caseufff: \is_finite(xu) && \is_finite(yu) && \is_finite(zu) ==>
    @  \forall real a,b;
    @    in_interval(a,xl,xu) && in_interval(b,yl,yu) ==>
    @      real_le_double(a+b,zu)  ;
    @*/
}





/*@ requires is_interval(xl,xu) && is_interval(yl,yu);
  @ ensures is_interval(zl,zu);
  @ ensures \forall real a,b;
  @    in_interval(a,xl,xu) && in_interval(b,yl,yu) ==>
  @    in_interval(a*b,zl,zu);
  @*/
void mul(double xl, double xu, double yl, double yu)
{
  if (xl < 0.0)
    if (xu > 0.0)
      if (yl < 0.0)
        if (yu > 0.0) // M * M
          { zl = min(mul_dn(xl, yu), mul_dn(xu, yl));
            zu = max(mul_up(xl, yl), mul_up(xu, yu)); }
        else           // M * Neg
          { zl = mul_dn(xu, yl);
            zu = mul_up(xl, yl); }
      else
        if (yu > 0.0) // M * Pos
          { zl = mul_dn(xl, yu);
            zu = mul_up(xu, yu); }
        else           // M * Zero
          { zl = 0.0;
            zu = 0.0; }
    else
      if (yl < 0.0)
        if (yu > 0.0) // Neg * M
          { zl = mul_dn(xl, yu);
            zu = mul_up(xl, yl); }
        else           // Neg * Neg
          { zl = mul_dn(xu, yu);
            zu = mul_up(xl, yl); }
      else
        if (yu > 0.0) // Neg * Pos
          { zl = mul_dn(xl, yu);
            zu = mul_up(xu, yl); }
        else           // Neg * Zero
          { zl = 0.0;
            zu = 0.0; }
  else
    if (xu > 0.0)
      if (yl < 0.0)
        if (yu > 0.0) // Pos * M
          { zl = mul_dn(xu, yl);
            zu = mul_up(xu, yu); }
        else           // Pos * Neg
          { zl = mul_dn(xu, yl);
            zu = mul_up(xl, yu); }
      else
        if (yu > 0.0) // Pos * Pos
          { zl = mul_dn(xl, yl);
            zu = mul_up(xu, yu); }
        else           // Pos * Zero
          { zl = 0.0;
            zu = 0.0; }
    else               // Zero * M
      { zl = 0.0;
        zu = 0.0; }
}




/*
Local Variables:
compile-command: "LC_ALL=C make interval_arith.why3ide"
End:
*/
why-2.39/tests/c/cd1d.c0000644000106100004300000000531313147234006013576 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

#define D 10.0
#define T 1.0

/*@ predicate conflict(real s, real v) =
      \exists real t; 0<=t<=T && s - t * v < D;
*/

/*@ predicate cd1d(real s, real v) = D + T * v > s ; */

/*@ lemma completeness: \forall real s, v; v >= 0.0 ==>
             conflict(s,v) ==> cd1d(s,v); */

#define eps 0x1p-49

#define Dp (D+eps)

/*@ requires 100.>=s>=0. && 1. >=v >= 0.;
       behavior completeness:
          assumes cd1d(s,v);
          ensures \result == 1;
 */
int cd1d_double(double s, double v) {
  return (Dp+T*v>s) ? 1 : 0;
}
why-2.39/tests/c/eps_line2.c0000644000106100004300000000623513147234006014647 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

#pragma JessieFloatModel(multirounding)

#define E 0x1.90641p-45

//@ logic integer l_sign(real x) = (x >= 0.0) ? 1 : -1;

/*@ requires e1<= x-\exact(x) <= e2;
  @ ensures  (\result != 0 ==> \result == l_sign(\exact(x))) &&
  @          \abs(\result) <= 1 ;
  @*/
int sign(double x, double e1, double e2) {

  if (x > e2)
    return 1;
  if (x < e1)
    return -1;
  return 0;
}

/*@ requires
  @   sx == \exact(sx)  && sy == \exact(sy) &&
  @   vx == \exact(vx)  && vy == \exact(vy) &&
  @   \abs(sx) <= 100.0 && \abs(sy) <= 100.0 &&
  @   \abs(vx) <= 1.0   && \abs(vy) <= 1.0;
  @ ensures
  @    \result != 0
  @      ==> \result == l_sign(\exact(sx)*\exact(vx)+\exact(sy)*\exact(vy))
  @            * l_sign(\exact(sx)*\exact(vy)-\exact(sy)*\exact(vx));
  @*/
int eps_line(double sx, double sy,double vx, double vy){
  int s1,s2;

  s1=sign(sx*vx+sy*vy, -E, E);
  s2=sign(sx*vy-sy*vx, -E, E);

  return s1*s2;
}

/*
Local Variables:
compile-command: "LC_ALL=C make eps_line2.why3ide"
End:
*/
why-2.39/tests/c/flag.c0000644000106100004300000001007313147234006013673 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

/* Dijkstra's dutch flag */

#pragma JessieIntegerModel(math)

typedef char color;

#define BLUE (color)1
#define WHITE (color)2
#define RED (color)3

/*@ predicate is_color(color c) =
  @   c == BLUE || c == WHITE || c == RED ;
  @*/

/*@ predicate is_color_array{L}(color *t, integer l) =
  @   \valid(t+(0..l-1)) &&
  @   \forall integer i; 0 <= i < l ==> is_color(t[i]) ;
  @*/

/*@ predicate is_monochrome{L}(color *t,integer i, integer j, color c) =
  @   \forall integer k; i <= k < j ==> t[k] == c ;
  @*/


/*@ requires \valid(t+(i..j));
  @ behavior decides_monochromatic:
  @   ensures \result <==> is_monochrome(t,i,j,c);
  @*/
int isMonochrome(color t[], int i, int j, color c) {
  /*@ loop invariant i <= k &&
    @   \forall integer l; i <= l < k ==> t[l] == c;
    @ loop variant j - k;
    @*/
  for (int k = i; k < j; k++) if (t[k] != c) return 0;
  return 1;
}

/*@ requires \valid(t+i);
  @ requires \valid(t+j);
  @ behavior i_j_swapped:
  @   assigns t[i],t[j];
  @   ensures t[i] == \old(t[j]) && t[j] == \old(t[i]);
  @*/
void swap(color t[], int i, int j) {
  color z = t[i];
  t[i] = t[j];
  t[j] = z;
}

/*@ requires l >= 0 && is_color_array(t, l);
  @ behavior sorts:
  @   ensures
  @     (\exists integer b,r;
  @        is_monochrome(t,0,b,BLUE) &&
  @        is_monochrome(t,b,r,WHITE) &&
  @        is_monochrome(t,r,l,RED));
  @*/
void flag(color t[], int l) {
  int b = 0;
  int i = 0;
  int r = l;
  /*@ loop invariant
    @   is_color_array(t,l) &&
    @   0 <= b <= i <= r <= l &&
    @   is_monochrome(t,0,b,BLUE) &&
    @   is_monochrome(t,b,i,WHITE) &&
    @   is_monochrome(t,r,l,RED);
    @ loop variant r - i;
    @*/
  while (i < r) {
    switch (t[i]) {
    case BLUE:
      swap(t,b++, i++);
      break;
    case WHITE:
      i++;
      break;
    case RED:
      swap(t,--r, i);
      break;
    }
  }
}



/*
Local Variables:
compile-command: "make flag.why3ide"
End:
*/
why-2.39/tests/c/swap.c0000644000106100004300000000445413147234006013742 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

int a;
int b;

/*@ ensures a == \old(b) && b == \old(a);
  @*/
void swap() {
  int tmp = a;
  a = b;
  b = tmp;
}
why-2.39/tests/c/clock_drift.c0000644000106100004300000000716113147234006015251 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

// RUNGAPPA: will ask regtests to run gappa on VCs of this program

#define NMAX 1000000
#define NMAXR 1000000.0

// this one is needed by Gappa to prove the assertion on the rounding error
/*@ lemma real_of_int_inf_NMAX:
  @   \forall integer i; i <= NMAX ==> i <= NMAXR;
  @*/

// this one does not seem useful for Alt-Ergo
// but it is for CVC3, to prove preservation of the loop
// invariant. Z3 does not prove it either
//@ lemma real_of_int_succ: \forall integer n; n+1 == n + 1.0;

// this one does not seem to be needed anymore
/* lemma inf_mult : 
  @    \forall real x,y,z; x<=y && 0<=z ==> x*z <= y*z;
  @*/

#define A 1.49012e-09 
// A is a bound of (float)0.1 - 0.1

// this one is not needed anymore since (float)0.1 is evaluated
// at compile-time
// lemma round01: \abs((float)0.1 - 0.1) <=  A;

// B is a bound of round_error(t+(float)0.1) for 0 <= t <= 0.1*NMAXR
// NMAX = 100 -> #define B 4.76838e-07
// NMAX = 1000000 ->
#define B 0x1p-8

#define C (B + A)

/*@ requires 0 <= n <= NMAX;
  @ ensures \abs(\result - n*0.1) <= n * C;
  @*/
float f_single(int n)
{
  float t = 0.0f;
  int i;

  /*@ loop invariant 0 <= i <= n;
    @ loop invariant \abs(t - i * 0.1) <= i * C ;
    @ loop variant n-i;
    @*/
  for(i=0;i 0. ==> newton_rel(t, x);

 predicate closeness(real u, real t, real x) =
   \abs(u - 0.5 * t * (3 - t * t * x)) <= 1 &&
   \abs(u - 1/\sqrt(x)) <= 1;
*/

/*@
 requires 0.5 <= x <= 2;
 ensures \abs(\result - 1/\sqrt(x)) <= 0x1p-6 * \abs(1/\sqrt(x));
*/
double sqrt_init(double x);

/*@
 requires 0.5 <= x <= 2;
 ensures \abs(\result - \sqrt(x)) <= 0x1p-43 * \abs(\sqrt(x));
*/
double sqrt(double x)
{
  double t, u;
  t = sqrt_init(x);

  u = 0.5 * t * (3 - t * t * x);
  //@ assert newton_rel(t, x);
  //@ assert closeness(u, t, x);
  t = u;

  u = 0.5 * t * (3 - t * t * x);
  //@ assert newton_rel(t, x);
  //@ assert closeness(u, t, x);
  t = u;

  u = 0.5 * t * (3 - t * t * x);
  //@ assert newton_rel(t, x);
  //@ assert closeness(u, t, x);
  t = u;

  //@ assert x * (1/\sqrt(x)) == \sqrt(x);
  return x * t;
}



/*
Local Variables:
compile-command: "make float_sqrt.why3ide"
End:
*/


why-2.39/tests/c/isqrt2.c0000644000106100004300000000572113147234006014212 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

/* run.config
   OPT: -journal-disable -cvcg
*/

/*@ requires 0 <= x <= 32768 * 32768 - 1;
  @ assigns \nothing;
  @ ensures \result >= 0 &&
  @         \result * \result <= x &&
  @         x < (\result + 1) * (\result + 1);
  @*/
int isqrt(int x) {
  int count = 0, sum = 1;
  /*@ loop invariant 0 <= count <= 32767 &&
    @                x >= count * count &&
    @                sum == (count+1)*(count+1);
    @ loop assigns count, sum;
    @ loop variant  x - count;
    @*/
  while (sum <= x) sum += 2 * ++count + 1;
  return count;
}

//@ ensures \result == 4;
int test () {
  int r;
  r = 0 + isqrt(17);
  //@ assert r < 4 ==> \false;
  //@ assert r > 4 ==> \false;
  return r;
}

int main () {
  return 0;
}


/*
Local Variables:
compile-command: "make isqrt2.why3ide"
End:
*/


why-2.39/tests/c/exp.c0000644000106100004300000000502713147234006013561 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

/*@ requires \abs(x) <= 1.0;
  @ ensures \abs(\result - \exp(x)) <= 0x1p-4; */
double my_exp(double x) {
  /*@ assert \abs(0.9890365552 + 1.130258690*x +
    @          0.5540440796*x*x - \exp(x)) <= 0x0.FFFFp-4; */
  return 0.9890365552 + 1.130258690 * x + 0.5540440796 * x * x;
}



/*
Local Variables:
compile-command: "make exp.why3ide"
End:
*/
why-2.39/tests/c/binary_search.c0000644000106100004300000000634113147234006015576 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

// RUNSIMPLIFY this tells regtests to run Simplify in this example

//@ lemma mean: \forall integer x, y; x <= y ==> x <= (x+y)/2 <= y;

/*@ predicate sorted{L}(long *t, integer a, integer b) =
  @    \forall integer i,j; a <= i <= j <= b ==> t[i] <= t[j];
  @*/

/*@ requires n >= 0 && \valid(t+(0..n-1));
  @ ensures -1 <= \result < n;
  @ behavior success:
  @   ensures \result >= 0 ==> t[\result] == v;
  @ behavior failure:
  @   assumes sorted(t,0,n-1);
  @   ensures \result == -1 ==>
  @     \forall integer k; 0 <= k < n ==> t[k] != v;
  @*/
int binary_search(long t[], int n, long v) {
  int l = 0, u = n-1;
  /*@ loop invariant
    @   0 <= l && u <= n-1;
    @ for failure:
    @   loop invariant
    @   \forall integer k; 0 <= k < n && t[k] == v ==> l <= k <= u;
    @ loop variant u-l;
    @*/
  while (l <= u ) {
    int m = l + (u - l) / 2;
    //@ assert l <= m <= u;
    if (t[m] < v) l = m + 1;
    else if (t[m] > v) u = m - 1;
    else return m;
  }
  return -1;
}

/*
Local Variables:
compile-command: "make binary_search.why3ide"
End:
*/
why-2.39/tests/c/power.c0000644000106100004300000000706413147234006014124 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/


// int model: unbounded mathematical integers
#pragma JessieIntegerModel(math)


/*@ axiomatic Power {
  @   logic integer power(integer x, integer n);
  @ }
  @*/
#pragma JessieBuiltin(power, "\\int_pow")

// recursive implementation


/*@ lemma power_aux:
  @   \forall integer x,n; n >= 0 ==>
  @     power(x,2*n+0) == power(x*x,n);
  @*/

/*@ lemma power_even:
  @   \forall integer x,n; n >= 0 && n % 2 == 0 ==>
  @     power(x,n) == power(x*x,n/2);
  @*/

/*@ lemma power_odd:
  @   \forall integer x,n; n >= 0 && n % 2 != 0 ==>
  @     power(x,n) == x * power(x*x,n/2);
  @*/

/*@ requires 0 <= n;
  @ decreases n;
  @ ensures \result == power(x,n);
  @*/
long rec(long x, int n) {
  if (n == 0) return 1;
  long r = rec(x, n/2);
  if ( n % 2 == 0 ) return r*r;
  return r*r*x;
}


// non-recursive implementation

/*@ lemma power_even2:
  @   \forall integer x,n; n >= 0 && n % 2 == 0 ==>
  @     power(x,n) == power(x,n/2) * power(x,n/2);
  @*/

/*@ lemma power_odd2:
  @   \forall integer x,n; n >= 0 && n % 2 != 0 ==>
  @     power(x,n) == x * power(x,n/2) * power(x,n/2);
  @*/

/*@ requires 0 <= n;
  @ ensures \result == power(x,n);
  @*/
long imp(long x, int n) {
  long r = 1, p = x;
  int e = n;

  /*@ loop invariant
    @   0 <= e && r * power(p,e) == power(x,n);
    @ loop variant e;
    @*/
  while (e > 0) {
    if (e % 2 != 0) r *= p;
    p *= p;
    e /= 2;
  }
  return r;
}
why-2.39/tests/c/double_rounding_multirounding_model.c0000644000106100004300000000525613147234006022310 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

/* 

Warning: the proof can be achieve with Gappa 0.14.1 but not
with versions 0.15 ou 0.16. Hopefully it will work with 0.16.1 and higher

*/

#pragma JessieFloatModel(multirounding)

double doublerounding() {
  double x = 1.0;
  double y = 0x1p-53 + 0x1p-64;
  double z = x + y;
  //@ assert 1.0 - 0x1p-63 <= z <= 1.0 + 0x1p-52 + 0x1p-62;
  // assert 1.0 <= z <= 1.0 + 0x1p-52;
  return z;
}

/*
Local Variables:
compile-command: "LC_ALL=C make double_rounding_multirounding_model.why3ide"
End:
*/
why-2.39/tests/c/insertion_sort.c0000644000106100004300000000615413147234006016050 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

// RUNSIMPLIFY: will ask regtests to run Simplify on this program

#pragma JessieIntegerModel(math)

#include "sorting.h"

/*@ requires \valid(t+(0..n-1));
  @ ensures Sorted(t,0,n-1);
  @*/
void insert_sort(int t[], int n) {
  int i,j;
  int mv;
  if (n <= 1) return;
  /*@ loop invariant 0 <= i <= n;
    @ loop invariant Sorted(t,0,i);
    @ loop variant n-i;
    @*/
  for (i=1; i Sorted(t,0,i);
      @ loop invariant j < i ==> Sorted(t,0,i+1);
      @ loop invariant \forall integer k; j <= k < i ==> t[k] > mv;
      @ loop variant j;
      @*/
    // look for the right index j to put t[i]
    for (j=i; j > 0; j--) {
      if (t[j-1] <= mv) break;
      t[j] = t[j-1];
    }
    t[j] = mv;
  }
}


/*
Local Variables:
compile-command: "make insertion_sort.why3ide"
End:
*/
why-2.39/tests/c/tree_max.c0000644000106100004300000001061513147234006014570 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

#pragma JessieTerminationPolicy(user)

#define NULL (void*)0

//@ ensures \result == \max(x,y);
int max(int x, int y);

typedef struct Tree *tree;
struct Tree {
  int value;
  tree left;
  tree right;
};

/* not accepted by Why3 (termination not proved) 
  @ predicate mem(int x, tree t) =
  @  (t==\null) ? \false : (x==t->value) || mem(x,t->left) || mem(x,t->right);
  @*/

/*@ axiomatic Mem {
  @   predicate mem{L}(int x, tree t);
  @   axiom mem_null{L}: \forall int x; ! mem(x,\null);
  @   axiom mem_root{L}: \forall tree t; t != \null ==>
  @     mem(t->value,t);
  @   axiom mem_root_eq{L}: \forall int x, tree t; t != \null ==>
  @     x==t->value ==> mem(x,t);
  @   axiom mem_left{L}: \forall int x, tree t; t != \null ==>
  @     mem(x,t->left) ==> mem(x,t);
  @   axiom mem_right{L}: \forall int x, tree t; t != \null ==>
  @     mem(x,t->right) ==> mem(x,t);
  @   axiom mem_inversion{L}: \forall int x, tree t;
  @     mem(x,t) ==> t != \null &&
  @       (x==t->value || mem(x,t->left) || mem(x,t->right));
  @ }
  @*/

/*@ axiomatic WellFormedTree {
  @   predicate has_size{L}(tree t, integer s);
  @   axiom has_size_null{L}: has_size(\null,0);
  @   axiom has_size_non_null{L}: \forall tree t; \valid(t) ==>
  @     \forall integer s1,s2;
  @     has_size(t->left,s1) && has_size(t->right,s2) ==>
  @     has_size(t,s1+s2+1) ;
  @   axiom has_size_inversion{L}: \forall tree t, integer s;
  @     has_size(t,s) ==>
  @       (t == \null && s == 0) ||
  @       (\valid(t) && \exists integer s1,s2;
  @            has_size(t->left,s1) && has_size(t->right,s2) &&
  @            0 <= s1 && 0 <= s2 && s == s1+s2+1) ;
  @  predicate size_decreases{L}(tree t1, tree t2) =
  @    \exists integer s1,s2; has_size(t1,s1) && has_size(t2,s2) && s1 > s2;
  @   predicate valid_tree{L}(tree t) =
  @     \exists integer s; has_size(t,s);
  @ }
  @*/

/*@ requires t != \null && valid_tree(t);
  @ // decreases t for size_decreases;
  @ ensures mem(\result,t) && \forall int x; mem(x,t) ==> \result >= x;
  @*/
int tree_max(tree t) {
  int m = t->value;
  if (t->left != NULL) m = max(m,tree_max(t->left));
  if (t->right != NULL) m = max(m,tree_max(t->right));
  return m;
  }



/*
Local Variables:
compile-command: "make tree_max.why3ide"
End:
*/
why-2.39/tests/c/my_cosine.c0000644000106100004300000000701413147234006014750 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

// does not work: RUN GAPPA: will ask regtests to run Gappa on this program
// does not work anymore: RUN COQ: use why3 instead


/*@ lemma method_error: \forall real x;
  @     \abs(x) <= 0x1p-5 ==> \abs(1.0 - x*x*0.5 - \cos(x)) <= 0x1p-24;
  @*/

/*@ requires \abs(x) <= 0x1p-5;
  @ ensures \abs(\result - \cos(x)) <= 0x1p-23;
  @*/
float my_cos1(float x) {
  //@ assert \abs(1.0 - x*x*0.5 - \cos(x)) <= 0x1p-24;
  return 1.0f - x * x * 0.5f;
}


/*@ requires \abs(x) <= 0x1p-5 && \round_error(x) == 0.0;
  @ ensures \abs(\result - \cos(x)) <= 0x1p-23;
  @*/
float my_cos2(float x) {
  //@ assert \exact(x) == x;
  float r = 1.0f - x * x * 0.5f;
  //@ assert \abs(\exact(r) - \cos(x)) <= 0x1p-24;
  return r;
}


/*@ requires \abs(\exact(x)) <= 0x1p-5
  @     && \round_error(x) <= 0x1p-20;
  @ ensures \abs(\exact(\result) - \cos(\exact(x))) <= 0x1p-24
  @     && \round_error(\result) <= \round_error(x) + 0x3p-24;
  @*/
float my_cos3(float x) {
  float r = 1.0f - x * x * 0.5f;
  //@ assert \abs(\exact(r) - \cos(\exact(x))) <= 0x1p-24;  // by interval
  return r;
}

/*@ requires \abs(x) <= 0x9p-7; // 0.070... 
  @ ensures \abs(\result - \cos(x)) <= 0x1.3p-20;
  @*/
float my_cos4(float x) {
  //@ assert \abs(1.0 - x*x*0.5 - \cos(x)) <= 0x1.2p-20;
  return 1.0f - x * x * 0.5f;
}


/*
Local Variables:
compile-command: "make my_cosine.why3ide"
End:
*/


why-2.39/tests/c/oracle/0000755000106100004300000000000013147234006014062 5ustar  marchevalswhy-2.39/tests/c/oracle/binary_search_wrong.err.oracle0000644000106100004300000000000013147234006022053 0ustar  marchevalswhy-2.39/tests/c/oracle/find_array.err.oracle0000644000106100004300000000000013147234006020144 0ustar  marchevalswhy-2.39/tests/c/oracle/cd1d.err.oracle0000644000106100004300000000000013147234006016641 0ustar  marchevalswhy-2.39/tests/c/oracle/exp.err.oracle0000644000106100004300000000000013147234006016622 0ustar  marchevalswhy-2.39/tests/c/oracle/overflow_level.err.oracle0000644000106100004300000000000013147234006021060 0ustar  marchevalswhy-2.39/tests/c/oracle/sparse_array2.err.oracle0000644000106100004300000000000013147234006020603 0ustar  marchevalswhy-2.39/tests/c/oracle/sparse_array.res.oracle0000644000106100004300000001264413147234006020543 0ustar  marchevals========== file tests/c/sparse_array.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

typedef unsigned int uint;

#define MAXLEN 1000

typedef struct SparseArray {
  int val[MAXLEN];
  uint idx[MAXLEN], back[MAXLEN];
  uint n;
  uint sz;
} *sparse_array;

/*@ requires sz <= MAXLEN;
  @ ensures \fresh(\result,sizeof(struct SparseArray));
  @*/
sparse_array create(uint sz) {
  sparse_array a = (sparse_array)malloc(sizeof(struct SparseArray));
  a->n = 0;
  a->sz = sz;
  return a;
}

/*@ requires \valid(a);
  @*/
int get(sparse_array a, uint i) {
  if (a->idx[i] < a->n && a-> back[a->idx[i]] == i) return a->val[i];
  else return 0;
}

/*@ requires \valid(a);
  @*/
void set(sparse_array a, uint i, int v) {
  a->val[i] = v;
  if (!(a->idx[i] < a->n && a-> back[a->idx[i]] == i)) {
    //@ assert a->n < MAXLEN;
    a->idx[i] = a->n; a->back[a->n] = i; a->n++;
  }
}



int main() {
  sparse_array a = create(10), b = create(20);
  int x,y;
  x = get(a,5); y = get(b,7);
  //@ assert x == 0 && y == 0;
  set(a,5,1); set(b,7,2);
  x = get(a,5); y = get(b,7);
  //@ assert x == 1 && y == 2;
  x = get(a,0); y = get(b,0);
  //@ assert x == 0 && y == 0;
  return 0;
}





/*
Local Variables:
compile-command: "make sparse_array.why3ide"
End:
*/


========== frama-c -jessie execution ==========
[kernel] Parsing FRAMAC_SHARE/libc/__fc_builtin_for_normalization.i (no preprocessing)
[kernel] Parsing tests/c/sparse_array.c (with preprocessing)
tests/c/sparse_array.c:47:[kernel] warning: Calling undeclared function malloc. Old style K&R code?
[jessie] Starting Jessie translation
tests/c/sparse_array.c:72:[kernel] warning: Neither code nor specification for function malloc, generating default assigns from the prototype
[kernel] Current source was: tests/c/sparse_array.c:47
         The full backtrace is:
         Raised at file "src/kernel/ast_info.ml", line 391, characters 11-23
         Called from file "src/kernel/ast_info.ml", line 394, characters 19-43
         Called from file "interp.ml", line 1830, characters 22-50
         Called from file "interp.ml", line 1967, characters 17-30
         Called from file "list.ml", line 66, characters 22-25
         Called from file "interp.ml", line 2133, characters 36-66
         Called from file "list.ml", line 66, characters 22-25
         Called from file "interp.ml", line 2715, characters 27-66
         Called from file "register.ml", line 176, characters 16-32
         Called from file "register.ml", line 327, characters 6-12
         Called from file "queue.ml", line 134, characters 6-20
         Called from file "src/kernel/boot.ml", line 37, characters 4-20
         Called from file "src/kernel/cmdline.ml", line 763, characters 2-9
         Called from file "src/kernel/cmdline.ml", line 216, characters 4-8
         
         Unexpected error (File "src/kernel/ast_info.ml", line 391, characters 11-17: Assertion failed).
         Please report as 'crash' at http://bts.frama-c.com/.
         Your Frama-C version is Sodium-20150201.
         Note that a version and a backtrace alone often do not contain enough
         information to understand the bug. Guidelines for reporting bugs are at:
         http://bts.frama-c.com/dokuwiki/doku.php?id=mantis:frama-c:bug_reporting_guidelines
why-2.39/tests/c/oracle/power.res.oracle0000644000106100004300000007610713147234006017210 0ustar  marchevals========== file tests/c/power.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


// int model: unbounded mathematical integers
#pragma JessieIntegerModel(math)


/*@ axiomatic Power {
  @   logic integer power(integer x, integer n);
  @ }
  @*/
#pragma JessieBuiltin(power, "\\int_pow")

// recursive implementation


/*@ lemma power_aux:
  @   \forall integer x,n; n >= 0 ==>
  @     power(x,2*n+0) == power(x*x,n);
  @*/

/*@ lemma power_even:
  @   \forall integer x,n; n >= 0 && n % 2 == 0 ==>
  @     power(x,n) == power(x*x,n/2);
  @*/

/*@ lemma power_odd:
  @   \forall integer x,n; n >= 0 && n % 2 != 0 ==>
  @     power(x,n) == x * power(x*x,n/2);
  @*/

/*@ requires 0 <= n;
  @ decreases n;
  @ ensures \result == power(x,n);
  @*/
long rec(long x, int n) {
  if (n == 0) return 1;
  long r = rec(x, n/2);
  if ( n % 2 == 0 ) return r*r;
  return r*r*x;
}


// non-recursive implementation

/*@ lemma power_even2:
  @   \forall integer x,n; n >= 0 && n % 2 == 0 ==>
  @     power(x,n) == power(x,n/2) * power(x,n/2);
  @*/

/*@ lemma power_odd2:
  @   \forall integer x,n; n >= 0 && n % 2 != 0 ==>
  @     power(x,n) == x * power(x,n/2) * power(x,n/2);
  @*/

/*@ requires 0 <= n;
  @ ensures \result == power(x,n);
  @*/
long imp(long x, int n) {
  long r = 1, p = x;
  int e = n;

  /*@ loop invariant
    @   0 <= e && r * power(p,e) == power(x,n);
    @ loop variant e;
    @*/
  while (e > 0) {
    if (e % 2 != 0) r *= p;
    p *= p;
    e /= 2;
  }
  return r;
}
========== frama-c -jessie execution ==========
[kernel] Parsing FRAMAC_SHARE/libc/__fc_builtin_for_normalization.i (no preprocessing)
[kernel] Parsing tests/c/power.c (with preprocessing)
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/power.jessie
[jessie] File tests/c/power.jessie/power.jc written.
[jessie] File tests/c/power.jessie/power.cloc written.
========== file tests/c/power.jessie/power.jc ==========
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

tag unsigned_charP = {
  integer unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  integer charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

axiomatic Power {

  logic integer power(integer x, integer n)
  
}

lemma power_aux :
(\forall integer x_0;
  (\forall integer n_0;
    ((n_0 >= 0) ==>
      (\int_pow(x_0, ((2 * n_0) + 0)) == \int_pow((x_0 * x_0), n_0)))))

lemma power_even :
(\forall integer x_1;
  (\forall integer n_1;
    (((n_1 >= 0) && ((n_1 % 2) == 0)) ==>
      (\int_pow(x_1, n_1) == \int_pow((x_1 * x_1), (n_1 / 2))))))

lemma power_odd :
(\forall integer x_2;
  (\forall integer n_2;
    (((n_2 >= 0) && ((n_2 % 2) != 0)) ==>
      (\int_pow(x_2, n_2) == (x_2 * \int_pow((x_2 * x_2), (n_2 / 2)))))))

integer rec(integer x_0, integer n_2)
  requires (_C_12 : (0 <= n_2));
  decreases (_C_13 : n_2);
behavior default:
  ensures (_C_11 : (\result == \int_pow(\at(x_0,Old), \at(n_2,Old))));
{  
   (var integer r);
   
   (var integer __retres);
   
   {  (if (n_2 == 0) then 
      {  (_C_1 : (__retres = 1));
         
         (goto return_label)
      } else ());
      (_C_4 : (r = (_C_3 : rec(x_0, (_C_2 : (n_2 / 2))))));
      (if ((_C_7 : (n_2 % 2)) == 0) then 
      {  (_C_6 : (__retres = (_C_5 : (r * r))));
         
         (goto return_label)
      } else ());
      (_C_10 : (__retres = (_C_9 : ((_C_8 : (r * r)) * x_0))));
      (return_label : 
      (return __retres))
   }
}

lemma power_even2 :
(\forall integer x_3;
  (\forall integer n_3;
    (((n_3 >= 0) && ((n_3 % 2) == 0)) ==>
      (\int_pow(x_3, n_3) ==
        (\int_pow(x_3, (n_3 / 2)) * \int_pow(x_3, (n_3 / 2)))))))

lemma power_odd2 :
(\forall integer x_4;
  (\forall integer n_4;
    (((n_4 >= 0) && ((n_4 % 2) != 0)) ==>
      (\int_pow(x_4, n_4) ==
        ((x_4 * \int_pow(x_4, (n_4 / 2))) * \int_pow(x_4, (n_4 / 2)))))))

integer imp(integer x, integer n_1)
  requires (_C_29 : (0 <= n_1));
behavior default:
  ensures (_C_28 : (\result == \int_pow(\at(x,Old), \at(n_1,Old))));
{  
   (var integer r_0);
   
   (var integer p);
   
   (var integer e);
   
   {  (_C_14 : (r_0 = 1));
      (_C_15 : (p = x));
      (_C_16 : (e = n_1));
      
      loop 
      behavior default:
        invariant (_C_18 : ((_C_19 : (0 <= e)) &&
                             (_C_20 : ((r_0 * \int_pow(p, e)) ==
                                        \int_pow(x, n_1)))));
      variant (_C_17 : e);
      while (true)
      {  
         {  (if (e > 0) then () else 
            (goto while_0_break));
            
            {  (if ((_C_23 : (e % 2)) != 0) then (_C_22 : (r_0 = (_C_21 : 
                                                                 (r_0 *
                                                                   p)))) else ());
               (_C_25 : (p = (_C_24 : (p * p))));
               (_C_27 : (e = (_C_26 : (e / 2))))
            }
         }
      };
      (while_0_break : ());
      
      (return r_0)
   }
}
========== file tests/c/power.jessie/power.cloc ==========
[_C_28]
file = "HOME/tests/c/power.c"
line = 86
begin = 12
end = 33

[rec]
name = "Function rec"
file = "HOME/tests/c/power.c"
line = 65
begin = 5
end = 8

[_C_4]
file = "HOME/tests/c/power.c"
line = 67
begin = 11
end = 22

[power_odd2]
name = "Lemma power_odd2"
file = "HOME/tests/c/power.c"
line = 80
begin = 7
end = 131

[_C_23]
file = "HOME/tests/c/power.c"
line = 97
begin = 8
end = 13

[_C_19]
file = "HOME/tests/c/power.c"
line = 93
begin = 8
end = 14

[_C_13]
file = "HOME/tests/c/power.c"
line = 62
begin = 14
end = 15

[_C_5]
file = "HOME/tests/c/power.c"
line = 68
begin = 27
end = 30

[_C_12]
file = "HOME/tests/c/power.c"
line = 61
begin = 16
end = 22

[_C_22]
file = "HOME/tests/c/power.c"
line = 97
begin = 20
end = 26

[_C_9]
file = "HOME/tests/c/power.c"
line = 69
begin = 9
end = 14

[_C_6]
file = "HOME/tests/c/power.c"
line = 68
begin = 20
end = 31

[_C_24]
file = "HOME/tests/c/power.c"
line = 98
begin = 4
end = 10

[_C_20]
file = "HOME/tests/c/power.c"
line = 93
begin = 18
end = 46

[power_even]
name = "Lemma power_even"
file = "HOME/tests/c/power.c"
line = 51
begin = 7
end = 114

[power_even2]
name = "Lemma power_even2"
file = "HOME/tests/c/power.c"
line = 75
begin = 7
end = 128

[_C_3]
file = "HOME/tests/c/power.c"
line = 67
begin = 11
end = 22

[power_aux]
name = "Lemma power_aux"
file = "HOME/tests/c/power.c"
line = 46
begin = 7
end = 101

[_C_17]
file = "HOME/tests/c/power.c"
line = 94
begin = 19
end = 20

[_C_7]
file = "HOME/tests/c/power.c"
line = 68
begin = 7
end = 12

[_C_27]
file = "HOME/tests/c/power.c"
line = 99
begin = 4
end = 10

[_C_15]
file = "HOME/tests/c/power.c"
line = 89
begin = 2
end = 6

[_C_26]
file = "HOME/tests/c/power.c"
line = 99
begin = 4
end = 10

[_C_10]
file = "HOME/tests/c/power.c"
line = 69
begin = 2
end = 15

[_C_8]
file = "HOME/tests/c/power.c"
line = 69
begin = 9
end = 12

[_C_18]
file = "HOME/tests/c/power.c"
line = 93
begin = 8
end = 46

[_C_29]
file = "HOME/tests/c/power.c"
line = 85
begin = 16
end = 22

[_C_14]
file = "HOME/tests/c/power.c"
line = 89
begin = 2
end = 6

[imp]
name = "Function imp"
file = "HOME/tests/c/power.c"
line = 88
begin = 5
end = 8

[_C_2]
file = "HOME/tests/c/power.c"
line = 67
begin = 18
end = 21

[power_odd]
name = "Lemma power_odd"
file = "HOME/tests/c/power.c"
line = 56
begin = 7
end = 117

[_C_16]
file = "HOME/tests/c/power.c"
line = 90
begin = 2
end = 5

[_C_1]
file = "HOME/tests/c/power.c"
line = 66
begin = 14
end = 23

[_C_25]
file = "HOME/tests/c/power.c"
line = 98
begin = 4
end = 10

[_C_11]
file = "HOME/tests/c/power.c"
line = 63
begin = 12
end = 33

[_C_21]
file = "HOME/tests/c/power.c"
line = 97
begin = 20
end = 26

========== jessie execution ==========
Generating Why function rec_0
Generating Why function imp
========== file tests/c/power.jessie/power.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/power_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: power.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: power.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: power.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/c/power.jessie/power.loc ==========
[rec_safety]
name = "Function rec"
behavior = "Safety"
file = "HOME/tests/c/power.c"
line = 65
begin = 5
end = 8

[JC_31]
file = "HOME/tests/c/power.jessie/power.jc"
line = 109
begin = 6
end = 716

[JC_17]
kind = DivByZero
file = "HOME/tests/c/power.c"
line = 68
begin = 7
end = 12

[power_odd2]
name = "Lemma power_odd2"
behavior = "lemma"
file = "HOME/tests/c/power.c"
line = 80
begin = 7
end = 131

[JC_23]
file = "HOME/tests/c/power.c"
line = 86
begin = 12
end = 33

[JC_22]
file = "HOME/tests/c/power.c"
line = 86
begin = 12
end = 33

[JC_5]
file = "HOME/tests/c/power.c"
line = 63
begin = 12
end = 33

[JC_9]
kind = DivByZero
file = "HOME/tests/c/power.c"
line = 67
begin = 18
end = 21

[JC_24]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_25]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_41]
kind = DivByZero
file = "HOME/tests/c/power.c"
line = 97
begin = 8
end = 13

[JC_26]
file = "HOME/tests/c/power.c"
line = 93
begin = 8
end = 14

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
kind = VarDecr
file = "HOME/tests/c/power.c"
line = 67
begin = 11
end = 22

[rec_ensures_default]
name = "Function rec"
behavior = "default behavior"
file = "HOME/tests/c/power.c"
line = 65
begin = 5
end = 8

[JC_11]
file = "HOME/tests/c/power.c"
line = 62
begin = 14
end = 15

[JC_15]
kind = DivByZero
file = "HOME/tests/c/power.c"
line = 67
begin = 18
end = 21

[JC_36]
file = "HOME/tests/c/power.c"
line = 93
begin = 18
end = 46

[JC_39]
file = "HOME/tests/c/power.jessie/power.jc"
line = 109
begin = 6
end = 716

[JC_40]
file = "HOME/tests/c/power.jessie/power.jc"
line = 109
begin = 6
end = 716

[JC_35]
file = "HOME/tests/c/power.c"
line = 93
begin = 8
end = 14

[power_even]
name = "Lemma power_even"
behavior = "lemma"
file = "HOME/tests/c/power.c"
line = 51
begin = 7
end = 114

[power_even2]
name = "Lemma power_even2"
behavior = "lemma"
file = "HOME/tests/c/power.c"
line = 75
begin = 7
end = 128

[JC_27]
file = "HOME/tests/c/power.c"
line = 93
begin = 18
end = 46

[imp_ensures_default]
name = "Function imp"
behavior = "default behavior"
file = "HOME/tests/c/power.c"
line = 88
begin = 5
end = 8

[JC_38]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_12]
file = "HOME/tests/c/power.c"
line = 62
begin = 14
end = 15

[JC_6]
file = "HOME/tests/c/power.c"
line = 63
begin = 12
end = 33

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[power_aux]
name = "Lemma power_aux"
behavior = "lemma"
file = "HOME/tests/c/power.c"
line = 46
begin = 7
end = 101

[JC_42]
kind = DivByZero
file = "HOME/tests/c/power.c"
line = 99
begin = 4
end = 10

[JC_32]
kind = DivByZero
file = "HOME/tests/c/power.c"
line = 97
begin = 8
end = 13

[JC_33]
kind = DivByZero
file = "HOME/tests/c/power.c"
line = 99
begin = 4
end = 10

[JC_29]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
kind = UserCall
file = "HOME/tests/c/power.c"
line = 67
begin = 11
end = 22

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
file = "HOME/tests/c/power.c"
line = 94
begin = 19
end = 20

[JC_14]
kind = DivByZero
file = "HOME/tests/c/power.c"
line = 68
begin = 7
end = 12

[JC_21]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1]
file = "HOME/tests/c/power.c"
line = 61
begin = 16
end = 22

[imp_safety]
name = "Function imp"
behavior = "Safety"
file = "HOME/tests/c/power.c"
line = 88
begin = 5
end = 8

[JC_37]
file = "HOME/tests/c/power.c"
line = 93
begin = 8
end = 46

[JC_10]
kind = UserCall
file = "HOME/tests/c/power.c"
line = 67
begin = 11
end = 22

[power_odd]
name = "Lemma power_odd"
behavior = "lemma"
file = "HOME/tests/c/power.c"
line = 56
begin = 7
end = 117

[JC_20]
file = "HOME/tests/c/power.c"
line = 85
begin = 16
end = 22

[JC_18]
file = "HOME/tests/c/power.c"
line = 85
begin = 16
end = 22

[JC_3]
file = "HOME/tests/c/power.c"
line = 61
begin = 16
end = 22

[JC_19]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/tests/c/power.jessie/power.jc"
line = 109
begin = 6
end = 716

[JC_28]
file = "HOME/tests/c/power.c"
line = 93
begin = 8
end = 46

========== file tests/c/power.jessie/why/power.why ==========
type charP

type padding

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

logic power: int, int -> int

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

lemma power_aux :
 (forall x_0_1:int.
  (forall n_0:int.
   (ge_int(n_0, (0)) ->
    (pow_int(x_0_1, add_int(mul_int((2), n_0), (0))) = pow_int(mul_int(x_0_1,
                                                               x_0_1),
                                                       n_0)))))

lemma power_even :
 (forall x_1_0:int.
  (forall n_1_0:int.
   ((ge_int(n_1_0, (0)) and (computer_mod(n_1_0, (2)) = (0))) ->
    (pow_int(x_1_0, n_1_0) = pow_int(mul_int(x_1_0, x_1_0),
                             computer_div(n_1_0, (2)))))))

lemma power_odd :
 (forall x_2:int.
  (forall n_2_0:int.
   ((ge_int(n_2_0, (0)) and (computer_mod(n_2_0, (2)) <> (0))) ->
    (pow_int(x_2, n_2_0) = mul_int(x_2,
                           pow_int(mul_int(x_2, x_2),
                           computer_div(n_2_0, (2))))))))

lemma power_even2 :
 (forall x_3:int.
  (forall n_3:int.
   ((ge_int(n_3, (0)) and (computer_mod(n_3, (2)) = (0))) ->
    (pow_int(x_3, n_3) = mul_int(pow_int(x_3, computer_div(n_3, (2))),
                         pow_int(x_3, computer_div(n_3, (2))))))))

lemma power_odd2 :
 (forall x_4:int.
  (forall n_4:int.
   ((ge_int(n_4, (0)) and (computer_mod(n_4, (2)) <> (0))) ->
    (pow_int(x_4, n_4) = mul_int(mul_int(x_4,
                                 pow_int(x_4, computer_div(n_4, (2)))),
                         pow_int(x_4, computer_div(n_4, (2))))))))

exception Goto_while_0_break_exc of unit

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter imp :
 x_1:int -> n_1:int -> { } int { (JC_23: (result = pow_int(x_1, n_1))) }

parameter imp_requires :
 x_1:int ->
  n_1:int ->
   { (JC_18: le_int((0), n_1))} int { (JC_23: (result = pow_int(x_1, n_1))) }

parameter rec_0 :
 x_0_0:int -> n_2:int -> { } int { (JC_6: (result = pow_int(x_0_0, n_2))) }

parameter rec_0_requires :
 x_0_0:int ->
  n_2:int ->
   { (JC_1: le_int((0), n_2))} int { (JC_6: (result = pow_int(x_0_0, n_2))) }

let imp_ensures_default =
 fun (x_1 : int) (n_1 : int) ->
  { (JC_20: le_int((0), n_1)) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let r_0 = ref (any_int void) in
     (let p = ref (any_int void) in
     (let e = ref (any_int void) in
     try
      begin
        (let _jessie_ = (r_0 := (1)) in void);
       (let _jessie_ = (p := x_1) in void);
       (let _jessie_ = (e := n_1) in void);
       (loop_2:
       begin
         while true do
         { invariant
             (JC_37:
             ((JC_35: le_int((0), e))
             and (JC_36: (mul_int(r_0, pow_int(p, e)) = pow_int(x_1, n_1)))))
            }
          begin
            [ { } unit { true } ];
           try
            begin
              (let _jessie_ =
              begin
                (if ((gt_int_ !e) (0)) then void
                else (raise (Goto_while_0_break_exc void)));
               (if ((neq_int_ (JC_41: ((computer_mod !e) (2)))) (0))
               then (let _jessie_ = (r_0 := ((mul_int !r_0) !p)) in void)
               else void);
               (let _jessie_ = (p := ((mul_int !p) !p)) in void);
               (e := (JC_42: ((computer_div !e) (2)))); !e end in void);
             (raise (Loop_continue_exc void)) end with
            Loop_continue_exc _jessie_ -> void end end done;
        (raise (Goto_while_0_break_exc void)) end) end with
      Goto_while_0_break_exc _jessie_ ->
      (while_0_break: begin   void; (return := !r_0); (raise Return) end) end)));
    absurd  end with Return -> !return end))
  { (JC_22: (result = pow_int(x_1, n_1))) } 

let imp_safety =
 fun (x_1 : int) (n_1 : int) ->
  { (JC_20: le_int((0), n_1)) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let r_0 = ref (any_int void) in
     (let p = ref (any_int void) in
     (let e = ref (any_int void) in
     try
      begin
        (let _jessie_ = (r_0 := (1)) in void);
       (let _jessie_ = (p := x_1) in void);
       (let _jessie_ = (e := n_1) in void);
       (loop_1:
       begin
         while true do
         { invariant (JC_30: true) variant (JC_34 : e) }
          begin
            [ { } unit reads e,p,r_0
              { (JC_28:
                ((JC_26: le_int((0), e))
                and (JC_27:
                    (mul_int(r_0, pow_int(p, e)) = pow_int(x_1, n_1))))) } ];
           try
            begin
              (let _jessie_ =
              begin
                (if ((gt_int_ !e) (0)) then void
                else (raise (Goto_while_0_break_exc void)));
               (if ((neq_int_ (JC_32: ((computer_mod_ !e) (2)))) (0))
               then (let _jessie_ = (r_0 := ((mul_int !r_0) !p)) in void)
               else void);
               (let _jessie_ = (p := ((mul_int !p) !p)) in void);
               (e := (JC_33: ((computer_div_ !e) (2)))); !e end in void);
             (raise (Loop_continue_exc void)) end with
            Loop_continue_exc _jessie_ -> void end end done;
        (raise (Goto_while_0_break_exc void)) end) end with
      Goto_while_0_break_exc _jessie_ ->
      (while_0_break: begin   void; (return := !r_0); (raise Return) end) end)));
    absurd  end with Return -> !return end)) { true } 

let rec_ensures_default =
 fun (x_0_0 : int) (n_2 : int) ->
  { (JC_3: le_int((0), n_2)) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let r = ref (any_int void) in
     (let __retres = ref (any_int void) in
     try
      begin
        (if ((eq_int_ n_2) (0))
        then
         begin
           (let _jessie_ = (__retres := (1)) in void);
          (raise (Return_label_exc void)) end else void);
       (let _jessie_ =
       (r := (let _jessie_ = x_0_0 in
             (let _jessie_ = (JC_15: ((computer_div n_2) (2))) in
             (JC_16: ((rec_0 _jessie_) _jessie_))))) in void);
       (if ((eq_int_ (JC_17: ((computer_mod n_2) (2)))) (0))
       then
        begin
          (let _jessie_ = (__retres := ((mul_int !r) !r)) in void);
         (raise (Return_label_exc void)) end else void);
       (let _jessie_ = (__retres := ((mul_int ((mul_int !r) !r)) x_0_0)) in
       void); (raise (Return_label_exc void)) end with
      Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres); (raise Return) end) end));
    absurd  end with Return -> !return end))
  { (JC_5: (result = pow_int(x_0_0, n_2))) } 

let rec_safety =
 fun (x_0_0 : int) (n_2 : int) ->
  { (JC_3: le_int((0), n_2)) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let r = ref (any_int void) in
     (let __retres = ref (any_int void) in
     try
      begin
        (if ((eq_int_ n_2) (0))
        then
         begin
           (let _jessie_ = (__retres := (1)) in void);
          (raise (Return_label_exc void)) end else void);
       (let _jessie_ =
       (r := (let _jessie_ = x_0_0 in
             (let _jessie_ = (JC_9: ((computer_div_ n_2) (2))) in
             (JC_13:
             (check { zwf_zero((JC_12 : _jessie_), (JC_11 : n_2)) };
             (JC_10: ((rec_0_requires _jessie_) _jessie_))))))) in void);
       (if ((eq_int_ (JC_14: ((computer_mod_ n_2) (2)))) (0))
       then
        begin
          (let _jessie_ = (__retres := ((mul_int !r) !r)) in void);
         (raise (Return_label_exc void)) end else void);
       (let _jessie_ = (__retres := ((mul_int ((mul_int !r) !r)) x_0_0)) in
       void); (raise (Return_label_exc void)) end with
      Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres); (raise Return) end) end));
    absurd  end with Return -> !return end)) { true } 


why-2.39/tests/c/oracle/binary_heap.err.oracle0000644000106100004300000000000013147234006020307 0ustar  marchevalswhy-2.39/tests/c/oracle/isqrt2.err.oracle0000644000106100004300000000000013147234006017252 0ustar  marchevalswhy-2.39/tests/c/oracle/my_cosine.res.oracle0000644000106100004300000000752713147234006020041 0ustar  marchevals========== file tests/c/my_cosine.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

// does not work: RUN GAPPA: will ask regtests to run Gappa on this program
// does not work anymore: RUN COQ: use why3 instead


/*@ lemma method_error: \forall real x;
  @     \abs(x) <= 0x1p-5 ==> \abs(1.0 - x*x*0.5 - \cos(x)) <= 0x1p-24;
  @*/

/*@ requires \abs(x) <= 0x1p-5;
  @ ensures \abs(\result - \cos(x)) <= 0x1p-23;
  @*/
float my_cos1(float x) {
  //@ assert \abs(1.0 - x*x*0.5 - \cos(x)) <= 0x1p-24;
  return 1.0f - x * x * 0.5f;
}


/*@ requires \abs(x) <= 0x1p-5 && \round_error(x) == 0.0;
  @ ensures \abs(\result - \cos(x)) <= 0x1p-23;
  @*/
float my_cos2(float x) {
  //@ assert \exact(x) == x;
  float r = 1.0f - x * x * 0.5f;
  //@ assert \abs(\exact(r) - \cos(x)) <= 0x1p-24;
  return r;
}


/*@ requires \abs(\exact(x)) <= 0x1p-5
  @     && \round_error(x) <= 0x1p-20;
  @ ensures \abs(\exact(\result) - \cos(\exact(x))) <= 0x1p-24
  @     && \round_error(\result) <= \round_error(x) + 0x3p-24;
  @*/
float my_cos3(float x) {
  float r = 1.0f - x * x * 0.5f;
  //@ assert \abs(\exact(r) - \cos(\exact(x))) <= 0x1p-24;  // by interval
  return r;
}

/*@ requires \abs(x) <= 0x9p-7; // 0.070... 
  @ ensures \abs(\result - \cos(x)) <= 0x1.3p-20;
  @*/
float my_cos4(float x) {
  //@ assert \abs(1.0 - x*x*0.5 - \cos(x)) <= 0x1.2p-20;
  return 1.0f - x * x * 0.5f;
}


/*
Local Variables:
compile-command: "make my_cosine.why3ide"
End:
*/


========== frama-c -jessie execution ==========
[kernel] user error: option `-jessie' is unknown.
                     use `frama-c -help' for more information.
[kernel] Frama-C aborted: invalid user input.
why-2.39/tests/c/oracle/eps_line2.err.oracle0000644000106100004300000000000013147234006017706 0ustar  marchevalswhy-2.39/tests/c/oracle/exp.res.oracle0000644000106100004300000005620413147234006016644 0ustar  marchevals========== file tests/c/exp.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/*@ requires \abs(x) <= 1.0;
  @ ensures \abs(\result - \exp(x)) <= 0x1p-4; */
double my_exp(double x) {
  /*@ assert \abs(0.9890365552 + 1.130258690*x + 
    @          0.5540440796*x*x - \exp(x)) <= 0x0.FFFFp-4; */
  return 0.9890365552 + 1.130258690 * x + 0.5540440796 * x * x;
}



/*
Local Variables:
compile-command: "make exp.why3ide"
End:
*/


========== frama-c -jessie execution ==========
[kernel] Parsing FRAMAC_SHARE/libc/__fc_builtin_for_normalization.i (no preprocessing)
[kernel] Parsing tests/c/exp.c (with preprocessing)
tests/c/exp.c:37:[kernel] warning: Floating-point constant 0.9890365552 is not represented exactly. Will use 0x1.fa62ffd643d6ep-1. See documentation for option -warn-decimal-float
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/exp.jessie
[jessie] File tests/c/exp.jessie/exp.jc written.
[jessie] File tests/c/exp.jessie/exp.cloc written.
========== file tests/c/exp.jessie/exp.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type int8 = -128..127

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

double my_exp(double x)
  requires (_C_9 : (\real_abs((x :> real)) <= 1.0));
behavior default:
  ensures (_C_8 : (\real_abs(((\result :> real) - \exp((\at(x,Old) :> real)))) <=
                    0x1p-4));
{  
   (var double __retres);
   
   {  
      {  
         (assert for default: (_C_1 : (jessie : (\real_abs((((0.9890365552 +
                                                               (1.130258690 *
                                                                 (x :> real))) +
                                                              ((0.5540440796 *
                                                                 (x :> real)) *
                                                                (x :> real))) -
                                                             \exp((x :> real)))) <=
                                                  0x0.FFFFp-4))));
         ()
      };
      
      {  (_C_7 : (__retres = (_C_6 : ((_C_5 : ((0.9890365552 :> double) +
                                                (_C_4 : ((1.130258690 :> double) *
                                                          x)))) +
                                       (_C_3 : ((_C_2 : ((0.5540440796 :> double) *
                                                          x)) *
                                                 x))))));
         
         (return __retres)
      }
   }
}
========== file tests/c/exp.jessie/exp.cloc ==========
[_C_4]
file = "HOME/tests/c/exp.c"
line = 37
begin = 24
end = 39

[_C_5]
file = "HOME/tests/c/exp.c"
line = 37
begin = 9
end = 39

[_C_9]
file = "HOME/tests/c/exp.c"
line = 32
begin = 16
end = 30

[_C_6]
file = "HOME/tests/c/exp.c"
line = 37
begin = 9
end = 62

[my_exp]
name = "Function my_exp"
file = "HOME/tests/c/exp.c"
line = 34
begin = 7
end = 13

[_C_3]
file = "HOME/tests/c/exp.c"
line = 37
begin = 42
end = 62

[_C_7]
file = "HOME/tests/c/exp.c"
line = 37
begin = 2
end = 63

[_C_8]
file = "HOME/tests/c/exp.c"
line = 33
begin = 12
end = 45

[_C_2]
file = "HOME/tests/c/exp.c"
line = 37
begin = 42
end = 58

[_C_1]
file = "HOME/tests/c/exp.c"
line = 35
begin = 18
end = 111

========== jessie execution ==========
Generating Why function my_exp
========== file tests/c/exp.jessie/exp.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why $(WHYLIB)/why/floats_strict.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/exp_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: exp.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: exp.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: exp.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/c/exp.jessie/exp.loc ==========
[my_exp_ensures_default]
name = "Function my_exp"
behavior = "default behavior"
file = "HOME/tests/c/exp.c"
line = 34
begin = 7
end = 13

[JC_17]
kind = FPOverflow
file = "HOME/tests/c/exp.c"
line = 37
begin = 9
end = 62

[JC_23]
kind = FPOverflow
file = "HOME/tests/c/exp.c"
line = 37
begin = 9
end = 62

[JC_22]
kind = FPOverflow
file = "HOME/tests/c/exp.c"
line = 37
begin = 42
end = 62

[JC_5]
file = "HOME/tests/c/exp.c"
line = 33
begin = 12
end = 45

[JC_9]
file = "HOME/tests/c/exp.c"
line = 35
begin = 18
end = 111

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
kind = FPOverflow
file = "HOME/tests/c/exp.c"
line = 37
begin = 9
end = 39

[JC_11]
kind = FPOverflow
file = "HOME/tests/c/exp.jessie/exp.jc"
line = 56
begin = 57
end = 80

[JC_15]
kind = FPOverflow
file = "HOME/tests/c/exp.c"
line = 37
begin = 42
end = 58

[JC_12]
kind = FPOverflow
file = "HOME/tests/c/exp.c"
line = 37
begin = 24
end = 39

[JC_6]
file = "HOME/tests/c/exp.c"
line = 33
begin = 12
end = 45

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[my_exp_safety]
name = "Function my_exp"
behavior = "Safety"
file = "HOME/tests/c/exp.c"
line = 34
begin = 7
end = 13

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
kind = FPOverflow
file = "HOME/tests/c/exp.c"
line = 37
begin = 42
end = 62

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
kind = FPOverflow
file = "HOME/tests/c/exp.jessie/exp.jc"
line = 58
begin = 57
end = 81

[JC_21]
kind = FPOverflow
file = "HOME/tests/c/exp.c"
line = 37
begin = 42
end = 58

[JC_1]
file = "HOME/tests/c/exp.c"
line = 32
begin = 16
end = 30

[JC_10]
kind = FPOverflow
file = "HOME/tests/c/exp.jessie/exp.jc"
line = 55
begin = 47
end = 71

[JC_20]
kind = FPOverflow
file = "HOME/tests/c/exp.c"
line = 37
begin = 9
end = 39

[JC_18]
file = "HOME/tests/c/exp.c"
line = 35
begin = 18
end = 111

[JC_3]
file = "HOME/tests/c/exp.c"
line = 32
begin = 16
end = 30

[JC_19]
kind = FPOverflow
file = "HOME/tests/c/exp.c"
line = 37
begin = 24
end = 39

========== file tests/c/exp.jessie/why/exp.why ==========
type charP

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter my_exp :
 x_0:double ->
  { } double
  { (JC_6:
    le_real(abs_real(sub_real(double_value(result), exp(double_value(x_0)))),
    0x1p-4)) }

parameter my_exp_requires :
 x_0:double ->
  { (JC_1: le_real(abs_real(double_value(x_0)), 1.0))} double
  { (JC_6:
    le_real(abs_real(sub_real(double_value(result), exp(double_value(x_0)))),
    0x1p-4)) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let my_exp_ensures_default =
 fun (x_0 : double) ->
  { (JC_3: le_real(abs_real(double_value(x_0)), 1.0)) }
  (init:
  (let return = ref (any_double void) in
  try
   begin
     (let __retres = ref (any_double void) in
     begin
       (assert
       { (JC_18:
         le_real(abs_real(sub_real(add_real(add_real(0.9890365552,
                                            mul_real(1.130258690,
                                            double_value(x_0))),
                                   mul_real(mul_real(0.5540440796,
                                            double_value(x_0)),
                                   double_value(x_0))),
                          exp(double_value(x_0)))),
         0x0.FFFFp-4)) }; void); void;
      (let _jessie_ =
      (__retres := (JC_23:
                   (((add_double_safe nearest_even) (JC_20:
                                                    (((add_double_safe nearest_even) 
                                                      ((double_of_real_safe nearest_even) 0.9890365552)) 
                                                     (JC_19:
                                                     (((mul_double_safe nearest_even) 
                                                       ((double_of_real_safe nearest_even) 1.130258690)) x_0))))) 
                    (JC_22:
                    (((mul_double_safe nearest_even) (JC_21:
                                                     (((mul_double_safe nearest_even) 
                                                       ((double_of_real_safe nearest_even) 0.5540440796)) x_0))) x_0))))) in
      void); (return := !__retres); (raise Return) end); absurd  end with
   Return -> !return end))
  { (JC_5:
    le_real(abs_real(sub_real(double_value(result), exp(double_value(x_0)))),
    0x1p-4)) } 

let my_exp_safety =
 fun (x_0 : double) ->
  { (JC_3: le_real(abs_real(double_value(x_0)), 1.0)) }
  (init:
  (let return = ref (any_double void) in
  try
   begin
     (let __retres = ref (any_double void) in
     begin
       [ { } unit
         { (JC_9:
           le_real(abs_real(sub_real(add_real(add_real(0.9890365552,
                                              mul_real(1.130258690,
                                              double_value(x_0))),
                                     mul_real(mul_real(0.5540440796,
                                              double_value(x_0)),
                                     double_value(x_0))),
                            exp(double_value(x_0)))),
           0x0.FFFFp-4)) } ]; void;
      (let _jessie_ =
      (__retres := (JC_17:
                   (((add_double nearest_even) (JC_13:
                                               (((add_double nearest_even) 
                                                 (JC_10:
                                                 ((double_of_real nearest_even) 0.9890365552))) 
                                                (JC_12:
                                                (((mul_double nearest_even) 
                                                  (JC_11:
                                                  ((double_of_real nearest_even) 1.130258690))) x_0))))) 
                    (JC_16:
                    (((mul_double nearest_even) (JC_15:
                                                (((mul_double nearest_even) 
                                                  (JC_14:
                                                  ((double_of_real nearest_even) 0.5540440796))) x_0))) x_0))))) in
      void); (return := !__retres); (raise Return) end); absurd  end with
   Return -> !return end)) { true } 


why-2.39/tests/c/oracle/Sterbenz.res.oracle0000644000106100004300000004750713147234006017652 0ustar  marchevals========== file tests/c/Sterbenz.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

// RUNCOQ: will ask regtests to check Coq proofs of this program

/*@ requires  y / 2.0 <= x <= 2.0 * y;
  @ ensures   \result == x - y;
  @*/
float Sterbenz(float x, float y) {
  //@ assert 0.0 <= y;
  //@ assert 0.0 <= x;
  return x-y;
}


/*
Local Variables:
compile-command: "make Sterbenz.why3ide"
End:
*/
========== frama-c -jessie execution ==========
[kernel] Parsing FRAMAC_SHARE/libc/__fc_builtin_for_normalization.i (no preprocessing)
[kernel] Parsing tests/c/Sterbenz.c (with preprocessing)
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/Sterbenz.jessie
[jessie] File tests/c/Sterbenz.jessie/Sterbenz.jc written.
[jessie] File tests/c/Sterbenz.jessie/Sterbenz.cloc written.
========== file tests/c/Sterbenz.jessie/Sterbenz.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type int8 = -128..127

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

float Sterbenz(float x, float y)
  requires (_C_6 : ((_C_7 : (((y :> real) / 2.0) <= (x :> real))) &&
                     (_C_8 : ((x :> real) <= (2.0 * (y :> real))))));
behavior default:
  ensures (_C_5 : ((\result :> real) ==
                    ((\at(x,Old) :> real) - (\at(y,Old) :> real))));
{  
   (var float __retres);
   
   {  
      {  
         (assert for default: (_C_1 : (jessie : (0.0 <= (y :> real)))));
         ()
      };
      
      {  
         (assert for default: (_C_2 : (jessie : (0.0 <= (x :> real)))));
         ()
      };
      
      {  (_C_4 : (__retres = (_C_3 : (x - y))));
         
         (return __retres)
      }
   }
}
========== file tests/c/Sterbenz.jessie/Sterbenz.cloc ==========
[_C_4]
file = "HOME/tests/c/Sterbenz.c"
line = 40
begin = 2
end = 13

[_C_5]
file = "HOME/tests/c/Sterbenz.c"
line = 35
begin = 12
end = 28

[_C_6]
file = "HOME/tests/c/Sterbenz.c"
line = 34
begin = 16
end = 39

[_C_3]
file = "HOME/tests/c/Sterbenz.c"
line = 40
begin = 9
end = 12

[Sterbenz]
name = "Function Sterbenz"
file = "HOME/tests/c/Sterbenz.c"
line = 37
begin = 6
end = 14

[_C_7]
file = "HOME/tests/c/Sterbenz.c"
line = 34
begin = 16
end = 28

[_C_8]
file = "HOME/tests/c/Sterbenz.c"
line = 34
begin = 27
end = 39

[_C_2]
file = "HOME/tests/c/Sterbenz.c"
line = 39
begin = 18
end = 26

[_C_1]
file = "HOME/tests/c/Sterbenz.c"
line = 38
begin = 18
end = 26

========== jessie execution ==========
Generating Why function Sterbenz
========== file tests/c/Sterbenz.jessie/Sterbenz.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why $(WHYLIB)/why/floats_strict.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/Sterbenz_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: Sterbenz.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: Sterbenz.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: Sterbenz.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/c/Sterbenz.jessie/Sterbenz.loc ==========
[JC_17]
file = "HOME/tests/c/Sterbenz.c"
line = 39
begin = 18
end = 26

[Sterbenz_ensures_default]
name = "Function Sterbenz"
behavior = "default behavior"
file = "HOME/tests/c/Sterbenz.c"
line = 37
begin = 6
end = 14

[JC_5]
file = "HOME/tests/c/Sterbenz.c"
line = 34
begin = 16
end = 28

[JC_9]
file = "HOME/tests/c/Sterbenz.c"
line = 35
begin = 12
end = 28

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/tests/c/Sterbenz.c"
line = 38
begin = 18
end = 26

[JC_11]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_15]
kind = FPOverflow
file = "HOME/tests/c/Sterbenz.c"
line = 40
begin = 9
end = 12

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/tests/c/Sterbenz.c"
line = 34
begin = 27
end = 39

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[Sterbenz_safety]
name = "Function Sterbenz"
behavior = "Safety"
file = "HOME/tests/c/Sterbenz.c"
line = 37
begin = 6
end = 14

[JC_7]
file = "HOME/tests/c/Sterbenz.c"
line = 34
begin = 16
end = 39

[JC_16]
file = "HOME/tests/c/Sterbenz.c"
line = 38
begin = 18
end = 26

[JC_2]
file = "HOME/tests/c/Sterbenz.c"
line = 34
begin = 27
end = 39

[JC_14]
file = "HOME/tests/c/Sterbenz.c"
line = 39
begin = 18
end = 26

[JC_1]
file = "HOME/tests/c/Sterbenz.c"
line = 34
begin = 16
end = 28

[JC_10]
file = "HOME/tests/c/Sterbenz.c"
line = 35
begin = 12
end = 28

[JC_18]
kind = FPOverflow
file = "HOME/tests/c/Sterbenz.c"
line = 40
begin = 9
end = 12

[JC_3]
file = "HOME/tests/c/Sterbenz.c"
line = 34
begin = 16
end = 39

========== file tests/c/Sterbenz.jessie/why/Sterbenz.why ==========
type charP

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter Sterbenz :
 x_0:single ->
  y:single ->
   { } single
   { (JC_10:
     (single_value(result) = sub_real(single_value(x_0), single_value(y)))) }

parameter Sterbenz_requires :
 x_0:single ->
  y:single ->
   { (JC_3:
     ((JC_1: le_real(div_real(single_value(y), 2.0), single_value(x_0)))
     and (JC_2: le_real(single_value(x_0), mul_real(2.0, single_value(y))))))}
   single
   { (JC_10:
     (single_value(result) = sub_real(single_value(x_0), single_value(y)))) }

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let Sterbenz_ensures_default =
 fun (x_0 : single) (y : single) ->
  { (JC_7:
    ((JC_5: le_real(div_real(single_value(y), 2.0), single_value(x_0)))
    and (JC_6: le_real(single_value(x_0), mul_real(2.0, single_value(y)))))) }
  (init:
  (let return = ref (any_single void) in
  try
   begin
     (let __retres = ref (any_single void) in
     begin
       (assert { (JC_16: le_real(0.0, single_value(y))) }; void); void;
      (assert { (JC_17: le_real(0.0, single_value(x_0))) }; void); void;
      (let _jessie_ =
      (__retres := (JC_18: (((sub_single_safe nearest_even) x_0) y))) in
      void); (return := !__retres); (raise Return) end); absurd  end with
   Return -> !return end))
  { (JC_9:
    (single_value(result) = sub_real(single_value(x_0), single_value(y)))) } 

let Sterbenz_safety =
 fun (x_0 : single) (y : single) ->
  { (JC_7:
    ((JC_5: le_real(div_real(single_value(y), 2.0), single_value(x_0)))
    and (JC_6: le_real(single_value(x_0), mul_real(2.0, single_value(y)))))) }
  (init:
  (let return = ref (any_single void) in
  try
   begin
     (let __retres = ref (any_single void) in
     begin
       [ { } unit { (JC_13: le_real(0.0, single_value(y))) } ]; void;
      [ { } unit { (JC_14: le_real(0.0, single_value(x_0))) } ]; void;
      (let _jessie_ =
      (__retres := (JC_15: (((sub_single nearest_even) x_0) y))) in void);
      (return := !__retres); (raise Return) end); absurd  end with Return ->
   !return end)) { true } 


why-2.39/tests/c/oracle/float_sqrt.res.oracle0000644000106100004300000012032213147234006020217 0ustar  marchevals========== file tests/c/float_sqrt.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


/* contribution by Guillaume Melquiond */

// RUN GAPPA (does not work)

#pragma JessieFloatModel(defensive)

/*
 With some help, the Gappa tool is able to prove the postcondition of the
 sqrt function.

 First, it needs to know that Newton's iteration converges quadratically.
 This formula on relative errors is denoted by the newton_rel predicate.
 The newton states its general expression and it is proved by a short Coq
 script performing algebraic manipulations. The newton lemma is then
 instantiated by Alt-Ergo at each iteration of the loop to solve the
 three assertions about the predicate.

 In order to prove the postcondition, Gappa also needs to be told that
 the value computed after an iteration is close to both sqrt(x) and the
 value that would have been computed with an infinite precision. This is
 done by putting distance expressions into the context through three
 other assertions about the closeness predicate. They are much weaker
 than what Gappa will end up proving; they are only here to guide its
 heuristics.

 Finally, Gappa also needs to know about the inverse square root trick.
 That is what the assertion is for, and it is proved in Coq.
*/

/*@
 predicate newton_rel(real t, real x) =
   (0.5 * t * (3 - t * t * x) - 1/\sqrt(x)) / (1/\sqrt(x)) ==
     - (1.5 + 0.5 * ((t - 1/\sqrt(x)) / (1/\sqrt(x)))) *
     (((t - 1/\sqrt(x)) / (1/\sqrt(x))) * ((t - 1/\sqrt(x)) / (1/\sqrt(x))));

 lemma newton: \forall real t, x; x > 0. ==> newton_rel(t, x);

 predicate closeness(real u, real t, real x) =
   \abs(u - 0.5 * t * (3 - t * t * x)) <= 1 &&
   \abs(u - 1/\sqrt(x)) <= 1;
*/

/*@
 requires 0.5 <= x <= 2;
 ensures \abs(\result - 1/\sqrt(x)) <= 0x1p-6 * \abs(1/\sqrt(x));
*/
double sqrt_init(double x);

/*@
 requires 0.5 <= x <= 2;
 ensures \abs(\result - \sqrt(x)) <= 0x1p-43 * \abs(\sqrt(x));
*/
double sqrt(double x)
{
  double t, u;
  t = sqrt_init(x);

  u = 0.5 * t * (3 - t * t * x);
  //@ assert newton_rel(t, x);
  //@ assert closeness(u, t, x);
  t = u;

  u = 0.5 * t * (3 - t * t * x);
  //@ assert newton_rel(t, x);
  //@ assert closeness(u, t, x);
  t = u;

  u = 0.5 * t * (3 - t * t * x);
  //@ assert newton_rel(t, x);
  //@ assert closeness(u, t, x);
  t = u;

  //@ assert x * (1/\sqrt(x)) == \sqrt(x);
  return x * t;
}



/*
Local Variables:
compile-command: "make float_sqrt.why3ide"
End:
*/


========== frama-c -jessie execution ==========
[kernel] Parsing FRAMAC_SHARE/libc/__fc_builtin_for_normalization.i (no preprocessing)
[kernel] Parsing tests/c/float_sqrt.c (with preprocessing)
[jessie] Starting Jessie translation
tests/c/float_sqrt.c:85:[kernel] warning: No code nor implicit assigns clause for function sqrt_init, generating default assigns from the prototype
[jessie] Producing Jessie files in subdir tests/c/float_sqrt.jessie
[jessie] File tests/c/float_sqrt.jessie/float_sqrt.jc written.
[jessie] File tests/c/float_sqrt.jessie/float_sqrt.cloc written.
========== file tests/c/float_sqrt.jessie/float_sqrt.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol
# FloatModel = defensive

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type int8 = -128..127

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

predicate newton_rel(real t, real x) =
(((((0.5 * t) * (3 - ((t * t) * x))) - (1 / \real_sqrt(x))) /
   (1 / \real_sqrt(x))) ==
  ((- (1.5 + (0.5 * ((t - (1 / \real_sqrt(x))) / (1 / \real_sqrt(x)))))) *
    (((t - (1 / \real_sqrt(x))) / (1 / \real_sqrt(x))) *
      ((t - (1 / \real_sqrt(x))) / (1 / \real_sqrt(x))))))

lemma newton :
(\forall real t_0;
  (\forall real x_0;
    ((x_0 > 0.) ==> newton_rel(t_0, x_0))))

predicate closeness(real u, real t_1, real x_1) =
((\real_abs((u - ((0.5 * t_1) * (3 - ((t_1 * t_1) * x_1))))) <= 1) &&
  (\real_abs((u - (1 / \real_sqrt(x_1)))) <= 1))

double sqrt_init(double x_0)
  requires (_C_2 : ((_C_3 : (0.5 <= (x_0 :> real))) &&
                     (_C_4 : ((x_0 :> real) <= 2))));
behavior default:
  assigns \nothing;
  ensures (_C_1 : (\real_abs(((\result :> real) -
                               (1 / \real_sqrt((\at(x_0,Old) :> real))))) <=
                    (0x1p-6 *
                      \real_abs((1 / \real_sqrt((\at(x_0,Old) :> real)))))));
;

double sqrt(double x)
  requires (_C_41 : ((_C_42 : (0.5 <= (x :> real))) &&
                      (_C_43 : ((x :> real) <= 2))));
behavior default:
  ensures (_C_40 : (\real_abs(((\result :> real) -
                                \real_sqrt((\at(x,Old) :> real)))) <=
                     (0x1p-43 * \real_abs(\real_sqrt((\at(x,Old) :> real))))));
{  
   (var double t);
   
   (var double u);
   
   (var double __retres);
   
   {  (_C_6 : (t = (_C_5 : sqrt_init(x))));
      (_C_13 : (u = (_C_12 : ((_C_11 : ((0.5 :> double) * t)) *
                               (_C_10 : ((_C_9 : (3 :> double)) -
                                          (_C_8 : ((_C_7 : (t * t)) * x))))))));
      
      {  
         (assert for default: (_C_14 : (jessie : newton_rel((t :> real),
                                                            (x :> real)))));
         ()
      };
      
      {  
         (assert for default: (_C_15 : (jessie : closeness((u :> real),
                                                           (t :> real),
                                                           (x :> real)))));
         ()
      };
      (_C_16 : (t = u));
      (_C_23 : (u = (_C_22 : ((_C_21 : ((0.5 :> double) * t)) *
                               (_C_20 : ((_C_19 : (3 :> double)) -
                                          (_C_18 : ((_C_17 : (t * t)) * x))))))));
      
      {  
         (assert for default: (_C_24 : (jessie : newton_rel((t :> real),
                                                            (x :> real)))));
         ()
      };
      
      {  
         (assert for default: (_C_25 : (jessie : closeness((u :> real),
                                                           (t :> real),
                                                           (x :> real)))));
         ()
      };
      (_C_26 : (t = u));
      (_C_33 : (u = (_C_32 : ((_C_31 : ((0.5 :> double) * t)) *
                               (_C_30 : ((_C_29 : (3 :> double)) -
                                          (_C_28 : ((_C_27 : (t * t)) * x))))))));
      
      {  
         (assert for default: (_C_34 : (jessie : newton_rel((t :> real),
                                                            (x :> real)))));
         ()
      };
      
      {  
         (assert for default: (_C_35 : (jessie : closeness((u :> real),
                                                           (t :> real),
                                                           (x :> real)))));
         ()
      };
      (_C_36 : (t = u));
      
      {  
         (assert for default: (_C_37 : (jessie : (((x :> real) *
                                                    (1 /
                                                      \real_sqrt((x :> real)))) ==
                                                   \real_sqrt((x :> real))))));
         ()
      };
      
      {  (_C_39 : (__retres = (_C_38 : (x * t))));
         
         (return __retres)
      }
   }
}
========== file tests/c/float_sqrt.jessie/float_sqrt.cloc ==========
[_C_35]
file = "HOME/tests/c/float_sqrt.c"
line = 102
begin = 18
end = 36

[_C_28]
file = "HOME/tests/c/float_sqrt.c"
line = 100
begin = 21
end = 30

[_C_31]
file = "HOME/tests/c/float_sqrt.c"
line = 100
begin = 6
end = 13

[_C_41]
file = "HOME/tests/c/float_sqrt.c"
line = 82
begin = 10
end = 23

[_C_4]
file = "HOME/tests/c/float_sqrt.c"
line = 76
begin = 17
end = 23

[_C_32]
file = "HOME/tests/c/float_sqrt.c"
line = 100
begin = 6
end = 31

[_C_23]
file = "HOME/tests/c/float_sqrt.c"
line = 95
begin = 6
end = 31

[_C_19]
file = "HOME/tests/c/float_sqrt.c"
line = 95
begin = 17
end = 18

[_C_42]
file = "HOME/tests/c/float_sqrt.c"
line = 82
begin = 10
end = 18

[_C_13]
file = "HOME/tests/c/float_sqrt.c"
line = 90
begin = 6
end = 31

[_C_5]
file = "HOME/tests/c/float_sqrt.c"
line = 88
begin = 6
end = 18

[_C_36]
file = "HOME/tests/c/float_sqrt.c"
line = 103
begin = 6
end = 7

[_C_12]
file = "HOME/tests/c/float_sqrt.c"
line = 90
begin = 6
end = 31

[sqrt]
name = "Function sqrt"
file = "HOME/tests/c/float_sqrt.c"
line = 85
begin = 7
end = 11

[_C_33]
file = "HOME/tests/c/float_sqrt.c"
line = 100
begin = 6
end = 31

[_C_22]
file = "HOME/tests/c/float_sqrt.c"
line = 95
begin = 6
end = 31

[_C_9]
file = "HOME/tests/c/float_sqrt.c"
line = 90
begin = 17
end = 18

[_C_30]
file = "HOME/tests/c/float_sqrt.c"
line = 100
begin = 17
end = 30

[_C_6]
file = "HOME/tests/c/float_sqrt.c"
line = 88
begin = 6
end = 18

[_C_24]
file = "HOME/tests/c/float_sqrt.c"
line = 96
begin = 18
end = 34

[_C_20]
file = "HOME/tests/c/float_sqrt.c"
line = 95
begin = 17
end = 30

[_C_38]
file = "HOME/tests/c/float_sqrt.c"
line = 106
begin = 9
end = 14

[_C_3]
file = "HOME/tests/c/float_sqrt.c"
line = 76
begin = 10
end = 18

[_C_17]
file = "HOME/tests/c/float_sqrt.c"
line = 95
begin = 21
end = 26

[_C_7]
file = "HOME/tests/c/float_sqrt.c"
line = 90
begin = 21
end = 26

[_C_27]
file = "HOME/tests/c/float_sqrt.c"
line = 100
begin = 21
end = 26

[_C_15]
file = "HOME/tests/c/float_sqrt.c"
line = 92
begin = 18
end = 36

[_C_26]
file = "HOME/tests/c/float_sqrt.c"
line = 98
begin = 6
end = 7

[_C_10]
file = "HOME/tests/c/float_sqrt.c"
line = 90
begin = 17
end = 30

[_C_40]
file = "HOME/tests/c/float_sqrt.c"
line = 83
begin = 9
end = 61

[_C_8]
file = "HOME/tests/c/float_sqrt.c"
line = 90
begin = 21
end = 30

[_C_18]
file = "HOME/tests/c/float_sqrt.c"
line = 95
begin = 21
end = 30

[_C_29]
file = "HOME/tests/c/float_sqrt.c"
line = 100
begin = 17
end = 18

[_C_14]
file = "HOME/tests/c/float_sqrt.c"
line = 91
begin = 18
end = 34

[_C_37]
file = "HOME/tests/c/float_sqrt.c"
line = 105
begin = 18
end = 46

[_C_43]
file = "HOME/tests/c/float_sqrt.c"
line = 82
begin = 17
end = 23

[_C_2]
file = "HOME/tests/c/float_sqrt.c"
line = 76
begin = 10
end = 23

[_C_34]
file = "HOME/tests/c/float_sqrt.c"
line = 101
begin = 18
end = 34

[_C_16]
file = "HOME/tests/c/float_sqrt.c"
line = 93
begin = 6
end = 7

[newton]
name = "Lemma newton"
file = "HOME/tests/c/float_sqrt.c"
line = 68
begin = 1
end = 187

[_C_1]
file = "HOME/tests/c/float_sqrt.c"
line = 77
begin = 9
end = 64

[_C_25]
file = "HOME/tests/c/float_sqrt.c"
line = 97
begin = 18
end = 36

[_C_39]
file = "HOME/tests/c/float_sqrt.c"
line = 106
begin = 2
end = 15

[_C_11]
file = "HOME/tests/c/float_sqrt.c"
line = 90
begin = 6
end = 13

[_C_21]
file = "HOME/tests/c/float_sqrt.c"
line = 95
begin = 6
end = 13

========== jessie execution ==========
Generating Why function sqrt
========== file tests/c/float_sqrt.jessie/float_sqrt.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why $(WHYLIB)/why/floats_strict.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/float_sqrt_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: float_sqrt.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: float_sqrt.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: float_sqrt.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/c/float_sqrt.jessie/float_sqrt.loc ==========
[JC_73]
file = "HOME/tests/c/float_sqrt.c"
line = 105
begin = 18
end = 46

[JC_63]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 95
begin = 6
end = 31

[JC_51]
kind = UserCall
file = "HOME/tests/c/float_sqrt.c"
line = 88
begin = 6
end = 18

[JC_71]
file = "HOME/tests/c/float_sqrt.c"
line = 101
begin = 18
end = 34

[JC_45]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 100
begin = 17
end = 30

[JC_64]
file = "HOME/tests/c/float_sqrt.c"
line = 96
begin = 18
end = 34

[JC_31]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 90
begin = 17
end = 30

[JC_17]
file = "HOME/tests/c/float_sqrt.c"
line = 82
begin = 10
end = 23

[JC_55]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 90
begin = 17
end = 30

[JC_48]
file = "HOME/tests/c/float_sqrt.c"
line = 102
begin = 18
end = 36

[JC_23]
file = "HOME/tests/c/float_sqrt.c"
line = 83
begin = 9
end = 61

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/tests/c/float_sqrt.c"
line = 76
begin = 10
end = 18

[JC_67]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 100
begin = 21
end = 26

[JC_9]
file = "HOME/tests/c/float_sqrt.c"
line = 77
begin = 9
end = 64

[JC_24]
file = "HOME/tests/c/float_sqrt.c"
line = 83
begin = 9
end = 61

[JC_25]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_41]
file = "HOME/tests/c/float_sqrt.c"
line = 97
begin = 18
end = 36

[JC_74]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 106
begin = 9
end = 14

[JC_47]
file = "HOME/tests/c/float_sqrt.c"
line = 101
begin = 18
end = 34

[JC_52]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 90
begin = 6
end = 13

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 90
begin = 21
end = 30

[JC_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/c/float_sqrt.c"
line = 77
begin = 9
end = 64

[JC_70]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 100
begin = 6
end = 31

[JC_15]
file = "HOME/tests/c/float_sqrt.c"
line = 82
begin = 10
end = 18

[JC_36]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 95
begin = 21
end = 26

[JC_39]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 95
begin = 6
end = 31

[JC_40]
file = "HOME/tests/c/float_sqrt.c"
line = 96
begin = 18
end = 34

[JC_35]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 95
begin = 6
end = 13

[JC_27]
kind = UserCall
file = "HOME/tests/c/float_sqrt.c"
line = 88
begin = 6
end = 18

[JC_69]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 100
begin = 17
end = 30

[JC_38]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 95
begin = 17
end = 30

[JC_12]
file = "HOME/tests/c/float_sqrt.jessie/float_sqrt.jc"
line = 55
begin = 10
end = 18

[JC_6]
file = "HOME/tests/c/float_sqrt.c"
line = 76
begin = 17
end = 23

[JC_44]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 100
begin = 21
end = 30

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 95
begin = 17
end = 30

[JC_42]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 100
begin = 6
end = 13

[JC_46]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 100
begin = 6
end = 31

[sqrt_ensures_default]
name = "Function sqrt"
behavior = "default behavior"
file = "HOME/tests/c/float_sqrt.c"
line = 85
begin = 7
end = 11

[JC_61]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 95
begin = 21
end = 30

[JC_32]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 90
begin = 6
end = 31

[JC_56]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 90
begin = 6
end = 31

[JC_33]
file = "HOME/tests/c/float_sqrt.c"
line = 91
begin = 18
end = 34

[JC_65]
file = "HOME/tests/c/float_sqrt.c"
line = 97
begin = 18
end = 36

[JC_29]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 90
begin = 21
end = 26

[JC_68]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 100
begin = 21
end = 30

[JC_7]
file = "HOME/tests/c/float_sqrt.c"
line = 76
begin = 10
end = 23

[JC_16]
file = "HOME/tests/c/float_sqrt.c"
line = 82
begin = 17
end = 23

[JC_43]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 100
begin = 21
end = 26

[JC_2]
file = "HOME/tests/c/float_sqrt.c"
line = 76
begin = 17
end = 23

[JC_34]
file = "HOME/tests/c/float_sqrt.c"
line = 92
begin = 18
end = 36

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_53]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 90
begin = 21
end = 26

[JC_21]
file = "HOME/tests/c/float_sqrt.c"
line = 82
begin = 10
end = 23

[JC_49]
file = "HOME/tests/c/float_sqrt.c"
line = 105
begin = 18
end = 46

[JC_1]
file = "HOME/tests/c/float_sqrt.c"
line = 76
begin = 10
end = 18

[JC_37]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 95
begin = 21
end = 30

[JC_10]
file = "HOME/tests/c/float_sqrt.jessie/float_sqrt.jc"
line = 55
begin = 10
end = 18

[JC_57]
file = "HOME/tests/c/float_sqrt.c"
line = 91
begin = 18
end = 34

[JC_66]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 100
begin = 6
end = 13

[JC_59]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 95
begin = 6
end = 13

[newton]
name = "Lemma newton"
behavior = "lemma"
file = "HOME/tests/c/float_sqrt.c"
line = 68
begin = 1
end = 187

[JC_20]
file = "HOME/tests/c/float_sqrt.c"
line = 82
begin = 17
end = 23

[JC_18]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_3]
file = "HOME/tests/c/float_sqrt.c"
line = 76
begin = 10
end = 23

[sqrt_safety]
name = "Function sqrt"
behavior = "Safety"
file = "HOME/tests/c/float_sqrt.c"
line = 85
begin = 7
end = 11

[JC_60]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 95
begin = 21
end = 26

[JC_72]
file = "HOME/tests/c/float_sqrt.c"
line = 102
begin = 18
end = 36

[JC_19]
file = "HOME/tests/c/float_sqrt.c"
line = 82
begin = 10
end = 18

[JC_50]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 106
begin = 9
end = 14

[JC_30]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 90
begin = 21
end = 30

[JC_58]
file = "HOME/tests/c/float_sqrt.c"
line = 92
begin = 18
end = 36

[JC_28]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 90
begin = 6
end = 13

========== file tests/c/float_sqrt.jessie/why/float_sqrt.why ==========
type charP

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

predicate closeness(u:real, t_1:real, x_1:real) =
 (le_real(abs_real(sub_real(u,
                   mul_real(mul_real(0.5, t_1),
                   sub_real(3.0, mul_real(mul_real(t_1, t_1), x_1))))),
  1.0)
 and le_real(abs_real(sub_real(u, div_real(1.0, sqrt_real(x_1)))), 1.0))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

predicate newton_rel(t:real, x_0:real) =
 (div_real(sub_real(mul_real(mul_real(0.5, t),
                    sub_real(3.0, mul_real(mul_real(t, t), x_0))),
           div_real(1.0, sqrt_real(x_0))),
  div_real(1.0, sqrt_real(x_0))) = mul_real(neg_real(add_real(1.5,
                                                     mul_real(0.5,
                                                     div_real(sub_real(t,
                                                              div_real(1.0,
                                                              sqrt_real(x_0))),
                                                     div_real(1.0,
                                                     sqrt_real(x_0)))))),
                                   mul_real(div_real(sub_real(t,
                                                     div_real(1.0,
                                                     sqrt_real(x_0))),
                                            div_real(1.0, sqrt_real(x_0))),
                                   div_real(sub_real(t,
                                            div_real(1.0, sqrt_real(x_0))),
                                   div_real(1.0, sqrt_real(x_0))))))

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

lemma newton :
 (forall t_0:real.
  (forall x_0_1:real. (gt_real(x_0_1, 0.) -> newton_rel(t_0, x_0_1))))

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter sqrt :
 x_2:double ->
  { } double
  { (JC_24:
    le_real(abs_real(sub_real(double_value(result),
                     sqrt_real(double_value(x_2)))),
    mul_real(0x1p-43, abs_real(sqrt_real(double_value(x_2)))))) }

parameter sqrt_init :
 x_0_0:double ->
  { } double
  { (JC_11:
    le_real(abs_real(sub_real(double_value(result),
                     div_real(1.0, sqrt_real(double_value(x_0_0))))),
    mul_real(0x1p-6, abs_real(div_real(1.0, sqrt_real(double_value(x_0_0))))))) }

parameter sqrt_init_requires :
 x_0_0:double ->
  { (JC_3:
    ((JC_1: le_real(0.5, double_value(x_0_0)))
    and (JC_2: le_real(double_value(x_0_0), 2.0))))}
  double
  { (JC_11:
    le_real(abs_real(sub_real(double_value(result),
                     div_real(1.0, sqrt_real(double_value(x_0_0))))),
    mul_real(0x1p-6, abs_real(div_real(1.0, sqrt_real(double_value(x_0_0))))))) }

parameter sqrt_requires :
 x_2:double ->
  { (JC_17:
    ((JC_15: le_real(0.5, double_value(x_2)))
    and (JC_16: le_real(double_value(x_2), 2.0))))}
  double
  { (JC_24:
    le_real(abs_real(sub_real(double_value(result),
                     sqrt_real(double_value(x_2)))),
    mul_real(0x1p-43, abs_real(sqrt_real(double_value(x_2)))))) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let sqrt_ensures_default =
 fun (x_2 : double) ->
  { (JC_21:
    ((JC_19: le_real(0.5, double_value(x_2)))
    and (JC_20: le_real(double_value(x_2), 2.0)))) }
  (init:
  (let return = ref (any_double void) in
  try
   begin
     (let t_2 = ref (any_double void) in
     (let u_0 = ref (any_double void) in
     (let __retres = ref (any_double void) in
     begin
       (let _jessie_ =
       (t_2 := (let _jessie_ = x_2 in (JC_51: (sqrt_init _jessie_)))) in
       void);
      (let _jessie_ =
      (u_0 := (JC_56:
              (((mul_double_safe nearest_even) (JC_52:
                                               (((mul_double_safe nearest_even) 
                                                 (double_of_real_exact 0.5)) !t_2))) 
               (JC_55:
               (((sub_double_safe nearest_even) (double_of_real_exact 3.0)) 
                (JC_54:
                (((mul_double_safe nearest_even) (JC_53:
                                                 (((mul_double_safe nearest_even) !t_2) !t_2))) x_2))))))) in
      void);
      (assert { (JC_57: newton_rel(double_value(t_2), double_value(x_2))) };
      void); void;
      (assert
      { (JC_58:
        closeness(double_value(u_0), double_value(t_2), double_value(x_2))) };
      void); void; (let _jessie_ = (t_2 := !u_0) in void);
      (let _jessie_ =
      (u_0 := (JC_63:
              (((mul_double_safe nearest_even) (JC_59:
                                               (((mul_double_safe nearest_even) 
                                                 (double_of_real_exact 0.5)) !t_2))) 
               (JC_62:
               (((sub_double_safe nearest_even) (double_of_real_exact 3.0)) 
                (JC_61:
                (((mul_double_safe nearest_even) (JC_60:
                                                 (((mul_double_safe nearest_even) !t_2) !t_2))) x_2))))))) in
      void);
      (assert { (JC_64: newton_rel(double_value(t_2), double_value(x_2))) };
      void); void;
      (assert
      { (JC_65:
        closeness(double_value(u_0), double_value(t_2), double_value(x_2))) };
      void); void; (let _jessie_ = (t_2 := !u_0) in void);
      (let _jessie_ =
      (u_0 := (JC_70:
              (((mul_double_safe nearest_even) (JC_66:
                                               (((mul_double_safe nearest_even) 
                                                 (double_of_real_exact 0.5)) !t_2))) 
               (JC_69:
               (((sub_double_safe nearest_even) (double_of_real_exact 3.0)) 
                (JC_68:
                (((mul_double_safe nearest_even) (JC_67:
                                                 (((mul_double_safe nearest_even) !t_2) !t_2))) x_2))))))) in
      void);
      (assert { (JC_71: newton_rel(double_value(t_2), double_value(x_2))) };
      void); void;
      (assert
      { (JC_72:
        closeness(double_value(u_0), double_value(t_2), double_value(x_2))) };
      void); void; (let _jessie_ = (t_2 := !u_0) in void);
      (assert
      { (JC_73:
        (mul_real(double_value(x_2),
         div_real(1.0, sqrt_real(double_value(x_2)))) = sqrt_real(double_value(x_2)))) };
      void); void;
      (let _jessie_ =
      (__retres := (JC_74: (((mul_double_safe nearest_even) x_2) !t_2))) in
      void); (return := !__retres); (raise Return) end))); absurd  end with
   Return -> !return end))
  { (JC_23:
    le_real(abs_real(sub_real(double_value(result),
                     sqrt_real(double_value(x_2)))),
    mul_real(0x1p-43, abs_real(sqrt_real(double_value(x_2)))))) } 

let sqrt_safety =
 fun (x_2 : double) ->
  { (JC_21:
    ((JC_19: le_real(0.5, double_value(x_2)))
    and (JC_20: le_real(double_value(x_2), 2.0)))) }
  (init:
  (let return = ref (any_double void) in
  try
   begin
     (let t_2 = ref (any_double void) in
     (let u_0 = ref (any_double void) in
     (let __retres = ref (any_double void) in
     begin
       (let _jessie_ =
       (t_2 := (let _jessie_ = x_2 in
               (JC_27: (sqrt_init_requires _jessie_)))) in void);
      (let _jessie_ =
      (u_0 := (JC_32:
              (((mul_double nearest_even) (JC_28:
                                          (((mul_double nearest_even) 
                                            (double_of_real_exact 0.5)) !t_2))) 
               (JC_31:
               (((sub_double nearest_even) (double_of_real_exact 3.0)) 
                (JC_30:
                (((mul_double nearest_even) (JC_29:
                                            (((mul_double nearest_even) !t_2) !t_2))) x_2))))))) in
      void);
      [ { } unit reads t_2
        { (JC_33: newton_rel(double_value(t_2), double_value(x_2))) } ];
      void;
      [ { } unit reads t_2,u_0
        { (JC_34:
          closeness(double_value(u_0), double_value(t_2), double_value(x_2))) } ];
      void; (let _jessie_ = (t_2 := !u_0) in void);
      (let _jessie_ =
      (u_0 := (JC_39:
              (((mul_double nearest_even) (JC_35:
                                          (((mul_double nearest_even) 
                                            (double_of_real_exact 0.5)) !t_2))) 
               (JC_38:
               (((sub_double nearest_even) (double_of_real_exact 3.0)) 
                (JC_37:
                (((mul_double nearest_even) (JC_36:
                                            (((mul_double nearest_even) !t_2) !t_2))) x_2))))))) in
      void);
      [ { } unit reads t_2
        { (JC_40: newton_rel(double_value(t_2), double_value(x_2))) } ];
      void;
      [ { } unit reads t_2,u_0
        { (JC_41:
          closeness(double_value(u_0), double_value(t_2), double_value(x_2))) } ];
      void; (let _jessie_ = (t_2 := !u_0) in void);
      (let _jessie_ =
      (u_0 := (JC_46:
              (((mul_double nearest_even) (JC_42:
                                          (((mul_double nearest_even) 
                                            (double_of_real_exact 0.5)) !t_2))) 
               (JC_45:
               (((sub_double nearest_even) (double_of_real_exact 3.0)) 
                (JC_44:
                (((mul_double nearest_even) (JC_43:
                                            (((mul_double nearest_even) !t_2) !t_2))) x_2))))))) in
      void);
      [ { } unit reads t_2
        { (JC_47: newton_rel(double_value(t_2), double_value(x_2))) } ];
      void;
      [ { } unit reads t_2,u_0
        { (JC_48:
          closeness(double_value(u_0), double_value(t_2), double_value(x_2))) } ];
      void; (let _jessie_ = (t_2 := !u_0) in void);
      [ { } unit
        { (JC_49:
          (mul_real(double_value(x_2),
           div_real(1.0, sqrt_real(double_value(x_2)))) = sqrt_real(double_value(x_2)))) } ];
      void;
      (let _jessie_ =
      (__retres := (JC_50: (((mul_double nearest_even) x_2) !t_2))) in void);
      (return := !__retres); (raise Return) end))); absurd  end with
   Return -> !return end)) { true } 


why-2.39/tests/c/oracle/double_rounding_multirounding_model.err.oracle0000644000106100004300000000000013147234006025345 0ustar  marchevalswhy-2.39/tests/c/oracle/minmax.err.oracle0000644000106100004300000000000013147234006017317 0ustar  marchevalswhy-2.39/tests/c/oracle/isqrt2.res.oracle0000644000106100004300000011024313147234006017266 0ustar  marchevals========== file tests/c/isqrt2.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* run.config
   OPT: -journal-disable -cvcg
*/

/*@ requires 0 <= x <= 32768 * 32768 - 1;
  @ assigns \nothing;
  @ ensures \result >= 0 &&
  @         \result * \result <= x &&
  @         x < (\result + 1) * (\result + 1);
  @*/
int isqrt(int x) {
  int count = 0, sum = 1;
  /*@ loop invariant 0 <= count <= 32767 &&
    @                x >= count * count &&
    @                sum == (count+1)*(count+1);
    @ loop assigns count, sum;
    @ loop variant  x - count;
    @*/
  while (sum <= x) sum += 2 * ++count + 1;
  return count;
}

//@ ensures \result == 4;
int test () {
  int r;
  r = 0 + isqrt(17);
  //@ assert r < 4 ==> \false;
  //@ assert r > 4 ==> \false;
  return r;
}

int main () {
  return 0;
}


/*
Local Variables:
compile-command: "make isqrt2.why3ide"
End:
*/


========== frama-c -jessie execution ==========
[kernel] Parsing FRAMAC_SHARE/libc/__fc_builtin_for_normalization.i (no preprocessing)
[kernel] Parsing tests/c/isqrt2.c (with preprocessing)
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/isqrt2.jessie
[jessie] File tests/c/isqrt2.jessie/isqrt2.jc written.
[jessie] File tests/c/isqrt2.jessie/isqrt2.cloc written.
========== file tests/c/isqrt2.jessie/isqrt2.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type int8 = -128..127

type int32 = -2147483648..2147483647

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

int32 isqrt(int32 x)
  requires (_C_26 : ((_C_27 : (0 <= x)) &&
                      (_C_28 : (x <= ((32768 * 32768) - 1)))));
behavior default:
  assigns \nothing;
  ensures (_C_21 : (((_C_23 : (\result >= 0)) &&
                      (_C_24 : ((\result * \result) <= \at(x,Old)))) &&
                     (_C_25 : (\at(x,Old) < ((\result + 1) * (\result + 1))))));
{  
   (var int32 count);
   
   (var int32 sum);
   
   {  (_C_1 : (count = 0));
      (_C_2 : (sum = 1));
      
      loop 
      behavior default:
        invariant (_C_4 : ((((_C_7 : (0 <= count)) &&
                              (_C_8 : (count <= 32767))) &&
                             (_C_9 : (x >= (count * count)))) &&
                            (_C_10 : (sum == ((count + 1) * (count + 1))))));
      behavior default:
        
        assigns count,
        sum;
      variant (_C_3 : (x - count));
      while (true)
      {  
         {  (if (sum <= x) then () else 
            (goto while_0_break));
            
            {  (_C_13 : (count = (_C_12 : ((_C_11 : (count + 1)) :> int32))));
               (_C_20 : (sum = (_C_19 : ((_C_18 : (sum +
                                                    (_C_17 : ((_C_16 : 
                                                              ((_C_15 : (
                                                               (_C_14 : 
                                                               (2 *
                                                                 count)) :> int32)) +
                                                                1)) :> int32)))) :> int32))))
            }
         }
      };
      (while_0_break : ());
      
      (return count)
   }
}

int32 test()
behavior default:
  ensures (_C_34 : (\result == 4));
{  
   (var int32 r);
   
   (var int32 tmp);
   
   {  
      {  (_C_30 : (tmp = (_C_29 : isqrt(17))));
         (_C_31 : (r = tmp))
      };
      
      {  
         (assert for default: (_C_32 : (jessie : ((r < 4) ==> false))));
         ()
      };
      
      {  
         (assert for default: (_C_33 : (jessie : ((r > 4) ==> false))));
         ()
      };
      
      {  
         (return r)
      }
   }
}

int32 main()
behavior default:
  ensures (_C_36 : true);
{  
   (var int32 __retres);
   
   {  (_C_35 : (__retres = 0));
      
      (return __retres)
   }
}
========== file tests/c/isqrt2.jessie/isqrt2.cloc ==========
[_C_35]
file = "HOME/tests/c/isqrt2.c"
line = 64
begin = 2
end = 11

[_C_28]
file = "HOME/tests/c/isqrt2.c"
line = 36
begin = 21
end = 43

[main]
name = "Function main"
file = "HOME/tests/c/isqrt2.c"
line = 63
begin = 4
end = 8

[_C_31]
file = "HOME/tests/c/isqrt2.c"
line = 57
begin = 6
end = 19

[test]
name = "Function test"
file = "HOME/tests/c/isqrt2.c"
line = 55
begin = 4
end = 8

[_C_4]
file = "HOME/tests/c/isqrt2.c"
line = 44
begin = 26
end = 139

[_C_32]
file = "HOME/tests/c/isqrt2.c"
line = 58
begin = 18
end = 34

[_C_23]
file = "HOME/tests/c/isqrt2.c"
line = 38
begin = 12
end = 24

[_C_19]
file = "HOME/tests/c/isqrt2.c"
line = 50
begin = 19
end = 41

[_C_13]
file = "HOME/tests/c/isqrt2.c"
line = 50
begin = 30
end = 37

[_C_5]
file = "HOME/tests/c/isqrt2.c"
line = 44
begin = 26
end = 88

[_C_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_12]
file = "HOME/tests/c/isqrt2.c"
line = 50
begin = 30
end = 37

[_C_33]
file = "HOME/tests/c/isqrt2.c"
line = 59
begin = 18
end = 34

[_C_22]
file = "HOME/tests/c/isqrt2.c"
line = 38
begin = 12
end = 62

[_C_9]
file = "HOME/tests/c/isqrt2.c"
line = 45
begin = 21
end = 39

[_C_30]
file = "HOME/tests/c/isqrt2.c"
line = 57
begin = 10
end = 19

[_C_6]
file = "HOME/tests/c/isqrt2.c"
line = 44
begin = 26
end = 45

[_C_24]
file = "HOME/tests/c/isqrt2.c"
line = 39
begin = 12
end = 34

[_C_20]
file = "HOME/tests/c/isqrt2.c"
line = 50
begin = 19
end = 41

[_C_3]
file = "HOME/tests/c/isqrt2.c"
line = 48
begin = 19
end = 28

[_C_17]
file = "HOME/tests/c/isqrt2.c"
line = 50
begin = 26
end = 41

[_C_7]
file = "HOME/tests/c/isqrt2.c"
line = 44
begin = 26
end = 36

[_C_27]
file = "HOME/tests/c/isqrt2.c"
line = 36
begin = 16
end = 22

[_C_15]
file = "HOME/tests/c/isqrt2.c"
line = 50
begin = 26
end = 37

[_C_26]
file = "HOME/tests/c/isqrt2.c"
line = 36
begin = 16
end = 43

[_C_10]
file = "HOME/tests/c/isqrt2.c"
line = 46
begin = 21
end = 47

[_C_8]
file = "HOME/tests/c/isqrt2.c"
line = 44
begin = 31
end = 45

[_C_18]
file = "HOME/tests/c/isqrt2.c"
line = 50
begin = 19
end = 41

[_C_29]
file = "HOME/tests/c/isqrt2.c"
line = 57
begin = 10
end = 19

[_C_14]
file = "HOME/tests/c/isqrt2.c"
line = 50
begin = 26
end = 37

[_C_2]
file = "HOME/tests/c/isqrt2.c"
line = 43
begin = 2
end = 5

[_C_34]
file = "HOME/tests/c/isqrt2.c"
line = 54
begin = 15
end = 27

[_C_16]
file = "HOME/tests/c/isqrt2.c"
line = 50
begin = 26
end = 41

[isqrt]
name = "Function isqrt"
file = "HOME/tests/c/isqrt2.c"
line = 42
begin = 4
end = 9

[_C_1]
file = "HOME/tests/c/isqrt2.c"
line = 43
begin = 2
end = 5

[_C_25]
file = "HOME/tests/c/isqrt2.c"
line = 40
begin = 12
end = 45

[_C_11]
file = "HOME/tests/c/isqrt2.c"
line = 50
begin = 30
end = 37

[_C_21]
file = "HOME/tests/c/isqrt2.c"
line = 38
begin = 12
end = 111

========== jessie execution ==========
Generating Why function isqrt
Generating Why function test
Generating Why function main
========== file tests/c/isqrt2.jessie/isqrt2.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/isqrt2_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: isqrt2.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: isqrt2.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: isqrt2.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/c/isqrt2.jessie/isqrt2.loc ==========
[main_safety]
name = "Function main"
behavior = "Safety"
file = "HOME/tests/c/isqrt2.c"
line = 63
begin = 4
end = 8

[JC_63]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_51]
file = "HOME/tests/c/isqrt2.c"
line = 58
begin = 18
end = 34

[JC_45]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_31]
kind = ArithOverflow
file = "HOME/tests/c/isqrt2.c"
line = 50
begin = 26
end = 41

[JC_17]
file = "HOME/tests/c/isqrt2.c"
line = 38
begin = 12
end = 111

[JC_55]
file = "HOME/tests/c/isqrt2.c"
line = 59
begin = 18
end = 34

[JC_48]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_23]
file = "HOME/tests/c/isqrt2.c"
line = 45
begin = 21
end = 39

[JC_22]
file = "HOME/tests/c/isqrt2.c"
line = 44
begin = 31
end = 45

[JC_5]
file = "HOME/tests/c/isqrt2.c"
line = 36
begin = 16
end = 22

[JC_9]
file = "HOME/tests/c/isqrt2.c"
line = 38
begin = 12
end = 24

[JC_24]
file = "HOME/tests/c/isqrt2.c"
line = 46
begin = 21
end = 47

[JC_25]
file = "HOME/tests/c/isqrt2.c"
line = 44
begin = 26
end = 139

[JC_41]
file = "HOME/tests/c/isqrt2.jessie/isqrt2.jc"
line = 52
begin = 6
end = 1151

[JC_47]
file = "HOME/tests/c/isqrt2.c"
line = 54
begin = 15
end = 27

[JC_52]
file = "HOME/tests/c/isqrt2.c"
line = 59
begin = 18
end = 34

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
file = "HOME/tests/c/isqrt2.c"
line = 58
begin = 18
end = 34

[JC_13]
file = "HOME/tests/c/isqrt2.jessie/isqrt2.jc"
line = 40
begin = 10
end = 18

[isqrt_ensures_default]
name = "Function isqrt"
behavior = "default behavior"
file = "HOME/tests/c/isqrt2.c"
line = 42
begin = 4
end = 9

[JC_11]
file = "HOME/tests/c/isqrt2.c"
line = 40
begin = 12
end = 45

[JC_15]
file = "HOME/tests/c/isqrt2.c"
line = 39
begin = 12
end = 34

[JC_36]
file = "HOME/tests/c/isqrt2.c"
line = 45
begin = 21
end = 39

[JC_39]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_40]
file = "HOME/tests/c/isqrt2.jessie/isqrt2.jc"
line = 52
begin = 6
end = 1151

[JC_35]
file = "HOME/tests/c/isqrt2.c"
line = 44
begin = 31
end = 45

[JC_27]
file = "HOME/tests/c/isqrt2.jessie/isqrt2.jc"
line = 52
begin = 6
end = 1151

[JC_38]
file = "HOME/tests/c/isqrt2.c"
line = 44
begin = 26
end = 139

[JC_12]
file = "HOME/tests/c/isqrt2.c"
line = 38
begin = 12
end = 111

[JC_6]
file = "HOME/tests/c/isqrt2.c"
line = 36
begin = 21
end = 43

[JC_44]
file = "HOME/tests/c/isqrt2.c"
line = 55
begin = 4
end = 8

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_42]
file = "HOME/tests/c/isqrt2.c"
line = 55
begin = 4
end = 8

[main_ensures_default]
name = "Function main"
behavior = "default behavior"
file = "HOME/tests/c/isqrt2.c"
line = 63
begin = 4
end = 8

[JC_46]
file = "HOME/tests/c/isqrt2.c"
line = 54
begin = 15
end = 27

[JC_61]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_32]
kind = ArithOverflow
file = "HOME/tests/c/isqrt2.c"
line = 50
begin = 19
end = 41

[JC_56]
file = "HOME/tests/c/isqrt2.c"
line = 63
begin = 4
end = 8

[JC_33]
file = "HOME/tests/c/isqrt2.c"
line = 48
begin = 19
end = 28

[JC_29]
kind = ArithOverflow
file = "HOME/tests/c/isqrt2.c"
line = 50
begin = 30
end = 37

[JC_7]
file = "HOME/tests/c/isqrt2.c"
line = 36
begin = 16
end = 43

[JC_16]
file = "HOME/tests/c/isqrt2.c"
line = 40
begin = 12
end = 45

[JC_43]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_2]
file = "HOME/tests/c/isqrt2.c"
line = 36
begin = 21
end = 43

[test_ensures_default]
name = "Function test"
behavior = "default behavior"
file = "HOME/tests/c/isqrt2.c"
line = 55
begin = 4
end = 8

[JC_34]
file = "HOME/tests/c/isqrt2.c"
line = 44
begin = 26
end = 36

[JC_14]
file = "HOME/tests/c/isqrt2.c"
line = 38
begin = 12
end = 24

[JC_53]
kind = UserCall
file = "HOME/tests/c/isqrt2.c"
line = 57
begin = 10
end = 19

[JC_21]
file = "HOME/tests/c/isqrt2.c"
line = 44
begin = 26
end = 36

[JC_49]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1]
file = "HOME/tests/c/isqrt2.c"
line = 36
begin = 16
end = 22

[JC_37]
file = "HOME/tests/c/isqrt2.c"
line = 46
begin = 21
end = 47

[JC_10]
file = "HOME/tests/c/isqrt2.c"
line = 39
begin = 12
end = 34

[JC_57]
file = "HOME/"
line = 0
begin = -1
end = -1

[test_safety]
name = "Function test"
behavior = "Safety"
file = "HOME/tests/c/isqrt2.c"
line = 55
begin = 4
end = 8

[JC_59]
file = "HOME/"
line = 0
begin = -1
end = -1

[isqrt_safety]
name = "Function isqrt"
behavior = "Safety"
file = "HOME/tests/c/isqrt2.c"
line = 42
begin = 4
end = 9

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/tests/c/isqrt2.jessie/isqrt2.jc"
line = 40
begin = 10
end = 18

[JC_3]
file = "HOME/tests/c/isqrt2.c"
line = 36
begin = 16
end = 43

[JC_60]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_19]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_50]
kind = UserCall
file = "HOME/tests/c/isqrt2.c"
line = 57
begin = 10
end = 19

[JC_30]
kind = ArithOverflow
file = "HOME/tests/c/isqrt2.c"
line = 50
begin = 26
end = 37

[JC_58]
file = "HOME/tests/c/isqrt2.c"
line = 63
begin = 4
end = 8

[JC_28]
file = "HOME/tests/c/isqrt2.jessie/isqrt2.jc"
line = 52
begin = 6
end = 1151

========== file tests/c/isqrt2.jessie/why/isqrt2.why ==========
type charP

type int32

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

exception Goto_while_0_break_exc of unit

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int32 : unit -> { } int32 { true }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter isqrt :
 x_0:int32 ->
  { } int32
  { (JC_17:
    ((JC_14: ge_int(integer_of_int32(result), (0)))
    and ((JC_15:
         le_int(mul_int(integer_of_int32(result), integer_of_int32(result)),
         integer_of_int32(x_0)))
        and (JC_16:
            lt_int(integer_of_int32(x_0),
            mul_int(add_int(integer_of_int32(result), (1)),
            add_int(integer_of_int32(result), (1)))))))) }

parameter isqrt_requires :
 x_0:int32 ->
  { (JC_3:
    ((JC_1: le_int((0), integer_of_int32(x_0)))
    and (JC_2:
        le_int(integer_of_int32(x_0),
        sub_int(mul_int((32768), (32768)), (1))))))}
  int32
  { (JC_17:
    ((JC_14: ge_int(integer_of_int32(result), (0)))
    and ((JC_15:
         le_int(mul_int(integer_of_int32(result), integer_of_int32(result)),
         integer_of_int32(x_0)))
        and (JC_16:
            lt_int(integer_of_int32(x_0),
            mul_int(add_int(integer_of_int32(result), (1)),
            add_int(integer_of_int32(result), (1)))))))) }

parameter main : tt:unit -> { } int32 { true }

parameter main_requires : tt:unit -> { } int32 { true }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter test :
 tt:unit -> { } int32 { (JC_47: (integer_of_int32(result) = (4))) }

parameter test_requires :
 tt:unit -> { } int32 { (JC_47: (integer_of_int32(result) = (4))) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let isqrt_ensures_default =
 fun (x_0 : int32) ->
  { (JC_7:
    ((JC_5: le_int((0), integer_of_int32(x_0)))
    and (JC_6:
        le_int(integer_of_int32(x_0),
        sub_int(mul_int((32768), (32768)), (1)))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let count = ref (any_int32 void) in
     (let sum = ref (any_int32 void) in
     try
      begin
        (let _jessie_ = (count := (safe_int32_of_integer_ (0))) in void);
       (let _jessie_ = (sum := (safe_int32_of_integer_ (1))) in void);
       (loop_2:
       begin
         while true do
         { invariant
             (JC_38:
             ((JC_34: le_int((0), integer_of_int32(count)))
             and ((JC_35: le_int(integer_of_int32(count), (32767)))
                 and ((JC_36:
                      ge_int(integer_of_int32(x_0),
                      mul_int(integer_of_int32(count),
                      integer_of_int32(count))))
                     and (JC_37:
                         (integer_of_int32(sum) = mul_int(add_int(integer_of_int32(count),
                                                          (1)),
                                                  add_int(integer_of_int32(count),
                                                  (1)))))))))  }
          begin
            [ { } unit { true } ];
           try
            begin
              (let _jessie_ =
              begin
                (if ((le_int_ (integer_of_int32 !sum)) (integer_of_int32 x_0))
                then void else (raise (Goto_while_0_break_exc void)));
               (let _jessie_ =
               (count := (safe_int32_of_integer_ ((add_int (integer_of_int32 !count)) (1)))) in
               void);
               (sum := (safe_int32_of_integer_ ((add_int (integer_of_int32 !sum)) 
                                                (integer_of_int32 (safe_int32_of_integer_ 
                                                                   ((add_int 
                                                                    (integer_of_int32 
                                                                    (safe_int32_of_integer_ 
                                                                    ((mul_int (2)) 
                                                                    (integer_of_int32 !count))))) (1)))))));
               !sum end in void); (raise (Loop_continue_exc void)) end with
            Loop_continue_exc _jessie_ -> void end end done;
        (raise (Goto_while_0_break_exc void)) end) end with
      Goto_while_0_break_exc _jessie_ ->
      (while_0_break: begin   void; (return := !count); (raise Return) end) end));
    absurd  end with Return -> !return end))
  { (JC_12:
    ((JC_9: ge_int(integer_of_int32(result), (0)))
    and ((JC_10:
         le_int(mul_int(integer_of_int32(result), integer_of_int32(result)),
         integer_of_int32(x_0)))
        and (JC_11:
            lt_int(integer_of_int32(x_0),
            mul_int(add_int(integer_of_int32(result), (1)),
            add_int(integer_of_int32(result), (1)))))))) } 

let isqrt_safety =
 fun (x_0 : int32) ->
  { (JC_7:
    ((JC_5: le_int((0), integer_of_int32(x_0)))
    and (JC_6:
        le_int(integer_of_int32(x_0),
        sub_int(mul_int((32768), (32768)), (1)))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let count = ref (any_int32 void) in
     (let sum = ref (any_int32 void) in
     try
      begin
        (let _jessie_ = (count := (safe_int32_of_integer_ (0))) in void);
       (let _jessie_ = (sum := (safe_int32_of_integer_ (1))) in void);
       (loop_1:
       begin
         while true do
         { invariant (JC_27: true)
           variant (JC_33 : sub_int(integer_of_int32(x_0),
                            integer_of_int32(count))) }
          begin
            [ { } unit reads count,sum
              { (JC_25:
                ((JC_21: le_int((0), integer_of_int32(count)))
                and ((JC_22: le_int(integer_of_int32(count), (32767)))
                    and ((JC_23:
                         ge_int(integer_of_int32(x_0),
                         mul_int(integer_of_int32(count),
                         integer_of_int32(count))))
                        and (JC_24:
                            (integer_of_int32(sum) = mul_int(add_int(
                                                             integer_of_int32(count),
                                                             (1)),
                                                     add_int(integer_of_int32(count),
                                                     (1))))))))) } ];
           try
            begin
              (let _jessie_ =
              begin
                (if ((le_int_ (integer_of_int32 !sum)) (integer_of_int32 x_0))
                then void else (raise (Goto_while_0_break_exc void)));
               (let _jessie_ =
               (count := (JC_29:
                         (int32_of_integer_ ((add_int (integer_of_int32 !count)) (1))))) in
               void);
               (sum := (JC_32:
                       (int32_of_integer_ ((add_int (integer_of_int32 !sum)) 
                                           (integer_of_int32 (JC_31:
                                                             (int32_of_integer_ 
                                                              ((add_int 
                                                                (integer_of_int32 
                                                                 (JC_30:
                                                                 (int32_of_integer_ 
                                                                  ((mul_int (2)) 
                                                                   (integer_of_int32 !count)))))) (1)))))))));
               !sum end in void); (raise (Loop_continue_exc void)) end with
            Loop_continue_exc _jessie_ -> void end end done;
        (raise (Goto_while_0_break_exc void)) end) end with
      Goto_while_0_break_exc _jessie_ ->
      (while_0_break: begin   void; (return := !count); (raise Return) end) end));
    absurd  end with Return -> !return end)) { true } 

let main_ensures_default =
 fun (tt : unit) ->
  { (JC_59: true) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let __retres = ref (any_int32 void) in
     begin
       (let _jessie_ = (__retres := (safe_int32_of_integer_ (0))) in void);
      (return := !__retres); (raise Return) end); absurd  end with Return ->
   !return end)) { (JC_60: true) } 

let main_safety =
 fun (tt : unit) ->
  { (JC_59: true) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let __retres = ref (any_int32 void) in
     begin
       (let _jessie_ = (__retres := (safe_int32_of_integer_ (0))) in void);
      (return := !__retres); (raise Return) end); absurd  end with Return ->
   !return end)) { true } 

let test_ensures_default =
 fun (tt : unit) ->
  { (JC_45: true) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let r = ref (any_int32 void) in
     (let tmp = ref (any_int32 void) in
     begin
       (let _jessie_ =
       begin
         (let _jessie_ =
         (tmp := (let _jessie_ = (safe_int32_of_integer_ (17)) in
                 (JC_53: (isqrt _jessie_)))) in void); (r := !tmp); !r end in
       void);
      (assert
      { (JC_54: (lt_int(integer_of_int32(r), (4)) -> (false = true))) };
      void); void;
      (assert
      { (JC_55: (gt_int(integer_of_int32(r), (4)) -> (false = true))) };
      void); void; (return := !r); (raise Return) end)); absurd  end with
   Return -> !return end)) { (JC_46: (integer_of_int32(result) = (4))) } 

let test_safety =
 fun (tt : unit) ->
  { (JC_45: true) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let r = ref (any_int32 void) in
     (let tmp = ref (any_int32 void) in
     begin
       (let _jessie_ =
       begin
         (let _jessie_ =
         (tmp := (let _jessie_ = (safe_int32_of_integer_ (17)) in
                 (JC_50: (isqrt_requires _jessie_)))) in void);
        (r := !tmp); !r end in void);
      [ { } unit reads r
        { (JC_51: (lt_int(integer_of_int32(r), (4)) -> (false = true))) } ];
      void;
      [ { } unit reads r
        { (JC_52: (gt_int(integer_of_int32(r), (4)) -> (false = true))) } ];
      void; (return := !r); (raise Return) end)); absurd  end with Return ->
   !return end)) { true } 


why-2.39/tests/c/oracle/fact.res.oracle0000644000106100004300000000134013147234006016754 0ustar  marchevals========== file tests/c/fact.c ==========

/*@ axiomatic Factorial {
  @   logic integer factorial(integer n);
  @   axiom factorial_0: factorial(0) == 1;
  @   axiom factorial_succ:
  @     \forall integer n; n > 0 ==> factorial(n) == n * factorial(n-1);
  @ }
  @*/

/*@ lemma fact_bound: \forall integer n; 0 <= n <= 11 ==>
  @      1 <= factorial(n) <= 39916800;
  @*/

/*@ requires 0 <= n <= 12;
  @ decreases n;
  @ ensures \result == factorial(n);
  @*/
int fact(int n) {
  if (n == 0) return 1;
  return n * fact(n-1);
}
========== frama-c -jessie execution ==========
[kernel] user error: option `-jessie' is unknown.
                     use `frama-c -help' for more information.
[kernel] Frama-C aborted: invalid user input.
why-2.39/tests/c/oracle/quick_sort.err.oracle0000644000106100004300000000062613147234006020227 0ustar  marchevalsWarning: recursive definition of Permut in generated file
Warning: recursive definition of Permut in generated file
Warning: recursive definition of Permut in generated file
Warning: recursive definition of Permut in generated file
Warning: recursive definition of Permut in generated file
Warning: recursive definition of Permut in generated file
Warning: recursive definition of Permut in generated file
why-2.39/tests/c/oracle/tree_max.res.oracle0000644000106100004300000012570313147234006017655 0ustar  marchevals========== file tests/c/tree_max.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

#pragma JessieTerminationPolicy(user)

#define NULL (void*)0

//@ ensures \result == \max(x,y);
int max(int x, int y);

typedef struct Tree *tree;
struct Tree {
  int value;
  tree left;
  tree right;
};

/* not accepted by Why3 (termination not proved) 
  @ predicate mem(int x, tree t) =
  @  (t==\null) ? \false : (x==t->value) || mem(x,t->left) || mem(x,t->right);
  @*/

/*@ axiomatic Mem {
  @   predicate mem{L}(int x, tree t);
  @   axiom mem_null{L}: \forall int x; ! mem(x,\null);
  @   axiom mem_root{L}: \forall tree t; t != \null ==>
  @     mem(t->value,t);
  @   axiom mem_root_eq{L}: \forall int x, tree t; t != \null ==>
  @     x==t->value ==> mem(x,t);
  @   axiom mem_left{L}: \forall int x, tree t; t != \null ==>
  @     mem(x,t->left) ==> mem(x,t);
  @   axiom mem_right{L}: \forall int x, tree t; t != \null ==>
  @     mem(x,t->right) ==> mem(x,t);
  @   axiom mem_inversion{L}: \forall int x, tree t;
  @     mem(x,t) ==> t != \null &&
  @       (x==t->value || mem(x,t->left) || mem(x,t->right));
  @ }
  @*/

/*@ axiomatic WellFormedTree {
  @   predicate has_size{L}(tree t, integer s);
  @   axiom has_size_null{L}: has_size(\null,0);
  @   axiom has_size_non_null{L}: \forall tree t; \valid(t) ==>
  @     \forall integer s1,s2;
  @     has_size(t->left,s1) && has_size(t->right,s2) ==>
  @     has_size(t,s1+s2+1) ;
  @   axiom has_size_inversion{L}: \forall tree t, integer s;
  @     has_size(t,s) ==>
  @       (t == \null && s == 0) ||
  @       (\valid(t) && \exists integer s1,s2;
  @            has_size(t->left,s1) && has_size(t->right,s2) &&
  @            0 <= s1 && 0 <= s2 && s == s1+s2+1) ;
  @  predicate size_decreases{L}(tree t1, tree t2) =
  @    \exists integer s1,s2; has_size(t1,s1) && has_size(t2,s2) && s1 > s2;
  @   predicate valid_tree{L}(tree t) =
  @     \exists integer s; has_size(t,s);
  @ }
  @*/

/*@ requires t != \null && valid_tree(t);
  @ // decreases t for size_decreases;
  @ ensures mem(\result,t) && \forall int x; mem(x,t) ==> \result >= x;
  @*/
int tree_max(tree t) {
  int m = t->value;
  if (t->left != NULL) m = max(m,tree_max(t->left));
  if (t->right != NULL) m = max(m,tree_max(t->right));
  return m;
  }



/*
Local Variables:
compile-command: "make tree_max.why3ide"
End:
*/
========== frama-c -jessie execution ==========
[kernel] Parsing FRAMAC_SHARE/libc/__fc_builtin_for_normalization.i (no preprocessing)
[kernel] Parsing tests/c/tree_max.c (with preprocessing)
[jessie] Starting Jessie translation
tests/c/tree_max.c:92:[kernel] warning: No code nor implicit assigns clause for function max, generating default assigns from the prototype
[jessie] Producing Jessie files in subdir tests/c/tree_max.jessie
[jessie] File tests/c/tree_max.jessie/tree_max.jc written.
[jessie] File tests/c/tree_max.jessie/tree_max.cloc written.
========== file tests/c/tree_max.jessie/tree_max.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol
# TerminationPolicy = user

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type int8 = -128..127

type int32 = -2147483648..2147483647

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

tag Tree = {
  int32 value: 32; 
  Tree[..] left: 32; 
  Tree[..] right: 32;
}

type Tree = [Tree]

int32 max(int32 x, int32 y)
behavior default:
  assigns \nothing;
  ensures (_C_1 : (\result == \integer_max(\at(x,Old), \at(y,Old))));
;

axiomatic Mem {

  predicate mem{L}(int32 x, Tree[..] t)
   
  axiom mem_null{L} :
  (\forall int32 x_0;
    (! mem{L}(x_0, null)))
   
  axiom mem_root{L} :
  (\forall Tree[..] t_0;
    ((t_0 != null) ==> mem{L}(t_0.value, t_0)))
   
  axiom mem_root_eq{L} :
  (\forall int32 x_1;
    (\forall Tree[..] t_1;
      ((t_1 != null) ==> ((x_1 == t_1.value) ==> mem{L}(x_1, t_1)))))
   
  axiom mem_left{L} :
  (\forall int32 x_2;
    (\forall Tree[..] t_2;
      ((t_2 != null) ==> (mem{L}(x_2, t_2.left) ==> mem{L}(x_2, t_2)))))
   
  axiom mem_right{L} :
  (\forall int32 x_3;
    (\forall Tree[..] t_3;
      ((t_3 != null) ==> (mem{L}(x_3, t_3.right) ==> mem{L}(x_3, t_3)))))
   
  axiom mem_inversion{L} :
  (\forall int32 x_4;
    (\forall Tree[..] t_4;
      (mem{L}(x_4, t_4) ==>
        ((t_4 != null) &&
          (((x_4 == t_4.value) || mem{L}(x_4, t_4.left)) ||
            mem{L}(x_4, t_4.right))))))
  
}

axiomatic WellFormedTree {

  predicate has_size{L}(Tree[..] t_5, integer s)
   
  axiom has_size_null{L} :
  has_size{L}(null, 0)
   
  axiom has_size_non_null{L} :
  (\forall Tree[..] t_6;
    (((\offset_min(t_6) <= 0) && (\offset_max(t_6) >= 0)) ==>
      (\forall integer s1;
        (\forall integer s2;
          ((has_size{L}(t_6.left, s1) && has_size{L}(t_6.right, s2)) ==>
            has_size{L}(t_6, ((s1 + s2) + 1)))))))
   
  axiom has_size_inversion{L} :
  (\forall Tree[..] t_7;
    (\forall integer s_0;
      (has_size{L}(t_7, s_0) ==>
        (((t_7 == null) && (s_0 == 0)) ||
          (((\offset_min(t_7) <= 0) && (\offset_max(t_7) >= 0)) &&
            (\exists integer s1_0;
              (\exists integer s2_0;
                ((((has_size{L}(t_7.left, s1_0) &&
                     has_size{L}(t_7.right, s2_0)) &&
                    (0 <= s1_0)) &&
                   (0 <= s2_0)) &&
                  (s_0 == ((s1_0 + s2_0) + 1))))))))))
   
  predicate size_decreases{L}(Tree[..] t1, Tree[..] t2) =
  (\exists integer s1_1;
    (\exists integer s2_1;
      ((has_size{L}(t1, s1_1) && has_size{L}(t2, s2_1)) && (s1_1 > s2_1))))
   
  predicate valid_tree{L}(Tree[..] t_8) =
  (\exists integer s_1;
    has_size{L}(t_8, s_1))
  
}

int32 tree_max(Tree[..] t)
  requires (_C_19 : ((_C_20 : (t != null)) && (_C_21 : valid_tree{Here}(t))));
behavior default:
  ensures (_C_16 : ((_C_17 : mem{Here}(\result, \at(t,Old))) &&
                     (_C_18 : (\forall int32 x_5;
                                (mem{Here}(x_5, \at(t,Old)) ==>
                                  (\result >= x_5))))));
{  
   (var int32 m);
   
   (var int32 tmp);
   
   (var int32 tmp_0);
   
   {  (_C_3 : (m = (_C_2 : t.value)));
      (if ((_C_9 : t.left) != null) then 
      {  (_C_6 : (tmp = (_C_5 : tree_max((_C_4 : t.left)))));
         (_C_8 : (m = (_C_7 : max(m, tmp))))
      } else ());
      (if ((_C_15 : t.right) != null) then 
      {  (_C_12 : (tmp_0 = (_C_11 : tree_max((_C_10 : t.right)))));
         (_C_14 : (m = (_C_13 : max(m, tmp_0))))
      } else ());
      
      (return m)
   }
}
========== file tests/c/tree_max.jessie/tree_max.cloc ==========
[has_size_null]
name = "Lemma has_size_null"
file = "HOME/tests/c/tree_max.c"
line = 70
begin = 6
end = 48

[tree_max]
name = "Function tree_max"
file = "HOME/tests/c/tree_max.c"
line = 92
begin = 4
end = 12

[mem_left]
name = "Lemma mem_left"
file = "HOME/tests/c/tree_max.c"
line = 58
begin = 6
end = 99

[_C_4]
file = "HOME/tests/c/tree_max.c"
line = 94
begin = 46
end = 53

[_C_19]
file = "HOME/tests/c/tree_max.c"
line = 88
begin = 16
end = 43

[_C_13]
file = "HOME/tests/c/tree_max.c"
line = 95
begin = 32
end = 57

[_C_5]
file = "HOME/tests/c/tree_max.c"
line = 94
begin = 37
end = 54

[_C_12]
file = "HOME/tests/c/tree_max.c"
line = 95
begin = 38
end = 56

[mem_root]
name = "Lemma mem_root"
file = "HOME/tests/c/tree_max.c"
line = 54
begin = 6
end = 80

[_C_9]
file = "HOME/tests/c/tree_max.c"
line = 94
begin = 6
end = 13

[_C_6]
file = "HOME/tests/c/tree_max.c"
line = 94
begin = 37
end = 54

[_C_20]
file = "HOME/tests/c/tree_max.c"
line = 88
begin = 16
end = 26

[mem_null]
name = "Lemma mem_null"
file = "HOME/tests/c/tree_max.c"
line = 53
begin = 6
end = 55

[_C_3]
file = "HOME/tests/c/tree_max.c"
line = 93
begin = 2
end = 5

[_C_17]
file = "HOME/tests/c/tree_max.c"
line = 90
begin = 12
end = 26

[_C_7]
file = "HOME/tests/c/tree_max.c"
line = 94
begin = 31
end = 55

[_C_15]
file = "HOME/tests/c/tree_max.c"
line = 95
begin = 6
end = 14

[mem_inversion]
name = "Lemma mem_inversion"
file = "HOME/tests/c/tree_max.c"
line = 62
begin = 6
end = 149

[has_size_non_null]
name = "Lemma has_size_non_null"
file = "HOME/tests/c/tree_max.c"
line = 71
begin = 6
end = 182

[_C_10]
file = "HOME/tests/c/tree_max.c"
line = 95
begin = 47
end = 55

[_C_8]
file = "HOME/tests/c/tree_max.c"
line = 94
begin = 31
end = 55

[_C_18]
file = "HOME/tests/c/tree_max.c"
line = 90
begin = 30
end = 70

[_C_14]
file = "HOME/tests/c/tree_max.c"
line = 95
begin = 32
end = 57

[mem_root_eq]
name = "Lemma mem_root_eq"
file = "HOME/tests/c/tree_max.c"
line = 56
begin = 6
end = 99

[has_size_inversion]
name = "Lemma has_size_inversion"
file = "HOME/tests/c/tree_max.c"
line = 75
begin = 6
end = 287

[_C_2]
file = "HOME/tests/c/tree_max.c"
line = 93
begin = 10
end = 18

[mem_right]
name = "Lemma mem_right"
file = "HOME/tests/c/tree_max.c"
line = 60
begin = 6
end = 101

[_C_16]
file = "HOME/tests/c/tree_max.c"
line = 90
begin = 12
end = 70

[_C_1]
file = "HOME/tests/c/tree_max.c"
line = 36
begin = 15
end = 35

[_C_11]
file = "HOME/tests/c/tree_max.c"
line = 95
begin = 38
end = 56

[_C_21]
file = "HOME/tests/c/tree_max.c"
line = 88
begin = 30
end = 43

========== jessie execution ==========
Generating Why function tree_max
========== file tests/c/tree_max.jessie/tree_max.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/tree_max_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: tree_max.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: tree_max.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: tree_max.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/c/tree_max.jessie/tree_max.loc ==========
[has_size_null]
name = "Lemma has_size_null"
behavior = "axiom"
file = "HOME/tests/c/tree_max.c"
line = 70
begin = 6
end = 48

[mem_left]
name = "Lemma mem_left"
behavior = "axiom"
file = "HOME/tests/c/tree_max.c"
line = 58
begin = 6
end = 99

[JC_31]
kind = UserCall
file = "HOME/tests/c/tree_max.c"
line = 94
begin = 31
end = 55

[JC_17]
file = "HOME/tests/c/tree_max.c"
line = 88
begin = 16
end = 43

[JC_23]
file = "HOME/tests/c/tree_max.c"
line = 90
begin = 30
end = 70

[JC_22]
file = "HOME/tests/c/tree_max.c"
line = 90
begin = 12
end = 26

[JC_5]
file = "HOME/tests/c/tree_max.c"
line = 36
begin = 15
end = 35

[JC_9]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_24]
file = "HOME/tests/c/tree_max.c"
line = 90
begin = 12
end = 70

[JC_25]
file = "HOME/"
line = 0
begin = -1
end = -1

[tree_max_ensures_default]
name = "Function tree_max"
behavior = "default behavior"
file = "HOME/tests/c/tree_max.c"
line = 92
begin = 4
end = 12

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/tests/c/tree_max.jessie/tree_max.jc"
line = 47
begin = 10
end = 18

[mem_root]
name = "Lemma mem_root"
behavior = "axiom"
file = "HOME/tests/c/tree_max.c"
line = 54
begin = 6
end = 80

[JC_13]
file = "HOME/tests/c/tree_max.c"
line = 88
begin = 16
end = 43

[JC_11]
file = "HOME/tests/c/tree_max.c"
line = 88
begin = 16
end = 26

[JC_15]
file = "HOME/tests/c/tree_max.c"
line = 88
begin = 16
end = 26

[JC_36]
kind = UserCall
file = "HOME/tests/c/tree_max.c"
line = 94
begin = 37
end = 54

[JC_39]
kind = UserCall
file = "HOME/tests/c/tree_max.c"
line = 95
begin = 32
end = 57

[JC_35]
kind = UserCall
file = "HOME/tests/c/tree_max.c"
line = 95
begin = 32
end = 57

[mem_null]
name = "Lemma mem_null"
behavior = "axiom"
file = "HOME/tests/c/tree_max.c"
line = 53
begin = 6
end = 55

[JC_27]
kind = PointerDeref
file = "HOME/tests/c/tree_max.c"
line = 93
begin = 10
end = 18

[JC_38]
kind = UserCall
file = "HOME/tests/c/tree_max.c"
line = 95
begin = 38
end = 56

[JC_12]
file = "HOME/tests/c/tree_max.c"
line = 88
begin = 30
end = 43

[JC_6]
file = "HOME/tests/c/tree_max.jessie/tree_max.jc"
line = 47
begin = 10
end = 18

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_32]
kind = PointerDeref
file = "HOME/tests/c/tree_max.c"
line = 95
begin = 6
end = 14

[JC_33]
kind = PointerDeref
file = "HOME/tests/c/tree_max.c"
line = 95
begin = 47
end = 55

[mem_inversion]
name = "Lemma mem_inversion"
behavior = "axiom"
file = "HOME/tests/c/tree_max.c"
line = 62
begin = 6
end = 149

[has_size_non_null]
name = "Lemma has_size_non_null"
behavior = "axiom"
file = "HOME/tests/c/tree_max.c"
line = 71
begin = 6
end = 182

[tree_max_safety]
name = "Function tree_max"
behavior = "Safety"
file = "HOME/tests/c/tree_max.c"
line = 92
begin = 4
end = 12

[JC_29]
kind = PointerDeref
file = "HOME/tests/c/tree_max.c"
line = 94
begin = 46
end = 53

[JC_7]
file = "HOME/tests/c/tree_max.c"
line = 36
begin = 15
end = 35

[JC_16]
file = "HOME/tests/c/tree_max.c"
line = 88
begin = 30
end = 43

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
kind = UserCall
file = "HOME/tests/c/tree_max.c"
line = 95
begin = 38
end = 56

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[mem_root_eq]
name = "Lemma mem_root_eq"
behavior = "axiom"
file = "HOME/tests/c/tree_max.c"
line = 56
begin = 6
end = 99

[has_size_inversion]
name = "Lemma has_size_inversion"
behavior = "axiom"
file = "HOME/tests/c/tree_max.c"
line = 75
begin = 6
end = 287

[JC_21]
file = "HOME/tests/c/tree_max.c"
line = 90
begin = 12
end = 70

[JC_1]
file = "HOME/tests/c/tree_max.jessie/tree_max.jc"
line = 45
begin = 6
end = 9

[JC_37]
kind = UserCall
file = "HOME/tests/c/tree_max.c"
line = 94
begin = 31
end = 55

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[mem_right]
name = "Lemma mem_right"
behavior = "axiom"
file = "HOME/tests/c/tree_max.c"
line = 60
begin = 6
end = 101

[JC_20]
file = "HOME/tests/c/tree_max.c"
line = 90
begin = 30
end = 70

[JC_18]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_3]
file = "HOME/tests/c/tree_max.jessie/tree_max.jc"
line = 45
begin = 6
end = 9

[JC_19]
file = "HOME/tests/c/tree_max.c"
line = 90
begin = 12
end = 26

[JC_30]
kind = UserCall
file = "HOME/tests/c/tree_max.c"
line = 94
begin = 37
end = 54

[JC_28]
kind = PointerDeref
file = "HOME/tests/c/tree_max.c"
line = 94
begin = 6
end = 13

========== file tests/c/tree_max.jessie/why/tree_max.why ==========
type Tree

type charP

type int32

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic Tree_tag:  -> Tree tag_id

axiom Tree_int : (int_of_tag(Tree_tag) = (1))

logic Tree_of_pointer_address: unit pointer -> Tree pointer

axiom Tree_of_pointer_address_of_pointer_addr :
 (forall p:Tree pointer. (p = Tree_of_pointer_address(pointer_address(p))))

axiom Tree_parenttag_bottom : parenttag(Tree_tag, bottom_tag)

axiom Tree_tags :
 (forall x:Tree pointer.
  (forall Tree_tag_table:Tree tag_table.
   instanceof(Tree_tag_table, x, Tree_tag)))

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic has_size: Tree pointer, int, Tree alloc_table,
 (Tree, Tree pointer) memory, (Tree, Tree pointer) memory -> prop

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

predicate left_valid_struct_Tree(p:Tree pointer, a:int,
 Tree_alloc_table:Tree alloc_table) = (offset_min(Tree_alloc_table, p) <= a)

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

logic mem: int32, Tree pointer, (Tree, Tree pointer) memory,
 (Tree, Tree pointer) memory, (Tree, int32) memory -> prop

axiom pointer_addr_of_Tree_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Tree_of_pointer_address(p))))

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_Tree(p:Tree pointer, b:int,
 Tree_alloc_table:Tree alloc_table) = (offset_max(Tree_alloc_table, p) >= b)

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate size_decreases(t1:Tree pointer, t2:Tree pointer,
 Tree_t2_4_alloc_table_at_L:Tree alloc_table,
 Tree_t1_3_alloc_table_at_L:Tree alloc_table,
 Tree_right_t2_4_at_L:(Tree, Tree pointer) memory,
 Tree_right_t1_3_at_L:(Tree, Tree pointer) memory,
 Tree_left_t2_4_at_L:(Tree, Tree pointer) memory,
 Tree_left_t1_3_at_L:(Tree, Tree pointer) memory) =
 (exists s1_1_0:int.
  (exists s2_1_0:int.
   (has_size(t1, s1_1_0, Tree_t1_3_alloc_table_at_L, Tree_right_t1_3_at_L,
    Tree_left_t1_3_at_L)
   and (has_size(t2, s2_1_0, Tree_t2_4_alloc_table_at_L,
        Tree_right_t2_4_at_L, Tree_left_t2_4_at_L)
       and gt_int(s1_1_0, s2_1_0)))))

predicate strict_valid_root_Tree(p:Tree pointer, a:int, b:int,
 Tree_alloc_table:Tree alloc_table) =
 ((offset_min(Tree_alloc_table, p) = a)
 and (offset_max(Tree_alloc_table, p) = b))

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_Tree(p:Tree pointer, a:int, b:int,
 Tree_alloc_table:Tree alloc_table) =
 ((offset_min(Tree_alloc_table, p) = a)
 and (offset_max(Tree_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_Tree(p:Tree pointer, a:int, b:int,
 Tree_alloc_table:Tree alloc_table) =
 ((offset_min(Tree_alloc_table, p) <= a)
 and (offset_max(Tree_alloc_table, p) >= b))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_Tree(p:Tree pointer, a:int, b:int,
 Tree_alloc_table:Tree alloc_table) =
 ((offset_min(Tree_alloc_table, p) <= a)
 and (offset_max(Tree_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_tree(t_8:Tree pointer,
 Tree_t_8_5_alloc_table_at_L:Tree alloc_table,
 Tree_right_t_8_5_at_L:(Tree, Tree pointer) memory,
 Tree_left_t_8_5_at_L:(Tree, Tree pointer) memory) =
 (exists s_1:int.
  has_size(t_8, s_1, Tree_t_8_5_alloc_table_at_L, Tree_right_t_8_5_at_L,
  Tree_left_t_8_5_at_L))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

axiom mem_null :
 (forall Tree_right_t_1_at_L:(Tree, Tree pointer) memory.
  (forall Tree_left_t_1_at_L:(Tree, Tree pointer) memory.
   (forall Tree_value_t_1_at_L:(Tree, int32) memory.
    (forall x_0_0:int32.
     (not mem(x_0_0, null, Tree_right_t_1_at_L, Tree_left_t_1_at_L,
          Tree_value_t_1_at_L))))))

axiom mem_root :
 (forall Tree_right_t_1_at_L:(Tree, Tree pointer) memory.
  (forall Tree_left_t_1_at_L:(Tree, Tree pointer) memory.
   (forall Tree_value_t_1_at_L:(Tree, int32) memory.
    (forall t_0_0:Tree pointer.
     ((t_0_0 <> null) ->
      mem(select(Tree_value_t_1_at_L, t_0_0), t_0_0, Tree_right_t_1_at_L,
      Tree_left_t_1_at_L, Tree_value_t_1_at_L))))))

axiom mem_root_eq :
 (forall Tree_right_t_1_at_L:(Tree, Tree pointer) memory.
  (forall Tree_left_t_1_at_L:(Tree, Tree pointer) memory.
   (forall Tree_value_t_1_at_L:(Tree, int32) memory.
    (forall x_1_0:int32.
     (forall t_1:Tree pointer.
      ((t_1 <> null) ->
       ((integer_of_int32(x_1_0) = integer_of_int32(select(Tree_value_t_1_at_L,
                                                    t_1))) ->
        mem(x_1_0, t_1, Tree_right_t_1_at_L, Tree_left_t_1_at_L,
        Tree_value_t_1_at_L))))))))

axiom mem_left :
 (forall Tree_right_t_1_at_L:(Tree, Tree pointer) memory.
  (forall Tree_left_t_1_at_L:(Tree, Tree pointer) memory.
   (forall Tree_value_t_1_at_L:(Tree, int32) memory.
    (forall x_2:int32.
     (forall t_2:Tree pointer.
      ((t_2 <> null) ->
       (mem(x_2, select(Tree_left_t_1_at_L, t_2), Tree_right_t_1_at_L,
        Tree_left_t_1_at_L, Tree_value_t_1_at_L) ->
        mem(x_2, t_2, Tree_right_t_1_at_L, Tree_left_t_1_at_L,
        Tree_value_t_1_at_L))))))))

axiom mem_right :
 (forall Tree_right_t_1_at_L:(Tree, Tree pointer) memory.
  (forall Tree_left_t_1_at_L:(Tree, Tree pointer) memory.
   (forall Tree_value_t_1_at_L:(Tree, int32) memory.
    (forall x_3:int32.
     (forall t_3:Tree pointer.
      ((t_3 <> null) ->
       (mem(x_3, select(Tree_right_t_1_at_L, t_3), Tree_right_t_1_at_L,
        Tree_left_t_1_at_L, Tree_value_t_1_at_L) ->
        mem(x_3, t_3, Tree_right_t_1_at_L, Tree_left_t_1_at_L,
        Tree_value_t_1_at_L))))))))

axiom mem_inversion :
 (forall Tree_right_t_1_at_L:(Tree, Tree pointer) memory.
  (forall Tree_left_t_1_at_L:(Tree, Tree pointer) memory.
   (forall Tree_value_t_1_at_L:(Tree, int32) memory.
    (forall x_4:int32.
     (forall t_4:Tree pointer.
      (mem(x_4, t_4, Tree_right_t_1_at_L, Tree_left_t_1_at_L,
       Tree_value_t_1_at_L) ->
       ((t_4 <> null)
       and ((integer_of_int32(x_4) = integer_of_int32(select(Tree_value_t_1_at_L,
                                                      t_4)))
           or (mem(x_4, select(Tree_left_t_1_at_L, t_4), Tree_right_t_1_at_L,
               Tree_left_t_1_at_L, Tree_value_t_1_at_L)
              or mem(x_4, select(Tree_right_t_1_at_L, t_4),
                 Tree_right_t_1_at_L, Tree_left_t_1_at_L,
                 Tree_value_t_1_at_L))))))))))

axiom has_size_null :
 (forall Tree_t_5_2_alloc_table_at_L:Tree alloc_table.
  (forall Tree_right_t_5_2_at_L:(Tree, Tree pointer) memory.
   (forall Tree_left_t_5_2_at_L:(Tree, Tree pointer) memory.
    has_size(null, (0), Tree_t_5_2_alloc_table_at_L, Tree_right_t_5_2_at_L,
    Tree_left_t_5_2_at_L))))

axiom has_size_non_null :
 (forall Tree_t_5_2_alloc_table_at_L:Tree alloc_table.
  (forall Tree_right_t_5_2_at_L:(Tree, Tree pointer) memory.
   (forall Tree_left_t_5_2_at_L:(Tree, Tree pointer) memory.
    (forall t_6:Tree pointer.
     ((le_int(offset_min(Tree_t_5_2_alloc_table_at_L, t_6), (0))
      and ge_int(offset_max(Tree_t_5_2_alloc_table_at_L, t_6), (0))) ->
      (forall s1_1:int.
       (forall s2_1:int.
        ((has_size(select(Tree_left_t_5_2_at_L, t_6), s1_1,
          Tree_t_5_2_alloc_table_at_L, Tree_right_t_5_2_at_L,
          Tree_left_t_5_2_at_L)
         and has_size(select(Tree_right_t_5_2_at_L, t_6), s2_1,
             Tree_t_5_2_alloc_table_at_L, Tree_right_t_5_2_at_L,
             Tree_left_t_5_2_at_L)) ->
         has_size(t_6, add_int(add_int(s1_1, s2_1), (1)),
         Tree_t_5_2_alloc_table_at_L, Tree_right_t_5_2_at_L,
         Tree_left_t_5_2_at_L)))))))))

axiom has_size_inversion :
 (forall Tree_t_5_2_alloc_table_at_L:Tree alloc_table.
  (forall Tree_right_t_5_2_at_L:(Tree, Tree pointer) memory.
   (forall Tree_left_t_5_2_at_L:(Tree, Tree pointer) memory.
    (forall t_7:Tree pointer.
     (forall s_0_0:int.
      (has_size(t_7, s_0_0, Tree_t_5_2_alloc_table_at_L,
       Tree_right_t_5_2_at_L, Tree_left_t_5_2_at_L) ->
       (((t_7 = null) and (s_0_0 = (0)))
       or (le_int(offset_min(Tree_t_5_2_alloc_table_at_L, t_7), (0))
          and (ge_int(offset_max(Tree_t_5_2_alloc_table_at_L, t_7), (0))
              and (exists s1_0_0:int.
                   (exists s2_0_0:int.
                    (has_size(select(Tree_left_t_5_2_at_L, t_7), s1_0_0,
                     Tree_t_5_2_alloc_table_at_L, Tree_right_t_5_2_at_L,
                     Tree_left_t_5_2_at_L)
                    and (has_size(select(Tree_right_t_5_2_at_L, t_7), s2_0_0,
                         Tree_t_5_2_alloc_table_at_L, Tree_right_t_5_2_at_L,
                         Tree_left_t_5_2_at_L)
                        and (le_int((0), s1_0_0)
                            and (le_int((0), s2_0_0)
                                and (s_0_0 = add_int(add_int(s1_0_0, s2_0_0),
                                             (1))))))))))))))))))

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter Tree_alloc_table : Tree alloc_table ref

parameter Tree_tag_table : Tree tag_table ref

parameter alloc_struct_Tree :
 n:int ->
  Tree_alloc_table:Tree alloc_table ref ->
   Tree_tag_table:Tree tag_table ref ->
    { } Tree pointer writes Tree_alloc_table,Tree_tag_table
    { (strict_valid_struct_Tree(result, (0), sub_int(n, (1)),
       Tree_alloc_table)
      and (alloc_extends(Tree_alloc_table@, Tree_alloc_table)
          and (alloc_fresh(Tree_alloc_table@, result, n)
              and instanceof(Tree_tag_table, result, Tree_tag)))) }

parameter alloc_struct_Tree_requires :
 n:int ->
  Tree_alloc_table:Tree alloc_table ref ->
   Tree_tag_table:Tree tag_table ref ->
    { ge_int(n, (0))} Tree pointer writes Tree_alloc_table,Tree_tag_table
    { (strict_valid_struct_Tree(result, (0), sub_int(n, (1)),
       Tree_alloc_table)
      and (alloc_extends(Tree_alloc_table@, Tree_alloc_table)
          and (alloc_fresh(Tree_alloc_table@, result, n)
              and instanceof(Tree_tag_table, result, Tree_tag)))) }

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int32 : unit -> { } int32 { true }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter max :
 x_0:int32 ->
  y:int32 ->
   { } int32
   { (JC_7:
     (integer_of_int32(result) = int_max(integer_of_int32(x_0),
                                 integer_of_int32(y)))) }

parameter max_requires :
 x_0:int32 ->
  y:int32 ->
   { } int32
   { (JC_7:
     (integer_of_int32(result) = int_max(integer_of_int32(x_0),
                                 integer_of_int32(y)))) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter tree_max :
 t_0:Tree pointer ->
  Tree_t_6_alloc_table:Tree alloc_table ->
   Tree_right_t_6:(Tree, Tree pointer) memory ->
    Tree_left_t_6:(Tree, Tree pointer) memory ->
     Tree_value_t_6:(Tree, int32) memory ->
      { } int32
      { (JC_24:
        ((JC_22:
         mem(result, t_0, Tree_right_t_6, Tree_left_t_6, Tree_value_t_6))
        and (JC_23:
            (forall x_5:int32.
             (mem(x_5, t_0, Tree_right_t_6, Tree_left_t_6, Tree_value_t_6) ->
              ge_int(integer_of_int32(result), integer_of_int32(x_5))))))) }

parameter tree_max_requires :
 t_0:Tree pointer ->
  Tree_t_6_alloc_table:Tree alloc_table ->
   Tree_right_t_6:(Tree, Tree pointer) memory ->
    Tree_left_t_6:(Tree, Tree pointer) memory ->
     Tree_value_t_6:(Tree, int32) memory ->
      { (JC_13:
        ((JC_11: (t_0 <> null))
        and (JC_12:
            valid_tree(t_0, Tree_t_6_alloc_table, Tree_right_t_6,
            Tree_left_t_6))))}
      int32
      { (JC_24:
        ((JC_22:
         mem(result, t_0, Tree_right_t_6, Tree_left_t_6, Tree_value_t_6))
        and (JC_23:
            (forall x_5:int32.
             (mem(x_5, t_0, Tree_right_t_6, Tree_left_t_6, Tree_value_t_6) ->
              ge_int(integer_of_int32(result), integer_of_int32(x_5))))))) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let tree_max_ensures_default =
 fun (t_0 : Tree pointer) (Tree_t_6_alloc_table : Tree alloc_table) (Tree_value_t_6 : (Tree, int32) memory) (Tree_left_t_6 : (Tree, Tree pointer) memory) (Tree_right_t_6 : (Tree, Tree pointer) memory) ->
  { (JC_17:
    ((JC_15: (t_0 <> null))
    and (JC_16:
        valid_tree(t_0, Tree_t_6_alloc_table, Tree_right_t_6, Tree_left_t_6)))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let m = ref (any_int32 void) in
     (let tmp = ref (any_int32 void) in
     (let tmp_0 = ref (any_int32 void) in
     begin
       (let _jessie_ = (m := ((safe_acc_ Tree_value_t_6) t_0)) in void);
      (if ((safe_neq_pointer ((safe_acc_ Tree_left_t_6) t_0)) null)
      then
       (let _jessie_ =
       begin
         (let _jessie_ =
         (tmp := (let _jessie_ = ((safe_acc_ Tree_left_t_6) t_0) in
                 (JC_36:
                 (((((tree_max _jessie_) Tree_t_6_alloc_table) Tree_right_t_6) Tree_left_t_6) Tree_value_t_6)))) in
         void);
        (m := (let _jessie_ = !m in
              (let _jessie_ = !tmp in
              (JC_37: ((max _jessie_) _jessie_))))); !m end in void)
      else void);
      (if ((safe_neq_pointer ((safe_acc_ Tree_right_t_6) t_0)) null)
      then
       (let _jessie_ =
       begin
         (let _jessie_ =
         (tmp_0 := (let _jessie_ = ((safe_acc_ Tree_right_t_6) t_0) in
                   (JC_38:
                   (((((tree_max _jessie_) Tree_t_6_alloc_table) Tree_right_t_6) Tree_left_t_6) Tree_value_t_6)))) in
         void);
        (m := (let _jessie_ = !m in
              (let _jessie_ = !tmp_0 in
              (JC_39: ((max _jessie_) _jessie_))))); !m end in void)
      else void); (return := !m); (raise Return) end))); absurd  end with
   Return -> !return end))
  { (JC_21:
    ((JC_19: mem(result, t_0, Tree_right_t_6, Tree_left_t_6, Tree_value_t_6))
    and (JC_20:
        (forall x_5:int32.
         (mem(x_5, t_0, Tree_right_t_6, Tree_left_t_6, Tree_value_t_6) ->
          ge_int(integer_of_int32(result), integer_of_int32(x_5))))))) } 

let tree_max_safety =
 fun (t_0 : Tree pointer) (Tree_t_6_alloc_table : Tree alloc_table) (Tree_value_t_6 : (Tree, int32) memory) (Tree_left_t_6 : (Tree, Tree pointer) memory) (Tree_right_t_6 : (Tree, Tree pointer) memory) ->
  { (JC_17:
    ((JC_15: (t_0 <> null))
    and (JC_16:
        valid_tree(t_0, Tree_t_6_alloc_table, Tree_right_t_6, Tree_left_t_6)))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let m = ref (any_int32 void) in
     (let tmp = ref (any_int32 void) in
     (let tmp_0 = ref (any_int32 void) in
     begin
       (let _jessie_ =
       (m := (JC_27: (((acc_ Tree_t_6_alloc_table) Tree_value_t_6) t_0))) in
       void);
      (if ((neq_pointer (JC_28:
                        (((acc_ Tree_t_6_alloc_table) Tree_left_t_6) t_0))) null)
      then
       (let _jessie_ =
       begin
         (let _jessie_ =
         (tmp := (let _jessie_ =
                 (JC_29: (((acc_ Tree_t_6_alloc_table) Tree_left_t_6) t_0)) in
                 (JC_30:
                 (((((tree_max_requires _jessie_) Tree_t_6_alloc_table) Tree_right_t_6) Tree_left_t_6) Tree_value_t_6)))) in
         void);
        (m := (let _jessie_ = !m in
              (let _jessie_ = !tmp in
              (JC_31: ((max_requires _jessie_) _jessie_))))); !m end in
       void) else void);
      (if ((neq_pointer (JC_32:
                        (((acc_ Tree_t_6_alloc_table) Tree_right_t_6) t_0))) null)
      then
       (let _jessie_ =
       begin
         (let _jessie_ =
         (tmp_0 := (let _jessie_ =
                   (JC_33:
                   (((acc_ Tree_t_6_alloc_table) Tree_right_t_6) t_0)) in
                   (JC_34:
                   (((((tree_max_requires _jessie_) Tree_t_6_alloc_table) Tree_right_t_6) Tree_left_t_6) Tree_value_t_6)))) in
         void);
        (m := (let _jessie_ = !m in
              (let _jessie_ = !tmp_0 in
              (JC_35: ((max_requires _jessie_) _jessie_))))); !m end in
       void) else void); (return := !m); (raise Return) end))); absurd  end
   with Return -> !return end)) { true } 


why-2.39/tests/c/oracle/array_double.res.oracle0000644000106100004300000011163413147234006020517 0ustar  marchevals========== file tests/c/array_double.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/



double a[2];
double b[2];
double c[2];


/*@ requires
  \valid(a+(0..1)) &&
  \valid(b+(0..1)) &&
  \valid(c+(0..1)) &&
      \abs(b[0]) <= 1.0 &&
      \abs(b[1]) <= 1.0 &&
      \abs(c[0]) <= 1.0 &&
      \abs(c[1]) <= 1.0 ;
*/
void test() {
  a[0] = b[0] + c[0];
  a[1] = b[1] + c[1];
  //@ assert \abs(a[0] - (b[0] + c[0])) <= 0x1p-53;

}


/*
Local Variables:
compile-command: "make array_double.why3ide"
End:
*/
========== frama-c -jessie execution ==========
[kernel] Parsing FRAMAC_SHARE/libc/__fc_builtin_for_normalization.i (no preprocessing)
[kernel] Parsing tests/c/array_double.c (with preprocessing)
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/array_double.jessie
[jessie] File tests/c/array_double.jessie/array_double.jc written.
[jessie] File tests/c/array_double.jessie/array_double.cloc written.
========== file tests/c/array_double.jessie/array_double.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type int8 = -128..127

tag doubleP = {
  double doubleM: 64;
}

type doubleP = [doubleP]

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

doubleP[0..1] a;

invariant valid_a :
((\offset_min(a) <= 0) && (\offset_max(a) >= 1))

doubleP[0..1] b;

invariant valid_b :
((\offset_min(b) <= 0) && (\offset_max(b) >= 1))

doubleP[0..1] c;

invariant valid_c :
((\offset_min(c) <= 0) && (\offset_max(c) >= 1))

unit test()
  requires (_C_13 : ((((((((_C_20 : (\offset_min(a) <= 0)) &&
                            (_C_21 : (\offset_max(a) >= 1))) &&
                           ((_C_23 : (\offset_min(b) <= 0)) &&
                             (_C_24 : (\offset_max(b) >= 1)))) &&
                          ((_C_26 : (\offset_min(c) <= 0)) &&
                            (_C_27 : (\offset_max(c) >= 1)))) &&
                         (_C_28 : (\real_abs(((b + 0).doubleM :> real)) <=
                                    1.0))) &&
                        (_C_29 : (\real_abs(((b + 1).doubleM :> real)) <=
                                   1.0))) &&
                       (_C_30 : (\real_abs(((c + 0).doubleM :> real)) <= 1.0))) &&
                      (_C_31 : (\real_abs(((c + 1).doubleM :> real)) <= 1.0))));
behavior default:
  ensures (_C_12 : true);
{  
   {  (_C_5 : ((_C_4 : (a + 0).doubleM) = (_C_3 : ((_C_2 : (b + 0).doubleM) +
                                                    (_C_1 : (c + 0).doubleM)))));
      (_C_10 : ((_C_9 : (a + 1).doubleM) = (_C_8 : ((_C_7 : (b + 1).doubleM) +
                                                     (_C_6 : (c + 1).doubleM)))));
      
      {  
         (assert for default: (_C_11 : (jessie : (\real_abs((((a + 0).doubleM :> real) -
                                                              (((b + 0).doubleM :> real) +
                                                                ((c + 0).doubleM :> real)))) <=
                                                   0x1p-53))));
         ()
      };
      
      (return ())
   }
}
========== file tests/c/array_double.jessie/array_double.cloc ==========
[_C_28]
file = "HOME/tests/c/array_double.c"
line = 43
begin = 6
end = 23

[_C_31]
file = "HOME/tests/c/array_double.c"
line = 46
begin = 6
end = 23

[test]
name = "Function test"
file = "HOME/tests/c/array_double.c"
line = 48
begin = 5
end = 9

[_C_4]
file = "HOME/tests/c/array_double.c"
line = 49
begin = 9
end = 20

[_C_23]
file = "HOME/tests/c/array_double.c"
line = 41
begin = 2
end = 18

[_C_19]
file = "HOME/tests/c/array_double.c"
line = 40
begin = 2
end = 18

[_C_13]
file = "HOME/tests/c/array_double.c"
line = 40
begin = 2
end = 170

[_C_5]
file = "HOME/tests/c/array_double.c"
line = 49
begin = 9
end = 20

[_C_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_22]
file = "HOME/tests/c/array_double.c"
line = 41
begin = 2
end = 18

[_C_9]
file = "HOME/tests/c/array_double.c"
line = 50
begin = 9
end = 20

[_C_30]
file = "HOME/tests/c/array_double.c"
line = 45
begin = 6
end = 23

[_C_6]
file = "HOME/tests/c/array_double.c"
line = 50
begin = 16
end = 20

[_C_24]
file = "HOME/tests/c/array_double.c"
line = 41
begin = 2
end = 18

[_C_20]
file = "HOME/tests/c/array_double.c"
line = 40
begin = 2
end = 18

[_C_3]
file = "HOME/tests/c/array_double.c"
line = 49
begin = 9
end = 20

[_C_17]
file = "HOME/tests/c/array_double.c"
line = 40
begin = 2
end = 62

[_C_7]
file = "HOME/tests/c/array_double.c"
line = 50
begin = 9
end = 13

[_C_27]
file = "HOME/tests/c/array_double.c"
line = 42
begin = 2
end = 18

[_C_15]
file = "HOME/tests/c/array_double.c"
line = 40
begin = 2
end = 116

[_C_26]
file = "HOME/tests/c/array_double.c"
line = 42
begin = 2
end = 18

[_C_10]
file = "HOME/tests/c/array_double.c"
line = 50
begin = 9
end = 20

[_C_8]
file = "HOME/tests/c/array_double.c"
line = 50
begin = 9
end = 20

[_C_18]
file = "HOME/tests/c/array_double.c"
line = 40
begin = 2
end = 40

[_C_29]
file = "HOME/tests/c/array_double.c"
line = 44
begin = 6
end = 23

[_C_14]
file = "HOME/tests/c/array_double.c"
line = 40
begin = 2
end = 143

[_C_2]
file = "HOME/tests/c/array_double.c"
line = 49
begin = 9
end = 13

[_C_16]
file = "HOME/tests/c/array_double.c"
line = 40
begin = 2
end = 89

[_C_1]
file = "HOME/tests/c/array_double.c"
line = 49
begin = 16
end = 20

[_C_25]
file = "HOME/tests/c/array_double.c"
line = 42
begin = 2
end = 18

[_C_11]
file = "HOME/tests/c/array_double.c"
line = 51
begin = 18
end = 55

[_C_21]
file = "HOME/tests/c/array_double.c"
line = 40
begin = 2
end = 18

========== jessie execution ==========
Generating Why function test
========== file tests/c/array_double.jessie/array_double.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why $(WHYLIB)/why/floats_strict.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/array_double_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: array_double.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: array_double.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: array_double.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/c/array_double.jessie/array_double.loc ==========
[JC_51]
file = "HOME/tests/c/array_double.c"
line = 51
begin = 18
end = 55

[JC_45]
file = "HOME/tests/c/array_double.c"
line = 48
begin = 5
end = 9

[JC_31]
file = "HOME/tests/c/array_double.c"
line = 48
begin = 5
end = 9

[JC_17]
file = "HOME/tests/c/array_double.c"
line = 48
begin = 5
end = 9

[JC_48]
file = "HOME/tests/c/array_double.c"
line = 51
begin = 18
end = 55

[JC_23]
file = "HOME/tests/c/array_double.c"
line = 41
begin = 2
end = 18

[JC_22]
file = "HOME/tests/c/array_double.c"
line = 41
begin = 2
end = 18

[JC_5]
file = "HOME/tests/c/array_double.c"
line = 40
begin = 2
end = 18

[JC_9]
file = "HOME/tests/c/array_double.c"
line = 42
begin = 2
end = 18

[JC_24]
file = "HOME/tests/c/array_double.c"
line = 42
begin = 2
end = 18

[JC_25]
file = "HOME/tests/c/array_double.c"
line = 42
begin = 2
end = 18

[JC_41]
file = "HOME/tests/c/array_double.c"
line = 48
begin = 5
end = 9

[JC_47]
kind = FPOverflow
file = "HOME/tests/c/array_double.c"
line = 50
begin = 9
end = 20

[JC_26]
file = "HOME/tests/c/array_double.c"
line = 43
begin = 6
end = 23

[JC_8]
file = "HOME/tests/c/array_double.c"
line = 42
begin = 2
end = 18

[JC_13]
file = "HOME/tests/c/array_double.c"
line = 46
begin = 6
end = 23

[JC_11]
file = "HOME/tests/c/array_double.c"
line = 44
begin = 6
end = 23

[JC_15]
file = "HOME/tests/c/array_double.c"
line = 48
begin = 5
end = 9

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_39]
file = "HOME/tests/c/array_double.c"
line = 48
begin = 5
end = 9

[JC_40]
file = "HOME/tests/c/array_double.c"
line = 48
begin = 5
end = 9

[JC_35]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
file = "HOME/tests/c/array_double.c"
line = 44
begin = 6
end = 23

[JC_38]
file = "HOME/tests/c/array_double.c"
line = 48
begin = 5
end = 9

[JC_12]
file = "HOME/tests/c/array_double.c"
line = 45
begin = 6
end = 23

[JC_6]
file = "HOME/tests/c/array_double.c"
line = 41
begin = 2
end = 18

[JC_44]
file = "HOME/tests/c/array_double.c"
line = 48
begin = 5
end = 9

[JC_4]
file = "HOME/tests/c/array_double.c"
line = 40
begin = 2
end = 18

[JC_42]
file = "HOME/tests/c/array_double.c"
line = 48
begin = 5
end = 9

[JC_46]
kind = FPOverflow
file = "HOME/tests/c/array_double.c"
line = 49
begin = 9
end = 20

[JC_32]
file = "HOME/tests/c/array_double.c"
line = 48
begin = 5
end = 9

[JC_33]
file = "HOME/tests/c/array_double.c"
line = 48
begin = 5
end = 9

[JC_29]
file = "HOME/tests/c/array_double.c"
line = 46
begin = 6
end = 23

[JC_7]
file = "HOME/tests/c/array_double.c"
line = 41
begin = 2
end = 18

[JC_16]
file = "HOME/tests/c/array_double.c"
line = 48
begin = 5
end = 9

[JC_43]
file = "HOME/tests/c/array_double.c"
line = 48
begin = 5
end = 9

[test_ensures_default]
name = "Function test"
behavior = "default behavior"
file = "HOME/tests/c/array_double.c"
line = 48
begin = 5
end = 9

[JC_34]
file = "HOME/tests/c/array_double.c"
line = 48
begin = 5
end = 9

[JC_14]
file = "HOME/tests/c/array_double.c"
line = 40
begin = 2
end = 170

[JC_21]
file = "HOME/tests/c/array_double.c"
line = 40
begin = 2
end = 18

[JC_49]
kind = FPOverflow
file = "HOME/tests/c/array_double.c"
line = 49
begin = 9
end = 20

[JC_37]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_10]
file = "HOME/tests/c/array_double.c"
line = 43
begin = 6
end = 23

[test_safety]
name = "Function test"
behavior = "Safety"
file = "HOME/tests/c/array_double.c"
line = 48
begin = 5
end = 9

[JC_20]
file = "HOME/tests/c/array_double.c"
line = 40
begin = 2
end = 18

[JC_18]
file = "HOME/tests/c/array_double.c"
line = 48
begin = 5
end = 9

[JC_19]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_50]
kind = FPOverflow
file = "HOME/tests/c/array_double.c"
line = 50
begin = 9
end = 20

[JC_30]
file = "HOME/tests/c/array_double.c"
line = 40
begin = 2
end = 170

[JC_28]
file = "HOME/tests/c/array_double.c"
line = 45
begin = 6
end = 23

========== file tests/c/array_double.jessie/why/array_double.why ==========
type a_1

type b_2

type c_3

type charP

type doubleP

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic a:  -> doubleP pointer

logic b:  -> doubleP pointer

logic c:  -> doubleP pointer

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic doubleP_tag:  -> doubleP tag_id

axiom doubleP_int : (int_of_tag(doubleP_tag) = (1))

logic doubleP_of_pointer_address: unit pointer -> doubleP pointer

axiom doubleP_of_pointer_address_of_pointer_addr :
 (forall p:doubleP pointer.
  (p = doubleP_of_pointer_address(pointer_address(p))))

axiom doubleP_parenttag_bottom : parenttag(doubleP_tag, bottom_tag)

axiom doubleP_tags :
 (forall x:doubleP pointer.
  (forall doubleP_tag_table:doubleP tag_table.
   instanceof(doubleP_tag_table, x, doubleP_tag)))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_doubleP(p:doubleP pointer, a:int,
 doubleP_alloc_table:doubleP alloc_table) =
 (offset_min(doubleP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

axiom pointer_addr_of_doubleP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(doubleP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_doubleP(p:doubleP pointer, b:int,
 doubleP_alloc_table:doubleP alloc_table) =
 (offset_max(doubleP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_doubleP(p:doubleP pointer, a:int, b:int,
 doubleP_alloc_table:doubleP alloc_table) =
 ((offset_min(doubleP_alloc_table, p) = a)
 and (offset_max(doubleP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_doubleP(p:doubleP pointer, a:int, b:int,
 doubleP_alloc_table:doubleP alloc_table) =
 ((offset_min(doubleP_alloc_table, p) = a)
 and (offset_max(doubleP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_a(doubleP_a_1_alloc_table:doubleP alloc_table) =
 (le_int(offset_min(doubleP_a_1_alloc_table, a), (0))
 and ge_int(offset_max(doubleP_a_1_alloc_table, a), (1)))

predicate valid_b(doubleP_b_2_alloc_table:doubleP alloc_table) =
 (le_int(offset_min(doubleP_b_2_alloc_table, b), (0))
 and ge_int(offset_max(doubleP_b_2_alloc_table, b), (1)))

predicate valid_c(doubleP_c_3_alloc_table:doubleP alloc_table) =
 (le_int(offset_min(doubleP_c_3_alloc_table, c), (0))
 and ge_int(offset_max(doubleP_c_3_alloc_table, c), (1)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_doubleP(p:doubleP pointer, a:int, b:int,
 doubleP_alloc_table:doubleP alloc_table) =
 ((offset_min(doubleP_alloc_table, p) <= a)
 and (offset_max(doubleP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_doubleP(p:doubleP pointer, a:int, b:int,
 doubleP_alloc_table:doubleP alloc_table) =
 ((offset_min(doubleP_alloc_table, p) <= a)
 and (offset_max(doubleP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter doubleP_alloc_table : doubleP alloc_table ref

parameter doubleP_tag_table : doubleP tag_table ref

parameter alloc_struct_doubleP :
 n:int ->
  doubleP_alloc_table:doubleP alloc_table ref ->
   doubleP_tag_table:doubleP tag_table ref ->
    { } doubleP pointer writes doubleP_alloc_table,doubleP_tag_table
    { (strict_valid_struct_doubleP(result, (0), sub_int(n, (1)),
       doubleP_alloc_table)
      and (alloc_extends(doubleP_alloc_table@, doubleP_alloc_table)
          and (alloc_fresh(doubleP_alloc_table@, result, n)
              and instanceof(doubleP_tag_table, result, doubleP_tag)))) }

parameter alloc_struct_doubleP_requires :
 n:int ->
  doubleP_alloc_table:doubleP alloc_table ref ->
   doubleP_tag_table:doubleP tag_table ref ->
    { ge_int(n, (0))} doubleP pointer
    writes doubleP_alloc_table,doubleP_tag_table
    { (strict_valid_struct_doubleP(result, (0), sub_int(n, (1)),
       doubleP_alloc_table)
      and (alloc_extends(doubleP_alloc_table@, doubleP_alloc_table)
          and (alloc_fresh(doubleP_alloc_table@, result, n)
              and instanceof(doubleP_tag_table, result, doubleP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter doubleP_a_1_alloc_table : doubleP alloc_table ref

parameter doubleP_b_2_alloc_table : doubleP alloc_table ref

parameter doubleP_c_3_alloc_table : doubleP alloc_table ref

parameter doubleP_doubleM_a_1 : (doubleP, double) memory ref

parameter doubleP_doubleM_b_2 : (doubleP, double) memory ref

parameter doubleP_doubleM_c_3 : (doubleP, double) memory ref

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter test :
 tt:unit ->
  { } unit
  reads doubleP_a_1_alloc_table,doubleP_b_2_alloc_table,doubleP_c_3_alloc_table,doubleP_doubleM_a_1,doubleP_doubleM_b_2,doubleP_doubleM_c_3
  writes doubleP_doubleM_a_1
  { (JC_45:
    ((JC_42: valid_c(doubleP_c_3_alloc_table))
    and ((JC_43: valid_b(doubleP_b_2_alloc_table))
        and (JC_44: valid_a(doubleP_a_1_alloc_table))))) }

parameter test_requires :
 tt:unit ->
  { (JC_18:
    ((JC_14:
     ((JC_4: le_int(offset_min(doubleP_a_1_alloc_table, a), (0)))
     and ((JC_5: ge_int(offset_max(doubleP_a_1_alloc_table, a), (1)))
         and ((JC_6: le_int(offset_min(doubleP_b_2_alloc_table, b), (0)))
             and ((JC_7: ge_int(offset_max(doubleP_b_2_alloc_table, b), (1)))
                 and ((JC_8:
                      le_int(offset_min(doubleP_c_3_alloc_table, c), (0)))
                     and ((JC_9:
                          ge_int(offset_max(doubleP_c_3_alloc_table, c), (1)))
                         and ((JC_10:
                              le_real(abs_real(double_value(select(doubleP_doubleM_b_2,
                                                            shift(b, (0))))),
                              1.0))
                             and ((JC_11:
                                  le_real(abs_real(double_value(select(doubleP_doubleM_b_2,
                                                                shift(b, (1))))),
                                  1.0))
                                 and ((JC_12:
                                      le_real(abs_real(double_value(select(doubleP_doubleM_c_3,
                                                                    shift(c,
                                                                    (0))))),
                                      1.0))
                                     and (JC_13:
                                         le_real(abs_real(double_value(
                                                          select(doubleP_doubleM_c_3,
                                                          shift(c, (1))))),
                                         1.0))))))))))))
    and ((JC_15: valid_c(doubleP_c_3_alloc_table))
        and ((JC_16: valid_b(doubleP_b_2_alloc_table))
            and (JC_17: valid_a(doubleP_a_1_alloc_table))))))}
  unit
  reads doubleP_a_1_alloc_table,doubleP_b_2_alloc_table,doubleP_c_3_alloc_table,doubleP_doubleM_a_1,doubleP_doubleM_b_2,doubleP_doubleM_c_3
  writes doubleP_doubleM_a_1
  { (JC_45:
    ((JC_42: valid_c(doubleP_c_3_alloc_table))
    and ((JC_43: valid_b(doubleP_b_2_alloc_table))
        and (JC_44: valid_a(doubleP_a_1_alloc_table))))) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let test_ensures_default =
 fun (tt : unit) ->
  { (JC_34:
    ((JC_30:
     ((JC_20: le_int(offset_min(doubleP_a_1_alloc_table, a), (0)))
     and ((JC_21: ge_int(offset_max(doubleP_a_1_alloc_table, a), (1)))
         and ((JC_22: le_int(offset_min(doubleP_b_2_alloc_table, b), (0)))
             and ((JC_23:
                  ge_int(offset_max(doubleP_b_2_alloc_table, b), (1)))
                 and ((JC_24:
                      le_int(offset_min(doubleP_c_3_alloc_table, c), (0)))
                     and ((JC_25:
                          ge_int(offset_max(doubleP_c_3_alloc_table, c), (1)))
                         and ((JC_26:
                              le_real(abs_real(double_value(select(doubleP_doubleM_b_2,
                                                            shift(b, (0))))),
                              1.0))
                             and ((JC_27:
                                  le_real(abs_real(double_value(select(doubleP_doubleM_b_2,
                                                                shift(b, (1))))),
                                  1.0))
                                 and ((JC_28:
                                      le_real(abs_real(double_value(select(doubleP_doubleM_c_3,
                                                                    shift(c,
                                                                    (0))))),
                                      1.0))
                                     and (JC_29:
                                         le_real(abs_real(double_value(
                                                          select(doubleP_doubleM_c_3,
                                                          shift(c, (1))))),
                                         1.0))))))))))))
    and ((JC_31: valid_c(doubleP_c_3_alloc_table))
        and ((JC_32: valid_b(doubleP_b_2_alloc_table))
            and (JC_33: valid_a(doubleP_a_1_alloc_table)))))) }
  (init:
  try
   begin
     (let _jessie_ =
     (JC_49:
     (((add_double_safe nearest_even) ((safe_acc_ !doubleP_doubleM_b_2) 
                                       ((shift b) (0)))) ((safe_acc_ !doubleP_doubleM_c_3) 
                                                          ((shift c) (0))))) in
     (let _jessie_ = a in
     (let _jessie_ =
     (JC_50:
     (((add_double_safe nearest_even) ((safe_acc_ !doubleP_doubleM_b_2) 
                                       ((shift b) (1)))) ((safe_acc_ !doubleP_doubleM_c_3) 
                                                          ((shift c) (1))))) in
     (let _jessie_ = a in
     (let _jessie_ = (1) in
     (let _jessie_ = ((shift _jessie_) _jessie_) in
     [ { } unit reads doubleP_a_1_alloc_table,doubleP_doubleM_a_1
       writes doubleP_doubleM_a_1
       { (not_assigns(doubleP_a_1_alloc_table, doubleP_doubleM_a_1@,
          doubleP_doubleM_a_1,
          pset_range(pset_singleton(_jessie_), (0), (1)))
         and ((select(doubleP_doubleM_a_1, shift(_jessie_, (0))) = _jessie_)
             and (select(doubleP_doubleM_a_1, shift(_jessie_, (1))) = _jessie_))) } ]))))));
    (assert
    { (JC_51:
      le_real(abs_real(sub_real(double_value(select(doubleP_doubleM_a_1,
                                             shift(a, (0)))),
                       add_real(double_value(select(doubleP_doubleM_b_2,
                                             shift(b, (0)))),
                       double_value(select(doubleP_doubleM_c_3,
                                    shift(c, (0))))))),
      0x1p-53)) }; void); void; (raise Return); (raise Return) end with
   Return -> void end) { (JC_36: true) } 

let test_safety =
 fun (tt : unit) ->
  { (JC_34:
    ((JC_30:
     ((JC_20: le_int(offset_min(doubleP_a_1_alloc_table, a), (0)))
     and ((JC_21: ge_int(offset_max(doubleP_a_1_alloc_table, a), (1)))
         and ((JC_22: le_int(offset_min(doubleP_b_2_alloc_table, b), (0)))
             and ((JC_23:
                  ge_int(offset_max(doubleP_b_2_alloc_table, b), (1)))
                 and ((JC_24:
                      le_int(offset_min(doubleP_c_3_alloc_table, c), (0)))
                     and ((JC_25:
                          ge_int(offset_max(doubleP_c_3_alloc_table, c), (1)))
                         and ((JC_26:
                              le_real(abs_real(double_value(select(doubleP_doubleM_b_2,
                                                            shift(b, (0))))),
                              1.0))
                             and ((JC_27:
                                  le_real(abs_real(double_value(select(doubleP_doubleM_b_2,
                                                                shift(b, (1))))),
                                  1.0))
                                 and ((JC_28:
                                      le_real(abs_real(double_value(select(doubleP_doubleM_c_3,
                                                                    shift(c,
                                                                    (0))))),
                                      1.0))
                                     and (JC_29:
                                         le_real(abs_real(double_value(
                                                          select(doubleP_doubleM_c_3,
                                                          shift(c, (1))))),
                                         1.0))))))))))))
    and ((JC_31: valid_c(doubleP_c_3_alloc_table))
        and ((JC_32: valid_b(doubleP_b_2_alloc_table))
            and (JC_33: valid_a(doubleP_a_1_alloc_table)))))) }
  (init:
  try
   begin
     (let _jessie_ =
     (JC_46:
     (((add_double nearest_even) ((safe_acc_ !doubleP_doubleM_b_2) ((shift b) (0)))) 
      ((safe_acc_ !doubleP_doubleM_c_3) ((shift c) (0))))) in
     (let _jessie_ = a in
     (let _jessie_ =
     (JC_47:
     (((add_double nearest_even) ((safe_acc_ !doubleP_doubleM_b_2) ((shift b) (1)))) 
      ((safe_acc_ !doubleP_doubleM_c_3) ((shift c) (1))))) in
     (let _jessie_ = a in
     (let _jessie_ = (1) in
     (let _jessie_ = ((shift _jessie_) _jessie_) in
     [ { } unit reads doubleP_a_1_alloc_table,doubleP_doubleM_a_1
       writes doubleP_doubleM_a_1
       { (not_assigns(doubleP_a_1_alloc_table, doubleP_doubleM_a_1@,
          doubleP_doubleM_a_1,
          pset_range(pset_singleton(_jessie_), (0), (1)))
         and ((select(doubleP_doubleM_a_1, shift(_jessie_, (0))) = _jessie_)
             and (select(doubleP_doubleM_a_1, shift(_jessie_, (1))) = _jessie_))) } ]))))));
    [ { } unit
      reads doubleP_doubleM_a_1,doubleP_doubleM_b_2,doubleP_doubleM_c_3
      { (JC_48:
        le_real(abs_real(sub_real(double_value(select(doubleP_doubleM_a_1,
                                               shift(a, (0)))),
                         add_real(double_value(select(doubleP_doubleM_b_2,
                                               shift(b, (0)))),
                         double_value(select(doubleP_doubleM_c_3,
                                      shift(c, (0))))))),
        0x1p-53)) } ]; void; (raise Return); (raise Return) end with
   Return -> void end)
  { (JC_41:
    ((JC_38: valid_c(doubleP_c_3_alloc_table))
    and ((JC_39: valid_b(doubleP_b_2_alloc_table))
        and (JC_40: valid_a(doubleP_a_1_alloc_table))))) } 


why-2.39/tests/c/oracle/flag.err.oracle0000644000106100004300000000000013147234006016737 0ustar  marchevalswhy-2.39/tests/c/oracle/binary_search_wrong.res.oracle0000644000106100004300000014714013147234006022075 0ustar  marchevals========== file tests/c/binary_search_wrong.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

// RUNSIMPLIFY this tells regtests to run Simplify in this example

//@ lemma mean: \forall integer x, y; x <= y ==> x <= (x+y)/2 <= y;

/*@ predicate sorted{L}(long *t, integer a, integer b) =
  @    \forall integer i,j; a <= i <= j <= b ==> t[i] <= t[j];
  @*/

/*@ requires n >= 0 && \valid(t+(0..n-1));
  @ ensures -1 <= \result < n;
  @ behavior success:
  @   ensures \result >= 0 ==> t[\result] == v;
  @ behavior failure:
  @   assumes sorted(t,0,n-1);
  @   ensures \result == -1 ==>
  @     \forall integer k; 0 <= k < n ==> t[k] != v;
  @*/
int binary_search(long t[], int n, long v) {
  int l = 0, u = n-1;
  /*@ loop invariant
    @   0 <= l && u <= n-1;
    @ for failure:
    @   loop invariant
    @   \forall integer k; 0 <= k < n && t[k] == v ==> l <= k <= u;
    @ loop variant u-l;
    @*/
  while (l <= u ) {
    int m = (l + u) / 2;
    //@ assert l <= m <= u;
    if (t[m] < v) l = m + 1;
    else if (t[m] > v) u = m - 1;
    else return m;
  }
  return -1;
}

/*
Local Variables:
compile-command: "make binary_search_wrong.why3ide"
End:
*/
========== frama-c -jessie execution ==========
[kernel] Parsing FRAMAC_SHARE/libc/__fc_builtin_for_normalization.i (no preprocessing)
[kernel] Parsing tests/c/binary_search_wrong.c (with preprocessing)
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/binary_search_wrong.jessie
[jessie] File tests/c/binary_search_wrong.jessie/binary_search_wrong.jc written.
[jessie] File tests/c/binary_search_wrong.jessie/binary_search_wrong.cloc written.
========== file tests/c/binary_search_wrong.jessie/binary_search_wrong.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type int8 = -128..127

type int32 = -2147483648..2147483647

tag longP = {
  int32 longM: 32;
}

type longP = [longP]

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

lemma mean :
(\forall integer x;
  (\forall integer y;
    ((x <= y) ==> ((x <= ((x + y) / 2)) && (((x + y) / 2) <= y)))))

predicate sorted{L}(longP[..] t, integer a, integer b) =
(\forall integer i_1;
  (\forall integer j_0;
    ((((a <= i_1) && (i_1 <= j_0)) && (j_0 <= b)) ==>
      ((t + i_1).longM <= (t + j_0).longM))))

int32 binary_search(longP[..] t, int32 n_1, int32 v)
  requires (_C_33 : ((_C_34 : (n_1 >= 0)) &&
                      ((_C_36 : (\offset_min(t) <= 0)) &&
                        (_C_37 : (\offset_max(t) >= (n_1 - 1))))));
behavior default:
  ensures (_C_28 : ((_C_29 : ((- 1) <= \result)) &&
                     (_C_30 : (\result < \at(n_1,Old)))));
behavior success:
  ensures (_C_31 : ((\result >= 0) ==>
                     ((\at(t,Old) + \result).longM == \at(v,Old))));
behavior failure:
  assumes sorted{Here}(t, 0, (n_1 - 1));
  ensures (_C_32 : ((\result == (- 1)) ==>
                     (\forall integer k_0;
                       (((0 <= k_0) && (k_0 < \at(n_1,Old))) ==>
                         ((\at(t,Old) + k_0).longM != \at(v,Old))))));
{  
   (var int32 l);
   
   (var int32 u);
   
   (var int32 m);
   
   (var int32 __retres);
   
   {  (_C_1 : (l = 0));
      (_C_4 : (u = (_C_3 : ((_C_2 : (n_1 - 1)) :> int32))));
      
      loop 
      behavior default:
        invariant (_C_7 : ((_C_8 : (0 <= l)) && (_C_9 : (u <= (n_1 - 1)))));
      behavior failure:
        invariant (_C_6 : (\forall integer k;
                            ((((0 <= k) && (k < n_1)) &&
                               ((t + k).longM == v)) ==>
                              ((l <= k) && (k <= u)))));
      variant (_C_5 : (u - l));
      while (true)
      {  
         {  (if (l <= u) then () else 
            (goto while_0_break));
            
            {  (_C_14 : (m = (_C_13 : ((_C_12 : ((_C_11 : ((_C_10 : (l + u)) :> int32)) /
                                                  2)) :> int32))));
               
               {  
                  (assert for default: (_C_15 : (jessie : ((l <= m) &&
                                                            (m <= u)))));
                  ()
               };
               
               {  (if ((_C_26 : (_C_25 : (t + m)).longM) < v) then (_C_24 : (l = 
                                                                   (_C_23 : (
                                                                   (_C_22 : 
                                                                   (m +
                                                                    1)) :> int32)))) else 
                  (if ((_C_21 : (_C_20 : (t + m)).longM) > v) then (_C_19 : (u = 
                                                                   (_C_18 : (
                                                                   (_C_17 : 
                                                                   (m -
                                                                    1)) :> int32)))) else 
                  {  (_C_16 : (__retres = m));
                     
                     (goto return_label)
                  }))
               }
            }
         }
      };
      (while_0_break : ());
      (_C_27 : (__retres = -1));
      (return_label : 
      (return __retres))
   }
}
========== file tests/c/binary_search_wrong.jessie/binary_search_wrong.cloc ==========
[_C_35]
file = "HOME/tests/c/binary_search_wrong.c"
line = 40
begin = 26
end = 44

[_C_28]
file = "HOME/tests/c/binary_search_wrong.c"
line = 41
begin = 12
end = 29

[_C_31]
file = "HOME/tests/c/binary_search_wrong.c"
line = 43
begin = 14
end = 46

[mean]
name = "Lemma mean"
file = "HOME/tests/c/binary_search_wrong.c"
line = 34
begin = 7
end = 70

[_C_4]
file = "HOME/tests/c/binary_search_wrong.c"
line = 50
begin = 2
end = 5

[_C_32]
file = "HOME/tests/c/binary_search_wrong.c"
line = 46
begin = 14
end = 83

[_C_23]
file = "HOME/tests/c/binary_search_wrong.c"
line = 61
begin = 22
end = 27

[_C_19]
file = "HOME/tests/c/binary_search_wrong.c"
line = 62
begin = 27
end = 32

[_C_13]
file = "HOME/tests/c/binary_search_wrong.c"
line = 59
begin = 12
end = 23

[_C_5]
file = "HOME/tests/c/binary_search_wrong.c"
line = 56
begin = 19
end = 22

[_C_36]
file = "HOME/tests/c/binary_search_wrong.c"
line = 40
begin = 26
end = 44

[_C_12]
file = "HOME/tests/c/binary_search_wrong.c"
line = 59
begin = 12
end = 23

[_C_33]
file = "HOME/tests/c/binary_search_wrong.c"
line = 40
begin = 16
end = 44

[_C_22]
file = "HOME/tests/c/binary_search_wrong.c"
line = 61
begin = 22
end = 27

[binary_search]
name = "Function binary_search"
file = "HOME/tests/c/binary_search_wrong.c"
line = 49
begin = 4
end = 17

[_C_9]
file = "HOME/tests/c/binary_search_wrong.c"
line = 52
begin = 18
end = 26

[_C_30]
file = "HOME/tests/c/binary_search_wrong.c"
line = 41
begin = 18
end = 29

[_C_6]
file = "HOME/tests/c/binary_search_wrong.c"
line = 55
begin = 8
end = 66

[_C_24]
file = "HOME/tests/c/binary_search_wrong.c"
line = 61
begin = 22
end = 27

[_C_20]
file = "HOME/tests/c/binary_search_wrong.c"
line = 62
begin = 13
end = 14

[_C_3]
file = "HOME/tests/c/binary_search_wrong.c"
line = 50
begin = 17
end = 20

[_C_17]
file = "HOME/tests/c/binary_search_wrong.c"
line = 62
begin = 27
end = 32

[_C_7]
file = "HOME/tests/c/binary_search_wrong.c"
line = 52
begin = 8
end = 26

[_C_27]
file = "HOME/tests/c/binary_search_wrong.c"
line = 65
begin = 2
end = 12

[_C_15]
file = "HOME/tests/c/binary_search_wrong.c"
line = 60
begin = 22
end = 33

[_C_26]
file = "HOME/tests/c/binary_search_wrong.c"
line = 61
begin = 8
end = 12

[_C_10]
file = "HOME/tests/c/binary_search_wrong.c"
line = 59
begin = 13
end = 18

[_C_8]
file = "HOME/tests/c/binary_search_wrong.c"
line = 52
begin = 8
end = 14

[_C_18]
file = "HOME/tests/c/binary_search_wrong.c"
line = 62
begin = 27
end = 32

[_C_29]
file = "HOME/tests/c/binary_search_wrong.c"
line = 41
begin = 12
end = 25

[_C_14]
file = "HOME/tests/c/binary_search_wrong.c"
line = 59
begin = 4
end = 7

[_C_37]
file = "HOME/tests/c/binary_search_wrong.c"
line = 40
begin = 26
end = 44

[_C_2]
file = "HOME/tests/c/binary_search_wrong.c"
line = 50
begin = 17
end = 20

[_C_34]
file = "HOME/tests/c/binary_search_wrong.c"
line = 40
begin = 16
end = 22

[_C_16]
file = "HOME/tests/c/binary_search_wrong.c"
line = 63
begin = 9
end = 18

[_C_1]
file = "HOME/tests/c/binary_search_wrong.c"
line = 50
begin = 2
end = 5

[_C_25]
file = "HOME/tests/c/binary_search_wrong.c"
line = 61
begin = 8
end = 9

[_C_11]
file = "HOME/tests/c/binary_search_wrong.c"
line = 59
begin = 13
end = 18

[_C_21]
file = "HOME/tests/c/binary_search_wrong.c"
line = 62
begin = 13
end = 17

========== jessie execution ==========
Generating Why function binary_search
========== file tests/c/binary_search_wrong.jessie/binary_search_wrong.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/binary_search_wrong_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: binary_search_wrong.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: binary_search_wrong.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: binary_search_wrong.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/c/binary_search_wrong.jessie/binary_search_wrong.loc ==========
[JC_63]
file = "HOME/tests/c/binary_search_wrong.c"
line = 60
begin = 22
end = 33

[JC_51]
file = "HOME/tests/c/binary_search_wrong.jessie/binary_search_wrong.jc"
line = 81
begin = 6
end = 1876

[binary_search_ensures_default]
name = "Function binary_search"
behavior = "default behavior"
file = "HOME/tests/c/binary_search_wrong.c"
line = 49
begin = 4
end = 17

[JC_45]
kind = DivByZero
file = "HOME/tests/c/binary_search_wrong.c"
line = 59
begin = 12
end = 23

[mean]
name = "Lemma mean"
behavior = "lemma"
file = "HOME/tests/c/binary_search_wrong.c"
line = 34
begin = 7
end = 70

[JC_31]
kind = DivByZero
file = "HOME/tests/c/binary_search_wrong.c"
line = 59
begin = 12
end = 23

[JC_17]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_55]
file = "HOME/tests/c/binary_search_wrong.c"
line = 55
begin = 8
end = 66

[JC_48]
file = "HOME/tests/c/binary_search_wrong.c"
line = 52
begin = 18
end = 26

[JC_23]
kind = ArithOverflow
file = "HOME/tests/c/binary_search_wrong.c"
line = 50
begin = 17
end = 20

[JC_22]
file = "HOME/tests/c/binary_search_wrong.c"
line = 46
begin = 14
end = 83

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_9]
file = "HOME/tests/c/binary_search_wrong.c"
line = 40
begin = 16
end = 44

[JC_24]
file = "HOME/tests/c/binary_search_wrong.c"
line = 52
begin = 8
end = 14

[JC_25]
file = "HOME/tests/c/binary_search_wrong.c"
line = 52
begin = 18
end = 26

[JC_41]
file = "HOME/tests/c/binary_search_wrong.c"
line = 52
begin = 8
end = 26

[JC_47]
file = "HOME/tests/c/binary_search_wrong.c"
line = 52
begin = 8
end = 14

[JC_52]
file = "HOME/tests/c/binary_search_wrong.jessie/binary_search_wrong.jc"
line = 81
begin = 6
end = 1876

[JC_26]
file = "HOME/tests/c/binary_search_wrong.c"
line = 52
begin = 8
end = 26

[JC_8]
file = "HOME/tests/c/binary_search_wrong.c"
line = 40
begin = 26
end = 44

[JC_54]
file = "HOME/tests/c/binary_search_wrong.c"
line = 60
begin = 22
end = 33

[JC_13]
file = "HOME/tests/c/binary_search_wrong.c"
line = 41
begin = 12
end = 29

[binary_search_ensures_success]
name = "Function binary_search"
behavior = "Behavior `success'"
file = "HOME/tests/c/binary_search_wrong.c"
line = 49
begin = 4
end = 17

[binary_search_ensures_failure]
name = "Function binary_search"
behavior = "Behavior `failure'"
file = "HOME/tests/c/binary_search_wrong.c"
line = 49
begin = 4
end = 17

[JC_11]
file = "HOME/tests/c/binary_search_wrong.c"
line = 41
begin = 12
end = 25

[JC_15]
file = "HOME/tests/c/binary_search_wrong.c"
line = 41
begin = 18
end = 29

[JC_36]
kind = PointerDeref
file = "HOME/tests/c/binary_search_wrong.c"
line = 62
begin = 13
end = 17

[JC_39]
file = "HOME/tests/c/binary_search_wrong.c"
line = 52
begin = 8
end = 14

[JC_40]
file = "HOME/tests/c/binary_search_wrong.c"
line = 52
begin = 18
end = 26

[JC_35]
kind = ArithOverflow
file = "HOME/tests/c/binary_search_wrong.c"
line = 61
begin = 22
end = 27

[JC_27]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_38]
file = "HOME/tests/c/binary_search_wrong.c"
line = 56
begin = 19
end = 22

[JC_12]
file = "HOME/tests/c/binary_search_wrong.c"
line = 41
begin = 18
end = 29

[JC_6]
file = "HOME/tests/c/binary_search_wrong.c"
line = 40
begin = 16
end = 22

[JC_44]
file = "HOME/tests/c/binary_search_wrong.jessie/binary_search_wrong.jc"
line = 81
begin = 6
end = 1876

[JC_4]
file = "HOME/tests/c/binary_search_wrong.c"
line = 40
begin = 16
end = 44

[JC_62]
kind = DivByZero
file = "HOME/tests/c/binary_search_wrong.c"
line = 59
begin = 12
end = 23

[JC_42]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_46]
file = "HOME/tests/c/binary_search_wrong.c"
line = 60
begin = 22
end = 33

[JC_61]
file = "HOME/tests/c/binary_search_wrong.jessie/binary_search_wrong.jc"
line = 81
begin = 6
end = 1876

[JC_32]
kind = ArithOverflow
file = "HOME/tests/c/binary_search_wrong.c"
line = 59
begin = 12
end = 23

[JC_56]
file = "HOME/tests/c/binary_search_wrong.c"
line = 52
begin = 8
end = 14

[JC_33]
file = "HOME/tests/c/binary_search_wrong.c"
line = 60
begin = 22
end = 33

[JC_29]
file = "HOME/tests/c/binary_search_wrong.jessie/binary_search_wrong.jc"
line = 81
begin = 6
end = 1876

[JC_7]
file = "HOME/tests/c/binary_search_wrong.c"
line = 40
begin = 26
end = 44

[JC_16]
file = "HOME/tests/c/binary_search_wrong.c"
line = 41
begin = 12
end = 29

[JC_43]
file = "HOME/tests/c/binary_search_wrong.jessie/binary_search_wrong.jc"
line = 81
begin = 6
end = 1876

[JC_2]
file = "HOME/tests/c/binary_search_wrong.c"
line = 40
begin = 26
end = 44

[JC_34]
kind = PointerDeref
file = "HOME/tests/c/binary_search_wrong.c"
line = 61
begin = 8
end = 12

[JC_14]
file = "HOME/tests/c/binary_search_wrong.c"
line = 41
begin = 12
end = 25

[JC_53]
kind = DivByZero
file = "HOME/tests/c/binary_search_wrong.c"
line = 59
begin = 12
end = 23

[JC_21]
file = "HOME/tests/c/binary_search_wrong.c"
line = 46
begin = 14
end = 83

[JC_49]
file = "HOME/tests/c/binary_search_wrong.c"
line = 52
begin = 8
end = 26

[JC_1]
file = "HOME/tests/c/binary_search_wrong.c"
line = 40
begin = 16
end = 22

[JC_37]
kind = ArithOverflow
file = "HOME/tests/c/binary_search_wrong.c"
line = 62
begin = 27
end = 32

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_57]
file = "HOME/tests/c/binary_search_wrong.c"
line = 52
begin = 18
end = 26

[JC_59]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_20]
file = "HOME/tests/c/binary_search_wrong.c"
line = 43
begin = 14
end = 46

[JC_18]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_3]
file = "HOME/tests/c/binary_search_wrong.c"
line = 40
begin = 26
end = 44

[JC_60]
file = "HOME/tests/c/binary_search_wrong.jessie/binary_search_wrong.jc"
line = 81
begin = 6
end = 1876

[JC_19]
file = "HOME/tests/c/binary_search_wrong.c"
line = 43
begin = 14
end = 46

[JC_50]
file = "HOME/"
line = 0
begin = -1
end = -1

[binary_search_safety]
name = "Function binary_search"
behavior = "Safety"
file = "HOME/tests/c/binary_search_wrong.c"
line = 49
begin = 4
end = 17

[JC_30]
kind = ArithOverflow
file = "HOME/tests/c/binary_search_wrong.c"
line = 59
begin = 13
end = 18

[JC_58]
file = "HOME/tests/c/binary_search_wrong.c"
line = 52
begin = 8
end = 26

[JC_28]
file = "HOME/tests/c/binary_search_wrong.jessie/binary_search_wrong.jc"
line = 81
begin = 6
end = 1876

========== file tests/c/binary_search_wrong.jessie/why/binary_search_wrong.why ==========
type charP

type int32

type int8

type longP

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_longP(p:longP pointer, a:int,
 longP_alloc_table:longP alloc_table) =
 (offset_min(longP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

logic longP_tag:  -> longP tag_id

axiom longP_int : (int_of_tag(longP_tag) = (1))

logic longP_of_pointer_address: unit pointer -> longP pointer

axiom longP_of_pointer_address_of_pointer_addr :
 (forall p:longP pointer. (p = longP_of_pointer_address(pointer_address(p))))

axiom longP_parenttag_bottom : parenttag(longP_tag, bottom_tag)

axiom longP_tags :
 (forall x:longP pointer.
  (forall longP_tag_table:longP tag_table.
   instanceof(longP_tag_table, x, longP_tag)))

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

axiom pointer_addr_of_longP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(longP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_longP(p:longP pointer, b:int,
 longP_alloc_table:longP alloc_table) =
 (offset_max(longP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate sorted(t:longP pointer, a:int, b:int,
 longP_longM_t_1_at_L:(longP, int32) memory) =
 (forall i_1:int.
  (forall j_0:int.
   ((le_int(a, i_1) and (le_int(i_1, j_0) and le_int(j_0, b))) ->
    le_int(integer_of_int32(select(longP_longM_t_1_at_L, shift(t, i_1))),
    integer_of_int32(select(longP_longM_t_1_at_L, shift(t, j_0)))))))

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_longP(p:longP pointer, a:int, b:int,
 longP_alloc_table:longP alloc_table) =
 ((offset_min(longP_alloc_table, p) = a)
 and (offset_max(longP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_longP(p:longP pointer, a:int, b:int,
 longP_alloc_table:longP alloc_table) =
 ((offset_min(longP_alloc_table, p) = a)
 and (offset_max(longP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_longP(p:longP pointer, a:int, b:int,
 longP_alloc_table:longP alloc_table) =
 ((offset_min(longP_alloc_table, p) <= a)
 and (offset_max(longP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_longP(p:longP pointer, a:int, b:int,
 longP_alloc_table:longP alloc_table) =
 ((offset_min(longP_alloc_table, p) <= a)
 and (offset_max(longP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

lemma mean :
 (forall x_0:int.
  (forall y:int.
   (le_int(x_0, y) ->
    (le_int(x_0, computer_div(add_int(x_0, y), (2)))
    and le_int(computer_div(add_int(x_0, y), (2)), y)))))

exception Goto_while_0_break_exc of unit

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter longP_alloc_table : longP alloc_table ref

parameter longP_tag_table : longP tag_table ref

parameter alloc_struct_longP :
 n:int ->
  longP_alloc_table:longP alloc_table ref ->
   longP_tag_table:longP tag_table ref ->
    { } longP pointer writes longP_alloc_table,longP_tag_table
    { (strict_valid_struct_longP(result, (0), sub_int(n, (1)),
       longP_alloc_table)
      and (alloc_extends(longP_alloc_table@, longP_alloc_table)
          and (alloc_fresh(longP_alloc_table@, result, n)
              and instanceof(longP_tag_table, result, longP_tag)))) }

parameter alloc_struct_longP_requires :
 n:int ->
  longP_alloc_table:longP alloc_table ref ->
   longP_tag_table:longP tag_table ref ->
    { ge_int(n, (0))} longP pointer writes longP_alloc_table,longP_tag_table
    { (strict_valid_struct_longP(result, (0), sub_int(n, (1)),
       longP_alloc_table)
      and (alloc_extends(longP_alloc_table@, longP_alloc_table)
          and (alloc_fresh(longP_alloc_table@, result, n)
              and instanceof(longP_tag_table, result, longP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int32 : unit -> { } int32 { true }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter binary_search :
 t_0:longP pointer ->
  n_1:int32 ->
   v:int32 ->
    longP_t_2_alloc_table:longP alloc_table ->
     longP_longM_t_2:(longP, int32) memory ->
      { } int32
      { ((sorted(t_0, (0), sub_int(integer_of_int32(n_1), (1)),
          longP_longM_t_2) ->
          (JC_22:
          ((integer_of_int32(result) = neg_int((1))) ->
           (forall k_0:int.
            ((le_int((0), k_0) and lt_int(k_0, integer_of_int32(n_1))) ->
             (integer_of_int32(select(longP_longM_t_2, shift(t_0, k_0))) <> 
             integer_of_int32(v)))))))
        and ((JC_20:
             (ge_int(integer_of_int32(result), (0)) ->
              (integer_of_int32(select(longP_longM_t_2,
                                shift(t_0, integer_of_int32(result)))) = 
              integer_of_int32(v))))
            and (JC_16:
                ((JC_14: le_int(neg_int((1)), integer_of_int32(result)))
                and (JC_15:
                    lt_int(integer_of_int32(result), integer_of_int32(n_1))))))) }

parameter binary_search_requires :
 t_0:longP pointer ->
  n_1:int32 ->
   v:int32 ->
    longP_t_2_alloc_table:longP alloc_table ->
     longP_longM_t_2:(longP, int32) memory ->
      { (JC_4:
        ((JC_1: ge_int(integer_of_int32(n_1), (0)))
        and ((JC_2: le_int(offset_min(longP_t_2_alloc_table, t_0), (0)))
            and (JC_3:
                ge_int(offset_max(longP_t_2_alloc_table, t_0),
                sub_int(integer_of_int32(n_1), (1)))))))}
      int32
      { ((sorted(t_0, (0), sub_int(integer_of_int32(n_1), (1)),
          longP_longM_t_2) ->
          (JC_22:
          ((integer_of_int32(result) = neg_int((1))) ->
           (forall k_0:int.
            ((le_int((0), k_0) and lt_int(k_0, integer_of_int32(n_1))) ->
             (integer_of_int32(select(longP_longM_t_2, shift(t_0, k_0))) <> 
             integer_of_int32(v)))))))
        and ((JC_20:
             (ge_int(integer_of_int32(result), (0)) ->
              (integer_of_int32(select(longP_longM_t_2,
                                shift(t_0, integer_of_int32(result)))) = 
              integer_of_int32(v))))
            and (JC_16:
                ((JC_14: le_int(neg_int((1)), integer_of_int32(result)))
                and (JC_15:
                    lt_int(integer_of_int32(result), integer_of_int32(n_1))))))) }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let binary_search_ensures_default =
 fun (t_0 : longP pointer) (n_1 : int32) (v : int32) (longP_t_2_alloc_table : longP alloc_table) (longP_longM_t_2 : (longP, int32) memory) ->
  { (JC_9:
    ((JC_6: ge_int(integer_of_int32(n_1), (0)))
    and ((JC_7: le_int(offset_min(longP_t_2_alloc_table, t_0), (0)))
        and (JC_8:
            ge_int(offset_max(longP_t_2_alloc_table, t_0),
            sub_int(integer_of_int32(n_1), (1))))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let l = ref (any_int32 void) in
     (let u = ref (any_int32 void) in
     (let m = ref (any_int32 void) in
     (let __retres = ref (any_int32 void) in
     try
      begin
        try
         begin
           (let _jessie_ = (l := (safe_int32_of_integer_ (0))) in void);
          (let _jessie_ =
          (u := (safe_int32_of_integer_ ((sub_int (integer_of_int32 n_1)) (1)))) in
          void);
          (loop_2:
          begin
            while true do
            { invariant
                (JC_41:
                ((JC_39: le_int((0), integer_of_int32(l)))
                and (JC_40:
                    le_int(integer_of_int32(u),
                    sub_int(integer_of_int32(n_1), (1))))))  }
             begin
               [ { } unit { true } ];
              try
               begin
                 (if ((le_int_ (integer_of_int32 !l)) (integer_of_int32 !u))
                 then void else (raise (Goto_while_0_break_exc void)));
                (let _jessie_ =
                (m := (safe_int32_of_integer_ (JC_45:
                                              ((computer_div (integer_of_int32 
                                                              (safe_int32_of_integer_ 
                                                               ((add_int 
                                                                 (integer_of_int32 !l)) 
                                                                (integer_of_int32 !u))))) (2))))) in
                void);
                (assert
                { (JC_46:
                  (le_int(integer_of_int32(l), integer_of_int32(m))
                  and le_int(integer_of_int32(m), integer_of_int32(u)))) };
                void); void;
                (if ((lt_int_ (integer_of_int32 ((safe_acc_ longP_longM_t_2) 
                                                 ((shift t_0) (integer_of_int32 !m))))) 
                     (integer_of_int32 v))
                then
                 (let _jessie_ =
                 (l := (safe_int32_of_integer_ ((add_int (integer_of_int32 !m)) (1)))) in
                 void)
                else
                 (if ((gt_int_ (integer_of_int32 ((safe_acc_ longP_longM_t_2) 
                                                  ((shift t_0) (integer_of_int32 !m))))) 
                      (integer_of_int32 v))
                 then
                  (let _jessie_ =
                  (u := (safe_int32_of_integer_ ((sub_int (integer_of_int32 !m)) (1)))) in
                  void)
                 else
                  begin
                    (let _jessie_ = (__retres := !m) in void);
                   (raise (Return_label_exc void)) end));
                (raise (Loop_continue_exc void)) end with
               Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ ->
         (let _jessie_ =
         (while_0_break:
         begin
           void; (__retres := (safe_int32_of_integer_ (neg_int (1))));
          !__retres end) in void) end; (raise (Return_label_exc void)) end
      with Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres); (raise Return) end) end))));
    absurd  end with Return -> !return end))
  { (JC_13:
    ((JC_11: le_int(neg_int((1)), integer_of_int32(result)))
    and (JC_12: lt_int(integer_of_int32(result), integer_of_int32(n_1))))) } 

let binary_search_ensures_failure =
 fun (t_0 : longP pointer) (n_1 : int32) (v : int32) (longP_t_2_alloc_table : longP alloc_table) (longP_longM_t_2 : (longP, int32) memory) ->
  { (sorted(t_0, (0), sub_int(integer_of_int32(n_1), (1)), longP_longM_t_2)
    and (JC_9:
        ((JC_6: ge_int(integer_of_int32(n_1), (0)))
        and ((JC_7: le_int(offset_min(longP_t_2_alloc_table, t_0), (0)))
            and (JC_8:
                ge_int(offset_max(longP_t_2_alloc_table, t_0),
                sub_int(integer_of_int32(n_1), (1)))))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let l = ref (any_int32 void) in
     (let u = ref (any_int32 void) in
     (let m = ref (any_int32 void) in
     (let __retres = ref (any_int32 void) in
     try
      begin
        try
         begin
           (let _jessie_ = (l := (safe_int32_of_integer_ (0))) in void);
          (let _jessie_ =
          (u := (safe_int32_of_integer_ ((sub_int (integer_of_int32 n_1)) (1)))) in
          void);
          (loop_4:
          begin
            while true do
            { invariant
                (JC_55:
                (forall k:int.
                 ((le_int((0), k)
                  and (lt_int(k, integer_of_int32(n_1))
                      and (integer_of_int32(select(longP_longM_t_2,
                                            shift(t_0, k))) = integer_of_int32(v)))) ->
                  (le_int(integer_of_int32(l), k)
                  and le_int(k, integer_of_int32(u))))))  }
             begin
               [ { } unit reads l,u
                 { (JC_58:
                   ((JC_56: le_int((0), integer_of_int32(l)))
                   and (JC_57:
                       le_int(integer_of_int32(u),
                       sub_int(integer_of_int32(n_1), (1)))))) } ];
              try
               begin
                 (if ((le_int_ (integer_of_int32 !l)) (integer_of_int32 !u))
                 then void else (raise (Goto_while_0_break_exc void)));
                (let _jessie_ =
                (m := (safe_int32_of_integer_ (JC_62:
                                              ((computer_div (integer_of_int32 
                                                              (safe_int32_of_integer_ 
                                                               ((add_int 
                                                                 (integer_of_int32 !l)) 
                                                                (integer_of_int32 !u))))) (2))))) in
                void);
                [ { } unit reads l,m,u
                  { (JC_63:
                    (le_int(integer_of_int32(l), integer_of_int32(m))
                    and le_int(integer_of_int32(m), integer_of_int32(u)))) } ];
                void;
                (if ((lt_int_ (integer_of_int32 ((safe_acc_ longP_longM_t_2) 
                                                 ((shift t_0) (integer_of_int32 !m))))) 
                     (integer_of_int32 v))
                then
                 (let _jessie_ =
                 (l := (safe_int32_of_integer_ ((add_int (integer_of_int32 !m)) (1)))) in
                 void)
                else
                 (if ((gt_int_ (integer_of_int32 ((safe_acc_ longP_longM_t_2) 
                                                  ((shift t_0) (integer_of_int32 !m))))) 
                      (integer_of_int32 v))
                 then
                  (let _jessie_ =
                  (u := (safe_int32_of_integer_ ((sub_int (integer_of_int32 !m)) (1)))) in
                  void)
                 else
                  begin
                    (let _jessie_ = (__retres := !m) in void);
                   (raise (Return_label_exc void)) end));
                (raise (Loop_continue_exc void)) end with
               Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ ->
         (let _jessie_ =
         (while_0_break:
         begin
           void; (__retres := (safe_int32_of_integer_ (neg_int (1))));
          !__retres end) in void) end; (raise (Return_label_exc void)) end
      with Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres); (raise Return) end) end))));
    absurd  end with Return -> !return end))
  { (JC_21:
    ((integer_of_int32(result) = neg_int((1))) ->
     (forall k_0:int.
      ((le_int((0), k_0) and lt_int(k_0, integer_of_int32(n_1))) ->
       (integer_of_int32(select(longP_longM_t_2, shift(t_0, k_0))) <> 
       integer_of_int32(v)))))) } 

let binary_search_ensures_success =
 fun (t_0 : longP pointer) (n_1 : int32) (v : int32) (longP_t_2_alloc_table : longP alloc_table) (longP_longM_t_2 : (longP, int32) memory) ->
  { (JC_9:
    ((JC_6: ge_int(integer_of_int32(n_1), (0)))
    and ((JC_7: le_int(offset_min(longP_t_2_alloc_table, t_0), (0)))
        and (JC_8:
            ge_int(offset_max(longP_t_2_alloc_table, t_0),
            sub_int(integer_of_int32(n_1), (1))))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let l = ref (any_int32 void) in
     (let u = ref (any_int32 void) in
     (let m = ref (any_int32 void) in
     (let __retres = ref (any_int32 void) in
     try
      begin
        try
         begin
           (let _jessie_ = (l := (safe_int32_of_integer_ (0))) in void);
          (let _jessie_ =
          (u := (safe_int32_of_integer_ ((sub_int (integer_of_int32 n_1)) (1)))) in
          void);
          (loop_3:
          begin
            while true do
            { invariant (JC_51: true)  }
             begin
               [ { } unit reads l,u
                 { (JC_49:
                   ((JC_47: le_int((0), integer_of_int32(l)))
                   and (JC_48:
                       le_int(integer_of_int32(u),
                       sub_int(integer_of_int32(n_1), (1)))))) } ];
              try
               begin
                 (if ((le_int_ (integer_of_int32 !l)) (integer_of_int32 !u))
                 then void else (raise (Goto_while_0_break_exc void)));
                (let _jessie_ =
                (m := (safe_int32_of_integer_ (JC_53:
                                              ((computer_div (integer_of_int32 
                                                              (safe_int32_of_integer_ 
                                                               ((add_int 
                                                                 (integer_of_int32 !l)) 
                                                                (integer_of_int32 !u))))) (2))))) in
                void);
                [ { } unit reads l,m,u
                  { (JC_54:
                    (le_int(integer_of_int32(l), integer_of_int32(m))
                    and le_int(integer_of_int32(m), integer_of_int32(u)))) } ];
                void;
                (if ((lt_int_ (integer_of_int32 ((safe_acc_ longP_longM_t_2) 
                                                 ((shift t_0) (integer_of_int32 !m))))) 
                     (integer_of_int32 v))
                then
                 (let _jessie_ =
                 (l := (safe_int32_of_integer_ ((add_int (integer_of_int32 !m)) (1)))) in
                 void)
                else
                 (if ((gt_int_ (integer_of_int32 ((safe_acc_ longP_longM_t_2) 
                                                  ((shift t_0) (integer_of_int32 !m))))) 
                      (integer_of_int32 v))
                 then
                  (let _jessie_ =
                  (u := (safe_int32_of_integer_ ((sub_int (integer_of_int32 !m)) (1)))) in
                  void)
                 else
                  begin
                    (let _jessie_ = (__retres := !m) in void);
                   (raise (Return_label_exc void)) end));
                (raise (Loop_continue_exc void)) end with
               Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ ->
         (let _jessie_ =
         (while_0_break:
         begin
           void; (__retres := (safe_int32_of_integer_ (neg_int (1))));
          !__retres end) in void) end; (raise (Return_label_exc void)) end
      with Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres); (raise Return) end) end))));
    absurd  end with Return -> !return end))
  { (JC_19:
    (ge_int(integer_of_int32(result), (0)) ->
     (integer_of_int32(select(longP_longM_t_2,
                       shift(t_0, integer_of_int32(result)))) = integer_of_int32(v)))) }
  

let binary_search_safety =
 fun (t_0 : longP pointer) (n_1 : int32) (v : int32) (longP_t_2_alloc_table : longP alloc_table) (longP_longM_t_2 : (longP, int32) memory) ->
  { (JC_9:
    ((JC_6: ge_int(integer_of_int32(n_1), (0)))
    and ((JC_7: le_int(offset_min(longP_t_2_alloc_table, t_0), (0)))
        and (JC_8:
            ge_int(offset_max(longP_t_2_alloc_table, t_0),
            sub_int(integer_of_int32(n_1), (1))))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let l = ref (any_int32 void) in
     (let u = ref (any_int32 void) in
     (let m = ref (any_int32 void) in
     (let __retres = ref (any_int32 void) in
     try
      begin
        try
         begin
           (let _jessie_ = (l := (safe_int32_of_integer_ (0))) in void);
          (let _jessie_ =
          (u := (JC_23:
                (int32_of_integer_ ((sub_int (integer_of_int32 n_1)) (1))))) in
          void);
          (loop_1:
          begin
            while true do
            { invariant (JC_28: true)
              variant (JC_38 : sub_int(integer_of_int32(u),
                               integer_of_int32(l))) }
             begin
               [ { } unit reads l,u
                 { (JC_26:
                   ((JC_24: le_int((0), integer_of_int32(l)))
                   and (JC_25:
                       le_int(integer_of_int32(u),
                       sub_int(integer_of_int32(n_1), (1)))))) } ];
              try
               begin
                 (if ((le_int_ (integer_of_int32 !l)) (integer_of_int32 !u))
                 then void else (raise (Goto_while_0_break_exc void)));
                (let _jessie_ =
                (m := (JC_32:
                      (int32_of_integer_ (JC_31:
                                         ((computer_div_ (integer_of_int32 
                                                          (JC_30:
                                                          (int32_of_integer_ 
                                                           ((add_int 
                                                             (integer_of_int32 !l)) 
                                                            (integer_of_int32 !u)))))) (2)))))) in
                void);
                [ { } unit reads l,m,u
                  { (JC_33:
                    (le_int(integer_of_int32(l), integer_of_int32(m))
                    and le_int(integer_of_int32(m), integer_of_int32(u)))) } ];
                void;
                (if ((lt_int_ (integer_of_int32 (JC_34:
                                                ((((offset_acc_ longP_t_2_alloc_table) longP_longM_t_2) t_0) 
                                                 (integer_of_int32 !m))))) 
                     (integer_of_int32 v))
                then
                 (let _jessie_ =
                 (l := (JC_35:
                       (int32_of_integer_ ((add_int (integer_of_int32 !m)) (1))))) in
                 void)
                else
                 (if ((gt_int_ (integer_of_int32 (JC_36:
                                                 ((((offset_acc_ longP_t_2_alloc_table) longP_longM_t_2) t_0) 
                                                  (integer_of_int32 !m))))) 
                      (integer_of_int32 v))
                 then
                  (let _jessie_ =
                  (u := (JC_37:
                        (int32_of_integer_ ((sub_int (integer_of_int32 !m)) (1))))) in
                  void)
                 else
                  begin
                    (let _jessie_ = (__retres := !m) in void);
                   (raise (Return_label_exc void)) end));
                (raise (Loop_continue_exc void)) end with
               Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ ->
         (let _jessie_ =
         (while_0_break:
         begin
           void; (__retres := (safe_int32_of_integer_ (neg_int (1))));
          !__retres end) in void) end; (raise (Return_label_exc void)) end
      with Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres); (raise Return) end) end))));
    absurd  end with Return -> !return end)) { true } 


why-2.39/tests/c/oracle/sparse_array2.res.oracle0000644000106100004300000043024713147234006020630 0ustar  marchevals========== file tests/c/sparse_array2.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

typedef unsigned int size_t;
void *malloc(size_t size);
void *calloc(size_t nmemb, size_t size);

typedef unsigned int uint;

#define DEFAULT 0

typedef struct SparseArray {
  int *val;
  uint *idx, *back;
  uint n;
  uint sz; // inutile ?
} *sparse_array;

/*@ predicate is_elt{L}(sparse_array a, integer i) =
  @      0 <= a->idx[i] < a->n
  @   && a->back[a->idx[i]] == i
  @ ;
  @*/

/*@ axiomatic Model {
  @   logic integer model{L}(sparse_array a,integer i);
  @   axiom model_in: \forall sparse_array a, integer i;
  @     is_elt(a,i) ==> model(a,i) == a->val[i];
  @   axiom model_out: \forall sparse_array a, integer i;
  @     !is_elt(a,i) ==> model(a,i) == DEFAULT;
  @}
  @*/

/*@ predicate inv(sparse_array a) =
  @   \valid(a) &&
  @   0 <= a->n <= a-> sz &&
  @   \valid(a->val+(0..a->sz-1)) &&
  @   \valid(a->idx+(0..a->sz-1)) &&
  @   \valid(a->back+(0..a->sz-1)) &&
  @   \forall integer i; 0 <= i < a->n ==>  
  @      0 <= a->back[i] < a->sz && a->idx[a->back[i]] == i;
  @*/


/*@ requires sz >= 0;
  @ assigns \nothing;
  @ ensures \fresh(\result,sizeof(struct Sparse_array));
  @ ensures inv(\result);
  @ ensures \result->sz == sz;
  @ ensures \forall integer i; model(\result,i) == DEFAULT;
  @*/
sparse_array create(uint sz) {
  sparse_array a = (sparse_array)malloc(sizeof(struct SparseArray));
  a->val = (int*)calloc(sz,sizeof(int));
  a->idx = (uint*)calloc(sz,sizeof(uint));
  a->back = (uint*)calloc(sz,sizeof(uint));
  a->n = 0;
  a->sz = sz; // inutile ?
  return a;
}

/*@ requires \valid(a);
  @ requires inv(a);
  @ requires i <= a->sz - 1;
  @ assigns \nothing;
  @ ensures \result == model(a,i);
  @*/
int get(sparse_array a, uint i) {
  // note: 0 <= a->idx[i] holds because of type uint
  //@ assert 0 <= a->idx[i];
  if (a->idx[i] < a->n && 
      a->back[a->idx[i]] == i) return a->val[i];
  else return 0;
}

/*@ requires \valid(a);
  @ requires inv(a);
  @ requires i <= a->sz - 1;
  @ assigns a->val[i],a->idx[..],a->back[..], a->n;
  @ ensures inv(a);
  @ ensures model(a,i) == v;
  @ ensures \forall integer j; j != i ==> 
  @    model(a,j) == \old(model(a,j)); 
  @*/
void set(sparse_array a, uint i, int v) {
  a->val[i] = v;
  if (!(a->idx[i] < a->n && a-> back[a->idx[i]] == i)) {
    //@ assert a->n < a->sz;
    a->idx[i] = a->n; a->back[a->n] = i; a->n++;
  }
}



int main() {
  sparse_array a = create(10), b = create(20);
  int x,y;
  x = get(a,5); y = get(b,7);
  //@ assert x == 0 && y == 0;
  set(a,5,1); set(b,7,2);
  x = get(a,5); y = get(b,7);
  //@ assert x == 1 && y == 2;
  x = get(a,0); y = get(b,0);
  //@ assert x == 0 && y == 0;
  return 0;
}





/*
Local Variables:
compile-command: "make sparse_array2.why3ide"
End:
*/
========== frama-c -jessie execution ==========
[kernel] Parsing FRAMAC_SHARE/libc/__fc_builtin_for_normalization.i (no preprocessing)
[kernel] Parsing tests/c/sparse_array2.c (with preprocessing)
[jessie] Starting Jessie translation
tests/c/sparse_array2.c:123:[kernel] warning: Neither code nor specification for function calloc, generating default assigns from the prototype
tests/c/sparse_array2.c:123:[kernel] warning: Neither code nor specification for function malloc, generating default assigns from the prototype
[jessie] Producing Jessie files in subdir tests/c/sparse_array2.jessie
[jessie] File tests/c/sparse_array2.jessie/sparse_array2.jc written.
[jessie] File tests/c/sparse_array2.jessie/sparse_array2.cloc written.
========== file tests/c/sparse_array2.jessie/sparse_array2.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type uint32 = 0..4294967295

type int8 = -128..127

type int32 = -2147483648..2147483647

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag unsigned_intP = {
  uint32 unsigned_intM: 32;
}

type unsigned_intP = [unsigned_intP]

tag intP = {
  int32 intM: 32;
}

type intP = [intP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

tag SparseArray = {
  intP[..] val: 32; 
  unsigned_intP[..] idx: 32; 
  unsigned_intP[..] back: 32; 
  uint32 n_1: 32; 
  uint32 sz_0: 32;
}

type SparseArray = [SparseArray]

charP[..] calloc(uint32 nmemb, uint32 size_0)
behavior default:
  assigns \nothing;
  ensures (_C_1 : true);
;

predicate is_elt{L}(SparseArray[..] a, integer i_1) =
(((0 <= (a.idx + i_1).unsigned_intM) &&
   ((a.idx + i_1).unsigned_intM < a.n_1)) &&
  ((a.back + (a.idx + i_1).unsigned_intM).unsigned_intM == i_1))

axiomatic Model {

  logic integer model{L}(SparseArray[..] a_0, integer i_2)
   
  axiom model_in{L} :
  (\forall SparseArray[..] a_1;
    (\forall integer i_3;
      (is_elt{L}(a_1, i_3) ==> (model{L}(a_1, i_3) == (a_1.val + i_3).intM))))
   
  axiom model_out{L} :
  (\forall SparseArray[..] a_2;
    (\forall integer i_4;
      ((! is_elt{L}(a_2, i_4)) ==> (model{L}(a_2, i_4) == 0))))
  
}

predicate inv{L}(SparseArray[..] a_3) =
\at(((((((((\offset_min(a_3) <= 0) && (\offset_max(a_3) >= 0)) &&
           (0 <= a_3.n_1)) &&
          (a_3.n_1 <= a_3.sz_0)) &&
         ((\offset_min(a_3.val) <= 0) &&
           (\offset_max(a_3.val) >= (a_3.sz_0 - 1)))) &&
        ((\offset_min(a_3.idx) <= 0) &&
          (\offset_max(a_3.idx) >= (a_3.sz_0 - 1)))) &&
       ((\offset_min(a_3.back) <= 0) &&
         (\offset_max(a_3.back) >= (a_3.sz_0 - 1)))) &&
      (\forall integer i_5;
        (((0 <= i_5) && (i_5 < a_3.n_1)) ==>
          (((0 <= (a_3.back + i_5).unsigned_intM) &&
             ((a_3.back + i_5).unsigned_intM < a_3.sz_0)) &&
            ((a_3.idx + (a_3.back + i_5).unsigned_intM).unsigned_intM == i_5))))),L)

SparseArray[..] create(uint32 sz)
  requires (_C_24 : (sz >= 0));
behavior default:
  assigns \nothing;
  ensures (_C_17 : ((_C_18 : \fresh(\result)) &&
                     ((_C_20 : inv{Here}(\result)) &&
                       ((_C_22 : (\result.sz_0 == \at(sz,Old))) &&
                         (_C_23 : (\forall integer i_6;
                                    (model{Here}(\result, i_6) == 0)))))));
{  
   (var SparseArray[..] a_1);
   
   {  (_C_3 : (a_1 = (_C_2 : (new SparseArray[1]))));
      (_C_6 : ((_C_5 : a_1.val) = (_C_4 : (new intP[sz]))));
      (_C_9 : ((_C_8 : a_1.idx) = (_C_7 : (new unsigned_intP[sz]))));
      (_C_12 : ((_C_11 : a_1.back) = (_C_10 : (new unsigned_intP[sz]))));
      (_C_14 : ((_C_13 : a_1.n_1) = 0));
      (_C_16 : ((_C_15 : a_1.sz_0) = sz));
      
      (return a_1)
   }
}

int32 get(SparseArray[..] a, uint32 i)
  requires (_C_45 : ((_C_46 : (\offset_min(a) <= 0)) &&
                      (_C_47 : (\offset_max(a) >= 0))));
  requires (_C_44 : inv{Here}(a));
  requires (_C_43 : (i <= (a.sz_0 - 1)));
behavior default:
  assigns \nothing;
  ensures (_C_42 : (\result == model{Here}(\at(a,Old), \at(i,Old))));
{  
   (var int32 __retres);
   
   {  
      {  
         (assert for default: (_C_25 : (jessie : (0 <=
                                                   (a.idx + i).unsigned_intM))));
         ()
      };
      
      {  (if ((_C_41 : (_C_40 : ((_C_39 : a.idx) + i)).unsigned_intM) <
               (_C_38 : a.n_1)) then (if ((_C_37 : (_C_36 : ((_C_35 : a.back) +
                                                              (_C_34 : 
                                                              (_C_33 : 
                                                              ((_C_32 : a.idx) +
                                                                i)).unsigned_intM))).unsigned_intM) ==
                                           i) then 
                                     {  (_C_31 : (__retres = (_C_30 : 
                                                             (_C_29 : 
                                                             ((_C_28 : a.val) +
                                                               i)).intM)));
                                        
                                        (goto return_label)
                                     } else 
                                     {  (_C_27 : (__retres = 0));
                                        
                                        (goto return_label)
                                     }) else 
         {  (_C_26 : (__retres = 0));
            
            (goto return_label)
         });
         (return_label : 
         (return __retres))
      }
   }
}

unit set(SparseArray[..] a_0, uint32 i_0, int32 v)
  requires (_C_85 : ((_C_86 : (\offset_min(a_0) <= 0)) &&
                      (_C_87 : (\offset_max(a_0) >= 0))));
  requires (_C_84 : inv{Here}(a_0));
  requires (_C_83 : (i_0 <= (a_0.sz_0 - 1)));
behavior default:
  assigns (a_0.val + i_0).intM,
  (a_0.idx + [..]).unsigned_intM,
  (a_0.back + [..]).unsigned_intM,
  a_0.n_1;
  ensures (_C_78 : ((_C_79 : inv{Here}(\at(a_0,Old))) &&
                     ((_C_81 : (model{Here}(\at(a_0,Old), \at(i_0,Old)) ==
                                 \at(v,Old))) &&
                       (_C_82 : (\forall integer j_0;
                                  ((j_0 != \at(i_0,Old)) ==>
                                    (model{Here}(\at(a_0,Old), j_0) ==
                                      \at(model{Old}(a_0, j_0),Old))))))));
{  
   {  (_C_51 : ((_C_50 : (_C_49 : ((_C_48 : a_0.val) + i_0)).intM) = v));
      (if ((_C_61 : (_C_60 : ((_C_59 : a_0.idx) + i_0)).unsigned_intM) <
            (_C_58 : a_0.n_1)) then (if ((_C_57 : (_C_56 : ((_C_55 : a_0.back) +
                                                             (_C_54 : 
                                                             (_C_53 : 
                                                             ((_C_52 : a_0.idx) +
                                                               i_0)).unsigned_intM))).unsigned_intM) ==
                                          i_0) then () else 
                                    (goto _LAND)) else 
      (goto _LAND));
      
      (goto _LAND_0);
      (_LAND : 
      {  
         {  
            (assert for default: (_C_62 : (jessie : (a_0.n_1 < a_0.sz_0))));
            ()
         };
         (_C_67 : ((_C_66 : (_C_65 : ((_C_64 : a_0.idx) + i_0)).unsigned_intM) = 
         (_C_63 : a_0.n_1)));
         (_C_72 : ((_C_71 : (_C_70 : ((_C_69 : a_0.back) + (_C_68 : a_0.n_1))).unsigned_intM) = i_0));
         (_C_77 : ((_C_76 : a_0.n_1) = (_C_75 : ((_C_74 : ((_C_73 : a_0.n_1) +
                                                            1)) :> uint32))))
      });
      (_LAND_0 : ());
      
      (return ())
   }
}

int32 main()
behavior default:
  ensures (_C_110 : true);
{  
   (var SparseArray[..] a_2);
   
   (var SparseArray[..] b);
   
   (var int32 x);
   
   (var int32 y);
   
   (var int32 __retres_0);
   
   {  (_C_89 : (a_2 = (_C_88 : create(10))));
      (_C_91 : (b = (_C_90 : create(20))));
      (_C_93 : (x = (_C_92 : get(a_2, 5))));
      (_C_95 : (y = (_C_94 : get(b, 7))));
      
      {  
         (assert for default: (_C_96 : (jessie : ((x == 0) && (y == 0)))));
         ()
      };
      (_C_97 : set(a_2, 5, 1));
      (_C_98 : set(b, 7, 2));
      (_C_100 : (x = (_C_99 : get(a_2, 5))));
      (_C_102 : (y = (_C_101 : get(b, 7))));
      
      {  
         (assert for default: (_C_103 : (jessie : ((x == 1) && (y == 2)))));
         ()
      };
      (_C_105 : (x = (_C_104 : get(a_2, 0))));
      (_C_107 : (y = (_C_106 : get(b, 0))));
      
      {  
         (assert for default: (_C_108 : (jessie : ((x == 0) && (y == 0)))));
         ()
      };
      (_C_109 : (__retres_0 = 0));
      
      (return __retres_0)
   }
}
========== file tests/c/sparse_array2.jessie/sparse_array2.cloc ==========
[_C_52]
file = "HOME/tests/c/sparse_array2.c"
line = 115
begin = 37
end = 43

[_C_35]
file = "HOME/tests/c/sparse_array2.c"
line = 100
begin = 6
end = 13

[_C_56]
file = "HOME/tests/c/sparse_array2.c"
line = 115
begin = 28
end = 36

[_C_28]
file = "HOME/tests/c/sparse_array2.c"
line = 100
begin = 38
end = 44

[_C_72]
file = "HOME/tests/c/sparse_array2.c"
line = 117
begin = 38
end = 39

[_C_59]
file = "HOME/tests/c/sparse_array2.c"
line = 115
begin = 8
end = 14

[_C_48]
file = "HOME/tests/c/sparse_array2.c"
line = 114
begin = 2
end = 8

[_C_51]
file = "HOME/tests/c/sparse_array2.c"
line = 114
begin = 14
end = 15

[model_out]
name = "Lemma model_out"
file = "HOME/tests/c/sparse_array2.c"
line = 57
begin = 6
end = 99

[main]
name = "Function main"
file = "HOME/tests/c/sparse_array2.c"
line = 123
begin = 4
end = 8

[_C_103]
file = "HOME/tests/c/sparse_array2.c"
line = 130
begin = 18
end = 34

[_C_31]
file = "HOME/tests/c/sparse_array2.c"
line = 100
begin = 31
end = 48

[_C_108]
file = "HOME/tests/c/sparse_array2.c"
line = 132
begin = 18
end = 34

[_C_77]
file = "HOME/tests/c/sparse_array2.c"
line = 117
begin = 41
end = 47

[_C_83]
file = "HOME/tests/c/sparse_array2.c"
line = 106
begin = 13
end = 27

[_C_41]
file = "HOME/tests/c/sparse_array2.c"
line = 99
begin = 6
end = 15

[_C_4]
file = "HOME/tests/c/sparse_array2.c"
line = 82
begin = 17
end = 39

[_C_101]
file = "HOME/tests/c/sparse_array2.c"
line = 129
begin = 20
end = 28

[_C_71]
file = "HOME/tests/c/sparse_array2.c"
line = 117
begin = 38
end = 39

[_C_70]
file = "HOME/tests/c/sparse_array2.c"
line = 117
begin = 22
end = 29

[_C_89]
file = "HOME/tests/c/sparse_array2.c"
line = 124
begin = 19
end = 29

[_C_90]
file = "HOME/tests/c/sparse_array2.c"
line = 124
begin = 35
end = 45

[_C_61]
file = "HOME/tests/c/sparse_array2.c"
line = 115
begin = 8
end = 17

[_C_69]
file = "HOME/tests/c/sparse_array2.c"
line = 117
begin = 22
end = 29

[_C_32]
file = "HOME/tests/c/sparse_array2.c"
line = 100
begin = 14
end = 20

[_C_23]
file = "HOME/tests/c/sparse_array2.c"
line = 78
begin = 12
end = 52

[_C_19]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_42]
file = "HOME/tests/c/sparse_array2.c"
line = 94
begin = 12
end = 33

[_C_82]
file = "HOME/tests/c/sparse_array2.c"
line = 110
begin = 12
end = 79

[_C_110]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_94]
file = "HOME/tests/c/sparse_array2.c"
line = 126
begin = 20
end = 28

[_C_84]
file = "HOME/tests/c/sparse_array2.c"
line = 105
begin = 13
end = 19

[_C_13]
file = "HOME/tests/c/sparse_array2.c"
line = 85
begin = 9
end = 10

[_C_5]
file = "HOME/tests/c/sparse_array2.c"
line = 82
begin = 17
end = 39

[_C_91]
file = "HOME/tests/c/sparse_array2.c"
line = 124
begin = 35
end = 45

[_C_36]
file = "HOME/tests/c/sparse_array2.c"
line = 100
begin = 6
end = 13

[_C_12]
file = "HOME/tests/c/sparse_array2.c"
line = 84
begin = 19
end = 42

[_C_33]
file = "HOME/tests/c/sparse_array2.c"
line = 100
begin = 14
end = 20

[_C_79]
file = "HOME/tests/c/sparse_array2.c"
line = 108
begin = 12
end = 18

[_C_104]
file = "HOME/tests/c/sparse_array2.c"
line = 131
begin = 6
end = 14

[_C_85]
file = "HOME/tests/c/sparse_array2.c"
line = 104
begin = 16
end = 25

[_C_22]
file = "HOME/tests/c/sparse_array2.c"
line = 77
begin = 12
end = 29

[_C_65]
file = "HOME/tests/c/sparse_array2.c"
line = 117
begin = 4
end = 10

[_C_9]
file = "HOME/tests/c/sparse_array2.c"
line = 83
begin = 18
end = 41

[_C_57]
file = "HOME/tests/c/sparse_array2.c"
line = 115
begin = 28
end = 47

[_C_54]
file = "HOME/tests/c/sparse_array2.c"
line = 115
begin = 37
end = 46

[_C_30]
file = "HOME/tests/c/sparse_array2.c"
line = 100
begin = 38
end = 47

[_C_63]
file = "HOME/tests/c/sparse_array2.c"
line = 117
begin = 16
end = 20

[_C_6]
file = "HOME/tests/c/sparse_array2.c"
line = 82
begin = 17
end = 39

[model_in]
name = "Lemma model_in"
file = "HOME/tests/c/sparse_array2.c"
line = 55
begin = 6
end = 105

[_C_64]
file = "HOME/tests/c/sparse_array2.c"
line = 117
begin = 4
end = 10

[_C_95]
file = "HOME/tests/c/sparse_array2.c"
line = 126
begin = 20
end = 28

[_C_93]
file = "HOME/tests/c/sparse_array2.c"
line = 126
begin = 6
end = 14

[_C_102]
file = "HOME/tests/c/sparse_array2.c"
line = 129
begin = 20
end = 28

[_C_49]
file = "HOME/tests/c/sparse_array2.c"
line = 114
begin = 2
end = 8

[_C_24]
file = "HOME/tests/c/sparse_array2.c"
line = 73
begin = 16
end = 23

[_C_45]
file = "HOME/tests/c/sparse_array2.c"
line = 90
begin = 16
end = 25

[_C_97]
file = "HOME/tests/c/sparse_array2.c"
line = 128
begin = 2
end = 12

[_C_20]
file = "HOME/tests/c/sparse_array2.c"
line = 76
begin = 12
end = 24

[_C_73]
file = "HOME/tests/c/sparse_array2.c"
line = 117
begin = 41
end = 45

[_C_96]
file = "HOME/tests/c/sparse_array2.c"
line = 127
begin = 18
end = 34

[_C_38]
file = "HOME/tests/c/sparse_array2.c"
line = 99
begin = 18
end = 22

[_C_3]
file = "HOME/tests/c/sparse_array2.c"
line = 81
begin = 33
end = 67

[_C_98]
file = "HOME/tests/c/sparse_array2.c"
line = 128
begin = 14
end = 24

[_C_109]
file = "HOME/tests/c/sparse_array2.c"
line = 133
begin = 2
end = 11

[_C_92]
file = "HOME/tests/c/sparse_array2.c"
line = 126
begin = 6
end = 14

[_C_81]
file = "HOME/tests/c/sparse_array2.c"
line = 109
begin = 12
end = 27

[get]
name = "Function get"
file = "HOME/tests/c/sparse_array2.c"
line = 96
begin = 4
end = 7

[_C_17]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_7]
file = "HOME/tests/c/sparse_array2.c"
line = 83
begin = 18
end = 41

[_C_86]
file = "HOME/tests/c/sparse_array2.c"
line = 104
begin = 16
end = 25

[_C_62]
file = "HOME/tests/c/sparse_array2.c"
line = 116
begin = 22
end = 34

[_C_55]
file = "HOME/tests/c/sparse_array2.c"
line = 115
begin = 28
end = 36

[_C_27]
file = "HOME/tests/c/sparse_array2.c"
line = 101
begin = 7
end = 16

[set]
name = "Function set"
file = "HOME/tests/c/sparse_array2.c"
line = 113
begin = 5
end = 8

[_C_105]
file = "HOME/tests/c/sparse_array2.c"
line = 131
begin = 6
end = 14

[_C_87]
file = "HOME/tests/c/sparse_array2.c"
line = 104
begin = 16
end = 25

[_C_46]
file = "HOME/tests/c/sparse_array2.c"
line = 90
begin = 16
end = 25

[_C_44]
file = "HOME/tests/c/sparse_array2.c"
line = 91
begin = 13
end = 19

[_C_15]
file = "HOME/tests/c/sparse_array2.c"
line = 86
begin = 10
end = 12

[_C_99]
file = "HOME/tests/c/sparse_array2.c"
line = 129
begin = 6
end = 14

[_C_26]
file = "HOME/tests/c/sparse_array2.c"
line = 101
begin = 7
end = 16

[_C_47]
file = "HOME/tests/c/sparse_array2.c"
line = 90
begin = 16
end = 25

[_C_10]
file = "HOME/tests/c/sparse_array2.c"
line = 84
begin = 19
end = 42

[_C_68]
file = "HOME/tests/c/sparse_array2.c"
line = 117
begin = 30
end = 34

[_C_60]
file = "HOME/tests/c/sparse_array2.c"
line = 115
begin = 8
end = 14

[_C_53]
file = "HOME/tests/c/sparse_array2.c"
line = 115
begin = 37
end = 43

[_C_40]
file = "HOME/tests/c/sparse_array2.c"
line = 99
begin = 6
end = 12

[_C_58]
file = "HOME/tests/c/sparse_array2.c"
line = 115
begin = 20
end = 24

[_C_8]
file = "HOME/tests/c/sparse_array2.c"
line = 83
begin = 18
end = 41

[_C_66]
file = "HOME/tests/c/sparse_array2.c"
line = 117
begin = 16
end = 20

[_C_18]
file = "HOME/tests/c/sparse_array2.c"
line = 75
begin = 12
end = 55

[_C_29]
file = "HOME/tests/c/sparse_array2.c"
line = 100
begin = 38
end = 44

[_C_75]
file = "HOME/tests/c/sparse_array2.c"
line = 117
begin = 41
end = 47

[create]
name = "Function create"
file = "HOME/tests/c/sparse_array2.c"
line = 80
begin = 13
end = 19

[_C_14]
file = "HOME/tests/c/sparse_array2.c"
line = 85
begin = 9
end = 10

[_C_106]
file = "HOME/tests/c/sparse_array2.c"
line = 131
begin = 20
end = 28

[_C_50]
file = "HOME/tests/c/sparse_array2.c"
line = 114
begin = 14
end = 15

[_C_37]
file = "HOME/tests/c/sparse_array2.c"
line = 100
begin = 6
end = 24

[_C_43]
file = "HOME/tests/c/sparse_array2.c"
line = 92
begin = 13
end = 27

[_C_107]
file = "HOME/tests/c/sparse_array2.c"
line = 131
begin = 20
end = 28

[_C_88]
file = "HOME/tests/c/sparse_array2.c"
line = 124
begin = 19
end = 29

[_C_100]
file = "HOME/tests/c/sparse_array2.c"
line = 129
begin = 6
end = 14

[_C_2]
file = "HOME/tests/c/sparse_array2.c"
line = 81
begin = 33
end = 67

[_C_34]
file = "HOME/tests/c/sparse_array2.c"
line = 100
begin = 14
end = 23

[_C_67]
file = "HOME/tests/c/sparse_array2.c"
line = 117
begin = 16
end = 20

[_C_16]
file = "HOME/tests/c/sparse_array2.c"
line = 86
begin = 10
end = 12

[_C_1]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_76]
file = "HOME/tests/c/sparse_array2.c"
line = 117
begin = 41
end = 47

[_C_25]
file = "HOME/tests/c/sparse_array2.c"
line = 98
begin = 18
end = 32

[_C_39]
file = "HOME/tests/c/sparse_array2.c"
line = 99
begin = 6
end = 12

[_C_80]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_74]
file = "HOME/tests/c/sparse_array2.c"
line = 117
begin = 41
end = 47

[_C_78]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_11]
file = "HOME/tests/c/sparse_array2.c"
line = 84
begin = 19
end = 42

[_C_21]
file = "HOME/"
line = 0
begin = -1
end = -1

========== jessie execution ==========
Generating Why function create
Generating Why function get
Generating Why function set
Generating Why function main
========== file tests/c/sparse_array2.jessie/sparse_array2.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/sparse_array2_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: sparse_array2.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: sparse_array2.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: sparse_array2.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/c/sparse_array2.jessie/sparse_array2.loc ==========
[main_safety]
name = "Function main"
behavior = "Safety"
file = "HOME/tests/c/sparse_array2.c"
line = 123
begin = 4
end = 8

[JC_94]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_73]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.c"
line = 99
begin = 6
end = 12

[JC_158]
kind = UserCall
file = "HOME/tests/c/sparse_array2.c"
line = 124
begin = 19
end = 29

[JC_63]
file = "HOME/tests/c/sparse_array2.c"
line = 92
begin = 13
end = 27

[JC_80]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.c"
line = 100
begin = 38
end = 44

[JC_51]
kind = AllocSize
file = "HOME/tests/c/sparse_array2.c"
line = 82
begin = 17
end = 39

[JC_71]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_147]
kind = UserCall
file = "HOME/tests/c/sparse_array2.c"
line = 126
begin = 6
end = 14

[JC_151]
kind = UserCall
file = "HOME/tests/c/sparse_array2.jessie/sparse_array2.jc"
line = 244
begin = 15
end = 27

[JC_45]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.jessie/sparse_array2.jc"
line = 116
begin = 15
end = 57

[JC_123]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.c"
line = 115
begin = 37
end = 46

[JC_106]
file = "HOME/tests/c/sparse_array2.c"
line = 109
begin = 12
end = 27

[JC_143]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_113]
file = "HOME/tests/c/sparse_array2.jessie/sparse_array2.jc"
line = 178
begin = 10
end = 110

[set_safety]
name = "Function set"
behavior = "Safety"
file = "HOME/tests/c/sparse_array2.c"
line = 113
begin = 5
end = 8

[JC_116]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_64]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_133]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.c"
line = 117
begin = 41
end = 45

[model_out]
name = "Lemma model_out"
behavior = "axiom"
file = "HOME/tests/c/sparse_array2.c"
line = 57
begin = 6
end = 99

[JC_99]
file = "HOME/tests/c/sparse_array2.c"
line = 113
begin = 5
end = 8

[JC_85]
file = "HOME/tests/c/sparse_array2.c"
line = 105
begin = 13
end = 19

[JC_126]
file = "HOME/tests/c/sparse_array2.c"
line = 116
begin = 22
end = 34

[JC_170]
file = "HOME/tests/c/sparse_array2.c"
line = 132
begin = 18
end = 34

[JC_31]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_17]
file = "HOME/tests/c/sparse_array2.c"
line = 77
begin = 12
end = 29

[JC_122]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.c"
line = 115
begin = 37
end = 43

[create_safety]
name = "Function create"
behavior = "Safety"
file = "HOME/tests/c/sparse_array2.c"
line = 80
begin = 13
end = 19

[JC_81]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.c"
line = 100
begin = 38
end = 47

[JC_55]
file = "HOME/tests/c/sparse_array2.c"
line = 90
begin = 16
end = 25

[JC_138]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_134]
kind = ArithOverflow
file = "HOME/tests/c/sparse_array2.c"
line = 117
begin = 41
end = 47

[JC_148]
kind = UserCall
file = "HOME/tests/c/sparse_array2.c"
line = 126
begin = 20
end = 28

[JC_137]
file = "HOME/tests/c/sparse_array2.c"
line = 123
begin = 4
end = 8

[JC_48]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.jessie/sparse_array2.jc"
line = 119
begin = 16
end = 37

[JC_23]
file = "HOME/tests/c/sparse_array2.c"
line = 80
begin = 13
end = 19

[JC_22]
file = "HOME/tests/c/sparse_array2.c"
line = 80
begin = 13
end = 19

[JC_121]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.c"
line = 115
begin = 20
end = 24

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_125]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.c"
line = 115
begin = 28
end = 47

[JC_67]
file = "HOME/tests/c/sparse_array2.jessie/sparse_array2.jc"
line = 132
begin = 10
end = 18

[JC_9]
file = "HOME/"
line = 0
begin = -1
end = -1

[set_ensures_default]
name = "Function set"
behavior = "default behavior"
file = "HOME/tests/c/sparse_array2.c"
line = 113
begin = 5
end = 8

[JC_75]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.c"
line = 99
begin = 18
end = 22

[JC_24]
file = "HOME/tests/c/sparse_array2.c"
line = 80
begin = 13
end = 19

[JC_25]
file = "HOME/tests/c/sparse_array2.jessie/sparse_array2.jc"
line = 106
begin = 10
end = 18

[JC_78]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.c"
line = 100
begin = 6
end = 13

[JC_41]
kind = AllocSize
file = "HOME/tests/c/sparse_array2.c"
line = 81
begin = 33
end = 67

[JC_74]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.c"
line = 99
begin = 6
end = 15

[JC_47]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.jessie/sparse_array2.jc"
line = 118
begin = 16
end = 70

[JC_52]
kind = AllocSize
file = "HOME/tests/c/sparse_array2.c"
line = 83
begin = 18
end = 41

[JC_26]
file = "HOME/tests/c/sparse_array2.jessie/sparse_array2.jc"
line = 105
begin = 9
end = 16

[JC_8]
file = "HOME/tests/c/sparse_array2.jessie/sparse_array2.jc"
line = 62
begin = 10
end = 18

[JC_154]
file = "HOME/tests/c/sparse_array2.c"
line = 130
begin = 18
end = 34

[JC_54]
file = "HOME/tests/c/sparse_array2.c"
line = 90
begin = 16
end = 25

[JC_79]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.c"
line = 100
begin = 6
end = 24

[JC_13]
file = "HOME/tests/c/sparse_array2.c"
line = 73
begin = 16
end = 23

[JC_130]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.c"
line = 117
begin = 22
end = 29

[JC_82]
file = "HOME/tests/c/sparse_array2.c"
line = 98
begin = 18
end = 32

[JC_163]
kind = UserCall
file = "HOME/tests/c/sparse_array2.jessie/sparse_array2.jc"
line = 243
begin = 15
end = 29

[JC_153]
kind = UserCall
file = "HOME/tests/c/sparse_array2.c"
line = 129
begin = 20
end = 28

[model_in]
name = "Lemma model_in"
behavior = "axiom"
file = "HOME/tests/c/sparse_array2.c"
line = 55
begin = 6
end = 105

[JC_87]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/c/sparse_array2.c"
line = 73
begin = 16
end = 23

[JC_167]
file = "HOME/tests/c/sparse_array2.c"
line = 130
begin = 18
end = 34

[JC_98]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_70]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_15]
file = "HOME/tests/c/sparse_array2.c"
line = 75
begin = 12
end = 55

[JC_36]
file = "HOME/tests/c/sparse_array2.c"
line = 80
begin = 13
end = 19

[JC_168]
kind = UserCall
file = "HOME/tests/c/sparse_array2.c"
line = 131
begin = 6
end = 14

[JC_104]
file = "HOME/tests/c/sparse_array2.jessie/sparse_array2.jc"
line = 177
begin = 9
end = 16

[JC_91]
file = "HOME/tests/c/sparse_array2.c"
line = 105
begin = 13
end = 19

[JC_39]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_112]
file = "HOME/tests/c/sparse_array2.c"
line = 113
begin = 5
end = 8

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_162]
file = "HOME/tests/c/sparse_array2.c"
line = 127
begin = 18
end = 34

[JC_135]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.jessie/sparse_array2.jc"
line = 211
begin = 19
end = 154

[JC_169]
kind = UserCall
file = "HOME/tests/c/sparse_array2.c"
line = 131
begin = 20
end = 28

[JC_83]
file = "HOME/tests/c/sparse_array2.c"
line = 104
begin = 16
end = 25

[JC_35]
file = "HOME/tests/c/sparse_array2.c"
line = 80
begin = 13
end = 19

[JC_132]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.jessie/sparse_array2.jc"
line = 210
begin = 19
end = 99

[JC_27]
file = "HOME/tests/c/sparse_array2.c"
line = 75
begin = 12
end = 55

[JC_115]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_109]
file = "HOME/tests/c/sparse_array2.c"
line = 113
begin = 5
end = 8

[JC_107]
file = "HOME/tests/c/sparse_array2.c"
line = 110
begin = 12
end = 79

[JC_69]
file = "HOME/tests/c/sparse_array2.jessie/sparse_array2.jc"
line = 132
begin = 10
end = 18

[JC_124]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.c"
line = 115
begin = 28
end = 36

[JC_38]
file = "HOME/tests/c/sparse_array2.jessie/sparse_array2.jc"
line = 105
begin = 9
end = 16

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/tests/c/sparse_array2.jessie/sparse_array2.jc"
line = 62
begin = 10
end = 18

[JC_156]
kind = UserCall
file = "HOME/tests/c/sparse_array2.c"
line = 131
begin = 20
end = 28

[JC_127]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.c"
line = 117
begin = 16
end = 20

[JC_164]
kind = UserCall
file = "HOME/tests/c/sparse_array2.jessie/sparse_array2.jc"
line = 244
begin = 15
end = 27

[JC_44]
kind = AllocSize
file = "HOME/tests/c/sparse_array2.c"
line = 84
begin = 19
end = 42

[JC_155]
kind = UserCall
file = "HOME/tests/c/sparse_array2.c"
line = 131
begin = 6
end = 14

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
file = "HOME/tests/c/sparse_array2.c"
line = 91
begin = 13
end = 19

[JC_101]
file = "HOME/tests/c/sparse_array2.c"
line = 113
begin = 5
end = 8

[get_ensures_default]
name = "Function get"
behavior = "default behavior"
file = "HOME/tests/c/sparse_array2.c"
line = 96
begin = 4
end = 7

[JC_88]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_129]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.jessie/sparse_array2.jc"
line = 208
begin = 19
end = 108

[JC_42]
kind = AllocSize
file = "HOME/tests/c/sparse_array2.c"
line = 82
begin = 17
end = 39

[JC_110]
file = "HOME/tests/c/sparse_array2.c"
line = 113
begin = 5
end = 8

[main_ensures_default]
name = "Function main"
behavior = "default behavior"
file = "HOME/tests/c/sparse_array2.c"
line = 123
begin = 4
end = 8

[JC_166]
kind = UserCall
file = "HOME/tests/c/sparse_array2.c"
line = 129
begin = 20
end = 28

[JC_103]
file = "HOME/tests/c/sparse_array2.jessie/sparse_array2.jc"
line = 178
begin = 10
end = 110

[JC_46]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.jessie/sparse_array2.jc"
line = 117
begin = 15
end = 66

[JC_141]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_61]
file = "HOME/tests/c/sparse_array2.c"
line = 90
begin = 16
end = 25

[JC_32]
file = "HOME/tests/c/sparse_array2.c"
line = 80
begin = 13
end = 19

[JC_56]
file = "HOME/tests/c/sparse_array2.c"
line = 91
begin = 13
end = 19

[JC_33]
file = "HOME/tests/c/sparse_array2.c"
line = 80
begin = 13
end = 19

[JC_65]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_118]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.jessie/sparse_array2.jc"
line = 190
begin = 16
end = 70

[JC_105]
file = "HOME/tests/c/sparse_array2.c"
line = 108
begin = 12
end = 18

[JC_140]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_29]
file = "HOME/tests/c/sparse_array2.c"
line = 77
begin = 12
end = 29

[JC_144]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_159]
kind = UserCall
file = "HOME/tests/c/sparse_array2.c"
line = 124
begin = 35
end = 45

[JC_68]
file = "HOME/tests/c/sparse_array2.c"
line = 94
begin = 12
end = 33

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/tests/c/sparse_array2.c"
line = 76
begin = 12
end = 24

[JC_96]
file = "HOME/tests/c/sparse_array2.c"
line = 109
begin = 12
end = 27

[JC_43]
kind = AllocSize
file = "HOME/tests/c/sparse_array2.c"
line = 83
begin = 18
end = 41

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_95]
file = "HOME/tests/c/sparse_array2.c"
line = 108
begin = 12
end = 18

[JC_93]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_97]
file = "HOME/tests/c/sparse_array2.c"
line = 110
begin = 12
end = 79

[JC_84]
file = "HOME/tests/c/sparse_array2.c"
line = 104
begin = 16
end = 25

[JC_160]
kind = UserCall
file = "HOME/tests/c/sparse_array2.c"
line = 126
begin = 6
end = 14

[JC_128]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.c"
line = 117
begin = 4
end = 10

[JC_34]
file = "HOME/tests/c/sparse_array2.c"
line = 80
begin = 13
end = 19

[JC_114]
file = "HOME/tests/c/sparse_array2.jessie/sparse_array2.jc"
line = 177
begin = 9
end = 16

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_150]
kind = UserCall
file = "HOME/tests/c/sparse_array2.jessie/sparse_array2.jc"
line = 243
begin = 15
end = 29

[JC_117]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.c"
line = 114
begin = 2
end = 8

[JC_90]
file = "HOME/tests/c/sparse_array2.c"
line = 104
begin = 16
end = 25

[JC_53]
kind = AllocSize
file = "HOME/tests/c/sparse_array2.c"
line = 84
begin = 19
end = 42

[JC_157]
file = "HOME/tests/c/sparse_array2.c"
line = 132
begin = 18
end = 34

[JC_145]
kind = UserCall
file = "HOME/tests/c/sparse_array2.c"
line = 124
begin = 19
end = 29

[JC_21]
file = "HOME/tests/c/sparse_array2.c"
line = 80
begin = 13
end = 19

[JC_149]
file = "HOME/tests/c/sparse_array2.c"
line = 127
begin = 18
end = 34

[JC_111]
file = "HOME/tests/c/sparse_array2.c"
line = 113
begin = 5
end = 8

[JC_77]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.c"
line = 100
begin = 14
end = 23

[JC_49]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.jessie/sparse_array2.jc"
line = 120
begin = 16
end = 39

[JC_1]
file = "HOME/tests/c/sparse_array2.jessie/sparse_array2.jc"
line = 60
begin = 10
end = 16

[JC_131]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.c"
line = 117
begin = 30
end = 34

[JC_102]
file = "HOME/tests/c/sparse_array2.c"
line = 113
begin = 5
end = 8

[JC_37]
file = "HOME/tests/c/sparse_array2.jessie/sparse_array2.jc"
line = 106
begin = 10
end = 18

[JC_142]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_108]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_57]
file = "HOME/tests/c/sparse_array2.c"
line = 92
begin = 13
end = 27

[JC_161]
kind = UserCall
file = "HOME/tests/c/sparse_array2.c"
line = 126
begin = 20
end = 28

[JC_146]
kind = UserCall
file = "HOME/tests/c/sparse_array2.c"
line = 124
begin = 35
end = 45

[JC_89]
file = "HOME/tests/c/sparse_array2.c"
line = 104
begin = 16
end = 25

[create_ensures_default]
name = "Function create"
behavior = "default behavior"
file = "HOME/tests/c/sparse_array2.c"
line = 80
begin = 13
end = 19

[JC_136]
file = "HOME/tests/c/sparse_array2.c"
line = 116
begin = 22
end = 34

[JC_66]
file = "HOME/tests/c/sparse_array2.c"
line = 94
begin = 12
end = 33

[JC_59]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_20]
file = "HOME/tests/c/sparse_array2.c"
line = 80
begin = 13
end = 19

[JC_165]
kind = UserCall
file = "HOME/tests/c/sparse_array2.c"
line = 129
begin = 6
end = 14

[JC_18]
file = "HOME/tests/c/sparse_array2.c"
line = 78
begin = 12
end = 52

[JC_3]
file = "HOME/tests/c/sparse_array2.jessie/sparse_array2.jc"
line = 60
begin = 10
end = 16

[JC_92]
file = "HOME/tests/c/sparse_array2.c"
line = 106
begin = 13
end = 27

[JC_152]
kind = UserCall
file = "HOME/tests/c/sparse_array2.c"
line = 129
begin = 6
end = 14

[JC_86]
file = "HOME/tests/c/sparse_array2.c"
line = 106
begin = 13
end = 27

[JC_60]
file = "HOME/tests/c/sparse_array2.c"
line = 90
begin = 16
end = 25

[JC_139]
file = "HOME/tests/c/sparse_array2.c"
line = 123
begin = 4
end = 8

[get_safety]
name = "Function get"
behavior = "Safety"
file = "HOME/tests/c/sparse_array2.c"
line = 96
begin = 4
end = 7

[JC_72]
file = "HOME/tests/c/sparse_array2.c"
line = 98
begin = 18
end = 32

[JC_19]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_119]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.c"
line = 115
begin = 8
end = 14

[JC_76]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.c"
line = 100
begin = 14
end = 20

[JC_50]
kind = AllocSize
file = "HOME/tests/c/sparse_array2.c"
line = 81
begin = 33
end = 67

[JC_30]
file = "HOME/tests/c/sparse_array2.c"
line = 78
begin = 12
end = 52

[JC_120]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.c"
line = 115
begin = 8
end = 17

[JC_58]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_100]
file = "HOME/tests/c/sparse_array2.c"
line = 113
begin = 5
end = 8

[JC_28]
file = "HOME/tests/c/sparse_array2.c"
line = 76
begin = 12
end = 24

========== file tests/c/sparse_array2.jessie/why/sparse_array2.why ==========
type SparseArray

type charP

type int32

type int8

type intP

type padding

type uint32

type uint8

type unsigned_charP

type unsigned_intP

type voidP

logic SparseArray_tag:  -> SparseArray tag_id

axiom SparseArray_int : (int_of_tag(SparseArray_tag) = (1))

logic SparseArray_of_pointer_address: unit pointer -> SparseArray pointer

axiom SparseArray_of_pointer_address_of_pointer_addr :
 (forall p:SparseArray pointer.
  (p = SparseArray_of_pointer_address(pointer_address(p))))

axiom SparseArray_parenttag_bottom : parenttag(SparseArray_tag, bottom_tag)

axiom SparseArray_tags :
 (forall x:SparseArray pointer.
  (forall SparseArray_tag_table:SparseArray tag_table.
   instanceof(SparseArray_tag_table, x, SparseArray_tag)))

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint32: uint32 -> int

predicate eq_uint32(x:uint32, y:uint32) =
 eq_int(integer_of_uint32(x), integer_of_uint32(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

logic intP_tag:  -> intP tag_id

axiom intP_int : (int_of_tag(intP_tag) = (1))

logic intP_of_pointer_address: unit pointer -> intP pointer

axiom intP_of_pointer_address_of_pointer_addr :
 (forall p:intP pointer. (p = intP_of_pointer_address(pointer_address(p))))

axiom intP_parenttag_bottom : parenttag(intP_tag, bottom_tag)

axiom intP_tags :
 (forall x:intP pointer.
  (forall intP_tag_table:intP tag_table.
   instanceof(intP_tag_table, x, intP_tag)))

predicate inv(a_3:SparseArray pointer,
 unsigned_intP_back_17_alloc_table_at_L:unsigned_intP alloc_table,
 unsigned_intP_idx_16_alloc_table_at_L:unsigned_intP alloc_table,
 intP_val_15_alloc_table_at_L:intP alloc_table,
 SparseArray_a_3_5_alloc_table_at_L:SparseArray alloc_table,
 SparseArray_sz_0_a_3_5_at_L:(SparseArray, uint32) memory,
 SparseArray_n_1_a_3_5_at_L:(SparseArray, uint32) memory,
 SparseArray_back_a_3_5_at_L:(SparseArray, unsigned_intP pointer) memory,
 SparseArray_idx_a_3_5_at_L:(SparseArray, unsigned_intP pointer) memory,
 SparseArray_val_a_3_5_at_L:(SparseArray, intP pointer) memory,
 unsigned_intP_unsigned_intM_back_17_at_L:(unsigned_intP, uint32) memory,
 unsigned_intP_unsigned_intM_idx_16_at_L:(unsigned_intP, uint32) memory) =
 (le_int(offset_min(SparseArray_a_3_5_alloc_table_at_L, a_3), (0))
 and (ge_int(offset_max(SparseArray_a_3_5_alloc_table_at_L, a_3), (0))
     and (le_int((0),
          integer_of_uint32(select(SparseArray_n_1_a_3_5_at_L, a_3)))
         and (le_int(integer_of_uint32(select(SparseArray_n_1_a_3_5_at_L,
                                       a_3)),
              integer_of_uint32(select(SparseArray_sz_0_a_3_5_at_L, a_3)))
             and (le_int(offset_min(intP_val_15_alloc_table_at_L,
                         select(SparseArray_val_a_3_5_at_L, a_3)),
                  (0))
                 and (ge_int(offset_max(intP_val_15_alloc_table_at_L,
                             select(SparseArray_val_a_3_5_at_L, a_3)),
                      sub_int(integer_of_uint32(select(SparseArray_sz_0_a_3_5_at_L,
                                                a_3)),
                      (1)))
                     and (le_int(offset_min(unsigned_intP_idx_16_alloc_table_at_L,
                                 select(SparseArray_idx_a_3_5_at_L, a_3)),
                          (0))
                         and (ge_int(offset_max(unsigned_intP_idx_16_alloc_table_at_L,
                                     select(SparseArray_idx_a_3_5_at_L, a_3)),
                              sub_int(integer_of_uint32(select(SparseArray_sz_0_a_3_5_at_L,
                                                        a_3)),
                              (1)))
                             and (le_int(offset_min(unsigned_intP_back_17_alloc_table_at_L,
                                         select(SparseArray_back_a_3_5_at_L,
                                         a_3)),
                                  (0))
                                 and (ge_int(offset_max(unsigned_intP_back_17_alloc_table_at_L,
                                             select(SparseArray_back_a_3_5_at_L,
                                             a_3)),
                                      sub_int(integer_of_uint32(select(SparseArray_sz_0_a_3_5_at_L,
                                                                a_3)),
                                      (1)))
                                     and (forall i_5:int.
                                          ((le_int((0), i_5)
                                           and lt_int(i_5,
                                               integer_of_uint32(select(SparseArray_n_1_a_3_5_at_L,
                                                                 a_3)))) ->
                                           (le_int((0),
                                            integer_of_uint32(select(unsigned_intP_unsigned_intM_back_17_at_L,
                                                              shift(select(SparseArray_back_a_3_5_at_L,
                                                                    a_3),
                                                              i_5))))
                                           and (lt_int(integer_of_uint32(
                                                       select(unsigned_intP_unsigned_intM_back_17_at_L,
                                                       shift(select(SparseArray_back_a_3_5_at_L,
                                                             a_3),
                                                       i_5))),
                                                integer_of_uint32(select(SparseArray_sz_0_a_3_5_at_L,
                                                                  a_3)))
                                               and (integer_of_uint32(
                                                    select(unsigned_intP_unsigned_intM_idx_16_at_L,
                                                    shift(select(SparseArray_idx_a_3_5_at_L,
                                                          a_3),
                                                    integer_of_uint32(
                                                    select(unsigned_intP_unsigned_intM_back_17_at_L,
                                                    shift(select(SparseArray_back_a_3_5_at_L,
                                                          a_3),
                                                    i_5)))))) = i_5)))))))))))))))

predicate is_elt(a:SparseArray pointer, i_1:int,
 SparseArray_n_1_a_3_at_L:(SparseArray, uint32) memory,
 SparseArray_back_a_3_at_L:(SparseArray, unsigned_intP pointer) memory,
 SparseArray_idx_a_3_at_L:(SparseArray, unsigned_intP pointer) memory,
 unsigned_intP_unsigned_intM_back_11_at_L:(unsigned_intP, uint32) memory,
 unsigned_intP_unsigned_intM_idx_10_at_L:(unsigned_intP, uint32) memory) =
 (le_int((0),
  integer_of_uint32(select(unsigned_intP_unsigned_intM_idx_10_at_L,
                    shift(select(SparseArray_idx_a_3_at_L, a), i_1))))
 and (lt_int(integer_of_uint32(select(unsigned_intP_unsigned_intM_idx_10_at_L,
                               shift(select(SparseArray_idx_a_3_at_L, a),
                               i_1))),
      integer_of_uint32(select(SparseArray_n_1_a_3_at_L, a)))
     and (integer_of_uint32(select(unsigned_intP_unsigned_intM_back_11_at_L,
                            shift(select(SparseArray_back_a_3_at_L, a),
                            integer_of_uint32(select(unsigned_intP_unsigned_intM_idx_10_at_L,
                                              shift(select(SparseArray_idx_a_3_at_L,
                                                    a),
                                              i_1)))))) = i_1)))

predicate left_valid_struct_SparseArray(p:SparseArray pointer, a:int,
 SparseArray_alloc_table:SparseArray alloc_table) =
 (offset_min(SparseArray_alloc_table, p) <= a)

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_intP(p:intP pointer, a:int,
 intP_alloc_table:intP alloc_table) = (offset_min(intP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_intP(p:unsigned_intP pointer, a:int,
 unsigned_intP_alloc_table:unsigned_intP alloc_table) =
 (offset_min(unsigned_intP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

logic model: SparseArray pointer, int, (SparseArray, uint32) memory,
 (SparseArray, unsigned_intP pointer) memory,
 (SparseArray, unsigned_intP pointer) memory,
 (SparseArray, intP pointer) memory, (intP, int32) memory,
 (unsigned_intP, uint32) memory, (unsigned_intP, uint32) memory -> int

axiom pointer_addr_of_SparseArray_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(SparseArray_of_pointer_address(p))))

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

axiom pointer_addr_of_intP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(intP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic unsigned_intP_of_pointer_address: unit pointer -> unsigned_intP pointer

axiom pointer_addr_of_unsigned_intP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_intP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_SparseArray(p:SparseArray pointer, b:int,
 SparseArray_alloc_table:SparseArray alloc_table) =
 (offset_max(SparseArray_alloc_table, p) >= b)

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_intP(p:intP pointer, b:int,
 intP_alloc_table:intP alloc_table) = (offset_max(intP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_intP(p:unsigned_intP pointer, b:int,
 unsigned_intP_alloc_table:unsigned_intP alloc_table) =
 (offset_max(unsigned_intP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_SparseArray(p:SparseArray pointer, a:int, b:int,
 SparseArray_alloc_table:SparseArray alloc_table) =
 ((offset_min(SparseArray_alloc_table, p) = a)
 and (offset_max(SparseArray_alloc_table, p) = b))

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) = a)
 and (offset_max(intP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_intP(p:unsigned_intP pointer, a:int,
 b:int, unsigned_intP_alloc_table:unsigned_intP alloc_table) =
 ((offset_min(unsigned_intP_alloc_table, p) = a)
 and (offset_max(unsigned_intP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_SparseArray(p:SparseArray pointer, a:int,
 b:int, SparseArray_alloc_table:SparseArray alloc_table) =
 ((offset_min(SparseArray_alloc_table, p) = a)
 and (offset_max(SparseArray_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) = a)
 and (offset_max(intP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_intP(p:unsigned_intP pointer, a:int,
 b:int, unsigned_intP_alloc_table:unsigned_intP alloc_table) =
 ((offset_min(unsigned_intP_alloc_table, p) = a)
 and (offset_max(unsigned_intP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint32_of_integer: int -> uint32

axiom uint32_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (4294967295))) ->
   eq_int(integer_of_uint32(uint32_of_integer(x)), x)))

axiom uint32_extensionality :
 (forall x:uint32.
  (forall y:uint32[eq_int(integer_of_uint32(x), integer_of_uint32(y))].
   (eq_int(integer_of_uint32(x), integer_of_uint32(y)) -> (x = y))))

axiom uint32_range :
 (forall x:uint32.
  (le_int((0), integer_of_uint32(x))
  and le_int(integer_of_uint32(x), (4294967295))))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

logic unsigned_intP_tag:  -> unsigned_intP tag_id

axiom unsigned_intP_int : (int_of_tag(unsigned_intP_tag) = (1))

axiom unsigned_intP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_intP pointer.
  (p = unsigned_intP_of_pointer_address(pointer_address(p))))

axiom unsigned_intP_parenttag_bottom :
 parenttag(unsigned_intP_tag, bottom_tag)

axiom unsigned_intP_tags :
 (forall x:unsigned_intP pointer.
  (forall unsigned_intP_tag_table:unsigned_intP tag_table.
   instanceof(unsigned_intP_tag_table, x, unsigned_intP_tag)))

predicate valid_root_SparseArray(p:SparseArray pointer, a:int, b:int,
 SparseArray_alloc_table:SparseArray alloc_table) =
 ((offset_min(SparseArray_alloc_table, p) <= a)
 and (offset_max(SparseArray_alloc_table, p) >= b))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) <= a)
 and (offset_max(intP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_unsigned_intP(p:unsigned_intP pointer, a:int, b:int,
 unsigned_intP_alloc_table:unsigned_intP alloc_table) =
 ((offset_min(unsigned_intP_alloc_table, p) <= a)
 and (offset_max(unsigned_intP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_SparseArray(p:SparseArray pointer, a:int, b:int,
 SparseArray_alloc_table:SparseArray alloc_table) =
 ((offset_min(SparseArray_alloc_table, p) <= a)
 and (offset_max(SparseArray_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) <= a)
 and (offset_max(intP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_unsigned_intP(p:unsigned_intP pointer, a:int, b:int,
 unsigned_intP_alloc_table:unsigned_intP alloc_table) =
 ((offset_min(unsigned_intP_alloc_table, p) <= a)
 and (offset_max(unsigned_intP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

axiom model_in :
 (forall SparseArray_n_1_a_0_4_at_L:(SparseArray, uint32) memory.
  (forall SparseArray_back_a_0_4_at_L:
   (SparseArray, unsigned_intP pointer) memory.
   (forall SparseArray_idx_a_0_4_at_L:
    (SparseArray, unsigned_intP pointer) memory.
    (forall SparseArray_val_a_0_4_at_L:(SparseArray, intP pointer) memory.
     (forall intP_intM_val_13_at_L:(intP, int32) memory.
      (forall unsigned_intP_unsigned_intM_idx_37_at_L:
       (unsigned_intP, uint32) memory.
       (forall unsigned_intP_unsigned_intM_back_36_at_L:
        (unsigned_intP, uint32) memory.
        (forall a_1_0:SparseArray pointer.
         (forall i_3:int.
          (is_elt(a_1_0, i_3, SparseArray_n_1_a_0_4_at_L,
           SparseArray_back_a_0_4_at_L, SparseArray_idx_a_0_4_at_L,
           unsigned_intP_unsigned_intM_back_36_at_L,
           unsigned_intP_unsigned_intM_idx_37_at_L) ->
           (model(a_1_0, i_3, SparseArray_n_1_a_0_4_at_L,
            SparseArray_back_a_0_4_at_L, SparseArray_idx_a_0_4_at_L,
            SparseArray_val_a_0_4_at_L, intP_intM_val_13_at_L,
            unsigned_intP_unsigned_intM_idx_37_at_L,
            unsigned_intP_unsigned_intM_back_36_at_L) = integer_of_int32(
                                                        select(intP_intM_val_13_at_L,
                                                        shift(select(SparseArray_val_a_0_4_at_L,
                                                              a_1_0),
                                                        i_3))))))))))))))

axiom model_out :
 (forall SparseArray_n_1_a_0_4_at_L:(SparseArray, uint32) memory.
  (forall SparseArray_back_a_0_4_at_L:
   (SparseArray, unsigned_intP pointer) memory.
   (forall SparseArray_idx_a_0_4_at_L:
    (SparseArray, unsigned_intP pointer) memory.
    (forall SparseArray_val_a_0_4_at_L:(SparseArray, intP pointer) memory.
     (forall intP_intM_val_13_at_L:(intP, int32) memory.
      (forall unsigned_intP_unsigned_intM_idx_37_at_L:
       (unsigned_intP, uint32) memory.
       (forall unsigned_intP_unsigned_intM_back_36_at_L:
        (unsigned_intP, uint32) memory.
        (forall a_2:SparseArray pointer.
         (forall i_4:int.
          ((not is_elt(a_2, i_4, SparseArray_n_1_a_0_4_at_L,
                SparseArray_back_a_0_4_at_L, SparseArray_idx_a_0_4_at_L,
                unsigned_intP_unsigned_intM_back_36_at_L,
                unsigned_intP_unsigned_intM_idx_37_at_L)) ->
           (model(a_2, i_4, SparseArray_n_1_a_0_4_at_L,
            SparseArray_back_a_0_4_at_L, SparseArray_idx_a_0_4_at_L,
            SparseArray_val_a_0_4_at_L, intP_intM_val_13_at_L,
            unsigned_intP_unsigned_intM_idx_37_at_L,
            unsigned_intP_unsigned_intM_back_36_at_L) = (0))))))))))))

exception Goto__LAND_0_exc of unit

exception Goto__LAND_exc of unit

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter SparseArray_alloc_table : SparseArray alloc_table ref

parameter SparseArray_tag_table : SparseArray tag_table ref

parameter alloc_struct_SparseArray :
 n:int ->
  SparseArray_alloc_table:SparseArray alloc_table ref ->
   SparseArray_tag_table:SparseArray tag_table ref ->
    { } SparseArray pointer
    writes SparseArray_alloc_table,SparseArray_tag_table
    { (strict_valid_struct_SparseArray(result, (0), sub_int(n, (1)),
       SparseArray_alloc_table)
      and (alloc_extends(SparseArray_alloc_table@, SparseArray_alloc_table)
          and (alloc_fresh(SparseArray_alloc_table@, result, n)
              and instanceof(SparseArray_tag_table, result, SparseArray_tag)))) }

parameter alloc_struct_SparseArray_requires :
 n:int ->
  SparseArray_alloc_table:SparseArray alloc_table ref ->
   SparseArray_tag_table:SparseArray tag_table ref ->
    { ge_int(n, (0))} SparseArray pointer
    writes SparseArray_alloc_table,SparseArray_tag_table
    { (strict_valid_struct_SparseArray(result, (0), sub_int(n, (1)),
       SparseArray_alloc_table)
      and (alloc_extends(SparseArray_alloc_table@, SparseArray_alloc_table)
          and (alloc_fresh(SparseArray_alloc_table@, result, n)
              and instanceof(SparseArray_tag_table, result, SparseArray_tag)))) }

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter intP_alloc_table : intP alloc_table ref

parameter intP_tag_table : intP tag_table ref

parameter alloc_struct_intP :
 n:int ->
  intP_alloc_table:intP alloc_table ref ->
   intP_tag_table:intP tag_table ref ->
    { } intP pointer writes intP_alloc_table,intP_tag_table
    { (strict_valid_struct_intP(result, (0), sub_int(n, (1)),
       intP_alloc_table)
      and (alloc_extends(intP_alloc_table@, intP_alloc_table)
          and (alloc_fresh(intP_alloc_table@, result, n)
              and instanceof(intP_tag_table, result, intP_tag)))) }

parameter alloc_struct_intP_requires :
 n:int ->
  intP_alloc_table:intP alloc_table ref ->
   intP_tag_table:intP tag_table ref ->
    { ge_int(n, (0))} intP pointer writes intP_alloc_table,intP_tag_table
    { (strict_valid_struct_intP(result, (0), sub_int(n, (1)),
       intP_alloc_table)
      and (alloc_extends(intP_alloc_table@, intP_alloc_table)
          and (alloc_fresh(intP_alloc_table@, result, n)
              and instanceof(intP_tag_table, result, intP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter unsigned_intP_alloc_table : unsigned_intP alloc_table ref

parameter unsigned_intP_tag_table : unsigned_intP tag_table ref

parameter alloc_struct_unsigned_intP :
 n:int ->
  unsigned_intP_alloc_table:unsigned_intP alloc_table ref ->
   unsigned_intP_tag_table:unsigned_intP tag_table ref ->
    { } unsigned_intP pointer
    writes unsigned_intP_alloc_table,unsigned_intP_tag_table
    { (strict_valid_struct_unsigned_intP(result, (0), sub_int(n, (1)),
       unsigned_intP_alloc_table)
      and (alloc_extends(unsigned_intP_alloc_table@,
           unsigned_intP_alloc_table)
          and (alloc_fresh(unsigned_intP_alloc_table@, result, n)
              and instanceof(unsigned_intP_tag_table, result,
                  unsigned_intP_tag)))) }

parameter alloc_struct_unsigned_intP_requires :
 n:int ->
  unsigned_intP_alloc_table:unsigned_intP alloc_table ref ->
   unsigned_intP_tag_table:unsigned_intP tag_table ref ->
    { ge_int(n, (0))} unsigned_intP pointer
    writes unsigned_intP_alloc_table,unsigned_intP_tag_table
    { (strict_valid_struct_unsigned_intP(result, (0), sub_int(n, (1)),
       unsigned_intP_alloc_table)
      and (alloc_extends(unsigned_intP_alloc_table@,
           unsigned_intP_alloc_table)
          and (alloc_fresh(unsigned_intP_alloc_table@, result, n)
              and instanceof(unsigned_intP_tag_table, result,
                  unsigned_intP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int32 : unit -> { } int32 { true }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint32 : unit -> { } uint32 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter calloc :
 nmemb:uint32 -> size_0:uint32 -> { } charP pointer { true }

parameter calloc_requires :
 nmemb:uint32 -> size_0:uint32 -> { } charP pointer { true }

parameter create :
 sz:uint32 ->
  unsigned_intP_back_24_alloc_table:unsigned_intP alloc_table ref ->
   unsigned_intP_idx_22_alloc_table:unsigned_intP alloc_table ref ->
    intP_val_20_alloc_table:intP alloc_table ref ->
     SparseArray_result_6_alloc_table:SparseArray alloc_table ref ->
      unsigned_intP_back_24_tag_table:unsigned_intP tag_table ref ->
       unsigned_intP_idx_22_tag_table:unsigned_intP tag_table ref ->
        intP_val_20_tag_table:intP tag_table ref ->
         SparseArray_result_6_tag_table:SparseArray tag_table ref ->
          SparseArray_sz_0_result_6:(SparseArray, uint32) memory ref ->
           SparseArray_n_1_result_6:(SparseArray, uint32) memory ref ->
            SparseArray_back_result_6:(SparseArray, unsigned_intP pointer) memory ref ->
             SparseArray_idx_result_6:(SparseArray, unsigned_intP pointer) memory ref ->
              SparseArray_val_result_6:(SparseArray, intP pointer) memory ref ->
               intP_intM_val_20:(intP, int32) memory ->
                unsigned_intP_unsigned_intM_back_24:(unsigned_intP, uint32) memory ->
                 unsigned_intP_unsigned_intM_idx_22:(unsigned_intP, uint32) memory ->
                  { } SparseArray pointer
                  reads SparseArray_back_result_6,SparseArray_idx_result_6,SparseArray_n_1_result_6,SparseArray_result_6_alloc_table,SparseArray_sz_0_result_6,SparseArray_val_result_6,intP_val_20_alloc_table,unsigned_intP_back_24_alloc_table,unsigned_intP_idx_22_alloc_table
                  writes SparseArray_back_result_6,SparseArray_idx_result_6,SparseArray_n_1_result_6,SparseArray_result_6_alloc_table,SparseArray_result_6_tag_table,SparseArray_sz_0_result_6,SparseArray_val_result_6,intP_val_20_alloc_table,intP_val_20_tag_table,unsigned_intP_back_24_alloc_table,unsigned_intP_back_24_tag_table,unsigned_intP_idx_22_alloc_table,unsigned_intP_idx_22_tag_table
                  { (JC_38:
                    ((JC_31:
                     ((JC_27:
                      (not valid(SparseArray_result_6_alloc_table@, result)))
                     and ((JC_28:
                          inv(result, unsigned_intP_back_24_alloc_table,
                          unsigned_intP_idx_22_alloc_table,
                          intP_val_20_alloc_table,
                          SparseArray_result_6_alloc_table,
                          SparseArray_sz_0_result_6,
                          SparseArray_n_1_result_6,
                          SparseArray_back_result_6,
                          SparseArray_idx_result_6, SparseArray_val_result_6,
                          unsigned_intP_unsigned_intM_back_24,
                          unsigned_intP_unsigned_intM_idx_22))
                         and ((JC_29:
                              (integer_of_uint32(select(SparseArray_sz_0_result_6,
                                                 result)) = integer_of_uint32(sz)))
                             and (JC_30:
                                 (forall i_6:int.
                                  (model(result, i_6,
                                   SparseArray_n_1_result_6,
                                   SparseArray_back_result_6,
                                   SparseArray_idx_result_6,
                                   SparseArray_val_result_6,
                                   intP_intM_val_20,
                                   unsigned_intP_unsigned_intM_idx_22,
                                   unsigned_intP_unsigned_intM_back_24) = (0))))))))
                    and (JC_37:
                        (((((JC_32:
                            not_assigns(SparseArray_result_6_alloc_table@,
                            SparseArray_val_result_6@,
                            SparseArray_val_result_6, pset_empty))
                           and (JC_33:
                               not_assigns(SparseArray_result_6_alloc_table@,
                               SparseArray_idx_result_6@,
                               SparseArray_idx_result_6, pset_empty)))
                          and (JC_34:
                              not_assigns(SparseArray_result_6_alloc_table@,
                              SparseArray_back_result_6@,
                              SparseArray_back_result_6, pset_empty)))
                         and (JC_35:
                             not_assigns(SparseArray_result_6_alloc_table@,
                             SparseArray_n_1_result_6@,
                             SparseArray_n_1_result_6, pset_empty)))
                        and (JC_36:
                            not_assigns(SparseArray_result_6_alloc_table@,
                            SparseArray_sz_0_result_6@,
                            SparseArray_sz_0_result_6, pset_empty)))))) }

parameter create_requires :
 sz:uint32 ->
  unsigned_intP_back_24_alloc_table:unsigned_intP alloc_table ref ->
   unsigned_intP_idx_22_alloc_table:unsigned_intP alloc_table ref ->
    intP_val_20_alloc_table:intP alloc_table ref ->
     SparseArray_result_6_alloc_table:SparseArray alloc_table ref ->
      unsigned_intP_back_24_tag_table:unsigned_intP tag_table ref ->
       unsigned_intP_idx_22_tag_table:unsigned_intP tag_table ref ->
        intP_val_20_tag_table:intP tag_table ref ->
         SparseArray_result_6_tag_table:SparseArray tag_table ref ->
          SparseArray_sz_0_result_6:(SparseArray, uint32) memory ref ->
           SparseArray_n_1_result_6:(SparseArray, uint32) memory ref ->
            SparseArray_back_result_6:(SparseArray, unsigned_intP pointer) memory ref ->
             SparseArray_idx_result_6:(SparseArray, unsigned_intP pointer) memory ref ->
              SparseArray_val_result_6:(SparseArray, intP pointer) memory ref ->
               intP_intM_val_20:(intP, int32) memory ->
                unsigned_intP_unsigned_intM_back_24:(unsigned_intP, uint32) memory ->
                 unsigned_intP_unsigned_intM_idx_22:(unsigned_intP, uint32) memory ->
                  { (JC_11: ge_int(integer_of_uint32(sz), (0)))}
                  SparseArray pointer
                  reads SparseArray_back_result_6,SparseArray_idx_result_6,SparseArray_n_1_result_6,SparseArray_result_6_alloc_table,SparseArray_sz_0_result_6,SparseArray_val_result_6,intP_val_20_alloc_table,unsigned_intP_back_24_alloc_table,unsigned_intP_idx_22_alloc_table
                  writes SparseArray_back_result_6,SparseArray_idx_result_6,SparseArray_n_1_result_6,SparseArray_result_6_alloc_table,SparseArray_result_6_tag_table,SparseArray_sz_0_result_6,SparseArray_val_result_6,intP_val_20_alloc_table,intP_val_20_tag_table,unsigned_intP_back_24_alloc_table,unsigned_intP_back_24_tag_table,unsigned_intP_idx_22_alloc_table,unsigned_intP_idx_22_tag_table
                  { (JC_38:
                    ((JC_31:
                     ((JC_27:
                      (not valid(SparseArray_result_6_alloc_table@, result)))
                     and ((JC_28:
                          inv(result, unsigned_intP_back_24_alloc_table,
                          unsigned_intP_idx_22_alloc_table,
                          intP_val_20_alloc_table,
                          SparseArray_result_6_alloc_table,
                          SparseArray_sz_0_result_6,
                          SparseArray_n_1_result_6,
                          SparseArray_back_result_6,
                          SparseArray_idx_result_6, SparseArray_val_result_6,
                          unsigned_intP_unsigned_intM_back_24,
                          unsigned_intP_unsigned_intM_idx_22))
                         and ((JC_29:
                              (integer_of_uint32(select(SparseArray_sz_0_result_6,
                                                 result)) = integer_of_uint32(sz)))
                             and (JC_30:
                                 (forall i_6:int.
                                  (model(result, i_6,
                                   SparseArray_n_1_result_6,
                                   SparseArray_back_result_6,
                                   SparseArray_idx_result_6,
                                   SparseArray_val_result_6,
                                   intP_intM_val_20,
                                   unsigned_intP_unsigned_intM_idx_22,
                                   unsigned_intP_unsigned_intM_back_24) = (0))))))))
                    and (JC_37:
                        (((((JC_32:
                            not_assigns(SparseArray_result_6_alloc_table@,
                            SparseArray_val_result_6@,
                            SparseArray_val_result_6, pset_empty))
                           and (JC_33:
                               not_assigns(SparseArray_result_6_alloc_table@,
                               SparseArray_idx_result_6@,
                               SparseArray_idx_result_6, pset_empty)))
                          and (JC_34:
                              not_assigns(SparseArray_result_6_alloc_table@,
                              SparseArray_back_result_6@,
                              SparseArray_back_result_6, pset_empty)))
                         and (JC_35:
                             not_assigns(SparseArray_result_6_alloc_table@,
                             SparseArray_n_1_result_6@,
                             SparseArray_n_1_result_6, pset_empty)))
                        and (JC_36:
                            not_assigns(SparseArray_result_6_alloc_table@,
                            SparseArray_sz_0_result_6@,
                            SparseArray_sz_0_result_6, pset_empty)))))) }

parameter get :
 a_1:SparseArray pointer ->
  i:uint32 ->
   unsigned_intP_back_27_alloc_table:unsigned_intP alloc_table ->
    unsigned_intP_idx_26_alloc_table:unsigned_intP alloc_table ->
     intP_val_28_alloc_table:intP alloc_table ->
      SparseArray_a_8_alloc_table:SparseArray alloc_table ->
       SparseArray_sz_0_a_8:(SparseArray, uint32) memory ->
        SparseArray_n_1_a_8:(SparseArray, uint32) memory ->
         SparseArray_back_a_8:(SparseArray, unsigned_intP pointer) memory ->
          SparseArray_idx_a_8:(SparseArray, unsigned_intP pointer) memory ->
           SparseArray_val_a_8:(SparseArray, intP pointer) memory ->
            intP_intM_val_28:(intP, int32) memory ->
             unsigned_intP_unsigned_intM_back_27:(unsigned_intP, uint32) memory ->
              unsigned_intP_unsigned_intM_idx_26:(unsigned_intP, uint32) memory ->
               { } int32
               { (JC_68:
                 (integer_of_int32(result) = model(a_1, integer_of_uint32(i),
                                             SparseArray_n_1_a_8,
                                             SparseArray_back_a_8,
                                             SparseArray_idx_a_8,
                                             SparseArray_val_a_8,
                                             intP_intM_val_28,
                                             unsigned_intP_unsigned_intM_idx_26,
                                             unsigned_intP_unsigned_intM_back_27))) }

parameter get_requires :
 a_1:SparseArray pointer ->
  i:uint32 ->
   unsigned_intP_back_27_alloc_table:unsigned_intP alloc_table ->
    unsigned_intP_idx_26_alloc_table:unsigned_intP alloc_table ->
     intP_val_28_alloc_table:intP alloc_table ->
      SparseArray_a_8_alloc_table:SparseArray alloc_table ->
       SparseArray_sz_0_a_8:(SparseArray, uint32) memory ->
        SparseArray_n_1_a_8:(SparseArray, uint32) memory ->
         SparseArray_back_a_8:(SparseArray, unsigned_intP pointer) memory ->
          SparseArray_idx_a_8:(SparseArray, unsigned_intP pointer) memory ->
           SparseArray_val_a_8:(SparseArray, intP pointer) memory ->
            intP_intM_val_28:(intP, int32) memory ->
             unsigned_intP_unsigned_intM_back_27:(unsigned_intP, uint32) memory ->
              unsigned_intP_unsigned_intM_idx_26:(unsigned_intP, uint32) memory ->
               { (JC_58:
                 ((JC_54:
                  le_int(offset_min(SparseArray_a_8_alloc_table, a_1), (0)))
                 and ((JC_55:
                      ge_int(offset_max(SparseArray_a_8_alloc_table, a_1),
                      (0)))
                     and ((JC_56:
                          inv(a_1, unsigned_intP_back_27_alloc_table,
                          unsigned_intP_idx_26_alloc_table,
                          intP_val_28_alloc_table,
                          SparseArray_a_8_alloc_table, SparseArray_sz_0_a_8,
                          SparseArray_n_1_a_8, SparseArray_back_a_8,
                          SparseArray_idx_a_8, SparseArray_val_a_8,
                          unsigned_intP_unsigned_intM_back_27,
                          unsigned_intP_unsigned_intM_idx_26))
                         and (JC_57:
                             le_int(integer_of_uint32(i),
                             sub_int(integer_of_uint32(select(SparseArray_sz_0_a_8,
                                                       a_1)),
                             (1))))))))}
               int32
               { (JC_68:
                 (integer_of_int32(result) = model(a_1, integer_of_uint32(i),
                                             SparseArray_n_1_a_8,
                                             SparseArray_back_a_8,
                                             SparseArray_idx_a_8,
                                             SparseArray_val_a_8,
                                             intP_intM_val_28,
                                             unsigned_intP_unsigned_intM_idx_26,
                                             unsigned_intP_unsigned_intM_back_27))) }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter main : tt:unit -> { } int32 { true }

parameter main_requires : tt:unit -> { } int32 { true }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint32_of_integer_ :
 x:int -> { } uint32 { eq_int(integer_of_uint32(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter set :
 a_0_0:SparseArray pointer ->
  i_0:uint32 ->
   v:int32 ->
    SparseArray_n_1_a_0_9:(SparseArray, uint32) memory ref ->
     intP_intM_val_29:(intP, int32) memory ref ->
      unsigned_intP_unsigned_intM_back_31:(unsigned_intP, uint32) memory ref ->
       unsigned_intP_unsigned_intM_idx_30:(unsigned_intP, uint32) memory ref ->
        unsigned_intP_back_31_alloc_table:unsigned_intP alloc_table ->
         unsigned_intP_idx_30_alloc_table:unsigned_intP alloc_table ->
          intP_val_29_alloc_table:intP alloc_table ->
           SparseArray_a_0_9_alloc_table:SparseArray alloc_table ->
            SparseArray_sz_0_a_0_9:(SparseArray, uint32) memory ->
             SparseArray_back_a_0_9:(SparseArray, unsigned_intP pointer) memory ->
              SparseArray_idx_a_0_9:(SparseArray, unsigned_intP pointer) memory ->
               SparseArray_val_a_0_9:(SparseArray, intP pointer) memory ->
                { } unit
                reads SparseArray_n_1_a_0_9,intP_intM_val_29,unsigned_intP_unsigned_intM_back_31,unsigned_intP_unsigned_intM_idx_30
                writes SparseArray_n_1_a_0_9,intP_intM_val_29,unsigned_intP_unsigned_intM_back_31,unsigned_intP_unsigned_intM_idx_30
                { (JC_114:
                  ((JC_108:
                   ((JC_105:
                    inv(a_0_0, unsigned_intP_back_31_alloc_table,
                    unsigned_intP_idx_30_alloc_table,
                    intP_val_29_alloc_table, SparseArray_a_0_9_alloc_table,
                    SparseArray_sz_0_a_0_9, SparseArray_n_1_a_0_9,
                    SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
                    SparseArray_val_a_0_9,
                    unsigned_intP_unsigned_intM_back_31,
                    unsigned_intP_unsigned_intM_idx_30))
                   and ((JC_106:
                        (model(a_0_0, integer_of_uint32(i_0),
                         SparseArray_n_1_a_0_9, SparseArray_back_a_0_9,
                         SparseArray_idx_a_0_9, SparseArray_val_a_0_9,
                         intP_intM_val_29,
                         unsigned_intP_unsigned_intM_idx_30,
                         unsigned_intP_unsigned_intM_back_31) = integer_of_int32(v)))
                       and (JC_107:
                           (forall j_0:int.
                            ((j_0 <> integer_of_uint32(i_0)) ->
                             (model(a_0_0, j_0, SparseArray_n_1_a_0_9,
                              SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
                              SparseArray_val_a_0_9, intP_intM_val_29,
                              unsigned_intP_unsigned_intM_idx_30,
                              unsigned_intP_unsigned_intM_back_31) = 
                             model(a_0_0, j_0, SparseArray_n_1_a_0_9@,
                             SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
                             SparseArray_val_a_0_9, intP_intM_val_29@,
                             unsigned_intP_unsigned_intM_idx_30@,
                             unsigned_intP_unsigned_intM_back_31@))))))))
                  and (JC_113:
                      ((((JC_109:
                         not_assigns(unsigned_intP_idx_30_alloc_table,
                         unsigned_intP_unsigned_intM_idx_30@,
                         unsigned_intP_unsigned_intM_idx_30,
                         pset_all(pset_deref(SparseArray_idx_a_0_9,
                                  pset_singleton(a_0_0)))))
                        and (JC_110:
                            not_assigns(unsigned_intP_back_31_alloc_table,
                            unsigned_intP_unsigned_intM_back_31@,
                            unsigned_intP_unsigned_intM_back_31,
                            pset_all(pset_deref(SparseArray_back_a_0_9,
                                     pset_singleton(a_0_0))))))
                       and (JC_111:
                           not_assigns(intP_val_29_alloc_table,
                           intP_intM_val_29@, intP_intM_val_29,
                           pset_range(pset_deref(SparseArray_val_a_0_9,
                                      pset_singleton(a_0_0)),
                           integer_of_uint32(i_0), integer_of_uint32(i_0)))))
                      and (JC_112:
                          not_assigns(SparseArray_a_0_9_alloc_table,
                          SparseArray_n_1_a_0_9@, SparseArray_n_1_a_0_9,
                          pset_singleton(a_0_0))))))) }

parameter set_requires :
 a_0_0:SparseArray pointer ->
  i_0:uint32 ->
   v:int32 ->
    SparseArray_n_1_a_0_9:(SparseArray, uint32) memory ref ->
     intP_intM_val_29:(intP, int32) memory ref ->
      unsigned_intP_unsigned_intM_back_31:(unsigned_intP, uint32) memory ref ->
       unsigned_intP_unsigned_intM_idx_30:(unsigned_intP, uint32) memory ref ->
        unsigned_intP_back_31_alloc_table:unsigned_intP alloc_table ->
         unsigned_intP_idx_30_alloc_table:unsigned_intP alloc_table ->
          intP_val_29_alloc_table:intP alloc_table ->
           SparseArray_a_0_9_alloc_table:SparseArray alloc_table ->
            SparseArray_sz_0_a_0_9:(SparseArray, uint32) memory ->
             SparseArray_back_a_0_9:(SparseArray, unsigned_intP pointer) memory ->
              SparseArray_idx_a_0_9:(SparseArray, unsigned_intP pointer) memory ->
               SparseArray_val_a_0_9:(SparseArray, intP pointer) memory ->
                { (JC_87:
                  ((JC_83:
                   le_int(offset_min(SparseArray_a_0_9_alloc_table, a_0_0),
                   (0)))
                  and ((JC_84:
                       ge_int(offset_max(SparseArray_a_0_9_alloc_table,
                              a_0_0),
                       (0)))
                      and ((JC_85:
                           inv(a_0_0, unsigned_intP_back_31_alloc_table,
                           unsigned_intP_idx_30_alloc_table,
                           intP_val_29_alloc_table,
                           SparseArray_a_0_9_alloc_table,
                           SparseArray_sz_0_a_0_9, SparseArray_n_1_a_0_9,
                           SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
                           SparseArray_val_a_0_9,
                           unsigned_intP_unsigned_intM_back_31,
                           unsigned_intP_unsigned_intM_idx_30))
                          and (JC_86:
                              le_int(integer_of_uint32(i_0),
                              sub_int(integer_of_uint32(select(SparseArray_sz_0_a_0_9,
                                                        a_0_0)),
                              (1))))))))}
                unit
                reads SparseArray_n_1_a_0_9,intP_intM_val_29,unsigned_intP_unsigned_intM_back_31,unsigned_intP_unsigned_intM_idx_30
                writes SparseArray_n_1_a_0_9,intP_intM_val_29,unsigned_intP_unsigned_intM_back_31,unsigned_intP_unsigned_intM_idx_30
                { (JC_114:
                  ((JC_108:
                   ((JC_105:
                    inv(a_0_0, unsigned_intP_back_31_alloc_table,
                    unsigned_intP_idx_30_alloc_table,
                    intP_val_29_alloc_table, SparseArray_a_0_9_alloc_table,
                    SparseArray_sz_0_a_0_9, SparseArray_n_1_a_0_9,
                    SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
                    SparseArray_val_a_0_9,
                    unsigned_intP_unsigned_intM_back_31,
                    unsigned_intP_unsigned_intM_idx_30))
                   and ((JC_106:
                        (model(a_0_0, integer_of_uint32(i_0),
                         SparseArray_n_1_a_0_9, SparseArray_back_a_0_9,
                         SparseArray_idx_a_0_9, SparseArray_val_a_0_9,
                         intP_intM_val_29,
                         unsigned_intP_unsigned_intM_idx_30,
                         unsigned_intP_unsigned_intM_back_31) = integer_of_int32(v)))
                       and (JC_107:
                           (forall j_0:int.
                            ((j_0 <> integer_of_uint32(i_0)) ->
                             (model(a_0_0, j_0, SparseArray_n_1_a_0_9,
                              SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
                              SparseArray_val_a_0_9, intP_intM_val_29,
                              unsigned_intP_unsigned_intM_idx_30,
                              unsigned_intP_unsigned_intM_back_31) = 
                             model(a_0_0, j_0, SparseArray_n_1_a_0_9@,
                             SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
                             SparseArray_val_a_0_9, intP_intM_val_29@,
                             unsigned_intP_unsigned_intM_idx_30@,
                             unsigned_intP_unsigned_intM_back_31@))))))))
                  and (JC_113:
                      ((((JC_109:
                         not_assigns(unsigned_intP_idx_30_alloc_table,
                         unsigned_intP_unsigned_intM_idx_30@,
                         unsigned_intP_unsigned_intM_idx_30,
                         pset_all(pset_deref(SparseArray_idx_a_0_9,
                                  pset_singleton(a_0_0)))))
                        and (JC_110:
                            not_assigns(unsigned_intP_back_31_alloc_table,
                            unsigned_intP_unsigned_intM_back_31@,
                            unsigned_intP_unsigned_intM_back_31,
                            pset_all(pset_deref(SparseArray_back_a_0_9,
                                     pset_singleton(a_0_0))))))
                       and (JC_111:
                           not_assigns(intP_val_29_alloc_table,
                           intP_intM_val_29@, intP_intM_val_29,
                           pset_range(pset_deref(SparseArray_val_a_0_9,
                                      pset_singleton(a_0_0)),
                           integer_of_uint32(i_0), integer_of_uint32(i_0)))))
                      and (JC_112:
                          not_assigns(SparseArray_a_0_9_alloc_table,
                          SparseArray_n_1_a_0_9@, SparseArray_n_1_a_0_9,
                          pset_singleton(a_0_0))))))) }

parameter uint32_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (4294967295)))} uint32
  { eq_int(integer_of_uint32(result), x) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let create_ensures_default =
 fun (sz : uint32) (SparseArray_result_6_alloc_table : SparseArray alloc_table ref) (intP_val_20_alloc_table : intP alloc_table ref) (unsigned_intP_idx_22_alloc_table : unsigned_intP alloc_table ref) (unsigned_intP_back_24_alloc_table : unsigned_intP alloc_table ref) (unsigned_intP_back_24_tag_table : unsigned_intP tag_table ref) (unsigned_intP_idx_22_tag_table : unsigned_intP tag_table ref) (intP_val_20_tag_table : intP tag_table ref) (SparseArray_result_6_tag_table : SparseArray tag_table ref) (SparseArray_val_result_6 : (SparseArray, intP pointer) memory ref) (SparseArray_idx_result_6 : (SparseArray, unsigned_intP pointer) memory ref) (SparseArray_back_result_6 : (SparseArray, unsigned_intP pointer) memory ref) (SparseArray_n_1_result_6 : (SparseArray, uint32) memory ref) (SparseArray_sz_0_result_6 : (SparseArray, uint32) memory ref) (unsigned_intP_unsigned_intM_idx_22 : (unsigned_intP, uint32) memory) (unsigned_intP_unsigned_intM_back_24 : (unsigned_intP, uint32) memory) (intP_intM_val_20 : (intP, int32) memory) ->
  { (JC_13: ge_int(integer_of_uint32(sz), (0))) }
  (init:
  (let return = ref (any_pointer void) in
  try
   begin
     (let a_1_1 = ref (any_pointer void) in
     begin
       (let _jessie_ =
       (a_1_1 := (JC_50:
                 (((alloc_struct_SparseArray (1)) SparseArray_result_6_alloc_table) SparseArray_result_6_tag_table))) in
       void);
      (let _jessie_ =
      (JC_51:
      (((alloc_struct_intP (integer_of_uint32 sz)) intP_val_20_alloc_table) intP_val_20_tag_table)) in
      (let _jessie_ = !a_1_1 in
      (((safe_upd_ SparseArray_val_result_6) _jessie_) _jessie_)));
      (let _jessie_ =
      (JC_52:
      (((alloc_struct_unsigned_intP (integer_of_uint32 sz)) unsigned_intP_idx_22_alloc_table) unsigned_intP_idx_22_tag_table)) in
      (let _jessie_ = !a_1_1 in
      (((safe_upd_ SparseArray_idx_result_6) _jessie_) _jessie_)));
      (let _jessie_ =
      (JC_53:
      (((alloc_struct_unsigned_intP (integer_of_uint32 sz)) unsigned_intP_back_24_alloc_table) unsigned_intP_back_24_tag_table)) in
      (let _jessie_ = !a_1_1 in
      (((safe_upd_ SparseArray_back_result_6) _jessie_) _jessie_)));
      (let _jessie_ = (safe_uint32_of_integer_ (0)) in
      (let _jessie_ = !a_1_1 in
      (((safe_upd_ SparseArray_n_1_result_6) _jessie_) _jessie_)));
      (let _jessie_ = sz in
      (let _jessie_ = !a_1_1 in
      (((safe_upd_ SparseArray_sz_0_result_6) _jessie_) _jessie_)));
      (return := !a_1_1); (raise Return) end); absurd  end with Return ->
   !return end))
  { (JC_26:
    ((JC_19:
     ((JC_15: (not valid(SparseArray_result_6_alloc_table@, result)))
     and ((JC_16:
          inv(result, unsigned_intP_back_24_alloc_table,
          unsigned_intP_idx_22_alloc_table, intP_val_20_alloc_table,
          SparseArray_result_6_alloc_table, SparseArray_sz_0_result_6,
          SparseArray_n_1_result_6, SparseArray_back_result_6,
          SparseArray_idx_result_6, SparseArray_val_result_6,
          unsigned_intP_unsigned_intM_back_24,
          unsigned_intP_unsigned_intM_idx_22))
         and ((JC_17:
              (integer_of_uint32(select(SparseArray_sz_0_result_6, result)) = 
              integer_of_uint32(sz)))
             and (JC_18:
                 (forall i_6:int.
                  (model(result, i_6, SparseArray_n_1_result_6,
                   SparseArray_back_result_6, SparseArray_idx_result_6,
                   SparseArray_val_result_6, intP_intM_val_20,
                   unsigned_intP_unsigned_intM_idx_22,
                   unsigned_intP_unsigned_intM_back_24) = (0))))))))
    and (JC_25:
        (((((JC_20:
            not_assigns(SparseArray_result_6_alloc_table@,
            SparseArray_val_result_6@, SparseArray_val_result_6, pset_empty))
           and (JC_21:
               not_assigns(SparseArray_result_6_alloc_table@,
               SparseArray_idx_result_6@, SparseArray_idx_result_6,
               pset_empty)))
          and (JC_22:
              not_assigns(SparseArray_result_6_alloc_table@,
              SparseArray_back_result_6@, SparseArray_back_result_6,
              pset_empty)))
         and (JC_23:
             not_assigns(SparseArray_result_6_alloc_table@,
             SparseArray_n_1_result_6@, SparseArray_n_1_result_6, pset_empty)))
        and (JC_24:
            not_assigns(SparseArray_result_6_alloc_table@,
            SparseArray_sz_0_result_6@, SparseArray_sz_0_result_6,
            pset_empty)))))) } 

let create_safety =
 fun (sz : uint32) (SparseArray_result_6_alloc_table : SparseArray alloc_table ref) (intP_val_20_alloc_table : intP alloc_table ref) (unsigned_intP_idx_22_alloc_table : unsigned_intP alloc_table ref) (unsigned_intP_back_24_alloc_table : unsigned_intP alloc_table ref) (unsigned_intP_back_24_tag_table : unsigned_intP tag_table ref) (unsigned_intP_idx_22_tag_table : unsigned_intP tag_table ref) (intP_val_20_tag_table : intP tag_table ref) (SparseArray_result_6_tag_table : SparseArray tag_table ref) (SparseArray_val_result_6 : (SparseArray, intP pointer) memory ref) (SparseArray_idx_result_6 : (SparseArray, unsigned_intP pointer) memory ref) (SparseArray_back_result_6 : (SparseArray, unsigned_intP pointer) memory ref) (SparseArray_n_1_result_6 : (SparseArray, uint32) memory ref) (SparseArray_sz_0_result_6 : (SparseArray, uint32) memory ref) (unsigned_intP_unsigned_intM_idx_22 : (unsigned_intP, uint32) memory) (unsigned_intP_unsigned_intM_back_24 : (unsigned_intP, uint32) memory) (intP_intM_val_20 : (intP, int32) memory) ->
  { (JC_13: ge_int(integer_of_uint32(sz), (0))) }
  (init:
  (let return = ref (any_pointer void) in
  try
   begin
     (let a_1_1 = ref (any_pointer void) in
     begin
       (let _jessie_ =
       (a_1_1 := (JC_41:
                 (((alloc_struct_SparseArray_requires (1)) SparseArray_result_6_alloc_table) SparseArray_result_6_tag_table))) in
       void);
      (let _jessie_ =
      (JC_42:
      (((alloc_struct_intP_requires (integer_of_uint32 sz)) intP_val_20_alloc_table) intP_val_20_tag_table)) in
      (let _jessie_ = !a_1_1 in
      (JC_45:
      ((((upd_ !SparseArray_result_6_alloc_table) SparseArray_val_result_6) _jessie_) _jessie_))));
      (let _jessie_ =
      (JC_43:
      (((alloc_struct_unsigned_intP_requires (integer_of_uint32 sz)) unsigned_intP_idx_22_alloc_table) unsigned_intP_idx_22_tag_table)) in
      (let _jessie_ = !a_1_1 in
      (JC_46:
      ((((upd_ !SparseArray_result_6_alloc_table) SparseArray_idx_result_6) _jessie_) _jessie_))));
      (let _jessie_ =
      (JC_44:
      (((alloc_struct_unsigned_intP_requires (integer_of_uint32 sz)) unsigned_intP_back_24_alloc_table) unsigned_intP_back_24_tag_table)) in
      (let _jessie_ = !a_1_1 in
      (JC_47:
      ((((upd_ !SparseArray_result_6_alloc_table) SparseArray_back_result_6) _jessie_) _jessie_))));
      (let _jessie_ = (safe_uint32_of_integer_ (0)) in
      (let _jessie_ = !a_1_1 in
      (JC_48:
      ((((upd_ !SparseArray_result_6_alloc_table) SparseArray_n_1_result_6) _jessie_) _jessie_))));
      (let _jessie_ = sz in
      (let _jessie_ = !a_1_1 in
      (JC_49:
      ((((upd_ !SparseArray_result_6_alloc_table) SparseArray_sz_0_result_6) _jessie_) _jessie_))));
      (return := !a_1_1); (raise Return) end); absurd  end with Return ->
   !return end)) { true } 

let get_ensures_default =
 fun (a_1 : SparseArray pointer) (i : uint32) (SparseArray_a_8_alloc_table : SparseArray alloc_table) (intP_val_28_alloc_table : intP alloc_table) (unsigned_intP_idx_26_alloc_table : unsigned_intP alloc_table) (unsigned_intP_back_27_alloc_table : unsigned_intP alloc_table) (unsigned_intP_unsigned_intM_idx_26 : (unsigned_intP, uint32) memory) (unsigned_intP_unsigned_intM_back_27 : (unsigned_intP, uint32) memory) (intP_intM_val_28 : (intP, int32) memory) (SparseArray_val_a_8 : (SparseArray, intP pointer) memory) (SparseArray_idx_a_8 : (SparseArray, unsigned_intP pointer) memory) (SparseArray_back_a_8 : (SparseArray, unsigned_intP pointer) memory) (SparseArray_n_1_a_8 : (SparseArray, uint32) memory) (SparseArray_sz_0_a_8 : (SparseArray, uint32) memory) ->
  { (JC_64:
    ((JC_60: le_int(offset_min(SparseArray_a_8_alloc_table, a_1), (0)))
    and ((JC_61: ge_int(offset_max(SparseArray_a_8_alloc_table, a_1), (0)))
        and ((JC_62:
             inv(a_1, unsigned_intP_back_27_alloc_table,
             unsigned_intP_idx_26_alloc_table, intP_val_28_alloc_table,
             SparseArray_a_8_alloc_table, SparseArray_sz_0_a_8,
             SparseArray_n_1_a_8, SparseArray_back_a_8, SparseArray_idx_a_8,
             SparseArray_val_a_8, unsigned_intP_unsigned_intM_back_27,
             unsigned_intP_unsigned_intM_idx_26))
            and (JC_63:
                le_int(integer_of_uint32(i),
                sub_int(integer_of_uint32(select(SparseArray_sz_0_a_8, a_1)),
                (1)))))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let __retres = ref (any_int32 void) in
     begin
       (assert
       { (JC_82:
         le_int((0),
         integer_of_uint32(select(unsigned_intP_unsigned_intM_idx_26,
                           shift(select(SparseArray_idx_a_8, a_1),
                           integer_of_uint32(i)))))) }; void); void;
      try
       begin
         (if ((lt_int_ (integer_of_uint32 ((safe_acc_ unsigned_intP_unsigned_intM_idx_26) 
                                           ((shift ((safe_acc_ SparseArray_idx_a_8) a_1)) 
                                            (integer_of_uint32 i))))) 
              (integer_of_uint32 ((safe_acc_ SparseArray_n_1_a_8) a_1)))
         then
          (if ((eq_int_ (integer_of_uint32 ((safe_acc_ unsigned_intP_unsigned_intM_back_27) 
                                            ((shift ((safe_acc_ SparseArray_back_a_8) a_1)) 
                                             (integer_of_uint32 ((safe_acc_ unsigned_intP_unsigned_intM_idx_26) 
                                                                 ((shift 
                                                                   ((safe_acc_ SparseArray_idx_a_8) a_1)) 
                                                                  (integer_of_uint32 i)))))))) 
               (integer_of_uint32 i))
          then
           begin
             (let _jessie_ =
             (__retres := ((safe_acc_ intP_intM_val_28) ((shift ((safe_acc_ SparseArray_val_a_8) a_1)) 
                                                         (integer_of_uint32 i)))) in
             void); (raise (Return_label_exc void)) end
          else
           begin
             (let _jessie_ = (__retres := (safe_int32_of_integer_ (0))) in
             void); (raise (Return_label_exc void)) end)
         else
          begin
            (let _jessie_ = (__retres := (safe_int32_of_integer_ (0))) in
            void); (raise (Return_label_exc void)) end);
        (raise (Return_label_exc void)) end with
       Return_label_exc _jessie_ ->
       (return_label: begin   (return := !__retres); (raise Return) end) end
     end); absurd  end with Return -> !return end))
  { (JC_66:
    (integer_of_int32(result) = model(a_1, integer_of_uint32(i),
                                SparseArray_n_1_a_8, SparseArray_back_a_8,
                                SparseArray_idx_a_8, SparseArray_val_a_8,
                                intP_intM_val_28,
                                unsigned_intP_unsigned_intM_idx_26,
                                unsigned_intP_unsigned_intM_back_27))) } 

let get_safety =
 fun (a_1 : SparseArray pointer) (i : uint32) (SparseArray_a_8_alloc_table : SparseArray alloc_table) (intP_val_28_alloc_table : intP alloc_table) (unsigned_intP_idx_26_alloc_table : unsigned_intP alloc_table) (unsigned_intP_back_27_alloc_table : unsigned_intP alloc_table) (unsigned_intP_unsigned_intM_idx_26 : (unsigned_intP, uint32) memory) (unsigned_intP_unsigned_intM_back_27 : (unsigned_intP, uint32) memory) (intP_intM_val_28 : (intP, int32) memory) (SparseArray_val_a_8 : (SparseArray, intP pointer) memory) (SparseArray_idx_a_8 : (SparseArray, unsigned_intP pointer) memory) (SparseArray_back_a_8 : (SparseArray, unsigned_intP pointer) memory) (SparseArray_n_1_a_8 : (SparseArray, uint32) memory) (SparseArray_sz_0_a_8 : (SparseArray, uint32) memory) ->
  { (JC_64:
    ((JC_60: le_int(offset_min(SparseArray_a_8_alloc_table, a_1), (0)))
    and ((JC_61: ge_int(offset_max(SparseArray_a_8_alloc_table, a_1), (0)))
        and ((JC_62:
             inv(a_1, unsigned_intP_back_27_alloc_table,
             unsigned_intP_idx_26_alloc_table, intP_val_28_alloc_table,
             SparseArray_a_8_alloc_table, SparseArray_sz_0_a_8,
             SparseArray_n_1_a_8, SparseArray_back_a_8, SparseArray_idx_a_8,
             SparseArray_val_a_8, unsigned_intP_unsigned_intM_back_27,
             unsigned_intP_unsigned_intM_idx_26))
            and (JC_63:
                le_int(integer_of_uint32(i),
                sub_int(integer_of_uint32(select(SparseArray_sz_0_a_8, a_1)),
                (1)))))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let __retres = ref (any_int32 void) in
     begin
       [ { } unit
         { (JC_72:
           le_int((0),
           integer_of_uint32(select(unsigned_intP_unsigned_intM_idx_26,
                             shift(select(SparseArray_idx_a_8, a_1),
                             integer_of_uint32(i)))))) } ]; void;
      try
       begin
         (if ((lt_int_ (integer_of_uint32 (JC_74:
                                          ((((offset_acc_ unsigned_intP_idx_26_alloc_table) unsigned_intP_unsigned_intM_idx_26) 
                                            (JC_73:
                                            (((acc_ SparseArray_a_8_alloc_table) SparseArray_idx_a_8) a_1))) 
                                           (integer_of_uint32 i))))) 
              (integer_of_uint32 (JC_75:
                                 (((acc_ SparseArray_a_8_alloc_table) SparseArray_n_1_a_8) a_1))))
         then
          (if ((eq_int_ (integer_of_uint32 (JC_79:
                                           ((((offset_acc_ unsigned_intP_back_27_alloc_table) unsigned_intP_unsigned_intM_back_27) 
                                             (JC_78:
                                             (((acc_ SparseArray_a_8_alloc_table) SparseArray_back_a_8) a_1))) 
                                            (integer_of_uint32 (JC_77:
                                                               ((((offset_acc_ unsigned_intP_idx_26_alloc_table) unsigned_intP_unsigned_intM_idx_26) 
                                                                 (JC_76:
                                                                 (((acc_ SparseArray_a_8_alloc_table) SparseArray_idx_a_8) a_1))) 
                                                                (integer_of_uint32 i)))))))) 
               (integer_of_uint32 i))
          then
           begin
             (let _jessie_ =
             (__retres := (JC_81:
                          ((((offset_acc_ intP_val_28_alloc_table) intP_intM_val_28) 
                            (JC_80:
                            (((acc_ SparseArray_a_8_alloc_table) SparseArray_val_a_8) a_1))) 
                           (integer_of_uint32 i)))) in void);
            (raise (Return_label_exc void)) end
          else
           begin
             (let _jessie_ = (__retres := (safe_int32_of_integer_ (0))) in
             void); (raise (Return_label_exc void)) end)
         else
          begin
            (let _jessie_ = (__retres := (safe_int32_of_integer_ (0))) in
            void); (raise (Return_label_exc void)) end);
        (raise (Return_label_exc void)) end with
       Return_label_exc _jessie_ ->
       (return_label: begin   (return := !__retres); (raise Return) end) end
     end); absurd  end with Return -> !return end)) { true } 

let main_ensures_default =
 fun (tt : unit) ->
  { (JC_140: true) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let SparseArray_sz_0_b_33 = ref (any_memory void) in
     (let SparseArray_sz_0_a_2_32 = ref (any_memory void) in
     (let SparseArray_n_1_b_33 = ref (any_memory void) in
     (let SparseArray_n_1_a_2_32 = ref (any_memory void) in
     (let SparseArray_back_b_33 = ref (any_memory void) in
     (let SparseArray_back_a_2_32 = ref (any_memory void) in
     (let SparseArray_idx_b_33 = ref (any_memory void) in
     (let SparseArray_idx_a_2_32 = ref (any_memory void) in
     (let SparseArray_val_b_33 = ref (any_memory void) in
     (let SparseArray_val_a_2_32 = ref (any_memory void) in
     (let intP_intM_val_146 = ref (any_memory void) in
     (let intP_intM_val_142 = ref (any_memory void) in
     (let unsigned_intP_unsigned_intM_idx_148 = ref (any_memory void) in
     (let unsigned_intP_unsigned_intM_back_147 = ref (any_memory void) in
     (let unsigned_intP_unsigned_intM_idx_144 = ref (any_memory void) in
     (let unsigned_intP_unsigned_intM_back_143 = ref (any_memory void) in
     (let SparseArray_a_2_32_tag_table = ref (any_tag_table void) in
     (let SparseArray_b_33_tag_table = ref (any_tag_table void) in
     (let intP_val_142_tag_table = ref (any_tag_table void) in
     (let intP_val_146_tag_table = ref (any_tag_table void) in
     (let unsigned_intP_back_143_tag_table = ref (any_tag_table void) in
     (let unsigned_intP_idx_144_tag_table = ref (any_tag_table void) in
     (let unsigned_intP_back_147_tag_table = ref (any_tag_table void) in
     (let unsigned_intP_idx_148_tag_table = ref (any_tag_table void) in
     (let unsigned_intP_idx_148_alloc_table = ref (any_alloc_table void) in
     (let unsigned_intP_back_147_alloc_table = ref (any_alloc_table void) in
     (let unsigned_intP_idx_144_alloc_table = ref (any_alloc_table void) in
     (let unsigned_intP_back_143_alloc_table = ref (any_alloc_table void) in
     (let intP_val_146_alloc_table = ref (any_alloc_table void) in
     (let intP_val_142_alloc_table = ref (any_alloc_table void) in
     (let SparseArray_b_33_alloc_table = ref (any_alloc_table void) in
     (let SparseArray_a_2_32_alloc_table = ref (any_alloc_table void) in
     (let a_2_0 = ref (any_pointer void) in
     (let b = ref (any_pointer void) in
     (let x_0 = ref (any_int32 void) in
     (let y = ref (any_int32 void) in
     (let __retres_0 = ref (any_int32 void) in
     begin
       (let _jessie_ =
       (a_2_0 := (let _jessie_ = (safe_uint32_of_integer_ (10)) in
                 (JC_158:
                 (((((((((((((((((create _jessie_) unsigned_intP_back_143_alloc_table) unsigned_intP_idx_144_alloc_table) intP_val_142_alloc_table) SparseArray_a_2_32_alloc_table) unsigned_intP_back_143_tag_table) unsigned_intP_idx_144_tag_table) intP_val_142_tag_table) SparseArray_a_2_32_tag_table) SparseArray_sz_0_a_2_32) SparseArray_n_1_a_2_32) SparseArray_back_a_2_32) SparseArray_idx_a_2_32) SparseArray_val_a_2_32) !intP_intM_val_142) !unsigned_intP_unsigned_intM_back_143) !unsigned_intP_unsigned_intM_idx_144)))) in
       void);
      (let _jessie_ =
      (b := (let _jessie_ = (safe_uint32_of_integer_ (20)) in
            (JC_159:
            (((((((((((((((((create _jessie_) unsigned_intP_back_147_alloc_table) unsigned_intP_idx_148_alloc_table) intP_val_146_alloc_table) SparseArray_b_33_alloc_table) unsigned_intP_back_147_tag_table) unsigned_intP_idx_148_tag_table) intP_val_146_tag_table) SparseArray_b_33_tag_table) SparseArray_sz_0_b_33) SparseArray_n_1_b_33) SparseArray_back_b_33) SparseArray_idx_b_33) SparseArray_val_b_33) !intP_intM_val_146) !unsigned_intP_unsigned_intM_back_147) !unsigned_intP_unsigned_intM_idx_148)))) in
      void);
      (let _jessie_ =
      (x_0 := (let _jessie_ = !a_2_0 in
              (let _jessie_ = (safe_uint32_of_integer_ (5)) in
              (JC_160:
              ((((((((((((((get _jessie_) _jessie_) !unsigned_intP_back_143_alloc_table) !unsigned_intP_idx_144_alloc_table) !intP_val_142_alloc_table) !SparseArray_a_2_32_alloc_table) !SparseArray_sz_0_a_2_32) !SparseArray_n_1_a_2_32) !SparseArray_back_a_2_32) !SparseArray_idx_a_2_32) !SparseArray_val_a_2_32) !intP_intM_val_142) !unsigned_intP_unsigned_intM_back_143) !unsigned_intP_unsigned_intM_idx_144))))) in
      void);
      (let _jessie_ =
      (y := (let _jessie_ = !b in
            (let _jessie_ = (safe_uint32_of_integer_ (7)) in
            (JC_161:
            ((((((((((((((get _jessie_) _jessie_) !unsigned_intP_back_147_alloc_table) !unsigned_intP_idx_148_alloc_table) !intP_val_146_alloc_table) !SparseArray_b_33_alloc_table) !SparseArray_sz_0_b_33) !SparseArray_n_1_b_33) !SparseArray_back_b_33) !SparseArray_idx_b_33) !SparseArray_val_b_33) !intP_intM_val_146) !unsigned_intP_unsigned_intM_back_147) !unsigned_intP_unsigned_intM_idx_148))))) in
      void);
      (assert
      { (JC_162:
        ((integer_of_int32(x_0) = (0)) and (integer_of_int32(y) = (0)))) };
      void); void;
      (let _jessie_ = !a_2_0 in
      (let _jessie_ = (safe_uint32_of_integer_ (5)) in
      (let _jessie_ = (safe_int32_of_integer_ (1)) in
      (JC_163:
      (((((((((((((((set _jessie_) _jessie_) _jessie_) SparseArray_n_1_a_2_32) intP_intM_val_142) unsigned_intP_unsigned_intM_back_143) unsigned_intP_unsigned_intM_idx_144) !unsigned_intP_back_143_alloc_table) !unsigned_intP_idx_144_alloc_table) !intP_val_142_alloc_table) !SparseArray_a_2_32_alloc_table) !SparseArray_sz_0_a_2_32) !SparseArray_back_a_2_32) !SparseArray_idx_a_2_32) !SparseArray_val_a_2_32)))));
      (let _jessie_ = !b in
      (let _jessie_ = (safe_uint32_of_integer_ (7)) in
      (let _jessie_ = (safe_int32_of_integer_ (2)) in
      (JC_164:
      (((((((((((((((set _jessie_) _jessie_) _jessie_) SparseArray_n_1_b_33) intP_intM_val_146) unsigned_intP_unsigned_intM_back_147) unsigned_intP_unsigned_intM_idx_148) !unsigned_intP_back_147_alloc_table) !unsigned_intP_idx_148_alloc_table) !intP_val_146_alloc_table) !SparseArray_b_33_alloc_table) !SparseArray_sz_0_b_33) !SparseArray_back_b_33) !SparseArray_idx_b_33) !SparseArray_val_b_33)))));
      (let _jessie_ =
      (x_0 := (let _jessie_ = !a_2_0 in
              (let _jessie_ = (safe_uint32_of_integer_ (5)) in
              (JC_165:
              ((((((((((((((get _jessie_) _jessie_) !unsigned_intP_back_143_alloc_table) !unsigned_intP_idx_144_alloc_table) !intP_val_142_alloc_table) !SparseArray_a_2_32_alloc_table) !SparseArray_sz_0_a_2_32) !SparseArray_n_1_a_2_32) !SparseArray_back_a_2_32) !SparseArray_idx_a_2_32) !SparseArray_val_a_2_32) !intP_intM_val_142) !unsigned_intP_unsigned_intM_back_143) !unsigned_intP_unsigned_intM_idx_144))))) in
      void);
      (let _jessie_ =
      (y := (let _jessie_ = !b in
            (let _jessie_ = (safe_uint32_of_integer_ (7)) in
            (JC_166:
            ((((((((((((((get _jessie_) _jessie_) !unsigned_intP_back_147_alloc_table) !unsigned_intP_idx_148_alloc_table) !intP_val_146_alloc_table) !SparseArray_b_33_alloc_table) !SparseArray_sz_0_b_33) !SparseArray_n_1_b_33) !SparseArray_back_b_33) !SparseArray_idx_b_33) !SparseArray_val_b_33) !intP_intM_val_146) !unsigned_intP_unsigned_intM_back_147) !unsigned_intP_unsigned_intM_idx_148))))) in
      void);
      (assert
      { (JC_167:
        ((integer_of_int32(x_0) = (1)) and (integer_of_int32(y) = (2)))) };
      void); void;
      (let _jessie_ =
      (x_0 := (let _jessie_ = !a_2_0 in
              (let _jessie_ = (safe_uint32_of_integer_ (0)) in
              (JC_168:
              ((((((((((((((get _jessie_) _jessie_) !unsigned_intP_back_143_alloc_table) !unsigned_intP_idx_144_alloc_table) !intP_val_142_alloc_table) !SparseArray_a_2_32_alloc_table) !SparseArray_sz_0_a_2_32) !SparseArray_n_1_a_2_32) !SparseArray_back_a_2_32) !SparseArray_idx_a_2_32) !SparseArray_val_a_2_32) !intP_intM_val_142) !unsigned_intP_unsigned_intM_back_143) !unsigned_intP_unsigned_intM_idx_144))))) in
      void);
      (let _jessie_ =
      (y := (let _jessie_ = !b in
            (let _jessie_ = (safe_uint32_of_integer_ (0)) in
            (JC_169:
            ((((((((((((((get _jessie_) _jessie_) !unsigned_intP_back_147_alloc_table) !unsigned_intP_idx_148_alloc_table) !intP_val_146_alloc_table) !SparseArray_b_33_alloc_table) !SparseArray_sz_0_b_33) !SparseArray_n_1_b_33) !SparseArray_back_b_33) !SparseArray_idx_b_33) !SparseArray_val_b_33) !intP_intM_val_146) !unsigned_intP_unsigned_intM_back_147) !unsigned_intP_unsigned_intM_idx_148))))) in
      void);
      (assert
      { (JC_170:
        ((integer_of_int32(x_0) = (0)) and (integer_of_int32(y) = (0)))) };
      void); void;
      (let _jessie_ = (__retres_0 := (safe_int32_of_integer_ (0))) in
      void); (return := !__retres_0); (raise Return) end)))))))))))))))))))))))))))))))))))));
    absurd  end with Return -> !return end)) { (JC_141: true) } 

let main_safety =
 fun (tt : unit) ->
  { (JC_140: true) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let SparseArray_sz_0_b_33 = ref (any_memory void) in
     (let SparseArray_sz_0_a_2_32 = ref (any_memory void) in
     (let SparseArray_n_1_b_33 = ref (any_memory void) in
     (let SparseArray_n_1_a_2_32 = ref (any_memory void) in
     (let SparseArray_back_b_33 = ref (any_memory void) in
     (let SparseArray_back_a_2_32 = ref (any_memory void) in
     (let SparseArray_idx_b_33 = ref (any_memory void) in
     (let SparseArray_idx_a_2_32 = ref (any_memory void) in
     (let SparseArray_val_b_33 = ref (any_memory void) in
     (let SparseArray_val_a_2_32 = ref (any_memory void) in
     (let intP_intM_val_146 = ref (any_memory void) in
     (let intP_intM_val_142 = ref (any_memory void) in
     (let unsigned_intP_unsigned_intM_idx_148 = ref (any_memory void) in
     (let unsigned_intP_unsigned_intM_back_147 = ref (any_memory void) in
     (let unsigned_intP_unsigned_intM_idx_144 = ref (any_memory void) in
     (let unsigned_intP_unsigned_intM_back_143 = ref (any_memory void) in
     (let SparseArray_a_2_32_tag_table = ref (any_tag_table void) in
     (let SparseArray_b_33_tag_table = ref (any_tag_table void) in
     (let intP_val_142_tag_table = ref (any_tag_table void) in
     (let intP_val_146_tag_table = ref (any_tag_table void) in
     (let unsigned_intP_back_143_tag_table = ref (any_tag_table void) in
     (let unsigned_intP_idx_144_tag_table = ref (any_tag_table void) in
     (let unsigned_intP_back_147_tag_table = ref (any_tag_table void) in
     (let unsigned_intP_idx_148_tag_table = ref (any_tag_table void) in
     (let unsigned_intP_idx_148_alloc_table = ref (any_alloc_table void) in
     (let unsigned_intP_back_147_alloc_table = ref (any_alloc_table void) in
     (let unsigned_intP_idx_144_alloc_table = ref (any_alloc_table void) in
     (let unsigned_intP_back_143_alloc_table = ref (any_alloc_table void) in
     (let intP_val_146_alloc_table = ref (any_alloc_table void) in
     (let intP_val_142_alloc_table = ref (any_alloc_table void) in
     (let SparseArray_b_33_alloc_table = ref (any_alloc_table void) in
     (let SparseArray_a_2_32_alloc_table = ref (any_alloc_table void) in
     (let a_2_0 = ref (any_pointer void) in
     (let b = ref (any_pointer void) in
     (let x_0 = ref (any_int32 void) in
     (let y = ref (any_int32 void) in
     (let __retres_0 = ref (any_int32 void) in
     begin
       (let _jessie_ =
       (a_2_0 := (let _jessie_ = (safe_uint32_of_integer_ (10)) in
                 (JC_145:
                 (((((((((((((((((create_requires _jessie_) unsigned_intP_back_143_alloc_table) unsigned_intP_idx_144_alloc_table) intP_val_142_alloc_table) SparseArray_a_2_32_alloc_table) unsigned_intP_back_143_tag_table) unsigned_intP_idx_144_tag_table) intP_val_142_tag_table) SparseArray_a_2_32_tag_table) SparseArray_sz_0_a_2_32) SparseArray_n_1_a_2_32) SparseArray_back_a_2_32) SparseArray_idx_a_2_32) SparseArray_val_a_2_32) !intP_intM_val_142) !unsigned_intP_unsigned_intM_back_143) !unsigned_intP_unsigned_intM_idx_144)))) in
       void);
      (let _jessie_ =
      (b := (let _jessie_ = (safe_uint32_of_integer_ (20)) in
            (JC_146:
            (((((((((((((((((create_requires _jessie_) unsigned_intP_back_147_alloc_table) unsigned_intP_idx_148_alloc_table) intP_val_146_alloc_table) SparseArray_b_33_alloc_table) unsigned_intP_back_147_tag_table) unsigned_intP_idx_148_tag_table) intP_val_146_tag_table) SparseArray_b_33_tag_table) SparseArray_sz_0_b_33) SparseArray_n_1_b_33) SparseArray_back_b_33) SparseArray_idx_b_33) SparseArray_val_b_33) !intP_intM_val_146) !unsigned_intP_unsigned_intM_back_147) !unsigned_intP_unsigned_intM_idx_148)))) in
      void);
      (let _jessie_ =
      (x_0 := (let _jessie_ = !a_2_0 in
              (let _jessie_ = (safe_uint32_of_integer_ (5)) in
              (JC_147:
              ((((((((((((((get_requires _jessie_) _jessie_) !unsigned_intP_back_143_alloc_table) !unsigned_intP_idx_144_alloc_table) !intP_val_142_alloc_table) !SparseArray_a_2_32_alloc_table) !SparseArray_sz_0_a_2_32) !SparseArray_n_1_a_2_32) !SparseArray_back_a_2_32) !SparseArray_idx_a_2_32) !SparseArray_val_a_2_32) !intP_intM_val_142) !unsigned_intP_unsigned_intM_back_143) !unsigned_intP_unsigned_intM_idx_144))))) in
      void);
      (let _jessie_ =
      (y := (let _jessie_ = !b in
            (let _jessie_ = (safe_uint32_of_integer_ (7)) in
            (JC_148:
            ((((((((((((((get_requires _jessie_) _jessie_) !unsigned_intP_back_147_alloc_table) !unsigned_intP_idx_148_alloc_table) !intP_val_146_alloc_table) !SparseArray_b_33_alloc_table) !SparseArray_sz_0_b_33) !SparseArray_n_1_b_33) !SparseArray_back_b_33) !SparseArray_idx_b_33) !SparseArray_val_b_33) !intP_intM_val_146) !unsigned_intP_unsigned_intM_back_147) !unsigned_intP_unsigned_intM_idx_148))))) in
      void);
      [ { } unit reads x_0,y
        { (JC_149:
          ((integer_of_int32(x_0) = (0)) and (integer_of_int32(y) = (0)))) } ];
      void;
      (let _jessie_ = !a_2_0 in
      (let _jessie_ = (safe_uint32_of_integer_ (5)) in
      (let _jessie_ = (safe_int32_of_integer_ (1)) in
      (JC_150:
      (((((((((((((((set_requires _jessie_) _jessie_) _jessie_) SparseArray_n_1_a_2_32) intP_intM_val_142) unsigned_intP_unsigned_intM_back_143) unsigned_intP_unsigned_intM_idx_144) !unsigned_intP_back_143_alloc_table) !unsigned_intP_idx_144_alloc_table) !intP_val_142_alloc_table) !SparseArray_a_2_32_alloc_table) !SparseArray_sz_0_a_2_32) !SparseArray_back_a_2_32) !SparseArray_idx_a_2_32) !SparseArray_val_a_2_32)))));
      (let _jessie_ = !b in
      (let _jessie_ = (safe_uint32_of_integer_ (7)) in
      (let _jessie_ = (safe_int32_of_integer_ (2)) in
      (JC_151:
      (((((((((((((((set_requires _jessie_) _jessie_) _jessie_) SparseArray_n_1_b_33) intP_intM_val_146) unsigned_intP_unsigned_intM_back_147) unsigned_intP_unsigned_intM_idx_148) !unsigned_intP_back_147_alloc_table) !unsigned_intP_idx_148_alloc_table) !intP_val_146_alloc_table) !SparseArray_b_33_alloc_table) !SparseArray_sz_0_b_33) !SparseArray_back_b_33) !SparseArray_idx_b_33) !SparseArray_val_b_33)))));
      (let _jessie_ =
      (x_0 := (let _jessie_ = !a_2_0 in
              (let _jessie_ = (safe_uint32_of_integer_ (5)) in
              (JC_152:
              ((((((((((((((get_requires _jessie_) _jessie_) !unsigned_intP_back_143_alloc_table) !unsigned_intP_idx_144_alloc_table) !intP_val_142_alloc_table) !SparseArray_a_2_32_alloc_table) !SparseArray_sz_0_a_2_32) !SparseArray_n_1_a_2_32) !SparseArray_back_a_2_32) !SparseArray_idx_a_2_32) !SparseArray_val_a_2_32) !intP_intM_val_142) !unsigned_intP_unsigned_intM_back_143) !unsigned_intP_unsigned_intM_idx_144))))) in
      void);
      (let _jessie_ =
      (y := (let _jessie_ = !b in
            (let _jessie_ = (safe_uint32_of_integer_ (7)) in
            (JC_153:
            ((((((((((((((get_requires _jessie_) _jessie_) !unsigned_intP_back_147_alloc_table) !unsigned_intP_idx_148_alloc_table) !intP_val_146_alloc_table) !SparseArray_b_33_alloc_table) !SparseArray_sz_0_b_33) !SparseArray_n_1_b_33) !SparseArray_back_b_33) !SparseArray_idx_b_33) !SparseArray_val_b_33) !intP_intM_val_146) !unsigned_intP_unsigned_intM_back_147) !unsigned_intP_unsigned_intM_idx_148))))) in
      void);
      [ { } unit reads x_0,y
        { (JC_154:
          ((integer_of_int32(x_0) = (1)) and (integer_of_int32(y) = (2)))) } ];
      void;
      (let _jessie_ =
      (x_0 := (let _jessie_ = !a_2_0 in
              (let _jessie_ = (safe_uint32_of_integer_ (0)) in
              (JC_155:
              ((((((((((((((get_requires _jessie_) _jessie_) !unsigned_intP_back_143_alloc_table) !unsigned_intP_idx_144_alloc_table) !intP_val_142_alloc_table) !SparseArray_a_2_32_alloc_table) !SparseArray_sz_0_a_2_32) !SparseArray_n_1_a_2_32) !SparseArray_back_a_2_32) !SparseArray_idx_a_2_32) !SparseArray_val_a_2_32) !intP_intM_val_142) !unsigned_intP_unsigned_intM_back_143) !unsigned_intP_unsigned_intM_idx_144))))) in
      void);
      (let _jessie_ =
      (y := (let _jessie_ = !b in
            (let _jessie_ = (safe_uint32_of_integer_ (0)) in
            (JC_156:
            ((((((((((((((get_requires _jessie_) _jessie_) !unsigned_intP_back_147_alloc_table) !unsigned_intP_idx_148_alloc_table) !intP_val_146_alloc_table) !SparseArray_b_33_alloc_table) !SparseArray_sz_0_b_33) !SparseArray_n_1_b_33) !SparseArray_back_b_33) !SparseArray_idx_b_33) !SparseArray_val_b_33) !intP_intM_val_146) !unsigned_intP_unsigned_intM_back_147) !unsigned_intP_unsigned_intM_idx_148))))) in
      void);
      [ { } unit reads x_0,y
        { (JC_157:
          ((integer_of_int32(x_0) = (0)) and (integer_of_int32(y) = (0)))) } ];
      void;
      (let _jessie_ = (__retres_0 := (safe_int32_of_integer_ (0))) in
      void); (return := !__retres_0); (raise Return) end)))))))))))))))))))))))))))))))))))));
    absurd  end with Return -> !return end)) { true } 

let set_ensures_default =
 fun (a_0_0 : SparseArray pointer) (i_0 : uint32) (v : int32) (unsigned_intP_unsigned_intM_idx_30 : (unsigned_intP, uint32) memory ref) (unsigned_intP_unsigned_intM_back_31 : (unsigned_intP, uint32) memory ref) (intP_intM_val_29 : (intP, int32) memory ref) (SparseArray_n_1_a_0_9 : (SparseArray, uint32) memory ref) (SparseArray_a_0_9_alloc_table : SparseArray alloc_table) (intP_val_29_alloc_table : intP alloc_table) (unsigned_intP_idx_30_alloc_table : unsigned_intP alloc_table) (unsigned_intP_back_31_alloc_table : unsigned_intP alloc_table) (SparseArray_val_a_0_9 : (SparseArray, intP pointer) memory) (SparseArray_idx_a_0_9 : (SparseArray, unsigned_intP pointer) memory) (SparseArray_back_a_0_9 : (SparseArray, unsigned_intP pointer) memory) (SparseArray_sz_0_a_0_9 : (SparseArray, uint32) memory) ->
  { (JC_93:
    ((JC_89: le_int(offset_min(SparseArray_a_0_9_alloc_table, a_0_0), (0)))
    and ((JC_90:
         ge_int(offset_max(SparseArray_a_0_9_alloc_table, a_0_0), (0)))
        and ((JC_91:
             inv(a_0_0, unsigned_intP_back_31_alloc_table,
             unsigned_intP_idx_30_alloc_table, intP_val_29_alloc_table,
             SparseArray_a_0_9_alloc_table, SparseArray_sz_0_a_0_9,
             SparseArray_n_1_a_0_9, SparseArray_back_a_0_9,
             SparseArray_idx_a_0_9, SparseArray_val_a_0_9,
             unsigned_intP_unsigned_intM_back_31,
             unsigned_intP_unsigned_intM_idx_30))
            and (JC_92:
                le_int(integer_of_uint32(i_0),
                sub_int(integer_of_uint32(select(SparseArray_sz_0_a_0_9,
                                          a_0_0)),
                (1)))))))) }
  (init:
  try
   begin
     try
      begin
        try
         begin
           (let _jessie_ =
           (let _jessie_ = v in
           (let _jessie_ = ((safe_acc_ SparseArray_val_a_0_9) a_0_0) in
           (let _jessie_ = (integer_of_uint32 i_0) in
           (let _jessie_ = ((shift _jessie_) _jessie_) in
           (((safe_upd_ intP_intM_val_29) _jessie_) _jessie_))))) in
           void);
          (if ((lt_int_ (integer_of_uint32 ((safe_acc_ !unsigned_intP_unsigned_intM_idx_30) 
                                            ((shift ((safe_acc_ SparseArray_idx_a_0_9) a_0_0)) 
                                             (integer_of_uint32 i_0))))) 
               (integer_of_uint32 ((safe_acc_ !SparseArray_n_1_a_0_9) a_0_0)))
          then
           (if ((eq_int_ (integer_of_uint32 ((safe_acc_ !unsigned_intP_unsigned_intM_back_31) 
                                             ((shift ((safe_acc_ SparseArray_back_a_0_9) a_0_0)) 
                                              (integer_of_uint32 ((safe_acc_ !unsigned_intP_unsigned_intM_idx_30) 
                                                                  ((shift 
                                                                    ((safe_acc_ SparseArray_idx_a_0_9) a_0_0)) 
                                                                   (integer_of_uint32 i_0)))))))) 
                (integer_of_uint32 i_0)) then void
           else (raise (Goto__LAND_exc void)))
          else (raise (Goto__LAND_exc void)));
          (raise (Goto__LAND_0_exc void)); (raise (Goto__LAND_exc void)) end
         with Goto__LAND_exc _jessie_ ->
         (let _jessie_ =
         begin
           (assert
           { (JC_136:
             lt_int(integer_of_uint32(select(SparseArray_n_1_a_0_9, a_0_0)),
             integer_of_uint32(select(SparseArray_sz_0_a_0_9, a_0_0)))) };
           void); void;
          (let _jessie_ =
          (let _jessie_ = ((safe_acc_ !SparseArray_n_1_a_0_9) a_0_0) in
          (let _jessie_ = ((safe_acc_ SparseArray_idx_a_0_9) a_0_0) in
          (let _jessie_ = (integer_of_uint32 i_0) in
          (let _jessie_ = ((shift _jessie_) _jessie_) in
          (((safe_upd_ unsigned_intP_unsigned_intM_idx_30) _jessie_) _jessie_))))) in
          void);
          (let _jessie_ =
          (let _jessie_ = i_0 in
          (let _jessie_ = ((safe_acc_ SparseArray_back_a_0_9) a_0_0) in
          (let _jessie_ =
          (integer_of_uint32 ((safe_acc_ !SparseArray_n_1_a_0_9) a_0_0)) in
          (let _jessie_ = ((shift _jessie_) _jessie_) in
          (((safe_upd_ unsigned_intP_unsigned_intM_back_31) _jessie_) _jessie_))))) in
          void);
          (let _jessie_ =
          (safe_uint32_of_integer_ ((add_int (integer_of_uint32 ((safe_acc_ !SparseArray_n_1_a_0_9) a_0_0))) (1))) in
          begin
            (let _jessie_ = a_0_0 in
            (((safe_upd_ SparseArray_n_1_a_0_9) _jessie_) _jessie_));
           _jessie_ end) end in void) end; (raise (Goto__LAND_0_exc void))
      end with Goto__LAND_0_exc _jessie_ ->
      begin   void; (raise Return) end end; (raise Return) end with Return ->
   void end)
  { (JC_104:
    ((JC_98:
     ((JC_95:
      inv(a_0_0, unsigned_intP_back_31_alloc_table,
      unsigned_intP_idx_30_alloc_table, intP_val_29_alloc_table,
      SparseArray_a_0_9_alloc_table, SparseArray_sz_0_a_0_9,
      SparseArray_n_1_a_0_9, SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
      SparseArray_val_a_0_9, unsigned_intP_unsigned_intM_back_31,
      unsigned_intP_unsigned_intM_idx_30))
     and ((JC_96:
          (model(a_0_0, integer_of_uint32(i_0), SparseArray_n_1_a_0_9,
           SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
           SparseArray_val_a_0_9, intP_intM_val_29,
           unsigned_intP_unsigned_intM_idx_30,
           unsigned_intP_unsigned_intM_back_31) = integer_of_int32(v)))
         and (JC_97:
             (forall j_0:int.
              ((j_0 <> integer_of_uint32(i_0)) ->
               (model(a_0_0, j_0, SparseArray_n_1_a_0_9,
                SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
                SparseArray_val_a_0_9, intP_intM_val_29,
                unsigned_intP_unsigned_intM_idx_30,
                unsigned_intP_unsigned_intM_back_31) = model(a_0_0, j_0,
                                                       SparseArray_n_1_a_0_9@,
                                                       SparseArray_back_a_0_9,
                                                       SparseArray_idx_a_0_9,
                                                       SparseArray_val_a_0_9,
                                                       intP_intM_val_29@,
                                                       unsigned_intP_unsigned_intM_idx_30@,
                                                       unsigned_intP_unsigned_intM_back_31@))))))))
    and (JC_103:
        ((((JC_99:
           not_assigns(unsigned_intP_idx_30_alloc_table,
           unsigned_intP_unsigned_intM_idx_30@,
           unsigned_intP_unsigned_intM_idx_30,
           pset_all(pset_deref(SparseArray_idx_a_0_9, pset_singleton(a_0_0)))))
          and (JC_100:
              not_assigns(unsigned_intP_back_31_alloc_table,
              unsigned_intP_unsigned_intM_back_31@,
              unsigned_intP_unsigned_intM_back_31,
              pset_all(pset_deref(SparseArray_back_a_0_9,
                       pset_singleton(a_0_0))))))
         and (JC_101:
             not_assigns(intP_val_29_alloc_table, intP_intM_val_29@,
             intP_intM_val_29,
             pset_range(pset_deref(SparseArray_val_a_0_9,
                        pset_singleton(a_0_0)),
             integer_of_uint32(i_0), integer_of_uint32(i_0)))))
        and (JC_102:
            not_assigns(SparseArray_a_0_9_alloc_table,
            SparseArray_n_1_a_0_9@, SparseArray_n_1_a_0_9,
            pset_singleton(a_0_0))))))) } 

let set_safety =
 fun (a_0_0 : SparseArray pointer) (i_0 : uint32) (v : int32) (unsigned_intP_unsigned_intM_idx_30 : (unsigned_intP, uint32) memory ref) (unsigned_intP_unsigned_intM_back_31 : (unsigned_intP, uint32) memory ref) (intP_intM_val_29 : (intP, int32) memory ref) (SparseArray_n_1_a_0_9 : (SparseArray, uint32) memory ref) (SparseArray_a_0_9_alloc_table : SparseArray alloc_table) (intP_val_29_alloc_table : intP alloc_table) (unsigned_intP_idx_30_alloc_table : unsigned_intP alloc_table) (unsigned_intP_back_31_alloc_table : unsigned_intP alloc_table) (SparseArray_val_a_0_9 : (SparseArray, intP pointer) memory) (SparseArray_idx_a_0_9 : (SparseArray, unsigned_intP pointer) memory) (SparseArray_back_a_0_9 : (SparseArray, unsigned_intP pointer) memory) (SparseArray_sz_0_a_0_9 : (SparseArray, uint32) memory) ->
  { (JC_93:
    ((JC_89: le_int(offset_min(SparseArray_a_0_9_alloc_table, a_0_0), (0)))
    and ((JC_90:
         ge_int(offset_max(SparseArray_a_0_9_alloc_table, a_0_0), (0)))
        and ((JC_91:
             inv(a_0_0, unsigned_intP_back_31_alloc_table,
             unsigned_intP_idx_30_alloc_table, intP_val_29_alloc_table,
             SparseArray_a_0_9_alloc_table, SparseArray_sz_0_a_0_9,
             SparseArray_n_1_a_0_9, SparseArray_back_a_0_9,
             SparseArray_idx_a_0_9, SparseArray_val_a_0_9,
             unsigned_intP_unsigned_intM_back_31,
             unsigned_intP_unsigned_intM_idx_30))
            and (JC_92:
                le_int(integer_of_uint32(i_0),
                sub_int(integer_of_uint32(select(SparseArray_sz_0_a_0_9,
                                          a_0_0)),
                (1)))))))) }
  (init:
  try
   begin
     try
      begin
        try
         begin
           (let _jessie_ =
           (let _jessie_ = v in
           (let _jessie_ =
           (JC_117:
           (((acc_ SparseArray_a_0_9_alloc_table) SparseArray_val_a_0_9) a_0_0)) in
           (let _jessie_ = (integer_of_uint32 i_0) in
           (let _jessie_ = ((shift _jessie_) _jessie_) in
           (JC_118:
           (((((offset_upd_ intP_val_29_alloc_table) intP_intM_val_29) _jessie_) _jessie_) _jessie_)))))) in
           void);
          (if ((lt_int_ (integer_of_uint32 (JC_120:
                                           ((((offset_acc_ unsigned_intP_idx_30_alloc_table) !unsigned_intP_unsigned_intM_idx_30) 
                                             (JC_119:
                                             (((acc_ SparseArray_a_0_9_alloc_table) SparseArray_idx_a_0_9) a_0_0))) 
                                            (integer_of_uint32 i_0))))) 
               (integer_of_uint32 (JC_121:
                                  (((acc_ SparseArray_a_0_9_alloc_table) !SparseArray_n_1_a_0_9) a_0_0))))
          then
           (if ((eq_int_ (integer_of_uint32 (JC_125:
                                            ((((offset_acc_ unsigned_intP_back_31_alloc_table) !unsigned_intP_unsigned_intM_back_31) 
                                              (JC_124:
                                              (((acc_ SparseArray_a_0_9_alloc_table) SparseArray_back_a_0_9) a_0_0))) 
                                             (integer_of_uint32 (JC_123:
                                                                ((((offset_acc_ unsigned_intP_idx_30_alloc_table) !unsigned_intP_unsigned_intM_idx_30) 
                                                                  (JC_122:
                                                                  (((acc_ SparseArray_a_0_9_alloc_table) SparseArray_idx_a_0_9) a_0_0))) 
                                                                 (integer_of_uint32 i_0)))))))) 
                (integer_of_uint32 i_0)) then void
           else (raise (Goto__LAND_exc void)))
          else (raise (Goto__LAND_exc void)));
          (raise (Goto__LAND_0_exc void)); (raise (Goto__LAND_exc void)) end
         with Goto__LAND_exc _jessie_ ->
         (let _jessie_ =
         begin
           [ { } unit reads SparseArray_n_1_a_0_9
             { (JC_126:
               lt_int(integer_of_uint32(select(SparseArray_n_1_a_0_9, a_0_0)),
               integer_of_uint32(select(SparseArray_sz_0_a_0_9, a_0_0)))) } ];
          void;
          (let _jessie_ =
          (let _jessie_ =
          (JC_127:
          (((acc_ SparseArray_a_0_9_alloc_table) !SparseArray_n_1_a_0_9) a_0_0)) in
          (let _jessie_ =
          (JC_128:
          (((acc_ SparseArray_a_0_9_alloc_table) SparseArray_idx_a_0_9) a_0_0)) in
          (let _jessie_ = (integer_of_uint32 i_0) in
          (let _jessie_ = ((shift _jessie_) _jessie_) in
          (JC_129:
          (((((offset_upd_ unsigned_intP_idx_30_alloc_table) unsigned_intP_unsigned_intM_idx_30) _jessie_) _jessie_) _jessie_)))))) in
          void);
          (let _jessie_ =
          (let _jessie_ = i_0 in
          (let _jessie_ =
          (JC_130:
          (((acc_ SparseArray_a_0_9_alloc_table) SparseArray_back_a_0_9) a_0_0)) in
          (let _jessie_ =
          (integer_of_uint32 (JC_131:
                             (((acc_ SparseArray_a_0_9_alloc_table) !SparseArray_n_1_a_0_9) a_0_0))) in
          (let _jessie_ = ((shift _jessie_) _jessie_) in
          (JC_132:
          (((((offset_upd_ unsigned_intP_back_31_alloc_table) unsigned_intP_unsigned_intM_back_31) _jessie_) _jessie_) _jessie_)))))) in
          void);
          (let _jessie_ =
          (JC_134:
          (uint32_of_integer_ ((add_int (integer_of_uint32 (JC_133:
                                                           (((acc_ SparseArray_a_0_9_alloc_table) !SparseArray_n_1_a_0_9) a_0_0)))) (1)))) in
          begin
            (let _jessie_ = a_0_0 in
            (JC_135:
            ((((upd_ SparseArray_a_0_9_alloc_table) SparseArray_n_1_a_0_9) _jessie_) _jessie_)));
           _jessie_ end) end in void) end; (raise (Goto__LAND_0_exc void))
      end with Goto__LAND_0_exc _jessie_ ->
      begin   void; (raise Return) end end; (raise Return) end with Return ->
   void end) { true } 


why-2.39/tests/c/oracle/fact.err.oracle0000644000106100004300000000014313147234006016753 0ustar  marchevalscat: /tmp/regtests.cwd: No such file or directory
grep: /src/version.ml: No such file or directory
why-2.39/tests/c/oracle/overflow_level.res.oracle0000644000106100004300000004761313147234006021106 0ustar  marchevals========== file tests/c/overflow_level.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

double x;

void f() {
double y;
/*0*/	y = x+1.e291;
/*1*/	y = x+1.e292;
/*2*/	y = x+x;
/*3*/	y = x+1e-6;
}
========== frama-c -jessie execution ==========
[kernel] Parsing FRAMAC_SHARE/libc/__fc_builtin_for_normalization.i (no preprocessing)
[kernel] Parsing tests/c/overflow_level.c (with preprocessing)
tests/c/overflow_level.c:36:[kernel] warning: Floating-point constant 1.e291 is not represented exactly. Will use 0x1.9a742461887f6p966. See documentation for option -warn-decimal-float
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/overflow_level.jessie
[jessie] File tests/c/overflow_level.jessie/overflow_level.jc written.
[jessie] File tests/c/overflow_level.jessie/overflow_level.cloc written.
========== file tests/c/overflow_level.jessie/overflow_level.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type int8 = -128..127

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

double x;

unit f()
behavior default:
  ensures (_C_9 : true);
{  
   (var double y);
   
   {  (_C_2 : (y = (_C_1 : (x + (1.e291 :> double)))));
      (_C_4 : (y = (_C_3 : (x + (1.e292 :> double)))));
      (_C_6 : (y = (_C_5 : (x + x))));
      (_C_8 : (y = (_C_7 : (x + (1e-6 :> double)))));
      
      (return ())
   }
}
========== file tests/c/overflow_level.jessie/overflow_level.cloc ==========
[_C_4]
file = "HOME/tests/c/overflow_level.c"
line = 37
begin = 10
end = 18

[_C_5]
file = "HOME/tests/c/overflow_level.c"
line = 38
begin = 10
end = 13

[_C_9]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_6]
file = "HOME/tests/c/overflow_level.c"
line = 38
begin = 10
end = 13

[_C_3]
file = "HOME/tests/c/overflow_level.c"
line = 37
begin = 10
end = 18

[_C_7]
file = "HOME/tests/c/overflow_level.c"
line = 39
begin = 10
end = 16

[_C_8]
file = "HOME/tests/c/overflow_level.c"
line = 39
begin = 10
end = 16

[_C_2]
file = "HOME/tests/c/overflow_level.c"
line = 36
begin = 10
end = 18

[_C_1]
file = "HOME/tests/c/overflow_level.c"
line = 36
begin = 10
end = 18

[f]
name = "Function f"
file = "HOME/tests/c/overflow_level.c"
line = 34
begin = 5
end = 6

========== jessie execution ==========
Generating Why function f
========== file tests/c/overflow_level.jessie/overflow_level.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why $(WHYLIB)/why/floats_strict.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/overflow_level_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: overflow_level.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: overflow_level.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: overflow_level.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/c/overflow_level.jessie/overflow_level.loc ==========
[f_safety]
name = "Function f"
behavior = "Safety"
file = "HOME/tests/c/overflow_level.c"
line = 34
begin = 5
end = 6

[JC_17]
kind = FPOverflow
file = "HOME/tests/c/overflow_level.c"
line = 37
begin = 10
end = 18

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_9]
kind = FPOverflow
file = "HOME/tests/c/overflow_level.jessie/overflow_level.jc"
line = 42
begin = 32
end = 50

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
kind = FPOverflow
file = "HOME/tests/c/overflow_level.c"
line = 38
begin = 10
end = 13

[JC_11]
kind = FPOverflow
file = "HOME/tests/c/overflow_level.jessie/overflow_level.jc"
line = 43
begin = 32
end = 50

[JC_15]
kind = FPOverflow
file = "HOME/tests/c/overflow_level.c"
line = 39
begin = 10
end = 16

[JC_12]
kind = FPOverflow
file = "HOME/tests/c/overflow_level.c"
line = 37
begin = 10
end = 18

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
kind = FPOverflow
file = "HOME/tests/c/overflow_level.c"
line = 36
begin = 10
end = 18

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
kind = FPOverflow
file = "HOME/tests/c/overflow_level.jessie/overflow_level.jc"
line = 45
begin = 32
end = 48

[JC_1]
file = "HOME/tests/c/overflow_level.c"
line = 34
begin = 5
end = 6

[JC_10]
kind = FPOverflow
file = "HOME/tests/c/overflow_level.c"
line = 36
begin = 10
end = 18

[JC_18]
kind = FPOverflow
file = "HOME/tests/c/overflow_level.c"
line = 38
begin = 10
end = 13

[JC_3]
file = "HOME/tests/c/overflow_level.c"
line = 34
begin = 5
end = 6

[JC_19]
kind = FPOverflow
file = "HOME/tests/c/overflow_level.c"
line = 39
begin = 10
end = 16

[f_ensures_default]
name = "Function f"
behavior = "default behavior"
file = "HOME/tests/c/overflow_level.c"
line = 34
begin = 5
end = 6

========== file tests/c/overflow_level.jessie/why/overflow_level.why ==========
type charP

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

logic x_0:  -> double

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter f : tt:unit -> { } unit { true }

parameter f_requires : tt:unit -> { } unit { true }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let f_ensures_default =
 fun (tt : unit) ->
  { (JC_4: true) }
  (init:
  try
   begin
     (let y = ref (any_double void) in
     begin
       (let _jessie_ =
       (y := (JC_16:
             (((add_double_safe nearest_even) x_0) ((double_of_real_safe nearest_even) 1.e291)))) in
       void);
      (let _jessie_ =
      (y := (JC_17:
            (((add_double_safe nearest_even) x_0) ((double_of_real_safe nearest_even) 1.e292)))) in
      void);
      (let _jessie_ =
      (y := (JC_18: (((add_double_safe nearest_even) x_0) x_0))) in void);
      (let _jessie_ =
      (y := (JC_19:
            (((add_double_safe nearest_even) x_0) ((double_of_real_safe nearest_even) 1e-6)))) in
      void); (raise Return) end); (raise Return) end with Return -> void end)
  { (JC_5: true) } 

let f_safety =
 fun (tt : unit) ->
  { (JC_4: true) }
  (init:
  try
   begin
     (let y = ref (any_double void) in
     begin
       (let _jessie_ =
       (y := (JC_10:
             (((add_double nearest_even) x_0) (JC_9:
                                              ((double_of_real nearest_even) 1.e291))))) in
       void);
      (let _jessie_ =
      (y := (JC_12:
            (((add_double nearest_even) x_0) (JC_11:
                                             ((double_of_real nearest_even) 1.e292))))) in
      void);
      (let _jessie_ =
      (y := (JC_13: (((add_double nearest_even) x_0) x_0))) in void);
      (let _jessie_ =
      (y := (JC_15:
            (((add_double nearest_even) x_0) (JC_14:
                                             ((double_of_real nearest_even) 1e-6))))) in
      void); (raise Return) end); (raise Return) end with Return -> void end)
  { true } 


why-2.39/tests/c/oracle/duplets.err.oracle0000644000106100004300000000000013147234006017506 0ustar  marchevalswhy-2.39/tests/c/oracle/double_rounding_strict_model.err.oracle0000644000106100004300000000000013147234006023755 0ustar  marchevalswhy-2.39/tests/c/oracle/rec.res.oracle0000644000106100004300000011010613147234006016611 0ustar  marchevals========== file tests/c/rec.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@ logic integer sum_upto(integer n) = n*(n+1) / 2;

/*@ lemma sum_rec: \forall integer n; n >=0 ==>
  @     sum_upto(n+1) == sum_upto(n)+n+1;
  @*/

/*@ requires x >= 0;
  @ requires x <= 1000;
  @ decreases x;
  @ ensures \result == sum_upto(x);
  @*/
long sum(int x) {
  if (x == 0) return 0;
  else return x + sum (x-1);
}


/*@ ensures \result == 36; 
  @*/
long main () {
  long i = sum(8);
  return i;
}



/*@ decreases 101-n ;
  @ behavior less_than_101:
  @   assumes n <= 100;
  @   ensures \result == 91;
  @ behavior greater_than_100:
  @   assumes n >= 101;
  @   ensures \result == n - 10;
  @*/
int f91(int n) {
  if (n <= 100) {
    return f91(f91(n + 11));
  }
  else
    return n - 10;
}

/*
Local Variables:
compile-command: "make rec.why3ide"
End:
*/


========== frama-c -jessie execution ==========
[kernel] Parsing FRAMAC_SHARE/libc/__fc_builtin_for_normalization.i (no preprocessing)
[kernel] Parsing tests/c/rec.c (with preprocessing)
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/rec.jessie
[jessie] File tests/c/rec.jessie/rec.jc written.
[jessie] File tests/c/rec.jessie/rec.cloc written.
========== file tests/c/rec.jessie/rec.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type int8 = -128..127

type int32 = -2147483648..2147483647

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

logic integer sum_upto(integer n) =
((n * (n + 1)) / 2)

lemma sum_rec :
(\forall integer n_0;
  ((n_0 >= 0) ==> (sum_upto((n_0 + 1)) == ((sum_upto(n_0) + n_0) + 1))))

int32 sum(int32 x)
  requires (_C_12 : (x >= 0));
  requires (_C_11 : (x <= 1000));
  decreases (_C_13 : x);
behavior default:
  ensures (_C_10 : (\result == sum_upto(\at(x,Old))));
{  
   (var int32 tmp);
   
   (var int32 __retres);
   
   {  (if (x == 0) then 
      {  (_C_9 : (__retres = 0));
         
         (goto return_label)
      } else 
      {  
         {  (_C_4 : (tmp = (_C_3 : sum((_C_2 : ((_C_1 : (x - 1)) :> int32))))));
            ()
         };
         (_C_8 : (__retres = (_C_7 : ((_C_6 : ((_C_5 : (x :> int32)) + tmp)) :> int32))));
         
         (goto return_label)
      });
      (return_label : 
      (return __retres))
   }
}

int32 main()
behavior default:
  ensures (_C_16 : (\result == 36));
{  
   (var int32 i);
   
   {  (_C_15 : (i = (_C_14 : sum(8))));
      
      (return i)
   }
}

int32 f91(int32 n_1)
  decreases (_C_30 : (101 - n_1));
behavior less_than_101:
  assumes (n_1 <= 100);
  ensures (_C_27 : (\result == 91));
behavior greater_than_100:
  assumes (n_1 >= 101);
  ensures (_C_28 : (\result == (\at(n_1,Old) - 10)));
behavior default:
  ensures (_C_29 : true);
{  
   (var int32 tmp_0);
   
   (var int32 tmp_0_0);
   
   (var int32 __retres_0);
   
   {  (if (n_1 <= 100) then 
      {  (_C_23 : (tmp_0 = (_C_22 : f91((_C_21 : ((_C_20 : (n_1 + 11)) :> int32))))));
         (_C_25 : (tmp_0_0 = (_C_24 : f91(tmp_0))));
         (_C_26 : (__retres_0 = tmp_0_0));
         
         (goto return_label)
      } else 
      {  (_C_19 : (__retres_0 = (_C_18 : ((_C_17 : (n_1 - 10)) :> int32))));
         
         (goto return_label)
      });
      (return_label : 
      (return __retres_0))
   }
}
========== file tests/c/rec.jessie/rec.cloc ==========
[_C_28]
file = "HOME/tests/c/rec.c"
line = 64
begin = 14
end = 31

[f91]
name = "Function f91"
file = "HOME/tests/c/rec.c"
line = 66
begin = 4
end = 7

[main]
name = "Function main"
file = "HOME/tests/c/rec.c"
line = 51
begin = 5
end = 9

[_C_4]
file = "HOME/tests/c/rec.c"
line = 45
begin = 18
end = 27

[_C_23]
file = "HOME/tests/c/rec.c"
line = 68
begin = 15
end = 26

[_C_19]
file = "HOME/tests/c/rec.c"
line = 71
begin = 4
end = 18

[_C_13]
file = "HOME/tests/c/rec.c"
line = 40
begin = 14
end = 15

[_C_5]
file = "HOME/tests/c/rec.c"
line = 45
begin = 14
end = 15

[_C_12]
file = "HOME/tests/c/rec.c"
line = 38
begin = 16
end = 22

[_C_22]
file = "HOME/tests/c/rec.c"
line = 68
begin = 15
end = 26

[_C_9]
file = "HOME/tests/c/rec.c"
line = 44
begin = 14
end = 23

[_C_30]
file = "HOME/tests/c/rec.c"
line = 58
begin = 17
end = 22

[_C_6]
file = "HOME/tests/c/rec.c"
line = 45
begin = 14
end = 27

[_C_24]
file = "HOME/tests/c/rec.c"
line = 68
begin = 11
end = 27

[_C_20]
file = "HOME/tests/c/rec.c"
line = 68
begin = 19
end = 25

[_C_3]
file = "HOME/tests/c/rec.c"
line = 45
begin = 18
end = 27

[_C_17]
file = "HOME/tests/c/rec.c"
line = 71
begin = 11
end = 17

[_C_7]
file = "HOME/tests/c/rec.c"
line = 45
begin = 14
end = 27

[_C_27]
file = "HOME/tests/c/rec.c"
line = 61
begin = 14
end = 27

[_C_15]
file = "HOME/tests/c/rec.c"
line = 52
begin = 11
end = 17

[_C_26]
file = "HOME/tests/c/rec.c"
line = 68
begin = 4
end = 28

[_C_10]
file = "HOME/tests/c/rec.c"
line = 41
begin = 12
end = 34

[_C_8]
file = "HOME/tests/c/rec.c"
line = 45
begin = 7
end = 28

[_C_18]
file = "HOME/tests/c/rec.c"
line = 71
begin = 11
end = 17

[_C_29]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_14]
file = "HOME/tests/c/rec.c"
line = 52
begin = 11
end = 17

[_C_2]
file = "HOME/tests/c/rec.c"
line = 45
begin = 23
end = 26

[_C_16]
file = "HOME/tests/c/rec.c"
line = 49
begin = 15
end = 28

[_C_1]
file = "HOME/tests/c/rec.c"
line = 45
begin = 23
end = 26

[_C_25]
file = "HOME/tests/c/rec.c"
line = 68
begin = 11
end = 27

[_C_11]
file = "HOME/tests/c/rec.c"
line = 39
begin = 13
end = 22

[sum]
name = "Function sum"
file = "HOME/tests/c/rec.c"
line = 43
begin = 5
end = 8

[sum_rec]
name = "Lemma sum_rec"
file = "HOME/tests/c/rec.c"
line = 34
begin = 7
end = 92

[_C_21]
file = "HOME/tests/c/rec.c"
line = 68
begin = 19
end = 25

========== jessie execution ==========
Generating Why function sum
Generating Why function main
Generating Why function f91
========== file tests/c/rec.jessie/rec.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/rec_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: rec.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: rec.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: rec.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/c/rec.jessie/rec.loc ==========
[main_safety]
name = "Function main"
behavior = "Safety"
file = "HOME/tests/c/rec.c"
line = 51
begin = 5
end = 9

[JC_51]
kind = ArithOverflow
file = "HOME/tests/c/rec.c"
line = 71
begin = 11
end = 17

[JC_45]
file = "HOME/tests/c/rec.c"
line = 58
begin = 17
end = 22

[JC_31]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_17]
kind = VarDecr
file = "HOME/tests/c/rec.c"
line = 45
begin = 18
end = 27

[sum_safety]
name = "Function sum"
behavior = "Safety"
file = "HOME/tests/c/rec.c"
line = 43
begin = 5
end = 8

[JC_55]
kind = UserCall
file = "HOME/tests/c/rec.c"
line = 68
begin = 11
end = 27

[f91_safety]
name = "Function f91"
behavior = "Safety"
file = "HOME/tests/c/rec.c"
line = 66
begin = 4
end = 7

[JC_48]
file = "HOME/tests/c/rec.c"
line = 58
begin = 17
end = 22

[JC_23]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_22]
file = "HOME/tests/c/rec.c"
line = 51
begin = 5
end = 9

[JC_5]
file = "HOME/tests/c/rec.c"
line = 38
begin = 16
end = 22

[JC_9]
file = "HOME/tests/c/rec.c"
line = 41
begin = 12
end = 34

[JC_24]
file = "HOME/tests/c/rec.c"
line = 49
begin = 15
end = 28

[JC_25]
file = "HOME/tests/c/rec.c"
line = 49
begin = 15
end = 28

[JC_41]
file = "HOME/tests/c/rec.c"
line = 64
begin = 14
end = 31

[JC_47]
kind = UserCall
file = "HOME/tests/c/rec.c"
line = 68
begin = 11
end = 27

[JC_52]
kind = UserCall
file = "HOME/tests/c/rec.c"
line = 68
begin = 15
end = 26

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
kind = UserCall
file = "HOME/tests/c/rec.c"
line = 68
begin = 15
end = 26

[JC_13]
kind = ArithOverflow
file = "HOME/tests/c/rec.c"
line = 45
begin = 23
end = 26

[f91_ensures_greater_than_100]
name = "Function f91"
behavior = "Behavior `greater_than_100'"
file = "HOME/tests/c/rec.c"
line = 66
begin = 4
end = 7

[JC_11]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_15]
file = "HOME/tests/c/rec.c"
line = 40
begin = 14
end = 15

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_39]
file = "HOME/tests/c/rec.c"
line = 61
begin = 14
end = 27

[JC_40]
file = "HOME/tests/c/rec.c"
line = 64
begin = 14
end = 31

[JC_35]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_38]
file = "HOME/tests/c/rec.c"
line = 61
begin = 14
end = 27

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/tests/c/rec.c"
line = 39
begin = 13
end = 22

[JC_44]
file = "HOME/tests/c/rec.c"
line = 58
begin = 17
end = 22

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_42]
kind = ArithOverflow
file = "HOME/tests/c/rec.c"
line = 68
begin = 19
end = 25

[JC_46]
kind = VarDecr
file = "HOME/tests/c/rec.c"
line = 68
begin = 15
end = 26

[main_ensures_default]
name = "Function main"
behavior = "default behavior"
file = "HOME/tests/c/rec.c"
line = 51
begin = 5
end = 9

[JC_32]
file = "HOME/tests/c/rec.c"
line = 66
begin = 4
end = 7

[JC_56]
kind = UserCall
file = "HOME/tests/c/rec.c"
line = 68
begin = 15
end = 26

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[f91_ensures_less_than_101]
name = "Function f91"
behavior = "Behavior `less_than_101'"
file = "HOME/tests/c/rec.c"
line = 66
begin = 4
end = 7

[JC_29]
kind = UserCall
file = "HOME/tests/c/rec.c"
line = 52
begin = 11
end = 17

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[sum_ensures_default]
name = "Function sum"
behavior = "default behavior"
file = "HOME/tests/c/rec.c"
line = 43
begin = 5
end = 8

[JC_16]
file = "HOME/tests/c/rec.c"
line = 40
begin = 14
end = 15

[JC_43]
kind = UserCall
file = "HOME/tests/c/rec.c"
line = 68
begin = 15
end = 26

[JC_2]
file = "HOME/tests/c/rec.c"
line = 39
begin = 13
end = 22

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
kind = UserCall
file = "HOME/tests/c/rec.c"
line = 45
begin = 18
end = 27

[JC_53]
kind = UserCall
file = "HOME/tests/c/rec.c"
line = 68
begin = 11
end = 27

[JC_21]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_49]
file = "HOME/tests/c/rec.c"
line = 58
begin = 17
end = 22

[JC_1]
file = "HOME/tests/c/rec.c"
line = 38
begin = 16
end = 22

[JC_37]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_10]
file = "HOME/tests/c/rec.c"
line = 41
begin = 12
end = 34

[JC_57]
kind = UserCall
file = "HOME/tests/c/rec.c"
line = 68
begin = 11
end = 27

[JC_20]
file = "HOME/tests/c/rec.c"
line = 51
begin = 5
end = 9

[JC_18]
kind = ArithOverflow
file = "HOME/tests/c/rec.c"
line = 45
begin = 14
end = 27

[JC_3]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_19]
kind = UserCall
file = "HOME/tests/c/rec.c"
line = 45
begin = 18
end = 27

[JC_50]
kind = VarDecr
file = "HOME/tests/c/rec.c"
line = 68
begin = 11
end = 27

[JC_30]
file = "HOME/tests/c/rec.c"
line = 66
begin = 4
end = 7

[sum_rec]
name = "Lemma sum_rec"
behavior = "lemma"
file = "HOME/tests/c/rec.c"
line = 34
begin = 7
end = 92

[f91_ensures_default]
name = "Function f91"
behavior = "default behavior"
file = "HOME/tests/c/rec.c"
line = 66
begin = 4
end = 7

[JC_28]
kind = UserCall
file = "HOME/tests/c/rec.c"
line = 52
begin = 11
end = 17

========== file tests/c/rec.jessie/why/rec.why ==========
type charP

type int32

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

function sum_upto(n:int) : int =
 computer_div(mul_int(n, add_int(n, (1))), (2))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

lemma sum_rec :
 (forall n_0:int.
  (ge_int(n_0, (0)) ->
   (sum_upto(add_int(n_0, (1))) = add_int(add_int(sum_upto(n_0), n_0), (1)))))

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int32 : unit -> { } int32 { true }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter f91 :
 n_1:int32 ->
  { } int32
  { ((ge_int(integer_of_int32(n_1), (101)) ->
      (JC_41:
      (integer_of_int32(result) = sub_int(integer_of_int32(n_1), (10)))))
    and (le_int(integer_of_int32(n_1), (100)) ->
         (JC_39: (integer_of_int32(result) = (91))))) }

parameter f91_requires :
 n_1:int32 ->
  { } int32
  { ((ge_int(integer_of_int32(n_1), (101)) ->
      (JC_41:
      (integer_of_int32(result) = sub_int(integer_of_int32(n_1), (10)))))
    and (le_int(integer_of_int32(n_1), (100)) ->
         (JC_39: (integer_of_int32(result) = (91))))) }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter main :
 tt:unit -> { } int32 { (JC_25: (integer_of_int32(result) = (36))) }

parameter main_requires :
 tt:unit -> { } int32 { (JC_25: (integer_of_int32(result) = (36))) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter sum :
 x_0:int32 ->
  { } int32
  { (JC_10: (integer_of_int32(result) = sum_upto(integer_of_int32(x_0)))) }

parameter sum_requires :
 x_0:int32 ->
  { (JC_3:
    ((JC_1: ge_int(integer_of_int32(x_0), (0)))
    and (JC_2: le_int(integer_of_int32(x_0), (1000)))))}
  int32
  { (JC_10: (integer_of_int32(result) = sum_upto(integer_of_int32(x_0)))) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let f91_ensures_default =
 fun (n_1 : int32) ->
  { (JC_33: true) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let tmp_0 = ref (any_int32 void) in
     (let tmp_0_0 = ref (any_int32 void) in
     (let __retres_0 = ref (any_int32 void) in
     try
      begin
        (if ((le_int_ (integer_of_int32 n_1)) (100))
        then
         begin
           (let _jessie_ =
           (tmp_0 := (let _jessie_ =
                     (safe_int32_of_integer_ ((add_int (integer_of_int32 n_1)) (11))) in
                     (JC_52: (f91 _jessie_)))) in void);
          (let _jessie_ =
          (tmp_0_0 := (let _jessie_ = !tmp_0 in (JC_53: (f91 _jessie_)))) in
          void); (let _jessie_ = (__retres_0 := !tmp_0_0) in void);
          (raise (Return_label_exc void)) end
        else
         begin
           (let _jessie_ =
           (__retres_0 := (safe_int32_of_integer_ ((sub_int (integer_of_int32 n_1)) (10)))) in
           void); (raise (Return_label_exc void)) end);
       (raise (Return_label_exc void)) end with Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres_0); (raise Return) end) end)));
    absurd  end with Return -> !return end)) { (JC_34: true) } 

let f91_ensures_greater_than_100 =
 fun (n_1 : int32) ->
  { ge_int(integer_of_int32(n_1), (101)) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let tmp_0 = ref (any_int32 void) in
     (let tmp_0_0 = ref (any_int32 void) in
     (let __retres_0 = ref (any_int32 void) in
     try
      begin
        (if ((le_int_ (integer_of_int32 n_1)) (100))
        then
         begin
           (let _jessie_ =
           (tmp_0 := (let _jessie_ =
                     (safe_int32_of_integer_ ((add_int (integer_of_int32 n_1)) (11))) in
                     (JC_56: (f91 _jessie_)))) in void);
          (let _jessie_ =
          (tmp_0_0 := (let _jessie_ = !tmp_0 in (JC_57: (f91 _jessie_)))) in
          void); (let _jessie_ = (__retres_0 := !tmp_0_0) in void);
          (raise (Return_label_exc void)) end
        else
         begin
           (let _jessie_ =
           (__retres_0 := (safe_int32_of_integer_ ((sub_int (integer_of_int32 n_1)) (10)))) in
           void); (raise (Return_label_exc void)) end);
       (raise (Return_label_exc void)) end with Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres_0); (raise Return) end) end)));
    absurd  end with Return -> !return end))
  { (JC_40:
    (integer_of_int32(result) = sub_int(integer_of_int32(n_1), (10)))) } 

let f91_ensures_less_than_101 =
 fun (n_1 : int32) ->
  { le_int(integer_of_int32(n_1), (100)) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let tmp_0 = ref (any_int32 void) in
     (let tmp_0_0 = ref (any_int32 void) in
     (let __retres_0 = ref (any_int32 void) in
     try
      begin
        (if ((le_int_ (integer_of_int32 n_1)) (100))
        then
         begin
           (let _jessie_ =
           (tmp_0 := (let _jessie_ =
                     (safe_int32_of_integer_ ((add_int (integer_of_int32 n_1)) (11))) in
                     (JC_54: (f91 _jessie_)))) in void);
          (let _jessie_ =
          (tmp_0_0 := (let _jessie_ = !tmp_0 in (JC_55: (f91 _jessie_)))) in
          void); (let _jessie_ = (__retres_0 := !tmp_0_0) in void);
          (raise (Return_label_exc void)) end
        else
         begin
           (let _jessie_ =
           (__retres_0 := (safe_int32_of_integer_ ((sub_int (integer_of_int32 n_1)) (10)))) in
           void); (raise (Return_label_exc void)) end);
       (raise (Return_label_exc void)) end with Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres_0); (raise Return) end) end)));
    absurd  end with Return -> !return end))
  { (JC_38: (integer_of_int32(result) = (91))) } 

let f91_safety =
 fun (n_1 : int32) ->
  { (JC_33: true) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let tmp_0 = ref (any_int32 void) in
     (let tmp_0_0 = ref (any_int32 void) in
     (let __retres_0 = ref (any_int32 void) in
     try
      begin
        (if ((le_int_ (integer_of_int32 n_1)) (100))
        then
         begin
           (let _jessie_ =
           (tmp_0 := (let _jessie_ =
                     (JC_42:
                     (int32_of_integer_ ((add_int (integer_of_int32 n_1)) (11)))) in
                     (JC_46:
                     (check
                     { zwf_zero((JC_45 : sub_int((101),
                                         integer_of_int32(_jessie_))),
                       (JC_44 : sub_int((101), integer_of_int32(n_1)))) };
                     (JC_43: (f91_requires _jessie_)))))) in void);
          (let _jessie_ =
          (tmp_0_0 := (let _jessie_ = !tmp_0 in
                      (JC_50:
                      (check
                      { zwf_zero((JC_49 : sub_int((101),
                                          integer_of_int32(_jessie_))),
                        (JC_48 : sub_int((101), integer_of_int32(n_1)))) };
                      (JC_47: (f91_requires _jessie_)))))) in void);
          (let _jessie_ = (__retres_0 := !tmp_0_0) in void);
          (raise (Return_label_exc void)) end
        else
         begin
           (let _jessie_ =
           (__retres_0 := (JC_51:
                          (int32_of_integer_ ((sub_int (integer_of_int32 n_1)) (10))))) in
           void); (raise (Return_label_exc void)) end);
       (raise (Return_label_exc void)) end with Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres_0); (raise Return) end) end)));
    absurd  end with Return -> !return end)) { true } 

let main_ensures_default =
 fun (tt : unit) ->
  { (JC_23: true) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let i = ref (any_int32 void) in
     begin
       (let _jessie_ =
       (i := (let _jessie_ = (safe_int32_of_integer_ (8)) in
             (JC_29: (sum _jessie_)))) in void); (return := !i);
      (raise Return) end); absurd  end with Return -> !return end))
  { (JC_24: (integer_of_int32(result) = (36))) } 

let main_safety =
 fun (tt : unit) ->
  { (JC_23: true) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let i = ref (any_int32 void) in
     begin
       (let _jessie_ =
       (i := (let _jessie_ = (safe_int32_of_integer_ (8)) in
             (JC_28: (sum_requires _jessie_)))) in void); (return := !i);
      (raise Return) end); absurd  end with Return -> !return end)) { true } 

let sum_ensures_default =
 fun (x_0 : int32) ->
  { (JC_7:
    ((JC_5: ge_int(integer_of_int32(x_0), (0)))
    and (JC_6: le_int(integer_of_int32(x_0), (1000))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let tmp = ref (any_int32 void) in
     (let __retres = ref (any_int32 void) in
     try
      begin
        (if ((eq_int_ (integer_of_int32 x_0)) (0))
        then
         begin
           (let _jessie_ = (__retres := (safe_int32_of_integer_ (0))) in
           void); (raise (Return_label_exc void)) end
        else
         begin
           (let _jessie_ =
           (tmp := (let _jessie_ =
                   (safe_int32_of_integer_ ((sub_int (integer_of_int32 x_0)) (1))) in
                   (JC_19: (sum _jessie_)))) in void); void;
          (let _jessie_ =
          (__retres := (safe_int32_of_integer_ ((add_int (integer_of_int32 x_0)) 
                                                (integer_of_int32 !tmp)))) in
          void); (raise (Return_label_exc void)) end);
       (raise (Return_label_exc void)) end with Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres); (raise Return) end) end));
    absurd  end with Return -> !return end))
  { (JC_9: (integer_of_int32(result) = sum_upto(integer_of_int32(x_0)))) } 

let sum_safety =
 fun (x_0 : int32) ->
  { (JC_7:
    ((JC_5: ge_int(integer_of_int32(x_0), (0)))
    and (JC_6: le_int(integer_of_int32(x_0), (1000))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let tmp = ref (any_int32 void) in
     (let __retres = ref (any_int32 void) in
     try
      begin
        (if ((eq_int_ (integer_of_int32 x_0)) (0))
        then
         begin
           (let _jessie_ = (__retres := (safe_int32_of_integer_ (0))) in
           void); (raise (Return_label_exc void)) end
        else
         begin
           (let _jessie_ =
           (tmp := (let _jessie_ =
                   (JC_13:
                   (int32_of_integer_ ((sub_int (integer_of_int32 x_0)) (1)))) in
                   (JC_17:
                   (check
                   { zwf_zero(integer_of_int32((JC_16 : _jessie_)),
                     integer_of_int32((JC_15 : x_0))) };
                   (JC_14: (sum_requires _jessie_)))))) in void); void;
          (let _jessie_ =
          (__retres := (JC_18:
                       (int32_of_integer_ ((add_int (integer_of_int32 x_0)) 
                                           (integer_of_int32 !tmp))))) in
          void); (raise (Return_label_exc void)) end);
       (raise (Return_label_exc void)) end with Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres); (raise Return) end) end));
    absurd  end with Return -> !return end)) { true } 


why-2.39/tests/c/oracle/conjugate.res.oracle0000644000106100004300000016346613147234006020040 0ustar  marchevals========== file tests/c/conjugate.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/*

  This was inspired by this article:

    Franck Butelle, Florent Hivert, Micaela Mayero, and Frédéric
    Toumazet. Formal Proof of SCHUR Conjugate Function. In Proceedings
    of Calculemus 2010, pages 158-171. Springer-Verlag LNAI, 2010.

  and an improvement made in Why3 (http://why3.lri.fr) by
  Jean-Christophe Filliatre

  Original C code from SCHUR

  Note that arrays are one-based
  (that code was translated from Pascal code where arrays were one-based)

*/

#define MAX 100

/*@ predicate is_partition(int *a) =
    // elements ranges between 0 and MAX-1
    (\forall integer i; 1 <= i < MAX ==> 0 <= a[i] < MAX-1) &&
    // sorted in non-increasing order 
    (\forall integer i,j; 1 <= i <= j < MAX ==> a[i] >= a[j]) &&
    // at least one 0 sentinel
    a[MAX-1] == 0 ;

  predicate numofgt (int *a, integer n, integer v) =
    // values in a[1..n] are >= v, and a[n+1] < v
    0 <= n < MAX-1 &&
    (\forall integer j; 1 <= j <= n ==> v <= a[j]) &&
    v > a[n+1] ;

  predicate is_conjugate (int *a, int *b) =
    MAX > a[1] &&
    \forall integer j; 1 <= j < MAX ==> numofgt(a,b[j],j);

*/

/*@ requires \valid(A + (0 .. MAX-1));
  @ requires \valid(B + (0 .. MAX-1));
  @ // requires \forall integer i; 1 <= i < MAX ==> 1 <= A[i] < MAX-1;
  @ requires \forall integer k; 1 <= k < MAX ==> B[k] == 0;
  @ requires is_partition(A);
  @ assigns B[..];
  @ ensures is_conjugate(A,B);
  @*/
void conjgte (int A[MAX], int B[MAX]) {
  int i, partc = 1, edge = 0;
  /*@ loop invariant 1 <= partc < MAX;
    @ loop invariant \forall integer j;
    @   A[partc] < j <= A[1] ==> numofgt(A,B[j],j);
    @ loop invariant \forall integer j;
    @   A[1] < j < MAX ==> B[j] == 0;
    @ loop variant MAX - partc;
    @*/
  while (A[partc] != 0) 
    Start: {
    edge = A[partc];
    /*@ loop invariant \at(partc,Start) <= partc < MAX-1;
      @ loop invariant \forall integer j; 
      @    \at(partc,Start) <= j < partc ==> A[j] == edge;
      @ loop variant MAX - partc;
      @*/
    do
      partc = partc + 1;
    while (A[partc] == edge);
    /*@ loop invariant 1 <= i;
      @ loop invariant \forall integer j;
      @   edge < j < MAX ==> B[j] == \at(B[j],Start);
      @ loop invariant \forall integer j;
      @   A[partc] < j < i ==> B[j] == partc-1;
      @ loop variant edge-i;
      @*/
    for (i = A[partc] + 1; i <= edge; i++)
      B[i] = partc - 1;
  }
}

========== frama-c -jessie execution ==========
[kernel] Parsing FRAMAC_SHARE/libc/__fc_builtin_for_normalization.i (no preprocessing)
[kernel] Parsing tests/c/conjugate.c (with preprocessing)
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/conjugate.jessie
[jessie] File tests/c/conjugate.jessie/conjugate.jc written.
[jessie] File tests/c/conjugate.jessie/conjugate.cloc written.
========== file tests/c/conjugate.jessie/conjugate.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type int8 = -128..127

type int32 = -2147483648..2147483647

tag intP = {
  int32 intM: 32;
}

type intP = [intP]

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

predicate is_partition{L}(intP[..] a) =
\at((((\forall integer i_1;
        (((1 <= i_1) && (i_1 < 100)) ==>
          ((0 <= (a + i_1).intM) && ((a + i_1).intM < (100 - 1))))) &&
       (\forall integer i_2;
         (\forall integer j_0;
           ((((1 <= i_2) && (i_2 <= j_0)) && (j_0 < 100)) ==>
             ((a + i_2).intM >= (a + j_0).intM))))) &&
      ((a + (100 - 1)).intM == 0)),L)

predicate numofgt{L}(intP[..] a_0, integer n, integer v) =
\at(((((0 <= n) && (n < (100 - 1))) &&
       (\forall integer j_1;
         (((1 <= j_1) && (j_1 <= n)) ==> (v <= (a_0 + j_1).intM)))) &&
      (v > (a_0 + (n + 1)).intM)),L)

predicate is_conjugate{L}(intP[..] a_1, intP[..] b) =
\at(((100 > (a_1 + 1).intM) &&
      (\forall integer j_2;
        (((1 <= j_2) && (j_2 < 100)) ==>
          numofgt{L}(a_1, (b + j_2).intM, j_2)))),L)

unit conjgte(intP[0] A, intP[0] B)
  requires (_C_47 : ((_C_48 : (\offset_min(A) <= 0)) &&
                      (_C_49 : (\offset_max(A) >= (100 - 1)))));
  requires (_C_44 : ((_C_45 : (\offset_min(B) <= 0)) &&
                      (_C_46 : (\offset_max(B) >= (100 - 1)))));
  requires (_C_43 : (\forall integer k;
                      (((1 <= k) && (k < 100)) ==> ((B + k).intM == 0))));
  requires (_C_42 : is_partition{Here}(A));
behavior default:
  assigns (B + [..]).intM;
  ensures (_C_41 : is_conjugate{Here}(\at(A,Old), \at(B,Old)));
{  
   (var int32 i);
   
   (var int32 partc);
   
   (var int32 edge);
   
   {  (_C_1 : (partc = 1));
      (_C_2 : (edge = 0));
      
      loop 
      behavior default:
        invariant (_C_6 : ((_C_7 : (1 <= partc)) && (_C_8 : (partc < 100))));
      behavior default:
        invariant (_C_5 : (\forall integer j_6;
                            ((((A + partc).intM < j_6) &&
                               (j_6 <= (A + 1).intM)) ==>
                              numofgt{Here}(A, (B + j_6).intM, j_6))));
      behavior default:
        invariant (_C_4 : (\forall integer j_7;
                            ((((A + 1).intM < j_7) && (j_7 < 100)) ==>
                              ((B + j_7).intM == 0))));
      variant (_C_3 : (100 - partc));
      while (true)
      {  
         {  (if ((_C_10 : (_C_9 : (A + partc)).intM) != 0) then () else 
            (goto while_0_break));
            (Start : 
            {  (_C_13 : (edge = (_C_12 : (_C_11 : (A + partc)).intM)));
               
               loop 
               behavior default:
                 invariant (_C_16 : ((_C_17 : (\at(partc,Start) <= partc)) &&
                                      (_C_18 : (partc < (100 - 1)))));
               behavior default:
                 invariant (_C_15 : (\forall integer j_3;
                                      (((\at(partc,Start) <= j_3) &&
                                         (j_3 < partc)) ==>
                                        ((A + j_3).intM == edge))));
               variant (_C_14 : (100 - partc));
               while (true)
               {  
                  {  (_C_21 : (partc = (_C_20 : ((_C_19 : (partc + 1)) :> int32))));
                     (if ((_C_23 : (_C_22 : (A + partc)).intM) == edge) then () else 
                     (goto while_1_break))
                  }
               };
               (while_1_break : ());
               (_C_28 : (i = (_C_27 : ((_C_26 : ((_C_25 : (_C_24 : (A +
                                                                    partc)).intM) +
                                                  1)) :> int32))));
               
               loop 
               behavior default:
                 invariant (_C_32 : (1 <= i));
               behavior default:
                 invariant (_C_31 : (\forall integer j_4;
                                      (((edge < j_4) && (j_4 < 100)) ==>
                                        ((B + j_4).intM ==
                                          \at((B + j_4).intM,Start)))));
               behavior default:
                 invariant (_C_30 : (\forall integer j_5;
                                      ((((A + partc).intM < j_5) &&
                                         (j_5 < i)) ==>
                                        ((B + j_5).intM == (partc - 1)))));
               variant (_C_29 : (edge - i));
               while (true)
               {  
                  {  (if (i <= edge) then () else 
                     (goto while_2_break));
                     (_C_37 : ((_C_36 : (_C_35 : (B + i)).intM) = (_C_34 : (
                                                                  (_C_33 : 
                                                                  (partc -
                                                                    1)) :> int32))));
                     (_C_40 : (i = (_C_39 : ((_C_38 : (i + 1)) :> int32))))
                  }
               };
               (while_2_break : ())
            })
         }
      };
      (while_0_break : ());
      
      (return ())
   }
}
========== file tests/c/conjugate.jessie/conjugate.cloc ==========
[_C_35]
file = "HOME/tests/c/conjugate.c"
line = 108
begin = 6
end = 7

[_C_28]
file = "HOME/tests/c/conjugate.c"
line = 107
begin = 13
end = 25

[_C_48]
file = "HOME/tests/c/conjugate.c"
line = 72
begin = 16
end = 41

[_C_31]
file = "HOME/tests/c/conjugate.c"
line = 101
begin = 23
end = 94

[_C_41]
file = "HOME/tests/c/conjugate.c"
line = 78
begin = 12
end = 29

[_C_4]
file = "HOME/tests/c/conjugate.c"
line = 85
begin = 21
end = 76

[_C_32]
file = "HOME/tests/c/conjugate.c"
line = 100
begin = 30
end = 36

[_C_23]
file = "HOME/tests/c/conjugate.c"
line = 99
begin = 11
end = 19

[_C_19]
file = "HOME/tests/c/conjugate.c"
line = 98
begin = 14
end = 23

[_C_42]
file = "HOME/tests/c/conjugate.c"
line = 76
begin = 13
end = 28

[_C_13]
file = "HOME/tests/c/conjugate.c"
line = 91
begin = 11
end = 19

[_C_5]
file = "HOME/tests/c/conjugate.c"
line = 83
begin = 21
end = 90

[_C_36]
file = "HOME/tests/c/conjugate.c"
line = 108
begin = 13
end = 22

[_C_12]
file = "HOME/tests/c/conjugate.c"
line = 91
begin = 11
end = 19

[_C_33]
file = "HOME/tests/c/conjugate.c"
line = 108
begin = 13
end = 22

[_C_22]
file = "HOME/tests/c/conjugate.c"
line = 99
begin = 11
end = 12

[_C_9]
file = "HOME/tests/c/conjugate.c"
line = 89
begin = 9
end = 10

[_C_30]
file = "HOME/tests/c/conjugate.c"
line = 103
begin = 23
end = 88

[_C_6]
file = "HOME/tests/c/conjugate.c"
line = 82
begin = 26
end = 42

[_C_49]
file = "HOME/tests/c/conjugate.c"
line = 72
begin = 16
end = 41

[_C_24]
file = "HOME/tests/c/conjugate.c"
line = 107
begin = 13
end = 14

[_C_45]
file = "HOME/tests/c/conjugate.c"
line = 73
begin = 13
end = 38

[_C_20]
file = "HOME/tests/c/conjugate.c"
line = 98
begin = 14
end = 23

[conjgte]
name = "Function conjgte"
file = "HOME/tests/c/conjugate.c"
line = 80
begin = 5
end = 12

[_C_38]
file = "HOME/tests/c/conjugate.c"
line = 107
begin = 38
end = 41

[_C_3]
file = "HOME/tests/c/conjugate.c"
line = 87
begin = 19
end = 30

[_C_17]
file = "HOME/tests/c/conjugate.c"
line = 92
begin = 30
end = 55

[_C_7]
file = "HOME/tests/c/conjugate.c"
line = 82
begin = 26
end = 36

[_C_27]
file = "HOME/tests/c/conjugate.c"
line = 107
begin = 13
end = 25

[_C_46]
file = "HOME/tests/c/conjugate.c"
line = 73
begin = 13
end = 38

[_C_44]
file = "HOME/tests/c/conjugate.c"
line = 73
begin = 13
end = 38

[_C_15]
file = "HOME/tests/c/conjugate.c"
line = 93
begin = 23
end = 99

[_C_26]
file = "HOME/tests/c/conjugate.c"
line = 107
begin = 13
end = 25

[_C_47]
file = "HOME/tests/c/conjugate.c"
line = 72
begin = 16
end = 41

[_C_10]
file = "HOME/tests/c/conjugate.c"
line = 89
begin = 9
end = 17

[_C_40]
file = "HOME/tests/c/conjugate.c"
line = 107
begin = 38
end = 41

[_C_8]
file = "HOME/tests/c/conjugate.c"
line = 82
begin = 31
end = 42

[_C_18]
file = "HOME/tests/c/conjugate.c"
line = 92
begin = 50
end = 64

[_C_29]
file = "HOME/tests/c/conjugate.c"
line = 105
begin = 21
end = 27

[_C_14]
file = "HOME/tests/c/conjugate.c"
line = 95
begin = 21
end = 32

[_C_37]
file = "HOME/tests/c/conjugate.c"
line = 108
begin = 13
end = 22

[_C_43]
file = "HOME/tests/c/conjugate.c"
line = 75
begin = 13
end = 58

[_C_2]
file = "HOME/tests/c/conjugate.c"
line = 81
begin = 2
end = 5

[_C_34]
file = "HOME/tests/c/conjugate.c"
line = 108
begin = 13
end = 22

[_C_16]
file = "HOME/tests/c/conjugate.c"
line = 92
begin = 30
end = 64

[_C_1]
file = "HOME/tests/c/conjugate.c"
line = 81
begin = 2
end = 5

[_C_25]
file = "HOME/tests/c/conjugate.c"
line = 107
begin = 13
end = 21

[_C_39]
file = "HOME/tests/c/conjugate.c"
line = 107
begin = 38
end = 41

[_C_11]
file = "HOME/tests/c/conjugate.c"
line = 91
begin = 11
end = 12

[_C_21]
file = "HOME/tests/c/conjugate.c"
line = 98
begin = 14
end = 23

========== jessie execution ==========
Generating Why function conjgte
========== file tests/c/conjugate.jessie/conjugate.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/conjugate_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: conjugate.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: conjugate.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: conjugate.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/c/conjugate.jessie/conjugate.loc ==========
[JC_73]
file = "HOME/tests/c/conjugate.c"
line = 103
begin = 23
end = 88

[JC_63]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_51]
file = "HOME/tests/c/conjugate.jessie/conjugate.jc"
line = 127
begin = 15
end = 1301

[JC_71]
file = "HOME/tests/c/conjugate.jessie/conjugate.jc"
line = 105
begin = 15
end = 837

[JC_45]
kind = PointerDeref
file = "HOME/tests/c/conjugate.c"
line = 107
begin = 13
end = 21

[JC_64]
file = "HOME/tests/c/conjugate.jessie/conjugate.jc"
line = 85
begin = 6
end = 3346

[JC_31]
file = "HOME/tests/c/conjugate.jessie/conjugate.jc"
line = 85
begin = 6
end = 3346

[JC_17]
file = "HOME/tests/c/conjugate.c"
line = 78
begin = 12
end = 29

[JC_55]
kind = ArithOverflow
file = "HOME/tests/c/conjugate.c"
line = 107
begin = 38
end = 41

[JC_48]
file = "HOME/tests/c/conjugate.c"
line = 101
begin = 23
end = 94

[JC_23]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_22]
file = "HOME/tests/c/conjugate.jessie/conjugate.jc"
line = 72
begin = 9
end = 16

[JC_5]
file = "HOME/tests/c/conjugate.c"
line = 75
begin = 13
end = 58

[JC_67]
file = "HOME/tests/c/conjugate.c"
line = 92
begin = 30
end = 55

[JC_9]
file = "HOME/tests/c/conjugate.c"
line = 72
begin = 16
end = 41

[JC_75]
file = "HOME/tests/c/conjugate.c"
line = 100
begin = 30
end = 36

[JC_24]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_25]
file = "HOME/tests/c/conjugate.c"
line = 85
begin = 21
end = 76

[JC_78]
file = "HOME/tests/c/conjugate.jessie/conjugate.jc"
line = 127
begin = 15
end = 1301

[JC_41]
file = "HOME/tests/c/conjugate.jessie/conjugate.jc"
line = 105
begin = 15
end = 837

[JC_74]
file = "HOME/tests/c/conjugate.c"
line = 101
begin = 23
end = 94

[JC_47]
file = "HOME/tests/c/conjugate.c"
line = 103
begin = 23
end = 88

[JC_52]
file = "HOME/tests/c/conjugate.jessie/conjugate.jc"
line = 127
begin = 15
end = 1301

[JC_26]
file = "HOME/tests/c/conjugate.c"
line = 83
begin = 21
end = 90

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[conjgte_ensures_default]
name = "Function conjgte"
behavior = "default behavior"
file = "HOME/tests/c/conjugate.c"
line = 80
begin = 5
end = 12

[JC_54]
kind = PointerDeref
file = "HOME/tests/c/conjugate.jessie/conjugate.jc"
line = 145
begin = 31
end = 310

[JC_13]
file = "HOME/tests/c/conjugate.c"
line = 75
begin = 13
end = 58

[JC_11]
file = "HOME/tests/c/conjugate.c"
line = 73
begin = 13
end = 38

[JC_70]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_36]
file = "HOME/tests/c/conjugate.c"
line = 92
begin = 30
end = 55

[JC_39]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_40]
file = "HOME/tests/c/conjugate.jessie/conjugate.jc"
line = 105
begin = 15
end = 837

[JC_35]
file = "HOME/tests/c/conjugate.c"
line = 93
begin = 23
end = 99

[JC_27]
file = "HOME/tests/c/conjugate.c"
line = 82
begin = 26
end = 36

[JC_69]
file = "HOME/tests/c/conjugate.c"
line = 92
begin = 30
end = 64

[JC_38]
file = "HOME/tests/c/conjugate.c"
line = 92
begin = 30
end = 64

[JC_12]
file = "HOME/tests/c/conjugate.c"
line = 73
begin = 13
end = 38

[JC_6]
file = "HOME/tests/c/conjugate.c"
line = 76
begin = 13
end = 28

[JC_44]
file = "HOME/tests/c/conjugate.c"
line = 95
begin = 21
end = 32

[JC_4]
file = "HOME/tests/c/conjugate.c"
line = 73
begin = 13
end = 38

[JC_62]
file = "HOME/tests/c/conjugate.c"
line = 82
begin = 26
end = 42

[JC_42]
kind = ArithOverflow
file = "HOME/tests/c/conjugate.c"
line = 98
begin = 14
end = 23

[JC_46]
kind = ArithOverflow
file = "HOME/tests/c/conjugate.c"
line = 107
begin = 13
end = 25

[JC_61]
file = "HOME/tests/c/conjugate.c"
line = 82
begin = 31
end = 42

[JC_32]
file = "HOME/tests/c/conjugate.jessie/conjugate.jc"
line = 85
begin = 6
end = 3346

[JC_56]
file = "HOME/tests/c/conjugate.c"
line = 105
begin = 21
end = 27

[JC_33]
kind = PointerDeref
file = "HOME/tests/c/conjugate.c"
line = 89
begin = 9
end = 17

[JC_65]
file = "HOME/tests/c/conjugate.jessie/conjugate.jc"
line = 85
begin = 6
end = 3346

[JC_29]
file = "HOME/tests/c/conjugate.c"
line = 82
begin = 26
end = 42

[JC_68]
file = "HOME/tests/c/conjugate.c"
line = 92
begin = 50
end = 64

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_43]
kind = PointerDeref
file = "HOME/tests/c/conjugate.c"
line = 99
begin = 11
end = 19

[JC_2]
file = "HOME/tests/c/conjugate.c"
line = 72
begin = 16
end = 41

[JC_34]
kind = PointerDeref
file = "HOME/tests/c/conjugate.c"
line = 91
begin = 11
end = 19

[JC_14]
file = "HOME/tests/c/conjugate.c"
line = 76
begin = 13
end = 28

[JC_53]
kind = ArithOverflow
file = "HOME/tests/c/conjugate.c"
line = 108
begin = 13
end = 22

[JC_21]
file = "HOME/tests/c/conjugate.c"
line = 80
begin = 5
end = 12

[conjgte_safety]
name = "Function conjgte"
behavior = "Safety"
file = "HOME/tests/c/conjugate.c"
line = 80
begin = 5
end = 12

[JC_77]
file = "HOME/tests/c/conjugate.jessie/conjugate.jc"
line = 127
begin = 15
end = 1301

[JC_49]
file = "HOME/tests/c/conjugate.c"
line = 100
begin = 30
end = 36

[JC_1]
file = "HOME/tests/c/conjugate.c"
line = 72
begin = 16
end = 41

[JC_37]
file = "HOME/tests/c/conjugate.c"
line = 92
begin = 50
end = 64

[JC_10]
file = "HOME/tests/c/conjugate.c"
line = 72
begin = 16
end = 41

[JC_57]
file = "HOME/tests/c/conjugate.c"
line = 87
begin = 19
end = 30

[JC_66]
file = "HOME/tests/c/conjugate.c"
line = 93
begin = 23
end = 99

[JC_59]
file = "HOME/tests/c/conjugate.c"
line = 83
begin = 21
end = 90

[JC_20]
file = "HOME/tests/c/conjugate.c"
line = 78
begin = 12
end = 29

[JC_18]
file = "HOME/tests/c/conjugate.c"
line = 80
begin = 5
end = 12

[JC_3]
file = "HOME/tests/c/conjugate.c"
line = 73
begin = 13
end = 38

[JC_60]
file = "HOME/tests/c/conjugate.c"
line = 82
begin = 26
end = 36

[JC_72]
file = "HOME/tests/c/conjugate.jessie/conjugate.jc"
line = 105
begin = 15
end = 837

[JC_19]
file = "HOME/tests/c/conjugate.jessie/conjugate.jc"
line = 72
begin = 9
end = 16

[JC_76]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_50]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_58]
file = "HOME/tests/c/conjugate.c"
line = 85
begin = 21
end = 76

[JC_28]
file = "HOME/tests/c/conjugate.c"
line = 82
begin = 31
end = 42

========== file tests/c/conjugate.jessie/why/conjugate.why ==========
type charP

type int32

type int8

type intP

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

logic intP_tag:  -> intP tag_id

axiom intP_int : (int_of_tag(intP_tag) = (1))

logic intP_of_pointer_address: unit pointer -> intP pointer

axiom intP_of_pointer_address_of_pointer_addr :
 (forall p:intP pointer. (p = intP_of_pointer_address(pointer_address(p))))

axiom intP_parenttag_bottom : parenttag(intP_tag, bottom_tag)

axiom intP_tags :
 (forall x:intP pointer.
  (forall intP_tag_table:intP tag_table.
   instanceof(intP_tag_table, x, intP_tag)))

predicate numofgt(a_0:intP pointer, n:int, v:int,
 intP_intM_a_0_2_at_L:(intP, int32) memory) =
 (le_int((0), n)
 and (lt_int(n, sub_int((100), (1)))
     and ((forall j_1:int.
           ((le_int((1), j_1) and le_int(j_1, n)) ->
            le_int(v,
            integer_of_int32(select(intP_intM_a_0_2_at_L, shift(a_0, j_1))))))
         and gt_int(v,
             integer_of_int32(select(intP_intM_a_0_2_at_L,
                              shift(a_0, add_int(n, (1)))))))))

predicate is_conjugate(a_1:intP pointer, b:intP pointer,
 intP_intM_b_4_at_L:(intP, int32) memory,
 intP_intM_a_1_3_at_L:(intP, int32) memory) =
 (gt_int((100),
  integer_of_int32(select(intP_intM_a_1_3_at_L, shift(a_1, (1)))))
 and (forall j_2:int.
      ((le_int((1), j_2) and lt_int(j_2, (100))) ->
       numofgt(a_1,
       integer_of_int32(select(intP_intM_b_4_at_L, shift(b, j_2))), j_2,
       intP_intM_a_1_3_at_L))))

predicate is_partition(a:intP pointer,
 intP_intM_a_1_at_L:(intP, int32) memory) =
 ((forall i_1:int.
   ((le_int((1), i_1) and lt_int(i_1, (100))) ->
    (le_int((0), integer_of_int32(select(intP_intM_a_1_at_L, shift(a, i_1))))
    and lt_int(integer_of_int32(select(intP_intM_a_1_at_L, shift(a, i_1))),
        sub_int((100), (1))))))
 and ((forall i_2:int.
       (forall j_0:int.
        ((le_int((1), i_2) and (le_int(i_2, j_0) and lt_int(j_0, (100)))) ->
         ge_int(integer_of_int32(select(intP_intM_a_1_at_L, shift(a, i_2))),
         integer_of_int32(select(intP_intM_a_1_at_L, shift(a, j_0)))))))
     and (integer_of_int32(select(intP_intM_a_1_at_L,
                           shift(a, sub_int((100), (1))))) = (0))))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_intP(p:intP pointer, a:int,
 intP_alloc_table:intP alloc_table) = (offset_min(intP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

axiom pointer_addr_of_intP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(intP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_intP(p:intP pointer, b:int,
 intP_alloc_table:intP alloc_table) = (offset_max(intP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) = a)
 and (offset_max(intP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) = a)
 and (offset_max(intP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) <= a)
 and (offset_max(intP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) <= a)
 and (offset_max(intP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

exception Goto_while_0_break_exc of unit

exception Goto_while_1_break_exc of unit

exception Goto_while_2_break_exc of unit

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter intP_alloc_table : intP alloc_table ref

parameter intP_tag_table : intP tag_table ref

parameter alloc_struct_intP :
 n:int ->
  intP_alloc_table:intP alloc_table ref ->
   intP_tag_table:intP tag_table ref ->
    { } intP pointer writes intP_alloc_table,intP_tag_table
    { (strict_valid_struct_intP(result, (0), sub_int(n, (1)),
       intP_alloc_table)
      and (alloc_extends(intP_alloc_table@, intP_alloc_table)
          and (alloc_fresh(intP_alloc_table@, result, n)
              and instanceof(intP_tag_table, result, intP_tag)))) }

parameter alloc_struct_intP_requires :
 n:int ->
  intP_alloc_table:intP alloc_table ref ->
   intP_tag_table:intP tag_table ref ->
    { ge_int(n, (0))} intP pointer writes intP_alloc_table,intP_tag_table
    { (strict_valid_struct_intP(result, (0), sub_int(n, (1)),
       intP_alloc_table)
      and (alloc_extends(intP_alloc_table@, intP_alloc_table)
          and (alloc_fresh(intP_alloc_table@, result, n)
              and instanceof(intP_tag_table, result, intP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int32 : unit -> { } int32 { true }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter conjgte :
 A:intP pointer ->
  B:intP pointer ->
   intP_intM_B_6:(intP, int32) memory ref ->
    intP_B_6_alloc_table:intP alloc_table ->
     intP_A_5_alloc_table:intP alloc_table ->
      intP_intM_A_5:(intP, int32) memory ->
       { } unit reads intP_intM_B_6 writes intP_intM_B_6
       { (JC_22:
         ((JC_20: is_conjugate(A, B, intP_intM_B_6, intP_intM_A_5))
         and (JC_21:
             not_assigns(intP_B_6_alloc_table, intP_intM_B_6@, intP_intM_B_6,
             pset_all(pset_singleton(B)))))) }

parameter conjgte_requires :
 A:intP pointer ->
  B:intP pointer ->
   intP_intM_B_6:(intP, int32) memory ref ->
    intP_B_6_alloc_table:intP alloc_table ->
     intP_A_5_alloc_table:intP alloc_table ->
      intP_intM_A_5:(intP, int32) memory ->
       { (JC_7:
         ((JC_1: le_int(offset_min(intP_A_5_alloc_table, A), (0)))
         and ((JC_2:
              ge_int(offset_max(intP_A_5_alloc_table, A),
              sub_int((100), (1))))
             and ((JC_3: le_int(offset_min(intP_B_6_alloc_table, B), (0)))
                 and ((JC_4:
                      ge_int(offset_max(intP_B_6_alloc_table, B),
                      sub_int((100), (1))))
                     and ((JC_5:
                          (forall k:int.
                           ((le_int((1), k) and lt_int(k, (100))) ->
                            (integer_of_int32(select(intP_intM_B_6,
                                              shift(B, k))) = (0)))))
                         and (JC_6: is_partition(A, intP_intM_A_5))))))))}
       unit reads intP_intM_B_6 writes intP_intM_B_6
       { (JC_22:
         ((JC_20: is_conjugate(A, B, intP_intM_B_6, intP_intM_A_5))
         and (JC_21:
             not_assigns(intP_B_6_alloc_table, intP_intM_B_6@, intP_intM_B_6,
             pset_all(pset_singleton(B)))))) }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let conjgte_ensures_default =
 fun (A : intP pointer) (B : intP pointer) (intP_intM_B_6 : (intP, int32) memory ref) (intP_A_5_alloc_table : intP alloc_table) (intP_B_6_alloc_table : intP alloc_table) (intP_intM_A_5 : (intP, int32) memory) ->
  { (valid_struct_intP(B, (0), (0), intP_B_6_alloc_table)
    and (valid_struct_intP(A, (0), (0), intP_A_5_alloc_table)
        and (JC_15:
            ((JC_9: le_int(offset_min(intP_A_5_alloc_table, A), (0)))
            and ((JC_10:
                 ge_int(offset_max(intP_A_5_alloc_table, A),
                 sub_int((100), (1))))
                and ((JC_11:
                     le_int(offset_min(intP_B_6_alloc_table, B), (0)))
                    and ((JC_12:
                         ge_int(offset_max(intP_B_6_alloc_table, B),
                         sub_int((100), (1))))
                        and ((JC_13:
                             (forall k:int.
                              ((le_int((1), k) and lt_int(k, (100))) ->
                               (integer_of_int32(select(intP_intM_B_6,
                                                 shift(B, k))) = (0)))))
                            and (JC_14: is_partition(A, intP_intM_A_5)))))))))) }
  (init:
  try
   begin
     (let i = ref (any_int32 void) in
     (let partc = ref (any_int32 void) in
     (let edge = ref (any_int32 void) in
     try
      begin
        (let _jessie_ = (partc := (safe_int32_of_integer_ (1))) in void);
       (let _jessie_ = (edge := (safe_int32_of_integer_ (0))) in void);
       (loop_4:
       begin
         while true do
         { invariant
             (((JC_58:
               (forall j_7:int.
                ((lt_int(integer_of_int32(select(intP_intM_A_5,
                                          shift(A, (1)))),
                  j_7)
                 and lt_int(j_7, (100))) ->
                 (integer_of_int32(select(intP_intM_B_6, shift(B, j_7))) = (0)))))
              and ((JC_59:
                   (forall j_6:int.
                    ((lt_int(integer_of_int32(select(intP_intM_A_5,
                                              shift(A,
                                              integer_of_int32(partc)))),
                      j_6)
                     and le_int(j_6,
                         integer_of_int32(select(intP_intM_A_5,
                                          shift(A, (1)))))) ->
                     numofgt(A,
                     integer_of_int32(select(intP_intM_B_6, shift(B, j_6))),
                     j_6, intP_intM_A_5))))
                  and (JC_62:
                      ((JC_60: le_int((1), integer_of_int32(partc)))
                      and (JC_61: lt_int(integer_of_int32(partc), (100)))))))
             and (JC_64:
                 not_assigns(intP_B_6_alloc_table, intP_intM_B_6@init,
                 intP_intM_B_6, pset_all(pset_singleton(B)))))  }
          begin
            [ { } unit { true } ];
           try
            begin
              (if ((neq_int_ (integer_of_int32 ((safe_acc_ intP_intM_A_5) 
                                                ((shift A) (integer_of_int32 !partc))))) (0))
              then void else (raise (Goto_while_0_break_exc void)));
             (Start:
             begin
               try
                begin
                  try
                   begin
                     (let _jessie_ =
                     (edge := ((safe_acc_ intP_intM_A_5) ((shift A) (integer_of_int32 !partc)))) in
                     void);
                    (loop_5:
                    begin
                      while true do
                      { invariant
                          (((JC_66:
                            (forall j_3:int.
                             ((le_int(integer_of_int32(partc@Start), j_3)
                              and lt_int(j_3, integer_of_int32(partc))) ->
                              (integer_of_int32(select(intP_intM_A_5,
                                                shift(A, j_3))) = integer_of_int32(edge)))))
                           and (JC_69:
                               ((JC_67:
                                le_int(integer_of_int32(partc@Start),
                                integer_of_int32(partc)))
                               and (JC_68:
                                   lt_int(integer_of_int32(partc),
                                   sub_int((100), (1)))))))
                          and (JC_71:
                              not_assigns(intP_B_6_alloc_table,
                              intP_intM_B_6@init, intP_intM_B_6,
                              pset_all(pset_singleton(B)))))  }
                       begin
                         [ { } unit { true } ];
                        try
                         begin
                           (let _jessie_ =
                           (partc := (safe_int32_of_integer_ ((add_int 
                                                               (integer_of_int32 !partc)) (1)))) in
                           void);
                          (if ((eq_int_ (integer_of_int32 ((safe_acc_ intP_intM_A_5) 
                                                           ((shift A) 
                                                            (integer_of_int32 !partc))))) 
                               (integer_of_int32 !edge)) then void
                          else (raise (Goto_while_1_break_exc void)));
                          (raise (Loop_continue_exc void)) end with
                         Loop_continue_exc _jessie_ -> void end end done;
                     (raise (Goto_while_1_break_exc void)) end) end with
                   Goto_while_1_break_exc _jessie_ ->
                   (while_1_break:
                   begin
                     void;
                    (let _jessie_ =
                    (i := (safe_int32_of_integer_ ((add_int (integer_of_int32 
                                                             ((safe_acc_ intP_intM_A_5) 
                                                              ((shift A) 
                                                               (integer_of_int32 !partc))))) (1)))) in
                    void);
                    (loop_6:
                    while true do
                    { invariant
                        (((JC_73:
                          (forall j_5:int.
                           ((lt_int(integer_of_int32(select(intP_intM_A_5,
                                                     shift(A,
                                                     integer_of_int32(partc)))),
                             j_5)
                            and lt_int(j_5, integer_of_int32(i))) ->
                            (integer_of_int32(select(intP_intM_B_6,
                                              shift(B, j_5))) = sub_int(
                                                                integer_of_int32(partc),
                                                                (1))))))
                         and ((JC_74:
                              (forall j_4:int.
                               ((lt_int(integer_of_int32(edge), j_4)
                                and lt_int(j_4, (100))) ->
                                (integer_of_int32(select(intP_intM_B_6,
                                                  shift(B, j_4))) = integer_of_int32(
                                                                    select(intP_intM_B_6@Start,
                                                                    shift(B,
                                                                    j_4)))))))
                             and (JC_75: le_int((1), integer_of_int32(i)))))
                        and (JC_77:
                            not_assigns(intP_B_6_alloc_table,
                            intP_intM_B_6@init, intP_intM_B_6,
                            pset_all(pset_singleton(B)))))  }
                     begin
                       [ { } unit { true } ];
                      try
                       begin
                         (let _jessie_ =
                         begin
                           (if ((le_int_ (integer_of_int32 !i)) (integer_of_int32 !edge))
                           then void
                           else (raise (Goto_while_2_break_exc void)));
                          (let _jessie_ =
                          (let _jessie_ =
                          (safe_int32_of_integer_ ((sub_int (integer_of_int32 !partc)) (1))) in
                          (let _jessie_ = B in
                          (let _jessie_ = (integer_of_int32 !i) in
                          (let _jessie_ =
                          ((shift _jessie_) _jessie_) in
                          (((safe_upd_ intP_intM_B_6) _jessie_) _jessie_))))) in
                          void);
                          (i := (safe_int32_of_integer_ ((add_int (integer_of_int32 !i)) (1))));
                          !i end in void); (raise (Loop_continue_exc void))
                       end with Loop_continue_exc _jessie_ -> void end end
                    done) end) end; (raise (Goto_while_2_break_exc void)) end
                with Goto_while_2_break_exc _jessie_ ->
                (while_2_break: void) end; (raise (Loop_continue_exc void))
             end) end with Loop_continue_exc _jessie_ -> void end end done;
        (raise (Goto_while_0_break_exc void)) end) end with
      Goto_while_0_break_exc _jessie_ ->
      (while_0_break: begin   void; (raise Return) end) end)));
    (raise Return) end with Return -> void end)
  { (JC_19:
    ((JC_17: is_conjugate(A, B, intP_intM_B_6, intP_intM_A_5))
    and (JC_18:
        not_assigns(intP_B_6_alloc_table, intP_intM_B_6@, intP_intM_B_6,
        pset_all(pset_singleton(B)))))) } 

let conjgte_safety =
 fun (A : intP pointer) (B : intP pointer) (intP_intM_B_6 : (intP, int32) memory ref) (intP_A_5_alloc_table : intP alloc_table) (intP_B_6_alloc_table : intP alloc_table) (intP_intM_A_5 : (intP, int32) memory) ->
  { (valid_struct_intP(B, (0), (0), intP_B_6_alloc_table)
    and (valid_struct_intP(A, (0), (0), intP_A_5_alloc_table)
        and (JC_15:
            ((JC_9: le_int(offset_min(intP_A_5_alloc_table, A), (0)))
            and ((JC_10:
                 ge_int(offset_max(intP_A_5_alloc_table, A),
                 sub_int((100), (1))))
                and ((JC_11:
                     le_int(offset_min(intP_B_6_alloc_table, B), (0)))
                    and ((JC_12:
                         ge_int(offset_max(intP_B_6_alloc_table, B),
                         sub_int((100), (1))))
                        and ((JC_13:
                             (forall k:int.
                              ((le_int((1), k) and lt_int(k, (100))) ->
                               (integer_of_int32(select(intP_intM_B_6,
                                                 shift(B, k))) = (0)))))
                            and (JC_14: is_partition(A, intP_intM_A_5)))))))))) }
  (init:
  try
   begin
     (let i = ref (any_int32 void) in
     (let partc = ref (any_int32 void) in
     (let edge = ref (any_int32 void) in
     try
      begin
        (let _jessie_ = (partc := (safe_int32_of_integer_ (1))) in void);
       (let _jessie_ = (edge := (safe_int32_of_integer_ (0))) in void);
       (loop_1:
       begin
         while true do
         { invariant (JC_31: true)
           variant (JC_57 : sub_int((100), integer_of_int32(partc))) }
          begin
            [ { } unit reads intP_intM_B_6,partc
              { ((JC_25:
                 (forall j_7:int.
                  ((lt_int(integer_of_int32(select(intP_intM_A_5,
                                            shift(A, (1)))),
                    j_7)
                   and lt_int(j_7, (100))) ->
                   (integer_of_int32(select(intP_intM_B_6, shift(B, j_7))) = (0)))))
                and ((JC_26:
                     (forall j_6:int.
                      ((lt_int(integer_of_int32(select(intP_intM_A_5,
                                                shift(A,
                                                integer_of_int32(partc)))),
                        j_6)
                       and le_int(j_6,
                           integer_of_int32(select(intP_intM_A_5,
                                            shift(A, (1)))))) ->
                       numofgt(A,
                       integer_of_int32(select(intP_intM_B_6, shift(B, j_6))),
                       j_6, intP_intM_A_5))))
                    and (JC_29:
                        ((JC_27: le_int((1), integer_of_int32(partc)))
                        and (JC_28: lt_int(integer_of_int32(partc), (100))))))) } ];
           try
            begin
              (if ((neq_int_ (integer_of_int32 (JC_33:
                                               ((((offset_acc_ intP_A_5_alloc_table) intP_intM_A_5) A) 
                                                (integer_of_int32 !partc))))) (0))
              then void else (raise (Goto_while_0_break_exc void)));
             (Start:
             begin
               try
                begin
                  try
                   begin
                     (let _jessie_ =
                     (edge := (JC_34:
                              ((((offset_acc_ intP_A_5_alloc_table) intP_intM_A_5) A) 
                               (integer_of_int32 !partc)))) in void);
                    (loop_2:
                    begin
                      while true do
                      { invariant (JC_40: true)
                        variant (JC_44 : sub_int((100),
                                         integer_of_int32(partc))) }
                       begin
                         [ { } unit reads edge,partc
                           { ((JC_35:
                              (forall j_3:int.
                               ((le_int(integer_of_int32(partc@Start), j_3)
                                and lt_int(j_3, integer_of_int32(partc))) ->
                                (integer_of_int32(select(intP_intM_A_5,
                                                  shift(A, j_3))) = integer_of_int32(edge)))))
                             and (JC_38:
                                 ((JC_36:
                                  le_int(integer_of_int32(partc@Start),
                                  integer_of_int32(partc)))
                                 and (JC_37:
                                     lt_int(integer_of_int32(partc),
                                     sub_int((100), (1))))))) } ];
                        try
                         begin
                           (let _jessie_ =
                           (partc := (JC_42:
                                     (int32_of_integer_ ((add_int (integer_of_int32 !partc)) (1))))) in
                           void);
                          (if ((eq_int_ (integer_of_int32 (JC_43:
                                                          ((((offset_acc_ intP_A_5_alloc_table) intP_intM_A_5) A) 
                                                           (integer_of_int32 !partc))))) 
                               (integer_of_int32 !edge)) then void
                          else (raise (Goto_while_1_break_exc void)));
                          (raise (Loop_continue_exc void)) end with
                         Loop_continue_exc _jessie_ -> void end end done;
                     (raise (Goto_while_1_break_exc void)) end) end with
                   Goto_while_1_break_exc _jessie_ ->
                   (while_1_break:
                   begin
                     void;
                    (let _jessie_ =
                    (i := (JC_46:
                          (int32_of_integer_ ((add_int (integer_of_int32 
                                                        (JC_45:
                                                        ((((offset_acc_ intP_A_5_alloc_table) intP_intM_A_5) A) 
                                                         (integer_of_int32 !partc))))) (1))))) in
                    void);
                    (loop_3:
                    while true do
                    { invariant (JC_51: true)
                      variant (JC_56 : sub_int(integer_of_int32(edge),
                                       integer_of_int32(i))) }
                     begin
                       [ { } unit reads edge,i,intP_intM_B_6,partc
                         { ((JC_47:
                            (forall j_5:int.
                             ((lt_int(integer_of_int32(select(intP_intM_A_5,
                                                       shift(A,
                                                       integer_of_int32(partc)))),
                               j_5)
                              and lt_int(j_5, integer_of_int32(i))) ->
                              (integer_of_int32(select(intP_intM_B_6,
                                                shift(B, j_5))) = sub_int(
                                                                  integer_of_int32(partc),
                                                                  (1))))))
                           and ((JC_48:
                                (forall j_4:int.
                                 ((lt_int(integer_of_int32(edge), j_4)
                                  and lt_int(j_4, (100))) ->
                                  (integer_of_int32(select(intP_intM_B_6,
                                                    shift(B, j_4))) = 
                                  integer_of_int32(select(intP_intM_B_6@Start,
                                                   shift(B, j_4)))))))
                               and (JC_49: le_int((1), integer_of_int32(i))))) } ];
                      try
                       begin
                         (let _jessie_ =
                         begin
                           (if ((le_int_ (integer_of_int32 !i)) (integer_of_int32 !edge))
                           then void
                           else (raise (Goto_while_2_break_exc void)));
                          (let _jessie_ =
                          (let _jessie_ =
                          (JC_53:
                          (int32_of_integer_ ((sub_int (integer_of_int32 !partc)) (1)))) in
                          (let _jessie_ = B in
                          (let _jessie_ = (integer_of_int32 !i) in
                          (let _jessie_ =
                          ((shift _jessie_) _jessie_) in
                          (JC_54:
                          (((((offset_upd_ intP_B_6_alloc_table) intP_intM_B_6) _jessie_) _jessie_) _jessie_)))))) in
                          void);
                          (i := (JC_55:
                                (int32_of_integer_ ((add_int (integer_of_int32 !i)) (1)))));
                          !i end in void); (raise (Loop_continue_exc void))
                       end with Loop_continue_exc _jessie_ -> void end end
                    done) end) end; (raise (Goto_while_2_break_exc void)) end
                with Goto_while_2_break_exc _jessie_ ->
                (while_2_break: void) end; (raise (Loop_continue_exc void))
             end) end with Loop_continue_exc _jessie_ -> void end end done;
        (raise (Goto_while_0_break_exc void)) end) end with
      Goto_while_0_break_exc _jessie_ ->
      (while_0_break: begin   void; (raise Return) end) end)));
    (raise Return) end with Return -> void end) { true } 


why-2.39/tests/c/oracle/float_array.err.oracle0000644000106100004300000000000013147234006020331 0ustar  marchevalswhy-2.39/tests/c/oracle/Sterbenz.err.oracle0000644000106100004300000000000013147234006017622 0ustar  marchevalswhy-2.39/tests/c/oracle/swap.err.oracle0000644000106100004300000000000013147234006017000 0ustar  marchevalswhy-2.39/tests/c/oracle/my_cosine.err.oracle0000644000106100004300000000014313147234006020023 0ustar  marchevalscat: /tmp/regtests.cwd: No such file or directory
grep: /src/version.ml: No such file or directory
why-2.39/tests/c/oracle/sum_array.err.oracle0000644000106100004300000000000013147234006020030 0ustar  marchevalswhy-2.39/tests/c/oracle/eps_line1.err.oracle0000644000106100004300000000000013147234006017705 0ustar  marchevalswhy-2.39/tests/c/oracle/scalar_product.err.oracle0000644000106100004300000000000013147234006021033 0ustar  marchevalswhy-2.39/tests/c/oracle/popHeap.res.oracle0000644000106100004300000040112213147234006017435 0ustar  marchevals========== file tests/c/popHeap.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/**
Extract from
http://www.first.fraunhofer.de/fileadmin/FIRST/ACSL-by-Example.pdf
*/

#pragma SeparationPolicy(none)


typedef int bool;
#define false		((bool)0)
#define true		((bool)1)

typedef int value_type;

typedef int size_type; 




/*@
  predicate IsValidRange(value_type* a, integer n) =
    (0 <= n) && \valid(a+(0..n-1));
*/

/*@
  predicate
    IsEqual{A,B}(value_type* a, integer n, value_type* b) =
      \forall integer i; 0 <= i < n ==> 
        \at(a[i], A) == \at(b[i], B);
*/



/*@
  axiomatic ParentChildAxioms
  {
    predicate ParentChild(integer i, integer j);

    axiom ParentChild_1:
      \forall integer i, j; ParentChild(i, j) <==>
         0 <= i < j && (j == 2*i+1 || j == 2*i+2);

    axiom ParentChild_2:
      \forall integer i, j; ParentChild(i, j) <==>
        0 < j && i == (j-1)/2;
  }

  lemma ParentChild_3:
    \forall integer i; 0 < i ==>
      ParentChild((i-1)/2, i) && 0 <= (i-1)/2 < i;

  predicate IsHeap{L}(value_type* c, integer n) = 
    \forall integer i, j;
      j < n && ParentChild(i, j) ==> c[i] >= c[j];
*/

/*@
  predicate IsMaximum{L}(value_type* a, integer n, integer max) =
     \forall integer i; 0 <= i < n ==> a[max] >= a[i];

  predicate IsFirstMaximum{L}(value_type* a, integer max) =
    \forall integer i; 0 <= i < max ==> a[i] < a[max];
*/

/*@
  axiomatic CountAxiomatic
  {
    logic integer Count{L}(value_type* a, value_type v,
                           integer i, integer j) reads a[i..(j-1)];

    axiom Count0:
      \forall value_type *a, v, integer i,j;
        i >= j ==> Count(a, v, i, j) == 0;

    axiom Count1:
      \forall value_type *a, v, integer i, j, k;
        0 <= i <= j <= k ==> Count(a, v, i ,k) ==
                             Count(a, v, i, j) + Count(a, v, j, k);

    axiom Count2:
      \forall value_type *a, v, integer i;
        (a[i] != v ==> Count(a, v, i, i+1) == 0) &&
        (a[i] == v ==> Count(a, v, i, i+1) == 1);

  logic integer CountWithHole{L}(value_type* c, value_type v, integer i, integer h,  integer j) =
      Count{L}(c, v, i, h) + Count{L}(c, v, h+1, j);

  logic integer CountWithoutHole{L}(value_type* c, value_type v, integer i, integer h,  integer j) =
      Count{L}(c, v, i, h) + Count{L}(c, v, h, j);
  }

  lemma CountLemma: \forall value_type *a, v, integer i;
    0 <= i ==> Count(a, v, 0, i+1) ==
               Count(a, v, 0, i) + Count(a, v, i, i+1);
*/

/*@
  predicate
    Permutation{A,B}(value_type* c, size_type n) = 
      \forall value_type x; 
        Count{A}(c, x, 0, n) == Count{B}(c, x, 0, n);
*/

/*@
  requires 0 < n && IsValidRange(a, n);
  requires IsHeap(a, n);

  assigns \nothing;

  ensures \forall integer i; 0 <= i < n ==> a[0] >= a[i];
*/
void pop_heap_induction(const value_type* a, size_type n);


/*@
  requires 0 < n && IsValidRange(a, n);
  requires 0 <= parent < child < n;
  requires a[parent] == a[child];

  assigns \nothing;

  ensures \forall value_type x; 
    CountWithHole(a, x, 0, child, n) == CountWithHole(a, x, 0, parent, n);
*/
void pop_push_heap_copy(value_type* a, size_type n, size_type parent, size_type child);

#define INT_MAX			2147483647

/*@
   requires 0 < n <  (INT_MAX-2)/2;
   requires IsValidRange(a, n);
   requires IsHeap(a, n);

   assigns a[0..(n-1)];

   ensures IsHeap(a, n-1);
   ensures a[n-1] == \old(a[0]);
   ensures IsMaximum(a, n, n-1);
   ensures Permutation{Old, Here}(a, n);
*/
void pop_heap(value_type* a, size_type n);


void pop_heap(value_type* a, size_type n)
{
  //@ ghost pop_heap_induction(a,n);
  //@ assert \forall integer i; 0 < i < n ==> a[0] >= a[i];
  value_type tmp = 0, max = 0;
  size_type hole = 0;
  tmp = a[n-1];
  max  = a[0];
  /*@ assert \forall value_type x;
        CountWithHole(a,x,0,hole,n) == Count{Pre}(a,x,1,n);
  */
  /*@
     loop invariant 0 <= hole < n;
     loop invariant IsHeap(a,n-1);
     loop invariant \forall integer i; 0 <= i < n ==> a[i] <= max;
     loop invariant \forall integer i;
        hole < n-1 && ParentChild(i,hole) ==> a[i] >= tmp;
     loop invariant \forall value_type x;
        CountWithHole(a,x,0,hole,n) == Count{Pre}(a,x,1,n);
     loop invariant \at(a[n-1],Pre) == a[n-1];

     loop assigns a[0..hole],hole;
     loop   variant n - hole;
  */
  while (true)
  {
    size_type child = 2*hole + 2;
    if (child < n-1)
    {
      if (a[child] < a[child-1]) child--;
      //@ assert ParentChild(hole,child);
      if (a[child] > tmp)
      {
        //@ assert hole < n-1;
        a[hole] = a[child];
        //@ assert \at(a[n-1],Pre) == a[n-1];
        //@ ghost pop_push_heap_copy(a,n,hole,child);
        hole = child;
      }
      else break;
    }
    else
    {
      child = 2*hole + 1;
      if (child == n-2 && a[child] > tmp)
      {
        //@ assert hole < n-1;
        a[hole] = a[child];
        //@ assert \at(a[n-1],Pre) == a[n-1];
        //@ ghost pop_push_heap_copy(a,n,hole,child);
        hole = child;
      }
      break;
    }
  }
  /*@  assert \forall integer i;
    hole < n-1 && ParentChild(i,hole) ==> a[i] >= tmp;
  */

  a[hole] = tmp;
  /*@ assert \forall value_type x;
        CountWithHole(a,x,0,hole,n) == Count{Pre}(a,x,1,n);
  */
  //@ assert hole a[hole] ==tmp== \at(a[n-1],Pre) == a[n-1];
  /*@ assert \forall value_type x; hole < n-1 ==>
        Count(a,x,hole+1,(n-1)+1)==CountWithoutHole(a,x,hole+1,n-1,n);
  */

  /*@ assert \forall value_type x;
      (hole < n-1 ==> CountWithHole(a,x,0,hole,n) ==
        CountWithHole(a,x,0,hole,n-1) +  Count(a,x,n-1 ,(n-1)+1) ==
        CountWithoutHole(a,x,0,hole,hole+1) + Count(a,x,hole+1,n-1) ==
        CountWithoutHole(a,x,0,hole,n-1) ==
        Count(a,x,0,n-1)) &&
      (hole == n-1 ==> CountWithHole(a,x,0,hole,n) ==
        CountWithHole(a,x,0,n-1,n) == Count(a,x,0,n-1));
  */
  /*@ assert \forall value_type x; Count(a,x,0,n-1) ==
        CountWithHole(a,x,0,hole,n) == Count{Pre}(a,x,1,n);
  */

  a[n-1]  = max;
  /*@ assert \forall value_type x;
        Count(a,x,n-1,(n-1)+1) == Count{Pre}(a,x,0,1);
  */
  /*@ assert \forall value_type x; CountWithoutHole(a,x,0,n-1,n) 
        == CountWithoutHole{Pre}(a,x,0,1,n);
  */
  /*@ assert \forall value_type x;
        Count(a,x,0,n) == CountWithoutHole(a,x,0,n-1,n) ==
        CountWithoutHole{Pre}(a,x,0,1,n) == Count{Pre}(a,x,0,n);
  */
}



void pop_heap_induction(const value_type* a, size_type n)
{
  /*@
  loop invariant 0 <= i <= n;
  loop invariant  \forall integer j;
     0 <= j < i <= n ==> a[0] >= a[j];
  loop   variant n - i;
  */
  for (size_type i = 1; i < n; i++)
  {
    //@ assert 0 < i ==> ParentChild((i-1)/2, i);
  }
}



========== frama-c -jessie execution ==========
[kernel] Parsing FRAMAC_SHARE/libc/__fc_builtin_for_normalization.i (no preprocessing)
[kernel] Parsing tests/c/popHeap.c (with preprocessing)
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/popHeap.jessie
[jessie] File tests/c/popHeap.jessie/popHeap.jc written.
[jessie] File tests/c/popHeap.jessie/popHeap.cloc written.
========== file tests/c/popHeap.jessie/popHeap.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type int8 = -128..127

type int32 = -2147483648..2147483647

tag intP = {
  int32 intM: 32;
}

type intP = [intP]

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

predicate IsValidRange{L}(intP[..] a, integer n) =
\at(((0 <= n) && ((\offset_min(a) <= 0) && (\offset_max(a) >= (n - 1)))),L)

predicate IsEqual{A, B}(intP[..] a_0, integer n_0, intP[..] b) =
(\forall integer i_1;
  (((0 <= i_1) && (i_1 < n_0)) ==>
    (\at((a_0 + i_1).intM,A) == \at((b + i_1).intM,B))))

axiomatic ParentChildAxioms {

  predicate ParentChild(integer i_2, integer j_0)
   
  axiom ParentChild_1 :
  (\forall integer i_3;
    (\forall integer j_1;
      (ParentChild(i_3, j_1) <==>
        (((0 <= i_3) && (i_3 < j_1)) &&
          ((j_1 == ((2 * i_3) + 1)) || (j_1 == ((2 * i_3) + 2)))))))
   
  axiom ParentChild_2 :
  (\forall integer i_4;
    (\forall integer j_2;
      (ParentChild(i_4, j_2) <==> ((0 < j_2) && (i_4 == ((j_2 - 1) / 2))))))
  
}

lemma ParentChild_3 :
(\forall integer i_5;
  ((0 < i_5) ==>
    ((ParentChild(((i_5 - 1) / 2), i_5) && (0 <= ((i_5 - 1) / 2))) &&
      (((i_5 - 1) / 2) < i_5))))

predicate IsHeap{L}(intP[..] c, integer n_1) =
(\forall integer i_6;
  (\forall integer j_3;
    (((j_3 < n_1) && ParentChild(i_6, j_3)) ==>
      ((c + i_6).intM >= (c + j_3).intM))))

predicate IsMaximum{L}(intP[..] a_1, integer n_2, integer max) =
(\forall integer i_7;
  (((0 <= i_7) && (i_7 < n_2)) ==> ((a_1 + max).intM >= (a_1 + i_7).intM)))

predicate IsFirstMaximum{L}(intP[..] a_2, integer max_0) =
(\forall integer i_8;
  (((0 <= i_8) && (i_8 < max_0)) ==> ((a_2 + i_8).intM < (a_2 + max_0).intM)))

axiomatic CountAxiomatic {

  logic integer Count{L}(intP[..] a_3, int32 v, integer i_9, integer j_4)
  reads (a_3 + [i_9..(j_4 - 1)]).intM;
   
  axiom Count0{L} :
  (\forall intP[..] a_4;
    (\forall int32 v_0;
      (\forall integer i_10;
        (\forall integer j_5;
          ((i_10 >= j_5) ==> (Count{L}(a_4, v_0, i_10, j_5) == 0))))))
   
  axiom Count1{L} :
  (\forall intP[..] a_5;
    (\forall int32 v_1;
      (\forall integer i_11;
        (\forall integer j_6;
          (\forall integer k;
            ((((0 <= i_11) && (i_11 <= j_6)) && (j_6 <= k)) ==>
              (Count{L}(a_5, v_1, i_11, k) ==
                (Count{L}(a_5, v_1, i_11, j_6) + Count{L}(a_5, v_1, j_6, k)))))))))
   
  axiom Count2{L} :
  (\forall intP[..] a_6;
    (\forall int32 v_2;
      (\forall integer i_12;
        ((((a_6 + i_12).intM != v_2) ==>
           (Count{L}(a_6, v_2, i_12, (i_12 + 1)) == 0)) &&
          (((a_6 + i_12).intM == v_2) ==>
            (Count{L}(a_6, v_2, i_12, (i_12 + 1)) == 1))))))
   
  logic integer CountWithHole{L}(intP[..] c_0, int32 v_3, integer i_13,
                                 integer h, integer j_7) =
  (Count{L}(c_0, v_3, i_13, h) + Count{L}(c_0, v_3, (h + 1), j_7))
   
  logic integer CountWithoutHole{L}(intP[..] c_1, int32 v_4, integer i_14,
                                    integer h_0, integer j_8) =
  (Count{L}(c_1, v_4, i_14, h_0) + Count{L}(c_1, v_4, h_0, j_8))
  
}

lemma CountLemma{L} :
(\forall intP[..] a_7;
  (\forall int32 v_5;
    (\forall integer i_15;
      ((0 <= i_15) ==>
        (Count{L}(a_7, v_5, 0, (i_15 + 1)) ==
          (Count{L}(a_7, v_5, 0, i_15) +
            Count{L}(a_7, v_5, i_15, (i_15 + 1))))))))

predicate Permutation{A, B}(intP[..] c_2, int32 n_3) =
(\forall int32 x;
  (Count{A}(c_2, x, 0, n_3) == Count{B}(c_2, x, 0, n_3)))

unit pop_push_heap_copy(intP[..] a_1, int32 n_3, int32 parent, int32 child)
  requires (_C_8 : ((_C_9 : (0 < n_3)) &&
                     (_C_10 : IsValidRange{Here}(a_1, n_3))));
  requires (_C_3 : (((_C_5 : (0 <= parent)) && (_C_6 : (parent < child))) &&
                     (_C_7 : (child < n_3))));
  requires (_C_2 : ((a_1 + parent).intM == (a_1 + child).intM));
behavior default:
  assigns \nothing;
  ensures (_C_1 : (\forall int32 x_0;
                    (CountWithHole{Here}(\at(a_1,Old), x_0, 0,
                                         \at(child,Old), \at(n_3,Old)) ==
                      CountWithHole{Here}(\at(a_1,Old), x_0, 0,
                                          \at(parent,Old), \at(n_3,Old)))));
;

unit pop_heap(intP[..] a, int32 n_1)
  requires (_C_106 : ((_C_107 : (0 < n_1)) &&
                       (_C_108 : (n_1 < ((2147483647 - 2) / 2)))));
  requires (_C_105 : IsValidRange{Here}(a, n_1));
  requires (_C_104 : IsHeap{Here}(a, n_1));
behavior default:
  assigns (a + [0..(n_1 - 1)]).intM;
  ensures (_C_97 : ((_C_98 : IsHeap{Here}(\at(a,Old), (\at(n_1,Old) - 1))) &&
                     ((_C_100 : ((\at(a,Old) + (\at(n_1,Old) - 1)).intM ==
                                  \at((a + 0).intM,Old))) &&
                       ((_C_102 : IsMaximum{Here}(\at(a,Old), \at(n_1,Old),
                                                  (\at(n_1,Old) - 1))) &&
                         (_C_103 : Permutation{Old,
                         Here}(\at(a,Old), \at(n_1,Old)))))));
{  
   (var int32 tmp);
   
   (var int32 max);
   
   (var int32 hole);
   
   (var int32 child_0);
   
   {  (_C_11 : pop_heap_induction(a, n_1));
      
      {  
         (assert for default: (_C_12 : (jessie : (\forall integer i_16;
                                                   (((0 < i_16) &&
                                                      (i_16 < n_1)) ==>
                                                     ((a + 0).intM >=
                                                       (a + i_16).intM))))));
         ()
      };
      
      {  (_C_13 : (tmp = 0));
         (_C_14 : (max = 0))
      };
      (_C_15 : (hole = 0));
      (_C_20 : (tmp = (_C_19 : (_C_18 : (a +
                                          (_C_17 : ((_C_16 : (n_1 - 1)) :> int32)))).intM)));
      (_C_23 : (max = (_C_22 : (_C_21 : (a + 0)).intM)));
      
      {  
         (assert for default: (_C_24 : (jessie : (\forall int32 x_1;
                                                   (CountWithHole{Here}(
                                                     a, x_1, 0, hole, n_1) ==
                                                     Count{Pre}(a, x_1, 1,
                                                                n_1))))));
         ()
      };
      
      loop 
      behavior default:
        invariant (_C_31 : ((_C_32 : (0 <= hole)) && (_C_33 : (hole < n_1))));
      behavior default:
        invariant (_C_30 : IsHeap{Here}(a, (n_1 - 1)));
      behavior default:
        invariant (_C_29 : (\forall integer i_17;
                             (((0 <= i_17) && (i_17 < n_1)) ==>
                               ((a + i_17).intM <= max))));
      behavior default:
        invariant (_C_28 : (\forall integer i_18;
                             (((hole < (n_1 - 1)) && ParentChild(i_18, hole)) ==>
                               ((a + i_18).intM >= tmp))));
      behavior default:
        invariant (_C_27 : (\forall int32 x_2;
                             (CountWithHole{Here}(a, x_2, 0, hole, n_1) ==
                               Count{Pre}(a, x_2, 1, n_1))));
      behavior default:
        invariant (_C_26 : (\at((a + (n_1 - 1)).intM,Pre) ==
                             (a + (n_1 - 1)).intM));
      behavior default:
        
        assigns (a + [0..hole]).intM,
        hole;
      variant (_C_25 : (n_1 - hole));
      while (true)
      {  
         {  (_C_38 : (child_0 = (_C_37 : ((_C_36 : ((_C_35 : ((_C_34 : 
                                                              (2 *
                                                                hole)) :> int32)) +
                                                     2)) :> int32))));
            (if (child_0 < (_C_79 : ((_C_78 : (n_1 - 1)) :> int32))) then 
            {  (if ((_C_65 : (_C_64 : (a + child_0)).intM) <
                     (_C_63 : (_C_62 : (a +
                                         (_C_61 : ((_C_60 : (child_0 - 1)) :> int32)))).intM)) then 
               (_C_59 : (child_0 = (_C_58 : ((_C_57 : (child_0 - 1)) :> int32)))) else ());
               
               {  
                  (assert for default: (_C_66 : (jessie : ParentChild(
                                                hole, child_0))));
                  ()
               };
               
               {  (if ((_C_77 : (_C_76 : (a + child_0)).intM) > tmp) then 
                  {  
                     {  
                        (assert for default: (_C_67 : (jessie : (hole <
                                                                  (n_1 - 1)))));
                        ()
                     };
                     (_C_72 : ((_C_71 : (_C_70 : (a + hole)).intM) = 
                     (_C_69 : (_C_68 : (a + child_0)).intM)));
                     
                     {  
                        (assert for default: (_C_73 : (jessie : (\at(
                                                                 (a +
                                                                   (n_1 - 1)).intM,Pre) ==
                                                                  (a +
                                                                    (n_1 - 1)).intM))));
                        ()
                     };
                     (_C_74 : pop_push_heap_copy(a, n_1, hole, child_0));
                     (_C_75 : (hole = child_0))
                  } else 
                  (goto while_0_break))
               }
            } else 
            {  (_C_43 : (child_0 = (_C_42 : ((_C_41 : ((_C_40 : ((_C_39 : 
                                                                 (2 *
                                                                   hole)) :> int32)) +
                                                        1)) :> int32))));
               (if (child_0 == (_C_56 : ((_C_55 : (n_1 - 2)) :> int32))) then 
               (if ((_C_54 : (_C_53 : (a + child_0)).intM) > tmp) then 
               {  
                  {  
                     (assert for default: (_C_44 : (jessie : (hole <
                                                               (n_1 - 1)))));
                     ()
                  };
                  (_C_49 : ((_C_48 : (_C_47 : (a + hole)).intM) = (_C_46 : 
                                                                  (_C_45 : 
                                                                  (a +
                                                                    child_0)).intM)));
                  
                  {  
                     (assert for default: (_C_50 : (jessie : (\at((a +
                                                                    (n_1 - 1)).intM,Pre) ==
                                                               (a +
                                                                 (n_1 - 1)).intM))));
                     ()
                  };
                  (_C_51 : pop_push_heap_copy(a, n_1, hole, child_0));
                  (_C_52 : (hole = child_0))
               } else ()) else ());
               
               (goto while_0_break)
            })
         }
      };
      (while_0_break : ());
      
      {  
         (assert for default: (_C_80 : (jessie : (\forall integer i_19;
                                                   (((hole < (n_1 - 1)) &&
                                                      ParentChild(i_19, hole)) ==>
                                                     ((a + i_19).intM >= tmp))))));
         ()
      };
      (_C_83 : ((_C_82 : (_C_81 : (a + hole)).intM) = tmp));
      
      {  
         (assert for default: (_C_84 : (jessie : (\forall int32 x_3;
                                                   (CountWithHole{Here}(
                                                     a, x_3, 0, hole, n_1) ==
                                                     Count{Pre}(a, x_3, 1,
                                                                n_1))))));
         ()
      };
      
      {  
         (assert for default: (_C_85 : (jessie : ((hole < (n_1 - 1)) ==>
                                                   ((((a + hole).intM == tmp) &&
                                                      (tmp ==
                                                        \at((a + (n_1 - 1)).intM,Pre))) &&
                                                     (\at((a + (n_1 - 1)).intM,Pre) ==
                                                       (a + (n_1 - 1)).intM))))));
         ()
      };
      
      {  
         (assert for default: (_C_86 : (jessie : (\forall int32 x_4;
                                                   ((hole < (n_1 - 1)) ==>
                                                     (Count{Here}(a, x_4,
                                                                  (hole + 1),
                                                                  ((n_1 - 1) +
                                                                    1)) ==
                                                       CountWithoutHole{Here}(
                                                       a, x_4, (hole + 1),
                                                       (n_1 - 1), n_1)))))));
         ()
      };
      
      {  
         (assert for default: (_C_87 : (jessie : (\forall int32 x_5;
                                                   (((hole < (n_1 - 1)) ==>
                                                      ((((CountWithHole{Here}(
                                                           a, x_5, 0, hole,
                                                           n_1) ==
                                                           (CountWithHole{Here}(
                                                             a, x_5, 0, hole,
                                                             (n_1 - 1)) +
                                                             Count{Here}(
                                                             a, x_5,
                                                             (n_1 - 1),
                                                             ((n_1 - 1) + 1)))) &&
                                                          ((CountWithHole{Here}(
                                                             a, x_5, 0, hole,
                                                             (n_1 - 1)) +
                                                             Count{Here}(
                                                             a, x_5,
                                                             (n_1 - 1),
                                                             ((n_1 - 1) + 1))) ==
                                                            (CountWithoutHole{Here}(
                                                              a, x_5, 0,
                                                              hole,
                                                              (hole + 1)) +
                                                              Count{Here}(
                                                              a, x_5,
                                                              (hole + 1),
                                                              (n_1 - 1))))) &&
                                                         ((CountWithoutHole{Here}(
                                                            a, x_5, 0, hole,
                                                            (hole + 1)) +
                                                            Count{Here}(
                                                            a, x_5,
                                                            (hole + 1),
                                                            (n_1 - 1))) ==
                                                           CountWithoutHole{Here}(
                                                           a, x_5, 0, hole,
                                                           (n_1 - 1)))) &&
                                                        (CountWithoutHole{Here}(
                                                          a, x_5, 0, hole,
                                                          (n_1 - 1)) ==
                                                          Count{Here}(
                                                          a, x_5, 0,
                                                          (n_1 - 1))))) &&
                                                     ((hole == (n_1 - 1)) ==>
                                                       ((CountWithHole{Here}(
                                                          a, x_5, 0, hole,
                                                          n_1) ==
                                                          CountWithHole{Here}(
                                                          a, x_5, 0,
                                                          (n_1 - 1), n_1)) &&
                                                         (CountWithHole{Here}(
                                                           a, x_5, 0,
                                                           (n_1 - 1), n_1) ==
                                                           Count{Here}(
                                                           a, x_5, 0,
                                                           (n_1 - 1))))))))));
         ()
      };
      
      {  
         (assert for default: (_C_88 : (jessie : (\forall int32 x_6;
                                                   ((Count{Here}(a, x_6, 0,
                                                                 (n_1 - 1)) ==
                                                      CountWithHole{Here}(
                                                      a, x_6, 0, hole, n_1)) &&
                                                     (CountWithHole{Here}(
                                                       a, x_6, 0, hole, n_1) ==
                                                       Count{Pre}(a, x_6, 1,
                                                                  n_1)))))));
         ()
      };
      (_C_93 : ((_C_92 : (_C_91 : (a +
                                    (_C_90 : ((_C_89 : (n_1 - 1)) :> int32)))).intM) = max));
      
      {  
         (assert for default: (_C_94 : (jessie : (\forall int32 x_7;
                                                   (Count{Here}(a, x_7,
                                                                (n_1 - 1),
                                                                ((n_1 - 1) +
                                                                  1)) ==
                                                     Count{Pre}(a, x_7, 0, 1))))));
         ()
      };
      
      {  
         (assert for default: (_C_95 : (jessie : (\forall int32 x_8;
                                                   (CountWithoutHole{Here}(
                                                     a, x_8, 0, (n_1 - 1),
                                                     n_1) ==
                                                     CountWithoutHole{Pre}(
                                                     a, x_8, 0, 1, n_1))))));
         ()
      };
      
      {  
         (assert for default: (_C_96 : (jessie : (\forall int32 x_9;
                                                   (((Count{Here}(a, x_9, 0,
                                                                  n_1) ==
                                                       CountWithoutHole{Here}(
                                                       a, x_9, 0, (n_1 - 1),
                                                       n_1)) &&
                                                      (CountWithoutHole{Here}(
                                                        a, x_9, 0, (n_1 - 1),
                                                        n_1) ==
                                                        CountWithoutHole{Pre}(
                                                        a, x_9, 0, 1, n_1))) &&
                                                     (CountWithoutHole{Pre}(
                                                       a, x_9, 0, 1, n_1) ==
                                                       Count{Pre}(a, x_9, 0,
                                                                  n_1)))))));
         ()
      };
      
      (return ())
   }
}

unit pop_heap_induction(intP[..] a_0, int32 n_2)
  requires (_C_121 : ((_C_122 : (0 < n_2)) &&
                       (_C_123 : IsValidRange{Here}(a_0, n_2))));
  requires (_C_120 : IsHeap{Here}(a_0, n_2));
behavior default:
  assigns \nothing;
  ensures (_C_119 : (\forall integer i_20;
                      (((0 <= i_20) && (i_20 < \at(n_2,Old))) ==>
                        ((\at(a_0,Old) + 0).intM >=
                          (\at(a_0,Old) + i_20).intM))));
{  
   (var int32 i);
   
   {  (_C_109 : (i = 1));
      
      loop 
      behavior default:
        invariant (_C_112 : ((_C_113 : (0 <= i)) && (_C_114 : (i <= n_2))));
      behavior default:
        invariant (_C_111 : (\forall integer j_9;
                              ((((0 <= j_9) && (j_9 < i)) && (i <= n_2)) ==>
                                ((a_0 + 0).intM >= (a_0 + j_9).intM))));
      variant (_C_110 : (n_2 - i));
      while (true)
      {  
         {  (if (i < n_2) then () else 
            (goto while_0_break));
            
            {  
               {  
                  (assert for default: (_C_115 : (jessie : ((0 < i) ==>
                                                             ParentChild(
                                                             ((i - 1) / 2), i)))));
                  ()
               }
            };
            (_C_118 : (i = (_C_117 : ((_C_116 : (i + 1)) :> int32))))
         }
      };
      (while_0_break : ());
      
      (return ())
   }
}
========== file tests/c/popHeap.jessie/popHeap.cloc ==========
[_C_115]
file = "HOME/tests/c/popHeap.c"
line = 281
begin = 22
end = 55

[_C_52]
file = "HOME/tests/c/popHeap.c"
line = 225
begin = 15
end = 20

[_C_121]
file = "HOME/tests/c/popHeap.c"
line = 136
begin = 11
end = 38

[_C_35]
file = "HOME/tests/c/popHeap.c"
line = 201
begin = 22
end = 28

[_C_117]
file = "HOME/tests/c/popHeap.c"
line = 279
begin = 31
end = 34

[_C_120]
file = "HOME/tests/c/popHeap.c"
line = 137
begin = 11
end = 23

[_C_56]
file = "HOME/tests/c/popHeap.c"
line = 219
begin = 19
end = 22

[_C_28]
file = "HOME/tests/c/popHeap.c"
line = 190
begin = 20
end = 96

[_C_72]
file = "HOME/tests/c/popHeap.c"
line = 209
begin = 18
end = 26

[_C_59]
file = "HOME/tests/c/popHeap.c"
line = 204
begin = 33
end = 40

[_C_48]
file = "HOME/tests/c/popHeap.c"
line = 222
begin = 18
end = 26

[_C_116]
file = "HOME/tests/c/popHeap.c"
line = 279
begin = 31
end = 34

[_C_51]
file = "HOME/tests/c/popHeap.c"
line = 224
begin = 29
end = 63

[_C_103]
file = "HOME/tests/c/popHeap.c"
line = 170
begin = 11
end = 39

[_C_31]
file = "HOME/tests/c/popHeap.c"
line = 187
begin = 20
end = 33

[_C_108]
file = "HOME/tests/c/popHeap.c"
line = 161
begin = 16
end = 37

[_C_77]
file = "HOME/tests/c/popHeap.c"
line = 206
begin = 10
end = 18

[_C_83]
file = "HOME/tests/c/popHeap.c"
line = 234
begin = 12
end = 15

[ParentChild_3]
name = "Lemma ParentChild_3"
file = "HOME/tests/c/popHeap.c"
line = 79
begin = 2
end = 234

[_C_41]
file = "HOME/tests/c/popHeap.c"
line = 218
begin = 14
end = 24

[_C_4]
file = "HOME/tests/c/popHeap.c"
line = 148
begin = 11
end = 30

[ParentChild_1]
name = "Lemma ParentChild_1"
file = "HOME/tests/c/popHeap.c"
line = 70
begin = 4
end = 126

[_C_101]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_71]
file = "HOME/tests/c/popHeap.c"
line = 209
begin = 18
end = 26

[_C_70]
file = "HOME/tests/c/popHeap.c"
line = 209
begin = 8
end = 9

[_C_89]
file = "HOME/tests/c/popHeap.c"
line = 256
begin = 4
end = 7

[_C_90]
file = "HOME/tests/c/popHeap.c"
line = 256
begin = 4
end = 7

[_C_61]
file = "HOME/tests/c/popHeap.c"
line = 204
begin = 23
end = 30

[_C_69]
file = "HOME/tests/c/popHeap.c"
line = 209
begin = 18
end = 26

[_C_32]
file = "HOME/tests/c/popHeap.c"
line = 187
begin = 20
end = 29

[_C_23]
file = "HOME/tests/c/popHeap.c"
line = 182
begin = 8
end = 12

[_C_19]
file = "HOME/tests/c/popHeap.c"
line = 181
begin = 8
end = 14

[_C_42]
file = "HOME/tests/c/popHeap.c"
line = 218
begin = 14
end = 24

[_C_82]
file = "HOME/tests/c/popHeap.c"
line = 234
begin = 12
end = 15

[_C_110]
file = "HOME/tests/c/popHeap.c"
line = 277
begin = 15
end = 20

[_C_94]
file = "HOME/tests/c/popHeap.c"
line = 257
begin = 18
end = 93

[_C_84]
file = "HOME/tests/c/popHeap.c"
line = 235
begin = 18
end = 98

[_C_13]
file = "HOME/tests/c/popHeap.c"
line = 179
begin = 2
end = 12

[_C_5]
file = "HOME/tests/c/popHeap.c"
line = 148
begin = 11
end = 22

[_C_91]
file = "HOME/tests/c/popHeap.c"
line = 256
begin = 2
end = 3

[_C_36]
file = "HOME/tests/c/popHeap.c"
line = 201
begin = 22
end = 32

[_C_12]
file = "HOME/tests/c/popHeap.c"
line = 178
begin = 18
end = 63

[_C_33]
file = "HOME/tests/c/popHeap.c"
line = 187
begin = 25
end = 33

[_C_111]
file = "HOME/tests/c/popHeap.c"
line = 275
begin = 17
end = 73

[_C_79]
file = "HOME/tests/c/popHeap.c"
line = 202
begin = 16
end = 19

[CountLemma]
name = "Lemma CountLemma"
file = "HOME/tests/c/popHeap.c"
line = 123
begin = 2
end = 150

[ParentChild_2]
name = "Lemma ParentChild_2"
file = "HOME/tests/c/popHeap.c"
line = 74
begin = 4
end = 106

[_C_104]
file = "HOME/tests/c/popHeap.c"
line = 163
begin = 12
end = 24

[_C_85]
file = "HOME/tests/c/popHeap.c"
line = 238
begin = 18
end = 72

[_C_22]
file = "HOME/tests/c/popHeap.c"
line = 182
begin = 8
end = 12

[_C_65]
file = "HOME/tests/c/popHeap.c"
line = 204
begin = 10
end = 18

[_C_9]
file = "HOME/tests/c/popHeap.c"
line = 147
begin = 11
end = 16

[_C_57]
file = "HOME/tests/c/popHeap.c"
line = 204
begin = 33
end = 40

[_C_54]
file = "HOME/tests/c/popHeap.c"
line = 219
begin = 26
end = 34

[_C_30]
file = "HOME/tests/c/popHeap.c"
line = 188
begin = 20
end = 33

[_C_63]
file = "HOME/tests/c/popHeap.c"
line = 204
begin = 21
end = 31

[_C_6]
file = "HOME/tests/c/popHeap.c"
line = 148
begin = 16
end = 30

[_C_64]
file = "HOME/tests/c/popHeap.c"
line = 204
begin = 10
end = 11

[_C_122]
file = "HOME/tests/c/popHeap.c"
line = 136
begin = 11
end = 16

[_C_95]
file = "HOME/tests/c/popHeap.c"
line = 260
begin = 18
end = 113

[_C_93]
file = "HOME/tests/c/popHeap.c"
line = 256
begin = 11
end = 14

[_C_102]
file = "HOME/tests/c/popHeap.c"
line = 169
begin = 11
end = 31

[_C_49]
file = "HOME/tests/c/popHeap.c"
line = 222
begin = 18
end = 26

[_C_24]
file = "HOME/tests/c/popHeap.c"
line = 183
begin = 18
end = 98

[_C_45]
file = "HOME/tests/c/popHeap.c"
line = 222
begin = 18
end = 19

[_C_97]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_20]
file = "HOME/tests/c/popHeap.c"
line = 181
begin = 8
end = 14

[_C_73]
file = "HOME/tests/c/popHeap.c"
line = 210
begin = 30
end = 55

[pop_heap]
name = "Function pop_heap"
file = "HOME/tests/c/popHeap.c"
line = 175
begin = 5
end = 13

[Count2]
name = "Lemma Count2"
file = "HOME/tests/c/popHeap.c"
line = 111
begin = 4
end = 162

[_C_96]
file = "HOME/tests/c/popHeap.c"
line = 263
begin = 18
end = 162

[_C_38]
file = "HOME/tests/c/popHeap.c"
line = 201
begin = 4
end = 13

[_C_3]
file = "HOME/tests/c/popHeap.c"
line = 148
begin = 11
end = 34

[_C_98]
file = "HOME/tests/c/popHeap.c"
line = 167
begin = 11
end = 25

[_C_109]
file = "HOME/tests/c/popHeap.c"
line = 279
begin = 7
end = 16

[_C_114]
file = "HOME/tests/c/popHeap.c"
line = 274
begin = 22
end = 28

[_C_92]
file = "HOME/tests/c/popHeap.c"
line = 256
begin = 11
end = 14

[_C_81]
file = "HOME/tests/c/popHeap.c"
line = 234
begin = 2
end = 3

[_C_17]
file = "HOME/tests/c/popHeap.c"
line = 181
begin = 10
end = 13

[_C_112]
file = "HOME/tests/c/popHeap.c"
line = 274
begin = 17
end = 28

[Count0]
name = "Lemma Count0"
file = "HOME/tests/c/popHeap.c"
line = 102
begin = 4
end = 105

[_C_7]
file = "HOME/tests/c/popHeap.c"
line = 148
begin = 25
end = 34

[_C_86]
file = "HOME/tests/c/popHeap.c"
line = 239
begin = 18
end = 124

[_C_62]
file = "HOME/tests/c/popHeap.c"
line = 204
begin = 21
end = 22

[_C_55]
file = "HOME/tests/c/popHeap.c"
line = 219
begin = 19
end = 22

[_C_27]
file = "HOME/tests/c/popHeap.c"
line = 192
begin = 20
end = 100

[_C_105]
file = "HOME/tests/c/popHeap.c"
line = 162
begin = 12
end = 30

[_C_87]
file = "HOME/tests/c/popHeap.c"
line = 243
begin = 18
end = 413

[_C_46]
file = "HOME/tests/c/popHeap.c"
line = 222
begin = 18
end = 26

[_C_44]
file = "HOME/tests/c/popHeap.c"
line = 221
begin = 30
end = 40

[_C_15]
file = "HOME/tests/c/popHeap.c"
line = 180
begin = 2
end = 11

[_C_99]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_26]
file = "HOME/tests/c/popHeap.c"
line = 194
begin = 20
end = 45

[_C_47]
file = "HOME/tests/c/popHeap.c"
line = 222
begin = 8
end = 9

[_C_10]
file = "HOME/tests/c/popHeap.c"
line = 147
begin = 20
end = 38

[_C_68]
file = "HOME/tests/c/popHeap.c"
line = 209
begin = 18
end = 19

[_C_60]
file = "HOME/tests/c/popHeap.c"
line = 204
begin = 23
end = 30

[_C_53]
file = "HOME/tests/c/popHeap.c"
line = 219
begin = 26
end = 27

[_C_40]
file = "HOME/tests/c/popHeap.c"
line = 218
begin = 14
end = 20

[_C_58]
file = "HOME/tests/c/popHeap.c"
line = 204
begin = 33
end = 40

[_C_8]
file = "HOME/tests/c/popHeap.c"
line = 147
begin = 11
end = 38

[_C_119]
file = "HOME/tests/c/popHeap.c"
line = 141
begin = 10
end = 56

[_C_66]
file = "HOME/tests/c/popHeap.c"
line = 205
begin = 26
end = 49

[_C_18]
file = "HOME/tests/c/popHeap.c"
line = 181
begin = 8
end = 9

[_C_29]
file = "HOME/tests/c/popHeap.c"
line = 189
begin = 20
end = 65

[_C_75]
file = "HOME/tests/c/popHeap.c"
line = 212
begin = 15
end = 20

[_C_14]
file = "HOME/tests/c/popHeap.c"
line = 179
begin = 2
end = 12

[_C_123]
file = "HOME/tests/c/popHeap.c"
line = 136
begin = 20
end = 38

[_C_106]
file = "HOME/tests/c/popHeap.c"
line = 161
begin = 12
end = 37

[_C_50]
file = "HOME/tests/c/popHeap.c"
line = 223
begin = 30
end = 55

[_C_37]
file = "HOME/tests/c/popHeap.c"
line = 201
begin = 22
end = 32

[_C_43]
file = "HOME/tests/c/popHeap.c"
line = 218
begin = 14
end = 24

[_C_107]
file = "HOME/tests/c/popHeap.c"
line = 161
begin = 12
end = 17

[_C_88]
file = "HOME/tests/c/popHeap.c"
line = 252
begin = 18
end = 118

[_C_100]
file = "HOME/tests/c/popHeap.c"
line = 168
begin = 11
end = 31

[_C_2]
file = "HOME/tests/c/popHeap.c"
line = 149
begin = 11
end = 32

[Count1]
name = "Lemma Count1"
file = "HOME/tests/c/popHeap.c"
line = 106
begin = 4
end = 184

[_C_34]
file = "HOME/tests/c/popHeap.c"
line = 201
begin = 22
end = 28

[_C_67]
file = "HOME/tests/c/popHeap.c"
line = 208
begin = 30
end = 40

[_C_16]
file = "HOME/tests/c/popHeap.c"
line = 181
begin = 10
end = 13

[_C_113]
file = "HOME/tests/c/popHeap.c"
line = 274
begin = 17
end = 23

[_C_1]
file = "HOME/tests/c/popHeap.c"
line = 153
begin = 10
end = 105

[_C_76]
file = "HOME/tests/c/popHeap.c"
line = 206
begin = 10
end = 11

[_C_25]
file = "HOME/tests/c/popHeap.c"
line = 197
begin = 18
end = 26

[_C_39]
file = "HOME/tests/c/popHeap.c"
line = 218
begin = 14
end = 20

[pop_heap_induction]
name = "Function pop_heap_induction"
file = "HOME/tests/c/popHeap.c"
line = 271
begin = 5
end = 23

[_C_80]
file = "HOME/tests/c/popHeap.c"
line = 230
begin = 19
end = 91

[_C_74]
file = "HOME/tests/c/popHeap.c"
line = 211
begin = 29
end = 63

[_C_78]
file = "HOME/tests/c/popHeap.c"
line = 202
begin = 16
end = 19

[_C_11]
file = "HOME/tests/c/popHeap.c"
line = 177
begin = 17
end = 40

[_C_21]
file = "HOME/tests/c/popHeap.c"
line = 182
begin = 8
end = 9

[_C_118]
file = "HOME/tests/c/popHeap.c"
line = 279
begin = 31
end = 34

========== jessie execution ==========
Generating Why function pop_heap
Generating Why function pop_heap_induction
========== file tests/c/popHeap.jessie/popHeap.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/popHeap_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: popHeap.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: popHeap.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: popHeap.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/c/popHeap.jessie/popHeap.loc ==========
[JC_94]
file = "HOME/tests/c/popHeap.c"
line = 235
begin = 18
end = 98

[JC_73]
kind = PointerDeref
file = "HOME/tests/c/popHeap.c"
line = 204
begin = 21
end = 31

[JC_158]
kind = ArithOverflow
file = "HOME/tests/c/popHeap.c"
line = 279
begin = 31
end = 34

[JC_63]
file = "HOME/tests/c/popHeap.c"
line = 187
begin = 25
end = 33

[JC_80]
file = "HOME/tests/c/popHeap.c"
line = 210
begin = 30
end = 55

[JC_51]
kind = UserCall
file = "HOME/tests/c/popHeap.jessie/popHeap.jc"
line = 180
begin = 15
end = 41

[JC_71]
kind = PointerDeref
file = "HOME/tests/c/popHeap.c"
line = 204
begin = 10
end = 18

[JC_147]
file = "HOME/tests/c/popHeap.jessie/popHeap.jc"
line = 473
begin = 10
end = 18

[JC_151]
file = "HOME/tests/c/popHeap.c"
line = 274
begin = 17
end = 23

[JC_45]
file = "HOME/tests/c/popHeap.c"
line = 170
begin = 11
end = 39

[JC_123]
file = "HOME/tests/c/popHeap.c"
line = 223
begin = 30
end = 55

[JC_106]
file = "HOME/tests/c/popHeap.c"
line = 183
begin = 18
end = 98

[JC_143]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_113]
file = "HOME/tests/c/popHeap.c"
line = 187
begin = 25
end = 33

[JC_116]
file = "HOME/tests/c/popHeap.jessie/popHeap.jc"
line = 208
begin = 6
end = 4815

[JC_64]
file = "HOME/tests/c/popHeap.c"
line = 187
begin = 20
end = 33

[JC_133]
file = "HOME/tests/c/popHeap.c"
line = 263
begin = 18
end = 162

[JC_99]
kind = ArithOverflow
file = "HOME/tests/c/popHeap.c"
line = 256
begin = 4
end = 7

[ParentChild_3]
name = "Lemma ParentChild_3"
behavior = "lemma"
file = "HOME/tests/c/popHeap.c"
line = 79
begin = 2
end = 234

[JC_85]
kind = PointerDeref
file = "HOME/tests/c/popHeap.c"
line = 219
begin = 26
end = 34

[JC_126]
file = "HOME/tests/c/popHeap.c"
line = 235
begin = 18
end = 98

[ParentChild_1]
name = "Lemma ParentChild_1"
behavior = "axiom"
file = "HOME/tests/c/popHeap.c"
line = 70
begin = 4
end = 126

[JC_31]
file = "HOME/tests/c/popHeap.c"
line = 162
begin = 12
end = 30

[JC_17]
file = "HOME/tests/c/popHeap.c"
line = 153
begin = 10
end = 105

[JC_122]
file = "HOME/tests/c/popHeap.c"
line = 221
begin = 30
end = 40

[JC_81]
kind = UserCall
file = "HOME/tests/c/popHeap.jessie/popHeap.jc"
line = 269
begin = 30
end = 71

[JC_55]
kind = PointerDeref
file = "HOME/tests/c/popHeap.c"
line = 182
begin = 8
end = 12

[JC_138]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_134]
file = "HOME/tests/c/popHeap.c"
line = 136
begin = 11
end = 16

[JC_148]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_137]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_48]
file = "HOME/tests/c/popHeap.jessie/popHeap.jc"
line = 162
begin = 9
end = 16

[JC_23]
file = "HOME/tests/c/popHeap.c"
line = 161
begin = 12
end = 17

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_121]
kind = UserCall
file = "HOME/tests/c/popHeap.jessie/popHeap.jc"
line = 269
begin = 30
end = 71

[JC_5]
file = "HOME/tests/c/popHeap.c"
line = 148
begin = 25
end = 34

[JC_125]
file = "HOME/tests/c/popHeap.c"
line = 230
begin = 19
end = 91

[JC_67]
file = "HOME/tests/c/popHeap.jessie/popHeap.jc"
line = 208
begin = 6
end = 4815

[JC_9]
file = "HOME/tests/c/popHeap.c"
line = 147
begin = 11
end = 16

[JC_75]
file = "HOME/tests/c/popHeap.c"
line = 205
begin = 26
end = 49

[JC_24]
file = "HOME/tests/c/popHeap.c"
line = 161
begin = 16
end = 37

[JC_25]
file = "HOME/tests/c/popHeap.c"
line = 162
begin = 12
end = 30

[JC_78]
kind = PointerDeref
file = "HOME/tests/c/popHeap.c"
line = 209
begin = 18
end = 26

[JC_41]
file = "HOME/tests/c/popHeap.jessie/popHeap.jc"
line = 162
begin = 9
end = 16

[JC_74]
kind = ArithOverflow
file = "HOME/tests/c/popHeap.c"
line = 204
begin = 33
end = 40

[JC_47]
file = "HOME/tests/c/popHeap.c"
line = 175
begin = 5
end = 13

[JC_52]
file = "HOME/tests/c/popHeap.c"
line = 178
begin = 18
end = 63

[JC_26]
file = "HOME/tests/c/popHeap.c"
line = 163
begin = 12
end = 24

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[CountLemma]
name = "Lemma CountLemma"
behavior = "lemma"
file = "HOME/tests/c/popHeap.c"
line = 123
begin = 2
end = 150

[ParentChild_2]
name = "Lemma ParentChild_2"
behavior = "axiom"
file = "HOME/tests/c/popHeap.c"
line = 74
begin = 4
end = 106

[JC_154]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
kind = PointerDeref
file = "HOME/tests/c/popHeap.c"
line = 181
begin = 8
end = 14

[JC_79]
kind = PointerDeref
file = "HOME/tests/c/popHeap.jessie/popHeap.jc"
line = 258
begin = 31
end = 129

[JC_13]
file = "HOME/tests/c/popHeap.c"
line = 148
begin = 25
end = 34

[JC_130]
file = "HOME/tests/c/popHeap.c"
line = 252
begin = 18
end = 118

[JC_82]
kind = ArithOverflow
file = "HOME/tests/c/popHeap.c"
line = 218
begin = 14
end = 20

[JC_163]
file = "HOME/tests/c/popHeap.c"
line = 274
begin = 17
end = 28

[JC_153]
file = "HOME/tests/c/popHeap.c"
line = 274
begin = 17
end = 28

[JC_87]
kind = PointerDeref
file = "HOME/tests/c/popHeap.c"
line = 222
begin = 18
end = 26

[JC_11]
file = "HOME/tests/c/popHeap.c"
line = 148
begin = 11
end = 22

[pop_heap_induction_ensures_default]
name = "Function pop_heap_induction"
behavior = "default behavior"
file = "HOME/tests/c/popHeap.c"
line = 271
begin = 5
end = 23

[JC_167]
file = "HOME/tests/c/popHeap.c"
line = 281
begin = 22
end = 55

[JC_98]
file = "HOME/tests/c/popHeap.c"
line = 252
begin = 18
end = 118

[JC_70]
kind = ArithOverflow
file = "HOME/tests/c/popHeap.c"
line = 202
begin = 16
end = 19

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_36]
file = "HOME/tests/c/popHeap.c"
line = 168
begin = 11
end = 31

[JC_104]
kind = UserCall
file = "HOME/tests/c/popHeap.jessie/popHeap.jc"
line = 180
begin = 15
end = 41

[JC_91]
file = "HOME/tests/c/popHeap.c"
line = 197
begin = 18
end = 26

[JC_39]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_112]
file = "HOME/tests/c/popHeap.c"
line = 187
begin = 20
end = 29

[JC_40]
file = "HOME/tests/c/popHeap.c"
line = 175
begin = 5
end = 13

[JC_162]
file = "HOME/tests/c/popHeap.c"
line = 274
begin = 22
end = 28

[JC_135]
file = "HOME/tests/c/popHeap.c"
line = 136
begin = 20
end = 38

[JC_83]
kind = ArithOverflow
file = "HOME/tests/c/popHeap.c"
line = 218
begin = 14
end = 24

[JC_35]
file = "HOME/tests/c/popHeap.c"
line = 167
begin = 11
end = 25

[Count2]
name = "Lemma Count2"
behavior = "axiom"
file = "HOME/tests/c/popHeap.c"
line = 111
begin = 4
end = 162

[JC_132]
file = "HOME/tests/c/popHeap.c"
line = 260
begin = 18
end = 113

[JC_27]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_115]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_109]
file = "HOME/tests/c/popHeap.c"
line = 190
begin = 20
end = 96

[JC_107]
file = "HOME/tests/c/popHeap.c"
line = 194
begin = 20
end = 45

[JC_69]
kind = ArithOverflow
file = "HOME/tests/c/popHeap.c"
line = 201
begin = 22
end = 32

[JC_124]
kind = UserCall
file = "HOME/tests/c/popHeap.jessie/popHeap.jc"
line = 299
begin = 27
end = 68

[JC_38]
file = "HOME/tests/c/popHeap.c"
line = 170
begin = 11
end = 39

[JC_12]
file = "HOME/tests/c/popHeap.c"
line = 148
begin = 16
end = 30

[JC_6]
file = "HOME/tests/c/popHeap.c"
line = 149
begin = 11
end = 32

[JC_156]
file = "HOME/tests/c/popHeap.jessie/popHeap.jc"
line = 483
begin = 6
end = 896

[JC_127]
file = "HOME/tests/c/popHeap.c"
line = 238
begin = 18
end = 72

[JC_164]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_44]
file = "HOME/tests/c/popHeap.c"
line = 169
begin = 11
end = 31

[JC_155]
file = "HOME/tests/c/popHeap.jessie/popHeap.jc"
line = 483
begin = 6
end = 896

[JC_4]
file = "HOME/tests/c/popHeap.c"
line = 148
begin = 16
end = 30

[pop_heap_induction_safety]
name = "Function pop_heap_induction"
behavior = "Safety"
file = "HOME/tests/c/popHeap.c"
line = 271
begin = 5
end = 23

[JC_62]
file = "HOME/tests/c/popHeap.c"
line = 187
begin = 20
end = 29

[JC_101]
file = "HOME/tests/c/popHeap.c"
line = 257
begin = 18
end = 93

[Count0]
name = "Lemma Count0"
behavior = "axiom"
file = "HOME/tests/c/popHeap.c"
line = 102
begin = 4
end = 105

[JC_88]
kind = PointerDeref
file = "HOME/tests/c/popHeap.jessie/popHeap.jc"
line = 287
begin = 28
end = 306

[JC_129]
file = "HOME/tests/c/popHeap.c"
line = 243
begin = 18
end = 413

[JC_42]
file = "HOME/tests/c/popHeap.c"
line = 167
begin = 11
end = 25

[JC_110]
file = "HOME/tests/c/popHeap.c"
line = 189
begin = 20
end = 65

[JC_166]
file = "HOME/tests/c/popHeap.jessie/popHeap.jc"
line = 483
begin = 6
end = 896

[JC_103]
file = "HOME/tests/c/popHeap.c"
line = 263
begin = 18
end = 162

[JC_46]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_141]
file = "HOME/tests/c/popHeap.c"
line = 137
begin = 11
end = 23

[JC_61]
file = "HOME/tests/c/popHeap.c"
line = 188
begin = 20
end = 33

[JC_32]
file = "HOME/tests/c/popHeap.c"
line = 163
begin = 12
end = 24

[JC_56]
file = "HOME/tests/c/popHeap.c"
line = 183
begin = 18
end = 98

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_65]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_118]
file = "HOME/tests/c/popHeap.c"
line = 205
begin = 26
end = 49

[JC_105]
file = "HOME/tests/c/popHeap.c"
line = 178
begin = 18
end = 63

[JC_140]
file = "HOME/tests/c/popHeap.c"
line = 136
begin = 20
end = 38

[JC_29]
file = "HOME/tests/c/popHeap.c"
line = 161
begin = 12
end = 17

[JC_144]
file = "HOME/tests/c/popHeap.c"
line = 141
begin = 10
end = 56

[JC_159]
file = "HOME/tests/c/popHeap.c"
line = 277
begin = 15
end = 20

[JC_68]
kind = ArithOverflow
file = "HOME/tests/c/popHeap.c"
line = 201
begin = 22
end = 28

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_96]
file = "HOME/tests/c/popHeap.c"
line = 239
begin = 18
end = 124

[JC_43]
file = "HOME/tests/c/popHeap.c"
line = 168
begin = 11
end = 31

[JC_2]
file = "HOME/tests/c/popHeap.c"
line = 147
begin = 20
end = 38

[JC_95]
file = "HOME/tests/c/popHeap.c"
line = 238
begin = 18
end = 72

[JC_93]
kind = PointerDeref
file = "HOME/tests/c/popHeap.jessie/popHeap.jc"
line = 316
begin = 16
end = 57

[JC_97]
file = "HOME/tests/c/popHeap.c"
line = 243
begin = 18
end = 413

[JC_84]
kind = ArithOverflow
file = "HOME/tests/c/popHeap.c"
line = 219
begin = 19
end = 22

[JC_160]
file = "HOME/tests/c/popHeap.c"
line = 275
begin = 17
end = 73

[JC_128]
file = "HOME/tests/c/popHeap.c"
line = 239
begin = 18
end = 124

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_114]
file = "HOME/tests/c/popHeap.c"
line = 187
begin = 20
end = 33

[JC_14]
file = "HOME/tests/c/popHeap.c"
line = 149
begin = 11
end = 32

[JC_150]
file = "HOME/tests/c/popHeap.c"
line = 275
begin = 17
end = 73

[pop_heap_ensures_default]
name = "Function pop_heap"
behavior = "default behavior"
file = "HOME/tests/c/popHeap.c"
line = 175
begin = 5
end = 13

[JC_117]
file = "HOME/tests/c/popHeap.jessie/popHeap.jc"
line = 208
begin = 6
end = 4815

[pop_heap_safety]
name = "Function pop_heap"
behavior = "Safety"
file = "HOME/tests/c/popHeap.c"
line = 175
begin = 5
end = 13

[JC_90]
kind = UserCall
file = "HOME/tests/c/popHeap.jessie/popHeap.jc"
line = 299
begin = 27
end = 68

[JC_53]
kind = ArithOverflow
file = "HOME/tests/c/popHeap.c"
line = 181
begin = 10
end = 13

[JC_157]
file = "HOME/tests/c/popHeap.c"
line = 281
begin = 22
end = 55

[JC_145]
file = "HOME/tests/c/popHeap.jessie/popHeap.jc"
line = 473
begin = 10
end = 18

[JC_21]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_149]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_111]
file = "HOME/tests/c/popHeap.c"
line = 188
begin = 20
end = 33

[JC_77]
file = "HOME/tests/c/popHeap.c"
line = 208
begin = 30
end = 40

[JC_49]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1]
file = "HOME/tests/c/popHeap.c"
line = 147
begin = 11
end = 16

[JC_131]
file = "HOME/tests/c/popHeap.c"
line = 257
begin = 18
end = 93

[JC_102]
file = "HOME/tests/c/popHeap.c"
line = 260
begin = 18
end = 113

[JC_37]
file = "HOME/tests/c/popHeap.c"
line = 169
begin = 11
end = 31

[Count1]
name = "Lemma Count1"
behavior = "axiom"
file = "HOME/tests/c/popHeap.c"
line = 106
begin = 4
end = 184

[JC_142]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_10]
file = "HOME/tests/c/popHeap.c"
line = 147
begin = 20
end = 38

[JC_108]
file = "HOME/tests/c/popHeap.c"
line = 192
begin = 20
end = 100

[JC_57]
file = "HOME/tests/c/popHeap.c"
line = 194
begin = 20
end = 45

[JC_161]
file = "HOME/tests/c/popHeap.c"
line = 274
begin = 17
end = 23

[JC_146]
file = "HOME/tests/c/popHeap.c"
line = 141
begin = 10
end = 56

[JC_89]
file = "HOME/tests/c/popHeap.c"
line = 223
begin = 30
end = 55

[JC_136]
file = "HOME/tests/c/popHeap.c"
line = 137
begin = 11
end = 23

[JC_66]
file = "HOME/tests/c/popHeap.jessie/popHeap.jc"
line = 208
begin = 6
end = 4815

[JC_59]
file = "HOME/tests/c/popHeap.c"
line = 190
begin = 20
end = 96

[JC_20]
file = "HOME/tests/c/popHeap.jessie/popHeap.jc"
line = 149
begin = 10
end = 18

[JC_165]
file = "HOME/tests/c/popHeap.jessie/popHeap.jc"
line = 483
begin = 6
end = 896

[JC_18]
file = "HOME/tests/c/popHeap.jessie/popHeap.jc"
line = 149
begin = 10
end = 18

[JC_3]
file = "HOME/tests/c/popHeap.c"
line = 148
begin = 11
end = 22

[JC_92]
file = "HOME/tests/c/popHeap.c"
line = 230
begin = 19
end = 91

[JC_152]
file = "HOME/tests/c/popHeap.c"
line = 274
begin = 22
end = 28

[JC_86]
file = "HOME/tests/c/popHeap.c"
line = 221
begin = 30
end = 40

[JC_60]
file = "HOME/tests/c/popHeap.c"
line = 189
begin = 20
end = 65

[JC_139]
file = "HOME/tests/c/popHeap.c"
line = 136
begin = 11
end = 16

[JC_72]
kind = ArithOverflow
file = "HOME/tests/c/popHeap.c"
line = 204
begin = 23
end = 30

[JC_19]
file = "HOME/tests/c/popHeap.c"
line = 153
begin = 10
end = 105

[JC_119]
file = "HOME/tests/c/popHeap.c"
line = 208
begin = 30
end = 40

[JC_76]
kind = PointerDeref
file = "HOME/tests/c/popHeap.c"
line = 206
begin = 10
end = 18

[JC_50]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/tests/c/popHeap.c"
line = 161
begin = 16
end = 37

[JC_120]
file = "HOME/tests/c/popHeap.c"
line = 210
begin = 30
end = 55

[JC_58]
file = "HOME/tests/c/popHeap.c"
line = 192
begin = 20
end = 100

[JC_100]
kind = PointerDeref
file = "HOME/tests/c/popHeap.jessie/popHeap.jc"
line = 422
begin = 16
end = 129

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/c/popHeap.jessie/why/popHeap.why ==========
type charP

type int32

type int8

type intP

type padding

type uint8

type unsigned_charP

type voidP

logic Count: intP pointer, int32, int, int, (intP, int32) memory -> int

function CountWithHole(c_0:intP pointer, v_3:int32, i_13:int, h:int, j_7:int,
 intP_intM_at_L:(intP, int32) memory) : int =
 add_int(Count(c_0, v_3, i_13, h, intP_intM_at_L),
 Count(c_0, v_3, add_int(h, (1)), j_7, intP_intM_at_L))

function CountWithoutHole(c_1:intP pointer, v_4:int32, i_14:int, h_0:int,
 j_8:int, intP_intM_at_L:(intP, int32) memory) : int =
 add_int(Count(c_1, v_4, i_14, h_0, intP_intM_at_L),
 Count(c_1, v_4, h_0, j_8, intP_intM_at_L))

logic integer_of_int32: int32 -> int

predicate IsEqual(a_0:intP pointer, n_0:int, b:intP pointer,
 intP_intM_at_B:(intP, int32) memory, intP_intM_at_A:(intP, int32) memory) =
 (forall i_1:int.
  ((le_int((0), i_1) and lt_int(i_1, n_0)) ->
   (integer_of_int32(select(intP_intM_at_A, shift(a_0, i_1))) = integer_of_int32(
                                                                select(intP_intM_at_B,
                                                                shift(b, i_1))))))

predicate IsFirstMaximum(a_2:intP pointer, max_0:int,
 intP_intM_at_L:(intP, int32) memory) =
 (forall i_8:int.
  ((le_int((0), i_8) and lt_int(i_8, max_0)) ->
   lt_int(integer_of_int32(select(intP_intM_at_L, shift(a_2, i_8))),
   integer_of_int32(select(intP_intM_at_L, shift(a_2, max_0))))))

logic ParentChild: int, int -> prop

predicate IsHeap(c:intP pointer, n_1:int,
 intP_intM_at_L:(intP, int32) memory) =
 (forall i_6:int.
  (forall j_3:int.
   ((lt_int(j_3, n_1) and ParentChild(i_6, j_3)) ->
    ge_int(integer_of_int32(select(intP_intM_at_L, shift(c, i_6))),
    integer_of_int32(select(intP_intM_at_L, shift(c, j_3)))))))

predicate IsMaximum(a_1:intP pointer, n_2:int, max:int,
 intP_intM_at_L:(intP, int32) memory) =
 (forall i_7:int.
  ((le_int((0), i_7) and lt_int(i_7, n_2)) ->
   ge_int(integer_of_int32(select(intP_intM_at_L, shift(a_1, max))),
   integer_of_int32(select(intP_intM_at_L, shift(a_1, i_7))))))

predicate IsValidRange(a:intP pointer, n:int,
 intP_alloc_table_at_L:intP alloc_table) =
 (le_int((0), n)
 and (le_int(offset_min(intP_alloc_table_at_L, a), (0))
     and ge_int(offset_max(intP_alloc_table_at_L, a), sub_int(n, (1)))))

predicate Permutation(c_2:intP pointer, n_3:int32,
 intP_intM_at_B:(intP, int32) memory, intP_intM_at_A:(intP, int32) memory) =
 (forall x_0:int32.
  (Count(c_2, x_0, (0), integer_of_int32(n_3), intP_intM_at_A) = Count(c_2,
                                                                 x_0, (0),
                                                                 integer_of_int32(n_3),
                                                                 intP_intM_at_B)))

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

logic intP_tag:  -> intP tag_id

axiom intP_int : (int_of_tag(intP_tag) = (1))

logic intP_of_pointer_address: unit pointer -> intP pointer

axiom intP_of_pointer_address_of_pointer_addr :
 (forall p:intP pointer. (p = intP_of_pointer_address(pointer_address(p))))

axiom intP_parenttag_bottom : parenttag(intP_tag, bottom_tag)

axiom intP_tags :
 (forall x:intP pointer.
  (forall intP_tag_table:intP tag_table.
   instanceof(intP_tag_table, x, intP_tag)))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_intP(p:intP pointer, a:int,
 intP_alloc_table:intP alloc_table) = (offset_min(intP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom no_assign_Count_0 :
 (forall tmp:intP pset.
  (forall tmpmem:(intP, int32) memory.
   (forall tmpalloc:intP alloc_table.
    (forall intP_intM_at_L:(intP, int32) memory.
     (forall j_4:int.
      (forall i_9:int.
       (forall v:int32.
        (forall a_3:intP pointer.
         ((pset_disjoint(tmp,
           pset_range(pset_singleton(a_3), i_9, sub_int(j_4, (1))))
          and not_assigns(tmpalloc, intP_intM_at_L, tmpmem, tmp)) ->
          (Count(a_3, v, i_9, j_4, intP_intM_at_L) = Count(a_3, v, i_9, j_4,
                                                     tmpmem)))))))))))

axiom no_update_Count_0 :
 (forall tmp:intP pointer.
  (forall tmpval:int32.
   (forall intP_intM_at_L:(intP, int32) memory.
    (forall j_4:int.
     (forall i_9:int.
      (forall v:int32.
       (forall a_3:intP pointer.
        ((not in_pset(tmp,
              pset_range(pset_singleton(a_3), i_9, sub_int(j_4, (1))))) ->
         (Count(a_3, v, i_9, j_4, intP_intM_at_L) = Count(a_3, v, i_9, j_4,
                                                    store(intP_intM_at_L,
                                                    tmp, tmpval)))))))))))

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

axiom pointer_addr_of_intP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(intP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_intP(p:intP pointer, b:int,
 intP_alloc_table:intP alloc_table) = (offset_max(intP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) = a)
 and (offset_max(intP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) = a)
 and (offset_max(intP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) <= a)
 and (offset_max(intP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) <= a)
 and (offset_max(intP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

axiom ParentChild_1 :
 (forall i_3:int.
  (forall j_1:int.
   (ParentChild(i_3, j_1)
   <-> (le_int((0), i_3)
       and (lt_int(i_3, j_1)
           and ((j_1 = add_int(mul_int((2), i_3), (1)))
               or (j_1 = add_int(mul_int((2), i_3), (2)))))))))

axiom ParentChild_2 :
 (forall i_4:int.
  (forall j_2:int.
   (ParentChild(i_4, j_2)
   <-> (lt_int((0), j_2) and (i_4 = computer_div(sub_int(j_2, (1)), (2)))))))

lemma ParentChild_3 :
 (forall i_5:int.
  (lt_int((0), i_5) ->
   (ParentChild(computer_div(sub_int(i_5, (1)), (2)), i_5)
   and (le_int((0), computer_div(sub_int(i_5, (1)), (2)))
       and lt_int(computer_div(sub_int(i_5, (1)), (2)), i_5)))))

axiom Count0 :
 (forall intP_intM_at_L:(intP, int32) memory.
  (forall a_4_0:intP pointer.
   (forall v_0:int32.
    (forall i_10:int.
     (forall j_5:int.
      (ge_int(i_10, j_5) ->
       (Count(a_4_0, v_0, i_10, j_5, intP_intM_at_L) = (0))))))))

axiom Count1 :
 (forall intP_intM_at_L:(intP, int32) memory.
  (forall a_5:intP pointer.
   (forall v_1:int32.
    (forall i_11:int.
     (forall j_6:int.
      (forall k:int.
       ((le_int((0), i_11) and (le_int(i_11, j_6) and le_int(j_6, k))) ->
        (Count(a_5, v_1, i_11, k, intP_intM_at_L) = add_int(Count(a_5, v_1,
                                                            i_11, j_6,
                                                            intP_intM_at_L),
                                                    Count(a_5, v_1, j_6, k,
                                                    intP_intM_at_L))))))))))

axiom Count2 :
 (forall intP_intM_at_L:(intP, int32) memory.
  (forall a_6:intP pointer.
   (forall v_2:int32.
    (forall i_12:int.
     (((integer_of_int32(select(intP_intM_at_L, shift(a_6, i_12))) <> 
       integer_of_int32(v_2)) ->
       (Count(a_6, v_2, i_12, add_int(i_12, (1)), intP_intM_at_L) = (0)))
     and ((integer_of_int32(select(intP_intM_at_L, shift(a_6, i_12))) = 
          integer_of_int32(v_2)) ->
          (Count(a_6, v_2, i_12, add_int(i_12, (1)), intP_intM_at_L) = (1))))))))

lemma CountLemma :
 (forall intP_intM_at_L:(intP, int32) memory.
  (forall a_7:intP pointer.
   (forall v_5:int32.
    (forall i_15:int.
     (le_int((0), i_15) ->
      (Count(a_7, v_5, (0), add_int(i_15, (1)), intP_intM_at_L) = add_int(
                                                                  Count(a_7,
                                                                  v_5, (0),
                                                                  i_15,
                                                                  intP_intM_at_L),
                                                                  Count(a_7,
                                                                  v_5, i_15,
                                                                  add_int(i_15,
                                                                  (1)),
                                                                  intP_intM_at_L))))))))

exception Goto_while_0_break_exc of unit

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter intP_alloc_table : intP alloc_table ref

parameter intP_tag_table : intP tag_table ref

parameter alloc_struct_intP :
 n:int ->
  intP_alloc_table:intP alloc_table ref ->
   intP_tag_table:intP tag_table ref ->
    { } intP pointer writes intP_alloc_table,intP_tag_table
    { (strict_valid_struct_intP(result, (0), sub_int(n, (1)),
       intP_alloc_table)
      and (alloc_extends(intP_alloc_table@, intP_alloc_table)
          and (alloc_fresh(intP_alloc_table@, result, n)
              and instanceof(intP_tag_table, result, intP_tag)))) }

parameter alloc_struct_intP_requires :
 n:int ->
  intP_alloc_table:intP alloc_table ref ->
   intP_tag_table:intP tag_table ref ->
    { ge_int(n, (0))} intP pointer writes intP_alloc_table,intP_tag_table
    { (strict_valid_struct_intP(result, (0), sub_int(n, (1)),
       intP_alloc_table)
      and (alloc_extends(intP_alloc_table@, intP_alloc_table)
          and (alloc_fresh(intP_alloc_table@, result, n)
              and instanceof(intP_tag_table, result, intP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int32 : unit -> { } int32 { true }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter charP_charM : (charP, int8) memory ref

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter intP_intM : (intP, int32) memory ref

parameter pop_heap :
 a_4:intP pointer ->
  n_1_0:int32 ->
   { } unit reads intP_alloc_table,intP_intM writes intP_intM
   { (JC_48:
     ((JC_46:
      ((JC_42: IsHeap(a_4, sub_int(integer_of_int32(n_1_0), (1)), intP_intM))
      and ((JC_43:
           (integer_of_int32(select(intP_intM,
                             shift(a_4,
                             sub_int(integer_of_int32(n_1_0), (1))))) = 
           integer_of_int32(select(intP_intM@, shift(a_4, (0))))))
          and ((JC_44:
               IsMaximum(a_4, integer_of_int32(n_1_0),
               sub_int(integer_of_int32(n_1_0), (1)), intP_intM))
              and (JC_45: Permutation(a_4, n_1_0, intP_intM, intP_intM@))))))
     and (JC_47:
         not_assigns(intP_alloc_table@, intP_intM@, intP_intM,
         pset_range(pset_singleton(a_4), (0),
         sub_int(integer_of_int32(n_1_0), (1))))))) }

parameter pop_heap_induction :
 a_0_0:intP pointer ->
  n_2_0:int32 ->
   { } unit reads intP_alloc_table,intP_intM
   { (JC_146:
     (forall i_20:int.
      ((le_int((0), i_20) and lt_int(i_20, integer_of_int32(n_2_0))) ->
       ge_int(integer_of_int32(select(intP_intM, shift(a_0_0, (0)))),
       integer_of_int32(select(intP_intM, shift(a_0_0, i_20))))))) }

parameter pop_heap_induction_requires :
 a_0_0:intP pointer ->
  n_2_0:int32 ->
   { (JC_137:
     ((JC_134: lt_int((0), integer_of_int32(n_2_0)))
     and ((JC_135:
          IsValidRange(a_0_0, integer_of_int32(n_2_0), intP_alloc_table))
         and (JC_136: IsHeap(a_0_0, integer_of_int32(n_2_0), intP_intM)))))}
   unit reads intP_alloc_table,intP_intM
   { (JC_146:
     (forall i_20:int.
      ((le_int((0), i_20) and lt_int(i_20, integer_of_int32(n_2_0))) ->
       ge_int(integer_of_int32(select(intP_intM, shift(a_0_0, (0)))),
       integer_of_int32(select(intP_intM, shift(a_0_0, i_20))))))) }

parameter pop_heap_requires :
 a_4:intP pointer ->
  n_1_0:int32 ->
   { (JC_27:
     ((JC_23: lt_int((0), integer_of_int32(n_1_0)))
     and ((JC_24:
          lt_int(integer_of_int32(n_1_0),
          computer_div(sub_int((2147483647), (2)), (2))))
         and ((JC_25:
              IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table))
             and (JC_26: IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))))}
   unit reads intP_alloc_table,intP_intM writes intP_intM
   { (JC_48:
     ((JC_46:
      ((JC_42: IsHeap(a_4, sub_int(integer_of_int32(n_1_0), (1)), intP_intM))
      and ((JC_43:
           (integer_of_int32(select(intP_intM,
                             shift(a_4,
                             sub_int(integer_of_int32(n_1_0), (1))))) = 
           integer_of_int32(select(intP_intM@, shift(a_4, (0))))))
          and ((JC_44:
               IsMaximum(a_4, integer_of_int32(n_1_0),
               sub_int(integer_of_int32(n_1_0), (1)), intP_intM))
              and (JC_45: Permutation(a_4, n_1_0, intP_intM, intP_intM@))))))
     and (JC_47:
         not_assigns(intP_alloc_table@, intP_intM@, intP_intM,
         pset_range(pset_singleton(a_4), (0),
         sub_int(integer_of_int32(n_1_0), (1))))))) }

parameter pop_push_heap_copy :
 a_1_0:intP pointer ->
  n_3_0:int32 ->
   parent:int32 ->
    child:int32 ->
     { } unit reads intP_alloc_table,intP_intM
     { (JC_19:
       (forall x_0_0:int32.
        (CountWithHole(a_1_0, x_0_0, (0), integer_of_int32(child),
         integer_of_int32(n_3_0), intP_intM) = CountWithHole(a_1_0, x_0_0,
                                               (0), integer_of_int32(parent),
                                               integer_of_int32(n_3_0),
                                               intP_intM)))) }

parameter pop_push_heap_copy_requires :
 a_1_0:intP pointer ->
  n_3_0:int32 ->
   parent:int32 ->
    child:int32 ->
     { (JC_7:
       ((JC_1: lt_int((0), integer_of_int32(n_3_0)))
       and ((JC_2:
            IsValidRange(a_1_0, integer_of_int32(n_3_0), intP_alloc_table))
           and ((JC_3: le_int((0), integer_of_int32(parent)))
               and ((JC_4:
                    lt_int(integer_of_int32(parent), integer_of_int32(child)))
                   and ((JC_5:
                        lt_int(integer_of_int32(child),
                        integer_of_int32(n_3_0)))
                       and (JC_6:
                           (integer_of_int32(select(intP_intM,
                                             shift(a_1_0,
                                             integer_of_int32(parent)))) = 
                           integer_of_int32(select(intP_intM,
                                            shift(a_1_0,
                                            integer_of_int32(child))))))))))))}
     unit reads intP_alloc_table,intP_intM
     { (JC_19:
       (forall x_0_0:int32.
        (CountWithHole(a_1_0, x_0_0, (0), integer_of_int32(child),
         integer_of_int32(n_3_0), intP_intM) = CountWithHole(a_1_0, x_0_0,
                                               (0), integer_of_int32(parent),
                                               integer_of_int32(n_3_0),
                                               intP_intM)))) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

parameter unsigned_charP_unsigned_charM : (unsigned_charP, uint8) memory ref

let pop_heap_ensures_default =
 fun (a_4 : intP pointer) (n_1_0 : int32) ->
  { (JC_33:
    ((JC_29: lt_int((0), integer_of_int32(n_1_0)))
    and ((JC_30:
         lt_int(integer_of_int32(n_1_0),
         computer_div(sub_int((2147483647), (2)), (2))))
        and ((JC_31:
             IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table))
            and (JC_32: IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) }
  (init:
  try
   begin
     (let tmp = ref (any_int32 void) in
     (let max_1 = ref (any_int32 void) in
     (let hole = ref (any_int32 void) in
     (let child_0 = ref (any_int32 void) in
     try
      begin
        (let _jessie_ = a_4 in
        (let _jessie_ = n_1_0 in
        (JC_104: ((pop_heap_induction _jessie_) _jessie_))));
       (assert
       { (JC_105:
         (forall i_16:int.
          ((lt_int((0), i_16) and lt_int(i_16, integer_of_int32(n_1_0))) ->
           ge_int(integer_of_int32(select(intP_intM, shift(a_4, (0)))),
           integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) }; void);
       void;
       (let _jessie_ =
       begin
         (let _jessie_ = (tmp := (safe_int32_of_integer_ (0))) in void);
        (max_1 := (safe_int32_of_integer_ (0))); !max_1 end in void);
       (let _jessie_ = (hole := (safe_int32_of_integer_ (0))) in void);
       (let _jessie_ =
       (tmp := ((safe_acc_ !intP_intM) ((shift a_4) (integer_of_int32 
                                                     (safe_int32_of_integer_ 
                                                      ((sub_int (integer_of_int32 n_1_0)) (1))))))) in
       void);
       (let _jessie_ =
       (max_1 := ((safe_acc_ !intP_intM) ((shift a_4) (0)))) in void);
       (assert
       { (JC_106:
         (forall x_1:int32.
          (CountWithHole(a_4, x_1, (0), integer_of_int32(hole),
           integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, (1),
                                                 integer_of_int32(n_1_0),
                                                 intP_intM@init)))) }; void);
       begin
         void;
        (loop_2:
        begin
          while true do
          { invariant
              (((JC_107:
                (integer_of_int32(select(intP_intM@init,
                                  shift(a_4,
                                  sub_int(integer_of_int32(n_1_0), (1))))) = 
                integer_of_int32(select(intP_intM,
                                 shift(a_4,
                                 sub_int(integer_of_int32(n_1_0), (1)))))))
               and ((JC_108:
                    (forall x_2:int32.
                     (CountWithHole(a_4, x_2, (0), integer_of_int32(hole),
                      integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_2,
                                                            (1),
                                                            integer_of_int32(n_1_0),
                                                            intP_intM@init))))
                   and ((JC_109:
                        (forall i_18:int.
                         ((lt_int(integer_of_int32(hole),
                           sub_int(integer_of_int32(n_1_0), (1)))
                          and ParentChild(i_18, integer_of_int32(hole))) ->
                          ge_int(integer_of_int32(select(intP_intM,
                                                  shift(a_4, i_18))),
                          integer_of_int32(tmp)))))
                       and ((JC_110:
                            (forall i_17:int.
                             ((le_int((0), i_17)
                              and lt_int(i_17, integer_of_int32(n_1_0))) ->
                              le_int(integer_of_int32(select(intP_intM,
                                                      shift(a_4, i_17))),
                              integer_of_int32(max_1)))))
                           and ((JC_111:
                                IsHeap(a_4,
                                sub_int(integer_of_int32(n_1_0), (1)),
                                intP_intM))
                               and (JC_114:
                                   ((JC_112:
                                    le_int((0), integer_of_int32(hole)))
                                   and (JC_113:
                                       lt_int(integer_of_int32(hole),
                                       integer_of_int32(n_1_0))))))))))
              and ((JC_116:
                   not_assigns(intP_alloc_table@loop_2, intP_intM@loop_2,
                   intP_intM,
                   pset_range(pset_singleton(a_4), (0),
                   integer_of_int32(hole))))
                  and (JC_117:
                      not_assigns(intP_alloc_table@init, intP_intM@init,
                      intP_intM,
                      pset_range(pset_singleton(a_4), (0),
                      sub_int(integer_of_int32(n_1_0), (1)))))))  }
           begin
             [ { } unit { true } ];
            try
             begin
               (let _jessie_ =
               (child_0 := (safe_int32_of_integer_ ((add_int (integer_of_int32 
                                                              (safe_int32_of_integer_ 
                                                               ((mul_int (2)) 
                                                                (integer_of_int32 !hole))))) (2)))) in
               void);
              (if ((lt_int_ (integer_of_int32 !child_0)) (integer_of_int32 
                                                          (safe_int32_of_integer_ 
                                                           ((sub_int 
                                                             (integer_of_int32 n_1_0)) (1)))))
              then
               begin
                 (if ((lt_int_ (integer_of_int32 ((safe_acc_ !intP_intM) 
                                                  ((shift a_4) (integer_of_int32 !child_0))))) 
                      (integer_of_int32 ((safe_acc_ !intP_intM) ((shift a_4) 
                                                                 (integer_of_int32 
                                                                  (safe_int32_of_integer_ 
                                                                   ((sub_int 
                                                                    (integer_of_int32 !child_0)) (1))))))))
                 then
                  (let _jessie_ =
                  (child_0 := (safe_int32_of_integer_ ((sub_int (integer_of_int32 !child_0)) (1)))) in
                  void) else void);
                (assert
                { (JC_118:
                  ParentChild(integer_of_int32(hole),
                  integer_of_int32(child_0))) }; void); void;
                (if ((gt_int_ (integer_of_int32 ((safe_acc_ !intP_intM) 
                                                 ((shift a_4) (integer_of_int32 !child_0))))) 
                     (integer_of_int32 !tmp))
                then
                 (let _jessie_ =
                 begin
                   (assert
                   { (JC_119:
                     lt_int(integer_of_int32(hole),
                     sub_int(integer_of_int32(n_1_0), (1)))) }; void); void;
                  (let _jessie_ =
                  (let _jessie_ =
                  ((safe_acc_ !intP_intM) ((shift a_4) (integer_of_int32 !child_0))) in
                  (let _jessie_ = a_4 in
                  (let _jessie_ = (integer_of_int32 !hole) in
                  (let _jessie_ = ((shift _jessie_) _jessie_) in
                  (((safe_upd_ intP_intM) _jessie_) _jessie_))))) in
                  void);
                  (assert
                  { (JC_120:
                    (integer_of_int32(select(intP_intM@init,
                                      shift(a_4,
                                      sub_int(integer_of_int32(n_1_0), (1))))) = 
                    integer_of_int32(select(intP_intM,
                                     shift(a_4,
                                     sub_int(integer_of_int32(n_1_0), (1))))))) };
                  void); void;
                  (let _jessie_ = a_4 in
                  (let _jessie_ = n_1_0 in
                  (let _jessie_ = !hole in
                  (let _jessie_ = !child_0 in
                  (JC_121:
                  ((((pop_push_heap_copy _jessie_) _jessie_) _jessie_) _jessie_))))));
                  (hole := !child_0); !hole end in void)
                else (raise (Goto_while_0_break_exc void))) end
              else
               begin
                 (let _jessie_ =
                 (child_0 := (safe_int32_of_integer_ ((add_int (integer_of_int32 
                                                                (safe_int32_of_integer_ 
                                                                 ((mul_int (2)) 
                                                                  (integer_of_int32 !hole))))) (1)))) in
                 void);
                (if ((eq_int_ (integer_of_int32 !child_0)) (integer_of_int32 
                                                            (safe_int32_of_integer_ 
                                                             ((sub_int 
                                                               (integer_of_int32 n_1_0)) (2)))))
                then
                 (if ((gt_int_ (integer_of_int32 ((safe_acc_ !intP_intM) 
                                                  ((shift a_4) (integer_of_int32 !child_0))))) 
                      (integer_of_int32 !tmp))
                 then
                  (let _jessie_ =
                  begin
                    (assert
                    { (JC_122:
                      lt_int(integer_of_int32(hole),
                      sub_int(integer_of_int32(n_1_0), (1)))) }; void); void;
                   (let _jessie_ =
                   (let _jessie_ =
                   ((safe_acc_ !intP_intM) ((shift a_4) (integer_of_int32 !child_0))) in
                   (let _jessie_ = a_4 in
                   (let _jessie_ = (integer_of_int32 !hole) in
                   (let _jessie_ = ((shift _jessie_) _jessie_) in
                   (((safe_upd_ intP_intM) _jessie_) _jessie_))))) in
                   void);
                   (assert
                   { (JC_123:
                     (integer_of_int32(select(intP_intM@init,
                                       shift(a_4,
                                       sub_int(integer_of_int32(n_1_0), (1))))) = 
                     integer_of_int32(select(intP_intM,
                                      shift(a_4,
                                      sub_int(integer_of_int32(n_1_0), (1))))))) };
                   void); void;
                   (let _jessie_ = a_4 in
                   (let _jessie_ = n_1_0 in
                   (let _jessie_ = !hole in
                   (let _jessie_ = !child_0 in
                   (JC_124:
                   ((((pop_push_heap_copy _jessie_) _jessie_) _jessie_) _jessie_))))));
                   (hole := !child_0); !hole end in void) else void)
                else void); (raise (Goto_while_0_break_exc void)) end);
              (raise (Loop_continue_exc void)) end with
             Loop_continue_exc _jessie_ -> void end end done;
         (raise (Goto_while_0_break_exc void)) end) end end with
      Goto_while_0_break_exc _jessie_ ->
      (while_0_break:
      begin
        void;
       (assert
       { (JC_125:
         (forall i_19:int.
          ((lt_int(integer_of_int32(hole),
            sub_int(integer_of_int32(n_1_0), (1)))
           and ParentChild(i_19, integer_of_int32(hole))) ->
           ge_int(integer_of_int32(select(intP_intM, shift(a_4, i_19))),
           integer_of_int32(tmp))))) }; void); void;
       (let _jessie_ =
       (let _jessie_ = !tmp in
       (let _jessie_ = a_4 in
       (let _jessie_ = (integer_of_int32 !hole) in
       (let _jessie_ = ((shift _jessie_) _jessie_) in
       (((safe_upd_ intP_intM) _jessie_) _jessie_))))) in void);
       (assert
       { (JC_126:
         (forall x_3:int32.
          (CountWithHole(a_4, x_3, (0), integer_of_int32(hole),
           integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_3, (1),
                                                 integer_of_int32(n_1_0),
                                                 intP_intM@init)))) }; void);
       void;
       (assert
       { (JC_127:
         (lt_int(integer_of_int32(hole),
          sub_int(integer_of_int32(n_1_0), (1))) ->
          ((integer_of_int32(select(intP_intM,
                             shift(a_4, integer_of_int32(hole)))) = integer_of_int32(tmp))
          and ((integer_of_int32(tmp) = integer_of_int32(select(intP_intM@init,
                                                         shift(a_4,
                                                         sub_int(integer_of_int32(n_1_0),
                                                         (1))))))
              and (integer_of_int32(select(intP_intM@init,
                                    shift(a_4,
                                    sub_int(integer_of_int32(n_1_0), (1))))) = 
                  integer_of_int32(select(intP_intM,
                                   shift(a_4,
                                   sub_int(integer_of_int32(n_1_0), (1)))))))))) };
       void); void;
       (assert
       { (JC_128:
         (forall x_4:int32.
          (lt_int(integer_of_int32(hole),
           sub_int(integer_of_int32(n_1_0), (1))) ->
           (Count(a_4, x_4, add_int(integer_of_int32(hole), (1)),
            add_int(sub_int(integer_of_int32(n_1_0), (1)), (1)), intP_intM) = 
           CountWithoutHole(a_4, x_4, add_int(integer_of_int32(hole), (1)),
           sub_int(integer_of_int32(n_1_0), (1)), integer_of_int32(n_1_0),
           intP_intM))))) }; void); void;
       (assert
       { (JC_129:
         (forall x_5:int32.
          ((lt_int(integer_of_int32(hole),
            sub_int(integer_of_int32(n_1_0), (1))) ->
            ((CountWithHole(a_4, x_5, (0), integer_of_int32(hole),
              integer_of_int32(n_1_0), intP_intM) = add_int(CountWithHole(a_4,
                                                            x_5, (0),
                                                            integer_of_int32(hole),
                                                            sub_int(integer_of_int32(n_1_0),
                                                            (1)), intP_intM),
                                                    Count(a_4, x_5,
                                                    sub_int(integer_of_int32(n_1_0),
                                                    (1)),
                                                    add_int(sub_int(integer_of_int32(n_1_0),
                                                            (1)),
                                                    (1)), intP_intM)))
            and ((add_int(CountWithHole(a_4, x_5, (0),
                          integer_of_int32(hole),
                          sub_int(integer_of_int32(n_1_0), (1)), intP_intM),
                  Count(a_4, x_5, sub_int(integer_of_int32(n_1_0), (1)),
                  add_int(sub_int(integer_of_int32(n_1_0), (1)), (1)),
                  intP_intM)) = add_int(CountWithoutHole(a_4, x_5, (0),
                                        integer_of_int32(hole),
                                        add_int(integer_of_int32(hole), (1)),
                                        intP_intM),
                                Count(a_4, x_5,
                                add_int(integer_of_int32(hole), (1)),
                                sub_int(integer_of_int32(n_1_0), (1)),
                                intP_intM)))
                and ((add_int(CountWithoutHole(a_4, x_5, (0),
                              integer_of_int32(hole),
                              add_int(integer_of_int32(hole), (1)),
                              intP_intM),
                      Count(a_4, x_5, add_int(integer_of_int32(hole), (1)),
                      sub_int(integer_of_int32(n_1_0), (1)), intP_intM)) = 
                     CountWithoutHole(a_4, x_5, (0), integer_of_int32(hole),
                     sub_int(integer_of_int32(n_1_0), (1)), intP_intM))
                    and (CountWithoutHole(a_4, x_5, (0),
                         integer_of_int32(hole),
                         sub_int(integer_of_int32(n_1_0), (1)), intP_intM) = 
                        Count(a_4, x_5, (0),
                        sub_int(integer_of_int32(n_1_0), (1)), intP_intM))))))
          and ((integer_of_int32(hole) = sub_int(integer_of_int32(n_1_0),
                                         (1))) ->
               ((CountWithHole(a_4, x_5, (0), integer_of_int32(hole),
                 integer_of_int32(n_1_0), intP_intM) = CountWithHole(a_4,
                                                       x_5, (0),
                                                       sub_int(integer_of_int32(n_1_0),
                                                       (1)),
                                                       integer_of_int32(n_1_0),
                                                       intP_intM))
               and (CountWithHole(a_4, x_5, (0),
                    sub_int(integer_of_int32(n_1_0), (1)),
                    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_5,
                                                          (0),
                                                          sub_int(integer_of_int32(n_1_0),
                                                          (1)), intP_intM))))))) };
       void); void;
       (assert
       { (JC_130:
         (forall x_6:int32.
          ((Count(a_4, x_6, (0), sub_int(integer_of_int32(n_1_0), (1)),
            intP_intM) = CountWithHole(a_4, x_6, (0), integer_of_int32(hole),
                         integer_of_int32(n_1_0), intP_intM))
          and (CountWithHole(a_4, x_6, (0), integer_of_int32(hole),
               integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_6, (1),
                                                     integer_of_int32(n_1_0),
                                                     intP_intM@init))))) };
       void); void;
       (let _jessie_ =
       (let _jessie_ = !max_1 in
       (let _jessie_ = a_4 in
       (let _jessie_ =
       (integer_of_int32 (safe_int32_of_integer_ ((sub_int (integer_of_int32 n_1_0)) (1)))) in
       (let _jessie_ = ((shift _jessie_) _jessie_) in
       (((safe_upd_ intP_intM) _jessie_) _jessie_))))) in void);
       (assert
       { (JC_131:
         (forall x_7:int32.
          (Count(a_4, x_7, sub_int(integer_of_int32(n_1_0), (1)),
           add_int(sub_int(integer_of_int32(n_1_0), (1)), (1)), intP_intM) = 
          Count(a_4, x_7, (0), (1), intP_intM@init)))) }; void); void;
       (assert
       { (JC_132:
         (forall x_8:int32.
          (CountWithoutHole(a_4, x_8, (0),
           sub_int(integer_of_int32(n_1_0), (1)), integer_of_int32(n_1_0),
           intP_intM) = CountWithoutHole(a_4, x_8, (0), (1),
                        integer_of_int32(n_1_0), intP_intM@init)))) }; void);
       void;
       (assert
       { (JC_133:
         (forall x_9:int32.
          ((Count(a_4, x_9, (0), integer_of_int32(n_1_0), intP_intM) = 
           CountWithoutHole(a_4, x_9, (0),
           sub_int(integer_of_int32(n_1_0), (1)), integer_of_int32(n_1_0),
           intP_intM))
          and ((CountWithoutHole(a_4, x_9, (0),
                sub_int(integer_of_int32(n_1_0), (1)),
                integer_of_int32(n_1_0), intP_intM) = CountWithoutHole(a_4,
                                                      x_9, (0), (1),
                                                      integer_of_int32(n_1_0),
                                                      intP_intM@init))
              and (CountWithoutHole(a_4, x_9, (0), (1),
                   integer_of_int32(n_1_0), intP_intM@init) = Count(a_4, x_9,
                                                              (0),
                                                              integer_of_int32(n_1_0),
                                                              intP_intM@init)))))) };
       void); void; (raise Return) end) end)))); (raise Return) end with
   Return -> void end)
  { (JC_41:
    ((JC_39:
     ((JC_35: IsHeap(a_4, sub_int(integer_of_int32(n_1_0), (1)), intP_intM))
     and ((JC_36:
          (integer_of_int32(select(intP_intM,
                            shift(a_4, sub_int(integer_of_int32(n_1_0), (1))))) = 
          integer_of_int32(select(intP_intM@, shift(a_4, (0))))))
         and ((JC_37:
              IsMaximum(a_4, integer_of_int32(n_1_0),
              sub_int(integer_of_int32(n_1_0), (1)), intP_intM))
             and (JC_38: Permutation(a_4, n_1_0, intP_intM, intP_intM@))))))
    and (JC_40:
        not_assigns(intP_alloc_table@, intP_intM@, intP_intM,
        pset_range(pset_singleton(a_4), (0),
        sub_int(integer_of_int32(n_1_0), (1))))))) } 

let pop_heap_induction_ensures_default =
 fun (a_0_0 : intP pointer) (n_2_0 : int32) ->
  { (JC_142:
    ((JC_139: lt_int((0), integer_of_int32(n_2_0)))
    and ((JC_140:
         IsValidRange(a_0_0, integer_of_int32(n_2_0), intP_alloc_table))
        and (JC_141: IsHeap(a_0_0, integer_of_int32(n_2_0), intP_intM))))) }
  (init:
  try
   begin
     (let i = ref (any_int32 void) in
     try
      begin
        (let _jessie_ = (i := (safe_int32_of_integer_ (1))) in void);
       (loop_4:
       begin
         while true do
         { invariant
             ((JC_160:
              (forall j_9:int.
               ((le_int((0), j_9)
                and (lt_int(j_9, integer_of_int32(i))
                    and le_int(integer_of_int32(i), integer_of_int32(n_2_0)))) ->
                ge_int(integer_of_int32(select(intP_intM, shift(a_0_0, (0)))),
                integer_of_int32(select(intP_intM, shift(a_0_0, j_9)))))))
             and (JC_163:
                 ((JC_161: le_int((0), integer_of_int32(i)))
                 and (JC_162:
                     le_int(integer_of_int32(i), integer_of_int32(n_2_0))))))
            }
          begin
            [ { } unit { true } ];
           try
            begin
              (let _jessie_ =
              begin
                (if ((lt_int_ (integer_of_int32 !i)) (integer_of_int32 n_2_0))
                then void else (raise (Goto_while_0_break_exc void)));
               (assert
               { (JC_167:
                 (lt_int((0), integer_of_int32(i)) ->
                  ParentChild(computer_div(sub_int(integer_of_int32(i), (1)),
                              (2)),
                  integer_of_int32(i)))) }; void); void;
               (i := (safe_int32_of_integer_ ((add_int (integer_of_int32 !i)) (1))));
               !i end in void); (raise (Loop_continue_exc void)) end with
            Loop_continue_exc _jessie_ -> void end end done;
        (raise (Goto_while_0_break_exc void)) end) end with
      Goto_while_0_break_exc _jessie_ ->
      (while_0_break: begin   void; (raise Return) end) end); (raise Return)
   end with Return -> void end)
  { (JC_144:
    (forall i_20:int.
     ((le_int((0), i_20) and lt_int(i_20, integer_of_int32(n_2_0))) ->
      ge_int(integer_of_int32(select(intP_intM, shift(a_0_0, (0)))),
      integer_of_int32(select(intP_intM, shift(a_0_0, i_20))))))) } 

let pop_heap_induction_safety =
 fun (a_0_0 : intP pointer) (n_2_0 : int32) ->
  { (JC_142:
    ((JC_139: lt_int((0), integer_of_int32(n_2_0)))
    and ((JC_140:
         IsValidRange(a_0_0, integer_of_int32(n_2_0), intP_alloc_table))
        and (JC_141: IsHeap(a_0_0, integer_of_int32(n_2_0), intP_intM))))) }
  (init:
  try
   begin
     (let i = ref (any_int32 void) in
     try
      begin
        (let _jessie_ = (i := (safe_int32_of_integer_ (1))) in void);
       (loop_3:
       begin
         while true do
         { invariant (JC_155: true)
           variant (JC_159 : sub_int(integer_of_int32(n_2_0),
                             integer_of_int32(i))) }
          begin
            [ { } unit reads i,intP_intM
              { ((JC_150:
                 (forall j_9:int.
                  ((le_int((0), j_9)
                   and (lt_int(j_9, integer_of_int32(i))
                       and le_int(integer_of_int32(i),
                           integer_of_int32(n_2_0)))) ->
                   ge_int(integer_of_int32(select(intP_intM,
                                           shift(a_0_0, (0)))),
                   integer_of_int32(select(intP_intM, shift(a_0_0, j_9)))))))
                and (JC_153:
                    ((JC_151: le_int((0), integer_of_int32(i)))
                    and (JC_152:
                        le_int(integer_of_int32(i), integer_of_int32(n_2_0)))))) } ];
           try
            begin
              (let _jessie_ =
              begin
                (if ((lt_int_ (integer_of_int32 !i)) (integer_of_int32 n_2_0))
                then void else (raise (Goto_while_0_break_exc void)));
               [ { } unit reads i
                 { (JC_157:
                   (lt_int((0), integer_of_int32(i)) ->
                    ParentChild(computer_div(sub_int(integer_of_int32(i),
                                             (1)),
                                (2)),
                    integer_of_int32(i)))) } ]; void;
               (i := (JC_158:
                     (int32_of_integer_ ((add_int (integer_of_int32 !i)) (1)))));
               !i end in void); (raise (Loop_continue_exc void)) end with
            Loop_continue_exc _jessie_ -> void end end done;
        (raise (Goto_while_0_break_exc void)) end) end with
      Goto_while_0_break_exc _jessie_ ->
      (while_0_break: begin   void; (raise Return) end) end); (raise Return)
   end with Return -> void end) { true } 

let pop_heap_safety =
 fun (a_4 : intP pointer) (n_1_0 : int32) ->
  { (JC_33:
    ((JC_29: lt_int((0), integer_of_int32(n_1_0)))
    and ((JC_30:
         lt_int(integer_of_int32(n_1_0),
         computer_div(sub_int((2147483647), (2)), (2))))
        and ((JC_31:
             IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table))
            and (JC_32: IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) }
  (init:
  try
   begin
     (let tmp = ref (any_int32 void) in
     (let max_1 = ref (any_int32 void) in
     (let hole = ref (any_int32 void) in
     (let child_0 = ref (any_int32 void) in
     try
      begin
        (let _jessie_ = a_4 in
        (let _jessie_ = n_1_0 in
        (JC_51: ((pop_heap_induction_requires _jessie_) _jessie_))));
       [ { } unit reads intP_intM
         { (JC_52:
           (forall i_16:int.
            ((lt_int((0), i_16) and lt_int(i_16, integer_of_int32(n_1_0))) ->
             ge_int(integer_of_int32(select(intP_intM, shift(a_4, (0)))),
             integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) } ];
       void;
       (let _jessie_ =
       begin
         (let _jessie_ = (tmp := (safe_int32_of_integer_ (0))) in void);
        (max_1 := (safe_int32_of_integer_ (0))); !max_1 end in void);
       (let _jessie_ = (hole := (safe_int32_of_integer_ (0))) in void);
       (let _jessie_ =
       (tmp := (JC_54:
               ((((offset_acc_ !intP_alloc_table) !intP_intM) a_4) (integer_of_int32 
                                                                    (JC_53:
                                                                    (int32_of_integer_ 
                                                                    ((sub_int 
                                                                    (integer_of_int32 n_1_0)) (1)))))))) in
       void);
       (let _jessie_ =
       (max_1 := (JC_55: (((acc_ !intP_alloc_table) !intP_intM) a_4))) in
       void);
       [ { } unit reads hole,intP_intM
         { (JC_56:
           (forall x_1:int32.
            (CountWithHole(a_4, x_1, (0), integer_of_int32(hole),
             integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, (1),
                                                   integer_of_int32(n_1_0),
                                                   intP_intM@init)))) } ];
       begin
         void;
        (loop_1:
        begin
          while true do
          { invariant (JC_66: true)
            variant (JC_91 : sub_int(integer_of_int32(n_1_0),
                             integer_of_int32(hole))) }
           begin
             [ { } unit reads hole,intP_intM,max_1,tmp
               { ((JC_57:
                  (integer_of_int32(select(intP_intM@init,
                                    shift(a_4,
                                    sub_int(integer_of_int32(n_1_0), (1))))) = 
                  integer_of_int32(select(intP_intM,
                                   shift(a_4,
                                   sub_int(integer_of_int32(n_1_0), (1)))))))
                 and ((JC_58:
                      (forall x_2:int32.
                       (CountWithHole(a_4, x_2, (0), integer_of_int32(hole),
                        integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_2,
                                                              (1),
                                                              integer_of_int32(n_1_0),
                                                              intP_intM@init))))
                     and ((JC_59:
                          (forall i_18:int.
                           ((lt_int(integer_of_int32(hole),
                             sub_int(integer_of_int32(n_1_0), (1)))
                            and ParentChild(i_18, integer_of_int32(hole))) ->
                            ge_int(integer_of_int32(select(intP_intM,
                                                    shift(a_4, i_18))),
                            integer_of_int32(tmp)))))
                         and ((JC_60:
                              (forall i_17:int.
                               ((le_int((0), i_17)
                                and lt_int(i_17, integer_of_int32(n_1_0))) ->
                                le_int(integer_of_int32(select(intP_intM,
                                                        shift(a_4, i_17))),
                                integer_of_int32(max_1)))))
                             and ((JC_61:
                                  IsHeap(a_4,
                                  sub_int(integer_of_int32(n_1_0), (1)),
                                  intP_intM))
                                 and (JC_64:
                                     ((JC_62:
                                      le_int((0), integer_of_int32(hole)))
                                     and (JC_63:
                                         lt_int(integer_of_int32(hole),
                                         integer_of_int32(n_1_0)))))))))) } ];
            try
             begin
               (let _jessie_ =
               (child_0 := (JC_69:
                           (int32_of_integer_ ((add_int (integer_of_int32 
                                                         (JC_68:
                                                         (int32_of_integer_ 
                                                          ((mul_int (2)) 
                                                           (integer_of_int32 !hole)))))) (2))))) in
               void);
              (if ((lt_int_ (integer_of_int32 !child_0)) (integer_of_int32 
                                                          (JC_70:
                                                          (int32_of_integer_ 
                                                           ((sub_int 
                                                             (integer_of_int32 n_1_0)) (1))))))
              then
               begin
                 (if ((lt_int_ (integer_of_int32 (JC_71:
                                                 ((((offset_acc_ !intP_alloc_table) !intP_intM) a_4) 
                                                  (integer_of_int32 !child_0))))) 
                      (integer_of_int32 (JC_73:
                                        ((((offset_acc_ !intP_alloc_table) !intP_intM) a_4) 
                                         (integer_of_int32 (JC_72:
                                                           (int32_of_integer_ 
                                                            ((sub_int 
                                                              (integer_of_int32 !child_0)) (1)))))))))
                 then
                  (let _jessie_ =
                  (child_0 := (JC_74:
                              (int32_of_integer_ ((sub_int (integer_of_int32 !child_0)) (1))))) in
                  void) else void);
                [ { } unit reads child_0,hole
                  { (JC_75:
                    ParentChild(integer_of_int32(hole),
                    integer_of_int32(child_0))) } ]; void;
                (if ((gt_int_ (integer_of_int32 (JC_76:
                                                ((((offset_acc_ !intP_alloc_table) !intP_intM) a_4) 
                                                 (integer_of_int32 !child_0))))) 
                     (integer_of_int32 !tmp))
                then
                 (let _jessie_ =
                 begin
                   [ { } unit reads hole
                     { (JC_77:
                       lt_int(integer_of_int32(hole),
                       sub_int(integer_of_int32(n_1_0), (1)))) } ]; void;
                  (let _jessie_ =
                  (let _jessie_ =
                  (JC_78:
                  ((((offset_acc_ !intP_alloc_table) !intP_intM) a_4) 
                   (integer_of_int32 !child_0))) in
                  (let _jessie_ = a_4 in
                  (let _jessie_ = (integer_of_int32 !hole) in
                  (let _jessie_ = ((shift _jessie_) _jessie_) in
                  (JC_79:
                  (((((offset_upd_ !intP_alloc_table) intP_intM) _jessie_) _jessie_) _jessie_)))))) in
                  void);
                  [ { } unit reads intP_intM
                    { (JC_80:
                      (integer_of_int32(select(intP_intM@init,
                                        shift(a_4,
                                        sub_int(integer_of_int32(n_1_0), (1))))) = 
                      integer_of_int32(select(intP_intM,
                                       shift(a_4,
                                       sub_int(integer_of_int32(n_1_0), (1))))))) } ];
                  void;
                  (let _jessie_ = a_4 in
                  (let _jessie_ = n_1_0 in
                  (let _jessie_ = !hole in
                  (let _jessie_ = !child_0 in
                  (JC_81:
                  ((((pop_push_heap_copy_requires _jessie_) _jessie_) _jessie_) _jessie_))))));
                  (hole := !child_0); !hole end in void)
                else (raise (Goto_while_0_break_exc void))) end
              else
               begin
                 (let _jessie_ =
                 (child_0 := (JC_83:
                             (int32_of_integer_ ((add_int (integer_of_int32 
                                                           (JC_82:
                                                           (int32_of_integer_ 
                                                            ((mul_int (2)) 
                                                             (integer_of_int32 !hole)))))) (1))))) in
                 void);
                (if ((eq_int_ (integer_of_int32 !child_0)) (integer_of_int32 
                                                            (JC_84:
                                                            (int32_of_integer_ 
                                                             ((sub_int 
                                                               (integer_of_int32 n_1_0)) (2))))))
                then
                 (if ((gt_int_ (integer_of_int32 (JC_85:
                                                 ((((offset_acc_ !intP_alloc_table) !intP_intM) a_4) 
                                                  (integer_of_int32 !child_0))))) 
                      (integer_of_int32 !tmp))
                 then
                  (let _jessie_ =
                  begin
                    [ { } unit reads hole
                      { (JC_86:
                        lt_int(integer_of_int32(hole),
                        sub_int(integer_of_int32(n_1_0), (1)))) } ]; void;
                   (let _jessie_ =
                   (let _jessie_ =
                   (JC_87:
                   ((((offset_acc_ !intP_alloc_table) !intP_intM) a_4) 
                    (integer_of_int32 !child_0))) in
                   (let _jessie_ = a_4 in
                   (let _jessie_ = (integer_of_int32 !hole) in
                   (let _jessie_ = ((shift _jessie_) _jessie_) in
                   (JC_88:
                   (((((offset_upd_ !intP_alloc_table) intP_intM) _jessie_) _jessie_) _jessie_)))))) in
                   void);
                   [ { } unit reads intP_intM
                     { (JC_89:
                       (integer_of_int32(select(intP_intM@init,
                                         shift(a_4,
                                         sub_int(integer_of_int32(n_1_0),
                                         (1))))) = integer_of_int32(select(intP_intM,
                                                                    shift(a_4,
                                                                    sub_int(
                                                                    integer_of_int32(n_1_0),
                                                                    (1))))))) } ];
                   void;
                   (let _jessie_ = a_4 in
                   (let _jessie_ = n_1_0 in
                   (let _jessie_ = !hole in
                   (let _jessie_ = !child_0 in
                   (JC_90:
                   ((((pop_push_heap_copy_requires _jessie_) _jessie_) _jessie_) _jessie_))))));
                   (hole := !child_0); !hole end in void) else void)
                else void); (raise (Goto_while_0_break_exc void)) end);
              (raise (Loop_continue_exc void)) end with
             Loop_continue_exc _jessie_ -> void end end done;
         (raise (Goto_while_0_break_exc void)) end) end end with
      Goto_while_0_break_exc _jessie_ ->
      (while_0_break:
      begin
        void;
       [ { } unit reads hole,intP_intM,tmp
         { (JC_92:
           (forall i_19:int.
            ((lt_int(integer_of_int32(hole),
              sub_int(integer_of_int32(n_1_0), (1)))
             and ParentChild(i_19, integer_of_int32(hole))) ->
             ge_int(integer_of_int32(select(intP_intM, shift(a_4, i_19))),
             integer_of_int32(tmp))))) } ]; void;
       (let _jessie_ =
       (let _jessie_ = !tmp in
       (let _jessie_ = a_4 in
       (let _jessie_ = (integer_of_int32 !hole) in
       (let _jessie_ = ((shift _jessie_) _jessie_) in
       (JC_93:
       (((((offset_upd_ !intP_alloc_table) intP_intM) _jessie_) _jessie_) _jessie_)))))) in
       void);
       [ { } unit reads hole,intP_intM
         { (JC_94:
           (forall x_3:int32.
            (CountWithHole(a_4, x_3, (0), integer_of_int32(hole),
             integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_3, (1),
                                                   integer_of_int32(n_1_0),
                                                   intP_intM@init)))) } ];
       void;
       [ { } unit reads hole,intP_intM,tmp
         { (JC_95:
           (lt_int(integer_of_int32(hole),
            sub_int(integer_of_int32(n_1_0), (1))) ->
            ((integer_of_int32(select(intP_intM,
                               shift(a_4, integer_of_int32(hole)))) = 
             integer_of_int32(tmp))
            and ((integer_of_int32(tmp) = integer_of_int32(select(intP_intM@init,
                                                           shift(a_4,
                                                           sub_int(integer_of_int32(n_1_0),
                                                           (1))))))
                and (integer_of_int32(select(intP_intM@init,
                                      shift(a_4,
                                      sub_int(integer_of_int32(n_1_0), (1))))) = 
                    integer_of_int32(select(intP_intM,
                                     shift(a_4,
                                     sub_int(integer_of_int32(n_1_0), (1)))))))))) } ];
       void;
       [ { } unit reads hole,intP_intM
         { (JC_96:
           (forall x_4:int32.
            (lt_int(integer_of_int32(hole),
             sub_int(integer_of_int32(n_1_0), (1))) ->
             (Count(a_4, x_4, add_int(integer_of_int32(hole), (1)),
              add_int(sub_int(integer_of_int32(n_1_0), (1)), (1)), intP_intM) = 
             CountWithoutHole(a_4, x_4, add_int(integer_of_int32(hole), (1)),
             sub_int(integer_of_int32(n_1_0), (1)), integer_of_int32(n_1_0),
             intP_intM))))) } ]; void;
       [ { } unit reads hole,intP_intM
         { (JC_97:
           (forall x_5:int32.
            ((lt_int(integer_of_int32(hole),
              sub_int(integer_of_int32(n_1_0), (1))) ->
              ((CountWithHole(a_4, x_5, (0), integer_of_int32(hole),
                integer_of_int32(n_1_0), intP_intM) = add_int(CountWithHole(a_4,
                                                              x_5, (0),
                                                              integer_of_int32(hole),
                                                              sub_int(
                                                              integer_of_int32(n_1_0),
                                                              (1)),
                                                              intP_intM),
                                                      Count(a_4, x_5,
                                                      sub_int(integer_of_int32(n_1_0),
                                                      (1)),
                                                      add_int(sub_int(
                                                              integer_of_int32(n_1_0),
                                                              (1)),
                                                      (1)), intP_intM)))
              and ((add_int(CountWithHole(a_4, x_5, (0),
                            integer_of_int32(hole),
                            sub_int(integer_of_int32(n_1_0), (1)), intP_intM),
                    Count(a_4, x_5, sub_int(integer_of_int32(n_1_0), (1)),
                    add_int(sub_int(integer_of_int32(n_1_0), (1)), (1)),
                    intP_intM)) = add_int(CountWithoutHole(a_4, x_5, (0),
                                          integer_of_int32(hole),
                                          add_int(integer_of_int32(hole),
                                          (1)), intP_intM),
                                  Count(a_4, x_5,
                                  add_int(integer_of_int32(hole), (1)),
                                  sub_int(integer_of_int32(n_1_0), (1)),
                                  intP_intM)))
                  and ((add_int(CountWithoutHole(a_4, x_5, (0),
                                integer_of_int32(hole),
                                add_int(integer_of_int32(hole), (1)),
                                intP_intM),
                        Count(a_4, x_5, add_int(integer_of_int32(hole), (1)),
                        sub_int(integer_of_int32(n_1_0), (1)), intP_intM)) = 
                       CountWithoutHole(a_4, x_5, (0),
                       integer_of_int32(hole),
                       sub_int(integer_of_int32(n_1_0), (1)), intP_intM))
                      and (CountWithoutHole(a_4, x_5, (0),
                           integer_of_int32(hole),
                           sub_int(integer_of_int32(n_1_0), (1)), intP_intM) = 
                          Count(a_4, x_5, (0),
                          sub_int(integer_of_int32(n_1_0), (1)), intP_intM))))))
            and ((integer_of_int32(hole) = sub_int(integer_of_int32(n_1_0),
                                           (1))) ->
                 ((CountWithHole(a_4, x_5, (0), integer_of_int32(hole),
                   integer_of_int32(n_1_0), intP_intM) = CountWithHole(a_4,
                                                         x_5, (0),
                                                         sub_int(integer_of_int32(n_1_0),
                                                         (1)),
                                                         integer_of_int32(n_1_0),
                                                         intP_intM))
                 and (CountWithHole(a_4, x_5, (0),
                      sub_int(integer_of_int32(n_1_0), (1)),
                      integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_5,
                                                            (0),
                                                            sub_int(integer_of_int32(n_1_0),
                                                            (1)), intP_intM))))))) } ];
       void;
       [ { } unit reads hole,intP_intM
         { (JC_98:
           (forall x_6:int32.
            ((Count(a_4, x_6, (0), sub_int(integer_of_int32(n_1_0), (1)),
              intP_intM) = CountWithHole(a_4, x_6, (0),
                           integer_of_int32(hole), integer_of_int32(n_1_0),
                           intP_intM))
            and (CountWithHole(a_4, x_6, (0), integer_of_int32(hole),
                 integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_6, (1),
                                                       integer_of_int32(n_1_0),
                                                       intP_intM@init))))) } ];
       void;
       (let _jessie_ =
       (let _jessie_ = !max_1 in
       (let _jessie_ = a_4 in
       (let _jessie_ =
       (integer_of_int32 (JC_99:
                         (int32_of_integer_ ((sub_int (integer_of_int32 n_1_0)) (1))))) in
       (let _jessie_ = ((shift _jessie_) _jessie_) in
       (JC_100:
       (((((offset_upd_ !intP_alloc_table) intP_intM) _jessie_) _jessie_) _jessie_)))))) in
       void);
       [ { } unit reads intP_intM
         { (JC_101:
           (forall x_7:int32.
            (Count(a_4, x_7, sub_int(integer_of_int32(n_1_0), (1)),
             add_int(sub_int(integer_of_int32(n_1_0), (1)), (1)), intP_intM) = 
            Count(a_4, x_7, (0), (1), intP_intM@init)))) } ]; void;
       [ { } unit reads intP_intM
         { (JC_102:
           (forall x_8:int32.
            (CountWithoutHole(a_4, x_8, (0),
             sub_int(integer_of_int32(n_1_0), (1)), integer_of_int32(n_1_0),
             intP_intM) = CountWithoutHole(a_4, x_8, (0), (1),
                          integer_of_int32(n_1_0), intP_intM@init)))) } ];
       void;
       [ { } unit reads intP_intM
         { (JC_103:
           (forall x_9:int32.
            ((Count(a_4, x_9, (0), integer_of_int32(n_1_0), intP_intM) = 
             CountWithoutHole(a_4, x_9, (0),
             sub_int(integer_of_int32(n_1_0), (1)), integer_of_int32(n_1_0),
             intP_intM))
            and ((CountWithoutHole(a_4, x_9, (0),
                  sub_int(integer_of_int32(n_1_0), (1)),
                  integer_of_int32(n_1_0), intP_intM) = CountWithoutHole(a_4,
                                                        x_9, (0), (1),
                                                        integer_of_int32(n_1_0),
                                                        intP_intM@init))
                and (CountWithoutHole(a_4, x_9, (0), (1),
                     integer_of_int32(n_1_0), intP_intM@init) = Count(a_4,
                                                                x_9, (0),
                                                                integer_of_int32(n_1_0),
                                                                intP_intM@init)))))) } ];
       void; (raise Return) end) end)))); (raise Return) end with Return ->
   void end) { true } 


why-2.39/tests/c/oracle/array_max.res.oracle0000644000106100004300000010673513147234006020040 0ustar  marchevals========== file tests/c/array_max.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/*
COST Verification Competition. vladimir@cost-ic0701.org

Challenge 1: Maximum in an array

Given: A non-empty integer array a.

Verify that the index returned by the method max() given below points to
an element maximal in the array.

*/

/*@ requires len > 0 && \valid(a+(0..len-1));
  @ ensures 0 <= \result < len &&
  @   \forall integer i; 0 <= i < len ==> a[i] <= a[\result];
  @*/
int max(int *a, int len) {
  int x = 0;
  int y = len-1;
  /*@ loop invariant 0 <= x <= y < len &&
    @      \forall integer i;
    @         0 <= i < x || y < i < len ==>
    @         a[i] <= \max(a[x],a[y]);
    @ loop variant y - x;
    @*/
  while (x != y) {
    if (a[x] <= a[y]) x++;
    else y--;
  }
  return x;
}

/*
Local Variables:
compile-command: "make array_max.why3ide"
End:
*/

========== frama-c -jessie execution ==========
[kernel] Parsing FRAMAC_SHARE/libc/__fc_builtin_for_normalization.i (no preprocessing)
[kernel] Parsing tests/c/array_max.c (with preprocessing)
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/array_max.jessie
[jessie] File tests/c/array_max.jessie/array_max.jc written.
[jessie] File tests/c/array_max.jessie/array_max.cloc written.
========== file tests/c/array_max.jessie/array_max.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type int8 = -128..127

type int32 = -2147483648..2147483647

tag intP = {
  int32 intM: 32;
}

type intP = [intP]

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

int32 max(intP[..] a, int32 len)
  requires (_C_28 : ((_C_29 : (len > 0)) &&
                      ((_C_31 : (\offset_min(a) <= 0)) &&
                        (_C_32 : (\offset_max(a) >= (len - 1))))));
behavior default:
  ensures (_C_23 : (((_C_25 : (0 <= \result)) &&
                      (_C_26 : (\result < \at(len,Old)))) &&
                     (_C_27 : (\forall integer i_2;
                                (((0 <= i_2) && (i_2 < \at(len,Old))) ==>
                                  ((\at(a,Old) + i_2).intM <=
                                    (\at(a,Old) + \result).intM))))));
{  
   (var int32 x);
   
   (var int32 y);
   
   {  (_C_1 : (x = 0));
      (_C_4 : (y = (_C_3 : ((_C_2 : (len - 1)) :> int32))));
      
      loop 
      behavior default:
        invariant (_C_6 : ((((_C_9 : (0 <= x)) && (_C_10 : (x <= y))) &&
                             (_C_11 : (y < len))) &&
                            (_C_12 : (\forall integer i_1;
                                       ((((0 <= i_1) && (i_1 < x)) ||
                                          ((y < i_1) && (i_1 < len))) ==>
                                         ((a + i_1).intM <=
                                           \integer_max((a + x).intM,
                                                        (a + y).intM)))))));
      variant (_C_5 : (y - x));
      while (true)
      {  
         {  (if (x != y) then () else 
            (goto while_0_break));
            
            {  (if ((_C_22 : (_C_21 : (a + x)).intM) <=
                     (_C_20 : (_C_19 : (a + y)).intM)) then (_C_18 : (x = 
                                                            (_C_17 : (
                                                            (_C_16 : 
                                                            (x + 1)) :> int32)))) else 
               (_C_15 : (y = (_C_14 : ((_C_13 : (y - 1)) :> int32)))))
            }
         }
      };
      (while_0_break : ());
      
      (return x)
   }
}
========== file tests/c/array_max.jessie/array_max.cloc ==========
[_C_28]
file = "HOME/tests/c/array_max.c"
line = 44
begin = 16
end = 47

[_C_31]
file = "HOME/tests/c/array_max.c"
line = 44
begin = 27
end = 47

[max]
name = "Function max"
file = "HOME/tests/c/array_max.c"
line = 48
begin = 4
end = 7

[_C_4]
file = "HOME/tests/c/array_max.c"
line = 50
begin = 2
end = 5

[_C_32]
file = "HOME/tests/c/array_max.c"
line = 44
begin = 27
end = 47

[_C_23]
file = "HOME/tests/c/array_max.c"
line = 45
begin = 12
end = 94

[_C_19]
file = "HOME/tests/c/array_max.c"
line = 58
begin = 16
end = 17

[_C_13]
file = "HOME/tests/c/array_max.c"
line = 59
begin = 9
end = 12

[_C_5]
file = "HOME/tests/c/array_max.c"
line = 55
begin = 19
end = 24

[_C_12]
file = "HOME/tests/c/array_max.c"
line = 52
begin = 11
end = 111

[_C_22]
file = "HOME/tests/c/array_max.c"
line = 58
begin = 8
end = 12

[_C_9]
file = "HOME/tests/c/array_max.c"
line = 51
begin = 26
end = 32

[_C_30]
file = "HOME/tests/c/array_max.c"
line = 44
begin = 27
end = 47

[_C_6]
file = "HOME/tests/c/array_max.c"
line = 51
begin = 26
end = 158

[_C_24]
file = "HOME/tests/c/array_max.c"
line = 45
begin = 12
end = 30

[_C_20]
file = "HOME/tests/c/array_max.c"
line = 58
begin = 16
end = 20

[_C_3]
file = "HOME/tests/c/array_max.c"
line = 50
begin = 10
end = 15

[_C_17]
file = "HOME/tests/c/array_max.c"
line = 58
begin = 22
end = 25

[_C_7]
file = "HOME/tests/c/array_max.c"
line = 51
begin = 26
end = 43

[_C_27]
file = "HOME/tests/c/array_max.c"
line = 46
begin = 6
end = 60

[_C_15]
file = "HOME/tests/c/array_max.c"
line = 59
begin = 9
end = 12

[_C_26]
file = "HOME/tests/c/array_max.c"
line = 45
begin = 17
end = 30

[_C_10]
file = "HOME/tests/c/array_max.c"
line = 51
begin = 31
end = 37

[_C_8]
file = "HOME/tests/c/array_max.c"
line = 51
begin = 26
end = 37

[_C_18]
file = "HOME/tests/c/array_max.c"
line = 58
begin = 22
end = 25

[_C_29]
file = "HOME/tests/c/array_max.c"
line = 44
begin = 16
end = 23

[_C_14]
file = "HOME/tests/c/array_max.c"
line = 59
begin = 9
end = 12

[_C_2]
file = "HOME/tests/c/array_max.c"
line = 50
begin = 10
end = 15

[_C_16]
file = "HOME/tests/c/array_max.c"
line = 58
begin = 22
end = 25

[_C_1]
file = "HOME/tests/c/array_max.c"
line = 49
begin = 2
end = 5

[_C_25]
file = "HOME/tests/c/array_max.c"
line = 45
begin = 12
end = 24

[_C_11]
file = "HOME/tests/c/array_max.c"
line = 51
begin = 36
end = 43

[_C_21]
file = "HOME/tests/c/array_max.c"
line = 58
begin = 8
end = 9

========== jessie execution ==========
Generating Why function max
========== file tests/c/array_max.jessie/array_max.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/array_max_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: array_max.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: array_max.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: array_max.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/c/array_max.jessie/array_max.loc ==========
[JC_31]
kind = PointerDeref
file = "HOME/tests/c/array_max.c"
line = 58
begin = 16
end = 20

[JC_17]
file = "HOME/tests/c/array_max.c"
line = 46
begin = 6
end = 60

[JC_23]
file = "HOME/tests/c/array_max.c"
line = 51
begin = 31
end = 37

[JC_22]
file = "HOME/tests/c/array_max.c"
line = 51
begin = 26
end = 32

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_9]
file = "HOME/tests/c/array_max.c"
line = 44
begin = 16
end = 47

[JC_24]
file = "HOME/tests/c/array_max.c"
line = 51
begin = 36
end = 43

[JC_25]
file = "HOME/tests/c/array_max.c"
line = 52
begin = 11
end = 111

[JC_41]
file = "HOME/tests/c/array_max.jessie/array_max.jc"
line = 61
begin = 6
end = 1183

[JC_26]
file = "HOME/tests/c/array_max.c"
line = 51
begin = 26
end = 158

[JC_8]
file = "HOME/tests/c/array_max.c"
line = 44
begin = 27
end = 47

[JC_13]
file = "HOME/tests/c/array_max.c"
line = 46
begin = 6
end = 60

[JC_11]
file = "HOME/tests/c/array_max.c"
line = 45
begin = 12
end = 24

[JC_15]
file = "HOME/tests/c/array_max.c"
line = 45
begin = 12
end = 24

[JC_36]
file = "HOME/tests/c/array_max.c"
line = 51
begin = 31
end = 37

[JC_39]
file = "HOME/tests/c/array_max.c"
line = 51
begin = 26
end = 158

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_35]
file = "HOME/tests/c/array_max.c"
line = 51
begin = 26
end = 32

[JC_27]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_38]
file = "HOME/tests/c/array_max.c"
line = 52
begin = 11
end = 111

[JC_12]
file = "HOME/tests/c/array_max.c"
line = 45
begin = 17
end = 30

[JC_6]
file = "HOME/tests/c/array_max.c"
line = 44
begin = 16
end = 23

[JC_4]
file = "HOME/tests/c/array_max.c"
line = 44
begin = 16
end = 47

[JC_42]
file = "HOME/tests/c/array_max.jessie/array_max.jc"
line = 61
begin = 6
end = 1183

[max_safety]
name = "Function max"
behavior = "Safety"
file = "HOME/tests/c/array_max.c"
line = 48
begin = 4
end = 7

[JC_32]
kind = ArithOverflow
file = "HOME/tests/c/array_max.c"
line = 58
begin = 22
end = 25

[JC_33]
kind = ArithOverflow
file = "HOME/tests/c/array_max.c"
line = 59
begin = 9
end = 12

[JC_29]
file = "HOME/tests/c/array_max.jessie/array_max.jc"
line = 61
begin = 6
end = 1183

[JC_7]
file = "HOME/tests/c/array_max.c"
line = 44
begin = 27
end = 47

[JC_16]
file = "HOME/tests/c/array_max.c"
line = 45
begin = 17
end = 30

[JC_2]
file = "HOME/tests/c/array_max.c"
line = 44
begin = 27
end = 47

[JC_34]
file = "HOME/tests/c/array_max.c"
line = 55
begin = 19
end = 24

[JC_14]
file = "HOME/tests/c/array_max.c"
line = 45
begin = 12
end = 94

[JC_21]
kind = ArithOverflow
file = "HOME/tests/c/array_max.c"
line = 50
begin = 10
end = 15

[JC_1]
file = "HOME/tests/c/array_max.c"
line = 44
begin = 16
end = 23

[JC_37]
file = "HOME/tests/c/array_max.c"
line = 51
begin = 36
end = 43

[max_ensures_default]
name = "Function max"
behavior = "default behavior"
file = "HOME/tests/c/array_max.c"
line = 48
begin = 4
end = 7

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/tests/c/array_max.c"
line = 45
begin = 12
end = 94

[JC_3]
file = "HOME/tests/c/array_max.c"
line = 44
begin = 27
end = 47

[JC_19]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
kind = PointerDeref
file = "HOME/tests/c/array_max.c"
line = 58
begin = 8
end = 12

[JC_28]
file = "HOME/tests/c/array_max.jessie/array_max.jc"
line = 61
begin = 6
end = 1183

========== file tests/c/array_max.jessie/why/array_max.why ==========
type charP

type int32

type int8

type intP

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

logic intP_tag:  -> intP tag_id

axiom intP_int : (int_of_tag(intP_tag) = (1))

logic intP_of_pointer_address: unit pointer -> intP pointer

axiom intP_of_pointer_address_of_pointer_addr :
 (forall p:intP pointer. (p = intP_of_pointer_address(pointer_address(p))))

axiom intP_parenttag_bottom : parenttag(intP_tag, bottom_tag)

axiom intP_tags :
 (forall x:intP pointer.
  (forall intP_tag_table:intP tag_table.
   instanceof(intP_tag_table, x, intP_tag)))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_intP(p:intP pointer, a:int,
 intP_alloc_table:intP alloc_table) = (offset_min(intP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

axiom pointer_addr_of_intP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(intP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_intP(p:intP pointer, b:int,
 intP_alloc_table:intP alloc_table) = (offset_max(intP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) = a)
 and (offset_max(intP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) = a)
 and (offset_max(intP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) <= a)
 and (offset_max(intP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) <= a)
 and (offset_max(intP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

exception Goto_while_0_break_exc of unit

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter intP_alloc_table : intP alloc_table ref

parameter intP_tag_table : intP tag_table ref

parameter alloc_struct_intP :
 n:int ->
  intP_alloc_table:intP alloc_table ref ->
   intP_tag_table:intP tag_table ref ->
    { } intP pointer writes intP_alloc_table,intP_tag_table
    { (strict_valid_struct_intP(result, (0), sub_int(n, (1)),
       intP_alloc_table)
      and (alloc_extends(intP_alloc_table@, intP_alloc_table)
          and (alloc_fresh(intP_alloc_table@, result, n)
              and instanceof(intP_tag_table, result, intP_tag)))) }

parameter alloc_struct_intP_requires :
 n:int ->
  intP_alloc_table:intP alloc_table ref ->
   intP_tag_table:intP tag_table ref ->
    { ge_int(n, (0))} intP pointer writes intP_alloc_table,intP_tag_table
    { (strict_valid_struct_intP(result, (0), sub_int(n, (1)),
       intP_alloc_table)
      and (alloc_extends(intP_alloc_table@, intP_alloc_table)
          and (alloc_fresh(intP_alloc_table@, result, n)
              and instanceof(intP_tag_table, result, intP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int32 : unit -> { } int32 { true }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter max :
 a:intP pointer ->
  len:int32 ->
   intP_a_1_alloc_table:intP alloc_table ->
    intP_intM_a_1:(intP, int32) memory ->
     { } int32
     { (JC_18:
       ((JC_15: le_int((0), integer_of_int32(result)))
       and ((JC_16: lt_int(integer_of_int32(result), integer_of_int32(len)))
           and (JC_17:
               (forall i_2:int.
                ((le_int((0), i_2) and lt_int(i_2, integer_of_int32(len))) ->
                 le_int(integer_of_int32(select(intP_intM_a_1, shift(a, i_2))),
                 integer_of_int32(select(intP_intM_a_1,
                                  shift(a, integer_of_int32(result))))))))))) }

parameter max_requires :
 a:intP pointer ->
  len:int32 ->
   intP_a_1_alloc_table:intP alloc_table ->
    intP_intM_a_1:(intP, int32) memory ->
     { (JC_4:
       ((JC_1: gt_int(integer_of_int32(len), (0)))
       and ((JC_2: le_int(offset_min(intP_a_1_alloc_table, a), (0)))
           and (JC_3:
               ge_int(offset_max(intP_a_1_alloc_table, a),
               sub_int(integer_of_int32(len), (1)))))))}
     int32
     { (JC_18:
       ((JC_15: le_int((0), integer_of_int32(result)))
       and ((JC_16: lt_int(integer_of_int32(result), integer_of_int32(len)))
           and (JC_17:
               (forall i_2:int.
                ((le_int((0), i_2) and lt_int(i_2, integer_of_int32(len))) ->
                 le_int(integer_of_int32(select(intP_intM_a_1, shift(a, i_2))),
                 integer_of_int32(select(intP_intM_a_1,
                                  shift(a, integer_of_int32(result))))))))))) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let max_ensures_default =
 fun (a : intP pointer) (len : int32) (intP_a_1_alloc_table : intP alloc_table) (intP_intM_a_1 : (intP, int32) memory) ->
  { (JC_9:
    ((JC_6: gt_int(integer_of_int32(len), (0)))
    and ((JC_7: le_int(offset_min(intP_a_1_alloc_table, a), (0)))
        and (JC_8:
            ge_int(offset_max(intP_a_1_alloc_table, a),
            sub_int(integer_of_int32(len), (1))))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let x_0 = ref (any_int32 void) in
     (let y = ref (any_int32 void) in
     try
      begin
        (let _jessie_ = (x_0 := (safe_int32_of_integer_ (0))) in void);
       (let _jessie_ =
       (y := (safe_int32_of_integer_ ((sub_int (integer_of_int32 len)) (1)))) in
       void);
       (loop_2:
       begin
         while true do
         { invariant
             (JC_39:
             ((JC_35: le_int((0), integer_of_int32(x_0)))
             and ((JC_36: le_int(integer_of_int32(x_0), integer_of_int32(y)))
                 and ((JC_37:
                      lt_int(integer_of_int32(y), integer_of_int32(len)))
                     and (JC_38:
                         (forall i_1:int.
                          (((le_int((0), i_1)
                            and lt_int(i_1, integer_of_int32(x_0)))
                           or (lt_int(integer_of_int32(y), i_1)
                              and lt_int(i_1, integer_of_int32(len)))) ->
                           le_int(integer_of_int32(select(intP_intM_a_1,
                                                   shift(a, i_1))),
                           int_max(integer_of_int32(select(intP_intM_a_1,
                                                    shift(a,
                                                    integer_of_int32(x_0)))),
                           integer_of_int32(select(intP_intM_a_1,
                                            shift(a, integer_of_int32(y)))))))))))))
            }
          begin
            [ { } unit { true } ];
           try
            begin
              (let _jessie_ =
              begin
                (if ((neq_int_ (integer_of_int32 !x_0)) (integer_of_int32 !y))
                then void else (raise (Goto_while_0_break_exc void)));
               (if ((le_int_ (integer_of_int32 ((safe_acc_ intP_intM_a_1) 
                                                ((shift a) (integer_of_int32 !x_0))))) 
                    (integer_of_int32 ((safe_acc_ intP_intM_a_1) ((shift a) 
                                                                  (integer_of_int32 !y)))))
               then
                begin
                  (x_0 := (safe_int32_of_integer_ ((add_int (integer_of_int32 !x_0)) (1))));
                 !x_0 end
               else
                begin
                  (y := (safe_int32_of_integer_ ((sub_int (integer_of_int32 !y)) (1))));
                 !y end) end in void); (raise (Loop_continue_exc void)) end
            with Loop_continue_exc _jessie_ -> void end end done;
        (raise (Goto_while_0_break_exc void)) end) end with
      Goto_while_0_break_exc _jessie_ ->
      (while_0_break: begin   void; (return := !x_0); (raise Return) end) end));
    absurd  end with Return -> !return end))
  { (JC_14:
    ((JC_11: le_int((0), integer_of_int32(result)))
    and ((JC_12: lt_int(integer_of_int32(result), integer_of_int32(len)))
        and (JC_13:
            (forall i_2:int.
             ((le_int((0), i_2) and lt_int(i_2, integer_of_int32(len))) ->
              le_int(integer_of_int32(select(intP_intM_a_1, shift(a, i_2))),
              integer_of_int32(select(intP_intM_a_1,
                               shift(a, integer_of_int32(result))))))))))) } 

let max_safety =
 fun (a : intP pointer) (len : int32) (intP_a_1_alloc_table : intP alloc_table) (intP_intM_a_1 : (intP, int32) memory) ->
  { (JC_9:
    ((JC_6: gt_int(integer_of_int32(len), (0)))
    and ((JC_7: le_int(offset_min(intP_a_1_alloc_table, a), (0)))
        and (JC_8:
            ge_int(offset_max(intP_a_1_alloc_table, a),
            sub_int(integer_of_int32(len), (1))))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let x_0 = ref (any_int32 void) in
     (let y = ref (any_int32 void) in
     try
      begin
        (let _jessie_ = (x_0 := (safe_int32_of_integer_ (0))) in void);
       (let _jessie_ =
       (y := (JC_21:
             (int32_of_integer_ ((sub_int (integer_of_int32 len)) (1))))) in
       void);
       (loop_1:
       begin
         while true do
         { invariant (JC_28: true)
           variant (JC_34 : sub_int(integer_of_int32(y),
                            integer_of_int32(x_0))) }
          begin
            [ { } unit reads x_0,y
              { (JC_26:
                ((JC_22: le_int((0), integer_of_int32(x_0)))
                and ((JC_23:
                     le_int(integer_of_int32(x_0), integer_of_int32(y)))
                    and ((JC_24:
                         lt_int(integer_of_int32(y), integer_of_int32(len)))
                        and (JC_25:
                            (forall i_1:int.
                             (((le_int((0), i_1)
                               and lt_int(i_1, integer_of_int32(x_0)))
                              or (lt_int(integer_of_int32(y), i_1)
                                 and lt_int(i_1, integer_of_int32(len)))) ->
                              le_int(integer_of_int32(select(intP_intM_a_1,
                                                      shift(a, i_1))),
                              int_max(integer_of_int32(select(intP_intM_a_1,
                                                       shift(a,
                                                       integer_of_int32(x_0)))),
                              integer_of_int32(select(intP_intM_a_1,
                                               shift(a, integer_of_int32(y))))))))))))) } ];
           try
            begin
              (let _jessie_ =
              begin
                (if ((neq_int_ (integer_of_int32 !x_0)) (integer_of_int32 !y))
                then void else (raise (Goto_while_0_break_exc void)));
               (if ((le_int_ (integer_of_int32 (JC_30:
                                               ((((offset_acc_ intP_a_1_alloc_table) intP_intM_a_1) a) 
                                                (integer_of_int32 !x_0))))) 
                    (integer_of_int32 (JC_31:
                                      ((((offset_acc_ intP_a_1_alloc_table) intP_intM_a_1) a) 
                                       (integer_of_int32 !y)))))
               then
                begin
                  (x_0 := (JC_32:
                          (int32_of_integer_ ((add_int (integer_of_int32 !x_0)) (1)))));
                 !x_0 end
               else
                begin
                  (y := (JC_33:
                        (int32_of_integer_ ((sub_int (integer_of_int32 !y)) (1)))));
                 !y end) end in void); (raise (Loop_continue_exc void)) end
            with Loop_continue_exc _jessie_ -> void end end done;
        (raise (Goto_while_0_break_exc void)) end) end with
      Goto_while_0_break_exc _jessie_ ->
      (while_0_break: begin   void; (return := !x_0); (raise Return) end) end));
    absurd  end with Return -> !return end)) { true } 


why-2.39/tests/c/oracle/duplets.res.oracle0000644000106100004300000027107313147234006017533 0ustar  marchevals========== file tests/c/duplets.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/*
COST Verification Competition. vladimir@cost-ic0701.org

Challenge 3: Two equal elements

Given: An integer array a of length n+2 with n>=2. It is known that at
least two values stored in the array appear twice (i.e., there are at
least two duplets).

Implement and verify a program finding such two values.

You may assume that the array contains values between 0 and n-1.
*/

#define NULL (void*)0

/* equality between an integer and a possibly null int* */
/*@ predicate eq_opt{L}(integer x, int *o) =
  @   o != \null && x == *o ;
  @*/

/* A duplet in array a is a pair of indexes (i,j) in the bounds of array
   a such that a[i] = a[j] */
/*@ predicate is_duplet{L}(int *a, integer len, integer i, integer j) =
  @    0 <= i < j < len && a[i] == a[j];
  @*/

/* duplet(a) returns the indexes (i,j) of a duplet in a.
 * moreover, if except is not null, the value of this duplet must
 * be different from it.
 */
/*@ requires 2 <= len &&
  @   \valid(a+(0..len-1)) && \valid(pi) && \valid(pj) &&
  @   ( except == \null || \valid(except)) &&
  @   \exists integer i,j;
  @     is_duplet(a,len,i,j) && ! eq_opt(a[i],except) ;
  @ assigns *pi,*pj;
  @ ensures
  @   is_duplet(a,len,*pi,*pj) &&
  @   ! eq_opt(a[*pi],except);
  @*/
void duplet(int *a, int len, int *except, int *pi, int *pj) {
  /*@ loop invariant 0 <= i <= len-1 &&
    @  \forall integer k,l; 0 <= k < i && k < l < len ==>
    @    ! eq_opt(a[k],except) ==> ! is_duplet(a,len,k,l);
    @ loop variant len - i;
    @*/
  for(int i=0; i <= len - 2; i++) {
    int v = a[i];
    if (except == NULL || *except != v) {
      /*@ loop invariant i+1 <= j <= len &&
        @   \forall integer l; i < l < j ==> ! is_duplet(a,len,i,l);
        @ loop variant len - j;
        @*/
      for (int j=i+1; j < len; j++) {
        if (a[j] == v) {
          *pi = i; *pj = j; return;
        }
      }
    }
  }
  // assert \forall integer i j; ! is_duplet(a,i,j);
  //@ assert \false;
}



/*@ requires 4 <= len &&
  @   \valid(a+(0..len-1)) && \valid(pi) && \valid(pj) &&
  @   \valid(pk) && \valid(pl) &&
  @   \exists integer i,j,k,l;
  @     is_duplet(a,len,i,j) && is_duplet(a,len,k,l) && a[i] != a[k];
  @ assigns *pi,*pj,*pk,*pl;
  @ ensures is_duplet(a,len,*pi,*pj) &&
  @   is_duplet(a,len,*pk,*pl) &&
  @   a[*pi] != a[*pk];
  @*/
void duplets(int a[], int len, int *pi, int *pj, int *pk, int *pl) {
  duplet(a,len,NULL,pi,pj);
  duplet(a,len,&a[*pi],pk,pl);
}


/*
Local Variables:
compile-command: "make duplets.why3ide"
End:
*/

========== frama-c -jessie execution ==========
[kernel] Parsing FRAMAC_SHARE/libc/__fc_builtin_for_normalization.i (no preprocessing)
[kernel] Parsing tests/c/duplets.c (with preprocessing)
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/duplets.jessie
[jessie] File tests/c/duplets.jessie/duplets.jc written.
[jessie] File tests/c/duplets.jessie/duplets.cloc written.
========== file tests/c/duplets.jessie/duplets.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type int8 = -128..127

type int32 = -2147483648..2147483647

tag intP = {
  int32 intM: 32;
}

type intP = [intP]

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

predicate eq_opt{L}(integer x, intP[..] o) =
((o != null) && (x == o.intM))

predicate is_duplet{L}(intP[..] a, integer len, integer i_1, integer j_0) =
((((0 <= i_1) && (i_1 < j_0)) && (j_0 < len)) &&
  ((a + i_1).intM == (a + j_0).intM))

unit duplet(intP[..] a, int32 len, intP[..] except, intP[..] pi, intP[..] pj)
  requires (_C_39 : ((((((_C_44 : (2 <= len)) &&
                          ((_C_46 : (\offset_min(a) <= 0)) &&
                            (_C_47 : (\offset_max(a) >= (len - 1))))) &&
                         ((_C_49 : (\offset_min(pi) <= 0)) &&
                           (_C_50 : (\offset_max(pi) >= 0)))) &&
                        ((_C_52 : (\offset_min(pj) <= 0)) &&
                          (_C_53 : (\offset_max(pj) >= 0)))) &&
                       (_C_54 : ((except == null) ||
                                  ((\offset_min(except) <= 0) &&
                                    (\offset_max(except) >= 0))))) &&
                      (_C_55 : (\exists integer i_2;
                                 (\exists integer j_1;
                                   (is_duplet{Here}(a, len, i_2, j_1) &&
                                     (! eq_opt{Here}((a + i_2).intM, except))))))));
behavior default:
  assigns pi.intM,
  pj.intM;
  ensures (_C_36 : ((_C_37 : is_duplet{Here}(\at(a,Old), \at(len,Old),
                                             \at(pi,Old).intM,
                                             \at(pj,Old).intM)) &&
                     (_C_38 : (! eq_opt{Here}((\at(a,Old) + \at(pi,Old).intM).intM,
                                              \at(except,Old))))));
{  
   (var int32 i);
   
   (var int32 v);
   
   (var int32 j);
   
   {  
      {  (_C_1 : (i = 0));
         
         loop 
         behavior default:
           invariant (_C_3 : (((_C_5 : (0 <= i)) &&
                                (_C_6 : (i <= (len - 1)))) &&
                               (_C_7 : (\forall integer k;
                                         (\forall integer l_0;
                                           (((((0 <= k) && (k < i)) &&
                                               (k < l_0)) &&
                                              (l_0 < len)) ==>
                                             ((! eq_opt{Here}((a + k).intM,
                                                              except)) ==>
                                               (! is_duplet{Here}(a, len, k,
                                                                  l_0)))))))));
         variant (_C_2 : (len - i));
         while (true)
         {  
            {  (if (i <= (_C_9 : ((_C_8 : (len - 2)) :> int32))) then () else 
               (goto while_0_break));
               
               {  (_C_12 : (v = (_C_11 : (_C_10 : (a + i)).intM)));
                  (if (except == null) then 
                  (goto _LOR) else (if ((_C_13 : except.intM) != v) then 
                                   (goto _LOR) else ()));
                  
                  (goto _LOR_0);
                  (_LOR : 
                  {  (_C_16 : (j = (_C_15 : ((_C_14 : (i + 1)) :> int32))));
                     
                     loop 
                     behavior default:
                       invariant (_C_18 : (((_C_20 : ((i + 1) <= j)) &&
                                             (_C_21 : (j <= len))) &&
                                            (_C_22 : (\forall integer l;
                                                       (((i < l) && (l < j)) ==>
                                                         (! is_duplet{Here}(
                                                         a, len, i, l)))))));
                     variant (_C_17 : (len - j));
                     while (true)
                     {  
                        {  (if (j < len) then () else 
                           (goto while_1_break));
                           
                           {  (if ((_C_28 : (_C_27 : (a + j)).intM) == v) then 
                              {  (_C_24 : ((_C_23 : pi.intM) = i));
                                 (_C_26 : ((_C_25 : pj.intM) = j));
                                 
                                 (goto return_label)
                              } else ())
                           };
                           (_C_31 : (j = (_C_30 : ((_C_29 : (j + 1)) :> int32))))
                        }
                     };
                     (while_1_break : ())
                  });
                  (_LOR_0 : ())
               };
               (_C_34 : (i = (_C_33 : ((_C_32 : (i + 1)) :> int32))))
            }
         };
         (while_0_break : ())
      };
      
      {  
         (assert for default: (_C_35 : (jessie : false)));
         ()
      };
      (return_label : 
      (return ()))
   }
}

unit duplets(intP[..] a_0, int32 len_0, intP[..] pi_0, intP[..] pj_0,
             intP[..] pk, intP[..] pl)
  requires (_C_65 : (((((((_C_71 : (4 <= len_0)) &&
                           ((_C_73 : (\offset_min(a_0) <= 0)) &&
                             (_C_74 : (\offset_max(a_0) >= (len_0 - 1))))) &&
                          ((_C_76 : (\offset_min(pi_0) <= 0)) &&
                            (_C_77 : (\offset_max(pi_0) >= 0)))) &&
                         ((_C_79 : (\offset_min(pj_0) <= 0)) &&
                           (_C_80 : (\offset_max(pj_0) >= 0)))) &&
                        ((_C_82 : (\offset_min(pk) <= 0)) &&
                          (_C_83 : (\offset_max(pk) >= 0)))) &&
                       ((_C_85 : (\offset_min(pl) <= 0)) &&
                         (_C_86 : (\offset_max(pl) >= 0)))) &&
                      (_C_87 : (\exists integer i_3;
                                 (\exists integer j_2;
                                   (\exists integer k_0;
                                     (\exists integer l_1;
                                       ((is_duplet{Here}(a_0, len_0, i_3, j_2) &&
                                          is_duplet{Here}(a_0, len_0, k_0,
                                                          l_1)) &&
                                         ((a_0 + i_3).intM !=
                                           (a_0 + k_0).intM)))))))));
behavior default:
  assigns pi_0.intM,
  pj_0.intM,
  pk.intM,
  pl.intM;
  ensures (_C_60 : (((_C_62 : is_duplet{Here}(\at(a_0,Old), \at(len_0,Old),
                                              \at(pi_0,Old).intM,
                                              \at(pj_0,Old).intM)) &&
                      (_C_63 : is_duplet{Here}(\at(a_0,Old), \at(len_0,Old),
                                               \at(pk,Old).intM,
                                               \at(pl,Old).intM))) &&
                     (_C_64 : ((\at(a_0,Old) + \at(pi_0,Old).intM).intM !=
                                (\at(a_0,Old) + \at(pk,Old).intM).intM))));
{  
   {  (_C_56 : duplet(a_0, len_0, null, pi_0, pj_0));
      (_C_59 : duplet(a_0, len_0, (_C_58 : (a_0 + (_C_57 : pi_0.intM))), pk,
                      pl));
      
      (return ())
   }
}
========== file tests/c/duplets.jessie/duplets.cloc ==========
[duplet]
name = "Function duplet"
file = "HOME/tests/c/duplets.c"
line = 73
begin = 5
end = 11

[_C_52]
file = "HOME/tests/c/duplets.c"
line = 64
begin = 44
end = 54

[_C_35]
file = "HOME/tests/c/duplets.c"
line = 94
begin = 18
end = 24

[_C_56]
file = "HOME/tests/c/duplets.c"
line = 110
begin = 2
end = 30

[_C_28]
file = "HOME/tests/c/duplets.c"
line = 87
begin = 12
end = 16

[_C_72]
file = "HOME/tests/c/duplets.c"
line = 100
begin = 6
end = 26

[_C_59]
file = "HOME/tests/c/duplets.c"
line = 111
begin = 2
end = 29

[_C_48]
file = "HOME/tests/c/duplets.c"
line = 64
begin = 30
end = 40

[_C_51]
file = "HOME/tests/c/duplets.c"
line = 64
begin = 44
end = 54

[_C_31]
file = "HOME/tests/c/duplets.c"
line = 86
begin = 31
end = 34

[duplets]
name = "Function duplets"
file = "HOME/tests/c/duplets.c"
line = 109
begin = 5
end = 12

[_C_77]
file = "HOME/tests/c/duplets.c"
line = 100
begin = 30
end = 40

[_C_83]
file = "HOME/tests/c/duplets.c"
line = 101
begin = 6
end = 16

[_C_41]
file = "HOME/tests/c/duplets.c"
line = 63
begin = 16
end = 82

[_C_4]
file = "HOME/tests/c/duplets.c"
line = 74
begin = 26
end = 41

[_C_71]
file = "HOME/tests/c/duplets.c"
line = 99
begin = 16
end = 24

[_C_70]
file = "HOME/tests/c/duplets.c"
line = 99
begin = 16
end = 54

[_C_61]
file = "HOME/tests/c/duplets.c"
line = 105
begin = 12
end = 70

[_C_69]
file = "HOME/tests/c/duplets.c"
line = 99
begin = 16
end = 68

[_C_32]
file = "HOME/tests/c/duplets.c"
line = 79
begin = 29
end = 32

[_C_23]
file = "HOME/tests/c/duplets.c"
line = 88
begin = 16
end = 17

[_C_19]
file = "HOME/tests/c/duplets.c"
line = 82
begin = 34
end = 49

[_C_42]
file = "HOME/tests/c/duplets.c"
line = 63
begin = 16
end = 68

[_C_82]
file = "HOME/tests/c/duplets.c"
line = 101
begin = 6
end = 16

[_C_84]
file = "HOME/tests/c/duplets.c"
line = 101
begin = 20
end = 30

[_C_13]
file = "HOME/tests/c/duplets.c"
line = 81
begin = 30
end = 37

[_C_5]
file = "HOME/tests/c/duplets.c"
line = 74
begin = 26
end = 32

[_C_36]
file = "HOME/tests/c/duplets.c"
line = 70
begin = 6
end = 63

[_C_12]
file = "HOME/tests/c/duplets.c"
line = 80
begin = 4
end = 7

[_C_33]
file = "HOME/tests/c/duplets.c"
line = 79
begin = 29
end = 32

[_C_79]
file = "HOME/tests/c/duplets.c"
line = 100
begin = 44
end = 54

[_C_85]
file = "HOME/tests/c/duplets.c"
line = 101
begin = 20
end = 30

[_C_22]
file = "HOME/tests/c/duplets.c"
line = 83
begin = 12
end = 67

[_C_65]
file = "HOME/tests/c/duplets.c"
line = 99
begin = 16
end = 219

[_C_9]
file = "HOME/tests/c/duplets.c"
line = 79
begin = 20
end = 27

[_C_57]
file = "HOME/tests/c/duplets.c"
line = 111
begin = 18
end = 21

[_C_54]
file = "HOME/tests/c/duplets.c"
line = 65
begin = 6
end = 42

[_C_30]
file = "HOME/tests/c/duplets.c"
line = 86
begin = 31
end = 34

[_C_63]
file = "HOME/tests/c/duplets.c"
line = 106
begin = 6
end = 30

[_C_6]
file = "HOME/tests/c/duplets.c"
line = 74
begin = 31
end = 41

[_C_64]
file = "HOME/tests/c/duplets.c"
line = 107
begin = 6
end = 22

[_C_49]
file = "HOME/tests/c/duplets.c"
line = 64
begin = 30
end = 40

[_C_24]
file = "HOME/tests/c/duplets.c"
line = 88
begin = 16
end = 17

[_C_45]
file = "HOME/tests/c/duplets.c"
line = 64
begin = 6
end = 26

[_C_20]
file = "HOME/tests/c/duplets.c"
line = 82
begin = 34
end = 42

[_C_73]
file = "HOME/tests/c/duplets.c"
line = 100
begin = 6
end = 26

[_C_38]
file = "HOME/tests/c/duplets.c"
line = 71
begin = 6
end = 29

[_C_3]
file = "HOME/tests/c/duplets.c"
line = 74
begin = 26
end = 160

[_C_81]
file = "HOME/tests/c/duplets.c"
line = 101
begin = 6
end = 16

[_C_17]
file = "HOME/tests/c/duplets.c"
line = 84
begin = 23
end = 30

[_C_7]
file = "HOME/tests/c/duplets.c"
line = 75
begin = 7
end = 115

[_C_86]
file = "HOME/tests/c/duplets.c"
line = 101
begin = 20
end = 30

[_C_62]
file = "HOME/tests/c/duplets.c"
line = 105
begin = 12
end = 36

[_C_55]
file = "HOME/tests/c/duplets.c"
line = 66
begin = 6
end = 80

[_C_27]
file = "HOME/tests/c/duplets.c"
line = 87
begin = 12
end = 13

[_C_87]
file = "HOME/tests/c/duplets.c"
line = 102
begin = 6
end = 99

[_C_46]
file = "HOME/tests/c/duplets.c"
line = 64
begin = 6
end = 26

[_C_44]
file = "HOME/tests/c/duplets.c"
line = 63
begin = 16
end = 24

[_C_15]
file = "HOME/tests/c/duplets.c"
line = 86
begin = 17
end = 20

[_C_26]
file = "HOME/tests/c/duplets.c"
line = 88
begin = 25
end = 26

[_C_47]
file = "HOME/tests/c/duplets.c"
line = 64
begin = 6
end = 26

[_C_10]
file = "HOME/tests/c/duplets.c"
line = 80
begin = 12
end = 13

[_C_68]
file = "HOME/tests/c/duplets.c"
line = 99
begin = 16
end = 82

[_C_60]
file = "HOME/tests/c/duplets.c"
line = 105
begin = 12
end = 96

[_C_53]
file = "HOME/tests/c/duplets.c"
line = 64
begin = 44
end = 54

[_C_40]
file = "HOME/tests/c/duplets.c"
line = 63
begin = 16
end = 128

[_C_58]
file = "HOME/tests/c/duplets.c"
line = 111
begin = 16
end = 17

[_C_8]
file = "HOME/tests/c/duplets.c"
line = 79
begin = 20
end = 27

[_C_66]
file = "HOME/tests/c/duplets.c"
line = 99
begin = 16
end = 116

[_C_18]
file = "HOME/tests/c/duplets.c"
line = 82
begin = 34
end = 120

[_C_29]
file = "HOME/tests/c/duplets.c"
line = 86
begin = 31
end = 34

[_C_75]
file = "HOME/tests/c/duplets.c"
line = 100
begin = 30
end = 40

[_C_14]
file = "HOME/tests/c/duplets.c"
line = 86
begin = 17
end = 20

[_C_50]
file = "HOME/tests/c/duplets.c"
line = 64
begin = 30
end = 40

[_C_37]
file = "HOME/tests/c/duplets.c"
line = 70
begin = 6
end = 30

[_C_43]
file = "HOME/tests/c/duplets.c"
line = 63
begin = 16
end = 54

[_C_2]
file = "HOME/tests/c/duplets.c"
line = 77
begin = 19
end = 26

[_C_34]
file = "HOME/tests/c/duplets.c"
line = 79
begin = 29
end = 32

[_C_67]
file = "HOME/tests/c/duplets.c"
line = 99
begin = 16
end = 102

[_C_16]
file = "HOME/tests/c/duplets.c"
line = 86
begin = 11
end = 14

[_C_1]
file = "HOME/tests/c/duplets.c"
line = 79
begin = 6
end = 9

[_C_76]
file = "HOME/tests/c/duplets.c"
line = 100
begin = 30
end = 40

[_C_25]
file = "HOME/tests/c/duplets.c"
line = 88
begin = 25
end = 26

[_C_39]
file = "HOME/tests/c/duplets.c"
line = 63
begin = 16
end = 212

[_C_80]
file = "HOME/tests/c/duplets.c"
line = 100
begin = 44
end = 54

[_C_74]
file = "HOME/tests/c/duplets.c"
line = 100
begin = 6
end = 26

[_C_78]
file = "HOME/tests/c/duplets.c"
line = 100
begin = 44
end = 54

[_C_11]
file = "HOME/tests/c/duplets.c"
line = 80
begin = 12
end = 16

[_C_21]
file = "HOME/tests/c/duplets.c"
line = 82
begin = 41
end = 49

========== jessie execution ==========
Generating Why function duplet
Generating Why function duplets
========== file tests/c/duplets.jessie/duplets.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/duplets_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: duplets.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: duplets.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: duplets.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/c/duplets.jessie/duplets.loc ==========
[JC_94]
file = "HOME/tests/c/duplets.c"
line = 101
begin = 20
end = 30

[JC_73]
file = "HOME/tests/c/duplets.jessie/duplets.jc"
line = 82
begin = 9
end = 2882

[JC_63]
kind = PointerDeref
file = "HOME/tests/c/duplets.jessie/duplets.jc"
line = 125
begin = 43
end = 64

[JC_80]
file = "HOME/tests/c/duplets.jessie/duplets.jc"
line = 110
begin = 21
end = 1263

[JC_51]
file = "HOME/tests/c/duplets.c"
line = 82
begin = 41
end = 49

[duplet_ensures_default]
name = "Function duplet"
behavior = "default behavior"
file = "HOME/tests/c/duplets.c"
line = 73
begin = 5
end = 11

[JC_71]
file = "HOME/tests/c/duplets.jessie/duplets.jc"
line = 82
begin = 9
end = 2882

[JC_45]
file = "HOME/tests/c/duplets.jessie/duplets.jc"
line = 82
begin = 9
end = 2882

[JC_123]
file = "HOME/tests/c/duplets.c"
line = 106
begin = 6
end = 30

[JC_106]
file = "HOME/tests/c/duplets.c"
line = 101
begin = 6
end = 16

[JC_113]
file = "HOME/tests/c/duplets.c"
line = 106
begin = 6
end = 30

[JC_116]
file = "HOME/tests/c/duplets.c"
line = 109
begin = 5
end = 12

[JC_64]
kind = PointerDeref
file = "HOME/tests/c/duplets.jessie/duplets.jc"
line = 126
begin = 43
end = 64

[JC_133]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_99]
file = "HOME/tests/c/duplets.c"
line = 100
begin = 6
end = 26

[JC_85]
file = "HOME/tests/c/duplets.c"
line = 100
begin = 6
end = 26

[JC_126]
file = "HOME/tests/c/duplets.c"
line = 109
begin = 5
end = 12

[JC_31]
file = "HOME/tests/c/duplets.c"
line = 71
begin = 6
end = 29

[JC_17]
file = "HOME/tests/c/duplets.c"
line = 64
begin = 44
end = 54

[JC_122]
file = "HOME/tests/c/duplets.c"
line = 105
begin = 12
end = 36

[JC_81]
file = "HOME/tests/c/duplets.jessie/duplets.jc"
line = 110
begin = 21
end = 1263

[JC_55]
file = "HOME/tests/c/duplets.jessie/duplets.jc"
line = 110
begin = 21
end = 1263

[JC_138]
kind = UserCall
file = "HOME/tests/c/duplets.jessie/duplets.jc"
line = 190
begin = 15
end = 102

[JC_134]
kind = UserCall
file = "HOME/tests/c/duplets.jessie/duplets.jc"
line = 189
begin = 15
end = 51

[JC_137]
kind = UserCall
file = "HOME/tests/c/duplets.jessie/duplets.jc"
line = 189
begin = 15
end = 51

[JC_48]
kind = PointerDeref
file = "HOME/tests/c/duplets.c"
line = 81
begin = 30
end = 37

[JC_23]
file = "HOME/tests/c/duplets.c"
line = 70
begin = 6
end = 30

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_121]
file = "HOME/tests/c/duplets.jessie/duplets.jc"
line = 175
begin = 9
end = 16

[JC_5]
file = "HOME/tests/c/duplets.c"
line = 64
begin = 30
end = 40

[JC_125]
file = "HOME/tests/c/duplets.c"
line = 105
begin = 12
end = 96

[JC_67]
file = "HOME/tests/c/duplets.c"
line = 75
begin = 7
end = 115

[JC_9]
file = "HOME/tests/c/duplets.c"
line = 66
begin = 6
end = 80

[JC_75]
file = "HOME/tests/c/duplets.c"
line = 82
begin = 41
end = 49

[JC_24]
file = "HOME/tests/c/duplets.c"
line = 71
begin = 6
end = 29

[JC_25]
file = "HOME/tests/c/duplets.c"
line = 70
begin = 6
end = 63

[duplet_safety]
name = "Function duplet"
behavior = "Safety"
file = "HOME/tests/c/duplets.c"
line = 73
begin = 5
end = 11

[JC_78]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_41]
file = "HOME/tests/c/duplets.c"
line = 75
begin = 7
end = 115

[JC_74]
file = "HOME/tests/c/duplets.c"
line = 82
begin = 34
end = 42

[JC_47]
kind = PointerDeref
file = "HOME/tests/c/duplets.c"
line = 80
begin = 12
end = 16

[JC_52]
file = "HOME/tests/c/duplets.c"
line = 83
begin = 12
end = 67

[JC_26]
file = "HOME/tests/c/duplets.c"
line = 73
begin = 5
end = 11

[JC_8]
file = "HOME/tests/c/duplets.c"
line = 65
begin = 6
end = 42

[JC_54]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_79]
file = "HOME/tests/c/duplets.jessie/duplets.jc"
line = 110
begin = 21
end = 1263

[JC_13]
file = "HOME/tests/c/duplets.c"
line = 64
begin = 6
end = 26

[JC_130]
file = "HOME/tests/c/duplets.jessie/duplets.jc"
line = 176
begin = 10
end = 54

[JC_82]
file = "HOME/tests/c/duplets.jessie/duplets.jc"
line = 110
begin = 21
end = 1263

[JC_87]
file = "HOME/tests/c/duplets.c"
line = 100
begin = 30
end = 40

[JC_11]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_98]
file = "HOME/tests/c/duplets.c"
line = 99
begin = 16
end = 24

[JC_70]
file = "HOME/tests/c/duplets.jessie/duplets.jc"
line = 82
begin = 9
end = 2882

[JC_15]
file = "HOME/tests/c/duplets.c"
line = 64
begin = 30
end = 40

[JC_36]
file = "HOME/tests/c/duplets.jessie/duplets.jc"
line = 64
begin = 9
end = 16

[JC_104]
file = "HOME/tests/c/duplets.c"
line = 100
begin = 44
end = 54

[JC_91]
file = "HOME/tests/c/duplets.c"
line = 101
begin = 6
end = 16

[JC_39]
file = "HOME/tests/c/duplets.c"
line = 74
begin = 26
end = 32

[JC_112]
file = "HOME/tests/c/duplets.c"
line = 105
begin = 12
end = 36

[JC_40]
file = "HOME/tests/c/duplets.c"
line = 74
begin = 31
end = 41

[JC_135]
kind = PointerDeref
file = "HOME/tests/c/duplets.c"
line = 111
begin = 18
end = 21

[JC_83]
file = "HOME/tests/c/duplets.c"
line = 94
begin = 18
end = 24

[JC_35]
file = "HOME/tests/c/duplets.jessie/duplets.jc"
line = 65
begin = 10
end = 28

[JC_132]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
file = "HOME/tests/c/duplets.c"
line = 73
begin = 5
end = 11

[JC_115]
file = "HOME/tests/c/duplets.c"
line = 105
begin = 12
end = 96

[JC_109]
file = "HOME/tests/c/duplets.c"
line = 102
begin = 6
end = 99

[JC_107]
file = "HOME/tests/c/duplets.c"
line = 101
begin = 20
end = 30

[JC_69]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_124]
file = "HOME/tests/c/duplets.c"
line = 107
begin = 6
end = 22

[JC_38]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_12]
file = "HOME/tests/c/duplets.c"
line = 63
begin = 16
end = 24

[JC_6]
file = "HOME/tests/c/duplets.c"
line = 64
begin = 44
end = 54

[JC_127]
file = "HOME/tests/c/duplets.c"
line = 109
begin = 5
end = 12

[JC_44]
file = "HOME/tests/c/duplets.jessie/duplets.jc"
line = 82
begin = 9
end = 2882

[JC_4]
file = "HOME/tests/c/duplets.c"
line = 64
begin = 30
end = 40

[JC_62]
file = "HOME/tests/c/duplets.c"
line = 94
begin = 18
end = 24

[JC_101]
file = "HOME/tests/c/duplets.c"
line = 100
begin = 30
end = 40

[JC_88]
file = "HOME/tests/c/duplets.c"
line = 100
begin = 30
end = 40

[JC_129]
file = "HOME/tests/c/duplets.c"
line = 109
begin = 5
end = 12

[JC_42]
file = "HOME/tests/c/duplets.c"
line = 74
begin = 26
end = 160

[JC_110]
file = "HOME/tests/c/duplets.c"
line = 99
begin = 16
end = 219

[JC_103]
file = "HOME/tests/c/duplets.c"
line = 100
begin = 44
end = 54

[JC_46]
kind = ArithOverflow
file = "HOME/tests/c/duplets.c"
line = 79
begin = 20
end = 27

[JC_61]
file = "HOME/tests/c/duplets.c"
line = 77
begin = 19
end = 26

[JC_32]
file = "HOME/tests/c/duplets.c"
line = 70
begin = 6
end = 63

[JC_56]
file = "HOME/tests/c/duplets.jessie/duplets.jc"
line = 110
begin = 21
end = 1263

[duplets_safety]
name = "Function duplets"
behavior = "Safety"
file = "HOME/tests/c/duplets.c"
line = 109
begin = 5
end = 12

[JC_33]
file = "HOME/tests/c/duplets.c"
line = 73
begin = 5
end = 11

[JC_65]
file = "HOME/tests/c/duplets.c"
line = 74
begin = 26
end = 32

[JC_118]
file = "HOME/tests/c/duplets.c"
line = 109
begin = 5
end = 12

[JC_105]
file = "HOME/tests/c/duplets.c"
line = 101
begin = 6
end = 16

[JC_29]
file = "HOME/tests/c/duplets.jessie/duplets.jc"
line = 64
begin = 9
end = 16

[JC_68]
file = "HOME/tests/c/duplets.c"
line = 74
begin = 26
end = 160

[JC_7]
file = "HOME/tests/c/duplets.c"
line = 64
begin = 44
end = 54

[JC_16]
file = "HOME/tests/c/duplets.c"
line = 64
begin = 30
end = 40

[JC_96]
file = "HOME/tests/c/duplets.c"
line = 99
begin = 16
end = 219

[JC_43]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_2]
file = "HOME/tests/c/duplets.c"
line = 64
begin = 6
end = 26

[JC_95]
file = "HOME/tests/c/duplets.c"
line = 102
begin = 6
end = 99

[JC_93]
file = "HOME/tests/c/duplets.c"
line = 101
begin = 20
end = 30

[JC_97]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_84]
file = "HOME/tests/c/duplets.c"
line = 99
begin = 16
end = 24

[JC_128]
file = "HOME/tests/c/duplets.c"
line = 109
begin = 5
end = 12

[JC_34]
file = "HOME/tests/c/duplets.c"
line = 73
begin = 5
end = 11

[JC_114]
file = "HOME/tests/c/duplets.c"
line = 107
begin = 6
end = 22

[JC_14]
file = "HOME/tests/c/duplets.c"
line = 64
begin = 6
end = 26

[JC_117]
file = "HOME/tests/c/duplets.c"
line = 109
begin = 5
end = 12

[JC_90]
file = "HOME/tests/c/duplets.c"
line = 100
begin = 44
end = 54

[JC_53]
file = "HOME/tests/c/duplets.c"
line = 82
begin = 34
end = 120

[JC_21]
file = "HOME/tests/c/duplets.c"
line = 63
begin = 16
end = 212

[JC_111]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_77]
file = "HOME/tests/c/duplets.c"
line = 82
begin = 34
end = 120

[JC_49]
kind = ArithOverflow
file = "HOME/tests/c/duplets.c"
line = 86
begin = 17
end = 20

[JC_1]
file = "HOME/tests/c/duplets.c"
line = 63
begin = 16
end = 24

[JC_131]
file = "HOME/tests/c/duplets.jessie/duplets.jc"
line = 175
begin = 9
end = 16

[JC_102]
file = "HOME/tests/c/duplets.c"
line = 100
begin = 30
end = 40

[JC_37]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_10]
file = "HOME/tests/c/duplets.c"
line = 63
begin = 16
end = 212

[JC_108]
file = "HOME/tests/c/duplets.c"
line = 101
begin = 20
end = 30

[JC_57]
kind = PointerDeref
file = "HOME/tests/c/duplets.c"
line = 87
begin = 12
end = 16

[JC_89]
file = "HOME/tests/c/duplets.c"
line = 100
begin = 44
end = 54

[JC_136]
kind = UserCall
file = "HOME/tests/c/duplets.jessie/duplets.jc"
line = 190
begin = 15
end = 102

[JC_66]
file = "HOME/tests/c/duplets.c"
line = 74
begin = 31
end = 41

[JC_59]
file = "HOME/tests/c/duplets.c"
line = 84
begin = 23
end = 30

[JC_20]
file = "HOME/tests/c/duplets.c"
line = 66
begin = 6
end = 80

[JC_18]
file = "HOME/tests/c/duplets.c"
line = 64
begin = 44
end = 54

[JC_3]
file = "HOME/tests/c/duplets.c"
line = 64
begin = 6
end = 26

[JC_92]
file = "HOME/tests/c/duplets.c"
line = 101
begin = 6
end = 16

[duplets_ensures_default]
name = "Function duplets"
behavior = "default behavior"
file = "HOME/tests/c/duplets.c"
line = 109
begin = 5
end = 12

[JC_86]
file = "HOME/tests/c/duplets.c"
line = 100
begin = 6
end = 26

[JC_60]
kind = ArithOverflow
file = "HOME/tests/c/duplets.c"
line = 79
begin = 29
end = 32

[JC_72]
file = "HOME/tests/c/duplets.jessie/duplets.jc"
line = 82
begin = 9
end = 2882

[JC_19]
file = "HOME/tests/c/duplets.c"
line = 65
begin = 6
end = 42

[JC_119]
file = "HOME/tests/c/duplets.c"
line = 109
begin = 5
end = 12

[JC_76]
file = "HOME/tests/c/duplets.c"
line = 83
begin = 12
end = 67

[JC_50]
file = "HOME/tests/c/duplets.c"
line = 82
begin = 34
end = 42

[JC_30]
file = "HOME/tests/c/duplets.c"
line = 70
begin = 6
end = 30

[JC_120]
file = "HOME/tests/c/duplets.jessie/duplets.jc"
line = 176
begin = 10
end = 54

[JC_58]
kind = ArithOverflow
file = "HOME/tests/c/duplets.c"
line = 86
begin = 31
end = 34

[JC_100]
file = "HOME/tests/c/duplets.c"
line = 100
begin = 6
end = 26

[JC_28]
file = "HOME/tests/c/duplets.jessie/duplets.jc"
line = 65
begin = 10
end = 28

========== file tests/c/duplets.jessie/why/duplets.why ==========
type charP

type int32

type int8

type intP

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

predicate eq_opt(x_0:int, o:intP pointer,
 intP_intM_o_1_at_L:(intP, int32) memory) =
 ((o <> null) and (x_0 = integer_of_int32(select(intP_intM_o_1_at_L, o))))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

logic intP_tag:  -> intP tag_id

axiom intP_int : (int_of_tag(intP_tag) = (1))

logic intP_of_pointer_address: unit pointer -> intP pointer

axiom intP_of_pointer_address_of_pointer_addr :
 (forall p:intP pointer. (p = intP_of_pointer_address(pointer_address(p))))

axiom intP_parenttag_bottom : parenttag(intP_tag, bottom_tag)

axiom intP_tags :
 (forall x:intP pointer.
  (forall intP_tag_table:intP tag_table.
   instanceof(intP_tag_table, x, intP_tag)))

predicate is_duplet(a:intP pointer, len:int, i_1:int, j_0:int,
 intP_intM_a_2_at_L:(intP, int32) memory) =
 (le_int((0), i_1)
 and (lt_int(i_1, j_0)
     and (lt_int(j_0, len)
         and (integer_of_int32(select(intP_intM_a_2_at_L, shift(a, i_1))) = 
             integer_of_int32(select(intP_intM_a_2_at_L, shift(a, j_0)))))))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_intP(p:intP pointer, a:int,
 intP_alloc_table:intP alloc_table) = (offset_min(intP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

axiom pointer_addr_of_intP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(intP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_intP(p:intP pointer, b:int,
 intP_alloc_table:intP alloc_table) = (offset_max(intP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) = a)
 and (offset_max(intP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) = a)
 and (offset_max(intP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) <= a)
 and (offset_max(intP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) <= a)
 and (offset_max(intP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

exception Goto__LOR_0_exc of unit

exception Goto__LOR_exc of unit

exception Goto_while_0_break_exc of unit

exception Goto_while_1_break_exc of unit

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter intP_alloc_table : intP alloc_table ref

parameter intP_tag_table : intP tag_table ref

parameter alloc_struct_intP :
 n:int ->
  intP_alloc_table:intP alloc_table ref ->
   intP_tag_table:intP tag_table ref ->
    { } intP pointer writes intP_alloc_table,intP_tag_table
    { (strict_valid_struct_intP(result, (0), sub_int(n, (1)),
       intP_alloc_table)
      and (alloc_extends(intP_alloc_table@, intP_alloc_table)
          and (alloc_fresh(intP_alloc_table@, result, n)
              and instanceof(intP_tag_table, result, intP_tag)))) }

parameter alloc_struct_intP_requires :
 n:int ->
  intP_alloc_table:intP alloc_table ref ->
   intP_tag_table:intP tag_table ref ->
    { ge_int(n, (0))} intP pointer writes intP_alloc_table,intP_tag_table
    { (strict_valid_struct_intP(result, (0), sub_int(n, (1)),
       intP_alloc_table)
      and (alloc_extends(intP_alloc_table@, intP_alloc_table)
          and (alloc_fresh(intP_alloc_table@, result, n)
              and instanceof(intP_tag_table, result, intP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int32 : unit -> { } int32 { true }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter duplet :
 a_0:intP pointer ->
  len_0:int32 ->
   except:intP pointer ->
    pi:intP pointer ->
     pj:intP pointer ->
      intP_intM_pj_6:(intP, int32) memory ref ->
       intP_intM_pi_5:(intP, int32) memory ref ->
        intP_pj_6_alloc_table:intP alloc_table ->
         intP_pi_5_alloc_table:intP alloc_table ->
          intP_except_4_alloc_table:intP alloc_table ->
           intP_a_3_alloc_table:intP alloc_table ->
            intP_intM_except_4:(intP, int32) memory ->
             intP_intM_a_3:(intP, int32) memory ->
              { } unit reads intP_intM_pi_5,intP_intM_pj_6
              writes intP_intM_pi_5,intP_intM_pj_6
              { (JC_36:
                ((JC_32:
                 ((JC_30:
                  is_duplet(a_0, integer_of_int32(len_0),
                  integer_of_int32(select(intP_intM_pi_5, pi)),
                  integer_of_int32(select(intP_intM_pj_6, pj)),
                  intP_intM_a_3))
                 and (JC_31:
                     (not eq_opt(integer_of_int32(select(intP_intM_a_3,
                                                  shift(a_0,
                                                  integer_of_int32(select(intP_intM_pi_5,
                                                                   pi))))),
                          except, intP_intM_except_4)))))
                and (JC_35:
                    ((JC_33:
                     not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5@,
                     intP_intM_pi_5, pset_singleton(pi)))
                    and (JC_34:
                        not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6@,
                        intP_intM_pj_6, pset_singleton(pj))))))) }

parameter duplet_requires :
 a_0:intP pointer ->
  len_0:int32 ->
   except:intP pointer ->
    pi:intP pointer ->
     pj:intP pointer ->
      intP_intM_pj_6:(intP, int32) memory ref ->
       intP_intM_pi_5:(intP, int32) memory ref ->
        intP_pj_6_alloc_table:intP alloc_table ->
         intP_pi_5_alloc_table:intP alloc_table ->
          intP_except_4_alloc_table:intP alloc_table ->
           intP_a_3_alloc_table:intP alloc_table ->
            intP_intM_except_4:(intP, int32) memory ->
             intP_intM_a_3:(intP, int32) memory ->
              { (JC_10:
                ((JC_1: le_int((2), integer_of_int32(len_0)))
                and ((JC_2:
                     le_int(offset_min(intP_a_3_alloc_table, a_0), (0)))
                    and ((JC_3:
                         ge_int(offset_max(intP_a_3_alloc_table, a_0),
                         sub_int(integer_of_int32(len_0), (1))))
                        and ((JC_4:
                             le_int(offset_min(intP_pi_5_alloc_table, pi),
                             (0)))
                            and ((JC_5:
                                 ge_int(offset_max(intP_pi_5_alloc_table, pi),
                                 (0)))
                                and ((JC_6:
                                     le_int(offset_min(intP_pj_6_alloc_table,
                                            pj),
                                     (0)))
                                    and ((JC_7:
                                         ge_int(offset_max(intP_pj_6_alloc_table,
                                                pj),
                                         (0)))
                                        and ((JC_8:
                                             ((except = null)
                                             or (le_int(offset_min(intP_except_4_alloc_table,
                                                        except),
                                                 (0))
                                                and ge_int(offset_max(intP_except_4_alloc_table,
                                                           except),
                                                    (0)))))
                                            and (JC_9:
                                                (exists i_2:int.
                                                 (exists j_1:int.
                                                  (is_duplet(a_0,
                                                   integer_of_int32(len_0),
                                                   i_2, j_1, intP_intM_a_3)
                                                  and (not eq_opt(integer_of_int32(
                                                                  select(intP_intM_a_3,
                                                                  shift(a_0,
                                                                  i_2))),
                                                           except,
                                                           intP_intM_except_4)))))))))))))))}
              unit reads intP_intM_pi_5,intP_intM_pj_6
              writes intP_intM_pi_5,intP_intM_pj_6
              { (JC_36:
                ((JC_32:
                 ((JC_30:
                  is_duplet(a_0, integer_of_int32(len_0),
                  integer_of_int32(select(intP_intM_pi_5, pi)),
                  integer_of_int32(select(intP_intM_pj_6, pj)),
                  intP_intM_a_3))
                 and (JC_31:
                     (not eq_opt(integer_of_int32(select(intP_intM_a_3,
                                                  shift(a_0,
                                                  integer_of_int32(select(intP_intM_pi_5,
                                                                   pi))))),
                          except, intP_intM_except_4)))))
                and (JC_35:
                    ((JC_33:
                     not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5@,
                     intP_intM_pi_5, pset_singleton(pi)))
                    and (JC_34:
                        not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6@,
                        intP_intM_pj_6, pset_singleton(pj))))))) }

parameter duplets :
 a_0_0:intP pointer ->
  len_0_0:int32 ->
   pi_0:intP pointer ->
    pj_0:intP pointer ->
     pk:intP pointer ->
      pl:intP pointer ->
       intP_intM_pl_11:(intP, int32) memory ref ->
        intP_intM_pk_10:(intP, int32) memory ref ->
         intP_intM_pj_0_9:(intP, int32) memory ref ->
          intP_intM_pi_0_8:(intP, int32) memory ref ->
           intP_pl_11_alloc_table:intP alloc_table ->
            intP_pk_10_alloc_table:intP alloc_table ->
             intP_pj_0_9_alloc_table:intP alloc_table ->
              intP_pi_0_8_alloc_table:intP alloc_table ->
               intP_a_0_7_alloc_table:intP alloc_table ->
                intP_intM_a_0_7:(intP, int32) memory ->
                 { } unit
                 reads intP_intM_pi_0_8,intP_intM_pj_0_9,intP_intM_pk_10,intP_intM_pl_11
                 writes intP_intM_pi_0_8,intP_intM_pj_0_9,intP_intM_pk_10,intP_intM_pl_11
                 { (JC_131:
                   ((JC_125:
                    ((JC_122:
                     is_duplet(a_0_0, integer_of_int32(len_0_0),
                     integer_of_int32(select(intP_intM_pi_0_8, pi_0)),
                     integer_of_int32(select(intP_intM_pj_0_9, pj_0)),
                     intP_intM_a_0_7))
                    and ((JC_123:
                         is_duplet(a_0_0, integer_of_int32(len_0_0),
                         integer_of_int32(select(intP_intM_pk_10, pk)),
                         integer_of_int32(select(intP_intM_pl_11, pl)),
                         intP_intM_a_0_7))
                        and (JC_124:
                            (integer_of_int32(select(intP_intM_a_0_7,
                                              shift(a_0_0,
                                              integer_of_int32(select(intP_intM_pi_0_8,
                                                               pi_0))))) <> 
                            integer_of_int32(select(intP_intM_a_0_7,
                                             shift(a_0_0,
                                             integer_of_int32(select(intP_intM_pk_10,
                                                              pk))))))))))
                   and (JC_130:
                       ((((JC_126:
                          not_assigns(intP_pi_0_8_alloc_table,
                          intP_intM_pi_0_8@, intP_intM_pi_0_8,
                          pset_singleton(pi_0)))
                         and (JC_127:
                             not_assigns(intP_pj_0_9_alloc_table,
                             intP_intM_pj_0_9@, intP_intM_pj_0_9,
                             pset_singleton(pj_0))))
                        and (JC_128:
                            not_assigns(intP_pk_10_alloc_table,
                            intP_intM_pk_10@, intP_intM_pk_10,
                            pset_singleton(pk))))
                       and (JC_129:
                           not_assigns(intP_pl_11_alloc_table,
                           intP_intM_pl_11@, intP_intM_pl_11,
                           pset_singleton(pl))))))) }

parameter duplets_requires :
 a_0_0:intP pointer ->
  len_0_0:int32 ->
   pi_0:intP pointer ->
    pj_0:intP pointer ->
     pk:intP pointer ->
      pl:intP pointer ->
       intP_intM_pl_11:(intP, int32) memory ref ->
        intP_intM_pk_10:(intP, int32) memory ref ->
         intP_intM_pj_0_9:(intP, int32) memory ref ->
          intP_intM_pi_0_8:(intP, int32) memory ref ->
           intP_pl_11_alloc_table:intP alloc_table ->
            intP_pk_10_alloc_table:intP alloc_table ->
             intP_pj_0_9_alloc_table:intP alloc_table ->
              intP_pi_0_8_alloc_table:intP alloc_table ->
               intP_a_0_7_alloc_table:intP alloc_table ->
                intP_intM_a_0_7:(intP, int32) memory ->
                 { (JC_96:
                   ((JC_84: le_int((4), integer_of_int32(len_0_0)))
                   and ((JC_85:
                        le_int(offset_min(intP_a_0_7_alloc_table, a_0_0),
                        (0)))
                       and ((JC_86:
                            ge_int(offset_max(intP_a_0_7_alloc_table, a_0_0),
                            sub_int(integer_of_int32(len_0_0), (1))))
                           and ((JC_87:
                                le_int(offset_min(intP_pi_0_8_alloc_table,
                                       pi_0),
                                (0)))
                               and ((JC_88:
                                    ge_int(offset_max(intP_pi_0_8_alloc_table,
                                           pi_0),
                                    (0)))
                                   and ((JC_89:
                                        le_int(offset_min(intP_pj_0_9_alloc_table,
                                               pj_0),
                                        (0)))
                                       and ((JC_90:
                                            ge_int(offset_max(intP_pj_0_9_alloc_table,
                                                   pj_0),
                                            (0)))
                                           and ((JC_91:
                                                le_int(offset_min(intP_pk_10_alloc_table,
                                                       pk),
                                                (0)))
                                               and ((JC_92:
                                                    ge_int(offset_max(intP_pk_10_alloc_table,
                                                           pk),
                                                    (0)))
                                                   and ((JC_93:
                                                        le_int(offset_min(intP_pl_11_alloc_table,
                                                               pl),
                                                        (0)))
                                                       and ((JC_94:
                                                            ge_int(offset_max(intP_pl_11_alloc_table,
                                                                   pl),
                                                            (0)))
                                                           and (JC_95:
                                                               (exists i_3:int.
                                                                (exists j_2:int.
                                                                 (exists k_0:int.
                                                                  (exists l_1:int.
                                                                   (is_duplet(a_0_0,
                                                                    integer_of_int32(len_0_0),
                                                                    i_3, j_2,
                                                                    intP_intM_a_0_7)
                                                                   and 
                                                                   (is_duplet(a_0_0,
                                                                    integer_of_int32(len_0_0),
                                                                    k_0, l_1,
                                                                    intP_intM_a_0_7)
                                                                   and 
                                                                   (integer_of_int32(
                                                                    select(intP_intM_a_0_7,
                                                                    shift(a_0_0,
                                                                    i_3))) <> 
                                                                   integer_of_int32(
                                                                   select(intP_intM_a_0_7,
                                                                   shift(a_0_0,
                                                                   k_0)))))))))))))))))))))))}
                 unit
                 reads intP_intM_pi_0_8,intP_intM_pj_0_9,intP_intM_pk_10,intP_intM_pl_11
                 writes intP_intM_pi_0_8,intP_intM_pj_0_9,intP_intM_pk_10,intP_intM_pl_11
                 { (JC_131:
                   ((JC_125:
                    ((JC_122:
                     is_duplet(a_0_0, integer_of_int32(len_0_0),
                     integer_of_int32(select(intP_intM_pi_0_8, pi_0)),
                     integer_of_int32(select(intP_intM_pj_0_9, pj_0)),
                     intP_intM_a_0_7))
                    and ((JC_123:
                         is_duplet(a_0_0, integer_of_int32(len_0_0),
                         integer_of_int32(select(intP_intM_pk_10, pk)),
                         integer_of_int32(select(intP_intM_pl_11, pl)),
                         intP_intM_a_0_7))
                        and (JC_124:
                            (integer_of_int32(select(intP_intM_a_0_7,
                                              shift(a_0_0,
                                              integer_of_int32(select(intP_intM_pi_0_8,
                                                               pi_0))))) <> 
                            integer_of_int32(select(intP_intM_a_0_7,
                                             shift(a_0_0,
                                             integer_of_int32(select(intP_intM_pk_10,
                                                              pk))))))))))
                   and (JC_130:
                       ((((JC_126:
                          not_assigns(intP_pi_0_8_alloc_table,
                          intP_intM_pi_0_8@, intP_intM_pi_0_8,
                          pset_singleton(pi_0)))
                         and (JC_127:
                             not_assigns(intP_pj_0_9_alloc_table,
                             intP_intM_pj_0_9@, intP_intM_pj_0_9,
                             pset_singleton(pj_0))))
                        and (JC_128:
                            not_assigns(intP_pk_10_alloc_table,
                            intP_intM_pk_10@, intP_intM_pk_10,
                            pset_singleton(pk))))
                       and (JC_129:
                           not_assigns(intP_pl_11_alloc_table,
                           intP_intM_pl_11@, intP_intM_pl_11,
                           pset_singleton(pl))))))) }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let duplet_ensures_default =
 fun (a_0 : intP pointer) (len_0 : int32) (except : intP pointer) (pi : intP pointer) (pj : intP pointer) (intP_intM_pi_5 : (intP, int32) memory ref) (intP_intM_pj_6 : (intP, int32) memory ref) (intP_a_3_alloc_table : intP alloc_table) (intP_except_4_alloc_table : intP alloc_table) (intP_pi_5_alloc_table : intP alloc_table) (intP_pj_6_alloc_table : intP alloc_table) (intP_intM_a_3 : (intP, int32) memory) (intP_intM_except_4 : (intP, int32) memory) ->
  { (JC_21:
    ((JC_12: le_int((2), integer_of_int32(len_0)))
    and ((JC_13: le_int(offset_min(intP_a_3_alloc_table, a_0), (0)))
        and ((JC_14:
             ge_int(offset_max(intP_a_3_alloc_table, a_0),
             sub_int(integer_of_int32(len_0), (1))))
            and ((JC_15: le_int(offset_min(intP_pi_5_alloc_table, pi), (0)))
                and ((JC_16:
                     ge_int(offset_max(intP_pi_5_alloc_table, pi), (0)))
                    and ((JC_17:
                         le_int(offset_min(intP_pj_6_alloc_table, pj), (0)))
                        and ((JC_18:
                             ge_int(offset_max(intP_pj_6_alloc_table, pj),
                             (0)))
                            and ((JC_19:
                                 ((except = null)
                                 or (le_int(offset_min(intP_except_4_alloc_table,
                                            except),
                                     (0))
                                    and ge_int(offset_max(intP_except_4_alloc_table,
                                               except),
                                        (0)))))
                                and (JC_20:
                                    (exists i_2:int.
                                     (exists j_1:int.
                                      (is_duplet(a_0,
                                       integer_of_int32(len_0), i_2, j_1,
                                       intP_intM_a_3)
                                      and (not eq_opt(integer_of_int32(
                                                      select(intP_intM_a_3,
                                                      shift(a_0, i_2))),
                                               except, intP_intM_except_4))))))))))))))) }
  (init:
  try
   begin
     (let i = ref (any_int32 void) in
     (let v = ref (any_int32 void) in
     (let j = ref (any_int32 void) in
     try
      begin
        try
         begin
           (let _jessie_ = (i := (safe_int32_of_integer_ (0))) in void);
          (loop_3:
          begin
            while true do
            { invariant
                ((JC_68:
                 ((JC_65: le_int((0), integer_of_int32(i)))
                 and ((JC_66:
                      le_int(integer_of_int32(i),
                      sub_int(integer_of_int32(len_0), (1))))
                     and (JC_67:
                         (forall k:int.
                          (forall l_0:int.
                           ((le_int((0), k)
                            and (lt_int(k, integer_of_int32(i))
                                and (lt_int(k, l_0)
                                    and lt_int(l_0, integer_of_int32(len_0))))) ->
                            ((not eq_opt(integer_of_int32(select(intP_intM_a_3,
                                                          shift(a_0, k))),
                                  except, intP_intM_except_4)) ->
                             (not is_duplet(a_0, integer_of_int32(len_0), k,
                                  l_0, intP_intM_a_3))))))))))
                and (JC_72:
                    ((JC_70:
                     not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5@init,
                     intP_intM_pi_5, pset_singleton(pi)))
                    and (JC_71:
                        not_assigns(intP_pj_6_alloc_table,
                        intP_intM_pj_6@init, intP_intM_pj_6,
                        pset_singleton(pj))))))  }
             begin
               [ { } unit { true } ];
              try
               begin
                 (let _jessie_ =
                 begin
                   (if ((le_int_ (integer_of_int32 !i)) (integer_of_int32 
                                                         (safe_int32_of_integer_ 
                                                          ((sub_int (integer_of_int32 len_0)) (2)))))
                   then void else (raise (Goto_while_0_break_exc void)));
                  try
                   begin
                     try
                      begin
                        (let _jessie_ =
                        (v := ((safe_acc_ intP_intM_a_3) ((shift a_0) 
                                                          (integer_of_int32 !i)))) in
                        void);
                       (if ((safe_eq_pointer except) null)
                       then (raise (Goto__LOR_exc void))
                       else
                        (if ((neq_int_ (integer_of_int32 ((safe_acc_ intP_intM_except_4) except))) 
                             (integer_of_int32 !v))
                        then (raise (Goto__LOR_exc void)) else void));
                       (raise (Goto__LOR_0_exc void));
                       (raise (Goto__LOR_exc void)) end with
                      Goto__LOR_exc _jessie_ ->
                      try
                       begin
                         (let _jessie_ =
                         (j := (safe_int32_of_integer_ ((add_int (integer_of_int32 !i)) (1)))) in
                         void);
                        (loop_4:
                        begin
                          while true do
                          { invariant
                              ((JC_77:
                               ((JC_74:
                                le_int(add_int(integer_of_int32(i), (1)),
                                integer_of_int32(j)))
                               and ((JC_75:
                                    le_int(integer_of_int32(j),
                                    integer_of_int32(len_0)))
                                   and (JC_76:
                                       (forall l:int.
                                        ((lt_int(integer_of_int32(i), l)
                                         and lt_int(l, integer_of_int32(j))) ->
                                         (not is_duplet(a_0,
                                              integer_of_int32(len_0),
                                              integer_of_int32(i), l,
                                              intP_intM_a_3))))))))
                              and (JC_81:
                                  ((JC_79:
                                   not_assigns(intP_pi_5_alloc_table,
                                   intP_intM_pi_5@init, intP_intM_pi_5,
                                   pset_singleton(pi)))
                                  and (JC_80:
                                      not_assigns(intP_pj_6_alloc_table,
                                      intP_intM_pj_6@init, intP_intM_pj_6,
                                      pset_singleton(pj))))))  }
                           begin
                             [ { } unit { true } ];
                            try
                             begin
                               (let _jessie_ =
                               begin
                                 (if ((lt_int_ (integer_of_int32 !j)) 
                                      (integer_of_int32 len_0)) then void
                                 else (raise (Goto_while_1_break_exc void)));
                                (if ((eq_int_ (integer_of_int32 ((safe_acc_ intP_intM_a_3) 
                                                                 ((shift a_0) 
                                                                  (integer_of_int32 !j))))) 
                                     (integer_of_int32 !v))
                                then
                                 begin
                                   (let _jessie_ = !i in
                                   (let _jessie_ = pi in
                                   (((safe_upd_ intP_intM_pi_5) _jessie_) _jessie_)));
                                  (let _jessie_ = !j in
                                  (let _jessie_ = pj in
                                  (((safe_upd_ intP_intM_pj_6) _jessie_) _jessie_)));
                                  (raise (Return_label_exc void)) end
                                else void);
                                (j := (safe_int32_of_integer_ ((add_int 
                                                                (integer_of_int32 !j)) (1))));
                                !j end in void);
                              (raise (Loop_continue_exc void)) end with
                             Loop_continue_exc _jessie_ -> void end end done;
                         (raise (Goto_while_1_break_exc void)) end) end with
                       Goto_while_1_break_exc _jessie_ ->
                       (while_1_break: void) end end;
                    (raise (Goto__LOR_0_exc void)) end with
                   Goto__LOR_0_exc _jessie_ -> void end;
                  (i := (safe_int32_of_integer_ ((add_int (integer_of_int32 !i)) (1))));
                  !i end in void); (raise (Loop_continue_exc void)) end with
               Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ -> (while_0_break: void) end;
       (assert { (JC_83: (false = true)) }; void); void;
       (raise (Return_label_exc void)) end with Return_label_exc _jessie_ ->
      (return_label: (raise Return)) end))); (raise Return) end with
   Return -> void end)
  { (JC_29:
    ((JC_25:
     ((JC_23:
      is_duplet(a_0, integer_of_int32(len_0),
      integer_of_int32(select(intP_intM_pi_5, pi)),
      integer_of_int32(select(intP_intM_pj_6, pj)), intP_intM_a_3))
     and (JC_24:
         (not eq_opt(integer_of_int32(select(intP_intM_a_3,
                                      shift(a_0,
                                      integer_of_int32(select(intP_intM_pi_5,
                                                       pi))))),
              except, intP_intM_except_4)))))
    and (JC_28:
        ((JC_26:
         not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5@, intP_intM_pi_5,
         pset_singleton(pi)))
        and (JC_27:
            not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6@,
            intP_intM_pj_6, pset_singleton(pj))))))) } 

let duplet_safety =
 fun (a_0 : intP pointer) (len_0 : int32) (except : intP pointer) (pi : intP pointer) (pj : intP pointer) (intP_intM_pi_5 : (intP, int32) memory ref) (intP_intM_pj_6 : (intP, int32) memory ref) (intP_a_3_alloc_table : intP alloc_table) (intP_except_4_alloc_table : intP alloc_table) (intP_pi_5_alloc_table : intP alloc_table) (intP_pj_6_alloc_table : intP alloc_table) (intP_intM_a_3 : (intP, int32) memory) (intP_intM_except_4 : (intP, int32) memory) ->
  { (JC_21:
    ((JC_12: le_int((2), integer_of_int32(len_0)))
    and ((JC_13: le_int(offset_min(intP_a_3_alloc_table, a_0), (0)))
        and ((JC_14:
             ge_int(offset_max(intP_a_3_alloc_table, a_0),
             sub_int(integer_of_int32(len_0), (1))))
            and ((JC_15: le_int(offset_min(intP_pi_5_alloc_table, pi), (0)))
                and ((JC_16:
                     ge_int(offset_max(intP_pi_5_alloc_table, pi), (0)))
                    and ((JC_17:
                         le_int(offset_min(intP_pj_6_alloc_table, pj), (0)))
                        and ((JC_18:
                             ge_int(offset_max(intP_pj_6_alloc_table, pj),
                             (0)))
                            and ((JC_19:
                                 ((except = null)
                                 or (le_int(offset_min(intP_except_4_alloc_table,
                                            except),
                                     (0))
                                    and ge_int(offset_max(intP_except_4_alloc_table,
                                               except),
                                        (0)))))
                                and (JC_20:
                                    (exists i_2:int.
                                     (exists j_1:int.
                                      (is_duplet(a_0,
                                       integer_of_int32(len_0), i_2, j_1,
                                       intP_intM_a_3)
                                      and (not eq_opt(integer_of_int32(
                                                      select(intP_intM_a_3,
                                                      shift(a_0, i_2))),
                                               except, intP_intM_except_4))))))))))))))) }
  (init:
  try
   begin
     (let i = ref (any_int32 void) in
     (let v = ref (any_int32 void) in
     (let j = ref (any_int32 void) in
     try
      begin
        try
         begin
           (let _jessie_ = (i := (safe_int32_of_integer_ (0))) in void);
          (loop_1:
          begin
            while true do
            { invariant (JC_44: true)
              variant (JC_61 : sub_int(integer_of_int32(len_0),
                               integer_of_int32(i))) }
             begin
               [ { } unit reads i
                 { (JC_42:
                   ((JC_39: le_int((0), integer_of_int32(i)))
                   and ((JC_40:
                        le_int(integer_of_int32(i),
                        sub_int(integer_of_int32(len_0), (1))))
                       and (JC_41:
                           (forall k:int.
                            (forall l_0:int.
                             ((le_int((0), k)
                              and (lt_int(k, integer_of_int32(i))
                                  and (lt_int(k, l_0)
                                      and lt_int(l_0,
                                          integer_of_int32(len_0))))) ->
                              ((not eq_opt(integer_of_int32(select(intP_intM_a_3,
                                                            shift(a_0, k))),
                                    except, intP_intM_except_4)) ->
                               (not is_duplet(a_0, integer_of_int32(len_0),
                                    k, l_0, intP_intM_a_3)))))))))) } ];
              try
               begin
                 (let _jessie_ =
                 begin
                   (if ((le_int_ (integer_of_int32 !i)) (integer_of_int32 
                                                         (JC_46:
                                                         (int32_of_integer_ 
                                                          ((sub_int (integer_of_int32 len_0)) (2))))))
                   then void else (raise (Goto_while_0_break_exc void)));
                  try
                   begin
                     try
                      begin
                        (let _jessie_ =
                        (v := (JC_47:
                              ((((offset_acc_ intP_a_3_alloc_table) intP_intM_a_3) a_0) 
                               (integer_of_int32 !i)))) in void);
                       (if ((eq_pointer except) null)
                       then (raise (Goto__LOR_exc void))
                       else
                        (if ((neq_int_ (integer_of_int32 (JC_48:
                                                         (((acc_ intP_except_4_alloc_table) intP_intM_except_4) except)))) 
                             (integer_of_int32 !v))
                        then (raise (Goto__LOR_exc void)) else void));
                       (raise (Goto__LOR_0_exc void));
                       (raise (Goto__LOR_exc void)) end with
                      Goto__LOR_exc _jessie_ ->
                      try
                       begin
                         (let _jessie_ =
                         (j := (JC_49:
                               (int32_of_integer_ ((add_int (integer_of_int32 !i)) (1))))) in
                         void);
                        (loop_2:
                        begin
                          while true do
                          { invariant (JC_55: true)
                            variant (JC_59 : sub_int(integer_of_int32(len_0),
                                             integer_of_int32(j))) }
                           begin
                             [ { } unit reads i,j
                               { (JC_53:
                                 ((JC_50:
                                  le_int(add_int(integer_of_int32(i), (1)),
                                  integer_of_int32(j)))
                                 and ((JC_51:
                                      le_int(integer_of_int32(j),
                                      integer_of_int32(len_0)))
                                     and (JC_52:
                                         (forall l:int.
                                          ((lt_int(integer_of_int32(i), l)
                                           and lt_int(l, integer_of_int32(j))) ->
                                           (not is_duplet(a_0,
                                                integer_of_int32(len_0),
                                                integer_of_int32(i), l,
                                                intP_intM_a_3)))))))) } ];
                            try
                             begin
                               (let _jessie_ =
                               begin
                                 (if ((lt_int_ (integer_of_int32 !j)) 
                                      (integer_of_int32 len_0)) then void
                                 else (raise (Goto_while_1_break_exc void)));
                                (if ((eq_int_ (integer_of_int32 (JC_57:
                                                                ((((offset_acc_ intP_a_3_alloc_table) intP_intM_a_3) a_0) 
                                                                 (integer_of_int32 !j))))) 
                                     (integer_of_int32 !v))
                                then
                                 begin
                                   (let _jessie_ = !i in
                                   (let _jessie_ = pi in
                                   (JC_63:
                                   ((((upd_ intP_pi_5_alloc_table) intP_intM_pi_5) _jessie_) _jessie_))));
                                  (let _jessie_ = !j in
                                  (let _jessie_ = pj in
                                  (JC_64:
                                  ((((upd_ intP_pj_6_alloc_table) intP_intM_pj_6) _jessie_) _jessie_))));
                                  (raise (Return_label_exc void)) end
                                else void);
                                (j := (JC_58:
                                      (int32_of_integer_ ((add_int (integer_of_int32 !j)) (1)))));
                                !j end in void);
                              (raise (Loop_continue_exc void)) end with
                             Loop_continue_exc _jessie_ -> void end end done;
                         (raise (Goto_while_1_break_exc void)) end) end with
                       Goto_while_1_break_exc _jessie_ ->
                       (while_1_break: void) end end;
                    (raise (Goto__LOR_0_exc void)) end with
                   Goto__LOR_0_exc _jessie_ -> void end;
                  (i := (JC_60:
                        (int32_of_integer_ ((add_int (integer_of_int32 !i)) (1)))));
                  !i end in void); (raise (Loop_continue_exc void)) end with
               Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ -> (while_0_break: void) end;
       [ { } unit { (JC_62: (false = true)) } ]; void;
       (raise (Return_label_exc void)) end with Return_label_exc _jessie_ ->
      (return_label: (raise Return)) end))); (raise Return) end with
   Return -> void end) { true } 

let duplets_ensures_default =
 fun (a_0_0 : intP pointer) (len_0_0 : int32) (pi_0 : intP pointer) (pj_0 : intP pointer) (pk : intP pointer) (pl : intP pointer) (intP_intM_pi_0_8 : (intP, int32) memory ref) (intP_intM_pj_0_9 : (intP, int32) memory ref) (intP_intM_pk_10 : (intP, int32) memory ref) (intP_intM_pl_11 : (intP, int32) memory ref) (intP_a_0_7_alloc_table : intP alloc_table) (intP_pi_0_8_alloc_table : intP alloc_table) (intP_pj_0_9_alloc_table : intP alloc_table) (intP_pk_10_alloc_table : intP alloc_table) (intP_pl_11_alloc_table : intP alloc_table) (intP_intM_a_0_7 : (intP, int32) memory) ->
  { (JC_110:
    ((JC_98: le_int((4), integer_of_int32(len_0_0)))
    and ((JC_99: le_int(offset_min(intP_a_0_7_alloc_table, a_0_0), (0)))
        and ((JC_100:
             ge_int(offset_max(intP_a_0_7_alloc_table, a_0_0),
             sub_int(integer_of_int32(len_0_0), (1))))
            and ((JC_101:
                 le_int(offset_min(intP_pi_0_8_alloc_table, pi_0), (0)))
                and ((JC_102:
                     ge_int(offset_max(intP_pi_0_8_alloc_table, pi_0), (0)))
                    and ((JC_103:
                         le_int(offset_min(intP_pj_0_9_alloc_table, pj_0),
                         (0)))
                        and ((JC_104:
                             ge_int(offset_max(intP_pj_0_9_alloc_table, pj_0),
                             (0)))
                            and ((JC_105:
                                 le_int(offset_min(intP_pk_10_alloc_table,
                                        pk),
                                 (0)))
                                and ((JC_106:
                                     ge_int(offset_max(intP_pk_10_alloc_table,
                                            pk),
                                     (0)))
                                    and ((JC_107:
                                         le_int(offset_min(intP_pl_11_alloc_table,
                                                pl),
                                         (0)))
                                        and ((JC_108:
                                             ge_int(offset_max(intP_pl_11_alloc_table,
                                                    pl),
                                             (0)))
                                            and (JC_109:
                                                (exists i_3:int.
                                                 (exists j_2:int.
                                                  (exists k_0:int.
                                                   (exists l_1:int.
                                                    (is_duplet(a_0_0,
                                                     integer_of_int32(len_0_0),
                                                     i_3, j_2,
                                                     intP_intM_a_0_7)
                                                    and (is_duplet(a_0_0,
                                                         integer_of_int32(len_0_0),
                                                         k_0, l_1,
                                                         intP_intM_a_0_7)
                                                        and (integer_of_int32(
                                                             select(intP_intM_a_0_7,
                                                             shift(a_0_0,
                                                             i_3))) <> 
                                                            integer_of_int32(
                                                            select(intP_intM_a_0_7,
                                                            shift(a_0_0, k_0))))))))))))))))))))))) }
  (init:
  try
   begin
     (let intP_intM_null_15 = (any_memory void) in
     (let intP_null_15_alloc_table = (any_alloc_table void) in
     begin
       (let _jessie_ = a_0_0 in
       (let _jessie_ = len_0_0 in
       (let _jessie_ = null in
       (let _jessie_ = pi_0 in
       (let _jessie_ = pj_0 in
       (JC_137:
       (((((((((((((duplet _jessie_) _jessie_) _jessie_) _jessie_) _jessie_) intP_intM_pj_0_9) intP_intM_pi_0_8) intP_pj_0_9_alloc_table) intP_pi_0_8_alloc_table) intP_null_15_alloc_table) intP_a_0_7_alloc_table) intP_intM_null_15) intP_intM_a_0_7)))))));
      (let _jessie_ = a_0_0 in
      (let _jessie_ = len_0_0 in
      (let _jessie_ =
      ((shift a_0_0) (integer_of_int32 ((safe_acc_ !intP_intM_pi_0_8) pi_0))) in
      (let _jessie_ = pk in
      (let _jessie_ = pl in
      (JC_138:
      (((((((((((((duplet _jessie_) _jessie_) _jessie_) _jessie_) _jessie_) intP_intM_pl_11) intP_intM_pk_10) intP_pl_11_alloc_table) intP_pk_10_alloc_table) intP_a_0_7_alloc_table) intP_a_0_7_alloc_table) intP_intM_a_0_7) intP_intM_a_0_7)))))));
      (raise Return) end)); (raise Return) end with Return -> void end)
  { (JC_121:
    ((JC_115:
     ((JC_112:
      is_duplet(a_0_0, integer_of_int32(len_0_0),
      integer_of_int32(select(intP_intM_pi_0_8, pi_0)),
      integer_of_int32(select(intP_intM_pj_0_9, pj_0)), intP_intM_a_0_7))
     and ((JC_113:
          is_duplet(a_0_0, integer_of_int32(len_0_0),
          integer_of_int32(select(intP_intM_pk_10, pk)),
          integer_of_int32(select(intP_intM_pl_11, pl)), intP_intM_a_0_7))
         and (JC_114:
             (integer_of_int32(select(intP_intM_a_0_7,
                               shift(a_0_0,
                               integer_of_int32(select(intP_intM_pi_0_8,
                                                pi_0))))) <> integer_of_int32(
                                                             select(intP_intM_a_0_7,
                                                             shift(a_0_0,
                                                             integer_of_int32(
                                                             select(intP_intM_pk_10,
                                                             pk))))))))))
    and (JC_120:
        ((((JC_116:
           not_assigns(intP_pi_0_8_alloc_table, intP_intM_pi_0_8@,
           intP_intM_pi_0_8, pset_singleton(pi_0)))
          and (JC_117:
              not_assigns(intP_pj_0_9_alloc_table, intP_intM_pj_0_9@,
              intP_intM_pj_0_9, pset_singleton(pj_0))))
         and (JC_118:
             not_assigns(intP_pk_10_alloc_table, intP_intM_pk_10@,
             intP_intM_pk_10, pset_singleton(pk))))
        and (JC_119:
            not_assigns(intP_pl_11_alloc_table, intP_intM_pl_11@,
            intP_intM_pl_11, pset_singleton(pl))))))) } 

let duplets_safety =
 fun (a_0_0 : intP pointer) (len_0_0 : int32) (pi_0 : intP pointer) (pj_0 : intP pointer) (pk : intP pointer) (pl : intP pointer) (intP_intM_pi_0_8 : (intP, int32) memory ref) (intP_intM_pj_0_9 : (intP, int32) memory ref) (intP_intM_pk_10 : (intP, int32) memory ref) (intP_intM_pl_11 : (intP, int32) memory ref) (intP_a_0_7_alloc_table : intP alloc_table) (intP_pi_0_8_alloc_table : intP alloc_table) (intP_pj_0_9_alloc_table : intP alloc_table) (intP_pk_10_alloc_table : intP alloc_table) (intP_pl_11_alloc_table : intP alloc_table) (intP_intM_a_0_7 : (intP, int32) memory) ->
  { (JC_110:
    ((JC_98: le_int((4), integer_of_int32(len_0_0)))
    and ((JC_99: le_int(offset_min(intP_a_0_7_alloc_table, a_0_0), (0)))
        and ((JC_100:
             ge_int(offset_max(intP_a_0_7_alloc_table, a_0_0),
             sub_int(integer_of_int32(len_0_0), (1))))
            and ((JC_101:
                 le_int(offset_min(intP_pi_0_8_alloc_table, pi_0), (0)))
                and ((JC_102:
                     ge_int(offset_max(intP_pi_0_8_alloc_table, pi_0), (0)))
                    and ((JC_103:
                         le_int(offset_min(intP_pj_0_9_alloc_table, pj_0),
                         (0)))
                        and ((JC_104:
                             ge_int(offset_max(intP_pj_0_9_alloc_table, pj_0),
                             (0)))
                            and ((JC_105:
                                 le_int(offset_min(intP_pk_10_alloc_table,
                                        pk),
                                 (0)))
                                and ((JC_106:
                                     ge_int(offset_max(intP_pk_10_alloc_table,
                                            pk),
                                     (0)))
                                    and ((JC_107:
                                         le_int(offset_min(intP_pl_11_alloc_table,
                                                pl),
                                         (0)))
                                        and ((JC_108:
                                             ge_int(offset_max(intP_pl_11_alloc_table,
                                                    pl),
                                             (0)))
                                            and (JC_109:
                                                (exists i_3:int.
                                                 (exists j_2:int.
                                                  (exists k_0:int.
                                                   (exists l_1:int.
                                                    (is_duplet(a_0_0,
                                                     integer_of_int32(len_0_0),
                                                     i_3, j_2,
                                                     intP_intM_a_0_7)
                                                    and (is_duplet(a_0_0,
                                                         integer_of_int32(len_0_0),
                                                         k_0, l_1,
                                                         intP_intM_a_0_7)
                                                        and (integer_of_int32(
                                                             select(intP_intM_a_0_7,
                                                             shift(a_0_0,
                                                             i_3))) <> 
                                                            integer_of_int32(
                                                            select(intP_intM_a_0_7,
                                                            shift(a_0_0, k_0))))))))))))))))))))))) }
  (init:
  try
   begin
     (let intP_intM_null_15 = (any_memory void) in
     (let intP_null_15_alloc_table = (any_alloc_table void) in
     begin
       (let _jessie_ = a_0_0 in
       (let _jessie_ = len_0_0 in
       (let _jessie_ = null in
       (let _jessie_ = pi_0 in
       (let _jessie_ = pj_0 in
       (JC_134:
       (((((((((((((duplet_requires _jessie_) _jessie_) _jessie_) _jessie_) _jessie_) intP_intM_pj_0_9) intP_intM_pi_0_8) intP_pj_0_9_alloc_table) intP_pi_0_8_alloc_table) intP_null_15_alloc_table) intP_a_0_7_alloc_table) intP_intM_null_15) intP_intM_a_0_7)))))));
      (let _jessie_ = a_0_0 in
      (let _jessie_ = len_0_0 in
      (let _jessie_ =
      ((shift a_0_0) (integer_of_int32 (JC_135:
                                       (((acc_ intP_pi_0_8_alloc_table) !intP_intM_pi_0_8) pi_0)))) in
      (let _jessie_ = pk in
      (let _jessie_ = pl in
      (JC_136:
      (((((((((((((duplet_requires _jessie_) _jessie_) _jessie_) _jessie_) _jessie_) intP_intM_pl_11) intP_intM_pk_10) intP_pl_11_alloc_table) intP_pk_10_alloc_table) intP_a_0_7_alloc_table) intP_a_0_7_alloc_table) intP_intM_a_0_7) intP_intM_a_0_7)))))));
      (raise Return) end)); (raise Return) end with Return -> void end)
  { true } 


why-2.39/tests/c/oracle/swap.res.oracle0000644000106100004300000004537613147234006017032 0ustar  marchevals========== file tests/c/swap.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

int a;
int b;

/*@ ensures a == \old(b) && b == \old(a);
  @*/
void swap() {
  int tmp = a;
  a = b;
  b = tmp;
}
========== frama-c -jessie execution ==========
[kernel] Parsing FRAMAC_SHARE/libc/__fc_builtin_for_normalization.i (no preprocessing)
[kernel] Parsing tests/c/swap.c (with preprocessing)
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/swap.jessie
[jessie] File tests/c/swap.jessie/swap.jc written.
[jessie] File tests/c/swap.jessie/swap.cloc written.
========== file tests/c/swap.jessie/swap.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type int8 = -128..127

type int32 = -2147483648..2147483647

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

int32 a;

int32 b;

unit swap()
behavior default:
  ensures (_C_4 : ((_C_5 : (a == \at(b,Old))) && (_C_6 : (b == \at(a,Old)))));
{  
   (var int32 tmp);
   
   {  (_C_1 : (tmp = a));
      (_C_2 : (a = b));
      (_C_3 : (b = tmp));
      
      (return ())
   }
}
========== file tests/c/swap.jessie/swap.cloc ==========
[_C_4]
file = "HOME/tests/c/swap.c"
line = 35
begin = 15
end = 43

[_C_5]
file = "HOME/tests/c/swap.c"
line = 35
begin = 15
end = 27

[_C_6]
file = "HOME/tests/c/swap.c"
line = 35
begin = 31
end = 43

[_C_3]
file = "HOME/tests/c/swap.c"
line = 40
begin = 6
end = 9

[swap]
name = "Function swap"
file = "HOME/tests/c/swap.c"
line = 37
begin = 5
end = 9

[_C_2]
file = "HOME/tests/c/swap.c"
line = 39
begin = 6
end = 7

[_C_1]
file = "HOME/tests/c/swap.c"
line = 38
begin = 2
end = 5

========== jessie execution ==========
Generating Why function swap
========== file tests/c/swap.jessie/swap.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/swap_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: swap.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: swap.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: swap.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/c/swap.jessie/swap.loc ==========
[JC_5]
file = "HOME/tests/c/swap.c"
line = 35
begin = 15
end = 27

[JC_9]
file = "HOME/tests/c/swap.c"
line = 35
begin = 31
end = 43

[JC_8]
file = "HOME/tests/c/swap.c"
line = 35
begin = 15
end = 27

[JC_11]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/tests/c/swap.c"
line = 35
begin = 31
end = 43

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[swap_ensures_default]
name = "Function swap"
behavior = "default behavior"
file = "HOME/tests/c/swap.c"
line = 37
begin = 5
end = 9

[swap_safety]
name = "Function swap"
behavior = "Safety"
file = "HOME/tests/c/swap.c"
line = 37
begin = 5
end = 9

[JC_7]
file = "HOME/tests/c/swap.c"
line = 35
begin = 15
end = 43

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1]
file = "HOME/tests/c/swap.c"
line = 37
begin = 5
end = 9

[JC_10]
file = "HOME/tests/c/swap.c"
line = 35
begin = 15
end = 43

[JC_3]
file = "HOME/tests/c/swap.c"
line = 37
begin = 5
end = 9

========== file tests/c/swap.jessie/why/swap.why ==========
type charP

type int32

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter a : int32 ref

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int32 : unit -> { } int32 { true }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter b : int32 ref

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter swap :
 tt:unit ->
  { } unit reads a,b writes a,b
  { (JC_10:
    ((JC_8: (integer_of_int32(a) = integer_of_int32(b@)))
    and (JC_9: (integer_of_int32(b) = integer_of_int32(a@))))) }

parameter swap_requires :
 tt:unit ->
  { } unit reads a,b writes a,b
  { (JC_10:
    ((JC_8: (integer_of_int32(a) = integer_of_int32(b@)))
    and (JC_9: (integer_of_int32(b) = integer_of_int32(a@))))) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let swap_ensures_default =
 fun (tt : unit) ->
  { (JC_4: true) }
  (init:
  try
   begin
     (let tmp = ref (any_int32 void) in
     begin
       (let _jessie_ = (tmp := !a) in void);
      (let _jessie_ = (a := !b) in void);
      (let _jessie_ = (b := !tmp) in void); (raise Return) end);
    (raise Return) end with Return -> void end)
  { (JC_7:
    ((JC_5: (integer_of_int32(a) = integer_of_int32(b@)))
    and (JC_6: (integer_of_int32(b) = integer_of_int32(a@))))) } 

let swap_safety =
 fun (tt : unit) ->
  { (JC_4: true) }
  (init:
  try
   begin
     (let tmp = ref (any_int32 void) in
     begin
       (let _jessie_ = (tmp := !a) in void);
      (let _jessie_ = (a := !b) in void);
      (let _jessie_ = (b := !tmp) in void); (raise Return) end);
    (raise Return) end with Return -> void end) { true } 


why-2.39/tests/c/oracle/selection_sort.res.oracle0000644000106100004300000020175413147234006021106 0ustar  marchevals========== file tests/c/selection_sort.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

// RUNSIMPLIFY: will ask regtests to run Simplify on this program

#pragma JessieIntegerModel(math)

#include "sorting.h"

/*@ requires \valid(t+i) && \valid(t+j);
  @ assigns t[i],t[j];
  @ ensures Swap{Old,Here}(t,i,j);
  @*/
void swap(int t[], int i, int j) {
  int tmp = t[i];
  t[i] = t[j];
  t[j] = tmp;
}

/*@ requires \valid(t+(0..n-1));
  @ behavior sorted:
  @   ensures Sorted(t,0,n);
  @ behavior permutation:
  @   ensures Permut{Old,Here}(t,0,n-1);
  @*/
void sel_sort(int t[], int n) {
  int i,j;
  int mi,mv;
  if (n <= 0) return;
  /*@ loop invariant 0 <= i < n;
    @ for sorted:
    @  loop invariant
    @   Sorted(t,0,i) &&
    @   (\forall integer k1, k2 ;
    @      0 <= k1 < i <= k2 < n ==> t[k1] <= t[k2]) ;
    @ for permutation:
    @  loop invariant Permut{Pre,Here}(t,0,n-1);
    @ loop variant n-i;
    @*/
  for (i=0; i t[k] >= mv);
      @ for permutation:
      @  loop invariant
      @   Permut{Pre,Here}(t,0,n-1);
      @ loop variant n-j;
      @*/
    for (j=i+1; j < n; j++) {
      if (t[j] < mv) {
	mi = j ; mv = t[j];
      }
    }
  L:
    swap(t,i,mi);
    //@ assert Permut{L,Here}(t,0,n-1);
  }
}


/*
Local Variables:
compile-command: "frama-c -jessie selection_sort.c"
End:
*/
========== frama-c -jessie execution ==========
[kernel] Parsing FRAMAC_SHARE/libc/__fc_builtin_for_normalization.i (no preprocessing)
[kernel] Parsing tests/c/selection_sort.c (with preprocessing)
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/selection_sort.jessie
[jessie] File tests/c/selection_sort.jessie/selection_sort.jc written.
[jessie] File tests/c/selection_sort.jessie/selection_sort.cloc written.
========== file tests/c/selection_sort.jessie/selection_sort.jc ==========
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

tag intP = {
  integer intM: 32;
}

type intP = [intP]

tag unsigned_charP = {
  integer unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  integer charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

predicate Swap{L1, L2}(intP[..] a, integer i_1, integer j_0) =
(((\at((a + i_1).intM,L1) == \at((a + j_0).intM,L2)) &&
   (\at((a + j_0).intM,L1) == \at((a + i_1).intM,L2))) &&
  (\forall integer k;
    (((k != i_1) && (k != j_0)) ==>
      (\at((a + k).intM,L1) == \at((a + k).intM,L2)))))

predicate Permut{L1, L2}(intP[..] a_0, integer l, integer h) {
case Permut_refl{L}: \at((\forall intP[..] a_1;
                           (\forall integer l_0;
                             (\forall integer h_0;
                               Permut{L,
                               L}(a_1, l_0, h_0)))),L);
  
  case Permut_sym{L1, L2}: (\forall intP[..] a_2;
                             (\forall integer l_1;
                               (\forall integer h_1;
                                 (Permut{L1,
                                   L2}(a_2, l_1, h_1) ==>
                                   Permut{L2,
                                   L1}(a_2, l_1, h_1)))));
  
  case Permut_trans{L1, L2, L3}: (\forall intP[..] a_3;
                                   (\forall integer l_2;
                                     (\forall integer h_2;
                                       ((Permut{L1,
                                          L2}(a_3, l_2, h_2) &&
                                          Permut{L2,
                                          L3}(a_3, l_2, h_2)) ==>
                                         Permut{L1,
                                         L3}(a_3, l_2, h_2)))));
  
  case Permut_swap{L1, L2}: (\forall intP[..] a_4;
                              (\forall integer l_3;
                                (\forall integer h_3;
                                  (\forall integer i_2;
                                    (\forall integer j_1;
                                      ((((((l_3 <= i_2) && (i_2 <= h_3)) &&
                                           (l_3 <= j_1)) &&
                                          (j_1 <= h_3)) &&
                                         Swap{L1,
                                         L2}(a_4, i_2, j_1)) ==>
                                        Permut{L1,
                                        L2}(a_4, l_3, h_3)))))));
  
}

predicate Sorted{L}(intP[..] a_5, integer l_4, integer h_4) =
(\forall integer i_3;
  (\forall integer j_2;
    ((((l_4 <= i_3) && (i_3 <= j_2)) && (j_2 < h_4)) ==>
      ((a_5 + i_3).intM <= (a_5 + j_2).intM))))

unit swap(intP[..] t_0, integer i, integer j)
  requires (_C_13 : (((_C_15 : (\offset_min(t_0) <= i)) &&
                       (_C_16 : (\offset_max(t_0) >= i))) &&
                      ((_C_18 : (\offset_min(t_0) <= j)) &&
                        (_C_19 : (\offset_max(t_0) >= j)))));
behavior default:
  assigns (t_0 + i).intM,
  (t_0 + j).intM;
  ensures (_C_12 : Swap{Old, Here}(\at(t_0,Old), \at(i,Old), \at(j,Old)));
{  
   (var integer tmp);
   
   {  (_C_3 : (tmp = (_C_2 : (_C_1 : (t_0 + i)).intM)));
      (_C_8 : ((_C_7 : (_C_6 : (t_0 + i)).intM) = (_C_5 : (_C_4 : (t_0 + j)).intM)));
      (_C_11 : ((_C_10 : (_C_9 : (t_0 + j)).intM) = tmp));
      
      (return ())
   }
}

unit sel_sort(intP[..] t, integer n_1)
  requires (_C_61 : ((_C_62 : (\offset_min(t) <= 0)) &&
                      (_C_63 : (\offset_max(t) >= (n_1 - 1)))));
behavior default:
  ensures (_C_58 : true);
behavior sorted:
  ensures (_C_59 : Sorted{Here}(\at(t,Old), 0, \at(n_1,Old)));
behavior permutation:
  ensures (_C_60 : Permut{Old, Here}(\at(t,Old), 0, (\at(n_1,Old) - 1)));
{  
   (var integer i_0);
   
   (var integer j_0);
   
   (var integer mi);
   
   (var integer mv);
   
   {  (if (n_1 <= 0) then 
      (goto return_label) else ());
      (_C_20 : (i_0 = 0));
      
      loop 
      behavior default:
        invariant (_C_26 : ((_C_27 : (0 <= i_0)) && (_C_28 : (i_0 < n_1))));
      behavior sorted:
        invariant (_C_23 : ((_C_24 : Sorted{Here}(t, 0, i_0)) &&
                             (_C_25 : (\forall integer k1;
                                        (\forall integer k2;
                                          (((((0 <= k1) && (k1 < i_0)) &&
                                              (i_0 <= k2)) &&
                                             (k2 < n_1)) ==>
                                            ((t + k1).intM <= (t + k2).intM)))))));
      behavior permutation:
        invariant (_C_22 : Permut{Pre, Here}(t, 0, (n_1 - 1)));
      variant (_C_21 : (n_1 - i_0));
      while (true)
      {  
         {  (if (i_0 < (_C_29 : (n_1 - 1))) then () else 
            (goto while_0_break));
            
            {  (_C_32 : (mv = (_C_31 : (_C_30 : (t + i_0)).intM)));
               (_C_33 : (mi = i_0));
               (_C_35 : (j_0 = (_C_34 : (i_0 + 1))));
               
               loop 
               behavior default:
                 invariant (_C_41 : (((_C_43 : (i_0 < j_0)) &&
                                       (_C_44 : (i_0 <= mi))) &&
                                      (_C_45 : (mi < n_1))));
               behavior sorted:
                 invariant (_C_38 : ((_C_39 : (mv == (t + mi).intM)) &&
                                      (_C_40 : (\forall integer k_0;
                                                 (((i_0 <= k_0) &&
                                                    (k_0 < j_0)) ==>
                                                   ((t + k_0).intM >= mv))))));
               behavior permutation:
                 invariant (_C_37 : Permut{Pre, Here}(t, 0, (n_1 - 1)));
               variant (_C_36 : (n_1 - j_0));
               while (true)
               {  
                  {  (if (j_0 < n_1) then () else 
                     (goto while_1_break));
                     
                     {  (if ((_C_51 : (_C_50 : (t + j_0)).intM) < mv) then 
                        {  (_C_46 : (mi = j_0));
                           (_C_49 : (mv = (_C_48 : (_C_47 : (t + j_0)).intM)))
                        } else ())
                     };
                     (_C_53 : (j_0 = (_C_52 : (j_0 + 1))))
                  }
               };
               (while_1_break : ());
               (L : (_C_54 : swap(t, i_0, mi)));
               
               {  
                  (assert for default: (_C_55 : (jessie : Permut{L,
                                                Here}(t, 0, (n_1 - 1)))));
                  ()
               }
            };
            (_C_57 : (i_0 = (_C_56 : (i_0 + 1))))
         }
      };
      (while_0_break : ());
      (return_label : 
      (return ()))
   }
}
========== file tests/c/selection_sort.jessie/selection_sort.cloc ==========
[_C_52]
file = "HOME/tests/c/selection_sort.c"
line = 81
begin = 23
end = 26

[_C_35]
file = "HOME/tests/c/selection_sort.c"
line = 81
begin = 11
end = 14

[sel_sort]
name = "Function sel_sort"
file = "HOME/tests/c/selection_sort.c"
line = 54
begin = 5
end = 13

[_C_56]
file = "HOME/tests/c/selection_sort.c"
line = 68
begin = 19
end = 22

[_C_28]
file = "HOME/tests/c/selection_sort.c"
line = 58
begin = 31
end = 36

[_C_59]
file = "HOME/tests/c/selection_sort.c"
line = 50
begin = 14
end = 27

[_C_48]
file = "HOME/tests/c/selection_sort.c"
line = 83
begin = 15
end = 19

[_C_51]
file = "HOME/tests/c/selection_sort.c"
line = 82
begin = 10
end = 14

[_C_31]
file = "HOME/tests/c/selection_sort.c"
line = 70
begin = 9
end = 13

[_C_41]
file = "HOME/tests/c/selection_sort.c"
line = 71
begin = 30
end = 50

[_C_4]
file = "HOME/tests/c/selection_sort.c"
line = 44
begin = 9
end = 10

[_C_61]
file = "HOME/tests/c/selection_sort.c"
line = 48
begin = 16
end = 34

[_C_32]
file = "HOME/tests/c/selection_sort.c"
line = 70
begin = 9
end = 13

[_C_23]
file = "HOME/tests/c/selection_sort.c"
line = 61
begin = 8
end = 111

[_C_19]
file = "HOME/tests/c/selection_sort.c"
line = 38
begin = 31
end = 42

[_C_42]
file = "HOME/tests/c/selection_sort.c"
line = 71
begin = 30
end = 46

[_C_13]
file = "HOME/tests/c/selection_sort.c"
line = 38
begin = 16
end = 42

[_C_5]
file = "HOME/tests/c/selection_sort.c"
line = 44
begin = 9
end = 13

[_C_36]
file = "HOME/tests/c/selection_sort.c"
line = 79
begin = 21
end = 24

[_C_12]
file = "HOME/tests/c/selection_sort.c"
line = 40
begin = 12
end = 33

[_C_33]
file = "HOME/tests/c/selection_sort.c"
line = 70
begin = 20
end = 21

[_C_22]
file = "HOME/tests/c/selection_sort.c"
line = 65
begin = 22
end = 47

[_C_9]
file = "HOME/tests/c/selection_sort.c"
line = 45
begin = 2
end = 3

[_C_57]
file = "HOME/tests/c/selection_sort.c"
line = 68
begin = 19
end = 22

[_C_54]
file = "HOME/tests/c/selection_sort.c"
line = 87
begin = 4
end = 16

[_C_30]
file = "HOME/tests/c/selection_sort.c"
line = 70
begin = 9
end = 10

[_C_63]
file = "HOME/tests/c/selection_sort.c"
line = 48
begin = 16
end = 34

[_C_6]
file = "HOME/tests/c/selection_sort.c"
line = 44
begin = 2
end = 3

[_C_49]
file = "HOME/tests/c/selection_sort.c"
line = 83
begin = 15
end = 19

[_C_24]
file = "HOME/tests/c/selection_sort.c"
line = 61
begin = 8
end = 21

[_C_45]
file = "HOME/tests/c/selection_sort.c"
line = 71
begin = 44
end = 50

[_C_20]
file = "HOME/tests/c/selection_sort.c"
line = 68
begin = 9
end = 10

[_C_38]
file = "HOME/tests/c/selection_sort.c"
line = 74
begin = 11
end = 83

[_C_3]
file = "HOME/tests/c/selection_sort.c"
line = 43
begin = 2
end = 5

[_C_17]
file = "HOME/tests/c/selection_sort.c"
line = 38
begin = 31
end = 42

[_C_7]
file = "HOME/tests/c/selection_sort.c"
line = 44
begin = 9
end = 13

[_C_62]
file = "HOME/tests/c/selection_sort.c"
line = 48
begin = 16
end = 34

[_C_55]
file = "HOME/tests/c/selection_sort.c"
line = 88
begin = 22
end = 45

[_C_27]
file = "HOME/tests/c/selection_sort.c"
line = 58
begin = 26
end = 32

[_C_46]
file = "HOME/tests/c/selection_sort.c"
line = 83
begin = 6
end = 7

[_C_44]
file = "HOME/tests/c/selection_sort.c"
line = 71
begin = 39
end = 46

[_C_15]
file = "HOME/tests/c/selection_sort.c"
line = 38
begin = 16
end = 27

[_C_26]
file = "HOME/tests/c/selection_sort.c"
line = 58
begin = 26
end = 36

[_C_47]
file = "HOME/tests/c/selection_sort.c"
line = 83
begin = 15
end = 16

[_C_10]
file = "HOME/tests/c/selection_sort.c"
line = 45
begin = 9
end = 12

[_C_60]
file = "HOME/tests/c/selection_sort.c"
line = 52
begin = 14
end = 39

[_C_53]
file = "HOME/tests/c/selection_sort.c"
line = 81
begin = 23
end = 26

[_C_40]
file = "HOME/tests/c/selection_sort.c"
line = 75
begin = 11
end = 57

[_C_58]
file = "HOME/"
line = 0
begin = -1
end = -1

[swap]
name = "Function swap"
file = "HOME/tests/c/selection_sort.c"
line = 42
begin = 5
end = 9

[_C_8]
file = "HOME/tests/c/selection_sort.c"
line = 44
begin = 9
end = 13

[_C_18]
file = "HOME/tests/c/selection_sort.c"
line = 38
begin = 31
end = 42

[_C_29]
file = "HOME/tests/c/selection_sort.c"
line = 68
begin = 14
end = 17

[_C_14]
file = "HOME/tests/c/selection_sort.c"
line = 38
begin = 16
end = 27

[_C_50]
file = "HOME/tests/c/selection_sort.c"
line = 82
begin = 10
end = 11

[_C_37]
file = "HOME/tests/c/selection_sort.c"
line = 78
begin = 10
end = 35

[_C_43]
file = "HOME/tests/c/selection_sort.c"
line = 71
begin = 30
end = 35

[_C_2]
file = "HOME/tests/c/selection_sort.c"
line = 43
begin = 12
end = 16

[_C_34]
file = "HOME/tests/c/selection_sort.c"
line = 81
begin = 11
end = 14

[_C_16]
file = "HOME/tests/c/selection_sort.c"
line = 38
begin = 16
end = 27

[_C_1]
file = "HOME/tests/c/selection_sort.c"
line = 43
begin = 12
end = 13

[_C_25]
file = "HOME/tests/c/selection_sort.c"
line = 62
begin = 8
end = 86

[_C_39]
file = "HOME/tests/c/selection_sort.c"
line = 74
begin = 11
end = 22

[_C_11]
file = "HOME/tests/c/selection_sort.c"
line = 45
begin = 9
end = 12

[_C_21]
file = "HOME/tests/c/selection_sort.c"
line = 66
begin = 19
end = 22

========== jessie execution ==========
Generating Why function swap
Generating Why function sel_sort
========== file tests/c/selection_sort.jessie/selection_sort.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/selection_sort_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: selection_sort.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: selection_sort.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: selection_sort.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/c/selection_sort.jessie/selection_sort.loc ==========
[JC_94]
file = "HOME/tests/c/selection_sort.jessie/selection_sort.jc"
line = 153
begin = 15
end = 1311

[JC_73]
file = "HOME/tests/c/selection_sort.jessie/selection_sort.jc"
line = 153
begin = 15
end = 1311

[JC_63]
file = "HOME/tests/c/selection_sort.c"
line = 58
begin = 26
end = 36

[JC_80]
file = "HOME/tests/c/selection_sort.c"
line = 58
begin = 31
end = 36

[JC_51]
file = "HOME/tests/c/selection_sort.c"
line = 71
begin = 30
end = 50

[JC_71]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_45]
file = "HOME/tests/c/selection_sort.jessie/selection_sort.jc"
line = 130
begin = 6
end = 2739

[JC_106]
file = "HOME/tests/c/selection_sort.c"
line = 71
begin = 39
end = 46

[JC_113]
file = "HOME/tests/c/selection_sort.c"
line = 88
begin = 22
end = 45

[JC_64]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_99]
file = "HOME/tests/c/selection_sort.c"
line = 58
begin = 31
end = 36

[JC_85]
file = "HOME/tests/c/selection_sort.c"
line = 74
begin = 11
end = 22

[JC_31]
file = "HOME/tests/c/selection_sort.c"
line = 48
begin = 16
end = 34

[JC_17]
file = "HOME/tests/c/selection_sort.c"
line = 42
begin = 5
end = 9

[JC_81]
file = "HOME/tests/c/selection_sort.c"
line = 58
begin = 26
end = 36

[JC_55]
kind = PointerDeref
file = "HOME/tests/c/selection_sort.c"
line = 82
begin = 10
end = 14

[JC_48]
file = "HOME/tests/c/selection_sort.c"
line = 71
begin = 30
end = 35

[JC_23]
kind = PointerDeref
file = "HOME/tests/c/selection_sort.jessie/selection_sort.jc"
line = 101
begin = 15
end = 82

[JC_22]
kind = PointerDeref
file = "HOME/tests/c/selection_sort.c"
line = 44
begin = 9
end = 13

[JC_5]
file = "HOME/tests/c/selection_sort.c"
line = 38
begin = 16
end = 42

[JC_67]
file = "HOME/tests/c/selection_sort.c"
line = 71
begin = 30
end = 35

[JC_9]
file = "HOME/tests/c/selection_sort.c"
line = 38
begin = 31
end = 42

[JC_75]
file = "HOME/tests/c/selection_sort.c"
line = 88
begin = 22
end = 45

[JC_24]
kind = PointerDeref
file = "HOME/tests/c/selection_sort.jessie/selection_sort.jc"
line = 102
begin = 16
end = 55

[JC_25]
file = "HOME/tests/c/selection_sort.c"
line = 48
begin = 16
end = 34

[JC_78]
file = "HOME/tests/c/selection_sort.c"
line = 61
begin = 8
end = 111

[JC_41]
file = "HOME/tests/c/selection_sort.c"
line = 58
begin = 26
end = 32

[JC_74]
kind = UserCall
file = "HOME/tests/c/selection_sort.c"
line = 87
begin = 4
end = 16

[JC_47]
kind = PointerDeref
file = "HOME/tests/c/selection_sort.c"
line = 70
begin = 9
end = 13

[JC_52]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_26]
file = "HOME/tests/c/selection_sort.c"
line = 48
begin = 16
end = 34

[JC_8]
file = "HOME/tests/c/selection_sort.c"
line = 38
begin = 16
end = 27

[JC_54]
file = "HOME/tests/c/selection_sort.jessie/selection_sort.jc"
line = 153
begin = 15
end = 1311

[JC_79]
file = "HOME/tests/c/selection_sort.c"
line = 58
begin = 26
end = 32

[JC_13]
file = "HOME/tests/c/selection_sort.c"
line = 40
begin = 12
end = 33

[JC_82]
file = "HOME/"
line = 0
begin = -1
end = -1

[sel_sort_ensures_sorted]
name = "Function sel_sort"
behavior = "Behavior `sorted'"
file = "HOME/tests/c/selection_sort.c"
line = 54
begin = 5
end = 13

[JC_87]
file = "HOME/tests/c/selection_sort.c"
line = 74
begin = 11
end = 83

[JC_11]
file = "HOME/tests/c/selection_sort.c"
line = 38
begin = 16
end = 42

[JC_98]
file = "HOME/tests/c/selection_sort.c"
line = 58
begin = 26
end = 32

[JC_70]
file = "HOME/tests/c/selection_sort.c"
line = 71
begin = 30
end = 50

[JC_15]
file = "HOME/tests/c/selection_sort.jessie/selection_sort.jc"
line = 93
begin = 9
end = 16

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_104]
file = "HOME/tests/c/selection_sort.c"
line = 78
begin = 10
end = 35

[JC_91]
file = "HOME/tests/c/selection_sort.c"
line = 71
begin = 30
end = 50

[JC_39]
file = "HOME/tests/c/selection_sort.c"
line = 52
begin = 14
end = 39

[JC_112]
kind = UserCall
file = "HOME/tests/c/selection_sort.c"
line = 87
begin = 4
end = 16

[JC_40]
file = "HOME/tests/c/selection_sort.c"
line = 52
begin = 14
end = 39

[JC_83]
file = "HOME/tests/c/selection_sort.jessie/selection_sort.jc"
line = 130
begin = 6
end = 2739

[JC_35]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
file = "HOME/tests/c/selection_sort.c"
line = 48
begin = 16
end = 34

[JC_109]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_107]
file = "HOME/tests/c/selection_sort.c"
line = 71
begin = 44
end = 50

[JC_69]
file = "HOME/tests/c/selection_sort.c"
line = 71
begin = 44
end = 50

[JC_38]
file = "HOME/tests/c/selection_sort.c"
line = 50
begin = 14
end = 27

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_44]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/tests/c/selection_sort.c"
line = 38
begin = 31
end = 42

[JC_62]
file = "HOME/tests/c/selection_sort.c"
line = 58
begin = 31
end = 36

[JC_101]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_88]
file = "HOME/tests/c/selection_sort.c"
line = 71
begin = 30
end = 35

[JC_42]
file = "HOME/tests/c/selection_sort.c"
line = 58
begin = 31
end = 36

[swap_ensures_default]
name = "Function swap"
behavior = "default behavior"
file = "HOME/tests/c/selection_sort.c"
line = 42
begin = 5
end = 9

[JC_110]
file = "HOME/tests/c/selection_sort.jessie/selection_sort.jc"
line = 153
begin = 15
end = 1311

[JC_103]
file = "HOME/tests/c/selection_sort.jessie/selection_sort.jc"
line = 130
begin = 6
end = 2739

[JC_46]
file = "HOME/tests/c/selection_sort.jessie/selection_sort.jc"
line = 130
begin = 6
end = 2739

[swap_safety]
name = "Function swap"
behavior = "Safety"
file = "HOME/tests/c/selection_sort.c"
line = 42
begin = 5
end = 9

[JC_61]
file = "HOME/tests/c/selection_sort.c"
line = 58
begin = 26
end = 32

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_56]
kind = PointerDeref
file = "HOME/tests/c/selection_sort.c"
line = 83
begin = 15
end = 19

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_65]
file = "HOME/tests/c/selection_sort.jessie/selection_sort.jc"
line = 130
begin = 6
end = 2739

[JC_105]
file = "HOME/tests/c/selection_sort.c"
line = 71
begin = 30
end = 35

[JC_29]
file = "HOME/tests/c/selection_sort.c"
line = 48
begin = 16
end = 34

[JC_68]
file = "HOME/tests/c/selection_sort.c"
line = 71
begin = 39
end = 46

[JC_7]
file = "HOME/tests/c/selection_sort.c"
line = 38
begin = 16
end = 27

[JC_16]
file = "HOME/tests/c/selection_sort.c"
line = 40
begin = 12
end = 33

[JC_96]
file = "HOME/tests/c/selection_sort.c"
line = 88
begin = 22
end = 45

[JC_43]
file = "HOME/tests/c/selection_sort.c"
line = 58
begin = 26
end = 36

[JC_2]
file = "HOME/tests/c/selection_sort.c"
line = 38
begin = 16
end = 27

[JC_95]
kind = UserCall
file = "HOME/tests/c/selection_sort.c"
line = 87
begin = 4
end = 16

[JC_93]
file = "HOME/tests/c/selection_sort.jessie/selection_sort.jc"
line = 153
begin = 15
end = 1311

[JC_97]
file = "HOME/tests/c/selection_sort.c"
line = 65
begin = 22
end = 47

[JC_84]
file = "HOME/tests/c/selection_sort.jessie/selection_sort.jc"
line = 130
begin = 6
end = 2739

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[sel_sort_ensures_default]
name = "Function sel_sort"
behavior = "default behavior"
file = "HOME/tests/c/selection_sort.c"
line = 54
begin = 5
end = 13

[JC_14]
file = "HOME/tests/c/selection_sort.c"
line = 42
begin = 5
end = 9

[JC_90]
file = "HOME/tests/c/selection_sort.c"
line = 71
begin = 44
end = 50

[JC_53]
file = "HOME/tests/c/selection_sort.jessie/selection_sort.jc"
line = 153
begin = 15
end = 1311

[sel_sort_safety]
name = "Function sel_sort"
behavior = "Safety"
file = "HOME/tests/c/selection_sort.c"
line = 54
begin = 5
end = 13

[JC_21]
kind = PointerDeref
file = "HOME/tests/c/selection_sort.c"
line = 43
begin = 12
end = 16

[JC_111]
file = "HOME/tests/c/selection_sort.jessie/selection_sort.jc"
line = 153
begin = 15
end = 1311

[JC_77]
file = "HOME/tests/c/selection_sort.c"
line = 62
begin = 8
end = 86

[JC_49]
file = "HOME/tests/c/selection_sort.c"
line = 71
begin = 39
end = 46

[JC_1]
file = "HOME/tests/c/selection_sort.c"
line = 38
begin = 16
end = 27

[JC_102]
file = "HOME/tests/c/selection_sort.jessie/selection_sort.jc"
line = 130
begin = 6
end = 2739

[JC_37]
file = "HOME/tests/c/selection_sort.c"
line = 50
begin = 14
end = 27

[JC_10]
file = "HOME/tests/c/selection_sort.c"
line = 38
begin = 31
end = 42

[JC_108]
file = "HOME/tests/c/selection_sort.c"
line = 71
begin = 30
end = 50

[JC_57]
file = "HOME/tests/c/selection_sort.c"
line = 79
begin = 21
end = 24

[JC_89]
file = "HOME/tests/c/selection_sort.c"
line = 71
begin = 39
end = 46

[JC_66]
file = "HOME/tests/c/selection_sort.jessie/selection_sort.jc"
line = 130
begin = 6
end = 2739

[JC_59]
file = "HOME/tests/c/selection_sort.c"
line = 88
begin = 22
end = 45

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/tests/c/selection_sort.jessie/selection_sort.jc"
line = 93
begin = 9
end = 16

[JC_3]
file = "HOME/tests/c/selection_sort.c"
line = 38
begin = 31
end = 42

[JC_92]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_86]
file = "HOME/tests/c/selection_sort.c"
line = 75
begin = 11
end = 57

[JC_60]
file = "HOME/tests/c/selection_sort.c"
line = 66
begin = 19
end = 22

[JC_72]
file = "HOME/tests/c/selection_sort.jessie/selection_sort.jc"
line = 153
begin = 15
end = 1311

[JC_19]
file = "HOME/"
line = 0
begin = -1
end = -1

[sel_sort_ensures_permutation]
name = "Function sel_sort"
behavior = "Behavior `permutation'"
file = "HOME/tests/c/selection_sort.c"
line = 54
begin = 5
end = 13

[JC_76]
file = "HOME/tests/c/selection_sort.c"
line = 61
begin = 8
end = 21

[JC_50]
file = "HOME/tests/c/selection_sort.c"
line = 71
begin = 44
end = 50

[JC_30]
file = "HOME/tests/c/selection_sort.c"
line = 48
begin = 16
end = 34

[JC_58]
kind = UserCall
file = "HOME/tests/c/selection_sort.c"
line = 87
begin = 4
end = 16

[JC_100]
file = "HOME/tests/c/selection_sort.c"
line = 58
begin = 26
end = 36

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/c/selection_sort.jessie/why/selection_sort.why ==========
type charP

type intP

type padding

type unsigned_charP

type voidP

predicate Swap(a:intP pointer, i_1:int, j_0:int,
 intP_intM_a_1_at_L2:(intP, int) memory,
 intP_intM_a_1_at_L1:(intP, int) memory) =
 ((select(intP_intM_a_1_at_L1, shift(a, i_1)) = select(intP_intM_a_1_at_L2,
                                                shift(a, j_0)))
 and ((select(intP_intM_a_1_at_L1, shift(a, j_0)) = select(intP_intM_a_1_at_L2,
                                                    shift(a, i_1)))
     and (forall k:int.
          (((k <> i_1) and (k <> j_0)) ->
           (select(intP_intM_a_1_at_L1, shift(a, k)) = select(intP_intM_a_1_at_L2,
                                                       shift(a, k)))))))

inductive Permut: intP pointer, int, int, (intP, int) memory,
                  (intP, int) memory -> prop =
 | Permut_refl: (forall intP_intM_a_0_2_at_L:(intP, int) memory.
                 (forall a_1:intP pointer.
                  (forall l_0:int.
                   (forall h_0:int.
                    Permut(a_1, l_0, h_0, intP_intM_a_0_2_at_L,
                    intP_intM_a_0_2_at_L)))))
 | Permut_sym: (forall intP_intM_a_0_2_at_L2:(intP, int) memory.
                (forall intP_intM_a_0_2_at_L1:(intP, int) memory.
                 (forall a_2:intP pointer.
                  (forall l_1:int.
                   (forall h_1:int.
                    (Permut(a_2, l_1, h_1, intP_intM_a_0_2_at_L2,
                     intP_intM_a_0_2_at_L1) ->
                     Permut(a_2, l_1, h_1, intP_intM_a_0_2_at_L1,
                     intP_intM_a_0_2_at_L2)))))))
 | Permut_trans: (forall intP_intM_a_0_2_at_L3:(intP, int) memory.
                  (forall intP_intM_a_0_2_at_L2:(intP, int) memory.
                   (forall intP_intM_a_0_2_at_L1:(intP, int) memory.
                    (forall a_3:intP pointer.
                     (forall l_2:int.
                      (forall h_2:int.
                       ((Permut(a_3, l_2, h_2, intP_intM_a_0_2_at_L2,
                         intP_intM_a_0_2_at_L1)
                        and Permut(a_3, l_2, h_2, intP_intM_a_0_2_at_L3,
                            intP_intM_a_0_2_at_L2)) ->
                        Permut(a_3, l_2, h_2, intP_intM_a_0_2_at_L3,
                        intP_intM_a_0_2_at_L1))))))))
 | Permut_swap: (forall intP_intM_a_0_2_at_L2:(intP, int) memory.
                 (forall intP_intM_a_0_2_at_L1:(intP, int) memory.
                  (forall a_4:intP pointer.
                   (forall l_3:int.
                    (forall h_3:int.
                     (forall i_2:int.
                      (forall j_1:int.
                       ((le_int(l_3, i_2)
                        and (le_int(i_2, h_3)
                            and (le_int(l_3, j_1)
                                and (le_int(j_1, h_3)
                                    and Swap(a_4, i_2, j_1,
                                        intP_intM_a_0_2_at_L2,
                                        intP_intM_a_0_2_at_L1))))) ->
                        Permut(a_4, l_3, h_3, intP_intM_a_0_2_at_L2,
                        intP_intM_a_0_2_at_L1)))))))))
 
predicate Sorted(a_5:intP pointer, l_4:int, h_4:int,
 intP_intM_a_5_3_at_L:(intP, int) memory) =
 (forall i_3:int.
  (forall j_2:int.
   ((le_int(l_4, i_3) and (le_int(i_3, j_2) and lt_int(j_2, h_4))) ->
    le_int(select(intP_intM_a_5_3_at_L, shift(a_5, i_3)),
    select(intP_intM_a_5_3_at_L, shift(a_5, j_2))))))

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic intP_tag:  -> intP tag_id

axiom intP_int : (int_of_tag(intP_tag) = (1))

logic intP_of_pointer_address: unit pointer -> intP pointer

axiom intP_of_pointer_address_of_pointer_addr :
 (forall p:intP pointer. (p = intP_of_pointer_address(pointer_address(p))))

axiom intP_parenttag_bottom : parenttag(intP_tag, bottom_tag)

axiom intP_tags :
 (forall x:intP pointer.
  (forall intP_tag_table:intP tag_table.
   instanceof(intP_tag_table, x, intP_tag)))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_intP(p:intP pointer, a:int,
 intP_alloc_table:intP alloc_table) = (offset_min(intP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

axiom pointer_addr_of_intP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(intP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_intP(p:intP pointer, b:int,
 intP_alloc_table:intP alloc_table) = (offset_max(intP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) = a)
 and (offset_max(intP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) = a)
 and (offset_max(intP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) <= a)
 and (offset_max(intP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) <= a)
 and (offset_max(intP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

exception Goto_while_0_break_exc of unit

exception Goto_while_1_break_exc of unit

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter intP_alloc_table : intP alloc_table ref

parameter intP_tag_table : intP tag_table ref

parameter alloc_struct_intP :
 n:int ->
  intP_alloc_table:intP alloc_table ref ->
   intP_tag_table:intP tag_table ref ->
    { } intP pointer writes intP_alloc_table,intP_tag_table
    { (strict_valid_struct_intP(result, (0), sub_int(n, (1)),
       intP_alloc_table)
      and (alloc_extends(intP_alloc_table@, intP_alloc_table)
          and (alloc_fresh(intP_alloc_table@, result, n)
              and instanceof(intP_tag_table, result, intP_tag)))) }

parameter alloc_struct_intP_requires :
 n:int ->
  intP_alloc_table:intP alloc_table ref ->
   intP_tag_table:intP tag_table ref ->
    { ge_int(n, (0))} intP pointer writes intP_alloc_table,intP_tag_table
    { (strict_valid_struct_intP(result, (0), sub_int(n, (1)),
       intP_alloc_table)
      and (alloc_extends(intP_alloc_table@, intP_alloc_table)
          and (alloc_fresh(intP_alloc_table@, result, n)
              and instanceof(intP_tag_table, result, intP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter sel_sort :
 t:intP pointer ->
  n_1:int ->
   intP_intM_t_5:(intP, int) memory ref ->
    intP_t_5_alloc_table:intP alloc_table ->
     { } unit reads intP_intM_t_5 writes intP_intM_t_5
     { ((JC_40:
        Permut(t, (0), sub_int(n_1, (1)), intP_intM_t_5, intP_intM_t_5@))
       and (JC_38: Sorted(t, (0), n_1, intP_intM_t_5))) }

parameter sel_sort_requires :
 t:intP pointer ->
  n_1:int ->
   intP_intM_t_5:(intP, int) memory ref ->
    intP_t_5_alloc_table:intP alloc_table ->
     { (JC_27:
       ((JC_25: le_int(offset_min(intP_t_5_alloc_table, t), (0)))
       and (JC_26:
           ge_int(offset_max(intP_t_5_alloc_table, t), sub_int(n_1, (1))))))}
     unit reads intP_intM_t_5 writes intP_intM_t_5
     { ((JC_40:
        Permut(t, (0), sub_int(n_1, (1)), intP_intM_t_5, intP_intM_t_5@))
       and (JC_38: Sorted(t, (0), n_1, intP_intM_t_5))) }

parameter swap :
 t_0:intP pointer ->
  i:int ->
   j:int ->
    intP_intM_t_0_4:(intP, int) memory ref ->
     intP_t_0_4_alloc_table:intP alloc_table ->
      { } unit reads intP_intM_t_0_4 writes intP_intM_t_0_4
      { (JC_18:
        ((JC_16: Swap(t_0, i, j, intP_intM_t_0_4, intP_intM_t_0_4@))
        and (JC_17:
            not_assigns(intP_t_0_4_alloc_table, intP_intM_t_0_4@,
            intP_intM_t_0_4,
            pset_union(pset_range(pset_singleton(t_0), j, j),
            pset_range(pset_singleton(t_0), i, i)))))) }

parameter swap_requires :
 t_0:intP pointer ->
  i:int ->
   j:int ->
    intP_intM_t_0_4:(intP, int) memory ref ->
     intP_t_0_4_alloc_table:intP alloc_table ->
      { (JC_5:
        ((JC_1: le_int(offset_min(intP_t_0_4_alloc_table, t_0), i))
        and ((JC_2: ge_int(offset_max(intP_t_0_4_alloc_table, t_0), i))
            and ((JC_3: le_int(offset_min(intP_t_0_4_alloc_table, t_0), j))
                and (JC_4:
                    ge_int(offset_max(intP_t_0_4_alloc_table, t_0), j))))))}
      unit reads intP_intM_t_0_4 writes intP_intM_t_0_4
      { (JC_18:
        ((JC_16: Swap(t_0, i, j, intP_intM_t_0_4, intP_intM_t_0_4@))
        and (JC_17:
            not_assigns(intP_t_0_4_alloc_table, intP_intM_t_0_4@,
            intP_intM_t_0_4,
            pset_union(pset_range(pset_singleton(t_0), j, j),
            pset_range(pset_singleton(t_0), i, i)))))) }

let sel_sort_ensures_default =
 fun (t : intP pointer) (n_1 : int) (intP_intM_t_5 : (intP, int) memory ref) (intP_t_5_alloc_table : intP alloc_table) ->
  { (JC_31:
    ((JC_29: le_int(offset_min(intP_t_5_alloc_table, t), (0)))
    and (JC_30:
        ge_int(offset_max(intP_t_5_alloc_table, t), sub_int(n_1, (1)))))) }
  (init:
  try
   begin
     (let i_0 = ref (any_int void) in
     (let j_0_0 = ref (any_int void) in
     (let mi = ref (any_int void) in
     (let mv = ref (any_int void) in
     try
      begin
        try
         begin
           (if ((le_int_ n_1) (0)) then (raise (Return_label_exc void))
           else void); (let _jessie_ = (i_0 := (0)) in void);
          (loop_3:
          begin
            while true do
            { invariant
                (JC_63:
                ((JC_61: le_int((0), i_0)) and (JC_62: lt_int(i_0, n_1)))) 
               }
             begin
               [ { } unit { true } ];
              try
               begin
                 (let _jessie_ =
                 begin
                   (if ((lt_int_ !i_0) ((sub_int n_1) (1))) then void
                   else (raise (Goto_while_0_break_exc void)));
                  try
                   begin
                     (let _jessie_ =
                     (mv := ((safe_acc_ !intP_intM_t_5) ((shift t) !i_0))) in
                     void); (let _jessie_ = (mi := !i_0) in void);
                    (let _jessie_ = (j_0_0 := ((add_int !i_0) (1))) in
                    void);
                    (loop_4:
                    begin
                      while true do
                      { invariant
                          (JC_70:
                          ((JC_67: lt_int(i_0, j_0_0))
                          and ((JC_68: le_int(i_0, mi))
                              and (JC_69: lt_int(mi, n_1)))))  }
                       begin
                         [ { } unit { true } ];
                        try
                         begin
                           (let _jessie_ =
                           begin
                             (if ((lt_int_ !j_0_0) n_1) then void
                             else (raise (Goto_while_1_break_exc void)));
                            (if ((lt_int_ ((safe_acc_ !intP_intM_t_5) 
                                           ((shift t) !j_0_0))) !mv)
                            then
                             (let _jessie_ =
                             begin
                               (let _jessie_ = (mi := !j_0_0) in void);
                              (mv := ((safe_acc_ !intP_intM_t_5) ((shift t) !j_0_0)));
                              !mv end in void) else void);
                            (j_0_0 := ((add_int !j_0_0) (1))); !j_0_0 end in
                           void); (raise (Loop_continue_exc void)) end with
                         Loop_continue_exc _jessie_ -> void end end done;
                     (raise (Goto_while_1_break_exc void)) end) end with
                   Goto_while_1_break_exc _jessie_ ->
                   (while_1_break:
                   begin
                     void;
                    (L:
                    begin
                      (let _jessie_ = t in
                      (let _jessie_ = !i_0 in
                      (let _jessie_ = !mi in
                      (JC_74:
                      (((((swap _jessie_) _jessie_) _jessie_) intP_intM_t_5) intP_t_5_alloc_table)))));
                     (assert
                     { (JC_75:
                       Permut(t, (0), sub_int(n_1, (1)), intP_intM_t_5,
                       intP_intM_t_5@L)) }; void); void end) end) end;
                  (i_0 := ((add_int !i_0) (1))); !i_0 end in void);
                (raise (Loop_continue_exc void)) end with
               Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ -> (while_0_break: void) end;
       (raise (Return_label_exc void)) end with Return_label_exc _jessie_ ->
      (return_label: (raise Return)) end)))); (raise Return) end with
   Return -> void end) { (JC_33: true) } 

let sel_sort_ensures_permutation =
 fun (t : intP pointer) (n_1 : int) (intP_intM_t_5 : (intP, int) memory ref) (intP_t_5_alloc_table : intP alloc_table) ->
  { (JC_31:
    ((JC_29: le_int(offset_min(intP_t_5_alloc_table, t), (0)))
    and (JC_30:
        ge_int(offset_max(intP_t_5_alloc_table, t), sub_int(n_1, (1)))))) }
  (init:
  try
   begin
     (let i_0 = ref (any_int void) in
     (let j_0_0 = ref (any_int void) in
     (let mi = ref (any_int void) in
     (let mv = ref (any_int void) in
     try
      begin
        try
         begin
           (if ((le_int_ n_1) (0)) then (raise (Return_label_exc void))
           else void); (let _jessie_ = (i_0 := (0)) in void);
          (loop_7:
          begin
            while true do
            { invariant
                (JC_97:
                Permut(t, (0), sub_int(n_1, (1)), intP_intM_t_5,
                intP_intM_t_5@init))  }
             begin
               [ { } unit reads i_0
                 { (JC_100:
                   ((JC_98: le_int((0), i_0)) and (JC_99: lt_int(i_0, n_1)))) } ];
              try
               begin
                 (let _jessie_ =
                 begin
                   (if ((lt_int_ !i_0) ((sub_int n_1) (1))) then void
                   else (raise (Goto_while_0_break_exc void)));
                  try
                   begin
                     (let _jessie_ =
                     (mv := ((safe_acc_ !intP_intM_t_5) ((shift t) !i_0))) in
                     void); (let _jessie_ = (mi := !i_0) in void);
                    (let _jessie_ = (j_0_0 := ((add_int !i_0) (1))) in
                    void);
                    (loop_8:
                    begin
                      while true do
                      { invariant
                          (JC_104:
                          Permut(t, (0), sub_int(n_1, (1)), intP_intM_t_5,
                          intP_intM_t_5@init))  }
                       begin
                         [ { } unit reads i_0,j_0_0,mi
                           { (JC_108:
                             ((JC_105: lt_int(i_0, j_0_0))
                             and ((JC_106: le_int(i_0, mi))
                                 and (JC_107: lt_int(mi, n_1))))) } ];
                        try
                         begin
                           (let _jessie_ =
                           begin
                             (if ((lt_int_ !j_0_0) n_1) then void
                             else (raise (Goto_while_1_break_exc void)));
                            (if ((lt_int_ ((safe_acc_ !intP_intM_t_5) 
                                           ((shift t) !j_0_0))) !mv)
                            then
                             (let _jessie_ =
                             begin
                               (let _jessie_ = (mi := !j_0_0) in void);
                              (mv := ((safe_acc_ !intP_intM_t_5) ((shift t) !j_0_0)));
                              !mv end in void) else void);
                            (j_0_0 := ((add_int !j_0_0) (1))); !j_0_0 end in
                           void); (raise (Loop_continue_exc void)) end with
                         Loop_continue_exc _jessie_ -> void end end done;
                     (raise (Goto_while_1_break_exc void)) end) end with
                   Goto_while_1_break_exc _jessie_ ->
                   (while_1_break:
                   begin
                     void;
                    (L:
                    begin
                      (let _jessie_ = t in
                      (let _jessie_ = !i_0 in
                      (let _jessie_ = !mi in
                      (JC_112:
                      (((((swap _jessie_) _jessie_) _jessie_) intP_intM_t_5) intP_t_5_alloc_table)))));
                     [ { } unit reads intP_intM_t_5
                       { (JC_113:
                         Permut(t, (0), sub_int(n_1, (1)), intP_intM_t_5,
                         intP_intM_t_5@L)) } ]; void end) end) end;
                  (i_0 := ((add_int !i_0) (1))); !i_0 end in void);
                (raise (Loop_continue_exc void)) end with
               Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ -> (while_0_break: void) end;
       (raise (Return_label_exc void)) end with Return_label_exc _jessie_ ->
      (return_label: (raise Return)) end)))); (raise Return) end with
   Return -> void end)
  { (JC_39: Permut(t, (0), sub_int(n_1, (1)), intP_intM_t_5, intP_intM_t_5@)) }
  

let sel_sort_ensures_sorted =
 fun (t : intP pointer) (n_1 : int) (intP_intM_t_5 : (intP, int) memory ref) (intP_t_5_alloc_table : intP alloc_table) ->
  { (JC_31:
    ((JC_29: le_int(offset_min(intP_t_5_alloc_table, t), (0)))
    and (JC_30:
        ge_int(offset_max(intP_t_5_alloc_table, t), sub_int(n_1, (1)))))) }
  (init:
  try
   begin
     (let i_0 = ref (any_int void) in
     (let j_0_0 = ref (any_int void) in
     (let mi = ref (any_int void) in
     (let mv = ref (any_int void) in
     try
      begin
        try
         begin
           (if ((le_int_ n_1) (0)) then (raise (Return_label_exc void))
           else void); (let _jessie_ = (i_0 := (0)) in void);
          (loop_5:
          begin
            while true do
            { invariant
                (JC_78:
                ((JC_76: Sorted(t, (0), i_0, intP_intM_t_5))
                and (JC_77:
                    (forall k1:int.
                     (forall k2:int.
                      ((le_int((0), k1)
                       and (lt_int(k1, i_0)
                           and (le_int(i_0, k2) and lt_int(k2, n_1)))) ->
                       le_int(select(intP_intM_t_5, shift(t, k1)),
                       select(intP_intM_t_5, shift(t, k2)))))))))  }
             begin
               [ { } unit reads i_0
                 { (JC_81:
                   ((JC_79: le_int((0), i_0)) and (JC_80: lt_int(i_0, n_1)))) } ];
              try
               begin
                 (let _jessie_ =
                 begin
                   (if ((lt_int_ !i_0) ((sub_int n_1) (1))) then void
                   else (raise (Goto_while_0_break_exc void)));
                  try
                   begin
                     (let _jessie_ =
                     (mv := ((safe_acc_ !intP_intM_t_5) ((shift t) !i_0))) in
                     void); (let _jessie_ = (mi := !i_0) in void);
                    (let _jessie_ = (j_0_0 := ((add_int !i_0) (1))) in
                    void);
                    (loop_6:
                    begin
                      while true do
                      { invariant
                          (JC_87:
                          ((JC_85:
                           (mv = select(intP_intM_t_5, shift(t, mi))))
                          and (JC_86:
                              (forall k_0:int.
                               ((le_int(i_0, k_0) and lt_int(k_0, j_0_0)) ->
                                ge_int(select(intP_intM_t_5, shift(t, k_0)),
                                mv))))))  }
                       begin
                         [ { } unit reads i_0,j_0_0,mi
                           { (JC_91:
                             ((JC_88: lt_int(i_0, j_0_0))
                             and ((JC_89: le_int(i_0, mi))
                                 and (JC_90: lt_int(mi, n_1))))) } ];
                        try
                         begin
                           (let _jessie_ =
                           begin
                             (if ((lt_int_ !j_0_0) n_1) then void
                             else (raise (Goto_while_1_break_exc void)));
                            (if ((lt_int_ ((safe_acc_ !intP_intM_t_5) 
                                           ((shift t) !j_0_0))) !mv)
                            then
                             (let _jessie_ =
                             begin
                               (let _jessie_ = (mi := !j_0_0) in void);
                              (mv := ((safe_acc_ !intP_intM_t_5) ((shift t) !j_0_0)));
                              !mv end in void) else void);
                            (j_0_0 := ((add_int !j_0_0) (1))); !j_0_0 end in
                           void); (raise (Loop_continue_exc void)) end with
                         Loop_continue_exc _jessie_ -> void end end done;
                     (raise (Goto_while_1_break_exc void)) end) end with
                   Goto_while_1_break_exc _jessie_ ->
                   (while_1_break:
                   begin
                     void;
                    (L:
                    begin
                      (let _jessie_ = t in
                      (let _jessie_ = !i_0 in
                      (let _jessie_ = !mi in
                      (JC_95:
                      (((((swap _jessie_) _jessie_) _jessie_) intP_intM_t_5) intP_t_5_alloc_table)))));
                     [ { } unit reads intP_intM_t_5
                       { (JC_96:
                         Permut(t, (0), sub_int(n_1, (1)), intP_intM_t_5,
                         intP_intM_t_5@L)) } ]; void end) end) end;
                  (i_0 := ((add_int !i_0) (1))); !i_0 end in void);
                (raise (Loop_continue_exc void)) end with
               Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ -> (while_0_break: void) end;
       (raise (Return_label_exc void)) end with Return_label_exc _jessie_ ->
      (return_label: (raise Return)) end)))); (raise Return) end with
   Return -> void end) { (JC_37: Sorted(t, (0), n_1, intP_intM_t_5)) } 

let sel_sort_safety =
 fun (t : intP pointer) (n_1 : int) (intP_intM_t_5 : (intP, int) memory ref) (intP_t_5_alloc_table : intP alloc_table) ->
  { (JC_31:
    ((JC_29: le_int(offset_min(intP_t_5_alloc_table, t), (0)))
    and (JC_30:
        ge_int(offset_max(intP_t_5_alloc_table, t), sub_int(n_1, (1)))))) }
  (init:
  try
   begin
     (let i_0 = ref (any_int void) in
     (let j_0_0 = ref (any_int void) in
     (let mi = ref (any_int void) in
     (let mv = ref (any_int void) in
     try
      begin
        try
         begin
           (if ((le_int_ n_1) (0)) then (raise (Return_label_exc void))
           else void); (let _jessie_ = (i_0 := (0)) in void);
          (loop_1:
          begin
            while true do
            { invariant (JC_45: true) variant (JC_60 : sub_int(n_1, i_0)) }
             begin
               [ { } unit reads i_0
                 { (JC_43:
                   ((JC_41: le_int((0), i_0)) and (JC_42: lt_int(i_0, n_1)))) } ];
              try
               begin
                 (let _jessie_ =
                 begin
                   (if ((lt_int_ !i_0) ((sub_int n_1) (1))) then void
                   else (raise (Goto_while_0_break_exc void)));
                  try
                   begin
                     (let _jessie_ =
                     (mv := (JC_47:
                            ((((offset_acc_ intP_t_5_alloc_table) !intP_intM_t_5) t) !i_0))) in
                     void); (let _jessie_ = (mi := !i_0) in void);
                    (let _jessie_ = (j_0_0 := ((add_int !i_0) (1))) in
                    void);
                    (loop_2:
                    begin
                      while true do
                      { invariant (JC_53: true)
                        variant (JC_57 : sub_int(n_1, j_0_0)) }
                       begin
                         [ { } unit reads i_0,j_0_0,mi
                           { (JC_51:
                             ((JC_48: lt_int(i_0, j_0_0))
                             and ((JC_49: le_int(i_0, mi))
                                 and (JC_50: lt_int(mi, n_1))))) } ];
                        try
                         begin
                           (let _jessie_ =
                           begin
                             (if ((lt_int_ !j_0_0) n_1) then void
                             else (raise (Goto_while_1_break_exc void)));
                            (if ((lt_int_ (JC_55:
                                          ((((offset_acc_ intP_t_5_alloc_table) !intP_intM_t_5) t) !j_0_0))) !mv)
                            then
                             (let _jessie_ =
                             begin
                               (let _jessie_ = (mi := !j_0_0) in void);
                              (mv := (JC_56:
                                     ((((offset_acc_ intP_t_5_alloc_table) !intP_intM_t_5) t) !j_0_0)));
                              !mv end in void) else void);
                            (j_0_0 := ((add_int !j_0_0) (1))); !j_0_0 end in
                           void); (raise (Loop_continue_exc void)) end with
                         Loop_continue_exc _jessie_ -> void end end done;
                     (raise (Goto_while_1_break_exc void)) end) end with
                   Goto_while_1_break_exc _jessie_ ->
                   (while_1_break:
                   begin
                     void;
                    (L:
                    begin
                      (let _jessie_ = t in
                      (let _jessie_ = !i_0 in
                      (let _jessie_ = !mi in
                      (JC_58:
                      (((((swap_requires _jessie_) _jessie_) _jessie_) intP_intM_t_5) intP_t_5_alloc_table)))));
                     [ { } unit reads intP_intM_t_5
                       { (JC_59:
                         Permut(t, (0), sub_int(n_1, (1)), intP_intM_t_5,
                         intP_intM_t_5@L)) } ]; void end) end) end;
                  (i_0 := ((add_int !i_0) (1))); !i_0 end in void);
                (raise (Loop_continue_exc void)) end with
               Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ -> (while_0_break: void) end;
       (raise (Return_label_exc void)) end with Return_label_exc _jessie_ ->
      (return_label: (raise Return)) end)))); (raise Return) end with
   Return -> void end) { true } 

let swap_ensures_default =
 fun (t_0 : intP pointer) (i : int) (j : int) (intP_intM_t_0_4 : (intP, int) memory ref) (intP_t_0_4_alloc_table : intP alloc_table) ->
  { (JC_11:
    ((JC_7: le_int(offset_min(intP_t_0_4_alloc_table, t_0), i))
    and ((JC_8: ge_int(offset_max(intP_t_0_4_alloc_table, t_0), i))
        and ((JC_9: le_int(offset_min(intP_t_0_4_alloc_table, t_0), j))
            and (JC_10: ge_int(offset_max(intP_t_0_4_alloc_table, t_0), j)))))) }
  (init:
  try
   begin
     (let tmp = ref (any_int void) in
     begin
       (let _jessie_ =
       (tmp := ((safe_acc_ !intP_intM_t_0_4) ((shift t_0) i))) in void);
      (let _jessie_ =
      (let _jessie_ = ((safe_acc_ !intP_intM_t_0_4) ((shift t_0) j)) in
      (let _jessie_ = t_0 in
      (let _jessie_ = i in
      (let _jessie_ = ((shift _jessie_) _jessie_) in
      (((safe_upd_ intP_intM_t_0_4) _jessie_) _jessie_))))) in void);
      (let _jessie_ =
      (let _jessie_ = !tmp in
      (let _jessie_ = t_0 in
      (let _jessie_ = j in
      (let _jessie_ = ((shift _jessie_) _jessie_) in
      (((safe_upd_ intP_intM_t_0_4) _jessie_) _jessie_))))) in void);
      (raise Return) end); (raise Return) end with Return -> void end)
  { (JC_15:
    ((JC_13: Swap(t_0, i, j, intP_intM_t_0_4, intP_intM_t_0_4@))
    and (JC_14:
        not_assigns(intP_t_0_4_alloc_table, intP_intM_t_0_4@,
        intP_intM_t_0_4,
        pset_union(pset_range(pset_singleton(t_0), j, j),
        pset_range(pset_singleton(t_0), i, i)))))) } 

let swap_safety =
 fun (t_0 : intP pointer) (i : int) (j : int) (intP_intM_t_0_4 : (intP, int) memory ref) (intP_t_0_4_alloc_table : intP alloc_table) ->
  { (JC_11:
    ((JC_7: le_int(offset_min(intP_t_0_4_alloc_table, t_0), i))
    and ((JC_8: ge_int(offset_max(intP_t_0_4_alloc_table, t_0), i))
        and ((JC_9: le_int(offset_min(intP_t_0_4_alloc_table, t_0), j))
            and (JC_10: ge_int(offset_max(intP_t_0_4_alloc_table, t_0), j)))))) }
  (init:
  try
   begin
     (let tmp = ref (any_int void) in
     begin
       (let _jessie_ =
       (tmp := (JC_21:
               ((((offset_acc_ intP_t_0_4_alloc_table) !intP_intM_t_0_4) t_0) i))) in
       void);
      (let _jessie_ =
      (let _jessie_ =
      (JC_22:
      ((((offset_acc_ intP_t_0_4_alloc_table) !intP_intM_t_0_4) t_0) j)) in
      (let _jessie_ = t_0 in
      (let _jessie_ = i in
      (let _jessie_ = ((shift _jessie_) _jessie_) in
      (JC_23:
      (((((offset_upd_ intP_t_0_4_alloc_table) intP_intM_t_0_4) _jessie_) _jessie_) _jessie_)))))) in
      void);
      (let _jessie_ =
      (let _jessie_ = !tmp in
      (let _jessie_ = t_0 in
      (let _jessie_ = j in
      (let _jessie_ = ((shift _jessie_) _jessie_) in
      (JC_24:
      (((((offset_upd_ intP_t_0_4_alloc_table) intP_intM_t_0_4) _jessie_) _jessie_) _jessie_)))))) in
      void); (raise Return) end); (raise Return) end with Return -> void end)
  { true } 


why-2.39/tests/c/oracle/clock_drift.err.oracle0000644000106100004300000000000013147234006020311 0ustar  marchevalswhy-2.39/tests/c/oracle/flag.res.oracle0000644000106100004300000020016013147234006016751 0ustar  marchevals========== file tests/c/flag.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* Dijkstra's dutch flag */

#pragma JessieIntegerModel(math)

typedef char color;

#define BLUE (color)1
#define WHITE (color)2
#define RED (color)3

/*@ predicate is_color(color c) =
  @   c == BLUE || c == WHITE || c == RED ;
  @*/

/*@ predicate is_color_array{L}(color *t, integer l) =
  @   \valid(t+(0..l-1)) &&
  @   \forall integer i; 0 <= i < l ==> is_color(t[i]) ;
  @*/

/*@ predicate is_monochrome{L}(color *t,integer i, integer j, color c) =
  @   \forall integer k; i <= k < j ==> t[k] == c ;
  @*/


/*@ requires \valid(t+(i..j));
  @ behavior decides_monochromatic:
  @   ensures \result <==> is_monochrome(t,i,j,c);
  @*/
int isMonochrome(color t[], int i, int j, color c) {
  /*@ loop invariant i <= k &&
    @   \forall integer l; i <= l < k ==> t[l] == c;
    @ loop variant j - k;
    @*/
  for (int k = i; k < j; k++) if (t[k] != c) return 0;
  return 1;
}

/*@ requires \valid(t+i);
  @ requires \valid(t+j);
  @ behavior i_j_swapped:
  @   assigns t[i],t[j];
  @   ensures t[i] == \old(t[j]) && t[j] == \old(t[i]);
  @*/
void swap(color t[], int i, int j) {
  color z = t[i];
  t[i] = t[j];
  t[j] = z;
}

/*@ requires l >= 0 && is_color_array(t, l);
  @ behavior sorts:
  @   ensures
  @     (\exists integer b,r;
  @        is_monochrome(t,0,b,BLUE) &&
  @        is_monochrome(t,b,r,WHITE) &&
  @        is_monochrome(t,r,l,RED));
  @*/
void flag(color t[], int l) {
  int b = 0;
  int i = 0;
  int r = l;
  /*@ loop invariant
    @   is_color_array(t,l) &&
    @   0 <= b <= i <= r <= l &&
    @   is_monochrome(t,0,b,BLUE) &&
    @   is_monochrome(t,b,i,WHITE) &&
    @   is_monochrome(t,r,l,RED);
    @ loop variant r - i;
    @*/
  while (i < r) {
    switch (t[i]) {
    case BLUE:
      swap(t,b++, i++);
      break;
    case WHITE:
      i++;
      break;
    case RED:
      swap(t,--r, i);
      break;
    }
  }
}



/*
Local Variables:
compile-command: "make flag.why3ide"
End:
*/
========== frama-c -jessie execution ==========
[kernel] Parsing FRAMAC_SHARE/libc/__fc_builtin_for_normalization.i (no preprocessing)
[kernel] Parsing tests/c/flag.c (with preprocessing)
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/flag.jessie
[jessie] File tests/c/flag.jessie/flag.jc written.
[jessie] File tests/c/flag.jessie/flag.cloc written.
========== file tests/c/flag.jessie/flag.jc ==========
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

tag unsigned_charP = {
  integer unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  integer charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

predicate is_color(integer c) =
(((c == 1) || (c == 2)) || (c == 3))

predicate is_color_array{L}(charP[..] t, integer l) =
(((\offset_min(t) <= 0) && (\offset_max(t) >= (l - 1))) &&
  (\forall integer i_1;
    (((0 <= i_1) && (i_1 < l)) ==> is_color((t + i_1).charM))))

predicate is_monochrome{L}(charP[..] t_0, integer i_2, integer j_0,
                           integer c_0) =
(\forall integer k;
  (((i_2 <= k) && (k < j_0)) ==> ((t_0 + k).charM == c_0)))

integer isMonochrome(charP[..] t_0, integer i, integer j, integer c)
  requires (_C_14 : ((_C_15 : (\offset_min(t_0) <= i)) &&
                      (_C_16 : (\offset_max(t_0) >= j))));
behavior default:
  ensures (_C_12 : true);
behavior decides_monochromatic:
  ensures (_C_13 : ((\result != 0) <==>
                     is_monochrome{Here}(\at(t_0,Old), \at(i,Old),
                                         \at(j,Old), \at(c,Old))));
{  
   (var integer k);
   
   (var integer __retres);
   
   {  
      {  (_C_1 : (k = i));
         
         loop 
         behavior default:
           invariant (_C_3 : ((_C_4 : (i <= k)) &&
                               (_C_5 : (\forall integer l_0;
                                         (((i <= l_0) && (l_0 < k)) ==>
                                           ((t_0 + l_0).charM == c))))));
         variant (_C_2 : (j - k));
         while (true)
         {  
            {  (if (k < j) then () else 
               (goto while_0_break));
               (if ((_C_8 : (_C_7 : (t_0 + k)).charM) != c) then 
               {  (_C_6 : (__retres = 0));
                  
                  (goto return_label)
               } else ());
               (_C_10 : (k = (_C_9 : (k + 1))))
            }
         };
         (while_0_break : ())
      };
      (_C_11 : (__retres = 1));
      (return_label : 
      (return __retres))
   }
}

unit swap(charP[..] t_1, integer i_0, integer j_0)
  requires (_C_35 : ((_C_36 : (\offset_min(t_1) <= i_0)) &&
                      (_C_37 : (\offset_max(t_1) >= i_0))));
  requires (_C_32 : ((_C_33 : (\offset_min(t_1) <= j_0)) &&
                      (_C_34 : (\offset_max(t_1) >= j_0))));
behavior default:
  ensures (_C_28 : true);
behavior i_j_swapped:
  assigns (t_1 + i_0).charM,
  (t_1 + j_0).charM;
  ensures (_C_29 : ((_C_30 : ((\at(t_1,Old) + \at(i_0,Old)).charM ==
                               \at((t_1 + j_0).charM,Old))) &&
                     (_C_31 : ((\at(t_1,Old) + \at(j_0,Old)).charM ==
                                \at((t_1 + i_0).charM,Old)))));
{  
   (var integer z);
   
   {  (_C_19 : (z = (_C_18 : (_C_17 : (t_1 + i_0)).charM)));
      (_C_24 : ((_C_23 : (_C_22 : (t_1 + i_0)).charM) = (_C_21 : (_C_20 : 
                                                                 (t_1 +
                                                                   j_0)).charM)));
      (_C_27 : ((_C_26 : (_C_25 : (t_1 + j_0)).charM) = z));
      
      (return ())
   }
}

unit flag(charP[..] t, integer l)
  requires (_C_73 : ((_C_74 : (l >= 0)) &&
                      (_C_75 : is_color_array{Here}(t, l))));
behavior default:
  ensures (_C_71 : true);
behavior sorts:
  ensures (_C_72 : (\exists integer b;
                     (\exists integer r;
                       ((is_monochrome{Here}(\at(t,Old), 0, b, 1) &&
                          is_monochrome{Here}(\at(t,Old), b, r, 2)) &&
                         is_monochrome{Here}(\at(t,Old), r, \at(l,Old), 3)))));
{  
   (var integer b);
   
   (var integer i_1);
   
   (var integer r);
   
   (var integer tmp);
   
   (var integer tmp_0);
   
   {  (_C_38 : (b = 0));
      (_C_39 : (i_1 = 0));
      (_C_40 : (r = l));
      
      loop 
      behavior default:
        invariant (_C_42 : ((((((((_C_49 : is_color_array{Here}(t, l)) &&
                                   (_C_50 : (0 <= b))) &&
                                  (_C_51 : (b <= i_1))) &&
                                 (_C_52 : (i_1 <= r))) &&
                                (_C_53 : (r <= l))) &&
                               (_C_54 : is_monochrome{Here}(t, 0, b, 1))) &&
                              (_C_55 : is_monochrome{Here}(t, b, i_1, 2))) &&
                             (_C_56 : is_monochrome{Here}(t, r, l, 3))));
      variant (_C_41 : (r - i_1));
      while (true)
      {  
         {  (if (i_1 < r) then () else 
            (goto while_0_break));
            
            {  
               switch ((_C_70 : (_C_69 : (t + i_1)).charM)) {
                 case 1:
                 {  
                    {  (_C_57 : (tmp = i_1));
                       (_C_59 : (i_1 = (_C_58 : (i_1 + 1))));
                       ();
                       (_C_60 : (tmp_0 = b));
                       (_C_62 : (b = (_C_61 : (b + 1))));
                       ();
                       ()
                    };
                    (_C_63 : swap(t, tmp_0, tmp));
                    
                    (goto switch_1_break)
                 }
                 case 2:
                 {  (_C_65 : (i_1 = (_C_64 : (i_1 + 1))));
                    
                    (goto switch_1_break)
                 }
                 case 3:
                 {  
                    {  ();
                       (_C_67 : (r = (_C_66 : (r - 1))));
                       ()
                    };
                    (_C_68 : swap(t, r, i_1));
                    
                    (goto switch_1_break)
                 }
               };
               (switch_1_break : ())
            }
         }
      };
      (while_0_break : ());
      
      (return ())
   }
}
========== file tests/c/flag.jessie/flag.cloc ==========
[_C_52]
file = "HOME/tests/c/flag.c"
line = 95
begin = 18
end = 24

[_C_35]
file = "HOME/tests/c/flag.c"
line = 69
begin = 16
end = 27

[_C_56]
file = "HOME/tests/c/flag.c"
line = 98
begin = 8
end = 37

[_C_28]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_72]
file = "HOME/tests/c/flag.c"
line = 84
begin = 8
end = 159

[flag]
name = "Function flag"
file = "HOME/tests/c/flag.c"
line = 89
begin = 5
end = 9

[_C_59]
file = "HOME/tests/c/flag.c"
line = 104
begin = 18
end = 21

[_C_48]
file = "HOME/tests/c/flag.c"
line = 94
begin = 8
end = 45

[_C_51]
file = "HOME/tests/c/flag.c"
line = 95
begin = 13
end = 19

[_C_31]
file = "HOME/tests/c/flag.c"
line = 73
begin = 36
end = 54

[_C_41]
file = "HOME/tests/c/flag.c"
line = 99
begin = 19
end = 24

[_C_4]
file = "HOME/tests/c/flag.c"
line = 61
begin = 26
end = 32

[_C_71]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_70]
file = "HOME/tests/c/flag.c"
line = 102
begin = 12
end = 16

[_C_61]
file = "HOME/tests/c/flag.c"
line = 104
begin = 13
end = 16

[_C_69]
file = "HOME/tests/c/flag.c"
line = 102
begin = 12
end = 13

[_C_32]
file = "HOME/tests/c/flag.c"
line = 70
begin = 13
end = 24

[_C_23]
file = "HOME/tests/c/flag.c"
line = 77
begin = 9
end = 13

[_C_19]
file = "HOME/tests/c/flag.c"
line = 76
begin = 2
end = 7

[isMonochrome]
name = "Function isMonochrome"
file = "HOME/tests/c/flag.c"
line = 60
begin = 4
end = 16

[_C_42]
file = "HOME/tests/c/flag.c"
line = 94
begin = 8
end = 183

[_C_13]
file = "HOME/tests/c/flag.c"
line = 58
begin = 14
end = 49

[_C_5]
file = "HOME/tests/c/flag.c"
line = 62
begin = 8
end = 51

[_C_36]
file = "HOME/tests/c/flag.c"
line = 69
begin = 16
end = 27

[_C_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_33]
file = "HOME/tests/c/flag.c"
line = 70
begin = 13
end = 24

[_C_22]
file = "HOME/tests/c/flag.c"
line = 77
begin = 2
end = 3

[_C_65]
file = "HOME/tests/c/flag.c"
line = 107
begin = 6
end = 9

[_C_9]
file = "HOME/tests/c/flag.c"
line = 65
begin = 25
end = 28

[_C_57]
file = "HOME/tests/c/flag.c"
line = 104
begin = 18
end = 21

[_C_54]
file = "HOME/tests/c/flag.c"
line = 96
begin = 8
end = 37

[_C_30]
file = "HOME/tests/c/flag.c"
line = 73
begin = 14
end = 32

[_C_63]
file = "HOME/tests/c/flag.c"
line = 104
begin = 6
end = 22

[_C_6]
file = "HOME/tests/c/flag.c"
line = 65
begin = 45
end = 54

[_C_64]
file = "HOME/tests/c/flag.c"
line = 107
begin = 6
end = 9

[_C_49]
file = "HOME/tests/c/flag.c"
line = 94
begin = 8
end = 27

[_C_24]
file = "HOME/tests/c/flag.c"
line = 77
begin = 9
end = 13

[_C_45]
file = "HOME/tests/c/flag.c"
line = 94
begin = 8
end = 60

[_C_20]
file = "HOME/tests/c/flag.c"
line = 77
begin = 9
end = 10

[_C_73]
file = "HOME/tests/c/flag.c"
line = 81
begin = 16
end = 46

[_C_38]
file = "HOME/tests/c/flag.c"
line = 90
begin = 2
end = 5

[_C_3]
file = "HOME/tests/c/flag.c"
line = 61
begin = 26
end = 87

[_C_17]
file = "HOME/tests/c/flag.c"
line = 76
begin = 12
end = 13

[_C_7]
file = "HOME/tests/c/flag.c"
line = 65
begin = 34
end = 35

[_C_62]
file = "HOME/tests/c/flag.c"
line = 104
begin = 13
end = 16

[_C_55]
file = "HOME/tests/c/flag.c"
line = 97
begin = 8
end = 37

[_C_27]
file = "HOME/tests/c/flag.c"
line = 78
begin = 9
end = 10

[_C_46]
file = "HOME/tests/c/flag.c"
line = 94
begin = 8
end = 55

[_C_44]
file = "HOME/tests/c/flag.c"
line = 94
begin = 8
end = 101

[_C_15]
file = "HOME/tests/c/flag.c"
line = 56
begin = 16
end = 32

[_C_26]
file = "HOME/tests/c/flag.c"
line = 78
begin = 9
end = 10

[_C_47]
file = "HOME/tests/c/flag.c"
line = 94
begin = 8
end = 50

[_C_10]
file = "HOME/tests/c/flag.c"
line = 65
begin = 25
end = 28

[_C_68]
file = "HOME/tests/c/flag.c"
line = 110
begin = 6
end = 20

[_C_60]
file = "HOME/tests/c/flag.c"
line = 104
begin = 13
end = 16

[_C_53]
file = "HOME/tests/c/flag.c"
line = 95
begin = 23
end = 29

[_C_40]
file = "HOME/tests/c/flag.c"
line = 92
begin = 2
end = 5

[_C_58]
file = "HOME/tests/c/flag.c"
line = 104
begin = 18
end = 21

[swap]
name = "Function swap"
file = "HOME/tests/c/flag.c"
line = 75
begin = 5
end = 9

[_C_8]
file = "HOME/tests/c/flag.c"
line = 65
begin = 34
end = 38

[_C_66]
file = "HOME/tests/c/flag.c"
line = 110
begin = 13
end = 16

[_C_18]
file = "HOME/tests/c/flag.c"
line = 76
begin = 12
end = 16

[_C_29]
file = "HOME/tests/c/flag.c"
line = 73
begin = 14
end = 54

[_C_75]
file = "HOME/tests/c/flag.c"
line = 81
begin = 26
end = 46

[_C_14]
file = "HOME/tests/c/flag.c"
line = 56
begin = 16
end = 32

[_C_50]
file = "HOME/tests/c/flag.c"
line = 95
begin = 8
end = 14

[_C_37]
file = "HOME/tests/c/flag.c"
line = 69
begin = 16
end = 27

[_C_43]
file = "HOME/tests/c/flag.c"
line = 94
begin = 8
end = 142

[_C_2]
file = "HOME/tests/c/flag.c"
line = 63
begin = 19
end = 24

[_C_34]
file = "HOME/tests/c/flag.c"
line = 70
begin = 13
end = 24

[_C_67]
file = "HOME/tests/c/flag.c"
line = 110
begin = 13
end = 16

[_C_16]
file = "HOME/tests/c/flag.c"
line = 56
begin = 16
end = 32

[_C_1]
file = "HOME/tests/c/flag.c"
line = 65
begin = 7
end = 10

[_C_25]
file = "HOME/tests/c/flag.c"
line = 78
begin = 2
end = 3

[_C_39]
file = "HOME/tests/c/flag.c"
line = 91
begin = 2
end = 5

[_C_74]
file = "HOME/tests/c/flag.c"
line = 81
begin = 16
end = 22

[_C_11]
file = "HOME/tests/c/flag.c"
line = 66
begin = 2
end = 11

[_C_21]
file = "HOME/tests/c/flag.c"
line = 77
begin = 9
end = 13

========== jessie execution ==========
Generating Why function isMonochrome
Generating Why function swap
Generating Why function flag
========== file tests/c/flag.jessie/flag.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/flag_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: flag.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: flag.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: flag.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/c/flag.jessie/flag.loc ==========
[JC_94]
file = "HOME/tests/c/flag.c"
line = 99
begin = 19
end = 24

[JC_73]
file = "HOME/"
line = 0
begin = -1
end = -1

[isMonochrome_safety]
name = "Function isMonochrome"
behavior = "Safety"
file = "HOME/tests/c/flag.c"
line = 60
begin = 4
end = 16

[JC_63]
kind = PointerDeref
file = "HOME/tests/c/flag.jessie/flag.jc"
line = 104
begin = 16
end = 226

[JC_80]
file = "HOME/tests/c/flag.c"
line = 95
begin = 8
end = 14

[JC_51]
file = "HOME/tests/c/flag.c"
line = 73
begin = 14
end = 32

[JC_71]
file = "HOME/tests/c/flag.c"
line = 81
begin = 16
end = 46

[JC_45]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_106]
file = "HOME/tests/c/flag.jessie/flag.jc"
line = 139
begin = 6
end = 1855

[JC_113]
file = "HOME/tests/c/flag.c"
line = 95
begin = 23
end = 29

[JC_116]
file = "HOME/tests/c/flag.c"
line = 98
begin = 8
end = 37

[JC_64]
kind = PointerDeref
file = "HOME/tests/c/flag.jessie/flag.jc"
line = 107
begin = 16
end = 57

[JC_99]
file = "HOME/tests/c/flag.c"
line = 95
begin = 23
end = 29

[JC_85]
file = "HOME/tests/c/flag.c"
line = 97
begin = 8
end = 37

[JC_31]
file = "HOME/tests/c/flag.c"
line = 61
begin = 26
end = 87

[JC_17]
file = "HOME/tests/c/flag.c"
line = 61
begin = 26
end = 87

[JC_122]
kind = UserCall
file = "HOME/tests/c/flag.jessie/flag.jc"
line = 182
begin = 29
end = 44

[JC_81]
file = "HOME/tests/c/flag.c"
line = 95
begin = 13
end = 19

[JC_55]
file = "HOME/tests/c/flag.jessie/flag.jc"
line = 93
begin = 9
end = 20

[JC_48]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_23]
file = "HOME/tests/c/flag.c"
line = 61
begin = 26
end = 32

[JC_22]
file = "HOME/tests/c/flag.c"
line = 63
begin = 19
end = 24

[JC_121]
kind = UserCall
file = "HOME/tests/c/flag.jessie/flag.jc"
line = 167
begin = 29
end = 48

[isMonochrome_ensures_default]
name = "Function isMonochrome"
behavior = "default behavior"
file = "HOME/tests/c/flag.c"
line = 60
begin = 4
end = 16

[JC_5]
file = "HOME/tests/c/flag.c"
line = 56
begin = 16
end = 32

[JC_67]
file = "HOME/tests/c/flag.c"
line = 81
begin = 16
end = 46

[JC_9]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_75]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_24]
file = "HOME/tests/c/flag.c"
line = 62
begin = 8
end = 51

[JC_25]
file = "HOME/tests/c/flag.c"
line = 61
begin = 26
end = 87

[flag_ensures_sorts]
name = "Function flag"
behavior = "Behavior `sorts'"
file = "HOME/tests/c/flag.c"
line = 89
begin = 5
end = 9

[JC_78]
file = "HOME/tests/c/flag.c"
line = 84
begin = 8
end = 159

[JC_41]
file = "HOME/tests/c/flag.c"
line = 69
begin = 16
end = 27

[JC_74]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_47]
file = "HOME/"
line = 0
begin = -1
end = -1

[isMonochrome_ensures_decides_monochromatic]
name = "Function isMonochrome"
behavior = "Behavior `decides_monochromatic'"
file = "HOME/tests/c/flag.c"
line = 60
begin = 4
end = 16

[JC_52]
file = "HOME/tests/c/flag.c"
line = 73
begin = 36
end = 54

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[swap_ensures_i_j_swapped]
name = "Function swap"
behavior = "Behavior `i_j_swapped'"
file = "HOME/tests/c/flag.c"
line = 75
begin = 5
end = 9

[JC_54]
file = "HOME/tests/c/flag.c"
line = 75
begin = 5
end = 9

[JC_79]
file = "HOME/tests/c/flag.c"
line = 94
begin = 8
end = 27

[JC_13]
file = "HOME/tests/c/flag.c"
line = 58
begin = 14
end = 49

[JC_82]
file = "HOME/tests/c/flag.c"
line = 95
begin = 18
end = 24

[JC_87]
file = "HOME/tests/c/flag.c"
line = 94
begin = 8
end = 183

[JC_11]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_98]
file = "HOME/tests/c/flag.c"
line = 95
begin = 18
end = 24

[JC_70]
file = "HOME/tests/c/flag.c"
line = 81
begin = 26
end = 46

[JC_15]
file = "HOME/tests/c/flag.c"
line = 61
begin = 26
end = 32

[JC_36]
file = "HOME/tests/c/flag.c"
line = 69
begin = 16
end = 27

[JC_104]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_91]
kind = PointerDeref
file = "HOME/tests/c/flag.c"
line = 102
begin = 12
end = 16

[JC_39]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_112]
file = "HOME/tests/c/flag.c"
line = 95
begin = 18
end = 24

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_83]
file = "HOME/tests/c/flag.c"
line = 95
begin = 23
end = 29

[JC_35]
file = "HOME/tests/c/flag.c"
line = 69
begin = 16
end = 27

[JC_27]
file = "HOME/tests/c/flag.jessie/flag.jc"
line = 59
begin = 9
end = 714

[JC_115]
file = "HOME/tests/c/flag.c"
line = 97
begin = 8
end = 37

[JC_109]
file = "HOME/tests/c/flag.c"
line = 94
begin = 8
end = 27

[JC_107]
kind = UserCall
file = "HOME/tests/c/flag.jessie/flag.jc"
line = 167
begin = 29
end = 48

[JC_69]
file = "HOME/tests/c/flag.c"
line = 81
begin = 16
end = 22

[JC_38]
file = "HOME/tests/c/flag.c"
line = 70
begin = 13
end = 24

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/tests/c/flag.c"
line = 56
begin = 16
end = 32

[JC_44]
file = "HOME/tests/c/flag.c"
line = 70
begin = 13
end = 24

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
kind = PointerDeref
file = "HOME/tests/c/flag.c"
line = 77
begin = 9
end = 13

[JC_101]
file = "HOME/tests/c/flag.c"
line = 97
begin = 8
end = 37

[JC_88]
file = "HOME/"
line = 0
begin = -1
end = -1

[flag_safety]
name = "Function flag"
behavior = "Safety"
file = "HOME/tests/c/flag.c"
line = 89
begin = 5
end = 9

[JC_42]
file = "HOME/tests/c/flag.c"
line = 69
begin = 16
end = 27

[swap_ensures_default]
name = "Function swap"
behavior = "default behavior"
file = "HOME/tests/c/flag.c"
line = 75
begin = 5
end = 9

[JC_110]
file = "HOME/tests/c/flag.c"
line = 95
begin = 8
end = 14

[JC_103]
file = "HOME/tests/c/flag.c"
line = 94
begin = 8
end = 183

[JC_46]
file = "HOME/"
line = 0
begin = -1
end = -1

[swap_safety]
name = "Function swap"
behavior = "Safety"
file = "HOME/tests/c/flag.c"
line = 75
begin = 5
end = 9

[JC_61]
kind = PointerDeref
file = "HOME/tests/c/flag.c"
line = 76
begin = 12
end = 16

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_56]
file = "HOME/tests/c/flag.c"
line = 73
begin = 14
end = 32

[JC_33]
file = "HOME/tests/c/flag.jessie/flag.jc"
line = 59
begin = 9
end = 714

[flag_ensures_default]
name = "Function flag"
behavior = "default behavior"
file = "HOME/tests/c/flag.c"
line = 89
begin = 5
end = 9

[JC_65]
file = "HOME/tests/c/flag.c"
line = 81
begin = 16
end = 22

[JC_118]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_105]
file = "HOME/tests/c/flag.jessie/flag.jc"
line = 139
begin = 6
end = 1855

[JC_29]
file = "HOME/tests/c/flag.c"
line = 61
begin = 26
end = 32

[JC_68]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_7]
file = "HOME/tests/c/flag.c"
line = 56
begin = 16
end = 32

[JC_16]
file = "HOME/tests/c/flag.c"
line = 62
begin = 8
end = 51

[JC_96]
file = "HOME/tests/c/flag.c"
line = 95
begin = 8
end = 14

[JC_43]
file = "HOME/tests/c/flag.c"
line = 70
begin = 13
end = 24

[JC_2]
file = "HOME/tests/c/flag.c"
line = 56
begin = 16
end = 32

[JC_95]
file = "HOME/tests/c/flag.c"
line = 94
begin = 8
end = 27

[JC_93]
kind = UserCall
file = "HOME/tests/c/flag.jessie/flag.jc"
line = 182
begin = 29
end = 44

[JC_97]
file = "HOME/tests/c/flag.c"
line = 95
begin = 13
end = 19

[JC_84]
file = "HOME/tests/c/flag.c"
line = 96
begin = 8
end = 37

[JC_34]
file = "HOME/tests/c/flag.jessie/flag.jc"
line = 59
begin = 9
end = 714

[JC_114]
file = "HOME/tests/c/flag.c"
line = 96
begin = 8
end = 37

[JC_14]
file = "HOME/tests/c/flag.c"
line = 58
begin = 14
end = 49

[JC_117]
file = "HOME/tests/c/flag.c"
line = 94
begin = 8
end = 183

[JC_90]
file = "HOME/tests/c/flag.jessie/flag.jc"
line = 139
begin = 6
end = 1855

[JC_53]
file = "HOME/tests/c/flag.c"
line = 73
begin = 14
end = 54

[JC_21]
kind = PointerDeref
file = "HOME/tests/c/flag.c"
line = 65
begin = 34
end = 38

[JC_111]
file = "HOME/tests/c/flag.c"
line = 95
begin = 13
end = 19

[JC_77]
file = "HOME/tests/c/flag.c"
line = 84
begin = 8
end = 159

[JC_49]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1]
file = "HOME/tests/c/flag.c"
line = 56
begin = 16
end = 32

[JC_102]
file = "HOME/tests/c/flag.c"
line = 98
begin = 8
end = 37

[JC_37]
file = "HOME/tests/c/flag.c"
line = 70
begin = 13
end = 24

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_108]
kind = UserCall
file = "HOME/tests/c/flag.jessie/flag.jc"
line = 182
begin = 29
end = 44

[JC_57]
file = "HOME/tests/c/flag.c"
line = 73
begin = 36
end = 54

[JC_89]
file = "HOME/tests/c/flag.jessie/flag.jc"
line = 139
begin = 6
end = 1855

[JC_66]
file = "HOME/tests/c/flag.c"
line = 81
begin = 26
end = 46

[JC_59]
file = "HOME/tests/c/flag.c"
line = 75
begin = 5
end = 9

[JC_20]
file = "HOME/tests/c/flag.jessie/flag.jc"
line = 59
begin = 9
end = 714

[JC_18]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_3]
file = "HOME/tests/c/flag.c"
line = 56
begin = 16
end = 32

[JC_92]
kind = UserCall
file = "HOME/tests/c/flag.jessie/flag.jc"
line = 167
begin = 29
end = 48

[JC_86]
file = "HOME/tests/c/flag.c"
line = 98
begin = 8
end = 37

[JC_60]
file = "HOME/tests/c/flag.jessie/flag.jc"
line = 93
begin = 9
end = 20

[JC_72]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_19]
file = "HOME/tests/c/flag.jessie/flag.jc"
line = 59
begin = 9
end = 714

[JC_119]
file = "HOME/tests/c/flag.jessie/flag.jc"
line = 139
begin = 6
end = 1855

[JC_76]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_50]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/tests/c/flag.c"
line = 62
begin = 8
end = 51

[JC_120]
file = "HOME/tests/c/flag.jessie/flag.jc"
line = 139
begin = 6
end = 1855

[JC_58]
file = "HOME/tests/c/flag.c"
line = 73
begin = 14
end = 54

[JC_100]
file = "HOME/tests/c/flag.c"
line = 96
begin = 8
end = 37

[JC_28]
file = "HOME/tests/c/flag.jessie/flag.jc"
line = 59
begin = 9
end = 714

========== file tests/c/flag.jessie/why/flag.why ==========
type charP

type padding

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

predicate is_color(c:int) = ((c = (1)) or ((c = (2)) or (c = (3))))

predicate is_color_array(t:charP pointer, l:int,
 charP_t_1_alloc_table_at_L:charP alloc_table,
 charP_charM_t_1_at_L:(charP, int) memory) =
 (le_int(offset_min(charP_t_1_alloc_table_at_L, t), (0))
 and (ge_int(offset_max(charP_t_1_alloc_table_at_L, t), sub_int(l, (1)))
     and (forall i_1:int.
          ((le_int((0), i_1) and lt_int(i_1, l)) ->
           is_color(select(charP_charM_t_1_at_L, shift(t, i_1)))))))

predicate is_monochrome(t_0:charP pointer, i_2:int, j_0:int, c_0:int,
 charP_charM_t_0_2_at_L:(charP, int) memory) =
 (forall k:int.
  ((le_int(i_2, k) and lt_int(k, j_0)) ->
   (select(charP_charM_t_0_2_at_L, shift(t_0, k)) = c_0)))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

exception Goto_switch_1_break_exc of unit

exception Goto_while_0_break_exc of unit

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter flag :
 t_2:charP pointer ->
  l_0:int ->
   charP_charM_t_5:(charP, int) memory ref ->
    charP_t_5_alloc_table:charP alloc_table ->
     { } unit reads charP_charM_t_5 writes charP_charM_t_5
     { (JC_78:
       (exists b:int.
        (exists r:int.
         (is_monochrome(t_2, (0), b, (1), charP_charM_t_5)
         and (is_monochrome(t_2, b, r, (2), charP_charM_t_5)
             and is_monochrome(t_2, r, l_0, (3), charP_charM_t_5)))))) }

parameter flag_requires :
 t_2:charP pointer ->
  l_0:int ->
   charP_charM_t_5:(charP, int) memory ref ->
    charP_t_5_alloc_table:charP alloc_table ->
     { (JC_67:
       ((JC_65: ge_int(l_0, (0)))
       and (JC_66:
           is_color_array(t_2, l_0, charP_t_5_alloc_table, charP_charM_t_5))))}
     unit reads charP_charM_t_5 writes charP_charM_t_5
     { (JC_78:
       (exists b:int.
        (exists r:int.
         (is_monochrome(t_2, (0), b, (1), charP_charM_t_5)
         and (is_monochrome(t_2, b, r, (2), charP_charM_t_5)
             and is_monochrome(t_2, r, l_0, (3), charP_charM_t_5)))))) }

parameter isMonochrome :
 t_0_0:charP pointer ->
  i:int ->
   j:int ->
    c_1:int ->
     charP_t_0_3_alloc_table:charP alloc_table ->
      charP_charM_t_0_3:(charP, int) memory ->
       { } int
       { (JC_14:
         ((result <> (0))
         <-> is_monochrome(t_0_0, i, j, c_1, charP_charM_t_0_3))) }

parameter isMonochrome_requires :
 t_0_0:charP pointer ->
  i:int ->
   j:int ->
    c_1:int ->
     charP_t_0_3_alloc_table:charP alloc_table ->
      charP_charM_t_0_3:(charP, int) memory ->
       { (JC_3:
         ((JC_1: le_int(offset_min(charP_t_0_3_alloc_table, t_0_0), i))
         and (JC_2: ge_int(offset_max(charP_t_0_3_alloc_table, t_0_0), j))))}
       int
       { (JC_14:
         ((result <> (0))
         <-> is_monochrome(t_0_0, i, j, c_1, charP_charM_t_0_3))) }

parameter swap :
 t_1:charP pointer ->
  i_0:int ->
   j_0_0:int ->
    charP_charM_t_1_4:(charP, int) memory ref ->
     charP_t_1_4_alloc_table:charP alloc_table ->
      { } unit reads charP_charM_t_1_4 writes charP_charM_t_1_4
      { (JC_60:
        ((JC_58:
         ((JC_56:
          (select(charP_charM_t_1_4, shift(t_1, i_0)) = select(charP_charM_t_1_4@,
                                                        shift(t_1, j_0_0))))
         and (JC_57:
             (select(charP_charM_t_1_4, shift(t_1, j_0_0)) = select(charP_charM_t_1_4@,
                                                             shift(t_1, i_0))))))
        and (JC_59:
            not_assigns(charP_t_1_4_alloc_table, charP_charM_t_1_4@,
            charP_charM_t_1_4,
            pset_union(pset_range(pset_singleton(t_1), j_0_0, j_0_0),
            pset_range(pset_singleton(t_1), i_0, i_0)))))) }

parameter swap_requires :
 t_1:charP pointer ->
  i_0:int ->
   j_0_0:int ->
    charP_charM_t_1_4:(charP, int) memory ref ->
     charP_t_1_4_alloc_table:charP alloc_table ->
      { (JC_39:
        ((JC_35: le_int(offset_min(charP_t_1_4_alloc_table, t_1), i_0))
        and ((JC_36: ge_int(offset_max(charP_t_1_4_alloc_table, t_1), i_0))
            and ((JC_37:
                 le_int(offset_min(charP_t_1_4_alloc_table, t_1), j_0_0))
                and (JC_38:
                    ge_int(offset_max(charP_t_1_4_alloc_table, t_1), j_0_0))))))}
      unit reads charP_charM_t_1_4 writes charP_charM_t_1_4
      { (JC_60:
        ((JC_58:
         ((JC_56:
          (select(charP_charM_t_1_4, shift(t_1, i_0)) = select(charP_charM_t_1_4@,
                                                        shift(t_1, j_0_0))))
         and (JC_57:
             (select(charP_charM_t_1_4, shift(t_1, j_0_0)) = select(charP_charM_t_1_4@,
                                                             shift(t_1, i_0))))))
        and (JC_59:
            not_assigns(charP_t_1_4_alloc_table, charP_charM_t_1_4@,
            charP_charM_t_1_4,
            pset_union(pset_range(pset_singleton(t_1), j_0_0, j_0_0),
            pset_range(pset_singleton(t_1), i_0, i_0)))))) }

let flag_ensures_default =
 fun (t_2 : charP pointer) (l_0 : int) (charP_charM_t_5 : (charP, int) memory ref) (charP_t_5_alloc_table : charP alloc_table) ->
  { (JC_71:
    ((JC_69: ge_int(l_0, (0)))
    and (JC_70:
        is_color_array(t_2, l_0, charP_t_5_alloc_table, charP_charM_t_5)))) }
  (init:
  try
   begin
     (let b_0 = ref (any_int void) in
     (let i_1_0 = ref (any_int void) in
     (let r_0 = ref (any_int void) in
     (let tmp = ref (any_int void) in
     (let tmp_0 = ref (any_int void) in
     try
      begin
        (let _jessie_ = (b_0 := (0)) in void);
       (let _jessie_ = (i_1_0 := (0)) in void);
       (let _jessie_ = (r_0 := l_0) in void);
       (loop_5:
       begin
         while true do
         { invariant
             (JC_103:
             ((JC_95:
              is_color_array(t_2, l_0, charP_t_5_alloc_table,
              charP_charM_t_5))
             and ((JC_96: le_int((0), b_0))
                 and ((JC_97: le_int(b_0, i_1_0))
                     and ((JC_98: le_int(i_1_0, r_0))
                         and ((JC_99: le_int(r_0, l_0))
                             and ((JC_100:
                                  is_monochrome(t_2, (0), b_0, (1),
                                  charP_charM_t_5))
                                 and ((JC_101:
                                      is_monochrome(t_2, b_0, i_1_0, (2),
                                      charP_charM_t_5))
                                     and (JC_102:
                                         is_monochrome(t_2, r_0, l_0, (3),
                                         charP_charM_t_5))))))))))  }
          begin
            [ { } unit { true } ];
           try
            begin
              (if ((lt_int_ !i_1_0) !r_0) then void
              else (raise (Goto_while_0_break_exc void)));
             try
              begin
                (let _jessie_ =
                ((safe_acc_ !charP_charM_t_5) ((shift t_2) !i_1_0)) in
                begin
                  (if ((eq_int_ _jessie_) (1))
                  then
                   begin
                     (let _jessie_ = (tmp := !i_1_0) in void);
                    (let _jessie_ = (i_1_0 := ((add_int !i_1_0) (1))) in
                    void); void; (let _jessie_ = (tmp_0 := !b_0) in void);
                    (let _jessie_ = (b_0 := ((add_int !b_0) (1))) in void);
                    void; void;
                    (let _jessie_ = t_2 in
                    (let _jessie_ = !tmp_0 in
                    (let _jessie_ = !tmp in
                    (JC_107:
                    (((((swap _jessie_) _jessie_) _jessie_) charP_charM_t_5) charP_t_5_alloc_table)))));
                    (raise (Goto_switch_1_break_exc void)) end else void);
                 (if (((eq_int_ _jessie_) (2)) || ((eq_int_ _jessie_) (1)))
                 then
                  begin
                    (let _jessie_ = (i_1_0 := ((add_int !i_1_0) (1))) in
                    void); (raise (Goto_switch_1_break_exc void)) end
                 else void);
                 (if (((eq_int_ _jessie_) (3)) || (((eq_int_ _jessie_) (2)) || 
                                                   ((eq_int_ _jessie_) (1))))
                 then
                  begin
                    void;
                   (let _jessie_ = (r_0 := ((sub_int !r_0) (1))) in void);
                   void;
                   (let _jessie_ = t_2 in
                   (let _jessie_ = !r_0 in
                   (let _jessie_ = !i_1_0 in
                   (JC_108:
                   (((((swap _jessie_) _jessie_) _jessie_) charP_charM_t_5) charP_t_5_alloc_table)))));
                   (raise (Goto_switch_1_break_exc void)) end else void) end);
               (raise (Goto_switch_1_break_exc void)) end with
              Goto_switch_1_break_exc _jessie_ -> (switch_1_break: void) end;
             (raise (Loop_continue_exc void)) end with
            Loop_continue_exc _jessie_ -> void end end done;
        (raise (Goto_while_0_break_exc void)) end) end with
      Goto_while_0_break_exc _jessie_ ->
      (while_0_break: begin   void; (raise Return) end) end)))));
    (raise Return) end with Return -> void end) { (JC_73: true) } 

let flag_ensures_sorts =
 fun (t_2 : charP pointer) (l_0 : int) (charP_charM_t_5 : (charP, int) memory ref) (charP_t_5_alloc_table : charP alloc_table) ->
  { (JC_71:
    ((JC_69: ge_int(l_0, (0)))
    and (JC_70:
        is_color_array(t_2, l_0, charP_t_5_alloc_table, charP_charM_t_5)))) }
  (init:
  try
   begin
     (let b_0 = ref (any_int void) in
     (let i_1_0 = ref (any_int void) in
     (let r_0 = ref (any_int void) in
     (let tmp = ref (any_int void) in
     (let tmp_0 = ref (any_int void) in
     try
      begin
        (let _jessie_ = (b_0 := (0)) in void);
       (let _jessie_ = (i_1_0 := (0)) in void);
       (let _jessie_ = (r_0 := l_0) in void);
       (loop_6:
       begin
         while true do
         { invariant (JC_119: true)  }
          begin
            [ { } unit reads b_0,charP_charM_t_5,i_1_0,r_0
              { (JC_117:
                ((JC_109:
                 is_color_array(t_2, l_0, charP_t_5_alloc_table,
                 charP_charM_t_5))
                and ((JC_110: le_int((0), b_0))
                    and ((JC_111: le_int(b_0, i_1_0))
                        and ((JC_112: le_int(i_1_0, r_0))
                            and ((JC_113: le_int(r_0, l_0))
                                and ((JC_114:
                                     is_monochrome(t_2, (0), b_0, (1),
                                     charP_charM_t_5))
                                    and ((JC_115:
                                         is_monochrome(t_2, b_0, i_1_0, (2),
                                         charP_charM_t_5))
                                        and (JC_116:
                                            is_monochrome(t_2, r_0, l_0, (3),
                                            charP_charM_t_5)))))))))) } ];
           try
            begin
              (if ((lt_int_ !i_1_0) !r_0) then void
              else (raise (Goto_while_0_break_exc void)));
             try
              begin
                (let _jessie_ =
                ((safe_acc_ !charP_charM_t_5) ((shift t_2) !i_1_0)) in
                begin
                  (if ((eq_int_ _jessie_) (1))
                  then
                   begin
                     (let _jessie_ = (tmp := !i_1_0) in void);
                    (let _jessie_ = (i_1_0 := ((add_int !i_1_0) (1))) in
                    void); void; (let _jessie_ = (tmp_0 := !b_0) in void);
                    (let _jessie_ = (b_0 := ((add_int !b_0) (1))) in void);
                    void; void;
                    (let _jessie_ = t_2 in
                    (let _jessie_ = !tmp_0 in
                    (let _jessie_ = !tmp in
                    (JC_121:
                    (((((swap _jessie_) _jessie_) _jessie_) charP_charM_t_5) charP_t_5_alloc_table)))));
                    (raise (Goto_switch_1_break_exc void)) end else void);
                 (if (((eq_int_ _jessie_) (2)) || ((eq_int_ _jessie_) (1)))
                 then
                  begin
                    (let _jessie_ = (i_1_0 := ((add_int !i_1_0) (1))) in
                    void); (raise (Goto_switch_1_break_exc void)) end
                 else void);
                 (if (((eq_int_ _jessie_) (3)) || (((eq_int_ _jessie_) (2)) || 
                                                   ((eq_int_ _jessie_) (1))))
                 then
                  begin
                    void;
                   (let _jessie_ = (r_0 := ((sub_int !r_0) (1))) in void);
                   void;
                   (let _jessie_ = t_2 in
                   (let _jessie_ = !r_0 in
                   (let _jessie_ = !i_1_0 in
                   (JC_122:
                   (((((swap _jessie_) _jessie_) _jessie_) charP_charM_t_5) charP_t_5_alloc_table)))));
                   (raise (Goto_switch_1_break_exc void)) end else void) end);
               (raise (Goto_switch_1_break_exc void)) end with
              Goto_switch_1_break_exc _jessie_ -> (switch_1_break: void) end;
             (raise (Loop_continue_exc void)) end with
            Loop_continue_exc _jessie_ -> void end end done;
        (raise (Goto_while_0_break_exc void)) end) end with
      Goto_while_0_break_exc _jessie_ ->
      (while_0_break: begin   void; (raise Return) end) end)))));
    (raise Return) end with Return -> void end)
  { (JC_77:
    (exists b:int.
     (exists r:int.
      (is_monochrome(t_2, (0), b, (1), charP_charM_t_5)
      and (is_monochrome(t_2, b, r, (2), charP_charM_t_5)
          and is_monochrome(t_2, r, l_0, (3), charP_charM_t_5)))))) } 

let flag_safety =
 fun (t_2 : charP pointer) (l_0 : int) (charP_charM_t_5 : (charP, int) memory ref) (charP_t_5_alloc_table : charP alloc_table) ->
  { (JC_71:
    ((JC_69: ge_int(l_0, (0)))
    and (JC_70:
        is_color_array(t_2, l_0, charP_t_5_alloc_table, charP_charM_t_5)))) }
  (init:
  try
   begin
     (let b_0 = ref (any_int void) in
     (let i_1_0 = ref (any_int void) in
     (let r_0 = ref (any_int void) in
     (let tmp = ref (any_int void) in
     (let tmp_0 = ref (any_int void) in
     try
      begin
        (let _jessie_ = (b_0 := (0)) in void);
       (let _jessie_ = (i_1_0 := (0)) in void);
       (let _jessie_ = (r_0 := l_0) in void);
       (loop_4:
       begin
         while true do
         { invariant (JC_89: true) variant (JC_94 : sub_int(r_0, i_1_0)) }
          begin
            [ { } unit reads b_0,charP_charM_t_5,i_1_0,r_0
              { (JC_87:
                ((JC_79:
                 is_color_array(t_2, l_0, charP_t_5_alloc_table,
                 charP_charM_t_5))
                and ((JC_80: le_int((0), b_0))
                    and ((JC_81: le_int(b_0, i_1_0))
                        and ((JC_82: le_int(i_1_0, r_0))
                            and ((JC_83: le_int(r_0, l_0))
                                and ((JC_84:
                                     is_monochrome(t_2, (0), b_0, (1),
                                     charP_charM_t_5))
                                    and ((JC_85:
                                         is_monochrome(t_2, b_0, i_1_0, (2),
                                         charP_charM_t_5))
                                        and (JC_86:
                                            is_monochrome(t_2, r_0, l_0, (3),
                                            charP_charM_t_5)))))))))) } ];
           try
            begin
              (if ((lt_int_ !i_1_0) !r_0) then void
              else (raise (Goto_while_0_break_exc void)));
             try
              begin
                (let _jessie_ =
                (JC_91:
                ((((offset_acc_ charP_t_5_alloc_table) !charP_charM_t_5) t_2) !i_1_0)) in
                begin
                  (if ((eq_int_ _jessie_) (1))
                  then
                   begin
                     (let _jessie_ = (tmp := !i_1_0) in void);
                    (let _jessie_ = (i_1_0 := ((add_int !i_1_0) (1))) in
                    void); void; (let _jessie_ = (tmp_0 := !b_0) in void);
                    (let _jessie_ = (b_0 := ((add_int !b_0) (1))) in void);
                    void; void;
                    (let _jessie_ = t_2 in
                    (let _jessie_ = !tmp_0 in
                    (let _jessie_ = !tmp in
                    (JC_92:
                    (((((swap_requires _jessie_) _jessie_) _jessie_) charP_charM_t_5) charP_t_5_alloc_table)))));
                    (raise (Goto_switch_1_break_exc void)) end else void);
                 (if (((eq_int_ _jessie_) (2)) || ((eq_int_ _jessie_) (1)))
                 then
                  begin
                    (let _jessie_ = (i_1_0 := ((add_int !i_1_0) (1))) in
                    void); (raise (Goto_switch_1_break_exc void)) end
                 else void);
                 (if (((eq_int_ _jessie_) (3)) || (((eq_int_ _jessie_) (2)) || 
                                                   ((eq_int_ _jessie_) (1))))
                 then
                  begin
                    void;
                   (let _jessie_ = (r_0 := ((sub_int !r_0) (1))) in void);
                   void;
                   (let _jessie_ = t_2 in
                   (let _jessie_ = !r_0 in
                   (let _jessie_ = !i_1_0 in
                   (JC_93:
                   (((((swap_requires _jessie_) _jessie_) _jessie_) charP_charM_t_5) charP_t_5_alloc_table)))));
                   (raise (Goto_switch_1_break_exc void)) end else void) end);
               (raise (Goto_switch_1_break_exc void)) end with
              Goto_switch_1_break_exc _jessie_ -> (switch_1_break: void) end;
             (raise (Loop_continue_exc void)) end with
            Loop_continue_exc _jessie_ -> void end end done;
        (raise (Goto_while_0_break_exc void)) end) end with
      Goto_while_0_break_exc _jessie_ ->
      (while_0_break: begin   void; (raise Return) end) end)))));
    (raise Return) end with Return -> void end) { true } 

let isMonochrome_ensures_decides_monochromatic =
 fun (t_0_0 : charP pointer) (i : int) (j : int) (c_1 : int) (charP_t_0_3_alloc_table : charP alloc_table) (charP_charM_t_0_3 : (charP, int) memory) ->
  { (JC_7:
    ((JC_5: le_int(offset_min(charP_t_0_3_alloc_table, t_0_0), i))
    and (JC_6: ge_int(offset_max(charP_t_0_3_alloc_table, t_0_0), j)))) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let k_0 = ref (any_int void) in
     (let __retres = ref (any_int void) in
     try
      begin
        try
         begin
           (let _jessie_ = (k_0 := i) in void);
          (loop_3:
          begin
            while true do
            { invariant (JC_33: true)  }
             begin
               [ { } unit reads k_0
                 { (JC_31:
                   ((JC_29: le_int(i, k_0))
                   and (JC_30:
                       (forall l_0_0:int.
                        ((le_int(i, l_0_0) and lt_int(l_0_0, k_0)) ->
                         (select(charP_charM_t_0_3, shift(t_0_0, l_0_0)) = c_1)))))) } ];
              try
               begin
                 (let _jessie_ =
                 begin
                   (if ((lt_int_ !k_0) j) then void
                   else (raise (Goto_while_0_break_exc void)));
                  (if ((neq_int_ ((safe_acc_ charP_charM_t_0_3) ((shift t_0_0) !k_0))) c_1)
                  then
                   begin
                     (let _jessie_ = (__retres := (0)) in void);
                    (raise (Return_label_exc void)) end else void);
                  (k_0 := ((add_int !k_0) (1))); !k_0 end in void);
                (raise (Loop_continue_exc void)) end with
               Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ -> (while_0_break: void) end;
       (let _jessie_ = (__retres := (1)) in void);
       (raise (Return_label_exc void)) end with Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres); (raise Return) end) end));
    absurd  end with Return -> !return end))
  { (JC_13:
    ((result <> (0)) <-> is_monochrome(t_0_0, i, j, c_1, charP_charM_t_0_3))) }
  

let isMonochrome_ensures_default =
 fun (t_0_0 : charP pointer) (i : int) (j : int) (c_1 : int) (charP_t_0_3_alloc_table : charP alloc_table) (charP_charM_t_0_3 : (charP, int) memory) ->
  { (JC_7:
    ((JC_5: le_int(offset_min(charP_t_0_3_alloc_table, t_0_0), i))
    and (JC_6: ge_int(offset_max(charP_t_0_3_alloc_table, t_0_0), j)))) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let k_0 = ref (any_int void) in
     (let __retres = ref (any_int void) in
     try
      begin
        try
         begin
           (let _jessie_ = (k_0 := i) in void);
          (loop_2:
          begin
            while true do
            { invariant
                (JC_25:
                ((JC_23: le_int(i, k_0))
                and (JC_24:
                    (forall l_0_0:int.
                     ((le_int(i, l_0_0) and lt_int(l_0_0, k_0)) ->
                      (select(charP_charM_t_0_3, shift(t_0_0, l_0_0)) = c_1))))))
               }
             begin
               [ { } unit { true } ];
              try
               begin
                 (let _jessie_ =
                 begin
                   (if ((lt_int_ !k_0) j) then void
                   else (raise (Goto_while_0_break_exc void)));
                  (if ((neq_int_ ((safe_acc_ charP_charM_t_0_3) ((shift t_0_0) !k_0))) c_1)
                  then
                   begin
                     (let _jessie_ = (__retres := (0)) in void);
                    (raise (Return_label_exc void)) end else void);
                  (k_0 := ((add_int !k_0) (1))); !k_0 end in void);
                (raise (Loop_continue_exc void)) end with
               Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ -> (while_0_break: void) end;
       (let _jessie_ = (__retres := (1)) in void);
       (raise (Return_label_exc void)) end with Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres); (raise Return) end) end));
    absurd  end with Return -> !return end)) { (JC_9: true) } 

let isMonochrome_safety =
 fun (t_0_0 : charP pointer) (i : int) (j : int) (c_1 : int) (charP_t_0_3_alloc_table : charP alloc_table) (charP_charM_t_0_3 : (charP, int) memory) ->
  { (JC_7:
    ((JC_5: le_int(offset_min(charP_t_0_3_alloc_table, t_0_0), i))
    and (JC_6: ge_int(offset_max(charP_t_0_3_alloc_table, t_0_0), j)))) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let k_0 = ref (any_int void) in
     (let __retres = ref (any_int void) in
     try
      begin
        try
         begin
           (let _jessie_ = (k_0 := i) in void);
          (loop_1:
          begin
            while true do
            { invariant (JC_19: true) variant (JC_22 : sub_int(j, k_0)) }
             begin
               [ { } unit reads k_0
                 { (JC_17:
                   ((JC_15: le_int(i, k_0))
                   and (JC_16:
                       (forall l_0_0:int.
                        ((le_int(i, l_0_0) and lt_int(l_0_0, k_0)) ->
                         (select(charP_charM_t_0_3, shift(t_0_0, l_0_0)) = c_1)))))) } ];
              try
               begin
                 (let _jessie_ =
                 begin
                   (if ((lt_int_ !k_0) j) then void
                   else (raise (Goto_while_0_break_exc void)));
                  (if ((neq_int_ (JC_21:
                                 ((((offset_acc_ charP_t_0_3_alloc_table) charP_charM_t_0_3) t_0_0) !k_0))) c_1)
                  then
                   begin
                     (let _jessie_ = (__retres := (0)) in void);
                    (raise (Return_label_exc void)) end else void);
                  (k_0 := ((add_int !k_0) (1))); !k_0 end in void);
                (raise (Loop_continue_exc void)) end with
               Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ -> (while_0_break: void) end;
       (let _jessie_ = (__retres := (1)) in void);
       (raise (Return_label_exc void)) end with Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres); (raise Return) end) end));
    absurd  end with Return -> !return end)) { true } 

let swap_ensures_default =
 fun (t_1 : charP pointer) (i_0 : int) (j_0_0 : int) (charP_charM_t_1_4 : (charP, int) memory ref) (charP_t_1_4_alloc_table : charP alloc_table) ->
  { (JC_45:
    ((JC_41: le_int(offset_min(charP_t_1_4_alloc_table, t_1), i_0))
    and ((JC_42: ge_int(offset_max(charP_t_1_4_alloc_table, t_1), i_0))
        and ((JC_43: le_int(offset_min(charP_t_1_4_alloc_table, t_1), j_0_0))
            and (JC_44:
                ge_int(offset_max(charP_t_1_4_alloc_table, t_1), j_0_0)))))) }
  (init:
  try
   begin
     (let z = ref (any_int void) in
     begin
       (let _jessie_ =
       (z := ((safe_acc_ !charP_charM_t_1_4) ((shift t_1) i_0))) in void);
      (let _jessie_ =
      (let _jessie_ =
      ((safe_acc_ !charP_charM_t_1_4) ((shift t_1) j_0_0)) in
      (let _jessie_ = t_1 in
      (let _jessie_ = i_0 in
      (let _jessie_ = ((shift _jessie_) _jessie_) in
      (((safe_upd_ charP_charM_t_1_4) _jessie_) _jessie_))))) in void);
      (let _jessie_ =
      (let _jessie_ = !z in
      (let _jessie_ = t_1 in
      (let _jessie_ = j_0_0 in
      (let _jessie_ = ((shift _jessie_) _jessie_) in
      (((safe_upd_ charP_charM_t_1_4) _jessie_) _jessie_))))) in void);
      (raise Return) end); (raise Return) end with Return -> void end)
  { (JC_47: true) } 

let swap_ensures_i_j_swapped =
 fun (t_1 : charP pointer) (i_0 : int) (j_0_0 : int) (charP_charM_t_1_4 : (charP, int) memory ref) (charP_t_1_4_alloc_table : charP alloc_table) ->
  { (JC_45:
    ((JC_41: le_int(offset_min(charP_t_1_4_alloc_table, t_1), i_0))
    and ((JC_42: ge_int(offset_max(charP_t_1_4_alloc_table, t_1), i_0))
        and ((JC_43: le_int(offset_min(charP_t_1_4_alloc_table, t_1), j_0_0))
            and (JC_44:
                ge_int(offset_max(charP_t_1_4_alloc_table, t_1), j_0_0)))))) }
  (init:
  try
   begin
     (let z = ref (any_int void) in
     begin
       (let _jessie_ =
       (z := ((safe_acc_ !charP_charM_t_1_4) ((shift t_1) i_0))) in void);
      (let _jessie_ =
      (let _jessie_ =
      ((safe_acc_ !charP_charM_t_1_4) ((shift t_1) j_0_0)) in
      (let _jessie_ = t_1 in
      (let _jessie_ = i_0 in
      (let _jessie_ = ((shift _jessie_) _jessie_) in
      (((safe_upd_ charP_charM_t_1_4) _jessie_) _jessie_))))) in void);
      (let _jessie_ =
      (let _jessie_ = !z in
      (let _jessie_ = t_1 in
      (let _jessie_ = j_0_0 in
      (let _jessie_ = ((shift _jessie_) _jessie_) in
      (((safe_upd_ charP_charM_t_1_4) _jessie_) _jessie_))))) in void);
      (raise Return) end); (raise Return) end with Return -> void end)
  { (JC_55:
    ((JC_53:
     ((JC_51:
      (select(charP_charM_t_1_4, shift(t_1, i_0)) = select(charP_charM_t_1_4@,
                                                    shift(t_1, j_0_0))))
     and (JC_52:
         (select(charP_charM_t_1_4, shift(t_1, j_0_0)) = select(charP_charM_t_1_4@,
                                                         shift(t_1, i_0))))))
    and (JC_54:
        not_assigns(charP_t_1_4_alloc_table, charP_charM_t_1_4@,
        charP_charM_t_1_4,
        pset_union(pset_range(pset_singleton(t_1), j_0_0, j_0_0),
        pset_range(pset_singleton(t_1), i_0, i_0)))))) } 

let swap_safety =
 fun (t_1 : charP pointer) (i_0 : int) (j_0_0 : int) (charP_charM_t_1_4 : (charP, int) memory ref) (charP_t_1_4_alloc_table : charP alloc_table) ->
  { (JC_45:
    ((JC_41: le_int(offset_min(charP_t_1_4_alloc_table, t_1), i_0))
    and ((JC_42: ge_int(offset_max(charP_t_1_4_alloc_table, t_1), i_0))
        and ((JC_43: le_int(offset_min(charP_t_1_4_alloc_table, t_1), j_0_0))
            and (JC_44:
                ge_int(offset_max(charP_t_1_4_alloc_table, t_1), j_0_0)))))) }
  (init:
  try
   begin
     (let z = ref (any_int void) in
     begin
       (let _jessie_ =
       (z := (JC_61:
             ((((offset_acc_ charP_t_1_4_alloc_table) !charP_charM_t_1_4) t_1) i_0))) in
       void);
      (let _jessie_ =
      (let _jessie_ =
      (JC_62:
      ((((offset_acc_ charP_t_1_4_alloc_table) !charP_charM_t_1_4) t_1) j_0_0)) in
      (let _jessie_ = t_1 in
      (let _jessie_ = i_0 in
      (let _jessie_ = ((shift _jessie_) _jessie_) in
      (JC_63:
      (((((offset_upd_ charP_t_1_4_alloc_table) charP_charM_t_1_4) _jessie_) _jessie_) _jessie_)))))) in
      void);
      (let _jessie_ =
      (let _jessie_ = !z in
      (let _jessie_ = t_1 in
      (let _jessie_ = j_0_0 in
      (let _jessie_ = ((shift _jessie_) _jessie_) in
      (JC_64:
      (((((offset_upd_ charP_t_1_4_alloc_table) charP_charM_t_1_4) _jessie_) _jessie_) _jessie_)))))) in
      void); (raise Return) end); (raise Return) end with Return -> void end)
  { true } 


why-2.39/tests/c/oracle/array_double.err.oracle0000644000106100004300000000000013147234006020476 0ustar  marchevalswhy-2.39/tests/c/oracle/isqrt.res.oracle0000644000106100004300000006161613147234006017215 0ustar  marchevals========== file tests/c/isqrt.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


#pragma JessieIntegerModel(math)

//@ logic integer sqr(integer x) = x * x;

/*@ requires x >= 0;
  @ ensures \result >= 0 && sqr(\result) <= x && x < sqr(\result + 1);
  @*/
int isqrt(int x) {
  int count = 0, sum = 1;
  /*@ loop invariant count >= 0 && x >= sqr(count) && sum == sqr(count+1);
    @ loop variant  x - count; 
    @*/
  while (sum <= x) sum += 2 * ++count + 1;
  return count;
}

//@ ensures \result == 4;
int main () {
  int r;
  r = isqrt(17);
  //@ assert r < 4 ==> \false;
  //@ assert r > 4 ==> \false;
  return r;
}

/*
Local Variables:
compile-command: "make isqrt.why3ide"
End:
*/


========== frama-c -jessie execution ==========
[kernel] Parsing FRAMAC_SHARE/libc/__fc_builtin_for_normalization.i (no preprocessing)
[kernel] Parsing tests/c/isqrt.c (with preprocessing)
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/isqrt.jessie
[jessie] File tests/c/isqrt.jessie/isqrt.jc written.
[jessie] File tests/c/isqrt.jessie/isqrt.cloc written.
========== file tests/c/isqrt.jessie/isqrt.jc ==========
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

tag unsigned_charP = {
  integer unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  integer charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

logic integer sqr(integer x) =
(x * x)

integer isqrt(integer x)
  requires (_C_20 : (x >= 0));
behavior default:
  ensures (_C_15 : (((_C_17 : (\result >= 0)) &&
                      (_C_18 : (sqr(\result) <= \at(x,Old)))) &&
                     (_C_19 : (\at(x,Old) < sqr((\result + 1))))));
{  
   (var integer count);
   
   (var integer sum);
   
   {  (_C_1 : (count = 0));
      (_C_2 : (sum = 1));
      
      loop 
      behavior default:
        invariant (_C_4 : (((_C_6 : (count >= 0)) &&
                             (_C_7 : (x >= sqr(count)))) &&
                            (_C_8 : (sum == sqr((count + 1))))));
      variant (_C_3 : (x - count));
      while (true)
      {  
         {  (if (sum <= x) then () else 
            (goto while_0_break));
            
            {  (_C_10 : (count = (_C_9 : (count + 1))));
               (_C_14 : (sum = (_C_13 : (sum +
                                          (_C_12 : ((_C_11 : (2 * count)) +
                                                     1))))))
            }
         }
      };
      (while_0_break : ());
      
      (return count)
   }
}

integer main()
behavior default:
  ensures (_C_25 : (\result == 4));
{  
   (var integer r);
   
   {  (_C_22 : (r = (_C_21 : isqrt(17))));
      
      {  
         (assert for default: (_C_23 : (jessie : ((r < 4) ==> false))));
         ()
      };
      
      {  
         (assert for default: (_C_24 : (jessie : ((r > 4) ==> false))));
         ()
      };
      
      {  
         (return r)
      }
   }
}
========== file tests/c/isqrt.jessie/isqrt.cloc ==========
[main]
name = "Function main"
file = "HOME/tests/c/isqrt.c"
line = 50
begin = 4
end = 8

[_C_4]
file = "HOME/tests/c/isqrt.c"
line = 42
begin = 26
end = 78

[_C_23]
file = "HOME/tests/c/isqrt.c"
line = 53
begin = 18
end = 34

[_C_19]
file = "HOME/tests/c/isqrt.c"
line = 38
begin = 49
end = 69

[_C_13]
file = "HOME/tests/c/isqrt.c"
line = 45
begin = 19
end = 41

[_C_5]
file = "HOME/tests/c/isqrt.c"
line = 42
begin = 26
end = 55

[_C_12]
file = "HOME/tests/c/isqrt.c"
line = 45
begin = 26
end = 41

[_C_22]
file = "HOME/tests/c/isqrt.c"
line = 52
begin = 6
end = 15

[_C_9]
file = "HOME/tests/c/isqrt.c"
line = 45
begin = 30
end = 37

[_C_6]
file = "HOME/tests/c/isqrt.c"
line = 42
begin = 26
end = 36

[_C_24]
file = "HOME/tests/c/isqrt.c"
line = 54
begin = 18
end = 34

[_C_20]
file = "HOME/tests/c/isqrt.c"
line = 37
begin = 16
end = 22

[_C_3]
file = "HOME/tests/c/isqrt.c"
line = 43
begin = 19
end = 28

[_C_17]
file = "HOME/tests/c/isqrt.c"
line = 38
begin = 12
end = 24

[_C_7]
file = "HOME/tests/c/isqrt.c"
line = 42
begin = 40
end = 55

[_C_15]
file = "HOME/tests/c/isqrt.c"
line = 38
begin = 12
end = 69

[_C_10]
file = "HOME/tests/c/isqrt.c"
line = 45
begin = 30
end = 37

[_C_8]
file = "HOME/tests/c/isqrt.c"
line = 42
begin = 59
end = 78

[_C_18]
file = "HOME/tests/c/isqrt.c"
line = 38
begin = 28
end = 45

[_C_14]
file = "HOME/tests/c/isqrt.c"
line = 45
begin = 19
end = 41

[_C_2]
file = "HOME/tests/c/isqrt.c"
line = 41
begin = 2
end = 5

[_C_16]
file = "HOME/tests/c/isqrt.c"
line = 38
begin = 12
end = 45

[isqrt]
name = "Function isqrt"
file = "HOME/tests/c/isqrt.c"
line = 40
begin = 4
end = 9

[_C_1]
file = "HOME/tests/c/isqrt.c"
line = 41
begin = 2
end = 5

[_C_25]
file = "HOME/tests/c/isqrt.c"
line = 49
begin = 15
end = 27

[_C_11]
file = "HOME/tests/c/isqrt.c"
line = 45
begin = 26
end = 37

[_C_21]
file = "HOME/tests/c/isqrt.c"
line = 52
begin = 6
end = 15

========== jessie execution ==========
Generating Why function isqrt
Generating Why function main
========== file tests/c/isqrt.jessie/isqrt.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/isqrt_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: isqrt.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: isqrt.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: isqrt.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/c/isqrt.jessie/isqrt.loc ==========
[main_safety]
name = "Function main"
behavior = "Safety"
file = "HOME/tests/c/isqrt.c"
line = 50
begin = 4
end = 8

[JC_31]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_17]
file = "HOME/tests/c/isqrt.c"
line = 42
begin = 59
end = 78

[JC_23]
file = "HOME/tests/c/isqrt.c"
line = 42
begin = 26
end = 36

[JC_22]
file = "HOME/tests/c/isqrt.c"
line = 43
begin = 19
end = 28

[JC_5]
file = "HOME/tests/c/isqrt.c"
line = 38
begin = 12
end = 24

[JC_9]
file = "HOME/tests/c/isqrt.c"
line = 38
begin = 12
end = 24

[JC_24]
file = "HOME/tests/c/isqrt.c"
line = 42
begin = 40
end = 55

[JC_25]
file = "HOME/tests/c/isqrt.c"
line = 42
begin = 59
end = 78

[JC_41]
kind = UserCall
file = "HOME/tests/c/isqrt.c"
line = 52
begin = 6
end = 15

[JC_26]
file = "HOME/tests/c/isqrt.c"
line = 42
begin = 26
end = 78

[JC_8]
file = "HOME/tests/c/isqrt.c"
line = 38
begin = 12
end = 69

[JC_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[isqrt_ensures_default]
name = "Function isqrt"
behavior = "default behavior"
file = "HOME/tests/c/isqrt.c"
line = 40
begin = 4
end = 9

[JC_11]
file = "HOME/tests/c/isqrt.c"
line = 38
begin = 49
end = 69

[JC_15]
file = "HOME/tests/c/isqrt.c"
line = 42
begin = 26
end = 36

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_39]
file = "HOME/tests/c/isqrt.c"
line = 53
begin = 18
end = 34

[JC_40]
file = "HOME/tests/c/isqrt.c"
line = 54
begin = 18
end = 34

[JC_35]
file = "HOME/tests/c/isqrt.c"
line = 49
begin = 15
end = 27

[JC_27]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_38]
kind = UserCall
file = "HOME/tests/c/isqrt.c"
line = 52
begin = 6
end = 15

[JC_12]
file = "HOME/tests/c/isqrt.c"
line = 38
begin = 12
end = 69

[JC_6]
file = "HOME/tests/c/isqrt.c"
line = 38
begin = 28
end = 45

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_42]
file = "HOME/tests/c/isqrt.c"
line = 53
begin = 18
end = 34

[main_ensures_default]
name = "Function main"
behavior = "default behavior"
file = "HOME/tests/c/isqrt.c"
line = 50
begin = 4
end = 8

[JC_32]
file = "HOME/tests/c/isqrt.c"
line = 50
begin = 4
end = 8

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_29]
file = "HOME/tests/c/isqrt.jessie/isqrt.jc"
line = 46
begin = 6
end = 642

[JC_7]
file = "HOME/tests/c/isqrt.c"
line = 38
begin = 49
end = 69

[JC_16]
file = "HOME/tests/c/isqrt.c"
line = 42
begin = 40
end = 55

[JC_43]
file = "HOME/tests/c/isqrt.c"
line = 54
begin = 18
end = 34

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
file = "HOME/tests/c/isqrt.c"
line = 49
begin = 15
end = 27

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_21]
file = "HOME/tests/c/isqrt.jessie/isqrt.jc"
line = 46
begin = 6
end = 642

[JC_1]
file = "HOME/tests/c/isqrt.c"
line = 37
begin = 16
end = 22

[JC_37]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_10]
file = "HOME/tests/c/isqrt.c"
line = 38
begin = 28
end = 45

[isqrt_safety]
name = "Function isqrt"
behavior = "Safety"
file = "HOME/tests/c/isqrt.c"
line = 40
begin = 4
end = 9

[JC_20]
file = "HOME/tests/c/isqrt.jessie/isqrt.jc"
line = 46
begin = 6
end = 642

[JC_18]
file = "HOME/tests/c/isqrt.c"
line = 42
begin = 26
end = 78

[JC_3]
file = "HOME/tests/c/isqrt.c"
line = 37
begin = 16
end = 22

[JC_19]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/tests/c/isqrt.c"
line = 50
begin = 4
end = 8

[JC_28]
file = "HOME/tests/c/isqrt.jessie/isqrt.jc"
line = 46
begin = 6
end = 642

========== file tests/c/isqrt.jessie/why/isqrt.why ==========
type charP

type padding

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

function sqr(x_0:int) : int = mul_int(x_0, x_0)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

exception Goto_while_0_break_exc of unit

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter isqrt :
 x_1:int ->
  { } int
  { (JC_12:
    ((JC_9: ge_int(result, (0)))
    and ((JC_10: le_int(sqr(result), x_1))
        and (JC_11: lt_int(x_1, sqr(add_int(result, (1)))))))) }

parameter isqrt_requires :
 x_1:int ->
  { (JC_1: ge_int(x_1, (0)))} int
  { (JC_12:
    ((JC_9: ge_int(result, (0)))
    and ((JC_10: le_int(sqr(result), x_1))
        and (JC_11: lt_int(x_1, sqr(add_int(result, (1)))))))) }

parameter main : tt:unit -> { } int { (JC_35: (result = (4))) }

parameter main_requires : tt:unit -> { } int { (JC_35: (result = (4))) }

let isqrt_ensures_default =
 fun (x_1 : int) ->
  { (JC_3: ge_int(x_1, (0))) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let count = ref (any_int void) in
     (let sum = ref (any_int void) in
     try
      begin
        (let _jessie_ = (count := (0)) in void);
       (let _jessie_ = (sum := (1)) in void);
       (loop_2:
       begin
         while true do
         { invariant
             (JC_26:
             ((JC_23: ge_int(count, (0)))
             and ((JC_24: ge_int(x_1, sqr(count)))
                 and (JC_25: (sum = sqr(add_int(count, (1))))))))  }
          begin
            [ { } unit { true } ];
           try
            begin
              (let _jessie_ =
              begin
                (if ((le_int_ !sum) x_1) then void
                else (raise (Goto_while_0_break_exc void)));
               (let _jessie_ = (count := ((add_int !count) (1))) in void);
               (sum := ((add_int !sum) ((add_int ((mul_int (2)) !count)) (1))));
               !sum end in void); (raise (Loop_continue_exc void)) end with
            Loop_continue_exc _jessie_ -> void end end done;
        (raise (Goto_while_0_break_exc void)) end) end with
      Goto_while_0_break_exc _jessie_ ->
      (while_0_break: begin   void; (return := !count); (raise Return) end) end));
    absurd  end with Return -> !return end))
  { (JC_8:
    ((JC_5: ge_int(result, (0)))
    and ((JC_6: le_int(sqr(result), x_1))
        and (JC_7: lt_int(x_1, sqr(add_int(result, (1)))))))) } 

let isqrt_safety =
 fun (x_1 : int) ->
  { (JC_3: ge_int(x_1, (0))) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let count = ref (any_int void) in
     (let sum = ref (any_int void) in
     try
      begin
        (let _jessie_ = (count := (0)) in void);
       (let _jessie_ = (sum := (1)) in void);
       (loop_1:
       begin
         while true do
         { invariant (JC_20: true) variant (JC_22 : sub_int(x_1, count)) }
          begin
            [ { } unit reads count,sum
              { (JC_18:
                ((JC_15: ge_int(count, (0)))
                and ((JC_16: ge_int(x_1, sqr(count)))
                    and (JC_17: (sum = sqr(add_int(count, (1)))))))) } ];
           try
            begin
              (let _jessie_ =
              begin
                (if ((le_int_ !sum) x_1) then void
                else (raise (Goto_while_0_break_exc void)));
               (let _jessie_ = (count := ((add_int !count) (1))) in void);
               (sum := ((add_int !sum) ((add_int ((mul_int (2)) !count)) (1))));
               !sum end in void); (raise (Loop_continue_exc void)) end with
            Loop_continue_exc _jessie_ -> void end end done;
        (raise (Goto_while_0_break_exc void)) end) end with
      Goto_while_0_break_exc _jessie_ ->
      (while_0_break: begin   void; (return := !count); (raise Return) end) end));
    absurd  end with Return -> !return end)) { true } 

let main_ensures_default =
 fun (tt : unit) ->
  { (JC_33: true) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let r = ref (any_int void) in
     begin
       (let _jessie_ =
       (r := (let _jessie_ = (17) in (JC_41: (isqrt _jessie_)))) in void);
      (assert { (JC_42: (lt_int(r, (4)) -> (false = true))) }; void); void;
      (assert { (JC_43: (gt_int(r, (4)) -> (false = true))) }; void); void;
      (return := !r); (raise Return) end); absurd  end with Return ->
   !return end)) { (JC_34: (result = (4))) } 

let main_safety =
 fun (tt : unit) ->
  { (JC_33: true) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let r = ref (any_int void) in
     begin
       (let _jessie_ =
       (r := (let _jessie_ = (17) in (JC_38: (isqrt_requires _jessie_)))) in
       void);
      [ { } unit reads r { (JC_39: (lt_int(r, (4)) -> (false = true))) } ];
      void;
      [ { } unit reads r { (JC_40: (gt_int(r, (4)) -> (false = true))) } ];
      void; (return := !r); (raise Return) end); absurd  end with Return ->
   !return end)) { true } 


why-2.39/tests/c/oracle/double_rounding_multirounding_model.res.oracle0000644000106100004300000005232613147234006025370 0ustar  marchevals========== file tests/c/double_rounding_multirounding_model.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* 

Warning: the proof can be achieve with Gappa 0.14.1 but not
with versions 0.15 ou 0.16. Hopefully it will work with 0.16.1 and higher

*/

#pragma JessieFloatModel(multirounding)

double doublerounding() {
  double x = 1.0;
  double y = 0x1p-53 + 0x1p-64;
  double z = x + y;
  //@ assert 1.0 - 0x1p-63 <= z <= 1.0 + 0x1p-52 + 0x1p-62;
  // assert 1.0 <= z <= 1.0 + 0x1p-52;
  return z;
}

/*
Local Variables:
compile-command: "LC_ALL=C make double_rounding_multirounding_model.why3ide"
End:
*/
========== frama-c -jessie execution ==========
[kernel] Parsing FRAMAC_SHARE/libc/__fc_builtin_for_normalization.i (no preprocessing)
[kernel] Parsing tests/c/double_rounding_multirounding_model.c (with preprocessing)
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/double_rounding_multirounding_model.jessie
[jessie] File tests/c/double_rounding_multirounding_model.jessie/double_rounding_multirounding_model.jc written.
[jessie] File tests/c/double_rounding_multirounding_model.jessie/double_rounding_multirounding_model.cloc written.
========== file tests/c/double_rounding_multirounding_model.jessie/double_rounding_multirounding_model.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol
# FloatModel = multirounding

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type int8 = -128..127

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

double doublerounding()
behavior default:
  ensures (_C_7 : true);
{  
   (var double x);
   
   (var double y);
   
   (var double z);
   
   {  (_C_1 : (x = (1.0 :> double)));
      (_C_3 : (y = (_C_2 : ((0x1p-53 :> double) + (0x1p-64 :> double)))));
      (_C_5 : (z = (_C_4 : (x + y))));
      
      {  
         (assert for default: (_C_6 : (jessie : (((1.0 - 0x1p-63) <=
                                                   (z :> real)) &&
                                                  ((z :> real) <=
                                                    ((1.0 + 0x1p-52) +
                                                      0x1p-62))))));
         ()
      };
      
      {  
         (return z)
      }
   }
}
========== file tests/c/double_rounding_multirounding_model.jessie/double_rounding_multirounding_model.cloc ==========
[_C_4]
file = "HOME/tests/c/double_rounding_multirounding_model.c"
line = 44
begin = 13
end = 18

[_C_5]
file = "HOME/tests/c/double_rounding_multirounding_model.c"
line = 44
begin = 2
end = 8

[doublerounding]
name = "Function doublerounding"
file = "HOME/tests/c/double_rounding_multirounding_model.c"
line = 41
begin = 7
end = 21

[_C_6]
file = "HOME/tests/c/double_rounding_multirounding_model.c"
line = 45
begin = 18
end = 63

[_C_3]
file = "HOME/tests/c/double_rounding_multirounding_model.c"
line = 43
begin = 2
end = 8

[_C_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_2]
file = "HOME/tests/c/double_rounding_multirounding_model.c"
line = 43
begin = 13
end = 30

[_C_1]
file = "HOME/tests/c/double_rounding_multirounding_model.c"
line = 42
begin = 2
end = 8

========== jessie execution ==========
Generating Why function doublerounding
========== file tests/c/double_rounding_multirounding_model.jessie/double_rounding_multirounding_model.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why $(WHYLIB)/why/floats_multi_rounding.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/double_rounding_multirounding_model_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: double_rounding_multirounding_model.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: double_rounding_multirounding_model.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: double_rounding_multirounding_model.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/c/double_rounding_multirounding_model.jessie/double_rounding_multirounding_model.loc ==========
[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_9]
kind = FPOverflow
file = "HOME/tests/c/double_rounding_multirounding_model.jessie/double_rounding_multirounding_model.jc"
line = 46
begin = 28
end = 47

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/tests/c/double_rounding_multirounding_model.c"
line = 45
begin = 18
end = 63

[JC_11]
kind = FPOverflow
file = "HOME/tests/c/double_rounding_multirounding_model.c"
line = 43
begin = 13
end = 30

[JC_15]
kind = FPOverflow
file = "HOME/tests/c/double_rounding_multirounding_model.c"
line = 44
begin = 13
end = 18

[JC_12]
kind = FPOverflow
file = "HOME/tests/c/double_rounding_multirounding_model.c"
line = 44
begin = 13
end = 18

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[doublerounding_ensures_default]
name = "Function doublerounding"
behavior = "default behavior"
file = "HOME/tests/c/double_rounding_multirounding_model.c"
line = 41
begin = 7
end = 21

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/tests/c/double_rounding_multirounding_model.c"
line = 45
begin = 18
end = 63

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
kind = FPOverflow
file = "HOME/tests/c/double_rounding_multirounding_model.c"
line = 43
begin = 13
end = 30

[doublerounding_safety]
name = "Function doublerounding"
behavior = "Safety"
file = "HOME/tests/c/double_rounding_multirounding_model.c"
line = 41
begin = 7
end = 21

[JC_1]
file = "HOME/tests/c/double_rounding_multirounding_model.c"
line = 41
begin = 7
end = 21

[JC_10]
kind = FPOverflow
file = "HOME/tests/c/double_rounding_multirounding_model.jessie/double_rounding_multirounding_model.jc"
line = 46
begin = 50
end = 69

[JC_3]
file = "HOME/tests/c/double_rounding_multirounding_model.c"
line = 41
begin = 7
end = 21

========== file tests/c/double_rounding_multirounding_model.jessie/why/double_rounding_multirounding_model.why ==========
type charP

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter doublerounding : tt:unit -> { } double { true }

parameter doublerounding_requires : tt:unit -> { } double { true }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let doublerounding_ensures_default =
 fun (tt : unit) ->
  { (JC_4: true) }
  (init:
  (let return = ref (any_double void) in
  try
   begin
     (let x_0 = ref (any_double void) in
     (let y = ref (any_double void) in
     (let z = ref (any_double void) in
     begin
       (let _jessie_ = (x_0 := (double_of_real_exact 1.0)) in void);
      (let _jessie_ =
      (y := (JC_14:
            (((add_double_safe nearest_even) ((double_of_real_safe nearest_even) 0x1p-53)) 
             ((double_of_real_safe nearest_even) 0x1p-64)))) in void);
      (let _jessie_ =
      (z := (JC_15: (((add_double_safe nearest_even) !x_0) !y))) in void);
      (assert
      { (JC_16:
        (le_real(sub_real(1.0, 0x1p-63), double_value(z))
        and le_real(double_value(z),
            add_real(add_real(1.0, 0x1p-52), 0x1p-62)))) }; void); void;
      (return := !z); (raise Return) end))); absurd  end with Return ->
   !return end)) { (JC_5: true) } 

let doublerounding_safety =
 fun (tt : unit) ->
  { (JC_4: true) }
  (init:
  (let return = ref (any_double void) in
  try
   begin
     (let x_0 = ref (any_double void) in
     (let y = ref (any_double void) in
     (let z = ref (any_double void) in
     begin
       (let _jessie_ = (x_0 := (double_of_real_exact 1.0)) in void);
      (let _jessie_ =
      (y := (JC_11:
            (((add_double nearest_even) (JC_9:
                                        ((double_of_real nearest_even) 0x1p-53))) 
             (JC_10: ((double_of_real nearest_even) 0x1p-64))))) in void);
      (let _jessie_ =
      (z := (JC_12: (((add_double nearest_even) !x_0) !y))) in void);
      [ { } unit reads z
        { (JC_13:
          (le_real(sub_real(1.0, 0x1p-63), double_value(z))
          and le_real(double_value(z),
              add_real(add_real(1.0, 0x1p-52), 0x1p-62)))) } ]; void;
      (return := !z); (raise Return) end))); absurd  end with Return ->
   !return end)) { true } 


why-2.39/tests/c/oracle/fresh.err.oracle0000644000106100004300000000000013147234006017135 0ustar  marchevalswhy-2.39/tests/c/oracle/interval_arith.res.oracle0000644000106100004300000034537413147234006021074 0ustar  marchevals========== file tests/c/interval_arith.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

#pragma JessieFloatModel(full)
#pragma JessieFloatRoundingMode(down)


/*@ requires !\is_NaN(x) && !\is_NaN(y);
  @ ensures \le_float(\result,x) && \le_float(\result,y);
  @ ensures \eq_float(\result,x) || \eq_float(\result,y);
  @*/
double min(double x, double y)
{
  return x < y ? x : y;
}


/*@ requires !\is_NaN(x) && !\is_NaN(y);
  @ ensures \le_float(x,\result) && \le_float(y,\result);
  @ ensures \eq_float(\result,x) || \eq_float(\result,y);
  @*/
double max(double x, double y)
{
  return x > y ? x : y;
}


//@ predicate dif_sign(double x, double y) = \sign(x) != \sign(y);
//@ predicate sam_sign(double x, double y) = \sign(x) == \sign(y);

/*@ predicate double_le_real(double x,real y) =
  @           (\is_finite(x) && x <= y) || \is_minus_infinity(x);
  @*/

/*@ predicate real_le_double(real x,double y) =
  @           (\is_finite(y) && x <= y) || \is_plus_infinity(y);
  @*/

/*@ predicate in_interval(real a,double l,double u) =
  @           double_le_real(l,a) && real_le_double(a,u);
  @*/



/*@ requires ! \is_NaN(x) && ! \is_NaN(y);
  @ requires \is_infinite(x) || \is_infinite(y) ==> dif_sign(x,y);
  @ requires \is_infinite(x) && \is_finite(y) ==> y != 0.0;
  @ requires \is_finite(x) && \is_infinite(y) ==> x != 0.0;
  @ assigns \nothing;
  @ ensures double_le_real(\result,x*y);
  @*/
double mul_dn(double x, double y)
{
  double z = x*y;
  /* @ assert \is_finite(x) && \is_finite(y)
    @     && \no_overflow_double(\Down,x*y) ==> double_le_real(z,x*y);
    @*/
  /* @ assert \is_finite(x) && \is_finite(y)
    @     && ! \no_overflow_double(\Down,x*y) && \sign(x) == \sign(y) ==> double_le_real(z,x*y);
    @*/
  /* @ assert \is_finite(x) && \is_finite(y)
    @     && ! \no_overflow_double(\Down,x*y) && \sign(x) != \sign(y)  ==> double_le_real(z,x*y);
    @*/
  /* @ assert \is_infinite(x) || \is_infinite(y) ==> double_le_real(z,x*y);
    @*/
  return z;
}



/*@ requires !\is_NaN(x) && !\is_NaN(y);
  @ requires \is_infinite(x) || \is_infinite(y) ==> sam_sign(x,y);
  @ requires \is_infinite(x) && \is_finite(y) ==> y != 0.0;
  @ requires \is_infinite(y) && \is_finite(x) ==> x != 0.0;
  @ requires \is_finite(x) && \is_finite(y) &&
  @          !\no_overflow_double(\Down,-y) && \sign(y) == \Positive
  @          ==> x > 0.0 ;
  @ ensures  real_le_double(x * y,\result);
  @*/
double mul_up(double x, double y) {
  double a=-y;
  double b=x*a;
  double z=-b;
  /*  double z = -(x * -y);*/

  /*@ assert \is_infinite(x) || \is_infinite(y) ==> real_le_double(x * y,z);
    @*/


  /*@ assert \is_finite(x) && \is_infinite(y) ==> real_le_double(x * y,z) ;
    @*/
  /*@ assert \is_infinite(x) && \is_finite(y) &&
    @    \no_overflow_double(\Down,-y) ==> real_le_double(x * y,z);
    @*/
  /*@ assert \is_infinite(x) && \is_finite(y) &&
    @    ! \no_overflow_double(\Down,-y) ==> real_le_double(x * y,z);
    @*/
  /*@ assert \is_infinite(x) && \is_infinite(y) ==> real_le_double(x * y,z);
    @*/



  /*@ assert \is_finite(x) && \is_finite(y) &&
    @     \no_overflow_double(\Down,-y) &&
    @     \no_overflow_double(\Down,x*a) &&
    @     !\no_overflow_double(\Down,-b) ==> real_le_double(x * y,z) ;
    @*/
  /*@ assert \is_finite(x) && \is_finite(y) &&
    @     \no_overflow_double(\Down,-y) &&
    @     !\no_overflow_double(\Down,x*a) ==> real_le_double(x * y,z) ;
    @*/
  /*@ assert \is_finite(x) && \is_finite(y) &&
    @     !\no_overflow_double(\Down,-y) && \sign(y) == \Positive
    @                                     ==> real_le_double(x * y,z) ;
    @*/
  /*@ assert \is_finite(x) && \is_finite(y) &&
    @     !\no_overflow_double(\Down,-y) && \sign(y) == \Negative &&
    @     !\no_overflow_double(\Down,x*a) ==> real_le_double(x * y,z) ;
    @*/
  /*@ assert \is_finite(x) && \is_finite(y) &&
    @     !\no_overflow_double(\Down,-y) && \sign(y) == \Negative &&
    @     \no_overflow_double(\Down,x*a) &&
    @     !\no_overflow_double(\Down,-b)  ==> real_le_double(x * y,z) ;
    @*/
  /*@ assert \is_finite(x) && \is_finite(y) &&
    @     !\no_overflow_double(\Down,-y) && \sign(y) == \Negative &&
    @     \no_overflow_double(\Down,x*a) &&
    @     \no_overflow_double(\Down,-b) ==> real_le_double(x * y,z);
    @*/
  /*@ assert \is_finite(x) && \is_finite(y) &&
    @     \no_overflow_double(\Down,-y) &&
    @     \no_overflow_double(\Down,x*a) &&
    @     \no_overflow_double(\Down,-b) && x > 0.0 ==> \is_finite(z) && real_le_double(x * y,z) ;
    @*/
  /*@ assert \is_finite(x) && \is_finite(y) &&
    @     \no_overflow_double(\Down,-y) &&
    @     \no_overflow_double(\Down,x*a) &&
    @     \no_overflow_double(\Down,-b) && x < 0.0 ==> \is_finite(z) && real_le_double(x * y,z) ;
    @*/

   return z;
}


double zl, zu;

/*@ predicate is_interval(double xl, double xu) =
  @       (\is_finite(xl) || \is_minus_infinity(xl))
  @       &&
  @       (\is_finite(xu) || \is_plus_infinity(xu));
  @*/

/*@ requires is_interval(xl,xu) && is_interval(yl,yu);
  @ ensures is_interval(zl,zu);
  @ ensures \forall real a,b;
  @    in_interval(a,xl,xu) && in_interval(b,yl,yu) ==>
  @    in_interval(a+b,zl,zu);
  @*/
void add(double xl, double xu, double yl, double yu)
{
  zl = xl + yl;
  /* @ assert
    @  \forall real a,b;
    @    in_interval(a,xl,xu) && in_interval(b,yl,yu) ==>
    @      double_le_real(zl,a+b)  ;
    @*/
  zu = -((-xu) - yu);
  /* @ assert caseuii: \is_infinite(xu) && \is_infinite(yu) ==>
    @  \forall real a,b;
    @    in_interval(a,xl,xu) && in_interval(b,yl,yu) ==>
    @      real_le_double(a+b,zu)  ;
    @*/
  /* @ assert caseuif: \is_infinite(xu) && \is_finite(yu) ==>
    @  \forall real a,b;
    @    in_interval(a,xl,xu) && in_interval(b,yl,yu) ==>
    @      real_le_double(a+b,zu)  ;
    @*/
  /* @ assert caseufi: \is_finite(xu) && \is_infinite(yu) ==>
    @  \forall real a,b;
    @    in_interval(a,xl,xu) && in_interval(b,yl,yu) ==>
    @      real_le_double(a+b,zu)  ;
    @*/
  /* @ assert caseufff: \is_finite(xu) && \is_finite(yu) && \is_infinite(zu) ==>
    @  \forall real a,b;
    @    in_interval(a,xl,xu) && in_interval(b,yl,yu) ==>
    @      real_le_double(a+b,zu)  ;
    @*/
  /* @ assert caseufff: \is_finite(xu) && \is_finite(yu) && \is_finite(zu) ==>
    @  \forall real a,b;
    @    in_interval(a,xl,xu) && in_interval(b,yl,yu) ==>
    @      real_le_double(a+b,zu)  ;
    @*/
}





/*@ requires is_interval(xl,xu) && is_interval(yl,yu);
  @ ensures is_interval(zl,zu);
  @ ensures \forall real a,b;
  @    in_interval(a,xl,xu) && in_interval(b,yl,yu) ==>
  @    in_interval(a*b,zl,zu);
  @*/
void mul(double xl, double xu, double yl, double yu)
{
  if (xl < 0.0)
    if (xu > 0.0)
      if (yl < 0.0)
        if (yu > 0.0) // M * M
          { zl = min(mul_dn(xl, yu), mul_dn(xu, yl));
            zu = max(mul_up(xl, yl), mul_up(xu, yu)); }
        else           // M * Neg
          { zl = mul_dn(xu, yl);
            zu = mul_up(xl, yl); }
      else
        if (yu > 0.0) // M * Pos
          { zl = mul_dn(xl, yu);
            zu = mul_up(xu, yu); }
        else           // M * Zero
          { zl = 0.0;
            zu = 0.0; }
    else
      if (yl < 0.0)
        if (yu > 0.0) // Neg * M
          { zl = mul_dn(xl, yu);
            zu = mul_up(xl, yl); }
        else           // Neg * Neg
          { zl = mul_dn(xu, yu);
            zu = mul_up(xl, yl); }
      else
        if (yu > 0.0) // Neg * Pos
          { zl = mul_dn(xl, yu);
            zu = mul_up(xu, yl); }
        else           // Neg * Zero
          { zl = 0.0;
            zu = 0.0; }
  else
    if (xu > 0.0)
      if (yl < 0.0)
        if (yu > 0.0) // Pos * M
          { zl = mul_dn(xu, yl);
            zu = mul_up(xu, yu); }
        else           // Pos * Neg
          { zl = mul_dn(xu, yl);
            zu = mul_up(xl, yu); }
      else
        if (yu > 0.0) // Pos * Pos
          { zl = mul_dn(xl, yl);
            zu = mul_up(xu, yu); }
        else           // Pos * Zero
          { zl = 0.0;
            zu = 0.0; }
    else               // Zero * M
      { zl = 0.0;
        zu = 0.0; }
}




/*
Local Variables:
compile-command: "LC_ALL=C make interval_arith.why3ide"
End:
*/
========== frama-c -jessie execution ==========
[kernel] Parsing FRAMAC_SHARE/libc/__fc_builtin_for_normalization.i (no preprocessing)
[kernel] Parsing tests/c/interval_arith.c (with preprocessing)
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/interval_arith.jessie
[jessie] File tests/c/interval_arith.jessie/interval_arith.jc written.
[jessie] File tests/c/interval_arith.jessie/interval_arith.cloc written.
========== file tests/c/interval_arith.jessie/interval_arith.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol
# FloatModel = full
# FloatRoundingMode = down

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type int8 = -128..127

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

double min(double x_0, double y_0)
  requires (_C_8 : ((_C_9 : (! \double_is_NaN(x_0))) &&
                     (_C_10 : (! \double_is_NaN(y_0)))));
behavior default:
  ensures (_C_3 : (((_C_5 : \le_double(\result, \at(x_0,Old))) &&
                     (_C_6 : \le_double(\result, \at(y_0,Old)))) &&
                    (_C_7 : (\eq_double(\result, \at(x_0,Old)) ||
                              \eq_double(\result, \at(y_0,Old))))));
{  
   (var double tmp);
   
   {  (if (x_0 < y_0) then (_C_2 : (tmp = x_0)) else (_C_1 : (tmp = y_0)));
      
      (return tmp)
   }
}

double max(double x, double y)
  requires (_C_18 : ((_C_19 : (! \double_is_NaN(x))) &&
                      (_C_20 : (! \double_is_NaN(y)))));
behavior default:
  ensures (_C_13 : (((_C_15 : \le_double(\at(x,Old), \result)) &&
                      (_C_16 : \le_double(\at(y,Old), \result))) &&
                     (_C_17 : (\eq_double(\result, \at(x,Old)) ||
                                \eq_double(\result, \at(y,Old))))));
{  
   (var double tmp_0);
   
   {  (if (x > y) then (_C_12 : (tmp_0 = x)) else (_C_11 : (tmp_0 = y)));
      
      (return tmp_0)
   }
}

predicate dif_sign(double x, double y) =
(\double_sign(x) != \double_sign(y))

predicate sam_sign(double x_0, double y_0) =
(\double_sign(x_0) == \double_sign(y_0))

predicate double_le_real(double x_1, real y_1) =
((\double_is_finite(x_1) && ((x_1 :> real) <= y_1)) ||
  \double_is_minus_infinity(x_1))

predicate real_le_double(real x_2, double y_2) =
((\double_is_finite(y_2) && (x_2 <= (y_2 :> real))) ||
  \double_is_plus_infinity(y_2))

predicate in_interval(real a, double l, double u) =
(double_le_real(l, a) && real_le_double(a, u))

double mul_dn(double x_1, double y_1)
  requires (_C_27 : ((_C_28 : (! \double_is_NaN(x_1))) &&
                      (_C_29 : (! \double_is_NaN(y_1)))));
  requires (_C_26 : ((\double_is_infinite(x_1) || \double_is_infinite(y_1)) ==>
                      dif_sign(x_1, y_1)));
  requires (_C_25 : ((\double_is_infinite(x_1) && \double_is_finite(y_1)) ==>
                      ((y_1 :> real) != 0.0)));
  requires (_C_24 : ((\double_is_finite(x_1) && \double_is_infinite(y_1)) ==>
                      ((x_1 :> real) != 0.0)));
behavior default:
  assigns \nothing;
  ensures (_C_23 : double_le_real(\result,
                                  ((\at(x_1,Old) :> real) *
                                    (\at(y_1,Old) :> real))));
{  
   (var double z);
   
   {  (_C_22 : (z = (_C_21 : (x_1 * y_1))));
      
      (return z)
   }
}

double mul_up(double x_2, double y_2)
  requires (_C_54 : ((_C_55 : (! \double_is_NaN(x_2))) &&
                      (_C_56 : (! \double_is_NaN(y_2)))));
  requires (_C_53 : ((\double_is_infinite(x_2) || \double_is_infinite(y_2)) ==>
                      sam_sign(x_2, y_2)));
  requires (_C_52 : ((\double_is_infinite(x_2) && \double_is_finite(y_2)) ==>
                      ((y_2 :> real) != 0.0)));
  requires (_C_51 : ((\double_is_infinite(y_2) && \double_is_finite(x_2)) ==>
                      ((x_2 :> real) != 0.0)));
  requires (_C_50 : ((((\double_is_finite(x_2) && \double_is_finite(y_2)) &&
                        (! \no_overflow_double(\Down(), (- (y_2 :> real))))) &&
                       (\double_sign(y_2) == \Positive())) ==>
                      ((x_2 :> real) > 0.0)));
behavior default:
  ensures (_C_49 : real_le_double(((\at(x_2,Old) :> real) *
                                    (\at(y_2,Old) :> real)),
                                  \result));
{  
   (var double a);
   
   (var double b);
   
   (var double z_0);
   
   {  (_C_31 : (a = (_C_30 : (- y_2))));
      (_C_33 : (b = (_C_32 : (x_2 * a))));
      (_C_35 : (z_0 = (_C_34 : (- b))));
      
      {  
         (assert for default: (_C_36 : (jessie : ((\double_is_infinite(
                                                    x_2) ||
                                                    \double_is_infinite(
                                                    y_2)) ==>
                                                   real_le_double(((x_2 :> real) *
                                                                    (y_2 :> real)),
                                                                  z_0)))));
         ()
      };
      
      {  
         (assert for default: (_C_37 : (jessie : ((\double_is_finite(
                                                    x_2) &&
                                                    \double_is_infinite(
                                                    y_2)) ==>
                                                   real_le_double(((x_2 :> real) *
                                                                    (y_2 :> real)),
                                                                  z_0)))));
         ()
      };
      
      {  
         (assert for default: (_C_38 : (jessie : (((\double_is_infinite(
                                                     x_2) &&
                                                     \double_is_finite(
                                                     y_2)) &&
                                                    \no_overflow_double(
                                                    \Down(),
                                                    (- (y_2 :> real)))) ==>
                                                   real_le_double(((x_2 :> real) *
                                                                    (y_2 :> real)),
                                                                  z_0)))));
         ()
      };
      
      {  
         (assert for default: (_C_39 : (jessie : (((\double_is_infinite(
                                                     x_2) &&
                                                     \double_is_finite(
                                                     y_2)) &&
                                                    (! \no_overflow_double(
                                                    \Down(),
                                                    (- (y_2 :> real))))) ==>
                                                   real_le_double(((x_2 :> real) *
                                                                    (y_2 :> real)),
                                                                  z_0)))));
         ()
      };
      
      {  
         (assert for default: (_C_40 : (jessie : ((\double_is_infinite(
                                                    x_2) &&
                                                    \double_is_infinite(
                                                    y_2)) ==>
                                                   real_le_double(((x_2 :> real) *
                                                                    (y_2 :> real)),
                                                                  z_0)))));
         ()
      };
      
      {  
         (assert for default: (_C_41 : (jessie : (((((\double_is_finite(
                                                       x_2) &&
                                                       \double_is_finite(
                                                       y_2)) &&
                                                      \no_overflow_double(
                                                      \Down(),
                                                      (- (y_2 :> real)))) &&
                                                     \no_overflow_double(
                                                     \Down(),
                                                     ((x_2 :> real) *
                                                       (a :> real)))) &&
                                                    (! \no_overflow_double(
                                                    \Down(), (- (b :> real))))) ==>
                                                   real_le_double(((x_2 :> real) *
                                                                    (y_2 :> real)),
                                                                  z_0)))));
         ()
      };
      
      {  
         (assert for default: (_C_42 : (jessie : ((((\double_is_finite(
                                                      x_2) &&
                                                      \double_is_finite(
                                                      y_2)) &&
                                                     \no_overflow_double(
                                                     \Down(),
                                                     (- (y_2 :> real)))) &&
                                                    (! \no_overflow_double(
                                                    \Down(),
                                                    ((x_2 :> real) *
                                                      (a :> real))))) ==>
                                                   real_le_double(((x_2 :> real) *
                                                                    (y_2 :> real)),
                                                                  z_0)))));
         ()
      };
      
      {  
         (assert for default: (_C_43 : (jessie : ((((\double_is_finite(
                                                      x_2) &&
                                                      \double_is_finite(
                                                      y_2)) &&
                                                     (! \no_overflow_double(
                                                     \Down(),
                                                     (- (y_2 :> real))))) &&
                                                    (\double_sign(y_2) ==
                                                      \Positive())) ==>
                                                   real_le_double(((x_2 :> real) *
                                                                    (y_2 :> real)),
                                                                  z_0)))));
         ()
      };
      
      {  
         (assert for default: (_C_44 : (jessie : (((((\double_is_finite(
                                                       x_2) &&
                                                       \double_is_finite(
                                                       y_2)) &&
                                                      (! \no_overflow_double(
                                                      \Down(),
                                                      (- (y_2 :> real))))) &&
                                                     (\double_sign(y_2) ==
                                                       \Negative())) &&
                                                    (! \no_overflow_double(
                                                    \Down(),
                                                    ((x_2 :> real) *
                                                      (a :> real))))) ==>
                                                   real_le_double(((x_2 :> real) *
                                                                    (y_2 :> real)),
                                                                  z_0)))));
         ()
      };
      
      {  
         (assert for default: (_C_45 : (jessie : ((((((\double_is_finite(
                                                        x_2) &&
                                                        \double_is_finite(
                                                        y_2)) &&
                                                       (! \no_overflow_double(
                                                       \Down(),
                                                       (- (y_2 :> real))))) &&
                                                      (\double_sign(y_2) ==
                                                        \Negative())) &&
                                                     \no_overflow_double(
                                                     \Down(),
                                                     ((x_2 :> real) *
                                                       (a :> real)))) &&
                                                    (! \no_overflow_double(
                                                    \Down(), (- (b :> real))))) ==>
                                                   real_le_double(((x_2 :> real) *
                                                                    (y_2 :> real)),
                                                                  z_0)))));
         ()
      };
      
      {  
         (assert for default: (_C_46 : (jessie : ((((((\double_is_finite(
                                                        x_2) &&
                                                        \double_is_finite(
                                                        y_2)) &&
                                                       (! \no_overflow_double(
                                                       \Down(),
                                                       (- (y_2 :> real))))) &&
                                                      (\double_sign(y_2) ==
                                                        \Negative())) &&
                                                     \no_overflow_double(
                                                     \Down(),
                                                     ((x_2 :> real) *
                                                       (a :> real)))) &&
                                                    \no_overflow_double(
                                                    \Down(), (- (b :> real)))) ==>
                                                   real_le_double(((x_2 :> real) *
                                                                    (y_2 :> real)),
                                                                  z_0)))));
         ()
      };
      
      {  
         (assert for default: (_C_47 : (jessie : ((((((\double_is_finite(
                                                        x_2) &&
                                                        \double_is_finite(
                                                        y_2)) &&
                                                       \no_overflow_double(
                                                       \Down(),
                                                       (- (y_2 :> real)))) &&
                                                      \no_overflow_double(
                                                      \Down(),
                                                      ((x_2 :> real) *
                                                        (a :> real)))) &&
                                                     \no_overflow_double(
                                                     \Down(), (- (b :> real)))) &&
                                                    ((x_2 :> real) > 0.0)) ==>
                                                   (\double_is_finite(
                                                     z_0) &&
                                                     real_le_double(((x_2 :> real) *
                                                                    (y_2 :> real)),
                                                                    z_0))))));
         ()
      };
      
      {  
         (assert for default: (_C_48 : (jessie : ((((((\double_is_finite(
                                                        x_2) &&
                                                        \double_is_finite(
                                                        y_2)) &&
                                                       \no_overflow_double(
                                                       \Down(),
                                                       (- (y_2 :> real)))) &&
                                                      \no_overflow_double(
                                                      \Down(),
                                                      ((x_2 :> real) *
                                                        (a :> real)))) &&
                                                     \no_overflow_double(
                                                     \Down(), (- (b :> real)))) &&
                                                    ((x_2 :> real) < 0.0)) ==>
                                                   (\double_is_finite(
                                                     z_0) &&
                                                     real_le_double(((x_2 :> real) *
                                                                    (y_2 :> real)),
                                                                    z_0))))));
         ()
      };
      
      {  
         (return z_0)
      }
   }
}

double zl;

double zu;

predicate is_interval(double xl, double xu) =
((\double_is_finite(xl) || \double_is_minus_infinity(xl)) &&
  (\double_is_finite(xu) || \double_is_plus_infinity(xu)))

unit add(double xl, double xu, double yl, double yu)
  requires (_C_66 : ((_C_67 : is_interval(xl, xu)) &&
                      (_C_68 : is_interval(yl, yu))));
behavior default:
  ensures (_C_63 : ((_C_64 : is_interval(zl, zu)) &&
                     (_C_65 : (\forall real a_0;
                                (\forall real b;
                                  ((in_interval(a_0, \at(xl,Old), \at(xu,Old)) &&
                                     in_interval(b, \at(yl,Old), \at(yu,Old))) ==>
                                    in_interval((a_0 + b), zl, zu)))))));
{  
   {  (_C_58 : (zl = (_C_57 : (xl + yl))));
      (_C_62 : (zu = (_C_61 : (- (_C_60 : ((_C_59 : (- xu)) - yu))))));
      
      (return ())
   }
}

unit mul(double xl_0, double xu_0, double yl_0, double yu_0)
  requires (_C_124 : ((_C_125 : is_interval(xl_0, xu_0)) &&
                       (_C_126 : is_interval(yl_0, yu_0))));
behavior default:
  ensures (_C_121 : ((_C_122 : is_interval(zl, zu)) &&
                      (_C_123 : (\forall real a_1;
                                  (\forall real b_0;
                                    ((in_interval(a_1, \at(xl_0,Old),
                                                  \at(xu_0,Old)) &&
                                       in_interval(b_0, \at(yl_0,Old),
                                                   \at(yu_0,Old))) ==>
                                      in_interval((a_1 * b_0), zl, zu)))))));
{  
   (var double tmp_1);
   
   (var double tmp_0_0);
   
   (var double tmp_1_0);
   
   (var double tmp_2);
   
   {  (if (xl_0 < (0.0 :> double)) then (if (xu_0 > (0.0 :> double)) then 
                                        (if (yl_0 < (0.0 :> double)) then 
                                        (if (yu_0 > (0.0 :> double)) then 
                                        {  
                                           {  (_C_110 : (tmp_1 = (_C_109 : mul_dn(
                                                                 xu_0, yl_0))));
                                              (_C_112 : (tmp_0_0 = (_C_111 : mul_dn(
                                                                   xl_0, yu_0))))
                                           };
                                           (_C_114 : (zl = (_C_113 : min(
                                                           tmp_0_0, tmp_1))));
                                           
                                           {  (_C_116 : (tmp_1_0 = (_C_115 : mul_up(
                                                                   xu_0, yu_0))));
                                              (_C_118 : (tmp_2 = (_C_117 : mul_up(
                                                                 xl_0, yl_0))))
                                           };
                                           (_C_120 : (zu = (_C_119 : max(
                                                           tmp_2, tmp_1_0))))
                                        } else 
                                        {  (_C_106 : (zl = (_C_105 : mul_dn(
                                                           xu_0, yl_0))));
                                           (_C_108 : (zu = (_C_107 : mul_up(
                                                           xl_0, yl_0))))
                                        }) else (if (yu_0 > (0.0 :> double)) then 
                                                {  (_C_102 : (zl = (_C_101 : mul_dn(
                                                                   xl_0, yu_0))));
                                                   (_C_104 : (zu = (_C_103 : mul_up(
                                                                   xu_0, yu_0))))
                                                } else 
                                                {  (_C_99 : (zl = (0.0 :> double)));
                                                   (_C_100 : (zu = (0.0 :> double)))
                                                })) else (if (yl_0 <
                                                               (0.0 :> double)) then 
                                                         (if (yu_0 >
                                                               (0.0 :> double)) then 
                                                         {  (_C_96 : (zl = 
                                                            (_C_95 : mul_dn(
                                                            xl_0, yu_0))));
                                                            (_C_98 : (zu = 
                                                            (_C_97 : mul_up(
                                                            xl_0, yl_0))))
                                                         } else 
                                                         {  (_C_92 : (zl = 
                                                            (_C_91 : mul_dn(
                                                            xu_0, yu_0))));
                                                            (_C_94 : (zu = 
                                                            (_C_93 : mul_up(
                                                            xl_0, yl_0))))
                                                         }) else (if 
                                                                 (yu_0 >
                                                                   (0.0 :> double)) then 
                                                                 {  (_C_88 : (zl = 
                                                                    (_C_87 : mul_dn(
                                                                    xl_0,
                                                                    yu_0))));
                                                                    (_C_90 : (zu = 
                                                                    (_C_89 : mul_up(
                                                                    xu_0,
                                                                    yl_0))))
                                                                 } else 
                                                                 {  (_C_85 : (zl = (0.0 :> double)));
                                                                    (_C_86 : (zu = (0.0 :> double)))
                                                                 }))) else 
      (if (xu_0 > (0.0 :> double)) then (if (yl_0 < (0.0 :> double)) then 
                                        (if (yu_0 > (0.0 :> double)) then 
                                        {  (_C_82 : (zl = (_C_81 : mul_dn(
                                                          xu_0, yl_0))));
                                           (_C_84 : (zu = (_C_83 : mul_up(
                                                          xu_0, yu_0))))
                                        } else 
                                        {  (_C_78 : (zl = (_C_77 : mul_dn(
                                                          xu_0, yl_0))));
                                           (_C_80 : (zu = (_C_79 : mul_up(
                                                          xl_0, yu_0))))
                                        }) else (if (yu_0 > (0.0 :> double)) then 
                                                {  (_C_74 : (zl = (_C_73 : mul_dn(
                                                                  xl_0, yl_0))));
                                                   (_C_76 : (zu = (_C_75 : mul_up(
                                                                  xu_0, yu_0))))
                                                } else 
                                                {  (_C_71 : (zl = (0.0 :> double)));
                                                   (_C_72 : (zu = (0.0 :> double)))
                                                })) else 
      {  (_C_69 : (zl = (0.0 :> double)));
         (_C_70 : (zu = (0.0 :> double)))
      }));
      
      (return ())
   }
}
========== file tests/c/interval_arith.jessie/interval_arith.cloc ==========
[_C_115]
file = "HOME/tests/c/interval_arith.c"
line = 240
begin = 37
end = 51

[_C_52]
file = "HOME/tests/c/interval_arith.c"
line = 101
begin = 13
end = 58

[_C_121]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_35]
file = "HOME/tests/c/interval_arith.c"
line = 111
begin = 2
end = 8

[_C_117]
file = "HOME/tests/c/interval_arith.c"
line = 240
begin = 21
end = 35

[_C_120]
file = "HOME/tests/c/interval_arith.c"
line = 240
begin = 17
end = 52

[mul]
name = "Function mul"
file = "HOME/tests/c/interval_arith.c"
line = 233
begin = 5
end = 8

[_C_56]
file = "HOME/tests/c/interval_arith.c"
line = 99
begin = 31
end = 42

[_C_28]
file = "HOME/tests/c/interval_arith.c"
line = 73
begin = 16
end = 28

[_C_72]
file = "HOME/tests/c/interval_arith.c"
line = 281
begin = 17
end = 20

[_C_59]
file = "HOME/tests/c/interval_arith.c"
line = 195
begin = 11
end = 13

[_C_48]
file = "HOME/tests/c/interval_arith.c"
line = 163
begin = 18
end = 234

[_C_116]
file = "HOME/tests/c/interval_arith.c"
line = 240
begin = 37
end = 51

[_C_51]
file = "HOME/tests/c/interval_arith.c"
line = 102
begin = 13
end = 58

[_C_103]
file = "HOME/tests/c/interval_arith.c"
line = 247
begin = 17
end = 31

[_C_31]
file = "HOME/tests/c/interval_arith.c"
line = 109
begin = 2
end = 8

[_C_108]
file = "HOME/tests/c/interval_arith.c"
line = 243
begin = 17
end = 31

[_C_77]
file = "HOME/tests/c/interval_arith.c"
line = 273
begin = 17
end = 31

[_C_83]
file = "HOME/tests/c/interval_arith.c"
line = 271
begin = 17
end = 31

[max]
name = "Function max"
file = "HOME/tests/c/interval_arith.c"
line = 50
begin = 7
end = 10

[_C_41]
file = "HOME/tests/c/interval_arith.c"
line = 131
begin = 18
end = 207

[_C_4]
file = "HOME/tests/c/interval_arith.c"
line = 37
begin = 12
end = 56

[_C_101]
file = "HOME/tests/c/interval_arith.c"
line = 246
begin = 17
end = 31

[_C_71]
file = "HOME/tests/c/interval_arith.c"
line = 280
begin = 17
end = 20

[_C_70]
file = "HOME/tests/c/interval_arith.c"
line = 284
begin = 13
end = 16

[_C_89]
file = "HOME/tests/c/interval_arith.c"
line = 262
begin = 17
end = 31

[mul_dn]
name = "Function mul_dn"
file = "HOME/tests/c/interval_arith.c"
line = 80
begin = 7
end = 13

[_C_90]
file = "HOME/tests/c/interval_arith.c"
line = 262
begin = 17
end = 31

[_C_61]
file = "HOME/tests/c/interval_arith.c"
line = 195
begin = 9
end = 19

[_C_69]
file = "HOME/tests/c/interval_arith.c"
line = 283
begin = 13
end = 16

[_C_32]
file = "HOME/tests/c/interval_arith.c"
line = 110
begin = 11
end = 14

[_C_23]
file = "HOME/tests/c/interval_arith.c"
line = 78
begin = 12
end = 39

[_C_19]
file = "HOME/tests/c/interval_arith.c"
line = 46
begin = 16
end = 27

[_C_42]
file = "HOME/tests/c/interval_arith.c"
line = 136
begin = 18
end = 164

[_C_82]
file = "HOME/tests/c/interval_arith.c"
line = 270
begin = 17
end = 31

[_C_110]
file = "HOME/tests/c/interval_arith.c"
line = 239
begin = 37
end = 51

[mul_up]
name = "Function mul_up"
file = "HOME/tests/c/interval_arith.c"
line = 108
begin = 7
end = 13

[_C_94]
file = "HOME/tests/c/interval_arith.c"
line = 258
begin = 17
end = 31

[_C_84]
file = "HOME/tests/c/interval_arith.c"
line = 271
begin = 17
end = 31

[_C_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_5]
file = "HOME/tests/c/interval_arith.c"
line = 37
begin = 12
end = 32

[_C_91]
file = "HOME/tests/c/interval_arith.c"
line = 257
begin = 17
end = 31

[_C_36]
file = "HOME/tests/c/interval_arith.c"
line = 114
begin = 18
end = 80

[_C_12]
file = "HOME/tests/c/interval_arith.c"
line = 52
begin = 13
end = 14

[_C_33]
file = "HOME/tests/c/interval_arith.c"
line = 110
begin = 2
end = 8

[_C_111]
file = "HOME/tests/c/interval_arith.c"
line = 239
begin = 21
end = 35

[_C_79]
file = "HOME/tests/c/interval_arith.c"
line = 274
begin = 17
end = 31

[_C_104]
file = "HOME/tests/c/interval_arith.c"
line = 247
begin = 17
end = 31

[_C_85]
file = "HOME/tests/c/interval_arith.c"
line = 264
begin = 17
end = 20

[_C_22]
file = "HOME/tests/c/interval_arith.c"
line = 82
begin = 2
end = 8

[_C_65]
file = "HOME/tests/c/interval_arith.c"
line = 183
begin = 12
end = 115

[_C_9]
file = "HOME/tests/c/interval_arith.c"
line = 36
begin = 16
end = 27

[_C_57]
file = "HOME/tests/c/interval_arith.c"
line = 189
begin = 7
end = 14

[_C_54]
file = "HOME/tests/c/interval_arith.c"
line = 99
begin = 16
end = 42

[_C_30]
file = "HOME/tests/c/interval_arith.c"
line = 109
begin = 12
end = 13

[_C_63]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_6]
file = "HOME/tests/c/interval_arith.c"
line = 37
begin = 36
end = 56

[_C_64]
file = "HOME/tests/c/interval_arith.c"
line = 182
begin = 12
end = 30

[_C_122]
file = "HOME/tests/c/interval_arith.c"
line = 228
begin = 12
end = 30

[_C_95]
file = "HOME/tests/c/interval_arith.c"
line = 254
begin = 17
end = 31

[_C_93]
file = "HOME/tests/c/interval_arith.c"
line = 258
begin = 17
end = 31

[_C_102]
file = "HOME/tests/c/interval_arith.c"
line = 246
begin = 17
end = 31

[_C_49]
file = "HOME/tests/c/interval_arith.c"
line = 106
begin = 12
end = 41

[_C_24]
file = "HOME/tests/c/interval_arith.c"
line = 76
begin = 13
end = 58

[_C_45]
file = "HOME/tests/c/interval_arith.c"
line = 148
begin = 18
end = 233

[_C_97]
file = "HOME/tests/c/interval_arith.c"
line = 255
begin = 17
end = 31

[_C_20]
file = "HOME/tests/c/interval_arith.c"
line = 46
begin = 31
end = 42

[_C_73]
file = "HOME/tests/c/interval_arith.c"
line = 277
begin = 17
end = 31

[_C_96]
file = "HOME/tests/c/interval_arith.c"
line = 254
begin = 17
end = 31

[_C_38]
file = "HOME/tests/c/interval_arith.c"
line = 120
begin = 18
end = 120

[min]
name = "Function min"
file = "HOME/tests/c/interval_arith.c"
line = 40
begin = 7
end = 10

[_C_3]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_98]
file = "HOME/tests/c/interval_arith.c"
line = 255
begin = 17
end = 31

[_C_109]
file = "HOME/tests/c/interval_arith.c"
line = 239
begin = 37
end = 51

[_C_124]
file = "HOME/tests/c/interval_arith.c"
line = 227
begin = 16
end = 56

[_C_114]
file = "HOME/tests/c/interval_arith.c"
line = 239
begin = 17
end = 52

[_C_92]
file = "HOME/tests/c/interval_arith.c"
line = 257
begin = 17
end = 31

[_C_81]
file = "HOME/tests/c/interval_arith.c"
line = 270
begin = 17
end = 31

[_C_17]
file = "HOME/tests/c/interval_arith.c"
line = 48
begin = 12
end = 56

[_C_112]
file = "HOME/tests/c/interval_arith.c"
line = 239
begin = 21
end = 35

[_C_7]
file = "HOME/tests/c/interval_arith.c"
line = 38
begin = 12
end = 56

[_C_86]
file = "HOME/tests/c/interval_arith.c"
line = 265
begin = 17
end = 20

[_C_62]
file = "HOME/tests/c/interval_arith.c"
line = 195
begin = 7
end = 20

[_C_55]
file = "HOME/tests/c/interval_arith.c"
line = 99
begin = 16
end = 27

[_C_27]
file = "HOME/tests/c/interval_arith.c"
line = 73
begin = 16
end = 44

[_C_105]
file = "HOME/tests/c/interval_arith.c"
line = 242
begin = 17
end = 31

[_C_87]
file = "HOME/tests/c/interval_arith.c"
line = 261
begin = 17
end = 31

[add]
name = "Function add"
file = "HOME/tests/c/interval_arith.c"
line = 187
begin = 5
end = 8

[_C_46]
file = "HOME/tests/c/interval_arith.c"
line = 153
begin = 18
end = 232

[_C_44]
file = "HOME/tests/c/interval_arith.c"
line = 144
begin = 18
end = 190

[_C_15]
file = "HOME/tests/c/interval_arith.c"
line = 47
begin = 12
end = 32

[_C_99]
file = "HOME/tests/c/interval_arith.c"
line = 249
begin = 17
end = 20

[_C_26]
file = "HOME/tests/c/interval_arith.c"
line = 74
begin = 13
end = 65

[_C_47]
file = "HOME/tests/c/interval_arith.c"
line = 158
begin = 18
end = 234

[_C_10]
file = "HOME/tests/c/interval_arith.c"
line = 36
begin = 31
end = 42

[_C_68]
file = "HOME/tests/c/interval_arith.c"
line = 181
begin = 38
end = 56

[_C_60]
file = "HOME/tests/c/interval_arith.c"
line = 195
begin = 9
end = 19

[_C_53]
file = "HOME/tests/c/interval_arith.c"
line = 100
begin = 13
end = 65

[_C_40]
file = "HOME/tests/c/interval_arith.c"
line = 126
begin = 18
end = 80

[_C_58]
file = "HOME/tests/c/interval_arith.c"
line = 189
begin = 7
end = 14

[_C_8]
file = "HOME/tests/c/interval_arith.c"
line = 36
begin = 16
end = 42

[_C_119]
file = "HOME/tests/c/interval_arith.c"
line = 240
begin = 17
end = 52

[_C_66]
file = "HOME/tests/c/interval_arith.c"
line = 181
begin = 16
end = 56

[_C_18]
file = "HOME/tests/c/interval_arith.c"
line = 46
begin = 16
end = 42

[_C_29]
file = "HOME/tests/c/interval_arith.c"
line = 73
begin = 32
end = 44

[_C_75]
file = "HOME/tests/c/interval_arith.c"
line = 278
begin = 17
end = 31

[_C_14]
file = "HOME/tests/c/interval_arith.c"
line = 47
begin = 12
end = 56

[_C_123]
file = "HOME/tests/c/interval_arith.c"
line = 229
begin = 12
end = 115

[_C_106]
file = "HOME/tests/c/interval_arith.c"
line = 242
begin = 17
end = 31

[_C_50]
file = "HOME/tests/c/interval_arith.c"
line = 103
begin = 13
end = 140

[_C_37]
file = "HOME/tests/c/interval_arith.c"
line = 118
begin = 18
end = 78

[_C_43]
file = "HOME/tests/c/interval_arith.c"
line = 140
begin = 18
end = 187

[_C_107]
file = "HOME/tests/c/interval_arith.c"
line = 243
begin = 17
end = 31

[_C_88]
file = "HOME/tests/c/interval_arith.c"
line = 261
begin = 17
end = 31

[_C_100]
file = "HOME/tests/c/interval_arith.c"
line = 250
begin = 17
end = 20

[_C_2]
file = "HOME/tests/c/interval_arith.c"
line = 42
begin = 13
end = 14

[_C_34]
file = "HOME/tests/c/interval_arith.c"
line = 111
begin = 12
end = 13

[_C_67]
file = "HOME/tests/c/interval_arith.c"
line = 181
begin = 16
end = 34

[_C_16]
file = "HOME/tests/c/interval_arith.c"
line = 47
begin = 36
end = 56

[_C_125]
file = "HOME/tests/c/interval_arith.c"
line = 227
begin = 16
end = 34

[_C_113]
file = "HOME/tests/c/interval_arith.c"
line = 239
begin = 17
end = 52

[_C_126]
file = "HOME/tests/c/interval_arith.c"
line = 227
begin = 38
end = 56

[_C_1]
file = "HOME/tests/c/interval_arith.c"
line = 42
begin = 13
end = 14

[_C_76]
file = "HOME/tests/c/interval_arith.c"
line = 278
begin = 17
end = 31

[_C_25]
file = "HOME/tests/c/interval_arith.c"
line = 75
begin = 13
end = 58

[_C_39]
file = "HOME/tests/c/interval_arith.c"
line = 123
begin = 18
end = 122

[_C_80]
file = "HOME/tests/c/interval_arith.c"
line = 274
begin = 17
end = 31

[_C_74]
file = "HOME/tests/c/interval_arith.c"
line = 277
begin = 17
end = 31

[_C_78]
file = "HOME/tests/c/interval_arith.c"
line = 273
begin = 17
end = 31

[_C_11]
file = "HOME/tests/c/interval_arith.c"
line = 52
begin = 13
end = 14

[_C_21]
file = "HOME/tests/c/interval_arith.c"
line = 82
begin = 13
end = 16

[_C_118]
file = "HOME/tests/c/interval_arith.c"
line = 240
begin = 21
end = 35

========== jessie execution ==========
Generating Why function min
Generating Why function max
Generating Why function mul_dn
Generating Why function mul_up
Generating Why function add
Generating Why function mul
========== file tests/c/interval_arith.jessie/interval_arith.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why $(WHYLIB)/why/floats_full.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/interval_arith_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: interval_arith.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: interval_arith.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: interval_arith.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/c/interval_arith.jessie/interval_arith.loc ==========
[add_ensures_default]
name = "Function add"
behavior = "default behavior"
file = "HOME/tests/c/interval_arith.c"
line = 187
begin = 5
end = 8

[JC_176]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 240
begin = 37
end = 51

[JC_177]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 240
begin = 21
end = 35

[JC_94]
file = "HOME/tests/c/interval_arith.c"
line = 163
begin = 18
end = 234

[JC_73]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_158]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 243
begin = 17
end = 31

[JC_63]
file = "HOME/tests/c/interval_arith.c"
line = 102
begin = 13
end = 58

[JC_80]
kind = FPOverflow
file = "HOME/tests/c/interval_arith.c"
line = 110
begin = 11
end = 14

[JC_51]
file = "HOME/tests/c/interval_arith.c"
line = 78
begin = 12
end = 39

[JC_71]
file = "HOME/tests/c/interval_arith.c"
line = 102
begin = 13
end = 58

[JC_147]
file = "HOME/tests/c/interval_arith.c"
line = 229
begin = 12
end = 115

[JC_151]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 239
begin = 37
end = 51

[JC_45]
file = "HOME/tests/c/interval_arith.c"
line = 73
begin = 32
end = 44

[JC_123]
file = "HOME/tests/c/interval_arith.c"
line = 183
begin = 12
end = 115

[JC_106]
file = "HOME/tests/c/interval_arith.c"
line = 144
begin = 18
end = 190

[JC_143]
file = "HOME/tests/c/interval_arith.c"
line = 228
begin = 12
end = 30

[JC_113]
file = "HOME/tests/c/interval_arith.c"
line = 181
begin = 16
end = 56

[JC_116]
file = "HOME/tests/c/interval_arith.c"
line = 181
begin = 38
end = 56

[JC_64]
file = "HOME/tests/c/interval_arith.c"
line = 103
begin = 13
end = 140

[JC_133]
kind = FPOverflow
file = "HOME/tests/c/interval_arith.c"
line = 195
begin = 9
end = 19

[JC_188]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 262
begin = 17
end = 31

[JC_180]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 243
begin = 17
end = 31

[JC_99]
file = "HOME/tests/c/interval_arith.c"
line = 118
begin = 18
end = 78

[JC_85]
file = "HOME/tests/c/interval_arith.c"
line = 123
begin = 18
end = 122

[JC_126]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_170]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 274
begin = 17
end = 31

[JC_31]
file = "HOME/tests/c/interval_arith.c"
line = 47
begin = 12
end = 32

[JC_17]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_194]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 278
begin = 17
end = 31

[JC_122]
file = "HOME/tests/c/interval_arith.c"
line = 182
begin = 12
end = 30

[JC_81]
kind = FPOverflow
file = "HOME/tests/c/interval_arith.c"
line = 111
begin = 12
end = 13

[JC_55]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_138]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_134]
kind = FPOverflow
file = "HOME/tests/c/interval_arith.c"
line = 195
begin = 9
end = 19

[JC_148]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_137]
file = "HOME/tests/c/interval_arith.c"
line = 227
begin = 16
end = 56

[mul_dn_safety]
name = "Function mul_dn"
behavior = "Safety"
file = "HOME/tests/c/interval_arith.c"
line = 80
begin = 7
end = 13

[JC_48]
file = "HOME/tests/c/interval_arith.c"
line = 76
begin = 13
end = 58

[JC_23]
file = "HOME/tests/c/interval_arith.c"
line = 46
begin = 16
end = 27

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_172]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 278
begin = 17
end = 31

[JC_121]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/tests/c/interval_arith.c"
line = 36
begin = 16
end = 27

[JC_125]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_67]
file = "HOME/tests/c/interval_arith.c"
line = 99
begin = 16
end = 27

[JC_9]
file = "HOME/tests/c/interval_arith.c"
line = 37
begin = 12
end = 32

[mul_ensures_default]
name = "Function mul"
behavior = "default behavior"
file = "HOME/tests/c/interval_arith.c"
line = 233
begin = 5
end = 8

[mul_up_ensures_default]
name = "Function mul_up"
behavior = "default behavior"
file = "HOME/tests/c/interval_arith.c"
line = 108
begin = 7
end = 13

[JC_75]
file = "HOME/tests/c/interval_arith.c"
line = 106
begin = 12
end = 41

[JC_24]
file = "HOME/tests/c/interval_arith.c"
line = 46
begin = 31
end = 42

[JC_193]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 277
begin = 17
end = 31

[JC_25]
file = "HOME/tests/c/interval_arith.c"
line = 46
begin = 16
end = 42

[JC_189]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 270
begin = 17
end = 31

[JC_186]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 258
begin = 17
end = 31

[JC_78]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_175]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 239
begin = 17
end = 52

[JC_41]
file = "HOME/tests/c/interval_arith.c"
line = 76
begin = 13
end = 58

[add_safety]
name = "Function add"
behavior = "Safety"
file = "HOME/tests/c/interval_arith.c"
line = 187
begin = 5
end = 8

[JC_74]
file = "HOME/"
line = 0
begin = -1
end = -1

[min_ensures_default]
name = "Function min"
behavior = "default behavior"
file = "HOME/tests/c/interval_arith.c"
line = 40
begin = 7
end = 10

[JC_47]
file = "HOME/tests/c/interval_arith.c"
line = 75
begin = 13
end = 58

[JC_52]
file = "HOME/tests/c/interval_arith.jessie/interval_arith.jc"
line = 97
begin = 10
end = 18

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_154]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 240
begin = 37
end = 51

[JC_54]
file = "HOME/tests/c/interval_arith.jessie/interval_arith.jc"
line = 97
begin = 10
end = 18

[JC_79]
kind = FPOverflow
file = "HOME/tests/c/interval_arith.c"
line = 109
begin = 12
end = 13

[JC_13]
file = "HOME/tests/c/interval_arith.c"
line = 37
begin = 12
end = 32

[JC_130]
kind = FPOverflow
file = "HOME/tests/c/interval_arith.c"
line = 195
begin = 9
end = 19

[JC_82]
file = "HOME/tests/c/interval_arith.c"
line = 114
begin = 18
end = 80

[JC_174]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 239
begin = 21
end = 35

[JC_163]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 257
begin = 17
end = 31

[JC_153]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 239
begin = 17
end = 52

[JC_87]
file = "HOME/tests/c/interval_arith.c"
line = 131
begin = 18
end = 207

[JC_11]
file = "HOME/tests/c/interval_arith.c"
line = 38
begin = 12
end = 56

[JC_185]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 257
begin = 17
end = 31

[JC_184]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 255
begin = 17
end = 31

[JC_167]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 270
begin = 17
end = 31

[JC_98]
file = "HOME/tests/c/interval_arith.c"
line = 114
begin = 18
end = 80

[JC_70]
file = "HOME/tests/c/interval_arith.c"
line = 101
begin = 13
end = 58

[JC_15]
file = "HOME/tests/c/interval_arith.c"
line = 38
begin = 12
end = 56

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[min_safety]
name = "Function min"
behavior = "Safety"
file = "HOME/tests/c/interval_arith.c"
line = 40
begin = 7
end = 10

[JC_182]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 247
begin = 17
end = 31

[JC_168]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 271
begin = 17
end = 31

[JC_104]
file = "HOME/tests/c/interval_arith.c"
line = 136
begin = 18
end = 164

[JC_91]
file = "HOME/tests/c/interval_arith.c"
line = 148
begin = 18
end = 233

[JC_39]
file = "HOME/tests/c/interval_arith.c"
line = 74
begin = 13
end = 65

[JC_112]
file = "HOME/tests/c/interval_arith.c"
line = 181
begin = 38
end = 56

[JC_40]
file = "HOME/tests/c/interval_arith.c"
line = 75
begin = 13
end = 58

[JC_162]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 255
begin = 17
end = 31

[JC_135]
file = "HOME/tests/c/interval_arith.c"
line = 227
begin = 16
end = 34

[JC_169]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 273
begin = 17
end = 31

[JC_83]
file = "HOME/tests/c/interval_arith.c"
line = 118
begin = 18
end = 78

[JC_35]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_132]
kind = FPOverflow
file = "HOME/tests/c/interval_arith.c"
line = 195
begin = 11
end = 13

[JC_27]
file = "HOME/tests/c/interval_arith.c"
line = 47
begin = 12
end = 32

[JC_115]
file = "HOME/tests/c/interval_arith.c"
line = 181
begin = 16
end = 34

[JC_109]
file = "HOME/tests/c/interval_arith.c"
line = 158
begin = 18
end = 234

[JC_107]
file = "HOME/tests/c/interval_arith.c"
line = 148
begin = 18
end = 233

[JC_69]
file = "HOME/tests/c/interval_arith.c"
line = 100
begin = 13
end = 65

[JC_179]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 242
begin = 17
end = 31

[JC_124]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_38]
file = "HOME/tests/c/interval_arith.c"
line = 73
begin = 32
end = 44

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/tests/c/interval_arith.c"
line = 36
begin = 31
end = 42

[JC_156]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 240
begin = 17
end = 52

[JC_127]
kind = FPOverflow
file = "HOME/tests/c/interval_arith.c"
line = 189
begin = 7
end = 14

[JC_171]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 277
begin = 17
end = 31

[JC_164]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 258
begin = 17
end = 31

[JC_44]
file = "HOME/tests/c/interval_arith.c"
line = 73
begin = 16
end = 28

[JC_155]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 240
begin = 21
end = 35

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_191]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 273
begin = 17
end = 31

[JC_62]
file = "HOME/tests/c/interval_arith.c"
line = 101
begin = 13
end = 58

[JC_101]
file = "HOME/tests/c/interval_arith.c"
line = 123
begin = 18
end = 122

[JC_88]
file = "HOME/tests/c/interval_arith.c"
line = 136
begin = 18
end = 164

[JC_129]
kind = FPOverflow
file = "HOME/tests/c/interval_arith.c"
line = 195
begin = 9
end = 19

[mul_up_safety]
name = "Function mul_up"
behavior = "Safety"
file = "HOME/tests/c/interval_arith.c"
line = 108
begin = 7
end = 13

[JC_42]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_190]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 271
begin = 17
end = 31

[max_safety]
name = "Function max"
behavior = "Safety"
file = "HOME/tests/c/interval_arith.c"
line = 50
begin = 7
end = 10

[JC_178]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 240
begin = 17
end = 52

[JC_110]
file = "HOME/tests/c/interval_arith.c"
line = 163
begin = 18
end = 234

[JC_166]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 262
begin = 17
end = 31

[JC_103]
file = "HOME/tests/c/interval_arith.c"
line = 131
begin = 18
end = 207

[JC_46]
file = "HOME/tests/c/interval_arith.c"
line = 74
begin = 13
end = 65

[JC_141]
file = "HOME/tests/c/interval_arith.c"
line = 227
begin = 16
end = 56

[JC_61]
file = "HOME/tests/c/interval_arith.c"
line = 100
begin = 13
end = 65

[JC_32]
file = "HOME/tests/c/interval_arith.c"
line = 47
begin = 36
end = 56

[JC_56]
file = "HOME/"
line = 0
begin = -1
end = -1

[mul_dn_ensures_default]
name = "Function mul_dn"
behavior = "default behavior"
file = "HOME/tests/c/interval_arith.c"
line = 80
begin = 7
end = 13

[JC_33]
file = "HOME/tests/c/interval_arith.c"
line = 48
begin = 12
end = 56

[JC_65]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_118]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_173]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 239
begin = 37
end = 51

[JC_105]
file = "HOME/tests/c/interval_arith.c"
line = 140
begin = 18
end = 187

[JC_140]
file = "HOME/tests/c/interval_arith.c"
line = 227
begin = 38
end = 56

[JC_29]
file = "HOME/tests/c/interval_arith.c"
line = 48
begin = 12
end = 56

[JC_144]
file = "HOME/tests/c/interval_arith.c"
line = 229
begin = 12
end = 115

[JC_159]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 246
begin = 17
end = 31

[JC_68]
file = "HOME/tests/c/interval_arith.c"
line = 99
begin = 31
end = 42

[JC_7]
file = "HOME/tests/c/interval_arith.c"
line = 36
begin = 16
end = 42

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_96]
kind = FPOverflow
file = "HOME/tests/c/interval_arith.c"
line = 110
begin = 11
end = 14

[JC_43]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_2]
file = "HOME/tests/c/interval_arith.c"
line = 36
begin = 31
end = 42

[JC_95]
kind = FPOverflow
file = "HOME/tests/c/interval_arith.c"
line = 109
begin = 12
end = 13

[JC_93]
file = "HOME/tests/c/interval_arith.c"
line = 158
begin = 18
end = 234

[JC_97]
kind = FPOverflow
file = "HOME/tests/c/interval_arith.c"
line = 111
begin = 12
end = 13

[JC_84]
file = "HOME/tests/c/interval_arith.c"
line = 120
begin = 18
end = 120

[JC_160]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 247
begin = 17
end = 31

[JC_128]
kind = FPOverflow
file = "HOME/tests/c/interval_arith.c"
line = 195
begin = 11
end = 13

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_114]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/tests/c/interval_arith.c"
line = 37
begin = 36
end = 56

[JC_150]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_117]
file = "HOME/tests/c/interval_arith.c"
line = 181
begin = 16
end = 56

[JC_90]
file = "HOME/tests/c/interval_arith.c"
line = 144
begin = 18
end = 190

[JC_53]
file = "HOME/tests/c/interval_arith.c"
line = 78
begin = 12
end = 39

[JC_157]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 242
begin = 17
end = 31

[JC_145]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_21]
file = "HOME/tests/c/interval_arith.c"
line = 46
begin = 16
end = 42

[JC_149]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_111]
file = "HOME/tests/c/interval_arith.c"
line = 181
begin = 16
end = 34

[JC_77]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_49]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1]
file = "HOME/tests/c/interval_arith.c"
line = 36
begin = 16
end = 27

[JC_131]
kind = FPOverflow
file = "HOME/tests/c/interval_arith.c"
line = 189
begin = 7
end = 14

[JC_102]
file = "HOME/tests/c/interval_arith.c"
line = 126
begin = 18
end = 80

[JC_37]
file = "HOME/tests/c/interval_arith.c"
line = 73
begin = 16
end = 28

[JC_181]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 246
begin = 17
end = 31

[JC_142]
file = "HOME/"
line = 0
begin = -1
end = -1

[max_ensures_default]
name = "Function max"
behavior = "default behavior"
file = "HOME/tests/c/interval_arith.c"
line = 50
begin = 7
end = 10

[JC_10]
file = "HOME/tests/c/interval_arith.c"
line = 37
begin = 36
end = 56

[JC_108]
file = "HOME/tests/c/interval_arith.c"
line = 153
begin = 18
end = 232

[JC_57]
kind = FPOverflow
file = "HOME/tests/c/interval_arith.c"
line = 82
begin = 13
end = 16

[JC_161]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 254
begin = 17
end = 31

[JC_146]
file = "HOME/tests/c/interval_arith.c"
line = 228
begin = 12
end = 30

[JC_89]
file = "HOME/tests/c/interval_arith.c"
line = 140
begin = 18
end = 187

[JC_136]
file = "HOME/tests/c/interval_arith.c"
line = 227
begin = 38
end = 56

[JC_66]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_59]
file = "HOME/tests/c/interval_arith.c"
line = 99
begin = 16
end = 27

[JC_20]
file = "HOME/tests/c/interval_arith.c"
line = 46
begin = 31
end = 42

[JC_165]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 261
begin = 17
end = 31

[JC_192]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 274
begin = 17
end = 31

[JC_18]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_3]
file = "HOME/tests/c/interval_arith.c"
line = 36
begin = 16
end = 42

[JC_92]
file = "HOME/tests/c/interval_arith.c"
line = 153
begin = 18
end = 232

[JC_152]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 239
begin = 21
end = 35

[JC_86]
file = "HOME/tests/c/interval_arith.c"
line = 126
begin = 18
end = 80

[JC_60]
file = "HOME/tests/c/interval_arith.c"
line = 99
begin = 31
end = 42

[JC_183]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 254
begin = 17
end = 31

[JC_139]
file = "HOME/tests/c/interval_arith.c"
line = 227
begin = 16
end = 34

[JC_72]
file = "HOME/tests/c/interval_arith.c"
line = 103
begin = 13
end = 140

[JC_19]
file = "HOME/tests/c/interval_arith.c"
line = 46
begin = 16
end = 27

[JC_119]
file = "HOME/tests/c/interval_arith.c"
line = 182
begin = 12
end = 30

[JC_187]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 261
begin = 17
end = 31

[JC_76]
file = "HOME/tests/c/interval_arith.c"
line = 106
begin = 12
end = 41

[JC_50]
file = "HOME/"
line = 0
begin = -1
end = -1

[mul_safety]
name = "Function mul"
behavior = "Safety"
file = "HOME/tests/c/interval_arith.c"
line = 233
begin = 5
end = 8

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_120]
file = "HOME/tests/c/interval_arith.c"
line = 183
begin = 12
end = 115

[JC_58]
kind = FPOverflow
file = "HOME/tests/c/interval_arith.c"
line = 82
begin = 13
end = 16

[JC_100]
file = "HOME/tests/c/interval_arith.c"
line = 120
begin = 18
end = 120

[JC_28]
file = "HOME/tests/c/interval_arith.c"
line = 47
begin = 36
end = 56

========== file tests/c/interval_arith.jessie/why/interval_arith.why ==========
type charP

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

predicate dif_sign(x_2:double, y_1:double) =
 (double_sign(x_2) <> double_sign(y_1))

predicate double_le_real(x_1_0:double, y_1_0:real) =
 ((double_is_finite(x_1_0) and le_real(double_value(x_1_0), y_1_0))
 or double_is_minus_infinity(x_1_0))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

predicate real_le_double(x_2_0:real, y_2:double) =
 ((double_is_finite(y_2) and le_real(x_2_0, double_value(y_2)))
 or double_is_plus_infinity(y_2))

predicate in_interval(a:real, l:double, u:double) =
 (double_le_real(l, a) and real_le_double(a, u))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

predicate is_interval(xl:double, xu:double) =
 ((double_is_finite(xl) or double_is_minus_infinity(xl))
 and (double_is_finite(xu) or double_is_plus_infinity(xu)))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate sam_sign(x_0_0:double, y_0_0:double) =
 (double_sign(x_0_0) = double_sign(y_0_0))

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter zu : double ref

parameter zl : double ref

parameter add :
 xl_0:double ->
  xu_0:double ->
   yl:double ->
    yu:double ->
     { } unit reads zl,zu writes zl,zu
     { (JC_124:
       ((JC_122: is_interval(zl, zu))
       and (JC_123:
           (forall a_0_0:real.
            (forall b_0:real.
             ((in_interval(a_0_0, xl_0, xu_0) and in_interval(b_0, yl, yu)) ->
              in_interval(add_real(a_0_0, b_0), zl, zu))))))) }

parameter add_requires :
 xl_0:double ->
  xu_0:double ->
   yl:double ->
    yu:double ->
     { (JC_113:
       ((JC_111: is_interval(xl_0, xu_0)) and (JC_112: is_interval(yl, yu))))}
     unit reads zl,zu writes zl,zu
     { (JC_124:
       ((JC_122: is_interval(zl, zu))
       and (JC_123:
           (forall a_0_0:real.
            (forall b_0:real.
             ((in_interval(a_0_0, xl_0, xu_0) and in_interval(b_0, yl, yu)) ->
              in_interval(add_real(a_0_0, b_0), zl, zu))))))) }

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter max :
 x_1:double ->
  y:double ->
   { } double
   { (JC_34:
     ((JC_31: le_double_full(x_1, result))
     and ((JC_32: le_double_full(y, result))
         and (JC_33:
             (eq_double_full(result, x_1) or eq_double_full(result, y)))))) }

parameter max_requires :
 x_1:double ->
  y:double ->
   { (JC_21:
     ((JC_19: (not double_is_NaN(x_1))) and (JC_20: (not double_is_NaN(y)))))}
   double
   { (JC_34:
     ((JC_31: le_double_full(x_1, result))
     and ((JC_32: le_double_full(y, result))
         and (JC_33:
             (eq_double_full(result, x_1) or eq_double_full(result, y)))))) }

parameter min :
 x_0:double ->
  y_0:double ->
   { } double
   { (JC_16:
     ((JC_13: le_double_full(result, x_0))
     and ((JC_14: le_double_full(result, y_0))
         and (JC_15:
             (eq_double_full(result, x_0) or eq_double_full(result, y_0)))))) }

parameter min_requires :
 x_0:double ->
  y_0:double ->
   { (JC_3:
     ((JC_1: (not double_is_NaN(x_0))) and (JC_2: (not double_is_NaN(y_0)))))}
   double
   { (JC_16:
     ((JC_13: le_double_full(result, x_0))
     and ((JC_14: le_double_full(result, y_0))
         and (JC_15:
             (eq_double_full(result, x_0) or eq_double_full(result, y_0)))))) }

parameter mul :
 xl_0_0:double ->
  xu_0_0:double ->
   yl_0:double ->
    yu_0:double ->
     { } unit reads zl,zu writes zl,zu
     { (JC_148:
       ((JC_146: is_interval(zl, zu))
       and (JC_147:
           (forall a_1:real.
            (forall b_0_0:real.
             ((in_interval(a_1, xl_0_0, xu_0_0)
              and in_interval(b_0_0, yl_0, yu_0)) ->
              in_interval(mul_real(a_1, b_0_0), zl, zu))))))) }

parameter mul_dn :
 x_1_1:double ->
  y_1_1:double ->
   { } double
   { (JC_53:
     double_le_real(result,
     mul_real(double_value(x_1_1), double_value(y_1_1)))) }

parameter mul_dn_requires :
 x_1_1:double ->
  y_1_1:double ->
   { (JC_42:
     ((JC_37: (not double_is_NaN(x_1_1)))
     and ((JC_38: (not double_is_NaN(y_1_1)))
         and ((JC_39:
              ((double_is_infinite(x_1_1) or double_is_infinite(y_1_1)) ->
               dif_sign(x_1_1, y_1_1)))
             and ((JC_40:
                  ((double_is_infinite(x_1_1) and double_is_finite(y_1_1)) ->
                   (double_value(y_1_1) <> 0.0)))
                 and (JC_41:
                     ((double_is_finite(x_1_1) and double_is_infinite(y_1_1)) ->
                      (double_value(x_1_1) <> 0.0))))))))}
   double
   { (JC_53:
     double_le_real(result,
     mul_real(double_value(x_1_1), double_value(y_1_1)))) }

parameter mul_requires :
 xl_0_0:double ->
  xu_0_0:double ->
   yl_0:double ->
    yu_0:double ->
     { (JC_137:
       ((JC_135: is_interval(xl_0_0, xu_0_0))
       and (JC_136: is_interval(yl_0, yu_0))))}
     unit reads zl,zu writes zl,zu
     { (JC_148:
       ((JC_146: is_interval(zl, zu))
       and (JC_147:
           (forall a_1:real.
            (forall b_0_0:real.
             ((in_interval(a_1, xl_0_0, xu_0_0)
              and in_interval(b_0_0, yl_0, yu_0)) ->
              in_interval(mul_real(a_1, b_0_0), zl, zu))))))) }

parameter mul_up :
 x_2_1:double ->
  y_2_0:double ->
   { } double
   { (JC_76:
     real_le_double(mul_real(double_value(x_2_1), double_value(y_2_0)),
     result)) }

parameter mul_up_requires :
 x_2_1:double ->
  y_2_0:double ->
   { (JC_65:
     ((JC_59: (not double_is_NaN(x_2_1)))
     and ((JC_60: (not double_is_NaN(y_2_0)))
         and ((JC_61:
              ((double_is_infinite(x_2_1) or double_is_infinite(y_2_0)) ->
               sam_sign(x_2_1, y_2_0)))
             and ((JC_62:
                  ((double_is_infinite(x_2_1) and double_is_finite(y_2_0)) ->
                   (double_value(y_2_0) <> 0.0)))
                 and ((JC_63:
                      ((double_is_infinite(y_2_0)
                       and double_is_finite(x_2_1)) ->
                       (double_value(x_2_1) <> 0.0)))
                     and (JC_64:
                         ((double_is_finite(x_2_1)
                          and (double_is_finite(y_2_0)
                              and ((not no_overflow_double(down,
                                        neg_real(double_value(y_2_0))))
                                  and (double_sign(y_2_0) = Positive)))) ->
                          gt_real(double_value(x_2_1), 0.0)))))))))}
   double
   { (JC_76:
     real_le_double(mul_real(double_value(x_2_1), double_value(y_2_0)),
     result)) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let add_ensures_default =
 fun (xl_0 : double) (xu_0 : double) (yl : double) (yu : double) ->
  { (JC_117:
    ((JC_115: is_interval(xl_0, xu_0)) and (JC_116: is_interval(yl, yu)))) }
  (init:
  try
   begin
     (let _jessie_ = (zl := (JC_131: (((add_double down) xl_0) yl))) in
     void);
    (let _jessie_ =
    (zu := (JC_134:
           (neg_double (JC_133:
                       (((sub_double down) (JC_132: (neg_double xu_0))) yu))))) in
    void); (raise Return); (raise Return) end with Return -> void end)
  { (JC_121:
    ((JC_119: is_interval(zl, zu))
    and (JC_120:
        (forall a_0_0:real.
         (forall b_0:real.
          ((in_interval(a_0_0, xl_0, xu_0) and in_interval(b_0, yl, yu)) ->
           in_interval(add_real(a_0_0, b_0), zl, zu))))))) } 

let add_safety =
 fun (xl_0 : double) (xu_0 : double) (yl : double) (yu : double) ->
  { (JC_117:
    ((JC_115: is_interval(xl_0, xu_0)) and (JC_116: is_interval(yl, yu)))) }
  (init:
  try
   begin
     (let _jessie_ = (zl := (JC_127: (((add_double down) xl_0) yl))) in
     void);
    (let _jessie_ =
    (zu := (JC_130:
           (neg_double (JC_129:
                       (((sub_double down) (JC_128: (neg_double xu_0))) yu))))) in
    void); (raise Return); (raise Return) end with Return -> void end)
  { true } 

let max_ensures_default =
 fun (x_1 : double) (y : double) ->
  { (JC_25:
    ((JC_23: (not double_is_NaN(x_1))) and (JC_24: (not double_is_NaN(y))))) }
  (init:
  (let return = ref (any_double void) in
  try
   begin
     (let tmp_0 = ref (any_double void) in
     begin
       (let _jessie_ =
       (if ((gt_double_ x_1) y) then begin   (tmp_0 := x_1); !tmp_0 end
       else begin   (tmp_0 := y); !tmp_0 end) in void); (return := !tmp_0);
      (raise Return) end); absurd  end with Return -> !return end))
  { (JC_30:
    ((JC_27: le_double_full(x_1, result))
    and ((JC_28: le_double_full(y, result))
        and (JC_29:
            (eq_double_full(result, x_1) or eq_double_full(result, y)))))) } 

let max_safety =
 fun (x_1 : double) (y : double) ->
  { (JC_25:
    ((JC_23: (not double_is_NaN(x_1))) and (JC_24: (not double_is_NaN(y))))) }
  (init:
  (let return = ref (any_double void) in
  try
   begin
     (let tmp_0 = ref (any_double void) in
     begin
       (let _jessie_ =
       (if ((gt_double_ x_1) y) then begin   (tmp_0 := x_1); !tmp_0 end
       else begin   (tmp_0 := y); !tmp_0 end) in void); (return := !tmp_0);
      (raise Return) end); absurd  end with Return -> !return end)) { true } 

let min_ensures_default =
 fun (x_0 : double) (y_0 : double) ->
  { (JC_7:
    ((JC_5: (not double_is_NaN(x_0))) and (JC_6: (not double_is_NaN(y_0))))) }
  (init:
  (let return = ref (any_double void) in
  try
   begin
     (let tmp = ref (any_double void) in
     begin
       (let _jessie_ =
       (if ((lt_double_ x_0) y_0) then begin   (tmp := x_0); !tmp end
       else begin   (tmp := y_0); !tmp end) in void); (return := !tmp);
      (raise Return) end); absurd  end with Return -> !return end))
  { (JC_12:
    ((JC_9: le_double_full(result, x_0))
    and ((JC_10: le_double_full(result, y_0))
        and (JC_11:
            (eq_double_full(result, x_0) or eq_double_full(result, y_0)))))) }
  

let min_safety =
 fun (x_0 : double) (y_0 : double) ->
  { (JC_7:
    ((JC_5: (not double_is_NaN(x_0))) and (JC_6: (not double_is_NaN(y_0))))) }
  (init:
  (let return = ref (any_double void) in
  try
   begin
     (let tmp = ref (any_double void) in
     begin
       (let _jessie_ =
       (if ((lt_double_ x_0) y_0) then begin   (tmp := x_0); !tmp end
       else begin   (tmp := y_0); !tmp end) in void); (return := !tmp);
      (raise Return) end); absurd  end with Return -> !return end)) { true } 

let mul_dn_ensures_default =
 fun (x_1_1 : double) (y_1_1 : double) ->
  { (JC_49:
    ((JC_44: (not double_is_NaN(x_1_1)))
    and ((JC_45: (not double_is_NaN(y_1_1)))
        and ((JC_46:
             ((double_is_infinite(x_1_1) or double_is_infinite(y_1_1)) ->
              dif_sign(x_1_1, y_1_1)))
            and ((JC_47:
                 ((double_is_infinite(x_1_1) and double_is_finite(y_1_1)) ->
                  (double_value(y_1_1) <> 0.0)))
                and (JC_48:
                    ((double_is_finite(x_1_1) and double_is_infinite(y_1_1)) ->
                     (double_value(x_1_1) <> 0.0)))))))) }
  (init:
  (let return = ref (any_double void) in
  try
   begin
     (let z = ref (any_double void) in
     begin
       (let _jessie_ = (z := (JC_58: (((mul_double down) x_1_1) y_1_1))) in
       void); (return := !z); (raise Return) end); absurd  end with Return ->
   !return end))
  { (JC_51:
    double_le_real(result,
    mul_real(double_value(x_1_1), double_value(y_1_1)))) } 

let mul_dn_safety =
 fun (x_1_1 : double) (y_1_1 : double) ->
  { (JC_49:
    ((JC_44: (not double_is_NaN(x_1_1)))
    and ((JC_45: (not double_is_NaN(y_1_1)))
        and ((JC_46:
             ((double_is_infinite(x_1_1) or double_is_infinite(y_1_1)) ->
              dif_sign(x_1_1, y_1_1)))
            and ((JC_47:
                 ((double_is_infinite(x_1_1) and double_is_finite(y_1_1)) ->
                  (double_value(y_1_1) <> 0.0)))
                and (JC_48:
                    ((double_is_finite(x_1_1) and double_is_infinite(y_1_1)) ->
                     (double_value(x_1_1) <> 0.0)))))))) }
  (init:
  (let return = ref (any_double void) in
  try
   begin
     (let z = ref (any_double void) in
     begin
       (let _jessie_ = (z := (JC_57: (((mul_double down) x_1_1) y_1_1))) in
       void); (return := !z); (raise Return) end); absurd  end with Return ->
   !return end)) { true } 

let mul_ensures_default =
 fun (xl_0_0 : double) (xu_0_0 : double) (yl_0 : double) (yu_0 : double) ->
  { (JC_141:
    ((JC_139: is_interval(xl_0_0, xu_0_0))
    and (JC_140: is_interval(yl_0, yu_0)))) }
  (init:
  try
   begin
     (let tmp_1 = ref (any_double void) in
     (let tmp_0_0 = ref (any_double void) in
     (let tmp_1_0 = ref (any_double void) in
     (let tmp_2 = ref (any_double void) in
     begin
       (let _jessie_ =
       (if ((lt_double_ xl_0_0) (double_of_real_exact 0.0))
       then
        (if ((gt_double_ xu_0_0) (double_of_real_exact 0.0))
        then
         (if ((lt_double_ yl_0) (double_of_real_exact 0.0))
         then
          (if ((gt_double_ yu_0) (double_of_real_exact 0.0))
          then
           begin
             (let _jessie_ =
             begin
               (let _jessie_ =
               (tmp_1 := (let _jessie_ = xu_0_0 in
                         (let _jessie_ = yl_0 in
                         (JC_173: ((mul_dn _jessie_) _jessie_))))) in
               void);
              (tmp_0_0 := (let _jessie_ = xl_0_0 in
                          (let _jessie_ = yu_0 in
                          (JC_174: ((mul_dn _jessie_) _jessie_)))));
              !tmp_0_0 end in void);
            (let _jessie_ =
            (zl := (let _jessie_ = !tmp_0_0 in
                   (let _jessie_ = !tmp_1 in
                   (JC_175: ((min _jessie_) _jessie_))))) in void);
            (let _jessie_ =
            begin
              (let _jessie_ =
              (tmp_1_0 := (let _jessie_ = xu_0_0 in
                          (let _jessie_ = yu_0 in
                          (JC_176: ((mul_up _jessie_) _jessie_))))) in
              void);
             (tmp_2 := (let _jessie_ = xl_0_0 in
                       (let _jessie_ = yl_0 in
                       (JC_177: ((mul_up _jessie_) _jessie_)))));
             !tmp_2 end in void);
            (zu := (let _jessie_ = !tmp_2 in
                   (let _jessie_ = !tmp_1_0 in
                   (JC_178: ((max _jessie_) _jessie_))))); !zu end
          else
           begin
             (let _jessie_ =
             (zl := (let _jessie_ = xu_0_0 in
                    (let _jessie_ = yl_0 in
                    (JC_179: ((mul_dn _jessie_) _jessie_))))) in void);
            (zu := (let _jessie_ = xl_0_0 in
                   (let _jessie_ = yl_0 in
                   (JC_180: ((mul_up _jessie_) _jessie_))))); !zu end)
         else
          (if ((gt_double_ yu_0) (double_of_real_exact 0.0))
          then
           begin
             (let _jessie_ =
             (zl := (let _jessie_ = xl_0_0 in
                    (let _jessie_ = yu_0 in
                    (JC_181: ((mul_dn _jessie_) _jessie_))))) in void);
            (zu := (let _jessie_ = xu_0_0 in
                   (let _jessie_ = yu_0 in
                   (JC_182: ((mul_up _jessie_) _jessie_))))); !zu end
          else
           begin
             (let _jessie_ = (zl := (double_of_real_exact 0.0)) in void);
            (zu := (double_of_real_exact 0.0)); !zu end))
        else
         (if ((lt_double_ yl_0) (double_of_real_exact 0.0))
         then
          (if ((gt_double_ yu_0) (double_of_real_exact 0.0))
          then
           begin
             (let _jessie_ =
             (zl := (let _jessie_ = xl_0_0 in
                    (let _jessie_ = yu_0 in
                    (JC_183: ((mul_dn _jessie_) _jessie_))))) in void);
            (zu := (let _jessie_ = xl_0_0 in
                   (let _jessie_ = yl_0 in
                   (JC_184: ((mul_up _jessie_) _jessie_))))); !zu end
          else
           begin
             (let _jessie_ =
             (zl := (let _jessie_ = xu_0_0 in
                    (let _jessie_ = yu_0 in
                    (JC_185: ((mul_dn _jessie_) _jessie_))))) in void);
            (zu := (let _jessie_ = xl_0_0 in
                   (let _jessie_ = yl_0 in
                   (JC_186: ((mul_up _jessie_) _jessie_))))); !zu end)
         else
          (if ((gt_double_ yu_0) (double_of_real_exact 0.0))
          then
           begin
             (let _jessie_ =
             (zl := (let _jessie_ = xl_0_0 in
                    (let _jessie_ = yu_0 in
                    (JC_187: ((mul_dn _jessie_) _jessie_))))) in void);
            (zu := (let _jessie_ = xu_0_0 in
                   (let _jessie_ = yl_0 in
                   (JC_188: ((mul_up _jessie_) _jessie_))))); !zu end
          else
           begin
             (let _jessie_ = (zl := (double_of_real_exact 0.0)) in void);
            (zu := (double_of_real_exact 0.0)); !zu end)))
       else
        (if ((gt_double_ xu_0_0) (double_of_real_exact 0.0))
        then
         (if ((lt_double_ yl_0) (double_of_real_exact 0.0))
         then
          (if ((gt_double_ yu_0) (double_of_real_exact 0.0))
          then
           begin
             (let _jessie_ =
             (zl := (let _jessie_ = xu_0_0 in
                    (let _jessie_ = yl_0 in
                    (JC_189: ((mul_dn _jessie_) _jessie_))))) in void);
            (zu := (let _jessie_ = xu_0_0 in
                   (let _jessie_ = yu_0 in
                   (JC_190: ((mul_up _jessie_) _jessie_))))); !zu end
          else
           begin
             (let _jessie_ =
             (zl := (let _jessie_ = xu_0_0 in
                    (let _jessie_ = yl_0 in
                    (JC_191: ((mul_dn _jessie_) _jessie_))))) in void);
            (zu := (let _jessie_ = xl_0_0 in
                   (let _jessie_ = yu_0 in
                   (JC_192: ((mul_up _jessie_) _jessie_))))); !zu end)
         else
          (if ((gt_double_ yu_0) (double_of_real_exact 0.0))
          then
           begin
             (let _jessie_ =
             (zl := (let _jessie_ = xl_0_0 in
                    (let _jessie_ = yl_0 in
                    (JC_193: ((mul_dn _jessie_) _jessie_))))) in void);
            (zu := (let _jessie_ = xu_0_0 in
                   (let _jessie_ = yu_0 in
                   (JC_194: ((mul_up _jessie_) _jessie_))))); !zu end
          else
           begin
             (let _jessie_ = (zl := (double_of_real_exact 0.0)) in void);
            (zu := (double_of_real_exact 0.0)); !zu end))
        else
         begin
           (let _jessie_ = (zl := (double_of_real_exact 0.0)) in void);
          (zu := (double_of_real_exact 0.0)); !zu end)) in void);
      (raise Return) end)))); (raise Return) end with Return -> void end)
  { (JC_145:
    ((JC_143: is_interval(zl, zu))
    and (JC_144:
        (forall a_1:real.
         (forall b_0_0:real.
          ((in_interval(a_1, xl_0_0, xu_0_0)
           and in_interval(b_0_0, yl_0, yu_0)) ->
           in_interval(mul_real(a_1, b_0_0), zl, zu))))))) } 

let mul_safety =
 fun (xl_0_0 : double) (xu_0_0 : double) (yl_0 : double) (yu_0 : double) ->
  { (JC_141:
    ((JC_139: is_interval(xl_0_0, xu_0_0))
    and (JC_140: is_interval(yl_0, yu_0)))) }
  (init:
  try
   begin
     (let tmp_1 = ref (any_double void) in
     (let tmp_0_0 = ref (any_double void) in
     (let tmp_1_0 = ref (any_double void) in
     (let tmp_2 = ref (any_double void) in
     begin
       (let _jessie_ =
       (if ((lt_double_ xl_0_0) (double_of_real_exact 0.0))
       then
        (if ((gt_double_ xu_0_0) (double_of_real_exact 0.0))
        then
         (if ((lt_double_ yl_0) (double_of_real_exact 0.0))
         then
          (if ((gt_double_ yu_0) (double_of_real_exact 0.0))
          then
           begin
             (let _jessie_ =
             begin
               (let _jessie_ =
               (tmp_1 := (let _jessie_ = xu_0_0 in
                         (let _jessie_ = yl_0 in
                         (JC_151: ((mul_dn_requires _jessie_) _jessie_))))) in
               void);
              (tmp_0_0 := (let _jessie_ = xl_0_0 in
                          (let _jessie_ = yu_0 in
                          (JC_152: ((mul_dn_requires _jessie_) _jessie_)))));
              !tmp_0_0 end in void);
            (let _jessie_ =
            (zl := (let _jessie_ = !tmp_0_0 in
                   (let _jessie_ = !tmp_1 in
                   (JC_153: ((min_requires _jessie_) _jessie_))))) in
            void);
            (let _jessie_ =
            begin
              (let _jessie_ =
              (tmp_1_0 := (let _jessie_ = xu_0_0 in
                          (let _jessie_ = yu_0 in
                          (JC_154: ((mul_up_requires _jessie_) _jessie_))))) in
              void);
             (tmp_2 := (let _jessie_ = xl_0_0 in
                       (let _jessie_ = yl_0 in
                       (JC_155: ((mul_up_requires _jessie_) _jessie_)))));
             !tmp_2 end in void);
            (zu := (let _jessie_ = !tmp_2 in
                   (let _jessie_ = !tmp_1_0 in
                   (JC_156: ((max_requires _jessie_) _jessie_))))); !zu
           end
          else
           begin
             (let _jessie_ =
             (zl := (let _jessie_ = xu_0_0 in
                    (let _jessie_ = yl_0 in
                    (JC_157: ((mul_dn_requires _jessie_) _jessie_))))) in
             void);
            (zu := (let _jessie_ = xl_0_0 in
                   (let _jessie_ = yl_0 in
                   (JC_158: ((mul_up_requires _jessie_) _jessie_)))));
            !zu end)
         else
          (if ((gt_double_ yu_0) (double_of_real_exact 0.0))
          then
           begin
             (let _jessie_ =
             (zl := (let _jessie_ = xl_0_0 in
                    (let _jessie_ = yu_0 in
                    (JC_159: ((mul_dn_requires _jessie_) _jessie_))))) in
             void);
            (zu := (let _jessie_ = xu_0_0 in
                   (let _jessie_ = yu_0 in
                   (JC_160: ((mul_up_requires _jessie_) _jessie_)))));
            !zu end
          else
           begin
             (let _jessie_ = (zl := (double_of_real_exact 0.0)) in void);
            (zu := (double_of_real_exact 0.0)); !zu end))
        else
         (if ((lt_double_ yl_0) (double_of_real_exact 0.0))
         then
          (if ((gt_double_ yu_0) (double_of_real_exact 0.0))
          then
           begin
             (let _jessie_ =
             (zl := (let _jessie_ = xl_0_0 in
                    (let _jessie_ = yu_0 in
                    (JC_161: ((mul_dn_requires _jessie_) _jessie_))))) in
             void);
            (zu := (let _jessie_ = xl_0_0 in
                   (let _jessie_ = yl_0 in
                   (JC_162: ((mul_up_requires _jessie_) _jessie_)))));
            !zu end
          else
           begin
             (let _jessie_ =
             (zl := (let _jessie_ = xu_0_0 in
                    (let _jessie_ = yu_0 in
                    (JC_163: ((mul_dn_requires _jessie_) _jessie_))))) in
             void);
            (zu := (let _jessie_ = xl_0_0 in
                   (let _jessie_ = yl_0 in
                   (JC_164: ((mul_up_requires _jessie_) _jessie_)))));
            !zu end)
         else
          (if ((gt_double_ yu_0) (double_of_real_exact 0.0))
          then
           begin
             (let _jessie_ =
             (zl := (let _jessie_ = xl_0_0 in
                    (let _jessie_ = yu_0 in
                    (JC_165: ((mul_dn_requires _jessie_) _jessie_))))) in
             void);
            (zu := (let _jessie_ = xu_0_0 in
                   (let _jessie_ = yl_0 in
                   (JC_166: ((mul_up_requires _jessie_) _jessie_)))));
            !zu end
          else
           begin
             (let _jessie_ = (zl := (double_of_real_exact 0.0)) in void);
            (zu := (double_of_real_exact 0.0)); !zu end)))
       else
        (if ((gt_double_ xu_0_0) (double_of_real_exact 0.0))
        then
         (if ((lt_double_ yl_0) (double_of_real_exact 0.0))
         then
          (if ((gt_double_ yu_0) (double_of_real_exact 0.0))
          then
           begin
             (let _jessie_ =
             (zl := (let _jessie_ = xu_0_0 in
                    (let _jessie_ = yl_0 in
                    (JC_167: ((mul_dn_requires _jessie_) _jessie_))))) in
             void);
            (zu := (let _jessie_ = xu_0_0 in
                   (let _jessie_ = yu_0 in
                   (JC_168: ((mul_up_requires _jessie_) _jessie_)))));
            !zu end
          else
           begin
             (let _jessie_ =
             (zl := (let _jessie_ = xu_0_0 in
                    (let _jessie_ = yl_0 in
                    (JC_169: ((mul_dn_requires _jessie_) _jessie_))))) in
             void);
            (zu := (let _jessie_ = xl_0_0 in
                   (let _jessie_ = yu_0 in
                   (JC_170: ((mul_up_requires _jessie_) _jessie_)))));
            !zu end)
         else
          (if ((gt_double_ yu_0) (double_of_real_exact 0.0))
          then
           begin
             (let _jessie_ =
             (zl := (let _jessie_ = xl_0_0 in
                    (let _jessie_ = yl_0 in
                    (JC_171: ((mul_dn_requires _jessie_) _jessie_))))) in
             void);
            (zu := (let _jessie_ = xu_0_0 in
                   (let _jessie_ = yu_0 in
                   (JC_172: ((mul_up_requires _jessie_) _jessie_)))));
            !zu end
          else
           begin
             (let _jessie_ = (zl := (double_of_real_exact 0.0)) in void);
            (zu := (double_of_real_exact 0.0)); !zu end))
        else
         begin
           (let _jessie_ = (zl := (double_of_real_exact 0.0)) in void);
          (zu := (double_of_real_exact 0.0)); !zu end)) in void);
      (raise Return) end)))); (raise Return) end with Return -> void end)
  { true } 

let mul_up_ensures_default =
 fun (x_2_1 : double) (y_2_0 : double) ->
  { (JC_73:
    ((JC_67: (not double_is_NaN(x_2_1)))
    and ((JC_68: (not double_is_NaN(y_2_0)))
        and ((JC_69:
             ((double_is_infinite(x_2_1) or double_is_infinite(y_2_0)) ->
              sam_sign(x_2_1, y_2_0)))
            and ((JC_70:
                 ((double_is_infinite(x_2_1) and double_is_finite(y_2_0)) ->
                  (double_value(y_2_0) <> 0.0)))
                and ((JC_71:
                     ((double_is_infinite(y_2_0) and double_is_finite(x_2_1)) ->
                      (double_value(x_2_1) <> 0.0)))
                    and (JC_72:
                        ((double_is_finite(x_2_1)
                         and (double_is_finite(y_2_0)
                             and ((not no_overflow_double(down,
                                       neg_real(double_value(y_2_0))))
                                 and (double_sign(y_2_0) = Positive)))) ->
                         gt_real(double_value(x_2_1), 0.0))))))))) }
  (init:
  (let return = ref (any_double void) in
  try
   begin
     (let a_0 = ref (any_double void) in
     (let b = ref (any_double void) in
     (let z_0 = ref (any_double void) in
     begin
       (let _jessie_ = (a_0 := (JC_95: (neg_double y_2_0))) in void);
      (let _jessie_ = (b := (JC_96: (((mul_double down) x_2_1) !a_0))) in
      void); (let _jessie_ = (z_0 := (JC_97: (neg_double !b))) in void);
      (assert
      { (JC_98:
        ((double_is_infinite(x_2_1) or double_is_infinite(y_2_0)) ->
         real_le_double(mul_real(double_value(x_2_1), double_value(y_2_0)),
         z_0))) }; void); void;
      (assert
      { (JC_99:
        ((double_is_finite(x_2_1) and double_is_infinite(y_2_0)) ->
         real_le_double(mul_real(double_value(x_2_1), double_value(y_2_0)),
         z_0))) }; void); void;
      (assert
      { (JC_100:
        ((double_is_infinite(x_2_1)
         and (double_is_finite(y_2_0)
             and no_overflow_double(down, neg_real(double_value(y_2_0))))) ->
         real_le_double(mul_real(double_value(x_2_1), double_value(y_2_0)),
         z_0))) }; void); void;
      (assert
      { (JC_101:
        ((double_is_infinite(x_2_1)
         and (double_is_finite(y_2_0)
             and (not no_overflow_double(down, neg_real(double_value(y_2_0)))))) ->
         real_le_double(mul_real(double_value(x_2_1), double_value(y_2_0)),
         z_0))) }; void); void;
      (assert
      { (JC_102:
        ((double_is_infinite(x_2_1) and double_is_infinite(y_2_0)) ->
         real_le_double(mul_real(double_value(x_2_1), double_value(y_2_0)),
         z_0))) }; void); void;
      (assert
      { (JC_103:
        ((double_is_finite(x_2_1)
         and (double_is_finite(y_2_0)
             and (no_overflow_double(down, neg_real(double_value(y_2_0)))
                 and (no_overflow_double(down,
                      mul_real(double_value(x_2_1), double_value(a_0)))
                     and (not no_overflow_double(down,
                              neg_real(double_value(b)))))))) ->
         real_le_double(mul_real(double_value(x_2_1), double_value(y_2_0)),
         z_0))) }; void); void;
      (assert
      { (JC_104:
        ((double_is_finite(x_2_1)
         and (double_is_finite(y_2_0)
             and (no_overflow_double(down, neg_real(double_value(y_2_0)))
                 and (not no_overflow_double(down,
                          mul_real(double_value(x_2_1), double_value(a_0))))))) ->
         real_le_double(mul_real(double_value(x_2_1), double_value(y_2_0)),
         z_0))) }; void); void;
      (assert
      { (JC_105:
        ((double_is_finite(x_2_1)
         and (double_is_finite(y_2_0)
             and ((not no_overflow_double(down,
                       neg_real(double_value(y_2_0))))
                 and (double_sign(y_2_0) = Positive)))) ->
         real_le_double(mul_real(double_value(x_2_1), double_value(y_2_0)),
         z_0))) }; void); void;
      (assert
      { (JC_106:
        ((double_is_finite(x_2_1)
         and (double_is_finite(y_2_0)
             and ((not no_overflow_double(down,
                       neg_real(double_value(y_2_0))))
                 and ((double_sign(y_2_0) = Negative)
                     and (not no_overflow_double(down,
                              mul_real(double_value(x_2_1),
                              double_value(a_0)))))))) ->
         real_le_double(mul_real(double_value(x_2_1), double_value(y_2_0)),
         z_0))) }; void); void;
      (assert
      { (JC_107:
        ((double_is_finite(x_2_1)
         and (double_is_finite(y_2_0)
             and ((not no_overflow_double(down,
                       neg_real(double_value(y_2_0))))
                 and ((double_sign(y_2_0) = Negative)
                     and (no_overflow_double(down,
                          mul_real(double_value(x_2_1), double_value(a_0)))
                         and (not no_overflow_double(down,
                                  neg_real(double_value(b))))))))) ->
         real_le_double(mul_real(double_value(x_2_1), double_value(y_2_0)),
         z_0))) }; void); void;
      (assert
      { (JC_108:
        ((double_is_finite(x_2_1)
         and (double_is_finite(y_2_0)
             and ((not no_overflow_double(down,
                       neg_real(double_value(y_2_0))))
                 and ((double_sign(y_2_0) = Negative)
                     and (no_overflow_double(down,
                          mul_real(double_value(x_2_1), double_value(a_0)))
                         and no_overflow_double(down,
                             neg_real(double_value(b)))))))) ->
         real_le_double(mul_real(double_value(x_2_1), double_value(y_2_0)),
         z_0))) }; void); void;
      (assert
      { (JC_109:
        ((double_is_finite(x_2_1)
         and (double_is_finite(y_2_0)
             and (no_overflow_double(down, neg_real(double_value(y_2_0)))
                 and (no_overflow_double(down,
                      mul_real(double_value(x_2_1), double_value(a_0)))
                     and (no_overflow_double(down, neg_real(double_value(b)))
                         and gt_real(double_value(x_2_1), 0.0)))))) ->
         (double_is_finite(z_0)
         and real_le_double(mul_real(double_value(x_2_1),
                            double_value(y_2_0)),
             z_0)))) }; void); void;
      (assert
      { (JC_110:
        ((double_is_finite(x_2_1)
         and (double_is_finite(y_2_0)
             and (no_overflow_double(down, neg_real(double_value(y_2_0)))
                 and (no_overflow_double(down,
                      mul_real(double_value(x_2_1), double_value(a_0)))
                     and (no_overflow_double(down, neg_real(double_value(b)))
                         and lt_real(double_value(x_2_1), 0.0)))))) ->
         (double_is_finite(z_0)
         and real_le_double(mul_real(double_value(x_2_1),
                            double_value(y_2_0)),
             z_0)))) }; void); void; (return := !z_0); (raise Return) end)));
    absurd  end with Return -> !return end))
  { (JC_75:
    real_le_double(mul_real(double_value(x_2_1), double_value(y_2_0)),
    result)) } 

let mul_up_safety =
 fun (x_2_1 : double) (y_2_0 : double) ->
  { (JC_73:
    ((JC_67: (not double_is_NaN(x_2_1)))
    and ((JC_68: (not double_is_NaN(y_2_0)))
        and ((JC_69:
             ((double_is_infinite(x_2_1) or double_is_infinite(y_2_0)) ->
              sam_sign(x_2_1, y_2_0)))
            and ((JC_70:
                 ((double_is_infinite(x_2_1) and double_is_finite(y_2_0)) ->
                  (double_value(y_2_0) <> 0.0)))
                and ((JC_71:
                     ((double_is_infinite(y_2_0) and double_is_finite(x_2_1)) ->
                      (double_value(x_2_1) <> 0.0)))
                    and (JC_72:
                        ((double_is_finite(x_2_1)
                         and (double_is_finite(y_2_0)
                             and ((not no_overflow_double(down,
                                       neg_real(double_value(y_2_0))))
                                 and (double_sign(y_2_0) = Positive)))) ->
                         gt_real(double_value(x_2_1), 0.0))))))))) }
  (init:
  (let return = ref (any_double void) in
  try
   begin
     (let a_0 = ref (any_double void) in
     (let b = ref (any_double void) in
     (let z_0 = ref (any_double void) in
     begin
       (let _jessie_ = (a_0 := (JC_79: (neg_double y_2_0))) in void);
      (let _jessie_ = (b := (JC_80: (((mul_double down) x_2_1) !a_0))) in
      void); (let _jessie_ = (z_0 := (JC_81: (neg_double !b))) in void);
      [ { } unit reads z_0
        { (JC_82:
          ((double_is_infinite(x_2_1) or double_is_infinite(y_2_0)) ->
           real_le_double(mul_real(double_value(x_2_1), double_value(y_2_0)),
           z_0))) } ]; void;
      [ { } unit reads z_0
        { (JC_83:
          ((double_is_finite(x_2_1) and double_is_infinite(y_2_0)) ->
           real_le_double(mul_real(double_value(x_2_1), double_value(y_2_0)),
           z_0))) } ]; void;
      [ { } unit reads z_0
        { (JC_84:
          ((double_is_infinite(x_2_1)
           and (double_is_finite(y_2_0)
               and no_overflow_double(down, neg_real(double_value(y_2_0))))) ->
           real_le_double(mul_real(double_value(x_2_1), double_value(y_2_0)),
           z_0))) } ]; void;
      [ { } unit reads z_0
        { (JC_85:
          ((double_is_infinite(x_2_1)
           and (double_is_finite(y_2_0)
               and (not no_overflow_double(down,
                        neg_real(double_value(y_2_0)))))) ->
           real_le_double(mul_real(double_value(x_2_1), double_value(y_2_0)),
           z_0))) } ]; void;
      [ { } unit reads z_0
        { (JC_86:
          ((double_is_infinite(x_2_1) and double_is_infinite(y_2_0)) ->
           real_le_double(mul_real(double_value(x_2_1), double_value(y_2_0)),
           z_0))) } ]; void;
      [ { } unit reads a_0,b,z_0
        { (JC_87:
          ((double_is_finite(x_2_1)
           and (double_is_finite(y_2_0)
               and (no_overflow_double(down, neg_real(double_value(y_2_0)))
                   and (no_overflow_double(down,
                        mul_real(double_value(x_2_1), double_value(a_0)))
                       and (not no_overflow_double(down,
                                neg_real(double_value(b)))))))) ->
           real_le_double(mul_real(double_value(x_2_1), double_value(y_2_0)),
           z_0))) } ]; void;
      [ { } unit reads a_0,z_0
        { (JC_88:
          ((double_is_finite(x_2_1)
           and (double_is_finite(y_2_0)
               and (no_overflow_double(down, neg_real(double_value(y_2_0)))
                   and (not no_overflow_double(down,
                            mul_real(double_value(x_2_1), double_value(a_0))))))) ->
           real_le_double(mul_real(double_value(x_2_1), double_value(y_2_0)),
           z_0))) } ]; void;
      [ { } unit reads z_0
        { (JC_89:
          ((double_is_finite(x_2_1)
           and (double_is_finite(y_2_0)
               and ((not no_overflow_double(down,
                         neg_real(double_value(y_2_0))))
                   and (double_sign(y_2_0) = Positive)))) ->
           real_le_double(mul_real(double_value(x_2_1), double_value(y_2_0)),
           z_0))) } ]; void;
      [ { } unit reads a_0,z_0
        { (JC_90:
          ((double_is_finite(x_2_1)
           and (double_is_finite(y_2_0)
               and ((not no_overflow_double(down,
                         neg_real(double_value(y_2_0))))
                   and ((double_sign(y_2_0) = Negative)
                       and (not no_overflow_double(down,
                                mul_real(double_value(x_2_1),
                                double_value(a_0)))))))) ->
           real_le_double(mul_real(double_value(x_2_1), double_value(y_2_0)),
           z_0))) } ]; void;
      [ { } unit reads a_0,b,z_0
        { (JC_91:
          ((double_is_finite(x_2_1)
           and (double_is_finite(y_2_0)
               and ((not no_overflow_double(down,
                         neg_real(double_value(y_2_0))))
                   and ((double_sign(y_2_0) = Negative)
                       and (no_overflow_double(down,
                            mul_real(double_value(x_2_1), double_value(a_0)))
                           and (not no_overflow_double(down,
                                    neg_real(double_value(b))))))))) ->
           real_le_double(mul_real(double_value(x_2_1), double_value(y_2_0)),
           z_0))) } ]; void;
      [ { } unit reads a_0,b,z_0
        { (JC_92:
          ((double_is_finite(x_2_1)
           and (double_is_finite(y_2_0)
               and ((not no_overflow_double(down,
                         neg_real(double_value(y_2_0))))
                   and ((double_sign(y_2_0) = Negative)
                       and (no_overflow_double(down,
                            mul_real(double_value(x_2_1), double_value(a_0)))
                           and no_overflow_double(down,
                               neg_real(double_value(b)))))))) ->
           real_le_double(mul_real(double_value(x_2_1), double_value(y_2_0)),
           z_0))) } ]; void;
      [ { } unit reads a_0,b,z_0
        { (JC_93:
          ((double_is_finite(x_2_1)
           and (double_is_finite(y_2_0)
               and (no_overflow_double(down, neg_real(double_value(y_2_0)))
                   and (no_overflow_double(down,
                        mul_real(double_value(x_2_1), double_value(a_0)))
                       and (no_overflow_double(down,
                            neg_real(double_value(b)))
                           and gt_real(double_value(x_2_1), 0.0)))))) ->
           (double_is_finite(z_0)
           and real_le_double(mul_real(double_value(x_2_1),
                              double_value(y_2_0)),
               z_0)))) } ]; void;
      [ { } unit reads a_0,b,z_0
        { (JC_94:
          ((double_is_finite(x_2_1)
           and (double_is_finite(y_2_0)
               and (no_overflow_double(down, neg_real(double_value(y_2_0)))
                   and (no_overflow_double(down,
                        mul_real(double_value(x_2_1), double_value(a_0)))
                       and (no_overflow_double(down,
                            neg_real(double_value(b)))
                           and lt_real(double_value(x_2_1), 0.0)))))) ->
           (double_is_finite(z_0)
           and real_le_double(mul_real(double_value(x_2_1),
                              double_value(y_2_0)),
               z_0)))) } ]; void; (return := !z_0); (raise Return) end)));
    absurd  end with Return -> !return end)) { true } 


why-2.39/tests/c/oracle/selection_sort.err.oracle0000644000106100004300000000062613147234006021100 0ustar  marchevalsWarning: recursive definition of Permut in generated file
Warning: recursive definition of Permut in generated file
Warning: recursive definition of Permut in generated file
Warning: recursive definition of Permut in generated file
Warning: recursive definition of Permut in generated file
Warning: recursive definition of Permut in generated file
Warning: recursive definition of Permut in generated file
why-2.39/tests/c/oracle/float_array.res.oracle0000644000106100004300000014746313147234006020363 0ustar  marchevals========== file tests/c/float_array.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@ logic real EPS1 = 0x1p-53;
//@ logic real UPPER = 0x1p0;
//@ logic integer N = 10;

//@ predicate bounded(real z, real bound) = \abs(z) <= bound;

double x;

/*@
  @ requires bounded(d, UPPER);
  @ requires \round_error(d) == 0;
  @
  @ ensures \abs(x - (d + 1.0)) <= EPS1;
  @ ensures \round_error(x) <= EPS1;
*/
void AffectDoubleDansX(double d) {
        x=d+1.0;
}

/*@
  @ requires \valid(X+(0..N));
  @ requires bounded(d, UPPER);
  @ requires \round_error(d) == 0;
  @
  @ ensures \abs(X[1] - (d + 1.0)) <= EPS1;
  @ ensures \round_error(X[1]) <= EPS1;
  @ ensures \abs(X[2] - (d + 1.0)) <= EPS1;
  @ ensures \round_error(X[2]) <= EPS1;
*/
void AffectDoubleDansTab(double d, double X[]) {
        X[1]=d+1.0;
        X[2]=d+1.0;
        // assert X[1] == \round_double(\NearestEven,d+1.0);
}

/*@
  @ requires \valid(X+(0..N));
  @ requires bounded(d, UPPER);
  @ requires \round_error(d) == 0;
  @
  @ ensures \abs(X[1] - (d + 1.0)) <= EPS1;
  @ ensures \round_error(X[1]) <= EPS1;
*/
void AffectDoubleDansTab1(double d, double X[]) {
        X[1]=d+1.0;
}

/*@
  @ requires \valid(X+(0..N));
  @ requires bounded(d, UPPER);
  @ requires \round_error(d) == 0;
  @
  @ ensures \abs(X[0] - (d + 1.0)) <= EPS1;
  @ ensures \round_error(X[0]) <= EPS1;
*/
void AffectDoubleDansTab0(double d, double X[]) {
        X[0]=d+1.0;
        //@ assert X[0] == \round_double(\NearestEven,d+1.0);
        //@ assert \exact(X[0]) == d+1.0;
}
========== frama-c -jessie execution ==========
[kernel] Parsing FRAMAC_SHARE/libc/__fc_builtin_for_normalization.i (no preprocessing)
[kernel] Parsing tests/c/float_array.c (with preprocessing)
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/float_array.jessie
[jessie] File tests/c/float_array.jessie/float_array.jc written.
[jessie] File tests/c/float_array.jessie/float_array.cloc written.
========== file tests/c/float_array.jessie/float_array.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type int8 = -128..127

tag doubleP = {
  double doubleM: 64;
}

type doubleP = [doubleP]

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

logic real EPS1 =
0x1p-53

logic real UPPER =
0x1p0

logic integer N =
10

predicate bounded(real z, real bound) =
(\real_abs(z) <= bound)

double x;

unit AffectDoubleDansX(double d_2)
  requires (_C_7 : bounded((d_2 :> real), UPPER));
  requires (_C_6 : (\double_round_error(d_2) == 0));
behavior default:
  ensures (_C_3 : ((_C_4 : (\real_abs(((x :> real) -
                                        ((\at(d_2,Old) :> real) + 1.0))) <=
                             EPS1)) &&
                    (_C_5 : (\double_round_error(x) <= EPS1))));
{  
   {  (_C_2 : (x = (_C_1 : (d_2 + (1.0 :> double)))));
      
      (return ())
   }
}

unit AffectDoubleDansTab(double d, doubleP[..] X)
  requires (_C_25 : ((_C_26 : (\offset_min(X) <= 0)) &&
                      (_C_27 : (\offset_max(X) >= N))));
  requires (_C_24 : bounded((d :> real), UPPER));
  requires (_C_23 : (\double_round_error(d) == 0));
behavior default:
  ensures (_C_16 : ((_C_17 : (\real_abs((((\at(X,Old) + 1).doubleM :> real) -
                                          ((\at(d,Old) :> real) + 1.0))) <=
                               EPS1)) &&
                     ((_C_19 : (\double_round_error((\at(X,Old) + 1).doubleM) <=
                                 EPS1)) &&
                       ((_C_21 : (\real_abs((((\at(X,Old) + 2).doubleM :> real) -
                                              ((\at(d,Old) :> real) + 1.0))) <=
                                   EPS1)) &&
                         (_C_22 : (\double_round_error((\at(X,Old) + 2).doubleM) <=
                                    EPS1))))));
{  
   {  (_C_11 : ((_C_10 : (_C_9 : (X + 1)).doubleM) = (_C_8 : (d +
                                                               (1.0 :> double)))));
      (_C_15 : ((_C_14 : (_C_13 : (X + 2)).doubleM) = (_C_12 : (d +
                                                                 (1.0 :> double)))));
      
      (return ())
   }
}

unit AffectDoubleDansTab1(double d_1, doubleP[..] X_1)
  requires (_C_37 : ((_C_38 : (\offset_min(X_1) <= 0)) &&
                      (_C_39 : (\offset_max(X_1) >= N))));
  requires (_C_36 : bounded((d_1 :> real), UPPER));
  requires (_C_35 : (\double_round_error(d_1) == 0));
behavior default:
  ensures (_C_32 : ((_C_33 : (\real_abs((((\at(X_1,Old) + 1).doubleM :> real) -
                                          ((\at(d_1,Old) :> real) + 1.0))) <=
                               EPS1)) &&
                     (_C_34 : (\double_round_error((\at(X_1,Old) + 1).doubleM) <=
                                EPS1))));
{  
   {  (_C_31 : ((_C_30 : (_C_29 : (X_1 + 1)).doubleM) = (_C_28 : (d_1 +
                                                                   (1.0 :> double)))));
      
      (return ())
   }
}

unit AffectDoubleDansTab0(double d_0, doubleP[..] X_0)
  requires (_C_51 : ((_C_52 : (\offset_min(X_0) <= 0)) &&
                      (_C_53 : (\offset_max(X_0) >= N))));
  requires (_C_50 : bounded((d_0 :> real), UPPER));
  requires (_C_49 : (\double_round_error(d_0) == 0));
behavior default:
  ensures (_C_46 : ((_C_47 : (\real_abs((((\at(X_0,Old) + 0).doubleM :> real) -
                                          ((\at(d_0,Old) :> real) + 1.0))) <=
                               EPS1)) &&
                     (_C_48 : (\double_round_error((\at(X_0,Old) + 0).doubleM) <=
                                EPS1))));
{  
   {  (_C_43 : ((_C_42 : (_C_41 : (X_0 + 0)).doubleM) = (_C_40 : (d_0 +
                                                                   (1.0 :> double)))));
      
      {  
         (assert for default: (_C_44 : (jessie : (((X_0 + 0).doubleM :> real) ==
                                                   (\round_double(\NearestEven(
                                                                  ),
                                                                  ((d_0 :> real) +
                                                                    1.0)) :> real)))));
         ()
      };
      
      {  
         (assert for default: (_C_45 : (jessie : (\double_exact((X_0 + 0).doubleM) ==
                                                   ((d_0 :> real) + 1.0)))));
         ()
      };
      
      (return ())
   }
}
========== file tests/c/float_array.jessie/float_array.cloc ==========
[_C_52]
file = "HOME/tests/c/float_array.c"
line = 80
begin = 13
end = 29

[_C_35]
file = "HOME/tests/c/float_array.c"
line = 70
begin = 13
end = 33

[_C_28]
file = "HOME/tests/c/float_array.c"
line = 76
begin = 13
end = 18

[_C_48]
file = "HOME/tests/c/float_array.c"
line = 85
begin = 12
end = 38

[_C_51]
file = "HOME/tests/c/float_array.c"
line = 80
begin = 13
end = 29

[_C_31]
file = "HOME/tests/c/float_array.c"
line = 76
begin = 13
end = 18

[_C_41]
file = "HOME/tests/c/float_array.c"
line = 88
begin = 8
end = 9

[_C_4]
file = "HOME/tests/c/float_array.c"
line = 44
begin = 12
end = 39

[_C_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_23]
file = "HOME/tests/c/float_array.c"
line = 54
begin = 13
end = 33

[_C_19]
file = "HOME/tests/c/float_array.c"
line = 57
begin = 12
end = 38

[AffectDoubleDansX]
name = "Function AffectDoubleDansX"
file = "HOME/tests/c/float_array.c"
line = 47
begin = 5
end = 22

[_C_42]
file = "HOME/tests/c/float_array.c"
line = 88
begin = 13
end = 18

[AffectDoubleDansTab1]
name = "Function AffectDoubleDansTab1"
file = "HOME/tests/c/float_array.c"
line = 75
begin = 5
end = 25

[_C_13]
file = "HOME/tests/c/float_array.c"
line = 63
begin = 8
end = 9

[_C_5]
file = "HOME/tests/c/float_array.c"
line = 45
begin = 12
end = 35

[_C_36]
file = "HOME/tests/c/float_array.c"
line = 69
begin = 13
end = 30

[_C_12]
file = "HOME/tests/c/float_array.c"
line = 63
begin = 13
end = 18

[_C_33]
file = "HOME/tests/c/float_array.c"
line = 72
begin = 12
end = 42

[_C_22]
file = "HOME/tests/c/float_array.c"
line = 59
begin = 12
end = 38

[_C_9]
file = "HOME/tests/c/float_array.c"
line = 62
begin = 8
end = 9

[_C_30]
file = "HOME/tests/c/float_array.c"
line = 76
begin = 13
end = 18

[_C_6]
file = "HOME/tests/c/float_array.c"
line = 42
begin = 13
end = 33

[_C_49]
file = "HOME/tests/c/float_array.c"
line = 82
begin = 13
end = 33

[_C_24]
file = "HOME/tests/c/float_array.c"
line = 53
begin = 13
end = 30

[_C_45]
file = "HOME/tests/c/float_array.c"
line = 90
begin = 30
end = 51

[_C_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_38]
file = "HOME/tests/c/float_array.c"
line = 68
begin = 13
end = 29

[AffectDoubleDansTab]
name = "Function AffectDoubleDansTab"
file = "HOME/tests/c/float_array.c"
line = 61
begin = 5
end = 24

[_C_3]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_17]
file = "HOME/tests/c/float_array.c"
line = 56
begin = 12
end = 42

[_C_7]
file = "HOME/tests/c/float_array.c"
line = 41
begin = 13
end = 30

[_C_27]
file = "HOME/tests/c/float_array.c"
line = 52
begin = 13
end = 29

[_C_46]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_44]
file = "HOME/tests/c/float_array.c"
line = 89
begin = 30
end = 71

[_C_15]
file = "HOME/tests/c/float_array.c"
line = 63
begin = 13
end = 18

[_C_26]
file = "HOME/tests/c/float_array.c"
line = 52
begin = 13
end = 29

[_C_47]
file = "HOME/tests/c/float_array.c"
line = 84
begin = 12
end = 42

[_C_10]
file = "HOME/tests/c/float_array.c"
line = 62
begin = 13
end = 18

[_C_53]
file = "HOME/tests/c/float_array.c"
line = 80
begin = 13
end = 29

[_C_40]
file = "HOME/tests/c/float_array.c"
line = 88
begin = 13
end = 18

[_C_8]
file = "HOME/tests/c/float_array.c"
line = 62
begin = 13
end = 18

[_C_18]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_29]
file = "HOME/tests/c/float_array.c"
line = 76
begin = 8
end = 9

[_C_14]
file = "HOME/tests/c/float_array.c"
line = 63
begin = 13
end = 18

[_C_50]
file = "HOME/tests/c/float_array.c"
line = 81
begin = 13
end = 30

[_C_37]
file = "HOME/tests/c/float_array.c"
line = 68
begin = 13
end = 29

[_C_43]
file = "HOME/tests/c/float_array.c"
line = 88
begin = 13
end = 18

[_C_2]
file = "HOME/tests/c/float_array.c"
line = 48
begin = 10
end = 15

[_C_34]
file = "HOME/tests/c/float_array.c"
line = 73
begin = 12
end = 38

[_C_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_1]
file = "HOME/tests/c/float_array.c"
line = 48
begin = 10
end = 15

[_C_25]
file = "HOME/tests/c/float_array.c"
line = 52
begin = 13
end = 29

[_C_39]
file = "HOME/tests/c/float_array.c"
line = 68
begin = 13
end = 29

[AffectDoubleDansTab0]
name = "Function AffectDoubleDansTab0"
file = "HOME/tests/c/float_array.c"
line = 87
begin = 5
end = 25

[_C_11]
file = "HOME/tests/c/float_array.c"
line = 62
begin = 13
end = 18

[_C_21]
file = "HOME/tests/c/float_array.c"
line = 58
begin = 12
end = 42

========== jessie execution ==========
Generating Why function AffectDoubleDansX
Generating Why function AffectDoubleDansTab
Generating Why function AffectDoubleDansTab1
Generating Why function AffectDoubleDansTab0
========== file tests/c/float_array.jessie/float_array.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why $(WHYLIB)/why/floats_strict.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/float_array_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: float_array.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: float_array.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: float_array.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/c/float_array.jessie/float_array.loc ==========
[JC_94]
kind = FPOverflow
file = "HOME/tests/c/float_array.c"
line = 88
begin = 13
end = 18

[JC_73]
file = "HOME/tests/c/float_array.c"
line = 82
begin = 13
end = 33

[JC_63]
file = "HOME/tests/c/float_array.c"
line = 73
begin = 12
end = 38

[JC_80]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_51]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_71]
file = "HOME/tests/c/float_array.c"
line = 80
begin = 13
end = 29

[JC_45]
kind = FPOverflow
file = "HOME/tests/c/float_array.c"
line = 62
begin = 13
end = 18

[JC_64]
file = "HOME/"
line = 0
begin = -1
end = -1

[AffectDoubleDansTab_ensures_default]
name = "Function AffectDoubleDansTab"
behavior = "default behavior"
file = "HOME/tests/c/float_array.c"
line = 61
begin = 5
end = 24

[JC_85]
file = "HOME/tests/c/float_array.c"
line = 84
begin = 12
end = 42

[AffectDoubleDansTab1_ensures_default]
name = "Function AffectDoubleDansTab1"
behavior = "default behavior"
file = "HOME/tests/c/float_array.c"
line = 75
begin = 5
end = 25

[JC_31]
file = "HOME/tests/c/float_array.c"
line = 56
begin = 12
end = 42

[JC_17]
kind = FPOverflow
file = "HOME/tests/c/float_array.c"
line = 48
begin = 10
end = 15

[JC_81]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_55]
file = "HOME/tests/c/float_array.c"
line = 69
begin = 13
end = 30

[JC_48]
file = "HOME/tests/c/float_array.c"
line = 68
begin = 13
end = 29

[JC_23]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_22]
file = "HOME/tests/c/float_array.c"
line = 54
begin = 13
end = 33

[JC_5]
file = "HOME/tests/c/float_array.c"
line = 41
begin = 13
end = 30

[JC_67]
kind = FPOverflow
file = "HOME/tests/c/float_array.c"
line = 76
begin = 13
end = 18

[JC_9]
file = "HOME/tests/c/float_array.c"
line = 44
begin = 12
end = 39

[JC_75]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_24]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_25]
file = "HOME/tests/c/float_array.c"
line = 52
begin = 13
end = 29

[JC_78]
file = "HOME/tests/c/float_array.c"
line = 81
begin = 13
end = 30

[JC_41]
file = "HOME/"
line = 0
begin = -1
end = -1

[AffectDoubleDansTab1_safety]
name = "Function AffectDoubleDansTab1"
behavior = "Safety"
file = "HOME/tests/c/float_array.c"
line = 75
begin = 5
end = 25

[JC_74]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_47]
file = "HOME/tests/c/float_array.c"
line = 68
begin = 13
end = 29

[JC_52]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_26]
file = "HOME/tests/c/float_array.c"
line = 52
begin = 13
end = 29

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
file = "HOME/tests/c/float_array.c"
line = 68
begin = 13
end = 29

[JC_79]
file = "HOME/tests/c/float_array.c"
line = 82
begin = 13
end = 33

[JC_13]
file = "HOME/tests/c/float_array.c"
line = 45
begin = 12
end = 35

[AffectDoubleDansTab0_safety]
name = "Function AffectDoubleDansTab0"
behavior = "Safety"
file = "HOME/tests/c/float_array.c"
line = 87
begin = 5
end = 25

[JC_82]
file = "HOME/tests/c/float_array.c"
line = 84
begin = 12
end = 42

[JC_87]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_70]
file = "HOME/tests/c/float_array.c"
line = 80
begin = 13
end = 29

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_36]
file = "HOME/tests/c/float_array.c"
line = 56
begin = 12
end = 42

[JC_91]
file = "HOME/tests/c/float_array.c"
line = 89
begin = 30
end = 71

[JC_39]
file = "HOME/tests/c/float_array.c"
line = 59
begin = 12
end = 38

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_83]
file = "HOME/tests/c/float_array.c"
line = 85
begin = 12
end = 38

[JC_35]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
file = "HOME/tests/c/float_array.c"
line = 53
begin = 13
end = 30

[JC_69]
kind = FPOverflow
file = "HOME/tests/c/float_array.c"
line = 76
begin = 13
end = 18

[JC_38]
file = "HOME/tests/c/float_array.c"
line = 58
begin = 12
end = 42

[AffectDoubleDansTab0_ensures_default]
name = "Function AffectDoubleDansTab0"
behavior = "default behavior"
file = "HOME/tests/c/float_array.c"
line = 87
begin = 5
end = 25

[JC_12]
file = "HOME/tests/c/float_array.c"
line = 44
begin = 12
end = 39

[JC_6]
file = "HOME/tests/c/float_array.c"
line = 42
begin = 13
end = 33

[JC_44]
kind = FPOverflow
file = "HOME/tests/c/float_array.c"
line = 63
begin = 13
end = 18

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[AffectDoubleDansX_safety]
name = "Function AffectDoubleDansX"
behavior = "Safety"
file = "HOME/tests/c/float_array.c"
line = 47
begin = 5
end = 22

[JC_62]
file = "HOME/tests/c/float_array.c"
line = 72
begin = 12
end = 42

[JC_88]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_42]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_46]
kind = FPOverflow
file = "HOME/tests/c/float_array.c"
line = 63
begin = 13
end = 18

[JC_61]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_32]
file = "HOME/tests/c/float_array.c"
line = 57
begin = 12
end = 38

[JC_56]
file = "HOME/tests/c/float_array.c"
line = 70
begin = 13
end = 33

[JC_33]
file = "HOME/tests/c/float_array.c"
line = 58
begin = 12
end = 42

[JC_65]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_29]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_68]
kind = PointerDeref
file = "HOME/tests/c/float_array.jessie/float_array.jc"
line = 107
begin = 16
end = 156

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_96]
file = "HOME/tests/c/float_array.c"
line = 90
begin = 30
end = 51

[JC_43]
kind = FPOverflow
file = "HOME/tests/c/float_array.c"
line = 62
begin = 13
end = 18

[JC_2]
file = "HOME/tests/c/float_array.c"
line = 42
begin = 13
end = 33

[JC_95]
file = "HOME/tests/c/float_array.c"
line = 89
begin = 30
end = 71

[JC_93]
kind = PointerDeref
file = "HOME/tests/c/float_array.jessie/float_array.jc"
line = 126
begin = 16
end = 156

[AffectDoubleDansX_ensures_default]
name = "Function AffectDoubleDansX"
behavior = "default behavior"
file = "HOME/tests/c/float_array.c"
line = 47
begin = 5
end = 22

[JC_84]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
file = "HOME/tests/c/float_array.c"
line = 59
begin = 12
end = 38

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_90]
kind = FPOverflow
file = "HOME/tests/c/float_array.c"
line = 88
begin = 13
end = 18

[JC_53]
file = "HOME/tests/c/float_array.c"
line = 68
begin = 13
end = 29

[JC_21]
file = "HOME/tests/c/float_array.c"
line = 53
begin = 13
end = 30

[JC_77]
file = "HOME/tests/c/float_array.c"
line = 80
begin = 13
end = 29

[JC_49]
file = "HOME/tests/c/float_array.c"
line = 69
begin = 13
end = 30

[JC_1]
file = "HOME/tests/c/float_array.c"
line = 41
begin = 13
end = 30

[JC_37]
file = "HOME/tests/c/float_array.c"
line = 57
begin = 12
end = 38

[JC_10]
file = "HOME/tests/c/float_array.c"
line = 45
begin = 12
end = 35

[JC_57]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_89]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_66]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_59]
file = "HOME/tests/c/float_array.c"
line = 72
begin = 12
end = 42

[JC_20]
file = "HOME/tests/c/float_array.c"
line = 52
begin = 13
end = 29

[JC_18]
kind = FPOverflow
file = "HOME/tests/c/float_array.c"
line = 48
begin = 10
end = 15

[JC_3]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_92]
file = "HOME/tests/c/float_array.c"
line = 90
begin = 30
end = 51

[JC_86]
file = "HOME/tests/c/float_array.c"
line = 85
begin = 12
end = 38

[JC_60]
file = "HOME/tests/c/float_array.c"
line = 73
begin = 12
end = 38

[AffectDoubleDansTab_safety]
name = "Function AffectDoubleDansTab"
behavior = "Safety"
file = "HOME/tests/c/float_array.c"
line = 61
begin = 5
end = 24

[JC_72]
file = "HOME/tests/c/float_array.c"
line = 81
begin = 13
end = 30

[JC_19]
file = "HOME/tests/c/float_array.c"
line = 52
begin = 13
end = 29

[JC_76]
file = "HOME/tests/c/float_array.c"
line = 80
begin = 13
end = 29

[JC_50]
file = "HOME/tests/c/float_array.c"
line = 70
begin = 13
end = 33

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_58]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_28]
file = "HOME/tests/c/float_array.c"
line = 54
begin = 13
end = 33

========== file tests/c/float_array.jessie/why/float_array.why ==========
type charP

type doubleP

type int8

type padding

type uint8

type unsigned_charP

type voidP

function EPS1() : real = 0x1p-53

function N() : int = (10)

function UPPER() : real = 0x1p0

predicate bounded(z:real, bound:real) = le_real(abs_real(z), bound)

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic doubleP_tag:  -> doubleP tag_id

axiom doubleP_int : (int_of_tag(doubleP_tag) = (1))

logic doubleP_of_pointer_address: unit pointer -> doubleP pointer

axiom doubleP_of_pointer_address_of_pointer_addr :
 (forall p:doubleP pointer.
  (p = doubleP_of_pointer_address(pointer_address(p))))

axiom doubleP_parenttag_bottom : parenttag(doubleP_tag, bottom_tag)

axiom doubleP_tags :
 (forall x:doubleP pointer.
  (forall doubleP_tag_table:doubleP tag_table.
   instanceof(doubleP_tag_table, x, doubleP_tag)))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_doubleP(p:doubleP pointer, a:int,
 doubleP_alloc_table:doubleP alloc_table) =
 (offset_min(doubleP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

axiom pointer_addr_of_doubleP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(doubleP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_doubleP(p:doubleP pointer, b:int,
 doubleP_alloc_table:doubleP alloc_table) =
 (offset_max(doubleP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_doubleP(p:doubleP pointer, a:int, b:int,
 doubleP_alloc_table:doubleP alloc_table) =
 ((offset_min(doubleP_alloc_table, p) = a)
 and (offset_max(doubleP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_doubleP(p:doubleP pointer, a:int, b:int,
 doubleP_alloc_table:doubleP alloc_table) =
 ((offset_min(doubleP_alloc_table, p) = a)
 and (offset_max(doubleP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_doubleP(p:doubleP pointer, a:int, b:int,
 doubleP_alloc_table:doubleP alloc_table) =
 ((offset_min(doubleP_alloc_table, p) <= a)
 and (offset_max(doubleP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_doubleP(p:doubleP pointer, a:int, b:int,
 doubleP_alloc_table:doubleP alloc_table) =
 ((offset_min(doubleP_alloc_table, p) <= a)
 and (offset_max(doubleP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

parameter AffectDoubleDansTab :
 d:double ->
  X:doubleP pointer ->
   doubleP_doubleM_X_1:(doubleP, double) memory ref ->
    doubleP_X_1_alloc_table:doubleP alloc_table ->
     { } unit reads doubleP_doubleM_X_1 writes doubleP_doubleM_X_1
     { (JC_40:
       ((JC_36:
        le_real(abs_real(sub_real(double_value(select(doubleP_doubleM_X_1,
                                               shift(X, (1)))),
                         add_real(double_value(d), 1.0))),
        EPS1))
       and ((JC_37:
            le_real(double_round_error(select(doubleP_doubleM_X_1,
                                       shift(X, (1)))),
            EPS1))
           and ((JC_38:
                le_real(abs_real(sub_real(double_value(select(doubleP_doubleM_X_1,
                                                       shift(X, (2)))),
                                 add_real(double_value(d), 1.0))),
                EPS1))
               and (JC_39:
                   le_real(double_round_error(select(doubleP_doubleM_X_1,
                                              shift(X, (2)))),
                   EPS1)))))) }

parameter AffectDoubleDansTab0 :
 d_0:double ->
  X_0:doubleP pointer ->
   doubleP_doubleM_X_0_3:(doubleP, double) memory ref ->
    doubleP_X_0_3_alloc_table:doubleP alloc_table ->
     { } unit reads doubleP_doubleM_X_0_3 writes doubleP_doubleM_X_0_3
     { (JC_87:
       ((JC_85:
        le_real(abs_real(sub_real(double_value(select(doubleP_doubleM_X_0_3,
                                               shift(X_0, (0)))),
                         add_real(double_value(d_0), 1.0))),
        EPS1))
       and (JC_86:
           le_real(double_round_error(select(doubleP_doubleM_X_0_3,
                                      shift(X_0, (0)))),
           EPS1)))) }

parameter AffectDoubleDansTab0_requires :
 d_0:double ->
  X_0:doubleP pointer ->
   doubleP_doubleM_X_0_3:(doubleP, double) memory ref ->
    doubleP_X_0_3_alloc_table:doubleP alloc_table ->
     { (JC_74:
       ((JC_70: le_int(offset_min(doubleP_X_0_3_alloc_table, X_0), (0)))
       and ((JC_71: ge_int(offset_max(doubleP_X_0_3_alloc_table, X_0), N))
           and ((JC_72: bounded(double_value(d_0), UPPER))
               and (JC_73: (double_round_error(d_0) = 0.0))))))}
     unit reads doubleP_doubleM_X_0_3 writes doubleP_doubleM_X_0_3
     { (JC_87:
       ((JC_85:
        le_real(abs_real(sub_real(double_value(select(doubleP_doubleM_X_0_3,
                                               shift(X_0, (0)))),
                         add_real(double_value(d_0), 1.0))),
        EPS1))
       and (JC_86:
           le_real(double_round_error(select(doubleP_doubleM_X_0_3,
                                      shift(X_0, (0)))),
           EPS1)))) }

parameter AffectDoubleDansTab1 :
 d_1:double ->
  X_1:doubleP pointer ->
   doubleP_doubleM_X_1_2:(doubleP, double) memory ref ->
    doubleP_X_1_2_alloc_table:doubleP alloc_table ->
     { } unit reads doubleP_doubleM_X_1_2 writes doubleP_doubleM_X_1_2
     { (JC_64:
       ((JC_62:
        le_real(abs_real(sub_real(double_value(select(doubleP_doubleM_X_1_2,
                                               shift(X_1, (1)))),
                         add_real(double_value(d_1), 1.0))),
        EPS1))
       and (JC_63:
           le_real(double_round_error(select(doubleP_doubleM_X_1_2,
                                      shift(X_1, (1)))),
           EPS1)))) }

parameter AffectDoubleDansTab1_requires :
 d_1:double ->
  X_1:doubleP pointer ->
   doubleP_doubleM_X_1_2:(doubleP, double) memory ref ->
    doubleP_X_1_2_alloc_table:doubleP alloc_table ->
     { (JC_51:
       ((JC_47: le_int(offset_min(doubleP_X_1_2_alloc_table, X_1), (0)))
       and ((JC_48: ge_int(offset_max(doubleP_X_1_2_alloc_table, X_1), N))
           and ((JC_49: bounded(double_value(d_1), UPPER))
               and (JC_50: (double_round_error(d_1) = 0.0))))))}
     unit reads doubleP_doubleM_X_1_2 writes doubleP_doubleM_X_1_2
     { (JC_64:
       ((JC_62:
        le_real(abs_real(sub_real(double_value(select(doubleP_doubleM_X_1_2,
                                               shift(X_1, (1)))),
                         add_real(double_value(d_1), 1.0))),
        EPS1))
       and (JC_63:
           le_real(double_round_error(select(doubleP_doubleM_X_1_2,
                                      shift(X_1, (1)))),
           EPS1)))) }

parameter AffectDoubleDansTab_requires :
 d:double ->
  X:doubleP pointer ->
   doubleP_doubleM_X_1:(doubleP, double) memory ref ->
    doubleP_X_1_alloc_table:doubleP alloc_table ->
     { (JC_23:
       ((JC_19: le_int(offset_min(doubleP_X_1_alloc_table, X), (0)))
       and ((JC_20: ge_int(offset_max(doubleP_X_1_alloc_table, X), N))
           and ((JC_21: bounded(double_value(d), UPPER))
               and (JC_22: (double_round_error(d) = 0.0))))))}
     unit reads doubleP_doubleM_X_1 writes doubleP_doubleM_X_1
     { (JC_40:
       ((JC_36:
        le_real(abs_real(sub_real(double_value(select(doubleP_doubleM_X_1,
                                               shift(X, (1)))),
                         add_real(double_value(d), 1.0))),
        EPS1))
       and ((JC_37:
            le_real(double_round_error(select(doubleP_doubleM_X_1,
                                       shift(X, (1)))),
            EPS1))
           and ((JC_38:
                le_real(abs_real(sub_real(double_value(select(doubleP_doubleM_X_1,
                                                       shift(X, (2)))),
                                 add_real(double_value(d), 1.0))),
                EPS1))
               and (JC_39:
                   le_real(double_round_error(select(doubleP_doubleM_X_1,
                                              shift(X, (2)))),
                   EPS1)))))) }

parameter x_0 : double ref

parameter AffectDoubleDansX :
 d_2:double ->
  { } unit reads x_0 writes x_0
  { (JC_14:
    ((JC_12:
     le_real(abs_real(sub_real(double_value(x_0),
                      add_real(double_value(d_2), 1.0))),
     EPS1))
    and (JC_13: le_real(double_round_error(x_0), EPS1)))) }

parameter AffectDoubleDansX_requires :
 d_2:double ->
  { (JC_3:
    ((JC_1: bounded(double_value(d_2), UPPER))
    and (JC_2: (double_round_error(d_2) = 0.0))))}
  unit reads x_0 writes x_0
  { (JC_14:
    ((JC_12:
     le_real(abs_real(sub_real(double_value(x_0),
                      add_real(double_value(d_2), 1.0))),
     EPS1))
    and (JC_13: le_real(double_round_error(x_0), EPS1)))) }

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter doubleP_alloc_table : doubleP alloc_table ref

parameter doubleP_tag_table : doubleP tag_table ref

parameter alloc_struct_doubleP :
 n:int ->
  doubleP_alloc_table:doubleP alloc_table ref ->
   doubleP_tag_table:doubleP tag_table ref ->
    { } doubleP pointer writes doubleP_alloc_table,doubleP_tag_table
    { (strict_valid_struct_doubleP(result, (0), sub_int(n, (1)),
       doubleP_alloc_table)
      and (alloc_extends(doubleP_alloc_table@, doubleP_alloc_table)
          and (alloc_fresh(doubleP_alloc_table@, result, n)
              and instanceof(doubleP_tag_table, result, doubleP_tag)))) }

parameter alloc_struct_doubleP_requires :
 n:int ->
  doubleP_alloc_table:doubleP alloc_table ref ->
   doubleP_tag_table:doubleP tag_table ref ->
    { ge_int(n, (0))} doubleP pointer
    writes doubleP_alloc_table,doubleP_tag_table
    { (strict_valid_struct_doubleP(result, (0), sub_int(n, (1)),
       doubleP_alloc_table)
      and (alloc_extends(doubleP_alloc_table@, doubleP_alloc_table)
          and (alloc_fresh(doubleP_alloc_table@, result, n)
              and instanceof(doubleP_tag_table, result, doubleP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let AffectDoubleDansTab0_ensures_default =
 fun (d_0 : double) (X_0 : doubleP pointer) (doubleP_doubleM_X_0_3 : (doubleP, double) memory ref) (doubleP_X_0_3_alloc_table : doubleP alloc_table) ->
  { (JC_80:
    ((JC_76: le_int(offset_min(doubleP_X_0_3_alloc_table, X_0), (0)))
    and ((JC_77: ge_int(offset_max(doubleP_X_0_3_alloc_table, X_0), N))
        and ((JC_78: bounded(double_value(d_0), UPPER))
            and (JC_79: (double_round_error(d_0) = 0.0)))))) }
  (init:
  try
   begin
     (let _jessie_ =
     (JC_94:
     (((add_double_safe nearest_even) d_0) (double_of_real_exact 1.0))) in
     (let _jessie_ = X_0 in
     (((safe_upd_ doubleP_doubleM_X_0_3) _jessie_) _jessie_)));
    (assert
    { (JC_95:
      (double_value(select(doubleP_doubleM_X_0_3, shift(X_0, (0)))) = 
      round_double(nearest_even, add_real(double_value(d_0), 1.0)))) }; void);
    void;
    (assert
    { (JC_96:
      (double_exact(select(doubleP_doubleM_X_0_3, shift(X_0, (0)))) = 
      add_real(double_value(d_0), 1.0))) }; void); void; (raise Return);
    (raise Return) end with Return -> void end)
  { (JC_84:
    ((JC_82:
     le_real(abs_real(sub_real(double_value(select(doubleP_doubleM_X_0_3,
                                            shift(X_0, (0)))),
                      add_real(double_value(d_0), 1.0))),
     EPS1))
    and (JC_83:
        le_real(double_round_error(select(doubleP_doubleM_X_0_3,
                                   shift(X_0, (0)))),
        EPS1)))) } 

let AffectDoubleDansTab0_safety =
 fun (d_0 : double) (X_0 : doubleP pointer) (doubleP_doubleM_X_0_3 : (doubleP, double) memory ref) (doubleP_X_0_3_alloc_table : doubleP alloc_table) ->
  { (JC_80:
    ((JC_76: le_int(offset_min(doubleP_X_0_3_alloc_table, X_0), (0)))
    and ((JC_77: ge_int(offset_max(doubleP_X_0_3_alloc_table, X_0), N))
        and ((JC_78: bounded(double_value(d_0), UPPER))
            and (JC_79: (double_round_error(d_0) = 0.0)))))) }
  (init:
  try
   begin
     (let _jessie_ =
     (JC_90: (((add_double nearest_even) d_0) (double_of_real_exact 1.0))) in
     (let _jessie_ = X_0 in
     (JC_93:
     ((((upd_ doubleP_X_0_3_alloc_table) doubleP_doubleM_X_0_3) _jessie_) _jessie_))));
    [ { } unit reads doubleP_doubleM_X_0_3
      { (JC_91:
        (double_value(select(doubleP_doubleM_X_0_3, shift(X_0, (0)))) = 
        round_double(nearest_even, add_real(double_value(d_0), 1.0)))) } ];
    void;
    [ { } unit reads doubleP_doubleM_X_0_3
      { (JC_92:
        (double_exact(select(doubleP_doubleM_X_0_3, shift(X_0, (0)))) = 
        add_real(double_value(d_0), 1.0))) } ]; void; (raise Return);
    (raise Return) end with Return -> void end) { true } 

let AffectDoubleDansTab1_ensures_default =
 fun (d_1 : double) (X_1 : doubleP pointer) (doubleP_doubleM_X_1_2 : (doubleP, double) memory ref) (doubleP_X_1_2_alloc_table : doubleP alloc_table) ->
  { (JC_57:
    ((JC_53: le_int(offset_min(doubleP_X_1_2_alloc_table, X_1), (0)))
    and ((JC_54: ge_int(offset_max(doubleP_X_1_2_alloc_table, X_1), N))
        and ((JC_55: bounded(double_value(d_1), UPPER))
            and (JC_56: (double_round_error(d_1) = 0.0)))))) }
  (init:
  try
   begin
     (let _jessie_ =
     (JC_69:
     (((add_double_safe nearest_even) d_1) (double_of_real_exact 1.0))) in
     (let _jessie_ = X_1 in
     (let _jessie_ = (1) in
     (let _jessie_ = ((shift _jessie_) _jessie_) in
     (let _jessie_ = ((shift _jessie_) (1)) in
     (((safe_upd_ doubleP_doubleM_X_1_2) _jessie_) _jessie_))))));
    (raise Return); (raise Return) end with Return -> void end)
  { (JC_61:
    ((JC_59:
     le_real(abs_real(sub_real(double_value(select(doubleP_doubleM_X_1_2,
                                            shift(X_1, (1)))),
                      add_real(double_value(d_1), 1.0))),
     EPS1))
    and (JC_60:
        le_real(double_round_error(select(doubleP_doubleM_X_1_2,
                                   shift(X_1, (1)))),
        EPS1)))) } 

let AffectDoubleDansTab1_safety =
 fun (d_1 : double) (X_1 : doubleP pointer) (doubleP_doubleM_X_1_2 : (doubleP, double) memory ref) (doubleP_X_1_2_alloc_table : doubleP alloc_table) ->
  { (JC_57:
    ((JC_53: le_int(offset_min(doubleP_X_1_2_alloc_table, X_1), (0)))
    and ((JC_54: ge_int(offset_max(doubleP_X_1_2_alloc_table, X_1), N))
        and ((JC_55: bounded(double_value(d_1), UPPER))
            and (JC_56: (double_round_error(d_1) = 0.0)))))) }
  (init:
  try
   begin
     (let _jessie_ =
     (JC_67: (((add_double nearest_even) d_1) (double_of_real_exact 1.0))) in
     (let _jessie_ = X_1 in
     (let _jessie_ = (1) in
     (let _jessie_ = ((shift _jessie_) _jessie_) in
     (let _jessie_ = ((shift _jessie_) (1)) in
     (JC_68:
     ((((upd_ doubleP_X_1_2_alloc_table) doubleP_doubleM_X_1_2) _jessie_) _jessie_)))))));
    (raise Return); (raise Return) end with Return -> void end) { true } 

let AffectDoubleDansTab_ensures_default =
 fun (d : double) (X : doubleP pointer) (doubleP_doubleM_X_1 : (doubleP, double) memory ref) (doubleP_X_1_alloc_table : doubleP alloc_table) ->
  { (JC_29:
    ((JC_25: le_int(offset_min(doubleP_X_1_alloc_table, X), (0)))
    and ((JC_26: ge_int(offset_max(doubleP_X_1_alloc_table, X), N))
        and ((JC_27: bounded(double_value(d), UPPER))
            and (JC_28: (double_round_error(d) = 0.0)))))) }
  (init:
  try
   begin
     (let _jessie_ =
     (JC_45: (((add_double_safe nearest_even) d) (double_of_real_exact 1.0))) in
     (let _jessie_ = X in
     (let _jessie_ = (1) in
     (let _jessie_ = ((shift _jessie_) _jessie_) in
     (let _jessie_ =
     (JC_46: (((add_double_safe nearest_even) d) (double_of_real_exact 1.0))) in
     (let _jessie_ = X in
     (let _jessie_ = (2) in
     (let _jessie_ = ((shift _jessie_) _jessie_) in
     [ { } unit reads doubleP_doubleM_X_1 writes doubleP_doubleM_X_1
       { (not_assigns(doubleP_X_1_alloc_table, doubleP_doubleM_X_1@,
          doubleP_doubleM_X_1,
          pset_range(pset_singleton(_jessie_), (1), (2)))
         and ((select(doubleP_doubleM_X_1, shift(_jessie_, (1))) = _jessie_)
             and (select(doubleP_doubleM_X_1, shift(_jessie_, (2))) = _jessie_))) } ]))))))));
    (raise Return); (raise Return) end with Return -> void end)
  { (JC_35:
    ((JC_31:
     le_real(abs_real(sub_real(double_value(select(doubleP_doubleM_X_1,
                                            shift(X, (1)))),
                      add_real(double_value(d), 1.0))),
     EPS1))
    and ((JC_32:
         le_real(double_round_error(select(doubleP_doubleM_X_1,
                                    shift(X, (1)))),
         EPS1))
        and ((JC_33:
             le_real(abs_real(sub_real(double_value(select(doubleP_doubleM_X_1,
                                                    shift(X, (2)))),
                              add_real(double_value(d), 1.0))),
             EPS1))
            and (JC_34:
                le_real(double_round_error(select(doubleP_doubleM_X_1,
                                           shift(X, (2)))),
                EPS1)))))) } 

let AffectDoubleDansTab_safety =
 fun (d : double) (X : doubleP pointer) (doubleP_doubleM_X_1 : (doubleP, double) memory ref) (doubleP_X_1_alloc_table : doubleP alloc_table) ->
  { (JC_29:
    ((JC_25: le_int(offset_min(doubleP_X_1_alloc_table, X), (0)))
    and ((JC_26: ge_int(offset_max(doubleP_X_1_alloc_table, X), N))
        and ((JC_27: bounded(double_value(d), UPPER))
            and (JC_28: (double_round_error(d) = 0.0)))))) }
  (init:
  try
   begin
     (let _jessie_ =
     (JC_43: (((add_double nearest_even) d) (double_of_real_exact 1.0))) in
     (let _jessie_ = X in
     (let _jessie_ = (1) in
     (let _jessie_ = ((shift _jessie_) _jessie_) in
     (let _jessie_ =
     (JC_44: (((add_double nearest_even) d) (double_of_real_exact 1.0))) in
     (let _jessie_ = X in
     (let _jessie_ = (2) in
     (let _jessie_ = ((shift _jessie_) _jessie_) in
     [ { (le_int(offset_min(doubleP_X_1_alloc_table, _jessie_), (2))
         and (le_int((2), offset_max(doubleP_X_1_alloc_table, _jessie_))
             and (le_int(offset_min(doubleP_X_1_alloc_table, _jessie_), (1))
                 and le_int((1),
                     offset_max(doubleP_X_1_alloc_table, _jessie_)))))}
       unit reads doubleP_doubleM_X_1 writes doubleP_doubleM_X_1
       { (not_assigns(doubleP_X_1_alloc_table, doubleP_doubleM_X_1@,
          doubleP_doubleM_X_1,
          pset_range(pset_singleton(_jessie_), (1), (2)))
         and ((select(doubleP_doubleM_X_1, shift(_jessie_, (1))) = _jessie_)
             and (select(doubleP_doubleM_X_1, shift(_jessie_, (2))) = _jessie_))) } ]))))))));
    (raise Return); (raise Return) end with Return -> void end) { true } 

let AffectDoubleDansX_ensures_default =
 fun (d_2 : double) ->
  { (JC_7:
    ((JC_5: bounded(double_value(d_2), UPPER))
    and (JC_6: (double_round_error(d_2) = 0.0)))) }
  (init:
  try
   begin
     (let _jessie_ =
     (x_0 := (JC_18:
             (((add_double_safe nearest_even) d_2) (double_of_real_exact 1.0)))) in
     void); (raise Return); (raise Return) end with Return -> void end)
  { (JC_11:
    ((JC_9:
     le_real(abs_real(sub_real(double_value(x_0),
                      add_real(double_value(d_2), 1.0))),
     EPS1))
    and (JC_10: le_real(double_round_error(x_0), EPS1)))) } 

let AffectDoubleDansX_safety =
 fun (d_2 : double) ->
  { (JC_7:
    ((JC_5: bounded(double_value(d_2), UPPER))
    and (JC_6: (double_round_error(d_2) = 0.0)))) }
  (init:
  try
   begin
     (let _jessie_ =
     (x_0 := (JC_17:
             (((add_double nearest_even) d_2) (double_of_real_exact 1.0)))) in
     void); (raise Return); (raise Return) end with Return -> void end)
  { true } 


why-2.39/tests/c/oracle/power.err.oracle0000644000106100004300000000000013147234006017162 0ustar  marchevalswhy-2.39/tests/c/oracle/find_array.res.oracle0000644000106100004300000015137413147234006020172 0ustar  marchevals========== file tests/c/find_array.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/** from Julien Signoles' tutorial
 **/

/*@
  predicate sorted{L}(int* arr, integer length) =
  \forall integer i, j; 0 <= i <= j < length ==> arr[i] <= arr[j];

  predicate mem{L}(int elt, int* arr, integer length) =
  \exists integer i; 0 <= i = 0;
  requires \valid(arr+(0..(length-1)));

  assigns \nothing;

  behavior exists:
    assumes mem(query, arr, length);
    ensures arr[\result] == query;

  behavior not_exists:
    assumes ! mem(query, arr, length);
    ensures \result == -1;
*/
int find_array(int* arr, int length, int query) {
  int low = 0;
  int high = length - 1;
  /*@
    loop invariant 0 <= low;
    loop invariant high < length;
    loop invariant \forall integer i; 0 <= i < low ==> arr[i] < query;
    loop invariant \forall integer i; high < i < length ==> arr[i] > query;
    loop variant high - low;
  */
  while (low <= high) {
    int mean = low + (high -low) / 2;
    if (arr[mean] == query) return mean;
    if (arr[mean] < query) low = mean + 1;
    else high = mean - 1;
  }
  return -1;
}

/*
Local Variables:
compile-command: "frama-c -jessie find_array.c"
End:
*/
========== frama-c -jessie execution ==========
[kernel] Parsing FRAMAC_SHARE/libc/__fc_builtin_for_normalization.i (no preprocessing)
[kernel] Parsing tests/c/find_array.c (with preprocessing)
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/find_array.jessie
[jessie] File tests/c/find_array.jessie/find_array.jc written.
[jessie] File tests/c/find_array.jessie/find_array.cloc written.
========== file tests/c/find_array.jessie/find_array.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type int8 = -128..127

type int32 = -2147483648..2147483647

tag intP = {
  int32 intM: 32;
}

type intP = [intP]

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

predicate sorted{L}(intP[..] arr, integer length) =
(\forall integer i_1;
  (\forall integer j_0;
    ((((0 <= i_1) && (i_1 <= j_0)) && (j_0 < length)) ==>
      ((arr + i_1).intM <= (arr + j_0).intM))))

predicate mem{L}(int32 elt, intP[..] arr_0, integer length_0) =
(\exists integer i_2;
  (((0 <= i_2) && (i_2 < length_0)) && ((arr_0 + i_2).intM == elt)))

int32 find_array(intP[..] arr, int32 length, int32 query)
  requires (_C_36 : sorted{Here}(arr, length));
  requires (_C_35 : (length >= 0));
  requires (_C_32 : ((_C_33 : (\offset_min(arr) <= 0)) &&
                      (_C_34 : (\offset_max(arr) >= (length - 1)))));
behavior default:
  assigns \nothing;
  ensures (_C_29 : true);
behavior exists:
  assumes mem{Here}(query, arr, length);
  ensures (_C_30 : ((\at(arr,Old) + \result).intM == \at(query,Old)));
behavior not_exists:
  assumes (! mem{Here}(query, arr, length));
  ensures (_C_31 : (\result == (- 1)));
{  
   (var int32 low);
   
   (var int32 high);
   
   (var int32 mean);
   
   (var int32 __retres);
   
   {  (_C_1 : (low = 0));
      (_C_4 : (high = (_C_3 : ((_C_2 : (length - 1)) :> int32))));
      
      loop 
      behavior default:
        invariant (_C_9 : (0 <= low));
      behavior default:
        invariant (_C_8 : (high < length));
      behavior default:
        invariant (_C_7 : (\forall integer i_3;
                            (((0 <= i_3) && (i_3 < low)) ==>
                              ((arr + i_3).intM < query))));
      behavior default:
        invariant (_C_6 : (\forall integer i_4;
                            (((high < i_4) && (i_4 < length)) ==>
                              ((arr + i_4).intM > query))));
      variant (_C_5 : (high - low));
      while (true)
      {  
         {  (if (low <= high) then () else 
            (goto while_0_break));
            
            {  (_C_16 : (mean = (_C_15 : ((_C_14 : (low +
                                                     (_C_13 : ((_C_12 : 
                                                               ((_C_11 : (
                                                                (_C_10 : 
                                                                (high -
                                                                  low)) :> int32)) /
                                                                 2)) :> int32)))) :> int32))));
               (if ((_C_19 : (_C_18 : (arr + mean)).intM) == query) then 
               {  (_C_17 : (__retres = mean));
                  
                  (goto return_label)
               } else ());
               (if ((_C_27 : (_C_26 : (arr + mean)).intM) < query) then 
               (_C_25 : (low = (_C_24 : ((_C_23 : (mean + 1)) :> int32)))) else 
               (_C_22 : (high = (_C_21 : ((_C_20 : (mean - 1)) :> int32)))))
            }
         }
      };
      (while_0_break : ());
      (_C_28 : (__retres = -1));
      (return_label : 
      (return __retres))
   }
}
========== file tests/c/find_array.jessie/find_array.cloc ==========
[_C_35]
file = "HOME/tests/c/find_array.c"
line = 45
begin = 11
end = 22

[_C_28]
file = "HOME/tests/c/find_array.c"
line = 74
begin = 2
end = 12

[_C_31]
file = "HOME/tests/c/find_array.c"
line = 56
begin = 12
end = 25

[find_array]
name = "Function find_array"
file = "HOME/tests/c/find_array.c"
line = 58
begin = 4
end = 14

[_C_4]
file = "HOME/tests/c/find_array.c"
line = 60
begin = 2
end = 5

[_C_32]
file = "HOME/tests/c/find_array.c"
line = 46
begin = 11
end = 38

[_C_23]
file = "HOME/tests/c/find_array.c"
line = 71
begin = 33
end = 41

[_C_19]
file = "HOME/tests/c/find_array.c"
line = 70
begin = 8
end = 17

[_C_13]
file = "HOME/tests/c/find_array.c"
line = 69
begin = 21
end = 36

[_C_5]
file = "HOME/tests/c/find_array.c"
line = 66
begin = 17
end = 27

[_C_36]
file = "HOME/tests/c/find_array.c"
line = 44
begin = 11
end = 29

[_C_12]
file = "HOME/tests/c/find_array.c"
line = 69
begin = 21
end = 36

[_C_33]
file = "HOME/tests/c/find_array.c"
line = 46
begin = 11
end = 38

[_C_22]
file = "HOME/tests/c/find_array.c"
line = 72
begin = 16
end = 24

[_C_9]
file = "HOME/tests/c/find_array.c"
line = 62
begin = 19
end = 27

[_C_30]
file = "HOME/tests/c/find_array.c"
line = 52
begin = 12
end = 33

[_C_6]
file = "HOME/tests/c/find_array.c"
line = 65
begin = 19
end = 74

[_C_24]
file = "HOME/tests/c/find_array.c"
line = 71
begin = 33
end = 41

[_C_20]
file = "HOME/tests/c/find_array.c"
line = 72
begin = 16
end = 24

[_C_3]
file = "HOME/tests/c/find_array.c"
line = 60
begin = 13
end = 23

[_C_17]
file = "HOME/tests/c/find_array.c"
line = 70
begin = 28
end = 40

[_C_7]
file = "HOME/tests/c/find_array.c"
line = 64
begin = 19
end = 69

[_C_27]
file = "HOME/tests/c/find_array.c"
line = 71
begin = 8
end = 17

[_C_15]
file = "HOME/tests/c/find_array.c"
line = 69
begin = 15
end = 36

[_C_26]
file = "HOME/tests/c/find_array.c"
line = 71
begin = 8
end = 11

[_C_10]
file = "HOME/tests/c/find_array.c"
line = 69
begin = 22
end = 31

[_C_8]
file = "HOME/tests/c/find_array.c"
line = 63
begin = 19
end = 32

[_C_18]
file = "HOME/tests/c/find_array.c"
line = 70
begin = 8
end = 11

[_C_29]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_14]
file = "HOME/tests/c/find_array.c"
line = 69
begin = 15
end = 36

[_C_2]
file = "HOME/tests/c/find_array.c"
line = 60
begin = 13
end = 23

[_C_34]
file = "HOME/tests/c/find_array.c"
line = 46
begin = 11
end = 38

[_C_16]
file = "HOME/tests/c/find_array.c"
line = 69
begin = 4
end = 7

[_C_1]
file = "HOME/tests/c/find_array.c"
line = 59
begin = 2
end = 5

[_C_25]
file = "HOME/tests/c/find_array.c"
line = 71
begin = 33
end = 41

[_C_11]
file = "HOME/tests/c/find_array.c"
line = 69
begin = 22
end = 31

[_C_21]
file = "HOME/tests/c/find_array.c"
line = 72
begin = 16
end = 24

========== jessie execution ==========
Generating Why function find_array
========== file tests/c/find_array.jessie/find_array.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/find_array_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: find_array.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: find_array.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: find_array.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/c/find_array.jessie/find_array.loc ==========
[JC_63]
kind = DivByZero
file = "HOME/tests/c/find_array.c"
line = 69
begin = 21
end = 36

[JC_51]
file = "HOME/tests/c/find_array.c"
line = 62
begin = 19
end = 27

[JC_45]
file = "HOME/tests/c/find_array.jessie/find_array.jc"
line = 78
begin = 6
end = 1695

[JC_31]
kind = ArithOverflow
file = "HOME/tests/c/find_array.c"
line = 69
begin = 22
end = 31

[JC_17]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_55]
kind = DivByZero
file = "HOME/tests/c/find_array.c"
line = 69
begin = 21
end = 36

[JC_48]
file = "HOME/tests/c/find_array.c"
line = 65
begin = 19
end = 74

[JC_23]
kind = ArithOverflow
file = "HOME/tests/c/find_array.c"
line = 60
begin = 13
end = 23

[JC_22]
file = "HOME/tests/c/find_array.c"
line = 56
begin = 12
end = 25

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[find_array_safety]
name = "Function find_array"
behavior = "Safety"
file = "HOME/tests/c/find_array.c"
line = 58
begin = 4
end = 14

[JC_9]
file = "HOME/tests/c/find_array.c"
line = 46
begin = 11
end = 38

[JC_24]
file = "HOME/tests/c/find_array.c"
line = 65
begin = 19
end = 74

[JC_25]
file = "HOME/tests/c/find_array.c"
line = 64
begin = 19
end = 69

[JC_41]
file = "HOME/tests/c/find_array.c"
line = 64
begin = 19
end = 69

[JC_47]
kind = DivByZero
file = "HOME/tests/c/find_array.c"
line = 69
begin = 21
end = 36

[JC_52]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_26]
file = "HOME/tests/c/find_array.c"
line = 63
begin = 19
end = 32

[JC_8]
file = "HOME/tests/c/find_array.c"
line = 45
begin = 11
end = 22

[JC_54]
file = "HOME/tests/c/find_array.jessie/find_array.jc"
line = 78
begin = 6
end = 1695

[find_array_ensures_not_exists]
name = "Function find_array"
behavior = "Behavior `not_exists'"
file = "HOME/tests/c/find_array.c"
line = 58
begin = 4
end = 14

[JC_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_36]
kind = PointerDeref
file = "HOME/tests/c/find_array.c"
line = 71
begin = 8
end = 17

[JC_39]
file = "HOME/tests/c/find_array.c"
line = 66
begin = 17
end = 27

[JC_40]
file = "HOME/tests/c/find_array.c"
line = 65
begin = 19
end = 74

[JC_35]
kind = PointerDeref
file = "HOME/tests/c/find_array.c"
line = 70
begin = 8
end = 17

[JC_27]
file = "HOME/tests/c/find_array.c"
line = 62
begin = 19
end = 27

[JC_38]
kind = ArithOverflow
file = "HOME/tests/c/find_array.c"
line = 72
begin = 16
end = 24

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_44]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/tests/c/find_array.c"
line = 46
begin = 11
end = 38

[JC_62]
file = "HOME/tests/c/find_array.jessie/find_array.jc"
line = 78
begin = 6
end = 1695

[JC_42]
file = "HOME/tests/c/find_array.c"
line = 63
begin = 19
end = 32

[JC_46]
file = "HOME/tests/c/find_array.jessie/find_array.jc"
line = 78
begin = 6
end = 1695

[JC_61]
file = "HOME/tests/c/find_array.jessie/find_array.jc"
line = 78
begin = 6
end = 1695

[JC_32]
kind = DivByZero
file = "HOME/tests/c/find_array.c"
line = 69
begin = 21
end = 36

[JC_56]
file = "HOME/tests/c/find_array.c"
line = 65
begin = 19
end = 74

[JC_33]
kind = ArithOverflow
file = "HOME/tests/c/find_array.c"
line = 69
begin = 21
end = 36

[JC_29]
file = "HOME/tests/c/find_array.jessie/find_array.jc"
line = 78
begin = 6
end = 1695

[JC_7]
file = "HOME/tests/c/find_array.c"
line = 44
begin = 11
end = 29

[JC_16]
file = "HOME/tests/c/find_array.jessie/find_array.jc"
line = 58
begin = 10
end = 18

[JC_43]
file = "HOME/tests/c/find_array.c"
line = 62
begin = 19
end = 27

[JC_2]
file = "HOME/tests/c/find_array.c"
line = 45
begin = 11
end = 22

[JC_34]
kind = ArithOverflow
file = "HOME/tests/c/find_array.c"
line = 69
begin = 15
end = 36

[JC_14]
file = "HOME/tests/c/find_array.jessie/find_array.jc"
line = 58
begin = 10
end = 18

[JC_53]
file = "HOME/tests/c/find_array.jessie/find_array.jc"
line = 78
begin = 6
end = 1695

[JC_21]
file = "HOME/tests/c/find_array.c"
line = 56
begin = 12
end = 25

[JC_49]
file = "HOME/tests/c/find_array.c"
line = 64
begin = 19
end = 69

[JC_1]
file = "HOME/tests/c/find_array.c"
line = 44
begin = 11
end = 29

[JC_37]
kind = ArithOverflow
file = "HOME/tests/c/find_array.c"
line = 71
begin = 33
end = 41

[JC_10]
file = "HOME/tests/c/find_array.c"
line = 46
begin = 11
end = 38

[JC_57]
file = "HOME/tests/c/find_array.c"
line = 64
begin = 19
end = 69

[JC_59]
file = "HOME/tests/c/find_array.c"
line = 62
begin = 19
end = 27

[find_array_ensures_default]
name = "Function find_array"
behavior = "default behavior"
file = "HOME/tests/c/find_array.c"
line = 58
begin = 4
end = 14

[JC_20]
file = "HOME/tests/c/find_array.c"
line = 52
begin = 12
end = 33

[JC_18]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_3]
file = "HOME/tests/c/find_array.c"
line = 46
begin = 11
end = 38

[JC_60]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_19]
file = "HOME/tests/c/find_array.c"
line = 52
begin = 12
end = 33

[find_array_ensures_exists]
name = "Function find_array"
behavior = "Behavior `exists'"
file = "HOME/tests/c/find_array.c"
line = 58
begin = 4
end = 14

[JC_50]
file = "HOME/tests/c/find_array.c"
line = 63
begin = 19
end = 32

[JC_30]
file = "HOME/tests/c/find_array.jessie/find_array.jc"
line = 78
begin = 6
end = 1695

[JC_58]
file = "HOME/tests/c/find_array.c"
line = 63
begin = 19
end = 32

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/c/find_array.jessie/why/find_array.why ==========
type charP

type int32

type int8

type intP

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

logic intP_tag:  -> intP tag_id

axiom intP_int : (int_of_tag(intP_tag) = (1))

logic intP_of_pointer_address: unit pointer -> intP pointer

axiom intP_of_pointer_address_of_pointer_addr :
 (forall p:intP pointer. (p = intP_of_pointer_address(pointer_address(p))))

axiom intP_parenttag_bottom : parenttag(intP_tag, bottom_tag)

axiom intP_tags :
 (forall x:intP pointer.
  (forall intP_tag_table:intP tag_table.
   instanceof(intP_tag_table, x, intP_tag)))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_intP(p:intP pointer, a:int,
 intP_alloc_table:intP alloc_table) = (offset_min(intP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

predicate mem(elt:int32, arr_0:intP pointer, length_0:int,
 intP_intM_arr_0_2_at_L:(intP, int32) memory) =
 (exists i_2:int.
  (le_int((0), i_2)
  and (lt_int(i_2, length_0)
      and (integer_of_int32(select(intP_intM_arr_0_2_at_L, shift(arr_0, i_2))) = 
          integer_of_int32(elt)))))

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

axiom pointer_addr_of_intP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(intP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_intP(p:intP pointer, b:int,
 intP_alloc_table:intP alloc_table) = (offset_max(intP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate sorted(arr:intP pointer, length:int,
 intP_intM_arr_1_at_L:(intP, int32) memory) =
 (forall i_1:int.
  (forall j_0:int.
   ((le_int((0), i_1) and (le_int(i_1, j_0) and lt_int(j_0, length))) ->
    le_int(integer_of_int32(select(intP_intM_arr_1_at_L, shift(arr, i_1))),
    integer_of_int32(select(intP_intM_arr_1_at_L, shift(arr, j_0)))))))

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) = a)
 and (offset_max(intP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) = a)
 and (offset_max(intP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) <= a)
 and (offset_max(intP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) <= a)
 and (offset_max(intP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

exception Goto_while_0_break_exc of unit

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter intP_alloc_table : intP alloc_table ref

parameter intP_tag_table : intP tag_table ref

parameter alloc_struct_intP :
 n:int ->
  intP_alloc_table:intP alloc_table ref ->
   intP_tag_table:intP tag_table ref ->
    { } intP pointer writes intP_alloc_table,intP_tag_table
    { (strict_valid_struct_intP(result, (0), sub_int(n, (1)),
       intP_alloc_table)
      and (alloc_extends(intP_alloc_table@, intP_alloc_table)
          and (alloc_fresh(intP_alloc_table@, result, n)
              and instanceof(intP_tag_table, result, intP_tag)))) }

parameter alloc_struct_intP_requires :
 n:int ->
  intP_alloc_table:intP alloc_table ref ->
   intP_tag_table:intP tag_table ref ->
    { ge_int(n, (0))} intP pointer writes intP_alloc_table,intP_tag_table
    { (strict_valid_struct_intP(result, (0), sub_int(n, (1)),
       intP_alloc_table)
      and (alloc_extends(intP_alloc_table@, intP_alloc_table)
          and (alloc_fresh(intP_alloc_table@, result, n)
              and instanceof(intP_tag_table, result, intP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int32 : unit -> { } int32 { true }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter find_array :
 arr_1:intP pointer ->
  length_1:int32 ->
   query:int32 ->
    intP_arr_3_alloc_table:intP alloc_table ->
     intP_intM_arr_3:(intP, int32) memory ->
      { } int32
      { (((not mem(query, arr_1, integer_of_int32(length_1), intP_intM_arr_3)) ->
          (JC_22: (integer_of_int32(result) = neg_int((1)))))
        and (mem(query, arr_1, integer_of_int32(length_1), intP_intM_arr_3) ->
             (JC_20:
             (integer_of_int32(select(intP_intM_arr_3,
                               shift(arr_1, integer_of_int32(result)))) = 
             integer_of_int32(query))))) }

parameter find_array_requires :
 arr_1:intP pointer ->
  length_1:int32 ->
   query:int32 ->
    intP_arr_3_alloc_table:intP alloc_table ->
     intP_intM_arr_3:(intP, int32) memory ->
      { (JC_5:
        ((JC_1: sorted(arr_1, integer_of_int32(length_1), intP_intM_arr_3))
        and ((JC_2: ge_int(integer_of_int32(length_1), (0)))
            and ((JC_3:
                 le_int(offset_min(intP_arr_3_alloc_table, arr_1), (0)))
                and (JC_4:
                    ge_int(offset_max(intP_arr_3_alloc_table, arr_1),
                    sub_int(integer_of_int32(length_1), (1))))))))}
      int32
      { (((not mem(query, arr_1, integer_of_int32(length_1), intP_intM_arr_3)) ->
          (JC_22: (integer_of_int32(result) = neg_int((1)))))
        and (mem(query, arr_1, integer_of_int32(length_1), intP_intM_arr_3) ->
             (JC_20:
             (integer_of_int32(select(intP_intM_arr_3,
                               shift(arr_1, integer_of_int32(result)))) = 
             integer_of_int32(query))))) }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let find_array_ensures_default =
 fun (arr_1 : intP pointer) (length_1 : int32) (query : int32) (intP_arr_3_alloc_table : intP alloc_table) (intP_intM_arr_3 : (intP, int32) memory) ->
  { (JC_11:
    ((JC_7: sorted(arr_1, integer_of_int32(length_1), intP_intM_arr_3))
    and ((JC_8: ge_int(integer_of_int32(length_1), (0)))
        and ((JC_9: le_int(offset_min(intP_arr_3_alloc_table, arr_1), (0)))
            and (JC_10:
                ge_int(offset_max(intP_arr_3_alloc_table, arr_1),
                sub_int(integer_of_int32(length_1), (1)))))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let low = ref (any_int32 void) in
     (let high = ref (any_int32 void) in
     (let mean = ref (any_int32 void) in
     (let __retres = ref (any_int32 void) in
     try
      begin
        try
         begin
           (let _jessie_ = (low := (safe_int32_of_integer_ (0))) in void);
          (let _jessie_ =
          (high := (safe_int32_of_integer_ ((sub_int (integer_of_int32 length_1)) (1)))) in
          void);
          (loop_2:
          begin
            while true do
            { invariant
                ((JC_40:
                 (forall i_4:int.
                  ((lt_int(integer_of_int32(high), i_4)
                   and lt_int(i_4, integer_of_int32(length_1))) ->
                   gt_int(integer_of_int32(select(intP_intM_arr_3,
                                           shift(arr_1, i_4))),
                   integer_of_int32(query)))))
                and ((JC_41:
                     (forall i_3:int.
                      ((le_int((0), i_3)
                       and lt_int(i_3, integer_of_int32(low))) ->
                       lt_int(integer_of_int32(select(intP_intM_arr_3,
                                               shift(arr_1, i_3))),
                       integer_of_int32(query)))))
                    and ((JC_42:
                         lt_int(integer_of_int32(high),
                         integer_of_int32(length_1)))
                        and (JC_43: le_int((0), integer_of_int32(low)))))) 
               }
             begin
               [ { } unit { true } ];
              try
               begin
                 (let _jessie_ =
                 begin
                   (if ((le_int_ (integer_of_int32 !low)) (integer_of_int32 !high))
                   then void else (raise (Goto_while_0_break_exc void)));
                  (let _jessie_ =
                  (mean := (safe_int32_of_integer_ ((add_int (integer_of_int32 !low)) 
                                                    (integer_of_int32 
                                                     (safe_int32_of_integer_ 
                                                      (JC_47:
                                                      ((computer_div 
                                                        (integer_of_int32 
                                                         (safe_int32_of_integer_ 
                                                          ((sub_int (integer_of_int32 !high)) 
                                                           (integer_of_int32 !low))))) (2)))))))) in
                  void);
                  (if ((eq_int_ (integer_of_int32 ((safe_acc_ intP_intM_arr_3) 
                                                   ((shift arr_1) (integer_of_int32 !mean))))) 
                       (integer_of_int32 query))
                  then
                   begin
                     (let _jessie_ = (__retres := !mean) in void);
                    (raise (Return_label_exc void)) end else void);
                  (if ((lt_int_ (integer_of_int32 ((safe_acc_ intP_intM_arr_3) 
                                                   ((shift arr_1) (integer_of_int32 !mean))))) 
                       (integer_of_int32 query))
                  then
                   begin
                     (low := (safe_int32_of_integer_ ((add_int (integer_of_int32 !mean)) (1))));
                    !low end
                  else
                   begin
                     (high := (safe_int32_of_integer_ ((sub_int (integer_of_int32 !mean)) (1))));
                    !high end) end in void); (raise (Loop_continue_exc void))
               end with Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ ->
         (let _jessie_ =
         (while_0_break:
         begin
           void; (__retres := (safe_int32_of_integer_ (neg_int (1))));
          !__retres end) in void) end; (raise (Return_label_exc void)) end
      with Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres); (raise Return) end) end))));
    absurd  end with Return -> !return end)) { (JC_14: true) } 

let find_array_ensures_exists =
 fun (arr_1 : intP pointer) (length_1 : int32) (query : int32) (intP_arr_3_alloc_table : intP alloc_table) (intP_intM_arr_3 : (intP, int32) memory) ->
  { (mem(query, arr_1, integer_of_int32(length_1), intP_intM_arr_3)
    and (JC_11:
        ((JC_7: sorted(arr_1, integer_of_int32(length_1), intP_intM_arr_3))
        and ((JC_8: ge_int(integer_of_int32(length_1), (0)))
            and ((JC_9:
                 le_int(offset_min(intP_arr_3_alloc_table, arr_1), (0)))
                and (JC_10:
                    ge_int(offset_max(intP_arr_3_alloc_table, arr_1),
                    sub_int(integer_of_int32(length_1), (1))))))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let low = ref (any_int32 void) in
     (let high = ref (any_int32 void) in
     (let mean = ref (any_int32 void) in
     (let __retres = ref (any_int32 void) in
     try
      begin
        try
         begin
           (let _jessie_ = (low := (safe_int32_of_integer_ (0))) in void);
          (let _jessie_ =
          (high := (safe_int32_of_integer_ ((sub_int (integer_of_int32 length_1)) (1)))) in
          void);
          (loop_3:
          begin
            while true do
            { invariant (JC_53: true)  }
             begin
               [ { } unit reads high,low
                 { ((JC_48:
                    (forall i_4:int.
                     ((lt_int(integer_of_int32(high), i_4)
                      and lt_int(i_4, integer_of_int32(length_1))) ->
                      gt_int(integer_of_int32(select(intP_intM_arr_3,
                                              shift(arr_1, i_4))),
                      integer_of_int32(query)))))
                   and ((JC_49:
                        (forall i_3:int.
                         ((le_int((0), i_3)
                          and lt_int(i_3, integer_of_int32(low))) ->
                          lt_int(integer_of_int32(select(intP_intM_arr_3,
                                                  shift(arr_1, i_3))),
                          integer_of_int32(query)))))
                       and ((JC_50:
                            lt_int(integer_of_int32(high),
                            integer_of_int32(length_1)))
                           and (JC_51: le_int((0), integer_of_int32(low)))))) } ];
              try
               begin
                 (let _jessie_ =
                 begin
                   (if ((le_int_ (integer_of_int32 !low)) (integer_of_int32 !high))
                   then void else (raise (Goto_while_0_break_exc void)));
                  (let _jessie_ =
                  (mean := (safe_int32_of_integer_ ((add_int (integer_of_int32 !low)) 
                                                    (integer_of_int32 
                                                     (safe_int32_of_integer_ 
                                                      (JC_55:
                                                      ((computer_div 
                                                        (integer_of_int32 
                                                         (safe_int32_of_integer_ 
                                                          ((sub_int (integer_of_int32 !high)) 
                                                           (integer_of_int32 !low))))) (2)))))))) in
                  void);
                  (if ((eq_int_ (integer_of_int32 ((safe_acc_ intP_intM_arr_3) 
                                                   ((shift arr_1) (integer_of_int32 !mean))))) 
                       (integer_of_int32 query))
                  then
                   begin
                     (let _jessie_ = (__retres := !mean) in void);
                    (raise (Return_label_exc void)) end else void);
                  (if ((lt_int_ (integer_of_int32 ((safe_acc_ intP_intM_arr_3) 
                                                   ((shift arr_1) (integer_of_int32 !mean))))) 
                       (integer_of_int32 query))
                  then
                   begin
                     (low := (safe_int32_of_integer_ ((add_int (integer_of_int32 !mean)) (1))));
                    !low end
                  else
                   begin
                     (high := (safe_int32_of_integer_ ((sub_int (integer_of_int32 !mean)) (1))));
                    !high end) end in void); (raise (Loop_continue_exc void))
               end with Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ ->
         (let _jessie_ =
         (while_0_break:
         begin
           void; (__retres := (safe_int32_of_integer_ (neg_int (1))));
          !__retres end) in void) end; (raise (Return_label_exc void)) end
      with Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres); (raise Return) end) end))));
    absurd  end with Return -> !return end))
  { (JC_19:
    (integer_of_int32(select(intP_intM_arr_3,
                      shift(arr_1, integer_of_int32(result)))) = integer_of_int32(query))) }
  

let find_array_ensures_not_exists =
 fun (arr_1 : intP pointer) (length_1 : int32) (query : int32) (intP_arr_3_alloc_table : intP alloc_table) (intP_intM_arr_3 : (intP, int32) memory) ->
  { ((not mem(query, arr_1, integer_of_int32(length_1), intP_intM_arr_3))
    and (JC_11:
        ((JC_7: sorted(arr_1, integer_of_int32(length_1), intP_intM_arr_3))
        and ((JC_8: ge_int(integer_of_int32(length_1), (0)))
            and ((JC_9:
                 le_int(offset_min(intP_arr_3_alloc_table, arr_1), (0)))
                and (JC_10:
                    ge_int(offset_max(intP_arr_3_alloc_table, arr_1),
                    sub_int(integer_of_int32(length_1), (1))))))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let low = ref (any_int32 void) in
     (let high = ref (any_int32 void) in
     (let mean = ref (any_int32 void) in
     (let __retres = ref (any_int32 void) in
     try
      begin
        try
         begin
           (let _jessie_ = (low := (safe_int32_of_integer_ (0))) in void);
          (let _jessie_ =
          (high := (safe_int32_of_integer_ ((sub_int (integer_of_int32 length_1)) (1)))) in
          void);
          (loop_4:
          begin
            while true do
            { invariant (JC_61: true)  }
             begin
               [ { } unit reads high,low
                 { ((JC_56:
                    (forall i_4:int.
                     ((lt_int(integer_of_int32(high), i_4)
                      and lt_int(i_4, integer_of_int32(length_1))) ->
                      gt_int(integer_of_int32(select(intP_intM_arr_3,
                                              shift(arr_1, i_4))),
                      integer_of_int32(query)))))
                   and ((JC_57:
                        (forall i_3:int.
                         ((le_int((0), i_3)
                          and lt_int(i_3, integer_of_int32(low))) ->
                          lt_int(integer_of_int32(select(intP_intM_arr_3,
                                                  shift(arr_1, i_3))),
                          integer_of_int32(query)))))
                       and ((JC_58:
                            lt_int(integer_of_int32(high),
                            integer_of_int32(length_1)))
                           and (JC_59: le_int((0), integer_of_int32(low)))))) } ];
              try
               begin
                 (let _jessie_ =
                 begin
                   (if ((le_int_ (integer_of_int32 !low)) (integer_of_int32 !high))
                   then void else (raise (Goto_while_0_break_exc void)));
                  (let _jessie_ =
                  (mean := (safe_int32_of_integer_ ((add_int (integer_of_int32 !low)) 
                                                    (integer_of_int32 
                                                     (safe_int32_of_integer_ 
                                                      (JC_63:
                                                      ((computer_div 
                                                        (integer_of_int32 
                                                         (safe_int32_of_integer_ 
                                                          ((sub_int (integer_of_int32 !high)) 
                                                           (integer_of_int32 !low))))) (2)))))))) in
                  void);
                  (if ((eq_int_ (integer_of_int32 ((safe_acc_ intP_intM_arr_3) 
                                                   ((shift arr_1) (integer_of_int32 !mean))))) 
                       (integer_of_int32 query))
                  then
                   begin
                     (let _jessie_ = (__retres := !mean) in void);
                    (raise (Return_label_exc void)) end else void);
                  (if ((lt_int_ (integer_of_int32 ((safe_acc_ intP_intM_arr_3) 
                                                   ((shift arr_1) (integer_of_int32 !mean))))) 
                       (integer_of_int32 query))
                  then
                   begin
                     (low := (safe_int32_of_integer_ ((add_int (integer_of_int32 !mean)) (1))));
                    !low end
                  else
                   begin
                     (high := (safe_int32_of_integer_ ((sub_int (integer_of_int32 !mean)) (1))));
                    !high end) end in void); (raise (Loop_continue_exc void))
               end with Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ ->
         (let _jessie_ =
         (while_0_break:
         begin
           void; (__retres := (safe_int32_of_integer_ (neg_int (1))));
          !__retres end) in void) end; (raise (Return_label_exc void)) end
      with Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres); (raise Return) end) end))));
    absurd  end with Return -> !return end))
  { (JC_21: (integer_of_int32(result) = neg_int((1)))) } 

let find_array_safety =
 fun (arr_1 : intP pointer) (length_1 : int32) (query : int32) (intP_arr_3_alloc_table : intP alloc_table) (intP_intM_arr_3 : (intP, int32) memory) ->
  { (JC_11:
    ((JC_7: sorted(arr_1, integer_of_int32(length_1), intP_intM_arr_3))
    and ((JC_8: ge_int(integer_of_int32(length_1), (0)))
        and ((JC_9: le_int(offset_min(intP_arr_3_alloc_table, arr_1), (0)))
            and (JC_10:
                ge_int(offset_max(intP_arr_3_alloc_table, arr_1),
                sub_int(integer_of_int32(length_1), (1)))))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let low = ref (any_int32 void) in
     (let high = ref (any_int32 void) in
     (let mean = ref (any_int32 void) in
     (let __retres = ref (any_int32 void) in
     try
      begin
        try
         begin
           (let _jessie_ = (low := (safe_int32_of_integer_ (0))) in void);
          (let _jessie_ =
          (high := (JC_23:
                   (int32_of_integer_ ((sub_int (integer_of_int32 length_1)) (1))))) in
          void);
          (loop_1:
          begin
            while true do
            { invariant (JC_29: true)
              variant (JC_39 : sub_int(integer_of_int32(high),
                               integer_of_int32(low))) }
             begin
               [ { } unit reads high,low
                 { ((JC_24:
                    (forall i_4:int.
                     ((lt_int(integer_of_int32(high), i_4)
                      and lt_int(i_4, integer_of_int32(length_1))) ->
                      gt_int(integer_of_int32(select(intP_intM_arr_3,
                                              shift(arr_1, i_4))),
                      integer_of_int32(query)))))
                   and ((JC_25:
                        (forall i_3:int.
                         ((le_int((0), i_3)
                          and lt_int(i_3, integer_of_int32(low))) ->
                          lt_int(integer_of_int32(select(intP_intM_arr_3,
                                                  shift(arr_1, i_3))),
                          integer_of_int32(query)))))
                       and ((JC_26:
                            lt_int(integer_of_int32(high),
                            integer_of_int32(length_1)))
                           and (JC_27: le_int((0), integer_of_int32(low)))))) } ];
              try
               begin
                 (let _jessie_ =
                 begin
                   (if ((le_int_ (integer_of_int32 !low)) (integer_of_int32 !high))
                   then void else (raise (Goto_while_0_break_exc void)));
                  (let _jessie_ =
                  (mean := (JC_34:
                           (int32_of_integer_ ((add_int (integer_of_int32 !low)) 
                                               (integer_of_int32 (JC_33:
                                                                 (int32_of_integer_ 
                                                                  (JC_32:
                                                                  ((computer_div_ 
                                                                    (integer_of_int32 
                                                                    (JC_31:
                                                                    (int32_of_integer_ 
                                                                    ((sub_int 
                                                                    (integer_of_int32 !high)) 
                                                                    (integer_of_int32 !low)))))) (2)))))))))) in
                  void);
                  (if ((eq_int_ (integer_of_int32 (JC_35:
                                                  ((((offset_acc_ intP_arr_3_alloc_table) intP_intM_arr_3) arr_1) 
                                                   (integer_of_int32 !mean))))) 
                       (integer_of_int32 query))
                  then
                   begin
                     (let _jessie_ = (__retres := !mean) in void);
                    (raise (Return_label_exc void)) end else void);
                  (if ((lt_int_ (integer_of_int32 (JC_36:
                                                  ((((offset_acc_ intP_arr_3_alloc_table) intP_intM_arr_3) arr_1) 
                                                   (integer_of_int32 !mean))))) 
                       (integer_of_int32 query))
                  then
                   begin
                     (low := (JC_37:
                             (int32_of_integer_ ((add_int (integer_of_int32 !mean)) (1)))));
                    !low end
                  else
                   begin
                     (high := (JC_38:
                              (int32_of_integer_ ((sub_int (integer_of_int32 !mean)) (1)))));
                    !high end) end in void); (raise (Loop_continue_exc void))
               end with Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ ->
         (let _jessie_ =
         (while_0_break:
         begin
           void; (__retres := (safe_int32_of_integer_ (neg_int (1))));
          !__retres end) in void) end; (raise (Return_label_exc void)) end
      with Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres); (raise Return) end) end))));
    absurd  end with Return -> !return end)) { true } 


why-2.39/tests/c/oracle/interval_arith.err.oracle0000644000106100004300000000000013147234006021041 0ustar  marchevalswhy-2.39/tests/c/oracle/binary_search.res.oracle0000644000106100004300000015114313147234006020657 0ustar  marchevals========== file tests/c/binary_search.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

// RUNSIMPLIFY this tells regtests to run Simplify in this example

//@ lemma mean: \forall integer x, y; x <= y ==> x <= (x+y)/2 <= y;

/*@ predicate sorted{L}(long *t, integer a, integer b) =
  @    \forall integer i,j; a <= i <= j <= b ==> t[i] <= t[j];
  @*/

/*@ requires n >= 0 && \valid(t+(0..n-1));
  @ ensures -1 <= \result < n;
  @ behavior success:
  @   ensures \result >= 0 ==> t[\result] == v;
  @ behavior failure:
  @   assumes sorted(t,0,n-1);
  @   ensures \result == -1 ==>
  @     \forall integer k; 0 <= k < n ==> t[k] != v;
  @*/
int binary_search(long t[], int n, long v) {
  int l = 0, u = n-1;
  /*@ loop invariant
    @   0 <= l && u <= n-1;
    @ for failure:
    @   loop invariant
    @   \forall integer k; 0 <= k < n && t[k] == v ==> l <= k <= u;
    @ loop variant u-l;
    @*/
  while (l <= u ) {
    int m = l + (u - l) / 2;
    //@ assert l <= m <= u;
    if (t[m] < v) l = m + 1;
    else if (t[m] > v) u = m - 1;
    else return m;
  }
  return -1;
}

/*
Local Variables:
compile-command: "make binary_search.why3ide"
End:
*/
========== frama-c -jessie execution ==========
[kernel] Parsing FRAMAC_SHARE/libc/__fc_builtin_for_normalization.i (no preprocessing)
[kernel] Parsing tests/c/binary_search.c (with preprocessing)
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/binary_search.jessie
[jessie] File tests/c/binary_search.jessie/binary_search.jc written.
[jessie] File tests/c/binary_search.jessie/binary_search.cloc written.
========== file tests/c/binary_search.jessie/binary_search.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type int8 = -128..127

type int32 = -2147483648..2147483647

tag longP = {
  int32 longM: 32;
}

type longP = [longP]

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

lemma mean :
(\forall integer x;
  (\forall integer y;
    ((x <= y) ==> ((x <= ((x + y) / 2)) && (((x + y) / 2) <= y)))))

predicate sorted{L}(longP[..] t, integer a, integer b) =
(\forall integer i_1;
  (\forall integer j_0;
    ((((a <= i_1) && (i_1 <= j_0)) && (j_0 <= b)) ==>
      ((t + i_1).longM <= (t + j_0).longM))))

int32 binary_search(longP[..] t, int32 n_1, int32 v)
  requires (_C_35 : ((_C_36 : (n_1 >= 0)) &&
                      ((_C_38 : (\offset_min(t) <= 0)) &&
                        (_C_39 : (\offset_max(t) >= (n_1 - 1))))));
behavior default:
  ensures (_C_30 : ((_C_31 : ((- 1) <= \result)) &&
                     (_C_32 : (\result < \at(n_1,Old)))));
behavior success:
  ensures (_C_33 : ((\result >= 0) ==>
                     ((\at(t,Old) + \result).longM == \at(v,Old))));
behavior failure:
  assumes sorted{Here}(t, 0, (n_1 - 1));
  ensures (_C_34 : ((\result == (- 1)) ==>
                     (\forall integer k_0;
                       (((0 <= k_0) && (k_0 < \at(n_1,Old))) ==>
                         ((\at(t,Old) + k_0).longM != \at(v,Old))))));
{  
   (var int32 l);
   
   (var int32 u);
   
   (var int32 m);
   
   (var int32 __retres);
   
   {  (_C_1 : (l = 0));
      (_C_4 : (u = (_C_3 : ((_C_2 : (n_1 - 1)) :> int32))));
      
      loop 
      behavior default:
        invariant (_C_7 : ((_C_8 : (0 <= l)) && (_C_9 : (u <= (n_1 - 1)))));
      behavior failure:
        invariant (_C_6 : (\forall integer k;
                            ((((0 <= k) && (k < n_1)) &&
                               ((t + k).longM == v)) ==>
                              ((l <= k) && (k <= u)))));
      variant (_C_5 : (u - l));
      while (true)
      {  
         {  (if (l <= u) then () else 
            (goto while_0_break));
            
            {  (_C_16 : (m = (_C_15 : ((_C_14 : (l +
                                                  (_C_13 : ((_C_12 : 
                                                            ((_C_11 : (
                                                             (_C_10 : 
                                                             (u - l)) :> int32)) /
                                                              2)) :> int32)))) :> int32))));
               
               {  
                  (assert for default: (_C_17 : (jessie : ((l <= m) &&
                                                            (m <= u)))));
                  ()
               };
               
               {  (if ((_C_28 : (_C_27 : (t + m)).longM) < v) then (_C_26 : (l = 
                                                                   (_C_25 : (
                                                                   (_C_24 : 
                                                                   (m +
                                                                    1)) :> int32)))) else 
                  (if ((_C_23 : (_C_22 : (t + m)).longM) > v) then (_C_21 : (u = 
                                                                   (_C_20 : (
                                                                   (_C_19 : 
                                                                   (m -
                                                                    1)) :> int32)))) else 
                  {  (_C_18 : (__retres = m));
                     
                     (goto return_label)
                  }))
               }
            }
         }
      };
      (while_0_break : ());
      (_C_29 : (__retres = -1));
      (return_label : 
      (return __retres))
   }
}
========== file tests/c/binary_search.jessie/binary_search.cloc ==========
[_C_35]
file = "HOME/tests/c/binary_search.c"
line = 40
begin = 16
end = 44

[_C_28]
file = "HOME/tests/c/binary_search.c"
line = 61
begin = 8
end = 12

[_C_31]
file = "HOME/tests/c/binary_search.c"
line = 41
begin = 12
end = 25

[mean]
name = "Lemma mean"
file = "HOME/tests/c/binary_search.c"
line = 34
begin = 7
end = 70

[_C_4]
file = "HOME/tests/c/binary_search.c"
line = 50
begin = 2
end = 5

[_C_32]
file = "HOME/tests/c/binary_search.c"
line = 41
begin = 18
end = 29

[_C_23]
file = "HOME/tests/c/binary_search.c"
line = 62
begin = 13
end = 17

[_C_19]
file = "HOME/tests/c/binary_search.c"
line = 62
begin = 27
end = 32

[_C_13]
file = "HOME/tests/c/binary_search.c"
line = 59
begin = 16
end = 27

[_C_5]
file = "HOME/tests/c/binary_search.c"
line = 56
begin = 19
end = 22

[_C_36]
file = "HOME/tests/c/binary_search.c"
line = 40
begin = 16
end = 22

[_C_12]
file = "HOME/tests/c/binary_search.c"
line = 59
begin = 16
end = 27

[_C_33]
file = "HOME/tests/c/binary_search.c"
line = 43
begin = 14
end = 46

[_C_22]
file = "HOME/tests/c/binary_search.c"
line = 62
begin = 13
end = 14

[binary_search]
name = "Function binary_search"
file = "HOME/tests/c/binary_search.c"
line = 49
begin = 4
end = 17

[_C_9]
file = "HOME/tests/c/binary_search.c"
line = 52
begin = 18
end = 26

[_C_30]
file = "HOME/tests/c/binary_search.c"
line = 41
begin = 12
end = 29

[_C_6]
file = "HOME/tests/c/binary_search.c"
line = 55
begin = 8
end = 66

[_C_24]
file = "HOME/tests/c/binary_search.c"
line = 61
begin = 22
end = 27

[_C_20]
file = "HOME/tests/c/binary_search.c"
line = 62
begin = 27
end = 32

[_C_38]
file = "HOME/tests/c/binary_search.c"
line = 40
begin = 26
end = 44

[_C_3]
file = "HOME/tests/c/binary_search.c"
line = 50
begin = 17
end = 20

[_C_17]
file = "HOME/tests/c/binary_search.c"
line = 60
begin = 22
end = 33

[_C_7]
file = "HOME/tests/c/binary_search.c"
line = 52
begin = 8
end = 26

[_C_27]
file = "HOME/tests/c/binary_search.c"
line = 61
begin = 8
end = 9

[_C_15]
file = "HOME/tests/c/binary_search.c"
line = 59
begin = 12
end = 27

[_C_26]
file = "HOME/tests/c/binary_search.c"
line = 61
begin = 22
end = 27

[_C_10]
file = "HOME/tests/c/binary_search.c"
line = 59
begin = 17
end = 22

[_C_8]
file = "HOME/tests/c/binary_search.c"
line = 52
begin = 8
end = 14

[_C_18]
file = "HOME/tests/c/binary_search.c"
line = 63
begin = 9
end = 18

[_C_29]
file = "HOME/tests/c/binary_search.c"
line = 65
begin = 2
end = 12

[_C_14]
file = "HOME/tests/c/binary_search.c"
line = 59
begin = 12
end = 27

[_C_37]
file = "HOME/tests/c/binary_search.c"
line = 40
begin = 26
end = 44

[_C_2]
file = "HOME/tests/c/binary_search.c"
line = 50
begin = 17
end = 20

[_C_34]
file = "HOME/tests/c/binary_search.c"
line = 46
begin = 14
end = 83

[_C_16]
file = "HOME/tests/c/binary_search.c"
line = 59
begin = 4
end = 7

[_C_1]
file = "HOME/tests/c/binary_search.c"
line = 50
begin = 2
end = 5

[_C_25]
file = "HOME/tests/c/binary_search.c"
line = 61
begin = 22
end = 27

[_C_39]
file = "HOME/tests/c/binary_search.c"
line = 40
begin = 26
end = 44

[_C_11]
file = "HOME/tests/c/binary_search.c"
line = 59
begin = 17
end = 22

[_C_21]
file = "HOME/tests/c/binary_search.c"
line = 62
begin = 27
end = 32

========== jessie execution ==========
Generating Why function binary_search
========== file tests/c/binary_search.jessie/binary_search.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/binary_search_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: binary_search.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: binary_search.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: binary_search.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/c/binary_search.jessie/binary_search.loc ==========
[JC_63]
kind = DivByZero
file = "HOME/tests/c/binary_search.c"
line = 59
begin = 16
end = 27

[JC_51]
file = "HOME/"
line = 0
begin = -1
end = -1

[binary_search_ensures_default]
name = "Function binary_search"
behavior = "default behavior"
file = "HOME/tests/c/binary_search.c"
line = 49
begin = 4
end = 17

[JC_45]
file = "HOME/tests/c/binary_search.jessie/binary_search.jc"
line = 81
begin = 6
end = 2160

[JC_64]
file = "HOME/tests/c/binary_search.c"
line = 60
begin = 22
end = 33

[mean]
name = "Lemma mean"
behavior = "lemma"
file = "HOME/tests/c/binary_search.c"
line = 34
begin = 7
end = 70

[JC_31]
kind = DivByZero
file = "HOME/tests/c/binary_search.c"
line = 59
begin = 16
end = 27

[JC_17]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_55]
file = "HOME/tests/c/binary_search.c"
line = 60
begin = 22
end = 33

[JC_48]
file = "HOME/tests/c/binary_search.c"
line = 52
begin = 8
end = 14

[JC_23]
kind = ArithOverflow
file = "HOME/tests/c/binary_search.c"
line = 50
begin = 17
end = 20

[JC_22]
file = "HOME/tests/c/binary_search.c"
line = 46
begin = 14
end = 83

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_9]
file = "HOME/tests/c/binary_search.c"
line = 40
begin = 16
end = 44

[JC_24]
file = "HOME/tests/c/binary_search.c"
line = 52
begin = 8
end = 14

[JC_25]
file = "HOME/tests/c/binary_search.c"
line = 52
begin = 18
end = 26

[JC_41]
file = "HOME/tests/c/binary_search.c"
line = 52
begin = 18
end = 26

[JC_47]
file = "HOME/tests/c/binary_search.c"
line = 60
begin = 22
end = 33

[JC_52]
file = "HOME/tests/c/binary_search.jessie/binary_search.jc"
line = 81
begin = 6
end = 2160

[JC_26]
file = "HOME/tests/c/binary_search.c"
line = 52
begin = 8
end = 26

[JC_8]
file = "HOME/tests/c/binary_search.c"
line = 40
begin = 26
end = 44

[JC_54]
kind = DivByZero
file = "HOME/tests/c/binary_search.c"
line = 59
begin = 16
end = 27

[JC_13]
file = "HOME/tests/c/binary_search.c"
line = 41
begin = 12
end = 29

[binary_search_ensures_success]
name = "Function binary_search"
behavior = "Behavior `success'"
file = "HOME/tests/c/binary_search.c"
line = 49
begin = 4
end = 17

[binary_search_ensures_failure]
name = "Function binary_search"
behavior = "Behavior `failure'"
file = "HOME/tests/c/binary_search.c"
line = 49
begin = 4
end = 17

[JC_11]
file = "HOME/tests/c/binary_search.c"
line = 41
begin = 12
end = 25

[JC_15]
file = "HOME/tests/c/binary_search.c"
line = 41
begin = 18
end = 29

[JC_36]
kind = ArithOverflow
file = "HOME/tests/c/binary_search.c"
line = 61
begin = 22
end = 27

[JC_39]
file = "HOME/tests/c/binary_search.c"
line = 56
begin = 19
end = 22

[JC_40]
file = "HOME/tests/c/binary_search.c"
line = 52
begin = 8
end = 14

[JC_35]
kind = PointerDeref
file = "HOME/tests/c/binary_search.c"
line = 61
begin = 8
end = 12

[JC_27]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_38]
kind = ArithOverflow
file = "HOME/tests/c/binary_search.c"
line = 62
begin = 27
end = 32

[JC_12]
file = "HOME/tests/c/binary_search.c"
line = 41
begin = 18
end = 29

[JC_6]
file = "HOME/tests/c/binary_search.c"
line = 40
begin = 16
end = 22

[JC_44]
file = "HOME/tests/c/binary_search.jessie/binary_search.jc"
line = 81
begin = 6
end = 2160

[JC_4]
file = "HOME/tests/c/binary_search.c"
line = 40
begin = 16
end = 44

[JC_62]
file = "HOME/tests/c/binary_search.jessie/binary_search.jc"
line = 81
begin = 6
end = 2160

[JC_42]
file = "HOME/tests/c/binary_search.c"
line = 52
begin = 8
end = 26

[JC_46]
kind = DivByZero
file = "HOME/tests/c/binary_search.c"
line = 59
begin = 16
end = 27

[JC_61]
file = "HOME/tests/c/binary_search.jessie/binary_search.jc"
line = 81
begin = 6
end = 2160

[JC_32]
kind = ArithOverflow
file = "HOME/tests/c/binary_search.c"
line = 59
begin = 16
end = 27

[JC_56]
file = "HOME/tests/c/binary_search.c"
line = 55
begin = 8
end = 66

[JC_33]
kind = ArithOverflow
file = "HOME/tests/c/binary_search.c"
line = 59
begin = 12
end = 27

[JC_29]
file = "HOME/tests/c/binary_search.jessie/binary_search.jc"
line = 81
begin = 6
end = 2160

[JC_7]
file = "HOME/tests/c/binary_search.c"
line = 40
begin = 26
end = 44

[JC_16]
file = "HOME/tests/c/binary_search.c"
line = 41
begin = 12
end = 29

[JC_43]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_2]
file = "HOME/tests/c/binary_search.c"
line = 40
begin = 26
end = 44

[JC_34]
file = "HOME/tests/c/binary_search.c"
line = 60
begin = 22
end = 33

[JC_14]
file = "HOME/tests/c/binary_search.c"
line = 41
begin = 12
end = 25

[JC_53]
file = "HOME/tests/c/binary_search.jessie/binary_search.jc"
line = 81
begin = 6
end = 2160

[JC_21]
file = "HOME/tests/c/binary_search.c"
line = 46
begin = 14
end = 83

[JC_49]
file = "HOME/tests/c/binary_search.c"
line = 52
begin = 18
end = 26

[JC_1]
file = "HOME/tests/c/binary_search.c"
line = 40
begin = 16
end = 22

[JC_37]
kind = PointerDeref
file = "HOME/tests/c/binary_search.c"
line = 62
begin = 13
end = 17

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_57]
file = "HOME/tests/c/binary_search.c"
line = 52
begin = 8
end = 14

[JC_59]
file = "HOME/tests/c/binary_search.c"
line = 52
begin = 8
end = 26

[JC_20]
file = "HOME/tests/c/binary_search.c"
line = 43
begin = 14
end = 46

[JC_18]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_3]
file = "HOME/tests/c/binary_search.c"
line = 40
begin = 26
end = 44

[JC_60]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_19]
file = "HOME/tests/c/binary_search.c"
line = 43
begin = 14
end = 46

[JC_50]
file = "HOME/tests/c/binary_search.c"
line = 52
begin = 8
end = 26

[binary_search_safety]
name = "Function binary_search"
behavior = "Safety"
file = "HOME/tests/c/binary_search.c"
line = 49
begin = 4
end = 17

[JC_30]
kind = ArithOverflow
file = "HOME/tests/c/binary_search.c"
line = 59
begin = 17
end = 22

[JC_58]
file = "HOME/tests/c/binary_search.c"
line = 52
begin = 18
end = 26

[JC_28]
file = "HOME/tests/c/binary_search.jessie/binary_search.jc"
line = 81
begin = 6
end = 2160

========== file tests/c/binary_search.jessie/why/binary_search.why ==========
type charP

type int32

type int8

type longP

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_longP(p:longP pointer, a:int,
 longP_alloc_table:longP alloc_table) =
 (offset_min(longP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

logic longP_tag:  -> longP tag_id

axiom longP_int : (int_of_tag(longP_tag) = (1))

logic longP_of_pointer_address: unit pointer -> longP pointer

axiom longP_of_pointer_address_of_pointer_addr :
 (forall p:longP pointer. (p = longP_of_pointer_address(pointer_address(p))))

axiom longP_parenttag_bottom : parenttag(longP_tag, bottom_tag)

axiom longP_tags :
 (forall x:longP pointer.
  (forall longP_tag_table:longP tag_table.
   instanceof(longP_tag_table, x, longP_tag)))

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

axiom pointer_addr_of_longP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(longP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_longP(p:longP pointer, b:int,
 longP_alloc_table:longP alloc_table) =
 (offset_max(longP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate sorted(t:longP pointer, a:int, b:int,
 longP_longM_t_1_at_L:(longP, int32) memory) =
 (forall i_1:int.
  (forall j_0:int.
   ((le_int(a, i_1) and (le_int(i_1, j_0) and le_int(j_0, b))) ->
    le_int(integer_of_int32(select(longP_longM_t_1_at_L, shift(t, i_1))),
    integer_of_int32(select(longP_longM_t_1_at_L, shift(t, j_0)))))))

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_longP(p:longP pointer, a:int, b:int,
 longP_alloc_table:longP alloc_table) =
 ((offset_min(longP_alloc_table, p) = a)
 and (offset_max(longP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_longP(p:longP pointer, a:int, b:int,
 longP_alloc_table:longP alloc_table) =
 ((offset_min(longP_alloc_table, p) = a)
 and (offset_max(longP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_longP(p:longP pointer, a:int, b:int,
 longP_alloc_table:longP alloc_table) =
 ((offset_min(longP_alloc_table, p) <= a)
 and (offset_max(longP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_longP(p:longP pointer, a:int, b:int,
 longP_alloc_table:longP alloc_table) =
 ((offset_min(longP_alloc_table, p) <= a)
 and (offset_max(longP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

lemma mean :
 (forall x_0:int.
  (forall y:int.
   (le_int(x_0, y) ->
    (le_int(x_0, computer_div(add_int(x_0, y), (2)))
    and le_int(computer_div(add_int(x_0, y), (2)), y)))))

exception Goto_while_0_break_exc of unit

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter longP_alloc_table : longP alloc_table ref

parameter longP_tag_table : longP tag_table ref

parameter alloc_struct_longP :
 n:int ->
  longP_alloc_table:longP alloc_table ref ->
   longP_tag_table:longP tag_table ref ->
    { } longP pointer writes longP_alloc_table,longP_tag_table
    { (strict_valid_struct_longP(result, (0), sub_int(n, (1)),
       longP_alloc_table)
      and (alloc_extends(longP_alloc_table@, longP_alloc_table)
          and (alloc_fresh(longP_alloc_table@, result, n)
              and instanceof(longP_tag_table, result, longP_tag)))) }

parameter alloc_struct_longP_requires :
 n:int ->
  longP_alloc_table:longP alloc_table ref ->
   longP_tag_table:longP tag_table ref ->
    { ge_int(n, (0))} longP pointer writes longP_alloc_table,longP_tag_table
    { (strict_valid_struct_longP(result, (0), sub_int(n, (1)),
       longP_alloc_table)
      and (alloc_extends(longP_alloc_table@, longP_alloc_table)
          and (alloc_fresh(longP_alloc_table@, result, n)
              and instanceof(longP_tag_table, result, longP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int32 : unit -> { } int32 { true }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter binary_search :
 t_0:longP pointer ->
  n_1:int32 ->
   v:int32 ->
    longP_t_2_alloc_table:longP alloc_table ->
     longP_longM_t_2:(longP, int32) memory ->
      { } int32
      { ((sorted(t_0, (0), sub_int(integer_of_int32(n_1), (1)),
          longP_longM_t_2) ->
          (JC_22:
          ((integer_of_int32(result) = neg_int((1))) ->
           (forall k_0:int.
            ((le_int((0), k_0) and lt_int(k_0, integer_of_int32(n_1))) ->
             (integer_of_int32(select(longP_longM_t_2, shift(t_0, k_0))) <> 
             integer_of_int32(v)))))))
        and ((JC_20:
             (ge_int(integer_of_int32(result), (0)) ->
              (integer_of_int32(select(longP_longM_t_2,
                                shift(t_0, integer_of_int32(result)))) = 
              integer_of_int32(v))))
            and (JC_16:
                ((JC_14: le_int(neg_int((1)), integer_of_int32(result)))
                and (JC_15:
                    lt_int(integer_of_int32(result), integer_of_int32(n_1))))))) }

parameter binary_search_requires :
 t_0:longP pointer ->
  n_1:int32 ->
   v:int32 ->
    longP_t_2_alloc_table:longP alloc_table ->
     longP_longM_t_2:(longP, int32) memory ->
      { (JC_4:
        ((JC_1: ge_int(integer_of_int32(n_1), (0)))
        and ((JC_2: le_int(offset_min(longP_t_2_alloc_table, t_0), (0)))
            and (JC_3:
                ge_int(offset_max(longP_t_2_alloc_table, t_0),
                sub_int(integer_of_int32(n_1), (1)))))))}
      int32
      { ((sorted(t_0, (0), sub_int(integer_of_int32(n_1), (1)),
          longP_longM_t_2) ->
          (JC_22:
          ((integer_of_int32(result) = neg_int((1))) ->
           (forall k_0:int.
            ((le_int((0), k_0) and lt_int(k_0, integer_of_int32(n_1))) ->
             (integer_of_int32(select(longP_longM_t_2, shift(t_0, k_0))) <> 
             integer_of_int32(v)))))))
        and ((JC_20:
             (ge_int(integer_of_int32(result), (0)) ->
              (integer_of_int32(select(longP_longM_t_2,
                                shift(t_0, integer_of_int32(result)))) = 
              integer_of_int32(v))))
            and (JC_16:
                ((JC_14: le_int(neg_int((1)), integer_of_int32(result)))
                and (JC_15:
                    lt_int(integer_of_int32(result), integer_of_int32(n_1))))))) }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let binary_search_ensures_default =
 fun (t_0 : longP pointer) (n_1 : int32) (v : int32) (longP_t_2_alloc_table : longP alloc_table) (longP_longM_t_2 : (longP, int32) memory) ->
  { (JC_9:
    ((JC_6: ge_int(integer_of_int32(n_1), (0)))
    and ((JC_7: le_int(offset_min(longP_t_2_alloc_table, t_0), (0)))
        and (JC_8:
            ge_int(offset_max(longP_t_2_alloc_table, t_0),
            sub_int(integer_of_int32(n_1), (1))))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let l = ref (any_int32 void) in
     (let u = ref (any_int32 void) in
     (let m = ref (any_int32 void) in
     (let __retres = ref (any_int32 void) in
     try
      begin
        try
         begin
           (let _jessie_ = (l := (safe_int32_of_integer_ (0))) in void);
          (let _jessie_ =
          (u := (safe_int32_of_integer_ ((sub_int (integer_of_int32 n_1)) (1)))) in
          void);
          (loop_2:
          begin
            while true do
            { invariant
                (JC_42:
                ((JC_40: le_int((0), integer_of_int32(l)))
                and (JC_41:
                    le_int(integer_of_int32(u),
                    sub_int(integer_of_int32(n_1), (1))))))  }
             begin
               [ { } unit { true } ];
              try
               begin
                 (if ((le_int_ (integer_of_int32 !l)) (integer_of_int32 !u))
                 then void else (raise (Goto_while_0_break_exc void)));
                (let _jessie_ =
                (m := (safe_int32_of_integer_ ((add_int (integer_of_int32 !l)) 
                                               (integer_of_int32 (safe_int32_of_integer_ 
                                                                  (JC_46:
                                                                  ((computer_div 
                                                                    (integer_of_int32 
                                                                    (safe_int32_of_integer_ 
                                                                    ((sub_int 
                                                                    (integer_of_int32 !u)) 
                                                                    (integer_of_int32 !l))))) (2)))))))) in
                void);
                (assert
                { (JC_47:
                  (le_int(integer_of_int32(l), integer_of_int32(m))
                  and le_int(integer_of_int32(m), integer_of_int32(u)))) };
                void); void;
                (if ((lt_int_ (integer_of_int32 ((safe_acc_ longP_longM_t_2) 
                                                 ((shift t_0) (integer_of_int32 !m))))) 
                     (integer_of_int32 v))
                then
                 (let _jessie_ =
                 (l := (safe_int32_of_integer_ ((add_int (integer_of_int32 !m)) (1)))) in
                 void)
                else
                 (if ((gt_int_ (integer_of_int32 ((safe_acc_ longP_longM_t_2) 
                                                  ((shift t_0) (integer_of_int32 !m))))) 
                      (integer_of_int32 v))
                 then
                  (let _jessie_ =
                  (u := (safe_int32_of_integer_ ((sub_int (integer_of_int32 !m)) (1)))) in
                  void)
                 else
                  begin
                    (let _jessie_ = (__retres := !m) in void);
                   (raise (Return_label_exc void)) end));
                (raise (Loop_continue_exc void)) end with
               Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ ->
         (let _jessie_ =
         (while_0_break:
         begin
           void; (__retres := (safe_int32_of_integer_ (neg_int (1))));
          !__retres end) in void) end; (raise (Return_label_exc void)) end
      with Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres); (raise Return) end) end))));
    absurd  end with Return -> !return end))
  { (JC_13:
    ((JC_11: le_int(neg_int((1)), integer_of_int32(result)))
    and (JC_12: lt_int(integer_of_int32(result), integer_of_int32(n_1))))) } 

let binary_search_ensures_failure =
 fun (t_0 : longP pointer) (n_1 : int32) (v : int32) (longP_t_2_alloc_table : longP alloc_table) (longP_longM_t_2 : (longP, int32) memory) ->
  { (sorted(t_0, (0), sub_int(integer_of_int32(n_1), (1)), longP_longM_t_2)
    and (JC_9:
        ((JC_6: ge_int(integer_of_int32(n_1), (0)))
        and ((JC_7: le_int(offset_min(longP_t_2_alloc_table, t_0), (0)))
            and (JC_8:
                ge_int(offset_max(longP_t_2_alloc_table, t_0),
                sub_int(integer_of_int32(n_1), (1)))))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let l = ref (any_int32 void) in
     (let u = ref (any_int32 void) in
     (let m = ref (any_int32 void) in
     (let __retres = ref (any_int32 void) in
     try
      begin
        try
         begin
           (let _jessie_ = (l := (safe_int32_of_integer_ (0))) in void);
          (let _jessie_ =
          (u := (safe_int32_of_integer_ ((sub_int (integer_of_int32 n_1)) (1)))) in
          void);
          (loop_4:
          begin
            while true do
            { invariant
                (JC_56:
                (forall k:int.
                 ((le_int((0), k)
                  and (lt_int(k, integer_of_int32(n_1))
                      and (integer_of_int32(select(longP_longM_t_2,
                                            shift(t_0, k))) = integer_of_int32(v)))) ->
                  (le_int(integer_of_int32(l), k)
                  and le_int(k, integer_of_int32(u))))))  }
             begin
               [ { } unit reads l,u
                 { (JC_59:
                   ((JC_57: le_int((0), integer_of_int32(l)))
                   and (JC_58:
                       le_int(integer_of_int32(u),
                       sub_int(integer_of_int32(n_1), (1)))))) } ];
              try
               begin
                 (if ((le_int_ (integer_of_int32 !l)) (integer_of_int32 !u))
                 then void else (raise (Goto_while_0_break_exc void)));
                (let _jessie_ =
                (m := (safe_int32_of_integer_ ((add_int (integer_of_int32 !l)) 
                                               (integer_of_int32 (safe_int32_of_integer_ 
                                                                  (JC_63:
                                                                  ((computer_div 
                                                                    (integer_of_int32 
                                                                    (safe_int32_of_integer_ 
                                                                    ((sub_int 
                                                                    (integer_of_int32 !u)) 
                                                                    (integer_of_int32 !l))))) (2)))))))) in
                void);
                [ { } unit reads l,m,u
                  { (JC_64:
                    (le_int(integer_of_int32(l), integer_of_int32(m))
                    and le_int(integer_of_int32(m), integer_of_int32(u)))) } ];
                void;
                (if ((lt_int_ (integer_of_int32 ((safe_acc_ longP_longM_t_2) 
                                                 ((shift t_0) (integer_of_int32 !m))))) 
                     (integer_of_int32 v))
                then
                 (let _jessie_ =
                 (l := (safe_int32_of_integer_ ((add_int (integer_of_int32 !m)) (1)))) in
                 void)
                else
                 (if ((gt_int_ (integer_of_int32 ((safe_acc_ longP_longM_t_2) 
                                                  ((shift t_0) (integer_of_int32 !m))))) 
                      (integer_of_int32 v))
                 then
                  (let _jessie_ =
                  (u := (safe_int32_of_integer_ ((sub_int (integer_of_int32 !m)) (1)))) in
                  void)
                 else
                  begin
                    (let _jessie_ = (__retres := !m) in void);
                   (raise (Return_label_exc void)) end));
                (raise (Loop_continue_exc void)) end with
               Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ ->
         (let _jessie_ =
         (while_0_break:
         begin
           void; (__retres := (safe_int32_of_integer_ (neg_int (1))));
          !__retres end) in void) end; (raise (Return_label_exc void)) end
      with Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres); (raise Return) end) end))));
    absurd  end with Return -> !return end))
  { (JC_21:
    ((integer_of_int32(result) = neg_int((1))) ->
     (forall k_0:int.
      ((le_int((0), k_0) and lt_int(k_0, integer_of_int32(n_1))) ->
       (integer_of_int32(select(longP_longM_t_2, shift(t_0, k_0))) <> 
       integer_of_int32(v)))))) } 

let binary_search_ensures_success =
 fun (t_0 : longP pointer) (n_1 : int32) (v : int32) (longP_t_2_alloc_table : longP alloc_table) (longP_longM_t_2 : (longP, int32) memory) ->
  { (JC_9:
    ((JC_6: ge_int(integer_of_int32(n_1), (0)))
    and ((JC_7: le_int(offset_min(longP_t_2_alloc_table, t_0), (0)))
        and (JC_8:
            ge_int(offset_max(longP_t_2_alloc_table, t_0),
            sub_int(integer_of_int32(n_1), (1))))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let l = ref (any_int32 void) in
     (let u = ref (any_int32 void) in
     (let m = ref (any_int32 void) in
     (let __retres = ref (any_int32 void) in
     try
      begin
        try
         begin
           (let _jessie_ = (l := (safe_int32_of_integer_ (0))) in void);
          (let _jessie_ =
          (u := (safe_int32_of_integer_ ((sub_int (integer_of_int32 n_1)) (1)))) in
          void);
          (loop_3:
          begin
            while true do
            { invariant (JC_52: true)  }
             begin
               [ { } unit reads l,u
                 { (JC_50:
                   ((JC_48: le_int((0), integer_of_int32(l)))
                   and (JC_49:
                       le_int(integer_of_int32(u),
                       sub_int(integer_of_int32(n_1), (1)))))) } ];
              try
               begin
                 (if ((le_int_ (integer_of_int32 !l)) (integer_of_int32 !u))
                 then void else (raise (Goto_while_0_break_exc void)));
                (let _jessie_ =
                (m := (safe_int32_of_integer_ ((add_int (integer_of_int32 !l)) 
                                               (integer_of_int32 (safe_int32_of_integer_ 
                                                                  (JC_54:
                                                                  ((computer_div 
                                                                    (integer_of_int32 
                                                                    (safe_int32_of_integer_ 
                                                                    ((sub_int 
                                                                    (integer_of_int32 !u)) 
                                                                    (integer_of_int32 !l))))) (2)))))))) in
                void);
                [ { } unit reads l,m,u
                  { (JC_55:
                    (le_int(integer_of_int32(l), integer_of_int32(m))
                    and le_int(integer_of_int32(m), integer_of_int32(u)))) } ];
                void;
                (if ((lt_int_ (integer_of_int32 ((safe_acc_ longP_longM_t_2) 
                                                 ((shift t_0) (integer_of_int32 !m))))) 
                     (integer_of_int32 v))
                then
                 (let _jessie_ =
                 (l := (safe_int32_of_integer_ ((add_int (integer_of_int32 !m)) (1)))) in
                 void)
                else
                 (if ((gt_int_ (integer_of_int32 ((safe_acc_ longP_longM_t_2) 
                                                  ((shift t_0) (integer_of_int32 !m))))) 
                      (integer_of_int32 v))
                 then
                  (let _jessie_ =
                  (u := (safe_int32_of_integer_ ((sub_int (integer_of_int32 !m)) (1)))) in
                  void)
                 else
                  begin
                    (let _jessie_ = (__retres := !m) in void);
                   (raise (Return_label_exc void)) end));
                (raise (Loop_continue_exc void)) end with
               Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ ->
         (let _jessie_ =
         (while_0_break:
         begin
           void; (__retres := (safe_int32_of_integer_ (neg_int (1))));
          !__retres end) in void) end; (raise (Return_label_exc void)) end
      with Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres); (raise Return) end) end))));
    absurd  end with Return -> !return end))
  { (JC_19:
    (ge_int(integer_of_int32(result), (0)) ->
     (integer_of_int32(select(longP_longM_t_2,
                       shift(t_0, integer_of_int32(result)))) = integer_of_int32(v)))) }
  

let binary_search_safety =
 fun (t_0 : longP pointer) (n_1 : int32) (v : int32) (longP_t_2_alloc_table : longP alloc_table) (longP_longM_t_2 : (longP, int32) memory) ->
  { (JC_9:
    ((JC_6: ge_int(integer_of_int32(n_1), (0)))
    and ((JC_7: le_int(offset_min(longP_t_2_alloc_table, t_0), (0)))
        and (JC_8:
            ge_int(offset_max(longP_t_2_alloc_table, t_0),
            sub_int(integer_of_int32(n_1), (1))))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let l = ref (any_int32 void) in
     (let u = ref (any_int32 void) in
     (let m = ref (any_int32 void) in
     (let __retres = ref (any_int32 void) in
     try
      begin
        try
         begin
           (let _jessie_ = (l := (safe_int32_of_integer_ (0))) in void);
          (let _jessie_ =
          (u := (JC_23:
                (int32_of_integer_ ((sub_int (integer_of_int32 n_1)) (1))))) in
          void);
          (loop_1:
          begin
            while true do
            { invariant (JC_28: true)
              variant (JC_39 : sub_int(integer_of_int32(u),
                               integer_of_int32(l))) }
             begin
               [ { } unit reads l,u
                 { (JC_26:
                   ((JC_24: le_int((0), integer_of_int32(l)))
                   and (JC_25:
                       le_int(integer_of_int32(u),
                       sub_int(integer_of_int32(n_1), (1)))))) } ];
              try
               begin
                 (if ((le_int_ (integer_of_int32 !l)) (integer_of_int32 !u))
                 then void else (raise (Goto_while_0_break_exc void)));
                (let _jessie_ =
                (m := (JC_33:
                      (int32_of_integer_ ((add_int (integer_of_int32 !l)) 
                                          (integer_of_int32 (JC_32:
                                                            (int32_of_integer_ 
                                                             (JC_31:
                                                             ((computer_div_ 
                                                               (integer_of_int32 
                                                                (JC_30:
                                                                (int32_of_integer_ 
                                                                 ((sub_int 
                                                                   (integer_of_int32 !u)) 
                                                                  (integer_of_int32 !l)))))) (2)))))))))) in
                void);
                [ { } unit reads l,m,u
                  { (JC_34:
                    (le_int(integer_of_int32(l), integer_of_int32(m))
                    and le_int(integer_of_int32(m), integer_of_int32(u)))) } ];
                void;
                (if ((lt_int_ (integer_of_int32 (JC_35:
                                                ((((offset_acc_ longP_t_2_alloc_table) longP_longM_t_2) t_0) 
                                                 (integer_of_int32 !m))))) 
                     (integer_of_int32 v))
                then
                 (let _jessie_ =
                 (l := (JC_36:
                       (int32_of_integer_ ((add_int (integer_of_int32 !m)) (1))))) in
                 void)
                else
                 (if ((gt_int_ (integer_of_int32 (JC_37:
                                                 ((((offset_acc_ longP_t_2_alloc_table) longP_longM_t_2) t_0) 
                                                  (integer_of_int32 !m))))) 
                      (integer_of_int32 v))
                 then
                  (let _jessie_ =
                  (u := (JC_38:
                        (int32_of_integer_ ((sub_int (integer_of_int32 !m)) (1))))) in
                  void)
                 else
                  begin
                    (let _jessie_ = (__retres := !m) in void);
                   (raise (Return_label_exc void)) end));
                (raise (Loop_continue_exc void)) end with
               Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ ->
         (let _jessie_ =
         (while_0_break:
         begin
           void; (__retres := (safe_int32_of_integer_ (neg_int (1))));
          !__retres end) in void) end; (raise (Return_label_exc void)) end
      with Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres); (raise Return) end) end))));
    absurd  end with Return -> !return end)) { true } 


why-2.39/tests/c/oracle/rec.err.oracle0000644000106100004300000000000013147234006016577 0ustar  marchevalswhy-2.39/tests/c/oracle/eps_line2.res.oracle0000644000106100004300000011676613147234006017742 0ustar  marchevals========== file tests/c/eps_line2.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

#pragma JessieFloatModel(multirounding)

#define E 0x1.90641p-45

//@ logic integer l_sign(real x) = (x >= 0.0) ? 1 : -1;

/*@ requires e1<= x-\exact(x) <= e2;
  @ ensures  (\result != 0 ==> \result == l_sign(\exact(x))) &&
  @          \abs(\result) <= 1 ;
  @*/
int sign(double x, double e1, double e2) {

  if (x > e2)
    return 1;
  if (x < e1)
    return -1;
  return 0;
}

/*@ requires
  @   sx == \exact(sx)  && sy == \exact(sy) &&
  @   vx == \exact(vx)  && vy == \exact(vy) &&
  @   \abs(sx) <= 100.0 && \abs(sy) <= 100.0 &&
  @   \abs(vx) <= 1.0   && \abs(vy) <= 1.0;
  @ ensures
  @    \result != 0
  @      ==> \result == l_sign(\exact(sx)*\exact(vx)+\exact(sy)*\exact(vy))
  @            * l_sign(\exact(sx)*\exact(vy)-\exact(sy)*\exact(vx));
  @*/
int eps_line(double sx, double sy,double vx, double vy){
  int s1,s2;

  s1=sign(sx*vx+sy*vy, -E, E);
  s2=sign(sx*vy-sy*vx, -E, E);

  return s1*s2;
}

/*
Local Variables:
compile-command: "LC_ALL=C make eps_line2.why3ide"
End:
*/
========== frama-c -jessie execution ==========
[kernel] Parsing FRAMAC_SHARE/libc/__fc_builtin_for_normalization.i (no preprocessing)
[kernel] Parsing tests/c/eps_line2.c (with preprocessing)
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/eps_line2.jessie
[jessie] File tests/c/eps_line2.jessie/eps_line2.jc written.
[jessie] File tests/c/eps_line2.jessie/eps_line2.cloc written.
========== file tests/c/eps_line2.jessie/eps_line2.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol
# FloatModel = multirounding

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type int8 = -128..127

type int32 = -2147483648..2147483647

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

logic integer l_sign(real x) =
(if (x >= 0.0) then 1 else (- 1))

int32 sign(double x, double e1, double e2)
  requires (_C_7 : ((_C_8 : ((e1 :> real) <=
                              ((x :> real) - \double_exact(x)))) &&
                     (_C_9 : (((x :> real) - \double_exact(x)) <=
                               (e2 :> real)))));
behavior default:
  ensures (_C_4 : ((_C_5 : ((\result != 0) ==>
                             (\result == l_sign(\double_exact(\at(x,Old)))))) &&
                    (_C_6 : (\integer_abs(\result) <= 1))));
{  
   (var int32 __retres);
   
   {  (if (x > e2) then 
      {  (_C_1 : (__retres = 1));
         
         (goto return_label)
      } else ());
      (if (x < e1) then 
      {  (_C_2 : (__retres = -1));
         
         (goto return_label)
      } else ());
      (_C_3 : (__retres = 0));
      (return_label : 
      (return __retres))
   }
}

int32 eps_line(double sx, double sy, double vx, double vy)
  requires (_C_26 : ((((((((_C_33 : ((sx :> real) == \double_exact(sx))) &&
                            (_C_34 : ((sy :> real) == \double_exact(sy)))) &&
                           (_C_35 : ((vx :> real) == \double_exact(vx)))) &&
                          (_C_36 : ((vy :> real) == \double_exact(vy)))) &&
                         (_C_37 : (\real_abs((sx :> real)) <= 100.0))) &&
                        (_C_38 : (\real_abs((sy :> real)) <= 100.0))) &&
                       (_C_39 : (\real_abs((vx :> real)) <= 1.0))) &&
                      (_C_40 : (\real_abs((vy :> real)) <= 1.0))));
behavior default:
  ensures (_C_25 : ((\result != 0) ==>
                     (\result ==
                       (l_sign(((\double_exact(\at(sx,Old)) *
                                  \double_exact(\at(vx,Old))) +
                                 (\double_exact(\at(sy,Old)) *
                                   \double_exact(\at(vy,Old))))) *
                         l_sign(((\double_exact(\at(sx,Old)) *
                                   \double_exact(\at(vy,Old))) -
                                  (\double_exact(\at(sy,Old)) *
                                    \double_exact(\at(vx,Old)))))))));
{  
   (var int32 s1);
   
   (var int32 s2);
   
   (var int32 __retres_0);
   
   {  (_C_15 : (s1 = (_C_14 : sign((_C_12 : ((_C_11 : (sx * vx)) +
                                              (_C_10 : (sy * vy)))),
                                   (_C_13 : (- (0x1.90641p-45 :> double))),
                                   (0x1.90641p-45 :> double)))));
      (_C_21 : (s2 = (_C_20 : sign((_C_18 : ((_C_17 : (sx * vy)) -
                                              (_C_16 : (sy * vx)))),
                                   (_C_19 : (- (0x1.90641p-45 :> double))),
                                   (0x1.90641p-45 :> double)))));
      (_C_24 : (__retres_0 = (_C_23 : ((_C_22 : (s1 * s2)) :> int32))));
      
      (return __retres_0)
   }
}
========== file tests/c/eps_line2.jessie/eps_line2.cloc ==========
[sign]
name = "Function sign"
file = "HOME/tests/c/eps_line2.c"
line = 42
begin = 4
end = 8

[_C_35]
file = "HOME/tests/c/eps_line2.c"
line = 53
begin = 6
end = 22

[_C_28]
file = "HOME/tests/c/eps_line2.c"
line = 52
begin = 6
end = 136

[_C_31]
file = "HOME/tests/c/eps_line2.c"
line = 52
begin = 6
end = 68

[_C_4]
file = "HOME/tests/c/eps_line2.c"
line = 39
begin = 12
end = 94

[_C_32]
file = "HOME/tests/c/eps_line2.c"
line = 52
begin = 6
end = 42

[_C_23]
file = "HOME/tests/c/eps_line2.c"
line = 67
begin = 9
end = 14

[_C_19]
file = "HOME/tests/c/eps_line2.c"
line = 65
begin = 24
end = 37

[_C_13]
file = "HOME/tests/c/eps_line2.c"
line = 64
begin = 24
end = 37

[_C_5]
file = "HOME/tests/c/eps_line2.c"
line = 39
begin = 12
end = 59

[_C_36]
file = "HOME/tests/c/eps_line2.c"
line = 53
begin = 26
end = 42

[_C_12]
file = "HOME/tests/c/eps_line2.c"
line = 64
begin = 10
end = 21

[_C_33]
file = "HOME/tests/c/eps_line2.c"
line = 52
begin = 6
end = 22

[_C_22]
file = "HOME/tests/c/eps_line2.c"
line = 67
begin = 9
end = 14

[_C_9]
file = "HOME/tests/c/eps_line2.c"
line = 38
begin = 21
end = 38

[_C_30]
file = "HOME/tests/c/eps_line2.c"
line = 52
begin = 6
end = 88

[_C_6]
file = "HOME/tests/c/eps_line2.c"
line = 40
begin = 13
end = 31

[_C_24]
file = "HOME/tests/c/eps_line2.c"
line = 67
begin = 2
end = 15

[_C_20]
file = "HOME/tests/c/eps_line2.c"
line = 65
begin = 5
end = 53

[_C_38]
file = "HOME/tests/c/eps_line2.c"
line = 54
begin = 27
end = 44

[_C_3]
file = "HOME/tests/c/eps_line2.c"
line = 48
begin = 2
end = 11

[_C_17]
file = "HOME/tests/c/eps_line2.c"
line = 65
begin = 10
end = 15

[_C_7]
file = "HOME/tests/c/eps_line2.c"
line = 38
begin = 16
end = 38

[_C_27]
file = "HOME/tests/c/eps_line2.c"
line = 52
begin = 6
end = 161

[_C_15]
file = "HOME/tests/c/eps_line2.c"
line = 64
begin = 5
end = 53

[_C_26]
file = "HOME/tests/c/eps_line2.c"
line = 52
begin = 6
end = 180

[_C_10]
file = "HOME/tests/c/eps_line2.c"
line = 64
begin = 16
end = 21

[_C_40]
file = "HOME/tests/c/eps_line2.c"
line = 55
begin = 25
end = 40

[_C_8]
file = "HOME/tests/c/eps_line2.c"
line = 38
begin = 16
end = 32

[_C_18]
file = "HOME/tests/c/eps_line2.c"
line = 65
begin = 10
end = 21

[_C_29]
file = "HOME/tests/c/eps_line2.c"
line = 52
begin = 6
end = 115

[_C_14]
file = "HOME/tests/c/eps_line2.c"
line = 64
begin = 5
end = 53

[_C_37]
file = "HOME/tests/c/eps_line2.c"
line = 54
begin = 6
end = 23

[_C_2]
file = "HOME/tests/c/eps_line2.c"
line = 47
begin = 4
end = 14

[_C_34]
file = "HOME/tests/c/eps_line2.c"
line = 52
begin = 26
end = 42

[_C_16]
file = "HOME/tests/c/eps_line2.c"
line = 65
begin = 16
end = 21

[eps_line]
name = "Function eps_line"
file = "HOME/tests/c/eps_line2.c"
line = 61
begin = 4
end = 12

[_C_1]
file = "HOME/tests/c/eps_line2.c"
line = 45
begin = 4
end = 13

[_C_25]
file = "HOME/tests/c/eps_line2.c"
line = 57
begin = 7
end = 164

[_C_39]
file = "HOME/tests/c/eps_line2.c"
line = 55
begin = 6
end = 21

[_C_11]
file = "HOME/tests/c/eps_line2.c"
line = 64
begin = 10
end = 15

[_C_21]
file = "HOME/tests/c/eps_line2.c"
line = 65
begin = 5
end = 53

========== jessie execution ==========
Generating Why function sign
Generating Why function eps_line
========== file tests/c/eps_line2.jessie/eps_line2.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why $(WHYLIB)/why/floats_multi_rounding.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/eps_line2_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: eps_line2.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: eps_line2.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: eps_line2.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/c/eps_line2.jessie/eps_line2.loc ==========
[JC_63]
kind = FPOverflow
file = "HOME/tests/c/eps_line2.c"
line = 65
begin = 16
end = 21

[JC_51]
kind = FPOverflow
file = "HOME/tests/c/eps_line2.c"
line = 65
begin = 10
end = 15

[JC_45]
kind = FPOverflow
file = "HOME/tests/c/eps_line2.c"
line = 64
begin = 16
end = 21

[JC_64]
kind = FPOverflow
file = "HOME/tests/c/eps_line2.c"
line = 65
begin = 10
end = 21

[eps_line_safety]
name = "Function eps_line"
behavior = "Safety"
file = "HOME/tests/c/eps_line2.c"
line = 61
begin = 4
end = 12

[JC_31]
file = "HOME/tests/c/eps_line2.c"
line = 54
begin = 6
end = 23

[JC_17]
file = "HOME/tests/c/eps_line2.c"
line = 52
begin = 6
end = 22

[JC_55]
kind = ArithOverflow
file = "HOME/tests/c/eps_line2.c"
line = 67
begin = 9
end = 14

[JC_48]
kind = FPOverflow
file = "HOME/tests/c/eps_line2.jessie/eps_line2.jc"
line = 102
begin = 35
end = 60

[JC_23]
file = "HOME/tests/c/eps_line2.c"
line = 55
begin = 6
end = 21

[JC_22]
file = "HOME/tests/c/eps_line2.c"
line = 54
begin = 27
end = 44

[JC_5]
file = "HOME/tests/c/eps_line2.c"
line = 38
begin = 16
end = 32

[JC_9]
file = "HOME/tests/c/eps_line2.c"
line = 39
begin = 12
end = 59

[JC_24]
file = "HOME/tests/c/eps_line2.c"
line = 55
begin = 25
end = 40

[JC_25]
file = "HOME/tests/c/eps_line2.c"
line = 52
begin = 6
end = 180

[JC_41]
kind = FPOverflow
file = "HOME/tests/c/eps_line2.jessie/eps_line2.jc"
line = 98
begin = 35
end = 60

[JC_47]
kind = UserCall
file = "HOME/tests/c/eps_line2.c"
line = 64
begin = 5
end = 53

[JC_52]
kind = FPOverflow
file = "HOME/tests/c/eps_line2.c"
line = 65
begin = 16
end = 21

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
kind = UserCall
file = "HOME/tests/c/eps_line2.c"
line = 65
begin = 5
end = 53

[JC_13]
file = "HOME/tests/c/eps_line2.c"
line = 40
begin = 13
end = 31

[JC_11]
file = "HOME/tests/c/eps_line2.c"
line = 39
begin = 12
end = 94

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[sign_ensures_default]
name = "Function sign"
behavior = "default behavior"
file = "HOME/tests/c/eps_line2.c"
line = 42
begin = 4
end = 8

[JC_39]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_35]
file = "HOME/tests/c/eps_line2.c"
line = 52
begin = 6
end = 180

[sign_safety]
name = "Function sign"
behavior = "Safety"
file = "HOME/tests/c/eps_line2.c"
line = 42
begin = 4
end = 8

[JC_27]
file = "HOME/tests/c/eps_line2.c"
line = 52
begin = 6
end = 22

[JC_38]
file = "HOME/tests/c/eps_line2.c"
line = 57
begin = 7
end = 164

[JC_12]
file = "HOME/tests/c/eps_line2.c"
line = 39
begin = 12
end = 59

[JC_6]
file = "HOME/tests/c/eps_line2.c"
line = 38
begin = 21
end = 38

[JC_44]
kind = FPOverflow
file = "HOME/tests/c/eps_line2.c"
line = 64
begin = 10
end = 15

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
kind = FPOverflow
file = "HOME/tests/c/eps_line2.c"
line = 65
begin = 10
end = 15

[JC_42]
kind = FPOverflow
file = "HOME/tests/c/eps_line2.jessie/eps_line2.jc"
line = 97
begin = 47
end = 72

[JC_46]
kind = FPOverflow
file = "HOME/tests/c/eps_line2.c"
line = 64
begin = 10
end = 21

[JC_61]
kind = FPOverflow
file = "HOME/tests/c/eps_line2.c"
line = 65
begin = 24
end = 37

[JC_32]
file = "HOME/tests/c/eps_line2.c"
line = 54
begin = 27
end = 44

[JC_56]
kind = FPOverflow
file = "HOME/tests/c/eps_line2.c"
line = 64
begin = 24
end = 37

[JC_33]
file = "HOME/tests/c/eps_line2.c"
line = 55
begin = 6
end = 21

[JC_65]
kind = UserCall
file = "HOME/tests/c/eps_line2.c"
line = 65
begin = 5
end = 53

[JC_29]
file = "HOME/tests/c/eps_line2.c"
line = 53
begin = 6
end = 22

[JC_7]
file = "HOME/tests/c/eps_line2.c"
line = 38
begin = 16
end = 38

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_43]
kind = FPOverflow
file = "HOME/tests/c/eps_line2.c"
line = 64
begin = 24
end = 37

[JC_2]
file = "HOME/tests/c/eps_line2.c"
line = 38
begin = 21
end = 38

[JC_34]
file = "HOME/tests/c/eps_line2.c"
line = 55
begin = 25
end = 40

[JC_14]
file = "HOME/tests/c/eps_line2.c"
line = 39
begin = 12
end = 94

[JC_53]
kind = FPOverflow
file = "HOME/tests/c/eps_line2.c"
line = 65
begin = 10
end = 21

[JC_21]
file = "HOME/tests/c/eps_line2.c"
line = 54
begin = 6
end = 23

[JC_49]
kind = FPOverflow
file = "HOME/tests/c/eps_line2.jessie/eps_line2.jc"
line = 101
begin = 47
end = 72

[JC_1]
file = "HOME/tests/c/eps_line2.c"
line = 38
begin = 16
end = 32

[JC_37]
file = "HOME/tests/c/eps_line2.c"
line = 57
begin = 7
end = 164

[JC_10]
file = "HOME/tests/c/eps_line2.c"
line = 40
begin = 13
end = 31

[JC_57]
kind = FPOverflow
file = "HOME/tests/c/eps_line2.c"
line = 64
begin = 10
end = 15

[JC_59]
kind = FPOverflow
file = "HOME/tests/c/eps_line2.c"
line = 64
begin = 10
end = 21

[JC_20]
file = "HOME/tests/c/eps_line2.c"
line = 53
begin = 26
end = 42

[JC_18]
file = "HOME/tests/c/eps_line2.c"
line = 52
begin = 26
end = 42

[JC_3]
file = "HOME/tests/c/eps_line2.c"
line = 38
begin = 16
end = 38

[JC_60]
kind = UserCall
file = "HOME/tests/c/eps_line2.c"
line = 64
begin = 5
end = 53

[JC_19]
file = "HOME/tests/c/eps_line2.c"
line = 53
begin = 6
end = 22

[JC_50]
kind = FPOverflow
file = "HOME/tests/c/eps_line2.c"
line = 65
begin = 24
end = 37

[JC_30]
file = "HOME/tests/c/eps_line2.c"
line = 53
begin = 26
end = 42

[eps_line_ensures_default]
name = "Function eps_line"
behavior = "default behavior"
file = "HOME/tests/c/eps_line2.c"
line = 61
begin = 4
end = 12

[JC_58]
kind = FPOverflow
file = "HOME/tests/c/eps_line2.c"
line = 64
begin = 16
end = 21

[JC_28]
file = "HOME/tests/c/eps_line2.c"
line = 52
begin = 26
end = 42

========== file tests/c/eps_line2.jessie/why/eps_line2.why ==========
type charP

type int32

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

function l_sign(x_0:real) : int =
 (if ge_real_bool(x_0, 0.0) then (1) else neg_int((1)))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int32 : unit -> { } int32 { true }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter eps_line :
 sx:double ->
  sy:double ->
   vx:double ->
    vy:double ->
     { } int32
     { (JC_38:
       ((integer_of_int32(result) <> (0)) ->
        (integer_of_int32(result) = mul_int(l_sign(add_real(mul_real(
                                                            double_exact(sx),
                                                            double_exact(vx)),
                                                   mul_real(double_exact(sy),
                                                   double_exact(vy)))),
                                    l_sign(sub_real(mul_real(double_exact(sx),
                                                    double_exact(vy)),
                                           mul_real(double_exact(sy),
                                           double_exact(vx)))))))) }

parameter eps_line_requires :
 sx:double ->
  sy:double ->
   vx:double ->
    vy:double ->
     { (JC_25:
       ((JC_17: (double_value(sx) = double_exact(sx)))
       and ((JC_18: (double_value(sy) = double_exact(sy)))
           and ((JC_19: (double_value(vx) = double_exact(vx)))
               and ((JC_20: (double_value(vy) = double_exact(vy)))
                   and ((JC_21: le_real(abs_real(double_value(sx)), 100.0))
                       and ((JC_22:
                            le_real(abs_real(double_value(sy)), 100.0))
                           and ((JC_23:
                                le_real(abs_real(double_value(vx)), 1.0))
                               and (JC_24:
                                   le_real(abs_real(double_value(vy)), 1.0))))))))))}
     int32
     { (JC_38:
       ((integer_of_int32(result) <> (0)) ->
        (integer_of_int32(result) = mul_int(l_sign(add_real(mul_real(
                                                            double_exact(sx),
                                                            double_exact(vx)),
                                                   mul_real(double_exact(sy),
                                                   double_exact(vy)))),
                                    l_sign(sub_real(mul_real(double_exact(sx),
                                                    double_exact(vy)),
                                           mul_real(double_exact(sy),
                                           double_exact(vx)))))))) }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter sign :
 x_1:double ->
  e1:double ->
   e2:double ->
    { } int32
    { (JC_14:
      ((JC_12:
       ((integer_of_int32(result) <> (0)) ->
        (integer_of_int32(result) = l_sign(double_exact(x_1)))))
      and (JC_13: le_int(abs_int(integer_of_int32(result)), (1))))) }

parameter sign_requires :
 x_1:double ->
  e1:double ->
   e2:double ->
    { (JC_3:
      ((JC_1:
       le_real(double_value(e1),
       sub_real(double_value(x_1), double_exact(x_1))))
      and (JC_2:
          le_real(sub_real(double_value(x_1), double_exact(x_1)),
          double_value(e2)))))}
    int32
    { (JC_14:
      ((JC_12:
       ((integer_of_int32(result) <> (0)) ->
        (integer_of_int32(result) = l_sign(double_exact(x_1)))))
      and (JC_13: le_int(abs_int(integer_of_int32(result)), (1))))) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let eps_line_ensures_default =
 fun (sx : double) (sy : double) (vx : double) (vy : double) ->
  { (JC_35:
    ((JC_27: (double_value(sx) = double_exact(sx)))
    and ((JC_28: (double_value(sy) = double_exact(sy)))
        and ((JC_29: (double_value(vx) = double_exact(vx)))
            and ((JC_30: (double_value(vy) = double_exact(vy)))
                and ((JC_31: le_real(abs_real(double_value(sx)), 100.0))
                    and ((JC_32: le_real(abs_real(double_value(sy)), 100.0))
                        and ((JC_33:
                             le_real(abs_real(double_value(vx)), 1.0))
                            and (JC_34:
                                le_real(abs_real(double_value(vy)), 1.0)))))))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let s1_1 = ref (any_int32 void) in
     (let s2_1 = ref (any_int32 void) in
     (let __retres_0 = ref (any_int32 void) in
     begin
       (let _jessie_ =
       (s1_1 := (let _jessie_ =
                (JC_59:
                (((add_double_safe nearest_even) (JC_57:
                                                 (((mul_double_safe nearest_even) sx) vx))) 
                 (JC_58: (((mul_double_safe nearest_even) sy) vy)))) in
                (let _jessie_ =
                (JC_56:
                ((neg_double_safe nearest_even) ((double_of_real_safe nearest_even) 0x1.90641p-45))) in
                (let _jessie_ =
                ((double_of_real_safe nearest_even) 0x1.90641p-45) in
                (JC_60: (((sign _jessie_) _jessie_) _jessie_)))))) in
       void);
      (let _jessie_ =
      (s2_1 := (let _jessie_ =
               (JC_64:
               (((sub_double_safe nearest_even) (JC_62:
                                                (((mul_double_safe nearest_even) sx) vy))) 
                (JC_63: (((mul_double_safe nearest_even) sy) vx)))) in
               (let _jessie_ =
               (JC_61:
               ((neg_double_safe nearest_even) ((double_of_real_safe nearest_even) 0x1.90641p-45))) in
               (let _jessie_ =
               ((double_of_real_safe nearest_even) 0x1.90641p-45) in
               (JC_65: (((sign _jessie_) _jessie_) _jessie_)))))) in
      void);
      (let _jessie_ =
      (__retres_0 := (safe_int32_of_integer_ ((mul_int (integer_of_int32 !s1_1)) 
                                              (integer_of_int32 !s2_1)))) in
      void); (return := !__retres_0); (raise Return) end))); absurd  end with
   Return -> !return end))
  { (JC_37:
    ((integer_of_int32(result) <> (0)) ->
     (integer_of_int32(result) = mul_int(l_sign(add_real(mul_real(double_exact(sx),
                                                         double_exact(vx)),
                                                mul_real(double_exact(sy),
                                                double_exact(vy)))),
                                 l_sign(sub_real(mul_real(double_exact(sx),
                                                 double_exact(vy)),
                                        mul_real(double_exact(sy),
                                        double_exact(vx)))))))) } 

let eps_line_safety =
 fun (sx : double) (sy : double) (vx : double) (vy : double) ->
  { (JC_35:
    ((JC_27: (double_value(sx) = double_exact(sx)))
    and ((JC_28: (double_value(sy) = double_exact(sy)))
        and ((JC_29: (double_value(vx) = double_exact(vx)))
            and ((JC_30: (double_value(vy) = double_exact(vy)))
                and ((JC_31: le_real(abs_real(double_value(sx)), 100.0))
                    and ((JC_32: le_real(abs_real(double_value(sy)), 100.0))
                        and ((JC_33:
                             le_real(abs_real(double_value(vx)), 1.0))
                            and (JC_34:
                                le_real(abs_real(double_value(vy)), 1.0)))))))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let s1_1 = ref (any_int32 void) in
     (let s2_1 = ref (any_int32 void) in
     (let __retres_0 = ref (any_int32 void) in
     begin
       (let _jessie_ =
       (s1_1 := (let _jessie_ =
                (JC_46:
                (((add_double nearest_even) (JC_44:
                                            (((mul_double nearest_even) sx) vx))) 
                 (JC_45: (((mul_double nearest_even) sy) vy)))) in
                (let _jessie_ =
                (JC_43:
                ((neg_double nearest_even) (JC_42:
                                           ((double_of_real nearest_even) 0x1.90641p-45)))) in
                (let _jessie_ =
                (JC_41: ((double_of_real nearest_even) 0x1.90641p-45)) in
                (JC_47: (((sign_requires _jessie_) _jessie_) _jessie_)))))) in
       void);
      (let _jessie_ =
      (s2_1 := (let _jessie_ =
               (JC_53:
               (((sub_double nearest_even) (JC_51:
                                           (((mul_double nearest_even) sx) vy))) 
                (JC_52: (((mul_double nearest_even) sy) vx)))) in
               (let _jessie_ =
               (JC_50:
               ((neg_double nearest_even) (JC_49:
                                          ((double_of_real nearest_even) 0x1.90641p-45)))) in
               (let _jessie_ =
               (JC_48: ((double_of_real nearest_even) 0x1.90641p-45)) in
               (JC_54: (((sign_requires _jessie_) _jessie_) _jessie_)))))) in
      void);
      (let _jessie_ =
      (__retres_0 := (JC_55:
                     (int32_of_integer_ ((mul_int (integer_of_int32 !s1_1)) 
                                         (integer_of_int32 !s2_1))))) in
      void); (return := !__retres_0); (raise Return) end))); absurd  end with
   Return -> !return end)) { true } 

let sign_ensures_default =
 fun (x_1 : double) (e1 : double) (e2 : double) ->
  { (JC_7:
    ((JC_5:
     le_real(double_value(e1),
     sub_real(double_value(x_1), double_exact(x_1))))
    and (JC_6:
        le_real(sub_real(double_value(x_1), double_exact(x_1)),
        double_value(e2))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let __retres = ref (any_int32 void) in
     try
      begin
        (if ((gt_double_ x_1) e2)
        then
         begin
           (let _jessie_ = (__retres := (safe_int32_of_integer_ (1))) in
           void); (raise (Return_label_exc void)) end else void);
       (if ((lt_double_ x_1) e1)
       then
        begin
          (let _jessie_ =
          (__retres := (safe_int32_of_integer_ (neg_int (1)))) in void);
         (raise (Return_label_exc void)) end else void);
       (let _jessie_ = (__retres := (safe_int32_of_integer_ (0))) in void);
       (raise (Return_label_exc void)) end with Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres); (raise Return) end) end);
    absurd  end with Return -> !return end))
  { (JC_11:
    ((JC_9:
     ((integer_of_int32(result) <> (0)) ->
      (integer_of_int32(result) = l_sign(double_exact(x_1)))))
    and (JC_10: le_int(abs_int(integer_of_int32(result)), (1))))) } 

let sign_safety =
 fun (x_1 : double) (e1 : double) (e2 : double) ->
  { (JC_7:
    ((JC_5:
     le_real(double_value(e1),
     sub_real(double_value(x_1), double_exact(x_1))))
    and (JC_6:
        le_real(sub_real(double_value(x_1), double_exact(x_1)),
        double_value(e2))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let __retres = ref (any_int32 void) in
     try
      begin
        (if ((gt_double_ x_1) e2)
        then
         begin
           (let _jessie_ = (__retres := (safe_int32_of_integer_ (1))) in
           void); (raise (Return_label_exc void)) end else void);
       (if ((lt_double_ x_1) e1)
       then
        begin
          (let _jessie_ =
          (__retres := (safe_int32_of_integer_ (neg_int (1)))) in void);
         (raise (Return_label_exc void)) end else void);
       (let _jessie_ = (__retres := (safe_int32_of_integer_ (0))) in void);
       (raise (Return_label_exc void)) end with Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres); (raise Return) end) end);
    absurd  end with Return -> !return end)) { true } 


why-2.39/tests/c/oracle/binary_heap.res.oracle0000644000106100004300000003573313147234006020335 0ustar  marchevals========== file tests/c/binary_heap.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

typedef unsigned int uint;

struct Heap;

typedef struct Heap *heap;

heap create(uint sz);

void insert(heap u, int e);

int extract_min(heap u);


========== frama-c -jessie execution ==========
[kernel] Parsing FRAMAC_SHARE/libc/__fc_builtin_for_normalization.i (no preprocessing)
[kernel] Parsing tests/c/binary_heap.c (with preprocessing)
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/binary_heap.jessie
[jessie] File tests/c/binary_heap.jessie/binary_heap.jc written.
[jessie] File tests/c/binary_heap.jessie/binary_heap.cloc written.
========== file tests/c/binary_heap.jessie/binary_heap.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type int8 = -128..127

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]
========== file tests/c/binary_heap.jessie/binary_heap.cloc ==========
========== jessie execution ==========
========== file tests/c/binary_heap.jessie/binary_heap.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/binary_heap_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: binary_heap.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: binary_heap.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: binary_heap.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/c/binary_heap.jessie/binary_heap.loc ==========
========== file tests/c/binary_heap.jessie/why/binary_heap.why ==========
type charP

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }


why-2.39/tests/c/oracle/minmax.res.oracle0000644000106100004300000010072313147234006017335 0ustar  marchevals========== file tests/c/minmax.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


//@ ensures \result == \max(x,y);
int max(int x, int y) {
  return (x <= y) ? y : x;
}


//@ ensures \result == \min(x,y);
int min(int x, int y) {
  return (x <= y) ? x : y;
}


//@ ensures \result == \max(x,y);
float fmax(float x, float y) {
  return (x <= y) ? y : x;
}


//@ ensures \result == \min(x,y);
float fmin(float x, float y) {
  return (x <= y) ? x : y;
}


//@ ensures \result == \max(x,y);
double dmax(double x, double y) {
  return (x <= y) ? y : x;
}


//@ ensures \result == \min(x,y);
double dmin(double x, double y) {
  return (x <= y) ? x : y;
}



/*
Local Variables:
compile-command: "make minmax.why3ide"
End:
*/

========== frama-c -jessie execution ==========
[kernel] Parsing FRAMAC_SHARE/libc/__fc_builtin_for_normalization.i (no preprocessing)
[kernel] Parsing tests/c/minmax.c (with preprocessing)
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/minmax.jessie
[jessie] File tests/c/minmax.jessie/minmax.jc written.
[jessie] File tests/c/minmax.jessie/minmax.cloc written.
========== file tests/c/minmax.jessie/minmax.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type int8 = -128..127

type int32 = -2147483648..2147483647

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

int32 max(int32 x_3, int32 y_3)
behavior default:
  ensures (_C_3 : (\result == \integer_max(\at(x_3,Old), \at(y_3,Old))));
{  
   (var int32 tmp);
   
   {  (if (x_3 <= y_3) then (_C_2 : (tmp = y_3)) else (_C_1 : (tmp = x_3)));
      
      (return tmp)
   }
}

int32 min(int32 x_4, int32 y_4)
behavior default:
  ensures (_C_6 : (\result == \integer_min(\at(x_4,Old), \at(y_4,Old))));
{  
   (var int32 tmp_0);
   
   {  (if (x_4 <= y_4) then (_C_5 : (tmp_0 = x_4)) else (_C_4 : (tmp_0 = y_4)));
      
      (return tmp_0)
   }
}

float fmax(float x_1, float y_1)
behavior default:
  ensures (_C_9 : ((\result :> real) ==
                    \real_max((\at(x_1,Old) :> real), (\at(y_1,Old) :> real))));
{  
   (var float tmp_1);
   
   {  (if (x_1 <= y_1) then (_C_8 : (tmp_1 = y_1)) else (_C_7 : (tmp_1 = x_1)));
      
      (return tmp_1)
   }
}

float fmin(float x_2, float y_2)
behavior default:
  ensures (_C_12 : ((\result :> real) ==
                     \real_min((\at(x_2,Old) :> real), (\at(y_2,Old) :> real))));
{  
   (var float tmp_2);
   
   {  (if (x_2 <= y_2) then (_C_11 : (tmp_2 = x_2)) else (_C_10 : (tmp_2 = y_2)));
      
      (return tmp_2)
   }
}

double dmax(double x, double y)
behavior default:
  ensures (_C_15 : ((\result :> real) ==
                     \real_max((\at(x,Old) :> real), (\at(y,Old) :> real))));
{  
   (var double tmp_3);
   
   {  (if (x <= y) then (_C_14 : (tmp_3 = y)) else (_C_13 : (tmp_3 = x)));
      
      (return tmp_3)
   }
}

double dmin(double x_0, double y_0)
behavior default:
  ensures (_C_18 : ((\result :> real) ==
                     \real_min((\at(x_0,Old) :> real), (\at(y_0,Old) :> real))));
{  
   (var double tmp_4);
   
   {  (if (x_0 <= y_0) then (_C_17 : (tmp_4 = x_0)) else (_C_16 : (tmp_4 = y_0)));
      
      (return tmp_4)
   }
}
========== file tests/c/minmax.jessie/minmax.cloc ==========
[max]
name = "Function max"
file = "HOME/tests/c/minmax.c"
line = 34
begin = 4
end = 7

[_C_4]
file = "HOME/tests/c/minmax.c"
line = 41
begin = 15
end = 16

[_C_13]
file = "HOME/tests/c/minmax.c"
line = 59
begin = 15
end = 16

[_C_5]
file = "HOME/tests/c/minmax.c"
line = 41
begin = 15
end = 16

[_C_12]
file = "HOME/tests/c/minmax.c"
line = 51
begin = 15
end = 35

[_C_9]
file = "HOME/tests/c/minmax.c"
line = 45
begin = 15
end = 35

[_C_6]
file = "HOME/tests/c/minmax.c"
line = 39
begin = 15
end = 35

[fmin]
name = "Function fmin"
file = "HOME/tests/c/minmax.c"
line = 52
begin = 6
end = 10

[fmax]
name = "Function fmax"
file = "HOME/tests/c/minmax.c"
line = 46
begin = 6
end = 10

[min]
name = "Function min"
file = "HOME/tests/c/minmax.c"
line = 40
begin = 4
end = 7

[_C_3]
file = "HOME/tests/c/minmax.c"
line = 33
begin = 15
end = 35

[_C_17]
file = "HOME/tests/c/minmax.c"
line = 65
begin = 15
end = 16

[_C_7]
file = "HOME/tests/c/minmax.c"
line = 47
begin = 15
end = 16

[_C_15]
file = "HOME/tests/c/minmax.c"
line = 57
begin = 15
end = 35

[_C_10]
file = "HOME/tests/c/minmax.c"
line = 53
begin = 15
end = 16

[_C_8]
file = "HOME/tests/c/minmax.c"
line = 47
begin = 15
end = 16

[_C_18]
file = "HOME/tests/c/minmax.c"
line = 63
begin = 15
end = 35

[dmin]
name = "Function dmin"
file = "HOME/tests/c/minmax.c"
line = 64
begin = 7
end = 11

[_C_14]
file = "HOME/tests/c/minmax.c"
line = 59
begin = 15
end = 16

[dmax]
name = "Function dmax"
file = "HOME/tests/c/minmax.c"
line = 58
begin = 7
end = 11

[_C_2]
file = "HOME/tests/c/minmax.c"
line = 35
begin = 15
end = 16

[_C_16]
file = "HOME/tests/c/minmax.c"
line = 65
begin = 15
end = 16

[_C_1]
file = "HOME/tests/c/minmax.c"
line = 35
begin = 15
end = 16

[_C_11]
file = "HOME/tests/c/minmax.c"
line = 53
begin = 15
end = 16

========== jessie execution ==========
Generating Why function max
Generating Why function min
Generating Why function fmax
Generating Why function fmin
Generating Why function dmax
Generating Why function dmin
========== file tests/c/minmax.jessie/minmax.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why $(WHYLIB)/why/floats_strict.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/minmax_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: minmax.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: minmax.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: minmax.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/c/minmax.jessie/minmax.loc ==========
[dmax_safety]
name = "Function dmax"
behavior = "Safety"
file = "HOME/tests/c/minmax.c"
line = 58
begin = 7
end = 11

[JC_45]
file = "HOME/tests/c/minmax.c"
line = 63
begin = 15
end = 35

[fmax_safety]
name = "Function fmax"
behavior = "Safety"
file = "HOME/tests/c/minmax.c"
line = 46
begin = 6
end = 10

[fmin_ensures_default]
name = "Function fmin"
behavior = "default behavior"
file = "HOME/tests/c/minmax.c"
line = 52
begin = 6
end = 10

[JC_31]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_17]
file = "HOME/tests/c/minmax.c"
line = 46
begin = 6
end = 10

[JC_48]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_23]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_22]
file = "HOME/tests/c/minmax.c"
line = 45
begin = 15
end = 35

[JC_5]
file = "HOME/tests/c/minmax.c"
line = 33
begin = 15
end = 35

[JC_9]
file = "HOME/tests/c/minmax.c"
line = 40
begin = 4
end = 7

[JC_24]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_25]
file = "HOME/tests/c/minmax.c"
line = 52
begin = 6
end = 10

[JC_41]
file = "HOME/tests/c/minmax.c"
line = 64
begin = 7
end = 11

[min_ensures_default]
name = "Function min"
behavior = "default behavior"
file = "HOME/tests/c/minmax.c"
line = 40
begin = 4
end = 7

[JC_47]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/tests/c/minmax.c"
line = 39
begin = 15
end = 35

[JC_11]
file = "HOME/tests/c/minmax.c"
line = 40
begin = 4
end = 7

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[dmin_ensures_default]
name = "Function dmin"
behavior = "default behavior"
file = "HOME/tests/c/minmax.c"
line = 64
begin = 7
end = 11

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[min_safety]
name = "Function min"
behavior = "Safety"
file = "HOME/tests/c/minmax.c"
line = 40
begin = 4
end = 7

[JC_39]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_35]
file = "HOME/tests/c/minmax.c"
line = 58
begin = 7
end = 11

[JC_27]
file = "HOME/tests/c/minmax.c"
line = 52
begin = 6
end = 10

[JC_38]
file = "HOME/tests/c/minmax.c"
line = 57
begin = 15
end = 35

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/tests/c/minmax.c"
line = 33
begin = 15
end = 35

[JC_44]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_42]
file = "HOME/"
line = 0
begin = -1
end = -1

[max_safety]
name = "Function max"
behavior = "Safety"
file = "HOME/tests/c/minmax.c"
line = 34
begin = 4
end = 7

[dmax_ensures_default]
name = "Function dmax"
behavior = "default behavior"
file = "HOME/tests/c/minmax.c"
line = 58
begin = 7
end = 11

[JC_46]
file = "HOME/tests/c/minmax.c"
line = 63
begin = 15
end = 35

[fmax_ensures_default]
name = "Function fmax"
behavior = "default behavior"
file = "HOME/tests/c/minmax.c"
line = 46
begin = 6
end = 10

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[dmin_safety]
name = "Function dmin"
behavior = "Safety"
file = "HOME/tests/c/minmax.c"
line = 64
begin = 7
end = 11

[JC_33]
file = "HOME/tests/c/minmax.c"
line = 58
begin = 7
end = 11

[JC_29]
file = "HOME/tests/c/minmax.c"
line = 51
begin = 15
end = 35

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_43]
file = "HOME/tests/c/minmax.c"
line = 64
begin = 7
end = 11

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/tests/c/minmax.c"
line = 39
begin = 15
end = 35

[JC_21]
file = "HOME/tests/c/minmax.c"
line = 45
begin = 15
end = 35

[JC_1]
file = "HOME/tests/c/minmax.c"
line = 34
begin = 4
end = 7

[JC_37]
file = "HOME/tests/c/minmax.c"
line = 57
begin = 15
end = 35

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[max_ensures_default]
name = "Function max"
behavior = "default behavior"
file = "HOME/tests/c/minmax.c"
line = 34
begin = 4
end = 7

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_3]
file = "HOME/tests/c/minmax.c"
line = 34
begin = 4
end = 7

[fmin_safety]
name = "Function fmin"
behavior = "Safety"
file = "HOME/tests/c/minmax.c"
line = 52
begin = 6
end = 10

[JC_19]
file = "HOME/tests/c/minmax.c"
line = 46
begin = 6
end = 10

[JC_30]
file = "HOME/tests/c/minmax.c"
line = 51
begin = 15
end = 35

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/c/minmax.jessie/why/minmax.why ==========
type charP

type int32

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int32 : unit -> { } int32 { true }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter dmax :
 x_0:double ->
  y:double ->
   { } double
   { (JC_38:
     (double_value(result) = real_max(double_value(x_0), double_value(y)))) }

parameter dmax_requires :
 x_0:double ->
  y:double ->
   { } double
   { (JC_38:
     (double_value(result) = real_max(double_value(x_0), double_value(y)))) }

parameter dmin :
 x_0_0:double ->
  y_0:double ->
   { } double
   { (JC_46:
     (double_value(result) = real_min(double_value(x_0_0), double_value(y_0)))) }

parameter dmin_requires :
 x_0_0:double ->
  y_0:double ->
   { } double
   { (JC_46:
     (double_value(result) = real_min(double_value(x_0_0), double_value(y_0)))) }

parameter fmax :
 x_1:single ->
  y_1:single ->
   { } single
   { (JC_22:
     (single_value(result) = real_max(single_value(x_1), single_value(y_1)))) }

parameter fmax_requires :
 x_1:single ->
  y_1:single ->
   { } single
   { (JC_22:
     (single_value(result) = real_max(single_value(x_1), single_value(y_1)))) }

parameter fmin :
 x_2:single ->
  y_2:single ->
   { } single
   { (JC_30:
     (single_value(result) = real_min(single_value(x_2), single_value(y_2)))) }

parameter fmin_requires :
 x_2:single ->
  y_2:single ->
   { } single
   { (JC_30:
     (single_value(result) = real_min(single_value(x_2), single_value(y_2)))) }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter max :
 x_3:int32 ->
  y_3:int32 ->
   { } int32
   { (JC_6:
     (integer_of_int32(result) = int_max(integer_of_int32(x_3),
                                 integer_of_int32(y_3)))) }

parameter max_requires :
 x_3:int32 ->
  y_3:int32 ->
   { } int32
   { (JC_6:
     (integer_of_int32(result) = int_max(integer_of_int32(x_3),
                                 integer_of_int32(y_3)))) }

parameter min :
 x_4:int32 ->
  y_4:int32 ->
   { } int32
   { (JC_14:
     (integer_of_int32(result) = int_min(integer_of_int32(x_4),
                                 integer_of_int32(y_4)))) }

parameter min_requires :
 x_4:int32 ->
  y_4:int32 ->
   { } int32
   { (JC_14:
     (integer_of_int32(result) = int_min(integer_of_int32(x_4),
                                 integer_of_int32(y_4)))) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let dmax_ensures_default =
 fun (x_0 : double) (y : double) ->
  { (JC_36: true) }
  (init:
  (let return = ref (any_double void) in
  try
   begin
     (let tmp_3 = ref (any_double void) in
     begin
       (let _jessie_ =
       (if ((le_double_ x_0) y) then begin   (tmp_3 := y); !tmp_3 end
       else begin   (tmp_3 := x_0); !tmp_3 end) in void); (return := !tmp_3);
      (raise Return) end); absurd  end with Return -> !return end))
  { (JC_37:
    (double_value(result) = real_max(double_value(x_0), double_value(y)))) } 

let dmax_safety =
 fun (x_0 : double) (y : double) ->
  { (JC_36: true) }
  (init:
  (let return = ref (any_double void) in
  try
   begin
     (let tmp_3 = ref (any_double void) in
     begin
       (let _jessie_ =
       (if ((le_double_ x_0) y) then begin   (tmp_3 := y); !tmp_3 end
       else begin   (tmp_3 := x_0); !tmp_3 end) in void); (return := !tmp_3);
      (raise Return) end); absurd  end with Return -> !return end)) { true } 

let dmin_ensures_default =
 fun (x_0_0 : double) (y_0 : double) ->
  { (JC_44: true) }
  (init:
  (let return = ref (any_double void) in
  try
   begin
     (let tmp_4 = ref (any_double void) in
     begin
       (let _jessie_ =
       (if ((le_double_ x_0_0) y_0) then begin   (tmp_4 := x_0_0); !tmp_4 end
       else begin   (tmp_4 := y_0); !tmp_4 end) in void); (return := !tmp_4);
      (raise Return) end); absurd  end with Return -> !return end))
  { (JC_45:
    (double_value(result) = real_min(double_value(x_0_0), double_value(y_0)))) }
  

let dmin_safety =
 fun (x_0_0 : double) (y_0 : double) ->
  { (JC_44: true) }
  (init:
  (let return = ref (any_double void) in
  try
   begin
     (let tmp_4 = ref (any_double void) in
     begin
       (let _jessie_ =
       (if ((le_double_ x_0_0) y_0) then begin   (tmp_4 := x_0_0); !tmp_4 end
       else begin   (tmp_4 := y_0); !tmp_4 end) in void); (return := !tmp_4);
      (raise Return) end); absurd  end with Return -> !return end)) { true } 

let fmax_ensures_default =
 fun (x_1 : single) (y_1 : single) ->
  { (JC_20: true) }
  (init:
  (let return = ref (any_single void) in
  try
   begin
     (let tmp_1 = ref (any_single void) in
     begin
       (let _jessie_ =
       (if ((le_single_ x_1) y_1) then begin   (tmp_1 := y_1); !tmp_1 end
       else begin   (tmp_1 := x_1); !tmp_1 end) in void); (return := !tmp_1);
      (raise Return) end); absurd  end with Return -> !return end))
  { (JC_21:
    (single_value(result) = real_max(single_value(x_1), single_value(y_1)))) }
  

let fmax_safety =
 fun (x_1 : single) (y_1 : single) ->
  { (JC_20: true) }
  (init:
  (let return = ref (any_single void) in
  try
   begin
     (let tmp_1 = ref (any_single void) in
     begin
       (let _jessie_ =
       (if ((le_single_ x_1) y_1) then begin   (tmp_1 := y_1); !tmp_1 end
       else begin   (tmp_1 := x_1); !tmp_1 end) in void); (return := !tmp_1);
      (raise Return) end); absurd  end with Return -> !return end)) { true } 

let fmin_ensures_default =
 fun (x_2 : single) (y_2 : single) ->
  { (JC_28: true) }
  (init:
  (let return = ref (any_single void) in
  try
   begin
     (let tmp_2 = ref (any_single void) in
     begin
       (let _jessie_ =
       (if ((le_single_ x_2) y_2) then begin   (tmp_2 := x_2); !tmp_2 end
       else begin   (tmp_2 := y_2); !tmp_2 end) in void); (return := !tmp_2);
      (raise Return) end); absurd  end with Return -> !return end))
  { (JC_29:
    (single_value(result) = real_min(single_value(x_2), single_value(y_2)))) }
  

let fmin_safety =
 fun (x_2 : single) (y_2 : single) ->
  { (JC_28: true) }
  (init:
  (let return = ref (any_single void) in
  try
   begin
     (let tmp_2 = ref (any_single void) in
     begin
       (let _jessie_ =
       (if ((le_single_ x_2) y_2) then begin   (tmp_2 := x_2); !tmp_2 end
       else begin   (tmp_2 := y_2); !tmp_2 end) in void); (return := !tmp_2);
      (raise Return) end); absurd  end with Return -> !return end)) { true } 

let max_ensures_default =
 fun (x_3 : int32) (y_3 : int32) ->
  { (JC_4: true) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let tmp = ref (any_int32 void) in
     begin
       (let _jessie_ =
       (if ((le_int_ (integer_of_int32 x_3)) (integer_of_int32 y_3))
       then begin   (tmp := y_3); !tmp end
       else begin   (tmp := x_3); !tmp end) in void); (return := !tmp);
      (raise Return) end); absurd  end with Return -> !return end))
  { (JC_5:
    (integer_of_int32(result) = int_max(integer_of_int32(x_3),
                                integer_of_int32(y_3)))) } 

let max_safety =
 fun (x_3 : int32) (y_3 : int32) ->
  { (JC_4: true) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let tmp = ref (any_int32 void) in
     begin
       (let _jessie_ =
       (if ((le_int_ (integer_of_int32 x_3)) (integer_of_int32 y_3))
       then begin   (tmp := y_3); !tmp end
       else begin   (tmp := x_3); !tmp end) in void); (return := !tmp);
      (raise Return) end); absurd  end with Return -> !return end)) { true } 

let min_ensures_default =
 fun (x_4 : int32) (y_4 : int32) ->
  { (JC_12: true) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let tmp_0 = ref (any_int32 void) in
     begin
       (let _jessie_ =
       (if ((le_int_ (integer_of_int32 x_4)) (integer_of_int32 y_4))
       then begin   (tmp_0 := x_4); !tmp_0 end
       else begin   (tmp_0 := y_4); !tmp_0 end) in void); (return := !tmp_0);
      (raise Return) end); absurd  end with Return -> !return end))
  { (JC_13:
    (integer_of_int32(result) = int_min(integer_of_int32(x_4),
                                integer_of_int32(y_4)))) } 

let min_safety =
 fun (x_4 : int32) (y_4 : int32) ->
  { (JC_12: true) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let tmp_0 = ref (any_int32 void) in
     begin
       (let _jessie_ =
       (if ((le_int_ (integer_of_int32 x_4)) (integer_of_int32 y_4))
       then begin   (tmp_0 := x_4); !tmp_0 end
       else begin   (tmp_0 := y_4); !tmp_0 end) in void); (return := !tmp_0);
      (raise Return) end); absurd  end with Return -> !return end)) { true } 


why-2.39/tests/c/oracle/muller.res.oracle0000644000106100004300000015260513147234006017352 0ustar  marchevals========== file tests/c/muller.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

typedef unsigned int size_t;
void *malloc(size_t size);
void *calloc(size_t nmemb, size_t size);

/*@ axiomatic NumOfPos {
  @  logic integer num_of_pos{L}(integer i,integer j,int *t);
  @  axiom num_of_pos_empty{L} :
  @   \forall integer i, j, int *t;
  @    i >= j ==> num_of_pos(i,j,t) == 0;
  @  axiom num_of_pos_true_case{L} :
  @   \forall integer i, j, int *t;
  @       i < j && t[j-1] > 0 ==>
  @         num_of_pos(i,j,t) == num_of_pos(i,j-1,t) + 1;
  @  axiom num_of_pos_false_case{L} :
  @   \forall integer i, j, int *t;
  @       i < j && ! (t[j-1] > 0) ==>
  @         num_of_pos(i,j,t) == num_of_pos(i,j-1,t);
  @ }
  @*/


/*@ lemma num_of_pos_non_negative{L} :
  @   \forall integer i, j, int *t; 0 <= num_of_pos(i,j,t);
  @*/

/*@ lemma num_of_pos_additive{L} :
  @   \forall integer i, j, k, int *t; i <= j <= k ==>
  @       num_of_pos(i,k,t) == num_of_pos(i,j,t) + num_of_pos(j,k,t);
  @*/

/*@ lemma num_of_pos_increasing{L} :
  @   \forall integer i, j, k, int *t;
  @       j <= k ==> num_of_pos(i,j,t) <= num_of_pos(i,k,t);
  @*/

/*@ lemma num_of_pos_strictly_increasing{L} :
  @   \forall integer i, n, int *t;
  @       0 <= i < n && t[i] > 0 ==>
  @       num_of_pos(0,i,t) < num_of_pos(0,n,t);
  @*/

/*@ requires l >= 0 && \valid(t+(0..l-1));
  @*/
int* m(int *t, int l) {
  int i, count = 0;
  int *u;

  /*@ loop invariant
    @    0 <= i <= l &&
    @    0 <= count <= i &&
    @    count == num_of_pos(0,i,t) ;
    @ loop variant l - i;
    @*/
  for (i=0 ; i < l; i++) if (t[i] > 0) count++;

  u = (int*)calloc(count,sizeof(int));
  count = 0;

  /*@ loop invariant
    @    0 <= i <= l &&
    @    0 <= count <= i &&
    @    count == num_of_pos(0,i,t);
    @ loop variant l - i;
    @*/
  for (int i=0 ; i < l; i++) {
    if (t[i] > 0) u[count++] = t[i];
  }
  return u;
}


/*
Local Variables:
compile-command: "make muller.why3ide"
End:
*/
========== frama-c -jessie execution ==========
[kernel] Parsing FRAMAC_SHARE/libc/__fc_builtin_for_normalization.i (no preprocessing)
[kernel] Parsing tests/c/muller.c (with preprocessing)
[jessie] Starting Jessie translation
tests/c/muller.c:75:[kernel] warning: Neither code nor specification for function calloc, generating default assigns from the prototype
[jessie] Producing Jessie files in subdir tests/c/muller.jessie
[jessie] File tests/c/muller.jessie/muller.jc written.
[jessie] File tests/c/muller.jessie/muller.cloc written.
========== file tests/c/muller.jessie/muller.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type uint32 = 0..4294967295

type int8 = -128..127

type int32 = -2147483648..2147483647

tag intP = {
  int32 intM: 32;
}

type intP = [intP]

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

charP[..] calloc(uint32 nmemb, uint32 size_0)
behavior default:
  assigns \nothing;
  ensures (_C_1 : true);
;

axiomatic NumOfPos {

  logic integer num_of_pos{L}(integer i_1, integer j_0, intP[..] t)
   
  axiom num_of_pos_empty{L} :
  (\forall integer i_2;
    (\forall integer j_1;
      (\forall intP[..] t_0;
        ((i_2 >= j_1) ==> (num_of_pos{L}(i_2, j_1, t_0) == 0)))))
   
  axiom num_of_pos_true_case{L} :
  (\forall integer i_3;
    (\forall integer j_2;
      (\forall intP[..] t_1;
        (((i_3 < j_2) && ((t_1 + (j_2 - 1)).intM > 0)) ==>
          (num_of_pos{L}(i_3, j_2, t_1) ==
            (num_of_pos{L}(i_3, (j_2 - 1), t_1) + 1))))))
   
  axiom num_of_pos_false_case{L} :
  (\forall integer i_4;
    (\forall integer j_3;
      (\forall intP[..] t_2;
        (((i_4 < j_3) && (! ((t_2 + (j_3 - 1)).intM > 0))) ==>
          (num_of_pos{L}(i_4, j_3, t_2) ==
            num_of_pos{L}(i_4, (j_3 - 1), t_2))))))
  
}

lemma num_of_pos_non_negative{L} :
(\forall integer i_5;
  (\forall integer j_4;
    (\forall intP[..] t_3;
      (0 <= num_of_pos{L}(i_5, j_4, t_3)))))

lemma num_of_pos_additive{L} :
(\forall integer i_6;
  (\forall integer j_5;
    (\forall integer k;
      (\forall intP[..] t_4;
        (((i_6 <= j_5) && (j_5 <= k)) ==>
          (num_of_pos{L}(i_6, k, t_4) ==
            (num_of_pos{L}(i_6, j_5, t_4) + num_of_pos{L}(j_5, k, t_4))))))))

lemma num_of_pos_increasing{L} :
(\forall integer i_7;
  (\forall integer j_6;
    (\forall integer k_0;
      (\forall intP[..] t_5;
        ((j_6 <= k_0) ==>
          (num_of_pos{L}(i_7, j_6, t_5) <= num_of_pos{L}(i_7, k_0, t_5)))))))

lemma num_of_pos_strictly_increasing{L} :
(\forall integer i_8;
  (\forall integer n;
    (\forall intP[..] t_6;
      ((((0 <= i_8) && (i_8 < n)) && ((t_6 + i_8).intM > 0)) ==>
        (num_of_pos{L}(0, i_8, t_6) < num_of_pos{L}(0, n, t_6))))))

intP[..] m(intP[..] t, int32 l)
  requires (_C_52 : ((_C_53 : (l >= 0)) &&
                      ((_C_55 : (\offset_min(t) <= 0)) &&
                        (_C_56 : (\offset_max(t) >= (l - 1))))));
behavior default:
  ensures (_C_51 : true);
{  
   (var int32 i);
   
   (var int32 count);
   
   (var intP[..] u);
   
   (var int32 i_0);
   
   (var int32 tmp_0);
   
   {  (_C_2 : (count = 0));
      (_C_3 : (i = 0));
      
      loop 
      behavior default:
        invariant (_C_5 : (((((_C_9 : (0 <= i)) && (_C_10 : (i <= l))) &&
                              (_C_11 : (0 <= count))) &&
                             (_C_12 : (count <= i))) &&
                            (_C_13 : (count == num_of_pos{Here}(0, i, t)))));
      variant (_C_4 : (l - i));
      while (true)
      {  
         {  (if (i < l) then () else 
            (goto while_0_break));
            (if ((_C_18 : (_C_17 : (t + i)).intM) > 0) then (_C_16 : (count = 
                                                            (_C_15 : (
                                                            (_C_14 : 
                                                            (count +
                                                              1)) :> int32)))) else ());
            (_C_21 : (i = (_C_20 : ((_C_19 : (i + 1)) :> int32))))
         }
      };
      (while_0_break : ());
      (_C_24 : (u = (_C_23 : (new intP[(_C_22 : (count :> uint32))]))));
      (_C_25 : (count = 0));
      
      {  (_C_26 : (i_0 = 0));
         
         loop 
         behavior default:
           invariant (_C_28 : (((((_C_32 : (0 <= i_0)) &&
                                   (_C_33 : (i_0 <= l))) &&
                                  (_C_34 : (0 <= count))) &&
                                 (_C_35 : (count <= i_0))) &&
                                (_C_36 : (count ==
                                           num_of_pos{Here}(0, i_0, t)))));
         variant (_C_27 : (l - i_0));
         while (true)
         {  
            {  (if (i_0 < l) then () else 
               (goto while_1_break));
               
               {  (if ((_C_47 : (_C_46 : (t + i_0)).intM) > 0) then 
                  {  (_C_37 : (tmp_0 = count));
                     (_C_40 : (count = (_C_39 : ((_C_38 : (count + 1)) :> int32))));
                     (_C_45 : ((_C_44 : (_C_43 : (u + tmp_0)).intM) = 
                     (_C_42 : (_C_41 : (t + i_0)).intM)))
                  } else ())
               };
               (_C_50 : (i_0 = (_C_49 : ((_C_48 : (i_0 + 1)) :> int32))))
            }
         };
         (while_1_break : ())
      };
      
      (return u)
   }
}
========== file tests/c/muller.jessie/muller.cloc ==========
[_C_52]
file = "HOME/tests/c/muller.c"
line = 73
begin = 16
end = 44

[_C_35]
file = "HOME/tests/c/muller.c"
line = 92
begin = 14
end = 24

[_C_56]
file = "HOME/tests/c/muller.c"
line = 73
begin = 26
end = 44

[_C_28]
file = "HOME/tests/c/muller.c"
line = 91
begin = 9
end = 87

[_C_48]
file = "HOME/tests/c/muller.c"
line = 96
begin = 24
end = 27

[_C_51]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_31]
file = "HOME/tests/c/muller.c"
line = 91
begin = 9
end = 20

[num_of_pos_non_negative]
name = "Lemma num_of_pos_non_negative"
file = "HOME/tests/c/muller.c"
line = 53
begin = 7
end = 101

[_C_41]
file = "HOME/tests/c/muller.c"
line = 97
begin = 31
end = 32

[_C_4]
file = "HOME/tests/c/muller.c"
line = 83
begin = 19
end = 24

[_C_32]
file = "HOME/tests/c/muller.c"
line = 91
begin = 9
end = 15

[_C_23]
file = "HOME/tests/c/muller.c"
line = 87
begin = 12
end = 37

[_C_19]
file = "HOME/tests/c/muller.c"
line = 85
begin = 20
end = 23

[_C_42]
file = "HOME/tests/c/muller.c"
line = 97
begin = 31
end = 35

[_C_13]
file = "HOME/tests/c/muller.c"
line = 82
begin = 9
end = 35

[_C_5]
file = "HOME/tests/c/muller.c"
line = 80
begin = 9
end = 87

[_C_36]
file = "HOME/tests/c/muller.c"
line = 93
begin = 9
end = 35

[_C_12]
file = "HOME/tests/c/muller.c"
line = 81
begin = 14
end = 24

[_C_33]
file = "HOME/tests/c/muller.c"
line = 91
begin = 14
end = 20

[_C_22]
file = "HOME/tests/c/muller.c"
line = 87
begin = 19
end = 24

[_C_9]
file = "HOME/tests/c/muller.c"
line = 80
begin = 9
end = 15

[_C_54]
file = "HOME/tests/c/muller.c"
line = 73
begin = 26
end = 44

[_C_30]
file = "HOME/tests/c/muller.c"
line = 91
begin = 9
end = 43

[_C_6]
file = "HOME/tests/c/muller.c"
line = 80
begin = 9
end = 48

[_C_49]
file = "HOME/tests/c/muller.c"
line = 96
begin = 24
end = 27

[_C_24]
file = "HOME/tests/c/muller.c"
line = 87
begin = 12
end = 37

[_C_45]
file = "HOME/tests/c/muller.c"
line = 97
begin = 31
end = 35

[_C_20]
file = "HOME/tests/c/muller.c"
line = 85
begin = 20
end = 23

[num_of_pos_false_case]
name = "Lemma num_of_pos_false_case"
file = "HOME/tests/c/muller.c"
line = 45
begin = 5
end = 165

[_C_38]
file = "HOME/tests/c/muller.c"
line = 97
begin = 20
end = 27

[_C_3]
file = "HOME/tests/c/muller.c"
line = 85
begin = 9
end = 10

[num_of_pos_increasing]
name = "Lemma num_of_pos_increasing"
file = "HOME/tests/c/muller.c"
line = 62
begin = 7
end = 139

[num_of_pos_true_case]
name = "Lemma num_of_pos_true_case"
file = "HOME/tests/c/muller.c"
line = 41
begin = 5
end = 164

[_C_17]
file = "HOME/tests/c/muller.c"
line = 85
begin = 29
end = 30

[_C_7]
file = "HOME/tests/c/muller.c"
line = 80
begin = 9
end = 43

[_C_55]
file = "HOME/tests/c/muller.c"
line = 73
begin = 26
end = 44

[_C_27]
file = "HOME/tests/c/muller.c"
line = 94
begin = 19
end = 24

[_C_46]
file = "HOME/tests/c/muller.c"
line = 97
begin = 8
end = 9

[_C_44]
file = "HOME/tests/c/muller.c"
line = 97
begin = 31
end = 35

[_C_15]
file = "HOME/tests/c/muller.c"
line = 85
begin = 39
end = 46

[num_of_pos_strictly_increasing]
name = "Lemma num_of_pos_strictly_increasing"
file = "HOME/tests/c/muller.c"
line = 67
begin = 7
end = 170

[_C_26]
file = "HOME/tests/c/muller.c"
line = 96
begin = 7
end = 10

[_C_47]
file = "HOME/tests/c/muller.c"
line = 97
begin = 8
end = 12

[_C_10]
file = "HOME/tests/c/muller.c"
line = 80
begin = 14
end = 20

[_C_53]
file = "HOME/tests/c/muller.c"
line = 73
begin = 16
end = 22

[_C_40]
file = "HOME/tests/c/muller.c"
line = 97
begin = 20
end = 27

[num_of_pos_additive]
name = "Lemma num_of_pos_additive"
file = "HOME/tests/c/muller.c"
line = 57
begin = 7
end = 162

[_C_8]
file = "HOME/tests/c/muller.c"
line = 80
begin = 9
end = 20

[_C_18]
file = "HOME/tests/c/muller.c"
line = 85
begin = 29
end = 33

[_C_29]
file = "HOME/tests/c/muller.c"
line = 91
begin = 9
end = 48

[_C_14]
file = "HOME/tests/c/muller.c"
line = 85
begin = 39
end = 46

[_C_50]
file = "HOME/tests/c/muller.c"
line = 96
begin = 24
end = 27

[_C_37]
file = "HOME/tests/c/muller.c"
line = 97
begin = 20
end = 27

[_C_43]
file = "HOME/tests/c/muller.c"
line = 97
begin = 18
end = 19

[num_of_pos_empty]
name = "Lemma num_of_pos_empty"
file = "HOME/tests/c/muller.c"
line = 38
begin = 5
end = 110

[_C_2]
file = "HOME/tests/c/muller.c"
line = 76
begin = 2
end = 5

[_C_34]
file = "HOME/tests/c/muller.c"
line = 92
begin = 9
end = 19

[_C_16]
file = "HOME/tests/c/muller.c"
line = 85
begin = 39
end = 46

[_C_1]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_25]
file = "HOME/tests/c/muller.c"
line = 88
begin = 10
end = 11

[_C_39]
file = "HOME/tests/c/muller.c"
line = 97
begin = 20
end = 27

[_C_11]
file = "HOME/tests/c/muller.c"
line = 81
begin = 9
end = 19

[m]
name = "Function m"
file = "HOME/tests/c/muller.c"
line = 75
begin = 3
end = 4

[_C_21]
file = "HOME/tests/c/muller.c"
line = 85
begin = 20
end = 23

========== jessie execution ==========
Generating Why function m
========== file tests/c/muller.jessie/muller.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/muller_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: muller.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: muller.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: muller.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/c/muller.jessie/muller.loc ==========
[JC_73]
file = "HOME/tests/c/muller.jessie/muller.jc"
line = 153
begin = 9
end = 1056

[JC_63]
file = "HOME/tests/c/muller.jessie/muller.jc"
line = 128
begin = 6
end = 898

[JC_51]
kind = PointerDeref
file = "HOME/tests/c/muller.c"
line = 97
begin = 31
end = 35

[JC_71]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_45]
file = "HOME/tests/c/muller.c"
line = 91
begin = 9
end = 87

[JC_64]
kind = AllocSize
file = "HOME/tests/c/muller.c"
line = 87
begin = 12
end = 37

[num_of_pos_non_negative]
name = "Lemma num_of_pos_non_negative"
behavior = "lemma"
file = "HOME/tests/c/muller.c"
line = 53
begin = 7
end = 101

[JC_31]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_17]
file = "HOME/tests/c/muller.c"
line = 73
begin = 26
end = 44

[JC_55]
file = "HOME/tests/c/muller.c"
line = 80
begin = 9
end = 15

[JC_48]
file = "HOME/tests/c/muller.jessie/muller.jc"
line = 153
begin = 9
end = 1056

[JC_23]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_67]
file = "HOME/tests/c/muller.c"
line = 92
begin = 9
end = 19

[JC_9]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_24]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_25]
file = "HOME/tests/c/muller.c"
line = 80
begin = 9
end = 15

[JC_41]
file = "HOME/tests/c/muller.c"
line = 91
begin = 14
end = 20

[JC_47]
file = "HOME/tests/c/muller.jessie/muller.jc"
line = 153
begin = 9
end = 1056

[JC_52]
kind = PointerDeref
file = "HOME/tests/c/muller.jessie/muller.jc"
line = 170
begin = 31
end = 126

[JC_26]
file = "HOME/tests/c/muller.c"
line = 80
begin = 14
end = 20

[JC_8]
file = "HOME/tests/c/muller.jessie/muller.jc"
line = 46
begin = 10
end = 18

[JC_54]
file = "HOME/tests/c/muller.c"
line = 94
begin = 19
end = 24

[JC_13]
file = "HOME/tests/c/muller.c"
line = 73
begin = 26
end = 44

[JC_11]
file = "HOME/tests/c/muller.c"
line = 73
begin = 16
end = 22

[JC_70]
file = "HOME/tests/c/muller.c"
line = 91
begin = 9
end = 87

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_36]
kind = ArithOverflow
file = "HOME/tests/c/muller.c"
line = 85
begin = 20
end = 23

[JC_39]
kind = AllocSize
file = "HOME/tests/c/muller.c"
line = 87
begin = 12
end = 37

[JC_40]
file = "HOME/tests/c/muller.c"
line = 91
begin = 9
end = 15

[JC_35]
kind = ArithOverflow
file = "HOME/tests/c/muller.c"
line = 85
begin = 39
end = 46

[num_of_pos_false_case]
name = "Lemma num_of_pos_false_case"
behavior = "axiom"
file = "HOME/tests/c/muller.c"
line = 45
begin = 5
end = 165

[JC_27]
file = "HOME/tests/c/muller.c"
line = 81
begin = 9
end = 19

[JC_69]
file = "HOME/tests/c/muller.c"
line = 93
begin = 9
end = 35

[JC_38]
kind = ArithOverflow
file = "HOME/tests/c/muller.c"
line = 87
begin = 19
end = 24

[JC_12]
file = "HOME/tests/c/muller.c"
line = 73
begin = 26
end = 44

[JC_6]
file = "HOME/tests/c/muller.jessie/muller.jc"
line = 46
begin = 10
end = 18

[num_of_pos_increasing]
name = "Lemma num_of_pos_increasing"
behavior = "lemma"
file = "HOME/tests/c/muller.c"
line = 62
begin = 7
end = 139

[JC_44]
file = "HOME/tests/c/muller.c"
line = 93
begin = 9
end = 35

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[num_of_pos_true_case]
name = "Lemma num_of_pos_true_case"
behavior = "axiom"
file = "HOME/tests/c/muller.c"
line = 41
begin = 5
end = 164

[JC_62]
file = "HOME/tests/c/muller.jessie/muller.jc"
line = 128
begin = 6
end = 898

[JC_42]
file = "HOME/tests/c/muller.c"
line = 92
begin = 9
end = 19

[JC_46]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_61]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_32]
file = "HOME/tests/c/muller.jessie/muller.jc"
line = 128
begin = 6
end = 898

[JC_56]
file = "HOME/tests/c/muller.c"
line = 80
begin = 14
end = 20

[m_safety]
name = "Function m"
behavior = "Safety"
file = "HOME/tests/c/muller.c"
line = 75
begin = 3
end = 4

[JC_33]
file = "HOME/tests/c/muller.jessie/muller.jc"
line = 128
begin = 6
end = 898

[JC_65]
file = "HOME/tests/c/muller.c"
line = 91
begin = 9
end = 15

[num_of_pos_strictly_increasing]
name = "Lemma num_of_pos_strictly_increasing"
behavior = "lemma"
file = "HOME/tests/c/muller.c"
line = 67
begin = 7
end = 170

[m_ensures_default]
name = "Function m"
behavior = "default behavior"
file = "HOME/tests/c/muller.c"
line = 75
begin = 3
end = 4

[JC_29]
file = "HOME/tests/c/muller.c"
line = 82
begin = 9
end = 35

[JC_68]
file = "HOME/tests/c/muller.c"
line = 92
begin = 14
end = 24

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[num_of_pos_additive]
name = "Lemma num_of_pos_additive"
behavior = "lemma"
file = "HOME/tests/c/muller.c"
line = 57
begin = 7
end = 162

[JC_16]
file = "HOME/tests/c/muller.c"
line = 73
begin = 16
end = 22

[JC_43]
file = "HOME/tests/c/muller.c"
line = 92
begin = 14
end = 24

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
kind = PointerDeref
file = "HOME/tests/c/muller.c"
line = 85
begin = 29
end = 33

[JC_14]
file = "HOME/tests/c/muller.c"
line = 73
begin = 16
end = 44

[JC_53]
kind = ArithOverflow
file = "HOME/tests/c/muller.c"
line = 96
begin = 24
end = 27

[JC_21]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_49]
kind = PointerDeref
file = "HOME/tests/c/muller.c"
line = 97
begin = 8
end = 12

[JC_1]
file = "HOME/tests/c/muller.jessie/muller.jc"
line = 44
begin = 10
end = 16

[num_of_pos_empty]
name = "Lemma num_of_pos_empty"
behavior = "axiom"
file = "HOME/tests/c/muller.c"
line = 38
begin = 5
end = 110

[JC_37]
file = "HOME/tests/c/muller.c"
line = 83
begin = 19
end = 24

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_57]
file = "HOME/tests/c/muller.c"
line = 81
begin = 9
end = 19

[JC_66]
file = "HOME/tests/c/muller.c"
line = 91
begin = 14
end = 20

[JC_59]
file = "HOME/tests/c/muller.c"
line = 82
begin = 9
end = 35

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/tests/c/muller.c"
line = 73
begin = 26
end = 44

[JC_3]
file = "HOME/tests/c/muller.jessie/muller.jc"
line = 44
begin = 10
end = 16

[JC_60]
file = "HOME/tests/c/muller.c"
line = 80
begin = 9
end = 87

[JC_72]
file = "HOME/tests/c/muller.jessie/muller.jc"
line = 153
begin = 9
end = 1056

[JC_19]
file = "HOME/tests/c/muller.c"
line = 73
begin = 16
end = 44

[JC_50]
kind = ArithOverflow
file = "HOME/tests/c/muller.c"
line = 97
begin = 20
end = 27

[JC_30]
file = "HOME/tests/c/muller.c"
line = 80
begin = 9
end = 87

[JC_58]
file = "HOME/tests/c/muller.c"
line = 81
begin = 14
end = 24

[JC_28]
file = "HOME/tests/c/muller.c"
line = 81
begin = 14
end = 24

========== file tests/c/muller.jessie/why/muller.why ==========
type charP

type int32

type int8

type intP

type padding

type uint32

type uint8

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint32: uint32 -> int

predicate eq_uint32(x:uint32, y:uint32) =
 eq_int(integer_of_uint32(x), integer_of_uint32(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

logic intP_tag:  -> intP tag_id

axiom intP_int : (int_of_tag(intP_tag) = (1))

logic intP_of_pointer_address: unit pointer -> intP pointer

axiom intP_of_pointer_address_of_pointer_addr :
 (forall p:intP pointer. (p = intP_of_pointer_address(pointer_address(p))))

axiom intP_parenttag_bottom : parenttag(intP_tag, bottom_tag)

axiom intP_tags :
 (forall x:intP pointer.
  (forall intP_tag_table:intP tag_table.
   instanceof(intP_tag_table, x, intP_tag)))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_intP(p:intP pointer, a:int,
 intP_alloc_table:intP alloc_table) = (offset_min(intP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

logic num_of_pos: int, int, intP pointer, (intP, int32) memory -> int

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

axiom pointer_addr_of_intP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(intP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_intP(p:intP pointer, b:int,
 intP_alloc_table:intP alloc_table) = (offset_max(intP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) = a)
 and (offset_max(intP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) = a)
 and (offset_max(intP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint32_of_integer: int -> uint32

axiom uint32_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (4294967295))) ->
   eq_int(integer_of_uint32(uint32_of_integer(x)), x)))

axiom uint32_extensionality :
 (forall x:uint32.
  (forall y:uint32[eq_int(integer_of_uint32(x), integer_of_uint32(y))].
   (eq_int(integer_of_uint32(x), integer_of_uint32(y)) -> (x = y))))

axiom uint32_range :
 (forall x:uint32.
  (le_int((0), integer_of_uint32(x))
  and le_int(integer_of_uint32(x), (4294967295))))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) <= a)
 and (offset_max(intP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) <= a)
 and (offset_max(intP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

axiom num_of_pos_empty :
 (forall intP_intM_t_3_at_L:(intP, int32) memory.
  (forall i_2:int.
   (forall j_1:int.
    (forall t_0_0:intP pointer.
     (ge_int(i_2, j_1) ->
      (num_of_pos(i_2, j_1, t_0_0, intP_intM_t_3_at_L) = (0)))))))

axiom num_of_pos_true_case :
 (forall intP_intM_t_3_at_L:(intP, int32) memory.
  (forall i_3:int.
   (forall j_2:int.
    (forall t_1:intP pointer.
     ((lt_int(i_3, j_2)
      and gt_int(integer_of_int32(select(intP_intM_t_3_at_L,
                                  shift(t_1, sub_int(j_2, (1))))),
          (0))) ->
      (num_of_pos(i_3, j_2, t_1, intP_intM_t_3_at_L) = add_int(num_of_pos(i_3,
                                                               sub_int(j_2,
                                                               (1)), t_1,
                                                               intP_intM_t_3_at_L),
                                                       (1))))))))

axiom num_of_pos_false_case :
 (forall intP_intM_t_3_at_L:(intP, int32) memory.
  (forall i_4:int.
   (forall j_3:int.
    (forall t_2:intP pointer.
     ((lt_int(i_4, j_3)
      and (not gt_int(integer_of_int32(select(intP_intM_t_3_at_L,
                                       shift(t_2, sub_int(j_3, (1))))),
               (0)))) ->
      (num_of_pos(i_4, j_3, t_2, intP_intM_t_3_at_L) = num_of_pos(i_4,
                                                       sub_int(j_3, (1)),
                                                       t_2,
                                                       intP_intM_t_3_at_L)))))))

lemma num_of_pos_non_negative :
 (forall intP_intM_t_3_10_at_L:(intP, int32) memory.
  (forall i_5:int.
   (forall j_4:int.
    (forall t_3:intP pointer.
     le_int((0), num_of_pos(i_5, j_4, t_3, intP_intM_t_3_10_at_L))))))

lemma num_of_pos_additive :
 (forall intP_intM_t_4_11_at_L:(intP, int32) memory.
  (forall i_6:int.
   (forall j_5:int.
    (forall k:int.
     (forall t_4:intP pointer.
      ((le_int(i_6, j_5) and le_int(j_5, k)) ->
       (num_of_pos(i_6, k, t_4, intP_intM_t_4_11_at_L) = add_int(num_of_pos(i_6,
                                                                 j_5, t_4,
                                                                 intP_intM_t_4_11_at_L),
                                                         num_of_pos(j_5, k,
                                                         t_4,
                                                         intP_intM_t_4_11_at_L)))))))))

lemma num_of_pos_increasing :
 (forall intP_intM_t_5_12_at_L:(intP, int32) memory.
  (forall i_7:int.
   (forall j_6:int.
    (forall k_0:int.
     (forall t_5:intP pointer.
      (le_int(j_6, k_0) ->
       le_int(num_of_pos(i_7, j_6, t_5, intP_intM_t_5_12_at_L),
       num_of_pos(i_7, k_0, t_5, intP_intM_t_5_12_at_L))))))))

lemma num_of_pos_strictly_increasing :
 (forall intP_intM_t_6_13_at_L:(intP, int32) memory.
  (forall i_8:int.
   (forall n:int.
    (forall t_6:intP pointer.
     ((le_int((0), i_8)
      and (lt_int(i_8, n)
          and gt_int(integer_of_int32(select(intP_intM_t_6_13_at_L,
                                      shift(t_6, i_8))),
              (0)))) ->
      lt_int(num_of_pos((0), i_8, t_6, intP_intM_t_6_13_at_L),
      num_of_pos((0), n, t_6, intP_intM_t_6_13_at_L)))))))

exception Goto_while_0_break_exc of unit

exception Goto_while_1_break_exc of unit

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter intP_alloc_table : intP alloc_table ref

parameter intP_tag_table : intP tag_table ref

parameter alloc_struct_intP :
 n:int ->
  intP_alloc_table:intP alloc_table ref ->
   intP_tag_table:intP tag_table ref ->
    { } intP pointer writes intP_alloc_table,intP_tag_table
    { (strict_valid_struct_intP(result, (0), sub_int(n, (1)),
       intP_alloc_table)
      and (alloc_extends(intP_alloc_table@, intP_alloc_table)
          and (alloc_fresh(intP_alloc_table@, result, n)
              and instanceof(intP_tag_table, result, intP_tag)))) }

parameter alloc_struct_intP_requires :
 n:int ->
  intP_alloc_table:intP alloc_table ref ->
   intP_tag_table:intP tag_table ref ->
    { ge_int(n, (0))} intP pointer writes intP_alloc_table,intP_tag_table
    { (strict_valid_struct_intP(result, (0), sub_int(n, (1)),
       intP_alloc_table)
      and (alloc_extends(intP_alloc_table@, intP_alloc_table)
          and (alloc_fresh(intP_alloc_table@, result, n)
              and instanceof(intP_tag_table, result, intP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int32 : unit -> { } int32 { true }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint32 : unit -> { } uint32 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter calloc :
 nmemb:uint32 -> size_0:uint32 -> { } charP pointer { true }

parameter calloc_requires :
 nmemb:uint32 -> size_0:uint32 -> { } charP pointer { true }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter m :
 t_0:intP pointer ->
  l:int32 ->
   intP_m_6_alloc_table:intP alloc_table ref ->
    intP_m_6_tag_table:intP tag_table ref ->
     intP_intM_m_6:(intP, int32) memory ref ->
      intP_t_4_alloc_table:intP alloc_table ->
       intP_intM_t_4:(intP, int32) memory ->
        { } intP pointer reads intP_m_6_alloc_table
        writes intP_intM_m_6,intP_m_6_alloc_table,intP_m_6_tag_table 
        { true }

parameter m_requires :
 t_0:intP pointer ->
  l:int32 ->
   intP_m_6_alloc_table:intP alloc_table ref ->
    intP_m_6_tag_table:intP tag_table ref ->
     intP_intM_m_6:(intP, int32) memory ref ->
      intP_t_4_alloc_table:intP alloc_table ->
       intP_intM_t_4:(intP, int32) memory ->
        { (JC_14:
          ((JC_11: ge_int(integer_of_int32(l), (0)))
          and ((JC_12: le_int(offset_min(intP_t_4_alloc_table, t_0), (0)))
              and (JC_13:
                  ge_int(offset_max(intP_t_4_alloc_table, t_0),
                  sub_int(integer_of_int32(l), (1)))))))}
        intP pointer reads intP_m_6_alloc_table
        writes intP_intM_m_6,intP_m_6_alloc_table,intP_m_6_tag_table 
        { true }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint32_of_integer_ :
 x:int -> { } uint32 { eq_int(integer_of_uint32(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter uint32_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (4294967295)))} uint32
  { eq_int(integer_of_uint32(result), x) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let m_ensures_default =
 fun (t_0 : intP pointer) (l : int32) (intP_m_6_alloc_table : intP alloc_table ref) (intP_m_6_tag_table : intP tag_table ref) (intP_intM_m_6 : (intP, int32) memory ref) (intP_t_4_alloc_table : intP alloc_table) (intP_intM_t_4 : (intP, int32) memory) ->
  { (JC_19:
    ((JC_16: ge_int(integer_of_int32(l), (0)))
    and ((JC_17: le_int(offset_min(intP_t_4_alloc_table, t_0), (0)))
        and (JC_18:
            ge_int(offset_max(intP_t_4_alloc_table, t_0),
            sub_int(integer_of_int32(l), (1))))))) }
  (init:
  (let return = ref (any_pointer void) in
  try
   begin
     (let i = ref (any_int32 void) in
     (let count = ref (any_int32 void) in
     (let u = ref (any_pointer void) in
     (let i_0 = ref (any_int32 void) in
     (let tmp_0 = ref (any_int32 void) in
     try
      begin
        (let _jessie_ = (count := (safe_int32_of_integer_ (0))) in void);
       (let _jessie_ = (i := (safe_int32_of_integer_ (0))) in void);
       (loop_3:
       begin
         while true do
         { invariant
             (JC_60:
             ((JC_55: le_int((0), integer_of_int32(i)))
             and ((JC_56: le_int(integer_of_int32(i), integer_of_int32(l)))
                 and ((JC_57: le_int((0), integer_of_int32(count)))
                     and ((JC_58:
                          le_int(integer_of_int32(count),
                          integer_of_int32(i)))
                         and (JC_59:
                             (integer_of_int32(count) = num_of_pos((0),
                                                        integer_of_int32(i),
                                                        t_0, intP_intM_t_4))))))))
            }
          begin
            [ { } unit { true } ];
           try
            begin
              (let _jessie_ =
              begin
                (if ((lt_int_ (integer_of_int32 !i)) (integer_of_int32 l))
                then void else (raise (Goto_while_0_break_exc void)));
               (if ((gt_int_ (integer_of_int32 ((safe_acc_ intP_intM_t_4) 
                                                ((shift t_0) (integer_of_int32 !i))))) (0))
               then
                (let _jessie_ =
                (count := (safe_int32_of_integer_ ((add_int (integer_of_int32 !count)) (1)))) in
                void) else void);
               (i := (safe_int32_of_integer_ ((add_int (integer_of_int32 !i)) (1))));
               !i end in void); (raise (Loop_continue_exc void)) end with
            Loop_continue_exc _jessie_ -> void end end done;
        (raise (Goto_while_0_break_exc void)) end) end with
      Goto_while_0_break_exc _jessie_ ->
      (while_0_break:
      begin
        void;
       (let _jessie_ =
       (u := (JC_64:
             (((alloc_struct_intP (integer_of_uint32 (safe_uint32_of_integer_ 
                                                      (integer_of_int32 !count)))) intP_m_6_alloc_table) intP_m_6_tag_table))) in
       void);
       (let _jessie_ = (count := (safe_int32_of_integer_ (0))) in void);
       try
        begin
          (let _jessie_ = (i_0 := (safe_int32_of_integer_ (0))) in void);
         (loop_4:
         begin
           while true do
           { invariant
               (JC_70:
               ((JC_65: le_int((0), integer_of_int32(i_0)))
               and ((JC_66:
                    le_int(integer_of_int32(i_0), integer_of_int32(l)))
                   and ((JC_67: le_int((0), integer_of_int32(count)))
                       and ((JC_68:
                            le_int(integer_of_int32(count),
                            integer_of_int32(i_0)))
                           and (JC_69:
                               (integer_of_int32(count) = num_of_pos((0),
                                                          integer_of_int32(i_0),
                                                          t_0, intP_intM_t_4))))))))
              }
            begin
              [ { } unit { true } ];
             try
              begin
                (let _jessie_ =
                begin
                  (if ((lt_int_ (integer_of_int32 !i_0)) (integer_of_int32 l))
                  then void else (raise (Goto_while_1_break_exc void)));
                 (if ((gt_int_ (integer_of_int32 ((safe_acc_ intP_intM_t_4) 
                                                  ((shift t_0) (integer_of_int32 !i_0))))) (0))
                 then
                  (let _jessie_ =
                  begin
                    (let _jessie_ = (tmp_0 := !count) in void);
                   (let _jessie_ =
                   (count := (safe_int32_of_integer_ ((add_int (integer_of_int32 !count)) (1)))) in
                   void);
                   (let _jessie_ =
                   ((safe_acc_ intP_intM_t_4) ((shift t_0) (integer_of_int32 !i_0))) in
                   (let _jessie_ = !u in
                   (let _jessie_ = (integer_of_int32 !tmp_0) in
                   (let _jessie_ = ((shift _jessie_) _jessie_) in
                   begin
                     (((safe_upd_ intP_intM_m_6) _jessie_) _jessie_);
                    _jessie_ end)))) end in void) else void);
                 (i_0 := (safe_int32_of_integer_ ((add_int (integer_of_int32 !i_0)) (1))));
                 !i_0 end in void); (raise (Loop_continue_exc void)) end with
              Loop_continue_exc _jessie_ -> void end end done;
          (raise (Goto_while_1_break_exc void)) end) end with
        Goto_while_1_break_exc _jessie_ -> (while_1_break: void) end;
       (return := !u); (raise Return) end) end))))); absurd  end with
   Return -> !return end)) { (JC_21: true) } 

let m_safety =
 fun (t_0 : intP pointer) (l : int32) (intP_m_6_alloc_table : intP alloc_table ref) (intP_m_6_tag_table : intP tag_table ref) (intP_intM_m_6 : (intP, int32) memory ref) (intP_t_4_alloc_table : intP alloc_table) (intP_intM_t_4 : (intP, int32) memory) ->
  { (JC_19:
    ((JC_16: ge_int(integer_of_int32(l), (0)))
    and ((JC_17: le_int(offset_min(intP_t_4_alloc_table, t_0), (0)))
        and (JC_18:
            ge_int(offset_max(intP_t_4_alloc_table, t_0),
            sub_int(integer_of_int32(l), (1))))))) }
  (init:
  (let return = ref (any_pointer void) in
  try
   begin
     (let i = ref (any_int32 void) in
     (let count = ref (any_int32 void) in
     (let u = ref (any_pointer void) in
     (let i_0 = ref (any_int32 void) in
     (let tmp_0 = ref (any_int32 void) in
     try
      begin
        (let _jessie_ = (count := (safe_int32_of_integer_ (0))) in void);
       (let _jessie_ = (i := (safe_int32_of_integer_ (0))) in void);
       (loop_1:
       begin
         while true do
         { invariant (JC_32: true)
           variant (JC_37 : sub_int(integer_of_int32(l), integer_of_int32(i))) }
          begin
            [ { } unit reads count,i
              { (JC_30:
                ((JC_25: le_int((0), integer_of_int32(i)))
                and ((JC_26:
                     le_int(integer_of_int32(i), integer_of_int32(l)))
                    and ((JC_27: le_int((0), integer_of_int32(count)))
                        and ((JC_28:
                             le_int(integer_of_int32(count),
                             integer_of_int32(i)))
                            and (JC_29:
                                (integer_of_int32(count) = num_of_pos((0),
                                                           integer_of_int32(i),
                                                           t_0,
                                                           intP_intM_t_4)))))))) } ];
           try
            begin
              (let _jessie_ =
              begin
                (if ((lt_int_ (integer_of_int32 !i)) (integer_of_int32 l))
                then void else (raise (Goto_while_0_break_exc void)));
               (if ((gt_int_ (integer_of_int32 (JC_34:
                                               ((((offset_acc_ intP_t_4_alloc_table) intP_intM_t_4) t_0) 
                                                (integer_of_int32 !i))))) (0))
               then
                (let _jessie_ =
                (count := (JC_35:
                          (int32_of_integer_ ((add_int (integer_of_int32 !count)) (1))))) in
                void) else void);
               (i := (JC_36:
                     (int32_of_integer_ ((add_int (integer_of_int32 !i)) (1)))));
               !i end in void); (raise (Loop_continue_exc void)) end with
            Loop_continue_exc _jessie_ -> void end end done;
        (raise (Goto_while_0_break_exc void)) end) end with
      Goto_while_0_break_exc _jessie_ ->
      (while_0_break:
      begin
        void;
       (let _jessie_ =
       (u := (JC_39:
             (((alloc_struct_intP_requires (integer_of_uint32 (JC_38:
                                                              (uint32_of_integer_ 
                                                               (integer_of_int32 !count))))) intP_m_6_alloc_table) intP_m_6_tag_table))) in
       void);
       (let _jessie_ = (count := (safe_int32_of_integer_ (0))) in void);
       try
        begin
          (let _jessie_ = (i_0 := (safe_int32_of_integer_ (0))) in void);
         (loop_2:
         begin
           while true do
           { invariant (JC_47: true)
             variant (JC_54 : sub_int(integer_of_int32(l),
                              integer_of_int32(i_0))) }
            begin
              [ { } unit reads count,i_0
                { (JC_45:
                  ((JC_40: le_int((0), integer_of_int32(i_0)))
                  and ((JC_41:
                       le_int(integer_of_int32(i_0), integer_of_int32(l)))
                      and ((JC_42: le_int((0), integer_of_int32(count)))
                          and ((JC_43:
                               le_int(integer_of_int32(count),
                               integer_of_int32(i_0)))
                              and (JC_44:
                                  (integer_of_int32(count) = num_of_pos((0),
                                                             integer_of_int32(i_0),
                                                             t_0,
                                                             intP_intM_t_4)))))))) } ];
             try
              begin
                (let _jessie_ =
                begin
                  (if ((lt_int_ (integer_of_int32 !i_0)) (integer_of_int32 l))
                  then void else (raise (Goto_while_1_break_exc void)));
                 (if ((gt_int_ (integer_of_int32 (JC_49:
                                                 ((((offset_acc_ intP_t_4_alloc_table) intP_intM_t_4) t_0) 
                                                  (integer_of_int32 !i_0))))) (0))
                 then
                  (let _jessie_ =
                  begin
                    (let _jessie_ = (tmp_0 := !count) in void);
                   (let _jessie_ =
                   (count := (JC_50:
                             (int32_of_integer_ ((add_int (integer_of_int32 !count)) (1))))) in
                   void);
                   (let _jessie_ =
                   (JC_51:
                   ((((offset_acc_ intP_t_4_alloc_table) intP_intM_t_4) t_0) 
                    (integer_of_int32 !i_0))) in
                   (let _jessie_ = !u in
                   (let _jessie_ = (integer_of_int32 !tmp_0) in
                   (let _jessie_ = ((shift _jessie_) _jessie_) in
                   (JC_52:
                   begin
                     (((((offset_upd_ !intP_m_6_alloc_table) intP_intM_m_6) _jessie_) _jessie_) _jessie_);
                    _jessie_ end))))) end in void) else void);
                 (i_0 := (JC_53:
                         (int32_of_integer_ ((add_int (integer_of_int32 !i_0)) (1)))));
                 !i_0 end in void); (raise (Loop_continue_exc void)) end with
              Loop_continue_exc _jessie_ -> void end end done;
          (raise (Goto_while_1_break_exc void)) end) end with
        Goto_while_1_break_exc _jessie_ -> (while_1_break: void) end;
       (return := !u); (raise Return) end) end))))); absurd  end with
   Return -> !return end)) { true } 


why-2.39/tests/c/oracle/tree_max.err.oracle0000644000106100004300000000000013147234006017632 0ustar  marchevalswhy-2.39/tests/c/oracle/array_max.err.oracle0000644000106100004300000000000013147234006020011 0ustar  marchevalswhy-2.39/tests/c/oracle/floats_bsearch.err.oracle0000644000106100004300000000000013147234006021005 0ustar  marchevalswhy-2.39/tests/c/oracle/heap_sort.err.oracle0000644000106100004300000000000013147234006020012 0ustar  marchevalswhy-2.39/tests/c/oracle/quick_sort.res.oracle0000644000106100004300000021716213147234006020235 0ustar  marchevals========== file tests/c/quick_sort.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

// RUNSIMPLIFY: will ask regtests to run Simplify on this program

#pragma JessieIntegerModel(math)

#include "sorting.h"

/*@ requires \valid(t+i) && \valid(t+j);
  @ assigns t[i],t[j];
  @ ensures Swap{Old,Here}(t,i,j);
  @*/
void swap(int t[], int i, int j) {
  int tmp = t[i];
  t[i] = t[j];
  t[j] = tmp;
}

// quick_rec sorts t[l..r]
/*@ requires \valid(t+(l..r));
  @ decreases r-l;
  @ assigns t[l..r];
  @ behavior sorted:
  @   ensures Sorted(t,l,r+1);
  @ behavior permutation:
  @   ensures Permut{Old,Here}(t,l,r);
  @*/
void quick_rec(int t[], int l, int r) {
  int v,m,i;
  if (l >= r) return;
  v = t[l];
  m = l;
  /*@ loop invariant
    @   \forall integer j; l < j <= m ==> t[j] < v;
    @ loop invariant
    @   \forall integer j; m < j <  i ==> t[j] >= v;
    @ loop invariant
    @   Permut{Pre,Here}(t,l,r);
    @ loop invariant t[l] == v && l <= m < i <= r+1;
    @ loop variant r-i;
    @*/
  for (i = l + 1; i <= r; i++) {
    if (t[i] < v) {
    L1:
      swap(t,i,++m);
      //@ assert Permut{L1,Here}(t,l,r);
    }
  }
  //@ assert l <= m <= r;
 L: swap(t,l,m);
  //@ assert Permut{L,Here}(t,l,r);
  quick_rec(t,l,m-1);
  quick_rec(t,m+1,r);
}

/*@ requires \valid(t+(0..n-1));
  @ behavior sorted:
  @   ensures Sorted(t,0,n);
  @ behavior permutation:
  @   ensures Permut{Old,Here}(t,0,n-1);
  @*/
void quick_sort(int t[], int n) {
  quick_rec(t,0,n-1);
}


/*
Local Variables:
compile-command: "make quick_sort.why3ide"
End:
*/
========== frama-c -jessie execution ==========
[kernel] Parsing FRAMAC_SHARE/libc/__fc_builtin_for_normalization.i (no preprocessing)
[kernel] Parsing tests/c/quick_sort.c (with preprocessing)
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/quick_sort.jessie
[jessie] File tests/c/quick_sort.jessie/quick_sort.jc written.
[jessie] File tests/c/quick_sort.jessie/quick_sort.cloc written.
========== file tests/c/quick_sort.jessie/quick_sort.jc ==========
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

tag intP = {
  integer intM: 32;
}

type intP = [intP]

tag unsigned_charP = {
  integer unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  integer charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

predicate Swap{L1, L2}(intP[..] a, integer i_1, integer j_0) =
(((\at((a + i_1).intM,L1) == \at((a + j_0).intM,L2)) &&
   (\at((a + j_0).intM,L1) == \at((a + i_1).intM,L2))) &&
  (\forall integer k;
    (((k != i_1) && (k != j_0)) ==>
      (\at((a + k).intM,L1) == \at((a + k).intM,L2)))))

predicate Permut{L1, L2}(intP[..] a_0, integer l, integer h) {
case Permut_refl{L}: \at((\forall intP[..] a_1;
                           (\forall integer l_0;
                             (\forall integer h_0;
                               Permut{L,
                               L}(a_1, l_0, h_0)))),L);
  
  case Permut_sym{L1, L2}: (\forall intP[..] a_2;
                             (\forall integer l_1;
                               (\forall integer h_1;
                                 (Permut{L1,
                                   L2}(a_2, l_1, h_1) ==>
                                   Permut{L2,
                                   L1}(a_2, l_1, h_1)))));
  
  case Permut_trans{L1, L2, L3}: (\forall intP[..] a_3;
                                   (\forall integer l_2;
                                     (\forall integer h_2;
                                       ((Permut{L1,
                                          L2}(a_3, l_2, h_2) &&
                                          Permut{L2,
                                          L3}(a_3, l_2, h_2)) ==>
                                         Permut{L1,
                                         L3}(a_3, l_2, h_2)))));
  
  case Permut_swap{L1, L2}: (\forall intP[..] a_4;
                              (\forall integer l_3;
                                (\forall integer h_3;
                                  (\forall integer i_2;
                                    (\forall integer j_1;
                                      ((((((l_3 <= i_2) && (i_2 <= h_3)) &&
                                           (l_3 <= j_1)) &&
                                          (j_1 <= h_3)) &&
                                         Swap{L1,
                                         L2}(a_4, i_2, j_1)) ==>
                                        Permut{L1,
                                        L2}(a_4, l_3, h_3)))))));
  
}

predicate Sorted{L}(intP[..] a_5, integer l_4, integer h_4) =
(\forall integer i_3;
  (\forall integer j_2;
    ((((l_4 <= i_3) && (i_3 <= j_2)) && (j_2 < h_4)) ==>
      ((a_5 + i_3).intM <= (a_5 + j_2).intM))))

unit swap(intP[..] t_1, integer i, integer j)
  requires (_C_13 : (((_C_15 : (\offset_min(t_1) <= i)) &&
                       (_C_16 : (\offset_max(t_1) >= i))) &&
                      ((_C_18 : (\offset_min(t_1) <= j)) &&
                        (_C_19 : (\offset_max(t_1) >= j)))));
behavior default:
  assigns (t_1 + i).intM,
  (t_1 + j).intM;
  ensures (_C_12 : Swap{Old, Here}(\at(t_1,Old), \at(i,Old), \at(j,Old)));
{  
   (var integer tmp);
   
   {  (_C_3 : (tmp = (_C_2 : (_C_1 : (t_1 + i)).intM)));
      (_C_8 : ((_C_7 : (_C_6 : (t_1 + i)).intM) = (_C_5 : (_C_4 : (t_1 + j)).intM)));
      (_C_11 : ((_C_10 : (_C_9 : (t_1 + j)).intM) = tmp));
      
      (return ())
   }
}

unit quick_rec(intP[..] t, integer l, integer r)
  requires (_C_55 : ((_C_56 : (\offset_min(t) <= l)) &&
                      (_C_57 : (\offset_max(t) >= r))));
  decreases (_C_58 : (r - l));
behavior default:
  assigns (t + [l..r]).intM;
  ensures (_C_52 : true);
behavior sorted:
  ensures (_C_53 : Sorted{Here}(\at(t,Old), \at(l,Old), (\at(r,Old) + 1)));
behavior permutation:
  ensures (_C_54 : Permut{Old, Here}(\at(t,Old), \at(l,Old), \at(r,Old)));
{  
   (var integer v);
   
   (var integer m);
   
   (var integer i_0);
   
   {  (if (l >= r) then 
      (goto return_label) else ());
      (_C_22 : (v = (_C_21 : (_C_20 : (t + l)).intM)));
      (_C_23 : (m = l));
      (_C_25 : (i_0 = (_C_24 : (l + 1))));
      
      loop 
      behavior default:
        invariant (_C_36 : (\forall integer j_3;
                             (((l < j_3) && (j_3 <= m)) ==>
                               ((t + j_3).intM < v))));
      behavior default:
        invariant (_C_35 : (\forall integer j_4;
                             (((m < j_4) && (j_4 < i_0)) ==>
                               ((t + j_4).intM >= v))));
      behavior default:
        invariant (_C_34 : Permut{Pre, Here}(t, l, r));
      behavior default:
        invariant (_C_27 : ((((_C_30 : ((t + l).intM == v)) &&
                               (_C_31 : (l <= m))) &&
                              (_C_32 : (m < i_0))) &&
                             (_C_33 : (i_0 <= (r + 1)))));
      variant (_C_26 : (r - i_0));
      while (true)
      {  
         {  (if (i_0 <= r) then () else 
            (goto while_0_break));
            
            {  (if ((_C_42 : (_C_41 : (t + i_0)).intM) < v) then 
               {  (L1 : 
                  {  (_C_38 : (m = (_C_37 : (m + 1))));
                     ();
                     ()
                  });
                  (_C_39 : swap(t, i_0, m));
                  
                  {  
                     (assert for default: (_C_40 : (jessie : Permut{L1,
                                                   Here}(t, l, r))));
                     ()
                  }
               } else ())
            };
            (_C_44 : (i_0 = (_C_43 : (i_0 + 1))))
         }
      };
      (while_0_break : ());
      
      {  
         (assert for default: (_C_45 : (jessie : ((l <= m) && (m <= r)))));
         ()
      };
      (L : (_C_46 : swap(t, l, m)));
      
      {  
         (assert for default: (_C_47 : (jessie : Permut{L, Here}(t, l, r))));
         ()
      };
      (_C_49 : quick_rec(t, l, (_C_48 : (m - 1))));
      (_C_51 : quick_rec(t, (_C_50 : (m + 1)), r));
      (return_label : 
      (return ()))
   }
}

unit quick_sort(intP[..] t_0, integer n_1)
  requires (_C_64 : ((_C_65 : (\offset_min(t_0) <= 0)) &&
                      (_C_66 : (\offset_max(t_0) >= (n_1 - 1)))));
behavior default:
  ensures (_C_61 : true);
behavior sorted:
  ensures (_C_62 : Sorted{Here}(\at(t_0,Old), 0, \at(n_1,Old)));
behavior permutation:
  ensures (_C_63 : Permut{Old, Here}(\at(t_0,Old), 0, (\at(n_1,Old) - 1)));
{  
   {  (_C_60 : quick_rec(t_0, 0, (_C_59 : (n_1 - 1))));
      
      (return ())
   }
}
========== file tests/c/quick_sort.jessie/quick_sort.cloc ==========
[quick_sort]
name = "Function quick_sort"
file = "HOME/tests/c/quick_sort.c"
line = 91
begin = 5
end = 15

[_C_52]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_35]
file = "HOME/tests/c/quick_sort.c"
line = 65
begin = 8
end = 50

[_C_56]
file = "HOME/tests/c/quick_sort.c"
line = 49
begin = 16
end = 32

[_C_28]
file = "HOME/tests/c/quick_sort.c"
line = 68
begin = 21
end = 44

[_C_59]
file = "HOME/tests/c/quick_sort.c"
line = 92
begin = 16
end = 19

[_C_48]
file = "HOME/tests/c/quick_sort.c"
line = 81
begin = 16
end = 19

[_C_51]
file = "HOME/tests/c/quick_sort.c"
line = 82
begin = 2
end = 20

[_C_31]
file = "HOME/tests/c/quick_sort.c"
line = 68
begin = 34
end = 40

[quick_rec]
name = "Function quick_rec"
file = "HOME/tests/c/quick_sort.c"
line = 57
begin = 5
end = 14

[_C_41]
file = "HOME/tests/c/quick_sort.c"
line = 72
begin = 8
end = 9

[_C_4]
file = "HOME/tests/c/quick_sort.c"
line = 44
begin = 9
end = 10

[_C_61]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_32]
file = "HOME/tests/c/quick_sort.c"
line = 68
begin = 39
end = 44

[_C_23]
file = "HOME/tests/c/quick_sort.c"
line = 61
begin = 6
end = 7

[_C_19]
file = "HOME/tests/c/quick_sort.c"
line = 38
begin = 31
end = 42

[_C_42]
file = "HOME/tests/c/quick_sort.c"
line = 72
begin = 8
end = 12

[_C_13]
file = "HOME/tests/c/quick_sort.c"
line = 38
begin = 16
end = 42

[_C_5]
file = "HOME/tests/c/quick_sort.c"
line = 44
begin = 9
end = 13

[_C_36]
file = "HOME/tests/c/quick_sort.c"
line = 63
begin = 8
end = 50

[_C_12]
file = "HOME/tests/c/quick_sort.c"
line = 40
begin = 12
end = 33

[_C_33]
file = "HOME/tests/c/quick_sort.c"
line = 68
begin = 43
end = 51

[_C_22]
file = "HOME/tests/c/quick_sort.c"
line = 60
begin = 6
end = 10

[_C_65]
file = "HOME/tests/c/quick_sort.c"
line = 85
begin = 16
end = 34

[_C_9]
file = "HOME/tests/c/quick_sort.c"
line = 45
begin = 2
end = 3

[_C_57]
file = "HOME/tests/c/quick_sort.c"
line = 49
begin = 16
end = 32

[_C_54]
file = "HOME/tests/c/quick_sort.c"
line = 55
begin = 14
end = 37

[_C_30]
file = "HOME/tests/c/quick_sort.c"
line = 68
begin = 21
end = 30

[_C_63]
file = "HOME/tests/c/quick_sort.c"
line = 89
begin = 14
end = 39

[_C_6]
file = "HOME/tests/c/quick_sort.c"
line = 44
begin = 2
end = 3

[_C_64]
file = "HOME/tests/c/quick_sort.c"
line = 85
begin = 16
end = 34

[_C_49]
file = "HOME/tests/c/quick_sort.c"
line = 81
begin = 2
end = 20

[_C_24]
file = "HOME/tests/c/quick_sort.c"
line = 71
begin = 11
end = 16

[_C_45]
file = "HOME/tests/c/quick_sort.c"
line = 78
begin = 18
end = 29

[_C_20]
file = "HOME/tests/c/quick_sort.c"
line = 60
begin = 6
end = 7

[_C_38]
file = "HOME/tests/c/quick_sort.c"
line = 74
begin = 15
end = 18

[_C_3]
file = "HOME/tests/c/quick_sort.c"
line = 43
begin = 2
end = 5

[_C_17]
file = "HOME/tests/c/quick_sort.c"
line = 38
begin = 31
end = 42

[_C_7]
file = "HOME/tests/c/quick_sort.c"
line = 44
begin = 9
end = 13

[_C_62]
file = "HOME/tests/c/quick_sort.c"
line = 87
begin = 14
end = 27

[_C_55]
file = "HOME/tests/c/quick_sort.c"
line = 49
begin = 16
end = 32

[_C_27]
file = "HOME/tests/c/quick_sort.c"
line = 68
begin = 21
end = 51

[_C_46]
file = "HOME/tests/c/quick_sort.c"
line = 79
begin = 4
end = 15

[_C_44]
file = "HOME/tests/c/quick_sort.c"
line = 71
begin = 26
end = 29

[_C_15]
file = "HOME/tests/c/quick_sort.c"
line = 38
begin = 16
end = 27

[_C_26]
file = "HOME/tests/c/quick_sort.c"
line = 69
begin = 19
end = 22

[_C_47]
file = "HOME/tests/c/quick_sort.c"
line = 80
begin = 18
end = 39

[_C_10]
file = "HOME/tests/c/quick_sort.c"
line = 45
begin = 9
end = 12

[_C_60]
file = "HOME/tests/c/quick_sort.c"
line = 92
begin = 2
end = 20

[_C_53]
file = "HOME/tests/c/quick_sort.c"
line = 53
begin = 14
end = 29

[_C_40]
file = "HOME/tests/c/quick_sort.c"
line = 75
begin = 26
end = 48

[_C_58]
file = "HOME/tests/c/quick_sort.c"
line = 50
begin = 14
end = 17

[swap]
name = "Function swap"
file = "HOME/tests/c/quick_sort.c"
line = 42
begin = 5
end = 9

[_C_8]
file = "HOME/tests/c/quick_sort.c"
line = 44
begin = 9
end = 13

[_C_66]
file = "HOME/tests/c/quick_sort.c"
line = 85
begin = 16
end = 34

[_C_18]
file = "HOME/tests/c/quick_sort.c"
line = 38
begin = 31
end = 42

[_C_29]
file = "HOME/tests/c/quick_sort.c"
line = 68
begin = 21
end = 40

[_C_14]
file = "HOME/tests/c/quick_sort.c"
line = 38
begin = 16
end = 27

[_C_50]
file = "HOME/tests/c/quick_sort.c"
line = 82
begin = 14
end = 17

[_C_37]
file = "HOME/tests/c/quick_sort.c"
line = 74
begin = 15
end = 18

[_C_43]
file = "HOME/tests/c/quick_sort.c"
line = 71
begin = 26
end = 29

[_C_2]
file = "HOME/tests/c/quick_sort.c"
line = 43
begin = 12
end = 16

[_C_34]
file = "HOME/tests/c/quick_sort.c"
line = 67
begin = 8
end = 31

[_C_16]
file = "HOME/tests/c/quick_sort.c"
line = 38
begin = 16
end = 27

[_C_1]
file = "HOME/tests/c/quick_sort.c"
line = 43
begin = 12
end = 13

[_C_25]
file = "HOME/tests/c/quick_sort.c"
line = 71
begin = 11
end = 16

[_C_39]
file = "HOME/tests/c/quick_sort.c"
line = 74
begin = 6
end = 19

[_C_11]
file = "HOME/tests/c/quick_sort.c"
line = 45
begin = 9
end = 12

[_C_21]
file = "HOME/tests/c/quick_sort.c"
line = 60
begin = 6
end = 10

========== jessie execution ==========
Generating Why function swap
Generating Why function quick_rec
Generating Why function quick_sort
========== file tests/c/quick_sort.jessie/quick_sort.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/quick_sort_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: quick_sort.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: quick_sort.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: quick_sort.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/c/quick_sort.jessie/quick_sort.loc ==========
[JC_94]
file = "HOME/tests/c/quick_sort.c"
line = 65
begin = 8
end = 50

[JC_73]
file = "HOME/tests/c/quick_sort.c"
line = 68
begin = 43
end = 51

[JC_63]
file = "HOME/tests/c/quick_sort.c"
line = 50
begin = 14
end = 17

[JC_80]
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 132
begin = 6
end = 1478

[JC_51]
file = "HOME/tests/c/quick_sort.c"
line = 63
begin = 8
end = 50

[JC_71]
file = "HOME/tests/c/quick_sort.c"
line = 68
begin = 34
end = 40

[JC_45]
file = "HOME/tests/c/quick_sort.c"
line = 68
begin = 34
end = 40

[JC_123]
kind = UserCall
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 185
begin = 15
end = 49

[JC_106]
file = "HOME/tests/c/quick_sort.c"
line = 68
begin = 21
end = 30

[JC_143]
kind = UserCall
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 201
begin = 15
end = 53

[JC_113]
file = "HOME/tests/c/quick_sort.c"
line = 63
begin = 8
end = 50

[JC_116]
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 132
begin = 6
end = 1478

[JC_64]
file = "HOME/tests/c/quick_sort.c"
line = 50
begin = 14
end = 17

[JC_133]
file = "HOME/"
line = 0
begin = -1
end = -1

[quick_sort_ensures_default]
name = "Function quick_sort"
behavior = "default behavior"
file = "HOME/tests/c/quick_sort.c"
line = 91
begin = 5
end = 15

[quick_rec_ensures_sorted]
name = "Function quick_rec"
behavior = "Behavior `sorted'"
file = "HOME/tests/c/quick_sort.c"
line = 57
begin = 5
end = 14

[JC_99]
kind = UserCall
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 160
begin = 27
end = 42

[JC_85]
file = "HOME/tests/c/quick_sort.c"
line = 80
begin = 18
end = 39

[JC_126]
file = "HOME/tests/c/quick_sort.c"
line = 85
begin = 16
end = 34

[JC_31]
file = "HOME/tests/c/quick_sort.c"
line = 49
begin = 16
end = 32

[JC_17]
file = "HOME/tests/c/quick_sort.c"
line = 42
begin = 5
end = 9

[JC_122]
kind = UserCall
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 184
begin = 15
end = 49

[JC_81]
kind = UserCall
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 160
begin = 27
end = 42

[JC_55]
kind = PointerDeref
file = "HOME/tests/c/quick_sort.c"
line = 72
begin = 8
end = 12

[JC_138]
file = "HOME/tests/c/quick_sort.c"
line = 89
begin = 14
end = 39

[JC_134]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_137]
file = "HOME/tests/c/quick_sort.c"
line = 87
begin = 14
end = 27

[JC_48]
file = "HOME/tests/c/quick_sort.c"
line = 68
begin = 21
end = 51

[JC_23]
kind = PointerDeref
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 101
begin = 15
end = 82

[JC_22]
kind = PointerDeref
file = "HOME/tests/c/quick_sort.c"
line = 44
begin = 9
end = 13

[JC_121]
file = "HOME/tests/c/quick_sort.c"
line = 80
begin = 18
end = 39

[JC_5]
file = "HOME/tests/c/quick_sort.c"
line = 38
begin = 16
end = 42

[JC_125]
file = "HOME/tests/c/quick_sort.c"
line = 85
begin = 16
end = 34

[JC_67]
file = "HOME/tests/c/quick_sort.c"
line = 50
begin = 14
end = 17

[JC_9]
file = "HOME/tests/c/quick_sort.c"
line = 38
begin = 31
end = 42

[JC_75]
file = "HOME/tests/c/quick_sort.c"
line = 67
begin = 8
end = 31

[JC_24]
kind = PointerDeref
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 102
begin = 16
end = 55

[JC_25]
file = "HOME/tests/c/quick_sort.c"
line = 49
begin = 16
end = 32

[JC_78]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_41]
file = "HOME/tests/c/quick_sort.c"
line = 55
begin = 14
end = 37

[JC_74]
file = "HOME/tests/c/quick_sort.c"
line = 68
begin = 21
end = 51

[JC_47]
file = "HOME/tests/c/quick_sort.c"
line = 68
begin = 43
end = 51

[JC_52]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_26]
file = "HOME/tests/c/quick_sort.c"
line = 49
begin = 16
end = 32

[JC_8]
file = "HOME/tests/c/quick_sort.c"
line = 38
begin = 16
end = 27

[JC_54]
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 132
begin = 6
end = 1478

[JC_79]
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 132
begin = 6
end = 1478

[quick_sort_ensures_sorted]
name = "Function quick_sort"
behavior = "Behavior `sorted'"
file = "HOME/tests/c/quick_sort.c"
line = 91
begin = 5
end = 15

[JC_13]
file = "HOME/tests/c/quick_sort.c"
line = 40
begin = 12
end = 33

[JC_130]
file = "HOME/tests/c/quick_sort.c"
line = 85
begin = 16
end = 34

[JC_82]
file = "HOME/tests/c/quick_sort.c"
line = 75
begin = 26
end = 48

[JC_87]
kind = UserCall
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 185
begin = 15
end = 49

[JC_11]
file = "HOME/tests/c/quick_sort.c"
line = 38
begin = 16
end = 42

[JC_98]
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 132
begin = 6
end = 1478

[JC_70]
file = "HOME/tests/c/quick_sort.c"
line = 68
begin = 21
end = 30

[quick_rec_safety]
name = "Function quick_rec"
behavior = "Safety"
file = "HOME/tests/c/quick_sort.c"
line = 57
begin = 5
end = 14

[quick_rec_ensures_default]
name = "Function quick_rec"
behavior = "default behavior"
file = "HOME/tests/c/quick_sort.c"
line = 57
begin = 5
end = 14

[JC_15]
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 93
begin = 9
end = 16

[JC_36]
file = "HOME/tests/c/quick_sort.c"
line = 57
begin = 5
end = 14

[JC_104]
kind = UserCall
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 184
begin = 15
end = 49

[JC_91]
file = "HOME/tests/c/quick_sort.c"
line = 68
begin = 43
end = 51

[JC_39]
file = "HOME/tests/c/quick_sort.c"
line = 53
begin = 14
end = 29

[JC_112]
file = "HOME/tests/c/quick_sort.c"
line = 65
begin = 8
end = 50

[JC_40]
file = "HOME/tests/c/quick_sort.c"
line = 53
begin = 14
end = 29

[JC_135]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_83]
file = "HOME/tests/c/quick_sort.c"
line = 78
begin = 18
end = 29

[JC_35]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_132]
file = "HOME/"
line = 0
begin = -1
end = -1

[quick_rec_ensures_permutation]
name = "Function quick_rec"
behavior = "Behavior `permutation'"
file = "HOME/tests/c/quick_sort.c"
line = 57
begin = 5
end = 14

[JC_27]
file = "HOME/tests/c/quick_sort.c"
line = 49
begin = 16
end = 32

[JC_115]
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 132
begin = 6
end = 1478

[JC_109]
file = "HOME/tests/c/quick_sort.c"
line = 68
begin = 43
end = 51

[JC_107]
file = "HOME/tests/c/quick_sort.c"
line = 68
begin = 34
end = 40

[JC_69]
kind = VarDecr
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 185
begin = 15
end = 49

[JC_124]
file = "HOME/tests/c/quick_sort.c"
line = 85
begin = 16
end = 34

[JC_38]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_127]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_44]
file = "HOME/tests/c/quick_sort.c"
line = 68
begin = 21
end = 30

[JC_4]
file = "HOME/tests/c/quick_sort.c"
line = 38
begin = 31
end = 42

[JC_62]
kind = UserCall
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 184
begin = 15
end = 49

[JC_101]
file = "HOME/tests/c/quick_sort.c"
line = 78
begin = 18
end = 29

[JC_88]
file = "HOME/tests/c/quick_sort.c"
line = 68
begin = 21
end = 30

[JC_129]
file = "HOME/tests/c/quick_sort.c"
line = 85
begin = 16
end = 34

[JC_42]
file = "HOME/tests/c/quick_sort.c"
line = 55
begin = 14
end = 37

[swap_ensures_default]
name = "Function swap"
behavior = "default behavior"
file = "HOME/tests/c/quick_sort.c"
line = 42
begin = 5
end = 9

[JC_110]
file = "HOME/tests/c/quick_sort.c"
line = 68
begin = 21
end = 51

[JC_103]
file = "HOME/tests/c/quick_sort.c"
line = 80
begin = 18
end = 39

[JC_46]
file = "HOME/tests/c/quick_sort.c"
line = 68
begin = 39
end = 44

[swap_safety]
name = "Function swap"
behavior = "Safety"
file = "HOME/tests/c/quick_sort.c"
line = 42
begin = 5
end = 9

[JC_141]
kind = UserCall
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 201
begin = 15
end = 53

[JC_61]
file = "HOME/tests/c/quick_sort.c"
line = 80
begin = 18
end = 39

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_56]
kind = UserCall
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 160
begin = 27
end = 42

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_65]
kind = VarDecr
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 184
begin = 15
end = 49

[JC_118]
file = "HOME/tests/c/quick_sort.c"
line = 75
begin = 26
end = 48

[quick_sort_safety]
name = "Function quick_sort"
behavior = "Safety"
file = "HOME/tests/c/quick_sort.c"
line = 91
begin = 5
end = 15

[JC_105]
kind = UserCall
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 185
begin = 15
end = 49

[JC_140]
kind = UserCall
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 201
begin = 15
end = 53

[JC_29]
file = "HOME/tests/c/quick_sort.c"
line = 49
begin = 16
end = 32

[JC_68]
file = "HOME/tests/c/quick_sort.c"
line = 50
begin = 14
end = 17

[JC_7]
file = "HOME/tests/c/quick_sort.c"
line = 38
begin = 16
end = 27

[JC_16]
file = "HOME/tests/c/quick_sort.c"
line = 40
begin = 12
end = 33

[JC_96]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_43]
kind = PointerDeref
file = "HOME/tests/c/quick_sort.c"
line = 60
begin = 6
end = 10

[JC_2]
file = "HOME/tests/c/quick_sort.c"
line = 38
begin = 16
end = 27

[quick_sort_ensures_permutation]
name = "Function quick_sort"
behavior = "Behavior `permutation'"
file = "HOME/tests/c/quick_sort.c"
line = 91
begin = 5
end = 15

[JC_95]
file = "HOME/tests/c/quick_sort.c"
line = 63
begin = 8
end = 50

[JC_93]
file = "HOME/tests/c/quick_sort.c"
line = 67
begin = 8
end = 31

[JC_97]
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 132
begin = 6
end = 1478

[JC_84]
kind = UserCall
file = "HOME/tests/c/quick_sort.c"
line = 79
begin = 4
end = 15

[JC_128]
file = "HOME/tests/c/quick_sort.c"
line = 85
begin = 16
end = 34

[JC_34]
file = "HOME/tests/c/quick_sort.c"
line = 57
begin = 5
end = 14

[JC_114]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/tests/c/quick_sort.c"
line = 42
begin = 5
end = 9

[JC_117]
kind = UserCall
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 160
begin = 27
end = 42

[JC_90]
file = "HOME/tests/c/quick_sort.c"
line = 68
begin = 39
end = 44

[JC_53]
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 132
begin = 6
end = 1478

[JC_21]
kind = PointerDeref
file = "HOME/tests/c/quick_sort.c"
line = 43
begin = 12
end = 16

[JC_111]
file = "HOME/tests/c/quick_sort.c"
line = 67
begin = 8
end = 31

[JC_77]
file = "HOME/tests/c/quick_sort.c"
line = 63
begin = 8
end = 50

[JC_49]
file = "HOME/tests/c/quick_sort.c"
line = 67
begin = 8
end = 31

[JC_1]
file = "HOME/tests/c/quick_sort.c"
line = 38
begin = 16
end = 27

[JC_131]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_102]
kind = UserCall
file = "HOME/tests/c/quick_sort.c"
line = 79
begin = 4
end = 15

[JC_37]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_142]
kind = UserCall
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 201
begin = 15
end = 53

[JC_10]
file = "HOME/tests/c/quick_sort.c"
line = 38
begin = 31
end = 42

[JC_108]
file = "HOME/tests/c/quick_sort.c"
line = 68
begin = 39
end = 44

[JC_57]
file = "HOME/tests/c/quick_sort.c"
line = 75
begin = 26
end = 48

[JC_89]
file = "HOME/tests/c/quick_sort.c"
line = 68
begin = 34
end = 40

[JC_136]
file = "HOME/tests/c/quick_sort.c"
line = 87
begin = 14
end = 27

[JC_66]
kind = UserCall
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 185
begin = 15
end = 49

[JC_59]
file = "HOME/tests/c/quick_sort.c"
line = 78
begin = 18
end = 29

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 93
begin = 9
end = 16

[JC_3]
file = "HOME/tests/c/quick_sort.c"
line = 38
begin = 31
end = 42

[JC_92]
file = "HOME/tests/c/quick_sort.c"
line = 68
begin = 21
end = 51

[JC_86]
kind = UserCall
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 184
begin = 15
end = 49

[JC_60]
kind = UserCall
file = "HOME/tests/c/quick_sort.c"
line = 79
begin = 4
end = 15

[JC_139]
file = "HOME/tests/c/quick_sort.c"
line = 89
begin = 14
end = 39

[JC_72]
file = "HOME/tests/c/quick_sort.c"
line = 68
begin = 39
end = 44

[JC_19]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_119]
file = "HOME/tests/c/quick_sort.c"
line = 78
begin = 18
end = 29

[JC_76]
file = "HOME/tests/c/quick_sort.c"
line = 65
begin = 8
end = 50

[JC_50]
file = "HOME/tests/c/quick_sort.c"
line = 65
begin = 8
end = 50

[JC_30]
file = "HOME/tests/c/quick_sort.c"
line = 49
begin = 16
end = 32

[JC_120]
kind = UserCall
file = "HOME/tests/c/quick_sort.c"
line = 79
begin = 4
end = 15

[JC_58]
file = "HOME/tests/c/quick_sort.c"
line = 69
begin = 19
end = 22

[JC_100]
file = "HOME/tests/c/quick_sort.c"
line = 75
begin = 26
end = 48

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/c/quick_sort.jessie/why/quick_sort.why ==========
type charP

type intP

type padding

type unsigned_charP

type voidP

predicate Swap(a:intP pointer, i_1:int, j_0:int,
 intP_intM_a_1_at_L2:(intP, int) memory,
 intP_intM_a_1_at_L1:(intP, int) memory) =
 ((select(intP_intM_a_1_at_L1, shift(a, i_1)) = select(intP_intM_a_1_at_L2,
                                                shift(a, j_0)))
 and ((select(intP_intM_a_1_at_L1, shift(a, j_0)) = select(intP_intM_a_1_at_L2,
                                                    shift(a, i_1)))
     and (forall k:int.
          (((k <> i_1) and (k <> j_0)) ->
           (select(intP_intM_a_1_at_L1, shift(a, k)) = select(intP_intM_a_1_at_L2,
                                                       shift(a, k)))))))

inductive Permut: intP pointer, int, int, (intP, int) memory,
                  (intP, int) memory -> prop =
 | Permut_refl: (forall intP_intM_a_0_2_at_L:(intP, int) memory.
                 (forall a_1:intP pointer.
                  (forall l_0_0:int.
                   (forall h_0:int.
                    Permut(a_1, l_0_0, h_0, intP_intM_a_0_2_at_L,
                    intP_intM_a_0_2_at_L)))))
 | Permut_sym: (forall intP_intM_a_0_2_at_L2:(intP, int) memory.
                (forall intP_intM_a_0_2_at_L1:(intP, int) memory.
                 (forall a_2:intP pointer.
                  (forall l_1:int.
                   (forall h_1:int.
                    (Permut(a_2, l_1, h_1, intP_intM_a_0_2_at_L2,
                     intP_intM_a_0_2_at_L1) ->
                     Permut(a_2, l_1, h_1, intP_intM_a_0_2_at_L1,
                     intP_intM_a_0_2_at_L2)))))))
 | Permut_trans: (forall intP_intM_a_0_2_at_L3:(intP, int) memory.
                  (forall intP_intM_a_0_2_at_L2:(intP, int) memory.
                   (forall intP_intM_a_0_2_at_L1:(intP, int) memory.
                    (forall a_3:intP pointer.
                     (forall l_2:int.
                      (forall h_2:int.
                       ((Permut(a_3, l_2, h_2, intP_intM_a_0_2_at_L2,
                         intP_intM_a_0_2_at_L1)
                        and Permut(a_3, l_2, h_2, intP_intM_a_0_2_at_L3,
                            intP_intM_a_0_2_at_L2)) ->
                        Permut(a_3, l_2, h_2, intP_intM_a_0_2_at_L3,
                        intP_intM_a_0_2_at_L1))))))))
 | Permut_swap: (forall intP_intM_a_0_2_at_L2:(intP, int) memory.
                 (forall intP_intM_a_0_2_at_L1:(intP, int) memory.
                  (forall a_4:intP pointer.
                   (forall l_3:int.
                    (forall h_3:int.
                     (forall i_2:int.
                      (forall j_1:int.
                       ((le_int(l_3, i_2)
                        and (le_int(i_2, h_3)
                            and (le_int(l_3, j_1)
                                and (le_int(j_1, h_3)
                                    and Swap(a_4, i_2, j_1,
                                        intP_intM_a_0_2_at_L2,
                                        intP_intM_a_0_2_at_L1))))) ->
                        Permut(a_4, l_3, h_3, intP_intM_a_0_2_at_L2,
                        intP_intM_a_0_2_at_L1)))))))))
 
predicate Sorted(a_5:intP pointer, l_4:int, h_4:int,
 intP_intM_a_5_3_at_L:(intP, int) memory) =
 (forall i_3:int.
  (forall j_2:int.
   ((le_int(l_4, i_3) and (le_int(i_3, j_2) and lt_int(j_2, h_4))) ->
    le_int(select(intP_intM_a_5_3_at_L, shift(a_5, i_3)),
    select(intP_intM_a_5_3_at_L, shift(a_5, j_2))))))

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic intP_tag:  -> intP tag_id

axiom intP_int : (int_of_tag(intP_tag) = (1))

logic intP_of_pointer_address: unit pointer -> intP pointer

axiom intP_of_pointer_address_of_pointer_addr :
 (forall p:intP pointer. (p = intP_of_pointer_address(pointer_address(p))))

axiom intP_parenttag_bottom : parenttag(intP_tag, bottom_tag)

axiom intP_tags :
 (forall x:intP pointer.
  (forall intP_tag_table:intP tag_table.
   instanceof(intP_tag_table, x, intP_tag)))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_intP(p:intP pointer, a:int,
 intP_alloc_table:intP alloc_table) = (offset_min(intP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

axiom pointer_addr_of_intP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(intP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_intP(p:intP pointer, b:int,
 intP_alloc_table:intP alloc_table) = (offset_max(intP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) = a)
 and (offset_max(intP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) = a)
 and (offset_max(intP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) <= a)
 and (offset_max(intP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) <= a)
 and (offset_max(intP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

exception Goto_while_0_break_exc of unit

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter intP_alloc_table : intP alloc_table ref

parameter intP_tag_table : intP tag_table ref

parameter alloc_struct_intP :
 n:int ->
  intP_alloc_table:intP alloc_table ref ->
   intP_tag_table:intP tag_table ref ->
    { } intP pointer writes intP_alloc_table,intP_tag_table
    { (strict_valid_struct_intP(result, (0), sub_int(n, (1)),
       intP_alloc_table)
      and (alloc_extends(intP_alloc_table@, intP_alloc_table)
          and (alloc_fresh(intP_alloc_table@, result, n)
              and instanceof(intP_tag_table, result, intP_tag)))) }

parameter alloc_struct_intP_requires :
 n:int ->
  intP_alloc_table:intP alloc_table ref ->
   intP_tag_table:intP tag_table ref ->
    { ge_int(n, (0))} intP pointer writes intP_alloc_table,intP_tag_table
    { (strict_valid_struct_intP(result, (0), sub_int(n, (1)),
       intP_alloc_table)
      and (alloc_extends(intP_alloc_table@, intP_alloc_table)
          and (alloc_fresh(intP_alloc_table@, result, n)
              and instanceof(intP_tag_table, result, intP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter quick_rec :
 t:intP pointer ->
  l_0:int ->
   r:int ->
    intP_intM_t_5:(intP, int) memory ref ->
     intP_t_5_alloc_table:intP alloc_table ->
      { } unit reads intP_intM_t_5 writes intP_intM_t_5
      { ((JC_42: Permut(t, l_0, r, intP_intM_t_5, intP_intM_t_5@))
        and ((JC_40: Sorted(t, l_0, add_int(r, (1)), intP_intM_t_5))
            and (JC_36:
                not_assigns(intP_t_5_alloc_table, intP_intM_t_5@,
                intP_intM_t_5, pset_range(pset_singleton(t), l_0, r))))) }

parameter quick_rec_requires :
 t:intP pointer ->
  l_0:int ->
   r:int ->
    intP_intM_t_5:(intP, int) memory ref ->
     intP_t_5_alloc_table:intP alloc_table ->
      { (JC_27:
        ((JC_25: le_int(offset_min(intP_t_5_alloc_table, t), l_0))
        and (JC_26: ge_int(offset_max(intP_t_5_alloc_table, t), r))))}
      unit reads intP_intM_t_5 writes intP_intM_t_5
      { ((JC_42: Permut(t, l_0, r, intP_intM_t_5, intP_intM_t_5@))
        and ((JC_40: Sorted(t, l_0, add_int(r, (1)), intP_intM_t_5))
            and (JC_36:
                not_assigns(intP_t_5_alloc_table, intP_intM_t_5@,
                intP_intM_t_5, pset_range(pset_singleton(t), l_0, r))))) }

parameter quick_sort :
 t_0:intP pointer ->
  n_1:int ->
   intP_intM_t_0_6:(intP, int) memory ref ->
    intP_t_0_6_alloc_table:intP alloc_table ->
     { } unit reads intP_intM_t_0_6 writes intP_intM_t_0_6
     { ((JC_139:
        Permut(t_0, (0), sub_int(n_1, (1)), intP_intM_t_0_6,
        intP_intM_t_0_6@))
       and (JC_137: Sorted(t_0, (0), n_1, intP_intM_t_0_6))) }

parameter quick_sort_requires :
 t_0:intP pointer ->
  n_1:int ->
   intP_intM_t_0_6:(intP, int) memory ref ->
    intP_t_0_6_alloc_table:intP alloc_table ->
     { (JC_126:
       ((JC_124: le_int(offset_min(intP_t_0_6_alloc_table, t_0), (0)))
       and (JC_125:
           ge_int(offset_max(intP_t_0_6_alloc_table, t_0), sub_int(n_1, (1))))))}
     unit reads intP_intM_t_0_6 writes intP_intM_t_0_6
     { ((JC_139:
        Permut(t_0, (0), sub_int(n_1, (1)), intP_intM_t_0_6,
        intP_intM_t_0_6@))
       and (JC_137: Sorted(t_0, (0), n_1, intP_intM_t_0_6))) }

parameter swap :
 t_1:intP pointer ->
  i:int ->
   j:int ->
    intP_intM_t_1_4:(intP, int) memory ref ->
     intP_t_1_4_alloc_table:intP alloc_table ->
      { } unit reads intP_intM_t_1_4 writes intP_intM_t_1_4
      { (JC_18:
        ((JC_16: Swap(t_1, i, j, intP_intM_t_1_4, intP_intM_t_1_4@))
        and (JC_17:
            not_assigns(intP_t_1_4_alloc_table, intP_intM_t_1_4@,
            intP_intM_t_1_4,
            pset_union(pset_range(pset_singleton(t_1), j, j),
            pset_range(pset_singleton(t_1), i, i)))))) }

parameter swap_requires :
 t_1:intP pointer ->
  i:int ->
   j:int ->
    intP_intM_t_1_4:(intP, int) memory ref ->
     intP_t_1_4_alloc_table:intP alloc_table ->
      { (JC_5:
        ((JC_1: le_int(offset_min(intP_t_1_4_alloc_table, t_1), i))
        and ((JC_2: ge_int(offset_max(intP_t_1_4_alloc_table, t_1), i))
            and ((JC_3: le_int(offset_min(intP_t_1_4_alloc_table, t_1), j))
                and (JC_4:
                    ge_int(offset_max(intP_t_1_4_alloc_table, t_1), j))))))}
      unit reads intP_intM_t_1_4 writes intP_intM_t_1_4
      { (JC_18:
        ((JC_16: Swap(t_1, i, j, intP_intM_t_1_4, intP_intM_t_1_4@))
        and (JC_17:
            not_assigns(intP_t_1_4_alloc_table, intP_intM_t_1_4@,
            intP_intM_t_1_4,
            pset_union(pset_range(pset_singleton(t_1), j, j),
            pset_range(pset_singleton(t_1), i, i)))))) }

let quick_rec_ensures_default =
 fun (t : intP pointer) (l_0 : int) (r : int) (intP_intM_t_5 : (intP, int) memory ref) (intP_t_5_alloc_table : intP alloc_table) ->
  { (JC_31:
    ((JC_29: le_int(offset_min(intP_t_5_alloc_table, t), l_0))
    and (JC_30: ge_int(offset_max(intP_t_5_alloc_table, t), r)))) }
  (init:
  try
   begin
     (let v = ref (any_int void) in
     (let m = ref (any_int void) in
     (let i_0 = ref (any_int void) in
     try
      begin
        try
         begin
           (if ((ge_int_ l_0) r) then (raise (Return_label_exc void))
           else void);
          (let _jessie_ =
          (v := ((safe_acc_ !intP_intM_t_5) ((shift t) l_0))) in void);
          (let _jessie_ = (m := l_0) in void);
          (let _jessie_ = (i_0 := ((add_int l_0) (1))) in void);
          (loop_2:
          begin
            while true do
            { invariant
                (((JC_74:
                  ((JC_70: (select(intP_intM_t_5, shift(t, l_0)) = v))
                  and ((JC_71: le_int(l_0, m))
                      and ((JC_72: lt_int(m, i_0))
                          and (JC_73: le_int(i_0, add_int(r, (1))))))))
                 and ((JC_75:
                      Permut(t, l_0, r, intP_intM_t_5, intP_intM_t_5@init))
                     and ((JC_76:
                          (forall j_4:int.
                           ((lt_int(m, j_4) and lt_int(j_4, i_0)) ->
                            ge_int(select(intP_intM_t_5, shift(t, j_4)), v))))
                         and (JC_77:
                             (forall j_3:int.
                              ((lt_int(l_0, j_3) and le_int(j_3, m)) ->
                               lt_int(select(intP_intM_t_5, shift(t, j_3)),
                               v)))))))
                and (JC_79:
                    not_assigns(intP_t_5_alloc_table, intP_intM_t_5@init,
                    intP_intM_t_5, pset_range(pset_singleton(t), l_0, r))))
               }
             begin
               [ { } unit { true } ];
              try
               begin
                 (let _jessie_ =
                 begin
                   (if ((le_int_ !i_0) r) then void
                   else (raise (Goto_while_0_break_exc void)));
                  (if ((lt_int_ ((safe_acc_ !intP_intM_t_5) ((shift t) !i_0))) !v)
                  then
                   (L1:
                   begin
                     (let _jessie_ = (m := ((add_int !m) (1))) in void);
                    void; void;
                    (let _jessie_ = t in
                    (let _jessie_ = !i_0 in
                    (let _jessie_ = !m in
                    (JC_81:
                    (((((swap _jessie_) _jessie_) _jessie_) intP_intM_t_5) intP_t_5_alloc_table)))));
                    (assert
                    { (JC_82:
                      Permut(t, l_0, r, intP_intM_t_5, intP_intM_t_5@L1)) };
                    void); void end) else void);
                  (i_0 := ((add_int !i_0) (1))); !i_0 end in void);
                (raise (Loop_continue_exc void)) end with
               Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ ->
         (while_0_break:
         begin
           void;
          (assert { (JC_83: (le_int(l_0, m) and le_int(m, r))) }; void);
          begin
            void;
           (L:
           begin
             (let _jessie_ = t in
             (let _jessie_ = l_0 in
             (let _jessie_ = !m in
             (JC_84:
             (((((swap _jessie_) _jessie_) _jessie_) intP_intM_t_5) intP_t_5_alloc_table)))));
            (assert
            { (JC_85: Permut(t, l_0, r, intP_intM_t_5, intP_intM_t_5@L)) };
            void); void;
            (let _jessie_ = t in
            (let _jessie_ = l_0 in
            (let _jessie_ = ((sub_int !m) (1)) in
            (JC_86:
            (((((quick_rec _jessie_) _jessie_) _jessie_) intP_intM_t_5) intP_t_5_alloc_table)))));
            (let _jessie_ = t in
            (let _jessie_ = ((add_int !m) (1)) in
            (let _jessie_ = r in
            (JC_87:
            (((((quick_rec _jessie_) _jessie_) _jessie_) intP_intM_t_5) intP_t_5_alloc_table)))))
           end) end end) end; (raise (Return_label_exc void)) end with
      Return_label_exc _jessie_ -> (return_label: (raise Return)) end)));
    (raise Return) end with Return -> void end)
  { (JC_34:
    not_assigns(intP_t_5_alloc_table, intP_intM_t_5@, intP_intM_t_5,
    pset_range(pset_singleton(t), l_0, r))) } 

let quick_rec_ensures_permutation =
 fun (t : intP pointer) (l_0 : int) (r : int) (intP_intM_t_5 : (intP, int) memory ref) (intP_t_5_alloc_table : intP alloc_table) ->
  { (JC_31:
    ((JC_29: le_int(offset_min(intP_t_5_alloc_table, t), l_0))
    and (JC_30: ge_int(offset_max(intP_t_5_alloc_table, t), r)))) }
  (init:
  try
   begin
     (let v = ref (any_int void) in
     (let m = ref (any_int void) in
     (let i_0 = ref (any_int void) in
     try
      begin
        try
         begin
           (if ((ge_int_ l_0) r) then (raise (Return_label_exc void))
           else void);
          (let _jessie_ =
          (v := ((safe_acc_ !intP_intM_t_5) ((shift t) l_0))) in void);
          (let _jessie_ = (m := l_0) in void);
          (let _jessie_ = (i_0 := ((add_int l_0) (1))) in void);
          (loop_4:
          begin
            while true do
            { invariant (JC_115: true)  }
             begin
               [ { } unit reads i_0,intP_intM_t_5,m,v
                 { ((JC_110:
                    ((JC_106: (select(intP_intM_t_5, shift(t, l_0)) = v))
                    and ((JC_107: le_int(l_0, m))
                        and ((JC_108: lt_int(m, i_0))
                            and (JC_109: le_int(i_0, add_int(r, (1))))))))
                   and ((JC_111:
                        Permut(t, l_0, r, intP_intM_t_5, intP_intM_t_5@init))
                       and ((JC_112:
                            (forall j_4:int.
                             ((lt_int(m, j_4) and lt_int(j_4, i_0)) ->
                              ge_int(select(intP_intM_t_5, shift(t, j_4)), v))))
                           and (JC_113:
                               (forall j_3:int.
                                ((lt_int(l_0, j_3) and le_int(j_3, m)) ->
                                 lt_int(select(intP_intM_t_5, shift(t, j_3)),
                                 v))))))) } ];
              try
               begin
                 (let _jessie_ =
                 begin
                   (if ((le_int_ !i_0) r) then void
                   else (raise (Goto_while_0_break_exc void)));
                  (if ((lt_int_ ((safe_acc_ !intP_intM_t_5) ((shift t) !i_0))) !v)
                  then
                   (L1:
                   begin
                     (let _jessie_ = (m := ((add_int !m) (1))) in void);
                    void; void;
                    (let _jessie_ = t in
                    (let _jessie_ = !i_0 in
                    (let _jessie_ = !m in
                    (JC_117:
                    (((((swap _jessie_) _jessie_) _jessie_) intP_intM_t_5) intP_t_5_alloc_table)))));
                    [ { } unit reads intP_intM_t_5
                      { (JC_118:
                        Permut(t, l_0, r, intP_intM_t_5, intP_intM_t_5@L1)) } ];
                    void end) else void); (i_0 := ((add_int !i_0) (1))); !i_0
                 end in void); (raise (Loop_continue_exc void)) end with
               Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ ->
         (while_0_break:
         begin
           void;
          [ { } unit reads m { (JC_119: (le_int(l_0, m) and le_int(m, r))) } ];
          begin
            void;
           (L:
           begin
             (let _jessie_ = t in
             (let _jessie_ = l_0 in
             (let _jessie_ = !m in
             (JC_120:
             (((((swap _jessie_) _jessie_) _jessie_) intP_intM_t_5) intP_t_5_alloc_table)))));
            [ { } unit reads intP_intM_t_5
              { (JC_121: Permut(t, l_0, r, intP_intM_t_5, intP_intM_t_5@L)) } ];
            void;
            (let _jessie_ = t in
            (let _jessie_ = l_0 in
            (let _jessie_ = ((sub_int !m) (1)) in
            (JC_122:
            (((((quick_rec _jessie_) _jessie_) _jessie_) intP_intM_t_5) intP_t_5_alloc_table)))));
            (let _jessie_ = t in
            (let _jessie_ = ((add_int !m) (1)) in
            (let _jessie_ = r in
            (JC_123:
            (((((quick_rec _jessie_) _jessie_) _jessie_) intP_intM_t_5) intP_t_5_alloc_table)))))
           end) end end) end; (raise (Return_label_exc void)) end with
      Return_label_exc _jessie_ -> (return_label: (raise Return)) end)));
    (raise Return) end with Return -> void end)
  { (JC_41: Permut(t, l_0, r, intP_intM_t_5, intP_intM_t_5@)) } 

let quick_rec_ensures_sorted =
 fun (t : intP pointer) (l_0 : int) (r : int) (intP_intM_t_5 : (intP, int) memory ref) (intP_t_5_alloc_table : intP alloc_table) ->
  { (JC_31:
    ((JC_29: le_int(offset_min(intP_t_5_alloc_table, t), l_0))
    and (JC_30: ge_int(offset_max(intP_t_5_alloc_table, t), r)))) }
  (init:
  try
   begin
     (let v = ref (any_int void) in
     (let m = ref (any_int void) in
     (let i_0 = ref (any_int void) in
     try
      begin
        try
         begin
           (if ((ge_int_ l_0) r) then (raise (Return_label_exc void))
           else void);
          (let _jessie_ =
          (v := ((safe_acc_ !intP_intM_t_5) ((shift t) l_0))) in void);
          (let _jessie_ = (m := l_0) in void);
          (let _jessie_ = (i_0 := ((add_int l_0) (1))) in void);
          (loop_3:
          begin
            while true do
            { invariant (JC_97: true)  }
             begin
               [ { } unit reads i_0,intP_intM_t_5,m,v
                 { ((JC_92:
                    ((JC_88: (select(intP_intM_t_5, shift(t, l_0)) = v))
                    and ((JC_89: le_int(l_0, m))
                        and ((JC_90: lt_int(m, i_0))
                            and (JC_91: le_int(i_0, add_int(r, (1))))))))
                   and ((JC_93:
                        Permut(t, l_0, r, intP_intM_t_5, intP_intM_t_5@init))
                       and ((JC_94:
                            (forall j_4:int.
                             ((lt_int(m, j_4) and lt_int(j_4, i_0)) ->
                              ge_int(select(intP_intM_t_5, shift(t, j_4)), v))))
                           and (JC_95:
                               (forall j_3:int.
                                ((lt_int(l_0, j_3) and le_int(j_3, m)) ->
                                 lt_int(select(intP_intM_t_5, shift(t, j_3)),
                                 v))))))) } ];
              try
               begin
                 (let _jessie_ =
                 begin
                   (if ((le_int_ !i_0) r) then void
                   else (raise (Goto_while_0_break_exc void)));
                  (if ((lt_int_ ((safe_acc_ !intP_intM_t_5) ((shift t) !i_0))) !v)
                  then
                   (L1:
                   begin
                     (let _jessie_ = (m := ((add_int !m) (1))) in void);
                    void; void;
                    (let _jessie_ = t in
                    (let _jessie_ = !i_0 in
                    (let _jessie_ = !m in
                    (JC_99:
                    (((((swap _jessie_) _jessie_) _jessie_) intP_intM_t_5) intP_t_5_alloc_table)))));
                    [ { } unit reads intP_intM_t_5
                      { (JC_100:
                        Permut(t, l_0, r, intP_intM_t_5, intP_intM_t_5@L1)) } ];
                    void end) else void); (i_0 := ((add_int !i_0) (1))); !i_0
                 end in void); (raise (Loop_continue_exc void)) end with
               Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ ->
         (while_0_break:
         begin
           void;
          [ { } unit reads m { (JC_101: (le_int(l_0, m) and le_int(m, r))) } ];
          begin
            void;
           (L:
           begin
             (let _jessie_ = t in
             (let _jessie_ = l_0 in
             (let _jessie_ = !m in
             (JC_102:
             (((((swap _jessie_) _jessie_) _jessie_) intP_intM_t_5) intP_t_5_alloc_table)))));
            [ { } unit reads intP_intM_t_5
              { (JC_103: Permut(t, l_0, r, intP_intM_t_5, intP_intM_t_5@L)) } ];
            void;
            (let _jessie_ = t in
            (let _jessie_ = l_0 in
            (let _jessie_ = ((sub_int !m) (1)) in
            (JC_104:
            (((((quick_rec _jessie_) _jessie_) _jessie_) intP_intM_t_5) intP_t_5_alloc_table)))));
            (let _jessie_ = t in
            (let _jessie_ = ((add_int !m) (1)) in
            (let _jessie_ = r in
            (JC_105:
            (((((quick_rec _jessie_) _jessie_) _jessie_) intP_intM_t_5) intP_t_5_alloc_table)))))
           end) end end) end; (raise (Return_label_exc void)) end with
      Return_label_exc _jessie_ -> (return_label: (raise Return)) end)));
    (raise Return) end with Return -> void end)
  { (JC_39: Sorted(t, l_0, add_int(r, (1)), intP_intM_t_5)) } 

let quick_rec_safety =
 fun (t : intP pointer) (l_0 : int) (r : int) (intP_intM_t_5 : (intP, int) memory ref) (intP_t_5_alloc_table : intP alloc_table) ->
  { (JC_31:
    ((JC_29: le_int(offset_min(intP_t_5_alloc_table, t), l_0))
    and (JC_30: ge_int(offset_max(intP_t_5_alloc_table, t), r)))) }
  (init:
  try
   begin
     (let v = ref (any_int void) in
     (let m = ref (any_int void) in
     (let i_0 = ref (any_int void) in
     try
      begin
        try
         begin
           (if ((ge_int_ l_0) r) then (raise (Return_label_exc void))
           else void);
          (let _jessie_ =
          (v := (JC_43:
                ((((offset_acc_ intP_t_5_alloc_table) !intP_intM_t_5) t) l_0))) in
          void); (let _jessie_ = (m := l_0) in void);
          (let _jessie_ = (i_0 := ((add_int l_0) (1))) in void);
          (loop_1:
          begin
            while true do
            { invariant (JC_53: true) variant (JC_58 : sub_int(r, i_0)) }
             begin
               [ { } unit reads i_0,intP_intM_t_5,m,v
                 { ((JC_48:
                    ((JC_44: (select(intP_intM_t_5, shift(t, l_0)) = v))
                    and ((JC_45: le_int(l_0, m))
                        and ((JC_46: lt_int(m, i_0))
                            and (JC_47: le_int(i_0, add_int(r, (1))))))))
                   and ((JC_49:
                        Permut(t, l_0, r, intP_intM_t_5, intP_intM_t_5@init))
                       and ((JC_50:
                            (forall j_4:int.
                             ((lt_int(m, j_4) and lt_int(j_4, i_0)) ->
                              ge_int(select(intP_intM_t_5, shift(t, j_4)), v))))
                           and (JC_51:
                               (forall j_3:int.
                                ((lt_int(l_0, j_3) and le_int(j_3, m)) ->
                                 lt_int(select(intP_intM_t_5, shift(t, j_3)),
                                 v))))))) } ];
              try
               begin
                 (let _jessie_ =
                 begin
                   (if ((le_int_ !i_0) r) then void
                   else (raise (Goto_while_0_break_exc void)));
                  (if ((lt_int_ (JC_55:
                                ((((offset_acc_ intP_t_5_alloc_table) !intP_intM_t_5) t) !i_0))) !v)
                  then
                   (L1:
                   begin
                     (let _jessie_ = (m := ((add_int !m) (1))) in void);
                    void; void;
                    (let _jessie_ = t in
                    (let _jessie_ = !i_0 in
                    (let _jessie_ = !m in
                    (JC_56:
                    (((((swap_requires _jessie_) _jessie_) _jessie_) intP_intM_t_5) intP_t_5_alloc_table)))));
                    [ { } unit reads intP_intM_t_5
                      { (JC_57:
                        Permut(t, l_0, r, intP_intM_t_5, intP_intM_t_5@L1)) } ];
                    void end) else void); (i_0 := ((add_int !i_0) (1))); !i_0
                 end in void); (raise (Loop_continue_exc void)) end with
               Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ ->
         (while_0_break:
         begin
           void;
          [ { } unit reads m { (JC_59: (le_int(l_0, m) and le_int(m, r))) } ];
          begin
            void;
           (L:
           begin
             (let _jessie_ = t in
             (let _jessie_ = l_0 in
             (let _jessie_ = !m in
             (JC_60:
             (((((swap_requires _jessie_) _jessie_) _jessie_) intP_intM_t_5) intP_t_5_alloc_table)))));
            [ { } unit reads intP_intM_t_5
              { (JC_61: Permut(t, l_0, r, intP_intM_t_5, intP_intM_t_5@L)) } ];
            void;
            (let _jessie_ = t in
            (let _jessie_ = l_0 in
            (let _jessie_ = ((sub_int !m) (1)) in
            (JC_65:
            (check
            { zwf_zero((JC_64 : sub_int(_jessie_, _jessie_)),
              (JC_63 : sub_int(r, l_0))) };
            (JC_62:
            (((((quick_rec_requires _jessie_) _jessie_) _jessie_) intP_intM_t_5) intP_t_5_alloc_table)))))));
            (let _jessie_ = t in
            (let _jessie_ = ((add_int !m) (1)) in
            (let _jessie_ = r in
            (JC_69:
            (check
            { zwf_zero((JC_68 : sub_int(_jessie_, _jessie_)),
              (JC_67 : sub_int(r, l_0))) };
            (JC_66:
            (((((quick_rec_requires _jessie_) _jessie_) _jessie_) intP_intM_t_5) intP_t_5_alloc_table)))))))
           end) end end) end; (raise (Return_label_exc void)) end with
      Return_label_exc _jessie_ -> (return_label: (raise Return)) end)));
    (raise Return) end with Return -> void end) { true } 

let quick_sort_ensures_default =
 fun (t_0 : intP pointer) (n_1 : int) (intP_intM_t_0_6 : (intP, int) memory ref) (intP_t_0_6_alloc_table : intP alloc_table) ->
  { (JC_130:
    ((JC_128: le_int(offset_min(intP_t_0_6_alloc_table, t_0), (0)))
    and (JC_129:
        ge_int(offset_max(intP_t_0_6_alloc_table, t_0), sub_int(n_1, (1)))))) }
  (init:
  try
   begin
     (let _jessie_ = t_0 in
     (let _jessie_ = (0) in
     (let _jessie_ = ((sub_int n_1) (1)) in
     (JC_141:
     (((((quick_rec _jessie_) _jessie_) _jessie_) intP_intM_t_0_6) intP_t_0_6_alloc_table)))));
    (raise Return); (raise Return) end with Return -> void end)
  { (JC_132: true) } 

let quick_sort_ensures_permutation =
 fun (t_0 : intP pointer) (n_1 : int) (intP_intM_t_0_6 : (intP, int) memory ref) (intP_t_0_6_alloc_table : intP alloc_table) ->
  { (JC_130:
    ((JC_128: le_int(offset_min(intP_t_0_6_alloc_table, t_0), (0)))
    and (JC_129:
        ge_int(offset_max(intP_t_0_6_alloc_table, t_0), sub_int(n_1, (1)))))) }
  (init:
  try
   begin
     (let _jessie_ = t_0 in
     (let _jessie_ = (0) in
     (let _jessie_ = ((sub_int n_1) (1)) in
     (JC_143:
     (((((quick_rec _jessie_) _jessie_) _jessie_) intP_intM_t_0_6) intP_t_0_6_alloc_table)))));
    (raise Return); (raise Return) end with Return -> void end)
  { (JC_138:
    Permut(t_0, (0), sub_int(n_1, (1)), intP_intM_t_0_6, intP_intM_t_0_6@)) } 

let quick_sort_ensures_sorted =
 fun (t_0 : intP pointer) (n_1 : int) (intP_intM_t_0_6 : (intP, int) memory ref) (intP_t_0_6_alloc_table : intP alloc_table) ->
  { (JC_130:
    ((JC_128: le_int(offset_min(intP_t_0_6_alloc_table, t_0), (0)))
    and (JC_129:
        ge_int(offset_max(intP_t_0_6_alloc_table, t_0), sub_int(n_1, (1)))))) }
  (init:
  try
   begin
     (let _jessie_ = t_0 in
     (let _jessie_ = (0) in
     (let _jessie_ = ((sub_int n_1) (1)) in
     (JC_142:
     (((((quick_rec _jessie_) _jessie_) _jessie_) intP_intM_t_0_6) intP_t_0_6_alloc_table)))));
    (raise Return); (raise Return) end with Return -> void end)
  { (JC_136: Sorted(t_0, (0), n_1, intP_intM_t_0_6)) } 

let quick_sort_safety =
 fun (t_0 : intP pointer) (n_1 : int) (intP_intM_t_0_6 : (intP, int) memory ref) (intP_t_0_6_alloc_table : intP alloc_table) ->
  { (JC_130:
    ((JC_128: le_int(offset_min(intP_t_0_6_alloc_table, t_0), (0)))
    and (JC_129:
        ge_int(offset_max(intP_t_0_6_alloc_table, t_0), sub_int(n_1, (1)))))) }
  (init:
  try
   begin
     (let _jessie_ = t_0 in
     (let _jessie_ = (0) in
     (let _jessie_ = ((sub_int n_1) (1)) in
     (JC_140:
     (((((quick_rec_requires _jessie_) _jessie_) _jessie_) intP_intM_t_0_6) intP_t_0_6_alloc_table)))));
    (raise Return); (raise Return) end with Return -> void end) { true } 

let swap_ensures_default =
 fun (t_1 : intP pointer) (i : int) (j : int) (intP_intM_t_1_4 : (intP, int) memory ref) (intP_t_1_4_alloc_table : intP alloc_table) ->
  { (JC_11:
    ((JC_7: le_int(offset_min(intP_t_1_4_alloc_table, t_1), i))
    and ((JC_8: ge_int(offset_max(intP_t_1_4_alloc_table, t_1), i))
        and ((JC_9: le_int(offset_min(intP_t_1_4_alloc_table, t_1), j))
            and (JC_10: ge_int(offset_max(intP_t_1_4_alloc_table, t_1), j)))))) }
  (init:
  try
   begin
     (let tmp = ref (any_int void) in
     begin
       (let _jessie_ =
       (tmp := ((safe_acc_ !intP_intM_t_1_4) ((shift t_1) i))) in void);
      (let _jessie_ =
      (let _jessie_ = ((safe_acc_ !intP_intM_t_1_4) ((shift t_1) j)) in
      (let _jessie_ = t_1 in
      (let _jessie_ = i in
      (let _jessie_ = ((shift _jessie_) _jessie_) in
      (((safe_upd_ intP_intM_t_1_4) _jessie_) _jessie_))))) in void);
      (let _jessie_ =
      (let _jessie_ = !tmp in
      (let _jessie_ = t_1 in
      (let _jessie_ = j in
      (let _jessie_ = ((shift _jessie_) _jessie_) in
      (((safe_upd_ intP_intM_t_1_4) _jessie_) _jessie_))))) in void);
      (raise Return) end); (raise Return) end with Return -> void end)
  { (JC_15:
    ((JC_13: Swap(t_1, i, j, intP_intM_t_1_4, intP_intM_t_1_4@))
    and (JC_14:
        not_assigns(intP_t_1_4_alloc_table, intP_intM_t_1_4@,
        intP_intM_t_1_4,
        pset_union(pset_range(pset_singleton(t_1), j, j),
        pset_range(pset_singleton(t_1), i, i)))))) } 

let swap_safety =
 fun (t_1 : intP pointer) (i : int) (j : int) (intP_intM_t_1_4 : (intP, int) memory ref) (intP_t_1_4_alloc_table : intP alloc_table) ->
  { (JC_11:
    ((JC_7: le_int(offset_min(intP_t_1_4_alloc_table, t_1), i))
    and ((JC_8: ge_int(offset_max(intP_t_1_4_alloc_table, t_1), i))
        and ((JC_9: le_int(offset_min(intP_t_1_4_alloc_table, t_1), j))
            and (JC_10: ge_int(offset_max(intP_t_1_4_alloc_table, t_1), j)))))) }
  (init:
  try
   begin
     (let tmp = ref (any_int void) in
     begin
       (let _jessie_ =
       (tmp := (JC_21:
               ((((offset_acc_ intP_t_1_4_alloc_table) !intP_intM_t_1_4) t_1) i))) in
       void);
      (let _jessie_ =
      (let _jessie_ =
      (JC_22:
      ((((offset_acc_ intP_t_1_4_alloc_table) !intP_intM_t_1_4) t_1) j)) in
      (let _jessie_ = t_1 in
      (let _jessie_ = i in
      (let _jessie_ = ((shift _jessie_) _jessie_) in
      (JC_23:
      (((((offset_upd_ intP_t_1_4_alloc_table) intP_intM_t_1_4) _jessie_) _jessie_) _jessie_)))))) in
      void);
      (let _jessie_ =
      (let _jessie_ = !tmp in
      (let _jessie_ = t_1 in
      (let _jessie_ = j in
      (let _jessie_ = ((shift _jessie_) _jessie_) in
      (JC_24:
      (((((offset_upd_ intP_t_1_4_alloc_table) intP_intM_t_1_4) _jessie_) _jessie_) _jessie_)))))) in
      void); (raise Return) end); (raise Return) end with Return -> void end)
  { true } 


why-2.39/tests/c/oracle/scalar_product.res.oracle0000644000106100004300000020104313147234006021046 0ustar  marchevals========== file tests/c/scalar_product.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

// for N = 10
#define NMAX 10
#define NMAXR 10.0
#define B 0x1.1p-50

// for N = 100
// #define NMAX 100
// #define NMAXR 100.0
// #define B 0x1.02p-47


// for N = 1000
// #define NMAX 1000
// #define NMAXR 1000.0
// #define B 0x1.004p-44


/*@ axiomatic ScalarProduct {
  @   // exact_scalar_product(x,y,n) = x[0]*y[0] + ... + x[n-1] * y[n-1]
  @   logic real exact_scalar_product{L}(double *x, double *y, integer n)
  @       reads x[..], y[..];
  @   axiom A1{L}: \forall double *x,*y;
  @      exact_scalar_product(x,y,0) == 0.0;
  @   axiom A2{L}: \forall double *x,*y; \forall integer n ;
  @      n >= 0 ==>
  @        exact_scalar_product(x,y,n+1) == 
  @          exact_scalar_product(x,y,n) + x[n]*y[n];
  @ }
  @*/


/*@ lemma bound_int_to_real:
  @   \forall integer i; i <= NMAX ==> i <= NMAXR;
  @*/


/*@ requires 0 <= n <= NMAX;
  @ requires \valid(x+(0..n-1)) && \valid(y+(0.. n-1)) ;
  @ requires \forall integer i; 0 <= i < n ==>
  @          \abs(x[i]) <= 1.0 && \abs(y[i]) <= 1.0 ;
  @ ensures
  @    \abs(\result - exact_scalar_product(x,y,n)) <= n * B;
  @*/
double scalar_product(double x[], double y[], int n) {
  double p = 0.0;
  /*@ loop invariant 0 <= i <= n ;
    @ loop invariant \abs(exact_scalar_product(x,y,i)) <= i;
    @ loop invariant \abs(p - exact_scalar_product(x,y,i)) <= i * B;
    @ loop variant n-i;
    @*/
  for (int i=0; i < n; i++) {
    // bounds, needed by Gappa
    //@ assert \abs(x[i]) <= 1.0;
    //@ assert \abs(y[i]) <= 1.0;
    //@ assert \abs(p) <= NMAXR*(1+B) ;

  L:
    p = p + x[i]*y[i];

    // bound on the rounding errors in the statement above, proved by gappa
    /*@ assert \abs(p - (\at(p,L) + x[i]*y[i])) <= B;
     */

    // the proper instance of triangular inequality to show the main invariant
    /*@ assert
          \abs(p - exact_scalar_product(x,y,i+1)) <=
          \abs(p - (\at(p,L) + x[i]*y[i])) +
          \abs((\at(p,L) + x[i]*y[i]) -
               (exact_scalar_product(x,y,i) + x[i]*y[i])) ;
    */

    // a lemma to show the invariant \abs(exact_scalar_product(x,y,i)) <= i
    /*@ assert
      \abs(exact_scalar_product(x,y,i+1)) <=
         \abs(exact_scalar_product(x,y,i)) + \abs(x[i]) * \abs(y[i]);
    */

    // a necessary lemma, proved only by gappa
    //@ assert \abs(x[i]) * \abs(y[i]) <= 1.0;
  }
  return p;
}



/*
Local Variables:
compile-command: "make scalar_product.why3ide"
End:
*/


========== frama-c -jessie execution ==========
[kernel] Parsing FRAMAC_SHARE/libc/__fc_builtin_for_normalization.i (no preprocessing)
[kernel] Parsing tests/c/scalar_product.c (with preprocessing)
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/scalar_product.jessie
[jessie] File tests/c/scalar_product.jessie/scalar_product.jc written.
[jessie] File tests/c/scalar_product.jessie/scalar_product.cloc written.
========== file tests/c/scalar_product.jessie/scalar_product.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type int8 = -128..127

type int32 = -2147483648..2147483647

tag doubleP = {
  double doubleM: 64;
}

type doubleP = [doubleP]

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

axiomatic ScalarProduct {

  logic real exact_scalar_product{L}(doubleP[..] x, doubleP[..] y, integer n)
  reads (x + [..]).doubleM, (y + [..]).doubleM;
   
  axiom A1{L} :
  (\forall doubleP[..] x_0;
    (\forall doubleP[..] y_0;
      (exact_scalar_product{L}(x_0, y_0, 0) == 0.0)))
   
  axiom A2{L} :
  (\forall doubleP[..] x_1;
    (\forall doubleP[..] y_1;
      (\forall integer n_0;
        ((n_0 >= 0) ==>
          (exact_scalar_product{L}(x_1, y_1, (n_0 + 1)) ==
            (exact_scalar_product{L}(x_1, y_1, n_0) +
              (((x_1 + n_0).doubleM :> real) * ((y_1 + n_0).doubleM :> real))))))))
  
}

lemma bound_int_to_real :
(\forall integer i_1;
  ((i_1 <= 10) ==> (i_1 <= 10.0)))

double scalar_product(doubleP[..] x, doubleP[..] y, int32 n_1)
  requires (_C_35 : ((_C_36 : (0 <= n_1)) && (_C_37 : (n_1 <= 10))));
  requires (_C_28 : (((_C_30 : (\offset_min(x) <= 0)) &&
                       (_C_31 : (\offset_max(x) >= (n_1 - 1)))) &&
                      ((_C_33 : (\offset_min(y) <= 0)) &&
                        (_C_34 : (\offset_max(y) >= (n_1 - 1))))));
  requires (_C_27 : (\forall integer i_2;
                      (((0 <= i_2) && (i_2 < n_1)) ==>
                        ((\real_abs(((x + i_2).doubleM :> real)) <= 1.0) &&
                          (\real_abs(((y + i_2).doubleM :> real)) <= 1.0)))));
behavior default:
  ensures (_C_26 : (\real_abs(((\result :> real) -
                                exact_scalar_product{Here}(\at(x,Old),
                                                           \at(y,Old),
                                                           \at(n_1,Old)))) <=
                     (\at(n_1,Old) * 0x1.1p-50)));
{  
   (var double p);
   
   (var int32 i);
   
   {  (_C_1 : (p = (0.0 :> double)));
      
      {  (_C_2 : (i = 0));
         
         loop 
         behavior default:
           invariant (_C_6 : ((_C_7 : (0 <= i)) && (_C_8 : (i <= n_1))));
         behavior default:
           invariant (_C_5 : (\real_abs(exact_scalar_product{Here}(x, y, i)) <=
                               i));
         behavior default:
           invariant (_C_4 : (\real_abs(((p :> real) -
                                          exact_scalar_product{Here}(
                                          x, y, i))) <=
                               (i * 0x1.1p-50)));
         variant (_C_3 : (n_1 - i));
         while (true)
         {  
            {  (if (i < n_1) then () else 
               (goto while_0_break));
               
               {  
                  {  
                     (assert for default: (_C_9 : (jessie : (\real_abs(
                                                              ((x + i).doubleM :> real)) <=
                                                              1.0))));
                     ()
                  };
                  
                  {  
                     (assert for default: (_C_10 : (jessie : (\real_abs(
                                                               ((y + i).doubleM :> real)) <=
                                                               1.0))));
                     ()
                  };
                  
                  {  
                     (assert for default: (_C_11 : (jessie : (\real_abs(
                                                               (p :> real)) <=
                                                               (10.0 *
                                                                 (1 +
                                                                   0x1.1p-50))))));
                     ()
                  };
                  (L : (_C_18 : (p = (_C_17 : (p +
                                                (_C_16 : ((_C_15 : (_C_14 : 
                                                                   (x +
                                                                    i)).doubleM) *
                                                           (_C_13 : (_C_12 : 
                                                                    (y +
                                                                    i)).doubleM))))))));
                  
                  {  
                     (assert for default: (_C_19 : (jessie : (\real_abs(
                                                               ((p :> real) -
                                                                 ((\at(p,L) :> real) +
                                                                   (((x + i).doubleM :> real) *
                                                                    ((y + i).doubleM :> real))))) <=
                                                               0x1.1p-50))));
                     ()
                  };
                  
                  {  
                     (assert for default: (_C_20 : (jessie : (\real_abs(
                                                               ((p :> real) -
                                                                 exact_scalar_product{Here}(
                                                                 x, y,
                                                                 (i + 1)))) <=
                                                               (\real_abs(
                                                                 ((p :> real) -
                                                                   ((\at(p,L) :> real) +
                                                                    (((x + i).doubleM :> real) *
                                                                    ((y + i).doubleM :> real))))) +
                                                                 \real_abs(
                                                                 (((\at(p,L) :> real) +
                                                                    (((x + i).doubleM :> real) *
                                                                    ((y + i).doubleM :> real))) -
                                                                   (exact_scalar_product{Here}(
                                                                    x, y, i) +
                                                                    (((x + i).doubleM :> real) *
                                                                    ((y + i).doubleM :> real))))))))));
                     ()
                  };
                  
                  {  
                     (assert for default: (_C_21 : (jessie : (\real_abs(
                                                               exact_scalar_product{Here}(
                                                               x, y, 
                                                               (i + 1))) <=
                                                               (\real_abs(
                                                                 exact_scalar_product{Here}(
                                                                 x, y, i)) +
                                                                 (\real_abs(
                                                                   ((x + i).doubleM :> real)) *
                                                                   \real_abs(
                                                                   ((y + i).doubleM :> real))))))));
                     ()
                  };
                  
                  {  
                     (assert for default: (_C_22 : (jessie : ((\real_abs(
                                                                ((x + i).doubleM :> real)) *
                                                                \real_abs(
                                                                ((y + i).doubleM :> real))) <=
                                                               1.0))));
                     ()
                  }
               };
               (_C_25 : (i = (_C_24 : ((_C_23 : (i + 1)) :> int32))))
            }
         };
         (while_0_break : ())
      };
      
      (return p)
   }
}
========== file tests/c/scalar_product.jessie/scalar_product.cloc ==========
[_C_35]
file = "HOME/tests/c/scalar_product.c"
line = 68
begin = 16
end = 28

[_C_28]
file = "HOME/tests/c/scalar_product.c"
line = 69
begin = 13
end = 54

[_C_31]
file = "HOME/tests/c/scalar_product.c"
line = 69
begin = 13
end = 31

[_C_4]
file = "HOME/tests/c/scalar_product.c"
line = 79
begin = 21
end = 75

[_C_32]
file = "HOME/tests/c/scalar_product.c"
line = 69
begin = 35
end = 54

[_C_23]
file = "HOME/tests/c/scalar_product.c"
line = 82
begin = 23
end = 26

[_C_19]
file = "HOME/tests/c/scalar_product.c"
line = 92
begin = 22
end = 67

[_C_13]
file = "HOME/tests/c/scalar_product.c"
line = 89
begin = 17
end = 21

[_C_5]
file = "HOME/tests/c/scalar_product.c"
line = 78
begin = 21
end = 59

[_C_36]
file = "HOME/tests/c/scalar_product.c"
line = 68
begin = 16
end = 22

[_C_12]
file = "HOME/tests/c/scalar_product.c"
line = 89
begin = 17
end = 18

[_C_33]
file = "HOME/tests/c/scalar_product.c"
line = 69
begin = 35
end = 54

[_C_22]
file = "HOME/tests/c/scalar_product.c"
line = 110
begin = 22
end = 52

[A2]
name = "Lemma A2"
file = "HOME/tests/c/scalar_product.c"
line = 55
begin = 6
end = 178

[_C_9]
file = "HOME/tests/c/scalar_product.c"
line = 84
begin = 22
end = 39

[_C_30]
file = "HOME/tests/c/scalar_product.c"
line = 69
begin = 13
end = 31

[_C_6]
file = "HOME/tests/c/scalar_product.c"
line = 77
begin = 26
end = 37

[_C_24]
file = "HOME/tests/c/scalar_product.c"
line = 82
begin = 23
end = 26

[_C_20]
file = "HOME/tests/c/scalar_product.c"
line = 97
begin = 10
end = 195

[scalar_product]
name = "Function scalar_product"
file = "HOME/tests/c/scalar_product.c"
line = 75
begin = 7
end = 21

[_C_3]
file = "HOME/tests/c/scalar_product.c"
line = 80
begin = 19
end = 22

[_C_17]
file = "HOME/tests/c/scalar_product.c"
line = 89
begin = 8
end = 21

[_C_7]
file = "HOME/tests/c/scalar_product.c"
line = 77
begin = 26
end = 32

[_C_27]
file = "HOME/tests/c/scalar_product.c"
line = 70
begin = 13
end = 98

[A1]
name = "Lemma A1"
file = "HOME/tests/c/scalar_product.c"
line = 53
begin = 6
end = 85

[_C_15]
file = "HOME/tests/c/scalar_product.c"
line = 89
begin = 12
end = 16

[_C_26]
file = "HOME/tests/c/scalar_product.c"
line = 73
begin = 7
end = 67

[_C_10]
file = "HOME/tests/c/scalar_product.c"
line = 85
begin = 22
end = 39

[_C_8]
file = "HOME/tests/c/scalar_product.c"
line = 77
begin = 31
end = 37

[_C_18]
file = "HOME/tests/c/scalar_product.c"
line = 89
begin = 8
end = 21

[_C_29]
file = "HOME/tests/c/scalar_product.c"
line = 69
begin = 13
end = 31

[_C_14]
file = "HOME/tests/c/scalar_product.c"
line = 89
begin = 12
end = 13

[_C_37]
file = "HOME/tests/c/scalar_product.c"
line = 68
begin = 21
end = 28

[_C_2]
file = "HOME/tests/c/scalar_product.c"
line = 82
begin = 7
end = 10

[_C_34]
file = "HOME/tests/c/scalar_product.c"
line = 69
begin = 35
end = 54

[_C_16]
file = "HOME/tests/c/scalar_product.c"
line = 89
begin = 12
end = 21

[_C_1]
file = "HOME/tests/c/scalar_product.c"
line = 76
begin = 2
end = 8

[bound_int_to_real]
name = "Lemma bound_int_to_real"
file = "HOME/tests/c/scalar_product.c"
line = 63
begin = 7
end = 79

[_C_25]
file = "HOME/tests/c/scalar_product.c"
line = 82
begin = 23
end = 26

[_C_11]
file = "HOME/tests/c/scalar_product.c"
line = 86
begin = 22
end = 51

[_C_21]
file = "HOME/tests/c/scalar_product.c"
line = 105
begin = 6
end = 113

========== jessie execution ==========
Generating Why function scalar_product
========== file tests/c/scalar_product.jessie/scalar_product.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why $(WHYLIB)/why/floats_strict.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/scalar_product_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: scalar_product.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: scalar_product.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: scalar_product.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/c/scalar_product.jessie/scalar_product.loc ==========
[JC_51]
file = "HOME/tests/c/scalar_product.jessie/scalar_product.jc"
line = 92
begin = 9
end = 6171

[JC_45]
file = "HOME/tests/c/scalar_product.c"
line = 78
begin = 21
end = 59

[JC_31]
file = "HOME/tests/c/scalar_product.c"
line = 84
begin = 22
end = 39

[JC_17]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_55]
kind = FPOverflow
file = "HOME/tests/c/scalar_product.c"
line = 89
begin = 12
end = 21

[JC_48]
file = "HOME/tests/c/scalar_product.c"
line = 77
begin = 26
end = 37

[scalar_product_safety]
name = "Function scalar_product"
behavior = "Safety"
file = "HOME/tests/c/scalar_product.c"
line = 75
begin = 7
end = 21

[JC_23]
file = "HOME/tests/c/scalar_product.c"
line = 79
begin = 21
end = 75

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/tests/c/scalar_product.c"
line = 69
begin = 35
end = 54

[JC_9]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_24]
file = "HOME/tests/c/scalar_product.c"
line = 78
begin = 21
end = 59

[JC_25]
file = "HOME/tests/c/scalar_product.c"
line = 77
begin = 26
end = 32

[JC_41]
file = "HOME/tests/c/scalar_product.c"
line = 110
begin = 22
end = 52

[JC_47]
file = "HOME/tests/c/scalar_product.c"
line = 77
begin = 31
end = 37

[JC_52]
file = "HOME/tests/c/scalar_product.c"
line = 84
begin = 22
end = 39

[JC_26]
file = "HOME/tests/c/scalar_product.c"
line = 77
begin = 31
end = 37

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
file = "HOME/tests/c/scalar_product.c"
line = 86
begin = 22
end = 51

[A2]
name = "Lemma A2"
behavior = "axiom"
file = "HOME/tests/c/scalar_product.c"
line = 55
begin = 6
end = 178

[JC_13]
file = "HOME/tests/c/scalar_product.c"
line = 69
begin = 13
end = 31

[JC_11]
file = "HOME/tests/c/scalar_product.c"
line = 68
begin = 21
end = 28

[JC_15]
file = "HOME/tests/c/scalar_product.c"
line = 69
begin = 35
end = 54

[JC_36]
kind = FPOverflow
file = "HOME/tests/c/scalar_product.c"
line = 89
begin = 12
end = 21

[JC_39]
file = "HOME/tests/c/scalar_product.c"
line = 97
begin = 10
end = 195

[JC_40]
file = "HOME/tests/c/scalar_product.c"
line = 105
begin = 6
end = 113

[JC_35]
kind = PointerDeref
file = "HOME/tests/c/scalar_product.c"
line = 89
begin = 17
end = 21

[JC_27]
file = "HOME/tests/c/scalar_product.c"
line = 77
begin = 26
end = 37

[JC_38]
file = "HOME/tests/c/scalar_product.c"
line = 92
begin = 22
end = 67

[JC_12]
file = "HOME/tests/c/scalar_product.c"
line = 69
begin = 13
end = 31

[JC_6]
file = "HOME/tests/c/scalar_product.c"
line = 69
begin = 35
end = 54

[JC_44]
file = "HOME/tests/c/scalar_product.c"
line = 79
begin = 21
end = 75

[JC_4]
file = "HOME/tests/c/scalar_product.c"
line = 69
begin = 13
end = 31

[JC_42]
kind = ArithOverflow
file = "HOME/tests/c/scalar_product.c"
line = 82
begin = 23
end = 26

[JC_46]
file = "HOME/tests/c/scalar_product.c"
line = 77
begin = 26
end = 32

[A1]
name = "Lemma A1"
behavior = "axiom"
file = "HOME/tests/c/scalar_product.c"
line = 53
begin = 6
end = 85

[JC_32]
file = "HOME/tests/c/scalar_product.c"
line = 85
begin = 22
end = 39

[JC_56]
kind = FPOverflow
file = "HOME/tests/c/scalar_product.c"
line = 89
begin = 8
end = 21

[JC_33]
file = "HOME/tests/c/scalar_product.c"
line = 86
begin = 22
end = 51

[JC_29]
file = "HOME/tests/c/scalar_product.jessie/scalar_product.jc"
line = 92
begin = 9
end = 6171

[JC_7]
file = "HOME/tests/c/scalar_product.c"
line = 70
begin = 13
end = 98

[JC_16]
file = "HOME/tests/c/scalar_product.c"
line = 70
begin = 13
end = 98

[JC_43]
file = "HOME/tests/c/scalar_product.c"
line = 80
begin = 19
end = 22

[JC_2]
file = "HOME/tests/c/scalar_product.c"
line = 68
begin = 21
end = 28

[JC_34]
kind = PointerDeref
file = "HOME/tests/c/scalar_product.c"
line = 89
begin = 12
end = 16

[JC_14]
file = "HOME/tests/c/scalar_product.c"
line = 69
begin = 35
end = 54

[scalar_product_ensures_default]
name = "Function scalar_product"
behavior = "default behavior"
file = "HOME/tests/c/scalar_product.c"
line = 75
begin = 7
end = 21

[JC_53]
file = "HOME/tests/c/scalar_product.c"
line = 85
begin = 22
end = 39

[JC_21]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_49]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1]
file = "HOME/tests/c/scalar_product.c"
line = 68
begin = 16
end = 22

[JC_37]
kind = FPOverflow
file = "HOME/tests/c/scalar_product.c"
line = 89
begin = 8
end = 21

[JC_10]
file = "HOME/tests/c/scalar_product.c"
line = 68
begin = 16
end = 22

[JC_57]
file = "HOME/tests/c/scalar_product.c"
line = 92
begin = 22
end = 67

[JC_59]
file = "HOME/tests/c/scalar_product.c"
line = 105
begin = 6
end = 113

[JC_20]
file = "HOME/tests/c/scalar_product.c"
line = 73
begin = 7
end = 67

[JC_18]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_3]
file = "HOME/tests/c/scalar_product.c"
line = 69
begin = 13
end = 31

[bound_int_to_real]
name = "Lemma bound_int_to_real"
behavior = "lemma"
file = "HOME/tests/c/scalar_product.c"
line = 63
begin = 7
end = 79

[JC_60]
file = "HOME/tests/c/scalar_product.c"
line = 110
begin = 22
end = 52

[JC_19]
file = "HOME/tests/c/scalar_product.c"
line = 73
begin = 7
end = 67

[JC_50]
file = "HOME/tests/c/scalar_product.jessie/scalar_product.jc"
line = 92
begin = 9
end = 6171

[JC_30]
file = "HOME/tests/c/scalar_product.jessie/scalar_product.jc"
line = 92
begin = 9
end = 6171

[JC_58]
file = "HOME/tests/c/scalar_product.c"
line = 97
begin = 10
end = 195

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/c/scalar_product.jessie/why/scalar_product.why ==========
type charP

type doubleP

type int32

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic doubleP_tag:  -> doubleP tag_id

axiom doubleP_int : (int_of_tag(doubleP_tag) = (1))

logic doubleP_of_pointer_address: unit pointer -> doubleP pointer

axiom doubleP_of_pointer_address_of_pointer_addr :
 (forall p:doubleP pointer.
  (p = doubleP_of_pointer_address(pointer_address(p))))

axiom doubleP_parenttag_bottom : parenttag(doubleP_tag, bottom_tag)

axiom doubleP_tags :
 (forall x:doubleP pointer.
  (forall doubleP_tag_table:doubleP tag_table.
   instanceof(doubleP_tag_table, x, doubleP_tag)))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic exact_scalar_product: doubleP pointer, doubleP pointer, int,
 (doubleP, double) memory, (doubleP, double) memory -> real

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_doubleP(p:doubleP pointer, a:int,
 doubleP_alloc_table:doubleP alloc_table) =
 (offset_min(doubleP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom no_assign_exact_scalar_product_0 :
 (forall tmp:doubleP pset.
  (forall tmpmem:(doubleP, double) memory.
   (forall tmpalloc:doubleP alloc_table.
    (forall doubleP_doubleM_x_1_at_L:(doubleP, double) memory.
     (forall doubleP_doubleM_y_2_at_L:(doubleP, double) memory.
      (forall n:int.
       (forall y:doubleP pointer.
        (forall x_0:doubleP pointer.
         ((pset_disjoint(tmp, pset_all(pset_singleton(y)))
          and not_assigns(tmpalloc, doubleP_doubleM_y_2_at_L, tmpmem, tmp)) ->
          (exact_scalar_product(x_0, y, n, doubleP_doubleM_y_2_at_L,
           doubleP_doubleM_x_1_at_L) = exact_scalar_product(x_0, y, n,
                                       tmpmem, doubleP_doubleM_x_1_at_L)))))))))))

axiom no_assign_exact_scalar_product_1 :
 (forall tmp:doubleP pset.
  (forall tmpmem:(doubleP, double) memory.
   (forall tmpalloc:doubleP alloc_table.
    (forall doubleP_doubleM_x_1_at_L:(doubleP, double) memory.
     (forall doubleP_doubleM_y_2_at_L:(doubleP, double) memory.
      (forall n:int.
       (forall y:doubleP pointer.
        (forall x_0:doubleP pointer.
         ((pset_disjoint(tmp, pset_all(pset_singleton(x_0)))
          and not_assigns(tmpalloc, doubleP_doubleM_x_1_at_L, tmpmem, tmp)) ->
          (exact_scalar_product(x_0, y, n, doubleP_doubleM_y_2_at_L,
           doubleP_doubleM_x_1_at_L) = exact_scalar_product(x_0, y, n,
                                       doubleP_doubleM_y_2_at_L, tmpmem)))))))))))

axiom no_update_exact_scalar_product_0 :
 (forall tmp:doubleP pointer.
  (forall tmpval:double.
   (forall doubleP_doubleM_x_1_at_L:(doubleP, double) memory.
    (forall doubleP_doubleM_y_2_at_L:(doubleP, double) memory.
     (forall n:int.
      (forall y:doubleP pointer.
       (forall x_0:doubleP pointer.
        ((not in_pset(tmp, pset_all(pset_singleton(y)))) ->
         (exact_scalar_product(x_0, y, n, doubleP_doubleM_y_2_at_L,
          doubleP_doubleM_x_1_at_L) = exact_scalar_product(x_0, y, n,
                                      store(doubleP_doubleM_y_2_at_L, tmp,
                                      tmpval), doubleP_doubleM_x_1_at_L))))))))))

axiom no_update_exact_scalar_product_1 :
 (forall tmp:doubleP pointer.
  (forall tmpval:double.
   (forall doubleP_doubleM_x_1_at_L:(doubleP, double) memory.
    (forall doubleP_doubleM_y_2_at_L:(doubleP, double) memory.
     (forall n:int.
      (forall y:doubleP pointer.
       (forall x_0:doubleP pointer.
        ((not in_pset(tmp, pset_all(pset_singleton(x_0)))) ->
         (exact_scalar_product(x_0, y, n, doubleP_doubleM_y_2_at_L,
          doubleP_doubleM_x_1_at_L) = exact_scalar_product(x_0, y, n,
                                      doubleP_doubleM_y_2_at_L,
                                      store(doubleP_doubleM_x_1_at_L, tmp,
                                      tmpval)))))))))))

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

axiom pointer_addr_of_doubleP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(doubleP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_doubleP(p:doubleP pointer, b:int,
 doubleP_alloc_table:doubleP alloc_table) =
 (offset_max(doubleP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_doubleP(p:doubleP pointer, a:int, b:int,
 doubleP_alloc_table:doubleP alloc_table) =
 ((offset_min(doubleP_alloc_table, p) = a)
 and (offset_max(doubleP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_doubleP(p:doubleP pointer, a:int, b:int,
 doubleP_alloc_table:doubleP alloc_table) =
 ((offset_min(doubleP_alloc_table, p) = a)
 and (offset_max(doubleP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_doubleP(p:doubleP pointer, a:int, b:int,
 doubleP_alloc_table:doubleP alloc_table) =
 ((offset_min(doubleP_alloc_table, p) <= a)
 and (offset_max(doubleP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_doubleP(p:doubleP pointer, a:int, b:int,
 doubleP_alloc_table:doubleP alloc_table) =
 ((offset_min(doubleP_alloc_table, p) <= a)
 and (offset_max(doubleP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

axiom A1 :
 (forall doubleP_doubleM_y_2_at_L:(doubleP, double) memory.
  (forall doubleP_doubleM_x_1_at_L:(doubleP, double) memory.
   (forall x_0_0:doubleP pointer.
    (forall y_0_0:doubleP pointer.
     (exact_scalar_product(x_0_0, y_0_0, (0), doubleP_doubleM_y_2_at_L,
      doubleP_doubleM_x_1_at_L) = 0.0)))))

axiom A2 :
 (forall doubleP_doubleM_y_2_at_L:(doubleP, double) memory.
  (forall doubleP_doubleM_x_1_at_L:(doubleP, double) memory.
   (forall x_1_0:doubleP pointer.
    (forall y_1:doubleP pointer.
     (forall n_0:int.
      (ge_int(n_0, (0)) ->
       (exact_scalar_product(x_1_0, y_1, add_int(n_0, (1)),
        doubleP_doubleM_y_2_at_L, doubleP_doubleM_x_1_at_L) = add_real(
                                                              exact_scalar_product(x_1_0,
                                                              y_1, n_0,
                                                              doubleP_doubleM_y_2_at_L,
                                                              doubleP_doubleM_x_1_at_L),
                                                              mul_real(
                                                              double_value(
                                                              select(doubleP_doubleM_x_1_at_L,
                                                              shift(x_1_0,
                                                              n_0))),
                                                              double_value(
                                                              select(doubleP_doubleM_y_2_at_L,
                                                              shift(y_1, n_0))))))))))))

lemma bound_int_to_real :
 (forall i_1:int. (le_int(i_1, (10)) -> le_real(real_of_int(i_1), 10.0)))

exception Goto_while_0_break_exc of unit

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter doubleP_alloc_table : doubleP alloc_table ref

parameter doubleP_tag_table : doubleP tag_table ref

parameter alloc_struct_doubleP :
 n:int ->
  doubleP_alloc_table:doubleP alloc_table ref ->
   doubleP_tag_table:doubleP tag_table ref ->
    { } doubleP pointer writes doubleP_alloc_table,doubleP_tag_table
    { (strict_valid_struct_doubleP(result, (0), sub_int(n, (1)),
       doubleP_alloc_table)
      and (alloc_extends(doubleP_alloc_table@, doubleP_alloc_table)
          and (alloc_fresh(doubleP_alloc_table@, result, n)
              and instanceof(doubleP_tag_table, result, doubleP_tag)))) }

parameter alloc_struct_doubleP_requires :
 n:int ->
  doubleP_alloc_table:doubleP alloc_table ref ->
   doubleP_tag_table:doubleP tag_table ref ->
    { ge_int(n, (0))} doubleP pointer
    writes doubleP_alloc_table,doubleP_tag_table
    { (strict_valid_struct_doubleP(result, (0), sub_int(n, (1)),
       doubleP_alloc_table)
      and (alloc_extends(doubleP_alloc_table@, doubleP_alloc_table)
          and (alloc_fresh(doubleP_alloc_table@, result, n)
              and instanceof(doubleP_tag_table, result, doubleP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int32 : unit -> { } int32 { true }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter scalar_product :
 x_1:doubleP pointer ->
  y_0:doubleP pointer ->
   n_1:int32 ->
    doubleP_y_4_alloc_table:doubleP alloc_table ->
     doubleP_x_3_alloc_table:doubleP alloc_table ->
      doubleP_doubleM_y_4:(doubleP, double) memory ->
       doubleP_doubleM_x_3:(doubleP, double) memory ->
        { } double
        { (JC_20:
          le_real(abs_real(sub_real(double_value(result),
                           exact_scalar_product(x_1, y_0,
                           integer_of_int32(n_1), doubleP_doubleM_y_4,
                           doubleP_doubleM_x_3))),
          mul_real(real_of_int(integer_of_int32(n_1)), 0x1.1p-50))) }

parameter scalar_product_requires :
 x_1:doubleP pointer ->
  y_0:doubleP pointer ->
   n_1:int32 ->
    doubleP_y_4_alloc_table:doubleP alloc_table ->
     doubleP_x_3_alloc_table:doubleP alloc_table ->
      doubleP_doubleM_y_4:(doubleP, double) memory ->
       doubleP_doubleM_x_3:(doubleP, double) memory ->
        { (JC_8:
          ((JC_1: le_int((0), integer_of_int32(n_1)))
          and ((JC_2: le_int(integer_of_int32(n_1), (10)))
              and ((JC_3:
                   le_int(offset_min(doubleP_x_3_alloc_table, x_1), (0)))
                  and ((JC_4:
                       ge_int(offset_max(doubleP_x_3_alloc_table, x_1),
                       sub_int(integer_of_int32(n_1), (1))))
                      and ((JC_5:
                           le_int(offset_min(doubleP_y_4_alloc_table, y_0),
                           (0)))
                          and ((JC_6:
                               ge_int(offset_max(doubleP_y_4_alloc_table,
                                      y_0),
                               sub_int(integer_of_int32(n_1), (1))))
                              and (JC_7:
                                  (forall i_2:int.
                                   ((le_int((0), i_2)
                                    and lt_int(i_2, integer_of_int32(n_1))) ->
                                    (le_real(abs_real(double_value(select(doubleP_doubleM_x_3,
                                                                   shift(x_1,
                                                                   i_2)))),
                                     1.0)
                                    and le_real(abs_real(double_value(
                                                         select(doubleP_doubleM_y_4,
                                                         shift(y_0, i_2)))),
                                        1.0))))))))))))}
        double
        { (JC_20:
          le_real(abs_real(sub_real(double_value(result),
                           exact_scalar_product(x_1, y_0,
                           integer_of_int32(n_1), doubleP_doubleM_y_4,
                           doubleP_doubleM_x_3))),
          mul_real(real_of_int(integer_of_int32(n_1)), 0x1.1p-50))) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let scalar_product_ensures_default =
 fun (x_1 : doubleP pointer) (y_0 : doubleP pointer) (n_1 : int32) (doubleP_x_3_alloc_table : doubleP alloc_table) (doubleP_y_4_alloc_table : doubleP alloc_table) (doubleP_doubleM_x_3 : (doubleP, double) memory) (doubleP_doubleM_y_4 : (doubleP, double) memory) ->
  { (JC_17:
    ((JC_10: le_int((0), integer_of_int32(n_1)))
    and ((JC_11: le_int(integer_of_int32(n_1), (10)))
        and ((JC_12: le_int(offset_min(doubleP_x_3_alloc_table, x_1), (0)))
            and ((JC_13:
                 ge_int(offset_max(doubleP_x_3_alloc_table, x_1),
                 sub_int(integer_of_int32(n_1), (1))))
                and ((JC_14:
                     le_int(offset_min(doubleP_y_4_alloc_table, y_0), (0)))
                    and ((JC_15:
                         ge_int(offset_max(doubleP_y_4_alloc_table, y_0),
                         sub_int(integer_of_int32(n_1), (1))))
                        and (JC_16:
                            (forall i_2:int.
                             ((le_int((0), i_2)
                              and lt_int(i_2, integer_of_int32(n_1))) ->
                              (le_real(abs_real(double_value(select(doubleP_doubleM_x_3,
                                                             shift(x_1, i_2)))),
                               1.0)
                              and le_real(abs_real(double_value(select(doubleP_doubleM_y_4,
                                                                shift(y_0,
                                                                i_2)))),
                                  1.0)))))))))))) }
  (init:
  (let return = ref (any_double void) in
  try
   begin
     (let p = ref (any_double void) in
     (let i = ref (any_int32 void) in
     begin
       (let _jessie_ = (p := (double_of_real_exact 0.0)) in void);
      try
       begin
         (let _jessie_ = (i := (safe_int32_of_integer_ (0))) in void);
        (loop_2:
        begin
          while true do
          { invariant
              ((JC_44:
               le_real(abs_real(sub_real(double_value(p),
                                exact_scalar_product(x_1, y_0,
                                integer_of_int32(i), doubleP_doubleM_y_4,
                                doubleP_doubleM_x_3))),
               mul_real(real_of_int(integer_of_int32(i)), 0x1.1p-50)))
              and ((JC_45:
                   le_real(abs_real(exact_scalar_product(x_1, y_0,
                                    integer_of_int32(i), doubleP_doubleM_y_4,
                                    doubleP_doubleM_x_3)),
                   real_of_int(integer_of_int32(i))))
                  and (JC_48:
                      ((JC_46: le_int((0), integer_of_int32(i)))
                      and (JC_47:
                          le_int(integer_of_int32(i), integer_of_int32(n_1)))))))
             }
           begin
             [ { } unit { true } ];
            try
             begin
               (let _jessie_ =
               begin
                 (if ((lt_int_ (integer_of_int32 !i)) (integer_of_int32 n_1))
                 then void else (raise (Goto_while_0_break_exc void)));
                (assert
                { (JC_52:
                  le_real(abs_real(double_value(select(doubleP_doubleM_x_3,
                                                shift(x_1,
                                                integer_of_int32(i))))),
                  1.0)) }; void); void;
                (assert
                { (JC_53:
                  le_real(abs_real(double_value(select(doubleP_doubleM_y_4,
                                                shift(y_0,
                                                integer_of_int32(i))))),
                  1.0)) }; void); void;
                (assert
                { (JC_54:
                  le_real(abs_real(double_value(p)),
                  mul_real(10.0, add_real(1.0, 0x1.1p-50)))) }; void);
                begin
                  void;
                 (L:
                 begin
                   (let _jessie_ =
                   (p := (JC_56:
                         (((add_double_safe nearest_even) !p) (JC_55:
                                                              (((mul_double_safe nearest_even) 
                                                                ((safe_acc_ doubleP_doubleM_x_3) 
                                                                 ((shift x_1) 
                                                                  (integer_of_int32 !i)))) 
                                                               ((safe_acc_ doubleP_doubleM_y_4) 
                                                                ((shift y_0) 
                                                                 (integer_of_int32 !i)))))))) in
                   void);
                  (assert
                  { (JC_57:
                    le_real(abs_real(sub_real(double_value(p),
                                     add_real(double_value(p@L),
                                     mul_real(double_value(select(doubleP_doubleM_x_3,
                                                           shift(x_1,
                                                           integer_of_int32(i)))),
                                     double_value(select(doubleP_doubleM_y_4,
                                                  shift(y_0,
                                                  integer_of_int32(i)))))))),
                    0x1.1p-50)) }; void); void;
                  (assert
                  { (JC_58:
                    le_real(abs_real(sub_real(double_value(p),
                                     exact_scalar_product(x_1, y_0,
                                     add_int(integer_of_int32(i), (1)),
                                     doubleP_doubleM_y_4,
                                     doubleP_doubleM_x_3))),
                    add_real(abs_real(sub_real(double_value(p),
                                      add_real(double_value(p@L),
                                      mul_real(double_value(select(doubleP_doubleM_x_3,
                                                            shift(x_1,
                                                            integer_of_int32(i)))),
                                      double_value(select(doubleP_doubleM_y_4,
                                                   shift(y_0,
                                                   integer_of_int32(i)))))))),
                    abs_real(sub_real(add_real(double_value(p@L),
                                      mul_real(double_value(select(doubleP_doubleM_x_3,
                                                            shift(x_1,
                                                            integer_of_int32(i)))),
                                      double_value(select(doubleP_doubleM_y_4,
                                                   shift(y_0,
                                                   integer_of_int32(i)))))),
                             add_real(exact_scalar_product(x_1, y_0,
                                      integer_of_int32(i),
                                      doubleP_doubleM_y_4,
                                      doubleP_doubleM_x_3),
                             mul_real(double_value(select(doubleP_doubleM_x_3,
                                                   shift(x_1,
                                                   integer_of_int32(i)))),
                             double_value(select(doubleP_doubleM_y_4,
                                          shift(y_0, integer_of_int32(i))))))))))) };
                  void); void;
                  (assert
                  { (JC_59:
                    le_real(abs_real(exact_scalar_product(x_1, y_0,
                                     add_int(integer_of_int32(i), (1)),
                                     doubleP_doubleM_y_4,
                                     doubleP_doubleM_x_3)),
                    add_real(abs_real(exact_scalar_product(x_1, y_0,
                                      integer_of_int32(i),
                                      doubleP_doubleM_y_4,
                                      doubleP_doubleM_x_3)),
                    mul_real(abs_real(double_value(select(doubleP_doubleM_x_3,
                                                   shift(x_1,
                                                   integer_of_int32(i))))),
                    abs_real(double_value(select(doubleP_doubleM_y_4,
                                          shift(y_0, integer_of_int32(i))))))))) };
                  void); void;
                  (assert
                  { (JC_60:
                    le_real(mul_real(abs_real(double_value(select(doubleP_doubleM_x_3,
                                                           shift(x_1,
                                                           integer_of_int32(i))))),
                            abs_real(double_value(select(doubleP_doubleM_y_4,
                                                  shift(y_0,
                                                  integer_of_int32(i)))))),
                    1.0)) }; void); void;
                  (i := (safe_int32_of_integer_ ((add_int (integer_of_int32 !i)) (1))));
                  !i end) end end in void); (raise (Loop_continue_exc void))
             end with Loop_continue_exc _jessie_ -> void end end done;
         (raise (Goto_while_0_break_exc void)) end) end with
       Goto_while_0_break_exc _jessie_ -> (while_0_break: void) end;
      (return := !p); (raise Return) end)); absurd  end with Return ->
   !return end))
  { (JC_19:
    le_real(abs_real(sub_real(double_value(result),
                     exact_scalar_product(x_1, y_0, integer_of_int32(n_1),
                     doubleP_doubleM_y_4, doubleP_doubleM_x_3))),
    mul_real(real_of_int(integer_of_int32(n_1)), 0x1.1p-50))) } 

let scalar_product_safety =
 fun (x_1 : doubleP pointer) (y_0 : doubleP pointer) (n_1 : int32) (doubleP_x_3_alloc_table : doubleP alloc_table) (doubleP_y_4_alloc_table : doubleP alloc_table) (doubleP_doubleM_x_3 : (doubleP, double) memory) (doubleP_doubleM_y_4 : (doubleP, double) memory) ->
  { (JC_17:
    ((JC_10: le_int((0), integer_of_int32(n_1)))
    and ((JC_11: le_int(integer_of_int32(n_1), (10)))
        and ((JC_12: le_int(offset_min(doubleP_x_3_alloc_table, x_1), (0)))
            and ((JC_13:
                 ge_int(offset_max(doubleP_x_3_alloc_table, x_1),
                 sub_int(integer_of_int32(n_1), (1))))
                and ((JC_14:
                     le_int(offset_min(doubleP_y_4_alloc_table, y_0), (0)))
                    and ((JC_15:
                         ge_int(offset_max(doubleP_y_4_alloc_table, y_0),
                         sub_int(integer_of_int32(n_1), (1))))
                        and (JC_16:
                            (forall i_2:int.
                             ((le_int((0), i_2)
                              and lt_int(i_2, integer_of_int32(n_1))) ->
                              (le_real(abs_real(double_value(select(doubleP_doubleM_x_3,
                                                             shift(x_1, i_2)))),
                               1.0)
                              and le_real(abs_real(double_value(select(doubleP_doubleM_y_4,
                                                                shift(y_0,
                                                                i_2)))),
                                  1.0)))))))))))) }
  (init:
  (let return = ref (any_double void) in
  try
   begin
     (let p = ref (any_double void) in
     (let i = ref (any_int32 void) in
     begin
       (let _jessie_ = (p := (double_of_real_exact 0.0)) in void);
      try
       begin
         (let _jessie_ = (i := (safe_int32_of_integer_ (0))) in void);
        (loop_1:
        begin
          while true do
          { invariant (JC_29: true)
            variant (JC_43 : sub_int(integer_of_int32(n_1),
                             integer_of_int32(i))) }
           begin
             [ { } unit reads i,p
               { ((JC_23:
                  le_real(abs_real(sub_real(double_value(p),
                                   exact_scalar_product(x_1, y_0,
                                   integer_of_int32(i), doubleP_doubleM_y_4,
                                   doubleP_doubleM_x_3))),
                  mul_real(real_of_int(integer_of_int32(i)), 0x1.1p-50)))
                 and ((JC_24:
                      le_real(abs_real(exact_scalar_product(x_1, y_0,
                                       integer_of_int32(i),
                                       doubleP_doubleM_y_4,
                                       doubleP_doubleM_x_3)),
                      real_of_int(integer_of_int32(i))))
                     and (JC_27:
                         ((JC_25: le_int((0), integer_of_int32(i)))
                         and (JC_26:
                             le_int(integer_of_int32(i),
                             integer_of_int32(n_1))))))) } ];
            try
             begin
               (let _jessie_ =
               begin
                 (if ((lt_int_ (integer_of_int32 !i)) (integer_of_int32 n_1))
                 then void else (raise (Goto_while_0_break_exc void)));
                [ { } unit reads i
                  { (JC_31:
                    le_real(abs_real(double_value(select(doubleP_doubleM_x_3,
                                                  shift(x_1,
                                                  integer_of_int32(i))))),
                    1.0)) } ]; void;
                [ { } unit reads i
                  { (JC_32:
                    le_real(abs_real(double_value(select(doubleP_doubleM_y_4,
                                                  shift(y_0,
                                                  integer_of_int32(i))))),
                    1.0)) } ]; void;
                [ { } unit reads p
                  { (JC_33:
                    le_real(abs_real(double_value(p)),
                    mul_real(10.0, add_real(1.0, 0x1.1p-50)))) } ];
                begin
                  void;
                 (L:
                 begin
                   (let _jessie_ =
                   (p := (JC_37:
                         (((add_double nearest_even) !p) (JC_36:
                                                         (((mul_double nearest_even) 
                                                           (JC_34:
                                                           ((((offset_acc_ doubleP_x_3_alloc_table) doubleP_doubleM_x_3) x_1) 
                                                            (integer_of_int32 !i)))) 
                                                          (JC_35:
                                                          ((((offset_acc_ doubleP_y_4_alloc_table) doubleP_doubleM_y_4) y_0) 
                                                           (integer_of_int32 !i)))))))) in
                   void);
                  [ { } unit reads i,p
                    { (JC_38:
                      le_real(abs_real(sub_real(double_value(p),
                                       add_real(double_value(p@L),
                                       mul_real(double_value(select(doubleP_doubleM_x_3,
                                                             shift(x_1,
                                                             integer_of_int32(i)))),
                                       double_value(select(doubleP_doubleM_y_4,
                                                    shift(y_0,
                                                    integer_of_int32(i)))))))),
                      0x1.1p-50)) } ]; void;
                  [ { } unit reads i,p
                    { (JC_39:
                      le_real(abs_real(sub_real(double_value(p),
                                       exact_scalar_product(x_1, y_0,
                                       add_int(integer_of_int32(i), (1)),
                                       doubleP_doubleM_y_4,
                                       doubleP_doubleM_x_3))),
                      add_real(abs_real(sub_real(double_value(p),
                                        add_real(double_value(p@L),
                                        mul_real(double_value(select(doubleP_doubleM_x_3,
                                                              shift(x_1,
                                                              integer_of_int32(i)))),
                                        double_value(select(doubleP_doubleM_y_4,
                                                     shift(y_0,
                                                     integer_of_int32(i)))))))),
                      abs_real(sub_real(add_real(double_value(p@L),
                                        mul_real(double_value(select(doubleP_doubleM_x_3,
                                                              shift(x_1,
                                                              integer_of_int32(i)))),
                                        double_value(select(doubleP_doubleM_y_4,
                                                     shift(y_0,
                                                     integer_of_int32(i)))))),
                               add_real(exact_scalar_product(x_1, y_0,
                                        integer_of_int32(i),
                                        doubleP_doubleM_y_4,
                                        doubleP_doubleM_x_3),
                               mul_real(double_value(select(doubleP_doubleM_x_3,
                                                     shift(x_1,
                                                     integer_of_int32(i)))),
                               double_value(select(doubleP_doubleM_y_4,
                                            shift(y_0, integer_of_int32(i))))))))))) } ];
                  void;
                  [ { } unit reads i
                    { (JC_40:
                      le_real(abs_real(exact_scalar_product(x_1, y_0,
                                       add_int(integer_of_int32(i), (1)),
                                       doubleP_doubleM_y_4,
                                       doubleP_doubleM_x_3)),
                      add_real(abs_real(exact_scalar_product(x_1, y_0,
                                        integer_of_int32(i),
                                        doubleP_doubleM_y_4,
                                        doubleP_doubleM_x_3)),
                      mul_real(abs_real(double_value(select(doubleP_doubleM_x_3,
                                                     shift(x_1,
                                                     integer_of_int32(i))))),
                      abs_real(double_value(select(doubleP_doubleM_y_4,
                                            shift(y_0, integer_of_int32(i))))))))) } ];
                  void;
                  [ { } unit reads i
                    { (JC_41:
                      le_real(mul_real(abs_real(double_value(select(doubleP_doubleM_x_3,
                                                             shift(x_1,
                                                             integer_of_int32(i))))),
                              abs_real(double_value(select(doubleP_doubleM_y_4,
                                                    shift(y_0,
                                                    integer_of_int32(i)))))),
                      1.0)) } ]; void;
                  (i := (JC_42:
                        (int32_of_integer_ ((add_int (integer_of_int32 !i)) (1)))));
                  !i end) end end in void); (raise (Loop_continue_exc void))
             end with Loop_continue_exc _jessie_ -> void end end done;
         (raise (Goto_while_0_break_exc void)) end) end with
       Goto_while_0_break_exc _jessie_ -> (while_0_break: void) end;
      (return := !p); (raise Return) end)); absurd  end with Return ->
   !return end)) { true } 


why-2.39/tests/c/oracle/popHeap.err.oracle0000644000106100004300000000000013147234006017422 0ustar  marchevalswhy-2.39/tests/c/oracle/cd1d.res.oracle0000644000106100004300000006254513147234006016670 0ustar  marchevals========== file tests/c/cd1d.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

#define D 10.0
#define T 1.0

/*@ predicate conflict(real s, real v) =
      \exists real t; 0<=t<=T && s - t * v < D;
*/

/*@ predicate cd1d(real s, real v) = D + T * v > s ; */

/*@ lemma completeness: \forall real s, v; v >= 0.0 ==>
             conflict(s,v) ==> cd1d(s,v); */

#define eps 0x1p-49

#define Dp (D+eps)

/*@ requires 100.>=s>=0. && 1. >=v >= 0.;
       behavior completeness:
          assumes cd1d(s,v);
          ensures \result == 1;
 */
int cd1d_double(double s, double v) {
  return (Dp+T*v>s) ? 1 : 0;
}
========== frama-c -jessie execution ==========
[kernel] Parsing FRAMAC_SHARE/libc/__fc_builtin_for_normalization.i (no preprocessing)
[kernel] Parsing tests/c/cd1d.c (with preprocessing)
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/cd1d.jessie
[jessie] File tests/c/cd1d.jessie/cd1d.jc written.
[jessie] File tests/c/cd1d.jessie/cd1d.cloc written.
========== file tests/c/cd1d.jessie/cd1d.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type int8 = -128..127

type int32 = -2147483648..2147483647

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

predicate conflict(real s, real v) =
(\exists real t;
  (((0 <= t) && (t <= 1.0)) && ((s - (t * v)) < 10.0)))

predicate cd1d(real s_0, real v_0) =
((10.0 + (1.0 * v_0)) > s_0)

lemma completeness :
(\forall real s_1;
  (\forall real v_1;
    ((v_1 >= 0.0) ==> (conflict(s_1, v_1) ==> cd1d(s_1, v_1)))))

int32 cd1d_double(double s, double v)
  requires (_C_8 : ((((_C_11 : (100. >= (s :> real))) &&
                       (_C_12 : ((s :> real) >= 0.))) &&
                      (_C_13 : (1. >= (v :> real)))) &&
                     (_C_14 : ((v :> real) >= 0.))));
behavior default:
  ensures (_C_6 : true);
behavior completeness:
  assumes cd1d((s :> real), (v :> real));
  ensures (_C_7 : (\result == 1));
{  
   (var int32 tmp);
   
   {  (if ((_C_5 : ((_C_4 : ((10.0 :> double) + (0x1p-49 :> double))) +
                     (_C_3 : ((1.0 :> double) * v)))) >
            s) then (_C_2 : (tmp = 1)) else (_C_1 : (tmp = 0)));
      
      (return tmp)
   }
}
========== file tests/c/cd1d.jessie/cd1d.cloc ==========
[_C_4]
file = "HOME/tests/c/cd1d.c"
line = 54
begin = 11
end = 24

[completeness]
name = "Lemma completeness"
file = "HOME/tests/c/cd1d.c"
line = 41
begin = 7
end = 100

[_C_13]
file = "HOME/tests/c/cd1d.c"
line = 48
begin = 31
end = 37

[_C_5]
file = "HOME/tests/c/cd1d.c"
line = 54
begin = 10
end = 31

[_C_12]
file = "HOME/tests/c/cd1d.c"
line = 48
begin = 22
end = 27

[_C_9]
file = "HOME/tests/c/cd1d.c"
line = 48
begin = 16
end = 37

[_C_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[cd1d_double]
name = "Function cd1d_double"
file = "HOME/tests/c/cd1d.c"
line = 53
begin = 4
end = 15

[_C_3]
file = "HOME/tests/c/cd1d.c"
line = 54
begin = 26
end = 31

[_C_7]
file = "HOME/tests/c/cd1d.c"
line = 51
begin = 18
end = 30

[_C_10]
file = "HOME/tests/c/cd1d.c"
line = 48
begin = 16
end = 27

[_C_8]
file = "HOME/tests/c/cd1d.c"
line = 48
begin = 16
end = 43

[_C_14]
file = "HOME/tests/c/cd1d.c"
line = 48
begin = 36
end = 43

[_C_2]
file = "HOME/tests/c/cd1d.c"
line = 54
begin = 32
end = 33

[_C_1]
file = "HOME/tests/c/cd1d.c"
line = 54
begin = 32
end = 33

[_C_11]
file = "HOME/tests/c/cd1d.c"
line = 48
begin = 16
end = 23

========== jessie execution ==========
Generating Why function cd1d_double
========== file tests/c/cd1d.jessie/cd1d.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why $(WHYLIB)/why/floats_strict.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/cd1d_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: cd1d.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: cd1d.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: cd1d.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/c/cd1d.jessie/cd1d.loc ==========
[JC_17]
file = "HOME/tests/c/cd1d.c"
line = 51
begin = 18
end = 30

[JC_23]
kind = FPOverflow
file = "HOME/tests/c/cd1d.c"
line = 54
begin = 11
end = 24

[JC_22]
kind = FPOverflow
file = "HOME/tests/c/cd1d.c"
line = 54
begin = 10
end = 31

[JC_5]
file = "HOME/tests/c/cd1d.c"
line = 48
begin = 16
end = 43

[JC_9]
file = "HOME/tests/c/cd1d.c"
line = 48
begin = 31
end = 37

[completeness]
name = "Lemma completeness"
behavior = "lemma"
file = "HOME/tests/c/cd1d.c"
line = 41
begin = 7
end = 100

[JC_24]
kind = FPOverflow
file = "HOME/tests/c/cd1d.c"
line = 54
begin = 26
end = 31

[JC_25]
kind = FPOverflow
file = "HOME/tests/c/cd1d.c"
line = 54
begin = 10
end = 31

[JC_26]
kind = FPOverflow
file = "HOME/tests/c/cd1d.c"
line = 54
begin = 11
end = 24

[JC_8]
file = "HOME/tests/c/cd1d.c"
line = 48
begin = 22
end = 27

[JC_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/c/cd1d.c"
line = 48
begin = 16
end = 43

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
kind = FPOverflow
file = "HOME/tests/c/cd1d.c"
line = 54
begin = 26
end = 31

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/tests/c/cd1d.c"
line = 48
begin = 36
end = 43

[cd1d_double_ensures_default]
name = "Function cd1d_double"
behavior = "default behavior"
file = "HOME/tests/c/cd1d.c"
line = 53
begin = 4
end = 15

[cd1d_double_safety]
name = "Function cd1d_double"
behavior = "Safety"
file = "HOME/tests/c/cd1d.c"
line = 53
begin = 4
end = 15

[JC_7]
file = "HOME/tests/c/cd1d.c"
line = 48
begin = 16
end = 23

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_2]
file = "HOME/tests/c/cd1d.c"
line = 48
begin = 22
end = 27

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_21]
kind = FPOverflow
file = "HOME/tests/c/cd1d.c"
line = 54
begin = 26
end = 31

[cd1d_double_ensures_completeness]
name = "Function cd1d_double"
behavior = "Behavior `completeness'"
file = "HOME/tests/c/cd1d.c"
line = 53
begin = 4
end = 15

[JC_1]
file = "HOME/tests/c/cd1d.c"
line = 48
begin = 16
end = 23

[JC_10]
file = "HOME/tests/c/cd1d.c"
line = 48
begin = 36
end = 43

[JC_20]
kind = FPOverflow
file = "HOME/tests/c/cd1d.c"
line = 54
begin = 11
end = 24

[JC_18]
file = "HOME/tests/c/cd1d.c"
line = 51
begin = 18
end = 30

[JC_3]
file = "HOME/tests/c/cd1d.c"
line = 48
begin = 31
end = 37

[JC_19]
kind = FPOverflow
file = "HOME/tests/c/cd1d.jessie/cd1d.jc"
line = 61
begin = 48
end = 67

[JC_28]
kind = FPOverflow
file = "HOME/tests/c/cd1d.c"
line = 54
begin = 10
end = 31

========== file tests/c/cd1d.jessie/why/cd1d.why ==========
type charP

type int32

type int8

type padding

type uint8

type unsigned_charP

type voidP

predicate cd1d(s_0_0:real, v_0:real) =
 gt_real(add_real(10.0, mul_real(1.0, v_0)), s_0_0)

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

predicate conflict(s_0:real, v:real) =
 (exists t:real.
  (le_real(0.0, t)
  and (le_real(t, 1.0) and lt_real(sub_real(s_0, mul_real(t, v)), 10.0))))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

lemma completeness :
 (forall s_1_0:real.
  (forall v_1_0:real.
   (ge_real(v_1_0, 0.0) -> (conflict(s_1_0, v_1_0) -> cd1d(s_1_0, v_1_0)))))

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int32 : unit -> { } int32 { true }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter cd1d_double :
 s_1:double ->
  v_1:double ->
   { } int32
   { (cd1d(double_value(s_1), double_value(v_1)) ->
      (JC_18: (integer_of_int32(result) = (1)))) }

parameter cd1d_double_requires :
 s_1:double ->
  v_1:double ->
   { (JC_5:
     ((JC_1: ge_real(100., double_value(s_1)))
     and ((JC_2: ge_real(double_value(s_1), 0.))
         and ((JC_3: ge_real(1., double_value(v_1)))
             and (JC_4: ge_real(double_value(v_1), 0.))))))}
   int32
   { (cd1d(double_value(s_1), double_value(v_1)) ->
      (JC_18: (integer_of_int32(result) = (1)))) }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let cd1d_double_ensures_completeness =
 fun (s_1 : double) (v_1 : double) ->
  { (cd1d(double_value(s_1), double_value(v_1))
    and (JC_11:
        ((JC_7: ge_real(100., double_value(s_1)))
        and ((JC_8: ge_real(double_value(s_1), 0.))
            and ((JC_9: ge_real(1., double_value(v_1)))
                and (JC_10: ge_real(double_value(v_1), 0.))))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let tmp = ref (any_int32 void) in
     begin
       (let _jessie_ =
       (if ((gt_double_ (JC_28:
                        (((add_double_safe nearest_even) (JC_26:
                                                         (((add_double_safe nearest_even) 
                                                           (double_of_real_exact 10.0)) 
                                                          ((double_of_real_safe nearest_even) 0x1p-49)))) 
                         (JC_27:
                         (((mul_double_safe nearest_even) (double_of_real_exact 1.0)) v_1))))) s_1)
       then begin   (tmp := (safe_int32_of_integer_ (1))); !tmp end
       else begin   (tmp := (safe_int32_of_integer_ (0))); !tmp end) in void);
      (return := !tmp); (raise Return) end); absurd  end with Return ->
   !return end)) { (JC_17: (integer_of_int32(result) = (1))) } 

let cd1d_double_ensures_default =
 fun (s_1 : double) (v_1 : double) ->
  { (JC_11:
    ((JC_7: ge_real(100., double_value(s_1)))
    and ((JC_8: ge_real(double_value(s_1), 0.))
        and ((JC_9: ge_real(1., double_value(v_1)))
            and (JC_10: ge_real(double_value(v_1), 0.)))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let tmp = ref (any_int32 void) in
     begin
       (let _jessie_ =
       (if ((gt_double_ (JC_25:
                        (((add_double_safe nearest_even) (JC_23:
                                                         (((add_double_safe nearest_even) 
                                                           (double_of_real_exact 10.0)) 
                                                          ((double_of_real_safe nearest_even) 0x1p-49)))) 
                         (JC_24:
                         (((mul_double_safe nearest_even) (double_of_real_exact 1.0)) v_1))))) s_1)
       then begin   (tmp := (safe_int32_of_integer_ (1))); !tmp end
       else begin   (tmp := (safe_int32_of_integer_ (0))); !tmp end) in void);
      (return := !tmp); (raise Return) end); absurd  end with Return ->
   !return end)) { (JC_13: true) } 

let cd1d_double_safety =
 fun (s_1 : double) (v_1 : double) ->
  { (JC_11:
    ((JC_7: ge_real(100., double_value(s_1)))
    and ((JC_8: ge_real(double_value(s_1), 0.))
        and ((JC_9: ge_real(1., double_value(v_1)))
            and (JC_10: ge_real(double_value(v_1), 0.)))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let tmp = ref (any_int32 void) in
     begin
       (let _jessie_ =
       (if ((gt_double_ (JC_22:
                        (((add_double nearest_even) (JC_20:
                                                    (((add_double nearest_even) 
                                                      (double_of_real_exact 10.0)) 
                                                     (JC_19:
                                                     ((double_of_real nearest_even) 0x1p-49))))) 
                         (JC_21:
                         (((mul_double nearest_even) (double_of_real_exact 1.0)) v_1))))) s_1)
       then begin   (tmp := (safe_int32_of_integer_ (1))); !tmp end
       else begin   (tmp := (safe_int32_of_integer_ (0))); !tmp end) in void);
      (return := !tmp); (raise Return) end); absurd  end with Return ->
   !return end)) { true } 


why-2.39/tests/c/oracle/eps_line1.res.oracle0000644000106100004300000011630013147234006017721 0ustar  marchevals========== file tests/c/eps_line1.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

#define E 0x1p-45


//@ logic integer l_sign(real x) = (x >= 0.0) ? 1 : -1;

/*@ requires e1<= x-\exact(x) <= e2;
  @ ensures  (\result != 0 ==> \result == l_sign(\exact(x))) &&
  @          \abs(\result) <= 1 ;
  @*/
int sign(double x, double e1, double e2) {

  if (x > e2)
    return 1;
  if (x < e1)
    return -1;
  return 0;
}

/*@ requires
  @   sx == \exact(sx)  && sy == \exact(sy) &&
  @   vx == \exact(vx)  && vy == \exact(vy) &&
  @   \abs(sx) <= 100.0 && \abs(sy) <= 100.0 &&
  @   \abs(vx) <= 1.0   && \abs(vy) <= 1.0;
  @ ensures
  @    \result != 0
  @      ==> \result == l_sign(\exact(sx)*\exact(vx)+\exact(sy)*\exact(vy))
  @            * l_sign(\exact(sx)*\exact(vy)-\exact(sy)*\exact(vx));
  @*/
int eps_line(double sx, double sy,double vx, double vy){
  int s1,s2;

  s1=sign(sx*vx+sy*vy, -E, E);
  s2=sign(sx*vy-sy*vx, -E, E);

  return s1*s2;
}

/*
Local Variables:
compile-command: "LC_ALL=C make eps_line1.why3ide"
End:
*/
========== frama-c -jessie execution ==========
[kernel] Parsing FRAMAC_SHARE/libc/__fc_builtin_for_normalization.i (no preprocessing)
[kernel] Parsing tests/c/eps_line1.c (with preprocessing)
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/eps_line1.jessie
[jessie] File tests/c/eps_line1.jessie/eps_line1.jc written.
[jessie] File tests/c/eps_line1.jessie/eps_line1.cloc written.
========== file tests/c/eps_line1.jessie/eps_line1.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type int8 = -128..127

type int32 = -2147483648..2147483647

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

logic integer l_sign(real x) =
(if (x >= 0.0) then 1 else (- 1))

int32 sign(double x, double e1, double e2)
  requires (_C_7 : ((_C_8 : ((e1 :> real) <=
                              ((x :> real) - \double_exact(x)))) &&
                     (_C_9 : (((x :> real) - \double_exact(x)) <=
                               (e2 :> real)))));
behavior default:
  ensures (_C_4 : ((_C_5 : ((\result != 0) ==>
                             (\result == l_sign(\double_exact(\at(x,Old)))))) &&
                    (_C_6 : (\integer_abs(\result) <= 1))));
{  
   (var int32 __retres);
   
   {  (if (x > e2) then 
      {  (_C_1 : (__retres = 1));
         
         (goto return_label)
      } else ());
      (if (x < e1) then 
      {  (_C_2 : (__retres = -1));
         
         (goto return_label)
      } else ());
      (_C_3 : (__retres = 0));
      (return_label : 
      (return __retres))
   }
}

int32 eps_line(double sx, double sy, double vx, double vy)
  requires (_C_26 : ((((((((_C_33 : ((sx :> real) == \double_exact(sx))) &&
                            (_C_34 : ((sy :> real) == \double_exact(sy)))) &&
                           (_C_35 : ((vx :> real) == \double_exact(vx)))) &&
                          (_C_36 : ((vy :> real) == \double_exact(vy)))) &&
                         (_C_37 : (\real_abs((sx :> real)) <= 100.0))) &&
                        (_C_38 : (\real_abs((sy :> real)) <= 100.0))) &&
                       (_C_39 : (\real_abs((vx :> real)) <= 1.0))) &&
                      (_C_40 : (\real_abs((vy :> real)) <= 1.0))));
behavior default:
  ensures (_C_25 : ((\result != 0) ==>
                     (\result ==
                       (l_sign(((\double_exact(\at(sx,Old)) *
                                  \double_exact(\at(vx,Old))) +
                                 (\double_exact(\at(sy,Old)) *
                                   \double_exact(\at(vy,Old))))) *
                         l_sign(((\double_exact(\at(sx,Old)) *
                                   \double_exact(\at(vy,Old))) -
                                  (\double_exact(\at(sy,Old)) *
                                    \double_exact(\at(vx,Old)))))))));
{  
   (var int32 s1);
   
   (var int32 s2);
   
   (var int32 __retres_0);
   
   {  (_C_15 : (s1 = (_C_14 : sign((_C_12 : ((_C_11 : (sx * vx)) +
                                              (_C_10 : (sy * vy)))),
                                   (_C_13 : (- (0x1p-45 :> double))),
                                   (0x1p-45 :> double)))));
      (_C_21 : (s2 = (_C_20 : sign((_C_18 : ((_C_17 : (sx * vy)) -
                                              (_C_16 : (sy * vx)))),
                                   (_C_19 : (- (0x1p-45 :> double))),
                                   (0x1p-45 :> double)))));
      (_C_24 : (__retres_0 = (_C_23 : ((_C_22 : (s1 * s2)) :> int32))));
      
      (return __retres_0)
   }
}
========== file tests/c/eps_line1.jessie/eps_line1.cloc ==========
[sign]
name = "Function sign"
file = "HOME/tests/c/eps_line1.c"
line = 41
begin = 4
end = 8

[_C_35]
file = "HOME/tests/c/eps_line1.c"
line = 52
begin = 6
end = 22

[_C_28]
file = "HOME/tests/c/eps_line1.c"
line = 51
begin = 6
end = 136

[_C_31]
file = "HOME/tests/c/eps_line1.c"
line = 51
begin = 6
end = 68

[_C_4]
file = "HOME/tests/c/eps_line1.c"
line = 38
begin = 12
end = 94

[_C_32]
file = "HOME/tests/c/eps_line1.c"
line = 51
begin = 6
end = 42

[_C_23]
file = "HOME/tests/c/eps_line1.c"
line = 66
begin = 9
end = 14

[_C_19]
file = "HOME/tests/c/eps_line1.c"
line = 64
begin = 24
end = 31

[_C_13]
file = "HOME/tests/c/eps_line1.c"
line = 63
begin = 24
end = 31

[_C_5]
file = "HOME/tests/c/eps_line1.c"
line = 38
begin = 12
end = 59

[_C_36]
file = "HOME/tests/c/eps_line1.c"
line = 52
begin = 26
end = 42

[_C_12]
file = "HOME/tests/c/eps_line1.c"
line = 63
begin = 10
end = 21

[_C_33]
file = "HOME/tests/c/eps_line1.c"
line = 51
begin = 6
end = 22

[_C_22]
file = "HOME/tests/c/eps_line1.c"
line = 66
begin = 9
end = 14

[_C_9]
file = "HOME/tests/c/eps_line1.c"
line = 37
begin = 21
end = 38

[_C_30]
file = "HOME/tests/c/eps_line1.c"
line = 51
begin = 6
end = 88

[_C_6]
file = "HOME/tests/c/eps_line1.c"
line = 39
begin = 13
end = 31

[_C_24]
file = "HOME/tests/c/eps_line1.c"
line = 66
begin = 2
end = 15

[_C_20]
file = "HOME/tests/c/eps_line1.c"
line = 64
begin = 5
end = 41

[_C_38]
file = "HOME/tests/c/eps_line1.c"
line = 53
begin = 27
end = 44

[_C_3]
file = "HOME/tests/c/eps_line1.c"
line = 47
begin = 2
end = 11

[_C_17]
file = "HOME/tests/c/eps_line1.c"
line = 64
begin = 10
end = 15

[_C_7]
file = "HOME/tests/c/eps_line1.c"
line = 37
begin = 16
end = 38

[_C_27]
file = "HOME/tests/c/eps_line1.c"
line = 51
begin = 6
end = 161

[_C_15]
file = "HOME/tests/c/eps_line1.c"
line = 63
begin = 5
end = 41

[_C_26]
file = "HOME/tests/c/eps_line1.c"
line = 51
begin = 6
end = 180

[_C_10]
file = "HOME/tests/c/eps_line1.c"
line = 63
begin = 16
end = 21

[_C_40]
file = "HOME/tests/c/eps_line1.c"
line = 54
begin = 25
end = 40

[_C_8]
file = "HOME/tests/c/eps_line1.c"
line = 37
begin = 16
end = 32

[_C_18]
file = "HOME/tests/c/eps_line1.c"
line = 64
begin = 10
end = 21

[_C_29]
file = "HOME/tests/c/eps_line1.c"
line = 51
begin = 6
end = 115

[_C_14]
file = "HOME/tests/c/eps_line1.c"
line = 63
begin = 5
end = 41

[_C_37]
file = "HOME/tests/c/eps_line1.c"
line = 53
begin = 6
end = 23

[_C_2]
file = "HOME/tests/c/eps_line1.c"
line = 46
begin = 4
end = 14

[_C_34]
file = "HOME/tests/c/eps_line1.c"
line = 51
begin = 26
end = 42

[_C_16]
file = "HOME/tests/c/eps_line1.c"
line = 64
begin = 16
end = 21

[eps_line]
name = "Function eps_line"
file = "HOME/tests/c/eps_line1.c"
line = 60
begin = 4
end = 12

[_C_1]
file = "HOME/tests/c/eps_line1.c"
line = 44
begin = 4
end = 13

[_C_25]
file = "HOME/tests/c/eps_line1.c"
line = 56
begin = 7
end = 164

[_C_39]
file = "HOME/tests/c/eps_line1.c"
line = 54
begin = 6
end = 21

[_C_11]
file = "HOME/tests/c/eps_line1.c"
line = 63
begin = 10
end = 15

[_C_21]
file = "HOME/tests/c/eps_line1.c"
line = 64
begin = 5
end = 41

========== jessie execution ==========
Generating Why function sign
Generating Why function eps_line
========== file tests/c/eps_line1.jessie/eps_line1.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why $(WHYLIB)/why/floats_strict.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/eps_line1_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: eps_line1.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: eps_line1.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: eps_line1.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/c/eps_line1.jessie/eps_line1.loc ==========
[JC_63]
kind = FPOverflow
file = "HOME/tests/c/eps_line1.c"
line = 64
begin = 16
end = 21

[JC_51]
kind = FPOverflow
file = "HOME/tests/c/eps_line1.c"
line = 64
begin = 10
end = 15

[JC_45]
kind = FPOverflow
file = "HOME/tests/c/eps_line1.c"
line = 63
begin = 16
end = 21

[JC_64]
kind = FPOverflow
file = "HOME/tests/c/eps_line1.c"
line = 64
begin = 10
end = 21

[eps_line_safety]
name = "Function eps_line"
behavior = "Safety"
file = "HOME/tests/c/eps_line1.c"
line = 60
begin = 4
end = 12

[JC_31]
file = "HOME/tests/c/eps_line1.c"
line = 53
begin = 6
end = 23

[JC_17]
file = "HOME/tests/c/eps_line1.c"
line = 51
begin = 6
end = 22

[JC_55]
kind = ArithOverflow
file = "HOME/tests/c/eps_line1.c"
line = 66
begin = 9
end = 14

[JC_48]
kind = FPOverflow
file = "HOME/tests/c/eps_line1.jessie/eps_line1.jc"
line = 101
begin = 35
end = 54

[JC_23]
file = "HOME/tests/c/eps_line1.c"
line = 54
begin = 6
end = 21

[JC_22]
file = "HOME/tests/c/eps_line1.c"
line = 53
begin = 27
end = 44

[JC_5]
file = "HOME/tests/c/eps_line1.c"
line = 37
begin = 16
end = 32

[JC_9]
file = "HOME/tests/c/eps_line1.c"
line = 38
begin = 12
end = 59

[JC_24]
file = "HOME/tests/c/eps_line1.c"
line = 54
begin = 25
end = 40

[JC_25]
file = "HOME/tests/c/eps_line1.c"
line = 51
begin = 6
end = 180

[JC_41]
kind = FPOverflow
file = "HOME/tests/c/eps_line1.jessie/eps_line1.jc"
line = 97
begin = 35
end = 54

[JC_47]
kind = UserCall
file = "HOME/tests/c/eps_line1.c"
line = 63
begin = 5
end = 41

[JC_52]
kind = FPOverflow
file = "HOME/tests/c/eps_line1.c"
line = 64
begin = 16
end = 21

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
kind = UserCall
file = "HOME/tests/c/eps_line1.c"
line = 64
begin = 5
end = 41

[JC_13]
file = "HOME/tests/c/eps_line1.c"
line = 39
begin = 13
end = 31

[JC_11]
file = "HOME/tests/c/eps_line1.c"
line = 38
begin = 12
end = 94

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[sign_ensures_default]
name = "Function sign"
behavior = "default behavior"
file = "HOME/tests/c/eps_line1.c"
line = 41
begin = 4
end = 8

[JC_39]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_35]
file = "HOME/tests/c/eps_line1.c"
line = 51
begin = 6
end = 180

[sign_safety]
name = "Function sign"
behavior = "Safety"
file = "HOME/tests/c/eps_line1.c"
line = 41
begin = 4
end = 8

[JC_27]
file = "HOME/tests/c/eps_line1.c"
line = 51
begin = 6
end = 22

[JC_38]
file = "HOME/tests/c/eps_line1.c"
line = 56
begin = 7
end = 164

[JC_12]
file = "HOME/tests/c/eps_line1.c"
line = 38
begin = 12
end = 59

[JC_6]
file = "HOME/tests/c/eps_line1.c"
line = 37
begin = 21
end = 38

[JC_44]
kind = FPOverflow
file = "HOME/tests/c/eps_line1.c"
line = 63
begin = 10
end = 15

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
kind = FPOverflow
file = "HOME/tests/c/eps_line1.c"
line = 64
begin = 10
end = 15

[JC_42]
kind = FPOverflow
file = "HOME/tests/c/eps_line1.jessie/eps_line1.jc"
line = 96
begin = 47
end = 66

[JC_46]
kind = FPOverflow
file = "HOME/tests/c/eps_line1.c"
line = 63
begin = 10
end = 21

[JC_61]
kind = FPOverflow
file = "HOME/tests/c/eps_line1.c"
line = 64
begin = 24
end = 31

[JC_32]
file = "HOME/tests/c/eps_line1.c"
line = 53
begin = 27
end = 44

[JC_56]
kind = FPOverflow
file = "HOME/tests/c/eps_line1.c"
line = 63
begin = 24
end = 31

[JC_33]
file = "HOME/tests/c/eps_line1.c"
line = 54
begin = 6
end = 21

[JC_65]
kind = UserCall
file = "HOME/tests/c/eps_line1.c"
line = 64
begin = 5
end = 41

[JC_29]
file = "HOME/tests/c/eps_line1.c"
line = 52
begin = 6
end = 22

[JC_7]
file = "HOME/tests/c/eps_line1.c"
line = 37
begin = 16
end = 38

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_43]
kind = FPOverflow
file = "HOME/tests/c/eps_line1.c"
line = 63
begin = 24
end = 31

[JC_2]
file = "HOME/tests/c/eps_line1.c"
line = 37
begin = 21
end = 38

[JC_34]
file = "HOME/tests/c/eps_line1.c"
line = 54
begin = 25
end = 40

[JC_14]
file = "HOME/tests/c/eps_line1.c"
line = 38
begin = 12
end = 94

[JC_53]
kind = FPOverflow
file = "HOME/tests/c/eps_line1.c"
line = 64
begin = 10
end = 21

[JC_21]
file = "HOME/tests/c/eps_line1.c"
line = 53
begin = 6
end = 23

[JC_49]
kind = FPOverflow
file = "HOME/tests/c/eps_line1.jessie/eps_line1.jc"
line = 100
begin = 47
end = 66

[JC_1]
file = "HOME/tests/c/eps_line1.c"
line = 37
begin = 16
end = 32

[JC_37]
file = "HOME/tests/c/eps_line1.c"
line = 56
begin = 7
end = 164

[JC_10]
file = "HOME/tests/c/eps_line1.c"
line = 39
begin = 13
end = 31

[JC_57]
kind = FPOverflow
file = "HOME/tests/c/eps_line1.c"
line = 63
begin = 10
end = 15

[JC_59]
kind = FPOverflow
file = "HOME/tests/c/eps_line1.c"
line = 63
begin = 10
end = 21

[JC_20]
file = "HOME/tests/c/eps_line1.c"
line = 52
begin = 26
end = 42

[JC_18]
file = "HOME/tests/c/eps_line1.c"
line = 51
begin = 26
end = 42

[JC_3]
file = "HOME/tests/c/eps_line1.c"
line = 37
begin = 16
end = 38

[JC_60]
kind = UserCall
file = "HOME/tests/c/eps_line1.c"
line = 63
begin = 5
end = 41

[JC_19]
file = "HOME/tests/c/eps_line1.c"
line = 52
begin = 6
end = 22

[JC_50]
kind = FPOverflow
file = "HOME/tests/c/eps_line1.c"
line = 64
begin = 24
end = 31

[JC_30]
file = "HOME/tests/c/eps_line1.c"
line = 52
begin = 26
end = 42

[eps_line_ensures_default]
name = "Function eps_line"
behavior = "default behavior"
file = "HOME/tests/c/eps_line1.c"
line = 60
begin = 4
end = 12

[JC_58]
kind = FPOverflow
file = "HOME/tests/c/eps_line1.c"
line = 63
begin = 16
end = 21

[JC_28]
file = "HOME/tests/c/eps_line1.c"
line = 51
begin = 26
end = 42

========== file tests/c/eps_line1.jessie/why/eps_line1.why ==========
type charP

type int32

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

function l_sign(x_0:real) : int =
 (if ge_real_bool(x_0, 0.0) then (1) else neg_int((1)))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int32 : unit -> { } int32 { true }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter eps_line :
 sx:double ->
  sy:double ->
   vx:double ->
    vy:double ->
     { } int32
     { (JC_38:
       ((integer_of_int32(result) <> (0)) ->
        (integer_of_int32(result) = mul_int(l_sign(add_real(mul_real(
                                                            double_exact(sx),
                                                            double_exact(vx)),
                                                   mul_real(double_exact(sy),
                                                   double_exact(vy)))),
                                    l_sign(sub_real(mul_real(double_exact(sx),
                                                    double_exact(vy)),
                                           mul_real(double_exact(sy),
                                           double_exact(vx)))))))) }

parameter eps_line_requires :
 sx:double ->
  sy:double ->
   vx:double ->
    vy:double ->
     { (JC_25:
       ((JC_17: (double_value(sx) = double_exact(sx)))
       and ((JC_18: (double_value(sy) = double_exact(sy)))
           and ((JC_19: (double_value(vx) = double_exact(vx)))
               and ((JC_20: (double_value(vy) = double_exact(vy)))
                   and ((JC_21: le_real(abs_real(double_value(sx)), 100.0))
                       and ((JC_22:
                            le_real(abs_real(double_value(sy)), 100.0))
                           and ((JC_23:
                                le_real(abs_real(double_value(vx)), 1.0))
                               and (JC_24:
                                   le_real(abs_real(double_value(vy)), 1.0))))))))))}
     int32
     { (JC_38:
       ((integer_of_int32(result) <> (0)) ->
        (integer_of_int32(result) = mul_int(l_sign(add_real(mul_real(
                                                            double_exact(sx),
                                                            double_exact(vx)),
                                                   mul_real(double_exact(sy),
                                                   double_exact(vy)))),
                                    l_sign(sub_real(mul_real(double_exact(sx),
                                                    double_exact(vy)),
                                           mul_real(double_exact(sy),
                                           double_exact(vx)))))))) }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter sign :
 x_1:double ->
  e1:double ->
   e2:double ->
    { } int32
    { (JC_14:
      ((JC_12:
       ((integer_of_int32(result) <> (0)) ->
        (integer_of_int32(result) = l_sign(double_exact(x_1)))))
      and (JC_13: le_int(abs_int(integer_of_int32(result)), (1))))) }

parameter sign_requires :
 x_1:double ->
  e1:double ->
   e2:double ->
    { (JC_3:
      ((JC_1:
       le_real(double_value(e1),
       sub_real(double_value(x_1), double_exact(x_1))))
      and (JC_2:
          le_real(sub_real(double_value(x_1), double_exact(x_1)),
          double_value(e2)))))}
    int32
    { (JC_14:
      ((JC_12:
       ((integer_of_int32(result) <> (0)) ->
        (integer_of_int32(result) = l_sign(double_exact(x_1)))))
      and (JC_13: le_int(abs_int(integer_of_int32(result)), (1))))) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let eps_line_ensures_default =
 fun (sx : double) (sy : double) (vx : double) (vy : double) ->
  { (JC_35:
    ((JC_27: (double_value(sx) = double_exact(sx)))
    and ((JC_28: (double_value(sy) = double_exact(sy)))
        and ((JC_29: (double_value(vx) = double_exact(vx)))
            and ((JC_30: (double_value(vy) = double_exact(vy)))
                and ((JC_31: le_real(abs_real(double_value(sx)), 100.0))
                    and ((JC_32: le_real(abs_real(double_value(sy)), 100.0))
                        and ((JC_33:
                             le_real(abs_real(double_value(vx)), 1.0))
                            and (JC_34:
                                le_real(abs_real(double_value(vy)), 1.0)))))))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let s1_1 = ref (any_int32 void) in
     (let s2_1 = ref (any_int32 void) in
     (let __retres_0 = ref (any_int32 void) in
     begin
       (let _jessie_ =
       (s1_1 := (let _jessie_ =
                (JC_59:
                (((add_double_safe nearest_even) (JC_57:
                                                 (((mul_double_safe nearest_even) sx) vx))) 
                 (JC_58: (((mul_double_safe nearest_even) sy) vy)))) in
                (let _jessie_ =
                (JC_56:
                (neg_double ((double_of_real_safe nearest_even) 0x1p-45))) in
                (let _jessie_ =
                ((double_of_real_safe nearest_even) 0x1p-45) in
                (JC_60: (((sign _jessie_) _jessie_) _jessie_)))))) in
       void);
      (let _jessie_ =
      (s2_1 := (let _jessie_ =
               (JC_64:
               (((sub_double_safe nearest_even) (JC_62:
                                                (((mul_double_safe nearest_even) sx) vy))) 
                (JC_63: (((mul_double_safe nearest_even) sy) vx)))) in
               (let _jessie_ =
               (JC_61:
               (neg_double ((double_of_real_safe nearest_even) 0x1p-45))) in
               (let _jessie_ =
               ((double_of_real_safe nearest_even) 0x1p-45) in
               (JC_65: (((sign _jessie_) _jessie_) _jessie_)))))) in
      void);
      (let _jessie_ =
      (__retres_0 := (safe_int32_of_integer_ ((mul_int (integer_of_int32 !s1_1)) 
                                              (integer_of_int32 !s2_1)))) in
      void); (return := !__retres_0); (raise Return) end))); absurd  end with
   Return -> !return end))
  { (JC_37:
    ((integer_of_int32(result) <> (0)) ->
     (integer_of_int32(result) = mul_int(l_sign(add_real(mul_real(double_exact(sx),
                                                         double_exact(vx)),
                                                mul_real(double_exact(sy),
                                                double_exact(vy)))),
                                 l_sign(sub_real(mul_real(double_exact(sx),
                                                 double_exact(vy)),
                                        mul_real(double_exact(sy),
                                        double_exact(vx)))))))) } 

let eps_line_safety =
 fun (sx : double) (sy : double) (vx : double) (vy : double) ->
  { (JC_35:
    ((JC_27: (double_value(sx) = double_exact(sx)))
    and ((JC_28: (double_value(sy) = double_exact(sy)))
        and ((JC_29: (double_value(vx) = double_exact(vx)))
            and ((JC_30: (double_value(vy) = double_exact(vy)))
                and ((JC_31: le_real(abs_real(double_value(sx)), 100.0))
                    and ((JC_32: le_real(abs_real(double_value(sy)), 100.0))
                        and ((JC_33:
                             le_real(abs_real(double_value(vx)), 1.0))
                            and (JC_34:
                                le_real(abs_real(double_value(vy)), 1.0)))))))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let s1_1 = ref (any_int32 void) in
     (let s2_1 = ref (any_int32 void) in
     (let __retres_0 = ref (any_int32 void) in
     begin
       (let _jessie_ =
       (s1_1 := (let _jessie_ =
                (JC_46:
                (((add_double nearest_even) (JC_44:
                                            (((mul_double nearest_even) sx) vx))) 
                 (JC_45: (((mul_double nearest_even) sy) vy)))) in
                (let _jessie_ =
                (JC_43:
                (neg_double (JC_42: ((double_of_real nearest_even) 0x1p-45)))) in
                (let _jessie_ =
                (JC_41: ((double_of_real nearest_even) 0x1p-45)) in
                (JC_47: (((sign_requires _jessie_) _jessie_) _jessie_)))))) in
       void);
      (let _jessie_ =
      (s2_1 := (let _jessie_ =
               (JC_53:
               (((sub_double nearest_even) (JC_51:
                                           (((mul_double nearest_even) sx) vy))) 
                (JC_52: (((mul_double nearest_even) sy) vx)))) in
               (let _jessie_ =
               (JC_50:
               (neg_double (JC_49: ((double_of_real nearest_even) 0x1p-45)))) in
               (let _jessie_ =
               (JC_48: ((double_of_real nearest_even) 0x1p-45)) in
               (JC_54: (((sign_requires _jessie_) _jessie_) _jessie_)))))) in
      void);
      (let _jessie_ =
      (__retres_0 := (JC_55:
                     (int32_of_integer_ ((mul_int (integer_of_int32 !s1_1)) 
                                         (integer_of_int32 !s2_1))))) in
      void); (return := !__retres_0); (raise Return) end))); absurd  end with
   Return -> !return end)) { true } 

let sign_ensures_default =
 fun (x_1 : double) (e1 : double) (e2 : double) ->
  { (JC_7:
    ((JC_5:
     le_real(double_value(e1),
     sub_real(double_value(x_1), double_exact(x_1))))
    and (JC_6:
        le_real(sub_real(double_value(x_1), double_exact(x_1)),
        double_value(e2))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let __retres = ref (any_int32 void) in
     try
      begin
        (if ((gt_double_ x_1) e2)
        then
         begin
           (let _jessie_ = (__retres := (safe_int32_of_integer_ (1))) in
           void); (raise (Return_label_exc void)) end else void);
       (if ((lt_double_ x_1) e1)
       then
        begin
          (let _jessie_ =
          (__retres := (safe_int32_of_integer_ (neg_int (1)))) in void);
         (raise (Return_label_exc void)) end else void);
       (let _jessie_ = (__retres := (safe_int32_of_integer_ (0))) in void);
       (raise (Return_label_exc void)) end with Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres); (raise Return) end) end);
    absurd  end with Return -> !return end))
  { (JC_11:
    ((JC_9:
     ((integer_of_int32(result) <> (0)) ->
      (integer_of_int32(result) = l_sign(double_exact(x_1)))))
    and (JC_10: le_int(abs_int(integer_of_int32(result)), (1))))) } 

let sign_safety =
 fun (x_1 : double) (e1 : double) (e2 : double) ->
  { (JC_7:
    ((JC_5:
     le_real(double_value(e1),
     sub_real(double_value(x_1), double_exact(x_1))))
    and (JC_6:
        le_real(sub_real(double_value(x_1), double_exact(x_1)),
        double_value(e2))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let __retres = ref (any_int32 void) in
     try
      begin
        (if ((gt_double_ x_1) e2)
        then
         begin
           (let _jessie_ = (__retres := (safe_int32_of_integer_ (1))) in
           void); (raise (Return_label_exc void)) end else void);
       (if ((lt_double_ x_1) e1)
       then
        begin
          (let _jessie_ =
          (__retres := (safe_int32_of_integer_ (neg_int (1)))) in void);
         (raise (Return_label_exc void)) end else void);
       (let _jessie_ = (__retres := (safe_int32_of_integer_ (0))) in void);
       (raise (Return_label_exc void)) end with Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres); (raise Return) end) end);
    absurd  end with Return -> !return end)) { true } 


why-2.39/tests/c/oracle/fresh.res.oracle0000644000106100004300000006424513147234006017163 0ustar  marchevals========== file tests/c/fresh.c ==========

/*@ allocates \result;
  @ ensures \fresh(\result,size) && \valid(\result+(0..size-1));
  @*/
char *malloc(unsigned int size);

typedef struct Fresh { int f; } *fresh;

/*@ allocates \result;
  @ ensures \fresh(\result,sizeof(struct Fresh)) && \valid(\result);
  @*/
fresh create() {
  fresh f = (fresh)malloc(sizeof(struct Fresh));
  return f;
}

/*@ requires \valid(f1);
  @*/
void test (fresh f1) {
  fresh f2 = create ();
  //@ assert f1 != f2;
  //@ assert \valid(f2);
  // assert \false;
}


/*
Local Variables:
compile-command: "make fresh.why3ml"
End:
*/


========== frama-c -jessie execution ==========
[kernel] Parsing FRAMAC_SHARE/libc/__fc_builtin_for_normalization.i (no preprocessing)
[kernel] Parsing tests/c/fresh.c (with preprocessing)
[jessie] Starting Jessie translation
tests/c/fresh.c:19:[kernel] warning: No code nor implicit assigns clause for function malloc, generating default assigns from the prototype
[jessie] Producing Jessie files in subdir tests/c/fresh.jessie
[jessie] File tests/c/fresh.jessie/fresh.jc written.
[jessie] File tests/c/fresh.jessie/fresh.cloc written.
========== file tests/c/fresh.jessie/fresh.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type int8 = -128..127

type int32 = -2147483648..2147483647

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

tag Fresh = {
  int32 f: 32;
}

type Fresh = [Fresh]

Fresh[..] create()
behavior default:
  allocates \result;
  ensures (_C_3 : ((_C_4 : \fresh(\result)) &&
                    ((_C_6 : (\offset_min(\result) <= 0)) &&
                      (_C_7 : (\offset_max(\result) >= 0)))));
{  
   (var Fresh[..] f_0);
   
   {  (_C_2 : (f_0 = (_C_1 : (new Fresh[1]))));
      
      (return f_0)
   }
}

unit test(Fresh[..] f1)
  requires (_C_13 : ((_C_14 : (\offset_min(f1) <= 0)) &&
                      (_C_15 : (\offset_max(f1) >= 0))));
behavior default:
  ensures (_C_12 : true);
{  
   (var Fresh[..] f2);
   
   {  (_C_9 : (f2 = (_C_8 : create())));
      
      {  
         (assert for default: (_C_10 : (jessie : (f1 != f2))));
         ()
      };
      
      {  
         (assert for default: (_C_11 : (jessie : ((\offset_min(f2) <= 0) &&
                                                   (\offset_max(f2) >= 0)))));
         ()
      };
      
      (return ())
   }
}
========== file tests/c/fresh.jessie/fresh.cloc ==========
[test]
name = "Function test"
file = "HOME/tests/c/fresh.c"
line = 19
begin = 5
end = 9

[_C_4]
file = "HOME/tests/c/fresh.c"
line = 10
begin = 12
end = 48

[_C_13]
file = "HOME/tests/c/fresh.c"
line = 17
begin = 16
end = 26

[_C_5]
file = "HOME/tests/c/fresh.c"
line = 10
begin = 52
end = 67

[_C_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_9]
file = "HOME/tests/c/fresh.c"
line = 20
begin = 13
end = 22

[_C_6]
file = "HOME/tests/c/fresh.c"
line = 10
begin = 52
end = 67

[_C_3]
file = "HOME/tests/c/fresh.c"
line = 10
begin = 12
end = 67

[_C_7]
file = "HOME/tests/c/fresh.c"
line = 10
begin = 52
end = 67

[_C_15]
file = "HOME/tests/c/fresh.c"
line = 17
begin = 16
end = 26

[_C_10]
file = "HOME/tests/c/fresh.c"
line = 21
begin = 18
end = 26

[_C_8]
file = "HOME/tests/c/fresh.c"
line = 20
begin = 13
end = 22

[_C_14]
file = "HOME/tests/c/fresh.c"
line = 17
begin = 16
end = 26

[create]
name = "Function create"
file = "HOME/tests/c/fresh.c"
line = 12
begin = 6
end = 12

[_C_2]
file = "HOME/tests/c/fresh.c"
line = 13
begin = 19
end = 47

[_C_1]
file = "HOME/tests/c/fresh.c"
line = 13
begin = 19
end = 47

[_C_11]
file = "HOME/tests/c/fresh.c"
line = 22
begin = 18
end = 28

========== jessie execution ==========
Generating Why function create
Generating Why function test
========== file tests/c/fresh.jessie/fresh.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/fresh_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: fresh.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: fresh.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: fresh.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/c/fresh.jessie/fresh.loc ==========
[JC_31]
file = "HOME/tests/c/fresh.c"
line = 22
begin = 18
end = 28

[JC_17]
file = "HOME/tests/c/fresh.c"
line = 17
begin = 16
end = 26

[create_safety]
name = "Function create"
behavior = "Safety"
file = "HOME/tests/c/fresh.c"
line = 12
begin = 6
end = 12

[JC_23]
file = "HOME/tests/c/fresh.c"
line = 17
begin = 16
end = 26

[JC_22]
file = "HOME/tests/c/fresh.c"
line = 17
begin = 16
end = 26

[JC_5]
file = "HOME/tests/c/fresh.c"
line = 10
begin = 12
end = 48

[JC_9]
file = "HOME/tests/c/fresh.c"
line = 10
begin = 12
end = 48

[JC_24]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_25]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/tests/c/fresh.c"
line = 10
begin = 12
end = 67

[JC_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/c/fresh.c"
line = 10
begin = 52
end = 67

[JC_15]
kind = AllocSize
file = "HOME/tests/c/fresh.c"
line = 13
begin = 19
end = 47

[JC_27]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_12]
file = "HOME/tests/c/fresh.c"
line = 10
begin = 12
end = 67

[JC_6]
file = "HOME/tests/c/fresh.c"
line = 10
begin = 52
end = 67

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_32]
kind = UserCall
file = "HOME/tests/c/fresh.c"
line = 20
begin = 13
end = 22

[JC_33]
file = "HOME/tests/c/fresh.c"
line = 21
begin = 18
end = 26

[JC_29]
kind = UserCall
file = "HOME/tests/c/fresh.c"
line = 20
begin = 13
end = 22

[JC_7]
file = "HOME/tests/c/fresh.c"
line = 10
begin = 52
end = 67

[JC_16]
kind = AllocSize
file = "HOME/tests/c/fresh.c"
line = 13
begin = 19
end = 47

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[test_ensures_default]
name = "Function test"
behavior = "default behavior"
file = "HOME/tests/c/fresh.c"
line = 19
begin = 5
end = 9

[JC_34]
file = "HOME/tests/c/fresh.c"
line = 22
begin = 18
end = 28

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_21]
file = "HOME/tests/c/fresh.c"
line = 17
begin = 16
end = 26

[JC_1]
file = "HOME/tests/c/fresh.c"
line = 12
begin = 6
end = 12

[JC_10]
file = "HOME/tests/c/fresh.c"
line = 10
begin = 52
end = 67

[test_safety]
name = "Function test"
behavior = "Safety"
file = "HOME/tests/c/fresh.c"
line = 19
begin = 5
end = 9

[create_ensures_default]
name = "Function create"
behavior = "default behavior"
file = "HOME/tests/c/fresh.c"
line = 12
begin = 6
end = 12

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/tests/c/fresh.c"
line = 17
begin = 16
end = 26

[JC_3]
file = "HOME/tests/c/fresh.c"
line = 12
begin = 6
end = 12

[JC_19]
file = "HOME/tests/c/fresh.c"
line = 17
begin = 16
end = 26

[JC_30]
file = "HOME/tests/c/fresh.c"
line = 21
begin = 18
end = 26

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/c/fresh.jessie/why/fresh.why ==========
type Fresh

type charP

type int32

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic Fresh_tag:  -> Fresh tag_id

axiom Fresh_int : (int_of_tag(Fresh_tag) = (1))

logic Fresh_of_pointer_address: unit pointer -> Fresh pointer

axiom Fresh_of_pointer_address_of_pointer_addr :
 (forall p:Fresh pointer. (p = Fresh_of_pointer_address(pointer_address(p))))

axiom Fresh_parenttag_bottom : parenttag(Fresh_tag, bottom_tag)

axiom Fresh_tags :
 (forall x:Fresh pointer.
  (forall Fresh_tag_table:Fresh tag_table.
   instanceof(Fresh_tag_table, x, Fresh_tag)))

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

predicate left_valid_struct_Fresh(p:Fresh pointer, a:int,
 Fresh_alloc_table:Fresh alloc_table) =
 (offset_min(Fresh_alloc_table, p) <= a)

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_Fresh_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Fresh_of_pointer_address(p))))

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_Fresh(p:Fresh pointer, b:int,
 Fresh_alloc_table:Fresh alloc_table) =
 (offset_max(Fresh_alloc_table, p) >= b)

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_Fresh(p:Fresh pointer, a:int, b:int,
 Fresh_alloc_table:Fresh alloc_table) =
 ((offset_min(Fresh_alloc_table, p) = a)
 and (offset_max(Fresh_alloc_table, p) = b))

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_Fresh(p:Fresh pointer, a:int, b:int,
 Fresh_alloc_table:Fresh alloc_table) =
 ((offset_min(Fresh_alloc_table, p) = a)
 and (offset_max(Fresh_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_Fresh(p:Fresh pointer, a:int, b:int,
 Fresh_alloc_table:Fresh alloc_table) =
 ((offset_min(Fresh_alloc_table, p) <= a)
 and (offset_max(Fresh_alloc_table, p) >= b))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_Fresh(p:Fresh pointer, a:int, b:int,
 Fresh_alloc_table:Fresh alloc_table) =
 ((offset_min(Fresh_alloc_table, p) <= a)
 and (offset_max(Fresh_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

parameter Fresh_alloc_table : Fresh alloc_table ref

parameter Fresh_tag_table : Fresh tag_table ref

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter alloc_struct_Fresh :
 n:int ->
  Fresh_alloc_table:Fresh alloc_table ref ->
   Fresh_tag_table:Fresh tag_table ref ->
    { } Fresh pointer writes Fresh_alloc_table,Fresh_tag_table
    { (strict_valid_struct_Fresh(result, (0), sub_int(n, (1)),
       Fresh_alloc_table)
      and (alloc_extends(Fresh_alloc_table@, Fresh_alloc_table)
          and (alloc_fresh(Fresh_alloc_table@, result, n)
              and instanceof(Fresh_tag_table, result, Fresh_tag)))) }

parameter alloc_struct_Fresh_requires :
 n:int ->
  Fresh_alloc_table:Fresh alloc_table ref ->
   Fresh_tag_table:Fresh tag_table ref ->
    { ge_int(n, (0))} Fresh pointer writes Fresh_alloc_table,Fresh_tag_table
    { (strict_valid_struct_Fresh(result, (0), sub_int(n, (1)),
       Fresh_alloc_table)
      and (alloc_extends(Fresh_alloc_table@, Fresh_alloc_table)
          and (alloc_fresh(Fresh_alloc_table@, result, n)
              and instanceof(Fresh_tag_table, result, Fresh_tag)))) }

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int32 : unit -> { } int32 { true }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter create :
 Fresh_result_1_alloc_table:Fresh alloc_table ref ->
  Fresh_result_1_tag_table:Fresh tag_table ref ->
   { } Fresh pointer reads Fresh_result_1_alloc_table
   writes Fresh_result_1_alloc_table,Fresh_result_1_tag_table
   { (JC_12:
     ((JC_9: (not valid(Fresh_result_1_alloc_table@, result)))
     and ((JC_10:
          le_int(offset_min(Fresh_result_1_alloc_table, result), (0)))
         and (JC_11:
             ge_int(offset_max(Fresh_result_1_alloc_table, result), (0)))))) }

parameter create_requires :
 Fresh_result_1_alloc_table:Fresh alloc_table ref ->
  Fresh_result_1_tag_table:Fresh tag_table ref ->
   { } Fresh pointer reads Fresh_result_1_alloc_table
   writes Fresh_result_1_alloc_table,Fresh_result_1_tag_table
   { (JC_12:
     ((JC_9: (not valid(Fresh_result_1_alloc_table@, result)))
     and ((JC_10:
          le_int(offset_min(Fresh_result_1_alloc_table, result), (0)))
         and (JC_11:
             ge_int(offset_max(Fresh_result_1_alloc_table, result), (0)))))) }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter test :
 f1:Fresh pointer ->
  Fresh_f1_3_alloc_table:Fresh alloc_table ref ->
   Fresh_f1_3_tag_table:Fresh tag_table ref ->
    { } unit reads Fresh_f1_3_alloc_table
    writes Fresh_f1_3_alloc_table,Fresh_f1_3_tag_table { true }

parameter test_requires :
 f1:Fresh pointer ->
  Fresh_f1_3_alloc_table:Fresh alloc_table ref ->
   Fresh_f1_3_tag_table:Fresh tag_table ref ->
    { (JC_19:
      ((JC_17: le_int(offset_min(Fresh_f1_3_alloc_table, f1), (0)))
      and (JC_18: ge_int(offset_max(Fresh_f1_3_alloc_table, f1), (0)))))}
    unit reads Fresh_f1_3_alloc_table
    writes Fresh_f1_3_alloc_table,Fresh_f1_3_tag_table { true }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let create_ensures_default =
 fun (Fresh_result_1_alloc_table : Fresh alloc_table ref) (Fresh_result_1_tag_table : Fresh tag_table ref) ->
  { (JC_4: true) }
  (init:
  (let return = ref (any_pointer void) in
  try
   begin
     (let f_0 = ref (any_pointer void) in
     begin
       (let _jessie_ =
       (f_0 := (JC_16:
               (((alloc_struct_Fresh (1)) Fresh_result_1_alloc_table) Fresh_result_1_tag_table))) in
       void); (return := !f_0); (raise Return) end); absurd  end with
   Return -> !return end))
  { (JC_8:
    ((JC_5: (not valid(Fresh_result_1_alloc_table@, result)))
    and ((JC_6: le_int(offset_min(Fresh_result_1_alloc_table, result), (0)))
        and (JC_7:
            ge_int(offset_max(Fresh_result_1_alloc_table, result), (0)))))) } 

let create_safety =
 fun (Fresh_result_1_alloc_table : Fresh alloc_table ref) (Fresh_result_1_tag_table : Fresh tag_table ref) ->
  { (JC_4: true) }
  (init:
  (let return = ref (any_pointer void) in
  try
   begin
     (let f_0 = ref (any_pointer void) in
     begin
       (let _jessie_ =
       (f_0 := (JC_15:
               (((alloc_struct_Fresh_requires (1)) Fresh_result_1_alloc_table) Fresh_result_1_tag_table))) in
       void); (return := !f_0); (raise Return) end); absurd  end with
   Return -> !return end)) { true } 

let test_ensures_default =
 fun (f1 : Fresh pointer) (Fresh_f1_3_alloc_table : Fresh alloc_table ref) (Fresh_f1_3_tag_table : Fresh tag_table ref) ->
  { (JC_23:
    ((JC_21: le_int(offset_min(Fresh_f1_3_alloc_table, f1), (0)))
    and (JC_22: ge_int(offset_max(Fresh_f1_3_alloc_table, f1), (0))))) }
  (init:
  try
   begin
     (let f2 = ref (any_pointer void) in
     begin
       (let _jessie_ =
       (f2 := (JC_32: ((create Fresh_f1_3_alloc_table) Fresh_f1_3_tag_table))) in
       void); (assert { (JC_33: (f1 <> f2)) }; void); void;
      (assert
      { (JC_34:
        (le_int(offset_min(Fresh_f1_3_alloc_table, f2), (0))
        and ge_int(offset_max(Fresh_f1_3_alloc_table, f2), (0)))) }; void);
      void; (raise Return) end); (raise Return) end with Return -> void end)
  { (JC_25: true) } 

let test_safety =
 fun (f1 : Fresh pointer) (Fresh_f1_3_alloc_table : Fresh alloc_table ref) (Fresh_f1_3_tag_table : Fresh tag_table ref) ->
  { (JC_23:
    ((JC_21: le_int(offset_min(Fresh_f1_3_alloc_table, f1), (0)))
    and (JC_22: ge_int(offset_max(Fresh_f1_3_alloc_table, f1), (0))))) }
  (init:
  try
   begin
     (let f2 = ref (any_pointer void) in
     begin
       (let _jessie_ =
       (f2 := (JC_29:
              ((create_requires Fresh_f1_3_alloc_table) Fresh_f1_3_tag_table))) in
       void); [ { } unit reads f2 { (JC_30: (f1 <> f2)) } ]; void;
      [ { } unit reads Fresh_f1_3_alloc_table,f2
        { (JC_31:
          (le_int(offset_min(Fresh_f1_3_alloc_table, f2), (0))
          and ge_int(offset_max(Fresh_f1_3_alloc_table, f2), (0)))) } ];
      void; (raise Return) end); (raise Return) end with Return -> void end)
  { true } 


why-2.39/tests/c/oracle/heap_sort.res.oracle0000644000106100004300000015054613147234006020040 0ustar  marchevals========== file tests/c/heap_sort.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

#include "binary_heap.h"


/*@ requires len >= 0;
  @ requires \valid(arr+(0..len-1));
  @ // assigns arr[..];
  @ ensures \forall integer i,j; 0 <= i <= j < len ==> arr[i] <= arr[j];
  @*/
void heap_sort(int *arr, uint len) {
  uint i;
  heap h = create(len);
  /*@ loop invariant 0 <= i <= len;
    @ loop variant len - i;
    @*/
  for (i = 0; i < len; ++i) insert(h,arr[i]);
  /*@ loop invariant 0 <= i <= len;
    @ loop variant len - i;
    @*/
  for (i = 0; i < len; ++i) arr[i] = extract_min(h);
}



void main() {
  int arr[] = {42, 13, 42};
  heap_sort(arr,3);
  //@ assert arr[0] <= arr[1] && arr[1] <= arr[2];
  //@ assert arr[0] == 13 && arr[1] == 42 && arr[2] == 42;
}
========== frama-c -jessie execution ==========
[kernel] Parsing FRAMAC_SHARE/libc/__fc_builtin_for_normalization.i (no preprocessing)
[kernel] Parsing tests/c/heap_sort.c (with preprocessing)
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/heap_sort.jessie
[jessie] File tests/c/heap_sort.jessie/heap_sort.jc written.
[jessie] File tests/c/heap_sort.jessie/heap_sort.cloc written.
========== file tests/c/heap_sort.jessie/heap_sort.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type uint32 = 0..4294967295

type int8 = -128..127

type int32 = -2147483648..2147483647

tag intP = {
  int32 intM: 32;
}

type intP = [intP]

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

tag Heap = {
  int32 x: 32;
}

type Heap = [Heap]

Heap[..] create(uint32 sz)
behavior default:
  assigns \nothing;
  ensures (_C_1 : true);
;

unit insert(Heap[..] u_0, int32 e)
behavior default:
  assigns u_0.x;
  ensures (_C_2 : true);
;

int32 extract_min(Heap[..] u)
behavior default:
  assigns \nothing;
  ensures (_C_3 : true);
;

unit heap_sort(intP[..] arr, uint32 len)
  requires (_C_33 : (len >= 0));
  requires (_C_30 : ((_C_31 : (\offset_min(arr) <= 0)) &&
                      (_C_32 : (\offset_max(arr) >= (len - 1)))));
behavior default:
  ensures (_C_29 : (\forall integer i_1;
                     (\forall integer j_0;
                       ((((0 <= i_1) && (i_1 <= j_0)) &&
                          (j_0 < \at(len,Old))) ==>
                         ((\at(arr,Old) + i_1).intM <=
                           (\at(arr,Old) + j_0).intM)))));
{  
   (var uint32 i);
   
   (var Heap[..] h);
   
   {  (_C_5 : (h = (_C_4 : create(len))));
      (_C_6 : (i = 0));
      
      loop 
      behavior default:
        invariant (_C_8 : ((_C_9 : (0 <= i)) && (_C_10 : (i <= len))));
      variant (_C_7 : (len - i));
      while (true)
      {  
         {  (if (i < len) then () else 
            (goto while_0_break));
            (_C_13 : insert(h, (_C_12 : (_C_11 : (arr + i)).intM)));
            (_C_16 : (i = (_C_15 : ((_C_14 : (i + 1)) :> uint32))))
         }
      };
      (while_0_break : ());
      (_C_17 : (i = 0));
      
      loop 
      behavior default:
        invariant (_C_19 : ((_C_20 : (0 <= i)) && (_C_21 : (i <= len))));
      variant (_C_18 : (len - i));
      while (true)
      {  
         {  (if (i < len) then () else 
            (goto while_1_break));
            (_C_25 : ((_C_24 : (_C_23 : (arr + i)).intM) = (_C_22 : extract_min(
                                                           h))));
            (_C_28 : (i = (_C_27 : ((_C_26 : (i + 1)) :> uint32))))
         }
      };
      (while_1_break : ());
      
      (return ())
   }
}

unit main()
behavior default:
  ensures (_C_46 : true);
{  
   (var intP[0..2] arr_0);
   
   {  (_C_35 : (arr_0 = (_C_34 : (new intP[3]))));
      (_C_37 : ((_C_36 : (arr_0 + 0).intM) = 42));
      (_C_39 : ((_C_38 : (arr_0 + 1).intM) = 13));
      (_C_41 : ((_C_40 : (arr_0 + 2).intM) = 42));
      (_C_42 : heap_sort(arr_0, 3));
      
      {  
         (assert for default: (_C_43 : (jessie : (((arr_0 + 0).intM <=
                                                    (arr_0 + 1).intM) &&
                                                   ((arr_0 + 1).intM <=
                                                     (arr_0 + 2).intM)))));
         ()
      };
      
      {  
         (assert for default: (_C_44 : (jessie : ((((arr_0 + 0).intM == 13) &&
                                                    ((arr_0 + 1).intM == 42)) &&
                                                   ((arr_0 + 2).intM == 42)))));
         ()
      };
      
      {  (_C_45 : (free(arr_0)));
         
         (return ())
      }
   }
}
========== file tests/c/heap_sort.jessie/heap_sort.cloc ==========
[_C_35]
file = "HOME/tests/c/heap_sort.c"
line = 56
begin = 6
end = 9

[_C_28]
file = "HOME/tests/c/heap_sort.c"
line = 50
begin = 23
end = 26

[main]
name = "Function main"
file = "HOME/tests/c/heap_sort.c"
line = 55
begin = 5
end = 9

[_C_31]
file = "HOME/tests/c/heap_sort.c"
line = 36
begin = 13
end = 35

[_C_41]
file = "HOME/tests/c/heap_sort.c"
line = 56
begin = 2
end = 5

[_C_4]
file = "HOME/tests/c/heap_sort.c"
line = 42
begin = 11
end = 22

[_C_32]
file = "HOME/tests/c/heap_sort.c"
line = 36
begin = 13
end = 35

[_C_23]
file = "HOME/tests/c/heap_sort.c"
line = 50
begin = 28
end = 31

[_C_19]
file = "HOME/tests/c/heap_sort.c"
line = 47
begin = 26
end = 39

[_C_42]
file = "HOME/tests/c/heap_sort.c"
line = 57
begin = 2
end = 18

[_C_13]
file = "HOME/tests/c/heap_sort.c"
line = 46
begin = 28
end = 44

[_C_5]
file = "HOME/tests/c/heap_sort.c"
line = 42
begin = 11
end = 22

[_C_36]
file = "HOME/tests/c/heap_sort.c"
line = 56
begin = 2
end = 5

[_C_12]
file = "HOME/tests/c/heap_sort.c"
line = 46
begin = 37
end = 43

[_C_33]
file = "HOME/tests/c/heap_sort.c"
line = 35
begin = 16
end = 24

[_C_22]
file = "HOME/tests/c/heap_sort.c"
line = 50
begin = 37
end = 51

[_C_9]
file = "HOME/tests/c/heap_sort.c"
line = 43
begin = 26
end = 32

[_C_30]
file = "HOME/tests/c/heap_sort.c"
line = 36
begin = 13
end = 35

[_C_6]
file = "HOME/tests/c/heap_sort.c"
line = 46
begin = 11
end = 12

[_C_24]
file = "HOME/tests/c/heap_sort.c"
line = 50
begin = 37
end = 51

[_C_45]
file = "HOME/tests/c/heap_sort.c"
line = 56
begin = 6
end = 9

[_C_20]
file = "HOME/tests/c/heap_sort.c"
line = 47
begin = 26
end = 32

[_C_38]
file = "HOME/tests/c/heap_sort.c"
line = 56
begin = 2
end = 5

[_C_3]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_17]
file = "HOME/tests/c/heap_sort.c"
line = 50
begin = 11
end = 12

[_C_7]
file = "HOME/tests/c/heap_sort.c"
line = 44
begin = 19
end = 26

[_C_27]
file = "HOME/tests/c/heap_sort.c"
line = 50
begin = 23
end = 26

[_C_46]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_44]
file = "HOME/tests/c/heap_sort.c"
line = 59
begin = 18
end = 62

[_C_15]
file = "HOME/tests/c/heap_sort.c"
line = 46
begin = 23
end = 26

[_C_26]
file = "HOME/tests/c/heap_sort.c"
line = 50
begin = 23
end = 26

[_C_10]
file = "HOME/tests/c/heap_sort.c"
line = 43
begin = 31
end = 39

[_C_40]
file = "HOME/tests/c/heap_sort.c"
line = 56
begin = 2
end = 5

[_C_8]
file = "HOME/tests/c/heap_sort.c"
line = 43
begin = 26
end = 39

[_C_18]
file = "HOME/tests/c/heap_sort.c"
line = 48
begin = 19
end = 26

[_C_29]
file = "HOME/tests/c/heap_sort.c"
line = 38
begin = 12
end = 71

[_C_14]
file = "HOME/tests/c/heap_sort.c"
line = 46
begin = 23
end = 26

[_C_37]
file = "HOME/tests/c/heap_sort.c"
line = 56
begin = 2
end = 5

[_C_43]
file = "HOME/tests/c/heap_sort.c"
line = 58
begin = 18
end = 54

[_C_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_34]
file = "HOME/tests/c/heap_sort.c"
line = 56
begin = 6
end = 9

[_C_16]
file = "HOME/tests/c/heap_sort.c"
line = 46
begin = 23
end = 26

[_C_1]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_25]
file = "HOME/tests/c/heap_sort.c"
line = 50
begin = 37
end = 51

[_C_39]
file = "HOME/tests/c/heap_sort.c"
line = 56
begin = 2
end = 5

[_C_11]
file = "HOME/tests/c/heap_sort.c"
line = 46
begin = 37
end = 40

[heap_sort]
name = "Function heap_sort"
file = "HOME/tests/c/heap_sort.c"
line = 40
begin = 5
end = 14

[_C_21]
file = "HOME/tests/c/heap_sort.c"
line = 47
begin = 31
end = 39

========== jessie execution ==========
Generating Why function heap_sort
Generating Why function main
========== file tests/c/heap_sort.jessie/heap_sort.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/heap_sort_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: heap_sort.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: heap_sort.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: heap_sort.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/c/heap_sort.jessie/heap_sort.loc ==========
[main_safety]
name = "Function main"
behavior = "Safety"
file = "HOME/tests/c/heap_sort.c"
line = 55
begin = 5
end = 9

[JC_94]
kind = AllocSize
file = "HOME/tests/c/heap_sort.c"
line = 56
begin = 6
end = 9

[JC_73]
kind = UserCall
file = "HOME/tests/c/heap_sort.jessie/heap_sort.jc"
line = 95
begin = 21
end = 66

[JC_63]
kind = PointerDeref
file = "HOME/tests/c/heap_sort.jessie/heap_sort.jc"
line = 110
begin = 22
end = 143

[JC_80]
kind = UserCall
file = "HOME/tests/c/heap_sort.c"
line = 50
begin = 37
end = 51

[JC_51]
file = "HOME/tests/c/heap_sort.jessie/heap_sort.jc"
line = 87
begin = 6
end = 401

[JC_71]
file = "HOME/tests/c/heap_sort.jessie/heap_sort.jc"
line = 87
begin = 6
end = 401

[JC_45]
kind = UserCall
file = "HOME/tests/c/heap_sort.c"
line = 42
begin = 11
end = 22

[JC_64]
kind = ArithOverflow
file = "HOME/tests/c/heap_sort.c"
line = 50
begin = 23
end = 26

[JC_85]
file = "HOME/"
line = 0
begin = -1
end = -1

[heap_sort_ensures_default]
name = "Function heap_sort"
behavior = "default behavior"
file = "HOME/tests/c/heap_sort.c"
line = 40
begin = 5
end = 14

[JC_31]
file = "HOME/tests/c/heap_sort.c"
line = 35
begin = 16
end = 24

[JC_17]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_81]
file = "HOME/tests/c/heap_sort.c"
line = 55
begin = 5
end = 9

[JC_55]
file = "HOME/tests/c/heap_sort.c"
line = 44
begin = 19
end = 26

[JC_48]
file = "HOME/tests/c/heap_sort.c"
line = 43
begin = 26
end = 39

[JC_23]
file = "HOME/tests/c/heap_sort.jessie/heap_sort.jc"
line = 62
begin = 6
end = 17

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_67]
file = "HOME/tests/c/heap_sort.c"
line = 43
begin = 26
end = 32

[JC_9]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_75]
file = "HOME/tests/c/heap_sort.c"
line = 47
begin = 31
end = 39

[JC_24]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_25]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_78]
file = "HOME/tests/c/heap_sort.jessie/heap_sort.jc"
line = 102
begin = 6
end = 482

[JC_41]
file = "HOME/tests/c/heap_sort.c"
line = 38
begin = 12
end = 71

[JC_74]
file = "HOME/tests/c/heap_sort.c"
line = 47
begin = 26
end = 32

[JC_47]
file = "HOME/tests/c/heap_sort.c"
line = 43
begin = 31
end = 39

[JC_52]
kind = PointerDeref
file = "HOME/tests/c/heap_sort.c"
line = 46
begin = 37
end = 43

[JC_26]
file = "HOME/tests/c/heap_sort.jessie/heap_sort.jc"
line = 64
begin = 10
end = 18

[JC_8]
file = "HOME/tests/c/heap_sort.jessie/heap_sort.jc"
line = 52
begin = 10
end = 18

[JC_54]
kind = ArithOverflow
file = "HOME/tests/c/heap_sort.c"
line = 46
begin = 23
end = 26

[JC_79]
file = "HOME/tests/c/heap_sort.jessie/heap_sort.jc"
line = 102
begin = 6
end = 482

[JC_13]
file = "HOME/tests/c/heap_sort.jessie/heap_sort.jc"
line = 56
begin = 5
end = 11

[JC_82]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_87]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/c/heap_sort.jessie/heap_sort.jc"
line = 56
begin = 5
end = 11

[JC_70]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_36]
file = "HOME/tests/c/heap_sort.c"
line = 35
begin = 16
end = 24

[JC_91]
kind = UserCall
file = "HOME/tests/c/heap_sort.jessie/heap_sort.jc"
line = 131
begin = 15
end = 34

[JC_39]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_83]
file = "HOME/tests/c/heap_sort.c"
line = 55
begin = 5
end = 9

[JC_35]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_69]
file = "HOME/tests/c/heap_sort.c"
line = 43
begin = 26
end = 39

[JC_38]
file = "HOME/tests/c/heap_sort.c"
line = 36
begin = 13
end = 35

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/tests/c/heap_sort.jessie/heap_sort.jc"
line = 52
begin = 10
end = 18

[JC_44]
file = "HOME/"
line = 0
begin = -1
end = -1

[heap_sort_safety]
name = "Function heap_sort"
behavior = "Safety"
file = "HOME/tests/c/heap_sort.c"
line = 40
begin = 5
end = 14

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
kind = UserCall
file = "HOME/tests/c/heap_sort.c"
line = 50
begin = 37
end = 51

[JC_88]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_42]
file = "HOME/tests/c/heap_sort.c"
line = 38
begin = 12
end = 71

[main_ensures_default]
name = "Function main"
behavior = "default behavior"
file = "HOME/tests/c/heap_sort.c"
line = 55
begin = 5
end = 9

[JC_46]
file = "HOME/tests/c/heap_sort.c"
line = 43
begin = 26
end = 32

[JC_61]
file = "HOME/tests/c/heap_sort.jessie/heap_sort.jc"
line = 102
begin = 6
end = 482

[JC_32]
file = "HOME/tests/c/heap_sort.c"
line = 36
begin = 13
end = 35

[JC_56]
file = "HOME/tests/c/heap_sort.c"
line = 47
begin = 26
end = 32

[JC_33]
file = "HOME/tests/c/heap_sort.c"
line = 36
begin = 13
end = 35

[JC_65]
file = "HOME/tests/c/heap_sort.c"
line = 48
begin = 19
end = 26

[JC_29]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_68]
file = "HOME/tests/c/heap_sort.c"
line = 43
begin = 31
end = 39

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/tests/c/heap_sort.jessie/heap_sort.jc"
line = 56
begin = 5
end = 11

[JC_96]
file = "HOME/tests/c/heap_sort.c"
line = 58
begin = 18
end = 54

[JC_43]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_95]
kind = UserCall
file = "HOME/tests/c/heap_sort.jessie/heap_sort.jc"
line = 131
begin = 15
end = 34

[JC_93]
file = "HOME/tests/c/heap_sort.c"
line = 59
begin = 18
end = 62

[JC_97]
file = "HOME/tests/c/heap_sort.c"
line = 59
begin = 18
end = 62

[JC_84]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_90]
kind = IndexBounds
file = "HOME/tests/c/heap_sort.jessie/heap_sort.jc"
line = 127
begin = 16
end = 47

[JC_53]
kind = UserCall
file = "HOME/tests/c/heap_sort.jessie/heap_sort.jc"
line = 95
begin = 21
end = 66

[JC_21]
file = "HOME/tests/c/heap_sort.jessie/heap_sort.jc"
line = 62
begin = 6
end = 17

[JC_77]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_49]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1]
file = "HOME/tests/c/heap_sort.jessie/heap_sort.jc"
line = 50
begin = 9
end = 15

[JC_37]
file = "HOME/tests/c/heap_sort.c"
line = 36
begin = 13
end = 35

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_57]
file = "HOME/tests/c/heap_sort.c"
line = 47
begin = 31
end = 39

[JC_89]
kind = AllocSize
file = "HOME/tests/c/heap_sort.c"
line = 56
begin = 6
end = 9

[JC_66]
kind = UserCall
file = "HOME/tests/c/heap_sort.c"
line = 42
begin = 11
end = 22

[JC_59]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/tests/c/heap_sort.jessie/heap_sort.jc"
line = 56
begin = 5
end = 11

[JC_3]
file = "HOME/tests/c/heap_sort.jessie/heap_sort.jc"
line = 50
begin = 9
end = 15

[JC_92]
file = "HOME/tests/c/heap_sort.c"
line = 58
begin = 18
end = 54

[JC_86]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_60]
file = "HOME/tests/c/heap_sort.jessie/heap_sort.jc"
line = 102
begin = 6
end = 482

[JC_72]
file = "HOME/tests/c/heap_sort.jessie/heap_sort.jc"
line = 87
begin = 6
end = 401

[JC_19]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_76]
file = "HOME/tests/c/heap_sort.c"
line = 47
begin = 26
end = 39

[JC_50]
file = "HOME/tests/c/heap_sort.jessie/heap_sort.jc"
line = 87
begin = 6
end = 401

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_58]
file = "HOME/tests/c/heap_sort.c"
line = 47
begin = 26
end = 39

[JC_28]
file = "HOME/tests/c/heap_sort.jessie/heap_sort.jc"
line = 64
begin = 10
end = 18

========== file tests/c/heap_sort.jessie/why/heap_sort.why ==========
type Heap

type charP

type int32

type int8

type intP

type padding

type uint32

type uint8

type unsigned_charP

type voidP

logic Heap_tag:  -> Heap tag_id

axiom Heap_int : (int_of_tag(Heap_tag) = (1))

logic Heap_of_pointer_address: unit pointer -> Heap pointer

axiom Heap_of_pointer_address_of_pointer_addr :
 (forall p:Heap pointer. (p = Heap_of_pointer_address(pointer_address(p))))

axiom Heap_parenttag_bottom : parenttag(Heap_tag, bottom_tag)

axiom Heap_tags :
 (forall x:Heap pointer.
  (forall Heap_tag_table:Heap tag_table.
   instanceof(Heap_tag_table, x, Heap_tag)))

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint32: uint32 -> int

predicate eq_uint32(x:uint32, y:uint32) =
 eq_int(integer_of_uint32(x), integer_of_uint32(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

logic intP_tag:  -> intP tag_id

axiom intP_int : (int_of_tag(intP_tag) = (1))

logic intP_of_pointer_address: unit pointer -> intP pointer

axiom intP_of_pointer_address_of_pointer_addr :
 (forall p:intP pointer. (p = intP_of_pointer_address(pointer_address(p))))

axiom intP_parenttag_bottom : parenttag(intP_tag, bottom_tag)

axiom intP_tags :
 (forall x:intP pointer.
  (forall intP_tag_table:intP tag_table.
   instanceof(intP_tag_table, x, intP_tag)))

predicate left_valid_struct_Heap(p:Heap pointer, a:int,
 Heap_alloc_table:Heap alloc_table) = (offset_min(Heap_alloc_table, p) <= a)

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_intP(p:intP pointer, a:int,
 intP_alloc_table:intP alloc_table) = (offset_min(intP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_Heap_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Heap_of_pointer_address(p))))

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

axiom pointer_addr_of_intP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(intP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_Heap(p:Heap pointer, b:int,
 Heap_alloc_table:Heap alloc_table) = (offset_max(Heap_alloc_table, p) >= b)

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_intP(p:intP pointer, b:int,
 intP_alloc_table:intP alloc_table) = (offset_max(intP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_Heap(p:Heap pointer, a:int, b:int,
 Heap_alloc_table:Heap alloc_table) =
 ((offset_min(Heap_alloc_table, p) = a)
 and (offset_max(Heap_alloc_table, p) = b))

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) = a)
 and (offset_max(intP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_Heap(p:Heap pointer, a:int, b:int,
 Heap_alloc_table:Heap alloc_table) =
 ((offset_min(Heap_alloc_table, p) = a)
 and (offset_max(Heap_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) = a)
 and (offset_max(intP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint32_of_integer: int -> uint32

axiom uint32_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (4294967295))) ->
   eq_int(integer_of_uint32(uint32_of_integer(x)), x)))

axiom uint32_extensionality :
 (forall x:uint32.
  (forall y:uint32[eq_int(integer_of_uint32(x), integer_of_uint32(y))].
   (eq_int(integer_of_uint32(x), integer_of_uint32(y)) -> (x = y))))

axiom uint32_range :
 (forall x:uint32.
  (le_int((0), integer_of_uint32(x))
  and le_int(integer_of_uint32(x), (4294967295))))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_Heap(p:Heap pointer, a:int, b:int,
 Heap_alloc_table:Heap alloc_table) =
 ((offset_min(Heap_alloc_table, p) <= a)
 and (offset_max(Heap_alloc_table, p) >= b))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) <= a)
 and (offset_max(intP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_Heap(p:Heap pointer, a:int, b:int,
 Heap_alloc_table:Heap alloc_table) =
 ((offset_min(Heap_alloc_table, p) <= a)
 and (offset_max(Heap_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) <= a)
 and (offset_max(intP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

exception Goto_while_0_break_exc of unit

exception Goto_while_1_break_exc of unit

parameter Heap_alloc_table : Heap alloc_table ref

parameter Heap_tag_table : Heap tag_table ref

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter alloc_struct_Heap :
 n:int ->
  Heap_alloc_table:Heap alloc_table ref ->
   Heap_tag_table:Heap tag_table ref ->
    { } Heap pointer writes Heap_alloc_table,Heap_tag_table
    { (strict_valid_struct_Heap(result, (0), sub_int(n, (1)),
       Heap_alloc_table)
      and (alloc_extends(Heap_alloc_table@, Heap_alloc_table)
          and (alloc_fresh(Heap_alloc_table@, result, n)
              and instanceof(Heap_tag_table, result, Heap_tag)))) }

parameter alloc_struct_Heap_requires :
 n:int ->
  Heap_alloc_table:Heap alloc_table ref ->
   Heap_tag_table:Heap tag_table ref ->
    { ge_int(n, (0))} Heap pointer writes Heap_alloc_table,Heap_tag_table
    { (strict_valid_struct_Heap(result, (0), sub_int(n, (1)),
       Heap_alloc_table)
      and (alloc_extends(Heap_alloc_table@, Heap_alloc_table)
          and (alloc_fresh(Heap_alloc_table@, result, n)
              and instanceof(Heap_tag_table, result, Heap_tag)))) }

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter intP_alloc_table : intP alloc_table ref

parameter intP_tag_table : intP tag_table ref

parameter alloc_struct_intP :
 n:int ->
  intP_alloc_table:intP alloc_table ref ->
   intP_tag_table:intP tag_table ref ->
    { } intP pointer writes intP_alloc_table,intP_tag_table
    { (strict_valid_struct_intP(result, (0), sub_int(n, (1)),
       intP_alloc_table)
      and (alloc_extends(intP_alloc_table@, intP_alloc_table)
          and (alloc_fresh(intP_alloc_table@, result, n)
              and instanceof(intP_tag_table, result, intP_tag)))) }

parameter alloc_struct_intP_requires :
 n:int ->
  intP_alloc_table:intP alloc_table ref ->
   intP_tag_table:intP tag_table ref ->
    { ge_int(n, (0))} intP pointer writes intP_alloc_table,intP_tag_table
    { (strict_valid_struct_intP(result, (0), sub_int(n, (1)),
       intP_alloc_table)
      and (alloc_extends(intP_alloc_table@, intP_alloc_table)
          and (alloc_fresh(intP_alloc_table@, result, n)
              and instanceof(intP_tag_table, result, intP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int32 : unit -> { } int32 { true }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint32 : unit -> { } uint32 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter create : sz:uint32 -> { } Heap pointer { true }

parameter create_requires : sz:uint32 -> { } Heap pointer { true }

parameter extract_min : u:Heap pointer -> { } int32 { true }

parameter extract_min_requires : u:Heap pointer -> { } int32 { true }

parameter heap_sort :
 arr:intP pointer ->
  len:uint32 ->
   intP_intM_arr_5:(intP, int32) memory ref ->
    intP_arr_5_alloc_table:intP alloc_table ->
     { } unit reads intP_intM_arr_5 writes intP_intM_arr_5
     { (JC_42:
       (forall i_1:int.
        (forall j_0:int.
         ((le_int((0), i_1)
          and (le_int(i_1, j_0) and lt_int(j_0, integer_of_uint32(len)))) ->
          le_int(integer_of_int32(select(intP_intM_arr_5, shift(arr, i_1))),
          integer_of_int32(select(intP_intM_arr_5, shift(arr, j_0)))))))) }

parameter heap_sort_requires :
 arr:intP pointer ->
  len:uint32 ->
   intP_intM_arr_5:(intP, int32) memory ref ->
    intP_arr_5_alloc_table:intP alloc_table ->
     { (JC_34:
       ((JC_31: ge_int(integer_of_uint32(len), (0)))
       and ((JC_32: le_int(offset_min(intP_arr_5_alloc_table, arr), (0)))
           and (JC_33:
               ge_int(offset_max(intP_arr_5_alloc_table, arr),
               sub_int(integer_of_uint32(len), (1)))))))}
     unit reads intP_intM_arr_5 writes intP_intM_arr_5
     { (JC_42:
       (forall i_1:int.
        (forall j_0:int.
         ((le_int((0), i_1)
          and (le_int(i_1, j_0) and lt_int(j_0, integer_of_uint32(len)))) ->
          le_int(integer_of_int32(select(intP_intM_arr_5, shift(arr, i_1))),
          integer_of_int32(select(intP_intM_arr_5, shift(arr, j_0)))))))) }

parameter insert :
 u_0:Heap pointer ->
  e:int32 ->
   Heap_x_u_0_3:(Heap, int32) memory ref ->
    Heap_u_0_3_alloc_table:Heap alloc_table ->
     { } unit writes Heap_x_u_0_3
     { (JC_18:
       not_assigns(Heap_u_0_3_alloc_table, Heap_x_u_0_3@, Heap_x_u_0_3,
       pset_singleton(u_0))) }

parameter insert_requires :
 u_0:Heap pointer ->
  e:int32 ->
   Heap_x_u_0_3:(Heap, int32) memory ref ->
    Heap_u_0_3_alloc_table:Heap alloc_table ->
     { } unit writes Heap_x_u_0_3
     { (JC_18:
       not_assigns(Heap_u_0_3_alloc_table, Heap_x_u_0_3@, Heap_x_u_0_3,
       pset_singleton(u_0))) }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter main : tt:unit -> { } unit { true }

parameter main_requires : tt:unit -> { } unit { true }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint32_of_integer_ :
 x:int -> { } uint32 { eq_int(integer_of_uint32(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter uint32_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (4294967295)))} uint32
  { eq_int(integer_of_uint32(result), x) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let heap_sort_ensures_default =
 fun (arr : intP pointer) (len : uint32) (intP_intM_arr_5 : (intP, int32) memory ref) (intP_arr_5_alloc_table : intP alloc_table) ->
  { (JC_39:
    ((JC_36: ge_int(integer_of_uint32(len), (0)))
    and ((JC_37: le_int(offset_min(intP_arr_5_alloc_table, arr), (0)))
        and (JC_38:
            ge_int(offset_max(intP_arr_5_alloc_table, arr),
            sub_int(integer_of_uint32(len), (1))))))) }
  (init:
  try
   begin
     (let Heap_x_h_6 = ref (any_memory void) in
     (let Heap_h_6_alloc_table = (any_alloc_table void) in
     (let i = ref (any_uint32 void) in
     (let h = ref (any_pointer void) in
     try
      begin
        try
         begin
           (let _jessie_ =
           (h := (let _jessie_ = len in (JC_66: (create _jessie_)))) in
           void);
          (let _jessie_ = (i := (safe_uint32_of_integer_ (0))) in void);
          (loop_3:
          begin
            while true do
            { invariant
                (JC_69:
                ((JC_67: le_int((0), integer_of_uint32(i)))
                and (JC_68:
                    le_int(integer_of_uint32(i), integer_of_uint32(len)))))
               }
             begin
               [ { } unit { true } ];
              try
               begin
                 (let _jessie_ =
                 begin
                   (if ((lt_int_ (integer_of_uint32 !i)) (integer_of_uint32 len))
                   then void else (raise (Goto_while_0_break_exc void)));
                  (let _jessie_ = !h in
                  (let _jessie_ =
                  ((safe_acc_ !intP_intM_arr_5) ((shift arr) (integer_of_uint32 !i))) in
                  (JC_73:
                  ((((insert _jessie_) _jessie_) Heap_x_h_6) Heap_h_6_alloc_table))));
                  (i := (safe_uint32_of_integer_ ((add_int (integer_of_uint32 !i)) (1))));
                  !i end in void); (raise (Loop_continue_exc void)) end with
               Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ ->
         (while_0_break:
         begin
           void;
          (let _jessie_ = (i := (safe_uint32_of_integer_ (0))) in void);
          (loop_4:
          while true do
          { invariant
              (JC_76:
              ((JC_74: le_int((0), integer_of_uint32(i)))
              and (JC_75:
                  le_int(integer_of_uint32(i), integer_of_uint32(len))))) 
             }
           begin
             [ { } unit { true } ];
            try
             begin
               (let _jessie_ =
               begin
                 (if ((lt_int_ (integer_of_uint32 !i)) (integer_of_uint32 len))
                 then void else (raise (Goto_while_1_break_exc void)));
                (let _jessie_ =
                (let _jessie_ =
                (let _jessie_ = !h in (JC_80: (extract_min _jessie_))) in
                (let _jessie_ = arr in
                (let _jessie_ = (integer_of_uint32 !i) in
                (let _jessie_ = ((shift _jessie_) _jessie_) in
                (((safe_upd_ intP_intM_arr_5) _jessie_) _jessie_))))) in
                void);
                (i := (safe_uint32_of_integer_ ((add_int (integer_of_uint32 !i)) (1))));
                !i end in void); (raise (Loop_continue_exc void)) end with
             Loop_continue_exc _jessie_ -> void end end done) end) end;
       (raise (Goto_while_1_break_exc void)) end with
      Goto_while_1_break_exc _jessie_ ->
      (while_1_break: begin   void; (raise Return) end) end))));
    (raise Return) end with Return -> void end)
  { (JC_41:
    (forall i_1:int.
     (forall j_0:int.
      ((le_int((0), i_1)
       and (le_int(i_1, j_0) and lt_int(j_0, integer_of_uint32(len)))) ->
       le_int(integer_of_int32(select(intP_intM_arr_5, shift(arr, i_1))),
       integer_of_int32(select(intP_intM_arr_5, shift(arr, j_0)))))))) } 

let heap_sort_safety =
 fun (arr : intP pointer) (len : uint32) (intP_intM_arr_5 : (intP, int32) memory ref) (intP_arr_5_alloc_table : intP alloc_table) ->
  { (JC_39:
    ((JC_36: ge_int(integer_of_uint32(len), (0)))
    and ((JC_37: le_int(offset_min(intP_arr_5_alloc_table, arr), (0)))
        and (JC_38:
            ge_int(offset_max(intP_arr_5_alloc_table, arr),
            sub_int(integer_of_uint32(len), (1))))))) }
  (init:
  try
   begin
     (let Heap_x_h_6 = ref (any_memory void) in
     (let Heap_h_6_alloc_table = (any_alloc_table void) in
     (let i = ref (any_uint32 void) in
     (let h = ref (any_pointer void) in
     try
      begin
        try
         begin
           (let _jessie_ =
           (h := (let _jessie_ = len in
                 (JC_45: (create_requires _jessie_)))) in void);
          (let _jessie_ = (i := (safe_uint32_of_integer_ (0))) in void);
          (loop_1:
          begin
            while true do
            { invariant (JC_50: true)
              variant (JC_55 : sub_int(integer_of_uint32(len),
                               integer_of_uint32(i))) }
             begin
               [ { } unit reads i
                 { (JC_48:
                   ((JC_46: le_int((0), integer_of_uint32(i)))
                   and (JC_47:
                       le_int(integer_of_uint32(i), integer_of_uint32(len))))) } ];
              try
               begin
                 (let _jessie_ =
                 begin
                   (if ((lt_int_ (integer_of_uint32 !i)) (integer_of_uint32 len))
                   then void else (raise (Goto_while_0_break_exc void)));
                  (let _jessie_ = !h in
                  (let _jessie_ =
                  (JC_52:
                  ((((offset_acc_ intP_arr_5_alloc_table) !intP_intM_arr_5) arr) 
                   (integer_of_uint32 !i))) in
                  (JC_53:
                  ((((insert_requires _jessie_) _jessie_) Heap_x_h_6) Heap_h_6_alloc_table))));
                  (i := (JC_54:
                        (uint32_of_integer_ ((add_int (integer_of_uint32 !i)) (1)))));
                  !i end in void); (raise (Loop_continue_exc void)) end with
               Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ ->
         (while_0_break:
         begin
           void;
          (let _jessie_ = (i := (safe_uint32_of_integer_ (0))) in void);
          (loop_2:
          while true do
          { invariant (JC_60: true)
            variant (JC_65 : sub_int(integer_of_uint32(len),
                             integer_of_uint32(i))) }
           begin
             [ { } unit reads i
               { (JC_58:
                 ((JC_56: le_int((0), integer_of_uint32(i)))
                 and (JC_57:
                     le_int(integer_of_uint32(i), integer_of_uint32(len))))) } ];
            try
             begin
               (let _jessie_ =
               begin
                 (if ((lt_int_ (integer_of_uint32 !i)) (integer_of_uint32 len))
                 then void else (raise (Goto_while_1_break_exc void)));
                (let _jessie_ =
                (let _jessie_ =
                (let _jessie_ = !h in
                (JC_62: (extract_min_requires _jessie_))) in
                (let _jessie_ = arr in
                (let _jessie_ = (integer_of_uint32 !i) in
                (let _jessie_ = ((shift _jessie_) _jessie_) in
                (JC_63:
                (((((offset_upd_ intP_arr_5_alloc_table) intP_intM_arr_5) _jessie_) _jessie_) _jessie_)))))) in
                void);
                (i := (JC_64:
                      (uint32_of_integer_ ((add_int (integer_of_uint32 !i)) (1)))));
                !i end in void); (raise (Loop_continue_exc void)) end with
             Loop_continue_exc _jessie_ -> void end end done) end) end;
       (raise (Goto_while_1_break_exc void)) end with
      Goto_while_1_break_exc _jessie_ ->
      (while_1_break: begin   void; (raise Return) end) end))));
    (raise Return) end with Return -> void end) { true } 

let main_ensures_default =
 fun (tt : unit) ->
  { (JC_84: true) }
  (init:
  try
   begin
     (let intP_intM_arr_0_8 = ref (any_memory void) in
     (let intP_arr_0_8_tag_table = ref (any_tag_table void) in
     (let intP_arr_0_8_alloc_table = ref (any_alloc_table void) in
     (let arr_0 = ref (any_pointer void) in
     begin
       (let _jessie_ =
       (arr_0 := (JC_94:
                 (((alloc_struct_intP (3)) intP_arr_0_8_alloc_table) intP_arr_0_8_tag_table))) in
       void);
      (let _jessie_ = (safe_int32_of_integer_ (42)) in
      (let _jessie_ = !arr_0 in
      (let _jessie_ = (safe_int32_of_integer_ (13)) in
      (let _jessie_ = !arr_0 in
      (let _jessie_ = (1) in
      (let _jessie_ = ((shift _jessie_) _jessie_) in
      (let _jessie_ = (safe_int32_of_integer_ (42)) in
      (let _jessie_ = !arr_0 in
      (let _jessie_ = (2) in
      (let _jessie_ = ((shift _jessie_) _jessie_) in
      [ { } unit reads intP_arr_0_8_alloc_table,intP_intM_arr_0_8
        writes intP_intM_arr_0_8
        { (not_assigns(intP_arr_0_8_alloc_table, intP_intM_arr_0_8@,
           intP_intM_arr_0_8,
           pset_range(pset_singleton(_jessie_), (0), (2)))
          and ((select(intP_intM_arr_0_8, shift(_jessie_, (0))) = _jessie_)
              and ((select(intP_intM_arr_0_8, shift(_jessie_, (1))) = _jessie_)
                  and (select(intP_intM_arr_0_8, shift(_jessie_, (2))) = _jessie_)))) } ]))))))))));
      (let _jessie_ = !arr_0 in
      (let _jessie_ = (safe_uint32_of_integer_ (3)) in
      (JC_95:
      ((((heap_sort _jessie_) _jessie_) intP_intM_arr_0_8) !intP_arr_0_8_alloc_table))));
      (assert
      { (JC_96:
        (le_int(integer_of_int32(select(intP_intM_arr_0_8, shift(arr_0, (0)))),
         integer_of_int32(select(intP_intM_arr_0_8, shift(arr_0, (1)))))
        and le_int(integer_of_int32(select(intP_intM_arr_0_8,
                                    shift(arr_0, (1)))),
            integer_of_int32(select(intP_intM_arr_0_8, shift(arr_0, (2))))))) };
      void); void;
      (assert
      { (JC_97:
        ((integer_of_int32(select(intP_intM_arr_0_8, shift(arr_0, (0)))) = (13))
        and ((integer_of_int32(select(intP_intM_arr_0_8, shift(arr_0, (1)))) = (42))
            and (integer_of_int32(select(intP_intM_arr_0_8,
                                  shift(arr_0, (2)))) = (42))))) }; void);
      void; ((safe_free_parameter intP_arr_0_8_alloc_table) !arr_0);
      (raise Return) end)))); (raise Return) end with Return -> void end)
  { (JC_85: true) } 

let main_safety =
 fun (tt : unit) ->
  { (JC_84: true) }
  (init:
  try
   begin
     (let intP_intM_arr_0_8 = ref (any_memory void) in
     (let intP_arr_0_8_tag_table = ref (any_tag_table void) in
     (let intP_arr_0_8_alloc_table = ref (any_alloc_table void) in
     (let arr_0 = ref (any_pointer void) in
     begin
       (let _jessie_ =
       (arr_0 := (let _jessie_ =
                 (JC_89:
                 (((alloc_struct_intP_requires (3)) intP_arr_0_8_alloc_table) intP_arr_0_8_tag_table)) in
                 (JC_90:
                 (assert
                 { ge_int(offset_max(intP_arr_0_8_alloc_table, _jessie_),
                   (2)) }; _jessie_)))) in void);
      (let _jessie_ = (safe_int32_of_integer_ (42)) in
      (let _jessie_ = !arr_0 in
      (let _jessie_ = (safe_int32_of_integer_ (13)) in
      (let _jessie_ = !arr_0 in
      (let _jessie_ = (1) in
      (let _jessie_ = ((shift _jessie_) _jessie_) in
      (let _jessie_ = (safe_int32_of_integer_ (42)) in
      (let _jessie_ = !arr_0 in
      (let _jessie_ = (2) in
      (let _jessie_ = ((shift _jessie_) _jessie_) in
      [ { } unit reads intP_arr_0_8_alloc_table,intP_intM_arr_0_8
        writes intP_intM_arr_0_8
        { (not_assigns(intP_arr_0_8_alloc_table, intP_intM_arr_0_8@,
           intP_intM_arr_0_8,
           pset_range(pset_singleton(_jessie_), (0), (2)))
          and ((select(intP_intM_arr_0_8, shift(_jessie_, (0))) = _jessie_)
              and ((select(intP_intM_arr_0_8, shift(_jessie_, (1))) = _jessie_)
                  and (select(intP_intM_arr_0_8, shift(_jessie_, (2))) = _jessie_)))) } ]))))))))));
      (let _jessie_ = !arr_0 in
      (let _jessie_ = (safe_uint32_of_integer_ (3)) in
      (JC_91:
      ((((heap_sort_requires _jessie_) _jessie_) intP_intM_arr_0_8) !intP_arr_0_8_alloc_table))));
      [ { } unit reads arr_0,intP_intM_arr_0_8
        { (JC_92:
          (le_int(integer_of_int32(select(intP_intM_arr_0_8,
                                   shift(arr_0, (0)))),
           integer_of_int32(select(intP_intM_arr_0_8, shift(arr_0, (1)))))
          and le_int(integer_of_int32(select(intP_intM_arr_0_8,
                                      shift(arr_0, (1)))),
              integer_of_int32(select(intP_intM_arr_0_8, shift(arr_0, (2))))))) } ];
      void;
      [ { } unit reads arr_0,intP_intM_arr_0_8
        { (JC_93:
          ((integer_of_int32(select(intP_intM_arr_0_8, shift(arr_0, (0)))) = (13))
          and ((integer_of_int32(select(intP_intM_arr_0_8, shift(arr_0, (1)))) = (42))
              and (integer_of_int32(select(intP_intM_arr_0_8,
                                    shift(arr_0, (2)))) = (42))))) } ]; void;
      ((free_parameter intP_arr_0_8_alloc_table) !arr_0); (raise Return) end))));
    (raise Return) end with Return -> void end) { true } 


why-2.39/tests/c/oracle/sum_array.res.oracle0000644000106100004300000014124013147234006020045 0ustar  marchevals========== file tests/c/sum_array.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

#pragma JessieIntegerModel(math)

/*@ axiomatic Sum {
  @   // sum(t,i,j) denotes t[i]+...+t[j-1]
  @   logic integer sum{L}(int *t, integer i, integer j)
  @        reads i,j,t, t[..] ;
  @   axiom sum1{L} :
  @     \forall int *t, integer i, j; i >= j ==> sum(t,i,j) == 0;
  @   axiom sum2{L} :
  @     \forall int *t, integer i, j; i <= j ==>
  @       sum(t,i,j+1) == sum(t,i,j) + t[j];
  @ }
  @*/

/*@ lemma sum3{L} :
  @     \forall int *t, integer i, j, k;
  @       i <= j <= k ==>
  @         sum(t,i,k) == sum(t,i,j) + sum(t,j,k);
  @*/

/*@ lemma sum_footprint{L} :
  @     \forall int *t1,*t2, integer i, j;
  @       (\forall integer k; i<=k t1[k] == t2[k]) ==>
  @       sum(t1,i,j) == sum(t2,i,j);
  @*/

/*@ requires n >= 1 && \valid(t+(0..n-1)) ;
  @ ensures \result == sum(t,0,n);
  @*/
int test1(int t[],int n) {
  int i,s = 0;

  /*@ loop invariant 0 <= i <= n && s == sum(t,0,i);
    @ loop variant n-i;
  */
  for(i=0; i < n; i++)
  {
    s += t[i];
  }
  return s;
}


/*@ requires n >= 1 && \valid(t+(0..n-1));
  @ assigns t[..];
  @ ensures sum(t,0,n) == \old(sum(t,0,n))+n;
  @*/
void test2(int t[],int n) {
  int i;
  /*@ loop invariant 0 <= i <= n &&
    @     sum(t,0,n) == \at(sum(t,0,n),Pre)+i;
    @ loop variant n-i;
    @*/
  for(i=0; i < n; i++)
  {
    //@ assert sum(t,0,n) == sum(t,0,i) + t[i] + sum(t,i+1,n);
    t[i] += 1;
    //@ assert sum(t,0,n) == sum(t,0,i) + t[i] + sum(t,i+1,n);
  }
}

/*
Local Variables:
compile-command: "make sum_array.why3ide"
End:
*/
========== frama-c -jessie execution ==========
[kernel] Parsing FRAMAC_SHARE/libc/__fc_builtin_for_normalization.i (no preprocessing)
[kernel] Parsing tests/c/sum_array.c (with preprocessing)
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/sum_array.jessie
[jessie] File tests/c/sum_array.jessie/sum_array.jc written.
[jessie] File tests/c/sum_array.jessie/sum_array.cloc written.
========== file tests/c/sum_array.jessie/sum_array.jc ==========
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

tag intP = {
  integer intM: 32;
}

type intP = [intP]

tag unsigned_charP = {
  integer unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  integer charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

axiomatic Sum {

  logic integer sum{L}(intP[..] t, integer i_1, integer j_0) reads i_1, j_0,
  t, (t + [..]).intM;
   
  axiom sum1{L} :
  (\forall intP[..] t_0;
    (\forall integer i_2;
      (\forall integer j_1;
        ((i_2 >= j_1) ==> (sum{L}(t_0, i_2, j_1) == 0)))))
   
  axiom sum2{L} :
  (\forall intP[..] t_1;
    (\forall integer i_3;
      (\forall integer j_2;
        ((i_3 <= j_2) ==>
          (sum{L}(t_1, i_3, (j_2 + 1)) ==
            (sum{L}(t_1, i_3, j_2) + (t_1 + j_2).intM))))))
  
}

lemma sum3{L} :
(\forall intP[..] t_2;
  (\forall integer i_4;
    (\forall integer j_3;
      (\forall integer k;
        (((i_4 <= j_3) && (j_3 <= k)) ==>
          (sum{L}(t_2, i_4, k) ==
            (sum{L}(t_2, i_4, j_3) + sum{L}(t_2, j_3, k))))))))

lemma sum_footprint{L} :
(\forall intP[..] t1;
  (\forall intP[..] t2;
    (\forall integer i_5;
      (\forall integer j_4;
        ((\forall integer k_0;
           (((i_5 <= k_0) && (k_0 < j_4)) ==>
             ((t1 + k_0).intM == (t2 + k_0).intM))) ==>
          (sum{L}(t1, i_5, j_4) == sum{L}(t2, i_5, j_4)))))))

integer test1(intP[..] t, integer n_1)
  requires (_C_16 : ((_C_17 : (n_1 >= 1)) &&
                      ((_C_19 : (\offset_min(t) <= 0)) &&
                        (_C_20 : (\offset_max(t) >= (n_1 - 1))))));
behavior default:
  ensures (_C_15 : (\result == sum{Here}(\at(t,Old), 0, \at(n_1,Old))));
{  
   (var integer i);
   
   (var integer s);
   
   {  (_C_1 : (s = 0));
      (_C_2 : (i = 0));
      
      loop 
      behavior default:
        invariant (_C_4 : (((_C_6 : (0 <= i)) && (_C_7 : (i <= n_1))) &&
                            (_C_8 : (s == sum{Here}(t, 0, i)))));
      variant (_C_3 : (n_1 - i));
      while (true)
      {  
         {  (if (i < n_1) then () else 
            (goto while_0_break));
            
            {  (_C_12 : (s = (_C_11 : (s + (_C_10 : (_C_9 : (t + i)).intM)))))
            };
            (_C_14 : (i = (_C_13 : (i + 1))))
         }
      };
      (while_0_break : ());
      
      (return s)
   }
}

unit test2(intP[..] t_0, integer n_2)
  requires (_C_39 : ((_C_40 : (n_2 >= 1)) &&
                      ((_C_42 : (\offset_min(t_0) <= 0)) &&
                        (_C_43 : (\offset_max(t_0) >= (n_2 - 1))))));
behavior default:
  assigns (t_0 + [..]).intM;
  ensures (_C_38 : (sum{Here}(\at(t_0,Old), 0, \at(n_2,Old)) ==
                     (\at(sum{Old}(t_0, 0, n_2),Old) + \at(n_2,Old))));
{  
   (var integer i_0);
   
   {  (_C_21 : (i_0 = 0));
      
      loop 
      behavior default:
        invariant (_C_23 : (((_C_25 : (0 <= i_0)) && (_C_26 : (i_0 <= n_2))) &&
                             (_C_27 : (sum{Here}(t_0, 0, n_2) ==
                                        (\at(sum{Pre}(t_0, 0, n_2),Pre) +
                                          i_0)))));
      variant (_C_22 : (n_2 - i_0));
      while (true)
      {  
         {  (if (i_0 < n_2) then () else 
            (goto while_0_break));
            
            {  
               {  
                  (assert for default: (_C_28 : (jessie : (sum{Here}(
                                                            t_0, 0, n_2) ==
                                                            ((sum{Here}(
                                                               t_0, 0, i_0) +
                                                               (t_0 + i_0).intM) +
                                                              sum{Here}(
                                                              t_0, (i_0 + 1),
                                                              n_2))))));
                  ()
               };
               (_C_34 : ((_C_33 : (_C_32 : (t_0 + i_0)).intM) = (_C_31 : 
                                                                ((_C_30 : 
                                                                 (_C_29 : 
                                                                 (t_0 +
                                                                   i_0)).intM) +
                                                                  1))));
               
               {  
                  (assert for default: (_C_35 : (jessie : (sum{Here}(
                                                            t_0, 0, n_2) ==
                                                            ((sum{Here}(
                                                               t_0, 0, i_0) +
                                                               (t_0 + i_0).intM) +
                                                              sum{Here}(
                                                              t_0, (i_0 + 1),
                                                              n_2))))));
                  ()
               }
            };
            (_C_37 : (i_0 = (_C_36 : (i_0 + 1))))
         }
      };
      (while_0_break : ());
      
      (return ())
   }
}
========== file tests/c/sum_array.jessie/sum_array.cloc ==========
[_C_35]
file = "HOME/tests/c/sum_array.c"
line = 89
begin = 22
end = 68

[_C_28]
file = "HOME/tests/c/sum_array.c"
line = 87
begin = 22
end = 68

[_C_31]
file = "HOME/tests/c/sum_array.c"
line = 88
begin = 4
end = 13

[_C_41]
file = "HOME/tests/c/sum_array.c"
line = 75
begin = 26
end = 44

[_C_4]
file = "HOME/tests/c/sum_array.c"
line = 64
begin = 26
end = 56

[_C_32]
file = "HOME/tests/c/sum_array.c"
line = 88
begin = 4
end = 5

[_C_23]
file = "HOME/tests/c/sum_array.c"
line = 81
begin = 26
end = 86

[_C_19]
file = "HOME/tests/c/sum_array.c"
line = 58
begin = 26
end = 44

[_C_42]
file = "HOME/tests/c/sum_array.c"
line = 75
begin = 26
end = 44

[test1]
name = "Function test1"
file = "HOME/tests/c/sum_array.c"
line = 61
begin = 4
end = 9

[_C_13]
file = "HOME/tests/c/sum_array.c"
line = 67
begin = 18
end = 21

[_C_5]
file = "HOME/tests/c/sum_array.c"
line = 64
begin = 26
end = 37

[_C_36]
file = "HOME/tests/c/sum_array.c"
line = 85
begin = 18
end = 21

[_C_12]
file = "HOME/tests/c/sum_array.c"
line = 69
begin = 4
end = 13

[_C_33]
file = "HOME/tests/c/sum_array.c"
line = 88
begin = 4
end = 13

[_C_22]
file = "HOME/tests/c/sum_array.c"
line = 83
begin = 19
end = 22

[_C_9]
file = "HOME/tests/c/sum_array.c"
line = 69
begin = 9
end = 10

[_C_30]
file = "HOME/tests/c/sum_array.c"
line = 88
begin = 4
end = 8

[_C_6]
file = "HOME/tests/c/sum_array.c"
line = 64
begin = 26
end = 32

[_C_24]
file = "HOME/tests/c/sum_array.c"
line = 81
begin = 26
end = 37

[_C_20]
file = "HOME/tests/c/sum_array.c"
line = 58
begin = 26
end = 44

[test2]
name = "Function test2"
file = "HOME/tests/c/sum_array.c"
line = 79
begin = 5
end = 10

[_C_38]
file = "HOME/tests/c/sum_array.c"
line = 77
begin = 12
end = 44

[_C_3]
file = "HOME/tests/c/sum_array.c"
line = 65
begin = 19
end = 22

[sum_footprint]
name = "Lemma sum_footprint"
file = "HOME/tests/c/sum_array.c"
line = 52
begin = 7
end = 173

[_C_17]
file = "HOME/tests/c/sum_array.c"
line = 58
begin = 16
end = 22

[sum3]
name = "Lemma sum3"
file = "HOME/tests/c/sum_array.c"
line = 46
begin = 7
end = 140

[_C_7]
file = "HOME/tests/c/sum_array.c"
line = 64
begin = 31
end = 37

[_C_27]
file = "HOME/tests/c/sum_array.c"
line = 82
begin = 10
end = 45

[_C_15]
file = "HOME/tests/c/sum_array.c"
line = 59
begin = 12
end = 33

[_C_26]
file = "HOME/tests/c/sum_array.c"
line = 81
begin = 31
end = 37

[sum2]
name = "Lemma sum2"
file = "HOME/tests/c/sum_array.c"
line = 40
begin = 6
end = 115

[_C_10]
file = "HOME/tests/c/sum_array.c"
line = 69
begin = 9
end = 13

[_C_40]
file = "HOME/tests/c/sum_array.c"
line = 75
begin = 16
end = 22

[_C_8]
file = "HOME/tests/c/sum_array.c"
line = 64
begin = 41
end = 56

[_C_18]
file = "HOME/tests/c/sum_array.c"
line = 58
begin = 26
end = 44

[_C_29]
file = "HOME/tests/c/sum_array.c"
line = 88
begin = 4
end = 5

[_C_14]
file = "HOME/tests/c/sum_array.c"
line = 67
begin = 18
end = 21

[_C_37]
file = "HOME/tests/c/sum_array.c"
line = 85
begin = 18
end = 21

[_C_43]
file = "HOME/tests/c/sum_array.c"
line = 75
begin = 26
end = 44

[_C_2]
file = "HOME/tests/c/sum_array.c"
line = 67
begin = 8
end = 9

[_C_34]
file = "HOME/tests/c/sum_array.c"
line = 88
begin = 4
end = 13

[_C_16]
file = "HOME/tests/c/sum_array.c"
line = 58
begin = 16
end = 44

[_C_1]
file = "HOME/tests/c/sum_array.c"
line = 62
begin = 2
end = 5

[_C_25]
file = "HOME/tests/c/sum_array.c"
line = 81
begin = 26
end = 32

[_C_39]
file = "HOME/tests/c/sum_array.c"
line = 75
begin = 16
end = 44

[_C_11]
file = "HOME/tests/c/sum_array.c"
line = 69
begin = 4
end = 13

[sum1]
name = "Lemma sum1"
file = "HOME/tests/c/sum_array.c"
line = 38
begin = 6
end = 87

[_C_21]
file = "HOME/tests/c/sum_array.c"
line = 85
begin = 8
end = 9

========== jessie execution ==========
Generating Why function test1
Generating Why function test2
========== file tests/c/sum_array.jessie/sum_array.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/sum_array_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: sum_array.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: sum_array.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: sum_array.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/c/sum_array.jessie/sum_array.loc ==========
[JC_63]
file = "HOME/tests/c/sum_array.c"
line = 82
begin = 10
end = 45

[JC_51]
file = "HOME/tests/c/sum_array.c"
line = 82
begin = 10
end = 45

[JC_45]
file = "HOME/tests/c/sum_array.c"
line = 79
begin = 5
end = 10

[JC_64]
file = "HOME/tests/c/sum_array.c"
line = 81
begin = 26
end = 86

[JC_31]
file = "HOME/tests/c/sum_array.c"
line = 75
begin = 16
end = 22

[JC_17]
file = "HOME/tests/c/sum_array.c"
line = 64
begin = 41
end = 56

[JC_55]
file = "HOME/tests/c/sum_array.jessie/sum_array.jc"
line = 123
begin = 6
end = 2351

[JC_48]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_23]
file = "HOME/tests/c/sum_array.c"
line = 65
begin = 19
end = 22

[JC_22]
kind = PointerDeref
file = "HOME/tests/c/sum_array.c"
line = 69
begin = 9
end = 13

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_67]
file = "HOME/tests/c/sum_array.jessie/sum_array.jc"
line = 123
begin = 6
end = 2351

[test1_safety]
name = "Function test1"
behavior = "Safety"
file = "HOME/tests/c/sum_array.c"
line = 61
begin = 4
end = 9

[JC_9]
file = "HOME/tests/c/sum_array.c"
line = 58
begin = 16
end = 44

[JC_24]
file = "HOME/tests/c/sum_array.c"
line = 64
begin = 26
end = 32

[JC_25]
file = "HOME/tests/c/sum_array.c"
line = 64
begin = 31
end = 37

[JC_41]
file = "HOME/tests/c/sum_array.c"
line = 77
begin = 12
end = 44

[JC_47]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_52]
file = "HOME/tests/c/sum_array.c"
line = 81
begin = 26
end = 86

[JC_26]
file = "HOME/tests/c/sum_array.c"
line = 64
begin = 41
end = 56

[JC_8]
file = "HOME/tests/c/sum_array.c"
line = 58
begin = 26
end = 44

[JC_54]
file = "HOME/tests/c/sum_array.jessie/sum_array.jc"
line = 123
begin = 6
end = 2351

[JC_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/c/sum_array.c"
line = 59
begin = 12
end = 33

[test2_safety]
name = "Function test2"
behavior = "Safety"
file = "HOME/tests/c/sum_array.c"
line = 79
begin = 5
end = 10

[JC_15]
file = "HOME/tests/c/sum_array.c"
line = 64
begin = 26
end = 32

[JC_36]
file = "HOME/tests/c/sum_array.c"
line = 75
begin = 16
end = 22

[JC_39]
file = "HOME/tests/c/sum_array.c"
line = 75
begin = 16
end = 44

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_35]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
file = "HOME/tests/c/sum_array.c"
line = 64
begin = 26
end = 56

[JC_69]
file = "HOME/tests/c/sum_array.c"
line = 89
begin = 22
end = 68

[JC_38]
file = "HOME/tests/c/sum_array.c"
line = 75
begin = 26
end = 44

[JC_12]
file = "HOME/tests/c/sum_array.c"
line = 59
begin = 12
end = 33

[JC_6]
file = "HOME/tests/c/sum_array.c"
line = 58
begin = 16
end = 22

[sum_footprint]
name = "Lemma sum_footprint"
behavior = "lemma"
file = "HOME/tests/c/sum_array.c"
line = 52
begin = 7
end = 173

[JC_44]
file = "HOME/tests/c/sum_array.c"
line = 77
begin = 12
end = 44

[JC_4]
file = "HOME/tests/c/sum_array.c"
line = 58
begin = 16
end = 44

[JC_62]
file = "HOME/tests/c/sum_array.c"
line = 81
begin = 31
end = 37

[sum3]
name = "Lemma sum3"
behavior = "lemma"
file = "HOME/tests/c/sum_array.c"
line = 46
begin = 7
end = 140

[JC_42]
file = "HOME/tests/c/sum_array.c"
line = 79
begin = 5
end = 10

[JC_46]
file = "HOME/tests/c/sum_array.jessie/sum_array.jc"
line = 114
begin = 9
end = 16

[test2_ensures_default]
name = "Function test2"
behavior = "default behavior"
file = "HOME/tests/c/sum_array.c"
line = 79
begin = 5
end = 10

[JC_61]
file = "HOME/tests/c/sum_array.c"
line = 81
begin = 26
end = 32

[JC_32]
file = "HOME/tests/c/sum_array.c"
line = 75
begin = 26
end = 44

[JC_56]
file = "HOME/tests/c/sum_array.c"
line = 87
begin = 22
end = 68

[JC_33]
file = "HOME/tests/c/sum_array.c"
line = 75
begin = 26
end = 44

[JC_65]
file = "HOME/"
line = 0
begin = -1
end = -1

[sum2]
name = "Lemma sum2"
behavior = "axiom"
file = "HOME/tests/c/sum_array.c"
line = 40
begin = 6
end = 115

[JC_29]
file = "HOME/tests/c/sum_array.jessie/sum_array.jc"
line = 89
begin = 6
end = 484

[JC_68]
file = "HOME/tests/c/sum_array.c"
line = 87
begin = 22
end = 68

[JC_7]
file = "HOME/tests/c/sum_array.c"
line = 58
begin = 26
end = 44

[JC_16]
file = "HOME/tests/c/sum_array.c"
line = 64
begin = 31
end = 37

[JC_43]
file = "HOME/tests/c/sum_array.jessie/sum_array.jc"
line = 114
begin = 9
end = 16

[JC_2]
file = "HOME/tests/c/sum_array.c"
line = 58
begin = 26
end = 44

[JC_34]
file = "HOME/tests/c/sum_array.c"
line = 75
begin = 16
end = 44

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_53]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_21]
file = "HOME/tests/c/sum_array.jessie/sum_array.jc"
line = 89
begin = 6
end = 484

[JC_49]
file = "HOME/tests/c/sum_array.c"
line = 81
begin = 26
end = 32

[test1_ensures_default]
name = "Function test1"
behavior = "default behavior"
file = "HOME/tests/c/sum_array.c"
line = 61
begin = 4
end = 9

[JC_1]
file = "HOME/tests/c/sum_array.c"
line = 58
begin = 16
end = 22

[JC_37]
file = "HOME/tests/c/sum_array.c"
line = 75
begin = 26
end = 44

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_57]
kind = PointerDeref
file = "HOME/tests/c/sum_array.c"
line = 88
begin = 4
end = 8

[JC_66]
file = "HOME/tests/c/sum_array.jessie/sum_array.jc"
line = 123
begin = 6
end = 2351

[JC_59]
file = "HOME/tests/c/sum_array.c"
line = 89
begin = 22
end = 68

[JC_20]
file = "HOME/tests/c/sum_array.jessie/sum_array.jc"
line = 89
begin = 6
end = 484

[JC_18]
file = "HOME/tests/c/sum_array.c"
line = 64
begin = 26
end = 56

[JC_3]
file = "HOME/tests/c/sum_array.c"
line = 58
begin = 26
end = 44

[JC_60]
file = "HOME/tests/c/sum_array.c"
line = 83
begin = 19
end = 22

[JC_19]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_50]
file = "HOME/tests/c/sum_array.c"
line = 81
begin = 31
end = 37

[JC_30]
file = "HOME/tests/c/sum_array.jessie/sum_array.jc"
line = 89
begin = 6
end = 484

[sum1]
name = "Lemma sum1"
behavior = "axiom"
file = "HOME/tests/c/sum_array.c"
line = 38
begin = 6
end = 87

[JC_58]
kind = PointerDeref
file = "HOME/tests/c/sum_array.jessie/sum_array.jc"
line = 147
begin = 25
end = 446

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/c/sum_array.jessie/why/sum_array.why ==========
type charP

type intP

type padding

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic intP_tag:  -> intP tag_id

axiom intP_int : (int_of_tag(intP_tag) = (1))

logic intP_of_pointer_address: unit pointer -> intP pointer

axiom intP_of_pointer_address_of_pointer_addr :
 (forall p:intP pointer. (p = intP_of_pointer_address(pointer_address(p))))

axiom intP_parenttag_bottom : parenttag(intP_tag, bottom_tag)

axiom intP_tags :
 (forall x:intP pointer.
  (forall intP_tag_table:intP tag_table.
   instanceof(intP_tag_table, x, intP_tag)))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_intP(p:intP pointer, a:int,
 intP_alloc_table:intP alloc_table) = (offset_min(intP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

logic sum: intP pointer, int, int, (intP, int) memory -> int

axiom no_assign_sum_0 :
 (forall tmp:intP pset.
  (forall tmpmem:(intP, int) memory.
   (forall tmpalloc:intP alloc_table.
    (forall intP_intM_t_1_at_L:(intP, int) memory.
     (forall j_0:int.
      (forall i_1:int.
       (forall t:intP pointer.
        ((pset_disjoint(tmp, pset_all(pset_singleton(t)))
         and not_assigns(tmpalloc, intP_intM_t_1_at_L, tmpmem, tmp)) ->
         (sum(t, i_1, j_0, intP_intM_t_1_at_L) = sum(t, i_1, j_0, tmpmem))))))))))

axiom no_update_sum_0 :
 (forall tmp:intP pointer.
  (forall tmpval:int.
   (forall intP_intM_t_1_at_L:(intP, int) memory.
    (forall j_0:int.
     (forall i_1:int.
      (forall t:intP pointer.
       ((not in_pset(tmp, pset_all(pset_singleton(t)))) ->
        (sum(t, i_1, j_0, intP_intM_t_1_at_L) = sum(t, i_1, j_0,
                                                store(intP_intM_t_1_at_L,
                                                tmp, tmpval))))))))))

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

axiom pointer_addr_of_intP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(intP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_intP(p:intP pointer, b:int,
 intP_alloc_table:intP alloc_table) = (offset_max(intP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) = a)
 and (offset_max(intP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) = a)
 and (offset_max(intP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) <= a)
 and (offset_max(intP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) <= a)
 and (offset_max(intP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

axiom sum1 :
 (forall intP_intM_t_1_at_L:(intP, int) memory.
  (forall t_0_1:intP pointer.
   (forall i_2:int.
    (forall j_1:int.
     (ge_int(i_2, j_1) -> (sum(t_0_1, i_2, j_1, intP_intM_t_1_at_L) = (0)))))))

axiom sum2 :
 (forall intP_intM_t_1_at_L:(intP, int) memory.
  (forall t_1:intP pointer.
   (forall i_3:int.
    (forall j_2:int.
     (le_int(i_3, j_2) ->
      (sum(t_1, i_3, add_int(j_2, (1)), intP_intM_t_1_at_L) = add_int(
                                                              sum(t_1, i_3,
                                                              j_2,
                                                              intP_intM_t_1_at_L),
                                                              select(intP_intM_t_1_at_L,
                                                              shift(t_1, j_2)))))))))

lemma sum3 :
 (forall intP_intM_t_2_6_at_L:(intP, int) memory.
  (forall t_2:intP pointer.
   (forall i_4:int.
    (forall j_3:int.
     (forall k:int.
      ((le_int(i_4, j_3) and le_int(j_3, k)) ->
       (sum(t_2, i_4, k, intP_intM_t_2_6_at_L) = add_int(sum(t_2, i_4, j_3,
                                                         intP_intM_t_2_6_at_L),
                                                 sum(t_2, j_3, k,
                                                 intP_intM_t_2_6_at_L)))))))))

lemma sum_footprint :
 (forall intP_intM_t2_8_at_L:(intP, int) memory.
  (forall intP_intM_t1_7_at_L:(intP, int) memory.
   (forall t1:intP pointer.
    (forall t2:intP pointer.
     (forall i_5:int.
      (forall j_4:int.
       ((forall k_0:int.
         ((le_int(i_5, k_0) and lt_int(k_0, j_4)) ->
          (select(intP_intM_t1_7_at_L, shift(t1, k_0)) = select(intP_intM_t2_8_at_L,
                                                         shift(t2, k_0))))) ->
        (sum(t1, i_5, j_4, intP_intM_t1_7_at_L) = sum(t2, i_5, j_4,
                                                  intP_intM_t2_8_at_L)))))))))

exception Goto_while_0_break_exc of unit

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter intP_alloc_table : intP alloc_table ref

parameter intP_tag_table : intP tag_table ref

parameter alloc_struct_intP :
 n:int ->
  intP_alloc_table:intP alloc_table ref ->
   intP_tag_table:intP tag_table ref ->
    { } intP pointer writes intP_alloc_table,intP_tag_table
    { (strict_valid_struct_intP(result, (0), sub_int(n, (1)),
       intP_alloc_table)
      and (alloc_extends(intP_alloc_table@, intP_alloc_table)
          and (alloc_fresh(intP_alloc_table@, result, n)
              and instanceof(intP_tag_table, result, intP_tag)))) }

parameter alloc_struct_intP_requires :
 n:int ->
  intP_alloc_table:intP alloc_table ref ->
   intP_tag_table:intP tag_table ref ->
    { ge_int(n, (0))} intP pointer writes intP_alloc_table,intP_tag_table
    { (strict_valid_struct_intP(result, (0), sub_int(n, (1)),
       intP_alloc_table)
      and (alloc_extends(intP_alloc_table@, intP_alloc_table)
          and (alloc_fresh(intP_alloc_table@, result, n)
              and instanceof(intP_tag_table, result, intP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter test1 :
 t_0:intP pointer ->
  n_1:int ->
   intP_t_2_alloc_table:intP alloc_table ->
    intP_intM_t_2:(intP, int) memory ->
     { } int { (JC_12: (result = sum(t_0, (0), n_1, intP_intM_t_2))) }

parameter test1_requires :
 t_0:intP pointer ->
  n_1:int ->
   intP_t_2_alloc_table:intP alloc_table ->
    intP_intM_t_2:(intP, int) memory ->
     { (JC_4:
       ((JC_1: ge_int(n_1, (1)))
       and ((JC_2: le_int(offset_min(intP_t_2_alloc_table, t_0), (0)))
           and (JC_3:
               ge_int(offset_max(intP_t_2_alloc_table, t_0),
               sub_int(n_1, (1)))))))}
     int { (JC_12: (result = sum(t_0, (0), n_1, intP_intM_t_2))) }

parameter test2 :
 t_0_0:intP pointer ->
  n_2:int ->
   intP_intM_t_0_3:(intP, int) memory ref ->
    intP_t_0_3_alloc_table:intP alloc_table ->
     { } unit reads intP_intM_t_0_3 writes intP_intM_t_0_3
     { (JC_46:
       ((JC_44:
        (sum(t_0_0, (0), n_2, intP_intM_t_0_3) = add_int(sum(t_0_0, (0), n_2,
                                                         intP_intM_t_0_3@),
                                                 n_2)))
       and (JC_45:
           not_assigns(intP_t_0_3_alloc_table, intP_intM_t_0_3@,
           intP_intM_t_0_3, pset_all(pset_singleton(t_0_0)))))) }

parameter test2_requires :
 t_0_0:intP pointer ->
  n_2:int ->
   intP_intM_t_0_3:(intP, int) memory ref ->
    intP_t_0_3_alloc_table:intP alloc_table ->
     { (JC_34:
       ((JC_31: ge_int(n_2, (1)))
       and ((JC_32: le_int(offset_min(intP_t_0_3_alloc_table, t_0_0), (0)))
           and (JC_33:
               ge_int(offset_max(intP_t_0_3_alloc_table, t_0_0),
               sub_int(n_2, (1)))))))}
     unit reads intP_intM_t_0_3 writes intP_intM_t_0_3
     { (JC_46:
       ((JC_44:
        (sum(t_0_0, (0), n_2, intP_intM_t_0_3) = add_int(sum(t_0_0, (0), n_2,
                                                         intP_intM_t_0_3@),
                                                 n_2)))
       and (JC_45:
           not_assigns(intP_t_0_3_alloc_table, intP_intM_t_0_3@,
           intP_intM_t_0_3, pset_all(pset_singleton(t_0_0)))))) }

let test1_ensures_default =
 fun (t_0 : intP pointer) (n_1 : int) (intP_t_2_alloc_table : intP alloc_table) (intP_intM_t_2 : (intP, int) memory) ->
  { (JC_9:
    ((JC_6: ge_int(n_1, (1)))
    and ((JC_7: le_int(offset_min(intP_t_2_alloc_table, t_0), (0)))
        and (JC_8:
            ge_int(offset_max(intP_t_2_alloc_table, t_0), sub_int(n_1, (1))))))) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let i = ref (any_int void) in
     (let s_0 = ref (any_int void) in
     try
      begin
        (let _jessie_ = (s_0 := (0)) in void);
       (let _jessie_ = (i := (0)) in void);
       (loop_2:
       begin
         while true do
         { invariant
             (JC_27:
             ((JC_24: le_int((0), i))
             and ((JC_25: le_int(i, n_1))
                 and (JC_26: (s_0 = sum(t_0, (0), i, intP_intM_t_2)))))) 
            }
          begin
            [ { } unit { true } ];
           try
            begin
              (let _jessie_ =
              begin
                (if ((lt_int_ !i) n_1) then void
                else (raise (Goto_while_0_break_exc void)));
               (let _jessie_ =
               begin
                 (s_0 := ((add_int !s_0) ((safe_acc_ intP_intM_t_2) ((shift t_0) !i))));
                !s_0 end in void); (i := ((add_int !i) (1))); !i end in void);
             (raise (Loop_continue_exc void)) end with
            Loop_continue_exc _jessie_ -> void end end done;
        (raise (Goto_while_0_break_exc void)) end) end with
      Goto_while_0_break_exc _jessie_ ->
      (while_0_break: begin   void; (return := !s_0); (raise Return) end) end));
    absurd  end with Return -> !return end))
  { (JC_11: (result = sum(t_0, (0), n_1, intP_intM_t_2))) } 

let test1_safety =
 fun (t_0 : intP pointer) (n_1 : int) (intP_t_2_alloc_table : intP alloc_table) (intP_intM_t_2 : (intP, int) memory) ->
  { (JC_9:
    ((JC_6: ge_int(n_1, (1)))
    and ((JC_7: le_int(offset_min(intP_t_2_alloc_table, t_0), (0)))
        and (JC_8:
            ge_int(offset_max(intP_t_2_alloc_table, t_0), sub_int(n_1, (1))))))) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let i = ref (any_int void) in
     (let s_0 = ref (any_int void) in
     try
      begin
        (let _jessie_ = (s_0 := (0)) in void);
       (let _jessie_ = (i := (0)) in void);
       (loop_1:
       begin
         while true do
         { invariant (JC_20: true) variant (JC_23 : sub_int(n_1, i)) }
          begin
            [ { } unit reads i,s_0
              { (JC_18:
                ((JC_15: le_int((0), i))
                and ((JC_16: le_int(i, n_1))
                    and (JC_17: (s_0 = sum(t_0, (0), i, intP_intM_t_2)))))) } ];
           try
            begin
              (let _jessie_ =
              begin
                (if ((lt_int_ !i) n_1) then void
                else (raise (Goto_while_0_break_exc void)));
               (let _jessie_ =
               begin
                 (s_0 := ((add_int !s_0) (JC_22:
                                         ((((offset_acc_ intP_t_2_alloc_table) intP_intM_t_2) t_0) !i))));
                !s_0 end in void); (i := ((add_int !i) (1))); !i end in void);
             (raise (Loop_continue_exc void)) end with
            Loop_continue_exc _jessie_ -> void end end done;
        (raise (Goto_while_0_break_exc void)) end) end with
      Goto_while_0_break_exc _jessie_ ->
      (while_0_break: begin   void; (return := !s_0); (raise Return) end) end));
    absurd  end with Return -> !return end)) { true } 

let test2_ensures_default =
 fun (t_0_0 : intP pointer) (n_2 : int) (intP_intM_t_0_3 : (intP, int) memory ref) (intP_t_0_3_alloc_table : intP alloc_table) ->
  { (JC_39:
    ((JC_36: ge_int(n_2, (1)))
    and ((JC_37: le_int(offset_min(intP_t_0_3_alloc_table, t_0_0), (0)))
        and (JC_38:
            ge_int(offset_max(intP_t_0_3_alloc_table, t_0_0),
            sub_int(n_2, (1))))))) }
  (init:
  try
   begin
     (let i_0 = ref (any_int void) in
     try
      begin
        (let _jessie_ = (i_0 := (0)) in void);
       (loop_4:
       begin
         while true do
         { invariant
             ((JC_64:
              ((JC_61: le_int((0), i_0))
              and ((JC_62: le_int(i_0, n_2))
                  and (JC_63:
                      (sum(t_0_0, (0), n_2, intP_intM_t_0_3) = add_int(
                                                               sum(t_0_0,
                                                               (0), n_2,
                                                               intP_intM_t_0_3@init),
                                                               i_0))))))
             and (JC_66:
                 not_assigns(intP_t_0_3_alloc_table, intP_intM_t_0_3@init,
                 intP_intM_t_0_3, pset_all(pset_singleton(t_0_0))))) 
            }
          begin
            [ { } unit { true } ];
           try
            begin
              (let _jessie_ =
              begin
                (if ((lt_int_ !i_0) n_2) then void
                else (raise (Goto_while_0_break_exc void)));
               (assert
               { (JC_68:
                 (sum(t_0_0, (0), n_2, intP_intM_t_0_3) = add_int(add_int(
                                                                  sum(t_0_0,
                                                                  (0), i_0,
                                                                  intP_intM_t_0_3),
                                                                  select(intP_intM_t_0_3,
                                                                  shift(t_0_0,
                                                                  i_0))),
                                                          sum(t_0_0,
                                                          add_int(i_0, (1)),
                                                          n_2,
                                                          intP_intM_t_0_3)))) };
               void); void;
               (let _jessie_ =
               (let _jessie_ =
               ((add_int ((safe_acc_ !intP_intM_t_0_3) ((shift t_0_0) !i_0))) (1)) in
               (let _jessie_ = t_0_0 in
               (let _jessie_ = !i_0 in
               (let _jessie_ = ((shift _jessie_) _jessie_) in
               (((safe_upd_ intP_intM_t_0_3) _jessie_) _jessie_))))) in
               void);
               (assert
               { (JC_69:
                 (sum(t_0_0, (0), n_2, intP_intM_t_0_3) = add_int(add_int(
                                                                  sum(t_0_0,
                                                                  (0), i_0,
                                                                  intP_intM_t_0_3),
                                                                  select(intP_intM_t_0_3,
                                                                  shift(t_0_0,
                                                                  i_0))),
                                                          sum(t_0_0,
                                                          add_int(i_0, (1)),
                                                          n_2,
                                                          intP_intM_t_0_3)))) };
               void); void; (i_0 := ((add_int !i_0) (1))); !i_0 end in void);
             (raise (Loop_continue_exc void)) end with
            Loop_continue_exc _jessie_ -> void end end done;
        (raise (Goto_while_0_break_exc void)) end) end with
      Goto_while_0_break_exc _jessie_ ->
      (while_0_break: begin   void; (raise Return) end) end); (raise Return)
   end with Return -> void end)
  { (JC_43:
    ((JC_41:
     (sum(t_0_0, (0), n_2, intP_intM_t_0_3) = add_int(sum(t_0_0, (0), n_2,
                                                      intP_intM_t_0_3@),
                                              n_2)))
    and (JC_42:
        not_assigns(intP_t_0_3_alloc_table, intP_intM_t_0_3@,
        intP_intM_t_0_3, pset_all(pset_singleton(t_0_0)))))) } 

let test2_safety =
 fun (t_0_0 : intP pointer) (n_2 : int) (intP_intM_t_0_3 : (intP, int) memory ref) (intP_t_0_3_alloc_table : intP alloc_table) ->
  { (JC_39:
    ((JC_36: ge_int(n_2, (1)))
    and ((JC_37: le_int(offset_min(intP_t_0_3_alloc_table, t_0_0), (0)))
        and (JC_38:
            ge_int(offset_max(intP_t_0_3_alloc_table, t_0_0),
            sub_int(n_2, (1))))))) }
  (init:
  try
   begin
     (let i_0 = ref (any_int void) in
     try
      begin
        (let _jessie_ = (i_0 := (0)) in void);
       (loop_3:
       begin
         while true do
         { invariant (JC_54: true) variant (JC_60 : sub_int(n_2, i_0)) }
          begin
            [ { } unit reads i_0,intP_intM_t_0_3
              { (JC_52:
                ((JC_49: le_int((0), i_0))
                and ((JC_50: le_int(i_0, n_2))
                    and (JC_51:
                        (sum(t_0_0, (0), n_2, intP_intM_t_0_3) = add_int(
                                                                 sum(t_0_0,
                                                                 (0), n_2,
                                                                 intP_intM_t_0_3@init),
                                                                 i_0)))))) } ];
           try
            begin
              (let _jessie_ =
              begin
                (if ((lt_int_ !i_0) n_2) then void
                else (raise (Goto_while_0_break_exc void)));
               [ { } unit reads i_0,intP_intM_t_0_3
                 { (JC_56:
                   (sum(t_0_0, (0), n_2, intP_intM_t_0_3) = add_int(add_int(
                                                                    sum(t_0_0,
                                                                    (0), i_0,
                                                                    intP_intM_t_0_3),
                                                                    select(intP_intM_t_0_3,
                                                                    shift(t_0_0,
                                                                    i_0))),
                                                            sum(t_0_0,
                                                            add_int(i_0, (1)),
                                                            n_2,
                                                            intP_intM_t_0_3)))) } ];
               void;
               (let _jessie_ =
               (let _jessie_ =
               ((add_int (JC_57:
                         ((((offset_acc_ intP_t_0_3_alloc_table) !intP_intM_t_0_3) t_0_0) !i_0))) (1)) in
               (let _jessie_ = t_0_0 in
               (let _jessie_ = !i_0 in
               (let _jessie_ = ((shift _jessie_) _jessie_) in
               (JC_58:
               (((((offset_upd_ intP_t_0_3_alloc_table) intP_intM_t_0_3) _jessie_) _jessie_) _jessie_)))))) in
               void);
               [ { } unit reads i_0,intP_intM_t_0_3
                 { (JC_59:
                   (sum(t_0_0, (0), n_2, intP_intM_t_0_3) = add_int(add_int(
                                                                    sum(t_0_0,
                                                                    (0), i_0,
                                                                    intP_intM_t_0_3),
                                                                    select(intP_intM_t_0_3,
                                                                    shift(t_0_0,
                                                                    i_0))),
                                                            sum(t_0_0,
                                                            add_int(i_0, (1)),
                                                            n_2,
                                                            intP_intM_t_0_3)))) } ];
               void; (i_0 := ((add_int !i_0) (1))); !i_0 end in void);
             (raise (Loop_continue_exc void)) end with
            Loop_continue_exc _jessie_ -> void end end done;
        (raise (Goto_while_0_break_exc void)) end) end with
      Goto_while_0_break_exc _jessie_ ->
      (while_0_break: begin   void; (raise Return) end) end); (raise Return)
   end with Return -> void end) { true } 


why-2.39/tests/c/oracle/floats_bsearch.res.oracle0000644000106100004300000015556013147234006021034 0ustar  marchevals========== file tests/c/floats_bsearch.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

#pragma JessieFloatModel(full)

/*@ predicate sorted{L}(double *t, integer a, integer b) =
  @    \forall integer i,j; a <= i <= j <= b ==> \le_float(t[i],t[j]);
  @*/

/*@ requires n >= 0 && \valid(t + (0 .. n-1));
  @ requires ! \is_NaN(v);
  @ requires \forall integer i; 0 <= i <= n-1 ==> ! \is_NaN(t[i]);
  @ ensures -1 <= \result < n;
  @ behavior success:
  @   ensures \result >= 0 ==> \eq_float(t[\result],v);
  @ behavior failure:
  @   assumes sorted(t,0,n-1);
  @   ensures \result == -1 ==>
  @     \forall integer k; 0 <= k < n ==> \ne_float(t[k],v);
  @*/
int binary_search(double t[], int n, double v) {
  int l = 0, u = n-1;
  /*@ loop invariant
    @   0 <= l && u <= n-1;
    @ for failure:
    @   loop invariant
    @     \forall integer k;
    @      0 <= k < l ==> \lt_float(t[k],v);
    @   loop invariant
    @     \forall integer k;
    @      u < k <= n-1 ==> \lt_float(v,t[k]);
    @ loop variant u-l;
    @*/
  while (l <= u ) {
    int m = l + (u - l) / 2;
    //@ assert l <= m <= u;
    if (t[m] < v) l = m + 1;
    else if (t[m] > v) u = m - 1;
    else
      {
        // assert ! \is_NaN(t[m]);
        // assert \le_float(t[m],v);
        // assert \ge_float(t[m],v);
        return m;
      }
  }
  return -1;
}

/*
Local Variables:
compile-command: "make floats_bsearch.why3ide"
End:
*/
========== frama-c -jessie execution ==========
[kernel] Parsing FRAMAC_SHARE/libc/__fc_builtin_for_normalization.i (no preprocessing)
[kernel] Parsing tests/c/floats_bsearch.c (with preprocessing)
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/floats_bsearch.jessie
[jessie] File tests/c/floats_bsearch.jessie/floats_bsearch.jc written.
[jessie] File tests/c/floats_bsearch.jessie/floats_bsearch.cloc written.
========== file tests/c/floats_bsearch.jessie/floats_bsearch.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol
# FloatModel = full

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type int8 = -128..127

type int32 = -2147483648..2147483647

tag doubleP = {
  double doubleM: 64;
}

type doubleP = [doubleP]

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

predicate sorted{L}(doubleP[..] t, integer a, integer b) =
(\forall integer i_1;
  (\forall integer j_0;
    ((((a <= i_1) && (i_1 <= j_0)) && (j_0 <= b)) ==>
      \le_double((t + i_1).doubleM, (t + j_0).doubleM))))

int32 binary_search(doubleP[..] t, int32 n_1, double v)
  requires (_C_38 : ((_C_39 : (n_1 >= 0)) &&
                      ((_C_41 : (\offset_min(t) <= 0)) &&
                        (_C_42 : (\offset_max(t) >= (n_1 - 1))))));
  requires (_C_37 : (! \double_is_NaN(v)));
  requires (_C_36 : (\forall integer i_2;
                      (((0 <= i_2) && (i_2 <= (n_1 - 1))) ==>
                        (! \double_is_NaN((t + i_2).doubleM)))));
behavior default:
  ensures (_C_31 : ((_C_32 : ((- 1) <= \result)) &&
                     (_C_33 : (\result < \at(n_1,Old)))));
behavior success:
  ensures (_C_34 : ((\result >= 0) ==>
                     \eq_double((\at(t,Old) + \result).doubleM, \at(v,Old))));
behavior failure:
  assumes sorted{Here}(t, 0, (n_1 - 1));
  ensures (_C_35 : ((\result == (- 1)) ==>
                     (\forall integer k_1;
                       (((0 <= k_1) && (k_1 < \at(n_1,Old))) ==>
                         \ne_double((\at(t,Old) + k_1).doubleM, \at(v,Old))))));
{  
   (var int32 l);
   
   (var int32 u);
   
   (var int32 m);
   
   (var int32 __retres);
   
   {  (_C_1 : (l = 0));
      (_C_4 : (u = (_C_3 : ((_C_2 : (n_1 - 1)) :> int32))));
      
      loop 
      behavior default:
        invariant (_C_8 : ((_C_9 : (0 <= l)) && (_C_10 : (u <= (n_1 - 1)))));
      behavior failure:
        invariant (_C_7 : (\forall integer k;
                            (((0 <= k) && (k < l)) ==>
                              \lt_double((t + k).doubleM, v))));
      behavior failure:
        invariant (_C_6 : (\forall integer k_0;
                            (((u < k_0) && (k_0 <= (n_1 - 1))) ==>
                              \lt_double(v, (t + k_0).doubleM))));
      variant (_C_5 : (u - l));
      while (true)
      {  
         {  (if (l <= u) then () else 
            (goto while_0_break));
            
            {  (_C_17 : (m = (_C_16 : ((_C_15 : (l +
                                                  (_C_14 : ((_C_13 : 
                                                            ((_C_12 : (
                                                             (_C_11 : 
                                                             (u - l)) :> int32)) /
                                                              2)) :> int32)))) :> int32))));
               
               {  
                  (assert for default: (_C_18 : (jessie : ((l <= m) &&
                                                            (m <= u)))));
                  ()
               };
               
               {  (if ((_C_29 : (_C_28 : (t + m)).doubleM) < v) then 
                  (_C_27 : (l = (_C_26 : ((_C_25 : (m + 1)) :> int32)))) else 
                  (if ((_C_24 : (_C_23 : (t + m)).doubleM) > v) then 
                  (_C_22 : (u = (_C_21 : ((_C_20 : (m - 1)) :> int32)))) else 
                  {  (_C_19 : (__retres = m));
                     
                     (goto return_label)
                  }))
               }
            }
         }
      };
      (while_0_break : ());
      (_C_30 : (__retres = -1));
      (return_label : 
      (return __retres))
   }
}
========== file tests/c/floats_bsearch.jessie/floats_bsearch.cloc ==========
[_C_35]
file = "HOME/tests/c/floats_bsearch.c"
line = 46
begin = 14
end = 91

[_C_28]
file = "HOME/tests/c/floats_bsearch.c"
line = 65
begin = 8
end = 9

[_C_31]
file = "HOME/tests/c/floats_bsearch.c"
line = 41
begin = 12
end = 29

[_C_41]
file = "HOME/tests/c/floats_bsearch.c"
line = 38
begin = 26
end = 48

[_C_4]
file = "HOME/tests/c/floats_bsearch.c"
line = 50
begin = 2
end = 5

[_C_32]
file = "HOME/tests/c/floats_bsearch.c"
line = 41
begin = 12
end = 25

[_C_23]
file = "HOME/tests/c/floats_bsearch.c"
line = 66
begin = 13
end = 14

[_C_19]
file = "HOME/tests/c/floats_bsearch.c"
line = 72
begin = 8
end = 17

[_C_42]
file = "HOME/tests/c/floats_bsearch.c"
line = 38
begin = 26
end = 48

[_C_13]
file = "HOME/tests/c/floats_bsearch.c"
line = 63
begin = 16
end = 27

[_C_5]
file = "HOME/tests/c/floats_bsearch.c"
line = 60
begin = 19
end = 22

[_C_36]
file = "HOME/tests/c/floats_bsearch.c"
line = 40
begin = 13
end = 65

[_C_12]
file = "HOME/tests/c/floats_bsearch.c"
line = 63
begin = 17
end = 22

[_C_33]
file = "HOME/tests/c/floats_bsearch.c"
line = 41
begin = 18
end = 29

[_C_22]
file = "HOME/tests/c/floats_bsearch.c"
line = 66
begin = 27
end = 32

[binary_search]
name = "Function binary_search"
file = "HOME/tests/c/floats_bsearch.c"
line = 49
begin = 4
end = 17

[_C_9]
file = "HOME/tests/c/floats_bsearch.c"
line = 52
begin = 8
end = 14

[_C_30]
file = "HOME/tests/c/floats_bsearch.c"
line = 75
begin = 2
end = 12

[_C_6]
file = "HOME/tests/c/floats_bsearch.c"
line = 58
begin = 10
end = 74

[_C_24]
file = "HOME/tests/c/floats_bsearch.c"
line = 66
begin = 13
end = 17

[_C_20]
file = "HOME/tests/c/floats_bsearch.c"
line = 66
begin = 27
end = 32

[_C_38]
file = "HOME/tests/c/floats_bsearch.c"
line = 38
begin = 16
end = 48

[_C_3]
file = "HOME/tests/c/floats_bsearch.c"
line = 50
begin = 17
end = 20

[_C_17]
file = "HOME/tests/c/floats_bsearch.c"
line = 63
begin = 4
end = 7

[_C_7]
file = "HOME/tests/c/floats_bsearch.c"
line = 55
begin = 10
end = 72

[_C_27]
file = "HOME/tests/c/floats_bsearch.c"
line = 65
begin = 22
end = 27

[_C_15]
file = "HOME/tests/c/floats_bsearch.c"
line = 63
begin = 12
end = 27

[_C_26]
file = "HOME/tests/c/floats_bsearch.c"
line = 65
begin = 22
end = 27

[_C_10]
file = "HOME/tests/c/floats_bsearch.c"
line = 52
begin = 18
end = 26

[_C_40]
file = "HOME/tests/c/floats_bsearch.c"
line = 38
begin = 26
end = 48

[_C_8]
file = "HOME/tests/c/floats_bsearch.c"
line = 52
begin = 8
end = 26

[_C_18]
file = "HOME/tests/c/floats_bsearch.c"
line = 64
begin = 22
end = 33

[_C_29]
file = "HOME/tests/c/floats_bsearch.c"
line = 65
begin = 8
end = 12

[_C_14]
file = "HOME/tests/c/floats_bsearch.c"
line = 63
begin = 16
end = 27

[_C_37]
file = "HOME/tests/c/floats_bsearch.c"
line = 39
begin = 13
end = 25

[_C_2]
file = "HOME/tests/c/floats_bsearch.c"
line = 50
begin = 17
end = 20

[_C_34]
file = "HOME/tests/c/floats_bsearch.c"
line = 43
begin = 14
end = 54

[_C_16]
file = "HOME/tests/c/floats_bsearch.c"
line = 63
begin = 12
end = 27

[_C_1]
file = "HOME/tests/c/floats_bsearch.c"
line = 50
begin = 2
end = 5

[_C_25]
file = "HOME/tests/c/floats_bsearch.c"
line = 65
begin = 22
end = 27

[_C_39]
file = "HOME/tests/c/floats_bsearch.c"
line = 38
begin = 16
end = 22

[_C_11]
file = "HOME/tests/c/floats_bsearch.c"
line = 63
begin = 17
end = 22

[_C_21]
file = "HOME/tests/c/floats_bsearch.c"
line = 66
begin = 27
end = 32

========== jessie execution ==========
Generating Why function binary_search
========== file tests/c/floats_bsearch.jessie/floats_bsearch.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why $(WHYLIB)/why/floats_full.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/floats_bsearch_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: floats_bsearch.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: floats_bsearch.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: floats_bsearch.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/c/floats_bsearch.jessie/floats_bsearch.loc ==========
[JC_63]
file = "HOME/tests/c/floats_bsearch.c"
line = 52
begin = 18
end = 26

[JC_51]
file = "HOME/tests/c/floats_bsearch.c"
line = 64
begin = 22
end = 33

[binary_search_ensures_default]
name = "Function binary_search"
behavior = "default behavior"
file = "HOME/tests/c/floats_bsearch.c"
line = 49
begin = 4
end = 17

[JC_45]
file = "HOME/tests/c/floats_bsearch.c"
line = 52
begin = 18
end = 26

[JC_64]
file = "HOME/tests/c/floats_bsearch.c"
line = 52
begin = 8
end = 26

[JC_31]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_17]
file = "HOME/tests/c/floats_bsearch.c"
line = 41
begin = 12
end = 29

[JC_55]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_48]
file = "HOME/tests/c/floats_bsearch.jessie/floats_bsearch.jc"
line = 81
begin = 6
end = 1814

[JC_23]
file = "HOME/tests/c/floats_bsearch.c"
line = 43
begin = 14
end = 54

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/tests/c/floats_bsearch.c"
line = 40
begin = 13
end = 65

[JC_67]
file = "HOME/tests/c/floats_bsearch.jessie/floats_bsearch.jc"
line = 81
begin = 6
end = 1814

[JC_9]
file = "HOME/tests/c/floats_bsearch.c"
line = 38
begin = 26
end = 48

[JC_24]
file = "HOME/tests/c/floats_bsearch.c"
line = 43
begin = 14
end = 54

[JC_25]
file = "HOME/tests/c/floats_bsearch.c"
line = 46
begin = 14
end = 91

[JC_41]
kind = PointerDeref
file = "HOME/tests/c/floats_bsearch.c"
line = 66
begin = 13
end = 17

[JC_47]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_52]
file = "HOME/tests/c/floats_bsearch.c"
line = 52
begin = 8
end = 14

[JC_26]
file = "HOME/tests/c/floats_bsearch.c"
line = 46
begin = 14
end = 91

[JC_8]
file = "HOME/tests/c/floats_bsearch.c"
line = 38
begin = 16
end = 22

[JC_54]
file = "HOME/tests/c/floats_bsearch.c"
line = 52
begin = 8
end = 26

[JC_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[binary_search_ensures_success]
name = "Function binary_search"
behavior = "Behavior `success'"
file = "HOME/tests/c/floats_bsearch.c"
line = 49
begin = 4
end = 17

[binary_search_ensures_failure]
name = "Function binary_search"
behavior = "Behavior `failure'"
file = "HOME/tests/c/floats_bsearch.c"
line = 49
begin = 4
end = 17

[JC_11]
file = "HOME/tests/c/floats_bsearch.c"
line = 39
begin = 13
end = 25

[JC_15]
file = "HOME/tests/c/floats_bsearch.c"
line = 41
begin = 12
end = 25

[JC_36]
kind = ArithOverflow
file = "HOME/tests/c/floats_bsearch.c"
line = 63
begin = 16
end = 27

[JC_39]
kind = PointerDeref
file = "HOME/tests/c/floats_bsearch.c"
line = 65
begin = 8
end = 12

[JC_40]
kind = ArithOverflow
file = "HOME/tests/c/floats_bsearch.c"
line = 65
begin = 22
end = 27

[JC_35]
kind = DivByZero
file = "HOME/tests/c/floats_bsearch.c"
line = 63
begin = 16
end = 27

[JC_27]
kind = ArithOverflow
file = "HOME/tests/c/floats_bsearch.c"
line = 50
begin = 17
end = 20

[JC_69]
file = "HOME/tests/c/floats_bsearch.c"
line = 64
begin = 22
end = 33

[JC_38]
file = "HOME/tests/c/floats_bsearch.c"
line = 64
begin = 22
end = 33

[JC_12]
file = "HOME/tests/c/floats_bsearch.c"
line = 40
begin = 13
end = 65

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_44]
file = "HOME/tests/c/floats_bsearch.c"
line = 52
begin = 8
end = 14

[JC_4]
file = "HOME/tests/c/floats_bsearch.c"
line = 39
begin = 13
end = 25

[JC_62]
file = "HOME/tests/c/floats_bsearch.c"
line = 52
begin = 8
end = 14

[JC_42]
kind = ArithOverflow
file = "HOME/tests/c/floats_bsearch.c"
line = 66
begin = 27
end = 32

[JC_46]
file = "HOME/tests/c/floats_bsearch.c"
line = 52
begin = 8
end = 26

[JC_61]
file = "HOME/tests/c/floats_bsearch.c"
line = 55
begin = 10
end = 72

[JC_32]
file = "HOME/tests/c/floats_bsearch.jessie/floats_bsearch.jc"
line = 81
begin = 6
end = 1814

[JC_56]
file = "HOME/tests/c/floats_bsearch.jessie/floats_bsearch.jc"
line = 81
begin = 6
end = 1814

[JC_33]
file = "HOME/tests/c/floats_bsearch.jessie/floats_bsearch.jc"
line = 81
begin = 6
end = 1814

[JC_65]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_29]
file = "HOME/tests/c/floats_bsearch.c"
line = 52
begin = 18
end = 26

[JC_68]
kind = DivByZero
file = "HOME/tests/c/floats_bsearch.c"
line = 63
begin = 16
end = 27

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/tests/c/floats_bsearch.c"
line = 41
begin = 18
end = 29

[JC_43]
file = "HOME/tests/c/floats_bsearch.c"
line = 60
begin = 19
end = 22

[JC_2]
file = "HOME/tests/c/floats_bsearch.c"
line = 38
begin = 26
end = 48

[JC_34]
kind = ArithOverflow
file = "HOME/tests/c/floats_bsearch.c"
line = 63
begin = 17
end = 22

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_53]
file = "HOME/tests/c/floats_bsearch.c"
line = 52
begin = 18
end = 26

[JC_21]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_49]
file = "HOME/tests/c/floats_bsearch.jessie/floats_bsearch.jc"
line = 81
begin = 6
end = 1814

[JC_1]
file = "HOME/tests/c/floats_bsearch.c"
line = 38
begin = 16
end = 22

[JC_37]
kind = ArithOverflow
file = "HOME/tests/c/floats_bsearch.c"
line = 63
begin = 12
end = 27

[JC_10]
file = "HOME/tests/c/floats_bsearch.c"
line = 38
begin = 26
end = 48

[JC_57]
file = "HOME/tests/c/floats_bsearch.jessie/floats_bsearch.jc"
line = 81
begin = 6
end = 1814

[JC_66]
file = "HOME/tests/c/floats_bsearch.jessie/floats_bsearch.jc"
line = 81
begin = 6
end = 1814

[JC_59]
file = "HOME/tests/c/floats_bsearch.c"
line = 64
begin = 22
end = 33

[JC_20]
file = "HOME/tests/c/floats_bsearch.c"
line = 41
begin = 12
end = 29

[JC_18]
file = "HOME/tests/c/floats_bsearch.c"
line = 41
begin = 12
end = 25

[JC_3]
file = "HOME/tests/c/floats_bsearch.c"
line = 38
begin = 26
end = 48

[JC_60]
file = "HOME/tests/c/floats_bsearch.c"
line = 58
begin = 10
end = 74

[JC_19]
file = "HOME/tests/c/floats_bsearch.c"
line = 41
begin = 18
end = 29

[JC_50]
kind = DivByZero
file = "HOME/tests/c/floats_bsearch.c"
line = 63
begin = 16
end = 27

[binary_search_safety]
name = "Function binary_search"
behavior = "Safety"
file = "HOME/tests/c/floats_bsearch.c"
line = 49
begin = 4
end = 17

[JC_30]
file = "HOME/tests/c/floats_bsearch.c"
line = 52
begin = 8
end = 26

[JC_58]
kind = DivByZero
file = "HOME/tests/c/floats_bsearch.c"
line = 63
begin = 16
end = 27

[JC_28]
file = "HOME/tests/c/floats_bsearch.c"
line = 52
begin = 8
end = 14

========== file tests/c/floats_bsearch.jessie/why/floats_bsearch.why ==========
type charP

type doubleP

type int32

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic doubleP_tag:  -> doubleP tag_id

axiom doubleP_int : (int_of_tag(doubleP_tag) = (1))

logic doubleP_of_pointer_address: unit pointer -> doubleP pointer

axiom doubleP_of_pointer_address_of_pointer_addr :
 (forall p:doubleP pointer.
  (p = doubleP_of_pointer_address(pointer_address(p))))

axiom doubleP_parenttag_bottom : parenttag(doubleP_tag, bottom_tag)

axiom doubleP_tags :
 (forall x:doubleP pointer.
  (forall doubleP_tag_table:doubleP tag_table.
   instanceof(doubleP_tag_table, x, doubleP_tag)))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_doubleP(p:doubleP pointer, a:int,
 doubleP_alloc_table:doubleP alloc_table) =
 (offset_min(doubleP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

axiom pointer_addr_of_doubleP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(doubleP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_doubleP(p:doubleP pointer, b:int,
 doubleP_alloc_table:doubleP alloc_table) =
 (offset_max(doubleP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate sorted(t:doubleP pointer, a:int, b:int,
 doubleP_doubleM_t_1_at_L:(doubleP, double) memory) =
 (forall i_1:int.
  (forall j_0:int.
   ((le_int(a, i_1) and (le_int(i_1, j_0) and le_int(j_0, b))) ->
    le_double_full(select(doubleP_doubleM_t_1_at_L, shift(t, i_1)),
    select(doubleP_doubleM_t_1_at_L, shift(t, j_0))))))

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_doubleP(p:doubleP pointer, a:int, b:int,
 doubleP_alloc_table:doubleP alloc_table) =
 ((offset_min(doubleP_alloc_table, p) = a)
 and (offset_max(doubleP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_doubleP(p:doubleP pointer, a:int, b:int,
 doubleP_alloc_table:doubleP alloc_table) =
 ((offset_min(doubleP_alloc_table, p) = a)
 and (offset_max(doubleP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_doubleP(p:doubleP pointer, a:int, b:int,
 doubleP_alloc_table:doubleP alloc_table) =
 ((offset_min(doubleP_alloc_table, p) <= a)
 and (offset_max(doubleP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_doubleP(p:doubleP pointer, a:int, b:int,
 doubleP_alloc_table:doubleP alloc_table) =
 ((offset_min(doubleP_alloc_table, p) <= a)
 and (offset_max(doubleP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

exception Goto_while_0_break_exc of unit

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter doubleP_alloc_table : doubleP alloc_table ref

parameter doubleP_tag_table : doubleP tag_table ref

parameter alloc_struct_doubleP :
 n:int ->
  doubleP_alloc_table:doubleP alloc_table ref ->
   doubleP_tag_table:doubleP tag_table ref ->
    { } doubleP pointer writes doubleP_alloc_table,doubleP_tag_table
    { (strict_valid_struct_doubleP(result, (0), sub_int(n, (1)),
       doubleP_alloc_table)
      and (alloc_extends(doubleP_alloc_table@, doubleP_alloc_table)
          and (alloc_fresh(doubleP_alloc_table@, result, n)
              and instanceof(doubleP_tag_table, result, doubleP_tag)))) }

parameter alloc_struct_doubleP_requires :
 n:int ->
  doubleP_alloc_table:doubleP alloc_table ref ->
   doubleP_tag_table:doubleP tag_table ref ->
    { ge_int(n, (0))} doubleP pointer
    writes doubleP_alloc_table,doubleP_tag_table
    { (strict_valid_struct_doubleP(result, (0), sub_int(n, (1)),
       doubleP_alloc_table)
      and (alloc_extends(doubleP_alloc_table@, doubleP_alloc_table)
          and (alloc_fresh(doubleP_alloc_table@, result, n)
              and instanceof(doubleP_tag_table, result, doubleP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int32 : unit -> { } int32 { true }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter binary_search :
 t_0:doubleP pointer ->
  n_1:int32 ->
   v:double ->
    doubleP_t_2_alloc_table:doubleP alloc_table ->
     doubleP_doubleM_t_2:(doubleP, double) memory ->
      { } int32
      { ((sorted(t_0, (0), sub_int(integer_of_int32(n_1), (1)),
          doubleP_doubleM_t_2) ->
          (JC_26:
          ((integer_of_int32(result) = neg_int((1))) ->
           (forall k_1:int.
            ((le_int((0), k_1) and lt_int(k_1, integer_of_int32(n_1))) ->
             ne_double_full(select(doubleP_doubleM_t_2, shift(t_0, k_1)), v))))))
        and ((JC_24:
             (ge_int(integer_of_int32(result), (0)) ->
              eq_double_full(select(doubleP_doubleM_t_2,
                             shift(t_0, integer_of_int32(result))),
              v)))
            and (JC_20:
                ((JC_18: le_int(neg_int((1)), integer_of_int32(result)))
                and (JC_19:
                    lt_int(integer_of_int32(result), integer_of_int32(n_1))))))) }

parameter binary_search_requires :
 t_0:doubleP pointer ->
  n_1:int32 ->
   v:double ->
    doubleP_t_2_alloc_table:doubleP alloc_table ->
     doubleP_doubleM_t_2:(doubleP, double) memory ->
      { (JC_6:
        ((JC_1: ge_int(integer_of_int32(n_1), (0)))
        and ((JC_2: le_int(offset_min(doubleP_t_2_alloc_table, t_0), (0)))
            and ((JC_3:
                 ge_int(offset_max(doubleP_t_2_alloc_table, t_0),
                 sub_int(integer_of_int32(n_1), (1))))
                and ((JC_4: (not double_is_NaN(v)))
                    and (JC_5:
                        (forall i_2:int.
                         ((le_int((0), i_2)
                          and le_int(i_2,
                              sub_int(integer_of_int32(n_1), (1)))) ->
                          (not double_is_NaN(select(doubleP_doubleM_t_2,
                                             shift(t_0, i_2))))))))))))}
      int32
      { ((sorted(t_0, (0), sub_int(integer_of_int32(n_1), (1)),
          doubleP_doubleM_t_2) ->
          (JC_26:
          ((integer_of_int32(result) = neg_int((1))) ->
           (forall k_1:int.
            ((le_int((0), k_1) and lt_int(k_1, integer_of_int32(n_1))) ->
             ne_double_full(select(doubleP_doubleM_t_2, shift(t_0, k_1)), v))))))
        and ((JC_24:
             (ge_int(integer_of_int32(result), (0)) ->
              eq_double_full(select(doubleP_doubleM_t_2,
                             shift(t_0, integer_of_int32(result))),
              v)))
            and (JC_20:
                ((JC_18: le_int(neg_int((1)), integer_of_int32(result)))
                and (JC_19:
                    lt_int(integer_of_int32(result), integer_of_int32(n_1))))))) }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let binary_search_ensures_default =
 fun (t_0 : doubleP pointer) (n_1 : int32) (v : double) (doubleP_t_2_alloc_table : doubleP alloc_table) (doubleP_doubleM_t_2 : (doubleP, double) memory) ->
  { (JC_13:
    ((JC_8: ge_int(integer_of_int32(n_1), (0)))
    and ((JC_9: le_int(offset_min(doubleP_t_2_alloc_table, t_0), (0)))
        and ((JC_10:
             ge_int(offset_max(doubleP_t_2_alloc_table, t_0),
             sub_int(integer_of_int32(n_1), (1))))
            and ((JC_11: (not double_is_NaN(v)))
                and (JC_12:
                    (forall i_2:int.
                     ((le_int((0), i_2)
                      and le_int(i_2, sub_int(integer_of_int32(n_1), (1)))) ->
                      (not double_is_NaN(select(doubleP_doubleM_t_2,
                                         shift(t_0, i_2)))))))))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let l = ref (any_int32 void) in
     (let u = ref (any_int32 void) in
     (let m = ref (any_int32 void) in
     (let __retres = ref (any_int32 void) in
     try
      begin
        try
         begin
           (let _jessie_ = (l := (safe_int32_of_integer_ (0))) in void);
          (let _jessie_ =
          (u := (safe_int32_of_integer_ ((sub_int (integer_of_int32 n_1)) (1)))) in
          void);
          (loop_2:
          begin
            while true do
            { invariant
                (JC_46:
                ((JC_44: le_int((0), integer_of_int32(l)))
                and (JC_45:
                    le_int(integer_of_int32(u),
                    sub_int(integer_of_int32(n_1), (1))))))  }
             begin
               [ { } unit { true } ];
              try
               begin
                 (if ((le_int_ (integer_of_int32 !l)) (integer_of_int32 !u))
                 then void else (raise (Goto_while_0_break_exc void)));
                (let _jessie_ =
                (m := (safe_int32_of_integer_ ((add_int (integer_of_int32 !l)) 
                                               (integer_of_int32 (safe_int32_of_integer_ 
                                                                  (JC_50:
                                                                  ((computer_div 
                                                                    (integer_of_int32 
                                                                    (safe_int32_of_integer_ 
                                                                    ((sub_int 
                                                                    (integer_of_int32 !u)) 
                                                                    (integer_of_int32 !l))))) (2)))))))) in
                void);
                (assert
                { (JC_51:
                  (le_int(integer_of_int32(l), integer_of_int32(m))
                  and le_int(integer_of_int32(m), integer_of_int32(u)))) };
                void); void;
                (if ((lt_double_ ((safe_acc_ doubleP_doubleM_t_2) ((shift t_0) 
                                                                   (integer_of_int32 !m)))) v)
                then
                 (let _jessie_ =
                 (l := (safe_int32_of_integer_ ((add_int (integer_of_int32 !m)) (1)))) in
                 void)
                else
                 (if ((gt_double_ ((safe_acc_ doubleP_doubleM_t_2) ((shift t_0) 
                                                                    (integer_of_int32 !m)))) v)
                 then
                  (let _jessie_ =
                  (u := (safe_int32_of_integer_ ((sub_int (integer_of_int32 !m)) (1)))) in
                  void)
                 else
                  begin
                    (let _jessie_ = (__retres := !m) in void);
                   (raise (Return_label_exc void)) end));
                (raise (Loop_continue_exc void)) end with
               Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ ->
         (let _jessie_ =
         (while_0_break:
         begin
           void; (__retres := (safe_int32_of_integer_ (neg_int (1))));
          !__retres end) in void) end; (raise (Return_label_exc void)) end
      with Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres); (raise Return) end) end))));
    absurd  end with Return -> !return end))
  { (JC_17:
    ((JC_15: le_int(neg_int((1)), integer_of_int32(result)))
    and (JC_16: lt_int(integer_of_int32(result), integer_of_int32(n_1))))) } 

let binary_search_ensures_failure =
 fun (t_0 : doubleP pointer) (n_1 : int32) (v : double) (doubleP_t_2_alloc_table : doubleP alloc_table) (doubleP_doubleM_t_2 : (doubleP, double) memory) ->
  { (sorted(t_0, (0), sub_int(integer_of_int32(n_1), (1)),
     doubleP_doubleM_t_2)
    and (JC_13:
        ((JC_8: ge_int(integer_of_int32(n_1), (0)))
        and ((JC_9: le_int(offset_min(doubleP_t_2_alloc_table, t_0), (0)))
            and ((JC_10:
                 ge_int(offset_max(doubleP_t_2_alloc_table, t_0),
                 sub_int(integer_of_int32(n_1), (1))))
                and ((JC_11: (not double_is_NaN(v)))
                    and (JC_12:
                        (forall i_2:int.
                         ((le_int((0), i_2)
                          and le_int(i_2,
                              sub_int(integer_of_int32(n_1), (1)))) ->
                          (not double_is_NaN(select(doubleP_doubleM_t_2,
                                             shift(t_0, i_2))))))))))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let l = ref (any_int32 void) in
     (let u = ref (any_int32 void) in
     (let m = ref (any_int32 void) in
     (let __retres = ref (any_int32 void) in
     try
      begin
        try
         begin
           (let _jessie_ = (l := (safe_int32_of_integer_ (0))) in void);
          (let _jessie_ =
          (u := (safe_int32_of_integer_ ((sub_int (integer_of_int32 n_1)) (1)))) in
          void);
          (loop_4:
          begin
            while true do
            { invariant
                ((JC_60:
                 (forall k_0:int.
                  ((lt_int(integer_of_int32(u), k_0)
                   and le_int(k_0, sub_int(integer_of_int32(n_1), (1)))) ->
                   lt_double_full(v,
                   select(doubleP_doubleM_t_2, shift(t_0, k_0))))))
                and (JC_61:
                    (forall k:int.
                     ((le_int((0), k) and lt_int(k, integer_of_int32(l))) ->
                      lt_double_full(select(doubleP_doubleM_t_2,
                                     shift(t_0, k)),
                      v)))))  }
             begin
               [ { } unit reads l,u
                 { (JC_64:
                   ((JC_62: le_int((0), integer_of_int32(l)))
                   and (JC_63:
                       le_int(integer_of_int32(u),
                       sub_int(integer_of_int32(n_1), (1)))))) } ];
              try
               begin
                 (if ((le_int_ (integer_of_int32 !l)) (integer_of_int32 !u))
                 then void else (raise (Goto_while_0_break_exc void)));
                (let _jessie_ =
                (m := (safe_int32_of_integer_ ((add_int (integer_of_int32 !l)) 
                                               (integer_of_int32 (safe_int32_of_integer_ 
                                                                  (JC_68:
                                                                  ((computer_div 
                                                                    (integer_of_int32 
                                                                    (safe_int32_of_integer_ 
                                                                    ((sub_int 
                                                                    (integer_of_int32 !u)) 
                                                                    (integer_of_int32 !l))))) (2)))))))) in
                void);
                [ { } unit reads l,m,u
                  { (JC_69:
                    (le_int(integer_of_int32(l), integer_of_int32(m))
                    and le_int(integer_of_int32(m), integer_of_int32(u)))) } ];
                void;
                (if ((lt_double_ ((safe_acc_ doubleP_doubleM_t_2) ((shift t_0) 
                                                                   (integer_of_int32 !m)))) v)
                then
                 (let _jessie_ =
                 (l := (safe_int32_of_integer_ ((add_int (integer_of_int32 !m)) (1)))) in
                 void)
                else
                 (if ((gt_double_ ((safe_acc_ doubleP_doubleM_t_2) ((shift t_0) 
                                                                    (integer_of_int32 !m)))) v)
                 then
                  (let _jessie_ =
                  (u := (safe_int32_of_integer_ ((sub_int (integer_of_int32 !m)) (1)))) in
                  void)
                 else
                  begin
                    (let _jessie_ = (__retres := !m) in void);
                   (raise (Return_label_exc void)) end));
                (raise (Loop_continue_exc void)) end with
               Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ ->
         (let _jessie_ =
         (while_0_break:
         begin
           void; (__retres := (safe_int32_of_integer_ (neg_int (1))));
          !__retres end) in void) end; (raise (Return_label_exc void)) end
      with Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres); (raise Return) end) end))));
    absurd  end with Return -> !return end))
  { (JC_25:
    ((integer_of_int32(result) = neg_int((1))) ->
     (forall k_1:int.
      ((le_int((0), k_1) and lt_int(k_1, integer_of_int32(n_1))) ->
       ne_double_full(select(doubleP_doubleM_t_2, shift(t_0, k_1)), v))))) } 

let binary_search_ensures_success =
 fun (t_0 : doubleP pointer) (n_1 : int32) (v : double) (doubleP_t_2_alloc_table : doubleP alloc_table) (doubleP_doubleM_t_2 : (doubleP, double) memory) ->
  { (JC_13:
    ((JC_8: ge_int(integer_of_int32(n_1), (0)))
    and ((JC_9: le_int(offset_min(doubleP_t_2_alloc_table, t_0), (0)))
        and ((JC_10:
             ge_int(offset_max(doubleP_t_2_alloc_table, t_0),
             sub_int(integer_of_int32(n_1), (1))))
            and ((JC_11: (not double_is_NaN(v)))
                and (JC_12:
                    (forall i_2:int.
                     ((le_int((0), i_2)
                      and le_int(i_2, sub_int(integer_of_int32(n_1), (1)))) ->
                      (not double_is_NaN(select(doubleP_doubleM_t_2,
                                         shift(t_0, i_2)))))))))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let l = ref (any_int32 void) in
     (let u = ref (any_int32 void) in
     (let m = ref (any_int32 void) in
     (let __retres = ref (any_int32 void) in
     try
      begin
        try
         begin
           (let _jessie_ = (l := (safe_int32_of_integer_ (0))) in void);
          (let _jessie_ =
          (u := (safe_int32_of_integer_ ((sub_int (integer_of_int32 n_1)) (1)))) in
          void);
          (loop_3:
          begin
            while true do
            { invariant (JC_56: true)  }
             begin
               [ { } unit reads l,u
                 { (JC_54:
                   ((JC_52: le_int((0), integer_of_int32(l)))
                   and (JC_53:
                       le_int(integer_of_int32(u),
                       sub_int(integer_of_int32(n_1), (1)))))) } ];
              try
               begin
                 (if ((le_int_ (integer_of_int32 !l)) (integer_of_int32 !u))
                 then void else (raise (Goto_while_0_break_exc void)));
                (let _jessie_ =
                (m := (safe_int32_of_integer_ ((add_int (integer_of_int32 !l)) 
                                               (integer_of_int32 (safe_int32_of_integer_ 
                                                                  (JC_58:
                                                                  ((computer_div 
                                                                    (integer_of_int32 
                                                                    (safe_int32_of_integer_ 
                                                                    ((sub_int 
                                                                    (integer_of_int32 !u)) 
                                                                    (integer_of_int32 !l))))) (2)))))))) in
                void);
                [ { } unit reads l,m,u
                  { (JC_59:
                    (le_int(integer_of_int32(l), integer_of_int32(m))
                    and le_int(integer_of_int32(m), integer_of_int32(u)))) } ];
                void;
                (if ((lt_double_ ((safe_acc_ doubleP_doubleM_t_2) ((shift t_0) 
                                                                   (integer_of_int32 !m)))) v)
                then
                 (let _jessie_ =
                 (l := (safe_int32_of_integer_ ((add_int (integer_of_int32 !m)) (1)))) in
                 void)
                else
                 (if ((gt_double_ ((safe_acc_ doubleP_doubleM_t_2) ((shift t_0) 
                                                                    (integer_of_int32 !m)))) v)
                 then
                  (let _jessie_ =
                  (u := (safe_int32_of_integer_ ((sub_int (integer_of_int32 !m)) (1)))) in
                  void)
                 else
                  begin
                    (let _jessie_ = (__retres := !m) in void);
                   (raise (Return_label_exc void)) end));
                (raise (Loop_continue_exc void)) end with
               Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ ->
         (let _jessie_ =
         (while_0_break:
         begin
           void; (__retres := (safe_int32_of_integer_ (neg_int (1))));
          !__retres end) in void) end; (raise (Return_label_exc void)) end
      with Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres); (raise Return) end) end))));
    absurd  end with Return -> !return end))
  { (JC_23:
    (ge_int(integer_of_int32(result), (0)) ->
     eq_double_full(select(doubleP_doubleM_t_2,
                    shift(t_0, integer_of_int32(result))),
     v))) } 

let binary_search_safety =
 fun (t_0 : doubleP pointer) (n_1 : int32) (v : double) (doubleP_t_2_alloc_table : doubleP alloc_table) (doubleP_doubleM_t_2 : (doubleP, double) memory) ->
  { (JC_13:
    ((JC_8: ge_int(integer_of_int32(n_1), (0)))
    and ((JC_9: le_int(offset_min(doubleP_t_2_alloc_table, t_0), (0)))
        and ((JC_10:
             ge_int(offset_max(doubleP_t_2_alloc_table, t_0),
             sub_int(integer_of_int32(n_1), (1))))
            and ((JC_11: (not double_is_NaN(v)))
                and (JC_12:
                    (forall i_2:int.
                     ((le_int((0), i_2)
                      and le_int(i_2, sub_int(integer_of_int32(n_1), (1)))) ->
                      (not double_is_NaN(select(doubleP_doubleM_t_2,
                                         shift(t_0, i_2)))))))))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let l = ref (any_int32 void) in
     (let u = ref (any_int32 void) in
     (let m = ref (any_int32 void) in
     (let __retres = ref (any_int32 void) in
     try
      begin
        try
         begin
           (let _jessie_ = (l := (safe_int32_of_integer_ (0))) in void);
          (let _jessie_ =
          (u := (JC_27:
                (int32_of_integer_ ((sub_int (integer_of_int32 n_1)) (1))))) in
          void);
          (loop_1:
          begin
            while true do
            { invariant (JC_32: true)
              variant (JC_43 : sub_int(integer_of_int32(u),
                               integer_of_int32(l))) }
             begin
               [ { } unit reads l,u
                 { (JC_30:
                   ((JC_28: le_int((0), integer_of_int32(l)))
                   and (JC_29:
                       le_int(integer_of_int32(u),
                       sub_int(integer_of_int32(n_1), (1)))))) } ];
              try
               begin
                 (if ((le_int_ (integer_of_int32 !l)) (integer_of_int32 !u))
                 then void else (raise (Goto_while_0_break_exc void)));
                (let _jessie_ =
                (m := (JC_37:
                      (int32_of_integer_ ((add_int (integer_of_int32 !l)) 
                                          (integer_of_int32 (JC_36:
                                                            (int32_of_integer_ 
                                                             (JC_35:
                                                             ((computer_div_ 
                                                               (integer_of_int32 
                                                                (JC_34:
                                                                (int32_of_integer_ 
                                                                 ((sub_int 
                                                                   (integer_of_int32 !u)) 
                                                                  (integer_of_int32 !l)))))) (2)))))))))) in
                void);
                [ { } unit reads l,m,u
                  { (JC_38:
                    (le_int(integer_of_int32(l), integer_of_int32(m))
                    and le_int(integer_of_int32(m), integer_of_int32(u)))) } ];
                void;
                (if ((lt_double_ (JC_39:
                                 ((((offset_acc_ doubleP_t_2_alloc_table) doubleP_doubleM_t_2) t_0) 
                                  (integer_of_int32 !m)))) v)
                then
                 (let _jessie_ =
                 (l := (JC_40:
                       (int32_of_integer_ ((add_int (integer_of_int32 !m)) (1))))) in
                 void)
                else
                 (if ((gt_double_ (JC_41:
                                  ((((offset_acc_ doubleP_t_2_alloc_table) doubleP_doubleM_t_2) t_0) 
                                   (integer_of_int32 !m)))) v)
                 then
                  (let _jessie_ =
                  (u := (JC_42:
                        (int32_of_integer_ ((sub_int (integer_of_int32 !m)) (1))))) in
                  void)
                 else
                  begin
                    (let _jessie_ = (__retres := !m) in void);
                   (raise (Return_label_exc void)) end));
                (raise (Loop_continue_exc void)) end with
               Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ ->
         (let _jessie_ =
         (while_0_break:
         begin
           void; (__retres := (safe_int32_of_integer_ (neg_int (1))));
          !__retres end) in void) end; (raise (Return_label_exc void)) end
      with Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres); (raise Return) end) end))));
    absurd  end with Return -> !return end)) { true } 


why-2.39/tests/c/oracle/binary_search.err.oracle0000644000106100004300000000000013147234006020637 0ustar  marchevalswhy-2.39/tests/c/oracle/sparse_array.err.oracle0000644000106100004300000000000013147234006020521 0ustar  marchevalswhy-2.39/tests/c/oracle/insertion_sort.res.oracle0000644000106100004300000012572113147234006021132 0ustar  marchevals========== file tests/c/insertion_sort.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

// RUNSIMPLIFY: will ask regtests to run Simplify on this program

#pragma JessieIntegerModel(math)

#include "sorting.h"

/*@ requires \valid(t+(0..n-1));
  @ ensures Sorted(t,0,n-1);
  @*/
void insert_sort(int t[], int n) {
  int i,j;
  int mv;
  if (n <= 1) return;
  /*@ loop invariant 0 <= i <= n;
    @ loop invariant Sorted(t,0,i);
    @ loop variant n-i;
    @*/
  for (i=1; i Sorted(t,0,i);
      @ loop invariant j < i ==> Sorted(t,0,i+1);
      @ loop invariant \forall integer k; j <= k < i ==> t[k] > mv;
      @ loop variant j;
      @*/
    // look for the right index j to put t[i]
    for (j=i; j > 0; j--) {
      if (t[j-1] <= mv) break;
      t[j] = t[j-1];
    }
    t[j] = mv;
  }
}


/*
Local Variables:
compile-command: "make insertion_sort.why3ide"
End:
*/
========== frama-c -jessie execution ==========
[kernel] Parsing FRAMAC_SHARE/libc/__fc_builtin_for_normalization.i (no preprocessing)
[kernel] Parsing tests/c/insertion_sort.c (with preprocessing)
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/insertion_sort.jessie
[jessie] File tests/c/insertion_sort.jessie/insertion_sort.jc written.
[jessie] File tests/c/insertion_sort.jessie/insertion_sort.cloc written.
========== file tests/c/insertion_sort.jessie/insertion_sort.jc ==========
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

tag intP = {
  integer intM: 32;
}

type intP = [intP]

tag unsigned_charP = {
  integer unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  integer charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

predicate Swap{L1, L2}(intP[..] a, integer i_1, integer j_0) =
(((\at((a + i_1).intM,L1) == \at((a + j_0).intM,L2)) &&
   (\at((a + j_0).intM,L1) == \at((a + i_1).intM,L2))) &&
  (\forall integer k;
    (((k != i_1) && (k != j_0)) ==>
      (\at((a + k).intM,L1) == \at((a + k).intM,L2)))))

predicate Permut{L1, L2}(intP[..] a_0, integer l, integer h) {
case Permut_refl{L}: \at((\forall intP[..] a_1;
                           (\forall integer l_0;
                             (\forall integer h_0;
                               Permut{L,
                               L}(a_1, l_0, h_0)))),L);
  
  case Permut_sym{L1, L2}: (\forall intP[..] a_2;
                             (\forall integer l_1;
                               (\forall integer h_1;
                                 (Permut{L1,
                                   L2}(a_2, l_1, h_1) ==>
                                   Permut{L2,
                                   L1}(a_2, l_1, h_1)))));
  
  case Permut_trans{L1, L2, L3}: (\forall intP[..] a_3;
                                   (\forall integer l_2;
                                     (\forall integer h_2;
                                       ((Permut{L1,
                                          L2}(a_3, l_2, h_2) &&
                                          Permut{L2,
                                          L3}(a_3, l_2, h_2)) ==>
                                         Permut{L1,
                                         L3}(a_3, l_2, h_2)))));
  
  case Permut_swap{L1, L2}: (\forall intP[..] a_4;
                              (\forall integer l_3;
                                (\forall integer h_3;
                                  (\forall integer i_2;
                                    (\forall integer j_1;
                                      ((((((l_3 <= i_2) && (i_2 <= h_3)) &&
                                           (l_3 <= j_1)) &&
                                          (j_1 <= h_3)) &&
                                         Swap{L1,
                                         L2}(a_4, i_2, j_1)) ==>
                                        Permut{L1,
                                        L2}(a_4, l_3, h_3)))))));
  
}

predicate Sorted{L}(intP[..] a_5, integer l_4, integer h_4) =
(\forall integer i_3;
  (\forall integer j_2;
    ((((l_4 <= i_3) && (i_3 <= j_2)) && (j_2 < h_4)) ==>
      ((a_5 + i_3).intM <= (a_5 + j_2).intM))))

unit insert_sort(intP[..] t, integer n_1)
  requires (_C_35 : ((_C_36 : (\offset_min(t) <= 0)) &&
                      (_C_37 : (\offset_max(t) >= (n_1 - 1)))));
behavior default:
  ensures (_C_34 : Sorted{Here}(\at(t,Old), 0, (\at(n_1,Old) - 1)));
{  
   (var integer i);
   
   (var integer j);
   
   (var integer mv);
   
   {  (if (n_1 <= 1) then 
      (goto return_label) else ());
      (_C_1 : (i = 1));
      
      loop 
      behavior default:
        invariant (_C_4 : ((_C_5 : (0 <= i)) && (_C_6 : (i <= n_1))));
      behavior default:
        invariant (_C_3 : Sorted{Here}(t, 0, i));
      variant (_C_2 : (n_1 - i));
      while (true)
      {  
         {  (if (i < n_1) then () else 
            (goto while_0_break));
            
            {  (_C_9 : (mv = (_C_8 : (_C_7 : (t + i)).intM)));
               (_C_10 : (j = i));
               
               loop 
               behavior default:
                 invariant (_C_15 : ((_C_16 : (0 <= j)) &&
                                      (_C_17 : (j <= i))));
               behavior default:
                 invariant (_C_14 : ((j == i) ==> Sorted{Here}(t, 0, i)));
               behavior default:
                 invariant (_C_13 : ((j < i) ==> Sorted{Here}(t, 0, (i + 1))));
               behavior default:
                 invariant (_C_12 : (\forall integer k_0;
                                      (((j <= k_0) && (k_0 < i)) ==>
                                        ((t + k_0).intM > mv))));
               variant (_C_11 : j);
               while (true)
               {  
                  {  (if (j > 0) then () else 
                     (goto while_1_break));
                     
                     {  (if ((_C_20 : (_C_19 : (t + (_C_18 : (j - 1)))).intM) <=
                              mv) then 
                        (goto while_1_break) else ());
                        (_C_26 : ((_C_25 : (_C_24 : (t + j)).intM) = 
                        (_C_23 : (_C_22 : (t + (_C_21 : (j - 1)))).intM)))
                     };
                     (_C_28 : (j = (_C_27 : (j - 1))))
                  }
               };
               (while_1_break : ());
               (_C_31 : ((_C_30 : (_C_29 : (t + j)).intM) = mv))
            };
            (_C_33 : (i = (_C_32 : (i + 1))))
         }
      };
      (while_0_break : ());
      (return_label : 
      (return ()))
   }
}
========== file tests/c/insertion_sort.jessie/insertion_sort.cloc ==========
[_C_35]
file = "HOME/tests/c/insertion_sort.c"
line = 38
begin = 16
end = 34

[_C_28]
file = "HOME/tests/c/insertion_sort.c"
line = 59
begin = 21
end = 24

[_C_31]
file = "HOME/tests/c/insertion_sort.c"
line = 63
begin = 11
end = 13

[_C_4]
file = "HOME/tests/c/insertion_sort.c"
line = 45
begin = 26
end = 37

[_C_32]
file = "HOME/tests/c/insertion_sort.c"
line = 49
begin = 17
end = 20

[_C_23]
file = "HOME/tests/c/insertion_sort.c"
line = 61
begin = 13
end = 19

[_C_19]
file = "HOME/tests/c/insertion_sort.c"
line = 60
begin = 10
end = 11

[_C_13]
file = "HOME/tests/c/insertion_sort.c"
line = 54
begin = 23
end = 48

[_C_5]
file = "HOME/tests/c/insertion_sort.c"
line = 45
begin = 26
end = 32

[_C_36]
file = "HOME/tests/c/insertion_sort.c"
line = 38
begin = 16
end = 34

[_C_12]
file = "HOME/tests/c/insertion_sort.c"
line = 55
begin = 23
end = 66

[_C_33]
file = "HOME/tests/c/insertion_sort.c"
line = 49
begin = 17
end = 20

[_C_22]
file = "HOME/tests/c/insertion_sort.c"
line = 61
begin = 13
end = 14

[_C_9]
file = "HOME/tests/c/insertion_sort.c"
line = 51
begin = 9
end = 13

[_C_30]
file = "HOME/tests/c/insertion_sort.c"
line = 63
begin = 11
end = 13

[_C_6]
file = "HOME/tests/c/insertion_sort.c"
line = 45
begin = 31
end = 37

[_C_24]
file = "HOME/tests/c/insertion_sort.c"
line = 61
begin = 6
end = 7

[_C_20]
file = "HOME/tests/c/insertion_sort.c"
line = 60
begin = 10
end = 16

[_C_3]
file = "HOME/tests/c/insertion_sort.c"
line = 46
begin = 21
end = 34

[_C_17]
file = "HOME/tests/c/insertion_sort.c"
line = 52
begin = 35
end = 41

[_C_7]
file = "HOME/tests/c/insertion_sort.c"
line = 51
begin = 9
end = 10

[insert_sort]
name = "Function insert_sort"
file = "HOME/tests/c/insertion_sort.c"
line = 41
begin = 5
end = 16

[_C_27]
file = "HOME/tests/c/insertion_sort.c"
line = 59
begin = 21
end = 24

[_C_15]
file = "HOME/tests/c/insertion_sort.c"
line = 52
begin = 30
end = 41

[_C_26]
file = "HOME/tests/c/insertion_sort.c"
line = 61
begin = 13
end = 19

[_C_10]
file = "HOME/tests/c/insertion_sort.c"
line = 59
begin = 11
end = 12

[_C_8]
file = "HOME/tests/c/insertion_sort.c"
line = 51
begin = 9
end = 13

[_C_18]
file = "HOME/tests/c/insertion_sort.c"
line = 60
begin = 12
end = 15

[_C_29]
file = "HOME/tests/c/insertion_sort.c"
line = 63
begin = 4
end = 5

[_C_14]
file = "HOME/tests/c/insertion_sort.c"
line = 53
begin = 23
end = 47

[_C_37]
file = "HOME/tests/c/insertion_sort.c"
line = 38
begin = 16
end = 34

[_C_2]
file = "HOME/tests/c/insertion_sort.c"
line = 47
begin = 19
end = 22

[_C_34]
file = "HOME/tests/c/insertion_sort.c"
line = 39
begin = 12
end = 27

[_C_16]
file = "HOME/tests/c/insertion_sort.c"
line = 52
begin = 30
end = 36

[_C_1]
file = "HOME/tests/c/insertion_sort.c"
line = 49
begin = 9
end = 10

[_C_25]
file = "HOME/tests/c/insertion_sort.c"
line = 61
begin = 13
end = 19

[_C_11]
file = "HOME/tests/c/insertion_sort.c"
line = 56
begin = 21
end = 22

[_C_21]
file = "HOME/tests/c/insertion_sort.c"
line = 61
begin = 15
end = 18

========== jessie execution ==========
Generating Why function insert_sort
========== file tests/c/insertion_sort.jessie/insertion_sort.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/insertion_sort_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: insertion_sort.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: insertion_sort.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: insertion_sort.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/c/insertion_sort.jessie/insertion_sort.loc ==========
[JC_51]
file = "HOME/tests/c/insertion_sort.jessie/insertion_sort.jc"
line = 118
begin = 15
end = 1252

[JC_45]
file = "HOME/tests/c/insertion_sort.c"
line = 53
begin = 23
end = 47

[JC_31]
kind = PointerDeref
file = "HOME/tests/c/insertion_sort.c"
line = 61
begin = 13
end = 19

[JC_17]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_48]
file = "HOME/tests/c/insertion_sort.c"
line = 52
begin = 30
end = 41

[JC_23]
file = "HOME/tests/c/insertion_sort.c"
line = 53
begin = 23
end = 47

[JC_22]
file = "HOME/tests/c/insertion_sort.c"
line = 54
begin = 23
end = 48

[JC_5]
file = "HOME/tests/c/insertion_sort.c"
line = 38
begin = 16
end = 34

[JC_9]
file = "HOME/tests/c/insertion_sort.c"
line = 39
begin = 12
end = 27

[JC_24]
file = "HOME/tests/c/insertion_sort.c"
line = 52
begin = 30
end = 36

[JC_25]
file = "HOME/tests/c/insertion_sort.c"
line = 52
begin = 35
end = 41

[JC_41]
file = "HOME/tests/c/insertion_sort.jessie/insertion_sort.jc"
line = 104
begin = 6
end = 1880

[JC_47]
file = "HOME/tests/c/insertion_sort.c"
line = 52
begin = 35
end = 41

[JC_26]
file = "HOME/tests/c/insertion_sort.c"
line = 52
begin = 30
end = 41

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/tests/c/insertion_sort.c"
line = 46
begin = 21
end = 34

[insert_sort_ensures_default]
name = "Function insert_sort"
behavior = "default behavior"
file = "HOME/tests/c/insertion_sort.c"
line = 41
begin = 5
end = 16

[JC_11]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_15]
file = "HOME/tests/c/insertion_sort.c"
line = 45
begin = 31
end = 37

[JC_36]
file = "HOME/tests/c/insertion_sort.c"
line = 46
begin = 21
end = 34

[JC_39]
file = "HOME/tests/c/insertion_sort.c"
line = 45
begin = 26
end = 37

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_35]
file = "HOME/tests/c/insertion_sort.c"
line = 47
begin = 19
end = 22

[JC_27]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_38]
file = "HOME/tests/c/insertion_sort.c"
line = 45
begin = 31
end = 37

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/tests/c/insertion_sort.c"
line = 38
begin = 16
end = 34

[JC_44]
file = "HOME/tests/c/insertion_sort.c"
line = 54
begin = 23
end = 48

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_42]
file = "HOME/tests/c/insertion_sort.jessie/insertion_sort.jc"
line = 104
begin = 6
end = 1880

[JC_46]
file = "HOME/tests/c/insertion_sort.c"
line = 52
begin = 30
end = 36

[JC_32]
kind = PointerDeref
file = "HOME/tests/c/insertion_sort.jessie/insertion_sort.jc"
line = 139
begin = 34
end = 142

[JC_33]
file = "HOME/tests/c/insertion_sort.c"
line = 56
begin = 21
end = 22

[JC_29]
file = "HOME/tests/c/insertion_sort.jessie/insertion_sort.jc"
line = 118
begin = 15
end = 1252

[JC_7]
file = "HOME/tests/c/insertion_sort.c"
line = 38
begin = 16
end = 34

[JC_16]
file = "HOME/tests/c/insertion_sort.c"
line = 45
begin = 26
end = 37

[JC_43]
file = "HOME/tests/c/insertion_sort.c"
line = 55
begin = 23
end = 66

[JC_2]
file = "HOME/tests/c/insertion_sort.c"
line = 38
begin = 16
end = 34

[JC_34]
kind = PointerDeref
file = "HOME/tests/c/insertion_sort.jessie/insertion_sort.jc"
line = 146
begin = 25
end = 62

[JC_14]
file = "HOME/tests/c/insertion_sort.c"
line = 45
begin = 26
end = 32

[JC_21]
file = "HOME/tests/c/insertion_sort.c"
line = 55
begin = 23
end = 66

[JC_49]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1]
file = "HOME/tests/c/insertion_sort.c"
line = 38
begin = 16
end = 34

[JC_37]
file = "HOME/tests/c/insertion_sort.c"
line = 45
begin = 26
end = 32

[insert_sort_safety]
name = "Function insert_sort"
behavior = "Safety"
file = "HOME/tests/c/insertion_sort.c"
line = 41
begin = 5
end = 16

[JC_10]
file = "HOME/tests/c/insertion_sort.c"
line = 39
begin = 12
end = 27

[JC_20]
kind = PointerDeref
file = "HOME/tests/c/insertion_sort.c"
line = 51
begin = 9
end = 13

[JC_18]
file = "HOME/tests/c/insertion_sort.jessie/insertion_sort.jc"
line = 104
begin = 6
end = 1880

[JC_3]
file = "HOME/tests/c/insertion_sort.c"
line = 38
begin = 16
end = 34

[JC_19]
file = "HOME/tests/c/insertion_sort.jessie/insertion_sort.jc"
line = 104
begin = 6
end = 1880

[JC_50]
file = "HOME/tests/c/insertion_sort.jessie/insertion_sort.jc"
line = 118
begin = 15
end = 1252

[JC_30]
kind = PointerDeref
file = "HOME/tests/c/insertion_sort.c"
line = 60
begin = 10
end = 16

[JC_28]
file = "HOME/tests/c/insertion_sort.jessie/insertion_sort.jc"
line = 118
begin = 15
end = 1252

========== file tests/c/insertion_sort.jessie/why/insertion_sort.why ==========
type charP

type intP

type padding

type unsigned_charP

type voidP

predicate Swap(a:intP pointer, i_1:int, j_0:int,
 intP_intM_a_1_at_L2:(intP, int) memory,
 intP_intM_a_1_at_L1:(intP, int) memory) =
 ((select(intP_intM_a_1_at_L1, shift(a, i_1)) = select(intP_intM_a_1_at_L2,
                                                shift(a, j_0)))
 and ((select(intP_intM_a_1_at_L1, shift(a, j_0)) = select(intP_intM_a_1_at_L2,
                                                    shift(a, i_1)))
     and (forall k:int.
          (((k <> i_1) and (k <> j_0)) ->
           (select(intP_intM_a_1_at_L1, shift(a, k)) = select(intP_intM_a_1_at_L2,
                                                       shift(a, k)))))))

inductive Permut: intP pointer, int, int, (intP, int) memory,
                  (intP, int) memory -> prop =
 | Permut_refl: (forall intP_intM_a_0_2_at_L:(intP, int) memory.
                 (forall a_1:intP pointer.
                  (forall l_0:int.
                   (forall h_0:int.
                    Permut(a_1, l_0, h_0, intP_intM_a_0_2_at_L,
                    intP_intM_a_0_2_at_L)))))
 | Permut_sym: (forall intP_intM_a_0_2_at_L2:(intP, int) memory.
                (forall intP_intM_a_0_2_at_L1:(intP, int) memory.
                 (forall a_2:intP pointer.
                  (forall l_1:int.
                   (forall h_1:int.
                    (Permut(a_2, l_1, h_1, intP_intM_a_0_2_at_L2,
                     intP_intM_a_0_2_at_L1) ->
                     Permut(a_2, l_1, h_1, intP_intM_a_0_2_at_L1,
                     intP_intM_a_0_2_at_L2)))))))
 | Permut_trans: (forall intP_intM_a_0_2_at_L3:(intP, int) memory.
                  (forall intP_intM_a_0_2_at_L2:(intP, int) memory.
                   (forall intP_intM_a_0_2_at_L1:(intP, int) memory.
                    (forall a_3:intP pointer.
                     (forall l_2:int.
                      (forall h_2:int.
                       ((Permut(a_3, l_2, h_2, intP_intM_a_0_2_at_L2,
                         intP_intM_a_0_2_at_L1)
                        and Permut(a_3, l_2, h_2, intP_intM_a_0_2_at_L3,
                            intP_intM_a_0_2_at_L2)) ->
                        Permut(a_3, l_2, h_2, intP_intM_a_0_2_at_L3,
                        intP_intM_a_0_2_at_L1))))))))
 | Permut_swap: (forall intP_intM_a_0_2_at_L2:(intP, int) memory.
                 (forall intP_intM_a_0_2_at_L1:(intP, int) memory.
                  (forall a_4:intP pointer.
                   (forall l_3:int.
                    (forall h_3:int.
                     (forall i_2:int.
                      (forall j_1:int.
                       ((le_int(l_3, i_2)
                        and (le_int(i_2, h_3)
                            and (le_int(l_3, j_1)
                                and (le_int(j_1, h_3)
                                    and Swap(a_4, i_2, j_1,
                                        intP_intM_a_0_2_at_L2,
                                        intP_intM_a_0_2_at_L1))))) ->
                        Permut(a_4, l_3, h_3, intP_intM_a_0_2_at_L2,
                        intP_intM_a_0_2_at_L1)))))))))
 
predicate Sorted(a_5:intP pointer, l_4:int, h_4:int,
 intP_intM_a_5_3_at_L:(intP, int) memory) =
 (forall i_3:int.
  (forall j_2:int.
   ((le_int(l_4, i_3) and (le_int(i_3, j_2) and lt_int(j_2, h_4))) ->
    le_int(select(intP_intM_a_5_3_at_L, shift(a_5, i_3)),
    select(intP_intM_a_5_3_at_L, shift(a_5, j_2))))))

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic intP_tag:  -> intP tag_id

axiom intP_int : (int_of_tag(intP_tag) = (1))

logic intP_of_pointer_address: unit pointer -> intP pointer

axiom intP_of_pointer_address_of_pointer_addr :
 (forall p:intP pointer. (p = intP_of_pointer_address(pointer_address(p))))

axiom intP_parenttag_bottom : parenttag(intP_tag, bottom_tag)

axiom intP_tags :
 (forall x:intP pointer.
  (forall intP_tag_table:intP tag_table.
   instanceof(intP_tag_table, x, intP_tag)))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_intP(p:intP pointer, a:int,
 intP_alloc_table:intP alloc_table) = (offset_min(intP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

axiom pointer_addr_of_intP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(intP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_intP(p:intP pointer, b:int,
 intP_alloc_table:intP alloc_table) = (offset_max(intP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) = a)
 and (offset_max(intP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) = a)
 and (offset_max(intP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) <= a)
 and (offset_max(intP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) <= a)
 and (offset_max(intP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

exception Goto_while_0_break_exc of unit

exception Goto_while_1_break_exc of unit

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter intP_alloc_table : intP alloc_table ref

parameter intP_tag_table : intP tag_table ref

parameter alloc_struct_intP :
 n:int ->
  intP_alloc_table:intP alloc_table ref ->
   intP_tag_table:intP tag_table ref ->
    { } intP pointer writes intP_alloc_table,intP_tag_table
    { (strict_valid_struct_intP(result, (0), sub_int(n, (1)),
       intP_alloc_table)
      and (alloc_extends(intP_alloc_table@, intP_alloc_table)
          and (alloc_fresh(intP_alloc_table@, result, n)
              and instanceof(intP_tag_table, result, intP_tag)))) }

parameter alloc_struct_intP_requires :
 n:int ->
  intP_alloc_table:intP alloc_table ref ->
   intP_tag_table:intP tag_table ref ->
    { ge_int(n, (0))} intP pointer writes intP_alloc_table,intP_tag_table
    { (strict_valid_struct_intP(result, (0), sub_int(n, (1)),
       intP_alloc_table)
      and (alloc_extends(intP_alloc_table@, intP_alloc_table)
          and (alloc_fresh(intP_alloc_table@, result, n)
              and instanceof(intP_tag_table, result, intP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter insert_sort :
 t:intP pointer ->
  n_1:int ->
   intP_intM_t_4:(intP, int) memory ref ->
    intP_t_4_alloc_table:intP alloc_table ->
     { } unit reads intP_intM_t_4 writes intP_intM_t_4
     { (JC_10: Sorted(t, (0), sub_int(n_1, (1)), intP_intM_t_4)) }

parameter insert_sort_requires :
 t:intP pointer ->
  n_1:int ->
   intP_intM_t_4:(intP, int) memory ref ->
    intP_t_4_alloc_table:intP alloc_table ->
     { (JC_3:
       ((JC_1: le_int(offset_min(intP_t_4_alloc_table, t), (0)))
       and (JC_2:
           ge_int(offset_max(intP_t_4_alloc_table, t), sub_int(n_1, (1))))))}
     unit reads intP_intM_t_4 writes intP_intM_t_4
     { (JC_10: Sorted(t, (0), sub_int(n_1, (1)), intP_intM_t_4)) }

let insert_sort_ensures_default =
 fun (t : intP pointer) (n_1 : int) (intP_intM_t_4 : (intP, int) memory ref) (intP_t_4_alloc_table : intP alloc_table) ->
  { (JC_7:
    ((JC_5: le_int(offset_min(intP_t_4_alloc_table, t), (0)))
    and (JC_6:
        ge_int(offset_max(intP_t_4_alloc_table, t), sub_int(n_1, (1)))))) }
  (init:
  try
   begin
     (let i = ref (any_int void) in
     (let j = ref (any_int void) in
     (let mv = ref (any_int void) in
     try
      begin
        try
         begin
           (if ((le_int_ n_1) (1)) then (raise (Return_label_exc void))
           else void); (let _jessie_ = (i := (1)) in void);
          (loop_3:
          begin
            while true do
            { invariant
                ((JC_36: Sorted(t, (0), i, intP_intM_t_4))
                and (JC_39:
                    ((JC_37: le_int((0), i)) and (JC_38: le_int(i, n_1)))))
               }
             begin
               [ { } unit { true } ];
              try
               begin
                 (let _jessie_ =
                 begin
                   (if ((lt_int_ !i) n_1) then void
                   else (raise (Goto_while_0_break_exc void)));
                  try
                   begin
                     (let _jessie_ =
                     (mv := ((safe_acc_ !intP_intM_t_4) ((shift t) !i))) in
                     void); (let _jessie_ = (j := !i) in void);
                    (loop_4:
                    begin
                      while true do
                      { invariant
                          ((JC_43:
                           (forall k_0:int.
                            ((le_int(j, k_0) and lt_int(k_0, i)) ->
                             gt_int(select(intP_intM_t_4, shift(t, k_0)), mv))))
                          and ((JC_44:
                               (lt_int(j, i) ->
                                Sorted(t, (0), add_int(i, (1)),
                                intP_intM_t_4)))
                              and ((JC_45:
                                   ((j = i) ->
                                    Sorted(t, (0), i, intP_intM_t_4)))
                                  and (JC_48:
                                      ((JC_46: le_int((0), j))
                                      and (JC_47: le_int(j, i))))))) 
                         }
                       begin
                         [ { } unit { true } ];
                        try
                         begin
                           (let _jessie_ =
                           begin
                             (if ((gt_int_ !j) (0)) then void
                             else (raise (Goto_while_1_break_exc void)));
                            (let _jessie_ =
                            begin
                              (if ((le_int_ ((safe_acc_ !intP_intM_t_4) 
                                             ((shift t) ((sub_int !j) (1))))) !mv)
                              then (raise (Goto_while_1_break_exc void))
                              else void);
                             (let _jessie_ =
                             ((safe_acc_ !intP_intM_t_4) ((shift t) ((sub_int !j) (1)))) in
                             (let _jessie_ = t in
                             (let _jessie_ = !j in
                             (let _jessie_ =
                             ((shift _jessie_) _jessie_) in
                             begin
                               (((safe_upd_ intP_intM_t_4) _jessie_) _jessie_);
                              _jessie_ end)))) end in void);
                            (j := ((sub_int !j) (1))); !j end in void);
                          (raise (Loop_continue_exc void)) end with
                         Loop_continue_exc _jessie_ -> void end end done;
                     (raise (Goto_while_1_break_exc void)) end) end with
                   Goto_while_1_break_exc _jessie_ ->
                   (let _jessie_ =
                   (while_1_break:
                   begin
                     void;
                    (let _jessie_ = !mv in
                    (let _jessie_ = t in
                    (let _jessie_ = !j in
                    (let _jessie_ = ((shift _jessie_) _jessie_) in
                    begin
                      (((safe_upd_ intP_intM_t_4) _jessie_) _jessie_);
                     _jessie_ end)))) end) in void) end;
                  (i := ((add_int !i) (1))); !i end in void);
                (raise (Loop_continue_exc void)) end with
               Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ -> (while_0_break: void) end;
       (raise (Return_label_exc void)) end with Return_label_exc _jessie_ ->
      (return_label: (raise Return)) end))); (raise Return) end with
   Return -> void end)
  { (JC_9: Sorted(t, (0), sub_int(n_1, (1)), intP_intM_t_4)) } 

let insert_sort_safety =
 fun (t : intP pointer) (n_1 : int) (intP_intM_t_4 : (intP, int) memory ref) (intP_t_4_alloc_table : intP alloc_table) ->
  { (JC_7:
    ((JC_5: le_int(offset_min(intP_t_4_alloc_table, t), (0)))
    and (JC_6:
        ge_int(offset_max(intP_t_4_alloc_table, t), sub_int(n_1, (1)))))) }
  (init:
  try
   begin
     (let i = ref (any_int void) in
     (let j = ref (any_int void) in
     (let mv = ref (any_int void) in
     try
      begin
        try
         begin
           (if ((le_int_ n_1) (1)) then (raise (Return_label_exc void))
           else void); (let _jessie_ = (i := (1)) in void);
          (loop_1:
          begin
            while true do
            { invariant (JC_18: true) variant (JC_35 : sub_int(n_1, i)) }
             begin
               [ { } unit reads i,intP_intM_t_4
                 { ((JC_13: Sorted(t, (0), i, intP_intM_t_4))
                   and (JC_16:
                       ((JC_14: le_int((0), i)) and (JC_15: le_int(i, n_1))))) } ];
              try
               begin
                 (let _jessie_ =
                 begin
                   (if ((lt_int_ !i) n_1) then void
                   else (raise (Goto_while_0_break_exc void)));
                  try
                   begin
                     (let _jessie_ =
                     (mv := (JC_20:
                            ((((offset_acc_ intP_t_4_alloc_table) !intP_intM_t_4) t) !i))) in
                     void); (let _jessie_ = (j := !i) in void);
                    (loop_2:
                    begin
                      while true do
                      { invariant (JC_28: true) variant (JC_33 : j) }
                       begin
                         [ { } unit reads i,intP_intM_t_4,j,mv
                           { ((JC_21:
                              (forall k_0:int.
                               ((le_int(j, k_0) and lt_int(k_0, i)) ->
                                gt_int(select(intP_intM_t_4, shift(t, k_0)),
                                mv))))
                             and ((JC_22:
                                  (lt_int(j, i) ->
                                   Sorted(t, (0), add_int(i, (1)),
                                   intP_intM_t_4)))
                                 and ((JC_23:
                                      ((j = i) ->
                                       Sorted(t, (0), i, intP_intM_t_4)))
                                     and (JC_26:
                                         ((JC_24: le_int((0), j))
                                         and (JC_25: le_int(j, i))))))) } ];
                        try
                         begin
                           (let _jessie_ =
                           begin
                             (if ((gt_int_ !j) (0)) then void
                             else (raise (Goto_while_1_break_exc void)));
                            (let _jessie_ =
                            begin
                              (if ((le_int_ (JC_30:
                                            ((((offset_acc_ intP_t_4_alloc_table) !intP_intM_t_4) t) 
                                             ((sub_int !j) (1))))) !mv)
                              then (raise (Goto_while_1_break_exc void))
                              else void);
                             (let _jessie_ =
                             (JC_31:
                             ((((offset_acc_ intP_t_4_alloc_table) !intP_intM_t_4) t) 
                              ((sub_int !j) (1)))) in
                             (let _jessie_ = t in
                             (let _jessie_ = !j in
                             (let _jessie_ =
                             ((shift _jessie_) _jessie_) in
                             (JC_32:
                             begin
                               (((((offset_upd_ intP_t_4_alloc_table) intP_intM_t_4) _jessie_) _jessie_) _jessie_);
                              _jessie_ end))))) end in void);
                            (j := ((sub_int !j) (1))); !j end in void);
                          (raise (Loop_continue_exc void)) end with
                         Loop_continue_exc _jessie_ -> void end end done;
                     (raise (Goto_while_1_break_exc void)) end) end with
                   Goto_while_1_break_exc _jessie_ ->
                   (let _jessie_ =
                   (while_1_break:
                   begin
                     void;
                    (let _jessie_ = !mv in
                    (let _jessie_ = t in
                    (let _jessie_ = !j in
                    (let _jessie_ = ((shift _jessie_) _jessie_) in
                    (JC_34:
                    begin
                      (((((offset_upd_ intP_t_4_alloc_table) intP_intM_t_4) _jessie_) _jessie_) _jessie_);
                     _jessie_ end))))) end) in void) end;
                  (i := ((add_int !i) (1))); !i end in void);
                (raise (Loop_continue_exc void)) end with
               Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ -> (while_0_break: void) end;
       (raise (Return_label_exc void)) end with Return_label_exc _jessie_ ->
      (return_label: (raise Return)) end))); (raise Return) end with
   Return -> void end) { true } 


why-2.39/tests/c/oracle/muller.err.oracle0000644000106100004300000000000013147234006017326 0ustar  marchevalswhy-2.39/tests/c/oracle/clock_drift.res.oracle0000644000106100004300000007560313147234006020337 0ustar  marchevals========== file tests/c/clock_drift.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

// RUNGAPPA: will ask regtests to run gappa on VCs of this program

#define NMAX 1000000
#define NMAXR 1000000.0

// this one is needed by Gappa to prove the assertion on the rounding error
/*@ lemma real_of_int_inf_NMAX:
  @   \forall integer i; i <= NMAX ==> i <= NMAXR;
  @*/

// this one does not seem useful for Alt-Ergo
// but it is for CVC3, to prove preservation of the loop
// invariant. Z3 does not prove it either
//@ lemma real_of_int_succ: \forall integer n; n+1 == n + 1.0;

// this one does not seem to be needed anymore
/* lemma inf_mult : 
  @    \forall real x,y,z; x<=y && 0<=z ==> x*z <= y*z;
  @*/

#define A 1.49012e-09 
// A is a bound of (float)0.1 - 0.1

// this one is not needed anymore since (float)0.1 is evaluated
// at compile-time
// lemma round01: \abs((float)0.1 - 0.1) <=  A;

// B is a bound of round_error(t+(float)0.1) for 0 <= t <= 0.1*NMAXR
// NMAX = 100 -> #define B 4.76838e-07
// NMAX = 1000000 ->
#define B 0x1p-8

#define C (B + A)

/*@ requires 0 <= n <= NMAX;
  @ ensures \abs(\result - n*0.1) <= n * C;
  @*/
float f_single(int n)
{
  float t = 0.0f;
  int i;

  /*@ loop invariant 0 <= i <= n;
    @ loop invariant \abs(t - i * 0.1) <= i * C ;
    @ loop variant n-i;
    @*/
  for(i=0;i (i_1 <= 1000000.0)))

lemma real_of_int_succ :
(\forall integer n;
  ((n + 1) == (n + 1.0)))

float f_single(int32 n_1)
  requires (_C_16 : ((_C_17 : (0 <= n_1)) && (_C_18 : (n_1 <= 1000000))));
behavior default:
  ensures (_C_15 : (\real_abs(((\result :> real) - (\at(n_1,Old) * 0.1))) <=
                     (\at(n_1,Old) * (0x1p-8 + 1.49012e-09))));
{  
   (var float t);
   
   (var int32 i);
   
   {  (_C_1 : (t = (0.0 :> float)));
      (_C_2 : (i = 0));
      
      loop 
      behavior default:
        invariant (_C_5 : ((_C_6 : (0 <= i)) && (_C_7 : (i <= n_1))));
      behavior default:
        invariant (_C_4 : (\real_abs(((t :> real) - (i * 0.1))) <=
                            (i * (0x1p-8 + 1.49012e-09))));
      variant (_C_3 : (n_1 - i));
      while (true)
      {  
         {  (if (i < n_1) then () else 
            (goto while_0_break));
            
            {  (L : 
               {  
                  {  
                     (assert for default: (_C_8 : (jessie : ((0.0 <=
                                                               (t :> real)) &&
                                                              ((t :> real) <=
                                                                (1000000.0 *
                                                                  (0.1 +
                                                                    (0x1p-8 +
                                                                    1.49012e-09))))))));
                     ()
                  };
                  (_C_10 : (t = (_C_9 : (t + (0.1 :> float)))))
               });
               
               {  
                  (assert for default: (_C_11 : (jessie : (\real_abs(
                                                            ((t :> real) -
                                                              ((\at(t,L) :> real) +
                                                                ((0.1 :> float) :> real)))) <=
                                                            0x1p-8))));
                  ()
               }
            };
            (_C_14 : (i = (_C_13 : ((_C_12 : (i + 1)) :> int32))))
         }
      };
      (while_0_break : ());
      
      (return t)
   }
}
========== file tests/c/clock_drift.jessie/clock_drift.cloc ==========
[real_of_int_succ]
name = "Lemma real_of_int_succ"
file = "HOME/tests/c/clock_drift.c"
line = 45
begin = 7
end = 65

[_C_4]
file = "HOME/tests/c/clock_drift.c"
line = 75
begin = 21
end = 68

[_C_13]
file = "HOME/tests/c/clock_drift.c"
line = 78
begin = 14
end = 17

[_C_5]
file = "HOME/tests/c/clock_drift.c"
line = 74
begin = 26
end = 37

[_C_12]
file = "HOME/tests/c/clock_drift.c"
line = 78
begin = 14
end = 17

[real_of_int_inf_NMAX]
name = "Lemma real_of_int_inf_NMAX"
file = "HOME/tests/c/clock_drift.c"
line = 38
begin = 7
end = 92

[_C_9]
file = "HOME/tests/c/clock_drift.c"
line = 81
begin = 8
end = 16

[_C_6]
file = "HOME/tests/c/clock_drift.c"
line = 74
begin = 26
end = 32

[_C_3]
file = "HOME/tests/c/clock_drift.c"
line = 76
begin = 19
end = 22

[_C_17]
file = "HOME/tests/c/clock_drift.c"
line = 66
begin = 16
end = 22

[f_single]
name = "Function f_single"
file = "HOME/tests/c/clock_drift.c"
line = 69
begin = 6
end = 14

[_C_7]
file = "HOME/tests/c/clock_drift.c"
line = 74
begin = 31
end = 37

[_C_15]
file = "HOME/tests/c/clock_drift.c"
line = 67
begin = 12
end = 63

[_C_10]
file = "HOME/tests/c/clock_drift.c"
line = 81
begin = 8
end = 16

[_C_8]
file = "HOME/tests/c/clock_drift.c"
line = 80
begin = 22
end = 72

[_C_18]
file = "HOME/tests/c/clock_drift.c"
line = 66
begin = 21
end = 33

[_C_14]
file = "HOME/tests/c/clock_drift.c"
line = 78
begin = 14
end = 17

[_C_2]
file = "HOME/tests/c/clock_drift.c"
line = 78
begin = 8
end = 9

[_C_16]
file = "HOME/tests/c/clock_drift.c"
line = 66
begin = 16
end = 33

[_C_1]
file = "HOME/tests/c/clock_drift.c"
line = 71
begin = 2
end = 7

[_C_11]
file = "HOME/tests/c/clock_drift.c"
line = 82
begin = 22
end = 65

========== jessie execution ==========
Generating Why function f_single
========== file tests/c/clock_drift.jessie/clock_drift.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why $(WHYLIB)/why/floats_strict.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/clock_drift_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: clock_drift.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: clock_drift.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: clock_drift.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/c/clock_drift.jessie/clock_drift.loc ==========
[real_of_int_succ]
name = "Lemma real_of_int_succ"
behavior = "lemma"
file = "HOME/tests/c/clock_drift.c"
line = 45
begin = 7
end = 65

[JC_31]
file = "HOME/tests/c/clock_drift.jessie/clock_drift.jc"
line = 57
begin = 6
end = 1711

[JC_17]
file = "HOME/"
line = 0
begin = -1
end = -1

[f_single_safety]
name = "Function f_single"
behavior = "Safety"
file = "HOME/tests/c/clock_drift.c"
line = 69
begin = 6
end = 14

[JC_23]
kind = ArithOverflow
file = "HOME/tests/c/clock_drift.c"
line = 78
begin = 14
end = 17

[JC_22]
file = "HOME/tests/c/clock_drift.c"
line = 82
begin = 22
end = 65

[JC_5]
file = "HOME/tests/c/clock_drift.c"
line = 66
begin = 16
end = 22

[JC_9]
file = "HOME/tests/c/clock_drift.c"
line = 67
begin = 12
end = 63

[JC_24]
file = "HOME/tests/c/clock_drift.c"
line = 76
begin = 19
end = 22

[JC_25]
file = "HOME/tests/c/clock_drift.c"
line = 75
begin = 21
end = 68

[JC_26]
file = "HOME/tests/c/clock_drift.c"
line = 74
begin = 26
end = 32

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[real_of_int_inf_NMAX]
name = "Lemma real_of_int_inf_NMAX"
behavior = "lemma"
file = "HOME/tests/c/clock_drift.c"
line = 38
begin = 7
end = 92

[JC_13]
file = "HOME/tests/c/clock_drift.c"
line = 75
begin = 21
end = 68

[JC_11]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_15]
file = "HOME/tests/c/clock_drift.c"
line = 74
begin = 31
end = 37

[f_single_ensures_default]
name = "Function f_single"
behavior = "default behavior"
file = "HOME/tests/c/clock_drift.c"
line = 69
begin = 6
end = 14

[JC_27]
file = "HOME/tests/c/clock_drift.c"
line = 74
begin = 31
end = 37

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/tests/c/clock_drift.c"
line = 66
begin = 21
end = 33

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_32]
file = "HOME/tests/c/clock_drift.c"
line = 80
begin = 22
end = 72

[JC_33]
kind = FPOverflow
file = "HOME/tests/c/clock_drift.c"
line = 81
begin = 8
end = 16

[JC_29]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_7]
file = "HOME/tests/c/clock_drift.c"
line = 66
begin = 16
end = 33

[JC_16]
file = "HOME/tests/c/clock_drift.c"
line = 74
begin = 26
end = 37

[JC_2]
file = "HOME/tests/c/clock_drift.c"
line = 66
begin = 21
end = 33

[JC_34]
file = "HOME/tests/c/clock_drift.c"
line = 82
begin = 22
end = 65

[JC_14]
file = "HOME/tests/c/clock_drift.c"
line = 74
begin = 26
end = 32

[JC_21]
kind = FPOverflow
file = "HOME/tests/c/clock_drift.c"
line = 81
begin = 8
end = 16

[JC_1]
file = "HOME/tests/c/clock_drift.c"
line = 66
begin = 16
end = 22

[JC_10]
file = "HOME/tests/c/clock_drift.c"
line = 67
begin = 12
end = 63

[JC_20]
file = "HOME/tests/c/clock_drift.c"
line = 80
begin = 22
end = 72

[JC_18]
file = "HOME/tests/c/clock_drift.jessie/clock_drift.jc"
line = 57
begin = 6
end = 1711

[JC_3]
file = "HOME/tests/c/clock_drift.c"
line = 66
begin = 16
end = 33

[JC_19]
file = "HOME/tests/c/clock_drift.jessie/clock_drift.jc"
line = 57
begin = 6
end = 1711

[JC_30]
file = "HOME/tests/c/clock_drift.jessie/clock_drift.jc"
line = 57
begin = 6
end = 1711

[JC_28]
file = "HOME/tests/c/clock_drift.c"
line = 74
begin = 26
end = 37

========== file tests/c/clock_drift.jessie/why/clock_drift.why ==========
type charP

type int32

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

lemma real_of_int_inf_NMAX :
 (forall i_1:int.
  (le_int(i_1, (1000000)) -> le_real(real_of_int(i_1), 1000000.0)))

lemma real_of_int_succ :
 (forall n:int.
  (real_of_int(add_int(n, (1))) = add_real(real_of_int(n), 1.0)))

exception Goto_while_0_break_exc of unit

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int32 : unit -> { } int32 { true }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter f_single :
 n_1:int32 ->
  { } single
  { (JC_10:
    le_real(abs_real(sub_real(single_value(result),
                     mul_real(real_of_int(integer_of_int32(n_1)), 0.1))),
    mul_real(real_of_int(integer_of_int32(n_1)),
    add_real(0x1p-8, 1.49012e-09)))) }

parameter f_single_requires :
 n_1:int32 ->
  { (JC_3:
    ((JC_1: le_int((0), integer_of_int32(n_1)))
    and (JC_2: le_int(integer_of_int32(n_1), (1000000)))))}
  single
  { (JC_10:
    le_real(abs_real(sub_real(single_value(result),
                     mul_real(real_of_int(integer_of_int32(n_1)), 0.1))),
    mul_real(real_of_int(integer_of_int32(n_1)),
    add_real(0x1p-8, 1.49012e-09)))) }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let f_single_ensures_default =
 fun (n_1 : int32) ->
  { (JC_7:
    ((JC_5: le_int((0), integer_of_int32(n_1)))
    and (JC_6: le_int(integer_of_int32(n_1), (1000000))))) }
  (init:
  (let return = ref (any_single void) in
  try
   begin
     (let t = ref (any_single void) in
     (let i = ref (any_int32 void) in
     try
      begin
        (let _jessie_ = (t := (single_of_real_exact 0.0)) in void);
       (let _jessie_ = (i := (safe_int32_of_integer_ (0))) in void);
       (loop_2:
       begin
         while true do
         { invariant
             ((JC_25:
              le_real(abs_real(sub_real(single_value(t),
                               mul_real(real_of_int(integer_of_int32(i)),
                               0.1))),
              mul_real(real_of_int(integer_of_int32(i)),
              add_real(0x1p-8, 1.49012e-09))))
             and (JC_28:
                 ((JC_26: le_int((0), integer_of_int32(i)))
                 and (JC_27:
                     le_int(integer_of_int32(i), integer_of_int32(n_1))))))
            }
          begin
            [ { } unit { true } ];
           try
            begin
              (let _jessie_ =
              begin
                (if ((lt_int_ (integer_of_int32 !i)) (integer_of_int32 n_1))
                then void else (raise (Goto_while_0_break_exc void)));
               (L:
               begin
                 (let _jessie_ =
                 begin
                   (assert
                   { (JC_32:
                     (le_real(0.0, single_value(t))
                     and le_real(single_value(t),
                         mul_real(1000000.0,
                         add_real(0.1, add_real(0x1p-8, 1.49012e-09)))))) };
                   void); void;
                  (t := (JC_33:
                        (((add_single_safe nearest_even) !t) (single_of_real_exact 0x1.99999ap-4))));
                  !t end in void);
                (assert
                { (JC_34:
                  le_real(abs_real(sub_real(single_value(t),
                                   add_real(single_value(t@L), 0x1.99999ap-4))),
                  0x1p-8)) }; void); void;
                (i := (safe_int32_of_integer_ ((add_int (integer_of_int32 !i)) (1))));
                !i end) end in void); (raise (Loop_continue_exc void)) end
            with Loop_continue_exc _jessie_ -> void end end done;
        (raise (Goto_while_0_break_exc void)) end) end with
      Goto_while_0_break_exc _jessie_ ->
      (while_0_break: begin   void; (return := !t); (raise Return) end) end));
    absurd  end with Return -> !return end))
  { (JC_9:
    le_real(abs_real(sub_real(single_value(result),
                     mul_real(real_of_int(integer_of_int32(n_1)), 0.1))),
    mul_real(real_of_int(integer_of_int32(n_1)),
    add_real(0x1p-8, 1.49012e-09)))) } 

let f_single_safety =
 fun (n_1 : int32) ->
  { (JC_7:
    ((JC_5: le_int((0), integer_of_int32(n_1)))
    and (JC_6: le_int(integer_of_int32(n_1), (1000000))))) }
  (init:
  (let return = ref (any_single void) in
  try
   begin
     (let t = ref (any_single void) in
     (let i = ref (any_int32 void) in
     try
      begin
        (let _jessie_ = (t := (single_of_real_exact 0.0)) in void);
       (let _jessie_ = (i := (safe_int32_of_integer_ (0))) in void);
       (loop_1:
       begin
         while true do
         { invariant (JC_18: true)
           variant (JC_24 : sub_int(integer_of_int32(n_1),
                            integer_of_int32(i))) }
          begin
            [ { } unit reads i,t
              { ((JC_13:
                 le_real(abs_real(sub_real(single_value(t),
                                  mul_real(real_of_int(integer_of_int32(i)),
                                  0.1))),
                 mul_real(real_of_int(integer_of_int32(i)),
                 add_real(0x1p-8, 1.49012e-09))))
                and (JC_16:
                    ((JC_14: le_int((0), integer_of_int32(i)))
                    and (JC_15:
                        le_int(integer_of_int32(i), integer_of_int32(n_1)))))) } ];
           try
            begin
              (let _jessie_ =
              begin
                (if ((lt_int_ (integer_of_int32 !i)) (integer_of_int32 n_1))
                then void else (raise (Goto_while_0_break_exc void)));
               (L:
               begin
                 (let _jessie_ =
                 begin
                   [ { } unit reads t
                     { (JC_20:
                       (le_real(0.0, single_value(t))
                       and le_real(single_value(t),
                           mul_real(1000000.0,
                           add_real(0.1, add_real(0x1p-8, 1.49012e-09)))))) } ];
                  void;
                  (t := (JC_21:
                        (((add_single nearest_even) !t) (single_of_real_exact 0x1.99999ap-4))));
                  !t end in void);
                [ { } unit reads t
                  { (JC_22:
                    le_real(abs_real(sub_real(single_value(t),
                                     add_real(single_value(t@L),
                                     0x1.99999ap-4))),
                    0x1p-8)) } ]; void;
                (i := (JC_23:
                      (int32_of_integer_ ((add_int (integer_of_int32 !i)) (1)))));
                !i end) end in void); (raise (Loop_continue_exc void)) end
            with Loop_continue_exc _jessie_ -> void end end done;
        (raise (Goto_while_0_break_exc void)) end) end with
      Goto_while_0_break_exc _jessie_ ->
      (while_0_break: begin   void; (return := !t); (raise Return) end) end));
    absurd  end with Return -> !return end)) { true } 


why-2.39/tests/c/oracle/maze.err.oracle0000644000106100004300000000014313147234006016772 0ustar  marchevalscat: /tmp/regtests.cwd: No such file or directory
grep: /src/version.ml: No such file or directory
why-2.39/tests/c/oracle/float_sqrt.err.oracle0000644000106100004300000000000013147234006020204 0ustar  marchevalswhy-2.39/tests/c/oracle/maze.res.oracle0000644000106100004300000000622513147234006017002 0ustar  marchevals========== file tests/c/maze.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


void buildMaze(uint n) {

  union_find u = create(n*n);

  //@ ghost integer num_edges = 0;

  /*@ loop invariant num_edges + NumClasses(u) == n*n;
    @*/
  while (num_classes(u) > 1) {
    uint x = rand() % n;
    uint y = rand() % n;
    uint d = rand() % 2;
    uint w = x, z = y;
    id (d == 0) w++; else z++;
    if (w < n && z < n) {
      int a = y*n+x, b = w*n+z;
      if (find(u,a) != find(u,b)) {
	// output_edge(x,y,w,z);
	//@ ghost num_edges++;
	union(a,b);
      }
    }
  }
  // nombre d'aretes = n*n - 1
  //@ assert num_edges == n*n - 1

  // each node is reachable from origin
  //@ assert \forall int x; 0 <= x < n*n ==> same(u,x,0);
}



========== frama-c -jessie execution ==========
[kernel] user error: option `-jessie' is unknown.
                     use `frama-c -help' for more information.
[kernel] Frama-C aborted: invalid user input.
why-2.39/tests/c/oracle/insertion_sort.err.oracle0000644000106100004300000000062613147234006021125 0ustar  marchevalsWarning: recursive definition of Permut in generated file
Warning: recursive definition of Permut in generated file
Warning: recursive definition of Permut in generated file
Warning: recursive definition of Permut in generated file
Warning: recursive definition of Permut in generated file
Warning: recursive definition of Permut in generated file
Warning: recursive definition of Permut in generated file
why-2.39/tests/c/oracle/conjugate.err.oracle0000644000106100004300000000000013147234006020005 0ustar  marchevalswhy-2.39/tests/c/oracle/double_rounding_strict_model.res.oracle0000644000106100004300000005033013147234006023771 0ustar  marchevals========== file tests/c/double_rounding_strict_model.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


double doublerounding() {
  double x = 1.0;
  double y = 0x1p-53 + 0x1p-64;
  double z = x + y;
  //@ assert z == 1.0 + 0x1p-52;
  return z;
}


/*
Local Variables:
compile-command: "LC_ALL=C make double_rounding_strict_model.why3ide"
End:
*/
========== frama-c -jessie execution ==========
[kernel] Parsing FRAMAC_SHARE/libc/__fc_builtin_for_normalization.i (no preprocessing)
[kernel] Parsing tests/c/double_rounding_strict_model.c (with preprocessing)
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/double_rounding_strict_model.jessie
[jessie] File tests/c/double_rounding_strict_model.jessie/double_rounding_strict_model.jc written.
[jessie] File tests/c/double_rounding_strict_model.jessie/double_rounding_strict_model.cloc written.
========== file tests/c/double_rounding_strict_model.jessie/double_rounding_strict_model.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type int8 = -128..127

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

double doublerounding()
behavior default:
  ensures (_C_7 : true);
{  
   (var double x);
   
   (var double y);
   
   (var double z);
   
   {  (_C_1 : (x = (1.0 :> double)));
      (_C_3 : (y = (_C_2 : ((0x1p-53 :> double) + (0x1p-64 :> double)))));
      (_C_5 : (z = (_C_4 : (x + y))));
      
      {  
         (assert for default: (_C_6 : (jessie : ((z :> real) ==
                                                  (1.0 + 0x1p-52)))));
         ()
      };
      
      {  
         (return z)
      }
   }
}
========== file tests/c/double_rounding_strict_model.jessie/double_rounding_strict_model.cloc ==========
[_C_4]
file = "HOME/tests/c/double_rounding_strict_model.c"
line = 36
begin = 13
end = 18

[_C_5]
file = "HOME/tests/c/double_rounding_strict_model.c"
line = 36
begin = 2
end = 8

[doublerounding]
name = "Function doublerounding"
file = "HOME/tests/c/double_rounding_strict_model.c"
line = 33
begin = 7
end = 21

[_C_6]
file = "HOME/tests/c/double_rounding_strict_model.c"
line = 37
begin = 18
end = 36

[_C_3]
file = "HOME/tests/c/double_rounding_strict_model.c"
line = 35
begin = 2
end = 8

[_C_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_2]
file = "HOME/tests/c/double_rounding_strict_model.c"
line = 35
begin = 13
end = 30

[_C_1]
file = "HOME/tests/c/double_rounding_strict_model.c"
line = 34
begin = 2
end = 8

========== jessie execution ==========
Generating Why function doublerounding
========== file tests/c/double_rounding_strict_model.jessie/double_rounding_strict_model.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why $(WHYLIB)/why/floats_strict.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/double_rounding_strict_model_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: double_rounding_strict_model.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: double_rounding_strict_model.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: double_rounding_strict_model.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/c/double_rounding_strict_model.jessie/double_rounding_strict_model.loc ==========
[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_9]
kind = FPOverflow
file = "HOME/tests/c/double_rounding_strict_model.jessie/double_rounding_strict_model.jc"
line = 45
begin = 28
end = 47

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/tests/c/double_rounding_strict_model.c"
line = 37
begin = 18
end = 36

[JC_11]
kind = FPOverflow
file = "HOME/tests/c/double_rounding_strict_model.c"
line = 35
begin = 13
end = 30

[JC_15]
kind = FPOverflow
file = "HOME/tests/c/double_rounding_strict_model.c"
line = 36
begin = 13
end = 18

[JC_12]
kind = FPOverflow
file = "HOME/tests/c/double_rounding_strict_model.c"
line = 36
begin = 13
end = 18

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[doublerounding_ensures_default]
name = "Function doublerounding"
behavior = "default behavior"
file = "HOME/tests/c/double_rounding_strict_model.c"
line = 33
begin = 7
end = 21

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/tests/c/double_rounding_strict_model.c"
line = 37
begin = 18
end = 36

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
kind = FPOverflow
file = "HOME/tests/c/double_rounding_strict_model.c"
line = 35
begin = 13
end = 30

[doublerounding_safety]
name = "Function doublerounding"
behavior = "Safety"
file = "HOME/tests/c/double_rounding_strict_model.c"
line = 33
begin = 7
end = 21

[JC_1]
file = "HOME/tests/c/double_rounding_strict_model.c"
line = 33
begin = 7
end = 21

[JC_10]
kind = FPOverflow
file = "HOME/tests/c/double_rounding_strict_model.jessie/double_rounding_strict_model.jc"
line = 45
begin = 50
end = 69

[JC_3]
file = "HOME/tests/c/double_rounding_strict_model.c"
line = 33
begin = 7
end = 21

========== file tests/c/double_rounding_strict_model.jessie/why/double_rounding_strict_model.why ==========
type charP

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter doublerounding : tt:unit -> { } double { true }

parameter doublerounding_requires : tt:unit -> { } double { true }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let doublerounding_ensures_default =
 fun (tt : unit) ->
  { (JC_4: true) }
  (init:
  (let return = ref (any_double void) in
  try
   begin
     (let x_0 = ref (any_double void) in
     (let y = ref (any_double void) in
     (let z = ref (any_double void) in
     begin
       (let _jessie_ = (x_0 := (double_of_real_exact 1.0)) in void);
      (let _jessie_ =
      (y := (JC_14:
            (((add_double_safe nearest_even) ((double_of_real_safe nearest_even) 0x1p-53)) 
             ((double_of_real_safe nearest_even) 0x1p-64)))) in void);
      (let _jessie_ =
      (z := (JC_15: (((add_double_safe nearest_even) !x_0) !y))) in void);
      (assert { (JC_16: (double_value(z) = add_real(1.0, 0x1p-52))) }; void);
      void; (return := !z); (raise Return) end))); absurd  end with Return ->
   !return end)) { (JC_5: true) } 

let doublerounding_safety =
 fun (tt : unit) ->
  { (JC_4: true) }
  (init:
  (let return = ref (any_double void) in
  try
   begin
     (let x_0 = ref (any_double void) in
     (let y = ref (any_double void) in
     (let z = ref (any_double void) in
     begin
       (let _jessie_ = (x_0 := (double_of_real_exact 1.0)) in void);
      (let _jessie_ =
      (y := (JC_11:
            (((add_double nearest_even) (JC_9:
                                        ((double_of_real nearest_even) 0x1p-53))) 
             (JC_10: ((double_of_real nearest_even) 0x1p-64))))) in void);
      (let _jessie_ =
      (z := (JC_12: (((add_double nearest_even) !x_0) !y))) in void);
      [ { } unit reads z
        { (JC_13: (double_value(z) = add_real(1.0, 0x1p-52))) } ]; void;
      (return := !z); (raise Return) end))); absurd  end with Return ->
   !return end)) { true } 


why-2.39/tests/c/oracle/isqrt.err.oracle0000644000106100004300000000000013147234006017170 0ustar  marchevalswhy-2.39/tests/c/rec.c0000644000106100004300000000570113147234006013535 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

//@ logic integer sum_upto(integer n) = n*(n+1) / 2;

/*@ lemma sum_rec: \forall integer n; n >=0 ==>
  @     sum_upto(n+1) == sum_upto(n)+n+1;
  @*/

/*@ requires x >= 0;
  @ requires x <= 1000;
  @ decreases x;
  @ ensures \result == sum_upto(x);
  @*/
long sum(int x) {
  if (x == 0) return 0;
  else return x + sum (x-1);
}


/*@ ensures \result == 36; 
  @*/
long main () {
  long i = sum(8);
  return i;
}



/*@ decreases 101-n ;
  @ behavior less_than_101:
  @   assumes n <= 100;
  @   ensures \result == 91;
  @ behavior greater_than_100:
  @   assumes n >= 101;
  @   ensures \result == n - 10;
  @*/
int f91(int n) {
  if (n <= 100) {
    return f91(f91(n + 11));
  }
  else
    return n - 10;
}

/*
Local Variables:
compile-command: "make rec.why3ide"
End:
*/


why-2.39/tests/c/find_array.c0000644000106100004300000000654013147234006015104 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

/** from Julien Signoles' tutorial
 **/

/*@
  predicate sorted{L}(int* arr, integer length) =
  \forall integer i, j; 0 <= i <= j < length ==> arr[i] <= arr[j];

  predicate mem{L}(int elt, int* arr, integer length) =
  \exists integer i; 0 <= i = 0;
  requires \valid(arr+(0..(length-1)));

  assigns \nothing;

  behavior exists:
    assumes mem(query, arr, length);
    ensures arr[\result] == query;

  behavior not_exists:
    assumes ! mem(query, arr, length);
    ensures \result == -1;
*/
int find_array(int* arr, int length, int query) {
  int low = 0;
  int high = length - 1;
  /*@
    loop invariant 0 <= low;
    loop invariant high < length;
    loop invariant \forall integer i; 0 <= i < low ==> arr[i] < query;
    loop invariant \forall integer i; high < i < length ==> arr[i] > query;
    loop variant high - low;
  */
  while (low <= high) {
    int mean = low + (high -low) / 2;
    if (arr[mean] == query) return mean;
    if (arr[mean] < query) low = mean + 1;
    else high = mean - 1;
  }
  return -1;
}

/*
Local Variables:
compile-command: "frama-c -jessie find_array.c"
End:
*/
why-2.39/tests/c/eps_line1.c0000644000106100004300000000615713147234006014651 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

#define E 0x1p-45


//@ logic integer l_sign(real x) = (x >= 0.0) ? 1 : -1;

/*@ requires e1<= x-\exact(x) <= e2;
  @ ensures  (\result != 0 ==> \result == l_sign(\exact(x))) &&
  @          \abs(\result) <= 1 ;
  @*/
int sign(double x, double e1, double e2) {

  if (x > e2)
    return 1;
  if (x < e1)
    return -1;
  return 0;
}

/*@ requires
  @   sx == \exact(sx)  && sy == \exact(sy) &&
  @   vx == \exact(vx)  && vy == \exact(vy) &&
  @   \abs(sx) <= 100.0 && \abs(sy) <= 100.0 &&
  @   \abs(vx) <= 1.0   && \abs(vy) <= 1.0;
  @ ensures
  @    \result != 0
  @      ==> \result == l_sign(\exact(sx)*\exact(vx)+\exact(sy)*\exact(vy))
  @            * l_sign(\exact(sx)*\exact(vy)-\exact(sy)*\exact(vx));
  @*/
int eps_line(double sx, double sy,double vx, double vy){
  int s1,s2;

  s1=sign(sx*vx+sy*vy, -E, E);
  s2=sign(sx*vy-sy*vx, -E, E);

  return s1*s2;
}

/*
Local Variables:
compile-command: "LC_ALL=C make eps_line1.why3ide"
End:
*/
why-2.39/tests/c/result/0000755000106100004300000000000013147234006014133 5ustar  marchevalswhy-2.39/tests/c/result/README0000644000106100004300000000013313147234006015010 0ustar  marchevalsthis directory is to store results of tests. There is
intentionally no file managed by SVN
why-2.39/tests/c/maze.c0000644000106100004300000000551713147234006013725 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/


void buildMaze(uint n) {

  union_find u = create(n*n);

  //@ ghost integer num_edges = 0;

  /*@ loop invariant num_edges + NumClasses(u) == n*n;
    @*/
  while (num_classes(u) > 1) {
    uint x = rand() % n;
    uint y = rand() % n;
    uint d = rand() % 2;
    uint w = x, z = y;
    id (d == 0) w++; else z++;
    if (w < n && z < n) {
      int a = y*n+x, b = w*n+z;
      if (find(u,a) != find(u,b)) {
	// output_edge(x,y,w,z);
	//@ ghost num_edges++;
	union(a,b);
      }
    }
  }
  // nombre d'aretes = n*n - 1
  //@ assert num_edges == n*n - 1

  // each node is reachable from origin
  //@ assert \forall int x; 0 <= x < n*n ==> same(u,x,0);
}



why-2.39/tests/c/sparse_array.c0000644000106100004300000000650413147234006015461 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

typedef unsigned int uint;

#define MAXLEN 1000

typedef struct SparseArray {
  int val[MAXLEN];
  uint idx[MAXLEN], back[MAXLEN];
  uint n;
  uint sz;
} *sparse_array;

/*@ requires sz <= MAXLEN;
  @ ensures \fresh(\result,sizeof(struct SparseArray));
  @*/
sparse_array create(uint sz) {
  sparse_array a = (sparse_array)malloc(sizeof(struct SparseArray));
  a->n = 0;
  a->sz = sz;
  return a;
}

/*@ requires \valid(a);
  @*/
int get(sparse_array a, uint i) {
  if (a->idx[i] < a->n && a-> back[a->idx[i]] == i) return a->val[i];
  else return 0;
}

/*@ requires \valid(a);
  @*/
void set(sparse_array a, uint i, int v) {
  a->val[i] = v;
  if (!(a->idx[i] < a->n && a-> back[a->idx[i]] == i)) {
    //@ assert a->n < MAXLEN;
    a->idx[i] = a->n; a->back[a->n] = i; a->n++;
  }
}



int main() {
  sparse_array a = create(10), b = create(20);
  int x,y;
  x = get(a,5); y = get(b,7);
  //@ assert x == 0 && y == 0;
  set(a,5,1); set(b,7,2);
  x = get(a,5); y = get(b,7);
  //@ assert x == 1 && y == 2;
  x = get(a,0); y = get(b,0);
  //@ assert x == 0 && y == 0;
  return 0;
}





/*
Local Variables:
compile-command: "make sparse_array.why3ide"
End:
*/


why-2.39/tests/c/float_array.c0000644000106100004300000000713013147234006015265 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

//@ logic real EPS1 = 0x1p-53;
//@ logic real UPPER = 0x1p0;
//@ logic integer N = 10;

//@ predicate bounded(real z, real bound) = \abs(z) <= bound;

double x;

/*@
  @ requires bounded(d, UPPER);
  @ requires \round_error(d) == 0;
  @
  @ ensures \abs(x - (d + 1.0)) <= EPS1;
  @ ensures \round_error(x) <= EPS1;
*/
void AffectDoubleDansX(double d) {
        x=d+1.0;
}

/*@
  @ requires \valid(X+(0..N));
  @ requires bounded(d, UPPER);
  @ requires \round_error(d) == 0;
  @
  @ ensures \abs(X[1] - (d + 1.0)) <= EPS1;
  @ ensures \round_error(X[1]) <= EPS1;
  @ ensures \abs(X[2] - (d + 1.0)) <= EPS1;
  @ ensures \round_error(X[2]) <= EPS1;
*/
void AffectDoubleDansTab(double d, double X[]) {
        X[1]=d+1.0;
        X[2]=d+1.0;
        // assert X[1] == \round_double(\NearestEven,d+1.0);
}

/*@
  @ requires \valid(X+(0..N));
  @ requires bounded(d, UPPER);
  @ requires \round_error(d) == 0;
  @
  @ ensures \abs(X[1] - (d + 1.0)) <= EPS1;
  @ ensures \round_error(X[1]) <= EPS1;
*/
void AffectDoubleDansTab1(double d, double X[]) {
        X[1]=d+1.0;
}

/*@
  @ requires \valid(X+(0..N));
  @ requires bounded(d, UPPER);
  @ requires \round_error(d) == 0;
  @
  @ ensures \abs(X[0] - (d + 1.0)) <= EPS1;
  @ ensures \round_error(X[0]) <= EPS1;
*/
void AffectDoubleDansTab0(double d, double X[]) {
        X[0]=d+1.0;
        //@ assert X[0] == \round_double(\NearestEven,d+1.0);
        //@ assert \exact(X[0]) == d+1.0;
}
why-2.39/tests/c/triangle.c0000644000106100004300000000530213147234006014566 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

/*@ requires 0 <= x;
  @ ensures \result==\round_double(\NearestEven,\sqrt(x));
  @*/
double sqrt(double x);



/*@ logic real S(real a, real b, real c) = 
  @  \let s = (a+b+c)/2;
  @        \sqrt(s*(s-a)*(s-b)*(s-c));
  @ */

/*@ requires 0 <= c <= b <= a && a <= b + c && a <= 0x1p255;
  @ ensures 0x1p-513 < \result 
  @    ==> \abs(\result-S(a,b,c)) <= (4.75*0x1p-53 + 33*0x1p-106)*S(a,b,c);
  @ */

double triangle (double a,double b, double c) {
  return (0x1p-2*sqrt((a+(b+c))*(a+(b-c))*(c+(a-b))*(c-(a-b))));
}
why-2.39/tests/c/reverse_array.c0000644000106100004300000000574613147234006015646 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

/** Reversing the elements of an array.
    Original idea by Francesco Bonnizzi 
*/

#pragma SeparationPolicy(none)

/*@ requires \valid(a);
  @ requires \valid(b);
  @ assigns(*a);
  @ assigns(*b);
  @ ensures *a == \old(*b);
  @ ensures *b == \old(*a);
  @*/
void swap(char *a, char *b) {
  const char tmp = *a;
  *a = *b;
  *b = tmp;
}

/*@ requires n >= 0;
  @ requires \valid(s+(0 .. n-1));
  @ decreases n;
  @ assigns s[0..(n-1)];
  @ ensures \forall integer i;
  @   0 <= i < n ==> \at(s[i], Pre) == \at(s[n-i-1], Post);
  @*/
void reverse(char *s, unsigned n) {
  if (n < 2) return;
  swap(s, s + (n - 1));
  reverse(s + 1, n - 2);
  //@ assert s[0] == \at(s[n-1], Pre);
  //@ assert s[n-1] == \at(s[0], Pre);
  //@ assert \forall integer i; 1 <= i < n-1 ==> s[i] == (s+1)[i-1] ;
}
why-2.39/tests/c/double_rounding_strict_model.c0000644000106100004300000000465613147234006020723 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/


double doublerounding() {
  double x = 1.0;
  double y = 0x1p-53 + 0x1p-64;
  double z = x + y;
  //@ assert z == 1.0 + 0x1p-52;
  return z;
}


/*
Local Variables:
compile-command: "LC_ALL=C make double_rounding_strict_model.why3ide"
End:
*/
why-2.39/tests/c/heap_sort.c0000644000106100004300000000554513147234006014756 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

#include "binary_heap.h"


/*@ requires len >= 0;
  @ requires \valid(arr+(0..len-1));
  @ // assigns arr[..];
  @ ensures \forall integer i,j; 0 <= i <= j < len ==> arr[i] <= arr[j];
  @*/
void heap_sort(int *arr, uint len) {
  uint i;
  heap h = create(len);
  /*@ loop invariant 0 <= i <= len;
    @ loop variant len - i;
    @*/
  for (i = 0; i < len; ++i) insert(h,arr[i]);
  /*@ loop invariant 0 <= i <= len;
    @ loop variant len - i;
    @*/
  for (i = 0; i < len; ++i) arr[i] = extract_min(h);
}



void main() {
  int arr[] = {42, 13, 42};
  heap_sort(arr,3);
  //@ assert arr[0] <= arr[1] && arr[1] <= arr[2];
  //@ assert arr[0] == 13 && arr[1] == 42 && arr[2] == 42;
}
why-2.39/tests/c/selection_sort.c0000644000106100004300000000721513147234006016022 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

// RUNSIMPLIFY: will ask regtests to run Simplify on this program

#pragma JessieIntegerModel(math)

#include "sorting.h"

/*@ requires \valid(t+i) && \valid(t+j);
  @ assigns t[i],t[j];
  @ ensures Swap{Old,Here}(t,i,j);
  @*/
void swap(int t[], int i, int j) {
  int tmp = t[i];
  t[i] = t[j];
  t[j] = tmp;
}

/*@ requires \valid(t+(0..n-1));
  @ assigns t[0..n-1];
  @ behavior sorted:
  @   ensures Sorted(t,0,n);
  @ behavior permutation:
  @   ensures Permut{Old,Here}(t,0,n-1);
  @*/
void sel_sort(int t[], int n) {
  int i,j;
  int mi,mv;
  if (n <= 0) return;
  /*@ loop invariant 0 <= i < n;
    @ for sorted:
    @  loop invariant
    @   Sorted(t,0,i) &&
    @   (\forall integer k1, k2 ;
    @      0 <= k1 < i <= k2 < n ==> t[k1] <= t[k2]) ;
    @ for permutation:
    @  loop invariant Permut{Pre,Here}(t,0,n-1);
    @ loop variant n-i;
    @*/
  for (i=0; i t[k] >= mv);
      @ for permutation:
      @  loop invariant
      @   Permut{Pre,Here}(t,0,n-1);
      @ loop variant n-j;
      @*/
    for (j=i+1; j < n; j++) {
      if (t[j] < mv) {
	mi = j ; mv = t[j];
      }
    }
  L:
    swap(t,i,mi);
    //@ assert Permut{L,Here}(t,0,n-1);
  }
}


/*
Local Variables:
compile-command: "frama-c -jessie selection_sort.c"
End:
*/
why-2.39/tests/c/binary_search_wrong.c0000644000106100004300000000634313147234006017014 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

// RUNSIMPLIFY this tells regtests to run Simplify in this example

//@ lemma mean: \forall integer x, y; x <= y ==> x <= (x+y)/2 <= y;

/*@ predicate sorted{L}(long *t, integer a, integer b) =
  @    \forall integer i,j; a <= i <= j <= b ==> t[i] <= t[j];
  @*/

/*@ requires n >= 0 && \valid(t+(0..n-1));
  @ ensures -1 <= \result < n;
  @ behavior success:
  @   ensures \result >= 0 ==> t[\result] == v;
  @ behavior failure:
  @   assumes sorted(t,0,n-1);
  @   ensures \result == -1 ==>
  @     \forall integer k; 0 <= k < n ==> t[k] != v;
  @*/
int binary_search(long t[], int n, long v) {
  int l = 0, u = n-1;
  /*@ loop invariant
    @   0 <= l && u <= n-1;
    @ for failure:
    @   loop invariant
    @   \forall integer k; 0 <= k < n && t[k] == v ==> l <= k <= u;
    @ loop variant u-l;
    @*/
  while (l <= u ) {
    int m = (l + u) / 2;
    //@ assert l <= m <= u;
    if (t[m] < v) l = m + 1;
    else if (t[m] > v) u = m - 1;
    else return m;
  }
  return -1;
}

/*
Local Variables:
compile-command: "make binary_search_wrong.why3ide"
End:
*/
why-2.39/tests/c/quick_sort.c0000644000106100004300000000724313147234006015152 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

// RUNSIMPLIFY: will ask regtests to run Simplify on this program

#pragma JessieIntegerModel(math)

#include "sorting.h"

/*@ requires \valid(t+i) && \valid(t+j);
  @ assigns t[i],t[j];
  @ ensures Swap{Old,Here}(t,i,j);
  @*/
void swap(int t[], int i, int j) {
  int tmp = t[i];
  t[i] = t[j];
  t[j] = tmp;
}

// quick_rec sorts t[l..r]
/*@ requires \valid(t+(l..r));
  @ decreases r-l;
  @ assigns t[l..r];
  @ behavior sorted:
  @   ensures Sorted(t,l,r+1);
  @ behavior permutation:
  @   ensures Permut{Old,Here}(t,l,r);
  @*/
void quick_rec(int t[], int l, int r) {
  int v,m,i;
  if (l >= r) return;
  v = t[l];
  m = l;
  /*@ loop invariant
    @   \forall integer j; l < j <= m ==> t[j] < v;
    @ loop invariant
    @   \forall integer j; m < j <  i ==> t[j] >= v;
    @ loop invariant t[l] == v && l <= m < i <= r+1;
    @ for permutation: loop invariant
    @   Permut{Pre,Here}(t,l,r);
    @ loop variant r-i;
    @*/
  for (i = l + 1; i <= r; i++) {
    if (t[i] < v) {
    L1:
      swap(t,i,++m);
      //@ for permutation: assert Permut{L1,Here}(t,l,r);
    }
  }
  //@ assert l <= m <= r;
 L: swap(t,l,m);
  //@ for permutation: assert Permut{L,Here}(t,l,r);
  quick_rec(t,l,m-1);
  quick_rec(t,m+1,r);
}

/*@ requires \valid(t+(0..n-1));
  @ behavior sorted:
  @   ensures Sorted(t,0,n);
  @ behavior permutation:
  @   ensures Permut{Old,Here}(t,0,n-1);
  @*/
void quick_sort(int t[], int n) {
  quick_rec(t,0,n-1);
}


/*
Local Variables:
compile-command: "make quick_sort.why3ide"
End:
*/
why-2.39/tests/c/Sterbenz.jessie/0000755000106100004300000000000013147234006015672 5ustar  marchevalswhy-2.39/tests/c/Sterbenz.jessie/coq/0000755000106100004300000000000013147234006016454 5ustar  marchevalswhy-2.39/tests/c/Sterbenz.jessie/coq/Sterbenz_why.v0000644000106100004300000003161213147234006021331 0ustar  marchevals(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)
Require Export jessie_why.
Require Export WhyFloatsStrictLegacy.

(*Why type*) Definition charP: Set.
Admitted.

(*Why type*) Definition int8: Set.
Admitted.

(*Why type*) Definition padding: Set.
Admitted.

(*Why type*) Definition uint8: Set.
Admitted.

(*Why type*) Definition unsigned_charP: Set.
Admitted.

(*Why type*) Definition voidP: Set.
Admitted.

(*Why logic*) Definition charP_tag : (tag_id charP).
Admitted.

(*Why axiom*) Lemma charP_int : (int_of_tag charP_tag) = 1.
Admitted.
Dp_hint charP_int.

(*Why logic*) Definition charP_of_pointer_address :
  (pointer unit) -> (pointer charP).
Admitted.

(*Why axiom*) Lemma charP_of_pointer_address_of_pointer_addr :
  (forall (p:(pointer charP)),
   p = (charP_of_pointer_address (pointer_address p))).
Admitted.
Dp_hint charP_of_pointer_address_of_pointer_addr.

(*Why axiom*) Lemma charP_parenttag_bottom :
  (parenttag charP_tag (@bottom_tag charP)).
Admitted.
Dp_hint charP_parenttag_bottom.

(*Why axiom*) Lemma charP_tags :
  (forall (x:(pointer charP)),
   (forall (charP_tag_table:(tag_table charP)),
    (instanceof charP_tag_table x charP_tag))).
Admitted.
Dp_hint charP_tags.

(*Why logic*) Definition integer_of_int8 : int8 -> Z.
Admitted.

(*Why predicate*) Definition eq_int8  (x:int8) (y:int8)
  := (integer_of_int8 x) = (integer_of_int8 y).

(*Why logic*) Definition integer_of_uint8 : uint8 -> Z.
Admitted.

(*Why predicate*) Definition eq_uint8  (x:uint8) (y:uint8)
  := (integer_of_uint8 x) = (integer_of_uint8 y).

(*Why logic*) Definition int8_of_integer : Z -> int8.
Admitted.

(*Why axiom*) Lemma int8_coerce :
  (forall (x:Z),
   ((-128) <= x /\ x <= 127 -> (integer_of_int8 (int8_of_integer x)) = x)).
Admitted.

(*Why axiom*) Lemma int8_extensionality :
  (forall (x:int8),
   (forall (y:int8), ((integer_of_int8 x) = (integer_of_int8 y) -> x = y))).
Admitted.
Dp_hint int8_extensionality.

(*Why axiom*) Lemma int8_range :
  (forall (x:int8), (-128) <= (integer_of_int8 x) /\ (integer_of_int8 x) <=
   127).
Admitted.



(*Why predicate*) Definition left_valid_struct_charP  (p:(pointer charP)) (a:Z) (charP_alloc_table:(alloc_table charP))
  := (offset_min charP_alloc_table p) <= a.

(*Why predicate*) Definition left_valid_struct_unsigned_charP  (p:(pointer unsigned_charP)) (a:Z) (unsigned_charP_alloc_table:(alloc_table unsigned_charP))
  := (offset_min unsigned_charP_alloc_table p) <= a.

(*Why predicate*) Definition left_valid_struct_voidP  (p:(pointer voidP)) (a:Z) (voidP_alloc_table:(alloc_table voidP))
  := (offset_min voidP_alloc_table p) <= a.

(*Why axiom*) Lemma pointer_addr_of_charP_of_pointer_address :
  (forall (p:(pointer unit)),
   p = (pointer_address (charP_of_pointer_address p))).
Admitted.
Dp_hint pointer_addr_of_charP_of_pointer_address.

(*Why logic*) Definition unsigned_charP_of_pointer_address :
  (pointer unit) -> (pointer unsigned_charP).
Admitted.

(*Why axiom*) Lemma pointer_addr_of_unsigned_charP_of_pointer_address :
  (forall (p:(pointer unit)),
   p = (pointer_address (unsigned_charP_of_pointer_address p))).
Admitted.
Dp_hint pointer_addr_of_unsigned_charP_of_pointer_address.

(*Why logic*) Definition voidP_of_pointer_address :
  (pointer unit) -> (pointer voidP).
Admitted.

(*Why axiom*) Lemma pointer_addr_of_voidP_of_pointer_address :
  (forall (p:(pointer unit)),
   p = (pointer_address (voidP_of_pointer_address p))).
Admitted.
Dp_hint pointer_addr_of_voidP_of_pointer_address.

(*Why predicate*) Definition right_valid_struct_charP  (p:(pointer charP)) (b:Z) (charP_alloc_table:(alloc_table charP))
  := (offset_max charP_alloc_table p) >= b.

(*Why predicate*) Definition right_valid_struct_unsigned_charP  (p:(pointer unsigned_charP)) (b:Z) (unsigned_charP_alloc_table:(alloc_table unsigned_charP))
  := (offset_max unsigned_charP_alloc_table p) >= b.

(*Why predicate*) Definition right_valid_struct_voidP  (p:(pointer voidP)) (b:Z) (voidP_alloc_table:(alloc_table voidP))
  := (offset_max voidP_alloc_table p) >= b.

(*Why predicate*) Definition strict_valid_root_charP  (p:(pointer charP)) (a:Z) (b:Z) (charP_alloc_table:(alloc_table charP))
  := (offset_min charP_alloc_table p) = a /\
     (offset_max charP_alloc_table p) = b.

(*Why predicate*) Definition strict_valid_root_unsigned_charP  (p:(pointer unsigned_charP)) (a:Z) (b:Z) (unsigned_charP_alloc_table:(alloc_table unsigned_charP))
  := (offset_min unsigned_charP_alloc_table p) = a /\
     (offset_max unsigned_charP_alloc_table p) = b.

(*Why predicate*) Definition strict_valid_root_voidP  (p:(pointer voidP)) (a:Z) (b:Z) (voidP_alloc_table:(alloc_table voidP))
  := (offset_min voidP_alloc_table p) = a /\
     (offset_max voidP_alloc_table p) = b.

(*Why predicate*) Definition strict_valid_struct_charP  (p:(pointer charP)) (a:Z) (b:Z) (charP_alloc_table:(alloc_table charP))
  := (offset_min charP_alloc_table p) = a /\
     (offset_max charP_alloc_table p) = b.

(*Why predicate*) Definition strict_valid_struct_unsigned_charP  (p:(pointer unsigned_charP)) (a:Z) (b:Z) (unsigned_charP_alloc_table:(alloc_table unsigned_charP))
  := (offset_min unsigned_charP_alloc_table p) = a /\
     (offset_max unsigned_charP_alloc_table p) = b.

(*Why predicate*) Definition strict_valid_struct_voidP  (p:(pointer voidP)) (a:Z) (b:Z) (voidP_alloc_table:(alloc_table voidP))
  := (offset_min voidP_alloc_table p) = a /\
     (offset_max voidP_alloc_table p) = b.

(*Why logic*) Definition uint8_of_integer : Z -> uint8.
Admitted.

(*Why axiom*) Lemma uint8_coerce :
  (forall (x:Z),
   (0 <= x /\ x <= 255 -> (integer_of_uint8 (uint8_of_integer x)) = x)).
Admitted.
Dp_hint uint8_coerce.

(*Why axiom*) Lemma uint8_extensionality :
  (forall (x:uint8),
   (forall (y:uint8), ((integer_of_uint8 x) = (integer_of_uint8 y) -> x = y))).
Admitted.
Dp_hint uint8_extensionality.

(*Why axiom*) Lemma uint8_range :
  (forall (x:uint8), 0 <= (integer_of_uint8 x) /\ (integer_of_uint8 x) <= 255).
Admitted.
Dp_hint uint8_range.

(*Why logic*) Definition unsigned_charP_tag : (tag_id unsigned_charP).
Admitted.

(*Why axiom*) Lemma unsigned_charP_int : (int_of_tag unsigned_charP_tag) = 1.
Admitted.
Dp_hint unsigned_charP_int.

(*Why axiom*) Lemma unsigned_charP_of_pointer_address_of_pointer_addr :
  (forall (p:(pointer unsigned_charP)),
   p = (unsigned_charP_of_pointer_address (pointer_address p))).
Admitted.
Dp_hint unsigned_charP_of_pointer_address_of_pointer_addr.

(*Why axiom*) Lemma unsigned_charP_parenttag_bottom :
  (parenttag unsigned_charP_tag (@bottom_tag unsigned_charP)).
Admitted.
Dp_hint unsigned_charP_parenttag_bottom.

(*Why axiom*) Lemma unsigned_charP_tags :
  (forall (x:(pointer unsigned_charP)),
   (forall (unsigned_charP_tag_table:(tag_table unsigned_charP)),
    (instanceof unsigned_charP_tag_table x unsigned_charP_tag))).
Admitted.
Dp_hint unsigned_charP_tags.

(*Why predicate*) Definition valid_root_charP  (p:(pointer charP)) (a:Z) (b:Z) (charP_alloc_table:(alloc_table charP))
  := (offset_min charP_alloc_table p) <= a /\
     (offset_max charP_alloc_table p) >= b.

(*Why predicate*) Definition valid_root_unsigned_charP  (p:(pointer unsigned_charP)) (a:Z) (b:Z) (unsigned_charP_alloc_table:(alloc_table unsigned_charP))
  := (offset_min unsigned_charP_alloc_table p) <= a /\
     (offset_max unsigned_charP_alloc_table p) >= b.

(*Why predicate*) Definition valid_root_voidP  (p:(pointer voidP)) (a:Z) (b:Z) (voidP_alloc_table:(alloc_table voidP))
  := (offset_min voidP_alloc_table p) <= a /\
     (offset_max voidP_alloc_table p) >= b.

(*Why predicate*) Definition valid_struct_charP  (p:(pointer charP)) (a:Z) (b:Z) (charP_alloc_table:(alloc_table charP))
  := (offset_min charP_alloc_table p) <= a /\
     (offset_max charP_alloc_table p) >= b.

(*Why predicate*) Definition valid_struct_unsigned_charP  (p:(pointer unsigned_charP)) (a:Z) (b:Z) (unsigned_charP_alloc_table:(alloc_table unsigned_charP))
  := (offset_min unsigned_charP_alloc_table p) <= a /\
     (offset_max unsigned_charP_alloc_table p) >= b.

(*Why predicate*) Definition valid_struct_voidP  (p:(pointer voidP)) (a:Z) (b:Z) (voidP_alloc_table:(alloc_table voidP))
  := (offset_min voidP_alloc_table p) <= a /\
     (offset_max voidP_alloc_table p) >= b.

(*Why logic*) Definition voidP_tag : (tag_id voidP).
Admitted.

(*Why axiom*) Lemma voidP_int : (int_of_tag voidP_tag) = 1.
Admitted.
Dp_hint voidP_int.

(*Why axiom*) Lemma voidP_of_pointer_address_of_pointer_addr :
  (forall (p:(pointer voidP)),
   p = (voidP_of_pointer_address (pointer_address p))).
Admitted.
Dp_hint voidP_of_pointer_address_of_pointer_addr.

(*Why axiom*) Lemma voidP_parenttag_bottom :
  (parenttag voidP_tag (@bottom_tag voidP)).
Admitted.
Dp_hint voidP_parenttag_bottom.

(*Why axiom*) Lemma voidP_tags :
  (forall (x:(pointer voidP)),
   (forall (voidP_tag_table:(tag_table voidP)),
    (instanceof voidP_tag_table x voidP_tag))).
Admitted.
Dp_hint voidP_tags.

(* Why obligation from file "Sterbenz.c", line 38, characters 13-21: *)
(*Why goal*) Lemma Sterbenz_ensures_default_po_1 : 
  forall (x_0: single),
  forall (y: single),
  forall (HW_1: (* JC_7 *)
                ((* JC_5 *)
                 (Rle (Rdiv (single_value y) (2)%R) (single_value x_0)) /\
                (* JC_6 *)
                (Rle (single_value x_0) (Rmult (2)%R (single_value y))))),
  (* JC_16 *) (Rle (0)%R (single_value y)).
Proof.
intros x y (h1,h2).
apply Rmult_le_reg_l with 3%R.
  apply Rlt_le_trans with 2%R; auto with real.
apply Rplus_le_reg_l with (single_value y).
apply Rmult_le_reg_l with (/2)%R; auto with real.
replace (/ 2 * (single_value y + 3 * 0))%R with (single_value y / 2)%R by (unfold Rdiv; ring).
apply Rle_trans with (single_value x); [apply h1|idtac].
apply Rle_trans with  (2 * single_value y)%R; [ apply h2 | right; field].
Qed.

(* Why obligation from file "Sterbenz.c", line 39, characters 13-21: *)
(*Why goal*) Lemma Sterbenz_ensures_default_po_2 : 
  forall (x_0: single),
  forall (y: single),
  forall (HW_1: (* JC_7 *)
                ((* JC_5 *)
                 (Rle (Rdiv (single_value y) (2)%R) (single_value x_0)) /\
                (* JC_6 *)
                (Rle (single_value x_0) (Rmult (2)%R (single_value y))))),
  forall (HW_4: (* JC_16 *) (Rle (0)%R (single_value y))),
  (* JC_17 *) (Rle (0)%R (single_value x_0)).
Proof.
intros x y (h1,h2) y_pos.
apply Rle_trans with (single_value y / 2)%R; [idtac|apply h1].
unfold Rdiv; apply Rmult_le_pos; auto with real.
Save.

(* Why obligation from file "Sterbenz.c", line 35, characters 12-28: *)
(*Why goal*) Lemma Sterbenz_ensures_default_po_3 : 
  forall (x_0: single),
  forall (y: single),
  forall (HW_1: (* JC_7 *)
                ((* JC_5 *)
                 (Rle (Rdiv (single_value y) (2)%R) (single_value x_0)) /\
                (* JC_6 *)
                (Rle (single_value x_0) (Rmult (2)%R (single_value y))))),
  forall (HW_4: (* JC_16 *) (Rle (0)%R (single_value y))),
  forall (HW_5: (* JC_17 *) (Rle (0)%R (single_value x_0))),
  forall (result: single),
  forall (HW_6: (sub_single_post nearest_even x_0 y result)),
  forall (__retres: single),
  forall (HW_7: __retres = result),
  forall (why__return: single),
  forall (HW_8: why__return = __retres),
  (* JC_9 *)
  (eq (single_value why__return) (Rminus (single_value x_0) (single_value y))).
Proof.
intros x y (H1,H2) _ _ r (H4,(H5a,H5b)) r' H6 r'' H7.
rewrite H7,H6,H4; unfold single_value in *.
unfold FtoRradix; rewrite <- Fminus_correct; auto with zarith.
elim (mode_single_RoundingMode nearest_even); intros P (H8,H9).
apply sym_eq; apply RoundedModeProjectorIdemEq with bsingle 24%nat P; try apply psGivesBound; auto with zarith.
apply Sterbenz; auto with zarith; try apply FcanonicBound with radix; try now destruct x; try now destruct y.
fold FtoRradix; apply Rle_trans with (2:=H1); unfold Rdiv; simpl; right; ring.
Save.

(* Why obligation from file "Sterbenz.c", line 40, characters 9-12: *)
(*Why goal*) Lemma Sterbenz_safety_po_1 : 
  forall (x_0: single),
  forall (y: single),
  forall (HW_1: (* JC_7 *)
                ((* JC_5 *)
                 (Rle (Rdiv (single_value y) (2)%R) (single_value x_0)) /\
                (* JC_6 *)
                (Rle (single_value x_0) (Rmult (2)%R (single_value y))))),
  forall (HW_4: (* JC_13 *) (Rle (0)%R (single_value y))),
  forall (HW_5: (* JC_14 *) (Rle (0)%R (single_value x_0))),
  (no_overflow_single
   nearest_even (Rminus (single_value x_0) (single_value y))).
Proof.
intros x y (h1,h2) y_pos x_pos.
apply bounded_real_no_overflow_single.
case (Rle_or_lt (single_value x) (single_value y)); intros.
rewrite Rabs_left1.
ring_simplify.
apply Rle_trans with (-0+single_value y)%R;auto with real.
ring_simplify; rewrite <- (Rabs_right (single_value y)).
apply single_le_strict.
auto with real.
apply Rplus_le_reg_l with (single_value y); now ring_simplify.
rewrite Rabs_right.
ring_simplify.
apply Rle_trans with (single_value x-0)%R.
apply Rplus_le_compat_l; auto with real.
ring_simplify; rewrite <- (Rabs_right (single_value x)).
apply single_le_strict.
auto with real.
apply Rle_ge; apply Rplus_le_reg_l with (single_value y); ring_simplify; auto with real.
Save.

why-2.39/tests/c/overflow_level.c0000644000106100004300000000474013147234006016020 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

double x;

void f() {
  double y;
  y = x+1e-6;    // cannot overflow
  y = x+1.e291;  // cannot overflow
  y = x+1.e292;  // can overflow, should not be proved
  y = x+x;       // can overflow, should not be proved
}

/*
Local Variables:
compile-command: "make overflow_level.why3ide"
End:
*/
why-2.39/tests/c/fresh.c0000644000106100004300000000535713147234006014102 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

/*@ allocates \result;
  @ ensures \fresh(\result,size) && \valid(\result+(0..size-1));
  @*/
char *malloc(unsigned int size);

typedef struct Fresh { int f; } *fresh;

/*@ allocates \result;
  @ ensures \fresh(\result,sizeof(struct Fresh)) && \valid(\result);
  @*/
fresh create() {
  fresh f = (fresh)malloc(sizeof(struct Fresh));
  return f;
}

/*@ requires \valid(f1);
  @*/
void test (fresh f1) {
  fresh f2 = create ();
  //@ assert f1 != f2;
  //@ assert \valid(f2);
  // assert \false;
}


/*
Local Variables:
compile-command: "make fresh.why3ml"
End:
*/


why-2.39/tests/c/scalar_product.c0000644000106100004300000001102713147234006015767 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

// for N = 10
#define NMAX 10
#define NMAXR 10.0
#define B 0x1.1p-50

// for N = 100
// #define NMAX 100
// #define NMAXR 100.0
// #define B 0x1.02p-47


// for N = 1000
// #define NMAX 1000
// #define NMAXR 1000.0
// #define B 0x1.004p-44


/*@ axiomatic ScalarProduct {
  @   // exact_scalar_product(x,y,n) = x[0]*y[0] + ... + x[n-1] * y[n-1]
  @   logic real exact_scalar_product{L}(double *x, double *y, integer n)
  @       reads x[..], y[..];
  @   axiom A1{L}: \forall double *x,*y;
  @      exact_scalar_product(x,y,0) == 0.0;
  @   axiom A2{L}: \forall double *x,*y; \forall integer n ;
  @      n >= 0 ==>
  @        exact_scalar_product(x,y,n+1) == 
  @          exact_scalar_product(x,y,n) + x[n]*y[n];
  @ }
  @*/


/*@ lemma bound_int_to_real:
  @   \forall integer i; i <= NMAX ==> i <= NMAXR;
  @*/


/*@ requires 0 <= n <= NMAX;
  @ requires \valid(x+(0..n-1)) && \valid(y+(0.. n-1)) ;
  @ requires \forall integer i; 0 <= i < n ==>
  @          \abs(x[i]) <= 1.0 && \abs(y[i]) <= 1.0 ;
  @ ensures
  @    \abs(\result - exact_scalar_product(x,y,n)) <= n * B;
  @*/
double scalar_product(double x[], double y[], int n) {
  double p = 0.0;
  /*@ loop invariant 0 <= i <= n ;
    @ loop invariant \abs(exact_scalar_product(x,y,i)) <= i;
    @ loop invariant \abs(p - exact_scalar_product(x,y,i)) <= i * B;
    @ loop variant n-i;
    @*/
  for (int i=0; i < n; i++) {
    // bounds, needed by Gappa
    //@ assert \abs(x[i]) <= 1.0;
    //@ assert \abs(y[i]) <= 1.0;
    //@ assert \abs(p) <= NMAXR*(1+B) ;

  L:
    p = p + x[i]*y[i];

    // bound on the rounding errors in the statement above, proved by gappa
    /*@ assert \abs(p - (\at(p,L) + x[i]*y[i])) <= B;
     */

    // the proper instance of triangular inequality to show the main invariant
    /*@ assert
          \abs(p - exact_scalar_product(x,y,i+1)) <=
          \abs(p - (\at(p,L) + x[i]*y[i])) +
          \abs((\at(p,L) + x[i]*y[i]) -
               (exact_scalar_product(x,y,i) + x[i]*y[i])) ;
    */

    // a lemma to show the invariant \abs(exact_scalar_product(x,y,i)) <= i
    /*@ assert
      \abs(exact_scalar_product(x,y,i+1)) <=
         \abs(exact_scalar_product(x,y,i)) + \abs(x[i]) * \abs(y[i]);
    */

    // a necessary lemma, proved only by gappa
    //@ assert \abs(x[i]) * \abs(y[i]) <= 1.0;
  }
  return p;
}



/*
Local Variables:
compile-command: "make scalar_product.why3ide"
End:
*/


why-2.39/tests/c/muller.c0000644000106100004300000001002513147234006014257 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

typedef unsigned int size_t;
void *malloc(size_t size);
void *calloc(size_t nmemb, size_t size);

/*@ axiomatic NumOfPos {
  @  logic integer num_of_pos{L}(integer i,integer j,int *t);
  @  axiom num_of_pos_empty{L} :
  @   \forall integer i, j, int *t;
  @    i >= j ==> num_of_pos(i,j,t) == 0;
  @  axiom num_of_pos_true_case{L} :
  @   \forall integer i, j, int *t;
  @       i < j && t[j-1] > 0 ==>
  @         num_of_pos(i,j,t) == num_of_pos(i,j-1,t) + 1;
  @  axiom num_of_pos_false_case{L} :
  @   \forall integer i, j, int *t;
  @       i < j && ! (t[j-1] > 0) ==>
  @         num_of_pos(i,j,t) == num_of_pos(i,j-1,t);
  @ }
  @*/


/*@ lemma num_of_pos_non_negative{L} :
  @   \forall integer i, j, int *t; 0 <= num_of_pos(i,j,t);
  @*/

/*@ lemma num_of_pos_additive{L} :
  @   \forall integer i, j, k, int *t; i <= j <= k ==>
  @       num_of_pos(i,k,t) == num_of_pos(i,j,t) + num_of_pos(j,k,t);
  @*/

/*@ lemma num_of_pos_increasing{L} :
  @   \forall integer i, j, k, int *t;
  @       j <= k ==> num_of_pos(i,j,t) <= num_of_pos(i,k,t);
  @*/

/*@ lemma num_of_pos_strictly_increasing{L} :
  @   \forall integer i, n, int *t;
  @       0 <= i < n && t[i] > 0 ==>
  @       num_of_pos(0,i,t) < num_of_pos(0,n,t);
  @*/

/*@ requires l >= 0 && \valid(t+(0..l-1));
  @*/
int* m(int *t, int l) {
  int i, count = 0;
  int *u;

  /*@ loop invariant
    @    0 <= i <= l &&
    @    0 <= count <= i &&
    @    count == num_of_pos(0,i,t) ;
    @ loop variant l - i;
    @*/
  for (i=0 ; i < l; i++) if (t[i] > 0) count++;

  u = (int*)calloc(count,sizeof(int));
  count = 0;

  /*@ loop invariant
    @    0 <= i <= l &&
    @    0 <= count <= i &&
    @    count == num_of_pos(0,i,t);
    @ loop variant l - i;
    @*/
  for (int i=0 ; i < l; i++) {
    if (t[i] > 0) u[count++] = t[i];
  }
  return u;
}


/*
Local Variables:
compile-command: "make muller.why3ide"
End:
*/
why-2.39/tests/c/array_double.c0000644000106100004300000000513613147234006015436 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/



double a[2];
double b[2];
double c[2];


/*@ requires
  \valid(a+(0..1)) &&
  \valid(b+(0..1)) &&
  \valid(c+(0..1)) &&
      \abs(b[0]) <= 1.0 &&
      \abs(b[1]) <= 1.0 &&
      \abs(c[0]) <= 1.0 &&
      \abs(c[1]) <= 1.0 ;
*/
void test() {
  a[0] = b[0] + c[0];
  a[1] = b[1] + c[1];
  //@ assert \abs(a[0] - (b[0] + c[0])) <= 0x1p-53;

}


/*
Local Variables:
compile-command: "make array_double.why3ide"
End:
*/
why-2.39/tests/c/floats_bsearch.c0000644000106100004300000000674713147234006015756 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

#pragma JessieFloatModel(full)

/*@ predicate sorted{L}(double *t, integer a, integer b) =
  @    \forall integer i,j; a <= i <= j <= b ==> \le_float(t[i],t[j]);
  @*/

/*@ requires n >= 0 && \valid(t + (0 .. n-1));
  @ requires ! \is_NaN(v);
  @ requires \forall integer i; 0 <= i <= n-1 ==> ! \is_NaN(t[i]);
  @ ensures -1 <= \result < n;
  @ behavior success:
  @   ensures \result >= 0 ==> \eq_float(t[\result],v);
  @ behavior failure:
  @   assumes sorted(t,0,n-1);
  @   ensures \result == -1 ==>
  @     \forall integer k; 0 <= k < n ==> \ne_float(t[k],v);
  @*/
int binary_search(double t[], int n, double v) {
  int l = 0, u = n-1;
  /*@ loop invariant
    @   0 <= l && u <= n-1;
    @ for failure:
    @   loop invariant
    @     \forall integer k;
    @      0 <= k < l ==> \lt_float(t[k],v);
    @   loop invariant
    @     \forall integer k;
    @      u < k <= n-1 ==> \lt_float(v,t[k]);
    @ loop variant u-l;
    @*/
  while (l <= u ) {
    int m = l + (u - l) / 2;
    //@ assert l <= m <= u;
    if (t[m] < v) l = m + 1;
    else if (t[m] > v) u = m - 1;
    else
      {
        // assert ! \is_NaN(t[m]);
        // assert \le_float(t[m],v);
        // assert \ge_float(t[m],v);
        return m;
      }
  }
  return -1;
}

/*
Local Variables:
compile-command: "make floats_bsearch.why3ide"
End:
*/
why-2.39/tests/c/my_cosine.jessie/0000755000106100004300000000000013147234006016063 5ustar  marchevalswhy-2.39/tests/c/my_cosine.jessie/coq/0000755000106100004300000000000013147234006016645 5ustar  marchevalswhy-2.39/tests/c/my_cosine.jessie/coq/my_cosine_why.v0000644000106100004300000010361613147234006021717 0ustar  marchevals(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)
Require Export jessie_why. 
Require Import WhyFloatsStrict.
Require Import Interval_tactic.
Require Import Rtrigo_def.

(*Why type*) Definition charP: Set.
Admitted.

(*Why type*) Definition int8: Set.
Admitted.

(*Why type*) Definition padding: Set.
Admitted.

(*Why type*) Definition uint8: Set.
Admitted.

(*Why type*) Definition unsigned_charP: Set.
Admitted.

(*Why type*) Definition voidP: Set.
Admitted.

(*Why logic*) Definition charP_tag : (tag_id charP).
Admitted.

(*Why axiom*) Lemma charP_int : (int_of_tag charP_tag) = 1.
Admitted.
Dp_hint charP_int.

(*Why logic*) Definition charP_of_pointer_address :
  (pointer unit) -> (pointer charP).
Admitted.

(*Why axiom*) Lemma charP_of_pointer_address_of_pointer_addr :
  (forall (p:(pointer charP)),
   p = (charP_of_pointer_address (pointer_address p))).
Admitted.
Dp_hint charP_of_pointer_address_of_pointer_addr.

(*Why axiom*) Lemma charP_parenttag_bottom :
  (parenttag charP_tag (@bottom_tag charP)).
Admitted.
Dp_hint charP_parenttag_bottom.

(*Why axiom*) Lemma charP_tags :
  (forall (x:(pointer charP)),
   (forall (charP_tag_table:(tag_table charP)),
    (instanceof charP_tag_table x charP_tag))).
Admitted.
Dp_hint charP_tags.

(*Why logic*) Definition integer_of_int8 : int8 -> Z.
Admitted.

(*Why predicate*) Definition eq_int8  (x:int8) (y:int8)
  := (integer_of_int8 x) = (integer_of_int8 y).

(*Why logic*) Definition integer_of_uint8 : uint8 -> Z.
Admitted.

(*Why predicate*) Definition eq_uint8  (x:uint8) (y:uint8)
  := (integer_of_uint8 x) = (integer_of_uint8 y).

(*Why logic*) Definition int8_of_integer : Z -> int8.
Admitted.

(*Why axiom*) Lemma int8_coerce :
  (forall (x:Z),
   ((-128) <= x /\ x <= 127 -> (integer_of_int8 (int8_of_integer x)) = x)).
Admitted.

(*Why axiom*) Lemma int8_extensionality :
  (forall (x:int8),
   (forall (y:int8), ((integer_of_int8 x) = (integer_of_int8 y) -> x = y))).
Admitted.
Dp_hint int8_extensionality.

(*Why axiom*) Lemma int8_range :
  (forall (x:int8), (-128) <= (integer_of_int8 x) /\ (integer_of_int8 x) <=
   127).
Admitted.

(*Why predicate*) Definition left_valid_struct_charP  (p:(pointer charP)) (a:Z) (charP_alloc_table:(alloc_table charP))
  := (offset_min charP_alloc_table p) <= a.

(*Why predicate*) Definition left_valid_struct_unsigned_charP  (p:(pointer unsigned_charP)) (a:Z) (unsigned_charP_alloc_table:(alloc_table unsigned_charP))
  := (offset_min unsigned_charP_alloc_table p) <= a.

(*Why predicate*) Definition left_valid_struct_voidP  (p:(pointer voidP)) (a:Z) (voidP_alloc_table:(alloc_table voidP))
  := (offset_min voidP_alloc_table p) <= a.

(*Why axiom*) Lemma pointer_addr_of_charP_of_pointer_address :
  (forall (p:(pointer unit)),
   p = (pointer_address (charP_of_pointer_address p))).
Admitted.
Dp_hint pointer_addr_of_charP_of_pointer_address.

(*Why logic*) Definition unsigned_charP_of_pointer_address :
  (pointer unit) -> (pointer unsigned_charP).
Admitted.

(*Why axiom*) Lemma pointer_addr_of_unsigned_charP_of_pointer_address :
  (forall (p:(pointer unit)),
   p = (pointer_address (unsigned_charP_of_pointer_address p))).
Admitted.
Dp_hint pointer_addr_of_unsigned_charP_of_pointer_address.

(*Why logic*) Definition voidP_of_pointer_address :
  (pointer unit) -> (pointer voidP).
Admitted.

(*Why axiom*) Lemma pointer_addr_of_voidP_of_pointer_address :
  (forall (p:(pointer unit)),
   p = (pointer_address (voidP_of_pointer_address p))).
Admitted.
Dp_hint pointer_addr_of_voidP_of_pointer_address.

(*Why predicate*) Definition right_valid_struct_charP  (p:(pointer charP)) (b:Z) (charP_alloc_table:(alloc_table charP))
  := (offset_max charP_alloc_table p) >= b.

(*Why predicate*) Definition right_valid_struct_unsigned_charP  (p:(pointer unsigned_charP)) (b:Z) (unsigned_charP_alloc_table:(alloc_table unsigned_charP))
  := (offset_max unsigned_charP_alloc_table p) >= b.

(*Why predicate*) Definition right_valid_struct_voidP  (p:(pointer voidP)) (b:Z) (voidP_alloc_table:(alloc_table voidP))
  := (offset_max voidP_alloc_table p) >= b.

(*Why predicate*) Definition strict_valid_root_charP  (p:(pointer charP)) (a:Z) (b:Z) (charP_alloc_table:(alloc_table charP))
  := (offset_min charP_alloc_table p) = a /\
     (offset_max charP_alloc_table p) = b.

(*Why predicate*) Definition strict_valid_root_unsigned_charP  (p:(pointer unsigned_charP)) (a:Z) (b:Z) (unsigned_charP_alloc_table:(alloc_table unsigned_charP))
  := (offset_min unsigned_charP_alloc_table p) = a /\
     (offset_max unsigned_charP_alloc_table p) = b.

(*Why predicate*) Definition strict_valid_root_voidP  (p:(pointer voidP)) (a:Z) (b:Z) (voidP_alloc_table:(alloc_table voidP))
  := (offset_min voidP_alloc_table p) = a /\
     (offset_max voidP_alloc_table p) = b.

(*Why predicate*) Definition strict_valid_struct_charP  (p:(pointer charP)) (a:Z) (b:Z) (charP_alloc_table:(alloc_table charP))
  := (offset_min charP_alloc_table p) = a /\
     (offset_max charP_alloc_table p) = b.

(*Why predicate*) Definition strict_valid_struct_unsigned_charP  (p:(pointer unsigned_charP)) (a:Z) (b:Z) (unsigned_charP_alloc_table:(alloc_table unsigned_charP))
  := (offset_min unsigned_charP_alloc_table p) = a /\
     (offset_max unsigned_charP_alloc_table p) = b.

(*Why predicate*) Definition strict_valid_struct_voidP  (p:(pointer voidP)) (a:Z) (b:Z) (voidP_alloc_table:(alloc_table voidP))
  := (offset_min voidP_alloc_table p) = a /\
     (offset_max voidP_alloc_table p) = b.

(*Why logic*) Definition uint8_of_integer : Z -> uint8.
Admitted.

(*Why axiom*) Lemma uint8_coerce :
  (forall (x:Z),
   (0 <= x /\ x <= 255 -> (integer_of_uint8 (uint8_of_integer x)) = x)).
Admitted.
Dp_hint uint8_coerce.

(*Why axiom*) Lemma uint8_extensionality :
  (forall (x:uint8),
   (forall (y:uint8), ((integer_of_uint8 x) = (integer_of_uint8 y) -> x = y))).
Admitted.
Dp_hint uint8_extensionality.

(*Why axiom*) Lemma uint8_range :
  (forall (x:uint8), 0 <= (integer_of_uint8 x) /\ (integer_of_uint8 x) <= 255).
Admitted.
Dp_hint uint8_range.

(*Why logic*) Definition unsigned_charP_tag : (tag_id unsigned_charP).
Admitted.

(*Why axiom*) Lemma unsigned_charP_int : (int_of_tag unsigned_charP_tag) = 1.
Admitted.
Dp_hint unsigned_charP_int.

(*Why axiom*) Lemma unsigned_charP_of_pointer_address_of_pointer_addr :
  (forall (p:(pointer unsigned_charP)),
   p = (unsigned_charP_of_pointer_address (pointer_address p))).
Admitted.
Dp_hint unsigned_charP_of_pointer_address_of_pointer_addr.

(*Why axiom*) Lemma unsigned_charP_parenttag_bottom :
  (parenttag unsigned_charP_tag (@bottom_tag unsigned_charP)).
Admitted.
Dp_hint unsigned_charP_parenttag_bottom.

(*Why axiom*) Lemma unsigned_charP_tags :
  (forall (x:(pointer unsigned_charP)),
   (forall (unsigned_charP_tag_table:(tag_table unsigned_charP)),
    (instanceof unsigned_charP_tag_table x unsigned_charP_tag))).
Admitted.
Dp_hint unsigned_charP_tags.

(*Why predicate*) Definition valid_root_charP  (p:(pointer charP)) (a:Z) (b:Z) (charP_alloc_table:(alloc_table charP))
  := (offset_min charP_alloc_table p) <= a /\
     (offset_max charP_alloc_table p) >= b.

(*Why predicate*) Definition valid_root_unsigned_charP  (p:(pointer unsigned_charP)) (a:Z) (b:Z) (unsigned_charP_alloc_table:(alloc_table unsigned_charP))
  := (offset_min unsigned_charP_alloc_table p) <= a /\
     (offset_max unsigned_charP_alloc_table p) >= b.

(*Why predicate*) Definition valid_root_voidP  (p:(pointer voidP)) (a:Z) (b:Z) (voidP_alloc_table:(alloc_table voidP))
  := (offset_min voidP_alloc_table p) <= a /\
     (offset_max voidP_alloc_table p) >= b.

(*Why predicate*) Definition valid_struct_charP  (p:(pointer charP)) (a:Z) (b:Z) (charP_alloc_table:(alloc_table charP))
  := (offset_min charP_alloc_table p) <= a /\
     (offset_max charP_alloc_table p) >= b.

(*Why predicate*) Definition valid_struct_unsigned_charP  (p:(pointer unsigned_charP)) (a:Z) (b:Z) (unsigned_charP_alloc_table:(alloc_table unsigned_charP))
  := (offset_min unsigned_charP_alloc_table p) <= a /\
     (offset_max unsigned_charP_alloc_table p) >= b.

(*Why predicate*) Definition valid_struct_voidP  (p:(pointer voidP)) (a:Z) (b:Z) (voidP_alloc_table:(alloc_table voidP))
  := (offset_min voidP_alloc_table p) <= a /\
     (offset_max voidP_alloc_table p) >= b.

(*Why logic*) Definition voidP_tag : (tag_id voidP).
Admitted.

(*Why axiom*) Lemma voidP_int : (int_of_tag voidP_tag) = 1.
Admitted.
Dp_hint voidP_int.

(*Why axiom*) Lemma voidP_of_pointer_address_of_pointer_addr :
  (forall (p:(pointer voidP)),
   p = (voidP_of_pointer_address (pointer_address p))).
Admitted.
Dp_hint voidP_of_pointer_address_of_pointer_addr.

(*Why axiom*) Lemma voidP_parenttag_bottom :
  (parenttag voidP_tag (@bottom_tag voidP)).
Admitted.
Dp_hint voidP_parenttag_bottom.

(*Why axiom*) Lemma voidP_tags :
  (forall (x:(pointer voidP)),
   (forall (voidP_tag_table:(tag_table voidP)),
    (instanceof voidP_tag_table x voidP_tag))).
Admitted.
Dp_hint voidP_tags.

(* Why obligation from file "my_cosine.c", line 36, characters 4-111: *)
(*Why goal*) Lemma method_error : 
  (forall (x_3:R),
   ((Rle (Rabs x_3) (1 / 32)%R) ->
    (Rle
     (Rabs
      (Rminus (Rminus (1)%R (Rmult (Rmult x_3 x_3) (05 / 10)%R)) (cos x_3)))
     (1 / 16777216)%R))).
Proof.
intros x H.

interval with (i_bisect_diff x).
Save.

Dp_hint method_error.

(* Why obligation from file "my_cosine.c", line 44, characters 13-53: *)
(*Why goal*) Lemma my_cos1_ensures_default_po_1 : 
  forall (x_0: single),
  forall (HW_1: (* JC_3 *) (Rle (Rabs (single_value x_0)) (1 / 32)%R)),
  (* JC_13 *)
  (Rle
   (Rabs
    (Rminus
     (Rminus
      (1)%R (Rmult (Rmult (single_value x_0) (single_value x_0)) (05 / 10)%R)) (
     cos (single_value x_0))))
   (1 / 16777216)%R).
Proof.
intros x H.
interval with (i_bisect_diff (single_value x)).
Save.

(* Why obligation from file "my_cosine.c", line 41, characters 12-46: *)
(*Why goal*) Lemma my_cos1_ensures_default_po_2 : 
  forall (x_0: single),
  forall (HW_1: (* JC_3 *) (Rle (Rabs (single_value x_0)) (1 / 32)%R)),
  forall (HW_4: (* JC_13 *)
                (Rle
                 (Rabs
                  (Rminus
                   (Rminus
                    (1)%R (Rmult
                           (Rmult (single_value x_0) (single_value x_0)) (05 / 10)%R)) (
                   cos (single_value x_0))))
                 (1 / 16777216)%R)),
  forall (result: single),
  forall (HW_5: (eq (single_value result) (1)%R) /\
                (eq (single_exact result) (1)%R) /\
                (eq (single_model result) (1)%R)),
  forall (result0: single),
  forall (HW_6: (mul_single_post nearest_even x_0 x_0 result0)),
  forall (result1: single),
  forall (HW_7: (eq (single_value result1) (05 / 10)%R) /\
                (eq (single_exact result1) (05 / 10)%R) /\
                (eq (single_model result1) (05 / 10)%R)),
  forall (result2: single),
  forall (HW_8: (mul_single_post nearest_even result0 result1 result2)),
  forall (result3: single),
  forall (HW_9: (sub_single_post nearest_even result result2 result3)),
  forall (__retres: single),
  forall (HW_10: __retres = result3),
  forall (why__return: single),
  forall (HW_11: why__return = __retres),
  (* JC_5 *)
  (Rle (Rabs (Rminus (single_value why__return) (cos (single_value x_0))))
   (1 / 8388608)%R).
Proof.
admit.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "my_cosine.c", line 45, characters 16-21: *)
(*Why goal*) Lemma my_cos1_safety_po_1 : 
  forall (x_0: single),
  forall (HW_1: (* JC_3 *) (Rle (Rabs (single_value x_0)) (1 / 32)%R)),
  forall (HW_4: (* JC_9 *)
                (Rle
                 (Rabs
                  (Rminus
                   (Rminus
                    (1)%R (Rmult
                           (Rmult (single_value x_0) (single_value x_0)) (05 / 10)%R)) (
                   cos (single_value x_0))))
                 (1 / 16777216)%R)),
  forall (result: single),
  forall (HW_5: (eq (single_value result) (1)%R) /\
                (eq (single_exact result) (1)%R) /\
                (eq (single_model result) (1)%R)),
  (no_overflow_single
   nearest_even (Rmult (single_value x_0) (single_value x_0))).
Proof.
admit.
Save.

(* Why obligation from file "my_cosine.c", line 45, characters 16-28: *)
(*Why goal*) Lemma my_cos1_safety_po_2 : 
  forall (x_0: single),
  forall (HW_1: (* JC_3 *) (Rle (Rabs (single_value x_0)) (1 / 32)%R)),
  forall (HW_4: (* JC_9 *)
                (Rle
                 (Rabs
                  (Rminus
                   (Rminus
                    (1)%R (Rmult
                           (Rmult (single_value x_0) (single_value x_0)) (05 / 10)%R)) (
                   cos (single_value x_0))))
                 (1 / 16777216)%R)),
  forall (result: single),
  forall (HW_5: (eq (single_value result) (1)%R) /\
                (eq (single_exact result) (1)%R) /\
                (eq (single_model result) (1)%R)),
  forall (HW_6: (no_overflow_single
                 nearest_even (Rmult (single_value x_0) (single_value x_0)))),
  forall (result0: single),
  forall (HW_7: (mul_single_post nearest_even x_0 x_0 result0)),
  forall (result1: single),
  forall (HW_8: (eq (single_value result1) (05 / 10)%R) /\
                (eq (single_exact result1) (05 / 10)%R) /\
                (eq (single_model result1) (05 / 10)%R)),
  (no_overflow_single
   nearest_even (Rmult (single_value result0) (single_value result1))).
Proof.
admit.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "my_cosine.c", line 45, characters 9-28: *)
(*Why goal*) Lemma my_cos1_safety_po_3 : 
  forall (x_0: single),
  forall (HW_1: (* JC_3 *) (Rle (Rabs (single_value x_0)) (1 / 32)%R)),
  forall (HW_4: (* JC_9 *)
                (Rle
                 (Rabs
                  (Rminus
                   (Rminus
                    (1)%R (Rmult
                           (Rmult (single_value x_0) (single_value x_0)) (05 / 10)%R)) (
                   cos (single_value x_0))))
                 (1 / 16777216)%R)),
  forall (result: single),
  forall (HW_5: (eq (single_value result) (1)%R) /\
                (eq (single_exact result) (1)%R) /\
                (eq (single_model result) (1)%R)),
  forall (HW_6: (no_overflow_single
                 nearest_even (Rmult (single_value x_0) (single_value x_0)))),
  forall (result0: single),
  forall (HW_7: (mul_single_post nearest_even x_0 x_0 result0)),
  forall (result1: single),
  forall (HW_8: (eq (single_value result1) (05 / 10)%R) /\
                (eq (single_exact result1) (05 / 10)%R) /\
                (eq (single_model result1) (05 / 10)%R)),
  forall (HW_9: (no_overflow_single
                 nearest_even (Rmult
                               (single_value result0) (single_value result1)))),
  forall (result2: single),
  forall (HW_10: (mul_single_post nearest_even result0 result1 result2)),
  (no_overflow_single
   nearest_even (Rminus (single_value result) (single_value result2))).
Proof.
admit.
Save.

(* Why obligation from file "my_cosine.c", line 53, characters 13-27: *)
(*Why goal*) Lemma my_cos2_ensures_default_po_1 : 
  forall (x_0_0: single),
  forall (HW_1: (* JC_23 *)
                ((* JC_21 *) (Rle (Rabs (single_value x_0_0)) (1 / 32)%R) /\
                (* JC_22 *) (eq (single_round_error x_0_0) (0)%R))),
  (* JC_34 *) (eq (single_exact x_0_0) (single_value x_0_0)).
Proof.
admit.
Save.

(* Why obligation from file "my_cosine.c", line 55, characters 13-49: *)
(*Why goal*) Lemma my_cos2_ensures_default_po_2 : 
  forall (x_0_0: single),
  forall (HW_1: (* JC_23 *)
                ((* JC_21 *) (Rle (Rabs (single_value x_0_0)) (1 / 32)%R) /\
                (* JC_22 *) (eq (single_round_error x_0_0) (0)%R))),
  forall (HW_4: (* JC_34 *) (eq (single_exact x_0_0) (single_value x_0_0))),
  forall (result: single),
  forall (HW_5: (eq (single_value result) (1)%R) /\
                (eq (single_exact result) (1)%R) /\
                (eq (single_model result) (1)%R)),
  forall (result0: single),
  forall (HW_6: (mul_single_post nearest_even x_0_0 x_0_0 result0)),
  forall (result1: single),
  forall (HW_7: (eq (single_value result1) (05 / 10)%R) /\
                (eq (single_exact result1) (05 / 10)%R) /\
                (eq (single_model result1) (05 / 10)%R)),
  forall (result2: single),
  forall (HW_8: (mul_single_post nearest_even result0 result1 result2)),
  forall (result3: single),
  forall (HW_9: (sub_single_post nearest_even result result2 result3)),
  forall (r: single),
  forall (HW_10: r = result3),
  (* JC_38 *)
  (Rle (Rabs (Rminus (single_exact r) (cos (single_value x_0_0))))
   (1 / 16777216)%R).
Proof.
intros x (H1,H2) Heq.
intros r (_,(exa_r,_)).
intros r0 (_,(exa_r0,_)).
intros r1 (_,(exa_r1,_)).
intros r2 (_,(exa_r2,_)).
intros r3 (_,(exa_r3,_)).
intros r4 r4_eq.
subst r4.
rewrite exa_r3; clear exa_r3 r3.
rewrite exa_r2; clear exa_r2 r2.
rewrite exa_r1; clear exa_r1 r1.
rewrite exa_r0; clear exa_r0 r0.
rewrite exa_r; clear exa_r r.
unfold single_round_error in H2.
rewrite Heq.
interval with (i_bisect_diff (single_value x)).
Save.

(* Why obligation from file "my_cosine.c", line 50, characters 12-46: *)
(*Why goal*) Lemma my_cos2_ensures_default_po_3 : 
  forall (x_0_0: single),
  forall (HW_1: (* JC_23 *)
                ((* JC_21 *) (Rle (Rabs (single_value x_0_0)) (1 / 32)%R) /\
                (* JC_22 *) (eq (single_round_error x_0_0) (0)%R))),
  forall (HW_4: (* JC_34 *) (eq (single_exact x_0_0) (single_value x_0_0))),
  forall (result: single),
  forall (HW_5: (eq (single_value result) (1)%R) /\
                (eq (single_exact result) (1)%R) /\
                (eq (single_model result) (1)%R)),
  forall (result0: single),
  forall (HW_6: (mul_single_post nearest_even x_0_0 x_0_0 result0)),
  forall (result1: single),
  forall (HW_7: (eq (single_value result1) (05 / 10)%R) /\
                (eq (single_exact result1) (05 / 10)%R) /\
                (eq (single_model result1) (05 / 10)%R)),
  forall (result2: single),
  forall (HW_8: (mul_single_post nearest_even result0 result1 result2)),
  forall (result3: single),
  forall (HW_9: (sub_single_post nearest_even result result2 result3)),
  forall (r: single),
  forall (HW_10: r = result3),
  forall (HW_11: (* JC_38 *)
                 (Rle
                  (Rabs (Rminus (single_exact r) (cos (single_value x_0_0))))
                  (1 / 16777216)%R)),
  forall (why__return: single),
  forall (HW_12: why__return = r),
  (* JC_25 *)
  (Rle (Rabs (Rminus (single_value why__return) (cos (single_value x_0_0))))
   (1 / 8388608)%R).
Proof.
admit.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "my_cosine.c", line 54, characters 19-24: *)
(*Why goal*) Lemma my_cos2_safety_po_1 : 
  forall (x_0_0: single),
  forall (HW_1: (* JC_23 *)
                ((* JC_21 *) (Rle (Rabs (single_value x_0_0)) (1 / 32)%R) /\
                (* JC_22 *) (eq (single_round_error x_0_0) (0)%R))),
  forall (HW_4: (* JC_29 *) (eq (single_exact x_0_0) (single_value x_0_0))),
  forall (result: single),
  forall (HW_5: (eq (single_value result) (1)%R) /\
                (eq (single_exact result) (1)%R) /\
                (eq (single_model result) (1)%R)),
  (no_overflow_single
   nearest_even (Rmult (single_value x_0_0) (single_value x_0_0))).
Proof.
admit.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "my_cosine.c", line 54, characters 19-31: *)
(*Why goal*) Lemma my_cos2_safety_po_2 : 
  forall (x_0_0: single),
  forall (HW_1: (* JC_23 *)
                ((* JC_21 *) (Rle (Rabs (single_value x_0_0)) (1 / 32)%R) /\
                (* JC_22 *) (eq (single_round_error x_0_0) (0)%R))),
  forall (HW_4: (* JC_29 *) (eq (single_exact x_0_0) (single_value x_0_0))),
  forall (result: single),
  forall (HW_5: (eq (single_value result) (1)%R) /\
                (eq (single_exact result) (1)%R) /\
                (eq (single_model result) (1)%R)),
  forall (HW_6: (no_overflow_single
                 nearest_even (Rmult
                               (single_value x_0_0) (single_value x_0_0)))),
  forall (result0: single),
  forall (HW_7: (mul_single_post nearest_even x_0_0 x_0_0 result0)),
  forall (result1: single),
  forall (HW_8: (eq (single_value result1) (05 / 10)%R) /\
                (eq (single_exact result1) (05 / 10)%R) /\
                (eq (single_model result1) (05 / 10)%R)),
  (no_overflow_single
   nearest_even (Rmult (single_value result0) (single_value result1))).
Proof.
admit.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "my_cosine.c", line 54, characters 12-31: *)
(*Why goal*) Lemma my_cos2_safety_po_3 : 
  forall (x_0_0: single),
  forall (HW_1: (* JC_23 *)
                ((* JC_21 *) (Rle (Rabs (single_value x_0_0)) (1 / 32)%R) /\
                (* JC_22 *) (eq (single_round_error x_0_0) (0)%R))),
  forall (HW_4: (* JC_29 *) (eq (single_exact x_0_0) (single_value x_0_0))),
  forall (result: single),
  forall (HW_5: (eq (single_value result) (1)%R) /\
                (eq (single_exact result) (1)%R) /\
                (eq (single_model result) (1)%R)),
  forall (HW_6: (no_overflow_single
                 nearest_even (Rmult
                               (single_value x_0_0) (single_value x_0_0)))),
  forall (result0: single),
  forall (HW_7: (mul_single_post nearest_even x_0_0 x_0_0 result0)),
  forall (result1: single),
  forall (HW_8: (eq (single_value result1) (05 / 10)%R) /\
                (eq (single_exact result1) (05 / 10)%R) /\
                (eq (single_model result1) (05 / 10)%R)),
  forall (HW_9: (no_overflow_single
                 nearest_even (Rmult
                               (single_value result0) (single_value result1)))),
  forall (result2: single),
  forall (HW_10: (mul_single_post nearest_even result0 result1 result2)),
  (no_overflow_single
   nearest_even (Rminus (single_value result) (single_value result2))).
Proof.
admit.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "my_cosine.c", line 67, characters 13-57: *)
(*Why goal*) Lemma my_cos3_ensures_default_po_1 : 
  forall (x_1: single),
  forall (HW_1: (* JC_45 *)
                ((* JC_43 *) (Rle (Rabs (single_exact x_1)) (1 / 32)%R) /\
                (* JC_44 *) (Rle (single_round_error x_1) (1 / 1048576)%R))),
  forall (result: single),
  forall (HW_4: (eq (single_value result) (1)%R) /\
                (eq (single_exact result) (1)%R) /\
                (eq (single_model result) (1)%R)),
  forall (result0: single),
  forall (HW_5: (mul_single_post nearest_even x_1 x_1 result0)),
  forall (result1: single),
  forall (HW_6: (eq (single_value result1) (05 / 10)%R) /\
                (eq (single_exact result1) (05 / 10)%R) /\
                (eq (single_model result1) (05 / 10)%R)),
  forall (result2: single),
  forall (HW_7: (mul_single_post nearest_even result0 result1 result2)),
  forall (result3: single),
  forall (HW_8: (sub_single_post nearest_even result result2 result3)),
  forall (r_0: single),
  forall (HW_9: r_0 = result3),
  (* JC_62 *)
  (Rle (Rabs (Rminus (single_exact r_0) (cos (single_exact x_1))))
   (1 / 16777216)%R).
Proof.
admit.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "my_cosine.c", line 62, characters 12-62: *)
(*Why goal*) Lemma my_cos3_ensures_default_po_2 : 
  forall (x_1: single),
  forall (HW_1: (* JC_45 *)
                ((* JC_43 *) (Rle (Rabs (single_exact x_1)) (1 / 32)%R) /\
                (* JC_44 *) (Rle (single_round_error x_1) (1 / 1048576)%R))),
  forall (result: single),
  forall (HW_4: (eq (single_value result) (1)%R) /\
                (eq (single_exact result) (1)%R) /\
                (eq (single_model result) (1)%R)),
  forall (result0: single),
  forall (HW_5: (mul_single_post nearest_even x_1 x_1 result0)),
  forall (result1: single),
  forall (HW_6: (eq (single_value result1) (05 / 10)%R) /\
                (eq (single_exact result1) (05 / 10)%R) /\
                (eq (single_model result1) (05 / 10)%R)),
  forall (result2: single),
  forall (HW_7: (mul_single_post nearest_even result0 result1 result2)),
  forall (result3: single),
  forall (HW_8: (sub_single_post nearest_even result result2 result3)),
  forall (r_0: single),
  forall (HW_9: r_0 = result3),
  forall (HW_10: (* JC_62 *)
                 (Rle
                  (Rabs (Rminus (single_exact r_0) (cos (single_exact x_1))))
                  (1 / 16777216)%R)),
  forall (why__return: single),
  forall (HW_11: why__return = r_0),
  (* JC_49 *)
  (* JC_47 *)
  (Rle (Rabs (Rminus (single_exact why__return) (cos (single_exact x_1))))
   (1 / 16777216)%R).
Proof.
admit.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "my_cosine.c", line 63, characters 11-61: *)
(*Why goal*) Lemma my_cos3_ensures_default_po_3 : 
  forall (x_1: single),
  forall (HW_1: (* JC_45 *)
                ((* JC_43 *) (Rle (Rabs (single_exact x_1)) (1 / 32)%R) /\
                (* JC_44 *) (Rle (single_round_error x_1) (1 / 1048576)%R))),
  forall (result: single),
  forall (HW_4: (eq (single_value result) (1)%R) /\
                (eq (single_exact result) (1)%R) /\
                (eq (single_model result) (1)%R)),
  forall (result0: single),
  forall (HW_5: (mul_single_post nearest_even x_1 x_1 result0)),
  forall (result1: single),
  forall (HW_6: (eq (single_value result1) (05 / 10)%R) /\
                (eq (single_exact result1) (05 / 10)%R) /\
                (eq (single_model result1) (05 / 10)%R)),
  forall (result2: single),
  forall (HW_7: (mul_single_post nearest_even result0 result1 result2)),
  forall (result3: single),
  forall (HW_8: (sub_single_post nearest_even result result2 result3)),
  forall (r_0: single),
  forall (HW_9: r_0 = result3),
  forall (HW_10: (* JC_62 *)
                 (Rle
                  (Rabs (Rminus (single_exact r_0) (cos (single_exact x_1))))
                  (1 / 16777216)%R)),
  forall (why__return: single),
  forall (HW_11: why__return = r_0),
  (* JC_49 *)
  (* JC_48 *)
  (Rle (single_round_error why__return)
   (Rplus (single_round_error x_1) (3 / 16777216)%R)).
Proof.
admit.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "my_cosine.c", line 66, characters 19-24: *)
(*Why goal*) Lemma my_cos3_safety_po_1 : 
  forall (x_1: single),
  forall (HW_1: (* JC_45 *)
                ((* JC_43 *) (Rle (Rabs (single_exact x_1)) (1 / 32)%R) /\
                (* JC_44 *) (Rle (single_round_error x_1) (1 / 1048576)%R))),
  forall (result: single),
  forall (HW_4: (eq (single_value result) (1)%R) /\
                (eq (single_exact result) (1)%R) /\
                (eq (single_model result) (1)%R)),
  (no_overflow_single
   nearest_even (Rmult (single_value x_1) (single_value x_1))).
Proof.
admit.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "my_cosine.c", line 66, characters 19-31: *)
(*Why goal*) Lemma my_cos3_safety_po_2 : 
  forall (x_1: single),
  forall (HW_1: (* JC_45 *)
                ((* JC_43 *) (Rle (Rabs (single_exact x_1)) (1 / 32)%R) /\
                (* JC_44 *) (Rle (single_round_error x_1) (1 / 1048576)%R))),
  forall (result: single),
  forall (HW_4: (eq (single_value result) (1)%R) /\
                (eq (single_exact result) (1)%R) /\
                (eq (single_model result) (1)%R)),
  forall (HW_5: (no_overflow_single
                 nearest_even (Rmult (single_value x_1) (single_value x_1)))),
  forall (result0: single),
  forall (HW_6: (mul_single_post nearest_even x_1 x_1 result0)),
  forall (result1: single),
  forall (HW_7: (eq (single_value result1) (05 / 10)%R) /\
                (eq (single_exact result1) (05 / 10)%R) /\
                (eq (single_model result1) (05 / 10)%R)),
  (no_overflow_single
   nearest_even (Rmult (single_value result0) (single_value result1))).
Proof.
admit.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "my_cosine.c", line 66, characters 12-31: *)
(*Why goal*) Lemma my_cos3_safety_po_3 : 
  forall (x_1: single),
  forall (HW_1: (* JC_45 *)
                ((* JC_43 *) (Rle (Rabs (single_exact x_1)) (1 / 32)%R) /\
                (* JC_44 *) (Rle (single_round_error x_1) (1 / 1048576)%R))),
  forall (result: single),
  forall (HW_4: (eq (single_value result) (1)%R) /\
                (eq (single_exact result) (1)%R) /\
                (eq (single_model result) (1)%R)),
  forall (HW_5: (no_overflow_single
                 nearest_even (Rmult (single_value x_1) (single_value x_1)))),
  forall (result0: single),
  forall (HW_6: (mul_single_post nearest_even x_1 x_1 result0)),
  forall (result1: single),
  forall (HW_7: (eq (single_value result1) (05 / 10)%R) /\
                (eq (single_exact result1) (05 / 10)%R) /\
                (eq (single_model result1) (05 / 10)%R)),
  forall (HW_8: (no_overflow_single
                 nearest_even (Rmult
                               (single_value result0) (single_value result1)))),
  forall (result2: single),
  forall (HW_9: (mul_single_post nearest_even result0 result1 result2)),
  (no_overflow_single
   nearest_even (Rminus (single_value result) (single_value result2))).
Proof.
admit.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "my_cosine.c", line 75, characters 13-55: *)
(*Why goal*) Lemma my_cos4_ensures_default_po_1 : 
  forall (x_2: single),
  forall (HW_1: (* JC_65 *) (Rle (Rabs (single_value x_2)) (007 / 100)%R)),
  (* JC_75 *)
  (Rle
   (Rabs
    (Rminus
     (Rminus
      (1)%R (Rmult (Rmult (single_value x_2) (single_value x_2)) (05 / 10)%R)) (
     cos (single_value x_2))))
   (18 / 16777216)%R).
Proof.
admit.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "my_cosine.c", line 72, characters 12-48: *)
(*Why goal*) Lemma my_cos4_ensures_default_po_2 : 
  forall (x_2: single),
  forall (HW_1: (* JC_65 *) (Rle (Rabs (single_value x_2)) (007 / 100)%R)),
  forall (HW_4: (* JC_75 *)
                (Rle
                 (Rabs
                  (Rminus
                   (Rminus
                    (1)%R (Rmult
                           (Rmult (single_value x_2) (single_value x_2)) (05 / 10)%R)) (
                   cos (single_value x_2))))
                 (18 / 16777216)%R)),
  forall (result: single),
  forall (HW_5: (eq (single_value result) (1)%R) /\
                (eq (single_exact result) (1)%R) /\
                (eq (single_model result) (1)%R)),
  forall (result0: single),
  forall (HW_6: (mul_single_post nearest_even x_2 x_2 result0)),
  forall (result1: single),
  forall (HW_7: (eq (single_value result1) (05 / 10)%R) /\
                (eq (single_exact result1) (05 / 10)%R) /\
                (eq (single_model result1) (05 / 10)%R)),
  forall (result2: single),
  forall (HW_8: (mul_single_post nearest_even result0 result1 result2)),
  forall (result3: single),
  forall (HW_9: (sub_single_post nearest_even result result2 result3)),
  forall (__retres_0: single),
  forall (HW_10: __retres_0 = result3),
  forall (why__return: single),
  forall (HW_11: why__return = __retres_0),
  (* JC_67 *)
  (Rle (Rabs (Rminus (single_value why__return) (cos (single_value x_2))))
   (19 / 16777216)%R).
Proof.
admit.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "my_cosine.c", line 76, characters 16-21: *)
(*Why goal*) Lemma my_cos4_safety_po_1 : 
  forall (x_2: single),
  forall (HW_1: (* JC_65 *) (Rle (Rabs (single_value x_2)) (007 / 100)%R)),
  forall (HW_4: (* JC_71 *)
                (Rle
                 (Rabs
                  (Rminus
                   (Rminus
                    (1)%R (Rmult
                           (Rmult (single_value x_2) (single_value x_2)) (05 / 10)%R)) (
                   cos (single_value x_2))))
                 (18 / 16777216)%R)),
  forall (result: single),
  forall (HW_5: (eq (single_value result) (1)%R) /\
                (eq (single_exact result) (1)%R) /\
                (eq (single_model result) (1)%R)),
  (no_overflow_single
   nearest_even (Rmult (single_value x_2) (single_value x_2))).
Proof.
admit.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "my_cosine.c", line 76, characters 16-28: *)
(*Why goal*) Lemma my_cos4_safety_po_2 : 
  forall (x_2: single),
  forall (HW_1: (* JC_65 *) (Rle (Rabs (single_value x_2)) (007 / 100)%R)),
  forall (HW_4: (* JC_71 *)
                (Rle
                 (Rabs
                  (Rminus
                   (Rminus
                    (1)%R (Rmult
                           (Rmult (single_value x_2) (single_value x_2)) (05 / 10)%R)) (
                   cos (single_value x_2))))
                 (18 / 16777216)%R)),
  forall (result: single),
  forall (HW_5: (eq (single_value result) (1)%R) /\
                (eq (single_exact result) (1)%R) /\
                (eq (single_model result) (1)%R)),
  forall (HW_6: (no_overflow_single
                 nearest_even (Rmult (single_value x_2) (single_value x_2)))),
  forall (result0: single),
  forall (HW_7: (mul_single_post nearest_even x_2 x_2 result0)),
  forall (result1: single),
  forall (HW_8: (eq (single_value result1) (05 / 10)%R) /\
                (eq (single_exact result1) (05 / 10)%R) /\
                (eq (single_model result1) (05 / 10)%R)),
  (no_overflow_single
   nearest_even (Rmult (single_value result0) (single_value result1))).
Proof.
admit.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "my_cosine.c", line 76, characters 9-28: *)
(*Why goal*) Lemma my_cos4_safety_po_3 : 
  forall (x_2: single),
  forall (HW_1: (* JC_65 *) (Rle (Rabs (single_value x_2)) (007 / 100)%R)),
  forall (HW_4: (* JC_71 *)
                (Rle
                 (Rabs
                  (Rminus
                   (Rminus
                    (1)%R (Rmult
                           (Rmult (single_value x_2) (single_value x_2)) (05 / 10)%R)) (
                   cos (single_value x_2))))
                 (18 / 16777216)%R)),
  forall (result: single),
  forall (HW_5: (eq (single_value result) (1)%R) /\
                (eq (single_exact result) (1)%R) /\
                (eq (single_model result) (1)%R)),
  forall (HW_6: (no_overflow_single
                 nearest_even (Rmult (single_value x_2) (single_value x_2)))),
  forall (result0: single),
  forall (HW_7: (mul_single_post nearest_even x_2 x_2 result0)),
  forall (result1: single),
  forall (HW_8: (eq (single_value result1) (05 / 10)%R) /\
                (eq (single_exact result1) (05 / 10)%R) /\
                (eq (single_model result1) (05 / 10)%R)),
  forall (HW_9: (no_overflow_single
                 nearest_even (Rmult
                               (single_value result0) (single_value result1)))),
  forall (result2: single),
  forall (HW_10: (mul_single_post nearest_even result0 result1 result2)),
  (no_overflow_single
   nearest_even (Rminus (single_value result) (single_value result2))).
Proof.
admit.
(* FILL PROOF HERE *)
Save.


why-2.39/tests/c/array_max.c0000644000106100004300000000571413147234006014753 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

/*
COST Verification Competition. vladimir@cost-ic0701.org

Challenge 1: Maximum in an array

Given: A non-empty integer array a.

Verify that the index returned by the method max() given below points to
an element maximal in the array.

*/

/*@ requires len > 0 && \valid(a+(0..len-1));
  @ ensures 0 <= \result < len &&
  @   \forall integer i; 0 <= i < len ==> a[i] <= a[\result];
  @*/
int max(int *a, int len) {
  int x = 0;
  int y = len-1;
  /*@ loop invariant 0 <= x <= y < len &&
    @      \forall integer i;
    @         0 <= i < x || y < i < len ==>
    @         a[i] <= \max(a[x],a[y]);
    @ loop variant y - x;
    @*/
  while (x != y) {
    if (a[x] <= a[y]) x++;
    else y--;
  }
  return x;
}

/*
Local Variables:
compile-command: "make array_max.why3ide"
End:
*/

why-2.39/tests/c/sparse_array2.c0000644000106100004300000001150113147234006015534 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

typedef unsigned int size_t;
void *malloc(size_t size);
void *calloc(size_t nmemb, size_t size);

typedef unsigned int uint;

#define DEFAULT 0

typedef struct SparseArray {
  int *val;
  uint *idx, *back;
  uint n;
  uint sz; // inutile ?
} *sparse_array;

/*@ predicate is_elt{L}(sparse_array a, integer i) =
  @      0 <= a->idx[i] < a->n
  @   && a->back[a->idx[i]] == i
  @ ;
  @*/

/*@ axiomatic Model {
  @   logic integer model{L}(sparse_array a,integer i);
  @   axiom model_in: \forall sparse_array a, integer i;
  @     is_elt(a,i) ==> model(a,i) == a->val[i];
  @   axiom model_out: \forall sparse_array a, integer i;
  @     !is_elt(a,i) ==> model(a,i) == DEFAULT;
  @}
  @*/

/*@ predicate inv(sparse_array a) =
  @   \valid(a) &&
  @   0 <= a->n <= a-> sz &&
  @   \valid(a->val+(0..a->sz-1)) &&
  @   \valid(a->idx+(0..a->sz-1)) &&
  @   \valid(a->back+(0..a->sz-1)) &&
  @   \forall integer i; 0 <= i < a->n ==>  
  @      0 <= a->back[i] < a->sz && a->idx[a->back[i]] == i;
  @*/


/*@ requires sz >= 0;
  @ assigns \nothing;
  @ ensures \fresh(\result,sizeof(struct Sparse_array));
  @ ensures inv(\result);
  @ ensures \result->sz == sz;
  @ ensures \forall integer i; model(\result,i) == DEFAULT;
  @*/
sparse_array create(uint sz) {
  sparse_array a = (sparse_array)malloc(sizeof(struct SparseArray));
  a->val = (int*)calloc(sz,sizeof(int));
  a->idx = (uint*)calloc(sz,sizeof(uint));
  a->back = (uint*)calloc(sz,sizeof(uint));
  a->n = 0;
  a->sz = sz; // inutile ?
  return a;
}

/*@ requires \valid(a);
  @ requires inv(a);
  @ requires i <= a->sz - 1;
  @ assigns \nothing;
  @ ensures \result == model(a,i);
  @*/
int get(sparse_array a, uint i) {
  // note: 0 <= a->idx[i] holds because of type uint
  //@ assert 0 <= a->idx[i];
  if (a->idx[i] < a->n && 
      a->back[a->idx[i]] == i) return a->val[i];
  else return 0;
}

/*@ requires \valid(a);
  @ requires inv(a);
  @ requires i <= a->sz - 1;
  @ assigns a->val[i],a->idx[..],a->back[..], a->n;
  @ ensures inv(a);
  @ ensures model(a,i) == v;
  @ ensures \forall integer j; j != i ==> 
  @    model(a,j) == \old(model(a,j)); 
  @*/
void set(sparse_array a, uint i, int v) {
  a->val[i] = v;
  if (!(a->idx[i] < a->n && a-> back[a->idx[i]] == i)) {
    //@ assert a->n < a->sz;
    a->idx[i] = a->n; a->back[a->n] = i; a->n++;
  }
}



int main() {
  sparse_array a = create(10), b = create(20);
  int x,y;
  x = get(a,5); y = get(b,7);
  //@ assert x == 0 && y == 0;
  set(a,5,1); set(b,7,2);
  x = get(a,5); y = get(b,7);
  //@ assert x == 1 && y == 2;
  x = get(a,0); y = get(b,0);
  //@ assert x == 0 && y == 0;
  return 0;
}





/*
Local Variables:
compile-command: "make sparse_array2.why3ide"
End:
*/
why-2.39/tests/c/conjugate.c0000644000106100004300000001111713147234006014741 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

/*

  This was inspired by this article:

    Franck Butelle, Florent Hivert, Micaela Mayero, and Frédéric
    Toumazet. Formal Proof of SCHUR Conjugate Function. In Proceedings
    of Calculemus 2010, pages 158-171. Springer-Verlag LNAI, 2010.

  and an improvement made in Why3 (http://why3.lri.fr) by
  Jean-Christophe Filliatre

  Original C code from SCHUR

  Note that arrays are one-based
  (that code was translated from Pascal code where arrays were one-based)

*/

#define MAX 100

/*@ predicate is_partition(int *a) =
    // elements ranges between 0 and MAX-1
    (\forall integer i; 1 <= i < MAX ==> 0 <= a[i] < MAX-1) &&
    // sorted in non-increasing order
    (\forall integer i,j; 1 <= i <= j < MAX ==> a[i] >= a[j]) &&
    // at least one 0 sentinel
    a[MAX-1] == 0 ;

  predicate numofgt (int *a, integer n, integer v) =
    // values in a[1..n] are >= v, and a[n+1] < v
    0 <= n < MAX-1 &&
    (\forall integer j; 1 <= j <= n ==> v <= a[j]) &&
    v > a[n+1] ;

  predicate is_conjugate (int *a, int *b) =
    MAX > a[1] &&
    \forall integer j; 1 <= j < MAX ==> numofgt(a,b[j],j);

*/

/*@ requires \valid(A + (0 .. MAX-1));
  @ requires \valid(B + (0 .. MAX-1));
  @ // requires \forall integer i; 1 <= i < MAX ==> 1 <= A[i] < MAX-1;
  @ requires \forall integer k; 1 <= k < MAX ==> B[k] == 0;
  @ requires is_partition(A);
  @ assigns B[..];
  @ ensures is_conjugate(A,B);
  @*/
void conjgte (int A[MAX], int B[MAX]) {
  int i, partc = 1, edge = 0;
  /*@ loop invariant 1 <= partc < MAX;
    @ loop invariant \forall integer j;
    @   A[partc] < j <= A[1] ==> numofgt(A,B[j],j);
    @ loop invariant \forall integer j;
    @   A[1] < j < MAX ==> B[j] == 0;
    @ loop variant MAX - partc;
    @*/
  while (A[partc] != 0)
    Start: {
    edge = A[partc];
    /*@ loop invariant \at(partc,Start) <= partc < MAX-1;
      @ loop invariant \forall integer j;
      @    \at(partc,Start) <= j < partc ==> A[j] == edge;
      @ loop variant MAX - partc;
      @*/
    do
      partc = partc + 1;
    while (A[partc] == edge);
    /*@ loop invariant 1 <= i;
      @ loop invariant \forall integer j;
      @   edge < j < MAX ==> B[j] == \at(B[j],Start);
      @ loop invariant \forall integer j;
      @   A[partc] < j < i ==> B[j] == partc-1;
      @ loop variant edge-i;
      @*/
    for (i = A[partc] + 1; i <= edge; i++)
      B[i] = partc - 1;
  }
}


/*
Local Variables:
compile-command: "make conjugate.why3ide"
End:
*/
why-2.39/tests/c/duplets.c0000644000106100004300000001120013147234006014433 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

/*
COST Verification Competition. vladimir@cost-ic0701.org

Challenge 3: Two equal elements

Given: An integer array a of length n+2 with n>=2. It is known that at
least two values stored in the array appear twice (i.e., there are at
least two duplets).

Implement and verify a program finding such two values.

You may assume that the array contains values between 0 and n-1.
*/

#define NULL (void*)0

/* equality between an integer and a possibly null int* */
/*@ predicate eq_opt{L}(integer x, int *o) =
  @   o != \null && x == *o ;
  @*/

/* A duplet in array a is a pair of indexes (i,j) in the bounds of array
   a such that a[i] = a[j] */
/*@ predicate is_duplet{L}(int *a, integer len, integer i, integer j) =
  @    0 <= i < j < len && a[i] == a[j];
  @*/

/* duplet(a) returns the indexes (i,j) of a duplet in a.
 * moreover, if except is not null, the value of this duplet must
 * be different from it.
 */
/*@ requires 2 <= len &&
  @   \valid(a+(0..len-1)) && \valid(pi) && \valid(pj) &&
  @   ( except == \null || \valid(except)) &&
  @   \exists integer i,j;
  @     is_duplet(a,len,i,j) && ! eq_opt(a[i],except) ;
  @ assigns *pi,*pj;
  @ ensures
  @   is_duplet(a,len,*pi,*pj) &&
  @   ! eq_opt(a[*pi],except);
  @*/
void duplet(int *a, int len, int *except, int *pi, int *pj) {
  /*@ loop invariant 0 <= i <= len-1 &&
    @  \forall integer k,l; 0 <= k < i && k < l < len ==>
    @    ! eq_opt(a[k],except) ==> ! is_duplet(a,len,k,l);
    @ loop variant len - i;
    @*/
  for(int i=0; i <= len - 2; i++) {
    int v = a[i];
    if (except == NULL || *except != v) {
      /*@ loop invariant i+1 <= j <= len &&
        @   \forall integer l; i < l < j ==> ! is_duplet(a,len,i,l);
        @ loop variant len - j;
        @*/
      for (int j=i+1; j < len; j++) {
        if (a[j] == v) {
          *pi = i; *pj = j; return;
        }
      }
    }
  }
  // assert \forall integer i j; ! is_duplet(a,i,j);
  //@ assert \false;
}



/*@ requires 4 <= len &&
  @   \valid(a+(0..len-1)) && \valid(pi) && \valid(pj) &&
  @   \valid(pk) && \valid(pl) &&
  @   \exists integer i,j,k,l;
  @     is_duplet(a,len,i,j) && is_duplet(a,len,k,l) && a[i] != a[k];
  @ assigns *pi,*pj,*pk,*pl;
  @ ensures is_duplet(a,len,*pi,*pj) &&
  @   is_duplet(a,len,*pk,*pl) &&
  @   a[*pi] != a[*pk];
  @*/
void duplets(int a[], int len, int *pi, int *pj, int *pk, int *pl) {
  duplet(a,len,NULL,pi,pj);
  duplet(a,len,&a[*pi],pk,pl);
}


/*
Local Variables:
compile-command: "make duplets.why3ide"
End:
*/

why-2.39/tests/c/popHeap.c0000644000106100004300000002115113147234006014355 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

/**
Extract from
http://www.first.fraunhofer.de/fileadmin/FIRST/ACSL-by-Example.pdf
*/

#pragma SeparationPolicy(none)


typedef int bool;
#define false		((bool)0)
#define true		((bool)1)

typedef int value_type;

typedef int size_type; 




/*@
  predicate IsValidRange(value_type* a, integer n) =
    (0 <= n) && \valid(a+(0..n-1));
*/

/*@
  predicate
    IsEqual{A,B}(value_type* a, integer n, value_type* b) =
      \forall integer i; 0 <= i < n ==> 
        \at(a[i], A) == \at(b[i], B);
*/



/*@
  axiomatic ParentChildAxioms
  {
    predicate ParentChild(integer i, integer j);

    axiom ParentChild_1:
      \forall integer i, j; ParentChild(i, j) <==>
         0 <= i < j && (j == 2*i+1 || j == 2*i+2);

    axiom ParentChild_2:
      \forall integer i, j; ParentChild(i, j) <==>
        0 < j && i == (j-1)/2;
  }

  lemma ParentChild_3:
    \forall integer i; 0 < i ==>
      ParentChild((i-1)/2, i) && 0 <= (i-1)/2 < i;

  predicate IsHeap{L}(value_type* c, integer n) = 
    \forall integer i, j;
      j < n && ParentChild(i, j) ==> c[i] >= c[j];
*/

/*@
  predicate IsMaximum{L}(value_type* a, integer n, integer max) =
     \forall integer i; 0 <= i < n ==> a[max] >= a[i];

  predicate IsFirstMaximum{L}(value_type* a, integer max) =
    \forall integer i; 0 <= i < max ==> a[i] < a[max];
*/

/*@
  axiomatic CountAxiomatic
  {
    logic integer Count{L}(value_type* a, value_type v,
                           integer i, integer j) reads a[i..(j-1)];

    axiom Count0:
      \forall value_type *a, v, integer i,j;
        i >= j ==> Count(a, v, i, j) == 0;

    axiom Count1:
      \forall value_type *a, v, integer i, j, k;
        0 <= i <= j <= k ==> Count(a, v, i ,k) ==
                             Count(a, v, i, j) + Count(a, v, j, k);

    axiom Count2:
      \forall value_type *a, v, integer i;
        (a[i] != v ==> Count(a, v, i, i+1) == 0) &&
        (a[i] == v ==> Count(a, v, i, i+1) == 1);

  logic integer CountWithHole{L}(value_type* c, value_type v, integer i, integer h,  integer j) =
      Count{L}(c, v, i, h) + Count{L}(c, v, h+1, j);

  logic integer CountWithoutHole{L}(value_type* c, value_type v, integer i, integer h,  integer j) =
      Count{L}(c, v, i, h) + Count{L}(c, v, h, j);
  }

  lemma CountLemma: \forall value_type *a, v, integer i;
    0 <= i ==> Count(a, v, 0, i+1) ==
               Count(a, v, 0, i) + Count(a, v, i, i+1);
*/

/*@
  predicate
    Permutation{A,B}(value_type* c, size_type n) = 
      \forall value_type x; 
        Count{A}(c, x, 0, n) == Count{B}(c, x, 0, n);
*/

/*@
  requires 0 < n && IsValidRange(a, n);
  requires IsHeap(a, n);

  assigns \nothing;

  ensures \forall integer i; 0 <= i < n ==> a[0] >= a[i];
*/
void pop_heap_induction(const value_type* a, size_type n);


/*@
  requires 0 < n && IsValidRange(a, n);
  requires 0 <= parent < child < n;
  requires a[parent] == a[child];

  assigns \nothing;

  ensures \forall value_type x; 
    CountWithHole(a, x, 0, child, n) == CountWithHole(a, x, 0, parent, n);
*/
void pop_push_heap_copy(value_type* a, size_type n, size_type parent, size_type child);

#define INT_MAX			2147483647

/*@
   requires 0 < n <  (INT_MAX-2)/2;
   requires IsValidRange(a, n);
   requires IsHeap(a, n);

   assigns a[0..(n-1)];

   ensures IsHeap(a, n-1);
   ensures a[n-1] == \old(a[0]);
   ensures IsMaximum(a, n, n-1);
   ensures Permutation{Old, Here}(a, n);
*/
void pop_heap(value_type* a, size_type n);


void pop_heap(value_type* a, size_type n)
{
  //@ ghost pop_heap_induction(a,n);
  //@ assert \forall integer i; 0 < i < n ==> a[0] >= a[i];
  value_type tmp = 0, max = 0;
  size_type hole = 0;
  tmp = a[n-1];
  max  = a[0];
  /*@ assert \forall value_type x;
        CountWithHole(a,x,0,hole,n) == Count{Pre}(a,x,1,n);
  */
  /*@
     loop invariant 0 <= hole < n;
     loop invariant IsHeap(a,n-1);
     loop invariant \forall integer i; 0 <= i < n ==> a[i] <= max;
     loop invariant \forall integer i;
        hole < n-1 && ParentChild(i,hole) ==> a[i] >= tmp;
     loop invariant \forall value_type x;
        CountWithHole(a,x,0,hole,n) == Count{Pre}(a,x,1,n);
     loop invariant \at(a[n-1],Pre) == a[n-1];

     loop assigns a[0..hole],hole;
     loop   variant n - hole;
  */
  while (true)
  {
    size_type child = 2*hole + 2;
    if (child < n-1)
    {
      if (a[child] < a[child-1]) child--;
      //@ assert ParentChild(hole,child);
      if (a[child] > tmp)
      {
        //@ assert hole < n-1;
        a[hole] = a[child];
        //@ assert \at(a[n-1],Pre) == a[n-1];
        //@ ghost pop_push_heap_copy(a,n,hole,child);
        hole = child;
      }
      else break;
    }
    else
    {
      child = 2*hole + 1;
      if (child == n-2 && a[child] > tmp)
      {
        //@ assert hole < n-1;
        a[hole] = a[child];
        //@ assert \at(a[n-1],Pre) == a[n-1];
        //@ ghost pop_push_heap_copy(a,n,hole,child);
        hole = child;
      }
      break;
    }
  }
  /*@  assert \forall integer i;
    hole < n-1 && ParentChild(i,hole) ==> a[i] >= tmp;
  */

  a[hole] = tmp;
  /*@ assert \forall value_type x;
        CountWithHole(a,x,0,hole,n) == Count{Pre}(a,x,1,n);
  */
  //@ assert hole a[hole] ==tmp== \at(a[n-1],Pre) == a[n-1];
  /*@ assert \forall value_type x; hole < n-1 ==>
        Count(a,x,hole+1,(n-1)+1)==CountWithoutHole(a,x,hole+1,n-1,n);
  */

  /*@ assert \forall value_type x;
      (hole < n-1 ==> CountWithHole(a,x,0,hole,n) ==
        CountWithHole(a,x,0,hole,n-1) +  Count(a,x,n-1 ,(n-1)+1) ==
        CountWithoutHole(a,x,0,hole,hole+1) + Count(a,x,hole+1,n-1) ==
        CountWithoutHole(a,x,0,hole,n-1) ==
        Count(a,x,0,n-1)) &&
      (hole == n-1 ==> CountWithHole(a,x,0,hole,n) ==
        CountWithHole(a,x,0,n-1,n) == Count(a,x,0,n-1));
  */
  /*@ assert \forall value_type x; Count(a,x,0,n-1) ==
        CountWithHole(a,x,0,hole,n) == Count{Pre}(a,x,1,n);
  */

  a[n-1]  = max;
  /*@ assert \forall value_type x;
        Count(a,x,n-1,(n-1)+1) == Count{Pre}(a,x,0,1);
  */
  /*@ assert \forall value_type x; CountWithoutHole(a,x,0,n-1,n) 
        == CountWithoutHole{Pre}(a,x,0,1,n);
  */
  /*@ assert \forall value_type x;
        Count(a,x,0,n) == CountWithoutHole(a,x,0,n-1,n) ==
        CountWithoutHole{Pre}(a,x,0,1,n) == Count{Pre}(a,x,0,n);
  */
}



void pop_heap_induction(const value_type* a, size_type n)
{
  /*@
  loop invariant 0 <= i <= n;
  loop invariant  \forall integer j;
     0 <= j < i <= n ==> a[0] >= a[j];
  loop   variant n - i;
  */
  for (size_type i = 1; i < n; i++)
  {
    //@ assert 0 < i ==> ParentChild((i-1)/2, i);
  }
}



why-2.39/tests/c/binary_heap.c0000644000106100004300000000451713147234006015251 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

typedef unsigned int uint;

struct Heap;

typedef struct Heap *heap;

heap create(uint sz);

void insert(heap u, int e);

int extract_min(heap u);


why-2.39/tests/java/0000755000106100004300000000000013147234006013314 5ustar  marchevalswhy-2.39/tests/java/AllZeros.java0000644000106100004300000000537013147234006015717 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

class AllZeros {

    static int should_not_be_proved(int t[]) {
	return t.length;

    }


    /*@ requires t != null;
      @ ensures \result <==> 
      @      \forall integer i; 0 <= i < t.length ==> t[i] == 0; 
      @*/
    static boolean all_zeros(int t[]) {
	/*@ loop_invariant 
	  @  0 <= k <= t.length && 
	  @  \forall integer i; 0 <= i < k ==> t[i] == 0;
	  @ loop_variant t.length - k;
	  @*/
	for (int k = 0; k < t.length; k++) 
	    if (t[k] != 0) 
		return false;
	return true;
    }
}

/*
Local Variables:
compile-command: "make AllZeros.why3ide"
End:
*/


why-2.39/tests/java/Bug_sort_exns.java0000644000106100004300000000445413147234006017007 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

public class Bug_sort_exns {
    public static void exn() {
        throw new IllegalArgumentException();
    }
}
why-2.39/tests/java/Purse.java0000644000106100004300000000643513147234006015265 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

//@+ CheckArithOverflow = no


class NoCreditException extends Exception {

    public NoCreditException() { }

}

public class Purse {

    private int balance;
    //@ invariant balance_non_negative: balance >= 0;

    /*@ requires true;
      @ assigns balance;
      @ ensures balance == 0;
      @*/
    public Purse() {
        balance = 0;
    }

    /*@ requires s >= 0;
      @ assigns balance;
      @ ensures balance == \old(balance) + s;
      @*/
    public void credit(int s) {
        balance += s;
    }

    /*@ requires s >= 0;
      @ assigns balance;
      @ ensures s <= \old(balance) && balance == \old(balance) - s;
      @ behavior amount_too_large:
      @   assigns \nothing;
      @   signals (NoCreditException) s > \old(balance) ;
      @*/
    public void withdraw(int s) throws NoCreditException {
        if (balance >= s)
            balance = balance - s;
        else
            throw new NoCreditException();
    }

    //@ ensures \result == balance;
    public int getBalance() {
        return balance;
    }

}



/*
Local Variables:
compile-command: "make Purse.why3ide"
End:
*/


why-2.39/tests/java/Fact.java0000644000106100004300000000537313147234006015044 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

// int model: unbounded mathematical integers
//@+ CheckArithOverflow = no

/*@ inductive isfact(integer x, integer r) {
  @  case isfact0: isfact(0,1);
  @  case isfactn:
  @   \forall integer n r;
  @     n >= 1 && isfact(n-1,r) ==> isfact(n,r*n);
  @ }
  @*/

public class Fact {

    /*@ requires x >= 0;
      @ ensures isfact(x, \result);
      @*/
    public static int fact(int x) {
        int a = 0, y = 1;
        /*@ loop_invariant 0 <= a <= x && isfact(a,y);
          @ loop_variant x-a;
          @*/
        while (a < x) y = y * ++a;
        return y;
    }

}why-2.39/tests/java/Fresh.java0000644000106100004300000000475613147234006015242 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/


class Fresh {

    /*@ allocates \result;
      @ ensures \fresh(\result);
      @*/
    static Fresh create() {
        return new Fresh ();
    }

    void test () {
        Fresh f = create ();
        //@ assert this != f;
    }
}




/*
Local Variables:
compile-command: "make Fresh.why3ide"
End:
*/


why-2.39/tests/java/Power.java0000644000106100004300000000704513147234006015261 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/


// int model: unbounded mathematical integers
//@+ CheckArithOverflow = no


/*@ axiomatic Power {
  @   logic integer power(integer x, integer n);
  @   axiom power_0: \forall integer x; power(x,0) == 1;
  @   axiom power_s: \forall integer x n; power(x,n+1) == x*power(x,n);
  @ }
  @*/

/*@ lemma power_mul:
  @   \forall integer x y n; n >= 0 ==> power(x*y,n) == power(x,n)*power(y,n);
  @*/

/*@ lemma power_even:
  @   \forall integer x n; n >= 0 && n % 2 == 0 ==> power(x,n) == power(x*x,n/2);
  @*/

/*@ lemma power_odd:
  @   \forall integer x n; n >= 0 && n % 2 != 0 ==> power(x,n) == x*power(x*x,n/2);
  @*/


class Power {

    // recursive implementation

    /*@ requires 0 <= n;
      @ decreases n;
      @ ensures \result == power(x,n);
      @*/
    static long rec(long x, int n) {
        if ( n == 0) return 1;
        long r = rec(x, n/2);
        if ( n % 2 == 0 ) return r*r;
        return r*r*x;
    }


    // non-recursive implementation

    /*@ requires 0 <= n;
      @ ensures \result == power(x,n);
      @*/
    static long imp(long x, int n) {
        long r = 1, p = x;
        int e = n;

        /*@ loop_invariant
          @   0 <= e && r * power(p,e) == power(x,n);
          @ loop_variant e;
          @*/
        while (e > 0) {
            if (e % 2 != 0) r *= p;
            p *= p;
            e /= 2;
        }
        return r;
    }

}

why-2.39/tests/java/BinarySearch.java0000644000106100004300000001011313147234006016525 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

// RUNSIMPLIFY this tells regtests to run Simplify in this example

//+ CheckArithOverflow = yes

/* lemma mean_property1 :
  @   \forall integer x y; x <= y ==> x <= (x+y)/2 <= y;
  @*/

/* lemma mean_property2 :
  @   \forall integer x y; x <= y ==> x <= x+(y-x)/2 <= y;
  @*/

/* lemma div2_property :
  @   \forall integer x; 0 <= x ==> 0 <= x/2 <= x;
  @*/

/*@ predicate is_sorted{L}(int[] t) =
  @   t != null &&
  @   \forall integer i j;
  @     0 <= i && i <= j && j < t.length ==> t[i] <= t[j] ;
  @*/


class BinarySearch {

    /* binary_search(t,v) search for element v in array t
       between index 0 and t.length-1
       array t is assumed to be sorted in increasing order
       returns an index i between 0 and t.length-1 where t[i] equals v,
       or -1 if no element in t is equal to v
    */

    /*@ requires t != null;
      @ ensures -1 <= \result < t.length;
      @ behavior success:
      @   ensures \result >= 0 ==> t[\result] == v;
      @ behavior failure:
      @  assumes is_sorted(t);
      @  // assumes
      @  //   \forall integer k1 k2;
      @  //      0 <= k1 <= k2 <= t.length-1 ==> t[k1] <= t[k2];
      @  ensures \result == -1 ==>
      @    \forall integer k; 0 <= k < t.length ==> t[k] != v;
      @*/
    static int binary_search(int t[], int v) {
	int l = 0, u = t.length - 1;
	/*@ loop_invariant
	  @   0 <= l && u <= t.length - 1;
	  @ for failure:
	  @  loop_invariant
	  @    \forall integer k; 0 <= k < t.length ==> t[k] == v ==> l <= k <= u;
	  @ loop_variant
	  @   u-l ;
	  @*/
	while (l <= u ) {
	    int m;
            // wrong: m = (u + l) / 2;
            // fix: 
            m = l + (u - l) / 2;
            // the following assertion helps provers
            //@ assert l <= m <= u;
	    if (t[m] < v) l = m + 1;
	    else if (t[m] > v) u = m - 1;
	    else return m;
	}
	return -1;
    }

}

/*
Local Variables:
compile-command: "make BinarySearch.why3ide"
End:
*/


why-2.39/tests/java/MyCosine.java0000644000106100004300000000702313147234006015707 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

/*@ lemma method_error: \forall real x;
  @     \real_abs(x) <= 0x1p-5 ==> \real_abs(1.0 - x*x*0.5 - \cos(x)) <= 0x1p-24;
  @*/

class MyCosine {

/*@ requires \real_abs(x) <= 0x1p-5;
  @ ensures \real_abs(\result - \cos(x)) <= 0x1p-23;
  @*/
static float my_cos1(float x) {
  //@ assert \real_abs(1.0 - x*x*0.5 - \cos(x)) <= 0x1p-24;
  return 1.0f - x * x * 0.5f;
}

/* requires \real_abs(x) <= 0x1p-5 && \round_error(x) == 0.0;
  @ ensures \real_abs(\result - \cos(x)) <= 0x1p-23;
  @*/
static float my_cos2(float x) {
  // assert \exact(x) == x;
  float r = 1.0f - x * x * 0.5f;
  // assert \real_abs(\exact(r) - \cos(x)) <= 0x1p-24;
  return r;
}


/* requires \real_abs(\exact(x)) <= 0x1p-5
  @     && \round_error(x) <= 0x1p-20;
  @ ensures \real_abs(\exact(\result) - \cos(\exact(x))) <= 0x1p-24
  @     && \round_error(\result) <= \round_error(x) + 0x3p-24;
  @*/
static float my_cos3(float x) {
  float r = 1.0f - x * x * 0.5f;
  // assert \real_abs(\exact(r) - \cos(\exact(x))) <= 0x1p-24;  // by interval
  return r;
}

/*@ requires \real_abs(x) <= 0.07 ;
  @ ensures \real_abs(\result - \cos(x)) <= 0x1.3p-20;
  @*/
static float my_cos4(float x) {
  //@ assert \real_abs(x) <= 0x9.p-7;
  //@ assert \real_abs(1.0 - x*x*0.5 - \cos(x)) <= 0x1.2p-20;
  return 1.0f - x * x * 0.5f;
}

}


/*
Local Variables:
compile-command: "krakatoa MyCosine.java"
End:
*/


why-2.39/tests/java/bts15964.java0000644000106100004300000000441613147234006015365 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

class bts15964 {
        public void f() {
            Object x = null;
        }
}
why-2.39/tests/java/Gcd.java0000644000106100004300000001060213147234006014653 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

//@+ CheckArithOverflow = no

/* complements for non-linear integer arithmetic */

/*@ lemma distr_right:
  @   \forall integer x y z; x*(y+z) == (x*y)+(x*z);
  @*/

/*@ lemma distr_left:
  @   \forall integer x y z; (x+y)*z == (x*z)+(y*z);
  @*/

/*@ lemma distr_right_minus:
  @   \forall integer x y z; x*(y-z) == (x*y)-(x*z);
  @*/

/*@ lemma distr_left_minus:
  @   \forall integer x y z; (x-y)*z == (x*z)-(y*z);
  @*/

/*@ lemma mul_comm:
  @   \forall integer x y; x*y == y*x;
  @*/

/*@ lemma mul_assoc:
  @   \forall integer x y z; x*(y*z) == (x*y)*z;
  @*/

/*@ predicate divides(integer x, integer y) =
  @   \exists integer q; y == q*x ;
  @*/

/*@ lemma div_mod_property:
  @  \forall integer x y;
  @    x >=0 && y > 0 ==> x%y  == x - y*(x/y);
  @*/

/*@ lemma mod_property:
  @  \forall integer x y;
  @    x >=0 && y > 0 ==> 0 <= x%y && x%y < y;
  @*/

/*@ predicate isGcd(integer a, integer b, integer d) =
  @   divides(d,a) && divides(d,b) &&
  @     \forall integer z;
  @     divides(z,a) && divides(z,b) ==> divides(z,d) ;
  @*/

/*@ lemma gcd_zero :
  @   \forall integer a; isGcd(a,0,a) ;
  @*/

/*@ lemma gcd_property :
  @   \forall integer a b d;
  @      a >= 0 && b > 0 && isGcd(b,a % b,d) ==> isGcd(a,b,d) ;
  @*/

class Gcd {

    /*@ requires x >= 0 && y >= 0;
      @ behavior resultIsGcd:
      @   ensures isGcd(x,y,\result) ;
      @ behavior bezoutProperty:
      @   ensures \exists integer a b; a*x+b*y == \result;
      @*/
    static int gcd(int x, int y) {
        //@ ghost integer a = 1, b = 0, c = 0, d = 1;
        /*@ loop_invariant
          @    x >= 0 && y >= 0 &&
	  @    (\forall integer d ;  isGcd(x,y,d) ==>
	  @        \at(isGcd(x,y,d),Pre)) &&
          @    a*\at(x,Pre)+b*\at(y,Pre) == x &&
          @    c*\at(x,Pre)+d*\at(y,Pre) == y ;
          @ loop_variant y;
          @*/
        while (y > 0) {
            int r = x % y;
            //@ ghost integer q = x / y;
            x = y;
            y = r;
            //@ ghost integer ta = a, tb = b;
            //@ ghost a = c;
	    //@ ghost b = d;
            //@ ghost c = ta - c * q;
            //@ ghost d = tb - d * q;
        }
        return x;
    }

}




/*
Local Variables:
compile-command: "make Gcd.why3ide"
End:
*/

why-2.39/tests/java/BankingExample.java0000644000106100004300000000561513147234006017053 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

public class BankingExample
      {
      
         public static final int MAX_BALANCE = 1000; 
         private int balance;
         private boolean isLocked = false; 
      
         //@ invariant my_inv: balance >= 0 && balance <= MAX_BALANCE;
      
         /*@ assigns balance, isLocked;
           @ ensures balance == 0;
           @*/
         public BankingExample()
         {
             this.balance = 0;
         }
      
          /*@ requires 0 < amount && amount + balance < MAX_BALANCE;
            @ assigns balance;
            @ ensures balance == \old(balance) + amount;
            @*/
         public void credit(final int amount)
         {
             this.balance += amount;
         }
     }why-2.39/tests/java/Sort.java0000644000106100004300000001067613147234006015120 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

//@+ TerminationPolicy = user

//@+ CheckArithOverflow = no

/*@ predicate Sorted{L}(int a[], integer l, integer h) =
  @   \forall integer i; l <= i < h ==> a[i] <= a[i+1] ;
  @*/

/*@ predicate Swap{L1,L2}(int a[], integer i, integer j) =
  @   \at(a[i],L1) == \at(a[j],L2) &&
  @   \at(a[j],L1) == \at(a[i],L2) &&
  @   \forall integer k; k != i && k != j ==> \at(a[k],L1) == \at(a[k],L2);
  @*/

/*@ axiomatic Permut {
  @  predicate Permut{L1,L2}(int a[], integer l, integer h);
  @  axiom Permut_refl{L}:
  @   \forall int a[], integer l h; Permut{L,L}(a, l, h) ;
  @  axiom Permut_sym{L1,L2}:
  @    \forall int a[], integer l h;
  @      Permut{L1,L2}(a, l, h) ==> Permut{L2,L1}(a, l, h) ;
  @  axiom Permut_trans{L1,L2,L3}:
  @    \forall int a[], integer l h;
  @      Permut{L1,L2}(a, l, h) && Permut{L2,L3}(a, l, h) ==>
  @        Permut{L1,L3}(a, l, h) ;
  @  axiom Permut_swap{L1,L2}:
  @    \forall int a[], integer l h i j;
  @       l <= i <= h && l <= j <= h && Swap{L1,L2}(a, i, j) ==>
  @     Permut{L1,L2}(a, l, h) ;
  @ }
  @*/

class Sort {

    /*@ requires t != null &&
      @    0 <= i < t.length && 0 <= j < t.length;
      @ assigns t[i],t[j];
      @ ensures Swap{Old,Here}(t,i,j);
      @*/
    void swap(int t[], int i, int j) {
	int tmp = t[i];
	t[i] = t[j];
	t[j] = tmp;
    }

    /*@ requires t != null;
      @ behavior sorted:
      @   ensures Sorted(t,0,t.length-1);
      @ behavior permutation:
      @   ensures Permut{Old,Here}(t,0,t.length-1);
      @*/
    void min_sort(int t[]) {
	int i,j;
	int mi,mv;
	/*@ loop_invariant 0 <= i;
	  @ for sorted:
	  @  loop_invariant Sorted(t,0,i) &&
	  @   (\forall integer k1 k2 ;
	  @      0 <= k1 < i <= k2 < t.length ==> t[k1] <= t[k2]) ;
	  @ for permutation:
	  @   loop_invariant Permut{Pre,Here}(t,0,t.length-1);
	  @*/
	for (i=0; i t[k] >= mv);
	      @ for permutation:
	      @  loop_invariant Permut{Pre,Here}(t,0,t.length-1);
	      @*/
	    for (j=i+1; j < t.length; j++) {
		if (t[j] < mv) {
		    mi = j ; mv = t[j];
		}
	    }
	    swap(t,i,mi);
	}
    }

}
why-2.39/tests/java/Switch.java0000644000106100004300000000562713147234006015432 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

public class Switch {

    /*@ behavior normal:
      @   assigns \nothing;
      @   ensures (n==0 || n==1) <==> \result == 0;
      @*/
    public static int test1 (int n) {
	int r;
	switch(n) {
	case 0:
	case 1:
	    r = 0;
	    break;
	default:
	    r = 2;
	}
	return r;
    }

    /*@ behavior normal:
      @   assigns \nothing;
      @   ensures ((n==4 || n==7) <==> \result == 1) &&
      @            ((n==0 || n==1) <==> \result == 0);
      @*/
    public static int test2 (int n) {
	int r;
	switch(n) {
	case 0:
	case 1:
	    r = 0;
	    break;
	case 4:
	case 7:
	    r = 1;
	    break;
	case 12:
	default:
	case 26:
	    r = 2;
	}
	return r;
    }

}

/*
Local Variables:
compile-command: "make Switch.why3ide"
End:
*/

why-2.39/tests/java/FlagStatic.java0000644000106100004300000001033413147234006016201 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

/* Dijkstra's dutch flag */

//@+ CheckArithOverflow = no

/*@ predicate is_color(integer c) =
  @   c == FlagStatic.BLUE || c == FlagStatic.WHITE || c == FlagStatic.RED ;
  @*/

/*@ predicate is_color_array{L}(int t[]) =
  @   t != null &&
  @   \forall integer i; 0 <= i < t.length ==> is_color(t[i]) ;
  @*/

/*@ predicate is_monochrome{L}(int t[],integer i, integer j, int c) =
  @   \forall integer k; i <= k < j ==> t[k] == c ;
  @*/


class FlagStatic {

    public static final int BLUE = 1, WHITE = 2, RED = 3;

    /*@ requires t != null && 0 <= i <= j <= t.length ;
      @ behavior decides_monochromatic:
      @   ensures \result <==> is_monochrome(t,i,j,c);
      @*/
    public static boolean isMonochrome(int t[], int i, int j, int c) {
    	/*@ loop_invariant i <= k &&
	  @   (\forall integer l; i <= l < k ==> t[l]==c);
    	  @ loop_variant j - k;
	  @*/
	for (int k = i; k < j; k++) if (t[k] != c) return false;
	return true;
    }

    /*@ requires 0 <= i < t.length && 0 <= j < t.length;
      @ behavior i_j_swapped:
      @   assigns t[i],t[j];
      @   ensures t[i] == \old(t[j]) && t[j] == \old(t[i]);
      @*/
    private static void swap(int t[], int i, int j) {
	int z = t[i];
	t[i] = t[j];
	t[j] = z;
    }

    /*@ requires
      @   is_color_array(t);
      @ behavior sorts:
      @   ensures
      @     (\exists integer b r;
      @        is_monochrome(t,0,b,BLUE) &&
      @        is_monochrome(t,b,r,WHITE) &&
      @        is_monochrome(t,r,t.length,RED));
      @*/
    public static void flag(int t[]) {
	int b = 0;
	int i = 0;
	int r = t.length;
	/*@ loop_invariant
	  @   is_color_array(t) &&
	  @   0 <= b <= i <= r <= t.length &&
	  @   is_monochrome(t,0,b,BLUE) &&
	  @   is_monochrome(t,b,i,WHITE) &&
          @   is_monochrome(t,r,t.length,RED);
	  @ loop_variant r - i;
	  @*/
	while (i < r) {
	    switch (t[i]) {
	    case BLUE:
		swap(t,b++, i++);
		break;
	    case WHITE:
		i++;
		break;
	    case RED:
		swap(t,--r, i);
		break;
	    }
	}
    }
}



/*
Local Variables:
compile-command: "make FlagStatic.why3ide"
End:
*/
why-2.39/tests/java/BinarySearchWrong.java0000644000106100004300000001007113147234006017545 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

// RUNSIMPLIFY this tells regtests to run Simplify in this example

//+ CheckArithOverflow = yes

/* lemma mean_property1 :
  @   \forall integer x y; x <= y ==> x <= (x+y)/2 <= y;
  @*/

/* lemma mean_property2 :
  @   \forall integer x y; x <= y ==> x <= x+(y-x)/2 <= y;
  @*/

/* lemma div2_property :
  @   \forall integer x; 0 <= x ==> 0 <= x/2 <= x;
  @*/

/*@ predicate is_sorted{L}(int[] t) =
  @   t != null &&
  @   \forall integer i j;
  @     0 <= i && i <= j && j < t.length ==> t[i] <= t[j] ;
  @*/


class BinarySearch {

    /* binary_search(t,v) search for element v in array t
       between index 0 and t.length-1
       array t is assumed to be sorted in increasing order
       returns an index i between 0 and t.length-1 where t[i] equals v,
       or -1 if no element in t is equal to v
    */

    /*@ requires t != null;
      @ ensures -1 <= \result < t.length;
      @ behavior success:
      @   ensures \result >= 0 ==> t[\result] == v;
      @ behavior failure:
      @  assumes is_sorted(t);
      @  // assumes
      @  //   \forall integer k1 k2;
      @  //      0 <= k1 <= k2 <= t.length-1 ==> t[k1] <= t[k2];
      @  ensures \result == -1 ==>
      @    \forall integer k; 0 <= k < t.length ==> t[k] != v;
      @*/
    static int binary_search(int t[], int v) {
	int l = 0, u = t.length - 1;
	/*@ loop_invariant
	  @   0 <= l && u <= t.length - 1;
	  @ for failure:
	  @  loop_invariant
	  @    \forall integer k; 0 <= k < t.length ==> t[k] == v ==> l <= k <= u;
	  @ loop_variant
	  @   u-l ;
	  @*/
	while (l <= u ) {
	    int m;
            m = (u + l) / 2;
            // fix: m = l + (u - l) / 2;
            // the following assertion helps provers
            //@ assert l <= m <= u;
	    if (t[m] < v) l = m + 1;
	    else if (t[m] > v) u = m - 1;
	    else return m;
	}
	return -1;
    }

}

/*
Local Variables:
compile-command: "make BinarySearchWrong.why3ide"
End:
*/


why-2.39/tests/java/Termination.java0000644000106100004300000000517013147234006016453 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

//@+ CheckArithOverflow = no

class Termination {

    void loop1(int n) { 
	//@ loop_variant n;
	while (n > 0) n--; 
    }

    void loop2(int n) { 
	//@ loop_variant 100-n;
	while (n < 100) n++; 
    }

    //@ ensures \result == 0;
    int loop3() {
	int i = 100;
	/*@ loop_invariant 0 <= i <= 100;
	  @ loop_variant i;
	  @*/
	while (i > 0) i--;
	return i;
    }

}


/*
Local Variables:
compile-command: "make Termination.why3ide"
End:
*/


why-2.39/tests/java/SelectionSort.java0000644000106100004300000001116713147234006016762 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

/*@ predicate Sorted{L}(int a[], integer l, integer h) =
  @   \forall integer i j; l <= i <= j < h ==> a[i] <= a[j] ;
  @*/

/*@ predicate Swap{L1,L2}(int a[], integer i, integer j) =
  @   \at(a[i],L1) == \at(a[j],L2) &&
  @   \at(a[j],L1) == \at(a[i],L2) &&
  @   \forall integer k; k != i && k != j ==> \at(a[k],L1) == \at(a[k],L2);
  @*/

/*@ inductive Permut{L1,L2}(int a[], integer l, integer h) {
  @  case Permut_refl{L}: 
  @   \forall int a[], integer l h; Permut{L,L}(a, l, h) ;
  @  case Permut_sym{L1,L2}: 
  @    \forall int a[], integer l h; 
  @      Permut{L1,L2}(a, l, h) ==> Permut{L2,L1}(a, l, h) ;
  @  case Permut_trans{L1,L2,L3}: 
  @    \forall int a[], integer l h; 
  @      Permut{L1,L2}(a, l, h) && Permut{L2,L3}(a, l, h) ==> 
  @        Permut{L1,L3}(a, l, h) ;
  @  case Permut_swap{L1,L2}: 
  @    \forall int a[], integer l h i j; 
  @       l <= i <= h && l <= j <= h && Swap{L1,L2}(a, i, j) ==> 
  @     Permut{L1,L2}(a, l, h) ;
  @ }
  @*/

class SelectionSort {

    /*@ requires t != null && 
      @    0 <= i < t.length && 0 <= j < t.length;
      @ assigns t[i],t[j];
      @ ensures Swap{Old,Here}(t,i,j);
      @*/
    void swap(int t[], int i, int j) {
	int tmp = t[i];
	t[i] = t[j];
	t[j] = tmp;
    }
    
    /*@ requires t != null;
      @ behavior sorted:
      @   ensures Sorted(t,0,t.length);
      @ behavior permutation:
      @   ensures Permut{Old,Here}(t,0,t.length-1);
      @*/
    void sort(int t[]) {
	int i,j;
	int mi,mv;
	/*@ loop_invariant 0 <= i;
	  @ for sorted: 
	  @  loop_invariant Sorted(t,0,i) && 
	  @   (\forall integer k1 k2 ; 
	  @      0 <= k1 < i <= k2 < t.length ==> t[k1] <= t[k2]) ;
	  @ for permutation:
	  @   loop_invariant Permut{Pre,Here}(t,0,t.length-1);
	  @ loop_variant t.length - i;
	  @*/
	for (i=0; i t[k] >= mv);
	      @ // useless ! for permutation:
	      @ // loop_invariant Permut{Pre,Here}(t,0,t.length-1);
	      @ loop_variant t.length - j;
	      @*/
	    for (j=i+1; j < t.length; j++) {
		if (t[j] < mv) { 
		    mi = j ; mv = t[j]; 
		}
	    }
	    Before: 
	    swap(t,i,mi);
	    //@ for permutation: assert Permut{Before,Here}(t,0,t.length-1);
	}
    }

}



/*
Local Variables:
compile-command: "make SelectionSort.why3ide"
End:
*/


why-2.39/tests/java/MacCarthy.java0000644000106100004300000000523613147234006016040 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/


/* McCarthy's ``91'' function. */

public class MacCarthy {

    /*@ decreases 101-n ;
      @ behavior less_than_101:
      @   assumes n <= 100;
      @   ensures \result == 91;
      @ behavior greater_than_100:
      @   assumes n >= 101;
      @   ensures \result == n - 10;
      @*/
    public static int f91(int n) {
	if (n <= 100) {
	    return f91(f91(n + 11));
	}
	else
	    return n - 10;
    }

}

/*
Local Variables:
compile-command: "make MacCarthy.why3ide"
End:
*/


why-2.39/tests/java/coq/0000755000106100004300000000000013147234006014076 5ustar  marchevalswhy-2.39/tests/java/coq/Fibonacci_why.v0000644000106100004300000003666313147234006017047 0ustar  marchevals(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)
Require Export jessie_why.

(*Why type*) Definition Object: Set.
Admitted.

(*Why type*) Definition interface: Set.
Admitted.

(*Why logic*) Definition Exception_tag : (tag_id Object).
Admitted.

(*Why logic*) Definition Object_tag : (tag_id Object).
Admitted.

(*Why axiom*) Lemma Exception_parenttag_Object :
  (parenttag Exception_tag Object_tag).
Admitted.

(*Why logic*) Definition Fibonacci_tag : (tag_id Object).
Admitted.

(*Why axiom*) Lemma Fibonacci_parenttag_Object :
  (parenttag Fibonacci_tag Object_tag).
Admitted.

(*Why predicate*) Definition Non_null_Object  (x_0:(pointer Object)) (Object_alloc_table:(alloc_table Object))
  := (offset_max Object_alloc_table x_0) >= 0.

(*Why axiom*) Lemma Object_int : (int_of_tag Object_tag) = 1.
Admitted.

(*Why logic*) Definition Object_of_pointer_address :
  (pointer unit) -> (pointer Object).
Admitted.

(*Why axiom*) Lemma Object_of_pointer_address_of_pointer_addr :
  (forall (p:(pointer Object)),
   p = (Object_of_pointer_address (pointer_address p))).
Admitted.

(*Why axiom*) Lemma Object_parenttag_bottom :
  (parenttag Object_tag (@bottom_tag Object)).
Admitted.

(*Why axiom*) Lemma Object_tags :
  (forall (x:(pointer Object)),
   (forall (Object_tag_table:(tag_table Object)),
    (instanceof Object_tag_table x Object_tag))).
Admitted.

(*Why logic*) Definition String_tag : (tag_id Object).
Admitted.

(*Why axiom*) Lemma String_parenttag_Object :
  (parenttag String_tag Object_tag).
Admitted.

(*Why logic*) Definition Throwable_tag : (tag_id Object).
Admitted.

(*Why axiom*) Lemma Throwable_parenttag_Object :
  (parenttag Throwable_tag Object_tag).
Admitted.


(*Why logic*) Definition interface_tag : (tag_id interface).
Admitted.

(*Why axiom*) Lemma interface_int : (int_of_tag interface_tag) = 1.
Admitted.

(*Why logic*) Definition interface_of_pointer_address :
  (pointer unit) -> (pointer interface).
Admitted.

(*Why axiom*) Lemma interface_of_pointer_address_of_pointer_addr :
  (forall (p:(pointer interface)),
   p = (interface_of_pointer_address (pointer_address p))).
Admitted.

(*Why axiom*) Lemma interface_parenttag_bottom :
  (parenttag interface_tag (@bottom_tag interface)).
Admitted.

(*Why axiom*) Lemma interface_tags :
  (forall (x:(pointer interface)),
   (forall (interface_tag_table:(tag_table interface)),
    (instanceof interface_tag_table x interface_tag))).
Admitted.

(*Why inductive*) Inductive isfib  : Z -> Z -> Prop 
  := | isfib0 : (isfib 0 0)
     
     | isfib1 : (isfib 1 1)
     
     | isfibn : (forall (n:Z),
                 (forall (r_0:Z),
                  (forall (p:Z),
                   (n >= 2 /\ (isfib (n - 2) r_0) /\ (isfib (n - 1) p) ->
                    (isfib n (p + r_0))))))
     .

(*Why predicate*) Definition left_valid_struct_Object  (p:(pointer Object)) (a:Z) (Object_alloc_table:(alloc_table Object))
  := (offset_min Object_alloc_table p) <= a.

(*Why predicate*) Definition left_valid_struct_Exception  (p:(pointer Object)) (a:Z) (Object_alloc_table:(alloc_table Object))
  := (left_valid_struct_Object p a Object_alloc_table).

(*Why predicate*) Definition left_valid_struct_Fibonacci  (p:(pointer Object)) (a:Z) (Object_alloc_table:(alloc_table Object))
  := (left_valid_struct_Object p a Object_alloc_table).

(*Why predicate*) Definition left_valid_struct_String  (p:(pointer Object)) (a:Z) (Object_alloc_table:(alloc_table Object))
  := (left_valid_struct_Object p a Object_alloc_table).

(*Why predicate*) Definition left_valid_struct_Throwable  (p:(pointer Object)) (a:Z) (Object_alloc_table:(alloc_table Object))
  := (left_valid_struct_Object p a Object_alloc_table).

(*Why predicate*) Definition left_valid_struct_interface  (p:(pointer interface)) (a:Z) (interface_alloc_table:(alloc_table interface))
  := (offset_min interface_alloc_table p) <= a.

(*Why axiom*) Lemma pointer_addr_of_Object_of_pointer_address :
  (forall (p:(pointer unit)),
   p = (pointer_address (Object_of_pointer_address p))).
Admitted.

(*Why axiom*) Lemma pointer_addr_of_interface_of_pointer_address :
  (forall (p:(pointer unit)),
   p = (pointer_address (interface_of_pointer_address p))).
Admitted.

(*Why predicate*) Definition right_valid_struct_Object  (p:(pointer Object)) (b:Z) (Object_alloc_table:(alloc_table Object))
  := (offset_max Object_alloc_table p) >= b.

(*Why predicate*) Definition right_valid_struct_Exception  (p:(pointer Object)) (b:Z) (Object_alloc_table:(alloc_table Object))
  := (right_valid_struct_Object p b Object_alloc_table).

(*Why predicate*) Definition right_valid_struct_Fibonacci  (p:(pointer Object)) (b:Z) (Object_alloc_table:(alloc_table Object))
  := (right_valid_struct_Object p b Object_alloc_table).

(*Why predicate*) Definition right_valid_struct_String  (p:(pointer Object)) (b:Z) (Object_alloc_table:(alloc_table Object))
  := (right_valid_struct_Object p b Object_alloc_table).

(*Why predicate*) Definition right_valid_struct_Throwable  (p:(pointer Object)) (b:Z) (Object_alloc_table:(alloc_table Object))
  := (right_valid_struct_Object p b Object_alloc_table).

(*Why predicate*) Definition right_valid_struct_interface  (p:(pointer interface)) (b:Z) (interface_alloc_table:(alloc_table interface))
  := (offset_max interface_alloc_table p) >= b.

(*Why predicate*) Definition strict_valid_root_Object  (p:(pointer Object)) (a:Z) (b:Z) (Object_alloc_table:(alloc_table Object))
  := (offset_min Object_alloc_table p) = a /\
     (offset_max Object_alloc_table p) = b.

(*Why predicate*) Definition strict_valid_root_interface  (p:(pointer interface)) (a:Z) (b:Z) (interface_alloc_table:(alloc_table interface))
  := (offset_min interface_alloc_table p) = a /\
     (offset_max interface_alloc_table p) = b.

(*Why predicate*) Definition strict_valid_struct_Object  (p:(pointer Object)) (a:Z) (b:Z) (Object_alloc_table:(alloc_table Object))
  := (offset_min Object_alloc_table p) = a /\
     (offset_max Object_alloc_table p) = b.

(*Why predicate*) Definition strict_valid_struct_Exception  (p:(pointer Object)) (a:Z) (b:Z) (Object_alloc_table:(alloc_table Object))
  := (strict_valid_struct_Object p a b Object_alloc_table).

(*Why predicate*) Definition strict_valid_struct_Fibonacci  (p:(pointer Object)) (a:Z) (b:Z) (Object_alloc_table:(alloc_table Object))
  := (strict_valid_struct_Object p a b Object_alloc_table).

(*Why predicate*) Definition strict_valid_struct_String  (p:(pointer Object)) (a:Z) (b:Z) (Object_alloc_table:(alloc_table Object))
  := (strict_valid_struct_Object p a b Object_alloc_table).

(*Why predicate*) Definition strict_valid_struct_Throwable  (p:(pointer Object)) (a:Z) (b:Z) (Object_alloc_table:(alloc_table Object))
  := (strict_valid_struct_Object p a b Object_alloc_table).

(*Why predicate*) Definition strict_valid_struct_interface  (p:(pointer interface)) (a:Z) (b:Z) (interface_alloc_table:(alloc_table interface))
  := (offset_min interface_alloc_table p) = a /\
     (offset_max interface_alloc_table p) = b.







(*Why predicate*) Definition valid_root_Object  (p:(pointer Object)) (a:Z) (b:Z) (Object_alloc_table:(alloc_table Object))
  := (offset_min Object_alloc_table p) <= a /\
     (offset_max Object_alloc_table p) >= b.

(*Why predicate*) Definition valid_root_interface  (p:(pointer interface)) (a:Z) (b:Z) (interface_alloc_table:(alloc_table interface))
  := (offset_min interface_alloc_table p) <= a /\
     (offset_max interface_alloc_table p) >= b.

(*Why predicate*) Definition valid_struct_Object  (p:(pointer Object)) (a:Z) (b:Z) (Object_alloc_table:(alloc_table Object))
  := (offset_min Object_alloc_table p) <= a /\
     (offset_max Object_alloc_table p) >= b.

(*Why predicate*) Definition valid_struct_Exception  (p:(pointer Object)) (a:Z) (b:Z) (Object_alloc_table:(alloc_table Object))
  := (valid_struct_Object p a b Object_alloc_table).

(*Why predicate*) Definition valid_struct_Fibonacci  (p:(pointer Object)) (a:Z) (b:Z) (Object_alloc_table:(alloc_table Object))
  := (valid_struct_Object p a b Object_alloc_table).

(*Why predicate*) Definition valid_struct_String  (p:(pointer Object)) (a:Z) (b:Z) (Object_alloc_table:(alloc_table Object))
  := (valid_struct_Object p a b Object_alloc_table).

(*Why predicate*) Definition valid_struct_Throwable  (p:(pointer Object)) (a:Z) (b:Z) (Object_alloc_table:(alloc_table Object))
  := (valid_struct_Object p a b Object_alloc_table).

(*Why predicate*) Definition valid_struct_interface  (p:(pointer interface)) (a:Z) (b:Z) (interface_alloc_table:(alloc_table interface))
  := (offset_min interface_alloc_table p) <= a /\
     (offset_max interface_alloc_table p) >= b.

(* Why obligation from file "Fibonacci.java", line 46, characters 10-19: *)
(*Why goal*) Lemma isfib_2_1 : 
  (isfib 2 1).
Proof.
apply isfibn with (r_0:=0) (p:=1); intuition.
apply isfib0.
apply isfib1.
Save.

(* Why obligation from file "Fibonacci.java", line 47, characters 10-19: *)
(*Why goal*) Lemma isfib_6_8 : 
  (isfib 6 8).
Proof.
assert (isfib3: isfib 3 2).
apply isfibn with (r_0:=1) (p:=1); intuition.
apply isfib1.
apply isfib_2_1.
assert (isfib4: isfib 4 3).
apply isfibn with (r_0:=1) (p:=2); intuition.
apply isfib_2_1.
assert (isfib5: isfib 5 5).
apply isfibn with (r_0:=2) (p:=3); intuition.
apply isfibn with (r_0:=3) (p:=5); intuition.
Save.

(* Why obligation from file "Fibonacci.java", line 50, characters 10-23: *)
(*Why goal*) Lemma not_isfib_2_2 : 
  ~(isfib 2 2).
Proof.
intro h; inversion h; intuition.
replace (p + r_0 - (p + r_0)) with 0 in H1 by omega.
inversion H1; auto with zarith.
assert (p=2) by omega.
subst.
replace (2 + 0 - 1) with 1 in H4 by omega.
inversion H4; auto with zarith.
Save.




































(* Why obligation from file "Fibonacci.java", line 60, characters 20-26: *)
(*Why goal*) Lemma Fibonacci_Fib_ensures_default_po_1 : 
  forall (n_0: Z),
  forall (HW_1: (* JC_29 *) n_0 >= 0),
  (* JC_48 *) (* JC_44 *) 0 <= 0.
Proof.
intuition.
Save.

(* Why obligation from file "Fibonacci.java", line 60, characters 25-31: *)
(*Why goal*) Lemma Fibonacci_Fib_ensures_default_po_2 : 
  forall (n_0: Z),
  forall (HW_1: (* JC_29 *) n_0 >= 0),
  (* JC_48 *) (* JC_45 *) 0 <= n_0.
Proof.
intuition.
Save.

(* Why obligation from file "Fibonacci.java", line 60, characters 35-47: *)
(*Why goal*) Lemma Fibonacci_Fib_ensures_default_po_3 : 
  forall (n_0: Z),
  forall (HW_1: (* JC_29 *) n_0 >= 0),
  (* JC_48 *) (* JC_46 *) (isfib (0 + 1) 1).
Proof.
intros; apply isfib1.
Save.

(* Why obligation from file "Fibonacci.java", line 60, characters 51-61: *)
(*Why goal*) Lemma Fibonacci_Fib_ensures_default_po_4 : 
  forall (n_0: Z),
  forall (HW_1: (* JC_29 *) n_0 >= 0),
  (* JC_48 *) (* JC_47 *) (isfib 0 0).
Proof.
intros; apply isfib0.
Save.

(* Why obligation from file "Fibonacci.java", line 60, characters 20-26: *)
(*Why goal*) Lemma Fibonacci_Fib_ensures_default_po_5 : 
  forall (n_0: Z),
  forall (HW_1: (* JC_29 *) n_0 >= 0),
  forall (i: Z),
  forall (x_0_0: Z),
  forall (y: Z),
  forall (HW_4: (* JC_48 *) ((* JC_44 *) 0 <= i /\ (* JC_45 *) i <= n_0 /\
                (* JC_46 *) (isfib (i + 1) x_0_0) /\ (* JC_47 *) (isfib i y))),
  forall (HW_6: i < n_0),
  forall (aux: Z),
  forall (HW_7: aux = y),
  forall (y0: Z),
  forall (HW_8: y0 = x_0_0),
  forall (x_0_0_0: Z),
  forall (HW_9: x_0_0_0 = (x_0_0 + aux)),
  forall (i0: Z),
  forall (HW_10: i0 = (i + 1)),
  (* JC_48 *) (* JC_44 *) 0 <= i0.
Proof.
intuition.
Save.

(* Why obligation from file "Fibonacci.java", line 60, characters 25-31: *)
(*Why goal*) Lemma Fibonacci_Fib_ensures_default_po_6 : 
  forall (n_0: Z),
  forall (HW_1: (* JC_29 *) n_0 >= 0),
  forall (i: Z),
  forall (x_0_0: Z),
  forall (y: Z),
  forall (HW_4: (* JC_48 *) ((* JC_44 *) 0 <= i /\ (* JC_45 *) i <= n_0 /\
                (* JC_46 *) (isfib (i + 1) x_0_0) /\ (* JC_47 *) (isfib i y))),
  forall (HW_6: i < n_0),
  forall (aux: Z),
  forall (HW_7: aux = y),
  forall (y0: Z),
  forall (HW_8: y0 = x_0_0),
  forall (x_0_0_0: Z),
  forall (HW_9: x_0_0_0 = (x_0_0 + aux)),
  forall (i0: Z),
  forall (HW_10: i0 = (i + 1)),
  (* JC_48 *) (* JC_45 *) i0 <= n_0.
Proof.
intuition.
Save.

(* Why obligation from file "Fibonacci.java", line 60, characters 35-47: *)
(*Why goal*) Lemma Fibonacci_Fib_ensures_default_po_7 : 
  forall (n_0: Z),
  forall (HW_1: (* JC_29 *) n_0 >= 0),
  forall (i: Z),
  forall (x_0_0: Z),
  forall (y: Z),
  forall (HW_4: (* JC_48 *) ((* JC_44 *) 0 <= i /\ (* JC_45 *) i <= n_0 /\
                (* JC_46 *) (isfib (i + 1) x_0_0) /\ (* JC_47 *) (isfib i y))),
  forall (HW_6: i < n_0),
  forall (aux: Z),
  forall (HW_7: aux = y),
  forall (y0: Z),
  forall (HW_8: y0 = x_0_0),
  forall (x_0_0_0: Z),
  forall (HW_9: x_0_0_0 = (x_0_0 + aux)),
  forall (i0: Z),
  forall (HW_10: i0 = (i + 1)),
  (* JC_48 *) (* JC_46 *) (isfib (i0 + 1) x_0_0_0).
Proof.
intuition;subst; auto.
apply isfibn; intuition.
replace (i+1+1-2) with i; auto with zarith.
replace (i+1+1-1) with (i+1); auto with zarith.
Save.

(* Why obligation from file "Fibonacci.java", line 60, characters 51-61: *)
(*Why goal*) Lemma Fibonacci_Fib_ensures_default_po_8 : 
  forall (n_0: Z),
  forall (HW_1: (* JC_29 *) n_0 >= 0),
  forall (i: Z),
  forall (x_0_0: Z),
  forall (y: Z),
  forall (HW_4: (* JC_48 *) ((* JC_44 *) 0 <= i /\ (* JC_45 *) i <= n_0 /\
                (* JC_46 *) (isfib (i + 1) x_0_0) /\ (* JC_47 *) (isfib i y))),
  forall (HW_6: i < n_0),
  forall (aux: Z),
  forall (HW_7: aux = y),
  forall (y0: Z),
  forall (HW_8: y0 = x_0_0),
  forall (x_0_0_0: Z),
  forall (HW_9: x_0_0_0 = (x_0_0 + aux)),
  forall (i0: Z),
  forall (HW_10: i0 = (i + 1)),
  (* JC_48 *) (* JC_47 *) (isfib i0 y0).
Proof.
intuition; subst; auto.
Save.

(* Why obligation from file "Fibonacci.java", line 55, characters 16-33: *)
(*Why goal*) Lemma Fibonacci_Fib_ensures_default_po_9 : 
  forall (n_0: Z),
  forall (HW_1: (* JC_29 *) n_0 >= 0),
  forall (i: Z),
  forall (x_0_0: Z),
  forall (y: Z),
  forall (HW_4: (* JC_48 *) ((* JC_44 *) 0 <= i /\ (* JC_45 *) i <= n_0 /\
                (* JC_46 *) (isfib (i + 1) x_0_0) /\ (* JC_47 *) (isfib i y))),
  forall (HW_11: i >= n_0),
  forall (why__return: Z),
  forall (HW_12: why__return = y),
  (* JC_31 *) (isfib n_0 why__return).
Proof.
intuition.
assert (i=n_0) by omega.
subst; auto.
Save.

(* Why obligation from file "Fibonacci.java", line 61, characters 18-21: *)
(*Why goal*) Lemma Fibonacci_Fib_safety_po_1 : 
  forall (n_0: Z),
  forall (HW_1: (* JC_29 *) n_0 >= 0),
  forall (i: Z),
  forall (x_0_0: Z),
  forall (y: Z),
  forall (HW_4: (* JC_41 *) True),
  forall (HW_5: (* JC_39 *) ((* JC_35 *) 0 <= i /\ (* JC_36 *) i <= n_0 /\
                (* JC_37 *) (isfib (i + 1) x_0_0) /\ (* JC_38 *) (isfib i y))),
  forall (HW_6: i < n_0),
  forall (aux: Z),
  forall (HW_7: aux = y),
  forall (y0: Z),
  forall (HW_8: y0 = x_0_0),
  forall (x_0_0_0: Z),
  forall (HW_9: x_0_0_0 = (x_0_0 + aux)),
  forall (i0: Z),
  forall (HW_10: i0 = (i + 1)),
  0 <= ((* JC_43 *) (n_0 - i)).
Proof.
intuition.
Save.

(* Why obligation from file "Fibonacci.java", line 61, characters 18-21: *)
(*Why goal*) Lemma Fibonacci_Fib_safety_po_2 : 
  forall (n_0: Z),
  forall (HW_1: (* JC_29 *) n_0 >= 0),
  forall (i: Z),
  forall (x_0_0: Z),
  forall (y: Z),
  forall (HW_4: (* JC_41 *) True),
  forall (HW_5: (* JC_39 *) ((* JC_35 *) 0 <= i /\ (* JC_36 *) i <= n_0 /\
                (* JC_37 *) (isfib (i + 1) x_0_0) /\ (* JC_38 *) (isfib i y))),
  forall (HW_6: i < n_0),
  forall (aux: Z),
  forall (HW_7: aux = y),
  forall (y0: Z),
  forall (HW_8: y0 = x_0_0),
  forall (x_0_0_0: Z),
  forall (HW_9: x_0_0_0 = (x_0_0 + aux)),
  forall (i0: Z),
  forall (HW_10: i0 = (i + 1)),
  ((* JC_43 *) (n_0 - i0)) < ((* JC_43 *) (n_0 - i)).
Proof.
intuition.
Save.

why-2.39/tests/java/Sort2.java0000644000106100004300000001037013147234006015171 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/



//@+ TerminationPolicy = user

//@+ CheckArithOverflow = no

/*@ predicate Sorted{L}(int a[], integer l, integer h) =
  @   \forall integer i; l <= i < h ==> a[i] <= a[i+1] ;
  @*/

/*@ predicate Swap{L1,L2}(int a[], integer i, integer j) =
  @   \at(a[i],L1) == \at(a[j],L2) &&
  @   \at(a[j],L1) == \at(a[i],L2) &&
  @   \forall integer k; k != i && k != j ==> \at(a[k],L1) == \at(a[k],L2);
  @*/

/*@ axiomatic Permut {
  @  predicate Permut{L1,L2}(int a[], integer l, integer h);
  @  axiom Permut_refl{L}: 
  @   \forall int a[], integer l h; Permut{L,L}(a, l, h) ;
  @  axiom Permut_sym{L1,L2}: 
  @    \forall int a[], integer l h; 
  @      Permut{L1,L2}(a, l, h) ==> Permut{L2,L1}(a, l, h) ;
  @  axiom Permut_trans{L1,L2,L3}: 
  @    \forall int a[], integer l h; 
  @      Permut{L1,L2}(a, l, h) && Permut{L2,L3}(a, l, h) ==> 
  @        Permut{L1,L3}(a, l, h) ;
  @  axiom Permut_swap{L1,L2}: 
  @    \forall int a[], integer l h i j; 
  @       l <= i <= h && l <= j <= h && Swap{L1,L2}(a, i, j) ==> 
  @     Permut{L1,L2}(a, l, h) ;
  @ }
  @*/

class Sort {

    /*@ requires t != null && 
      @    0 <= i < t.length && 0 <= j < t.length;
      @ assigns t[i],t[j];
      @ ensures Swap{Old,Here}(t,i,j);
      @*/
    void swap(int t[], int i, int j) {
	int tmp = t[i];
	t[i] = t[j];
	t[j] = tmp;
    }
    
    /*@ requires t != null;
      @ ensures Sorted(t,0,t.length-1) && Permut{Old,Here}(t,0,t.length-1);
      @*/
    void min_sort(int t[]) {
	int i,j;
	int mi,mv;
	/*@ loop_invariant 0 <= i && Sorted(t,0,i) && 
	  @   (\forall integer k1 k2 ; 
	  @      0 <= k1 < i <= k2 < t.length ==> t[k1] <= t[k2]) &&
	  @     Permut{Pre,Here}(t,0,t.length-1);
	  @*/
	for (i=0; i t[k] >= mv) &&
	      @ Permut{Pre,Here}(t,0,t.length-1);
	      @*/
	    for (j=i+1; j < t.length; j++) {
		if (t[j] < mv) { 
		    mi = j ; mv = t[j]; 
		}
	    }
	    swap(t,i,mi);
	}
    }

}
why-2.39/tests/java/ArrayMax.java0000644000106100004300000000652513147234006015713 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

/*
COST Verification Competition. vladimir@cost-ic0701.org

Challenge 1: Maximum in an array

Given: A non-empty integer array a.

Verify that the index returned by the method max() given below points to
an element maximal in the array.

*/

/*@ axiomatic integer_max {
  @   logic integer max(integer x, integer y);
  @   axiom max_is_ge : \forall integer x y; max(x,y) >= x && max(x,y) >= y;
  @   axiom max_is_some : \forall integer x y; max(x,y) == x || max(x,y) == y;
  @ }
  @*/

public class ArrayMax {


    /*@ requires a.length > 0;
      @ ensures 0 <= \result < a.length &&
      @   \forall integer i; 0 <= i < a.length ==> a[i] <= a[\result];
      @*/
    public static int max(int[] a) {
        int x = 0;
        int y = a.length-1;
        /*@ loop_invariant 0 <= x <= y < a.length &&
          @      \forall integer i;
          @         0 <= i < x || y < i < a.length ==>
          @         a[i] <= max(a[x],a[y]);
          @ loop_variant y - x;
          @*/
        while (x != y) {
            if (a[x] <= a[y]) x++;
                else y--;
        }
        return x;
    }

}

/*
Local Variables:
compile-command: "make ArrayMax.why3ide"
End:
*/

why-2.39/tests/java/Literals.java0000644000106100004300000000464013147234006015742 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

class Literals {

    public static final int x = 0xbad;

    /*@ ensures \result == 5991;
      @*/
    int f() {
	int y = 0xbad;
	return y+x+015;
    }

}


/*
Local Variables:
compile-command: "make Literals.why3ide"
End:
*/


why-2.39/tests/java/oracle/0000755000106100004300000000000013147234006014561 5ustar  marchevalswhy-2.39/tests/java/oracle/Creation.res.oracle0000644000106100004300000000733113147234006020310 0ustar  marchevals========== file tests/java/Creation.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@+ CheckArithOverflow = no

class Creation {

    int simple_val;

    /*@ behavior normal:
      @   assigns this.simple_val; // not \nothing 
      @   ensures this.simple_val == 0;
      @*/
    Creation() {
	this(0);
    }

    /*@ behavior normal:
      @   assigns this.simple_val; // not \nothing
      @   ensures this.simple_val == n;
      @*/
    Creation(int n) {
	simple_val = n;
    }

    /*@ behavior normal:
      @   assigns this.simple_val; // not \nothing
      @   ensures this.simple_val == n + m;
      @*/
    Creation(int n,int m) {
	this(n+m); 
    }

    /*@ behavior normal:
      @   ensures \result == 17;
      @*/
    public static int test1() {
	Creation t = new Creation(17);
	return t.simple_val;
    }

    /*@ behavior normal:
      @   ensures \result == 0;
      @*/
    public static int test2() {
	Creation t = new Creation();
	return t.simple_val;
    }

    /*@ behavior normal:
      @   assigns \nothing;             // BUG !!!!!!!!!!!!
      @   ensures \result == 17;
      @*/
    public static int test3() {
	Creation t = new Creation(10,7);
	return t.simple_val;
    }

}


class TestSuperConstructor extends Creation {

    /*@ behavior normal:
      @   assigns simple_val;
      @   ensures simple_val == 12;
      @*/
    TestSuperConstructor() {
	super(12);
    }

}


/*
Local Variables:
compile-command: "make Creation.why3ide"
End:
*/


========== krakatoa execution ==========
why-2.39/tests/java/oracle/TreeMax.err.oracle0000644000106100004300000000000013147234006020072 0ustar  marchevalswhy-2.39/tests/java/oracle/Purse.res.oracle0000644000106100004300000024105313147234006017643 0ustar  marchevals========== file tests/java/Purse.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@+ CheckArithOverflow = no


class NoCreditException extends Exception {

    public NoCreditException() { }

}

public class Purse {

    private int balance;
    //@ invariant balance_non_negative: balance >= 0;

    /*@ requires true;
      @ assigns balance;
      @ ensures balance == 0;
      @*/
    public Purse() {
        balance = 0;
    }

    /*@ requires s >= 0;
      @ assigns balance;
      @ ensures balance == \old(balance) + s;
      @*/
    public void credit(int s) {
        balance += s;
    }

    /*@ requires s >= 0;
      @ assigns balance;
      @ ensures s <= \old(balance) && balance == \old(balance) - s;
      @ behavior amount_too_large:
      @   assigns \nothing;
      @   signals (NoCreditException) s > \old(balance) ;
      @*/
    public void withdraw(int s) throws NoCreditException {
        if (balance >= s)
            balance = balance - s;
        else
            throw new NoCreditException();
    }

    //@ ensures \result == balance;
    public int getBalance() {
        return balance;
    }

}



/*
Local Variables:
compile-command: "make Purse.why3ide"
End:
*/


========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function cons_Throwable_String for constructor Throwable
Generating JC function Purse_credit for method Purse.credit
Generating JC function Throwable_getCause for method Throwable.getCause
Generating JC function Throwable_printStackTrace for method Throwable.printStackTrace
Generating JC function Throwable_getMessage for method Throwable.getMessage
Generating JC function Purse_getBalance for method Purse.getBalance
Generating JC function Throwable_getLocalizedMessage for method Throwable.getLocalizedMessage
Generating JC function cons_Exception_Throwable for constructor Exception
Generating JC function cons_Purse for constructor Purse
Generating JC function Throwable_getStackTraceDepth for method Throwable.getStackTraceDepth
Generating JC function Throwable_toString for method Throwable.toString
Generating JC function Throwable_printStackTrace_PrintStream for method Throwable.printStackTrace
Generating JC function cons_NoCreditException for constructor NoCreditException
Generating JC function Purse_withdraw for method Purse.withdraw
Generating JC function cons_Exception_String_Throwable for constructor Exception
Generating JC function cons_Throwable_String_Throwable for constructor Throwable
Generating JC function cons_Throwable for constructor Throwable
Generating JC function Throwable_initCause for method Throwable.initCause
Generating JC function Throwable_fillInStackTrace for method Throwable.fillInStackTrace
Generating JC function cons_Exception_String for constructor Exception
Generating JC function cons_Exception for constructor Exception
Generating JC function cons_Throwable_Throwable for constructor Throwable
Done.
========== file tests/java/Purse.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

logic integer Throwable_serialVersionUID =
-3042686055658047285

logic integer Exception_serialVersionUID =
-3387516993124229948

String[0..] any_string()
;

tag String = Object with {
}

tag NoCreditException = Exception with {
}

tag Purse = Object with {
  integer balance;
  invariant balance_non_negative(this_3) = (this_3.balance >= 0);
}

tag Throwable = Object with {
  Object[0..] backtrace; 
  String[0..] detailMessage; 
  Throwable[0..] cause;
}

tag Object = {
}

tag PrintStream = Object with {
}

tag Exception = Throwable with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

exception Exception of Exception[0..]

exception NoCreditException of NoCreditException[0..]

exception Throwable of Throwable[0..]

unit cons_Throwable_String(! Throwable[0] this_17, String[0..] message)
{  (this_17.backtrace = null);
   (this_17.detailMessage = null);
   (this_17.cause = null)
}

unit Purse_credit(Purse[0] this_6, integer s_0)
  requires (K_2 : (s_0 >= 0));
behavior default:
  assigns this_6.balance;
  ensures (K_1 : (this_6.balance == (\at(this_6.balance,Old) + s_0)));
{  (K_3 : this_6.balance += s_0)
}

Throwable[0..] Throwable_getCause(Throwable[0] this_8)
;

unit Throwable_printStackTrace(Throwable[0] this_9)
;

String[0..] Throwable_getMessage(Throwable[0] this_10)
;

integer Purse_getBalance(Purse[0] this_4)
behavior default:
  ensures (K_4 : (\result == this_4.balance));
{  
   (return (K_5 : this_4.balance))
}

String[0..] Throwable_getLocalizedMessage(Throwable[0] this_11)
;

unit cons_Exception_Throwable(! Exception[0] this_18, Throwable[0..] cause_3){()}

unit cons_Purse(! Purse[0] this_7)
  requires (K_6 : true);
behavior default:
  assigns this_7.balance;
  ensures (K_7 : (this_7.balance == 0));
{  (this_7.balance = 0);
   (K_8 : (this_7.balance = 0))
}

integer Throwable_getStackTraceDepth(Throwable[0] this_12)
;

String[0..] Throwable_toString(Throwable[0] this_13)
;

unit Throwable_printStackTrace_PrintStream(Throwable[0] this_14,
                                           PrintStream[0..] s)
;

unit cons_NoCreditException(! NoCreditException[0] this_2){()}

unit Purse_withdraw(Purse[0] this_5, integer s_1)
  requires (K_13 : (s_1 >= 0));
behavior default:
  assigns this_5.balance;
  ensures (K_11 : ((K_10 : (s_1 <= \at(this_5.balance,Old))) &&
                    (K_9 : (this_5.balance ==
                             (\at(this_5.balance,Old) - s_1)))));
behavior amount_too_large:
  throws NoCreditException;
  assigns \nothing;
  ensures (K_12 : (s_1 > \at(this_5.balance,Old)));
{  (if (K_18 : ((K_17 : this_5.balance) >= s_1)) then (K_16 : (this_5.balance = 
                                                      (K_15 : ((K_14 : this_5.balance) -
                                                                s_1)))) else 
   {  
      (var NoCreditException[..] java_thrown_exception = 
      {  
         (var NoCreditException[0] this = (new NoCreditException[1]));
         
         {  
            (var unit _tt = cons_NoCreditException(this));
            this
         }
      });
      
      {  
         (assert Non_null_Object(java_thrown_exception));
         
         (throw NoCreditException java_thrown_exception)
      }
   })
}

unit cons_Exception_String_Throwable(! Exception[0] this_19,
                                     String[0..] message_2,
                                     Throwable[0..] cause_2){()}

unit cons_Throwable_String_Throwable(! Throwable[0] this_20,
                                     String[0..] message_0,
                                     Throwable[0..] cause)
{  (this_20.backtrace = null);
   (this_20.detailMessage = null);
   (this_20.cause = null)
}

unit cons_Throwable(! Throwable[0] this_21)
{  (this_21.backtrace = null);
   (this_21.detailMessage = null);
   (this_21.cause = null)
}

Throwable[0..] Throwable_initCause(Throwable[0] this_15,
                                   Throwable[0..] cause_1)
;

Throwable[0..] Throwable_fillInStackTrace(Throwable[0] this_16)
;

unit cons_Exception_String(! Exception[0] this_22, String[0..] message_1){()}

unit cons_Exception(! Exception[0] this_23){()}

unit cons_Throwable_Throwable(! Throwable[0] this_24, Throwable[0..] cause_0)
{  (this_24.backtrace = null);
   (this_24.detailMessage = null);
   (this_24.cause = null)
}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/Purse.jloc tests/java/Purse.jc && make -f tests/java/Purse.makefile gui"
End:
*/
========== file tests/java/Purse.jloc ==========
[Throwable_getCause]
name = "Method getCause"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 289
begin = 21
end = 29

[cons_Exception_Throwable]
name = "Constructor of class Exception"
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 76
begin = 11
end = 20

[Purse_credit]
name = "Method credit"
file = "HOME/tests/java/Purse.java"
line = 58
begin = 16
end = 22

[K_17]
file = "HOME/tests/java/Purse.java"
line = 70
begin = 12
end = 19

[K_11]
file = "HOME/tests/java/Purse.java"
line = 64
begin = 16
end = 66

[Purse_withdraw]
name = "Method withdraw"
file = "HOME/tests/java/Purse.java"
line = 69
begin = 16
end = 24

[Throwable_initCause]
name = "Method initCause"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 317
begin = 34
end = 43

[K_13]
file = "HOME/tests/java/Purse.java"
line = 62
begin = 17
end = 23

[K_9]
file = "HOME/tests/java/Purse.java"
line = 64
begin = 38
end = 66

[Throwable_getLocalizedMessage]
name = "Method getLocalizedMessage"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 265
begin = 18
end = 37

[cons_Exception_String]
name = "Constructor of class Exception"
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 40
begin = 11
end = 20

[Throwable_getMessage]
name = "Method getMessage"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 251
begin = 18
end = 28

[cons_Purse]
name = "Constructor of class Purse"
file = "HOME/tests/java/Purse.java"
line = 50
begin = 11
end = 16

[K_1]
file = "HOME/tests/java/Purse.java"
line = 56
begin = 16
end = 44

[Throwable_printStackTrace_PrintStream]
name = "Method printStackTrace"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 459
begin = 16
end = 31

[cons_Throwable_Throwable]
name = "Constructor of class Throwable"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 239
begin = 11
end = 20

[K_15]
file = "HOME/tests/java/Purse.java"
line = 71
begin = 22
end = 33

[Throwable_toString]
name = "Method toString"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 341
begin = 18
end = 26

[K_4]
file = "HOME/tests/java/Purse.java"
line = 76
begin = 16
end = 34

[K_12]
file = "HOME/tests/java/Purse.java"
line = 67
begin = 38
end = 55

[Throwable_fillInStackTrace]
name = "Method fillInStackTrace"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 562
begin = 41
end = 57

[Purse_getBalance]
name = "Method getBalance"
file = "HOME/tests/java/Purse.java"
line = 77
begin = 15
end = 25

[K_2]
file = "HOME/tests/java/Purse.java"
line = 54
begin = 17
end = 23

[cons_Throwable]
name = "Constructor of class Throwable"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 179
begin = 11
end = 20

[cons_Throwable_String_Throwable]
name = "Constructor of class Throwable"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 216
begin = 11
end = 20

[K_10]
file = "HOME/tests/java/Purse.java"
line = 64
begin = 16
end = 34

[K_6]
file = "HOME/tests/java/Purse.java"
line = 46
begin = 17
end = 21

[K_8]
file = "HOME/tests/java/Purse.java"
line = 51
begin = 8
end = 19

[cons_Exception_String_Throwable]
name = "Constructor of class Exception"
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 58
begin = 11
end = 20

[K_3]
file = "HOME/tests/java/Purse.java"
line = 59
begin = 8
end = 20

[cons_Exception]
name = "Constructor of class Exception"
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 28
begin = 11
end = 20

[cons_NoCreditException]
name = "Constructor of class NoCreditException"
file = "HOME/tests/java/Purse.java"
line = 37
begin = 11
end = 28

[cons_Throwable_String]
name = "Constructor of class Throwable"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 194
begin = 11
end = 20

[K_14]
file = "HOME/tests/java/Purse.java"
line = 71
begin = 22
end = 29

[Throwable_getStackTraceDepth]
name = "Method getStackTraceDepth"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 645
begin = 23
end = 41

[K_5]
file = "HOME/tests/java/Purse.java"
line = 78
begin = 15
end = 22

[Throwable_printStackTrace]
name = "Method printStackTrace"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 450
begin = 16
end = 31

[K_18]
file = "HOME/tests/java/Purse.java"
line = 70
begin = 12
end = 24

[K_7]
file = "HOME/tests/java/Purse.java"
line = 48
begin = 16
end = 28

[K_16]
file = "HOME/tests/java/Purse.java"
line = 71
begin = 12
end = 33

========== jessie execution ==========
Generating Why function cons_Throwable_String
Generating Why function Purse_credit
Generating Why function Purse_getBalance
Generating Why function cons_Exception_Throwable
Generating Why function cons_Purse
Generating Why function cons_NoCreditException
Generating Why function Purse_withdraw
Generating Why function cons_Exception_String_Throwable
Generating Why function cons_Throwable_String_Throwable
Generating Why function cons_Throwable
Generating Why function cons_Exception_String
Generating Why function cons_Exception
Generating Why function cons_Throwable_Throwable
========== file tests/java/Purse.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/Purse_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: Purse.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: Purse.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: Purse.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/java/Purse.loc ==========
[JC_176]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_177]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 216
begin = 11
end = 20

[JC_221]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_80]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_51]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 450
begin = 16
end = 31

[JC_147]
file = "HOME/tests/java/Purse.java"
line = 69
begin = 16
end = 24

[JC_123]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_143]
file = "HOME/tests/java/Purse.jc"
line = 121
begin = 9
end = 16

[JC_113]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_116]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_64]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Purse_safety]
name = "Constructor of class Purse"
behavior = "Safety"
file = "HOME/tests/java/Purse.java"
line = 50
begin = 11
end = 16

[JC_133]
file = "HOME/tests/java/Purse.java"
line = 62
begin = 17
end = 23

[JC_188]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Throwable_ensures_default]
name = "Constructor of class Throwable"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 179
begin = 11
end = 20

[JC_180]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_99]
file = "HOME/tests/java/Purse.java"
line = 50
begin = 11
end = 16

[JC_200]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_85]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_201]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 562
begin = 41
end = 57

[Purse_getBalance_safety]
name = "Method getBalance"
behavior = "Safety"
file = "HOME/tests/java/Purse.java"
line = 77
begin = 15
end = 25

[JC_31]
file = "HOME/tests/java/Purse.java"
line = 58
begin = 16
end = 22

[JC_17]
file = "HOME/tests/java/Purse.jc"
line = 54
begin = 11
end = 65

[JC_194]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_122]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_205]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_81]
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 76
begin = 11
end = 20

[JC_55]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_134]
file = "HOME/tests/java/Purse.java"
line = 69
begin = 16
end = 24

[JC_48]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_23]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_172]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_121]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_125]
file = "HOME/tests/java/Purse.java"
line = 37
begin = 11
end = 28

[JC_67]
file = "HOME/tests/java/Purse.java"
line = 77
begin = 15
end = 25

[JC_9]
file = "HOME/tests/java/Purse.jc"
line = 52
begin = 8
end = 23

[JC_25]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_189]
file = "HOME/"
line = 0
begin = -1
end = -1

[Purse_withdraw_ensures_default]
name = "Method withdraw"
behavior = "default behavior"
file = "HOME/tests/java/Purse.java"
line = 69
begin = 16
end = 24

[JC_78]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_41]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 289
begin = 21
end = 29

[JC_74]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_195]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 317
begin = 34
end = 43

[JC_52]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[Purse_getBalance_ensures_default]
name = "Method getBalance"
behavior = "default behavior"
file = "HOME/tests/java/Purse.java"
line = 77
begin = 15
end = 25

[JC_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_82]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_163]
kind = AllocSize
file = "HOME/tests/java/Purse.jc"
line = 136
begin = 43
end = 67

[JC_153]
file = "HOME/tests/java/Purse.java"
line = 69
begin = 16
end = 24

[JC_222]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/java/Purse.jc"
line = 52
begin = 8
end = 23

[JC_185]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 179
begin = 11
end = 20

[JC_167]
kind = UserCall
file = "HOME/tests/java/Purse.jc"
line = 139
begin = 28
end = 56

[JC_98]
file = "HOME/tests/java/Purse.jc"
line = 100
begin = 9
end = 16

[JC_70]
file = "HOME/tests/java/Purse.java"
line = 76
begin = 16
end = 34

[cons_Throwable_String_ensures_default]
name = "Constructor of class Throwable"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 194
begin = 11
end = 20

[JC_36]
file = "HOME/tests/java/Purse.java"
line = 56
begin = 16
end = 44

[JC_104]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_39]
file = "HOME/tests/java/Purse.java"
line = 58
begin = 16
end = 22

[JC_112]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_135]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_169]
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 58
begin = 11
end = 20

[JC_132]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
file = "HOME/tests/java/Purse.java"
line = 54
begin = 17
end = 23

[JC_115]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_109]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 341
begin = 18
end = 26

[JC_69]
file = "HOME/tests/java/Purse.java"
line = 76
begin = 16
end = 34

[JC_219]
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 28
begin = 11
end = 20

[JC_124]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_206]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_218]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_191]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_101]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 645
begin = 23
end = 41

[cons_Throwable_String_safety]
name = "Constructor of class Throwable"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 194
begin = 11
end = 20

[JC_223]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_129]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_190]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_110]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_166]
kind = AllocSize
file = "HOME/tests/java/Purse.jc"
line = 136
begin = 43
end = 67

[JC_103]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 645
begin = 23
end = 41

[JC_46]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Throwable_String_Throwable_safety]
name = "Constructor of class Throwable"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 216
begin = 11
end = 20

[Purse_withdraw_safety]
name = "Method withdraw"
behavior = "Safety"
file = "HOME/tests/java/Purse.java"
line = 69
begin = 16
end = 24

[JC_61]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_199]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_56]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_33]
file = "HOME/tests/java/Purse.java"
line = 56
begin = 16
end = 44

[JC_173]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_29]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_202]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_144]
file = "HOME/tests/java/Purse.java"
line = 64
begin = 16
end = 34

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_43]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 289
begin = 21
end = 29

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_95]
file = "HOME/tests/java/Purse.jc"
line = 100
begin = 9
end = 16

[JC_97]
file = "HOME/tests/java/Purse.java"
line = 50
begin = 11
end = 16

[JC_84]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_160]
kind = IndexBounds
file = "HOME/tests/java/Purse.jc"
line = 136
begin = 10
end = 68

[JC_128]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
file = "HOME/tests/java/Purse.java"
line = 58
begin = 16
end = 22

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_90]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_225]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 239
begin = 11
end = 20

[JC_149]
file = "HOME/tests/java/Purse.java"
line = 69
begin = 16
end = 24

[JC_216]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_131]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_37]
file = "HOME/tests/java/Purse.java"
line = 58
begin = 16
end = 22

[JC_181]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_108]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_57]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 251
begin = 18
end = 28

[JC_161]
kind = UserCall
file = "HOME/tests/java/Purse.jc"
line = 139
begin = 28
end = 56

[cons_NoCreditException_ensures_default]
name = "Constructor of class NoCreditException"
behavior = "default behavior"
file = "HOME/tests/java/Purse.java"
line = 37
begin = 11
end = 28

[JC_89]
file = "HOME/tests/java/Purse.java"
line = 50
begin = 11
end = 16

[JC_136]
file = "HOME/tests/java/Purse.java"
line = 62
begin = 17
end = 23

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_165]
file = "HOME/tests/java/Purse.jc"
line = 145
begin = 17
end = 55

[JC_213]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_217]
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 28
begin = 11
end = 20

[JC_229]
file = "HOME/"
line = 0
begin = -1
end = -1

[Purse_credit_ensures_default]
name = "Method credit"
behavior = "default behavior"
file = "HOME/tests/java/Purse.java"
line = 58
begin = 16
end = 22

[JC_86]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_72]
file = "HOME/tests/java/Purse.java"
line = 77
begin = 15
end = 25

[JC_19]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 194
begin = 11
end = 20

[JC_187]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 179
begin = 11
end = 20

[JC_50]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Throwable_safety]
name = "Constructor of class Throwable"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 179
begin = 11
end = 20

[cons_Exception_ensures_default]
name = "Constructor of class Exception"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 28
begin = 11
end = 20

[cons_Throwable_Throwable_safety]
name = "Constructor of class Throwable"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 239
begin = 11
end = 20

[JC_120]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_58]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_28]
file = "HOME/tests/java/Purse.java"
line = 58
begin = 16
end = 22

[JC_198]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_94]
file = "HOME/tests/java/Purse.java"
line = 50
begin = 11
end = 16

[JC_73]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 265
begin = 18
end = 37

[JC_158]
file = "HOME/tests/java/Purse.jc"
line = 126
begin = 9
end = 25

[JC_63]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_196]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_71]
file = "HOME/tests/java/Purse.java"
line = 77
begin = 15
end = 25

[JC_197]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_207]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_151]
file = "HOME/tests/java/Purse.java"
line = 67
begin = 38
end = 55

[JC_45]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_106]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Purse_ensures_default]
name = "Constructor of class Purse"
behavior = "default behavior"
file = "HOME/tests/java/Purse.java"
line = 50
begin = 11
end = 16

[JC_203]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 562
begin = 41
end = 57

[JC_227]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 239
begin = 11
end = 20

[JC_126]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_170]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_138]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_148]
file = "HOME/tests/java/Purse.jc"
line = 121
begin = 9
end = 16

[JC_137]
file = "HOME/tests/java/Purse.java"
line = 69
begin = 16
end = 24

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_231]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_75]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 265
begin = 18
end = 37

[JC_24]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_193]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 317
begin = 34
end = 43

[JC_186]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_212]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_175]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_224]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_47]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_232]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Throwable_String_Throwable_ensures_default]
name = "Constructor of class Throwable"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 216
begin = 11
end = 20

[JC_154]
file = "HOME/tests/java/Purse.jc"
line = 126
begin = 9
end = 25

[JC_54]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Exception_String_safety]
name = "Constructor of class Exception"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 40
begin = 11
end = 20

[JC_208]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_79]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Exception_String_Throwable_ensures_default]
name = "Constructor of class Exception"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 58
begin = 11
end = 20

[cons_Exception_String_ensures_default]
name = "Constructor of class Exception"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 40
begin = 11
end = 20

[JC_130]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_174]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_87]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_184]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_182]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_168]
file = "HOME/tests/java/Purse.jc"
line = 145
begin = 17
end = 55

[JC_91]
file = "HOME/tests/java/Purse.java"
line = 50
begin = 11
end = 16

[cons_NoCreditException_safety]
name = "Constructor of class NoCreditException"
behavior = "Safety"
file = "HOME/tests/java/Purse.java"
line = 37
begin = 11
end = 28

[JC_40]
file = "HOME/tests/java/Purse.java"
line = 58
begin = 16
end = 22

[JC_162]
file = "HOME/tests/java/Purse.jc"
line = 145
begin = 17
end = 55

[cons_Throwable_Throwable_ensures_default]
name = "Constructor of class Throwable"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 239
begin = 11
end = 20

[JC_83]
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 76
begin = 11
end = 20

[JC_35]
file = "HOME/tests/java/Purse.jc"
line = 71
begin = 9
end = 16

[JC_215]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_107]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_179]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 216
begin = 11
end = 20

[cons_Exception_Throwable_safety]
name = "Constructor of class Exception"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 76
begin = 11
end = 20

[JC_38]
file = "HOME/tests/java/Purse.jc"
line = 71
begin = 9
end = 16

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_156]
file = "HOME/tests/java/Purse.java"
line = 69
begin = 16
end = 24

[JC_127]
file = "HOME/tests/java/Purse.java"
line = 37
begin = 11
end = 28

[JC_171]
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 58
begin = 11
end = 20

[JC_164]
kind = UserCall
file = "HOME/tests/java/Purse.jc"
line = 139
begin = 28
end = 56

[JC_44]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_155]
file = "HOME/tests/java/Purse.java"
line = 67
begin = 38
end = 55

[JC_88]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_42]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_178]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_141]
file = "HOME/tests/java/Purse.java"
line = 64
begin = 16
end = 66

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_220]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_65]
file = "HOME/tests/java/Purse.java"
line = 77
begin = 15
end = 25

[JC_118]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_105]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_140]
file = "HOME/tests/java/Purse.java"
line = 64
begin = 38
end = 66

[JC_159]
kind = AllocSize
file = "HOME/tests/java/Purse.jc"
line = 136
begin = 43
end = 67

[JC_68]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_96]
file = "HOME/tests/java/Purse.java"
line = 48
begin = 16
end = 28

[JC_93]
file = "HOME/tests/java/Purse.java"
line = 48
begin = 16
end = 28

[JC_214]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_114]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_150]
file = "HOME/tests/java/Purse.java"
line = 69
begin = 16
end = 24

[JC_117]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 459
begin = 16
end = 31

[JC_53]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_204]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Exception_String_Throwable_safety]
name = "Constructor of class Exception"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 58
begin = 11
end = 20

[JC_157]
file = "HOME/tests/java/Purse.java"
line = 69
begin = 16
end = 24

[JC_145]
file = "HOME/tests/java/Purse.java"
line = 64
begin = 38
end = 66

[JC_21]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 194
begin = 11
end = 20

[JC_209]
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 40
begin = 11
end = 20

[JC_111]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 341
begin = 18
end = 26

[JC_77]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_49]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 450
begin = 16
end = 31

[JC_1]
file = "HOME/tests/java/Purse.jc"
line = 16
begin = 12
end = 22

[JC_102]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Exception_safety]
name = "Constructor of class Exception"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 28
begin = 11
end = 20

[JC_142]
file = "HOME/tests/java/Purse.java"
line = 69
begin = 16
end = 24

[JC_211]
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 40
begin = 11
end = 20

[JC_146]
file = "HOME/tests/java/Purse.java"
line = 64
begin = 16
end = 66

[JC_66]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_59]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 251
begin = 18
end = 28

[cons_Exception_Throwable_ensures_default]
name = "Constructor of class Exception"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 76
begin = 11
end = 20

[JC_192]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/tests/java/Purse.jc"
line = 54
begin = 11
end = 65

[JC_3]
file = "HOME/tests/java/Purse.jc"
line = 16
begin = 12
end = 22

[JC_92]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_152]
file = "HOME/tests/java/Purse.java"
line = 69
begin = 16
end = 24

[JC_228]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_60]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_183]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_139]
file = "HOME/tests/java/Purse.java"
line = 64
begin = 16
end = 34

[JC_119]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 459
begin = 16
end = 31

[JC_210]
file = "HOME/"
line = 0
begin = -1
end = -1

[Purse_withdraw_exsures_amount_too_large]
name = "Method withdraw"
behavior = "Behavior `amount_too_large'"
file = "HOME/tests/java/Purse.java"
line = 69
begin = 16
end = 24

[JC_76]
file = "HOME/"
line = 0
begin = -1
end = -1

[Purse_credit_safety]
name = "Method credit"
behavior = "Safety"
file = "HOME/tests/java/Purse.java"
line = 58
begin = 16
end = 22

[JC_230]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/tests/java/Purse.java"
line = 54
begin = 17
end = 23

[JC_226]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_100]
file = "HOME/tests/java/Purse.java"
line = 50
begin = 11
end = 16

========== file tests/java/why/Purse.why ==========
type Object

type interface

logic Exception_tag:  -> Object tag_id

logic Throwable_tag:  -> Object tag_id

axiom Exception_parenttag_Throwable : parenttag(Exception_tag, Throwable_tag)

function Exception_serialVersionUID() : int = neg_int((3387516993124229948))

logic NoCreditException_tag:  -> Object tag_id

axiom NoCreditException_parenttag_Exception :
 parenttag(NoCreditException_tag, Exception_tag)

predicate Non_null_Object(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), (0))

logic Object_tag:  -> Object tag_id

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic PrintStream_tag:  -> Object tag_id

axiom PrintStream_parenttag_Object : parenttag(PrintStream_tag, Object_tag)

logic Purse_tag:  -> Object tag_id

axiom Purse_parenttag_Object : parenttag(Purse_tag, Object_tag)

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

function Throwable_serialVersionUID() : int = neg_int((3042686055658047285))

predicate balance_non_negative(this_3:Object pointer,
 Purse_balance:(Object, int) memory) =
 ge_int(select(Purse_balance, this_3), (0))

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Throwable(p, a, Object_alloc_table)

predicate left_valid_struct_NoCreditException(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Exception(p, a, Object_alloc_table)

predicate left_valid_struct_PrintStream(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Purse(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Throwable(p, b, Object_alloc_table)

predicate right_valid_struct_NoCreditException(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Exception(p, b, Object_alloc_table)

predicate right_valid_struct_PrintStream(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Purse(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Throwable(p, a, b, Object_alloc_table)

predicate strict_valid_struct_NoCreditException(p:Object pointer, a:int,
 b:int, Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Exception(p, a, b, Object_alloc_table)

predicate strict_valid_struct_PrintStream(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Purse(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Throwable(p, a, b, Object_alloc_table)

predicate valid_struct_NoCreditException(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Exception(p, a, b, Object_alloc_table)

predicate valid_struct_PrintStream(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Purse(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

exception Exception_exc of Object pointer

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception NoCreditException_exc of Object pointer

parameter Object_alloc_table : Object alloc_table ref

parameter Object_tag_table : Object tag_table ref

parameter Purse_balance : (Object, int) memory ref

parameter Purse_credit :
 this_6:Object pointer ->
  s_0:int ->
   { } unit reads Object_alloc_table,Purse_balance writes Purse_balance
   { ((JC_40: balance_non_negative(this_6, Purse_balance))
     and (JC_38:
         ((JC_36:
          (select(Purse_balance, this_6) = add_int(select(Purse_balance@,
                                                   this_6),
                                           s_0)))
         and (JC_37:
             not_assigns(Object_alloc_table@, Purse_balance@, Purse_balance,
             pset_singleton(this_6)))))) }

parameter Purse_credit_requires :
 this_6:Object pointer ->
  s_0:int ->
   { (JC_28:
     ((JC_27: ge_int(s_0, (0)))
     and balance_non_negative(this_6, Purse_balance)))}
   unit reads Object_alloc_table,Purse_balance writes Purse_balance
   { ((JC_40: balance_non_negative(this_6, Purse_balance))
     and (JC_38:
         ((JC_36:
          (select(Purse_balance, this_6) = add_int(select(Purse_balance@,
                                                   this_6),
                                           s_0)))
         and (JC_37:
             not_assigns(Object_alloc_table@, Purse_balance@, Purse_balance,
             pset_singleton(this_6)))))) }

parameter Purse_getBalance :
 this_4:Object pointer ->
  { } int reads Object_alloc_table,Purse_balance
  { ((JC_72: balance_non_negative(this_4, Purse_balance))
    and (JC_70: (result = select(Purse_balance, this_4)))) }

parameter Purse_getBalance_requires :
 this_4:Object pointer ->
  { (JC_65: balance_non_negative(this_4, Purse_balance))} int
  reads Object_alloc_table,Purse_balance
  { ((JC_72: balance_non_negative(this_4, Purse_balance))
    and (JC_70: (result = select(Purse_balance, this_4)))) }

parameter Purse_withdraw :
 this_5:Object pointer ->
  s_1_0:int ->
   { } unit reads Object_alloc_table,Purse_balance
   writes Object_alloc_table,Object_tag_table,Purse_balance
   raises NoCreditException_exc
   { ((JC_150: balance_non_negative(this_5, Purse_balance))
     and (JC_148:
         ((JC_146:
          ((JC_144: le_int(s_1_0, select(Purse_balance@, this_5)))
          and (JC_145:
              (select(Purse_balance, this_5) = sub_int(select(Purse_balance@,
                                                       this_5),
                                               s_1_0)))))
         and (JC_147:
             not_assigns(Object_alloc_table@, Purse_balance@, Purse_balance,
             pset_singleton(this_5))))))
     | NoCreditException_exc =>
         (JC_158:
         ((JC_156:
          ((JC_155: gt_int(s_1_0, select(Purse_balance@, this_5)))
          and balance_non_negative(this_5, Purse_balance)))
         and (JC_157:
             not_assigns(Object_alloc_table@, Purse_balance@, Purse_balance,
             pset_empty)))) }

parameter Purse_withdraw_requires :
 this_5:Object pointer ->
  s_1_0:int ->
   { (JC_134:
     ((JC_133: ge_int(s_1_0, (0)))
     and balance_non_negative(this_5, Purse_balance)))}
   unit reads Object_alloc_table,Purse_balance
   writes Object_alloc_table,Object_tag_table,Purse_balance
   raises NoCreditException_exc
   { ((JC_150: balance_non_negative(this_5, Purse_balance))
     and (JC_148:
         ((JC_146:
          ((JC_144: le_int(s_1_0, select(Purse_balance@, this_5)))
          and (JC_145:
              (select(Purse_balance, this_5) = sub_int(select(Purse_balance@,
                                                       this_5),
                                               s_1_0)))))
         and (JC_147:
             not_assigns(Object_alloc_table@, Purse_balance@, Purse_balance,
             pset_singleton(this_5))))))
     | NoCreditException_exc =>
         (JC_158:
         ((JC_156:
          ((JC_155: gt_int(s_1_0, select(Purse_balance@, this_5)))
          and balance_non_negative(this_5, Purse_balance)))
         and (JC_157:
             not_assigns(Object_alloc_table@, Purse_balance@, Purse_balance,
             pset_empty)))) }

exception Return_label_exc of unit

parameter Throwable_backtrace : (Object, Object pointer) memory ref

parameter Throwable_cause : (Object, Object pointer) memory ref

parameter Throwable_detailMessage : (Object, Object pointer) memory ref

exception Throwable_exc of Object pointer

parameter Throwable_fillInStackTrace :
 this_16:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Throwable_fillInStackTrace_requires :
 this_16:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Throwable_getCause :
 this_8:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Throwable_getCause_requires :
 this_8:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Throwable_getLocalizedMessage :
 this_11:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Throwable_getLocalizedMessage_requires :
 this_11:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Throwable_getMessage :
 this_10:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Throwable_getMessage_requires :
 this_10:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Throwable_getStackTraceDepth :
 this_12:Object pointer -> { } int reads Object_alloc_table { true }

parameter Throwable_getStackTraceDepth_requires :
 this_12:Object pointer -> { } int reads Object_alloc_table { true }

parameter Throwable_initCause :
 this_15:Object pointer ->
  cause_1:Object pointer ->
   { } Object pointer reads Object_alloc_table { true }

parameter Throwable_initCause_requires :
 this_15:Object pointer ->
  cause_1:Object pointer ->
   { } Object pointer reads Object_alloc_table { true }

parameter Throwable_printStackTrace :
 this_9:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Throwable_printStackTrace_PrintStream :
 this_14:Object pointer ->
  s_1:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Throwable_printStackTrace_PrintStream_requires :
 this_14:Object pointer ->
  s_1:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Throwable_printStackTrace_requires :
 this_9:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Throwable_toString :
 this_13:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Throwable_toString_requires :
 this_13:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_NoCreditException :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_NoCreditException(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, NoCreditException_tag)))) }

parameter alloc_struct_NoCreditException_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_NoCreditException(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, NoCreditException_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_PrintStream :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_PrintStream(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, PrintStream_tag)))) }

parameter alloc_struct_PrintStream_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_PrintStream(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, PrintStream_tag)))) }

parameter alloc_struct_Purse :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Purse(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Purse_tag)))) }

parameter alloc_struct_Purse_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Purse(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Purse_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter cons_Exception :
 this_23:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Exception_String :
 this_22:Object pointer ->
  message_1:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Exception_String_Throwable :
 this_19:Object pointer ->
  message_2:Object pointer ->
   cause_2:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Exception_String_Throwable_requires :
 this_19:Object pointer ->
  message_2:Object pointer ->
   cause_2:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Exception_String_requires :
 this_22:Object pointer ->
  message_1:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Exception_Throwable :
 this_18:Object pointer ->
  cause_3:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Exception_Throwable_requires :
 this_18:Object pointer ->
  cause_3:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Exception_requires :
 this_23:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_NoCreditException :
 this_2:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_NoCreditException_requires :
 this_2:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Purse :
 this_7:Object pointer ->
  { } unit reads Object_alloc_table,Purse_balance writes Purse_balance
  { ((JC_100: balance_non_negative(this_7, Purse_balance))
    and (JC_98:
        ((JC_96: (select(Purse_balance, this_7) = (0)))
        and (JC_97:
            not_assigns(Object_alloc_table@, Purse_balance@, Purse_balance,
            pset_singleton(this_7)))))) }

parameter cons_Purse_requires :
 this_7:Object pointer ->
  { } unit reads Object_alloc_table,Purse_balance writes Purse_balance
  { ((JC_100: balance_non_negative(this_7, Purse_balance))
    and (JC_98:
        ((JC_96: (select(Purse_balance, this_7) = (0)))
        and (JC_97:
            not_assigns(Object_alloc_table@, Purse_balance@, Purse_balance,
            pset_singleton(this_7)))))) }

parameter cons_Throwable :
 this_21:Object pointer ->
  { } unit reads Object_alloc_table
  writes Throwable_backtrace,Throwable_cause,Throwable_detailMessage 
  { true }

parameter cons_Throwable_String :
 this_17:Object pointer ->
  message:Object pointer ->
   { } unit reads Object_alloc_table
   writes Throwable_backtrace,Throwable_cause,Throwable_detailMessage
   { true }

parameter cons_Throwable_String_Throwable :
 this_20:Object pointer ->
  message_0:Object pointer ->
   cause:Object pointer ->
    { } unit reads Object_alloc_table
    writes Throwable_backtrace,Throwable_cause,Throwable_detailMessage
    { true }

parameter cons_Throwable_String_Throwable_requires :
 this_20:Object pointer ->
  message_0:Object pointer ->
   cause:Object pointer ->
    { } unit reads Object_alloc_table
    writes Throwable_backtrace,Throwable_cause,Throwable_detailMessage
    { true }

parameter cons_Throwable_String_requires :
 this_17:Object pointer ->
  message:Object pointer ->
   { } unit reads Object_alloc_table
   writes Throwable_backtrace,Throwable_cause,Throwable_detailMessage
   { true }

parameter cons_Throwable_Throwable :
 this_24:Object pointer ->
  cause_0:Object pointer ->
   { } unit reads Object_alloc_table
   writes Throwable_backtrace,Throwable_cause,Throwable_detailMessage
   { true }

parameter cons_Throwable_Throwable_requires :
 this_24:Object pointer ->
  cause_0:Object pointer ->
   { } unit reads Object_alloc_table
   writes Throwable_backtrace,Throwable_cause,Throwable_detailMessage
   { true }

parameter cons_Throwable_requires :
 this_21:Object pointer ->
  { } unit reads Object_alloc_table
  writes Throwable_backtrace,Throwable_cause,Throwable_detailMessage 
  { true }

parameter non_null_Object :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter non_null_Object_requires :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

let Purse_credit_ensures_default =
 fun (this_6 : Object pointer) (s_0 : int) ->
  { (valid_struct_Purse(this_6, (0), (0), Object_alloc_table)
    and (JC_31:
        ((JC_30: ge_int(s_0, (0)))
        and balance_non_negative(this_6, Purse_balance)))) }
  (init:
  try
   begin
     (let _jessie_ =
     (K_3:
     (let _jessie_ = ((add_int ((safe_acc_ !Purse_balance) this_6)) s_0) in
     begin
       (let _jessie_ = this_6 in
       (((safe_upd_ Purse_balance) _jessie_) _jessie_)); _jessie_ end)) in
     void); (raise Return) end with Return -> void end)
  { (JC_35:
    ((JC_33:
     (select(Purse_balance, this_6) = add_int(select(Purse_balance@, this_6),
                                      s_0)))
    and (JC_34:
        not_assigns(Object_alloc_table@, Purse_balance@, Purse_balance,
        pset_singleton(this_6))))) } 

let Purse_credit_safety =
 fun (this_6 : Object pointer) (s_0 : int) ->
  { (valid_struct_Purse(this_6, (0), (0), Object_alloc_table)
    and (JC_31:
        ((JC_30: ge_int(s_0, (0)))
        and balance_non_negative(this_6, Purse_balance)))) }
  (init:
  try
   begin
     (let _jessie_ =
     (K_3:
     (let _jessie_ = ((add_int ((safe_acc_ !Purse_balance) this_6)) s_0) in
     begin
       (let _jessie_ = this_6 in
       (((safe_upd_ Purse_balance) _jessie_) _jessie_)); _jessie_ end)) in
     void); (raise Return) end with Return -> void end)
  { (JC_39: balance_non_negative(this_6, Purse_balance)) } 

let Purse_getBalance_ensures_default =
 fun (this_4 : Object pointer) ->
  { (valid_struct_Purse(this_4, (0), (0), Object_alloc_table)
    and (JC_67: balance_non_negative(this_4, Purse_balance))) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (return := (K_5: ((safe_acc_ !Purse_balance) this_4))); (raise Return);
    absurd  end with Return -> !return end))
  { (JC_69: (result = select(Purse_balance, this_4))) } 

let Purse_getBalance_safety =
 fun (this_4 : Object pointer) ->
  { (valid_struct_Purse(this_4, (0), (0), Object_alloc_table)
    and (JC_67: balance_non_negative(this_4, Purse_balance))) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (return := (K_5: ((safe_acc_ !Purse_balance) this_4))); (raise Return);
    absurd  end with Return -> !return end))
  { (JC_71: balance_non_negative(this_4, Purse_balance)) } 

let Purse_withdraw_ensures_default =
 fun (this_5 : Object pointer) (s_1_0 : int) ->
  { (valid_struct_Purse(this_5, (0), (0), Object_alloc_table)
    and (JC_137:
        ((JC_136: ge_int(s_1_0, (0)))
        and balance_non_negative(this_5, Purse_balance)))) }
  (init:
  try
   begin
     (if (K_18:
         ((ge_int_ (K_17: ((safe_acc_ !Purse_balance) this_5))) s_1_0))
     then
      (let _jessie_ =
      (K_15: ((sub_int (K_14: ((safe_acc_ !Purse_balance) this_5))) s_1_0)) in
      (let _jessie_ = this_5 in
      (((safe_upd_ Purse_balance) _jessie_) _jessie_)))
     else
      (let java_thrown_exception =
      (let this =
      (JC_163:
      (((alloc_struct_NoCreditException (1)) Object_alloc_table) Object_tag_table)) in
      (let _tt =
      (let _jessie_ = this in
      (JC_164: (cons_NoCreditException _jessie_))) in this)) in
      begin
        (assert
        { (JC_165:
          Non_null_Object(java_thrown_exception, Object_alloc_table)) };
        void); (raise (NoCreditException_exc java_thrown_exception)) end));
    (raise Return) end with Return -> void end)
  { (JC_143:
    ((JC_141:
     ((JC_139: le_int(s_1_0, select(Purse_balance@, this_5)))
     and (JC_140:
         (select(Purse_balance, this_5) = sub_int(select(Purse_balance@,
                                                  this_5),
                                          s_1_0)))))
    and (JC_142:
        not_assigns(Object_alloc_table@, Purse_balance@, Purse_balance,
        pset_singleton(this_5))))) | NoCreditException_exc => true } 

let Purse_withdraw_exsures_amount_too_large =
 fun (this_5 : Object pointer) (s_1_0 : int) ->
  { (valid_struct_Purse(this_5, (0), (0), Object_alloc_table)
    and (JC_137:
        ((JC_136: ge_int(s_1_0, (0)))
        and balance_non_negative(this_5, Purse_balance)))) }
  (init:
  try
   begin
     (if (K_18:
         ((ge_int_ (K_17: ((safe_acc_ !Purse_balance) this_5))) s_1_0))
     then
      (let _jessie_ =
      (K_15: ((sub_int (K_14: ((safe_acc_ !Purse_balance) this_5))) s_1_0)) in
      (let _jessie_ = this_5 in
      (((safe_upd_ Purse_balance) _jessie_) _jessie_)))
     else
      (let java_thrown_exception =
      (let this =
      (JC_166:
      (((alloc_struct_NoCreditException (1)) Object_alloc_table) Object_tag_table)) in
      (let _tt =
      (let _jessie_ = this in
      (JC_167: (cons_NoCreditException _jessie_))) in this)) in
      begin
        [ { } unit reads Object_alloc_table
          { (JC_168:
            Non_null_Object(java_thrown_exception, Object_alloc_table)) } ];
       (raise (NoCreditException_exc java_thrown_exception)) end));
    (raise Return) end with Return -> void end)
  { true
    | NoCreditException_exc =>
        (JC_154:
        ((JC_152:
         ((JC_151: gt_int(s_1_0, select(Purse_balance@, this_5)))
         and balance_non_negative(this_5, Purse_balance)))
        and (JC_153:
            not_assigns(Object_alloc_table@, Purse_balance@, Purse_balance,
            pset_empty)))) } 

let Purse_withdraw_safety =
 fun (this_5 : Object pointer) (s_1_0 : int) ->
  { (valid_struct_Purse(this_5, (0), (0), Object_alloc_table)
    and (JC_137:
        ((JC_136: ge_int(s_1_0, (0)))
        and balance_non_negative(this_5, Purse_balance)))) }
  (init:
  try
   begin
     (if (K_18:
         ((ge_int_ (K_17: ((safe_acc_ !Purse_balance) this_5))) s_1_0))
     then
      (let _jessie_ =
      (K_15: ((sub_int (K_14: ((safe_acc_ !Purse_balance) this_5))) s_1_0)) in
      (let _jessie_ = this_5 in
      (((safe_upd_ Purse_balance) _jessie_) _jessie_)))
     else
      (let java_thrown_exception =
      (let this =
      (let _jessie_ =
      (JC_159:
      (((alloc_struct_NoCreditException_requires (1)) Object_alloc_table) Object_tag_table)) in
      (JC_160:
      (assert { ge_int(offset_max(Object_alloc_table, _jessie_), (0)) };
      _jessie_))) in
      (let _tt =
      (let _jessie_ = this in
      (JC_161: (cons_NoCreditException_requires _jessie_))) in this)) in
      begin
        [ { } unit reads Object_alloc_table
          { (JC_162:
            Non_null_Object(java_thrown_exception, Object_alloc_table)) } ];
       (raise (NoCreditException_exc java_thrown_exception)) end));
    (raise Return) end with Return -> void end)
  { (JC_149: balance_non_negative(this_5, Purse_balance))
    | NoCreditException_exc => true } 

let cons_Exception_String_Throwable_ensures_default =
 fun (this_19 : Object pointer) (message_2 : Object pointer) (cause_2 : Object pointer) ->
  { (left_valid_struct_Throwable(cause_2, (0), Object_alloc_table)
    and (left_valid_struct_String(message_2, (0), Object_alloc_table)
        and valid_struct_Exception(this_19, (0), (0), Object_alloc_table))) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_173: true) } 

let cons_Exception_String_Throwable_safety =
 fun (this_19 : Object pointer) (message_2 : Object pointer) (cause_2 : Object pointer) ->
  { (left_valid_struct_Throwable(cause_2, (0), Object_alloc_table)
    and (left_valid_struct_String(message_2, (0), Object_alloc_table)
        and valid_struct_Exception(this_19, (0), (0), Object_alloc_table))) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 

let cons_Exception_String_ensures_default =
 fun (this_22 : Object pointer) (message_1 : Object pointer) ->
  { (left_valid_struct_String(message_1, (0), Object_alloc_table)
    and valid_struct_Exception(this_22, (0), (0), Object_alloc_table)) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_213: true) } 

let cons_Exception_String_safety =
 fun (this_22 : Object pointer) (message_1 : Object pointer) ->
  { (left_valid_struct_String(message_1, (0), Object_alloc_table)
    and valid_struct_Exception(this_22, (0), (0), Object_alloc_table)) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 

let cons_Exception_Throwable_ensures_default =
 fun (this_18 : Object pointer) (cause_3 : Object pointer) ->
  { (left_valid_struct_Throwable(cause_3, (0), Object_alloc_table)
    and valid_struct_Exception(this_18, (0), (0), Object_alloc_table)) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_85: true) } 

let cons_Exception_Throwable_safety =
 fun (this_18 : Object pointer) (cause_3 : Object pointer) ->
  { (left_valid_struct_Throwable(cause_3, (0), Object_alloc_table)
    and valid_struct_Exception(this_18, (0), (0), Object_alloc_table)) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 

let cons_Exception_ensures_default =
 fun (this_23 : Object pointer) ->
  { valid_struct_Exception(this_23, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_221: true) } 

let cons_Exception_safety =
 fun (this_23 : Object pointer) ->
  { valid_struct_Exception(this_23, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 

let cons_NoCreditException_ensures_default =
 fun (this_2 : Object pointer) ->
  { valid_struct_NoCreditException(this_2, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_129: true) } 

let cons_NoCreditException_safety =
 fun (this_2 : Object pointer) ->
  { valid_struct_NoCreditException(this_2, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 

let cons_Purse_ensures_default =
 fun (this_7 : Object pointer) ->
  { valid_struct_Purse(this_7, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = (0) in
       (let _jessie_ = this_7 in
       (((safe_upd_ Purse_balance) _jessie_) _jessie_)));
      (K_8:
      (let _jessie_ = (0) in
      begin
        (let _jessie_ = this_7 in
        (((safe_upd_ Purse_balance) _jessie_) _jessie_)); _jessie_ end))
     end in void); (raise Return) end with Return -> void end)
  { (JC_95:
    ((JC_93: (select(Purse_balance, this_7) = (0)))
    and (JC_94:
        not_assigns(Object_alloc_table@, Purse_balance@, Purse_balance,
        pset_singleton(this_7))))) } 

let cons_Purse_safety =
 fun (this_7 : Object pointer) ->
  { valid_struct_Purse(this_7, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = (0) in
       (let _jessie_ = this_7 in
       (((safe_upd_ Purse_balance) _jessie_) _jessie_)));
      (K_8:
      (let _jessie_ = (0) in
      begin
        (let _jessie_ = this_7 in
        (((safe_upd_ Purse_balance) _jessie_) _jessie_)); _jessie_ end))
     end in void); (raise Return) end with Return -> void end)
  { (JC_99: balance_non_negative(this_7, Purse_balance)) } 

let cons_Throwable_String_Throwable_ensures_default =
 fun (this_20 : Object pointer) (message_0 : Object pointer) (cause : Object pointer) ->
  { (left_valid_struct_Throwable(cause, (0), Object_alloc_table)
    and (left_valid_struct_String(message_0, (0), Object_alloc_table)
        and valid_struct_Throwable(this_20, (0), (0), Object_alloc_table))) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_20 in
       (((safe_upd_ Throwable_backtrace) _jessie_) _jessie_)));
      (let _jessie_ = null in
      (let _jessie_ = this_20 in
      (((safe_upd_ Throwable_detailMessage) _jessie_) _jessie_)));
      (let _jessie_ = null in
      begin
        (let _jessie_ = this_20 in
        (((safe_upd_ Throwable_cause) _jessie_) _jessie_)); _jessie_
      end) end in void); (raise Return) end with Return -> void end)
  { (JC_181: true) } 

let cons_Throwable_String_Throwable_safety =
 fun (this_20 : Object pointer) (message_0 : Object pointer) (cause : Object pointer) ->
  { (left_valid_struct_Throwable(cause, (0), Object_alloc_table)
    and (left_valid_struct_String(message_0, (0), Object_alloc_table)
        and valid_struct_Throwable(this_20, (0), (0), Object_alloc_table))) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_20 in
       (((safe_upd_ Throwable_backtrace) _jessie_) _jessie_)));
      (let _jessie_ = null in
      (let _jessie_ = this_20 in
      (((safe_upd_ Throwable_detailMessage) _jessie_) _jessie_)));
      (let _jessie_ = null in
      begin
        (let _jessie_ = this_20 in
        (((safe_upd_ Throwable_cause) _jessie_) _jessie_)); _jessie_
      end) end in void); (raise Return) end with Return -> void end) 
  { true } 

let cons_Throwable_String_ensures_default =
 fun (this_17 : Object pointer) (message : Object pointer) ->
  { (left_valid_struct_String(message, (0), Object_alloc_table)
    and valid_struct_Throwable(this_17, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_17 in
       (((safe_upd_ Throwable_backtrace) _jessie_) _jessie_)));
      (let _jessie_ = null in
      (let _jessie_ = this_17 in
      (((safe_upd_ Throwable_detailMessage) _jessie_) _jessie_)));
      (let _jessie_ = null in
      begin
        (let _jessie_ = this_17 in
        (((safe_upd_ Throwable_cause) _jessie_) _jessie_)); _jessie_
      end) end in void); (raise Return) end with Return -> void end)
  { (JC_23: true) } 

let cons_Throwable_String_safety =
 fun (this_17 : Object pointer) (message : Object pointer) ->
  { (left_valid_struct_String(message, (0), Object_alloc_table)
    and valid_struct_Throwable(this_17, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_17 in
       (((safe_upd_ Throwable_backtrace) _jessie_) _jessie_)));
      (let _jessie_ = null in
      (let _jessie_ = this_17 in
      (((safe_upd_ Throwable_detailMessage) _jessie_) _jessie_)));
      (let _jessie_ = null in
      begin
        (let _jessie_ = this_17 in
        (((safe_upd_ Throwable_cause) _jessie_) _jessie_)); _jessie_
      end) end in void); (raise Return) end with Return -> void end) 
  { true } 

let cons_Throwable_Throwable_ensures_default =
 fun (this_24 : Object pointer) (cause_0 : Object pointer) ->
  { (left_valid_struct_Throwable(cause_0, (0), Object_alloc_table)
    and valid_struct_Throwable(this_24, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_24 in
       (((safe_upd_ Throwable_backtrace) _jessie_) _jessie_)));
      (let _jessie_ = null in
      (let _jessie_ = this_24 in
      (((safe_upd_ Throwable_detailMessage) _jessie_) _jessie_)));
      (let _jessie_ = null in
      begin
        (let _jessie_ = this_24 in
        (((safe_upd_ Throwable_cause) _jessie_) _jessie_)); _jessie_
      end) end in void); (raise Return) end with Return -> void end)
  { (JC_229: true) } 

let cons_Throwable_Throwable_safety =
 fun (this_24 : Object pointer) (cause_0 : Object pointer) ->
  { (left_valid_struct_Throwable(cause_0, (0), Object_alloc_table)
    and valid_struct_Throwable(this_24, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_24 in
       (((safe_upd_ Throwable_backtrace) _jessie_) _jessie_)));
      (let _jessie_ = null in
      (let _jessie_ = this_24 in
      (((safe_upd_ Throwable_detailMessage) _jessie_) _jessie_)));
      (let _jessie_ = null in
      begin
        (let _jessie_ = this_24 in
        (((safe_upd_ Throwable_cause) _jessie_) _jessie_)); _jessie_
      end) end in void); (raise Return) end with Return -> void end) 
  { true } 

let cons_Throwable_ensures_default =
 fun (this_21 : Object pointer) ->
  { valid_struct_Throwable(this_21, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_21 in
       (((safe_upd_ Throwable_backtrace) _jessie_) _jessie_)));
      (let _jessie_ = null in
      (let _jessie_ = this_21 in
      (((safe_upd_ Throwable_detailMessage) _jessie_) _jessie_)));
      (let _jessie_ = null in
      begin
        (let _jessie_ = this_21 in
        (((safe_upd_ Throwable_cause) _jessie_) _jessie_)); _jessie_
      end) end in void); (raise Return) end with Return -> void end)
  { (JC_189: true) } 

let cons_Throwable_safety =
 fun (this_21 : Object pointer) ->
  { valid_struct_Throwable(this_21, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_21 in
       (((safe_upd_ Throwable_backtrace) _jessie_) _jessie_)));
      (let _jessie_ = null in
      (let _jessie_ = this_21 in
      (((safe_upd_ Throwable_detailMessage) _jessie_) _jessie_)));
      (let _jessie_ = null in
      begin
        (let _jessie_ = this_21 in
        (((safe_upd_ Throwable_cause) _jessie_) _jessie_)); _jessie_
      end) end in void); (raise Return) end with Return -> void end) 
  { true } 


why-2.39/tests/java/oracle/Muller.err.oracle0000644000106100004300000000000013147234006017765 0ustar  marchevalswhy-2.39/tests/java/oracle/TestNonNull.res.oracle0000644000106100004300000012577213147234006021003 0ustar  marchevals========== file tests/java/TestNonNull.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@+ NonNullByDefault = all


class TestNonNull {

    static final int N = 2;

    static int[] st;
    //@ static invariant st_length: st.length >= 4;

    int[] t;
    //@ invariant t_length: t.length >= 4;

    TestNonNull() {
	t = new int[5];
	//@ assert t.length == 5;
    }


    //@ requires t.length >= 4;
    void test(int[] t) {
	int _i = t[3];
	t[2] = 1;
	int _j = t[N];
	t[N + 1] = 1;
	st[3] == 1;
    }

}

/*
Local Variables:
compile-command: "make TestNonNull.why3ide"
End:
*/


========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function TestNonNull_test for method TestNonNull.test
Generating JC function cons_TestNonNull for constructor TestNonNull
Done.
========== file tests/java/TestNonNull.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

type byte = -128..127

type short = -32768..32767

type int32 = -2147483648..2147483647

type long = -9223372036854775808..9223372036854775807

type char = 0..65535

predicate Non_null_intM{Here}(intM[0..] x) =
(\offset_max(x) >= -1)

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

logic int32 TestNonNull_N =
2

String[0..] any_string()
;

tag String = Object with {
}

tag TestNonNull = Object with {
  intM[0..-1] t;
  invariant t_length(this) = ((\offset_max(this.t) + 1) >= 4);
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

tag intM = Object with {
  int32 intP;
}

boolean non_null_intM(! intM[0..] x)
behavior default:
  assigns \nothing;
  ensures (if \result then (\offset_max(x) >= -1) else (x == null));
;

integer java_array_length_intM(! intM[0..-1] x)
behavior default:
  assigns \nothing;
  ensures ((\result <= 2147483647) &&
            ((\result >= 0) && (\result == (\offset_max(x) + 1))));
;

intM[0..-1] TestNonNull_st;

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

invariant st_length :
((\offset_max(TestNonNull_st) + 1) >= 4)

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

unit TestNonNull_test(TestNonNull[0] this_0, intM[0..-1] t)
  requires (K_1 : ((\offset_max(t) + 1) >= 4));
{  
   {  
      (var int32 _i = (K_8 : (t + 3).intP));
      
      {  (K_2 : ((t + 2).intP = 1));
         
         {  
            (var int32 _j = (K_7 : (t + TestNonNull_N).intP));
            
            {  (K_4 : ((t + (K_3 : ((TestNonNull_N + 1) :> int32))).intP = 1));
               (K_6 : ((K_5 : (TestNonNull_st + 3).intP) == 1))
            }
         }
      }
   }
}

unit cons_TestNonNull(! TestNonNull[0] this_1)
{  (this_1.t = null);
   (K_9 : (this_1.t = (new intM[5])));
   (K_11 : 
   (assert (K_10 : ((\offset_max(this_1.t) + 1) == 5))))
}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/TestNonNull.jloc tests/java/TestNonNull.jc && make -f tests/java/TestNonNull.makefile gui"
End:
*/
========== file tests/java/TestNonNull.jloc ==========
[K_11]
file = "HOME/tests/java/TestNonNull.java"
line = 47
begin = 12
end = 25

[K_9]
file = "HOME/tests/java/TestNonNull.java"
line = 46
begin = 1
end = 15

[K_1]
file = "HOME/tests/java/TestNonNull.java"
line = 51
begin = 17
end = 30

[K_4]
file = "HOME/tests/java/TestNonNull.java"
line = 56
begin = 1
end = 13

[K_2]
file = "HOME/tests/java/TestNonNull.java"
line = 54
begin = 1
end = 9

[K_10]
file = "HOME/tests/java/TestNonNull.java"
line = 47
begin = 12
end = 25

[K_6]
file = "HOME/tests/java/TestNonNull.java"
line = 57
begin = 1
end = 11

[K_8]
file = "HOME/tests/java/TestNonNull.java"
line = 53
begin = 10
end = 14

[K_3]
file = "HOME/tests/java/TestNonNull.java"
line = 56
begin = 3
end = 8

[cons_TestNonNull]
name = "Constructor of class TestNonNull"
file = "HOME/tests/java/TestNonNull.java"
line = 45
begin = 4
end = 15

[TestNonNull_test]
name = "Method test"
file = "HOME/tests/java/TestNonNull.java"
line = 52
begin = 9
end = 13

[K_5]
file = "HOME/tests/java/TestNonNull.java"
line = 57
begin = 1
end = 6

[K_7]
file = "HOME/tests/java/TestNonNull.java"
line = 55
begin = 10
end = 14

========== jessie execution ==========
Generating Why function TestNonNull_test
Generating Why function cons_TestNonNull
========== file tests/java/TestNonNull.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/TestNonNull_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: TestNonNull.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: TestNonNull.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: TestNonNull.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/java/TestNonNull.loc ==========
[JC_73]
file = "HOME/tests/java/TestNonNull.java"
line = 45
begin = 4
end = 15

[JC_63]
kind = IndexBounds
file = "HOME/tests/java/TestNonNull.java"
line = 57
begin = 1
end = 6

[JC_80]
file = "HOME/tests/java/TestNonNull.java"
line = 47
begin = 12
end = 25

[JC_51]
file = "HOME/tests/java/TestNonNull.java"
line = 51
begin = 17
end = 30

[JC_71]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_45]
file = "HOME/tests/java/TestNonNull.jc"
line = 72
begin = 8
end = 23

[JC_64]
kind = IndexBounds
file = "HOME/tests/java/TestNonNull.jc"
line = 90
begin = 17
end = 33

[JC_31]
file = "HOME/tests/java/TestNonNull.jc"
line = 66
begin = 11
end = 103

[JC_17]
file = "HOME/tests/java/TestNonNull.jc"
line = 57
begin = 8
end = 21

[JC_55]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_48]
file = "HOME/tests/java/TestNonNull.java"
line = 52
begin = 9
end = 13

[JC_23]
file = "HOME/tests/java/TestNonNull.jc"
line = 57
begin = 8
end = 21

[JC_22]
file = "HOME/tests/java/TestNonNull.jc"
line = 59
begin = 10
end = 18

[JC_67]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_9]
file = "HOME/tests/java/TestNonNull.jc"
line = 26
begin = 12
end = 22

[JC_75]
file = "HOME/tests/java/TestNonNull.java"
line = 45
begin = 4
end = 15

[JC_24]
file = "HOME/tests/java/TestNonNull.jc"
line = 57
begin = 8
end = 21

[JC_25]
file = "HOME/tests/java/TestNonNull.jc"
line = 63
begin = 8
end = 30

[JC_78]
file = "HOME/tests/java/TestNonNull.java"
line = 47
begin = 12
end = 25

[JC_41]
file = "HOME/tests/java/TestNonNull.jc"
line = 72
begin = 8
end = 23

[cons_TestNonNull_safety]
name = "Constructor of class TestNonNull"
behavior = "Safety"
file = "HOME/tests/java/TestNonNull.java"
line = 45
begin = 4
end = 15

[JC_74]
file = "HOME/tests/java/TestNonNull.java"
line = 45
begin = 4
end = 15

[JC_47]
file = "HOME/tests/java/TestNonNull.java"
line = 51
begin = 17
end = 30

[TestNonNull_test_safety]
name = "Method test"
behavior = "Safety"
file = "HOME/tests/java/TestNonNull.java"
line = 52
begin = 9
end = 13

[JC_52]
file = "HOME/tests/java/TestNonNull.java"
line = 52
begin = 9
end = 13

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_79]
kind = AllocSize
file = "HOME/tests/java/TestNonNull.jc"
line = 105
begin = 23
end = 34

[TestNonNull_test_ensures_default]
name = "Method test"
behavior = "default behavior"
file = "HOME/tests/java/TestNonNull.java"
line = 52
begin = 9
end = 13

[JC_13]
file = "HOME/tests/java/TestNonNull.jc"
line = 26
begin = 12
end = 22

[JC_11]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_70]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_15]
file = "HOME/tests/java/TestNonNull.jc"
line = 57
begin = 8
end = 21

[cons_TestNonNull_ensures_default]
name = "Constructor of class TestNonNull"
behavior = "default behavior"
file = "HOME/tests/java/TestNonNull.java"
line = 45
begin = 4
end = 15

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_39]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_35]
file = "HOME/tests/java/TestNonNull.jc"
line = 72
begin = 8
end = 23

[JC_27]
file = "HOME/tests/java/TestNonNull.jc"
line = 63
begin = 8
end = 30

[JC_69]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_38]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_44]
file = "HOME/tests/java/TestNonNull.jc"
line = 72
begin = 8
end = 23

[JC_62]
kind = IndexBounds
file = "HOME/tests/java/TestNonNull.java"
line = 55
begin = 10
end = 14

[JC_42]
file = "HOME/tests/java/TestNonNull.jc"
line = 72
begin = 8
end = 23

[JC_46]
file = "HOME/tests/java/TestNonNull.jc"
line = 72
begin = 8
end = 23

[JC_61]
kind = IndexBounds
file = "HOME/tests/java/TestNonNull.java"
line = 53
begin = 10
end = 14

[JC_32]
file = "HOME/tests/java/TestNonNull.jc"
line = 65
begin = 10
end = 18

[JC_56]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_33]
file = "HOME/tests/java/TestNonNull.jc"
line = 63
begin = 8
end = 30

[JC_65]
kind = IndexBounds
file = "HOME/tests/java/TestNonNull.jc"
line = 95
begin = 23
end = 76

[JC_29]
file = "HOME/tests/java/TestNonNull.jc"
line = 66
begin = 11
end = 103

[JC_68]
file = "HOME/tests/java/TestNonNull.java"
line = 45
begin = 4
end = 15

[JC_7]
file = "HOME/tests/java/TestNonNull.jc"
line = 26
begin = 12
end = 22

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_43]
file = "HOME/tests/java/TestNonNull.jc"
line = 72
begin = 8
end = 23

[JC_34]
file = "HOME/tests/java/TestNonNull.jc"
line = 63
begin = 8
end = 30

[JC_14]
file = "HOME/tests/java/TestNonNull.jc"
line = 26
begin = 12
end = 22

[JC_53]
file = "HOME/tests/java/TestNonNull.java"
line = 52
begin = 9
end = 13

[JC_21]
file = "HOME/tests/java/TestNonNull.jc"
line = 60
begin = 11
end = 66

[JC_77]
kind = IndexBounds
file = "HOME/tests/java/TestNonNull.jc"
line = 105
begin = 11
end = 35

[JC_49]
file = "HOME/tests/java/TestNonNull.java"
line = 52
begin = 9
end = 13

[JC_37]
file = "HOME/tests/java/TestNonNull.jc"
line = 72
begin = 8
end = 23

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_57]
file = "HOME/tests/java/TestNonNull.java"
line = 52
begin = 9
end = 13

[JC_66]
file = "HOME/tests/java/TestNonNull.java"
line = 45
begin = 4
end = 15

[JC_59]
file = "HOME/tests/java/TestNonNull.java"
line = 52
begin = 9
end = 13

[JC_20]
file = "HOME/tests/java/TestNonNull.jc"
line = 59
begin = 10
end = 18

[JC_18]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_60]
file = "HOME/tests/java/TestNonNull.java"
line = 52
begin = 9
end = 13

[JC_72]
file = "HOME/tests/java/TestNonNull.java"
line = 45
begin = 4
end = 15

[JC_19]
file = "HOME/tests/java/TestNonNull.jc"
line = 60
begin = 11
end = 66

[JC_76]
kind = AllocSize
file = "HOME/tests/java/TestNonNull.jc"
line = 105
begin = 23
end = 34

[JC_50]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/tests/java/TestNonNull.jc"
line = 65
begin = 10
end = 18

[JC_58]
file = "HOME/tests/java/TestNonNull.java"
line = 52
begin = 9
end = 13

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/java/why/TestNonNull.why ==========
type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_1:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_1), (0))

predicate Non_null_intM(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), neg_int((1)))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic int32_of_integer: int -> int32

function TestNonNull_N() : int32 = int32_of_integer((2))

logic TestNonNull_tag:  -> Object tag_id

axiom TestNonNull_parenttag_Object : parenttag(TestNonNull_tag, Object_tag)

logic TestNonNull_st:  -> Object pointer

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic integer_of_byte: byte -> int

logic byte_of_integer: int -> byte

axiom byte_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_byte(byte_of_integer(x)), x)))

axiom byte_extensionality :
 (forall x:byte.
  (forall y:byte[eq_int(integer_of_byte(x), integer_of_byte(y))].
   (eq_int(integer_of_byte(x), integer_of_byte(y)) -> (x = y))))

axiom byte_range :
 (forall x:byte.
  (le_int((-128), integer_of_byte(x)) and le_int(integer_of_byte(x), (127))))

logic integer_of_char: char -> int

logic char_of_integer: int -> char

axiom char_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (65535))) ->
   eq_int(integer_of_char(char_of_integer(x)), x)))

axiom char_extensionality :
 (forall x:char.
  (forall y:char[eq_int(integer_of_char(x), integer_of_char(y))].
   (eq_int(integer_of_char(x), integer_of_char(y)) -> (x = y))))

axiom char_range :
 (forall x:char.
  (le_int((0), integer_of_char(x)) and le_int(integer_of_char(x), (65535))))

predicate eq_byte(x:byte, y:byte) =
 eq_int(integer_of_byte(x), integer_of_byte(y))

predicate eq_char(x:char, y:char) =
 eq_int(integer_of_char(x), integer_of_char(y))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_long: long -> int

predicate eq_long(x:long, y:long) =
 eq_int(integer_of_long(x), integer_of_long(y))

logic integer_of_short: short -> int

predicate eq_short(x:short, y:short) =
 eq_int(integer_of_short(x), integer_of_short(y))

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic intM_tag:  -> Object tag_id

axiom intM_parenttag_Object : parenttag(intM_tag, Object_tag)

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_intM(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_TestNonNull(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table,
 TestNonNull_t:(Object, Object pointer) memory) =
 (left_valid_struct_Object(p, a, Object_alloc_table)
 and left_valid_struct_intM(select(TestNonNull_t, p), (0),
     Object_alloc_table))

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer: int -> long

axiom long_coerce :
 (forall x:int.
  ((le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807))) ->
   eq_int(integer_of_long(long_of_integer(x)), x)))

axiom long_extensionality :
 (forall x:long.
  (forall y:long[eq_int(integer_of_long(x), integer_of_long(y))].
   (eq_int(integer_of_long(x), integer_of_long(y)) -> (x = y))))

axiom long_range :
 (forall x:long.
  (le_int((-9223372036854775808), integer_of_long(x))
  and le_int(integer_of_long(x), (9223372036854775807))))

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_intM(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_TestNonNull(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table,
 TestNonNull_t:(Object, Object pointer) memory) =
 (right_valid_struct_Object(p, b, Object_alloc_table)
 and right_valid_struct_intM(select(TestNonNull_t, p), (-1),
     Object_alloc_table))

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer: int -> short

axiom short_coerce :
 (forall x:int.
  ((le_int((-32768), x) and le_int(x, (32767))) ->
   eq_int(integer_of_short(short_of_integer(x)), x)))

axiom short_extensionality :
 (forall x:short.
  (forall y:short[eq_int(integer_of_short(x), integer_of_short(y))].
   (eq_int(integer_of_short(x), integer_of_short(y)) -> (x = y))))

axiom short_range :
 (forall x:short.
  (le_int((-32768), integer_of_short(x))
  and le_int(integer_of_short(x), (32767))))

predicate st_length(Object_alloc_table:Object alloc_table) =
 ge_int(add_int(offset_max(Object_alloc_table, TestNonNull_st), (1)), (4))

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_intM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_TestNonNull(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table,
 TestNonNull_t:(Object, Object pointer) memory) =
 (strict_valid_struct_Object(p, a, b, Object_alloc_table)
 and strict_valid_struct_intM(select(TestNonNull_t, p), (0), (-1),
     Object_alloc_table))

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate t_length(this:Object pointer,
 Object_alloc_table:Object alloc_table,
 TestNonNull_t:(Object, Object pointer) memory) =
 ge_int(add_int(offset_max(Object_alloc_table, select(TestNonNull_t, this)),
        (1)),
 (4))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_intM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_TestNonNull(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table,
 TestNonNull_t:(Object, Object pointer) memory) =
 (valid_struct_Object(p, a, b, Object_alloc_table)
 and valid_struct_intM(select(TestNonNull_t, p), (0), (-1),
     Object_alloc_table))

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

exception Exception_exc of Object pointer

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Object_alloc_table : Object alloc_table ref

parameter Object_tag_table : Object tag_table ref

exception Return_label_exc of unit

parameter TestNonNull_t : (Object, Object pointer) memory ref

parameter intM_intP : (Object, int32) memory ref

parameter TestNonNull_test :
 this_0:Object pointer ->
  t:Object pointer ->
   { } unit reads Object_alloc_table,TestNonNull_t,intM_intP writes intM_intP
   { (JC_60:
     ((JC_59: st_length(Object_alloc_table))
     and t_length(this_0, Object_alloc_table, TestNonNull_t))) }

parameter TestNonNull_test_requires :
 this_0:Object pointer ->
  t:Object pointer ->
   { (JC_49:
     ((JC_47: ge_int(add_int(offset_max(Object_alloc_table, t), (1)), (4)))
     and ((JC_48: st_length(Object_alloc_table))
         and t_length(this_0, Object_alloc_table, TestNonNull_t))))}
   unit reads Object_alloc_table,TestNonNull_t,intM_intP writes intM_intP
   { (JC_60:
     ((JC_59: st_length(Object_alloc_table))
     and t_length(this_0, Object_alloc_table, TestNonNull_t))) }

exception Throwable_exc of Object pointer

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_TestNonNull :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    TestNonNull_t:(Object, Object pointer) memory ->
     { } Object pointer writes Object_alloc_table,Object_tag_table
     { (strict_valid_struct_TestNonNull(result, (0), sub_int(n, (1)),
        Object_alloc_table, TestNonNull_t)
       and (alloc_extends(Object_alloc_table@, Object_alloc_table)
           and (alloc_fresh(Object_alloc_table@, result, n)
               and instanceof(Object_tag_table, result, TestNonNull_tag)))) }

parameter alloc_struct_TestNonNull_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    TestNonNull_t:(Object, Object pointer) memory ->
     { ge_int(n, (0))} Object pointer
     writes Object_alloc_table,Object_tag_table
     { (strict_valid_struct_TestNonNull(result, (0), sub_int(n, (1)),
        Object_alloc_table, TestNonNull_t)
       and (alloc_extends(Object_alloc_table@, Object_alloc_table)
           and (alloc_fresh(Object_alloc_table@, result, n)
               and instanceof(Object_tag_table, result, TestNonNull_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_intM :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_intM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, intM_tag)))) }

parameter alloc_struct_intM_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_intM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, intM_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_byte : unit -> { } byte { true }

parameter any_char : unit -> { } char { true }

parameter any_int32 : unit -> { } int32 { true }

parameter any_long : unit -> { } long { true }

parameter any_short : unit -> { } short { true }

parameter any_string_0 :
 tt:unit ->
  { } Object pointer reads Object_alloc_table
  { (JC_14: st_length(Object_alloc_table)) }

parameter any_string_0_requires :
 tt:unit ->
  { (JC_7: st_length(Object_alloc_table))} Object pointer
  reads Object_alloc_table { (JC_14: st_length(Object_alloc_table)) }

parameter byte_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} byte
  { eq_int(integer_of_byte(result), x) }

parameter char_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (65535)))} char
  { eq_int(integer_of_char(result), x) }

parameter cons_TestNonNull :
 this_1:Object pointer ->
  { } unit reads Object_alloc_table,TestNonNull_t
  writes Object_alloc_table,Object_tag_table,TestNonNull_t
  { (JC_75:
    ((JC_74: st_length(Object_alloc_table))
    and t_length(this_1, Object_alloc_table, TestNonNull_t))) }

parameter cons_TestNonNull_requires :
 this_1:Object pointer ->
  { (JC_66: st_length(Object_alloc_table))} unit
  reads Object_alloc_table,TestNonNull_t
  writes Object_alloc_table,Object_tag_table,TestNonNull_t
  { (JC_75:
    ((JC_74: st_length(Object_alloc_table))
    and t_length(this_1, Object_alloc_table, TestNonNull_t))) }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter java_array_length_intM :
 x_3:Object pointer ->
  { } int reads Object_alloc_table
  { ((JC_34: st_length(Object_alloc_table))
    and (JC_31:
        (le_int(result, (2147483647))
        and (ge_int(result, (0))
            and (result = add_int(offset_max(Object_alloc_table, x_3), (1))))))) }

parameter java_array_length_intM_requires :
 x_3:Object pointer ->
  { (JC_25: st_length(Object_alloc_table))} int reads Object_alloc_table
  { ((JC_34: st_length(Object_alloc_table))
    and (JC_31:
        (le_int(result, (2147483647))
        and (ge_int(result, (0))
            and (result = add_int(offset_max(Object_alloc_table, x_3), (1))))))) }

parameter long_of_integer_ :
 x:int ->
  { (le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807)))}
  long { eq_int(integer_of_long(result), x) }

parameter non_null_Object :
 x_4:Object pointer ->
  { } bool reads Object_alloc_table
  { ((JC_42: st_length(Object_alloc_table))
    and (JC_46:
        ((if result then (offset_max(Object_alloc_table, x_4) = (0))
          else (x_4 = null))
        and (JC_45: st_length(Object_alloc_table))))) }

parameter non_null_Object_requires :
 x_4:Object pointer ->
  { (JC_35: st_length(Object_alloc_table))} bool reads Object_alloc_table
  { ((JC_42: st_length(Object_alloc_table))
    and (JC_46:
        ((if result then (offset_max(Object_alloc_table, x_4) = (0))
          else (x_4 = null))
        and (JC_45: st_length(Object_alloc_table))))) }

parameter non_null_intM :
 x_2:Object pointer ->
  { } bool reads Object_alloc_table
  { ((JC_24: st_length(Object_alloc_table))
    and (JC_21:
        (if result
         then ge_int(offset_max(Object_alloc_table, x_2), neg_int((1)))
         else (x_2 = null)))) }

parameter non_null_intM_requires :
 x_2:Object pointer ->
  { (JC_15: st_length(Object_alloc_table))} bool reads Object_alloc_table
  { ((JC_24: st_length(Object_alloc_table))
    and (JC_21:
        (if result
         then ge_int(offset_max(Object_alloc_table, x_2), neg_int((1)))
         else (x_2 = null)))) }

parameter safe_byte_of_integer_ :
 x:int -> { } byte { eq_int(integer_of_byte(result), x) }

parameter safe_char_of_integer_ :
 x:int -> { } char { eq_int(integer_of_char(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_long_of_integer_ :
 x:int -> { } long { eq_int(integer_of_long(result), x) }

parameter safe_short_of_integer_ :
 x:int -> { } short { eq_int(integer_of_short(result), x) }

parameter short_of_integer_ :
 x:int ->
  { (le_int((-32768), x) and le_int(x, (32767)))} short
  { eq_int(integer_of_short(result), x) }

let TestNonNull_test_ensures_default =
 fun (this_0 : Object pointer) (t : Object pointer) ->
  { (valid_struct_intM(t, (0), (-1), Object_alloc_table)
    and (valid_struct_TestNonNull(this_0, (0), (0), Object_alloc_table,
         TestNonNull_t)
        and (JC_53:
            ((JC_51:
             ge_int(add_int(offset_max(Object_alloc_table, t), (1)), (4)))
            and ((JC_52: st_length(Object_alloc_table))
                and t_length(this_0, Object_alloc_table, TestNonNull_t)))))) }
  (init:
  try
   begin
     (let _jessie_ =
     (let _i = (K_8: ((safe_acc_ !intM_intP) ((shift t) (3)))) in
     (K_2:
     begin
       (let _jessie_ = (safe_int32_of_integer_ (1)) in
       (let _jessie_ = t in
       (let _jessie_ = (2) in
       (let _jessie_ = ((shift _jessie_) _jessie_) in
       (let _jessie_ = ((shift _jessie_) (2)) in
       (((safe_upd_ intM_intP) _jessie_) _jessie_))))));
      (let _j =
      (K_7:
      ((safe_acc_ !intM_intP) ((shift t) (integer_of_int32 TestNonNull_N)))) in
      (K_4:
      begin
        (let _jessie_ = (safe_int32_of_integer_ (1)) in
        (let _jessie_ = t in
        (let _jessie_ = (3) in
        (let _jessie_ = ((shift _jessie_) _jessie_) in
        (let _jessie_ = ((shift _jessie_) (3)) in
        (((safe_upd_ intM_intP) _jessie_) _jessie_))))));
       (K_6:
       ((eq_int_ (integer_of_int32 (K_5:
                                   ((safe_acc_ !intM_intP) ((shift TestNonNull_st) (3)))))) (1)))
      end)) end)) in void); (raise Return) end with Return -> void end)
  { (JC_55: true) } 

let TestNonNull_test_safety =
 fun (this_0 : Object pointer) (t : Object pointer) ->
  { (valid_struct_intM(t, (0), (-1), Object_alloc_table)
    and (valid_struct_TestNonNull(this_0, (0), (0), Object_alloc_table,
         TestNonNull_t)
        and (JC_53:
            ((JC_51:
             ge_int(add_int(offset_max(Object_alloc_table, t), (1)), (4)))
            and ((JC_52: st_length(Object_alloc_table))
                and t_length(this_0, Object_alloc_table, TestNonNull_t)))))) }
  (init:
  try
   begin
     (let _jessie_ =
     (let _i =
     (K_8:
     (JC_61: ((((lsafe_lbound_acc_ !Object_alloc_table) !intM_intP) t) (3)))) in
     (K_2:
     begin
       (let _jessie_ = (safe_int32_of_integer_ (1)) in
       (let _jessie_ = t in
       (let _jessie_ = (2) in
       (let _jessie_ = ((shift _jessie_) _jessie_) in
       (let _jessie_ = ((shift _jessie_) (2)) in
       (JC_64:
       (((((lsafe_lbound_upd_ !Object_alloc_table) intM_intP) _jessie_) (2)) _jessie_)))))));
      (let _j =
      (K_7:
      (JC_62: ((((lsafe_lbound_acc_ !Object_alloc_table) !intM_intP) t) (2)))) in
      (K_4:
      begin
        (let _jessie_ = (safe_int32_of_integer_ (1)) in
        (let _jessie_ = t in
        (let _jessie_ = (3) in
        (let _jessie_ = ((shift _jessie_) _jessie_) in
        (let _jessie_ = ((shift _jessie_) (3)) in
        (JC_65:
        (((((lsafe_lbound_upd_ !Object_alloc_table) intM_intP) _jessie_) (3)) _jessie_)))))));
       (K_6:
       ((eq_int_ (integer_of_int32 (K_5:
                                   (JC_63:
                                   ((((lsafe_lbound_acc_ !Object_alloc_table) !intM_intP) TestNonNull_st) (3)))))) (1)))
      end)) end)) in void); (raise Return) end with Return -> void end)
  { (JC_58:
    ((JC_57: st_length(Object_alloc_table))
    and t_length(this_0, Object_alloc_table, TestNonNull_t))) } 

let cons_TestNonNull_ensures_default =
 fun (this_1 : Object pointer) ->
  { (valid_struct_TestNonNull(this_1, (0), (0), Object_alloc_table,
     TestNonNull_t)
    and (JC_68: st_length(Object_alloc_table))) }
  (init:
  try
   begin
     (let _jessie_ = null in
     (let _jessie_ = this_1 in
     (((safe_upd_ TestNonNull_t) _jessie_) _jessie_)));
    (K_9:
    begin
      (let _jessie_ =
      (JC_79:
      (((alloc_struct_intM (5)) Object_alloc_table) Object_tag_table)) in
      (let _jessie_ = this_1 in
      (((safe_upd_ TestNonNull_t) _jessie_) _jessie_)));
     (K_11:
     begin
       (assert
       { (JC_80:
         (add_int(offset_max(Object_alloc_table,
                  select(TestNonNull_t, this_1)),
          (1)) = (5))) }; void); (raise Return) end) end) end with Return ->
   void end) { (JC_70: true) } 

let cons_TestNonNull_safety =
 fun (this_1 : Object pointer) ->
  { (valid_struct_TestNonNull(this_1, (0), (0), Object_alloc_table,
     TestNonNull_t)
    and (JC_68: st_length(Object_alloc_table))) }
  (init:
  try
   begin
     (let _jessie_ = null in
     (let _jessie_ = this_1 in
     (((safe_upd_ TestNonNull_t) _jessie_) _jessie_)));
    (K_9:
    begin
      (let _jessie_ =
      (let _jessie_ =
      (JC_76:
      (((alloc_struct_intM_requires (5)) Object_alloc_table) Object_tag_table)) in
      (JC_77:
      (assert { ge_int(offset_max(Object_alloc_table, _jessie_), (-1)) };
      _jessie_))) in
      (let _jessie_ = this_1 in
      (((safe_upd_ TestNonNull_t) _jessie_) _jessie_)));
     (K_11:
     begin
       [ { } unit reads Object_alloc_table,TestNonNull_t
         { (JC_78:
           (add_int(offset_max(Object_alloc_table,
                    select(TestNonNull_t, this_1)),
            (1)) = (5))) } ]; (raise Return) end) end) end with Return ->
   void end)
  { (JC_73:
    ((JC_72: st_length(Object_alloc_table))
    and t_length(this_1, Object_alloc_table, TestNonNull_t))) } 


why-2.39/tests/java/oracle/ArrayMax.err.oracle0000644000106100004300000000000013147234006020251 0ustar  marchevalswhy-2.39/tests/java/oracle/Fibonacci.res.oracle0000644000106100004300000000643713147234006020427 0ustar  marchevals========== file tests/java/Fibonacci.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

// RUNCOQ: will ask regtests to check Coq proofs of this program

// int model: unbounded mathematical integers
//@+ CheckArithOverflow = no

/*@ inductive isfib(integer x, integer r) {
  @  case isfib0: isfib(0,0);
  @  case isfib1: isfib(1,1);
  @  case isfibn: 
  @   \forall integer n r p; 
  @     n >= 2 && isfib(n-2,r) && isfib(n-1,p) ==> isfib(n,p+r);
  @ }
  @*/ 

//@ lemma isfib_2_1 : isfib(2,1);
//@ lemma isfib_6_8 : isfib(6,8);

// provable only if def is inductive (least fix point)
//@ lemma not_isfib_2_2 : ! isfib(2,2);

public class Fibonacci {

    /*@ requires n >= 0;
      @ ensures isfib(n, \result); 
      @*/
    public static long Fib(int n) {
	long y=0, x=1, aux;

	/*@ loop_invariant 0 <= i <= n && isfib(i+1,x) && isfib(i,y);
	  @ loop_variant n-i;
	  @*/
	for(int i=0; i < n; i++) {
	    aux = y;
	    y = x;
	    x = x + aux;
	}
	return y;
    }
}

/*
Local Variables:
compile-command: "make Fibonacci.why3ide"
End:
*/


========== krakatoa execution ==========
why-2.39/tests/java/oracle/Fresh3.res.oracle0000644000106100004300000000564113147234006017700 0ustar  marchevals========== file tests/java/Fresh3.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@+ SeparationPolicy = None

class Int { int f; }

class Fresh3 {

  Int i;

/*@ assigns this.i;
  @ allocates this.i;
  @ ensures this.i != null && \fresh(this.i);
  @*/
void create() {
    this.i = new Int();
}

/*@ requires f != null && this.i != null && this != f;
  @*/
void test(Fresh3 f) {
  f.create();
  //@ assert this.i != f.i;
}

static void smoke_detector() {
    Fresh3 s1, s2;
    s1 = new Fresh3();
    s2 = new Fresh3();
    s1.create();
    s2.create();
    //@ assert 0 == 1;
}

}

/*
Local Variables:
compile-command: "LC_ALL=C make Fresh3.why3"
End:
*/
========== krakatoa execution ==========
why-2.39/tests/java/oracle/Booleans.err.oracle0000644000106100004300000000000013147234006020267 0ustar  marchevalswhy-2.39/tests/java/oracle/Negate.err.oracle0000644000106100004300000000020713147234006017741 0ustar  marchevalscat: /tmp/regtests.cwd: No such file or directory
grep: /src/version.ml: No such file or directory
Cannot open directory /lib/java_api
why-2.39/tests/java/oracle/SimpleApplet.err.oracle0000644000106100004300000000006713147234006021141 0ustar  marchevalsgenerating logic fun buffer_inv with one default label
why-2.39/tests/java/oracle/Power.err.oracle0000644000106100004300000000000013147234006017621 0ustar  marchevalswhy-2.39/tests/java/oracle/SideEffects.res.oracle0000644000106100004300000012122313147234006020725 0ustar  marchevals========== file tests/java/SideEffects.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@+ CheckArithOverflow = no

class SideEffects {

    /*@ requires t.length > 10;
      @*/
    void m1(int t[]) {
	int i = 0;
	t[i++] = 1;
	//@ assert t[0] == 1 && i == 1;
	t[++i] = 2;
	//@ assert t[0] == 1 && t[2] == 2 && i == 2;
	t[--i] = 3;
	//@ assert t[0] == 1 && t[2] == 2 && t[1] == 3 && i == 1;
	t[i--] = 4;
	//@ assert t[0] == 1 && t[2] == 2 && t[1] == 4 && i == 0;
    }

}


/*
Local Variables:
compile-command: "make SideEffects.why3ide"
End:
*/


========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function cons_SideEffects for constructor SideEffects
Generating JC function SideEffects_m1 for method SideEffects.m1
Done.
========== file tests/java/SideEffects.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

predicate Non_null_intM{Here}(intM[0..] x) =
(\offset_max(x) >= -1)

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag SideEffects = Object with {
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

tag intM = Object with {
  integer intP;
}

boolean non_null_intM(! intM[0..] x)
behavior default:
  assigns \nothing;
  ensures (if \result then (\offset_max(x) >= -1) else (x == null));
;

integer java_array_length_intM(! intM[0..-1] x)
behavior default:
  assigns \nothing;
  ensures ((\result <= 2147483647) &&
            ((\result >= 0) && (\result == (\offset_max(x) + 1))));
;

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

unit cons_SideEffects(! SideEffects[0] this_1){()}

unit SideEffects_m1(SideEffects[0] this_0, intM[0..] t)
  requires (K_1 : ((\offset_max(t) + 1) > 10));
{  
   {  
      (var integer i = (K_36 : 0));
      
      {  (K_3 : ((t + (K_2 : (i ++))).intP = 1));
         (K_7 : 
         (assert (K_6 : ((K_5 : ((t + 0).intP == 1)) && (K_4 : (i == 1))))));
         (K_9 : ((t + (K_8 : (++ i))).intP = 2));
         (K_15 : 
         (assert (K_14 : ((K_13 : ((K_12 : ((t + 0).intP == 1)) &&
                                    (K_11 : ((t + 2).intP == 2)))) &&
                           (K_10 : (i == 2))))));
         (K_17 : ((t + (K_16 : (-- i))).intP = 3));
         (K_25 : 
         (assert (K_24 : ((K_23 : ((K_22 : ((K_21 : ((t + 0).intP == 1)) &&
                                             (K_20 : ((t + 2).intP == 2)))) &&
                                    (K_19 : ((t + 1).intP == 3)))) &&
                           (K_18 : (i == 1))))));
         (K_27 : ((t + (K_26 : (i --))).intP = 4));
         (K_35 : 
         (assert (K_34 : ((K_33 : ((K_32 : ((K_31 : ((t + 0).intP == 1)) &&
                                             (K_30 : ((t + 2).intP == 2)))) &&
                                    (K_29 : ((t + 1).intP == 4)))) &&
                           (K_28 : (i == 0))))))
      }
   }
}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/SideEffects.jloc tests/java/SideEffects.jc && make -f tests/java/SideEffects.makefile gui"
End:
*/
========== file tests/java/SideEffects.jloc ==========
[K_30]
file = "HOME/tests/java/SideEffects.java"
line = 47
begin = 25
end = 34

[K_23]
file = "HOME/tests/java/SideEffects.java"
line = 45
begin = 12
end = 47

[K_33]
file = "HOME/tests/java/SideEffects.java"
line = 47
begin = 12
end = 47

[K_17]
file = "HOME/tests/java/SideEffects.java"
line = 44
begin = 1
end = 11

[K_11]
file = "HOME/tests/java/SideEffects.java"
line = 43
begin = 25
end = 34

[K_25]
file = "HOME/tests/java/SideEffects.java"
line = 45
begin = 12
end = 57

[K_13]
file = "HOME/tests/java/SideEffects.java"
line = 43
begin = 12
end = 34

[K_9]
file = "HOME/tests/java/SideEffects.java"
line = 42
begin = 1
end = 11

[K_28]
file = "HOME/tests/java/SideEffects.java"
line = 47
begin = 51
end = 57

[K_1]
file = "HOME/tests/java/SideEffects.java"
line = 36
begin = 17
end = 30

[K_15]
file = "HOME/tests/java/SideEffects.java"
line = 43
begin = 12
end = 44

[K_4]
file = "HOME/tests/java/SideEffects.java"
line = 41
begin = 25
end = 31

[K_12]
file = "HOME/tests/java/SideEffects.java"
line = 43
begin = 12
end = 21

[K_34]
file = "HOME/tests/java/SideEffects.java"
line = 47
begin = 12
end = 57

[K_20]
file = "HOME/tests/java/SideEffects.java"
line = 45
begin = 25
end = 34

[K_2]
file = "HOME/tests/java/SideEffects.java"
line = 40
begin = 3
end = 6

[K_29]
file = "HOME/tests/java/SideEffects.java"
line = 47
begin = 38
end = 47

[K_10]
file = "HOME/tests/java/SideEffects.java"
line = 43
begin = 38
end = 44

[K_35]
file = "HOME/tests/java/SideEffects.java"
line = 47
begin = 12
end = 57

[K_6]
file = "HOME/tests/java/SideEffects.java"
line = 41
begin = 12
end = 31

[K_8]
file = "HOME/tests/java/SideEffects.java"
line = 42
begin = 3
end = 6

[K_3]
file = "HOME/tests/java/SideEffects.java"
line = 40
begin = 1
end = 11

[K_31]
file = "HOME/tests/java/SideEffects.java"
line = 47
begin = 12
end = 21

[cons_SideEffects]
name = "Constructor of class SideEffects"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_32]
file = "HOME/tests/java/SideEffects.java"
line = 47
begin = 12
end = 34

[K_27]
file = "HOME/tests/java/SideEffects.java"
line = 46
begin = 1
end = 11

[K_21]
file = "HOME/tests/java/SideEffects.java"
line = 45
begin = 12
end = 21

[K_24]
file = "HOME/tests/java/SideEffects.java"
line = 45
begin = 12
end = 57

[K_14]
file = "HOME/tests/java/SideEffects.java"
line = 43
begin = 12
end = 44

[K_36]
file = "HOME/tests/java/SideEffects.java"
line = 39
begin = 9
end = 10

[K_19]
file = "HOME/tests/java/SideEffects.java"
line = 45
begin = 38
end = 47

[K_5]
file = "HOME/tests/java/SideEffects.java"
line = 41
begin = 12
end = 21

[K_18]
file = "HOME/tests/java/SideEffects.java"
line = 45
begin = 51
end = 57

[SideEffects_m1]
name = "Method m1"
file = "HOME/tests/java/SideEffects.java"
line = 38
begin = 9
end = 11

[K_7]
file = "HOME/tests/java/SideEffects.java"
line = 41
begin = 12
end = 31

[K_26]
file = "HOME/tests/java/SideEffects.java"
line = 46
begin = 3
end = 6

[K_22]
file = "HOME/tests/java/SideEffects.java"
line = 45
begin = 12
end = 34

[K_16]
file = "HOME/tests/java/SideEffects.java"
line = 44
begin = 3
end = 6

========== jessie execution ==========
Generating Why function cons_SideEffects
Generating Why function SideEffects_m1
========== file tests/java/SideEffects.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/SideEffects_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: SideEffects.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: SideEffects.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: SideEffects.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/java/SideEffects.loc ==========
[JC_73]
file = "HOME/tests/java/SideEffects.java"
line = 47
begin = 38
end = 47

[JC_63]
file = "HOME/tests/java/SideEffects.java"
line = 43
begin = 12
end = 44

[JC_80]
file = "HOME/tests/java/SideEffects.java"
line = 43
begin = 25
end = 34

[JC_51]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_SideEffects_ensures_default]
name = "Constructor of class SideEffects"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_71]
file = "HOME/tests/java/SideEffects.java"
line = 47
begin = 12
end = 21

[JC_45]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_64]
kind = PointerDeref
file = "HOME/tests/java/SideEffects.jc"
line = 80
begin = 18
end = 48

[JC_85]
file = "HOME/tests/java/SideEffects.java"
line = 45
begin = 38
end = 47

[JC_31]
file = "HOME/tests/java/SideEffects.jc"
line = 55
begin = 8
end = 23

[JC_17]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_81]
file = "HOME/tests/java/SideEffects.java"
line = 43
begin = 38
end = 44

[JC_55]
kind = PointerDeref
file = "HOME/tests/java/SideEffects.jc"
line = 72
begin = 17
end = 46

[JC_48]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_23]
file = "HOME/tests/java/SideEffects.jc"
line = 51
begin = 11
end = 103

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_67]
file = "HOME/tests/java/SideEffects.java"
line = 45
begin = 38
end = 47

[JC_9]
file = "HOME/tests/java/SideEffects.jc"
line = 42
begin = 8
end = 21

[JC_75]
file = "HOME/tests/java/SideEffects.java"
line = 47
begin = 12
end = 57

[JC_24]
file = "HOME/tests/java/SideEffects.jc"
line = 50
begin = 10
end = 18

[JC_25]
file = "HOME/tests/java/SideEffects.jc"
line = 51
begin = 11
end = 103

[JC_78]
file = "HOME/tests/java/SideEffects.java"
line = 41
begin = 12
end = 31

[JC_41]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_74]
file = "HOME/tests/java/SideEffects.java"
line = 47
begin = 51
end = 57

[JC_47]
file = "HOME/tests/java/SideEffects.java"
line = 36
begin = 17
end = 30

[JC_52]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_26]
file = "HOME/tests/java/SideEffects.jc"
line = 50
begin = 10
end = 18

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_79]
file = "HOME/tests/java/SideEffects.java"
line = 43
begin = 12
end = 21

[JC_13]
file = "HOME/tests/java/SideEffects.jc"
line = 45
begin = 11
end = 66

[JC_82]
file = "HOME/tests/java/SideEffects.java"
line = 43
begin = 12
end = 44

[JC_87]
file = "HOME/tests/java/SideEffects.java"
line = 45
begin = 12
end = 57

[JC_11]
file = "HOME/tests/java/SideEffects.jc"
line = 42
begin = 8
end = 21

[JC_70]
kind = PointerDeref
file = "HOME/tests/java/SideEffects.jc"
line = 86
begin = 18
end = 48

[JC_15]
file = "HOME/tests/java/SideEffects.jc"
line = 45
begin = 11
end = 66

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_91]
file = "HOME/tests/java/SideEffects.java"
line = 47
begin = 51
end = 57

[JC_39]
file = "HOME/"
line = 0
begin = -1
end = -1

[SideEffects_m1_safety]
name = "Method m1"
behavior = "Safety"
file = "HOME/tests/java/SideEffects.java"
line = 38
begin = 9
end = 11

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_83]
file = "HOME/tests/java/SideEffects.java"
line = 45
begin = 12
end = 21

[JC_35]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_69]
file = "HOME/tests/java/SideEffects.java"
line = 45
begin = 12
end = 57

[JC_38]
file = "HOME/tests/java/SideEffects.jc"
line = 57
begin = 11
end = 65

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_44]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
file = "HOME/tests/java/SideEffects.java"
line = 43
begin = 38
end = 44

[JC_88]
file = "HOME/tests/java/SideEffects.java"
line = 47
begin = 12
end = 21

[JC_42]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_46]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_61]
file = "HOME/tests/java/SideEffects.java"
line = 43
begin = 25
end = 34

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_56]
file = "HOME/tests/java/SideEffects.java"
line = 41
begin = 12
end = 21

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_65]
file = "HOME/tests/java/SideEffects.java"
line = 45
begin = 12
end = 21

[JC_29]
file = "HOME/tests/java/SideEffects.jc"
line = 55
begin = 8
end = 23

[JC_68]
file = "HOME/tests/java/SideEffects.java"
line = 45
begin = 51
end = 57

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/tests/java/SideEffects.jc"
line = 44
begin = 10
end = 18

[JC_43]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_84]
file = "HOME/tests/java/SideEffects.java"
line = 45
begin = 25
end = 34

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/tests/java/SideEffects.jc"
line = 44
begin = 10
end = 18

[JC_90]
file = "HOME/tests/java/SideEffects.java"
line = 47
begin = 38
end = 47

[JC_53]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_21]
file = "HOME/tests/java/SideEffects.jc"
line = 48
begin = 8
end = 30

[SideEffects_m1_ensures_default]
name = "Method m1"
behavior = "default behavior"
file = "HOME/tests/java/SideEffects.java"
line = 38
begin = 9
end = 11

[JC_77]
file = "HOME/tests/java/SideEffects.java"
line = 41
begin = 25
end = 31

[JC_49]
file = "HOME/tests/java/SideEffects.java"
line = 36
begin = 17
end = 30

[JC_1]
file = "HOME/tests/java/SideEffects.jc"
line = 13
begin = 12
end = 22

[JC_37]
file = "HOME/tests/java/SideEffects.jc"
line = 57
begin = 11
end = 65

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_57]
file = "HOME/tests/java/SideEffects.java"
line = 41
begin = 25
end = 31

[JC_89]
file = "HOME/tests/java/SideEffects.java"
line = 47
begin = 25
end = 34

[JC_66]
file = "HOME/tests/java/SideEffects.java"
line = 45
begin = 25
end = 34

[JC_59]
kind = PointerDeref
file = "HOME/tests/java/SideEffects.jc"
line = 75
begin = 17
end = 46

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_SideEffects_safety]
name = "Constructor of class SideEffects"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_3]
file = "HOME/tests/java/SideEffects.jc"
line = 13
begin = 12
end = 22

[JC_92]
file = "HOME/tests/java/SideEffects.java"
line = 47
begin = 12
end = 57

[JC_86]
file = "HOME/tests/java/SideEffects.java"
line = 45
begin = 51
end = 57

[JC_60]
file = "HOME/tests/java/SideEffects.java"
line = 43
begin = 12
end = 21

[JC_72]
file = "HOME/tests/java/SideEffects.java"
line = 47
begin = 25
end = 34

[JC_19]
file = "HOME/tests/java/SideEffects.jc"
line = 48
begin = 8
end = 30

[JC_76]
file = "HOME/tests/java/SideEffects.java"
line = 41
begin = 12
end = 21

[JC_50]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_58]
file = "HOME/tests/java/SideEffects.java"
line = 41
begin = 12
end = 31

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/java/why/SideEffects.why ==========
type Object

type interface

logic Exception_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_1:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_1), (0))

predicate Non_null_intM(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), neg_int((1)))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic SideEffects_tag:  -> Object tag_id

axiom SideEffects_parenttag_Object : parenttag(SideEffects_tag, Object_tag)

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic intM_tag:  -> Object tag_id

axiom intM_parenttag_Object : parenttag(intM_tag, Object_tag)

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_SideEffects(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_intM(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_SideEffects(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_intM(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_SideEffects(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_intM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_SideEffects(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_intM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

exception Exception_exc of Object pointer

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Object_alloc_table : Object alloc_table ref

parameter Object_tag_table : Object tag_table ref

exception Return_label_exc of unit

parameter intM_intP : (Object, int) memory ref

parameter SideEffects_m1 :
 this_0:Object pointer ->
  t:Object pointer ->
   { } unit reads Object_alloc_table,intM_intP writes intM_intP { true }

parameter SideEffects_m1_requires :
 this_0:Object pointer ->
  t:Object pointer ->
   { (JC_47: gt_int(add_int(offset_max(Object_alloc_table, t), (1)), (10)))}
   unit reads Object_alloc_table,intM_intP writes intM_intP { true }

exception Throwable_exc of Object pointer

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_SideEffects :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_SideEffects(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, SideEffects_tag)))) }

parameter alloc_struct_SideEffects_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_SideEffects(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, SideEffects_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_intM :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_intM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, intM_tag)))) }

parameter alloc_struct_intM_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_intM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, intM_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter cons_SideEffects :
 this_1:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_SideEffects_requires :
 this_1:Object pointer -> { } unit reads Object_alloc_table { true }

parameter java_array_length_intM :
 x_3:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_25:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_3), (1)))))) }

parameter java_array_length_intM_requires :
 x_3:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_25:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_3), (1)))))) }

parameter non_null_Object :
 x_4:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_38:
    (if result then (offset_max(Object_alloc_table, x_4) = (0))
     else (x_4 = null))) }

parameter non_null_Object_requires :
 x_4:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_38:
    (if result then (offset_max(Object_alloc_table, x_4) = (0))
     else (x_4 = null))) }

parameter non_null_intM :
 x_2:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_15:
    (if result then ge_int(offset_max(Object_alloc_table, x_2), neg_int((1)))
     else (x_2 = null))) }

parameter non_null_intM_requires :
 x_2:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_15:
    (if result then ge_int(offset_max(Object_alloc_table, x_2), neg_int((1)))
     else (x_2 = null))) }

let SideEffects_m1_ensures_default =
 fun (this_0 : Object pointer) (t : Object pointer) ->
  { (left_valid_struct_intM(t, (0), Object_alloc_table)
    and (valid_struct_SideEffects(this_0, (0), (0), Object_alloc_table)
        and (JC_49:
            gt_int(add_int(offset_max(Object_alloc_table, t), (1)), (10))))) }
  (init:
  try
   begin
     (let i = ref (K_36: (0)) in
     (K_3:
     begin
       (let _jessie_ =
       (let _jessie_ = (1) in
       (let _jessie_ = t in
       (let _jessie_ =
       (K_2:
       (let _jessie_ = !i in
       begin
         (let _jessie_ = (i := ((add_int _jessie_) (1))) in void);
        _jessie_ end)) in
       (let _jessie_ = ((shift _jessie_) _jessie_) in
       (((safe_upd_ intM_intP) _jessie_) _jessie_))))) in void);
      (K_7:
      begin
        (assert
        { (JC_78:
          ((JC_76: (select(intM_intP, shift(t, (0))) = (1)))
          and (JC_77: (i = (1))))) }; void);
       (K_9:
       begin
         (let _jessie_ =
         (let _jessie_ = (2) in
         (let _jessie_ = t in
         (let _jessie_ =
         (K_8: begin   (i := ((add_int !i) (1))); !i end) in
         (let _jessie_ = ((shift _jessie_) _jessie_) in
         (((safe_upd_ intM_intP) _jessie_) _jessie_))))) in void);
        (K_15:
        begin
          (assert
          { (JC_82:
            ((JC_79: (select(intM_intP, shift(t, (0))) = (1)))
            and ((JC_80: (select(intM_intP, shift(t, (2))) = (2)))
                and (JC_81: (i = (2)))))) }; void);
         (K_17:
         begin
           (let _jessie_ =
           (let _jessie_ = (3) in
           (let _jessie_ = t in
           (let _jessie_ =
           (K_16: begin   (i := ((sub_int !i) (1))); !i end) in
           (let _jessie_ = ((shift _jessie_) _jessie_) in
           (((safe_upd_ intM_intP) _jessie_) _jessie_))))) in void);
          (K_25:
          begin
            (assert
            { (JC_87:
              ((JC_83: (select(intM_intP, shift(t, (0))) = (1)))
              and ((JC_84: (select(intM_intP, shift(t, (2))) = (2)))
                  and ((JC_85: (select(intM_intP, shift(t, (1))) = (3)))
                      and (JC_86: (i = (1))))))) }; void);
           (K_27:
           begin
             (let _jessie_ =
             (let _jessie_ = (4) in
             (let _jessie_ = t in
             (let _jessie_ =
             (K_26:
             (let _jessie_ = !i in
             begin
               (let _jessie_ = (i := ((sub_int _jessie_) (1))) in void);
              _jessie_ end)) in
             (let _jessie_ = ((shift _jessie_) _jessie_) in
             (((safe_upd_ intM_intP) _jessie_) _jessie_))))) in void);
            (K_35:
            (assert
            { (JC_92:
              ((JC_88: (select(intM_intP, shift(t, (0))) = (1)))
              and ((JC_89: (select(intM_intP, shift(t, (2))) = (2)))
                  and ((JC_90: (select(intM_intP, shift(t, (1))) = (4)))
                      and (JC_91: (i = (0))))))) }; void)) end) end) end) end)
       end) end) end)); (raise Return) end with Return -> void end)
  { (JC_51: true) } 

let SideEffects_m1_safety =
 fun (this_0 : Object pointer) (t : Object pointer) ->
  { (left_valid_struct_intM(t, (0), Object_alloc_table)
    and (valid_struct_SideEffects(this_0, (0), (0), Object_alloc_table)
        and (JC_49:
            gt_int(add_int(offset_max(Object_alloc_table, t), (1)), (10))))) }
  (init:
  try
   begin
     (let i = ref (K_36: (0)) in
     (K_3:
     begin
       (let _jessie_ =
       (let _jessie_ = (1) in
       (let _jessie_ = t in
       (let _jessie_ =
       (K_2:
       (let _jessie_ = !i in
       begin
         (let _jessie_ = (i := ((add_int _jessie_) (1))) in void);
        _jessie_ end)) in
       (let _jessie_ = ((shift _jessie_) _jessie_) in
       (JC_55:
       (((((offset_upd_ !Object_alloc_table) intM_intP) _jessie_) _jessie_) _jessie_)))))) in
       void);
      (K_7:
      begin
        [ { } unit reads i,intM_intP
          { (JC_58:
            ((JC_56: (select(intM_intP, shift(t, (0))) = (1)))
            and (JC_57: (i = (1))))) } ];
       (K_9:
       begin
         (let _jessie_ =
         (let _jessie_ = (2) in
         (let _jessie_ = t in
         (let _jessie_ =
         (K_8: begin   (i := ((add_int !i) (1))); !i end) in
         (let _jessie_ = ((shift _jessie_) _jessie_) in
         (JC_59:
         (((((offset_upd_ !Object_alloc_table) intM_intP) _jessie_) _jessie_) _jessie_)))))) in
         void);
        (K_15:
        begin
          [ { } unit reads i,intM_intP
            { (JC_63:
              ((JC_60: (select(intM_intP, shift(t, (0))) = (1)))
              and ((JC_61: (select(intM_intP, shift(t, (2))) = (2)))
                  and (JC_62: (i = (2)))))) } ];
         (K_17:
         begin
           (let _jessie_ =
           (let _jessie_ = (3) in
           (let _jessie_ = t in
           (let _jessie_ =
           (K_16: begin   (i := ((sub_int !i) (1))); !i end) in
           (let _jessie_ = ((shift _jessie_) _jessie_) in
           (JC_64:
           (((((offset_upd_ !Object_alloc_table) intM_intP) _jessie_) _jessie_) _jessie_)))))) in
           void);
          (K_25:
          begin
            [ { } unit reads i,intM_intP
              { (JC_69:
                ((JC_65: (select(intM_intP, shift(t, (0))) = (1)))
                and ((JC_66: (select(intM_intP, shift(t, (2))) = (2)))
                    and ((JC_67: (select(intM_intP, shift(t, (1))) = (3)))
                        and (JC_68: (i = (1))))))) } ];
           (K_27:
           begin
             (let _jessie_ =
             (let _jessie_ = (4) in
             (let _jessie_ = t in
             (let _jessie_ =
             (K_26:
             (let _jessie_ = !i in
             begin
               (let _jessie_ = (i := ((sub_int _jessie_) (1))) in void);
              _jessie_ end)) in
             (let _jessie_ = ((shift _jessie_) _jessie_) in
             (JC_70:
             (((((offset_upd_ !Object_alloc_table) intM_intP) _jessie_) _jessie_) _jessie_)))))) in
             void);
            (K_35:
            [ { } unit reads i,intM_intP
              { (JC_75:
                ((JC_71: (select(intM_intP, shift(t, (0))) = (1)))
                and ((JC_72: (select(intM_intP, shift(t, (2))) = (2)))
                    and ((JC_73: (select(intM_intP, shift(t, (1))) = (4)))
                        and (JC_74: (i = (0))))))) } ]) end) end) end) end)
       end) end) end)); (raise Return) end with Return -> void end) { true } 

let cons_SideEffects_ensures_default =
 fun (this_1 : Object pointer) ->
  { valid_struct_SideEffects(this_1, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_43: true) } 

let cons_SideEffects_safety =
 fun (this_1 : Object pointer) ->
  { valid_struct_SideEffects(this_1, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 


why-2.39/tests/java/oracle/Termination.err.oracle0000644000106100004300000000000013147234006021016 0ustar  marchevalswhy-2.39/tests/java/oracle/MyCosine.res.oracle0000644000106100004300000011553613147234006020301 0ustar  marchevals========== file tests/java/MyCosine.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/*@ lemma method_error: \forall real x;
  @     \real_abs(x) <= 0x1p-5 ==> \real_abs(1.0 - x*x*0.5 - \cos(x)) <= 0x1p-24;
  @*/

class MyCosine {

/*@ requires \real_abs(x) <= 0x1p-5;
  @ ensures \real_abs(\result - \cos(x)) <= 0x1p-23;
  @*/
static float my_cos1(float x) {
  //@ assert \real_abs(1.0 - x*x*0.5 - \cos(x)) <= 0x1p-24;
  return 1.0f - x * x * 0.5f;
}

/* requires \real_abs(x) <= 0x1p-5 && \round_error(x) == 0.0;
  @ ensures \real_abs(\result - \cos(x)) <= 0x1p-23;
  @*/
static float my_cos2(float x) {
  // assert \exact(x) == x;
  float r = 1.0f - x * x * 0.5f;
  // assert \real_abs(\exact(r) - \cos(x)) <= 0x1p-24;
  return r;
}


/* requires \real_abs(\exact(x)) <= 0x1p-5
  @     && \round_error(x) <= 0x1p-20;
  @ ensures \real_abs(\exact(\result) - \cos(\exact(x))) <= 0x1p-24
  @     && \round_error(\result) <= \round_error(x) + 0x3p-24;
  @*/
static float my_cos3(float x) {
  float r = 1.0f - x * x * 0.5f;
  // assert \real_abs(\exact(r) - \cos(\exact(x))) <= 0x1p-24;  // by interval
  return r;
}

/*@ requires \real_abs(x) <= 0.07 ;
  @ ensures \real_abs(\result - \cos(x)) <= 0x1.3p-20;
  @*/
static float my_cos4(float x) {
  //@ assert \real_abs(x) <= 0x9.p-7;
  //@ assert \real_abs(1.0 - x*x*0.5 - \cos(x)) <= 0x1.2p-20;
  return 1.0f - x * x * 0.5f;
}

}


/*
Local Variables:
compile-command: "krakatoa MyCosine.java"
End:
*/


========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function MyCosine_my_cos2 for method MyCosine.my_cos2
Generating JC function cons_MyCosine for constructor MyCosine
Generating JC function MyCosine_my_cos3 for method MyCosine.my_cos3
Generating JC function MyCosine_my_cos1 for method MyCosine.my_cos1
Generating JC function MyCosine_my_cos4 for method MyCosine.my_cos4
Done.
========== file tests/java/MyCosine.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

type byte = -128..127

type short = -32768..32767

type int32 = -2147483648..2147483647

type long = -9223372036854775808..9223372036854775807

type char = 0..65535

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag MyCosine = Object with {
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

lemma method_error :
(\forall real x;
  ((\real_abs(x) <= 0x1p-5) ==>
    (\real_abs(((1.0 - ((x * x) * 0.5)) - \cos(x))) <= 0x1p-24)))

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

real MyCosine_my_cos2(real x_1)
{  
   {  
      (var real r_0 = (K_3 : (1.0 - (K_2 : ((K_1 : (x_1 * x_1)) * 0.5)))));
      
      (return r_0)
   }
}

unit cons_MyCosine(! MyCosine[0] this_0){()}

real MyCosine_my_cos3(real x_2)
{  
   {  
      (var real r = (K_6 : (1.0 - (K_5 : ((K_4 : (x_2 * x_2)) * 0.5)))));
      
      (return r)
   }
}

real MyCosine_my_cos1(real x_0)
  requires (K_8 : (\real_abs(x_0) <= 0x1p-5));
behavior default:
  ensures (K_7 : (\real_abs((\result - \cos(x_0))) <= 0x1p-23));
{  (K_10 : 
   (assert (K_9 : (\real_abs(((1.0 - ((x_0 * x_0) * 0.5)) - \cos(x_0))) <=
                    0x1p-24))));
   
   (return (K_13 : (1.0 - (K_12 : ((K_11 : (x_0 * x_0)) * 0.5)))))
}

real MyCosine_my_cos4(real x_3)
  requires (K_15 : (\real_abs(x_3) <= 0.07));
behavior default:
  ensures (K_14 : (\real_abs((\result - \cos(x_3))) <= 0x1.3p-20));
{  (K_17 : 
   (assert (K_16 : (\real_abs(x_3) <= 0x9.p-7))));
   (K_19 : 
   (assert (K_18 : (\real_abs(((1.0 - ((x_3 * x_3) * 0.5)) - \cos(x_3))) <=
                     0x1.2p-20))));
   
   (return (K_22 : (1.0 - (K_21 : ((K_20 : (x_3 * x_3)) * 0.5)))))
}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/MyCosine.jloc tests/java/MyCosine.jc && make -f tests/java/MyCosine.makefile gui"
End:
*/
========== file tests/java/MyCosine.jloc ==========
[K_17]
file = "HOME/tests/java/MyCosine.java"
line = 72
begin = 13
end = 36

[K_11]
file = "HOME/tests/java/MyCosine.java"
line = 43
begin = 16
end = 21

[K_13]
file = "HOME/tests/java/MyCosine.java"
line = 43
begin = 9
end = 28

[K_9]
file = "HOME/tests/java/MyCosine.java"
line = 42
begin = 13
end = 58

[K_1]
file = "HOME/tests/java/MyCosine.java"
line = 51
begin = 19
end = 24

[K_15]
file = "HOME/tests/java/MyCosine.java"
line = 68
begin = 13
end = 33

[K_4]
file = "HOME/tests/java/MyCosine.java"
line = 63
begin = 19
end = 24

[K_12]
file = "HOME/tests/java/MyCosine.java"
line = 43
begin = 16
end = 28

[MyCosine_my_cos4]
name = "Method my_cos4"
file = "HOME/tests/java/MyCosine.java"
line = 71
begin = 13
end = 20

[K_20]
file = "HOME/tests/java/MyCosine.java"
line = 74
begin = 16
end = 21

[K_2]
file = "HOME/tests/java/MyCosine.java"
line = 51
begin = 19
end = 31

[MyCosine_my_cos1]
name = "Method my_cos1"
file = "HOME/tests/java/MyCosine.java"
line = 41
begin = 13
end = 20

[K_10]
file = "HOME/tests/java/MyCosine.java"
line = 42
begin = 13
end = 58

[cons_MyCosine]
name = "Constructor of class MyCosine"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_6]
file = "HOME/tests/java/MyCosine.java"
line = 63
begin = 12
end = 31

[K_8]
file = "HOME/tests/java/MyCosine.java"
line = 38
begin = 13
end = 35

[MyCosine_my_cos3]
name = "Method my_cos3"
file = "HOME/tests/java/MyCosine.java"
line = 62
begin = 13
end = 20

[K_3]
file = "HOME/tests/java/MyCosine.java"
line = 51
begin = 12
end = 31

[MyCosine_my_cos2]
name = "Method my_cos2"
file = "HOME/tests/java/MyCosine.java"
line = 49
begin = 13
end = 20

[K_21]
file = "HOME/tests/java/MyCosine.java"
line = 74
begin = 16
end = 28

[K_14]
file = "HOME/tests/java/MyCosine.java"
line = 69
begin = 12
end = 53

[method_error]
name = "Lemma method_error"
file = "HOME/tests/java/MyCosine.java"
line = 32
begin = 10
end = 22

[K_19]
file = "HOME/tests/java/MyCosine.java"
line = 73
begin = 13
end = 60

[K_5]
file = "HOME/tests/java/MyCosine.java"
line = 63
begin = 19
end = 31

[K_18]
file = "HOME/tests/java/MyCosine.java"
line = 73
begin = 13
end = 60

[K_7]
file = "HOME/tests/java/MyCosine.java"
line = 39
begin = 12
end = 51

[K_22]
file = "HOME/tests/java/MyCosine.java"
line = 74
begin = 9
end = 28

[K_16]
file = "HOME/tests/java/MyCosine.java"
line = 72
begin = 13
end = 36

========== jessie execution ==========
Generating Why function MyCosine_my_cos2
Generating Why function cons_MyCosine
Generating Why function MyCosine_my_cos3
Generating Why function MyCosine_my_cos1
Generating Why function MyCosine_my_cos4
========== file tests/java/MyCosine.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/MyCosine_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: MyCosine.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: MyCosine.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: MyCosine.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/java/MyCosine.loc ==========
[JC_63]
file = "HOME/tests/java/MyCosine.java"
line = 72
begin = 13
end = 36

[JC_51]
file = "HOME/tests/java/MyCosine.java"
line = 42
begin = 13
end = 58

[cons_MyCosine_safety]
name = "Constructor of class MyCosine"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_45]
file = "HOME/tests/java/MyCosine.java"
line = 38
begin = 13
end = 35

[MyCosine_my_cos2_ensures_default]
name = "Method my_cos2"
behavior = "default behavior"
file = "HOME/tests/java/MyCosine.java"
line = 49
begin = 13
end = 20

[JC_64]
file = "HOME/tests/java/MyCosine.java"
line = 73
begin = 13
end = 60

[JC_31]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_17]
file = "HOME/tests/java/MyCosine.jc"
line = 47
begin = 11
end = 65

[JC_55]
file = "HOME/tests/java/MyCosine.java"
line = 68
begin = 13
end = 33

[JC_48]
file = "HOME/tests/java/MyCosine.java"
line = 39
begin = 12
end = 51

[JC_23]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_9]
file = "HOME/tests/java/MyCosine.jc"
line = 45
begin = 8
end = 23

[JC_24]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_25]
file = "HOME/"
line = 0
begin = -1
end = -1

[MyCosine_my_cos4_ensures_default]
name = "Method my_cos4"
behavior = "default behavior"
file = "HOME/tests/java/MyCosine.java"
line = 71
begin = 13
end = 20

[JC_41]
file = "HOME/"
line = 0
begin = -1
end = -1

[MyCosine_my_cos2_safety]
name = "Method my_cos2"
behavior = "Safety"
file = "HOME/tests/java/MyCosine.java"
line = 49
begin = 13
end = 20

[MyCosine_my_cos1_safety]
name = "Method my_cos1"
behavior = "Safety"
file = "HOME/tests/java/MyCosine.java"
line = 41
begin = 13
end = 20

[JC_47]
file = "HOME/tests/java/MyCosine.java"
line = 39
begin = 12
end = 51

[JC_52]
file = "HOME/tests/java/MyCosine.java"
line = 42
begin = 13
end = 58

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
file = "HOME/"
line = 0
begin = -1
end = -1

[MyCosine_my_cos3_safety]
name = "Method my_cos3"
behavior = "Safety"
file = "HOME/tests/java/MyCosine.java"
line = 62
begin = 13
end = 20

[JC_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/java/MyCosine.jc"
line = 45
begin = 8
end = 23

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_39]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_35]
file = "HOME/tests/java/MyCosine.java"
line = 62
begin = 13
end = 20

[JC_27]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_38]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_44]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
file = "HOME/tests/java/MyCosine.java"
line = 73
begin = 13
end = 60

[JC_42]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_46]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_61]
file = "HOME/tests/java/MyCosine.java"
line = 72
begin = 13
end = 36

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_56]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_29]
file = "HOME/"
line = 0
begin = -1
end = -1

[method_error]
name = "Lemma method_error"
behavior = "lemma"
file = "HOME/tests/java/MyCosine.java"
line = 32
begin = 10
end = 22

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[MyCosine_my_cos4_safety]
name = "Method my_cos4"
behavior = "Safety"
file = "HOME/tests/java/MyCosine.java"
line = 71
begin = 13
end = 20

[JC_43]
file = "HOME/tests/java/MyCosine.java"
line = 38
begin = 13
end = 35

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_53]
file = "HOME/tests/java/MyCosine.java"
line = 68
begin = 13
end = 33

[JC_21]
file = "HOME/tests/java/MyCosine.java"
line = 49
begin = 13
end = 20

[JC_49]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1]
file = "HOME/tests/java/MyCosine.jc"
line = 20
begin = 12
end = 22

[cons_MyCosine_ensures_default]
name = "Constructor of class MyCosine"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_37]
file = "HOME/tests/java/MyCosine.java"
line = 62
begin = 13
end = 20

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_57]
file = "HOME/tests/java/MyCosine.java"
line = 69
begin = 12
end = 53

[JC_59]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/tests/java/MyCosine.jc"
line = 47
begin = 11
end = 65

[JC_3]
file = "HOME/tests/java/MyCosine.jc"
line = 20
begin = 12
end = 22

[JC_60]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_19]
file = "HOME/tests/java/MyCosine.java"
line = 49
begin = 13
end = 20

[JC_50]
file = "HOME/"
line = 0
begin = -1
end = -1

[MyCosine_my_cos3_ensures_default]
name = "Method my_cos3"
behavior = "default behavior"
file = "HOME/tests/java/MyCosine.java"
line = 62
begin = 13
end = 20

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_58]
file = "HOME/tests/java/MyCosine.java"
line = 69
begin = 12
end = 53

[MyCosine_my_cos1_ensures_default]
name = "Method my_cos1"
behavior = "default behavior"
file = "HOME/tests/java/MyCosine.java"
line = 41
begin = 13
end = 20

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/java/why/MyCosine.why ==========
type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

logic MyCosine_tag:  -> Object tag_id

axiom MyCosine_parenttag_Object : parenttag(MyCosine_tag, Object_tag)

predicate Non_null_Object(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), (0))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic integer_of_byte: byte -> int

logic byte_of_integer: int -> byte

axiom byte_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_byte(byte_of_integer(x)), x)))

axiom byte_extensionality :
 (forall x:byte.
  (forall y:byte[eq_int(integer_of_byte(x), integer_of_byte(y))].
   (eq_int(integer_of_byte(x), integer_of_byte(y)) -> (x = y))))

axiom byte_range :
 (forall x:byte.
  (le_int((-128), integer_of_byte(x)) and le_int(integer_of_byte(x), (127))))

logic integer_of_char: char -> int

logic char_of_integer: int -> char

axiom char_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (65535))) ->
   eq_int(integer_of_char(char_of_integer(x)), x)))

axiom char_extensionality :
 (forall x:char.
  (forall y:char[eq_int(integer_of_char(x), integer_of_char(y))].
   (eq_int(integer_of_char(x), integer_of_char(y)) -> (x = y))))

axiom char_range :
 (forall x:char.
  (le_int((0), integer_of_char(x)) and le_int(integer_of_char(x), (65535))))

predicate eq_byte(x:byte, y:byte) =
 eq_int(integer_of_byte(x), integer_of_byte(y))

predicate eq_char(x:char, y:char) =
 eq_int(integer_of_char(x), integer_of_char(y))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_long: long -> int

predicate eq_long(x:long, y:long) =
 eq_int(integer_of_long(x), integer_of_long(y))

logic integer_of_short: short -> int

predicate eq_short(x:short, y:short) =
 eq_int(integer_of_short(x), integer_of_short(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_MyCosine(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer: int -> long

axiom long_coerce :
 (forall x:int.
  ((le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807))) ->
   eq_int(integer_of_long(long_of_integer(x)), x)))

axiom long_extensionality :
 (forall x:long.
  (forall y:long[eq_int(integer_of_long(x), integer_of_long(y))].
   (eq_int(integer_of_long(x), integer_of_long(y)) -> (x = y))))

axiom long_range :
 (forall x:long.
  (le_int((-9223372036854775808), integer_of_long(x))
  and le_int(integer_of_long(x), (9223372036854775807))))

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_MyCosine(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer: int -> short

axiom short_coerce :
 (forall x:int.
  ((le_int((-32768), x) and le_int(x, (32767))) ->
   eq_int(integer_of_short(short_of_integer(x)), x)))

axiom short_extensionality :
 (forall x:short.
  (forall y:short[eq_int(integer_of_short(x), integer_of_short(y))].
   (eq_int(integer_of_short(x), integer_of_short(y)) -> (x = y))))

axiom short_range :
 (forall x:short.
  (le_int((-32768), integer_of_short(x))
  and le_int(integer_of_short(x), (32767))))

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_MyCosine(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_MyCosine(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

lemma method_error :
 (forall x_4:real.
  (le_real(abs_real(x_4), 0x1p-5) ->
   le_real(abs_real(sub_real(sub_real(1.0, mul_real(mul_real(x_4, x_4), 0.5)),
                    cos(x_4))),
   0x1p-24)))

exception Exception_exc of Object pointer

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter MyCosine_my_cos1 :
 x_0_0:real ->
  { } real
  { (JC_48: le_real(abs_real(sub_real(result, cos(x_0_0))), 0x1p-23)) }

parameter MyCosine_my_cos1_requires :
 x_0_0:real ->
  { (JC_43: le_real(abs_real(x_0_0), 0x1p-5))} real
  { (JC_48: le_real(abs_real(sub_real(result, cos(x_0_0))), 0x1p-23)) }

parameter MyCosine_my_cos2 : x_1_0:real -> { } real { true }

parameter MyCosine_my_cos2_requires : x_1_0:real -> { } real { true }

parameter MyCosine_my_cos3 : x_2:real -> { } real { true }

parameter MyCosine_my_cos3_requires : x_2:real -> { } real { true }

parameter MyCosine_my_cos4 :
 x_3:real ->
  { } real
  { (JC_58: le_real(abs_real(sub_real(result, cos(x_3))), 0x1.3p-20)) }

parameter MyCosine_my_cos4_requires :
 x_3:real ->
  { (JC_53: le_real(abs_real(x_3), 0.07))} real
  { (JC_58: le_real(abs_real(sub_real(result, cos(x_3))), 0x1.3p-20)) }

parameter Object_alloc_table : Object alloc_table ref

parameter Object_tag_table : Object tag_table ref

exception Return_label_exc of unit

exception Throwable_exc of Object pointer

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_MyCosine :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_MyCosine(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, MyCosine_tag)))) }

parameter alloc_struct_MyCosine_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_MyCosine(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, MyCosine_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_byte : unit -> { } byte { true }

parameter any_char : unit -> { } char { true }

parameter any_int32 : unit -> { } int32 { true }

parameter any_long : unit -> { } long { true }

parameter any_short : unit -> { } short { true }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter byte_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} byte
  { eq_int(integer_of_byte(result), x) }

parameter char_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (65535)))} char
  { eq_int(integer_of_char(result), x) }

parameter cons_MyCosine :
 this_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_MyCosine_requires :
 this_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter long_of_integer_ :
 x:int ->
  { (le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807)))}
  long { eq_int(integer_of_long(result), x) }

parameter non_null_Object :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter non_null_Object_requires :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter safe_byte_of_integer_ :
 x:int -> { } byte { eq_int(integer_of_byte(result), x) }

parameter safe_char_of_integer_ :
 x:int -> { } char { eq_int(integer_of_char(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_long_of_integer_ :
 x:int -> { } long { eq_int(integer_of_long(result), x) }

parameter safe_short_of_integer_ :
 x:int -> { } short { eq_int(integer_of_short(result), x) }

parameter short_of_integer_ :
 x:int ->
  { (le_int((-32768), x) and le_int(x, (32767)))} short
  { eq_int(integer_of_short(result), x) }

let MyCosine_my_cos1_ensures_default =
 fun (x_0_0 : real) ->
  { (JC_45: le_real(abs_real(x_0_0), 0x1p-5)) }
  (init:
  (let return = ref (any_real void) in
  try
   (K_10:
   begin
     (assert
     { (JC_52:
       le_real(abs_real(sub_real(sub_real(1.0,
                                 mul_real(mul_real(x_0_0, x_0_0), 0.5)),
                        cos(x_0_0))),
       0x1p-24)) }; void);
    (return := (K_13:
               ((sub_real 1.0) (K_12:
                               ((mul_real (K_11: ((mul_real x_0_0) x_0_0))) 0.5)))));
    (raise Return); absurd  end) with Return -> !return end))
  { (JC_47: le_real(abs_real(sub_real(result, cos(x_0_0))), 0x1p-23)) } 

let MyCosine_my_cos1_safety =
 fun (x_0_0 : real) ->
  { (JC_45: le_real(abs_real(x_0_0), 0x1p-5)) }
  (init:
  (let return = ref (any_real void) in
  try
   (K_10:
   begin
     [ { } unit
       { (JC_51:
         le_real(abs_real(sub_real(sub_real(1.0,
                                   mul_real(mul_real(x_0_0, x_0_0), 0.5)),
                          cos(x_0_0))),
         0x1p-24)) } ];
    (return := (K_13:
               ((sub_real 1.0) (K_12:
                               ((mul_real (K_11: ((mul_real x_0_0) x_0_0))) 0.5)))));
    (raise Return); absurd  end) with Return -> !return end)) { true } 

let MyCosine_my_cos2_ensures_default =
 fun (x_1_0 : real) ->
  { (JC_22: true) }
  (init:
  (let return = ref (any_real void) in
  try
   begin
     (let r_0 =
     (K_3:
     ((sub_real 1.0) (K_2: ((mul_real (K_1: ((mul_real x_1_0) x_1_0))) 0.5)))) in
     begin   (return := r_0); (raise Return) end); absurd  end with Return ->
   !return end)) { (JC_23: true) } 

let MyCosine_my_cos2_safety =
 fun (x_1_0 : real) ->
  { (JC_22: true) }
  (init:
  (let return = ref (any_real void) in
  try
   begin
     (let r_0 =
     (K_3:
     ((sub_real 1.0) (K_2: ((mul_real (K_1: ((mul_real x_1_0) x_1_0))) 0.5)))) in
     begin   (return := r_0); (raise Return) end); absurd  end with Return ->
   !return end)) { true } 

let MyCosine_my_cos3_ensures_default =
 fun (x_2 : real) ->
  { (JC_38: true) }
  (init:
  (let return = ref (any_real void) in
  try
   begin
     (let r =
     (K_6:
     ((sub_real 1.0) (K_5: ((mul_real (K_4: ((mul_real x_2) x_2))) 0.5)))) in
     begin   (return := r); (raise Return) end); absurd  end with Return ->
   !return end)) { (JC_39: true) } 

let MyCosine_my_cos3_safety =
 fun (x_2 : real) ->
  { (JC_38: true) }
  (init:
  (let return = ref (any_real void) in
  try
   begin
     (let r =
     (K_6:
     ((sub_real 1.0) (K_5: ((mul_real (K_4: ((mul_real x_2) x_2))) 0.5)))) in
     begin   (return := r); (raise Return) end); absurd  end with Return ->
   !return end)) { true } 

let MyCosine_my_cos4_ensures_default =
 fun (x_3 : real) ->
  { (JC_55: le_real(abs_real(x_3), 0.07)) }
  (init:
  (let return = ref (any_real void) in
  try
   (K_17:
   begin
     (assert { (JC_63: le_real(abs_real(x_3), 0x9.p-7)) }; void);
    (K_19:
    begin
      (assert
      { (JC_64:
        le_real(abs_real(sub_real(sub_real(1.0,
                                  mul_real(mul_real(x_3, x_3), 0.5)),
                         cos(x_3))),
        0x1.2p-20)) }; void);
     (return := (K_22:
                ((sub_real 1.0) (K_21:
                                ((mul_real (K_20: ((mul_real x_3) x_3))) 0.5)))));
     (raise Return); absurd  end) end) with Return -> !return end))
  { (JC_57: le_real(abs_real(sub_real(result, cos(x_3))), 0x1.3p-20)) } 

let MyCosine_my_cos4_safety =
 fun (x_3 : real) ->
  { (JC_55: le_real(abs_real(x_3), 0.07)) }
  (init:
  (let return = ref (any_real void) in
  try
   (K_17:
   begin
     [ { } unit { (JC_61: le_real(abs_real(x_3), 0x9.p-7)) } ];
    (K_19:
    begin
      [ { } unit
        { (JC_62:
          le_real(abs_real(sub_real(sub_real(1.0,
                                    mul_real(mul_real(x_3, x_3), 0.5)),
                           cos(x_3))),
          0x1.2p-20)) } ];
     (return := (K_22:
                ((sub_real 1.0) (K_21:
                                ((mul_real (K_20: ((mul_real x_3) x_3))) 0.5)))));
     (raise Return); absurd  end) end) with Return -> !return end)) { true } 

let cons_MyCosine_ensures_default =
 fun (this_0 : Object pointer) ->
  { valid_struct_MyCosine(this_0, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_31: true) } 

let cons_MyCosine_safety =
 fun (this_0 : Object pointer) ->
  { valid_struct_MyCosine(this_0, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 


why-2.39/tests/java/oracle/AllZeros.err.oracle0000644000106100004300000000000013147234006020260 0ustar  marchevalswhy-2.39/tests/java/oracle/Duplets.res.oracle0000644000106100004300000005135313147234006020167 0ustar  marchevals========== file tests/java/Duplets.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/*
COST Verification Competition. vladimir@cost-ic0701.org

Challenge 3: Two equal elements

Given: An integer array a of length n+2 with n>=2. It is known that at
least two values stored in the array appear twice (i.e., there are at
least two duplets).

Implement and verify a program finding such two values.

You may assume that the array contains values between 0 and n-1.
*/


class Integer {
    int value;
    /*@ ensures this.value == a;
      @*/
    Integer(int a) {
        value = a;
    }
}

class Pair {
    int x,y;
    /*@ ensures this.x == a && this.y == b;
      @*/
    Pair(int a,int b) {
        x = a; y = b;
    }
}

class Quadruple {
    int x,y,z,t;
    /*@ ensures this.x == a && this.y == b &&
      @         this.z == c && this.t == d;
      @*/
    Pair(int a,int b,int c,int d) {
        x = a; y = b; z = c; t = d;
    }
}

/* equality between an integer and a possibly null Integer object */
/*@ predicate eq_opt{L}(integer x, Integer o) =
  @   o != null && x == o.value;
  @*/

/* A duplet in array a is a pair of indexes (i,j) in the bounds of array
   a such that a[i] = a[j] */
/*@ predicate is_duplet{L}(int a[], integer i, integer j) =
  @    0 <= i < j < a.length && a[i] == a[j];
  @*/

class Duplets {

    /* duplet(a) returns the indexes (i,j) of a duplet in a.
     * moreover, if except is not null, the value of this duplet must
     * be different from it.
     */
    /*@ requires 2 <= a.length &&
      @   \exists integer i j;
      @     is_duplet(a,i,j) && ! eq_opt(a[i],except) ;
      @ ensures
      @   is_duplet(a,\result.x,\result.y) &&
      @   ! eq_opt(a[\result.x],except); 
      @*/
    Pair duplet(int a[], Integer except) {
        /*@ loop_invariant
          @  \forall integer k l; 0 <= k < i && k < l < a.length ==>
          @    ! eq_opt(a[k],except) ==> ! is_duplet(a,k,l);
          @ loop_variant a.length - i;
          @*/
        for(int i=0; i <= a.length - 2; i++) {
            int v = a[i];
            if (except != null && except.value != v) {
                /*@ loop_invariant
                  @   \forall integer l; i < l < j ==> ! is_duplet(a,i,l);
                  @ loop_variant a.length - j;
                  @*/
                for (int j=i+1; j < a.length; j++) {
                    if (a[j] == v) {
                        return new Pair(i, j);
                    }
                }
            }
        }
        // assert \forall integer i j; ! is_duplet(a,i,j);
        //@ assert false;
        return null;
    }


    /* requires 4 <= a.length && \exists integer i j k l;
      @   is_duplet(a,i,j) && is_duplet(a,k,l) && a[i] != a[k];
      @ ensures is_duplet(a,\result.x,\result.y) &&
      @   is_duplet(a,\result.z,\result.t) &&
      @   a[\result.x] != a[\result.z];
      @*/
    Quadruple duplets(int a[]) {
        Pair p = duplet(a,null);
        Pair q = duplet(a,new Integer(a[p.x]));
        return new Quadruple(p.x,p.y,q.x,q.y);
    }
   

}

/*
Local Variables:
compile-command: "make Duplets.why3ide"
End:
*/

========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function cons_Pair_int_int for constructor Pair
Generating JC function Object_registerNatives for method Object.registerNatives
Generating JC function Object_clone for method Object.clone
Generating JC function cons_Quadruple_int_int_int_int for constructor Quadruple
Generating JC function cons_Integer_int for constructor Integer
Generating JC function Duplets_duplet for method Duplets.duplet
Generating JC function Duplets_duplets for method Duplets.duplets
Generating JC function cons_Duplets for constructor Duplets
Generating JC function Object_finalize for method Object.finalize
Generating JC function Object_notifyAll for method Object.notifyAll
Generating JC function Object_equals for method Object.equals
Generating JC function Object_toString for method Object.toString
Generating JC function Object_wait for method Object.wait
Generating JC function Object_hashCode for method Object.hashCode
Generating JC function Object_notify for method Object.notify
Generating JC function Object_wait_long_int for method Object.wait
Generating JC function Object_wait_long for method Object.wait
Generating JC function cons_Object for constructor Object
Done.
========== file tests/java/Duplets.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

type byte = -128..127

type short = -32768..32767

type int32 = -2147483648..2147483647

type long = -9223372036854775808..9223372036854775807

type char = 0..65535

predicate Non_null_intM{Here}(intM[0..] x) =
(\offset_max(x) >= -1)

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag Quadruple = Object with {
  int32 x; 
  int32 y; 
  int32 z; 
  int32 t;
}

tag Integer = Object with {
  int32 value;
}

tag Pair = Object with {
  int32 x; 
  int32 y;
}

tag Throwable = Object with {
}

tag Object = {
}

tag Duplets = Object with {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

tag intM = Object with {
  int32 intP;
}

boolean non_null_intM(! intM[0..] x)
behavior default:
  assigns \nothing;
  ensures (if \result then (\offset_max(x) >= -1) else (x == null));
;

integer java_array_length_intM(! intM[0..-1] x)
behavior default:
  assigns \nothing;
  ensures ((\result <= 2147483647) &&
            ((\result >= 0) && (\result == (\offset_max(x) + 1))));
;

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

predicate eq_opt{L}(integer x, Integer[0..] o) =
(Non_null_Object(o) && (x == o.value))

predicate is_duplet{L}(intM[0..] a_2, integer i, integer j) =
((((0 <= i) && (i < j)) && (j < (\offset_max(a_2) + 1))) &&
  ((a_2 + i).intP == (a_2 + j).intP))

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

unit cons_Pair_int_int(! Pair[0] this_2, int32 a_0, int32 b)
behavior default:
  ensures (K_3 : ((K_2 : (this_2.x == a_0)) && (K_1 : (this_2.y == b))));
{  (this_2.x = 0);
   (this_2.y = 0);
   (K_4 : (this_2.x = a_0));
   (K_5 : (this_2.y = b))
}

unit Object_registerNatives()
;

Object[0..] Object_clone(Object[0] this_10)
;

unit cons_Quadruple_int_int_int_int(! Quadruple[0] this_4, int32 a_1,
                                    int32 b_0, int32 c, int32 d)
behavior default:
  ensures (K_12 : ((K_11 : ((K_10 : ((K_9 : (this_4.x == a_1)) &&
                                      (K_8 : (this_4.y == b_0)))) &&
                             (K_7 : (this_4.z == c)))) &&
                    (K_6 : (this_4.t == d))));
{  (this_4.x = 0);
   (this_4.y = 0);
   (this_4.z = 0);
   (this_4.t = 0);
   (K_13 : (this_4.x = a_1));
   (K_14 : (this_4.y = b_0));
   (K_15 : (this_4.z = c));
   (K_16 : (this_4.t = d))
}

unit cons_Integer_int(! Integer[0] this_0, int32 a)
behavior default:
  ensures (K_17 : (this_0.value == a));
{  (this_0.value = 0);
   (K_18 : (this_0.value = a))
}

Pair[0..] Duplets_duplet(Duplets[0] this_8, intM[0..] a_3,
                         Integer[0..] except)
  requires (K_24 : ((K_23 : (2 <= (\offset_max(a_3) + 1))) &&
                     (K_22 : (\exists integer i_0;
                               (\exists integer j_0;
                                 (is_duplet{Here}(a_3, i_0, j_0) &&
                                   (! eq_opt{Here}((a_3 + i_0).intP, except))))))));
behavior default:
  ensures (K_21 : ((K_20 : is_duplet{Here}(a_3, \result.x, \result.y)) &&
                    (K_19 : (! eq_opt{Here}((a_3 + \result.x).intP, except)))));
{  
   {  
      {  
         (var int32 i_1 = (K_25 : 0));
         
         loop 
         behavior default:
           invariant (K_26 : (\forall integer k;
                               (\forall integer l;
                                 ((((0 <= k) && (k < i_1)) &&
                                    ((k < l) && (l < (\offset_max(a_3) + 1)))) ==>
                                   ((! eq_opt{Here}((a_3 + k).intP, except)) ==>
                                     (! is_duplet{Here}(a_3, k, l)))))));
         
         variant (K_27 : ((\offset_max(a_3) + 1) - i_1));
         for ( ; (K_43 : (i_1 <=
                           (K_42 : (((K_41 : java_array_length_intM(a_3)) -
                                      2) :> int32)))) ; (K_40 : (i_1 ++)))
         {  
            {  
               (var int32 v = (K_39 : (a_3 + i_1).intP));
               (if (K_38 : (non_null_Object(except) &&
                             (K_37 : ((K_36 : except.value) != v)))) then 
               {  
                  {  
                     (var int32 j_1 = (K_28 : ((i_1 + 1) :> int32)));
                     
                     loop 
                     behavior default:
                       invariant (K_29 : (\forall integer l_0;
                                           (((i_1 < l_0) && (l_0 < j_1)) ==>
                                             (! is_duplet{Here}(a_3, i_1, l_0)))));
                     
                     variant (K_30 : ((\offset_max(a_3) + 1) - j_1));
                     for ( ; (K_35 : (j_1 <
                                       (K_34 : java_array_length_intM(a_3)))) ; 
                     (K_33 : (j_1 ++)))
                     {  (if (K_32 : ((K_31 : (a_3 + j_1).intP) == v)) then 
                        (return 
                        {  
                           (var Pair[0] this = (new Pair[1]));
                           
                           {  
                              (var unit _tt = cons_Pair_int_int(this, i_1,
                                                                j_1));
                              this
                           }
                        }) else ())
                     }
                  }
               } else ())
            }
         }
      }
   };
   (K_45 : 
   (assert (K_44 : false)));
   
   (return null)
}

Quadruple[0..] Duplets_duplets(Duplets[0] this_6, intM[0..] a_4)
{  
   {  
      (var Pair[0..] p = (K_53 : Duplets_duplet(this_6, a_4, null)));
      
      {  
         (var Pair[0..] q = (K_52 : Duplets_duplet(this_6, a_4,
                                                   
                                                   {  
                                                      (var Integer[0] this = (new Integer[1]));
                                                      
                                                      {  
                                                         (var unit _tt = cons_Integer_int(
                                                         this,
                                                         (K_51 : (a_4 +
                                                                   (K_50 : p.x)).intP)));
                                                         this
                                                      }
                                                   })));
         
         (return 
         {  
            (var Quadruple[0] this = (new Quadruple[1]));
            
            {  
               (var unit _tt = cons_Quadruple_int_int_int_int(this,
                                                              (K_46 : p.x),
                                                              (K_47 : p.y),
                                                              (K_48 : q.x),
                                                              (K_49 : q.y)));
               this
            }
         })
      }
   }
}

unit cons_Duplets(! Duplets[0] this_9){()}

unit Object_finalize(Object[0] this_11)
;

unit Object_notifyAll(Object[0] this_12)
;

boolean Object_equals(Object[0] this_13, Object[0..] obj)
;

String[0..] Object_toString(Object[0] this_14)
;

unit Object_wait(Object[0] this_15)
;

int32 Object_hashCode(Object[0] this_16)
;

unit Object_notify(Object[0] this_17)
;

unit Object_wait_long_int(Object[0] this_18, long timeout_0, int32 nanos)
;

unit Object_wait_long(Object[0] this_19, long timeout)
;

unit cons_Object(! Object[0] this_20){()}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/Duplets.jloc tests/java/Duplets.jc && make -f tests/java/Duplets.makefile gui"
End:
*/
========== file tests/java/Duplets.jloc ==========
[cons_Pair_int_int]
name = "Constructor of class Pair"
file = "HOME/tests/java/Duplets.java"
line = 60
begin = 4
end = 8

[K_30]
file = "HOME/tests/java/Duplets.java"
line = 110
begin = 33
end = 45

[K_23]
file = "HOME/tests/java/Duplets.java"
line = 92
begin = 17
end = 30

[K_33]
file = "HOME/tests/java/Duplets.java"
line = 112
begin = 46
end = 49

[K_49]
file = "HOME/tests/java/Duplets.java"
line = 134
begin = 41
end = 44

[K_17]
file = "HOME/tests/java/Duplets.java"
line = 49
begin = 16
end = 31

[Object_wait_long]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[cons_Duplets]
name = "Constructor of class Duplets"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_11]
file = "HOME/tests/java/Duplets.java"
line = 67
begin = 16
end = 73

[K_38]
file = "HOME/tests/java/Duplets.java"
line = 107
begin = 16
end = 51

[K_25]
file = "HOME/tests/java/Duplets.java"
line = 105
begin = 18
end = 19

[K_13]
file = "HOME/tests/java/Duplets.java"
line = 71
begin = 8
end = 13

[Object_finalize]
name = "Method finalize"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[K_9]
file = "HOME/tests/java/Duplets.java"
line = 67
begin = 16
end = 27

[Object_wait]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[K_44]
file = "HOME/tests/java/Duplets.java"
line = 120
begin = 19
end = 24

[Object_notify]
name = "Method notify"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[K_28]
file = "HOME/tests/java/Duplets.java"
line = 112
begin = 27
end = 30

[Object_clone]
name = "Method clone"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[cons_Object]
name = "Constructor of class Object"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_52]
file = "HOME/tests/java/Duplets.java"
line = 133
begin = 17
end = 46

[K_1]
file = "HOME/tests/java/Duplets.java"
line = 58
begin = 31
end = 42

[K_15]
file = "HOME/tests/java/Duplets.java"
line = 71
begin = 22
end = 27

[K_4]
file = "HOME/tests/java/Duplets.java"
line = 61
begin = 8
end = 13

[K_12]
file = "HOME/tests/java/Duplets.java"
line = 67
begin = 16
end = 88

[Object_wait_long_int]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[K_34]
file = "HOME/tests/java/Duplets.java"
line = 112
begin = 36
end = 44

[Object_registerNatives]
name = "Method registerNatives"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[K_20]
file = "HOME/tests/java/Duplets.java"
line = 96
begin = 10
end = 42

[K_53]
file = "HOME/tests/java/Duplets.java"
line = 132
begin = 17
end = 31

[K_2]
file = "HOME/tests/java/Duplets.java"
line = 58
begin = 16
end = 27

[Duplets_duplets]
name = "Method duplets"
file = "HOME/tests/java/Duplets.java"
line = 131
begin = 14
end = 21

[K_41]
file = "HOME/tests/java/Duplets.java"
line = 105
begin = 26
end = 34

[K_50]
file = "HOME/tests/java/Duplets.java"
line = 133
begin = 40
end = 43

[K_47]
file = "HOME/tests/java/Duplets.java"
line = 134
begin = 33
end = 36

[K_29]
file = "HOME/tests/java/Duplets.java"
line = 109
begin = 22
end = 73

[K_10]
file = "HOME/tests/java/Duplets.java"
line = 67
begin = 16
end = 42

[K_35]
file = "HOME/tests/java/Duplets.java"
line = 112
begin = 32
end = 44

[K_6]
file = "HOME/tests/java/Duplets.java"
line = 68
begin = 31
end = 42

[K_8]
file = "HOME/tests/java/Duplets.java"
line = 67
begin = 31
end = 42

[K_48]
file = "HOME/tests/java/Duplets.java"
line = 134
begin = 37
end = 40

[cons_Quadruple_int_int_int_int]
name = "Constructor of class Quadruple"
file = "HOME/tests/java/Duplets.java"
line = 70
begin = 4
end = 8

[K_3]
file = "HOME/tests/java/Duplets.java"
line = 58
begin = 16
end = 42

[K_31]
file = "HOME/tests/java/Duplets.java"
line = 113
begin = 24
end = 28

[cons_Integer_int]
name = "Constructor of class Integer"
file = "HOME/tests/java/Duplets.java"
line = 51
begin = 4
end = 11

[K_32]
file = "HOME/tests/java/Duplets.java"
line = 113
begin = 24
end = 33

[K_27]
file = "HOME/tests/java/Duplets.java"
line = 103
begin = 25
end = 37

[K_46]
file = "HOME/tests/java/Duplets.java"
line = 134
begin = 29
end = 32

[K_21]
file = "HOME/tests/java/Duplets.java"
line = 96
begin = 10
end = 85

[K_42]
file = "HOME/tests/java/Duplets.java"
line = 105
begin = 26
end = 38

[K_24]
file = "HOME/tests/java/Duplets.java"
line = 92
begin = 17
end = 118

[Duplets_duplet]
name = "Method duplet"
file = "HOME/tests/java/Duplets.java"
line = 99
begin = 9
end = 15

[K_14]
file = "HOME/tests/java/Duplets.java"
line = 71
begin = 15
end = 20

[K_39]
file = "HOME/tests/java/Duplets.java"
line = 106
begin = 20
end = 24

[K_36]
file = "HOME/tests/java/Duplets.java"
line = 107
begin = 34
end = 46

[Object_notifyAll]
name = "Method notifyAll"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[K_37]
file = "HOME/tests/java/Duplets.java"
line = 107
begin = 34
end = 51

[K_19]
file = "HOME/tests/java/Duplets.java"
line = 97
begin = 10
end = 39

[K_5]
file = "HOME/tests/java/Duplets.java"
line = 61
begin = 15
end = 20

[K_51]
file = "HOME/tests/java/Duplets.java"
line = 133
begin = 38
end = 44

[K_18]
file = "HOME/tests/java/Duplets.java"
line = 52
begin = 8
end = 17

[Object_equals]
name = "Method equals"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[K_7]
file = "HOME/tests/java/Duplets.java"
line = 68
begin = 16
end = 27

[K_40]
file = "HOME/tests/java/Duplets.java"
line = 105
begin = 40
end = 43

[Object_hashCode]
name = "Method hashCode"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[K_26]
file = "HOME/tests/java/Duplets.java"
line = 101
begin = 13
end = 128

[Object_toString]
name = "Method toString"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[K_22]
file = "HOME/tests/java/Duplets.java"
line = 93
begin = 10
end = 84

[K_45]
file = "HOME/tests/java/Duplets.java"
line = 120
begin = 19
end = 24

[K_16]
file = "HOME/tests/java/Duplets.java"
line = 71
begin = 29
end = 34

[K_43]
file = "HOME/tests/java/Duplets.java"
line = 105
begin = 21
end = 38

========== jessie execution ==========
Generating Why function cons_Pair_int_int
Generating Why function cons_Quadruple_int_int_int_int
Generating Why function cons_Integer_int
Generating Why function Duplets_duplet
(nulltype)
why-2.39/tests/java/oracle/Fact.err.oracle0000644000106100004300000000025613147234006017417 0ustar  marchevalsWarning: recursive definition of isfact in generated file
Warning: recursive definition of isfact in generated file
Warning: recursive definition of isfact in generated file
why-2.39/tests/java/oracle/Sort2.res.oracle0000644000106100004300000023202513147234006017555 0ustar  marchevals========== file tests/java/Sort2.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/



//@+ TerminationPolicy = user

//@+ CheckArithOverflow = no

/*@ predicate Sorted{L}(int a[], integer l, integer h) =
  @   \forall integer i; l <= i < h ==> a[i] <= a[i+1] ;
  @*/

/*@ predicate Swap{L1,L2}(int a[], integer i, integer j) =
  @   \at(a[i],L1) == \at(a[j],L2) &&
  @   \at(a[j],L1) == \at(a[i],L2) &&
  @   \forall integer k; k != i && k != j ==> \at(a[k],L1) == \at(a[k],L2);
  @*/

/*@ axiomatic Permut {
  @  predicate Permut{L1,L2}(int a[], integer l, integer h);
  @  axiom Permut_refl{L}: 
  @   \forall int a[], integer l h; Permut{L,L}(a, l, h) ;
  @  axiom Permut_sym{L1,L2}: 
  @    \forall int a[], integer l h; 
  @      Permut{L1,L2}(a, l, h) ==> Permut{L2,L1}(a, l, h) ;
  @  axiom Permut_trans{L1,L2,L3}: 
  @    \forall int a[], integer l h; 
  @      Permut{L1,L2}(a, l, h) && Permut{L2,L3}(a, l, h) ==> 
  @        Permut{L1,L3}(a, l, h) ;
  @  axiom Permut_swap{L1,L2}: 
  @    \forall int a[], integer l h i j; 
  @       l <= i <= h && l <= j <= h && Swap{L1,L2}(a, i, j) ==> 
  @     Permut{L1,L2}(a, l, h) ;
  @ }
  @*/

class Sort {

    /*@ requires t != null && 
      @    0 <= i < t.length && 0 <= j < t.length;
      @ assigns t[i],t[j];
      @ ensures Swap{Old,Here}(t,i,j);
      @*/
    void swap(int t[], int i, int j) {
	int tmp = t[i];
	t[i] = t[j];
	t[j] = tmp;
    }
    
    /*@ requires t != null;
      @ ensures Sorted(t,0,t.length-1) && Permut{Old,Here}(t,0,t.length-1);
      @*/
    void min_sort(int t[]) {
	int i,j;
	int mi,mv;
	/*@ loop_invariant 0 <= i && Sorted(t,0,i) && 
	  @   (\forall integer k1 k2 ; 
	  @      0 <= k1 < i <= k2 < t.length ==> t[k1] <= t[k2]) &&
	  @     Permut{Pre,Here}(t,0,t.length-1);
	  @*/
	for (i=0; i t[k] >= mv) &&
	      @ Permut{Pre,Here}(t,0,t.length-1);
	      @*/
	    for (j=i+1; j < t.length; j++) {
		if (t[j] < mv) { 
		    mi = j ; mv = t[j]; 
		}
	    }
	    swap(t,i,mi);
	}
    }

}
========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function Sort_swap for method Sort.swap
Generating JC function Sort_min_sort for method Sort.min_sort
Generating JC function Object_clone for method Object.clone
Generating JC function Object_notifyAll for method Object.notifyAll
Generating JC function Object_hashCode for method Object.hashCode
Generating JC function Object_equals for method Object.equals
Generating JC function Object_wait for method Object.wait
Generating JC function Object_notify for method Object.notify
Generating JC function Object_wait_long for method Object.wait
Generating JC function cons_Sort for constructor Sort
Generating JC function Object_toString for method Object.toString
Generating JC function Object_wait_long_int for method Object.wait
Generating JC function cons_Object for constructor Object
Generating JC function Object_finalize for method Object.finalize
Generating JC function Object_registerNatives for method Object.registerNatives
Done.
========== file tests/java/Sort2.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = user
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

predicate Non_null_intM{Here}(intM[0..] x) =
(\offset_max(x) >= -1)

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag Sort = Object with {
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

tag intM = Object with {
  integer intP;
}

boolean non_null_intM(! intM[0..] x)
behavior default:
  assigns \nothing;
  ensures (if \result then (\offset_max(x) >= -1) else (x == null));
;

integer java_array_length_intM(! intM[0..-1] x)
behavior default:
  assigns \nothing;
  ensures ((\result <= 2147483647) &&
            ((\result >= 0) && (\result == (\offset_max(x) + 1))));
;

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

predicate Sorted{L}(intM[0..] a, integer l, integer h) =
(\forall integer i;
  (((l <= i) && (i < h)) ==> ((a + i).intP <= (a + (i + 1)).intP)))

predicate Swap{L1, L2}(intM[0..] a_0, integer i_0, integer j) =
(((\at((a_0 + i_0).intP,L1) == \at((a_0 + j).intP,L2)) &&
   (\at((a_0 + j).intP,L1) == \at((a_0 + i_0).intP,L2))) &&
  (\forall integer k;
    (((k != i_0) && (k != j)) ==>
      (\at((a_0 + k).intP,L1) == \at((a_0 + k).intP,L2)))))

axiomatic Permut {

  predicate Permut{L1, L2}(intM[0..] a_1, integer l_0, integer h_0)
   
  axiom Permut_swap{L1, L2} :
  (\forall intM[0..] a_5;
    (\forall integer l_4;
      (\forall integer h_4;
        (\forall integer i_1;
          (\forall integer j_0;
            (((((l_4 <= i_1) && (i_1 <= h_4)) &&
                ((l_4 <= j_0) && (j_0 <= h_4))) &&
               Swap{L1,
               L2}(a_5, i_1, j_0)) ==>
              Permut{L1,
              L2}(a_5, l_4, h_4)))))))
   
  axiom Permut_trans{L1, L2, L3} :
  (\forall intM[0..] a_4;
    (\forall integer l_3;
      (\forall integer h_3;
        ((Permut{L1, L2}(a_4, l_3, h_3) && Permut{L2, L3}(a_4, l_3, h_3)) ==>
          Permut{L1,
          L3}(a_4, l_3, h_3)))))
   
  axiom Permut_sym{L1, L2} :
  (\forall intM[0..] a_3;
    (\forall integer l_2;
      (\forall integer h_2;
        (Permut{L1, L2}(a_3, l_2, h_2) ==> Permut{L2, L1}(a_3, l_2, h_2)))))
   
  axiom Permut_refl{L} :
  (\forall intM[0..] a_2;
    (\forall integer l_1;
      (\forall integer h_1;
        Permut{L, L}(a_2, l_1, h_1))))
  
}

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

unit Sort_swap(Sort[0] this_2, intM[0..] t, integer i_2, integer j_1)
  requires (K_10 : ((K_9 : ((K_8 : Non_null_intM(t)) &&
                             (K_7 : ((K_6 : (0 <= i_2)) &&
                                      (K_5 : (i_2 < (\offset_max(t) + 1))))))) &&
                     (K_4 : ((K_3 : (0 <= j_1)) &&
                              (K_2 : (j_1 < (\offset_max(t) + 1)))))));
behavior default:
  assigns (t + [i_2..i_2]).intP,
  (t + [j_1..j_1]).intP;
  ensures (K_1 : Swap{Old, Here}(t, i_2, j_1));
{  
   {  
      (var integer tmp = (K_14 : (t + i_2).intP));
      
      {  (K_12 : ((t + i_2).intP = (K_11 : (t + j_1).intP)));
         (K_13 : ((t + j_1).intP = tmp))
      }
   }
}

unit Sort_min_sort(Sort[0] this_0, intM[0..] t_0)
  requires (K_18 : Non_null_intM(t_0));
behavior default:
  ensures (K_17 : ((K_16 : Sorted{Here}(t_0, 0, ((\offset_max(t_0) + 1) - 1))) &&
                    (K_15 : Permut{Old,
                    Here}(t_0, 0, ((\offset_max(t_0) + 1) - 1)))));
{  
   {  
      (var integer i_3);
      
      {  
         (var integer j_2);
         
         {  
            (var integer mi);
            
            {  
               (var integer mv);
               
               loop 
               behavior default:
                 invariant (K_25 : ((K_24 : ((K_23 : ((K_22 : (0 <= i_3)) &&
                                                       (K_21 : Sorted{Here}(
                                                       t_0, 0, i_3)))) &&
                                              (K_20 : (\forall integer k1;
                                                        (\forall integer k2;
                                                          (((((0 <= k1) &&
                                                               (k1 < i_3)) &&
                                                              (i_3 <= k2)) &&
                                                             (k2 <
                                                               (\offset_max(t_0) +
                                                                 1))) ==>
                                                            ((t_0 + k1).intP <=
                                                              (t_0 + k2).intP))))))) &&
                                     (K_19 : Permut{Pre,
                                     Here}(t_0, 0,
                                           ((\offset_max(t_0) + 1) - 1)))));
               
               for ((i_3 = 0) ; (K_49 : (i_3 <
                                          (K_48 : ((K_47 : java_array_length_intM(
                                                   t_0)) -
                                                    1)))) ; (K_46 : (i_3 ++)))
               {  
                  {  (mv = (K_26 : (t_0 + i_3).intP));
                     (mi = i_3);
                     
                     loop 
                     behavior default:
                       invariant (K_37 : ((K_36 : ((K_35 : ((K_34 : ((K_33 : 
                                                                    (i_3 <
                                                                    j_2)) &&
                                                                    (K_32 : 
                                                                    ((K_31 : 
                                                                    (i_3 <=
                                                                    mi)) &&
                                                                    (K_30 : 
                                                                    (mi <
                                                                    (\offset_max(t_0) +
                                                                    1))))))) &&
                                                             (K_29 : 
                                                             (mv ==
                                                               (t_0 + mi).intP)))) &&
                                                    (K_28 : (\forall integer k_0;
                                                              (((i_3 <= k_0) &&
                                                                 (k_0 < j_2)) ==>
                                                                ((t_0 + k_0).intP >=
                                                                  mv)))))) &&
                                           (K_27 : Permut{Pre,
                                           Here}(t_0, 0,
                                                 ((\offset_max(t_0) + 1) - 1)))));
                     
                     for ((j_2 = (K_44 : (i_3 + 1))) ; (K_43 : (j_2 <
                                                                 (K_42 : java_array_length_intM(
                                                                 t_0)))) ; 
                     (K_41 : (j_2 ++)))
                     {  (if (K_40 : ((K_39 : (t_0 + j_2).intP) < mv)) then 
                        {  (mi = j_2);
                           (mv = (K_38 : (t_0 + j_2).intP))
                        } else ())
                     };
                     (K_45 : Sort_swap(this_0, t_0, i_3, mi))
                  }
               }
            }
         }
      }
   }
}

Object[0..] Object_clone(Object[0] this_4)
;

unit Object_notifyAll(Object[0] this_5)
;

integer Object_hashCode(Object[0] this_6)
;

boolean Object_equals(Object[0] this_7, Object[0..] obj)
;

unit Object_wait(Object[0] this_8)
;

unit Object_notify(Object[0] this_9)
;

unit Object_wait_long(Object[0] this_10, integer timeout)
;

unit cons_Sort(! Sort[0] this_3){()}

String[0..] Object_toString(Object[0] this_11)
;

unit Object_wait_long_int(Object[0] this_12, integer timeout_0, integer nanos)
;

unit cons_Object(! Object[0] this_14){()}

unit Object_finalize(Object[0] this_13)
;

unit Object_registerNatives()
;

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/Sort2.jloc tests/java/Sort2.jc && make -f tests/java/Sort2.makefile gui"
End:
*/
========== file tests/java/Sort2.jloc ==========
[Permut_swap]
name = "Lemma Permut_swap"
file = "HOME/"
line = 0
begin = 0
end = 0

[K_30]
file = "HOME/tests/java/Sort2.java"
line = 93
begin = 38
end = 51

[K_23]
file = "HOME/tests/java/Sort2.java"
line = 85
begin = 20
end = 43

[Permut_refl]
name = "Lemma Permut_refl"
file = "HOME/"
line = 0
begin = 0
end = 0

[K_33]
file = "HOME/tests/java/Sort2.java"
line = 93
begin = 24
end = 29

[K_49]
file = "HOME/tests/java/Sort2.java"
line = 90
begin = 11
end = 23

[K_17]
file = "HOME/tests/java/Sort2.java"
line = 80
begin = 16
end = 74

[Object_wait_long]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[K_11]
file = "HOME/tests/java/Sort2.java"
line = 75
begin = 8
end = 12

[K_38]
file = "HOME/tests/java/Sort2.java"
line = 100
begin = 20
end = 24

[K_25]
file = "HOME/tests/java/Sort2.java"
line = 85
begin = 20
end = 184

[K_13]
file = "HOME/tests/java/Sort2.java"
line = 76
begin = 1
end = 11

[Object_finalize]
name = "Method finalize"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[K_9]
file = "HOME/tests/java/Sort2.java"
line = 68
begin = 17
end = 59

[Object_wait]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[K_44]
file = "HOME/tests/java/Sort2.java"
line = 98
begin = 12
end = 15

[Object_notify]
name = "Method notify"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[Object_clone]
name = "Method clone"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[K_28]
file = "HOME/tests/java/Sort2.java"
line = 95
begin = 12
end = 56

[cons_Object]
name = "Constructor of class Object"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_1]
file = "HOME/tests/java/Sort2.java"
line = 71
begin = 16
end = 37

[K_15]
file = "HOME/tests/java/Sort2.java"
line = 80
begin = 42
end = 74

[K_4]
file = "HOME/tests/java/Sort2.java"
line = 69
begin = 32
end = 49

[K_12]
file = "HOME/tests/java/Sort2.java"
line = 75
begin = 1
end = 12

[Object_wait_long_int]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[K_34]
file = "HOME/tests/java/Sort2.java"
line = 93
begin = 24
end = 51

[Object_registerNatives]
name = "Method registerNatives"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[K_20]
file = "HOME/tests/java/Sort2.java"
line = 86
begin = 8
end = 90

[K_2]
file = "HOME/tests/java/Sort2.java"
line = 69
begin = 37
end = 49

[K_41]
file = "HOME/tests/java/Sort2.java"
line = 98
begin = 31
end = 34

[K_47]
file = "HOME/tests/java/Sort2.java"
line = 90
begin = 13
end = 21

[K_29]
file = "HOME/tests/java/Sort2.java"
line = 94
begin = 9
end = 20

[K_10]
file = "HOME/tests/java/Sort2.java"
line = 68
begin = 17
end = 80

[K_35]
file = "HOME/tests/java/Sort2.java"
line = 93
begin = 24
end = 75

[K_6]
file = "HOME/tests/java/Sort2.java"
line = 69
begin = 11
end = 17

[K_8]
file = "HOME/tests/java/Sort2.java"
line = 68
begin = 17
end = 26

[K_48]
file = "HOME/tests/java/Sort2.java"
line = 90
begin = 13
end = 23

[Permut_trans]
name = "Lemma Permut_trans"
file = "HOME/"
line = 0
begin = 0
end = 0

[K_3]
file = "HOME/tests/java/Sort2.java"
line = 69
begin = 32
end = 38

[K_31]
file = "HOME/tests/java/Sort2.java"
line = 93
begin = 33
end = 40

[K_32]
file = "HOME/tests/java/Sort2.java"
line = 93
begin = 33
end = 51

[K_27]
file = "HOME/tests/java/Sort2.java"
line = 96
begin = 9
end = 41

[cons_Sort]
name = "Constructor of class Sort"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_46]
file = "HOME/tests/java/Sort2.java"
line = 90
begin = 25
end = 28

[K_21]
file = "HOME/tests/java/Sort2.java"
line = 85
begin = 30
end = 43

[K_42]
file = "HOME/tests/java/Sort2.java"
line = 98
begin = 21
end = 29

[K_24]
file = "HOME/tests/java/Sort2.java"
line = 85
begin = 20
end = 139

[K_14]
file = "HOME/tests/java/Sort2.java"
line = 74
begin = 11
end = 15

[K_39]
file = "HOME/tests/java/Sort2.java"
line = 99
begin = 6
end = 10

[K_36]
file = "HOME/tests/java/Sort2.java"
line = 93
begin = 24
end = 136

[Permut_sym]
name = "Lemma Permut_sym"
file = "HOME/"
line = 0
begin = 0
end = 0

[Object_notifyAll]
name = "Method notifyAll"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[K_37]
file = "HOME/tests/java/Sort2.java"
line = 93
begin = 24
end = 181

[K_19]
file = "HOME/tests/java/Sort2.java"
line = 88
begin = 9
end = 41

[K_5]
file = "HOME/tests/java/Sort2.java"
line = 69
begin = 16
end = 28

[Sort_min_sort]
name = "Method min_sort"
file = "HOME/tests/java/Sort2.java"
line = 82
begin = 9
end = 17

[K_18]
file = "HOME/tests/java/Sort2.java"
line = 79
begin = 17
end = 26

[Object_equals]
name = "Method equals"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[Sort_swap]
name = "Method swap"
file = "HOME/tests/java/Sort2.java"
line = 73
begin = 9
end = 13

[K_7]
file = "HOME/tests/java/Sort2.java"
line = 69
begin = 11
end = 28

[K_40]
file = "HOME/tests/java/Sort2.java"
line = 99
begin = 6
end = 15

[Object_hashCode]
name = "Method hashCode"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[K_26]
file = "HOME/tests/java/Sort2.java"
line = 92
begin = 10
end = 14

[Object_toString]
name = "Method toString"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[K_22]
file = "HOME/tests/java/Sort2.java"
line = 85
begin = 20
end = 26

[K_45]
file = "HOME/tests/java/Sort2.java"
line = 103
begin = 5
end = 17

[K_16]
file = "HOME/tests/java/Sort2.java"
line = 80
begin = 16
end = 38

[K_43]
file = "HOME/tests/java/Sort2.java"
line = 98
begin = 17
end = 29

========== jessie execution ==========
Generating Why function Sort_swap
Generating Why function Sort_min_sort
Generating Why function cons_Sort
Generating Why function cons_Object
========== file tests/java/Sort2.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/Sort2_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: Sort2.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: Sort2.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: Sort2.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/java/Sort2.loc ==========
[JC_198]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[JC_176]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_177]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_94]
file = "HOME/tests/java/Sort2.java"
line = 93
begin = 24
end = 181

[JC_73]
file = "HOME/tests/java/Sort2.java"
line = 80
begin = 42
end = 74

[Permut_swap]
name = "Lemma Permut_swap"
behavior = "axiom"
file = "HOME/"
line = 0
begin = 0
end = 0

[JC_221]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_158]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[JC_63]
kind = PointerDeref
file = "HOME/tests/java/Sort2.jc"
line = 128
begin = 18
end = 58

[JC_196]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[JC_80]
file = "HOME/tests/java/Sort2.java"
line = 88
begin = 9
end = 41

[JC_51]
file = "HOME/tests/java/Sort2.java"
line = 68
begin = 17
end = 80

[Permut_refl]
name = "Lemma Permut_refl"
behavior = "axiom"
file = "HOME/"
line = 0
begin = 0
end = 0

[JC_71]
file = "HOME/tests/java/Sort2.java"
line = 80
begin = 16
end = 74

[JC_197]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_147]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_207]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_151]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_45]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_123]
kind = UserCall
file = "HOME/tests/java/Sort2.jc"
line = 214
begin = 29
end = 60

[JC_106]
file = "HOME/tests/java/Sort2.java"
line = 88
begin = 9
end = 41

[JC_143]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_113]
file = "HOME/tests/java/Sort2.java"
line = 93
begin = 33
end = 40

[JC_203]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_116]
file = "HOME/tests/java/Sort2.java"
line = 95
begin = 12
end = 56

[JC_64]
kind = PointerDeref
file = "HOME/tests/java/Sort2.jc"
line = 129
begin = 18
end = 38

[JC_133]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_227]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_188]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[cons_Object_ensures_default]
name = "Constructor of class Object"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_180]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_99]
kind = IndexBounds
file = "HOME/tests/java/Sort2.java"
line = 98
begin = 21
end = 29

[JC_200]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_85]
kind = UserCall
file = "HOME/tests/java/Sort2.java"
line = 90
begin = 13
end = 21

[JC_126]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[JC_201]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_170]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_31]
file = "HOME/tests/java/Sort2.jc"
line = 55
begin = 8
end = 23

[JC_17]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_194]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_122]
kind = UserCall
file = "HOME/tests/java/Sort2.java"
line = 98
begin = 21
end = 29

[Sort_min_sort_safety]
name = "Method min_sort"
behavior = "Safety"
file = "HOME/tests/java/Sort2.java"
line = 82
begin = 9
end = 17

[JC_205]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_81]
file = "HOME/tests/java/Sort2.java"
line = 85
begin = 20
end = 184

[JC_55]
file = "HOME/tests/java/Sort2.jc"
line = 120
begin = 9
end = 16

[JC_138]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_134]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[JC_148]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[JC_137]
file = "HOME/"
line = 0
begin = -1
end = -1

[Sort_min_sort_ensures_default]
name = "Method min_sort"
behavior = "default behavior"
file = "HOME/tests/java/Sort2.java"
line = 82
begin = 9
end = 17

[JC_48]
file = "HOME/tests/java/Sort2.java"
line = 69
begin = 16
end = 28

[JC_23]
file = "HOME/tests/java/Sort2.jc"
line = 51
begin = 11
end = 103

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_172]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[JC_121]
file = "HOME/tests/java/Sort2.jc"
line = 180
begin = 21
end = 2293

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_125]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_67]
file = "HOME/tests/java/Sort2.java"
line = 79
begin = 17
end = 26

[JC_9]
file = "HOME/tests/java/Sort2.jc"
line = 42
begin = 8
end = 21

[JC_75]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_24]
file = "HOME/tests/java/Sort2.jc"
line = 50
begin = 10
end = 18

[JC_193]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_25]
file = "HOME/tests/java/Sort2.jc"
line = 51
begin = 11
end = 103

[JC_189]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_186]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_78]
file = "HOME/tests/java/Sort2.java"
line = 85
begin = 30
end = 43

[JC_212]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[JC_175]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_41]
file = "HOME/tests/java/Sort2.java"
line = 69
begin = 16
end = 28

[JC_224]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_74]
file = "HOME/tests/java/Sort2.java"
line = 80
begin = 16
end = 74

[JC_195]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_47]
file = "HOME/tests/java/Sort2.java"
line = 69
begin = 11
end = 17

[JC_52]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_26]
file = "HOME/tests/java/Sort2.jc"
line = 50
begin = 10
end = 18

[Sort_swap_safety]
name = "Method swap"
behavior = "Safety"
file = "HOME/tests/java/Sort2.java"
line = 73
begin = 9
end = 13

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Sort_ensures_default]
name = "Constructor of class Sort"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_154]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
file = "HOME/tests/java/Sort2.java"
line = 73
begin = 9
end = 13

[JC_208]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_79]
file = "HOME/tests/java/Sort2.java"
line = 86
begin = 8
end = 90

[JC_13]
file = "HOME/tests/java/Sort2.jc"
line = 45
begin = 11
end = 66

[JC_130]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_82]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_174]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[JC_163]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_153]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_222]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[JC_87]
kind = PointerDeref
file = "HOME/tests/java/Sort2.java"
line = 92
begin = 10
end = 14

[JC_11]
file = "HOME/tests/java/Sort2.jc"
line = 42
begin = 8
end = 21

[JC_185]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_184]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_167]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_98]
kind = UserCall
file = "HOME/tests/java/Sort2.java"
line = 98
begin = 21
end = 29

[JC_70]
file = "HOME/tests/java/Sort2.java"
line = 80
begin = 42
end = 74

[JC_15]
file = "HOME/tests/java/Sort2.jc"
line = 45
begin = 11
end = 66

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_182]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_168]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_104]
file = "HOME/tests/java/Sort2.java"
line = 85
begin = 30
end = 43

[JC_91]
file = "HOME/tests/java/Sort2.java"
line = 94
begin = 9
end = 20

[JC_39]
file = "HOME/tests/java/Sort2.java"
line = 68
begin = 17
end = 26

[JC_112]
file = "HOME/tests/java/Sort2.java"
line = 93
begin = 24
end = 29

[JC_40]
file = "HOME/tests/java/Sort2.java"
line = 69
begin = 11
end = 17

[JC_162]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_135]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_169]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_83]
file = "HOME/tests/java/Sort2.jc"
line = 153
begin = 15
end = 4048

[JC_35]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_215]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_132]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[JC_27]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_115]
file = "HOME/tests/java/Sort2.java"
line = 94
begin = 9
end = 20

[JC_109]
file = "HOME/tests/java/Sort2.jc"
line = 153
begin = 15
end = 4048

[JC_107]
file = "HOME/tests/java/Sort2.java"
line = 85
begin = 20
end = 184

[JC_69]
file = "HOME/tests/java/Sort2.java"
line = 80
begin = 16
end = 38

[JC_219]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_179]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_124]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[Sort_swap_ensures_default]
name = "Method swap"
behavior = "default behavior"
file = "HOME/tests/java/Sort2.java"
line = 73
begin = 9
end = 13

[JC_38]
file = "HOME/tests/java/Sort2.jc"
line = 57
begin = 11
end = 65

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_156]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[JC_127]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_171]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_164]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[JC_44]
file = "HOME/tests/java/Sort2.java"
line = 68
begin = 17
end = 80

[JC_155]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[Permut_trans]
name = "Lemma Permut_trans"
behavior = "axiom"
file = "HOME/"
line = 0
begin = 0
end = 0

[JC_206]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_218]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_191]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
kind = PointerDeref
file = "HOME/tests/java/Sort2.java"
line = 75
begin = 8
end = 12

[JC_101]
kind = PointerDeref
file = "HOME/tests/java/Sort2.java"
line = 100
begin = 20
end = 24

[JC_88]
file = "HOME/tests/java/Sort2.java"
line = 93
begin = 24
end = 29

[JC_223]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_129]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_42]
file = "HOME/tests/java/Sort2.java"
line = 69
begin = 32
end = 38

[JC_190]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[JC_178]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_110]
file = "HOME/tests/java/Sort2.jc"
line = 153
begin = 15
end = 4048

[JC_166]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[JC_103]
file = "HOME/tests/java/Sort2.java"
line = 85
begin = 20
end = 26

[JC_46]
file = "HOME/tests/java/Sort2.java"
line = 68
begin = 17
end = 26

[cons_Sort_safety]
name = "Constructor of class Sort"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_141]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_61]
kind = PointerDeref
file = "HOME/tests/java/Sort2.java"
line = 74
begin = 11
end = 15

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_199]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_56]
file = "HOME/tests/java/Sort2.java"
line = 71
begin = 16
end = 37

[JC_220]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_65]
file = "HOME/tests/java/Sort2.java"
line = 79
begin = 17
end = 26

[JC_118]
file = "HOME/tests/java/Sort2.java"
line = 93
begin = 24
end = 181

[JC_173]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_105]
file = "HOME/tests/java/Sort2.java"
line = 86
begin = 8
end = 90

[JC_140]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[JC_29]
file = "HOME/tests/java/Sort2.jc"
line = 55
begin = 8
end = 23

[JC_202]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_144]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Object_safety]
name = "Constructor of class Object"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_159]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_68]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/tests/java/Sort2.jc"
line = 44
begin = 10
end = 18

[JC_96]
file = "HOME/tests/java/Sort2.jc"
line = 180
begin = 21
end = 2293

[JC_43]
file = "HOME/tests/java/Sort2.java"
line = 69
begin = 37
end = 49

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_95]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_93]
file = "HOME/tests/java/Sort2.java"
line = 96
begin = 9
end = 41

[JC_97]
file = "HOME/tests/java/Sort2.jc"
line = 180
begin = 21
end = 2293

[Permut_sym]
name = "Lemma Permut_sym"
behavior = "axiom"
file = "HOME/"
line = 0
begin = 0
end = 0

[JC_84]
file = "HOME/tests/java/Sort2.jc"
line = 153
begin = 15
end = 4048

[JC_214]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[JC_160]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_128]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_114]
file = "HOME/tests/java/Sort2.java"
line = 93
begin = 38
end = 51

[JC_14]
file = "HOME/tests/java/Sort2.jc"
line = 44
begin = 10
end = 18

[JC_150]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[JC_117]
file = "HOME/tests/java/Sort2.java"
line = 96
begin = 9
end = 41

[JC_90]
file = "HOME/tests/java/Sort2.java"
line = 93
begin = 38
end = 51

[JC_53]
file = "HOME/tests/java/Sort2.java"
line = 71
begin = 16
end = 37

[JC_225]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_204]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_157]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_145]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_21]
file = "HOME/tests/java/Sort2.jc"
line = 48
begin = 8
end = 30

[JC_209]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_149]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_111]
kind = UserCall
file = "HOME/tests/java/Sort2.java"
line = 90
begin = 13
end = 21

[JC_77]
file = "HOME/tests/java/Sort2.java"
line = 85
begin = 20
end = 26

[JC_49]
file = "HOME/tests/java/Sort2.java"
line = 69
begin = 32
end = 38

[JC_1]
file = "HOME/tests/java/Sort2.jc"
line = 13
begin = 12
end = 22

[JC_216]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_131]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_102]
kind = UserCall
file = "HOME/tests/java/Sort2.jc"
line = 214
begin = 29
end = 60

[JC_37]
file = "HOME/tests/java/Sort2.jc"
line = 57
begin = 11
end = 65

[JC_181]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_142]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_108]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_57]
file = "HOME/tests/java/Sort2.java"
line = 73
begin = 9
end = 13

[JC_211]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_161]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_146]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_89]
file = "HOME/tests/java/Sort2.java"
line = 93
begin = 33
end = 40

[JC_136]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_66]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_59]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_165]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_213]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_192]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_217]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_3]
file = "HOME/tests/java/Sort2.jc"
line = 13
begin = 12
end = 22

[JC_92]
file = "HOME/tests/java/Sort2.java"
line = 95
begin = 12
end = 56

[JC_152]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_86]
kind = IndexBounds
file = "HOME/tests/java/Sort2.java"
line = 90
begin = 13
end = 21

[JC_60]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_183]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_139]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_72]
file = "HOME/tests/java/Sort2.java"
line = 80
begin = 16
end = 38

[JC_19]
file = "HOME/tests/java/Sort2.jc"
line = 48
begin = 8
end = 30

[JC_119]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_210]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_187]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_76]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_50]
file = "HOME/tests/java/Sort2.java"
line = 69
begin = 37
end = 49

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_120]
file = "HOME/tests/java/Sort2.jc"
line = 180
begin = 21
end = 2293

[JC_58]
file = "HOME/tests/java/Sort2.jc"
line = 120
begin = 9
end = 16

[JC_226]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_100]
kind = PointerDeref
file = "HOME/tests/java/Sort2.java"
line = 99
begin = 6
end = 10

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/java/why/Sort2.why ==========
type Object

type interface

logic Exception_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_1:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_1), (0))

predicate Non_null_intM(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), neg_int((1)))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic Permut: Object pointer, int, int, (Object, int) memory,
 (Object, int) memory -> prop

logic Sort_tag:  -> Object tag_id

axiom Sort_parenttag_Object : parenttag(Sort_tag, Object_tag)

predicate Sorted(a:Object pointer, l:int, h:int,
 intM_intP_at_L:(Object, int) memory) =
 (forall i:int.
  ((le_int(l, i) and lt_int(i, h)) ->
   le_int(select(intM_intP_at_L, shift(a, i)),
   select(intM_intP_at_L, shift(a, add_int(i, (1)))))))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

predicate Swap(a_0:Object pointer, i_0:int, j:int,
 intM_intP_at_L2:(Object, int) memory,
 intM_intP_at_L1:(Object, int) memory) =
 ((select(intM_intP_at_L1, shift(a_0, i_0)) = select(intM_intP_at_L2,
                                              shift(a_0, j)))
 and ((select(intM_intP_at_L1, shift(a_0, j)) = select(intM_intP_at_L2,
                                                shift(a_0, i_0)))
     and (forall k:int.
          (((k <> i_0) and (k <> j)) ->
           (select(intM_intP_at_L1, shift(a_0, k)) = select(intM_intP_at_L2,
                                                     shift(a_0, k)))))))

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic intM_tag:  -> Object tag_id

axiom intM_parenttag_Object : parenttag(intM_tag, Object_tag)

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Sort(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_intM(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Sort(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_intM(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Sort(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_intM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Sort(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_intM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

axiom Permut_swap :
 (forall intM_intP_at_L2:(Object, int) memory.
  (forall intM_intP_at_L1:(Object, int) memory.
   (forall a_5:Object pointer.
    (forall l_4:int.
     (forall h_4:int.
      (forall i_1:int.
       (forall j_0:int.
        ((le_int(l_4, i_1)
         and (le_int(i_1, h_4)
             and (le_int(l_4, j_0)
                 and (le_int(j_0, h_4)
                     and Swap(a_5, i_1, j_0, intM_intP_at_L2,
                         intM_intP_at_L1))))) ->
         Permut(a_5, l_4, h_4, intM_intP_at_L2, intM_intP_at_L1)))))))))

axiom Permut_trans :
 (forall intM_intP_at_L3:(Object, int) memory.
  (forall intM_intP_at_L2:(Object, int) memory.
   (forall intM_intP_at_L1:(Object, int) memory.
    (forall a_4:Object pointer.
     (forall l_3:int.
      (forall h_3:int.
       ((Permut(a_4, l_3, h_3, intM_intP_at_L2, intM_intP_at_L1)
        and Permut(a_4, l_3, h_3, intM_intP_at_L3, intM_intP_at_L2)) ->
        Permut(a_4, l_3, h_3, intM_intP_at_L3, intM_intP_at_L1))))))))

axiom Permut_sym :
 (forall intM_intP_at_L2:(Object, int) memory.
  (forall intM_intP_at_L1:(Object, int) memory.
   (forall a_3:Object pointer.
    (forall l_2:int.
     (forall h_2:int.
      (Permut(a_3, l_2, h_2, intM_intP_at_L2, intM_intP_at_L1) ->
       Permut(a_3, l_2, h_2, intM_intP_at_L1, intM_intP_at_L2)))))))

axiom Permut_refl :
 (forall intM_intP_at_L:(Object, int) memory.
  (forall a_2:Object pointer.
   (forall l_1:int.
    (forall h_1:int. Permut(a_2, l_1, h_1, intM_intP_at_L, intM_intP_at_L)))))

exception Exception_exc of Object pointer

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Object_alloc_table : Object alloc_table ref

parameter Object_clone :
 this_4:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_clone_requires :
 this_4:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_equals :
 this_7:Object pointer ->
  obj:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Object_equals_requires :
 this_7:Object pointer ->
  obj:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Object_finalize :
 this_13:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_finalize_requires :
 this_13:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_hashCode :
 this_6:Object pointer -> { } int reads Object_alloc_table { true }

parameter Object_hashCode_requires :
 this_6:Object pointer -> { } int reads Object_alloc_table { true }

parameter Object_notify :
 this_9:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notifyAll :
 this_5:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notifyAll_requires :
 this_5:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notify_requires :
 this_9:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_registerNatives : tt:unit -> { } unit { true }

parameter Object_registerNatives_requires : tt:unit -> { } unit { true }

parameter Object_tag_table : Object tag_table ref

parameter Object_toString :
 this_11:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_toString_requires :
 this_11:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_wait :
 this_8:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long :
 this_10:Object pointer ->
  timeout:int -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_int :
 this_12:Object pointer ->
  timeout_0:int -> nanos:int -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_int_requires :
 this_12:Object pointer ->
  timeout_0:int -> nanos:int -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_requires :
 this_10:Object pointer ->
  timeout:int -> { } unit reads Object_alloc_table { true }

parameter Object_wait_requires :
 this_8:Object pointer -> { } unit reads Object_alloc_table { true }

exception Return_label_exc of unit

parameter intM_intP : (Object, int) memory ref

parameter Sort_min_sort :
 this_0:Object pointer ->
  t_0:Object pointer ->
   { } unit reads Object_alloc_table,intM_intP writes intM_intP
   { (JC_74:
     ((JC_72:
      Sorted(t_0, (0),
      sub_int(add_int(offset_max(Object_alloc_table, t_0), (1)), (1)),
      intM_intP))
     and (JC_73:
         Permut(t_0, (0),
         sub_int(add_int(offset_max(Object_alloc_table, t_0), (1)), (1)),
         intM_intP, intM_intP@)))) }

parameter Sort_min_sort_requires :
 this_0:Object pointer ->
  t_0:Object pointer ->
   { (JC_65: Non_null_intM(t_0, Object_alloc_table))} unit
   reads Object_alloc_table,intM_intP writes intM_intP
   { (JC_74:
     ((JC_72:
      Sorted(t_0, (0),
      sub_int(add_int(offset_max(Object_alloc_table, t_0), (1)), (1)),
      intM_intP))
     and (JC_73:
         Permut(t_0, (0),
         sub_int(add_int(offset_max(Object_alloc_table, t_0), (1)), (1)),
         intM_intP, intM_intP@)))) }

parameter Sort_swap :
 this_2:Object pointer ->
  t:Object pointer ->
   i_2:int ->
    j_1:int ->
     { } unit reads Object_alloc_table,intM_intP writes intM_intP
     { (JC_58:
       ((JC_56: Swap(t, i_2, j_1, intM_intP, intM_intP@))
       and (JC_57:
           not_assigns(Object_alloc_table@, intM_intP@, intM_intP,
           pset_union(pset_range(pset_singleton(t), j_1, j_1),
           pset_range(pset_singleton(t), i_2, i_2)))))) }

parameter Sort_swap_requires :
 this_2:Object pointer ->
  t:Object pointer ->
   i_2:int ->
    j_1:int ->
     { (JC_44:
       ((JC_39: Non_null_intM(t, Object_alloc_table))
       and ((JC_40: le_int((0), i_2))
           and ((JC_41:
                lt_int(i_2, add_int(offset_max(Object_alloc_table, t), (1))))
               and ((JC_42: le_int((0), j_1))
                   and (JC_43:
                       lt_int(j_1,
                       add_int(offset_max(Object_alloc_table, t), (1)))))))))}
     unit reads Object_alloc_table,intM_intP writes intM_intP
     { (JC_58:
       ((JC_56: Swap(t, i_2, j_1, intM_intP, intM_intP@))
       and (JC_57:
           not_assigns(Object_alloc_table@, intM_intP@, intM_intP,
           pset_union(pset_range(pset_singleton(t), j_1, j_1),
           pset_range(pset_singleton(t), i_2, i_2)))))) }

exception Throwable_exc of Object pointer

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Sort :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Sort(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Sort_tag)))) }

parameter alloc_struct_Sort_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Sort(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Sort_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_intM :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_intM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, intM_tag)))) }

parameter alloc_struct_intM_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_intM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, intM_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter cons_Object :
 this_14:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Object_requires :
 this_14:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Sort :
 this_3:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Sort_requires :
 this_3:Object pointer -> { } unit reads Object_alloc_table { true }

parameter java_array_length_intM :
 x_3:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_25:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_3), (1)))))) }

parameter java_array_length_intM_requires :
 x_3:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_25:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_3), (1)))))) }

parameter non_null_Object :
 x_4:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_38:
    (if result then (offset_max(Object_alloc_table, x_4) = (0))
     else (x_4 = null))) }

parameter non_null_Object_requires :
 x_4:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_38:
    (if result then (offset_max(Object_alloc_table, x_4) = (0))
     else (x_4 = null))) }

parameter non_null_intM :
 x_2:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_15:
    (if result then ge_int(offset_max(Object_alloc_table, x_2), neg_int((1)))
     else (x_2 = null))) }

parameter non_null_intM_requires :
 x_2:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_15:
    (if result then ge_int(offset_max(Object_alloc_table, x_2), neg_int((1)))
     else (x_2 = null))) }

let Sort_min_sort_ensures_default =
 fun (this_0 : Object pointer) (t_0 : Object pointer) ->
  { (left_valid_struct_intM(t_0, (0), Object_alloc_table)
    and (valid_struct_Sort(this_0, (0), (0), Object_alloc_table)
        and (JC_67: Non_null_intM(t_0, Object_alloc_table)))) }
  (init:
  try
   begin
     (let i_3 = ref (any_int void) in
     (let j_2 = ref (any_int void) in
     (let mi = ref (any_int void) in
     (let mv = ref (any_int void) in
     begin
       (let _jessie_ = (i_3 := (0)) in void);
      try
       (loop_3:
       while true do
       { invariant
           (JC_107:
           ((JC_103: le_int((0), i_3))
           and ((JC_104: Sorted(t_0, (0), i_3, intM_intP))
               and ((JC_105:
                    (forall k1:int.
                     (forall k2:int.
                      ((le_int((0), k1)
                       and (lt_int(k1, i_3)
                           and (le_int(i_3, k2)
                               and lt_int(k2,
                                   add_int(offset_max(Object_alloc_table,
                                           t_0),
                                   (1)))))) ->
                       le_int(select(intM_intP, shift(t_0, k1)),
                       select(intM_intP, shift(t_0, k2)))))))
                   and (JC_106:
                       Permut(t_0, (0),
                       sub_int(add_int(offset_max(Object_alloc_table, t_0),
                               (1)),
                       (1)), intM_intP, intM_intP@init))))))  }
        begin
          [ { } unit { true } ];
         try
          begin
            (if (K_49:
                ((lt_int_ !i_3) (K_48:
                                ((sub_int (K_47:
                                          (let _jessie_ = t_0 in
                                          (JC_111:
                                          (java_array_length_intM _jessie_))))) (1)))))
            then
             begin
               (let _jessie_ =
               (mv := (K_26: ((safe_acc_ !intM_intP) ((shift t_0) !i_3)))) in
               void); (let _jessie_ = (mi := !i_3) in void);
              (let _jessie_ = (j_2 := (K_44: ((add_int !i_3) (1)))) in
              void);
              try
               (loop_4:
               while true do
               { invariant
                   (JC_118:
                   ((JC_112: lt_int(i_3, j_2))
                   and ((JC_113: le_int(i_3, mi))
                       and ((JC_114:
                            lt_int(mi,
                            add_int(offset_max(Object_alloc_table, t_0), (1))))
                           and ((JC_115:
                                (mv = select(intM_intP, shift(t_0, mi))))
                               and ((JC_116:
                                    (forall k_0:int.
                                     ((le_int(i_3, k_0) and lt_int(k_0, j_2)) ->
                                      ge_int(select(intM_intP,
                                             shift(t_0, k_0)),
                                      mv))))
                                   and (JC_117:
                                       Permut(t_0, (0),
                                       sub_int(add_int(offset_max(Object_alloc_table,
                                                       t_0),
                                               (1)),
                                       (1)), intM_intP, intM_intP@init))))))))
                  }
                begin
                  [ { } unit { true } ];
                 try
                  begin
                    (if (K_43:
                        ((lt_int_ !j_2) (K_42:
                                        (let _jessie_ = t_0 in
                                        (JC_122:
                                        (java_array_length_intM _jessie_))))))
                    then
                     (if (K_40:
                         ((lt_int_ (K_39:
                                   ((safe_acc_ !intM_intP) ((shift t_0) !j_2)))) !mv))
                     then
                      (let _jessie_ =
                      begin
                        (let _jessie_ = (mi := !j_2) in void);
                       (mv := (K_38:
                              ((safe_acc_ !intM_intP) ((shift t_0) !j_2))));
                       !mv end in void) else void)
                    else (raise (Loop_exit_exc void)));
                   (raise (Loop_continue_exc void)) end with
                  Loop_continue_exc _jessie_ ->
                  (let _jessie_ =
                  (K_41:
                  (let _jessie_ = !j_2 in
                  begin
                    (let _jessie_ = (j_2 := ((add_int _jessie_) (1))) in
                    void); _jessie_ end)) in void) end end done) with
               Loop_exit_exc _jessie_ -> void end;
              (K_45:
              (let _jessie_ = this_0 in
              (let _jessie_ = t_0 in
              (let _jessie_ = !i_3 in
              (let _jessie_ = !mi in
              (JC_123:
              ((((Sort_swap _jessie_) _jessie_) _jessie_) _jessie_)))))))
             end else (raise (Loop_exit_exc void)));
           (raise (Loop_continue_exc void)) end with
          Loop_continue_exc _jessie_ ->
          (let _jessie_ =
          (K_46:
          (let _jessie_ = !i_3 in
          begin
            (let _jessie_ = (i_3 := ((add_int _jessie_) (1))) in void);
           _jessie_ end)) in void) end end done) with
       Loop_exit_exc _jessie_ -> void end end)))); (raise Return) end with
   Return -> void end)
  { (JC_71:
    ((JC_69:
     Sorted(t_0, (0),
     sub_int(add_int(offset_max(Object_alloc_table, t_0), (1)), (1)),
     intM_intP))
    and (JC_70:
        Permut(t_0, (0),
        sub_int(add_int(offset_max(Object_alloc_table, t_0), (1)), (1)),
        intM_intP, intM_intP@)))) } 

let Sort_min_sort_safety =
 fun (this_0 : Object pointer) (t_0 : Object pointer) ->
  { (left_valid_struct_intM(t_0, (0), Object_alloc_table)
    and (valid_struct_Sort(this_0, (0), (0), Object_alloc_table)
        and (JC_67: Non_null_intM(t_0, Object_alloc_table)))) }
  (init:
  try
   begin
     (let i_3 = ref (any_int void) in
     (let j_2 = ref (any_int void) in
     (let mi = ref (any_int void) in
     (let mv = ref (any_int void) in
     begin
       (let _jessie_ = (i_3 := (0)) in void);
      try
       (loop_1:
       while true do
       { invariant (JC_83: true)  }
        begin
          [ { } unit reads Object_alloc_table,i_3,intM_intP
            { (JC_81:
              ((JC_77: le_int((0), i_3))
              and ((JC_78: Sorted(t_0, (0), i_3, intM_intP))
                  and ((JC_79:
                       (forall k1:int.
                        (forall k2:int.
                         ((le_int((0), k1)
                          and (lt_int(k1, i_3)
                              and (le_int(i_3, k2)
                                  and lt_int(k2,
                                      add_int(offset_max(Object_alloc_table,
                                              t_0),
                                      (1)))))) ->
                          le_int(select(intM_intP, shift(t_0, k1)),
                          select(intM_intP, shift(t_0, k2)))))))
                      and (JC_80:
                          Permut(t_0, (0),
                          sub_int(add_int(offset_max(Object_alloc_table, t_0),
                                  (1)),
                          (1)), intM_intP, intM_intP@init)))))) } ];
         try
          begin
            (if (K_49:
                ((lt_int_ !i_3) (K_48:
                                ((sub_int (K_47:
                                          (let _jessie_ = t_0 in
                                          (JC_86:
                                          (assert
                                          { ge_int(offset_max(Object_alloc_table,
                                                   _jessie_),
                                            (-1)) };
                                          (JC_85:
                                          (java_array_length_intM_requires _jessie_))))))) (1)))))
            then
             begin
               (let _jessie_ =
               (mv := (K_26:
                      (JC_87:
                      ((((offset_acc_ !Object_alloc_table) !intM_intP) t_0) !i_3)))) in
               void); (let _jessie_ = (mi := !i_3) in void);
              (let _jessie_ = (j_2 := (K_44: ((add_int !i_3) (1)))) in
              void);
              try
               (loop_2:
               while true do
               { invariant (JC_96: true)  }
                begin
                  [ { } unit reads Object_alloc_table,i_3,intM_intP,j_2,mi,mv
                    { (JC_94:
                      ((JC_88: lt_int(i_3, j_2))
                      and ((JC_89: le_int(i_3, mi))
                          and ((JC_90:
                               lt_int(mi,
                               add_int(offset_max(Object_alloc_table, t_0),
                               (1))))
                              and ((JC_91:
                                   (mv = select(intM_intP, shift(t_0, mi))))
                                  and ((JC_92:
                                       (forall k_0:int.
                                        ((le_int(i_3, k_0)
                                         and lt_int(k_0, j_2)) ->
                                         ge_int(select(intM_intP,
                                                shift(t_0, k_0)),
                                         mv))))
                                      and (JC_93:
                                          Permut(t_0, (0),
                                          sub_int(add_int(offset_max(Object_alloc_table,
                                                          t_0),
                                                  (1)),
                                          (1)), intM_intP, intM_intP@init)))))))) } ];
                 try
                  begin
                    (if (K_43:
                        ((lt_int_ !j_2) (K_42:
                                        (let _jessie_ = t_0 in
                                        (JC_99:
                                        (assert
                                        { ge_int(offset_max(Object_alloc_table,
                                                 _jessie_),
                                          (-1)) };
                                        (JC_98:
                                        (java_array_length_intM_requires _jessie_))))))))
                    then
                     (if (K_40:
                         ((lt_int_ (K_39:
                                   (JC_100:
                                   ((((offset_acc_ !Object_alloc_table) !intM_intP) t_0) !j_2)))) !mv))
                     then
                      (let _jessie_ =
                      begin
                        (let _jessie_ = (mi := !j_2) in void);
                       (mv := (K_38:
                              (JC_101:
                              ((((offset_acc_ !Object_alloc_table) !intM_intP) t_0) !j_2))));
                       !mv end in void) else void)
                    else (raise (Loop_exit_exc void)));
                   (raise (Loop_continue_exc void)) end with
                  Loop_continue_exc _jessie_ ->
                  (let _jessie_ =
                  (K_41:
                  (let _jessie_ = !j_2 in
                  begin
                    (let _jessie_ = (j_2 := ((add_int _jessie_) (1))) in
                    void); _jessie_ end)) in void) end end done) with
               Loop_exit_exc _jessie_ -> void end;
              (K_45:
              (let _jessie_ = this_0 in
              (let _jessie_ = t_0 in
              (let _jessie_ = !i_3 in
              (let _jessie_ = !mi in
              (JC_102:
              ((((Sort_swap_requires _jessie_) _jessie_) _jessie_) _jessie_)))))))
             end else (raise (Loop_exit_exc void)));
           (raise (Loop_continue_exc void)) end with
          Loop_continue_exc _jessie_ ->
          (let _jessie_ =
          (K_46:
          (let _jessie_ = !i_3 in
          begin
            (let _jessie_ = (i_3 := ((add_int _jessie_) (1))) in void);
           _jessie_ end)) in void) end end done) with
       Loop_exit_exc _jessie_ -> void end end)))); (raise Return) end with
   Return -> void end) { true } 

let Sort_swap_ensures_default =
 fun (this_2 : Object pointer) (t : Object pointer) (i_2 : int) (j_1 : int) ->
  { (left_valid_struct_intM(t, (0), Object_alloc_table)
    and (valid_struct_Sort(this_2, (0), (0), Object_alloc_table)
        and (JC_51:
            ((JC_46: Non_null_intM(t, Object_alloc_table))
            and ((JC_47: le_int((0), i_2))
                and ((JC_48:
                     lt_int(i_2,
                     add_int(offset_max(Object_alloc_table, t), (1))))
                    and ((JC_49: le_int((0), j_1))
                        and (JC_50:
                            lt_int(j_1,
                            add_int(offset_max(Object_alloc_table, t), (1))))))))))) }
  (init:
  try
   begin
     (let _jessie_ =
     (let tmp = (K_14: ((safe_acc_ !intM_intP) ((shift t) i_2))) in
     (K_12:
     begin
       (let _jessie_ =
       (let _jessie_ = (K_11: ((safe_acc_ !intM_intP) ((shift t) j_1))) in
       (let _jessie_ = t in
       (let _jessie_ = i_2 in
       (let _jessie_ = ((shift _jessie_) _jessie_) in
       (((safe_upd_ intM_intP) _jessie_) _jessie_))))) in void);
      (K_13:
      (let _jessie_ = tmp in
      (let _jessie_ = t in
      (let _jessie_ = j_1 in
      (let _jessie_ = ((shift _jessie_) _jessie_) in
      begin   (((safe_upd_ intM_intP) _jessie_) _jessie_); _jessie_ end)))))
     end)) in void); (raise Return) end with Return -> void end)
  { (JC_55:
    ((JC_53: Swap(t, i_2, j_1, intM_intP, intM_intP@))
    and (JC_54:
        not_assigns(Object_alloc_table@, intM_intP@, intM_intP,
        pset_union(pset_range(pset_singleton(t), j_1, j_1),
        pset_range(pset_singleton(t), i_2, i_2)))))) } 

let Sort_swap_safety =
 fun (this_2 : Object pointer) (t : Object pointer) (i_2 : int) (j_1 : int) ->
  { (left_valid_struct_intM(t, (0), Object_alloc_table)
    and (valid_struct_Sort(this_2, (0), (0), Object_alloc_table)
        and (JC_51:
            ((JC_46: Non_null_intM(t, Object_alloc_table))
            and ((JC_47: le_int((0), i_2))
                and ((JC_48:
                     lt_int(i_2,
                     add_int(offset_max(Object_alloc_table, t), (1))))
                    and ((JC_49: le_int((0), j_1))
                        and (JC_50:
                            lt_int(j_1,
                            add_int(offset_max(Object_alloc_table, t), (1))))))))))) }
  (init:
  try
   begin
     (let _jessie_ =
     (let tmp =
     (K_14:
     (JC_61: ((((offset_acc_ !Object_alloc_table) !intM_intP) t) i_2))) in
     (K_12:
     begin
       (let _jessie_ =
       (let _jessie_ =
       (K_11:
       (JC_62: ((((offset_acc_ !Object_alloc_table) !intM_intP) t) j_1))) in
       (let _jessie_ = t in
       (let _jessie_ = i_2 in
       (let _jessie_ = ((shift _jessie_) _jessie_) in
       (JC_63:
       (((((offset_upd_ !Object_alloc_table) intM_intP) _jessie_) _jessie_) _jessie_)))))) in
       void);
      (K_13:
      (let _jessie_ = tmp in
      (let _jessie_ = t in
      (let _jessie_ = j_1 in
      (let _jessie_ = ((shift _jessie_) _jessie_) in
      (JC_64:
      begin
        (((((offset_upd_ !Object_alloc_table) intM_intP) _jessie_) _jessie_) _jessie_);
       _jessie_ end)))))) end)) in void); (raise Return) end with Return ->
   void end) { true } 

let cons_Object_ensures_default =
 fun (this_14 : Object pointer) ->
  { valid_struct_Object(this_14, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_208: true) } 

let cons_Object_safety =
 fun (this_14 : Object pointer) ->
  { valid_struct_Object(this_14, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 

let cons_Sort_ensures_default =
 fun (this_3 : Object pointer) ->
  { valid_struct_Sort(this_3, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_184: true) } 

let cons_Sort_safety =
 fun (this_3 : Object pointer) ->
  { valid_struct_Sort(this_3, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 


why-2.39/tests/java/oracle/Assertion.res.oracle0000644000106100004300000006672613147234006020530 0ustar  marchevals========== file tests/java/Assertion.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

public class Assertion {
         /*@
           @ ensures \result == 5;
           @*/
         public static int max(int x) {
                 /*@ assert x == 5; @*/
                 return x;
         }
} ========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function cons_Assertion for constructor Assertion
Generating JC function Assertion_max for method Assertion.max
Done.
========== file tests/java/Assertion.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

type byte = -128..127

type short = -32768..32767

type int32 = -2147483648..2147483647

type long = -9223372036854775808..9223372036854775807

type char = 0..65535

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag Assertion = Object with {
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

unit cons_Assertion(! Assertion[0] this_0){()}

int32 Assertion_max(int32 x)
behavior default:
  ensures (K_1 : (\result == 5));
{  (K_3 : 
   (assert (K_2 : (x == 5))));
   
   (return x)
}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/Assertion.jloc tests/java/Assertion.jc && make -f tests/java/Assertion.makefile gui"
End:
*/
========== file tests/java/Assertion.jloc ==========
[K_1]
file = "HOME/tests/java/Assertion.java"
line = 34
begin = 21
end = 33

[K_2]
file = "HOME/tests/java/Assertion.java"
line = 37
begin = 28
end = 34

[Assertion_max]
name = "Method max"
file = "HOME/tests/java/Assertion.java"
line = 36
begin = 27
end = 30

[K_3]
file = "HOME/tests/java/Assertion.java"
line = 37
begin = 28
end = 34

[cons_Assertion]
name = "Constructor of class Assertion"
file = "HOME/"
line = 0
begin = -1
end = -1

========== jessie execution ==========
Generating Why function cons_Assertion
Generating Why function Assertion_max
========== file tests/java/Assertion.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/Assertion_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: Assertion.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: Assertion.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: Assertion.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/java/Assertion.loc ==========
[JC_31]
file = "HOME/tests/java/Assertion.java"
line = 34
begin = 21
end = 33

[JC_17]
file = "HOME/tests/java/Assertion.jc"
line = 47
begin = 11
end = 65

[JC_23]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_9]
file = "HOME/tests/java/Assertion.jc"
line = 45
begin = 8
end = 23

[JC_24]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_25]
file = "HOME/"
line = 0
begin = -1
end = -1

[Assertion_max_safety]
name = "Method max"
behavior = "Safety"
file = "HOME/tests/java/Assertion.java"
line = 36
begin = 27
end = 30

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/java/Assertion.jc"
line = 45
begin = 8
end = 23

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_36]
file = "HOME/tests/java/Assertion.java"
line = 37
begin = 28
end = 34

[JC_35]
file = "HOME/tests/java/Assertion.java"
line = 37
begin = 28
end = 34

[JC_27]
file = "HOME/tests/java/Assertion.java"
line = 36
begin = 27
end = 30

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_32]
file = "HOME/tests/java/Assertion.java"
line = 34
begin = 21
end = 33

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_29]
file = "HOME/tests/java/Assertion.java"
line = 36
begin = 27
end = 30

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_21]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1]
file = "HOME/tests/java/Assertion.jc"
line = 20
begin = 12
end = 22

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/tests/java/Assertion.jc"
line = 47
begin = 11
end = 65

[JC_3]
file = "HOME/tests/java/Assertion.jc"
line = 20
begin = 12
end = 22

[Assertion_max_ensures_default]
name = "Method max"
behavior = "default behavior"
file = "HOME/tests/java/Assertion.java"
line = 36
begin = 27
end = 30

[cons_Assertion_ensures_default]
name = "Constructor of class Assertion"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Assertion_safety]
name = "Constructor of class Assertion"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_19]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/java/why/Assertion.why ==========
type Object

type byte

type char

type int32

type interface

type long

type short

logic Assertion_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Assertion_parenttag_Object : parenttag(Assertion_tag, Object_tag)

logic Exception_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), (0))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic integer_of_byte: byte -> int

logic byte_of_integer: int -> byte

axiom byte_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_byte(byte_of_integer(x)), x)))

axiom byte_extensionality :
 (forall x:byte.
  (forall y:byte[eq_int(integer_of_byte(x), integer_of_byte(y))].
   (eq_int(integer_of_byte(x), integer_of_byte(y)) -> (x = y))))

axiom byte_range :
 (forall x:byte.
  (le_int((-128), integer_of_byte(x)) and le_int(integer_of_byte(x), (127))))

logic integer_of_char: char -> int

logic char_of_integer: int -> char

axiom char_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (65535))) ->
   eq_int(integer_of_char(char_of_integer(x)), x)))

axiom char_extensionality :
 (forall x:char.
  (forall y:char[eq_int(integer_of_char(x), integer_of_char(y))].
   (eq_int(integer_of_char(x), integer_of_char(y)) -> (x = y))))

axiom char_range :
 (forall x:char.
  (le_int((0), integer_of_char(x)) and le_int(integer_of_char(x), (65535))))

predicate eq_byte(x:byte, y:byte) =
 eq_int(integer_of_byte(x), integer_of_byte(y))

predicate eq_char(x:char, y:char) =
 eq_int(integer_of_char(x), integer_of_char(y))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_long: long -> int

predicate eq_long(x:long, y:long) =
 eq_int(integer_of_long(x), integer_of_long(y))

logic integer_of_short: short -> int

predicate eq_short(x:short, y:short) =
 eq_int(integer_of_short(x), integer_of_short(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Assertion(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer: int -> long

axiom long_coerce :
 (forall x:int.
  ((le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807))) ->
   eq_int(integer_of_long(long_of_integer(x)), x)))

axiom long_extensionality :
 (forall x:long.
  (forall y:long[eq_int(integer_of_long(x), integer_of_long(y))].
   (eq_int(integer_of_long(x), integer_of_long(y)) -> (x = y))))

axiom long_range :
 (forall x:long.
  (le_int((-9223372036854775808), integer_of_long(x))
  and le_int(integer_of_long(x), (9223372036854775807))))

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Assertion(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer: int -> short

axiom short_coerce :
 (forall x:int.
  ((le_int((-32768), x) and le_int(x, (32767))) ->
   eq_int(integer_of_short(short_of_integer(x)), x)))

axiom short_extensionality :
 (forall x:short.
  (forall y:short[eq_int(integer_of_short(x), integer_of_short(y))].
   (eq_int(integer_of_short(x), integer_of_short(y)) -> (x = y))))

axiom short_range :
 (forall x:short.
  (le_int((-32768), integer_of_short(x))
  and le_int(integer_of_short(x), (32767))))

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Assertion(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Assertion(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

parameter Assertion_max :
 x_2:int32 -> { } int32 { (JC_32: (integer_of_int32(result) = (5))) }

parameter Assertion_max_requires :
 x_2:int32 -> { } int32 { (JC_32: (integer_of_int32(result) = (5))) }

exception Exception_exc of Object pointer

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Object_alloc_table : Object alloc_table ref

parameter Object_tag_table : Object tag_table ref

exception Return_label_exc of unit

exception Throwable_exc of Object pointer

parameter alloc_struct_Assertion :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Assertion(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Assertion_tag)))) }

parameter alloc_struct_Assertion_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Assertion(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Assertion_tag)))) }

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_byte : unit -> { } byte { true }

parameter any_char : unit -> { } char { true }

parameter any_int32 : unit -> { } int32 { true }

parameter any_long : unit -> { } long { true }

parameter any_short : unit -> { } short { true }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter byte_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} byte
  { eq_int(integer_of_byte(result), x) }

parameter char_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (65535)))} char
  { eq_int(integer_of_char(result), x) }

parameter cons_Assertion :
 this_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Assertion_requires :
 this_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter long_of_integer_ :
 x:int ->
  { (le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807)))}
  long { eq_int(integer_of_long(result), x) }

parameter non_null_Object :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter non_null_Object_requires :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter safe_byte_of_integer_ :
 x:int -> { } byte { eq_int(integer_of_byte(result), x) }

parameter safe_char_of_integer_ :
 x:int -> { } char { eq_int(integer_of_char(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_long_of_integer_ :
 x:int -> { } long { eq_int(integer_of_long(result), x) }

parameter safe_short_of_integer_ :
 x:int -> { } short { eq_int(integer_of_short(result), x) }

parameter short_of_integer_ :
 x:int ->
  { (le_int((-32768), x) and le_int(x, (32767)))} short
  { eq_int(integer_of_short(result), x) }

let Assertion_max_ensures_default =
 fun (x_2 : int32) ->
  { (JC_30: true) }
  (init:
  (let return = ref (any_int32 void) in
  try
   (K_3:
   begin
     (assert { (JC_36: (integer_of_int32(x_2) = (5))) }; void);
    (return := x_2); (raise Return); absurd  end) with Return -> !return end))
  { (JC_31: (integer_of_int32(result) = (5))) } 

let Assertion_max_safety =
 fun (x_2 : int32) ->
  { (JC_30: true) }
  (init:
  (let return = ref (any_int32 void) in
  try
   (K_3:
   begin
     [ { } unit { (JC_35: (integer_of_int32(x_2) = (5))) } ];
    (return := x_2); (raise Return); absurd  end) with Return -> !return end))
  { true } 

let cons_Assertion_ensures_default =
 fun (this_0 : Object pointer) ->
  { valid_struct_Assertion(this_0, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_23: true) } 

let cons_Assertion_safety =
 fun (this_0 : Object pointer) ->
  { valid_struct_Assertion(this_0, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 


why-2.39/tests/java/oracle/Duplets.err.oracle0000644000106100004300000000022213147234006020153 0ustar  marchevalsFile "jc/jc_pervasives.ml", line 877, characters 6-6:
Uncaught exception: File "jc/jc_pervasives.ml", line 877, characters 6-12: Assertion failed
why-2.39/tests/java/oracle/Negate.res.oracle0000644000106100004300000000601613147234006017746 0ustar  marchevals========== file tests/java/Negate.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


//@+ CheckArithOverflow = no

public class negate {

    /*@ requires t != null;
      @ assigns t[0..t.length-1];
      @ ensures \forall integer k; 0 <= k < t.length ==> t[k] == -\old(t[k]);
      @*/
    static void negate(int t[]) {
	int i = 0;
	/*@ loop_invariant
	  @   0 <= i <= t.length &&
	  @   (\forall integer k; 0 <= k < i ==> t[k] == -\at(t[k],Pre)) &&
	  @   (\forall integer k; i <= k < t.length ==> t[k] == \at(t[k],Pre)) ;
	  @ // TODO: replace previous invariant by loop_assigns t[0..i-1];
	  @ loop_variant t.length-i;
	  @*/
	while (i < t.length) {
	    t[i] = -t[i];
	    i++;
	}

    }

}



/*
Local Variables:
compile-command: "make Negate.why3ide"
End:
*/

========== krakatoa execution ==========
why-2.39/tests/java/oracle/MacCarthy.err.oracle0000644000106100004300000000000013147234006020400 0ustar  marchevalswhy-2.39/tests/java/oracle/Counter.res.oracle0000644000106100004300000007335313147234006020172 0ustar  marchevals========== file tests/java/Counter.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@+ CheckArithOverflow = no

/*@ logic integer value{L}(Counter c) = 
  @    \at(c.increments,L) - \at(c.decrements,L);
  @*/

public class Counter {

    private int increments;
    private int decrements;

    //@ ensures value{Here}(this) == value{Old}(this) + 1;
    public void increment() {
        increments++;
    }

    //@ ensures value{Here}(this) == value{Old}(this) - 1;
    public void decrement() {
        decrements++;
    }

}

/*
Local Variables:
compile-command: "make Counter.why3ide"
End:
*/


========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function Counter_decrement for method Counter.decrement
Generating JC function cons_Counter for constructor Counter
Generating JC function Counter_increment for method Counter.increment
Done.
========== file tests/java/Counter.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag Counter = Object with {
  integer increments; 
  integer decrements;
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

logic integer value{L}(Counter[0..] c) =
(\at(c.increments,L) - \at(c.decrements,L))

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

unit Counter_decrement(Counter[0] this_0)
behavior default:
  ensures (K_1 : (value{Here}(this_0) == (value{Old}(this_0) - 1)));
{  (K_2 : (this_0.decrements ++))
}

unit cons_Counter(! Counter[0] this_2)
{  (this_2.increments = 0);
   (this_2.decrements = 0)
}

unit Counter_increment(Counter[0] this_1)
behavior default:
  ensures (K_3 : (value{Here}(this_1) == (value{Old}(this_1) + 1)));
{  (K_4 : (this_1.increments ++))
}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/Counter.jloc tests/java/Counter.jc && make -f tests/java/Counter.makefile gui"
End:
*/
========== file tests/java/Counter.jloc ==========
[K_1]
file = "HOME/tests/java/Counter.java"
line = 48
begin = 16
end = 57

[K_4]
file = "HOME/tests/java/Counter.java"
line = 45
begin = 8
end = 20

[Counter_decrement]
name = "Method decrement"
file = "HOME/tests/java/Counter.java"
line = 49
begin = 16
end = 25

[K_2]
file = "HOME/tests/java/Counter.java"
line = 50
begin = 8
end = 20

[K_3]
file = "HOME/tests/java/Counter.java"
line = 43
begin = 16
end = 57

[Counter_increment]
name = "Method increment"
file = "HOME/tests/java/Counter.java"
line = 44
begin = 16
end = 25

[cons_Counter]
name = "Constructor of class Counter"
file = "HOME/"
line = 0
begin = -1
end = -1

========== jessie execution ==========
Generating Why function Counter_decrement
Generating Why function cons_Counter
Generating Why function Counter_increment
========== file tests/java/Counter.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/Counter_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: Counter.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: Counter.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: Counter.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/java/Counter.loc ==========
[JC_31]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_17]
file = "HOME/tests/java/Counter.jc"
line = 39
begin = 11
end = 65

[cons_Counter_ensures_default]
name = "Constructor of class Counter"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_23]
file = "HOME/tests/java/Counter.java"
line = 48
begin = 16
end = 57

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_9]
file = "HOME/tests/java/Counter.jc"
line = 37
begin = 8
end = 23

[JC_24]
file = "HOME/tests/java/Counter.java"
line = 48
begin = 16
end = 57

[JC_25]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_41]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[Counter_decrement_ensures_default]
name = "Method decrement"
behavior = "default behavior"
file = "HOME/tests/java/Counter.java"
line = 49
begin = 16
end = 25

[JC_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[Counter_decrement_safety]
name = "Method decrement"
behavior = "Safety"
file = "HOME/tests/java/Counter.java"
line = 49
begin = 16
end = 25

[JC_11]
file = "HOME/tests/java/Counter.jc"
line = 37
begin = 8
end = 23

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_39]
file = "HOME/tests/java/Counter.java"
line = 43
begin = 16
end = 57

[JC_40]
file = "HOME/tests/java/Counter.java"
line = 43
begin = 16
end = 57

[JC_35]
file = "HOME/tests/java/Counter.java"
line = 44
begin = 16
end = 25

[JC_27]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_38]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[Counter_increment_ensures_default]
name = "Method increment"
behavior = "default behavior"
file = "HOME/tests/java/Counter.java"
line = 44
begin = 16
end = 25

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_42]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[Counter_increment_safety]
name = "Method increment"
behavior = "Safety"
file = "HOME/tests/java/Counter.java"
line = 44
begin = 16
end = 25

[JC_29]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_21]
file = "HOME/tests/java/Counter.java"
line = 49
begin = 16
end = 25

[JC_1]
file = "HOME/tests/java/Counter.jc"
line = 10
begin = 12
end = 22

[JC_37]
file = "HOME/tests/java/Counter.java"
line = 44
begin = 16
end = 25

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Counter_safety]
name = "Constructor of class Counter"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/tests/java/Counter.jc"
line = 39
begin = 11
end = 65

[JC_3]
file = "HOME/tests/java/Counter.jc"
line = 10
begin = 12
end = 22

[JC_19]
file = "HOME/tests/java/Counter.java"
line = 49
begin = 16
end = 25

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/java/why/Counter.why ==========
type Object

type interface

logic Counter_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Counter_parenttag_Object : parenttag(Counter_tag, Object_tag)

logic Exception_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), (0))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Counter(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Counter(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Counter(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Counter(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

function value(c:Object pointer,
 Counter_decrements_at_L:(Object, int) memory,
 Counter_increments_at_L:(Object, int) memory) : int =
 sub_int(select(Counter_increments_at_L, c),
 select(Counter_decrements_at_L, c))

parameter Object_alloc_table : Object alloc_table ref

parameter Counter_decrements : (Object, int) memory ref

parameter Counter_increments : (Object, int) memory ref

parameter Counter_decrement :
 this_0:Object pointer ->
  { } unit reads Counter_decrements,Counter_increments,Object_alloc_table
  writes Counter_decrements
  { (JC_24:
    (value(this_0, Counter_decrements, Counter_increments) = sub_int(
                                                             value(this_0,
                                                             Counter_decrements@,
                                                             Counter_increments@),
                                                             (1)))) }

parameter Counter_decrement_requires :
 this_0:Object pointer ->
  { } unit reads Counter_decrements,Counter_increments,Object_alloc_table
  writes Counter_decrements
  { (JC_24:
    (value(this_0, Counter_decrements, Counter_increments) = sub_int(
                                                             value(this_0,
                                                             Counter_decrements@,
                                                             Counter_increments@),
                                                             (1)))) }

parameter Counter_increment :
 this_1:Object pointer ->
  { } unit reads Counter_decrements,Counter_increments,Object_alloc_table
  writes Counter_increments
  { (JC_40:
    (value(this_1, Counter_decrements, Counter_increments) = add_int(
                                                             value(this_1,
                                                             Counter_decrements@,
                                                             Counter_increments@),
                                                             (1)))) }

parameter Counter_increment_requires :
 this_1:Object pointer ->
  { } unit reads Counter_decrements,Counter_increments,Object_alloc_table
  writes Counter_increments
  { (JC_40:
    (value(this_1, Counter_decrements, Counter_increments) = add_int(
                                                             value(this_1,
                                                             Counter_decrements@,
                                                             Counter_increments@),
                                                             (1)))) }

exception Exception_exc of Object pointer

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Object_tag_table : Object tag_table ref

exception Return_label_exc of unit

exception Throwable_exc of Object pointer

parameter alloc_struct_Counter :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Counter(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Counter_tag)))) }

parameter alloc_struct_Counter_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Counter(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Counter_tag)))) }

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter cons_Counter :
 this_2:Object pointer ->
  { } unit reads Object_alloc_table
  writes Counter_decrements,Counter_increments { true }

parameter cons_Counter_requires :
 this_2:Object pointer ->
  { } unit reads Object_alloc_table
  writes Counter_decrements,Counter_increments { true }

parameter non_null_Object :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter non_null_Object_requires :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

let Counter_decrement_ensures_default =
 fun (this_0 : Object pointer) ->
  { valid_struct_Counter(this_0, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     (K_2:
     (let _jessie_ = ((safe_acc_ !Counter_decrements) this_0) in
     begin
       (let _jessie_ = ((add_int _jessie_) (1)) in
       (let _jessie_ = this_0 in
       (((safe_upd_ Counter_decrements) _jessie_) _jessie_))); _jessie_
     end)) in void); (raise Return) end with Return -> void end)
  { (JC_23:
    (value(this_0, Counter_decrements, Counter_increments) = sub_int(
                                                             value(this_0,
                                                             Counter_decrements@,
                                                             Counter_increments@),
                                                             (1)))) } 

let Counter_decrement_safety =
 fun (this_0 : Object pointer) ->
  { valid_struct_Counter(this_0, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     (K_2:
     (let _jessie_ = ((safe_acc_ !Counter_decrements) this_0) in
     begin
       (let _jessie_ = ((add_int _jessie_) (1)) in
       (let _jessie_ = this_0 in
       (((safe_upd_ Counter_decrements) _jessie_) _jessie_))); _jessie_
     end)) in void); (raise Return) end with Return -> void end) { true } 

let Counter_increment_ensures_default =
 fun (this_1 : Object pointer) ->
  { valid_struct_Counter(this_1, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     (K_4:
     (let _jessie_ = ((safe_acc_ !Counter_increments) this_1) in
     begin
       (let _jessie_ = ((add_int _jessie_) (1)) in
       (let _jessie_ = this_1 in
       (((safe_upd_ Counter_increments) _jessie_) _jessie_))); _jessie_
     end)) in void); (raise Return) end with Return -> void end)
  { (JC_39:
    (value(this_1, Counter_decrements, Counter_increments) = add_int(
                                                             value(this_1,
                                                             Counter_decrements@,
                                                             Counter_increments@),
                                                             (1)))) } 

let Counter_increment_safety =
 fun (this_1 : Object pointer) ->
  { valid_struct_Counter(this_1, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     (K_4:
     (let _jessie_ = ((safe_acc_ !Counter_increments) this_1) in
     begin
       (let _jessie_ = ((add_int _jessie_) (1)) in
       (let _jessie_ = this_1 in
       (((safe_upd_ Counter_increments) _jessie_) _jessie_))); _jessie_
     end)) in void); (raise Return) end with Return -> void end) { true } 

let cons_Counter_ensures_default =
 fun (this_2 : Object pointer) ->
  { valid_struct_Counter(this_2, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = (0) in
       (let _jessie_ = this_2 in
       (((safe_upd_ Counter_increments) _jessie_) _jessie_)));
      (let _jessie_ = (0) in
      begin
        (let _jessie_ = this_2 in
        (((safe_upd_ Counter_decrements) _jessie_) _jessie_)); _jessie_
      end) end in void); (raise Return) end with Return -> void end)
  { (JC_31: true) } 

let cons_Counter_safety =
 fun (this_2 : Object pointer) ->
  { valid_struct_Counter(this_2, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = (0) in
       (let _jessie_ = this_2 in
       (((safe_upd_ Counter_increments) _jessie_) _jessie_)));
      (let _jessie_ = (0) in
      begin
        (let _jessie_ = this_2 in
        (((safe_upd_ Counter_decrements) _jessie_) _jessie_)); _jessie_
      end) end in void); (raise Return) end with Return -> void end) 
  { true } 


why-2.39/tests/java/oracle/Fresh2.err.oracle0000644000106100004300000000000013147234006017656 0ustar  marchevalswhy-2.39/tests/java/oracle/AllZeros.res.oracle0000644000106100004300000012662013147234006020302 0ustar  marchevals========== file tests/java/AllZeros.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

class AllZeros {

    static int should_not_be_proved(int t[]) {
	return t.length;

    }


    /*@ requires t != null;
      @ ensures \result <==> 
      @      \forall integer i; 0 <= i < t.length ==> t[i] == 0; 
      @*/
    static boolean all_zeros(int t[]) {
	/*@ loop_invariant 
	  @  0 <= k <= t.length && 
	  @  \forall integer i; 0 <= i < k ==> t[i] == 0;
	  @ loop_variant t.length - k;
	  @*/
	for (int k = 0; k < t.length; k++) 
	    if (t[k] != 0) 
		return false;
	return true;
    }
}

/*
Local Variables:
compile-command: "make AllZeros.why3ide"
End:
*/


========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function AllZeros_all_zeros for method AllZeros.all_zeros
Generating JC function cons_AllZeros for constructor AllZeros
Generating JC function AllZeros_should_not_be_proved for method AllZeros.should_not_be_proved
Done.
========== file tests/java/AllZeros.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

type byte = -128..127

type short = -32768..32767

type int32 = -2147483648..2147483647

type long = -9223372036854775808..9223372036854775807

type char = 0..65535

predicate Non_null_intM{Here}(intM[0..] x) =
(\offset_max(x) >= -1)

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag AllZeros = Object with {
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

tag intM = Object with {
  int32 intP;
}

boolean non_null_intM(! intM[0..] x)
behavior default:
  assigns \nothing;
  ensures (if \result then (\offset_max(x) >= -1) else (x == null));
;

integer java_array_length_intM(! intM[0..-1] x)
behavior default:
  assigns \nothing;
  ensures ((\result <= 2147483647) &&
            ((\result >= 0) && (\result == (\offset_max(x) + 1))));
;

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

boolean AllZeros_all_zeros(intM[0..] t_0)
  requires (K_2 : Non_null_intM(t_0));
behavior default:
  ensures (K_1 : (\result <==>
                   (\forall integer i;
                     (((0 <= i) && (i < (\offset_max(t_0) + 1))) ==>
                       ((t_0 + i).intP == 0)))));
{  
   {  
      {  
         (var int32 k = (K_3 : 0));
         
         loop 
         behavior default:
           invariant (K_8 : ((K_7 : ((K_6 : (0 <= k)) &&
                                      (K_5 : (k <= (\offset_max(t_0) + 1))))) &&
                              (K_4 : (\forall integer i_0;
                                       (((0 <= i_0) && (i_0 < k)) ==>
                                         ((t_0 + i_0).intP == 0))))));
         
         variant (K_9 : ((\offset_max(t_0) + 1) - k));
         for ( ; (K_14 : (k < (K_13 : java_array_length_intM(t_0)))) ; 
         (K_12 : (k ++)))
         {  (if (K_11 : ((K_10 : (t_0 + k).intP) != 0)) then 
            (return false) else ())
         }
      }
   };
   
   (return true)
}

unit cons_AllZeros(! AllZeros[0] this_0){()}

int32 AllZeros_should_not_be_proved(intM[0..] t)
{  
   (return (K_15 : java_array_length_intM(t)))
}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/AllZeros.jloc tests/java/AllZeros.jc && make -f tests/java/AllZeros.makefile gui"
End:
*/
========== file tests/java/AllZeros.jloc ==========
[K_11]
file = "HOME/tests/java/AllZeros.java"
line = 51
begin = 9
end = 18

[K_13]
file = "HOME/tests/java/AllZeros.java"
line = 50
begin = 21
end = 29

[AllZeros_all_zeros]
name = "Method all_zeros"
file = "HOME/tests/java/AllZeros.java"
line = 44
begin = 19
end = 28

[K_9]
file = "HOME/tests/java/AllZeros.java"
line = 48
begin = 18
end = 30

[K_1]
file = "HOME/tests/java/AllZeros.java"
line = 41
begin = 16
end = 93

[AllZeros_should_not_be_proved]
name = "Method should_not_be_proved"
file = "HOME/tests/java/AllZeros.java"
line = 34
begin = 15
end = 35

[K_15]
file = "HOME/tests/java/AllZeros.java"
line = 35
begin = 8
end = 16

[K_4]
file = "HOME/tests/java/AllZeros.java"
line = 47
begin = 6
end = 49

[K_12]
file = "HOME/tests/java/AllZeros.java"
line = 50
begin = 31
end = 34

[K_2]
file = "HOME/tests/java/AllZeros.java"
line = 40
begin = 17
end = 26

[K_10]
file = "HOME/tests/java/AllZeros.java"
line = 51
begin = 9
end = 13

[K_6]
file = "HOME/tests/java/AllZeros.java"
line = 46
begin = 6
end = 12

[K_8]
file = "HOME/tests/java/AllZeros.java"
line = 46
begin = 6
end = 78

[K_3]
file = "HOME/tests/java/AllZeros.java"
line = 50
begin = 14
end = 15

[K_14]
file = "HOME/tests/java/AllZeros.java"
line = 50
begin = 17
end = 29

[K_5]
file = "HOME/tests/java/AllZeros.java"
line = 46
begin = 11
end = 24

[K_7]
file = "HOME/tests/java/AllZeros.java"
line = 46
begin = 6
end = 24

[cons_AllZeros]
name = "Constructor of class AllZeros"
file = "HOME/"
line = 0
begin = -1
end = -1

========== jessie execution ==========
Generating Why function AllZeros_all_zeros
Generating Why function cons_AllZeros
Generating Why function AllZeros_should_not_be_proved
========== file tests/java/AllZeros.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/AllZeros_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: AllZeros.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: AllZeros.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: AllZeros.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/java/AllZeros.loc ==========
[cons_AllZeros_ensures_default]
name = "Constructor of class AllZeros"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_73]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_63]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_80]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_51]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_71]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_45]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_64]
file = "HOME/tests/java/AllZeros.jc"
line = 86
begin = 9
end = 651

[JC_85]
kind = ArithOverflow
file = "HOME/tests/java/AllZeros.java"
line = 35
begin = 8
end = 16

[JC_31]
file = "HOME/tests/java/AllZeros.jc"
line = 65
begin = 8
end = 23

[JC_17]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_81]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_55]
kind = IndexBounds
file = "HOME/tests/java/AllZeros.java"
line = 50
begin = 21
end = 29

[JC_48]
file = "HOME/tests/java/AllZeros.java"
line = 46
begin = 11
end = 24

[JC_23]
file = "HOME/tests/java/AllZeros.jc"
line = 61
begin = 11
end = 103

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_67]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_9]
file = "HOME/tests/java/AllZeros.jc"
line = 52
begin = 8
end = 21

[JC_75]
file = "HOME/tests/java/AllZeros.java"
line = 34
begin = 15
end = 35

[JC_24]
file = "HOME/tests/java/AllZeros.jc"
line = 60
begin = 10
end = 18

[JC_25]
file = "HOME/tests/java/AllZeros.jc"
line = 61
begin = 11
end = 103

[JC_78]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_41]
file = "HOME/tests/java/AllZeros.java"
line = 40
begin = 17
end = 26

[JC_74]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_47]
file = "HOME/tests/java/AllZeros.java"
line = 46
begin = 6
end = 12

[JC_52]
file = "HOME/tests/java/AllZeros.jc"
line = 86
begin = 9
end = 651

[JC_26]
file = "HOME/tests/java/AllZeros.jc"
line = 60
begin = 10
end = 18

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
kind = UserCall
file = "HOME/tests/java/AllZeros.java"
line = 50
begin = 21
end = 29

[JC_79]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/tests/java/AllZeros.jc"
line = 55
begin = 11
end = 66

[JC_82]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/java/AllZeros.jc"
line = 52
begin = 8
end = 21

[JC_70]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_15]
file = "HOME/tests/java/AllZeros.jc"
line = 55
begin = 11
end = 66

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_39]
file = "HOME/tests/java/AllZeros.java"
line = 40
begin = 17
end = 26

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_AllZeros_safety]
name = "Constructor of class AllZeros"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_83]
kind = UserCall
file = "HOME/tests/java/AllZeros.java"
line = 35
begin = 8
end = 16

[JC_35]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_69]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_38]
file = "HOME/tests/java/AllZeros.jc"
line = 67
begin = 11
end = 65

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_44]
file = "HOME/tests/java/AllZeros.java"
line = 41
begin = 16
end = 93

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[AllZeros_should_not_be_proved_ensures_default]
name = "Method should_not_be_proved"
behavior = "default behavior"
file = "HOME/tests/java/AllZeros.java"
line = 34
begin = 15
end = 35

[JC_62]
file = "HOME/tests/java/AllZeros.java"
line = 46
begin = 6
end = 78

[JC_42]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_46]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_61]
file = "HOME/tests/java/AllZeros.java"
line = 47
begin = 6
end = 49

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_56]
kind = PointerDeref
file = "HOME/tests/java/AllZeros.java"
line = 51
begin = 9
end = 13

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_65]
file = "HOME/tests/java/AllZeros.jc"
line = 86
begin = 9
end = 651

[JC_29]
file = "HOME/tests/java/AllZeros.jc"
line = 65
begin = 8
end = 23

[AllZeros_all_zeros_ensures_default]
name = "Method all_zeros"
behavior = "default behavior"
file = "HOME/tests/java/AllZeros.java"
line = 44
begin = 19
end = 28

[JC_68]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/tests/java/AllZeros.jc"
line = 54
begin = 10
end = 18

[JC_43]
file = "HOME/tests/java/AllZeros.java"
line = 41
begin = 16
end = 93

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_84]
kind = IndexBounds
file = "HOME/tests/java/AllZeros.java"
line = 35
begin = 8
end = 16

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/tests/java/AllZeros.jc"
line = 54
begin = 10
end = 18

[JC_53]
file = "HOME/tests/java/AllZeros.jc"
line = 86
begin = 9
end = 651

[JC_21]
file = "HOME/tests/java/AllZeros.jc"
line = 58
begin = 8
end = 30

[JC_77]
file = "HOME/tests/java/AllZeros.java"
line = 34
begin = 15
end = 35

[JC_49]
file = "HOME/tests/java/AllZeros.java"
line = 47
begin = 6
end = 49

[JC_1]
file = "HOME/tests/java/AllZeros.jc"
line = 23
begin = 12
end = 22

[JC_37]
file = "HOME/tests/java/AllZeros.jc"
line = 67
begin = 11
end = 65

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_57]
kind = ArithOverflow
file = "HOME/tests/java/AllZeros.jc"
line = 96
begin = 18
end = 22

[AllZeros_should_not_be_proved_safety]
name = "Method should_not_be_proved"
behavior = "Safety"
file = "HOME/tests/java/AllZeros.java"
line = 34
begin = 15
end = 35

[JC_66]
kind = UserCall
file = "HOME/tests/java/AllZeros.java"
line = 50
begin = 21
end = 29

[JC_59]
file = "HOME/tests/java/AllZeros.java"
line = 46
begin = 6
end = 12

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_3]
file = "HOME/tests/java/AllZeros.jc"
line = 23
begin = 12
end = 22

[JC_86]
kind = UserCall
file = "HOME/tests/java/AllZeros.java"
line = 35
begin = 8
end = 16

[JC_60]
file = "HOME/tests/java/AllZeros.java"
line = 46
begin = 11
end = 24

[JC_72]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_19]
file = "HOME/tests/java/AllZeros.jc"
line = 58
begin = 8
end = 30

[JC_76]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_50]
file = "HOME/tests/java/AllZeros.java"
line = 46
begin = 6
end = 78

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[AllZeros_all_zeros_safety]
name = "Method all_zeros"
behavior = "Safety"
file = "HOME/tests/java/AllZeros.java"
line = 44
begin = 19
end = 28

[JC_58]
file = "HOME/tests/java/AllZeros.java"
line = 48
begin = 18
end = 30

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/java/why/AllZeros.why ==========
type Object

type byte

type char

type int32

type interface

type long

type short

logic AllZeros_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom AllZeros_parenttag_Object : parenttag(AllZeros_tag, Object_tag)

logic Exception_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_1:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_1), (0))

predicate Non_null_intM(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), neg_int((1)))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic integer_of_byte: byte -> int

logic byte_of_integer: int -> byte

axiom byte_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_byte(byte_of_integer(x)), x)))

axiom byte_extensionality :
 (forall x:byte.
  (forall y:byte[eq_int(integer_of_byte(x), integer_of_byte(y))].
   (eq_int(integer_of_byte(x), integer_of_byte(y)) -> (x = y))))

axiom byte_range :
 (forall x:byte.
  (le_int((-128), integer_of_byte(x)) and le_int(integer_of_byte(x), (127))))

logic integer_of_char: char -> int

logic char_of_integer: int -> char

axiom char_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (65535))) ->
   eq_int(integer_of_char(char_of_integer(x)), x)))

axiom char_extensionality :
 (forall x:char.
  (forall y:char[eq_int(integer_of_char(x), integer_of_char(y))].
   (eq_int(integer_of_char(x), integer_of_char(y)) -> (x = y))))

axiom char_range :
 (forall x:char.
  (le_int((0), integer_of_char(x)) and le_int(integer_of_char(x), (65535))))

predicate eq_byte(x:byte, y:byte) =
 eq_int(integer_of_byte(x), integer_of_byte(y))

predicate eq_char(x:char, y:char) =
 eq_int(integer_of_char(x), integer_of_char(y))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_long: long -> int

predicate eq_long(x:long, y:long) =
 eq_int(integer_of_long(x), integer_of_long(y))

logic integer_of_short: short -> int

predicate eq_short(x:short, y:short) =
 eq_int(integer_of_short(x), integer_of_short(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic intM_tag:  -> Object tag_id

axiom intM_parenttag_Object : parenttag(intM_tag, Object_tag)

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_AllZeros(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_intM(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer: int -> long

axiom long_coerce :
 (forall x:int.
  ((le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807))) ->
   eq_int(integer_of_long(long_of_integer(x)), x)))

axiom long_extensionality :
 (forall x:long.
  (forall y:long[eq_int(integer_of_long(x), integer_of_long(y))].
   (eq_int(integer_of_long(x), integer_of_long(y)) -> (x = y))))

axiom long_range :
 (forall x:long.
  (le_int((-9223372036854775808), integer_of_long(x))
  and le_int(integer_of_long(x), (9223372036854775807))))

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_AllZeros(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_intM(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer: int -> short

axiom short_coerce :
 (forall x:int.
  ((le_int((-32768), x) and le_int(x, (32767))) ->
   eq_int(integer_of_short(short_of_integer(x)), x)))

axiom short_extensionality :
 (forall x:short.
  (forall y:short[eq_int(integer_of_short(x), integer_of_short(y))].
   (eq_int(integer_of_short(x), integer_of_short(y)) -> (x = y))))

axiom short_range :
 (forall x:short.
  (le_int((-32768), integer_of_short(x))
  and le_int(integer_of_short(x), (32767))))

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_AllZeros(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_intM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_AllZeros(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_intM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

parameter Object_alloc_table : Object alloc_table ref

parameter intM_intP : (Object, int32) memory ref

parameter AllZeros_all_zeros :
 t_0:Object pointer ->
  { } bool reads Object_alloc_table,intM_intP
  { (JC_44:
    ((result = true)
    <-> (forall i:int.
         ((le_int((0), i)
          and lt_int(i, add_int(offset_max(Object_alloc_table, t_0), (1)))) ->
          (integer_of_int32(select(intM_intP, shift(t_0, i))) = (0)))))) }

parameter AllZeros_all_zeros_requires :
 t_0:Object pointer ->
  { (JC_39: Non_null_intM(t_0, Object_alloc_table))} bool
  reads Object_alloc_table,intM_intP
  { (JC_44:
    ((result = true)
    <-> (forall i:int.
         ((le_int((0), i)
          and lt_int(i, add_int(offset_max(Object_alloc_table, t_0), (1)))) ->
          (integer_of_int32(select(intM_intP, shift(t_0, i))) = (0)))))) }

parameter AllZeros_should_not_be_proved :
 t:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter AllZeros_should_not_be_proved_requires :
 t:Object pointer -> { } int32 reads Object_alloc_table { true }

exception Exception_exc of Object pointer

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Object_tag_table : Object tag_table ref

exception Return_label_exc of unit

exception Throwable_exc of Object pointer

parameter alloc_struct_AllZeros :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_AllZeros(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, AllZeros_tag)))) }

parameter alloc_struct_AllZeros_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_AllZeros(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, AllZeros_tag)))) }

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_intM :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_intM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, intM_tag)))) }

parameter alloc_struct_intM_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_intM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, intM_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_byte : unit -> { } byte { true }

parameter any_char : unit -> { } char { true }

parameter any_int32 : unit -> { } int32 { true }

parameter any_long : unit -> { } long { true }

parameter any_short : unit -> { } short { true }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter byte_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} byte
  { eq_int(integer_of_byte(result), x) }

parameter char_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (65535)))} char
  { eq_int(integer_of_char(result), x) }

parameter cons_AllZeros :
 this_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_AllZeros_requires :
 this_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter java_array_length_intM :
 x_3:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_25:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_3), (1)))))) }

parameter java_array_length_intM_requires :
 x_3:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_25:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_3), (1)))))) }

parameter long_of_integer_ :
 x:int ->
  { (le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807)))}
  long { eq_int(integer_of_long(result), x) }

parameter non_null_Object :
 x_4:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_38:
    (if result then (offset_max(Object_alloc_table, x_4) = (0))
     else (x_4 = null))) }

parameter non_null_Object_requires :
 x_4:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_38:
    (if result then (offset_max(Object_alloc_table, x_4) = (0))
     else (x_4 = null))) }

parameter non_null_intM :
 x_2:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_15:
    (if result then ge_int(offset_max(Object_alloc_table, x_2), neg_int((1)))
     else (x_2 = null))) }

parameter non_null_intM_requires :
 x_2:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_15:
    (if result then ge_int(offset_max(Object_alloc_table, x_2), neg_int((1)))
     else (x_2 = null))) }

parameter safe_byte_of_integer_ :
 x:int -> { } byte { eq_int(integer_of_byte(result), x) }

parameter safe_char_of_integer_ :
 x:int -> { } char { eq_int(integer_of_char(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_long_of_integer_ :
 x:int -> { } long { eq_int(integer_of_long(result), x) }

parameter safe_short_of_integer_ :
 x:int -> { } short { eq_int(integer_of_short(result), x) }

parameter short_of_integer_ :
 x:int ->
  { (le_int((-32768), x) and le_int(x, (32767)))} short
  { eq_int(integer_of_short(result), x) }

let AllZeros_all_zeros_ensures_default =
 fun (t_0 : Object pointer) ->
  { (left_valid_struct_intM(t_0, (0), Object_alloc_table)
    and (JC_41: Non_null_intM(t_0, Object_alloc_table))) }
  (init:
  (let return = ref (any_bool void) in
  try
   begin
     (let k = ref (safe_int32_of_integer_ (K_3: (0))) in
     try
      (loop_2:
      while true do
      { invariant
          (JC_62:
          ((JC_59: le_int((0), integer_of_int32(k)))
          and ((JC_60:
               le_int(integer_of_int32(k),
               add_int(offset_max(Object_alloc_table, t_0), (1))))
              and (JC_61:
                  (forall i_0:int.
                   ((le_int((0), i_0) and lt_int(i_0, integer_of_int32(k))) ->
                    (integer_of_int32(select(intM_intP, shift(t_0, i_0))) = (0))))))))
         }
       begin
         [ { } unit { true } ];
        try
         begin
           (if (K_14:
               ((lt_int_ (integer_of_int32 !k)) (K_13:
                                                (let _jessie_ = t_0 in
                                                (JC_66:
                                                (java_array_length_intM _jessie_))))))
           then
            (if (K_11:
                ((neq_int_ (integer_of_int32 (K_10:
                                             ((safe_acc_ !intM_intP) 
                                              ((shift t_0) (integer_of_int32 !k)))))) (0)))
            then begin   (return := false); (raise Return) end else void)
           else (raise (Loop_exit_exc void)));
          (raise (Loop_continue_exc void)) end with
         Loop_continue_exc _jessie_ ->
         (let _jessie_ =
         (K_12:
         (let _jessie_ = !k in
         begin
           (let _jessie_ =
           (k := (safe_int32_of_integer_ ((add_int (integer_of_int32 _jessie_)) (1)))) in
           void); _jessie_ end)) in void) end end done) with
      Loop_exit_exc _jessie_ -> void end); (return := true); (raise Return);
    absurd  end with Return -> !return end))
  { (JC_43:
    ((result = true)
    <-> (forall i:int.
         ((le_int((0), i)
          and lt_int(i, add_int(offset_max(Object_alloc_table, t_0), (1)))) ->
          (integer_of_int32(select(intM_intP, shift(t_0, i))) = (0)))))) } 

let AllZeros_all_zeros_safety =
 fun (t_0 : Object pointer) ->
  { (left_valid_struct_intM(t_0, (0), Object_alloc_table)
    and (JC_41: Non_null_intM(t_0, Object_alloc_table))) }
  (init:
  (let return = ref (any_bool void) in
  try
   begin
     (let k = ref (safe_int32_of_integer_ (K_3: (0))) in
     try
      (loop_1:
      while true do
      { invariant (JC_52: true)
        variant (JC_58 : sub_int(add_int(offset_max(Object_alloc_table, t_0),
                                 (1)),
                         integer_of_int32(k))) }
       begin
         [ { } unit reads Object_alloc_table,intM_intP,k
           { (JC_50:
             ((JC_47: le_int((0), integer_of_int32(k)))
             and ((JC_48:
                  le_int(integer_of_int32(k),
                  add_int(offset_max(Object_alloc_table, t_0), (1))))
                 and (JC_49:
                     (forall i_0:int.
                      ((le_int((0), i_0)
                       and lt_int(i_0, integer_of_int32(k))) ->
                       (integer_of_int32(select(intM_intP, shift(t_0, i_0))) = (0)))))))) } ];
        try
         begin
           (if (K_14:
               ((lt_int_ (integer_of_int32 !k)) (K_13:
                                                (let _jessie_ = t_0 in
                                                (JC_55:
                                                (assert
                                                { ge_int(offset_max(Object_alloc_table,
                                                         _jessie_),
                                                  (-1)) };
                                                (JC_54:
                                                (java_array_length_intM_requires _jessie_))))))))
           then
            (if (K_11:
                ((neq_int_ (integer_of_int32 (K_10:
                                             (JC_56:
                                             ((((offset_acc_ !Object_alloc_table) !intM_intP) t_0) 
                                              (integer_of_int32 !k)))))) (0)))
            then begin   (return := false); (raise Return) end else void)
           else (raise (Loop_exit_exc void)));
          (raise (Loop_continue_exc void)) end with
         Loop_continue_exc _jessie_ ->
         (let _jessie_ =
         (K_12:
         (let _jessie_ = !k in
         begin
           (let _jessie_ =
           (k := (JC_57:
                 (int32_of_integer_ ((add_int (integer_of_int32 _jessie_)) (1))))) in
           void); _jessie_ end)) in void) end end done) with
      Loop_exit_exc _jessie_ -> void end); (return := true); (raise Return);
    absurd  end with Return -> !return end)) { true } 

let AllZeros_should_not_be_proved_ensures_default =
 fun (t : Object pointer) ->
  { left_valid_struct_intM(t, (0), Object_alloc_table) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (return := (safe_int32_of_integer_ (K_15:
                                        (let _jessie_ = t in
                                        (JC_86:
                                        (java_array_length_intM _jessie_))))));
    (raise Return); absurd  end with Return -> !return end))
  { (JC_79: true) } 

let AllZeros_should_not_be_proved_safety =
 fun (t : Object pointer) ->
  { left_valid_struct_intM(t, (0), Object_alloc_table) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (return := (JC_85:
                (int32_of_integer_ (K_15:
                                   (let _jessie_ = t in
                                   (JC_84:
                                   (assert
                                   { ge_int(offset_max(Object_alloc_table,
                                            _jessie_),
                                     (-1)) };
                                   (JC_83:
                                   (java_array_length_intM_requires _jessie_)))))))));
    (raise Return); absurd  end with Return -> !return end)) { true } 

let cons_AllZeros_ensures_default =
 fun (this_0 : Object pointer) ->
  { valid_struct_AllZeros(this_0, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_71: true) } 

let cons_AllZeros_safety =
 fun (this_0 : Object pointer) ->
  { valid_struct_AllZeros(this_0, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 


why-2.39/tests/java/oracle/TreeMax.res.oracle0000644000106100004300000016734513147234006020125 0ustar  marchevals========== file tests/java/TreeMax.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@+ TerminationPolicy = user

/*@ axiomatic integer_max {
  @   logic integer max(integer x, integer y);
  @   axiom max_is_ge : \forall integer x y; max(x,y) >= x && max(x,y) >= y;
  @   axiom max_is_some : \forall integer x y; max(x,y) == x || max(x,y) == y;
  @ }
  @*/

class Int {
    //@ ensures \result == max(x,y);
    public static int max(int x, int y);
}

/*@ axiomatic Mem {
  @   predicate mem{L}(int x, Tree t);
  @   axiom mem_null{L}: \forall int x; ! mem(x,null);
  @   axiom mem_root{L}: \forall Tree t; t != null ==>
  @     mem(t.value,t);
  @   axiom mem_root_eq{L}: \forall int x, Tree t; t != null ==>
  @     x==t.value ==> mem(x,t);
  @   axiom mem_left{L}: \forall int x, Tree t; t != null ==>
  @     mem(x,t.left) ==> mem(x,t);
  @   axiom mem_right{L}: \forall int x, Tree t; t != null ==>
  @     mem(x,t.right) ==> mem(x,t);
  @   axiom mem_inversion{L}: \forall int x, Tree t;
  @     mem(x,t) ==> t != null &&
  @       (x==t.value || mem(x,t.left) || mem(x,t.right));
  @ }
  @*/

/* attempt to prove termination, not succesful yet */
/* axiomatic Finite {
  @   predicate has_size{L}(Tree t, integer s);
  @   axiom has_size_null{L}: has_size(null,0);
  @   axiom has_size_non_null{L}: \forall Tree t; t != null ==>
  @     \forall integer s1 s2;
  @     has_size(t.left,s1) && has_size(t.right,s2) ==>
  @     has_size(t,s1+s2+1) ;
  @   axiom has_size_inversion{L}: \forall Tree t, integer s;
  @     has_size(t,s) ==>
  @       (t == null && s == 0) ||
  @       (t != null && \exists integer s1 s2;
  @            has_size(t.left,s1) && has_size(t.right,s2) &&
  @            0 <= s1 && 0 <= s2 && s == s1+s2+1) ;
  @   predicate size_decreases{L}(Tree t1, Tree t2) =
  @     \exists integer s1 s2; has_size(t1,s1) && has_size(t2,s2) && s1 > s2;
  @ }
  @*/

class Tree {

    int value;
    Tree left;
    Tree right;

    /*@ // requires \exists integer s; has_size(this,s);
      @ // decreases this for size_decreases;
      @ ensures mem(\result,this) &&
      @   \forall int x; mem(x,this) ==> \result >= x;
      @*/
    int tree_max() {
        int m = value;
        if (left != null) m = Int.max(m,left.tree_max());
        if (right != null) m = Int.max(m,right.tree_max());
        return m;
    }

}

========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function cons_Int for constructor Int
Generating JC function Object_equals for method Object.equals
Generating JC function Object_notify for method Object.notify
Generating JC function Object_registerNatives for method Object.registerNatives
Generating JC function Object_hashCode for method Object.hashCode
Generating JC function Object_wait_long_int for method Object.wait
Generating JC function Object_toString for method Object.toString
Generating JC function Object_notifyAll for method Object.notifyAll
Generating JC function cons_Object for constructor Object
Generating JC function Int_max for method Int.max
Generating JC function Tree_tree_max for method Tree.tree_max
Generating JC function Object_clone for method Object.clone
Generating JC function Object_wait_long for method Object.wait
Generating JC function Object_finalize for method Object.finalize
Generating JC function Object_wait for method Object.wait
Generating JC function cons_Tree for constructor Tree
Done.
========== file tests/java/TreeMax.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = user
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

type byte = -128..127

type short = -32768..32767

type int32 = -2147483648..2147483647

type long = -9223372036854775808..9223372036854775807

type char = 0..65535

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag Int = Object with {
}

tag Tree = Object with {
  int32 value; 
  Tree[0..] left; 
  Tree[0..] right;
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

axiomatic Mem {

  predicate mem{L}(int32 x_3, Tree[0..] t)
   
  axiom mem_inversion{L} :
  (\forall int32 x_8;
    (\forall Tree[0] t_4;
      (mem{L}(x_8, t_4) ==>
        (Non_null_Object(t_4) &&
          (((x_8 == t_4.value) || mem{L}(x_8, t_4.left)) ||
            mem{L}(x_8, t_4.right))))))
   
  axiom mem_right{L} :
  (\forall int32 x_7;
    (\forall Tree[0] t_3;
      (Non_null_Object(t_3) ==>
        (mem{L}(x_7, t_3.right) ==> mem{L}(x_7, t_3)))))
   
  axiom mem_left{L} :
  (\forall int32 x_6;
    (\forall Tree[0] t_2;
      (Non_null_Object(t_2) ==> (mem{L}(x_6, t_2.left) ==> mem{L}(x_6, t_2)))))
   
  axiom mem_root_eq{L} :
  (\forall int32 x_5;
    (\forall Tree[0] t_1;
      (Non_null_Object(t_1) ==> ((x_5 == t_1.value) ==> mem{L}(x_5, t_1)))))
   
  axiom mem_root{L} :
  (\forall Tree[0] t_0;
    (Non_null_Object(t_0) ==> mem{L}(t_0.value, t_0)))
   
  axiom mem_null{L} :
  (\forall int32 x_4;
    (! mem{L}(x_4, null)))
  
}

axiomatic integer_max {

  logic integer max(integer x, integer y)
   
  axiom max_is_some :
  (\forall integer x_1;
    (\forall integer y_1;
      ((max(x_1, y_1) == x_1) || (max(x_1, y_1) == y_1))))
   
  axiom max_is_ge :
  (\forall integer x_0;
    (\forall integer y_0;
      ((max(x_0, y_0) >= x_0) && (max(x_0, y_0) >= y_0))))
  
}

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

unit cons_Int(! Int[0] this_0){()}

boolean Object_equals(Object[0] this_5, Object[0..] obj)
;

unit Object_notify(Object[0] this_6)
;

unit Object_registerNatives()
;

int32 Object_hashCode(Object[0] this_7)
;

unit Object_wait_long_int(Object[0] this_8, long timeout_0, int32 nanos)
;

String[0..] Object_toString(Object[0] this_9)
;

unit Object_notifyAll(Object[0] this_10)
;

unit cons_Object(! Object[0] this_15){()}

int32 Int_max(int32 x_2, int32 y_2)
behavior default:
  ensures (K_1 : (\result == max(x_2, y_2)));
;

int32 Tree_tree_max(Tree[0] this_2)
behavior default:
  ensures (K_4 : ((K_3 : mem{Here}(\result, this_2)) &&
                   (K_2 : (\forall int32 x_9;
                            (mem{Here}(x_9, this_2) ==> (\result >= x_9))))));
{  
   {  
      (var int32 m = (K_13 : this_2.value));
      
      {  (if non_null_Object((K_8 : this_2.left)) then (m = (K_7 : Int_max(
                                                            m,
                                                            (K_6 : Tree_tree_max(
                                                            (K_5 : this_2.left)))))) else ());
         (if non_null_Object((K_12 : this_2.right)) then (m = (K_11 : Int_max(
                                                              m,
                                                              (K_10 : Tree_tree_max(
                                                              (K_9 : this_2.right)))))) else ());
         
         (return m)
      }
   }
}

Object[0..] Object_clone(Object[0] this_11)
;

unit Object_wait_long(Object[0] this_12, long timeout)
;

unit Object_finalize(Object[0] this_13)
;

unit Object_wait(Object[0] this_14)
;

unit cons_Tree(! Tree[0] this_4)
{  (this_4.value = 0);
   (this_4.left = null);
   (this_4.right = null)
}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/TreeMax.jloc tests/java/TreeMax.jc && make -f tests/java/TreeMax.makefile gui"
End:
*/
========== file tests/java/TreeMax.jloc ==========
[cons_Tree]
name = "Constructor of class Tree"
file = "HOME/"
line = 0
begin = -1
end = -1

[Object_wait_long]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[K_11]
file = "HOME/tests/java/TreeMax.java"
line = 96
begin = 31
end = 58

[mem_left]
name = "Lemma mem_left"
file = "HOME/"
line = 0
begin = 0
end = 0

[K_13]
file = "HOME/tests/java/TreeMax.java"
line = 94
begin = 16
end = 21

[max_is_some]
name = "Lemma max_is_some"
file = "HOME/"
line = 0
begin = 0
end = 0

[Object_finalize]
name = "Method finalize"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[K_9]
file = "HOME/tests/java/TreeMax.java"
line = 96
begin = 41
end = 46

[Object_wait]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[Object_notify]
name = "Method notify"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[Object_clone]
name = "Method clone"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[cons_Object]
name = "Constructor of class Object"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_1]
file = "HOME/tests/java/TreeMax.java"
line = 42
begin = 16
end = 35

[Int_max]
name = "Method max"
file = "HOME/tests/java/TreeMax.java"
line = 43
begin = 22
end = 25

[K_4]
file = "HOME/tests/java/TreeMax.java"
line = 90
begin = 16
end = 90

[K_12]
file = "HOME/tests/java/TreeMax.java"
line = 96
begin = 12
end = 17

[Object_wait_long_int]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[Object_registerNatives]
name = "Method registerNatives"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[mem_root]
name = "Lemma mem_root"
file = "HOME/"
line = 0
begin = 0
end = 0

[K_2]
file = "HOME/tests/java/TreeMax.java"
line = 91
begin = 10
end = 53

[mem_null]
name = "Lemma mem_null"
file = "HOME/"
line = 0
begin = 0
end = 0

[K_10]
file = "HOME/tests/java/TreeMax.java"
line = 96
begin = 41
end = 57

[K_6]
file = "HOME/tests/java/TreeMax.java"
line = 95
begin = 40
end = 55

[cons_Int]
name = "Constructor of class Int"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_8]
file = "HOME/tests/java/TreeMax.java"
line = 95
begin = 12
end = 16

[K_3]
file = "HOME/tests/java/TreeMax.java"
line = 90
begin = 16
end = 33

[max_is_ge]
name = "Lemma max_is_ge"
file = "HOME/"
line = 0
begin = 0
end = 0

[mem_inversion]
name = "Lemma mem_inversion"
file = "HOME/"
line = 0
begin = 0
end = 0

[Tree_tree_max]
name = "Method tree_max"
file = "HOME/tests/java/TreeMax.java"
line = 93
begin = 8
end = 16

[Object_notifyAll]
name = "Method notifyAll"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[mem_root_eq]
name = "Lemma mem_root_eq"
file = "HOME/"
line = 0
begin = 0
end = 0

[mem_right]
name = "Lemma mem_right"
file = "HOME/"
line = 0
begin = 0
end = 0

[K_5]
file = "HOME/tests/java/TreeMax.java"
line = 95
begin = 40
end = 44

[Object_equals]
name = "Method equals"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[K_7]
file = "HOME/tests/java/TreeMax.java"
line = 95
begin = 30
end = 56

[Object_hashCode]
name = "Method hashCode"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[Object_toString]
name = "Method toString"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

========== jessie execution ==========
Generating Why function cons_Int
Generating Why function cons_Object
Generating Why function Tree_tree_max
Generating Why function cons_Tree
========== file tests/java/TreeMax.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/TreeMax_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: TreeMax.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: TreeMax.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: TreeMax.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/java/TreeMax.loc ==========
[JC_94]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_73]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_158]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_63]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_80]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_51]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[JC_71]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Tree_safety]
name = "Constructor of class Tree"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_147]
file = "HOME/"
line = 0
begin = -1
end = -1

[Tree_tree_max_safety]
name = "Method tree_max"
behavior = "Safety"
file = "HOME/tests/java/TreeMax.java"
line = 93
begin = 8
end = 16

[JC_151]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[JC_45]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[JC_123]
kind = UserCall
file = "HOME/tests/java/TreeMax.java"
line = 96
begin = 41
end = 57

[JC_106]
file = "HOME/tests/java/TreeMax.java"
line = 90
begin = 16
end = 33

[JC_143]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[JC_113]
kind = IndexBounds
file = "HOME/tests/java/TreeMax.java"
line = 95
begin = 40
end = 55

[JC_116]
kind = UserCall
file = "HOME/tests/java/TreeMax.java"
line = 96
begin = 41
end = 57

[JC_64]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_133]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[mem_left]
name = "Lemma mem_left"
behavior = "axiom"
file = "HOME/"
line = 0
begin = 0
end = 0

[max_is_some]
name = "Lemma max_is_some"
behavior = "axiom"
file = "HOME/"
line = 0
begin = 0
end = 0

[cons_Object_ensures_default]
name = "Constructor of class Object"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_99]
file = "HOME/tests/java/TreeMax.java"
line = 93
begin = 8
end = 16

[JC_85]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_126]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_31]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Int_ensures_default]
name = "Constructor of class Int"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_17]
file = "HOME/tests/java/TreeMax.jc"
line = 53
begin = 11
end = 65

[JC_122]
kind = UserCall
file = "HOME/tests/java/TreeMax.jc"
line = 157
begin = 13
end = 51

[JC_81]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_55]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_138]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_134]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_148]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_137]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_48]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_23]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_121]
kind = UserCall
file = "HOME/tests/java/TreeMax.java"
line = 95
begin = 30
end = 56

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_125]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[JC_67]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[JC_9]
file = "HOME/tests/java/TreeMax.jc"
line = 51
begin = 8
end = 23

[JC_75]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[JC_24]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_25]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_78]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_41]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_74]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_47]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_52]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[mem_root]
name = "Lemma mem_root"
behavior = "axiom"
file = "HOME/"
line = 0
begin = 0
end = 0

[JC_154]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_79]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_130]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_82]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_163]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_153]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_87]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/java/TreeMax.jc"
line = 51
begin = 8
end = 23

[JC_98]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_70]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_104]
file = "HOME/tests/java/TreeMax.java"
line = 91
begin = 10
end = 53

[JC_91]
file = "HOME/tests/java/TreeMax.java"
line = 43
begin = 22
end = 25

[JC_39]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_112]
kind = UserCall
file = "HOME/tests/java/TreeMax.java"
line = 95
begin = 40
end = 55

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_162]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_135]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[JC_83]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_35]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[mem_null]
name = "Lemma mem_null"
behavior = "axiom"
file = "HOME/"
line = 0
begin = 0
end = 0

[JC_132]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[JC_115]
kind = UserCall
file = "HOME/tests/java/TreeMax.jc"
line = 157
begin = 13
end = 51

[JC_109]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_107]
file = "HOME/tests/java/TreeMax.java"
line = 91
begin = 10
end = 53

[JC_69]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[JC_124]
kind = UserCall
file = "HOME/tests/java/TreeMax.java"
line = 96
begin = 31
end = 58

[JC_38]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_156]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_127]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[JC_164]
file = "HOME/"
line = 0
begin = -1
end = -1

[Tree_tree_max_ensures_default]
name = "Method tree_max"
behavior = "default behavior"
file = "HOME/tests/java/TreeMax.java"
line = 93
begin = 8
end = 16

[JC_44]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_155]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
file = "HOME/"
line = 0
begin = -1
end = -1

[max_is_ge]
name = "Lemma max_is_ge"
behavior = "axiom"
file = "HOME/"
line = 0
begin = 0
end = 0

[JC_101]
file = "HOME/tests/java/TreeMax.java"
line = 93
begin = 8
end = 16

[JC_88]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_129]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_42]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_110]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_103]
file = "HOME/tests/java/TreeMax.java"
line = 90
begin = 16
end = 33

[JC_46]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_141]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[JC_61]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_56]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_65]
file = "HOME/"
line = 0
begin = -1
end = -1

[mem_inversion]
name = "Lemma mem_inversion"
behavior = "axiom"
file = "HOME/"
line = 0
begin = 0
end = 0

[JC_118]
kind = UserCall
file = "HOME/tests/java/TreeMax.java"
line = 96
begin = 31
end = 58

[JC_105]
file = "HOME/tests/java/TreeMax.java"
line = 90
begin = 16
end = 90

[JC_140]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_29]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[cons_Tree_ensures_default]
name = "Constructor of class Tree"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_144]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_159]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Object_safety]
name = "Constructor of class Object"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_68]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_96]
file = "HOME/tests/java/TreeMax.java"
line = 42
begin = 16
end = 35

[JC_43]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_95]
file = "HOME/tests/java/TreeMax.java"
line = 42
begin = 16
end = 35

[JC_93]
file = "HOME/tests/java/TreeMax.java"
line = 43
begin = 22
end = 25

[JC_97]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Int_safety]
name = "Constructor of class Int"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_84]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_160]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_128]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_114]
kind = UserCall
file = "HOME/tests/java/TreeMax.java"
line = 95
begin = 30
end = 56

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[mem_root_eq]
name = "Lemma mem_root_eq"
behavior = "axiom"
file = "HOME/"
line = 0
begin = 0
end = 0

[JC_150]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_117]
kind = IndexBounds
file = "HOME/tests/java/TreeMax.java"
line = 96
begin = 41
end = 57

[JC_90]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_53]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[JC_157]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_145]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_21]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_149]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[JC_111]
kind = UserCall
file = "HOME/tests/java/TreeMax.jc"
line = 153
begin = 13
end = 49

[JC_77]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[JC_49]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1]
file = "HOME/tests/java/TreeMax.jc"
line = 20
begin = 12
end = 22

[JC_131]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_102]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_37]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[JC_142]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[mem_right]
name = "Lemma mem_right"
behavior = "axiom"
file = "HOME/"
line = 0
begin = 0
end = 0

[JC_108]
file = "HOME/tests/java/TreeMax.java"
line = 90
begin = 16
end = 90

[JC_57]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_161]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_146]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_89]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_136]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_66]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_59]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/tests/java/TreeMax.jc"
line = 53
begin = 11
end = 65

[JC_3]
file = "HOME/tests/java/TreeMax.jc"
line = 20
begin = 12
end = 22

[JC_92]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_152]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_86]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_60]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_139]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_72]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_19]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_119]
kind = UserCall
file = "HOME/tests/java/TreeMax.jc"
line = 153
begin = 13
end = 49

[JC_76]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_50]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_120]
kind = UserCall
file = "HOME/tests/java/TreeMax.java"
line = 95
begin = 40
end = 55

[JC_58]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_100]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/java/why/TreeMax.why ==========
type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

logic Int_tag:  -> Object tag_id

axiom Int_parenttag_Object : parenttag(Int_tag, Object_tag)

predicate Non_null_Object(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), (0))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic Tree_tag:  -> Object tag_id

axiom Tree_parenttag_Object : parenttag(Tree_tag, Object_tag)

logic integer_of_byte: byte -> int

logic byte_of_integer: int -> byte

axiom byte_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_byte(byte_of_integer(x)), x)))

axiom byte_extensionality :
 (forall x:byte.
  (forall y:byte[eq_int(integer_of_byte(x), integer_of_byte(y))].
   (eq_int(integer_of_byte(x), integer_of_byte(y)) -> (x = y))))

axiom byte_range :
 (forall x:byte.
  (le_int((-128), integer_of_byte(x)) and le_int(integer_of_byte(x), (127))))

logic integer_of_char: char -> int

logic char_of_integer: int -> char

axiom char_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (65535))) ->
   eq_int(integer_of_char(char_of_integer(x)), x)))

axiom char_extensionality :
 (forall x:char.
  (forall y:char[eq_int(integer_of_char(x), integer_of_char(y))].
   (eq_int(integer_of_char(x), integer_of_char(y)) -> (x = y))))

axiom char_range :
 (forall x:char.
  (le_int((0), integer_of_char(x)) and le_int(integer_of_char(x), (65535))))

predicate eq_byte(x:byte, y:byte) =
 eq_int(integer_of_byte(x), integer_of_byte(y))

predicate eq_char(x:char, y:char) =
 eq_int(integer_of_char(x), integer_of_char(y))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_long: long -> int

predicate eq_long(x:long, y:long) =
 eq_int(integer_of_long(x), integer_of_long(y))

logic integer_of_short: short -> int

predicate eq_short(x:short, y:short) =
 eq_int(integer_of_short(x), integer_of_short(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Int(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Tree(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer: int -> long

axiom long_coerce :
 (forall x:int.
  ((le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807))) ->
   eq_int(integer_of_long(long_of_integer(x)), x)))

axiom long_extensionality :
 (forall x:long.
  (forall y:long[eq_int(integer_of_long(x), integer_of_long(y))].
   (eq_int(integer_of_long(x), integer_of_long(y)) -> (x = y))))

axiom long_range :
 (forall x:long.
  (le_int((-9223372036854775808), integer_of_long(x))
  and le_int(integer_of_long(x), (9223372036854775807))))

logic max: int, int -> int

logic mem: int32, Object pointer, Object alloc_table,
 (Object, Object pointer) memory, (Object, Object pointer) memory,
 (Object, int32) memory -> prop

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Int(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Tree(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer: int -> short

axiom short_coerce :
 (forall x:int.
  ((le_int((-32768), x) and le_int(x, (32767))) ->
   eq_int(integer_of_short(short_of_integer(x)), x)))

axiom short_extensionality :
 (forall x:short.
  (forall y:short[eq_int(integer_of_short(x), integer_of_short(y))].
   (eq_int(integer_of_short(x), integer_of_short(y)) -> (x = y))))

axiom short_range :
 (forall x:short.
  (le_int((-32768), integer_of_short(x))
  and le_int(integer_of_short(x), (32767))))

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Int(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Tree(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Int(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Tree(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

axiom mem_inversion :
 (forall Object_alloc_table_at_L:Object alloc_table.
  (forall Tree_right_at_L:(Object, Object pointer) memory.
   (forall Tree_left_at_L:(Object, Object pointer) memory.
    (forall Tree_value_at_L:(Object, int32) memory.
     (forall x_8:int32.
      (forall t_4:Object pointer.
       (mem(x_8, t_4, Object_alloc_table_at_L, Tree_right_at_L,
        Tree_left_at_L, Tree_value_at_L) ->
        (Non_null_Object(t_4, Object_alloc_table_at_L)
        and ((integer_of_int32(x_8) = integer_of_int32(select(Tree_value_at_L,
                                                       t_4)))
            or (mem(x_8, select(Tree_left_at_L, t_4),
                Object_alloc_table_at_L, Tree_right_at_L, Tree_left_at_L,
                Tree_value_at_L)
               or mem(x_8, select(Tree_right_at_L, t_4),
                  Object_alloc_table_at_L, Tree_right_at_L, Tree_left_at_L,
                  Tree_value_at_L)))))))))))

axiom mem_right :
 (forall Object_alloc_table_at_L:Object alloc_table.
  (forall Tree_right_at_L:(Object, Object pointer) memory.
   (forall Tree_left_at_L:(Object, Object pointer) memory.
    (forall Tree_value_at_L:(Object, int32) memory.
     (forall x_7:int32.
      (forall t_3:Object pointer.
       (Non_null_Object(t_3, Object_alloc_table_at_L) ->
        (mem(x_7, select(Tree_right_at_L, t_3), Object_alloc_table_at_L,
         Tree_right_at_L, Tree_left_at_L, Tree_value_at_L) ->
         mem(x_7, t_3, Object_alloc_table_at_L, Tree_right_at_L,
         Tree_left_at_L, Tree_value_at_L)))))))))

axiom mem_left :
 (forall Object_alloc_table_at_L:Object alloc_table.
  (forall Tree_right_at_L:(Object, Object pointer) memory.
   (forall Tree_left_at_L:(Object, Object pointer) memory.
    (forall Tree_value_at_L:(Object, int32) memory.
     (forall x_6:int32.
      (forall t_2:Object pointer.
       (Non_null_Object(t_2, Object_alloc_table_at_L) ->
        (mem(x_6, select(Tree_left_at_L, t_2), Object_alloc_table_at_L,
         Tree_right_at_L, Tree_left_at_L, Tree_value_at_L) ->
         mem(x_6, t_2, Object_alloc_table_at_L, Tree_right_at_L,
         Tree_left_at_L, Tree_value_at_L)))))))))

axiom mem_root_eq :
 (forall Object_alloc_table_at_L:Object alloc_table.
  (forall Tree_right_at_L:(Object, Object pointer) memory.
   (forall Tree_left_at_L:(Object, Object pointer) memory.
    (forall Tree_value_at_L:(Object, int32) memory.
     (forall x_5:int32.
      (forall t_1:Object pointer.
       (Non_null_Object(t_1, Object_alloc_table_at_L) ->
        ((integer_of_int32(x_5) = integer_of_int32(select(Tree_value_at_L,
                                                   t_1))) ->
         mem(x_5, t_1, Object_alloc_table_at_L, Tree_right_at_L,
         Tree_left_at_L, Tree_value_at_L)))))))))

axiom mem_root :
 (forall Object_alloc_table_at_L:Object alloc_table.
  (forall Tree_right_at_L:(Object, Object pointer) memory.
   (forall Tree_left_at_L:(Object, Object pointer) memory.
    (forall Tree_value_at_L:(Object, int32) memory.
     (forall t_0:Object pointer.
      (Non_null_Object(t_0, Object_alloc_table_at_L) ->
       mem(select(Tree_value_at_L, t_0), t_0, Object_alloc_table_at_L,
       Tree_right_at_L, Tree_left_at_L, Tree_value_at_L)))))))

axiom mem_null :
 (forall Object_alloc_table_at_L:Object alloc_table.
  (forall Tree_right_at_L:(Object, Object pointer) memory.
   (forall Tree_left_at_L:(Object, Object pointer) memory.
    (forall Tree_value_at_L:(Object, int32) memory.
     (forall x_4:int32.
      (not mem(x_4, null, Object_alloc_table_at_L, Tree_right_at_L,
           Tree_left_at_L, Tree_value_at_L)))))))

axiom max_is_some :
 (forall x_1_0:int.
  (forall y_1:int. ((max(x_1_0, y_1) = x_1_0) or (max(x_1_0, y_1) = y_1))))

axiom max_is_ge :
 (forall x_0_0:int.
  (forall y_0:int.
   (ge_int(max(x_0_0, y_0), x_0_0) and ge_int(max(x_0_0, y_0), y_0))))

exception Exception_exc of Object pointer

parameter Int_max :
 x_2_0:int32 ->
  y_2:int32 ->
   { } int32
   { (JC_96:
     (integer_of_int32(result) = max(integer_of_int32(x_2_0),
                                 integer_of_int32(y_2)))) }

parameter Int_max_requires :
 x_2_0:int32 ->
  y_2:int32 ->
   { } int32
   { (JC_96:
     (integer_of_int32(result) = max(integer_of_int32(x_2_0),
                                 integer_of_int32(y_2)))) }

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Object_alloc_table : Object alloc_table ref

parameter Object_clone :
 this_11:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_clone_requires :
 this_11:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_equals :
 this_5:Object pointer ->
  obj:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Object_equals_requires :
 this_5:Object pointer ->
  obj:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Object_finalize :
 this_13:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_finalize_requires :
 this_13:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_hashCode :
 this_7:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter Object_hashCode_requires :
 this_7:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter Object_notify :
 this_6:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notifyAll :
 this_10:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notifyAll_requires :
 this_10:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notify_requires :
 this_6:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_registerNatives : tt:unit -> { } unit { true }

parameter Object_registerNatives_requires : tt:unit -> { } unit { true }

parameter Object_tag_table : Object tag_table ref

parameter Object_toString :
 this_9:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_toString_requires :
 this_9:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_wait :
 this_14:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long :
 this_12:Object pointer ->
  timeout:long -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_int :
 this_8:Object pointer ->
  timeout_0:long -> nanos:int32 -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_int_requires :
 this_8:Object pointer ->
  timeout_0:long -> nanos:int32 -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_requires :
 this_12:Object pointer ->
  timeout:long -> { } unit reads Object_alloc_table { true }

parameter Object_wait_requires :
 this_14:Object pointer -> { } unit reads Object_alloc_table { true }

exception Return_label_exc of unit

exception Throwable_exc of Object pointer

parameter Tree_left : (Object, Object pointer) memory ref

parameter Tree_right : (Object, Object pointer) memory ref

parameter Tree_value : (Object, int32) memory ref

parameter Tree_tree_max :
 this_2:Object pointer ->
  { } int32 reads Object_alloc_table,Tree_left,Tree_right,Tree_value
  { (JC_108:
    ((JC_106:
     mem(result, this_2, Object_alloc_table, Tree_right, Tree_left,
     Tree_value))
    and (JC_107:
        (forall x_9:int32.
         (mem(x_9, this_2, Object_alloc_table, Tree_right, Tree_left,
          Tree_value) ->
          ge_int(integer_of_int32(result), integer_of_int32(x_9))))))) }

parameter Tree_tree_max_requires :
 this_2:Object pointer ->
  { } int32 reads Object_alloc_table,Tree_left,Tree_right,Tree_value
  { (JC_108:
    ((JC_106:
     mem(result, this_2, Object_alloc_table, Tree_right, Tree_left,
     Tree_value))
    and (JC_107:
        (forall x_9:int32.
         (mem(x_9, this_2, Object_alloc_table, Tree_right, Tree_left,
          Tree_value) ->
          ge_int(integer_of_int32(result), integer_of_int32(x_9))))))) }

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Int :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Int(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Int_tag)))) }

parameter alloc_struct_Int_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Int(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Int_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Tree :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Tree(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Tree_tag)))) }

parameter alloc_struct_Tree_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Tree(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Tree_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_byte : unit -> { } byte { true }

parameter any_char : unit -> { } char { true }

parameter any_int32 : unit -> { } int32 { true }

parameter any_long : unit -> { } long { true }

parameter any_short : unit -> { } short { true }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter byte_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} byte
  { eq_int(integer_of_byte(result), x) }

parameter char_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (65535)))} char
  { eq_int(integer_of_char(result), x) }

parameter cons_Int :
 this_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Int_requires :
 this_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Object :
 this_15:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Object_requires :
 this_15:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Tree :
 this_4:Object pointer ->
  { } unit reads Object_alloc_table writes Tree_left,Tree_right,Tree_value
  { true }

parameter cons_Tree_requires :
 this_4:Object pointer ->
  { } unit reads Object_alloc_table writes Tree_left,Tree_right,Tree_value
  { true }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter long_of_integer_ :
 x:int ->
  { (le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807)))}
  long { eq_int(integer_of_long(result), x) }

parameter non_null_Object :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter non_null_Object_requires :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter safe_byte_of_integer_ :
 x:int -> { } byte { eq_int(integer_of_byte(result), x) }

parameter safe_char_of_integer_ :
 x:int -> { } char { eq_int(integer_of_char(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_long_of_integer_ :
 x:int -> { } long { eq_int(integer_of_long(result), x) }

parameter safe_short_of_integer_ :
 x:int -> { } short { eq_int(integer_of_short(result), x) }

parameter short_of_integer_ :
 x:int ->
  { (le_int((-32768), x) and le_int(x, (32767)))} short
  { eq_int(integer_of_short(result), x) }

let Tree_tree_max_ensures_default =
 fun (this_2 : Object pointer) ->
  { valid_struct_Tree(this_2, (0), (0), Object_alloc_table) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let m = ref (K_13: ((safe_acc_ !Tree_value) this_2)) in
     begin
       (if (let _jessie_ = (K_8: ((safe_acc_ !Tree_left) this_2)) in
           (JC_119: (non_null_Object _jessie_)))
       then
        (let _jessie_ =
        (m := (K_7:
              (let _jessie_ = !m in
              (let _jessie_ =
              (K_6:
              (let _jessie_ = (K_5: ((safe_acc_ !Tree_left) this_2)) in
              (JC_120: (Tree_tree_max _jessie_)))) in
              (JC_121: ((Int_max _jessie_) _jessie_)))))) in void)
       else void);
      (if (let _jessie_ = (K_12: ((safe_acc_ !Tree_right) this_2)) in
          (JC_122: (non_null_Object _jessie_)))
      then
       (let _jessie_ =
       (m := (K_11:
             (let _jessie_ = !m in
             (let _jessie_ =
             (K_10:
             (let _jessie_ = (K_9: ((safe_acc_ !Tree_right) this_2)) in
             (JC_123: (Tree_tree_max _jessie_)))) in
             (JC_124: ((Int_max _jessie_) _jessie_)))))) in void)
      else void); (return := !m); (raise Return) end); absurd  end with
   Return -> !return end))
  { (JC_105:
    ((JC_103:
     mem(result, this_2, Object_alloc_table, Tree_right, Tree_left,
     Tree_value))
    and (JC_104:
        (forall x_9:int32.
         (mem(x_9, this_2, Object_alloc_table, Tree_right, Tree_left,
          Tree_value) ->
          ge_int(integer_of_int32(result), integer_of_int32(x_9))))))) } 

let Tree_tree_max_safety =
 fun (this_2 : Object pointer) ->
  { valid_struct_Tree(this_2, (0), (0), Object_alloc_table) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let m = ref (K_13: ((safe_acc_ !Tree_value) this_2)) in
     begin
       (if (let _jessie_ = (K_8: ((safe_acc_ !Tree_left) this_2)) in
           (JC_111: (non_null_Object_requires _jessie_)))
       then
        (let _jessie_ =
        (m := (K_7:
              (let _jessie_ = !m in
              (let _jessie_ =
              (K_6:
              (let _jessie_ = (K_5: ((safe_acc_ !Tree_left) this_2)) in
              (JC_113:
              (assert
              { ge_int(offset_max(Object_alloc_table, _jessie_), (0)) };
              (JC_112: (Tree_tree_max_requires _jessie_)))))) in
              (JC_114: ((Int_max_requires _jessie_) _jessie_)))))) in void)
       else void);
      (if (let _jessie_ = (K_12: ((safe_acc_ !Tree_right) this_2)) in
          (JC_115: (non_null_Object_requires _jessie_)))
      then
       (let _jessie_ =
       (m := (K_11:
             (let _jessie_ = !m in
             (let _jessie_ =
             (K_10:
             (let _jessie_ = (K_9: ((safe_acc_ !Tree_right) this_2)) in
             (JC_117:
             (assert
             { ge_int(offset_max(Object_alloc_table, _jessie_), (0)) };
             (JC_116: (Tree_tree_max_requires _jessie_)))))) in
             (JC_118: ((Int_max_requires _jessie_) _jessie_)))))) in
       void) else void); (return := !m); (raise Return) end); absurd  end
   with Return -> !return end)) { true } 

let cons_Int_ensures_default =
 fun (this_0 : Object pointer) ->
  { valid_struct_Int(this_0, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_23: true) } 

let cons_Int_safety =
 fun (this_0 : Object pointer) ->
  { valid_struct_Int(this_0, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 

let cons_Object_ensures_default =
 fun (this_15 : Object pointer) ->
  { valid_struct_Object(this_15, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_87: true) } 

let cons_Object_safety =
 fun (this_15 : Object pointer) ->
  { valid_struct_Object(this_15, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 

let cons_Tree_ensures_default =
 fun (this_4 : Object pointer) ->
  { valid_struct_Tree(this_4, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = (safe_int32_of_integer_ (0)) in
       (let _jessie_ = this_4 in
       (((safe_upd_ Tree_value) _jessie_) _jessie_)));
      (let _jessie_ = null in
      (let _jessie_ = this_4 in
      (((safe_upd_ Tree_left) _jessie_) _jessie_)));
      (let _jessie_ = null in
      begin
        (let _jessie_ = this_4 in
        (((safe_upd_ Tree_right) _jessie_) _jessie_)); _jessie_ end)
     end in void); (raise Return) end with Return -> void end)
  { (JC_161: true) } 

let cons_Tree_safety =
 fun (this_4 : Object pointer) ->
  { valid_struct_Tree(this_4, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = (safe_int32_of_integer_ (0)) in
       (let _jessie_ = this_4 in
       (((safe_upd_ Tree_value) _jessie_) _jessie_)));
      (let _jessie_ = null in
      (let _jessie_ = this_4 in
      (((safe_upd_ Tree_left) _jessie_) _jessie_)));
      (let _jessie_ = null in
      begin
        (let _jessie_ = this_4 in
        (((safe_upd_ Tree_right) _jessie_) _jessie_)); _jessie_ end)
     end in void); (raise Return) end with Return -> void end) { true } 


why-2.39/tests/java/oracle/Assertion.err.oracle0000644000106100004300000000000013147234006020474 0ustar  marchevalswhy-2.39/tests/java/oracle/BinarySearchWrong.res.oracle0000644000106100004300000017343013147234006022137 0ustar  marchevals========== file tests/java/BinarySearchWrong.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

// RUNSIMPLIFY this tells regtests to run Simplify in this example

//+ CheckArithOverflow = yes

/* lemma mean_property1 :
  @   \forall integer x y; x <= y ==> x <= (x+y)/2 <= y;
  @*/

/* lemma mean_property2 :
  @   \forall integer x y; x <= y ==> x <= x+(y-x)/2 <= y;
  @*/

/* lemma div2_property :
  @   \forall integer x; 0 <= x ==> 0 <= x/2 <= x;
  @*/

/*@ predicate is_sorted{L}(int[] t) =
  @   t != null &&
  @   \forall integer i j;
  @     0 <= i && i <= j && j < t.length ==> t[i] <= t[j] ;
  @*/


class BinarySearch {

    /* binary_search(t,v) search for element v in array t
       between index 0 and t.length-1
       array t is assumed to be sorted in increasing order
       returns an index i between 0 and t.length-1 where t[i] equals v,
       or -1 if no element in t is equal to v
    */

    /*@ requires t != null;
      @ ensures -1 <= \result < t.length;
      @ behavior success:
      @   ensures \result >= 0 ==> t[\result] == v;
      @ behavior failure:
      @  assumes is_sorted(t);
      @  // assumes
      @  //   \forall integer k1 k2;
      @  //      0 <= k1 <= k2 <= t.length-1 ==> t[k1] <= t[k2];
      @  ensures \result == -1 ==>
      @    \forall integer k; 0 <= k < t.length ==> t[k] != v;
      @*/
    static int binary_search(int t[], int v) {
	int l = 0, u = t.length - 1;
	/*@ loop_invariant
	  @   0 <= l && u <= t.length - 1;
	  @ for failure:
	  @  loop_invariant
	  @    \forall integer k; 0 <= k < t.length ==> t[k] == v ==> l <= k <= u;
	  @ loop_variant
	  @   u-l ;
	  @*/
	while (l <= u ) {
	    int m;
            m = (u + l) / 2;
            // fix: m = l + (u - l) / 2;
            // the following assertion helps provers
            //@ assert l <= m <= u;
	    if (t[m] < v) l = m + 1;
	    else if (t[m] > v) u = m - 1;
	    else return m;
	}
	return -1;
    }

}

/*
Local Variables:
compile-command: "make BinarySearchWrong.why3ide"
End:
*/


========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function cons_BinarySearch for constructor BinarySearch
Generating JC function BinarySearch_binary_search for method BinarySearch.binary_search
Done.
========== file tests/java/BinarySearchWrong.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

type byte = -128..127

type short = -32768..32767

type int32 = -2147483648..2147483647

type long = -9223372036854775808..9223372036854775807

type char = 0..65535

predicate Non_null_intM{Here}(intM[0..] x) =
(\offset_max(x) >= -1)

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag BinarySearch = Object with {
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

tag intM = Object with {
  int32 intP;
}

boolean non_null_intM(! intM[0..] x)
behavior default:
  assigns \nothing;
  ensures (if \result then (\offset_max(x) >= -1) else (x == null));
;

integer java_array_length_intM(! intM[0..-1] x)
behavior default:
  assigns \nothing;
  ensures ((\result <= 2147483647) &&
            ((\result >= 0) && (\result == (\offset_max(x) + 1))));
;

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

predicate is_sorted{L}(intM[0..] t) =
(Non_null_intM(t) &&
  (\forall integer i;
    (\forall integer j;
      ((((0 <= i) && (i <= j)) && (j < (\offset_max(t) + 1))) ==>
        ((t + i).intP <= (t + j).intP)))))

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

unit cons_BinarySearch(! BinarySearch[0] this_0){()}

int32 BinarySearch_binary_search(intM[0..] t_0, int32 v)
  requires (K_6 : Non_null_intM(t_0));
behavior default:
  ensures (K_3 : ((K_2 : ((- 1) <= \result)) &&
                   (K_1 : (\result < (\offset_max(t_0) + 1)))));
behavior success:
  ensures (K_4 : ((\result >= 0) ==> ((t_0 + \result).intP == v)));
behavior failure:
  assumes is_sorted{Here}(t_0);
  ensures (K_5 : ((\result == (- 1)) ==>
                   (\forall integer k;
                     (((0 <= k) && (k < (\offset_max(t_0) + 1))) ==>
                       ((t_0 + k).intP != v)))));
{  
   {  
      (var int32 l = (K_28 : 0));
      
      {  
         (var int32 u = (K_27 : (((K_26 : java_array_length_intM(t_0)) - 1) :> int32)));
         
         {  
            loop 
            behavior default:
              invariant (K_9 : ((K_8 : (0 <= l)) &&
                                 (K_7 : (u <= ((\offset_max(t_0) + 1) - 1)))));
            behavior failure:
              invariant (K_10 : (\forall integer k_0;
                                  (((0 <= k_0) &&
                                     (k_0 < (\offset_max(t_0) + 1))) ==>
                                    (((t_0 + k_0).intP == v) ==>
                                      ((l <= k_0) && (k_0 <= u))))));
            variant (K_11 : (u - l));
            while ((K_24 : (l <= u)))
            {  
               {  
                  (var int32 m);
                  
                  {  (m = (K_13 : (((K_12 : ((u + l) :> int32)) / 2) :> int32)));
                     (K_17 : 
                     (assert (K_16 : ((K_15 : (l <= m)) && (K_14 : (m <= u))))));
                     (if (K_23 : ((K_22 : (t_0 + m).intP) < v)) then (l = 
                     (K_21 : ((m + 1) :> int32))) else (if (K_20 : ((K_19 : 
                                                                    (t_0 +
                                                                    m).intP) >
                                                                    v)) then (u = 
                                                       (K_18 : ((m - 1) :> int32))) else 
                                                       (return m)))
                  }
               }
            };
            
            (return (K_25 : ((- 1) :> int32)))
         }
      }
   }
}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/BinarySearchWrong.jloc tests/java/BinarySearchWrong.jc && make -f tests/java/BinarySearchWrong.makefile gui"
End:
*/
========== file tests/java/BinarySearchWrong.jloc ==========
[K_23]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 92
begin = 9
end = 17

[K_17]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 91
begin = 23
end = 34

[K_11]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 84
begin = 7
end = 10

[K_25]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 96
begin = 8
end = 10

[K_13]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 88
begin = 16
end = 27

[K_9]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 79
begin = 7
end = 34

[K_28]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 77
begin = 9
end = 10

[K_1]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 65
begin = 22
end = 40

[K_15]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 91
begin = 23
end = 29

[K_4]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 67
begin = 18
end = 50

[K_12]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 88
begin = 17
end = 22

[K_20]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 93
begin = 14
end = 22

[cons_BinarySearch]
name = "Constructor of class BinarySearch"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_2]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 65
begin = 16
end = 29

[K_10]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 82
begin = 8
end = 74

[K_6]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 64
begin = 17
end = 26

[K_8]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 79
begin = 7
end = 13

[K_3]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 65
begin = 16
end = 40

[K_27]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 77
begin = 16
end = 28

[K_21]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 92
begin = 23
end = 28

[K_24]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 86
begin = 8
end = 14

[K_14]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 91
begin = 28
end = 34

[K_19]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 93
begin = 14
end = 18

[K_5]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 73
begin = 17
end = 96

[BinarySearch_binary_search]
name = "Method binary_search"
file = "HOME/tests/java/BinarySearchWrong.java"
line = 76
begin = 15
end = 28

[K_18]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 93
begin = 28
end = 33

[K_7]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 79
begin = 17
end = 34

[K_26]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 77
begin = 16
end = 24

[K_22]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 92
begin = 9
end = 13

[K_16]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 91
begin = 23
end = 34

========== jessie execution ==========
Generating Why function cons_BinarySearch
Generating Why function BinarySearch_binary_search
========== file tests/java/BinarySearchWrong.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/BinarySearchWrong_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: BinarySearchWrong.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: BinarySearchWrong.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: BinarySearchWrong.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/java/BinarySearchWrong.loc ==========
[JC_94]
kind = UserCall
file = "HOME/tests/java/BinarySearchWrong.java"
line = 77
begin = 16
end = 24

[JC_73]
kind = DivByZero
file = "HOME/tests/java/BinarySearchWrong.jc"
line = 120
begin = 36
end = 67

[JC_63]
kind = UserCall
file = "HOME/tests/java/BinarySearchWrong.java"
line = 77
begin = 16
end = 24

[BinarySearch_binary_search_ensures_success]
name = "Method binary_search"
behavior = "Behavior `success'"
file = "HOME/tests/java/BinarySearchWrong.java"
line = 76
begin = 15
end = 28

[JC_80]
kind = PointerDeref
file = "HOME/tests/java/BinarySearchWrong.java"
line = 93
begin = 14
end = 18

[JC_51]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 65
begin = 16
end = 29

[JC_71]
file = "HOME/tests/java/BinarySearchWrong.jc"
line = 104
begin = 12
end = 1476

[JC_45]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_106]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 82
begin = 8
end = 74

[JC_113]
kind = DivByZero
file = "HOME/tests/java/BinarySearchWrong.jc"
line = 120
begin = 36
end = 67

[JC_116]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 91
begin = 23
end = 34

[JC_64]
kind = IndexBounds
file = "HOME/tests/java/BinarySearchWrong.java"
line = 77
begin = 16
end = 24

[JC_99]
file = "HOME/tests/java/BinarySearchWrong.jc"
line = 104
begin = 12
end = 1476

[JC_85]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 79
begin = 17
end = 34

[JC_31]
file = "HOME/tests/java/BinarySearchWrong.jc"
line = 65
begin = 8
end = 23

[JC_17]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_81]
kind = ArithOverflow
file = "HOME/tests/java/BinarySearchWrong.java"
line = 93
begin = 28
end = 33

[JC_55]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 65
begin = 22
end = 40

[BinarySearch_binary_search_ensures_failure]
name = "Method binary_search"
behavior = "Behavior `failure'"
file = "HOME/tests/java/BinarySearchWrong.java"
line = 76
begin = 15
end = 28

[JC_48]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_23]
file = "HOME/tests/java/BinarySearchWrong.jc"
line = 61
begin = 11
end = 103

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_67]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 79
begin = 17
end = 34

[JC_9]
file = "HOME/tests/java/BinarySearchWrong.jc"
line = 52
begin = 8
end = 21

[JC_75]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 91
begin = 23
end = 29

[JC_24]
file = "HOME/tests/java/BinarySearchWrong.jc"
line = 60
begin = 10
end = 18

[JC_25]
file = "HOME/tests/java/BinarySearchWrong.jc"
line = 61
begin = 11
end = 103

[JC_78]
kind = PointerDeref
file = "HOME/tests/java/BinarySearchWrong.java"
line = 92
begin = 9
end = 13

[JC_41]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_74]
kind = ArithOverflow
file = "HOME/tests/java/BinarySearchWrong.java"
line = 88
begin = 16
end = 27

[JC_47]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 64
begin = 17
end = 26

[JC_52]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 65
begin = 22
end = 40

[JC_26]
file = "HOME/tests/java/BinarySearchWrong.jc"
line = 60
begin = 10
end = 18

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_BinarySearch_safety]
name = "Constructor of class BinarySearch"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 65
begin = 16
end = 29

[JC_79]
kind = ArithOverflow
file = "HOME/tests/java/BinarySearchWrong.java"
line = 92
begin = 23
end = 28

[JC_13]
file = "HOME/tests/java/BinarySearchWrong.jc"
line = 55
begin = 11
end = 66

[JC_82]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 84
begin = 7
end = 10

[JC_87]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/java/BinarySearchWrong.jc"
line = 52
begin = 8
end = 21

[JC_98]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_70]
file = "HOME/tests/java/BinarySearchWrong.jc"
line = 104
begin = 12
end = 1476

[JC_15]
file = "HOME/tests/java/BinarySearchWrong.jc"
line = 55
begin = 11
end = 66

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_104]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 91
begin = 23
end = 34

[JC_91]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 91
begin = 23
end = 29

[JC_39]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_112]
file = "HOME/tests/java/BinarySearchWrong.jc"
line = 104
begin = 12
end = 1476

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_83]
kind = UserCall
file = "HOME/tests/java/BinarySearchWrong.java"
line = 77
begin = 16
end = 24

[JC_35]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_115]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 91
begin = 28
end = 34

[JC_109]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 79
begin = 7
end = 34

[JC_107]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 79
begin = 7
end = 13

[JC_69]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_38]
file = "HOME/tests/java/BinarySearchWrong.jc"
line = 67
begin = 11
end = 65

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_44]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 73
begin = 17
end = 96

[JC_101]
kind = DivByZero
file = "HOME/tests/java/BinarySearchWrong.jc"
line = 120
begin = 36
end = 67

[JC_88]
file = "HOME/tests/java/BinarySearchWrong.jc"
line = 104
begin = 12
end = 1476

[JC_42]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_110]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_103]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 91
begin = 28
end = 34

[JC_46]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_61]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 73
begin = 17
end = 96

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_56]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 65
begin = 16
end = 40

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_65]
kind = ArithOverflow
file = "HOME/tests/java/BinarySearchWrong.java"
line = 77
begin = 16
end = 28

[JC_105]
kind = UserCall
file = "HOME/tests/java/BinarySearchWrong.java"
line = 77
begin = 16
end = 24

[JC_29]
file = "HOME/tests/java/BinarySearchWrong.jc"
line = 65
begin = 8
end = 23

[BinarySearch_binary_search_ensures_default]
name = "Method binary_search"
behavior = "default behavior"
file = "HOME/tests/java/BinarySearchWrong.java"
line = 76
begin = 15
end = 28

[JC_68]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 79
begin = 7
end = 34

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/tests/java/BinarySearchWrong.jc"
line = 54
begin = 10
end = 18

[JC_96]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 79
begin = 17
end = 34

[JC_43]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_95]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 79
begin = 7
end = 13

[JC_93]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 91
begin = 23
end = 34

[cons_BinarySearch_ensures_default]
name = "Constructor of class BinarySearch"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_97]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 79
begin = 7
end = 34

[JC_84]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 79
begin = 7
end = 13

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_114]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 91
begin = 23
end = 29

[JC_14]
file = "HOME/tests/java/BinarySearchWrong.jc"
line = 54
begin = 10
end = 18

[JC_90]
kind = DivByZero
file = "HOME/tests/java/BinarySearchWrong.jc"
line = 120
begin = 36
end = 67

[JC_53]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 65
begin = 16
end = 40

[JC_21]
file = "HOME/tests/java/BinarySearchWrong.jc"
line = 58
begin = 8
end = 30

[JC_111]
file = "HOME/tests/java/BinarySearchWrong.jc"
line = 104
begin = 12
end = 1476

[JC_77]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 91
begin = 23
end = 34

[JC_49]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 64
begin = 17
end = 26

[JC_1]
file = "HOME/tests/java/BinarySearchWrong.jc"
line = 23
begin = 12
end = 22

[JC_102]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 91
begin = 23
end = 29

[JC_37]
file = "HOME/tests/java/BinarySearchWrong.jc"
line = 67
begin = 11
end = 65

[BinarySearch_binary_search_safety]
name = "Method binary_search"
behavior = "Safety"
file = "HOME/tests/java/BinarySearchWrong.java"
line = 76
begin = 15
end = 28

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_108]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 79
begin = 17
end = 34

[JC_57]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_89]
file = "HOME/tests/java/BinarySearchWrong.jc"
line = 104
begin = 12
end = 1476

[JC_66]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 79
begin = 7
end = 13

[JC_59]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 67
begin = 18
end = 50

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_3]
file = "HOME/tests/java/BinarySearchWrong.jc"
line = 23
begin = 12
end = 22

[JC_92]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 91
begin = 28
end = 34

[JC_86]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 79
begin = 7
end = 34

[JC_60]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 67
begin = 18
end = 50

[JC_72]
kind = ArithOverflow
file = "HOME/tests/java/BinarySearchWrong.java"
line = 88
begin = 17
end = 22

[JC_19]
file = "HOME/tests/java/BinarySearchWrong.jc"
line = 58
begin = 8
end = 30

[JC_76]
file = "HOME/tests/java/BinarySearchWrong.java"
line = 91
begin = 28
end = 34

[JC_50]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_58]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_100]
file = "HOME/tests/java/BinarySearchWrong.jc"
line = 104
begin = 12
end = 1476

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/java/why/BinarySearchWrong.why ==========
type Object

type byte

type char

type int32

type interface

type long

type short

logic BinarySearch_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom BinarySearch_parenttag_Object : parenttag(BinarySearch_tag, Object_tag)

logic Exception_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_1:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_1), (0))

predicate Non_null_intM(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), neg_int((1)))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic integer_of_byte: byte -> int

logic byte_of_integer: int -> byte

axiom byte_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_byte(byte_of_integer(x)), x)))

axiom byte_extensionality :
 (forall x:byte.
  (forall y:byte[eq_int(integer_of_byte(x), integer_of_byte(y))].
   (eq_int(integer_of_byte(x), integer_of_byte(y)) -> (x = y))))

axiom byte_range :
 (forall x:byte.
  (le_int((-128), integer_of_byte(x)) and le_int(integer_of_byte(x), (127))))

logic integer_of_char: char -> int

logic char_of_integer: int -> char

axiom char_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (65535))) ->
   eq_int(integer_of_char(char_of_integer(x)), x)))

axiom char_extensionality :
 (forall x:char.
  (forall y:char[eq_int(integer_of_char(x), integer_of_char(y))].
   (eq_int(integer_of_char(x), integer_of_char(y)) -> (x = y))))

axiom char_range :
 (forall x:char.
  (le_int((0), integer_of_char(x)) and le_int(integer_of_char(x), (65535))))

predicate eq_byte(x:byte, y:byte) =
 eq_int(integer_of_byte(x), integer_of_byte(y))

predicate eq_char(x:char, y:char) =
 eq_int(integer_of_char(x), integer_of_char(y))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_long: long -> int

predicate eq_long(x:long, y:long) =
 eq_int(integer_of_long(x), integer_of_long(y))

logic integer_of_short: short -> int

predicate eq_short(x:short, y:short) =
 eq_int(integer_of_short(x), integer_of_short(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic intM_tag:  -> Object tag_id

axiom intM_parenttag_Object : parenttag(intM_tag, Object_tag)

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate is_sorted(t:Object pointer,
 Object_alloc_table_at_L:Object alloc_table,
 intM_intP_at_L:(Object, int32) memory) =
 (Non_null_intM(t, Object_alloc_table_at_L)
 and (forall i:int.
      (forall j:int.
       ((le_int((0), i)
        and (le_int(i, j)
            and lt_int(j,
                add_int(offset_max(Object_alloc_table_at_L, t), (1))))) ->
        le_int(integer_of_int32(select(intM_intP_at_L, shift(t, i))),
        integer_of_int32(select(intM_intP_at_L, shift(t, j))))))))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_BinarySearch(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_intM(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer: int -> long

axiom long_coerce :
 (forall x:int.
  ((le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807))) ->
   eq_int(integer_of_long(long_of_integer(x)), x)))

axiom long_extensionality :
 (forall x:long.
  (forall y:long[eq_int(integer_of_long(x), integer_of_long(y))].
   (eq_int(integer_of_long(x), integer_of_long(y)) -> (x = y))))

axiom long_range :
 (forall x:long.
  (le_int((-9223372036854775808), integer_of_long(x))
  and le_int(integer_of_long(x), (9223372036854775807))))

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_BinarySearch(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_intM(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer: int -> short

axiom short_coerce :
 (forall x:int.
  ((le_int((-32768), x) and le_int(x, (32767))) ->
   eq_int(integer_of_short(short_of_integer(x)), x)))

axiom short_extensionality :
 (forall x:short.
  (forall y:short[eq_int(integer_of_short(x), integer_of_short(y))].
   (eq_int(integer_of_short(x), integer_of_short(y)) -> (x = y))))

axiom short_range :
 (forall x:short.
  (le_int((-32768), integer_of_short(x))
  and le_int(integer_of_short(x), (32767))))

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_BinarySearch(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_intM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_BinarySearch(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_intM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

parameter Object_alloc_table : Object alloc_table ref

parameter intM_intP : (Object, int32) memory ref

parameter BinarySearch_binary_search :
 t_0:Object pointer ->
  v:int32 ->
   { } int32 reads Object_alloc_table,intM_intP
   { ((is_sorted(t_0, Object_alloc_table@, intM_intP@) ->
       (JC_62:
       ((integer_of_int32(result) = neg_int((1))) ->
        (forall k:int.
         ((le_int((0), k)
          and lt_int(k, add_int(offset_max(Object_alloc_table, t_0), (1)))) ->
          (integer_of_int32(select(intM_intP, shift(t_0, k))) <> integer_of_int32(v)))))))
     and ((JC_60:
          (ge_int(integer_of_int32(result), (0)) ->
           (integer_of_int32(select(intM_intP,
                             shift(t_0, integer_of_int32(result)))) = 
           integer_of_int32(v))))
         and (JC_56:
             ((JC_54: le_int(neg_int((1)), integer_of_int32(result)))
             and (JC_55:
                 lt_int(integer_of_int32(result),
                 add_int(offset_max(Object_alloc_table, t_0), (1)))))))) }

parameter BinarySearch_binary_search_requires :
 t_0:Object pointer ->
  v:int32 ->
   { (JC_47: Non_null_intM(t_0, Object_alloc_table))} int32
   reads Object_alloc_table,intM_intP
   { ((is_sorted(t_0, Object_alloc_table@, intM_intP@) ->
       (JC_62:
       ((integer_of_int32(result) = neg_int((1))) ->
        (forall k:int.
         ((le_int((0), k)
          and lt_int(k, add_int(offset_max(Object_alloc_table, t_0), (1)))) ->
          (integer_of_int32(select(intM_intP, shift(t_0, k))) <> integer_of_int32(v)))))))
     and ((JC_60:
          (ge_int(integer_of_int32(result), (0)) ->
           (integer_of_int32(select(intM_intP,
                             shift(t_0, integer_of_int32(result)))) = 
           integer_of_int32(v))))
         and (JC_56:
             ((JC_54: le_int(neg_int((1)), integer_of_int32(result)))
             and (JC_55:
                 lt_int(integer_of_int32(result),
                 add_int(offset_max(Object_alloc_table, t_0), (1)))))))) }

exception Exception_exc of Object pointer

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Object_tag_table : Object tag_table ref

exception Return_label_exc of unit

exception Throwable_exc of Object pointer

parameter alloc_struct_BinarySearch :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_BinarySearch(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, BinarySearch_tag)))) }

parameter alloc_struct_BinarySearch_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_BinarySearch(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, BinarySearch_tag)))) }

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_intM :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_intM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, intM_tag)))) }

parameter alloc_struct_intM_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_intM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, intM_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_byte : unit -> { } byte { true }

parameter any_char : unit -> { } char { true }

parameter any_int32 : unit -> { } int32 { true }

parameter any_long : unit -> { } long { true }

parameter any_short : unit -> { } short { true }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter byte_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} byte
  { eq_int(integer_of_byte(result), x) }

parameter char_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (65535)))} char
  { eq_int(integer_of_char(result), x) }

parameter cons_BinarySearch :
 this_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_BinarySearch_requires :
 this_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter java_array_length_intM :
 x_3:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_25:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_3), (1)))))) }

parameter java_array_length_intM_requires :
 x_3:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_25:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_3), (1)))))) }

parameter long_of_integer_ :
 x:int ->
  { (le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807)))}
  long { eq_int(integer_of_long(result), x) }

parameter non_null_Object :
 x_4:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_38:
    (if result then (offset_max(Object_alloc_table, x_4) = (0))
     else (x_4 = null))) }

parameter non_null_Object_requires :
 x_4:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_38:
    (if result then (offset_max(Object_alloc_table, x_4) = (0))
     else (x_4 = null))) }

parameter non_null_intM :
 x_2:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_15:
    (if result then ge_int(offset_max(Object_alloc_table, x_2), neg_int((1)))
     else (x_2 = null))) }

parameter non_null_intM_requires :
 x_2:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_15:
    (if result then ge_int(offset_max(Object_alloc_table, x_2), neg_int((1)))
     else (x_2 = null))) }

parameter safe_byte_of_integer_ :
 x:int -> { } byte { eq_int(integer_of_byte(result), x) }

parameter safe_char_of_integer_ :
 x:int -> { } char { eq_int(integer_of_char(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_long_of_integer_ :
 x:int -> { } long { eq_int(integer_of_long(result), x) }

parameter safe_short_of_integer_ :
 x:int -> { } short { eq_int(integer_of_short(result), x) }

parameter short_of_integer_ :
 x:int ->
  { (le_int((-32768), x) and le_int(x, (32767)))} short
  { eq_int(integer_of_short(result), x) }

let BinarySearch_binary_search_ensures_default =
 fun (t_0 : Object pointer) (v : int32) ->
  { (left_valid_struct_intM(t_0, (0), Object_alloc_table)
    and (JC_49: Non_null_intM(t_0, Object_alloc_table))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let l = ref (safe_int32_of_integer_ (K_28: (0))) in
     (let u =
     ref (K_27:
         (safe_int32_of_integer_ ((sub_int (K_26:
                                           (let _jessie_ = t_0 in
                                           (JC_83:
                                           (java_array_length_intM _jessie_))))) (1)))) in
     begin
       try
        (loop_2:
        while true do
        { invariant
            (JC_86:
            ((JC_84: le_int((0), integer_of_int32(l)))
            and (JC_85:
                le_int(integer_of_int32(u),
                sub_int(add_int(offset_max(Object_alloc_table, t_0), (1)),
                (1))))))  }
         begin
           [ { } unit { true } ];
          try
           begin
             (if (K_24:
                 ((le_int_ (integer_of_int32 !l)) (integer_of_int32 !u)))
             then
              (let m = ref (any_int32 void) in
              begin
                (let _jessie_ =
                (m := (K_13:
                      (safe_int32_of_integer_ (JC_90:
                                              ((computer_div (integer_of_int32 
                                                              (K_12:
                                                              (safe_int32_of_integer_ 
                                                               ((add_int 
                                                                 (integer_of_int32 !u)) 
                                                                (integer_of_int32 !l)))))) (2)))))) in
                void);
               (K_17:
               begin
                 (assert
                 { (JC_93:
                   ((JC_91: le_int(integer_of_int32(l), integer_of_int32(m)))
                   and (JC_92:
                       le_int(integer_of_int32(m), integer_of_int32(u))))) };
                 void);
                (if (K_23:
                    ((lt_int_ (integer_of_int32 (K_22:
                                                ((safe_acc_ !intM_intP) 
                                                 ((shift t_0) (integer_of_int32 !m)))))) 
                     (integer_of_int32 v)))
                then
                 (let _jessie_ =
                 (l := (K_21:
                       (safe_int32_of_integer_ ((add_int (integer_of_int32 !m)) (1))))) in
                 void)
                else
                 (if (K_20:
                     ((gt_int_ (integer_of_int32 (K_19:
                                                 ((safe_acc_ !intM_intP) 
                                                  ((shift t_0) (integer_of_int32 !m)))))) 
                      (integer_of_int32 v)))
                 then
                  (let _jessie_ =
                  (u := (K_18:
                        (safe_int32_of_integer_ ((sub_int (integer_of_int32 !m)) (1))))) in
                  void) else begin   (return := !m); (raise Return) end)) end)
              end) else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ -> void end end done) with
        Loop_exit_exc _jessie_ -> void end;
      (return := (K_25: (safe_int32_of_integer_ (neg_int (1)))));
      (raise Return) end)); absurd  end with Return -> !return end))
  { (JC_53:
    ((JC_51: le_int(neg_int((1)), integer_of_int32(result)))
    and (JC_52:
        lt_int(integer_of_int32(result),
        add_int(offset_max(Object_alloc_table, t_0), (1)))))) } 

let BinarySearch_binary_search_ensures_failure =
 fun (t_0 : Object pointer) (v : int32) ->
  { (is_sorted(t_0, Object_alloc_table, intM_intP)
    and (left_valid_struct_intM(t_0, (0), Object_alloc_table)
        and (JC_49: Non_null_intM(t_0, Object_alloc_table)))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let l = ref (safe_int32_of_integer_ (K_28: (0))) in
     (let u =
     ref (K_27:
         (safe_int32_of_integer_ ((sub_int (K_26:
                                           (let _jessie_ = t_0 in
                                           (JC_105:
                                           (java_array_length_intM _jessie_))))) (1)))) in
     begin
       try
        (loop_4:
        while true do
        { invariant
            (JC_106:
            (forall k_0:int.
             ((le_int((0), k_0)
              and lt_int(k_0,
                  add_int(offset_max(Object_alloc_table, t_0), (1)))) ->
              ((integer_of_int32(select(intM_intP, shift(t_0, k_0))) = 
               integer_of_int32(v)) ->
               (le_int(integer_of_int32(l), k_0)
               and le_int(k_0, integer_of_int32(u)))))))  }
         begin
           [ { } unit reads Object_alloc_table,l,u
             { (JC_109:
               ((JC_107: le_int((0), integer_of_int32(l)))
               and (JC_108:
                   le_int(integer_of_int32(u),
                   sub_int(add_int(offset_max(Object_alloc_table, t_0), (1)),
                   (1)))))) } ];
          try
           begin
             (if (K_24:
                 ((le_int_ (integer_of_int32 !l)) (integer_of_int32 !u)))
             then
              (let m = ref (any_int32 void) in
              begin
                (let _jessie_ =
                (m := (K_13:
                      (safe_int32_of_integer_ (JC_113:
                                              ((computer_div (integer_of_int32 
                                                              (K_12:
                                                              (safe_int32_of_integer_ 
                                                               ((add_int 
                                                                 (integer_of_int32 !u)) 
                                                                (integer_of_int32 !l)))))) (2)))))) in
                void);
               (K_17:
               begin
                 [ { } unit reads l,m,u
                   { (JC_116:
                     ((JC_114:
                      le_int(integer_of_int32(l), integer_of_int32(m)))
                     and (JC_115:
                         le_int(integer_of_int32(m), integer_of_int32(u))))) } ];
                (if (K_23:
                    ((lt_int_ (integer_of_int32 (K_22:
                                                ((safe_acc_ !intM_intP) 
                                                 ((shift t_0) (integer_of_int32 !m)))))) 
                     (integer_of_int32 v)))
                then
                 (let _jessie_ =
                 (l := (K_21:
                       (safe_int32_of_integer_ ((add_int (integer_of_int32 !m)) (1))))) in
                 void)
                else
                 (if (K_20:
                     ((gt_int_ (integer_of_int32 (K_19:
                                                 ((safe_acc_ !intM_intP) 
                                                  ((shift t_0) (integer_of_int32 !m)))))) 
                      (integer_of_int32 v)))
                 then
                  (let _jessie_ =
                  (u := (K_18:
                        (safe_int32_of_integer_ ((sub_int (integer_of_int32 !m)) (1))))) in
                  void) else begin   (return := !m); (raise Return) end)) end)
              end) else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ -> void end end done) with
        Loop_exit_exc _jessie_ -> void end;
      (return := (K_25: (safe_int32_of_integer_ (neg_int (1)))));
      (raise Return) end)); absurd  end with Return -> !return end))
  { (JC_61:
    ((integer_of_int32(result) = neg_int((1))) ->
     (forall k:int.
      ((le_int((0), k)
       and lt_int(k, add_int(offset_max(Object_alloc_table, t_0), (1)))) ->
       (integer_of_int32(select(intM_intP, shift(t_0, k))) <> integer_of_int32(v)))))) }
  

let BinarySearch_binary_search_ensures_success =
 fun (t_0 : Object pointer) (v : int32) ->
  { (left_valid_struct_intM(t_0, (0), Object_alloc_table)
    and (JC_49: Non_null_intM(t_0, Object_alloc_table))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let l = ref (safe_int32_of_integer_ (K_28: (0))) in
     (let u =
     ref (K_27:
         (safe_int32_of_integer_ ((sub_int (K_26:
                                           (let _jessie_ = t_0 in
                                           (JC_94:
                                           (java_array_length_intM _jessie_))))) (1)))) in
     begin
       try
        (loop_3:
        while true do
        { invariant (JC_99: true)  }
         begin
           [ { } unit reads Object_alloc_table,l,u
             { (JC_97:
               ((JC_95: le_int((0), integer_of_int32(l)))
               and (JC_96:
                   le_int(integer_of_int32(u),
                   sub_int(add_int(offset_max(Object_alloc_table, t_0), (1)),
                   (1)))))) } ];
          try
           begin
             (if (K_24:
                 ((le_int_ (integer_of_int32 !l)) (integer_of_int32 !u)))
             then
              (let m = ref (any_int32 void) in
              begin
                (let _jessie_ =
                (m := (K_13:
                      (safe_int32_of_integer_ (JC_101:
                                              ((computer_div (integer_of_int32 
                                                              (K_12:
                                                              (safe_int32_of_integer_ 
                                                               ((add_int 
                                                                 (integer_of_int32 !u)) 
                                                                (integer_of_int32 !l)))))) (2)))))) in
                void);
               (K_17:
               begin
                 [ { } unit reads l,m,u
                   { (JC_104:
                     ((JC_102:
                      le_int(integer_of_int32(l), integer_of_int32(m)))
                     and (JC_103:
                         le_int(integer_of_int32(m), integer_of_int32(u))))) } ];
                (if (K_23:
                    ((lt_int_ (integer_of_int32 (K_22:
                                                ((safe_acc_ !intM_intP) 
                                                 ((shift t_0) (integer_of_int32 !m)))))) 
                     (integer_of_int32 v)))
                then
                 (let _jessie_ =
                 (l := (K_21:
                       (safe_int32_of_integer_ ((add_int (integer_of_int32 !m)) (1))))) in
                 void)
                else
                 (if (K_20:
                     ((gt_int_ (integer_of_int32 (K_19:
                                                 ((safe_acc_ !intM_intP) 
                                                  ((shift t_0) (integer_of_int32 !m)))))) 
                      (integer_of_int32 v)))
                 then
                  (let _jessie_ =
                  (u := (K_18:
                        (safe_int32_of_integer_ ((sub_int (integer_of_int32 !m)) (1))))) in
                  void) else begin   (return := !m); (raise Return) end)) end)
              end) else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ -> void end end done) with
        Loop_exit_exc _jessie_ -> void end;
      (return := (K_25: (safe_int32_of_integer_ (neg_int (1)))));
      (raise Return) end)); absurd  end with Return -> !return end))
  { (JC_59:
    (ge_int(integer_of_int32(result), (0)) ->
     (integer_of_int32(select(intM_intP,
                       shift(t_0, integer_of_int32(result)))) = integer_of_int32(v)))) }
  

let BinarySearch_binary_search_safety =
 fun (t_0 : Object pointer) (v : int32) ->
  { (left_valid_struct_intM(t_0, (0), Object_alloc_table)
    and (JC_49: Non_null_intM(t_0, Object_alloc_table))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let l = ref (safe_int32_of_integer_ (K_28: (0))) in
     (let u =
     ref (K_27:
         (JC_65:
         (int32_of_integer_ ((sub_int (K_26:
                                      (let _jessie_ = t_0 in
                                      (JC_64:
                                      (assert
                                      { ge_int(offset_max(Object_alloc_table,
                                               _jessie_),
                                        (-1)) };
                                      (JC_63:
                                      (java_array_length_intM_requires _jessie_))))))) (1))))) in
     begin
       try
        (loop_1:
        while true do
        { invariant (JC_70: true)
          variant (JC_82 : sub_int(integer_of_int32(u), integer_of_int32(l))) }
         begin
           [ { } unit reads Object_alloc_table,l,u
             { (JC_68:
               ((JC_66: le_int((0), integer_of_int32(l)))
               and (JC_67:
                   le_int(integer_of_int32(u),
                   sub_int(add_int(offset_max(Object_alloc_table, t_0), (1)),
                   (1)))))) } ];
          try
           begin
             (if (K_24:
                 ((le_int_ (integer_of_int32 !l)) (integer_of_int32 !u)))
             then
              (let m = ref (any_int32 void) in
              begin
                (let _jessie_ =
                (m := (K_13:
                      (JC_74:
                      (int32_of_integer_ (JC_73:
                                         ((computer_div_ (integer_of_int32 
                                                          (K_12:
                                                          (JC_72:
                                                          (int32_of_integer_ 
                                                           ((add_int 
                                                             (integer_of_int32 !u)) 
                                                            (integer_of_int32 !l))))))) (2))))))) in
                void);
               (K_17:
               begin
                 [ { } unit reads l,m,u
                   { (JC_77:
                     ((JC_75:
                      le_int(integer_of_int32(l), integer_of_int32(m)))
                     and (JC_76:
                         le_int(integer_of_int32(m), integer_of_int32(u))))) } ];
                (if (K_23:
                    ((lt_int_ (integer_of_int32 (K_22:
                                                (JC_78:
                                                ((((offset_acc_ !Object_alloc_table) !intM_intP) t_0) 
                                                 (integer_of_int32 !m)))))) 
                     (integer_of_int32 v)))
                then
                 (let _jessie_ =
                 (l := (K_21:
                       (JC_79:
                       (int32_of_integer_ ((add_int (integer_of_int32 !m)) (1)))))) in
                 void)
                else
                 (if (K_20:
                     ((gt_int_ (integer_of_int32 (K_19:
                                                 (JC_80:
                                                 ((((offset_acc_ !Object_alloc_table) !intM_intP) t_0) 
                                                  (integer_of_int32 !m)))))) 
                      (integer_of_int32 v)))
                 then
                  (let _jessie_ =
                  (u := (K_18:
                        (JC_81:
                        (int32_of_integer_ ((sub_int (integer_of_int32 !m)) (1)))))) in
                  void) else begin   (return := !m); (raise Return) end)) end)
              end) else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ -> void end end done) with
        Loop_exit_exc _jessie_ -> void end;
      (return := (K_25: (safe_int32_of_integer_ (neg_int (1)))));
      (raise Return) end)); absurd  end with Return -> !return end)) 
  { true } 

let cons_BinarySearch_ensures_default =
 fun (this_0 : Object pointer) ->
  { valid_struct_BinarySearch(this_0, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_43: true) } 

let cons_BinarySearch_safety =
 fun (this_0 : Object pointer) ->
  { valid_struct_BinarySearch(this_0, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 


why-2.39/tests/java/oracle/FlagStatic.res.oracle0000644000106100004300000025671113147234006020575 0ustar  marchevals========== file tests/java/FlagStatic.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* Dijkstra's dutch flag */

//@+ CheckArithOverflow = no

/*@ predicate is_color(integer c) =
  @   c == FlagStatic.BLUE || c == FlagStatic.WHITE || c == FlagStatic.RED ;
  @*/

/*@ predicate is_color_array{L}(int t[]) =
  @   t != null &&
  @   \forall integer i; 0 <= i < t.length ==> is_color(t[i]) ;
  @*/

/*@ predicate is_monochrome{L}(int t[],integer i, integer j, int c) =
  @   \forall integer k; i <= k < j ==> t[k] == c ;
  @*/


class FlagStatic {

    public static final int BLUE = 1, WHITE = 2, RED = 3;

    /*@ requires t != null && 0 <= i <= j <= t.length ;
      @ behavior decides_monochromatic:
      @   ensures \result <==> is_monochrome(t,i,j,c);
      @*/
    public static boolean isMonochrome(int t[], int i, int j, int c) {
    	/*@ loop_invariant i <= k &&
	  @   (\forall integer l; i <= l < k ==> t[l]==c);
    	  @ loop_variant j - k;
	  @*/
	for (int k = i; k < j; k++) if (t[k] != c) return false;
	return true;
    }

    /*@ requires 0 <= i < t.length && 0 <= j < t.length;
      @ behavior i_j_swapped:
      @   assigns t[i],t[j];
      @   ensures t[i] == \old(t[j]) && t[j] == \old(t[i]);
      @*/
    private static void swap(int t[], int i, int j) {
	int z = t[i];
	t[i] = t[j];
	t[j] = z;
    }

    /*@ requires
      @   is_color_array(t);
      @ behavior sorts:
      @   ensures
      @     (\exists integer b r;
      @        is_monochrome(t,0,b,BLUE) &&
      @        is_monochrome(t,b,r,WHITE) &&
      @        is_monochrome(t,r,t.length,RED));
      @*/
    public static void flag(int t[]) {
	int b = 0;
	int i = 0;
	int r = t.length;
	/*@ loop_invariant
	  @   is_color_array(t) &&
	  @   0 <= b <= i <= r <= t.length &&
	  @   is_monochrome(t,0,b,BLUE) &&
	  @   is_monochrome(t,b,i,WHITE) &&
          @   is_monochrome(t,r,t.length,RED);
	  @ loop_variant r - i;
	  @*/
	while (i < r) {
	    switch (t[i]) {
	    case BLUE:
		swap(t,b++, i++);
		break;
	    case WHITE:
		i++;
		break;
	    case RED:
		swap(t,--r, i);
		break;
	    }
	}
    }
}



/*
Local Variables:
compile-command: "make FlagStatic.why3ide"
End:
*/
========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function FlagStatic_swap for method FlagStatic.swap
Generating JC function Object_equals for method Object.equals
Generating JC function Object_notify for method Object.notify
Generating JC function Object_registerNatives for method Object.registerNatives
Generating JC function Object_hashCode for method Object.hashCode
Generating JC function Object_wait_long_int for method Object.wait
Generating JC function Object_toString for method Object.toString
Generating JC function Object_notifyAll for method Object.notifyAll
Generating JC function cons_Object for constructor Object
Generating JC function FlagStatic_flag for method FlagStatic.flag
Generating JC function FlagStatic_isMonochrome for method FlagStatic.isMonochrome
Generating JC function Object_clone for method Object.clone
Generating JC function Object_wait_long for method Object.wait
Generating JC function Object_finalize for method Object.finalize
Generating JC function Object_wait for method Object.wait
Generating JC function cons_FlagStatic for constructor FlagStatic
Done.
========== file tests/java/FlagStatic.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

predicate Non_null_intM{Here}(intM[0..] x) =
(\offset_max(x) >= -1)

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

logic integer FlagStatic_BLUE =
1

logic integer FlagStatic_WHITE =
2

logic integer FlagStatic_RED =
3

String[0..] any_string()
;

tag String = Object with {
}

tag FlagStatic = Object with {
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

tag intM = Object with {
  integer intP;
}

boolean non_null_intM(! intM[0..] x)
behavior default:
  assigns \nothing;
  ensures (if \result then (\offset_max(x) >= -1) else (x == null));
;

integer java_array_length_intM(! intM[0..-1] x)
behavior default:
  assigns \nothing;
  ensures ((\result <= 2147483647) &&
            ((\result >= 0) && (\result == (\offset_max(x) + 1))));
;

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

predicate is_color(integer c) =
(((c == FlagStatic_BLUE) || (c == FlagStatic_WHITE)) ||
  (c == FlagStatic_RED))

predicate is_color_array{L}(intM[0..] t_2) =
(Non_null_intM(t_2) &&
  (\forall integer i_1;
    (((0 <= i_1) && (i_1 < (\offset_max(t_2) + 1))) ==>
      is_color((t_2 + i_1).intP))))

predicate is_monochrome{L}(intM[0..] t_3, integer i_2, integer j_1,
                           integer c_1) =
(\forall integer k;
  (((i_2 <= k) && (k < j_1)) ==> ((t_3 + k).intP == c_1)))

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

unit FlagStatic_swap(intM[0..] t_0, integer i_0, integer j_0)
  requires (K_10 : ((K_9 : ((K_8 : (0 <= i_0)) &&
                             (K_7 : (i_0 < (\offset_max(t_0) + 1))))) &&
                     (K_6 : ((K_5 : (0 <= j_0)) &&
                              (K_4 : (j_0 < (\offset_max(t_0) + 1)))))));
behavior i_j_swapped:
  assigns (t_0 + [i_0..i_0]).intP,
  (t_0 + [j_0..j_0]).intP;
  ensures (K_3 : ((K_2 : ((t_0 + i_0).intP == \at((t_0 + j_0).intP,Old))) &&
                   (K_1 : ((t_0 + j_0).intP == \at((t_0 + i_0).intP,Old)))));
{  
   {  
      (var integer z = (K_14 : (t_0 + i_0).intP));
      
      {  (K_12 : ((t_0 + i_0).intP = (K_11 : (t_0 + j_0).intP)));
         (K_13 : ((t_0 + j_0).intP = z))
      }
   }
}

boolean Object_equals(Object[0] this_2, Object[0..] obj)
;

unit Object_notify(Object[0] this_3)
;

unit Object_registerNatives()
;

integer Object_hashCode(Object[0] this_4)
;

unit Object_wait_long_int(Object[0] this_5, integer timeout_0, integer nanos)
;

String[0..] Object_toString(Object[0] this_6)
;

unit Object_notifyAll(Object[0] this_7)
;

unit cons_Object(! Object[0] this_12){()}

unit FlagStatic_flag(intM[0..] t_1)
  requires (K_16 : is_color_array{Here}(t_1));
behavior sorts:
  ensures (K_15 : (\exists integer b;
                    (\exists integer r;
                      ((is_monochrome{Here}(t_1, 0, b, FlagStatic_BLUE) &&
                         is_monochrome{Here}(t_1, b, r, FlagStatic_WHITE)) &&
                        is_monochrome{Here}(t_1, r, (\offset_max(t_1) + 1),
                                            FlagStatic_RED)))));
{  
   {  
      (var integer b_0 = (K_43 : 0));
      
      {  
         (var integer i_3 = (K_42 : 0));
         
         {  
            (var integer r_0 = (K_41 : java_array_length_intM(t_1)));
            
            loop 
            behavior default:
              invariant (K_31 : ((K_30 : ((K_29 : ((K_28 : ((K_27 : is_color_array{Here}(
                                                            t_1)) &&
                                                             (K_26 : 
                                                             ((K_25 : 
                                                              ((K_24 : 
                                                               ((K_23 : 
                                                                (0 <=
                                                                  b_0)) &&
                                                                 (K_22 : 
                                                                 (b_0 <=
                                                                   i_3)))) &&
                                                                (K_21 : 
                                                                (i_3 <=
                                                                  r_0)))) &&
                                                               (K_20 : 
                                                               (r_0 <=
                                                                 (\offset_max(t_1) +
                                                                   1))))))) &&
                                                    (K_19 : is_monochrome{Here}(
                                                    t_1, 0, b_0,
                                                    FlagStatic_BLUE)))) &&
                                           (K_18 : is_monochrome{Here}(
                                           t_1, b_0, i_3, FlagStatic_WHITE)))) &&
                                  (K_17 : is_monochrome{Here}(t_1, r_0,
                                                              (\offset_max(t_1) +
                                                                1),
                                                              FlagStatic_RED))));
            variant (K_32 : (r_0 - i_3));
            while ((K_40 : (i_3 < r_0)))
            {  
               switch ((K_39 : (t_1 + i_3).intP)) {
                 case FlagStatic_BLUE:
                 {  (K_35 : FlagStatic_swap(t_1, (K_33 : (b_0 ++)),
                                            (K_34 : (i_3 ++))));
                    
                    (break )
                 }
                 case FlagStatic_WHITE:
                 {  (K_36 : (i_3 ++));
                    
                    (break )
                 }
                 case FlagStatic_RED:
                 {  (K_38 : FlagStatic_swap(t_1, (K_37 : (-- r_0)), i_3));
                    
                    (break )
                 }
               }
            }
         }
      }
   }
}

boolean FlagStatic_isMonochrome(intM[0..] t, integer i, integer j,
                                integer c_0)
  requires (K_51 : ((K_50 : Non_null_intM(t)) &&
                     (K_49 : ((K_48 : ((K_47 : (0 <= i)) &&
                                        (K_46 : (i <= j)))) &&
                               (K_45 : (j <= (\offset_max(t) + 1)))))));
behavior decides_monochromatic:
  ensures (K_44 : (\result <==> is_monochrome{Here}(t, i, j, c_0)));
{  
   {  
      {  
         (var integer k_0 = (K_52 : i));
         
         loop 
         behavior default:
           invariant (K_55 : ((K_54 : (i <= k_0)) &&
                               (K_53 : (\forall integer l;
                                         (((i <= l) && (l < k_0)) ==>
                                           ((t + l).intP == c_0))))));
         
         variant (K_56 : (j - k_0));
         for ( ; (K_60 : (k_0 < j)) ; (K_59 : (k_0 ++)))
         {  (if (K_58 : ((K_57 : (t + k_0).intP) != c_0)) then 
            (return false) else ())
         }
      }
   };
   
   (return true)
}

Object[0..] Object_clone(Object[0] this_8)
;

unit Object_wait_long(Object[0] this_9, integer timeout)
;

unit Object_finalize(Object[0] this_10)
;

unit Object_wait(Object[0] this_11)
;

unit cons_FlagStatic(! FlagStatic[0] this_1){()}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/FlagStatic.jloc tests/java/FlagStatic.jc && make -f tests/java/FlagStatic.makefile gui"
End:
*/
========== file tests/java/FlagStatic.jloc ==========
[FlagStatic_swap]
name = "Method swap"
file = "HOME/tests/java/FlagStatic.java"
line = 72
begin = 24
end = 28

[K_30]
file = "HOME/tests/java/FlagStatic.java"
line = 92
begin = 7
end = 136

[K_23]
file = "HOME/tests/java/FlagStatic.java"
line = 93
begin = 7
end = 13

[K_33]
file = "HOME/tests/java/FlagStatic.java"
line = 102
begin = 9
end = 12

[K_49]
file = "HOME/tests/java/FlagStatic.java"
line = 54
begin = 30
end = 53

[K_17]
file = "HOME/tests/java/FlagStatic.java"
line = 96
begin = 14
end = 45

[Object_wait_long]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[K_11]
file = "HOME/tests/java/FlagStatic.java"
line = 74
begin = 8
end = 12

[K_38]
file = "HOME/tests/java/FlagStatic.java"
line = 108
begin = 2
end = 16

[K_25]
file = "HOME/tests/java/FlagStatic.java"
line = 93
begin = 7
end = 23

[K_13]
file = "HOME/tests/java/FlagStatic.java"
line = 75
begin = 1
end = 9

[K_60]
file = "HOME/tests/java/FlagStatic.java"
line = 63
begin = 17
end = 22

[Object_finalize]
name = "Method finalize"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[K_9]
file = "HOME/tests/java/FlagStatic.java"
line = 67
begin = 17
end = 34

[Object_wait]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[K_44]
file = "HOME/tests/java/FlagStatic.java"
line = 56
begin = 18
end = 53

[Object_notify]
name = "Method notify"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[Object_clone]
name = "Method clone"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[K_28]
file = "HOME/tests/java/FlagStatic.java"
line = 92
begin = 7
end = 63

[cons_Object]
name = "Constructor of class Object"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_52]
file = "HOME/tests/java/FlagStatic.java"
line = 63
begin = 14
end = 15

[K_1]
file = "HOME/tests/java/FlagStatic.java"
line = 70
begin = 40
end = 58

[cons_FlagStatic]
name = "Constructor of class FlagStatic"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_15]
file = "HOME/tests/java/FlagStatic.java"
line = 82
begin = 13
end = 169

[K_4]
file = "HOME/tests/java/FlagStatic.java"
line = 67
begin = 43
end = 55

[K_12]
file = "HOME/tests/java/FlagStatic.java"
line = 74
begin = 1
end = 12

[K_55]
file = "HOME/tests/java/FlagStatic.java"
line = 59
begin = 24
end = 84

[K_34]
file = "HOME/tests/java/FlagStatic.java"
line = 102
begin = 14
end = 17

[Object_wait_long_int]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[Object_registerNatives]
name = "Method registerNatives"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[K_20]
file = "HOME/tests/java/FlagStatic.java"
line = 93
begin = 22
end = 35

[K_59]
file = "HOME/tests/java/FlagStatic.java"
line = 63
begin = 24
end = 27

[K_58]
file = "HOME/tests/java/FlagStatic.java"
line = 63
begin = 33
end = 42

[K_53]
file = "HOME/tests/java/FlagStatic.java"
line = 60
begin = 8
end = 49

[FlagStatic_flag]
name = "Method flag"
file = "HOME/tests/java/FlagStatic.java"
line = 87
begin = 23
end = 27

[K_2]
file = "HOME/tests/java/FlagStatic.java"
line = 70
begin = 18
end = 36

[K_41]
file = "HOME/tests/java/FlagStatic.java"
line = 90
begin = 9
end = 17

[K_50]
file = "HOME/tests/java/FlagStatic.java"
line = 54
begin = 17
end = 26

[K_47]
file = "HOME/tests/java/FlagStatic.java"
line = 54
begin = 30
end = 36

[K_29]
file = "HOME/tests/java/FlagStatic.java"
line = 92
begin = 7
end = 99

[K_10]
file = "HOME/tests/java/FlagStatic.java"
line = 67
begin = 17
end = 55

[K_35]
file = "HOME/tests/java/FlagStatic.java"
line = 102
begin = 2
end = 18

[K_6]
file = "HOME/tests/java/FlagStatic.java"
line = 67
begin = 38
end = 55

[K_8]
file = "HOME/tests/java/FlagStatic.java"
line = 67
begin = 17
end = 23

[K_48]
file = "HOME/tests/java/FlagStatic.java"
line = 54
begin = 30
end = 41

[K_3]
file = "HOME/tests/java/FlagStatic.java"
line = 70
begin = 18
end = 58

[K_31]
file = "HOME/tests/java/FlagStatic.java"
line = 92
begin = 7
end = 185

[FlagStatic_isMonochrome]
name = "Method isMonochrome"
file = "HOME/tests/java/FlagStatic.java"
line = 58
begin = 26
end = 38

[K_32]
file = "HOME/tests/java/FlagStatic.java"
line = 97
begin = 18
end = 23

[K_27]
file = "HOME/tests/java/FlagStatic.java"
line = 92
begin = 7
end = 24

[K_46]
file = "HOME/tests/java/FlagStatic.java"
line = 54
begin = 35
end = 41

[K_21]
file = "HOME/tests/java/FlagStatic.java"
line = 93
begin = 17
end = 23

[K_42]
file = "HOME/tests/java/FlagStatic.java"
line = 89
begin = 9
end = 10

[K_24]
file = "HOME/tests/java/FlagStatic.java"
line = 93
begin = 7
end = 18

[K_56]
file = "HOME/tests/java/FlagStatic.java"
line = 61
begin = 22
end = 27

[K_14]
file = "HOME/tests/java/FlagStatic.java"
line = 73
begin = 9
end = 13

[K_39]
file = "HOME/tests/java/FlagStatic.java"
line = 100
begin = 13
end = 17

[K_36]
file = "HOME/tests/java/FlagStatic.java"
line = 105
begin = 2
end = 5

[K_57]
file = "HOME/tests/java/FlagStatic.java"
line = 63
begin = 33
end = 37

[Object_notifyAll]
name = "Method notifyAll"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[K_37]
file = "HOME/tests/java/FlagStatic.java"
line = 108
begin = 9
end = 12

[K_54]
file = "HOME/tests/java/FlagStatic.java"
line = 59
begin = 24
end = 30

[K_19]
file = "HOME/tests/java/FlagStatic.java"
line = 94
begin = 7
end = 32

[K_5]
file = "HOME/tests/java/FlagStatic.java"
line = 67
begin = 38
end = 44

[K_51]
file = "HOME/tests/java/FlagStatic.java"
line = 54
begin = 17
end = 53

[K_18]
file = "HOME/tests/java/FlagStatic.java"
line = 95
begin = 7
end = 33

[Object_equals]
name = "Method equals"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[K_7]
file = "HOME/tests/java/FlagStatic.java"
line = 67
begin = 22
end = 34

[K_40]
file = "HOME/tests/java/FlagStatic.java"
line = 99
begin = 8
end = 13

[K_26]
file = "HOME/tests/java/FlagStatic.java"
line = 93
begin = 7
end = 35

[Object_hashCode]
name = "Method hashCode"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[Object_toString]
name = "Method toString"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[K_22]
file = "HOME/tests/java/FlagStatic.java"
line = 93
begin = 12
end = 18

[K_45]
file = "HOME/tests/java/FlagStatic.java"
line = 54
begin = 40
end = 53

[K_16]
file = "HOME/tests/java/FlagStatic.java"
line = 79
begin = 10
end = 27

[K_43]
file = "HOME/tests/java/FlagStatic.java"
line = 88
begin = 9
end = 10

========== jessie execution ==========
Generating Why function FlagStatic_swap
Generating Why function cons_Object
Generating Why function FlagStatic_flag
Generating Why function FlagStatic_isMonochrome
Generating Why function cons_FlagStatic
========== file tests/java/FlagStatic.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/FlagStatic_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: FlagStatic.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: FlagStatic.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: FlagStatic.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/java/FlagStatic.loc ==========
[JC_176]
kind = UserCall
file = "HOME/tests/java/FlagStatic.java"
line = 90
begin = 9
end = 17

[JC_233]
file = "HOME/"
line = 0
begin = -1
end = -1

[FlagStatic_isMonochrome_ensures_decides_monochromatic]
name = "Method isMonochrome"
behavior = "Behavior `decides_monochromatic'"
file = "HOME/tests/java/FlagStatic.java"
line = 58
begin = 26
end = 38

[JC_177]
file = "HOME/tests/java/FlagStatic.java"
line = 92
begin = 7
end = 24

[JC_221]
file = "HOME/tests/java/FlagStatic.jc"
line = 219
begin = 9
end = 509

[JC_80]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_51]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_147]
file = "HOME/tests/java/FlagStatic.java"
line = 93
begin = 12
end = 18

[JC_123]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_143]
kind = UserCall
file = "HOME/tests/java/FlagStatic.java"
line = 90
begin = 9
end = 17

[JC_113]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_248]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_116]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_64]
file = "HOME/tests/java/FlagStatic.jc"
line = 93
begin = 9
end = 20

[JC_133]
file = "HOME/tests/java/FlagStatic.java"
line = 79
begin = 10
end = 27

[JC_261]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_188]
file = "HOME/tests/java/FlagStatic.jc"
line = 150
begin = 12
end = 2823

[JC_180]
file = "HOME/tests/java/FlagStatic.java"
line = 93
begin = 17
end = 23

[JC_99]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_200]
file = "HOME/tests/java/FlagStatic.java"
line = 54
begin = 40
end = 53

[JC_85]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[JC_250]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_201]
file = "HOME/tests/java/FlagStatic.java"
line = 54
begin = 17
end = 53

[JC_31]
file = "HOME/tests/java/FlagStatic.jc"
line = 64
begin = 8
end = 23

[JC_17]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_194]
file = "HOME/tests/java/FlagStatic.java"
line = 54
begin = 40
end = 53

[JC_122]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_205]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_81]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_55]
file = "HOME/tests/java/FlagStatic.java"
line = 70
begin = 18
end = 36

[JC_134]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_48]
file = "HOME/tests/java/FlagStatic.java"
line = 67
begin = 43
end = 55

[JC_23]
file = "HOME/tests/java/FlagStatic.jc"
line = 60
begin = 11
end = 103

[JC_241]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_172]
file = "HOME/tests/java/FlagStatic.jc"
line = 150
begin = 12
end = 2823

[JC_121]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_125]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_67]
kind = PointerDeref
file = "HOME/tests/java/FlagStatic.jc"
line = 102
begin = 18
end = 62

[JC_9]
file = "HOME/tests/java/FlagStatic.jc"
line = 51
begin = 8
end = 21

[JC_25]
file = "HOME/tests/java/FlagStatic.jc"
line = 60
begin = 11
end = 103

[JC_189]
kind = UserCall
file = "HOME/tests/java/FlagStatic.jc"
line = 184
begin = 28
end = 130

[JC_78]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_41]
file = "HOME/tests/java/FlagStatic.java"
line = 67
begin = 38
end = 44

[JC_74]
file = "HOME/"
line = 0
begin = -1
end = -1

[FlagStatic_isMonochrome_ensures_default]
name = "Method isMonochrome"
behavior = "default behavior"
file = "HOME/tests/java/FlagStatic.java"
line = 58
begin = 26
end = 38

[JC_195]
file = "HOME/tests/java/FlagStatic.java"
line = 54
begin = 17
end = 53

[JC_52]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_26]
file = "HOME/tests/java/FlagStatic.jc"
line = 59
begin = 10
end = 18

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_256]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/tests/java/FlagStatic.jc"
line = 54
begin = 11
end = 66

[JC_240]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_82]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_163]
file = "HOME/tests/java/FlagStatic.java"
line = 93
begin = 7
end = 13

[JC_153]
file = "HOME/tests/java/FlagStatic.java"
line = 92
begin = 7
end = 185

[JC_222]
file = "HOME/tests/java/FlagStatic.jc"
line = 219
begin = 9
end = 509

[JC_246]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/java/FlagStatic.jc"
line = 51
begin = 8
end = 21

[JC_185]
file = "HOME/tests/java/FlagStatic.java"
line = 92
begin = 7
end = 185

[JC_167]
file = "HOME/tests/java/FlagStatic.java"
line = 94
begin = 7
end = 32

[JC_98]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_70]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_104]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_39]
file = "HOME/tests/java/FlagStatic.java"
line = 67
begin = 17
end = 23

[JC_112]
file = "HOME/"
line = 0
begin = -1
end = -1

[FlagStatic_flag_safety]
name = "Method flag"
behavior = "Safety"
file = "HOME/tests/java/FlagStatic.java"
line = 87
begin = 23
end = 27

[JC_135]
file = "HOME/tests/java/FlagStatic.java"
line = 79
begin = 10
end = 27

[JC_169]
file = "HOME/tests/java/FlagStatic.java"
line = 96
begin = 14
end = 45

[JC_132]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_115]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_109]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[JC_69]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[JC_219]
file = "HOME/tests/java/FlagStatic.java"
line = 59
begin = 24
end = 84

[JC_124]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_268]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_FlagStatic_ensures_default]
name = "Constructor of class FlagStatic"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_206]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_218]
file = "HOME/tests/java/FlagStatic.java"
line = 60
begin = 8
end = 49

[JC_191]
file = "HOME/tests/java/FlagStatic.java"
line = 54
begin = 17
end = 26

[JC_62]
file = "HOME/tests/java/FlagStatic.java"
line = 70
begin = 18
end = 58

[JC_101]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[JC_264]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_223]
file = "HOME/tests/java/FlagStatic.java"
line = 59
begin = 24
end = 30

[JC_129]
file = "HOME/"
line = 0
begin = -1
end = -1

[FlagStatic_swap_ensures_i_j_swapped]
name = "Method swap"
behavior = "Behavior `i_j_swapped'"
file = "HOME/tests/java/FlagStatic.java"
line = 72
begin = 24
end = 28

[JC_190]
kind = UserCall
file = "HOME/tests/java/FlagStatic.jc"
line = 195
begin = 28
end = 72

[JC_110]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_166]
file = "HOME/tests/java/FlagStatic.java"
line = 93
begin = 22
end = 35

[JC_103]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[JC_46]
file = "HOME/tests/java/FlagStatic.java"
line = 67
begin = 22
end = 34

[JC_61]
file = "HOME/tests/java/FlagStatic.java"
line = 70
begin = 40
end = 58

[JC_254]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_199]
file = "HOME/tests/java/FlagStatic.java"
line = 54
begin = 35
end = 41

[JC_56]
file = "HOME/tests/java/FlagStatic.java"
line = 70
begin = 40
end = 58

[JC_243]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_173]
file = "HOME/tests/java/FlagStatic.jc"
line = 150
begin = 12
end = 2823

[JC_29]
file = "HOME/tests/java/FlagStatic.jc"
line = 64
begin = 8
end = 23

[JC_202]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_144]
kind = IndexBounds
file = "HOME/tests/java/FlagStatic.java"
line = 90
begin = 9
end = 17

[JC_16]
file = "HOME/tests/java/FlagStatic.jc"
line = 53
begin = 10
end = 18

[JC_43]
file = "HOME/tests/java/FlagStatic.java"
line = 67
begin = 17
end = 55

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_267]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_95]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[JC_235]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_97]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_84]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_160]
file = "HOME/tests/java/FlagStatic.java"
line = 97
begin = 18
end = 23

[JC_128]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/tests/java/FlagStatic.jc"
line = 53
begin = 10
end = 18

[FlagStatic_flag_ensures_default]
name = "Method flag"
behavior = "default behavior"
file = "HOME/tests/java/FlagStatic.java"
line = 87
begin = 23
end = 27

[JC_90]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_225]
file = "HOME/tests/java/FlagStatic.java"
line = 59
begin = 24
end = 84

[JC_149]
file = "HOME/tests/java/FlagStatic.java"
line = 93
begin = 22
end = 35

[JC_216]
file = "HOME/tests/java/FlagStatic.java"
line = 61
begin = 22
end = 27

[JC_131]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_37]
file = "HOME/tests/java/FlagStatic.jc"
line = 66
begin = 11
end = 65

[JC_181]
file = "HOME/tests/java/FlagStatic.java"
line = 93
begin = 22
end = 35

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_108]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_57]
file = "HOME/tests/java/FlagStatic.java"
line = 70
begin = 18
end = 58

[JC_257]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_161]
kind = UserCall
file = "HOME/tests/java/FlagStatic.java"
line = 90
begin = 9
end = 17

[JC_89]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_136]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_165]
file = "HOME/tests/java/FlagStatic.java"
line = 93
begin = 17
end = 23

[JC_213]
file = "HOME/tests/java/FlagStatic.jc"
line = 219
begin = 9
end = 509

[JC_217]
file = "HOME/tests/java/FlagStatic.java"
line = 59
begin = 24
end = 30

[JC_253]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[JC_229]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[JC_86]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_72]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_19]
file = "HOME/tests/java/FlagStatic.jc"
line = 57
begin = 8
end = 30

[JC_187]
file = "HOME/tests/java/FlagStatic.jc"
line = 150
begin = 12
end = 2823

[JC_238]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_50]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_120]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_58]
file = "HOME/tests/java/FlagStatic.java"
line = 72
begin = 24
end = 28

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_198]
file = "HOME/tests/java/FlagStatic.java"
line = 54
begin = 30
end = 36

[JC_94]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_73]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_158]
kind = UserCall
file = "HOME/tests/java/FlagStatic.jc"
line = 184
begin = 28
end = 130

[JC_63]
file = "HOME/tests/java/FlagStatic.java"
line = 72
begin = 24
end = 28

[JC_196]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_71]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[JC_197]
file = "HOME/tests/java/FlagStatic.java"
line = 54
begin = 17
end = 26

[cons_FlagStatic_safety]
name = "Constructor of class FlagStatic"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_207]
file = "HOME/tests/java/FlagStatic.java"
line = 56
begin = 18
end = 53

[JC_151]
file = "HOME/tests/java/FlagStatic.java"
line = 95
begin = 7
end = 33

[JC_45]
file = "HOME/tests/java/FlagStatic.java"
line = 67
begin = 17
end = 23

[JC_106]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_251]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_203]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_227]
file = "HOME/tests/java/FlagStatic.jc"
line = 219
begin = 9
end = 509

[cons_Object_ensures_default]
name = "Constructor of class Object"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_265]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_126]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_170]
file = "HOME/tests/java/FlagStatic.java"
line = 92
begin = 7
end = 185

[JC_236]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_138]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_247]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[JC_148]
file = "HOME/tests/java/FlagStatic.java"
line = 93
begin = 17
end = 23

[JC_137]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_231]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_75]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_24]
file = "HOME/tests/java/FlagStatic.jc"
line = 59
begin = 10
end = 18

[JC_193]
file = "HOME/tests/java/FlagStatic.java"
line = 54
begin = 35
end = 41

[JC_186]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_260]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_212]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_175]
kind = UserCall
file = "HOME/tests/java/FlagStatic.jc"
line = 195
begin = 28
end = 72

[JC_224]
file = "HOME/tests/java/FlagStatic.java"
line = 60
begin = 8
end = 49

[JC_47]
file = "HOME/tests/java/FlagStatic.java"
line = 67
begin = 38
end = 44

[JC_232]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_154]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_237]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[JC_208]
file = "HOME/tests/java/FlagStatic.java"
line = 56
begin = 18
end = 53

[JC_79]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[FlagStatic_swap_ensures_default]
name = "Method swap"
behavior = "default behavior"
file = "HOME/tests/java/FlagStatic.java"
line = 72
begin = 24
end = 28

[JC_130]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_174]
kind = UserCall
file = "HOME/tests/java/FlagStatic.jc"
line = 184
begin = 28
end = 130

[JC_87]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[JC_184]
file = "HOME/tests/java/FlagStatic.java"
line = 96
begin = 14
end = 45

[JC_15]
file = "HOME/tests/java/FlagStatic.jc"
line = 54
begin = 11
end = 66

[JC_182]
file = "HOME/tests/java/FlagStatic.java"
line = 94
begin = 7
end = 32

[JC_168]
file = "HOME/tests/java/FlagStatic.java"
line = 95
begin = 7
end = 33

[JC_91]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_40]
file = "HOME/tests/java/FlagStatic.java"
line = 67
begin = 22
end = 34

[JC_162]
file = "HOME/tests/java/FlagStatic.java"
line = 92
begin = 7
end = 24

[JC_83]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_35]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_215]
kind = PointerDeref
file = "HOME/tests/java/FlagStatic.java"
line = 63
begin = 33
end = 37

[JC_263]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_107]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_179]
file = "HOME/tests/java/FlagStatic.java"
line = 93
begin = 12
end = 18

[FlagStatic_swap_safety]
name = "Method swap"
behavior = "Safety"
file = "HOME/tests/java/FlagStatic.java"
line = 72
begin = 24
end = 28

[JC_38]
file = "HOME/tests/java/FlagStatic.jc"
line = 66
begin = 11
end = 65

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_242]
file = "HOME/"
line = 0
begin = -1
end = -1

[FlagStatic_flag_ensures_sorts]
name = "Method flag"
behavior = "Behavior `sorts'"
file = "HOME/tests/java/FlagStatic.java"
line = 87
begin = 23
end = 27

[JC_156]
file = "HOME/tests/java/FlagStatic.jc"
line = 150
begin = 12
end = 2823

[JC_127]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_252]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_171]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_164]
file = "HOME/tests/java/FlagStatic.java"
line = 93
begin = 12
end = 18

[JC_44]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_155]
file = "HOME/tests/java/FlagStatic.jc"
line = 150
begin = 12
end = 2823

[JC_88]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_42]
file = "HOME/tests/java/FlagStatic.java"
line = 67
begin = 43
end = 55

[FlagStatic_isMonochrome_safety]
name = "Method isMonochrome"
behavior = "Safety"
file = "HOME/tests/java/FlagStatic.java"
line = 58
begin = 26
end = 38

[JC_178]
file = "HOME/tests/java/FlagStatic.java"
line = 93
begin = 7
end = 13

[JC_141]
file = "HOME/tests/java/FlagStatic.java"
line = 82
begin = 13
end = 169

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_220]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_65]
kind = PointerDeref
file = "HOME/tests/java/FlagStatic.java"
line = 73
begin = 9
end = 13

[JC_118]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_105]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_245]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[JC_140]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_159]
kind = UserCall
file = "HOME/tests/java/FlagStatic.jc"
line = 195
begin = 28
end = 72

[cons_Object_safety]
name = "Constructor of class Object"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_68]
kind = PointerDeref
file = "HOME/tests/java/FlagStatic.jc"
line = 103
begin = 18
end = 38

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_96]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_93]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[JC_259]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_266]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_255]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[JC_214]
file = "HOME/tests/java/FlagStatic.jc"
line = 219
begin = 9
end = 509

[JC_258]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_114]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_150]
file = "HOME/tests/java/FlagStatic.java"
line = 94
begin = 7
end = 32

[JC_117]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[JC_53]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_204]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_157]
kind = PointerDeref
file = "HOME/tests/java/FlagStatic.java"
line = 100
begin = 13
end = 17

[JC_145]
file = "HOME/tests/java/FlagStatic.java"
line = 92
begin = 7
end = 24

[JC_21]
file = "HOME/tests/java/FlagStatic.jc"
line = 57
begin = 8
end = 30

[JC_209]
file = "HOME/tests/java/FlagStatic.java"
line = 59
begin = 24
end = 30

[JC_111]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[JC_77]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[JC_49]
file = "HOME/tests/java/FlagStatic.java"
line = 67
begin = 17
end = 55

[JC_1]
file = "HOME/tests/java/FlagStatic.jc"
line = 22
begin = 12
end = 22

[JC_102]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_142]
file = "HOME/tests/java/FlagStatic.java"
line = 82
begin = 13
end = 169

[JC_211]
file = "HOME/tests/java/FlagStatic.java"
line = 59
begin = 24
end = 84

[JC_146]
file = "HOME/tests/java/FlagStatic.java"
line = 93
begin = 7
end = 13

[JC_262]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_249]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_66]
kind = PointerDeref
file = "HOME/tests/java/FlagStatic.java"
line = 74
begin = 8
end = 12

[JC_59]
file = "HOME/tests/java/FlagStatic.jc"
line = 93
begin = 9
end = 20

[JC_192]
file = "HOME/tests/java/FlagStatic.java"
line = 54
begin = 30
end = 36

[JC_18]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_239]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[JC_3]
file = "HOME/tests/java/FlagStatic.jc"
line = 22
begin = 12
end = 22

[JC_92]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_152]
file = "HOME/tests/java/FlagStatic.java"
line = 96
begin = 14
end = 45

[JC_228]
file = "HOME/tests/java/FlagStatic.jc"
line = 219
begin = 9
end = 509

[JC_60]
file = "HOME/tests/java/FlagStatic.java"
line = 70
begin = 18
end = 36

[JC_183]
file = "HOME/tests/java/FlagStatic.java"
line = 95
begin = 7
end = 33

[JC_139]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_119]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[JC_210]
file = "HOME/tests/java/FlagStatic.java"
line = 60
begin = 8
end = 49

[JC_76]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_244]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_230]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_234]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_226]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_100]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/java/why/FlagStatic.why ==========
type Object

type interface

logic Exception_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

function FlagStatic_BLUE() : int = (1)

function FlagStatic_RED() : int = (3)

function FlagStatic_WHITE() : int = (2)

logic FlagStatic_tag:  -> Object tag_id

axiom FlagStatic_parenttag_Object : parenttag(FlagStatic_tag, Object_tag)

predicate Non_null_Object(x_1:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_1), (0))

predicate Non_null_intM(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), neg_int((1)))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic intM_tag:  -> Object tag_id

axiom intM_parenttag_Object : parenttag(intM_tag, Object_tag)

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate is_color(c:int) =
 ((c = FlagStatic_BLUE) or ((c = FlagStatic_WHITE) or (c = FlagStatic_RED)))

predicate is_color_array(t_2:Object pointer,
 Object_alloc_table_at_L:Object alloc_table,
 intM_intP_at_L:(Object, int) memory) =
 (Non_null_intM(t_2, Object_alloc_table_at_L)
 and (forall i_1:int.
      ((le_int((0), i_1)
       and lt_int(i_1,
           add_int(offset_max(Object_alloc_table_at_L, t_2), (1)))) ->
       is_color(select(intM_intP_at_L, shift(t_2, i_1))))))

predicate is_monochrome(t_3:Object pointer, i_2:int, j_1:int, c_1:int,
 intM_intP_at_L:(Object, int) memory) =
 (forall k:int.
  ((le_int(i_2, k) and lt_int(k, j_1)) ->
   (select(intM_intP_at_L, shift(t_3, k)) = c_1)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_FlagStatic(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_intM(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_FlagStatic(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_intM(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_FlagStatic(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_intM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_FlagStatic(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_intM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

exception Exception_exc of Object pointer

parameter Object_alloc_table : Object alloc_table ref

parameter intM_intP : (Object, int) memory ref

parameter FlagStatic_flag :
 t_1:Object pointer ->
  { } unit reads Object_alloc_table,intM_intP writes intM_intP
  { (JC_142:
    (exists b:int.
     (exists r:int.
      (is_monochrome(t_1, (0), b, FlagStatic_BLUE, intM_intP)
      and (is_monochrome(t_1, b, r, FlagStatic_WHITE, intM_intP)
          and is_monochrome(t_1, r,
              add_int(offset_max(Object_alloc_table, t_1), (1)),
              FlagStatic_RED, intM_intP)))))) }

parameter FlagStatic_flag_requires :
 t_1:Object pointer ->
  { (JC_133: is_color_array(t_1, Object_alloc_table, intM_intP))} unit
  reads Object_alloc_table,intM_intP writes intM_intP
  { (JC_142:
    (exists b:int.
     (exists r:int.
      (is_monochrome(t_1, (0), b, FlagStatic_BLUE, intM_intP)
      and (is_monochrome(t_1, b, r, FlagStatic_WHITE, intM_intP)
          and is_monochrome(t_1, r,
              add_int(offset_max(Object_alloc_table, t_1), (1)),
              FlagStatic_RED, intM_intP)))))) }

parameter FlagStatic_isMonochrome :
 t:Object pointer ->
  i:int ->
   j:int ->
    c_0:int ->
     { } bool reads Object_alloc_table,intM_intP
     { (JC_208: ((result = true) <-> is_monochrome(t, i, j, c_0, intM_intP))) }

parameter FlagStatic_isMonochrome_requires :
 t:Object pointer ->
  i:int ->
   j:int ->
    c_0:int ->
     { (JC_195:
       ((JC_191: Non_null_intM(t, Object_alloc_table))
       and ((JC_192: le_int((0), i))
           and ((JC_193: le_int(i, j))
               and (JC_194:
                   le_int(j, add_int(offset_max(Object_alloc_table, t), (1))))))))}
     bool reads Object_alloc_table,intM_intP
     { (JC_208: ((result = true) <-> is_monochrome(t, i, j, c_0, intM_intP))) }

parameter FlagStatic_swap :
 t_0:Object pointer ->
  i_0:int ->
   j_0:int ->
    { } unit reads Object_alloc_table,intM_intP writes intM_intP
    { (JC_64:
      ((JC_62:
       ((JC_60:
        (select(intM_intP, shift(t_0, i_0)) = select(intM_intP@,
                                              shift(t_0, j_0))))
       and (JC_61:
           (select(intM_intP, shift(t_0, j_0)) = select(intM_intP@,
                                                 shift(t_0, i_0))))))
      and (JC_63:
          not_assigns(Object_alloc_table@, intM_intP@, intM_intP,
          pset_union(pset_range(pset_singleton(t_0), j_0, j_0),
          pset_range(pset_singleton(t_0), i_0, i_0)))))) }

parameter FlagStatic_swap_requires :
 t_0:Object pointer ->
  i_0:int ->
   j_0:int ->
    { (JC_43:
      ((JC_39: le_int((0), i_0))
      and ((JC_40:
           lt_int(i_0, add_int(offset_max(Object_alloc_table, t_0), (1))))
          and ((JC_41: le_int((0), j_0))
              and (JC_42:
                  lt_int(j_0,
                  add_int(offset_max(Object_alloc_table, t_0), (1))))))))}
    unit reads Object_alloc_table,intM_intP writes intM_intP
    { (JC_64:
      ((JC_62:
       ((JC_60:
        (select(intM_intP, shift(t_0, i_0)) = select(intM_intP@,
                                              shift(t_0, j_0))))
       and (JC_61:
           (select(intM_intP, shift(t_0, j_0)) = select(intM_intP@,
                                                 shift(t_0, i_0))))))
      and (JC_63:
          not_assigns(Object_alloc_table@, intM_intP@, intM_intP,
          pset_union(pset_range(pset_singleton(t_0), j_0, j_0),
          pset_range(pset_singleton(t_0), i_0, i_0)))))) }

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Object_clone :
 this_8:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_clone_requires :
 this_8:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_equals :
 this_2:Object pointer ->
  obj:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Object_equals_requires :
 this_2:Object pointer ->
  obj:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Object_finalize :
 this_10:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_finalize_requires :
 this_10:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_hashCode :
 this_4:Object pointer -> { } int reads Object_alloc_table { true }

parameter Object_hashCode_requires :
 this_4:Object pointer -> { } int reads Object_alloc_table { true }

parameter Object_notify :
 this_3:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notifyAll :
 this_7:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notifyAll_requires :
 this_7:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notify_requires :
 this_3:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_registerNatives : tt:unit -> { } unit { true }

parameter Object_registerNatives_requires : tt:unit -> { } unit { true }

parameter Object_tag_table : Object tag_table ref

parameter Object_toString :
 this_6:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_toString_requires :
 this_6:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_wait :
 this_11:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long :
 this_9:Object pointer ->
  timeout:int -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_int :
 this_5:Object pointer ->
  timeout_0:int -> nanos:int -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_int_requires :
 this_5:Object pointer ->
  timeout_0:int -> nanos:int -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_requires :
 this_9:Object pointer ->
  timeout:int -> { } unit reads Object_alloc_table { true }

parameter Object_wait_requires :
 this_11:Object pointer -> { } unit reads Object_alloc_table { true }

exception Return_label_exc of unit

exception Throwable_exc of Object pointer

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_FlagStatic :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_FlagStatic(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, FlagStatic_tag)))) }

parameter alloc_struct_FlagStatic_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_FlagStatic(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, FlagStatic_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_intM :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_intM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, intM_tag)))) }

parameter alloc_struct_intM_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_intM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, intM_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter cons_FlagStatic :
 this_1:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_FlagStatic_requires :
 this_1:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Object :
 this_12:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Object_requires :
 this_12:Object pointer -> { } unit reads Object_alloc_table { true }

parameter java_array_length_intM :
 x_3:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_25:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_3), (1)))))) }

parameter java_array_length_intM_requires :
 x_3:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_25:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_3), (1)))))) }

parameter non_null_Object :
 x_4:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_38:
    (if result then (offset_max(Object_alloc_table, x_4) = (0))
     else (x_4 = null))) }

parameter non_null_Object_requires :
 x_4:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_38:
    (if result then (offset_max(Object_alloc_table, x_4) = (0))
     else (x_4 = null))) }

parameter non_null_intM :
 x_2:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_15:
    (if result then ge_int(offset_max(Object_alloc_table, x_2), neg_int((1)))
     else (x_2 = null))) }

parameter non_null_intM_requires :
 x_2:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_15:
    (if result then ge_int(offset_max(Object_alloc_table, x_2), neg_int((1)))
     else (x_2 = null))) }

let FlagStatic_flag_ensures_default =
 fun (t_1 : Object pointer) ->
  { (left_valid_struct_intM(t_1, (0), Object_alloc_table)
    and (JC_135: is_color_array(t_1, Object_alloc_table, intM_intP))) }
  (init:
  try
   begin
     (let b_0 = ref (K_43: (0)) in
     (let i_3 = ref (K_42: (0)) in
     (let r_0 =
     ref (K_41:
         (let _jessie_ = t_1 in
         (JC_161: (java_array_length_intM _jessie_)))) in
     try
      (loop_2:
      while true do
      { invariant
          (JC_170:
          ((JC_162: is_color_array(t_1, Object_alloc_table, intM_intP))
          and ((JC_163: le_int((0), b_0))
              and ((JC_164: le_int(b_0, i_3))
                  and ((JC_165: le_int(i_3, r_0))
                      and ((JC_166:
                           le_int(r_0,
                           add_int(offset_max(Object_alloc_table, t_1), (1))))
                          and ((JC_167:
                               is_monochrome(t_1, (0), b_0, FlagStatic_BLUE,
                               intM_intP))
                              and ((JC_168:
                                   is_monochrome(t_1, b_0, i_3,
                                   FlagStatic_WHITE, intM_intP))
                                  and (JC_169:
                                      is_monochrome(t_1, r_0,
                                      add_int(offset_max(Object_alloc_table,
                                              t_1),
                                      (1)), FlagStatic_RED, intM_intP))))))))))
         }
       begin
         [ { } unit { true } ];
        try
         begin
           (if (K_40: ((lt_int_ !i_3) !r_0))
           then
            (let _jessie_ =
            (K_39: ((safe_acc_ !intM_intP) ((shift t_1) !i_3))) in
            try
             begin
               (if ((eq_int_ _jessie_) FlagStatic_BLUE)
               then
                (K_35:
                begin
                  (let _jessie_ = t_1 in
                  (let _jessie_ =
                  (K_33:
                  (let _jessie_ = !b_0 in
                  begin
                    (let _jessie_ = (b_0 := ((add_int _jessie_) (1))) in
                    void); _jessie_ end)) in
                  (let _jessie_ =
                  (K_34:
                  (let _jessie_ = !i_3 in
                  begin
                    (let _jessie_ = (i_3 := ((add_int _jessie_) (1))) in
                    void); _jessie_ end)) in
                  (JC_174:
                  (((FlagStatic_swap _jessie_) _jessie_) _jessie_)))));
                 (raise (Loop_exit_exc void)) end) else void);
              (if (((eq_int_ _jessie_) FlagStatic_WHITE) || ((eq_int_ _jessie_) FlagStatic_BLUE))
              then
               (K_36:
               begin
                 (let _jessie_ =
                 (let _jessie_ = !i_3 in
                 begin
                   (let _jessie_ = (i_3 := ((add_int _jessie_) (1))) in
                   void); _jessie_ end) in void);
                (raise (Loop_exit_exc void)) end) else void);
              (if (((eq_int_ _jessie_) FlagStatic_RED) || (((eq_int_ _jessie_) FlagStatic_WHITE) || 
                                                           ((eq_int_ _jessie_) FlagStatic_BLUE)))
              then
               (K_38:
               begin
                 (let _jessie_ = t_1 in
                 (let _jessie_ =
                 (K_37: begin   (r_0 := ((sub_int !r_0) (1))); !r_0 end) in
                 (let _jessie_ = !i_3 in
                 (JC_175:
                 (((FlagStatic_swap _jessie_) _jessie_) _jessie_)))));
                (raise (Loop_exit_exc void)) end) else void) end with
             Loop_exit_exc _jessie_ -> void end)
           else (raise (Loop_exit_exc void)));
          (raise (Loop_continue_exc void)) end with
         Loop_continue_exc _jessie_ -> void end end done) with
      Loop_exit_exc _jessie_ -> void end))); (raise Return) end with
   Return -> void end) { (JC_137: true) } 

let FlagStatic_flag_ensures_sorts =
 fun (t_1 : Object pointer) ->
  { (left_valid_struct_intM(t_1, (0), Object_alloc_table)
    and (JC_135: is_color_array(t_1, Object_alloc_table, intM_intP))) }
  (init:
  try
   begin
     (let b_0 = ref (K_43: (0)) in
     (let i_3 = ref (K_42: (0)) in
     (let r_0 =
     ref (K_41:
         (let _jessie_ = t_1 in
         (JC_176: (java_array_length_intM _jessie_)))) in
     try
      (loop_3:
      while true do
      { invariant (JC_187: true)  }
       begin
         [ { } unit reads Object_alloc_table,b_0,i_3,intM_intP,r_0
           { (JC_185:
             ((JC_177: is_color_array(t_1, Object_alloc_table, intM_intP))
             and ((JC_178: le_int((0), b_0))
                 and ((JC_179: le_int(b_0, i_3))
                     and ((JC_180: le_int(i_3, r_0))
                         and ((JC_181:
                              le_int(r_0,
                              add_int(offset_max(Object_alloc_table, t_1),
                              (1))))
                             and ((JC_182:
                                  is_monochrome(t_1, (0), b_0,
                                  FlagStatic_BLUE, intM_intP))
                                 and ((JC_183:
                                      is_monochrome(t_1, b_0, i_3,
                                      FlagStatic_WHITE, intM_intP))
                                     and (JC_184:
                                         is_monochrome(t_1, r_0,
                                         add_int(offset_max(Object_alloc_table,
                                                 t_1),
                                         (1)), FlagStatic_RED, intM_intP)))))))))) } ];
        try
         begin
           (if (K_40: ((lt_int_ !i_3) !r_0))
           then
            (let _jessie_ =
            (K_39: ((safe_acc_ !intM_intP) ((shift t_1) !i_3))) in
            try
             begin
               (if ((eq_int_ _jessie_) FlagStatic_BLUE)
               then
                (K_35:
                begin
                  (let _jessie_ = t_1 in
                  (let _jessie_ =
                  (K_33:
                  (let _jessie_ = !b_0 in
                  begin
                    (let _jessie_ = (b_0 := ((add_int _jessie_) (1))) in
                    void); _jessie_ end)) in
                  (let _jessie_ =
                  (K_34:
                  (let _jessie_ = !i_3 in
                  begin
                    (let _jessie_ = (i_3 := ((add_int _jessie_) (1))) in
                    void); _jessie_ end)) in
                  (JC_189:
                  (((FlagStatic_swap _jessie_) _jessie_) _jessie_)))));
                 (raise (Loop_exit_exc void)) end) else void);
              (if (((eq_int_ _jessie_) FlagStatic_WHITE) || ((eq_int_ _jessie_) FlagStatic_BLUE))
              then
               (K_36:
               begin
                 (let _jessie_ =
                 (let _jessie_ = !i_3 in
                 begin
                   (let _jessie_ = (i_3 := ((add_int _jessie_) (1))) in
                   void); _jessie_ end) in void);
                (raise (Loop_exit_exc void)) end) else void);
              (if (((eq_int_ _jessie_) FlagStatic_RED) || (((eq_int_ _jessie_) FlagStatic_WHITE) || 
                                                           ((eq_int_ _jessie_) FlagStatic_BLUE)))
              then
               (K_38:
               begin
                 (let _jessie_ = t_1 in
                 (let _jessie_ =
                 (K_37: begin   (r_0 := ((sub_int !r_0) (1))); !r_0 end) in
                 (let _jessie_ = !i_3 in
                 (JC_190:
                 (((FlagStatic_swap _jessie_) _jessie_) _jessie_)))));
                (raise (Loop_exit_exc void)) end) else void) end with
             Loop_exit_exc _jessie_ -> void end)
           else (raise (Loop_exit_exc void)));
          (raise (Loop_continue_exc void)) end with
         Loop_continue_exc _jessie_ -> void end end done) with
      Loop_exit_exc _jessie_ -> void end))); (raise Return) end with
   Return -> void end)
  { (JC_141:
    (exists b:int.
     (exists r:int.
      (is_monochrome(t_1, (0), b, FlagStatic_BLUE, intM_intP)
      and (is_monochrome(t_1, b, r, FlagStatic_WHITE, intM_intP)
          and is_monochrome(t_1, r,
              add_int(offset_max(Object_alloc_table, t_1), (1)),
              FlagStatic_RED, intM_intP)))))) } 

let FlagStatic_flag_safety =
 fun (t_1 : Object pointer) ->
  { (left_valid_struct_intM(t_1, (0), Object_alloc_table)
    and (JC_135: is_color_array(t_1, Object_alloc_table, intM_intP))) }
  (init:
  try
   begin
     (let b_0 = ref (K_43: (0)) in
     (let i_3 = ref (K_42: (0)) in
     (let r_0 =
     ref (K_41:
         (let _jessie_ = t_1 in
         (JC_144:
         (assert
         { ge_int(offset_max(Object_alloc_table, _jessie_), (-1)) };
         (JC_143: (java_array_length_intM_requires _jessie_)))))) in
     try
      (loop_1:
      while true do
      { invariant (JC_155: true) variant (JC_160 : sub_int(r_0, i_3)) }
       begin
         [ { } unit reads Object_alloc_table,b_0,i_3,intM_intP,r_0
           { (JC_153:
             ((JC_145: is_color_array(t_1, Object_alloc_table, intM_intP))
             and ((JC_146: le_int((0), b_0))
                 and ((JC_147: le_int(b_0, i_3))
                     and ((JC_148: le_int(i_3, r_0))
                         and ((JC_149:
                              le_int(r_0,
                              add_int(offset_max(Object_alloc_table, t_1),
                              (1))))
                             and ((JC_150:
                                  is_monochrome(t_1, (0), b_0,
                                  FlagStatic_BLUE, intM_intP))
                                 and ((JC_151:
                                      is_monochrome(t_1, b_0, i_3,
                                      FlagStatic_WHITE, intM_intP))
                                     and (JC_152:
                                         is_monochrome(t_1, r_0,
                                         add_int(offset_max(Object_alloc_table,
                                                 t_1),
                                         (1)), FlagStatic_RED, intM_intP)))))))))) } ];
        try
         begin
           (if (K_40: ((lt_int_ !i_3) !r_0))
           then
            (let _jessie_ =
            (K_39:
            (JC_157:
            ((((offset_acc_ !Object_alloc_table) !intM_intP) t_1) !i_3))) in
            try
             begin
               (if ((eq_int_ _jessie_) FlagStatic_BLUE)
               then
                (K_35:
                begin
                  (let _jessie_ = t_1 in
                  (let _jessie_ =
                  (K_33:
                  (let _jessie_ = !b_0 in
                  begin
                    (let _jessie_ = (b_0 := ((add_int _jessie_) (1))) in
                    void); _jessie_ end)) in
                  (let _jessie_ =
                  (K_34:
                  (let _jessie_ = !i_3 in
                  begin
                    (let _jessie_ = (i_3 := ((add_int _jessie_) (1))) in
                    void); _jessie_ end)) in
                  (JC_158:
                  (((FlagStatic_swap_requires _jessie_) _jessie_) _jessie_)))));
                 (raise (Loop_exit_exc void)) end) else void);
              (if (((eq_int_ _jessie_) FlagStatic_WHITE) || ((eq_int_ _jessie_) FlagStatic_BLUE))
              then
               (K_36:
               begin
                 (let _jessie_ =
                 (let _jessie_ = !i_3 in
                 begin
                   (let _jessie_ = (i_3 := ((add_int _jessie_) (1))) in
                   void); _jessie_ end) in void);
                (raise (Loop_exit_exc void)) end) else void);
              (if (((eq_int_ _jessie_) FlagStatic_RED) || (((eq_int_ _jessie_) FlagStatic_WHITE) || 
                                                           ((eq_int_ _jessie_) FlagStatic_BLUE)))
              then
               (K_38:
               begin
                 (let _jessie_ = t_1 in
                 (let _jessie_ =
                 (K_37: begin   (r_0 := ((sub_int !r_0) (1))); !r_0 end) in
                 (let _jessie_ = !i_3 in
                 (JC_159:
                 (((FlagStatic_swap_requires _jessie_) _jessie_) _jessie_)))));
                (raise (Loop_exit_exc void)) end) else void) end with
             Loop_exit_exc _jessie_ -> void end)
           else (raise (Loop_exit_exc void)));
          (raise (Loop_continue_exc void)) end with
         Loop_continue_exc _jessie_ -> void end end done) with
      Loop_exit_exc _jessie_ -> void end))); (raise Return) end with
   Return -> void end) { true } 

let FlagStatic_isMonochrome_ensures_decides_monochromatic =
 fun (t : Object pointer) (i : int) (j : int) (c_0 : int) ->
  { (left_valid_struct_intM(t, (0), Object_alloc_table)
    and (JC_201:
        ((JC_197: Non_null_intM(t, Object_alloc_table))
        and ((JC_198: le_int((0), i))
            and ((JC_199: le_int(i, j))
                and (JC_200:
                    le_int(j,
                    add_int(offset_max(Object_alloc_table, t), (1))))))))) }
  (init:
  (let return = ref (any_bool void) in
  try
   begin
     (let k_0 = ref (K_52: i) in
     try
      (loop_6:
      while true do
      { invariant (JC_227: true)  }
       begin
         [ { } unit reads intM_intP,k_0
           { (JC_225:
             ((JC_223: le_int(i, k_0))
             and (JC_224:
                 (forall l:int.
                  ((le_int(i, l) and lt_int(l, k_0)) ->
                   (select(intM_intP, shift(t, l)) = c_0)))))) } ];
        try
         begin
           (if (K_60: ((lt_int_ !k_0) j))
           then
            (if (K_58:
                ((neq_int_ (K_57: ((safe_acc_ !intM_intP) ((shift t) !k_0)))) c_0))
            then begin   (return := false); (raise Return) end else void)
           else (raise (Loop_exit_exc void)));
          (raise (Loop_continue_exc void)) end with
         Loop_continue_exc _jessie_ ->
         (let _jessie_ =
         (K_59:
         (let _jessie_ = !k_0 in
         begin
           (let _jessie_ = (k_0 := ((add_int _jessie_) (1))) in void);
          _jessie_ end)) in void) end end done) with
      Loop_exit_exc _jessie_ -> void end); (return := true); (raise Return);
    absurd  end with Return -> !return end))
  { (JC_207: ((result = true) <-> is_monochrome(t, i, j, c_0, intM_intP))) } 

let FlagStatic_isMonochrome_ensures_default =
 fun (t : Object pointer) (i : int) (j : int) (c_0 : int) ->
  { (left_valid_struct_intM(t, (0), Object_alloc_table)
    and (JC_201:
        ((JC_197: Non_null_intM(t, Object_alloc_table))
        and ((JC_198: le_int((0), i))
            and ((JC_199: le_int(i, j))
                and (JC_200:
                    le_int(j,
                    add_int(offset_max(Object_alloc_table, t), (1))))))))) }
  (init:
  (let return = ref (any_bool void) in
  try
   begin
     (let k_0 = ref (K_52: i) in
     try
      (loop_5:
      while true do
      { invariant
          (JC_219:
          ((JC_217: le_int(i, k_0))
          and (JC_218:
              (forall l:int.
               ((le_int(i, l) and lt_int(l, k_0)) ->
                (select(intM_intP, shift(t, l)) = c_0))))))  }
       begin
         [ { } unit { true } ];
        try
         begin
           (if (K_60: ((lt_int_ !k_0) j))
           then
            (if (K_58:
                ((neq_int_ (K_57: ((safe_acc_ !intM_intP) ((shift t) !k_0)))) c_0))
            then begin   (return := false); (raise Return) end else void)
           else (raise (Loop_exit_exc void)));
          (raise (Loop_continue_exc void)) end with
         Loop_continue_exc _jessie_ ->
         (let _jessie_ =
         (K_59:
         (let _jessie_ = !k_0 in
         begin
           (let _jessie_ = (k_0 := ((add_int _jessie_) (1))) in void);
          _jessie_ end)) in void) end end done) with
      Loop_exit_exc _jessie_ -> void end); (return := true); (raise Return);
    absurd  end with Return -> !return end)) { (JC_203: true) } 

let FlagStatic_isMonochrome_safety =
 fun (t : Object pointer) (i : int) (j : int) (c_0 : int) ->
  { (left_valid_struct_intM(t, (0), Object_alloc_table)
    and (JC_201:
        ((JC_197: Non_null_intM(t, Object_alloc_table))
        and ((JC_198: le_int((0), i))
            and ((JC_199: le_int(i, j))
                and (JC_200:
                    le_int(j,
                    add_int(offset_max(Object_alloc_table, t), (1))))))))) }
  (init:
  (let return = ref (any_bool void) in
  try
   begin
     (let k_0 = ref (K_52: i) in
     try
      (loop_4:
      while true do
      { invariant (JC_213: true) variant (JC_216 : sub_int(j, k_0)) }
       begin
         [ { } unit reads intM_intP,k_0
           { (JC_211:
             ((JC_209: le_int(i, k_0))
             and (JC_210:
                 (forall l:int.
                  ((le_int(i, l) and lt_int(l, k_0)) ->
                   (select(intM_intP, shift(t, l)) = c_0)))))) } ];
        try
         begin
           (if (K_60: ((lt_int_ !k_0) j))
           then
            (if (K_58:
                ((neq_int_ (K_57:
                           (JC_215:
                           ((((offset_acc_ !Object_alloc_table) !intM_intP) t) !k_0)))) c_0))
            then begin   (return := false); (raise Return) end else void)
           else (raise (Loop_exit_exc void)));
          (raise (Loop_continue_exc void)) end with
         Loop_continue_exc _jessie_ ->
         (let _jessie_ =
         (K_59:
         (let _jessie_ = !k_0 in
         begin
           (let _jessie_ = (k_0 := ((add_int _jessie_) (1))) in void);
          _jessie_ end)) in void) end end done) with
      Loop_exit_exc _jessie_ -> void end); (return := true); (raise Return);
    absurd  end with Return -> !return end)) { true } 

let FlagStatic_swap_ensures_default =
 fun (t_0 : Object pointer) (i_0 : int) (j_0 : int) ->
  { (left_valid_struct_intM(t_0, (0), Object_alloc_table)
    and (JC_49:
        ((JC_45: le_int((0), i_0))
        and ((JC_46:
             lt_int(i_0, add_int(offset_max(Object_alloc_table, t_0), (1))))
            and ((JC_47: le_int((0), j_0))
                and (JC_48:
                    lt_int(j_0,
                    add_int(offset_max(Object_alloc_table, t_0), (1))))))))) }
  (init:
  try
   begin
     (let _jessie_ =
     (let z = (K_14: ((safe_acc_ !intM_intP) ((shift t_0) i_0))) in
     (K_12:
     begin
       (let _jessie_ =
       (let _jessie_ =
       (K_11: ((safe_acc_ !intM_intP) ((shift t_0) j_0))) in
       (let _jessie_ = t_0 in
       (let _jessie_ = i_0 in
       (let _jessie_ = ((shift _jessie_) _jessie_) in
       (((safe_upd_ intM_intP) _jessie_) _jessie_))))) in void);
      (K_13:
      (let _jessie_ = z in
      (let _jessie_ = t_0 in
      (let _jessie_ = j_0 in
      (let _jessie_ = ((shift _jessie_) _jessie_) in
      begin   (((safe_upd_ intM_intP) _jessie_) _jessie_); _jessie_ end)))))
     end)) in void); (raise Return) end with Return -> void end)
  { (JC_51: true) } 

let FlagStatic_swap_ensures_i_j_swapped =
 fun (t_0 : Object pointer) (i_0 : int) (j_0 : int) ->
  { (left_valid_struct_intM(t_0, (0), Object_alloc_table)
    and (JC_49:
        ((JC_45: le_int((0), i_0))
        and ((JC_46:
             lt_int(i_0, add_int(offset_max(Object_alloc_table, t_0), (1))))
            and ((JC_47: le_int((0), j_0))
                and (JC_48:
                    lt_int(j_0,
                    add_int(offset_max(Object_alloc_table, t_0), (1))))))))) }
  (init:
  try
   begin
     (let _jessie_ =
     (let z = (K_14: ((safe_acc_ !intM_intP) ((shift t_0) i_0))) in
     (K_12:
     begin
       (let _jessie_ =
       (let _jessie_ =
       (K_11: ((safe_acc_ !intM_intP) ((shift t_0) j_0))) in
       (let _jessie_ = t_0 in
       (let _jessie_ = i_0 in
       (let _jessie_ = ((shift _jessie_) _jessie_) in
       (((safe_upd_ intM_intP) _jessie_) _jessie_))))) in void);
      (K_13:
      (let _jessie_ = z in
      (let _jessie_ = t_0 in
      (let _jessie_ = j_0 in
      (let _jessie_ = ((shift _jessie_) _jessie_) in
      begin   (((safe_upd_ intM_intP) _jessie_) _jessie_); _jessie_ end)))))
     end)) in void); (raise Return) end with Return -> void end)
  { (JC_59:
    ((JC_57:
     ((JC_55:
      (select(intM_intP, shift(t_0, i_0)) = select(intM_intP@,
                                            shift(t_0, j_0))))
     and (JC_56:
         (select(intM_intP, shift(t_0, j_0)) = select(intM_intP@,
                                               shift(t_0, i_0))))))
    and (JC_58:
        not_assigns(Object_alloc_table@, intM_intP@, intM_intP,
        pset_union(pset_range(pset_singleton(t_0), j_0, j_0),
        pset_range(pset_singleton(t_0), i_0, i_0)))))) } 

let FlagStatic_swap_safety =
 fun (t_0 : Object pointer) (i_0 : int) (j_0 : int) ->
  { (left_valid_struct_intM(t_0, (0), Object_alloc_table)
    and (JC_49:
        ((JC_45: le_int((0), i_0))
        and ((JC_46:
             lt_int(i_0, add_int(offset_max(Object_alloc_table, t_0), (1))))
            and ((JC_47: le_int((0), j_0))
                and (JC_48:
                    lt_int(j_0,
                    add_int(offset_max(Object_alloc_table, t_0), (1))))))))) }
  (init:
  try
   begin
     (let _jessie_ =
     (let z =
     (K_14:
     (JC_65: ((((offset_acc_ !Object_alloc_table) !intM_intP) t_0) i_0))) in
     (K_12:
     begin
       (let _jessie_ =
       (let _jessie_ =
       (K_11:
       (JC_66: ((((offset_acc_ !Object_alloc_table) !intM_intP) t_0) j_0))) in
       (let _jessie_ = t_0 in
       (let _jessie_ = i_0 in
       (let _jessie_ = ((shift _jessie_) _jessie_) in
       (JC_67:
       (((((offset_upd_ !Object_alloc_table) intM_intP) _jessie_) _jessie_) _jessie_)))))) in
       void);
      (K_13:
      (let _jessie_ = z in
      (let _jessie_ = t_0 in
      (let _jessie_ = j_0 in
      (let _jessie_ = ((shift _jessie_) _jessie_) in
      (JC_68:
      begin
        (((((offset_upd_ !Object_alloc_table) intM_intP) _jessie_) _jessie_) _jessie_);
       _jessie_ end)))))) end)) in void); (raise Return) end with Return ->
   void end) { true } 

let cons_FlagStatic_ensures_default =
 fun (this_1 : Object pointer) ->
  { valid_struct_FlagStatic(this_1, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_265: true) } 

let cons_FlagStatic_safety =
 fun (this_1 : Object pointer) ->
  { valid_struct_FlagStatic(this_1, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 

let cons_Object_ensures_default =
 fun (this_12 : Object pointer) ->
  { valid_struct_Object(this_12, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_129: true) } 

let cons_Object_safety =
 fun (this_12 : Object pointer) ->
  { valid_struct_Object(this_12, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 


why-2.39/tests/java/oracle/BinarySearchWrong.err.oracle0000644000106100004300000000000013147234006022114 0ustar  marchevalswhy-2.39/tests/java/oracle/Fresh2.res.oracle0000644000106100004300000014262513147234006017703 0ustar  marchevals========== file tests/java/Fresh2.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@+ SeparationPolicy = None

class Fresh2 {

    int x;

    /*@ assigns \nothing;
      @ allocates this;
      @ ensures \fresh(this);
      @*/
    Fresh2 ();

    /*@ assigns \nothing;
      @ allocates \result;
      @ ensures \result != null && \fresh(\result);
      @*/
    static Fresh2 create() {
        return new Fresh2();
    }

    void test() {
        Fresh2 f;
        f = create ();
        //@ assert this != f;
    }

    static void smoke_detector() {
        Fresh2 _s1 = create ();
        Fresh2 _s2 = create ();
        //@ assert 0 == 1;
    }

}


/*
Local Variables:
compile-command: "LC_ALL=C make Fresh2.why3ide"
End:
*/
========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function cons_Fresh2 for constructor Fresh2
Generating JC function Fresh2_create for method Fresh2.create
Generating JC function Object_equals for method Object.equals
Generating JC function Object_notify for method Object.notify
Generating JC function Object_registerNatives for method Object.registerNatives
Generating JC function Object_hashCode for method Object.hashCode
Generating JC function Object_wait_long_int for method Object.wait
Generating JC function Object_toString for method Object.toString
Generating JC function Object_notifyAll for method Object.notifyAll
Generating JC function cons_Object for constructor Object
Generating JC function Fresh2_test for method Fresh2.test
Generating JC function Object_clone for method Object.clone
Generating JC function Object_wait_long for method Object.wait
Generating JC function Object_finalize for method Object.finalize
Generating JC function Object_wait for method Object.wait
Generating JC function Fresh2_smoke_detector for method Fresh2.smoke_detector
Done.
========== file tests/java/Fresh2.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

type byte = -128..127

type short = -32768..32767

type int32 = -2147483648..2147483647

type long = -9223372036854775808..9223372036854775807

type char = 0..65535

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag Fresh2 = Object with {
  int32 x;
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

unit cons_Fresh2(! Fresh2[0] this_2)
behavior default:
  assigns \nothing;
  allocates this_2;
  ensures (K_1 : \fresh(this_2));
{  (this_2.x = 0)
}

Fresh2[0..] Fresh2_create()
behavior default:
  assigns \nothing;
  allocates \result;
  ensures (K_4 : ((K_3 : Non_null_Object(\result)) &&
                   (K_2 : \fresh(\result))));
{  
   (return 
   {  
      (var Fresh2[0] this = (new Fresh2[1]));
      
      {  
         (var unit _tt = cons_Fresh2(this));
         this
      }
   })
}

boolean Object_equals(Object[0] this_3, Object[0..] obj)
;

unit Object_notify(Object[0] this_4)
;

unit Object_registerNatives()
;

int32 Object_hashCode(Object[0] this_5)
;

unit Object_wait_long_int(Object[0] this_6, long timeout_0, int32 nanos)
;

String[0..] Object_toString(Object[0] this_7)
;

unit Object_notifyAll(Object[0] this_8)
;

unit cons_Object(! Object[0] this_13){()}

unit Fresh2_test(Fresh2[0] this_1)
{  
   {  
      (var Fresh2[0..] f);
      
      {  (f = (K_5 : Fresh2_create()));
         (K_7 : 
         (assert (K_6 : (this_1 != f))))
      }
   }
}

Object[0..] Object_clone(Object[0] this_9)
;

unit Object_wait_long(Object[0] this_10, long timeout)
;

unit Object_finalize(Object[0] this_11)
;

unit Object_wait(Object[0] this_12)
;

unit Fresh2_smoke_detector()
{  
   {  
      (var Fresh2[0..] _s1 = (K_11 : Fresh2_create()));
      
      {  
         (var Fresh2[0..] _s2 = (K_10 : Fresh2_create()));
         (K_9 : 
         (assert (K_8 : (0 == 1))))
      }
   }
}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/Fresh2.jloc tests/java/Fresh2.jc && make -f tests/java/Fresh2.makefile gui"
End:
*/
========== file tests/java/Fresh2.jloc ==========
[K_11]
file = "HOME/tests/java/Fresh2.java"
line = 59
begin = 21
end = 30

[Object_wait_long]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[Object_finalize]
name = "Method finalize"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[K_9]
file = "HOME/tests/java/Fresh2.java"
line = 61
begin = 19
end = 25

[Object_wait]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[Object_notify]
name = "Method notify"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[Object_clone]
name = "Method clone"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[cons_Object]
name = "Constructor of class Object"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_1]
file = "HOME/tests/java/Fresh2.java"
line = 40
begin = 16
end = 28

[K_4]
file = "HOME/tests/java/Fresh2.java"
line = 46
begin = 16
end = 50

[Object_wait_long_int]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[Object_registerNatives]
name = "Method registerNatives"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[K_2]
file = "HOME/tests/java/Fresh2.java"
line = 46
begin = 35
end = 50

[K_10]
file = "HOME/tests/java/Fresh2.java"
line = 60
begin = 21
end = 30

[cons_Fresh2]
name = "Constructor of class Fresh2"
file = "HOME/tests/java/Fresh2.java"
line = 42
begin = 4
end = 10

[K_6]
file = "HOME/tests/java/Fresh2.java"
line = 55
begin = 19
end = 28

[K_8]
file = "HOME/tests/java/Fresh2.java"
line = 61
begin = 19
end = 25

[K_3]
file = "HOME/tests/java/Fresh2.java"
line = 46
begin = 16
end = 31

[Fresh2_create]
name = "Method create"
file = "HOME/tests/java/Fresh2.java"
line = 48
begin = 18
end = 24

[Object_notifyAll]
name = "Method notifyAll"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[Fresh2_smoke_detector]
name = "Method smoke_detector"
file = "HOME/tests/java/Fresh2.java"
line = 58
begin = 16
end = 30

[K_5]
file = "HOME/tests/java/Fresh2.java"
line = 54
begin = 12
end = 21

[Fresh2_test]
name = "Method test"
file = "HOME/tests/java/Fresh2.java"
line = 52
begin = 9
end = 13

[Object_equals]
name = "Method equals"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[K_7]
file = "HOME/tests/java/Fresh2.java"
line = 55
begin = 19
end = 28

[Object_hashCode]
name = "Method hashCode"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[Object_toString]
name = "Method toString"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

========== jessie execution ==========
Generating Why function cons_Fresh2
Generating Why function Fresh2_create
Generating Why function cons_Object
Generating Why function Fresh2_test
Generating Why function Fresh2_smoke_detector
========== file tests/java/Fresh2.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/Fresh2_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: Fresh2.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: Fresh2.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: Fresh2.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/java/Fresh2.loc ==========
[JC_94]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[JC_73]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_158]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_63]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_80]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_51]
kind = UserCall
file = "HOME/tests/java/Fresh2.jc"
line = 75
begin = 25
end = 42

[JC_71]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_147]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_151]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_45]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_123]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_106]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_143]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_113]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_116]
file = "HOME/tests/java/Fresh2.java"
line = 52
begin = 9
end = 13

[JC_64]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Fresh2_safety]
name = "Constructor of class Fresh2"
behavior = "Safety"
file = "HOME/tests/java/Fresh2.java"
line = 42
begin = 4
end = 10

[JC_133]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Object_ensures_default]
name = "Constructor of class Object"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[Fresh2_test_ensures_default]
name = "Method test"
behavior = "default behavior"
file = "HOME/tests/java/Fresh2.java"
line = 52
begin = 9
end = 13

[JC_99]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_85]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_126]
kind = UserCall
file = "HOME/tests/java/Fresh2.java"
line = 54
begin = 12
end = 21

[JC_170]
file = "HOME/tests/java/Fresh2.java"
line = 61
begin = 19
end = 25

[JC_31]
file = "HOME/tests/java/Fresh2.java"
line = 48
begin = 18
end = 24

[JC_17]
file = "HOME/tests/java/Fresh2.jc"
line = 48
begin = 11
end = 65

[JC_122]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_81]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_55]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_138]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[JC_134]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_148]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_137]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_48]
kind = IndexBounds
file = "HOME/tests/java/Fresh2.jc"
line = 72
begin = 7
end = 43

[JC_23]
file = "HOME/tests/java/Fresh2.java"
line = 40
begin = 16
end = 28

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_172]
kind = UserCall
file = "HOME/tests/java/Fresh2.java"
line = 60
begin = 21
end = 30

[JC_121]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_125]
file = "HOME/tests/java/Fresh2.java"
line = 55
begin = 19
end = 28

[JC_67]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_9]
file = "HOME/tests/java/Fresh2.jc"
line = 46
begin = 8
end = 23

[JC_75]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_24]
file = "HOME/tests/java/Fresh2.java"
line = 42
begin = 4
end = 10

[JC_25]
file = "HOME/tests/java/Fresh2.jc"
line = 56
begin = 9
end = 16

[JC_78]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[JC_41]
file = "HOME/tests/java/Fresh2.java"
line = 46
begin = 35
end = 50

[JC_74]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_47]
kind = AllocSize
file = "HOME/tests/java/Fresh2.jc"
line = 72
begin = 29
end = 42

[JC_52]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[JC_26]
file = "HOME/tests/java/Fresh2.java"
line = 40
begin = 16
end = 28

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_154]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[JC_54]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[JC_79]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_130]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[JC_82]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_163]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_153]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_87]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/java/Fresh2.jc"
line = 46
begin = 8
end = 23

[JC_167]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_98]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_70]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[cons_Fresh2_ensures_default]
name = "Constructor of class Fresh2"
behavior = "default behavior"
file = "HOME/tests/java/Fresh2.java"
line = 42
begin = 4
end = 10

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[Fresh2_test_safety]
name = "Method test"
behavior = "Safety"
file = "HOME/tests/java/Fresh2.java"
line = 52
begin = 9
end = 13

[JC_36]
file = "HOME/tests/java/Fresh2.java"
line = 46
begin = 35
end = 50

[JC_168]
kind = UserCall
file = "HOME/tests/java/Fresh2.java"
line = 59
begin = 21
end = 30

[JC_104]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_91]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_39]
file = "HOME/tests/java/Fresh2.jc"
line = 64
begin = 9
end = 16

[JC_112]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_40]
file = "HOME/tests/java/Fresh2.java"
line = 46
begin = 16
end = 31

[JC_162]
file = "HOME/tests/java/Fresh2.java"
line = 58
begin = 16
end = 30

[JC_135]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_169]
kind = UserCall
file = "HOME/tests/java/Fresh2.java"
line = 60
begin = 21
end = 30

[JC_83]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_35]
file = "HOME/tests/java/Fresh2.java"
line = 46
begin = 16
end = 31

[JC_132]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
file = "HOME/tests/java/Fresh2.java"
line = 42
begin = 4
end = 10

[JC_115]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_109]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_107]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_69]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_124]
kind = UserCall
file = "HOME/tests/java/Fresh2.java"
line = 54
begin = 12
end = 21

[JC_38]
file = "HOME/tests/java/Fresh2.java"
line = 48
begin = 18
end = 24

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_156]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_127]
file = "HOME/tests/java/Fresh2.java"
line = 55
begin = 19
end = 28

[JC_171]
kind = UserCall
file = "HOME/tests/java/Fresh2.java"
line = 59
begin = 21
end = 30

[JC_164]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_44]
file = "HOME/tests/java/Fresh2.jc"
line = 64
begin = 9
end = 16

[JC_155]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[JC_101]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_88]
file = "HOME/"
line = 0
begin = -1
end = -1

[Fresh2_create_safety]
name = "Method create"
behavior = "Safety"
file = "HOME/tests/java/Fresh2.java"
line = 48
begin = 18
end = 24

[JC_129]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_42]
file = "HOME/tests/java/Fresh2.java"
line = 46
begin = 16
end = 50

[JC_110]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_166]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_103]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_46]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_141]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_61]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_56]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_33]
file = "HOME/tests/java/Fresh2.java"
line = 48
begin = 18
end = 24

[JC_65]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_118]
file = "HOME/tests/java/Fresh2.java"
line = 52
begin = 9
end = 13

[JC_173]
file = "HOME/tests/java/Fresh2.java"
line = 61
begin = 19
end = 25

[JC_105]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_140]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_29]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_144]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[JC_159]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Object_safety]
name = "Constructor of class Object"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_68]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_96]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_43]
file = "HOME/tests/java/Fresh2.java"
line = 48
begin = 18
end = 24

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_95]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_93]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_97]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_84]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[JC_160]
file = "HOME/tests/java/Fresh2.java"
line = 58
begin = 16
end = 30

[JC_128]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_114]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_150]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_117]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_90]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_53]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_157]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_145]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_21]
file = "HOME/tests/java/Fresh2.java"
line = 42
begin = 4
end = 10

[Fresh2_smoke_detector_ensures_default]
name = "Method smoke_detector"
behavior = "default behavior"
file = "HOME/tests/java/Fresh2.java"
line = 58
begin = 16
end = 30

[JC_149]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_111]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_77]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_49]
kind = UserCall
file = "HOME/tests/java/Fresh2.jc"
line = 75
begin = 25
end = 42

[JC_1]
file = "HOME/tests/java/Fresh2.jc"
line = 20
begin = 12
end = 22

[JC_131]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_102]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[JC_37]
file = "HOME/tests/java/Fresh2.java"
line = 46
begin = 16
end = 50

[JC_142]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_108]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_57]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_161]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_146]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[JC_89]
file = "HOME/"
line = 0
begin = -1
end = -1

[Fresh2_smoke_detector_safety]
name = "Method smoke_detector"
behavior = "Safety"
file = "HOME/tests/java/Fresh2.java"
line = 58
begin = 16
end = 30

[JC_136]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[JC_66]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_59]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_165]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/tests/java/Fresh2.jc"
line = 48
begin = 11
end = 65

[JC_3]
file = "HOME/tests/java/Fresh2.jc"
line = 20
begin = 12
end = 22

[JC_92]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[JC_152]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[JC_86]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[JC_60]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[JC_139]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_72]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_19]
file = "HOME/tests/java/Fresh2.java"
line = 42
begin = 4
end = 10

[JC_119]
file = "HOME/"
line = 0
begin = -1
end = -1

[Fresh2_create_ensures_default]
name = "Method create"
behavior = "default behavior"
file = "HOME/tests/java/Fresh2.java"
line = 48
begin = 18
end = 24

[JC_76]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[JC_50]
kind = AllocSize
file = "HOME/tests/java/Fresh2.jc"
line = 72
begin = 29
end = 42

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_120]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_58]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_100]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[JC_28]
file = "HOME/tests/java/Fresh2.jc"
line = 56
begin = 9
end = 16

========== file tests/java/why/Fresh2.why ==========
type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

logic Fresh2_tag:  -> Object tag_id

axiom Fresh2_parenttag_Object : parenttag(Fresh2_tag, Object_tag)

predicate Non_null_Object(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), (0))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic integer_of_byte: byte -> int

logic byte_of_integer: int -> byte

axiom byte_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_byte(byte_of_integer(x)), x)))

axiom byte_extensionality :
 (forall x:byte.
  (forall y:byte[eq_int(integer_of_byte(x), integer_of_byte(y))].
   (eq_int(integer_of_byte(x), integer_of_byte(y)) -> (x = y))))

axiom byte_range :
 (forall x:byte.
  (le_int((-128), integer_of_byte(x)) and le_int(integer_of_byte(x), (127))))

logic integer_of_char: char -> int

logic char_of_integer: int -> char

axiom char_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (65535))) ->
   eq_int(integer_of_char(char_of_integer(x)), x)))

axiom char_extensionality :
 (forall x:char.
  (forall y:char[eq_int(integer_of_char(x), integer_of_char(y))].
   (eq_int(integer_of_char(x), integer_of_char(y)) -> (x = y))))

axiom char_range :
 (forall x:char.
  (le_int((0), integer_of_char(x)) and le_int(integer_of_char(x), (65535))))

predicate eq_byte(x:byte, y:byte) =
 eq_int(integer_of_byte(x), integer_of_byte(y))

predicate eq_char(x:char, y:char) =
 eq_int(integer_of_char(x), integer_of_char(y))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_long: long -> int

predicate eq_long(x:long, y:long) =
 eq_int(integer_of_long(x), integer_of_long(y))

logic integer_of_short: short -> int

predicate eq_short(x:short, y:short) =
 eq_int(integer_of_short(x), integer_of_short(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Fresh2(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer: int -> long

axiom long_coerce :
 (forall x:int.
  ((le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807))) ->
   eq_int(integer_of_long(long_of_integer(x)), x)))

axiom long_extensionality :
 (forall x:long.
  (forall y:long[eq_int(integer_of_long(x), integer_of_long(y))].
   (eq_int(integer_of_long(x), integer_of_long(y)) -> (x = y))))

axiom long_range :
 (forall x:long.
  (le_int((-9223372036854775808), integer_of_long(x))
  and le_int(integer_of_long(x), (9223372036854775807))))

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Fresh2(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer: int -> short

axiom short_coerce :
 (forall x:int.
  ((le_int((-32768), x) and le_int(x, (32767))) ->
   eq_int(integer_of_short(short_of_integer(x)), x)))

axiom short_extensionality :
 (forall x:short.
  (forall y:short[eq_int(integer_of_short(x), integer_of_short(y))].
   (eq_int(integer_of_short(x), integer_of_short(y)) -> (x = y))))

axiom short_range :
 (forall x:short.
  (le_int((-32768), integer_of_short(x))
  and le_int(integer_of_short(x), (32767))))

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Fresh2(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Fresh2(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

exception Exception_exc of Object pointer

parameter Object_alloc_table : Object alloc_table ref

parameter Object_tag_table : Object tag_table ref

parameter Fresh2_x : (Object, int32) memory ref

parameter Fresh2_create :
 tt:unit ->
  { } Object pointer reads Object_alloc_table
  writes Fresh2_x,Object_alloc_table,Object_tag_table
  { (JC_44:
    ((JC_42:
     ((JC_40: Non_null_Object(result, Object_alloc_table))
     and (JC_41: (not valid(Object_alloc_table@, result)))))
    and (JC_43:
        not_assigns(Object_alloc_table@, Fresh2_x@, Fresh2_x, pset_empty)))) }

parameter Fresh2_create_requires :
 tt:unit ->
  { } Object pointer reads Object_alloc_table
  writes Fresh2_x,Object_alloc_table,Object_tag_table
  { (JC_44:
    ((JC_42:
     ((JC_40: Non_null_Object(result, Object_alloc_table))
     and (JC_41: (not valid(Object_alloc_table@, result)))))
    and (JC_43:
        not_assigns(Object_alloc_table@, Fresh2_x@, Fresh2_x, pset_empty)))) }

parameter Fresh2_smoke_detector :
 tt:unit ->
  { } unit reads Object_alloc_table
  writes Fresh2_x,Object_alloc_table,Object_tag_table { true }

parameter Fresh2_smoke_detector_requires :
 tt:unit ->
  { } unit reads Object_alloc_table
  writes Fresh2_x,Object_alloc_table,Object_tag_table { true }

parameter Fresh2_test :
 this_1:Object pointer ->
  { } unit reads Object_alloc_table
  writes Fresh2_x,Object_alloc_table,Object_tag_table { true }

parameter Fresh2_test_requires :
 this_1:Object pointer ->
  { } unit reads Object_alloc_table
  writes Fresh2_x,Object_alloc_table,Object_tag_table { true }

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Object_clone :
 this_9:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_clone_requires :
 this_9:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_equals :
 this_3:Object pointer ->
  obj:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Object_equals_requires :
 this_3:Object pointer ->
  obj:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Object_finalize :
 this_11:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_finalize_requires :
 this_11:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_hashCode :
 this_5:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter Object_hashCode_requires :
 this_5:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter Object_notify :
 this_4:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notifyAll :
 this_8:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notifyAll_requires :
 this_8:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notify_requires :
 this_4:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_registerNatives : tt:unit -> { } unit { true }

parameter Object_registerNatives_requires : tt:unit -> { } unit { true }

parameter Object_toString :
 this_7:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_toString_requires :
 this_7:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_wait :
 this_12:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long :
 this_10:Object pointer ->
  timeout:long -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_int :
 this_6:Object pointer ->
  timeout_0:long -> nanos:int32 -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_int_requires :
 this_6:Object pointer ->
  timeout_0:long -> nanos:int32 -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_requires :
 this_10:Object pointer ->
  timeout:long -> { } unit reads Object_alloc_table { true }

parameter Object_wait_requires :
 this_12:Object pointer -> { } unit reads Object_alloc_table { true }

exception Return_label_exc of unit

exception Throwable_exc of Object pointer

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Fresh2 :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Fresh2(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Fresh2_tag)))) }

parameter alloc_struct_Fresh2_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Fresh2(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Fresh2_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_byte : unit -> { } byte { true }

parameter any_char : unit -> { } char { true }

parameter any_int32 : unit -> { } int32 { true }

parameter any_long : unit -> { } long { true }

parameter any_short : unit -> { } short { true }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter byte_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} byte
  { eq_int(integer_of_byte(result), x) }

parameter char_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (65535)))} char
  { eq_int(integer_of_char(result), x) }

parameter cons_Fresh2 :
 this_2:Object pointer ->
  { } unit reads Object_alloc_table writes Fresh2_x
  { (JC_28:
    ((JC_26: (not valid(Object_alloc_table@, this_2)))
    and (JC_27:
        not_assigns(Object_alloc_table@, Fresh2_x@, Fresh2_x, pset_empty)))) }

parameter cons_Fresh2_requires :
 this_2:Object pointer ->
  { } unit reads Object_alloc_table writes Fresh2_x
  { (JC_28:
    ((JC_26: (not valid(Object_alloc_table@, this_2)))
    and (JC_27:
        not_assigns(Object_alloc_table@, Fresh2_x@, Fresh2_x, pset_empty)))) }

parameter cons_Object :
 this_13:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Object_requires :
 this_13:Object pointer -> { } unit reads Object_alloc_table { true }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter long_of_integer_ :
 x:int ->
  { (le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807)))}
  long { eq_int(integer_of_long(result), x) }

parameter non_null_Object :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter non_null_Object_requires :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter safe_byte_of_integer_ :
 x:int -> { } byte { eq_int(integer_of_byte(result), x) }

parameter safe_char_of_integer_ :
 x:int -> { } char { eq_int(integer_of_char(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_long_of_integer_ :
 x:int -> { } long { eq_int(integer_of_long(result), x) }

parameter safe_short_of_integer_ :
 x:int -> { } short { eq_int(integer_of_short(result), x) }

parameter short_of_integer_ :
 x:int ->
  { (le_int((-32768), x) and le_int(x, (32767)))} short
  { eq_int(integer_of_short(result), x) }

let Fresh2_create_ensures_default =
 fun (tt : unit) ->
  { (JC_34: true) }
  (init:
  (let return = ref (any_pointer void) in
  try
   begin
     (return := (let this =
                (JC_50:
                (((alloc_struct_Fresh2 (1)) Object_alloc_table) Object_tag_table)) in
                (let _tt =
                (let _jessie_ = this in (JC_51: (cons_Fresh2 _jessie_))) in
                this))); (raise Return); absurd  end with Return ->
   !return end))
  { (JC_39:
    ((JC_37:
     ((JC_35: Non_null_Object(result, Object_alloc_table))
     and (JC_36: (not valid(Object_alloc_table@, result)))))
    and (JC_38:
        not_assigns(Object_alloc_table@, Fresh2_x@, Fresh2_x, pset_empty)))) }
  

let Fresh2_create_safety =
 fun (tt : unit) ->
  { (JC_34: true) }
  (init:
  (let return = ref (any_pointer void) in
  try
   begin
     (return := (let this =
                (let _jessie_ =
                (JC_47:
                (((alloc_struct_Fresh2_requires (1)) Object_alloc_table) Object_tag_table)) in
                (JC_48:
                (assert
                { ge_int(offset_max(Object_alloc_table, _jessie_), (0)) };
                _jessie_))) in
                (let _tt =
                (let _jessie_ = this in
                (JC_49: (cons_Fresh2_requires _jessie_))) in this)));
    (raise Return); absurd  end with Return -> !return end)) { true } 

let Fresh2_smoke_detector_ensures_default =
 fun (tt : unit) ->
  { (JC_163: true) }
  (init:
  try
   begin
     (let _s1 = (K_11: (JC_171: (Fresh2_create void))) in
     (let _s2 = (K_10: (JC_172: (Fresh2_create void))) in
     (K_9: (assert { (JC_173: ((0) = (1))) }; void)))); (raise Return) end
   with Return -> void end) { (JC_164: true) } 

let Fresh2_smoke_detector_safety =
 fun (tt : unit) ->
  { (JC_163: true) }
  (init:
  try
   begin
     (let _s1 = (K_11: (JC_168: (Fresh2_create_requires void))) in
     (let _s2 = (K_10: (JC_169: (Fresh2_create_requires void))) in
     (K_9: [ { } unit { (JC_170: ((0) = (1))) } ]))); (raise Return) end with
   Return -> void end) { true } 

let Fresh2_test_ensures_default =
 fun (this_1 : Object pointer) ->
  { valid_struct_Fresh2(this_1, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let f = ref (any_pointer void) in
     begin
       (let _jessie_ = (f := (K_5: (JC_126: (Fresh2_create void)))) in
       void); (K_7: (assert { (JC_127: (this_1 <> f)) }; void)) end);
    (raise Return) end with Return -> void end) { (JC_120: true) } 

let Fresh2_test_safety =
 fun (this_1 : Object pointer) ->
  { valid_struct_Fresh2(this_1, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let f = ref (any_pointer void) in
     begin
       (let _jessie_ =
       (f := (K_5: (JC_124: (Fresh2_create_requires void)))) in void);
      (K_7: [ { } unit reads f { (JC_125: (this_1 <> f)) } ]) end);
    (raise Return) end with Return -> void end) { true } 

let cons_Fresh2_ensures_default =
 fun (this_2 : Object pointer) ->
  { valid_struct_Fresh2(this_2, (0), (0), Object_alloc_table) }
  (let mutable_this_2 = ref this_2 in
  (init:
  try
   begin
     (let _jessie_ =
     (let _jessie_ = (safe_int32_of_integer_ (0)) in
     begin
       (let _jessie_ = !mutable_this_2 in
       (((safe_upd_ Fresh2_x) _jessie_) _jessie_)); _jessie_ end) in void);
    (raise Return) end with Return -> void end))
  { (JC_25:
    ((JC_23: (not valid(Object_alloc_table@, this_2)))
    and (JC_24:
        not_assigns(Object_alloc_table@, Fresh2_x@, Fresh2_x, pset_empty)))) }
  

let cons_Fresh2_safety =
 fun (this_2 : Object pointer) ->
  { valid_struct_Fresh2(this_2, (0), (0), Object_alloc_table) }
  (let mutable_this_2 = ref this_2 in
  (init:
  try
   begin
     (let _jessie_ =
     (let _jessie_ = (safe_int32_of_integer_ (0)) in
     begin
       (let _jessie_ = !mutable_this_2 in
       (((safe_upd_ Fresh2_x) _jessie_) _jessie_)); _jessie_ end) in void);
    (raise Return) end with Return -> void end)) { true } 

let cons_Object_ensures_default =
 fun (this_13 : Object pointer) ->
  { valid_struct_Object(this_13, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_112: true) } 

let cons_Object_safety =
 fun (this_13 : Object pointer) ->
  { valid_struct_Object(this_13, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 


why-2.39/tests/java/oracle/BinarySearch.res.oracle0000644000106100004300000001037113147234006021114 0ustar  marchevals========== file tests/java/BinarySearch.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

// RUNSIMPLIFY this tells regtests to run Simplify in this example

//+ CheckArithOverflow = yes

/* lemma mean_property1 :
  @   \forall integer x y; x <= y ==> x <= (x+y)/2 <= y;
  @*/

/* lemma mean_property2 :
  @   \forall integer x y; x <= y ==> x <= x+(y-x)/2 <= y;
  @*/

/* lemma div2_property :
  @   \forall integer x; 0 <= x ==> 0 <= x/2 <= x;
  @*/

/*@ predicate is_sorted{L}(int[] t) =
  @   t != null &&
  @   \forall integer i j;
  @     0 <= i && i <= j && j < t.length ==> t[i] <= t[j] ;
  @*/


class BinarySearch {

    /* binary_search(t,v) search for element v in array t
       between index 0 and t.length-1
       array t is assumed to be sorted in increasing order
       returns an index i between 0 and t.length-1 where t[i] equals v,
       or -1 if no element in t is equal to v
    */

    /*@ requires t != null;
      @ ensures -1 <= \result < t.length;
      @ behavior success:
      @   ensures \result >= 0 ==> t[\result] == v;
      @ behavior failure:
      @  assumes is_sorted(t);
      @  // assumes
      @  //   \forall integer k1 k2;
      @  //      0 <= k1 <= k2 <= t.length-1 ==> t[k1] <= t[k2];
      @  ensures \result == -1 ==>
      @    \forall integer k; 0 <= k < t.length ==> t[k] != v;
      @*/
    static int binary_search(int t[], int v) {
	int l = 0, u = t.length - 1;
	/*@ loop_invariant
	  @   0 <= l && u <= t.length - 1;
	  @ for failure:
	  @  loop_invariant
	  @    \forall integer k; 0 <= k < t.length ==> t[k] == v ==> l <= k <= u;
	  @ loop_variant
	  @   u-l ;
	  @*/
	while (l <= u ) {
	    int m;
            // wrong: m = (u + l) / 2;
            // fix: 
            m = l + (u - l) / 2;
            // the following assertion helps provers
            //@ assert l <= m <= u;
	    if (t[m] < v) l = m + 1;
	    else if (t[m] > v) u = m - 1;
	    else return m;
	}
	return -1;
    }

}

/*
Local Variables:
compile-command: "make BinarySearch.why3ide"
End:
*/


========== krakatoa execution ==========
why-2.39/tests/java/oracle/Fresh3.err.oracle0000644000106100004300000000020713147234006017670 0ustar  marchevalscat: /tmp/regtests.cwd: No such file or directory
grep: /src/version.ml: No such file or directory
Cannot open directory /lib/java_api
why-2.39/tests/java/oracle/FlagStatic.err.oracle0000644000106100004300000000000013147234006020546 0ustar  marchevalswhy-2.39/tests/java/oracle/bts15964.res.oracle0000644000106100004300000000467013147234006017750 0ustar  marchevals========== file tests/java/bts15964.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

class bts15964 {
        public void f() {
            Object x = null;
        }
}
========== krakatoa execution ==========
why-2.39/tests/java/oracle/SimpleAlloc.res.oracle0000644000106100004300000012456013147234006020754 0ustar  marchevals========== file tests/java/SimpleAlloc.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

class Node {
    int val;

    /*@ assigns \nothing;
      @ allocates this;
      @ ensures this.val == 0;
      @*/
    Node(){}
}

class test {
    Node[] x;

    /*@ requires x != null && x.length == 10  ;
      @ assigns x[0];
      @ allocates x[0];
      @ ensures x[0] != null;
      @*/
    void test() {
        x[0]=new Node();
    }
}




/*
Local Variables:
compile-command: "make SimpleAlloc.why3ide"
End:
*/

========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function cons_Node for constructor Node
Generating JC function test_test for method test.test
Generating JC function cons_test for constructor test
Done.
========== file tests/java/SimpleAlloc.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

type byte = -128..127

type short = -32768..32767

type int32 = -2147483648..2147483647

type long = -9223372036854775808..9223372036854775807

type char = 0..65535

predicate Non_null_NodeM{Here}(NodeM[0..] x) =
(\offset_max(x) >= -1)

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag Node = Object with {
  int32 val;
}

tag test = Object with {
  NodeM[0..] x;
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

tag NodeM = Object with {
  Node[0..] NodeP;
}

boolean non_null_NodeM(! NodeM[0..] x)
behavior default:
  assigns \nothing;
  ensures (if \result then (\offset_max(x) >= -1) else (x == null));
;

integer java_array_length_NodeM(! NodeM[0..-1] x)
behavior default:
  assigns \nothing;
  ensures ((\result <= 2147483647) &&
            ((\result >= 0) && (\result == (\offset_max(x) + 1))));
;

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

unit cons_Node(! Node[0] this_0)
behavior default:
  assigns \nothing;
  allocates this_0;
  ensures (K_1 : (this_0.val == 0));
{  (this_0.val = 0)
}

unit test_test(test[0] this_2)
  requires (K_5 : ((K_4 : Non_null_NodeM(this_2.x)) &&
                    (K_3 : ((\offset_max(this_2.x) + 1) == 10))));
behavior default:
  assigns (this_2.x + [0..0]).NodeP;
  allocates (this_2.x + [0..0]).NodeP;
  ensures (K_2 : Non_null_Object((this_2.x + 0).NodeP));
{  (K_7 : (((K_6 : this_2.x) + 0).NodeP = 
   {  
      (var Node[0] this = (new Node[1]));
      
      {  
         (var unit _tt = cons_Node(this));
         this
      }
   }))
}

unit cons_test(! test[0] this_3)
{  (this_3.x = null)
}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/SimpleAlloc.jloc tests/java/SimpleAlloc.jc && make -f tests/java/SimpleAlloc.makefile gui"
End:
*/
========== file tests/java/SimpleAlloc.jloc ==========
[test_test]
name = "Method test"
file = "HOME/tests/java/SimpleAlloc.java"
line = 50
begin = 9
end = 13

[K_1]
file = "HOME/tests/java/SimpleAlloc.java"
line = 37
begin = 16
end = 29

[K_4]
file = "HOME/tests/java/SimpleAlloc.java"
line = 45
begin = 17
end = 26

[K_2]
file = "HOME/tests/java/SimpleAlloc.java"
line = 48
begin = 16
end = 28

[K_6]
file = "HOME/tests/java/SimpleAlloc.java"
line = 51
begin = 8
end = 12

[K_3]
file = "HOME/tests/java/SimpleAlloc.java"
line = 45
begin = 30
end = 44

[cons_test]
name = "Constructor of class test"
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Node]
name = "Constructor of class Node"
file = "HOME/tests/java/SimpleAlloc.java"
line = 39
begin = 4
end = 8

[K_5]
file = "HOME/tests/java/SimpleAlloc.java"
line = 45
begin = 17
end = 44

[K_7]
file = "HOME/tests/java/SimpleAlloc.java"
line = 51
begin = 8
end = 23

========== jessie execution ==========
Generating Why function cons_Node
Generating Why function test_test
Generating Why function cons_test
========== file tests/java/SimpleAlloc.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/SimpleAlloc_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: SimpleAlloc.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: SimpleAlloc.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: SimpleAlloc.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/java/SimpleAlloc.loc ==========
[cons_Node_ensures_default]
name = "Constructor of class Node"
behavior = "default behavior"
file = "HOME/tests/java/SimpleAlloc.java"
line = 39
begin = 4
end = 8

[cons_Node_safety]
name = "Constructor of class Node"
behavior = "Safety"
file = "HOME/tests/java/SimpleAlloc.java"
line = 39
begin = 4
end = 8

[JC_73]
kind = UserCall
file = "HOME/tests/java/SimpleAlloc.jc"
line = 99
begin = 25
end = 40

[JC_63]
file = "HOME/tests/java/SimpleAlloc.jc"
line = 90
begin = 9
end = 16

[JC_80]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_51]
file = "HOME/tests/java/SimpleAlloc.java"
line = 45
begin = 17
end = 26

[JC_71]
kind = AllocSize
file = "HOME/tests/java/SimpleAlloc.jc"
line = 96
begin = 27
end = 38

[JC_45]
file = "HOME/tests/java/SimpleAlloc.jc"
line = 80
begin = 9
end = 16

[test_test_safety]
name = "Method test"
behavior = "Safety"
file = "HOME/tests/java/SimpleAlloc.java"
line = 50
begin = 9
end = 13

[JC_64]
file = "HOME/tests/java/SimpleAlloc.java"
line = 48
begin = 16
end = 28

[JC_31]
file = "HOME/tests/java/SimpleAlloc.jc"
line = 70
begin = 8
end = 23

[JC_17]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_81]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_55]
file = "HOME/tests/java/SimpleAlloc.java"
line = 45
begin = 17
end = 26

[JC_48]
file = "HOME/tests/java/SimpleAlloc.jc"
line = 80
begin = 9
end = 16

[JC_23]
file = "HOME/tests/java/SimpleAlloc.jc"
line = 66
begin = 11
end = 103

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_test_ensures_default]
name = "Constructor of class test"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_67]
file = "HOME/tests/java/SimpleAlloc.jc"
line = 91
begin = 10
end = 35

[JC_9]
file = "HOME/tests/java/SimpleAlloc.jc"
line = 57
begin = 8
end = 22

[JC_75]
kind = AllocSize
file = "HOME/tests/java/SimpleAlloc.jc"
line = 96
begin = 27
end = 38

[JC_24]
file = "HOME/tests/java/SimpleAlloc.jc"
line = 65
begin = 10
end = 18

[JC_25]
file = "HOME/tests/java/SimpleAlloc.jc"
line = 66
begin = 11
end = 103

[JC_78]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_41]
file = "HOME/tests/java/SimpleAlloc.java"
line = 39
begin = 4
end = 8

[JC_74]
kind = IndexBounds
file = "HOME/tests/java/SimpleAlloc.jc"
line = 94
begin = 11
end = 178

[JC_47]
file = "HOME/tests/java/SimpleAlloc.java"
line = 39
begin = 4
end = 8

[JC_52]
file = "HOME/tests/java/SimpleAlloc.java"
line = 45
begin = 30
end = 44

[JC_26]
file = "HOME/tests/java/SimpleAlloc.jc"
line = 65
begin = 10
end = 18

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_79]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/tests/java/SimpleAlloc.jc"
line = 60
begin = 11
end = 66

[JC_82]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/java/SimpleAlloc.jc"
line = 57
begin = 8
end = 22

[JC_70]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_15]
file = "HOME/tests/java/SimpleAlloc.jc"
line = 60
begin = 11
end = 66

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_39]
file = "HOME/tests/java/SimpleAlloc.java"
line = 39
begin = 4
end = 8

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_83]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_35]
file = "HOME/"
line = 0
begin = -1
end = -1

[test_test_ensures_default]
name = "Method test"
behavior = "default behavior"
file = "HOME/tests/java/SimpleAlloc.java"
line = 50
begin = 9
end = 13

[JC_27]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_69]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_38]
file = "HOME/tests/java/SimpleAlloc.jc"
line = 72
begin = 11
end = 65

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_44]
file = "HOME/tests/java/SimpleAlloc.java"
line = 39
begin = 4
end = 8

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
file = "HOME/tests/java/SimpleAlloc.jc"
line = 91
begin = 10
end = 35

[JC_42]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_46]
file = "HOME/tests/java/SimpleAlloc.java"
line = 37
begin = 16
end = 29

[JC_61]
file = "HOME/tests/java/SimpleAlloc.java"
line = 50
begin = 9
end = 13

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_56]
file = "HOME/tests/java/SimpleAlloc.java"
line = 45
begin = 30
end = 44

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_65]
file = "HOME/tests/java/SimpleAlloc.java"
line = 50
begin = 9
end = 13

[cons_test_safety]
name = "Constructor of class test"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_29]
file = "HOME/tests/java/SimpleAlloc.jc"
line = 70
begin = 8
end = 23

[JC_68]
file = "HOME/tests/java/SimpleAlloc.jc"
line = 90
begin = 9
end = 16

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/tests/java/SimpleAlloc.jc"
line = 59
begin = 10
end = 18

[JC_43]
file = "HOME/tests/java/SimpleAlloc.java"
line = 37
begin = 16
end = 29

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_84]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/tests/java/SimpleAlloc.jc"
line = 59
begin = 10
end = 18

[JC_53]
file = "HOME/tests/java/SimpleAlloc.java"
line = 45
begin = 17
end = 44

[JC_21]
file = "HOME/tests/java/SimpleAlloc.jc"
line = 63
begin = 8
end = 31

[JC_77]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_49]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1]
file = "HOME/tests/java/SimpleAlloc.jc"
line = 23
begin = 12
end = 22

[JC_37]
file = "HOME/tests/java/SimpleAlloc.jc"
line = 72
begin = 11
end = 65

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_57]
file = "HOME/tests/java/SimpleAlloc.java"
line = 45
begin = 17
end = 44

[JC_66]
file = "HOME/tests/java/SimpleAlloc.java"
line = 50
begin = 9
end = 13

[JC_59]
file = "HOME/tests/java/SimpleAlloc.java"
line = 48
begin = 16
end = 28

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_3]
file = "HOME/tests/java/SimpleAlloc.jc"
line = 23
begin = 12
end = 22

[JC_60]
file = "HOME/tests/java/SimpleAlloc.java"
line = 50
begin = 9
end = 13

[JC_72]
kind = IndexBounds
file = "HOME/tests/java/SimpleAlloc.jc"
line = 96
begin = 7
end = 39

[JC_19]
file = "HOME/tests/java/SimpleAlloc.jc"
line = 63
begin = 8
end = 31

[JC_76]
kind = UserCall
file = "HOME/tests/java/SimpleAlloc.jc"
line = 99
begin = 25
end = 40

[JC_50]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_58]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/java/why/SimpleAlloc.why ==========
type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

logic NodeM_tag:  -> Object tag_id

axiom NodeM_parenttag_Object : parenttag(NodeM_tag, Object_tag)

logic Node_tag:  -> Object tag_id

axiom Node_parenttag_Object : parenttag(Node_tag, Object_tag)

predicate Non_null_NodeM(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), neg_int((1)))

predicate Non_null_Object(x_1:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_1), (0))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic integer_of_byte: byte -> int

logic byte_of_integer: int -> byte

axiom byte_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_byte(byte_of_integer(x)), x)))

axiom byte_extensionality :
 (forall x:byte.
  (forall y:byte[eq_int(integer_of_byte(x), integer_of_byte(y))].
   (eq_int(integer_of_byte(x), integer_of_byte(y)) -> (x = y))))

axiom byte_range :
 (forall x:byte.
  (le_int((-128), integer_of_byte(x)) and le_int(integer_of_byte(x), (127))))

logic integer_of_char: char -> int

logic char_of_integer: int -> char

axiom char_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (65535))) ->
   eq_int(integer_of_char(char_of_integer(x)), x)))

axiom char_extensionality :
 (forall x:char.
  (forall y:char[eq_int(integer_of_char(x), integer_of_char(y))].
   (eq_int(integer_of_char(x), integer_of_char(y)) -> (x = y))))

axiom char_range :
 (forall x:char.
  (le_int((0), integer_of_char(x)) and le_int(integer_of_char(x), (65535))))

predicate eq_byte(x:byte, y:byte) =
 eq_int(integer_of_byte(x), integer_of_byte(y))

predicate eq_char(x:char, y:char) =
 eq_int(integer_of_char(x), integer_of_char(y))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_long: long -> int

predicate eq_long(x:long, y:long) =
 eq_int(integer_of_long(x), integer_of_long(y))

logic integer_of_short: short -> int

predicate eq_short(x:short, y:short) =
 eq_int(integer_of_short(x), integer_of_short(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Node(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_NodeM(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

predicate left_valid_struct_test(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

logic long_of_integer: int -> long

axiom long_coerce :
 (forall x:int.
  ((le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807))) ->
   eq_int(integer_of_long(long_of_integer(x)), x)))

axiom long_extensionality :
 (forall x:long.
  (forall y:long[eq_int(integer_of_long(x), integer_of_long(y))].
   (eq_int(integer_of_long(x), integer_of_long(y)) -> (x = y))))

axiom long_range :
 (forall x:long.
  (le_int((-9223372036854775808), integer_of_long(x))
  and le_int(integer_of_long(x), (9223372036854775807))))

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Node(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_NodeM(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

predicate right_valid_struct_test(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

logic short_of_integer: int -> short

axiom short_coerce :
 (forall x:int.
  ((le_int((-32768), x) and le_int(x, (32767))) ->
   eq_int(integer_of_short(short_of_integer(x)), x)))

axiom short_extensionality :
 (forall x:short.
  (forall y:short[eq_int(integer_of_short(x), integer_of_short(y))].
   (eq_int(integer_of_short(x), integer_of_short(y)) -> (x = y))))

axiom short_range :
 (forall x:short.
  (le_int((-32768), integer_of_short(x))
  and le_int(integer_of_short(x), (32767))))

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Node(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_NodeM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_test(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

logic test_tag:  -> Object tag_id

axiom test_parenttag_Object : parenttag(test_tag, Object_tag)

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Node(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_NodeM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_test(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

exception Exception_exc of Object pointer

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter NodeM_NodeP : (Object, Object pointer) memory ref

parameter Node_val : (Object, int32) memory ref

parameter Object_alloc_table : Object alloc_table ref

parameter Object_tag_table : Object tag_table ref

exception Return_label_exc of unit

exception Throwable_exc of Object pointer

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Node :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Node(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Node_tag)))) }

parameter alloc_struct_NodeM :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_NodeM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, NodeM_tag)))) }

parameter alloc_struct_NodeM_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_NodeM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, NodeM_tag)))) }

parameter alloc_struct_Node_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Node(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Node_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_test :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_test(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, test_tag)))) }

parameter alloc_struct_test_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_test(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, test_tag)))) }

parameter any_byte : unit -> { } byte { true }

parameter any_char : unit -> { } char { true }

parameter any_int32 : unit -> { } int32 { true }

parameter any_long : unit -> { } long { true }

parameter any_short : unit -> { } short { true }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter byte_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} byte
  { eq_int(integer_of_byte(result), x) }

parameter char_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (65535)))} char
  { eq_int(integer_of_char(result), x) }

parameter cons_Node :
 this_0:Object pointer ->
  { } unit reads Node_val,Object_alloc_table writes Node_val
  { (JC_48:
    ((JC_46: (integer_of_int32(select(Node_val, this_0)) = (0)))
    and (JC_47:
        not_assigns(Object_alloc_table@, Node_val@, Node_val, pset_empty)))) }

parameter cons_Node_requires :
 this_0:Object pointer ->
  { } unit reads Node_val,Object_alloc_table writes Node_val
  { (JC_48:
    ((JC_46: (integer_of_int32(select(Node_val, this_0)) = (0)))
    and (JC_47:
        not_assigns(Object_alloc_table@, Node_val@, Node_val, pset_empty)))) }

parameter test_x : (Object, Object pointer) memory ref

parameter cons_test :
 this_3:Object pointer ->
  { } unit reads Object_alloc_table writes test_x { true }

parameter cons_test_requires :
 this_3:Object pointer ->
  { } unit reads Object_alloc_table writes test_x { true }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter java_array_length_NodeM :
 x_3:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_25:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_3), (1)))))) }

parameter java_array_length_NodeM_requires :
 x_3:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_25:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_3), (1)))))) }

parameter long_of_integer_ :
 x:int ->
  { (le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807)))}
  long { eq_int(integer_of_long(result), x) }

parameter non_null_NodeM :
 x_2:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_15:
    (if result then ge_int(offset_max(Object_alloc_table, x_2), neg_int((1)))
     else (x_2 = null))) }

parameter non_null_NodeM_requires :
 x_2:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_15:
    (if result then ge_int(offset_max(Object_alloc_table, x_2), neg_int((1)))
     else (x_2 = null))) }

parameter non_null_Object :
 x_4:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_38:
    (if result then (offset_max(Object_alloc_table, x_4) = (0))
     else (x_4 = null))) }

parameter non_null_Object_requires :
 x_4:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_38:
    (if result then (offset_max(Object_alloc_table, x_4) = (0))
     else (x_4 = null))) }

parameter safe_byte_of_integer_ :
 x:int -> { } byte { eq_int(integer_of_byte(result), x) }

parameter safe_char_of_integer_ :
 x:int -> { } char { eq_int(integer_of_char(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_long_of_integer_ :
 x:int -> { } long { eq_int(integer_of_long(result), x) }

parameter safe_short_of_integer_ :
 x:int -> { } short { eq_int(integer_of_short(result), x) }

parameter short_of_integer_ :
 x:int ->
  { (le_int((-32768), x) and le_int(x, (32767)))} short
  { eq_int(integer_of_short(result), x) }

parameter test_test :
 this_2:Object pointer ->
  { } unit reads NodeM_NodeP,Node_val,Object_alloc_table,test_x
  writes NodeM_NodeP,Node_val,Object_alloc_table,Object_tag_table
  { (JC_68:
    ((JC_64:
     Non_null_Object(select(NodeM_NodeP, shift(select(test_x, this_2), (0))),
     Object_alloc_table))
    and (JC_67:
        ((JC_65:
         not_assigns(Object_alloc_table@, Node_val@, Node_val, pset_empty))
        and (JC_66:
            not_assigns(Object_alloc_table@, NodeM_NodeP@, NodeM_NodeP,
            pset_range(pset_deref(test_x@, pset_singleton(this_2)), (0), (0)))))))) }

parameter test_test_requires :
 this_2:Object pointer ->
  { (JC_53:
    ((JC_51: Non_null_NodeM(select(test_x, this_2), Object_alloc_table))
    and (JC_52:
        (add_int(offset_max(Object_alloc_table, select(test_x, this_2)), (1)) = (10)))))}
  unit reads NodeM_NodeP,Node_val,Object_alloc_table,test_x
  writes NodeM_NodeP,Node_val,Object_alloc_table,Object_tag_table
  { (JC_68:
    ((JC_64:
     Non_null_Object(select(NodeM_NodeP, shift(select(test_x, this_2), (0))),
     Object_alloc_table))
    and (JC_67:
        ((JC_65:
         not_assigns(Object_alloc_table@, Node_val@, Node_val, pset_empty))
        and (JC_66:
            not_assigns(Object_alloc_table@, NodeM_NodeP@, NodeM_NodeP,
            pset_range(pset_deref(test_x@, pset_singleton(this_2)), (0), (0)))))))) }

let cons_Node_ensures_default =
 fun (this_0 : Object pointer) ->
  { valid_struct_Node(this_0, (0), (0), Object_alloc_table) }
  (let mutable_this_0 = ref this_0 in
  (init:
  try
   begin
     (let _jessie_ =
     (let _jessie_ = (safe_int32_of_integer_ (0)) in
     begin
       (let _jessie_ = !mutable_this_0 in
       (((safe_upd_ Node_val) _jessie_) _jessie_)); _jessie_ end) in void);
    (raise Return) end with Return -> void end))
  { (JC_45:
    ((JC_43: (integer_of_int32(select(Node_val, this_0)) = (0)))
    and (JC_44:
        not_assigns(Object_alloc_table@, Node_val@, Node_val, pset_empty)))) }
  

let cons_Node_safety =
 fun (this_0 : Object pointer) ->
  { valid_struct_Node(this_0, (0), (0), Object_alloc_table) }
  (let mutable_this_0 = ref this_0 in
  (init:
  try
   begin
     (let _jessie_ =
     (let _jessie_ = (safe_int32_of_integer_ (0)) in
     begin
       (let _jessie_ = !mutable_this_0 in
       (((safe_upd_ Node_val) _jessie_) _jessie_)); _jessie_ end) in void);
    (raise Return) end with Return -> void end)) { true } 

let cons_test_ensures_default =
 fun (this_3 : Object pointer) ->
  { valid_struct_test(this_3, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     (let _jessie_ = null in
     begin
       (let _jessie_ = this_3 in
       (((safe_upd_ test_x) _jessie_) _jessie_)); _jessie_ end) in
     void); (raise Return) end with Return -> void end) { (JC_81: true) } 

let cons_test_safety =
 fun (this_3 : Object pointer) ->
  { valid_struct_test(this_3, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     (let _jessie_ = null in
     begin
       (let _jessie_ = this_3 in
       (((safe_upd_ test_x) _jessie_) _jessie_)); _jessie_ end) in
     void); (raise Return) end with Return -> void end) { true } 

let test_test_ensures_default =
 fun (this_2 : Object pointer) ->
  { (valid_struct_test(this_2, (0), (0), Object_alloc_table)
    and (JC_57:
        ((JC_55: Non_null_NodeM(select(test_x, this_2), Object_alloc_table))
        and (JC_56:
            (add_int(offset_max(Object_alloc_table, select(test_x, this_2)),
             (1)) = (10)))))) }
  (init:
  try
   begin
     (let _jessie_ =
     (K_7:
     (let _jessie_ =
     (let this =
     (JC_75: (((alloc_struct_Node (1)) Object_alloc_table) Object_tag_table)) in
     (let _tt = (let _jessie_ = this in (JC_76: (cons_Node _jessie_))) in
     this)) in
     begin
       (let _jessie_ = (K_6: ((safe_acc_ !test_x) this_2)) in
       (((safe_upd_ NodeM_NodeP) _jessie_) _jessie_)); _jessie_ end)) in
     void); (raise Return) end with Return -> void end)
  { (JC_63:
    ((JC_59:
     Non_null_Object(select(NodeM_NodeP, shift(select(test_x, this_2), (0))),
     Object_alloc_table))
    and (JC_62:
        ((JC_60:
         not_assigns(Object_alloc_table@, Node_val@, Node_val, pset_empty))
        and (JC_61:
            not_assigns(Object_alloc_table@, NodeM_NodeP@, NodeM_NodeP,
            pset_range(pset_deref(test_x@, pset_singleton(this_2)), (0), (0)))))))) }
  

let test_test_safety =
 fun (this_2 : Object pointer) ->
  { (valid_struct_test(this_2, (0), (0), Object_alloc_table)
    and (JC_57:
        ((JC_55: Non_null_NodeM(select(test_x, this_2), Object_alloc_table))
        and (JC_56:
            (add_int(offset_max(Object_alloc_table, select(test_x, this_2)),
             (1)) = (10)))))) }
  (init:
  try
   begin
     (let _jessie_ =
     (K_7:
     (let _jessie_ =
     (let this =
     (let _jessie_ =
     (JC_71:
     (((alloc_struct_Node_requires (1)) Object_alloc_table) Object_tag_table)) in
     (JC_72:
     (assert { ge_int(offset_max(Object_alloc_table, _jessie_), (0)) };
     _jessie_))) in
     (let _tt =
     (let _jessie_ = this in (JC_73: (cons_Node_requires _jessie_))) in
     this)) in
     begin
       (let _jessie_ = (K_6: ((safe_acc_ !test_x) this_2)) in
       (JC_74:
       (((((lsafe_lbound_upd_ !Object_alloc_table) NodeM_NodeP) _jessie_) (0)) _jessie_)));
      _jessie_ end)) in void); (raise Return) end with Return -> void end)
  { true } 


why-2.39/tests/java/oracle/Bug_sort_exns.err.oracle0000644000106100004300000000000013147234006021346 0ustar  marchevalswhy-2.39/tests/java/oracle/MullerTheory.res.oracle0000644000106100004300000015410613147234006021202 0ustar  marchevals========== file tests/java/MullerTheory.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* File Muller.java */

//@+ CheckArithOverflow = no
//@+ SeparationPolicy = Regions

//@ import tests.spec.NumOfPos;

/*@ lemma num_of_pos_strictly_increasing{L} :
  @   \forall integer i j k l, int t[];
  @       j < k && k <= l && t[k] > 0 ==> 
  @       num_of_pos(i,j,t) < num_of_pos(i,l,t);
  @*/

public class MullerTheory {

    /*@ requires t!=null;
      @*/
    public static int[] m(int t[]) {
	int count = 0;
	
	/*@ loop_invariant
	  @    0 <= i <= t.length && 
	  @    0 <= count <= i && 
	  @    count == num_of_pos(0,i-1,t) ; 
	  @ loop_variant t.length - i;
	  @*/
	for (int i=0 ; i < t.length; i++) if (t[i] > 0) count++;
	
	int u[] = new int[count];
	count = 0;
	
	/*@ loop_invariant
	  @    0 <= i <= t.length && 
	  @    0 <= count <= i && 
	  @    count == num_of_pos(0,i-1,t);
	  @ loop_variant t.length - i;
	  @*/
	for (int i=0 ; i < t.length; i++) {
	    if (t[i] > 0) u[count++] = t[i];
	}
	return u;
    }
}

/* End of file Muller.java */
========== krakatoa execution ==========
Parsing OK.
Parsing of spec file tests/spec/NumOfPos.spec was OK.
It contains theory 'NumOfPos'
Typing OK.
Generating JC function cons_MullerTheory for constructor MullerTheory
Generating JC function MullerTheory_m for method MullerTheory.m
Done.
========== file tests/java/MullerTheory.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = None

predicate Non_null_intM{Here}(intM[0..] x) =
(\offset_max(x) >= -1)

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag MullerTheory = Object with {
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

tag intM = Object with {
  integer intP;
}

boolean non_null_intM(! intM[0..] x)
behavior default:
  assigns \nothing;
  ensures (if \result then (\offset_max(x) >= -1) else (x == null));
;

integer java_array_length_intM(! intM[0..-1] x)
behavior default:
  assigns \nothing;
  ensures ((\result <= 2147483647) &&
            ((\result >= 0) && (\result == (\offset_max(x) + 1))));
;

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

axiomatic NumOfPos {

  logic integer num_of_pos{L}(integer i, integer j, intM[0..] t)
   
  axiom num_of_pos_false_case{L} :
  (\forall integer i_2;
    (\forall integer j_2;
      (\forall integer k_0;
        (\forall intM[0..] t_2;
          (((i_2 <= j_2) && (! ((t_2 + j_2).intP > 0))) ==>
            (num_of_pos{L}(i_2, j_2, t_2) ==
              num_of_pos{L}(i_2, (j_2 - 1), t_2)))))))
   
  axiom num_of_pos_true_case{L} :
  (\forall integer i_1;
    (\forall integer j_1;
      (\forall integer k;
        (\forall intM[0..] t_1;
          (((i_1 <= j_1) && ((t_1 + j_1).intP > 0)) ==>
            (num_of_pos{L}(i_1, j_1, t_1) ==
              (num_of_pos{L}(i_1, (j_1 - 1), t_1) + 1)))))))
   
  axiom num_of_pos_empty{L} :
  (\forall integer i_0;
    (\forall integer j_0;
      (\forall intM[0..] t_0;
        ((i_0 > j_0) ==> (num_of_pos{L}(i_0, j_0, t_0) == 0)))))
  
}

lemma num_of_pos_strictly_increasing{L} :
(\forall integer i_3;
  (\forall integer j_3;
    (\forall integer k_1;
      (\forall integer l;
        (\forall intM[0..] t_3;
          ((((j_3 < k_1) && (k_1 <= l)) && ((t_3 + k_1).intP > 0)) ==>
            (num_of_pos{L}(i_3, j_3, t_3) < num_of_pos{L}(i_3, l, t_3))))))))

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

unit cons_MullerTheory(! MullerTheory[0] this_0){()}

intM[0..] MullerTheory_m(intM[0..] t_4)
  requires (K_1 : Non_null_intM(t_4));
{  
   {  
      (var integer count = (K_39 : 0));
      
      {  
         {  
            {  
               (var integer i_4 = (K_2 : 0));
               
               loop 
               behavior default:
                 invariant (K_11 : ((K_10 : ((K_9 : ((K_8 : (0 <= i_4)) &&
                                                      (K_7 : (i_4 <=
                                                               (\offset_max(t_4) +
                                                                 1))))) &&
                                              (K_6 : ((K_5 : (0 <= count)) &&
                                                       (K_4 : (count <= i_4)))))) &&
                                     (K_3 : (count ==
                                              num_of_pos{Here}(0, (i_4 - 1),
                                                               t_4)))));
               
               variant (K_12 : ((\offset_max(t_4) + 1) - i_4));
               for ( ; (K_18 : (i_4 < (K_17 : java_array_length_intM(t_4)))) ; 
               (K_16 : (i_4 ++)))
               {  (if (K_15 : ((K_14 : (t_4 + i_4).intP) > 0)) then (K_13 : 
                                                                    (count ++)) else ())
               }
            }
         };
         
         {  
            (var intM[0..] u = (K_38 : (new intM[count])));
            
            {  (count = 0);
               
               {  
                  {  
                     (var integer i_5 = (K_19 : 0));
                     
                     loop 
                     behavior default:
                       invariant (K_28 : ((K_27 : ((K_26 : ((K_25 : (0 <=
                                                                    i_5)) &&
                                                             (K_24 : 
                                                             (i_5 <=
                                                               (\offset_max(t_4) +
                                                                 1))))) &&
                                                    (K_23 : ((K_22 : 
                                                             (0 <=
                                                               count)) &&
                                                              (K_21 : 
                                                              (count <=
                                                                i_5)))))) &&
                                           (K_20 : (count ==
                                                     num_of_pos{Here}(
                                                     0, (i_5 - 1), t_4)))));
                     
                     variant (K_29 : ((\offset_max(t_4) + 1) - i_5));
                     for ( ; (K_37 : (i_5 <
                                       (K_36 : java_array_length_intM(t_4)))) ; 
                     (K_35 : (i_5 ++)))
                     {  (if (K_34 : ((K_33 : (t_4 + i_5).intP) > 0)) then 
                        (K_32 : ((u + (K_30 : (count ++))).intP = (K_31 : 
                                                                  (t_4 +
                                                                    i_5).intP))) else ())
                     }
                  }
               };
               
               (return u)
            }
         }
      }
   }
}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/MullerTheory.jloc tests/java/MullerTheory.jc && make -f tests/java/MullerTheory.makefile gui"
End:
*/
========== file tests/java/MullerTheory.jloc ==========
[K_30]
file = "HOME/tests/java/MullerTheory.java"
line = 70
begin = 21
end = 28

[K_23]
file = "HOME/tests/java/MullerTheory.java"
line = 65
begin = 8
end = 23

[K_33]
file = "HOME/tests/java/MullerTheory.java"
line = 70
begin = 9
end = 13

[K_17]
file = "HOME/tests/java/MullerTheory.java"
line = 58
begin = 20
end = 28

[K_11]
file = "HOME/tests/java/MullerTheory.java"
line = 53
begin = 8
end = 95

[K_38]
file = "HOME/tests/java/MullerTheory.java"
line = 60
begin = 11
end = 25

[K_25]
file = "HOME/tests/java/MullerTheory.java"
line = 64
begin = 8
end = 14

[K_13]
file = "HOME/tests/java/MullerTheory.java"
line = 58
begin = 49
end = 56

[K_9]
file = "HOME/tests/java/MullerTheory.java"
line = 53
begin = 8
end = 26

[K_28]
file = "HOME/tests/java/MullerTheory.java"
line = 64
begin = 8
end = 95

[K_1]
file = "HOME/tests/java/MullerTheory.java"
line = 47
begin = 17
end = 24

[K_15]
file = "HOME/tests/java/MullerTheory.java"
line = 58
begin = 39
end = 47

[K_4]
file = "HOME/tests/java/MullerTheory.java"
line = 54
begin = 13
end = 23

[K_12]
file = "HOME/tests/java/MullerTheory.java"
line = 56
begin = 18
end = 30

[K_34]
file = "HOME/tests/java/MullerTheory.java"
line = 70
begin = 9
end = 17

[K_20]
file = "HOME/tests/java/MullerTheory.java"
line = 66
begin = 8
end = 36

[MullerTheory_m]
name = "Method m"
file = "HOME/tests/java/MullerTheory.java"
line = 49
begin = 24
end = 25

[cons_MullerTheory]
name = "Constructor of class MullerTheory"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_2]
file = "HOME/tests/java/MullerTheory.java"
line = 58
begin = 12
end = 13

[K_29]
file = "HOME/tests/java/MullerTheory.java"
line = 67
begin = 18
end = 30

[num_of_pos_false_case]
name = "Lemma num_of_pos_false_case"
file = "HOME/"
line = 0
begin = 0
end = 0

[K_10]
file = "HOME/tests/java/MullerTheory.java"
line = 53
begin = 8
end = 54

[K_35]
file = "HOME/tests/java/MullerTheory.java"
line = 69
begin = 30
end = 33

[K_6]
file = "HOME/tests/java/MullerTheory.java"
line = 54
begin = 8
end = 23

[K_8]
file = "HOME/tests/java/MullerTheory.java"
line = 53
begin = 8
end = 14

[K_3]
file = "HOME/tests/java/MullerTheory.java"
line = 55
begin = 8
end = 36

[num_of_pos_true_case]
name = "Lemma num_of_pos_true_case"
file = "HOME/"
line = 0
begin = 0
end = 0

[K_31]
file = "HOME/tests/java/MullerTheory.java"
line = 70
begin = 32
end = 36

[K_32]
file = "HOME/tests/java/MullerTheory.java"
line = 70
begin = 19
end = 36

[K_27]
file = "HOME/tests/java/MullerTheory.java"
line = 64
begin = 8
end = 54

[K_21]
file = "HOME/tests/java/MullerTheory.java"
line = 65
begin = 13
end = 23

[num_of_pos_strictly_increasing]
name = "Lemma num_of_pos_strictly_increasing"
file = "HOME/tests/java/MullerTheory.java"
line = 39
begin = 10
end = 40

[K_24]
file = "HOME/tests/java/MullerTheory.java"
line = 64
begin = 13
end = 26

[K_14]
file = "HOME/tests/java/MullerTheory.java"
line = 58
begin = 39
end = 43

[K_39]
file = "HOME/tests/java/MullerTheory.java"
line = 50
begin = 13
end = 14

[K_36]
file = "HOME/tests/java/MullerTheory.java"
line = 69
begin = 20
end = 28

[K_37]
file = "HOME/tests/java/MullerTheory.java"
line = 69
begin = 16
end = 28

[num_of_pos_empty]
name = "Lemma num_of_pos_empty"
file = "HOME/"
line = 0
begin = 0
end = 0

[K_19]
file = "HOME/tests/java/MullerTheory.java"
line = 69
begin = 12
end = 13

[K_5]
file = "HOME/tests/java/MullerTheory.java"
line = 54
begin = 8
end = 18

[K_18]
file = "HOME/tests/java/MullerTheory.java"
line = 58
begin = 16
end = 28

[K_7]
file = "HOME/tests/java/MullerTheory.java"
line = 53
begin = 13
end = 26

[K_26]
file = "HOME/tests/java/MullerTheory.java"
line = 64
begin = 8
end = 26

[K_22]
file = "HOME/tests/java/MullerTheory.java"
line = 65
begin = 8
end = 18

[K_16]
file = "HOME/tests/java/MullerTheory.java"
line = 58
begin = 30
end = 33

========== jessie execution ==========
Generating Why function cons_MullerTheory
Generating Why function MullerTheory_m
========== file tests/java/MullerTheory.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/MullerTheory_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: MullerTheory.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: MullerTheory.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: MullerTheory.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/java/MullerTheory.loc ==========
[JC_94]
kind = AllocSize
file = "HOME/tests/java/MullerTheory.java"
line = 60
begin = 11
end = 25

[JC_73]
file = "HOME/tests/java/MullerTheory.java"
line = 66
begin = 8
end = 36

[JC_63]
file = "HOME/tests/java/MullerTheory.jc"
line = 116
begin = 15
end = 1099

[cons_MullerTheory_ensures_default]
name = "Constructor of class MullerTheory"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_80]
kind = PointerDeref
file = "HOME/tests/java/MullerTheory.java"
line = 70
begin = 9
end = 13

[JC_51]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_71]
file = "HOME/tests/java/MullerTheory.java"
line = 65
begin = 8
end = 18

[JC_45]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_64]
kind = UserCall
file = "HOME/tests/java/MullerTheory.java"
line = 58
begin = 20
end = 28

[JC_99]
file = "HOME/tests/java/MullerTheory.java"
line = 66
begin = 8
end = 36

[JC_85]
file = "HOME/tests/java/MullerTheory.java"
line = 53
begin = 13
end = 26

[JC_31]
file = "HOME/tests/java/MullerTheory.jc"
line = 55
begin = 8
end = 23

[JC_17]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_MullerTheory_safety]
name = "Constructor of class MullerTheory"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_81]
kind = PointerDeref
file = "HOME/tests/java/MullerTheory.java"
line = 70
begin = 32
end = 36

[JC_55]
file = "HOME/tests/java/MullerTheory.java"
line = 53
begin = 8
end = 14

[JC_48]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_23]
file = "HOME/tests/java/MullerTheory.jc"
line = 51
begin = 11
end = 103

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_67]
file = "HOME/tests/java/MullerTheory.java"
line = 56
begin = 18
end = 30

[JC_9]
file = "HOME/tests/java/MullerTheory.jc"
line = 42
begin = 8
end = 21

[JC_75]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_24]
file = "HOME/tests/java/MullerTheory.jc"
line = 50
begin = 10
end = 18

[JC_25]
file = "HOME/tests/java/MullerTheory.jc"
line = 51
begin = 11
end = 103

[JC_78]
kind = UserCall
file = "HOME/tests/java/MullerTheory.java"
line = 69
begin = 20
end = 28

[JC_41]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_74]
file = "HOME/tests/java/MullerTheory.java"
line = 64
begin = 8
end = 95

[JC_47]
file = "HOME/tests/java/MullerTheory.java"
line = 47
begin = 17
end = 24

[JC_52]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_26]
file = "HOME/tests/java/MullerTheory.jc"
line = 50
begin = 10
end = 18

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_79]
kind = IndexBounds
file = "HOME/tests/java/MullerTheory.java"
line = 69
begin = 20
end = 28

[JC_13]
file = "HOME/tests/java/MullerTheory.jc"
line = 45
begin = 11
end = 66

[JC_82]
kind = PointerDeref
file = "HOME/tests/java/MullerTheory.java"
line = 70
begin = 19
end = 36

[JC_87]
file = "HOME/tests/java/MullerTheory.java"
line = 54
begin = 13
end = 23

[JC_11]
file = "HOME/tests/java/MullerTheory.jc"
line = 42
begin = 8
end = 21

[JC_98]
file = "HOME/tests/java/MullerTheory.java"
line = 65
begin = 13
end = 23

[JC_70]
file = "HOME/tests/java/MullerTheory.java"
line = 64
begin = 13
end = 26

[JC_15]
file = "HOME/tests/java/MullerTheory.jc"
line = 45
begin = 11
end = 66

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_104]
kind = UserCall
file = "HOME/tests/java/MullerTheory.java"
line = 69
begin = 20
end = 28

[JC_91]
file = "HOME/tests/java/MullerTheory.jc"
line = 116
begin = 15
end = 1099

[JC_39]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_83]
file = "HOME/tests/java/MullerTheory.java"
line = 67
begin = 18
end = 30

[JC_35]
file = "HOME/"
line = 0
begin = -1
end = -1

[num_of_pos_false_case]
name = "Lemma num_of_pos_false_case"
behavior = "axiom"
file = "HOME/"
line = 0
begin = 0
end = 0

[JC_27]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_69]
file = "HOME/tests/java/MullerTheory.java"
line = 64
begin = 8
end = 14

[JC_38]
file = "HOME/tests/java/MullerTheory.jc"
line = 57
begin = 11
end = 65

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_44]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[num_of_pos_true_case]
name = "Lemma num_of_pos_true_case"
behavior = "axiom"
file = "HOME/"
line = 0
begin = 0
end = 0

[JC_62]
file = "HOME/tests/java/MullerTheory.jc"
line = 116
begin = 15
end = 1099

[JC_101]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_88]
file = "HOME/tests/java/MullerTheory.java"
line = 55
begin = 8
end = 36

[JC_42]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_103]
file = "HOME/tests/java/MullerTheory.jc"
line = 146
begin = 21
end = 1746

[JC_46]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_61]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_56]
file = "HOME/tests/java/MullerTheory.java"
line = 53
begin = 13
end = 26

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_65]
kind = IndexBounds
file = "HOME/tests/java/MullerTheory.java"
line = 58
begin = 20
end = 28

[num_of_pos_strictly_increasing]
name = "Lemma num_of_pos_strictly_increasing"
behavior = "lemma"
file = "HOME/tests/java/MullerTheory.java"
line = 39
begin = 10
end = 40

[JC_29]
file = "HOME/tests/java/MullerTheory.jc"
line = 55
begin = 8
end = 23

[JC_68]
kind = AllocSize
file = "HOME/tests/java/MullerTheory.java"
line = 60
begin = 11
end = 25

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/tests/java/MullerTheory.jc"
line = 44
begin = 10
end = 18

[JC_96]
file = "HOME/tests/java/MullerTheory.java"
line = 64
begin = 13
end = 26

[JC_43]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_95]
file = "HOME/tests/java/MullerTheory.java"
line = 64
begin = 8
end = 14

[JC_93]
kind = UserCall
file = "HOME/tests/java/MullerTheory.java"
line = 58
begin = 20
end = 28

[JC_97]
file = "HOME/tests/java/MullerTheory.java"
line = 65
begin = 8
end = 18

[JC_84]
file = "HOME/tests/java/MullerTheory.java"
line = 53
begin = 8
end = 14

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/tests/java/MullerTheory.jc"
line = 44
begin = 10
end = 18

[JC_90]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_53]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_21]
file = "HOME/tests/java/MullerTheory.jc"
line = 48
begin = 8
end = 30

[JC_77]
file = "HOME/tests/java/MullerTheory.jc"
line = 146
begin = 21
end = 1746

[JC_49]
file = "HOME/tests/java/MullerTheory.java"
line = 47
begin = 17
end = 24

[JC_1]
file = "HOME/tests/java/MullerTheory.jc"
line = 13
begin = 12
end = 22

[num_of_pos_empty]
name = "Lemma num_of_pos_empty"
behavior = "axiom"
file = "HOME/"
line = 0
begin = 0
end = 0

[JC_102]
file = "HOME/tests/java/MullerTheory.jc"
line = 146
begin = 21
end = 1746

[JC_37]
file = "HOME/tests/java/MullerTheory.jc"
line = 57
begin = 11
end = 65

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_57]
file = "HOME/tests/java/MullerTheory.java"
line = 54
begin = 8
end = 18

[JC_89]
file = "HOME/tests/java/MullerTheory.java"
line = 53
begin = 8
end = 95

[JC_66]
kind = PointerDeref
file = "HOME/tests/java/MullerTheory.java"
line = 58
begin = 39
end = 43

[JC_59]
file = "HOME/tests/java/MullerTheory.java"
line = 55
begin = 8
end = 36

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[MullerTheory_m_safety]
name = "Method m"
behavior = "Safety"
file = "HOME/tests/java/MullerTheory.java"
line = 49
begin = 24
end = 25

[JC_18]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_3]
file = "HOME/tests/java/MullerTheory.jc"
line = 13
begin = 12
end = 22

[JC_92]
file = "HOME/tests/java/MullerTheory.jc"
line = 116
begin = 15
end = 1099

[JC_86]
file = "HOME/tests/java/MullerTheory.java"
line = 54
begin = 8
end = 18

[JC_60]
file = "HOME/tests/java/MullerTheory.java"
line = 53
begin = 8
end = 95

[JC_72]
file = "HOME/tests/java/MullerTheory.java"
line = 65
begin = 13
end = 23

[JC_19]
file = "HOME/tests/java/MullerTheory.jc"
line = 48
begin = 8
end = 30

[JC_76]
file = "HOME/tests/java/MullerTheory.jc"
line = 146
begin = 21
end = 1746

[JC_50]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[MullerTheory_m_ensures_default]
name = "Method m"
behavior = "default behavior"
file = "HOME/tests/java/MullerTheory.java"
line = 49
begin = 24
end = 25

[JC_58]
file = "HOME/tests/java/MullerTheory.java"
line = 54
begin = 13
end = 23

[JC_100]
file = "HOME/tests/java/MullerTheory.java"
line = 64
begin = 8
end = 95

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/java/why/MullerTheory.why ==========
type Object

type interface

logic Exception_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

logic MullerTheory_tag:  -> Object tag_id

axiom MullerTheory_parenttag_Object : parenttag(MullerTheory_tag, Object_tag)

predicate Non_null_Object(x_1:Object pointer,
 Object_x_2_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_x_2_alloc_table, x_1), (0))

predicate Non_null_intM(x_0:Object pointer,
 Object_x_1_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_x_1_alloc_table, x_0), neg_int((1)))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic intM_tag:  -> Object tag_id

axiom intM_parenttag_Object : parenttag(intM_tag, Object_tag)

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_MullerTheory(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_intM(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

logic num_of_pos: int, int, Object pointer, (Object, int) memory -> int

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_MullerTheory(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_intM(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_MullerTheory(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_intM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_MullerTheory(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_intM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

axiom num_of_pos_false_case :
 (forall intM_intP_t_8_at_L:(Object, int) memory.
  (forall i_2:int.
   (forall j_2:int.
    (forall k_0:int.
     (forall t_2:Object pointer.
      ((le_int(i_2, j_2)
       and (not gt_int(select(intM_intP_t_8_at_L, shift(t_2, j_2)), (0)))) ->
       (num_of_pos(i_2, j_2, t_2, intM_intP_t_8_at_L) = num_of_pos(i_2,
                                                        sub_int(j_2, (1)),
                                                        t_2,
                                                        intM_intP_t_8_at_L))))))))

axiom num_of_pos_true_case :
 (forall intM_intP_t_8_at_L:(Object, int) memory.
  (forall i_1:int.
   (forall j_1:int.
    (forall k:int.
     (forall t_1:Object pointer.
      ((le_int(i_1, j_1)
       and gt_int(select(intM_intP_t_8_at_L, shift(t_1, j_1)), (0))) ->
       (num_of_pos(i_1, j_1, t_1, intM_intP_t_8_at_L) = add_int(num_of_pos(i_1,
                                                                sub_int(j_1,
                                                                (1)), t_1,
                                                                intM_intP_t_8_at_L),
                                                        (1)))))))))

axiom num_of_pos_empty :
 (forall intM_intP_t_8_at_L:(Object, int) memory.
  (forall i_0:int.
   (forall j_0:int.
    (forall t_0:Object pointer.
     (gt_int(i_0, j_0) ->
      (num_of_pos(i_0, j_0, t_0, intM_intP_t_8_at_L) = (0)))))))

lemma num_of_pos_strictly_increasing :
 (forall intM_intP_t_3_18_at_L:(Object, int) memory.
  (forall i_3:int.
   (forall j_3:int.
    (forall k_1:int.
     (forall l:int.
      (forall t_3:Object pointer.
       ((lt_int(j_3, k_1)
        and (le_int(k_1, l)
            and gt_int(select(intM_intP_t_3_18_at_L, shift(t_3, k_1)), (0)))) ->
        lt_int(num_of_pos(i_3, j_3, t_3, intM_intP_t_3_18_at_L),
        num_of_pos(i_3, l, t_3, intM_intP_t_3_18_at_L)))))))))

exception Exception_exc of Object pointer

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter MullerTheory_m :
 t_4:Object pointer ->
  Object_MullerTheory_m_12_alloc_table:Object alloc_table ref ->
   Object_MullerTheory_m_12_tag_table:Object tag_table ref ->
    intM_intP_MullerTheory_m_12:(Object, int) memory ref ->
     Object_t_4_10_alloc_table:Object alloc_table ->
      intM_intP_t_4_10:(Object, int) memory ->
       { } Object pointer reads Object_MullerTheory_m_12_alloc_table
       writes Object_MullerTheory_m_12_alloc_table,Object_MullerTheory_m_12_tag_table,intM_intP_MullerTheory_m_12
       { true }

parameter MullerTheory_m_requires :
 t_4:Object pointer ->
  Object_MullerTheory_m_12_alloc_table:Object alloc_table ref ->
   Object_MullerTheory_m_12_tag_table:Object tag_table ref ->
    intM_intP_MullerTheory_m_12:(Object, int) memory ref ->
     Object_t_4_10_alloc_table:Object alloc_table ->
      intM_intP_t_4_10:(Object, int) memory ->
       { (JC_47: Non_null_intM(t_4, Object_t_4_10_alloc_table))}
       Object pointer reads Object_MullerTheory_m_12_alloc_table
       writes Object_MullerTheory_m_12_alloc_table,Object_MullerTheory_m_12_tag_table,intM_intP_MullerTheory_m_12
       { true }

parameter Object_alloc_table : Object alloc_table ref

parameter Object_tag_table : Object tag_table ref

exception Return_label_exc of unit

exception Throwable_exc of Object pointer

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_MullerTheory :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_MullerTheory(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, MullerTheory_tag)))) }

parameter alloc_struct_MullerTheory_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_MullerTheory(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, MullerTheory_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_intM :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_intM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, intM_tag)))) }

parameter alloc_struct_intM_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_intM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, intM_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter cons_MullerTheory :
 this_0:Object pointer ->
  Object_this_0_9_alloc_table:Object alloc_table -> { } unit { true }

parameter cons_MullerTheory_requires :
 this_0:Object pointer ->
  Object_this_0_9_alloc_table:Object alloc_table -> { } unit { true }

parameter java_array_length_intM :
 x_3:Object pointer ->
  Object_x_6_alloc_table:Object alloc_table ->
   { } int
   { (JC_25:
     (le_int(result, (2147483647))
     and (ge_int(result, (0))
         and (result = add_int(offset_max(Object_x_6_alloc_table, x_3), (1)))))) }

parameter java_array_length_intM_requires :
 x_3:Object pointer ->
  Object_x_6_alloc_table:Object alloc_table ->
   { } int
   { (JC_25:
     (le_int(result, (2147483647))
     and (ge_int(result, (0))
         and (result = add_int(offset_max(Object_x_6_alloc_table, x_3), (1)))))) }

parameter non_null_Object :
 x_4:Object pointer ->
  Object_x_7_alloc_table:Object alloc_table ->
   { } bool
   { (JC_38:
     (if result then (offset_max(Object_x_7_alloc_table, x_4) = (0))
      else (x_4 = null))) }

parameter non_null_Object_requires :
 x_4:Object pointer ->
  Object_x_7_alloc_table:Object alloc_table ->
   { } bool
   { (JC_38:
     (if result then (offset_max(Object_x_7_alloc_table, x_4) = (0))
      else (x_4 = null))) }

parameter non_null_intM :
 x_2:Object pointer ->
  Object_x_5_alloc_table:Object alloc_table ->
   { } bool
   { (JC_15:
     (if result
      then ge_int(offset_max(Object_x_5_alloc_table, x_2), neg_int((1)))
      else (x_2 = null))) }

parameter non_null_intM_requires :
 x_2:Object pointer ->
  Object_x_5_alloc_table:Object alloc_table ->
   { } bool
   { (JC_15:
     (if result
      then ge_int(offset_max(Object_x_5_alloc_table, x_2), neg_int((1)))
      else (x_2 = null))) }

let MullerTheory_m_ensures_default =
 fun (t_4 : Object pointer) (Object_MullerTheory_m_12_alloc_table : Object alloc_table ref) (Object_MullerTheory_m_12_tag_table : Object tag_table ref) (intM_intP_MullerTheory_m_12 : (Object, int) memory ref) (Object_t_4_10_alloc_table : Object alloc_table) (intM_intP_t_4_10 : (Object, int) memory) ->
  { (left_valid_struct_intM(t_4, (0), Object_t_4_10_alloc_table)
    and (JC_49: Non_null_intM(t_4, Object_t_4_10_alloc_table))) }
  (init:
  (let return = ref (any_pointer void) in
  try
   begin
     (let count = ref (K_39: (0)) in
     begin
       (let i_4 = ref (K_2: (0)) in
       try
        (loop_3:
        while true do
        { invariant
            (JC_89:
            ((JC_84: le_int((0), i_4))
            and ((JC_85:
                 le_int(i_4,
                 add_int(offset_max(Object_t_4_10_alloc_table, t_4), (1))))
                and ((JC_86: le_int((0), count))
                    and ((JC_87: le_int(count, i_4))
                        and (JC_88:
                            (count = num_of_pos((0), sub_int(i_4, (1)), t_4,
                                     intM_intP_t_4_10))))))))  }
         begin
           [ { } unit { true } ];
          try
           begin
             (if (K_18:
                 ((lt_int_ !i_4) (K_17:
                                 (let _jessie_ = t_4 in
                                 (JC_93:
                                 ((java_array_length_intM _jessie_) Object_t_4_10_alloc_table))))))
             then
              (if (K_15:
                  ((gt_int_ (K_14:
                            ((safe_acc_ intM_intP_t_4_10) ((shift t_4) !i_4)))) (0)))
              then
               (let _jessie_ =
               (K_13:
               (let _jessie_ = !count in
               begin
                 (let _jessie_ = (count := ((add_int _jessie_) (1))) in
                 void); _jessie_ end)) in void) else void)
             else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ ->
           (let _jessie_ =
           (K_16:
           (let _jessie_ = !i_4 in
           begin
             (let _jessie_ = (i_4 := ((add_int _jessie_) (1))) in void);
            _jessie_ end)) in void) end end done) with
        Loop_exit_exc _jessie_ -> void end);
      (let u =
      (K_38:
      (JC_94:
      (((alloc_struct_intM !count) Object_MullerTheory_m_12_alloc_table) Object_MullerTheory_m_12_tag_table))) in
      begin
        (let _jessie_ = (count := (0)) in void);
       (let i_5 = ref (K_19: (0)) in
       try
        (loop_4:
        while true do
        { invariant
            (JC_100:
            ((JC_95: le_int((0), i_5))
            and ((JC_96:
                 le_int(i_5,
                 add_int(offset_max(Object_t_4_10_alloc_table, t_4), (1))))
                and ((JC_97: le_int((0), count))
                    and ((JC_98: le_int(count, i_5))
                        and (JC_99:
                            (count = num_of_pos((0), sub_int(i_5, (1)), t_4,
                                     intM_intP_t_4_10))))))))  }
         begin
           [ { } unit { true } ];
          try
           begin
             (if (K_37:
                 ((lt_int_ !i_5) (K_36:
                                 (let _jessie_ = t_4 in
                                 (JC_104:
                                 ((java_array_length_intM _jessie_) Object_t_4_10_alloc_table))))))
             then
              (if (K_34:
                  ((gt_int_ (K_33:
                            ((safe_acc_ intM_intP_t_4_10) ((shift t_4) !i_5)))) (0)))
              then
               (let _jessie_ =
               (K_32:
               (let _jessie_ =
               (K_31: ((safe_acc_ intM_intP_t_4_10) ((shift t_4) !i_5))) in
               (let _jessie_ = u in
               (let _jessie_ =
               (K_30:
               (let _jessie_ = !count in
               begin
                 (let _jessie_ = (count := ((add_int _jessie_) (1))) in
                 void); _jessie_ end)) in
               (let _jessie_ = ((shift _jessie_) _jessie_) in
               (((safe_upd_ intM_intP_MullerTheory_m_12) _jessie_) _jessie_)))))) in
               void) else void) else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ ->
           (let _jessie_ =
           (K_35:
           (let _jessie_ = !i_5 in
           begin
             (let _jessie_ = (i_5 := ((add_int _jessie_) (1))) in void);
            _jessie_ end)) in void) end end done) with
        Loop_exit_exc _jessie_ -> void end); (return := u); (raise Return)
      end) end); absurd  end with Return -> !return end)) { (JC_51: true) } 

let MullerTheory_m_safety =
 fun (t_4 : Object pointer) (Object_MullerTheory_m_12_alloc_table : Object alloc_table ref) (Object_MullerTheory_m_12_tag_table : Object tag_table ref) (intM_intP_MullerTheory_m_12 : (Object, int) memory ref) (Object_t_4_10_alloc_table : Object alloc_table) (intM_intP_t_4_10 : (Object, int) memory) ->
  { (left_valid_struct_intM(t_4, (0), Object_t_4_10_alloc_table)
    and (JC_49: Non_null_intM(t_4, Object_t_4_10_alloc_table))) }
  (init:
  (let return = ref (any_pointer void) in
  try
   begin
     (let count = ref (K_39: (0)) in
     begin
       (let i_4 = ref (K_2: (0)) in
       try
        (loop_1:
        while true do
        { invariant (JC_62: true)
          variant (JC_67 : sub_int(add_int(offset_max(Object_t_4_10_alloc_table,
                                           t_4),
                                   (1)),
                           i_4)) }
         begin
           [ { } unit reads count,i_4
             { (JC_60:
               ((JC_55: le_int((0), i_4))
               and ((JC_56:
                    le_int(i_4,
                    add_int(offset_max(Object_t_4_10_alloc_table, t_4), (1))))
                   and ((JC_57: le_int((0), count))
                       and ((JC_58: le_int(count, i_4))
                           and (JC_59:
                               (count = num_of_pos((0), sub_int(i_4, (1)),
                                        t_4, intM_intP_t_4_10)))))))) } ];
          try
           begin
             (if (K_18:
                 ((lt_int_ !i_4) (K_17:
                                 (let _jessie_ = t_4 in
                                 (JC_65:
                                 (assert
                                 { ge_int(offset_max(Object_t_4_10_alloc_table,
                                          _jessie_),
                                   (-1)) };
                                 (JC_64:
                                 ((java_array_length_intM_requires _jessie_) Object_t_4_10_alloc_table))))))))
             then
              (if (K_15:
                  ((gt_int_ (K_14:
                            (JC_66:
                            ((((offset_acc_ Object_t_4_10_alloc_table) intM_intP_t_4_10) t_4) !i_4)))) (0)))
              then
               (let _jessie_ =
               (K_13:
               (let _jessie_ = !count in
               begin
                 (let _jessie_ = (count := ((add_int _jessie_) (1))) in
                 void); _jessie_ end)) in void) else void)
             else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ ->
           (let _jessie_ =
           (K_16:
           (let _jessie_ = !i_4 in
           begin
             (let _jessie_ = (i_4 := ((add_int _jessie_) (1))) in void);
            _jessie_ end)) in void) end end done) with
        Loop_exit_exc _jessie_ -> void end);
      (let u =
      (K_38:
      (JC_68:
      (((alloc_struct_intM_requires !count) Object_MullerTheory_m_12_alloc_table) Object_MullerTheory_m_12_tag_table))) in
      begin
        (let _jessie_ = (count := (0)) in void);
       (let i_5 = ref (K_19: (0)) in
       try
        (loop_2:
        while true do
        { invariant (JC_76: true)
          variant (JC_83 : sub_int(add_int(offset_max(Object_t_4_10_alloc_table,
                                           t_4),
                                   (1)),
                           i_5)) }
         begin
           [ { } unit reads count,i_5
             { (JC_74:
               ((JC_69: le_int((0), i_5))
               and ((JC_70:
                    le_int(i_5,
                    add_int(offset_max(Object_t_4_10_alloc_table, t_4), (1))))
                   and ((JC_71: le_int((0), count))
                       and ((JC_72: le_int(count, i_5))
                           and (JC_73:
                               (count = num_of_pos((0), sub_int(i_5, (1)),
                                        t_4, intM_intP_t_4_10)))))))) } ];
          try
           begin
             (if (K_37:
                 ((lt_int_ !i_5) (K_36:
                                 (let _jessie_ = t_4 in
                                 (JC_79:
                                 (assert
                                 { ge_int(offset_max(Object_t_4_10_alloc_table,
                                          _jessie_),
                                   (-1)) };
                                 (JC_78:
                                 ((java_array_length_intM_requires _jessie_) Object_t_4_10_alloc_table))))))))
             then
              (if (K_34:
                  ((gt_int_ (K_33:
                            (JC_80:
                            ((((offset_acc_ Object_t_4_10_alloc_table) intM_intP_t_4_10) t_4) !i_5)))) (0)))
              then
               (let _jessie_ =
               (K_32:
               (let _jessie_ =
               (K_31:
               (JC_81:
               ((((offset_acc_ Object_t_4_10_alloc_table) intM_intP_t_4_10) t_4) !i_5))) in
               (let _jessie_ = u in
               (let _jessie_ =
               (K_30:
               (let _jessie_ = !count in
               begin
                 (let _jessie_ = (count := ((add_int _jessie_) (1))) in
                 void); _jessie_ end)) in
               (let _jessie_ = ((shift _jessie_) _jessie_) in
               (JC_82:
               (((((offset_upd_ !Object_MullerTheory_m_12_alloc_table) intM_intP_MullerTheory_m_12) _jessie_) _jessie_) _jessie_))))))) in
               void) else void) else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ ->
           (let _jessie_ =
           (K_35:
           (let _jessie_ = !i_5 in
           begin
             (let _jessie_ = (i_5 := ((add_int _jessie_) (1))) in void);
            _jessie_ end)) in void) end end done) with
        Loop_exit_exc _jessie_ -> void end); (return := u); (raise Return)
      end) end); absurd  end with Return -> !return end)) { true } 

let cons_MullerTheory_ensures_default =
 fun (this_0 : Object pointer) (Object_this_0_9_alloc_table : Object alloc_table) ->
  { valid_struct_MullerTheory(this_0, (0), (0), Object_this_0_9_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_43: true) } 

let cons_MullerTheory_safety =
 fun (this_0 : Object pointer) (Object_this_0_9_alloc_table : Object alloc_table) ->
  { valid_struct_MullerTheory(this_0, (0), (0), Object_this_0_9_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 


why-2.39/tests/java/oracle/Switch.res.oracle0000644000106100004300000011427313147234006020011 0ustar  marchevals========== file tests/java/Switch.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

public class Switch {

    /*@ behavior normal:
      @   assigns \nothing;
      @   ensures (n==0 || n==1) <==> \result == 0;
      @*/
    public static int test1 (int n) {
	int r;
	switch(n) {
	case 0:
	case 1:
	    r = 0;
	    break;
	default:
	    r = 2;
	}
	return r;
    }

    /*@ behavior normal:
      @   assigns \nothing;
      @   ensures ((n==4 || n==7) <==> \result == 1) &&
      @            ((n==0 || n==1) <==> \result == 0);
      @*/
    public static int test2 (int n) {
	int r;
	switch(n) {
	case 0:
	case 1:
	    r = 0;
	    break;
	case 4:
	case 7:
	    r = 1;
	    break;
	case 12:
	default:
	case 26:
	    r = 2;
	}
	return r;
    }

}

/*
Local Variables:
compile-command: "make Switch.why3ide"
End:
*/

========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function Switch_test2 for method Switch.test2
Generating JC function cons_Switch for constructor Switch
Generating JC function Switch_test1 for method Switch.test1
Done.
========== file tests/java/Switch.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

type byte = -128..127

type short = -32768..32767

type int32 = -2147483648..2147483647

type long = -9223372036854775808..9223372036854775807

type char = 0..65535

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag Switch = Object with {
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

int32 Switch_test2(int32 n_0)
behavior normal:
  assigns \nothing;
  ensures (K_3 : ((K_2 : (((n_0 == 4) || (n_0 == 7)) <==> (\result == 1))) &&
                   (K_1 : (((n_0 == 0) || (n_0 == 1)) <==> (\result == 0)))));
{  
   {  
      (var int32 r);
      
      {  
         switch (n_0) {
           case 0:
           case 1:
           {  (r = 0);
              
              (break )
           }
           case 4:
           case 7:
           {  (r = 1);
              
              (break )
           }
           case 12:
           default:
           case 26:
           {  (r = 2)
           }
         };
         
         (return r)
      }
   }
}

unit cons_Switch(! Switch[0] this_0){()}

int32 Switch_test1(int32 n)
behavior normal:
  assigns \nothing;
  ensures (K_4 : (((n == 0) || (n == 1)) <==> (\result == 0)));
{  
   {  
      (var int32 r_0);
      
      {  
         switch (n) {
           case 0:
           case 1:
           {  (r_0 = 0);
              
              (break )
           }
           default:
           {  (r_0 = 2)
           }
         };
         
         (return r_0)
      }
   }
}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/Switch.jloc tests/java/Switch.jc && make -f tests/java/Switch.makefile gui"
End:
*/
========== file tests/java/Switch.jloc ==========
[Switch_test1]
name = "Method test1"
file = "HOME/tests/java/Switch.java"
line = 38
begin = 22
end = 27

[K_1]
file = "HOME/tests/java/Switch.java"
line = 54
begin = 20
end = 52

[cons_Switch]
name = "Constructor of class Switch"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_4]
file = "HOME/tests/java/Switch.java"
line = 36
begin = 18
end = 50

[K_2]
file = "HOME/tests/java/Switch.java"
line = 53
begin = 19
end = 51

[K_3]
file = "HOME/tests/java/Switch.java"
line = 53
begin = 18
end = 109

[Switch_test2]
name = "Method test2"
file = "HOME/tests/java/Switch.java"
line = 56
begin = 22
end = 27

========== jessie execution ==========
Generating Why function Switch_test2
Generating Why function cons_Switch
Generating Why function Switch_test1
========== file tests/java/Switch.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/Switch_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: Switch.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: Switch.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: Switch.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/java/Switch.loc ==========
[JC_51]
file = "HOME/tests/java/Switch.java"
line = 36
begin = 18
end = 50

[JC_45]
file = "HOME/tests/java/Switch.java"
line = 38
begin = 22
end = 27

[Switch_test1_ensures_normal]
name = "Method test1"
behavior = "Behavior `normal'"
file = "HOME/tests/java/Switch.java"
line = 38
begin = 22
end = 27

[JC_31]
file = "HOME/tests/java/Switch.java"
line = 53
begin = 19
end = 51

[JC_17]
file = "HOME/tests/java/Switch.jc"
line = 47
begin = 11
end = 65

[JC_48]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_23]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_9]
file = "HOME/tests/java/Switch.jc"
line = 45
begin = 8
end = 23

[JC_24]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_25]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_41]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_47]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_52]
file = "HOME/tests/java/Switch.jc"
line = 93
begin = 10
end = 18

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
file = "HOME/tests/java/Switch.jc"
line = 93
begin = 10
end = 18

[JC_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[Switch_test2_ensures_normal]
name = "Method test2"
behavior = "Behavior `normal'"
file = "HOME/tests/java/Switch.java"
line = 56
begin = 22
end = 27

[JC_11]
file = "HOME/tests/java/Switch.jc"
line = 45
begin = 8
end = 23

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Switch_safety]
name = "Constructor of class Switch"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_39]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_35]
file = "HOME/"
line = 0
begin = -1
end = -1

[Switch_test2_ensures_default]
name = "Method test2"
behavior = "default behavior"
file = "HOME/tests/java/Switch.java"
line = 56
begin = 22
end = 27

[JC_27]
file = "HOME/tests/java/Switch.java"
line = 53
begin = 19
end = 51

[JC_38]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_44]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_42]
file = "HOME/"
line = 0
begin = -1
end = -1

[Switch_test2_safety]
name = "Method test2"
behavior = "Safety"
file = "HOME/tests/java/Switch.java"
line = 56
begin = 22
end = 27

[JC_46]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_32]
file = "HOME/tests/java/Switch.java"
line = 54
begin = 20
end = 52

[JC_33]
file = "HOME/tests/java/Switch.java"
line = 53
begin = 18
end = 109

[cons_Switch_ensures_default]
name = "Constructor of class Switch"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_29]
file = "HOME/tests/java/Switch.java"
line = 53
begin = 18
end = 109

[Switch_test1_safety]
name = "Method test1"
behavior = "Safety"
file = "HOME/tests/java/Switch.java"
line = 38
begin = 22
end = 27

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_43]
file = "HOME/tests/java/Switch.java"
line = 38
begin = 22
end = 27

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
file = "HOME/tests/java/Switch.jc"
line = 56
begin = 10
end = 18

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_53]
file = "HOME/tests/java/Switch.java"
line = 36
begin = 18
end = 50

[JC_21]
file = "HOME/tests/java/Switch.java"
line = 56
begin = 22
end = 27

[Switch_test1_ensures_default]
name = "Method test1"
behavior = "default behavior"
file = "HOME/tests/java/Switch.java"
line = 38
begin = 22
end = 27

[JC_49]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1]
file = "HOME/tests/java/Switch.jc"
line = 20
begin = 12
end = 22

[JC_37]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/tests/java/Switch.jc"
line = 47
begin = 11
end = 65

[JC_3]
file = "HOME/tests/java/Switch.jc"
line = 20
begin = 12
end = 22

[JC_19]
file = "HOME/tests/java/Switch.java"
line = 56
begin = 22
end = 27

[JC_50]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/tests/java/Switch.jc"
line = 56
begin = 10
end = 18

[JC_28]
file = "HOME/tests/java/Switch.java"
line = 54
begin = 20
end = 52

========== file tests/java/why/Switch.why ==========
type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), (0))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Switch_tag:  -> Object tag_id

axiom Switch_parenttag_Object : parenttag(Switch_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic integer_of_byte: byte -> int

logic byte_of_integer: int -> byte

axiom byte_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_byte(byte_of_integer(x)), x)))

axiom byte_extensionality :
 (forall x:byte.
  (forall y:byte[eq_int(integer_of_byte(x), integer_of_byte(y))].
   (eq_int(integer_of_byte(x), integer_of_byte(y)) -> (x = y))))

axiom byte_range :
 (forall x:byte.
  (le_int((-128), integer_of_byte(x)) and le_int(integer_of_byte(x), (127))))

logic integer_of_char: char -> int

logic char_of_integer: int -> char

axiom char_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (65535))) ->
   eq_int(integer_of_char(char_of_integer(x)), x)))

axiom char_extensionality :
 (forall x:char.
  (forall y:char[eq_int(integer_of_char(x), integer_of_char(y))].
   (eq_int(integer_of_char(x), integer_of_char(y)) -> (x = y))))

axiom char_range :
 (forall x:char.
  (le_int((0), integer_of_char(x)) and le_int(integer_of_char(x), (65535))))

predicate eq_byte(x:byte, y:byte) =
 eq_int(integer_of_byte(x), integer_of_byte(y))

predicate eq_char(x:char, y:char) =
 eq_int(integer_of_char(x), integer_of_char(y))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_long: long -> int

predicate eq_long(x:long, y:long) =
 eq_int(integer_of_long(x), integer_of_long(y))

logic integer_of_short: short -> int

predicate eq_short(x:short, y:short) =
 eq_int(integer_of_short(x), integer_of_short(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Switch(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer: int -> long

axiom long_coerce :
 (forall x:int.
  ((le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807))) ->
   eq_int(integer_of_long(long_of_integer(x)), x)))

axiom long_extensionality :
 (forall x:long.
  (forall y:long[eq_int(integer_of_long(x), integer_of_long(y))].
   (eq_int(integer_of_long(x), integer_of_long(y)) -> (x = y))))

axiom long_range :
 (forall x:long.
  (le_int((-9223372036854775808), integer_of_long(x))
  and le_int(integer_of_long(x), (9223372036854775807))))

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Switch(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer: int -> short

axiom short_coerce :
 (forall x:int.
  ((le_int((-32768), x) and le_int(x, (32767))) ->
   eq_int(integer_of_short(short_of_integer(x)), x)))

axiom short_extensionality :
 (forall x:short.
  (forall y:short[eq_int(integer_of_short(x), integer_of_short(y))].
   (eq_int(integer_of_short(x), integer_of_short(y)) -> (x = y))))

axiom short_range :
 (forall x:short.
  (le_int((-32768), integer_of_short(x))
  and le_int(integer_of_short(x), (32767))))

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Switch(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Switch(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

exception Exception_exc of Object pointer

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Object_alloc_table : Object alloc_table ref

parameter Object_tag_table : Object tag_table ref

exception Return_label_exc of unit

parameter Switch_test1 :
 n:int32 ->
  { } int32
  { (JC_53:
    (((integer_of_int32(n) = (0)) or (integer_of_int32(n) = (1)))
    <-> (integer_of_int32(result) = (0)))) }

parameter Switch_test1_requires :
 n:int32 ->
  { } int32
  { (JC_53:
    (((integer_of_int32(n) = (0)) or (integer_of_int32(n) = (1)))
    <-> (integer_of_int32(result) = (0)))) }

parameter Switch_test2 :
 n_0:int32 ->
  { } int32
  { (JC_33:
    ((JC_31:
     (((integer_of_int32(n_0) = (4)) or (integer_of_int32(n_0) = (7)))
     <-> (integer_of_int32(result) = (1))))
    and (JC_32:
        (((integer_of_int32(n_0) = (0)) or (integer_of_int32(n_0) = (1)))
        <-> (integer_of_int32(result) = (0)))))) }

parameter Switch_test2_requires :
 n_0:int32 ->
  { } int32
  { (JC_33:
    ((JC_31:
     (((integer_of_int32(n_0) = (4)) or (integer_of_int32(n_0) = (7)))
     <-> (integer_of_int32(result) = (1))))
    and (JC_32:
        (((integer_of_int32(n_0) = (0)) or (integer_of_int32(n_0) = (1)))
        <-> (integer_of_int32(result) = (0)))))) }

exception Throwable_exc of Object pointer

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Switch :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Switch(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Switch_tag)))) }

parameter alloc_struct_Switch_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Switch(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Switch_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_byte : unit -> { } byte { true }

parameter any_char : unit -> { } char { true }

parameter any_int32 : unit -> { } int32 { true }

parameter any_long : unit -> { } long { true }

parameter any_short : unit -> { } short { true }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter byte_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} byte
  { eq_int(integer_of_byte(result), x) }

parameter char_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (65535)))} char
  { eq_int(integer_of_char(result), x) }

parameter cons_Switch :
 this_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Switch_requires :
 this_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter long_of_integer_ :
 x:int ->
  { (le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807)))}
  long { eq_int(integer_of_long(result), x) }

parameter non_null_Object :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter non_null_Object_requires :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter safe_byte_of_integer_ :
 x:int -> { } byte { eq_int(integer_of_byte(result), x) }

parameter safe_char_of_integer_ :
 x:int -> { } char { eq_int(integer_of_char(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_long_of_integer_ :
 x:int -> { } long { eq_int(integer_of_long(result), x) }

parameter safe_short_of_integer_ :
 x:int -> { } short { eq_int(integer_of_short(result), x) }

parameter short_of_integer_ :
 x:int ->
  { (le_int((-32768), x) and le_int(x, (32767)))} short
  { eq_int(integer_of_short(result), x) }

let Switch_test1_ensures_default =
 fun (n : int32) ->
  { (JC_46: true) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let r_0 = ref (any_int32 void) in
     begin
       (let _jessie_ = n in
       try
        (if (((eq_int_ (integer_of_int32 _jessie_)) (1)) || ((eq_int_ 
                                                               (integer_of_int32 _jessie_)) (0)))
        then
         begin
           (let _jessie_ = (r_0 := (safe_int32_of_integer_ (0))) in void);
          (raise (Loop_exit_exc void)) end
        else
         (if true
         then
          (let _jessie_ =
          begin   (r_0 := (safe_int32_of_integer_ (2))); !r_0 end in void)
         else void)) with Loop_exit_exc _jessie_ -> void end);
      (return := !r_0); (raise Return) end); absurd  end with Return ->
   !return end)) { (JC_47: true) } 

let Switch_test1_ensures_normal =
 fun (n : int32) ->
  { (JC_46: true) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let r_0 = ref (any_int32 void) in
     begin
       (let _jessie_ = n in
       try
        (if (((eq_int_ (integer_of_int32 _jessie_)) (1)) || ((eq_int_ 
                                                               (integer_of_int32 _jessie_)) (0)))
        then
         begin
           (let _jessie_ = (r_0 := (safe_int32_of_integer_ (0))) in void);
          (raise (Loop_exit_exc void)) end
        else
         (if true
         then
          (let _jessie_ =
          begin   (r_0 := (safe_int32_of_integer_ (2))); !r_0 end in void)
         else void)) with Loop_exit_exc _jessie_ -> void end);
      (return := !r_0); (raise Return) end); absurd  end with Return ->
   !return end))
  { (JC_51:
    (((integer_of_int32(n) = (0)) or (integer_of_int32(n) = (1)))
    <-> (integer_of_int32(result) = (0)))) } 

let Switch_test1_safety =
 fun (n : int32) ->
  { (JC_46: true) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let r_0 = ref (any_int32 void) in
     begin
       (let _jessie_ = n in
       try
        (if (((eq_int_ (integer_of_int32 _jessie_)) (1)) || ((eq_int_ 
                                                               (integer_of_int32 _jessie_)) (0)))
        then
         begin
           (let _jessie_ = (r_0 := (safe_int32_of_integer_ (0))) in void);
          (raise (Loop_exit_exc void)) end
        else
         (if true
         then
          (let _jessie_ =
          begin   (r_0 := (safe_int32_of_integer_ (2))); !r_0 end in void)
         else void)) with Loop_exit_exc _jessie_ -> void end);
      (return := !r_0); (raise Return) end); absurd  end with Return ->
   !return end)) { true } 

let Switch_test2_ensures_default =
 fun (n_0 : int32) ->
  { (JC_22: true) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let r = ref (any_int32 void) in
     begin
       (let _jessie_ = n_0 in
       try
        (if (((eq_int_ (integer_of_int32 _jessie_)) (1)) || ((eq_int_ 
                                                               (integer_of_int32 _jessie_)) (0)))
        then
         begin
           (let _jessie_ = (r := (safe_int32_of_integer_ (0))) in void);
          (raise (Loop_exit_exc void)) end
        else
         (if (((eq_int_ (integer_of_int32 _jessie_)) (7)) || ((eq_int_ 
                                                                (integer_of_int32 _jessie_)) (4)))
         then
          begin
            (let _jessie_ = (r := (safe_int32_of_integer_ (1))) in void);
           (raise (Loop_exit_exc void)) end
         else
          (if (((eq_int_ (integer_of_int32 _jessie_)) (26)) || (true || 
                                                                ((eq_int_ 
                                                                  (integer_of_int32 _jessie_)) (12))))
          then
           (let _jessie_ =
           begin   (r := (safe_int32_of_integer_ (2))); !r end in void)
          else void))) with Loop_exit_exc _jessie_ -> void end);
      (return := !r); (raise Return) end); absurd  end with Return ->
   !return end)) { (JC_23: true) } 

let Switch_test2_ensures_normal =
 fun (n_0 : int32) ->
  { (JC_22: true) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let r = ref (any_int32 void) in
     begin
       (let _jessie_ = n_0 in
       try
        (if (((eq_int_ (integer_of_int32 _jessie_)) (1)) || ((eq_int_ 
                                                               (integer_of_int32 _jessie_)) (0)))
        then
         begin
           (let _jessie_ = (r := (safe_int32_of_integer_ (0))) in void);
          (raise (Loop_exit_exc void)) end
        else
         (if (((eq_int_ (integer_of_int32 _jessie_)) (7)) || ((eq_int_ 
                                                                (integer_of_int32 _jessie_)) (4)))
         then
          begin
            (let _jessie_ = (r := (safe_int32_of_integer_ (1))) in void);
           (raise (Loop_exit_exc void)) end
         else
          (if (((eq_int_ (integer_of_int32 _jessie_)) (26)) || (true || 
                                                                ((eq_int_ 
                                                                  (integer_of_int32 _jessie_)) (12))))
          then
           (let _jessie_ =
           begin   (r := (safe_int32_of_integer_ (2))); !r end in void)
          else void))) with Loop_exit_exc _jessie_ -> void end);
      (return := !r); (raise Return) end); absurd  end with Return ->
   !return end))
  { (JC_29:
    ((JC_27:
     (((integer_of_int32(n_0) = (4)) or (integer_of_int32(n_0) = (7)))
     <-> (integer_of_int32(result) = (1))))
    and (JC_28:
        (((integer_of_int32(n_0) = (0)) or (integer_of_int32(n_0) = (1)))
        <-> (integer_of_int32(result) = (0)))))) } 

let Switch_test2_safety =
 fun (n_0 : int32) ->
  { (JC_22: true) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let r = ref (any_int32 void) in
     begin
       (let _jessie_ = n_0 in
       try
        (if (((eq_int_ (integer_of_int32 _jessie_)) (1)) || ((eq_int_ 
                                                               (integer_of_int32 _jessie_)) (0)))
        then
         begin
           (let _jessie_ = (r := (safe_int32_of_integer_ (0))) in void);
          (raise (Loop_exit_exc void)) end
        else
         (if (((eq_int_ (integer_of_int32 _jessie_)) (7)) || ((eq_int_ 
                                                                (integer_of_int32 _jessie_)) (4)))
         then
          begin
            (let _jessie_ = (r := (safe_int32_of_integer_ (1))) in void);
           (raise (Loop_exit_exc void)) end
         else
          (if (((eq_int_ (integer_of_int32 _jessie_)) (26)) || (true || 
                                                                ((eq_int_ 
                                                                  (integer_of_int32 _jessie_)) (12))))
          then
           (let _jessie_ =
           begin   (r := (safe_int32_of_integer_ (2))); !r end in void)
          else void))) with Loop_exit_exc _jessie_ -> void end);
      (return := !r); (raise Return) end); absurd  end with Return ->
   !return end)) { true } 

let cons_Switch_ensures_default =
 fun (this_0 : Object pointer) ->
  { valid_struct_Switch(this_0, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_39: true) } 

let cons_Switch_safety =
 fun (this_0 : Object pointer) ->
  { valid_struct_Switch(this_0, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 


why-2.39/tests/java/oracle/BinarySearch.err.oracle0000644000106100004300000000020713147234006021110 0ustar  marchevalscat: /tmp/regtests.cwd: No such file or directory
grep: /src/version.ml: No such file or directory
Cannot open directory /lib/java_api
why-2.39/tests/java/oracle/Hello.res.oracle0000644000106100004300000101414713147234006017613 0ustar  marchevals========== file tests/java/Hello.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

class Hello {

    public static void main(String argv[]) {
        System.out.println("Hello Krakatoa");
    }

}



/*
Local Variables:
compile-command: "make Hello.why3ide"
End:
*/


========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function cons_Hello for constructor Hello
Generating JC function System_runFinalizersOnExit for method System.runFinalizersOnExit
Generating JC function cons_String_byteA_String for constructor String
Generating JC function cons_PrintStream_OutputStream_boolean_String for constructor PrintStream
Generating JC function String_replaceAll for method String.replaceAll
Generating JC function OutputStream_write_byteA_int_int for method OutputStream.write
Generating JC function FilterOutputStream_write_byteA for method FilterOutputStream.write
Generating JC function cons_String_byteA for constructor String
Generating JC function System_checkIO for method System.checkIO
Generating JC function cons_String_byteA_int for constructor String
Generating JC function cons_PrintStream_OutputStream for constructor PrintStream
Generating JC function PrintStream_println_int for method PrintStream.println
Generating JC function Object_wait_long for method Object.wait
Generating JC function PrintStream_close for method PrintStream.close
Generating JC function String_valueOf_charA_int_int for method String.valueOf
Generating JC function cons_PrintStream_OutputStream_boolean for constructor PrintStream
Generating JC function System_currentTimeMillis for method System.currentTimeMillis
Generating JC function String_indexOf_charA_int_int_charA_int_int_int for method String.indexOf
Generating JC function String_charAt for method String.charAt
Generating JC function Object_clone for method Object.clone
Generating JC function String_getBytes_String for method String.getBytes
Generating JC function PrintStream_init for method PrintStream.init
Generating JC function String_substring_int for method String.substring
Generating JC function String_getChars for method String.getChars
Generating JC function cons_FilterOutputStream_OutputStream for constructor FilterOutputStream
Generating JC function PrintStream_println_boolean for method PrintStream.println
Generating JC function FilterOutputStream_flush for method FilterOutputStream.flush
Generating JC function String_indexOf_String_int for method String.indexOf
Generating JC function String_equalsIgnoreCase for method String.equalsIgnoreCase
Generating JC function PrintStream_println_Object for method PrintStream.println
Generating JC function String_equals for method String.equals
Generating JC function String_substring_int_int for method String.substring
Generating JC function String_length for method String.length
Generating JC function System_setOut for method System.setOut
Generating JC function PrintStream_ensureOpen for method PrintStream.ensureOpen
Generating JC function Comparable_compareTo for method Comparable.compareTo
Generating JC function PrintStream_checkError for method PrintStream.checkError
Generating JC function PrintStream_println_char for method PrintStream.println
Generating JC function Object_equals for method Object.equals
Generating JC function PrintStream_newLine for method PrintStream.newLine
Generating JC function OutputStream_write_byteA for method OutputStream.write
Generating JC function System_loadLibrary for method System.loadLibrary
Generating JC function PrintStream_println_String for method PrintStream.println
Generating JC function Object_hashCode for method Object.hashCode
Generating JC function String_valueOf_boolean for method String.valueOf
Generating JC function String_split_String_int for method String.split
Generating JC function PrintStream_setError for method PrintStream.setError
Generating JC function String_replace for method String.replace
Generating JC function CharSequence_charAt for method CharSequence.charAt
Generating JC function String_lastIndexOf_int_int for method String.lastIndexOf
Generating JC function CharSequence_length for method CharSequence.length
Generating JC function FilterOutputStream_write_int for method FilterOutputStream.write
Generating JC function String_checkBounds for method String.checkBounds
Generating JC function PrintStream_print_float for method PrintStream.print
Generating JC function String_copyValueOf_charA for method String.copyValueOf
Generating JC function String_indexOf_String for method String.indexOf
Generating JC function cons_String_byteA_int_int for constructor String
Generating JC function PrintStream_print_String for method PrintStream.print
Generating JC function FilterOutputStream_close for method FilterOutputStream.close
Generating JC function cons_Object for constructor Object
Generating JC function Object_notify for method Object.notify
Generating JC function Object_wait_long_int for method Object.wait
Generating JC function OutputStream_write for method OutputStream.write
Generating JC function String_copyValueOf_charA_int_int for method String.copyValueOf
Generating JC function String_lastIndexOf_String for method String.lastIndexOf
Generating JC function String_valueOf_double for method String.valueOf
Generating JC function String_valueOf_long for method String.valueOf
Generating JC function Object_wait for method Object.wait
Generating JC function System_setErr for method System.setErr
Generating JC function PrintStream_print_double for method PrintStream.print
Generating JC function Object_toString for method Object.toString
Generating JC function PrintStream_print_charA for method PrintStream.print
Generating JC function String_indexOf_int_int for method String.indexOf
Generating JC function String_toString for method String.toString
Generating JC function String_lastIndexOf_String_int for method String.lastIndexOf
Generating JC function PrintStream_print_char for method PrintStream.print
Generating JC function PrintStream_println_long for method PrintStream.println
Generating JC function cons_PrintStream_boolean_OutputStream for constructor PrintStream
Generating JC function cons_String_int_int_charA for constructor String
Generating JC function System_exit for method System.exit
Generating JC function cons_OutputStream for constructor OutputStream
Generating JC function System_runFinalization for method System.runFinalization
Generating JC function String_valueOf_float for method String.valueOf
Generating JC function String_replaceFirst for method String.replaceFirst
Generating JC function Object_registerNatives for method Object.registerNatives
Generating JC function String_endsWith for method String.endsWith
Generating JC function PrintStream_write_charA for method PrintStream.write
Generating JC function PrintStream_println for method PrintStream.println
Generating JC function System_getProperty_String for method System.getProperty
Generating JC function String_valueOf_charA for method String.valueOf
Generating JC function System_setErr0 for method System.setErr0
Generating JC function System_arraycopy for method System.arraycopy
Generating JC function String_startsWith_String_int for method String.startsWith
Generating JC function String_contentEquals for method String.contentEquals
Generating JC function System_initializeSystemClass for method System.initializeSystemClass
Generating JC function String_compareTo_String for method String.compareTo
Generating JC function cons_String_byteA_int_int_String for constructor String
Generating JC function String_concat for method String.concat
Generating JC function Object_finalize for method Object.finalize
Generating JC function PrintStream_println_float for method PrintStream.println
Generating JC function PrintStream_print_long for method PrintStream.print
Generating JC function String_trim for method String.trim
Generating JC function CharSequence_subSequence for method CharSequence.subSequence
Generating JC function FilterOutputStream_write for method FilterOutputStream.write
Generating JC function String_indexOf for method String.indexOf
Generating JC function String_getBytes_int_int_byteA_int for method String.getBytes
Generating JC function System_load for method System.load
Generating JC function System_nullInputStream for method System.nullInputStream
Generating JC function System_getenv for method System.getenv
Generating JC function String_valueOf_Object for method String.valueOf
Generating JC function System_registerNatives for method System.registerNatives
Generating JC function PrintStream_println_charA for method PrintStream.println
Generating JC function CharSequence_toString for method CharSequence.toString
Generating JC function System_mapLibraryName for method System.mapLibraryName
Generating JC function cons_String_charA_int_int for constructor String
Generating JC function Hello_main for method Hello.main
Generating JC function String_split_String for method String.split
Generating JC function String_valueOf_char for method String.valueOf
Generating JC function String_lastIndexOf_charA_int_int_charA_int_int_int for method String.lastIndexOf
Generating JC function cons_String for constructor String
Generating JC function String_matches for method String.matches
Generating JC function PrintStream_print_boolean for method PrintStream.print
Generating JC function PrintStream_flush for method PrintStream.flush
Generating JC function String_getBytes for method String.getBytes
Generating JC function System_setOut0 for method System.setOut0
Generating JC function Object_notifyAll for method Object.notifyAll
Generating JC function PrintStream_println_double for method PrintStream.println
Generating JC function String_compareTo_Object for method String.compareTo
Generating JC function String_valueOf for method String.valueOf
Generating JC function System_identityHashCode for method System.identityHashCode
Generating JC function String_subSequence for method String.subSequence
Generating JC function OutputStream_close for method OutputStream.close
Generating JC function cons_String_String for constructor String
Generating JC function PrintStream_print_int for method PrintStream.print
Generating JC function cons_String_StringBuffer for constructor String
Generating JC function String_toCharArray for method String.toCharArray
Generating JC function cons_String_byteA_int_int_int for constructor String
Generating JC function System_setProperty for method System.setProperty
Generating JC function String_intern for method String.intern
Generating JC function String_lastIndexOf for method String.lastIndexOf
Generating JC function System_getProperty_String_String for method System.getProperty
Generating JC function String_startsWith_String for method String.startsWith
Generating JC function String_compareToIgnoreCase for method String.compareToIgnoreCase
Generating JC function String_regionMatches_int_String_int_int for method String.regionMatches
Generating JC function PrintStream_print for method PrintStream.print
Generating JC function OutputStream_flush for method OutputStream.flush
Generating JC function cons_System for constructor System
Generating JC function PrintStream_write_String for method PrintStream.write
Generating JC function PrintStream_write_int for method PrintStream.write
Generating JC function System_nullPrintStream for method System.nullPrintStream
Generating JC function String_toUpperCase for method String.toUpperCase
Generating JC function String_regionMatches_boolean_int_String_int_int for method String.regionMatches
Generating JC function cons_String_charA for constructor String
Generating JC function String_hashCode for method String.hashCode
Generating JC function PrintStream_write_byteA_int_int for method PrintStream.write
Generating JC function String_toLowerCase for method String.toLowerCase
Generating JC function System_gc for method System.gc
Done.
========== file tests/java/Hello.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

type byte = -128..127

type short = -32768..32767

type int32 = -2147483648..2147483647

type long = -9223372036854775808..9223372036854775807

type char = 0..65535

predicate Non_null_StringM{Here}(StringM[0..] x) =
(\offset_max(x) >= -1)

predicate Non_null_charM{Here}(charM[0..] x) =
(\offset_max(x) >= -1)

predicate Non_null_byteM{Here}(byteM[0..] x) =
(\offset_max(x) >= -1)

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

logic long String_serialVersionUID =
-6849794470754667710

axiomatic in_theory {

  logic InputStream[0..] System_in 
  
}

axiomatic out_theory {

  logic PrintStream[0..] System_out 
  
}

axiomatic err_theory {

  logic PrintStream[0..] System_err 
  
}

String[0..] any_string()
;

tag String = Object with {
  charM[0..] value; 
  int32 offset; 
  int32 count; 
  int32 hash;
}

tag InputStream = Object with {
}

tag OutputStream = Object with {
}

tag Hello = Object with {
}

tag System = Object with {
}

tag FilterOutputStream = OutputStream with {
  OutputStream[0..] out;
}

tag OutputStreamWriter = Object with {
}

tag Throwable = Object with {
}

tag Object = {
}

tag PrintStream = FilterOutputStream with {
  boolean autoFlush; 
  boolean trouble; 
  boolean closing;
}

tag StringBuffer = Object with {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

tag StringM = Object with {
  String[0..] StringP;
}

tag charM = Object with {
  char charP;
}

tag byteM = Object with {
  byte byteP;
}

boolean non_null_StringM(! StringM[0..] x)
behavior default:
  assigns \nothing;
  ensures (if \result then (\offset_max(x) >= -1) else (x == null));
;

integer java_array_length_StringM(! StringM[0..-1] x)
behavior default:
  assigns \nothing;
  ensures ((\result <= 2147483647) &&
            ((\result >= 0) && (\result == (\offset_max(x) + 1))));
;

boolean non_null_charM(! charM[0..] x)
behavior default:
  assigns \nothing;
  ensures (if \result then (\offset_max(x) >= -1) else (x == null));
;

integer java_array_length_charM(! charM[0..-1] x)
behavior default:
  assigns \nothing;
  ensures ((\result <= 2147483647) &&
            ((\result >= 0) && (\result == (\offset_max(x) + 1))));
;

boolean non_null_byteM(! byteM[0..] x)
behavior default:
  assigns \nothing;
  ensures (if \result then (\offset_max(x) >= -1) else (x == null));
;

integer java_array_length_byteM(! byteM[0..-1] x)
behavior default:
  assigns \nothing;
  ensures ((\result <= 2147483647) &&
            ((\result >= 0) && (\result == (\offset_max(x) + 1))));
;

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

unit cons_Hello(! Hello[0] this_6){()}

unit System_runFinalizersOnExit(boolean value_0)
;

unit cons_String_byteA_String(! String[0] this_104, byteM[0..] bytes_1,
                              String[0..] charsetName_0)
{  (this_104.value = null);
   (this_104.offset = 0);
   (this_104.count = 0);
   (this_104.hash = 0)
}

unit cons_PrintStream_OutputStream_boolean_String(! PrintStream[0] this_105,
                                                  OutputStream[0..] out_5,
                                                  boolean autoFlush_1,
                                                  String[0..] encoding)
{  (this_105.autoFlush = false);
   (this_105.trouble = false);
   (this_105.closing = false)
}

String[0..] String_replaceAll(String[0] this_7, String[0..] regex_1,
                              String[0..] replacement_0)
;

unit OutputStream_write_byteA_int_int(OutputStream[0] this_8, byteM[0..] b_1,
                                      int32 off, int32 len)
;

unit FilterOutputStream_write_byteA(FilterOutputStream[0] this_9,
                                    byteM[0..] b_3)
;

unit cons_String_byteA(! String[0] this_106, byteM[0..] bytes_3)
{  (this_106.value = null);
   (this_106.offset = 0);
   (this_106.count = 0);
   (this_106.hash = 0)
}

unit System_checkIO()
;

unit cons_String_byteA_int(! String[0] this_107, byteM[0..] ascii_0,
                           int32 hibyte_0)
{  (this_107.value = null);
   (this_107.offset = 0);
   (this_107.count = 0);
   (this_107.hash = 0)
}

unit cons_PrintStream_OutputStream(! PrintStream[0] this_108,
                                   OutputStream[0..] out_2)
{  (this_108.autoFlush = false);
   (this_108.trouble = false);
   (this_108.closing = false)
}

unit PrintStream_println_int(PrintStream[0] this_10, int32 x_2)
;

unit Object_wait_long(Object[0] this_11, long timeout)
;

unit PrintStream_close(PrintStream[0] this_12)
;

String[0..] String_valueOf_charA_int_int(charM[0..] data_0, int32 offset_5,
                                         int32 count_2)
;

unit cons_PrintStream_OutputStream_boolean(! PrintStream[0] this_109,
                                           OutputStream[0..] out_4,
                                           boolean autoFlush_0)
{  (this_109.autoFlush = false);
   (this_109.trouble = false);
   (this_109.closing = false)
}

long System_currentTimeMillis()
;

int32 String_indexOf_charA_int_int_charA_int_int_int(charM[0..] source,
                                                     int32 sourceOffset,
                                                     int32 sourceCount,
                                                     charM[0..] target,
                                                     int32 targetOffset,
                                                     int32 targetCount,
                                                     int32 fromIndex_2)
;

char String_charAt(String[0] this_13, int32 index_0)
;

Object[0..] Object_clone(Object[0] this_14)
;

byteM[0..] String_getBytes_String(String[0] this_15,
                                  String[0..] charsetName_1)
;

unit PrintStream_init(PrintStream[0] this_16, OutputStreamWriter[0..] osw)
;

String[0..] String_substring_int(String[0] this_17, int32 beginIndex)
;

unit String_getChars(String[0] this_18, int32 srcBegin, int32 srcEnd,
                     charM[0..] dst, int32 dstBegin)
;

unit cons_FilterOutputStream_OutputStream(! FilterOutputStream[0] this_110,
                                          OutputStream[0..] out_1)
{  (this_110.out = null)
}

unit PrintStream_println_boolean(PrintStream[0] this_19, boolean x_0)
;

unit FilterOutputStream_flush(FilterOutputStream[0] this_20)
;

int32 String_indexOf_String_int(String[0] this_21, String[0..] str_1,
                                int32 fromIndex_1)
;

boolean String_equalsIgnoreCase(String[0] this_22, String[0..] anotherString)
;

unit PrintStream_println_Object(PrintStream[0] this_23, Object[0..] x_8)
;

boolean String_equals(String[0] this_24, Object[0..] anObject)
;

String[0..] String_substring_int_int(String[0] this_25, int32 beginIndex_0,
                                     int32 endIndex)
;

int32 String_length(String[0] this_26)
;

unit System_setOut(PrintStream[0..] out)
;

unit PrintStream_ensureOpen(PrintStream[0] this_27)
;

int32 Comparable_compareTo(Object/*interface*/[0..] this_28, Object[0..] o)
;

boolean PrintStream_checkError(PrintStream[0] this_29)
;

unit PrintStream_println_char(PrintStream[0] this_30, char x_1)
;

boolean Object_equals(Object[0] this_31, Object[0..] obj_1)
;

unit PrintStream_newLine(PrintStream[0] this_32)
;

unit OutputStream_write_byteA(OutputStream[0] this_33, byteM[0..] b_0)
;

unit System_loadLibrary(String[0..] libname)
;

unit PrintStream_println_String(PrintStream[0] this_34, String[0..] x_7)
;

int32 Object_hashCode(Object[0] this_35)
;

String[0..] String_valueOf_boolean(boolean b_7)
;

StringM[0..] String_split_String_int(String[0] this_36, String[0..] regex_2,
                                     int32 limit)
;

unit PrintStream_setError(PrintStream[0] this_37)
;

String[0..] String_replace(String[0] this_38, char oldChar, char newChar)
;

char CharSequence_charAt(Object/*interface*/[0..] this_39, int32 index)
;

int32 String_lastIndexOf_int_int(String[0] this_40, int32 ch_2,
                                 int32 fromIndex_0)
;

int32 CharSequence_length(Object/*interface*/[0..] this_41)
;

unit FilterOutputStream_write_int(FilterOutputStream[0] this_42, int32 b_2)
;

unit String_checkBounds(byteM[0..] bytes, int32 offset_1, int32 length_0)
;

unit PrintStream_print_float(PrintStream[0] this_43, real f)
;

String[0..] String_copyValueOf_charA(charM[0..] data_2)
;

int32 String_indexOf_String(String[0] this_44, String[0..] str_0)
;

unit cons_String_byteA_int_int(! String[0] this_111, byteM[0..] bytes_2,
                               int32 offset_3, int32 length_2)
{  (this_111.value = null);
   (this_111.offset = 0);
   (this_111.count = 0);
   (this_111.hash = 0)
}

unit PrintStream_print_String(PrintStream[0] this_45, String[0..] s_1)
;

unit FilterOutputStream_close(FilterOutputStream[0] this_46)
;

unit cons_Object(! Object[0] this_112){()}

unit Object_notify(Object[0] this_47)
;

unit Object_wait_long_int(Object[0] this_48, long timeout_0, int32 nanos)
;

unit OutputStream_write(OutputStream[0] this_49, int32 b)
;

String[0..] String_copyValueOf_charA_int_int(charM[0..] data_1,
                                             int32 offset_6, int32 count_3)
;

int32 String_lastIndexOf_String(String[0] this_50, String[0..] str_2)
;

String[0..] String_valueOf_double(real d_0)
;

String[0..] String_valueOf_long(long l_0)
;

unit Object_wait(Object[0] this_51)
;

unit System_setErr(PrintStream[0..] err)
;

unit PrintStream_print_double(PrintStream[0] this_52, real d)
;

String[0..] Object_toString(Object[0] this_53)
;

unit PrintStream_print_charA(PrintStream[0] this_54, charM[0..] s_0)
;

int32 String_indexOf_int_int(String[0] this_55, int32 ch_0, int32 fromIndex)
;

String[0..] String_toString(String[0] this_56)
;

int32 String_lastIndexOf_String_int(String[0] this_57, String[0..] str_3,
                                    int32 fromIndex_3)
;

unit PrintStream_print_char(PrintStream[0] this_58, char c)
;

unit PrintStream_println_long(PrintStream[0] this_59, long x_3)
;

unit cons_PrintStream_boolean_OutputStream(! PrintStream[0] this_113,
                                           boolean autoFlush,
                                           OutputStream[0..] out_3)
{  (this_113.autoFlush = false);
   (this_113.trouble = false);
   (this_113.closing = false)
}

unit cons_String_int_int_charA(! String[0] this_114, int32 offset_4,
                               int32 count_1, charM[0..] value_3)
{  (this_114.value = null);
   (this_114.offset = 0);
   (this_114.count = 0);
   (this_114.hash = 0)
}

unit System_exit(int32 status)
;

unit cons_OutputStream(! OutputStream[0] this_115){()}

unit System_runFinalization()
;

String[0..] String_valueOf_float(real f_0)
;

String[0..] String_replaceFirst(String[0] this_60, String[0..] regex_0,
                                String[0..] replacement)
;

unit Object_registerNatives()
;

boolean String_endsWith(String[0] this_61, String[0..] suffix)
;

unit PrintStream_write_charA(PrintStream[0] this_62, charM[0..] buf_0)
;

unit PrintStream_println(PrintStream[0] this_63)
;

String[0..] System_getProperty_String(String[0..] key)
;

String[0..] String_valueOf_charA(charM[0..] data)
;

unit System_setErr0(PrintStream[0..] err_0)
;

unit System_arraycopy(Object[0..] src, int32 srcPos, Object[0..] dest,
                      int32 destPos, int32 length)
;

boolean String_startsWith_String_int(String[0] this_64, String[0..] prefix,
                                     int32 toffset_1)
;

boolean String_contentEquals(String[0] this_65, StringBuffer[0..] sb)
;

unit System_initializeSystemClass()
;

int32 String_compareTo_String(String[0] this_66, String[0..] anotherString_0)
;

unit cons_String_byteA_int_int_String(! String[0] this_116,
                                      byteM[0..] bytes_0, int32 offset_2,
                                      int32 length_1, String[0..] charsetName)
{  (this_116.value = null);
   (this_116.offset = 0);
   (this_116.count = 0);
   (this_116.hash = 0)
}

String[0..] String_concat(String[0] this_67, String[0..] str_4)
;

unit Object_finalize(Object[0] this_68)
;

unit PrintStream_println_float(PrintStream[0] this_69, real x_4)
;

unit PrintStream_print_long(PrintStream[0] this_70, long l)
;

String[0..] String_trim(String[0] this_71)
;

Object/*interface*/[0..] CharSequence_subSequence(Object/*interface*/[0..] this_72,
                                                  int32 start, int32 end_0)
;

unit FilterOutputStream_write(FilterOutputStream[0] this_73, byteM[0..] b_4,
                              int32 off_0, int32 len_0)
;

int32 String_indexOf(String[0] this_74, int32 ch)
;

unit String_getBytes_int_int_byteA_int(String[0] this_75, int32 srcBegin_0,
                                       int32 srcEnd_0, byteM[0..] dst_0,
                                       int32 dstBegin_0)
;

unit System_load(String[0..] filename)
;

InputStream[0..] System_nullInputStream()
;

String[0..] System_getenv(String[0..] name)
;

String[0..] String_valueOf_Object(Object[0..] obj_0)
;

unit System_registerNatives()
;

unit PrintStream_println_charA(PrintStream[0] this_76, charM[0..] x_6)
;

String[0..] CharSequence_toString(Object/*interface*/[0..] this_77)
;

String[0..] System_mapLibraryName(String[0..] libname_0)
;

unit cons_String_charA_int_int(! String[0] this_117, charM[0..] value_2,
                               int32 offset, int32 count)
{  (this_117.value = null);
   (this_117.offset = 0);
   (this_117.count = 0);
   (this_117.hash = 0)
}

unit Hello_main(StringM[0..] argv)
{  (K_1 : PrintStream_println_String(System_out, any_string()))
}

StringM[0..] String_split_String(String[0] this_78, String[0..] regex_3)
;

String[0..] String_valueOf_char(char c_0)
;

int32 String_lastIndexOf_charA_int_int_charA_int_int_int(charM[0..] source_0,
                                                         int32 sourceOffset_0,
                                                         int32 sourceCount_0,
                                                         charM[0..] target_0,
                                                         int32 targetOffset_0,
                                                         int32 targetCount_0,
                                                         int32 fromIndex_4)
;

unit cons_String(! String[0] this_118)
{  (this_118.value = null);
   (this_118.offset = 0);
   (this_118.count = 0);
   (this_118.hash = 0)
}

boolean String_matches(String[0] this_79, String[0..] regex)
;

unit PrintStream_print_boolean(PrintStream[0] this_80, boolean b_6)
;

unit PrintStream_flush(PrintStream[0] this_81)
;

byteM[0..] String_getBytes(String[0] this_82)
;

unit System_setOut0(PrintStream[0..] out_0)
;

unit Object_notifyAll(Object[0] this_83)
;

unit PrintStream_println_double(PrintStream[0] this_84, real x_5)
;

int32 String_compareTo_Object(String[0] this_85, Object[0..] o_0)
;

String[0..] String_valueOf(int32 i_0)
;

int32 System_identityHashCode(Object[0..] x)
;

Object/*interface*/[0..] String_subSequence(String[0] this_86,
                                            int32 beginIndex_1,
                                            int32 endIndex_0)
;

unit OutputStream_close(OutputStream[0] this_87)
;

unit cons_String_String(! String[0] this_119, String[0..] original)
{  (this_119.value = null);
   (this_119.offset = 0);
   (this_119.count = 0);
   (this_119.hash = 0)
}

unit PrintStream_print_int(PrintStream[0] this_88, int32 i)
;

unit cons_String_StringBuffer(! String[0] this_120, StringBuffer[0..] buffer)
{  (this_120.value = null);
   (this_120.offset = 0);
   (this_120.count = 0);
   (this_120.hash = 0)
}

charM[0..] String_toCharArray(String[0] this_89)
;

unit cons_String_byteA_int_int_int(! String[0] this_121, byteM[0..] ascii,
                                   int32 hibyte, int32 offset_0,
                                   int32 count_0)
{  (this_121.value = null);
   (this_121.offset = 0);
   (this_121.count = 0);
   (this_121.hash = 0)
}

String[0..] System_setProperty(String[0..] key_1, String[0..] value)
;

String[0..] String_intern(String[0] this_90)
;

int32 String_lastIndexOf(String[0] this_91, int32 ch_1)
;

String[0..] System_getProperty_String_String(String[0..] key_0,
                                             String[0..] def)
;

boolean String_startsWith_String(String[0] this_92, String[0..] prefix_0)
;

int32 String_compareToIgnoreCase(String[0] this_93, String[0..] str)
;

boolean String_regionMatches_int_String_int_int(String[0] this_94,
                                                int32 toffset,
                                                String[0..] other,
                                                int32 ooffset, int32 len_2)
;

unit PrintStream_print(PrintStream[0] this_95, Object[0..] obj)
;

unit OutputStream_flush(OutputStream[0] this_96)
;

unit cons_System(! System[0] this_122){()}

unit PrintStream_write_String(PrintStream[0] this_97, String[0..] s)
;

unit PrintStream_write_int(PrintStream[0] this_98, int32 b_5)
;

PrintStream[0..] System_nullPrintStream()
;

String[0..] String_toUpperCase(String[0] this_99)
;

boolean String_regionMatches_boolean_int_String_int_int(String[0] this_100,
                                                        boolean ignoreCase,
                                                        int32 toffset_0,
                                                        String[0..] other_0,
                                                        int32 ooffset_0,
                                                        int32 len_3)
;

unit cons_String_charA(! String[0] this_123, charM[0..] value_1)
{  (this_123.value = null);
   (this_123.offset = 0);
   (this_123.count = 0);
   (this_123.hash = 0)
}

int32 String_hashCode(String[0] this_101)
;

unit PrintStream_write_byteA_int_int(PrintStream[0] this_102, byteM[0..] buf,
                                     int32 off_1, int32 len_1)
;

String[0..] String_toLowerCase(String[0] this_103)
;

unit System_gc()
;

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/Hello.jloc tests/java/Hello.jc && make -f tests/java/Hello.makefile gui"
End:
*/
========== file tests/java/Hello.jloc ==========
[String_replaceAll]
name = "Method replaceAll"
file = "HOME/lib/java_api/java/lang/String.java"
line = 1666
begin = 18
end = 28

[OutputStream_flush]
name = "Method flush"
file = "HOME/lib/java_api/java/io/OutputStream.java"
line = 115
begin = 16
end = 21

[String_indexOf]
name = "Method indexOf"
file = "HOME/lib/java_api/java/lang/String.java"
line = 1102
begin = 15
end = 22

[String_indexOf_String]
name = "Method indexOf"
file = "HOME/lib/java_api/java/lang/String.java"
line = 1221
begin = 15
end = 22

[CharSequence_charAt]
name = "Method charAt"
file = "HOME/lib/java_api/java/lang/CharSequence.java"
line = 56
begin = 9
end = 15

[PrintStream_init]
name = "Method init"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 75
begin = 17
end = 21

[String_compareTo_String]
name = "Method compareTo"
file = "HOME/lib/java_api/java/lang/String.java"
line = 728
begin = 15
end = 24

[String_equalsIgnoreCase]
name = "Method equalsIgnoreCase"
file = "HOME/lib/java_api/java/lang/String.java"
line = 681
begin = 19
end = 35

[String_lastIndexOf_String_int]
name = "Method lastIndexOf"
file = "HOME/lib/java_api/java/lang/String.java"
line = 1333
begin = 15
end = 26

[PrintStream_setError]
name = "Method setError"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 199
begin = 19
end = 27

[String_intern]
name = "Method intern"
file = "HOME/lib/java_api/java/lang/String.java"
line = 2313
begin = 25
end = 31

[String_getBytes_int_int_byteA_int]
name = "Method getBytes"
file = "HOME/lib/java_api/java/lang/String.java"
line = 532
begin = 16
end = 24

[String_split_String_int]
name = "Method split"
file = "HOME/lib/java_api/java/lang/String.java"
line = 1750
begin = 20
end = 25

[PrintStream_println_float]
name = "Method println"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 541
begin = 16
end = 23

[String_valueOf_boolean]
name = "Method valueOf"
file = "HOME/lib/java_api/java/lang/String.java"
line = 2216
begin = 25
end = 32

[System_checkIO]
name = "Method checkIO"
file = "HOME/lib/java_api/java/lang/System.java"
line = 175
begin = 24
end = 31

[Object_wait_long]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[String_getChars]
name = "Method getChars"
file = "HOME/lib/java_api/java/lang/String.java"
line = 481
begin = 16
end = 24

[String_indexOf_charA_int_int_charA_int_int_int]
name = "Method indexOf"
file = "HOME/lib/java_api/java/lang/String.java"
line = 1257
begin = 15
end = 22

[PrintStream_write_int]
name = "Method write"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 223
begin = 16
end = 21

[System_mapLibraryName]
name = "Method mapLibraryName"
file = "HOME/lib/java_api/java/lang/System.java"
line = 857
begin = 32
end = 46

[FilterOutputStream_write]
name = "Method write"
file = "HOME/lib/java_api/java/io/FilterOutputStream.java"
line = 103
begin = 16
end = 21

[cons_String_byteA_String]
name = "Constructor of class String"
file = "HOME/lib/java_api/java/lang/String.java"
line = 345
begin = 11
end = 17

[System_arraycopy]
name = "Method arraycopy"
file = "HOME/lib/java_api/java/lang/System.java"
line = 374
begin = 30
end = 39

[String_valueOf_long]
name = "Method valueOf"
file = "HOME/lib/java_api/java/lang/String.java"
line = 2257
begin = 25
end = 32

[String_toCharArray]
name = "Method toCharArray"
file = "HOME/lib/java_api/java/lang/String.java"
line = 2123
begin = 18
end = 29

[String_toLowerCase]
name = "Method toLowerCase"
file = "HOME/lib/java_api/java/lang/String.java"
line = 1904
begin = 18
end = 29

[Object_finalize]
name = "Method finalize"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[String_charAt]
name = "Method charAt"
file = "HOME/lib/java_api/java/lang/String.java"
line = 444
begin = 16
end = 22

[System_load]
name = "Method load"
file = "HOME/lib/java_api/java/lang/System.java"
line = 820
begin = 23
end = 27

[PrintStream_print_charA]
name = "Method print"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 431
begin = 16
end = 21

[Object_wait]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[PrintStream_println_int]
name = "Method println"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 513
begin = 16
end = 23

[cons_String_String]
name = "Constructor of class String"
file = "HOME/lib/java_api/java/lang/String.java"
line = 142
begin = 11
end = 17

[PrintStream_print]
name = "Method print"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 461
begin = 16
end = 21

[Object_notify]
name = "Method notify"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[Object_clone]
name = "Method clone"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[PrintStream_print_int]
name = "Method print"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 375
begin = 16
end = 21

[PrintStream_println]
name = "Method println"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 474
begin = 16
end = 23

[cons_String_int_int_charA]
name = "Constructor of class String"
file = "HOME/lib/java_api/java/lang/String.java"
line = 413
begin = 4
end = 10

[System_registerNatives]
name = "Method registerNatives"
file = "HOME/lib/java_api/java/lang/System.java"
line = 38
begin = 31
end = 46

[String_valueOf_float]
name = "Method valueOf"
file = "HOME/lib/java_api/java/lang/String.java"
line = 2271
begin = 25
end = 32

[FilterOutputStream_flush]
name = "Method flush"
file = "HOME/lib/java_api/java/io/FilterOutputStream.java"
line = 122
begin = 16
end = 21

[String_toUpperCase]
name = "Method toUpperCase"
file = "HOME/lib/java_api/java/lang/String.java"
line = 2056
begin = 18
end = 29

[cons_Object]
name = "Constructor of class Object"
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_FilterOutputStream_OutputStream]
name = "Constructor of class FilterOutputStream"
file = "HOME/lib/java_api/java/io/FilterOutputStream.java"
line = 43
begin = 11
end = 29

[String_startsWith_String]
name = "Method startsWith"
file = "HOME/lib/java_api/java/lang/String.java"
line = 1038
begin = 19
end = 29

[K_1]
file = "HOME/tests/java/Hello.java"
line = 35
begin = 8
end = 44

[String_trim]
name = "Method trim"
file = "HOME/lib/java_api/java/lang/String.java"
line = 2092
begin = 18
end = 22

[System_setErr0]
name = "Method setErr0"
file = "HOME/lib/java_api/java/lang/System.java"
line = 182
begin = 31
end = 38

[String_checkBounds]
name = "Method checkBounds"
file = "HOME/lib/java_api/java/lang/String.java"
line = 283
begin = 24
end = 35

[PrintStream_flush]
name = "Method flush"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 132
begin = 16
end = 21

[FilterOutputStream_close]
name = "Method close"
file = "HOME/lib/java_api/java/io/FilterOutputStream.java"
line = 138
begin = 16
end = 21

[System_nullInputStream]
name = "Method nullInputStream"
file = "HOME/lib/java_api/java/lang/System.java"
line = 865
begin = 31
end = 46

[cons_String_byteA_int_int]
name = "Constructor of class String"
file = "HOME/lib/java_api/java/lang/String.java"
line = 371
begin = 11
end = 17

[Comparable_compareTo]
name = "Method compareTo"
file = "HOME/lib/java_api/java/lang/Comparable.java"
line = 121
begin = 15
end = 24

[System_loadLibrary]
name = "Method loadLibrary"
file = "HOME/lib/java_api/java/lang/System.java"
line = 843
begin = 23
end = 34

[String_regionMatches_boolean_int_String_int_int]
name = "Method regionMatches"
file = "HOME/lib/java_api/java/lang/String.java"
line = 950
begin = 19
end = 32

[OutputStream_write]
name = "Method write"
file = "HOME/lib/java_api/java/io/OutputStream.java"
line = 45
begin = 25
end = 30

[PrintStream_println_String]
name = "Method println"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 583
begin = 16
end = 23

[PrintStream_checkError]
name = "Method checkError"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 188
begin = 19
end = 29

[OutputStream_close]
name = "Method close"
file = "HOME/lib/java_api/java/io/OutputStream.java"
line = 128
begin = 16
end = 21

[CharSequence_subSequence]
name = "Method subSequence"
file = "HOME/lib/java_api/java/lang/CharSequence.java"
line = 75
begin = 17
end = 28

[System_currentTimeMillis]
name = "Method currentTimeMillis"
file = "HOME/lib/java_api/java/lang/System.java"
line = 280
begin = 30
end = 47

[Object_wait_long_int]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[OutputStream_write_byteA_int_int]
name = "Method write"
file = "HOME/lib/java_api/java/io/OutputStream.java"
line = 89
begin = 16
end = 21

[cons_PrintStream_boolean_OutputStream]
name = "Constructor of class PrintStream"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 67
begin = 12
end = 23

[cons_PrintStream_OutputStream_boolean_String]
name = "Constructor of class PrintStream"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 113
begin = 11
end = 22

[Object_registerNatives]
name = "Method registerNatives"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[String_subSequence]
name = "Method subSequence"
file = "HOME/lib/java_api/java/lang/String.java"
line = 1482
begin = 24
end = 35

[System_setProperty]
name = "Method setProperty"
file = "HOME/lib/java_api/java/lang/System.java"
line = 656
begin = 25
end = 36

[String_indexOf_String_int]
name = "Method indexOf"
file = "HOME/lib/java_api/java/lang/String.java"
line = 1239
begin = 15
end = 22

[String_getBytes]
name = "Method getBytes"
file = "HOME/lib/java_api/java/lang/String.java"
line = 591
begin = 18
end = 26

[cons_String]
name = "Constructor of class String"
file = "HOME/lib/java_api/java/lang/String.java"
line = 129
begin = 11
end = 17

[String_valueOf_Object]
name = "Method valueOf"
file = "HOME/lib/java_api/java/lang/String.java"
line = 2138
begin = 25
end = 32

[PrintStream_println_Object]
name = "Method println"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 597
begin = 16
end = 23

[Hello_main]
name = "Method main"
file = "HOME/tests/java/Hello.java"
line = 34
begin = 23
end = 27

[String_endsWith]
name = "Method endsWith"
file = "HOME/lib/java_api/java/lang/String.java"
line = 1053
begin = 19
end = 27

[String_lastIndexOf]
name = "Method lastIndexOf"
file = "HOME/lib/java_api/java/lang/String.java"
line = 1167
begin = 15
end = 26

[System_runFinalization]
name = "Method runFinalization"
file = "HOME/lib/java_api/java/lang/System.java"
line = 768
begin = 23
end = 38

[String_getBytes_String]
name = "Method getBytes"
file = "HOME/lib/java_api/java/lang/String.java"
line = 572
begin = 18
end = 26

[System_getProperty_String]
name = "Method getProperty"
file = "HOME/lib/java_api/java/lang/System.java"
line = 575
begin = 25
end = 36

[System_exit]
name = "Method exit"
file = "HOME/lib/java_api/java/lang/System.java"
line = 724
begin = 23
end = 27

[String_indexOf_int_int]
name = "Method indexOf"
file = "HOME/lib/java_api/java/lang/String.java"
line = 1134
begin = 15
end = 22

[String_copyValueOf_charA_int_int]
name = "Method copyValueOf"
file = "HOME/lib/java_api/java/lang/String.java"
line = 2191
begin = 25
end = 36

[System_setOut]
name = "Method setOut"
file = "HOME/lib/java_api/java/lang/System.java"
line = 146
begin = 23
end = 29

[System_runFinalizersOnExit]
name = "Method runFinalizersOnExit"
file = "HOME/lib/java_api/java/lang/System.java"
line = 797
begin = 23
end = 42

[PrintStream_print_boolean]
name = "Method print"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 349
begin = 16
end = 21

[String_compareTo_Object]
name = "Method compareTo"
file = "HOME/lib/java_api/java/lang/String.java"
line = 778
begin = 15
end = 24

[String_valueOf_charA_int_int]
name = "Method valueOf"
file = "HOME/lib/java_api/java/lang/String.java"
line = 2177
begin = 25
end = 32

[String_matches]
name = "Method matches"
file = "HOME/lib/java_api/java/lang/String.java"
line = 1600
begin = 19
end = 26

[String_lastIndexOf_charA_int_int_charA_int_int_int]
name = "Method lastIndexOf"
file = "HOME/lib/java_api/java/lang/String.java"
line = 1351
begin = 15
end = 26

[String_startsWith_String_int]
name = "Method startsWith"
file = "HOME/lib/java_api/java/lang/String.java"
line = 1007
begin = 19
end = 29

[System_getenv]
name = "Method getenv"
file = "HOME/lib/java_api/java/lang/System.java"
line = 700
begin = 25
end = 31

[String_copyValueOf_charA]
name = "Method copyValueOf"
file = "HOME/lib/java_api/java/lang/String.java"
line = 2204
begin = 25
end = 36

[cons_System]
name = "Constructor of class System"
file = "HOME/lib/java_api/java/lang/System.java"
line = 44
begin = 12
end = 18

[PrintStream_println_charA]
name = "Method println"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 569
begin = 16
end = 23

[String_toString]
name = "Method toString"
file = "HOME/lib/java_api/java/lang/String.java"
line = 2112
begin = 18
end = 26

[System_setOut0]
name = "Method setOut0"
file = "HOME/lib/java_api/java/lang/System.java"
line = 181
begin = 31
end = 38

[String_equals]
name = "Method equals"
file = "HOME/lib/java_api/java/lang/String.java"
line = 608
begin = 19
end = 25

[String_substring_int]
name = "Method substring"
file = "HOME/lib/java_api/java/lang/String.java"
line = 1414
begin = 18
end = 27

[cons_PrintStream_OutputStream_boolean]
name = "Constructor of class PrintStream"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 92
begin = 11
end = 22

[PrintStream_newLine]
name = "Method newLine"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 318
begin = 17
end = 24

[String_substring_int_int]
name = "Method substring"
file = "HOME/lib/java_api/java/lang/String.java"
line = 1440
begin = 18
end = 27

[PrintStream_write_byteA_int_int]
name = "Method write"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 254
begin = 16
end = 21

[String_compareToIgnoreCase]
name = "Method compareToIgnoreCase"
file = "HOME/lib/java_api/java/lang/String.java"
line = 846
begin = 15
end = 34

[System_getProperty_String_String]
name = "Method getProperty"
file = "HOME/lib/java_api/java/lang/System.java"
line = 614
begin = 25
end = 36

[System_identityHashCode]
name = "Method identityHashCode"
file = "HOME/lib/java_api/java/lang/System.java"
line = 389
begin = 29
end = 45

[String_valueOf_double]
name = "Method valueOf"
file = "HOME/lib/java_api/java/lang/String.java"
line = 2285
begin = 25
end = 32

[String_lastIndexOf_String]
name = "Method lastIndexOf"
file = "HOME/lib/java_api/java/lang/String.java"
line = 1315
begin = 15
end = 26

[CharSequence_toString]
name = "Method toString"
file = "HOME/lib/java_api/java/lang/CharSequence.java"
line = 84
begin = 18
end = 26

[PrintStream_print_long]
name = "Method print"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 389
begin = 16
end = 21

[PrintStream_write_String]
name = "Method write"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 299
begin = 17
end = 22

[PrintStream_println_long]
name = "Method println"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 527
begin = 16
end = 23

[cons_Hello]
name = "Constructor of class Hello"
file = "HOME/"
line = 0
begin = -1
end = -1

[String_valueOf]
name = "Method valueOf"
file = "HOME/lib/java_api/java/lang/String.java"
line = 2243
begin = 25
end = 32

[String_lastIndexOf_int_int]
name = "Method lastIndexOf"
file = "HOME/lib/java_api/java/lang/String.java"
line = 1194
begin = 15
end = 26

[String_valueOf_char]
name = "Method valueOf"
file = "HOME/lib/java_api/java/lang/String.java"
line = 2228
begin = 25
end = 32

[FilterOutputStream_write_int]
name = "Method write"
file = "HOME/lib/java_api/java/io/FilterOutputStream.java"
line = 59
begin = 16
end = 21

[cons_PrintStream_OutputStream]
name = "Constructor of class PrintStream"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 55
begin = 11
end = 22

[System_initializeSystemClass]
name = "Method initializeSystemClass"
file = "HOME/lib/java_api/java/lang/System.java"
line = 882
begin = 24
end = 45

[String_replaceFirst]
name = "Method replaceFirst"
file = "HOME/lib/java_api/java/lang/String.java"
line = 1633
begin = 18
end = 30

[String_regionMatches_int_String_int_int]
name = "Method regionMatches"
file = "HOME/lib/java_api/java/lang/String.java"
line = 881
begin = 19
end = 32

[PrintStream_close]
name = "Method close"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 152
begin = 16
end = 21

[Object_notifyAll]
name = "Method notifyAll"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[PrintStream_println_boolean]
name = "Method println"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 485
begin = 16
end = 23

[String_valueOf_charA]
name = "Method valueOf"
file = "HOME/lib/java_api/java/lang/String.java"
line = 2152
begin = 25
end = 32

[System_setErr]
name = "Method setErr"
file = "HOME/lib/java_api/java/lang/System.java"
line = 170
begin = 23
end = 29

[cons_String_byteA_int]
name = "Constructor of class String"
file = "HOME/lib/java_api/java/lang/String.java"
line = 275
begin = 11
end = 17

[String_contentEquals]
name = "Method contentEquals"
file = "HOME/lib/java_api/java/lang/String.java"
line = 640
begin = 19
end = 32

[PrintStream_print_double]
name = "Method print"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 417
begin = 16
end = 21

[PrintStream_ensureOpen]
name = "Method ensureOpen"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 121
begin = 17
end = 27

[cons_String_charA]
name = "Constructor of class String"
file = "HOME/lib/java_api/java/lang/String.java"
line = 167
begin = 11
end = 17

[String_replace]
name = "Method replace"
file = "HOME/lib/java_api/java/lang/String.java"
line = 1546
begin = 18
end = 25

[System_nullPrintStream]
name = "Method nullPrintStream"
file = "HOME/lib/java_api/java/lang/System.java"
line = 873
begin = 31
end = 46

[cons_String_byteA_int_int_String]
name = "Constructor of class String"
file = "HOME/lib/java_api/java/lang/String.java"
line = 316
begin = 11
end = 17

[PrintStream_print_float]
name = "Method print"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 403
begin = 16
end = 21

[cons_OutputStream]
name = "Constructor of class OutputStream"
file = "HOME/"
line = 0
begin = -1
end = -1

[FilterOutputStream_write_byteA]
name = "Method write"
file = "HOME/lib/java_api/java/io/FilterOutputStream.java"
line = 79
begin = 16
end = 21

[PrintStream_println_double]
name = "Method println"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 555
begin = 16
end = 23

[OutputStream_write_byteA]
name = "Method write"
file = "HOME/lib/java_api/java/io/OutputStream.java"
line = 57
begin = 16
end = 21

[PrintStream_print_char]
name = "Method print"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 361
begin = 16
end = 21

[System_gc]
name = "Method gc"
file = "HOME/lib/java_api/java/lang/System.java"
line = 746
begin = 23
end = 25

[PrintStream_print_String]
name = "Method print"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 444
begin = 16
end = 21

[PrintStream_println_char]
name = "Method println"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 499
begin = 16
end = 23

[cons_String_StringBuffer]
name = "Constructor of class String"
file = "HOME/lib/java_api/java/lang/String.java"
line = 403
begin = 11
end = 17

[cons_String_byteA_int_int_int]
name = "Constructor of class String"
file = "HOME/lib/java_api/java/lang/String.java"
line = 234
begin = 11
end = 17

[String_concat]
name = "Method concat"
file = "HOME/lib/java_api/java/lang/String.java"
line = 1506
begin = 18
end = 24

[Object_equals]
name = "Method equals"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[String_length]
name = "Method length"
file = "HOME/lib/java_api/java/lang/String.java"
line = 427
begin = 15
end = 21

[String_split_String]
name = "Method split"
file = "HOME/lib/java_api/java/lang/String.java"
line = 1792
begin = 20
end = 25

[String_hashCode]
name = "Method hashCode"
file = "HOME/lib/java_api/java/lang/String.java"
line = 1070
begin = 15
end = 23

[PrintStream_write_charA]
name = "Method write"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 277
begin = 17
end = 22

[CharSequence_length]
name = "Method length"
file = "HOME/lib/java_api/java/lang/CharSequence.java"
line = 40
begin = 8
end = 14

[Object_hashCode]
name = "Method hashCode"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[Object_toString]
name = "Method toString"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[cons_String_byteA]
name = "Constructor of class String"
file = "HOME/lib/java_api/java/lang/String.java"
line = 391
begin = 11
end = 17

[cons_String_charA_int_int]
name = "Constructor of class String"
file = "HOME/lib/java_api/java/lang/String.java"
line = 189
begin = 11
end = 17

========== jessie execution ==========
Generating Why function cons_Hello
Generating Why function cons_String_byteA_String
Generating Why function cons_PrintStream_OutputStream_boolean_String
Generating Why function cons_String_byteA
Generating Why function cons_String_byteA_int
Generating Why function cons_PrintStream_OutputStream
Generating Why function cons_PrintStream_OutputStream_boolean
Generating Why function cons_FilterOutputStream_OutputStream
Generating Why function cons_String_byteA_int_int
Generating Why function cons_Object
Generating Why function cons_PrintStream_boolean_OutputStream
Generating Why function cons_String_int_int_charA
Generating Why function cons_OutputStream
Generating Why function cons_String_byteA_int_int_String
Generating Why function cons_String_charA_int_int
Generating Why function Hello_main
Generating Why function cons_String
Generating Why function cons_String_String
Generating Why function cons_String_StringBuffer
Generating Why function cons_String_byteA_int_int_int
Generating Why function cons_System
Generating Why function cons_String_charA
========== file tests/java/Hello.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/Hello_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: Hello.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: Hello.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: Hello.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/java/Hello.loc ==========
[JC_451]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_294]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_176]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1079]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1055]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_80]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_421]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_798]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_915]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_774]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_617]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[JC_1291]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_964]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_116]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_825]
file = "HOME/lib/java_api/java/lang/String.java"
line = 640
begin = 19
end = 32

[JC_327]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1440
begin = 18
end = 27

[JC_544]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1133]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1031]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1219]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1116]
file = "HOME/lib/java_api/java/lang/System.java"
line = 389
begin = 29
end = 45

[JC_871]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 541
begin = 16
end = 23

[JC_410]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_180]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1322]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1172]
file = "HOME/lib/java_api/java/lang/String.java"
line = 234
begin = 11
end = 17

[JC_473]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1194
begin = 15
end = 26

[JC_394]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_460]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_200]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_491]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_201]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 92
begin = 11
end = 22

[JC_1287]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1033]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_813]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_513]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2204
begin = 25
end = 36

[JC_194]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_122]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1228]
file = "HOME/lib/java_api/java/lang/String.java"
line = 881
begin = 19
end = 32

[JC_810]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_734]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_642]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_323]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1318]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 254
begin = 16
end = 21

[JC_1253]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_902]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_134]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1043]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_23]
file = "HOME/tests/java/Hello.jc"
line = 125
begin = 11
end = 103

[JC_934]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_699]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_125]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_67]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1251]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_726]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_925]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_41]
file = "HOME/tests/java/Hello.jc"
line = 135
begin = 8
end = 31

[JC_74]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1132]
file = "HOME/lib/java_api/java/io/OutputStream.java"
line = 128
begin = 16
end = 21

[JC_733]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_195]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1280]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_26]
file = "HOME/tests/java/Hello.jc"
line = 124
begin = 10
end = 18

[JC_827]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1198]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1167
begin = 15
end = 26

[JC_1136]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1038]
file = "HOME/lib/java_api/java/lang/String.java"
line = 129
begin = 11
end = 17

[JC_646]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_794]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1337]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_781]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1028]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1351
begin = 15
end = 26

[JC_1258]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_415]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 583
begin = 16
end = 23

[JC_405]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_PrintStream_OutputStream_boolean_safety]
name = "Constructor of class PrintStream"
behavior = "Safety"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 92
begin = 11
end = 22

[JC_953]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2138
begin = 25
end = 32

[JC_696]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_411]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_163]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_634]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_359]
file = "HOME/lib/java_api/java/lang/Comparable.java"
line = 121
begin = 15
end = 24

[JC_1264]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_687]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 527
begin = 16
end = 23

[JC_417]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 583
begin = 16
end = 23

[JC_36]
file = "HOME/tests/java/Hello.jc"
line = 131
begin = 10
end = 18

[JC_1097]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_386]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_340]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_291]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_135]
file = "HOME/lib/java_api/java/lang/String.java"
line = 391
begin = 11
end = 17

[JC_1015]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_169]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 513
begin = 16
end = 23

[JC_1125]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_599]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2285
begin = 25
end = 32

[JC_420]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_314]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_115]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_109]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_69]
file = "HOME/tests/java/Hello.jc"
line = 155
begin = 8
end = 23

[JC_1218]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_881]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 389
begin = 16
end = 21

[JC_936]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_String_byteA_int_int_safety]
name = "Constructor of class String"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/String.java"
line = 371
begin = 11
end = 17

[JC_329]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1440
begin = 18
end = 27

[JC_328]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1153]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_838]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_583]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2191
begin = 25
end = 36

[JC_1123]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_191]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2177
begin = 25
end = 32

[JC_1236]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 461
begin = 16
end = 21

[JC_1014]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1792
begin = 20
end = 25

[JC_387]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_884]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_744]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_980]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_459]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_372]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_440]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_46]
file = "HOME/tests/java/Hello.jc"
line = 137
begin = 10
end = 18

[JC_1150]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 375
begin = 16
end = 21

[JC_199]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 92
begin = 11
end = 22

[JC_56]
file = "HOME/tests/java/Hello.jc"
line = 144
begin = 10
end = 18

[JC_929]
file = "HOME/lib/java_api/java/lang/System.java"
line = 820
begin = 23
end = 27

[JC_1307]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1270]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 223
begin = 16
end = 21

[JC_704]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_370]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_173]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_524]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_859]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1317]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1294]
file = "HOME/lib/java_api/java/lang/String.java"
line = 950
begin = 19
end = 32

[JC_43]
file = "HOME/tests/java/Hello.jc"
line = 138
begin = 11
end = 103

[cons_String_byteA_int_int_int_ensures_default]
name = "Constructor of class String"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/String.java"
line = 234
begin = 11
end = 17

[JC_783]
file = "HOME/lib/java_api/java/lang/System.java"
line = 575
begin = 25
end = 36

[JC_1121]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_944]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_97]
file = "HOME/lib/java_api/java/lang/String.java"
line = 345
begin = 11
end = 17

[JC_1067]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_343]
file = "HOME/lib/java_api/java/lang/System.java"
line = 146
begin = 23
end = 29

[JC_1152]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_754]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1196]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1167
begin = 15
end = 26

[JC_830]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_90]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1306]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1245]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_760]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_504]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_281]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 485
begin = 16
end = 23

[JC_131]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_721]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_581]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1076]
file = "HOME/lib/java_api/java/lang/System.java"
line = 181
begin = 31
end = 38

[JC_257]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1414
begin = 18
end = 27

[JC_161]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 55
begin = 11
end = 22

[JC_333]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1183]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_136]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_605]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1252]
file = "HOME/lib/java_api/java/lang/System.java"
line = 44
begin = 12
end = 18

[JC_831]
file = "HOME/lib/java_api/java/lang/System.java"
line = 882
begin = 24
end = 45

[JC_1330]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_834]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_PrintStream_OutputStream_boolean_ensures_default]
name = "Constructor of class PrintStream"
behavior = "default behavior"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 92
begin = 11
end = 22

[JC_1185]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1062]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 132
begin = 16
end = 21

[JC_229]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1107]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_951]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2138
begin = 25
end = 32

[JC_564]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_500]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_882]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1008]
kind = UserCall
file = "HOME/tests/java/Hello.jc"
line = 589
begin = 10
end = 62

[JC_731]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_633]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 417
begin = 16
end = 21

[JC_620]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_684]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_615]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[JC_1099]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1046]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1600
begin = 19
end = 26

[JC_994]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_741]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_479]
file = "HOME/lib/java_api/java/lang/CharSequence.java"
line = 40
begin = 8
end = 14

[JC_198]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_285]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_94]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_73]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1115]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_695]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 67
begin = 12
end = 23

[JC_422]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1224]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1041]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1032]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_678]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_627]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_381]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_71]
file = "HOME/tests/java/Hello.jc"
line = 155
begin = 8
end = 23

[JC_380]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1312]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1319]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_896]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_365]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_251]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_376]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1310]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1070
begin = 15
end = 23

[JC_1018]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_844]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_963]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1156]
file = "HOME/lib/java_api/java/lang/String.java"
line = 403
begin = 11
end = 17

[JC_720]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_906]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_986]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_675]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_170]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_804]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_593]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1315
begin = 15
end = 26

[JC_492]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_300]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_319]
file = "HOME/lib/java_api/java/lang/String.java"
line = 608
begin = 19
end = 25

[JC_995]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_347]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_735]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2271
begin = 25
end = 32

[JC_1165]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_550]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_231]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[JC_809]
file = "HOME/lib/java_api/java/lang/System.java"
line = 374
begin = 30
end = 39

[JC_1026]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_857]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1506
begin = 18
end = 24

[JC_643]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_553]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_768]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_350]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_528]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_356]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1130]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_568]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_298]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_224]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1229]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_481]
file = "HOME/lib/java_api/java/lang/CharSequence.java"
line = 40
begin = 8
end = 14

[JC_664]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_427]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_332]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_710]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_795]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_154]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_713]
file = "HOME/lib/java_api/java/lang/System.java"
line = 724
begin = 23
end = 27

[JC_237]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_367]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 188
begin = 19
end = 29

[JC_1286]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2056
begin = 18
end = 29

[JC_875]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_130]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1324]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1904
begin = 18
end = 29

[JC_1074]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_String_charA_safety]
name = "Constructor of class String"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/String.java"
line = 167
begin = 11
end = 17

[JC_686]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_997]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_578]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1137]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_893]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_182]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_516]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_903]
file = "HOME/lib/java_api/java/io/FilterOutputStream.java"
line = 103
begin = 16
end = 21

[JC_1262]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 299
begin = 17
end = 22

[JC_215]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1257
begin = 15
end = 22

[JC_869]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_850]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_String_charA_int_int_ensures_default]
name = "Constructor of class String"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/String.java"
line = 189
begin = 11
end = 17

[JC_242]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_877]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_305]
file = "HOME/lib/java_api/java/lang/String.java"
line = 681
begin = 19
end = 35

[JC_252]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1159]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1180]
file = "HOME/lib/java_api/java/lang/System.java"
line = 656
begin = 25
end = 36

[JC_846]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_String_charA_ensures_default]
name = "Constructor of class String"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/String.java"
line = 167
begin = 11
end = 17

[JC_274]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_485]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1105]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_551]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1210]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_968]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_765]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_742]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_446]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_907]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_String_int_int_charA_safety]
name = "Constructor of class String"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/String.java"
line = 413
begin = 4
end = 10

[JC_666]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_425]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[JC_310]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_670]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_471]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1194
begin = 15
end = 26

[JC_648]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_891]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_916]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_736]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_575]
file = "HOME/lib/java_api/java/io/OutputStream.java"
line = 45
begin = 25
end = 30

[JC_490]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_118]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_988]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_418]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_105]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 113
begin = 11
end = 22

[JC_245]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_68]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_429]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_353]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 121
begin = 17
end = 27

[JC_96]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_958]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1260]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 299
begin = 17
end = 22

[JC_1069]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_259]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_706]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_532]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_445]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_150]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_117]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_996]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_880]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_287]
file = "HOME/lib/java_api/java/io/FilterOutputStream.java"
line = 122
begin = 16
end = 21

[JC_49]
file = "HOME/tests/java/Hello.jc"
line = 142
begin = 8
end = 22

[JC_1]
file = "HOME/tests/java/Hello.jc"
line = 50
begin = 12
end = 22

[JC_854]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_771]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1095]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1110]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2243
begin = 25
end = 32

[JC_737]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2271
begin = 25
end = 32

[JC_1166]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2123
begin = 18
end = 29

[JC_1057]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_861]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_249]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 75
begin = 17
end = 21

[JC_66]
file = "HOME/tests/java/Hello.jc"
line = 150
begin = 10
end = 18

[JC_918]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_950]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_943]
file = "HOME/lib/java_api/java/lang/System.java"
line = 700
begin = 25
end = 31

[JC_876]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_192]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_749]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_152]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_228]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_863]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[JC_495]
file = "HOME/lib/java_api/java/lang/String.java"
line = 283
begin = 24
end = 35

[JC_384]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_139]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_352]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1045]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_489]
file = "HOME/lib/java_api/java/io/FilterOutputStream.java"
line = 59
begin = 16
end = 21

[JC_244]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_230]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_728]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_275]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_234]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1048]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1053]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_777]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 474
begin = 16
end = 23

[JC_577]
file = "HOME/lib/java_api/java/io/OutputStream.java"
line = 45
begin = 25
end = 30

[JC_708]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_467]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_727]
file = "HOME/lib/java_api/java/lang/System.java"
line = 768
begin = 23
end = 38

[JC_221]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_952]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_862]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_778]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_51]
file = "HOME/tests/java/Hello.jc"
line = 142
begin = 8
end = 22

[JC_766]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_780]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_382]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_784]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_689]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 527
begin = 16
end = 23

[JC_1108]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2243
begin = 25
end = 32

[JC_442]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_123]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1233]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_935]
file = "HOME/lib/java_api/java/lang/System.java"
line = 865
begin = 31
end = 46

[JC_933]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_587]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_248]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_64]
file = "HOME/tests/java/Hello.jc"
line = 150
begin = 10
end = 18

[JC_457]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1546
begin = 18
end = 25

[JC_366]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1078]
file = "HOME/lib/java_api/java/lang/System.java"
line = 181
begin = 31
end = 38

[JC_1297]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1201]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_897]
file = "HOME/lib/java_api/java/lang/CharSequence.java"
line = 75
begin = 17
end = 28

[JC_379]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1256]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_346]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_99]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1065]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_820]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_622]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_693]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_307]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_465]
file = "HOME/lib/java_api/java/lang/CharSequence.java"
line = 56
begin = 9
end = 15

[JC_772]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_740]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1122]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_832]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_626]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_205]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1024]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_81]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_55]
file = "HOME/tests/java/Hello.jc"
line = 145
begin = 11
end = 66

[JC_369]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 188
begin = 19
end = 29

[JC_354]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_926]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_241]
file = "HOME/lib/java_api/java/lang/String.java"
line = 572
begin = 18
end = 26

[JC_973]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_966]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_938]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_358]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_563]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1338]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1146]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_759]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1053
begin = 19
end = 27

[JC_923]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_558]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_659]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_468]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_271]
file = "HOME/lib/java_api/java/io/FilterOutputStream.java"
line = 43
begin = 11
end = 29

[JC_1124]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1482
begin = 24
end = 35

[JC_999]
file = "HOME/tests/java/Hello.java"
line = 34
begin = 23
end = 27

[JC_270]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_975]
file = "HOME/lib/java_api/java/lang/CharSequence.java"
line = 84
begin = 18
end = 26

[JC_547]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_426]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/tests/java/Hello.jc"
line = 119
begin = 11
end = 66

[JC_539]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_892]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_246]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/java/Hello.jc"
line = 116
begin = 8
end = 24

[JC_954]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_569]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[JC_185]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 152
begin = 16
end = 21

[JC_98]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_70]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_639]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[JC_1101]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_412]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_904]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_899]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_104]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_971]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_949]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_913]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1102
begin = 15
end = 22

[JC_752]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1162]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_132]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_472]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Hello_ensures_default]
name = "Constructor of class Hello"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1283]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_322]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_590]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_992]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_873]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 541
begin = 16
end = 23

[JC_206]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_816]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_308]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1212]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1038
begin = 19
end = 29

[JC_223]
file = "HOME/lib/java_api/java/lang/String.java"
line = 444
begin = 16
end = 22

[JC_129]
file = "HOME/lib/java_api/java/io/FilterOutputStream.java"
line = 79
begin = 16
end = 21

[JC_883]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1309]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_190]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1120]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_61]
file = "HOME/tests/java/Hello.jc"
line = 148
begin = 8
end = 31

[JC_254]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_243]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_276]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1168]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_847]
file = "HOME/lib/java_api/java/lang/String.java"
line = 316
begin = 11
end = 17

[JC_557]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_432]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_PrintStream_boolean_OutputStream_ensures_default]
name = "Constructor of class PrintStream"
behavior = "default behavior"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 67
begin = 12
end = 23

[JC_470]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_202]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_753]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[JC_998]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_507]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_515]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_792]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_435]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_128]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
file = "HOME/tests/java/Hello.jc"
line = 131
begin = 10
end = 18

[JC_993]
file = "HOME/lib/java_api/java/lang/String.java"
line = 189
begin = 11
end = 17

[JC_1084]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[JC_888]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_697]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 67
begin = 12
end = 23

[JC_852]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_225]
file = "HOME/lib/java_api/java/lang/String.java"
line = 444
begin = 16
end = 22

[JC_890]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_149]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_723]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_618]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_216]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_889]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2092
begin = 18
end = 22

[JC_812]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_324]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_37]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1138]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_523]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_845]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_796]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_390]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1215]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1091]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_688]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_213]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1092]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 555
begin = 16
end = 23

[JC_1087]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_253]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_819]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_612]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_598]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_606]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_782]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_652]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_344]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1240]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_187]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_543]
file = "HOME/lib/java_api/java/io/FilterOutputStream.java"
line = 138
begin = 16
end = 21

[JC_309]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1064]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_591]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1315
begin = 15
end = 26

[JC_336]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_58]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1261]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_823]
file = "HOME/lib/java_api/java/lang/String.java"
line = 640
begin = 19
end = 32

[JC_609]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2257
begin = 25
end = 32

[JC_709]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_625]
file = "HOME/lib/java_api/java/lang/System.java"
line = 170
begin = 23
end = 29

[JC_63]
file = "HOME/tests/java/Hello.jc"
line = 151
begin = 11
end = 103

[JC_1301]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_520]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_610]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_197]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_579]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_45]
file = "HOME/tests/java/Hello.jc"
line = 138
begin = 11
end = 103

[JC_956]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_106]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_361]
file = "HOME/lib/java_api/java/lang/Comparable.java"
line = 121
begin = 15
end = 24

[JC_1316]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 254
begin = 16
end = 21

[JC_608]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_408]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_339]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1187]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_930]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_406]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_400]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1023]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_227]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1100]
file = "HOME/lib/java_api/java/lang/String.java"
line = 778
begin = 15
end = 24

[JC_839]
file = "HOME/lib/java_api/java/lang/String.java"
line = 728
begin = 15
end = 24

[JC_623]
file = "HOME/lib/java_api/java/lang/System.java"
line = 170
begin = 23
end = 29

[JC_886]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_527]
file = "HOME/lib/java_api/java/lang/String.java"
line = 371
begin = 11
end = 17

[JC_1214]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1038
begin = 19
end = 29

[JC_1225]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_434]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_761]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1053
begin = 19
end = 27

[JC_1299]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_879]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 389
begin = 16
end = 21

[JC_533]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_791]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2152
begin = 25
end = 32

[JC_236]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_138]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_556]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_458]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1160]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1009]
kind = IndexBounds
file = "HOME/tests/java/Hello.jc"
line = 589
begin = 10
end = 62

[JC_193]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2177
begin = 25
end = 32

[JC_1275]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1295]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_714]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_282]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_826]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_47]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_371]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_991]
file = "HOME/lib/java_api/java/lang/String.java"
line = 189
begin = 11
end = 17

[JC_592]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_232]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1320]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
file = "HOME/tests/java/Hello.jc"
line = 144
begin = 10
end = 18

[JC_990]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_654]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1259]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1012]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1792
begin = 20
end = 25

[JC_836]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_208]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_79]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_455]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1546
begin = 18
end = 25

[JC_644]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_184]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_922]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1329]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1025]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_660]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_91]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1335]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_548]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_162]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1254]
file = "HOME/lib/java_api/java/lang/System.java"
line = 44
begin = 12
end = 18

[JC_398]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1052]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 349
begin = 16
end = 21

[JC_1039]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_840]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1163]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_681]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 361
begin = 16
end = 21

[JC_1112]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_722]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_822]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_572]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_514]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1013]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_String_byteA_int_safety]
name = "Constructor of class String"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/String.java"
line = 275
begin = 11
end = 17

[JC_1242]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1249]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_870]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_614]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_454]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_341]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1177]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1208]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1206]
file = "HOME/lib/java_api/java/lang/System.java"
line = 614
begin = 25
end = 36

[JC_1292]
file = "HOME/lib/java_api/java/lang/String.java"
line = 950
begin = 19
end = 32

[JC_874]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1246]
file = "HOME/lib/java_api/java/io/OutputStream.java"
line = 115
begin = 16
end = 21

[JC_141]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_927]
file = "HOME/lib/java_api/java/lang/System.java"
line = 820
begin = 23
end = 27

[JC_712]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_803]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_596]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_566]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_65]
file = "HOME/tests/java/Hello.jc"
line = 151
begin = 11
end = 103

[JC_1239]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_511]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2204
begin = 25
end = 36

[JC_395]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_905]
file = "HOME/lib/java_api/java/io/FilterOutputStream.java"
line = 103
begin = 16
end = 21

[JC_1083]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_738]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1109]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_266]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_214]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_303]
file = "HOME/lib/java_api/java/lang/String.java"
line = 681
begin = 19
end = 35

[JC_258]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_PrintStream_OutputStream_ensures_default]
name = "Constructor of class PrintStream"
behavior = "default behavior"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 55
begin = 11
end = 22

[JC_1243]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1070]
file = "HOME/lib/java_api/java/lang/String.java"
line = 591
begin = 18
end = 26

[JC_959]
file = "HOME/lib/java_api/java/lang/System.java"
line = 38
begin = 31
end = 46

[JC_145]
file = "HOME/lib/java_api/java/lang/System.java"
line = 175
begin = 24
end = 31

[JC_898]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_209]
file = "HOME/lib/java_api/java/lang/System.java"
line = 280
begin = 30
end = 47

[JC_1267]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1171]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_111]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1666
begin = 18
end = 28

[JC_1104]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_349]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1232]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1197]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_211]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1326]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1904
begin = 18
end = 29

[JC_974]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_588]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_262]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1226]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_637]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_775]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 474
begin = 16
end = 23

[JC_841]
file = "HOME/lib/java_api/java/lang/String.java"
line = 728
begin = 15
end = 24

[JC_18]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1288]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1072]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_984]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1030]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1351
begin = 15
end = 26

[JC_941]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_748]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_437]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1314]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_210]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1247]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_423]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[JC_510]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_478]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_297]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1239
begin = 15
end = 22

[JC_1203]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_100]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1184]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_762]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_494]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_String_ensures_default]
name = "Constructor of class String"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/String.java"
line = 129
begin = 11
end = 17

[JC_373]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_848]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_817]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1007
begin = 19
end = 29

[JC_1303]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1296]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1222]
file = "HOME/lib/java_api/java/lang/String.java"
line = 846
begin = 15
end = 34

[JC_1217]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_453]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1282]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1143]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_842]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_920]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_914]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_143]
file = "HOME/lib/java_api/java/lang/System.java"
line = 175
begin = 24
end = 31

[JC_113]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1666
begin = 18
end = 28

[JC_1155]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_448]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_945]
file = "HOME/lib/java_api/java/lang/System.java"
line = 700
begin = 25
end = 31

[JC_404]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_133]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_475]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1188]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2313
begin = 25
end = 31

[JC_1148]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 375
begin = 16
end = 21

[JC_320]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1305]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1002]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_683]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_502]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1308]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1070
begin = 15
end = 23

[JC_1086]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[JC_1313]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1281]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_536]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1193]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1250]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_280]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1056]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_976]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_931]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_865]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[JC_858]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_48]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1060]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 132
begin = 16
end = 21

[JC_967]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 569
begin = 16
end = 23

[JC_375]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 499
begin = 16
end = 23

[JC_9]
file = "HOME/tests/java/Hello.jc"
line = 116
begin = 8
end = 24

[JC_690]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_315]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1049]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_860]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_486]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1066]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_924]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1274]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_724]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1194]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_594]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_357]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1231]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_561]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[JC_656]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_673]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1333
begin = 15
end = 26

[JC_326]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_52]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_616]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_String_byteA_String_safety]
name = "Constructor of class String"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/String.java"
line = 345
begin = 11
end = 17

[JC_1190]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2313
begin = 25
end = 31

[JC_802]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_665]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2112
begin = 18
end = 26

[JC_1061]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_694]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_430]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_909]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_955]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_833]
file = "HOME/lib/java_api/java/lang/System.java"
line = 882
begin = 24
end = 45

[JC_1126]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1482
begin = 24
end = 35

[JC_1202]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_403]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_82]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1129]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_589]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_917]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_661]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_595]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1273]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_940]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_112]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1241]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1154]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_362]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_295]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1239
begin = 15
end = 22

[JC_268]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1145]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_449]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 199
begin = 19
end = 27

[JC_1248]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_304]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_String_String_ensures_default]
name = "Constructor of class String"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/String.java"
line = 142
begin = 11
end = 17

[JC_650]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_218]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1093]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_101]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_526]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_851]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_921]
file = "HOME/lib/java_api/java/lang/String.java"
line = 532
begin = 16
end = 24

[JC_790]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_773]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1170]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_705]
file = "HOME/lib/java_api/java/lang/String.java"
line = 413
begin = 4
end = 10

[JC_103]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 113
begin = 11
end = 22

[JC_1279]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1036]
file = "HOME/lib/java_api/java/lang/String.java"
line = 129
begin = 11
end = 17

[JC_509]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_289]
file = "HOME/lib/java_api/java/io/FilterOutputStream.java"
line = 122
begin = 16
end = 21

[JC_302]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1220]
file = "HOME/lib/java_api/java/lang/String.java"
line = 846
begin = 15
end = 34

[JC_33]
file = "HOME/tests/java/Hello.jc"
line = 132
begin = 11
end = 66

[JC_296]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_290]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_567]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[JC_29]
file = "HOME/tests/java/Hello.jc"
line = 129
begin = 8
end = 22

[JC_144]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1098]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_360]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/tests/java/Hello.jc"
line = 118
begin = 10
end = 18

[JC_335]
file = "HOME/lib/java_api/java/lang/String.java"
line = 427
begin = 15
end = 21

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_95]
file = "HOME/lib/java_api/java/lang/String.java"
line = 345
begin = 11
end = 17

[JC_318]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_84]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1169]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_String_byteA_int_int_String_ensures_default]
name = "Constructor of class String"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/String.java"
line = 316
begin = 11
end = 17

[JC_160]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/tests/java/Hello.jc"
line = 118
begin = 10
end = 18

[JC_981]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_653]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1321]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_645]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_181]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1278]
file = "HOME/lib/java_api/java/lang/System.java"
line = 873
begin = 31
end = 46

[JC_538]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_108]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_57]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_89]
file = "HOME/lib/java_api/java/lang/System.java"
line = 797
begin = 23
end = 42

[JC_1263]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1207]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1077]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_String_byteA_int_int_ensures_default]
name = "Constructor of class String"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/String.java"
line = 371
begin = 11
end = 17

[JC_293]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_165]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1059]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1089]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_718]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_217]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1257
begin = 15
end = 22

[JC_338]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_894]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_402]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1010]
kind = UserCall
file = "HOME/tests/java/Hello.jc"
line = 589
begin = 49
end = 61

[JC_1111]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_364]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1140]
file = "HOME/lib/java_api/java/lang/String.java"
line = 142
begin = 11
end = 17

[JC_50]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1204]
file = "HOME/lib/java_api/java/lang/System.java"
line = 614
begin = 25
end = 36

[JC_1051]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_409]
file = "HOME/lib/java_api/java/lang/System.java"
line = 843
begin = 23
end = 34

[JC_120]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1276]
file = "HOME/lib/java_api/java/lang/System.java"
line = 873
begin = 31
end = 46

[JC_559]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1068]
file = "HOME/lib/java_api/java/lang/String.java"
line = 591
begin = 18
end = 26

[JC_580]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_555]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_483]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_OutputStream_ensures_default]
name = "Constructor of class OutputStream"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_604]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_597]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_279]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 485
begin = 16
end = 23

[JC_306]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_207]
file = "HOME/lib/java_api/java/lang/System.java"
line = 280
begin = 30
end = 47

[JC_655]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1134
begin = 15
end = 22

[JC_611]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1128]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1027]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_203]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1004]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_313]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 597
begin = 16
end = 23

[JC_756]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1271]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Object_ensures_default]
name = "Constructor of class Object"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_FilterOutputStream_OutputStream_safety]
name = "Constructor of class FilterOutputStream"
behavior = "Safety"
file = "HOME/lib/java_api/java/io/FilterOutputStream.java"
line = 43
begin = 11
end = 29

[Hello_main_ensures_default]
name = "Method main"
behavior = "default behavior"
file = "HOME/tests/java/Hello.java"
line = 34
begin = 23
end = 27

[JC_546]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_265]
file = "HOME/lib/java_api/java/lang/String.java"
line = 481
begin = 16
end = 24

[JC_900]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_691]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1141]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1007]
kind = UserCall
file = "HOME/tests/java/Hello.jc"
line = 589
begin = 49
end = 61

[JC_1144]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_635]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_818]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_716]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_493]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_787]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_247]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 75
begin = 17
end = 21

[JC_969]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 569
begin = 16
end = 23

[JC_137]
file = "HOME/lib/java_api/java/lang/String.java"
line = 391
begin = 11
end = 17

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_466]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_866]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_75]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_658]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_628]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_641]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[JC_530]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1047]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1022]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2228
begin = 25
end = 32

[cons_System_ensures_default]
name = "Constructor of class System"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/System.java"
line = 44
begin = 12
end = 18

[JC_260]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_212]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1189]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_707]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_571]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_474]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_770]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_542]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_702]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_278]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1235]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_663]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2112
begin = 18
end = 26

[JC_334]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1265]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1102]
file = "HOME/lib/java_api/java/lang/String.java"
line = 778
begin = 15
end = 24

[JC_1331]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1090]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_960]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_867]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_174]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1333]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_745]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1633
begin = 18
end = 30

[JC_464]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_985]
file = "HOME/lib/java_api/java/lang/System.java"
line = 857
begin = 32
end = 46

[cons_String_byteA_safety]
name = "Constructor of class String"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/String.java"
line = 391
begin = 11
end = 17

[JC_87]
file = "HOME/lib/java_api/java/lang/System.java"
line = 797
begin = 23
end = 42

[JC_1268]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 223
begin = 16
end = 21

[JC_560]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_15]
file = "HOME/tests/java/Hello.jc"
line = 119
begin = 11
end = 66

[JC_1298]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1071]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_939]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_835]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_788]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_368]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_83]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_321]
file = "HOME/lib/java_api/java/lang/String.java"
line = 608
begin = 19
end = 25

[JC_805]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_685]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_629]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_String_byteA_int_int_int_safety]
name = "Constructor of class String"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/String.java"
line = 234
begin = 11
end = 17

[JC_1000]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_668]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_299]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_156]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_127]
file = "HOME/lib/java_api/java/io/FilterOutputStream.java"
line = 79
begin = 16
end = 21

[JC_171]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_44]
file = "HOME/tests/java/Hello.jc"
line = 137
begin = 10
end = 18

[JC_155]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1192]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1181]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_730]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_540]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_477]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1127]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1266]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_987]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1158]
file = "HOME/lib/java_api/java/lang/String.java"
line = 403
begin = 11
end = 17

[JC_348]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_853]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1011]
kind = UserCall
file = "HOME/tests/java/Hello.jc"
line = 589
begin = 10
end = 62

[JC_140]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1073]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_937]
file = "HOME/lib/java_api/java/lang/System.java"
line = 865
begin = 31
end = 46

[JC_159]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 55
begin = 11
end = 22

[JC_828]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_517]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_393]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 318
begin = 17
end = 24

[JC_586]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_93]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_895]
file = "HOME/lib/java_api/java/lang/CharSequence.java"
line = 75
begin = 17
end = 28

[JC_554]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_277]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_288]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_283]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_114]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1237]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_815]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1007
begin = 19
end = 29

[JC_484]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_53]
file = "HOME/tests/java/Hello.jc"
line = 145
begin = 11
end = 66

[JC_1238]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 461
begin = 16
end = 21

[JC_414]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_String_byteA_ensures_default]
name = "Constructor of class String"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/String.java"
line = 391
begin = 11
end = 17

[JC_21]
file = "HOME/tests/java/Hello.jc"
line = 122
begin = 8
end = 33

[JC_1269]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_977]
file = "HOME/lib/java_api/java/lang/CharSequence.java"
line = 84
begin = 18
end = 26

[JC_758]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_743]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1633
begin = 18
end = 30

[JC_77]
file = "HOME/tests/java/Hello.jc"
line = 157
begin = 11
end = 65

[JC_602]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_102]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_String_charA_int_int_safety]
name = "Constructor of class String"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/String.java"
line = 189
begin = 11
end = 17

[JC_142]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_String_byteA_String_ensures_default]
name = "Constructor of class String"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/String.java"
line = 345
begin = 11
end = 17

[JC_146]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_399]
file = "HOME/lib/java_api/java/io/OutputStream.java"
line = 57
begin = 16
end = 21

[JC_59]
file = "HOME/tests/java/Hello.jc"
line = 148
begin = 8
end = 31

[cons_OutputStream_safety]
name = "Constructor of class OutputStream"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_355]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_342]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_397]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_576]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_3]
file = "HOME/tests/java/Hello.jc"
line = 50
begin = 12
end = 22

[JC_1080]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1003]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_957]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_377]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 499
begin = 16
end = 23

[JC_60]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_965]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_183]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 152
begin = 16
end = 21

[JC_1119]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_692]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_119]
file = "HOME/lib/java_api/java/io/OutputStream.java"
line = 89
begin = 16
end = 21

[JC_786]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_671]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1333
begin = 15
end = 26

[cons_String_StringBuffer_ensures_default]
name = "Constructor of class String"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/String.java"
line = 403
begin = 11
end = 17

[JC_76]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_462]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_698]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_498]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_311]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 597
begin = 16
end = 23

[JC_286]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1205]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1134]
file = "HOME/lib/java_api/java/io/OutputStream.java"
line = 128
begin = 16
end = 21

[JC_1001]
file = "HOME/tests/java/Hello.java"
line = 34
begin = 23
end = 27

[cons_PrintStream_OutputStream_safety]
name = "Constructor of class PrintStream"
behavior = "Safety"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 55
begin = 11
end = 22

[JC_534]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_363]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_619]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_978]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_719]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_233]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[JC_1147]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_948]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_177]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[JC_461]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1323]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_970]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_757]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_732]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_392]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_746]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_519]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1221
begin = 15
end = 22

[JC_316]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_565]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_147]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_636]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_436]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1034]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_961]
file = "HOME/lib/java_api/java/lang/System.java"
line = 38
begin = 31
end = 46

[JC_301]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1042]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1284]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2056
begin = 18
end = 29

[JC_452]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_261]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_188]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_729]
file = "HOME/lib/java_api/java/lang/System.java"
line = 768
begin = 23
end = 38

[JC_1029]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_632]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_630]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_570]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_501]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_85]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1209]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_String_byteA_int_int_String_safety]
name = "Constructor of class String"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/String.java"
line = 316
begin = 11
end = 17

[JC_647]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 431
begin = 16
end = 21

[JC_250]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_942]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_391]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 318
begin = 17
end = 24

[JC_31]
file = "HOME/tests/java/Hello.jc"
line = 129
begin = 8
end = 22

[JC_17]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_401]
file = "HOME/lib/java_api/java/io/OutputStream.java"
line = 57
begin = 16
end = 21

[cons_String_safety]
name = "Constructor of class String"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/String.java"
line = 129
begin = 11
end = 17

[JC_172]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_121]
file = "HOME/lib/java_api/java/io/OutputStream.java"
line = 89
begin = 16
end = 21

[JC_518]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_799]
file = "HOME/lib/java_api/java/lang/System.java"
line = 182
begin = 31
end = 38

[JC_1035]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_443]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_25]
file = "HOME/tests/java/Hello.jc"
line = 125
begin = 11
end = 103

[JC_1006]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_480]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_416]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_189]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_78]
file = "HOME/tests/java/Hello.jc"
line = 157
begin = 11
end = 65

[JC_447]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 199
begin = 19
end = 27

[JC_1300]
file = "HOME/lib/java_api/java/lang/String.java"
line = 167
begin = 11
end = 17

[JC_582]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_983]
file = "HOME/lib/java_api/java/lang/System.java"
line = 857
begin = 32
end = 46

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_715]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_476]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_256]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1334]
file = "HOME/lib/java_api/java/lang/System.java"
line = 746
begin = 23
end = 25

[JC_982]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_717]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_385]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[JC_1142]
file = "HOME/lib/java_api/java/lang/String.java"
line = 142
begin = 11
end = 17

[JC_1088]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_711]
file = "HOME/lib/java_api/java/lang/System.java"
line = 724
begin = 23
end = 27

[JC_767]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 277
begin = 17
end = 22

[JC_674]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_240]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_153]
file = "HOME/lib/java_api/java/lang/String.java"
line = 275
begin = 11
end = 17

[JC_222]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1230]
file = "HOME/lib/java_api/java/lang/String.java"
line = 881
begin = 19
end = 32

[JC_450]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_167]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 513
begin = 16
end = 23

[JC_345]
file = "HOME/lib/java_api/java/lang/System.java"
line = 146
begin = 23
end = 29

[JC_1157]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_39]
file = "HOME/tests/java/Hello.jc"
line = 135
begin = 8
end = 31

[JC_573]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_PrintStream_boolean_OutputStream_safety]
name = "Constructor of class PrintStream"
behavior = "Safety"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 67
begin = 12
end = 23

[JC_701]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_979]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_FilterOutputStream_OutputStream_ensures_default]
name = "Constructor of class FilterOutputStream"
behavior = "default behavior"
file = "HOME/lib/java_api/java/io/FilterOutputStream.java"
line = 43
begin = 11
end = 29

[JC_496]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1175]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1113]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1106]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1211]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1017]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_811]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_219]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_124]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_273]
file = "HOME/lib/java_api/java/io/FilterOutputStream.java"
line = 43
begin = 11
end = 29

[JC_428]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_901]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_800]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_672]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_843]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_325]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_264]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1289]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_433]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2216
begin = 25
end = 32

[JC_601]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2285
begin = 25
end = 32

[JC_584]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_574]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_110]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_764]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_166]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1339]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_272]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_613]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1191]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_497]
file = "HOME/lib/java_api/java/lang/String.java"
line = 283
begin = 24
end = 35

[JC_1302]
file = "HOME/lib/java_api/java/lang/String.java"
line = 167
begin = 11
end = 17

[JC_1195]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1058]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1050]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1016]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_989]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_824]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1285]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_864]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_267]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1161]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_235]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1178]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1005]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1244]
file = "HOME/lib/java_api/java/io/OutputStream.java"
line = 115
begin = 16
end = 21

[JC_292]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1311]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1234]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_677]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_String_StringBuffer_safety]
name = "Constructor of class String"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/String.java"
line = 403
begin = 11
end = 17

[JC_284]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1044]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1600
begin = 19
end = 26

[JC_503]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 403
begin = 16
end = 21

[JC_552]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_972]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_441]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1750
begin = 20
end = 25

[JC_962]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1139]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_86]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1223]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_549]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_72]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_19]
file = "HOME/tests/java/Hello.jc"
line = 122
begin = 8
end = 33

[cons_String_int_int_charA_ensures_default]
name = "Constructor of class String"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/String.java"
line = 413
begin = 4
end = 10

[JC_407]
file = "HOME/lib/java_api/java/lang/System.java"
line = 843
begin = 23
end = 34

[JC_1040]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_238]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1200]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_947]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_910]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_669]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_488]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1131]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_378]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1085]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_531]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_383]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[JC_1164]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2123
begin = 18
end = 29

[JC_872]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_849]
file = "HOME/lib/java_api/java/lang/String.java"
line = 316
begin = 11
end = 17

[JC_829]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_158]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1186]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_196]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_640]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_419]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_438]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_151]
file = "HOME/lib/java_api/java/lang/String.java"
line = 275
begin = 11
end = 17

[JC_814]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_374]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_487]
file = "HOME/lib/java_api/java/io/FilterOutputStream.java"
line = 59
begin = 16
end = 21

[JC_463]
file = "HOME/lib/java_api/java/lang/CharSequence.java"
line = 56
begin = 9
end = 15

[cons_String_String_safety]
name = "Constructor of class String"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/String.java"
line = 142
begin = 11
end = 17

[JC_776]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_337]
file = "HOME/lib/java_api/java/lang/String.java"
line = 427
begin = 15
end = 21

[JC_522]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1328]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_801]
file = "HOME/lib/java_api/java/lang/System.java"
line = 182
begin = 31
end = 38

[JC_649]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 431
begin = 16
end = 21

[JC_1114]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1054]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 349
begin = 16
end = 21

[JC_887]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2092
begin = 18
end = 22

[JC_126]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1199]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1182]
file = "HOME/lib/java_api/java/lang/System.java"
line = 656
begin = 25
end = 36

[JC_607]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2257
begin = 25
end = 32

[JC_1149]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1135]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1332]
file = "HOME/lib/java_api/java/lang/System.java"
line = 746
begin = 23
end = 25

[cons_PrintStream_OutputStream_boolean_String_ensures_default]
name = "Constructor of class PrintStream"
behavior = "default behavior"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 113
begin = 11
end = 22

[JC_603]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1290]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_541]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_269]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1082]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_525]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_148]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_785]
file = "HOME/lib/java_api/java/lang/System.java"
line = 575
begin = 25
end = 36

[JC_657]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1134
begin = 15
end = 22

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_24]
file = "HOME/tests/java/Hello.jc"
line = 124
begin = 10
end = 18

[JC_186]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_175]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[JC_797]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_545]
file = "HOME/lib/java_api/java/io/FilterOutputStream.java"
line = 138
begin = 16
end = 21

[JC_1213]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_928]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_330]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Hello_safety]
name = "Constructor of class Hello"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1336]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_739]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_System_safety]
name = "Constructor of class System"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/System.java"
line = 44
begin = 12
end = 18

[JC_789]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_638]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_413]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_389]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_700]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1255]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_807]
file = "HOME/lib/java_api/java/lang/System.java"
line = 374
begin = 30
end = 39

[JC_512]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1293]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1081]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_855]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1506
begin = 18
end = 24

[JC_932]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_779]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_621]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_168]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_662]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1117]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_911]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1102
begin = 15
end = 22

[JC_35]
file = "HOME/tests/java/Hello.jc"
line = 132
begin = 11
end = 66

[JC_1315]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_908]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_469]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1304]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1103]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_946]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_856]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1325]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_263]
file = "HOME/lib/java_api/java/lang/String.java"
line = 481
begin = 16
end = 24

[JC_107]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1096]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_508]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_179]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_38]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1176]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_651]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_600]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_164]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_821]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_868]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_667]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1327]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_439]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1750
begin = 20
end = 25

[JC_88]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1179]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_878]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_42]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_String_byteA_int_ensures_default]
name = "Constructor of class String"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/String.java"
line = 275
begin = 11
end = 17

[JC_1021]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_751]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[JC_178]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1020]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2228
begin = 25
end = 32

[JC_885]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_506]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1063]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_331]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_220]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_521]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1221
begin = 15
end = 22

[JC_747]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_529]
file = "HOME/lib/java_api/java/lang/String.java"
line = 371
begin = 11
end = 17

[JC_312]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_676]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_444]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Object_safety]
name = "Constructor of class Object"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_682]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1227]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1174]
file = "HOME/lib/java_api/java/lang/String.java"
line = 234
begin = 11
end = 17

[JC_755]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_750]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_631]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 417
begin = 16
end = 21

[JC_585]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2191
begin = 25
end = 36

[JC_703]
file = "HOME/lib/java_api/java/lang/String.java"
line = 413
begin = 4
end = 10

[JC_919]
file = "HOME/lib/java_api/java/lang/String.java"
line = 532
begin = 16
end = 24

[JC_431]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2216
begin = 25
end = 32

[JC_424]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_769]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 277
begin = 17
end = 22

[JC_562]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_679]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 361
begin = 16
end = 21

[JC_255]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1414
begin = 18
end = 27

[JC_1151]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_793]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2152
begin = 25
end = 32

[JC_204]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_157]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_806]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1277]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1118]
file = "HOME/lib/java_api/java/lang/System.java"
line = 389
begin = 29
end = 45

[JC_1257]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1216]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_396]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1173]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_456]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_388]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_763]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_808]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1167]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_537]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 444
begin = 16
end = 21

[JC_535]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 444
begin = 16
end = 21

[JC_1037]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_837]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_725]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_239]
file = "HOME/lib/java_api/java/lang/String.java"
line = 572
begin = 18
end = 26

[JC_1019]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_92]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1272]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_351]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 121
begin = 17
end = 27

[JC_1221]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_PrintStream_OutputStream_boolean_String_safety]
name = "Constructor of class PrintStream"
behavior = "Safety"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 113
begin = 11
end = 22

[JC_317]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_680]
file = "HOME/"
line = 0
begin = -1
end = -1

[Hello_main_safety]
name = "Method main"
behavior = "Safety"
file = "HOME/tests/java/Hello.java"
line = 34
begin = 23
end = 27

[JC_912]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1094]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 555
begin = 16
end = 23

[JC_1075]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_624]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_499]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_482]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_505]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 403
begin = 16
end = 21

[JC_226]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/java/why/Hello.why ==========
type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

logic FilterOutputStream_tag:  -> Object tag_id

logic OutputStream_tag:  -> Object tag_id

axiom FilterOutputStream_parenttag_OutputStream :
 parenttag(FilterOutputStream_tag, OutputStream_tag)

logic Hello_tag:  -> Object tag_id

axiom Hello_parenttag_Object : parenttag(Hello_tag, Object_tag)

logic InputStream_tag:  -> Object tag_id

axiom InputStream_parenttag_Object : parenttag(InputStream_tag, Object_tag)

predicate Non_null_Object(x_3:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_3), (0))

predicate Non_null_StringM(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), neg_int((1)))

predicate Non_null_byteM(x_2:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_2), neg_int((1)))

predicate Non_null_charM(x_1:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_1), neg_int((1)))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic OutputStreamWriter_tag:  -> Object tag_id

axiom OutputStreamWriter_parenttag_Object :
 parenttag(OutputStreamWriter_tag, Object_tag)

axiom OutputStream_parenttag_Object : parenttag(OutputStream_tag, Object_tag)

logic PrintStream_tag:  -> Object tag_id

axiom PrintStream_parenttag_FilterOutputStream :
 parenttag(PrintStream_tag, FilterOutputStream_tag)

logic StringBuffer_tag:  -> Object tag_id

axiom StringBuffer_parenttag_Object : parenttag(StringBuffer_tag, Object_tag)

logic StringM_tag:  -> Object tag_id

axiom StringM_parenttag_Object : parenttag(StringM_tag, Object_tag)

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic long_of_integer: int -> long

function String_serialVersionUID() : long =
 long_of_integer(neg_int((6849794470754667710)))

logic System_err:  -> Object pointer

logic System_in:  -> Object pointer

logic System_out:  -> Object pointer

logic System_tag:  -> Object tag_id

axiom System_parenttag_Object : parenttag(System_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic byteM_tag:  -> Object tag_id

axiom byteM_parenttag_Object : parenttag(byteM_tag, Object_tag)

logic integer_of_byte: byte -> int

logic byte_of_integer: int -> byte

axiom byte_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_byte(byte_of_integer(x)), x)))

axiom byte_extensionality :
 (forall x:byte.
  (forall y:byte[eq_int(integer_of_byte(x), integer_of_byte(y))].
   (eq_int(integer_of_byte(x), integer_of_byte(y)) -> (x = y))))

axiom byte_range :
 (forall x:byte.
  (le_int((-128), integer_of_byte(x)) and le_int(integer_of_byte(x), (127))))

logic charM_tag:  -> Object tag_id

axiom charM_parenttag_Object : parenttag(charM_tag, Object_tag)

logic integer_of_char: char -> int

logic char_of_integer: int -> char

axiom char_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (65535))) ->
   eq_int(integer_of_char(char_of_integer(x)), x)))

axiom char_extensionality :
 (forall x:char.
  (forall y:char[eq_int(integer_of_char(x), integer_of_char(y))].
   (eq_int(integer_of_char(x), integer_of_char(y)) -> (x = y))))

axiom char_range :
 (forall x:char.
  (le_int((0), integer_of_char(x)) and le_int(integer_of_char(x), (65535))))

predicate eq_byte(x:byte, y:byte) =
 eq_int(integer_of_byte(x), integer_of_byte(y))

predicate eq_char(x:char, y:char) =
 eq_int(integer_of_char(x), integer_of_char(y))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_long: long -> int

predicate eq_long(x:long, y:long) =
 eq_int(integer_of_long(x), integer_of_long(y))

logic integer_of_short: short -> int

predicate eq_short(x:short, y:short) =
 eq_int(integer_of_short(x), integer_of_short(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_OutputStream(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_FilterOutputStream(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_OutputStream(p, a, Object_alloc_table)

predicate left_valid_struct_Hello(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_InputStream(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_OutputStreamWriter(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_PrintStream(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_FilterOutputStream(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_StringBuffer(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_StringM(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_System(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_byteM(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_charM(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

axiom long_coerce :
 (forall x:int.
  ((le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807))) ->
   eq_int(integer_of_long(long_of_integer(x)), x)))

axiom long_extensionality :
 (forall x:long.
  (forall y:long[eq_int(integer_of_long(x), integer_of_long(y))].
   (eq_int(integer_of_long(x), integer_of_long(y)) -> (x = y))))

axiom long_range :
 (forall x:long.
  (le_int((-9223372036854775808), integer_of_long(x))
  and le_int(integer_of_long(x), (9223372036854775807))))

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_OutputStream(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_FilterOutputStream(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_OutputStream(p, b, Object_alloc_table)

predicate right_valid_struct_Hello(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_InputStream(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_OutputStreamWriter(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_PrintStream(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_FilterOutputStream(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_StringBuffer(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_StringM(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_System(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_byteM(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_charM(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer: int -> short

axiom short_coerce :
 (forall x:int.
  ((le_int((-32768), x) and le_int(x, (32767))) ->
   eq_int(integer_of_short(short_of_integer(x)), x)))

axiom short_extensionality :
 (forall x:short.
  (forall y:short[eq_int(integer_of_short(x), integer_of_short(y))].
   (eq_int(integer_of_short(x), integer_of_short(y)) -> (x = y))))

axiom short_range :
 (forall x:short.
  (le_int((-32768), integer_of_short(x))
  and le_int(integer_of_short(x), (32767))))

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_OutputStream(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_FilterOutputStream(p:Object pointer, a:int,
 b:int, Object_alloc_table:Object alloc_table) =
 strict_valid_struct_OutputStream(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Hello(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_InputStream(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_OutputStreamWriter(p:Object pointer, a:int,
 b:int, Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_PrintStream(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_FilterOutputStream(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_StringBuffer(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_StringM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_System(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_byteM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_charM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_OutputStream(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_FilterOutputStream(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_OutputStream(p, a, b, Object_alloc_table)

predicate valid_struct_Hello(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_InputStream(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_OutputStreamWriter(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_PrintStream(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_FilterOutputStream(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_StringBuffer(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_StringM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_System(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_byteM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_charM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

parameter CharSequence_charAt :
 this_39:Object pointer -> index:int32 -> { } char { true }

parameter CharSequence_charAt_requires :
 this_39:Object pointer -> index:int32 -> { } char { true }

parameter CharSequence_length : this_41:Object pointer -> { } int32 { true }

parameter CharSequence_length_requires :
 this_41:Object pointer -> { } int32 { true }

parameter CharSequence_subSequence :
 this_72:Object pointer ->
  start:int32 -> end_0:int32 -> { } Object pointer { true }

parameter CharSequence_subSequence_requires :
 this_72:Object pointer ->
  start:int32 -> end_0:int32 -> { } Object pointer { true }

parameter CharSequence_toString :
 this_77:Object pointer -> { } Object pointer { true }

parameter CharSequence_toString_requires :
 this_77:Object pointer -> { } Object pointer { true }

parameter Comparable_compareTo :
 this_28:Object pointer -> o:Object pointer -> { } int32 { true }

parameter Comparable_compareTo_requires :
 this_28:Object pointer -> o:Object pointer -> { } int32 { true }

exception Exception_exc of Object pointer

parameter Object_alloc_table : Object alloc_table ref

parameter FilterOutputStream_close :
 this_46:Object pointer -> { } unit reads Object_alloc_table { true }

parameter FilterOutputStream_close_requires :
 this_46:Object pointer -> { } unit reads Object_alloc_table { true }

parameter FilterOutputStream_flush :
 this_20:Object pointer -> { } unit reads Object_alloc_table { true }

parameter FilterOutputStream_flush_requires :
 this_20:Object pointer -> { } unit reads Object_alloc_table { true }

parameter FilterOutputStream_out : (Object, Object pointer) memory ref

parameter FilterOutputStream_write :
 this_73:Object pointer ->
  b_4:Object pointer ->
   off_0:int32 -> len_0:int32 -> { } unit reads Object_alloc_table { true }

parameter FilterOutputStream_write_byteA :
 this_9:Object pointer ->
  b_3:Object pointer -> { } unit reads Object_alloc_table { true }

parameter FilterOutputStream_write_byteA_requires :
 this_9:Object pointer ->
  b_3:Object pointer -> { } unit reads Object_alloc_table { true }

parameter FilterOutputStream_write_int :
 this_42:Object pointer ->
  b_2:int32 -> { } unit reads Object_alloc_table { true }

parameter FilterOutputStream_write_int_requires :
 this_42:Object pointer ->
  b_2:int32 -> { } unit reads Object_alloc_table { true }

parameter FilterOutputStream_write_requires :
 this_73:Object pointer ->
  b_4:Object pointer ->
   off_0:int32 -> len_0:int32 -> { } unit reads Object_alloc_table { true }

parameter Hello_main :
 argv:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Hello_main_requires :
 argv:Object pointer -> { } unit reads Object_alloc_table { true }

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Object_clone :
 this_14:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_clone_requires :
 this_14:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_equals :
 this_31:Object pointer ->
  obj_1:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Object_equals_requires :
 this_31:Object pointer ->
  obj_1:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Object_finalize :
 this_68:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_finalize_requires :
 this_68:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_hashCode :
 this_35:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter Object_hashCode_requires :
 this_35:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter Object_notify :
 this_47:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notifyAll :
 this_83:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notifyAll_requires :
 this_83:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notify_requires :
 this_47:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_registerNatives : tt:unit -> { } unit { true }

parameter Object_registerNatives_requires : tt:unit -> { } unit { true }

parameter Object_tag_table : Object tag_table ref

parameter Object_toString :
 this_53:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_toString_requires :
 this_53:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_wait :
 this_51:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long :
 this_11:Object pointer ->
  timeout:long -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_int :
 this_48:Object pointer ->
  timeout_0:long -> nanos:int32 -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_int_requires :
 this_48:Object pointer ->
  timeout_0:long -> nanos:int32 -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_requires :
 this_11:Object pointer ->
  timeout:long -> { } unit reads Object_alloc_table { true }

parameter Object_wait_requires :
 this_51:Object pointer -> { } unit reads Object_alloc_table { true }

parameter OutputStream_close :
 this_87:Object pointer -> { } unit reads Object_alloc_table { true }

parameter OutputStream_close_requires :
 this_87:Object pointer -> { } unit reads Object_alloc_table { true }

parameter OutputStream_flush :
 this_96:Object pointer -> { } unit reads Object_alloc_table { true }

parameter OutputStream_flush_requires :
 this_96:Object pointer -> { } unit reads Object_alloc_table { true }

parameter OutputStream_write :
 this_49:Object pointer ->
  b:int32 -> { } unit reads Object_alloc_table { true }

parameter OutputStream_write_byteA :
 this_33:Object pointer ->
  b_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter OutputStream_write_byteA_int_int :
 this_8:Object pointer ->
  b_1:Object pointer ->
   off:int32 -> len:int32 -> { } unit reads Object_alloc_table { true }

parameter OutputStream_write_byteA_int_int_requires :
 this_8:Object pointer ->
  b_1:Object pointer ->
   off:int32 -> len:int32 -> { } unit reads Object_alloc_table { true }

parameter OutputStream_write_byteA_requires :
 this_33:Object pointer ->
  b_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter OutputStream_write_requires :
 this_49:Object pointer ->
  b:int32 -> { } unit reads Object_alloc_table { true }

parameter PrintStream_autoFlush : (Object, bool) memory ref

parameter PrintStream_checkError :
 this_29:Object pointer -> { } bool reads Object_alloc_table { true }

parameter PrintStream_checkError_requires :
 this_29:Object pointer -> { } bool reads Object_alloc_table { true }

parameter PrintStream_close :
 this_12:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_close_requires :
 this_12:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_closing : (Object, bool) memory ref

parameter PrintStream_ensureOpen :
 this_27:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_ensureOpen_requires :
 this_27:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_flush :
 this_81:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_flush_requires :
 this_81:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_init :
 this_16:Object pointer ->
  osw:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_init_requires :
 this_16:Object pointer ->
  osw:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_newLine :
 this_32:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_newLine_requires :
 this_32:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_print :
 this_95:Object pointer ->
  obj:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_print_String :
 this_45:Object pointer ->
  s_1:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_print_String_requires :
 this_45:Object pointer ->
  s_1:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_print_boolean :
 this_80:Object pointer ->
  b_6:bool -> { } unit reads Object_alloc_table { true }

parameter PrintStream_print_boolean_requires :
 this_80:Object pointer ->
  b_6:bool -> { } unit reads Object_alloc_table { true }

parameter PrintStream_print_char :
 this_58:Object pointer ->
  c:char -> { } unit reads Object_alloc_table { true }

parameter PrintStream_print_charA :
 this_54:Object pointer ->
  s_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_print_charA_requires :
 this_54:Object pointer ->
  s_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_print_char_requires :
 this_58:Object pointer ->
  c:char -> { } unit reads Object_alloc_table { true }

parameter PrintStream_print_double :
 this_52:Object pointer ->
  d:real -> { } unit reads Object_alloc_table { true }

parameter PrintStream_print_double_requires :
 this_52:Object pointer ->
  d:real -> { } unit reads Object_alloc_table { true }

parameter PrintStream_print_float :
 this_43:Object pointer ->
  f:real -> { } unit reads Object_alloc_table { true }

parameter PrintStream_print_float_requires :
 this_43:Object pointer ->
  f:real -> { } unit reads Object_alloc_table { true }

parameter PrintStream_print_int :
 this_88:Object pointer ->
  i:int32 -> { } unit reads Object_alloc_table { true }

parameter PrintStream_print_int_requires :
 this_88:Object pointer ->
  i:int32 -> { } unit reads Object_alloc_table { true }

parameter PrintStream_print_long :
 this_70:Object pointer ->
  l:long -> { } unit reads Object_alloc_table { true }

parameter PrintStream_print_long_requires :
 this_70:Object pointer ->
  l:long -> { } unit reads Object_alloc_table { true }

parameter PrintStream_print_requires :
 this_95:Object pointer ->
  obj:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_println :
 this_63:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_println_Object :
 this_23:Object pointer ->
  x_8_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_println_Object_requires :
 this_23:Object pointer ->
  x_8_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_println_String :
 this_34:Object pointer ->
  x_7_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_println_String_requires :
 this_34:Object pointer ->
  x_7_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_println_boolean :
 this_19:Object pointer ->
  x_0_0:bool -> { } unit reads Object_alloc_table { true }

parameter PrintStream_println_boolean_requires :
 this_19:Object pointer ->
  x_0_0:bool -> { } unit reads Object_alloc_table { true }

parameter PrintStream_println_char :
 this_30:Object pointer ->
  x_1_0:char -> { } unit reads Object_alloc_table { true }

parameter PrintStream_println_charA :
 this_76:Object pointer ->
  x_6_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_println_charA_requires :
 this_76:Object pointer ->
  x_6_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_println_char_requires :
 this_30:Object pointer ->
  x_1_0:char -> { } unit reads Object_alloc_table { true }

parameter PrintStream_println_double :
 this_84:Object pointer ->
  x_5_0:real -> { } unit reads Object_alloc_table { true }

parameter PrintStream_println_double_requires :
 this_84:Object pointer ->
  x_5_0:real -> { } unit reads Object_alloc_table { true }

parameter PrintStream_println_float :
 this_69:Object pointer ->
  x_4_0:real -> { } unit reads Object_alloc_table { true }

parameter PrintStream_println_float_requires :
 this_69:Object pointer ->
  x_4_0:real -> { } unit reads Object_alloc_table { true }

parameter PrintStream_println_int :
 this_10:Object pointer ->
  x_2_0:int32 -> { } unit reads Object_alloc_table { true }

parameter PrintStream_println_int_requires :
 this_10:Object pointer ->
  x_2_0:int32 -> { } unit reads Object_alloc_table { true }

parameter PrintStream_println_long :
 this_59:Object pointer ->
  x_3_0:long -> { } unit reads Object_alloc_table { true }

parameter PrintStream_println_long_requires :
 this_59:Object pointer ->
  x_3_0:long -> { } unit reads Object_alloc_table { true }

parameter PrintStream_println_requires :
 this_63:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_setError :
 this_37:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_setError_requires :
 this_37:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_trouble : (Object, bool) memory ref

parameter PrintStream_write_String :
 this_97:Object pointer ->
  s_2:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_write_String_requires :
 this_97:Object pointer ->
  s_2:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_write_byteA_int_int :
 this_102:Object pointer ->
  buf:Object pointer ->
   off_1:int32 -> len_1:int32 -> { } unit reads Object_alloc_table { true }

parameter PrintStream_write_byteA_int_int_requires :
 this_102:Object pointer ->
  buf:Object pointer ->
   off_1:int32 -> len_1:int32 -> { } unit reads Object_alloc_table { true }

parameter PrintStream_write_charA :
 this_62:Object pointer ->
  buf_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_write_charA_requires :
 this_62:Object pointer ->
  buf_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_write_int :
 this_98:Object pointer ->
  b_5:int32 -> { } unit reads Object_alloc_table { true }

parameter PrintStream_write_int_requires :
 this_98:Object pointer ->
  b_5:int32 -> { } unit reads Object_alloc_table { true }

exception Return_label_exc of unit

parameter StringM_StringP : (Object, Object pointer) memory ref

parameter String_charAt :
 this_13:Object pointer ->
  index_0:int32 -> { } char reads Object_alloc_table { true }

parameter String_charAt_requires :
 this_13:Object pointer ->
  index_0:int32 -> { } char reads Object_alloc_table { true }

parameter String_checkBounds :
 bytes:Object pointer ->
  offset_1:int32 -> length_0:int32 -> { } unit { true }

parameter String_checkBounds_requires :
 bytes:Object pointer ->
  offset_1:int32 -> length_0:int32 -> { } unit { true }

parameter String_compareToIgnoreCase :
 this_93:Object pointer ->
  str:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter String_compareToIgnoreCase_requires :
 this_93:Object pointer ->
  str:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter String_compareTo_Object :
 this_85:Object pointer ->
  o_0:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter String_compareTo_Object_requires :
 this_85:Object pointer ->
  o_0:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter String_compareTo_String :
 this_66:Object pointer ->
  anotherString_0:Object pointer ->
   { } int32 reads Object_alloc_table { true }

parameter String_compareTo_String_requires :
 this_66:Object pointer ->
  anotherString_0:Object pointer ->
   { } int32 reads Object_alloc_table { true }

parameter String_concat :
 this_67:Object pointer ->
  str_4:Object pointer ->
   { } Object pointer reads Object_alloc_table { true }

parameter String_concat_requires :
 this_67:Object pointer ->
  str_4:Object pointer ->
   { } Object pointer reads Object_alloc_table { true }

parameter String_contentEquals :
 this_65:Object pointer ->
  sb:Object pointer -> { } bool reads Object_alloc_table { true }

parameter String_contentEquals_requires :
 this_65:Object pointer ->
  sb:Object pointer -> { } bool reads Object_alloc_table { true }

parameter String_copyValueOf_charA :
 data_2:Object pointer -> { } Object pointer { true }

parameter String_copyValueOf_charA_int_int :
 data_1:Object pointer ->
  offset_6:int32 -> count_3:int32 -> { } Object pointer { true }

parameter String_copyValueOf_charA_int_int_requires :
 data_1:Object pointer ->
  offset_6:int32 -> count_3:int32 -> { } Object pointer { true }

parameter String_copyValueOf_charA_requires :
 data_2:Object pointer -> { } Object pointer { true }

parameter String_count : (Object, int32) memory ref

parameter String_endsWith :
 this_61:Object pointer ->
  suffix:Object pointer -> { } bool reads Object_alloc_table { true }

parameter String_endsWith_requires :
 this_61:Object pointer ->
  suffix:Object pointer -> { } bool reads Object_alloc_table { true }

parameter String_equals :
 this_24:Object pointer ->
  anObject:Object pointer -> { } bool reads Object_alloc_table { true }

parameter String_equalsIgnoreCase :
 this_22:Object pointer ->
  anotherString:Object pointer -> { } bool reads Object_alloc_table { true }

parameter String_equalsIgnoreCase_requires :
 this_22:Object pointer ->
  anotherString:Object pointer -> { } bool reads Object_alloc_table { true }

parameter String_equals_requires :
 this_24:Object pointer ->
  anObject:Object pointer -> { } bool reads Object_alloc_table { true }

parameter String_getBytes :
 this_82:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter String_getBytes_String :
 this_15:Object pointer ->
  charsetName_1:Object pointer ->
   { } Object pointer reads Object_alloc_table { true }

parameter String_getBytes_String_requires :
 this_15:Object pointer ->
  charsetName_1:Object pointer ->
   { } Object pointer reads Object_alloc_table { true }

parameter String_getBytes_int_int_byteA_int :
 this_75:Object pointer ->
  srcBegin_0:int32 ->
   srcEnd_0:int32 ->
    dst_0:Object pointer ->
     dstBegin_0:int32 -> { } unit reads Object_alloc_table { true }

parameter String_getBytes_int_int_byteA_int_requires :
 this_75:Object pointer ->
  srcBegin_0:int32 ->
   srcEnd_0:int32 ->
    dst_0:Object pointer ->
     dstBegin_0:int32 -> { } unit reads Object_alloc_table { true }

parameter String_getBytes_requires :
 this_82:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter String_getChars :
 this_18:Object pointer ->
  srcBegin:int32 ->
   srcEnd:int32 ->
    dst:Object pointer ->
     dstBegin:int32 -> { } unit reads Object_alloc_table { true }

parameter String_getChars_requires :
 this_18:Object pointer ->
  srcBegin:int32 ->
   srcEnd:int32 ->
    dst:Object pointer ->
     dstBegin:int32 -> { } unit reads Object_alloc_table { true }

parameter String_hash : (Object, int32) memory ref

parameter String_hashCode :
 this_101:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter String_hashCode_requires :
 this_101:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter String_indexOf :
 this_74:Object pointer ->
  ch:int32 -> { } int32 reads Object_alloc_table { true }

parameter String_indexOf_String :
 this_44:Object pointer ->
  str_0:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter String_indexOf_String_int :
 this_21:Object pointer ->
  str_1:Object pointer ->
   fromIndex_1:int32 -> { } int32 reads Object_alloc_table { true }

parameter String_indexOf_String_int_requires :
 this_21:Object pointer ->
  str_1:Object pointer ->
   fromIndex_1:int32 -> { } int32 reads Object_alloc_table { true }

parameter String_indexOf_String_requires :
 this_44:Object pointer ->
  str_0:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter String_indexOf_charA_int_int_charA_int_int_int :
 source:Object pointer ->
  sourceOffset:int32 ->
   sourceCount:int32 ->
    target:Object pointer ->
     targetOffset:int32 ->
      targetCount:int32 -> fromIndex_2:int32 -> { } int32 { true }

parameter String_indexOf_charA_int_int_charA_int_int_int_requires :
 source:Object pointer ->
  sourceOffset:int32 ->
   sourceCount:int32 ->
    target:Object pointer ->
     targetOffset:int32 ->
      targetCount:int32 -> fromIndex_2:int32 -> { } int32 { true }

parameter String_indexOf_int_int :
 this_55:Object pointer ->
  ch_0:int32 ->
   fromIndex:int32 -> { } int32 reads Object_alloc_table { true }

parameter String_indexOf_int_int_requires :
 this_55:Object pointer ->
  ch_0:int32 ->
   fromIndex:int32 -> { } int32 reads Object_alloc_table { true }

parameter String_indexOf_requires :
 this_74:Object pointer ->
  ch:int32 -> { } int32 reads Object_alloc_table { true }

parameter String_intern :
 this_90:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter String_intern_requires :
 this_90:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter String_lastIndexOf :
 this_91:Object pointer ->
  ch_1:int32 -> { } int32 reads Object_alloc_table { true }

parameter String_lastIndexOf_String :
 this_50:Object pointer ->
  str_2:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter String_lastIndexOf_String_int :
 this_57:Object pointer ->
  str_3:Object pointer ->
   fromIndex_3:int32 -> { } int32 reads Object_alloc_table { true }

parameter String_lastIndexOf_String_int_requires :
 this_57:Object pointer ->
  str_3:Object pointer ->
   fromIndex_3:int32 -> { } int32 reads Object_alloc_table { true }

parameter String_lastIndexOf_String_requires :
 this_50:Object pointer ->
  str_2:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter String_lastIndexOf_charA_int_int_charA_int_int_int :
 source_0:Object pointer ->
  sourceOffset_0:int32 ->
   sourceCount_0:int32 ->
    target_0:Object pointer ->
     targetOffset_0:int32 ->
      targetCount_0:int32 -> fromIndex_4:int32 -> { } int32 { true }

parameter String_lastIndexOf_charA_int_int_charA_int_int_int_requires :
 source_0:Object pointer ->
  sourceOffset_0:int32 ->
   sourceCount_0:int32 ->
    target_0:Object pointer ->
     targetOffset_0:int32 ->
      targetCount_0:int32 -> fromIndex_4:int32 -> { } int32 { true }

parameter String_lastIndexOf_int_int :
 this_40:Object pointer ->
  ch_2:int32 ->
   fromIndex_0:int32 -> { } int32 reads Object_alloc_table { true }

parameter String_lastIndexOf_int_int_requires :
 this_40:Object pointer ->
  ch_2:int32 ->
   fromIndex_0:int32 -> { } int32 reads Object_alloc_table { true }

parameter String_lastIndexOf_requires :
 this_91:Object pointer ->
  ch_1:int32 -> { } int32 reads Object_alloc_table { true }

parameter String_length :
 this_26:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter String_length_requires :
 this_26:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter String_matches :
 this_79:Object pointer ->
  regex:Object pointer -> { } bool reads Object_alloc_table { true }

parameter String_matches_requires :
 this_79:Object pointer ->
  regex:Object pointer -> { } bool reads Object_alloc_table { true }

parameter String_offset : (Object, int32) memory ref

parameter String_regionMatches_boolean_int_String_int_int :
 this_100:Object pointer ->
  ignoreCase:bool ->
   toffset_0:int32 ->
    other_0:Object pointer ->
     ooffset_0:int32 ->
      len_3:int32 -> { } bool reads Object_alloc_table { true }

parameter String_regionMatches_boolean_int_String_int_int_requires :
 this_100:Object pointer ->
  ignoreCase:bool ->
   toffset_0:int32 ->
    other_0:Object pointer ->
     ooffset_0:int32 ->
      len_3:int32 -> { } bool reads Object_alloc_table { true }

parameter String_regionMatches_int_String_int_int :
 this_94:Object pointer ->
  toffset:int32 ->
   other:Object pointer ->
    ooffset:int32 ->
     len_2:int32 -> { } bool reads Object_alloc_table { true }

parameter String_regionMatches_int_String_int_int_requires :
 this_94:Object pointer ->
  toffset:int32 ->
   other:Object pointer ->
    ooffset:int32 ->
     len_2:int32 -> { } bool reads Object_alloc_table { true }

parameter String_replace :
 this_38:Object pointer ->
  oldChar:char ->
   newChar:char -> { } Object pointer reads Object_alloc_table { true }

parameter String_replaceAll :
 this_7:Object pointer ->
  regex_1:Object pointer ->
   replacement_0:Object pointer ->
    { } Object pointer reads Object_alloc_table { true }

parameter String_replaceAll_requires :
 this_7:Object pointer ->
  regex_1:Object pointer ->
   replacement_0:Object pointer ->
    { } Object pointer reads Object_alloc_table { true }

parameter String_replaceFirst :
 this_60:Object pointer ->
  regex_0:Object pointer ->
   replacement:Object pointer ->
    { } Object pointer reads Object_alloc_table { true }

parameter String_replaceFirst_requires :
 this_60:Object pointer ->
  regex_0:Object pointer ->
   replacement:Object pointer ->
    { } Object pointer reads Object_alloc_table { true }

parameter String_replace_requires :
 this_38:Object pointer ->
  oldChar:char ->
   newChar:char -> { } Object pointer reads Object_alloc_table { true }

parameter String_split_String :
 this_78:Object pointer ->
  regex_3:Object pointer ->
   { } Object pointer reads Object_alloc_table { true }

parameter String_split_String_int :
 this_36:Object pointer ->
  regex_2:Object pointer ->
   limit:int32 -> { } Object pointer reads Object_alloc_table { true }

parameter String_split_String_int_requires :
 this_36:Object pointer ->
  regex_2:Object pointer ->
   limit:int32 -> { } Object pointer reads Object_alloc_table { true }

parameter String_split_String_requires :
 this_78:Object pointer ->
  regex_3:Object pointer ->
   { } Object pointer reads Object_alloc_table { true }

parameter String_startsWith_String :
 this_92:Object pointer ->
  prefix_0:Object pointer -> { } bool reads Object_alloc_table { true }

parameter String_startsWith_String_int :
 this_64:Object pointer ->
  prefix:Object pointer ->
   toffset_1:int32 -> { } bool reads Object_alloc_table { true }

parameter String_startsWith_String_int_requires :
 this_64:Object pointer ->
  prefix:Object pointer ->
   toffset_1:int32 -> { } bool reads Object_alloc_table { true }

parameter String_startsWith_String_requires :
 this_92:Object pointer ->
  prefix_0:Object pointer -> { } bool reads Object_alloc_table { true }

parameter String_subSequence :
 this_86:Object pointer ->
  beginIndex_1:int32 ->
   endIndex_0:int32 -> { } Object pointer reads Object_alloc_table { true }

parameter String_subSequence_requires :
 this_86:Object pointer ->
  beginIndex_1:int32 ->
   endIndex_0:int32 -> { } Object pointer reads Object_alloc_table { true }

parameter String_substring_int :
 this_17:Object pointer ->
  beginIndex:int32 -> { } Object pointer reads Object_alloc_table { true }

parameter String_substring_int_int :
 this_25:Object pointer ->
  beginIndex_0:int32 ->
   endIndex:int32 -> { } Object pointer reads Object_alloc_table { true }

parameter String_substring_int_int_requires :
 this_25:Object pointer ->
  beginIndex_0:int32 ->
   endIndex:int32 -> { } Object pointer reads Object_alloc_table { true }

parameter String_substring_int_requires :
 this_17:Object pointer ->
  beginIndex:int32 -> { } Object pointer reads Object_alloc_table { true }

parameter String_toCharArray :
 this_89:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter String_toCharArray_requires :
 this_89:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter String_toLowerCase :
 this_103:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter String_toLowerCase_requires :
 this_103:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter String_toString :
 this_56:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter String_toString_requires :
 this_56:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter String_toUpperCase :
 this_99:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter String_toUpperCase_requires :
 this_99:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter String_trim :
 this_71:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter String_trim_requires :
 this_71:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter String_value : (Object, Object pointer) memory ref

parameter String_valueOf : i_0:int32 -> { } Object pointer { true }

parameter String_valueOf_Object :
 obj_0:Object pointer -> { } Object pointer { true }

parameter String_valueOf_Object_requires :
 obj_0:Object pointer -> { } Object pointer { true }

parameter String_valueOf_boolean : b_7:bool -> { } Object pointer { true }

parameter String_valueOf_boolean_requires :
 b_7:bool -> { } Object pointer { true }

parameter String_valueOf_char : c_0:char -> { } Object pointer { true }

parameter String_valueOf_charA :
 data:Object pointer -> { } Object pointer { true }

parameter String_valueOf_charA_int_int :
 data_0:Object pointer ->
  offset_5:int32 -> count_2:int32 -> { } Object pointer { true }

parameter String_valueOf_charA_int_int_requires :
 data_0:Object pointer ->
  offset_5:int32 -> count_2:int32 -> { } Object pointer { true }

parameter String_valueOf_charA_requires :
 data:Object pointer -> { } Object pointer { true }

parameter String_valueOf_char_requires :
 c_0:char -> { } Object pointer { true }

parameter String_valueOf_double : d_0:real -> { } Object pointer { true }

parameter String_valueOf_double_requires :
 d_0:real -> { } Object pointer { true }

parameter String_valueOf_float : f_0:real -> { } Object pointer { true }

parameter String_valueOf_float_requires :
 f_0:real -> { } Object pointer { true }

parameter String_valueOf_long : l_0:long -> { } Object pointer { true }

parameter String_valueOf_long_requires :
 l_0:long -> { } Object pointer { true }

parameter String_valueOf_requires : i_0:int32 -> { } Object pointer { true }

parameter System_arraycopy :
 src:Object pointer ->
  srcPos:int32 ->
   dest:Object pointer -> destPos:int32 -> length:int32 -> { } unit { true }

parameter System_arraycopy_requires :
 src:Object pointer ->
  srcPos:int32 ->
   dest:Object pointer -> destPos:int32 -> length:int32 -> { } unit { true }

parameter System_checkIO : tt:unit -> { } unit { true }

parameter System_checkIO_requires : tt:unit -> { } unit { true }

parameter System_currentTimeMillis : tt:unit -> { } long { true }

parameter System_currentTimeMillis_requires : tt:unit -> { } long { true }

parameter System_exit : status:int32 -> { } unit { true }

parameter System_exit_requires : status:int32 -> { } unit { true }

parameter System_gc : tt:unit -> { } unit { true }

parameter System_gc_requires : tt:unit -> { } unit { true }

parameter System_getProperty_String :
 key:Object pointer -> { } Object pointer { true }

parameter System_getProperty_String_String :
 key_0:Object pointer -> def:Object pointer -> { } Object pointer { true }

parameter System_getProperty_String_String_requires :
 key_0:Object pointer -> def:Object pointer -> { } Object pointer { true }

parameter System_getProperty_String_requires :
 key:Object pointer -> { } Object pointer { true }

parameter System_getenv : name:Object pointer -> { } Object pointer { true }

parameter System_getenv_requires :
 name:Object pointer -> { } Object pointer { true }

parameter System_identityHashCode : x_11:Object pointer -> { } int32 { true }

parameter System_identityHashCode_requires :
 x_11:Object pointer -> { } int32 { true }

parameter System_initializeSystemClass : tt:unit -> { } unit { true }

parameter System_initializeSystemClass_requires :
 tt:unit -> { } unit { true }

parameter System_load : filename:Object pointer -> { } unit { true }

parameter System_loadLibrary : libname:Object pointer -> { } unit { true }

parameter System_loadLibrary_requires :
 libname:Object pointer -> { } unit { true }

parameter System_load_requires : filename:Object pointer -> { } unit { true }

parameter System_mapLibraryName :
 libname_0:Object pointer -> { } Object pointer { true }

parameter System_mapLibraryName_requires :
 libname_0:Object pointer -> { } Object pointer { true }

parameter System_nullInputStream : tt:unit -> { } Object pointer { true }

parameter System_nullInputStream_requires :
 tt:unit -> { } Object pointer { true }

parameter System_nullPrintStream : tt:unit -> { } Object pointer { true }

parameter System_nullPrintStream_requires :
 tt:unit -> { } Object pointer { true }

parameter System_registerNatives : tt:unit -> { } unit { true }

parameter System_registerNatives_requires : tt:unit -> { } unit { true }

parameter System_runFinalization : tt:unit -> { } unit { true }

parameter System_runFinalization_requires : tt:unit -> { } unit { true }

parameter System_runFinalizersOnExit : value_0:bool -> { } unit { true }

parameter System_runFinalizersOnExit_requires :
 value_0:bool -> { } unit { true }

parameter System_setErr : err:Object pointer -> { } unit { true }

parameter System_setErr0 : err_0:Object pointer -> { } unit { true }

parameter System_setErr0_requires : err_0:Object pointer -> { } unit { true }

parameter System_setErr_requires : err:Object pointer -> { } unit { true }

parameter System_setOut : out:Object pointer -> { } unit { true }

parameter System_setOut0 : out_0:Object pointer -> { } unit { true }

parameter System_setOut0_requires : out_0:Object pointer -> { } unit { true }

parameter System_setOut_requires : out:Object pointer -> { } unit { true }

parameter System_setProperty :
 key_1:Object pointer -> value:Object pointer -> { } Object pointer { true }

parameter System_setProperty_requires :
 key_1:Object pointer -> value:Object pointer -> { } Object pointer { true }

exception Throwable_exc of Object pointer

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_FilterOutputStream :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_FilterOutputStream(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result,
                  FilterOutputStream_tag)))) }

parameter alloc_struct_FilterOutputStream_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_FilterOutputStream(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result,
                  FilterOutputStream_tag)))) }

parameter alloc_struct_Hello :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Hello(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Hello_tag)))) }

parameter alloc_struct_Hello_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Hello(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Hello_tag)))) }

parameter alloc_struct_InputStream :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_InputStream(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, InputStream_tag)))) }

parameter alloc_struct_InputStream_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_InputStream(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, InputStream_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_OutputStream :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_OutputStream(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, OutputStream_tag)))) }

parameter alloc_struct_OutputStreamWriter :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_OutputStreamWriter(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result,
                  OutputStreamWriter_tag)))) }

parameter alloc_struct_OutputStreamWriter_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_OutputStreamWriter(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result,
                  OutputStreamWriter_tag)))) }

parameter alloc_struct_OutputStream_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_OutputStream(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, OutputStream_tag)))) }

parameter alloc_struct_PrintStream :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_PrintStream(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, PrintStream_tag)))) }

parameter alloc_struct_PrintStream_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_PrintStream(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, PrintStream_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_StringBuffer :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_StringBuffer(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, StringBuffer_tag)))) }

parameter alloc_struct_StringBuffer_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_StringBuffer(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, StringBuffer_tag)))) }

parameter alloc_struct_StringM :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_StringM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, StringM_tag)))) }

parameter alloc_struct_StringM_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_StringM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, StringM_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_System :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_System(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, System_tag)))) }

parameter alloc_struct_System_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_System(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, System_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_byteM :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_byteM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, byteM_tag)))) }

parameter alloc_struct_byteM_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_byteM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, byteM_tag)))) }

parameter alloc_struct_charM :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_charM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, charM_tag)))) }

parameter alloc_struct_charM_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_charM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, charM_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_byte : unit -> { } byte { true }

parameter any_char : unit -> { } char { true }

parameter any_int32 : unit -> { } int32 { true }

parameter any_long : unit -> { } long { true }

parameter any_short : unit -> { } short { true }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter byteM_byteP : (Object, byte) memory ref

parameter byte_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} byte
  { eq_int(integer_of_byte(result), x) }

parameter charM_charP : (Object, char) memory ref

parameter char_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (65535)))} char
  { eq_int(integer_of_char(result), x) }

parameter cons_FilterOutputStream_OutputStream :
 this_110:Object pointer ->
  out_1:Object pointer ->
   { } unit reads Object_alloc_table writes FilterOutputStream_out { true }

parameter cons_FilterOutputStream_OutputStream_requires :
 this_110:Object pointer ->
  out_1:Object pointer ->
   { } unit reads Object_alloc_table writes FilterOutputStream_out { true }

parameter cons_Hello :
 this_6:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Hello_requires :
 this_6:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Object :
 this_112:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Object_requires :
 this_112:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_OutputStream :
 this_115:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_OutputStream_requires :
 this_115:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_PrintStream_OutputStream :
 this_108:Object pointer ->
  out_2:Object pointer ->
   { } unit reads Object_alloc_table
   writes PrintStream_autoFlush,PrintStream_closing,PrintStream_trouble
   { true }

parameter cons_PrintStream_OutputStream_boolean :
 this_109:Object pointer ->
  out_4:Object pointer ->
   autoFlush_0:bool ->
    { } unit reads Object_alloc_table
    writes PrintStream_autoFlush,PrintStream_closing,PrintStream_trouble
    { true }

parameter cons_PrintStream_OutputStream_boolean_String :
 this_105:Object pointer ->
  out_5:Object pointer ->
   autoFlush_1:bool ->
    encoding:Object pointer ->
     { } unit reads Object_alloc_table
     writes PrintStream_autoFlush,PrintStream_closing,PrintStream_trouble
     { true }

parameter cons_PrintStream_OutputStream_boolean_String_requires :
 this_105:Object pointer ->
  out_5:Object pointer ->
   autoFlush_1:bool ->
    encoding:Object pointer ->
     { } unit reads Object_alloc_table
     writes PrintStream_autoFlush,PrintStream_closing,PrintStream_trouble
     { true }

parameter cons_PrintStream_OutputStream_boolean_requires :
 this_109:Object pointer ->
  out_4:Object pointer ->
   autoFlush_0:bool ->
    { } unit reads Object_alloc_table
    writes PrintStream_autoFlush,PrintStream_closing,PrintStream_trouble
    { true }

parameter cons_PrintStream_OutputStream_requires :
 this_108:Object pointer ->
  out_2:Object pointer ->
   { } unit reads Object_alloc_table
   writes PrintStream_autoFlush,PrintStream_closing,PrintStream_trouble
   { true }

parameter cons_PrintStream_boolean_OutputStream :
 this_113:Object pointer ->
  autoFlush:bool ->
   out_3:Object pointer ->
    { } unit reads Object_alloc_table
    writes PrintStream_autoFlush,PrintStream_closing,PrintStream_trouble
    { true }

parameter cons_PrintStream_boolean_OutputStream_requires :
 this_113:Object pointer ->
  autoFlush:bool ->
   out_3:Object pointer ->
    { } unit reads Object_alloc_table
    writes PrintStream_autoFlush,PrintStream_closing,PrintStream_trouble
    { true }

parameter cons_String :
 this_118:Object pointer ->
  { } unit reads Object_alloc_table
  writes String_count,String_hash,String_offset,String_value { true }

parameter cons_String_String :
 this_119:Object pointer ->
  original:Object pointer ->
   { } unit reads Object_alloc_table
   writes String_count,String_hash,String_offset,String_value { true }

parameter cons_String_StringBuffer :
 this_120:Object pointer ->
  buffer:Object pointer ->
   { } unit reads Object_alloc_table
   writes String_count,String_hash,String_offset,String_value { true }

parameter cons_String_StringBuffer_requires :
 this_120:Object pointer ->
  buffer:Object pointer ->
   { } unit reads Object_alloc_table
   writes String_count,String_hash,String_offset,String_value { true }

parameter cons_String_String_requires :
 this_119:Object pointer ->
  original:Object pointer ->
   { } unit reads Object_alloc_table
   writes String_count,String_hash,String_offset,String_value { true }

parameter cons_String_byteA :
 this_106:Object pointer ->
  bytes_3:Object pointer ->
   { } unit reads Object_alloc_table
   writes String_count,String_hash,String_offset,String_value { true }

parameter cons_String_byteA_String :
 this_104:Object pointer ->
  bytes_1:Object pointer ->
   charsetName_0:Object pointer ->
    { } unit reads Object_alloc_table
    writes String_count,String_hash,String_offset,String_value { true }

parameter cons_String_byteA_String_requires :
 this_104:Object pointer ->
  bytes_1:Object pointer ->
   charsetName_0:Object pointer ->
    { } unit reads Object_alloc_table
    writes String_count,String_hash,String_offset,String_value { true }

parameter cons_String_byteA_int :
 this_107:Object pointer ->
  ascii_0:Object pointer ->
   hibyte_0:int32 ->
    { } unit reads Object_alloc_table
    writes String_count,String_hash,String_offset,String_value { true }

parameter cons_String_byteA_int_int :
 this_111:Object pointer ->
  bytes_2:Object pointer ->
   offset_3:int32 ->
    length_2:int32 ->
     { } unit reads Object_alloc_table
     writes String_count,String_hash,String_offset,String_value { true }

parameter cons_String_byteA_int_int_String :
 this_116:Object pointer ->
  bytes_0:Object pointer ->
   offset_2:int32 ->
    length_1:int32 ->
     charsetName:Object pointer ->
      { } unit reads Object_alloc_table
      writes String_count,String_hash,String_offset,String_value { true }

parameter cons_String_byteA_int_int_String_requires :
 this_116:Object pointer ->
  bytes_0:Object pointer ->
   offset_2:int32 ->
    length_1:int32 ->
     charsetName:Object pointer ->
      { } unit reads Object_alloc_table
      writes String_count,String_hash,String_offset,String_value { true }

parameter cons_String_byteA_int_int_int :
 this_121:Object pointer ->
  ascii:Object pointer ->
   hibyte:int32 ->
    offset_0:int32 ->
     count_0:int32 ->
      { } unit reads Object_alloc_table
      writes String_count,String_hash,String_offset,String_value { true }

parameter cons_String_byteA_int_int_int_requires :
 this_121:Object pointer ->
  ascii:Object pointer ->
   hibyte:int32 ->
    offset_0:int32 ->
     count_0:int32 ->
      { } unit reads Object_alloc_table
      writes String_count,String_hash,String_offset,String_value { true }

parameter cons_String_byteA_int_int_requires :
 this_111:Object pointer ->
  bytes_2:Object pointer ->
   offset_3:int32 ->
    length_2:int32 ->
     { } unit reads Object_alloc_table
     writes String_count,String_hash,String_offset,String_value { true }

parameter cons_String_byteA_int_requires :
 this_107:Object pointer ->
  ascii_0:Object pointer ->
   hibyte_0:int32 ->
    { } unit reads Object_alloc_table
    writes String_count,String_hash,String_offset,String_value { true }

parameter cons_String_byteA_requires :
 this_106:Object pointer ->
  bytes_3:Object pointer ->
   { } unit reads Object_alloc_table
   writes String_count,String_hash,String_offset,String_value { true }

parameter cons_String_charA :
 this_123:Object pointer ->
  value_1:Object pointer ->
   { } unit reads Object_alloc_table
   writes String_count,String_hash,String_offset,String_value { true }

parameter cons_String_charA_int_int :
 this_117:Object pointer ->
  value_2:Object pointer ->
   offset:int32 ->
    count:int32 ->
     { } unit reads Object_alloc_table
     writes String_count,String_hash,String_offset,String_value { true }

parameter cons_String_charA_int_int_requires :
 this_117:Object pointer ->
  value_2:Object pointer ->
   offset:int32 ->
    count:int32 ->
     { } unit reads Object_alloc_table
     writes String_count,String_hash,String_offset,String_value { true }

parameter cons_String_charA_requires :
 this_123:Object pointer ->
  value_1:Object pointer ->
   { } unit reads Object_alloc_table
   writes String_count,String_hash,String_offset,String_value { true }

parameter cons_String_int_int_charA :
 this_114:Object pointer ->
  offset_4:int32 ->
   count_1:int32 ->
    value_3:Object pointer ->
     { } unit reads Object_alloc_table
     writes String_count,String_hash,String_offset,String_value { true }

parameter cons_String_int_int_charA_requires :
 this_114:Object pointer ->
  offset_4:int32 ->
   count_1:int32 ->
    value_3:Object pointer ->
     { } unit reads Object_alloc_table
     writes String_count,String_hash,String_offset,String_value { true }

parameter cons_String_requires :
 this_118:Object pointer ->
  { } unit reads Object_alloc_table
  writes String_count,String_hash,String_offset,String_value { true }

parameter cons_System :
 this_122:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_System_requires :
 this_122:Object pointer -> { } unit reads Object_alloc_table { true }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter java_array_length_StringM :
 x_5:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_25:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_5), (1)))))) }

parameter java_array_length_StringM_requires :
 x_5:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_25:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_5), (1)))))) }

parameter java_array_length_byteM :
 x_9:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_65:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_9), (1)))))) }

parameter java_array_length_byteM_requires :
 x_9:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_65:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_9), (1)))))) }

parameter java_array_length_charM :
 x_7:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_45:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_7), (1)))))) }

parameter java_array_length_charM_requires :
 x_7:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_45:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_7), (1)))))) }

parameter long_of_integer_ :
 x:int ->
  { (le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807)))}
  long { eq_int(integer_of_long(result), x) }

parameter non_null_Object :
 x_10:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_78:
    (if result then (offset_max(Object_alloc_table, x_10) = (0))
     else (x_10 = null))) }

parameter non_null_Object_requires :
 x_10:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_78:
    (if result then (offset_max(Object_alloc_table, x_10) = (0))
     else (x_10 = null))) }

parameter non_null_StringM :
 x_4:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_15:
    (if result then ge_int(offset_max(Object_alloc_table, x_4), neg_int((1)))
     else (x_4 = null))) }

parameter non_null_StringM_requires :
 x_4:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_15:
    (if result then ge_int(offset_max(Object_alloc_table, x_4), neg_int((1)))
     else (x_4 = null))) }

parameter non_null_byteM :
 x_8:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_55:
    (if result then ge_int(offset_max(Object_alloc_table, x_8), neg_int((1)))
     else (x_8 = null))) }

parameter non_null_byteM_requires :
 x_8:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_55:
    (if result then ge_int(offset_max(Object_alloc_table, x_8), neg_int((1)))
     else (x_8 = null))) }

parameter non_null_charM :
 x_6:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_35:
    (if result then ge_int(offset_max(Object_alloc_table, x_6), neg_int((1)))
     else (x_6 = null))) }

parameter non_null_charM_requires :
 x_6:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_35:
    (if result then ge_int(offset_max(Object_alloc_table, x_6), neg_int((1)))
     else (x_6 = null))) }

parameter safe_byte_of_integer_ :
 x:int -> { } byte { eq_int(integer_of_byte(result), x) }

parameter safe_char_of_integer_ :
 x:int -> { } char { eq_int(integer_of_char(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_long_of_integer_ :
 x:int -> { } long { eq_int(integer_of_long(result), x) }

parameter safe_short_of_integer_ :
 x:int -> { } short { eq_int(integer_of_short(result), x) }

parameter short_of_integer_ :
 x:int ->
  { (le_int((-32768), x) and le_int(x, (32767)))} short
  { eq_int(integer_of_short(result), x) }

let Hello_main_ensures_default =
 fun (argv : Object pointer) ->
  { left_valid_struct_StringM(argv, (0), Object_alloc_table) }
  (init:
  try
   (K_1:
   begin
     (let _jessie_ = System_out in
     (let _jessie_ = (JC_1010: (any_string_0 void)) in
     (JC_1011: ((PrintStream_println_String _jessie_) _jessie_))));
    (raise Return) end) with Return -> void end) { (JC_1003: true) } 

let Hello_main_safety =
 fun (argv : Object pointer) ->
  { left_valid_struct_StringM(argv, (0), Object_alloc_table) }
  (init:
  try
   (K_1:
   begin
     (let _jessie_ = System_out in
     (let _jessie_ = (JC_1007: (any_string_0_requires void)) in
     (JC_1009:
     (assert { ge_int(offset_max(Object_alloc_table, _jessie_), (0)) };
     (JC_1008:
     ((PrintStream_println_String_requires _jessie_) _jessie_))))));
    (raise Return) end) with Return -> void end) { true } 

let cons_FilterOutputStream_OutputStream_ensures_default =
 fun (this_110 : Object pointer) (out_1 : Object pointer) ->
  { (left_valid_struct_OutputStream(out_1, (0), Object_alloc_table)
    and valid_struct_FilterOutputStream(this_110, (0), (0),
        Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     (let _jessie_ = null in
     begin
       (let _jessie_ = this_110 in
       (((safe_upd_ FilterOutputStream_out) _jessie_) _jessie_));
      _jessie_ end) in void); (raise Return) end with Return -> void end)
  { (JC_275: true) } 

let cons_FilterOutputStream_OutputStream_safety =
 fun (this_110 : Object pointer) (out_1 : Object pointer) ->
  { (left_valid_struct_OutputStream(out_1, (0), Object_alloc_table)
    and valid_struct_FilterOutputStream(this_110, (0), (0),
        Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     (let _jessie_ = null in
     begin
       (let _jessie_ = this_110 in
       (((safe_upd_ FilterOutputStream_out) _jessie_) _jessie_));
      _jessie_ end) in void); (raise Return) end with Return -> void end)
  { true } 

let cons_Hello_ensures_default =
 fun (this_6 : Object pointer) ->
  { valid_struct_Hello(this_6, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_83: true) } 

let cons_Hello_safety =
 fun (this_6 : Object pointer) ->
  { valid_struct_Hello(this_6, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 

let cons_Object_ensures_default =
 fun (this_112 : Object pointer) ->
  { valid_struct_Object(this_112, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_555: true) } 

let cons_Object_safety =
 fun (this_112 : Object pointer) ->
  { valid_struct_Object(this_112, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 

let cons_OutputStream_ensures_default =
 fun (this_115 : Object pointer) ->
  { valid_struct_OutputStream(this_115, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_723: true) } 

let cons_OutputStream_safety =
 fun (this_115 : Object pointer) ->
  { valid_struct_OutputStream(this_115, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 

let cons_PrintStream_OutputStream_boolean_String_ensures_default =
 fun (this_105 : Object pointer) (out_5 : Object pointer) (autoFlush_1 : bool) (encoding : Object pointer) ->
  { (left_valid_struct_String(encoding, (0), Object_alloc_table)
    and (left_valid_struct_OutputStream(out_5, (0), Object_alloc_table)
        and valid_struct_PrintStream(this_105, (0), (0), Object_alloc_table))) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = false in
       (let _jessie_ = this_105 in
       (((safe_upd_ PrintStream_autoFlush) _jessie_) _jessie_)));
      (let _jessie_ = false in
      (let _jessie_ = this_105 in
      (((safe_upd_ PrintStream_trouble) _jessie_) _jessie_)));
      (let _jessie_ = false in
      begin
        (let _jessie_ = this_105 in
        (((safe_upd_ PrintStream_closing) _jessie_) _jessie_));
       _jessie_ end) end in void); (raise Return) end with Return ->
   void end) { (JC_107: true) } 

let cons_PrintStream_OutputStream_boolean_String_safety =
 fun (this_105 : Object pointer) (out_5 : Object pointer) (autoFlush_1 : bool) (encoding : Object pointer) ->
  { (left_valid_struct_String(encoding, (0), Object_alloc_table)
    and (left_valid_struct_OutputStream(out_5, (0), Object_alloc_table)
        and valid_struct_PrintStream(this_105, (0), (0), Object_alloc_table))) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = false in
       (let _jessie_ = this_105 in
       (((safe_upd_ PrintStream_autoFlush) _jessie_) _jessie_)));
      (let _jessie_ = false in
      (let _jessie_ = this_105 in
      (((safe_upd_ PrintStream_trouble) _jessie_) _jessie_)));
      (let _jessie_ = false in
      begin
        (let _jessie_ = this_105 in
        (((safe_upd_ PrintStream_closing) _jessie_) _jessie_));
       _jessie_ end) end in void); (raise Return) end with Return ->
   void end) { true } 

let cons_PrintStream_OutputStream_boolean_ensures_default =
 fun (this_109 : Object pointer) (out_4 : Object pointer) (autoFlush_0 : bool) ->
  { (left_valid_struct_OutputStream(out_4, (0), Object_alloc_table)
    and valid_struct_PrintStream(this_109, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = false in
       (let _jessie_ = this_109 in
       (((safe_upd_ PrintStream_autoFlush) _jessie_) _jessie_)));
      (let _jessie_ = false in
      (let _jessie_ = this_109 in
      (((safe_upd_ PrintStream_trouble) _jessie_) _jessie_)));
      (let _jessie_ = false in
      begin
        (let _jessie_ = this_109 in
        (((safe_upd_ PrintStream_closing) _jessie_) _jessie_));
       _jessie_ end) end in void); (raise Return) end with Return ->
   void end) { (JC_203: true) } 

let cons_PrintStream_OutputStream_boolean_safety =
 fun (this_109 : Object pointer) (out_4 : Object pointer) (autoFlush_0 : bool) ->
  { (left_valid_struct_OutputStream(out_4, (0), Object_alloc_table)
    and valid_struct_PrintStream(this_109, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = false in
       (let _jessie_ = this_109 in
       (((safe_upd_ PrintStream_autoFlush) _jessie_) _jessie_)));
      (let _jessie_ = false in
      (let _jessie_ = this_109 in
      (((safe_upd_ PrintStream_trouble) _jessie_) _jessie_)));
      (let _jessie_ = false in
      begin
        (let _jessie_ = this_109 in
        (((safe_upd_ PrintStream_closing) _jessie_) _jessie_));
       _jessie_ end) end in void); (raise Return) end with Return ->
   void end) { true } 

let cons_PrintStream_OutputStream_ensures_default =
 fun (this_108 : Object pointer) (out_2 : Object pointer) ->
  { (left_valid_struct_OutputStream(out_2, (0), Object_alloc_table)
    and valid_struct_PrintStream(this_108, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = false in
       (let _jessie_ = this_108 in
       (((safe_upd_ PrintStream_autoFlush) _jessie_) _jessie_)));
      (let _jessie_ = false in
      (let _jessie_ = this_108 in
      (((safe_upd_ PrintStream_trouble) _jessie_) _jessie_)));
      (let _jessie_ = false in
      begin
        (let _jessie_ = this_108 in
        (((safe_upd_ PrintStream_closing) _jessie_) _jessie_));
       _jessie_ end) end in void); (raise Return) end with Return ->
   void end) { (JC_163: true) } 

let cons_PrintStream_OutputStream_safety =
 fun (this_108 : Object pointer) (out_2 : Object pointer) ->
  { (left_valid_struct_OutputStream(out_2, (0), Object_alloc_table)
    and valid_struct_PrintStream(this_108, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = false in
       (let _jessie_ = this_108 in
       (((safe_upd_ PrintStream_autoFlush) _jessie_) _jessie_)));
      (let _jessie_ = false in
      (let _jessie_ = this_108 in
      (((safe_upd_ PrintStream_trouble) _jessie_) _jessie_)));
      (let _jessie_ = false in
      begin
        (let _jessie_ = this_108 in
        (((safe_upd_ PrintStream_closing) _jessie_) _jessie_));
       _jessie_ end) end in void); (raise Return) end with Return ->
   void end) { true } 

let cons_PrintStream_boolean_OutputStream_ensures_default =
 fun (this_113 : Object pointer) (autoFlush : bool) (out_3 : Object pointer) ->
  { (left_valid_struct_OutputStream(out_3, (0), Object_alloc_table)
    and valid_struct_PrintStream(this_113, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = false in
       (let _jessie_ = this_113 in
       (((safe_upd_ PrintStream_autoFlush) _jessie_) _jessie_)));
      (let _jessie_ = false in
      (let _jessie_ = this_113 in
      (((safe_upd_ PrintStream_trouble) _jessie_) _jessie_)));
      (let _jessie_ = false in
      begin
        (let _jessie_ = this_113 in
        (((safe_upd_ PrintStream_closing) _jessie_) _jessie_));
       _jessie_ end) end in void); (raise Return) end with Return ->
   void end) { (JC_699: true) } 

let cons_PrintStream_boolean_OutputStream_safety =
 fun (this_113 : Object pointer) (autoFlush : bool) (out_3 : Object pointer) ->
  { (left_valid_struct_OutputStream(out_3, (0), Object_alloc_table)
    and valid_struct_PrintStream(this_113, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = false in
       (let _jessie_ = this_113 in
       (((safe_upd_ PrintStream_autoFlush) _jessie_) _jessie_)));
      (let _jessie_ = false in
      (let _jessie_ = this_113 in
      (((safe_upd_ PrintStream_trouble) _jessie_) _jessie_)));
      (let _jessie_ = false in
      begin
        (let _jessie_ = this_113 in
        (((safe_upd_ PrintStream_closing) _jessie_) _jessie_));
       _jessie_ end) end in void); (raise Return) end with Return ->
   void end) { true } 

let cons_String_StringBuffer_ensures_default =
 fun (this_120 : Object pointer) (buffer : Object pointer) ->
  { (left_valid_struct_StringBuffer(buffer, (0), Object_alloc_table)
    and valid_struct_String(this_120, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_120 in
       (((safe_upd_ String_value) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_120 in
      (((safe_upd_ String_offset) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_120 in
      (((safe_upd_ String_count) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      begin
        (let _jessie_ = this_120 in
        (((safe_upd_ String_hash) _jessie_) _jessie_)); _jessie_ end)
     end in void); (raise Return) end with Return -> void end)
  { (JC_1160: true) } 

let cons_String_StringBuffer_safety =
 fun (this_120 : Object pointer) (buffer : Object pointer) ->
  { (left_valid_struct_StringBuffer(buffer, (0), Object_alloc_table)
    and valid_struct_String(this_120, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_120 in
       (((safe_upd_ String_value) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_120 in
      (((safe_upd_ String_offset) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_120 in
      (((safe_upd_ String_count) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      begin
        (let _jessie_ = this_120 in
        (((safe_upd_ String_hash) _jessie_) _jessie_)); _jessie_ end)
     end in void); (raise Return) end with Return -> void end) { true } 

let cons_String_String_ensures_default =
 fun (this_119 : Object pointer) (original : Object pointer) ->
  { (left_valid_struct_String(original, (0), Object_alloc_table)
    and valid_struct_String(this_119, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_119 in
       (((safe_upd_ String_value) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_119 in
      (((safe_upd_ String_offset) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_119 in
      (((safe_upd_ String_count) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      begin
        (let _jessie_ = this_119 in
        (((safe_upd_ String_hash) _jessie_) _jessie_)); _jessie_ end)
     end in void); (raise Return) end with Return -> void end)
  { (JC_1144: true) } 

let cons_String_String_safety =
 fun (this_119 : Object pointer) (original : Object pointer) ->
  { (left_valid_struct_String(original, (0), Object_alloc_table)
    and valid_struct_String(this_119, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_119 in
       (((safe_upd_ String_value) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_119 in
      (((safe_upd_ String_offset) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_119 in
      (((safe_upd_ String_count) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      begin
        (let _jessie_ = this_119 in
        (((safe_upd_ String_hash) _jessie_) _jessie_)); _jessie_ end)
     end in void); (raise Return) end with Return -> void end) { true } 

let cons_String_byteA_String_ensures_default =
 fun (this_104 : Object pointer) (bytes_1 : Object pointer) (charsetName_0 : Object pointer) ->
  { (left_valid_struct_String(charsetName_0, (0), Object_alloc_table)
    and (left_valid_struct_byteM(bytes_1, (0), Object_alloc_table)
        and valid_struct_String(this_104, (0), (0), Object_alloc_table))) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_104 in
       (((safe_upd_ String_value) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_104 in
      (((safe_upd_ String_offset) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_104 in
      (((safe_upd_ String_count) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      begin
        (let _jessie_ = this_104 in
        (((safe_upd_ String_hash) _jessie_) _jessie_)); _jessie_ end)
     end in void); (raise Return) end with Return -> void end)
  { (JC_99: true) } 

let cons_String_byteA_String_safety =
 fun (this_104 : Object pointer) (bytes_1 : Object pointer) (charsetName_0 : Object pointer) ->
  { (left_valid_struct_String(charsetName_0, (0), Object_alloc_table)
    and (left_valid_struct_byteM(bytes_1, (0), Object_alloc_table)
        and valid_struct_String(this_104, (0), (0), Object_alloc_table))) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_104 in
       (((safe_upd_ String_value) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_104 in
      (((safe_upd_ String_offset) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_104 in
      (((safe_upd_ String_count) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      begin
        (let _jessie_ = this_104 in
        (((safe_upd_ String_hash) _jessie_) _jessie_)); _jessie_ end)
     end in void); (raise Return) end with Return -> void end) { true } 

let cons_String_byteA_ensures_default =
 fun (this_106 : Object pointer) (bytes_3 : Object pointer) ->
  { (left_valid_struct_byteM(bytes_3, (0), Object_alloc_table)
    and valid_struct_String(this_106, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_106 in
       (((safe_upd_ String_value) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_106 in
      (((safe_upd_ String_offset) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_106 in
      (((safe_upd_ String_count) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      begin
        (let _jessie_ = this_106 in
        (((safe_upd_ String_hash) _jessie_) _jessie_)); _jessie_ end)
     end in void); (raise Return) end with Return -> void end)
  { (JC_139: true) } 

let cons_String_byteA_int_ensures_default =
 fun (this_107 : Object pointer) (ascii_0 : Object pointer) (hibyte_0 : int32) ->
  { (left_valid_struct_byteM(ascii_0, (0), Object_alloc_table)
    and valid_struct_String(this_107, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_107 in
       (((safe_upd_ String_value) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_107 in
      (((safe_upd_ String_offset) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_107 in
      (((safe_upd_ String_count) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      begin
        (let _jessie_ = this_107 in
        (((safe_upd_ String_hash) _jessie_) _jessie_)); _jessie_ end)
     end in void); (raise Return) end with Return -> void end)
  { (JC_155: true) } 

let cons_String_byteA_int_int_String_ensures_default =
 fun (this_116 : Object pointer) (bytes_0 : Object pointer) (offset_2 : int32) (length_1 : int32) (charsetName : Object pointer) ->
  { (left_valid_struct_String(charsetName, (0), Object_alloc_table)
    and (left_valid_struct_byteM(bytes_0, (0), Object_alloc_table)
        and valid_struct_String(this_116, (0), (0), Object_alloc_table))) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_116 in
       (((safe_upd_ String_value) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_116 in
      (((safe_upd_ String_offset) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_116 in
      (((safe_upd_ String_count) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      begin
        (let _jessie_ = this_116 in
        (((safe_upd_ String_hash) _jessie_) _jessie_)); _jessie_ end)
     end in void); (raise Return) end with Return -> void end)
  { (JC_851: true) } 

let cons_String_byteA_int_int_String_safety =
 fun (this_116 : Object pointer) (bytes_0 : Object pointer) (offset_2 : int32) (length_1 : int32) (charsetName : Object pointer) ->
  { (left_valid_struct_String(charsetName, (0), Object_alloc_table)
    and (left_valid_struct_byteM(bytes_0, (0), Object_alloc_table)
        and valid_struct_String(this_116, (0), (0), Object_alloc_table))) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_116 in
       (((safe_upd_ String_value) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_116 in
      (((safe_upd_ String_offset) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_116 in
      (((safe_upd_ String_count) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      begin
        (let _jessie_ = this_116 in
        (((safe_upd_ String_hash) _jessie_) _jessie_)); _jessie_ end)
     end in void); (raise Return) end with Return -> void end) { true } 

let cons_String_byteA_int_int_ensures_default =
 fun (this_111 : Object pointer) (bytes_2 : Object pointer) (offset_3 : int32) (length_2 : int32) ->
  { (left_valid_struct_byteM(bytes_2, (0), Object_alloc_table)
    and valid_struct_String(this_111, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_111 in
       (((safe_upd_ String_value) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_111 in
      (((safe_upd_ String_offset) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_111 in
      (((safe_upd_ String_count) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      begin
        (let _jessie_ = this_111 in
        (((safe_upd_ String_hash) _jessie_) _jessie_)); _jessie_ end)
     end in void); (raise Return) end with Return -> void end)
  { (JC_531: true) } 

let cons_String_byteA_int_int_int_ensures_default =
 fun (this_121 : Object pointer) (ascii : Object pointer) (hibyte : int32) (offset_0 : int32) (count_0 : int32) ->
  { (left_valid_struct_byteM(ascii, (0), Object_alloc_table)
    and valid_struct_String(this_121, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_121 in
       (((safe_upd_ String_value) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_121 in
      (((safe_upd_ String_offset) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_121 in
      (((safe_upd_ String_count) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      begin
        (let _jessie_ = this_121 in
        (((safe_upd_ String_hash) _jessie_) _jessie_)); _jessie_ end)
     end in void); (raise Return) end with Return -> void end)
  { (JC_1176: true) } 

let cons_String_byteA_int_int_int_safety =
 fun (this_121 : Object pointer) (ascii : Object pointer) (hibyte : int32) (offset_0 : int32) (count_0 : int32) ->
  { (left_valid_struct_byteM(ascii, (0), Object_alloc_table)
    and valid_struct_String(this_121, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_121 in
       (((safe_upd_ String_value) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_121 in
      (((safe_upd_ String_offset) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_121 in
      (((safe_upd_ String_count) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      begin
        (let _jessie_ = this_121 in
        (((safe_upd_ String_hash) _jessie_) _jessie_)); _jessie_ end)
     end in void); (raise Return) end with Return -> void end) { true } 

let cons_String_byteA_int_int_safety =
 fun (this_111 : Object pointer) (bytes_2 : Object pointer) (offset_3 : int32) (length_2 : int32) ->
  { (left_valid_struct_byteM(bytes_2, (0), Object_alloc_table)
    and valid_struct_String(this_111, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_111 in
       (((safe_upd_ String_value) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_111 in
      (((safe_upd_ String_offset) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_111 in
      (((safe_upd_ String_count) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      begin
        (let _jessie_ = this_111 in
        (((safe_upd_ String_hash) _jessie_) _jessie_)); _jessie_ end)
     end in void); (raise Return) end with Return -> void end) { true } 

let cons_String_byteA_int_safety =
 fun (this_107 : Object pointer) (ascii_0 : Object pointer) (hibyte_0 : int32) ->
  { (left_valid_struct_byteM(ascii_0, (0), Object_alloc_table)
    and valid_struct_String(this_107, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_107 in
       (((safe_upd_ String_value) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_107 in
      (((safe_upd_ String_offset) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_107 in
      (((safe_upd_ String_count) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      begin
        (let _jessie_ = this_107 in
        (((safe_upd_ String_hash) _jessie_) _jessie_)); _jessie_ end)
     end in void); (raise Return) end with Return -> void end) { true } 

let cons_String_byteA_safety =
 fun (this_106 : Object pointer) (bytes_3 : Object pointer) ->
  { (left_valid_struct_byteM(bytes_3, (0), Object_alloc_table)
    and valid_struct_String(this_106, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_106 in
       (((safe_upd_ String_value) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_106 in
      (((safe_upd_ String_offset) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_106 in
      (((safe_upd_ String_count) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      begin
        (let _jessie_ = this_106 in
        (((safe_upd_ String_hash) _jessie_) _jessie_)); _jessie_ end)
     end in void); (raise Return) end with Return -> void end) { true } 

let cons_String_charA_ensures_default =
 fun (this_123 : Object pointer) (value_1 : Object pointer) ->
  { (left_valid_struct_charM(value_1, (0), Object_alloc_table)
    and valid_struct_String(this_123, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_123 in
       (((safe_upd_ String_value) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_123 in
      (((safe_upd_ String_offset) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_123 in
      (((safe_upd_ String_count) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      begin
        (let _jessie_ = this_123 in
        (((safe_upd_ String_hash) _jessie_) _jessie_)); _jessie_ end)
     end in void); (raise Return) end with Return -> void end)
  { (JC_1304: true) } 

let cons_String_charA_int_int_ensures_default =
 fun (this_117 : Object pointer) (value_2 : Object pointer) (offset : int32) (count : int32) ->
  { (left_valid_struct_charM(value_2, (0), Object_alloc_table)
    and valid_struct_String(this_117, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_117 in
       (((safe_upd_ String_value) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_117 in
      (((safe_upd_ String_offset) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_117 in
      (((safe_upd_ String_count) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      begin
        (let _jessie_ = this_117 in
        (((safe_upd_ String_hash) _jessie_) _jessie_)); _jessie_ end)
     end in void); (raise Return) end with Return -> void end)
  { (JC_995: true) } 

let cons_String_charA_int_int_safety =
 fun (this_117 : Object pointer) (value_2 : Object pointer) (offset : int32) (count : int32) ->
  { (left_valid_struct_charM(value_2, (0), Object_alloc_table)
    and valid_struct_String(this_117, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_117 in
       (((safe_upd_ String_value) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_117 in
      (((safe_upd_ String_offset) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_117 in
      (((safe_upd_ String_count) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      begin
        (let _jessie_ = this_117 in
        (((safe_upd_ String_hash) _jessie_) _jessie_)); _jessie_ end)
     end in void); (raise Return) end with Return -> void end) { true } 

let cons_String_charA_safety =
 fun (this_123 : Object pointer) (value_1 : Object pointer) ->
  { (left_valid_struct_charM(value_1, (0), Object_alloc_table)
    and valid_struct_String(this_123, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_123 in
       (((safe_upd_ String_value) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_123 in
      (((safe_upd_ String_offset) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_123 in
      (((safe_upd_ String_count) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      begin
        (let _jessie_ = this_123 in
        (((safe_upd_ String_hash) _jessie_) _jessie_)); _jessie_ end)
     end in void); (raise Return) end with Return -> void end) { true } 

let cons_String_ensures_default =
 fun (this_118 : Object pointer) ->
  { valid_struct_String(this_118, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_118 in
       (((safe_upd_ String_value) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_118 in
      (((safe_upd_ String_offset) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_118 in
      (((safe_upd_ String_count) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      begin
        (let _jessie_ = this_118 in
        (((safe_upd_ String_hash) _jessie_) _jessie_)); _jessie_ end)
     end in void); (raise Return) end with Return -> void end)
  { (JC_1040: true) } 

let cons_String_int_int_charA_ensures_default =
 fun (this_114 : Object pointer) (offset_4 : int32) (count_1 : int32) (value_3 : Object pointer) ->
  { (left_valid_struct_charM(value_3, (0), Object_alloc_table)
    and valid_struct_String(this_114, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_114 in
       (((safe_upd_ String_value) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_114 in
      (((safe_upd_ String_offset) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_114 in
      (((safe_upd_ String_count) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      begin
        (let _jessie_ = this_114 in
        (((safe_upd_ String_hash) _jessie_) _jessie_)); _jessie_ end)
     end in void); (raise Return) end with Return -> void end)
  { (JC_707: true) } 

let cons_String_int_int_charA_safety =
 fun (this_114 : Object pointer) (offset_4 : int32) (count_1 : int32) (value_3 : Object pointer) ->
  { (left_valid_struct_charM(value_3, (0), Object_alloc_table)
    and valid_struct_String(this_114, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_114 in
       (((safe_upd_ String_value) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_114 in
      (((safe_upd_ String_offset) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_114 in
      (((safe_upd_ String_count) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      begin
        (let _jessie_ = this_114 in
        (((safe_upd_ String_hash) _jessie_) _jessie_)); _jessie_ end)
     end in void); (raise Return) end with Return -> void end) { true } 

let cons_String_safety =
 fun (this_118 : Object pointer) ->
  { valid_struct_String(this_118, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_118 in
       (((safe_upd_ String_value) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_118 in
      (((safe_upd_ String_offset) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_118 in
      (((safe_upd_ String_count) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      begin
        (let _jessie_ = this_118 in
        (((safe_upd_ String_hash) _jessie_) _jessie_)); _jessie_ end)
     end in void); (raise Return) end with Return -> void end) { true } 

let cons_System_ensures_default =
 fun (this_122 : Object pointer) ->
  { valid_struct_System(this_122, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_1256: true) } 

let cons_System_safety =
 fun (this_122 : Object pointer) ->
  { valid_struct_System(this_122, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 


why-2.39/tests/java/oracle/Booleans.res.oracle0000644000106100004300000045124613147234006020316 0ustar  marchevals========== file tests/java/Booleans.java ==========

class Booleans {

    /*@ ensures \result ==  ((e || (t && f)) && (t || f)) ;
      @*/
    static boolean f(boolean e,boolean t,boolean f,boolean r)
    {
        return ( (e || (t && f)) && (t || f) );
    }


}========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function Booleans_f for method Booleans.f
Generating JC function cons_Booleans for constructor Booleans
Done.
========== file tests/java/Booleans.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

type byte = -128..127

type short = -32768..32767

type int32 = -2147483648..2147483647

type long = -9223372036854775808..9223372036854775807

type char = 0..65535

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) == 0)

tag Object = {
}

tag String = Object with {
}

tag Throwable = Object with {
}

tag Exception = Object with {
}

tag Booleans = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

exception Throwable of Throwable[0..]

exception Exception of Exception[0..]

boolean Booleans_f(boolean e, boolean t, boolean f, boolean r)
behavior default:
  ensures (K_1 : (\result == ((e || (t && f)) && (t || f))));
{  
   (return (K_5 : ((K_3 : (e || (K_2 : (t && f)))) && (K_4 : (t || f)))))
}

unit cons_Booleans(! Booleans[0] this_0){()}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/Booleans.jloc tests/java/Booleans.jc && make -f tests/java/Booleans.makefile gui"
End:
*/
========== file tests/java/Booleans.jloc ==========
[K_1]
file = "HOME/tests/java/Booleans.java"
line = 4
begin = 16
end = 57

[K_2]
file = "HOME/tests/java/Booleans.java"
line = 8
begin = 24
end = 30

[K_3]
file = "HOME/tests/java/Booleans.java"
line = 8
begin = 18
end = 31

[K_4]
file = "HOME/tests/java/Booleans.java"
line = 8
begin = 37
end = 43

[K_5]
file = "HOME/tests/java/Booleans.java"
line = 8
begin = 17
end = 44

[Booleans_f]
name = "Method f"
file = "HOME/tests/java/Booleans.java"
line = 6
begin = 19
end = 20

[cons_Booleans]
name = "Constructor of class Booleans"
file = "HOME/"
line = 0
begin = -1
end = -1

========== jessie execution ==========
Generating Why function Booleans_f
Generating Why function cons_Booleans
========== file tests/java/Booleans.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT)  -split-user-conj -explain -locs Booleans.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT)  -split-user-conj -explain -locs Booleans.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why

COQDEP = coqdep

.PHONY: all coq pvs simplify cvcl harvey smtlib zenon

all: simplify/Booleans_why.sx

project: why/Booleans.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/Booleans_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/Booleans_why.vo

coq/Booleans_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/Booleans_why.v: why/Booleans.why
	@echo 'why -coq [...] why/Booleans.why' && $(WHY) $(JESSIELIBFILES) why/Booleans.why

coq-goals: goals coq/Booleans_ctx_why.vo
	for f in why/*_po*.why; do make -f Booleans.makefile coq/`basename $$f .why`_why.v ; done

coq/Booleans_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/Booleans_ctx_why.v: why/Booleans_ctx.why
	@echo 'why -coq [...] why/Booleans_ctx.why' && $(WHY) why/Booleans_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export Booleans_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/Booleans_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<

pvs: pvs/Booleans_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/Booleans_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/Booleans_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/Booleans_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/Booleans_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/Booleans_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/Booleans_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/Booleans_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/Booleans_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/Booleans_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/Booleans_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

gui stat: Booleans.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

-include Booleans.depend

depend: coq/Booleans_why.v
	-$(COQDEP) -I coq coq/Booleans*_why.v > Booleans.depend

clean:
	rm -f coq/*.vo

========== file tests/java/Booleans.loc ==========
[JC_1]
file = "HOME/tests/java/Booleans.jc"
line = 42
begin = 8
end = 23

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_3]
file = "HOME/tests/java/Booleans.jc"
line = 42
begin = 8
end = 23

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_9]
file = "HOME/tests/java/Booleans.jc"
line = 44
begin = 11
end = 65

[JC_10]
file = "HOME/tests/java/Booleans.jc"
line = 44
begin = 11
end = 65

[JC_11]
file = "HOME/tests/java/Booleans.java"
line = 6
begin = 19
end = 20

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/tests/java/Booleans.java"
line = 6
begin = 19
end = 20

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_15]
file = "HOME/tests/java/Booleans.java"
line = 4
begin = 16
end = 57

[JC_16]
file = "HOME/tests/java/Booleans.java"
line = 4
begin = 16
end = 57

[JC_17]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_19]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_21]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_23]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_24]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_25]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Booleans_safety]
name = "Constructor of class Booleans"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Booleans_ensures_default]
name = "Constructor of class Booleans"
behavior = "Default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[Booleans_f_ensures_default]
name = "Method f"
behavior = "Default behavior"
file = "HOME/tests/java/Booleans.java"
line = 6
begin = 19
end = 20

[Booleans_f_safety]
name = "Method f"
behavior = "Safety"
file = "HOME/tests/java/Booleans.java"
line = 6
begin = 19
end = 20

========== file tests/java/why/Booleans.why ==========
type Object

type byte

type char

type int32

type interface

type long

type short

logic Booleans_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Booleans_parenttag_Object : parenttag(Booleans_tag, Object_tag)

exception Exception_exc of Object pointer

logic Exception_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

predicate Non_null_Object(x:Object pointer,
 Object_alloc_table:Object alloc_table) =
 eq_int(offset_max(Object_alloc_table, x), (0))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_bitvector: bitvector -> Object pointer

logic bitvector_of_Object: Object pointer -> bitvector

axiom Object_of_bitvector_of_bitvector_of_Object :
 (forall x:Object pointer. (Object_of_bitvector(bitvector_of_Object(x)) = x))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

exception Return_label_exc of unit

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

exception Throwable_exc of Object pointer

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

axiom bitvector_of_Object_of_Object_of_bitvector :
 (forall x:bitvector. (bitvector_of_Object(Object_of_bitvector(x)) = x))

logic bitvector_of_byte: byte -> bitvector

logic byte_of_bitvector: bitvector -> byte

axiom bitvector_of_byte_of_byte_of_bitvector :
 (forall x:bitvector. (bitvector_of_byte(byte_of_bitvector(x)) = x))

logic bitvector_of_char: char -> bitvector

logic char_of_bitvector: bitvector -> char

axiom bitvector_of_char_of_char_of_bitvector :
 (forall x:bitvector. (bitvector_of_char(char_of_bitvector(x)) = x))

logic bitvector_of_int32: int32 -> bitvector

logic int32_of_bitvector: bitvector -> int32

axiom bitvector_of_int32_of_int32_of_bitvector :
 (forall x:bitvector. (bitvector_of_int32(int32_of_bitvector(x)) = x))

logic bitvector_of_interface: interface pointer -> bitvector

logic interface_of_bitvector: bitvector -> interface pointer

axiom bitvector_of_interface_of_interface_of_bitvector :
 (forall x:bitvector.
  (bitvector_of_interface(interface_of_bitvector(x)) = x))

logic bitvector_of_long: long -> bitvector

logic long_of_bitvector: bitvector -> long

axiom bitvector_of_long_of_long_of_bitvector :
 (forall x:bitvector. (bitvector_of_long(long_of_bitvector(x)) = x))

logic bitvector_of_short: short -> bitvector

logic short_of_bitvector: bitvector -> short

axiom bitvector_of_short_of_short_of_bitvector :
 (forall x:bitvector. (bitvector_of_short(short_of_bitvector(x)) = x))

logic integer_of_byte: byte -> int

logic byte_of_integer: int -> byte

axiom byte_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_byte(byte_of_integer(x)), x)))

predicate eq_byte(x:byte,
 y:byte) =
 eq_int(integer_of_byte(x), integer_of_byte(y))

axiom byte_of_bitvector_of_bitvector_of_byte :
 (forall x:byte. eq_byte(byte_of_bitvector(bitvector_of_byte(x)), x))

axiom byte_range :
 (forall x:byte.
  (le_int((-128), integer_of_byte(x)) and le_int(integer_of_byte(x), (127))))

logic integer_of_char: char -> int

logic char_of_integer: int -> char

axiom char_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (65535))) ->
   eq_int(integer_of_char(char_of_integer(x)), x)))

predicate eq_char(x:char,
 y:char) =
 eq_int(integer_of_char(x), integer_of_char(y))

axiom char_of_bitvector_of_bitvector_of_char :
 (forall x:char. eq_char(char_of_bitvector(bitvector_of_char(x)), x))

axiom char_range :
 (forall x:char.
  (le_int((0), integer_of_char(x)) and le_int(integer_of_char(x), (65535))))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32,
 y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_long: long -> int

predicate eq_long(x:long,
 y:long) =
 eq_int(integer_of_long(x), integer_of_long(y))

logic integer_of_short: short -> int

predicate eq_short(x:short,
 y:short) =
 eq_int(integer_of_short(x), integer_of_short(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_of_bitvector_of_bitvector_of_int32 :
 (forall x:int32. eq_int32(int32_of_bitvector(bitvector_of_int32(x)), x))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

axiom interface_of_bitvector_of_bitvector_of_interface :
 (forall x:interface pointer.
  (interface_of_bitvector(bitvector_of_interface(x)) = x))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer,
 a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Booleans(p:Object pointer,
 a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Exception(p:Object pointer,
 a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer,
 a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer,
 a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer,
 a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer: int -> long

axiom long_coerce :
 (forall x:int.
  ((le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807))) ->
   eq_int(integer_of_long(long_of_integer(x)), x)))

axiom long_of_bitvector_of_bitvector_of_long :
 (forall x:long. eq_long(long_of_bitvector(bitvector_of_long(x)), x))

axiom long_range :
 (forall x:long.
  (le_int((-9223372036854775808), integer_of_long(x))
  and le_int(integer_of_long(x), (9223372036854775807))))

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer,
 b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Booleans(p:Object pointer,
 b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Exception(p:Object pointer,
 b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer,
 b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer,
 b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer,
 b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer: int -> short

axiom short_coerce :
 (forall x:int.
  ((le_int((-32768), x) and le_int(x, (32767))) ->
   eq_int(integer_of_short(short_of_integer(x)), x)))

axiom short_of_bitvector_of_bitvector_of_short :
 (forall x:short. eq_short(short_of_bitvector(bitvector_of_short(x)), x))

axiom short_range :
 (forall x:short.
  (le_int((-32768), integer_of_short(x))
  and le_int(integer_of_short(x), (32767))))

predicate strict_valid_root_Object(p:Object pointer,
 a:int,
 b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer,
 a:int,
 b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer,
 a:int,
 b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Booleans(p:Object pointer,
 a:int,
 b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Exception(p:Object pointer,
 a:int,
 b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer,
 a:int,
 b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer,
 a:int,
 b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer,
 a:int,
 b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_bitvector_struct_Object(p:unit pointer,
 a:int,
 b:int,
 bitvector_alloc_table:unit alloc_table) =
 ((offset_min(bitvector_alloc_table, p) = a)
 and (offset_max(bitvector_alloc_table, p) = b))

predicate valid_bitvector_struct_Booleans(p:unit pointer,
 a:int,
 b:int,
 bitvector_alloc_table:unit alloc_table) =
 valid_bitvector_struct_Object(p, a, b, bitvector_alloc_table)

predicate valid_bitvector_struct_Exception(p:unit pointer,
 a:int,
 b:int,
 bitvector_alloc_table:unit alloc_table) =
 valid_bitvector_struct_Object(p, a, b, bitvector_alloc_table)

predicate valid_bitvector_struct_String(p:unit pointer,
 a:int,
 b:int,
 bitvector_alloc_table:unit alloc_table) =
 valid_bitvector_struct_Object(p, a, b, bitvector_alloc_table)

predicate valid_bitvector_struct_Throwable(p:unit pointer,
 a:int,
 b:int,
 bitvector_alloc_table:unit alloc_table) =
 valid_bitvector_struct_Object(p, a, b, bitvector_alloc_table)

predicate valid_bitvector_struct_interface(p:unit pointer,
 a:int,
 b:int,
 bitvector_alloc_table:unit alloc_table) =
 ((offset_min(bitvector_alloc_table, p) = a)
 and (offset_max(bitvector_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer,
 a:int,
 b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer,
 a:int,
 b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer,
 a:int,
 b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Booleans(p:Object pointer,
 a:int,
 b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Exception(p:Object pointer,
 a:int,
 b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer,
 a:int,
 b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer,
 a:int,
 b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer,
 a:int,
 b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

parameter Booleans_f :
 e:bool ->
  t:bool ->
   f:bool ->
    r:bool ->
     { } bool
     { (JC_16:
       eq_bool(result, bool_and(bool_or(e, bool_and(t, f)), bool_or(t, f)))) }

parameter Booleans_f_requires :
 e:bool ->
  t:bool ->
   f:bool ->
    r:bool ->
     { } bool
     { (JC_16:
       eq_bool(result, bool_and(bool_or(e, bool_and(t, f)), bool_or(t, f)))) }

parameter Object_alloc_table : Object alloc_table ref

parameter Object_tag_table : Object tag_table ref

parameter alloc_bitvector_struct_Booleans :
 n:int ->
  bitvector_alloc_table:unit alloc_table ref ->
   { } unit pointer writes bitvector_alloc_table
   { (valid_bitvector_struct_Booleans(result, (0), sub_int(n, (1)),
      bitvector_alloc_table)
     and (alloc_extends(bitvector_alloc_table@, bitvector_alloc_table)
         and alloc_fresh(bitvector_alloc_table@, result, n))) }

parameter alloc_bitvector_struct_Booleans_requires :
 n:int ->
  bitvector_alloc_table:unit alloc_table ref ->
   { ge_int(n, (0))} unit pointer writes bitvector_alloc_table
   { (valid_bitvector_struct_Booleans(result, (0), sub_int(n, (1)),
      bitvector_alloc_table)
     and (alloc_extends(bitvector_alloc_table@, bitvector_alloc_table)
         and alloc_fresh(bitvector_alloc_table@, result, n))) }

parameter alloc_bitvector_struct_Exception :
 n:int ->
  bitvector_alloc_table:unit alloc_table ref ->
   { } unit pointer writes bitvector_alloc_table
   { (valid_bitvector_struct_Exception(result, (0), sub_int(n, (1)),
      bitvector_alloc_table)
     and (alloc_extends(bitvector_alloc_table@, bitvector_alloc_table)
         and alloc_fresh(bitvector_alloc_table@, result, n))) }

parameter alloc_bitvector_struct_Exception_requires :
 n:int ->
  bitvector_alloc_table:unit alloc_table ref ->
   { ge_int(n, (0))} unit pointer writes bitvector_alloc_table
   { (valid_bitvector_struct_Exception(result, (0), sub_int(n, (1)),
      bitvector_alloc_table)
     and (alloc_extends(bitvector_alloc_table@, bitvector_alloc_table)
         and alloc_fresh(bitvector_alloc_table@, result, n))) }

parameter alloc_bitvector_struct_Object :
 n:int ->
  bitvector_alloc_table:unit alloc_table ref ->
   { } unit pointer writes bitvector_alloc_table
   { (valid_bitvector_struct_Object(result, (0), sub_int(n, (1)),
      bitvector_alloc_table)
     and (alloc_extends(bitvector_alloc_table@, bitvector_alloc_table)
         and alloc_fresh(bitvector_alloc_table@, result, n))) }

parameter alloc_bitvector_struct_Object_requires :
 n:int ->
  bitvector_alloc_table:unit alloc_table ref ->
   { ge_int(n, (0))} unit pointer writes bitvector_alloc_table
   { (valid_bitvector_struct_Object(result, (0), sub_int(n, (1)),
      bitvector_alloc_table)
     and (alloc_extends(bitvector_alloc_table@, bitvector_alloc_table)
         and alloc_fresh(bitvector_alloc_table@, result, n))) }

parameter alloc_bitvector_struct_String :
 n:int ->
  bitvector_alloc_table:unit alloc_table ref ->
   { } unit pointer writes bitvector_alloc_table
   { (valid_bitvector_struct_String(result, (0), sub_int(n, (1)),
      bitvector_alloc_table)
     and (alloc_extends(bitvector_alloc_table@, bitvector_alloc_table)
         and alloc_fresh(bitvector_alloc_table@, result, n))) }

parameter alloc_bitvector_struct_String_requires :
 n:int ->
  bitvector_alloc_table:unit alloc_table ref ->
   { ge_int(n, (0))} unit pointer writes bitvector_alloc_table
   { (valid_bitvector_struct_String(result, (0), sub_int(n, (1)),
      bitvector_alloc_table)
     and (alloc_extends(bitvector_alloc_table@, bitvector_alloc_table)
         and alloc_fresh(bitvector_alloc_table@, result, n))) }

parameter alloc_bitvector_struct_Throwable :
 n:int ->
  bitvector_alloc_table:unit alloc_table ref ->
   { } unit pointer writes bitvector_alloc_table
   { (valid_bitvector_struct_Throwable(result, (0), sub_int(n, (1)),
      bitvector_alloc_table)
     and (alloc_extends(bitvector_alloc_table@, bitvector_alloc_table)
         and alloc_fresh(bitvector_alloc_table@, result, n))) }

parameter alloc_bitvector_struct_Throwable_requires :
 n:int ->
  bitvector_alloc_table:unit alloc_table ref ->
   { ge_int(n, (0))} unit pointer writes bitvector_alloc_table
   { (valid_bitvector_struct_Throwable(result, (0), sub_int(n, (1)),
      bitvector_alloc_table)
     and (alloc_extends(bitvector_alloc_table@, bitvector_alloc_table)
         and alloc_fresh(bitvector_alloc_table@, result, n))) }

parameter alloc_bitvector_struct_interface :
 n:int ->
  bitvector_alloc_table:unit alloc_table ref ->
   { } unit pointer writes bitvector_alloc_table
   { (valid_bitvector_struct_interface(result, (0), sub_int(n, (1)),
      bitvector_alloc_table)
     and (alloc_extends(bitvector_alloc_table@, bitvector_alloc_table)
         and alloc_fresh(bitvector_alloc_table@, result, n))) }

parameter alloc_bitvector_struct_interface_requires :
 n:int ->
  bitvector_alloc_table:unit alloc_table ref ->
   { ge_int(n, (0))} unit pointer writes bitvector_alloc_table
   { (valid_bitvector_struct_interface(result, (0), sub_int(n, (1)),
      bitvector_alloc_table)
     and (alloc_extends(bitvector_alloc_table@, bitvector_alloc_table)
         and alloc_fresh(bitvector_alloc_table@, result, n))) }

parameter alloc_struct_Booleans :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Booleans(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Booleans_tag)))) }

parameter alloc_struct_Booleans_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Booleans(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Booleans_tag)))) }

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_byte : unit -> { } byte { true }

parameter any_char : unit -> { } char { true }

parameter any_int32 : unit -> { } int32 { true }

parameter any_long : unit -> { } long { true }

parameter any_short : unit -> { } short { true }

parameter byte_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} byte
  { eq_int(integer_of_byte(result), x) }

parameter char_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (65535)))} char
  { eq_int(integer_of_char(result), x) }

parameter cons_Booleans :
 this_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Booleans_requires :
 this_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter long_of_integer_ :
 x:int ->
  { (le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807)))}
  long { eq_int(integer_of_long(result), x) }

parameter non_null_Object :
 x_0:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_10:
    (if result
     then eq_int(offset_max(Object_alloc_table, x_0), (0))
     else (x_0 = null))) }

parameter non_null_Object_requires :
 x_0:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_10:
    (if result
     then eq_int(offset_max(Object_alloc_table, x_0), (0))
     else (x_0 = null))) }

parameter safe_byte_of_integer_ :
 x:int -> { } byte { eq_int(integer_of_byte(result), x) }

parameter safe_char_of_integer_ :
 x:int -> { } char { eq_int(integer_of_char(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_long_of_integer_ :
 x:int -> { } long { eq_int(integer_of_long(result), x) }

parameter safe_short_of_integer_ :
 x:int -> { } short { eq_int(integer_of_short(result), x) }

parameter short_of_integer_ :
 x:int ->
  { (le_int((-32768), x) and le_int(x, (32767)))} short
  { eq_int(integer_of_short(result), x) }

let Booleans_f_ensures_default =
 fun (e : bool) (t : bool) (f : bool) (r : bool) ->
  { (JC_14: true) }
  (init:
  (let return = ref (any_bool void) in
  try
   begin
     (return := (K_5: ((K_3: (e || (K_2: (t && f)))) && (K_4: (t || f)))));
    (raise Return);
    absurd 
   end
   with
   Return ->
   !return end))
  { (JC_15:
    eq_bool(result, bool_and(bool_or(e, bool_and(t, f)), bool_or(t, f)))) }

let Booleans_f_safety =
 fun (e : bool) (t : bool) (f : bool) (r : bool) ->
  { (JC_14: true) }
  (init:
  (let return = ref (any_bool void) in
  try
   begin
     (return := (K_5: ((K_3: (e || (K_2: (t && f)))) && (K_4: (t || f)))));
    (raise Return);
    absurd 
   end
   with
   Return ->
   !return end))
  { true }

let cons_Booleans_ensures_default =
 fun (this_0 : Object pointer) ->
  { valid_struct_Booleans(this_0, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_23: true) }

let cons_Booleans_safety =
 fun (this_0 : Object pointer) ->
  { valid_struct_Booleans(this_0, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }


========== make project execution ==========
why --project [...] why/Booleans.why
========== file tests/java/why/Booleans.wpr ==========

  
    
    
    
      
      
    
    
  
  
    
  

========== file tests/java/why/Booleans_ctx.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic div_int : int, int -> int

logic mod_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

logic int_of_real : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

logic sqrt_real : real -> real

logic pow_real : real, real -> real

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type bitvector

logic concat_bitvector : bitvector, bitvector -> bitvector

logic offset_min_bytes : 'a1 alloc_table, 'a1 pointer, int -> int

logic offset_max_bytes : 'a1 alloc_table, 'a1 pointer, int -> int

axiom offset_min_bytes_def:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall s:int [offset_min_bytes(a, p, s)].
        ((0 < s) ->
         ((offset_min(a, p) <= (s * offset_min_bytes(a, p, s))) and
          (((s * offset_min_bytes(a, p, s)) - s) < offset_min(a, p)))))))

axiom offset_max_bytes_def:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall s:int [offset_max_bytes(a, p, s)].
        ((0 < s) ->
         (((((s * offset_max_bytes(a, p, s)) + s) - 1) <= offset_max(a,
          p)) and (offset_max(a, p) < ((((s * offset_max_bytes(a, p,
          s)) + s) + s) - 1)))))))

logic extract_bytes : bitvector, int, int -> bitvector

logic replace_bytes : bitvector, int, int, bitvector -> bitvector

axiom select_store_eq_union:
  (forall o1:int.
    (forall s1:int.
      (forall o2:int.
        (forall s2:int.
          (forall v1:bitvector.
            (forall v2:bitvector [extract_bytes(replace_bytes(v1, o1, s1,
              v2), o2, s2)].
              (((o1 = o2) and (s1 = s2)) -> (extract_bytes(replace_bytes(v1,
               o1, s1, v2), o2, s2) = v2))))))))

axiom select_store_neq_union:
  (forall o1:int.
    (forall s1:int.
      (forall o2:int.
        (forall s2:int.
          (forall v1:bitvector.
            (forall v2:bitvector [extract_bytes(replace_bytes(v1, o1, s1,
              v2), o2, s2)].
              ((((o2 + s2) <= o1) or ((o1 + s2) <= o2)) ->
               (extract_bytes(replace_bytes(v1, o1, s1, v2), o2,
               s2) = extract_bytes(v1, o2, s2)))))))))

axiom concat_replace_bytes_up:
  (forall o1:int.
    (forall s1:int.
      (forall o2:int.
        (forall s2:int.
          (forall v1:bitvector.
            (forall v2:bitvector.
              (forall v3:bitvector [replace_bytes(replace_bytes(v1, o1, s1,
                v2), o2, s2, v3)].
                (((o1 + s1) = o2) -> (replace_bytes(replace_bytes(v1, o1, s1,
                 v2), o2, s2, v3) = replace_bytes(v1, o1, (s1 + s2),
                 concat_bitvector(v2, v3)))))))))))

axiom concat_replace_bytes_down:
  (forall o1:int.
    (forall s1:int.
      (forall o2:int.
        (forall s2:int.
          (forall v1:bitvector.
            (forall v2:bitvector.
              (forall v3:bitvector [replace_bytes(replace_bytes(v1, o1, s1,
                v2), o2, s2, v3)].
                (((o2 + s2) = o1) -> (replace_bytes(replace_bytes(v1, o1, s1,
                 v2), o2, s2, v3) = replace_bytes(v1, o2, (s1 + s2),
                 concat_bitvector(v3, v2)))))))))))

axiom concat_extract_bytes:
  (forall o1:int.
    (forall s1:int.
      (forall o2:int.
        (forall s2:int.
          (forall v:bitvector [concat_bitvector(extract_bytes(v, o1, s1),
            extract_bytes(v, o2, s2))].
            (((o1 + s1) = o2) -> (concat_bitvector(extract_bytes(v, o1, s1),
             extract_bytes(v, o2, s2)) = extract_bytes(v, o1, (s1 + s2)))))))))

logic select_bytes : ('a1, bitvector) memory, 'a1 pointer, int,
int -> bitvector

logic store_bytes : ('a1, bitvector) memory, 'a1 pointer, int, int,
bitvector -> ('a1, bitvector) memory

axiom select_store_eq_bytes:
  (forall m:('a1, bitvector) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall o1:int.
          (forall s1:int.
            (forall o2:int.
              (forall s2:int.
                (forall v:bitvector [select_bytes(store_bytes(m, p1, o1, s1,
                  v), p2, o2, s2)].
                  (((p1 = p2) and ((o1 = o2) and (s1 = s2))) ->
                   (select_bytes(store_bytes(m, p1, o1, s1, v), p2, o2,
                   s2) = v))))))))))

axiom select_store_neq_bytes:
  (forall m:('a1, bitvector) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall o1:int.
          (forall s1:int.
            (forall o2:int.
              (forall s2:int.
                (forall v:bitvector [select_bytes(store_bytes(m, p1, o1, s1,
                  v), p2, o2, s2)].
                  (pset_disjoint(pset_range(pset_singleton(p1), o1,
                   (o1 + s1)), pset_range(pset_singleton(p2), o2,
                   (o2 + s2))) -> (select_bytes(store_bytes(m, p1, o1, s1,
                   v), p2, o2, s2) = select_bytes(m, p2, o2, s2)))))))))))

axiom shift_store_bytes:
  (forall m:('a1, bitvector) memory.
    (forall p:'a1 pointer.
      (forall i:int.
        (forall o:int.
          (forall s:int.
            (forall v:bitvector [store_bytes(m, shift(p, i), o, s, v)].
              (store_bytes(m, shift(p, i), o, s, v) = store_bytes(m, p,
              (o + i), s, v))))))))

axiom shift_select_bytes:
  (forall m:('a1, bitvector) memory.
    (forall p:'a1 pointer.
      (forall i:int.
        (forall o:int.
          (forall s:int.
            (forall v:bitvector [select_bytes(m, shift(p, i), o, s)].
              (select_bytes(m, shift(p, i), o, s) = select_bytes(m, p,
              (o + i), s))))))))

axiom concat_store_bytes_up:
  (forall m:('a1, bitvector) memory.
    (forall p:'a1 pointer.
      (forall o1:int.
        (forall s1:int.
          (forall o2:int.
            (forall s2:int.
              (forall v1:bitvector.
                (forall v2:bitvector [store_bytes(store_bytes(m, p, o1, s1,
                  v1), p, o2, s2, v2)].
                  (((o1 + s1) = o2) -> (store_bytes(store_bytes(m, p, o1, s1,
                   v1), p, o2, s2, v2) = store_bytes(m, p, o1, (s1 + s2),
                   concat_bitvector(v1, v2))))))))))))

axiom concat_store_bytes_down:
  (forall m:('a1, bitvector) memory.
    (forall p:'a1 pointer.
      (forall o1:int.
        (forall s1:int.
          (forall o2:int.
            (forall s2:int.
              (forall v1:bitvector.
                (forall v2:bitvector [store_bytes(store_bytes(m, p, o1, s1,
                  v1), p, o2, s2, v2)].
                  (((o2 + s2) = o1) -> (store_bytes(store_bytes(m, p, o1, s1,
                   v1), p, o2, s2, v2) = store_bytes(m, p, o2, (s1 + s2),
                   concat_bitvector(v2, v1))))))))))))

axiom concat_select_bytes:
  (forall m:('a1, bitvector) memory.
    (forall p:'a1 pointer.
      (forall o1:int.
        (forall s1:int.
          (forall o2:int.
            (forall s2:int [concat_bitvector(select_bytes(m, p, o1, s1),
              select_bytes(m, p, o2, s2))].
              (((o1 + s1) = o2) -> (concat_bitvector(select_bytes(m, p, o1,
               s1), select_bytes(m, p, o2, s2)) = select_bytes(m, p, o1,
               (s1 + s2))))))))))

logic integer_of_bitvector : bitvector -> int

logic bitvector_of_integer : int -> bitvector

logic real_of_bitvector : bitvector -> real

type Object

type byte

type char

type int32

type interface

type long

type short

logic Booleans_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Booleans_parenttag_Object: parenttag(Booleans_tag, Object_tag)

logic Exception_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x) = 0)

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_bitvector : bitvector -> Object pointer

logic bitvector_of_Object : Object pointer -> bitvector

axiom Object_of_bitvector_of_bitvector_of_Object:
  (forall x:Object pointer.
    (Object_of_bitvector(bitvector_of_Object(x)) = x))

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

axiom bitvector_of_Object_of_Object_of_bitvector:
  (forall x:bitvector. (bitvector_of_Object(Object_of_bitvector(x)) = x))

logic bitvector_of_byte : byte -> bitvector

logic byte_of_bitvector : bitvector -> byte

axiom bitvector_of_byte_of_byte_of_bitvector:
  (forall x:bitvector. (bitvector_of_byte(byte_of_bitvector(x)) = x))

logic bitvector_of_char : char -> bitvector

logic char_of_bitvector : bitvector -> char

axiom bitvector_of_char_of_char_of_bitvector:
  (forall x:bitvector. (bitvector_of_char(char_of_bitvector(x)) = x))

logic bitvector_of_int32 : int32 -> bitvector

logic int32_of_bitvector : bitvector -> int32

axiom bitvector_of_int32_of_int32_of_bitvector:
  (forall x:bitvector. (bitvector_of_int32(int32_of_bitvector(x)) = x))

logic bitvector_of_interface : interface pointer -> bitvector

logic interface_of_bitvector : bitvector -> interface pointer

axiom bitvector_of_interface_of_interface_of_bitvector:
  (forall x:bitvector.
    (bitvector_of_interface(interface_of_bitvector(x)) = x))

logic bitvector_of_long : long -> bitvector

logic long_of_bitvector : bitvector -> long

axiom bitvector_of_long_of_long_of_bitvector:
  (forall x:bitvector. (bitvector_of_long(long_of_bitvector(x)) = x))

logic bitvector_of_short : short -> bitvector

logic short_of_bitvector : bitvector -> short

axiom bitvector_of_short_of_short_of_bitvector:
  (forall x:bitvector. (bitvector_of_short(short_of_bitvector(x)) = x))

logic integer_of_byte : byte -> int

logic byte_of_integer : int -> byte

axiom byte_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_byte(byte_of_integer(x)) = x)))

predicate eq_byte(x: byte, y: byte) =
  (integer_of_byte(x) = integer_of_byte(y))

axiom byte_of_bitvector_of_bitvector_of_byte:
  (forall x:byte. eq_byte(byte_of_bitvector(bitvector_of_byte(x)), x))

axiom byte_range:
  (forall x:byte.
    (((-128) <= integer_of_byte(x)) and (integer_of_byte(x) <= 127)))

logic integer_of_char : char -> int

logic char_of_integer : int -> char

axiom char_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 65535)) -> (integer_of_char(char_of_integer(x)) = x)))

predicate eq_char(x: char, y: char) =
  (integer_of_char(x) = integer_of_char(y))

axiom char_of_bitvector_of_bitvector_of_char:
  (forall x:char. eq_char(char_of_bitvector(bitvector_of_char(x)), x))

axiom char_range:
  (forall x:char.
    ((0 <= integer_of_char(x)) and (integer_of_char(x) <= 65535)))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_long : long -> int

predicate eq_long(x: long, y: long) =
  (integer_of_long(x) = integer_of_long(y))

logic integer_of_short : short -> int

predicate eq_short(x: short, y: short) =
  (integer_of_short(x) = integer_of_short(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_of_bitvector_of_bitvector_of_int32:
  (forall x:int32. eq_int32(int32_of_bitvector(bitvector_of_int32(x)), x))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

axiom interface_of_bitvector_of_bitvector_of_interface:
  (forall x:interface pointer.
    (interface_of_bitvector(bitvector_of_interface(x)) = x))

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Booleans(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer : int -> long

axiom long_coerce:
  (forall x:int.
    ((((-9223372036854775808) <= x) and (x <= 9223372036854775807)) ->
     (integer_of_long(long_of_integer(x)) = x)))

axiom long_of_bitvector_of_bitvector_of_long:
  (forall x:long. eq_long(long_of_bitvector(bitvector_of_long(x)), x))

axiom long_range:
  (forall x:long.
    (((-9223372036854775808) <= integer_of_long(x)) and
     (integer_of_long(x) <= 9223372036854775807)))

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Booleans(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer : int -> short

axiom short_coerce:
  (forall x:int.
    ((((-32768) <= x) and (x <= 32767)) ->
     (integer_of_short(short_of_integer(x)) = x)))

axiom short_of_bitvector_of_bitvector_of_short:
  (forall x:short. eq_short(short_of_bitvector(bitvector_of_short(x)), x))

axiom short_range:
  (forall x:short.
    (((-32768) <= integer_of_short(x)) and (integer_of_short(x) <= 32767)))

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Booleans(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_bitvector_struct_Object(p: unit pointer, a: int, b: int,
  bitvector_alloc_table: unit alloc_table) =
  ((offset_min(bitvector_alloc_table, p) = a) and
   (offset_max(bitvector_alloc_table, p) = b))

predicate valid_bitvector_struct_Booleans(p: unit pointer, a: int, b: int,
  bitvector_alloc_table: unit alloc_table) = valid_bitvector_struct_Object(p,
  a, b, bitvector_alloc_table)

predicate valid_bitvector_struct_Exception(p: unit pointer, a: int, b: int,
  bitvector_alloc_table: unit alloc_table) = valid_bitvector_struct_Object(p,
  a, b, bitvector_alloc_table)

predicate valid_bitvector_struct_String(p: unit pointer, a: int, b: int,
  bitvector_alloc_table: unit alloc_table) = valid_bitvector_struct_Object(p,
  a, b, bitvector_alloc_table)

predicate valid_bitvector_struct_Throwable(p: unit pointer, a: int, b: int,
  bitvector_alloc_table: unit alloc_table) = valid_bitvector_struct_Object(p,
  a, b, bitvector_alloc_table)

predicate valid_bitvector_struct_interface(p: unit pointer, a: int, b: int,
  bitvector_alloc_table: unit alloc_table) =
  ((offset_min(bitvector_alloc_table, p) = a) and
   (offset_max(bitvector_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Booleans(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

========== file tests/java/why/Booleans_po1.why ==========
goal Booleans_f_ensures_default_po_1:
  forall e:bool.
  forall t:bool.
  forall f:bool.
  ("JC_14": true) ->
  forall result:bool.
  (if result then
   (((e = true) or ((e = false) and ((t = true) and (f = true)))) and
    ((t = true) or ((t = false) and (f = true)))) else
   (((e = false) and ((t = false) or ((t = true) and (f = false)))) or
    (((e = true) or ((e = false) and ((t = true) and (f = true)))) and
     ((t = false) and (f = false))))) ->
  forall return:bool.
  (return = result) ->
  ("JC_15": (return = bool_and(bool_or(e, bool_and(t, f)), bool_or(t, f))))

========== generation of Simplify VC output ==========
why -simplify [...] why/Booleans.why
========== file tests/java/simplify/Booleans_why.sx ==========

;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom abs_int_pos
 (FORALL (x) (IMPLIES (>= x 0) (EQ (abs_int x) x))))

(BG_PUSH
 ;; Why axiom abs_int_neg
 (FORALL (x) (IMPLIES (<= x 0) (EQ (abs_int x) (- 0 x)))))

(BG_PUSH
 ;; Why axiom int_max_is_ge
 (FORALL (x y) (AND (>= (int_max x y) x) (>= (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_max_is_some
 (FORALL (x y) (OR (EQ (int_max x y) x) (EQ (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_le
 (FORALL (x y) (AND (<= (int_min x y) x) (<= (int_min x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_some
 (FORALL (x y) (OR (EQ (int_min x y) x) (EQ (int_min x y) y))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom real_max_is_ge
 (FORALL (x y)
 (AND (EQ (ge_real (real_max x y) x) |@true|)
 (EQ (ge_real (real_max x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_max_is_some
 (FORALL (x y) (OR (EQ (real_max x y) x) (EQ (real_max x y) y))))

(BG_PUSH
 ;; Why axiom real_min_is_le
 (FORALL (x y)
 (AND (EQ (le_real (real_min x y) x) |@true|)
 (EQ (le_real (real_min x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_min_is_some
 (FORALL (x y) (OR (EQ (real_min x y) x) (EQ (real_min x y) y))))

(BG_PUSH
 ;; Why axiom abs_real_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|) (EQ (real_abs x) x))))

(BG_PUSH
 ;; Why axiom abs_real_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (EQ (real_abs x) (real_neg x)))))

(BG_PUSH
 ;; Why axiom log_exp
 (FORALL (x) (EQ (log (exp x)) x)))

(BG_PUSH
 ;; Why axiom prod_pos
 (FORALL (x y)
 (AND
 (IMPLIES
 (AND (EQ (gt_real x real_constant_0_0e) |@true|)
 (EQ (gt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|))
 (IMPLIES
 (AND (EQ (lt_real x real_constant_0_0e) |@true|)
 (EQ (lt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|)))))

(BG_PUSH
 ;; Why axiom abs_minus
 (FORALL (x) (EQ (real_abs (real_neg x)) (real_abs x))))

(DEFPRED (valid a p) (AND (<= (offset_min a p) 0) (>= (offset_max a p) 0)))

(DEFPRED (same_block p q) (EQ (base_block p) (base_block q)))

(BG_PUSH
 ;; Why axiom address_injective
 (FORALL (p q) (IFF (EQ p q) (EQ (address p) (address q)))))

(BG_PUSH
 ;; Why axiom address_null
 (EQ (address null) 0))

(BG_PUSH
 ;; Why axiom address_shift_lt
 (FORALL (p i j)
 (IFF (< (address (shift p i)) (address (shift p j))) (< i j))))

(BG_PUSH
 ;; Why axiom address_shift_le
 (FORALL (p i j)
 (IFF (<= (address (shift p i)) (address (shift p j))) (<= i j))))

(BG_PUSH
 ;; Why axiom shift_zero
 (FORALL (p) (EQ (shift p 0) p)))

(BG_PUSH
 ;; Why axiom shift_shift
 (FORALL (p i j) (EQ (shift (shift p i) j) (shift p (+ i j)))))

(BG_PUSH
 ;; Why axiom offset_max_shift
 (FORALL (a p i) (EQ (offset_max a (shift p i)) (- (offset_max a p) i))))

(BG_PUSH
 ;; Why axiom offset_min_shift
 (FORALL (a p i) (EQ (offset_min a (shift p i)) (- (offset_min a p) i))))

(BG_PUSH
 ;; Why axiom neq_shift
 (FORALL (p i j) (IMPLIES (NEQ i j) (NEQ (shift p i) (shift p j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j) (FORALL (p) (NEQ (shift p i) (shift p j))))))

(BG_PUSH
 ;; Why axiom null_not_valid
 (FORALL (a) (NOT (valid a null))))

(BG_PUSH
 ;; Why axiom null_pointer
 (FORALL (a)
 (AND (>= (offset_min a null) 0) (<= (offset_max a null) (- 0 2)))))

(BG_PUSH
 ;; Why axiom eq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (eq_pointer_bool p1 p2) |@true|) (EQ p1 p2))))

(BG_PUSH
 ;; Why axiom neq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (neq_pointer_bool p1 p2) |@true|) (NEQ p1 p2))))

(BG_PUSH
 ;; Why axiom same_block_shift_right
 (FORALL (p q i) (IMPLIES (same_block p q) (same_block p (shift q i))))

 (FORALL (p q)
 (IMPLIES (same_block p q) (FORALL (i) (same_block p (shift q i))))))

(BG_PUSH
 ;; Why axiom same_block_shift_left
 (FORALL (p q i) (IMPLIES (same_block q p) (same_block (shift q i) p)))

 (FORALL (p q)
 (IMPLIES (same_block q p) (FORALL (i) (same_block (shift q i) p)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift
 (FORALL (p q) (IMPLIES (same_block p q) (EQ p (shift q (sub_pointer p q))))))

(BG_PUSH
 ;; Why axiom sub_pointer_self
 (FORALL (p) (EQ (sub_pointer p p) 0)))

(BG_PUSH
 ;; Why axiom sub_pointer_zero
 (FORALL (p q)
 (IMPLIES (same_block p q) (IMPLIES (EQ (sub_pointer p q) 0) (EQ p q)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_left
 (FORALL (p q i) (EQ (sub_pointer (shift p i) q) (+ (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_right
 (FORALL (p q i) (EQ (sub_pointer p (shift q i)) (- (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom select_store_eq
 (FORALL (m p1 p2 a)
 (IMPLIES (EQ p1 p2) (EQ (select (|why__store| m p1 a) p2) a)))

 (FORALL (p1 p2)
 (IMPLIES (EQ p1 p2) (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) a)))))

(BG_PUSH
 ;; Why axiom select_store_neq
 (FORALL (m p1 p2 a)
 (IMPLIES (NEQ p1 p2) (EQ (select (|why__store| m p1 a) p2) (select m p2))))

 (FORALL (p1 p2)
 (IMPLIES (NEQ p1 p2)
 (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) (select m p2))))))

(DEFPRED (pset_disjoint ps1 ps2)
  (FORALL (p)
  (NOT (AND (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|)))))

(DEFPRED (pset_included ps1 ps2)
  (FORALL (p)
  (IMPLIES (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|))))

(BG_PUSH
 ;; Why axiom pset_included_self
 (FORALL (ps) (pset_included ps ps)))

(BG_PUSH
 ;; Why axiom pset_included_range
 (FORALL (ps a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (pset_included (pset_range ps a b) (pset_range ps c d))))

 (FORALL (a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (FORALL (ps) (pset_included (pset_range ps a b) (pset_range ps c d))))))

(BG_PUSH
 ;; Why axiom pset_included_range_all
 (FORALL (ps a b c d) (pset_included (pset_range ps a b) (pset_all ps))))

(BG_PUSH
 ;; Why axiom in_pset_empty
 (FORALL (p) (NOT (EQ (in_pset p pset_empty) |@true|))))

(BG_PUSH
 ;; Why axiom in_pset_singleton
 (FORALL (p q) (IFF (EQ (in_pset p (pset_singleton q)) |@true|) (EQ p q))))

(BG_PUSH
 ;; Why axiom in_pset_deref
 (FORALL (p m q)
 (IFF (EQ (in_pset p (pset_deref m q)) |@true|)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (select m r)))))))

(BG_PUSH
 ;; Why axiom in_pset_all
 (FORALL (p q)
 (IFF (EQ (in_pset p (pset_all q)) |@true|)
 (EXISTS (i)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))

(BG_PUSH
 ;; Why axiom in_pset_range
 (FORALL (p q a b)
 (IFF (EQ (in_pset p (pset_range q a b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_left
 (FORALL (p q b)
 (IFF (EQ (in_pset p (pset_range_left q b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_right
 (FORALL (p q a)
 (IFF (EQ (in_pset p (pset_range_right q a)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_union
 (FORALL (p s1 s2)
 (IFF (EQ (in_pset p (pset_union s1 s2)) |@true|)
 (OR (EQ (in_pset p s1) |@true|) (EQ (in_pset p s2) |@true|)))))

(BG_PUSH
 ;; Why axiom valid_pset_empty
 (FORALL (a) (EQ (valid_pset a pset_empty) |@true|)))

(BG_PUSH
 ;; Why axiom valid_pset_singleton
 (FORALL (a p)
 (IFF (EQ (valid_pset a (pset_singleton p)) |@true|) (valid a p))))

(BG_PUSH
 ;; Why axiom valid_pset_deref
 (FORALL (a m q)
 (IFF (EQ (valid_pset a (pset_deref m q)) |@true|)
 (FORALL (r p)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (EQ p (select m r))) (valid a p))))))

(BG_PUSH
 ;; Why axiom valid_pset_range
 (FORALL (a q c d)
 (IFF (EQ (valid_pset a (pset_range q c d)) |@true|)
 (FORALL (i r)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (AND (<= c i) (<= i d)))
 (valid a (shift r i)))))))

(BG_PUSH
 ;; Why axiom valid_pset_union
 (FORALL (a s1 s2)
 (IFF (EQ (valid_pset a (pset_union s1 s2)) |@true|)
 (AND (EQ (valid_pset a s1) |@true|) (EQ (valid_pset a s2) |@true|)))))

(DEFPRED (not_assigns a m1 m2 l)
  (FORALL (p)
  (IMPLIES (AND (valid a p) (NOT (EQ (in_pset p l) |@true|)))
  (EQ (select m2 p) (select m1 p)))))

(BG_PUSH
 ;; Why axiom not_assigns_refl
 (FORALL (a m l) (not_assigns a m m l)))

(BG_PUSH
 ;; Why axiom not_assigns_trans
 (FORALL (a m1 m2 m3 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))

 (FORALL (a m1 m2 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (FORALL (m3) (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))))

(BG_PUSH
 ;; Why axiom full_separated_shift1
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift2
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift3
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift4
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom subtag_bool_def
 (FORALL (t1 t2)
 (IFF (EQ (subtag_bool t1 t2) |@true|) (EQ (subtag t1 t2) |@true|))))

(BG_PUSH
 ;; Why axiom subtag_refl
 (FORALL (t) (EQ (subtag t t) |@true|)))

(BG_PUSH
 ;; Why axiom subtag_parent
 (FORALL (t1 t2 t3)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))

 (FORALL (t1 t2)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))))

(DEFPRED (instanceof a p t) (EQ (subtag (typeof a p) t) |@true|))

(BG_PUSH
 ;; Why axiom downcast_instanceof
 (FORALL (a p s) (IMPLIES (instanceof a p s) (EQ (downcast a p s) p))))

(BG_PUSH
 ;; Why axiom bottom_tag_axiom
 (FORALL (t) (EQ (subtag t bottom_tag) |@true|)))

(DEFPRED (root_tag t) (EQ (parenttag t bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom root_subtag
 (FORALL (a b c)
 (IMPLIES (root_tag a)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|)))))))

 (FORALL (a)
 (IMPLIES (root_tag a)
 (FORALL (b)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (FORALL (c)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|))))))))))

(DEFPRED (fully_packed tag_table mutable this)
  (EQ (select mutable this) (typeof tag_table this)))

(BG_PUSH
 ;; Why axiom bw_and_not_null
 (FORALL (a b) (IMPLIES (NEQ (bw_and a b) 0) (AND (NEQ a 0) (NEQ b 0)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsl a b)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_monotone
 (FORALL (a1 a2 b)
 (IMPLIES (AND (<= 0 a1) (AND (<= a1 a2) (<= 0 b)))
 (<= (lsl a1 b) (lsl a2 b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_decreases
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsr a b) a))))

(BG_PUSH
 ;; Why axiom asr_positive_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (asr a b)))))

(BG_PUSH
 ;; Why axiom asr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (asr a b) a))))

(BG_PUSH
 ;; Why axiom asr_lsr_same_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (asr a b) (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsl_of_lsr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsl (lsr a b) b) a))))

(BG_PUSH
 ;; Why axiom lsr_of_lsl_identity_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (lsr (lsl a b) b) a))))

(DEFPRED (alloc_fresh a p n)
  (FORALL (i) (IMPLIES (AND (<= 0 i) (< i n)) (NOT (valid a (shift p i))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_min
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_max
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_not_assigns_empty
 (FORALL (a1 a2 m1 m2 l p n)
 (IMPLIES
 (AND (EQ (alloc_extends a1 a2) |@true|)
 (AND (alloc_fresh a1 p n)
 (AND (not_assigns a2 m1 m2 l)
 (pset_included l (pset_all (pset_singleton p))))))
 (not_assigns a1 m1 m2 pset_empty))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_min
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_max
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom offset_min_bytes_def
 (FORALL (a p s)
 (IMPLIES (< 0 s)
 (AND (<= (offset_min a p) (* s (offset_min_bytes a p s)))
 (< (- (* s (offset_min_bytes a p s)) s) (offset_min a p)))))

 (FORALL (s)
 (IMPLIES (< 0 s)
 (FORALL (a p)
 (AND (<= (offset_min a p) (* s (offset_min_bytes a p s)))
 (< (- (* s (offset_min_bytes a p s)) s) (offset_min a p)))))))

(BG_PUSH
 ;; Why axiom offset_max_bytes_def
 (FORALL (a p s)
 (IMPLIES (< 0 s)
 (AND (<= (- (+ (* s (offset_max_bytes a p s)) s) 1) (offset_max a p))
 (< (offset_max a p) (- (+ (+ (* s (offset_max_bytes a p s)) s) s) 1)))))

 (FORALL (s)
 (IMPLIES (< 0 s)
 (FORALL (a p)
 (AND (<= (- (+ (* s (offset_max_bytes a p s)) s) 1) (offset_max a p))
 (< (offset_max a p) (- (+ (+ (* s (offset_max_bytes a p s)) s) s) 1)))))))

(BG_PUSH
 ;; Why axiom select_store_eq_union
 (FORALL (o1 s1 o2 s2 v1 v2)
 (IMPLIES (AND (EQ o1 o2) (EQ s1 s2))
 (EQ (extract_bytes (replace_bytes v1 o1 s1 v2) o2 s2) v2)))

 (FORALL (o1 s1 o2 s2)
 (IMPLIES (AND (EQ o1 o2) (EQ s1 s2))
 (FORALL (v1 v2) (EQ (extract_bytes (replace_bytes v1 o1 s1 v2) o2 s2) v2)))))

(BG_PUSH
 ;; Why axiom select_store_neq_union
 (FORALL (o1 s1 o2 s2 v1 v2)
 (IMPLIES (OR (<= (+ o2 s2) o1) (<= (+ o1 s2) o2))
 (EQ (extract_bytes (replace_bytes v1 o1 s1 v2) o2 s2)
 (extract_bytes v1 o2 s2))))

 (FORALL (o1 o2 s2)
 (IMPLIES (OR (<= (+ o2 s2) o1) (<= (+ o1 s2) o2))
 (FORALL (s1 v1 v2)
 (EQ (extract_bytes (replace_bytes v1 o1 s1 v2) o2 s2)
 (extract_bytes v1 o2 s2))))))

(BG_PUSH
 ;; Why axiom concat_replace_bytes_up
 (FORALL (o1 s1 o2 s2 v1 v2 v3)
 (IMPLIES (EQ (+ o1 s1) o2)
 (EQ (replace_bytes (replace_bytes v1 o1 s1 v2) o2 s2 v3)
 (replace_bytes v1 o1 (+ s1 s2) (concat_bitvector v2 v3)))))

 (FORALL (o1 s1 o2)
 (IMPLIES (EQ (+ o1 s1) o2)
 (FORALL (s2 v1 v2 v3)
 (EQ (replace_bytes (replace_bytes v1 o1 s1 v2) o2 s2 v3)
 (replace_bytes v1 o1 (+ s1 s2) (concat_bitvector v2 v3)))))))

(BG_PUSH
 ;; Why axiom concat_replace_bytes_down
 (FORALL (o1 s1 o2 s2 v1 v2 v3)
 (IMPLIES (EQ (+ o2 s2) o1)
 (EQ (replace_bytes (replace_bytes v1 o1 s1 v2) o2 s2 v3)
 (replace_bytes v1 o2 (+ s1 s2) (concat_bitvector v3 v2)))))

 (FORALL (o1 o2 s2)
 (IMPLIES (EQ (+ o2 s2) o1)
 (FORALL (s1 v1 v2 v3)
 (EQ (replace_bytes (replace_bytes v1 o1 s1 v2) o2 s2 v3)
 (replace_bytes v1 o2 (+ s1 s2) (concat_bitvector v3 v2)))))))

(BG_PUSH
 ;; Why axiom concat_extract_bytes
 (FORALL (o1 s1 o2 s2 v)
 (IMPLIES (EQ (+ o1 s1) o2)
 (EQ (concat_bitvector (extract_bytes v o1 s1) (extract_bytes v o2 s2))
 (extract_bytes v o1 (+ s1 s2)))))

 (FORALL (o1 s1 o2)
 (IMPLIES (EQ (+ o1 s1) o2)
 (FORALL (s2 v)
 (EQ (concat_bitvector (extract_bytes v o1 s1) (extract_bytes v o2 s2))
 (extract_bytes v o1 (+ s1 s2)))))))

(BG_PUSH
 ;; Why axiom select_store_eq_bytes
 (FORALL (m p1 p2 o1 s1 o2 s2 v)
 (IMPLIES (AND (EQ p1 p2) (AND (EQ o1 o2) (EQ s1 s2)))
 (EQ (select_bytes (store_bytes m p1 o1 s1 v) p2 o2 s2) v)))

 (FORALL (p1 p2 o1 s1 o2 s2)
 (IMPLIES (AND (EQ p1 p2) (AND (EQ o1 o2) (EQ s1 s2)))
 (FORALL (m v) (EQ (select_bytes (store_bytes m p1 o1 s1 v) p2 o2 s2) v)))))

(BG_PUSH
 ;; Why axiom select_store_neq_bytes
 (FORALL (m p1 p2 o1 s1 o2 s2 v)
 (IMPLIES
 (pset_disjoint
 (pset_range (pset_singleton p1) o1 (+ o1 s1)) (pset_range
                                               (pset_singleton p2) o2 
                                               (+ o2 s2)))
 (EQ (select_bytes (store_bytes m p1 o1 s1 v) p2 o2 s2)
 (select_bytes m p2 o2 s2))))

 (FORALL (p1 p2 o1 s1 o2 s2)
 (IMPLIES
 (pset_disjoint
 (pset_range (pset_singleton p1) o1 (+ o1 s1)) (pset_range
                                               (pset_singleton p2) o2 
                                               (+ o2 s2)))
 (FORALL (m v)
 (EQ (select_bytes (store_bytes m p1 o1 s1 v) p2 o2 s2)
 (select_bytes m p2 o2 s2))))))

(BG_PUSH
 ;; Why axiom shift_store_bytes
 (FORALL (m p i o s v)
 (EQ (store_bytes m (shift p i) o s v) (store_bytes m p (+ o i) s v))))

(BG_PUSH
 ;; Why axiom shift_select_bytes
 (FORALL (m p i o s v)
 (EQ (select_bytes m (shift p i) o s) (select_bytes m p (+ o i) s))))

(BG_PUSH
 ;; Why axiom concat_store_bytes_up
 (FORALL (m p o1 s1 o2 s2 v1 v2)
 (IMPLIES (EQ (+ o1 s1) o2)
 (EQ (store_bytes (store_bytes m p o1 s1 v1) p o2 s2 v2)
 (store_bytes m p o1 (+ s1 s2) (concat_bitvector v1 v2)))))

 (FORALL (o1 s1 o2)
 (IMPLIES (EQ (+ o1 s1) o2)
 (FORALL (m p s2 v1 v2)
 (EQ (store_bytes (store_bytes m p o1 s1 v1) p o2 s2 v2)
 (store_bytes m p o1 (+ s1 s2) (concat_bitvector v1 v2)))))))

(BG_PUSH
 ;; Why axiom concat_store_bytes_down
 (FORALL (m p o1 s1 o2 s2 v1 v2)
 (IMPLIES (EQ (+ o2 s2) o1)
 (EQ (store_bytes (store_bytes m p o1 s1 v1) p o2 s2 v2)
 (store_bytes m p o2 (+ s1 s2) (concat_bitvector v2 v1)))))

 (FORALL (o1 o2 s2)
 (IMPLIES (EQ (+ o2 s2) o1)
 (FORALL (m p s1 v1 v2)
 (EQ (store_bytes (store_bytes m p o1 s1 v1) p o2 s2 v2)
 (store_bytes m p o2 (+ s1 s2) (concat_bitvector v2 v1)))))))

(BG_PUSH
 ;; Why axiom concat_select_bytes
 (FORALL (m p o1 s1 o2 s2)
 (IMPLIES (EQ (+ o1 s1) o2)
 (EQ (concat_bitvector (select_bytes m p o1 s1) (select_bytes m p o2 s2))
 (select_bytes m p o1 (+ s1 s2)))))

 (FORALL (o1 s1 o2)
 (IMPLIES (EQ (+ o1 s1) o2)
 (FORALL (m p s2)
 (EQ (concat_bitvector (select_bytes m p o1 s1) (select_bytes m p o2 s2))
 (select_bytes m p o1 (+ s1 s2)))))))

(BG_PUSH
 ;; Why axiom Booleans_parenttag_Object
 (EQ (parenttag Booleans_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Exception_parenttag_Object
 (EQ (parenttag Exception_tag Object_tag) |@true|))

(DEFPRED (Non_null_Object x Object_alloc_table)
  (EQ (offset_max Object_alloc_table x) 0))

(BG_PUSH
 ;; Why axiom Object_int
 (EQ (int_of_tag Object_tag) 1))

(BG_PUSH
 ;; Why axiom Object_of_bitvector_of_bitvector_of_Object
 (FORALL (x) (EQ (Object_of_bitvector (bitvector_of_Object x)) x)))

(BG_PUSH
 ;; Why axiom Object_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (Object_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom Object_parenttag_bottom
 (EQ (parenttag Object_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom Object_tags
 (FORALL (x Object_tag_table) (instanceof Object_tag_table x Object_tag)))

(BG_PUSH
 ;; Why axiom String_parenttag_Object
 (EQ (parenttag String_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Throwable_parenttag_Object
 (EQ (parenttag Throwable_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom bitvector_of_Object_of_Object_of_bitvector
 (FORALL (x) (EQ (bitvector_of_Object (Object_of_bitvector x)) x)))

(BG_PUSH
 ;; Why axiom bitvector_of_byte_of_byte_of_bitvector
 (FORALL (x) (EQ (bitvector_of_byte (byte_of_bitvector x)) x)))

(BG_PUSH
 ;; Why axiom bitvector_of_char_of_char_of_bitvector
 (FORALL (x) (EQ (bitvector_of_char (char_of_bitvector x)) x)))

(BG_PUSH
 ;; Why axiom bitvector_of_int32_of_int32_of_bitvector
 (FORALL (x) (EQ (bitvector_of_int32 (int32_of_bitvector x)) x)))

(BG_PUSH
 ;; Why axiom bitvector_of_interface_of_interface_of_bitvector
 (FORALL (x) (EQ (bitvector_of_interface (interface_of_bitvector x)) x)))

(BG_PUSH
 ;; Why axiom bitvector_of_long_of_long_of_bitvector
 (FORALL (x) (EQ (bitvector_of_long (long_of_bitvector x)) x)))

(BG_PUSH
 ;; Why axiom bitvector_of_short_of_short_of_bitvector
 (FORALL (x) (EQ (bitvector_of_short (short_of_bitvector x)) x)))

(BG_PUSH
 ;; Why axiom byte_coerce
 (FORALL (x)
 (IMPLIES (AND (<= (- 0 128) x) (<= x 127))
 (EQ (integer_of_byte (byte_of_integer x)) x))))

(DEFPRED (eq_byte x y) (EQ (integer_of_byte x) (integer_of_byte y)))

(BG_PUSH
 ;; Why axiom byte_of_bitvector_of_bitvector_of_byte
 (FORALL (x) (eq_byte (byte_of_bitvector (bitvector_of_byte x)) x)))

(BG_PUSH
 ;; Why axiom byte_range
 (FORALL (x)
 (AND (<= (- 0 128) (integer_of_byte x)) (<= (integer_of_byte x) 127))))

(BG_PUSH
 ;; Why axiom char_coerce
 (FORALL (x)
 (IMPLIES (AND (<= 0 x) (<= x 65535))
 (EQ (integer_of_char (char_of_integer x)) x))))

(DEFPRED (eq_char x y) (EQ (integer_of_char x) (integer_of_char y)))

(BG_PUSH
 ;; Why axiom char_of_bitvector_of_bitvector_of_char
 (FORALL (x) (eq_char (char_of_bitvector (bitvector_of_char x)) x)))

(BG_PUSH
 ;; Why axiom char_range
 (FORALL (x) (AND (<= 0 (integer_of_char x)) (<= (integer_of_char x) 65535))))

(DEFPRED (eq_int32 x y) (EQ (integer_of_int32 x) (integer_of_int32 y)))

(DEFPRED (eq_long x y) (EQ (integer_of_long x) (integer_of_long y)))

(DEFPRED (eq_short x y) (EQ (integer_of_short x) (integer_of_short y)))

(BG_PUSH
 ;; Why axiom int32_coerce
 (FORALL (x)
 (IMPLIES
 (AND (<= (- 0 constant_too_large_2147483648) x)
 (<= x constant_too_large_2147483647))
 (EQ (integer_of_int32 (int32_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom int32_of_bitvector_of_bitvector_of_int32
 (FORALL (x) (eq_int32 (int32_of_bitvector (bitvector_of_int32 x)) x)))

(BG_PUSH
 ;; Why axiom int32_range
 (FORALL (x)
 (AND (<= (- 0 constant_too_large_2147483648) (integer_of_int32 x))
 (<= (integer_of_int32 x) constant_too_large_2147483647))))

(BG_PUSH
 ;; Why axiom interface_int
 (EQ (int_of_tag interface_tag) 1))

(BG_PUSH
 ;; Why axiom interface_of_bitvector_of_bitvector_of_interface
 (FORALL (x) (EQ (interface_of_bitvector (bitvector_of_interface x)) x)))

(BG_PUSH
 ;; Why axiom interface_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (interface_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom interface_parenttag_bottom
 (EQ (parenttag interface_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_tags
 (FORALL (x interface_tag_table)
 (instanceof interface_tag_table x interface_tag)))

(DEFPRED (left_valid_struct_Object p a Object_alloc_table)
  (<= (offset_min Object_alloc_table p) a))

(DEFPRED (left_valid_struct_Booleans p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Exception p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_String p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Throwable p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_interface p a interface_alloc_table)
  (<= (offset_min interface_alloc_table p) a))

(BG_PUSH
 ;; Why axiom long_coerce
 (FORALL (x)
 (IMPLIES
 (AND (<= (- 0 constant_too_large_9223372036854775808) x)
 (<= x constant_too_large_9223372036854775807))
 (EQ (integer_of_long (long_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom long_of_bitvector_of_bitvector_of_long
 (FORALL (x) (eq_long (long_of_bitvector (bitvector_of_long x)) x)))

(BG_PUSH
 ;; Why axiom long_range
 (FORALL (x)
 (AND (<= (- 0 constant_too_large_9223372036854775808) (integer_of_long x))
 (<= (integer_of_long x) constant_too_large_9223372036854775807))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_Object_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (Object_of_pointer_address p)))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_interface_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (interface_of_pointer_address p)))))

(DEFPRED (right_valid_struct_Object p b Object_alloc_table)
  (>= (offset_max Object_alloc_table p) b))

(DEFPRED (right_valid_struct_Booleans p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Exception p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_String p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Throwable p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_interface p b interface_alloc_table)
  (>= (offset_max interface_alloc_table p) b))

(BG_PUSH
 ;; Why axiom short_coerce
 (FORALL (x)
 (IMPLIES (AND (<= (- 0 32768) x) (<= x 32767))
 (EQ (integer_of_short (short_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom short_of_bitvector_of_bitvector_of_short
 (FORALL (x) (eq_short (short_of_bitvector (bitvector_of_short x)) x)))

(BG_PUSH
 ;; Why axiom short_range
 (FORALL (x)
 (AND (<= (- 0 32768) (integer_of_short x)) (<= (integer_of_short x) 32767))))

(DEFPRED (strict_valid_root_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_root_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Booleans p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Exception p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_String p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Throwable p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_bitvector_struct_Object p a b bitvector_alloc_table)
  (AND (EQ (offset_min bitvector_alloc_table p) a)
  (EQ (offset_max bitvector_alloc_table p) b)))

(DEFPRED (valid_bitvector_struct_Booleans p a b bitvector_alloc_table)
  (valid_bitvector_struct_Object p a b bitvector_alloc_table))

(DEFPRED (valid_bitvector_struct_Exception p a b bitvector_alloc_table)
  (valid_bitvector_struct_Object p a b bitvector_alloc_table))

(DEFPRED (valid_bitvector_struct_String p a b bitvector_alloc_table)
  (valid_bitvector_struct_Object p a b bitvector_alloc_table))

(DEFPRED (valid_bitvector_struct_Throwable p a b bitvector_alloc_table)
  (valid_bitvector_struct_Object p a b bitvector_alloc_table))

(DEFPRED (valid_bitvector_struct_interface p a b bitvector_alloc_table)
  (AND (EQ (offset_min bitvector_alloc_table p) a)
  (EQ (offset_max bitvector_alloc_table p) b)))

(DEFPRED (valid_root_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_root_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_struct_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_struct_Booleans p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Exception p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_String p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Throwable p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

;; Booleans_f_ensures_default_po_1, File "HOME/tests/java/Booleans.java", line 4, characters 16-57
(FORALL (e)
(FORALL (t)
(FORALL (f)
(IMPLIES TRUE
(FORALL (result)
(IMPLIES (AND
         (IMPLIES (EQ result |@true|) (AND
                                      (OR (EQ e |@true|)
                                      (AND (EQ e |@false|)
                                      (AND (EQ t |@true|) (EQ f |@true|))))
                                      (OR (EQ t |@true|)
                                      (AND (EQ t |@false|) (EQ f |@true|)))))
         (IMPLIES (NEQ result |@true|) (OR
                                       (AND (EQ e |@false|)
                                       (OR (EQ t |@false|)
                                       (AND (EQ t |@true|) (EQ f |@false|))))
                                       (AND
                                       (OR (EQ e |@true|)
                                       (AND (EQ e |@false|)
                                       (AND (EQ t |@true|) (EQ f |@true|))))
                                       (AND (EQ t |@false|) (EQ f |@false|))))))
(FORALL (return)
(IMPLIES (EQ return result)
(EQ return (bool_and (bool_or e (bool_and t f)) (bool_or t f)))))))))))

========== running Simplify ==========
Running Simplify on proof obligations
(. = valid * = invalid ? = unknown # = timeout ! = failure)
simplify/Booleans_why.sx      : ? (0/0/1/0/0)
total   :   1
valid   :   0 (  0%)
invalid :   0 (  0%)
unknown :   1 (100%)
timeout :   0 (  0%)
failure :   0 (  0%)
========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/Booleans.why
========== file tests/java/why/Booleans_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic div_int : int, int -> int

logic mod_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

logic int_of_real : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

logic sqrt_real : real -> real

logic pow_real : real, real -> real

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type bitvector

logic concat_bitvector : bitvector, bitvector -> bitvector

logic offset_min_bytes : 'a1 alloc_table, 'a1 pointer, int -> int

logic offset_max_bytes : 'a1 alloc_table, 'a1 pointer, int -> int

axiom offset_min_bytes_def:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall s:int [offset_min_bytes(a, p, s)].
        ((0 < s) ->
         ((offset_min(a, p) <= (s * offset_min_bytes(a, p, s))) and
          (((s * offset_min_bytes(a, p, s)) - s) < offset_min(a, p)))))))

axiom offset_max_bytes_def:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall s:int [offset_max_bytes(a, p, s)].
        ((0 < s) ->
         (((((s * offset_max_bytes(a, p, s)) + s) - 1) <= offset_max(a,
          p)) and (offset_max(a, p) < ((((s * offset_max_bytes(a, p,
          s)) + s) + s) - 1)))))))

logic extract_bytes : bitvector, int, int -> bitvector

logic replace_bytes : bitvector, int, int, bitvector -> bitvector

axiom select_store_eq_union:
  (forall o1:int.
    (forall s1:int.
      (forall o2:int.
        (forall s2:int.
          (forall v1:bitvector.
            (forall v2:bitvector [extract_bytes(replace_bytes(v1, o1, s1,
              v2), o2, s2)].
              (((o1 = o2) and (s1 = s2)) -> (extract_bytes(replace_bytes(v1,
               o1, s1, v2), o2, s2) = v2))))))))

axiom select_store_neq_union:
  (forall o1:int.
    (forall s1:int.
      (forall o2:int.
        (forall s2:int.
          (forall v1:bitvector.
            (forall v2:bitvector [extract_bytes(replace_bytes(v1, o1, s1,
              v2), o2, s2)].
              ((((o2 + s2) <= o1) or ((o1 + s2) <= o2)) ->
               (extract_bytes(replace_bytes(v1, o1, s1, v2), o2,
               s2) = extract_bytes(v1, o2, s2)))))))))

axiom concat_replace_bytes_up:
  (forall o1:int.
    (forall s1:int.
      (forall o2:int.
        (forall s2:int.
          (forall v1:bitvector.
            (forall v2:bitvector.
              (forall v3:bitvector [replace_bytes(replace_bytes(v1, o1, s1,
                v2), o2, s2, v3)].
                (((o1 + s1) = o2) -> (replace_bytes(replace_bytes(v1, o1, s1,
                 v2), o2, s2, v3) = replace_bytes(v1, o1, (s1 + s2),
                 concat_bitvector(v2, v3)))))))))))

axiom concat_replace_bytes_down:
  (forall o1:int.
    (forall s1:int.
      (forall o2:int.
        (forall s2:int.
          (forall v1:bitvector.
            (forall v2:bitvector.
              (forall v3:bitvector [replace_bytes(replace_bytes(v1, o1, s1,
                v2), o2, s2, v3)].
                (((o2 + s2) = o1) -> (replace_bytes(replace_bytes(v1, o1, s1,
                 v2), o2, s2, v3) = replace_bytes(v1, o2, (s1 + s2),
                 concat_bitvector(v3, v2)))))))))))

axiom concat_extract_bytes:
  (forall o1:int.
    (forall s1:int.
      (forall o2:int.
        (forall s2:int.
          (forall v:bitvector [concat_bitvector(extract_bytes(v, o1, s1),
            extract_bytes(v, o2, s2))].
            (((o1 + s1) = o2) -> (concat_bitvector(extract_bytes(v, o1, s1),
             extract_bytes(v, o2, s2)) = extract_bytes(v, o1, (s1 + s2)))))))))

logic select_bytes : ('a1, bitvector) memory, 'a1 pointer, int,
int -> bitvector

logic store_bytes : ('a1, bitvector) memory, 'a1 pointer, int, int,
bitvector -> ('a1, bitvector) memory

axiom select_store_eq_bytes:
  (forall m:('a1, bitvector) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall o1:int.
          (forall s1:int.
            (forall o2:int.
              (forall s2:int.
                (forall v:bitvector [select_bytes(store_bytes(m, p1, o1, s1,
                  v), p2, o2, s2)].
                  (((p1 = p2) and ((o1 = o2) and (s1 = s2))) ->
                   (select_bytes(store_bytes(m, p1, o1, s1, v), p2, o2,
                   s2) = v))))))))))

axiom select_store_neq_bytes:
  (forall m:('a1, bitvector) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall o1:int.
          (forall s1:int.
            (forall o2:int.
              (forall s2:int.
                (forall v:bitvector [select_bytes(store_bytes(m, p1, o1, s1,
                  v), p2, o2, s2)].
                  (pset_disjoint(pset_range(pset_singleton(p1), o1,
                   (o1 + s1)), pset_range(pset_singleton(p2), o2,
                   (o2 + s2))) -> (select_bytes(store_bytes(m, p1, o1, s1,
                   v), p2, o2, s2) = select_bytes(m, p2, o2, s2)))))))))))

axiom shift_store_bytes:
  (forall m:('a1, bitvector) memory.
    (forall p:'a1 pointer.
      (forall i:int.
        (forall o:int.
          (forall s:int.
            (forall v:bitvector [store_bytes(m, shift(p, i), o, s, v)].
              (store_bytes(m, shift(p, i), o, s, v) = store_bytes(m, p,
              (o + i), s, v))))))))

axiom shift_select_bytes:
  (forall m:('a1, bitvector) memory.
    (forall p:'a1 pointer.
      (forall i:int.
        (forall o:int.
          (forall s:int.
            (forall v:bitvector [select_bytes(m, shift(p, i), o, s)].
              (select_bytes(m, shift(p, i), o, s) = select_bytes(m, p,
              (o + i), s))))))))

axiom concat_store_bytes_up:
  (forall m:('a1, bitvector) memory.
    (forall p:'a1 pointer.
      (forall o1:int.
        (forall s1:int.
          (forall o2:int.
            (forall s2:int.
              (forall v1:bitvector.
                (forall v2:bitvector [store_bytes(store_bytes(m, p, o1, s1,
                  v1), p, o2, s2, v2)].
                  (((o1 + s1) = o2) -> (store_bytes(store_bytes(m, p, o1, s1,
                   v1), p, o2, s2, v2) = store_bytes(m, p, o1, (s1 + s2),
                   concat_bitvector(v1, v2))))))))))))

axiom concat_store_bytes_down:
  (forall m:('a1, bitvector) memory.
    (forall p:'a1 pointer.
      (forall o1:int.
        (forall s1:int.
          (forall o2:int.
            (forall s2:int.
              (forall v1:bitvector.
                (forall v2:bitvector [store_bytes(store_bytes(m, p, o1, s1,
                  v1), p, o2, s2, v2)].
                  (((o2 + s2) = o1) -> (store_bytes(store_bytes(m, p, o1, s1,
                   v1), p, o2, s2, v2) = store_bytes(m, p, o2, (s1 + s2),
                   concat_bitvector(v2, v1))))))))))))

axiom concat_select_bytes:
  (forall m:('a1, bitvector) memory.
    (forall p:'a1 pointer.
      (forall o1:int.
        (forall s1:int.
          (forall o2:int.
            (forall s2:int [concat_bitvector(select_bytes(m, p, o1, s1),
              select_bytes(m, p, o2, s2))].
              (((o1 + s1) = o2) -> (concat_bitvector(select_bytes(m, p, o1,
               s1), select_bytes(m, p, o2, s2)) = select_bytes(m, p, o1,
               (s1 + s2))))))))))

logic integer_of_bitvector : bitvector -> int

logic bitvector_of_integer : int -> bitvector

logic real_of_bitvector : bitvector -> real

type Object

type byte

type char

type int32

type interface

type long

type short

logic Booleans_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Booleans_parenttag_Object: parenttag(Booleans_tag, Object_tag)

logic Exception_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x) = 0)

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_bitvector : bitvector -> Object pointer

logic bitvector_of_Object : Object pointer -> bitvector

axiom Object_of_bitvector_of_bitvector_of_Object:
  (forall x:Object pointer.
    (Object_of_bitvector(bitvector_of_Object(x)) = x))

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

axiom bitvector_of_Object_of_Object_of_bitvector:
  (forall x:bitvector. (bitvector_of_Object(Object_of_bitvector(x)) = x))

logic bitvector_of_byte : byte -> bitvector

logic byte_of_bitvector : bitvector -> byte

axiom bitvector_of_byte_of_byte_of_bitvector:
  (forall x:bitvector. (bitvector_of_byte(byte_of_bitvector(x)) = x))

logic bitvector_of_char : char -> bitvector

logic char_of_bitvector : bitvector -> char

axiom bitvector_of_char_of_char_of_bitvector:
  (forall x:bitvector. (bitvector_of_char(char_of_bitvector(x)) = x))

logic bitvector_of_int32 : int32 -> bitvector

logic int32_of_bitvector : bitvector -> int32

axiom bitvector_of_int32_of_int32_of_bitvector:
  (forall x:bitvector. (bitvector_of_int32(int32_of_bitvector(x)) = x))

logic bitvector_of_interface : interface pointer -> bitvector

logic interface_of_bitvector : bitvector -> interface pointer

axiom bitvector_of_interface_of_interface_of_bitvector:
  (forall x:bitvector.
    (bitvector_of_interface(interface_of_bitvector(x)) = x))

logic bitvector_of_long : long -> bitvector

logic long_of_bitvector : bitvector -> long

axiom bitvector_of_long_of_long_of_bitvector:
  (forall x:bitvector. (bitvector_of_long(long_of_bitvector(x)) = x))

logic bitvector_of_short : short -> bitvector

logic short_of_bitvector : bitvector -> short

axiom bitvector_of_short_of_short_of_bitvector:
  (forall x:bitvector. (bitvector_of_short(short_of_bitvector(x)) = x))

logic integer_of_byte : byte -> int

logic byte_of_integer : int -> byte

axiom byte_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_byte(byte_of_integer(x)) = x)))

predicate eq_byte(x: byte, y: byte) =
  (integer_of_byte(x) = integer_of_byte(y))

axiom byte_of_bitvector_of_bitvector_of_byte:
  (forall x:byte. eq_byte(byte_of_bitvector(bitvector_of_byte(x)), x))

axiom byte_range:
  (forall x:byte.
    (((-128) <= integer_of_byte(x)) and (integer_of_byte(x) <= 127)))

logic integer_of_char : char -> int

logic char_of_integer : int -> char

axiom char_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 65535)) -> (integer_of_char(char_of_integer(x)) = x)))

predicate eq_char(x: char, y: char) =
  (integer_of_char(x) = integer_of_char(y))

axiom char_of_bitvector_of_bitvector_of_char:
  (forall x:char. eq_char(char_of_bitvector(bitvector_of_char(x)), x))

axiom char_range:
  (forall x:char.
    ((0 <= integer_of_char(x)) and (integer_of_char(x) <= 65535)))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_long : long -> int

predicate eq_long(x: long, y: long) =
  (integer_of_long(x) = integer_of_long(y))

logic integer_of_short : short -> int

predicate eq_short(x: short, y: short) =
  (integer_of_short(x) = integer_of_short(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_of_bitvector_of_bitvector_of_int32:
  (forall x:int32. eq_int32(int32_of_bitvector(bitvector_of_int32(x)), x))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

axiom interface_of_bitvector_of_bitvector_of_interface:
  (forall x:interface pointer.
    (interface_of_bitvector(bitvector_of_interface(x)) = x))

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Booleans(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer : int -> long

axiom long_coerce:
  (forall x:int.
    ((((-9223372036854775808) <= x) and (x <= 9223372036854775807)) ->
     (integer_of_long(long_of_integer(x)) = x)))

axiom long_of_bitvector_of_bitvector_of_long:
  (forall x:long. eq_long(long_of_bitvector(bitvector_of_long(x)), x))

axiom long_range:
  (forall x:long.
    (((-9223372036854775808) <= integer_of_long(x)) and
     (integer_of_long(x) <= 9223372036854775807)))

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Booleans(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer : int -> short

axiom short_coerce:
  (forall x:int.
    ((((-32768) <= x) and (x <= 32767)) ->
     (integer_of_short(short_of_integer(x)) = x)))

axiom short_of_bitvector_of_bitvector_of_short:
  (forall x:short. eq_short(short_of_bitvector(bitvector_of_short(x)), x))

axiom short_range:
  (forall x:short.
    (((-32768) <= integer_of_short(x)) and (integer_of_short(x) <= 32767)))

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Booleans(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_bitvector_struct_Object(p: unit pointer, a: int, b: int,
  bitvector_alloc_table: unit alloc_table) =
  ((offset_min(bitvector_alloc_table, p) = a) and
   (offset_max(bitvector_alloc_table, p) = b))

predicate valid_bitvector_struct_Booleans(p: unit pointer, a: int, b: int,
  bitvector_alloc_table: unit alloc_table) = valid_bitvector_struct_Object(p,
  a, b, bitvector_alloc_table)

predicate valid_bitvector_struct_Exception(p: unit pointer, a: int, b: int,
  bitvector_alloc_table: unit alloc_table) = valid_bitvector_struct_Object(p,
  a, b, bitvector_alloc_table)

predicate valid_bitvector_struct_String(p: unit pointer, a: int, b: int,
  bitvector_alloc_table: unit alloc_table) = valid_bitvector_struct_Object(p,
  a, b, bitvector_alloc_table)

predicate valid_bitvector_struct_Throwable(p: unit pointer, a: int, b: int,
  bitvector_alloc_table: unit alloc_table) = valid_bitvector_struct_Object(p,
  a, b, bitvector_alloc_table)

predicate valid_bitvector_struct_interface(p: unit pointer, a: int, b: int,
  bitvector_alloc_table: unit alloc_table) =
  ((offset_min(bitvector_alloc_table, p) = a) and
   (offset_max(bitvector_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Booleans(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

goal Booleans_f_ensures_default_po_1:
  forall e:bool.
  forall t:bool.
  forall f:bool.
  ("JC_14": true) ->
  forall result:bool.
  (if result then
   (((e = true) or ((e = false) and ((t = true) and (f = true)))) and
    ((t = true) or ((t = false) and (f = true)))) else
   (((e = false) and ((t = false) or ((t = true) and (f = false)))) or
    (((e = true) or ((e = false) and ((t = true) and (f = true)))) and
     ((t = false) and (f = false))))) ->
  forall return:bool.
  (return = result) ->
  ("JC_15": (return = bool_and(bool_or(e, bool_and(t, f)), bool_or(t, f))))

========== running alt-ergo ==========
Running Alt-Ergo on proof obligations
(. = valid * = invalid ? = unknown # = timeout ! = failure)
why/Booleans_why.why          : . (1/0/0/0/0)
total   :   1
valid   :   1 (100%)
invalid :   0 (  0%)
unknown :   0 (  0%)
timeout :   0 (  0%)
failure :   0 (  0%)
why-2.39/tests/java/oracle/Creation.err.oracle0000644000106100004300000000020713147234006020302 0ustar  marchevalscat: /tmp/regtests.cwd: No such file or directory
grep: /src/version.ml: No such file or directory
Cannot open directory /lib/java_api
why-2.39/tests/java/oracle/Gcd.res.oracle0000644000106100004300000014274113147234006017246 0ustar  marchevals========== file tests/java/Gcd.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@+ CheckArithOverflow = no

/* complements for non-linear integer arithmetic */

/*@ lemma distr_right:
  @   \forall integer x y z; x*(y+z) == (x*y)+(x*z);
  @*/

/*@ lemma distr_left:
  @   \forall integer x y z; (x+y)*z == (x*z)+(y*z);
  @*/

/*@ lemma distr_right_minus:
  @   \forall integer x y z; x*(y-z) == (x*y)-(x*z);
  @*/

/*@ lemma distr_left_minus:
  @   \forall integer x y z; (x-y)*z == (x*z)-(y*z);
  @*/

/*@ lemma mul_comm:
  @   \forall integer x y; x*y == y*x;
  @*/

/*@ lemma mul_assoc:
  @   \forall integer x y z; x*(y*z) == (x*y)*z;
  @*/

/*@ predicate divides(integer x, integer y) =
  @   \exists integer q; y == q*x ;
  @*/

/*@ lemma div_mod_property:
  @  \forall integer x y;
  @    x >=0 && y > 0 ==> x%y  == x - y*(x/y);
  @*/

/*@ lemma mod_property:
  @  \forall integer x y;
  @    x >=0 && y > 0 ==> 0 <= x%y && x%y < y;
  @*/

/*@ predicate isGcd(integer a, integer b, integer d) =
  @   divides(d,a) && divides(d,b) &&
  @     \forall integer z;
  @     divides(z,a) && divides(z,b) ==> divides(z,d) ;
  @*/

/*@ lemma gcd_zero :
  @   \forall integer a; isGcd(a,0,a) ;
  @*/

/*@ lemma gcd_property :
  @   \forall integer a b d;
  @      a >= 0 && b > 0 && isGcd(b,a % b,d) ==> isGcd(a,b,d) ;
  @*/

class Gcd {

    /*@ requires x >= 0 && y >= 0;
      @ behavior resultIsGcd:
      @   ensures isGcd(x,y,\result) ;
      @ behavior bezoutProperty:
      @   ensures \exists integer a b; a*x+b*y == \result;
      @*/
    static int gcd(int x, int y) {
        //@ ghost integer a = 1, b = 0, c = 0, d = 1;
        /*@ loop_invariant
          @    x >= 0 && y >= 0 &&
	  @    (\forall integer d ;  isGcd(x,y,d) ==>
	  @        \at(isGcd(x,y,d),Pre)) &&
          @    a*\at(x,Pre)+b*\at(y,Pre) == x &&
          @    c*\at(x,Pre)+d*\at(y,Pre) == y ;
          @ loop_variant y;
          @*/
        while (y > 0) {
            int r = x % y;
            //@ ghost integer q = x / y;
            x = y;
            y = r;
            //@ ghost integer ta = a, tb = b;
            //@ ghost a = c;
	    //@ ghost b = d;
            //@ ghost c = ta - c * q;
            //@ ghost d = tb - d * q;
        }
        return x;
    }

}




/*
Local Variables:
compile-command: "make Gcd.why3ide"
End:
*/

========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function cons_Gcd for constructor Gcd
Generating JC function Gcd_gcd for method Gcd.gcd
Done.
========== file tests/java/Gcd.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag Gcd = Object with {
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

predicate divides(integer x_5, integer y_5) =
(\exists integer q;
  (y_5 == (q * x_5)))

predicate isGcd(integer a, integer b, integer d) =
((divides(d, a) && divides(d, b)) &&
  (\forall integer z_4;
    ((divides(z_4, a) && divides(z_4, b)) ==> divides(z_4, d))))

lemma distr_right :
(\forall integer x;
  (\forall integer y;
    (\forall integer z;
      ((x * (y + z)) == ((x * y) + (x * z))))))

lemma distr_left :
(\forall integer x_0;
  (\forall integer y_0;
    (\forall integer z_0;
      (((x_0 + y_0) * z_0) == ((x_0 * z_0) + (y_0 * z_0))))))

lemma distr_right_minus :
(\forall integer x_1;
  (\forall integer y_1;
    (\forall integer z_1;
      ((x_1 * (y_1 - z_1)) == ((x_1 * y_1) - (x_1 * z_1))))))

lemma distr_left_minus :
(\forall integer x_2;
  (\forall integer y_2;
    (\forall integer z_2;
      (((x_2 - y_2) * z_2) == ((x_2 * z_2) - (y_2 * z_2))))))

lemma mul_comm :
(\forall integer x_3;
  (\forall integer y_3;
    ((x_3 * y_3) == (y_3 * x_3))))

lemma mul_assoc :
(\forall integer x_4;
  (\forall integer y_4;
    (\forall integer z_3;
      ((x_4 * (y_4 * z_3)) == ((x_4 * y_4) * z_3)))))

lemma div_mod_property :
(\forall integer x_6;
  (\forall integer y_6;
    (((x_6 >= 0) && (y_6 > 0)) ==>
      ((x_6 % y_6) == (x_6 - (y_6 * (x_6 / y_6)))))))

lemma mod_property :
(\forall integer x_7;
  (\forall integer y_7;
    (((x_7 >= 0) && (y_7 > 0)) ==>
      ((0 <= (x_7 % y_7)) && ((x_7 % y_7) < y_7)))))

lemma gcd_zero :
(\forall integer a_0;
  isGcd(a_0, 0, a_0))

lemma gcd_property :
(\forall integer a_1;
  (\forall integer b_0;
    (\forall integer d_0;
      ((((a_1 >= 0) && (b_0 > 0)) && isGcd(b_0, (a_1 % b_0), d_0)) ==>
        isGcd(a_1, b_0, d_0)))))

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

unit cons_Gcd(! Gcd[0] this_0){()}

integer Gcd_gcd(integer x_8, integer y_8)
  requires (K_5 : ((K_4 : (x_8 >= 0)) && (K_3 : (y_8 >= 0))));
behavior resultIsGcd:
  ensures (K_1 : isGcd(x_8, y_8, \result));
behavior bezoutProperty:
  ensures (K_2 : (\exists integer a_2;
                   (\exists integer b_1;
                     (((a_2 * x_8) + (b_1 * y_8)) == \result))));
{  
   {  
      (var integer a_3 = (K_28 : 1));
      
      {  
         (var integer b_2 = (K_27 : 0));
         
         {  
            (var integer c = (K_26 : 0));
            
            {  
               (var integer d_1 = (K_25 : 1));
               
               {  
                  loop 
                  behavior default:
                    invariant (K_14 : ((K_13 : ((K_12 : ((K_11 : ((K_10 : 
                                                                  (x_8 >=
                                                                    0)) &&
                                                                   (K_9 : 
                                                                   (y_8 >=
                                                                    0)))) &&
                                                          (K_8 : (\forall integer d_2;
                                                                   (isGcd(
                                                                    x_8, y_8,
                                                                    d_2) ==>
                                                                    \at(isGcd(
                                                                    x_8, y_8,
                                                                    d_2),Pre)))))) &&
                                                 (K_7 : (((a_3 *
                                                            \at(x_8,Pre)) +
                                                           (b_2 *
                                                             \at(y_8,Pre))) ==
                                                          x_8)))) &&
                                        (K_6 : (((c * \at(x_8,Pre)) +
                                                  (d_1 * \at(y_8,Pre))) ==
                                                 y_8))));
                  variant (K_15 : y_8);
                  while ((K_24 : (y_8 > 0)))
                  {  
                     {  
                        (var integer r = (K_23 : (x_8 % y_8)));
                        
                        {  
                           (var integer q_0 = (K_22 : (x_8 / y_8)));
                           
                           {  (x_8 = y_8);
                              (y_8 = r);
                              
                              {  
                                 (var integer ta = (K_21 : a_3));
                                 
                                 {  
                                    (var integer tb = (K_20 : b_2));
                                    
                                    {  (a_3 = c);
                                       (b_2 = d_1);
                                       (c = (K_17 : (ta - (K_16 : (c * q_0)))));
                                       (d_1 = (K_19 : (tb -
                                                        (K_18 : (d_1 * q_0)))))
                                    }
                                 }
                              }
                           }
                        }
                     }
                  };
                  
                  (return x_8)
               }
            }
         }
      }
   }
}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/Gcd.jloc tests/java/Gcd.jc && make -f tests/java/Gcd.makefile gui"
End:
*/
========== file tests/java/Gcd.jloc ==========
[K_23]
file = "HOME/tests/java/Gcd.java"
line = 108
begin = 20
end = 25

[gcd_property]
name = "Lemma gcd_property"
file = "HOME/tests/java/Gcd.java"
line = 84
begin = 10
end = 22

[K_17]
file = "HOME/tests/java/Gcd.java"
line = 115
begin = 26
end = 36

[K_11]
file = "HOME/tests/java/Gcd.java"
line = 100
begin = 15
end = 31

[K_25]
file = "HOME/tests/java/Gcd.java"
line = 98
begin = 51
end = 52

[K_13]
file = "HOME/tests/java/Gcd.java"
line = 100
begin = 15
end = 165

[Gcd_gcd]
name = "Method gcd"
file = "HOME/tests/java/Gcd.java"
line = 97
begin = 15
end = 18

[K_9]
file = "HOME/tests/java/Gcd.java"
line = 100
begin = 25
end = 31

[mul_assoc]
name = "Lemma mul_assoc"
file = "HOME/tests/java/Gcd.java"
line = 56
begin = 10
end = 19

[distr_right_minus]
name = "Lemma distr_right_minus"
file = "HOME/tests/java/Gcd.java"
line = 44
begin = 10
end = 27

[K_28]
file = "HOME/tests/java/Gcd.java"
line = 98
begin = 30
end = 31

[gcd_zero]
name = "Lemma gcd_zero"
file = "HOME/tests/java/Gcd.java"
line = 80
begin = 10
end = 18

[K_1]
file = "HOME/tests/java/Gcd.java"
line = 93
begin = 18
end = 36

[K_15]
file = "HOME/tests/java/Gcd.java"
line = 105
begin = 25
end = 26

[K_4]
file = "HOME/tests/java/Gcd.java"
line = 91
begin = 17
end = 23

[K_12]
file = "HOME/tests/java/Gcd.java"
line = 100
begin = 15
end = 116

[K_20]
file = "HOME/tests/java/Gcd.java"
line = 112
begin = 43
end = 44

[K_2]
file = "HOME/tests/java/Gcd.java"
line = 95
begin = 18
end = 57

[mul_comm]
name = "Lemma mul_comm"
file = "HOME/tests/java/Gcd.java"
line = 52
begin = 10
end = 18

[K_10]
file = "HOME/tests/java/Gcd.java"
line = 100
begin = 15
end = 21

[K_6]
file = "HOME/tests/java/Gcd.java"
line = 104
begin = 15
end = 45

[K_8]
file = "HOME/tests/java/Gcd.java"
line = 101
begin = 9
end = 80

[K_3]
file = "HOME/tests/java/Gcd.java"
line = 91
begin = 27
end = 33

[distr_left_minus]
name = "Lemma distr_left_minus"
file = "HOME/tests/java/Gcd.java"
line = 48
begin = 10
end = 26

[K_27]
file = "HOME/tests/java/Gcd.java"
line = 98
begin = 37
end = 38

[K_21]
file = "HOME/tests/java/Gcd.java"
line = 112
begin = 35
end = 36

[K_24]
file = "HOME/tests/java/Gcd.java"
line = 107
begin = 15
end = 20

[K_14]
file = "HOME/tests/java/Gcd.java"
line = 100
begin = 15
end = 214

[div_mod_property]
name = "Lemma div_mod_property"
file = "HOME/tests/java/Gcd.java"
line = 64
begin = 10
end = 26

[distr_right]
name = "Lemma distr_right"
file = "HOME/tests/java/Gcd.java"
line = 36
begin = 10
end = 21

[mod_property]
name = "Lemma mod_property"
file = "HOME/tests/java/Gcd.java"
line = 69
begin = 10
end = 22

[K_19]
file = "HOME/tests/java/Gcd.java"
line = 116
begin = 26
end = 36

[K_5]
file = "HOME/tests/java/Gcd.java"
line = 91
begin = 17
end = 33

[cons_Gcd]
name = "Constructor of class Gcd"
file = "HOME/"
line = 0
begin = -1
end = -1

[distr_left]
name = "Lemma distr_left"
file = "HOME/tests/java/Gcd.java"
line = 40
begin = 10
end = 20

[K_18]
file = "HOME/tests/java/Gcd.java"
line = 116
begin = 31
end = 36

[K_7]
file = "HOME/tests/java/Gcd.java"
line = 103
begin = 15
end = 45

[K_26]
file = "HOME/tests/java/Gcd.java"
line = 98
begin = 44
end = 45

[K_22]
file = "HOME/tests/java/Gcd.java"
line = 109
begin = 34
end = 39

[K_16]
file = "HOME/tests/java/Gcd.java"
line = 115
begin = 31
end = 36

========== jessie execution ==========
Generating Why function cons_Gcd
Generating Why function Gcd_gcd
========== file tests/java/Gcd.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/Gcd_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: Gcd.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: Gcd.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: Gcd.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/java/Gcd.loc ==========
[Gcd_gcd_ensures_resultIsGcd]
name = "Method gcd"
behavior = "Behavior `resultIsGcd'"
file = "HOME/tests/java/Gcd.java"
line = 97
begin = 15
end = 18

[JC_73]
file = "HOME/tests/java/Gcd.jc"
line = 135
begin = 18
end = 2892

[JC_63]
file = "HOME/tests/java/Gcd.jc"
line = 135
begin = 18
end = 2892

[JC_80]
file = "HOME/tests/java/Gcd.java"
line = 103
begin = 15
end = 45

[JC_51]
file = "HOME/tests/java/Gcd.jc"
line = 135
begin = 18
end = 2892

[JC_71]
file = "HOME/tests/java/Gcd.java"
line = 100
begin = 15
end = 214

[JC_45]
file = "HOME/tests/java/Gcd.java"
line = 101
begin = 9
end = 80

[gcd_property]
name = "Lemma gcd_property"
behavior = "lemma"
file = "HOME/tests/java/Gcd.java"
line = 84
begin = 10
end = 22

[JC_64]
kind = DivByZero
file = "HOME/tests/java/Gcd.java"
line = 108
begin = 20
end = 25

[cons_Gcd_safety]
name = "Constructor of class Gcd"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[Gcd_gcd_ensures_default]
name = "Method gcd"
behavior = "default behavior"
file = "HOME/tests/java/Gcd.java"
line = 97
begin = 15
end = 18

[mul_assoc]
name = "Lemma mul_assoc"
behavior = "lemma"
file = "HOME/tests/java/Gcd.java"
line = 56
begin = 10
end = 19

[JC_85]
file = "HOME/tests/java/Gcd.jc"
line = 135
begin = 18
end = 2892

[distr_right_minus]
name = "Lemma distr_right_minus"
behavior = "lemma"
file = "HOME/tests/java/Gcd.java"
line = 44
begin = 10
end = 27

[JC_31]
file = "HOME/tests/java/Gcd.java"
line = 91
begin = 17
end = 23

[JC_17]
file = "HOME/tests/java/Gcd.jc"
line = 37
begin = 11
end = 65

[gcd_zero]
name = "Lemma gcd_zero"
behavior = "lemma"
file = "HOME/tests/java/Gcd.java"
line = 80
begin = 10
end = 18

[JC_81]
file = "HOME/tests/java/Gcd.java"
line = 104
begin = 15
end = 45

[JC_55]
file = "HOME/tests/java/Gcd.java"
line = 100
begin = 15
end = 21

[JC_48]
file = "HOME/tests/java/Gcd.java"
line = 100
begin = 15
end = 214

[JC_23]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_67]
file = "HOME/tests/java/Gcd.java"
line = 100
begin = 25
end = 31

[JC_9]
file = "HOME/tests/java/Gcd.jc"
line = 35
begin = 8
end = 23

[JC_75]
kind = DivByZero
file = "HOME/tests/java/Gcd.java"
line = 108
begin = 20
end = 25

[JC_24]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_25]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_78]
file = "HOME/tests/java/Gcd.java"
line = 100
begin = 25
end = 31

[JC_41]
file = "HOME/tests/java/Gcd.java"
line = 95
begin = 18
end = 57

[JC_74]
file = "HOME/tests/java/Gcd.jc"
line = 135
begin = 18
end = 2892

[JC_47]
file = "HOME/tests/java/Gcd.java"
line = 104
begin = 15
end = 45

[JC_52]
kind = DivByZero
file = "HOME/tests/java/Gcd.java"
line = 108
begin = 20
end = 25

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Gcd_ensures_default]
name = "Constructor of class Gcd"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
file = "HOME/tests/java/Gcd.java"
line = 105
begin = 25
end = 26

[JC_79]
file = "HOME/tests/java/Gcd.java"
line = 101
begin = 9
end = 80

[JC_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_82]
file = "HOME/tests/java/Gcd.java"
line = 100
begin = 15
end = 214

[JC_87]
kind = DivByZero
file = "HOME/tests/java/Gcd.java"
line = 109
begin = 34
end = 39

[JC_11]
file = "HOME/tests/java/Gcd.jc"
line = 35
begin = 8
end = 23

[JC_70]
file = "HOME/tests/java/Gcd.java"
line = 104
begin = 15
end = 45

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_39]
file = "HOME/tests/java/Gcd.java"
line = 93
begin = 18
end = 36

[mul_comm]
name = "Lemma mul_comm"
behavior = "lemma"
file = "HOME/tests/java/Gcd.java"
line = 52
begin = 10
end = 18

[JC_40]
file = "HOME/tests/java/Gcd.java"
line = 93
begin = 18
end = 36

[JC_83]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_35]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
file = "HOME/tests/java/Gcd.java"
line = 91
begin = 17
end = 23

[JC_69]
file = "HOME/tests/java/Gcd.java"
line = 103
begin = 15
end = 45

[JC_38]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_44]
file = "HOME/tests/java/Gcd.java"
line = 100
begin = 25
end = 31

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
file = "HOME/tests/java/Gcd.jc"
line = 135
begin = 18
end = 2892

[JC_42]
file = "HOME/tests/java/Gcd.java"
line = 95
begin = 18
end = 57

[JC_46]
file = "HOME/tests/java/Gcd.java"
line = 103
begin = 15
end = 45

[distr_left_minus]
name = "Lemma distr_left_minus"
behavior = "lemma"
file = "HOME/tests/java/Gcd.java"
line = 48
begin = 10
end = 26

[JC_61]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_32]
file = "HOME/tests/java/Gcd.java"
line = 91
begin = 27
end = 33

[JC_56]
file = "HOME/tests/java/Gcd.java"
line = 100
begin = 25
end = 31

[JC_33]
file = "HOME/tests/java/Gcd.java"
line = 91
begin = 17
end = 33

[JC_65]
kind = DivByZero
file = "HOME/tests/java/Gcd.java"
line = 109
begin = 34
end = 39

[Gcd_gcd_safety]
name = "Method gcd"
behavior = "Safety"
file = "HOME/tests/java/Gcd.java"
line = 97
begin = 15
end = 18

[Gcd_gcd_ensures_bezoutProperty]
name = "Method gcd"
behavior = "Behavior `bezoutProperty'"
file = "HOME/tests/java/Gcd.java"
line = 97
begin = 15
end = 18

[JC_29]
file = "HOME/tests/java/Gcd.java"
line = 91
begin = 17
end = 33

[div_mod_property]
name = "Lemma div_mod_property"
behavior = "lemma"
file = "HOME/tests/java/Gcd.java"
line = 64
begin = 10
end = 26

[JC_68]
file = "HOME/tests/java/Gcd.java"
line = 101
begin = 9
end = 80

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[distr_right]
name = "Lemma distr_right"
behavior = "lemma"
file = "HOME/tests/java/Gcd.java"
line = 36
begin = 10
end = 21

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_43]
file = "HOME/tests/java/Gcd.java"
line = 100
begin = 15
end = 21

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_84]
file = "HOME/tests/java/Gcd.jc"
line = 135
begin = 18
end = 2892

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[mod_property]
name = "Lemma mod_property"
behavior = "lemma"
file = "HOME/tests/java/Gcd.java"
line = 69
begin = 10
end = 22

[JC_53]
kind = DivByZero
file = "HOME/tests/java/Gcd.java"
line = 109
begin = 34
end = 39

[JC_21]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_77]
file = "HOME/tests/java/Gcd.java"
line = 100
begin = 15
end = 21

[JC_49]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1]
file = "HOME/tests/java/Gcd.jc"
line = 10
begin = 12
end = 22

[JC_37]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_57]
file = "HOME/tests/java/Gcd.java"
line = 101
begin = 9
end = 80

[JC_66]
file = "HOME/tests/java/Gcd.java"
line = 100
begin = 15
end = 21

[JC_59]
file = "HOME/tests/java/Gcd.java"
line = 104
begin = 15
end = 45

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/tests/java/Gcd.jc"
line = 37
begin = 11
end = 65

[JC_3]
file = "HOME/tests/java/Gcd.jc"
line = 10
begin = 12
end = 22

[distr_left]
name = "Lemma distr_left"
behavior = "lemma"
file = "HOME/tests/java/Gcd.java"
line = 40
begin = 10
end = 20

[JC_86]
kind = DivByZero
file = "HOME/tests/java/Gcd.java"
line = 108
begin = 20
end = 25

[JC_60]
file = "HOME/tests/java/Gcd.java"
line = 100
begin = 15
end = 214

[JC_72]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_19]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_76]
kind = DivByZero
file = "HOME/tests/java/Gcd.java"
line = 109
begin = 34
end = 39

[JC_50]
file = "HOME/tests/java/Gcd.jc"
line = 135
begin = 18
end = 2892

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_58]
file = "HOME/tests/java/Gcd.java"
line = 103
begin = 15
end = 45

[JC_28]
file = "HOME/tests/java/Gcd.java"
line = 91
begin = 27
end = 33

========== file tests/java/why/Gcd.why ==========
type Object

type interface

logic Exception_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

logic Gcd_tag:  -> Object tag_id

axiom Gcd_parenttag_Object : parenttag(Gcd_tag, Object_tag)

predicate Non_null_Object(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), (0))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

predicate divides(x_5:int, y_5:int) = (exists q:int. (y_5 = mul_int(q, x_5)))

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate isGcd(a:int, b:int, d:int) =
 (divides(d, a)
 and (divides(d, b)
     and (forall z_4:int.
          ((divides(z_4, a) and divides(z_4, b)) -> divides(z_4, d)))))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Gcd(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Gcd(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Gcd(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Gcd(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

lemma distr_right :
 (forall x_2:int.
  (forall y:int.
   (forall z:int.
    (mul_int(x_2, add_int(y, z)) = add_int(mul_int(x_2, y), mul_int(x_2, z))))))

lemma distr_left :
 (forall x_0_0:int.
  (forall y_0:int.
   (forall z_0:int.
    (mul_int(add_int(x_0_0, y_0), z_0) = add_int(mul_int(x_0_0, z_0),
                                         mul_int(y_0, z_0))))))

lemma distr_right_minus :
 (forall x_1_0:int.
  (forall y_1:int.
   (forall z_1:int.
    (mul_int(x_1_0, sub_int(y_1, z_1)) = sub_int(mul_int(x_1_0, y_1),
                                         mul_int(x_1_0, z_1))))))

lemma distr_left_minus :
 (forall x_2_0:int.
  (forall y_2:int.
   (forall z_2:int.
    (mul_int(sub_int(x_2_0, y_2), z_2) = sub_int(mul_int(x_2_0, z_2),
                                         mul_int(y_2, z_2))))))

lemma mul_comm :
 (forall x_3:int. (forall y_3:int. (mul_int(x_3, y_3) = mul_int(y_3, x_3))))

lemma mul_assoc :
 (forall x_4:int.
  (forall y_4:int.
   (forall z_3:int.
    (mul_int(x_4, mul_int(y_4, z_3)) = mul_int(mul_int(x_4, y_4), z_3)))))

lemma div_mod_property :
 (forall x_6:int.
  (forall y_6:int.
   ((ge_int(x_6, (0)) and gt_int(y_6, (0))) ->
    (computer_mod(x_6, y_6) = sub_int(x_6,
                              mul_int(y_6, computer_div(x_6, y_6)))))))

lemma mod_property :
 (forall x_7:int.
  (forall y_7:int.
   ((ge_int(x_7, (0)) and gt_int(y_7, (0))) ->
    (le_int((0), computer_mod(x_7, y_7))
    and lt_int(computer_mod(x_7, y_7), y_7)))))

lemma gcd_zero : (forall a_0:int. isGcd(a_0, (0), a_0))

lemma gcd_property :
 (forall a_1:int.
  (forall b_0:int.
   (forall d_0:int.
    ((ge_int(a_1, (0))
     and (gt_int(b_0, (0)) and isGcd(b_0, computer_mod(a_1, b_0), d_0))) ->
     isGcd(a_1, b_0, d_0)))))

exception Exception_exc of Object pointer

parameter Gcd_gcd :
 x_8:int ->
  y_8:int ->
   { } int
   { ((JC_42:
      (exists a_2:int.
       (exists b_1:int.
        (add_int(mul_int(a_2, x_8), mul_int(b_1, y_8)) = result))))
     and (JC_40: isGcd(x_8, y_8, result))) }

parameter Gcd_gcd_requires :
 x_8:int ->
  y_8:int ->
   { (JC_29: ((JC_27: ge_int(x_8, (0))) and (JC_28: ge_int(y_8, (0)))))} int
   { ((JC_42:
      (exists a_2:int.
       (exists b_1:int.
        (add_int(mul_int(a_2, x_8), mul_int(b_1, y_8)) = result))))
     and (JC_40: isGcd(x_8, y_8, result))) }

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Object_alloc_table : Object alloc_table ref

parameter Object_tag_table : Object tag_table ref

exception Return_label_exc of unit

exception Throwable_exc of Object pointer

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Gcd :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Gcd(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Gcd_tag)))) }

parameter alloc_struct_Gcd_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Gcd(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Gcd_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter cons_Gcd :
 this_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Gcd_requires :
 this_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter non_null_Object :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter non_null_Object_requires :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

let Gcd_gcd_ensures_bezoutProperty =
 fun (x_8 : int) (y_8 : int) ->
  { (JC_33: ((JC_31: ge_int(x_8, (0))) and (JC_32: ge_int(y_8, (0))))) }
  (let mutable_x_8 = ref x_8 in
  (let mutable_y_8 = ref y_8 in
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let a_3 = ref (K_28: (1)) in
     (let b_2 = ref (K_27: (0)) in
     (let c = ref (K_26: (0)) in
     (let d_1 = ref (K_25: (1)) in
     begin
       try
        (loop_4:
        while true do
        { invariant (JC_84: true)  }
         begin
           [ { } unit reads a_3,b_2,c,d_1,mutable_x_8,mutable_y_8
             { (JC_82:
               ((JC_77: ge_int(mutable_x_8, (0)))
               and ((JC_78: ge_int(mutable_y_8, (0)))
                   and ((JC_79:
                        (forall d_2:int.
                         (isGcd(mutable_x_8, mutable_y_8, d_2) ->
                          isGcd(mutable_x_8@init, mutable_y_8@init, d_2))))
                       and ((JC_80:
                            (add_int(mul_int(a_3, mutable_x_8@init),
                             mul_int(b_2, mutable_y_8@init)) = mutable_x_8))
                           and (JC_81:
                               (add_int(mul_int(c, mutable_x_8@init),
                                mul_int(d_1, mutable_y_8@init)) = mutable_y_8))))))) } ];
          try
           begin
             (if (K_24: ((gt_int_ !mutable_y_8) (0)))
             then
              (let _jessie_ =
              (let r =
              (K_23: (JC_86: ((computer_mod !mutable_x_8) !mutable_y_8))) in
              (let q_0 =
              (K_22: (JC_87: ((computer_div !mutable_x_8) !mutable_y_8))) in
              begin
                (let _jessie_ = (mutable_x_8 := !mutable_y_8) in void);
               (let _jessie_ = (mutable_y_8 := r) in void);
               (let ta = (K_21: !a_3) in
               (let tb = (K_20: !b_2) in
               begin
                 (let _jessie_ = (a_3 := !c) in void);
                (let _jessie_ = (b_2 := !d_1) in void);
                (let _jessie_ =
                (c := (K_17: ((sub_int ta) (K_16: ((mul_int !c) q_0))))) in
                void);
                (d_1 := (K_19: ((sub_int tb) (K_18: ((mul_int !d_1) q_0)))));
                !d_1 end)) end)) in void) else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ -> void end end done) with
        Loop_exit_exc _jessie_ -> void end; (return := !mutable_x_8);
      (raise Return) end)))); absurd  end with Return -> !return end))))
  { (JC_41:
    (exists a_2:int.
     (exists b_1:int.
      (add_int(mul_int(a_2, x_8), mul_int(b_1, y_8)) = result)))) } 

let Gcd_gcd_ensures_default =
 fun (x_8 : int) (y_8 : int) ->
  { (JC_33: ((JC_31: ge_int(x_8, (0))) and (JC_32: ge_int(y_8, (0))))) }
  (let mutable_x_8 = ref x_8 in
  (let mutable_y_8 = ref y_8 in
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let a_3 = ref (K_28: (1)) in
     (let b_2 = ref (K_27: (0)) in
     (let c = ref (K_26: (0)) in
     (let d_1 = ref (K_25: (1)) in
     begin
       try
        (loop_2:
        while true do
        { invariant
            (JC_60:
            ((JC_55: ge_int(mutable_x_8, (0)))
            and ((JC_56: ge_int(mutable_y_8, (0)))
                and ((JC_57:
                     (forall d_2:int.
                      (isGcd(mutable_x_8, mutable_y_8, d_2) ->
                       isGcd(mutable_x_8@init, mutable_y_8@init, d_2))))
                    and ((JC_58:
                         (add_int(mul_int(a_3, mutable_x_8@init),
                          mul_int(b_2, mutable_y_8@init)) = mutable_x_8))
                        and (JC_59:
                            (add_int(mul_int(c, mutable_x_8@init),
                             mul_int(d_1, mutable_y_8@init)) = mutable_y_8)))))))
           }
         begin
           [ { } unit { true } ];
          try
           begin
             (if (K_24: ((gt_int_ !mutable_y_8) (0)))
             then
              (let _jessie_ =
              (let r =
              (K_23: (JC_64: ((computer_mod !mutable_x_8) !mutable_y_8))) in
              (let q_0 =
              (K_22: (JC_65: ((computer_div !mutable_x_8) !mutable_y_8))) in
              begin
                (let _jessie_ = (mutable_x_8 := !mutable_y_8) in void);
               (let _jessie_ = (mutable_y_8 := r) in void);
               (let ta = (K_21: !a_3) in
               (let tb = (K_20: !b_2) in
               begin
                 (let _jessie_ = (a_3 := !c) in void);
                (let _jessie_ = (b_2 := !d_1) in void);
                (let _jessie_ =
                (c := (K_17: ((sub_int ta) (K_16: ((mul_int !c) q_0))))) in
                void);
                (d_1 := (K_19: ((sub_int tb) (K_18: ((mul_int !d_1) q_0)))));
                !d_1 end)) end)) in void) else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ -> void end end done) with
        Loop_exit_exc _jessie_ -> void end; (return := !mutable_x_8);
      (raise Return) end)))); absurd  end with Return -> !return end))))
  { (JC_35: true) } 

let Gcd_gcd_ensures_resultIsGcd =
 fun (x_8 : int) (y_8 : int) ->
  { (JC_33: ((JC_31: ge_int(x_8, (0))) and (JC_32: ge_int(y_8, (0))))) }
  (let mutable_x_8 = ref x_8 in
  (let mutable_y_8 = ref y_8 in
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let a_3 = ref (K_28: (1)) in
     (let b_2 = ref (K_27: (0)) in
     (let c = ref (K_26: (0)) in
     (let d_1 = ref (K_25: (1)) in
     begin
       try
        (loop_3:
        while true do
        { invariant (JC_73: true)  }
         begin
           [ { } unit reads a_3,b_2,c,d_1,mutable_x_8,mutable_y_8
             { (JC_71:
               ((JC_66: ge_int(mutable_x_8, (0)))
               and ((JC_67: ge_int(mutable_y_8, (0)))
                   and ((JC_68:
                        (forall d_2:int.
                         (isGcd(mutable_x_8, mutable_y_8, d_2) ->
                          isGcd(mutable_x_8@init, mutable_y_8@init, d_2))))
                       and ((JC_69:
                            (add_int(mul_int(a_3, mutable_x_8@init),
                             mul_int(b_2, mutable_y_8@init)) = mutable_x_8))
                           and (JC_70:
                               (add_int(mul_int(c, mutable_x_8@init),
                                mul_int(d_1, mutable_y_8@init)) = mutable_y_8))))))) } ];
          try
           begin
             (if (K_24: ((gt_int_ !mutable_y_8) (0)))
             then
              (let _jessie_ =
              (let r =
              (K_23: (JC_75: ((computer_mod !mutable_x_8) !mutable_y_8))) in
              (let q_0 =
              (K_22: (JC_76: ((computer_div !mutable_x_8) !mutable_y_8))) in
              begin
                (let _jessie_ = (mutable_x_8 := !mutable_y_8) in void);
               (let _jessie_ = (mutable_y_8 := r) in void);
               (let ta = (K_21: !a_3) in
               (let tb = (K_20: !b_2) in
               begin
                 (let _jessie_ = (a_3 := !c) in void);
                (let _jessie_ = (b_2 := !d_1) in void);
                (let _jessie_ =
                (c := (K_17: ((sub_int ta) (K_16: ((mul_int !c) q_0))))) in
                void);
                (d_1 := (K_19: ((sub_int tb) (K_18: ((mul_int !d_1) q_0)))));
                !d_1 end)) end)) in void) else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ -> void end end done) with
        Loop_exit_exc _jessie_ -> void end; (return := !mutable_x_8);
      (raise Return) end)))); absurd  end with Return -> !return end))))
  { (JC_39: isGcd(x_8, y_8, result)) } 

let Gcd_gcd_safety =
 fun (x_8 : int) (y_8 : int) ->
  { (JC_33: ((JC_31: ge_int(x_8, (0))) and (JC_32: ge_int(y_8, (0))))) }
  (let mutable_x_8 = ref x_8 in
  (let mutable_y_8 = ref y_8 in
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let a_3 = ref (K_28: (1)) in
     (let b_2 = ref (K_27: (0)) in
     (let c = ref (K_26: (0)) in
     (let d_1 = ref (K_25: (1)) in
     begin
       try
        (loop_1:
        while true do
        { invariant (JC_50: true) variant (JC_54 : mutable_y_8) }
         begin
           [ { } unit reads a_3,b_2,c,d_1,mutable_x_8,mutable_y_8
             { (JC_48:
               ((JC_43: ge_int(mutable_x_8, (0)))
               and ((JC_44: ge_int(mutable_y_8, (0)))
                   and ((JC_45:
                        (forall d_2:int.
                         (isGcd(mutable_x_8, mutable_y_8, d_2) ->
                          isGcd(mutable_x_8@init, mutable_y_8@init, d_2))))
                       and ((JC_46:
                            (add_int(mul_int(a_3, mutable_x_8@init),
                             mul_int(b_2, mutable_y_8@init)) = mutable_x_8))
                           and (JC_47:
                               (add_int(mul_int(c, mutable_x_8@init),
                                mul_int(d_1, mutable_y_8@init)) = mutable_y_8))))))) } ];
          try
           begin
             (if (K_24: ((gt_int_ !mutable_y_8) (0)))
             then
              (let _jessie_ =
              (let r =
              (K_23: (JC_52: ((computer_mod_ !mutable_x_8) !mutable_y_8))) in
              (let q_0 =
              (K_22: (JC_53: ((computer_div_ !mutable_x_8) !mutable_y_8))) in
              begin
                (let _jessie_ = (mutable_x_8 := !mutable_y_8) in void);
               (let _jessie_ = (mutable_y_8 := r) in void);
               (let ta = (K_21: !a_3) in
               (let tb = (K_20: !b_2) in
               begin
                 (let _jessie_ = (a_3 := !c) in void);
                (let _jessie_ = (b_2 := !d_1) in void);
                (let _jessie_ =
                (c := (K_17: ((sub_int ta) (K_16: ((mul_int !c) q_0))))) in
                void);
                (d_1 := (K_19: ((sub_int tb) (K_18: ((mul_int !d_1) q_0)))));
                !d_1 end)) end)) in void) else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ -> void end end done) with
        Loop_exit_exc _jessie_ -> void end; (return := !mutable_x_8);
      (raise Return) end)))); absurd  end with Return -> !return end))))
  { true } 

let cons_Gcd_ensures_default =
 fun (this_0 : Object pointer) ->
  { valid_struct_Gcd(this_0, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_23: true) } 

let cons_Gcd_safety =
 fun (this_0 : Object pointer) ->
  { valid_struct_Gcd(this_0, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 


why-2.39/tests/java/oracle/Switch.err.oracle0000644000106100004300000000000013147234006017766 0ustar  marchevalswhy-2.39/tests/java/oracle/SimpleApplet.res.oracle0000644000106100004300000053354213147234006021153 0ustar  marchevals========== file tests/java/SimpleApplet.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

// JAVACARD: will ask regtests to use Java Card API for this program

/*****************************

Very basic Java Card Applet to check non-regression of basic Java Card support

thanks to Peter Trommler 

********************/



import javacard.framework.APDU;
import javacard.framework.Applet;
import javacard.framework.ISO7816;
import javacard.framework.ISOException;
import javacard.framework.JCSystem;
import javacard.framework.OwnerPIN;
import javacard.security.*;

public class Card extends Applet {
	
    //##################################################
    //Instruction Variables
    //##################################################
    final static byte Card_Class = (byte)0x80;
    final static byte Card_Ins_Pin= (byte)0x02;
    final static byte Card_Ins_Auth=(byte)0x01;
    final static byte Card_Ins_Write= (byte) 0x05;
    final static byte Card_Ins_Del = (byte) 0x06;
    final static byte Card_Ins_Read = (byte) 0x07;
	
	
    //##################################################
    //Other Parameters
    //##################################################
    final static byte Key_Length = (byte) 0x84;
    final static short Data_Count = 10; 
    final static short Data_Len = 5;
    final static byte Term_Function_Writer =(byte) 0xAA;
    final static byte Term_Function_Reader = (byte)0x11;
	
    /**
     * Constructor for the Card.
     */
    Card(){
	// nothing to be done
    }

    //#####################################################
    //Applet Card install
    //####################################################
    public static void install(byte[] bArray, short bOffset, byte bLength) {
	// GP-compliant JavaCard applet registration
	new Card().register(bArray, (short) (bOffset + 1), bArray[bOffset]);
    }
	
    //####################################################
    //Here starts the good part.
    //###################################################
    public void process(APDU apdu) {
	//When the applet is selected, the card will be initialised!		
	if (selectingApplet()) {
	    return;
	}
		
	byte[] buf = apdu.getBuffer();
		
	//Returns an error if the Class  is wrong.
	if(buf[ISO7816.OFFSET_CLA]!= Card_Class){
	    ISOException.throwIt(ISO7816.SW_CLA_NOT_SUPPORTED);
	}
		
	switch (buf[ISO7816.OFFSET_INS]) {
	    //Here is where the Signature from the terminal will be checked
	    //and also here is where will be decided to what functions
	    //the Terminal will have access to.
				
	    //Calls the Read Method	
	case Card_Ins_Read:
	    // for now just return OK SW1SW2=0x9000
	    break;
				
	default:
	    // good practice: If you don't know the INStruction, say so:
	    ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
	}
	return;
    }
}


/*
Local Variables:
compile-command: "make SimpleApplet.why3ide"
End:
*/

========== krakatoa execution ==========
// JAVACARD: will ask regtests to use Java Card API for this program
Parsing OK.
Typing OK.
Generating JC function APDU_setLc for method APDU.setLc
Generating JC function Applet_install for method Applet.install
Generating JC function APDU_resetNoGetResponseFlag for method APDU.resetNoGetResponseFlag
Generating JC function APDU_getOutgoingFlag for method APDU.getOutgoingFlag
Generating JC function APDU_getLrIs256Flag for method APDU.getLrIs256Flag
Generating JC function Applet_register for method Applet.register
Generating JC function cons_RuntimeException for constructor RuntimeException
Generating JC function APDU_setNoChainingFlag for method APDU.setNoChainingFlag
Generating JC function APDU_getInBlockSize for method APDU.getInBlockSize
Generating JC function cons_Card for constructor Card
Generating JC function APDU_setNoGetResponseFlag for method APDU.setNoGetResponseFlag
Generating JC function APDU_getNoGetResponseFlag for method APDU.getNoGetResponseFlag
Generating JC function cons_Throwable for constructor Throwable
Generating JC function APDU_resetLrIs256Flag for method APDU.resetLrIs256Flag
Generating JC function APDU_setOutgoingLenSetFlag for method APDU.setOutgoingLenSetFlag
Generating JC function ISOException_throwIt for method ISOException.throwIt
Generating JC function Applet_deselect for method Applet.deselect
Generating JC function cons_APDU for constructor APDU
Generating JC function ISOException_getReason for method ISOException.getReason
Generating JC function APDU_getOutBlockSize for method APDU.getOutBlockSize
Generating JC function cons_Exception for constructor Exception
Generating JC function APDU_setIncoming for method APDU.setIncoming
Generating JC function APDU_resetSendInProgressFlag for method APDU.resetSendInProgressFlag
Generating JC function APDU_setPreReadLength for method APDU.setPreReadLength
Generating JC function cons_ISOException_short for constructor ISOException
Generating JC function APDU_getProtocol for method APDU.getProtocol
Generating JC function ISOException_setReason for method ISOException.setReason
Generating JC function APDU_resetOutgoingLenSetFlag for method APDU.resetOutgoingLenSetFlag
Generating JC function APDU_sendBytesLong for method APDU.sendBytesLong
Generating JC function APDU_complete for method APDU.complete
Generating JC function APDU_getNoChainingFlag for method APDU.getNoChainingFlag
Generating JC function APDU_setSendInProgressFlag for method APDU.setSendInProgressFlag
Generating JC function Applet_getShareableInterfaceObject for method Applet.getShareableInterfaceObject
Generating JC function APDU_setOutgoingAndSend for method APDU.setOutgoingAndSend
Generating JC function APDU_resetAPDU for method APDU.resetAPDU
Generating JC function APDU_setIncomingAndReceive for method APDU.setIncomingAndReceive
Generating JC function cons_CardRuntimeException_short for constructor CardRuntimeException
Generating JC function APDU_resetNoChainingFlag for method APDU.resetNoChainingFlag
Generating JC function APDU_getLr for method APDU.getLr
Generating JC function APDU_getOutgoingLenSetFlag for method APDU.getOutgoingLenSetFlag
Generating JC function APDU_getLc for method APDU.getLc
Generating JC function APDU_setOutgoingNoChaining for method APDU.setOutgoingNoChaining
Generating JC function cons_Object for constructor Object
Generating JC function APDU_waitExtension for method APDU.waitExtension
Generating JC function Applet_selectingApplet for method Applet.selectingApplet
Generating JC function Applet_register_byteA_short_byte for method Applet.register
Generating JC function Card_install for method Card.install
Generating JC function APDU_getSendInProgressFlag for method APDU.getSendInProgressFlag
Generating JC function CardRuntimeException_getReason for method CardRuntimeException.getReason
Generating JC function APDU_sendBytes for method APDU.sendBytes
Generating JC function APDU_setLrIs256Flag for method APDU.setLrIs256Flag
Generating JC function APDU_getPreReadLength for method APDU.getPreReadLength
Generating JC function APDU_setIncomingFlag for method APDU.setIncomingFlag
Generating JC function APDU_setLe for method APDU.setLe
Generating JC function Applet_process for method Applet.process
Generating JC function CardRuntimeException_throwIt for method CardRuntimeException.throwIt
Generating JC function APDU_getIncomingFlag for method APDU.getIncomingFlag
Generating JC function cons_Applet for constructor Applet
Generating JC function APDU_receiveBytes for method APDU.receiveBytes
Generating JC function APDU_getBuffer for method APDU.getBuffer
Generating JC function CardRuntimeException_setReason for method CardRuntimeException.setReason
Generating JC function Card_process for method Card.process
Generating JC function APDU_resetOutgoingFlag for method APDU.resetOutgoingFlag
Generating JC function APDU_send61xx for method APDU.send61xx
Generating JC function APDU_getLe for method APDU.getLe
Generating JC function Object_equals for method Object.equals
Generating JC function APDU_undoIncomingAndReceive for method APDU.undoIncomingAndReceive
Generating JC function APDU_setOutgoingFlag for method APDU.setOutgoingFlag
Generating JC function Applet_select for method Applet.select
Generating JC function APDU_setOutgoingLength for method APDU.setOutgoingLength
Generating JC function APDU_getNAD for method APDU.getNAD
Generating JC function APDU_resetIncomingFlag for method APDU.resetIncomingFlag
Generating JC function APDU_setOutgoing for method APDU.setOutgoing
Generating JC function APDU_setLr for method APDU.setLr
Done.
========== file tests/java/SimpleApplet.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

type byte = -128..127

type short = -32768..32767

type int32 = -2147483648..2147483647

type long = -9223372036854775808..9223372036854775807

type char = 0..65535

predicate Non_null_byteM{Here}(byteM[0..] x) =
(\offset_max(x) >= -1)

predicate Non_null_shortM{Here}(shortM[0..] x) =
(\offset_max(x) >= -1)

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

logic short ISO7816_SW_NO_ERROR =
-28672

logic short ISO7816_SW_BYTES_REMAINING_00 =
24832

logic short ISO7816_SW_WRONG_LENGTH =
26368

logic short ISO7816_SW_SECURITY_STATUS_NOT_SATISFIED =
27010

logic short ISO7816_SW_FILE_INVALID =
27011

logic short ISO7816_SW_DATA_INVALID =
27012

logic short ISO7816_SW_CONDITIONS_NOT_SATISFIED =
27013

logic short ISO7816_SW_COMMAND_NOT_ALLOWED =
27014

logic short ISO7816_SW_APPLET_SELECT_FAILED =
27033

logic short ISO7816_SW_WRONG_DATA =
27264

logic short ISO7816_SW_FUNC_NOT_SUPPORTED =
27265

logic short ISO7816_SW_FILE_NOT_FOUND =
27266

logic short ISO7816_SW_RECORD_NOT_FOUND =
27267

logic short ISO7816_SW_INCORRECT_P1P2 =
27270

logic short ISO7816_SW_WRONG_P1P2 =
27392

logic short ISO7816_SW_CORRECT_LENGTH_00 =
27648

logic short ISO7816_SW_INS_NOT_SUPPORTED =
27904

logic short ISO7816_SW_CLA_NOT_SUPPORTED =
28160

logic short ISO7816_SW_UNKNOWN =
28416

logic short ISO7816_SW_FILE_FULL =
27268

logic byte ISO7816_OFFSET_CLA =
0

logic byte ISO7816_OFFSET_INS =
1

logic byte ISO7816_OFFSET_P1 =
2

logic byte ISO7816_OFFSET_P2 =
3

logic byte ISO7816_OFFSET_LC =
4

logic byte ISO7816_OFFSET_CDATA =
5

logic byte ISO7816_CLA_ISO7816 =
0

logic byte ISO7816_INS_SELECT =
-92

logic byte ISO7816_INS_EXTERNAL_AUTHENTICATE =
-126

axiomatic BUFFERSIZE_theory {

  logic short APDU_BUFFERSIZE 
  
}

logic byte APDU_IFSC =
1

logic short APDU_IFSD =
258

logic byte APDU_LE =
0

logic byte APDU_LR =
1

logic byte APDU_LC =
2

logic byte APDU_PRE_READ_LENGTH =
3

logic byte APDU_RAM_VARS_LENGTH =
4

logic short APDU_BUFFER_OVERFLOW =
-16383

logic short APDU_READ_ERROR =
-16381

logic short APDU_WRITE_ERROR =
-16380

logic short APDU_INVALID_GET_RESPONSE =
-16378

logic byte APDU_ACK_NONE =
0

logic byte APDU_ACK_INS =
1

logic byte APDU_ACK_NOT_INS =
2

logic byte APDU_PROTOCOL_T0 =
0

logic byte APDU_PROTOCOL_T1 =
1

logic byte Card_Card_Class =
-128

logic byte Card_Card_Ins_Pin =
2

logic byte Card_Card_Ins_Auth =
1

logic byte Card_Card_Ins_Write =
5

logic byte Card_Card_Ins_Del =
6

logic byte Card_Card_Ins_Read =
7

logic byte Card_Key_Length =
-124

logic short Card_Data_Count =
10

logic short Card_Data_Len =
5

logic byte Card_Term_Function_Writer =
-86

logic byte Card_Term_Function_Reader =
17

tag Throwable = Object with {
}

tag Applet = Object with {
  PrivAccess[0..] thePrivAccess;
}

tag PackedBoolean = Object with {
}

tag NativeMethods = Object with {
}

tag CardRuntimeException = RuntimeException with {
  short reason;
}

tag OwnerPIN = Object with {
}

tag JCSystem = Object with {
}

tag Exception = Throwable with {
}

tag Object = {
}

tag APDU = Object with {
  byteM[0..] buffer; 
  PackedBoolean[0..] thePackedBoolean; 
  byte incomingFlag; 
  byte outgoingFlag; 
  byte outgoingLenSetFlag; 
  byte lrIs256Flag; 
  byte sendInProgressFlag; 
  byte noChainingFlag; 
  byte noGetResponseFlag;
  invariant buffer_inv(this_3) = ((\offset_max(this_3.buffer) + 1) >= 37);
}

tag ISOException = CardRuntimeException with {
  shortM[0..] theSw;
}

tag AID = Object with {
}

tag Card = Applet with {
}

tag PrivAccess = Object with {
}

tag RuntimeException = Exception with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

tag byteM = Object with {
  byte byteP;
}

tag shortM = Object with {
  short shortP;
}

boolean non_null_byteM(! byteM[0..] x)
behavior default:
  assigns \nothing;
  ensures (if \result then (\offset_max(x) >= -1) else (x == null));
;

integer java_array_length_byteM(! byteM[0..-1] x)
behavior default:
  assigns \nothing;
  ensures ((\result <= 2147483647) &&
            ((\result >= 0) && (\result == (\offset_max(x) + 1))));
;

boolean non_null_shortM(! shortM[0..] x)
behavior default:
  assigns \nothing;
  ensures (if \result then (\offset_max(x) >= -1) else (x == null));
;

integer java_array_length_shortM(! shortM[0..-1] x)
behavior default:
  assigns \nothing;
  ensures ((\result <= 2147483647) &&
            ((\result >= 0) && (\result == (\offset_max(x) + 1))));
;

CardRuntimeException[0..] CardRuntimeException_systemInstance;

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

APDU[0..] APDU_theAPDU;

byteM[0..] APDU_ramVars;

ISOException[0..] ISOException_systemInstance;

exception ISOException of ISOException[0..]

exception Exception of Exception[0..]

exception RuntimeException of RuntimeException[0..]

exception Throwable of Throwable[0..]

exception CardRuntimeException of CardRuntimeException[0..]

unit APDU_setLc(APDU[0] this_10, byte data_1)
;

unit Applet_install(byteM[0..] bArray, short bOffset, byte bLength)
;

unit APDU_resetNoGetResponseFlag(APDU[0] this_11)
;

boolean APDU_getOutgoingFlag(APDU[0] this_12)
;

boolean APDU_getLrIs256Flag(APDU[0] this_13)
;

unit Applet_register(Applet[0] this_14)
;

unit cons_RuntimeException(! RuntimeException[0] this_66){()}

unit APDU_setNoChainingFlag(APDU[0] this_15)
;

short APDU_getInBlockSize()
;

unit cons_Card(! Card[0] this_9){()}

unit APDU_setNoGetResponseFlag(APDU[0] this_16)
;

boolean APDU_getNoGetResponseFlag(APDU[0] this_17)
;

unit cons_Throwable(! Throwable[0] this_67){()}

unit APDU_resetLrIs256Flag(APDU[0] this_18)
;

unit APDU_setOutgoingLenSetFlag(APDU[0] this_19)
;

unit ISOException_throwIt(short sw_0)
;

unit Applet_deselect(Applet[0] this_20)
;

unit cons_APDU(! APDU[0] this_68)
{  (this_68.buffer = null);
   (this_68.thePackedBoolean = null);
   (this_68.incomingFlag = 0);
   (this_68.outgoingFlag = 0);
   (this_68.outgoingLenSetFlag = 0);
   (this_68.lrIs256Flag = 0);
   (this_68.sendInProgressFlag = 0);
   (this_68.noChainingFlag = 0);
   (this_68.noGetResponseFlag = 0)
}

short ISOException_getReason(ISOException[0] this_21)
;

short APDU_getOutBlockSize()
;

unit cons_Exception(! Exception[0] this_69){()}

unit APDU_setIncoming(APDU[0] this_22)
;

unit APDU_resetSendInProgressFlag(APDU[0] this_23)
;

unit APDU_setPreReadLength(APDU[0] this_24, byte data_2)
;

unit cons_ISOException_short(! ISOException[0] this_70, short sw)
{  (this_70.theSw = null)
}

byte APDU_getProtocol()
;

unit ISOException_setReason(ISOException[0] this_25, short sw_1)
;

unit APDU_resetOutgoingLenSetFlag(APDU[0] this_26)
;

unit APDU_sendBytesLong(APDU[0] this_27, byteM[0..] outData, short bOff_1,
                        short len_2)
;

unit APDU_complete(APDU[0] this_28, short status)
;

boolean APDU_getNoChainingFlag(APDU[0] this_29)
;

unit APDU_setSendInProgressFlag(APDU[0] this_30)
;

Object/*interface*/[0..] Applet_getShareableInterfaceObject(Applet[0] this_31,
                                                            AID[0..] clientAID,
                                                            byte param)
;

unit APDU_setOutgoingAndSend(APDU[0] this_32, short bOff_2, short len_3)
;

unit APDU_resetAPDU(APDU[0] this_33)
;

short APDU_setIncomingAndReceive(APDU[0] this_34)
;

unit cons_CardRuntimeException_short(! CardRuntimeException[0] this_71,
                                     short reason)
{  (this_71.reason = 0)
}

unit APDU_resetNoChainingFlag(APDU[0] this_35)
;

short APDU_getLr(APDU[0] this_36)
;

boolean APDU_getOutgoingLenSetFlag(APDU[0] this_37)
;

byte APDU_getLc(APDU[0] this_38)
;

short APDU_setOutgoingNoChaining(APDU[0] this_39)
;

unit cons_Object(! Object[0] this_72){()}

unit APDU_waitExtension()
;

boolean Applet_selectingApplet(Applet[0] this_40)
;

unit Applet_register_byteA_short_byte(Applet[0] this_52, byteM[0..] bArray_0,
                                      short bOffset_0, byte bLength_0)
;

unit Card_install(byteM[0..] bArray_1, short bOffset_1, byte bLength_1)
{  (K_4 : Applet_register_byteA_short_byte(
                                           {  
                                              (var Card[0] this = (new Card[1]));
                                              
                                              {  
                                                 (var unit _tt = cons_Card(
                                                 this));
                                                 this
                                              }
                                           }, bArray_1,
                                           (K_2 : ((K_1 : ((bOffset_1 + 1) :> int32)) :> short)),
                                           (K_3 : (bArray_1 + bOffset_1).byteP)))
}

boolean APDU_getSendInProgressFlag(APDU[0] this_41)
;

short CardRuntimeException_getReason(CardRuntimeException[0] this_42)
;

unit APDU_sendBytes(APDU[0] this_43, short bOff_0, short len_1)
;

unit APDU_setLrIs256Flag(APDU[0] this_44)
;

byte APDU_getPreReadLength(APDU[0] this_45)
;

unit APDU_setIncomingFlag(APDU[0] this_46)
;

unit APDU_setLe(APDU[0] this_47, byte data)
;

unit Applet_process(Applet[0] this_48, APDU[0..] apdu)
;

unit CardRuntimeException_throwIt(short reason_1)
;

boolean APDU_getIncomingFlag(APDU[0] this_49)
;

unit cons_Applet(! Applet[0] this_73)
{  (this_73.thePrivAccess = null)
}

short APDU_receiveBytes(APDU[0] this_50, short bOff)
;

byteM[0..] APDU_getBuffer(APDU[0] this_51)
behavior normal:
  ensures (K_5 : (\result == this_51.buffer));
;

unit CardRuntimeException_setReason(CardRuntimeException[0] this_53,
                                    short reason_0)
;

unit Card_process(Card[0] this_1, APDU[0..] apdu_0)
{  (if (K_6 : Applet_selectingApplet(this_1)) then 
   (return ()) else ());
   
   {  
      (var byteM[0..] buf = (K_12 : APDU_getBuffer(apdu_0)));
      
      {  (if (K_9 : ((K_8 : (buf + ISO7816_OFFSET_CLA).byteP) !=
                      Card_Card_Class)) then (K_7 : ISOException_throwIt(
                                             ISO7816_SW_CLA_NOT_SUPPORTED)) else ());
         
         switch ((K_11 : (buf + ISO7816_OFFSET_INS).byteP)) {
           case Card_Card_Ins_Read:
           {  
              (break )
           }
           default:
           {  (K_10 : ISOException_throwIt(ISO7816_SW_INS_NOT_SUPPORTED))
           }
         };
         
         (return ())
      }
   }
}

unit APDU_resetOutgoingFlag(APDU[0] this_54)
;

short APDU_send61xx(APDU[0] this_55, short len_0)
;

short APDU_getLe(APDU[0] this_56)
;

boolean Object_equals(Object[0] this_57, Object[0..] obj)
;

unit APDU_undoIncomingAndReceive(APDU[0] this_58)
;

unit APDU_setOutgoingFlag(APDU[0] this_59)
;

boolean Applet_select(Applet[0] this_60)
;

unit APDU_setOutgoingLength(APDU[0] this_61, short len)
;

byte APDU_getNAD(APDU[0] this_62)
;

unit APDU_resetIncomingFlag(APDU[0] this_63)
;

short APDU_setOutgoing(APDU[0] this_64)
;

unit APDU_setLr(APDU[0] this_65, byte data_0)
;

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/SimpleApplet.jloc tests/java/SimpleApplet.jc && make -f tests/java/SimpleApplet.makefile gui"
End:
*/
========== file tests/java/SimpleApplet.jloc ==========
[APDU_send61xx]
name = "Method send61xx"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 520
begin = 16
end = 24

[APDU_complete]
name = "Method complete"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 752
begin = 7
end = 15

[APDU_setOutgoingAndSend]
name = "Method setOutgoingAndSend"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 719
begin = 15
end = 33

[Applet_register_byteA_short_byte]
name = "Method register"
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 281
begin = 25
end = 33

[cons_Applet]
name = "Constructor of class Applet"
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 97
begin = 14
end = 20

[Card_process]
name = "Method process"
file = "HOME/tests/java/SimpleApplet.java"
line = 92
begin = 16
end = 23

[APDU_getNAD]
name = "Method getNAD"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 339
begin = 14
end = 20

[APDU_setOutgoingLenSetFlag]
name = "Method setOutgoingLenSetFlag"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 213
begin = 15
end = 36

[APDU_setOutgoingLength]
name = "Method setOutgoingLength"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 403
begin = 14
end = 31

[Applet_select]
name = "Method select"
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 185
begin = 19
end = 25

[cons_Card]
name = "Constructor of class Card"
file = "HOME/tests/java/SimpleApplet.java"
line = 77
begin = 4
end = 8

[K_11]
file = "HOME/tests/java/SimpleApplet.java"
line = 105
begin = 9
end = 32

[Applet_selectingApplet]
name = "Method selectingApplet"
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 293
begin = 28
end = 43

[APDU_resetLrIs256Flag]
name = "Method resetLrIs256Flag"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 219
begin = 15
end = 31

[Applet_deselect]
name = "Method deselect"
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 209
begin = 16
end = 24

[K_9]
file = "HOME/tests/java/SimpleApplet.java"
line = 101
begin = 4
end = 40

[APDU_sendBytes]
name = "Method sendBytes"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 577
begin = 14
end = 23

[Applet_install]
name = "Method install"
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 139
begin = 23
end = 30

[Card_install]
name = "Method install"
file = "HOME/tests/java/SimpleApplet.java"
line = 84
begin = 23
end = 30

[cons_Object]
name = "Constructor of class Object"
file = "HOME/lib/javacard_api/java/lang/Object.java"
line = 47
begin = 9
end = 15

[K_1]
file = "HOME/tests/java/SimpleApplet.java"
line = 86
begin = 38
end = 49

[CardRuntimeException_setReason]
name = "Method setReason"
file = "HOME/lib/javacard_api/javacard/framework/CardRuntimeException.java"
line = 74
begin = 14
end = 23

[K_4]
file = "HOME/tests/java/SimpleApplet.java"
line = 86
begin = 1
end = 68

[K_12]
file = "HOME/tests/java/SimpleApplet.java"
line = 98
begin = 14
end = 30

[APDU_getLr]
name = "Method getLr"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 178
begin = 16
end = 21

[APDU_setOutgoing]
name = "Method setOutgoing"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 354
begin = 15
end = 26

[APDU_getLe]
name = "Method getLe"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 171
begin = 16
end = 21

[APDU_setIncomingAndReceive]
name = "Method setIncomingAndReceive"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 505
begin = 15
end = 36

[APDU_setNoChainingFlag]
name = "Method setNoChainingFlag"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 226
begin = 15
end = 32

[APDU_getOutBlockSize]
name = "Method getOutBlockSize"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 310
begin = 22
end = 37

[APDU_getOutgoingLenSetFlag]
name = "Method getOutgoingLenSetFlag"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 212
begin = 18
end = 39

[ISOException_getReason]
name = "Method getReason"
file = "HOME/lib/javacard_api/javacard/framework/ISOException.java"
line = 106
begin = 28
end = 37

[APDU_getNoGetResponseFlag]
name = "Method getNoGetResponseFlag"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 230
begin = 18
end = 38

[APDU_resetOutgoingLenSetFlag]
name = "Method resetOutgoingLenSetFlag"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 214
begin = 15
end = 38

[K_2]
file = "HOME/tests/java/SimpleApplet.java"
line = 86
begin = 29
end = 50

[APDU_resetNoChainingFlag]
name = "Method resetNoChainingFlag"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 227
begin = 15
end = 34

[APDU_getLrIs256Flag]
name = "Method getLrIs256Flag"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 217
begin = 18
end = 32

[APDU_setIncomingFlag]
name = "Method setIncomingFlag"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 198
begin = 15
end = 30

[APDU_setIncoming]
name = "Method setIncoming"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 422
begin = 15
end = 26

[cons_Throwable]
name = "Constructor of class Throwable"
file = "HOME/lib/javacard_api/java/lang/Throwable.java"
line = 48
begin = 9
end = 18

[Applet_register]
name = "Method register"
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 252
begin = 25
end = 33

[Applet_getShareableInterfaceObject]
name = "Method getShareableInterfaceObject"
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 230
begin = 21
end = 48

[K_10]
file = "HOME/tests/java/SimpleApplet.java"
line = 117
begin = 5
end = 55

[APDU_setSendInProgressFlag]
name = "Method setSendInProgressFlag"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 203
begin = 15
end = 36

[K_6]
file = "HOME/tests/java/SimpleApplet.java"
line = 94
begin = 5
end = 22

[K_8]
file = "HOME/tests/java/SimpleApplet.java"
line = 101
begin = 4
end = 27

[APDU_undoIncomingAndReceive]
name = "Method undoIncomingAndReceive"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 793
begin = 7
end = 29

[APDU_waitExtension]
name = "Method waitExtension"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 811
begin = 21
end = 34

[APDU_getOutgoingFlag]
name = "Method getOutgoingFlag"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 207
begin = 18
end = 33

[APDU_getLc]
name = "Method getLc"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 185
begin = 15
end = 20

[K_3]
file = "HOME/tests/java/SimpleApplet.java"
line = 86
begin = 52
end = 67

[cons_Exception]
name = "Constructor of class Exception"
file = "HOME/lib/javacard_api/java/lang/Exception.java"
line = 49
begin = 9
end = 18

[APDU_resetNoGetResponseFlag]
name = "Method resetNoGetResponseFlag"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 232
begin = 15
end = 37

[APDU_setOutgoingFlag]
name = "Method setOutgoingFlag"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 208
begin = 15
end = 30

[APDU_getNoChainingFlag]
name = "Method getNoChainingFlag"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 225
begin = 10
end = 27

[CardRuntimeException_throwIt]
name = "Method throwIt"
file = "HOME/lib/javacard_api/javacard/framework/CardRuntimeException.java"
line = 89
begin = 21
end = 28

[APDU_setLr]
name = "Method setLr"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 182
begin = 15
end = 20

[APDU_getIncomingFlag]
name = "Method getIncomingFlag"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 197
begin = 18
end = 33

[APDU_getInBlockSize]
name = "Method getInBlockSize"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 291
begin = 22
end = 36

[cons_ISOException_short]
name = "Constructor of class ISOException"
file = "HOME/lib/javacard_api/javacard/framework/ISOException.java"
line = 59
begin = 9
end = 21

[APDU_setLrIs256Flag]
name = "Method setLrIs256Flag"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 218
begin = 15
end = 29

[APDU_resetOutgoingFlag]
name = "Method resetOutgoingFlag"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 209
begin = 15
end = 32

[APDU_getSendInProgressFlag]
name = "Method getSendInProgressFlag"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 202
begin = 18
end = 39

[APDU_sendBytesLong]
name = "Method sendBytesLong"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 685
begin = 14
end = 27

[APDU_setOutgoingNoChaining]
name = "Method setOutgoingNoChaining"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 381
begin = 15
end = 36

[ISOException_throwIt]
name = "Method throwIt"
file = "HOME/lib/javacard_api/javacard/framework/ISOException.java"
line = 86
begin = 23
end = 30

[cons_CardRuntimeException_short]
name = "Constructor of class CardRuntimeException"
file = "HOME/lib/javacard_api/javacard/framework/CardRuntimeException.java"
line = 56
begin = 9
end = 29

[APDU_resetIncomingFlag]
name = "Method resetIncomingFlag"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 199
begin = 15
end = 32

[APDU_setLc]
name = "Method setLc"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 186
begin = 15
end = 20

[APDU_getProtocol]
name = "Method getProtocol"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 329
begin = 21
end = 32

[cons_RuntimeException]
name = "Constructor of class RuntimeException"
file = "HOME/lib/javacard_api/java/lang/RuntimeException.java"
line = 47
begin = 9
end = 25

[APDU_setLe]
name = "Method setLe"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 175
begin = 15
end = 20

[APDU_getPreReadLength]
name = "Method getPreReadLength"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 189
begin = 15
end = 31

[K_5]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 269
begin = 18
end = 35

[Applet_process]
name = "Method process"
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 166
begin = 25
end = 32

[APDU_resetAPDU]
name = "Method resetAPDU"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 726
begin = 7
end = 16

[cons_APDU]
name = "Constructor of class APDU"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 239
begin = 2
end = 6

[APDU_setNoGetResponseFlag]
name = "Method setNoGetResponseFlag"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 231
begin = 15
end = 35

[Object_equals]
name = "Method equals"
file = "HOME/lib/javacard_api/java/lang/Object.java"
line = 85
begin = 31
end = 37

[K_7]
file = "HOME/tests/java/SimpleApplet.java"
line = 102
begin = 5
end = 55

[APDU_receiveBytes]
name = "Method receiveBytes"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 459
begin = 15
end = 27

[APDU_getBuffer]
name = "Method getBuffer"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 272
begin = 18
end = 27

[CardRuntimeException_getReason]
name = "Method getReason"
file = "HOME/lib/javacard_api/javacard/framework/CardRuntimeException.java"
line = 67
begin = 30
end = 39

[APDU_resetSendInProgressFlag]
name = "Method resetSendInProgressFlag"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 204
begin = 15
end = 38

[APDU_setPreReadLength]
name = "Method setPreReadLength"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 190
begin = 15
end = 31

[ISOException_setReason]
name = "Method setReason"
file = "HOME/lib/javacard_api/javacard/framework/ISOException.java"
line = 119
begin = 14
end = 23

========== jessie execution ==========
Generating Why function cons_RuntimeException
Generating Why function cons_Card
Generating Why function cons_Throwable
Generating Why function cons_APDU
Generating Why function cons_Exception
Generating Why function cons_ISOException_short
Generating Why function cons_CardRuntimeException_short
Generating Why function cons_Object
Generating Why function Card_install
Generating Why function cons_Applet
Generating Why function Card_process
========== file tests/java/SimpleApplet.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/SimpleApplet_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: SimpleApplet.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: SimpleApplet.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: SimpleApplet.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/java/SimpleApplet.loc ==========
[JC_494]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_451]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_373]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 185
begin = 15
end = 20

[JC_294]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_176]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_80]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_453]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 577
begin = 14
end = 23

[JC_421]
file = "HOME/tests/java/SimpleApplet.java"
line = 84
begin = 23
end = 30

[cons_Applet_ensures_default]
name = "Constructor of class Applet"
behavior = "default behavior"
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 97
begin = 14
end = 20

[JC_617]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_143]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_113]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 226
begin = 15
end = 32

[JC_116]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_448]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_404]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_133]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 231
begin = 15
end = 35

[JC_327]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_544]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 272
begin = 18
end = 27

[JC_475]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 189
begin = 15
end = 31

[JC_410]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_320]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_180]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Throwable_ensures_default]
name = "Constructor of class Throwable"
behavior = "default behavior"
file = "HOME/lib/javacard_api/java/lang/Throwable.java"
line = 48
begin = 9
end = 18

[JC_473]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_394]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_502]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_460]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 577
begin = 14
end = 23

[JC_200]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_491]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 175
begin = 15
end = 20

[JC_201]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_536]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_513]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_194]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 239
begin = 2
end = 6

[JC_122]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_642]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 339
begin = 14
end = 20

[JC_323]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 726
begin = 7
end = 16

[JC_280]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_134]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_48]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_23]
file = "HOME/tests/java/SimpleApplet.jc"
line = 286
begin = 8
end = 23

[cons_Card_ensures_default]
name = "Constructor of class Card"
behavior = "default behavior"
file = "HOME/tests/java/SimpleApplet.java"
line = 77
begin = 4
end = 8

[JC_375]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_125]
file = "HOME/tests/java/SimpleApplet.java"
line = 77
begin = 4
end = 8

[JC_67]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 232
begin = 15
end = 37

[JC_9]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_315]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 719
begin = 15
end = 33

[JC_486]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_41]
file = "HOME/tests/java/SimpleApplet.jc"
line = 301
begin = 8
end = 23

[JC_594]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 171
begin = 16
end = 21

[JC_357]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 178
begin = 16
end = 21

[JC_561]
kind = UserCall
file = "HOME/tests/java/SimpleApplet.java"
line = 94
begin = 5
end = 22

[JC_74]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 232
begin = 15
end = 37

[JC_656]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_195]
file = "HOME/lib/javacard_api/javacard/framework/ISOException.java"
line = 106
begin = 28
end = 37

[JC_326]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_52]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_26]
file = "HOME/tests/java/SimpleApplet.jc"
line = 288
begin = 10
end = 18

[JC_616]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_665]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_430]
kind = AllocSize
file = "HOME/tests/java/SimpleApplet.jc"
line = 474
begin = 67
end = 78

[JC_646]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 199
begin = 15
end = 32

[JC_415]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_405]
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 293
begin = 28
end = 43

[JC_403]
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 293
begin = 28
end = 43

[JC_82]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 207
begin = 18
end = 33

[JC_411]
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 281
begin = 25
end = 33

[JC_163]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 213
begin = 15
end = 36

[JC_634]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 403
begin = 14
end = 31

[JC_359]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_589]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_661]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_417]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_36]
file = "HOME/tests/java/SimpleApplet.jc"
line = 294
begin = 10
end = 18

[JC_595]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 171
begin = 16
end = 21

[JC_386]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 381
begin = 15
end = 36

[JC_340]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_291]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 225
begin = 10
end = 27

[JC_112]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_135]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_169]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 213
begin = 15
end = 36

[JC_599]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_420]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_314]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_115]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 291
begin = 22
end = 36

[JC_109]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 226
begin = 15
end = 32

[JC_69]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 232
begin = 15
end = 37

[JC_362]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 178
begin = 16
end = 21

[JC_295]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_268]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_449]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_329]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 726
begin = 7
end = 16

[JC_328]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_304]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_583]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_650]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 199
begin = 15
end = 32

[cons_CardRuntimeException_short_ensures_default]
name = "Constructor of class CardRuntimeException"
behavior = "default behavior"
file = "HOME/lib/javacard_api/javacard/framework/CardRuntimeException.java"
line = 56
begin = 9
end = 29

[JC_218]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_191]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_101]
file = "HOME/lib/javacard_api/java/lang/RuntimeException.java"
line = 47
begin = 9
end = 25

[JC_526]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_387]
file = "HOME/lib/javacard_api/java/lang/Object.java"
line = 47
begin = 9
end = 15

[JC_459]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 577
begin = 14
end = 23

[JC_372]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_440]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_103]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_46]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_509]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 197
begin = 18
end = 33

[JC_289]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 752
begin = 7
end = 15

[JC_302]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_199]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_56]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_33]
file = "HOME/tests/java/SimpleApplet.jc"
line = 292
begin = 8
end = 32

[JC_296]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_290]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 752
begin = 7
end = 15

[JC_370]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 212
begin = 18
end = 39

[JC_173]
file = "HOME/lib/javacard_api/javacard/framework/ISOException.java"
line = 86
begin = 23
end = 30

[JC_567]
kind = UserCall
file = "HOME/tests/java/SimpleApplet.jc"
line = 549
begin = 22
end = 72

[JC_524]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_29]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_144]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_360]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/tests/java/SimpleApplet.jc"
line = 281
begin = 10
end = 18

[JC_335]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_43]
file = "HOME/tests/java/SimpleApplet.jc"
line = 301
begin = 8
end = 23

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_95]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_97]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_318]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_84]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_343]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_160]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_90]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 217
begin = 18
end = 32

[JC_653]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_504]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_281]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 685
begin = 14
end = 27

[JC_131]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 231
begin = 15
end = 35

[JC_645]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_581]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_181]
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 209
begin = 16
end = 24

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_538]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_108]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_57]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 186
begin = 15
end = 20

[JC_257]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_161]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 219
begin = 15
end = 31

[JC_89]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 217
begin = 18
end = 32

[JC_333]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 505
begin = 15
end = 36

[JC_136]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_605]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_293]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 225
begin = 10
end = 27

[JC_165]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 213
begin = 15
end = 36

[JC_217]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_338]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 505
begin = 15
end = 36

[JC_229]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 204
begin = 15
end = 38

[cons_Card_safety]
name = "Constructor of class Card"
behavior = "Safety"
file = "HOME/tests/java/SimpleApplet.java"
line = 77
begin = 4
end = 8

[JC_564]
kind = IndexBounds
file = "HOME/tests/java/SimpleApplet.java"
line = 101
begin = 4
end = 27

[JC_500]
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 166
begin = 25
end = 32

[JC_402]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_364]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_50]
file = "HOME/tests/java/SimpleApplet.jc"
line = 303
begin = 11
end = 65

[JC_633]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_620]
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 185
begin = 19
end = 25

[JC_615]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_409]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_479]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 198
begin = 15
end = 30

[cons_Exception_ensures_default]
name = "Constructor of class Exception"
behavior = "default behavior"
file = "HOME/lib/javacard_api/java/lang/Exception.java"
line = 49
begin = 9
end = 18

[JC_120]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_559]
file = "HOME/tests/java/SimpleApplet.java"
line = 92
begin = 16
end = 23

[JC_28]
file = "HOME/tests/java/SimpleApplet.jc"
line = 288
begin = 10
end = 18

[JC_198]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_580]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 520
begin = 16
end = 24

[JC_555]
file = "HOME/tests/java/SimpleApplet.java"
line = 92
begin = 16
end = 23

[JC_285]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 752
begin = 7
end = 15

[JC_483]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 198
begin = 15
end = 30

[cons_ISOException_short_safety]
name = "Constructor of class ISOException"
behavior = "Safety"
file = "HOME/lib/javacard_api/javacard/framework/ISOException.java"
line = 59
begin = 9
end = 21

[JC_604]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 793
begin = 7
end = 29

[JC_94]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_73]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 232
begin = 15
end = 37

[JC_597]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_279]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_422]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_627]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_381]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 381
begin = 15
end = 36

[JC_71]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_306]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 203
begin = 15
end = 36

[JC_380]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_207]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_655]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_611]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 793
begin = 7
end = 29

[JC_365]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 212
begin = 18
end = 39

[JC_251]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 329
begin = 21
end = 32

[JC_203]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 310
begin = 22
end = 37

[JC_376]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_313]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Object_ensures_default]
name = "Constructor of class Object"
behavior = "default behavior"
file = "HOME/lib/javacard_api/java/lang/Object.java"
line = 47
begin = 9
end = 15

[JC_546]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_265]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_170]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 213
begin = 15
end = 36

[JC_593]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_492]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 175
begin = 15
end = 20

[JC_300]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_319]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_635]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 403
begin = 14
end = 31

[JC_493]
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 166
begin = 25
end = 32

[JC_347]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 227
begin = 15
end = 34

[JC_247]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_550]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_137]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 231
begin = 15
end = 35

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_466]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_231]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_75]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 207
begin = 18
end = 33

[JC_658]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 354
begin = 15
end = 26

[JC_643]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 339
begin = 14
end = 20

[JC_628]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 403
begin = 14
end = 31

[JC_553]
file = "HOME/tests/java/SimpleApplet.java"
line = 92
begin = 16
end = 23

[JC_641]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_530]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_350]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_528]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_356]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_260]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_212]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_571]
kind = UserCall
file = "HOME/tests/java/SimpleApplet.jc"
line = 549
begin = 22
end = 72

[JC_568]
kind = UserCall
file = "HOME/tests/java/SimpleApplet.java"
line = 94
begin = 5
end = 22

[JC_298]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 225
begin = 10
end = 27

[JC_224]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_474]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_481]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_664]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_542]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 272
begin = 18
end = 27

[JC_427]
kind = PointerDeref
file = "HOME/tests/java/SimpleApplet.java"
line = 86
begin = 52
end = 67

[JC_332]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_278]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_663]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_154]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_237]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 190
begin = 15
end = 31

[JC_367]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_334]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_130]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_174]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_464]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_CardRuntimeException_short_safety]
name = "Constructor of class CardRuntimeException"
behavior = "Safety"
file = "HOME/lib/javacard_api/javacard/framework/CardRuntimeException.java"
line = 56
begin = 9
end = 29

[JC_87]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_578]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 209
begin = 15
end = 32

[JC_560]
file = "HOME/tests/java/SimpleApplet.java"
line = 92
begin = 16
end = 23

[JC_15]
file = "HOME/tests/java/SimpleApplet.jc"
line = 282
begin = 11
end = 103

[JC_182]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_516]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 197
begin = 18
end = 33

[JC_368]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_83]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 217
begin = 18
end = 32

[JC_321]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 719
begin = 15
end = 33

[JC_215]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_629]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/tests/java/SimpleApplet.jc"
line = 275
begin = 10
end = 18

[JC_299]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 203
begin = 15
end = 36

[JC_242]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 190
begin = 15
end = 31

[JC_156]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_127]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_305]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 203
begin = 15
end = 36

[JC_252]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_171]
file = "HOME/lib/javacard_api/javacard/framework/ISOException.java"
line = 86
begin = 23
end = 30

[JC_44]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_155]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 219
begin = 15
end = 31

[JC_274]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 214
begin = 15
end = 38

[JC_485]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 175
begin = 15
end = 20

[JC_551]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_540]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 272
begin = 18
end = 27

[JC_477]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 198
begin = 15
end = 30

[JC_446]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_666]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 182
begin = 15
end = 20

[JC_425]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_310]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_471]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 189
begin = 15
end = 31

[JC_648]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_575]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_348]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_490]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_118]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_418]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_105]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_245]
file = "HOME/lib/javacard_api/javacard/framework/ISOException.java"
line = 59
begin = 9
end = 21

[JC_140]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_159]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_68]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_429]
kind = ArithOverflow
file = "HOME/tests/java/SimpleApplet.java"
line = 86
begin = 29
end = 50

[JC_353]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 227
begin = 15
end = 34

[JC_517]
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 97
begin = 14
end = 20

[JC_393]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_96]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_586]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 520
begin = 16
end = 24

[JC_93]
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 252
begin = 25
end = 33

[JC_259]
file = "HOME/lib/javacard_api/javacard/framework/ISOException.java"
line = 119
begin = 14
end = 23

[JC_554]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_532]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 459
begin = 15
end = 27

[JC_277]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 685
begin = 14
end = 27

[JC_288]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_283]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 752
begin = 7
end = 15

[JC_114]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 226
begin = 15
end = 32

[JC_484]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 198
begin = 15
end = 30

[JC_445]
file = "HOME/lib/javacard_api/javacard/framework/CardRuntimeException.java"
line = 67
begin = 30
end = 39

[JC_150]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_117]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 291
begin = 22
end = 36

[JC_53]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 186
begin = 15
end = 20

[JC_414]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_21]
file = "HOME/tests/java/SimpleApplet.jc"
line = 286
begin = 8
end = 23

[JC_287]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_77]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 207
begin = 18
end = 33

[JC_49]
file = "HOME/tests/java/SimpleApplet.jc"
line = 303
begin = 11
end = 65

[JC_1]
file = "HOME/tests/java/SimpleApplet.jc"
line = 273
begin = 8
end = 22

[JC_602]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_102]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Exception_safety]
name = "Constructor of class Exception"
behavior = "Safety"
file = "HOME/lib/javacard_api/java/lang/Exception.java"
line = 49
begin = 9
end = 18

[JC_142]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_146]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 230
begin = 18
end = 38

[JC_399]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_249]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_66]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_59]
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 139
begin = 23
end = 30

[JC_355]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 178
begin = 16
end = 21

[JC_342]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_397]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 811
begin = 21
end = 34

[JC_192]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_576]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_3]
file = "HOME/tests/java/SimpleApplet.jc"
line = 273
begin = 8
end = 22

[JC_377]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 185
begin = 15
end = 20

[JC_152]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_228]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_60]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_495]
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 166
begin = 25
end = 32

[Card_install_ensures_default]
name = "Method install"
behavior = "default behavior"
file = "HOME/tests/java/SimpleApplet.java"
line = 84
begin = 23
end = 30

[JC_384]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_183]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_139]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 230
begin = 18
end = 38

[JC_352]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_119]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_489]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_76]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_462]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_244]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_498]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_311]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_230]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_275]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 685
begin = 14
end = 27

[JC_234]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 204
begin = 15
end = 38

[JC_286]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_534]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_363]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 212
begin = 18
end = 39

[JC_619]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 208
begin = 15
end = 30

[JC_577]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_233]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 204
begin = 15
end = 38

[JC_467]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 218
begin = 15
end = 29

[cons_ISOException_short_ensures_default]
name = "Constructor of class ISOException"
behavior = "default behavior"
file = "HOME/lib/javacard_api/javacard/framework/ISOException.java"
line = 59
begin = 9
end = 21

[JC_177]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_461]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 218
begin = 15
end = 29

[JC_221]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 422
begin = 15
end = 26

[JC_51]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 186
begin = 15
end = 20

[JC_392]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_519]
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 97
begin = 14
end = 20

[JC_316]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_565]
kind = UserCall
file = "HOME/tests/java/SimpleApplet.java"
line = 102
begin = 5
end = 55

[JC_382]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_147]
file = "HOME/lib/javacard_api/java/lang/Throwable.java"
line = 48
begin = 9
end = 18

[JC_636]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 339
begin = 14
end = 20

[JC_442]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_436]
kind = UserCall
file = "HOME/tests/java/SimpleApplet.jc"
line = 472
begin = 10
end = 739

[JC_123]
file = "HOME/tests/java/SimpleApplet.java"
line = 77
begin = 4
end = 8

[JC_587]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 520
begin = 16
end = 24

[JC_248]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_64]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_457]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_301]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 203
begin = 15
end = 36

[JC_366]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_452]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_261]
file = "HOME/lib/javacard_api/javacard/framework/ISOException.java"
line = 119
begin = 14
end = 23

[JC_188]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_379]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 381
begin = 15
end = 36

[JC_346]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_99]
file = "HOME/lib/javacard_api/java/lang/RuntimeException.java"
line = 47
begin = 9
end = 25

[JC_632]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_630]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 403
begin = 14
end = 31

[JC_622]
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 185
begin = 19
end = 25

[JC_570]
kind = UserCall
file = "HOME/tests/java/SimpleApplet.java"
line = 102
begin = 5
end = 55

[JC_501]
file = "HOME/lib/javacard_api/javacard/framework/CardRuntimeException.java"
line = 89
begin = 21
end = 28

[JC_85]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 217
begin = 18
end = 32

[JC_647]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_250]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_391]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_307]
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 230
begin = 21
end = 48

[JC_465]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_31]
file = "HOME/tests/java/SimpleApplet.jc"
line = 292
begin = 8
end = 32

[JC_17]
file = "HOME/tests/java/SimpleApplet.jc"
line = 282
begin = 11
end = 103

[JC_401]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_626]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_205]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 310
begin = 22
end = 37

[JC_81]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 207
begin = 18
end = 33

[JC_55]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_369]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 212
begin = 18
end = 39

[JC_354]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 227
begin = 15
end = 34

[JC_241]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 190
begin = 15
end = 31

[JC_172]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_121]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_518]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_443]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 202
begin = 18
end = 39

[JC_25]
file = "HOME/tests/java/SimpleApplet.jc"
line = 289
begin = 11
end = 66

[JC_480]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_416]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_358]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_189]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 239
begin = 2
end = 6

[JC_563]
kind = IndexBounds
file = "HOME/tests/java/SimpleApplet.java"
line = 98
begin = 14
end = 30

[JC_78]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_447]
file = "HOME/lib/javacard_api/javacard/framework/CardRuntimeException.java"
line = 67
begin = 30
end = 39

[JC_582]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 520
begin = 16
end = 24

[JC_558]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_659]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 354
begin = 15
end = 26

[JC_468]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 218
begin = 15
end = 29

[JC_8]
file = "HOME/tests/java/SimpleApplet.jc"
line = 275
begin = 10
end = 18

[JC_271]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_270]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_547]
file = "HOME/lib/javacard_api/javacard/framework/CardRuntimeException.java"
line = 74
begin = 14
end = 23

[JC_476]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 189
begin = 15
end = 31

[JC_256]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_426]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_385]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 381
begin = 15
end = 36

[JC_13]
file = "HOME/tests/java/SimpleApplet.jc"
line = 279
begin = 8
end = 31

[JC_539]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 272
begin = 18
end = 27

[JC_240]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_153]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_222]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_450]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_246]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/java/SimpleApplet.jc"
line = 279
begin = 8
end = 31

[JC_569]
kind = UserCall
file = "HOME/tests/java/SimpleApplet.java"
line = 98
begin = 14
end = 30

[JC_185]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_167]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_98]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_70]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_639]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_345]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_412]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_RuntimeException_safety]
name = "Constructor of class RuntimeException"
behavior = "Safety"
file = "HOME/lib/javacard_api/java/lang/RuntimeException.java"
line = 47
begin = 9
end = 25

[cons_APDU_safety]
name = "Constructor of class APDU"
behavior = "Safety"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 239
begin = 2
end = 6

[JC_104]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_39]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_573]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_496]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_132]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_472]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
file = "HOME/tests/java/SimpleApplet.jc"
line = 289
begin = 11
end = 66

[JC_322]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 719
begin = 15
end = 33

[JC_219]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 422
begin = 15
end = 26

[JC_124]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_590]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 171
begin = 16
end = 21

[JC_273]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 214
begin = 15
end = 38

[JC_428]
kind = ArithOverflow
file = "HOME/tests/java/SimpleApplet.java"
line = 86
begin = 38
end = 49

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_206]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_325]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 726
begin = 7
end = 16

[JC_308]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_264]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_433]
kind = UserCall
file = "HOME/tests/java/SimpleApplet.jc"
line = 472
begin = 10
end = 739

[JC_223]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_129]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_601]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_584]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_574]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 209
begin = 15
end = 32

[JC_190]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_110]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_166]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_272]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_613]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_61]
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 139
begin = 23
end = 30

[JC_497]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_254]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_243]
file = "HOME/lib/javacard_api/javacard/framework/ISOException.java"
line = 59
begin = 9
end = 21

[JC_276]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_557]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_432]
kind = UserCall
file = "HOME/tests/java/SimpleApplet.jc"
line = 477
begin = 65
end = 130

[JC_470]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_202]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_507]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_267]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 214
begin = 15
end = 38

[JC_515]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 197
begin = 18
end = 33

[JC_235]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 190
begin = 15
end = 31

[JC_435]
kind = UserCall
file = "HOME/tests/java/SimpleApplet.jc"
line = 477
begin = 65
end = 130

[JC_128]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_225]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 422
begin = 15
end = 26

[JC_149]
file = "HOME/lib/javacard_api/java/lang/Throwable.java"
line = 48
begin = 9
end = 18

[JC_618]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 208
begin = 15
end = 30

[JC_216]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_324]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_292]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_37]
file = "HOME/tests/java/SimpleApplet.jc"
line = 295
begin = 11
end = 103

[JC_523]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_284]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_503]
file = "HOME/lib/javacard_api/javacard/framework/CardRuntimeException.java"
line = 89
begin = 21
end = 28

[JC_390]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_552]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_441]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_213]
file = "HOME/lib/javacard_api/java/lang/Exception.java"
line = 49
begin = 9
end = 18

[JC_253]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 329
begin = 21
end = 32

[JC_612]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 208
begin = 15
end = 30

[JC_598]
file = "HOME/lib/javacard_api/java/lang/Object.java"
line = 85
begin = 31
end = 37

[JC_86]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_549]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_72]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_19]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_606]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 793
begin = 7
end = 29

[JC_652]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 354
begin = 15
end = 26

[JC_407]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_344]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_187]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 239
begin = 2
end = 6

[JC_543]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 269
begin = 18
end = 35

[JC_238]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_309]
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 230
begin = 21
end = 48

[JC_591]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_336]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Throwable_safety]
name = "Constructor of class Throwable"
behavior = "Safety"
file = "HOME/lib/javacard_api/java/lang/Throwable.java"
line = 48
begin = 9
end = 18

[JC_488]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_APDU_ensures_default]
name = "Constructor of class APDU"
behavior = "default behavior"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 239
begin = 2
end = 6

[JC_58]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 186
begin = 15
end = 20

[Card_process_safety]
name = "Method process"
behavior = "Safety"
file = "HOME/tests/java/SimpleApplet.java"
line = 92
begin = 16
end = 23

[JC_378]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 185
begin = 15
end = 20

[JC_531]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 459
begin = 15
end = 27

[JC_383]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_609]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_625]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_158]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_RuntimeException_ensures_default]
name = "Constructor of class RuntimeException"
behavior = "default behavior"
file = "HOME/lib/javacard_api/java/lang/RuntimeException.java"
line = 47
begin = 9
end = 25

[JC_63]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_196]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_520]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_610]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 793
begin = 7
end = 29

[JC_640]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_419]
file = "HOME/tests/java/SimpleApplet.java"
line = 84
begin = 23
end = 30

[JC_197]
file = "HOME/lib/javacard_api/javacard/framework/ISOException.java"
line = 106
begin = 28
end = 37

[JC_579]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 209
begin = 15
end = 32

[JC_438]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_151]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_45]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_374]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_106]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_361]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 178
begin = 16
end = 21

[JC_608]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_408]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_339]
file = "HOME/lib/javacard_api/javacard/framework/CardRuntimeException.java"
line = 56
begin = 9
end = 29

[JC_406]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_400]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_487]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 175
begin = 15
end = 20

[JC_463]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 218
begin = 15
end = 29

[JC_337]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 505
begin = 15
end = 36

[JC_522]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_227]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 204
begin = 15
end = 38

[JC_649]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_623]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_527]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 459
begin = 15
end = 27

[JC_434]
kind = AllocSize
file = "HOME/tests/java/SimpleApplet.jc"
line = 474
begin = 67
end = 78

[JC_126]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_533]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 272
begin = 18
end = 27

[JC_607]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_236]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_603]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_138]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 231
begin = 15
end = 35

[JC_541]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 269
begin = 18
end = 35

[JC_269]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 214
begin = 15
end = 38

[JC_556]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_525]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 459
begin = 15
end = 27

[JC_148]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_657]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_458]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/tests/java/SimpleApplet.jc"
line = 276
begin = 11
end = 66

[JC_24]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_193]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 239
begin = 2
end = 6

[JC_282]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 685
begin = 14
end = 27

[JC_186]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_175]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_47]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_371]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 185
begin = 15
end = 20

[JC_592]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_232]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_545]
file = "HOME/lib/javacard_api/javacard/framework/CardRuntimeException.java"
line = 74
begin = 14
end = 23

[JC_54]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_654]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 354
begin = 15
end = 26

[JC_330]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 726
begin = 7
end = 16

[JC_208]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_79]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_638]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 339
begin = 14
end = 20

[JC_413]
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 281
begin = 25
end = 33

[JC_389]
file = "HOME/lib/javacard_api/java/lang/Object.java"
line = 47
begin = 9
end = 15

[JC_455]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 577
begin = 14
end = 23

[JC_644]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 199
begin = 15
end = 32

[JC_512]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_184]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_660]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 182
begin = 15
end = 20

[JC_621]
file = "HOME/"
line = 0
begin = -1
end = -1

[Card_install_safety]
name = "Method install"
behavior = "Safety"
file = "HOME/tests/java/SimpleApplet.java"
line = 84
begin = 23
end = 30

[JC_168]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_91]
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 252
begin = 25
end = 33

[JC_662]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 182
begin = 15
end = 20

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_548]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_162]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 219
begin = 15
end = 31

[JC_398]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_35]
file = "HOME/tests/java/SimpleApplet.jc"
line = 295
begin = 11
end = 103

[JC_469]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 189
begin = 15
end = 31

[JC_572]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 209
begin = 15
end = 32

[JC_514]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_263]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_107]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 226
begin = 15
end = 32

[JC_508]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_179]
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 209
begin = 16
end = 24

[JC_38]
file = "HOME/tests/java/SimpleApplet.jc"
line = 294
begin = 10
end = 18

[JC_651]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 199
begin = 15
end = 32

[JC_600]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_164]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_614]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 208
begin = 15
end = 30

[JC_667]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 182
begin = 15
end = 20

[JC_454]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_439]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 202
begin = 18
end = 39

[JC_341]
file = "HOME/lib/javacard_api/javacard/framework/CardRuntimeException.java"
line = 56
begin = 9
end = 29

[JC_88]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_42]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_178]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_506]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_141]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 230
begin = 18
end = 38

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_331]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 505
begin = 15
end = 36

[JC_220]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_596]
file = "HOME/lib/javacard_api/java/lang/Object.java"
line = 85
begin = 31
end = 37

[JC_566]
kind = IndexBounds
file = "HOME/tests/java/SimpleApplet.java"
line = 105
begin = 9
end = 32

[JC_521]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_65]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_529]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_312]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_444]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 202
begin = 18
end = 39

[cons_Object_safety]
name = "Constructor of class Object"
behavior = "Safety"
file = "HOME/lib/javacard_api/java/lang/Object.java"
line = 47
begin = 9
end = 15

[JC_7]
file = "HOME/tests/java/SimpleApplet.jc"
line = 276
begin = 11
end = 66

[JC_511]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 197
begin = 18
end = 33

[JC_395]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 811
begin = 21
end = 34

[JC_631]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_585]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_431]
kind = IndexBounds
file = "HOME/tests/java/SimpleApplet.jc"
line = 474
begin = 47
end = 79

[JC_424]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_562]
kind = UserCall
file = "HOME/tests/java/SimpleApplet.java"
line = 98
begin = 14
end = 30

[JC_266]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_255]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_214]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_303]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_258]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_204]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_157]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 219
begin = 15
end = 31

[JC_145]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 230
begin = 18
end = 38

[JC_209]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Applet_safety]
name = "Constructor of class Applet"
behavior = "Safety"
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 97
begin = 14
end = 20

[JC_111]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_349]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 227
begin = 15
end = 34

[JC_396]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_456]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_388]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_211]
file = "HOME/lib/javacard_api/java/lang/Exception.java"
line = 49
begin = 9
end = 18

[JC_588]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 171
begin = 16
end = 21

[JC_262]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_637]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_537]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_535]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 272
begin = 18
end = 27

[JC_18]
file = "HOME/tests/java/SimpleApplet.jc"
line = 281
begin = 10
end = 18

[JC_239]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_92]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_351]
file = "HOME/"
line = 0
begin = -1
end = -1

[Card_process_ensures_default]
name = "Method process"
behavior = "default behavior"
file = "HOME/tests/java/SimpleApplet.java"
line = 92
begin = 16
end = 23

[JC_437]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 202
begin = 18
end = 39

[JC_317]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 719
begin = 15
end = 33

[JC_210]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_423]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_510]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_478]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_624]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_499]
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 166
begin = 25
end = 32

[JC_482]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_297]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 225
begin = 10
end = 27

[JC_505]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_226]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 422
begin = 15
end = 26

[JC_100]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/java/why/SimpleApplet.why ==========
type Object

type byte

type char

type int32

type interface

type long

type short

logic AID_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom AID_parenttag_Object : parenttag(AID_tag, Object_tag)

logic byte_of_integer: int -> byte

function APDU_ACK_INS() : byte = byte_of_integer((1))

function APDU_ACK_NONE() : byte = byte_of_integer((0))

function APDU_ACK_NOT_INS() : byte = byte_of_integer((2))

logic APDU_BUFFERSIZE:  -> short

logic short_of_integer: int -> short

function APDU_BUFFER_OVERFLOW() : short = short_of_integer(neg_int((16383)))

function APDU_IFSC() : byte = byte_of_integer((1))

function APDU_IFSD() : short = short_of_integer((258))

function APDU_INVALID_GET_RESPONSE() : short =
 short_of_integer(neg_int((16378)))

function APDU_LC() : byte = byte_of_integer((2))

function APDU_LE() : byte = byte_of_integer((0))

function APDU_LR() : byte = byte_of_integer((1))

function APDU_PRE_READ_LENGTH() : byte = byte_of_integer((3))

function APDU_PROTOCOL_T0() : byte = byte_of_integer((0))

function APDU_PROTOCOL_T1() : byte = byte_of_integer((1))

function APDU_RAM_VARS_LENGTH() : byte = byte_of_integer((4))

function APDU_READ_ERROR() : short = short_of_integer(neg_int((16381)))

function APDU_WRITE_ERROR() : short = short_of_integer(neg_int((16380)))

logic APDU_tag:  -> Object tag_id

axiom APDU_parenttag_Object : parenttag(APDU_tag, Object_tag)

logic APDU_ramVars:  -> Object pointer

logic APDU_theAPDU:  -> Object pointer

logic Applet_tag:  -> Object tag_id

axiom Applet_parenttag_Object : parenttag(Applet_tag, Object_tag)

logic CardRuntimeException_tag:  -> Object tag_id

logic RuntimeException_tag:  -> Object tag_id

axiom CardRuntimeException_parenttag_RuntimeException :
 parenttag(CardRuntimeException_tag, RuntimeException_tag)

logic CardRuntimeException_systemInstance:  -> Object pointer

function Card_Card_Class() : byte = byte_of_integer(neg_int((128)))

function Card_Card_Ins_Auth() : byte = byte_of_integer((1))

function Card_Card_Ins_Del() : byte = byte_of_integer((6))

function Card_Card_Ins_Pin() : byte = byte_of_integer((2))

function Card_Card_Ins_Read() : byte = byte_of_integer((7))

function Card_Card_Ins_Write() : byte = byte_of_integer((5))

function Card_Data_Count() : short = short_of_integer((10))

function Card_Data_Len() : short = short_of_integer((5))

function Card_Key_Length() : byte = byte_of_integer(neg_int((124)))

function Card_Term_Function_Reader() : byte = byte_of_integer((17))

function Card_Term_Function_Writer() : byte = byte_of_integer(neg_int((86)))

logic Card_tag:  -> Object tag_id

axiom Card_parenttag_Applet : parenttag(Card_tag, Applet_tag)

logic Exception_tag:  -> Object tag_id

logic Throwable_tag:  -> Object tag_id

axiom Exception_parenttag_Throwable : parenttag(Exception_tag, Throwable_tag)

function ISO7816_CLA_ISO7816() : byte = byte_of_integer((0))

function ISO7816_INS_EXTERNAL_AUTHENTICATE() : byte =
 byte_of_integer(neg_int((126)))

function ISO7816_INS_SELECT() : byte = byte_of_integer(neg_int((92)))

function ISO7816_OFFSET_CDATA() : byte = byte_of_integer((5))

function ISO7816_OFFSET_CLA() : byte = byte_of_integer((0))

function ISO7816_OFFSET_INS() : byte = byte_of_integer((1))

function ISO7816_OFFSET_LC() : byte = byte_of_integer((4))

function ISO7816_OFFSET_P1() : byte = byte_of_integer((2))

function ISO7816_OFFSET_P2() : byte = byte_of_integer((3))

function ISO7816_SW_APPLET_SELECT_FAILED() : short =
 short_of_integer((27033))

function ISO7816_SW_BYTES_REMAINING_00() : short = short_of_integer((24832))

function ISO7816_SW_CLA_NOT_SUPPORTED() : short = short_of_integer((28160))

function ISO7816_SW_COMMAND_NOT_ALLOWED() : short = short_of_integer((27014))

function ISO7816_SW_CONDITIONS_NOT_SATISFIED() : short =
 short_of_integer((27013))

function ISO7816_SW_CORRECT_LENGTH_00() : short = short_of_integer((27648))

function ISO7816_SW_DATA_INVALID() : short = short_of_integer((27012))

function ISO7816_SW_FILE_FULL() : short = short_of_integer((27268))

function ISO7816_SW_FILE_INVALID() : short = short_of_integer((27011))

function ISO7816_SW_FILE_NOT_FOUND() : short = short_of_integer((27266))

function ISO7816_SW_FUNC_NOT_SUPPORTED() : short = short_of_integer((27265))

function ISO7816_SW_INCORRECT_P1P2() : short = short_of_integer((27270))

function ISO7816_SW_INS_NOT_SUPPORTED() : short = short_of_integer((27904))

function ISO7816_SW_NO_ERROR() : short = short_of_integer(neg_int((28672)))

function ISO7816_SW_RECORD_NOT_FOUND() : short = short_of_integer((27267))

function ISO7816_SW_SECURITY_STATUS_NOT_SATISFIED() : short =
 short_of_integer((27010))

function ISO7816_SW_UNKNOWN() : short = short_of_integer((28416))

function ISO7816_SW_WRONG_DATA() : short = short_of_integer((27264))

function ISO7816_SW_WRONG_LENGTH() : short = short_of_integer((26368))

function ISO7816_SW_WRONG_P1P2() : short = short_of_integer((27392))

logic ISOException_tag:  -> Object tag_id

axiom ISOException_parenttag_CardRuntimeException :
 parenttag(ISOException_tag, CardRuntimeException_tag)

logic ISOException_systemInstance:  -> Object pointer

logic JCSystem_tag:  -> Object tag_id

axiom JCSystem_parenttag_Object : parenttag(JCSystem_tag, Object_tag)

logic NativeMethods_tag:  -> Object tag_id

axiom NativeMethods_parenttag_Object :
 parenttag(NativeMethods_tag, Object_tag)

predicate Non_null_Object(x_2:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_2), (0))

predicate Non_null_byteM(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), neg_int((1)))

predicate Non_null_shortM(x_1:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_1), neg_int((1)))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic OwnerPIN_tag:  -> Object tag_id

axiom OwnerPIN_parenttag_Object : parenttag(OwnerPIN_tag, Object_tag)

logic PackedBoolean_tag:  -> Object tag_id

axiom PackedBoolean_parenttag_Object :
 parenttag(PackedBoolean_tag, Object_tag)

logic PrivAccess_tag:  -> Object tag_id

axiom PrivAccess_parenttag_Object : parenttag(PrivAccess_tag, Object_tag)

axiom RuntimeException_parenttag_Exception :
 parenttag(RuntimeException_tag, Exception_tag)

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

predicate buffer_inv(this_3:Object pointer,
 Object_alloc_table:Object alloc_table,
 APDU_buffer:(Object, Object pointer) memory) =
 ge_int(add_int(offset_max(Object_alloc_table, select(APDU_buffer, this_3)),
        (1)),
 (37))

logic byteM_tag:  -> Object tag_id

axiom byteM_parenttag_Object : parenttag(byteM_tag, Object_tag)

logic integer_of_byte: byte -> int

axiom byte_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_byte(byte_of_integer(x)), x)))

axiom byte_extensionality :
 (forall x:byte.
  (forall y:byte[eq_int(integer_of_byte(x), integer_of_byte(y))].
   (eq_int(integer_of_byte(x), integer_of_byte(y)) -> (x = y))))

axiom byte_range :
 (forall x:byte.
  (le_int((-128), integer_of_byte(x)) and le_int(integer_of_byte(x), (127))))

logic integer_of_char: char -> int

logic char_of_integer: int -> char

axiom char_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (65535))) ->
   eq_int(integer_of_char(char_of_integer(x)), x)))

axiom char_extensionality :
 (forall x:char.
  (forall y:char[eq_int(integer_of_char(x), integer_of_char(y))].
   (eq_int(integer_of_char(x), integer_of_char(y)) -> (x = y))))

axiom char_range :
 (forall x:char.
  (le_int((0), integer_of_char(x)) and le_int(integer_of_char(x), (65535))))

predicate eq_byte(x:byte, y:byte) =
 eq_int(integer_of_byte(x), integer_of_byte(y))

predicate eq_char(x:char, y:char) =
 eq_int(integer_of_char(x), integer_of_char(y))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_long: long -> int

predicate eq_long(x:long, y:long) =
 eq_int(integer_of_long(x), integer_of_long(y))

logic integer_of_short: short -> int

predicate eq_short(x:short, y:short) =
 eq_int(integer_of_short(x), integer_of_short(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_AID(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_APDU(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Applet(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Card(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Applet(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Throwable(p, a, Object_alloc_table)

predicate left_valid_struct_RuntimeException(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Exception(p, a, Object_alloc_table)

predicate left_valid_struct_CardRuntimeException(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_RuntimeException(p, a, Object_alloc_table)

predicate left_valid_struct_ISOException(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_CardRuntimeException(p, a, Object_alloc_table)

predicate left_valid_struct_JCSystem(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_NativeMethods(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_OwnerPIN(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_PackedBoolean(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_PrivAccess(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_byteM(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

predicate left_valid_struct_shortM(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

logic long_of_integer: int -> long

axiom long_coerce :
 (forall x:int.
  ((le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807))) ->
   eq_int(integer_of_long(long_of_integer(x)), x)))

axiom long_extensionality :
 (forall x:long.
  (forall y:long[eq_int(integer_of_long(x), integer_of_long(y))].
   (eq_int(integer_of_long(x), integer_of_long(y)) -> (x = y))))

axiom long_range :
 (forall x:long.
  (le_int((-9223372036854775808), integer_of_long(x))
  and le_int(integer_of_long(x), (9223372036854775807))))

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_AID(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_APDU(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Applet(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Card(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Applet(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Throwable(p, b, Object_alloc_table)

predicate right_valid_struct_RuntimeException(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Exception(p, b, Object_alloc_table)

predicate right_valid_struct_CardRuntimeException(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_RuntimeException(p, b, Object_alloc_table)

predicate right_valid_struct_ISOException(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_CardRuntimeException(p, b, Object_alloc_table)

predicate right_valid_struct_JCSystem(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_NativeMethods(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_OwnerPIN(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_PackedBoolean(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_PrivAccess(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_byteM(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

predicate right_valid_struct_shortM(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

logic shortM_tag:  -> Object tag_id

axiom shortM_parenttag_Object : parenttag(shortM_tag, Object_tag)

axiom short_coerce :
 (forall x:int.
  ((le_int((-32768), x) and le_int(x, (32767))) ->
   eq_int(integer_of_short(short_of_integer(x)), x)))

axiom short_extensionality :
 (forall x:short.
  (forall y:short[eq_int(integer_of_short(x), integer_of_short(y))].
   (eq_int(integer_of_short(x), integer_of_short(y)) -> (x = y))))

axiom short_range :
 (forall x:short.
  (le_int((-32768), integer_of_short(x))
  and le_int(integer_of_short(x), (32767))))

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_AID(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_APDU(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Applet(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Card(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Applet(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Throwable(p, a, b, Object_alloc_table)

predicate strict_valid_struct_RuntimeException(p:Object pointer, a:int,
 b:int, Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Exception(p, a, b, Object_alloc_table)

predicate strict_valid_struct_CardRuntimeException(p:Object pointer, a:int,
 b:int, Object_alloc_table:Object alloc_table) =
 strict_valid_struct_RuntimeException(p, a, b, Object_alloc_table)

predicate strict_valid_struct_ISOException(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_CardRuntimeException(p, a, b, Object_alloc_table)

predicate strict_valid_struct_JCSystem(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_NativeMethods(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_OwnerPIN(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_PackedBoolean(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_PrivAccess(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_byteM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_shortM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_AID(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_APDU(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Applet(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Card(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Applet(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Throwable(p, a, b, Object_alloc_table)

predicate valid_struct_RuntimeException(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Exception(p, a, b, Object_alloc_table)

predicate valid_struct_CardRuntimeException(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_RuntimeException(p, a, b, Object_alloc_table)

predicate valid_struct_ISOException(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_CardRuntimeException(p, a, b, Object_alloc_table)

predicate valid_struct_JCSystem(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_NativeMethods(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_OwnerPIN(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_PackedBoolean(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_PrivAccess(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_byteM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_shortM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

parameter APDU_buffer : (Object, Object pointer) memory ref

parameter Object_alloc_table : Object alloc_table ref

parameter APDU_complete :
 this_28:Object pointer ->
  status:short ->
   { } unit reads APDU_buffer,Object_alloc_table
   { (JC_290: buffer_inv(this_28, Object_alloc_table, APDU_buffer)) }

parameter APDU_complete_requires :
 this_28:Object pointer ->
  status:short ->
   { (JC_283: buffer_inv(this_28, Object_alloc_table, APDU_buffer))} unit
   reads APDU_buffer,Object_alloc_table
   { (JC_290: buffer_inv(this_28, Object_alloc_table, APDU_buffer)) }

parameter APDU_getBuffer :
 this_51:Object pointer ->
  { } Object pointer reads APDU_buffer,Object_alloc_table
  { ((JC_540: buffer_inv(this_51, Object_alloc_table, APDU_buffer))
    and (JC_544:
        ((JC_543: (result = select(APDU_buffer, this_51)))
        and buffer_inv(this_51, Object_alloc_table, APDU_buffer)))) }

parameter APDU_getBuffer_requires :
 this_51:Object pointer ->
  { (JC_533: buffer_inv(this_51, Object_alloc_table, APDU_buffer))}
  Object pointer reads APDU_buffer,Object_alloc_table
  { ((JC_540: buffer_inv(this_51, Object_alloc_table, APDU_buffer))
    and (JC_544:
        ((JC_543: (result = select(APDU_buffer, this_51)))
        and buffer_inv(this_51, Object_alloc_table, APDU_buffer)))) }

parameter APDU_getInBlockSize : tt:unit -> { } short { true }

parameter APDU_getInBlockSize_requires : tt:unit -> { } short { true }

parameter APDU_getIncomingFlag :
 this_49:Object pointer ->
  { } bool reads APDU_buffer,Object_alloc_table
  { (JC_516: buffer_inv(this_49, Object_alloc_table, APDU_buffer)) }

parameter APDU_getIncomingFlag_requires :
 this_49:Object pointer ->
  { (JC_509: buffer_inv(this_49, Object_alloc_table, APDU_buffer))} bool
  reads APDU_buffer,Object_alloc_table
  { (JC_516: buffer_inv(this_49, Object_alloc_table, APDU_buffer)) }

parameter APDU_getLc :
 this_38:Object pointer ->
  { } byte reads APDU_buffer,Object_alloc_table
  { (JC_378: buffer_inv(this_38, Object_alloc_table, APDU_buffer)) }

parameter APDU_getLc_requires :
 this_38:Object pointer ->
  { (JC_371: buffer_inv(this_38, Object_alloc_table, APDU_buffer))} byte
  reads APDU_buffer,Object_alloc_table
  { (JC_378: buffer_inv(this_38, Object_alloc_table, APDU_buffer)) }

parameter APDU_getLe :
 this_56:Object pointer ->
  { } short reads APDU_buffer,Object_alloc_table
  { (JC_595: buffer_inv(this_56, Object_alloc_table, APDU_buffer)) }

parameter APDU_getLe_requires :
 this_56:Object pointer ->
  { (JC_588: buffer_inv(this_56, Object_alloc_table, APDU_buffer))} short
  reads APDU_buffer,Object_alloc_table
  { (JC_595: buffer_inv(this_56, Object_alloc_table, APDU_buffer)) }

parameter APDU_getLr :
 this_36:Object pointer ->
  { } short reads APDU_buffer,Object_alloc_table
  { (JC_362: buffer_inv(this_36, Object_alloc_table, APDU_buffer)) }

parameter APDU_getLrIs256Flag :
 this_13:Object pointer ->
  { } bool reads APDU_buffer,Object_alloc_table
  { (JC_90: buffer_inv(this_13, Object_alloc_table, APDU_buffer)) }

parameter APDU_getLrIs256Flag_requires :
 this_13:Object pointer ->
  { (JC_83: buffer_inv(this_13, Object_alloc_table, APDU_buffer))} bool
  reads APDU_buffer,Object_alloc_table
  { (JC_90: buffer_inv(this_13, Object_alloc_table, APDU_buffer)) }

parameter APDU_getLr_requires :
 this_36:Object pointer ->
  { (JC_355: buffer_inv(this_36, Object_alloc_table, APDU_buffer))} short
  reads APDU_buffer,Object_alloc_table
  { (JC_362: buffer_inv(this_36, Object_alloc_table, APDU_buffer)) }

parameter APDU_getNAD :
 this_62:Object pointer ->
  { } byte reads APDU_buffer,Object_alloc_table
  { (JC_643: buffer_inv(this_62, Object_alloc_table, APDU_buffer)) }

parameter APDU_getNAD_requires :
 this_62:Object pointer ->
  { (JC_636: buffer_inv(this_62, Object_alloc_table, APDU_buffer))} byte
  reads APDU_buffer,Object_alloc_table
  { (JC_643: buffer_inv(this_62, Object_alloc_table, APDU_buffer)) }

parameter APDU_getNoChainingFlag :
 this_29:Object pointer ->
  { } bool reads APDU_buffer,Object_alloc_table
  { (JC_298: buffer_inv(this_29, Object_alloc_table, APDU_buffer)) }

parameter APDU_getNoChainingFlag_requires :
 this_29:Object pointer ->
  { (JC_291: buffer_inv(this_29, Object_alloc_table, APDU_buffer))} bool
  reads APDU_buffer,Object_alloc_table
  { (JC_298: buffer_inv(this_29, Object_alloc_table, APDU_buffer)) }

parameter APDU_getNoGetResponseFlag :
 this_17:Object pointer ->
  { } bool reads APDU_buffer,Object_alloc_table
  { (JC_146: buffer_inv(this_17, Object_alloc_table, APDU_buffer)) }

parameter APDU_getNoGetResponseFlag_requires :
 this_17:Object pointer ->
  { (JC_139: buffer_inv(this_17, Object_alloc_table, APDU_buffer))} bool
  reads APDU_buffer,Object_alloc_table
  { (JC_146: buffer_inv(this_17, Object_alloc_table, APDU_buffer)) }

parameter APDU_getOutBlockSize : tt:unit -> { } short { true }

parameter APDU_getOutBlockSize_requires : tt:unit -> { } short { true }

parameter APDU_getOutgoingFlag :
 this_12:Object pointer ->
  { } bool reads APDU_buffer,Object_alloc_table
  { (JC_82: buffer_inv(this_12, Object_alloc_table, APDU_buffer)) }

parameter APDU_getOutgoingFlag_requires :
 this_12:Object pointer ->
  { (JC_75: buffer_inv(this_12, Object_alloc_table, APDU_buffer))} bool
  reads APDU_buffer,Object_alloc_table
  { (JC_82: buffer_inv(this_12, Object_alloc_table, APDU_buffer)) }

parameter APDU_getOutgoingLenSetFlag :
 this_37:Object pointer ->
  { } bool reads APDU_buffer,Object_alloc_table
  { (JC_370: buffer_inv(this_37, Object_alloc_table, APDU_buffer)) }

parameter APDU_getOutgoingLenSetFlag_requires :
 this_37:Object pointer ->
  { (JC_363: buffer_inv(this_37, Object_alloc_table, APDU_buffer))} bool
  reads APDU_buffer,Object_alloc_table
  { (JC_370: buffer_inv(this_37, Object_alloc_table, APDU_buffer)) }

parameter APDU_getPreReadLength :
 this_45:Object pointer ->
  { } byte reads APDU_buffer,Object_alloc_table
  { (JC_476: buffer_inv(this_45, Object_alloc_table, APDU_buffer)) }

parameter APDU_getPreReadLength_requires :
 this_45:Object pointer ->
  { (JC_469: buffer_inv(this_45, Object_alloc_table, APDU_buffer))} byte
  reads APDU_buffer,Object_alloc_table
  { (JC_476: buffer_inv(this_45, Object_alloc_table, APDU_buffer)) }

parameter APDU_getProtocol : tt:unit -> { } byte { true }

parameter APDU_getProtocol_requires : tt:unit -> { } byte { true }

parameter APDU_getSendInProgressFlag :
 this_41:Object pointer ->
  { } bool reads APDU_buffer,Object_alloc_table
  { (JC_444: buffer_inv(this_41, Object_alloc_table, APDU_buffer)) }

parameter APDU_getSendInProgressFlag_requires :
 this_41:Object pointer ->
  { (JC_437: buffer_inv(this_41, Object_alloc_table, APDU_buffer))} bool
  reads APDU_buffer,Object_alloc_table
  { (JC_444: buffer_inv(this_41, Object_alloc_table, APDU_buffer)) }

parameter APDU_incomingFlag : (Object, byte) memory ref

parameter APDU_lrIs256Flag : (Object, byte) memory ref

parameter APDU_noChainingFlag : (Object, byte) memory ref

parameter APDU_noGetResponseFlag : (Object, byte) memory ref

parameter APDU_outgoingFlag : (Object, byte) memory ref

parameter APDU_outgoingLenSetFlag : (Object, byte) memory ref

parameter APDU_receiveBytes :
 this_50:Object pointer ->
  bOff:short ->
   { } short reads APDU_buffer,Object_alloc_table
   { (JC_532: buffer_inv(this_50, Object_alloc_table, APDU_buffer)) }

parameter APDU_receiveBytes_requires :
 this_50:Object pointer ->
  bOff:short ->
   { (JC_525: buffer_inv(this_50, Object_alloc_table, APDU_buffer))} short
   reads APDU_buffer,Object_alloc_table
   { (JC_532: buffer_inv(this_50, Object_alloc_table, APDU_buffer)) }

parameter APDU_resetAPDU :
 this_33:Object pointer ->
  { } unit reads APDU_buffer,Object_alloc_table
  { (JC_330: buffer_inv(this_33, Object_alloc_table, APDU_buffer)) }

parameter APDU_resetAPDU_requires :
 this_33:Object pointer ->
  { (JC_323: buffer_inv(this_33, Object_alloc_table, APDU_buffer))} unit
  reads APDU_buffer,Object_alloc_table
  { (JC_330: buffer_inv(this_33, Object_alloc_table, APDU_buffer)) }

parameter APDU_resetIncomingFlag :
 this_63:Object pointer ->
  { } unit reads APDU_buffer,Object_alloc_table
  { (JC_651: buffer_inv(this_63, Object_alloc_table, APDU_buffer)) }

parameter APDU_resetIncomingFlag_requires :
 this_63:Object pointer ->
  { (JC_644: buffer_inv(this_63, Object_alloc_table, APDU_buffer))} unit
  reads APDU_buffer,Object_alloc_table
  { (JC_651: buffer_inv(this_63, Object_alloc_table, APDU_buffer)) }

parameter APDU_resetLrIs256Flag :
 this_18:Object pointer ->
  { } unit reads APDU_buffer,Object_alloc_table
  { (JC_162: buffer_inv(this_18, Object_alloc_table, APDU_buffer)) }

parameter APDU_resetLrIs256Flag_requires :
 this_18:Object pointer ->
  { (JC_155: buffer_inv(this_18, Object_alloc_table, APDU_buffer))} unit
  reads APDU_buffer,Object_alloc_table
  { (JC_162: buffer_inv(this_18, Object_alloc_table, APDU_buffer)) }

parameter APDU_resetNoChainingFlag :
 this_35:Object pointer ->
  { } unit reads APDU_buffer,Object_alloc_table
  { (JC_354: buffer_inv(this_35, Object_alloc_table, APDU_buffer)) }

parameter APDU_resetNoChainingFlag_requires :
 this_35:Object pointer ->
  { (JC_347: buffer_inv(this_35, Object_alloc_table, APDU_buffer))} unit
  reads APDU_buffer,Object_alloc_table
  { (JC_354: buffer_inv(this_35, Object_alloc_table, APDU_buffer)) }

parameter APDU_resetNoGetResponseFlag :
 this_11:Object pointer ->
  { } unit reads APDU_buffer,Object_alloc_table
  { (JC_74: buffer_inv(this_11, Object_alloc_table, APDU_buffer)) }

parameter APDU_resetNoGetResponseFlag_requires :
 this_11:Object pointer ->
  { (JC_67: buffer_inv(this_11, Object_alloc_table, APDU_buffer))} unit
  reads APDU_buffer,Object_alloc_table
  { (JC_74: buffer_inv(this_11, Object_alloc_table, APDU_buffer)) }

parameter APDU_resetOutgoingFlag :
 this_54:Object pointer ->
  { } unit reads APDU_buffer,Object_alloc_table
  { (JC_579: buffer_inv(this_54, Object_alloc_table, APDU_buffer)) }

parameter APDU_resetOutgoingFlag_requires :
 this_54:Object pointer ->
  { (JC_572: buffer_inv(this_54, Object_alloc_table, APDU_buffer))} unit
  reads APDU_buffer,Object_alloc_table
  { (JC_579: buffer_inv(this_54, Object_alloc_table, APDU_buffer)) }

parameter APDU_resetOutgoingLenSetFlag :
 this_26:Object pointer ->
  { } unit reads APDU_buffer,Object_alloc_table
  { (JC_274: buffer_inv(this_26, Object_alloc_table, APDU_buffer)) }

parameter APDU_resetOutgoingLenSetFlag_requires :
 this_26:Object pointer ->
  { (JC_267: buffer_inv(this_26, Object_alloc_table, APDU_buffer))} unit
  reads APDU_buffer,Object_alloc_table
  { (JC_274: buffer_inv(this_26, Object_alloc_table, APDU_buffer)) }

parameter APDU_resetSendInProgressFlag :
 this_23:Object pointer ->
  { } unit reads APDU_buffer,Object_alloc_table
  { (JC_234: buffer_inv(this_23, Object_alloc_table, APDU_buffer)) }

parameter APDU_resetSendInProgressFlag_requires :
 this_23:Object pointer ->
  { (JC_227: buffer_inv(this_23, Object_alloc_table, APDU_buffer))} unit
  reads APDU_buffer,Object_alloc_table
  { (JC_234: buffer_inv(this_23, Object_alloc_table, APDU_buffer)) }

parameter APDU_send61xx :
 this_55:Object pointer ->
  len_0:short ->
   { } short reads APDU_buffer,Object_alloc_table
   { (JC_587: buffer_inv(this_55, Object_alloc_table, APDU_buffer)) }

parameter APDU_send61xx_requires :
 this_55:Object pointer ->
  len_0:short ->
   { (JC_580: buffer_inv(this_55, Object_alloc_table, APDU_buffer))} short
   reads APDU_buffer,Object_alloc_table
   { (JC_587: buffer_inv(this_55, Object_alloc_table, APDU_buffer)) }

parameter APDU_sendBytes :
 this_43:Object pointer ->
  bOff_0:short ->
   len_1:short ->
    { } unit reads APDU_buffer,Object_alloc_table
    { (JC_460: buffer_inv(this_43, Object_alloc_table, APDU_buffer)) }

parameter APDU_sendBytesLong :
 this_27:Object pointer ->
  outData:Object pointer ->
   bOff_1:short ->
    len_2:short ->
     { } unit reads APDU_buffer,Object_alloc_table
     { (JC_282: buffer_inv(this_27, Object_alloc_table, APDU_buffer)) }

parameter APDU_sendBytesLong_requires :
 this_27:Object pointer ->
  outData:Object pointer ->
   bOff_1:short ->
    len_2:short ->
     { (JC_275: buffer_inv(this_27, Object_alloc_table, APDU_buffer))} unit
     reads APDU_buffer,Object_alloc_table
     { (JC_282: buffer_inv(this_27, Object_alloc_table, APDU_buffer)) }

parameter APDU_sendBytes_requires :
 this_43:Object pointer ->
  bOff_0:short ->
   len_1:short ->
    { (JC_453: buffer_inv(this_43, Object_alloc_table, APDU_buffer))} unit
    reads APDU_buffer,Object_alloc_table
    { (JC_460: buffer_inv(this_43, Object_alloc_table, APDU_buffer)) }

parameter APDU_sendInProgressFlag : (Object, byte) memory ref

parameter APDU_setIncoming :
 this_22:Object pointer ->
  { } unit reads APDU_buffer,Object_alloc_table
  { (JC_226: buffer_inv(this_22, Object_alloc_table, APDU_buffer)) }

parameter APDU_setIncomingAndReceive :
 this_34:Object pointer ->
  { } short reads APDU_buffer,Object_alloc_table
  { (JC_338: buffer_inv(this_34, Object_alloc_table, APDU_buffer)) }

parameter APDU_setIncomingAndReceive_requires :
 this_34:Object pointer ->
  { (JC_331: buffer_inv(this_34, Object_alloc_table, APDU_buffer))} short
  reads APDU_buffer,Object_alloc_table
  { (JC_338: buffer_inv(this_34, Object_alloc_table, APDU_buffer)) }

parameter APDU_setIncomingFlag :
 this_46:Object pointer ->
  { } unit reads APDU_buffer,Object_alloc_table
  { (JC_484: buffer_inv(this_46, Object_alloc_table, APDU_buffer)) }

parameter APDU_setIncomingFlag_requires :
 this_46:Object pointer ->
  { (JC_477: buffer_inv(this_46, Object_alloc_table, APDU_buffer))} unit
  reads APDU_buffer,Object_alloc_table
  { (JC_484: buffer_inv(this_46, Object_alloc_table, APDU_buffer)) }

parameter APDU_setIncoming_requires :
 this_22:Object pointer ->
  { (JC_219: buffer_inv(this_22, Object_alloc_table, APDU_buffer))} unit
  reads APDU_buffer,Object_alloc_table
  { (JC_226: buffer_inv(this_22, Object_alloc_table, APDU_buffer)) }

parameter APDU_setLc :
 this_10:Object pointer ->
  data_1:byte ->
   { } unit reads APDU_buffer,Object_alloc_table
   { (JC_58: buffer_inv(this_10, Object_alloc_table, APDU_buffer)) }

parameter APDU_setLc_requires :
 this_10:Object pointer ->
  data_1:byte ->
   { (JC_51: buffer_inv(this_10, Object_alloc_table, APDU_buffer))} unit
   reads APDU_buffer,Object_alloc_table
   { (JC_58: buffer_inv(this_10, Object_alloc_table, APDU_buffer)) }

parameter APDU_setLe :
 this_47:Object pointer ->
  data:byte ->
   { } unit reads APDU_buffer,Object_alloc_table
   { (JC_492: buffer_inv(this_47, Object_alloc_table, APDU_buffer)) }

parameter APDU_setLe_requires :
 this_47:Object pointer ->
  data:byte ->
   { (JC_485: buffer_inv(this_47, Object_alloc_table, APDU_buffer))} unit
   reads APDU_buffer,Object_alloc_table
   { (JC_492: buffer_inv(this_47, Object_alloc_table, APDU_buffer)) }

parameter APDU_setLr :
 this_65:Object pointer ->
  data_0:byte ->
   { } unit reads APDU_buffer,Object_alloc_table
   { (JC_667: buffer_inv(this_65, Object_alloc_table, APDU_buffer)) }

parameter APDU_setLrIs256Flag :
 this_44:Object pointer ->
  { } unit reads APDU_buffer,Object_alloc_table
  { (JC_468: buffer_inv(this_44, Object_alloc_table, APDU_buffer)) }

parameter APDU_setLrIs256Flag_requires :
 this_44:Object pointer ->
  { (JC_461: buffer_inv(this_44, Object_alloc_table, APDU_buffer))} unit
  reads APDU_buffer,Object_alloc_table
  { (JC_468: buffer_inv(this_44, Object_alloc_table, APDU_buffer)) }

parameter APDU_setLr_requires :
 this_65:Object pointer ->
  data_0:byte ->
   { (JC_660: buffer_inv(this_65, Object_alloc_table, APDU_buffer))} unit
   reads APDU_buffer,Object_alloc_table
   { (JC_667: buffer_inv(this_65, Object_alloc_table, APDU_buffer)) }

parameter APDU_setNoChainingFlag :
 this_15:Object pointer ->
  { } unit reads APDU_buffer,Object_alloc_table
  { (JC_114: buffer_inv(this_15, Object_alloc_table, APDU_buffer)) }

parameter APDU_setNoChainingFlag_requires :
 this_15:Object pointer ->
  { (JC_107: buffer_inv(this_15, Object_alloc_table, APDU_buffer))} unit
  reads APDU_buffer,Object_alloc_table
  { (JC_114: buffer_inv(this_15, Object_alloc_table, APDU_buffer)) }

parameter APDU_setNoGetResponseFlag :
 this_16:Object pointer ->
  { } unit reads APDU_buffer,Object_alloc_table
  { (JC_138: buffer_inv(this_16, Object_alloc_table, APDU_buffer)) }

parameter APDU_setNoGetResponseFlag_requires :
 this_16:Object pointer ->
  { (JC_131: buffer_inv(this_16, Object_alloc_table, APDU_buffer))} unit
  reads APDU_buffer,Object_alloc_table
  { (JC_138: buffer_inv(this_16, Object_alloc_table, APDU_buffer)) }

parameter APDU_setOutgoing :
 this_64:Object pointer ->
  { } short reads APDU_buffer,Object_alloc_table
  { (JC_659: buffer_inv(this_64, Object_alloc_table, APDU_buffer)) }

parameter APDU_setOutgoingAndSend :
 this_32:Object pointer ->
  bOff_2:short ->
   len_3:short ->
    { } unit reads APDU_buffer,Object_alloc_table
    { (JC_322: buffer_inv(this_32, Object_alloc_table, APDU_buffer)) }

parameter APDU_setOutgoingAndSend_requires :
 this_32:Object pointer ->
  bOff_2:short ->
   len_3:short ->
    { (JC_315: buffer_inv(this_32, Object_alloc_table, APDU_buffer))} unit
    reads APDU_buffer,Object_alloc_table
    { (JC_322: buffer_inv(this_32, Object_alloc_table, APDU_buffer)) }

parameter APDU_setOutgoingFlag :
 this_59:Object pointer ->
  { } unit reads APDU_buffer,Object_alloc_table
  { (JC_619: buffer_inv(this_59, Object_alloc_table, APDU_buffer)) }

parameter APDU_setOutgoingFlag_requires :
 this_59:Object pointer ->
  { (JC_612: buffer_inv(this_59, Object_alloc_table, APDU_buffer))} unit
  reads APDU_buffer,Object_alloc_table
  { (JC_619: buffer_inv(this_59, Object_alloc_table, APDU_buffer)) }

parameter APDU_setOutgoingLenSetFlag :
 this_19:Object pointer ->
  { } unit reads APDU_buffer,Object_alloc_table
  { (JC_170: buffer_inv(this_19, Object_alloc_table, APDU_buffer)) }

parameter APDU_setOutgoingLenSetFlag_requires :
 this_19:Object pointer ->
  { (JC_163: buffer_inv(this_19, Object_alloc_table, APDU_buffer))} unit
  reads APDU_buffer,Object_alloc_table
  { (JC_170: buffer_inv(this_19, Object_alloc_table, APDU_buffer)) }

parameter APDU_setOutgoingLength :
 this_61:Object pointer ->
  len:short ->
   { } unit reads APDU_buffer,Object_alloc_table
   { (JC_635: buffer_inv(this_61, Object_alloc_table, APDU_buffer)) }

parameter APDU_setOutgoingLength_requires :
 this_61:Object pointer ->
  len:short ->
   { (JC_628: buffer_inv(this_61, Object_alloc_table, APDU_buffer))} unit
   reads APDU_buffer,Object_alloc_table
   { (JC_635: buffer_inv(this_61, Object_alloc_table, APDU_buffer)) }

parameter APDU_setOutgoingNoChaining :
 this_39:Object pointer ->
  { } short reads APDU_buffer,Object_alloc_table
  { (JC_386: buffer_inv(this_39, Object_alloc_table, APDU_buffer)) }

parameter APDU_setOutgoingNoChaining_requires :
 this_39:Object pointer ->
  { (JC_379: buffer_inv(this_39, Object_alloc_table, APDU_buffer))} short
  reads APDU_buffer,Object_alloc_table
  { (JC_386: buffer_inv(this_39, Object_alloc_table, APDU_buffer)) }

parameter APDU_setOutgoing_requires :
 this_64:Object pointer ->
  { (JC_652: buffer_inv(this_64, Object_alloc_table, APDU_buffer))} short
  reads APDU_buffer,Object_alloc_table
  { (JC_659: buffer_inv(this_64, Object_alloc_table, APDU_buffer)) }

parameter APDU_setPreReadLength :
 this_24:Object pointer ->
  data_2:byte ->
   { } unit reads APDU_buffer,Object_alloc_table
   { (JC_242: buffer_inv(this_24, Object_alloc_table, APDU_buffer)) }

parameter APDU_setPreReadLength_requires :
 this_24:Object pointer ->
  data_2:byte ->
   { (JC_235: buffer_inv(this_24, Object_alloc_table, APDU_buffer))} unit
   reads APDU_buffer,Object_alloc_table
   { (JC_242: buffer_inv(this_24, Object_alloc_table, APDU_buffer)) }

parameter APDU_setSendInProgressFlag :
 this_30:Object pointer ->
  { } unit reads APDU_buffer,Object_alloc_table
  { (JC_306: buffer_inv(this_30, Object_alloc_table, APDU_buffer)) }

parameter APDU_setSendInProgressFlag_requires :
 this_30:Object pointer ->
  { (JC_299: buffer_inv(this_30, Object_alloc_table, APDU_buffer))} unit
  reads APDU_buffer,Object_alloc_table
  { (JC_306: buffer_inv(this_30, Object_alloc_table, APDU_buffer)) }

parameter APDU_thePackedBoolean : (Object, Object pointer) memory ref

parameter APDU_undoIncomingAndReceive :
 this_58:Object pointer ->
  { } unit reads APDU_buffer,Object_alloc_table
  { (JC_611: buffer_inv(this_58, Object_alloc_table, APDU_buffer)) }

parameter APDU_undoIncomingAndReceive_requires :
 this_58:Object pointer ->
  { (JC_604: buffer_inv(this_58, Object_alloc_table, APDU_buffer))} unit
  reads APDU_buffer,Object_alloc_table
  { (JC_611: buffer_inv(this_58, Object_alloc_table, APDU_buffer)) }

parameter APDU_waitExtension : tt:unit -> { } unit { true }

parameter APDU_waitExtension_requires : tt:unit -> { } unit { true }

parameter Applet_deselect :
 this_20:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Applet_deselect_requires :
 this_20:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Applet_getShareableInterfaceObject :
 this_31:Object pointer ->
  clientAID:Object pointer ->
   param:byte -> { } Object pointer reads Object_alloc_table { true }

parameter Applet_getShareableInterfaceObject_requires :
 this_31:Object pointer ->
  clientAID:Object pointer ->
   param:byte -> { } Object pointer reads Object_alloc_table { true }

parameter Applet_install :
 bArray:Object pointer -> bOffset:short -> bLength:byte -> { } unit { true }

parameter Applet_install_requires :
 bArray:Object pointer -> bOffset:short -> bLength:byte -> { } unit { true }

parameter Applet_process :
 this_48:Object pointer ->
  apdu:Object pointer ->
   { } unit reads APDU_buffer,Object_alloc_table
   { (JC_500: buffer_inv(apdu, Object_alloc_table, APDU_buffer)) }

parameter Applet_process_requires :
 this_48:Object pointer ->
  apdu:Object pointer ->
   { (JC_493: buffer_inv(apdu, Object_alloc_table, APDU_buffer))} unit
   reads APDU_buffer,Object_alloc_table
   { (JC_500: buffer_inv(apdu, Object_alloc_table, APDU_buffer)) }

parameter Applet_register :
 this_14:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Applet_register_byteA_short_byte :
 this_52:Object pointer ->
  bArray_0:Object pointer ->
   bOffset_0:short ->
    bLength_0:byte -> { } unit reads Object_alloc_table { true }

parameter Applet_register_byteA_short_byte_requires :
 this_52:Object pointer ->
  bArray_0:Object pointer ->
   bOffset_0:short ->
    bLength_0:byte -> { } unit reads Object_alloc_table { true }

parameter Applet_register_requires :
 this_14:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Applet_select :
 this_60:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Applet_select_requires :
 this_60:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Applet_selectingApplet :
 this_40:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Applet_selectingApplet_requires :
 this_40:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Applet_thePrivAccess : (Object, Object pointer) memory ref

exception CardRuntimeException_exc of Object pointer

parameter CardRuntimeException_getReason :
 this_42:Object pointer -> { } short reads Object_alloc_table { true }

parameter CardRuntimeException_getReason_requires :
 this_42:Object pointer -> { } short reads Object_alloc_table { true }

parameter CardRuntimeException_reason : (Object, short) memory ref

parameter CardRuntimeException_setReason :
 this_53:Object pointer ->
  reason_0:short -> { } unit reads Object_alloc_table { true }

parameter CardRuntimeException_setReason_requires :
 this_53:Object pointer ->
  reason_0:short -> { } unit reads Object_alloc_table { true }

parameter CardRuntimeException_throwIt : reason_1:short -> { } unit { true }

parameter CardRuntimeException_throwIt_requires :
 reason_1:short -> { } unit { true }

parameter byteM_byteP : (Object, byte) memory ref

parameter Object_tag_table : Object tag_table ref

parameter Card_install :
 bArray_1:Object pointer ->
  bOffset_1:short ->
   bLength_1:byte ->
    { } unit reads Object_alloc_table,byteM_byteP
    writes Object_alloc_table,Object_tag_table { true }

parameter Card_install_requires :
 bArray_1:Object pointer ->
  bOffset_1:short ->
   bLength_1:byte ->
    { } unit reads Object_alloc_table,byteM_byteP
    writes Object_alloc_table,Object_tag_table { true }

parameter Card_process :
 this_1:Object pointer ->
  apdu_0:Object pointer ->
   { } unit reads APDU_buffer,Object_alloc_table,byteM_byteP
   { (JC_560: buffer_inv(apdu_0, Object_alloc_table, APDU_buffer)) }

parameter Card_process_requires :
 this_1:Object pointer ->
  apdu_0:Object pointer ->
   { (JC_553: buffer_inv(apdu_0, Object_alloc_table, APDU_buffer))} unit
   reads APDU_buffer,Object_alloc_table,byteM_byteP
   { (JC_560: buffer_inv(apdu_0, Object_alloc_table, APDU_buffer)) }

exception Exception_exc of Object pointer

exception ISOException_exc of Object pointer

parameter ISOException_getReason :
 this_21:Object pointer -> { } short reads Object_alloc_table { true }

parameter ISOException_getReason_requires :
 this_21:Object pointer -> { } short reads Object_alloc_table { true }

parameter ISOException_setReason :
 this_25:Object pointer ->
  sw_1:short -> { } unit reads Object_alloc_table { true }

parameter ISOException_setReason_requires :
 this_25:Object pointer ->
  sw_1:short -> { } unit reads Object_alloc_table { true }

parameter ISOException_theSw : (Object, Object pointer) memory ref

parameter ISOException_throwIt : sw_0:short -> { } unit { true }

parameter ISOException_throwIt_requires : sw_0:short -> { } unit { true }

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Object_equals :
 this_57:Object pointer ->
  obj:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Object_equals_requires :
 this_57:Object pointer ->
  obj:Object pointer -> { } bool reads Object_alloc_table { true }

exception Return_label_exc of unit

exception RuntimeException_exc of Object pointer

exception Throwable_exc of Object pointer

parameter alloc_struct_AID :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_AID(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, AID_tag)))) }

parameter alloc_struct_AID_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_AID(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, AID_tag)))) }

parameter alloc_struct_APDU :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_APDU(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, APDU_tag)))) }

parameter alloc_struct_APDU_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_APDU(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, APDU_tag)))) }

parameter alloc_struct_Applet :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Applet(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Applet_tag)))) }

parameter alloc_struct_Applet_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Applet(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Applet_tag)))) }

parameter alloc_struct_Card :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Card(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Card_tag)))) }

parameter alloc_struct_CardRuntimeException :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_CardRuntimeException(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result,
                  CardRuntimeException_tag)))) }

parameter alloc_struct_CardRuntimeException_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_CardRuntimeException(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result,
                  CardRuntimeException_tag)))) }

parameter alloc_struct_Card_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Card(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Card_tag)))) }

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_ISOException :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_ISOException(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, ISOException_tag)))) }

parameter alloc_struct_ISOException_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_ISOException(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, ISOException_tag)))) }

parameter alloc_struct_JCSystem :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_JCSystem(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, JCSystem_tag)))) }

parameter alloc_struct_JCSystem_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_JCSystem(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, JCSystem_tag)))) }

parameter alloc_struct_NativeMethods :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_NativeMethods(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, NativeMethods_tag)))) }

parameter alloc_struct_NativeMethods_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_NativeMethods(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, NativeMethods_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_OwnerPIN :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_OwnerPIN(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, OwnerPIN_tag)))) }

parameter alloc_struct_OwnerPIN_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_OwnerPIN(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, OwnerPIN_tag)))) }

parameter alloc_struct_PackedBoolean :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_PackedBoolean(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, PackedBoolean_tag)))) }

parameter alloc_struct_PackedBoolean_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_PackedBoolean(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, PackedBoolean_tag)))) }

parameter alloc_struct_PrivAccess :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_PrivAccess(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, PrivAccess_tag)))) }

parameter alloc_struct_PrivAccess_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_PrivAccess(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, PrivAccess_tag)))) }

parameter alloc_struct_RuntimeException :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_RuntimeException(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, RuntimeException_tag)))) }

parameter alloc_struct_RuntimeException_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_RuntimeException(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, RuntimeException_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_byteM :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_byteM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, byteM_tag)))) }

parameter alloc_struct_byteM_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_byteM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, byteM_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_shortM :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_shortM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, shortM_tag)))) }

parameter alloc_struct_shortM_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_shortM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, shortM_tag)))) }

parameter any_byte : unit -> { } byte { true }

parameter any_char : unit -> { } char { true }

parameter any_int32 : unit -> { } int32 { true }

parameter any_long : unit -> { } long { true }

parameter any_short : unit -> { } short { true }

parameter byte_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} byte
  { eq_int(integer_of_byte(result), x) }

parameter char_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (65535)))} char
  { eq_int(integer_of_char(result), x) }

parameter cons_APDU :
 this_68:Object pointer ->
  { } unit reads APDU_buffer,Object_alloc_table
  writes APDU_buffer,APDU_incomingFlag,APDU_lrIs256Flag,APDU_noChainingFlag,APDU_noGetResponseFlag,APDU_outgoingFlag,APDU_outgoingLenSetFlag,APDU_sendInProgressFlag,APDU_thePackedBoolean
  { (JC_194: buffer_inv(this_68, Object_alloc_table, APDU_buffer)) }

parameter cons_APDU_requires :
 this_68:Object pointer ->
  { } unit reads APDU_buffer,Object_alloc_table
  writes APDU_buffer,APDU_incomingFlag,APDU_lrIs256Flag,APDU_noChainingFlag,APDU_noGetResponseFlag,APDU_outgoingFlag,APDU_outgoingLenSetFlag,APDU_sendInProgressFlag,APDU_thePackedBoolean
  { (JC_194: buffer_inv(this_68, Object_alloc_table, APDU_buffer)) }

parameter cons_Applet :
 this_73:Object pointer ->
  { } unit reads Object_alloc_table writes Applet_thePrivAccess { true }

parameter cons_Applet_requires :
 this_73:Object pointer ->
  { } unit reads Object_alloc_table writes Applet_thePrivAccess { true }

parameter cons_Card :
 this_9:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_CardRuntimeException_short :
 this_71:Object pointer ->
  reason:short ->
   { } unit reads Object_alloc_table writes CardRuntimeException_reason
   { true }

parameter cons_CardRuntimeException_short_requires :
 this_71:Object pointer ->
  reason:short ->
   { } unit reads Object_alloc_table writes CardRuntimeException_reason
   { true }

parameter cons_Card_requires :
 this_9:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Exception :
 this_69:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Exception_requires :
 this_69:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_ISOException_short :
 this_70:Object pointer ->
  sw:short ->
   { } unit reads Object_alloc_table writes ISOException_theSw { true }

parameter cons_ISOException_short_requires :
 this_70:Object pointer ->
  sw:short ->
   { } unit reads Object_alloc_table writes ISOException_theSw { true }

parameter cons_Object :
 this_72:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Object_requires :
 this_72:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_RuntimeException :
 this_66:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_RuntimeException_requires :
 this_66:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Throwable :
 this_67:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Throwable_requires :
 this_67:Object pointer -> { } unit reads Object_alloc_table { true }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter java_array_length_byteM :
 x_4:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_17:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_4), (1)))))) }

parameter java_array_length_byteM_requires :
 x_4:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_17:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_4), (1)))))) }

parameter java_array_length_shortM :
 x_6:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_37:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_6), (1)))))) }

parameter java_array_length_shortM_requires :
 x_6:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_37:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_6), (1)))))) }

parameter long_of_integer_ :
 x:int ->
  { (le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807)))}
  long { eq_int(integer_of_long(result), x) }

parameter non_null_Object :
 x_7:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_50:
    (if result then (offset_max(Object_alloc_table, x_7) = (0))
     else (x_7 = null))) }

parameter non_null_Object_requires :
 x_7:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_50:
    (if result then (offset_max(Object_alloc_table, x_7) = (0))
     else (x_7 = null))) }

parameter non_null_byteM :
 x_3:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_7:
    (if result then ge_int(offset_max(Object_alloc_table, x_3), neg_int((1)))
     else (x_3 = null))) }

parameter non_null_byteM_requires :
 x_3:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_7:
    (if result then ge_int(offset_max(Object_alloc_table, x_3), neg_int((1)))
     else (x_3 = null))) }

parameter non_null_shortM :
 x_5:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_27:
    (if result then ge_int(offset_max(Object_alloc_table, x_5), neg_int((1)))
     else (x_5 = null))) }

parameter non_null_shortM_requires :
 x_5:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_27:
    (if result then ge_int(offset_max(Object_alloc_table, x_5), neg_int((1)))
     else (x_5 = null))) }

parameter safe_byte_of_integer_ :
 x:int -> { } byte { eq_int(integer_of_byte(result), x) }

parameter safe_char_of_integer_ :
 x:int -> { } char { eq_int(integer_of_char(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_long_of_integer_ :
 x:int -> { } long { eq_int(integer_of_long(result), x) }

parameter safe_short_of_integer_ :
 x:int -> { } short { eq_int(integer_of_short(result), x) }

parameter shortM_shortP : (Object, short) memory ref

parameter short_of_integer_ :
 x:int ->
  { (le_int((-32768), x) and le_int(x, (32767)))} short
  { eq_int(integer_of_short(result), x) }

let Card_install_ensures_default =
 fun (bArray_1 : Object pointer) (bOffset_1 : short) (bLength_1 : byte) ->
  { left_valid_struct_byteM(bArray_1, (0), Object_alloc_table) }
  (init:
  try
   (K_4:
   begin
     (let _jessie_ =
     (let this =
     (JC_434:
     (((alloc_struct_Card (1)) Object_alloc_table) Object_tag_table)) in
     (let _tt =
     (let _jessie_ = this in (JC_435: (cons_Card _jessie_))) in this)) in
     (let _jessie_ = bArray_1 in
     (let _jessie_ =
     (K_2:
     (safe_short_of_integer_ (integer_of_int32 (K_1:
                                               (safe_int32_of_integer_ 
                                                ((add_int (integer_of_short bOffset_1)) (1))))))) in
     (let _jessie_ =
     (K_3:
     ((safe_acc_ !byteM_byteP) ((shift bArray_1) (integer_of_short bOffset_1)))) in
     (JC_436:
     ((((Applet_register_byteA_short_byte _jessie_) _jessie_) _jessie_) _jessie_))))));
    (raise Return) end) with Return -> void end) { (JC_423: true) } 

let Card_install_safety =
 fun (bArray_1 : Object pointer) (bOffset_1 : short) (bLength_1 : byte) ->
  { left_valid_struct_byteM(bArray_1, (0), Object_alloc_table) }
  (init:
  try
   (K_4:
   begin
     (let _jessie_ =
     (let this =
     (let _jessie_ =
     (JC_430:
     (((alloc_struct_Card_requires (1)) Object_alloc_table) Object_tag_table)) in
     (JC_431:
     (assert { ge_int(offset_max(Object_alloc_table, _jessie_), (0)) };
     _jessie_))) in
     (let _tt =
     (let _jessie_ = this in (JC_432: (cons_Card_requires _jessie_))) in
     this)) in
     (let _jessie_ = bArray_1 in
     (let _jessie_ =
     (K_2:
     (JC_429:
     (short_of_integer_ (integer_of_int32 (K_1:
                                          (JC_428:
                                          (int32_of_integer_ ((add_int 
                                                               (integer_of_short bOffset_1)) (1))))))))) in
     (let _jessie_ =
     (K_3:
     (JC_427:
     ((((offset_acc_ !Object_alloc_table) !byteM_byteP) bArray_1) (integer_of_short bOffset_1)))) in
     (JC_433:
     ((((Applet_register_byteA_short_byte_requires _jessie_) _jessie_) _jessie_) _jessie_))))));
    (raise Return) end) with Return -> void end) { true } 

let Card_process_ensures_default =
 fun (this_1 : Object pointer) (apdu_0 : Object pointer) ->
  { (left_valid_struct_APDU(apdu_0, (0), Object_alloc_table)
    and (valid_struct_Card(this_1, (0), (0), Object_alloc_table)
        and (JC_555: buffer_inv(apdu_0, Object_alloc_table, APDU_buffer)))) }
  (init:
  try
   begin
     (if (K_6:
         (let _jessie_ = this_1 in
         (JC_568: (Applet_selectingApplet _jessie_)))) then (raise Return)
     else void);
    (let buf =
    (K_12:
    (let _jessie_ = apdu_0 in (JC_569: (APDU_getBuffer _jessie_)))) in
    begin
      (if (K_9:
          ((neq_int_ (integer_of_byte (K_8:
                                      ((safe_acc_ !byteM_byteP) ((shift buf) 
                                                                 (integer_of_byte ISO7816_OFFSET_CLA)))))) 
           (integer_of_byte Card_Card_Class)))
      then
       (K_7:
       (let _jessie_ = ISO7816_SW_CLA_NOT_SUPPORTED in
       (JC_570: (ISOException_throwIt _jessie_)))) else void);
     (let _jessie_ =
     (K_11:
     ((safe_acc_ !byteM_byteP) ((shift buf) (integer_of_byte ISO7816_OFFSET_INS)))) in
     try
      (if ((eq_int_ (integer_of_byte _jessie_)) (integer_of_byte Card_Card_Ins_Read))
      then (raise (Loop_exit_exc void))
      else
       (if true
       then
        (K_10:
        (let _jessie_ = ISO7816_SW_INS_NOT_SUPPORTED in
        (JC_571: (ISOException_throwIt _jessie_)))) else void)) with
      Loop_exit_exc _jessie_ -> void end); (raise Return) end);
    (raise Return) end with Return -> void end) { (JC_557: true) } 

let Card_process_safety =
 fun (this_1 : Object pointer) (apdu_0 : Object pointer) ->
  { (left_valid_struct_APDU(apdu_0, (0), Object_alloc_table)
    and (valid_struct_Card(this_1, (0), (0), Object_alloc_table)
        and (JC_555: buffer_inv(apdu_0, Object_alloc_table, APDU_buffer)))) }
  (init:
  try
   begin
     (if (K_6:
         (let _jessie_ = this_1 in
         (JC_561: (Applet_selectingApplet_requires _jessie_))))
     then (raise Return) else void);
    (let buf =
    (K_12:
    (let _jessie_ = apdu_0 in
    (JC_563:
    (assert { ge_int(offset_max(Object_alloc_table, _jessie_), (0)) };
    (JC_562: (APDU_getBuffer_requires _jessie_)))))) in
    begin
      (if (K_9:
          ((neq_int_ (integer_of_byte (K_8:
                                      (JC_564:
                                      ((((lsafe_lbound_acc_ !Object_alloc_table) !byteM_byteP) buf) (0)))))) 
           (integer_of_byte Card_Card_Class)))
      then
       (K_7:
       (let _jessie_ = ISO7816_SW_CLA_NOT_SUPPORTED in
       (JC_565: (ISOException_throwIt_requires _jessie_)))) else void);
     (let _jessie_ =
     (K_11:
     (JC_566:
     ((((lsafe_lbound_acc_ !Object_alloc_table) !byteM_byteP) buf) (1)))) in
     try
      (if ((eq_int_ (integer_of_byte _jessie_)) (integer_of_byte Card_Card_Ins_Read))
      then (raise (Loop_exit_exc void))
      else
       (if true
       then
        (K_10:
        (let _jessie_ = ISO7816_SW_INS_NOT_SUPPORTED in
        (JC_567: (ISOException_throwIt_requires _jessie_)))) else void))
      with Loop_exit_exc _jessie_ -> void end); (raise Return) end);
    (raise Return) end with Return -> void end)
  { (JC_559: buffer_inv(apdu_0, Object_alloc_table, APDU_buffer)) } 

let cons_APDU_ensures_default =
 fun (this_68 : Object pointer) ->
  { valid_struct_APDU(this_68, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_68 in
       (((safe_upd_ APDU_buffer) _jessie_) _jessie_)));
      (let _jessie_ = null in
      (let _jessie_ = this_68 in
      (((safe_upd_ APDU_thePackedBoolean) _jessie_) _jessie_)));
      (let _jessie_ = (safe_byte_of_integer_ (0)) in
      (let _jessie_ = this_68 in
      (((safe_upd_ APDU_incomingFlag) _jessie_) _jessie_)));
      (let _jessie_ = (safe_byte_of_integer_ (0)) in
      (let _jessie_ = this_68 in
      (((safe_upd_ APDU_outgoingFlag) _jessie_) _jessie_)));
      (let _jessie_ = (safe_byte_of_integer_ (0)) in
      (let _jessie_ = this_68 in
      (((safe_upd_ APDU_outgoingLenSetFlag) _jessie_) _jessie_)));
      (let _jessie_ = (safe_byte_of_integer_ (0)) in
      (let _jessie_ = this_68 in
      (((safe_upd_ APDU_lrIs256Flag) _jessie_) _jessie_)));
      (let _jessie_ = (safe_byte_of_integer_ (0)) in
      (let _jessie_ = this_68 in
      (((safe_upd_ APDU_sendInProgressFlag) _jessie_) _jessie_)));
      (let _jessie_ = (safe_byte_of_integer_ (0)) in
      (let _jessie_ = this_68 in
      (((safe_upd_ APDU_noChainingFlag) _jessie_) _jessie_)));
      (let _jessie_ = (safe_byte_of_integer_ (0)) in
      begin
        (let _jessie_ = this_68 in
        (((safe_upd_ APDU_noGetResponseFlag) _jessie_) _jessie_));
       _jessie_ end) end in void); (raise Return) end with Return ->
   void end) { (JC_191: true) } 

let cons_APDU_safety =
 fun (this_68 : Object pointer) ->
  { valid_struct_APDU(this_68, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_68 in
       (((safe_upd_ APDU_buffer) _jessie_) _jessie_)));
      (let _jessie_ = null in
      (let _jessie_ = this_68 in
      (((safe_upd_ APDU_thePackedBoolean) _jessie_) _jessie_)));
      (let _jessie_ = (safe_byte_of_integer_ (0)) in
      (let _jessie_ = this_68 in
      (((safe_upd_ APDU_incomingFlag) _jessie_) _jessie_)));
      (let _jessie_ = (safe_byte_of_integer_ (0)) in
      (let _jessie_ = this_68 in
      (((safe_upd_ APDU_outgoingFlag) _jessie_) _jessie_)));
      (let _jessie_ = (safe_byte_of_integer_ (0)) in
      (let _jessie_ = this_68 in
      (((safe_upd_ APDU_outgoingLenSetFlag) _jessie_) _jessie_)));
      (let _jessie_ = (safe_byte_of_integer_ (0)) in
      (let _jessie_ = this_68 in
      (((safe_upd_ APDU_lrIs256Flag) _jessie_) _jessie_)));
      (let _jessie_ = (safe_byte_of_integer_ (0)) in
      (let _jessie_ = this_68 in
      (((safe_upd_ APDU_sendInProgressFlag) _jessie_) _jessie_)));
      (let _jessie_ = (safe_byte_of_integer_ (0)) in
      (let _jessie_ = this_68 in
      (((safe_upd_ APDU_noChainingFlag) _jessie_) _jessie_)));
      (let _jessie_ = (safe_byte_of_integer_ (0)) in
      begin
        (let _jessie_ = this_68 in
        (((safe_upd_ APDU_noGetResponseFlag) _jessie_) _jessie_));
       _jessie_ end) end in void); (raise Return) end with Return ->
   void end)
  { (JC_193: buffer_inv(this_68, Object_alloc_table, APDU_buffer)) } 

let cons_Applet_ensures_default =
 fun (this_73 : Object pointer) ->
  { valid_struct_Applet(this_73, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     (let _jessie_ = null in
     begin
       (let _jessie_ = this_73 in
       (((safe_upd_ Applet_thePrivAccess) _jessie_) _jessie_));
      _jessie_ end) in void); (raise Return) end with Return -> void end)
  { (JC_521: true) } 

let cons_Applet_safety =
 fun (this_73 : Object pointer) ->
  { valid_struct_Applet(this_73, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     (let _jessie_ = null in
     begin
       (let _jessie_ = this_73 in
       (((safe_upd_ Applet_thePrivAccess) _jessie_) _jessie_));
      _jessie_ end) in void); (raise Return) end with Return -> void end)
  { true } 

let cons_CardRuntimeException_short_ensures_default =
 fun (this_71 : Object pointer) (reason : short) ->
  { valid_struct_CardRuntimeException(this_71, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     (let _jessie_ = (safe_short_of_integer_ (0)) in
     begin
       (let _jessie_ = this_71 in
       (((safe_upd_ CardRuntimeException_reason) _jessie_) _jessie_));
      _jessie_ end) in void); (raise Return) end with Return -> void end)
  { (JC_343: true) } 

let cons_CardRuntimeException_short_safety =
 fun (this_71 : Object pointer) (reason : short) ->
  { valid_struct_CardRuntimeException(this_71, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     (let _jessie_ = (safe_short_of_integer_ (0)) in
     begin
       (let _jessie_ = this_71 in
       (((safe_upd_ CardRuntimeException_reason) _jessie_) _jessie_));
      _jessie_ end) in void); (raise Return) end with Return -> void end)
  { true } 

let cons_Card_ensures_default =
 fun (this_9 : Object pointer) ->
  { valid_struct_Card(this_9, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_127: true) } 

let cons_Card_safety =
 fun (this_9 : Object pointer) ->
  { valid_struct_Card(this_9, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 

let cons_Exception_ensures_default =
 fun (this_69 : Object pointer) ->
  { valid_struct_Exception(this_69, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_215: true) } 

let cons_Exception_safety =
 fun (this_69 : Object pointer) ->
  { valid_struct_Exception(this_69, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 

let cons_ISOException_short_ensures_default =
 fun (this_70 : Object pointer) (sw : short) ->
  { valid_struct_ISOException(this_70, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     (let _jessie_ = null in
     begin
       (let _jessie_ = this_70 in
       (((safe_upd_ ISOException_theSw) _jessie_) _jessie_));
      _jessie_ end) in void); (raise Return) end with Return -> void end)
  { (JC_247: true) } 

let cons_ISOException_short_safety =
 fun (this_70 : Object pointer) (sw : short) ->
  { valid_struct_ISOException(this_70, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     (let _jessie_ = null in
     begin
       (let _jessie_ = this_70 in
       (((safe_upd_ ISOException_theSw) _jessie_) _jessie_)); _jessie_
     end) in void); (raise Return) end with Return -> void end) { true } 

let cons_Object_ensures_default =
 fun (this_72 : Object pointer) ->
  { valid_struct_Object(this_72, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_391: true) } 

let cons_Object_safety =
 fun (this_72 : Object pointer) ->
  { valid_struct_Object(this_72, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 

let cons_RuntimeException_ensures_default =
 fun (this_66 : Object pointer) ->
  { valid_struct_RuntimeException(this_66, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_103: true) } 

let cons_RuntimeException_safety =
 fun (this_66 : Object pointer) ->
  { valid_struct_RuntimeException(this_66, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 

let cons_Throwable_ensures_default =
 fun (this_67 : Object pointer) ->
  { valid_struct_Throwable(this_67, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_151: true) } 

let cons_Throwable_safety =
 fun (this_67 : Object pointer) ->
  { valid_struct_Throwable(this_67, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 


why-2.39/tests/java/oracle/Purse.err.oracle0000644000106100004300000000010113147234006017625 0ustar  marchevalsgenerating logic fun balance_non_negative with one default label
why-2.39/tests/java/oracle/Fresh.err.oracle0000644000106100004300000000000013147234006017574 0ustar  marchevalswhy-2.39/tests/java/oracle/Isqrt.err.oracle0000644000106100004300000000000013147234006017627 0ustar  marchevalswhy-2.39/tests/java/oracle/Arrays.res.oracle0000644000106100004300000023603213147234006020007 0ustar  marchevals========== file tests/java/Arrays.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


//@+ CheckArithOverflow = no

/* is_max(t,i,l) is true whenever t[i] is the maximum of t[0]..t[l-1]
 * l is an integer and not an int, because used as t.length which 
 * (in the logic) returns an integer and not an int 
 */
/*@ predicate is_max{L}(int[] t,int i,integer l) =
  @   t != null && 0 <= i < l <= t.length &&
  @   (\forall integer j; 0 <= j < l ==> t[j] <= t[i]) ;
  @*/

public class Arrays {

    /*@ requires t != null && 1 <= t.length <= 32767;
      @ behavior max_found:
      @   ensures 
      @      0 <= \result < t.length && 
      @      (\forall integer i; 
      @           0 <= i < t.length ==> t[i] <= t[\result]);
      @*/
    public static short findMax(int[] t) {
	int m = t[0];
	short r = 0;
        /*@ loop_invariant 
          @   1 <= i <= t.length && 0 <= r < t.length &&
          @   m == t[r] && (\forall integer j; 0 <= j < i ==> t[j] <= m);
          @ loop_variant t.length-i;
          @*/
	for (short i=1; i < t.length; i++) {
	    if (t[i] > m) {
		r = i; 
		m = t[i];
	    }
	}
	return r;
    }

    /*@ requires t != null && t.length >= 1;
      @ behavior max_found:
      @  ensures 
      @      0 <= \result < t.length && 
      @      is_max(t,\result,t.length) ;
      @*/
    public static int findMax2(int[] t) {
	int m = t[0];
	int r = 0; 
	/*@ loop_invariant 
	  @   1 <= i <= t.length && 0 <= r < t.length &&
          @   m == t[r] && is_max(t,r,i) ;
	  @ loop_variant t.length-i;
	  @*/
	for (int i=1; i < t.length; i++) {
	    if (t[i] > m) {
		r = i; 
		m = t[i];
	    }
	}
	return r;
    }


    /*@ requires t != null ;
      @ ensures 
      @   \forall integer i; 0 < i < t.length ==> t[i] == \old(t[i-1]);
      @*/
    public static void arrayShift(int[] t) {
	/*@ loop_invariant 
	  @   j < t.length &&
	  @   (t.length > 0 ==>
	  @     (0 <= j && 
          @     (\forall integer i; 0 <= i <= j ==> t[i] == \at(t[i],Pre)) &&
          @     (\forall integer i; j < i < t.length ==> t[i] == \at(t[i-1],Pre))));
	  @ loop_variant j;
	  @*/
      for (int j = t.length-1 ; j > 0 ; j--) {
	  t[j] = t[j-1];
	}
    }


}


/*
Local Variables: 
compile-command: "make Arrays.why3ide"
End: 
*/

========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function Arrays_findMax2 for method Arrays.findMax2
Generating JC function Arrays_arrayShift for method Arrays.arrayShift
Generating JC function Arrays_findMax for method Arrays.findMax
Generating JC function cons_Arrays for constructor Arrays
Done.
========== file tests/java/Arrays.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

predicate Non_null_intM{Here}(intM[0..] x) =
(\offset_max(x) >= -1)

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag Arrays = Object with {
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

tag intM = Object with {
  integer intP;
}

boolean non_null_intM(! intM[0..] x)
behavior default:
  assigns \nothing;
  ensures (if \result then (\offset_max(x) >= -1) else (x == null));
;

integer java_array_length_intM(! intM[0..-1] x)
behavior default:
  assigns \nothing;
  ensures ((\result <= 2147483647) &&
            ((\result >= 0) && (\result == (\offset_max(x) + 1))));
;

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

predicate is_max{L}(intM[0..] t, integer i, integer l) =
((Non_null_intM(t) && (((0 <= i) && (i < l)) && (l <= (\offset_max(t) + 1)))) &&
  (\forall integer j;
    (((0 <= j) && (j < l)) ==> ((t + j).intP <= (t + i).intP))))

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

integer Arrays_findMax2(intM[0..] t_1)
  requires (K_8 : ((K_7 : Non_null_intM(t_1)) &&
                    (K_6 : ((\offset_max(t_1) + 1) >= 1))));
behavior max_found:
  ensures (K_5 : ((K_4 : ((K_3 : (0 <= \result)) &&
                           (K_2 : (\result < (\offset_max(t_1) + 1))))) &&
                   (K_1 : is_max{Here}(t_1, \result, (\offset_max(t_1) + 1)))));
{  
   {  
      (var integer m = (K_29 : (t_1 + 0).intP));
      
      {  
         (var integer r = (K_28 : 0));
         
         {  
            {  
               {  
                  (var integer i_3 = (K_9 : 1));
                  
                  loop 
                  behavior default:
                    invariant (K_20 : ((K_19 : ((K_18 : ((K_17 : ((K_16 : 
                                                                  (1 <=
                                                                    i_3)) &&
                                                                   (K_15 : 
                                                                   (i_3 <=
                                                                    (\offset_max(t_1) +
                                                                    1))))) &&
                                                          (K_14 : ((K_13 : 
                                                                   (0 <=
                                                                    r)) &&
                                                                    (K_12 : 
                                                                    (r <
                                                                    (\offset_max(t_1) +
                                                                    1))))))) &&
                                                 (K_11 : (m ==
                                                           (t_1 + r).intP)))) &&
                                        (K_10 : is_max{Here}(t_1, r, i_3))));
                  
                  variant (K_21 : ((\offset_max(t_1) + 1) - i_3));
                  for ( ; (K_27 : (i_3 <
                                    (K_26 : java_array_length_intM(t_1)))) ; 
                  (K_25 : (i_3 ++)))
                  {  (if (K_24 : ((K_23 : (t_1 + i_3).intP) > m)) then 
                     {  (r = i_3);
                        (m = (K_22 : (t_1 + i_3).intP))
                     } else ())
                  }
               }
            };
            
            (return r)
         }
      }
   }
}

unit Arrays_arrayShift(intM[0..] t_2)
  requires (K_31 : Non_null_intM(t_2));
behavior default:
  ensures (K_30 : (\forall integer i_0;
                    (((0 < i_0) && (i_0 < (\offset_max(t_2) + 1))) ==>
                      ((t_2 + i_0).intP == \at((t_2 + (i_0 - 1)).intP,Old)))));
{  
   {  
      {  
         (var integer j_0 = (K_33 : ((K_32 : java_array_length_intM(t_2)) -
                                      1)));
         
         loop 
         behavior default:
           invariant (K_36 : ((K_35 : (j_0 < (\offset_max(t_2) + 1))) &&
                               (K_34 : (((\offset_max(t_2) + 1) > 0) ==>
                                         (((0 <= j_0) &&
                                            (\forall integer i_1;
                                              (((0 <= i_1) && (i_1 <= j_0)) ==>
                                                ((t_2 + i_1).intP ==
                                                  \at((t_2 + i_1).intP,Pre))))) &&
                                           (\forall integer i_2;
                                             (((j_0 < i_2) &&
                                                (i_2 <
                                                  (\offset_max(t_2) + 1))) ==>
                                               ((t_2 + i_2).intP ==
                                                 \at((t_2 + (i_2 - 1)).intP,Pre)))))))));
         
         variant (K_37 : j_0);
         for ( ; (K_42 : (j_0 > 0)) ; (K_41 : (j_0 --)))
         {  (K_40 : ((t_2 + j_0).intP = (K_39 : (t_2 + (K_38 : (j_0 - 1))).intP)))
         }
      }
   }
}

integer Arrays_findMax(intM[0..] t_0)
  requires (K_52 : ((K_51 : Non_null_intM(t_0)) &&
                     (K_50 : ((K_49 : (1 <= (\offset_max(t_0) + 1))) &&
                               (K_48 : ((\offset_max(t_0) + 1) <= 32767))))));
behavior max_found:
  ensures (K_47 : ((K_46 : ((K_45 : (0 <= \result)) &&
                             (K_44 : (\result < (\offset_max(t_0) + 1))))) &&
                    (K_43 : (\forall integer i_4;
                              (((0 <= i_4) && (i_4 < (\offset_max(t_0) + 1))) ==>
                                ((t_0 + i_4).intP <= (t_0 + \result).intP))))));
{  
   {  
      (var integer m_0 = (K_73 : (t_0 + 0).intP));
      
      {  
         (var integer r_0 = (K_72 : 0));
         
         {  
            {  
               {  
                  (var integer i_5 = (K_53 : 1));
                  
                  loop 
                  behavior default:
                    invariant (K_64 : ((K_63 : ((K_62 : ((K_61 : ((K_60 : 
                                                                  (1 <=
                                                                    i_5)) &&
                                                                   (K_59 : 
                                                                   (i_5 <=
                                                                    (\offset_max(t_0) +
                                                                    1))))) &&
                                                          (K_58 : ((K_57 : 
                                                                   (0 <=
                                                                    r_0)) &&
                                                                    (K_56 : 
                                                                    (r_0 <
                                                                    (\offset_max(t_0) +
                                                                    1))))))) &&
                                                 (K_55 : (m_0 ==
                                                           (t_0 + r_0).intP)))) &&
                                        (K_54 : (\forall integer j_1;
                                                  (((0 <= j_1) &&
                                                     (j_1 < i_5)) ==>
                                                    ((t_0 + j_1).intP <= m_0))))));
                  
                  variant (K_65 : ((\offset_max(t_0) + 1) - i_5));
                  for ( ; (K_71 : (i_5 <
                                    (K_70 : java_array_length_intM(t_0)))) ; 
                  (K_69 : (i_5 ++)))
                  {  (if (K_68 : ((K_67 : (t_0 + i_5).intP) > m_0)) then 
                     {  (r_0 = i_5);
                        (m_0 = (K_66 : (t_0 + i_5).intP))
                     } else ())
                  }
               }
            };
            
            (return r_0)
         }
      }
   }
}

unit cons_Arrays(! Arrays[0] this_0){()}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/Arrays.jloc tests/java/Arrays.jc && make -f tests/java/Arrays.makefile gui"
End:
*/
========== file tests/java/Arrays.jloc ==========
[K_73]
file = "HOME/tests/java/Arrays.java"
line = 54
begin = 9
end = 13

[K_30]
file = "HOME/tests/java/Arrays.java"
line = 96
begin = 10
end = 70

[K_23]
file = "HOME/tests/java/Arrays.java"
line = 85
begin = 9
end = 13

[K_33]
file = "HOME/tests/java/Arrays.java"
line = 107
begin = 19
end = 29

[Arrays_findMax2]
name = "Method findMax2"
file = "HOME/tests/java/Arrays.java"
line = 76
begin = 22
end = 30

[K_70]
file = "HOME/tests/java/Arrays.java"
line = 61
begin = 21
end = 29

[K_49]
file = "HOME/tests/java/Arrays.java"
line = 46
begin = 30
end = 43

[K_17]
file = "HOME/tests/java/Arrays.java"
line = 80
begin = 7
end = 25

[K_11]
file = "HOME/tests/java/Arrays.java"
line = 81
begin = 14
end = 23

[K_38]
file = "HOME/tests/java/Arrays.java"
line = 108
begin = 12
end = 15

[K_25]
file = "HOME/tests/java/Arrays.java"
line = 84
begin = 29
end = 32

[K_13]
file = "HOME/tests/java/Arrays.java"
line = 80
begin = 29
end = 35

[K_60]
file = "HOME/tests/java/Arrays.java"
line = 57
begin = 14
end = 20

[K_64]
file = "HOME/tests/java/Arrays.java"
line = 57
begin = 14
end = 129

[K_9]
file = "HOME/tests/java/Arrays.java"
line = 84
begin = 12
end = 13

[K_71]
file = "HOME/tests/java/Arrays.java"
line = 61
begin = 17
end = 29

[K_44]
file = "HOME/tests/java/Arrays.java"
line = 49
begin = 18
end = 36

[K_28]
file = "HOME/tests/java/Arrays.java"
line = 78
begin = 9
end = 10

[K_68]
file = "HOME/tests/java/Arrays.java"
line = 62
begin = 9
end = 17

[K_52]
file = "HOME/tests/java/Arrays.java"
line = 46
begin = 17
end = 52

[K_1]
file = "HOME/tests/java/Arrays.java"
line = 74
begin = 13
end = 39

[K_15]
file = "HOME/tests/java/Arrays.java"
line = 80
begin = 12
end = 25

[K_4]
file = "HOME/tests/java/Arrays.java"
line = 73
begin = 13
end = 36

[K_12]
file = "HOME/tests/java/Arrays.java"
line = 80
begin = 34
end = 46

[K_55]
file = "HOME/tests/java/Arrays.java"
line = 58
begin = 14
end = 23

[K_34]
file = "HOME/tests/java/Arrays.java"
line = 101
begin = 8
end = 206

[K_20]
file = "HOME/tests/java/Arrays.java"
line = 80
begin = 7
end = 90

[K_63]
file = "HOME/tests/java/Arrays.java"
line = 57
begin = 14
end = 80

[K_59]
file = "HOME/tests/java/Arrays.java"
line = 57
begin = 19
end = 32

[K_58]
file = "HOME/tests/java/Arrays.java"
line = 57
begin = 36
end = 53

[K_53]
file = "HOME/tests/java/Arrays.java"
line = 61
begin = 14
end = 15

[K_2]
file = "HOME/tests/java/Arrays.java"
line = 73
begin = 18
end = 36

[K_41]
file = "HOME/tests/java/Arrays.java"
line = 107
begin = 40
end = 43

[K_50]
file = "HOME/tests/java/Arrays.java"
line = 46
begin = 30
end = 52

[K_47]
file = "HOME/tests/java/Arrays.java"
line = 49
begin = 13
end = 134

[K_29]
file = "HOME/tests/java/Arrays.java"
line = 77
begin = 9
end = 13

[K_10]
file = "HOME/tests/java/Arrays.java"
line = 81
begin = 27
end = 40

[K_35]
file = "HOME/tests/java/Arrays.java"
line = 100
begin = 7
end = 19

[K_6]
file = "HOME/tests/java/Arrays.java"
line = 70
begin = 30
end = 43

[K_8]
file = "HOME/tests/java/Arrays.java"
line = 70
begin = 17
end = 43

[K_72]
file = "HOME/tests/java/Arrays.java"
line = 55
begin = 11
end = 12

[K_48]
file = "HOME/tests/java/Arrays.java"
line = 46
begin = 35
end = 52

[K_3]
file = "HOME/tests/java/Arrays.java"
line = 73
begin = 13
end = 25

[K_66]
file = "HOME/tests/java/Arrays.java"
line = 64
begin = 6
end = 10

[K_31]
file = "HOME/tests/java/Arrays.java"
line = 94
begin = 17
end = 26

[K_67]
file = "HOME/tests/java/Arrays.java"
line = 62
begin = 9
end = 13

[Arrays_findMax]
name = "Method findMax"
file = "HOME/tests/java/Arrays.java"
line = 53
begin = 24
end = 31

[K_62]
file = "HOME/tests/java/Arrays.java"
line = 57
begin = 14
end = 53

[Arrays_arrayShift]
name = "Method arrayShift"
file = "HOME/tests/java/Arrays.java"
line = 98
begin = 23
end = 33

[K_32]
file = "HOME/tests/java/Arrays.java"
line = 107
begin = 19
end = 27

[K_27]
file = "HOME/tests/java/Arrays.java"
line = 84
begin = 15
end = 27

[K_46]
file = "HOME/tests/java/Arrays.java"
line = 49
begin = 13
end = 36

[K_21]
file = "HOME/tests/java/Arrays.java"
line = 82
begin = 18
end = 28

[K_42]
file = "HOME/tests/java/Arrays.java"
line = 107
begin = 32
end = 37

[K_24]
file = "HOME/tests/java/Arrays.java"
line = 85
begin = 9
end = 17

[K_56]
file = "HOME/tests/java/Arrays.java"
line = 57
begin = 41
end = 53

[K_14]
file = "HOME/tests/java/Arrays.java"
line = 80
begin = 29
end = 46

[K_39]
file = "HOME/tests/java/Arrays.java"
line = 108
begin = 10
end = 16

[K_36]
file = "HOME/tests/java/Arrays.java"
line = 100
begin = 7
end = 230

[K_57]
file = "HOME/tests/java/Arrays.java"
line = 57
begin = 36
end = 42

[K_69]
file = "HOME/tests/java/Arrays.java"
line = 61
begin = 31
end = 34

[K_65]
file = "HOME/tests/java/Arrays.java"
line = 59
begin = 25
end = 35

[K_37]
file = "HOME/tests/java/Arrays.java"
line = 105
begin = 18
end = 19

[cons_Arrays]
name = "Constructor of class Arrays"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_54]
file = "HOME/tests/java/Arrays.java"
line = 58
begin = 28
end = 71

[K_19]
file = "HOME/tests/java/Arrays.java"
line = 80
begin = 7
end = 73

[K_5]
file = "HOME/tests/java/Arrays.java"
line = 73
begin = 13
end = 80

[K_51]
file = "HOME/tests/java/Arrays.java"
line = 46
begin = 17
end = 26

[K_18]
file = "HOME/tests/java/Arrays.java"
line = 80
begin = 7
end = 46

[K_61]
file = "HOME/tests/java/Arrays.java"
line = 57
begin = 14
end = 32

[K_7]
file = "HOME/tests/java/Arrays.java"
line = 70
begin = 17
end = 26

[K_40]
file = "HOME/tests/java/Arrays.java"
line = 108
begin = 3
end = 16

[K_26]
file = "HOME/tests/java/Arrays.java"
line = 84
begin = 19
end = 27

[K_22]
file = "HOME/tests/java/Arrays.java"
line = 87
begin = 6
end = 10

[K_45]
file = "HOME/tests/java/Arrays.java"
line = 49
begin = 13
end = 25

[K_16]
file = "HOME/tests/java/Arrays.java"
line = 80
begin = 7
end = 13

[K_43]
file = "HOME/tests/java/Arrays.java"
line = 50
begin = 14
end = 92

========== jessie execution ==========
Generating Why function Arrays_findMax2
Generating Why function Arrays_arrayShift
Generating Why function Arrays_findMax
Generating Why function cons_Arrays
========== file tests/java/Arrays.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/Arrays_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: Arrays.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: Arrays.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: Arrays.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/java/Arrays.loc ==========
[JC_176]
file = "HOME/tests/java/Arrays.java"
line = 58
begin = 14
end = 23

[JC_177]
file = "HOME/tests/java/Arrays.java"
line = 58
begin = 28
end = 71

[JC_94]
file = "HOME/tests/java/Arrays.jc"
line = 88
begin = 18
end = 1821

[JC_73]
kind = PointerDeref
file = "HOME/tests/java/Arrays.java"
line = 87
begin = 6
end = 10

[Arrays_findMax_ensures_default]
name = "Method findMax"
behavior = "default behavior"
file = "HOME/tests/java/Arrays.java"
line = 53
begin = 24
end = 31

[JC_158]
kind = PointerDeref
file = "HOME/tests/java/Arrays.java"
line = 62
begin = 9
end = 13

[JC_63]
file = "HOME/tests/java/Arrays.java"
line = 80
begin = 34
end = 46

[JC_80]
file = "HOME/tests/java/Arrays.java"
line = 81
begin = 27
end = 40

[JC_51]
file = "HOME/tests/java/Arrays.java"
line = 73
begin = 13
end = 25

[JC_71]
kind = IndexBounds
file = "HOME/tests/java/Arrays.java"
line = 84
begin = 19
end = 27

[JC_147]
file = "HOME/tests/java/Arrays.java"
line = 57
begin = 19
end = 32

[JC_151]
file = "HOME/tests/java/Arrays.java"
line = 58
begin = 28
end = 71

[JC_45]
file = "HOME/tests/java/Arrays.java"
line = 70
begin = 17
end = 43

[JC_123]
file = "HOME/tests/java/Arrays.java"
line = 46
begin = 17
end = 26

[JC_106]
kind = IndexBounds
file = "HOME/tests/java/Arrays.java"
line = 107
begin = 19
end = 27

[JC_143]
file = "HOME/tests/java/Arrays.java"
line = 50
begin = 14
end = 92

[JC_113]
kind = PointerDeref
file = "HOME/tests/java/Arrays.java"
line = 108
begin = 10
end = 16

[JC_116]
kind = UserCall
file = "HOME/tests/java/Arrays.java"
line = 107
begin = 19
end = 27

[JC_64]
file = "HOME/tests/java/Arrays.java"
line = 81
begin = 14
end = 23

[Arrays_findMax_safety]
name = "Method findMax"
behavior = "Safety"
file = "HOME/tests/java/Arrays.java"
line = 53
begin = 24
end = 31

[JC_133]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_188]
file = "HOME/"
line = 0
begin = -1
end = -1

[Arrays_findMax_ensures_max_found]
name = "Method findMax"
behavior = "Behavior `max_found'"
file = "HOME/tests/java/Arrays.java"
line = 53
begin = 24
end = 31

[JC_180]
file = "HOME/tests/java/Arrays.jc"
line = 184
begin = 18
end = 2047

[JC_99]
file = "HOME/tests/java/Arrays.java"
line = 94
begin = 17
end = 26

[JC_85]
kind = UserCall
file = "HOME/tests/java/Arrays.java"
line = 84
begin = 19
end = 27

[JC_126]
file = "HOME/tests/java/Arrays.java"
line = 46
begin = 17
end = 52

[JC_170]
file = "HOME/tests/java/Arrays.jc"
line = 184
begin = 18
end = 2047

[JC_31]
file = "HOME/tests/java/Arrays.jc"
line = 55
begin = 8
end = 23

[JC_17]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_122]
file = "HOME/tests/java/Arrays.jc"
line = 138
begin = 9
end = 1153

[JC_81]
file = "HOME/tests/java/Arrays.java"
line = 80
begin = 7
end = 90

[JC_55]
file = "HOME/tests/java/Arrays.java"
line = 73
begin = 13
end = 25

[JC_138]
file = "HOME/tests/java/Arrays.java"
line = 49
begin = 18
end = 36

[JC_134]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_148]
file = "HOME/tests/java/Arrays.java"
line = 57
begin = 36
end = 42

[JC_137]
file = "HOME/tests/java/Arrays.java"
line = 49
begin = 13
end = 25

[JC_48]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_23]
file = "HOME/tests/java/Arrays.jc"
line = 51
begin = 11
end = 103

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_172]
file = "HOME/tests/java/Arrays.java"
line = 57
begin = 14
end = 20

[JC_121]
file = "HOME/tests/java/Arrays.jc"
line = 138
begin = 9
end = 1153

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_125]
file = "HOME/tests/java/Arrays.java"
line = 46
begin = 35
end = 52

[JC_67]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_9]
file = "HOME/tests/java/Arrays.jc"
line = 42
begin = 8
end = 21

[JC_75]
file = "HOME/tests/java/Arrays.java"
line = 80
begin = 7
end = 13

[JC_24]
file = "HOME/tests/java/Arrays.jc"
line = 50
begin = 10
end = 18

[JC_25]
file = "HOME/tests/java/Arrays.jc"
line = 51
begin = 11
end = 103

[JC_189]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_186]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_78]
file = "HOME/tests/java/Arrays.java"
line = 80
begin = 34
end = 46

[JC_175]
file = "HOME/tests/java/Arrays.java"
line = 57
begin = 41
end = 53

[JC_41]
file = "HOME/tests/java/Arrays.java"
line = 70
begin = 17
end = 43

[JC_74]
file = "HOME/tests/java/Arrays.java"
line = 82
begin = 18
end = 28

[JC_47]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_52]
file = "HOME/tests/java/Arrays.java"
line = 73
begin = 18
end = 36

[JC_26]
file = "HOME/tests/java/Arrays.jc"
line = 50
begin = 10
end = 18

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[Arrays_findMax2_ensures_default]
name = "Method findMax2"
behavior = "default behavior"
file = "HOME/tests/java/Arrays.java"
line = 76
begin = 22
end = 30

[JC_154]
file = "HOME/tests/java/Arrays.jc"
line = 184
begin = 18
end = 2047

[JC_54]
file = "HOME/tests/java/Arrays.java"
line = 73
begin = 13
end = 80

[JC_79]
file = "HOME/tests/java/Arrays.java"
line = 81
begin = 14
end = 23

[Arrays_findMax2_safety]
name = "Method findMax2"
behavior = "Safety"
file = "HOME/tests/java/Arrays.java"
line = 76
begin = 22
end = 30

[cons_Arrays_ensures_default]
name = "Constructor of class Arrays"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/tests/java/Arrays.jc"
line = 45
begin = 11
end = 66

[JC_130]
file = "HOME/tests/java/Arrays.java"
line = 46
begin = 35
end = 52

[JC_82]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_174]
file = "HOME/tests/java/Arrays.java"
line = 57
begin = 36
end = 42

[JC_163]
file = "HOME/tests/java/Arrays.java"
line = 57
begin = 36
end = 42

[JC_153]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Arrays_safety]
name = "Constructor of class Arrays"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_87]
file = "HOME/tests/java/Arrays.java"
line = 80
begin = 12
end = 25

[JC_11]
file = "HOME/tests/java/Arrays.jc"
line = 42
begin = 8
end = 21

[JC_185]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_184]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_167]
file = "HOME/tests/java/Arrays.java"
line = 57
begin = 14
end = 129

[JC_98]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_70]
kind = UserCall
file = "HOME/tests/java/Arrays.java"
line = 84
begin = 19
end = 27

[JC_15]
file = "HOME/tests/java/Arrays.jc"
line = 45
begin = 11
end = 66

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_182]
kind = UserCall
file = "HOME/tests/java/Arrays.java"
line = 61
begin = 21
end = 29

[JC_168]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_104]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_91]
file = "HOME/tests/java/Arrays.java"
line = 81
begin = 27
end = 40

[JC_39]
file = "HOME/tests/java/Arrays.java"
line = 70
begin = 17
end = 26

[JC_112]
file = "HOME/tests/java/Arrays.jc"
line = 138
begin = 9
end = 1153

[JC_40]
file = "HOME/tests/java/Arrays.java"
line = 70
begin = 30
end = 43

[JC_162]
file = "HOME/tests/java/Arrays.java"
line = 57
begin = 19
end = 32

[JC_135]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_169]
file = "HOME/tests/java/Arrays.jc"
line = 184
begin = 18
end = 2047

[JC_83]
file = "HOME/tests/java/Arrays.jc"
line = 88
begin = 18
end = 1821

[JC_35]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_132]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_115]
file = "HOME/tests/java/Arrays.java"
line = 105
begin = 18
end = 19

[JC_109]
file = "HOME/tests/java/Arrays.java"
line = 100
begin = 7
end = 230

[JC_107]
file = "HOME/tests/java/Arrays.java"
line = 100
begin = 7
end = 19

[JC_69]
file = "HOME/tests/java/Arrays.jc"
line = 88
begin = 18
end = 1821

[JC_179]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_124]
file = "HOME/tests/java/Arrays.java"
line = 46
begin = 30
end = 43

[JC_38]
file = "HOME/tests/java/Arrays.jc"
line = 57
begin = 11
end = 65

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_156]
kind = UserCall
file = "HOME/tests/java/Arrays.java"
line = 61
begin = 21
end = 29

[JC_127]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_171]
kind = UserCall
file = "HOME/tests/java/Arrays.java"
line = 61
begin = 21
end = 29

[JC_164]
file = "HOME/tests/java/Arrays.java"
line = 57
begin = 41
end = 53

[JC_44]
file = "HOME/tests/java/Arrays.java"
line = 70
begin = 30
end = 43

[JC_155]
file = "HOME/tests/java/Arrays.jc"
line = 184
begin = 18
end = 2047

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[Arrays_arrayShift_safety]
name = "Method arrayShift"
behavior = "Safety"
file = "HOME/tests/java/Arrays.java"
line = 98
begin = 23
end = 33

[JC_62]
file = "HOME/tests/java/Arrays.java"
line = 80
begin = 29
end = 35

[JC_101]
file = "HOME/tests/java/Arrays.java"
line = 96
begin = 10
end = 70

[JC_88]
file = "HOME/tests/java/Arrays.java"
line = 80
begin = 29
end = 35

[JC_129]
file = "HOME/tests/java/Arrays.java"
line = 46
begin = 30
end = 43

[JC_42]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_190]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_178]
file = "HOME/tests/java/Arrays.java"
line = 57
begin = 14
end = 129

[JC_110]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_166]
file = "HOME/tests/java/Arrays.java"
line = 58
begin = 28
end = 71

[JC_103]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_46]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_141]
file = "HOME/tests/java/Arrays.java"
line = 49
begin = 13
end = 25

[JC_61]
file = "HOME/tests/java/Arrays.java"
line = 80
begin = 12
end = 25

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_56]
file = "HOME/tests/java/Arrays.java"
line = 73
begin = 18
end = 36

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_65]
file = "HOME/tests/java/Arrays.java"
line = 81
begin = 27
end = 40

[JC_118]
file = "HOME/tests/java/Arrays.java"
line = 101
begin = 8
end = 206

[JC_173]
file = "HOME/tests/java/Arrays.java"
line = 57
begin = 19
end = 32

[JC_105]
kind = UserCall
file = "HOME/tests/java/Arrays.java"
line = 107
begin = 19
end = 27

[JC_140]
file = "HOME/tests/java/Arrays.java"
line = 49
begin = 13
end = 134

[JC_29]
file = "HOME/tests/java/Arrays.jc"
line = 55
begin = 8
end = 23

[JC_144]
file = "HOME/tests/java/Arrays.java"
line = 49
begin = 13
end = 134

[JC_159]
kind = PointerDeref
file = "HOME/tests/java/Arrays.java"
line = 64
begin = 6
end = 10

[JC_68]
file = "HOME/tests/java/Arrays.jc"
line = 88
begin = 18
end = 1821

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/tests/java/Arrays.jc"
line = 44
begin = 10
end = 18

[JC_96]
kind = UserCall
file = "HOME/tests/java/Arrays.java"
line = 84
begin = 19
end = 27

[JC_43]
file = "HOME/tests/java/Arrays.java"
line = 70
begin = 17
end = 26

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_95]
file = "HOME/tests/java/Arrays.jc"
line = 88
begin = 18
end = 1821

[JC_93]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_97]
file = "HOME/tests/java/Arrays.java"
line = 94
begin = 17
end = 26

[JC_84]
file = "HOME/tests/java/Arrays.jc"
line = 88
begin = 18
end = 1821

[JC_160]
file = "HOME/tests/java/Arrays.java"
line = 59
begin = 25
end = 35

[JC_128]
file = "HOME/tests/java/Arrays.java"
line = 46
begin = 17
end = 26

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_114]
kind = PointerDeref
file = "HOME/tests/java/Arrays.jc"
line = 156
begin = 21
end = 80

[JC_14]
file = "HOME/tests/java/Arrays.jc"
line = 44
begin = 10
end = 18

[JC_150]
file = "HOME/tests/java/Arrays.java"
line = 58
begin = 14
end = 23

[JC_117]
file = "HOME/tests/java/Arrays.java"
line = 100
begin = 7
end = 19

[JC_90]
file = "HOME/tests/java/Arrays.java"
line = 81
begin = 14
end = 23

[JC_53]
file = "HOME/tests/java/Arrays.java"
line = 74
begin = 13
end = 39

[JC_157]
kind = IndexBounds
file = "HOME/tests/java/Arrays.java"
line = 61
begin = 21
end = 29

[JC_145]
kind = IndexBounds
file = "HOME/tests/java/Arrays.java"
line = 54
begin = 9
end = 13

[JC_21]
file = "HOME/tests/java/Arrays.jc"
line = 48
begin = 8
end = 30

[JC_149]
file = "HOME/tests/java/Arrays.java"
line = 57
begin = 41
end = 53

[JC_111]
file = "HOME/tests/java/Arrays.jc"
line = 138
begin = 9
end = 1153

[JC_77]
file = "HOME/tests/java/Arrays.java"
line = 80
begin = 29
end = 35

[JC_49]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1]
file = "HOME/tests/java/Arrays.jc"
line = 13
begin = 12
end = 22

[JC_131]
file = "HOME/tests/java/Arrays.java"
line = 46
begin = 17
end = 52

[JC_102]
file = "HOME/tests/java/Arrays.java"
line = 96
begin = 10
end = 70

[JC_37]
file = "HOME/tests/java/Arrays.jc"
line = 57
begin = 11
end = 65

[JC_181]
file = "HOME/tests/java/Arrays.jc"
line = 184
begin = 18
end = 2047

[JC_142]
file = "HOME/tests/java/Arrays.java"
line = 49
begin = 18
end = 36

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_108]
file = "HOME/tests/java/Arrays.java"
line = 101
begin = 8
end = 206

[JC_57]
file = "HOME/tests/java/Arrays.java"
line = 74
begin = 13
end = 39

[JC_161]
file = "HOME/tests/java/Arrays.java"
line = 57
begin = 14
end = 20

[JC_146]
file = "HOME/tests/java/Arrays.java"
line = 57
begin = 14
end = 20

[JC_89]
file = "HOME/tests/java/Arrays.java"
line = 80
begin = 34
end = 46

[JC_136]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_66]
file = "HOME/tests/java/Arrays.java"
line = 80
begin = 7
end = 90

[JC_59]
kind = IndexBounds
file = "HOME/tests/java/Arrays.java"
line = 77
begin = 9
end = 13

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_165]
file = "HOME/tests/java/Arrays.java"
line = 58
begin = 14
end = 23

[JC_18]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_3]
file = "HOME/tests/java/Arrays.jc"
line = 13
begin = 12
end = 22

[JC_92]
file = "HOME/tests/java/Arrays.java"
line = 80
begin = 7
end = 90

[JC_152]
file = "HOME/tests/java/Arrays.java"
line = 57
begin = 14
end = 129

[JC_86]
file = "HOME/tests/java/Arrays.java"
line = 80
begin = 7
end = 13

[JC_60]
file = "HOME/tests/java/Arrays.java"
line = 80
begin = 7
end = 13

[JC_183]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_139]
file = "HOME/tests/java/Arrays.java"
line = 50
begin = 14
end = 92

[Arrays_findMax2_ensures_max_found]
name = "Method findMax2"
behavior = "Behavior `max_found'"
file = "HOME/tests/java/Arrays.java"
line = 76
begin = 22
end = 30

[JC_72]
kind = PointerDeref
file = "HOME/tests/java/Arrays.java"
line = 85
begin = 9
end = 13

[JC_19]
file = "HOME/tests/java/Arrays.jc"
line = 48
begin = 8
end = 30

[JC_119]
file = "HOME/tests/java/Arrays.java"
line = 100
begin = 7
end = 230

[JC_187]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_76]
file = "HOME/tests/java/Arrays.java"
line = 80
begin = 12
end = 25

[Arrays_arrayShift_ensures_default]
name = "Method arrayShift"
behavior = "default behavior"
file = "HOME/tests/java/Arrays.java"
line = 98
begin = 23
end = 33

[JC_50]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_120]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_58]
file = "HOME/tests/java/Arrays.java"
line = 73
begin = 13
end = 80

[JC_100]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/java/why/Arrays.why ==========
type Object

type interface

logic Arrays_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Arrays_parenttag_Object : parenttag(Arrays_tag, Object_tag)

logic Exception_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_1:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_1), (0))

predicate Non_null_intM(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), neg_int((1)))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic intM_tag:  -> Object tag_id

axiom intM_parenttag_Object : parenttag(intM_tag, Object_tag)

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate is_max(t:Object pointer, i:int, l:int,
 Object_alloc_table_at_L:Object alloc_table,
 intM_intP_at_L:(Object, int) memory) =
 (Non_null_intM(t, Object_alloc_table_at_L)
 and (le_int((0), i)
     and (lt_int(i, l)
         and (le_int(l, add_int(offset_max(Object_alloc_table_at_L, t), (1)))
             and (forall j:int.
                  ((le_int((0), j) and lt_int(j, l)) ->
                   le_int(select(intM_intP_at_L, shift(t, j)),
                   select(intM_intP_at_L, shift(t, i)))))))))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Arrays(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_intM(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Arrays(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_intM(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Arrays(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_intM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Arrays(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_intM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

parameter Object_alloc_table : Object alloc_table ref

parameter intM_intP : (Object, int) memory ref

parameter Arrays_arrayShift :
 t_2:Object pointer ->
  { } unit reads Object_alloc_table,intM_intP writes intM_intP
  { (JC_102:
    (forall i_0:int.
     ((lt_int((0), i_0)
      and lt_int(i_0, add_int(offset_max(Object_alloc_table, t_2), (1)))) ->
      (select(intM_intP, shift(t_2, i_0)) = select(intM_intP@,
                                            shift(t_2, sub_int(i_0, (1)))))))) }

parameter Arrays_arrayShift_requires :
 t_2:Object pointer ->
  { (JC_97: Non_null_intM(t_2, Object_alloc_table))} unit
  reads Object_alloc_table,intM_intP writes intM_intP
  { (JC_102:
    (forall i_0:int.
     ((lt_int((0), i_0)
      and lt_int(i_0, add_int(offset_max(Object_alloc_table, t_2), (1)))) ->
      (select(intM_intP, shift(t_2, i_0)) = select(intM_intP@,
                                            shift(t_2, sub_int(i_0, (1)))))))) }

parameter Arrays_findMax :
 t_0:Object pointer ->
  { } int reads Object_alloc_table,intM_intP
  { (JC_144:
    ((JC_141: le_int((0), result))
    and ((JC_142:
         lt_int(result, add_int(offset_max(Object_alloc_table, t_0), (1))))
        and (JC_143:
            (forall i_4:int.
             ((le_int((0), i_4)
              and lt_int(i_4,
                  add_int(offset_max(Object_alloc_table, t_0), (1)))) ->
              le_int(select(intM_intP, shift(t_0, i_4)),
              select(intM_intP, shift(t_0, result))))))))) }

parameter Arrays_findMax2 :
 t_1:Object pointer ->
  { } int reads Object_alloc_table,intM_intP
  { (JC_58:
    ((JC_55: le_int((0), result))
    and ((JC_56:
         lt_int(result, add_int(offset_max(Object_alloc_table, t_1), (1))))
        and (JC_57:
            is_max(t_1, result,
            add_int(offset_max(Object_alloc_table, t_1), (1)),
            Object_alloc_table, intM_intP))))) }

parameter Arrays_findMax2_requires :
 t_1:Object pointer ->
  { (JC_41:
    ((JC_39: Non_null_intM(t_1, Object_alloc_table))
    and (JC_40:
        ge_int(add_int(offset_max(Object_alloc_table, t_1), (1)), (1)))))}
  int reads Object_alloc_table,intM_intP
  { (JC_58:
    ((JC_55: le_int((0), result))
    and ((JC_56:
         lt_int(result, add_int(offset_max(Object_alloc_table, t_1), (1))))
        and (JC_57:
            is_max(t_1, result,
            add_int(offset_max(Object_alloc_table, t_1), (1)),
            Object_alloc_table, intM_intP))))) }

parameter Arrays_findMax_requires :
 t_0:Object pointer ->
  { (JC_126:
    ((JC_123: Non_null_intM(t_0, Object_alloc_table))
    and ((JC_124:
         le_int((1), add_int(offset_max(Object_alloc_table, t_0), (1))))
        and (JC_125:
            le_int(add_int(offset_max(Object_alloc_table, t_0), (1)),
            (32767))))))}
  int reads Object_alloc_table,intM_intP
  { (JC_144:
    ((JC_141: le_int((0), result))
    and ((JC_142:
         lt_int(result, add_int(offset_max(Object_alloc_table, t_0), (1))))
        and (JC_143:
            (forall i_4:int.
             ((le_int((0), i_4)
              and lt_int(i_4,
                  add_int(offset_max(Object_alloc_table, t_0), (1)))) ->
              le_int(select(intM_intP, shift(t_0, i_4)),
              select(intM_intP, shift(t_0, result))))))))) }

exception Exception_exc of Object pointer

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Object_tag_table : Object tag_table ref

exception Return_label_exc of unit

exception Throwable_exc of Object pointer

parameter alloc_struct_Arrays :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Arrays(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Arrays_tag)))) }

parameter alloc_struct_Arrays_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Arrays(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Arrays_tag)))) }

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_intM :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_intM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, intM_tag)))) }

parameter alloc_struct_intM_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_intM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, intM_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter cons_Arrays :
 this_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Arrays_requires :
 this_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter java_array_length_intM :
 x_3:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_25:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_3), (1)))))) }

parameter java_array_length_intM_requires :
 x_3:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_25:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_3), (1)))))) }

parameter non_null_Object :
 x_4:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_38:
    (if result then (offset_max(Object_alloc_table, x_4) = (0))
     else (x_4 = null))) }

parameter non_null_Object_requires :
 x_4:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_38:
    (if result then (offset_max(Object_alloc_table, x_4) = (0))
     else (x_4 = null))) }

parameter non_null_intM :
 x_2:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_15:
    (if result then ge_int(offset_max(Object_alloc_table, x_2), neg_int((1)))
     else (x_2 = null))) }

parameter non_null_intM_requires :
 x_2:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_15:
    (if result then ge_int(offset_max(Object_alloc_table, x_2), neg_int((1)))
     else (x_2 = null))) }

let Arrays_arrayShift_ensures_default =
 fun (t_2 : Object pointer) ->
  { (left_valid_struct_intM(t_2, (0), Object_alloc_table)
    and (JC_99: Non_null_intM(t_2, Object_alloc_table))) }
  (init:
  try
   begin
     (let j_0 =
     ref (K_33:
         ((sub_int (K_32:
                   (let _jessie_ = t_2 in
                   (JC_116: (java_array_length_intM _jessie_))))) (1))) in
     try
      (loop_5:
      while true do
      { invariant
          (JC_119:
          ((JC_117:
           lt_int(j_0, add_int(offset_max(Object_alloc_table, t_2), (1))))
          and (JC_118:
              (gt_int(add_int(offset_max(Object_alloc_table, t_2), (1)), (0)) ->
               (le_int((0), j_0)
               and ((forall i_1:int.
                     ((le_int((0), i_1) and le_int(i_1, j_0)) ->
                      (select(intM_intP, shift(t_2, i_1)) = select(intM_intP@init,
                                                            shift(t_2, i_1)))))
                   and (forall i_2:int.
                        ((lt_int(j_0, i_2)
                         and lt_int(i_2,
                             add_int(offset_max(Object_alloc_table, t_2),
                             (1)))) ->
                         (select(intM_intP, shift(t_2, i_2)) = select(intM_intP@init,
                                                               shift(t_2,
                                                               sub_int(i_2,
                                                               (1)))))))))))))
         }
       begin
         [ { } unit { true } ];
        try
         begin
           (if (K_42: ((gt_int_ !j_0) (0)))
           then
            (let _jessie_ =
            (K_40:
            (let _jessie_ =
            (K_39:
            ((safe_acc_ !intM_intP) ((shift t_2) (K_38: ((sub_int !j_0) (1)))))) in
            (let _jessie_ = t_2 in
            (let _jessie_ = !j_0 in
            (let _jessie_ = ((shift _jessie_) _jessie_) in
            begin
              (((safe_upd_ intM_intP) _jessie_) _jessie_); _jessie_ end))))) in
            void) else (raise (Loop_exit_exc void)));
          (raise (Loop_continue_exc void)) end with
         Loop_continue_exc _jessie_ ->
         (let _jessie_ =
         (K_41:
         (let _jessie_ = !j_0 in
         begin
           (let _jessie_ = (j_0 := ((sub_int _jessie_) (1))) in void);
          _jessie_ end)) in void) end end done) with
      Loop_exit_exc _jessie_ -> void end); (raise Return) end with Return ->
   void end)
  { (JC_101:
    (forall i_0:int.
     ((lt_int((0), i_0)
      and lt_int(i_0, add_int(offset_max(Object_alloc_table, t_2), (1)))) ->
      (select(intM_intP, shift(t_2, i_0)) = select(intM_intP@,
                                            shift(t_2, sub_int(i_0, (1)))))))) }
  

let Arrays_arrayShift_safety =
 fun (t_2 : Object pointer) ->
  { (left_valid_struct_intM(t_2, (0), Object_alloc_table)
    and (JC_99: Non_null_intM(t_2, Object_alloc_table))) }
  (init:
  try
   begin
     (let j_0 =
     ref (K_33:
         ((sub_int (K_32:
                   (let _jessie_ = t_2 in
                   (JC_106:
                   (assert
                   { ge_int(offset_max(Object_alloc_table, _jessie_), (-1)) };
                   (JC_105: (java_array_length_intM_requires _jessie_))))))) (1))) in
     try
      (loop_4:
      while true do
      { invariant (JC_111: true) variant (JC_115 : j_0) }
       begin
         [ { } unit reads Object_alloc_table,intM_intP,j_0
           { (JC_109:
             ((JC_107:
              lt_int(j_0, add_int(offset_max(Object_alloc_table, t_2), (1))))
             and (JC_108:
                 (gt_int(add_int(offset_max(Object_alloc_table, t_2), (1)),
                  (0)) ->
                  (le_int((0), j_0)
                  and ((forall i_1:int.
                        ((le_int((0), i_1) and le_int(i_1, j_0)) ->
                         (select(intM_intP, shift(t_2, i_1)) = select(intM_intP@init,
                                                               shift(t_2,
                                                               i_1)))))
                      and (forall i_2:int.
                           ((lt_int(j_0, i_2)
                            and lt_int(i_2,
                                add_int(offset_max(Object_alloc_table, t_2),
                                (1)))) ->
                            (select(intM_intP, shift(t_2, i_2)) = select(intM_intP@init,
                                                                  shift(t_2,
                                                                  sub_int(i_2,
                                                                  (1))))))))))))) } ];
        try
         begin
           (if (K_42: ((gt_int_ !j_0) (0)))
           then
            (let _jessie_ =
            (K_40:
            (let _jessie_ =
            (K_39:
            (JC_113:
            ((((offset_acc_ !Object_alloc_table) !intM_intP) t_2) (K_38:
                                                                  ((sub_int !j_0) (1)))))) in
            (let _jessie_ = t_2 in
            (let _jessie_ = !j_0 in
            (let _jessie_ = ((shift _jessie_) _jessie_) in
            (JC_114:
            begin
              (((((offset_upd_ !Object_alloc_table) intM_intP) _jessie_) _jessie_) _jessie_);
             _jessie_ end)))))) in void) else (raise (Loop_exit_exc void)));
          (raise (Loop_continue_exc void)) end with
         Loop_continue_exc _jessie_ ->
         (let _jessie_ =
         (K_41:
         (let _jessie_ = !j_0 in
         begin
           (let _jessie_ = (j_0 := ((sub_int _jessie_) (1))) in void);
          _jessie_ end)) in void) end end done) with
      Loop_exit_exc _jessie_ -> void end); (raise Return) end with Return ->
   void end) { true } 

let Arrays_findMax2_ensures_default =
 fun (t_1 : Object pointer) ->
  { (left_valid_struct_intM(t_1, (0), Object_alloc_table)
    and (JC_45:
        ((JC_43: Non_null_intM(t_1, Object_alloc_table))
        and (JC_44:
            ge_int(add_int(offset_max(Object_alloc_table, t_1), (1)), (1)))))) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let m = ref (K_29: ((safe_acc_ !intM_intP) ((shift t_1) (0)))) in
     (let r = ref (K_28: (0)) in
     begin
       (let i_3 = ref (K_9: (1)) in
       try
        (loop_2:
        while true do
        { invariant
            (JC_81:
            ((JC_75: le_int((1), i_3))
            and ((JC_76:
                 le_int(i_3,
                 add_int(offset_max(Object_alloc_table, t_1), (1))))
                and ((JC_77: le_int((0), r))
                    and ((JC_78:
                         lt_int(r,
                         add_int(offset_max(Object_alloc_table, t_1), (1))))
                        and ((JC_79: (m = select(intM_intP, shift(t_1, r))))
                            and (JC_80:
                                is_max(t_1, r, i_3, Object_alloc_table,
                                intM_intP))))))))  }
         begin
           [ { } unit { true } ];
          try
           begin
             (if (K_27:
                 ((lt_int_ !i_3) (K_26:
                                 (let _jessie_ = t_1 in
                                 (JC_85: (java_array_length_intM _jessie_))))))
             then
              (if (K_24:
                  ((gt_int_ (K_23:
                            ((safe_acc_ !intM_intP) ((shift t_1) !i_3)))) !m))
              then
               (let _jessie_ =
               begin
                 (let _jessie_ = (r := !i_3) in void);
                (m := (K_22: ((safe_acc_ !intM_intP) ((shift t_1) !i_3))));
                !m end in void) else void) else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ ->
           (let _jessie_ =
           (K_25:
           (let _jessie_ = !i_3 in
           begin
             (let _jessie_ = (i_3 := ((add_int _jessie_) (1))) in void);
            _jessie_ end)) in void) end end done) with
        Loop_exit_exc _jessie_ -> void end); (return := !r); (raise Return)
     end)); absurd  end with Return -> !return end)) { (JC_47: true) } 

let Arrays_findMax2_ensures_max_found =
 fun (t_1 : Object pointer) ->
  { (left_valid_struct_intM(t_1, (0), Object_alloc_table)
    and (JC_45:
        ((JC_43: Non_null_intM(t_1, Object_alloc_table))
        and (JC_44:
            ge_int(add_int(offset_max(Object_alloc_table, t_1), (1)), (1)))))) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let m = ref (K_29: ((safe_acc_ !intM_intP) ((shift t_1) (0)))) in
     (let r = ref (K_28: (0)) in
     begin
       (let i_3 = ref (K_9: (1)) in
       try
        (loop_3:
        while true do
        { invariant (JC_94: true)  }
         begin
           [ { } unit reads Object_alloc_table,i_3,intM_intP,m,r
             { (JC_92:
               ((JC_86: le_int((1), i_3))
               and ((JC_87:
                    le_int(i_3,
                    add_int(offset_max(Object_alloc_table, t_1), (1))))
                   and ((JC_88: le_int((0), r))
                       and ((JC_89:
                            lt_int(r,
                            add_int(offset_max(Object_alloc_table, t_1), (1))))
                           and ((JC_90:
                                (m = select(intM_intP, shift(t_1, r))))
                               and (JC_91:
                                   is_max(t_1, r, i_3, Object_alloc_table,
                                   intM_intP)))))))) } ];
          try
           begin
             (if (K_27:
                 ((lt_int_ !i_3) (K_26:
                                 (let _jessie_ = t_1 in
                                 (JC_96: (java_array_length_intM _jessie_))))))
             then
              (if (K_24:
                  ((gt_int_ (K_23:
                            ((safe_acc_ !intM_intP) ((shift t_1) !i_3)))) !m))
              then
               (let _jessie_ =
               begin
                 (let _jessie_ = (r := !i_3) in void);
                (m := (K_22: ((safe_acc_ !intM_intP) ((shift t_1) !i_3))));
                !m end in void) else void) else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ ->
           (let _jessie_ =
           (K_25:
           (let _jessie_ = !i_3 in
           begin
             (let _jessie_ = (i_3 := ((add_int _jessie_) (1))) in void);
            _jessie_ end)) in void) end end done) with
        Loop_exit_exc _jessie_ -> void end); (return := !r); (raise Return)
     end)); absurd  end with Return -> !return end))
  { (JC_54:
    ((JC_51: le_int((0), result))
    and ((JC_52:
         lt_int(result, add_int(offset_max(Object_alloc_table, t_1), (1))))
        and (JC_53:
            is_max(t_1, result,
            add_int(offset_max(Object_alloc_table, t_1), (1)),
            Object_alloc_table, intM_intP))))) } 

let Arrays_findMax2_safety =
 fun (t_1 : Object pointer) ->
  { (left_valid_struct_intM(t_1, (0), Object_alloc_table)
    and (JC_45:
        ((JC_43: Non_null_intM(t_1, Object_alloc_table))
        and (JC_44:
            ge_int(add_int(offset_max(Object_alloc_table, t_1), (1)), (1)))))) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let m =
     ref (K_29:
         (JC_59:
         ((((lsafe_lbound_acc_ !Object_alloc_table) !intM_intP) t_1) (0)))) in
     (let r = ref (K_28: (0)) in
     begin
       (let i_3 = ref (K_9: (1)) in
       try
        (loop_1:
        while true do
        { invariant (JC_68: true)
          variant (JC_74 : sub_int(add_int(offset_max(Object_alloc_table,
                                           t_1),
                                   (1)),
                           i_3)) }
         begin
           [ { } unit reads Object_alloc_table,i_3,intM_intP,m,r
             { (JC_66:
               ((JC_60: le_int((1), i_3))
               and ((JC_61:
                    le_int(i_3,
                    add_int(offset_max(Object_alloc_table, t_1), (1))))
                   and ((JC_62: le_int((0), r))
                       and ((JC_63:
                            lt_int(r,
                            add_int(offset_max(Object_alloc_table, t_1), (1))))
                           and ((JC_64:
                                (m = select(intM_intP, shift(t_1, r))))
                               and (JC_65:
                                   is_max(t_1, r, i_3, Object_alloc_table,
                                   intM_intP)))))))) } ];
          try
           begin
             (if (K_27:
                 ((lt_int_ !i_3) (K_26:
                                 (let _jessie_ = t_1 in
                                 (JC_71:
                                 (assert
                                 { ge_int(offset_max(Object_alloc_table,
                                          _jessie_),
                                   (-1)) };
                                 (JC_70:
                                 (java_array_length_intM_requires _jessie_))))))))
             then
              (if (K_24:
                  ((gt_int_ (K_23:
                            (JC_72:
                            ((((offset_acc_ !Object_alloc_table) !intM_intP) t_1) !i_3)))) !m))
              then
               (let _jessie_ =
               begin
                 (let _jessie_ = (r := !i_3) in void);
                (m := (K_22:
                      (JC_73:
                      ((((offset_acc_ !Object_alloc_table) !intM_intP) t_1) !i_3))));
                !m end in void) else void) else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ ->
           (let _jessie_ =
           (K_25:
           (let _jessie_ = !i_3 in
           begin
             (let _jessie_ = (i_3 := ((add_int _jessie_) (1))) in void);
            _jessie_ end)) in void) end end done) with
        Loop_exit_exc _jessie_ -> void end); (return := !r); (raise Return)
     end)); absurd  end with Return -> !return end)) { true } 

let Arrays_findMax_ensures_default =
 fun (t_0 : Object pointer) ->
  { (left_valid_struct_intM(t_0, (0), Object_alloc_table)
    and (JC_131:
        ((JC_128: Non_null_intM(t_0, Object_alloc_table))
        and ((JC_129:
             le_int((1), add_int(offset_max(Object_alloc_table, t_0), (1))))
            and (JC_130:
                le_int(add_int(offset_max(Object_alloc_table, t_0), (1)),
                (32767))))))) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let m_0 = ref (K_73: ((safe_acc_ !intM_intP) ((shift t_0) (0)))) in
     (let r_0 = ref (K_72: (0)) in
     begin
       (let i_5 = ref (K_53: (1)) in
       try
        (loop_7:
        while true do
        { invariant
            (JC_167:
            ((JC_161: le_int((1), i_5))
            and ((JC_162:
                 le_int(i_5,
                 add_int(offset_max(Object_alloc_table, t_0), (1))))
                and ((JC_163: le_int((0), r_0))
                    and ((JC_164:
                         lt_int(r_0,
                         add_int(offset_max(Object_alloc_table, t_0), (1))))
                        and ((JC_165:
                             (m_0 = select(intM_intP, shift(t_0, r_0))))
                            and (JC_166:
                                (forall j_1:int.
                                 ((le_int((0), j_1) and lt_int(j_1, i_5)) ->
                                  le_int(select(intM_intP, shift(t_0, j_1)),
                                  m_0))))))))))  }
         begin
           [ { } unit { true } ];
          try
           begin
             (if (K_71:
                 ((lt_int_ !i_5) (K_70:
                                 (let _jessie_ = t_0 in
                                 (JC_171:
                                 (java_array_length_intM _jessie_))))))
             then
              (if (K_68:
                  ((gt_int_ (K_67:
                            ((safe_acc_ !intM_intP) ((shift t_0) !i_5)))) !m_0))
              then
               (let _jessie_ =
               begin
                 (let _jessie_ = (r_0 := !i_5) in void);
                (m_0 := (K_66: ((safe_acc_ !intM_intP) ((shift t_0) !i_5))));
                !m_0 end in void) else void)
             else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ ->
           (let _jessie_ =
           (K_69:
           (let _jessie_ = !i_5 in
           begin
             (let _jessie_ = (i_5 := ((add_int _jessie_) (1))) in void);
            _jessie_ end)) in void) end end done) with
        Loop_exit_exc _jessie_ -> void end); (return := !r_0);
      (raise Return) end)); absurd  end with Return -> !return end))
  { (JC_133: true) } 

let Arrays_findMax_ensures_max_found =
 fun (t_0 : Object pointer) ->
  { (left_valid_struct_intM(t_0, (0), Object_alloc_table)
    and (JC_131:
        ((JC_128: Non_null_intM(t_0, Object_alloc_table))
        and ((JC_129:
             le_int((1), add_int(offset_max(Object_alloc_table, t_0), (1))))
            and (JC_130:
                le_int(add_int(offset_max(Object_alloc_table, t_0), (1)),
                (32767))))))) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let m_0 = ref (K_73: ((safe_acc_ !intM_intP) ((shift t_0) (0)))) in
     (let r_0 = ref (K_72: (0)) in
     begin
       (let i_5 = ref (K_53: (1)) in
       try
        (loop_8:
        while true do
        { invariant (JC_180: true)  }
         begin
           [ { } unit reads Object_alloc_table,i_5,intM_intP,m_0,r_0
             { (JC_178:
               ((JC_172: le_int((1), i_5))
               and ((JC_173:
                    le_int(i_5,
                    add_int(offset_max(Object_alloc_table, t_0), (1))))
                   and ((JC_174: le_int((0), r_0))
                       and ((JC_175:
                            lt_int(r_0,
                            add_int(offset_max(Object_alloc_table, t_0), (1))))
                           and ((JC_176:
                                (m_0 = select(intM_intP, shift(t_0, r_0))))
                               and (JC_177:
                                   (forall j_1:int.
                                    ((le_int((0), j_1) and lt_int(j_1, i_5)) ->
                                     le_int(select(intM_intP,
                                            shift(t_0, j_1)),
                                     m_0)))))))))) } ];
          try
           begin
             (if (K_71:
                 ((lt_int_ !i_5) (K_70:
                                 (let _jessie_ = t_0 in
                                 (JC_182:
                                 (java_array_length_intM _jessie_))))))
             then
              (if (K_68:
                  ((gt_int_ (K_67:
                            ((safe_acc_ !intM_intP) ((shift t_0) !i_5)))) !m_0))
              then
               (let _jessie_ =
               begin
                 (let _jessie_ = (r_0 := !i_5) in void);
                (m_0 := (K_66: ((safe_acc_ !intM_intP) ((shift t_0) !i_5))));
                !m_0 end in void) else void)
             else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ ->
           (let _jessie_ =
           (K_69:
           (let _jessie_ = !i_5 in
           begin
             (let _jessie_ = (i_5 := ((add_int _jessie_) (1))) in void);
            _jessie_ end)) in void) end end done) with
        Loop_exit_exc _jessie_ -> void end); (return := !r_0);
      (raise Return) end)); absurd  end with Return -> !return end))
  { (JC_140:
    ((JC_137: le_int((0), result))
    and ((JC_138:
         lt_int(result, add_int(offset_max(Object_alloc_table, t_0), (1))))
        and (JC_139:
            (forall i_4:int.
             ((le_int((0), i_4)
              and lt_int(i_4,
                  add_int(offset_max(Object_alloc_table, t_0), (1)))) ->
              le_int(select(intM_intP, shift(t_0, i_4)),
              select(intM_intP, shift(t_0, result))))))))) } 

let Arrays_findMax_safety =
 fun (t_0 : Object pointer) ->
  { (left_valid_struct_intM(t_0, (0), Object_alloc_table)
    and (JC_131:
        ((JC_128: Non_null_intM(t_0, Object_alloc_table))
        and ((JC_129:
             le_int((1), add_int(offset_max(Object_alloc_table, t_0), (1))))
            and (JC_130:
                le_int(add_int(offset_max(Object_alloc_table, t_0), (1)),
                (32767))))))) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let m_0 =
     ref (K_73:
         (JC_145:
         ((((lsafe_lbound_acc_ !Object_alloc_table) !intM_intP) t_0) (0)))) in
     (let r_0 = ref (K_72: (0)) in
     begin
       (let i_5 = ref (K_53: (1)) in
       try
        (loop_6:
        while true do
        { invariant (JC_154: true)
          variant (JC_160 : sub_int(add_int(offset_max(Object_alloc_table,
                                            t_0),
                                    (1)),
                            i_5)) }
         begin
           [ { } unit reads Object_alloc_table,i_5,intM_intP,m_0,r_0
             { (JC_152:
               ((JC_146: le_int((1), i_5))
               and ((JC_147:
                    le_int(i_5,
                    add_int(offset_max(Object_alloc_table, t_0), (1))))
                   and ((JC_148: le_int((0), r_0))
                       and ((JC_149:
                            lt_int(r_0,
                            add_int(offset_max(Object_alloc_table, t_0), (1))))
                           and ((JC_150:
                                (m_0 = select(intM_intP, shift(t_0, r_0))))
                               and (JC_151:
                                   (forall j_1:int.
                                    ((le_int((0), j_1) and lt_int(j_1, i_5)) ->
                                     le_int(select(intM_intP,
                                            shift(t_0, j_1)),
                                     m_0)))))))))) } ];
          try
           begin
             (if (K_71:
                 ((lt_int_ !i_5) (K_70:
                                 (let _jessie_ = t_0 in
                                 (JC_157:
                                 (assert
                                 { ge_int(offset_max(Object_alloc_table,
                                          _jessie_),
                                   (-1)) };
                                 (JC_156:
                                 (java_array_length_intM_requires _jessie_))))))))
             then
              (if (K_68:
                  ((gt_int_ (K_67:
                            (JC_158:
                            ((((offset_acc_ !Object_alloc_table) !intM_intP) t_0) !i_5)))) !m_0))
              then
               (let _jessie_ =
               begin
                 (let _jessie_ = (r_0 := !i_5) in void);
                (m_0 := (K_66:
                        (JC_159:
                        ((((offset_acc_ !Object_alloc_table) !intM_intP) t_0) !i_5))));
                !m_0 end in void) else void)
             else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ ->
           (let _jessie_ =
           (K_69:
           (let _jessie_ = !i_5 in
           begin
             (let _jessie_ = (i_5 := ((add_int _jessie_) (1))) in void);
            _jessie_ end)) in void) end end done) with
        Loop_exit_exc _jessie_ -> void end); (return := !r_0);
      (raise Return) end)); absurd  end with Return -> !return end)) 
  { true } 

let cons_Arrays_ensures_default =
 fun (this_0 : Object pointer) ->
  { valid_struct_Arrays(this_0, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_187: true) } 

let cons_Arrays_safety =
 fun (this_0 : Object pointer) ->
  { valid_struct_Arrays(this_0, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 


why-2.39/tests/java/oracle/Arrays.err.oracle0000644000106100004300000000000013147234006017766 0ustar  marchevalswhy-2.39/tests/java/oracle/NameConflicts.res.oracle0000644000106100004300000010403113147234006021264 0ustar  marchevals========== file tests/java/NameConflicts.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

class NameConflicts {

    int i;

    void setI(int i) {
	this.i = i;
    }

    /*@ behavior normal:
      @   ensures \result == 0;
      @*/
    int m() {
	int result = 0;
	return result;
    }

    int field;

    int field() { return field; }

}


/*
Local Variables:
compile-command: "make NameConflicts.why3ide"
End:
*/


========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function NameConflicts_m for method NameConflicts.m
Generating JC function NameConflicts_field for method NameConflicts.field
Generating JC function NameConflicts_setI for method NameConflicts.setI
Generating JC function cons_NameConflicts for constructor NameConflicts
Done.
========== file tests/java/NameConflicts.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

type byte = -128..127

type short = -32768..32767

type int32 = -2147483648..2147483647

type long = -9223372036854775808..9223372036854775807

type char = 0..65535

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag NameConflicts = Object with {
  int32 i; 
  int32 field;
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

int32 NameConflicts_m(NameConflicts[0] this_1)
behavior normal:
  ensures (K_1 : (\result == 0));
{  
   {  
      (var int32 result = (K_2 : 0));
      
      (return result)
   }
}

int32 NameConflicts_field(NameConflicts[0] this_0)
{  
   (return (K_3 : this_0.field))
}

unit NameConflicts_setI(NameConflicts[0] this_2, int32 i)
{  (K_4 : (this_2.i = i))
}

unit cons_NameConflicts(! NameConflicts[0] this_3)
{  (this_3.i = 0);
   (this_3.field = 0)
}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/NameConflicts.jloc tests/java/NameConflicts.jc && make -f tests/java/NameConflicts.makefile gui"
End:
*/
========== file tests/java/NameConflicts.jloc ==========
[NameConflicts_field]
name = "Method field"
file = "HOME/tests/java/NameConflicts.java"
line = 50
begin = 8
end = 13

[K_1]
file = "HOME/tests/java/NameConflicts.java"
line = 41
begin = 18
end = 30

[K_4]
file = "HOME/tests/java/NameConflicts.java"
line = 37
begin = 1
end = 11

[K_2]
file = "HOME/tests/java/NameConflicts.java"
line = 44
begin = 14
end = 15

[NameConflicts_m]
name = "Method m"
file = "HOME/tests/java/NameConflicts.java"
line = 43
begin = 8
end = 9

[K_3]
file = "HOME/tests/java/NameConflicts.java"
line = 50
begin = 25
end = 30

[cons_NameConflicts]
name = "Constructor of class NameConflicts"
file = "HOME/"
line = 0
begin = -1
end = -1

[NameConflicts_setI]
name = "Method setI"
file = "HOME/tests/java/NameConflicts.java"
line = 36
begin = 9
end = 13

========== jessie execution ==========
Generating Why function NameConflicts_m
Generating Why function NameConflicts_field_0
Generating Why function NameConflicts_setI
Generating Why function cons_NameConflicts
========== file tests/java/NameConflicts.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/NameConflicts_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: NameConflicts.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: NameConflicts.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: NameConflicts.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/java/NameConflicts.loc ==========
[JC_51]
file = "HOME/"
line = 0
begin = -1
end = -1

[NameConflicts_m_ensures_default]
name = "Method m"
behavior = "default behavior"
file = "HOME/tests/java/NameConflicts.java"
line = 43
begin = 8
end = 9

[JC_45]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_NameConflicts_safety]
name = "Constructor of class NameConflicts"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_NameConflicts_ensures_default]
name = "Constructor of class NameConflicts"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[NameConflicts_m_ensures_normal]
name = "Method m"
behavior = "Behavior `normal'"
file = "HOME/tests/java/NameConflicts.java"
line = 43
begin = 8
end = 9

[JC_31]
file = "HOME/tests/java/NameConflicts.java"
line = 50
begin = 8
end = 13

[JC_17]
file = "HOME/tests/java/NameConflicts.jc"
line = 49
begin = 11
end = 65

[JC_48]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_23]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[NameConflicts_field_safety]
name = "Method field"
behavior = "Safety"
file = "HOME/tests/java/NameConflicts.java"
line = 50
begin = 8
end = 13

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_9]
file = "HOME/tests/java/NameConflicts.jc"
line = 47
begin = 8
end = 23

[JC_24]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_25]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_41]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_47]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_52]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/java/NameConflicts.jc"
line = 47
begin = 8
end = 23

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[NameConflicts_field_ensures_default]
name = "Method field"
behavior = "default behavior"
file = "HOME/tests/java/NameConflicts.java"
line = 50
begin = 8
end = 13

[JC_39]
file = "HOME/tests/java/NameConflicts.java"
line = 36
begin = 9
end = 13

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_35]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
file = "HOME/tests/java/NameConflicts.java"
line = 41
begin = 18
end = 30

[JC_38]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_44]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_42]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_46]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[NameConflicts_m_safety]
name = "Method m"
behavior = "Safety"
file = "HOME/tests/java/NameConflicts.java"
line = 43
begin = 8
end = 9

[JC_29]
file = "HOME/tests/java/NameConflicts.java"
line = 50
begin = 8
end = 13

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_43]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[NameConflicts_setI_safety]
name = "Method setI"
behavior = "Safety"
file = "HOME/tests/java/NameConflicts.java"
line = 36
begin = 9
end = 13

[JC_21]
file = "HOME/tests/java/NameConflicts.java"
line = 43
begin = 8
end = 9

[JC_49]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1]
file = "HOME/tests/java/NameConflicts.jc"
line = 20
begin = 12
end = 22

[JC_37]
file = "HOME/tests/java/NameConflicts.java"
line = 36
begin = 9
end = 13

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[NameConflicts_setI_ensures_default]
name = "Method setI"
behavior = "default behavior"
file = "HOME/tests/java/NameConflicts.java"
line = 36
begin = 9
end = 13

[JC_18]
file = "HOME/tests/java/NameConflicts.jc"
line = 49
begin = 11
end = 65

[JC_3]
file = "HOME/tests/java/NameConflicts.jc"
line = 20
begin = 12
end = 22

[JC_19]
file = "HOME/tests/java/NameConflicts.java"
line = 43
begin = 8
end = 9

[JC_50]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_28]
file = "HOME/tests/java/NameConflicts.java"
line = 41
begin = 18
end = 30

========== file tests/java/why/NameConflicts.why ==========
type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

logic NameConflicts_tag:  -> Object tag_id

axiom NameConflicts_parenttag_Object :
 parenttag(NameConflicts_tag, Object_tag)

predicate Non_null_Object(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), (0))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic integer_of_byte: byte -> int

logic byte_of_integer: int -> byte

axiom byte_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_byte(byte_of_integer(x)), x)))

axiom byte_extensionality :
 (forall x:byte.
  (forall y:byte[eq_int(integer_of_byte(x), integer_of_byte(y))].
   (eq_int(integer_of_byte(x), integer_of_byte(y)) -> (x = y))))

axiom byte_range :
 (forall x:byte.
  (le_int((-128), integer_of_byte(x)) and le_int(integer_of_byte(x), (127))))

logic integer_of_char: char -> int

logic char_of_integer: int -> char

axiom char_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (65535))) ->
   eq_int(integer_of_char(char_of_integer(x)), x)))

axiom char_extensionality :
 (forall x:char.
  (forall y:char[eq_int(integer_of_char(x), integer_of_char(y))].
   (eq_int(integer_of_char(x), integer_of_char(y)) -> (x = y))))

axiom char_range :
 (forall x:char.
  (le_int((0), integer_of_char(x)) and le_int(integer_of_char(x), (65535))))

predicate eq_byte(x:byte, y:byte) =
 eq_int(integer_of_byte(x), integer_of_byte(y))

predicate eq_char(x:char, y:char) =
 eq_int(integer_of_char(x), integer_of_char(y))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_long: long -> int

predicate eq_long(x:long, y:long) =
 eq_int(integer_of_long(x), integer_of_long(y))

logic integer_of_short: short -> int

predicate eq_short(x:short, y:short) =
 eq_int(integer_of_short(x), integer_of_short(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_NameConflicts(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer: int -> long

axiom long_coerce :
 (forall x:int.
  ((le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807))) ->
   eq_int(integer_of_long(long_of_integer(x)), x)))

axiom long_extensionality :
 (forall x:long.
  (forall y:long[eq_int(integer_of_long(x), integer_of_long(y))].
   (eq_int(integer_of_long(x), integer_of_long(y)) -> (x = y))))

axiom long_range :
 (forall x:long.
  (le_int((-9223372036854775808), integer_of_long(x))
  and le_int(integer_of_long(x), (9223372036854775807))))

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_NameConflicts(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer: int -> short

axiom short_coerce :
 (forall x:int.
  ((le_int((-32768), x) and le_int(x, (32767))) ->
   eq_int(integer_of_short(short_of_integer(x)), x)))

axiom short_extensionality :
 (forall x:short.
  (forall y:short[eq_int(integer_of_short(x), integer_of_short(y))].
   (eq_int(integer_of_short(x), integer_of_short(y)) -> (x = y))))

axiom short_range :
 (forall x:short.
  (le_int((-32768), integer_of_short(x))
  and le_int(integer_of_short(x), (32767))))

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_NameConflicts(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_NameConflicts(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

exception Exception_exc of Object pointer

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter NameConflicts_field : (Object, int32) memory ref

parameter Object_alloc_table : Object alloc_table ref

parameter NameConflicts_field_0 :
 this_0:Object pointer ->
  { } int32 reads NameConflicts_field,Object_alloc_table { true }

parameter NameConflicts_field_0_requires :
 this_0:Object pointer ->
  { } int32 reads NameConflicts_field,Object_alloc_table { true }

parameter NameConflicts_i : (Object, int32) memory ref

parameter NameConflicts_m :
 this_1:Object pointer ->
  { } int32 reads Object_alloc_table
  { (JC_28: (integer_of_int32(result) = (0))) }

parameter NameConflicts_m_requires :
 this_1:Object pointer ->
  { } int32 reads Object_alloc_table
  { (JC_28: (integer_of_int32(result) = (0))) }

parameter NameConflicts_setI :
 this_2:Object pointer ->
  i:int32 ->
   { } unit reads Object_alloc_table writes NameConflicts_i { true }

parameter NameConflicts_setI_requires :
 this_2:Object pointer ->
  i:int32 ->
   { } unit reads Object_alloc_table writes NameConflicts_i { true }

parameter Object_tag_table : Object tag_table ref

exception Return_label_exc of unit

exception Throwable_exc of Object pointer

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_NameConflicts :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_NameConflicts(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, NameConflicts_tag)))) }

parameter alloc_struct_NameConflicts_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_NameConflicts(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, NameConflicts_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_byte : unit -> { } byte { true }

parameter any_char : unit -> { } char { true }

parameter any_int32 : unit -> { } int32 { true }

parameter any_long : unit -> { } long { true }

parameter any_short : unit -> { } short { true }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter byte_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} byte
  { eq_int(integer_of_byte(result), x) }

parameter char_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (65535)))} char
  { eq_int(integer_of_char(result), x) }

parameter cons_NameConflicts :
 this_3:Object pointer ->
  { } unit reads Object_alloc_table
  writes NameConflicts_field,NameConflicts_i { true }

parameter cons_NameConflicts_requires :
 this_3:Object pointer ->
  { } unit reads Object_alloc_table
  writes NameConflicts_field,NameConflicts_i { true }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter long_of_integer_ :
 x:int ->
  { (le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807)))}
  long { eq_int(integer_of_long(result), x) }

parameter non_null_Object :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter non_null_Object_requires :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter safe_byte_of_integer_ :
 x:int -> { } byte { eq_int(integer_of_byte(result), x) }

parameter safe_char_of_integer_ :
 x:int -> { } char { eq_int(integer_of_char(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_long_of_integer_ :
 x:int -> { } long { eq_int(integer_of_long(result), x) }

parameter safe_short_of_integer_ :
 x:int -> { } short { eq_int(integer_of_short(result), x) }

parameter short_of_integer_ :
 x:int ->
  { (le_int((-32768), x) and le_int(x, (32767)))} short
  { eq_int(integer_of_short(result), x) }

let NameConflicts_field_ensures_default =
 fun (this_0 : Object pointer) ->
  { valid_struct_NameConflicts(this_0, (0), (0), Object_alloc_table) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (return := (K_3: ((safe_acc_ !NameConflicts_field) this_0)));
    (raise Return); absurd  end with Return -> !return end))
  { (JC_33: true) } 

let NameConflicts_field_safety =
 fun (this_0 : Object pointer) ->
  { valid_struct_NameConflicts(this_0, (0), (0), Object_alloc_table) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (return := (K_3: ((safe_acc_ !NameConflicts_field) this_0)));
    (raise Return); absurd  end with Return -> !return end)) { true } 

let NameConflicts_m_ensures_default =
 fun (this_1 : Object pointer) ->
  { valid_struct_NameConflicts(this_1, (0), (0), Object_alloc_table) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let result_0 = (safe_int32_of_integer_ (K_2: (0))) in
     begin   (return := result_0); (raise Return) end); absurd  end with
   Return -> !return end)) { (JC_23: true) } 

let NameConflicts_m_ensures_normal =
 fun (this_1 : Object pointer) ->
  { valid_struct_NameConflicts(this_1, (0), (0), Object_alloc_table) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let result_0 = (safe_int32_of_integer_ (K_2: (0))) in
     begin   (return := result_0); (raise Return) end); absurd  end with
   Return -> !return end)) { (JC_27: (integer_of_int32(result) = (0))) } 

let NameConflicts_m_safety =
 fun (this_1 : Object pointer) ->
  { valid_struct_NameConflicts(this_1, (0), (0), Object_alloc_table) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let result_0 = (safe_int32_of_integer_ (K_2: (0))) in
     begin   (return := result_0); (raise Return) end); absurd  end with
   Return -> !return end)) { true } 

let NameConflicts_setI_ensures_default =
 fun (this_2 : Object pointer) (i : int32) ->
  { valid_struct_NameConflicts(this_2, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     (K_4:
     (let _jessie_ = i in
     begin
       (let _jessie_ = this_2 in
       (((safe_upd_ NameConflicts_i) _jessie_) _jessie_)); _jessie_ end)) in
     void); (raise Return) end with Return -> void end) { (JC_41: true) } 

let NameConflicts_setI_safety =
 fun (this_2 : Object pointer) (i : int32) ->
  { valid_struct_NameConflicts(this_2, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     (K_4:
     (let _jessie_ = i in
     begin
       (let _jessie_ = this_2 in
       (((safe_upd_ NameConflicts_i) _jessie_) _jessie_)); _jessie_ end)) in
     void); (raise Return) end with Return -> void end) { true } 

let cons_NameConflicts_ensures_default =
 fun (this_3 : Object pointer) ->
  { valid_struct_NameConflicts(this_3, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = (safe_int32_of_integer_ (0)) in
       (let _jessie_ = this_3 in
       (((safe_upd_ NameConflicts_i) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      begin
        (let _jessie_ = this_3 in
        (((safe_upd_ NameConflicts_field) _jessie_) _jessie_));
       _jessie_ end) end in void); (raise Return) end with Return ->
   void end) { (JC_49: true) } 

let cons_NameConflicts_safety =
 fun (this_3 : Object pointer) ->
  { valid_struct_NameConflicts(this_3, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = (safe_int32_of_integer_ (0)) in
       (let _jessie_ = this_3 in
       (((safe_upd_ NameConflicts_i) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      begin
        (let _jessie_ = this_3 in
        (((safe_upd_ NameConflicts_field) _jessie_) _jessie_));
       _jessie_ end) end in void); (raise Return) end with Return ->
   void end) { true } 


why-2.39/tests/java/oracle/Fresh.res.oracle0000644000106100004300000012515613147234006017621 0ustar  marchevals========== file tests/java/Fresh.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


class Fresh {

    /*@ allocates \result;
      @ ensures \fresh(\result);
      @*/
    static Fresh create() {
        return new Fresh ();
    }

    void test () {
        Fresh f = create ();
        //@ assert this != f;
    }
}




/*
Local Variables:
compile-command: "make Fresh.why3ide"
End:
*/


========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function cons_Fresh for constructor Fresh
Generating JC function Fresh_create for method Fresh.create
Generating JC function Fresh_test for method Fresh.test
Generating JC function Object_clone for method Object.clone
Generating JC function Object_notifyAll for method Object.notifyAll
Generating JC function Object_hashCode for method Object.hashCode
Generating JC function Object_equals for method Object.equals
Generating JC function Object_wait for method Object.wait
Generating JC function Object_notify for method Object.notify
Generating JC function Object_wait_long for method Object.wait
Generating JC function Object_toString for method Object.toString
Generating JC function Object_wait_long_int for method Object.wait
Generating JC function cons_Object for constructor Object
Generating JC function Object_finalize for method Object.finalize
Generating JC function Object_registerNatives for method Object.registerNatives
Done.
========== file tests/java/Fresh.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

type byte = -128..127

type short = -32768..32767

type int32 = -2147483648..2147483647

type long = -9223372036854775808..9223372036854775807

type char = 0..65535

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag Fresh = Object with {
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

unit cons_Fresh(! Fresh[0] this_2){()}

Fresh[0..] Fresh_create()
behavior default:
  allocates \result;
  ensures (K_1 : \fresh(\result));
{  
   (return 
   {  
      (var Fresh[0] this = (new Fresh[1]));
      
      {  
         (var unit _tt = cons_Fresh(this));
         this
      }
   })
}

unit Fresh_test(Fresh[0] this_0)
{  
   {  
      (var Fresh[0..] f = (K_4 : Fresh_create()));
      (K_3 : 
      (assert (K_2 : (this_0 != f))))
   }
}

Object[0..] Object_clone(Object[0] this_3)
;

unit Object_notifyAll(Object[0] this_4)
;

int32 Object_hashCode(Object[0] this_5)
;

boolean Object_equals(Object[0] this_6, Object[0..] obj)
;

unit Object_wait(Object[0] this_7)
;

unit Object_notify(Object[0] this_8)
;

unit Object_wait_long(Object[0] this_9, long timeout)
;

String[0..] Object_toString(Object[0] this_10)
;

unit Object_wait_long_int(Object[0] this_11, long timeout_0, int32 nanos)
;

unit cons_Object(! Object[0] this_13){()}

unit Object_finalize(Object[0] this_12)
;

unit Object_registerNatives()
;

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/Fresh.jloc tests/java/Fresh.jc && make -f tests/java/Fresh.makefile gui"
End:
*/
========== file tests/java/Fresh.jloc ==========
[cons_Fresh]
name = "Constructor of class Fresh"
file = "HOME/"
line = 0
begin = -1
end = -1

[Object_wait_long]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[Object_finalize]
name = "Method finalize"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[Object_wait]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[Object_notify]
name = "Method notify"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[Object_clone]
name = "Method clone"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[cons_Object]
name = "Constructor of class Object"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_1]
file = "HOME/tests/java/Fresh.java"
line = 36
begin = 16
end = 31

[K_4]
file = "HOME/tests/java/Fresh.java"
line = 43
begin = 18
end = 27

[Object_wait_long_int]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[Object_registerNatives]
name = "Method registerNatives"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[K_2]
file = "HOME/tests/java/Fresh.java"
line = 44
begin = 19
end = 28

[K_3]
file = "HOME/tests/java/Fresh.java"
line = 44
begin = 19
end = 28

[Fresh_test]
name = "Method test"
file = "HOME/tests/java/Fresh.java"
line = 42
begin = 9
end = 13

[Object_notifyAll]
name = "Method notifyAll"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[Fresh_create]
name = "Method create"
file = "HOME/tests/java/Fresh.java"
line = 38
begin = 17
end = 23

[Object_equals]
name = "Method equals"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[Object_hashCode]
name = "Method hashCode"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[Object_toString]
name = "Method toString"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

========== jessie execution ==========
Generating Why function cons_Fresh
Generating Why function Fresh_create
Generating Why function Fresh_test
Generating Why function cons_Object
========== file tests/java/Fresh.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/Fresh_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: Fresh.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: Fresh.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: Fresh.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/java/Fresh.loc ==========
[JC_94]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[JC_73]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_63]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_80]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_51]
file = "HOME/tests/java/Fresh.java"
line = 44
begin = 19
end = 28

[JC_71]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_147]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_45]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_123]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_106]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_143]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_113]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_116]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[JC_64]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_133]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Object_ensures_default]
name = "Constructor of class Object"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_99]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_85]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_126]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_31]
file = "HOME/tests/java/Fresh.java"
line = 36
begin = 16
end = 31

[JC_17]
file = "HOME/tests/java/Fresh.jc"
line = 47
begin = 11
end = 65

[JC_122]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_81]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_55]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_138]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_134]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[JC_137]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_48]
kind = UserCall
file = "HOME/tests/java/Fresh.java"
line = 43
begin = 18
end = 27

[JC_23]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_121]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_125]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_67]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_9]
file = "HOME/tests/java/Fresh.jc"
line = 45
begin = 8
end = 23

[JC_75]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_24]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_25]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_78]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[JC_41]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_74]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_47]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_52]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[JC_79]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_130]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_82]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Fresh_ensures_default]
name = "Constructor of class Fresh"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_87]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/java/Fresh.jc"
line = 45
begin = 8
end = 23

[JC_98]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_70]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_36]
kind = IndexBounds
file = "HOME/tests/java/Fresh.jc"
line = 63
begin = 7
end = 41

[JC_104]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_91]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_39]
kind = UserCall
file = "HOME/tests/java/Fresh.jc"
line = 66
begin = 25
end = 41

[JC_112]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_40]
file = "HOME/tests/java/Fresh.java"
line = 42
begin = 9
end = 13

[JC_135]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_83]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_35]
kind = AllocSize
file = "HOME/tests/java/Fresh.jc"
line = 63
begin = 28
end = 40

[JC_132]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[JC_27]
file = "HOME/tests/java/Fresh.java"
line = 38
begin = 17
end = 23

[JC_115]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_109]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_107]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_69]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_124]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_38]
kind = AllocSize
file = "HOME/tests/java/Fresh.jc"
line = 63
begin = 28
end = 40

[Fresh_create_safety]
name = "Method create"
behavior = "Safety"
file = "HOME/tests/java/Fresh.java"
line = 38
begin = 17
end = 23

[Fresh_test_safety]
name = "Method test"
behavior = "Safety"
file = "HOME/tests/java/Fresh.java"
line = 42
begin = 9
end = 13

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_127]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_44]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[JC_101]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_88]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_129]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_42]
file = "HOME/tests/java/Fresh.java"
line = 42
begin = 9
end = 13

[JC_110]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[JC_103]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_46]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_141]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_61]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_32]
file = "HOME/tests/java/Fresh.java"
line = 36
begin = 16
end = 31

[JC_56]
file = "HOME/"
line = 0
begin = -1
end = -1

[Fresh_create_ensures_default]
name = "Method create"
behavior = "default behavior"
file = "HOME/tests/java/Fresh.java"
line = 38
begin = 17
end = 23

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_65]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_118]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[JC_105]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_140]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[JC_29]
file = "HOME/tests/java/Fresh.java"
line = 38
begin = 17
end = 23

[JC_144]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Object_safety]
name = "Constructor of class Object"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_68]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_96]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_43]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_95]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_93]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_97]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_84]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[JC_128]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_114]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_117]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_90]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_53]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_145]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_21]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_111]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_77]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_49]
file = "HOME/tests/java/Fresh.java"
line = 44
begin = 19
end = 28

[JC_1]
file = "HOME/tests/java/Fresh.jc"
line = 20
begin = 12
end = 22

[JC_131]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_102]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[JC_37]
kind = UserCall
file = "HOME/tests/java/Fresh.jc"
line = 66
begin = 25
end = 41

[JC_142]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_108]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[JC_57]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_146]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_89]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_136]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_66]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_59]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/tests/java/Fresh.jc"
line = 47
begin = 11
end = 65

[JC_3]
file = "HOME/tests/java/Fresh.jc"
line = 20
begin = 12
end = 22

[JC_92]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[JC_86]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[JC_60]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[JC_139]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_72]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_19]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_119]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Fresh_safety]
name = "Constructor of class Fresh"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_76]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[Fresh_test_ensures_default]
name = "Method test"
behavior = "default behavior"
file = "HOME/tests/java/Fresh.java"
line = 42
begin = 9
end = 13

[JC_50]
kind = UserCall
file = "HOME/tests/java/Fresh.java"
line = 43
begin = 18
end = 27

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_120]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_58]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_100]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/java/why/Fresh.why ==========
type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

logic Fresh_tag:  -> Object tag_id

axiom Fresh_parenttag_Object : parenttag(Fresh_tag, Object_tag)

predicate Non_null_Object(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), (0))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic integer_of_byte: byte -> int

logic byte_of_integer: int -> byte

axiom byte_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_byte(byte_of_integer(x)), x)))

axiom byte_extensionality :
 (forall x:byte.
  (forall y:byte[eq_int(integer_of_byte(x), integer_of_byte(y))].
   (eq_int(integer_of_byte(x), integer_of_byte(y)) -> (x = y))))

axiom byte_range :
 (forall x:byte.
  (le_int((-128), integer_of_byte(x)) and le_int(integer_of_byte(x), (127))))

logic integer_of_char: char -> int

logic char_of_integer: int -> char

axiom char_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (65535))) ->
   eq_int(integer_of_char(char_of_integer(x)), x)))

axiom char_extensionality :
 (forall x:char.
  (forall y:char[eq_int(integer_of_char(x), integer_of_char(y))].
   (eq_int(integer_of_char(x), integer_of_char(y)) -> (x = y))))

axiom char_range :
 (forall x:char.
  (le_int((0), integer_of_char(x)) and le_int(integer_of_char(x), (65535))))

predicate eq_byte(x:byte, y:byte) =
 eq_int(integer_of_byte(x), integer_of_byte(y))

predicate eq_char(x:char, y:char) =
 eq_int(integer_of_char(x), integer_of_char(y))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_long: long -> int

predicate eq_long(x:long, y:long) =
 eq_int(integer_of_long(x), integer_of_long(y))

logic integer_of_short: short -> int

predicate eq_short(x:short, y:short) =
 eq_int(integer_of_short(x), integer_of_short(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Fresh(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer: int -> long

axiom long_coerce :
 (forall x:int.
  ((le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807))) ->
   eq_int(integer_of_long(long_of_integer(x)), x)))

axiom long_extensionality :
 (forall x:long.
  (forall y:long[eq_int(integer_of_long(x), integer_of_long(y))].
   (eq_int(integer_of_long(x), integer_of_long(y)) -> (x = y))))

axiom long_range :
 (forall x:long.
  (le_int((-9223372036854775808), integer_of_long(x))
  and le_int(integer_of_long(x), (9223372036854775807))))

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Fresh(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer: int -> short

axiom short_coerce :
 (forall x:int.
  ((le_int((-32768), x) and le_int(x, (32767))) ->
   eq_int(integer_of_short(short_of_integer(x)), x)))

axiom short_extensionality :
 (forall x:short.
  (forall y:short[eq_int(integer_of_short(x), integer_of_short(y))].
   (eq_int(integer_of_short(x), integer_of_short(y)) -> (x = y))))

axiom short_range :
 (forall x:short.
  (le_int((-32768), integer_of_short(x))
  and le_int(integer_of_short(x), (32767))))

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Fresh(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Fresh(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

exception Exception_exc of Object pointer

parameter Object_alloc_table : Object alloc_table ref

parameter Object_tag_table : Object tag_table ref

parameter Fresh_create :
 tt:unit ->
  { } Object pointer reads Object_alloc_table
  writes Object_alloc_table,Object_tag_table
  { (JC_32: (not valid(Object_alloc_table@, result))) }

parameter Fresh_create_requires :
 tt:unit ->
  { } Object pointer reads Object_alloc_table
  writes Object_alloc_table,Object_tag_table
  { (JC_32: (not valid(Object_alloc_table@, result))) }

parameter Fresh_test :
 this_0:Object pointer ->
  { } unit reads Object_alloc_table
  writes Object_alloc_table,Object_tag_table { true }

parameter Fresh_test_requires :
 this_0:Object pointer ->
  { } unit reads Object_alloc_table
  writes Object_alloc_table,Object_tag_table { true }

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Object_clone :
 this_3:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_clone_requires :
 this_3:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_equals :
 this_6:Object pointer ->
  obj:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Object_equals_requires :
 this_6:Object pointer ->
  obj:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Object_finalize :
 this_12:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_finalize_requires :
 this_12:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_hashCode :
 this_5:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter Object_hashCode_requires :
 this_5:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter Object_notify :
 this_8:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notifyAll :
 this_4:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notifyAll_requires :
 this_4:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notify_requires :
 this_8:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_registerNatives : tt:unit -> { } unit { true }

parameter Object_registerNatives_requires : tt:unit -> { } unit { true }

parameter Object_toString :
 this_10:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_toString_requires :
 this_10:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_wait :
 this_7:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long :
 this_9:Object pointer ->
  timeout:long -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_int :
 this_11:Object pointer ->
  timeout_0:long -> nanos:int32 -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_int_requires :
 this_11:Object pointer ->
  timeout_0:long -> nanos:int32 -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_requires :
 this_9:Object pointer ->
  timeout:long -> { } unit reads Object_alloc_table { true }

parameter Object_wait_requires :
 this_7:Object pointer -> { } unit reads Object_alloc_table { true }

exception Return_label_exc of unit

exception Throwable_exc of Object pointer

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Fresh :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Fresh(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Fresh_tag)))) }

parameter alloc_struct_Fresh_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Fresh(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Fresh_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_byte : unit -> { } byte { true }

parameter any_char : unit -> { } char { true }

parameter any_int32 : unit -> { } int32 { true }

parameter any_long : unit -> { } long { true }

parameter any_short : unit -> { } short { true }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter byte_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} byte
  { eq_int(integer_of_byte(result), x) }

parameter char_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (65535)))} char
  { eq_int(integer_of_char(result), x) }

parameter cons_Fresh :
 this_2:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Fresh_requires :
 this_2:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Object :
 this_13:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Object_requires :
 this_13:Object pointer -> { } unit reads Object_alloc_table { true }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter long_of_integer_ :
 x:int ->
  { (le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807)))}
  long { eq_int(integer_of_long(result), x) }

parameter non_null_Object :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter non_null_Object_requires :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter safe_byte_of_integer_ :
 x:int -> { } byte { eq_int(integer_of_byte(result), x) }

parameter safe_char_of_integer_ :
 x:int -> { } char { eq_int(integer_of_char(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_long_of_integer_ :
 x:int -> { } long { eq_int(integer_of_long(result), x) }

parameter safe_short_of_integer_ :
 x:int -> { } short { eq_int(integer_of_short(result), x) }

parameter short_of_integer_ :
 x:int ->
  { (le_int((-32768), x) and le_int(x, (32767)))} short
  { eq_int(integer_of_short(result), x) }

let Fresh_create_ensures_default =
 fun (tt : unit) ->
  { (JC_30: true) }
  (init:
  (let return = ref (any_pointer void) in
  try
   begin
     (return := (let this =
                (JC_38:
                (((alloc_struct_Fresh (1)) Object_alloc_table) Object_tag_table)) in
                (let _tt =
                (let _jessie_ = this in (JC_39: (cons_Fresh _jessie_))) in
                this))); (raise Return); absurd  end with Return ->
   !return end)) { (JC_31: (not valid(Object_alloc_table@, result))) } 

let Fresh_create_safety =
 fun (tt : unit) ->
  { (JC_30: true) }
  (init:
  (let return = ref (any_pointer void) in
  try
   begin
     (return := (let this =
                (let _jessie_ =
                (JC_35:
                (((alloc_struct_Fresh_requires (1)) Object_alloc_table) Object_tag_table)) in
                (JC_36:
                (assert
                { ge_int(offset_max(Object_alloc_table, _jessie_), (0)) };
                _jessie_))) in
                (let _tt =
                (let _jessie_ = this in
                (JC_37: (cons_Fresh_requires _jessie_))) in this)));
    (raise Return); absurd  end with Return -> !return end)) { true } 

let Fresh_test_ensures_default =
 fun (this_0 : Object pointer) ->
  { valid_struct_Fresh(this_0, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let f = (K_4: (JC_50: (Fresh_create void))) in
     (K_3: (assert { (JC_51: (this_0 <> f)) }; void))); (raise Return) end
   with Return -> void end) { (JC_44: true) } 

let Fresh_test_safety =
 fun (this_0 : Object pointer) ->
  { valid_struct_Fresh(this_0, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let f = (K_4: (JC_48: (Fresh_create_requires void))) in
     (K_3: [ { } unit { (JC_49: (this_0 <> f)) } ])); (raise Return) end with
   Return -> void end) { true } 

let cons_Fresh_ensures_default =
 fun (this_2 : Object pointer) ->
  { valid_struct_Fresh(this_2, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_23: true) } 

let cons_Fresh_safety =
 fun (this_2 : Object pointer) ->
  { valid_struct_Fresh(this_2, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 

let cons_Object_ensures_default =
 fun (this_13 : Object pointer) ->
  { valid_struct_Object(this_13, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_128: true) } 

let cons_Object_safety =
 fun (this_13 : Object pointer) ->
  { valid_struct_Object(this_13, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 


why-2.39/tests/java/oracle/SimpleAlloc.err.oracle0000644000106100004300000000000013147234006020731 0ustar  marchevalswhy-2.39/tests/java/oracle/Muller.res.oracle0000644000106100004300000020115713147234006020006 0ustar  marchevals========== file tests/java/Muller.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@+ SeparationPolicy = Regions

/*@ axiomatic NumOfPos {
  @  logic integer num_of_pos{L}(integer i,integer j,int t[]);
  @  axiom num_of_pos_empty{L} :
  @   \forall integer i j, int t[];
  @    i >= j ==> num_of_pos(i,j,t) == 0;
  @  axiom num_of_pos_true_case{L} :
  @   \forall integer i j, int t[];
  @       i < j && t[j-1] > 0 ==>
  @         num_of_pos(i,j,t) == num_of_pos(i,j-1,t) + 1;
  @  axiom num_of_pos_false_case{L} :
  @   \forall integer i j, int t[];
  @       i < j && ! (t[j-1] > 0) ==>
  @         num_of_pos(i,j,t) == num_of_pos(i,j-1,t);
  @ }
  @*/


/*@ lemma num_of_pos_non_negative{L} :
  @   \forall integer i j, int t[]; 0 <= num_of_pos(i,j,t);
  @*/

/*@ lemma num_of_pos_additive{L} :
  @   \forall integer i j k, int t[]; i <= j <= k ==>
  @       num_of_pos(i,k,t) == num_of_pos(i,j,t) + num_of_pos(j,k,t);
  @*/

/*@ lemma num_of_pos_increasing{L} :
  @   \forall integer i j k, int t[];
  @       j <= k ==> num_of_pos(i,j,t) <= num_of_pos(i,k,t);
  @*/

/*@ lemma num_of_pos_strictly_increasing{L} :
  @   \forall integer i n, int t[];
  @       0 <= i < n && t[i] > 0 ==>
  @       num_of_pos(0,i,t) < num_of_pos(0,n,t);
  @*/

public class Muller {

    /*@ requires t != null;
      @*/
    public static int[] m(int t[]) {
	int count = 0;

	/*@ loop_invariant
	  @    0 <= i <= t.length &&
	  @    0 <= count <= i &&
	  @    count == num_of_pos(0,i,t) ;
	  @ loop_variant t.length - i;
	  @*/
	for (int i=0 ; i < t.length; i++) if (t[i] > 0) count++;

	int u[] = new int[count];
	count = 0;

	/*@ loop_invariant
	  @    0 <= i <= t.length &&
	  @    0 <= count <= i &&
	  @    count == num_of_pos(0,i,t);
	  @ loop_variant t.length - i;
	  @*/
	for (int i=0 ; i < t.length; i++) {
	    if (t[i] > 0) u[count++] = t[i];
	}
	return u;
    }

}

/*
Local Variables:
compile-command: "make Muller.why3ide"
End:
*/
========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function cons_Muller for constructor Muller
Generating JC function Muller_m for method Muller.m
Done.
========== file tests/java/Muller.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = None

type byte = -128..127

type short = -32768..32767

type int32 = -2147483648..2147483647

type long = -9223372036854775808..9223372036854775807

type char = 0..65535

predicate Non_null_intM{Here}(intM[0..] x) =
(\offset_max(x) >= -1)

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag Muller = Object with {
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

tag intM = Object with {
  int32 intP;
}

boolean non_null_intM(! intM[0..] x)
behavior default:
  assigns \nothing;
  ensures (if \result then (\offset_max(x) >= -1) else (x == null));
;

integer java_array_length_intM(! intM[0..-1] x)
behavior default:
  assigns \nothing;
  ensures ((\result <= 2147483647) &&
            ((\result >= 0) && (\result == (\offset_max(x) + 1))));
;

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

axiomatic NumOfPos {

  logic integer num_of_pos{L}(integer i, integer j, intM[0..] t)
   
  axiom num_of_pos_false_case{L} :
  (\forall integer i_2;
    (\forall integer j_2;
      (\forall intM[0..] t_2;
        (((i_2 < j_2) && (! ((t_2 + (j_2 - 1)).intP > 0))) ==>
          (num_of_pos{L}(i_2, j_2, t_2) ==
            num_of_pos{L}(i_2, (j_2 - 1), t_2))))))
   
  axiom num_of_pos_true_case{L} :
  (\forall integer i_1;
    (\forall integer j_1;
      (\forall intM[0..] t_1;
        (((i_1 < j_1) && ((t_1 + (j_1 - 1)).intP > 0)) ==>
          (num_of_pos{L}(i_1, j_1, t_1) ==
            (num_of_pos{L}(i_1, (j_1 - 1), t_1) + 1))))))
   
  axiom num_of_pos_empty{L} :
  (\forall integer i_0;
    (\forall integer j_0;
      (\forall intM[0..] t_0;
        ((i_0 >= j_0) ==> (num_of_pos{L}(i_0, j_0, t_0) == 0)))))
  
}

lemma num_of_pos_non_negative{L} :
(\forall integer i_3;
  (\forall integer j_3;
    (\forall intM[0..] t_3;
      (0 <= num_of_pos{L}(i_3, j_3, t_3)))))

lemma num_of_pos_additive{L} :
(\forall integer i_4;
  (\forall integer j_4;
    (\forall integer k;
      (\forall intM[0..] t_4;
        (((i_4 <= j_4) && (j_4 <= k)) ==>
          (num_of_pos{L}(i_4, k, t_4) ==
            (num_of_pos{L}(i_4, j_4, t_4) + num_of_pos{L}(j_4, k, t_4))))))))

lemma num_of_pos_increasing{L} :
(\forall integer i_5;
  (\forall integer j_5;
    (\forall integer k_0;
      (\forall intM[0..] t_5;
        ((j_5 <= k_0) ==>
          (num_of_pos{L}(i_5, j_5, t_5) <= num_of_pos{L}(i_5, k_0, t_5)))))))

lemma num_of_pos_strictly_increasing{L} :
(\forall integer i_6;
  (\forall integer n;
    (\forall intM[0..] t_6;
      ((((0 <= i_6) && (i_6 < n)) && ((t_6 + i_6).intP > 0)) ==>
        (num_of_pos{L}(0, i_6, t_6) < num_of_pos{L}(0, n, t_6))))))

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

unit cons_Muller(! Muller[0] this_0){()}

intM[0..] Muller_m(intM[0..] t_7)
  requires (K_1 : Non_null_intM(t_7));
{  
   {  
      (var int32 count = (K_39 : 0));
      
      {  
         {  
            {  
               (var int32 i_7 = (K_2 : 0));
               
               loop 
               behavior default:
                 invariant (K_11 : ((K_10 : ((K_9 : ((K_8 : (0 <= i_7)) &&
                                                      (K_7 : (i_7 <=
                                                               (\offset_max(t_7) +
                                                                 1))))) &&
                                              (K_6 : ((K_5 : (0 <= count)) &&
                                                       (K_4 : (count <= i_7)))))) &&
                                     (K_3 : (count ==
                                              num_of_pos{Here}(0, i_7, t_7)))));
               
               variant (K_12 : ((\offset_max(t_7) + 1) - i_7));
               for ( ; (K_18 : (i_7 < (K_17 : java_array_length_intM(t_7)))) ; 
               (K_16 : (i_7 ++)))
               {  (if (K_15 : ((K_14 : (t_7 + i_7).intP) > 0)) then (K_13 : 
                                                                    (count ++)) else ())
               }
            }
         };
         
         {  
            (var intM[0..] u = (K_38 : (new intM[count])));
            
            {  (count = 0);
               
               {  
                  {  
                     (var int32 i_8 = (K_19 : 0));
                     
                     loop 
                     behavior default:
                       invariant (K_28 : ((K_27 : ((K_26 : ((K_25 : (0 <=
                                                                    i_8)) &&
                                                             (K_24 : 
                                                             (i_8 <=
                                                               (\offset_max(t_7) +
                                                                 1))))) &&
                                                    (K_23 : ((K_22 : 
                                                             (0 <=
                                                               count)) &&
                                                              (K_21 : 
                                                              (count <=
                                                                i_8)))))) &&
                                           (K_20 : (count ==
                                                     num_of_pos{Here}(
                                                     0, i_8, t_7)))));
                     
                     variant (K_29 : ((\offset_max(t_7) + 1) - i_8));
                     for ( ; (K_37 : (i_8 <
                                       (K_36 : java_array_length_intM(t_7)))) ; 
                     (K_35 : (i_8 ++)))
                     {  (if (K_34 : ((K_33 : (t_7 + i_8).intP) > 0)) then 
                        (K_32 : ((u + (K_30 : (count ++))).intP = (K_31 : 
                                                                  (t_7 +
                                                                    i_8).intP))) else ())
                     }
                  }
               };
               
               (return u)
            }
         }
      }
   }
}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/Muller.jloc tests/java/Muller.jc && make -f tests/java/Muller.makefile gui"
End:
*/
========== file tests/java/Muller.jloc ==========
[K_30]
file = "HOME/tests/java/Muller.java"
line = 96
begin = 21
end = 28

[K_23]
file = "HOME/tests/java/Muller.java"
line = 91
begin = 8
end = 23

[K_33]
file = "HOME/tests/java/Muller.java"
line = 96
begin = 9
end = 13

[K_17]
file = "HOME/tests/java/Muller.java"
line = 84
begin = 20
end = 28

[K_11]
file = "HOME/tests/java/Muller.java"
line = 79
begin = 8
end = 91

[K_38]
file = "HOME/tests/java/Muller.java"
line = 86
begin = 11
end = 25

[K_25]
file = "HOME/tests/java/Muller.java"
line = 90
begin = 8
end = 14

[K_13]
file = "HOME/tests/java/Muller.java"
line = 84
begin = 49
end = 56

[num_of_pos_non_negative]
name = "Lemma num_of_pos_non_negative"
file = "HOME/tests/java/Muller.java"
line = 51
begin = 10
end = 33

[K_9]
file = "HOME/tests/java/Muller.java"
line = 79
begin = 8
end = 26

[K_28]
file = "HOME/tests/java/Muller.java"
line = 90
begin = 8
end = 91

[K_1]
file = "HOME/tests/java/Muller.java"
line = 73
begin = 17
end = 26

[K_15]
file = "HOME/tests/java/Muller.java"
line = 84
begin = 39
end = 47

[K_4]
file = "HOME/tests/java/Muller.java"
line = 80
begin = 13
end = 23

[K_12]
file = "HOME/tests/java/Muller.java"
line = 82
begin = 18
end = 30

[K_34]
file = "HOME/tests/java/Muller.java"
line = 96
begin = 9
end = 17

[K_20]
file = "HOME/tests/java/Muller.java"
line = 92
begin = 8
end = 34

[cons_Muller]
name = "Constructor of class Muller"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_2]
file = "HOME/tests/java/Muller.java"
line = 84
begin = 12
end = 13

[K_29]
file = "HOME/tests/java/Muller.java"
line = 93
begin = 18
end = 30

[num_of_pos_false_case]
name = "Lemma num_of_pos_false_case"
file = "HOME/"
line = 0
begin = 0
end = 0

[K_10]
file = "HOME/tests/java/Muller.java"
line = 79
begin = 8
end = 53

[K_35]
file = "HOME/tests/java/Muller.java"
line = 95
begin = 30
end = 33

[K_6]
file = "HOME/tests/java/Muller.java"
line = 80
begin = 8
end = 23

[K_8]
file = "HOME/tests/java/Muller.java"
line = 79
begin = 8
end = 14

[num_of_pos_increasing]
name = "Lemma num_of_pos_increasing"
file = "HOME/tests/java/Muller.java"
line = 60
begin = 10
end = 31

[K_3]
file = "HOME/tests/java/Muller.java"
line = 81
begin = 8
end = 34

[num_of_pos_true_case]
name = "Lemma num_of_pos_true_case"
file = "HOME/"
line = 0
begin = 0
end = 0

[K_31]
file = "HOME/tests/java/Muller.java"
line = 96
begin = 32
end = 36

[K_32]
file = "HOME/tests/java/Muller.java"
line = 96
begin = 19
end = 36

[K_27]
file = "HOME/tests/java/Muller.java"
line = 90
begin = 8
end = 53

[K_21]
file = "HOME/tests/java/Muller.java"
line = 91
begin = 13
end = 23

[num_of_pos_strictly_increasing]
name = "Lemma num_of_pos_strictly_increasing"
file = "HOME/tests/java/Muller.java"
line = 65
begin = 10
end = 40

[K_24]
file = "HOME/tests/java/Muller.java"
line = 90
begin = 13
end = 26

[K_14]
file = "HOME/tests/java/Muller.java"
line = 84
begin = 39
end = 43

[num_of_pos_additive]
name = "Lemma num_of_pos_additive"
file = "HOME/tests/java/Muller.java"
line = 55
begin = 10
end = 29

[K_39]
file = "HOME/tests/java/Muller.java"
line = 76
begin = 13
end = 14

[K_36]
file = "HOME/tests/java/Muller.java"
line = 95
begin = 20
end = 28

[Muller_m]
name = "Method m"
file = "HOME/tests/java/Muller.java"
line = 75
begin = 24
end = 25

[K_37]
file = "HOME/tests/java/Muller.java"
line = 95
begin = 16
end = 28

[num_of_pos_empty]
name = "Lemma num_of_pos_empty"
file = "HOME/"
line = 0
begin = 0
end = 0

[K_19]
file = "HOME/tests/java/Muller.java"
line = 95
begin = 12
end = 13

[K_5]
file = "HOME/tests/java/Muller.java"
line = 80
begin = 8
end = 18

[K_18]
file = "HOME/tests/java/Muller.java"
line = 84
begin = 16
end = 28

[K_7]
file = "HOME/tests/java/Muller.java"
line = 79
begin = 13
end = 26

[K_26]
file = "HOME/tests/java/Muller.java"
line = 90
begin = 8
end = 26

[K_22]
file = "HOME/tests/java/Muller.java"
line = 91
begin = 8
end = 18

[K_16]
file = "HOME/tests/java/Muller.java"
line = 84
begin = 30
end = 33

========== jessie execution ==========
Generating Why function cons_Muller
Generating Why function Muller_m
========== file tests/java/Muller.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/Muller_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: Muller.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: Muller.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: Muller.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/java/Muller.loc ==========
[JC_94]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_73]
file = "HOME/tests/java/Muller.java"
line = 91
begin = 8
end = 18

[cons_Muller_ensures_default]
name = "Constructor of class Muller"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_63]
file = "HOME/tests/java/Muller.jc"
line = 145
begin = 15
end = 1030

[JC_80]
kind = UserCall
file = "HOME/tests/java/Muller.java"
line = 95
begin = 20
end = 28

[JC_51]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_71]
file = "HOME/tests/java/Muller.java"
line = 90
begin = 8
end = 14

[JC_45]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_106]
file = "HOME/tests/java/Muller.jc"
line = 174
begin = 21
end = 1740

[JC_64]
kind = UserCall
file = "HOME/tests/java/Muller.java"
line = 84
begin = 20
end = 28

[num_of_pos_non_negative]
name = "Lemma num_of_pos_non_negative"
behavior = "lemma"
file = "HOME/tests/java/Muller.java"
line = 51
begin = 10
end = 33

[JC_99]
file = "HOME/tests/java/Muller.java"
line = 90
begin = 8
end = 14

[JC_85]
kind = PointerDeref
file = "HOME/tests/java/Muller.java"
line = 96
begin = 19
end = 36

[Muller_m_ensures_default]
name = "Method m"
behavior = "default behavior"
file = "HOME/tests/java/Muller.java"
line = 75
begin = 24
end = 25

[JC_31]
file = "HOME/tests/java/Muller.jc"
line = 65
begin = 8
end = 23

[JC_17]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_81]
kind = IndexBounds
file = "HOME/tests/java/Muller.java"
line = 95
begin = 20
end = 28

[JC_55]
file = "HOME/tests/java/Muller.java"
line = 79
begin = 8
end = 14

[JC_48]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_23]
file = "HOME/tests/java/Muller.jc"
line = 61
begin = 11
end = 103

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_67]
kind = ArithOverflow
file = "HOME/tests/java/Muller.jc"
line = 160
begin = 69
end = 77

[JC_9]
file = "HOME/tests/java/Muller.jc"
line = 52
begin = 8
end = 21

[JC_75]
file = "HOME/tests/java/Muller.java"
line = 92
begin = 8
end = 34

[JC_24]
file = "HOME/tests/java/Muller.jc"
line = 60
begin = 10
end = 18

[JC_25]
file = "HOME/tests/java/Muller.jc"
line = 61
begin = 11
end = 103

[JC_78]
file = "HOME/tests/java/Muller.jc"
line = 174
begin = 21
end = 1740

[JC_41]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_74]
file = "HOME/tests/java/Muller.java"
line = 91
begin = 13
end = 23

[JC_47]
file = "HOME/tests/java/Muller.java"
line = 73
begin = 17
end = 26

[JC_52]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_26]
file = "HOME/tests/java/Muller.jc"
line = 60
begin = 10
end = 18

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_79]
file = "HOME/tests/java/Muller.jc"
line = 174
begin = 21
end = 1740

[JC_13]
file = "HOME/tests/java/Muller.jc"
line = 55
begin = 11
end = 66

[JC_82]
kind = PointerDeref
file = "HOME/tests/java/Muller.java"
line = 96
begin = 9
end = 13

[JC_87]
file = "HOME/tests/java/Muller.java"
line = 93
begin = 18
end = 30

[JC_11]
file = "HOME/tests/java/Muller.jc"
line = 52
begin = 8
end = 21

[JC_98]
kind = AllocSize
file = "HOME/tests/java/Muller.java"
line = 86
begin = 11
end = 25

[JC_70]
kind = AllocSize
file = "HOME/tests/java/Muller.java"
line = 86
begin = 11
end = 25

[JC_15]
file = "HOME/tests/java/Muller.jc"
line = 55
begin = 11
end = 66

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_104]
file = "HOME/tests/java/Muller.java"
line = 90
begin = 8
end = 91

[JC_91]
file = "HOME/tests/java/Muller.java"
line = 80
begin = 13
end = 23

[JC_39]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_83]
kind = PointerDeref
file = "HOME/tests/java/Muller.java"
line = 96
begin = 32
end = 36

[JC_35]
file = "HOME/"
line = 0
begin = -1
end = -1

[num_of_pos_false_case]
name = "Lemma num_of_pos_false_case"
behavior = "axiom"
file = "HOME/"
line = 0
begin = 0
end = 0

[JC_27]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_107]
file = "HOME/tests/java/Muller.jc"
line = 174
begin = 21
end = 1740

[JC_69]
file = "HOME/tests/java/Muller.java"
line = 82
begin = 18
end = 30

[JC_38]
file = "HOME/tests/java/Muller.jc"
line = 67
begin = 11
end = 65

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[num_of_pos_increasing]
name = "Lemma num_of_pos_increasing"
behavior = "lemma"
file = "HOME/tests/java/Muller.java"
line = 60
begin = 10
end = 31

[JC_44]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[num_of_pos_true_case]
name = "Lemma num_of_pos_true_case"
behavior = "axiom"
file = "HOME/"
line = 0
begin = 0
end = 0

[JC_62]
file = "HOME/tests/java/Muller.jc"
line = 145
begin = 15
end = 1030

[JC_101]
file = "HOME/tests/java/Muller.java"
line = 91
begin = 8
end = 18

[JC_88]
file = "HOME/tests/java/Muller.java"
line = 79
begin = 8
end = 14

[JC_42]
file = "HOME/"
line = 0
begin = -1
end = -1

[Muller_m_safety]
name = "Method m"
behavior = "Safety"
file = "HOME/tests/java/Muller.java"
line = 75
begin = 24
end = 25

[JC_103]
file = "HOME/tests/java/Muller.java"
line = 92
begin = 8
end = 34

[JC_46]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_61]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_56]
file = "HOME/tests/java/Muller.java"
line = 79
begin = 13
end = 26

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_65]
kind = IndexBounds
file = "HOME/tests/java/Muller.java"
line = 84
begin = 20
end = 28

[num_of_pos_strictly_increasing]
name = "Lemma num_of_pos_strictly_increasing"
behavior = "lemma"
file = "HOME/tests/java/Muller.java"
line = 65
begin = 10
end = 40

[JC_105]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_29]
file = "HOME/tests/java/Muller.jc"
line = 65
begin = 8
end = 23

[JC_68]
kind = ArithOverflow
file = "HOME/tests/java/Muller.jc"
line = 158
begin = 24
end = 30

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[num_of_pos_additive]
name = "Lemma num_of_pos_additive"
behavior = "lemma"
file = "HOME/tests/java/Muller.java"
line = 55
begin = 10
end = 29

[JC_16]
file = "HOME/tests/java/Muller.jc"
line = 54
begin = 10
end = 18

[JC_96]
file = "HOME/tests/java/Muller.jc"
line = 145
begin = 15
end = 1030

[cons_Muller_safety]
name = "Constructor of class Muller"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_43]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_95]
file = "HOME/tests/java/Muller.jc"
line = 145
begin = 15
end = 1030

[JC_93]
file = "HOME/tests/java/Muller.java"
line = 79
begin = 8
end = 91

[JC_97]
kind = UserCall
file = "HOME/tests/java/Muller.java"
line = 84
begin = 20
end = 28

[JC_84]
kind = ArithOverflow
file = "HOME/tests/java/Muller.jc"
line = 197
begin = 47
end = 55

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/tests/java/Muller.jc"
line = 54
begin = 10
end = 18

[JC_90]
file = "HOME/tests/java/Muller.java"
line = 80
begin = 8
end = 18

[JC_53]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_21]
file = "HOME/tests/java/Muller.jc"
line = 58
begin = 8
end = 30

[JC_77]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_49]
file = "HOME/tests/java/Muller.java"
line = 73
begin = 17
end = 26

[JC_1]
file = "HOME/tests/java/Muller.jc"
line = 23
begin = 12
end = 22

[num_of_pos_empty]
name = "Lemma num_of_pos_empty"
behavior = "axiom"
file = "HOME/"
line = 0
begin = 0
end = 0

[JC_102]
file = "HOME/tests/java/Muller.java"
line = 91
begin = 13
end = 23

[JC_37]
file = "HOME/tests/java/Muller.jc"
line = 67
begin = 11
end = 65

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_108]
kind = UserCall
file = "HOME/tests/java/Muller.java"
line = 95
begin = 20
end = 28

[JC_57]
file = "HOME/tests/java/Muller.java"
line = 80
begin = 8
end = 18

[JC_89]
file = "HOME/tests/java/Muller.java"
line = 79
begin = 13
end = 26

[JC_66]
kind = PointerDeref
file = "HOME/tests/java/Muller.java"
line = 84
begin = 39
end = 43

[JC_59]
file = "HOME/tests/java/Muller.java"
line = 81
begin = 8
end = 34

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_3]
file = "HOME/tests/java/Muller.jc"
line = 23
begin = 12
end = 22

[JC_92]
file = "HOME/tests/java/Muller.java"
line = 81
begin = 8
end = 34

[JC_86]
kind = ArithOverflow
file = "HOME/tests/java/Muller.jc"
line = 195
begin = 30
end = 36

[JC_60]
file = "HOME/tests/java/Muller.java"
line = 79
begin = 8
end = 91

[JC_72]
file = "HOME/tests/java/Muller.java"
line = 90
begin = 13
end = 26

[JC_19]
file = "HOME/tests/java/Muller.jc"
line = 58
begin = 8
end = 30

[JC_76]
file = "HOME/tests/java/Muller.java"
line = 90
begin = 8
end = 91

[JC_50]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_58]
file = "HOME/tests/java/Muller.java"
line = 80
begin = 13
end = 23

[JC_100]
file = "HOME/tests/java/Muller.java"
line = 90
begin = 13
end = 26

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/java/why/Muller.why ==========
type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

logic Muller_tag:  -> Object tag_id

axiom Muller_parenttag_Object : parenttag(Muller_tag, Object_tag)

predicate Non_null_Object(x_1:Object pointer,
 Object_x_2_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_x_2_alloc_table, x_1), (0))

predicate Non_null_intM(x_0:Object pointer,
 Object_x_1_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_x_1_alloc_table, x_0), neg_int((1)))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic integer_of_byte: byte -> int

logic byte_of_integer: int -> byte

axiom byte_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_byte(byte_of_integer(x)), x)))

axiom byte_extensionality :
 (forall x:byte.
  (forall y:byte[eq_int(integer_of_byte(x), integer_of_byte(y))].
   (eq_int(integer_of_byte(x), integer_of_byte(y)) -> (x = y))))

axiom byte_range :
 (forall x:byte.
  (le_int((-128), integer_of_byte(x)) and le_int(integer_of_byte(x), (127))))

logic integer_of_char: char -> int

logic char_of_integer: int -> char

axiom char_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (65535))) ->
   eq_int(integer_of_char(char_of_integer(x)), x)))

axiom char_extensionality :
 (forall x:char.
  (forall y:char[eq_int(integer_of_char(x), integer_of_char(y))].
   (eq_int(integer_of_char(x), integer_of_char(y)) -> (x = y))))

axiom char_range :
 (forall x:char.
  (le_int((0), integer_of_char(x)) and le_int(integer_of_char(x), (65535))))

predicate eq_byte(x:byte, y:byte) =
 eq_int(integer_of_byte(x), integer_of_byte(y))

predicate eq_char(x:char, y:char) =
 eq_int(integer_of_char(x), integer_of_char(y))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_long: long -> int

predicate eq_long(x:long, y:long) =
 eq_int(integer_of_long(x), integer_of_long(y))

logic integer_of_short: short -> int

predicate eq_short(x:short, y:short) =
 eq_int(integer_of_short(x), integer_of_short(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic intM_tag:  -> Object tag_id

axiom intM_parenttag_Object : parenttag(intM_tag, Object_tag)

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Muller(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_intM(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer: int -> long

axiom long_coerce :
 (forall x:int.
  ((le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807))) ->
   eq_int(integer_of_long(long_of_integer(x)), x)))

axiom long_extensionality :
 (forall x:long.
  (forall y:long[eq_int(integer_of_long(x), integer_of_long(y))].
   (eq_int(integer_of_long(x), integer_of_long(y)) -> (x = y))))

axiom long_range :
 (forall x:long.
  (le_int((-9223372036854775808), integer_of_long(x))
  and le_int(integer_of_long(x), (9223372036854775807))))

logic num_of_pos: int, int, Object pointer, (Object, int32) memory -> int

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Muller(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_intM(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer: int -> short

axiom short_coerce :
 (forall x:int.
  ((le_int((-32768), x) and le_int(x, (32767))) ->
   eq_int(integer_of_short(short_of_integer(x)), x)))

axiom short_extensionality :
 (forall x:short.
  (forall y:short[eq_int(integer_of_short(x), integer_of_short(y))].
   (eq_int(integer_of_short(x), integer_of_short(y)) -> (x = y))))

axiom short_range :
 (forall x:short.
  (le_int((-32768), integer_of_short(x))
  and le_int(integer_of_short(x), (32767))))

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Muller(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_intM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Muller(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_intM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

axiom num_of_pos_false_case :
 (forall intM_intP_t_8_at_L:(Object, int32) memory.
  (forall i_2:int.
   (forall j_2:int.
    (forall t_2:Object pointer.
     ((lt_int(i_2, j_2)
      and (not gt_int(integer_of_int32(select(intM_intP_t_8_at_L,
                                       shift(t_2, sub_int(j_2, (1))))),
               (0)))) ->
      (num_of_pos(i_2, j_2, t_2, intM_intP_t_8_at_L) = num_of_pos(i_2,
                                                       sub_int(j_2, (1)),
                                                       t_2,
                                                       intM_intP_t_8_at_L)))))))

axiom num_of_pos_true_case :
 (forall intM_intP_t_8_at_L:(Object, int32) memory.
  (forall i_1:int.
   (forall j_1:int.
    (forall t_1:Object pointer.
     ((lt_int(i_1, j_1)
      and gt_int(integer_of_int32(select(intM_intP_t_8_at_L,
                                  shift(t_1, sub_int(j_1, (1))))),
          (0))) ->
      (num_of_pos(i_1, j_1, t_1, intM_intP_t_8_at_L) = add_int(num_of_pos(i_1,
                                                               sub_int(j_1,
                                                               (1)), t_1,
                                                               intM_intP_t_8_at_L),
                                                       (1))))))))

axiom num_of_pos_empty :
 (forall intM_intP_t_8_at_L:(Object, int32) memory.
  (forall i_0:int.
   (forall j_0:int.
    (forall t_0:Object pointer.
     (ge_int(i_0, j_0) ->
      (num_of_pos(i_0, j_0, t_0, intM_intP_t_8_at_L) = (0)))))))

lemma num_of_pos_non_negative :
 (forall intM_intP_t_3_18_at_L:(Object, int32) memory.
  (forall i_3:int.
   (forall j_3:int.
    (forall t_3:Object pointer.
     le_int((0), num_of_pos(i_3, j_3, t_3, intM_intP_t_3_18_at_L))))))

lemma num_of_pos_additive :
 (forall intM_intP_t_4_19_at_L:(Object, int32) memory.
  (forall i_4:int.
   (forall j_4:int.
    (forall k:int.
     (forall t_4:Object pointer.
      ((le_int(i_4, j_4) and le_int(j_4, k)) ->
       (num_of_pos(i_4, k, t_4, intM_intP_t_4_19_at_L) = add_int(num_of_pos(i_4,
                                                                 j_4, t_4,
                                                                 intM_intP_t_4_19_at_L),
                                                         num_of_pos(j_4, k,
                                                         t_4,
                                                         intM_intP_t_4_19_at_L)))))))))

lemma num_of_pos_increasing :
 (forall intM_intP_t_5_20_at_L:(Object, int32) memory.
  (forall i_5:int.
   (forall j_5:int.
    (forall k_0:int.
     (forall t_5:Object pointer.
      (le_int(j_5, k_0) ->
       le_int(num_of_pos(i_5, j_5, t_5, intM_intP_t_5_20_at_L),
       num_of_pos(i_5, k_0, t_5, intM_intP_t_5_20_at_L))))))))

lemma num_of_pos_strictly_increasing :
 (forall intM_intP_t_6_21_at_L:(Object, int32) memory.
  (forall i_6:int.
   (forall n:int.
    (forall t_6:Object pointer.
     ((le_int((0), i_6)
      and (lt_int(i_6, n)
          and gt_int(integer_of_int32(select(intM_intP_t_6_21_at_L,
                                      shift(t_6, i_6))),
              (0)))) ->
      lt_int(num_of_pos((0), i_6, t_6, intM_intP_t_6_21_at_L),
      num_of_pos((0), n, t_6, intM_intP_t_6_21_at_L)))))))

exception Exception_exc of Object pointer

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Muller_m :
 t_7:Object pointer ->
  Object_Muller_m_12_alloc_table:Object alloc_table ref ->
   Object_Muller_m_12_tag_table:Object tag_table ref ->
    intM_intP_Muller_m_12:(Object, int32) memory ref ->
     Object_t_7_10_alloc_table:Object alloc_table ->
      intM_intP_t_7_10:(Object, int32) memory ->
       { } Object pointer reads Object_Muller_m_12_alloc_table
       writes Object_Muller_m_12_alloc_table,Object_Muller_m_12_tag_table,intM_intP_Muller_m_12
       { true }

parameter Muller_m_requires :
 t_7:Object pointer ->
  Object_Muller_m_12_alloc_table:Object alloc_table ref ->
   Object_Muller_m_12_tag_table:Object tag_table ref ->
    intM_intP_Muller_m_12:(Object, int32) memory ref ->
     Object_t_7_10_alloc_table:Object alloc_table ->
      intM_intP_t_7_10:(Object, int32) memory ->
       { (JC_47: Non_null_intM(t_7, Object_t_7_10_alloc_table))}
       Object pointer reads Object_Muller_m_12_alloc_table
       writes Object_Muller_m_12_alloc_table,Object_Muller_m_12_tag_table,intM_intP_Muller_m_12
       { true }

parameter Object_alloc_table : Object alloc_table ref

parameter Object_tag_table : Object tag_table ref

exception Return_label_exc of unit

exception Throwable_exc of Object pointer

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Muller :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Muller(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Muller_tag)))) }

parameter alloc_struct_Muller_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Muller(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Muller_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_intM :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_intM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, intM_tag)))) }

parameter alloc_struct_intM_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_intM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, intM_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_byte : unit -> { } byte { true }

parameter any_char : unit -> { } char { true }

parameter any_int32 : unit -> { } int32 { true }

parameter any_long : unit -> { } long { true }

parameter any_short : unit -> { } short { true }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter byte_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} byte
  { eq_int(integer_of_byte(result), x) }

parameter char_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (65535)))} char
  { eq_int(integer_of_char(result), x) }

parameter cons_Muller :
 this_0:Object pointer ->
  Object_this_0_9_alloc_table:Object alloc_table -> { } unit { true }

parameter cons_Muller_requires :
 this_0:Object pointer ->
  Object_this_0_9_alloc_table:Object alloc_table -> { } unit { true }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter java_array_length_intM :
 x_3:Object pointer ->
  Object_x_6_alloc_table:Object alloc_table ->
   { } int
   { (JC_25:
     (le_int(result, (2147483647))
     and (ge_int(result, (0))
         and (result = add_int(offset_max(Object_x_6_alloc_table, x_3), (1)))))) }

parameter java_array_length_intM_requires :
 x_3:Object pointer ->
  Object_x_6_alloc_table:Object alloc_table ->
   { } int
   { (JC_25:
     (le_int(result, (2147483647))
     and (ge_int(result, (0))
         and (result = add_int(offset_max(Object_x_6_alloc_table, x_3), (1)))))) }

parameter long_of_integer_ :
 x:int ->
  { (le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807)))}
  long { eq_int(integer_of_long(result), x) }

parameter non_null_Object :
 x_4:Object pointer ->
  Object_x_7_alloc_table:Object alloc_table ->
   { } bool
   { (JC_38:
     (if result then (offset_max(Object_x_7_alloc_table, x_4) = (0))
      else (x_4 = null))) }

parameter non_null_Object_requires :
 x_4:Object pointer ->
  Object_x_7_alloc_table:Object alloc_table ->
   { } bool
   { (JC_38:
     (if result then (offset_max(Object_x_7_alloc_table, x_4) = (0))
      else (x_4 = null))) }

parameter non_null_intM :
 x_2:Object pointer ->
  Object_x_5_alloc_table:Object alloc_table ->
   { } bool
   { (JC_15:
     (if result
      then ge_int(offset_max(Object_x_5_alloc_table, x_2), neg_int((1)))
      else (x_2 = null))) }

parameter non_null_intM_requires :
 x_2:Object pointer ->
  Object_x_5_alloc_table:Object alloc_table ->
   { } bool
   { (JC_15:
     (if result
      then ge_int(offset_max(Object_x_5_alloc_table, x_2), neg_int((1)))
      else (x_2 = null))) }

parameter safe_byte_of_integer_ :
 x:int -> { } byte { eq_int(integer_of_byte(result), x) }

parameter safe_char_of_integer_ :
 x:int -> { } char { eq_int(integer_of_char(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_long_of_integer_ :
 x:int -> { } long { eq_int(integer_of_long(result), x) }

parameter safe_short_of_integer_ :
 x:int -> { } short { eq_int(integer_of_short(result), x) }

parameter short_of_integer_ :
 x:int ->
  { (le_int((-32768), x) and le_int(x, (32767)))} short
  { eq_int(integer_of_short(result), x) }

let Muller_m_ensures_default =
 fun (t_7 : Object pointer) (Object_Muller_m_12_alloc_table : Object alloc_table ref) (Object_Muller_m_12_tag_table : Object tag_table ref) (intM_intP_Muller_m_12 : (Object, int32) memory ref) (Object_t_7_10_alloc_table : Object alloc_table) (intM_intP_t_7_10 : (Object, int32) memory) ->
  { (left_valid_struct_intM(t_7, (0), Object_t_7_10_alloc_table)
    and (JC_49: Non_null_intM(t_7, Object_t_7_10_alloc_table))) }
  (init:
  (let return = ref (any_pointer void) in
  try
   begin
     (let count = ref (safe_int32_of_integer_ (K_39: (0))) in
     begin
       (let i_7 = ref (safe_int32_of_integer_ (K_2: (0))) in
       try
        (loop_3:
        while true do
        { invariant
            (JC_93:
            ((JC_88: le_int((0), integer_of_int32(i_7)))
            and ((JC_89:
                 le_int(integer_of_int32(i_7),
                 add_int(offset_max(Object_t_7_10_alloc_table, t_7), (1))))
                and ((JC_90: le_int((0), integer_of_int32(count)))
                    and ((JC_91:
                         le_int(integer_of_int32(count),
                         integer_of_int32(i_7)))
                        and (JC_92:
                            (integer_of_int32(count) = num_of_pos((0),
                                                       integer_of_int32(i_7),
                                                       t_7, intM_intP_t_7_10))))))))
           }
         begin
           [ { } unit { true } ];
          try
           begin
             (if (K_18:
                 ((lt_int_ (integer_of_int32 !i_7)) (K_17:
                                                    (let _jessie_ = t_7 in
                                                    (JC_97:
                                                    ((java_array_length_intM _jessie_) Object_t_7_10_alloc_table))))))
             then
              (if (K_15:
                  ((gt_int_ (integer_of_int32 (K_14:
                                              ((safe_acc_ intM_intP_t_7_10) 
                                               ((shift t_7) (integer_of_int32 !i_7)))))) (0)))
              then
               (let _jessie_ =
               (K_13:
               (let _jessie_ = !count in
               begin
                 (let _jessie_ =
                 (count := (safe_int32_of_integer_ ((add_int (integer_of_int32 _jessie_)) (1)))) in
                 void); _jessie_ end)) in void) else void)
             else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ ->
           (let _jessie_ =
           (K_16:
           (let _jessie_ = !i_7 in
           begin
             (let _jessie_ =
             (i_7 := (safe_int32_of_integer_ ((add_int (integer_of_int32 _jessie_)) (1)))) in
             void); _jessie_ end)) in void) end end done) with
        Loop_exit_exc _jessie_ -> void end);
      (let u =
      (K_38:
      (JC_98:
      (((alloc_struct_intM (integer_of_int32 !count)) Object_Muller_m_12_alloc_table) Object_Muller_m_12_tag_table))) in
      begin
        (let _jessie_ = (count := (safe_int32_of_integer_ (0))) in void);
       (let i_8 = ref (safe_int32_of_integer_ (K_19: (0))) in
       try
        (loop_4:
        while true do
        { invariant
            (JC_104:
            ((JC_99: le_int((0), integer_of_int32(i_8)))
            and ((JC_100:
                 le_int(integer_of_int32(i_8),
                 add_int(offset_max(Object_t_7_10_alloc_table, t_7), (1))))
                and ((JC_101: le_int((0), integer_of_int32(count)))
                    and ((JC_102:
                         le_int(integer_of_int32(count),
                         integer_of_int32(i_8)))
                        and (JC_103:
                            (integer_of_int32(count) = num_of_pos((0),
                                                       integer_of_int32(i_8),
                                                       t_7, intM_intP_t_7_10))))))))
           }
         begin
           [ { } unit { true } ];
          try
           begin
             (if (K_37:
                 ((lt_int_ (integer_of_int32 !i_8)) (K_36:
                                                    (let _jessie_ = t_7 in
                                                    (JC_108:
                                                    ((java_array_length_intM _jessie_) Object_t_7_10_alloc_table))))))
             then
              (if (K_34:
                  ((gt_int_ (integer_of_int32 (K_33:
                                              ((safe_acc_ intM_intP_t_7_10) 
                                               ((shift t_7) (integer_of_int32 !i_8)))))) (0)))
              then
               (let _jessie_ =
               (K_32:
               (let _jessie_ =
               (K_31:
               ((safe_acc_ intM_intP_t_7_10) ((shift t_7) (integer_of_int32 !i_8)))) in
               (let _jessie_ = u in
               (let _jessie_ =
               (integer_of_int32 (K_30:
                                 (let _jessie_ = !count in
                                 begin
                                   (let _jessie_ =
                                   (count := (safe_int32_of_integer_ 
                                              ((add_int (integer_of_int32 _jessie_)) (1)))) in
                                   void); _jessie_ end))) in
               (let _jessie_ = ((shift _jessie_) _jessie_) in
               (((safe_upd_ intM_intP_Muller_m_12) _jessie_) _jessie_)))))) in
               void) else void) else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ ->
           (let _jessie_ =
           (K_35:
           (let _jessie_ = !i_8 in
           begin
             (let _jessie_ =
             (i_8 := (safe_int32_of_integer_ ((add_int (integer_of_int32 _jessie_)) (1)))) in
             void); _jessie_ end)) in void) end end done) with
        Loop_exit_exc _jessie_ -> void end); (return := u); (raise Return)
      end) end); absurd  end with Return -> !return end)) { (JC_51: true) } 

let Muller_m_safety =
 fun (t_7 : Object pointer) (Object_Muller_m_12_alloc_table : Object alloc_table ref) (Object_Muller_m_12_tag_table : Object tag_table ref) (intM_intP_Muller_m_12 : (Object, int32) memory ref) (Object_t_7_10_alloc_table : Object alloc_table) (intM_intP_t_7_10 : (Object, int32) memory) ->
  { (left_valid_struct_intM(t_7, (0), Object_t_7_10_alloc_table)
    and (JC_49: Non_null_intM(t_7, Object_t_7_10_alloc_table))) }
  (init:
  (let return = ref (any_pointer void) in
  try
   begin
     (let count = ref (safe_int32_of_integer_ (K_39: (0))) in
     begin
       (let i_7 = ref (safe_int32_of_integer_ (K_2: (0))) in
       try
        (loop_1:
        while true do
        { invariant (JC_62: true)
          variant (JC_69 : sub_int(add_int(offset_max(Object_t_7_10_alloc_table,
                                           t_7),
                                   (1)),
                           integer_of_int32(i_7))) }
         begin
           [ { } unit reads count,i_7
             { (JC_60:
               ((JC_55: le_int((0), integer_of_int32(i_7)))
               and ((JC_56:
                    le_int(integer_of_int32(i_7),
                    add_int(offset_max(Object_t_7_10_alloc_table, t_7), (1))))
                   and ((JC_57: le_int((0), integer_of_int32(count)))
                       and ((JC_58:
                            le_int(integer_of_int32(count),
                            integer_of_int32(i_7)))
                           and (JC_59:
                               (integer_of_int32(count) = num_of_pos((0),
                                                          integer_of_int32(i_7),
                                                          t_7,
                                                          intM_intP_t_7_10)))))))) } ];
          try
           begin
             (if (K_18:
                 ((lt_int_ (integer_of_int32 !i_7)) (K_17:
                                                    (let _jessie_ = t_7 in
                                                    (JC_65:
                                                    (assert
                                                    { ge_int(offset_max(Object_t_7_10_alloc_table,
                                                             _jessie_),
                                                      (-1)) };
                                                    (JC_64:
                                                    ((java_array_length_intM_requires _jessie_) Object_t_7_10_alloc_table))))))))
             then
              (if (K_15:
                  ((gt_int_ (integer_of_int32 (K_14:
                                              (JC_66:
                                              ((((offset_acc_ Object_t_7_10_alloc_table) intM_intP_t_7_10) t_7) 
                                               (integer_of_int32 !i_7)))))) (0)))
              then
               (let _jessie_ =
               (K_13:
               (let _jessie_ = !count in
               begin
                 (let _jessie_ =
                 (count := (JC_67:
                           (int32_of_integer_ ((add_int (integer_of_int32 _jessie_)) (1))))) in
                 void); _jessie_ end)) in void) else void)
             else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ ->
           (let _jessie_ =
           (K_16:
           (let _jessie_ = !i_7 in
           begin
             (let _jessie_ =
             (i_7 := (JC_68:
                     (int32_of_integer_ ((add_int (integer_of_int32 _jessie_)) (1))))) in
             void); _jessie_ end)) in void) end end done) with
        Loop_exit_exc _jessie_ -> void end);
      (let u =
      (K_38:
      (JC_70:
      (((alloc_struct_intM_requires (integer_of_int32 !count)) Object_Muller_m_12_alloc_table) Object_Muller_m_12_tag_table))) in
      begin
        (let _jessie_ = (count := (safe_int32_of_integer_ (0))) in void);
       (let i_8 = ref (safe_int32_of_integer_ (K_19: (0))) in
       try
        (loop_2:
        while true do
        { invariant (JC_78: true)
          variant (JC_87 : sub_int(add_int(offset_max(Object_t_7_10_alloc_table,
                                           t_7),
                                   (1)),
                           integer_of_int32(i_8))) }
         begin
           [ { } unit reads count,i_8
             { (JC_76:
               ((JC_71: le_int((0), integer_of_int32(i_8)))
               and ((JC_72:
                    le_int(integer_of_int32(i_8),
                    add_int(offset_max(Object_t_7_10_alloc_table, t_7), (1))))
                   and ((JC_73: le_int((0), integer_of_int32(count)))
                       and ((JC_74:
                            le_int(integer_of_int32(count),
                            integer_of_int32(i_8)))
                           and (JC_75:
                               (integer_of_int32(count) = num_of_pos((0),
                                                          integer_of_int32(i_8),
                                                          t_7,
                                                          intM_intP_t_7_10)))))))) } ];
          try
           begin
             (if (K_37:
                 ((lt_int_ (integer_of_int32 !i_8)) (K_36:
                                                    (let _jessie_ = t_7 in
                                                    (JC_81:
                                                    (assert
                                                    { ge_int(offset_max(Object_t_7_10_alloc_table,
                                                             _jessie_),
                                                      (-1)) };
                                                    (JC_80:
                                                    ((java_array_length_intM_requires _jessie_) Object_t_7_10_alloc_table))))))))
             then
              (if (K_34:
                  ((gt_int_ (integer_of_int32 (K_33:
                                              (JC_82:
                                              ((((offset_acc_ Object_t_7_10_alloc_table) intM_intP_t_7_10) t_7) 
                                               (integer_of_int32 !i_8)))))) (0)))
              then
               (let _jessie_ =
               (K_32:
               (let _jessie_ =
               (K_31:
               (JC_83:
               ((((offset_acc_ Object_t_7_10_alloc_table) intM_intP_t_7_10) t_7) 
                (integer_of_int32 !i_8)))) in
               (let _jessie_ = u in
               (let _jessie_ =
               (integer_of_int32 (K_30:
                                 (let _jessie_ = !count in
                                 begin
                                   (let _jessie_ =
                                   (count := (JC_84:
                                             (int32_of_integer_ ((add_int 
                                                                  (integer_of_int32 _jessie_)) (1))))) in
                                   void); _jessie_ end))) in
               (let _jessie_ = ((shift _jessie_) _jessie_) in
               (JC_85:
               (((((offset_upd_ !Object_Muller_m_12_alloc_table) intM_intP_Muller_m_12) _jessie_) _jessie_) _jessie_))))))) in
               void) else void) else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ ->
           (let _jessie_ =
           (K_35:
           (let _jessie_ = !i_8 in
           begin
             (let _jessie_ =
             (i_8 := (JC_86:
                     (int32_of_integer_ ((add_int (integer_of_int32 _jessie_)) (1))))) in
             void); _jessie_ end)) in void) end end done) with
        Loop_exit_exc _jessie_ -> void end); (return := u); (raise Return)
      end) end); absurd  end with Return -> !return end)) { true } 

let cons_Muller_ensures_default =
 fun (this_0 : Object pointer) (Object_this_0_9_alloc_table : Object alloc_table) ->
  { valid_struct_Muller(this_0, (0), (0), Object_this_0_9_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_43: true) } 

let cons_Muller_safety =
 fun (this_0 : Object pointer) (Object_this_0_9_alloc_table : Object alloc_table) ->
  { valid_struct_Muller(this_0, (0), (0), Object_this_0_9_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 


why-2.39/tests/java/oracle/Termination.res.oracle0000644000106100004300000010562413147234006021041 0ustar  marchevals========== file tests/java/Termination.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@+ CheckArithOverflow = no

class Termination {

    void loop1(int n) { 
	//@ loop_variant n;
	while (n > 0) n--; 
    }

    void loop2(int n) { 
	//@ loop_variant 100-n;
	while (n < 100) n++; 
    }

    //@ ensures \result == 0;
    int loop3() {
	int i = 100;
	/*@ loop_invariant 0 <= i <= 100;
	  @ loop_variant i;
	  @*/
	while (i > 0) i--;
	return i;
    }

}


/*
Local Variables:
compile-command: "make Termination.why3ide"
End:
*/


========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function Termination_loop2 for method Termination.loop2
Generating JC function Termination_loop3 for method Termination.loop3
Generating JC function Termination_loop1 for method Termination.loop1
Generating JC function cons_Termination for constructor Termination
Done.
========== file tests/java/Termination.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag Termination = Object with {
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

unit Termination_loop2(Termination[0] this_1, integer n_0)
{  
   loop 
   behavior default:
     invariant (K_1 : true);
   variant (K_2 : (100 - n_0));
   while ((K_4 : (n_0 < 100)))
   {  (K_3 : (n_0 ++))
   }
}

integer Termination_loop3(Termination[0] this_0)
behavior default:
  ensures (K_5 : (\result == 0));
{  
   {  
      (var integer i = (K_12 : 100));
      
      {  
         loop 
         behavior default:
           invariant (K_8 : ((K_7 : (0 <= i)) && (K_6 : (i <= 100))));
         variant (K_9 : i);
         while ((K_11 : (i > 0)))
         {  (K_10 : (i --))
         };
         
         (return i)
      }
   }
}

unit Termination_loop1(Termination[0] this_2, integer n)
{  
   loop 
   behavior default:
     invariant (K_13 : true);
   variant (K_14 : n);
   while ((K_16 : (n > 0)))
   {  (K_15 : (n --))
   }
}

unit cons_Termination(! Termination[0] this_3){()}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/Termination.jloc tests/java/Termination.jc && make -f tests/java/Termination.makefile gui"
End:
*/
========== file tests/java/Termination.jloc ==========
[Termination_loop2]
name = "Method loop2"
file = "HOME/tests/java/Termination.java"
line = 41
begin = 9
end = 14

[K_11]
file = "HOME/tests/java/Termination.java"
line = 52
begin = 8
end = 13

[K_13]
file = "HOME/tests/java/Termination.java"
line = 37
begin = 5
end = 20

[cons_Termination]
name = "Constructor of class Termination"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_9]
file = "HOME/tests/java/Termination.java"
line = 50
begin = 18
end = 19

[K_1]
file = "HOME/tests/java/Termination.java"
line = 42
begin = 5
end = 24

[K_15]
file = "HOME/tests/java/Termination.java"
line = 38
begin = 15
end = 18

[K_4]
file = "HOME/tests/java/Termination.java"
line = 43
begin = 8
end = 15

[K_12]
file = "HOME/tests/java/Termination.java"
line = 48
begin = 9
end = 12

[Termination_loop1]
name = "Method loop1"
file = "HOME/tests/java/Termination.java"
line = 36
begin = 9
end = 14

[K_2]
file = "HOME/tests/java/Termination.java"
line = 42
begin = 18
end = 23

[Termination_loop3]
name = "Method loop3"
file = "HOME/tests/java/Termination.java"
line = 47
begin = 8
end = 13

[K_10]
file = "HOME/tests/java/Termination.java"
line = 52
begin = 15
end = 18

[K_6]
file = "HOME/tests/java/Termination.java"
line = 49
begin = 25
end = 33

[K_8]
file = "HOME/tests/java/Termination.java"
line = 49
begin = 20
end = 33

[K_3]
file = "HOME/tests/java/Termination.java"
line = 43
begin = 17
end = 20

[K_14]
file = "HOME/tests/java/Termination.java"
line = 37
begin = 18
end = 19

[K_5]
file = "HOME/tests/java/Termination.java"
line = 46
begin = 16
end = 28

[K_7]
file = "HOME/tests/java/Termination.java"
line = 49
begin = 20
end = 26

[K_16]
file = "HOME/tests/java/Termination.java"
line = 38
begin = 8
end = 13

========== jessie execution ==========
Generating Why function Termination_loop2
Generating Why function Termination_loop3
Generating Why function Termination_loop1
Generating Why function cons_Termination
========== file tests/java/Termination.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/Termination_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: Termination.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: Termination.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: Termination.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/java/Termination.loc ==========
[JC_73]
file = "HOME/tests/java/Termination.jc"
line = 78
begin = 3
end = 137

[JC_63]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_80]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_51]
file = "HOME/tests/java/Termination.java"
line = 49
begin = 20
end = 26

[JC_71]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_45]
file = "HOME/tests/java/Termination.java"
line = 49
begin = 25
end = 33

[JC_64]
file = "HOME/"
line = 0
begin = -1
end = -1

[Termination_loop2_safety]
name = "Method loop2"
behavior = "Safety"
file = "HOME/tests/java/Termination.java"
line = 41
begin = 9
end = 14

[JC_31]
file = "HOME/tests/java/Termination.java"
line = 42
begin = 18
end = 23

[JC_17]
file = "HOME/tests/java/Termination.jc"
line = 37
begin = 11
end = 65

[Termination_loop3_ensures_default]
name = "Method loop3"
behavior = "default behavior"
file = "HOME/tests/java/Termination.java"
line = 47
begin = 8
end = 13

[JC_81]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_55]
file = "HOME/tests/java/Termination.jc"
line = 63
begin = 9
end = 213

[JC_48]
file = "HOME/tests/java/Termination.jc"
line = 63
begin = 9
end = 213

[JC_23]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_67]
file = "HOME/tests/java/Termination.jc"
line = 78
begin = 3
end = 137

[JC_9]
file = "HOME/tests/java/Termination.jc"
line = 35
begin = 8
end = 23

[JC_75]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_24]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_25]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Termination_safety]
name = "Constructor of class Termination"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_78]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_41]
file = "HOME/tests/java/Termination.java"
line = 46
begin = 16
end = 28

[JC_74]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_47]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_52]
file = "HOME/tests/java/Termination.java"
line = 49
begin = 25
end = 33

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_79]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[Termination_loop3_safety]
name = "Method loop3"
behavior = "Safety"
file = "HOME/tests/java/Termination.java"
line = 47
begin = 8
end = 13

[JC_11]
file = "HOME/tests/java/Termination.jc"
line = 35
begin = 8
end = 23

[JC_70]
file = "HOME/tests/java/Termination.java"
line = 37
begin = 5
end = 20

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_36]
file = "HOME/tests/java/Termination.java"
line = 47
begin = 8
end = 13

[JC_39]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_40]
file = "HOME/tests/java/Termination.java"
line = 46
begin = 16
end = 28

[JC_35]
file = "HOME/tests/java/Termination.jc"
line = 46
begin = 3
end = 149

[JC_27]
file = "HOME/tests/java/Termination.java"
line = 42
begin = 5
end = 24

[JC_69]
file = "HOME/tests/java/Termination.java"
line = 37
begin = 18
end = 19

[JC_38]
file = "HOME/tests/java/Termination.java"
line = 47
begin = 8
end = 13

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_44]
file = "HOME/tests/java/Termination.java"
line = 49
begin = 20
end = 26

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_42]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_46]
file = "HOME/tests/java/Termination.java"
line = 49
begin = 20
end = 33

[JC_61]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_32]
file = "HOME/tests/java/Termination.java"
line = 42
begin = 5
end = 24

[JC_56]
file = "HOME/tests/java/Termination.jc"
line = 63
begin = 9
end = 213

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_65]
file = "HOME/tests/java/Termination.java"
line = 37
begin = 5
end = 20

[Termination_loop2_ensures_default]
name = "Method loop2"
behavior = "default behavior"
file = "HOME/tests/java/Termination.java"
line = 41
begin = 9
end = 14

[JC_29]
file = "HOME/tests/java/Termination.jc"
line = 46
begin = 3
end = 149

[JC_68]
file = "HOME/tests/java/Termination.jc"
line = 78
begin = 3
end = 137

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[Termination_loop1_safety]
name = "Method loop1"
behavior = "Safety"
file = "HOME/tests/java/Termination.java"
line = 36
begin = 9
end = 14

[JC_43]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
file = "HOME/tests/java/Termination.jc"
line = 46
begin = 3
end = 149

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_53]
file = "HOME/tests/java/Termination.java"
line = 49
begin = 20
end = 33

[JC_21]
file = "HOME/tests/java/Termination.java"
line = 41
begin = 9
end = 14

[JC_77]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_49]
file = "HOME/tests/java/Termination.jc"
line = 63
begin = 9
end = 213

[JC_1]
file = "HOME/tests/java/Termination.jc"
line = 10
begin = 12
end = 22

[Termination_loop1_ensures_default]
name = "Method loop1"
behavior = "default behavior"
file = "HOME/tests/java/Termination.java"
line = 36
begin = 9
end = 14

[JC_37]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Termination_ensures_default]
name = "Constructor of class Termination"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_57]
file = "HOME/tests/java/Termination.java"
line = 36
begin = 9
end = 14

[JC_66]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_59]
file = "HOME/tests/java/Termination.java"
line = 36
begin = 9
end = 14

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/tests/java/Termination.jc"
line = 37
begin = 11
end = 65

[JC_3]
file = "HOME/tests/java/Termination.jc"
line = 10
begin = 12
end = 22

[JC_60]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_72]
file = "HOME/tests/java/Termination.jc"
line = 78
begin = 3
end = 137

[JC_19]
file = "HOME/tests/java/Termination.java"
line = 41
begin = 9
end = 14

[JC_76]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_50]
file = "HOME/tests/java/Termination.java"
line = 50
begin = 18
end = 19

[JC_30]
file = "HOME/tests/java/Termination.jc"
line = 46
begin = 3
end = 149

[JC_58]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/java/why/Termination.why ==========
type Object

type interface

logic Exception_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), (0))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Termination_tag:  -> Object tag_id

axiom Termination_parenttag_Object : parenttag(Termination_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Termination(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Termination(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Termination(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Termination(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

exception Exception_exc of Object pointer

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Object_alloc_table : Object alloc_table ref

parameter Object_tag_table : Object tag_table ref

exception Return_label_exc of unit

parameter Termination_loop1 :
 this_2:Object pointer -> n:int -> { } unit reads Object_alloc_table { true }

parameter Termination_loop1_requires :
 this_2:Object pointer -> n:int -> { } unit reads Object_alloc_table { true }

parameter Termination_loop2 :
 this_1:Object pointer ->
  n_0:int -> { } unit reads Object_alloc_table { true }

parameter Termination_loop2_requires :
 this_1:Object pointer ->
  n_0:int -> { } unit reads Object_alloc_table { true }

parameter Termination_loop3 :
 this_0:Object pointer ->
  { } int reads Object_alloc_table { (JC_41: (result = (0))) }

parameter Termination_loop3_requires :
 this_0:Object pointer ->
  { } int reads Object_alloc_table { (JC_41: (result = (0))) }

exception Throwable_exc of Object pointer

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Termination :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Termination(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Termination_tag)))) }

parameter alloc_struct_Termination_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Termination(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Termination_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter cons_Termination :
 this_3:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Termination_requires :
 this_3:Object pointer -> { } unit reads Object_alloc_table { true }

parameter non_null_Object :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter non_null_Object_requires :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

let Termination_loop1_ensures_default =
 fun (this_2 : Object pointer) (n : int) ->
  { valid_struct_Termination(this_2, (0), (0), Object_alloc_table) }
  (let mutable_n = ref n in
  (init:
  try
   begin
     try
      (loop_6:
      while true do
      { invariant (JC_70: (true = true))  }
       begin
         [ { } unit { true } ];
        try
         begin
           (if (K_16: ((gt_int_ !mutable_n) (0)))
           then
            (let _jessie_ =
            (K_15:
            (let _jessie_ = !mutable_n in
            begin
              (let _jessie_ = (mutable_n := ((sub_int _jessie_) (1))) in
              void); _jessie_ end)) in void)
           else (raise (Loop_exit_exc void)));
          (raise (Loop_continue_exc void)) end with
         Loop_continue_exc _jessie_ -> void end end done) with
      Loop_exit_exc _jessie_ -> void end; (raise Return) end with Return ->
   void end)) { (JC_61: true) } 

let Termination_loop1_safety =
 fun (this_2 : Object pointer) (n : int) ->
  { valid_struct_Termination(this_2, (0), (0), Object_alloc_table) }
  (let mutable_n = ref n in
  (init:
  try
   begin
     try
      (loop_5:
      while true do
      { invariant (JC_67: true) variant (JC_69 : mutable_n) }
       begin
         [ { } unit { (JC_65: (true = true)) } ];
        try
         begin
           (if (K_16: ((gt_int_ !mutable_n) (0)))
           then
            (let _jessie_ =
            (K_15:
            (let _jessie_ = !mutable_n in
            begin
              (let _jessie_ = (mutable_n := ((sub_int _jessie_) (1))) in
              void); _jessie_ end)) in void)
           else (raise (Loop_exit_exc void)));
          (raise (Loop_continue_exc void)) end with
         Loop_continue_exc _jessie_ -> void end end done) with
      Loop_exit_exc _jessie_ -> void end; (raise Return) end with Return ->
   void end)) { true } 

let Termination_loop2_ensures_default =
 fun (this_1 : Object pointer) (n_0 : int) ->
  { valid_struct_Termination(this_1, (0), (0), Object_alloc_table) }
  (let mutable_n_0 = ref n_0 in
  (init:
  try
   begin
     try
      (loop_2:
      while true do
      { invariant (JC_32: (true = true))  }
       begin
         [ { } unit { true } ];
        try
         begin
           (if (K_4: ((lt_int_ !mutable_n_0) (100)))
           then
            (let _jessie_ =
            (K_3:
            (let _jessie_ = !mutable_n_0 in
            begin
              (let _jessie_ = (mutable_n_0 := ((add_int _jessie_) (1))) in
              void); _jessie_ end)) in void)
           else (raise (Loop_exit_exc void)));
          (raise (Loop_continue_exc void)) end with
         Loop_continue_exc _jessie_ -> void end end done) with
      Loop_exit_exc _jessie_ -> void end; (raise Return) end with Return ->
   void end)) { (JC_23: true) } 

let Termination_loop2_safety =
 fun (this_1 : Object pointer) (n_0 : int) ->
  { valid_struct_Termination(this_1, (0), (0), Object_alloc_table) }
  (let mutable_n_0 = ref n_0 in
  (init:
  try
   begin
     try
      (loop_1:
      while true do
      { invariant (JC_29: true)
        variant (JC_31 : sub_int((100), mutable_n_0)) }
       begin
         [ { } unit { (JC_27: (true = true)) } ];
        try
         begin
           (if (K_4: ((lt_int_ !mutable_n_0) (100)))
           then
            (let _jessie_ =
            (K_3:
            (let _jessie_ = !mutable_n_0 in
            begin
              (let _jessie_ = (mutable_n_0 := ((add_int _jessie_) (1))) in
              void); _jessie_ end)) in void)
           else (raise (Loop_exit_exc void)));
          (raise (Loop_continue_exc void)) end with
         Loop_continue_exc _jessie_ -> void end end done) with
      Loop_exit_exc _jessie_ -> void end; (raise Return) end with Return ->
   void end)) { true } 

let Termination_loop3_ensures_default =
 fun (this_0 : Object pointer) ->
  { valid_struct_Termination(this_0, (0), (0), Object_alloc_table) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let i = ref (K_12: (100)) in
     begin
       try
        (loop_4:
        while true do
        { invariant
            (JC_53: ((JC_51: le_int((0), i)) and (JC_52: le_int(i, (100)))))
           }
         begin
           [ { } unit { true } ];
          try
           begin
             (if (K_11: ((gt_int_ !i) (0)))
             then
              (let _jessie_ =
              (K_10:
              (let _jessie_ = !i in
              begin
                (let _jessie_ = (i := ((sub_int _jessie_) (1))) in void);
               _jessie_ end)) in void) else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ -> void end end done) with
        Loop_exit_exc _jessie_ -> void end; (return := !i); (raise Return)
     end); absurd  end with Return -> !return end))
  { (JC_40: (result = (0))) } 

let Termination_loop3_safety =
 fun (this_0 : Object pointer) ->
  { valid_struct_Termination(this_0, (0), (0), Object_alloc_table) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let i = ref (K_12: (100)) in
     begin
       try
        (loop_3:
        while true do
        { invariant (JC_48: true) variant (JC_50 : i) }
         begin
           [ { } unit reads i
             { (JC_46:
               ((JC_44: le_int((0), i)) and (JC_45: le_int(i, (100))))) } ];
          try
           begin
             (if (K_11: ((gt_int_ !i) (0)))
             then
              (let _jessie_ =
              (K_10:
              (let _jessie_ = !i in
              begin
                (let _jessie_ = (i := ((sub_int _jessie_) (1))) in void);
               _jessie_ end)) in void) else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ -> void end end done) with
        Loop_exit_exc _jessie_ -> void end; (return := !i); (raise Return)
     end); absurd  end with Return -> !return end)) { true } 

let cons_Termination_ensures_default =
 fun (this_3 : Object pointer) ->
  { valid_struct_Termination(this_3, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_78: true) } 

let cons_Termination_safety =
 fun (this_3 : Object pointer) ->
  { valid_struct_Termination(this_3, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 


why-2.39/tests/java/oracle/NameConflicts.err.oracle0000644000106100004300000000000013147234006021252 0ustar  marchevalswhy-2.39/tests/java/oracle/Fact.res.oracle0000644000106100004300000006621113147234006017423 0ustar  marchevals========== file tests/java/Fact.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

// int model: unbounded mathematical integers
//@+ CheckArithOverflow = no

/*@ inductive isfact(integer x, integer r) {
  @  case isfact0: isfact(0,1);
  @  case isfactn:
  @   \forall integer n r;
  @     n >= 1 && isfact(n-1,r) ==> isfact(n,r*n);
  @ }
  @*/

public class Fact {

    /*@ requires x >= 0;
      @ ensures isfact(x, \result);
      @*/
    public static int fact(int x) {
        int a = 0, y = 1;
        /*@ loop_invariant 0 <= a <= x && isfact(a,y);
          @ loop_variant x-a;
          @*/
        while (a < x) y = y * ++a;
        return y;
    }

}========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function cons_Fact for constructor Fact
Generating JC function Fact_fact for method Fact.fact
Done.
========== file tests/java/Fact.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag Fact = Object with {
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

predicate isfact(integer x, integer r) {
case isfact0: isfact(0, 1);
  
  case isfactn: (\forall integer n;
                  (\forall integer r_0;
                    (((n >= 1) && isfact((n - 1), r_0)) ==>
                      isfact(n, (r_0 * n)))));
  
}

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

unit cons_Fact(! Fact[0] this_0){()}

integer Fact_fact(integer x_0)
  requires (K_2 : (x_0 >= 0));
behavior default:
  ensures (K_1 : isfact(x_0, \result));
{  
   {  
      (var integer a = (K_13 : 0));
      
      {  
         (var integer y = (K_12 : 1));
         
         {  
            loop 
            behavior default:
              invariant (K_7 : ((K_6 : ((K_5 : (0 <= a)) &&
                                         (K_4 : (a <= x_0)))) &&
                                 (K_3 : isfact(a, y))));
            variant (K_8 : (x_0 - a));
            while ((K_11 : (a < x_0)))
            {  (y = (K_10 : (y * (K_9 : (++ a)))))
            };
            
            (return y)
         }
      }
   }
}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/Fact.jloc tests/java/Fact.jc && make -f tests/java/Fact.makefile gui"
End:
*/
========== file tests/java/Fact.jloc ==========
[K_11]
file = "HOME/tests/java/Fact.java"
line = 53
begin = 15
end = 20

[K_13]
file = "HOME/tests/java/Fact.java"
line = 49
begin = 16
end = 17

[K_9]
file = "HOME/tests/java/Fact.java"
line = 53
begin = 30
end = 33

[K_1]
file = "HOME/tests/java/Fact.java"
line = 46
begin = 16
end = 34

[K_4]
file = "HOME/tests/java/Fact.java"
line = 50
begin = 32
end = 38

[K_12]
file = "HOME/tests/java/Fact.java"
line = 49
begin = 23
end = 24

[K_2]
file = "HOME/tests/java/Fact.java"
line = 45
begin = 17
end = 23

[K_10]
file = "HOME/tests/java/Fact.java"
line = 53
begin = 26
end = 33

[K_6]
file = "HOME/tests/java/Fact.java"
line = 50
begin = 27
end = 38

[K_8]
file = "HOME/tests/java/Fact.java"
line = 51
begin = 25
end = 28

[K_3]
file = "HOME/tests/java/Fact.java"
line = 50
begin = 42
end = 53

[cons_Fact]
name = "Constructor of class Fact"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_5]
file = "HOME/tests/java/Fact.java"
line = 50
begin = 27
end = 33

[Fact_fact]
name = "Method fact"
file = "HOME/tests/java/Fact.java"
line = 48
begin = 22
end = 26

[K_7]
file = "HOME/tests/java/Fact.java"
line = 50
begin = 27
end = 53

========== jessie execution ==========
Generating Why function cons_Fact
Generating Why function Fact_fact
========== file tests/java/Fact.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/Fact_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: Fact.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: Fact.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: Fact.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/java/Fact.loc ==========
[JC_45]
file = "HOME/tests/java/Fact.java"
line = 50
begin = 42
end = 53

[cons_Fact_ensures_default]
name = "Constructor of class Fact"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_31]
file = "HOME/tests/java/Fact.java"
line = 46
begin = 16
end = 34

[cons_Fact_safety]
name = "Constructor of class Fact"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_17]
file = "HOME/tests/java/Fact.jc"
line = 37
begin = 11
end = 65

[JC_48]
file = "HOME/tests/java/Fact.jc"
line = 68
begin = 12
end = 372

[JC_23]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_9]
file = "HOME/tests/java/Fact.jc"
line = 35
begin = 8
end = 23

[JC_24]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_25]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_41]
file = "HOME/tests/java/Fact.jc"
line = 68
begin = 12
end = 372

[JC_47]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/java/Fact.jc"
line = 35
begin = 8
end = 23

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_36]
file = "HOME/tests/java/Fact.java"
line = 50
begin = 32
end = 38

[JC_39]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_40]
file = "HOME/tests/java/Fact.jc"
line = 68
begin = 12
end = 372

[JC_35]
file = "HOME/tests/java/Fact.java"
line = 50
begin = 27
end = 33

[JC_27]
file = "HOME/tests/java/Fact.java"
line = 45
begin = 17
end = 23

[JC_38]
file = "HOME/tests/java/Fact.java"
line = 50
begin = 27
end = 53

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[Fact_fact_ensures_default]
name = "Method fact"
behavior = "default behavior"
file = "HOME/tests/java/Fact.java"
line = 48
begin = 22
end = 26

[JC_44]
file = "HOME/tests/java/Fact.java"
line = 50
begin = 32
end = 38

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_42]
file = "HOME/tests/java/Fact.java"
line = 51
begin = 25
end = 28

[JC_46]
file = "HOME/tests/java/Fact.java"
line = 50
begin = 27
end = 53

[JC_32]
file = "HOME/tests/java/Fact.java"
line = 46
begin = 16
end = 34

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[Fact_fact_safety]
name = "Method fact"
behavior = "Safety"
file = "HOME/tests/java/Fact.java"
line = 48
begin = 22
end = 26

[JC_29]
file = "HOME/tests/java/Fact.java"
line = 45
begin = 17
end = 23

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_43]
file = "HOME/tests/java/Fact.java"
line = 50
begin = 27
end = 33

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_21]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_49]
file = "HOME/tests/java/Fact.jc"
line = 68
begin = 12
end = 372

[JC_1]
file = "HOME/tests/java/Fact.jc"
line = 10
begin = 12
end = 22

[JC_37]
file = "HOME/tests/java/Fact.java"
line = 50
begin = 42
end = 53

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/tests/java/Fact.jc"
line = 37
begin = 11
end = 65

[JC_3]
file = "HOME/tests/java/Fact.jc"
line = 10
begin = 12
end = 22

[JC_19]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/java/why/Fact.why ==========
type Object

type interface

logic Exception_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

logic Fact_tag:  -> Object tag_id

axiom Fact_parenttag_Object : parenttag(Fact_tag, Object_tag)

predicate Non_null_Object(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), (0))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

inductive isfact: int, int -> prop =
 | isfact0: isfact((0), (1))
 | isfactn: (forall n:int.
             (forall r_0:int.
              ((ge_int(n, (1)) and isfact(sub_int(n, (1)), r_0)) ->
               isfact(n, mul_int(r_0, n)))))
 
predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Fact(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Fact(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Fact(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Fact(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

exception Exception_exc of Object pointer

parameter Fact_fact : x_0_0:int -> { } int { (JC_32: isfact(x_0_0, result)) }

parameter Fact_fact_requires :
 x_0_0:int ->
  { (JC_27: ge_int(x_0_0, (0)))} int { (JC_32: isfact(x_0_0, result)) }

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Object_alloc_table : Object alloc_table ref

parameter Object_tag_table : Object tag_table ref

exception Return_label_exc of unit

exception Throwable_exc of Object pointer

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Fact :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Fact(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Fact_tag)))) }

parameter alloc_struct_Fact_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Fact(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Fact_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter cons_Fact :
 this_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Fact_requires :
 this_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter non_null_Object :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter non_null_Object_requires :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

let Fact_fact_ensures_default =
 fun (x_0_0 : int) ->
  { (JC_29: ge_int(x_0_0, (0))) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let a = ref (K_13: (0)) in
     (let y = ref (K_12: (1)) in
     begin
       try
        (loop_2:
        while true do
        { invariant
            (JC_46:
            ((JC_43: le_int((0), a))
            and ((JC_44: le_int(a, x_0_0)) and (JC_45: isfact(a, y))))) 
           }
         begin
           [ { } unit { true } ];
          try
           begin
             (if (K_11: ((lt_int_ !a) x_0_0))
             then
              (let _jessie_ =
              begin
                (y := (K_10:
                      ((mul_int !y) (K_9:
                                    begin   (a := ((add_int !a) (1))); !a end))));
               !y end in void) else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ -> void end end done) with
        Loop_exit_exc _jessie_ -> void end; (return := !y); (raise Return)
     end)); absurd  end with Return -> !return end))
  { (JC_31: isfact(x_0_0, result)) } 

let Fact_fact_safety =
 fun (x_0_0 : int) ->
  { (JC_29: ge_int(x_0_0, (0))) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let a = ref (K_13: (0)) in
     (let y = ref (K_12: (1)) in
     begin
       try
        (loop_1:
        while true do
        { invariant (JC_40: true) variant (JC_42 : sub_int(x_0_0, a)) }
         begin
           [ { } unit reads a,y
             { (JC_38:
               ((JC_35: le_int((0), a))
               and ((JC_36: le_int(a, x_0_0)) and (JC_37: isfact(a, y))))) } ];
          try
           begin
             (if (K_11: ((lt_int_ !a) x_0_0))
             then
              (let _jessie_ =
              begin
                (y := (K_10:
                      ((mul_int !y) (K_9:
                                    begin   (a := ((add_int !a) (1))); !a end))));
               !y end in void) else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ -> void end end done) with
        Loop_exit_exc _jessie_ -> void end; (return := !y); (raise Return)
     end)); absurd  end with Return -> !return end)) { true } 

let cons_Fact_ensures_default =
 fun (this_0 : Object pointer) ->
  { valid_struct_Fact(this_0, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_23: true) } 

let cons_Fact_safety =
 fun (this_0 : Object pointer) ->
  { valid_struct_Fact(this_0, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 


why-2.39/tests/java/oracle/Hello.err.oracle0000644000106100004300000000000013147234006017570 0ustar  marchevalswhy-2.39/tests/java/oracle/bts15964.err.oracle0000644000106100004300000000020713147234006017737 0ustar  marchevalscat: /tmp/regtests.cwd: No such file or directory
grep: /src/version.ml: No such file or directory
Cannot open directory /lib/java_api
why-2.39/tests/java/oracle/SelectionSort.res.oracle0000644000106100004300000030646213147234006021350 0ustar  marchevals========== file tests/java/SelectionSort.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/*@ predicate Sorted{L}(int a[], integer l, integer h) =
  @   \forall integer i j; l <= i <= j < h ==> a[i] <= a[j] ;
  @*/

/*@ predicate Swap{L1,L2}(int a[], integer i, integer j) =
  @   \at(a[i],L1) == \at(a[j],L2) &&
  @   \at(a[j],L1) == \at(a[i],L2) &&
  @   \forall integer k; k != i && k != j ==> \at(a[k],L1) == \at(a[k],L2);
  @*/

/*@ inductive Permut{L1,L2}(int a[], integer l, integer h) {
  @  case Permut_refl{L}: 
  @   \forall int a[], integer l h; Permut{L,L}(a, l, h) ;
  @  case Permut_sym{L1,L2}: 
  @    \forall int a[], integer l h; 
  @      Permut{L1,L2}(a, l, h) ==> Permut{L2,L1}(a, l, h) ;
  @  case Permut_trans{L1,L2,L3}: 
  @    \forall int a[], integer l h; 
  @      Permut{L1,L2}(a, l, h) && Permut{L2,L3}(a, l, h) ==> 
  @        Permut{L1,L3}(a, l, h) ;
  @  case Permut_swap{L1,L2}: 
  @    \forall int a[], integer l h i j; 
  @       l <= i <= h && l <= j <= h && Swap{L1,L2}(a, i, j) ==> 
  @     Permut{L1,L2}(a, l, h) ;
  @ }
  @*/

class SelectionSort {

    /*@ requires t != null && 
      @    0 <= i < t.length && 0 <= j < t.length;
      @ assigns t[i],t[j];
      @ ensures Swap{Old,Here}(t,i,j);
      @*/
    void swap(int t[], int i, int j) {
	int tmp = t[i];
	t[i] = t[j];
	t[j] = tmp;
    }
    
    /*@ requires t != null;
      @ behavior sorted:
      @   ensures Sorted(t,0,t.length);
      @ behavior permutation:
      @   ensures Permut{Old,Here}(t,0,t.length-1);
      @*/
    void sort(int t[]) {
	int i,j;
	int mi,mv;
	/*@ loop_invariant 0 <= i;
	  @ for sorted: 
	  @  loop_invariant Sorted(t,0,i) && 
	  @   (\forall integer k1 k2 ; 
	  @      0 <= k1 < i <= k2 < t.length ==> t[k1] <= t[k2]) ;
	  @ for permutation:
	  @   loop_invariant Permut{Pre,Here}(t,0,t.length-1);
	  @ loop_variant t.length - i;
	  @*/
	for (i=0; i t[k] >= mv);
	      @ // useless ! for permutation:
	      @ // loop_invariant Permut{Pre,Here}(t,0,t.length-1);
	      @ loop_variant t.length - j;
	      @*/
	    for (j=i+1; j < t.length; j++) {
		if (t[j] < mv) { 
		    mi = j ; mv = t[j]; 
		}
	    }
	    Before: 
	    swap(t,i,mi);
	    //@ for permutation: assert Permut{Before,Here}(t,0,t.length-1);
	}
    }

}



/*
Local Variables:
compile-command: "make SelectionSort.why3ide"
End:
*/


========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function SelectionSort_swap for method SelectionSort.swap
Generating JC function SelectionSort_sort for method SelectionSort.sort
Generating JC function Object_clone for method Object.clone
Generating JC function Object_notifyAll for method Object.notifyAll
Generating JC function Object_hashCode for method Object.hashCode
Generating JC function Object_equals for method Object.equals
Generating JC function Object_wait for method Object.wait
Generating JC function Object_notify for method Object.notify
Generating JC function Object_wait_long for method Object.wait
Generating JC function cons_SelectionSort for constructor SelectionSort
Generating JC function Object_toString for method Object.toString
Generating JC function Object_wait_long_int for method Object.wait
Generating JC function cons_Object for constructor Object
Generating JC function Object_finalize for method Object.finalize
Generating JC function Object_registerNatives for method Object.registerNatives
Done.
========== file tests/java/SelectionSort.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

type byte = -128..127

type short = -32768..32767

type int32 = -2147483648..2147483647

type long = -9223372036854775808..9223372036854775807

type char = 0..65535

predicate Non_null_intM{Here}(intM[0..] x) =
(\offset_max(x) >= -1)

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag SelectionSort = Object with {
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

tag intM = Object with {
  int32 intP;
}

boolean non_null_intM(! intM[0..] x)
behavior default:
  assigns \nothing;
  ensures (if \result then (\offset_max(x) >= -1) else (x == null));
;

integer java_array_length_intM(! intM[0..-1] x)
behavior default:
  assigns \nothing;
  ensures ((\result <= 2147483647) &&
            ((\result >= 0) && (\result == (\offset_max(x) + 1))));
;

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

predicate Sorted{L}(intM[0..] a, integer l, integer h) =
(\forall integer i;
  (\forall integer j;
    ((((l <= i) && (i <= j)) && (j < h)) ==> ((a + i).intP <= (a + j).intP))))

predicate Swap{L1, L2}(intM[0..] a_0, integer i_0, integer j_0) =
(((\at((a_0 + i_0).intP,L1) == \at((a_0 + j_0).intP,L2)) &&
   (\at((a_0 + j_0).intP,L1) == \at((a_0 + i_0).intP,L2))) &&
  (\forall integer k;
    (((k != i_0) && (k != j_0)) ==>
      (\at((a_0 + k).intP,L1) == \at((a_0 + k).intP,L2)))))

predicate Permut{L1, L2}(intM[0..] a_1, integer l_0, integer h_0) {
case Permut_refl{L}: (\forall intM[0..] a_2;
                       (\forall integer l_1;
                         (\forall integer h_1;
                           Permut{L, L}(a_2, l_1, h_1))));
  
  case Permut_sym{L1, L2}: (\forall intM[0..] a_3;
                             (\forall integer l_2;
                               (\forall integer h_2;
                                 (Permut{L1,
                                   L2}(a_3, l_2, h_2) ==>
                                   Permut{L2,
                                   L1}(a_3, l_2, h_2)))));
  
  case Permut_trans{L1, L2, L3}: (\forall intM[0..] a_4;
                                   (\forall integer l_3;
                                     (\forall integer h_3;
                                       ((Permut{L1,
                                          L2}(a_4, l_3, h_3) &&
                                          Permut{L2,
                                          L3}(a_4, l_3, h_3)) ==>
                                         Permut{L1,
                                         L3}(a_4, l_3, h_3)))));
  
  case Permut_swap{L1, L2}: (\forall intM[0..] a_5;
                              (\forall integer l_4;
                                (\forall integer h_4;
                                  (\forall integer i_1;
                                    (\forall integer j_1;
                                      (((((l_4 <= i_1) && (i_1 <= h_4)) &&
                                          ((l_4 <= j_1) && (j_1 <= h_4))) &&
                                         Swap{L1,
                                         L2}(a_5, i_1, j_1)) ==>
                                        Permut{L1,
                                        L2}(a_5, l_4, h_4)))))));
  
}

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

unit SelectionSort_swap(SelectionSort[0] this_2, intM[0..] t, int32 i_2,
                        int32 j_2)
  requires (K_10 : ((K_9 : ((K_8 : Non_null_intM(t)) &&
                             (K_7 : ((K_6 : (0 <= i_2)) &&
                                      (K_5 : (i_2 < (\offset_max(t) + 1))))))) &&
                     (K_4 : ((K_3 : (0 <= j_2)) &&
                              (K_2 : (j_2 < (\offset_max(t) + 1)))))));
behavior default:
  assigns (t + [i_2..i_2]).intP,
  (t + [j_2..j_2]).intP;
  ensures (K_1 : Swap{Old, Here}(t, i_2, j_2));
{  
   {  
      (var int32 tmp = (K_14 : (t + i_2).intP));
      
      {  (K_12 : ((t + i_2).intP = (K_11 : (t + j_2).intP)));
         (K_13 : ((t + j_2).intP = tmp))
      }
   }
}

unit SelectionSort_sort(SelectionSort[0] this_0, intM[0..] t_0)
  requires (K_17 : Non_null_intM(t_0));
behavior sorted:
  ensures (K_15 : Sorted{Here}(t_0, 0, (\offset_max(t_0) + 1)));
behavior permutation:
  ensures (K_16 : Permut{Old, Here}(t_0, 0, ((\offset_max(t_0) + 1) - 1)));
{  
   {  
      (var int32 i_3);
      
      {  
         (var int32 j_3);
         
         {  
            (var int32 mi);
            
            {  
               (var int32 mv);
               
               loop 
               behavior default:
                 invariant (K_18 : (0 <= i_3));
               behavior sorted:
                 invariant (K_21 : ((K_20 : Sorted{Here}(t_0, 0, i_3)) &&
                                     (K_19 : (\forall integer k1;
                                               (\forall integer k2;
                                                 (((((0 <= k1) && (k1 < i_3)) &&
                                                     (i_3 <= k2)) &&
                                                    (k2 <
                                                      (\offset_max(t_0) + 1))) ==>
                                                   ((t_0 + k1).intP <=
                                                     (t_0 + k2).intP)))))));
               behavior permutation:
                 invariant (K_22 : Permut{Pre,
                           Here}(t_0, 0, ((\offset_max(t_0) + 1) - 1)));
               
               variant (K_23 : ((\offset_max(t_0) + 1) - i_3));
               for ((i_3 = 0) ; (K_47 : (i_3 <
                                          (K_46 : (((K_45 : java_array_length_intM(
                                                    t_0)) -
                                                     1) :> int32)))) ; 
               (K_44 : (i_3 ++)))
               {  
                  {  (mv = (K_24 : (t_0 + i_3).intP));
                     (mi = i_3);
                     
                     loop 
                     behavior default:
                       invariant (K_29 : ((K_28 : (i_3 < j_3)) &&
                                           (K_27 : ((K_26 : (i_3 <= mi)) &&
                                                     (K_25 : (mi <
                                                               (\offset_max(t_0) +
                                                                 1)))))));
                     behavior sorted:
                       invariant (K_32 : ((K_31 : (mv == (t_0 + mi).intP)) &&
                                           (K_30 : (\forall integer k_0;
                                                     (((i_3 <= k_0) &&
                                                        (k_0 < j_3)) ==>
                                                       ((t_0 + k_0).intP >=
                                                         mv))))));
                     
                     variant (K_33 : ((\offset_max(t_0) + 1) - j_3));
                     for ((j_3 = (K_40 : ((i_3 + 1) :> int32))) ; (K_39 : 
                                                                  (j_3 <
                                                                    (K_38 : java_array_length_intM(
                                                                    t_0)))) ; 
                     (K_37 : (j_3 ++)))
                     {  (if (K_36 : ((K_35 : (t_0 + j_3).intP) < mv)) then 
                        {  (mi = j_3);
                           (mv = (K_34 : (t_0 + j_3).intP))
                        } else ())
                     };
                     (Before : 
                     {  (K_41 : SelectionSort_swap(this_0, t_0, i_3, mi));
                        (K_43 : 
                        (assert for permutation: (K_42 : Permut{Before,
                                                 Here}(t_0, 0,
                                                       ((\offset_max(t_0) +
                                                          1) -
                                                         1)))))
                     })
                  }
               }
            }
         }
      }
   }
}

Object[0..] Object_clone(Object[0] this_4)
;

unit Object_notifyAll(Object[0] this_5)
;

int32 Object_hashCode(Object[0] this_6)
;

boolean Object_equals(Object[0] this_7, Object[0..] obj)
;

unit Object_wait(Object[0] this_8)
;

unit Object_notify(Object[0] this_9)
;

unit Object_wait_long(Object[0] this_10, long timeout)
;

unit cons_SelectionSort(! SelectionSort[0] this_3){()}

String[0..] Object_toString(Object[0] this_11)
;

unit Object_wait_long_int(Object[0] this_12, long timeout_0, int32 nanos)
;

unit cons_Object(! Object[0] this_14){()}

unit Object_finalize(Object[0] this_13)
;

unit Object_registerNatives()
;

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/SelectionSort.jloc tests/java/SelectionSort.jc && make -f tests/java/SelectionSort.makefile gui"
End:
*/
========== file tests/java/SelectionSort.jloc ==========
[K_30]
file = "HOME/tests/java/SelectionSort.java"
line = 96
begin = 12
end = 56

[K_23]
file = "HOME/tests/java/SelectionSort.java"
line = 88
begin = 18
end = 30

[K_33]
file = "HOME/tests/java/SelectionSort.java"
line = 99
begin = 22
end = 34

[K_17]
file = "HOME/tests/java/SelectionSort.java"
line = 72
begin = 17
end = 26

[Object_wait_long]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[K_11]
file = "HOME/tests/java/SelectionSort.java"
line = 68
begin = 8
end = 12

[K_38]
file = "HOME/tests/java/SelectionSort.java"
line = 101
begin = 21
end = 29

[K_25]
file = "HOME/tests/java/SelectionSort.java"
line = 93
begin = 38
end = 51

[K_13]
file = "HOME/tests/java/SelectionSort.java"
line = 69
begin = 1
end = 11

[Object_finalize]
name = "Method finalize"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[K_9]
file = "HOME/tests/java/SelectionSort.java"
line = 61
begin = 17
end = 59

[Object_wait]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[K_44]
file = "HOME/tests/java/SelectionSort.java"
line = 90
begin = 25
end = 28

[Object_notify]
name = "Method notify"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[Object_clone]
name = "Method clone"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[K_28]
file = "HOME/tests/java/SelectionSort.java"
line = 93
begin = 24
end = 29

[cons_Object]
name = "Constructor of class Object"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_1]
file = "HOME/tests/java/SelectionSort.java"
line = 64
begin = 16
end = 37

[K_15]
file = "HOME/tests/java/SelectionSort.java"
line = 74
begin = 18
end = 38

[K_4]
file = "HOME/tests/java/SelectionSort.java"
line = 62
begin = 32
end = 49

[K_12]
file = "HOME/tests/java/SelectionSort.java"
line = 68
begin = 1
end = 12

[Object_wait_long_int]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[K_34]
file = "HOME/tests/java/SelectionSort.java"
line = 103
begin = 20
end = 24

[Object_registerNatives]
name = "Method registerNatives"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[K_20]
file = "HOME/tests/java/SelectionSort.java"
line = 83
begin = 21
end = 34

[cons_SelectionSort]
name = "Constructor of class SelectionSort"
file = "HOME/"
line = 0
begin = -1
end = -1

[SelectionSort_swap]
name = "Method swap"
file = "HOME/tests/java/SelectionSort.java"
line = 66
begin = 9
end = 13

[K_2]
file = "HOME/tests/java/SelectionSort.java"
line = 62
begin = 37
end = 49

[K_41]
file = "HOME/tests/java/SelectionSort.java"
line = 107
begin = 5
end = 17

[K_47]
file = "HOME/tests/java/SelectionSort.java"
line = 90
begin = 11
end = 23

[K_29]
file = "HOME/tests/java/SelectionSort.java"
line = 93
begin = 24
end = 51

[K_10]
file = "HOME/tests/java/SelectionSort.java"
line = 61
begin = 17
end = 80

[K_35]
file = "HOME/tests/java/SelectionSort.java"
line = 102
begin = 6
end = 10

[K_6]
file = "HOME/tests/java/SelectionSort.java"
line = 62
begin = 11
end = 17

[K_8]
file = "HOME/tests/java/SelectionSort.java"
line = 61
begin = 17
end = 26

[K_3]
file = "HOME/tests/java/SelectionSort.java"
line = 62
begin = 32
end = 38

[K_31]
file = "HOME/tests/java/SelectionSort.java"
line = 95
begin = 25
end = 36

[K_32]
file = "HOME/tests/java/SelectionSort.java"
line = 95
begin = 25
end = 97

[K_27]
file = "HOME/tests/java/SelectionSort.java"
line = 93
begin = 33
end = 51

[K_46]
file = "HOME/tests/java/SelectionSort.java"
line = 90
begin = 13
end = 23

[K_21]
file = "HOME/tests/java/SelectionSort.java"
line = 83
begin = 21
end = 130

[K_42]
file = "HOME/tests/java/SelectionSort.java"
line = 108
begin = 33
end = 68

[K_24]
file = "HOME/tests/java/SelectionSort.java"
line = 92
begin = 10
end = 14

[K_14]
file = "HOME/tests/java/SelectionSort.java"
line = 67
begin = 11
end = 15

[K_39]
file = "HOME/tests/java/SelectionSort.java"
line = 101
begin = 17
end = 29

[SelectionSort_sort]
name = "Method sort"
file = "HOME/tests/java/SelectionSort.java"
line = 78
begin = 9
end = 13

[K_36]
file = "HOME/tests/java/SelectionSort.java"
line = 102
begin = 6
end = 15

[Object_notifyAll]
name = "Method notifyAll"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[K_37]
file = "HOME/tests/java/SelectionSort.java"
line = 101
begin = 31
end = 34

[K_19]
file = "HOME/tests/java/SelectionSort.java"
line = 84
begin = 8
end = 90

[K_5]
file = "HOME/tests/java/SelectionSort.java"
line = 62
begin = 16
end = 28

[K_18]
file = "HOME/tests/java/SelectionSort.java"
line = 81
begin = 20
end = 26

[Object_equals]
name = "Method equals"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[K_7]
file = "HOME/tests/java/SelectionSort.java"
line = 62
begin = 11
end = 28

[K_40]
file = "HOME/tests/java/SelectionSort.java"
line = 101
begin = 12
end = 15

[Object_hashCode]
name = "Method hashCode"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[K_26]
file = "HOME/tests/java/SelectionSort.java"
line = 93
begin = 33
end = 40

[Object_toString]
name = "Method toString"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[K_22]
file = "HOME/tests/java/SelectionSort.java"
line = 87
begin = 22
end = 54

[K_45]
file = "HOME/tests/java/SelectionSort.java"
line = 90
begin = 13
end = 21

[K_16]
file = "HOME/tests/java/SelectionSort.java"
line = 76
begin = 18
end = 50

[K_43]
file = "HOME/tests/java/SelectionSort.java"
line = 108
begin = 33
end = 68

========== jessie execution ==========
Generating Why function SelectionSort_swap
Generating Why function SelectionSort_sort
Generating Why function cons_SelectionSort
Generating Why function cons_Object
========== file tests/java/SelectionSort.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/SelectionSort_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: SelectionSort.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: SelectionSort.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: SelectionSort.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/java/SelectionSort.loc ==========
[JC_176]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_233]
file = "HOME/"
line = 0
begin = -1
end = -1

[SelectionSort_sort_safety]
name = "Method sort"
behavior = "Safety"
file = "HOME/tests/java/SelectionSort.java"
line = 78
begin = 9
end = 13

[JC_177]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_221]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[JC_80]
file = "HOME/tests/java/SelectionSort.jc"
line = 164
begin = 15
end = 3584

[JC_51]
file = "HOME/tests/java/SelectionSort.java"
line = 61
begin = 17
end = 80

[JC_147]
file = "HOME/tests/java/SelectionSort.java"
line = 93
begin = 38
end = 51

[JC_123]
file = "HOME/tests/java/SelectionSort.jc"
line = 164
begin = 15
end = 3584

[JC_143]
file = "HOME/tests/java/SelectionSort.jc"
line = 164
begin = 15
end = 3584

[SelectionSort_sort_ensures_sorted]
name = "Method sort"
behavior = "Behavior `sorted'"
file = "HOME/tests/java/SelectionSort.java"
line = 78
begin = 9
end = 13

[JC_113]
file = "HOME/tests/java/SelectionSort.jc"
line = 191
begin = 21
end = 1600

[JC_248]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_116]
kind = UserCall
file = "HOME/tests/java/SelectionSort.jc"
line = 218
begin = 32
end = 72

[JC_64]
kind = PointerDeref
file = "HOME/tests/java/SelectionSort.jc"
line = 140
begin = 18
end = 38

[JC_133]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_188]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_180]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_SelectionSort_ensures_default]
name = "Constructor of class SelectionSort"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_99]
kind = UserCall
file = "HOME/tests/java/SelectionSort.jc"
line = 218
begin = 32
end = 72

[JC_200]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_85]
kind = ArithOverflow
file = "HOME/tests/java/SelectionSort.java"
line = 101
begin = 12
end = 15

[JC_250]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_201]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_31]
file = "HOME/tests/java/SelectionSort.jc"
line = 65
begin = 8
end = 23

[JC_17]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_194]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_122]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_205]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[JC_81]
kind = UserCall
file = "HOME/tests/java/SelectionSort.java"
line = 90
begin = 13
end = 21

[JC_55]
file = "HOME/tests/java/SelectionSort.jc"
line = 131
begin = 9
end = 16

[JC_134]
file = "HOME/tests/java/SelectionSort.jc"
line = 191
begin = 21
end = 1600

[SelectionSort_sort_ensures_permutation]
name = "Method sort"
behavior = "Behavior `permutation'"
file = "HOME/tests/java/SelectionSort.java"
line = 78
begin = 9
end = 13

[JC_48]
file = "HOME/tests/java/SelectionSort.java"
line = 62
begin = 16
end = 28

[JC_23]
file = "HOME/tests/java/SelectionSort.jc"
line = 61
begin = 11
end = 103

[JC_241]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_172]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_121]
file = "HOME/tests/java/SelectionSort.java"
line = 81
begin = 20
end = 26

[JC_125]
kind = UserCall
file = "HOME/tests/java/SelectionSort.java"
line = 90
begin = 13
end = 21

[JC_67]
file = "HOME/tests/java/SelectionSort.java"
line = 72
begin = 17
end = 26

[JC_9]
file = "HOME/tests/java/SelectionSort.jc"
line = 52
begin = 8
end = 21

[JC_25]
file = "HOME/tests/java/SelectionSort.jc"
line = 61
begin = 11
end = 103

[JC_189]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[JC_78]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_41]
file = "HOME/tests/java/SelectionSort.java"
line = 62
begin = 16
end = 28

[JC_74]
file = "HOME/tests/java/SelectionSort.java"
line = 74
begin = 18
end = 38

[JC_195]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[JC_52]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_26]
file = "HOME/tests/java/SelectionSort.jc"
line = 60
begin = 10
end = 18

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[SelectionSort_swap_ensures_default]
name = "Method swap"
behavior = "default behavior"
file = "HOME/tests/java/SelectionSort.java"
line = 66
begin = 9
end = 13

[JC_256]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/tests/java/SelectionSort.jc"
line = 55
begin = 11
end = 66

[JC_240]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_82]
kind = IndexBounds
file = "HOME/tests/java/SelectionSort.java"
line = 90
begin = 13
end = 21

[JC_163]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[JC_153]
kind = UserCall
file = "HOME/tests/java/SelectionSort.jc"
line = 218
begin = 32
end = 72

[JC_222]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_246]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/java/SelectionSort.jc"
line = 52
begin = 8
end = 21

[JC_185]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_167]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_98]
file = "HOME/tests/java/SelectionSort.java"
line = 99
begin = 22
end = 34

[JC_70]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_104]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_39]
file = "HOME/tests/java/SelectionSort.java"
line = 61
begin = 17
end = 26

[JC_112]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_135]
file = "HOME/tests/java/SelectionSort.jc"
line = 191
begin = 21
end = 1600

[JC_169]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_132]
file = "HOME/tests/java/SelectionSort.java"
line = 93
begin = 24
end = 51

[cons_SelectionSort_safety]
name = "Constructor of class SelectionSort"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_115]
kind = UserCall
file = "HOME/tests/java/SelectionSort.java"
line = 101
begin = 21
end = 29

[JC_109]
file = "HOME/tests/java/SelectionSort.java"
line = 93
begin = 33
end = 40

[JC_69]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_219]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[JC_124]
file = "HOME/tests/java/SelectionSort.jc"
line = 164
begin = 15
end = 3584

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_206]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_218]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_191]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
kind = PointerDeref
file = "HOME/tests/java/SelectionSort.java"
line = 68
begin = 8
end = 12

[JC_101]
kind = ArithOverflow
file = "HOME/tests/java/SelectionSort.jc"
line = 186
begin = 24
end = 30

[JC_223]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_129]
file = "HOME/tests/java/SelectionSort.java"
line = 93
begin = 24
end = 29

[JC_190]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_110]
file = "HOME/tests/java/SelectionSort.java"
line = 93
begin = 38
end = 51

[JC_166]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_103]
file = "HOME/tests/java/SelectionSort.java"
line = 81
begin = 20
end = 26

[JC_46]
file = "HOME/tests/java/SelectionSort.java"
line = 61
begin = 17
end = 26

[JC_61]
kind = PointerDeref
file = "HOME/tests/java/SelectionSort.java"
line = 67
begin = 11
end = 15

[JC_254]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_199]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_56]
file = "HOME/tests/java/SelectionSort.java"
line = 64
begin = 16
end = 37

[JC_243]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_173]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[JC_29]
file = "HOME/tests/java/SelectionSort.jc"
line = 65
begin = 8
end = 23

[JC_202]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_144]
kind = UserCall
file = "HOME/tests/java/SelectionSort.java"
line = 90
begin = 13
end = 21

[JC_16]
file = "HOME/tests/java/SelectionSort.jc"
line = 54
begin = 10
end = 18

[JC_43]
file = "HOME/tests/java/SelectionSort.java"
line = 62
begin = 37
end = 49

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_95]
kind = PointerDeref
file = "HOME/tests/java/SelectionSort.java"
line = 102
begin = 6
end = 10

[JC_235]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_97]
kind = ArithOverflow
file = "HOME/tests/java/SelectionSort.jc"
line = 211
begin = 30
end = 36

[JC_84]
kind = PointerDeref
file = "HOME/tests/java/SelectionSort.java"
line = 92
begin = 10
end = 14

[JC_160]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_128]
file = "HOME/tests/java/SelectionSort.java"
line = 95
begin = 25
end = 97

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/tests/java/SelectionSort.jc"
line = 54
begin = 10
end = 18

[JC_90]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_225]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_149]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_216]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_131]
file = "HOME/tests/java/SelectionSort.java"
line = 93
begin = 38
end = 51

[JC_37]
file = "HOME/tests/java/SelectionSort.jc"
line = 67
begin = 11
end = 65

[JC_181]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_108]
file = "HOME/tests/java/SelectionSort.java"
line = 93
begin = 24
end = 29

[JC_57]
file = "HOME/tests/java/SelectionSort.java"
line = 66
begin = 9
end = 13

[JC_257]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_161]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_89]
file = "HOME/tests/java/SelectionSort.java"
line = 93
begin = 24
end = 51

[JC_136]
kind = UserCall
file = "HOME/tests/java/SelectionSort.java"
line = 101
begin = 21
end = 29

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_165]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[JC_213]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_217]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_253]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[JC_229]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[JC_86]
file = "HOME/tests/java/SelectionSort.java"
line = 93
begin = 24
end = 29

[JC_72]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_19]
file = "HOME/tests/java/SelectionSort.jc"
line = 58
begin = 8
end = 30

[JC_187]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[JC_238]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_50]
file = "HOME/tests/java/SelectionSort.java"
line = 62
begin = 37
end = 49

[JC_120]
file = "HOME/tests/java/SelectionSort.java"
line = 83
begin = 21
end = 130

[JC_58]
file = "HOME/tests/java/SelectionSort.jc"
line = 131
begin = 9
end = 16

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_198]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_94]
kind = IndexBounds
file = "HOME/tests/java/SelectionSort.java"
line = 101
begin = 21
end = 29

[JC_73]
file = "HOME/tests/java/SelectionSort.java"
line = 74
begin = 18
end = 38

[JC_158]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_63]
kind = PointerDeref
file = "HOME/tests/java/SelectionSort.jc"
line = 139
begin = 18
end = 58

[JC_196]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_71]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_197]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[JC_207]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_151]
file = "HOME/tests/java/SelectionSort.jc"
line = 191
begin = 21
end = 1600

[JC_45]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_106]
file = "HOME/tests/java/SelectionSort.jc"
line = 164
begin = 15
end = 3584

[JC_251]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[JC_203]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[JC_227]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[cons_Object_ensures_default]
name = "Constructor of class Object"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_126]
file = "HOME/tests/java/SelectionSort.java"
line = 95
begin = 25
end = 36

[JC_170]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_236]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_138]
file = "HOME/tests/java/SelectionSort.java"
line = 108
begin = 33
end = 68

[JC_247]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_148]
file = "HOME/tests/java/SelectionSort.java"
line = 93
begin = 24
end = 51

[JC_137]
kind = UserCall
file = "HOME/tests/java/SelectionSort.jc"
line = 218
begin = 32
end = 72

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_231]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_75]
file = "HOME/tests/java/SelectionSort.java"
line = 76
begin = 18
end = 50

[JC_24]
file = "HOME/tests/java/SelectionSort.jc"
line = 60
begin = 10
end = 18

[JC_193]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_186]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_212]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_175]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_224]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_47]
file = "HOME/tests/java/SelectionSort.java"
line = 62
begin = 11
end = 17

[JC_232]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_154]
file = "HOME/tests/java/SelectionSort.java"
line = 108
begin = 33
end = 68

[JC_54]
file = "HOME/tests/java/SelectionSort.java"
line = 66
begin = 9
end = 13

[JC_237]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_208]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_79]
file = "HOME/tests/java/SelectionSort.jc"
line = 164
begin = 15
end = 3584

[JC_130]
file = "HOME/tests/java/SelectionSort.java"
line = 93
begin = 33
end = 40

[JC_174]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_87]
file = "HOME/tests/java/SelectionSort.java"
line = 93
begin = 33
end = 40

[JC_184]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_15]
file = "HOME/tests/java/SelectionSort.jc"
line = 55
begin = 11
end = 66

[JC_182]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_168]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_91]
file = "HOME/tests/java/SelectionSort.jc"
line = 191
begin = 21
end = 1600

[JC_40]
file = "HOME/tests/java/SelectionSort.java"
line = 62
begin = 11
end = 17

[JC_162]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_83]
kind = ArithOverflow
file = "HOME/tests/java/SelectionSort.java"
line = 90
begin = 13
end = 23

[JC_35]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_215]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_107]
kind = UserCall
file = "HOME/tests/java/SelectionSort.java"
line = 90
begin = 13
end = 21

[JC_179]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[JC_38]
file = "HOME/tests/java/SelectionSort.jc"
line = 67
begin = 11
end = 65

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_242]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_156]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_127]
file = "HOME/tests/java/SelectionSort.java"
line = 96
begin = 12
end = 56

[JC_252]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_171]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[JC_164]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_44]
file = "HOME/tests/java/SelectionSort.java"
line = 61
begin = 17
end = 80

[JC_155]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[JC_88]
file = "HOME/tests/java/SelectionSort.java"
line = 93
begin = 38
end = 51

[JC_42]
file = "HOME/tests/java/SelectionSort.java"
line = 62
begin = 32
end = 38

[JC_178]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_141]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_220]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_65]
file = "HOME/tests/java/SelectionSort.java"
line = 72
begin = 17
end = 26

[JC_118]
file = "HOME/tests/java/SelectionSort.java"
line = 83
begin = 21
end = 34

[JC_105]
file = "HOME/tests/java/SelectionSort.jc"
line = 164
begin = 15
end = 3584

[JC_245]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[JC_140]
file = "HOME/tests/java/SelectionSort.java"
line = 81
begin = 20
end = 26

[cons_Object_safety]
name = "Constructor of class Object"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_159]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_68]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_96]
kind = PointerDeref
file = "HOME/tests/java/SelectionSort.java"
line = 103
begin = 20
end = 24

[JC_93]
kind = UserCall
file = "HOME/tests/java/SelectionSort.java"
line = 101
begin = 21
end = 29

[JC_255]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_214]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_258]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_114]
file = "HOME/tests/java/SelectionSort.jc"
line = 191
begin = 21
end = 1600

[JC_150]
file = "HOME/tests/java/SelectionSort.jc"
line = 191
begin = 21
end = 1600

[JC_117]
file = "HOME/tests/java/SelectionSort.java"
line = 108
begin = 33
end = 68

[JC_53]
file = "HOME/tests/java/SelectionSort.java"
line = 64
begin = 16
end = 37

[JC_204]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_157]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[JC_145]
file = "HOME/tests/java/SelectionSort.java"
line = 93
begin = 24
end = 29

[JC_21]
file = "HOME/tests/java/SelectionSort.jc"
line = 58
begin = 8
end = 30

[JC_209]
file = "HOME/"
line = 0
begin = -1
end = -1

[SelectionSort_swap_safety]
name = "Method swap"
behavior = "Safety"
file = "HOME/tests/java/SelectionSort.java"
line = 66
begin = 9
end = 13

[JC_111]
file = "HOME/tests/java/SelectionSort.java"
line = 93
begin = 24
end = 51

[JC_77]
file = "HOME/tests/java/SelectionSort.java"
line = 81
begin = 20
end = 26

[JC_49]
file = "HOME/tests/java/SelectionSort.java"
line = 62
begin = 32
end = 38

[JC_1]
file = "HOME/tests/java/SelectionSort.jc"
line = 23
begin = 12
end = 22

[JC_102]
file = "HOME/tests/java/SelectionSort.java"
line = 88
begin = 18
end = 30

[JC_142]
file = "HOME/tests/java/SelectionSort.jc"
line = 164
begin = 15
end = 3584

[JC_211]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_146]
file = "HOME/tests/java/SelectionSort.java"
line = 93
begin = 33
end = 40

[JC_249]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_66]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_59]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_192]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_239]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_3]
file = "HOME/tests/java/SelectionSort.jc"
line = 23
begin = 12
end = 22

[JC_92]
file = "HOME/tests/java/SelectionSort.jc"
line = 191
begin = 21
end = 1600

[JC_152]
kind = UserCall
file = "HOME/tests/java/SelectionSort.java"
line = 101
begin = 21
end = 29

[SelectionSort_sort_ensures_default]
name = "Method sort"
behavior = "default behavior"
file = "HOME/tests/java/SelectionSort.java"
line = 78
begin = 9
end = 13

[JC_228]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_60]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_183]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_139]
file = "HOME/tests/java/SelectionSort.java"
line = 87
begin = 22
end = 54

[JC_119]
file = "HOME/tests/java/SelectionSort.java"
line = 84
begin = 8
end = 90

[JC_210]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_76]
file = "HOME/tests/java/SelectionSort.java"
line = 76
begin = 18
end = 50

[JC_244]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_230]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_234]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_226]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_100]
file = "HOME/tests/java/SelectionSort.java"
line = 108
begin = 33
end = 68

========== file tests/java/why/SelectionSort.why ==========
type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_1:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_1), (0))

predicate Non_null_intM(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), neg_int((1)))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic integer_of_int32: int32 -> int

predicate Swap(a_0:Object pointer, i_0:int, j_0:int,
 intM_intP_at_L2:(Object, int32) memory,
 intM_intP_at_L1:(Object, int32) memory) =
 ((integer_of_int32(select(intM_intP_at_L1, shift(a_0, i_0))) = integer_of_int32(
                                                                select(intM_intP_at_L2,
                                                                shift(a_0,
                                                                j_0))))
 and ((integer_of_int32(select(intM_intP_at_L1, shift(a_0, j_0))) = integer_of_int32(
                                                                    select(intM_intP_at_L2,
                                                                    shift(a_0,
                                                                    i_0))))
     and (forall k:int.
          (((k <> i_0) and (k <> j_0)) ->
           (integer_of_int32(select(intM_intP_at_L1, shift(a_0, k))) = 
           integer_of_int32(select(intM_intP_at_L2, shift(a_0, k))))))))

inductive Permut: Object pointer, int, int, (Object, int32) memory,
                  (Object, int32) memory -> prop =
 | Permut_refl: (forall intM_intP_at_L:(Object, int32) memory.
                 (forall a_2:Object pointer.
                  (forall l_1:int.
                   (forall h_1:int.
                    Permut(a_2, l_1, h_1, intM_intP_at_L, intM_intP_at_L)))))
 | Permut_sym: (forall intM_intP_at_L2:(Object, int32) memory.
                (forall intM_intP_at_L1:(Object, int32) memory.
                 (forall a_3:Object pointer.
                  (forall l_2:int.
                   (forall h_2:int.
                    (Permut(a_3, l_2, h_2, intM_intP_at_L2, intM_intP_at_L1) ->
                     Permut(a_3, l_2, h_2, intM_intP_at_L1, intM_intP_at_L2)))))))
 | Permut_trans: (forall intM_intP_at_L3:(Object, int32) memory.
                  (forall intM_intP_at_L2:(Object, int32) memory.
                   (forall intM_intP_at_L1:(Object, int32) memory.
                    (forall a_4:Object pointer.
                     (forall l_3:int.
                      (forall h_3:int.
                       ((Permut(a_4, l_3, h_3, intM_intP_at_L2,
                         intM_intP_at_L1)
                        and Permut(a_4, l_3, h_3, intM_intP_at_L3,
                            intM_intP_at_L2)) ->
                        Permut(a_4, l_3, h_3, intM_intP_at_L3,
                        intM_intP_at_L1))))))))
 | Permut_swap: (forall intM_intP_at_L2:(Object, int32) memory.
                 (forall intM_intP_at_L1:(Object, int32) memory.
                  (forall a_5:Object pointer.
                   (forall l_4:int.
                    (forall h_4:int.
                     (forall i_1:int.
                      (forall j_1:int.
                       ((le_int(l_4, i_1)
                        and (le_int(i_1, h_4)
                            and (le_int(l_4, j_1)
                                and (le_int(j_1, h_4)
                                    and Swap(a_5, i_1, j_1, intM_intP_at_L2,
                                        intM_intP_at_L1))))) ->
                        Permut(a_5, l_4, h_4, intM_intP_at_L2,
                        intM_intP_at_L1)))))))))
 
logic SelectionSort_tag:  -> Object tag_id

axiom SelectionSort_parenttag_Object :
 parenttag(SelectionSort_tag, Object_tag)

predicate Sorted(a:Object pointer, l:int, h:int,
 intM_intP_at_L:(Object, int32) memory) =
 (forall i:int.
  (forall j:int.
   ((le_int(l, i) and (le_int(i, j) and lt_int(j, h))) ->
    le_int(integer_of_int32(select(intM_intP_at_L, shift(a, i))),
    integer_of_int32(select(intM_intP_at_L, shift(a, j)))))))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic integer_of_byte: byte -> int

logic byte_of_integer: int -> byte

axiom byte_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_byte(byte_of_integer(x)), x)))

axiom byte_extensionality :
 (forall x:byte.
  (forall y:byte[eq_int(integer_of_byte(x), integer_of_byte(y))].
   (eq_int(integer_of_byte(x), integer_of_byte(y)) -> (x = y))))

axiom byte_range :
 (forall x:byte.
  (le_int((-128), integer_of_byte(x)) and le_int(integer_of_byte(x), (127))))

logic integer_of_char: char -> int

logic char_of_integer: int -> char

axiom char_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (65535))) ->
   eq_int(integer_of_char(char_of_integer(x)), x)))

axiom char_extensionality :
 (forall x:char.
  (forall y:char[eq_int(integer_of_char(x), integer_of_char(y))].
   (eq_int(integer_of_char(x), integer_of_char(y)) -> (x = y))))

axiom char_range :
 (forall x:char.
  (le_int((0), integer_of_char(x)) and le_int(integer_of_char(x), (65535))))

predicate eq_byte(x:byte, y:byte) =
 eq_int(integer_of_byte(x), integer_of_byte(y))

predicate eq_char(x:char, y:char) =
 eq_int(integer_of_char(x), integer_of_char(y))

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_long: long -> int

predicate eq_long(x:long, y:long) =
 eq_int(integer_of_long(x), integer_of_long(y))

logic integer_of_short: short -> int

predicate eq_short(x:short, y:short) =
 eq_int(integer_of_short(x), integer_of_short(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic intM_tag:  -> Object tag_id

axiom intM_parenttag_Object : parenttag(intM_tag, Object_tag)

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_SelectionSort(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_intM(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer: int -> long

axiom long_coerce :
 (forall x:int.
  ((le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807))) ->
   eq_int(integer_of_long(long_of_integer(x)), x)))

axiom long_extensionality :
 (forall x:long.
  (forall y:long[eq_int(integer_of_long(x), integer_of_long(y))].
   (eq_int(integer_of_long(x), integer_of_long(y)) -> (x = y))))

axiom long_range :
 (forall x:long.
  (le_int((-9223372036854775808), integer_of_long(x))
  and le_int(integer_of_long(x), (9223372036854775807))))

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_SelectionSort(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_intM(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer: int -> short

axiom short_coerce :
 (forall x:int.
  ((le_int((-32768), x) and le_int(x, (32767))) ->
   eq_int(integer_of_short(short_of_integer(x)), x)))

axiom short_extensionality :
 (forall x:short.
  (forall y:short[eq_int(integer_of_short(x), integer_of_short(y))].
   (eq_int(integer_of_short(x), integer_of_short(y)) -> (x = y))))

axiom short_range :
 (forall x:short.
  (le_int((-32768), integer_of_short(x))
  and le_int(integer_of_short(x), (32767))))

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_SelectionSort(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_intM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_SelectionSort(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_intM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

exception Exception_exc of Object pointer

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Object_alloc_table : Object alloc_table ref

parameter Object_clone :
 this_4:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_clone_requires :
 this_4:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_equals :
 this_7:Object pointer ->
  obj:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Object_equals_requires :
 this_7:Object pointer ->
  obj:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Object_finalize :
 this_13:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_finalize_requires :
 this_13:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_hashCode :
 this_6:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter Object_hashCode_requires :
 this_6:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter Object_notify :
 this_9:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notifyAll :
 this_5:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notifyAll_requires :
 this_5:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notify_requires :
 this_9:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_registerNatives : tt:unit -> { } unit { true }

parameter Object_registerNatives_requires : tt:unit -> { } unit { true }

parameter Object_tag_table : Object tag_table ref

parameter Object_toString :
 this_11:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_toString_requires :
 this_11:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_wait :
 this_8:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long :
 this_10:Object pointer ->
  timeout:long -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_int :
 this_12:Object pointer ->
  timeout_0:long -> nanos:int32 -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_int_requires :
 this_12:Object pointer ->
  timeout_0:long -> nanos:int32 -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_requires :
 this_10:Object pointer ->
  timeout:long -> { } unit reads Object_alloc_table { true }

parameter Object_wait_requires :
 this_8:Object pointer -> { } unit reads Object_alloc_table { true }

exception Return_label_exc of unit

parameter intM_intP : (Object, int32) memory ref

parameter SelectionSort_sort :
 this_0:Object pointer ->
  t_0:Object pointer ->
   { } unit reads Object_alloc_table,intM_intP writes intM_intP
   { ((JC_76:
      Permut(t_0, (0),
      sub_int(add_int(offset_max(Object_alloc_table, t_0), (1)), (1)),
      intM_intP, intM_intP@))
     and (JC_74:
         Sorted(t_0, (0), add_int(offset_max(Object_alloc_table, t_0), (1)),
         intM_intP))) }

parameter SelectionSort_sort_requires :
 this_0:Object pointer ->
  t_0:Object pointer ->
   { (JC_65: Non_null_intM(t_0, Object_alloc_table))} unit
   reads Object_alloc_table,intM_intP writes intM_intP
   { ((JC_76:
      Permut(t_0, (0),
      sub_int(add_int(offset_max(Object_alloc_table, t_0), (1)), (1)),
      intM_intP, intM_intP@))
     and (JC_74:
         Sorted(t_0, (0), add_int(offset_max(Object_alloc_table, t_0), (1)),
         intM_intP))) }

parameter SelectionSort_swap :
 this_2:Object pointer ->
  t:Object pointer ->
   i_2:int32 ->
    j_2:int32 ->
     { } unit reads Object_alloc_table,intM_intP writes intM_intP
     { (JC_58:
       ((JC_56:
        Swap(t, integer_of_int32(i_2), integer_of_int32(j_2), intM_intP,
        intM_intP@))
       and (JC_57:
           not_assigns(Object_alloc_table@, intM_intP@, intM_intP,
           pset_union(pset_range(pset_singleton(t), integer_of_int32(j_2),
                      integer_of_int32(j_2)),
           pset_range(pset_singleton(t), integer_of_int32(i_2),
           integer_of_int32(i_2))))))) }

parameter SelectionSort_swap_requires :
 this_2:Object pointer ->
  t:Object pointer ->
   i_2:int32 ->
    j_2:int32 ->
     { (JC_44:
       ((JC_39: Non_null_intM(t, Object_alloc_table))
       and ((JC_40: le_int((0), integer_of_int32(i_2)))
           and ((JC_41:
                lt_int(integer_of_int32(i_2),
                add_int(offset_max(Object_alloc_table, t), (1))))
               and ((JC_42: le_int((0), integer_of_int32(j_2)))
                   and (JC_43:
                       lt_int(integer_of_int32(j_2),
                       add_int(offset_max(Object_alloc_table, t), (1)))))))))}
     unit reads Object_alloc_table,intM_intP writes intM_intP
     { (JC_58:
       ((JC_56:
        Swap(t, integer_of_int32(i_2), integer_of_int32(j_2), intM_intP,
        intM_intP@))
       and (JC_57:
           not_assigns(Object_alloc_table@, intM_intP@, intM_intP,
           pset_union(pset_range(pset_singleton(t), integer_of_int32(j_2),
                      integer_of_int32(j_2)),
           pset_range(pset_singleton(t), integer_of_int32(i_2),
           integer_of_int32(i_2))))))) }

exception Throwable_exc of Object pointer

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_SelectionSort :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_SelectionSort(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, SelectionSort_tag)))) }

parameter alloc_struct_SelectionSort_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_SelectionSort(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, SelectionSort_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_intM :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_intM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, intM_tag)))) }

parameter alloc_struct_intM_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_intM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, intM_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_byte : unit -> { } byte { true }

parameter any_char : unit -> { } char { true }

parameter any_int32 : unit -> { } int32 { true }

parameter any_long : unit -> { } long { true }

parameter any_short : unit -> { } short { true }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter byte_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} byte
  { eq_int(integer_of_byte(result), x) }

parameter char_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (65535)))} char
  { eq_int(integer_of_char(result), x) }

parameter cons_Object :
 this_14:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Object_requires :
 this_14:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_SelectionSort :
 this_3:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_SelectionSort_requires :
 this_3:Object pointer -> { } unit reads Object_alloc_table { true }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter java_array_length_intM :
 x_3:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_25:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_3), (1)))))) }

parameter java_array_length_intM_requires :
 x_3:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_25:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_3), (1)))))) }

parameter long_of_integer_ :
 x:int ->
  { (le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807)))}
  long { eq_int(integer_of_long(result), x) }

parameter non_null_Object :
 x_4:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_38:
    (if result then (offset_max(Object_alloc_table, x_4) = (0))
     else (x_4 = null))) }

parameter non_null_Object_requires :
 x_4:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_38:
    (if result then (offset_max(Object_alloc_table, x_4) = (0))
     else (x_4 = null))) }

parameter non_null_intM :
 x_2:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_15:
    (if result then ge_int(offset_max(Object_alloc_table, x_2), neg_int((1)))
     else (x_2 = null))) }

parameter non_null_intM_requires :
 x_2:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_15:
    (if result then ge_int(offset_max(Object_alloc_table, x_2), neg_int((1)))
     else (x_2 = null))) }

parameter safe_byte_of_integer_ :
 x:int -> { } byte { eq_int(integer_of_byte(result), x) }

parameter safe_char_of_integer_ :
 x:int -> { } char { eq_int(integer_of_char(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_long_of_integer_ :
 x:int -> { } long { eq_int(integer_of_long(result), x) }

parameter safe_short_of_integer_ :
 x:int -> { } short { eq_int(integer_of_short(result), x) }

parameter short_of_integer_ :
 x:int ->
  { (le_int((-32768), x) and le_int(x, (32767)))} short
  { eq_int(integer_of_short(result), x) }

let SelectionSort_sort_ensures_default =
 fun (this_0 : Object pointer) (t_0 : Object pointer) ->
  { (left_valid_struct_intM(t_0, (0), Object_alloc_table)
    and (valid_struct_SelectionSort(this_0, (0), (0), Object_alloc_table)
        and (JC_67: Non_null_intM(t_0, Object_alloc_table)))) }
  (init:
  try
   begin
     (let i_3 = ref (any_int32 void) in
     (let j_3 = ref (any_int32 void) in
     (let mi = ref (any_int32 void) in
     (let mv = ref (any_int32 void) in
     begin
       (let _jessie_ = (i_3 := (safe_int32_of_integer_ (0))) in void);
      try
       (loop_3:
       while true do
       { invariant (JC_103: le_int((0), integer_of_int32(i_3)))  }
        begin
          [ { } unit { true } ];
         try
          begin
            (if (K_47:
                ((lt_int_ (integer_of_int32 !i_3)) (integer_of_int32 
                                                    (K_46:
                                                    (safe_int32_of_integer_ 
                                                     ((sub_int (K_45:
                                                               (let _jessie_ =
                                                               t_0 in
                                                               (JC_107:
                                                               (java_array_length_intM _jessie_))))) (1)))))))
            then
             begin
               (let _jessie_ =
               (mv := (K_24:
                      ((safe_acc_ !intM_intP) ((shift t_0) (integer_of_int32 !i_3))))) in
               void); (let _jessie_ = (mi := !i_3) in void);
              (let _jessie_ =
              (j_3 := (K_40:
                      (safe_int32_of_integer_ ((add_int (integer_of_int32 !i_3)) (1))))) in
              void);
              try
               (loop_4:
               while true do
               { invariant
                   (JC_111:
                   ((JC_108:
                    lt_int(integer_of_int32(i_3), integer_of_int32(j_3)))
                   and ((JC_109:
                        le_int(integer_of_int32(i_3), integer_of_int32(mi)))
                       and (JC_110:
                           lt_int(integer_of_int32(mi),
                           add_int(offset_max(Object_alloc_table, t_0), (1)))))))
                  }
                begin
                  [ { } unit { true } ];
                 try
                  begin
                    (if (K_39:
                        ((lt_int_ (integer_of_int32 !j_3)) (K_38:
                                                           (let _jessie_ =
                                                           t_0 in
                                                           (JC_115:
                                                           (java_array_length_intM _jessie_))))))
                    then
                     (if (K_36:
                         ((lt_int_ (integer_of_int32 (K_35:
                                                     ((safe_acc_ !intM_intP) 
                                                      ((shift t_0) (integer_of_int32 !j_3)))))) 
                          (integer_of_int32 !mv)))
                     then
                      (let _jessie_ =
                      begin
                        (let _jessie_ = (mi := !j_3) in void);
                       (mv := (K_34:
                              ((safe_acc_ !intM_intP) ((shift t_0) (integer_of_int32 !j_3)))));
                       !mv end in void) else void)
                    else (raise (Loop_exit_exc void)));
                   (raise (Loop_continue_exc void)) end with
                  Loop_continue_exc _jessie_ ->
                  (let _jessie_ =
                  (K_37:
                  (let _jessie_ = !j_3 in
                  begin
                    (let _jessie_ =
                    (j_3 := (safe_int32_of_integer_ ((add_int (integer_of_int32 _jessie_)) (1)))) in
                    void); _jessie_ end)) in void) end end done) with
               Loop_exit_exc _jessie_ -> void end;
              (Before:
              (K_41:
              (let _jessie_ = this_0 in
              (let _jessie_ = t_0 in
              (let _jessie_ = !i_3 in
              (let _jessie_ = !mi in
              (JC_116:
              ((((SelectionSort_swap _jessie_) _jessie_) _jessie_) _jessie_))))))))
             end else (raise (Loop_exit_exc void)));
           (raise (Loop_continue_exc void)) end with
          Loop_continue_exc _jessie_ ->
          (let _jessie_ =
          (K_44:
          (let _jessie_ = !i_3 in
          begin
            (let _jessie_ =
            (i_3 := (safe_int32_of_integer_ ((add_int (integer_of_int32 _jessie_)) (1)))) in
            void); _jessie_ end)) in void) end end done) with
       Loop_exit_exc _jessie_ -> void end end)))); (raise Return) end with
   Return -> void end) { (JC_69: true) } 

let SelectionSort_sort_ensures_permutation =
 fun (this_0 : Object pointer) (t_0 : Object pointer) ->
  { (left_valid_struct_intM(t_0, (0), Object_alloc_table)
    and (valid_struct_SelectionSort(this_0, (0), (0), Object_alloc_table)
        and (JC_67: Non_null_intM(t_0, Object_alloc_table)))) }
  (init:
  try
   begin
     (let i_3 = ref (any_int32 void) in
     (let j_3 = ref (any_int32 void) in
     (let mi = ref (any_int32 void) in
     (let mv = ref (any_int32 void) in
     begin
       (let _jessie_ = (i_3 := (safe_int32_of_integer_ (0))) in void);
      try
       (loop_7:
       while true do
       { invariant
           (JC_139:
           Permut(t_0, (0),
           sub_int(add_int(offset_max(Object_alloc_table, t_0), (1)), (1)),
           intM_intP, intM_intP@init))  }
        begin
          [ { } unit reads i_3
            { (JC_140: le_int((0), integer_of_int32(i_3))) } ];
         try
          begin
            (if (K_47:
                ((lt_int_ (integer_of_int32 !i_3)) (integer_of_int32 
                                                    (K_46:
                                                    (safe_int32_of_integer_ 
                                                     ((sub_int (K_45:
                                                               (let _jessie_ =
                                                               t_0 in
                                                               (JC_144:
                                                               (java_array_length_intM _jessie_))))) (1)))))))
            then
             begin
               (let _jessie_ =
               (mv := (K_24:
                      ((safe_acc_ !intM_intP) ((shift t_0) (integer_of_int32 !i_3))))) in
               void); (let _jessie_ = (mi := !i_3) in void);
              (let _jessie_ =
              (j_3 := (K_40:
                      (safe_int32_of_integer_ ((add_int (integer_of_int32 !i_3)) (1))))) in
              void);
              begin
                try
                 (loop_8:
                 while true do
                 { invariant (JC_150: true)  }
                  begin
                    [ { } unit reads Object_alloc_table,i_3,j_3,mi
                      { (JC_148:
                        ((JC_145:
                         lt_int(integer_of_int32(i_3), integer_of_int32(j_3)))
                        and ((JC_146:
                             le_int(integer_of_int32(i_3),
                             integer_of_int32(mi)))
                            and (JC_147:
                                lt_int(integer_of_int32(mi),
                                add_int(offset_max(Object_alloc_table, t_0),
                                (1))))))) } ];
                   try
                    begin
                      (if (K_39:
                          ((lt_int_ (integer_of_int32 !j_3)) (K_38:
                                                             (let _jessie_ =
                                                             t_0 in
                                                             (JC_152:
                                                             (java_array_length_intM _jessie_))))))
                      then
                       (if (K_36:
                           ((lt_int_ (integer_of_int32 (K_35:
                                                       ((safe_acc_ !intM_intP) 
                                                        ((shift t_0) 
                                                         (integer_of_int32 !j_3)))))) 
                            (integer_of_int32 !mv)))
                       then
                        (let _jessie_ =
                        begin
                          (let _jessie_ = (mi := !j_3) in void);
                         (mv := (K_34:
                                ((safe_acc_ !intM_intP) ((shift t_0) 
                                                         (integer_of_int32 !j_3)))));
                         !mv end in void) else void)
                      else (raise (Loop_exit_exc void)));
                     (raise (Loop_continue_exc void)) end with
                    Loop_continue_exc _jessie_ ->
                    (let _jessie_ =
                    (K_37:
                    (let _jessie_ = !j_3 in
                    begin
                      (let _jessie_ =
                      (j_3 := (safe_int32_of_integer_ ((add_int (integer_of_int32 _jessie_)) (1)))) in
                      void); _jessie_ end)) in void) end end done) with
                 Loop_exit_exc _jessie_ -> void end;
               (Before:
               (K_41:
               begin
                 (let _jessie_ = this_0 in
                 (let _jessie_ = t_0 in
                 (let _jessie_ = !i_3 in
                 (let _jessie_ = !mi in
                 (JC_153:
                 ((((SelectionSort_swap _jessie_) _jessie_) _jessie_) _jessie_))))));
                (K_43:
                (assert
                { (JC_154:
                  Permut(t_0, (0),
                  sub_int(add_int(offset_max(Object_alloc_table, t_0), (1)),
                  (1)), intM_intP, intM_intP@Before)) }; void)) end)) end end
            else (raise (Loop_exit_exc void)));
           (raise (Loop_continue_exc void)) end with
          Loop_continue_exc _jessie_ ->
          (let _jessie_ =
          (K_44:
          (let _jessie_ = !i_3 in
          begin
            (let _jessie_ =
            (i_3 := (safe_int32_of_integer_ ((add_int (integer_of_int32 _jessie_)) (1)))) in
            void); _jessie_ end)) in void) end end done) with
       Loop_exit_exc _jessie_ -> void end end)))); (raise Return) end with
   Return -> void end)
  { (JC_75:
    Permut(t_0, (0),
    sub_int(add_int(offset_max(Object_alloc_table, t_0), (1)), (1)),
    intM_intP, intM_intP@)) } 

let SelectionSort_sort_ensures_sorted =
 fun (this_0 : Object pointer) (t_0 : Object pointer) ->
  { (left_valid_struct_intM(t_0, (0), Object_alloc_table)
    and (valid_struct_SelectionSort(this_0, (0), (0), Object_alloc_table)
        and (JC_67: Non_null_intM(t_0, Object_alloc_table)))) }
  (init:
  try
   begin
     (let i_3 = ref (any_int32 void) in
     (let j_3 = ref (any_int32 void) in
     (let mi = ref (any_int32 void) in
     (let mv = ref (any_int32 void) in
     begin
       (let _jessie_ = (i_3 := (safe_int32_of_integer_ (0))) in void);
      try
       (loop_5:
       while true do
       { invariant
           (JC_120:
           ((JC_118: Sorted(t_0, (0), integer_of_int32(i_3), intM_intP))
           and (JC_119:
               (forall k1:int.
                (forall k2:int.
                 ((le_int((0), k1)
                  and (lt_int(k1, integer_of_int32(i_3))
                      and (le_int(integer_of_int32(i_3), k2)
                          and lt_int(k2,
                              add_int(offset_max(Object_alloc_table, t_0),
                              (1)))))) ->
                  le_int(integer_of_int32(select(intM_intP, shift(t_0, k1))),
                  integer_of_int32(select(intM_intP, shift(t_0, k2))))))))))
          }
        begin
          [ { } unit reads i_3
            { (JC_121: le_int((0), integer_of_int32(i_3))) } ];
         try
          begin
            (if (K_47:
                ((lt_int_ (integer_of_int32 !i_3)) (integer_of_int32 
                                                    (K_46:
                                                    (safe_int32_of_integer_ 
                                                     ((sub_int (K_45:
                                                               (let _jessie_ =
                                                               t_0 in
                                                               (JC_125:
                                                               (java_array_length_intM _jessie_))))) (1)))))))
            then
             begin
               (let _jessie_ =
               (mv := (K_24:
                      ((safe_acc_ !intM_intP) ((shift t_0) (integer_of_int32 !i_3))))) in
               void); (let _jessie_ = (mi := !i_3) in void);
              (let _jessie_ =
              (j_3 := (K_40:
                      (safe_int32_of_integer_ ((add_int (integer_of_int32 !i_3)) (1))))) in
              void);
              try
               (loop_6:
               while true do
               { invariant
                   (JC_128:
                   ((JC_126:
                    (integer_of_int32(mv) = integer_of_int32(select(intM_intP,
                                                             shift(t_0,
                                                             integer_of_int32(mi))))))
                   and (JC_127:
                       (forall k_0:int.
                        ((le_int(integer_of_int32(i_3), k_0)
                         and lt_int(k_0, integer_of_int32(j_3))) ->
                         ge_int(integer_of_int32(select(intM_intP,
                                                 shift(t_0, k_0))),
                         integer_of_int32(mv)))))))  }
                begin
                  [ { } unit reads Object_alloc_table,i_3,j_3,mi
                    { (JC_132:
                      ((JC_129:
                       lt_int(integer_of_int32(i_3), integer_of_int32(j_3)))
                      and ((JC_130:
                           le_int(integer_of_int32(i_3),
                           integer_of_int32(mi)))
                          and (JC_131:
                              lt_int(integer_of_int32(mi),
                              add_int(offset_max(Object_alloc_table, t_0),
                              (1))))))) } ];
                 try
                  begin
                    (if (K_39:
                        ((lt_int_ (integer_of_int32 !j_3)) (K_38:
                                                           (let _jessie_ =
                                                           t_0 in
                                                           (JC_136:
                                                           (java_array_length_intM _jessie_))))))
                    then
                     (if (K_36:
                         ((lt_int_ (integer_of_int32 (K_35:
                                                     ((safe_acc_ !intM_intP) 
                                                      ((shift t_0) (integer_of_int32 !j_3)))))) 
                          (integer_of_int32 !mv)))
                     then
                      (let _jessie_ =
                      begin
                        (let _jessie_ = (mi := !j_3) in void);
                       (mv := (K_34:
                              ((safe_acc_ !intM_intP) ((shift t_0) (integer_of_int32 !j_3)))));
                       !mv end in void) else void)
                    else (raise (Loop_exit_exc void)));
                   (raise (Loop_continue_exc void)) end with
                  Loop_continue_exc _jessie_ ->
                  (let _jessie_ =
                  (K_37:
                  (let _jessie_ = !j_3 in
                  begin
                    (let _jessie_ =
                    (j_3 := (safe_int32_of_integer_ ((add_int (integer_of_int32 _jessie_)) (1)))) in
                    void); _jessie_ end)) in void) end end done) with
               Loop_exit_exc _jessie_ -> void end;
              (Before:
              (K_41:
              (let _jessie_ = this_0 in
              (let _jessie_ = t_0 in
              (let _jessie_ = !i_3 in
              (let _jessie_ = !mi in
              (JC_137:
              ((((SelectionSort_swap _jessie_) _jessie_) _jessie_) _jessie_))))))))
             end else (raise (Loop_exit_exc void)));
           (raise (Loop_continue_exc void)) end with
          Loop_continue_exc _jessie_ ->
          (let _jessie_ =
          (K_44:
          (let _jessie_ = !i_3 in
          begin
            (let _jessie_ =
            (i_3 := (safe_int32_of_integer_ ((add_int (integer_of_int32 _jessie_)) (1)))) in
            void); _jessie_ end)) in void) end end done) with
       Loop_exit_exc _jessie_ -> void end end)))); (raise Return) end with
   Return -> void end)
  { (JC_73:
    Sorted(t_0, (0), add_int(offset_max(Object_alloc_table, t_0), (1)),
    intM_intP)) } 

let SelectionSort_sort_safety =
 fun (this_0 : Object pointer) (t_0 : Object pointer) ->
  { (left_valid_struct_intM(t_0, (0), Object_alloc_table)
    and (valid_struct_SelectionSort(this_0, (0), (0), Object_alloc_table)
        and (JC_67: Non_null_intM(t_0, Object_alloc_table)))) }
  (init:
  try
   begin
     (let i_3 = ref (any_int32 void) in
     (let j_3 = ref (any_int32 void) in
     (let mi = ref (any_int32 void) in
     (let mv = ref (any_int32 void) in
     begin
       (let _jessie_ = (i_3 := (safe_int32_of_integer_ (0))) in void);
      try
       (loop_1:
       while true do
       { invariant (JC_79: true)
         variant (JC_102 : sub_int(add_int(offset_max(Object_alloc_table,
                                           t_0),
                                   (1)),
                           integer_of_int32(i_3))) }
        begin
          [ { } unit reads i_3
            { (JC_77: le_int((0), integer_of_int32(i_3))) } ];
         try
          begin
            (if (K_47:
                ((lt_int_ (integer_of_int32 !i_3)) (integer_of_int32 
                                                    (K_46:
                                                    (JC_83:
                                                    (int32_of_integer_ 
                                                     ((sub_int (K_45:
                                                               (let _jessie_ =
                                                               t_0 in
                                                               (JC_82:
                                                               (assert
                                                               { ge_int(
                                                                 offset_max(Object_alloc_table,
                                                                 _jessie_),
                                                                 (-1)) };
                                                               (JC_81:
                                                               (java_array_length_intM_requires _jessie_))))))) (1))))))))
            then
             begin
               (let _jessie_ =
               (mv := (K_24:
                      (JC_84:
                      ((((offset_acc_ !Object_alloc_table) !intM_intP) t_0) 
                       (integer_of_int32 !i_3))))) in void);
              (let _jessie_ = (mi := !i_3) in void);
              (let _jessie_ =
              (j_3 := (K_40:
                      (JC_85:
                      (int32_of_integer_ ((add_int (integer_of_int32 !i_3)) (1)))))) in
              void);
              try
               (loop_2:
               while true do
               { invariant (JC_91: true)
                 variant (JC_98 : sub_int(add_int(offset_max(Object_alloc_table,
                                                  t_0),
                                          (1)),
                                  integer_of_int32(j_3))) }
                begin
                  [ { } unit reads Object_alloc_table,i_3,j_3,mi
                    { (JC_89:
                      ((JC_86:
                       lt_int(integer_of_int32(i_3), integer_of_int32(j_3)))
                      and ((JC_87:
                           le_int(integer_of_int32(i_3),
                           integer_of_int32(mi)))
                          and (JC_88:
                              lt_int(integer_of_int32(mi),
                              add_int(offset_max(Object_alloc_table, t_0),
                              (1))))))) } ];
                 try
                  begin
                    (if (K_39:
                        ((lt_int_ (integer_of_int32 !j_3)) (K_38:
                                                           (let _jessie_ =
                                                           t_0 in
                                                           (JC_94:
                                                           (assert
                                                           { ge_int(offset_max(Object_alloc_table,
                                                                    _jessie_),
                                                             (-1)) };
                                                           (JC_93:
                                                           (java_array_length_intM_requires _jessie_))))))))
                    then
                     (if (K_36:
                         ((lt_int_ (integer_of_int32 (K_35:
                                                     (JC_95:
                                                     ((((offset_acc_ !Object_alloc_table) !intM_intP) t_0) 
                                                      (integer_of_int32 !j_3)))))) 
                          (integer_of_int32 !mv)))
                     then
                      (let _jessie_ =
                      begin
                        (let _jessie_ = (mi := !j_3) in void);
                       (mv := (K_34:
                              (JC_96:
                              ((((offset_acc_ !Object_alloc_table) !intM_intP) t_0) 
                               (integer_of_int32 !j_3))))); !mv end in void)
                     else void) else (raise (Loop_exit_exc void)));
                   (raise (Loop_continue_exc void)) end with
                  Loop_continue_exc _jessie_ ->
                  (let _jessie_ =
                  (K_37:
                  (let _jessie_ = !j_3 in
                  begin
                    (let _jessie_ =
                    (j_3 := (JC_97:
                            (int32_of_integer_ ((add_int (integer_of_int32 _jessie_)) (1))))) in
                    void); _jessie_ end)) in void) end end done) with
               Loop_exit_exc _jessie_ -> void end;
              (Before:
              (K_41:
              (let _jessie_ = this_0 in
              (let _jessie_ = t_0 in
              (let _jessie_ = !i_3 in
              (let _jessie_ = !mi in
              (JC_99:
              ((((SelectionSort_swap_requires _jessie_) _jessie_) _jessie_) _jessie_))))))))
             end else (raise (Loop_exit_exc void)));
           (raise (Loop_continue_exc void)) end with
          Loop_continue_exc _jessie_ ->
          (let _jessie_ =
          (K_44:
          (let _jessie_ = !i_3 in
          begin
            (let _jessie_ =
            (i_3 := (JC_101:
                    (int32_of_integer_ ((add_int (integer_of_int32 _jessie_)) (1))))) in
            void); _jessie_ end)) in void) end end done) with
       Loop_exit_exc _jessie_ -> void end end)))); (raise Return) end with
   Return -> void end) { true } 

let SelectionSort_swap_ensures_default =
 fun (this_2 : Object pointer) (t : Object pointer) (i_2 : int32) (j_2 : int32) ->
  { (left_valid_struct_intM(t, (0), Object_alloc_table)
    and (valid_struct_SelectionSort(this_2, (0), (0), Object_alloc_table)
        and (JC_51:
            ((JC_46: Non_null_intM(t, Object_alloc_table))
            and ((JC_47: le_int((0), integer_of_int32(i_2)))
                and ((JC_48:
                     lt_int(integer_of_int32(i_2),
                     add_int(offset_max(Object_alloc_table, t), (1))))
                    and ((JC_49: le_int((0), integer_of_int32(j_2)))
                        and (JC_50:
                            lt_int(integer_of_int32(j_2),
                            add_int(offset_max(Object_alloc_table, t), (1))))))))))) }
  (init:
  try
   begin
     (let _jessie_ =
     (let tmp =
     (K_14: ((safe_acc_ !intM_intP) ((shift t) (integer_of_int32 i_2)))) in
     (K_12:
     begin
       (let _jessie_ =
       (let _jessie_ =
       (K_11: ((safe_acc_ !intM_intP) ((shift t) (integer_of_int32 j_2)))) in
       (let _jessie_ = t in
       (let _jessie_ = (integer_of_int32 i_2) in
       (let _jessie_ = ((shift _jessie_) _jessie_) in
       (((safe_upd_ intM_intP) _jessie_) _jessie_))))) in void);
      (K_13:
      (let _jessie_ = tmp in
      (let _jessie_ = t in
      (let _jessie_ = (integer_of_int32 j_2) in
      (let _jessie_ = ((shift _jessie_) _jessie_) in
      begin   (((safe_upd_ intM_intP) _jessie_) _jessie_); _jessie_ end)))))
     end)) in void); (raise Return) end with Return -> void end)
  { (JC_55:
    ((JC_53:
     Swap(t, integer_of_int32(i_2), integer_of_int32(j_2), intM_intP,
     intM_intP@))
    and (JC_54:
        not_assigns(Object_alloc_table@, intM_intP@, intM_intP,
        pset_union(pset_range(pset_singleton(t), integer_of_int32(j_2),
                   integer_of_int32(j_2)),
        pset_range(pset_singleton(t), integer_of_int32(i_2),
        integer_of_int32(i_2))))))) } 

let SelectionSort_swap_safety =
 fun (this_2 : Object pointer) (t : Object pointer) (i_2 : int32) (j_2 : int32) ->
  { (left_valid_struct_intM(t, (0), Object_alloc_table)
    and (valid_struct_SelectionSort(this_2, (0), (0), Object_alloc_table)
        and (JC_51:
            ((JC_46: Non_null_intM(t, Object_alloc_table))
            and ((JC_47: le_int((0), integer_of_int32(i_2)))
                and ((JC_48:
                     lt_int(integer_of_int32(i_2),
                     add_int(offset_max(Object_alloc_table, t), (1))))
                    and ((JC_49: le_int((0), integer_of_int32(j_2)))
                        and (JC_50:
                            lt_int(integer_of_int32(j_2),
                            add_int(offset_max(Object_alloc_table, t), (1))))))))))) }
  (init:
  try
   begin
     (let _jessie_ =
     (let tmp =
     (K_14:
     (JC_61:
     ((((offset_acc_ !Object_alloc_table) !intM_intP) t) (integer_of_int32 i_2)))) in
     (K_12:
     begin
       (let _jessie_ =
       (let _jessie_ =
       (K_11:
       (JC_62:
       ((((offset_acc_ !Object_alloc_table) !intM_intP) t) (integer_of_int32 j_2)))) in
       (let _jessie_ = t in
       (let _jessie_ = (integer_of_int32 i_2) in
       (let _jessie_ = ((shift _jessie_) _jessie_) in
       (JC_63:
       (((((offset_upd_ !Object_alloc_table) intM_intP) _jessie_) _jessie_) _jessie_)))))) in
       void);
      (K_13:
      (let _jessie_ = tmp in
      (let _jessie_ = t in
      (let _jessie_ = (integer_of_int32 j_2) in
      (let _jessie_ = ((shift _jessie_) _jessie_) in
      (JC_64:
      begin
        (((((offset_upd_ !Object_alloc_table) intM_intP) _jessie_) _jessie_) _jessie_);
       _jessie_ end)))))) end)) in void); (raise Return) end with Return ->
   void end) { true } 

let cons_Object_ensures_default =
 fun (this_14 : Object pointer) ->
  { valid_struct_Object(this_14, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_239: true) } 

let cons_Object_safety =
 fun (this_14 : Object pointer) ->
  { valid_struct_Object(this_14, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 

let cons_SelectionSort_ensures_default =
 fun (this_3 : Object pointer) ->
  { valid_struct_SelectionSort(this_3, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_215: true) } 

let cons_SelectionSort_safety =
 fun (this_3 : Object pointer) ->
  { valid_struct_SelectionSort(this_3, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 


why-2.39/tests/java/oracle/PreAndOld.res.oracle0000644000106100004300000006155213147234006020361 0ustar  marchevals========== file tests/java/PreAndOld.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


//@+ CheckArithOverflow = no

//@ logic integer f{L}(integer n) = n+PreAndOld.y;


class PreAndOld {

    static int y;

    /*@ ensures \result == \old(f(x))
      @      && \result == f{Old}(x)
      @      && \result == \at(f(x),Pre);
      @*/
    int g(int x) {
        int tmp = y;
        y = 12;
        return x+tmp;
    }
}





/*
Local Variables:
compile-command: "make PreAndOld.why3ide"
End:
*/

========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function cons_PreAndOld for constructor PreAndOld
Generating JC function PreAndOld_g for method PreAndOld.g
Done.
========== file tests/java/PreAndOld.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag PreAndOld = Object with {
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

integer PreAndOld_y;

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

logic integer f{L}(integer n) =
(n + PreAndOld_y)

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

unit cons_PreAndOld(! PreAndOld[0] this_1){()}

integer PreAndOld_g(PreAndOld[0] this_0, integer x)
behavior default:
  ensures (K_5 : ((K_4 : ((K_3 : (\result == \at(f{Old}(x),Old))) &&
                           (K_2 : (\result == f{Old}(x))))) &&
                   (K_1 : (\result == \at(f{Old}(x),Old)))));
{  
   {  
      (var integer tmp = (K_7 : PreAndOld_y));
      
      {  (PreAndOld_y = 12);
         
         (return (K_6 : (x + tmp)))
      }
   }
}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/PreAndOld.jloc tests/java/PreAndOld.jc && make -f tests/java/PreAndOld.makefile gui"
End:
*/
========== file tests/java/PreAndOld.jloc ==========
[K_1]
file = "HOME/tests/java/PreAndOld.java"
line = 44
begin = 16
end = 40

[PreAndOld_g]
name = "Method g"
file = "HOME/tests/java/PreAndOld.java"
line = 46
begin = 8
end = 9

[K_4]
file = "HOME/tests/java/PreAndOld.java"
line = 42
begin = 16
end = 74

[K_2]
file = "HOME/tests/java/PreAndOld.java"
line = 43
begin = 16
end = 36

[K_6]
file = "HOME/tests/java/PreAndOld.java"
line = 49
begin = 15
end = 20

[K_3]
file = "HOME/tests/java/PreAndOld.java"
line = 42
begin = 16
end = 37

[cons_PreAndOld]
name = "Constructor of class PreAndOld"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_5]
file = "HOME/tests/java/PreAndOld.java"
line = 42
begin = 16
end = 115

[K_7]
file = "HOME/tests/java/PreAndOld.java"
line = 47
begin = 18
end = 19

========== jessie execution ==========
Generating Why function cons_PreAndOld
Generating Why function PreAndOld_g
========== file tests/java/PreAndOld.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/PreAndOld_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: PreAndOld.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: PreAndOld.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: PreAndOld.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/java/PreAndOld.loc ==========
[JC_31]
file = "HOME/tests/java/PreAndOld.java"
line = 42
begin = 16
end = 37

[JC_17]
file = "HOME/tests/java/PreAndOld.jc"
line = 39
begin = 11
end = 65

[PreAndOld_g_safety]
name = "Method g"
behavior = "Safety"
file = "HOME/tests/java/PreAndOld.java"
line = 46
begin = 8
end = 9

[JC_23]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_9]
file = "HOME/tests/java/PreAndOld.jc"
line = 37
begin = 8
end = 23

[JC_24]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_25]
file = "HOME/"
line = 0
begin = -1
end = -1

[PreAndOld_g_ensures_default]
name = "Method g"
behavior = "default behavior"
file = "HOME/tests/java/PreAndOld.java"
line = 46
begin = 8
end = 9

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/java/PreAndOld.jc"
line = 37
begin = 8
end = 23

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_36]
file = "HOME/tests/java/PreAndOld.java"
line = 43
begin = 16
end = 36

[JC_39]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_35]
file = "HOME/tests/java/PreAndOld.java"
line = 42
begin = 16
end = 37

[JC_27]
file = "HOME/tests/java/PreAndOld.java"
line = 46
begin = 8
end = 9

[JC_38]
file = "HOME/tests/java/PreAndOld.java"
line = 42
begin = 16
end = 115

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_32]
file = "HOME/tests/java/PreAndOld.java"
line = 43
begin = 16
end = 36

[JC_33]
file = "HOME/tests/java/PreAndOld.java"
line = 44
begin = 16
end = 40

[JC_29]
file = "HOME/tests/java/PreAndOld.java"
line = 46
begin = 8
end = 9

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_PreAndOld_safety]
name = "Constructor of class PreAndOld"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
file = "HOME/tests/java/PreAndOld.java"
line = 42
begin = 16
end = 115

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_21]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1]
file = "HOME/tests/java/PreAndOld.jc"
line = 10
begin = 12
end = 22

[JC_37]
file = "HOME/tests/java/PreAndOld.java"
line = 44
begin = 16
end = 40

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_PreAndOld_ensures_default]
name = "Constructor of class PreAndOld"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/tests/java/PreAndOld.jc"
line = 39
begin = 11
end = 65

[JC_3]
file = "HOME/tests/java/PreAndOld.jc"
line = 10
begin = 12
end = 22

[JC_19]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/java/why/PreAndOld.why ==========
type Object

type interface

logic Exception_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), (0))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic PreAndOld_tag:  -> Object tag_id

axiom PreAndOld_parenttag_Object : parenttag(PreAndOld_tag, Object_tag)

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

function f(n:int, PreAndOld_y_at_L:int) : int = add_int(n, PreAndOld_y_at_L)

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_PreAndOld(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_PreAndOld(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_PreAndOld(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_PreAndOld(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

exception Exception_exc of Object pointer

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Object_alloc_table : Object alloc_table ref

parameter Object_tag_table : Object tag_table ref

parameter PreAndOld_y : int ref

parameter PreAndOld_g :
 this_0:Object pointer ->
  x_2:int ->
   { } int reads Object_alloc_table,PreAndOld_y writes PreAndOld_y
   { (JC_38:
     ((JC_35: (result = f(x_2, PreAndOld_y@)))
     and ((JC_36: (result = f(x_2, PreAndOld_y@)))
         and (JC_37: (result = f(x_2, PreAndOld_y@)))))) }

parameter PreAndOld_g_requires :
 this_0:Object pointer ->
  x_2:int ->
   { } int reads Object_alloc_table,PreAndOld_y writes PreAndOld_y
   { (JC_38:
     ((JC_35: (result = f(x_2, PreAndOld_y@)))
     and ((JC_36: (result = f(x_2, PreAndOld_y@)))
         and (JC_37: (result = f(x_2, PreAndOld_y@)))))) }

exception Return_label_exc of unit

exception Throwable_exc of Object pointer

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_PreAndOld :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_PreAndOld(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, PreAndOld_tag)))) }

parameter alloc_struct_PreAndOld_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_PreAndOld(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, PreAndOld_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter cons_PreAndOld :
 this_1:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_PreAndOld_requires :
 this_1:Object pointer -> { } unit reads Object_alloc_table { true }

parameter non_null_Object :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter non_null_Object_requires :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

let PreAndOld_g_ensures_default =
 fun (this_0 : Object pointer) (x_2 : int) ->
  { valid_struct_PreAndOld(this_0, (0), (0), Object_alloc_table) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let tmp = (K_7: !PreAndOld_y) in
     begin
       (let _jessie_ = (PreAndOld_y := (12)) in void);
      (return := (K_6: ((add_int x_2) tmp))); (raise Return) end); absurd 
   end with Return -> !return end))
  { (JC_34:
    ((JC_31: (result = f(x_2, PreAndOld_y@)))
    and ((JC_32: (result = f(x_2, PreAndOld_y@)))
        and (JC_33: (result = f(x_2, PreAndOld_y@)))))) } 

let PreAndOld_g_safety =
 fun (this_0 : Object pointer) (x_2 : int) ->
  { valid_struct_PreAndOld(this_0, (0), (0), Object_alloc_table) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let tmp = (K_7: !PreAndOld_y) in
     begin
       (let _jessie_ = (PreAndOld_y := (12)) in void);
      (return := (K_6: ((add_int x_2) tmp))); (raise Return) end); absurd 
   end with Return -> !return end)) { true } 

let cons_PreAndOld_ensures_default =
 fun (this_1 : Object pointer) ->
  { valid_struct_PreAndOld(this_1, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_23: true) } 

let cons_PreAndOld_safety =
 fun (this_1 : Object pointer) ->
  { valid_struct_PreAndOld(this_1, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 


why-2.39/tests/java/oracle/SelectionSort.err.oracle0000644000106100004300000000062613147234006021340 0ustar  marchevalsWarning: recursive definition of Permut in generated file
Warning: recursive definition of Permut in generated file
Warning: recursive definition of Permut in generated file
Warning: recursive definition of Permut in generated file
Warning: recursive definition of Permut in generated file
Warning: recursive definition of Permut in generated file
Warning: recursive definition of Permut in generated file
why-2.39/tests/java/oracle/Isqrt.res.oracle0000644000106100004300000013120713147234006017646 0ustar  marchevals========== file tests/java/Isqrt.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


//@+ CheckArithOverflow = no

//@ logic integer sqr(integer x) = x * x;

class Isqrt {

/*@ requires x >= 0;
  @ ensures \result >= 0 && sqr(\result) <= x && x < sqr(\result + 1);
  @*/
static int isqrt(int x) {
  int count = 0, sum = 1;
  /*@ loop_invariant count >= 0 && x >= sqr(count) && sum == sqr(count+1);
    @ loop_variant  x - count; 
    @*/
  while (sum <= x) sum += 2 * ++count + 1;
  return count;
}

//@ ensures \result == 4;
static int main () {
  int r;
  r = isqrt(17);
  //@ assert r < 4 ==> false;
  //@ assert r > 4 ==> false;
  return r;
}

}

/*
Local Variables:
compile-command: "make Isqrt.why3ide"
End:
*/


========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function Isqrt_isqrt for method Isqrt.isqrt
Generating JC function Isqrt_main for method Isqrt.main
Generating JC function Object_clone for method Object.clone
Generating JC function Object_notifyAll for method Object.notifyAll
Generating JC function Object_hashCode for method Object.hashCode
Generating JC function Object_equals for method Object.equals
Generating JC function Object_wait for method Object.wait
Generating JC function Object_notify for method Object.notify
Generating JC function Object_wait_long for method Object.wait
Generating JC function cons_Isqrt for constructor Isqrt
Generating JC function Object_toString for method Object.toString
Generating JC function Object_wait_long_int for method Object.wait
Generating JC function cons_Object for constructor Object
Generating JC function Object_finalize for method Object.finalize
Generating JC function Object_registerNatives for method Object.registerNatives
Done.
========== file tests/java/Isqrt.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag Isqrt = Object with {
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

logic integer sqr(integer x) =
(x * x)

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

integer Isqrt_isqrt(integer x_0)
  requires (K_6 : (x_0 >= 0));
behavior default:
  ensures (K_5 : ((K_4 : ((K_3 : (\result >= 0)) &&
                           (K_2 : (sqr(\result) <= x_0)))) &&
                   (K_1 : (x_0 < sqr((\result + 1))))));
{  
   {  
      (var integer count = (K_19 : 0));
      
      {  
         (var integer sum = (K_18 : 1));
         
         {  
            loop 
            behavior default:
              invariant (K_11 : ((K_10 : ((K_9 : (count >= 0)) &&
                                           (K_8 : (x_0 >= sqr(count))))) &&
                                  (K_7 : (sum == sqr((count + 1))))));
            variant (K_12 : (x_0 - count));
            while ((K_17 : (sum <= x_0)))
            {  (K_16 : sum += (K_15 : ((K_14 : (2 * (K_13 : (++ count)))) +
                                        1)))
            };
            
            (return count)
         }
      }
   }
}

integer Isqrt_main()
behavior default:
  ensures (K_20 : (\result == 4));
{  
   {  
      (var integer r);
      
      {  (r = (K_21 : Isqrt_isqrt(17)));
         (K_23 : 
         (assert (K_22 : ((r < 4) ==> false))));
         (K_25 : 
         (assert (K_24 : ((r > 4) ==> false))));
         
         (return r)
      }
   }
}

Object[0..] Object_clone(Object[0] this_2)
;

unit Object_notifyAll(Object[0] this_3)
;

integer Object_hashCode(Object[0] this_4)
;

boolean Object_equals(Object[0] this_5, Object[0..] obj)
;

unit Object_wait(Object[0] this_6)
;

unit Object_notify(Object[0] this_7)
;

unit Object_wait_long(Object[0] this_8, integer timeout)
;

unit cons_Isqrt(! Isqrt[0] this_1){()}

String[0..] Object_toString(Object[0] this_9)
;

unit Object_wait_long_int(Object[0] this_10, integer timeout_0, integer nanos)
;

unit cons_Object(! Object[0] this_12){()}

unit Object_finalize(Object[0] this_11)
;

unit Object_registerNatives()
;

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/Isqrt.jloc tests/java/Isqrt.jc && make -f tests/java/Isqrt.makefile gui"
End:
*/
========== file tests/java/Isqrt.jloc ==========
[K_23]
file = "HOME/tests/java/Isqrt.java"
line = 55
begin = 13
end = 28

[K_17]
file = "HOME/tests/java/Isqrt.java"
line = 47
begin = 9
end = 17

[Object_wait_long]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[K_11]
file = "HOME/tests/java/Isqrt.java"
line = 44
begin = 21
end = 73

[K_25]
file = "HOME/tests/java/Isqrt.java"
line = 56
begin = 13
end = 28

[K_13]
file = "HOME/tests/java/Isqrt.java"
line = 47
begin = 30
end = 37

[Object_finalize]
name = "Method finalize"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[K_9]
file = "HOME/tests/java/Isqrt.java"
line = 44
begin = 21
end = 31

[Object_wait]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[Isqrt_main]
name = "Method main"
file = "HOME/tests/java/Isqrt.java"
line = 52
begin = 11
end = 15

[Object_notify]
name = "Method notify"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[Object_clone]
name = "Method clone"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[cons_Object]
name = "Constructor of class Object"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_1]
file = "HOME/tests/java/Isqrt.java"
line = 40
begin = 49
end = 69

[K_15]
file = "HOME/tests/java/Isqrt.java"
line = 47
begin = 26
end = 41

[K_4]
file = "HOME/tests/java/Isqrt.java"
line = 40
begin = 12
end = 45

[K_12]
file = "HOME/tests/java/Isqrt.java"
line = 45
begin = 20
end = 29

[Object_wait_long_int]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[Object_registerNatives]
name = "Method registerNatives"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[K_20]
file = "HOME/tests/java/Isqrt.java"
line = 51
begin = 12
end = 24

[K_2]
file = "HOME/tests/java/Isqrt.java"
line = 40
begin = 28
end = 45

[K_10]
file = "HOME/tests/java/Isqrt.java"
line = 44
begin = 21
end = 50

[K_6]
file = "HOME/tests/java/Isqrt.java"
line = 39
begin = 13
end = 19

[K_8]
file = "HOME/tests/java/Isqrt.java"
line = 44
begin = 35
end = 50

[K_3]
file = "HOME/tests/java/Isqrt.java"
line = 40
begin = 12
end = 24

[K_21]
file = "HOME/tests/java/Isqrt.java"
line = 54
begin = 6
end = 15

[Isqrt_isqrt]
name = "Method isqrt"
file = "HOME/tests/java/Isqrt.java"
line = 42
begin = 11
end = 16

[K_24]
file = "HOME/tests/java/Isqrt.java"
line = 56
begin = 13
end = 28

[K_14]
file = "HOME/tests/java/Isqrt.java"
line = 47
begin = 26
end = 37

[Object_notifyAll]
name = "Method notifyAll"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[K_19]
file = "HOME/tests/java/Isqrt.java"
line = 43
begin = 14
end = 15

[K_5]
file = "HOME/tests/java/Isqrt.java"
line = 40
begin = 12
end = 69

[K_18]
file = "HOME/tests/java/Isqrt.java"
line = 43
begin = 23
end = 24

[Object_equals]
name = "Method equals"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[K_7]
file = "HOME/tests/java/Isqrt.java"
line = 44
begin = 54
end = 73

[Object_hashCode]
name = "Method hashCode"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[Object_toString]
name = "Method toString"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[K_22]
file = "HOME/tests/java/Isqrt.java"
line = 55
begin = 13
end = 28

[K_16]
file = "HOME/tests/java/Isqrt.java"
line = 47
begin = 19
end = 41

[cons_Isqrt]
name = "Constructor of class Isqrt"
file = "HOME/"
line = 0
begin = -1
end = -1

========== jessie execution ==========
Generating Why function Isqrt_isqrt
Generating Why function Isqrt_main
Generating Why function cons_Isqrt
Generating Why function cons_Object
========== file tests/java/Isqrt.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/Isqrt_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: Isqrt.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: Isqrt.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: Isqrt.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/java/Isqrt.loc ==========
[JC_94]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[JC_73]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_158]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[JC_63]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_80]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[JC_51]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_71]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_147]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_151]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_45]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_123]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_106]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_143]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_113]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_116]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_64]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[JC_133]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Object_ensures_default]
name = "Constructor of class Object"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_99]
file = "HOME/"
line = 0
begin = -1
end = -1

[Isqrt_isqrt_safety]
name = "Method isqrt"
behavior = "Safety"
file = "HOME/tests/java/Isqrt.java"
line = 42
begin = 11
end = 16

[JC_85]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_126]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[JC_31]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_17]
file = "HOME/tests/java/Isqrt.jc"
line = 37
begin = 11
end = 65

[JC_122]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_81]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_55]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_138]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_134]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[JC_148]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_137]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Isqrt_ensures_default]
name = "Constructor of class Isqrt"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_48]
file = "HOME/tests/java/Isqrt.java"
line = 52
begin = 11
end = 15

[JC_23]
file = "HOME/tests/java/Isqrt.java"
line = 40
begin = 12
end = 24

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_121]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_125]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_67]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_9]
file = "HOME/tests/java/Isqrt.jc"
line = 35
begin = 8
end = 23

[JC_75]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_24]
file = "HOME/tests/java/Isqrt.java"
line = 40
begin = 28
end = 45

[JC_25]
file = "HOME/tests/java/Isqrt.java"
line = 40
begin = 49
end = 69

[JC_78]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[JC_41]
file = "HOME/tests/java/Isqrt.java"
line = 44
begin = 21
end = 31

[JC_74]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_47]
file = "HOME/tests/java/Isqrt.jc"
line = 61
begin = 12
end = 481

[JC_52]
file = "HOME/tests/java/Isqrt.java"
line = 51
begin = 12
end = 24

[JC_26]
file = "HOME/tests/java/Isqrt.java"
line = 40
begin = 12
end = 69

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_154]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_79]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_130]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_82]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_163]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_153]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_87]
file = "HOME/"
line = 0
begin = -1
end = -1

[Isqrt_main_safety]
name = "Method main"
behavior = "Safety"
file = "HOME/tests/java/Isqrt.java"
line = 52
begin = 11
end = 15

[JC_11]
file = "HOME/tests/java/Isqrt.jc"
line = 35
begin = 8
end = 23

[JC_98]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_70]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[Isqrt_isqrt_ensures_default]
name = "Method isqrt"
behavior = "default behavior"
file = "HOME/tests/java/Isqrt.java"
line = 42
begin = 11
end = 16

[JC_36]
file = "HOME/tests/java/Isqrt.java"
line = 44
begin = 21
end = 73

[JC_104]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[JC_91]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_39]
file = "HOME/tests/java/Isqrt.jc"
line = 61
begin = 12
end = 481

[JC_112]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[JC_40]
file = "HOME/tests/java/Isqrt.java"
line = 45
begin = 20
end = 29

[JC_162]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_135]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_83]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_35]
file = "HOME/tests/java/Isqrt.java"
line = 44
begin = 54
end = 73

[JC_132]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
file = "HOME/tests/java/Isqrt.java"
line = 40
begin = 12
end = 24

[JC_115]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_109]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_107]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_69]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_124]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_38]
file = "HOME/tests/java/Isqrt.jc"
line = 61
begin = 12
end = 481

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_156]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_127]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_164]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_44]
file = "HOME/tests/java/Isqrt.java"
line = 44
begin = 21
end = 73

[JC_155]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[JC_101]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_88]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[JC_129]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_42]
file = "HOME/tests/java/Isqrt.java"
line = 44
begin = 35
end = 50

[JC_110]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[JC_103]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_46]
file = "HOME/tests/java/Isqrt.jc"
line = 61
begin = 12
end = 481

[JC_141]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_61]
file = "HOME/tests/java/Isqrt.java"
line = 56
begin = 13
end = 28

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_56]
kind = UserCall
file = "HOME/tests/java/Isqrt.java"
line = 54
begin = 6
end = 15

[JC_33]
file = "HOME/tests/java/Isqrt.java"
line = 44
begin = 21
end = 31

[cons_Isqrt_safety]
name = "Constructor of class Isqrt"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_65]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_118]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_105]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_140]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_29]
file = "HOME/tests/java/Isqrt.java"
line = 40
begin = 49
end = 69

[JC_144]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_159]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Object_safety]
name = "Constructor of class Object"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_68]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_96]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[JC_43]
file = "HOME/tests/java/Isqrt.java"
line = 44
begin = 54
end = 73

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_95]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_93]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_97]
file = "HOME/"
line = 0
begin = -1
end = -1

[Isqrt_main_ensures_default]
name = "Method main"
behavior = "default behavior"
file = "HOME/tests/java/Isqrt.java"
line = 52
begin = 11
end = 15

[JC_84]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_160]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[JC_128]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[JC_34]
file = "HOME/tests/java/Isqrt.java"
line = 44
begin = 35
end = 50

[JC_114]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_150]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[JC_117]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_90]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_53]
file = "HOME/tests/java/Isqrt.java"
line = 51
begin = 12
end = 24

[JC_157]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_145]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_21]
file = "HOME/tests/java/Isqrt.java"
line = 39
begin = 13
end = 19

[JC_149]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_111]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_77]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_49]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1]
file = "HOME/tests/java/Isqrt.jc"
line = 10
begin = 12
end = 22

[JC_131]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_102]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[JC_37]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_142]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_108]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_57]
file = "HOME/tests/java/Isqrt.java"
line = 55
begin = 13
end = 28

[JC_161]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_146]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_89]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_136]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[JC_66]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_59]
kind = UserCall
file = "HOME/tests/java/Isqrt.java"
line = 54
begin = 6
end = 15

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_165]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/tests/java/Isqrt.jc"
line = 37
begin = 11
end = 65

[JC_3]
file = "HOME/tests/java/Isqrt.jc"
line = 10
begin = 12
end = 22

[JC_92]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_152]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[JC_86]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[JC_60]
file = "HOME/tests/java/Isqrt.java"
line = 55
begin = 13
end = 28

[JC_139]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_72]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[JC_19]
file = "HOME/tests/java/Isqrt.java"
line = 39
begin = 13
end = 19

[JC_119]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_76]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_50]
file = "HOME/tests/java/Isqrt.java"
line = 52
begin = 11
end = 15

[JC_30]
file = "HOME/tests/java/Isqrt.java"
line = 40
begin = 12
end = 69

[JC_120]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_58]
file = "HOME/tests/java/Isqrt.java"
line = 56
begin = 13
end = 28

[JC_100]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_28]
file = "HOME/tests/java/Isqrt.java"
line = 40
begin = 28
end = 45

========== file tests/java/why/Isqrt.why ==========
type Object

type interface

logic Exception_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

logic Isqrt_tag:  -> Object tag_id

axiom Isqrt_parenttag_Object : parenttag(Isqrt_tag, Object_tag)

predicate Non_null_Object(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), (0))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Isqrt(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Isqrt(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

function sqr(x_2:int) : int = mul_int(x_2, x_2)

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Isqrt(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Isqrt(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

exception Exception_exc of Object pointer

parameter Isqrt_isqrt :
 x_0_0:int ->
  { } int
  { (JC_30:
    ((JC_27: ge_int(result, (0)))
    and ((JC_28: le_int(sqr(result), x_0_0))
        and (JC_29: lt_int(x_0_0, sqr(add_int(result, (1)))))))) }

parameter Isqrt_isqrt_requires :
 x_0_0:int ->
  { (JC_19: ge_int(x_0_0, (0)))} int
  { (JC_30:
    ((JC_27: ge_int(result, (0)))
    and ((JC_28: le_int(sqr(result), x_0_0))
        and (JC_29: lt_int(x_0_0, sqr(add_int(result, (1)))))))) }

parameter Isqrt_main : tt:unit -> { } int { (JC_53: (result = (4))) }

parameter Isqrt_main_requires :
 tt:unit -> { } int { (JC_53: (result = (4))) }

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Object_alloc_table : Object alloc_table ref

parameter Object_clone :
 this_2:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_clone_requires :
 this_2:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_equals :
 this_5:Object pointer ->
  obj:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Object_equals_requires :
 this_5:Object pointer ->
  obj:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Object_finalize :
 this_11:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_finalize_requires :
 this_11:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_hashCode :
 this_4:Object pointer -> { } int reads Object_alloc_table { true }

parameter Object_hashCode_requires :
 this_4:Object pointer -> { } int reads Object_alloc_table { true }

parameter Object_notify :
 this_7:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notifyAll :
 this_3:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notifyAll_requires :
 this_3:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notify_requires :
 this_7:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_registerNatives : tt:unit -> { } unit { true }

parameter Object_registerNatives_requires : tt:unit -> { } unit { true }

parameter Object_tag_table : Object tag_table ref

parameter Object_toString :
 this_9:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_toString_requires :
 this_9:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_wait :
 this_6:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long :
 this_8:Object pointer ->
  timeout:int -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_int :
 this_10:Object pointer ->
  timeout_0:int -> nanos:int -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_int_requires :
 this_10:Object pointer ->
  timeout_0:int -> nanos:int -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_requires :
 this_8:Object pointer ->
  timeout:int -> { } unit reads Object_alloc_table { true }

parameter Object_wait_requires :
 this_6:Object pointer -> { } unit reads Object_alloc_table { true }

exception Return_label_exc of unit

exception Throwable_exc of Object pointer

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Isqrt :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Isqrt(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Isqrt_tag)))) }

parameter alloc_struct_Isqrt_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Isqrt(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Isqrt_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter cons_Isqrt :
 this_1:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Isqrt_requires :
 this_1:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Object :
 this_12:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Object_requires :
 this_12:Object pointer -> { } unit reads Object_alloc_table { true }

parameter non_null_Object :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter non_null_Object_requires :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

let Isqrt_isqrt_ensures_default =
 fun (x_0_0 : int) ->
  { (JC_21: ge_int(x_0_0, (0))) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let count = ref (K_19: (0)) in
     (let sum = ref (K_18: (1)) in
     begin
       try
        (loop_2:
        while true do
        { invariant
            (JC_44:
            ((JC_41: ge_int(count, (0)))
            and ((JC_42: ge_int(x_0_0, sqr(count)))
                and (JC_43: (sum = sqr(add_int(count, (1))))))))  }
         begin
           [ { } unit { true } ];
          try
           begin
             (if (K_17: ((le_int_ !sum) x_0_0))
             then
              (let _jessie_ =
              (K_16:
              begin
                (sum := ((add_int !sum) (K_15:
                                        ((add_int (K_14:
                                                  ((mul_int (2)) (K_13:
                                                                 begin
                                                                   (count := 
                                                                    ((add_int !count) (1)));
                                                                  !count end)))) (1)))));
               !sum end) in void) else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ -> void end end done) with
        Loop_exit_exc _jessie_ -> void end; (return := !count);
      (raise Return) end)); absurd  end with Return -> !return end))
  { (JC_26:
    ((JC_23: ge_int(result, (0)))
    and ((JC_24: le_int(sqr(result), x_0_0))
        and (JC_25: lt_int(x_0_0, sqr(add_int(result, (1)))))))) } 

let Isqrt_isqrt_safety =
 fun (x_0_0 : int) ->
  { (JC_21: ge_int(x_0_0, (0))) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let count = ref (K_19: (0)) in
     (let sum = ref (K_18: (1)) in
     begin
       try
        (loop_1:
        while true do
        { invariant (JC_38: true) variant (JC_40 : sub_int(x_0_0, count)) }
         begin
           [ { } unit reads count,sum
             { (JC_36:
               ((JC_33: ge_int(count, (0)))
               and ((JC_34: ge_int(x_0_0, sqr(count)))
                   and (JC_35: (sum = sqr(add_int(count, (1)))))))) } ];
          try
           begin
             (if (K_17: ((le_int_ !sum) x_0_0))
             then
              (let _jessie_ =
              (K_16:
              begin
                (sum := ((add_int !sum) (K_15:
                                        ((add_int (K_14:
                                                  ((mul_int (2)) (K_13:
                                                                 begin
                                                                   (count := 
                                                                    ((add_int !count) (1)));
                                                                  !count end)))) (1)))));
               !sum end) in void) else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ -> void end end done) with
        Loop_exit_exc _jessie_ -> void end; (return := !count);
      (raise Return) end)); absurd  end with Return -> !return end)) 
  { true } 

let Isqrt_main_ensures_default =
 fun (tt : unit) ->
  { (JC_51: true) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let r = ref (any_int void) in
     begin
       (let _jessie_ =
       (r := (K_21:
             (let _jessie_ = (17) in (JC_59: (Isqrt_isqrt _jessie_))))) in
       void);
      (K_23:
      begin
        (assert { (JC_60: (lt_int(r, (4)) -> (false = true))) }; void);
       (K_25:
       begin
         (assert { (JC_61: (gt_int(r, (4)) -> (false = true))) }; void);
        (return := !r); (raise Return) end) end) end); absurd  end with
   Return -> !return end)) { (JC_52: (result = (4))) } 

let Isqrt_main_safety =
 fun (tt : unit) ->
  { (JC_51: true) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let r = ref (any_int void) in
     begin
       (let _jessie_ =
       (r := (K_21:
             (let _jessie_ = (17) in
             (JC_56: (Isqrt_isqrt_requires _jessie_))))) in void);
      (K_23:
      begin
        [ { } unit reads r { (JC_57: (lt_int(r, (4)) -> (false = true))) } ];
       (K_25:
       begin
         [ { } unit reads r { (JC_58: (gt_int(r, (4)) -> (false = true))) } ];
        (return := !r); (raise Return) end) end) end); absurd  end with
   Return -> !return end)) { true } 

let cons_Isqrt_ensures_default =
 fun (this_1 : Object pointer) ->
  { valid_struct_Isqrt(this_1, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_122: true) } 

let cons_Isqrt_safety =
 fun (this_1 : Object pointer) ->
  { valid_struct_Isqrt(this_1, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 

let cons_Object_ensures_default =
 fun (this_12 : Object pointer) ->
  { valid_struct_Object(this_12, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_146: true) } 

let cons_Object_safety =
 fun (this_12 : Object pointer) ->
  { valid_struct_Object(this_12, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 


why-2.39/tests/java/oracle/Power.res.oracle0000644000106100004300000014016213147234006017640 0ustar  marchevals========== file tests/java/Power.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


// int model: unbounded mathematical integers
//@+ CheckArithOverflow = no


/*@ axiomatic Power {
  @   logic integer power(integer x, integer n);
  @   axiom power_0: \forall integer x; power(x,0) == 1;
  @   axiom power_s: \forall integer x n; power(x,n+1) == x*power(x,n);
  @ }
  @*/

/*@ lemma power_mul:
  @   \forall integer x y n; n >= 0 ==> power(x*y,n) == power(x,n)*power(y,n);
  @*/

/*@ lemma power_even:
  @   \forall integer x n; n >= 0 && n % 2 == 0 ==> power(x,n) == power(x*x,n/2);
  @*/

/*@ lemma power_odd:
  @   \forall integer x n; n >= 0 && n % 2 != 0 ==> power(x,n) == x*power(x*x,n/2);
  @*/


class Power {

    // recursive implementation

    /*@ requires 0 <= n;
      @ decreases n;
      @ ensures \result == power(x,n);
      @*/
    static long rec(long x, int n) {
        if ( n == 0) return 1;
        long r = rec(x, n/2);
        if ( n % 2 == 0 ) return r*r;
        return r*r*x;
    }


    // non-recursive implementation

    /*@ requires 0 <= n;
      @ ensures \result == power(x,n);
      @*/
    static long imp(long x, int n) {
        long r = 1, p = x;
        int e = n;

        /*@ loop_invariant
          @   0 <= e && r * power(p,e) == power(x,n);
          @ loop_variant e;
          @*/
        while (e > 0) {
            if (e % 2 != 0) r *= p;
            p *= p;
            e /= 2;
        }
        return r;
    }

}

========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function Power_imp for method Power.imp
Generating JC function Object_clone for method Object.clone
Generating JC function Object_notifyAll for method Object.notifyAll
Generating JC function Object_hashCode for method Object.hashCode
Generating JC function Object_equals for method Object.equals
Generating JC function Object_wait for method Object.wait
Generating JC function Object_notify for method Object.notify
Generating JC function Object_wait_long for method Object.wait
Generating JC function cons_Power for constructor Power
Generating JC function Power_rec for method Power.rec
Generating JC function Object_toString for method Object.toString
Generating JC function Object_wait_long_int for method Object.wait
Generating JC function cons_Object for constructor Object
Generating JC function Object_finalize for method Object.finalize
Generating JC function Object_registerNatives for method Object.registerNatives
Done.
========== file tests/java/Power.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag Power = Object with {
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

axiomatic Power {

  logic integer power(integer x, integer n)
   
  axiom power_s :
  (\forall integer x_1;
    (\forall integer n_0;
      (power(x_1, (n_0 + 1)) == (x_1 * power(x_1, n_0)))))
   
  axiom power_0 :
  (\forall integer x_0;
    (power(x_0, 0) == 1))
  
}

lemma power_mul :
(\forall integer x_2;
  (\forall integer y;
    (\forall integer n_1;
      ((n_1 >= 0) ==>
        (power((x_2 * y), n_1) == (power(x_2, n_1) * power(y, n_1)))))))

lemma power_even :
(\forall integer x_3;
  (\forall integer n_2;
    (((n_2 >= 0) && ((n_2 % 2) == 0)) ==>
      (power(x_3, n_2) == power((x_3 * x_3), (n_2 / 2))))))

lemma power_odd :
(\forall integer x_4;
  (\forall integer n_3;
    (((n_3 >= 0) && ((n_3 % 2) != 0)) ==>
      (power(x_4, n_3) == (x_4 * power((x_4 * x_4), (n_3 / 2)))))))

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

integer Power_imp(integer x_6, integer n_5)
  requires (K_2 : (0 <= n_5));
behavior default:
  ensures (K_1 : (\result == power(x_6, n_5)));
{  
   {  
      (var integer r = (K_15 : 1));
      
      {  
         (var integer p = (K_14 : x_6));
         
         {  
            (var integer e = (K_13 : n_5));
            
            {  
               loop 
               behavior default:
                 invariant (K_5 : ((K_4 : (0 <= e)) &&
                                    (K_3 : ((r * power(p, e)) ==
                                             power(x_6, n_5)))));
               variant (K_6 : e);
               while ((K_12 : (e > 0)))
               {  
                  {  (if (K_9 : ((K_8 : (e % 2)) != 0)) then (K_7 : r *= p) else ());
                     (K_10 : p *= p);
                     (K_11 : e /= 2)
                  }
               };
               
               (return r)
            }
         }
      }
   }
}

Object[0..] Object_clone(Object[0] this_2)
;

unit Object_notifyAll(Object[0] this_3)
;

integer Object_hashCode(Object[0] this_4)
;

boolean Object_equals(Object[0] this_5, Object[0..] obj)
;

unit Object_wait(Object[0] this_6)
;

unit Object_notify(Object[0] this_7)
;

unit Object_wait_long(Object[0] this_8, integer timeout)
;

unit cons_Power(! Power[0] this_1){()}

integer Power_rec(integer x_5, integer n_4)
  requires (K_17 : (0 <= n_4));
  decreases (K_18 : n_4);
behavior default:
  ensures (K_16 : (\result == power(x_5, n_4)));
{  (if (K_19 : (n_4 == 0)) then 
   (return 1) else ());
   
   {  
      (var integer r_0 = (K_26 : Power_rec(x_5, (K_25 : (n_4 / 2)))));
      
      {  (if (K_22 : ((K_21 : (n_4 % 2)) == 0)) then 
         (return (K_20 : (r_0 * r_0))) else ());
         
         (return (K_24 : ((K_23 : (r_0 * r_0)) * x_5)))
      }
   }
}

String[0..] Object_toString(Object[0] this_9)
;

unit Object_wait_long_int(Object[0] this_10, integer timeout_0, integer nanos)
;

unit cons_Object(! Object[0] this_12){()}

unit Object_finalize(Object[0] this_11)
;

unit Object_registerNatives()
;

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/Power.jloc tests/java/Power.jc && make -f tests/java/Power.makefile gui"
End:
*/
========== file tests/java/Power.jloc ==========
[K_23]
file = "HOME/tests/java/Power.java"
line = 69
begin = 15
end = 18

[K_17]
file = "HOME/tests/java/Power.java"
line = 61
begin = 17
end = 23

[Object_wait_long]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[K_11]
file = "HOME/tests/java/Power.java"
line = 89
begin = 12
end = 18

[K_25]
file = "HOME/tests/java/Power.java"
line = 67
begin = 24
end = 27

[K_13]
file = "HOME/tests/java/Power.java"
line = 80
begin = 16
end = 17

[Object_finalize]
name = "Method finalize"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[K_9]
file = "HOME/tests/java/Power.java"
line = 87
begin = 16
end = 26

[Object_wait]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[Object_notify]
name = "Method notify"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[Object_clone]
name = "Method clone"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[cons_Object]
name = "Constructor of class Object"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_1]
file = "HOME/tests/java/Power.java"
line = 76
begin = 16
end = 37

[K_15]
file = "HOME/tests/java/Power.java"
line = 79
begin = 17
end = 18

[K_4]
file = "HOME/tests/java/Power.java"
line = 83
begin = 14
end = 20

[K_12]
file = "HOME/tests/java/Power.java"
line = 86
begin = 15
end = 20

[Object_wait_long_int]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[Object_registerNatives]
name = "Method registerNatives"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[K_20]
file = "HOME/tests/java/Power.java"
line = 68
begin = 33
end = 36

[power_s]
name = "Lemma power_s"
file = "HOME/"
line = 0
begin = 0
end = 0

[K_2]
file = "HOME/tests/java/Power.java"
line = 75
begin = 17
end = 23

[power_even]
name = "Lemma power_even"
file = "HOME/tests/java/Power.java"
line = 48
begin = 10
end = 20

[K_10]
file = "HOME/tests/java/Power.java"
line = 88
begin = 12
end = 18

[K_6]
file = "HOME/tests/java/Power.java"
line = 84
begin = 25
end = 26

[power_0]
name = "Lemma power_0"
file = "HOME/"
line = 0
begin = 0
end = 0

[K_8]
file = "HOME/tests/java/Power.java"
line = 87
begin = 16
end = 21

[K_3]
file = "HOME/tests/java/Power.java"
line = 83
begin = 24
end = 52

[cons_Power]
name = "Constructor of class Power"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_21]
file = "HOME/tests/java/Power.java"
line = 68
begin = 13
end = 18

[K_24]
file = "HOME/tests/java/Power.java"
line = 69
begin = 15
end = 20

[K_14]
file = "HOME/tests/java/Power.java"
line = 79
begin = 24
end = 25

[Object_notifyAll]
name = "Method notifyAll"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[K_19]
file = "HOME/tests/java/Power.java"
line = 66
begin = 13
end = 19

[power_odd]
name = "Lemma power_odd"
file = "HOME/tests/java/Power.java"
line = 52
begin = 10
end = 19

[K_5]
file = "HOME/tests/java/Power.java"
line = 83
begin = 14
end = 52

[Power_rec]
name = "Method rec"
file = "HOME/tests/java/Power.java"
line = 65
begin = 16
end = 19

[Power_imp]
name = "Method imp"
file = "HOME/tests/java/Power.java"
line = 78
begin = 16
end = 19

[power_mul]
name = "Lemma power_mul"
file = "HOME/tests/java/Power.java"
line = 44
begin = 10
end = 19

[K_18]
file = "HOME/tests/java/Power.java"
line = 62
begin = 18
end = 19

[Object_equals]
name = "Method equals"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[K_7]
file = "HOME/tests/java/Power.java"
line = 87
begin = 28
end = 34

[K_26]
file = "HOME/tests/java/Power.java"
line = 67
begin = 17
end = 28

[Object_hashCode]
name = "Method hashCode"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[Object_toString]
name = "Method toString"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[K_22]
file = "HOME/tests/java/Power.java"
line = 68
begin = 13
end = 23

[K_16]
file = "HOME/tests/java/Power.java"
line = 63
begin = 16
end = 37

========== jessie execution ==========
Generating Why function Power_imp
Generating Why function cons_Power
Generating Why function Power_rec
Generating Why function cons_Object
========== file tests/java/Power.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/Power_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: Power.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: Power.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: Power.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/java/Power.loc ==========
[JC_94]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[JC_73]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_158]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_63]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_80]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_51]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_71]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_147]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_151]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[JC_45]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_123]
kind = UserCall
file = "HOME/tests/java/Power.java"
line = 67
begin = 17
end = 28

[JC_106]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_143]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_113]
file = "HOME/tests/java/Power.java"
line = 63
begin = 16
end = 37

[JC_116]
kind = DivByZero
file = "HOME/tests/java/Power.java"
line = 67
begin = 24
end = 27

[JC_64]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_133]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[cons_Object_ensures_default]
name = "Constructor of class Object"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Power_safety]
name = "Constructor of class Power"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_99]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_85]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_126]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_31]
file = "HOME/tests/java/Power.jc"
line = 93
begin = 15
end = 530

[JC_17]
file = "HOME/tests/java/Power.jc"
line = 37
begin = 11
end = 65

[JC_122]
kind = DivByZero
file = "HOME/tests/java/Power.java"
line = 67
begin = 24
end = 27

[JC_81]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_55]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_138]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_134]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_148]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_137]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_48]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_23]
file = "HOME/tests/java/Power.java"
line = 76
begin = 16
end = 37

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_121]
kind = DivByZero
file = "HOME/tests/java/Power.java"
line = 68
begin = 13
end = 18

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_125]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[JC_67]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_9]
file = "HOME/tests/java/Power.jc"
line = 35
begin = 8
end = 23

[JC_75]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_24]
file = "HOME/tests/java/Power.java"
line = 76
begin = 16
end = 37

[JC_25]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_78]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[JC_41]
file = "HOME/tests/java/Power.jc"
line = 93
begin = 15
end = 530

[JC_74]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_47]
file = "HOME/"
line = 0
begin = -1
end = -1

[Power_rec_safety]
name = "Method rec"
behavior = "Safety"
file = "HOME/tests/java/Power.java"
line = 65
begin = 16
end = 19

[JC_52]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[power_s]
name = "Lemma power_s"
behavior = "axiom"
file = "HOME/"
line = 0
begin = 0
end = 0

[JC_154]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[JC_79]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_130]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_82]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_163]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_153]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_87]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/java/Power.jc"
line = 35
begin = 8
end = 23

[JC_98]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_70]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_36]
file = "HOME/tests/java/Power.java"
line = 83
begin = 14
end = 20

[JC_104]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_91]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_39]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_112]
file = "HOME/tests/java/Power.java"
line = 63
begin = 16
end = 37

[JC_40]
file = "HOME/tests/java/Power.jc"
line = 93
begin = 15
end = 530

[JC_162]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_135]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[JC_83]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_35]
file = "HOME/tests/java/Power.java"
line = 84
begin = 25
end = 26

[power_even]
name = "Lemma power_even"
behavior = "lemma"
file = "HOME/tests/java/Power.java"
line = 48
begin = 10
end = 20

[JC_132]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
file = "HOME/tests/java/Power.java"
line = 83
begin = 14
end = 20

[JC_115]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_109]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_107]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_69]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_124]
kind = DivByZero
file = "HOME/tests/java/Power.java"
line = 68
begin = 13
end = 18

[JC_38]
file = "HOME/tests/java/Power.java"
line = 83
begin = 14
end = 52

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[power_0]
name = "Lemma power_0"
behavior = "axiom"
file = "HOME/"
line = 0
begin = 0
end = 0

[JC_156]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_127]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[JC_164]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_44]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[JC_155]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[JC_101]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_88]
file = "HOME/"
line = 0
begin = -1
end = -1

[Power_imp_safety]
name = "Method imp"
behavior = "Safety"
file = "HOME/tests/java/Power.java"
line = 78
begin = 16
end = 19

[JC_129]
file = "HOME/"
line = 0
begin = -1
end = -1

[Power_imp_ensures_default]
name = "Method imp"
behavior = "default behavior"
file = "HOME/tests/java/Power.java"
line = 78
begin = 16
end = 19

[JC_42]
kind = DivByZero
file = "HOME/tests/java/Power.java"
line = 87
begin = 16
end = 21

[Power_rec_ensures_default]
name = "Method rec"
behavior = "default behavior"
file = "HOME/tests/java/Power.java"
line = 65
begin = 16
end = 19

[JC_110]
file = "HOME/tests/java/Power.java"
line = 61
begin = 17
end = 23

[JC_103]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_46]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[JC_141]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_61]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_32]
file = "HOME/tests/java/Power.jc"
line = 93
begin = 15
end = 530

[JC_56]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_33]
kind = DivByZero
file = "HOME/tests/java/Power.java"
line = 87
begin = 16
end = 21

[JC_65]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_118]
file = "HOME/tests/java/Power.java"
line = 62
begin = 18
end = 19

[JC_105]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_140]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_29]
file = "HOME/tests/java/Power.java"
line = 83
begin = 14
end = 52

[JC_144]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_159]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[cons_Object_safety]
name = "Constructor of class Object"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_68]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_96]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_43]
kind = DivByZero
file = "HOME/tests/java/Power.jc"
line = 103
begin = 29
end = 35

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Power_ensures_default]
name = "Constructor of class Power"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_95]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_93]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_97]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_84]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[JC_160]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_128]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
kind = DivByZero
file = "HOME/tests/java/Power.jc"
line = 103
begin = 29
end = 35

[JC_114]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_150]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_117]
kind = UserCall
file = "HOME/tests/java/Power.java"
line = 67
begin = 17
end = 28

[JC_90]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_53]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_157]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[JC_145]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_21]
file = "HOME/tests/java/Power.java"
line = 75
begin = 17
end = 23

[JC_149]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[JC_111]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_77]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_49]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1]
file = "HOME/tests/java/Power.jc"
line = 10
begin = 12
end = 22

[JC_131]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_102]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_37]
file = "HOME/tests/java/Power.java"
line = 83
begin = 24
end = 52

[JC_142]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[power_odd]
name = "Lemma power_odd"
behavior = "lemma"
file = "HOME/tests/java/Power.java"
line = 52
begin = 10
end = 19

[JC_108]
file = "HOME/tests/java/Power.java"
line = 61
begin = 17
end = 23

[JC_57]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_161]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_146]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_89]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_136]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_66]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_59]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/tests/java/Power.jc"
line = 37
begin = 11
end = 65

[JC_3]
file = "HOME/tests/java/Power.jc"
line = 10
begin = 12
end = 22

[JC_92]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[JC_152]
file = "HOME/"
line = 0
begin = -1
end = -1

[power_mul]
name = "Lemma power_mul"
behavior = "lemma"
file = "HOME/tests/java/Power.java"
line = 44
begin = 10
end = 19

[JC_86]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[JC_60]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[JC_139]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_72]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_19]
file = "HOME/tests/java/Power.java"
line = 75
begin = 17
end = 23

[JC_119]
file = "HOME/tests/java/Power.java"
line = 62
begin = 18
end = 19

[JC_76]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[JC_50]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_120]
kind = VarDecr
file = "HOME/tests/java/Power.java"
line = 67
begin = 17
end = 28

[JC_58]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_100]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_28]
file = "HOME/tests/java/Power.java"
line = 83
begin = 24
end = 52

========== file tests/java/why/Power.why ==========
type Object

type interface

logic Exception_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), (0))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic Power_tag:  -> Object tag_id

axiom Power_parenttag_Object : parenttag(Power_tag, Object_tag)

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Power(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

logic power: int, int -> int

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Power(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Power(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Power(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

axiom power_s :
 (forall x_1_0:int.
  (forall n_0:int.
   (power(x_1_0, add_int(n_0, (1))) = mul_int(x_1_0, power(x_1_0, n_0)))))

axiom power_0 : (forall x_0_0:int. (power(x_0_0, (0)) = (1)))

lemma power_mul :
 (forall x_2_0:int.
  (forall y:int.
   (forall n_1:int.
    (ge_int(n_1, (0)) ->
     (power(mul_int(x_2_0, y), n_1) = mul_int(power(x_2_0, n_1),
                                      power(y, n_1)))))))

lemma power_even :
 (forall x_3:int.
  (forall n_2:int.
   ((ge_int(n_2, (0)) and (computer_mod(n_2, (2)) = (0))) ->
    (power(x_3, n_2) = power(mul_int(x_3, x_3), computer_div(n_2, (2)))))))

lemma power_odd :
 (forall x_4:int.
  (forall n_3:int.
   ((ge_int(n_3, (0)) and (computer_mod(n_3, (2)) <> (0))) ->
    (power(x_4, n_3) = mul_int(x_4,
                       power(mul_int(x_4, x_4), computer_div(n_3, (2))))))))

exception Exception_exc of Object pointer

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Object_alloc_table : Object alloc_table ref

parameter Object_clone :
 this_2:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_clone_requires :
 this_2:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_equals :
 this_5:Object pointer ->
  obj:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Object_equals_requires :
 this_5:Object pointer ->
  obj:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Object_finalize :
 this_11:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_finalize_requires :
 this_11:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_hashCode :
 this_4:Object pointer -> { } int reads Object_alloc_table { true }

parameter Object_hashCode_requires :
 this_4:Object pointer -> { } int reads Object_alloc_table { true }

parameter Object_notify :
 this_7:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notifyAll :
 this_3:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notifyAll_requires :
 this_3:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notify_requires :
 this_7:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_registerNatives : tt:unit -> { } unit { true }

parameter Object_registerNatives_requires : tt:unit -> { } unit { true }

parameter Object_tag_table : Object tag_table ref

parameter Object_toString :
 this_9:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_toString_requires :
 this_9:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_wait :
 this_6:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long :
 this_8:Object pointer ->
  timeout:int -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_int :
 this_10:Object pointer ->
  timeout_0:int -> nanos:int -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_int_requires :
 this_10:Object pointer ->
  timeout_0:int -> nanos:int -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_requires :
 this_8:Object pointer ->
  timeout:int -> { } unit reads Object_alloc_table { true }

parameter Object_wait_requires :
 this_6:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Power_imp :
 x_6:int -> n_5:int -> { } int { (JC_24: (result = power(x_6, n_5))) }

parameter Power_imp_requires :
 x_6:int ->
  n_5:int ->
   { (JC_19: le_int((0), n_5))} int { (JC_24: (result = power(x_6, n_5))) }

parameter Power_rec :
 x_5:int -> n_4:int -> { } int { (JC_113: (result = power(x_5, n_4))) }

parameter Power_rec_requires :
 x_5:int ->
  n_4:int ->
   { (JC_108: le_int((0), n_4))} int { (JC_113: (result = power(x_5, n_4))) }

exception Return_label_exc of unit

exception Throwable_exc of Object pointer

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Power :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Power(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Power_tag)))) }

parameter alloc_struct_Power_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Power(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Power_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter cons_Object :
 this_12:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Object_requires :
 this_12:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Power :
 this_1:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Power_requires :
 this_1:Object pointer -> { } unit reads Object_alloc_table { true }

parameter non_null_Object :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter non_null_Object_requires :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

let Power_imp_ensures_default =
 fun (x_6 : int) (n_5 : int) ->
  { (JC_21: le_int((0), n_5)) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let r = ref (K_15: (1)) in
     (let p = ref (K_14: x_6) in
     (let e = ref (K_13: n_5) in
     begin
       try
        (loop_2:
        while true do
        { invariant
            (JC_38:
            ((JC_36: le_int((0), e))
            and (JC_37: (mul_int(r, power(p, e)) = power(x_6, n_5))))) 
           }
         begin
           [ { } unit { true } ];
          try
           begin
             (if (K_12: ((gt_int_ !e) (0)))
             then
              (let _jessie_ =
              begin
                (if (K_9:
                    ((neq_int_ (K_8: (JC_42: ((computer_mod !e) (2))))) (0)))
                then
                 (let _jessie_ = (K_7: (r := ((mul_int !r) !p))) in void)
                else void);
               (K_10:
               begin
                 (let _jessie_ = (p := ((mul_int !p) !p)) in void);
                (K_11:
                begin   (e := (JC_43: ((computer_div !e) (2)))); !e end) end)
              end in void) else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ -> void end end done) with
        Loop_exit_exc _jessie_ -> void end; (return := !r); (raise Return)
     end))); absurd  end with Return -> !return end))
  { (JC_23: (result = power(x_6, n_5))) } 

let Power_imp_safety =
 fun (x_6 : int) (n_5 : int) ->
  { (JC_21: le_int((0), n_5)) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let r = ref (K_15: (1)) in
     (let p = ref (K_14: x_6) in
     (let e = ref (K_13: n_5) in
     begin
       try
        (loop_1:
        while true do
        { invariant (JC_31: true) variant (JC_35 : e) }
         begin
           [ { } unit reads e,p,r
             { (JC_29:
               ((JC_27: le_int((0), e))
               and (JC_28: (mul_int(r, power(p, e)) = power(x_6, n_5))))) } ];
          try
           begin
             (if (K_12: ((gt_int_ !e) (0)))
             then
              (let _jessie_ =
              begin
                (if (K_9:
                    ((neq_int_ (K_8: (JC_33: ((computer_mod_ !e) (2))))) (0)))
                then
                 (let _jessie_ = (K_7: (r := ((mul_int !r) !p))) in void)
                else void);
               (K_10:
               begin
                 (let _jessie_ = (p := ((mul_int !p) !p)) in void);
                (K_11:
                begin   (e := (JC_34: ((computer_div_ !e) (2)))); !e end) end)
              end in void) else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ -> void end end done) with
        Loop_exit_exc _jessie_ -> void end; (return := !r); (raise Return)
     end))); absurd  end with Return -> !return end)) { true } 

let Power_rec_ensures_default =
 fun (x_5 : int) (n_4 : int) ->
  { (JC_110: le_int((0), n_4)) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (if (K_19: ((eq_int_ n_4) (0)))
     then begin   (return := (1)); (raise Return) end else void);
    (let r_0 =
    (K_26:
    (let _jessie_ = x_5 in
    (let _jessie_ = (K_25: (JC_122: ((computer_div n_4) (2)))) in
    (JC_123: ((Power_rec _jessie_) _jessie_))))) in
    begin
      (if (K_22: ((eq_int_ (K_21: (JC_124: ((computer_mod n_4) (2))))) (0)))
      then
       begin   (return := (K_20: ((mul_int r_0) r_0))); (raise Return) end
      else void);
     (return := (K_24: ((mul_int (K_23: ((mul_int r_0) r_0))) x_5)));
     (raise Return) end); absurd  end with Return -> !return end))
  { (JC_112: (result = power(x_5, n_4))) } 

let Power_rec_safety =
 fun (x_5 : int) (n_4 : int) ->
  { (JC_110: le_int((0), n_4)) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (if (K_19: ((eq_int_ n_4) (0)))
     then begin   (return := (1)); (raise Return) end else void);
    (let r_0 =
    (K_26:
    (let _jessie_ = x_5 in
    (let _jessie_ = (K_25: (JC_116: ((computer_div_ n_4) (2)))) in
    (JC_120:
    (check { zwf_zero((JC_119 : _jessie_), (JC_118 : n_4)) };
    (JC_117: ((Power_rec_requires _jessie_) _jessie_))))))) in
    begin
      (if (K_22: ((eq_int_ (K_21: (JC_121: ((computer_mod_ n_4) (2))))) (0)))
      then
       begin   (return := (K_20: ((mul_int r_0) r_0))); (raise Return) end
      else void);
     (return := (K_24: ((mul_int (K_23: ((mul_int r_0) r_0))) x_5)));
     (raise Return) end); absurd  end with Return -> !return end)) { true } 

let cons_Object_ensures_default =
 fun (this_12 : Object pointer) ->
  { valid_struct_Object(this_12, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_145: true) } 

let cons_Object_safety =
 fun (this_12 : Object pointer) ->
  { valid_struct_Object(this_12, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 

let cons_Power_ensures_default =
 fun (this_1 : Object pointer) ->
  { valid_struct_Power(this_1, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_104: true) } 

let cons_Power_safety =
 fun (this_1 : Object pointer) ->
  { valid_struct_Power(this_1, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 


why-2.39/tests/java/oracle/Literals.res.oracle0000644000106100004300000007144413147234006020331 0ustar  marchevals========== file tests/java/Literals.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

class Literals {

    public static final int x = 0xbad;

    /*@ ensures \result == 5991;
      @*/
    int f() {
	int y = 0xbad;
	return y+x+015;
    }

}


/*
Local Variables:
compile-command: "make Literals.why3ide"
End:
*/


========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function cons_Literals for constructor Literals
Generating JC function Literals_f for method Literals.f
Done.
========== file tests/java/Literals.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

type byte = -128..127

type short = -32768..32767

type int32 = -2147483648..2147483647

type long = -9223372036854775808..9223372036854775807

type char = 0..65535

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

logic int32 Literals_x =
2989

String[0..] any_string()
;

tag String = Object with {
}

tag Literals = Object with {
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

unit cons_Literals(! Literals[0] this_1){()}

int32 Literals_f(Literals[0] this_0)
behavior default:
  ensures (K_1 : (\result == 5991));
{  
   {  
      (var int32 y = (K_4 : 0xbad));
      
      (return (K_3 : (((K_2 : ((y + Literals_x) :> int32)) + 015) :> int32)))
   }
}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/Literals.jloc tests/java/Literals.jc && make -f tests/java/Literals.makefile gui"
End:
*/
========== file tests/java/Literals.jloc ==========
[cons_Literals]
name = "Constructor of class Literals"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_1]
file = "HOME/tests/java/Literals.java"
line = 36
begin = 16
end = 31

[K_4]
file = "HOME/tests/java/Literals.java"
line = 39
begin = 9
end = 14

[Literals_f]
name = "Method f"
file = "HOME/tests/java/Literals.java"
line = 38
begin = 8
end = 9

[K_2]
file = "HOME/tests/java/Literals.java"
line = 40
begin = 8
end = 11

[K_3]
file = "HOME/tests/java/Literals.java"
line = 40
begin = 8
end = 15

========== jessie execution ==========
Generating Why function cons_Literals
Generating Why function Literals_f
========== file tests/java/Literals.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/Literals_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: Literals.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: Literals.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: Literals.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/java/Literals.loc ==========
[Literals_f_ensures_default]
name = "Method f"
behavior = "default behavior"
file = "HOME/tests/java/Literals.java"
line = 38
begin = 8
end = 9

[JC_31]
file = "HOME/tests/java/Literals.java"
line = 36
begin = 16
end = 31

[JC_17]
file = "HOME/tests/java/Literals.jc"
line = 50
begin = 11
end = 65

[JC_23]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_9]
file = "HOME/tests/java/Literals.jc"
line = 48
begin = 8
end = 23

[JC_24]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_25]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/java/Literals.jc"
line = 48
begin = 8
end = 23

[cons_Literals_safety]
name = "Constructor of class Literals"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[Literals_f_safety]
name = "Method f"
behavior = "Safety"
file = "HOME/tests/java/Literals.java"
line = 38
begin = 8
end = 9

[JC_36]
kind = ArithOverflow
file = "HOME/tests/java/Literals.java"
line = 40
begin = 8
end = 15

[JC_35]
kind = ArithOverflow
file = "HOME/tests/java/Literals.java"
line = 40
begin = 8
end = 11

[JC_27]
file = "HOME/tests/java/Literals.java"
line = 38
begin = 8
end = 9

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_32]
file = "HOME/tests/java/Literals.java"
line = 36
begin = 16
end = 31

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_29]
file = "HOME/tests/java/Literals.java"
line = 38
begin = 8
end = 9

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_21]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1]
file = "HOME/tests/java/Literals.jc"
line = 23
begin = 12
end = 22

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Literals_ensures_default]
name = "Constructor of class Literals"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/tests/java/Literals.jc"
line = 50
begin = 11
end = 65

[JC_3]
file = "HOME/tests/java/Literals.jc"
line = 23
begin = 12
end = 22

[JC_19]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/java/why/Literals.why ==========
type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

logic Literals_tag:  -> Object tag_id

axiom Literals_parenttag_Object : parenttag(Literals_tag, Object_tag)

logic int32_of_integer: int -> int32

function Literals_x() : int32 = int32_of_integer((2989))

predicate Non_null_Object(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), (0))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic integer_of_byte: byte -> int

logic byte_of_integer: int -> byte

axiom byte_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_byte(byte_of_integer(x)), x)))

axiom byte_extensionality :
 (forall x:byte.
  (forall y:byte[eq_int(integer_of_byte(x), integer_of_byte(y))].
   (eq_int(integer_of_byte(x), integer_of_byte(y)) -> (x = y))))

axiom byte_range :
 (forall x:byte.
  (le_int((-128), integer_of_byte(x)) and le_int(integer_of_byte(x), (127))))

logic integer_of_char: char -> int

logic char_of_integer: int -> char

axiom char_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (65535))) ->
   eq_int(integer_of_char(char_of_integer(x)), x)))

axiom char_extensionality :
 (forall x:char.
  (forall y:char[eq_int(integer_of_char(x), integer_of_char(y))].
   (eq_int(integer_of_char(x), integer_of_char(y)) -> (x = y))))

axiom char_range :
 (forall x:char.
  (le_int((0), integer_of_char(x)) and le_int(integer_of_char(x), (65535))))

predicate eq_byte(x:byte, y:byte) =
 eq_int(integer_of_byte(x), integer_of_byte(y))

predicate eq_char(x:char, y:char) =
 eq_int(integer_of_char(x), integer_of_char(y))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_long: long -> int

predicate eq_long(x:long, y:long) =
 eq_int(integer_of_long(x), integer_of_long(y))

logic integer_of_short: short -> int

predicate eq_short(x:short, y:short) =
 eq_int(integer_of_short(x), integer_of_short(y))

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Literals(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer: int -> long

axiom long_coerce :
 (forall x:int.
  ((le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807))) ->
   eq_int(integer_of_long(long_of_integer(x)), x)))

axiom long_extensionality :
 (forall x:long.
  (forall y:long[eq_int(integer_of_long(x), integer_of_long(y))].
   (eq_int(integer_of_long(x), integer_of_long(y)) -> (x = y))))

axiom long_range :
 (forall x:long.
  (le_int((-9223372036854775808), integer_of_long(x))
  and le_int(integer_of_long(x), (9223372036854775807))))

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Literals(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer: int -> short

axiom short_coerce :
 (forall x:int.
  ((le_int((-32768), x) and le_int(x, (32767))) ->
   eq_int(integer_of_short(short_of_integer(x)), x)))

axiom short_extensionality :
 (forall x:short.
  (forall y:short[eq_int(integer_of_short(x), integer_of_short(y))].
   (eq_int(integer_of_short(x), integer_of_short(y)) -> (x = y))))

axiom short_range :
 (forall x:short.
  (le_int((-32768), integer_of_short(x))
  and le_int(integer_of_short(x), (32767))))

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Literals(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Literals(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

exception Exception_exc of Object pointer

parameter Object_alloc_table : Object alloc_table ref

parameter Literals_f :
 this_0:Object pointer ->
  { } int32 reads Object_alloc_table
  { (JC_32: (integer_of_int32(result) = (5991))) }

parameter Literals_f_requires :
 this_0:Object pointer ->
  { } int32 reads Object_alloc_table
  { (JC_32: (integer_of_int32(result) = (5991))) }

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Object_tag_table : Object tag_table ref

exception Return_label_exc of unit

exception Throwable_exc of Object pointer

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Literals :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Literals(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Literals_tag)))) }

parameter alloc_struct_Literals_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Literals(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Literals_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_byte : unit -> { } byte { true }

parameter any_char : unit -> { } char { true }

parameter any_int32 : unit -> { } int32 { true }

parameter any_long : unit -> { } long { true }

parameter any_short : unit -> { } short { true }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter byte_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} byte
  { eq_int(integer_of_byte(result), x) }

parameter char_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (65535)))} char
  { eq_int(integer_of_char(result), x) }

parameter cons_Literals :
 this_1:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Literals_requires :
 this_1:Object pointer -> { } unit reads Object_alloc_table { true }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter long_of_integer_ :
 x:int ->
  { (le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807)))}
  long { eq_int(integer_of_long(result), x) }

parameter non_null_Object :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter non_null_Object_requires :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter safe_byte_of_integer_ :
 x:int -> { } byte { eq_int(integer_of_byte(result), x) }

parameter safe_char_of_integer_ :
 x:int -> { } char { eq_int(integer_of_char(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_long_of_integer_ :
 x:int -> { } long { eq_int(integer_of_long(result), x) }

parameter safe_short_of_integer_ :
 x:int -> { } short { eq_int(integer_of_short(result), x) }

parameter short_of_integer_ :
 x:int ->
  { (le_int((-32768), x) and le_int(x, (32767)))} short
  { eq_int(integer_of_short(result), x) }

let Literals_f_ensures_default =
 fun (this_0 : Object pointer) ->
  { valid_struct_Literals(this_0, (0), (0), Object_alloc_table) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let y = (safe_int32_of_integer_ (K_4: (2989))) in
     begin
       (return := (K_3:
                  (safe_int32_of_integer_ ((add_int (integer_of_int32 
                                                     (K_2:
                                                     (safe_int32_of_integer_ 
                                                      ((add_int (integer_of_int32 y)) 
                                                       (integer_of_int32 Literals_x)))))) (13)))));
      (raise Return) end); absurd  end with Return -> !return end))
  { (JC_31: (integer_of_int32(result) = (5991))) } 

let Literals_f_safety =
 fun (this_0 : Object pointer) ->
  { valid_struct_Literals(this_0, (0), (0), Object_alloc_table) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let y = (safe_int32_of_integer_ (K_4: (2989))) in
     begin
       (return := (K_3:
                  (JC_36:
                  (int32_of_integer_ ((add_int (integer_of_int32 (K_2:
                                                                 (JC_35:
                                                                 (int32_of_integer_ 
                                                                  ((add_int 
                                                                    (integer_of_int32 y)) 
                                                                   (integer_of_int32 Literals_x))))))) (13))))));
      (raise Return) end); absurd  end with Return -> !return end)) { true } 

let cons_Literals_ensures_default =
 fun (this_1 : Object pointer) ->
  { valid_struct_Literals(this_1, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_23: true) } 

let cons_Literals_safety =
 fun (this_1 : Object pointer) ->
  { valid_struct_Literals(this_1, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 


why-2.39/tests/java/oracle/Literals.err.oracle0000644000106100004300000000000013147234006020304 0ustar  marchevalswhy-2.39/tests/java/oracle/Counter.err.oracle0000644000106100004300000000000013147234006020144 0ustar  marchevalswhy-2.39/tests/java/oracle/MullerTheory.err.oracle0000644000106100004300000000000013147234006021160 0ustar  marchevalswhy-2.39/tests/java/oracle/MyCosine.err.oracle0000644000106100004300000000000013147234006020253 0ustar  marchevalswhy-2.39/tests/java/oracle/Gcd.err.oracle0000644000106100004300000000000013147234006017222 0ustar  marchevalswhy-2.39/tests/java/oracle/MacCarthy.res.oracle0000644000106100004300000013326413147234006020424 0ustar  marchevals========== file tests/java/MacCarthy.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


/* McCarthy's ``91'' function. */

public class MacCarthy {

    /*@ decreases 101-n ;
      @ behavior less_than_101:
      @   assumes n <= 100;
      @   ensures \result == 91;
      @ behavior greater_than_100:
      @   assumes n >= 101;
      @   ensures \result == n - 10;
      @*/
    public static int f91(int n) {
	if (n <= 100) {
	    return f91(f91(n + 11));
	}
	else
	    return n - 10;
    }

}

/*
Local Variables:
compile-command: "make MacCarthy.why3ide"
End:
*/


========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function cons_MacCarthy for constructor MacCarthy
Generating JC function Object_toString for method Object.toString
Generating JC function Object_wait_long for method Object.wait
Generating JC function Object_equals for method Object.equals
Generating JC function Object_clone for method Object.clone
Generating JC function Object_finalize for method Object.finalize
Generating JC function Object_notifyAll for method Object.notifyAll
Generating JC function Object_wait_long_int for method Object.wait
Generating JC function Object_registerNatives for method Object.registerNatives
Generating JC function MacCarthy_f91 for method MacCarthy.f91
Generating JC function Object_notify for method Object.notify
Generating JC function Object_wait for method Object.wait
Generating JC function cons_Object for constructor Object
Generating JC function Object_hashCode for method Object.hashCode
Done.
========== file tests/java/MacCarthy.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

type byte = -128..127

type short = -32768..32767

type int32 = -2147483648..2147483647

type long = -9223372036854775808..9223372036854775807

type char = 0..65535

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag MacCarthy = Object with {
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

unit cons_MacCarthy(! MacCarthy[0] this_1){()}

String[0..] Object_toString(Object[0] this_2)
;

unit Object_wait_long(Object[0] this_3, long timeout)
;

boolean Object_equals(Object[0] this_4, Object[0..] obj)
;

Object[0..] Object_clone(Object[0] this_5)
;

unit Object_finalize(Object[0] this_6)
;

unit Object_notifyAll(Object[0] this_7)
;

unit Object_wait_long_int(Object[0] this_8, long timeout_0, int32 nanos)
;

unit Object_registerNatives()
;

int32 MacCarthy_f91(int32 n)
  decreases (K_3 : (101 - n));
behavior less_than_101:
  assumes (n <= 100);
  ensures (K_1 : (\result == 91));
behavior greater_than_100:
  assumes (n >= 101);
  ensures (K_2 : (\result == (n - 10)));
{  (if (K_8 : (n <= 100)) then 
   (return (K_7 : MacCarthy_f91((K_6 : MacCarthy_f91((K_5 : ((n + 11) :> int32))))))) else 
   (return (K_4 : ((n - 10) :> int32))))
}

unit Object_notify(Object[0] this_9)
;

unit Object_wait(Object[0] this_10)
;

unit cons_Object(! Object[0] this_12){()}

int32 Object_hashCode(Object[0] this_11)
;

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/MacCarthy.jloc tests/java/MacCarthy.jc && make -f tests/java/MacCarthy.makefile gui"
End:
*/
========== file tests/java/MacCarthy.jloc ==========
[Object_wait_long]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[Object_finalize]
name = "Method finalize"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[Object_wait]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[Object_notify]
name = "Method notify"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[Object_clone]
name = "Method clone"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[cons_Object]
name = "Constructor of class Object"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_1]
file = "HOME/tests/java/MacCarthy.java"
line = 40
begin = 18
end = 31

[MacCarthy_f91]
name = "Method f91"
file = "HOME/tests/java/MacCarthy.java"
line = 45
begin = 22
end = 25

[K_4]
file = "HOME/tests/java/MacCarthy.java"
line = 50
begin = 12
end = 18

[Object_wait_long_int]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[Object_registerNatives]
name = "Method registerNatives"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[K_2]
file = "HOME/tests/java/MacCarthy.java"
line = 43
begin = 18
end = 35

[K_6]
file = "HOME/tests/java/MacCarthy.java"
line = 47
begin = 16
end = 27

[K_8]
file = "HOME/tests/java/MacCarthy.java"
line = 46
begin = 5
end = 13

[K_3]
file = "HOME/tests/java/MacCarthy.java"
line = 37
begin = 18
end = 23

[Object_notifyAll]
name = "Method notifyAll"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[cons_MacCarthy]
name = "Constructor of class MacCarthy"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_5]
file = "HOME/tests/java/MacCarthy.java"
line = 47
begin = 20
end = 26

[Object_equals]
name = "Method equals"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[K_7]
file = "HOME/tests/java/MacCarthy.java"
line = 47
begin = 12
end = 28

[Object_hashCode]
name = "Method hashCode"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[Object_toString]
name = "Method toString"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

========== jessie execution ==========
Generating Why function cons_MacCarthy
Generating Why function MacCarthy_f91
Generating Why function cons_Object
========== file tests/java/MacCarthy.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/MacCarthy_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: MacCarthy.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: MacCarthy.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: MacCarthy.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/java/MacCarthy.loc ==========
[JC_94]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_73]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_63]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_80]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_51]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[JC_71]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_147]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_45]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[JC_123]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_106]
file = "HOME/tests/java/MacCarthy.java"
line = 37
begin = 18
end = 23

[cons_MacCarthy_safety]
name = "Constructor of class MacCarthy"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_143]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[JC_113]
kind = UserCall
file = "HOME/tests/java/MacCarthy.java"
line = 47
begin = 16
end = 27

[JC_116]
kind = UserCall
file = "HOME/tests/java/MacCarthy.java"
line = 47
begin = 12
end = 28

[JC_64]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_133]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Object_ensures_default]
name = "Constructor of class Object"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_99]
file = "HOME/tests/java/MacCarthy.java"
line = 40
begin = 18
end = 31

[JC_85]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[JC_126]
file = "HOME/"
line = 0
begin = -1
end = -1

[MacCarthy_f91_ensures_less_than_101]
name = "Method f91"
behavior = "Behavior `less_than_101'"
file = "HOME/tests/java/MacCarthy.java"
line = 45
begin = 22
end = 25

[JC_31]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_17]
file = "HOME/tests/java/MacCarthy.jc"
line = 47
begin = 11
end = 65

[JC_122]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_81]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_55]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_138]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_134]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_148]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_137]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_48]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_23]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_121]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_125]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_67]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[JC_9]
file = "HOME/tests/java/MacCarthy.jc"
line = 45
begin = 8
end = 23

[JC_75]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[JC_24]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_25]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_78]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_41]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_74]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_47]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_52]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_MacCarthy_ensures_default]
name = "Constructor of class MacCarthy"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_79]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_130]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_82]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_87]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/java/MacCarthy.jc"
line = 45
begin = 8
end = 23

[JC_98]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_70]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_104]
kind = UserCall
file = "HOME/tests/java/MacCarthy.java"
line = 47
begin = 16
end = 27

[JC_91]
file = "HOME/tests/java/MacCarthy.java"
line = 45
begin = 22
end = 25

[JC_39]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_112]
kind = ArithOverflow
file = "HOME/tests/java/MacCarthy.java"
line = 50
begin = 12
end = 18

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_135]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_83]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[JC_35]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[JC_132]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[JC_115]
kind = UserCall
file = "HOME/tests/java/MacCarthy.java"
line = 47
begin = 16
end = 27

[JC_109]
file = "HOME/tests/java/MacCarthy.java"
line = 37
begin = 18
end = 23

[JC_107]
kind = VarDecr
file = "HOME/tests/java/MacCarthy.java"
line = 47
begin = 16
end = 27

[JC_69]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[JC_124]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_38]
file = "HOME/"
line = 0
begin = -1
end = -1

[MacCarthy_f91_ensures_default]
name = "Method f91"
behavior = "default behavior"
file = "HOME/tests/java/MacCarthy.java"
line = 45
begin = 22
end = 25

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_127]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[JC_44]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_101]
file = "HOME/tests/java/MacCarthy.java"
line = 43
begin = 18
end = 35

[JC_88]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_129]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[JC_42]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_110]
file = "HOME/tests/java/MacCarthy.java"
line = 37
begin = 18
end = 23

[JC_103]
kind = ArithOverflow
file = "HOME/tests/java/MacCarthy.java"
line = 47
begin = 20
end = 26

[JC_46]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_141]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_61]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_56]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_65]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_118]
kind = UserCall
file = "HOME/tests/java/MacCarthy.java"
line = 47
begin = 12
end = 28

[JC_105]
file = "HOME/tests/java/MacCarthy.java"
line = 37
begin = 18
end = 23

[JC_140]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_29]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[JC_144]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Object_safety]
name = "Constructor of class Object"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_68]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_96]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_43]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_95]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_93]
file = "HOME/tests/java/MacCarthy.java"
line = 45
begin = 22
end = 25

[JC_97]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_84]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_128]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_114]
kind = UserCall
file = "HOME/tests/java/MacCarthy.java"
line = 47
begin = 12
end = 28

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_150]
file = "HOME/"
line = 0
begin = -1
end = -1

[MacCarthy_f91_ensures_greater_than_100]
name = "Method f91"
behavior = "Behavior `greater_than_100'"
file = "HOME/tests/java/MacCarthy.java"
line = 45
begin = 22
end = 25

[JC_117]
kind = UserCall
file = "HOME/tests/java/MacCarthy.java"
line = 47
begin = 16
end = 27

[JC_90]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_53]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[JC_145]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[MacCarthy_f91_safety]
name = "Method f91"
behavior = "Safety"
file = "HOME/tests/java/MacCarthy.java"
line = 45
begin = 22
end = 25

[JC_21]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_149]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_111]
kind = VarDecr
file = "HOME/tests/java/MacCarthy.java"
line = 47
begin = 12
end = 28

[JC_77]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[JC_49]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1]
file = "HOME/tests/java/MacCarthy.jc"
line = 20
begin = 12
end = 22

[JC_131]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_102]
file = "HOME/tests/java/MacCarthy.java"
line = 43
begin = 18
end = 35

[JC_37]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[JC_142]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_108]
kind = UserCall
file = "HOME/tests/java/MacCarthy.java"
line = 47
begin = 12
end = 28

[JC_57]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_146]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_89]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_136]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_66]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_59]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/tests/java/MacCarthy.jc"
line = 47
begin = 11
end = 65

[JC_3]
file = "HOME/tests/java/MacCarthy.jc"
line = 20
begin = 12
end = 22

[JC_92]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_86]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_60]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_139]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_72]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_19]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_119]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[JC_76]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_50]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_120]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_58]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_100]
file = "HOME/tests/java/MacCarthy.java"
line = 40
begin = 18
end = 31

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/java/why/MacCarthy.why ==========
type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

logic MacCarthy_tag:  -> Object tag_id

axiom MacCarthy_parenttag_Object : parenttag(MacCarthy_tag, Object_tag)

predicate Non_null_Object(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), (0))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic integer_of_byte: byte -> int

logic byte_of_integer: int -> byte

axiom byte_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_byte(byte_of_integer(x)), x)))

axiom byte_extensionality :
 (forall x:byte.
  (forall y:byte[eq_int(integer_of_byte(x), integer_of_byte(y))].
   (eq_int(integer_of_byte(x), integer_of_byte(y)) -> (x = y))))

axiom byte_range :
 (forall x:byte.
  (le_int((-128), integer_of_byte(x)) and le_int(integer_of_byte(x), (127))))

logic integer_of_char: char -> int

logic char_of_integer: int -> char

axiom char_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (65535))) ->
   eq_int(integer_of_char(char_of_integer(x)), x)))

axiom char_extensionality :
 (forall x:char.
  (forall y:char[eq_int(integer_of_char(x), integer_of_char(y))].
   (eq_int(integer_of_char(x), integer_of_char(y)) -> (x = y))))

axiom char_range :
 (forall x:char.
  (le_int((0), integer_of_char(x)) and le_int(integer_of_char(x), (65535))))

predicate eq_byte(x:byte, y:byte) =
 eq_int(integer_of_byte(x), integer_of_byte(y))

predicate eq_char(x:char, y:char) =
 eq_int(integer_of_char(x), integer_of_char(y))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_long: long -> int

predicate eq_long(x:long, y:long) =
 eq_int(integer_of_long(x), integer_of_long(y))

logic integer_of_short: short -> int

predicate eq_short(x:short, y:short) =
 eq_int(integer_of_short(x), integer_of_short(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_MacCarthy(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer: int -> long

axiom long_coerce :
 (forall x:int.
  ((le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807))) ->
   eq_int(integer_of_long(long_of_integer(x)), x)))

axiom long_extensionality :
 (forall x:long.
  (forall y:long[eq_int(integer_of_long(x), integer_of_long(y))].
   (eq_int(integer_of_long(x), integer_of_long(y)) -> (x = y))))

axiom long_range :
 (forall x:long.
  (le_int((-9223372036854775808), integer_of_long(x))
  and le_int(integer_of_long(x), (9223372036854775807))))

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_MacCarthy(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer: int -> short

axiom short_coerce :
 (forall x:int.
  ((le_int((-32768), x) and le_int(x, (32767))) ->
   eq_int(integer_of_short(short_of_integer(x)), x)))

axiom short_extensionality :
 (forall x:short.
  (forall y:short[eq_int(integer_of_short(x), integer_of_short(y))].
   (eq_int(integer_of_short(x), integer_of_short(y)) -> (x = y))))

axiom short_range :
 (forall x:short.
  (le_int((-32768), integer_of_short(x))
  and le_int(integer_of_short(x), (32767))))

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_MacCarthy(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_MacCarthy(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

exception Exception_exc of Object pointer

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter MacCarthy_f91 :
 n:int32 ->
  { } int32
  { ((ge_int(integer_of_int32(n), (101)) ->
      (JC_102:
      (integer_of_int32(result) = sub_int(integer_of_int32(n), (10)))))
    and (le_int(integer_of_int32(n), (100)) ->
         (JC_100: (integer_of_int32(result) = (91))))) }

parameter MacCarthy_f91_requires :
 n:int32 ->
  { } int32
  { ((ge_int(integer_of_int32(n), (101)) ->
      (JC_102:
      (integer_of_int32(result) = sub_int(integer_of_int32(n), (10)))))
    and (le_int(integer_of_int32(n), (100)) ->
         (JC_100: (integer_of_int32(result) = (91))))) }

parameter Object_alloc_table : Object alloc_table ref

parameter Object_clone :
 this_5:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_clone_requires :
 this_5:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_equals :
 this_4:Object pointer ->
  obj:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Object_equals_requires :
 this_4:Object pointer ->
  obj:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Object_finalize :
 this_6:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_finalize_requires :
 this_6:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_hashCode :
 this_11:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter Object_hashCode_requires :
 this_11:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter Object_notify :
 this_9:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notifyAll :
 this_7:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notifyAll_requires :
 this_7:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notify_requires :
 this_9:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_registerNatives : tt:unit -> { } unit { true }

parameter Object_registerNatives_requires : tt:unit -> { } unit { true }

parameter Object_tag_table : Object tag_table ref

parameter Object_toString :
 this_2:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_toString_requires :
 this_2:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_wait :
 this_10:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long :
 this_3:Object pointer ->
  timeout:long -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_int :
 this_8:Object pointer ->
  timeout_0:long -> nanos:int32 -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_int_requires :
 this_8:Object pointer ->
  timeout_0:long -> nanos:int32 -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_requires :
 this_3:Object pointer ->
  timeout:long -> { } unit reads Object_alloc_table { true }

parameter Object_wait_requires :
 this_10:Object pointer -> { } unit reads Object_alloc_table { true }

exception Return_label_exc of unit

exception Throwable_exc of Object pointer

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_MacCarthy :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_MacCarthy(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, MacCarthy_tag)))) }

parameter alloc_struct_MacCarthy_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_MacCarthy(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, MacCarthy_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_byte : unit -> { } byte { true }

parameter any_char : unit -> { } char { true }

parameter any_int32 : unit -> { } int32 { true }

parameter any_long : unit -> { } long { true }

parameter any_short : unit -> { } short { true }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter byte_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} byte
  { eq_int(integer_of_byte(result), x) }

parameter char_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (65535)))} char
  { eq_int(integer_of_char(result), x) }

parameter cons_MacCarthy :
 this_1:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_MacCarthy_requires :
 this_1:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Object :
 this_12:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Object_requires :
 this_12:Object pointer -> { } unit reads Object_alloc_table { true }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter long_of_integer_ :
 x:int ->
  { (le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807)))}
  long { eq_int(integer_of_long(result), x) }

parameter non_null_Object :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter non_null_Object_requires :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter safe_byte_of_integer_ :
 x:int -> { } byte { eq_int(integer_of_byte(result), x) }

parameter safe_char_of_integer_ :
 x:int -> { } char { eq_int(integer_of_char(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_long_of_integer_ :
 x:int -> { } long { eq_int(integer_of_long(result), x) }

parameter safe_short_of_integer_ :
 x:int -> { } short { eq_int(integer_of_short(result), x) }

parameter short_of_integer_ :
 x:int ->
  { (le_int((-32768), x) and le_int(x, (32767)))} short
  { eq_int(integer_of_short(result), x) }

let MacCarthy_f91_ensures_default =
 fun (n : int32) ->
  { (JC_94: true) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (if (K_8: ((le_int_ (integer_of_int32 n)) (100)))
     then
      begin
        (return := (K_7:
                   (let _jessie_ =
                   (K_6:
                   (let _jessie_ =
                   (K_5:
                   (safe_int32_of_integer_ ((add_int (integer_of_int32 n)) (11)))) in
                   (JC_113: (MacCarthy_f91 _jessie_)))) in
                   (JC_114: (MacCarthy_f91 _jessie_))))); (raise Return) end
     else
      begin
        (return := (K_4:
                   (safe_int32_of_integer_ ((sub_int (integer_of_int32 n)) (10)))));
       (raise Return) end); absurd  end with Return -> !return end))
  { (JC_95: true) } 

let MacCarthy_f91_ensures_greater_than_100 =
 fun (n : int32) ->
  { ge_int(integer_of_int32(n), (101)) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (if (K_8: ((le_int_ (integer_of_int32 n)) (100)))
     then
      begin
        (return := (K_7:
                   (let _jessie_ =
                   (K_6:
                   (let _jessie_ =
                   (K_5:
                   (safe_int32_of_integer_ ((add_int (integer_of_int32 n)) (11)))) in
                   (JC_117: (MacCarthy_f91 _jessie_)))) in
                   (JC_118: (MacCarthy_f91 _jessie_))))); (raise Return)
      end
     else
      begin
        (return := (K_4:
                   (safe_int32_of_integer_ ((sub_int (integer_of_int32 n)) (10)))));
       (raise Return) end); absurd  end with Return -> !return end))
  { (JC_101: (integer_of_int32(result) = sub_int(integer_of_int32(n), (10)))) }
  

let MacCarthy_f91_ensures_less_than_101 =
 fun (n : int32) ->
  { le_int(integer_of_int32(n), (100)) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (if (K_8: ((le_int_ (integer_of_int32 n)) (100)))
     then
      begin
        (return := (K_7:
                   (let _jessie_ =
                   (K_6:
                   (let _jessie_ =
                   (K_5:
                   (safe_int32_of_integer_ ((add_int (integer_of_int32 n)) (11)))) in
                   (JC_115: (MacCarthy_f91 _jessie_)))) in
                   (JC_116: (MacCarthy_f91 _jessie_))))); (raise Return)
      end
     else
      begin
        (return := (K_4:
                   (safe_int32_of_integer_ ((sub_int (integer_of_int32 n)) (10)))));
       (raise Return) end); absurd  end with Return -> !return end))
  { (JC_99: (integer_of_int32(result) = (91))) } 

let MacCarthy_f91_safety =
 fun (n : int32) ->
  { (JC_94: true) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (if (K_8: ((le_int_ (integer_of_int32 n)) (100)))
     then
      begin
        (return := (K_7:
                   (let _jessie_ =
                   (K_6:
                   (let _jessie_ =
                   (K_5:
                   (JC_103:
                   (int32_of_integer_ ((add_int (integer_of_int32 n)) (11))))) in
                   (JC_107:
                   (check
                   { zwf_zero((JC_106 : sub_int((101),
                                        integer_of_int32(_jessie_))),
                     (JC_105 : sub_int((101), integer_of_int32(n)))) };
                   (JC_104: (MacCarthy_f91_requires _jessie_)))))) in
                   (JC_111:
                   (check
                   { zwf_zero((JC_110 : sub_int((101),
                                        integer_of_int32(_jessie_))),
                     (JC_109 : sub_int((101), integer_of_int32(n)))) };
                   (JC_108: (MacCarthy_f91_requires _jessie_)))))));
       (raise Return) end
     else
      begin
        (return := (K_4:
                   (JC_112:
                   (int32_of_integer_ ((sub_int (integer_of_int32 n)) (10))))));
       (raise Return) end); absurd  end with Return -> !return end)) 
  { true } 

let cons_MacCarthy_ensures_default =
 fun (this_1 : Object pointer) ->
  { valid_struct_MacCarthy(this_1, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_23: true) } 

let cons_MacCarthy_safety =
 fun (this_1 : Object pointer) ->
  { valid_struct_MacCarthy(this_1, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 

let cons_Object_ensures_default =
 fun (this_12 : Object pointer) ->
  { valid_struct_Object(this_12, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_139: true) } 

let cons_Object_safety =
 fun (this_12 : Object pointer) ->
  { valid_struct_Object(this_12, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 


why-2.39/tests/java/oracle/Sort2.err.oracle0000644000106100004300000000000013147234006017536 0ustar  marchevalswhy-2.39/tests/java/oracle/Bug_sort_exns.res.oracle0000644000106100004300000024256013147234006021372 0ustar  marchevals========== file tests/java/Bug_sort_exns.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

public class Bug_sort_exns {
    public static void exn() {
        throw new IllegalArgumentException();
    }
}
========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function cons_Bug_sort_exns for constructor Bug_sort_exns
Generating JC function cons_RuntimeException for constructor RuntimeException
Generating JC function Throwable_getMessage for method Throwable.getMessage
Generating JC function Throwable_initCause for method Throwable.initCause
Generating JC function cons_Throwable_String_Throwable for constructor Throwable
Generating JC function cons_RuntimeException_String_Throwable for constructor RuntimeException
Generating JC function cons_Throwable_Throwable for constructor Throwable
Generating JC function cons_Exception_String for constructor Exception
Generating JC function cons_Exception_Throwable for constructor Exception
Generating JC function Throwable_printStackTrace_PrintStream for method Throwable.printStackTrace
Generating JC function Throwable_getCause for method Throwable.getCause
Generating JC function Throwable_toString for method Throwable.toString
Generating JC function cons_RuntimeException_String for constructor RuntimeException
Generating JC function cons_IllegalArgumentException for constructor IllegalArgumentException
Generating JC function cons_Exception for constructor Exception
Generating JC function cons_Throwable for constructor Throwable
Generating JC function cons_RuntimeException_Throwable for constructor RuntimeException
Generating JC function Bug_sort_exns_exn for method Bug_sort_exns.exn
Generating JC function Throwable_getLocalizedMessage for method Throwable.getLocalizedMessage
Generating JC function Throwable_printStackTrace for method Throwable.printStackTrace
Generating JC function Throwable_getStackTraceDepth for method Throwable.getStackTraceDepth
Generating JC function Throwable_fillInStackTrace for method Throwable.fillInStackTrace
Generating JC function cons_Throwable_String for constructor Throwable
Generating JC function cons_IllegalArgumentException_String for constructor IllegalArgumentException
Generating JC function cons_Exception_String_Throwable for constructor Exception
Done.
========== file tests/java/Bug_sort_exns.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

type byte = -128..127

type short = -32768..32767

type int32 = -2147483648..2147483647

type long = -9223372036854775808..9223372036854775807

type char = 0..65535

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

logic long RuntimeException_serialVersionUID =
-7034897190745766939

logic long Throwable_serialVersionUID =
-3042686055658047285

logic long Exception_serialVersionUID =
-3387516993124229948

String[0..] any_string()
;

tag String = Object with {
}

tag RuntimeException = Exception with {
}

tag Bug_sort_exns = Object with {
}

tag IllegalArgumentException = RuntimeException with {
}

tag PrintStream = Object with {
}

tag Throwable = Object with {
  Object[0..] backtrace; 
  String[0..] detailMessage; 
  Throwable[0..] cause;
}

tag Object = {
}

tag Exception = Throwable with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

exception Exception of Exception[0..]

exception IllegalArgumentException of IllegalArgumentException[0..]

exception RuntimeException of RuntimeException[0..]

exception Throwable of Throwable[0..]

unit cons_Bug_sort_exns(! Bug_sort_exns[0] this_4){()}

unit cons_RuntimeException(! RuntimeException[0] this_14){()}

String[0..] Throwable_getMessage(Throwable[0] this_5)
;

Throwable[0..] Throwable_initCause(Throwable[0] this_6,
                                   Throwable[0..] cause_1)
;

unit cons_Throwable_String_Throwable(! Throwable[0] this_15,
                                     String[0..] message_0,
                                     Throwable[0..] cause)
{  (this_15.backtrace = null);
   (this_15.detailMessage = null);
   (this_15.cause = null)
}

unit cons_RuntimeException_String_Throwable(! RuntimeException[0] this_16,
                                            String[0..] message_4,
                                            Throwable[0..] cause_4){()}

unit cons_Throwable_Throwable(! Throwable[0] this_17, Throwable[0..] cause_0)
{  (this_17.backtrace = null);
   (this_17.detailMessage = null);
   (this_17.cause = null)
}

unit cons_Exception_String(! Exception[0] this_18, String[0..] message_1){()}

unit cons_Exception_Throwable(! Exception[0] this_19, Throwable[0..] cause_3){()}

unit Throwable_printStackTrace_PrintStream(Throwable[0] this_7,
                                           PrintStream[0..] s)
;

Throwable[0..] Throwable_getCause(Throwable[0] this_8)
;

String[0..] Throwable_toString(Throwable[0] this_9)
;

unit cons_RuntimeException_String(! RuntimeException[0] this_20,
                                  String[0..] message_3){()}

unit cons_IllegalArgumentException(! IllegalArgumentException[0] this_21){()}

unit cons_Exception(! Exception[0] this_22){()}

unit cons_Throwable(! Throwable[0] this_23)
{  (this_23.backtrace = null);
   (this_23.detailMessage = null);
   (this_23.cause = null)
}

unit cons_RuntimeException_Throwable(! RuntimeException[0] this_24,
                                     Throwable[0..] cause_5){()}

unit Bug_sort_exns_exn()
{  
   {  
      (var IllegalArgumentException[..] java_thrown_exception = 
      {  
         (var IllegalArgumentException[0] this = (new IllegalArgumentException[1]));
         
         {  
            (var unit _tt = cons_IllegalArgumentException(this));
            this
         }
      });
      
      {  
         (assert Non_null_Object(java_thrown_exception));
         
         (throw IllegalArgumentException java_thrown_exception)
      }
   }
}

String[0..] Throwable_getLocalizedMessage(Throwable[0] this_10)
;

unit Throwable_printStackTrace(Throwable[0] this_11)
;

int32 Throwable_getStackTraceDepth(Throwable[0] this_12)
;

Throwable[0..] Throwable_fillInStackTrace(Throwable[0] this_13)
;

unit cons_Throwable_String(! Throwable[0] this_25, String[0..] message)
{  (this_25.backtrace = null);
   (this_25.detailMessage = null);
   (this_25.cause = null)
}

unit cons_IllegalArgumentException_String(! IllegalArgumentException[0] this_26,
                                          String[0..] s_0){()}

unit cons_Exception_String_Throwable(! Exception[0] this_27,
                                     String[0..] message_2,
                                     Throwable[0..] cause_2){()}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/Bug_sort_exns.jloc tests/java/Bug_sort_exns.jc && make -f tests/java/Bug_sort_exns.makefile gui"
End:
*/
========== file tests/java/Bug_sort_exns.jloc ==========
[Throwable_getCause]
name = "Method getCause"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 289
begin = 21
end = 29

[cons_Exception_Throwable]
name = "Constructor of class Exception"
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 76
begin = 11
end = 20

[Throwable_initCause]
name = "Method initCause"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 317
begin = 34
end = 43

[Throwable_getLocalizedMessage]
name = "Method getLocalizedMessage"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 265
begin = 18
end = 37

[cons_Exception_String]
name = "Constructor of class Exception"
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 40
begin = 11
end = 20

[Throwable_getMessage]
name = "Method getMessage"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 251
begin = 18
end = 28

[Throwable_printStackTrace_PrintStream]
name = "Method printStackTrace"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 459
begin = 16
end = 31

[cons_Throwable_Throwable]
name = "Constructor of class Throwable"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 239
begin = 11
end = 20

[Throwable_toString]
name = "Method toString"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 341
begin = 18
end = 26

[cons_RuntimeException_String_Throwable]
name = "Constructor of class RuntimeException"
file = "HOME/lib/java_api/java/lang/RuntimeException.java"
line = 60
begin = 11
end = 27

[cons_Bug_sort_exns]
name = "Constructor of class Bug_sort_exns"
file = "HOME/"
line = 0
begin = -1
end = -1

[Throwable_fillInStackTrace]
name = "Method fillInStackTrace"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 562
begin = 41
end = 57

[cons_RuntimeException_String]
name = "Constructor of class RuntimeException"
file = "HOME/lib/java_api/java/lang/RuntimeException.java"
line = 42
begin = 11
end = 27

[cons_Throwable]
name = "Constructor of class Throwable"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 179
begin = 11
end = 20

[cons_Throwable_String_Throwable]
name = "Constructor of class Throwable"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 216
begin = 11
end = 20

[cons_Exception_String_Throwable]
name = "Constructor of class Exception"
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 58
begin = 11
end = 20

[cons_IllegalArgumentException_String]
name = "Constructor of class IllegalArgumentException"
file = "HOME/lib/java_api/java/lang/IllegalArgumentException.java"
line = 35
begin = 11
end = 35

[cons_Exception]
name = "Constructor of class Exception"
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 28
begin = 11
end = 20

[Bug_sort_exns_exn]
name = "Method exn"
file = "HOME/tests/java/Bug_sort_exns.java"
line = 33
begin = 23
end = 26

[cons_IllegalArgumentException]
name = "Constructor of class IllegalArgumentException"
file = "HOME/lib/java_api/java/lang/IllegalArgumentException.java"
line = 25
begin = 11
end = 35

[cons_Throwable_String]
name = "Constructor of class Throwable"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 194
begin = 11
end = 20

[cons_RuntimeException]
name = "Constructor of class RuntimeException"
file = "HOME/lib/java_api/java/lang/RuntimeException.java"
line = 31
begin = 11
end = 27

[Throwable_getStackTraceDepth]
name = "Method getStackTraceDepth"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 645
begin = 23
end = 41

[cons_RuntimeException_Throwable]
name = "Constructor of class RuntimeException"
file = "HOME/lib/java_api/java/lang/RuntimeException.java"
line = 76
begin = 11
end = 27

[Throwable_printStackTrace]
name = "Method printStackTrace"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 450
begin = 16
end = 31

========== jessie execution ==========
Generating Why function cons_Bug_sort_exns
Generating Why function cons_RuntimeException
Generating Why function cons_Throwable_String_Throwable
Generating Why function cons_RuntimeException_String_Throwable
Generating Why function cons_Throwable_Throwable
Generating Why function cons_Exception_String
Generating Why function cons_Exception_Throwable
Generating Why function cons_RuntimeException_String
Generating Why function cons_IllegalArgumentException
Generating Why function cons_Exception
Generating Why function cons_Throwable
Generating Why function cons_RuntimeException_Throwable
Generating Why function Bug_sort_exns_exn
Generating Why function cons_Throwable_String
Generating Why function cons_IllegalArgumentException_String
Generating Why function cons_Exception_String_Throwable
========== file tests/java/Bug_sort_exns.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/Bug_sort_exns_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: Bug_sort_exns.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: Bug_sort_exns.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: Bug_sort_exns.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/java/Bug_sort_exns.loc ==========
[JC_176]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_177]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_221]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_80]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_51]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 216
begin = 11
end = 20

[JC_147]
file = "HOME/lib/java_api/java/lang/RuntimeException.java"
line = 76
begin = 11
end = 27

[JC_123]
file = "HOME/lib/java_api/java/lang/IllegalArgumentException.java"
line = 25
begin = 11
end = 35

[cons_RuntimeException_String_Throwable_ensures_default]
name = "Constructor of class RuntimeException"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/RuntimeException.java"
line = 60
begin = 11
end = 27

[JC_143]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_113]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_116]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_64]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_133]
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 28
begin = 11
end = 20

[cons_Bug_sort_exns_safety]
name = "Constructor of class Bug_sort_exns"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_188]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 645
begin = 23
end = 41

[JC_180]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 450
begin = 16
end = 31

[cons_Throwable_ensures_default]
name = "Constructor of class Throwable"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 179
begin = 11
end = 20

[JC_99]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 289
begin = 21
end = 29

[JC_200]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_85]
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 76
begin = 11
end = 20

[JC_201]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_31]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_17]
file = "HOME/tests/java/Bug_sort_exns.jc"
line = 68
begin = 11
end = 65

[JC_194]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 562
begin = 41
end = 57

[JC_122]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_205]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_81]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_55]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_134]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_48]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_23]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_172]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 265
begin = 18
end = 37

[JC_121]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_125]
file = "HOME/lib/java_api/java/lang/IllegalArgumentException.java"
line = 25
begin = 11
end = 35

[JC_67]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 239
begin = 11
end = 20

[JC_9]
file = "HOME/tests/java/Bug_sort_exns.jc"
line = 66
begin = 8
end = 23

[JC_25]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_189]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_78]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_41]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_74]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_IllegalArgumentException_String_safety]
name = "Constructor of class IllegalArgumentException"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/IllegalArgumentException.java"
line = 35
begin = 11
end = 35

[JC_195]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_52]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_82]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_163]
kind = AllocSize
file = "HOME/tests/java/Bug_sort_exns.jc"
line = 143
begin = 50
end = 81

[JC_153]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_222]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/java/Bug_sort_exns.jc"
line = 66
begin = 8
end = 23

[JC_185]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_167]
kind = AllocSize
file = "HOME/tests/java/Bug_sort_exns.jc"
line = 143
begin = 50
end = 81

[JC_98]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_70]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Throwable_String_ensures_default]
name = "Constructor of class Throwable"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 194
begin = 11
end = 20

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_RuntimeException_safety]
name = "Constructor of class RuntimeException"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/RuntimeException.java"
line = 31
begin = 11
end = 27

[JC_104]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_39]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_112]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_135]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_169]
file = "HOME/tests/java/Bug_sort_exns.jc"
line = 152
begin = 17
end = 55

[JC_132]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
file = "HOME/lib/java_api/java/lang/RuntimeException.java"
line = 31
begin = 11
end = 27

[JC_115]
file = "HOME/lib/java_api/java/lang/RuntimeException.java"
line = 42
begin = 11
end = 27

[JC_109]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 341
begin = 18
end = 26

[JC_69]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 239
begin = 11
end = 20

[JC_219]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_124]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_206]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_218]
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 58
begin = 11
end = 20

[JC_191]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Throwable_String_safety]
name = "Constructor of class Throwable"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 194
begin = 11
end = 20

[JC_101]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 289
begin = 21
end = 29

[JC_223]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_129]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_190]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_110]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_166]
file = "HOME/tests/java/Bug_sort_exns.jc"
line = 152
begin = 17
end = 55

[JC_103]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_46]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_61]
file = "HOME/lib/java_api/java/lang/RuntimeException.java"
line = 60
begin = 11
end = 27

[cons_Throwable_String_Throwable_safety]
name = "Constructor of class Throwable"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 216
begin = 11
end = 20

[JC_199]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_56]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_RuntimeException_Throwable_ensures_default]
name = "Constructor of class RuntimeException"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/RuntimeException.java"
line = 76
begin = 11
end = 27

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_173]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_29]
file = "HOME/lib/java_api/java/lang/RuntimeException.java"
line = 31
begin = 11
end = 27

[JC_202]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 194
begin = 11
end = 20

[JC_144]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_43]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 317
begin = 34
end = 43

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_95]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_97]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_84]
file = "HOME/"
line = 0
begin = -1
end = -1

[Bug_sort_exns_exn_ensures_default]
name = "Method exn"
behavior = "default behavior"
file = "HOME/tests/java/Bug_sort_exns.java"
line = 33
begin = 23
end = 26

[JC_160]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_128]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_90]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_225]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_149]
file = "HOME/lib/java_api/java/lang/RuntimeException.java"
line = 76
begin = 11
end = 27

[JC_216]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_131]
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 28
begin = 11
end = 20

[cons_RuntimeException_String_ensures_default]
name = "Constructor of class RuntimeException"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/RuntimeException.java"
line = 42
begin = 11
end = 27

[JC_37]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 251
begin = 18
end = 28

[cons_IllegalArgumentException_String_ensures_default]
name = "Constructor of class IllegalArgumentException"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/IllegalArgumentException.java"
line = 35
begin = 11
end = 35

[JC_181]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_IllegalArgumentException_safety]
name = "Constructor of class IllegalArgumentException"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/IllegalArgumentException.java"
line = 25
begin = 11
end = 35

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_108]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_57]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_161]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_89]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_136]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_165]
kind = UserCall
file = "HOME/tests/java/Bug_sort_exns.jc"
line = 146
begin = 28
end = 63

[JC_213]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_217]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_86]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_72]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_19]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_187]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_50]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Throwable_safety]
name = "Constructor of class Throwable"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 179
begin = 11
end = 20

[cons_Exception_ensures_default]
name = "Constructor of class Exception"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 28
begin = 11
end = 20

[JC_120]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Throwable_Throwable_safety]
name = "Constructor of class Throwable"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 239
begin = 11
end = 20

[JC_58]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_198]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_94]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_73]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_158]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_63]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_RuntimeException_ensures_default]
name = "Constructor of class RuntimeException"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/RuntimeException.java"
line = 31
begin = 11
end = 27

[JC_196]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 562
begin = 41
end = 57

[JC_71]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_197]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_RuntimeException_Throwable_safety]
name = "Constructor of class RuntimeException"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/RuntimeException.java"
line = 76
begin = 11
end = 27

[JC_207]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_151]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_45]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 317
begin = 34
end = 43

[JC_106]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_203]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_126]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_170]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 265
begin = 18
end = 37

[JC_138]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_148]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_137]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_75]
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 40
begin = 11
end = 20

[JC_24]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_193]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_186]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 645
begin = 23
end = 41

[JC_212]
file = "HOME/lib/java_api/java/lang/IllegalArgumentException.java"
line = 35
begin = 11
end = 35

[JC_175]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_224]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_47]
file = "HOME/"
line = 0
begin = -1
end = -1

[Bug_sort_exns_exn_safety]
name = "Method exn"
behavior = "Safety"
file = "HOME/tests/java/Bug_sort_exns.java"
line = 33
begin = 23
end = 26

[cons_Throwable_String_Throwable_ensures_default]
name = "Constructor of class Throwable"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 216
begin = 11
end = 20

[cons_Bug_sort_exns_ensures_default]
name = "Constructor of class Bug_sort_exns"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_154]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_208]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Exception_String_safety]
name = "Constructor of class Exception"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 40
begin = 11
end = 20

[JC_79]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Exception_String_Throwable_ensures_default]
name = "Constructor of class Exception"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 58
begin = 11
end = 20

[JC_130]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Exception_String_ensures_default]
name = "Constructor of class Exception"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 40
begin = 11
end = 20

[JC_174]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_87]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_184]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_182]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_168]
kind = UserCall
file = "HOME/tests/java/Bug_sort_exns.jc"
line = 146
begin = 28
end = 63

[JC_91]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 459
begin = 16
end = 31

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_162]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_83]
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 76
begin = 11
end = 20

[cons_Throwable_Throwable_ensures_default]
name = "Constructor of class Throwable"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 239
begin = 11
end = 20

[cons_RuntimeException_String_Throwable_safety]
name = "Constructor of class RuntimeException"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/RuntimeException.java"
line = 60
begin = 11
end = 27

[JC_35]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 251
begin = 18
end = 28

[JC_215]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_107]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 341
begin = 18
end = 26

[JC_179]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Exception_Throwable_safety]
name = "Constructor of class Exception"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 76
begin = 11
end = 20

[JC_38]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_156]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_127]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_171]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_164]
kind = IndexBounds
file = "HOME/tests/java/Bug_sort_exns.jc"
line = 143
begin = 10
end = 82

[JC_44]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_155]
file = "HOME/tests/java/Bug_sort_exns.java"
line = 33
begin = 23
end = 26

[JC_88]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_42]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_178]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 450
begin = 16
end = 31

[JC_141]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 179
begin = 11
end = 20

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_220]
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 58
begin = 11
end = 20

[JC_65]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_118]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_105]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_140]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_159]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_68]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_96]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_IllegalArgumentException_ensures_default]
name = "Constructor of class IllegalArgumentException"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/IllegalArgumentException.java"
line = 25
begin = 11
end = 35

[JC_93]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 459
begin = 16
end = 31

[JC_214]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_114]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_150]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_117]
file = "HOME/lib/java_api/java/lang/RuntimeException.java"
line = 42
begin = 11
end = 27

[JC_53]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 216
begin = 11
end = 20

[cons_Exception_String_Throwable_safety]
name = "Constructor of class Exception"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 58
begin = 11
end = 20

[JC_204]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 194
begin = 11
end = 20

[JC_157]
file = "HOME/tests/java/Bug_sort_exns.java"
line = 33
begin = 23
end = 26

[JC_145]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_21]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_209]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_111]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_77]
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 40
begin = 11
end = 20

[JC_49]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1]
file = "HOME/tests/java/Bug_sort_exns.jc"
line = 29
begin = 12
end = 22

[JC_102]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_142]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Exception_safety]
name = "Constructor of class Exception"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 28
begin = 11
end = 20

[JC_211]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_146]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_66]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_59]
file = "HOME/lib/java_api/java/lang/RuntimeException.java"
line = 60
begin = 11
end = 27

[cons_Exception_Throwable_ensures_default]
name = "Constructor of class Exception"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 76
begin = 11
end = 20

[JC_192]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/tests/java/Bug_sort_exns.jc"
line = 68
begin = 11
end = 65

[JC_3]
file = "HOME/tests/java/Bug_sort_exns.jc"
line = 29
begin = 12
end = 22

[JC_92]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_152]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_60]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_183]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_139]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 179
begin = 11
end = 20

[JC_119]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_210]
file = "HOME/lib/java_api/java/lang/IllegalArgumentException.java"
line = 35
begin = 11
end = 35

[JC_76]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_RuntimeException_String_safety]
name = "Constructor of class RuntimeException"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/RuntimeException.java"
line = 42
begin = 11
end = 27

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_100]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/java/why/Bug_sort_exns.why ==========
type Object

type byte

type char

type int32

type interface

type long

type short

logic Bug_sort_exns_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Bug_sort_exns_parenttag_Object :
 parenttag(Bug_sort_exns_tag, Object_tag)

logic Exception_tag:  -> Object tag_id

logic Throwable_tag:  -> Object tag_id

axiom Exception_parenttag_Throwable : parenttag(Exception_tag, Throwable_tag)

logic long_of_integer: int -> long

function Exception_serialVersionUID() : long =
 long_of_integer(neg_int((3387516993124229948)))

logic IllegalArgumentException_tag:  -> Object tag_id

logic RuntimeException_tag:  -> Object tag_id

axiom IllegalArgumentException_parenttag_RuntimeException :
 parenttag(IllegalArgumentException_tag, RuntimeException_tag)

predicate Non_null_Object(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), (0))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic PrintStream_tag:  -> Object tag_id

axiom PrintStream_parenttag_Object : parenttag(PrintStream_tag, Object_tag)

axiom RuntimeException_parenttag_Exception :
 parenttag(RuntimeException_tag, Exception_tag)

function RuntimeException_serialVersionUID() : long =
 long_of_integer(neg_int((7034897190745766939)))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

function Throwable_serialVersionUID() : long =
 long_of_integer(neg_int((3042686055658047285)))

logic integer_of_byte: byte -> int

logic byte_of_integer: int -> byte

axiom byte_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_byte(byte_of_integer(x)), x)))

axiom byte_extensionality :
 (forall x:byte.
  (forall y:byte[eq_int(integer_of_byte(x), integer_of_byte(y))].
   (eq_int(integer_of_byte(x), integer_of_byte(y)) -> (x = y))))

axiom byte_range :
 (forall x:byte.
  (le_int((-128), integer_of_byte(x)) and le_int(integer_of_byte(x), (127))))

logic integer_of_char: char -> int

logic char_of_integer: int -> char

axiom char_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (65535))) ->
   eq_int(integer_of_char(char_of_integer(x)), x)))

axiom char_extensionality :
 (forall x:char.
  (forall y:char[eq_int(integer_of_char(x), integer_of_char(y))].
   (eq_int(integer_of_char(x), integer_of_char(y)) -> (x = y))))

axiom char_range :
 (forall x:char.
  (le_int((0), integer_of_char(x)) and le_int(integer_of_char(x), (65535))))

predicate eq_byte(x:byte, y:byte) =
 eq_int(integer_of_byte(x), integer_of_byte(y))

predicate eq_char(x:char, y:char) =
 eq_int(integer_of_char(x), integer_of_char(y))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_long: long -> int

predicate eq_long(x:long, y:long) =
 eq_int(integer_of_long(x), integer_of_long(y))

logic integer_of_short: short -> int

predicate eq_short(x:short, y:short) =
 eq_int(integer_of_short(x), integer_of_short(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Bug_sort_exns(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Throwable(p, a, Object_alloc_table)

predicate left_valid_struct_RuntimeException(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Exception(p, a, Object_alloc_table)

predicate left_valid_struct_IllegalArgumentException(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_RuntimeException(p, a, Object_alloc_table)

predicate left_valid_struct_PrintStream(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

axiom long_coerce :
 (forall x:int.
  ((le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807))) ->
   eq_int(integer_of_long(long_of_integer(x)), x)))

axiom long_extensionality :
 (forall x:long.
  (forall y:long[eq_int(integer_of_long(x), integer_of_long(y))].
   (eq_int(integer_of_long(x), integer_of_long(y)) -> (x = y))))

axiom long_range :
 (forall x:long.
  (le_int((-9223372036854775808), integer_of_long(x))
  and le_int(integer_of_long(x), (9223372036854775807))))

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Bug_sort_exns(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Throwable(p, b, Object_alloc_table)

predicate right_valid_struct_RuntimeException(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Exception(p, b, Object_alloc_table)

predicate right_valid_struct_IllegalArgumentException(p:Object pointer,
 b:int, Object_alloc_table:Object alloc_table) =
 right_valid_struct_RuntimeException(p, b, Object_alloc_table)

predicate right_valid_struct_PrintStream(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer: int -> short

axiom short_coerce :
 (forall x:int.
  ((le_int((-32768), x) and le_int(x, (32767))) ->
   eq_int(integer_of_short(short_of_integer(x)), x)))

axiom short_extensionality :
 (forall x:short.
  (forall y:short[eq_int(integer_of_short(x), integer_of_short(y))].
   (eq_int(integer_of_short(x), integer_of_short(y)) -> (x = y))))

axiom short_range :
 (forall x:short.
  (le_int((-32768), integer_of_short(x))
  and le_int(integer_of_short(x), (32767))))

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Bug_sort_exns(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Throwable(p, a, b, Object_alloc_table)

predicate strict_valid_struct_RuntimeException(p:Object pointer, a:int,
 b:int, Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Exception(p, a, b, Object_alloc_table)

predicate strict_valid_struct_IllegalArgumentException(p:Object pointer,
 a:int, b:int, Object_alloc_table:Object alloc_table) =
 strict_valid_struct_RuntimeException(p, a, b, Object_alloc_table)

predicate strict_valid_struct_PrintStream(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Bug_sort_exns(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Throwable(p, a, b, Object_alloc_table)

predicate valid_struct_RuntimeException(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Exception(p, a, b, Object_alloc_table)

predicate valid_struct_IllegalArgumentException(p:Object pointer, a:int,
 b:int, Object_alloc_table:Object alloc_table) =
 valid_struct_RuntimeException(p, a, b, Object_alloc_table)

predicate valid_struct_PrintStream(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

parameter Object_alloc_table : Object alloc_table ref

parameter Object_tag_table : Object tag_table ref

exception IllegalArgumentException_exc of Object pointer

parameter Bug_sort_exns_exn :
 tt:unit ->
  { } unit reads Object_alloc_table
  writes Object_alloc_table,Object_tag_table
  raises IllegalArgumentException_exc
  { true | IllegalArgumentException_exc => true }

parameter Bug_sort_exns_exn_requires :
 tt:unit ->
  { } unit reads Object_alloc_table
  writes Object_alloc_table,Object_tag_table
  raises IllegalArgumentException_exc
  { true | IllegalArgumentException_exc => true }

exception Exception_exc of Object pointer

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

exception RuntimeException_exc of Object pointer

parameter Throwable_backtrace : (Object, Object pointer) memory ref

parameter Throwable_cause : (Object, Object pointer) memory ref

parameter Throwable_detailMessage : (Object, Object pointer) memory ref

exception Throwable_exc of Object pointer

parameter Throwable_fillInStackTrace :
 this_13:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Throwable_fillInStackTrace_requires :
 this_13:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Throwable_getCause :
 this_8:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Throwable_getCause_requires :
 this_8:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Throwable_getLocalizedMessage :
 this_10:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Throwable_getLocalizedMessage_requires :
 this_10:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Throwable_getMessage :
 this_5:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Throwable_getMessage_requires :
 this_5:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Throwable_getStackTraceDepth :
 this_12:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter Throwable_getStackTraceDepth_requires :
 this_12:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter Throwable_initCause :
 this_6:Object pointer ->
  cause_1:Object pointer ->
   { } Object pointer reads Object_alloc_table { true }

parameter Throwable_initCause_requires :
 this_6:Object pointer ->
  cause_1:Object pointer ->
   { } Object pointer reads Object_alloc_table { true }

parameter Throwable_printStackTrace :
 this_11:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Throwable_printStackTrace_PrintStream :
 this_7:Object pointer ->
  s_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Throwable_printStackTrace_PrintStream_requires :
 this_7:Object pointer ->
  s_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Throwable_printStackTrace_requires :
 this_11:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Throwable_toString :
 this_9:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Throwable_toString_requires :
 this_9:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter alloc_struct_Bug_sort_exns :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Bug_sort_exns(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Bug_sort_exns_tag)))) }

parameter alloc_struct_Bug_sort_exns_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Bug_sort_exns(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Bug_sort_exns_tag)))) }

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_IllegalArgumentException :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_IllegalArgumentException(result, (0),
       sub_int(n, (1)), Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result,
                  IllegalArgumentException_tag)))) }

parameter alloc_struct_IllegalArgumentException_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_IllegalArgumentException(result, (0),
       sub_int(n, (1)), Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result,
                  IllegalArgumentException_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_PrintStream :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_PrintStream(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, PrintStream_tag)))) }

parameter alloc_struct_PrintStream_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_PrintStream(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, PrintStream_tag)))) }

parameter alloc_struct_RuntimeException :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_RuntimeException(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, RuntimeException_tag)))) }

parameter alloc_struct_RuntimeException_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_RuntimeException(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, RuntimeException_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_byte : unit -> { } byte { true }

parameter any_char : unit -> { } char { true }

parameter any_int32 : unit -> { } int32 { true }

parameter any_long : unit -> { } long { true }

parameter any_short : unit -> { } short { true }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter byte_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} byte
  { eq_int(integer_of_byte(result), x) }

parameter char_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (65535)))} char
  { eq_int(integer_of_char(result), x) }

parameter cons_Bug_sort_exns :
 this_4:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Bug_sort_exns_requires :
 this_4:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Exception :
 this_22:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Exception_String :
 this_18:Object pointer ->
  message_1:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Exception_String_Throwable :
 this_27:Object pointer ->
  message_2:Object pointer ->
   cause_2:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Exception_String_Throwable_requires :
 this_27:Object pointer ->
  message_2:Object pointer ->
   cause_2:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Exception_String_requires :
 this_18:Object pointer ->
  message_1:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Exception_Throwable :
 this_19:Object pointer ->
  cause_3:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Exception_Throwable_requires :
 this_19:Object pointer ->
  cause_3:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Exception_requires :
 this_22:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_IllegalArgumentException :
 this_21:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_IllegalArgumentException_String :
 this_26:Object pointer ->
  s_0_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_IllegalArgumentException_String_requires :
 this_26:Object pointer ->
  s_0_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_IllegalArgumentException_requires :
 this_21:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_RuntimeException :
 this_14:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_RuntimeException_String :
 this_20:Object pointer ->
  message_3:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_RuntimeException_String_Throwable :
 this_16:Object pointer ->
  message_4:Object pointer ->
   cause_4:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_RuntimeException_String_Throwable_requires :
 this_16:Object pointer ->
  message_4:Object pointer ->
   cause_4:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_RuntimeException_String_requires :
 this_20:Object pointer ->
  message_3:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_RuntimeException_Throwable :
 this_24:Object pointer ->
  cause_5:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_RuntimeException_Throwable_requires :
 this_24:Object pointer ->
  cause_5:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_RuntimeException_requires :
 this_14:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Throwable :
 this_23:Object pointer ->
  { } unit reads Object_alloc_table
  writes Throwable_backtrace,Throwable_cause,Throwable_detailMessage 
  { true }

parameter cons_Throwable_String :
 this_25:Object pointer ->
  message:Object pointer ->
   { } unit reads Object_alloc_table
   writes Throwable_backtrace,Throwable_cause,Throwable_detailMessage
   { true }

parameter cons_Throwable_String_Throwable :
 this_15:Object pointer ->
  message_0:Object pointer ->
   cause:Object pointer ->
    { } unit reads Object_alloc_table
    writes Throwable_backtrace,Throwable_cause,Throwable_detailMessage
    { true }

parameter cons_Throwable_String_Throwable_requires :
 this_15:Object pointer ->
  message_0:Object pointer ->
   cause:Object pointer ->
    { } unit reads Object_alloc_table
    writes Throwable_backtrace,Throwable_cause,Throwable_detailMessage
    { true }

parameter cons_Throwable_String_requires :
 this_25:Object pointer ->
  message:Object pointer ->
   { } unit reads Object_alloc_table
   writes Throwable_backtrace,Throwable_cause,Throwable_detailMessage
   { true }

parameter cons_Throwable_Throwable :
 this_17:Object pointer ->
  cause_0:Object pointer ->
   { } unit reads Object_alloc_table
   writes Throwable_backtrace,Throwable_cause,Throwable_detailMessage
   { true }

parameter cons_Throwable_Throwable_requires :
 this_17:Object pointer ->
  cause_0:Object pointer ->
   { } unit reads Object_alloc_table
   writes Throwable_backtrace,Throwable_cause,Throwable_detailMessage
   { true }

parameter cons_Throwable_requires :
 this_23:Object pointer ->
  { } unit reads Object_alloc_table
  writes Throwable_backtrace,Throwable_cause,Throwable_detailMessage 
  { true }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter long_of_integer_ :
 x:int ->
  { (le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807)))}
  long { eq_int(integer_of_long(result), x) }

parameter non_null_Object :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter non_null_Object_requires :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter safe_byte_of_integer_ :
 x:int -> { } byte { eq_int(integer_of_byte(result), x) }

parameter safe_char_of_integer_ :
 x:int -> { } char { eq_int(integer_of_char(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_long_of_integer_ :
 x:int -> { } long { eq_int(integer_of_long(result), x) }

parameter safe_short_of_integer_ :
 x:int -> { } short { eq_int(integer_of_short(result), x) }

parameter short_of_integer_ :
 x:int ->
  { (le_int((-32768), x) and le_int(x, (32767)))} short
  { eq_int(integer_of_short(result), x) }

let Bug_sort_exns_exn_ensures_default =
 fun (tt : unit) ->
  { (JC_158: true) }
  (init:
  try
   begin
     (let java_thrown_exception =
     (let this =
     (JC_167:
     (((alloc_struct_IllegalArgumentException (1)) Object_alloc_table) Object_tag_table)) in
     (let _tt =
     (let _jessie_ = this in
     (JC_168: (cons_IllegalArgumentException _jessie_))) in this)) in
     begin
       (assert
       { (JC_169: Non_null_Object(java_thrown_exception, Object_alloc_table)) };
       void); (raise (IllegalArgumentException_exc java_thrown_exception))
     end); (raise Return) end with Return -> void end)
  { (JC_159: true) | IllegalArgumentException_exc => true } 

let Bug_sort_exns_exn_safety =
 fun (tt : unit) ->
  { (JC_158: true) }
  (init:
  try
   begin
     (let java_thrown_exception =
     (let this =
     (let _jessie_ =
     (JC_163:
     (((alloc_struct_IllegalArgumentException_requires (1)) Object_alloc_table) Object_tag_table)) in
     (JC_164:
     (assert { ge_int(offset_max(Object_alloc_table, _jessie_), (0)) };
     _jessie_))) in
     (let _tt =
     (let _jessie_ = this in
     (JC_165: (cons_IllegalArgumentException_requires _jessie_))) in this)) in
     begin
       [ { } unit reads Object_alloc_table
         { (JC_166:
           Non_null_Object(java_thrown_exception, Object_alloc_table)) } ];
      (raise (IllegalArgumentException_exc java_thrown_exception)) end);
    (raise Return) end with Return -> void end)
  { true | IllegalArgumentException_exc => true } 

let cons_Bug_sort_exns_ensures_default =
 fun (this_4 : Object pointer) ->
  { valid_struct_Bug_sort_exns(this_4, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_23: true) } 

let cons_Bug_sort_exns_safety =
 fun (this_4 : Object pointer) ->
  { valid_struct_Bug_sort_exns(this_4, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 

let cons_Exception_String_Throwable_ensures_default =
 fun (this_27 : Object pointer) (message_2 : Object pointer) (cause_2 : Object pointer) ->
  { (left_valid_struct_Throwable(cause_2, (0), Object_alloc_table)
    and (left_valid_struct_String(message_2, (0), Object_alloc_table)
        and valid_struct_Exception(this_27, (0), (0), Object_alloc_table))) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_222: true) } 

let cons_Exception_String_Throwable_safety =
 fun (this_27 : Object pointer) (message_2 : Object pointer) (cause_2 : Object pointer) ->
  { (left_valid_struct_Throwable(cause_2, (0), Object_alloc_table)
    and (left_valid_struct_String(message_2, (0), Object_alloc_table)
        and valid_struct_Exception(this_27, (0), (0), Object_alloc_table))) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 

let cons_Exception_String_ensures_default =
 fun (this_18 : Object pointer) (message_1 : Object pointer) ->
  { (left_valid_struct_String(message_1, (0), Object_alloc_table)
    and valid_struct_Exception(this_18, (0), (0), Object_alloc_table)) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_79: true) } 

let cons_Exception_String_safety =
 fun (this_18 : Object pointer) (message_1 : Object pointer) ->
  { (left_valid_struct_String(message_1, (0), Object_alloc_table)
    and valid_struct_Exception(this_18, (0), (0), Object_alloc_table)) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 

let cons_Exception_Throwable_ensures_default =
 fun (this_19 : Object pointer) (cause_3 : Object pointer) ->
  { (left_valid_struct_Throwable(cause_3, (0), Object_alloc_table)
    and valid_struct_Exception(this_19, (0), (0), Object_alloc_table)) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_87: true) } 

let cons_Exception_Throwable_safety =
 fun (this_19 : Object pointer) (cause_3 : Object pointer) ->
  { (left_valid_struct_Throwable(cause_3, (0), Object_alloc_table)
    and valid_struct_Exception(this_19, (0), (0), Object_alloc_table)) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 

let cons_Exception_ensures_default =
 fun (this_22 : Object pointer) ->
  { valid_struct_Exception(this_22, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_135: true) } 

let cons_Exception_safety =
 fun (this_22 : Object pointer) ->
  { valid_struct_Exception(this_22, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 

let cons_IllegalArgumentException_String_ensures_default =
 fun (this_26 : Object pointer) (s_0_0 : Object pointer) ->
  { (left_valid_struct_String(s_0_0, (0), Object_alloc_table)
    and valid_struct_IllegalArgumentException(this_26, (0), (0),
        Object_alloc_table)) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_214: true) } 

let cons_IllegalArgumentException_String_safety =
 fun (this_26 : Object pointer) (s_0_0 : Object pointer) ->
  { (left_valid_struct_String(s_0_0, (0), Object_alloc_table)
    and valid_struct_IllegalArgumentException(this_26, (0), (0),
        Object_alloc_table)) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 

let cons_IllegalArgumentException_ensures_default =
 fun (this_21 : Object pointer) ->
  { valid_struct_IllegalArgumentException(this_21, (0), (0),
    Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_127: true) } 

let cons_IllegalArgumentException_safety =
 fun (this_21 : Object pointer) ->
  { valid_struct_IllegalArgumentException(this_21, (0), (0),
    Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 

let cons_RuntimeException_String_Throwable_ensures_default =
 fun (this_16 : Object pointer) (message_4 : Object pointer) (cause_4 : Object pointer) ->
  { (left_valid_struct_Throwable(cause_4, (0), Object_alloc_table)
    and (left_valid_struct_String(message_4, (0), Object_alloc_table)
        and valid_struct_RuntimeException(this_16, (0), (0),
            Object_alloc_table))) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_63: true) } 

let cons_RuntimeException_String_Throwable_safety =
 fun (this_16 : Object pointer) (message_4 : Object pointer) (cause_4 : Object pointer) ->
  { (left_valid_struct_Throwable(cause_4, (0), Object_alloc_table)
    and (left_valid_struct_String(message_4, (0), Object_alloc_table)
        and valid_struct_RuntimeException(this_16, (0), (0),
            Object_alloc_table))) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 

let cons_RuntimeException_String_ensures_default =
 fun (this_20 : Object pointer) (message_3 : Object pointer) ->
  { (left_valid_struct_String(message_3, (0), Object_alloc_table)
    and valid_struct_RuntimeException(this_20, (0), (0), Object_alloc_table)) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_119: true) } 

let cons_RuntimeException_String_safety =
 fun (this_20 : Object pointer) (message_3 : Object pointer) ->
  { (left_valid_struct_String(message_3, (0), Object_alloc_table)
    and valid_struct_RuntimeException(this_20, (0), (0), Object_alloc_table)) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 

let cons_RuntimeException_Throwable_ensures_default =
 fun (this_24 : Object pointer) (cause_5 : Object pointer) ->
  { (left_valid_struct_Throwable(cause_5, (0), Object_alloc_table)
    and valid_struct_RuntimeException(this_24, (0), (0), Object_alloc_table)) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_151: true) } 

let cons_RuntimeException_Throwable_safety =
 fun (this_24 : Object pointer) (cause_5 : Object pointer) ->
  { (left_valid_struct_Throwable(cause_5, (0), Object_alloc_table)
    and valid_struct_RuntimeException(this_24, (0), (0), Object_alloc_table)) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 

let cons_RuntimeException_ensures_default =
 fun (this_14 : Object pointer) ->
  { valid_struct_RuntimeException(this_14, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_31: true) } 

let cons_RuntimeException_safety =
 fun (this_14 : Object pointer) ->
  { valid_struct_RuntimeException(this_14, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 

let cons_Throwable_String_Throwable_ensures_default =
 fun (this_15 : Object pointer) (message_0 : Object pointer) (cause : Object pointer) ->
  { (left_valid_struct_Throwable(cause, (0), Object_alloc_table)
    and (left_valid_struct_String(message_0, (0), Object_alloc_table)
        and valid_struct_Throwable(this_15, (0), (0), Object_alloc_table))) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_15 in
       (((safe_upd_ Throwable_backtrace) _jessie_) _jessie_)));
      (let _jessie_ = null in
      (let _jessie_ = this_15 in
      (((safe_upd_ Throwable_detailMessage) _jessie_) _jessie_)));
      (let _jessie_ = null in
      begin
        (let _jessie_ = this_15 in
        (((safe_upd_ Throwable_cause) _jessie_) _jessie_)); _jessie_
      end) end in void); (raise Return) end with Return -> void end)
  { (JC_55: true) } 

let cons_Throwable_String_Throwable_safety =
 fun (this_15 : Object pointer) (message_0 : Object pointer) (cause : Object pointer) ->
  { (left_valid_struct_Throwable(cause, (0), Object_alloc_table)
    and (left_valid_struct_String(message_0, (0), Object_alloc_table)
        and valid_struct_Throwable(this_15, (0), (0), Object_alloc_table))) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_15 in
       (((safe_upd_ Throwable_backtrace) _jessie_) _jessie_)));
      (let _jessie_ = null in
      (let _jessie_ = this_15 in
      (((safe_upd_ Throwable_detailMessage) _jessie_) _jessie_)));
      (let _jessie_ = null in
      begin
        (let _jessie_ = this_15 in
        (((safe_upd_ Throwable_cause) _jessie_) _jessie_)); _jessie_
      end) end in void); (raise Return) end with Return -> void end) 
  { true } 

let cons_Throwable_String_ensures_default =
 fun (this_25 : Object pointer) (message : Object pointer) ->
  { (left_valid_struct_String(message, (0), Object_alloc_table)
    and valid_struct_Throwable(this_25, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_25 in
       (((safe_upd_ Throwable_backtrace) _jessie_) _jessie_)));
      (let _jessie_ = null in
      (let _jessie_ = this_25 in
      (((safe_upd_ Throwable_detailMessage) _jessie_) _jessie_)));
      (let _jessie_ = null in
      begin
        (let _jessie_ = this_25 in
        (((safe_upd_ Throwable_cause) _jessie_) _jessie_)); _jessie_
      end) end in void); (raise Return) end with Return -> void end)
  { (JC_206: true) } 

let cons_Throwable_String_safety =
 fun (this_25 : Object pointer) (message : Object pointer) ->
  { (left_valid_struct_String(message, (0), Object_alloc_table)
    and valid_struct_Throwable(this_25, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_25 in
       (((safe_upd_ Throwable_backtrace) _jessie_) _jessie_)));
      (let _jessie_ = null in
      (let _jessie_ = this_25 in
      (((safe_upd_ Throwable_detailMessage) _jessie_) _jessie_)));
      (let _jessie_ = null in
      begin
        (let _jessie_ = this_25 in
        (((safe_upd_ Throwable_cause) _jessie_) _jessie_)); _jessie_
      end) end in void); (raise Return) end with Return -> void end) 
  { true } 

let cons_Throwable_Throwable_ensures_default =
 fun (this_17 : Object pointer) (cause_0 : Object pointer) ->
  { (left_valid_struct_Throwable(cause_0, (0), Object_alloc_table)
    and valid_struct_Throwable(this_17, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_17 in
       (((safe_upd_ Throwable_backtrace) _jessie_) _jessie_)));
      (let _jessie_ = null in
      (let _jessie_ = this_17 in
      (((safe_upd_ Throwable_detailMessage) _jessie_) _jessie_)));
      (let _jessie_ = null in
      begin
        (let _jessie_ = this_17 in
        (((safe_upd_ Throwable_cause) _jessie_) _jessie_)); _jessie_
      end) end in void); (raise Return) end with Return -> void end)
  { (JC_71: true) } 

let cons_Throwable_Throwable_safety =
 fun (this_17 : Object pointer) (cause_0 : Object pointer) ->
  { (left_valid_struct_Throwable(cause_0, (0), Object_alloc_table)
    and valid_struct_Throwable(this_17, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_17 in
       (((safe_upd_ Throwable_backtrace) _jessie_) _jessie_)));
      (let _jessie_ = null in
      (let _jessie_ = this_17 in
      (((safe_upd_ Throwable_detailMessage) _jessie_) _jessie_)));
      (let _jessie_ = null in
      begin
        (let _jessie_ = this_17 in
        (((safe_upd_ Throwable_cause) _jessie_) _jessie_)); _jessie_
      end) end in void); (raise Return) end with Return -> void end) 
  { true } 

let cons_Throwable_ensures_default =
 fun (this_23 : Object pointer) ->
  { valid_struct_Throwable(this_23, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_23 in
       (((safe_upd_ Throwable_backtrace) _jessie_) _jessie_)));
      (let _jessie_ = null in
      (let _jessie_ = this_23 in
      (((safe_upd_ Throwable_detailMessage) _jessie_) _jessie_)));
      (let _jessie_ = null in
      begin
        (let _jessie_ = this_23 in
        (((safe_upd_ Throwable_cause) _jessie_) _jessie_)); _jessie_
      end) end in void); (raise Return) end with Return -> void end)
  { (JC_143: true) } 

let cons_Throwable_safety =
 fun (this_23 : Object pointer) ->
  { valid_struct_Throwable(this_23, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_23 in
       (((safe_upd_ Throwable_backtrace) _jessie_) _jessie_)));
      (let _jessie_ = null in
      (let _jessie_ = this_23 in
      (((safe_upd_ Throwable_detailMessage) _jessie_) _jessie_)));
      (let _jessie_ = null in
      begin
        (let _jessie_ = this_23 in
        (((safe_upd_ Throwable_cause) _jessie_) _jessie_)); _jessie_
      end) end in void); (raise Return) end with Return -> void end) 
  { true } 


why-2.39/tests/java/oracle/SideEffects.err.oracle0000644000106100004300000000000013147234006020711 0ustar  marchevalswhy-2.39/tests/java/oracle/BankingExample.res.oracle0000644000106100004300000010624413147234006021434 0ustar  marchevals========== file tests/java/BankingExample.java ==========
public class BankingExample
      {
      
         public static final int MAX_BALANCE = 1000; 
         private int balance;
         private boolean isLocked = false; 
      
         //@ invariant my_inv: balance >= 0 && balance <= MAX_BALANCE;
      
         /*@ assigns balance, isLocked;
           @ ensures balance == 0;
           @*/
         public BankingExample()
         {
             this.balance = 0;
         }
      
          /*@ requires 0 < amount && amount + balance < MAX_BALANCE;
            @ assigns balance;
            @ ensures balance == \old(balance) + amount;
            @*/
         public void credit(final int amount)
         {
             this.balance += amount;
         }
     }========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function BankingExample_credit for method BankingExample.credit
Generating JC function cons_BankingExample for constructor BankingExample
Done.
========== file tests/java/BankingExample.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

type byte = -128..127

type short = -32768..32767

type int32 = -2147483648..2147483647

type long = -9223372036854775808..9223372036854775807

type char = 0..65535

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

logic int32 BankingExample_MAX_BALANCE =
1000

String[0..] any_string()
;

tag String = Object with {
}

tag BankingExample = Object with {
  int32 balance; 
  boolean isLocked;
  invariant my_inv(this) =
    ((this.balance >= 0) && (this.balance <= BankingExample_MAX_BALANCE));
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

unit BankingExample_credit(BankingExample[0] this_0, int32 amount)
  requires (K_4 : ((K_3 : (0 < amount)) &&
                    (K_2 : ((amount + this_0.balance) <
                             BankingExample_MAX_BALANCE))));
behavior default:
  assigns this_0.balance;
  ensures (K_1 : (this_0.balance == (\at(this_0.balance,Old) + amount)));
{  (K_5 : this_0.balance += amount)
}

unit cons_BankingExample(! BankingExample[0] this_1)
behavior default:
  assigns this_1.balance,
  this_1.isLocked;
  ensures (K_6 : (this_1.balance == 0));
{  (this_1.balance = 0);
   (this_1.isLocked = false);
   (K_7 : (this_1.balance = 0))
}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/BankingExample.jloc tests/java/BankingExample.jc && make -f tests/java/BankingExample.makefile gui"
End:
*/
========== file tests/java/BankingExample.jloc ==========
[BankingExample_credit]
name = "Method credit"
file = "HOME/tests/java/BankingExample.java"
line = 22
begin = 21
end = 27

[K_1]
file = "HOME/tests/java/BankingExample.java"
line = 20
begin = 22
end = 55

[K_4]
file = "HOME/tests/java/BankingExample.java"
line = 18
begin = 23
end = 67

[cons_BankingExample]
name = "Constructor of class BankingExample"
file = "HOME/tests/java/BankingExample.java"
line = 13
begin = 16
end = 30

[K_2]
file = "HOME/tests/java/BankingExample.java"
line = 18
begin = 37
end = 67

[K_6]
file = "HOME/tests/java/BankingExample.java"
line = 11
begin = 21
end = 33

[K_3]
file = "HOME/tests/java/BankingExample.java"
line = 18
begin = 23
end = 33

[K_5]
file = "HOME/tests/java/BankingExample.java"
line = 24
begin = 13
end = 35

[K_7]
file = "HOME/tests/java/BankingExample.java"
line = 15
begin = 13
end = 29

========== jessie execution ==========
Generating Why function BankingExample_credit
Generating Why function cons_BankingExample
========== file tests/java/BankingExample.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/BankingExample_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: BankingExample.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: BankingExample.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: BankingExample.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/java/BankingExample.loc ==========
[JC_51]
file = "HOME/tests/java/BankingExample.jc"
line = 72
begin = 9
end = 16

[JC_45]
file = "HOME/tests/java/BankingExample.jc"
line = 73
begin = 10
end = 43

[BankingExample_credit_ensures_default]
name = "Method credit"
behavior = "default behavior"
file = "HOME/tests/java/BankingExample.java"
line = 22
begin = 21
end = 27

[JC_31]
file = "HOME/tests/java/BankingExample.jc"
line = 65
begin = 9
end = 16

[JC_17]
file = "HOME/tests/java/BankingExample.jc"
line = 54
begin = 11
end = 65

[JC_48]
file = "HOME/tests/java/BankingExample.java"
line = 13
begin = 16
end = 30

[JC_23]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_22]
file = "HOME/tests/java/BankingExample.java"
line = 22
begin = 21
end = 27

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_9]
file = "HOME/tests/java/BankingExample.jc"
line = 52
begin = 8
end = 23

[JC_24]
file = "HOME/tests/java/BankingExample.java"
line = 18
begin = 23
end = 33

[JC_25]
file = "HOME/tests/java/BankingExample.java"
line = 18
begin = 37
end = 67

[JC_41]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_47]
file = "HOME/tests/java/BankingExample.java"
line = 11
begin = 21
end = 33

[JC_52]
file = "HOME/tests/java/BankingExample.java"
line = 13
begin = 16
end = 30

[JC_26]
file = "HOME/tests/java/BankingExample.java"
line = 18
begin = 23
end = 67

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[BankingExample_credit_safety]
name = "Method credit"
behavior = "Safety"
file = "HOME/tests/java/BankingExample.java"
line = 22
begin = 21
end = 27

[JC_11]
file = "HOME/tests/java/BankingExample.jc"
line = 52
begin = 8
end = 23

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_36]
file = "HOME/tests/java/BankingExample.java"
line = 22
begin = 21
end = 27

[JC_39]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_40]
file = "HOME/tests/java/BankingExample.java"
line = 13
begin = 16
end = 30

[cons_BankingExample_ensures_default]
name = "Constructor of class BankingExample"
behavior = "default behavior"
file = "HOME/tests/java/BankingExample.java"
line = 13
begin = 16
end = 30

[JC_35]
file = "HOME/tests/java/BankingExample.java"
line = 22
begin = 21
end = 27

[JC_27]
file = "HOME/tests/java/BankingExample.java"
line = 22
begin = 21
end = 27

[JC_38]
file = "HOME/tests/java/BankingExample.java"
line = 13
begin = 16
end = 30

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_44]
file = "HOME/tests/java/BankingExample.java"
line = 13
begin = 16
end = 30

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_42]
file = "HOME/tests/java/BankingExample.java"
line = 11
begin = 21
end = 33

[JC_46]
file = "HOME/tests/java/BankingExample.jc"
line = 72
begin = 9
end = 16

[JC_32]
file = "HOME/tests/java/BankingExample.java"
line = 20
begin = 22
end = 55

[JC_33]
file = "HOME/tests/java/BankingExample.java"
line = 22
begin = 21
end = 27

[JC_29]
file = "HOME/tests/java/BankingExample.java"
line = 20
begin = 22
end = 55

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_43]
file = "HOME/tests/java/BankingExample.java"
line = 13
begin = 16
end = 30

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
file = "HOME/tests/java/BankingExample.jc"
line = 65
begin = 9
end = 16

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_53]
file = "HOME/tests/java/BankingExample.java"
line = 13
begin = 16
end = 30

[JC_21]
file = "HOME/tests/java/BankingExample.java"
line = 18
begin = 23
end = 67

[JC_49]
file = "HOME/tests/java/BankingExample.java"
line = 13
begin = 16
end = 30

[JC_1]
file = "HOME/tests/java/BankingExample.jc"
line = 23
begin = 12
end = 22

[JC_37]
kind = ArithOverflow
file = "HOME/tests/java/BankingExample.jc"
line = 68
begin = 10
end = 34

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_BankingExample_safety]
name = "Constructor of class BankingExample"
behavior = "Safety"
file = "HOME/tests/java/BankingExample.java"
line = 13
begin = 16
end = 30

[JC_20]
file = "HOME/tests/java/BankingExample.java"
line = 18
begin = 37
end = 67

[JC_18]
file = "HOME/tests/java/BankingExample.jc"
line = 54
begin = 11
end = 65

[JC_3]
file = "HOME/tests/java/BankingExample.jc"
line = 23
begin = 12
end = 22

[JC_19]
file = "HOME/tests/java/BankingExample.java"
line = 18
begin = 23
end = 33

[JC_50]
file = "HOME/tests/java/BankingExample.jc"
line = 73
begin = 10
end = 43

[JC_30]
file = "HOME/tests/java/BankingExample.java"
line = 22
begin = 21
end = 27

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/java/why/BankingExample.why ==========
type Object

type byte

type char

type int32

type interface

type long

type short

logic int32_of_integer: int -> int32

function BankingExample_MAX_BALANCE() : int32 = int32_of_integer((1000))

logic BankingExample_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom BankingExample_parenttag_Object :
 parenttag(BankingExample_tag, Object_tag)

logic Exception_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), (0))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic integer_of_byte: byte -> int

logic byte_of_integer: int -> byte

axiom byte_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_byte(byte_of_integer(x)), x)))

axiom byte_extensionality :
 (forall x:byte.
  (forall y:byte[eq_int(integer_of_byte(x), integer_of_byte(y))].
   (eq_int(integer_of_byte(x), integer_of_byte(y)) -> (x = y))))

axiom byte_range :
 (forall x:byte.
  (le_int((-128), integer_of_byte(x)) and le_int(integer_of_byte(x), (127))))

logic integer_of_char: char -> int

logic char_of_integer: int -> char

axiom char_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (65535))) ->
   eq_int(integer_of_char(char_of_integer(x)), x)))

axiom char_extensionality :
 (forall x:char.
  (forall y:char[eq_int(integer_of_char(x), integer_of_char(y))].
   (eq_int(integer_of_char(x), integer_of_char(y)) -> (x = y))))

axiom char_range :
 (forall x:char.
  (le_int((0), integer_of_char(x)) and le_int(integer_of_char(x), (65535))))

predicate eq_byte(x:byte, y:byte) =
 eq_int(integer_of_byte(x), integer_of_byte(y))

predicate eq_char(x:char, y:char) =
 eq_int(integer_of_char(x), integer_of_char(y))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_long: long -> int

predicate eq_long(x:long, y:long) =
 eq_int(integer_of_long(x), integer_of_long(y))

logic integer_of_short: short -> int

predicate eq_short(x:short, y:short) =
 eq_int(integer_of_short(x), integer_of_short(y))

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_BankingExample(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer: int -> long

axiom long_coerce :
 (forall x:int.
  ((le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807))) ->
   eq_int(integer_of_long(long_of_integer(x)), x)))

axiom long_extensionality :
 (forall x:long.
  (forall y:long[eq_int(integer_of_long(x), integer_of_long(y))].
   (eq_int(integer_of_long(x), integer_of_long(y)) -> (x = y))))

axiom long_range :
 (forall x:long.
  (le_int((-9223372036854775808), integer_of_long(x))
  and le_int(integer_of_long(x), (9223372036854775807))))

predicate my_inv(this:Object pointer,
 BankingExample_balance:(Object, int32) memory) =
 (ge_int(integer_of_int32(select(BankingExample_balance, this)), (0))
 and le_int(integer_of_int32(select(BankingExample_balance, this)),
     integer_of_int32(BankingExample_MAX_BALANCE)))

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_BankingExample(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer: int -> short

axiom short_coerce :
 (forall x:int.
  ((le_int((-32768), x) and le_int(x, (32767))) ->
   eq_int(integer_of_short(short_of_integer(x)), x)))

axiom short_extensionality :
 (forall x:short.
  (forall y:short[eq_int(integer_of_short(x), integer_of_short(y))].
   (eq_int(integer_of_short(x), integer_of_short(y)) -> (x = y))))

axiom short_range :
 (forall x:short.
  (le_int((-32768), integer_of_short(x))
  and le_int(integer_of_short(x), (32767))))

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_BankingExample(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_BankingExample(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

parameter BankingExample_balance : (Object, int32) memory ref

parameter Object_alloc_table : Object alloc_table ref

parameter BankingExample_credit :
 this_0:Object pointer ->
  amount:int32 ->
   { } unit reads BankingExample_balance,Object_alloc_table
   writes BankingExample_balance
   { ((JC_36: my_inv(this_0, BankingExample_balance))
     and (JC_34:
         ((JC_32:
          (integer_of_int32(select(BankingExample_balance, this_0)) = 
          add_int(integer_of_int32(select(BankingExample_balance@, this_0)),
          integer_of_int32(amount))))
         and (JC_33:
             not_assigns(Object_alloc_table@, BankingExample_balance@,
             BankingExample_balance, pset_singleton(this_0)))))) }

parameter BankingExample_credit_requires :
 this_0:Object pointer ->
  amount:int32 ->
   { (JC_22:
     ((JC_21:
      ((JC_19: lt_int((0), integer_of_int32(amount)))
      and (JC_20:
          lt_int(add_int(integer_of_int32(amount),
                 integer_of_int32(select(BankingExample_balance, this_0))),
          integer_of_int32(BankingExample_MAX_BALANCE)))))
     and my_inv(this_0, BankingExample_balance)))}
   unit reads BankingExample_balance,Object_alloc_table
   writes BankingExample_balance
   { ((JC_36: my_inv(this_0, BankingExample_balance))
     and (JC_34:
         ((JC_32:
          (integer_of_int32(select(BankingExample_balance, this_0)) = 
          add_int(integer_of_int32(select(BankingExample_balance@, this_0)),
          integer_of_int32(amount))))
         and (JC_33:
             not_assigns(Object_alloc_table@, BankingExample_balance@,
             BankingExample_balance, pset_singleton(this_0)))))) }

parameter BankingExample_isLocked : (Object, bool) memory ref

exception Exception_exc of Object pointer

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Object_tag_table : Object tag_table ref

exception Return_label_exc of unit

exception Throwable_exc of Object pointer

parameter alloc_struct_BankingExample :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_BankingExample(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, BankingExample_tag)))) }

parameter alloc_struct_BankingExample_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_BankingExample(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, BankingExample_tag)))) }

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_byte : unit -> { } byte { true }

parameter any_char : unit -> { } char { true }

parameter any_int32 : unit -> { } int32 { true }

parameter any_long : unit -> { } long { true }

parameter any_short : unit -> { } short { true }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter byte_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} byte
  { eq_int(integer_of_byte(result), x) }

parameter char_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (65535)))} char
  { eq_int(integer_of_char(result), x) }

parameter cons_BankingExample :
 this_1:Object pointer ->
  { } unit reads BankingExample_balance,Object_alloc_table
  writes BankingExample_balance,BankingExample_isLocked
  { ((JC_53: my_inv(this_1, BankingExample_balance))
    and (JC_51:
        ((JC_47:
         (integer_of_int32(select(BankingExample_balance, this_1)) = (0)))
        and (JC_50:
            ((JC_48:
             not_assigns(Object_alloc_table@, BankingExample_balance@,
             BankingExample_balance, pset_singleton(this_1)))
            and (JC_49:
                not_assigns(Object_alloc_table@, BankingExample_isLocked@,
                BankingExample_isLocked, pset_singleton(this_1)))))))) }

parameter cons_BankingExample_requires :
 this_1:Object pointer ->
  { } unit reads BankingExample_balance,Object_alloc_table
  writes BankingExample_balance,BankingExample_isLocked
  { ((JC_53: my_inv(this_1, BankingExample_balance))
    and (JC_51:
        ((JC_47:
         (integer_of_int32(select(BankingExample_balance, this_1)) = (0)))
        and (JC_50:
            ((JC_48:
             not_assigns(Object_alloc_table@, BankingExample_balance@,
             BankingExample_balance, pset_singleton(this_1)))
            and (JC_49:
                not_assigns(Object_alloc_table@, BankingExample_isLocked@,
                BankingExample_isLocked, pset_singleton(this_1)))))))) }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter long_of_integer_ :
 x:int ->
  { (le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807)))}
  long { eq_int(integer_of_long(result), x) }

parameter non_null_Object :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter non_null_Object_requires :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter safe_byte_of_integer_ :
 x:int -> { } byte { eq_int(integer_of_byte(result), x) }

parameter safe_char_of_integer_ :
 x:int -> { } char { eq_int(integer_of_char(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_long_of_integer_ :
 x:int -> { } long { eq_int(integer_of_long(result), x) }

parameter safe_short_of_integer_ :
 x:int -> { } short { eq_int(integer_of_short(result), x) }

parameter short_of_integer_ :
 x:int ->
  { (le_int((-32768), x) and le_int(x, (32767)))} short
  { eq_int(integer_of_short(result), x) }

let BankingExample_credit_ensures_default =
 fun (this_0 : Object pointer) (amount : int32) ->
  { (valid_struct_BankingExample(this_0, (0), (0), Object_alloc_table)
    and (JC_27:
        ((JC_26:
         ((JC_24: lt_int((0), integer_of_int32(amount)))
         and (JC_25:
             lt_int(add_int(integer_of_int32(amount),
                    integer_of_int32(select(BankingExample_balance, this_0))),
             integer_of_int32(BankingExample_MAX_BALANCE)))))
        and my_inv(this_0, BankingExample_balance)))) }
  (init:
  try
   begin
     (let _jessie_ =
     (K_5:
     (let _jessie_ =
     (safe_int32_of_integer_ ((add_int (integer_of_int32 ((safe_acc_ !BankingExample_balance) this_0))) 
                              (integer_of_int32 amount))) in
     begin
       (let _jessie_ = this_0 in
       (((safe_upd_ BankingExample_balance) _jessie_) _jessie_)); _jessie_
     end)) in void); (raise Return) end with Return -> void end)
  { (JC_31:
    ((JC_29:
     (integer_of_int32(select(BankingExample_balance, this_0)) = add_int(
                                                                 integer_of_int32(
                                                                 select(BankingExample_balance@,
                                                                 this_0)),
                                                                 integer_of_int32(amount))))
    and (JC_30:
        not_assigns(Object_alloc_table@, BankingExample_balance@,
        BankingExample_balance, pset_singleton(this_0))))) } 

let BankingExample_credit_safety =
 fun (this_0 : Object pointer) (amount : int32) ->
  { (valid_struct_BankingExample(this_0, (0), (0), Object_alloc_table)
    and (JC_27:
        ((JC_26:
         ((JC_24: lt_int((0), integer_of_int32(amount)))
         and (JC_25:
             lt_int(add_int(integer_of_int32(amount),
                    integer_of_int32(select(BankingExample_balance, this_0))),
             integer_of_int32(BankingExample_MAX_BALANCE)))))
        and my_inv(this_0, BankingExample_balance)))) }
  (init:
  try
   begin
     (let _jessie_ =
     (K_5:
     (let _jessie_ =
     (JC_37:
     (int32_of_integer_ ((add_int (integer_of_int32 ((safe_acc_ !BankingExample_balance) this_0))) 
                         (integer_of_int32 amount)))) in
     begin
       (let _jessie_ = this_0 in
       (((safe_upd_ BankingExample_balance) _jessie_) _jessie_)); _jessie_
     end)) in void); (raise Return) end with Return -> void end)
  { (JC_35: my_inv(this_0, BankingExample_balance)) } 

let cons_BankingExample_ensures_default =
 fun (this_1 : Object pointer) ->
  { valid_struct_BankingExample(this_1, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = (safe_int32_of_integer_ (0)) in
       (let _jessie_ = this_1 in
       (((safe_upd_ BankingExample_balance) _jessie_) _jessie_)));
      (let _jessie_ = false in
      (let _jessie_ = this_1 in
      (((safe_upd_ BankingExample_isLocked) _jessie_) _jessie_)));
      (K_7:
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      begin
        (let _jessie_ = this_1 in
        (((safe_upd_ BankingExample_balance) _jessie_) _jessie_));
       _jessie_ end)) end in void); (raise Return) end with Return ->
   void end)
  { (JC_46:
    ((JC_42:
     (integer_of_int32(select(BankingExample_balance, this_1)) = (0)))
    and (JC_45:
        ((JC_43:
         not_assigns(Object_alloc_table@, BankingExample_balance@,
         BankingExample_balance, pset_singleton(this_1)))
        and (JC_44:
            not_assigns(Object_alloc_table@, BankingExample_isLocked@,
            BankingExample_isLocked, pset_singleton(this_1))))))) } 

let cons_BankingExample_safety =
 fun (this_1 : Object pointer) ->
  { valid_struct_BankingExample(this_1, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = (safe_int32_of_integer_ (0)) in
       (let _jessie_ = this_1 in
       (((safe_upd_ BankingExample_balance) _jessie_) _jessie_)));
      (let _jessie_ = false in
      (let _jessie_ = this_1 in
      (((safe_upd_ BankingExample_isLocked) _jessie_) _jessie_)));
      (K_7:
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      begin
        (let _jessie_ = this_1 in
        (((safe_upd_ BankingExample_balance) _jessie_) _jessie_));
       _jessie_ end)) end in void); (raise Return) end with Return ->
   void end) { (JC_52: my_inv(this_1, BankingExample_balance)) } 


why-2.39/tests/java/oracle/TestNonNull.err.oracle0000644000106100004300000000006513147234006020765 0ustar  marchevalsgenerating logic fun t_length with one default label
why-2.39/tests/java/oracle/PreAndOld.err.oracle0000644000106100004300000000000013147234006020335 0ustar  marchevalswhy-2.39/tests/java/oracle/Fibonacci.err.oracle0000644000106100004300000000020713147234006020413 0ustar  marchevalscat: /tmp/regtests.cwd: No such file or directory
grep: /src/version.ml: No such file or directory
Cannot open directory /lib/java_api
why-2.39/tests/java/oracle/BankingExample.err.oracle0000644000106100004300000000006313147234006021423 0ustar  marchevalsgenerating logic fun my_inv with one default label
why-2.39/tests/java/oracle/ArrayMax.res.oracle0000644000106100004300000013744413147234006020301 0ustar  marchevals========== file tests/java/ArrayMax.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/*
COST Verification Competition. vladimir@cost-ic0701.org

Challenge 1: Maximum in an array

Given: A non-empty integer array a.

Verify that the index returned by the method max() given below points to
an element maximal in the array.

*/

/*@ axiomatic integer_max {
  @   logic integer max(integer x, integer y);
  @   axiom max_is_ge : \forall integer x y; max(x,y) >= x && max(x,y) >= y;
  @   axiom max_is_some : \forall integer x y; max(x,y) == x || max(x,y) == y;
  @ }
  @*/

public class ArrayMax {


    /*@ requires a.length > 0;
      @ ensures 0 <= \result < a.length &&
      @   \forall integer i; 0 <= i < a.length ==> a[i] <= a[\result];
      @*/
    public static int max(int[] a) {
        int x = 0;
        int y = a.length-1;
        /*@ loop_invariant 0 <= x <= y < a.length &&
          @      \forall integer i;
          @         0 <= i < x || y < i < a.length ==>
          @         a[i] <= max(a[x],a[y]);
          @ loop_variant y - x;
          @*/
        while (x != y) {
            if (a[x] <= a[y]) x++;
                else y--;
        }
        return x;
    }

}

/*
Local Variables:
compile-command: "make ArrayMax.why3ide"
End:
*/

========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function cons_ArrayMax for constructor ArrayMax
Generating JC function ArrayMax_max for method ArrayMax.max
Done.
========== file tests/java/ArrayMax.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

type byte = -128..127

type short = -32768..32767

type int32 = -2147483648..2147483647

type long = -9223372036854775808..9223372036854775807

type char = 0..65535

predicate Non_null_intM{Here}(intM[0..] x) =
(\offset_max(x) >= -1)

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag ArrayMax = Object with {
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

tag intM = Object with {
  int32 intP;
}

boolean non_null_intM(! intM[0..] x)
behavior default:
  assigns \nothing;
  ensures (if \result then (\offset_max(x) >= -1) else (x == null));
;

integer java_array_length_intM(! intM[0..-1] x)
behavior default:
  assigns \nothing;
  ensures ((\result <= 2147483647) &&
            ((\result >= 0) && (\result == (\offset_max(x) + 1))));
;

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

axiomatic integer_max {

  logic integer max(integer x, integer y)
   
  axiom max_is_some :
  (\forall integer x_1;
    (\forall integer y_1;
      ((max(x_1, y_1) == x_1) || (max(x_1, y_1) == y_1))))
   
  axiom max_is_ge :
  (\forall integer x_0;
    (\forall integer y_0;
      ((max(x_0, y_0) >= x_0) && (max(x_0, y_0) >= y_0))))
  
}

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

unit cons_ArrayMax(! ArrayMax[0] this_0){()}

int32 ArrayMax_max(intM[0..] a)
  requires (K_6 : ((\offset_max(a) + 1) > 0));
behavior default:
  ensures (K_5 : ((K_4 : ((K_3 : (0 <= \result)) &&
                           (K_2 : (\result < (\offset_max(a) + 1))))) &&
                   (K_1 : (\forall integer i;
                            (((0 <= i) && (i < (\offset_max(a) + 1))) ==>
                              ((a + i).intP <= (a + \result).intP))))));
{  
   {  
      (var int32 x_2 = (K_23 : 0));
      
      {  
         (var int32 y_2 = (K_22 : (((K_21 : java_array_length_intM(a)) - 1) :> int32)));
         
         {  
            loop 
            behavior default:
              invariant (K_13 : ((K_12 : ((K_11 : ((K_10 : (0 <= x_2)) &&
                                                    (K_9 : (x_2 <= y_2)))) &&
                                           (K_8 : (y_2 <
                                                    (\offset_max(a) + 1))))) &&
                                  (K_7 : (\forall integer i_0;
                                           ((((0 <= i_0) && (i_0 < x_2)) ||
                                              ((y_2 < i_0) &&
                                                (i_0 < (\offset_max(a) + 1)))) ==>
                                             ((a + i_0).intP <=
                                               max((a + x_2).intP,
                                                   (a + y_2).intP)))))));
            variant (K_14 : (y_2 - x_2));
            while ((K_20 : (x_2 != y_2)))
            {  (if (K_19 : ((K_17 : (a + x_2).intP) <=
                             (K_18 : (a + y_2).intP))) then (K_16 : (x_2 ++)) else 
               (K_15 : (y_2 --)))
            };
            
            (return x_2)
         }
      }
   }
}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/ArrayMax.jloc tests/java/ArrayMax.jc && make -f tests/java/ArrayMax.makefile gui"
End:
*/
========== file tests/java/ArrayMax.jloc ==========
[ArrayMax_max]
name = "Method max"
file = "HOME/tests/java/ArrayMax.java"
line = 58
begin = 22
end = 25

[K_23]
file = "HOME/tests/java/ArrayMax.java"
line = 59
begin = 16
end = 17

[K_17]
file = "HOME/tests/java/ArrayMax.java"
line = 68
begin = 16
end = 20

[K_11]
file = "HOME/tests/java/ArrayMax.java"
line = 61
begin = 27
end = 38

[K_13]
file = "HOME/tests/java/ArrayMax.java"
line = 61
begin = 27
end = 186

[max_is_some]
name = "Lemma max_is_some"
file = "HOME/"
line = 0
begin = 0
end = 0

[K_9]
file = "HOME/tests/java/ArrayMax.java"
line = 61
begin = 32
end = 38

[K_1]
file = "HOME/tests/java/ArrayMax.java"
line = 56
begin = 10
end = 69

[K_15]
file = "HOME/tests/java/ArrayMax.java"
line = 69
begin = 21
end = 24

[K_4]
file = "HOME/tests/java/ArrayMax.java"
line = 55
begin = 16
end = 39

[K_12]
file = "HOME/tests/java/ArrayMax.java"
line = 61
begin = 27
end = 49

[cons_ArrayMax]
name = "Constructor of class ArrayMax"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_20]
file = "HOME/tests/java/ArrayMax.java"
line = 67
begin = 15
end = 21

[K_2]
file = "HOME/tests/java/ArrayMax.java"
line = 55
begin = 21
end = 39

[K_10]
file = "HOME/tests/java/ArrayMax.java"
line = 61
begin = 27
end = 33

[K_6]
file = "HOME/tests/java/ArrayMax.java"
line = 54
begin = 17
end = 29

[K_8]
file = "HOME/tests/java/ArrayMax.java"
line = 61
begin = 37
end = 49

[K_3]
file = "HOME/tests/java/ArrayMax.java"
line = 55
begin = 16
end = 28

[max_is_ge]
name = "Lemma max_is_ge"
file = "HOME/"
line = 0
begin = 0
end = 0

[K_21]
file = "HOME/tests/java/ArrayMax.java"
line = 60
begin = 16
end = 24

[K_14]
file = "HOME/tests/java/ArrayMax.java"
line = 65
begin = 25
end = 30

[K_19]
file = "HOME/tests/java/ArrayMax.java"
line = 68
begin = 16
end = 28

[K_5]
file = "HOME/tests/java/ArrayMax.java"
line = 55
begin = 16
end = 112

[K_18]
file = "HOME/tests/java/ArrayMax.java"
line = 68
begin = 24
end = 28

[K_7]
file = "HOME/tests/java/ArrayMax.java"
line = 62
begin = 17
end = 133

[K_22]
file = "HOME/tests/java/ArrayMax.java"
line = 60
begin = 16
end = 26

[K_16]
file = "HOME/tests/java/ArrayMax.java"
line = 68
begin = 30
end = 33

========== jessie execution ==========
Generating Why function cons_ArrayMax
Generating Why function ArrayMax_max
========== file tests/java/ArrayMax.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/ArrayMax_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: ArrayMax.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: ArrayMax.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: ArrayMax.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/java/ArrayMax.loc ==========
[JC_73]
kind = PointerDeref
file = "HOME/tests/java/ArrayMax.java"
line = 68
begin = 24
end = 28

[JC_63]
kind = ArithOverflow
file = "HOME/tests/java/ArrayMax.java"
line = 60
begin = 16
end = 26

[JC_80]
file = "HOME/tests/java/ArrayMax.java"
line = 61
begin = 37
end = 49

[JC_51]
file = "HOME/tests/java/ArrayMax.java"
line = 55
begin = 16
end = 28

[JC_71]
file = "HOME/tests/java/ArrayMax.jc"
line = 108
begin = 12
end = 1096

[cons_ArrayMax_safety]
name = "Constructor of class ArrayMax"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_45]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_64]
file = "HOME/tests/java/ArrayMax.java"
line = 61
begin = 27
end = 33

[max_is_some]
name = "Lemma max_is_some"
behavior = "axiom"
file = "HOME/"
line = 0
begin = 0
end = 0

[JC_85]
file = "HOME/tests/java/ArrayMax.jc"
line = 108
begin = 12
end = 1096

[JC_31]
file = "HOME/tests/java/ArrayMax.jc"
line = 65
begin = 8
end = 23

[JC_17]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_81]
file = "HOME/tests/java/ArrayMax.java"
line = 62
begin = 17
end = 133

[JC_55]
file = "HOME/tests/java/ArrayMax.java"
line = 55
begin = 16
end = 28

[JC_48]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_23]
file = "HOME/tests/java/ArrayMax.jc"
line = 61
begin = 11
end = 103

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_67]
file = "HOME/tests/java/ArrayMax.java"
line = 62
begin = 17
end = 133

[JC_9]
file = "HOME/tests/java/ArrayMax.jc"
line = 52
begin = 8
end = 21

[JC_75]
kind = ArithOverflow
file = "HOME/tests/java/ArrayMax.jc"
line = 125
begin = 24
end = 30

[JC_24]
file = "HOME/tests/java/ArrayMax.jc"
line = 60
begin = 10
end = 18

[JC_25]
file = "HOME/tests/java/ArrayMax.jc"
line = 61
begin = 11
end = 103

[JC_78]
file = "HOME/tests/java/ArrayMax.java"
line = 61
begin = 27
end = 33

[JC_41]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_74]
kind = ArithOverflow
file = "HOME/tests/java/ArrayMax.jc"
line = 124
begin = 69
end = 75

[ArrayMax_max_ensures_default]
name = "Method max"
behavior = "default behavior"
file = "HOME/tests/java/ArrayMax.java"
line = 58
begin = 22
end = 25

[JC_47]
file = "HOME/tests/java/ArrayMax.java"
line = 54
begin = 17
end = 29

[JC_52]
file = "HOME/tests/java/ArrayMax.java"
line = 55
begin = 21
end = 39

[JC_26]
file = "HOME/tests/java/ArrayMax.jc"
line = 60
begin = 10
end = 18

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
file = "HOME/tests/java/ArrayMax.java"
line = 55
begin = 16
end = 112

[JC_79]
file = "HOME/tests/java/ArrayMax.java"
line = 61
begin = 32
end = 38

[JC_13]
file = "HOME/tests/java/ArrayMax.jc"
line = 55
begin = 11
end = 66

[JC_82]
file = "HOME/tests/java/ArrayMax.java"
line = 61
begin = 27
end = 186

[JC_11]
file = "HOME/tests/java/ArrayMax.jc"
line = 52
begin = 8
end = 21

[JC_70]
file = "HOME/tests/java/ArrayMax.jc"
line = 108
begin = 12
end = 1096

[JC_15]
file = "HOME/tests/java/ArrayMax.jc"
line = 55
begin = 11
end = 66

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_39]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_83]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_35]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_69]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_38]
file = "HOME/tests/java/ArrayMax.jc"
line = 67
begin = 11
end = 65

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_44]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
kind = IndexBounds
file = "HOME/tests/java/ArrayMax.java"
line = 60
begin = 16
end = 24

[max_is_ge]
name = "Lemma max_is_ge"
behavior = "axiom"
file = "HOME/"
line = 0
begin = 0
end = 0

[JC_42]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_46]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_61]
kind = UserCall
file = "HOME/tests/java/ArrayMax.java"
line = 60
begin = 16
end = 24

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_56]
file = "HOME/tests/java/ArrayMax.java"
line = 55
begin = 21
end = 39

[cons_ArrayMax_ensures_default]
name = "Constructor of class ArrayMax"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[ArrayMax_max_safety]
name = "Method max"
behavior = "Safety"
file = "HOME/tests/java/ArrayMax.java"
line = 58
begin = 22
end = 25

[JC_65]
file = "HOME/tests/java/ArrayMax.java"
line = 61
begin = 32
end = 38

[JC_29]
file = "HOME/tests/java/ArrayMax.jc"
line = 65
begin = 8
end = 23

[JC_68]
file = "HOME/tests/java/ArrayMax.java"
line = 61
begin = 27
end = 186

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/tests/java/ArrayMax.jc"
line = 54
begin = 10
end = 18

[JC_43]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_84]
file = "HOME/tests/java/ArrayMax.jc"
line = 108
begin = 12
end = 1096

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/tests/java/ArrayMax.jc"
line = 54
begin = 10
end = 18

[JC_53]
file = "HOME/tests/java/ArrayMax.java"
line = 56
begin = 10
end = 69

[JC_21]
file = "HOME/tests/java/ArrayMax.jc"
line = 58
begin = 8
end = 30

[JC_77]
kind = UserCall
file = "HOME/tests/java/ArrayMax.java"
line = 60
begin = 16
end = 24

[JC_49]
file = "HOME/tests/java/ArrayMax.java"
line = 54
begin = 17
end = 29

[JC_1]
file = "HOME/tests/java/ArrayMax.jc"
line = 23
begin = 12
end = 22

[JC_37]
file = "HOME/tests/java/ArrayMax.jc"
line = 67
begin = 11
end = 65

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_57]
file = "HOME/tests/java/ArrayMax.java"
line = 56
begin = 10
end = 69

[JC_66]
file = "HOME/tests/java/ArrayMax.java"
line = 61
begin = 37
end = 49

[JC_59]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_3]
file = "HOME/tests/java/ArrayMax.jc"
line = 23
begin = 12
end = 22

[JC_60]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_72]
kind = PointerDeref
file = "HOME/tests/java/ArrayMax.java"
line = 68
begin = 16
end = 20

[JC_19]
file = "HOME/tests/java/ArrayMax.jc"
line = 58
begin = 8
end = 30

[JC_76]
file = "HOME/tests/java/ArrayMax.java"
line = 65
begin = 25
end = 30

[JC_50]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_58]
file = "HOME/tests/java/ArrayMax.java"
line = 55
begin = 16
end = 112

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/java/why/ArrayMax.why ==========
type Object

type byte

type char

type int32

type interface

type long

type short

logic ArrayMax_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom ArrayMax_parenttag_Object : parenttag(ArrayMax_tag, Object_tag)

logic Exception_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_1:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_1), (0))

predicate Non_null_intM(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), neg_int((1)))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic integer_of_byte: byte -> int

logic byte_of_integer: int -> byte

axiom byte_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_byte(byte_of_integer(x)), x)))

axiom byte_extensionality :
 (forall x:byte.
  (forall y:byte[eq_int(integer_of_byte(x), integer_of_byte(y))].
   (eq_int(integer_of_byte(x), integer_of_byte(y)) -> (x = y))))

axiom byte_range :
 (forall x:byte.
  (le_int((-128), integer_of_byte(x)) and le_int(integer_of_byte(x), (127))))

logic integer_of_char: char -> int

logic char_of_integer: int -> char

axiom char_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (65535))) ->
   eq_int(integer_of_char(char_of_integer(x)), x)))

axiom char_extensionality :
 (forall x:char.
  (forall y:char[eq_int(integer_of_char(x), integer_of_char(y))].
   (eq_int(integer_of_char(x), integer_of_char(y)) -> (x = y))))

axiom char_range :
 (forall x:char.
  (le_int((0), integer_of_char(x)) and le_int(integer_of_char(x), (65535))))

predicate eq_byte(x:byte, y:byte) =
 eq_int(integer_of_byte(x), integer_of_byte(y))

predicate eq_char(x:char, y:char) =
 eq_int(integer_of_char(x), integer_of_char(y))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_long: long -> int

predicate eq_long(x:long, y:long) =
 eq_int(integer_of_long(x), integer_of_long(y))

logic integer_of_short: short -> int

predicate eq_short(x:short, y:short) =
 eq_int(integer_of_short(x), integer_of_short(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic intM_tag:  -> Object tag_id

axiom intM_parenttag_Object : parenttag(intM_tag, Object_tag)

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_ArrayMax(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_intM(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer: int -> long

axiom long_coerce :
 (forall x:int.
  ((le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807))) ->
   eq_int(integer_of_long(long_of_integer(x)), x)))

axiom long_extensionality :
 (forall x:long.
  (forall y:long[eq_int(integer_of_long(x), integer_of_long(y))].
   (eq_int(integer_of_long(x), integer_of_long(y)) -> (x = y))))

axiom long_range :
 (forall x:long.
  (le_int((-9223372036854775808), integer_of_long(x))
  and le_int(integer_of_long(x), (9223372036854775807))))

logic max: int, int -> int

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_ArrayMax(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_intM(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer: int -> short

axiom short_coerce :
 (forall x:int.
  ((le_int((-32768), x) and le_int(x, (32767))) ->
   eq_int(integer_of_short(short_of_integer(x)), x)))

axiom short_extensionality :
 (forall x:short.
  (forall y:short[eq_int(integer_of_short(x), integer_of_short(y))].
   (eq_int(integer_of_short(x), integer_of_short(y)) -> (x = y))))

axiom short_range :
 (forall x:short.
  (le_int((-32768), integer_of_short(x))
  and le_int(integer_of_short(x), (32767))))

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_ArrayMax(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_intM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_ArrayMax(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_intM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

axiom max_is_some :
 (forall x_1_0:int.
  (forall y_1:int. ((max(x_1_0, y_1) = x_1_0) or (max(x_1_0, y_1) = y_1))))

axiom max_is_ge :
 (forall x_0_0:int.
  (forall y_0:int.
   (ge_int(max(x_0_0, y_0), x_0_0) and ge_int(max(x_0_0, y_0), y_0))))

parameter Object_alloc_table : Object alloc_table ref

parameter intM_intP : (Object, int32) memory ref

parameter ArrayMax_max :
 a:Object pointer ->
  { } int32 reads Object_alloc_table,intM_intP
  { (JC_58:
    ((JC_55: le_int((0), integer_of_int32(result)))
    and ((JC_56:
         lt_int(integer_of_int32(result),
         add_int(offset_max(Object_alloc_table, a), (1))))
        and (JC_57:
            (forall i:int.
             ((le_int((0), i)
              and lt_int(i, add_int(offset_max(Object_alloc_table, a), (1)))) ->
              le_int(integer_of_int32(select(intM_intP, shift(a, i))),
              integer_of_int32(select(intM_intP,
                               shift(a, integer_of_int32(result))))))))))) }

parameter ArrayMax_max_requires :
 a:Object pointer ->
  { (JC_47: gt_int(add_int(offset_max(Object_alloc_table, a), (1)), (0)))}
  int32 reads Object_alloc_table,intM_intP
  { (JC_58:
    ((JC_55: le_int((0), integer_of_int32(result)))
    and ((JC_56:
         lt_int(integer_of_int32(result),
         add_int(offset_max(Object_alloc_table, a), (1))))
        and (JC_57:
            (forall i:int.
             ((le_int((0), i)
              and lt_int(i, add_int(offset_max(Object_alloc_table, a), (1)))) ->
              le_int(integer_of_int32(select(intM_intP, shift(a, i))),
              integer_of_int32(select(intM_intP,
                               shift(a, integer_of_int32(result))))))))))) }

exception Exception_exc of Object pointer

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Object_tag_table : Object tag_table ref

exception Return_label_exc of unit

exception Throwable_exc of Object pointer

parameter alloc_struct_ArrayMax :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_ArrayMax(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, ArrayMax_tag)))) }

parameter alloc_struct_ArrayMax_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_ArrayMax(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, ArrayMax_tag)))) }

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_intM :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_intM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, intM_tag)))) }

parameter alloc_struct_intM_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_intM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, intM_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_byte : unit -> { } byte { true }

parameter any_char : unit -> { } char { true }

parameter any_int32 : unit -> { } int32 { true }

parameter any_long : unit -> { } long { true }

parameter any_short : unit -> { } short { true }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter byte_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} byte
  { eq_int(integer_of_byte(result), x) }

parameter char_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (65535)))} char
  { eq_int(integer_of_char(result), x) }

parameter cons_ArrayMax :
 this_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_ArrayMax_requires :
 this_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter java_array_length_intM :
 x_3:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_25:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_3), (1)))))) }

parameter java_array_length_intM_requires :
 x_3:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_25:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_3), (1)))))) }

parameter long_of_integer_ :
 x:int ->
  { (le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807)))}
  long { eq_int(integer_of_long(result), x) }

parameter non_null_Object :
 x_4:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_38:
    (if result then (offset_max(Object_alloc_table, x_4) = (0))
     else (x_4 = null))) }

parameter non_null_Object_requires :
 x_4:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_38:
    (if result then (offset_max(Object_alloc_table, x_4) = (0))
     else (x_4 = null))) }

parameter non_null_intM :
 x_2:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_15:
    (if result then ge_int(offset_max(Object_alloc_table, x_2), neg_int((1)))
     else (x_2 = null))) }

parameter non_null_intM_requires :
 x_2:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_15:
    (if result then ge_int(offset_max(Object_alloc_table, x_2), neg_int((1)))
     else (x_2 = null))) }

parameter safe_byte_of_integer_ :
 x:int -> { } byte { eq_int(integer_of_byte(result), x) }

parameter safe_char_of_integer_ :
 x:int -> { } char { eq_int(integer_of_char(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_long_of_integer_ :
 x:int -> { } long { eq_int(integer_of_long(result), x) }

parameter safe_short_of_integer_ :
 x:int -> { } short { eq_int(integer_of_short(result), x) }

parameter short_of_integer_ :
 x:int ->
  { (le_int((-32768), x) and le_int(x, (32767)))} short
  { eq_int(integer_of_short(result), x) }

let ArrayMax_max_ensures_default =
 fun (a : Object pointer) ->
  { (left_valid_struct_intM(a, (0), Object_alloc_table)
    and (JC_49: gt_int(add_int(offset_max(Object_alloc_table, a), (1)), (0)))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let x_2_0 = ref (safe_int32_of_integer_ (K_23: (0))) in
     (let y_2 =
     ref (K_22:
         (safe_int32_of_integer_ ((sub_int (K_21:
                                           (let _jessie_ = a in
                                           (JC_77:
                                           (java_array_length_intM _jessie_))))) (1)))) in
     begin
       try
        (loop_2:
        while true do
        { invariant
            (JC_82:
            ((JC_78: le_int((0), integer_of_int32(x_2_0)))
            and ((JC_79:
                 le_int(integer_of_int32(x_2_0), integer_of_int32(y_2)))
                and ((JC_80:
                     lt_int(integer_of_int32(y_2),
                     add_int(offset_max(Object_alloc_table, a), (1))))
                    and (JC_81:
                        (forall i_0:int.
                         (((le_int((0), i_0)
                           and lt_int(i_0, integer_of_int32(x_2_0)))
                          or (lt_int(integer_of_int32(y_2), i_0)
                             and lt_int(i_0,
                                 add_int(offset_max(Object_alloc_table, a),
                                 (1))))) ->
                          le_int(integer_of_int32(select(intM_intP,
                                                  shift(a, i_0))),
                          max(integer_of_int32(select(intM_intP,
                                               shift(a,
                                               integer_of_int32(x_2_0)))),
                          integer_of_int32(select(intM_intP,
                                           shift(a, integer_of_int32(y_2)))))))))))))
           }
         begin
           [ { } unit { true } ];
          try
           begin
             (if (K_20:
                 ((neq_int_ (integer_of_int32 !x_2_0)) (integer_of_int32 !y_2)))
             then
              (let _jessie_ =
              (if (K_19:
                  ((le_int_ (integer_of_int32 (K_17:
                                              ((safe_acc_ !intM_intP) 
                                               ((shift a) (integer_of_int32 !x_2_0)))))) 
                   (integer_of_int32 (K_18:
                                     ((safe_acc_ !intM_intP) ((shift a) 
                                                              (integer_of_int32 !y_2)))))))
              then
               (K_16:
               (let _jessie_ = !x_2_0 in
               begin
                 (let _jessie_ =
                 (x_2_0 := (safe_int32_of_integer_ ((add_int (integer_of_int32 _jessie_)) (1)))) in
                 void); _jessie_ end))
              else
               (K_15:
               (let _jessie_ = !y_2 in
               begin
                 (let _jessie_ =
                 (y_2 := (safe_int32_of_integer_ ((sub_int (integer_of_int32 _jessie_)) (1)))) in
                 void); _jessie_ end))) in void)
             else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ -> void end end done) with
        Loop_exit_exc _jessie_ -> void end; (return := !x_2_0);
      (raise Return) end)); absurd  end with Return -> !return end))
  { (JC_54:
    ((JC_51: le_int((0), integer_of_int32(result)))
    and ((JC_52:
         lt_int(integer_of_int32(result),
         add_int(offset_max(Object_alloc_table, a), (1))))
        and (JC_53:
            (forall i:int.
             ((le_int((0), i)
              and lt_int(i, add_int(offset_max(Object_alloc_table, a), (1)))) ->
              le_int(integer_of_int32(select(intM_intP, shift(a, i))),
              integer_of_int32(select(intM_intP,
                               shift(a, integer_of_int32(result))))))))))) } 

let ArrayMax_max_safety =
 fun (a : Object pointer) ->
  { (left_valid_struct_intM(a, (0), Object_alloc_table)
    and (JC_49: gt_int(add_int(offset_max(Object_alloc_table, a), (1)), (0)))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let x_2_0 = ref (safe_int32_of_integer_ (K_23: (0))) in
     (let y_2 =
     ref (K_22:
         (JC_63:
         (int32_of_integer_ ((sub_int (K_21:
                                      (let _jessie_ = a in
                                      (JC_62:
                                      (assert
                                      { ge_int(offset_max(Object_alloc_table,
                                               _jessie_),
                                        (-1)) };
                                      (JC_61:
                                      (java_array_length_intM_requires _jessie_))))))) (1))))) in
     begin
       try
        (loop_1:
        while true do
        { invariant (JC_70: true)
          variant (JC_76 : sub_int(integer_of_int32(y_2),
                           integer_of_int32(x_2_0))) }
         begin
           [ { } unit reads Object_alloc_table,intM_intP,x_2_0,y_2
             { (JC_68:
               ((JC_64: le_int((0), integer_of_int32(x_2_0)))
               and ((JC_65:
                    le_int(integer_of_int32(x_2_0), integer_of_int32(y_2)))
                   and ((JC_66:
                        lt_int(integer_of_int32(y_2),
                        add_int(offset_max(Object_alloc_table, a), (1))))
                       and (JC_67:
                           (forall i_0:int.
                            (((le_int((0), i_0)
                              and lt_int(i_0, integer_of_int32(x_2_0)))
                             or (lt_int(integer_of_int32(y_2), i_0)
                                and lt_int(i_0,
                                    add_int(offset_max(Object_alloc_table, a),
                                    (1))))) ->
                             le_int(integer_of_int32(select(intM_intP,
                                                     shift(a, i_0))),
                             max(integer_of_int32(select(intM_intP,
                                                  shift(a,
                                                  integer_of_int32(x_2_0)))),
                             integer_of_int32(select(intM_intP,
                                              shift(a, integer_of_int32(y_2))))))))))))) } ];
          try
           begin
             (if (K_20:
                 ((neq_int_ (integer_of_int32 !x_2_0)) (integer_of_int32 !y_2)))
             then
              (let _jessie_ =
              (if (K_19:
                  ((le_int_ (integer_of_int32 (K_17:
                                              (JC_72:
                                              ((((offset_acc_ !Object_alloc_table) !intM_intP) a) 
                                               (integer_of_int32 !x_2_0)))))) 
                   (integer_of_int32 (K_18:
                                     (JC_73:
                                     ((((offset_acc_ !Object_alloc_table) !intM_intP) a) 
                                      (integer_of_int32 !y_2)))))))
              then
               (K_16:
               (let _jessie_ = !x_2_0 in
               begin
                 (let _jessie_ =
                 (x_2_0 := (JC_74:
                           (int32_of_integer_ ((add_int (integer_of_int32 _jessie_)) (1))))) in
                 void); _jessie_ end))
              else
               (K_15:
               (let _jessie_ = !y_2 in
               begin
                 (let _jessie_ =
                 (y_2 := (JC_75:
                         (int32_of_integer_ ((sub_int (integer_of_int32 _jessie_)) (1))))) in
                 void); _jessie_ end))) in void)
             else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ -> void end end done) with
        Loop_exit_exc _jessie_ -> void end; (return := !x_2_0);
      (raise Return) end)); absurd  end with Return -> !return end)) 
  { true } 

let cons_ArrayMax_ensures_default =
 fun (this_0 : Object pointer) ->
  { valid_struct_ArrayMax(this_0, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_43: true) } 

let cons_ArrayMax_safety =
 fun (this_0 : Object pointer) ->
  { valid_struct_ArrayMax(this_0, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 


why-2.39/tests/java/oracle/Sort.res.oracle0000644000106100004300000024607413147234006017504 0ustar  marchevals========== file tests/java/Sort.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@+ TerminationPolicy = user

//@+ CheckArithOverflow = no

/*@ predicate Sorted{L}(int a[], integer l, integer h) =
  @   \forall integer i; l <= i < h ==> a[i] <= a[i+1] ;
  @*/

/*@ predicate Swap{L1,L2}(int a[], integer i, integer j) =
  @   \at(a[i],L1) == \at(a[j],L2) &&
  @   \at(a[j],L1) == \at(a[i],L2) &&
  @   \forall integer k; k != i && k != j ==> \at(a[k],L1) == \at(a[k],L2);
  @*/

/*@ axiomatic Permut {
  @  predicate Permut{L1,L2}(int a[], integer l, integer h);
  @  axiom Permut_refl{L}:
  @   \forall int a[], integer l h; Permut{L,L}(a, l, h) ;
  @  axiom Permut_sym{L1,L2}:
  @    \forall int a[], integer l h;
  @      Permut{L1,L2}(a, l, h) ==> Permut{L2,L1}(a, l, h) ;
  @  axiom Permut_trans{L1,L2,L3}:
  @    \forall int a[], integer l h;
  @      Permut{L1,L2}(a, l, h) && Permut{L2,L3}(a, l, h) ==>
  @        Permut{L1,L3}(a, l, h) ;
  @  axiom Permut_swap{L1,L2}:
  @    \forall int a[], integer l h i j;
  @       l <= i <= h && l <= j <= h && Swap{L1,L2}(a, i, j) ==>
  @     Permut{L1,L2}(a, l, h) ;
  @ }
  @*/

class Sort {

    /*@ requires t != null &&
      @    0 <= i < t.length && 0 <= j < t.length;
      @ assigns t[i],t[j];
      @ ensures Swap{Old,Here}(t,i,j);
      @*/
    void swap(int t[], int i, int j) {
	int tmp = t[i];
	t[i] = t[j];
	t[j] = tmp;
    }

    /*@ requires t != null;
      @ behavior sorted:
      @   ensures Sorted(t,0,t.length-1);
      @ behavior permutation:
      @   ensures Permut{Old,Here}(t,0,t.length-1);
      @*/
    void min_sort(int t[]) {
	int i,j;
	int mi,mv;
	/*@ loop_invariant 0 <= i;
	  @ for sorted:
	  @  loop_invariant Sorted(t,0,i) &&
	  @   (\forall integer k1 k2 ;
	  @      0 <= k1 < i <= k2 < t.length ==> t[k1] <= t[k2]) ;
	  @ for permutation:
	  @   loop_invariant Permut{Pre,Here}(t,0,t.length-1);
	  @*/
	for (i=0; i t[k] >= mv);
	      @ for permutation:
	      @  loop_invariant Permut{Pre,Here}(t,0,t.length-1);
	      @*/
	    for (j=i+1; j < t.length; j++) {
		if (t[j] < mv) {
		    mi = j ; mv = t[j];
		}
	    }
	    swap(t,i,mi);
	}
    }

}
========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function Sort_swap for method Sort.swap
Generating JC function Sort_min_sort for method Sort.min_sort
Generating JC function Object_clone for method Object.clone
Generating JC function Object_notifyAll for method Object.notifyAll
Generating JC function Object_hashCode for method Object.hashCode
Generating JC function Object_equals for method Object.equals
Generating JC function Object_wait for method Object.wait
Generating JC function Object_notify for method Object.notify
Generating JC function Object_wait_long for method Object.wait
Generating JC function cons_Sort for constructor Sort
Generating JC function Object_toString for method Object.toString
Generating JC function Object_wait_long_int for method Object.wait
Generating JC function cons_Object for constructor Object
Generating JC function Object_finalize for method Object.finalize
Generating JC function Object_registerNatives for method Object.registerNatives
Done.
========== file tests/java/Sort.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = user
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

predicate Non_null_intM{Here}(intM[0..] x) =
(\offset_max(x) >= -1)

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag Sort = Object with {
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

tag intM = Object with {
  integer intP;
}

boolean non_null_intM(! intM[0..] x)
behavior default:
  assigns \nothing;
  ensures (if \result then (\offset_max(x) >= -1) else (x == null));
;

integer java_array_length_intM(! intM[0..-1] x)
behavior default:
  assigns \nothing;
  ensures ((\result <= 2147483647) &&
            ((\result >= 0) && (\result == (\offset_max(x) + 1))));
;

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

predicate Sorted{L}(intM[0..] a, integer l, integer h) =
(\forall integer i;
  (((l <= i) && (i < h)) ==> ((a + i).intP <= (a + (i + 1)).intP)))

predicate Swap{L1, L2}(intM[0..] a_0, integer i_0, integer j) =
(((\at((a_0 + i_0).intP,L1) == \at((a_0 + j).intP,L2)) &&
   (\at((a_0 + j).intP,L1) == \at((a_0 + i_0).intP,L2))) &&
  (\forall integer k;
    (((k != i_0) && (k != j)) ==>
      (\at((a_0 + k).intP,L1) == \at((a_0 + k).intP,L2)))))

axiomatic Permut {

  predicate Permut{L1, L2}(intM[0..] a_1, integer l_0, integer h_0)
   
  axiom Permut_swap{L1, L2} :
  (\forall intM[0..] a_5;
    (\forall integer l_4;
      (\forall integer h_4;
        (\forall integer i_1;
          (\forall integer j_0;
            (((((l_4 <= i_1) && (i_1 <= h_4)) &&
                ((l_4 <= j_0) && (j_0 <= h_4))) &&
               Swap{L1,
               L2}(a_5, i_1, j_0)) ==>
              Permut{L1,
              L2}(a_5, l_4, h_4)))))))
   
  axiom Permut_trans{L1, L2, L3} :
  (\forall intM[0..] a_4;
    (\forall integer l_3;
      (\forall integer h_3;
        ((Permut{L1, L2}(a_4, l_3, h_3) && Permut{L2, L3}(a_4, l_3, h_3)) ==>
          Permut{L1,
          L3}(a_4, l_3, h_3)))))
   
  axiom Permut_sym{L1, L2} :
  (\forall intM[0..] a_3;
    (\forall integer l_2;
      (\forall integer h_2;
        (Permut{L1, L2}(a_3, l_2, h_2) ==> Permut{L2, L1}(a_3, l_2, h_2)))))
   
  axiom Permut_refl{L} :
  (\forall intM[0..] a_2;
    (\forall integer l_1;
      (\forall integer h_1;
        Permut{L, L}(a_2, l_1, h_1))))
  
}

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

unit Sort_swap(Sort[0] this_2, intM[0..] t, integer i_2, integer j_1)
  requires (K_10 : ((K_9 : ((K_8 : Non_null_intM(t)) &&
                             (K_7 : ((K_6 : (0 <= i_2)) &&
                                      (K_5 : (i_2 < (\offset_max(t) + 1))))))) &&
                     (K_4 : ((K_3 : (0 <= j_1)) &&
                              (K_2 : (j_1 < (\offset_max(t) + 1)))))));
behavior default:
  assigns (t + [i_2..i_2]).intP,
  (t + [j_1..j_1]).intP;
  ensures (K_1 : Swap{Old, Here}(t, i_2, j_1));
{  
   {  
      (var integer tmp = (K_14 : (t + i_2).intP));
      
      {  (K_12 : ((t + i_2).intP = (K_11 : (t + j_1).intP)));
         (K_13 : ((t + j_1).intP = tmp))
      }
   }
}

unit Sort_min_sort(Sort[0] this_0, intM[0..] t_0)
  requires (K_17 : Non_null_intM(t_0));
behavior sorted:
  ensures (K_15 : Sorted{Here}(t_0, 0, ((\offset_max(t_0) + 1) - 1)));
behavior permutation:
  ensures (K_16 : Permut{Old, Here}(t_0, 0, ((\offset_max(t_0) + 1) - 1)));
{  
   {  
      (var integer i_3);
      
      {  
         (var integer j_2);
         
         {  
            (var integer mi);
            
            {  
               (var integer mv);
               
               loop 
               behavior default:
                 invariant (K_18 : (0 <= i_3));
               behavior sorted:
                 invariant (K_21 : ((K_20 : Sorted{Here}(t_0, 0, i_3)) &&
                                     (K_19 : (\forall integer k1;
                                               (\forall integer k2;
                                                 (((((0 <= k1) && (k1 < i_3)) &&
                                                     (i_3 <= k2)) &&
                                                    (k2 <
                                                      (\offset_max(t_0) + 1))) ==>
                                                   ((t_0 + k1).intP <=
                                                     (t_0 + k2).intP)))))));
               behavior permutation:
                 invariant (K_22 : Permut{Pre,
                           Here}(t_0, 0, ((\offset_max(t_0) + 1) - 1)));
               
               for ((i_3 = 0) ; (K_44 : (i_3 <
                                          (K_43 : ((K_42 : java_array_length_intM(
                                                   t_0)) -
                                                    1)))) ; (K_41 : (i_3 ++)))
               {  
                  {  (mv = (K_23 : (t_0 + i_3).intP));
                     (mi = i_3);
                     
                     loop 
                     behavior default:
                       invariant (K_28 : ((K_27 : (i_3 < j_2)) &&
                                           (K_26 : ((K_25 : (i_3 <= mi)) &&
                                                     (K_24 : (mi <
                                                               (\offset_max(t_0) +
                                                                 1)))))));
                     behavior sorted:
                       invariant (K_31 : ((K_30 : (mv == (t_0 + mi).intP)) &&
                                           (K_29 : (\forall integer k_0;
                                                     (((i_3 <= k_0) &&
                                                        (k_0 < j_2)) ==>
                                                       ((t_0 + k_0).intP >=
                                                         mv))))));
                     behavior permutation:
                       invariant (K_32 : Permut{Pre,
                                 Here}(t_0, 0, ((\offset_max(t_0) + 1) - 1)));
                     
                     for ((j_2 = (K_39 : (i_3 + 1))) ; (K_38 : (j_2 <
                                                                 (K_37 : java_array_length_intM(
                                                                 t_0)))) ; 
                     (K_36 : (j_2 ++)))
                     {  (if (K_35 : ((K_34 : (t_0 + j_2).intP) < mv)) then 
                        {  (mi = j_2);
                           (mv = (K_33 : (t_0 + j_2).intP))
                        } else ())
                     };
                     (K_40 : Sort_swap(this_0, t_0, i_3, mi))
                  }
               }
            }
         }
      }
   }
}

Object[0..] Object_clone(Object[0] this_4)
;

unit Object_notifyAll(Object[0] this_5)
;

integer Object_hashCode(Object[0] this_6)
;

boolean Object_equals(Object[0] this_7, Object[0..] obj)
;

unit Object_wait(Object[0] this_8)
;

unit Object_notify(Object[0] this_9)
;

unit Object_wait_long(Object[0] this_10, integer timeout)
;

unit cons_Sort(! Sort[0] this_3){()}

String[0..] Object_toString(Object[0] this_11)
;

unit Object_wait_long_int(Object[0] this_12, integer timeout_0, integer nanos)
;

unit cons_Object(! Object[0] this_14){()}

unit Object_finalize(Object[0] this_13)
;

unit Object_registerNatives()
;

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/Sort.jloc tests/java/Sort.jc && make -f tests/java/Sort.makefile gui"
End:
*/
========== file tests/java/Sort.jloc ==========
[Permut_swap]
name = "Lemma Permut_swap"
file = "HOME/"
line = 0
begin = 0
end = 0

[K_30]
file = "HOME/tests/java/Sort.java"
line = 99
begin = 25
end = 36

[K_23]
file = "HOME/tests/java/Sort.java"
line = 96
begin = 10
end = 14

[Permut_refl]
name = "Lemma Permut_refl"
file = "HOME/"
line = 0
begin = 0
end = 0

[K_33]
file = "HOME/tests/java/Sort.java"
line = 106
begin = 20
end = 24

[K_17]
file = "HOME/tests/java/Sort.java"
line = 77
begin = 17
end = 26

[Object_wait_long]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[K_11]
file = "HOME/tests/java/Sort.java"
line = 73
begin = 8
end = 12

[K_38]
file = "HOME/tests/java/Sort.java"
line = 104
begin = 17
end = 29

[K_25]
file = "HOME/tests/java/Sort.java"
line = 97
begin = 33
end = 40

[K_13]
file = "HOME/tests/java/Sort.java"
line = 74
begin = 1
end = 11

[Object_finalize]
name = "Method finalize"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[K_9]
file = "HOME/tests/java/Sort.java"
line = 66
begin = 17
end = 58

[Object_wait]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[K_44]
file = "HOME/tests/java/Sort.java"
line = 94
begin = 11
end = 23

[Object_notify]
name = "Method notify"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[Object_clone]
name = "Method clone"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[K_28]
file = "HOME/tests/java/Sort.java"
line = 97
begin = 24
end = 51

[cons_Object]
name = "Constructor of class Object"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_1]
file = "HOME/tests/java/Sort.java"
line = 69
begin = 16
end = 37

[K_15]
file = "HOME/tests/java/Sort.java"
line = 79
begin = 18
end = 40

[K_4]
file = "HOME/tests/java/Sort.java"
line = 67
begin = 32
end = 49

[K_12]
file = "HOME/tests/java/Sort.java"
line = 73
begin = 1
end = 12

[Object_wait_long_int]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[K_34]
file = "HOME/tests/java/Sort.java"
line = 105
begin = 6
end = 10

[Object_registerNatives]
name = "Method registerNatives"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[K_20]
file = "HOME/tests/java/Sort.java"
line = 88
begin = 21
end = 34

[K_2]
file = "HOME/tests/java/Sort.java"
line = 67
begin = 37
end = 49

[K_41]
file = "HOME/tests/java/Sort.java"
line = 94
begin = 25
end = 28

[K_29]
file = "HOME/tests/java/Sort.java"
line = 100
begin = 12
end = 56

[K_10]
file = "HOME/tests/java/Sort.java"
line = 66
begin = 17
end = 79

[K_35]
file = "HOME/tests/java/Sort.java"
line = 105
begin = 6
end = 15

[K_6]
file = "HOME/tests/java/Sort.java"
line = 67
begin = 11
end = 17

[K_8]
file = "HOME/tests/java/Sort.java"
line = 66
begin = 17
end = 26

[Permut_trans]
name = "Lemma Permut_trans"
file = "HOME/"
line = 0
begin = 0
end = 0

[K_3]
file = "HOME/tests/java/Sort.java"
line = 67
begin = 32
end = 38

[K_31]
file = "HOME/tests/java/Sort.java"
line = 99
begin = 25
end = 97

[K_32]
file = "HOME/tests/java/Sort.java"
line = 102
begin = 25
end = 57

[K_27]
file = "HOME/tests/java/Sort.java"
line = 97
begin = 24
end = 29

[cons_Sort]
name = "Constructor of class Sort"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_21]
file = "HOME/tests/java/Sort.java"
line = 88
begin = 21
end = 128

[K_42]
file = "HOME/tests/java/Sort.java"
line = 94
begin = 13
end = 21

[K_24]
file = "HOME/tests/java/Sort.java"
line = 97
begin = 38
end = 51

[K_14]
file = "HOME/tests/java/Sort.java"
line = 72
begin = 11
end = 15

[K_39]
file = "HOME/tests/java/Sort.java"
line = 104
begin = 12
end = 15

[K_36]
file = "HOME/tests/java/Sort.java"
line = 104
begin = 31
end = 34

[Permut_sym]
name = "Lemma Permut_sym"
file = "HOME/"
line = 0
begin = 0
end = 0

[Object_notifyAll]
name = "Method notifyAll"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[K_37]
file = "HOME/tests/java/Sort.java"
line = 104
begin = 21
end = 29

[K_19]
file = "HOME/tests/java/Sort.java"
line = 89
begin = 8
end = 89

[K_5]
file = "HOME/tests/java/Sort.java"
line = 67
begin = 16
end = 28

[Sort_min_sort]
name = "Method min_sort"
file = "HOME/tests/java/Sort.java"
line = 83
begin = 9
end = 17

[K_18]
file = "HOME/tests/java/Sort.java"
line = 86
begin = 20
end = 26

[Object_equals]
name = "Method equals"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[Sort_swap]
name = "Method swap"
file = "HOME/tests/java/Sort.java"
line = 71
begin = 9
end = 13

[K_7]
file = "HOME/tests/java/Sort.java"
line = 67
begin = 11
end = 28

[K_40]
file = "HOME/tests/java/Sort.java"
line = 109
begin = 5
end = 17

[Object_hashCode]
name = "Method hashCode"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[K_26]
file = "HOME/tests/java/Sort.java"
line = 97
begin = 33
end = 51

[Object_toString]
name = "Method toString"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[K_22]
file = "HOME/tests/java/Sort.java"
line = 92
begin = 22
end = 54

[K_16]
file = "HOME/tests/java/Sort.java"
line = 81
begin = 18
end = 50

[K_43]
file = "HOME/tests/java/Sort.java"
line = 94
begin = 13
end = 23

========== jessie execution ==========
Generating Why function Sort_swap
Generating Why function Sort_min_sort
Generating Why function cons_Sort
Generating Why function cons_Object
========== file tests/java/Sort.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

WHYLIB ?= HOME/lib

USERWHYTHREEOPT=
JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

why3: why/Sort_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: Sort.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: Sort.mlw
	 why3 ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: Sort.mlw
	 why3 replay $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

========== file tests/java/Sort.loc ==========
[JC_176]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_233]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_177]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_221]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_80]
file = "HOME/tests/java/Sort.jc"
line = 153
begin = 15
end = 3072

[JC_51]
file = "HOME/tests/java/Sort.java"
line = 66
begin = 17
end = 79

[JC_147]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_123]
file = "HOME/tests/java/Sort.java"
line = 97
begin = 38
end = 51

[JC_143]
file = "HOME/tests/java/Sort.jc"
line = 178
begin = 21
end = 1621

[JC_113]
file = "HOME/tests/java/Sort.java"
line = 86
begin = 20
end = 26

[JC_248]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_116]
file = "HOME/tests/java/Sort.jc"
line = 153
begin = 15
end = 3072

[JC_64]
kind = PointerDeref
file = "HOME/tests/java/Sort.jc"
line = 129
begin = 18
end = 38

[JC_133]
file = "HOME/tests/java/Sort.jc"
line = 153
begin = 15
end = 3072

[JC_188]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[JC_180]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[JC_99]
file = "HOME/tests/java/Sort.jc"
line = 153
begin = 15
end = 3072

[JC_200]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_85]
file = "HOME/tests/java/Sort.java"
line = 97
begin = 33
end = 40

[JC_201]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_31]
file = "HOME/tests/java/Sort.jc"
line = 55
begin = 8
end = 23

[JC_17]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_194]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[JC_122]
file = "HOME/tests/java/Sort.java"
line = 97
begin = 33
end = 40

[JC_205]
file = "HOME/"
line = 0
begin = -1
end = -1

[Sort_min_sort_ensures_sorted]
name = "Method min_sort"
behavior = "Behavior `sorted'"
file = "HOME/tests/java/Sort.java"
line = 83
begin = 9
end = 17

[JC_81]
kind = UserCall
file = "HOME/tests/java/Sort.java"
line = 94
begin = 13
end = 21

[JC_55]
file = "HOME/tests/java/Sort.jc"
line = 120
begin = 9
end = 16

[JC_134]
file = "HOME/tests/java/Sort.jc"
line = 153
begin = 15
end = 3072

[Sort_min_sort_ensures_default]
name = "Method min_sort"
behavior = "default behavior"
file = "HOME/tests/java/Sort.java"
line = 83
begin = 9
end = 17

[JC_48]
file = "HOME/tests/java/Sort.java"
line = 67
begin = 16
end = 28

[JC_23]
file = "HOME/tests/java/Sort.jc"
line = 51
begin = 11
end = 103

[JC_241]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_172]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[JC_121]
file = "HOME/tests/java/Sort.java"
line = 97
begin = 24
end = 29

[JC_125]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_67]
file = "HOME/tests/java/Sort.java"
line = 77
begin = 17
end = 26

[JC_9]
file = "HOME/tests/java/Sort.jc"
line = 42
begin = 8
end = 21

[JC_25]
file = "HOME/tests/java/Sort.jc"
line = 51
begin = 11
end = 103

[JC_189]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_78]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_41]
file = "HOME/tests/java/Sort.java"
line = 67
begin = 16
end = 28

[JC_74]
file = "HOME/tests/java/Sort.java"
line = 79
begin = 18
end = 40

[JC_195]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_52]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_26]
file = "HOME/tests/java/Sort.jc"
line = 50
begin = 10
end = 18

[Sort_swap_safety]
name = "Method swap"
behavior = "Safety"
file = "HOME/tests/java/Sort.java"
line = 71
begin = 9
end = 13

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Sort_ensures_default]
name = "Constructor of class Sort"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/tests/java/Sort.jc"
line = 45
begin = 11
end = 66

[JC_240]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_82]
kind = IndexBounds
file = "HOME/tests/java/Sort.java"
line = 94
begin = 13
end = 21

[JC_163]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_153]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_222]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_246]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/java/Sort.jc"
line = 42
begin = 8
end = 21

[JC_185]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_167]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_98]
file = "HOME/tests/java/Sort.jc"
line = 153
begin = 15
end = 3072

[JC_70]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_104]
file = "HOME/tests/java/Sort.java"
line = 97
begin = 24
end = 51

[JC_39]
file = "HOME/tests/java/Sort.java"
line = 66
begin = 17
end = 26

[JC_112]
file = "HOME/tests/java/Sort.java"
line = 88
begin = 21
end = 128

[JC_135]
kind = UserCall
file = "HOME/tests/java/Sort.java"
line = 94
begin = 13
end = 21

[JC_169]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_132]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_115]
file = "HOME/tests/java/Sort.jc"
line = 153
begin = 15
end = 3072

[JC_109]
kind = UserCall
file = "HOME/tests/java/Sort.jc"
line = 205
begin = 29
end = 60

[JC_69]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_219]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_124]
file = "HOME/tests/java/Sort.java"
line = 97
begin = 24
end = 51

[Sort_swap_ensures_default]
name = "Method swap"
behavior = "default behavior"
file = "HOME/tests/java/Sort.java"
line = 71
begin = 9
end = 13

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[Permut_trans]
name = "Lemma Permut_trans"
behavior = "axiom"
file = "HOME/"
line = 0
begin = 0
end = 0

[JC_206]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_218]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[JC_191]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
kind = PointerDeref
file = "HOME/tests/java/Sort.java"
line = 73
begin = 8
end = 12

[JC_101]
file = "HOME/tests/java/Sort.java"
line = 97
begin = 24
end = 29

[JC_223]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_129]
kind = UserCall
file = "HOME/tests/java/Sort.jc"
line = 205
begin = 29
end = 60

[JC_190]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_110]
file = "HOME/tests/java/Sort.java"
line = 88
begin = 21
end = 34

[JC_166]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_103]
file = "HOME/tests/java/Sort.java"
line = 97
begin = 38
end = 51

[JC_46]
file = "HOME/tests/java/Sort.java"
line = 66
begin = 17
end = 26

[JC_61]
kind = PointerDeref
file = "HOME/tests/java/Sort.java"
line = 72
begin = 11
end = 15

[JC_199]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_56]
file = "HOME/tests/java/Sort.java"
line = 69
begin = 16
end = 37

[JC_243]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_173]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_29]
file = "HOME/tests/java/Sort.jc"
line = 55
begin = 8
end = 23

[JC_202]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_144]
kind = UserCall
file = "HOME/tests/java/Sort.java"
line = 104
begin = 21
end = 29

[JC_16]
file = "HOME/tests/java/Sort.jc"
line = 44
begin = 10
end = 18

[JC_43]
file = "HOME/tests/java/Sort.java"
line = 67
begin = 37
end = 49

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_95]
kind = UserCall
file = "HOME/tests/java/Sort.jc"
line = 205
begin = 29
end = 60

[JC_235]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_97]
file = "HOME/"
line = 0
begin = -1
end = -1

[Permut_sym]
name = "Lemma Permut_sym"
behavior = "axiom"
file = "HOME/"
line = 0
begin = 0
end = 0

[JC_84]
file = "HOME/tests/java/Sort.java"
line = 97
begin = 24
end = 29

[JC_160]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_128]
kind = UserCall
file = "HOME/tests/java/Sort.java"
line = 104
begin = 21
end = 29

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/tests/java/Sort.jc"
line = 44
begin = 10
end = 18

[JC_90]
file = "HOME/tests/java/Sort.jc"
line = 178
begin = 21
end = 1621

[JC_225]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_149]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_216]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_131]
file = "HOME/tests/java/Sort.java"
line = 86
begin = 20
end = 26

[JC_37]
file = "HOME/tests/java/Sort.jc"
line = 57
begin = 11
end = 65

[JC_181]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_108]
kind = UserCall
file = "HOME/tests/java/Sort.java"
line = 104
begin = 21
end = 29

[JC_57]
file = "HOME/tests/java/Sort.java"
line = 71
begin = 9
end = 13

[JC_161]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_89]
file = "HOME/tests/java/Sort.jc"
line = 178
begin = 21
end = 1621

[JC_136]
file = "HOME/tests/java/Sort.java"
line = 102
begin = 25
end = 57

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_165]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_213]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_217]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_229]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_86]
file = "HOME/tests/java/Sort.java"
line = 97
begin = 38
end = 51

[JC_72]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_19]
file = "HOME/tests/java/Sort.jc"
line = 48
begin = 8
end = 30

[JC_187]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_238]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_50]
file = "HOME/tests/java/Sort.java"
line = 67
begin = 37
end = 49

[JC_120]
file = "HOME/tests/java/Sort.java"
line = 99
begin = 25
end = 97

[JC_58]
file = "HOME/tests/java/Sort.jc"
line = 120
begin = 9
end = 16

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_198]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_94]
kind = PointerDeref
file = "HOME/tests/java/Sort.java"
line = 106
begin = 20
end = 24

[JC_73]
file = "HOME/tests/java/Sort.java"
line = 79
begin = 18
end = 40

[Permut_swap]
name = "Lemma Permut_swap"
behavior = "axiom"
file = "HOME/"
line = 0
begin = 0
end = 0

[JC_158]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_63]
kind = PointerDeref
file = "HOME/tests/java/Sort.jc"
line = 128
begin = 18
end = 58

[JC_196]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[Permut_refl]
name = "Lemma Permut_refl"
behavior = "axiom"
file = "HOME/"
line = 0
begin = 0
end = 0

[JC_71]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_197]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_207]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_151]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_45]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_106]
file = "HOME/tests/java/Sort.jc"
line = 178
begin = 21
end = 1621

[JC_203]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_227]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Object_ensures_default]
name = "Constructor of class Object"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_126]
file = "HOME/tests/java/Sort.jc"
line = 178
begin = 21
end = 1621

[JC_170]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[Sort_min_sort_safety]
name = "Method min_sort"
behavior = "Safety"
file = "HOME/tests/java/Sort.java"
line = 83
begin = 9
end = 17

[JC_236]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[JC_138]
file = "HOME/tests/java/Sort.java"
line = 97
begin = 33
end = 40

[JC_247]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_148]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[JC_137]
file = "HOME/tests/java/Sort.java"
line = 97
begin = 24
end = 29

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_231]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_75]
file = "HOME/tests/java/Sort.java"
line = 81
begin = 18
end = 50

[JC_24]
file = "HOME/tests/java/Sort.jc"
line = 50
begin = 10
end = 18

[JC_193]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_186]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[JC_212]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[JC_175]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_224]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_47]
file = "HOME/tests/java/Sort.java"
line = 67
begin = 11
end = 17

[JC_232]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_154]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[JC_54]
file = "HOME/tests/java/Sort.java"
line = 71
begin = 9
end = 13

[JC_237]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_208]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_79]
file = "HOME/tests/java/Sort.jc"
line = 153
begin = 15
end = 3072

[JC_130]
file = "HOME/tests/java/Sort.java"
line = 92
begin = 22
end = 54

[JC_174]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_87]
file = "HOME/tests/java/Sort.java"
line = 97
begin = 24
end = 51

[JC_184]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_15]
file = "HOME/tests/java/Sort.jc"
line = 45
begin = 11
end = 66

[JC_182]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_168]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_91]
kind = UserCall
file = "HOME/tests/java/Sort.java"
line = 104
begin = 21
end = 29

[JC_40]
file = "HOME/tests/java/Sort.java"
line = 67
begin = 11
end = 17

[JC_162]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[JC_83]
kind = PointerDeref
file = "HOME/tests/java/Sort.java"
line = 96
begin = 10
end = 14

[JC_35]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_215]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_107]
file = "HOME/tests/java/Sort.jc"
line = 178
begin = 21
end = 1621

[JC_179]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_38]
file = "HOME/tests/java/Sort.jc"
line = 57
begin = 11
end = 65

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_242]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[JC_156]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[JC_127]
file = "HOME/tests/java/Sort.jc"
line = 178
begin = 21
end = 1621

[JC_171]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_164]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[JC_44]
file = "HOME/tests/java/Sort.java"
line = 66
begin = 17
end = 79

[JC_155]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_88]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_42]
file = "HOME/tests/java/Sort.java"
line = 67
begin = 32
end = 38

[JC_178]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[cons_Sort_safety]
name = "Constructor of class Sort"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_141]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_220]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[JC_65]
file = "HOME/tests/java/Sort.java"
line = 77
begin = 17
end = 26

[JC_118]
file = "HOME/tests/java/Sort.java"
line = 99
begin = 25
end = 36

[JC_105]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_245]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_140]
file = "HOME/tests/java/Sort.java"
line = 97
begin = 24
end = 51

[cons_Object_safety]
name = "Constructor of class Object"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_159]
file = "HOME/"
line = 0
begin = -1
end = -1

[Sort_min_sort_ensures_permutation]
name = "Method min_sort"
behavior = "Behavior `permutation'"
file = "HOME/tests/java/Sort.java"
line = 83
begin = 9
end = 17

[JC_68]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_96]
file = "HOME/tests/java/Sort.java"
line = 86
begin = 20
end = 26

[JC_93]
kind = PointerDeref
file = "HOME/tests/java/Sort.java"
line = 105
begin = 6
end = 10

[JC_214]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_114]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_150]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_117]
kind = UserCall
file = "HOME/tests/java/Sort.java"
line = 94
begin = 13
end = 21

[JC_53]
file = "HOME/tests/java/Sort.java"
line = 69
begin = 16
end = 37

[JC_204]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_157]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_145]
kind = UserCall
file = "HOME/tests/java/Sort.jc"
line = 205
begin = 29
end = 60

[JC_21]
file = "HOME/tests/java/Sort.jc"
line = 48
begin = 8
end = 30

[JC_209]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_111]
file = "HOME/tests/java/Sort.java"
line = 89
begin = 8
end = 89

[JC_77]
file = "HOME/tests/java/Sort.java"
line = 86
begin = 20
end = 26

[JC_49]
file = "HOME/tests/java/Sort.java"
line = 67
begin = 32
end = 38

[JC_1]
file = "HOME/tests/java/Sort.jc"
line = 13
begin = 12
end = 22

[JC_102]
file = "HOME/tests/java/Sort.java"
line = 97
begin = 33
end = 40

[JC_142]
file = "HOME/tests/java/Sort.jc"
line = 178
begin = 21
end = 1621

[JC_211]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_146]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[JC_249]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_66]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_59]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_192]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_239]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_3]
file = "HOME/tests/java/Sort.jc"
line = 13
begin = 12
end = 22

[JC_92]
kind = IndexBounds
file = "HOME/tests/java/Sort.java"
line = 104
begin = 21
end = 29

[JC_152]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_228]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_60]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_183]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_139]
file = "HOME/tests/java/Sort.java"
line = 97
begin = 38
end = 51

[JC_119]
file = "HOME/tests/java/Sort.java"
line = 100
begin = 12
end = 56

[JC_210]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[JC_76]
file = "HOME/tests/java/Sort.java"
line = 81
begin = 18
end = 50

[JC_244]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[JC_230]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_234]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[JC_226]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_100]
kind = UserCall
file = "HOME/tests/java/Sort.java"
line = 94
begin = 13
end = 21

========== file tests/java/why/Sort.why ==========
type Object

type interface

logic Exception_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_1:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_1), (0))

predicate Non_null_intM(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), neg_int((1)))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic Permut: Object pointer, int, int, (Object, int) memory,
 (Object, int) memory -> prop

logic Sort_tag:  -> Object tag_id

axiom Sort_parenttag_Object : parenttag(Sort_tag, Object_tag)

predicate Sorted(a:Object pointer, l:int, h:int,
 intM_intP_at_L:(Object, int) memory) =
 (forall i:int.
  ((le_int(l, i) and lt_int(i, h)) ->
   le_int(select(intM_intP_at_L, shift(a, i)),
   select(intM_intP_at_L, shift(a, add_int(i, (1)))))))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

predicate Swap(a_0:Object pointer, i_0:int, j:int,
 intM_intP_at_L2:(Object, int) memory,
 intM_intP_at_L1:(Object, int) memory) =
 ((select(intM_intP_at_L1, shift(a_0, i_0)) = select(intM_intP_at_L2,
                                              shift(a_0, j)))
 and ((select(intM_intP_at_L1, shift(a_0, j)) = select(intM_intP_at_L2,
                                                shift(a_0, i_0)))
     and (forall k:int.
          (((k <> i_0) and (k <> j)) ->
           (select(intM_intP_at_L1, shift(a_0, k)) = select(intM_intP_at_L2,
                                                     shift(a_0, k)))))))

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic intM_tag:  -> Object tag_id

axiom intM_parenttag_Object : parenttag(intM_tag, Object_tag)

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Sort(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_intM(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Sort(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_intM(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Sort(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_intM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Sort(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_intM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

axiom Permut_swap :
 (forall intM_intP_at_L2:(Object, int) memory.
  (forall intM_intP_at_L1:(Object, int) memory.
   (forall a_5:Object pointer.
    (forall l_4:int.
     (forall h_4:int.
      (forall i_1:int.
       (forall j_0:int.
        ((le_int(l_4, i_1)
         and (le_int(i_1, h_4)
             and (le_int(l_4, j_0)
                 and (le_int(j_0, h_4)
                     and Swap(a_5, i_1, j_0, intM_intP_at_L2,
                         intM_intP_at_L1))))) ->
         Permut(a_5, l_4, h_4, intM_intP_at_L2, intM_intP_at_L1)))))))))

axiom Permut_trans :
 (forall intM_intP_at_L3:(Object, int) memory.
  (forall intM_intP_at_L2:(Object, int) memory.
   (forall intM_intP_at_L1:(Object, int) memory.
    (forall a_4:Object pointer.
     (forall l_3:int.
      (forall h_3:int.
       ((Permut(a_4, l_3, h_3, intM_intP_at_L2, intM_intP_at_L1)
        and Permut(a_4, l_3, h_3, intM_intP_at_L3, intM_intP_at_L2)) ->
        Permut(a_4, l_3, h_3, intM_intP_at_L3, intM_intP_at_L1))))))))

axiom Permut_sym :
 (forall intM_intP_at_L2:(Object, int) memory.
  (forall intM_intP_at_L1:(Object, int) memory.
   (forall a_3:Object pointer.
    (forall l_2:int.
     (forall h_2:int.
      (Permut(a_3, l_2, h_2, intM_intP_at_L2, intM_intP_at_L1) ->
       Permut(a_3, l_2, h_2, intM_intP_at_L1, intM_intP_at_L2)))))))

axiom Permut_refl :
 (forall intM_intP_at_L:(Object, int) memory.
  (forall a_2:Object pointer.
   (forall l_1:int.
    (forall h_1:int. Permut(a_2, l_1, h_1, intM_intP_at_L, intM_intP_at_L)))))

exception Exception_exc of Object pointer

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Object_alloc_table : Object alloc_table ref

parameter Object_clone :
 this_4:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_clone_requires :
 this_4:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_equals :
 this_7:Object pointer ->
  obj:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Object_equals_requires :
 this_7:Object pointer ->
  obj:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Object_finalize :
 this_13:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_finalize_requires :
 this_13:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_hashCode :
 this_6:Object pointer -> { } int reads Object_alloc_table { true }

parameter Object_hashCode_requires :
 this_6:Object pointer -> { } int reads Object_alloc_table { true }

parameter Object_notify :
 this_9:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notifyAll :
 this_5:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notifyAll_requires :
 this_5:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notify_requires :
 this_9:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_registerNatives : tt:unit -> { } unit { true }

parameter Object_registerNatives_requires : tt:unit -> { } unit { true }

parameter Object_tag_table : Object tag_table ref

parameter Object_toString :
 this_11:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_toString_requires :
 this_11:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_wait :
 this_8:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long :
 this_10:Object pointer ->
  timeout:int -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_int :
 this_12:Object pointer ->
  timeout_0:int -> nanos:int -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_int_requires :
 this_12:Object pointer ->
  timeout_0:int -> nanos:int -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_requires :
 this_10:Object pointer ->
  timeout:int -> { } unit reads Object_alloc_table { true }

parameter Object_wait_requires :
 this_8:Object pointer -> { } unit reads Object_alloc_table { true }

exception Return_label_exc of unit

parameter intM_intP : (Object, int) memory ref

parameter Sort_min_sort :
 this_0:Object pointer ->
  t_0:Object pointer ->
   { } unit reads Object_alloc_table,intM_intP writes intM_intP
   { ((JC_76:
      Permut(t_0, (0),
      sub_int(add_int(offset_max(Object_alloc_table, t_0), (1)), (1)),
      intM_intP, intM_intP@))
     and (JC_74:
         Sorted(t_0, (0),
         sub_int(add_int(offset_max(Object_alloc_table, t_0), (1)), (1)),
         intM_intP))) }

parameter Sort_min_sort_requires :
 this_0:Object pointer ->
  t_0:Object pointer ->
   { (JC_65: Non_null_intM(t_0, Object_alloc_table))} unit
   reads Object_alloc_table,intM_intP writes intM_intP
   { ((JC_76:
      Permut(t_0, (0),
      sub_int(add_int(offset_max(Object_alloc_table, t_0), (1)), (1)),
      intM_intP, intM_intP@))
     and (JC_74:
         Sorted(t_0, (0),
         sub_int(add_int(offset_max(Object_alloc_table, t_0), (1)), (1)),
         intM_intP))) }

parameter Sort_swap :
 this_2:Object pointer ->
  t:Object pointer ->
   i_2:int ->
    j_1:int ->
     { } unit reads Object_alloc_table,intM_intP writes intM_intP
     { (JC_58:
       ((JC_56: Swap(t, i_2, j_1, intM_intP, intM_intP@))
       and (JC_57:
           not_assigns(Object_alloc_table@, intM_intP@, intM_intP,
           pset_union(pset_range(pset_singleton(t), j_1, j_1),
           pset_range(pset_singleton(t), i_2, i_2)))))) }

parameter Sort_swap_requires :
 this_2:Object pointer ->
  t:Object pointer ->
   i_2:int ->
    j_1:int ->
     { (JC_44:
       ((JC_39: Non_null_intM(t, Object_alloc_table))
       and ((JC_40: le_int((0), i_2))
           and ((JC_41:
                lt_int(i_2, add_int(offset_max(Object_alloc_table, t), (1))))
               and ((JC_42: le_int((0), j_1))
                   and (JC_43:
                       lt_int(j_1,
                       add_int(offset_max(Object_alloc_table, t), (1)))))))))}
     unit reads Object_alloc_table,intM_intP writes intM_intP
     { (JC_58:
       ((JC_56: Swap(t, i_2, j_1, intM_intP, intM_intP@))
       and (JC_57:
           not_assigns(Object_alloc_table@, intM_intP@, intM_intP,
           pset_union(pset_range(pset_singleton(t), j_1, j_1),
           pset_range(pset_singleton(t), i_2, i_2)))))) }

exception Throwable_exc of Object pointer

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Sort :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Sort(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Sort_tag)))) }

parameter alloc_struct_Sort_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Sort(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Sort_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_intM :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_intM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, intM_tag)))) }

parameter alloc_struct_intM_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_intM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, intM_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter cons_Object :
 this_14:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Object_requires :
 this_14:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Sort :
 this_3:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Sort_requires :
 this_3:Object pointer -> { } unit reads Object_alloc_table { true }

parameter java_array_length_intM :
 x_3:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_25:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_3), (1)))))) }

parameter java_array_length_intM_requires :
 x_3:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_25:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_3), (1)))))) }

parameter non_null_Object :
 x_4:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_38:
    (if result then (offset_max(Object_alloc_table, x_4) = (0))
     else (x_4 = null))) }

parameter non_null_Object_requires :
 x_4:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_38:
    (if result then (offset_max(Object_alloc_table, x_4) = (0))
     else (x_4 = null))) }

parameter non_null_intM :
 x_2:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_15:
    (if result then ge_int(offset_max(Object_alloc_table, x_2), neg_int((1)))
     else (x_2 = null))) }

parameter non_null_intM_requires :
 x_2:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_15:
    (if result then ge_int(offset_max(Object_alloc_table, x_2), neg_int((1)))
     else (x_2 = null))) }

let Sort_min_sort_ensures_default =
 fun (this_0 : Object pointer) (t_0 : Object pointer) ->
  { (left_valid_struct_intM(t_0, (0), Object_alloc_table)
    and (valid_struct_Sort(this_0, (0), (0), Object_alloc_table)
        and (JC_67: Non_null_intM(t_0, Object_alloc_table)))) }
  (init:
  try
   begin
     (let i_3 = ref (any_int void) in
     (let j_2 = ref (any_int void) in
     (let mi = ref (any_int void) in
     (let mv = ref (any_int void) in
     begin
       (let _jessie_ = (i_3 := (0)) in void);
      try
       (loop_3:
       while true do
       { invariant (JC_96: le_int((0), i_3))  }
        begin
          [ { } unit { true } ];
         try
          begin
            (if (K_44:
                ((lt_int_ !i_3) (K_43:
                                ((sub_int (K_42:
                                          (let _jessie_ = t_0 in
                                          (JC_100:
                                          (java_array_length_intM _jessie_))))) (1)))))
            then
             begin
               (let _jessie_ =
               (mv := (K_23: ((safe_acc_ !intM_intP) ((shift t_0) !i_3)))) in
               void); (let _jessie_ = (mi := !i_3) in void);
              (let _jessie_ = (j_2 := (K_39: ((add_int !i_3) (1)))) in
              void);
              try
               (loop_4:
               while true do
               { invariant
                   (JC_104:
                   ((JC_101: lt_int(i_3, j_2))
                   and ((JC_102: le_int(i_3, mi))
                       and (JC_103:
                           lt_int(mi,
                           add_int(offset_max(Object_alloc_table, t_0), (1)))))))
                  }
                begin
                  [ { } unit { true } ];
                 try
                  begin
                    (if (K_38:
                        ((lt_int_ !j_2) (K_37:
                                        (let _jessie_ = t_0 in
                                        (JC_108:
                                        (java_array_length_intM _jessie_))))))
                    then
                     (if (K_35:
                         ((lt_int_ (K_34:
                                   ((safe_acc_ !intM_intP) ((shift t_0) !j_2)))) !mv))
                     then
                      (let _jessie_ =
                      begin
                        (let _jessie_ = (mi := !j_2) in void);
                       (mv := (K_33:
                              ((safe_acc_ !intM_intP) ((shift t_0) !j_2))));
                       !mv end in void) else void)
                    else (raise (Loop_exit_exc void)));
                   (raise (Loop_continue_exc void)) end with
                  Loop_continue_exc _jessie_ ->
                  (let _jessie_ =
                  (K_36:
                  (let _jessie_ = !j_2 in
                  begin
                    (let _jessie_ = (j_2 := ((add_int _jessie_) (1))) in
                    void); _jessie_ end)) in void) end end done) with
               Loop_exit_exc _jessie_ -> void end;
              (K_40:
              (let _jessie_ = this_0 in
              (let _jessie_ = t_0 in
              (let _jessie_ = !i_3 in
              (let _jessie_ = !mi in
              (JC_109:
              ((((Sort_swap _jessie_) _jessie_) _jessie_) _jessie_)))))))
             end else (raise (Loop_exit_exc void)));
           (raise (Loop_continue_exc void)) end with
          Loop_continue_exc _jessie_ ->
          (let _jessie_ =
          (K_41:
          (let _jessie_ = !i_3 in
          begin
            (let _jessie_ = (i_3 := ((add_int _jessie_) (1))) in void);
           _jessie_ end)) in void) end end done) with
       Loop_exit_exc _jessie_ -> void end end)))); (raise Return) end with
   Return -> void end) { (JC_69: true) } 

let Sort_min_sort_ensures_permutation =
 fun (this_0 : Object pointer) (t_0 : Object pointer) ->
  { (left_valid_struct_intM(t_0, (0), Object_alloc_table)
    and (valid_struct_Sort(this_0, (0), (0), Object_alloc_table)
        and (JC_67: Non_null_intM(t_0, Object_alloc_table)))) }
  (init:
  try
   begin
     (let i_3 = ref (any_int void) in
     (let j_2 = ref (any_int void) in
     (let mi = ref (any_int void) in
     (let mv = ref (any_int void) in
     begin
       (let _jessie_ = (i_3 := (0)) in void);
      try
       (loop_7:
       while true do
       { invariant
           (JC_130:
           Permut(t_0, (0),
           sub_int(add_int(offset_max(Object_alloc_table, t_0), (1)), (1)),
           intM_intP, intM_intP@init))  }
        begin
          [ { } unit reads i_3 { (JC_131: le_int((0), i_3)) } ];
         try
          begin
            (if (K_44:
                ((lt_int_ !i_3) (K_43:
                                ((sub_int (K_42:
                                          (let _jessie_ = t_0 in
                                          (JC_135:
                                          (java_array_length_intM _jessie_))))) (1)))))
            then
             begin
               (let _jessie_ =
               (mv := (K_23: ((safe_acc_ !intM_intP) ((shift t_0) !i_3)))) in
               void); (let _jessie_ = (mi := !i_3) in void);
              (let _jessie_ = (j_2 := (K_39: ((add_int !i_3) (1)))) in
              void);
              try
               (loop_8:
               while true do
               { invariant
                   (JC_136:
                   Permut(t_0, (0),
                   sub_int(add_int(offset_max(Object_alloc_table, t_0), (1)),
                   (1)), intM_intP, intM_intP@init))  }
                begin
                  [ { } unit reads Object_alloc_table,i_3,j_2,mi
                    { (JC_140:
                      ((JC_137: lt_int(i_3, j_2))
                      and ((JC_138: le_int(i_3, mi))
                          and (JC_139:
                              lt_int(mi,
                              add_int(offset_max(Object_alloc_table, t_0),
                              (1))))))) } ];
                 try
                  begin
                    (if (K_38:
                        ((lt_int_ !j_2) (K_37:
                                        (let _jessie_ = t_0 in
                                        (JC_144:
                                        (java_array_length_intM _jessie_))))))
                    then
                     (if (K_35:
                         ((lt_int_ (K_34:
                                   ((safe_acc_ !intM_intP) ((shift t_0) !j_2)))) !mv))
                     then
                      (let _jessie_ =
                      begin
                        (let _jessie_ = (mi := !j_2) in void);
                       (mv := (K_33:
                              ((safe_acc_ !intM_intP) ((shift t_0) !j_2))));
                       !mv end in void) else void)
                    else (raise (Loop_exit_exc void)));
                   (raise (Loop_continue_exc void)) end with
                  Loop_continue_exc _jessie_ ->
                  (let _jessie_ =
                  (K_36:
                  (let _jessie_ = !j_2 in
                  begin
                    (let _jessie_ = (j_2 := ((add_int _jessie_) (1))) in
                    void); _jessie_ end)) in void) end end done) with
               Loop_exit_exc _jessie_ -> void end;
              (K_40:
              (let _jessie_ = this_0 in
              (let _jessie_ = t_0 in
              (let _jessie_ = !i_3 in
              (let _jessie_ = !mi in
              (JC_145:
              ((((Sort_swap _jessie_) _jessie_) _jessie_) _jessie_)))))))
             end else (raise (Loop_exit_exc void)));
           (raise (Loop_continue_exc void)) end with
          Loop_continue_exc _jessie_ ->
          (let _jessie_ =
          (K_41:
          (let _jessie_ = !i_3 in
          begin
            (let _jessie_ = (i_3 := ((add_int _jessie_) (1))) in void);
           _jessie_ end)) in void) end end done) with
       Loop_exit_exc _jessie_ -> void end end)))); (raise Return) end with
   Return -> void end)
  { (JC_75:
    Permut(t_0, (0),
    sub_int(add_int(offset_max(Object_alloc_table, t_0), (1)), (1)),
    intM_intP, intM_intP@)) } 

let Sort_min_sort_ensures_sorted =
 fun (this_0 : Object pointer) (t_0 : Object pointer) ->
  { (left_valid_struct_intM(t_0, (0), Object_alloc_table)
    and (valid_struct_Sort(this_0, (0), (0), Object_alloc_table)
        and (JC_67: Non_null_intM(t_0, Object_alloc_table)))) }
  (init:
  try
   begin
     (let i_3 = ref (any_int void) in
     (let j_2 = ref (any_int void) in
     (let mi = ref (any_int void) in
     (let mv = ref (any_int void) in
     begin
       (let _jessie_ = (i_3 := (0)) in void);
      try
       (loop_5:
       while true do
       { invariant
           (JC_112:
           ((JC_110: Sorted(t_0, (0), i_3, intM_intP))
           and (JC_111:
               (forall k1:int.
                (forall k2:int.
                 ((le_int((0), k1)
                  and (lt_int(k1, i_3)
                      and (le_int(i_3, k2)
                          and lt_int(k2,
                              add_int(offset_max(Object_alloc_table, t_0),
                              (1)))))) ->
                  le_int(select(intM_intP, shift(t_0, k1)),
                  select(intM_intP, shift(t_0, k2)))))))))  }
        begin
          [ { } unit reads i_3 { (JC_113: le_int((0), i_3)) } ];
         try
          begin
            (if (K_44:
                ((lt_int_ !i_3) (K_43:
                                ((sub_int (K_42:
                                          (let _jessie_ = t_0 in
                                          (JC_117:
                                          (java_array_length_intM _jessie_))))) (1)))))
            then
             begin
               (let _jessie_ =
               (mv := (K_23: ((safe_acc_ !intM_intP) ((shift t_0) !i_3)))) in
               void); (let _jessie_ = (mi := !i_3) in void);
              (let _jessie_ = (j_2 := (K_39: ((add_int !i_3) (1)))) in
              void);
              try
               (loop_6:
               while true do
               { invariant
                   (JC_120:
                   ((JC_118: (mv = select(intM_intP, shift(t_0, mi))))
                   and (JC_119:
                       (forall k_0:int.
                        ((le_int(i_3, k_0) and lt_int(k_0, j_2)) ->
                         ge_int(select(intM_intP, shift(t_0, k_0)), mv))))))
                  }
                begin
                  [ { } unit reads Object_alloc_table,i_3,j_2,mi
                    { (JC_124:
                      ((JC_121: lt_int(i_3, j_2))
                      and ((JC_122: le_int(i_3, mi))
                          and (JC_123:
                              lt_int(mi,
                              add_int(offset_max(Object_alloc_table, t_0),
                              (1))))))) } ];
                 try
                  begin
                    (if (K_38:
                        ((lt_int_ !j_2) (K_37:
                                        (let _jessie_ = t_0 in
                                        (JC_128:
                                        (java_array_length_intM _jessie_))))))
                    then
                     (if (K_35:
                         ((lt_int_ (K_34:
                                   ((safe_acc_ !intM_intP) ((shift t_0) !j_2)))) !mv))
                     then
                      (let _jessie_ =
                      begin
                        (let _jessie_ = (mi := !j_2) in void);
                       (mv := (K_33:
                              ((safe_acc_ !intM_intP) ((shift t_0) !j_2))));
                       !mv end in void) else void)
                    else (raise (Loop_exit_exc void)));
                   (raise (Loop_continue_exc void)) end with
                  Loop_continue_exc _jessie_ ->
                  (let _jessie_ =
                  (K_36:
                  (let _jessie_ = !j_2 in
                  begin
                    (let _jessie_ = (j_2 := ((add_int _jessie_) (1))) in
                    void); _jessie_ end)) in void) end end done) with
               Loop_exit_exc _jessie_ -> void end;
              (K_40:
              (let _jessie_ = this_0 in
              (let _jessie_ = t_0 in
              (let _jessie_ = !i_3 in
              (let _jessie_ = !mi in
              (JC_129:
              ((((Sort_swap _jessie_) _jessie_) _jessie_) _jessie_)))))))
             end else (raise (Loop_exit_exc void)));
           (raise (Loop_continue_exc void)) end with
          Loop_continue_exc _jessie_ ->
          (let _jessie_ =
          (K_41:
          (let _jessie_ = !i_3 in
          begin
            (let _jessie_ = (i_3 := ((add_int _jessie_) (1))) in void);
           _jessie_ end)) in void) end end done) with
       Loop_exit_exc _jessie_ -> void end end)))); (raise Return) end with
   Return -> void end)
  { (JC_73:
    Sorted(t_0, (0),
    sub_int(add_int(offset_max(Object_alloc_table, t_0), (1)), (1)),
    intM_intP)) } 

let Sort_min_sort_safety =
 fun (this_0 : Object pointer) (t_0 : Object pointer) ->
  { (left_valid_struct_intM(t_0, (0), Object_alloc_table)
    and (valid_struct_Sort(this_0, (0), (0), Object_alloc_table)
        and (JC_67: Non_null_intM(t_0, Object_alloc_table)))) }
  (init:
  try
   begin
     (let i_3 = ref (any_int void) in
     (let j_2 = ref (any_int void) in
     (let mi = ref (any_int void) in
     (let mv = ref (any_int void) in
     begin
       (let _jessie_ = (i_3 := (0)) in void);
      try
       (loop_1:
       while true do
       { invariant (JC_79: true)  }
        begin
          [ { } unit reads i_3 { (JC_77: le_int((0), i_3)) } ];
         try
          begin
            (if (K_44:
                ((lt_int_ !i_3) (K_43:
                                ((sub_int (K_42:
                                          (let _jessie_ = t_0 in
                                          (JC_82:
                                          (assert
                                          { ge_int(offset_max(Object_alloc_table,
                                                   _jessie_),
                                            (-1)) };
                                          (JC_81:
                                          (java_array_length_intM_requires _jessie_))))))) (1)))))
            then
             begin
               (let _jessie_ =
               (mv := (K_23:
                      (JC_83:
                      ((((offset_acc_ !Object_alloc_table) !intM_intP) t_0) !i_3)))) in
               void); (let _jessie_ = (mi := !i_3) in void);
              (let _jessie_ = (j_2 := (K_39: ((add_int !i_3) (1)))) in
              void);
              try
               (loop_2:
               while true do
               { invariant (JC_89: true)  }
                begin
                  [ { } unit reads Object_alloc_table,i_3,j_2,mi
                    { (JC_87:
                      ((JC_84: lt_int(i_3, j_2))
                      and ((JC_85: le_int(i_3, mi))
                          and (JC_86:
                              lt_int(mi,
                              add_int(offset_max(Object_alloc_table, t_0),
                              (1))))))) } ];
                 try
                  begin
                    (if (K_38:
                        ((lt_int_ !j_2) (K_37:
                                        (let _jessie_ = t_0 in
                                        (JC_92:
                                        (assert
                                        { ge_int(offset_max(Object_alloc_table,
                                                 _jessie_),
                                          (-1)) };
                                        (JC_91:
                                        (java_array_length_intM_requires _jessie_))))))))
                    then
                     (if (K_35:
                         ((lt_int_ (K_34:
                                   (JC_93:
                                   ((((offset_acc_ !Object_alloc_table) !intM_intP) t_0) !j_2)))) !mv))
                     then
                      (let _jessie_ =
                      begin
                        (let _jessie_ = (mi := !j_2) in void);
                       (mv := (K_33:
                              (JC_94:
                              ((((offset_acc_ !Object_alloc_table) !intM_intP) t_0) !j_2))));
                       !mv end in void) else void)
                    else (raise (Loop_exit_exc void)));
                   (raise (Loop_continue_exc void)) end with
                  Loop_continue_exc _jessie_ ->
                  (let _jessie_ =
                  (K_36:
                  (let _jessie_ = !j_2 in
                  begin
                    (let _jessie_ = (j_2 := ((add_int _jessie_) (1))) in
                    void); _jessie_ end)) in void) end end done) with
               Loop_exit_exc _jessie_ -> void end;
              (K_40:
              (let _jessie_ = this_0 in
              (let _jessie_ = t_0 in
              (let _jessie_ = !i_3 in
              (let _jessie_ = !mi in
              (JC_95:
              ((((Sort_swap_requires _jessie_) _jessie_) _jessie_) _jessie_)))))))
             end else (raise (Loop_exit_exc void)));
           (raise (Loop_continue_exc void)) end with
          Loop_continue_exc _jessie_ ->
          (let _jessie_ =
          (K_41:
          (let _jessie_ = !i_3 in
          begin
            (let _jessie_ = (i_3 := ((add_int _jessie_) (1))) in void);
           _jessie_ end)) in void) end end done) with
       Loop_exit_exc _jessie_ -> void end end)))); (raise Return) end with
   Return -> void end) { true } 

let Sort_swap_ensures_default =
 fun (this_2 : Object pointer) (t : Object pointer) (i_2 : int) (j_1 : int) ->
  { (left_valid_struct_intM(t, (0), Object_alloc_table)
    and (valid_struct_Sort(this_2, (0), (0), Object_alloc_table)
        and (JC_51:
            ((JC_46: Non_null_intM(t, Object_alloc_table))
            and ((JC_47: le_int((0), i_2))
                and ((JC_48:
                     lt_int(i_2,
                     add_int(offset_max(Object_alloc_table, t), (1))))
                    and ((JC_49: le_int((0), j_1))
                        and (JC_50:
                            lt_int(j_1,
                            add_int(offset_max(Object_alloc_table, t), (1))))))))))) }
  (init:
  try
   begin
     (let _jessie_ =
     (let tmp = (K_14: ((safe_acc_ !intM_intP) ((shift t) i_2))) in
     (K_12:
     begin
       (let _jessie_ =
       (let _jessie_ = (K_11: ((safe_acc_ !intM_intP) ((shift t) j_1))) in
       (let _jessie_ = t in
       (let _jessie_ = i_2 in
       (let _jessie_ = ((shift _jessie_) _jessie_) in
       (((safe_upd_ intM_intP) _jessie_) _jessie_))))) in void);
      (K_13:
      (let _jessie_ = tmp in
      (let _jessie_ = t in
      (let _jessie_ = j_1 in
      (let _jessie_ = ((shift _jessie_) _jessie_) in
      begin   (((safe_upd_ intM_intP) _jessie_) _jessie_); _jessie_ end)))))
     end)) in void); (raise Return) end with Return -> void end)
  { (JC_55:
    ((JC_53: Swap(t, i_2, j_1, intM_intP, intM_intP@))
    and (JC_54:
        not_assigns(Object_alloc_table@, intM_intP@, intM_intP,
        pset_union(pset_range(pset_singleton(t), j_1, j_1),
        pset_range(pset_singleton(t), i_2, i_2)))))) } 

let Sort_swap_safety =
 fun (this_2 : Object pointer) (t : Object pointer) (i_2 : int) (j_1 : int) ->
  { (left_valid_struct_intM(t, (0), Object_alloc_table)
    and (valid_struct_Sort(this_2, (0), (0), Object_alloc_table)
        and (JC_51:
            ((JC_46: Non_null_intM(t, Object_alloc_table))
            and ((JC_47: le_int((0), i_2))
                and ((JC_48:
                     lt_int(i_2,
                     add_int(offset_max(Object_alloc_table, t), (1))))
                    and ((JC_49: le_int((0), j_1))
                        and (JC_50:
                            lt_int(j_1,
                            add_int(offset_max(Object_alloc_table, t), (1))))))))))) }
  (init:
  try
   begin
     (let _jessie_ =
     (let tmp =
     (K_14:
     (JC_61: ((((offset_acc_ !Object_alloc_table) !intM_intP) t) i_2))) in
     (K_12:
     begin
       (let _jessie_ =
       (let _jessie_ =
       (K_11:
       (JC_62: ((((offset_acc_ !Object_alloc_table) !intM_intP) t) j_1))) in
       (let _jessie_ = t in
       (let _jessie_ = i_2 in
       (let _jessie_ = ((shift _jessie_) _jessie_) in
       (JC_63:
       (((((offset_upd_ !Object_alloc_table) intM_intP) _jessie_) _jessie_) _jessie_)))))) in
       void);
      (K_13:
      (let _jessie_ = tmp in
      (let _jessie_ = t in
      (let _jessie_ = j_1 in
      (let _jessie_ = ((shift _jessie_) _jessie_) in
      (JC_64:
      begin
        (((((offset_upd_ !Object_alloc_table) intM_intP) _jessie_) _jessie_) _jessie_);
       _jessie_ end)))))) end)) in void); (raise Return) end with Return ->
   void end) { true } 

let cons_Object_ensures_default =
 fun (this_14 : Object pointer) ->
  { valid_struct_Object(this_14, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_230: true) } 

let cons_Object_safety =
 fun (this_14 : Object pointer) ->
  { valid_struct_Object(this_14, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 

let cons_Sort_ensures_default =
 fun (this_3 : Object pointer) ->
  { valid_struct_Sort(this_3, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_206: true) } 

let cons_Sort_safety =
 fun (this_3 : Object pointer) ->
  { valid_struct_Sort(this_3, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true } 


why-2.39/tests/java/oracle/Sort.err.oracle0000644000106100004300000000000013147234006017454 0ustar  marchevalswhy-2.39/tests/java/TreeMax.java0000644000106100004300000001061113147234006015523 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

//@+ TerminationPolicy = user

/*@ axiomatic integer_max {
  @   logic integer max(integer x, integer y);
  @   axiom max_is_ge : \forall integer x y; max(x,y) >= x && max(x,y) >= y;
  @   axiom max_is_some : \forall integer x y; max(x,y) == x || max(x,y) == y;
  @ }
  @*/

class Int {
    //@ ensures \result == max(x,y);
    public static int max(int x, int y);
}

/*@ axiomatic Mem {
  @   predicate mem{L}(int x, Tree t);
  @   axiom mem_null{L}: \forall int x; ! mem(x,null);
  @   axiom mem_root{L}: \forall Tree t; t != null ==>
  @     mem(t.value,t);
  @   axiom mem_root_eq{L}: \forall int x, Tree t; t != null ==>
  @     x==t.value ==> mem(x,t);
  @   axiom mem_left{L}: \forall int x, Tree t; t != null ==>
  @     mem(x,t.left) ==> mem(x,t);
  @   axiom mem_right{L}: \forall int x, Tree t; t != null ==>
  @     mem(x,t.right) ==> mem(x,t);
  @   axiom mem_inversion{L}: \forall int x, Tree t;
  @     mem(x,t) ==> t != null &&
  @       (x==t.value || mem(x,t.left) || mem(x,t.right));
  @ }
  @*/

/* attempt to prove termination, not succesful yet */
/* axiomatic Finite {
  @   predicate has_size{L}(Tree t, integer s);
  @   axiom has_size_null{L}: has_size(null,0);
  @   axiom has_size_non_null{L}: \forall Tree t; t != null ==>
  @     \forall integer s1 s2;
  @     has_size(t.left,s1) && has_size(t.right,s2) ==>
  @     has_size(t,s1+s2+1) ;
  @   axiom has_size_inversion{L}: \forall Tree t, integer s;
  @     has_size(t,s) ==>
  @       (t == null && s == 0) ||
  @       (t != null && \exists integer s1 s2;
  @            has_size(t.left,s1) && has_size(t.right,s2) &&
  @            0 <= s1 && 0 <= s2 && s == s1+s2+1) ;
  @   predicate size_decreases{L}(Tree t1, Tree t2) =
  @     \exists integer s1 s2; has_size(t1,s1) && has_size(t2,s2) && s1 > s2;
  @ }
  @*/

class Tree {

    int value;
    Tree left;
    Tree right;

    /*@ // requires \exists integer s; has_size(this,s);
      @ // decreases this for size_decreases;
      @ ensures mem(\result,this) &&
      @   \forall int x; mem(x,this) ==> \result >= x;
      @*/
    int tree_max() {
        int m = value;
        if (left != null) m = Int.max(m,left.tree_max());
        if (right != null) m = Int.max(m,right.tree_max());
        return m;
    }

}

why-2.39/tests/java/SimpleApplet.java0000644000106100004300000001171413147234006016562 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

// JAVACARD: will ask regtests to use Java Card API for this program

/*****************************

Very basic Java Card Applet to check non-regression of basic Java Card support

thanks to Peter Trommler 

********************/



import javacard.framework.APDU;
import javacard.framework.Applet;
import javacard.framework.ISO7816;
import javacard.framework.ISOException;
import javacard.framework.JCSystem;
import javacard.framework.OwnerPIN;
import javacard.security.*;

public class Card extends Applet {
	
    //##################################################
    //Instruction Variables
    //##################################################
    final static byte Card_Class = (byte)0x80;
    final static byte Card_Ins_Pin= (byte)0x02;
    final static byte Card_Ins_Auth=(byte)0x01;
    final static byte Card_Ins_Write= (byte) 0x05;
    final static byte Card_Ins_Del = (byte) 0x06;
    final static byte Card_Ins_Read = (byte) 0x07;
	
	
    //##################################################
    //Other Parameters
    //##################################################
    final static byte Key_Length = (byte) 0x84;
    final static short Data_Count = 10; 
    final static short Data_Len = 5;
    final static byte Term_Function_Writer =(byte) 0xAA;
    final static byte Term_Function_Reader = (byte)0x11;
	
    /**
     * Constructor for the Card.
     */
    Card(){
	// nothing to be done
    }

    //#####################################################
    //Applet Card install
    //####################################################
    public static void install(byte[] bArray, short bOffset, byte bLength) {
	// GP-compliant JavaCard applet registration
	new Card().register(bArray, (short) (bOffset + 1), bArray[bOffset]);
    }
	
    //####################################################
    //Here starts the good part.
    //###################################################
    public void process(APDU apdu) {
	//When the applet is selected, the card will be initialised!		
	if (selectingApplet()) {
	    return;
	}
		
	byte[] buf = apdu.getBuffer();
		
	//Returns an error if the Class  is wrong.
	if(buf[ISO7816.OFFSET_CLA]!= Card_Class){
	    ISOException.throwIt(ISO7816.SW_CLA_NOT_SUPPORTED);
	}
		
	switch (buf[ISO7816.OFFSET_INS]) {
	    //Here is where the Signature from the terminal will be checked
	    //and also here is where will be decided to what functions
	    //the Terminal will have access to.
				
	    //Calls the Read Method	
	case Card_Ins_Read:
	    // for now just return OK SW1SW2=0x9000
	    break;
				
	default:
	    // good practice: If you don't know the INStruction, say so:
	    ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
	}
	return;
    }
}


/*
Local Variables:
compile-command: "make SimpleApplet.why3ide"
End:
*/

why-2.39/tests/java/result/0000755000106100004300000000000013147234006014632 5ustar  marchevalswhy-2.39/tests/java/result/README0000644000106100004300000000013313147234006015507 0ustar  marchevalsthis directory is to store results of tests. There is
intentionally no file managed by SVN
why-2.39/tests/java/Hello.java0000644000106100004300000000456413147234006015233 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

class Hello {

    public static void main(String argv[]) {
        System.out.println("Hello Krakatoa");
    }

}



/*
Local Variables:
compile-command: "make Hello.why3ide"
End:
*/


why-2.39/tests/java/Counter.java0000644000106100004300000000530013147234006015574 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

//@+ CheckArithOverflow = no

/*@ logic integer value{L}(Counter c) = 
  @    \at(c.increments,L) - \at(c.decrements,L);
  @*/

public class Counter {

    private int increments;
    private int decrements;

    //@ ensures value{Here}(this) == value{Old}(this) + 1;
    public void increment() {
        increments++;
    }

    //@ ensures value{Here}(this) == value{Old}(this) - 1;
    public void decrement() {
        decrements++;
    }

}

/*
Local Variables:
compile-command: "make Counter.why3ide"
End:
*/


why-2.39/tests/java/PreAndOld.java0000644000106100004300000000512513147234006015772 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/


//@+ CheckArithOverflow = no

//@ logic integer f{L}(integer n) = n+PreAndOld.y;


class PreAndOld {

    static int y;

    /*@ ensures \result == \old(f(x))
      @      && \result == f{Old}(x)
      @      && \result == \at(f(x),Pre);
      @*/
    int g(int x) {
        int tmp = y;
        y = 12;
        return x+tmp;
    }
}





/*
Local Variables:
compile-command: "make PreAndOld.why3ide"
End:
*/

why-2.39/tests/java/Isqrt.java0000644000106100004300000000546513147234006015273 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/


//@+ CheckArithOverflow = no

//@ logic integer sqr(integer x) = x * x;

class Isqrt {

/*@ requires x >= 0;
  @ ensures \result >= 0 && sqr(\result) <= x && x < sqr(\result + 1);
  @*/
static int isqrt(int x) {
  int count = 0, sum = 1;
  /*@ loop_invariant count >= 0 && x >= sqr(count) && sum == sqr(count+1);
    @ loop_variant  x - count; 
    @*/
  while (sum <= x) sum += 2 * ++count + 1;
  return count;
}

//@ ensures \result == 4;
static int main () {
  int r;
  r = isqrt(17);
  //@ assert r < 4 ==> false;
  //@ assert r > 4 ==> false;
  return r;
}

}

/*
Local Variables:
compile-command: "make Isqrt.why3ide"
End:
*/


why-2.39/tests/java/Fibonacci.java0000644000106100004300000000616413147234006016043 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

// RUNCOQ: will ask regtests to check Coq proofs of this program

// int model: unbounded mathematical integers
//@+ CheckArithOverflow = no

/*@ inductive isfib(integer x, integer r) {
  @  case isfib0: isfib(0,0);
  @  case isfib1: isfib(1,1);
  @  case isfibn: 
  @   \forall integer n r p; 
  @     n >= 2 && isfib(n-2,r) && isfib(n-1,p) ==> isfib(n,p+r);
  @ }
  @*/ 

//@ lemma isfib_2_1 : isfib(2,1);
//@ lemma isfib_6_8 : isfib(6,8);

// provable only if def is inductive (least fix point)
//@ lemma not_isfib_2_2 : ! isfib(2,2);

public class Fibonacci {

    /*@ requires n >= 0;
      @ ensures isfib(n, \result); 
      @*/
    public static long Fib(int n) {
	long y=0, x=1, aux;

	/*@ loop_invariant 0 <= i <= n && isfib(i+1,x) && isfib(i,y);
	  @ loop_variant n-i;
	  @*/
	for(int i=0; i < n; i++) {
	    aux = y;
	    y = x;
	    x = x + aux;
	}
	return y;
    }
}

/*
Local Variables:
compile-command: "make Fibonacci.why3ide"
End:
*/


why-2.39/tests/java/Creation.java0000644000106100004300000000705713147234006015734 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

//@+ CheckArithOverflow = no

class Creation {

    int simple_val;

    /*@ behavior normal:
      @   assigns this.simple_val; // not \nothing 
      @   ensures this.simple_val == 0;
      @*/
    Creation() {
	this(0);
    }

    /*@ behavior normal:
      @   assigns this.simple_val; // not \nothing
      @   ensures this.simple_val == n;
      @*/
    Creation(int n) {
	simple_val = n;
    }

    /*@ behavior normal:
      @   assigns this.simple_val; // not \nothing
      @   ensures this.simple_val == n + m;
      @*/
    Creation(int n,int m) {
	this(n+m); 
    }

    /*@ behavior normal:
      @   ensures \result == 17;
      @*/
    public static int test1() {
	Creation t = new Creation(17);
	return t.simple_val;
    }

    /*@ behavior normal:
      @   ensures \result == 0;
      @*/
    public static int test2() {
	Creation t = new Creation();
	return t.simple_val;
    }

    /*@ behavior normal:
      @   assigns \nothing;             // BUG !!!!!!!!!!!!
      @   ensures \result == 17;
      @*/
    public static int test3() {
	Creation t = new Creation(10,7);
	return t.simple_val;
    }

}


class TestSuperConstructor extends Creation {

    /*@ behavior normal:
      @   assigns simple_val;
      @   ensures simple_val == 12;
      @*/
    TestSuperConstructor() {
	super(12);
    }

}


/*
Local Variables:
compile-command: "make Creation.why3ide"
End:
*/


why-2.39/tests/java/Duplets.java0000644000106100004300000001223013147234006015575 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

/*
COST Verification Competition. vladimir@cost-ic0701.org

Challenge 3: Two equal elements

Given: An integer array a of length n+2 with n>=2. It is known that at
least two values stored in the array appear twice (i.e., there are at
least two duplets).

Implement and verify a program finding such two values.

You may assume that the array contains values between 0 and n-1.
*/


class Integer {
    int value;
    /*@ ensures this.value == a;
      @*/
    Integer(int a) {
        value = a;
    }
}

class Pair {
    int x,y;
    /*@ ensures this.x == a && this.y == b;
      @*/
    Pair(int a,int b) {
        x = a; y = b;
    }
}

class Quadruple {
    int x,y,z,t;
    /*@ ensures this.x == a && this.y == b &&
      @         this.z == c && this.t == d;
      @*/
    Pair(int a,int b,int c,int d) {
        x = a; y = b; z = c; t = d;
    }
}

/* equality between an integer and a possibly null Integer object */
/*@ predicate eq_opt{L}(integer x, Integer o) =
  @   o != null && x == o.value;
  @*/

/* A duplet in array a is a pair of indexes (i,j) in the bounds of array
   a such that a[i] = a[j] */
/*@ predicate is_duplet{L}(int a[], integer i, integer j) =
  @    0 <= i < j < a.length && a[i] == a[j];
  @*/

class Duplets {

    /* duplet(a) returns the indexes (i,j) of a duplet in a.
     * moreover, if except is not null, the value of this duplet must
     * be different from it.
     */
    /*@ requires 2 <= a.length &&
      @   \exists integer i j;
      @     is_duplet(a,i,j) && ! eq_opt(a[i],except) ;
      @ ensures
      @   is_duplet(a,\result.x,\result.y) &&
      @   ! eq_opt(a[\result.x],except); 
      @*/
    Pair duplet(int a[], Integer except) {
        /*@ loop_invariant
          @  \forall integer k l; 0 <= k < i && k < l < a.length ==>
          @    ! eq_opt(a[k],except) ==> ! is_duplet(a,k,l);
          @ loop_variant a.length - i;
          @*/
        for(int i=0; i <= a.length - 2; i++) {
            int v = a[i];
            if (except != null && except.value != v) {
                /*@ loop_invariant
                  @   \forall integer l; i < l < j ==> ! is_duplet(a,i,l);
                  @ loop_variant a.length - j;
                  @*/
                for (int j=i+1; j < a.length; j++) {
                    if (a[j] == v) {
                        return new Pair(i, j);
                    }
                }
            }
        }
        // assert \forall integer i j; ! is_duplet(a,i,j);
        //@ assert false;
        return null;
    }


    /* requires 4 <= a.length && \exists integer i j k l;
      @   is_duplet(a,i,j) && is_duplet(a,k,l) && a[i] != a[k];
      @ ensures is_duplet(a,\result.x,\result.y) &&
      @   is_duplet(a,\result.z,\result.t) &&
      @   a[\result.x] != a[\result.z];
      @*/
    Quadruple duplets(int a[]) {
        Pair p = duplet(a,null);
        Pair q = duplet(a,new Integer(a[p.x]));
        return new Quadruple(p.x,p.y,q.x,q.y);
    }
   

}

/*
Local Variables:
compile-command: "make Duplets.why3ide"
End:
*/

why-2.39/tests/java/TestNonNull.java0000644000106100004300000000525113147234006016407 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

//@+ NonNullByDefault = all


class TestNonNull {

    static final int N = 2;

    static int[] st;
    //@ static invariant st_length: st.length >= 4;

    int[] t;
    //@ invariant t_length: t.length >= 4;

    TestNonNull() {
	t = new int[5];
	//@ assert t.length == 5;
    }


    //@ requires t.length >= 4;
    void test(int[] t) {
	int _i = t[3];
	t[2] = 1;
	int _j = t[N];
	t[N + 1] = 1;
	st[3] == 1;
    }

}

/*
Local Variables:
compile-command: "make TestNonNull.why3ide"
End:
*/


why-2.39/tests/java/MullerTheory.java0000755000106100004300000000620113147234006016614 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

/* File Muller.java */

//@+ CheckArithOverflow = no
//@+ SeparationPolicy = Regions

//@ import tests.spec.NumOfPos;

/*@ lemma num_of_pos_strictly_increasing{L} :
  @   \forall integer i j k l, int t[];
  @       j < k && k <= l && t[k] > 0 ==> 
  @       num_of_pos(i,j,t) < num_of_pos(i,l,t);
  @*/

public class MullerTheory {

    /*@ requires t!=null;
      @*/
    public static int[] m(int t[]) {
	int count = 0;
	
	/*@ loop_invariant
	  @    0 <= i <= t.length && 
	  @    0 <= count <= i && 
	  @    count == num_of_pos(0,i-1,t) ; 
	  @ loop_variant t.length - i;
	  @*/
	for (int i=0 ; i < t.length; i++) if (t[i] > 0) count++;
	
	int u[] = new int[count];
	count = 0;
	
	/*@ loop_invariant
	  @    0 <= i <= t.length && 
	  @    0 <= count <= i && 
	  @    count == num_of_pos(0,i-1,t);
	  @ loop_variant t.length - i;
	  @*/
	for (int i=0 ; i < t.length; i++) {
	    if (t[i] > 0) u[count++] = t[i];
	}
	return u;
    }
}

/* End of file Muller.java */
why-2.39/tests/java/SimpleAlloc.java0000644000106100004300000000514213147234006016365 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

class Node {
    int val;

    /*@ assigns \nothing;
      @ allocates this;
      @ ensures this.val == 0;
      @*/
    Node(){}
}

class test {
    Node[] x;

    /*@ requires x != null && x.length == 10  ;
      @ assigns x[0];
      @ allocates x[0];
      @ ensures x[0] != null;
      @*/
    void test() {
        x[0]=new Node();
    }
}




/*
Local Variables:
compile-command: "make SimpleAlloc.why3ide"
End:
*/

why-2.39/tests/java/Assertion.java0000644000106100004300000000461213147234006016131 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

public class Assertion {
         /*@
           @ ensures \result == 5;
           @*/
         public static int max(int x) {
                 /*@ assert x == 5; @*/
                 return x;
         }
} why-2.39/tests/java/Fresh3.java0000644000106100004300000000537413147234006015322 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

//@+ SeparationPolicy = None

class Int { int f; }

class Fresh3 {

  Int i;

/*@ assigns this.i;
  @ allocates this.i;
  @ ensures this.i != null && \fresh(this.i);
  @*/
void create() {
    this.i = new Int();
}

/*@ requires f != null && this.i != null && this != f;
  @*/
void test(Fresh3 f) {
  f.create();
  //@ assert this.i != f.i;
}

static void smoke_detector() {
    Fresh3 s1, s2;
    s1 = new Fresh3();
    s2 = new Fresh3();
    s1.create();
    s2.create();
    //@ assert 0 == 1;
}

}

/*
Local Variables:
compile-command: "LC_ALL=C make Fresh3.why3ide"
End:
*/
why-2.39/tests/java/Muller.java0000644000106100004300000000776613147234006015437 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

//@+ SeparationPolicy = Regions

/*@ axiomatic NumOfPos {
  @  logic integer num_of_pos{L}(integer i,integer j,int t[]);
  @  axiom num_of_pos_empty{L} :
  @   \forall integer i j, int t[];
  @    i >= j ==> num_of_pos(i,j,t) == 0;
  @  axiom num_of_pos_true_case{L} :
  @   \forall integer i j, int t[];
  @       i < j && t[j-1] > 0 ==>
  @         num_of_pos(i,j,t) == num_of_pos(i,j-1,t) + 1;
  @  axiom num_of_pos_false_case{L} :
  @   \forall integer i j, int t[];
  @       i < j && ! (t[j-1] > 0) ==>
  @         num_of_pos(i,j,t) == num_of_pos(i,j-1,t);
  @ }
  @*/


/*@ lemma num_of_pos_non_negative{L} :
  @   \forall integer i j, int t[]; 0 <= num_of_pos(i,j,t);
  @*/

/*@ lemma num_of_pos_additive{L} :
  @   \forall integer i j k, int t[]; i <= j <= k ==>
  @       num_of_pos(i,k,t) == num_of_pos(i,j,t) + num_of_pos(j,k,t);
  @*/

/*@ lemma num_of_pos_increasing{L} :
  @   \forall integer i j k, int t[];
  @       j <= k ==> num_of_pos(i,j,t) <= num_of_pos(i,k,t);
  @*/

/*@ lemma num_of_pos_strictly_increasing{L} :
  @   \forall integer i n, int t[];
  @       0 <= i < n && t[i] > 0 ==>
  @       num_of_pos(0,i,t) < num_of_pos(0,n,t);
  @*/

public class Muller {

    /*@ requires t != null;
      @*/
    public static int[] m(int t[]) {
	int count = 0;

	/*@ loop_invariant
	  @    0 <= i <= t.length &&
	  @    0 <= count <= i &&
	  @    count == num_of_pos(0,i,t) ;
	  @ loop_variant t.length - i;
	  @*/
	for (int i=0 ; i < t.length; i++) if (t[i] > 0) count++;

	int u[] = new int[count];
	count = 0;

	/*@ loop_invariant
	  @    0 <= i <= t.length &&
	  @    0 <= count <= i &&
	  @    count == num_of_pos(0,i,t);
	  @ loop_variant t.length - i;
	  @*/
	for (int i=0 ; i < t.length; i++) {
	    if (t[i] > 0) u[count++] = t[i];
	}
	return u;
    }

}

/*
Local Variables:
compile-command: "make Muller.why3ide"
End:
*/
why-2.39/tests/java/SideEffects.java0000644000106100004300000000521013147234006016341 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

//@+ CheckArithOverflow = no

class SideEffects {

    /*@ requires t.length > 10;
      @*/
    void m1(int t[]) {
	int i = 0;
	t[i++] = 1;
	//@ assert t[0] == 1 && i == 1;
	t[++i] = 2;
	//@ assert t[0] == 1 && t[2] == 2 && i == 2;
	t[--i] = 3;
	//@ assert t[0] == 1 && t[2] == 2 && t[1] == 3 && i == 1;
	t[i--] = 4;
	//@ assert t[0] == 1 && t[2] == 2 && t[1] == 4 && i == 0;
    }

}


/*
Local Variables:
compile-command: "make SideEffects.why3ide"
End:
*/


why-2.39/tests/java/Negate.java0000644000106100004300000000554613147234006015374 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/


//@+ CheckArithOverflow = no

public class negate {

    /*@ requires t != null;
      @ assigns t[0..t.length-1];
      @ ensures \forall integer k; 0 <= k < t.length ==> t[k] == -\old(t[k]);
      @*/
    static void negate(int t[]) {
	int i = 0;
	/*@ loop_invariant
	  @   0 <= i <= t.length &&
	  @   (\forall integer k; 0 <= k < i ==> t[k] == -\at(t[k],Pre)) &&
	  @   (\forall integer k; i <= k < t.length ==> t[k] == \at(t[k],Pre)) ;
	  @ // TODO: replace previous invariant by loop_assigns t[0..i-1];
	  @ loop_variant t.length-i;
	  @*/
	while (i < t.length) {
	    t[i] = -t[i];
	    i++;
	}

    }

}



/*
Local Variables:
compile-command: "make Negate.why3ide"
End:
*/

why-2.39/tests/java/NameConflicts.java0000644000106100004300000000500413147234006016703 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

class NameConflicts {

    int i;

    void setI(int i) {
	this.i = i;
    }

    /*@ behavior normal:
      @   ensures \result == 0;
      @*/
    int m() {
	int result = 0;
	return result;
    }

    int field;

    int field() { return field; }

}


/*
Local Variables:
compile-command: "make NameConflicts.why3ide"
End:
*/


why-2.39/tests/java/Fresh2.java0000644000106100004300000000550713147234006015317 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/

//@+ SeparationPolicy = None

class Fresh2 {

    int x;

    /*@ assigns \nothing;
      @ allocates this;
      @ ensures \fresh(this);
      @*/
    Fresh2 ();

    /*@ assigns \nothing;
      @ allocates \result;
      @ ensures \result != null && \fresh(\result);
      @*/
    static Fresh2 create() {
        return new Fresh2();
    }

    void test() {
        Fresh2 f;
        f = create ();
        //@ assert this != f;
    }

    static void smoke_detector() {
        Fresh2 _s1 = create ();
        Fresh2 _s2 = create ();
        //@ assert 0 == 1;
    }

}


/*
Local Variables:
compile-command: "LC_ALL=C make Fresh2.why3ide"
End:
*/
why-2.39/tests/java/Arrays.java0000644000106100004300000001045513147234006015425 0ustar  marchevals/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2017                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/**************************************************************************/


//@+ CheckArithOverflow = no

/* is_max(t,i,l) is true whenever t[i] is the maximum of t[0]..t[l-1]
 * l is an integer and not an int, because used as t.length which 
 * (in the logic) returns an integer and not an int 
 */
/*@ predicate is_max{L}(int[] t,int i,integer l) =
  @   t != null && 0 <= i < l <= t.length &&
  @   (\forall integer j; 0 <= j < l ==> t[j] <= t[i]) ;
  @*/

public class Arrays {

    /*@ requires t != null && 1 <= t.length <= 32767;
      @ behavior max_found:
      @   ensures 
      @      0 <= \result < t.length && 
      @      (\forall integer i; 
      @           0 <= i < t.length ==> t[i] <= t[\result]);
      @*/
    public static short findMax(int[] t) {
	int m = t[0];
	short r = 0;
        /*@ loop_invariant 
          @   1 <= i <= t.length && 0 <= r < t.length &&
          @   m == t[r] && (\forall integer j; 0 <= j < i ==> t[j] <= m);
          @ loop_variant t.length-i;
          @*/
	for (short i=1; i < t.length; i++) {
	    if (t[i] > m) {
		r = i; 
		m = t[i];
	    }
	}
	return r;
    }

    /*@ requires t != null && t.length >= 1;
      @ behavior max_found:
      @  ensures 
      @      0 <= \result < t.length && 
      @      is_max(t,\result,t.length) ;
      @*/
    public static int findMax2(int[] t) {
	int m = t[0];
	int r = 0; 
	/*@ loop_invariant 
	  @   1 <= i <= t.length && 0 <= r < t.length &&
          @   m == t[r] && is_max(t,r,i) ;
	  @ loop_variant t.length-i;
	  @*/
	for (int i=1; i < t.length; i++) {
	    if (t[i] > m) {
		r = i; 
		m = t[i];
	    }
	}
	return r;
    }


    /*@ requires t != null ;
      @ ensures 
      @   \forall integer i; 0 < i < t.length ==> t[i] == \old(t[i-1]);
      @*/
    public static void arrayShift(int[] t) {
	/*@ loop_invariant 
	  @   j < t.length &&
	  @   (t.length > 0 ==>
	  @     (0 <= j && 
          @     (\forall integer i; 0 <= i <= j ==> t[i] == \at(t[i],Pre)) &&
          @     (\forall integer i; j < i < t.length ==> t[i] == \at(t[i-1],Pre))));
	  @ loop_variant j;
	  @*/
      for (int j = t.length-1 ; j > 0 ; j--) {
	  t[j] = t[j-1];
	}
    }


}


/*
Local Variables: 
compile-command: "make Arrays.why3ide"
End: 
*/

why-2.39/tests/regtest.sh0000755000106100004300000000326113147234006014411 0ustar  marchevals#!/bin/sh

echo 'Format.eprintf "%s@." (Sys.getcwd());;' | ocaml 1>/dev/null 2> /tmp/regtests.cwd

DIR=`cat /tmp/regtests.cwd`
rm -f /tmp/regtests.cwd
LIBDIR=`grep "libdir" $DIR/src/version.ml | sed -e 's|[^"]*"\([^"]*\)"[^"]*|\1|g' | head -n 1`
LANG=

echofilename () {
  echo "========== file $1 =========="
}

mycat() {
  echofilename $1
  sed -e "s|jessie_[0-9]\+|jessie_|g" $1
}

mycatfilterdir () {
  echofilename $1
  sed -e "s|$DIR|HOME|g" -e "s|$LIBDIR|WHYLIB|g" $1
}

case $1 in
  *.java)
        d=`dirname $1`
	b=`basename $1 .java`
        f=$d/$b
	mycat $f.java
	echo "========== krakatoa execution =========="
	rm -f $f.jc
	rm -f $f.jloc
	opt=""
	if grep JAVACARD $f.java ; then
	    opt=-javacard
	fi
	KRAKATOALIB=$DIR/lib bin/krakatoa.opt -gen-only $opt $1 || exit 1
	mycat $f.jc
	mycatfilterdir $f.jloc
	echo "========== jessie execution =========="
	rm -f $f.makefile
	rm -f $d/why/$b.why
	rm -f $f.loc
	WHYLIB=$DIR/lib bin/jessie.opt -locs $f.jloc -why-opt -split-user-conj $f.jc || exit 2
	mycatfilterdir $f.makefile
	mycatfilterdir $f.loc
	mycat $d/why/$b.why
	;;
  *.c)
        d=`dirname $1`
	b=`basename $1 .c`
        j=$d/$b.jessie
        f=$j/$b
	mycat $1
	echo "========== frama-c -jessie execution =========="
	rm -f $f.jc
	rm -f $f.cloc
	FRAMAC_PLUGIN=$DIR/frama-c-plugin frama-c -jessie -jessie-gen-only $1 || exit 1
	mycat $f.jc
	mycatfilterdir $f.cloc
	echo "========== jessie execution =========="
	rm -f $f.makefile
	rm -f $j/why/$b.why
	rm -f $f.loc
	WHYLIB=$DIR/lib bin/jessie.opt -locs $f.cloc -why-opt -split-user-conj $f.jc || exit 2
	mycatfilterdir $f.makefile
	mycatfilterdir $f.loc
	mycat $j/why/$b.why
	;;
  *)
	echo "don't know what to do with $1"
	exit 1
esac